docs: New concept page for load balancing

.github/codecov.yml

@@ -15,3 +15,4 @@ ignore:
   - "test"
   - "**/*.pb.go"
   - "**/zz_generated.*.go"
+  - "api/**/*_types.go"

.github/workflows/codeql.yml

@@ -36,14 +36,14 @@ jobs:
     - uses: ./tools/github-actions/setup-deps
 
     - name: Initialize CodeQL
-      uses: github/codeql-action/init@28deaeda66b76a05916b6923827895f2b14ab387  # v3.28.16
+      uses: github/codeql-action/init@60168efe1c415ce0f5521ea06d5c2062adbeed1b  # v3.28.17
       with:
         languages: ${{ matrix.language }}
 
     - name: Autobuild
-      uses: github/codeql-action/autobuild@28deaeda66b76a05916b6923827895f2b14ab387  # v3.28.16
+      uses: github/codeql-action/autobuild@60168efe1c415ce0f5521ea06d5c2062adbeed1b  # v3.28.17
 
     - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@28deaeda66b76a05916b6923827895f2b14ab387  # v3.28.16
+      uses: github/codeql-action/analyze@60168efe1c415ce0f5521ea06d5c2062adbeed1b  # v3.28.17
       with:
         category: "/language:${{matrix.language}}"

.github/workflows/latest_release.yaml

@@ -81,7 +81,6 @@ jobs:
         tar -zcvf egctl_latest_darwin_amd64.tar.gz bin/darwin/amd64/egctl
         tar -zcvf egctl_latest_darwin_arm64.tar.gz bin/darwin/arm64/egctl
         zip -r egctl_latest_windows_amd64.zip bin/windows/amd64/egctl
-        zip -r egctl_latest_windows_arm64.zip bin/windows/arm64/egctl
 
     # Ignore the error when we delete the latest release, it might not exist.
 
@@ -127,7 +126,6 @@ jobs:
           egctl_latest_darwin_amd64.tar.gz
           egctl_latest_darwin_arm64.tar.gz
           egctl_latest_windows_amd64.zip
-          egctl_latest_windows_arm64.zip
         body: |
           This is the "latest" release of **Envoy Gateway**, which contains the most recent commits from the main branch.
 

.github/workflows/license-scan.yml

@@ -18,7 +18,7 @@ jobs:
     - name: Checkout code
       uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683  # v4.2.2
     - name: Run scanner
-      uses: google/osv-scanner-action/osv-scanner-action@6fc714450122bda9d00e4ad5d639ad6a39eedb1f  # v2.0.1
+      uses: google/osv-scanner-action/osv-scanner-action@e69cc6c86b31f1e7e23935bbe7031b50e51082de  # v2.0.2
       continue-on-error: true  # remove this after https://github.com/google/deps.dev/issues/146 has been resolved
       with:
         scan-args: |-

.github/workflows/osv-scanner.yml

@@ -19,7 +19,7 @@ permissions:
 jobs:
   scan-scheduled:
     if: ${{ github.event_name == 'push' || github.event_name == 'schedule' }}
-    uses: "google/osv-scanner-action/.github/workflows/osv-scanner-reusable.yml@6fc714450122bda9d00e4ad5d639ad6a39eedb1f"  # v2.0.1
+    uses: "google/osv-scanner-action/.github/workflows/osv-scanner-reusable.yml@e69cc6c86b31f1e7e23935bbe7031b50e51082de"  # v2.0.2
     with:
       scan-args: |-
         --recursive
@@ -32,7 +32,7 @@ jobs:
 
   scan-pr:
     if: ${{ github.event_name == 'pull_request' || github.event_name == 'merge_group' }}
-    uses: "google/osv-scanner-action/.github/workflows/osv-scanner-reusable-pr.yml@6fc714450122bda9d00e4ad5d639ad6a39eedb1f"  # v2.0.1
+    uses: "google/osv-scanner-action/.github/workflows/osv-scanner-reusable-pr.yml@e69cc6c86b31f1e7e23935bbe7031b50e51082de"  # v2.0.2
     with:
       scan-args: |-
         --recursive

.github/workflows/release.yaml

@@ -95,7 +95,6 @@ jobs:
           tar -zcvf egctl_${{ env.release_tag }}_darwin_amd64.tar.gz bin/darwin/amd64/egctl
           tar -zcvf egctl_${{ env.release_tag }}_darwin_arm64.tar.gz bin/darwin/arm64/egctl
           zip -r egctl_${{ env.release_tag }}_windows_amd64.zip bin/windows/amd64/egctl
-          zip -r egctl_${{ env.release_tag }}_windows_arm64.zip bin/windows/arm64/egctl
 
       - name: Upload Release Manifests
         uses: softprops/action-gh-release@da05d552573ad5aba039eaac05058a918a7bf631  # v2.2.2
@@ -115,4 +114,3 @@ jobs:
             egctl_${{ env.release_tag }}_darwin_amd64.tar.gz
             egctl_${{ env.release_tag }}_darwin_arm64.tar.gz
             egctl_${{ env.release_tag }}_windows_amd64.zip
-            egctl_${{ env.release_tag }}_windows_arm64.zip

.github/workflows/scorecard.yml

@@ -40,6 +40,6 @@ jobs:
         retention-days: 5
 
     - name: "Upload to code-scanning"
-      uses: github/codeql-action/upload-sarif@28deaeda66b76a05916b6923827895f2b14ab387  # v3.28.16
+      uses: github/codeql-action/upload-sarif@60168efe1c415ce0f5521ea06d5c2062adbeed1b  # v3.28.17
       with:
         sarif_file: results.sarif

OWNERS

@@ -33,9 +33,9 @@ reviewers:
 - cnvergence
 - liorokman
 - rudrakhp
-- sanposhiho
 
 emeritus-reviewers:
 
 - chauhanshubham
 - tmsnan
+- sanposhiho

VERSION

@@ -1 +1 @@
-v1.4.0-rc.1
+v1.4.0-rc.2

api/v1alpha1/backend_types.go

@@ -115,6 +115,7 @@ type UnixSocket struct {
 
 // BackendSpec describes the desired state of BackendSpec.
 // +kubebuilder:validation:XValidation:rule="self.type != 'DynamicResolver' || !has(self.endpoints) && !has(self.appProtocols)",message="DynamicResolver type cannot have endpoints and appProtocols specified"
+// +kubebuilder:validation:XValidation:rule="has(self.tls) ? self.type == 'DynamicResolver' : true",message="TLS settings can only be specified for DynamicResolver backends"
 type BackendSpec struct {
 	// Type defines the type of the backend. Defaults to "Endpoints"
 	//
@@ -148,12 +149,13 @@ type BackendSpec struct {
 	// Only supported for DynamicResolver backends.
 	//
 	// +optional
-	// +notImplementedHide
 	TLS *BackendTLSSettings `json:"tls,omitempty"`
 }
 
 // BackendTLSSettings holds the TLS settings for the backend.
 // Only used for DynamicResolver backends.
+// +kubebuilder:validation:XValidation:message="must not contain both CACertificateRefs and WellKnownCACertificates",rule="!(has(self.caCertificateRefs) && size(self.caCertificateRefs) > 0 && has(self.wellKnownCACertificates) && self.wellKnownCACertificates != \"\")"
+// +kubebuilder:validation:XValidation:message="must specify either CACertificateRefs or WellKnownCACertificates",rule="(has(self.caCertificateRefs) && size(self.caCertificateRefs) > 0 || has(self.wellKnownCACertificates) && self.wellKnownCACertificates != \"\")"
 type BackendTLSSettings struct {
 	// CACertificateRefs contains one or more references to Kubernetes objects that
 	// contain TLS certificates of the Certificate Authorities that can be used

api/v1alpha1/envoygateway_helpers.go

@@ -33,11 +33,11 @@ func DefaultEnvoyGateway() *EnvoyGateway {
 
 // SetEnvoyGatewayDefaults sets default EnvoyGateway configuration parameters.
 func (e *EnvoyGateway) SetEnvoyGatewayDefaults() {
-	if e.TypeMeta.Kind == "" {
-		e.TypeMeta.Kind = KindEnvoyGateway
+	if e.Kind == "" {
+		e.Kind = KindEnvoyGateway
 	}
-	if e.TypeMeta.APIVersion == "" {
-		e.TypeMeta.APIVersion = GroupVersion.String()
+	if e.APIVersion == "" {
+		e.APIVersion = GroupVersion.String()
 	}
 	if e.Provider == nil {
 		e.Provider = DefaultEnvoyGatewayProvider()

api/v1alpha1/kubernetes_helpers.go

@@ -11,7 +11,6 @@ import (
 
 	jsonpatch "github.com/evanphx/json-patch"
 	appsv1 "k8s.io/api/apps/v1"
-	autoscalingv2 "k8s.io/api/autoscaling/v2"
 	corev1 "k8s.io/api/core/v1"
 	policyv1 "k8s.io/api/policy/v1"
 	"k8s.io/apimachinery/pkg/api/resource"
@@ -158,150 +157,6 @@ func (hpa *KubernetesHorizontalPodAutoscalerSpec) setDefault() {
 	}
 }
 
