From 11085a9aebace3a009c80a977fb144e09dad7f4b Mon Sep 17 00:00:00 2001 From: "Huabing (Robin) Zhao" Date: Thu, 20 Feb 2025 13:57:51 +0800 Subject: [PATCH 01/10] validate all xds resources before returning the translation result (#5148) * validate all xds resources before returning the translation result Signed-off-by: Huabing (Robin) Zhao --------- Signed-off-by: Huabing (Robin) Zhao (cherry picked from commit b1bf60963f46c1439bfb52769e6de06c6637b896) Signed-off-by: Huabing (Robin) Zhao --- internal/utils/proto/proto.go | 33 +++++++ internal/xds/cache/snapshotcache.go | 8 ++ internal/xds/filters/wellknown.go | 73 ++++++++++++--- internal/xds/translator/accesslog.go | 102 +++++++++++++++------ internal/xds/translator/authorization.go | 22 ++--- internal/xds/translator/basicauth.go | 14 +-- internal/xds/translator/cluster.go | 10 +- internal/xds/translator/custom_response.go | 27 ++---- internal/xds/translator/extauth.go | 4 - internal/xds/translator/extproc.go | 4 - internal/xds/translator/fault.go | 11 +-- internal/xds/translator/healthcheck.go | 3 - internal/xds/translator/httpfilters.go | 6 +- internal/xds/translator/jwt.go | 8 +- internal/xds/translator/oidc.go | 8 +- internal/xds/translator/route.go | 9 +- internal/xds/translator/tracing.go | 8 +- internal/xds/translator/translator.go | 16 +++- internal/xds/translator/wasm.go | 3 - internal/xds/types/resourceversiontable.go | 83 ++++------------- 20 files changed, 258 insertions(+), 194 deletions(-) diff --git a/internal/utils/proto/proto.go b/internal/utils/proto/proto.go index ff05e3a715..96800b0b34 100644 --- a/internal/utils/proto/proto.go +++ b/internal/utils/proto/proto.go @@ -10,10 +10,12 @@ package proto import ( "bytes" + "errors" "github.com/golang/protobuf/jsonpb" protov1 "github.com/golang/protobuf/proto" "google.golang.org/protobuf/proto" + "google.golang.org/protobuf/types/known/anypb" "sigs.k8s.io/yaml" ) 
@@ -38,3 +40,34 @@ func FromJSON(content []byte, out proto.Message) error { unmarshaler := &jsonpb.Unmarshaler{AllowUnknownFields: true} return unmarshaler.Unmarshal(bytes.NewReader(content), protov1.MessageV1(out)) } + +func ToAnyWithValidation(msg proto.Message) (*anypb.Any, error) { + if msg == nil { + return nil, errors.New("empty message received") + } + + // If the message has a ValidateAll method, call it before marshaling. + if err := Validate(msg); err != nil { + return nil, err + } + + any, err := anypb.New(msg) + if err != nil { + return nil, err + } + return any, nil +} + +// Validate validates the given message by calling its ValidateAll or Validate methods. +func Validate(msg proto.Message) error { + // If the message has a ValidateAll method, call it + if validator, ok := msg.(interface{ ValidateAll() error }); ok { + return validator.ValidateAll() + } + + // If the message has a Validate method, call it + if validator, ok := msg.(interface{ Validate() error }); ok { + return validator.Validate() + } + return nil +} diff --git a/internal/xds/cache/snapshotcache.go b/internal/xds/cache/snapshotcache.go index 633021aa16..a9922ae2fa 100644 --- a/internal/xds/cache/snapshotcache.go +++ b/internal/xds/cache/snapshotcache.go @@ -231,6 +231,10 @@ func (s *snapshotCache) OnStreamRequest(streamID int64, req *discoveryv3.Discove nodeID, nodeVersion, req.ResourceNames, req.GetTypeUrl(), errorCode, errorMessage) + if errorCode != 0 { + s.log.Errorf("Envoy rejected the last update with code %d and message %s", errorCode, errorMessage) + } + return nil } @@ -336,6 +340,10 @@ func (s *snapshotCache) OnStreamDeltaRequest(streamID int64, req *discoveryv3.De req.GetTypeUrl(), errorCode, errorMessage) + if errorCode != 0 { + s.log.Errorf("Envoy rejected the last update with code %d and message %s", errorCode, errorMessage) + } + return nil } diff --git a/internal/xds/filters/wellknown.go b/internal/xds/filters/wellknown.go index e6f0109078..67f56fd0f4 100644 
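Review bot: In ToAnyWithValidation the local named `any` shadows Go's predeclared `any` identifier, and the comment above the Validate call (`// If the message has a ValidateAll method, call it before marshaling.`) understates what Validate does, since it also falls back to a plain Validate() method. Rename the local, e.g. `anyMsg, err := anypb.New(msg)`, and replace the comment with `// Run the message's own generated validation (ValidateAll, else Validate) before marshaling.`; the same `any` shadowing appears in the new init in wellknown.go, the init and celAccessLogFilter in accesslog.go, and buildHCMCustomResponseFilter in custom_response.go. ToAnyWithValidation is exported but, unlike Validate, has no doc comment; add `// ToAnyWithValidation validates msg and wraps it in an anypb.Any; a nil msg is rejected with an error.` above it. The validation error is returned bare, so a caller joining many of them (as Translate now does) cannot tell which message type failed; wrapping as `return nil, fmt.Errorf("validating %s: %w", msg.ProtoReflect().Descriptor().FullName(), err)` would add that context at the cost of an fmt import.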
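Review bot: The NACK detail in the new `s.log.Errorf` is formatted with `%s`, so a multi-line or control-character-laden errorMessage sent by the client is written into the log verbatim and can split one event across several log lines; `%q` keeps it on one line and escaped, e.g. `s.log.Errorf("Envoy rejected the last update with code %d and message %q", errorCode, errorMessage)`. The same change applies to the identical block added in the @@ -336 hunk for OnStreamDeltaRequest. Including nodeID in the message would also let an operator tell which proxy rejected the update; nodeID is passed in the surrounding call so it looks available here, though both function bodies start outside the hunk.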
--- a/internal/xds/filters/wellknown.go +++ b/internal/xds/filters/wellknown.go 
@@ -6,43 +6,88 @@ package filters import ( + routev3 "github.com/envoyproxy/go-control-plane/envoy/config/route/v3" grpcstats "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/http/grpc_stats/v3" grpcweb "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/http/grpc_web/v3" + healthcheck "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/http/health_check/v3" httprouter "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/http/router/v3" hcm "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/network/http_connection_manager/v3" + matcherv3 "github.com/envoyproxy/go-control-plane/envoy/type/matcher/v3" "github.com/envoyproxy/go-control-plane/pkg/wellknown" "google.golang.org/protobuf/types/known/wrapperspb" - "github.com/envoyproxy/gateway/internal/utils/protocov" + "github.com/envoyproxy/gateway/internal/utils/proto" ) -var ( +var GRPCWeb, GRPCStats *hcm.HttpFilter + +func init() { + any, err := proto.ToAnyWithValidation(&grpcweb.GrpcWeb{}) + if err != nil { + panic(err) + } GRPCWeb = &hcm.HttpFilter{ Name: wellknown.GRPCWeb, ConfigType: &hcm.HttpFilter_TypedConfig{ - TypedConfig: protocov.ToAny(&grpcweb.GrpcWeb{}), + TypedConfig: any, + }, + } + + any, err = proto.ToAnyWithValidation(&grpcstats.FilterConfig{ + EmitFilterState: true, + PerMethodStatSpecifier: &grpcstats.FilterConfig_StatsForAllMethods{ + StatsForAllMethods: &wrapperspb.BoolValue{Value: true}, }, + }) + if err != nil { + panic(err) } GRPCStats = &hcm.HttpFilter{ Name: wellknown.HTTPGRPCStats, ConfigType: &hcm.HttpFilter_TypedConfig{ - TypedConfig: protocov.ToAny(&grpcstats.FilterConfig{ - EmitFilterState: true, - PerMethodStatSpecifier: &grpcstats.FilterConfig_StatsForAllMethods{ - StatsForAllMethods: &wrapperspb.BoolValue{Value: true}, - }, - }), + TypedConfig: any, }, } -) +} -func GenerateRouterFilter(enableEnvoyHeaders bool) *hcm.HttpFilter { +func GenerateRouterFilter(enableEnvoyHeaders bool) (*hcm.HttpFilter, error) { + anyCfg, 
err := proto.ToAnyWithValidation(&httprouter.Router{ + SuppressEnvoyHeaders: !enableEnvoyHeaders, + }) + if err != nil { + return nil, err + } return &hcm.HttpFilter{ Name: wellknown.Router, ConfigType: &hcm.HttpFilter_TypedConfig{ - TypedConfig: protocov.ToAny(&httprouter.Router{ - SuppressEnvoyHeaders: !enableEnvoyHeaders, - }), + TypedConfig: anyCfg, + }, + }, nil +} + +func GenerateHealthCheckFilter(checkPath string) (*hcm.HttpFilter, error) { + anyCfg, err := proto.ToAnyWithValidation(&healthcheck.HealthCheck{ + PassThroughMode: &wrapperspb.BoolValue{Value: false}, + Headers: []*routev3.HeaderMatcher{ + { + Name: ":path", + HeaderMatchSpecifier: &routev3.HeaderMatcher_StringMatch{ + StringMatch: &matcherv3.StringMatcher{ + MatchPattern: &matcherv3.StringMatcher_Exact{ + Exact: checkPath, + }, + }, + }, + }, }, + }) + if err != nil { + return nil, err } + return &hcm.HttpFilter{ + Name: wellknown.HealthCheck, + ConfigType: &hcm.HttpFilter_TypedConfig{ + TypedConfig: anyCfg, + }, + }, nil } diff --git a/internal/xds/translator/accesslog.go b/internal/xds/translator/accesslog.go index b6494dbf0f..991c8e342c 100644 --- a/internal/xds/translator/accesslog.go +++ b/internal/xds/translator/accesslog.go @@ -26,7 +26,7 @@ import ( egv1a1 "github.com/envoyproxy/gateway/api/v1alpha1" "github.com/envoyproxy/gateway/internal/ir" - "github.com/envoyproxy/gateway/internal/utils/protocov" + "github.com/envoyproxy/gateway/internal/utils/proto" "github.com/envoyproxy/gateway/internal/xds/types" ) 
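Review bot: GenerateRouterFilter and GenerateHealthCheckFilter are exported but carry no doc comments, and GenerateRouterFilter now has an error return that changes its contract for callers. Add `// GenerateRouterFilter returns the router HTTP filter; Envoy headers are suppressed unless enableEnvoyHeaders is set.` and `// GenerateHealthCheckFilter returns a health_check HTTP filter that answers requests whose :path exactly equals checkPath.` above the respective signatures. The new init panics when validating the constant GrpcWeb and FilterConfig messages; that is a fail-fast on a go-control-plane upgrade rather than on user input, which is reasonable, but a one-line comment such as `// Static filter configs: a validation failure here is a dependency error, so fail fast at startup.` would tell the next reader the panic is intentional. No caller of GenerateHealthCheckFilter appears in this patch, so whether an empty checkPath is rejected before reaching the exact matcher is not verifiable from here.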
@@ -78,25 +78,45 @@ var listenerAccessLogFilter = &accesslog.AccessLogFilter{ var ( // reqWithoutQueryFormatter configures additional formatters needed for some of the format strings like "REQ_WITHOUT_QUERY" + reqWithoutQueryFormatter *cfgcore.TypedExtensionConfig + + // metadataFormatter configures additional formatters needed for some of the format strings like "METADATA" + // for more information, see https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/formatter/metadata/v3/metadata.proto + metadataFormatter *cfgcore.TypedExtensionConfig + + // celFormatter configures additional formatters needed for some of the format strings like "CEL" + // for more information, see https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/formatter/cel/v3/cel.proto + celFormatter *cfgcore.TypedExtensionConfig +) + +func init() { + any, err := proto.ToAnyWithValidation(&reqwithoutqueryformatter.ReqWithoutQuery{}) + if err != nil { + panic(err) + } reqWithoutQueryFormatter = &cfgcore.TypedExtensionConfig{ Name: "envoy.formatter.req_without_query", - TypedConfig: protocov.ToAny(&reqwithoutqueryformatter.ReqWithoutQuery{}), + TypedConfig: any, } - // metadataFormatter configures additional formatters needed for some of the format strings like "METADATA" - // for more information, see https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/formatter/metadata/v3/metadata.proto + any, err = proto.ToAnyWithValidation(&metadataformatter.Metadata{}) + if err != nil { + panic(err) + } metadataFormatter = &cfgcore.TypedExtensionConfig{ Name: "envoy.formatter.metadata", - TypedConfig: protocov.ToAny(&metadataformatter.Metadata{}), + TypedConfig: any, } - // celFormatter configures additional formatters needed for some of the format strings like "CEL" - // for more information, see https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/formatter/cel/v3/cel.proto + any, err = proto.ToAnyWithValidation(&celformatter.Cel{}) + if err != nil { + panic(err) + } 
celFormatter = &cfgcore.TypedExtensionConfig{ Name: "envoy.formatter.cel", - TypedConfig: protocov.ToAny(&celformatter.Cel{}), + TypedConfig: any, } -) +} func buildXdsAccessLog(al *ir.AccessLog, accessLogType ir.ProxyAccessLogType) ([]*accesslog.AccessLog, error) { if al == nil { @@ -143,7 +163,11 @@ func buildXdsAccessLog(al *ir.AccessLog, accessLogType ir.ProxyAccessLogType) ([ filelog.GetLogFormat().Formatters = formatters } - accesslogAny, err := protocov.ToAnyWithValidation(filelog) + accesslogAny, err := proto.ToAnyWithValidation(filelog) + if err != nil { + return nil, err + } + filter, err := buildAccessLogFilter(text.CELMatches, defaultLogTypeForListener) if err != nil { return nil, err } @@ -152,7 +176,7 @@ func buildXdsAccessLog(al *ir.AccessLog, accessLogType ir.ProxyAccessLogType) ([ ConfigType: &accesslog.AccessLog_TypedConfig{ TypedConfig: accesslogAny, }, - Filter: buildAccessLogFilter(text.CELMatches, defaultLogTypeForListener), + Filter: filter, }) } // handle json file access logs @@ -199,7 +223,11 @@ func buildXdsAccessLog(al *ir.AccessLog, accessLogType ir.ProxyAccessLogType) ([ filelog.GetLogFormat().Formatters = formatters } - accesslogAny, err := protocov.ToAnyWithValidation(filelog) + accesslogAny, err := proto.ToAnyWithValidation(filelog) + if err != nil { + return nil, err + } + filter, err := buildAccessLogFilter(json.CELMatches, defaultLogTypeForListener) if err != nil { return nil, err } @@ -208,7 +236,7 @@ func buildXdsAccessLog(al *ir.AccessLog, accessLogType ir.ProxyAccessLogType) ([ ConfigType: &accesslog.AccessLog_TypedConfig{ TypedConfig: accesslogAny, }, - Filter: buildAccessLogFilter(json.CELMatches, defaultLogTypeForListener), + Filter: filter, }) } // handle ALS access logs 
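Review bot: The sequence `accesslogAny, err := proto.ToAnyWithValidation(cfg)`, its error check, `filter, err := buildAccessLogFilter(matches, defaultLogTypeForListener)`, its error check and the append is now repeated with only the message and CEL list varying, in this hunk and in the @@ -199, @@ -245, @@ -254 (TCP branch) and @@ -320 hunks of buildXdsAccessLog. A small unexported helper that takes the config message and the CEL matches, performs the validate-and-marshal plus buildAccessLogFilter steps, and returns the Any, the filter and an error would collapse the five copies and keep the ordering of the two checks in one place. buildXdsAccessLog starts and ends outside this hunk, so the Name field set in each branch is not visible here and would need to stay a per-branch argument.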
@@ -245,7 +273,11 @@ func buildXdsAccessLog(al *ir.AccessLog, accessLogType ir.ProxyAccessLogType) ([ alCfg.AdditionalResponseTrailersToLog = als.HTTP.ResponseTrailers } - accesslogAny, err := protocov.ToAnyWithValidation(alCfg) + accesslogAny, err := proto.ToAnyWithValidation(alCfg) + if err != nil { + return nil, err + } + filter, err := buildAccessLogFilter(als.CELMatches, defaultLogTypeForListener) if err != nil { return nil, err } @@ -254,14 +286,18 @@ func buildXdsAccessLog(al *ir.AccessLog, accessLogType ir.ProxyAccessLogType) ([ ConfigType: &accesslog.AccessLog_TypedConfig{ TypedConfig: accesslogAny, }, - Filter: buildAccessLogFilter(als.CELMatches, defaultLogTypeForListener), + Filter: filter, }) case egv1a1.ALSEnvoyProxyAccessLogTypeTCP: alCfg := &grpcaccesslog.TcpGrpcAccessLogConfig{ CommonConfig: cc, } - accesslogAny, err := protocov.ToAnyWithValidation(alCfg) + accesslogAny, err := proto.ToAnyWithValidation(alCfg) + if err != nil { + return nil, err + } + filter, err := buildAccessLogFilter(als.CELMatches, defaultLogTypeForListener) if err != nil { return nil, err } @@ -270,7 +306,7 @@ func buildXdsAccessLog(al *ir.AccessLog, accessLogType ir.ProxyAccessLogType) ([ ConfigType: &accesslog.AccessLog_TypedConfig{ TypedConfig: accesslogAny, }, - Filter: buildAccessLogFilter(als.CELMatches, defaultLogTypeForListener), + Filter: filter, }) } } @@ -320,7 +356,11 @@ func buildXdsAccessLog(al *ir.AccessLog, accessLogType ir.ProxyAccessLogType) ([ al.Formatters = formatters } - accesslogAny, err := protocov.ToAnyWithValidation(al) + accesslogAny, err := proto.ToAnyWithValidation(al) + if err != nil { + return nil, err + } + filter, err := buildAccessLogFilter(otel.CELMatches, defaultLogTypeForListener) if err != nil { return nil, err } 
@@ -329,44 +369,52 @@ func buildXdsAccessLog(al *ir.AccessLog, accessLogType ir.ProxyAccessLogType) ([ ConfigType: &accesslog.AccessLog_TypedConfig{ TypedConfig: accesslogAny, }, - Filter: buildAccessLogFilter(otel.CELMatches, defaultLogTypeForListener), + Filter: filter, }) } return accessLogs, nil } -func celAccessLogFilter(expr string) *accesslog.AccessLogFilter { +func celAccessLogFilter(expr string) (*accesslog.AccessLogFilter, error) { fl := &cel.ExpressionFilter{ Expression: expr, } + any, err := proto.ToAnyWithValidation(fl) + if err != nil { + return nil, err + } return &accesslog.AccessLogFilter{ FilterSpecifier: &accesslog.AccessLogFilter_ExtensionFilter{ ExtensionFilter: &accesslog.ExtensionFilter{ Name: celFilter, - ConfigType: &accesslog.ExtensionFilter_TypedConfig{TypedConfig: protocov.ToAny(fl)}, + ConfigType: &accesslog.ExtensionFilter_TypedConfig{TypedConfig: any}, }, }, - } + }, nil } -func buildAccessLogFilter(exprs []string, withNoRouteMatchFilter bool) *accesslog.AccessLogFilter { +func buildAccessLogFilter(exprs []string, withNoRouteMatchFilter bool) (*accesslog.AccessLogFilter, error) { // add filter for access logs var filters []*accesslog.AccessLogFilter for _, expr := range exprs { - filters = append(filters, celAccessLogFilter(expr)) + fl, err := celAccessLogFilter(expr) + if err != nil { + return nil, err + } + filters = append(filters, fl) } if withNoRouteMatchFilter { filters = append(filters, listenerAccessLogFilter) } if len(filters) == 0 { - return nil + return nil, nil } if len(filters) == 1 { - return filters[0] + return filters[0], nil } return &accesslog.AccessLogFilter{ @@ -375,7 +423,7 @@ func buildAccessLogFilter(exprs []string, withNoRouteMatchFilter bool) *accesslo Filters: filters, }, }, - } + }, nil } func accessLogTextFormatters(text string) []*cfgcore.TypedExtensionConfig { diff --git a/internal/xds/translator/authorization.go b/internal/xds/translator/authorization.go index e19d1dbaf5..4112d2aed1 100644 
--- a/internal/xds/translator/authorization.go +++ b/internal/xds/translator/authorization.go @@ -26,7 +26,7 @@ import ( egv1a1 "github.com/envoyproxy/gateway/api/v1alpha1" "github.com/envoyproxy/gateway/internal/ir" - "github.com/envoyproxy/gateway/internal/utils/protocov" + "github.com/envoyproxy/gateway/internal/utils/proto" "github.com/envoyproxy/gateway/internal/xds/types" ) @@ -76,7 +76,7 @@ func (*rbac) patchHCM( // buildHCMRBACFilter returns a RBAC filter from the provided IR listener. func buildHCMRBACFilter() (*hcmv3.HttpFilter, error) { rbacProto := &rbacv3.RBAC{} - rbacAny, err := protocov.ToAnyWithValidation(rbacProto) + rbacAny, err := proto.ToAnyWithValidation(rbacProto) if err != nil { return nil, err } @@ -134,7 +134,7 @@ func (*rbac) patchRoute(route *routev3.Route, irRoute *ir.HTTPRoute) error { return err } - if cfgAny, err = protocov.ToAnyWithValidation(rbacPerRoute); err != nil { + if cfgAny, err = proto.ToAnyWithValidation(rbacPerRoute); err != nil { return err } @@ -160,7 +160,7 @@ func buildRBACPerRoute(authorization *ir.Authorization) (*rbacv3.RBACPerRoute, e Name: "ALLOW", Action: rbacconfigv3.RBAC_ALLOW, } - if allowAction, err = protocov.ToAnyWithValidation(allow); err != nil { + if allowAction, err = proto.ToAnyWithValidation(allow); err != nil { return nil, err } @@ -168,7 +168,7 @@ func buildRBACPerRoute(authorization *ir.Authorization) (*rbacv3.RBACPerRoute, e Name: "DENY", Action: rbacconfigv3.RBAC_DENY, } - if denyAction, err = protocov.ToAnyWithValidation(deny); err != nil { + if denyAction, err = proto.ToAnyWithValidation(deny); err != nil { return nil, err } 
@@ -312,11 +312,11 @@ func buildIPPredicate(clientCIDRs []*ir.CIDRMatch) (*matcherv3.Matcher_MatcherLi }) } - if ipMatcher, err = protocov.ToAnyWithValidation(ipRangeMatcher); err != nil { + if ipMatcher, err = proto.ToAnyWithValidation(ipRangeMatcher); err != nil { return nil, err } - if sourceIPInput, err = protocov.ToAnyWithValidation(&networkinput.SourceIPInput{}); err != nil { + if sourceIPInput, err = proto.ToAnyWithValidation(&networkinput.SourceIPInput{}); err != nil { return nil, err } @@ -385,11 +385,11 @@ func buildJWTPredicate(jwt egv1a1.JWTPrincipal) ([]*matcherv3.Matcher_MatcherLis }, } - if inputPb, err = protocov.ToAnyWithValidation(input); err != nil { + if inputPb, err = proto.ToAnyWithValidation(input); err != nil { return nil, err } - if matcherPb, err = protocov.ToAnyWithValidation(scopeMatcher); err != nil { + if matcherPb, err = proto.ToAnyWithValidation(scopeMatcher); err != nil { return nil, err } @@ -450,7 +450,7 @@ func buildJWTPredicate(jwt egv1a1.JWTPrincipal) ([]*matcherv3.Matcher_MatcherLis Path: path, } - if inputPb, err = protocov.ToAnyWithValidation(input); err != nil { + if inputPb, err = proto.ToAnyWithValidation(input); err != nil { return nil, err } @@ -488,7 +488,7 @@ func buildJWTPredicate(jwt egv1a1.JWTPrincipal) ([]*matcherv3.Matcher_MatcherLis } } - if matcherPb, err = protocov.ToAnyWithValidation(&metadatav3.Metadata{ + if matcherPb, err = proto.ToAnyWithValidation(&metadatav3.Metadata{ Value: valueMatcher, }); err != nil { return nil, err diff --git a/internal/xds/translator/basicauth.go b/internal/xds/translator/basicauth.go index 31a421ae8a..4d22377c74 100644 --- a/internal/xds/translator/basicauth.go +++ b/internal/xds/translator/basicauth.go 
@@ -17,7 +17,7 @@ import ( egv1a1 "github.com/envoyproxy/gateway/api/v1alpha1" "github.com/envoyproxy/gateway/internal/ir" - "github.com/envoyproxy/gateway/internal/utils/protocov" + "github.com/envoyproxy/gateway/internal/utils/proto" "github.com/envoyproxy/gateway/internal/xds/types" ) @@ -82,10 +82,8 @@ func buildHCMBasicAuthFilter(basicAuth *ir.BasicAuth) (*hcmv3.HttpFilter, error) }, }, } - if err = basicAuthProto.ValidateAll(); err != nil { - return nil, err - } - if basicAuthAny, err = protocov.ToAnyWithValidation(basicAuthProto); err != nil { + + if basicAuthAny, err = proto.ToAnyWithValidation(basicAuthProto); err != nil { return nil, err } @@ -131,11 +129,7 @@ func (*basicAuth) patchRoute(route *routev3.Route, irRoute *ir.HTTPRoute) error // Overwrite the HCM level filter config with the per route filter config. basicAuthProto := basicAuthPerRouteConfig(irRoute.Security.BasicAuth) - if err = basicAuthProto.ValidateAll(); err != nil { - return err - } - - if basicAuthAny, err = protocov.ToAnyWithValidation(basicAuthProto); err != nil { + if basicAuthAny, err = proto.ToAnyWithValidation(basicAuthProto); err != nil { return err } diff --git a/internal/xds/translator/cluster.go b/internal/xds/translator/cluster.go index c5064c29ee..2d0b333b81 100644 --- a/internal/xds/translator/cluster.go +++ b/internal/xds/translator/cluster.go @@ -30,7 +30,7 @@ import ( egv1a1 "github.com/envoyproxy/gateway/api/v1alpha1" "github.com/envoyproxy/gateway/internal/ir" - "github.com/envoyproxy/gateway/internal/utils/protocov" + "github.com/envoyproxy/gateway/internal/utils/proto" ) const ( 
@@ -520,7 +520,7 @@ func buildTypedExtensionProtocolOptions(args *xdsClusterArgs) map[string]*anypb. if args.http1Settings != nil { http1opts.EnableTrailers = args.http1Settings.EnableTrailers if args.http1Settings.PreserveHeaderCase { - preservecaseAny, _ := protocov.ToAnyWithValidation(&preservecasev3.PreserveCaseFormatterConfig{}) + preservecaseAny, _ := proto.ToAnyWithValidation(&preservecasev3.PreserveCaseFormatterConfig{}) http1opts.HeaderKeyFormat = &corev3.Http1ProtocolOptions_HeaderKeyFormat{ HeaderFormat: &corev3.Http1ProtocolOptions_HeaderKeyFormat_StatefulFormatter{ StatefulFormatter: &corev3.TypedExtensionConfig{ @@ -573,7 +573,7 @@ func buildTypedExtensionProtocolOptions(args *xdsClusterArgs) map[string]*anypb. } } - anyProtocolOptions, _ := protocov.ToAnyWithValidation(&protocolOptions) + anyProtocolOptions, _ := proto.ToAnyWithValidation(&protocolOptions) extensionOptions := map[string]*anypb.Any{ extensionOptionsKey: anyProtocolOptions, @@ -604,7 +604,7 @@ func buildProxyProtocolSocket(proxyProtocol *ir.ProxyProtocol, tSocket *corev3.T // If existing transport socket does not exist wrap around raw buffer if tSocket == nil { rawCtx := &rawbufferv3.RawBuffer{} - rawCtxAny, err := protocov.ToAnyWithValidation(rawCtx) + rawCtxAny, err := proto.ToAnyWithValidation(rawCtx) if err != nil { return nil } @@ -619,7 +619,7 @@ func buildProxyProtocolSocket(proxyProtocol *ir.ProxyProtocol, tSocket *corev3.T ppCtx.TransportSocket = tSocket } - ppCtxAny, err := protocov.ToAnyWithValidation(ppCtx) + ppCtxAny, err := proto.ToAnyWithValidation(ppCtx) if err != nil { return nil } diff --git a/internal/xds/translator/custom_response.go b/internal/xds/translator/custom_response.go index 6cca67982e..0d3bf5b9a3 100644 --- a/internal/xds/translator/custom_response.go +++ b/internal/xds/translator/custom_response.go 
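Review bot: Both `preservecaseAny, _ := proto.ToAnyWithValidation(&preservecasev3.PreserveCaseFormatterConfig{})` and, in the @@ -573 hunk, `anyProtocolOptions, _ := proto.ToAnyWithValidation(&protocolOptions)` discard the error, so a validation failure in the HTTP protocol options silently places a nil *anypb.Any in the returned map instead of surfacing through the error path this commit is introducing. buildTypedExtensionProtocolOptions returns only a map and its signature is outside this hunk, so the smallest change within the hunk is a comment justifying the ignored error or a guard that skips the entry when err != nil; the fuller fix is an error return to the caller. The @@ -604 and @@ -619 hunks in buildProxyProtocolSocket have the related issue of returning a bare nil on error, which drops the validation message entirely. The final tCtx.ValidateAll in translator.go may still flag the resulting cluster, but the report would then lack the cluster-level context available here.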
@@ -24,7 +24,7 @@ import ( egv1a1 "github.com/envoyproxy/gateway/api/v1alpha1" "github.com/envoyproxy/gateway/internal/ir" - "github.com/envoyproxy/gateway/internal/utils/protocov" + "github.com/envoyproxy/gateway/internal/utils/proto" "github.com/envoyproxy/gateway/internal/xds/types" ) @@ -77,16 +77,11 @@ func (c *customResponse) patchHCM(mgr *hcmv3.HttpConnectionManager, irListener * // buildHCMCustomResponseFilter returns an OAuth2 HTTP filter from the provided IR HTTPRoute. func (c *customResponse) buildHCMCustomResponseFilter(ro *ir.ResponseOverride) (*hcmv3.HttpFilter, error) { - proto, err := c.customResponseConfig(ro) + config, err := c.customResponseConfig(ro) if err != nil { return nil, err } - - if err := proto.ValidateAll(); err != nil { - return nil, err - } - - any, err := protocov.ToAnyWithValidation(proto) + any, err := proto.ToAnyWithValidation(config) if err != nil { return nil, err } @@ -238,7 +233,7 @@ func (c *customResponse) buildHTTPAttributeCELInput() (*cncfv3.TypedExtensionCon err error ) - if pb, err = protocov.ToAnyWithValidation(&matcherv3.HttpAttributesCelMatchInput{}); err != nil { + if pb, err = proto.ToAnyWithValidation(&matcherv3.HttpAttributesCelMatchInput{}); err != nil { return nil, err } @@ -254,7 +249,7 @@ func (c *customResponse) buildStatusCodeInput() (*cncfv3.TypedExtensionConfig, e err error ) - if pb, err = protocov.ToAnyWithValidation(&envoymatcherv3.HttpResponseStatusCodeMatchInput{}); err != nil { + if pb, err = proto.ToAnyWithValidation(&envoymatcherv3.HttpResponseStatusCodeMatchInput{}); err != nil { return nil, err } @@ -361,11 +356,7 @@ func (c *customResponse) buildStatusCodeCELMatcher(codeRange ir.StatusCodeRange) }, }, } - if err := matcher.ValidateAll(); err != nil { - return nil, err - } - - if pb, err = protocov.ToAnyWithValidation(matcher); err != nil { + if pb, err = proto.ToAnyWithValidation(matcher); err != nil { return nil, err } 
@@ -400,11 +391,7 @@ func (c *customResponse) buildAction(r ir.ResponseOverrideRule) (*matcherv3.Matc err error ) - if err := response.ValidateAll(); err != nil { - return nil, err - } - - if pb, err = protocov.ToAnyWithValidation(response); err != nil { + if pb, err = proto.ToAnyWithValidation(response); err != nil { return nil, err } diff --git a/internal/xds/translator/extauth.go b/internal/xds/translator/extauth.go index 2f8766fe91..9acd4102ba 100644 --- a/internal/xds/translator/extauth.go +++ b/internal/xds/translator/extauth.go @@ -72,10 +72,6 @@ func (*extAuth) patchHCM(mgr *hcmv3.HttpConnectionManager, irListener *ir.HTTPLi // buildHCMExtAuthFilter returns an ext_authz HTTP filter from the provided IR HTTPRoute. func buildHCMExtAuthFilter(extAuth *ir.ExtAuth) (*hcmv3.HttpFilter, error) { extAuthProto := extAuthConfig(extAuth) - if err := extAuthProto.ValidateAll(); err != nil { - return nil, err - } - extAuthAny, err := anypb.New(extAuthProto) if err != nil { return nil, err diff --git a/internal/xds/translator/extproc.go b/internal/xds/translator/extproc.go index 57cc9634d0..840f99e889 100644 --- a/internal/xds/translator/extproc.go +++ b/internal/xds/translator/extproc.go @@ -69,10 +69,6 @@ func (*extProc) patchHCM(mgr *hcmv3.HttpConnectionManager, irListener *ir.HTTPLi // buildHCMExtProcFilter returns an ext_proc HTTP filter from the provided IR HTTPRoute. func buildHCMExtProcFilter(extProc ir.ExtProc) (*hcmv3.HttpFilter, error) { extAuthProto := extProcConfig(extProc) - if err := extAuthProto.ValidateAll(); err != nil { - return nil, err - } - extAuthAny, err := anypb.New(extAuthProto) if err != nil { return nil, err diff --git a/internal/xds/translator/fault.go b/internal/xds/translator/fault.go index 192ce5bf8e..2647264d96 100644 --- a/internal/xds/translator/fault.go +++ b/internal/xds/translator/fault.go 
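Review bot: This hunk removes the `extAuthProto.ValidateAll()` call but keeps `anypb.New`, unlike the other files in this patch that switch to `proto.ToAnyWithValidation`; the message is therefore validated only by the final tCtx.ValidateAll in translator.go, where a failure is reported without the ext_authz filter context it had here. The same applies to extproc.go (buildHCMExtProcFilter), healthcheck.go (buildHealthCheckFilter) and wasm.go (buildHCMWasmFilter). A one-line swap restores the per-filter check, `extAuthAny, err := proto.ToAnyWithValidation(extAuthProto)`, which needs the internal/utils/proto import that is outside this hunk. If the intent is to make the table-level validation the single check point, a comment at the removed line saying so would make that deliberate rather than an omission.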
@@ -20,7 +20,7 @@ import ( egv1a1 "github.com/envoyproxy/gateway/api/v1alpha1" "github.com/envoyproxy/gateway/internal/ir" - "github.com/envoyproxy/gateway/internal/utils/protocov" + "github.com/envoyproxy/gateway/internal/utils/proto" "github.com/envoyproxy/gateway/internal/xds/types" ) @@ -67,12 +67,7 @@ func (*fault) patchHCM(mgr *hcmv3.HttpConnectionManager, irListener *ir.HTTPList // buildHCMFaultFilter returns a basic_auth HTTP filter from the provided IR HTTPRoute. func buildHCMFaultFilter() (*hcmv3.HttpFilter, error) { faultProto := &xdshttpfaultv3.HTTPFault{} - - if err := faultProto.ValidateAll(); err != nil { - return nil, err - } - - faultAny, err := protocov.ToAnyWithValidation(faultProto) + faultAny, err := proto.ToAnyWithValidation(faultProto) if err != nil { return nil, err } @@ -166,7 +161,7 @@ func (*fault) patchRoute(route *routev3.Route, irRoute *ir.HTTPRoute) error { return nil } - routeCfgAny, err := protocov.ToAnyWithValidation(routeCfgProto) + routeCfgAny, err := proto.ToAnyWithValidation(routeCfgProto) if err != nil { return err } diff --git a/internal/xds/translator/healthcheck.go b/internal/xds/translator/healthcheck.go index 3356730a6e..c44484a6ad 100644 --- a/internal/xds/translator/healthcheck.go +++ b/internal/xds/translator/healthcheck.go @@ -82,9 +82,6 @@ func buildHealthCheckFilter(healthCheck *ir.HealthCheckSettings) (*hcmv3.HttpFil }}, } - if err = healthCheckProto.ValidateAll(); err != nil { - return nil, err - } if healthCheckAny, err = anypb.New(healthCheckProto); err != nil { return nil, err } diff --git a/internal/xds/translator/httpfilters.go b/internal/xds/translator/httpfilters.go index 1b994fba66..d54c1cc0c0 100644 --- a/internal/xds/translator/httpfilters.go +++ b/internal/xds/translator/httpfilters.go 
@@ -272,7 +272,11 @@ func (t *Translator) patchHCMWithFilters( } if !hasRouter { headerSettings := ptr.Deref(irListener.Headers, ir.HeaderSettings{}) - mgr.HttpFilters = append(mgr.HttpFilters, filters.GenerateRouterFilter(headerSettings.EnableEnvoyHeaders)) + routerFilter, err := filters.GenerateRouterFilter(headerSettings.EnableEnvoyHeaders) + if err != nil { + return err + } + mgr.HttpFilters = append(mgr.HttpFilters, routerFilter) } // Sort the filters in the correct order. diff --git a/internal/xds/translator/jwt.go b/internal/xds/translator/jwt.go index bc3e8d1b16..886e5f6fde 100644 --- a/internal/xds/translator/jwt.go +++ b/internal/xds/translator/jwt.go @@ -22,7 +22,7 @@ import ( egv1a1 "github.com/envoyproxy/gateway/api/v1alpha1" "github.com/envoyproxy/gateway/internal/ir" - "github.com/envoyproxy/gateway/internal/utils/protocov" + "github.com/envoyproxy/gateway/internal/utils/proto" "github.com/envoyproxy/gateway/internal/xds/types" ) @@ -77,7 +77,7 @@ func buildHCMJWTFilter(irListener *ir.HTTPListener) (*hcmv3.HttpFilter, error) { return nil, err } - jwtAuthnAny, err := protocov.ToAnyWithValidation(jwtAuthnProto) + jwtAuthnAny, err := proto.ToAnyWithValidation(jwtAuthnProto) if err != nil { return nil, err } @@ -210,7 +210,7 @@ func buildXdsUpstreamTLSSocket(sni string) (*corev3.TransportSocket, error) { }, } - tlsCtxAny, err := protocov.ToAnyWithValidation(tlsCtxProto) + tlsCtxAny, err := proto.ToAnyWithValidation(tlsCtxProto) if err != nil { return nil, err } @@ -243,7 +243,7 @@ func (*jwt) patchRoute(route *routev3.Route, irRoute *ir.HTTPRoute) error { RequirementSpecifier: &jwtauthnv3.PerRouteConfig_RequirementName{RequirementName: irRoute.Name}, } - routeCfgAny, err := protocov.ToAnyWithValidation(routeCfgProto) + routeCfgAny, err := proto.ToAnyWithValidation(routeCfgProto) if err != nil { return err } diff --git a/internal/xds/translator/oidc.go b/internal/xds/translator/oidc.go index c51bbd7549..b13f81753c 100644 
--- a/internal/xds/translator/oidc.go +++ b/internal/xds/translator/oidc.go @@ -21,7 +21,7 @@ import ( egv1a1 "github.com/envoyproxy/gateway/api/v1alpha1" "github.com/envoyproxy/gateway/internal/ir" - "github.com/envoyproxy/gateway/internal/utils/protocov" + "github.com/envoyproxy/gateway/internal/utils/proto" "github.com/envoyproxy/gateway/internal/xds/types" ) @@ -79,11 +79,7 @@ func buildHCMOAuth2Filter(oidc *ir.OIDC) (*hcmv3.HttpFilter, error) { return nil, err } - if err := oauth2Proto.ValidateAll(); err != nil { - return nil, err - } - - OAuth2Any, err := protocov.ToAnyWithValidation(oauth2Proto) + OAuth2Any, err := proto.ToAnyWithValidation(oauth2Proto) if err != nil { return nil, err } diff --git a/internal/xds/translator/route.go b/internal/xds/translator/route.go index 414e76b836..ad41f43628 100644 --- a/internal/xds/translator/route.go +++ b/internal/xds/translator/route.go @@ -19,7 +19,7 @@ import ( metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" "github.com/envoyproxy/gateway/internal/ir" - "github.com/envoyproxy/gateway/internal/utils/protocov" + "github.com/envoyproxy/gateway/internal/utils/proto" ) const ( @@ -574,6 +574,11 @@ func buildHashPolicy(httpRoute *ir.HTTPRoute) []*routev3.RouteAction_HashPolicy func buildRetryPolicy(route *ir.HTTPRoute) (*routev3.RetryPolicy, error) { rr := route.Traffic.Retry + anyCfg, err := proto.ToAnyWithValidation(&previoushost.PreviousHostsPredicate{}) + if err != nil { + return nil, err + } + rp := &routev3.RetryPolicy{ RetryOn: retryDefaultRetryOn, RetriableStatusCodes: []uint32{retryDefaultRetriableStatusCode}, @@ -582,7 +587,7 @@ func buildRetryPolicy(route *ir.HTTPRoute) (*routev3.RetryPolicy, error) { { Name: "envoy.retry_host_predicates.previous_hosts", ConfigType: &routev3.RetryPolicy_RetryHostPredicate_TypedConfig{ - TypedConfig: protocov.ToAny(&previoushost.PreviousHostsPredicate{}), + TypedConfig: anyCfg, }, }, }, 
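Review bot: `proto.ToAnyWithValidation(&previoushost.PreviousHostsPredicate{})` is now executed once per route on every translation although the message is a field-less constant; the rest of this patch handles such constants by marshaling them once in an init function (wellknown.go, accesslog.go). Hoisting it the same way would remove a per-route marshal and an error path that presumably cannot fail on user input; if it stays inline, placing the call directly above `rp := &routev3.RetryPolicy{` keeps `rr := route.Traffic.Retry` next to its use. buildRetryPolicy continues past the hunk, so where rr is consumed is not visible here.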
diff --git a/internal/xds/translator/tracing.go b/internal/xds/translator/tracing.go index ee3f4f5e90..5681fa442f 100644 --- a/internal/xds/translator/tracing.go +++ b/internal/xds/translator/tracing.go @@ -20,7 +20,7 @@ import ( egv1a1 "github.com/envoyproxy/gateway/api/v1alpha1" "github.com/envoyproxy/gateway/internal/ir" - "github.com/envoyproxy/gateway/internal/utils/protocov" + "github.com/envoyproxy/gateway/internal/utils/proto" "github.com/envoyproxy/gateway/internal/xds/types" ) @@ -49,7 +49,7 @@ func buildHCMTracing(tracing *ir.Tracing) (*hcm.HttpConnectionManager_Tracing, e ServiceName: tracing.ServiceName, CollectorCluster: tracing.Destination.Name, } - return protocov.ToAnyWithValidation(config) + return proto.ToAnyWithValidation(config) } case egv1a1.TracingProviderTypeOpenTelemetry: providerName = envoyOpenTelemetry @@ -67,7 +67,7 @@ func buildHCMTracing(tracing *ir.Tracing) (*hcm.HttpConnectionManager_Tracing, e ServiceName: tracing.ServiceName, } - return protocov.ToAnyWithValidation(config) + return proto.ToAnyWithValidation(config) } case egv1a1.TracingProviderTypeZipkin: providerName = envoyZipkin @@ -81,7 +81,7 @@ func buildHCMTracing(tracing *ir.Tracing) (*hcm.HttpConnectionManager_Tracing, e CollectorEndpointVersion: tracecfg.ZipkinConfig_HTTP_JSON, } - return protocov.ToAnyWithValidation(config) + return proto.ToAnyWithValidation(config) } default: return nil, fmt.Errorf("unknown tracing provider type: %s", tracing.Provider.Type) diff --git a/internal/xds/translator/translator.go b/internal/xds/translator/translator.go index 1e0ae77e91..cb7d581247 100644 --- a/internal/xds/translator/translator.go +++ b/internal/xds/translator/translator.go 
@@ -21,7 +21,7 @@ import (
 matcherv3 "github.com/envoyproxy/go-control-plane/envoy/type/matcher/v3"
 resourcev3 "github.com/envoyproxy/go-control-plane/pkg/resource/v3"
 "github.com/envoyproxy/go-control-plane/pkg/wellknown"
- "google.golang.org/protobuf/proto"
+ protobuf "google.golang.org/protobuf/proto"
 "google.golang.org/protobuf/types/known/anypb"
 "google.golang.org/protobuf/types/known/wrapperspb"
 "k8s.io/apimachinery/pkg/util/sets"
@@ -30,7 +30,7 @@ import (
 extensionTypes "github.com/envoyproxy/gateway/internal/extension/types"
 "github.com/envoyproxy/gateway/internal/ir"
 "github.com/envoyproxy/gateway/internal/utils"
- "github.com/envoyproxy/gateway/internal/utils/protocov"
+ "github.com/envoyproxy/gateway/internal/utils/proto"
 "github.com/envoyproxy/gateway/internal/xds/types"
 )
@@ -122,6 +122,12 @@ func (t *Translator) Translate(xdsIR *ir.Xds) (*types.ResourceVersionTable, erro
 errs = errors.Join(errs, err)
 }
+ // Validate all the xds resources in the table before returning
+ // This is necessary to catch any misconfigurations that might have been missed during translation
+ if err := tCtx.ValidateAll(); err != nil {
+ errs = errors.Join(errs, err)
+ }
+
 return tCtx, errs
 }
@@ -524,7 +530,7 @@ func (t *Translator) addHTTPFiltersToHCM(filterChain *listenerv3.FilterChain, ht
 for i, filter := range filterChain.Filters {
 if filter.Name == wellknown.HTTPConnectionManager {
 var mgrAny *anypb.Any
- if mgrAny, err = protocov.ToAnyWithValidation(hcm); err != nil {
+ if mgrAny, err = proto.ToAnyWithValidation(hcm); err != nil {
 return err
 }
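Review bot: The new comment in Translate ("misconfigurations that might have been missed during translation") does not say why a second pass is needed, since every resource is already validated by `proto.Validate` when it enters the table through AddXdsResource (see the resourceversiontable.go hunk). What appears to justify the pass is that resources are mutated in place after insertion, e.g. addHTTPFiltersToHCM in the hunk below rewrites a listener's filter chain; if that is the reason, state it: `// Resources are mutated in place after AddXdsResource (e.g. HCM filter patching), so re-validate the whole table before handing it out.` Note also that Translate still returns `tCtx` together with the joined error, so whether a table with validation failures is discarded depends on the caller, which is outside this hunk.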
@@ -543,7 +549,7 @@ func findHCMinFilterChain(filterChain *listenerv3.FilterChain) (*hcmv3.HttpConne
 for _, filter := range filterChain.Filters {
 if filter.Name == wellknown.HTTPConnectionManager {
 hcm := &hcmv3.HttpConnectionManager{}
- if err := anypb.UnmarshalTo(filter.GetTypedConfig(), hcm, proto.UnmarshalOptions{}); err != nil {
+ if err := anypb.UnmarshalTo(filter.GetTypedConfig(), hcm, protobuf.UnmarshalOptions{}); err != nil {
 return nil, err
 }
 return hcm, nil
@@ -957,7 +963,7 @@ func buildXdsUpstreamTLSSocketWthCert(tlsConfig *ir.TLSUpstreamConfig) (*corev3.
 }
 }
- tlsCtxAny, err := protocov.ToAnyWithValidation(tlsCtx)
+ tlsCtxAny, err := proto.ToAnyWithValidation(tlsCtx)
 if err != nil {
 return nil, err
 }
diff --git a/internal/xds/translator/wasm.go b/internal/xds/translator/wasm.go
index b8777e3805..ec8ef4b825 100644
--- a/internal/xds/translator/wasm.go
+++ b/internal/xds/translator/wasm.go
@@ -80,9 +80,6 @@ func buildHCMWasmFilter(wasm ir.Wasm) (*hcmv3.HttpFilter, error) {
 if wasmProto, err = wasmConfig(wasm); err != nil {
 return nil, err
 }
- if err = wasmProto.ValidateAll(); err != nil {
- return nil, err
- }
 if wasmAny, err = anypb.New(wasmProto); err != nil {
 return nil, err
 }
diff --git a/internal/xds/types/resourceversiontable.go b/internal/xds/types/resourceversiontable.go
index 2f7a7926bd..5af8a4f71b 100644
--- a/internal/xds/types/resourceversiontable.go
+++ b/internal/xds/types/resourceversiontable.go
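Review bot: The wasm.go hunk removes `wasmProto.ValidateAll()` but keeps `anypb.New(wasmProto)`, so the wasm filter config is no longer validated anywhere: the table-level `ValidateAll` added in this commit validates the Listener, and as far as I know the generated validators do not unpack the typed_config `Any` inside the HCM, so a bad wasm config would only surface when Envoy rejects the snapshot. Every other call site in this series switched to the validating helper; this one should too: `if wasmAny, err = proto.ToAnyWithValidation(wasmProto); err != nil {`. That needs the `internal/utils/proto` import in wasm.go, which this hunk does not show. buildHCMWasmFilter continues outside the hunk.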
@@ -6,18 +6,15 @@ package types
 import (
+ "errors"
 "fmt"
- clusterv3 "github.com/envoyproxy/go-control-plane/envoy/config/cluster/v3"
- endpointv3 "github.com/envoyproxy/go-control-plane/envoy/config/endpoint/v3"
- listenerv3 "github.com/envoyproxy/go-control-plane/envoy/config/listener/v3"
- routev3 "github.com/envoyproxy/go-control-plane/envoy/config/route/v3"
- tlsv3 "github.com/envoyproxy/go-control-plane/envoy/extensions/transport_sockets/tls/v3"
 "github.com/envoyproxy/go-control-plane/pkg/cache/types"
 resourcev3 "github.com/envoyproxy/go-control-plane/pkg/resource/v3"
- "google.golang.org/protobuf/proto"
+ protobuf "google.golang.org/protobuf/proto"
 "github.com/envoyproxy/gateway/internal/ir"
+ "github.com/envoyproxy/gateway/internal/utils/proto"
 )
 // XdsResources represents all the xds resources
@@ -50,7 +47,7 @@ func (t *ResourceVersionTable) DeepCopyInto(out *ResourceVersionTable) {
 in, out := &val, &outVal //nolint:gosec,scopelint
 *out = make([]types.Resource, len(*in))
 for i := range *in {
- (*out)[i] = proto.Clone((*in)[i])
+ (*out)[i] = protobuf.Clone((*in)[i])
 }
 }
 (*out)[key] = outVal
@@ -81,62 +78,8 @@ func (t *ResourceVersionTable) AddXdsResource(rType resourcev3.Type, xdsResource
 return fmt.Errorf("xds resource is nil")
 }
- // Perform type switch to handle different types of xdsResource
- switch rType {
- case resourcev3.ListenerType:
- // Handle Type specific operations
- if resourceOfType, ok := xdsResource.(*listenerv3.Listener); ok {
- if err := resourceOfType.ValidateAll(); err != nil {
- return fmt.Errorf("validation failed for xds resource %+v, err: %w", xdsResource, err)
- }
- } else {
- return fmt.Errorf("failed to cast xds resource %+v to Listener type", xdsResource)
- }
- case resourcev3.RouteType:
- // Handle Type specific operations
- if resourceOfType, ok := xdsResource.(*routev3.RouteConfiguration); ok {
- if err := resourceOfType.ValidateAll(); err != nil {
- return fmt.Errorf("validation failed for xds resource %+v, err: %w", xdsResource, err)
- }
- } else {
- return fmt.Errorf("failed to cast xds resource %+v to RouteConfiguration type", xdsResource)
- }
-
- case resourcev3.SecretType:
- // Handle specific operations
- if resourceOfType, ok := xdsResource.(*tlsv3.Secret); ok {
- if err := resourceOfType.ValidateAll(); err != nil {
- return fmt.Errorf("validation failed for xds resource %+v, err: %w", xdsResource, err)
- }
- } else {
- return fmt.Errorf("failed to cast xds resource %+v to Secret type", xdsResource)
- }
-
- case resourcev3.EndpointType:
- if resourceOfType, ok := xdsResource.(*endpointv3.ClusterLoadAssignment); ok {
- if err := resourceOfType.ValidateAll(); err != nil {
- return fmt.Errorf("validation failed for xds resource %+v, err: %w", xdsResource, err)
- }
- } else {
- return fmt.Errorf("failed to cast xds resource %+v to ClusterLoadAssignment type", xdsResource)
- }
-
- case resourcev3.ClusterType:
- // Handle specific operations
- if resourceOfType, ok := xdsResource.(*clusterv3.Cluster); ok {
- if err := resourceOfType.ValidateAll(); err != nil {
- return fmt.Errorf("validation failed for xds resource 
%+v, err: %w", xdsResource, err)
- }
- } else {
- return fmt.Errorf("failed to cast xds resource %+v to Cluster type", xdsResource)
- }
- case resourcev3.RateLimitConfigType:
- // Handle specific operations
- // cfg resource from runner.go is the RateLimitConfig type from "github.com/envoyproxy/go-control-plane/ratelimit/config/ratelimit/v3", which does have validate function.
-
- // Add more cases for other types as needed
- default:
- // Handle the case when the type is not recognized or supported
+ if err := proto.Validate(xdsResource); err != nil {
+ return fmt.Errorf("validation failed for xds resource %+v, err: %w", xdsResource, err)
 }
 if t.XdsResources == nil {
@@ -150,6 +93,20 @@ func (t *ResourceVersionTable) AddXdsResource(rType resourcev3.Type, xdsResource
 return nil
 }
+// ValidateAll validates all the xds resources in the ResourceVersionTable
+func (t *ResourceVersionTable) ValidateAll() error {
+ var errs error
+
+ for _, xdsResource := range t.XdsResources {
+ for _, resource := range xdsResource {
+ if err := proto.Validate(resource); err != nil {
+ errs = errors.Join(errs, err)
+ }
+ }
+ }
+ return errs
+}
+
 // AddOrReplaceXdsResource will update an existing resource of rType according to matchFunc or add as a new resource
 // if none satisfy the match criteria. It will only update the first match it finds, regardless
 // if multiple resources satisfy the match criteria.
From 153f1569dab89085b90129498721d405111d7d3d Mon Sep 17 00:00:00 2001 From: tobrien-nydig <100732440+tobrien-nydig@users.noreply.github.com> Date: Fri, 21 Feb 2025 16:08:59 -0800 Subject: [PATCH 02/10] fix: Allow weights to be zero on endpoints (#5278) * fix: Allow weights to be zero on endpoints Signed-off-by: Tim OBrien * chore: bump go to 1.24 (#5287) * chore: bump go to 1.24 Signed-off-by: zirain * fix Signed-off-by: zirain --------- Signed-off-by: zirain
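Review bot: AddXdsResource no longer checks that `xdsResource` matches `rType`: the removed type assertions returned "failed to cast ..." when a resource was registered under the wrong type URL, while the new `proto.Validate(xdsResource)` accepts any message, so a mismatch is now silently stored and only surfaces when Envoy rejects the snapshot. If every rType in use is the message's type URL, a one-line guard keeps the old protection without the per-type switch: `if rType != resourcev3.Type("type.googleapis.com/"+string(xdsResource.ProtoReflect().Descriptor().FullName())) { return fmt.Errorf("xds resource %s does not match type %s", xdsResource.ProtoReflect().Descriptor().FullName(), rType) }`. Separately, the kept `%+v` formats the entire message into the error; the removed SecretType branch shows tlsv3.Secret resources pass through here, so a validation failure on a secret would print its contents into logs — identifying the resource by type URL and name instead is safer. The rest of AddXdsResource continues outside the hunk.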
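Review bot: ValidateAll joins the raw validator errors without saying which resource or resource type failed, unlike AddXdsResource in the hunk above, which wraps with context; on a table with hundreds of resources the joined error is hard to act on. Range over the map key as well and wrap each error, e.g. `for rType, resources := range t.XdsResources {` and `errs = errors.Join(errs, fmt.Errorf("validation failed for %s resource: %w", rType, err))`. The doc comment should also say that the method validates every resource and returns all failures joined rather than stopping at the first.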
Signed-off-by: Tim OBrien * build(deps): bump sigs.k8s.io/kind from 0.26.0 to 0.27.0 in /tools/src/kind (#5295) build(deps): bump sigs.k8s.io/kind in /tools/src/kind Bumps [sigs.k8s.io/kind](https://github.com/kubernetes-sigs/kind) from 0.26.0 to 0.27.0. - [Release notes](https://github.com/kubernetes-sigs/kind/releases) - [Commits](https://github.com/kubernetes-sigs/kind/compare/v0.26.0...v0.27.0) --- updated-dependencies: - dependency-name: sigs.k8s.io/kind dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Tim OBrien * build(deps): bump helm.sh/helm/v3 from 3.17.0 to 3.17.1 (#5291) Bumps [helm.sh/helm/v3](https://github.com/helm/helm) from 3.17.0 to 3.17.1. - [Release notes](https://github.com/helm/helm/releases) - [Commits](https://github.com/helm/helm/compare/v3.17.0...v3.17.1) --- updated-dependencies: - dependency-name: helm.sh/helm/v3 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> 
Signed-off-by: Tim OBrien * build(deps): bump the golang-org group across 2 directories with 1 update (#5290) Bumps the golang-org group with 1 update in the / directory: [golang.org/x/net](https://github.com/golang/net). Bumps the golang-org group with 1 update in the /examples/extension-server directory: [golang.org/x/net](https://github.com/golang/net). Updates `golang.org/x/net` from 0.34.0 to 0.35.0 - [Commits](https://github.com/golang/net/compare/v0.34.0...v0.35.0) Updates `golang.org/x/net` from 0.34.0 to 0.35.0 - [Commits](https://github.com/golang/net/compare/v0.34.0...v0.35.0) --- updated-dependencies: - dependency-name: golang.org/x/net dependency-type: direct:production update-type: version-update:semver-minor dependency-group: golang-org - dependency-name: golang.org/x/net dependency-type: indirect update-type: version-update:semver-minor dependency-group: golang-org ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Tim OBrien * build(deps): bump github.com/golangci/golangci-lint from 1.63.4 to 1.64.5 in /tools/src/golangci-lint (#5294) build(deps): bump github.com/golangci/golangci-lint Bumps [github.com/golangci/golangci-lint](https://github.com/golangci/golangci-lint) from 1.63.4 to 1.64.5. - [Release notes](https://github.com/golangci/golangci-lint/releases) - [Changelog](https://github.com/golangci/golangci-lint/blob/master/CHANGELOG.md) - [Commits](https://github.com/golangci/golangci-lint/compare/v1.63.4...v1.64.5) --- updated-dependencies: - dependency-name: github.com/golangci/golangci-lint dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Tim OBrien * Add test case Signed-off-by: Tim OBrien * Add test case Signed-off-by: Tim OBrien * one more test Signed-off-by: Tim OBrien * one more test 
Signed-off-by: Tim OBrien * remove Signed-off-by: Tim OBrien * Found the bug for real Signed-off-by: Tim OBrien * Focus on gatewayapi Signed-off-by: Tim OBrien * cleanup Signed-off-by: Tim OBrien * cleanup Signed-off-by: Tim OBrien * build(deps): bump github.com/evanphx/json-patch/v5 from 5.9.0 to 5.9.11 (#5293) Bumps [github.com/evanphx/json-patch/v5](https://github.com/evanphx/json-patch) from 5.9.0 to 5.9.11. - [Release notes](https://github.com/evanphx/json-patch/releases) - [Commits](https://github.com/evanphx/json-patch/compare/v5.9.0...v5.9.11) --- updated-dependencies: - dependency-name: github.com/evanphx/json-patch/v5 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Tim OBrien * api: BackendTrafficPolicy DNSLookupFamily (#5249) * api: BackendTrafficPolicy DNSLookupFamily Signed-off-by: Guy Daich * fix api Signed-off-by: Guy Daich * fix enum Signed-off-by: Guy Daich --------- Signed-off-by: Guy Daich Signed-off-by: Tim OBrien * clean up logic on if Signed-off-by: Tim OBrien * Update logic and add udp tests Signed-off-by: Tim OBrien * fix udp tests Signed-off-by: Tim OBrien * chore: ignore `sched.co` (#5305) chore: ignore Signed-off-by: zirain Signed-off-by: Tim OBrien * newline Signed-off-by: Tim OBrien --------- Signed-off-by: Tim OBrien Signed-off-by: zirain Signed-off-by: dependabot[bot] Signed-off-by: Guy Daich Signed-off-by: tobrien-nydig <100732440+tobrien-nydig@users.noreply.github.com> Co-authored-by: zirain Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Guy Daich (cherry picked from commit 1f9a1bd37afccaef55ba130e8edbac3197d2fef8) 
Signed-off-by: Huabing (Robin) Zhao --- internal/gatewayapi/route.go | 14 +- ...multiple-backends-and-zero-weights.in.yaml | 39 +++++ ...ultiple-backends-and-zero-weights.out.yaml | 134 ++++++++++++++++++ ...multiple-backends-and-zero-weights.in.yaml | 39 +++++ ...ultiple-backends-and-zero-weights.out.yaml | 134 ++++++++++++++++++ 5 files changed, 352 insertions(+), 8 deletions(-) create mode 100644 internal/gatewayapi/testdata/tcproute-rule-with-multiple-backends-and-zero-weights.in.yaml create mode 100644 internal/gatewayapi/testdata/tcproute-rule-with-multiple-backends-and-zero-weights.out.yaml create mode 100644 internal/gatewayapi/testdata/udproute-rule-with-multiple-backends-and-zero-weights.in.yaml create mode 100644 internal/gatewayapi/testdata/udproute-rule-with-multiple-backends-and-zero-weights.out.yaml
diff --git a/internal/gatewayapi/route.go b/internal/gatewayapi/route.go
index a9ef69f576..cbf15e6abc 100644
--- a/internal/gatewayapi/route.go
+++ b/internal/gatewayapi/route.go
@@ -949,11 +949,10 @@ func (t *Translator) processUDPRouteParentRefs(udpRoute *UDPRouteContext, resour
 for _, backendRef := range udpRoute.Spec.Rules[0].BackendRefs {
 ds := t.processDestination(backendRef, parentRef, udpRoute, resources)
- if ds == nil {
- continue
+ // Skip nil destination settings
+ if ds != nil {
+ destSettings = append(destSettings, ds)
 }
-
- destSettings = append(destSettings, ds)
 }
 // If no negative condition has been set for ResolvedRefs, set "ResolvedRefs=True"
@@ -1082,11 +1081,10 @@ func (t *Translator) processTCPRouteParentRefs(tcpRoute *TCPRouteContext, resour
 for _, backendRef := range tcpRoute.Spec.Rules[0].BackendRefs {
 ds := t.processDestination(backendRef, parentRef, tcpRoute, resources)
- if ds == nil {
- continue
+ // Skip nil destination settings
+ if ds != nil {
+ destSettings = append(destSettings, ds)
 }
-
- destSettings = append(destSettings, ds)
 }
 // If no negative condition has been set for ResolvedRefs, set "ResolvedRefs=True"
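Review bot: The rewritten loop in processUDPRouteParentRefs is behaviour-identical to the removed `if ds == nil { continue }` form, so the zero-weight handling this commit describes must live in processDestination, which is outside the diff; the same applies to the processTCPRouteParentRefs hunk below. The added comment `// Skip nil destination settings` only restates the condition; saying why processDestination returns nil would help the next reader, and the new testdata suggests (inferred, not visible in code) that a backend with `weight: 0` is one such case, e.g. `// processDestination returns nil for backends that contribute no traffic (e.g. weight 0); drop them from the settings`. Whether a rule whose backends all yield nil leaves `destSettings` empty and how that is handled is outside both hunks. Both enclosing functions start and end outside the hunks.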
diff --git a/internal/gatewayapi/testdata/tcproute-rule-with-multiple-backends-and-zero-weights.in.yaml b/internal/gatewayapi/testdata/tcproute-rule-with-multiple-backends-and-zero-weights.in.yaml new file mode 100644 index 0000000000..af361628fa --- /dev/null +++ b/internal/gatewayapi/testdata/tcproute-rule-with-multiple-backends-and-zero-weights.in.yaml @@ -0,0 +1,39 @@ +gateways: + - apiVersion: gateway.networking.k8s.io/v1 + kind: Gateway + metadata: + namespace: envoy-gateway + name: gateway-1 + spec: + gatewayClassName: envoy-gateway-class + listeners: + - name: tcp + protocol: TCP + port: 90 + allowedRoutes: + namespaces: + from: All +tcpRoutes: + - apiVersion: gateway.networking.k8s.io/v1alpha2 + kind: TCPRoute + metadata: + namespace: default + name: tcproute-1 + spec: + parentRefs: + - namespace: envoy-gateway + name: gateway-1 + rules: + - backendRefs: + - name: service-1 + port: 8080 + weight: 1 + - name: service-2 + port: 8080 + weight: 2 + - name: service-3 + port: 8080 + weight: 3 + - name: service-4 + port: 8080 + weight: 0 diff --git a/internal/gatewayapi/testdata/tcproute-rule-with-multiple-backends-and-zero-weights.out.yaml b/internal/gatewayapi/testdata/tcproute-rule-with-multiple-backends-and-zero-weights.out.yaml new file mode 100644 index 0000000000..bd9d641561 --- /dev/null +++ b/internal/gatewayapi/testdata/tcproute-rule-with-multiple-backends-and-zero-weights.out.yaml 
@@ -0,0 +1,134 @@ +gateways: +- apiVersion: gateway.networking.k8s.io/v1 + kind: Gateway + metadata: + creationTimestamp: null + name: gateway-1 + namespace: envoy-gateway + spec: + gatewayClassName: envoy-gateway-class + listeners: + - allowedRoutes: + namespaces: + from: All + name: tcp + port: 90 + protocol: TCP + status: + listeners: + - attachedRoutes: 1 + conditions: + - lastTransitionTime: null + message: Sending translated listener configuration to the data plane + reason: Programmed + status: "True" + type: Programmed + - lastTransitionTime: null + message: Listener has been successfully translated + reason: Accepted + status: "True" + type: Accepted + - lastTransitionTime: null + message: Listener references have been resolved + reason: ResolvedRefs + status: "True" + type: ResolvedRefs + name: tcp + supportedKinds: + - group: gateway.networking.k8s.io + kind: TCPRoute +infraIR: + envoy-gateway/gateway-1: + proxy: + listeners: + - address: null + name: envoy-gateway/gateway-1/tcp + ports: + - containerPort: 10090 + name: tcp-90 + protocol: TCP + servicePort: 90 + metadata: + labels: + gateway.envoyproxy.io/owning-gateway-name: gateway-1 + gateway.envoyproxy.io/owning-gateway-namespace: envoy-gateway + name: envoy-gateway/gateway-1 +tcpRoutes: +- apiVersion: gateway.networking.k8s.io/v1alpha2 + kind: TCPRoute + metadata: + creationTimestamp: null + name: tcproute-1 + namespace: default + spec: + parentRefs: + - name: gateway-1 + namespace: envoy-gateway + rules: + - backendRefs: + - name: service-1 + port: 8080 + weight: 1 + - name: service-2 + port: 8080 + weight: 2 + - name: service-3 + port: 8080 + weight: 3 + - name: service-4 + port: 8080 + weight: 0 + status: + parents: + - conditions: + - lastTransitionTime: null + message: Route is accepted + reason: Accepted + status: "True" + type: Accepted + - lastTransitionTime: null + message: Resolved all the Object references for the Route + reason: ResolvedRefs + status: "True" + type: ResolvedRefs + 
controllerName: gateway.envoyproxy.io/gatewayclass-controller + parentRef: + name: gateway-1 + namespace: envoy-gateway +xdsIR: + envoy-gateway/gateway-1: + accessLog: + text: + - path: /dev/stdout + readyListener: + address: 0.0.0.0 + ipFamily: IPv4 + path: /ready + port: 19003 + tcp: + - address: 0.0.0.0 + name: envoy-gateway/gateway-1/tcp + port: 10090 + routes: + - destination: + name: tcproute/default/tcproute-1/rule/-1 + settings: + - addressType: IP + endpoints: + - host: 7.7.7.7 + port: 8080 + protocol: TCP + weight: 1 + - addressType: IP + endpoints: + - host: 7.7.7.7 + port: 8080 + protocol: TCP + weight: 2 + - addressType: IP + endpoints: + - host: 7.7.7.7 + port: 8080 + protocol: TCP + weight: 3 + name: tcproute/default/tcproute-1 diff --git a/internal/gatewayapi/testdata/udproute-rule-with-multiple-backends-and-zero-weights.in.yaml b/internal/gatewayapi/testdata/udproute-rule-with-multiple-backends-and-zero-weights.in.yaml new file mode 100644 index 0000000000..53851284ee --- /dev/null +++ b/internal/gatewayapi/testdata/udproute-rule-with-multiple-backends-and-zero-weights.in.yaml @@ -0,0 +1,39 @@ +gateways: + - apiVersion: gateway.networking.k8s.io/v1 + kind: Gateway + metadata: + namespace: envoy-gateway + name: gateway-1 + spec: + gatewayClassName: envoy-gateway-class + listeners: + - name: udp + protocol: UDP + port: 90 + allowedRoutes: + namespaces: + from: All +udpRoutes: + - apiVersion: gateway.networking.k8s.io/v1alpha2 + kind: UDPRoute + metadata: + namespace: default + name: udproute-1 + spec: + parentRefs: + - namespace: envoy-gateway + name: gateway-1 + rules: + - backendRefs: + - name: service-1 + port: 8162 + weight: 1 + - name: service-2 + port: 8162 + weight: 2 + - name: service-3 + port: 8162 + weight: 3 + - name: service-4 + port: 8162 + weight: 0 
diff --git a/internal/gatewayapi/testdata/udproute-rule-with-multiple-backends-and-zero-weights.out.yaml b/internal/gatewayapi/testdata/udproute-rule-with-multiple-backends-and-zero-weights.out.yaml new file mode 100644 index 0000000000..e3d2bbac4d --- /dev/null +++ b/internal/gatewayapi/testdata/udproute-rule-with-multiple-backends-and-zero-weights.out.yaml 
@@ -0,0 +1,134 @@ +gateways: +- apiVersion: gateway.networking.k8s.io/v1 + kind: Gateway + metadata: + creationTimestamp: null + name: gateway-1 + namespace: envoy-gateway + spec: + gatewayClassName: envoy-gateway-class + listeners: + - allowedRoutes: + namespaces: + from: All + name: udp + port: 90 + protocol: UDP + status: + listeners: + - attachedRoutes: 1 + conditions: + - lastTransitionTime: null + message: Sending translated listener configuration to the data plane + reason: Programmed + status: "True" + type: Programmed + - lastTransitionTime: null + message: Listener has been successfully translated + reason: Accepted + status: "True" + type: Accepted + - lastTransitionTime: null + message: Listener references have been resolved + reason: ResolvedRefs + status: "True" + type: ResolvedRefs + name: udp + supportedKinds: + - group: gateway.networking.k8s.io + kind: UDPRoute +infraIR: + envoy-gateway/gateway-1: + proxy: + listeners: + - address: null + name: envoy-gateway/gateway-1/udp + ports: + - containerPort: 10090 + name: udp-90 + protocol: UDP + servicePort: 90 + metadata: + labels: + gateway.envoyproxy.io/owning-gateway-name: gateway-1 + gateway.envoyproxy.io/owning-gateway-namespace: envoy-gateway + name: envoy-gateway/gateway-1 +udpRoutes: +- apiVersion: gateway.networking.k8s.io/v1alpha2 + kind: UDPRoute + metadata: + creationTimestamp: null + name: udproute-1 + namespace: default + spec: + parentRefs: + - name: gateway-1 + namespace: envoy-gateway + rules: + - backendRefs: + - name: service-1 + port: 8162 + weight: 1 + - name: service-2 + port: 8162 + weight: 2 + - name: service-3 + port: 8162 + weight: 3 + - name: service-4 + port: 8162 + weight: 0 + status: + parents: + - conditions: + - lastTransitionTime: null + message: Route is accepted + reason: Accepted + status: "True" + type: Accepted + - lastTransitionTime: null + message: Resolved all the Object references for the Route + reason: ResolvedRefs + status: "True" + type: ResolvedRefs + 
controllerName: gateway.envoyproxy.io/gatewayclass-controller + parentRef: + name: gateway-1 + namespace: envoy-gateway +xdsIR: + envoy-gateway/gateway-1: + accessLog: + text: + - path: /dev/stdout + readyListener: + address: 0.0.0.0 + ipFamily: IPv4 + path: /ready + port: 19003 + udp: + - address: 0.0.0.0 + name: envoy-gateway/gateway-1/udp + port: 10090 + route: + destination: + name: udproute/default/udproute-1/rule/-1 + settings: + - addressType: IP + endpoints: + - host: 7.7.7.7 + port: 8162 + protocol: UDP + weight: 1 + - addressType: IP + endpoints: + - host: 7.7.7.7 + port: 8162 + protocol: UDP + weight: 2 + - addressType: IP + endpoints: + - host: 7.7.7.7 + port: 8162 + protocol: UDP + weight: 3 + name: udproute/default/udproute-1 From 4b431d563293b4c05dff856b377067ef299e2034 Mon Sep 17 00:00:00 2001 From: Balazs Stasz <139752289+bstasz@users.noreply.github.com> Date: Wed, 26 Feb 2025 04:12:14 +0100 Subject: [PATCH 03/10] fix: Standalone mode - Secret and ConfigMap parsing (#5329) * Added Secret and ConfigMap parsing Signed-off-by: Balazs Stasz * Updated release notes Signed-off-by: Balazs Stasz * Fixed lint issues Signed-off-by: Balazs Stasz * Fixed gen-check issues Signed-off-by: Balazs Stasz * Added new test cases for Secret Signed-off-by: Balazs Stasz --------- Signed-off-by: Balazs Stasz Signed-off-by: Arko Dasgupta Co-authored-by: Arko Dasgupta (cherry picked from commit a41e992968edd820da0574f244f458c8fefb3a5c) Signed-off-by: Huabing (Robin) Zhao --- internal/gatewayapi/resource/load.go | 30 ++ .../resource/testdata/all-resources.in.yaml | 268 ++++++++++++ .../resource/testdata/all-resources.out.yaml | 395 ++++++++++++++++++ release-notes/current.yaml | 2 + 4 files changed, 695 insertions(+) create mode 100644 internal/gatewayapi/resource/testdata/all-resources.in.yaml create mode 100644 internal/gatewayapi/resource/testdata/all-resources.out.yaml 
diff --git a/internal/gatewayapi/resource/load.go b/internal/gatewayapi/resource/load.go
index 7c87ffb791..78f84d16d8 100644
--- a/internal/gatewayapi/resource/load.go
+++ b/internal/gatewayapi/resource/load.go
@@ -95,6 +95,8 @@ func loadKubernetesYAMLToResources(input []byte, addMissingResources bool) (*Res
 }
 kobjVal := reflect.ValueOf(kobj).Elem()
 spec := kobjVal.FieldByName("Spec")
+ data := kobjVal.FieldByName("Data")
+ stringData := kobjVal.FieldByName("StringData")
 switch gvk.Kind {
 case KindEnvoyProxy:
@@ -307,6 +309,34 @@ func loadKubernetesYAMLToResources(input []byte, addMissingResources bool) (*Res
 Spec: typedSpec.(egv1a1.BackendSpec),
 }
 resources.Backends = append(resources.Backends, backend)
+ case KindSecret:
+ typedData := data.Interface()
+ typedStringData := stringData.Interface()
+ secret := &corev1.Secret{
+ TypeMeta: metav1.TypeMeta{
+ Kind: KindSecret,
+ },
+ ObjectMeta: metav1.ObjectMeta{
+ Name: name,
+ Namespace: namespace,
+ },
+ Data: typedData.(map[string][]byte),
+ StringData: typedStringData.(map[string]string),
+ }
+ resources.Secrets = append(resources.Secrets, secret)
+ case KindConfigMap:
+ typedData := data.Interface()
+ configMap := &corev1.ConfigMap{
+ TypeMeta: metav1.TypeMeta{
+ Kind: KindConfigMap,
+ },
+ ObjectMeta: metav1.ObjectMeta{
+ Name: name,
+ Namespace: namespace,
+ },
+ Data: typedData.(map[string]string),
+ }
+ resources.ConfigMaps = append(resources.ConfigMaps, configMap)
 }
 return nil
diff --git a/internal/gatewayapi/resource/testdata/all-resources.in.yaml b/internal/gatewayapi/resource/testdata/all-resources.in.yaml
new file mode 100644
index 0000000000..6bb5994374
--- /dev/null
+++ b/internal/gatewayapi/resource/testdata/all-resources.in.yaml
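Review bot: The new `data` and `stringData` lookups in the first hunk run for every kind the loader handles, not just Secret and ConfigMap; `reflect.Value.FieldByName` yields the zero Value on types without those fields, and that is only safe here because `.Interface()` is deferred to the two new cases — a later case that touches them on another kind would panic. Moving the two lookups into the `KindSecret`/`KindConfigMap` cases keeps that invariant local, e.g. `typedData := kobjVal.FieldByName("Data").Interface()`. The unchecked assertions `typedData.(map[string][]byte)` and `typedStringData.(map[string]string)` likewise panic instead of returning an error if the decoded object's field type ever differs from corev1's; since this function loads user-supplied YAML in standalone mode, the comma-ok form with an error return (presumably `fmt.Errorf`, if fmt is already imported — not visible here) would fail the load cleanly. loadKubernetesYAMLToResources starts and ends outside both hunks.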
@@ -0,0 +1,268 @@ +apiVersion: gateway.envoyproxy.io/v1alpha1 +kind: EnvoyProxy +metadata: + name: example + namespace: default +spec: + provider: + type: Kubernetes + kubernetes: + envoyService: + annotations: + custom1: svc-annotation1 +--- +apiVersion: gateway.networking.k8s.io/v1 +kind: GatewayClass +metadata: + name: eg +spec: + controllerName: gateway.envoyproxy.io/gatewayclass-controller +--- +apiVersion: gateway.networking.k8s.io/v1 +kind: Gateway +metadata: + name: eg +spec: + gatewayClassName: eg + listeners: + - name: http + protocol: HTTP + port: 80 +--- +apiVersion: gateway.networking.k8s.io/v1alpha2 +kind: TCPRoute +metadata: + name: backend + namespace: default +spec: + parentRefs: + - name: eg + sectionName: tcp + rules: + - backendRefs: + - name: backend + port: 3000 +--- +apiVersion: gateway.networking.k8s.io/v1alpha2 +kind: UDPRoute +metadata: + name: backend + namespace: default +spec: + parentRefs: + - name: eg + sectionName: udp + rules: + - backendRefs: + - name: backend + port: 3000 +--- +apiVersion: gateway.networking.k8s.io/v1alpha2 +kind: TLSRoute +metadata: + name: backend + namespace: default +spec: + parentRefs: + - name: eg + sectionName: tls-passthrough + rules: + - backendRefs: + - name: backend + port: 3000 +--- +apiVersion: gateway.networking.k8s.io/v1 +kind: HTTPRoute +metadata: + name: backend + namespace: default +spec: + parentRefs: + - name: eg + hostnames: + - "www.example.com" + rules: + - backendRefs: + - name: providedBackend + port: 8000 +--- +apiVersion: gateway.networking.k8s.io/v1 +kind: GRPCRoute +metadata: + name: backend + namespace: default +spec: + parentRefs: + - name: eg + sectionName: grpc + hostnames: + - "www.grpc-example.com" + rules: + - matches: + - method: + service: com.example.Things + method: DoThing + headers: + - name: com.example.Header + value: foobar + backendRefs: + - name: providedBackend + port: 9000 +--- +apiVersion: gateway.envoyproxy.io/v1alpha1 +kind: EnvoyPatchPolicy +metadata: + name: 
ratelimit-patch-policy + namespace: default +spec: + targetRef: + group: gateway.networking.k8s.io + kind: Gateway + name: eg + type: JSONPatch + jsonPatches: + - type: "type.googleapis.com/envoy.config.listener.v3.Listener" + # The listener name is of the form // + name: default/eg/http + operation: + op: add + path: "/default_filter_chain/filters/0/typed_config/http_filters/0" + value: + name: "envoy.filters.http.ratelimit" + typed_config: + "@type": "type.googleapis.com/envoy.extensions.filters.http.ratelimit.v3.RateLimit" + domain: "eag-ratelimit" + failure_mode_deny: true + timeout: 1s + rate_limit_service: + grpc_service: + envoy_grpc: + cluster_name: rate-limit-cluster + transport_api_version: V3 +--- +apiVersion: gateway.envoyproxy.io/v1alpha1 +kind: SecurityPolicy +metadata: + name: jwt-example +spec: + targetRef: + group: gateway.networking.k8s.io + kind: HTTPRoute + name: backend + apiKeyAuth: + credentialRefs: + - name: foobar + extractFrom: + - headers: + - foobar + jwt: + providers: + - name: example + remoteJWKS: + uri: https://raw.githubusercontent.com/envoyproxy/gateway/main/examples/kubernetes/jwt/jwks.json +--- +apiVersion: gateway.envoyproxy.io/v1alpha1 +kind: BackendTrafficPolicy +metadata: + name: cookie-lb-policy + namespace: gateway-conformance-infra +spec: + targetRefs: + - group: gateway.networking.k8s.io + kind: HTTPRoute + name: cookie-lb-route + loadBalancer: + type: ConsistentHash + consistentHash: + type: Cookie + cookie: + name: "Lb-Test-Cookie" + ttl: 60s + attributes: + SameSite: Strict + retry: + retryOn: + httpStatusCodes: + - 200 + - 404 + healthCheck: + active: + type: HTTP + http: + path: "/" + method: GET + circuitBreaker: + maxRequestsPerConnection: 123 +--- +apiVersion: gateway.envoyproxy.io/v1alpha1 +kind: ClientTrafficPolicy +metadata: + name: client-timeout + namespace: gateway-conformance-infra +spec: + targetRefs: + - group: gateway.networking.k8s.io + kind: Gateway + name: same-namespace + timeout: + http: + 
requestReceivedTimeout: 50ms +--- +apiVersion: gateway.envoyproxy.io/v1alpha1 +kind: HTTPRouteFilter +metadata: + name: direct-response-inline + namespace: default +spec: + directResponse: + contentType: text/plain + body: + type: Inline + inline: "OK" +--- +apiVersion: gateway.envoyproxy.io/v1alpha1 +kind: Backend +metadata: + name: backend +spec: + endpoints: + - ip: + address: 0.0.0.0 + port: 4321 +--- +apiVersion: v1 +kind: Secret +metadata: + name: secret-with-data-and-string-data + namespace: default +data: + .secret-file: dmFsdWUtMg0KDQo= +stringData: + secret: "literal value" +--- +apiVersion: v1 +kind: Secret +metadata: + name: secret-with-data + namespace: default +data: + .secret-file: dmFsdWUtMg0KDQo= +--- +apiVersion: v1 +kind: Secret +metadata: + name: secret-with-string-data + namespace: default +stringData: + secret: "literal value" +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: configmap + namespace: default +data: + player_initial_lives: "3" + game.properties: | + enemy.types=aliens,monsters + player.maximum-lives=5 diff --git a/internal/gatewayapi/resource/testdata/all-resources.out.yaml b/internal/gatewayapi/resource/testdata/all-resources.out.yaml new file mode 100644 index 0000000000..00f0bf210c --- /dev/null +++ b/internal/gatewayapi/resource/testdata/all-resources.out.yaml 
@@ -0,0 +1,395 @@ +backendTrafficPolicies: +- kind: BackendTrafficPolicy + metadata: + creationTimestamp: null + name: cookie-lb-policy + namespace: gateway-conformance-infra + spec: + circuitBreaker: + maxConnections: 1024 + maxParallelRequests: 1024 + maxParallelRetries: 1024 + maxPendingRequests: 1024 + maxRequestsPerConnection: 123 + healthCheck: + active: + healthyThreshold: 1 + http: + method: GET + path: / + interval: 3s + timeout: 1s + type: HTTP + unhealthyThreshold: 3 + loadBalancer: + consistentHash: + cookie: + attributes: + SameSite: Strict + name: Lb-Test-Cookie + ttl: 1m0s + tableSize: 65537 + type: Cookie + type: ConsistentHash + retry: + numRetries: 2 + retryOn: + httpStatusCodes: + - 200 + - 404 + targetRefs: + - group: gateway.networking.k8s.io + kind: HTTPRoute + name: cookie-lb-route + status: + ancestors: null +backends: +- kind: Backend + metadata: + creationTimestamp: null + name: backend + namespace: envoy-gateway-system + spec: + endpoints: + - ip: + address: 0.0.0.0 + port: 4321 + status: {} +clientTrafficPolicies: +- kind: ClientTrafficPolicy + metadata: + creationTimestamp: null + name: client-timeout + namespace: gateway-conformance-infra + spec: + targetRefs: + - group: gateway.networking.k8s.io + kind: Gateway + name: same-namespace + timeout: + http: + requestReceivedTimeout: 50ms + status: + ancestors: null +configMaps: +- data: + game.properties: | + enemy.types=aliens,monsters + player.maximum-lives=5 + player_initial_lives: "3" + kind: ConfigMap + metadata: + creationTimestamp: null + name: configmap + namespace: default +envoyPatchPolicies: +- kind: EnvoyPatchPolicy + metadata: + creationTimestamp: null + name: ratelimit-patch-policy + namespace: default + spec: + jsonPatches: + - name: default/eg/http + operation: + op: add + path: /default_filter_chain/filters/0/typed_config/http_filters/0 + value: + name: envoy.filters.http.ratelimit + typed_config: + '@type': 
type.googleapis.com/envoy.extensions.filters.http.ratelimit.v3.RateLimit + domain: eag-ratelimit + failure_mode_deny: true + rate_limit_service: + grpc_service: + envoy_grpc: + cluster_name: rate-limit-cluster + transport_api_version: V3 + timeout: 1s + type: type.googleapis.com/envoy.config.listener.v3.Listener + targetRef: + group: gateway.networking.k8s.io + kind: Gateway + name: eg + type: JSONPatch + status: + ancestors: null +envoyProxyForGatewayClass: + kind: EnvoyProxy + metadata: + creationTimestamp: null + name: example + namespace: default + spec: + logging: + level: + default: warn + provider: + kubernetes: + envoyService: + annotations: + custom1: svc-annotation1 + externalTrafficPolicy: Local + type: LoadBalancer + type: Kubernetes + status: {} +gatewayClass: + kind: GatewayClass + metadata: + creationTimestamp: null + name: eg + namespace: envoy-gateway-system + spec: + controllerName: gateway.envoyproxy.io/gatewayclass-controller + status: {} +gateways: +- kind: Gateway + metadata: + creationTimestamp: null + name: eg + namespace: envoy-gateway-system + spec: + gatewayClassName: eg + listeners: + - allowedRoutes: + namespaces: + from: Same + name: http + port: 80 + protocol: HTTP + status: {} +grpcRoutes: +- kind: GRPCRoute + metadata: + creationTimestamp: null + name: backend + namespace: default + spec: + hostnames: + - www.grpc-example.com + parentRefs: + - group: gateway.networking.k8s.io + kind: Gateway + name: eg + sectionName: grpc + rules: + - backendRefs: + - group: "" + kind: Service + name: providedBackend + port: 9000 + weight: 1 + matches: + - headers: + - name: com.example.Header + type: Exact + value: foobar + method: + method: DoThing + service: com.example.Things + type: Exact + status: + parents: null +httpFilters: +- apiVersion: gateway.envoyproxy.io/v1alpha1 + kind: HTTPRouteFilter + metadata: + creationTimestamp: null + name: direct-response-inline + namespace: default + spec: + directResponse: + body: + inline: OK + type: 
Inline + contentType: text/plain +httpRoutes: +- kind: HTTPRoute + metadata: + creationTimestamp: null + name: backend + namespace: default + spec: + hostnames: + - www.example.com + parentRefs: + - group: gateway.networking.k8s.io + kind: Gateway + name: eg + rules: + - backendRefs: + - group: "" + kind: Service + name: providedBackend + port: 8000 + weight: 1 + matches: + - path: + type: PathPrefix + value: / + status: + parents: null +namespaces: +- metadata: + creationTimestamp: null + name: envoy-gateway-system + spec: {} + status: {} +- metadata: + creationTimestamp: null + name: default + spec: {} + status: {} +- metadata: + creationTimestamp: null + name: gateway-conformance-infra + spec: {} + status: {} +secrets: +- data: + .secret-file: dmFsdWUtMg0KDQo= + kind: Secret + metadata: + creationTimestamp: null + name: secret-with-data-and-string-data + namespace: default + stringData: + secret: literal value +- data: + .secret-file: dmFsdWUtMg0KDQo= + kind: Secret + metadata: + creationTimestamp: null + name: secret-with-data + namespace: default +- kind: Secret + metadata: + creationTimestamp: null + name: secret-with-string-data + namespace: default + stringData: + secret: literal value +securityPolicies: +- kind: SecurityPolicy + metadata: + creationTimestamp: null + name: jwt-example + namespace: envoy-gateway-system + spec: + apiKeyAuth: + credentialRefs: + - group: "" + kind: Secret + name: foobar + extractFrom: + - headers: + - foobar + jwt: + providers: + - name: example + remoteJWKS: + uri: https://raw.githubusercontent.com/envoyproxy/gateway/main/examples/kubernetes/jwt/jwks.json + targetRef: + group: gateway.networking.k8s.io + kind: HTTPRoute + name: backend + status: + ancestors: null +services: +- metadata: + creationTimestamp: null + name: backend + namespace: default + spec: + clusterIP: 1.2.3.4 + ports: + - name: TCP-3000 + port: 3000 + protocol: TCP + targetPort: 0 + - name: UDP-3000 + port: 3000 + protocol: UDP + targetPort: 0 + status: + 
loadBalancer: {} +- metadata: + creationTimestamp: null + name: providedBackend + namespace: default + spec: + clusterIP: 1.2.3.4 + ports: + - name: TCP-8000 + port: 8000 + protocol: TCP + targetPort: 0 + - name: TCP-9000 + port: 9000 + protocol: TCP + targetPort: 0 + status: + loadBalancer: {} +tcpRoutes: +- kind: TCPRoute + metadata: + creationTimestamp: null + name: backend + namespace: default + spec: + parentRefs: + - group: gateway.networking.k8s.io + kind: Gateway + name: eg + sectionName: tcp + rules: + - backendRefs: + - group: "" + kind: Service + name: backend + port: 3000 + weight: 1 + status: + parents: null +tlsRoutes: +- kind: TLSRoute + metadata: + creationTimestamp: null + name: backend + namespace: default + spec: + parentRefs: + - group: gateway.networking.k8s.io + kind: Gateway + name: eg + sectionName: tls-passthrough + rules: + - backendRefs: + - group: "" + kind: Service + name: backend + port: 3000 + weight: 1 + status: + parents: null +udpRoutes: +- kind: UDPRoute + metadata: + creationTimestamp: null + name: backend + namespace: default + spec: + parentRefs: + - group: gateway.networking.k8s.io + kind: Gateway + name: eg + sectionName: udp + rules: + - backendRefs: + - group: "" + kind: Service + name: backend + port: 3000 + weight: 1 + status: + parents: null diff --git a/release-notes/current.yaml b/release-notes/current.yaml index 3072b3a0bc..85eff03fbe 100644 --- a/release-notes/current.yaml +++ b/release-notes/current.yaml @@ -13,6 +13,8 @@ new features: | bug fixes: | Fixed a panic that occurred following update to the envoy-gateway-config ConfigMap + Added support for Secret and ConfigMap parsing in Standalone mode. + Bypass overload manager for stats and ready listeners # Enhancements that improve performance. performance improvements: | From 5f7bee72bd9d5455e99a124d8db972e709074a6c Mon Sep 17 00:00:00 2001 
From: Arko Dasgupta Date: Sat, 1 Mar 2025 02:05:07 -0800 Subject: [PATCH 04/10] fix: backendSettings for extAuth (#5372) * fix: backendSettings for extAuth Fixes: https://github.com/envoyproxy/gateway/issues/5371 Signed-off-by: Arko Dasgupta * release note Signed-off-by: Arko Dasgupta --------- Signed-off-by: Arko Dasgupta (cherry picked from commit 1c0eca6503eb07c69427c746db52b82b02e78be9) Signed-off-by: Huabing (Robin) Zhao --- internal/gatewayapi/securitypolicy.go | 2 + ...ndtrafficpolicy-dns-lookup-family.out.yaml | 500 ++++++++++++++++++ ...ritypolicy-with-extauth-backendref.in.yaml | 6 + ...itypolicy-with-extauth-backendref.out.yaml | 20 + .../testdata/in/xds-ir/ext-auth-backend.yaml | 6 + .../out/xds-ir/ext-auth-backend.clusters.yaml | 5 +- release-notes/current.yaml | 2 + 7 files changed, 540 insertions(+), 1 deletion(-) create mode 100644 internal/gatewayapi/testdata/backendtrafficpolicy-dns-lookup-family.out.yaml diff --git a/internal/gatewayapi/securitypolicy.go b/internal/gatewayapi/securitypolicy.go index 0268e26f0b..74cd6f09e5 100644 --- a/internal/gatewayapi/securitypolicy.go +++ b/internal/gatewayapi/securitypolicy.go @@ -905,6 +905,7 @@ func (t *Translator) buildExtAuth( switch { case http != nil: protocol = ir.HTTP + backendSettings = http.BackendSettings switch { case len(http.BackendRefs) > 0: backendRefs = http.BackendCluster.BackendRefs @@ -920,6 +921,7 @@ func (t *Translator) buildExtAuth( } case grpc != nil: protocol = ir.GRPC + backendSettings = grpc.BackendSettings switch { case len(grpc.BackendCluster.BackendRefs) > 0: backendRefs = grpc.BackendRefs diff --git a/internal/gatewayapi/testdata/backendtrafficpolicy-dns-lookup-family.out.yaml b/internal/gatewayapi/testdata/backendtrafficpolicy-dns-lookup-family.out.yaml new file mode 100644 index 0000000000..7951e9ce25 --- /dev/null +++ b/internal/gatewayapi/testdata/backendtrafficpolicy-dns-lookup-family.out.yaml 
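Review bot: The new `backendSettings = http.BackendSettings` assignment reads the field directly while the condition two lines below tests `http.BackendRefs` and the assignment after it uses `http.BackendCluster.BackendRefs`; the same mix appears in the grpc branch of the second hunk (`@@ -920,6 +921,7 @@`), where the new line is `backendSettings = grpc.BackendSettings`. If `BackendSettings` and `BackendRefs` are both promoted from an embedded `BackendCluster` (not visible here) the spellings are equivalent, but settling on one form, e.g. `backendSettings = http.BackendCluster.BackendSettings` beside `http.BackendCluster.BackendRefs`, would make that obvious to the next reader. Since these settings now shape the ext-auth cluster (the fixtures added in this commit give it circuit-breaker thresholds such as `maxPendingRequests: 1024`), a short comment on the new line would help, e.g. `// BackendSettings are propagated to the ext-auth cluster; a tripped circuit breaker fails the auth call, so they interact with failOpen.` — the failOpen interaction being something to confirm against the xds translator rather than a fact this hunk shows. buildExtAuth starts and ends outside the hunk, so whether a nil BackendSettings is tolerated downstream cannot be checked from here.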
@@ -0,0 +1,500 @@ +backendTrafficPolicies: +- apiVersion: gateway.envoyproxy.io/v1alpha1 + kind: BackendTrafficPolicy + metadata: + creationTimestamp: null + name: backend-traffic-policy + namespace: default + spec: + dns: + dnsRefreshRate: 5s + lookupFamily: IPv6 + respectDnsTtl: false + targetRef: + group: gateway.networking.k8s.io + kind: GRPCRoute + name: grpcroute-1 + status: + ancestors: + - ancestorRef: + group: gateway.networking.k8s.io + kind: Gateway + name: gateway-1 + namespace: envoy-gateway + sectionName: http + conditions: + - lastTransitionTime: null + message: Policy has been accepted. + reason: Accepted + status: "True" + type: Accepted + controllerName: gateway.envoyproxy.io/gatewayclass-controller +backends: +- apiVersion: gateway.envoyproxy.io/v1alpha1 + kind: Backend + metadata: + creationTimestamp: null + name: backend-fqdn2 + namespace: default + spec: + endpoints: + - fqdn: + hostname: backend-v2.gateway-conformance-infra.svc.cluster.local + port: 9090 + status: + conditions: + - lastTransitionTime: null + message: The Backend was accepted + reason: Accepted + status: "True" + type: Accepted +- apiVersion: gateway.envoyproxy.io/v1alpha1 + kind: Backend + metadata: + creationTimestamp: null + name: backend-fqdn + namespace: default + spec: + endpoints: + - fqdn: + hostname: grpc-infra-backend.gateway-conformance-infra.svc.cluster.local + port: 8080 + status: + conditions: + - lastTransitionTime: null + message: The Backend was accepted + reason: Accepted + status: "True" + type: Accepted +- apiVersion: gateway.envoyproxy.io/v1alpha1 + kind: Backend + metadata: + creationTimestamp: null + name: backend-fqdn3 + namespace: default + spec: + endpoints: + - fqdn: + hostname: backend-v3.gateway-conformance-infra.svc.cluster.local + port: 8080 + status: + conditions: + - lastTransitionTime: null + message: The Backend was accepted + reason: Accepted + status: "True" + type: Accepted +- apiVersion: gateway.envoyproxy.io/v1alpha1 + kind: Backend + 
metadata: + creationTimestamp: null + name: backend-fqdn + namespace: default + spec: + endpoints: + - fqdn: + hostname: grpc-infra-backend-v1.gateway-conformance-infra.svc.cluster.local + port: 8080 + status: + conditions: + - lastTransitionTime: null + message: The Backend was accepted + reason: Accepted + status: "True" + type: Accepted +envoyExtensionPolicies: +- apiVersion: gateway.envoyproxy.io/v1alpha1 + kind: EnvoyExtensionPolicy + metadata: + creationTimestamp: null + name: policy-for-httproute + namespace: default + spec: + extProc: + - backendRefs: + - kind: Backend + name: backend-fqdn2 + port: 9090 + backendSettings: + dns: + dnsRefreshRate: 5s + lookupFamily: IPv4AndIPv6 + targetRef: + group: gateway.networking.k8s.io + kind: HTTPRoute + name: httproute-1 + status: + ancestors: + - ancestorRef: + group: gateway.networking.k8s.io + kind: Gateway + name: gateway-1 + namespace: envoy-gateway + sectionName: http + conditions: + - lastTransitionTime: null + message: Policy has been accepted. 
+ reason: Accepted + status: "True" + type: Accepted + controllerName: gateway.envoyproxy.io/gatewayclass-controller +gateways: +- apiVersion: gateway.networking.k8s.io/v1 + kind: Gateway + metadata: + creationTimestamp: null + name: gateway-1 + namespace: envoy-gateway + spec: + gatewayClassName: envoy-gateway-class + listeners: + - allowedRoutes: + namespaces: + from: All + name: http + port: 80 + protocol: HTTP + status: + listeners: + - attachedRoutes: 2 + conditions: + - lastTransitionTime: null + message: Sending translated listener configuration to the data plane + reason: Programmed + status: "True" + type: Programmed + - lastTransitionTime: null + message: Listener has been successfully translated + reason: Accepted + status: "True" + type: Accepted + - lastTransitionTime: null + message: Listener references have been resolved + reason: ResolvedRefs + status: "True" + type: ResolvedRefs + name: http + supportedKinds: + - group: gateway.networking.k8s.io + kind: HTTPRoute + - group: gateway.networking.k8s.io + kind: GRPCRoute +grpcRoutes: +- apiVersion: gateway.networking.k8s.io/v1alpha2 + kind: GRPCRoute + metadata: + creationTimestamp: null + name: grpcroute-1 + namespace: default + spec: + parentRefs: + - name: gateway-1 + namespace: envoy-gateway + sectionName: http + rules: + - backendRefs: + - kind: Backend + name: backend-fqdn + port: 8080 + status: + parents: + - conditions: + - lastTransitionTime: null + message: Route is accepted + reason: Accepted + status: "True" + type: Accepted + - lastTransitionTime: null + message: Resolved all the Object references for the Route + reason: ResolvedRefs + status: "True" + type: ResolvedRefs + controllerName: gateway.envoyproxy.io/gatewayclass-controller + parentRef: + name: gateway-1 + namespace: envoy-gateway + sectionName: http +httpRoutes: +- apiVersion: gateway.networking.k8s.io/v1 + kind: HTTPRoute + metadata: + creationTimestamp: null + name: httproute-1 + namespace: default + spec: + hostnames: + - 
gateway.envoyproxy.io + parentRefs: + - name: gateway-1 + namespace: envoy-gateway + sectionName: http + rules: + - backendRefs: + - kind: Backend + name: backend-fqdn + port: 8080 + matches: + - path: + value: / + status: + parents: + - conditions: + - lastTransitionTime: null + message: Route is accepted + reason: Accepted + status: "True" + type: Accepted + - lastTransitionTime: null + message: Resolved all the Object references for the Route + reason: ResolvedRefs + status: "True" + type: ResolvedRefs + controllerName: gateway.envoyproxy.io/gatewayclass-controller + parentRef: + name: gateway-1 + namespace: envoy-gateway + sectionName: http +infraIR: + envoy-gateway/gateway-1: + proxy: + config: + apiVersion: gateway.envoyproxy.io/v1alpha1 + kind: EnvoyProxy + metadata: + creationTimestamp: null + name: config-for-gateway-class + namespace: envoy-gateway + spec: + logging: {} + telemetry: + accessLog: + settings: + - format: + text: | + [%START_TIME%] "%REQ(:METHOD)% %PROTOCOL%" %RESPONSE_CODE% %RESPONSE_FLAGS% %BYTES_RECEIVED% %BYTES_SENT% %DURATION% %RESP(X-ENVOY-UPSTREAM-SERVICE-TIME)% "%REQ(X-FORWARDED-FOR)%" "%REQ(USER-AGENT)%" "%REQ(X-REQUEST-ID)%" "%REQ(:AUTHORITY)%" "%UPSTREAM_HOST%"\n + type: Text + sinks: + - file: + path: /dev/stdout + type: File + - openTelemetry: + backendRefs: + - kind: Service + name: logs + namespace: default + port: 8080 + backendSettings: + dns: + dnsRefreshRate: 30s + lookupFamily: IPv4AndIPv6 + resources: + k8s.cluster.name: cluster-1 + type: OpenTelemetry + status: {} + listeners: + - address: null + name: envoy-gateway/gateway-1/http + ports: + - containerPort: 10080 + name: http-80 + protocol: HTTP + servicePort: 80 + metadata: + labels: + gateway.envoyproxy.io/owning-gateway-name: gateway-1 + gateway.envoyproxy.io/owning-gateway-namespace: envoy-gateway + name: envoy-gateway/gateway-1 +securityPolicies: +- apiVersion: gateway.envoyproxy.io/v1alpha1 + kind: SecurityPolicy + metadata: + creationTimestamp: null + name: 
policy-for-gateway-1 + namespace: envoy-gateway + spec: + extAuth: + bodyToExtAuth: + maxRequestBytes: 8192 + failOpen: false + http: + backendRefs: + - kind: Backend + name: backend-fqdn3 + namespace: default + port: 8080 + backendSettings: + dns: + dnsRefreshRate: 30s + lookupFamily: IPv4Preferred + targetRef: + group: gateway.networking.k8s.io + kind: Gateway + name: gateway-1 + status: + ancestors: + - ancestorRef: + group: gateway.networking.k8s.io + kind: Gateway + name: gateway-1 + namespace: envoy-gateway + conditions: + - lastTransitionTime: null + message: Policy has been accepted. + reason: Accepted + status: "True" + type: Accepted + controllerName: gateway.envoyproxy.io/gatewayclass-controller +xdsIR: + envoy-gateway/gateway-1: + accessLog: + openTelemetry: + - destination: + name: accesslog_otel_0_1 + settings: + - name: accesslog_otel_0_1/backend/-1 + protocol: TCP + resources: + k8s.cluster.name: cluster-1 + text: | + [%START_TIME%] "%REQ(:METHOD)% %PROTOCOL%" %RESPONSE_CODE% %RESPONSE_FLAGS% %BYTES_RECEIVED% %BYTES_SENT% %DURATION% %RESP(X-ENVOY-UPSTREAM-SERVICE-TIME)% "%REQ(X-FORWARDED-FOR)%" "%REQ(USER-AGENT)%" "%REQ(X-REQUEST-ID)%" "%REQ(:AUTHORITY)%" "%UPSTREAM_HOST%"\n + traffic: + dns: + dnsRefreshRate: 30s + lookupFamily: IPv4AndIPv6 + text: + - format: | + [%START_TIME%] "%REQ(:METHOD)% %PROTOCOL%" %RESPONSE_CODE% %RESPONSE_FLAGS% %BYTES_RECEIVED% %BYTES_SENT% %DURATION% %RESP(X-ENVOY-UPSTREAM-SERVICE-TIME)% "%REQ(X-FORWARDED-FOR)%" "%REQ(USER-AGENT)%" "%REQ(X-REQUEST-ID)%" "%REQ(:AUTHORITY)%" "%UPSTREAM_HOST%"\n + path: /dev/stdout + http: + - address: 0.0.0.0 + hostnames: + - '*' + isHTTP2: true + metadata: + kind: Gateway + name: gateway-1 + namespace: envoy-gateway + sectionName: http + name: envoy-gateway/gateway-1/http + path: + escapedSlashesAction: UnescapeAndRedirect + mergeSlashes: true + port: 10080 + routes: + - destination: + name: httproute/default/httproute-1/rule/0 + settings: + - addressType: FQDN + endpoints: + - host: 
grpc-infra-backend.gateway-conformance-infra.svc.cluster.local + port: 8080 + name: httproute/default/httproute-1/rule/0/backend/0 + protocol: HTTP + weight: 1 + envoyExtensions: + extProcs: + - authority: backend-fqdn2.default:9090 + destination: + name: envoyextensionpolicy/default/policy-for-httproute/extproc/0 + settings: + - addressType: FQDN + endpoints: + - host: backend-v2.gateway-conformance-infra.svc.cluster.local + port: 9090 + name: envoyextensionpolicy/default/policy-for-httproute/extproc/0/backend/0 + protocol: GRPC + weight: 1 + name: envoyextensionpolicy/default/policy-for-httproute/extproc/0 + traffic: + dns: + dnsRefreshRate: 5s + lookupFamily: IPv4AndIPv6 + hostname: gateway.envoyproxy.io + isHTTP2: false + metadata: + kind: HTTPRoute + name: httproute-1 + namespace: default + name: httproute/default/httproute-1/rule/0/match/0/gateway_envoyproxy_io + pathMatch: + distinct: false + name: "" + prefix: / + security: + extAuth: + bodyToExtAuth: + maxRequestBytes: 8192 + failOpen: false + http: + authority: backend-v3.gateway-conformance-infra.svc.cluster.local:8080 + destination: + name: securitypolicy/envoy-gateway/policy-for-gateway-1/extauth/0 + settings: + - addressType: FQDN + endpoints: + - host: backend-v3.gateway-conformance-infra.svc.cluster.local + port: 8080 + name: securitypolicy/envoy-gateway/policy-for-gateway-1/extauth/0/backend/0 + protocol: HTTP + weight: 1 + path: "" + name: securitypolicy/envoy-gateway/policy-for-gateway-1 + traffic: + dns: + dnsRefreshRate: 30s + lookupFamily: IPv4Preferred + traffic: + dns: + dnsRefreshRate: 5s + lookupFamily: IPv6 + respectDnsTtl: false + - destination: + name: grpcroute/default/grpcroute-1/rule/0 + settings: + - addressType: FQDN + endpoints: + - host: grpc-infra-backend.gateway-conformance-infra.svc.cluster.local + port: 8080 + name: grpcroute/default/grpcroute-1/rule/0/backend/0 + protocol: GRPC + weight: 1 + hostname: '*' + isHTTP2: true + metadata: + kind: GRPCRoute + name: grpcroute-1 + 
namespace: default + name: grpcroute/default/grpcroute-1/rule/0/match/-1/* + security: + extAuth: + bodyToExtAuth: + maxRequestBytes: 8192 + failOpen: false + http: + authority: backend-v3.gateway-conformance-infra.svc.cluster.local:8080 + destination: + name: securitypolicy/envoy-gateway/policy-for-gateway-1/extauth/0 + settings: + - addressType: FQDN + endpoints: + - host: backend-v3.gateway-conformance-infra.svc.cluster.local + port: 8080 + name: securitypolicy/envoy-gateway/policy-for-gateway-1/extauth/0/backend/0 + protocol: HTTP + weight: 1 + path: "" + name: securitypolicy/envoy-gateway/policy-for-gateway-1 + traffic: + dns: + dnsRefreshRate: 30s + lookupFamily: IPv4Preferred + traffic: + dns: + dnsRefreshRate: 5s + lookupFamily: IPv6 + respectDnsTtl: false + readyListener: + address: 0.0.0.0 + ipFamily: IPv4 + path: /ready + port: 19003 diff --git a/internal/gatewayapi/testdata/securitypolicy-with-extauth-backendref.in.yaml b/internal/gatewayapi/testdata/securitypolicy-with-extauth-backendref.in.yaml index 1c24de65ef..93a6223fa7 100644 --- a/internal/gatewayapi/testdata/securitypolicy-with-extauth-backendref.in.yaml +++ b/internal/gatewayapi/testdata/securitypolicy-with-extauth-backendref.in.yaml @@ -169,3 +169,9 @@ securityPolicies: headersToBackend: - header1 - header2 + backendSettings: + circuitBreaker: + maxConnections: 30001 + maxParallelRequests: 1022 + maxParallelRetries: 1023 + maxPendingRequests: 1024 diff --git a/internal/gatewayapi/testdata/securitypolicy-with-extauth-backendref.out.yaml b/internal/gatewayapi/testdata/securitypolicy-with-extauth-backendref.out.yaml index a53d14e408..076894323d 100644 --- a/internal/gatewayapi/testdata/securitypolicy-with-extauth-backendref.out.yaml +++ b/internal/gatewayapi/testdata/securitypolicy-with-extauth-backendref.out.yaml 
@@ -188,6 +188,12 @@ securityPolicies: - name: http-backend namespace: envoy-gateway port: 80 + backendSettings: + circuitBreaker: + maxConnections: 30001 + maxParallelRequests: 1022 + maxParallelRetries: 1023 + maxPendingRequests: 1024 headersToBackend: - header1 - header2 @@ -352,3 +358,17 @@ xdsIR: - header2 path: /auth name: securitypolicy/default/policy-for-gateway-1 +<<<<<<< HEAD +======= + traffic: + circuitBreaker: + maxConnections: 30001 + maxParallelRequests: 1022 + maxParallelRetries: 1023 + maxPendingRequests: 1024 + readyListener: + address: 0.0.0.0 + ipFamily: IPv4 + path: /ready + port: 19003 +>>>>>>> 1c0eca650 (fix: backendSettings for extAuth (#5372)) diff --git a/internal/xds/translator/testdata/in/xds-ir/ext-auth-backend.yaml b/internal/xds/translator/testdata/in/xds-ir/ext-auth-backend.yaml index 4f93e2e773..fba3c4a838 100644 --- a/internal/xds/translator/testdata/in/xds-ir/ext-auth-backend.yaml +++ b/internal/xds/translator/testdata/in/xds-ir/ext-auth-backend.yaml @@ -106,6 +106,12 @@ http: extAuth: name: securitypolicy/default/policy-for-gateway-1 failOpen: true + traffic: + circuitBreaker: + maxConnections: 30001 + maxParallelRequests: 1022 + maxParallelRetries: 1023 + maxPendingRequests: 1024 http: authority: primary.foo.com destination: diff --git a/internal/xds/translator/testdata/out/xds-ir/ext-auth-backend.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/ext-auth-backend.clusters.yaml index 79e1aed5eb..cc94e780af 100644 --- a/internal/xds/translator/testdata/out/xds-ir/ext-auth-backend.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/ext-auth-backend.clusters.yaml @@ -88,7 +88,10 @@ initialStreamWindowSize: 65536 - circuitBreakers: thresholds: - - maxRetries: 1024 + - maxConnections: 30001 + maxPendingRequests: 1024 + maxRequests: 1022 + maxRetries: 1023 commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s 
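Review bot: The second hunk of this golden file commits unresolved merge-conflict markers — `<<<<<<< HEAD`, `=======` and `>>>>>>> 1c0eca650 (fix: backendSettings for extAuth (#5372))` — into securitypolicy-with-extauth-backendref.out.yaml, so the fixture is not valid YAML and the translation test that compares against it presumably cannot pass as committed. The non-HEAD side also carries a `readyListener` block of the same shape that the newly added backendtrafficpolicy-dns-lookup-family.out.yaml contains and that the later "fix gen" commit in this series strips from other fixtures, which suggests the expected outputs were generated against a newer main rather than this branch. The markers should be dropped and the file regenerated on this branch (the later "fix gen" commit appears to do exactly that); a pre-merge check that rejects `<<<<<<<` in committed files would have caught this before the cherry-pick landed.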
diff --git a/release-notes/current.yaml b/release-notes/current.yaml index 85eff03fbe..03ae9529e3 100644 --- a/release-notes/current.yaml +++ b/release-notes/current.yaml @@ -13,8 +13,10 @@ new features: | bug fixes: | Fixed a panic that occurred following update to the envoy-gateway-config ConfigMap + Fix traffic splitting when filters are attached to the backendRef. Added support for Secret and ConfigMap parsing in Standalone mode. Bypass overload manager for stats and ready listeners + Fix translating backendSettings for extAuth # Enhancements that improve performance. performance improvements: | From 29d9f4d2ab72e44815b2761ac0d9a8367a767cd4 Mon Sep 17 00:00:00 2001 From: "Huabing (Robin) Zhao" Date: Wed, 5 Mar 2025 02:14:30 +0000 Subject: [PATCH 05/10] bump version to 1.2.7 Signed-off-by: Huabing (Robin) Zhao --- VERSION | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/VERSION b/VERSION index a6c5252cd4..503f4b1293 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -v1.2.6 +v1.2.7 From 8a2c91a869b1cc3212b66eb1a87d181178d6c481 Mon Sep 17 00:00:00 2001 From: "Huabing (Robin) Zhao" Date: Wed, 5 Mar 2025 02:24:19 +0000 Subject: [PATCH 06/10] fix gen Signed-off-by: Huabing (Robin) Zhao --- .../securitypolicy-with-extauth-backendref.out.yaml | 8 -------- ...-rule-with-multiple-backends-and-zero-weights.out.yaml | 7 +------ ...-rule-with-multiple-backends-and-zero-weights.out.yaml | 7 +------ 3 files changed, 2 insertions(+), 20 deletions(-) diff --git a/internal/gatewayapi/testdata/securitypolicy-with-extauth-backendref.out.yaml b/internal/gatewayapi/testdata/securitypolicy-with-extauth-backendref.out.yaml index 076894323d..15ab332ea1 100644 --- a/internal/gatewayapi/testdata/securitypolicy-with-extauth-backendref.out.yaml +++ b/internal/gatewayapi/testdata/securitypolicy-with-extauth-backendref.out.yaml 
@@ -358,17 +358,9 @@ xdsIR: - header2 path: /auth name: securitypolicy/default/policy-for-gateway-1 -<<<<<<< HEAD -======= traffic: circuitBreaker: maxConnections: 30001 maxParallelRequests: 1022 maxParallelRetries: 1023 maxPendingRequests: 1024 - readyListener: - address: 0.0.0.0 - ipFamily: IPv4 - path: /ready - port: 19003 ->>>>>>> 1c0eca650 (fix: backendSettings for extAuth (#5372)) diff --git a/internal/gatewayapi/testdata/tcproute-rule-with-multiple-backends-and-zero-weights.out.yaml b/internal/gatewayapi/testdata/tcproute-rule-with-multiple-backends-and-zero-weights.out.yaml index bd9d641561..ee87a58396 100644 --- a/internal/gatewayapi/testdata/tcproute-rule-with-multiple-backends-and-zero-weights.out.yaml +++ b/internal/gatewayapi/testdata/tcproute-rule-with-multiple-backends-and-zero-weights.out.yaml @@ -98,13 +98,8 @@ tcpRoutes: xdsIR: envoy-gateway/gateway-1: accessLog: - text: + json: - path: /dev/stdout - readyListener: - address: 0.0.0.0 - ipFamily: IPv4 - path: /ready - port: 19003 tcp: - address: 0.0.0.0 name: envoy-gateway/gateway-1/tcp diff --git a/internal/gatewayapi/testdata/udproute-rule-with-multiple-backends-and-zero-weights.out.yaml b/internal/gatewayapi/testdata/udproute-rule-with-multiple-backends-and-zero-weights.out.yaml index e3d2bbac4d..c266691269 100644 --- a/internal/gatewayapi/testdata/udproute-rule-with-multiple-backends-and-zero-weights.out.yaml +++ b/internal/gatewayapi/testdata/udproute-rule-with-multiple-backends-and-zero-weights.out.yaml @@ -98,13 +98,8 @@ udpRoutes: xdsIR: envoy-gateway/gateway-1: accessLog: - text: + json: - path: /dev/stdout - readyListener: - address: 0.0.0.0 - ipFamily: IPv4 - path: /ready - port: 19003 udp: - address: 0.0.0.0 name: envoy-gateway/gateway-1/udp From bc92bd0dde8ed8163ad863a882ab0d1189386dc3 Mon Sep 17 00:00:00 2001 From: "Huabing (Robin) Zhao" Date: Wed, 5 Mar 2025 02:40:29 +0000 Subject: [PATCH 07/10] bump ratelimit to ae4cee11 
Signed-off-by: Huabing (Robin) Zhao --- api/v1alpha1/shared_types.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/api/v1alpha1/shared_types.go b/api/v1alpha1/shared_types.go index 28eced60c6..1e57786d0a 100644 --- a/api/v1alpha1/shared_types.go +++ b/api/v1alpha1/shared_types.go @@ -30,7 +30,7 @@ const ( // DefaultShutdownManagerImage is the default image used for the shutdown manager. DefaultShutdownManagerImage = "docker.io/envoyproxy/gateway-dev:latest" // DefaultRateLimitImage is the default image used by ratelimit. - DefaultRateLimitImage = "docker.io/envoyproxy/ratelimit:49af5cca" + DefaultRateLimitImage = "docker.io/envoyproxy/ratelimit:ae4cee11" // HTTPProtocol is the common-used http protocol. HTTPProtocol = "http" // GRPCProtocol is the common-used grpc protocol. From 243db4e3ffc5de5d1d62af1f9244805458f41ae9 Mon Sep 17 00:00:00 2001 From: "Huabing (Robin) Zhao" Date: Wed, 5 Mar 2025 02:53:17 +0000 Subject: [PATCH 08/10] fix gen Signed-off-by: Huabing (Robin) Zhao --- .../testdata/deployments/default.yaml | 2 +- .../deployments/disable-prometheus.yaml | 2 +- .../deployments/enable-tracing-custom.yaml | 2 +- .../testdata/deployments/enable-tracing.yaml | 2 +- .../deployments/merge-annotations.yaml | 2 +- .../testdata/deployments/merge-labels.yaml | 2 +- .../deployments/patch-deployment.yaml | 2 +- .../deployments/with-node-selector.yaml | 2 +- .../with-topology-spread-constraints.yaml | 2 +- release-notes/current.yaml | 6 ---- release-notes/v1.2.7.yaml | 25 ++++++++++++++++ site/content/en/news/releases/notes/v1.2.7.md | 30 +++++++++++++++++++ 12 files changed, 64 insertions(+), 15 deletions(-) create mode 100644 release-notes/v1.2.7.yaml create mode 100644 site/content/en/news/releases/notes/v1.2.7.md diff --git a/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/default.yaml b/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/default.yaml index 16052ec6d8..84af681d9e 100644 
--- a/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/default.yaml +++ b/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/default.yaml @@ -86,7 +86,7 @@ spec: value: :19001 - name: PROMETHEUS_MAPPER_YAML value: /etc/statsd-exporter/conf.yaml - image: docker.io/envoyproxy/ratelimit:49af5cca + image: docker.io/envoyproxy/ratelimit:ae4cee11 imagePullPolicy: IfNotPresent name: envoy-ratelimit ports: diff --git a/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/disable-prometheus.yaml b/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/disable-prometheus.yaml index 76e64e7e8b..de4c83da5f 100644 --- a/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/disable-prometheus.yaml +++ b/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/disable-prometheus.yaml @@ -76,7 +76,7 @@ spec: value: tcp - name: REDIS_URL value: redis.redis.svc:6379 - image: docker.io/envoyproxy/ratelimit:49af5cca + image: docker.io/envoyproxy/ratelimit:ae4cee11 imagePullPolicy: IfNotPresent name: envoy-ratelimit ports: diff --git a/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/enable-tracing-custom.yaml b/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/enable-tracing-custom.yaml index 6ad0f48b7d..6971dc186e 100644 --- a/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/enable-tracing-custom.yaml +++ b/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/enable-tracing-custom.yaml @@ -101,7 +101,7 @@ spec: value: "0.6" - name: OTEL_EXPORTER_OTLP_ENDPOINT value: http://trace-collector.envoy-gateway-system.svc.cluster.local:4317 - image: docker.io/envoyproxy/ratelimit:49af5cca + image: docker.io/envoyproxy/ratelimit:ae4cee11 imagePullPolicy: IfNotPresent name: envoy-ratelimit ports: 
diff --git a/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/enable-tracing.yaml b/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/enable-tracing.yaml index 5c2b0f142d..b78ec434d6 100644 --- a/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/enable-tracing.yaml +++ b/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/enable-tracing.yaml @@ -101,7 +101,7 @@ spec: value: "1.0" - name: OTEL_EXPORTER_OTLP_ENDPOINT value: http://trace-collector.envoy-gateway-system.svc.cluster.local:4318 - image: docker.io/envoyproxy/ratelimit:49af5cca + image: docker.io/envoyproxy/ratelimit:ae4cee11 imagePullPolicy: IfNotPresent name: envoy-ratelimit ports: diff --git a/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/merge-annotations.yaml b/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/merge-annotations.yaml index bd1b21ad2a..945e60e676 100644 --- a/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/merge-annotations.yaml +++ b/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/merge-annotations.yaml @@ -88,7 +88,7 @@ spec: value: :19001 - name: PROMETHEUS_MAPPER_YAML value: /etc/statsd-exporter/conf.yaml - image: docker.io/envoyproxy/ratelimit:49af5cca + image: docker.io/envoyproxy/ratelimit:ae4cee11 imagePullPolicy: IfNotPresent name: envoy-ratelimit ports: diff --git a/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/merge-labels.yaml b/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/merge-labels.yaml index 12b3b4c7b7..9cd149a109 100644 --- a/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/merge-labels.yaml +++ b/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/merge-labels.yaml 
@@ -88,7 +88,7 @@ spec:
 value: :19001
 - name: PROMETHEUS_MAPPER_YAML
 value: /etc/statsd-exporter/conf.yaml
- image: docker.io/envoyproxy/ratelimit:49af5cca
+ image: docker.io/envoyproxy/ratelimit:ae4cee11
 imagePullPolicy: IfNotPresent
 name: envoy-ratelimit
 ports:
diff --git a/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/patch-deployment.yaml b/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/patch-deployment.yaml
index a5330aae25..21b6e9fbfd 100644
--- a/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/patch-deployment.yaml
+++ b/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/patch-deployment.yaml
@@ -86,7 +86,7 @@ spec:
 value: :19001
 - name: PROMETHEUS_MAPPER_YAML
 value: /etc/statsd-exporter/conf.yaml
- image: docker.io/envoyproxy/ratelimit:49af5cca
+ image: docker.io/envoyproxy/ratelimit:ae4cee11
 imagePullPolicy: IfNotPresent
 name: envoy-ratelimit
 ports:
diff --git a/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/with-node-selector.yaml b/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/with-node-selector.yaml
index ca89859fd1..4700c613c3 100644
--- a/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/with-node-selector.yaml
+++ b/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/with-node-selector.yaml
@@ -86,7 +86,7 @@ spec:
 value: :19001
 - name: PROMETHEUS_MAPPER_YAML
 value: /etc/statsd-exporter/conf.yaml
- image: docker.io/envoyproxy/ratelimit:49af5cca
+ image: docker.io/envoyproxy/ratelimit:ae4cee11
 imagePullPolicy: IfNotPresent
 name: envoy-ratelimit
 ports:
diff --git a/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/with-topology-spread-constraints.yaml b/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/with-topology-spread-constraints.yaml
index 2f02296bc6..c784904d25 100644
--- a/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/with-topology-spread-constraints.yaml
+++ b/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/with-topology-spread-constraints.yaml
@@ -86,7 +86,7 @@ spec:
 value: :19001
 - name: PROMETHEUS_MAPPER_YAML
 value: /etc/statsd-exporter/conf.yaml
- image: docker.io/envoyproxy/ratelimit:49af5cca
+ image: docker.io/envoyproxy/ratelimit:ae4cee11
 imagePullPolicy: IfNotPresent
 name: envoy-ratelimit
 ports:
diff --git a/release-notes/current.yaml b/release-notes/current.yaml
index 03ae9529e3..5f6cb7da74 100644
--- a/release-notes/current.yaml
+++ b/release-notes/current.yaml
@@ -6,17 +6,11 @@ breaking changes: |
 # Updates addressing vulnerabilities, security flaws, or compliance requirements.
 security updates: |
- Fixed vulnerability which exposed the Envoy admin interface through the prometheus stats endpoint.
 # New features or capabilities added in this release.
 new features: |
 bug fixes: |
- Fixed a panic that occurred following update to the envoy-gateway-config ConfigMap
- Fix traffic splitting when filters are attached to the backendRef.
- Added support for Secret and ConfigMap parsing in Standalone mode.
- Bypass overload manager for stats and ready listeners
- Fix translating backendSettings for extAuth
 # Enhancements that improve performance.
 performance improvements: |
diff --git a/release-notes/v1.2.7.yaml b/release-notes/v1.2.7.yaml
new file mode 100644
index 0000000000..68ef215a8f
--- /dev/null
+++ b/release-notes/v1.2.7.yaml
@@ -0,0 +1,25 @@
+date: January 23, 2025
+
+# Changes that are expected to cause an incompatibility with previous versions, such as deletions or modifications to existing APIs.
+breaking changes: |
+
+# Updates addressing vulnerabilities, security flaws, or compliance requirements.
+security updates: |
+
+# New features or capabilities added in this release.
+new features: |
+ Added support for Secret and ConfigMap parsing in Standalone mode.
+
+bug fixes: |
+ Fix translating of backendSettings for extAuth.
+ Fix allowing weights to be zero on endpoints for backendRefs in TCPRoute and UDPRoute.
+ Fix validation of all xDS resources before sending them to the Envoy fleet.
+
+# Enhancements that improve performance.
+performance improvements: |
+
+# Deprecated features or APIs.
+deprecations: |
+
+# Other notable changes not covered by the above sections.
+Other changes: |
diff --git a/site/content/en/news/releases/notes/v1.2.7.md b/site/content/en/news/releases/notes/v1.2.7.md
new file mode 100644
index 0000000000..d11ad64397
--- /dev/null
+++ b/site/content/en/news/releases/notes/v1.2.7.md
@@ -0,0 +1,30 @@
+---
+title: "v1.2.7"
+publishdate: 2025-01-23
+---
+
+Date: January 23, 2025
+
+## Breaking changes
+-
+
+## Security updates
+-
+
+## New features
+- Added support for Secret and ConfigMap parsing in Standalone mode.
+
+## Bug fixes
+- Fix translating of backendSettings for extAuth.
+- Fix allowing weights to be zero on endpoints for backendRefs in TCPRoute and UDPRoute.
+- Fix validation of all xDS resources before sending them to the Envoy fleet.
+
+## Performance improvements
+-
+
+## Deprecations
+-
+
+## Other changes
+-
+
From 804f2db616f8f545e4cce2b6e92b5b6a52133783 Mon Sep 17 00:00:00 2001
From: "Huabing (Robin) Zhao"
Date: Thu, 6 Mar 2025 04:22:00 +0000
Subject: [PATCH 09/10] bump ratelimt
Signed-off-by: Huabing (Robin) Zhao
---
 charts/gateway-helm/templates/_helpers.tpl | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/charts/gateway-helm/templates/_helpers.tpl b/charts/gateway-helm/templates/_helpers.tpl
index d9aefc2a84..3d1b4a133e 100755
--- a/charts/gateway-helm/templates/_helpers.tpl
+++ b/charts/gateway-helm/templates/_helpers.tpl
@@ -108,7 +108,7 @@ provider:
 {{- if .Values.global.images.ratelimit.image }}
 image: {{ .Values.global.images.ratelimit.image }}
 {{- else }}
- image: "docker.io/envoyproxy/ratelimit:master"
+ image: "docker.io/envoyproxy/ratelimit:ae4cee11"
 {{- end }}
 {{- with .Values.global.images.ratelimit.pullSecrets }}
 pod:
From 5e7f7afd777360127f3a1ae13909efdb52f557ed Mon Sep 17 00:00:00 2001
From: "Huabing (Robin) Zhao"
Date: Thu, 6 Mar 2025 04:52:08 +0000
Subject: [PATCH 10/10] bump ratelimit
Signed-off-by: Huabing (Robin) Zhao
---
 charts/gateway-helm/README.md | 2 +-
 charts/gateway-helm/templates/_helpers.tpl | 2 +-
 charts/gateway-helm/values.tmpl.yaml | 2 +-
 site/content/en/latest/install/gateway-helm-api.md | 2 +-
 site/content/zh/latest/install/gateway-helm-api.md | 2 +-
 test/helm/gateway-helm/certjen-custom-scheduling.out.yaml | 2 +-
 test/helm/gateway-helm/control-plane-with-pdb.out.yaml | 2 +-
 test/helm/gateway-helm/default-config.out.yaml | 2 +-
 test/helm/gateway-helm/deployment-custom-topology.out.yaml | 2 +-
 test/helm/gateway-helm/deployment-images-config.out.yaml | 2 +-
 test/helm/gateway-helm/deployment-priorityclass.out.yaml | 2 +-
 test/helm/gateway-helm/deployment-securitycontext.out.yaml | 2 +-
 test/helm/gateway-helm/service-annotations.out.yaml | 2 +-
 13 files changed, 13 insertions(+), 13 deletions(-)
diff --git a/charts/gateway-helm/README.md b/charts/gateway-helm/README.md
index c7424049fa..b49a6ba7e9 100644
--- a/charts/gateway-helm/README.md
+++ b/charts/gateway-helm/README.md
@@ -102,7 +102,7 @@ To uninstall the chart:
 | global.images.envoyGateway.image | string | `nil` | |
 | global.images.envoyGateway.pullPolicy | string | `nil` | |
 | global.images.envoyGateway.pullSecrets | list | `[]` | |
-| global.images.ratelimit.image | string | `"docker.io/envoyproxy/ratelimit:49af5cca"` | |
+| global.images.ratelimit.image | string | `"docker.io/envoyproxy/ratelimit:ae4cee11"` | |
 | global.images.ratelimit.pullPolicy | string | `"IfNotPresent"` | |
 | global.images.ratelimit.pullSecrets | list | `[]` | |
 | kubernetesClusterDomain | string | `"cluster.local"` | |
diff --git a/charts/gateway-helm/templates/_helpers.tpl b/charts/gateway-helm/templates/_helpers.tpl
index 3d1b4a133e..d9aefc2a84 100755
--- a/charts/gateway-helm/templates/_helpers.tpl
+++ b/charts/gateway-helm/templates/_helpers.tpl
@@ -108,7 +108,7 @@ provider:
 {{- if .Values.global.images.ratelimit.image }}
 image: {{ .Values.global.images.ratelimit.image }}
 {{- else }}
- image: "docker.io/envoyproxy/ratelimit:ae4cee11"
+ image: "docker.io/envoyproxy/ratelimit:master"
 {{- end }}
 {{- with .Values.global.images.ratelimit.pullSecrets }}
 pod:
diff --git a/charts/gateway-helm/values.tmpl.yaml b/charts/gateway-helm/values.tmpl.yaml
index 0db2f19a71..a9d3c88df5 100644
--- a/charts/gateway-helm/values.tmpl.yaml
+++ b/charts/gateway-helm/values.tmpl.yaml
@@ -12,7 +12,7 @@ global:
 pullSecrets: []
 ratelimit:
 # This is the full image name including the hub, repo, and tag.
- image: "docker.io/envoyproxy/ratelimit:49af5cca"
+ image: "docker.io/envoyproxy/ratelimit:ae4cee11"
 # Specify image pull policy if default behavior isn't desired.
 # Default behavior: latest images will be Always else IfNotPresent.
 pullPolicy: IfNotPresent
diff --git a/site/content/en/latest/install/gateway-helm-api.md b/site/content/en/latest/install/gateway-helm-api.md
index 875ce2dad0..1035fdea50 100644
--- a/site/content/en/latest/install/gateway-helm-api.md
+++ b/site/content/en/latest/install/gateway-helm-api.md
@@ -66,7 +66,7 @@ The Helm chart for Envoy Gateway
 | global.images.envoyGateway.image | string | `nil` | |
 | global.images.envoyGateway.pullPolicy | string | `nil` | |
 | global.images.envoyGateway.pullSecrets | list | `[]` | |
-| global.images.ratelimit.image | string | `"docker.io/envoyproxy/ratelimit:49af5cca"` | |
+| global.images.ratelimit.image | string | `"docker.io/envoyproxy/ratelimit:ae4cee11"` | |
 | global.images.ratelimit.pullPolicy | string | `"IfNotPresent"` | |
 | global.images.ratelimit.pullSecrets | list | `[]` | |
 | kubernetesClusterDomain | string | `"cluster.local"` | |
diff --git a/site/content/zh/latest/install/gateway-helm-api.md b/site/content/zh/latest/install/gateway-helm-api.md
index 875ce2dad0..1035fdea50 100644
--- a/site/content/zh/latest/install/gateway-helm-api.md
+++ b/site/content/zh/latest/install/gateway-helm-api.md
@@ -66,7 +66,7 @@ The Helm chart for Envoy Gateway
 | global.images.envoyGateway.image | string | `nil` | |
 | global.images.envoyGateway.pullPolicy | string | `nil` | |
 | global.images.envoyGateway.pullSecrets | list | `[]` | |
-| global.images.ratelimit.image | string | `"docker.io/envoyproxy/ratelimit:49af5cca"` | |
+| global.images.ratelimit.image | string | `"docker.io/envoyproxy/ratelimit:ae4cee11"` | |
 | global.images.ratelimit.pullPolicy | string | `"IfNotPresent"` | |
 | global.images.ratelimit.pullSecrets | list | `[]` | |
 | kubernetesClusterDomain | string | `"cluster.local"` | |
diff --git a/test/helm/gateway-helm/certjen-custom-scheduling.out.yaml b/test/helm/gateway-helm/certjen-custom-scheduling.out.yaml
index da1f565b4a..e4541b8cd2 100644
--- a/test/helm/gateway-helm/certjen-custom-scheduling.out.yaml
+++ b/test/helm/gateway-helm/certjen-custom-scheduling.out.yaml
@@ -37,7 +37,7 @@ data:
 kubernetes:
 rateLimitDeployment:
 container:
- image: docker.io/envoyproxy/ratelimit:49af5cca
+ image: docker.io/envoyproxy/ratelimit:ae4cee11
 patch:
 type: StrategicMerge
 value:
diff --git a/test/helm/gateway-helm/control-plane-with-pdb.out.yaml b/test/helm/gateway-helm/control-plane-with-pdb.out.yaml
index f2968da8e6..210af77b53 100644
--- a/test/helm/gateway-helm/control-plane-with-pdb.out.yaml
+++ b/test/helm/gateway-helm/control-plane-with-pdb.out.yaml
@@ -52,7 +52,7 @@ data:
 kubernetes:
 rateLimitDeployment:
 container:
- image: docker.io/envoyproxy/ratelimit:49af5cca
+ image: docker.io/envoyproxy/ratelimit:ae4cee11
 patch:
 type: StrategicMerge
 value:
diff --git a/test/helm/gateway-helm/default-config.out.yaml b/test/helm/gateway-helm/default-config.out.yaml
index 4412787559..ebd8d9db5c 100644
--- a/test/helm/gateway-helm/default-config.out.yaml
+++ b/test/helm/gateway-helm/default-config.out.yaml
@@ -37,7 +37,7 @@ data:
 kubernetes:
 rateLimitDeployment:
 container:
- image: docker.io/envoyproxy/ratelimit:49af5cca
+ image: docker.io/envoyproxy/ratelimit:ae4cee11
 patch:
 type: StrategicMerge
 value:
diff --git a/test/helm/gateway-helm/deployment-custom-topology.out.yaml b/test/helm/gateway-helm/deployment-custom-topology.out.yaml
index 4f3c19beb1..c78eb3d246 100644
--- a/test/helm/gateway-helm/deployment-custom-topology.out.yaml
+++ b/test/helm/gateway-helm/deployment-custom-topology.out.yaml
@@ -37,7 +37,7 @@ data:
 kubernetes:
 rateLimitDeployment:
 container:
- image: docker.io/envoyproxy/ratelimit:49af5cca
+ image: docker.io/envoyproxy/ratelimit:ae4cee11
 patch:
 type: StrategicMerge
 value:
diff --git a/test/helm/gateway-helm/deployment-images-config.out.yaml b/test/helm/gateway-helm/deployment-images-config.out.yaml
index 764f234385..f09e89d191 100644
--- a/test/helm/gateway-helm/deployment-images-config.out.yaml
+++ b/test/helm/gateway-helm/deployment-images-config.out.yaml
@@ -37,7 +37,7 @@ data:
 kubernetes:
 rateLimitDeployment:
 container:
- image: docker.io/envoyproxy/ratelimit:49af5cca
+ image: docker.io/envoyproxy/ratelimit:ae4cee11
 patch:
 type: StrategicMerge
 value:
diff --git a/test/helm/gateway-helm/deployment-priorityclass.out.yaml b/test/helm/gateway-helm/deployment-priorityclass.out.yaml
index 807dd5d78b..9063afac9d 100644
--- a/test/helm/gateway-helm/deployment-priorityclass.out.yaml
+++ b/test/helm/gateway-helm/deployment-priorityclass.out.yaml
@@ -37,7 +37,7 @@ data:
 kubernetes:
 rateLimitDeployment:
 container:
- image: docker.io/envoyproxy/ratelimit:49af5cca
+ image: docker.io/envoyproxy/ratelimit:ae4cee11
 patch:
 type: StrategicMerge
 value:
diff --git a/test/helm/gateway-helm/deployment-securitycontext.out.yaml b/test/helm/gateway-helm/deployment-securitycontext.out.yaml
index 9e29afe3e9..cf23490af9 100644
--- a/test/helm/gateway-helm/deployment-securitycontext.out.yaml
+++ b/test/helm/gateway-helm/deployment-securitycontext.out.yaml
@@ -37,7 +37,7 @@ data:
 kubernetes:
 rateLimitDeployment:
 container:
- image: docker.io/envoyproxy/ratelimit:49af5cca
+ image: docker.io/envoyproxy/ratelimit:ae4cee11
 patch:
 type: StrategicMerge
 value:
diff --git a/test/helm/gateway-helm/service-annotations.out.yaml b/test/helm/gateway-helm/service-annotations.out.yaml
index 20c7e1616c..83ea20ab6a 100644
--- a/test/helm/gateway-helm/service-annotations.out.yaml
+++ b/test/helm/gateway-helm/service-annotations.out.yaml
@@ -37,7 +37,7 @@ data:
 kubernetes:
 rateLimitDeployment:
 container:
- image: docker.io/envoyproxy/ratelimit:49af5cca
+ image: docker.io/envoyproxy/ratelimit:ae4cee11
 patch:
 type: StrategicMerge
 value: