envoyproxy · arkodg · May 13, 2025 · May 2, 2025 · May 2, 2025 · May 2, 2025
@@ -15,3 +15,4 @@ ignore:
   - "test"
   - "**/*.pb.go"
   - "**/zz_generated.*.go"
+  - "api/**/*_types.go"
@@ -36,19 +36,23 @@ updates:
       # Ignore github.com/docker/docker, since it should be updated alongside github.com/google/go-containerregistry
       - dependency-name: github.com/docker/docker
     groups:
-      github.com:
+      gomod:
         patterns:
           - "github.com*"
+          - "go.opentelemetry.io*"
+          - "golang*"
+          - "google*"
+          - "fortio.org*"
+          - "gopkg.in*"
+          - "helm.sh*"
+          - "gomodules.xyz"
+        exclude-patterns:
+          # Exclude envoyproxy/go-control-plane, since it needs more work to update
+          - "github.com/envoyproxy/go-control-plane*"
       k8s.io:
         patterns:
           - "k8s.io/*"
           - "sigs.k8s.io/*"
-      go.opentelemetry.io:
-        patterns:
-          - "go.opentelemetry.io*"
-          # Merge golang/google groups into group, since it should be updated alongside opentelemetry
-          - "golang*"
-          - "google*"
   - package-ecosystem: pip
     directories:
       - /tools/src/codespell

@@ -88,13 +88,20 @@ jobs:
         target:
         - version: v1.30.10
           ipFamily: ipv4
+          profile: default
         - version: v1.31.6
           ipFamily: ipv4
+          profile: default
         - version: v1.32.3
           ipFamily: ipv6  # only run ipv6 test on this version to save time
+          profile: default
         # TODO: this's IPv4 first, need a way to test IPv6 first.
         - version: v1.33.0
           ipFamily: dual  # only run dual test on latest version to save time
+          profile: default
+        - version: v1.33.0
+          ipFamily: dual  # only run dual test on latest version to save time
+          profile: gateway-namespace-mode
     steps:
     - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683  # v4.2.2
     - uses: ./tools/github-actions/setup-deps
@@ -116,6 +123,7 @@ jobs:
         KIND_NODE_TAG: ${{ matrix.target.version }}
         IMAGE_PULL_POLICY: IfNotPresent
         IP_FAMILY: ${{ matrix.target.ipFamily }}
+        KUBE_DEPLOY_PROFILE: ${{ matrix.target.profile }}
       run: make conformance
 
   e2e-test:
@@ -127,13 +135,20 @@ jobs:
         target:
         - version: v1.30.10
           ipFamily: ipv4
+          profile: default
         - version: v1.31.6
           ipFamily: ipv4
+          profile: default
         - version: v1.32.3
           ipFamily: ipv6  # only run ipv6 test on this version to save time
+          profile: default
         # TODO: this's IPv4 first, need a way to test IPv6 first.
         - version: v1.33.0
           ipFamily: dual  # only run dual test on latest version to save time
+          profile: default
+        - version: v1.33.0
+          ipFamily: dual  # only run dual test on latest version to save time
+          profile: gateway-namespace-mode
     steps:
     - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683  # v4.2.2
     - uses: ./tools/github-actions/setup-deps
@@ -155,6 +170,7 @@ jobs:
         KIND_NODE_TAG: ${{ matrix.target.version }}
         IMAGE_PULL_POLICY: IfNotPresent
         IP_FAMILY: ${{ matrix.target.ipFamily }}
+        KUBE_DEPLOY_PROFILE: ${{ matrix.target.profile }}
         E2E_TIMEOUT: 1h
         NUM_WORKERS: 2
       run: make e2e
@@ -187,6 +203,7 @@ jobs:
 
     - name: Read Benchmark report
       run: cat test/benchmark/benchmark_report/benchmark_report.md
+
   resilience-test:
     runs-on: ubuntu-latest
     if: ${{ ! startsWith(github.event_name, 'push') }}
@@ -203,7 +220,7 @@ jobs:
 
   publish:
     runs-on: ubuntu-latest
-    needs: [conformance-test, e2e-test]
+    needs: [conformance-test, e2e-test, resilience-test]
     steps:
     - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683  # v4.2.2
     - uses: ./tools/github-actions/setup-deps

@@ -36,14 +36,14 @@ jobs:
     - uses: ./tools/github-actions/setup-deps
 
     - name: Initialize CodeQL
-      uses: github/codeql-action/init@28deaeda66b76a05916b6923827895f2b14ab387  # v3.28.16
+      uses: github/codeql-action/init@60168efe1c415ce0f5521ea06d5c2062adbeed1b  # v3.28.17
       with:
         languages: ${{ matrix.language }}
 
     - name: Autobuild
-      uses: github/codeql-action/autobuild@28deaeda66b76a05916b6923827895f2b14ab387  # v3.28.16
+      uses: github/codeql-action/autobuild@60168efe1c415ce0f5521ea06d5c2062adbeed1b  # v3.28.17
 
     - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@28deaeda66b76a05916b6923827895f2b14ab387  # v3.28.16
+      uses: github/codeql-action/analyze@60168efe1c415ce0f5521ea06d5c2062adbeed1b  # v3.28.17
       with:
         category: "/language:${{matrix.language}}"
@@ -18,7 +18,7 @@ jobs:
     - name: Checkout code
       uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683  # v4.2.2
     - name: Run scanner
-      uses: google/osv-scanner-action/osv-scanner-action@6fc714450122bda9d00e4ad5d639ad6a39eedb1f  # v2.0.1
+      uses: google/osv-scanner-action/osv-scanner-action@e69cc6c86b31f1e7e23935bbe7031b50e51082de  # v2.0.2
       continue-on-error: true  # remove this after https://github.com/google/deps.dev/issues/146 has been resolved
       with:
         scan-args: |-

@@ -19,7 +19,7 @@ permissions:
 jobs:
   scan-scheduled:
     if: ${{ github.event_name == 'push' || github.event_name == 'schedule' }}
-    uses: "google/osv-scanner-action/.github/workflows/osv-scanner-reusable.yml@6fc714450122bda9d00e4ad5d639ad6a39eedb1f"  # v2.0.1
+    uses: "google/osv-scanner-action/.github/workflows/osv-scanner-reusable.yml@e69cc6c86b31f1e7e23935bbe7031b50e51082de"  # v2.0.2
     with:
       scan-args: |-
         --recursive
@@ -32,7 +32,7 @@ jobs:
 
   scan-pr:
     if: ${{ github.event_name == 'pull_request' || github.event_name == 'merge_group' }}
-    uses: "google/osv-scanner-action/.github/workflows/osv-scanner-reusable-pr.yml@6fc714450122bda9d00e4ad5d639ad6a39eedb1f"  # v2.0.1
+    uses: "google/osv-scanner-action/.github/workflows/osv-scanner-reusable-pr.yml@e69cc6c86b31f1e7e23935bbe7031b50e51082de"  # v2.0.2
     with:
       scan-args: |-
         --recursive

@@ -40,6 +40,6 @@ jobs:
         retention-days: 5
 
     - name: "Upload to code-scanning"
-      uses: github/codeql-action/upload-sarif@28deaeda66b76a05916b6923827895f2b14ab387  # v3.28.16
+      uses: github/codeql-action/upload-sarif@60168efe1c415ce0f5521ea06d5c2062adbeed1b  # v3.28.17
       with:
         sarif_file: results.sarif
@@ -115,6 +115,7 @@ type UnixSocket struct {
 
 // BackendSpec describes the desired state of BackendSpec.
 // +kubebuilder:validation:XValidation:rule="self.type != 'DynamicResolver' || !has(self.endpoints) && !has(self.appProtocols)",message="DynamicResolver type cannot have endpoints and appProtocols specified"
+// +kubebuilder:validation:XValidation:rule="has(self.tls) ? self.type == 'DynamicResolver' : true",message="TLS settings can only be specified for DynamicResolver backends"
 type BackendSpec struct {
 	// Type defines the type of the backend. Defaults to "Endpoints"
 	//
@@ -148,12 +149,13 @@ type BackendSpec struct {
 	// Only supported for DynamicResolver backends.
 	//
 	// +optional
-	// +notImplementedHide
 	TLS *BackendTLSSettings `json:"tls,omitempty"`
 }
 
 // BackendTLSSettings holds the TLS settings for the backend.
 // Only used for DynamicResolver backends.
+// +kubebuilder:validation:XValidation:message="must not contain both CACertificateRefs and WellKnownCACertificates",rule="!(has(self.caCertificateRefs) && size(self.caCertificateRefs) > 0 && has(self.wellKnownCACertificates) && self.wellKnownCACertificates != \"\")"
+// +kubebuilder:validation:XValidation:message="must specify either CACertificateRefs or WellKnownCACertificates",rule="(has(self.caCertificateRefs) && size(self.caCertificateRefs) > 0 || has(self.wellKnownCACertificates) && self.wellKnownCACertificates != \"\")"
 type BackendTLSSettings struct {
 	// CACertificateRefs contains one or more references to Kubernetes objects that
 	// contain TLS certificates of the Certificate Authorities that can be used

@@ -33,11 +33,11 @@
 
 // SetEnvoyGatewayDefaults sets default EnvoyGateway configuration parameters.
 func (e *EnvoyGateway) SetEnvoyGatewayDefaults() {
-	if e.TypeMeta.Kind == "" {
-		e.TypeMeta.Kind = KindEnvoyGateway
+	if e.Kind == "" {
+		e.Kind = KindEnvoyGateway
 	}
-	if e.TypeMeta.APIVersion == "" {
-		e.TypeMeta.APIVersion = GroupVersion.String()
+	if e.APIVersion == "" {
+		e.APIVersion = GroupVersion.String()
 	}
 	if e.Provider == nil {
 		e.Provider = DefaultEnvoyGatewayProvider()

@@ -11,7 +11,6 @@ import (
 
 	jsonpatch "github.com/evanphx/json-patch"
 	appsv1 "k8s.io/api/apps/v1"
-	autoscalingv2 "k8s.io/api/autoscaling/v2"
 	corev1 "k8s.io/api/core/v1"
 	policyv1 "k8s.io/api/policy/v1"
 	"k8s.io/apimachinery/pkg/api/resource"
@@ -158,150 +157,6 @@ func (hpa *KubernetesHorizontalPodAutoscalerSpec) setDefault() {
 	}
 }
 
-// ApplyMergePatch applies a merge patch to a deployment based on the merge type
-func (deployment *KubernetesDeploymentSpec) ApplyMergePatch(old *appsv1.Deployment) (*appsv1.Deployment, error) {
-	if deployment.Patch == nil {
-		return old, nil
-	}
-
-	var patchedJSON []byte
-	var err error
-
-	// Serialize the current deployment to JSON
-	originalJSON, err := json.Marshal(old)
-	if err != nil {
-		return nil, fmt.Errorf("error marshaling original deployment: %w", err)
-	}
-
-	switch {
-	case deployment.Patch.Type == nil || *deployment.Patch.Type == StrategicMerge:
-		patchedJSON, err = strategicpatch.StrategicMergePatch(originalJSON, deployment.Patch.Value.Raw, appsv1.Deployment{})
-	case *deployment.Patch.Type == JSONMerge:
-		patchedJSON, err = jsonpatch.MergePatch(originalJSON, deployment.Patch.Value.Raw)
-	default:
-		return nil, fmt.Errorf("unsupported merge type: %s", *deployment.Patch.Type)
-	}
-	if err != nil {
-		return nil, fmt.Errorf("error applying merge patch: %w", err)
-	}
-
-	// Deserialize the patched JSON into a new deployment object
-	var patchedDeployment appsv1.Deployment
-	if err := json.Unmarshal(patchedJSON, &patchedDeployment); err != nil {
-		return nil, fmt.Errorf("error unmarshaling patched deployment: %w", err)
-	}
-
-	return &patchedDeployment, nil
-}
-
-// ApplyMergePatch applies a merge patch to a daemonset based on the merge type
-func (daemonset *KubernetesDaemonSetSpec) ApplyMergePatch(old *appsv1.DaemonSet) (*appsv1.DaemonSet, error) {
-	if daemonset.Patch == nil {
-		return old, nil
-	}
-
-	var patchedJSON []byte
-	var err error
-
-	// Serialize the current daemonset to JSON
-	originalJSON, err := json.Marshal(old)
-	if err != nil {
-		return nil, fmt.Errorf("error marshaling original daemonset: %w", err)
-	}
-
-	switch {
-	case daemonset.Patch.Type == nil || *daemonset.Patch.Type == StrategicMerge:
-		patchedJSON, err = strategicpatch.StrategicMergePatch(originalJSON, daemonset.Patch.Value.Raw, appsv1.DaemonSet{})
-	case *daemonset.Patch.Type == JSONMerge:
-		patchedJSON, err = jsonpatch.MergePatch(originalJSON, daemonset.Patch.Value.Raw)
-	default:
-		return nil, fmt.Errorf("unsupported merge type: %s", *daemonset.Patch.Type)
-	}
-	if err != nil {
-		return nil, fmt.Errorf("error applying merge patch: %w", err)
-	}
-
-	// Deserialize the patched JSON into a new daemonset object
-	var patchedDaemonSet appsv1.DaemonSet
-	if err := json.Unmarshal(patchedJSON, &patchedDaemonSet); err != nil {
-		return nil, fmt.Errorf("error unmarshaling patched daemonset: %w", err)
-	}
-
-	return &patchedDaemonSet, nil
-}
-
-// ApplyMergePatch applies a merge patch to a service based on the merge type
-func (service *KubernetesServiceSpec) ApplyMergePatch(old *corev1.Service) (*corev1.Service, error) {
-	if service.Patch == nil {
-		return old, nil
-	}
-
-	var patchedJSON []byte
-	var err error
-
-	// Serialize the current service to JSON
-	originalJSON, err := json.Marshal(old)
-	if err != nil {
-		return nil, fmt.Errorf("error marshaling original service: %w", err)
-	}
-
-	switch {
-	case service.Patch.Type == nil || *service.Patch.Type == StrategicMerge:
-		patchedJSON, err = strategicpatch.StrategicMergePatch(originalJSON, service.Patch.Value.Raw, corev1.Service{})
-	case *service.Patch.Type == JSONMerge:
-		patchedJSON, err = jsonpatch.MergePatch(originalJSON, service.Patch.Value.Raw)
-	default:
-		return nil, fmt.Errorf("unsupported merge type: %s", *service.Patch.Type)
-	}
-	if err != nil {
-		return nil, fmt.Errorf("error applying merge patch: %w", err)
-	}
-
-	// Deserialize the patched JSON into a new service object
-	var patchedService corev1.Service
-	if err := json.Unmarshal(patchedJSON, &patchedService); err != nil {
-		return nil, fmt.Errorf("error unmarshaling patched service: %w", err)
-	}
-
-	return &patchedService, nil
-}
-
-// ApplyMergePatch applies a merge patch to a HorizontalPodAutoscaler based on the merge type
-func (hpa *KubernetesHorizontalPodAutoscalerSpec) ApplyMergePatch(old *autoscalingv2.HorizontalPodAutoscaler) (*autoscalingv2.HorizontalPodAutoscaler, error) {
-	if hpa.Patch == nil {
-		return old, nil
-	}
-
-	var patchedJSON []byte
-	var err error
-
-	// Serialize the current HPA to JSON
-	originalJSON, err := json.Marshal(old)
-	if err != nil {
-		return nil, fmt.Errorf("error marshaling original HorizontalPodAutoscaler: %w", err)
-	}
-
-	switch {
-	case hpa.Patch.Type == nil || *hpa.Patch.Type == StrategicMerge:
-		patchedJSON, err = strategicpatch.StrategicMergePatch(originalJSON, hpa.Patch.Value.Raw, autoscalingv2.HorizontalPodAutoscaler{})
-	case *hpa.Patch.Type == JSONMerge:
-		patchedJSON, err = jsonpatch.MergePatch(originalJSON, hpa.Patch.Value.Raw)
-	default:
-		return nil, fmt.Errorf("unsupported merge type: %s", *hpa.Patch.Type)
-	}
-	if err != nil {
-		return nil, fmt.Errorf("error applying merge patch: %w", err)
-	}
-
-	// Deserialize the patched JSON into a new HorizontalPodAutoscaler object
-	var patchedHpa autoscalingv2.HorizontalPodAutoscaler
-	if err := json.Unmarshal(patchedJSON, &patchedHpa); err != nil {
-		return nil, fmt.Errorf("error unmarshaling patched HorizontalPodAutoscaler: %w", err)
-	}
-
-	return &patchedHpa, nil
-}
-
 // ApplyMergePatch applies a merge patch to a PodDisruptionBudget based on the merge type
 func (pdb *KubernetesPodDisruptionBudgetSpec) ApplyMergePatch(old *policyv1.PodDisruptionBudget) (*policyv1.PodDisruptionBudget, error) {
 	if pdb.Patch == nil {

@@ -51,15 +51,6 @@ type GlobalRateLimit struct {
 	//
 	// +kubebuilder:validation:MaxItems=64
 	Rules []RateLimitRule `json:"rules"`
-
-	// Shared determines whether the rate limit rules apply across all the policy targets.
-	// If set to true, the rule is treated as a common bucket and is shared across all policy targets (xRoutes).
-	// Default: false.
-	//
-	// +optional
-	// +notImplementedHide
-	// +kubebuilder:default=false
-	Shared *bool `json:"shared,omitempty"`
 }
 
 // LocalRateLimit defines local rate limit configuration.
@@ -108,6 +99,12 @@ type RateLimitRule struct {
 	//
 	// +optional
 	Cost *RateLimitCost `json:"cost,omitempty"`
+	// Shared determines whether this rate limit rule applies across all the policy targets.
+	// If set to true, the rule is treated as a common bucket and is shared across all policy targets (xRoutes).
+	// Default: false.
+	//
+	// +optional
+	Shared *bool `json:"shared,omitempty"`
 }
 
 type RateLimitCost struct {