-// ApplyMergePatch applies a merge patch to a deployment based on the merge type
-func (deployment *KubernetesDeploymentSpec) ApplyMergePatch(old *appsv1.Deployment) (*appsv1.Deployment, error) {
-	if deployment.Patch == nil {
-		return old, nil
-	}
-
-	var patchedJSON []byte
-	var err error
-
-	// Serialize the current deployment to JSON
-	originalJSON, err := json.Marshal(old)
-	if err != nil {
-		return nil, fmt.Errorf("error marshaling original deployment: %w", err)
-	}
-
-	switch {
-	case deployment.Patch.Type == nil || *deployment.Patch.Type == StrategicMerge:
-		patchedJSON, err = strategicpatch.StrategicMergePatch(originalJSON, deployment.Patch.Value.Raw, appsv1.Deployment{})
-	case *deployment.Patch.Type == JSONMerge:
-		patchedJSON, err = jsonpatch.MergePatch(originalJSON, deployment.Patch.Value.Raw)
-	default:
-		return nil, fmt.Errorf("unsupported merge type: %s", *deployment.Patch.Type)
-	}
-	if err != nil {
-		return nil, fmt.Errorf("error applying merge patch: %w", err)
-	}
-
-	// Deserialize the patched JSON into a new deployment object
-	var patchedDeployment appsv1.Deployment
-	if err := json.Unmarshal(patchedJSON, &patchedDeployment); err != nil {
-		return nil, fmt.Errorf("error unmarshaling patched deployment: %w", err)
-	}
-
-	return &patchedDeployment, nil
-}
-
-// ApplyMergePatch applies a merge patch to a daemonset based on the merge type
-func (daemonset *KubernetesDaemonSetSpec) ApplyMergePatch(old *appsv1.DaemonSet) (*appsv1.DaemonSet, error) {
-	if daemonset.Patch == nil {
-		return old, nil
-	}
-
-	var patchedJSON []byte
-	var err error
-
-	// Serialize the current daemonset to JSON
-	originalJSON, err := json.Marshal(old)
-	if err != nil {
-		return nil, fmt.Errorf("error marshaling original daemonset: %w", err)
-	}
-
-	switch {
-	case daemonset.Patch.Type == nil || *daemonset.Patch.Type == StrategicMerge:
-		patchedJSON, err = strategicpatch.StrategicMergePatch(originalJSON, daemonset.Patch.Value.Raw, appsv1.DaemonSet{})
-	case *daemonset.Patch.Type == JSONMerge:
-		patchedJSON, err = jsonpatch.MergePatch(originalJSON, daemonset.Patch.Value.Raw)
-	default:
-		return nil, fmt.Errorf("unsupported merge type: %s", *daemonset.Patch.Type)
-	}
-	if err != nil {
-		return nil, fmt.Errorf("error applying merge patch: %w", err)
-	}
-
-	// Deserialize the patched JSON into a new daemonset object
-	var patchedDaemonSet appsv1.DaemonSet
-	if err := json.Unmarshal(patchedJSON, &patchedDaemonSet); err != nil {
-		return nil, fmt.Errorf("error unmarshaling patched daemonset: %w", err)
-	}
-
-	return &patchedDaemonSet, nil
-}
-
-// ApplyMergePatch applies a merge patch to a service based on the merge type
-func (service *KubernetesServiceSpec) ApplyMergePatch(old *corev1.Service) (*corev1.Service, error) {
-	if service.Patch == nil {
-		return old, nil
-	}
-
-	var patchedJSON []byte
-	var err error
-
-	// Serialize the current service to JSON
-	originalJSON, err := json.Marshal(old)
-	if err != nil {
-		return nil, fmt.Errorf("error marshaling original service: %w", err)
-	}
-
-	switch {
-	case service.Patch.Type == nil || *service.Patch.Type == StrategicMerge:
-		patchedJSON, err = strategicpatch.StrategicMergePatch(originalJSON, service.Patch.Value.Raw, corev1.Service{})
-	case *service.Patch.Type == JSONMerge:
-		patchedJSON, err = jsonpatch.MergePatch(originalJSON, service.Patch.Value.Raw)
-	default:
-		return nil, fmt.Errorf("unsupported merge type: %s", *service.Patch.Type)
-	}
-	if err != nil {
-		return nil, fmt.Errorf("error applying merge patch: %w", err)
-	}
-
-	// Deserialize the patched JSON into a new service object
-	var patchedService corev1.Service
-	if err := json.Unmarshal(patchedJSON, &patchedService); err != nil {
-		return nil, fmt.Errorf("error unmarshaling patched service: %w", err)
-	}
-
-	return &patchedService, nil
-}
-
-// ApplyMergePatch applies a merge patch to a HorizontalPodAutoscaler based on the merge type
-func (hpa *KubernetesHorizontalPodAutoscalerSpec) ApplyMergePatch(old *autoscalingv2.HorizontalPodAutoscaler) (*autoscalingv2.HorizontalPodAutoscaler, error) {
-	if hpa.Patch == nil {
-		return old, nil
-	}
-
-	var patchedJSON []byte
-	var err error
-
-	// Serialize the current HPA to JSON
-	originalJSON, err := json.Marshal(old)
-	if err != nil {
-		return nil, fmt.Errorf("error marshaling original HorizontalPodAutoscaler: %w", err)
-	}
-
-	switch {
-	case hpa.Patch.Type == nil || *hpa.Patch.Type == StrategicMerge:
-		patchedJSON, err = strategicpatch.StrategicMergePatch(originalJSON, hpa.Patch.Value.Raw, autoscalingv2.HorizontalPodAutoscaler{})
-	case *hpa.Patch.Type == JSONMerge:
-		patchedJSON, err = jsonpatch.MergePatch(originalJSON, hpa.Patch.Value.Raw)
-	default:
-		return nil, fmt.Errorf("unsupported merge type: %s", *hpa.Patch.Type)
-	}
-	if err != nil {
-		return nil, fmt.Errorf("error applying merge patch: %w", err)
-	}
-
-	// Deserialize the patched JSON into a new HorizontalPodAutoscaler object
-	var patchedHpa autoscalingv2.HorizontalPodAutoscaler
-	if err := json.Unmarshal(patchedJSON, &patchedHpa); err != nil {
-		return nil, fmt.Errorf("error unmarshaling patched HorizontalPodAutoscaler: %w", err)
-	}
-
-	return &patchedHpa, nil
-}
-
 // ApplyMergePatch applies a merge patch to a PodDisruptionBudget based on the merge type
 func (pdb *KubernetesPodDisruptionBudgetSpec) ApplyMergePatch(old *policyv1.PodDisruptionBudget) (*policyv1.PodDisruptionBudget, error) {
 	if pdb.Patch == nil {

api/v1alpha1/ratelimit_types.go

@@ -49,8 +49,10 @@ type GlobalRateLimit struct {
 	// matches two rules, one rate limited and one not, the final decision will be
 	// to rate limit the request.
 	//
+	// +patchMergeKey:"name"
+	// +patchStrategy:"merge"
 	// +kubebuilder:validation:MaxItems=64
-	Rules []RateLimitRule `json:"rules"`
+	Rules []RateLimitRule `json:"rules" patchMergeKey:"name" patchStrategy:"merge"`
 
 	// Shared determines whether the rate limit rules apply across all the policy targets.
 	// If set to true, the rule is treated as a common bucket and is shared across all policy targets (xRoutes).
@@ -69,15 +71,23 @@ type LocalRateLimit struct {
 	// matches two rules, one with 10rps and one with 20rps, the final limit will
 	// be based on the rule with 10rps.
 	//
+	// +patchMergeKey:"name"
+	// +patchStrategy:"merge"
+	//
 	// +optional
 	// +kubebuilder:validation:MaxItems=16
 	// +kubebuilder:validation:XValidation:rule="self.all(foo, !has(foo.cost) || !has(foo.cost.response))", message="response cost is not supported for Local Rate Limits"
-	Rules []RateLimitRule `json:"rules"`
+	Rules []RateLimitRule `json:"rules" patchMergeKey:"name" patchStrategy:"merge"`
 }
 
 // RateLimitRule defines the semantics for matching attributes
 // from the incoming requests, and setting limits for them.
 type RateLimitRule struct {
+	// Name is the name of the rule. This is used to identify the rule
+	// in the Envoy configuration and as a unique identifier for merging.
+	//
+	// +optional
+	Name string `json:"name,omitempty"`
 	// ClientSelectors holds the list of select conditions to select
 	// specific clients using attributes from the traffic flow.
 	// All individual select conditions must hold True for this rule

charts/gateway-crds-helm/README.md

@@ -32,6 +32,6 @@ To uninstall the chart:
 
 | Key | Type | Default | Description |
 |-----|------|---------|-------------|
-| crds.envoyGateway.enabled | bool | `true` |  |
-| crds.gatewayAPI.enabled | bool | `true` |  |
+| crds.envoyGateway.enabled | bool | `false` |  |
+| crds.gatewayAPI.enabled | bool | `false` |  |
 

charts/gateway-crds-helm/templates/generated/gateway.envoyproxy.io_backends.yaml

@@ -213,6 +213,15 @@ spec:
                     - System
                     type: string
                 type: object
+                x-kubernetes-validations:
+                - message: must not contain both CACertificateRefs and WellKnownCACertificates
+                  rule: '!(has(self.caCertificateRefs) && size(self.caCertificateRefs)
+                    > 0 && has(self.wellKnownCACertificates) && self.wellKnownCACertificates
+                    != "")'
+                - message: must specify either CACertificateRefs or WellKnownCACertificates
+                  rule: (has(self.caCertificateRefs) && size(self.caCertificateRefs)
+                    > 0 || has(self.wellKnownCACertificates) && self.wellKnownCACertificates
+                    != "")
               type:
                 default: Endpoints
                 description: Type defines the type of the backend. Defaults to "Endpoints"
@@ -225,6 +234,8 @@ spec:
             - message: DynamicResolver type cannot have endpoints and appProtocols
                 specified
               rule: self.type != 'DynamicResolver' || !has(self.endpoints) && !has(self.appProtocols)
+            - message: TLS settings can only be specified for DynamicResolver backends
+              rule: 'has(self.tls) ? self.type == ''DynamicResolver'' : true'
           status:
             description: Status defines the current status of Backend.
             properties:

charts/gateway-crds-helm/templates/generated/gateway.envoyproxy.io_backendtrafficpolicies.yaml

@@ -948,6 +948,11 @@ spec:
                               - requests
                               - unit
                               type: object
+                            name:
+                              description: |-
+                                Name is the name of the rule. This is used to identify the rule
+                                in the Envoy configuration and as a unique identifier for merging.
+                              type: string
                           required:
                           - limit
                           type: object
@@ -1198,6 +1203,11 @@ spec:
                               - requests
                               - unit
                               type: object
+                            name:
+                              description: |-
+                                Name is the name of the rule. This is used to identify the rule
+                                in the Envoy configuration and as a unique identifier for merging.
+                              type: string
                           required:
                           - limit
                           type: object