diff --git a/internal/cmd/egctl/testdata/translate/out/default-resources.all.yaml b/internal/cmd/egctl/testdata/translate/out/default-resources.all.yaml index e1c8190985..d32896c2c4 100644 --- a/internal/cmd/egctl/testdata/translate/out/default-resources.all.yaml +++ b/internal/cmd/egctl/testdata/translate/out/default-resources.all.yaml @@ -152,44 +152,6 @@ envoyProxyForGatewayClass: path_config_source: path: /sds/xds-trusted-ca.json resource_api_version: V3 - - name: wasm_cluster - type: STRICT_DNS - connect_timeout: 10s - load_assignment: - cluster_name: wasm_cluster - endpoints: - - load_balancing_weight: 1 - lb_endpoints: - - load_balancing_weight: 1 - endpoint: - address: - socket_address: - address: envoy-gateway - port_value: 18002 - typed_extension_protocol_options: - envoy.extensions.upstreams.http.v3.HttpProtocolOptions: - "@type": "type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions" - explicit_http_config: - http2_protocol_options: {} - transport_socket: - name: envoy.transport_sockets.tls - typed_config: - "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext - common_tls_context: - tls_params: - tls_maximum_protocol_version: TLSv1_3 - tls_certificate_sds_secret_configs: - - name: xds_certificate - sds_config: - path_config_source: - path: /sds/xds-certificate.json - resource_api_version: V3 - validation_context_sds_secret_config: - name: xds_trusted_ca - sds_config: - path_config_source: - path: /sds/xds-trusted-ca.json - resource_api_version: V3 overload_manager: refresh_interval: 0.25s resource_monitors: 
@@ -701,44 +663,6 @@ xds: connectionKeepalive: interval: 30s timeout: 5s - - connectTimeout: 10s - loadAssignment: - clusterName: wasm_cluster - endpoints: - - lbEndpoints: - - endpoint: - address: - socketAddress: - address: envoy-gateway - portValue: 18002 - loadBalancingWeight: 1 - loadBalancingWeight: 1 - name: wasm_cluster - transportSocket: - name: envoy.transport_sockets.tls - typedConfig: - '@type': type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext - commonTlsContext: - tlsCertificateSdsSecretConfigs: - - name: xds_certificate - sdsConfig: - pathConfigSource: - path: /sds/xds-certificate.json - resourceApiVersion: V3 - tlsParams: - tlsMaximumProtocolVersion: TLSv1_3 - validationContextSdsSecretConfig: - name: xds_trusted_ca - sdsConfig: - pathConfigSource: - path: /sds/xds-trusted-ca.json - resourceApiVersion: V3 - type: STRICT_DNS - typedExtensionProtocolOptions: - envoy.extensions.upstreams.http.v3.HttpProtocolOptions: - '@type': type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions - explicitHttpConfig: - http2ProtocolOptions: {} listeners: - address: socketAddress: diff --git a/internal/cmd/egctl/testdata/translate/out/from-gateway-api-to-xds.all.json b/internal/cmd/egctl/testdata/translate/out/from-gateway-api-to-xds.all.json index ac020e294a..3d2e1433e4 100644 --- a/internal/cmd/egctl/testdata/translate/out/from-gateway-api-to-xds.all.json +++ b/internal/cmd/egctl/testdata/translate/out/from-gateway-api-to-xds.all.json 
@@ -200,71 +200,6 @@ } } } - }, - { - "connectTimeout": "10s", - "loadAssignment": { - "clusterName": "wasm_cluster", - "endpoints": [ - { - "lbEndpoints": [ - { - "endpoint": { - "address": { - "socketAddress": { - "address": "envoy-gateway", - "portValue": 18002 - } - } - }, - "loadBalancingWeight": 1 - } - ], - "loadBalancingWeight": 1 - } - ] - }, - "name": "wasm_cluster", - "transportSocket": { - "name": "envoy.transport_sockets.tls", - "typedConfig": { - "@type": "type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext", - "commonTlsContext": { - "tlsCertificateSdsSecretConfigs": [ - { - "name": "xds_certificate", - "sdsConfig": { - "pathConfigSource": { - "path": "/sds/xds-certificate.json" - }, - "resourceApiVersion": "V3" - } - } - ], - "tlsParams": { - "tlsMaximumProtocolVersion": "TLSv1_3" - }, - "validationContextSdsSecretConfig": { - "name": "xds_trusted_ca", - "sdsConfig": { - "pathConfigSource": { - "path": "/sds/xds-trusted-ca.json" - }, - "resourceApiVersion": "V3" - } - } - } - } - }, - "type": "STRICT_DNS", - "typedExtensionProtocolOptions": { - "envoy.extensions.upstreams.http.v3.HttpProtocolOptions": { - "@type": "type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions", - "explicitHttpConfig": { - "http2ProtocolOptions": {} - } - } - } } ], "listeners": [ diff --git a/internal/cmd/egctl/testdata/translate/out/from-gateway-api-to-xds.all.yaml b/internal/cmd/egctl/testdata/translate/out/from-gateway-api-to-xds.all.yaml index c8ddd01d8b..ef19b7dd56 100644 --- a/internal/cmd/egctl/testdata/translate/out/from-gateway-api-to-xds.all.yaml +++ b/internal/cmd/egctl/testdata/translate/out/from-gateway-api-to-xds.all.yaml 
@@ -117,44 +117,6 @@ xds: connectionKeepalive: interval: 30s timeout: 5s - - connectTimeout: 10s - loadAssignment: - clusterName: wasm_cluster - endpoints: - - lbEndpoints: - - endpoint: - address: - socketAddress: - address: envoy-gateway - portValue: 18002 - loadBalancingWeight: 1 - loadBalancingWeight: 1 - name: wasm_cluster - transportSocket: - name: envoy.transport_sockets.tls - typedConfig: - '@type': type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext - commonTlsContext: - tlsCertificateSdsSecretConfigs: - - name: xds_certificate - sdsConfig: - pathConfigSource: - path: /sds/xds-certificate.json - resourceApiVersion: V3 - tlsParams: - tlsMaximumProtocolVersion: TLSv1_3 - validationContextSdsSecretConfig: - name: xds_trusted_ca - sdsConfig: - pathConfigSource: - path: /sds/xds-trusted-ca.json - resourceApiVersion: V3 - type: STRICT_DNS - typedExtensionProtocolOptions: - envoy.extensions.upstreams.http.v3.HttpProtocolOptions: - '@type': type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions - explicitHttpConfig: - http2ProtocolOptions: {} listeners: - address: socketAddress: diff --git a/internal/cmd/egctl/testdata/translate/out/from-gateway-api-to-xds.bootstrap.yaml b/internal/cmd/egctl/testdata/translate/out/from-gateway-api-to-xds.bootstrap.yaml index c5d4d53086..6dcc5612c9 100644 --- a/internal/cmd/egctl/testdata/translate/out/from-gateway-api-to-xds.bootstrap.yaml +++ b/internal/cmd/egctl/testdata/translate/out/from-gateway-api-to-xds.bootstrap.yaml 
@@ -116,44 +116,6 @@ xds: connectionKeepalive: interval: 30s timeout: 5s - - connectTimeout: 10s - loadAssignment: - clusterName: wasm_cluster - endpoints: - - lbEndpoints: - - endpoint: - address: - socketAddress: - address: envoy-gateway - portValue: 18002 - loadBalancingWeight: 1 - loadBalancingWeight: 1 - name: wasm_cluster - transportSocket: - name: envoy.transport_sockets.tls - typedConfig: - '@type': type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext - commonTlsContext: - tlsCertificateSdsSecretConfigs: - - name: xds_certificate - sdsConfig: - pathConfigSource: - path: /sds/xds-certificate.json - resourceApiVersion: V3 - tlsParams: - tlsMaximumProtocolVersion: TLSv1_3 - validationContextSdsSecretConfig: - name: xds_trusted_ca - sdsConfig: - pathConfigSource: - path: /sds/xds-trusted-ca.json - resourceApiVersion: V3 - type: STRICT_DNS - typedExtensionProtocolOptions: - envoy.extensions.upstreams.http.v3.HttpProtocolOptions: - '@type': type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions - explicitHttpConfig: - http2ProtocolOptions: {} listeners: - address: socketAddress: diff --git a/internal/cmd/egctl/testdata/translate/out/jwt-single-route-single-match-to-xds.all.json b/internal/cmd/egctl/testdata/translate/out/jwt-single-route-single-match-to-xds.all.json index b7051f5469..aacad63882 100644 --- a/internal/cmd/egctl/testdata/translate/out/jwt-single-route-single-match-to-xds.all.json +++ b/internal/cmd/egctl/testdata/translate/out/jwt-single-route-single-match-to-xds.all.json 
@@ -200,71 +200,6 @@ } } } - }, - { - "connectTimeout": "10s", - "loadAssignment": { - "clusterName": "wasm_cluster", - "endpoints": [ - { - "lbEndpoints": [ - { - "endpoint": { - "address": { - "socketAddress": { - "address": "envoy-gateway", - "portValue": 18002 - } - } - }, - "loadBalancingWeight": 1 - } - ], - "loadBalancingWeight": 1 - } - ] - }, - "name": "wasm_cluster", - "transportSocket": { - "name": "envoy.transport_sockets.tls", - "typedConfig": { - "@type": "type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext", - "commonTlsContext": { - "tlsCertificateSdsSecretConfigs": [ - { - "name": "xds_certificate", - "sdsConfig": { - "pathConfigSource": { - "path": "/sds/xds-certificate.json" - }, - "resourceApiVersion": "V3" - } - } - ], - "tlsParams": { - "tlsMaximumProtocolVersion": "TLSv1_3" - }, - "validationContextSdsSecretConfig": { - "name": "xds_trusted_ca", - "sdsConfig": { - "pathConfigSource": { - "path": "/sds/xds-trusted-ca.json" - }, - "resourceApiVersion": "V3" - } - } - } - } - }, - "type": "STRICT_DNS", - "typedExtensionProtocolOptions": { - "envoy.extensions.upstreams.http.v3.HttpProtocolOptions": { - "@type": "type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions", - "explicitHttpConfig": { - "http2ProtocolOptions": {} - } - } - } } ], "listeners": [ diff --git a/internal/cmd/egctl/testdata/translate/out/jwt-single-route-single-match-to-xds.all.yaml b/internal/cmd/egctl/testdata/translate/out/jwt-single-route-single-match-to-xds.all.yaml index f56c075117..899fefe9b5 100644 --- a/internal/cmd/egctl/testdata/translate/out/jwt-single-route-single-match-to-xds.all.yaml +++ b/internal/cmd/egctl/testdata/translate/out/jwt-single-route-single-match-to-xds.all.yaml 
@@ -117,44 +117,6 @@ xds: connectionKeepalive: interval: 30s timeout: 5s - - connectTimeout: 10s - loadAssignment: - clusterName: wasm_cluster - endpoints: - - lbEndpoints: - - endpoint: - address: - socketAddress: - address: envoy-gateway - portValue: 18002 - loadBalancingWeight: 1 - loadBalancingWeight: 1 - name: wasm_cluster - transportSocket: - name: envoy.transport_sockets.tls - typedConfig: - '@type': type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext - commonTlsContext: - tlsCertificateSdsSecretConfigs: - - name: xds_certificate - sdsConfig: - pathConfigSource: - path: /sds/xds-certificate.json - resourceApiVersion: V3 - tlsParams: - tlsMaximumProtocolVersion: TLSv1_3 - validationContextSdsSecretConfig: - name: xds_trusted_ca - sdsConfig: - pathConfigSource: - path: /sds/xds-trusted-ca.json - resourceApiVersion: V3 - type: STRICT_DNS - typedExtensionProtocolOptions: - envoy.extensions.upstreams.http.v3.HttpProtocolOptions: - '@type': type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions - explicitHttpConfig: - http2ProtocolOptions: {} listeners: - address: socketAddress: diff --git a/internal/cmd/egctl/testdata/translate/out/jwt-single-route-single-match-to-xds.bootstrap.yaml b/internal/cmd/egctl/testdata/translate/out/jwt-single-route-single-match-to-xds.bootstrap.yaml index c48e13e175..c7675ded8b 100644 --- a/internal/cmd/egctl/testdata/translate/out/jwt-single-route-single-match-to-xds.bootstrap.yaml +++ b/internal/cmd/egctl/testdata/translate/out/jwt-single-route-single-match-to-xds.bootstrap.yaml 
@@ -116,44 +116,6 @@ xds: connectionKeepalive: interval: 30s timeout: 5s - - connectTimeout: 10s - loadAssignment: - clusterName: wasm_cluster - endpoints: - - lbEndpoints: - - endpoint: - address: - socketAddress: - address: envoy-gateway - portValue: 18002 - loadBalancingWeight: 1 - loadBalancingWeight: 1 - name: wasm_cluster - transportSocket: - name: envoy.transport_sockets.tls - typedConfig: - '@type': type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext - commonTlsContext: - tlsCertificateSdsSecretConfigs: - - name: xds_certificate - sdsConfig: - pathConfigSource: - path: /sds/xds-certificate.json - resourceApiVersion: V3 - tlsParams: - tlsMaximumProtocolVersion: TLSv1_3 - validationContextSdsSecretConfig: - name: xds_trusted_ca - sdsConfig: - pathConfigSource: - path: /sds/xds-trusted-ca.json - resourceApiVersion: V3 - type: STRICT_DNS - typedExtensionProtocolOptions: - envoy.extensions.upstreams.http.v3.HttpProtocolOptions: - '@type': type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions - explicitHttpConfig: - http2ProtocolOptions: {} listeners: - address: socketAddress: diff --git a/internal/cmd/egctl/testdata/translate/out/no-service-cluster-ip.all.yaml b/internal/cmd/egctl/testdata/translate/out/no-service-cluster-ip.all.yaml index b3e3bda8c0..da32fd6a55 100644 --- a/internal/cmd/egctl/testdata/translate/out/no-service-cluster-ip.all.yaml +++ b/internal/cmd/egctl/testdata/translate/out/no-service-cluster-ip.all.yaml 
@@ -117,44 +117,6 @@ xds: connectionKeepalive: interval: 30s timeout: 5s - - connectTimeout: 10s - loadAssignment: - clusterName: wasm_cluster - endpoints: - - lbEndpoints: - - endpoint: - address: - socketAddress: - address: envoy-gateway - portValue: 18002 - loadBalancingWeight: 1 - loadBalancingWeight: 1 - name: wasm_cluster - transportSocket: - name: envoy.transport_sockets.tls - typedConfig: - '@type': type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext - commonTlsContext: - tlsCertificateSdsSecretConfigs: - - name: xds_certificate - sdsConfig: - pathConfigSource: - path: /sds/xds-certificate.json - resourceApiVersion: V3 - tlsParams: - tlsMaximumProtocolVersion: TLSv1_3 - validationContextSdsSecretConfig: - name: xds_trusted_ca - sdsConfig: - pathConfigSource: - path: /sds/xds-trusted-ca.json - resourceApiVersion: V3 - type: STRICT_DNS - typedExtensionProtocolOptions: - envoy.extensions.upstreams.http.v3.HttpProtocolOptions: - '@type': type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions - explicitHttpConfig: - http2ProtocolOptions: {} listeners: - address: socketAddress: diff --git a/internal/gatewayapi/globalresources.go b/internal/gatewayapi/globalresources.go index f3488ecf19..ce252f75a5 100644 --- a/internal/gatewayapi/globalresources.go +++ b/internal/gatewayapi/globalresources.go @@ -27,8 +27,7 @@ func (t *Translator) ProcessGlobalResources(resources *resource.Resources, xdsIR } for _, xdsIR := range xdsIRs { - // TODO zhaohuabing: this is also required by WASM - if containsGlobalRateLimit(xdsIR.HTTP) { + if containsGlobalRateLimit(xdsIR.HTTP) || containsWasm(xdsIR.HTTP) { xdsIR.GlobalResources = &ir.GlobalResources{} xdsIR.GlobalResources.EnvoyClientCertificate = &ir.TLSCertificate{ Name: irGlobalConfigName(envoyTLSSecret), 
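Review bot: The widened condition `if containsGlobalRateLimit(xdsIR.HTTP) || containsWasm(xdsIR.HTTP) {` in ProcessGlobalResources no longer says why a Wasm route needs the Envoy client certificate, because the removed TODO was the only hint. A comment above the `if` would restore that, for example `// Envoy presents this client certificate to the rate limit service and, presumably, when fetching Wasm code from Envoy Gateway.` with the second half confirmed by the author. Since `EnvoyClientCertificate` and its private key now ride along in more xdsIRs, it is worth confirming that every path that logs or dumps the IR redacts the key, as the golden files in this commit do with `privateKey: '[redacted]'`. The function body starts and ends outside this hunk.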
@@ -56,3 +55,15 @@ func containsGlobalRateLimit(httpListeners []*ir.HTTPListener) bool { } return false } + +func containsWasm(httpListeners []*ir.HTTPListener) bool { + for _, httpListener := range httpListeners { + for _, route := range httpListener.Routes { + if route.EnvoyExtensions != nil && + len(route.EnvoyExtensions.Wasms) > 0 { + return true + } + } + } + return false +} diff --git a/internal/gatewayapi/runner/runner.go b/internal/gatewayapi/runner/runner.go index 1a8e3b00e3..68b30e9e99 100644 --- a/internal/gatewayapi/runner/runner.go +++ b/internal/gatewayapi/runner/runner.go @@ -119,7 +119,7 @@ func (r *Runner) startWasmCache(ctx context.Context) { Salt: salt, TLSConfig: tlsConfig, }, - cacheOption, r.Logger) + cacheOption, r.ControllerNamespace, r.Logger) r.wasmCache.Start(ctx) } diff --git a/internal/gatewayapi/testdata/custom-filter-order.out.yaml b/internal/gatewayapi/testdata/custom-filter-order.out.yaml index 74f368ed3f..5f296e4351 100644 --- a/internal/gatewayapi/testdata/custom-filter-order.out.yaml +++ b/internal/gatewayapi/testdata/custom-filter-order.out.yaml 
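Review bot: The new `containsWasm` has no doc comment, and it reads `httpListener.Routes` and `route.EnvoyExtensions` without checking that the listener or route pointer itself is non-nil. I would add `// containsWasm reports whether any route on the given HTTP listeners has at least one Wasm extension.` and, if these slices can ever hold nil entries, a guard such as `if route == nil { continue }` inside the inner loop. The check only inspects routes; if Wasm can be configured anywhere else in the IR, those cases would not get the client certificate, which cannot be confirmed from this hunk.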
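Review bot: Nothing visible at the `cacheOption, r.ControllerNamespace, r.Logger)` call in startWasmCache guards against an empty `r.ControllerNamespace`, and the namespace now becomes part of the host name Envoy uses to fetch Wasm code. The golden files in this commit show `https://envoy-gateway.envoy-gateway-system.svc.cluster.local:18002/...`, which suggests the `svc.cluster.local` suffix is fixed; the URL construction is outside this diff, so that is inferred. If so, a cluster with a custom DNS domain, or a run mode without a namespace, would yield a serving URL that does not resolve, and any host-name check on the server certificate would need this FQDN as a SAN. A comment at the call site such as `// ControllerNamespace forms the FQDN of the Wasm code server and must be non-empty` would document the requirement. The body of startWasmCache starts outside the hunk.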
@@ -225,6 +225,11 @@ xdsIR: name: envoy.filters.http.wasm - after: envoy.filters.http.basic_authn name: envoy.filters.http.cors + globalResources: + envoyClientCertificate: + name: envoy-gateway-system/envoy + privateKey: '[redacted]' + serverCertificate: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUREVENDQWZXZ0F3SUJBZ0lVRUZNaFA5ZUo5WEFCV3NRNVptNmJSazJjTE5Rd0RRWUpLb1pJaHZjTkFRRUwKQlFBd0ZqRVVNQklHQTFVRUF3d0xabTl2TG1KaGNpNWpiMjB3SGhjTk1qUXdNakk1TURrek1ERXdXaGNOTXpRdwpNakkyTURrek1ERXdXakFXTVJRd0VnWURWUVFEREF0bWIyOHVZbUZ5TG1OdmJUQ0NBU0l3RFFZSktvWklodmNOCkFRRUJCUUFEZ2dFUEFEQ0NBUW9DZ2dFQkFKbEk2WXhFOVprQ1BzNnBDUXhickNtZWl4OVA1RGZ4OVJ1NUxENFQKSm1kVzdJS2R0UVYvd2ZMbXRzdTc2QithVGRDaldlMEJUZmVPT1JCYlIzY1BBRzZFbFFMaWNsUVVydW4zcStncwpKcEsrSTdjSStqNXc4STY4WEg1V1E3clZVdGJ3SHBxYncrY1ZuQnFJVU9MaUlhdGpJZjdLWDUxTTF1RjljZkVICkU0RG5jSDZyYnI1OS9SRlpCc2toeHM1T3p3Sklmb2hreXZGd2V1VHd4Sy9WcGpJKzdPYzQ4QUJDWHBOTzlEL3EKRWgrck9hdWpBTWNYZ0hRSVRrQ2lpVVRjVW82TFNIOXZMWlB0YXFmem9acTZuaE1xcFc2NUUxcEF3RjNqeVRUeAphNUk4SmNmU0Zqa2llWjIwTFVRTW43TThVNHhIamFvL2d2SDBDQWZkQjdSTFUyc0NBd0VBQWFOVE1GRXdIUVlEClZSME9CQllFRk9SQ0U4dS8xRERXN2loWnA3Y3g5dFNtUG02T01COEdBMVVkSXdRWU1CYUFGT1JDRTh1LzFERFcKN2loWnA3Y3g5dFNtUG02T01BOEdBMVVkRXdFQi93UUZNQU1CQWY4d0RRWUpLb1pJaHZjTkFRRUxCUUFEZ2dFQgpBRnQ1M3pqc3FUYUg1YThFMmNodm1XQWdDcnhSSzhiVkxNeGl3TkdqYm1FUFJ6K3c2TngrazBBOEtFY0lEc0tjClNYY2k1OHU0b1didFZKQmx6YS9adWpIUjZQMUJuT3BsK2FveTc4NGJiZDRQMzl3VExvWGZNZmJCQ20xdmV2aDkKQUpLbncyWnRxcjRta2JMY3hFcWxxM3NCTEZBUzlzUUxuS05DZTJjR0xkVHAyYm9HK3FjZ3lRZ0NJTTZmOEVNdgpXUGlmQ01NR3V6Sy9HUkY0YlBPL1lGNDhld0R1M1VlaWgwWFhkVUFPRTlDdFVhOE5JaGMxVVBhT3pQcnRZVnFyClpPR2t2L0t1K0I3OGg4U0VzTzlYclFjdXdiT25KeDZLdFIrYWV5a3ZBcFhDUTNmWkMvYllLQUFSK1A4QUpvUVoKYndJVW1YaTRnajVtK2JLUGhlK2lyK0U9Ci0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0= http: - address: 0.0.0.0 hostnames: 
@@ -270,7 +275,7 @@ xdsIR: failOpen: false httpWasmCode: originalDownloadingURL: https://www.example.com/wasm-filter-1.wasm - servingURL: https://envoy-gateway:18002/5c90b9a82642ce00a7753923fabead306b9d9a54a7c0bd2463a1af3efcfb110b.wasm + servingURL: https://envoy-gateway.envoy-gateway-system.svc.cluster.local:18002/5c90b9a82642ce00a7753923fabead306b9d9a54a7c0bd2463a1af3efcfb110b.wasm sha256: 2d89c4c6ab2a1c615c7696ed37ade9e50654ac70384b5d45100eb08e62130ff4 name: envoyextensionpolicy/envoy-gateway/policy-for-gateway/wasm/0 wasmName: wasm-filter-1 @@ -280,7 +285,7 @@ xdsIR: failOpen: false httpWasmCode: originalDownloadingURL: https://www.example.com/wasm-filter-2.wasm - servingURL: https://envoy-gateway:18002/593e4cc60a7e0fa4d4f86531a5e20e785213a52000f056a7a8b5c5afcb908052.wasm + servingURL: https://envoy-gateway.envoy-gateway-system.svc.cluster.local:18002/593e4cc60a7e0fa4d4f86531a5e20e785213a52000f056a7a8b5c5afcb908052.wasm sha256: 84274ca23246855cc491b3c6a657a89167e0b109a7ae380f1e64df77c910307e name: envoyextensionpolicy/envoy-gateway/policy-for-gateway/wasm/1 wasmName: wasm-filter-2 diff --git a/internal/gatewayapi/testdata/envoyextensionpolicy-with-wasm-env-vars.out.yaml b/internal/gatewayapi/testdata/envoyextensionpolicy-with-wasm-env-vars.out.yaml index 5b8e5e9cd5..bf0348a823 100644 --- a/internal/gatewayapi/testdata/envoyextensionpolicy-with-wasm-env-vars.out.yaml +++ b/internal/gatewayapi/testdata/envoyextensionpolicy-with-wasm-env-vars.out.yaml @@ -239,6 +239,11 @@ xdsIR: accessLog: json: - path: /dev/stdout + globalResources: + envoyClientCertificate: + name: envoy-gateway-system/envoy + privateKey: '[redacted]' + serverCertificate: 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 http: - address: 0.0.0.0 hostnames: 
@@ -282,7 +287,7 @@ xdsIR: - ANOTHER_KEY httpWasmCode: originalDownloadingURL: https://www.test.com/wasm-filter-4.wasm - servingURL: https://envoy-gateway:18002/fe571e7b1ef5dc626ceb2c2c86782a134a92989a2643485238951696ae4334c3.wasm + servingURL: https://envoy-gateway.envoy-gateway-system.svc.cluster.local:18002/fe571e7b1ef5dc626ceb2c2c86782a134a92989a2643485238951696ae4334c3.wasm sha256: b6922722ab58109abfaa8d9eb16f339b38b2bb1c17076b083b34438b934e7463 name: envoyextensionpolicy/default/policy-for-http-route/wasm/0 wasmName: wasm-filter-4 @@ -324,7 +329,7 @@ xdsIR: - ANOTHER_KEY httpWasmCode: originalDownloadingURL: https://www.example.com/wasm-filter-1.wasm - servingURL: https://envoy-gateway:18002/5c90b9a82642ce00a7753923fabead306b9d9a54a7c0bd2463a1af3efcfb110b.wasm + servingURL: https://envoy-gateway.envoy-gateway-system.svc.cluster.local:18002/5c90b9a82642ce00a7753923fabead306b9d9a54a7c0bd2463a1af3efcfb110b.wasm sha256: 2d89c4c6ab2a1c615c7696ed37ade9e50654ac70384b5d45100eb08e62130ff4 name: envoyextensionpolicy/envoy-gateway/policy-for-gateway/wasm/0 wasmName: wasm-filter-1 @@ -335,7 +340,7 @@ xdsIR: - ANOTHER_KEY httpWasmCode: originalDownloadingURL: oci://www.example.com/wasm-filter-2:v1.0.0 - servingURL: https://envoy-gateway:18002/7abf116e5cd5a20389604a5ba0f3bd04fdf76f92181fe67506b42c2ee596d3fd.wasm + servingURL: https://envoy-gateway.envoy-gateway-system.svc.cluster.local:18002/7abf116e5cd5a20389604a5ba0f3bd04fdf76f92181fe67506b42c2ee596d3fd.wasm sha256: 314100af781b98a8ca175d5bf90a8bf76576e20a2f397a88223404edc6ebfd46 name: envoyextensionpolicy/envoy-gateway/policy-for-gateway/wasm/1 rootID: my-root-id 
@@ -344,7 +349,7 @@ xdsIR: failOpen: false httpWasmCode: originalDownloadingURL: oci://www.example.com:8080/wasm-filter-3:latest - servingURL: https://envoy-gateway:18002/42d30b4a4cc631415e6e48c02d244700da327201eb273f752cacf745715b31d9.wasm + servingURL: https://envoy-gateway.envoy-gateway-system.svc.cluster.local:18002/42d30b4a4cc631415e6e48c02d244700da327201eb273f752cacf745715b31d9.wasm sha256: 2a19e4f337e5223d7287e7fccd933fb01905deaff804292e5257f8c681b82bee name: envoyextensionpolicy/envoy-gateway/policy-for-gateway/wasm/2 wasmName: envoyextensionpolicy/envoy-gateway/policy-for-gateway/wasm/2 diff --git a/internal/gatewayapi/testdata/envoyextensionpolicy-with-wasm-targetrefs.out.yaml b/internal/gatewayapi/testdata/envoyextensionpolicy-with-wasm-targetrefs.out.yaml index 3a4d9ace19..3f466ec0e6 100644 --- a/internal/gatewayapi/testdata/envoyextensionpolicy-with-wasm-targetrefs.out.yaml +++ b/internal/gatewayapi/testdata/envoyextensionpolicy-with-wasm-targetrefs.out.yaml @@ -207,6 +207,11 @@ xdsIR: accessLog: json: - path: /dev/stdout + globalResources: + envoyClientCertificate: + name: envoy-gateway-system/envoy + privateKey: '[redacted]' + serverCertificate: 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 http: - address: 0.0.0.0 hostnames: @@ -252,7 +257,7 @@ xdsIR: failOpen: false httpWasmCode: originalDownloadingURL: https://www.example.com/wasm-filter-1.wasm - servingURL: https://envoy-gateway:18002/5c90b9a82642ce00a7753923fabead306b9d9a54a7c0bd2463a1af3efcfb110b.wasm + servingURL: https://envoy-gateway.envoy-gateway-system.svc.cluster.local:18002/5c90b9a82642ce00a7753923fabead306b9d9a54a7c0bd2463a1af3efcfb110b.wasm sha256: 2d89c4c6ab2a1c615c7696ed37ade9e50654ac70384b5d45100eb08e62130ff4 name: envoyextensionpolicy/envoy-gateway/policy-for-gateway/wasm/0 wasmName: wasm-filter-1 
@@ -262,7 +267,7 @@ xdsIR: failOpen: false httpWasmCode: originalDownloadingURL: https://www.example.com/wasm-filter-2.wasm - servingURL: https://envoy-gateway:18002/593e4cc60a7e0fa4d4f86531a5e20e785213a52000f056a7a8b5c5afcb908052.wasm + servingURL: https://envoy-gateway.envoy-gateway-system.svc.cluster.local:18002/593e4cc60a7e0fa4d4f86531a5e20e785213a52000f056a7a8b5c5afcb908052.wasm sha256: 84274ca23246855cc491b3c6a657a89167e0b109a7ae380f1e64df77c910307e name: envoyextensionpolicy/envoy-gateway/policy-for-gateway/wasm/1 wasmName: wasm-filter-2 @@ -306,7 +311,7 @@ xdsIR: failOpen: false httpWasmCode: originalDownloadingURL: https://www.example.com/wasm-filter-1.wasm - servingURL: https://envoy-gateway:18002/5c90b9a82642ce00a7753923fabead306b9d9a54a7c0bd2463a1af3efcfb110b.wasm + servingURL: https://envoy-gateway.envoy-gateway-system.svc.cluster.local:18002/5c90b9a82642ce00a7753923fabead306b9d9a54a7c0bd2463a1af3efcfb110b.wasm sha256: 2d89c4c6ab2a1c615c7696ed37ade9e50654ac70384b5d45100eb08e62130ff4 name: envoyextensionpolicy/envoy-gateway/policy-for-gateway/wasm/0 wasmName: wasm-filter-1 @@ -316,7 +321,7 @@ xdsIR: failOpen: false httpWasmCode: originalDownloadingURL: https://www.example.com/wasm-filter-2.wasm - servingURL: https://envoy-gateway:18002/593e4cc60a7e0fa4d4f86531a5e20e785213a52000f056a7a8b5c5afcb908052.wasm + servingURL: https://envoy-gateway.envoy-gateway-system.svc.cluster.local:18002/593e4cc60a7e0fa4d4f86531a5e20e785213a52000f056a7a8b5c5afcb908052.wasm sha256: 84274ca23246855cc491b3c6a657a89167e0b109a7ae380f1e64df77c910307e name: envoyextensionpolicy/envoy-gateway/policy-for-gateway/wasm/1 wasmName: wasm-filter-2 diff --git a/internal/gatewayapi/testdata/envoyextensionpolicy-with-wasm.out.yaml b/internal/gatewayapi/testdata/envoyextensionpolicy-with-wasm.out.yaml index a24f788861..4ffdf9d4f5 100644 --- a/internal/gatewayapi/testdata/envoyextensionpolicy-with-wasm.out.yaml +++ b/internal/gatewayapi/testdata/envoyextensionpolicy-with-wasm.out.yaml 
@@ -241,6 +241,11 @@ xdsIR: accessLog: json: - path: /dev/stdout + globalResources: + envoyClientCertificate: + name: envoy-gateway-system/envoy + privateKey: '[redacted]' + serverCertificate: 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 http: - address: 0.0.0.0 hostnames: @@ -286,7 +291,7 @@ xdsIR: failOpen: true httpWasmCode: originalDownloadingURL: https://www.test.com/wasm-filter-4.wasm - servingURL: https://envoy-gateway:18002/fe571e7b1ef5dc626ceb2c2c86782a134a92989a2643485238951696ae4334c3.wasm + servingURL: https://envoy-gateway.envoy-gateway-system.svc.cluster.local:18002/fe571e7b1ef5dc626ceb2c2c86782a134a92989a2643485238951696ae4334c3.wasm sha256: b6922722ab58109abfaa8d9eb16f339b38b2bb1c17076b083b34438b934e7463 name: envoyextensionpolicy/default/policy-for-http-route/wasm/0 wasmName: wasm-filter-4 @@ -329,7 +334,7 @@ xdsIR: failOpen: false httpWasmCode: originalDownloadingURL: https://www.example.com/wasm-filter-1.wasm - servingURL: https://envoy-gateway:18002/5c90b9a82642ce00a7753923fabead306b9d9a54a7c0bd2463a1af3efcfb110b.wasm + servingURL: https://envoy-gateway.envoy-gateway-system.svc.cluster.local:18002/5c90b9a82642ce00a7753923fabead306b9d9a54a7c0bd2463a1af3efcfb110b.wasm sha256: 2d89c4c6ab2a1c615c7696ed37ade9e50654ac70384b5d45100eb08e62130ff4 name: envoyextensionpolicy/envoy-gateway/policy-for-gateway/wasm/0 wasmName: wasm-filter-1 @@ -339,7 +344,7 @@ xdsIR: failOpen: false httpWasmCode: originalDownloadingURL: oci://www.example.com/wasm-filter-2:v1.0.0 - servingURL: https://envoy-gateway:18002/7abf116e5cd5a20389604a5ba0f3bd04fdf76f92181fe67506b42c2ee596d3fd.wasm + servingURL: https://envoy-gateway.envoy-gateway-system.svc.cluster.local:18002/7abf116e5cd5a20389604a5ba0f3bd04fdf76f92181fe67506b42c2ee596d3fd.wasm sha256: 314100af781b98a8ca175d5bf90a8bf76576e20a2f397a88223404edc6ebfd46 name: envoyextensionpolicy/envoy-gateway/policy-for-gateway/wasm/1 rootID: my-root-id 
@@ -348,7 +353,7 @@ xdsIR: failOpen: false httpWasmCode: originalDownloadingURL: oci://www.example.com:8080/wasm-filter-3:latest - servingURL: https://envoy-gateway:18002/42d30b4a4cc631415e6e48c02d244700da327201eb273f752cacf745715b31d9.wasm + servingURL: https://envoy-gateway.envoy-gateway-system.svc.cluster.local:18002/42d30b4a4cc631415e6e48c02d244700da327201eb273f752cacf745715b31d9.wasm sha256: 2a19e4f337e5223d7287e7fccd933fb01905deaff804292e5257f8c681b82bee name: envoyextensionpolicy/envoy-gateway/policy-for-gateway/wasm/2 wasmName: envoyextensionpolicy/envoy-gateway/policy-for-gateway/wasm/2 diff --git a/internal/gatewayapi/translator_test.go b/internal/gatewayapi/translator_test.go index bcbf93ab64..33828b120f 100644 --- a/internal/gatewayapi/translator_test.go +++ b/internal/gatewayapi/translator_test.go @@ -880,7 +880,7 @@ func (m *mockWasmCache) Get(downloadURL string, options wasm.GetOptions) (url, c if options.Checksum != "" && checksum != options.Checksum { return "", "", fmt.Errorf("module downloaded from %v has checksum %v, which does not match: %v", downloadURL, checksum, options.Checksum) } - return fmt.Sprintf("https://envoy-gateway:18002/%s.wasm", hashedName), checksum, nil + return fmt.Sprintf("https://envoy-gateway.envoy-gateway-system.svc.cluster.local:18002/%s.wasm", hashedName), checksum, nil } func (m *mockWasmCache) Cleanup() {} diff --git a/internal/infrastructure/host/proxy_infra.go b/internal/infrastructure/host/proxy_infra.go index 42d2a2b69e..f384b6854e 100644 --- a/internal/infrastructure/host/proxy_infra.go +++ b/internal/infrastructure/host/proxy_infra.go @@ -69,7 +69,6 @@ func (i *Infra) CreateOrUpdateProxyInfra(ctx context.Context, infra *ir.Infra) e TrustedCA: filepath.Join(i.sdsConfigPath, common.SdsCAFilename), }, XdsServerHost: ptr.To("0.0.0.0"), - WasmServerPort: ptr.To(int32(0)), AdminServerPort: ptr.To(int32(0)), StatsServerPort: ptr.To(int32(0)), } 
diff --git a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/custom.yaml b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/custom.yaml index e2bf60ecbd..490b8516fb 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/custom.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/custom.yaml @@ -181,44 +181,6 @@ spec: path_config_source: path: /sds/xds-trusted-ca.json resource_api_version: V3 - - name: wasm_cluster - type: STRICT_DNS - connect_timeout: 10s - load_assignment: - cluster_name: wasm_cluster - endpoints: - - load_balancing_weight: 1 - lb_endpoints: - - load_balancing_weight: 1 - endpoint: - address: - socket_address: - address: envoy-gateway - port_value: 18002 - typed_extension_protocol_options: - envoy.extensions.upstreams.http.v3.HttpProtocolOptions: - "@type": "type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions" - explicit_http_config: - http2_protocol_options: {} - transport_socket: - name: envoy.transport_sockets.tls - typed_config: - "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext - common_tls_context: - tls_params: - tls_maximum_protocol_version: TLSv1_3 - tls_certificate_sds_secret_configs: - - name: xds_certificate - sds_config: - path_config_source: - path: /sds/xds-certificate.json - resource_api_version: V3 - validation_context_sds_secret_config: - name: xds_trusted_ca - sds_config: - path_config_source: - path: /sds/xds-trusted-ca.json - resource_api_version: V3 overload_manager: refresh_interval: 0.25s resource_monitors: diff --git a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/default-env.yaml b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/default-env.yaml index 8a48907a49..f2a9ac4af0 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/default-env.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/default-env.yaml 
@@ -180,44 +180,6 @@ spec: path_config_source: path: /sds/xds-trusted-ca.json resource_api_version: V3 - - name: wasm_cluster - type: STRICT_DNS - connect_timeout: 10s - load_assignment: - cluster_name: wasm_cluster - endpoints: - - load_balancing_weight: 1 - lb_endpoints: - - load_balancing_weight: 1 - endpoint: - address: - socket_address: - address: envoy-gateway - port_value: 18002 - typed_extension_protocol_options: - envoy.extensions.upstreams.http.v3.HttpProtocolOptions: - "@type": "type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions" - explicit_http_config: - http2_protocol_options: {} - transport_socket: - name: envoy.transport_sockets.tls - typed_config: - "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext - common_tls_context: - tls_params: - tls_maximum_protocol_version: TLSv1_3 - tls_certificate_sds_secret_configs: - - name: xds_certificate - sds_config: - path_config_source: - path: /sds/xds-certificate.json - resource_api_version: V3 - validation_context_sds_secret_config: - name: xds_trusted_ca - sds_config: - path_config_source: - path: /sds/xds-trusted-ca.json - resource_api_version: V3 overload_manager: refresh_interval: 0.25s resource_monitors: diff --git a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/default.yaml b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/default.yaml index a0d8a65c58..e76912906e 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/default.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/default.yaml 
@@ -180,44 +180,6 @@ spec: path_config_source: path: /sds/xds-trusted-ca.json resource_api_version: V3 - - name: wasm_cluster - type: STRICT_DNS - connect_timeout: 10s - load_assignment: - cluster_name: wasm_cluster - endpoints: - - load_balancing_weight: 1 - lb_endpoints: - - load_balancing_weight: 1 - endpoint: - address: - socket_address: - address: envoy-gateway - port_value: 18002 - typed_extension_protocol_options: - envoy.extensions.upstreams.http.v3.HttpProtocolOptions: - "@type": "type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions" - explicit_http_config: - http2_protocol_options: {} - transport_socket: - name: envoy.transport_sockets.tls - typed_config: - "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext - common_tls_context: - tls_params: - tls_maximum_protocol_version: TLSv1_3 - tls_certificate_sds_secret_configs: - - name: xds_certificate - sds_config: - path_config_source: - path: /sds/xds-certificate.json - resource_api_version: V3 - validation_context_sds_secret_config: - name: xds_trusted_ca - sds_config: - path_config_source: - path: /sds/xds-trusted-ca.json - resource_api_version: V3 overload_manager: refresh_interval: 0.25s resource_monitors: diff --git a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/disable-prometheus.yaml b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/disable-prometheus.yaml index 74d237770a..9d28c2438c 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/disable-prometheus.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/disable-prometheus.yaml 
@@ -129,44 +129,6 @@ spec: path_config_source: path: /sds/xds-trusted-ca.json resource_api_version: V3 - - name: wasm_cluster - type: STRICT_DNS - connect_timeout: 10s - load_assignment: - cluster_name: wasm_cluster - endpoints: - - load_balancing_weight: 1 - lb_endpoints: - - load_balancing_weight: 1 - endpoint: - address: - socket_address: - address: envoy-gateway - port_value: 18002 - typed_extension_protocol_options: - envoy.extensions.upstreams.http.v3.HttpProtocolOptions: - "@type": "type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions" - explicit_http_config: - http2_protocol_options: {} - transport_socket: - name: envoy.transport_sockets.tls - typed_config: - "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext - common_tls_context: - tls_params: - tls_maximum_protocol_version: TLSv1_3 - tls_certificate_sds_secret_configs: - - name: xds_certificate - sds_config: - path_config_source: - path: /sds/xds-certificate.json - resource_api_version: V3 - validation_context_sds_secret_config: - name: xds_trusted_ca - sds_config: - path_config_source: - path: /sds/xds-trusted-ca.json - resource_api_version: V3 overload_manager: refresh_interval: 0.25s resource_monitors: diff --git a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/extension-env.yaml b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/extension-env.yaml index 566555ed15..47d98de044 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/extension-env.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/extension-env.yaml 
@@ -180,44 +180,6 @@ spec: path_config_source: path: /sds/xds-trusted-ca.json resource_api_version: V3 - - name: wasm_cluster - type: STRICT_DNS - connect_timeout: 10s - load_assignment: - cluster_name: wasm_cluster - endpoints: - - load_balancing_weight: 1 - lb_endpoints: - - load_balancing_weight: 1 - endpoint: - address: - socket_address: - address: envoy-gateway - port_value: 18002 - typed_extension_protocol_options: - envoy.extensions.upstreams.http.v3.HttpProtocolOptions: - "@type": "type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions" - explicit_http_config: - http2_protocol_options: {} - transport_socket: - name: envoy.transport_sockets.tls - typed_config: - "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext - common_tls_context: - tls_params: - tls_maximum_protocol_version: TLSv1_3 - tls_certificate_sds_secret_configs: - - name: xds_certificate - sds_config: - path_config_source: - path: /sds/xds-certificate.json - resource_api_version: V3 - validation_context_sds_secret_config: - name: xds_trusted_ca - sds_config: - path_config_source: - path: /sds/xds-trusted-ca.json - resource_api_version: V3 overload_manager: refresh_interval: 0.25s resource_monitors: diff --git a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/gateway-namespace-mode.yaml b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/gateway-namespace-mode.yaml index 03c3ff4fcc..5e83597797 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/gateway-namespace-mode.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/gateway-namespace-mode.yaml 
@@ -193,52 +193,6 @@ spec: path_config_source: path: /sds/xds-trusted-ca.json resource_api_version: V3 - - name: wasm_cluster - type: STRICT_DNS - connect_timeout: 10s - load_assignment: - cluster_name: wasm_cluster - endpoints: - - load_balancing_weight: 1 - lb_endpoints: - - load_balancing_weight: 1 - endpoint: - address: - socket_address: - address: envoy-gateway - port_value: 18002 - typed_extension_protocol_options: - envoy.extensions.upstreams.http.v3.HttpProtocolOptions: - "@type": "type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions" - explicit_http_config: - http2_protocol_options: {} - http_filters: - - name: envoy.filters.http.credential_injector - typed_config: - "@type": type.googleapis.com/envoy.extensions.filters.http.credential_injector.v3.CredentialInjector - credential: - name: envoy.http.injected_credentials.generic - typed_config: - "@type": type.googleapis.com/envoy.extensions.http.injected_credentials.generic.v3.Generic - credential: - name: jwt-sa-bearer - overwrite: true - - name: envoy.extensions.filters.http.upstream_codec.v3.UpstreamCodec - typed_config: - "@type": type.googleapis.com/envoy.extensions.filters.http.upstream_codec.v3.UpstreamCodec - transport_socket: - name: envoy.transport_sockets.tls - typed_config: - "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext - common_tls_context: - tls_params: - tls_maximum_protocol_version: TLSv1_3 - validation_context_sds_secret_config: - name: xds_trusted_ca - sds_config: - path_config_source: - path: /sds/xds-trusted-ca.json - resource_api_version: V3 secrets: - name: jwt-sa-bearer generic_secret: diff --git a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/override-labels-and-annotations.yaml b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/override-labels-and-annotations.yaml index 72eccdd573..335af41346 100644 
--- a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/override-labels-and-annotations.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/override-labels-and-annotations.yaml @@ -189,44 +189,6 @@ spec: path_config_source: path: /sds/xds-trusted-ca.json resource_api_version: V3 - - name: wasm_cluster - type: STRICT_DNS - connect_timeout: 10s - load_assignment: - cluster_name: wasm_cluster - endpoints: - - load_balancing_weight: 1 - lb_endpoints: - - load_balancing_weight: 1 - endpoint: - address: - socket_address: - address: envoy-gateway - port_value: 18002 - typed_extension_protocol_options: - envoy.extensions.upstreams.http.v3.HttpProtocolOptions: - "@type": "type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions" - explicit_http_config: - http2_protocol_options: {} - transport_socket: - name: envoy.transport_sockets.tls - typed_config: - "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext - common_tls_context: - tls_params: - tls_maximum_protocol_version: TLSv1_3 - tls_certificate_sds_secret_configs: - - name: xds_certificate - sds_config: - path_config_source: - path: /sds/xds-certificate.json - resource_api_version: V3 - validation_context_sds_secret_config: - name: xds_trusted_ca - sds_config: - path_config_source: - path: /sds/xds-trusted-ca.json - resource_api_version: V3 overload_manager: refresh_interval: 0.25s resource_monitors: diff --git a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/patch-daemonset.yaml b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/patch-daemonset.yaml index 4b0371530e..0a3df16c88 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/patch-daemonset.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/patch-daemonset.yaml 
@@ -180,44 +180,6 @@ spec: path_config_source: path: /sds/xds-trusted-ca.json resource_api_version: V3 - - name: wasm_cluster - type: STRICT_DNS - connect_timeout: 10s - load_assignment: - cluster_name: wasm_cluster - endpoints: - - load_balancing_weight: 1 - lb_endpoints: - - load_balancing_weight: 1 - endpoint: - address: - socket_address: - address: envoy-gateway - port_value: 18002 - typed_extension_protocol_options: - envoy.extensions.upstreams.http.v3.HttpProtocolOptions: - "@type": "type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions" - explicit_http_config: - http2_protocol_options: {} - transport_socket: - name: envoy.transport_sockets.tls - typed_config: - "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext - common_tls_context: - tls_params: - tls_maximum_protocol_version: TLSv1_3 - tls_certificate_sds_secret_configs: - - name: xds_certificate - sds_config: - path_config_source: - path: /sds/xds-certificate.json - resource_api_version: V3 - validation_context_sds_secret_config: - name: xds_trusted_ca - sds_config: - path_config_source: - path: /sds/xds-trusted-ca.json - resource_api_version: V3 overload_manager: refresh_interval: 0.25s resource_monitors: diff --git a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/shutdown-manager.yaml b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/shutdown-manager.yaml index 17ec7a22e0..3205887615 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/shutdown-manager.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/shutdown-manager.yaml 
@@ -180,44 +180,6 @@ spec: path_config_source: path: /sds/xds-trusted-ca.json resource_api_version: V3 - - name: wasm_cluster - type: STRICT_DNS - connect_timeout: 10s - load_assignment: - cluster_name: wasm_cluster - endpoints: - - load_balancing_weight: 1 - lb_endpoints: - - load_balancing_weight: 1 - endpoint: - address: - socket_address: - address: envoy-gateway - port_value: 18002 - typed_extension_protocol_options: - envoy.extensions.upstreams.http.v3.HttpProtocolOptions: - "@type": "type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions" - explicit_http_config: - http2_protocol_options: {} - transport_socket: - name: envoy.transport_sockets.tls - typed_config: - "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext - common_tls_context: - tls_params: - tls_maximum_protocol_version: TLSv1_3 - tls_certificate_sds_secret_configs: - - name: xds_certificate - sds_config: - path_config_source: - path: /sds/xds-certificate.json - resource_api_version: V3 - validation_context_sds_secret_config: - name: xds_trusted_ca - sds_config: - path_config_source: - path: /sds/xds-trusted-ca.json - resource_api_version: V3 overload_manager: refresh_interval: 0.25s resource_monitors: diff --git a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/volumes.yaml b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/volumes.yaml index 7a1aedf318..5d228dc1a7 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/volumes.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/volumes.yaml 
@@ -180,44 +180,6 @@ spec: path_config_source: path: /sds/xds-trusted-ca.json resource_api_version: V3 - - name: wasm_cluster - type: STRICT_DNS - connect_timeout: 10s - load_assignment: - cluster_name: wasm_cluster - endpoints: - - load_balancing_weight: 1 - lb_endpoints: - - load_balancing_weight: 1 - endpoint: - address: - socket_address: - address: envoy-gateway - port_value: 18002 - typed_extension_protocol_options: - envoy.extensions.upstreams.http.v3.HttpProtocolOptions: - "@type": "type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions" - explicit_http_config: - http2_protocol_options: {} - transport_socket: - name: envoy.transport_sockets.tls - typed_config: - "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext - common_tls_context: - tls_params: - tls_maximum_protocol_version: TLSv1_3 - tls_certificate_sds_secret_configs: - - name: xds_certificate - sds_config: - path_config_source: - path: /sds/xds-certificate.json - resource_api_version: V3 - validation_context_sds_secret_config: - name: xds_trusted_ca - sds_config: - path_config_source: - path: /sds/xds-trusted-ca.json - resource_api_version: V3 overload_manager: refresh_interval: 0.25s resource_monitors: diff --git a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/with-annotations.yaml b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/with-annotations.yaml index 3a9ce07690..6a0ccedd3c 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/with-annotations.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/with-annotations.yaml 
@@ -185,44 +185,6 @@ spec: path_config_source: path: /sds/xds-trusted-ca.json resource_api_version: V3 - - name: wasm_cluster - type: STRICT_DNS - connect_timeout: 10s - load_assignment: - cluster_name: wasm_cluster - endpoints: - - load_balancing_weight: 1 - lb_endpoints: - - load_balancing_weight: 1 - endpoint: - address: - socket_address: - address: envoy-gateway - port_value: 18002 - typed_extension_protocol_options: - envoy.extensions.upstreams.http.v3.HttpProtocolOptions: - "@type": "type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions" - explicit_http_config: - http2_protocol_options: {} - transport_socket: - name: envoy.transport_sockets.tls - typed_config: - "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext - common_tls_context: - tls_params: - tls_maximum_protocol_version: TLSv1_3 - tls_certificate_sds_secret_configs: - - name: xds_certificate - sds_config: - path_config_source: - path: /sds/xds-certificate.json - resource_api_version: V3 - validation_context_sds_secret_config: - name: xds_trusted_ca - sds_config: - path_config_source: - path: /sds/xds-trusted-ca.json - resource_api_version: V3 overload_manager: refresh_interval: 0.25s resource_monitors: diff --git a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/with-extra-args.yaml b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/with-extra-args.yaml index be8261e493..82766a0cee 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/with-extra-args.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/with-extra-args.yaml 
@@ -180,44 +180,6 @@ spec: path_config_source: path: /sds/xds-trusted-ca.json resource_api_version: V3 - - name: wasm_cluster - type: STRICT_DNS - connect_timeout: 10s - load_assignment: - cluster_name: wasm_cluster - endpoints: - - load_balancing_weight: 1 - lb_endpoints: - - load_balancing_weight: 1 - endpoint: - address: - socket_address: - address: envoy-gateway - port_value: 18002 - typed_extension_protocol_options: - envoy.extensions.upstreams.http.v3.HttpProtocolOptions: - "@type": "type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions" - explicit_http_config: - http2_protocol_options: {} - transport_socket: - name: envoy.transport_sockets.tls - typed_config: - "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext - common_tls_context: - tls_params: - tls_maximum_protocol_version: TLSv1_3 - tls_certificate_sds_secret_configs: - - name: xds_certificate - sds_config: - path_config_source: - path: /sds/xds-certificate.json - resource_api_version: V3 - validation_context_sds_secret_config: - name: xds_trusted_ca - sds_config: - path_config_source: - path: /sds/xds-trusted-ca.json - resource_api_version: V3 overload_manager: refresh_interval: 0.25s resource_monitors: diff --git a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/with-image-pull-secrets.yaml b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/with-image-pull-secrets.yaml index acd51dd088..ffaeaf5500 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/with-image-pull-secrets.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/with-image-pull-secrets.yaml 
@@ -180,44 +180,6 @@ spec: path_config_source: path: /sds/xds-trusted-ca.json resource_api_version: V3 - - name: wasm_cluster - type: STRICT_DNS - connect_timeout: 10s - load_assignment: - cluster_name: wasm_cluster - endpoints: - - load_balancing_weight: 1 - lb_endpoints: - - load_balancing_weight: 1 - endpoint: - address: - socket_address: - address: envoy-gateway - port_value: 18002 - typed_extension_protocol_options: - envoy.extensions.upstreams.http.v3.HttpProtocolOptions: - "@type": "type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions" - explicit_http_config: - http2_protocol_options: {} - transport_socket: - name: envoy.transport_sockets.tls - typed_config: - "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext - common_tls_context: - tls_params: - tls_maximum_protocol_version: TLSv1_3 - tls_certificate_sds_secret_configs: - - name: xds_certificate - sds_config: - path_config_source: - path: /sds/xds-certificate.json - resource_api_version: V3 - validation_context_sds_secret_config: - name: xds_trusted_ca - sds_config: - path_config_source: - path: /sds/xds-trusted-ca.json - resource_api_version: V3 overload_manager: refresh_interval: 0.25s resource_monitors: diff --git a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/with-name.yaml b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/with-name.yaml index 5261dc842b..3c54978e5c 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/with-name.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/with-name.yaml 
@@ -180,44 +180,6 @@ spec: path_config_source: path: /sds/xds-trusted-ca.json resource_api_version: V3 - - name: wasm_cluster - type: STRICT_DNS - connect_timeout: 10s - load_assignment: - cluster_name: wasm_cluster - endpoints: - - load_balancing_weight: 1 - lb_endpoints: - - load_balancing_weight: 1 - endpoint: - address: - socket_address: - address: envoy-gateway - port_value: 18002 - typed_extension_protocol_options: - envoy.extensions.upstreams.http.v3.HttpProtocolOptions: - "@type": "type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions" - explicit_http_config: - http2_protocol_options: {} - transport_socket: - name: envoy.transport_sockets.tls - typed_config: - "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext - common_tls_context: - tls_params: - tls_maximum_protocol_version: TLSv1_3 - tls_certificate_sds_secret_configs: - - name: xds_certificate - sds_config: - path_config_source: - path: /sds/xds-certificate.json - resource_api_version: V3 - validation_context_sds_secret_config: - name: xds_trusted_ca - sds_config: - path_config_source: - path: /sds/xds-trusted-ca.json - resource_api_version: V3 overload_manager: refresh_interval: 0.25s resource_monitors: diff --git a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/with-node-selector.yaml b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/with-node-selector.yaml index 6045afd02d..a0f53dd758 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/with-node-selector.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/with-node-selector.yaml 
@@ -180,44 +180,6 @@ spec: path_config_source: path: /sds/xds-trusted-ca.json resource_api_version: V3 - - name: wasm_cluster - type: STRICT_DNS - connect_timeout: 10s - load_assignment: - cluster_name: wasm_cluster - endpoints: - - load_balancing_weight: 1 - lb_endpoints: - - load_balancing_weight: 1 - endpoint: - address: - socket_address: - address: envoy-gateway - port_value: 18002 - typed_extension_protocol_options: - envoy.extensions.upstreams.http.v3.HttpProtocolOptions: - "@type": "type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions" - explicit_http_config: - http2_protocol_options: {} - transport_socket: - name: envoy.transport_sockets.tls - typed_config: - "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext - common_tls_context: - tls_params: - tls_maximum_protocol_version: TLSv1_3 - tls_certificate_sds_secret_configs: - - name: xds_certificate - sds_config: - path_config_source: - path: /sds/xds-certificate.json - resource_api_version: V3 - validation_context_sds_secret_config: - name: xds_trusted_ca - sds_config: - path_config_source: - path: /sds/xds-trusted-ca.json - resource_api_version: V3 overload_manager: refresh_interval: 0.25s resource_monitors: diff --git a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/with-topology-spread-constraints.yaml b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/with-topology-spread-constraints.yaml index 434c2e9022..1548efa17d 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/with-topology-spread-constraints.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/with-topology-spread-constraints.yaml 
@@ -180,44 +180,6 @@ spec: path_config_source: path: /sds/xds-trusted-ca.json resource_api_version: V3 - - name: wasm_cluster - type: STRICT_DNS - connect_timeout: 10s - load_assignment: - cluster_name: wasm_cluster - endpoints: - - load_balancing_weight: 1 - lb_endpoints: - - load_balancing_weight: 1 - endpoint: - address: - socket_address: - address: envoy-gateway - port_value: 18002 - typed_extension_protocol_options: - envoy.extensions.upstreams.http.v3.HttpProtocolOptions: - "@type": "type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions" - explicit_http_config: - http2_protocol_options: {} - transport_socket: - name: envoy.transport_sockets.tls - typed_config: - "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext - common_tls_context: - tls_params: - tls_maximum_protocol_version: TLSv1_3 - tls_certificate_sds_secret_configs: - - name: xds_certificate - sds_config: - path_config_source: - path: /sds/xds-certificate.json - resource_api_version: V3 - validation_context_sds_secret_config: - name: xds_trusted_ca - sds_config: - path_config_source: - path: /sds/xds-trusted-ca.json - resource_api_version: V3 overload_manager: refresh_interval: 0.25s resource_monitors: diff --git a/internal/infrastructure/kubernetes/proxy/testdata/deployments/custom.yaml b/internal/infrastructure/kubernetes/proxy/testdata/deployments/custom.yaml index 37eda35ecb..1f09bd4502 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/deployments/custom.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/deployments/custom.yaml 
@@ -186,44 +186,6 @@ spec: path_config_source: path: /sds/xds-trusted-ca.json resource_api_version: V3 - - name: wasm_cluster - type: STRICT_DNS - connect_timeout: 10s - load_assignment: - cluster_name: wasm_cluster - endpoints: - - load_balancing_weight: 1 - lb_endpoints: - - load_balancing_weight: 1 - endpoint: - address: - socket_address: - address: envoy-gateway - port_value: 18002 - typed_extension_protocol_options: - envoy.extensions.upstreams.http.v3.HttpProtocolOptions: - "@type": "type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions" - explicit_http_config: - http2_protocol_options: {} - transport_socket: - name: envoy.transport_sockets.tls - typed_config: - "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext - common_tls_context: - tls_params: - tls_maximum_protocol_version: TLSv1_3 - tls_certificate_sds_secret_configs: - - name: xds_certificate - sds_config: - path_config_source: - path: /sds/xds-certificate.json - resource_api_version: V3 - validation_context_sds_secret_config: - name: xds_trusted_ca - sds_config: - path_config_source: - path: /sds/xds-trusted-ca.json - resource_api_version: V3 overload_manager: refresh_interval: 0.25s resource_monitors: diff --git a/internal/infrastructure/kubernetes/proxy/testdata/deployments/custom_with_initcontainers.yaml b/internal/infrastructure/kubernetes/proxy/testdata/deployments/custom_with_initcontainers.yaml index cab6025414..b646e37401 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/deployments/custom_with_initcontainers.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/deployments/custom_with_initcontainers.yaml 
@@ -186,44 +186,6 @@ spec: path_config_source: path: /sds/xds-trusted-ca.json resource_api_version: V3 - - name: wasm_cluster - type: STRICT_DNS - connect_timeout: 10s - load_assignment: - cluster_name: wasm_cluster - endpoints: - - load_balancing_weight: 1 - lb_endpoints: - - load_balancing_weight: 1 - endpoint: - address: - socket_address: - address: envoy-gateway - port_value: 18002 - typed_extension_protocol_options: - envoy.extensions.upstreams.http.v3.HttpProtocolOptions: - "@type": "type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions" - explicit_http_config: - http2_protocol_options: {} - transport_socket: - name: envoy.transport_sockets.tls - typed_config: - "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext - common_tls_context: - tls_params: - tls_maximum_protocol_version: TLSv1_3 - tls_certificate_sds_secret_configs: - - name: xds_certificate - sds_config: - path_config_source: - path: /sds/xds-certificate.json - resource_api_version: V3 - validation_context_sds_secret_config: - name: xds_trusted_ca - sds_config: - path_config_source: - path: /sds/xds-trusted-ca.json - resource_api_version: V3 overload_manager: refresh_interval: 0.25s resource_monitors: diff --git a/internal/infrastructure/kubernetes/proxy/testdata/deployments/default-env.yaml b/internal/infrastructure/kubernetes/proxy/testdata/deployments/default-env.yaml index da6e816d94..bee9650598 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/deployments/default-env.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/deployments/default-env.yaml 
@@ -185,44 +185,6 @@ spec: path_config_source: path: /sds/xds-trusted-ca.json resource_api_version: V3 - - name: wasm_cluster - type: STRICT_DNS - connect_timeout: 10s - load_assignment: - cluster_name: wasm_cluster - endpoints: - - load_balancing_weight: 1 - lb_endpoints: - - load_balancing_weight: 1 - endpoint: - address: - socket_address: - address: envoy-gateway - port_value: 18002 - typed_extension_protocol_options: - envoy.extensions.upstreams.http.v3.HttpProtocolOptions: - "@type": "type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions" - explicit_http_config: - http2_protocol_options: {} - transport_socket: - name: envoy.transport_sockets.tls - typed_config: - "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext - common_tls_context: - tls_params: - tls_maximum_protocol_version: TLSv1_3 - tls_certificate_sds_secret_configs: - - name: xds_certificate - sds_config: - path_config_source: - path: /sds/xds-certificate.json - resource_api_version: V3 - validation_context_sds_secret_config: - name: xds_trusted_ca - sds_config: - path_config_source: - path: /sds/xds-trusted-ca.json - resource_api_version: V3 overload_manager: refresh_interval: 0.25s resource_monitors: diff --git a/internal/infrastructure/kubernetes/proxy/testdata/deployments/default.yaml b/internal/infrastructure/kubernetes/proxy/testdata/deployments/default.yaml index 3848c76941..538a837773 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/deployments/default.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/deployments/default.yaml 
@@ -184,44 +184,6 @@ spec: path_config_source: path: /sds/xds-trusted-ca.json resource_api_version: V3 - - name: wasm_cluster - type: STRICT_DNS - connect_timeout: 10s - load_assignment: - cluster_name: wasm_cluster - endpoints: - - load_balancing_weight: 1 - lb_endpoints: - - load_balancing_weight: 1 - endpoint: - address: - socket_address: - address: envoy-gateway - port_value: 18002 - typed_extension_protocol_options: - envoy.extensions.upstreams.http.v3.HttpProtocolOptions: - "@type": "type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions" - explicit_http_config: - http2_protocol_options: {} - transport_socket: - name: envoy.transport_sockets.tls - typed_config: - "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext - common_tls_context: - tls_params: - tls_maximum_protocol_version: TLSv1_3 - tls_certificate_sds_secret_configs: - - name: xds_certificate - sds_config: - path_config_source: - path: /sds/xds-certificate.json - resource_api_version: V3 - validation_context_sds_secret_config: - name: xds_trusted_ca - sds_config: - path_config_source: - path: /sds/xds-trusted-ca.json - resource_api_version: V3 overload_manager: refresh_interval: 0.25s resource_monitors: diff --git a/internal/infrastructure/kubernetes/proxy/testdata/deployments/disable-prometheus.yaml b/internal/infrastructure/kubernetes/proxy/testdata/deployments/disable-prometheus.yaml index 3e86e14000..762d42e5f9 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/deployments/disable-prometheus.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/deployments/disable-prometheus.yaml 
@@ -133,44 +133,6 @@ spec: path_config_source: path: /sds/xds-trusted-ca.json resource_api_version: V3 - - name: wasm_cluster - type: STRICT_DNS - connect_timeout: 10s - load_assignment: - cluster_name: wasm_cluster - endpoints: - - load_balancing_weight: 1 - lb_endpoints: - - load_balancing_weight: 1 - endpoint: - address: - socket_address: - address: envoy-gateway - port_value: 18002 - typed_extension_protocol_options: - envoy.extensions.upstreams.http.v3.HttpProtocolOptions: - "@type": "type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions" - explicit_http_config: - http2_protocol_options: {} - transport_socket: - name: envoy.transport_sockets.tls - typed_config: - "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext - common_tls_context: - tls_params: - tls_maximum_protocol_version: TLSv1_3 - tls_certificate_sds_secret_configs: - - name: xds_certificate - sds_config: - path_config_source: - path: /sds/xds-certificate.json - resource_api_version: V3 - validation_context_sds_secret_config: - name: xds_trusted_ca - sds_config: - path_config_source: - path: /sds/xds-trusted-ca.json - resource_api_version: V3 overload_manager: refresh_interval: 0.25s resource_monitors: diff --git a/internal/infrastructure/kubernetes/proxy/testdata/deployments/dual-stack.yaml b/internal/infrastructure/kubernetes/proxy/testdata/deployments/dual-stack.yaml index 022a07bf13..41f290234a 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/deployments/dual-stack.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/deployments/dual-stack.yaml 
@@ -185,44 +185,6 @@ spec: path_config_source: path: /sds/xds-trusted-ca.json resource_api_version: V3 - - name: wasm_cluster - type: STRICT_DNS - connect_timeout: 10s - load_assignment: - cluster_name: wasm_cluster - endpoints: - - load_balancing_weight: 1 - lb_endpoints: - - load_balancing_weight: 1 - endpoint: - address: - socket_address: - address: envoy-gateway - port_value: 18002 - typed_extension_protocol_options: - envoy.extensions.upstreams.http.v3.HttpProtocolOptions: - "@type": "type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions" - explicit_http_config: - http2_protocol_options: {} - transport_socket: - name: envoy.transport_sockets.tls - typed_config: - "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext - common_tls_context: - tls_params: - tls_maximum_protocol_version: TLSv1_3 - tls_certificate_sds_secret_configs: - - name: xds_certificate - sds_config: - path_config_source: - path: /sds/xds-certificate.json - resource_api_version: V3 - validation_context_sds_secret_config: - name: xds_trusted_ca - sds_config: - path_config_source: - path: /sds/xds-trusted-ca.json - resource_api_version: V3 overload_manager: refresh_interval: 0.25s resource_monitors: diff --git a/internal/infrastructure/kubernetes/proxy/testdata/deployments/extension-env.yaml b/internal/infrastructure/kubernetes/proxy/testdata/deployments/extension-env.yaml index 9eb387a235..034697656a 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/deployments/extension-env.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/deployments/extension-env.yaml 
@@ -185,44 +185,6 @@ spec: path_config_source: path: /sds/xds-trusted-ca.json resource_api_version: V3 - - name: wasm_cluster - type: STRICT_DNS - connect_timeout: 10s - load_assignment: - cluster_name: wasm_cluster - endpoints: - - load_balancing_weight: 1 - lb_endpoints: - - load_balancing_weight: 1 - endpoint: - address: - socket_address: - address: envoy-gateway - port_value: 18002 - typed_extension_protocol_options: - envoy.extensions.upstreams.http.v3.HttpProtocolOptions: - "@type": "type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions" - explicit_http_config: - http2_protocol_options: {} - transport_socket: - name: envoy.transport_sockets.tls - typed_config: - "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext - common_tls_context: - tls_params: - tls_maximum_protocol_version: TLSv1_3 - tls_certificate_sds_secret_configs: - - name: xds_certificate - sds_config: - path_config_source: - path: /sds/xds-certificate.json - resource_api_version: V3 - validation_context_sds_secret_config: - name: xds_trusted_ca - sds_config: - path_config_source: - path: /sds/xds-trusted-ca.json - resource_api_version: V3 overload_manager: refresh_interval: 0.25s resource_monitors: diff --git a/internal/infrastructure/kubernetes/proxy/testdata/deployments/gateway-namespace-mode.yaml b/internal/infrastructure/kubernetes/proxy/testdata/deployments/gateway-namespace-mode.yaml index edf6fd6746..ded8d79668 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/deployments/gateway-namespace-mode.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/deployments/gateway-namespace-mode.yaml 
@@ -197,52 +197,6 @@ spec: path_config_source: path: /sds/xds-trusted-ca.json resource_api_version: V3 - - name: wasm_cluster - type: STRICT_DNS - connect_timeout: 10s - load_assignment: - cluster_name: wasm_cluster - endpoints: - - load_balancing_weight: 1 - lb_endpoints: - - load_balancing_weight: 1 - endpoint: - address: - socket_address: - address: envoy-gateway - port_value: 18002 - typed_extension_protocol_options: - envoy.extensions.upstreams.http.v3.HttpProtocolOptions: - "@type": "type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions" - explicit_http_config: - http2_protocol_options: {} - http_filters: - - name: envoy.filters.http.credential_injector - typed_config: - "@type": type.googleapis.com/envoy.extensions.filters.http.credential_injector.v3.CredentialInjector - credential: - name: envoy.http.injected_credentials.generic - typed_config: - "@type": type.googleapis.com/envoy.extensions.http.injected_credentials.generic.v3.Generic - credential: - name: jwt-sa-bearer - overwrite: true - - name: envoy.extensions.filters.http.upstream_codec.v3.UpstreamCodec - typed_config: - "@type": type.googleapis.com/envoy.extensions.filters.http.upstream_codec.v3.UpstreamCodec - transport_socket: - name: envoy.transport_sockets.tls - typed_config: - "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext - common_tls_context: - tls_params: - tls_maximum_protocol_version: TLSv1_3 - validation_context_sds_secret_config: - name: xds_trusted_ca - sds_config: - path_config_source: - path: /sds/xds-trusted-ca.json - resource_api_version: V3 secrets: - name: jwt-sa-bearer generic_secret: diff --git a/internal/infrastructure/kubernetes/proxy/testdata/deployments/ipv6.yaml b/internal/infrastructure/kubernetes/proxy/testdata/deployments/ipv6.yaml index 00ccd38ebf..37d053e036 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/deployments/ipv6.yaml 
+++ b/internal/infrastructure/kubernetes/proxy/testdata/deployments/ipv6.yaml @@ -185,44 +185,6 @@ spec: path_config_source: path: /sds/xds-trusted-ca.json resource_api_version: V3 - - name: wasm_cluster - type: STRICT_DNS - connect_timeout: 10s - load_assignment: - cluster_name: wasm_cluster - endpoints: - - load_balancing_weight: 1 - lb_endpoints: - - load_balancing_weight: 1 - endpoint: - address: - socket_address: - address: envoy-gateway - port_value: 18002 - typed_extension_protocol_options: - envoy.extensions.upstreams.http.v3.HttpProtocolOptions: - "@type": "type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions" - explicit_http_config: - http2_protocol_options: {} - transport_socket: - name: envoy.transport_sockets.tls - typed_config: - "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext - common_tls_context: - tls_params: - tls_maximum_protocol_version: TLSv1_3 - tls_certificate_sds_secret_configs: - - name: xds_certificate - sds_config: - path_config_source: - path: /sds/xds-certificate.json - resource_api_version: V3 - validation_context_sds_secret_config: - name: xds_trusted_ca - sds_config: - path_config_source: - path: /sds/xds-trusted-ca.json - resource_api_version: V3 overload_manager: refresh_interval: 0.25s resource_monitors: diff --git a/internal/infrastructure/kubernetes/proxy/testdata/deployments/override-labels-and-annotations.yaml b/internal/infrastructure/kubernetes/proxy/testdata/deployments/override-labels-and-annotations.yaml index 5c60929c34..460174656c 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/deployments/override-labels-and-annotations.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/deployments/override-labels-and-annotations.yaml 
@@ -193,44 +193,6 @@ spec: path_config_source: path: /sds/xds-trusted-ca.json resource_api_version: V3 - - name: wasm_cluster - type: STRICT_DNS - connect_timeout: 10s - load_assignment: - cluster_name: wasm_cluster - endpoints: - - load_balancing_weight: 1 - lb_endpoints: - - load_balancing_weight: 1 - endpoint: - address: - socket_address: - address: envoy-gateway - port_value: 18002 - typed_extension_protocol_options: - envoy.extensions.upstreams.http.v3.HttpProtocolOptions: - "@type": "type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions" - explicit_http_config: - http2_protocol_options: {} - transport_socket: - name: envoy.transport_sockets.tls - typed_config: - "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext - common_tls_context: - tls_params: - tls_maximum_protocol_version: TLSv1_3 - tls_certificate_sds_secret_configs: - - name: xds_certificate - sds_config: - path_config_source: - path: /sds/xds-certificate.json - resource_api_version: V3 - validation_context_sds_secret_config: - name: xds_trusted_ca - sds_config: - path_config_source: - path: /sds/xds-trusted-ca.json - resource_api_version: V3 overload_manager: refresh_interval: 0.25s resource_monitors: diff --git a/internal/infrastructure/kubernetes/proxy/testdata/deployments/patch-deployment.yaml b/internal/infrastructure/kubernetes/proxy/testdata/deployments/patch-deployment.yaml index 90c87b8949..1586d258ac 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/deployments/patch-deployment.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/deployments/patch-deployment.yaml 
@@ -184,44 +184,6 @@ spec: path_config_source: path: /sds/xds-trusted-ca.json resource_api_version: V3 - - name: wasm_cluster - type: STRICT_DNS - connect_timeout: 10s - load_assignment: - cluster_name: wasm_cluster - endpoints: - - load_balancing_weight: 1 - lb_endpoints: - - load_balancing_weight: 1 - endpoint: - address: - socket_address: - address: envoy-gateway - port_value: 18002 - typed_extension_protocol_options: - envoy.extensions.upstreams.http.v3.HttpProtocolOptions: - "@type": "type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions" - explicit_http_config: - http2_protocol_options: {} - transport_socket: - name: envoy.transport_sockets.tls - typed_config: - "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext - common_tls_context: - tls_params: - tls_maximum_protocol_version: TLSv1_3 - tls_certificate_sds_secret_configs: - - name: xds_certificate - sds_config: - path_config_source: - path: /sds/xds-certificate.json - resource_api_version: V3 - validation_context_sds_secret_config: - name: xds_trusted_ca - sds_config: - path_config_source: - path: /sds/xds-trusted-ca.json - resource_api_version: V3 overload_manager: refresh_interval: 0.25s resource_monitors: diff --git a/internal/infrastructure/kubernetes/proxy/testdata/deployments/shutdown-manager.yaml b/internal/infrastructure/kubernetes/proxy/testdata/deployments/shutdown-manager.yaml index 7bb12ed61c..90cfd5c37b 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/deployments/shutdown-manager.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/deployments/shutdown-manager.yaml 
@@ -184,44 +184,6 @@ spec: path_config_source: path: /sds/xds-trusted-ca.json resource_api_version: V3 - - name: wasm_cluster - type: STRICT_DNS - connect_timeout: 10s - load_assignment: - cluster_name: wasm_cluster - endpoints: - - load_balancing_weight: 1 - lb_endpoints: - - load_balancing_weight: 1 - endpoint: - address: - socket_address: - address: envoy-gateway - port_value: 18002 - typed_extension_protocol_options: - envoy.extensions.upstreams.http.v3.HttpProtocolOptions: - "@type": "type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions" - explicit_http_config: - http2_protocol_options: {} - transport_socket: - name: envoy.transport_sockets.tls - typed_config: - "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext - common_tls_context: - tls_params: - tls_maximum_protocol_version: TLSv1_3 - tls_certificate_sds_secret_configs: - - name: xds_certificate - sds_config: - path_config_source: - path: /sds/xds-certificate.json - resource_api_version: V3 - validation_context_sds_secret_config: - name: xds_trusted_ca - sds_config: - path_config_source: - path: /sds/xds-trusted-ca.json - resource_api_version: V3 overload_manager: refresh_interval: 0.25s resource_monitors: diff --git a/internal/infrastructure/kubernetes/proxy/testdata/deployments/volumes.yaml b/internal/infrastructure/kubernetes/proxy/testdata/deployments/volumes.yaml index 40f362fe71..d2df4f7852 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/deployments/volumes.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/deployments/volumes.yaml 
@@ -185,44 +185,6 @@ spec: path_config_source: path: /sds/xds-trusted-ca.json resource_api_version: V3 - - name: wasm_cluster - type: STRICT_DNS - connect_timeout: 10s - load_assignment: - cluster_name: wasm_cluster - endpoints: - - load_balancing_weight: 1 - lb_endpoints: - - load_balancing_weight: 1 - endpoint: - address: - socket_address: - address: envoy-gateway - port_value: 18002 - typed_extension_protocol_options: - envoy.extensions.upstreams.http.v3.HttpProtocolOptions: - "@type": "type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions" - explicit_http_config: - http2_protocol_options: {} - transport_socket: - name: envoy.transport_sockets.tls - typed_config: - "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext - common_tls_context: - tls_params: - tls_maximum_protocol_version: TLSv1_3 - tls_certificate_sds_secret_configs: - - name: xds_certificate - sds_config: - path_config_source: - path: /sds/xds-certificate.json - resource_api_version: V3 - validation_context_sds_secret_config: - name: xds_trusted_ca - sds_config: - path_config_source: - path: /sds/xds-trusted-ca.json - resource_api_version: V3 overload_manager: refresh_interval: 0.25s resource_monitors: diff --git a/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-annotations.yaml b/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-annotations.yaml index a7da4ca853..ae5d29392d 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-annotations.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-annotations.yaml 
@@ -189,44 +189,6 @@ spec: path_config_source: path: /sds/xds-trusted-ca.json resource_api_version: V3 - - name: wasm_cluster - type: STRICT_DNS - connect_timeout: 10s - load_assignment: - cluster_name: wasm_cluster - endpoints: - - load_balancing_weight: 1 - lb_endpoints: - - load_balancing_weight: 1 - endpoint: - address: - socket_address: - address: envoy-gateway - port_value: 18002 - typed_extension_protocol_options: - envoy.extensions.upstreams.http.v3.HttpProtocolOptions: - "@type": "type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions" - explicit_http_config: - http2_protocol_options: {} - transport_socket: - name: envoy.transport_sockets.tls - typed_config: - "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext - common_tls_context: - tls_params: - tls_maximum_protocol_version: TLSv1_3 - tls_certificate_sds_secret_configs: - - name: xds_certificate - sds_config: - path_config_source: - path: /sds/xds-certificate.json - resource_api_version: V3 - validation_context_sds_secret_config: - name: xds_trusted_ca - sds_config: - path_config_source: - path: /sds/xds-trusted-ca.json - resource_api_version: V3 overload_manager: refresh_interval: 0.25s resource_monitors: diff --git a/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-empty-memory-limits.yaml b/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-empty-memory-limits.yaml index a57ba75e48..0e4d831cdb 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-empty-memory-limits.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-empty-memory-limits.yaml 
@@ -184,44 +184,6 @@ spec: path_config_source: path: /sds/xds-trusted-ca.json resource_api_version: V3 - - name: wasm_cluster - type: STRICT_DNS - connect_timeout: 10s - load_assignment: - cluster_name: wasm_cluster - endpoints: - - load_balancing_weight: 1 - lb_endpoints: - - load_balancing_weight: 1 - endpoint: - address: - socket_address: - address: envoy-gateway - port_value: 18002 - typed_extension_protocol_options: - envoy.extensions.upstreams.http.v3.HttpProtocolOptions: - "@type": "type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions" - explicit_http_config: - http2_protocol_options: {} - transport_socket: - name: envoy.transport_sockets.tls - typed_config: - "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext - common_tls_context: - tls_params: - tls_maximum_protocol_version: TLSv1_3 - tls_certificate_sds_secret_configs: - - name: xds_certificate - sds_config: - path_config_source: - path: /sds/xds-certificate.json - resource_api_version: V3 - validation_context_sds_secret_config: - name: xds_trusted_ca - sds_config: - path_config_source: - path: /sds/xds-trusted-ca.json - resource_api_version: V3 overload_manager: refresh_interval: 0.25s resource_monitors: diff --git a/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-extra-args.yaml b/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-extra-args.yaml index b661ac8c24..589bbb9112 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-extra-args.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-extra-args.yaml 
@@ -184,44 +184,6 @@ spec: path_config_source: path: /sds/xds-trusted-ca.json resource_api_version: V3 - - name: wasm_cluster - type: STRICT_DNS - connect_timeout: 10s - load_assignment: - cluster_name: wasm_cluster - endpoints: - - load_balancing_weight: 1 - lb_endpoints: - - load_balancing_weight: 1 - endpoint: - address: - socket_address: - address: envoy-gateway - port_value: 18002 - typed_extension_protocol_options: - envoy.extensions.upstreams.http.v3.HttpProtocolOptions: - "@type": "type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions" - explicit_http_config: - http2_protocol_options: {} - transport_socket: - name: envoy.transport_sockets.tls - typed_config: - "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext - common_tls_context: - tls_params: - tls_maximum_protocol_version: TLSv1_3 - tls_certificate_sds_secret_configs: - - name: xds_certificate - sds_config: - path_config_source: - path: /sds/xds-certificate.json - resource_api_version: V3 - validation_context_sds_secret_config: - name: xds_trusted_ca - sds_config: - path_config_source: - path: /sds/xds-trusted-ca.json - resource_api_version: V3 overload_manager: refresh_interval: 0.25s resource_monitors: diff --git a/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-image-pull-secrets.yaml b/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-image-pull-secrets.yaml index 5510fcbecb..c723c4f0b1 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-image-pull-secrets.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-image-pull-secrets.yaml 
@@ -184,44 +184,6 @@ spec: path_config_source: path: /sds/xds-trusted-ca.json resource_api_version: V3 - - name: wasm_cluster - type: STRICT_DNS - connect_timeout: 10s - load_assignment: - cluster_name: wasm_cluster - endpoints: - - load_balancing_weight: 1 - lb_endpoints: - - load_balancing_weight: 1 - endpoint: - address: - socket_address: - address: envoy-gateway - port_value: 18002 - typed_extension_protocol_options: - envoy.extensions.upstreams.http.v3.HttpProtocolOptions: - "@type": "type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions" - explicit_http_config: - http2_protocol_options: {} - transport_socket: - name: envoy.transport_sockets.tls - typed_config: - "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext - common_tls_context: - tls_params: - tls_maximum_protocol_version: TLSv1_3 - tls_certificate_sds_secret_configs: - - name: xds_certificate - sds_config: - path_config_source: - path: /sds/xds-certificate.json - resource_api_version: V3 - validation_context_sds_secret_config: - name: xds_trusted_ca - sds_config: - path_config_source: - path: /sds/xds-trusted-ca.json - resource_api_version: V3 overload_manager: refresh_interval: 0.25s resource_monitors: diff --git a/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-name.yaml b/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-name.yaml index 465ff29def..212acfc745 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-name.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-name.yaml 
@@ -184,44 +184,6 @@ spec: path_config_source: path: /sds/xds-trusted-ca.json resource_api_version: V3 - - name: wasm_cluster - type: STRICT_DNS - connect_timeout: 10s - load_assignment: - cluster_name: wasm_cluster - endpoints: - - load_balancing_weight: 1 - lb_endpoints: - - load_balancing_weight: 1 - endpoint: - address: - socket_address: - address: envoy-gateway - port_value: 18002 - typed_extension_protocol_options: - envoy.extensions.upstreams.http.v3.HttpProtocolOptions: - "@type": "type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions" - explicit_http_config: - http2_protocol_options: {} - transport_socket: - name: envoy.transport_sockets.tls - typed_config: - "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext - common_tls_context: - tls_params: - tls_maximum_protocol_version: TLSv1_3 - tls_certificate_sds_secret_configs: - - name: xds_certificate - sds_config: - path_config_source: - path: /sds/xds-certificate.json - resource_api_version: V3 - validation_context_sds_secret_config: - name: xds_trusted_ca - sds_config: - path_config_source: - path: /sds/xds-trusted-ca.json - resource_api_version: V3 overload_manager: refresh_interval: 0.25s resource_monitors: diff --git a/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-node-selector.yaml b/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-node-selector.yaml index 8f2bae1a6a..81479bbd4b 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-node-selector.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-node-selector.yaml 
@@ -184,44 +184,6 @@ spec: path_config_source: path: /sds/xds-trusted-ca.json resource_api_version: V3 - - name: wasm_cluster - type: STRICT_DNS - connect_timeout: 10s - load_assignment: - cluster_name: wasm_cluster - endpoints: - - load_balancing_weight: 1 - lb_endpoints: - - load_balancing_weight: 1 - endpoint: - address: - socket_address: - address: envoy-gateway - port_value: 18002 - typed_extension_protocol_options: - envoy.extensions.upstreams.http.v3.HttpProtocolOptions: - "@type": "type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions" - explicit_http_config: - http2_protocol_options: {} - transport_socket: - name: envoy.transport_sockets.tls - typed_config: - "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext - common_tls_context: - tls_params: - tls_maximum_protocol_version: TLSv1_3 - tls_certificate_sds_secret_configs: - - name: xds_certificate - sds_config: - path_config_source: - path: /sds/xds-certificate.json - resource_api_version: V3 - validation_context_sds_secret_config: - name: xds_trusted_ca - sds_config: - path_config_source: - path: /sds/xds-trusted-ca.json - resource_api_version: V3 overload_manager: refresh_interval: 0.25s resource_monitors: diff --git a/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-topology-spread-constraints.yaml b/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-topology-spread-constraints.yaml index 894c5269bc..182b1407a7 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-topology-spread-constraints.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-topology-spread-constraints.yaml 
@@ -184,44 +184,6 @@ spec: path_config_source: path: /sds/xds-trusted-ca.json resource_api_version: V3 - - name: wasm_cluster - type: STRICT_DNS - connect_timeout: 10s - load_assignment: - cluster_name: wasm_cluster - endpoints: - - load_balancing_weight: 1 - lb_endpoints: - - load_balancing_weight: 1 - endpoint: - address: - socket_address: - address: envoy-gateway - port_value: 18002 - typed_extension_protocol_options: - envoy.extensions.upstreams.http.v3.HttpProtocolOptions: - "@type": "type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions" - explicit_http_config: - http2_protocol_options: {} - transport_socket: - name: envoy.transport_sockets.tls - typed_config: - "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext - common_tls_context: - tls_params: - tls_maximum_protocol_version: TLSv1_3 - tls_certificate_sds_secret_configs: - - name: xds_certificate - sds_config: - path_config_source: - path: /sds/xds-certificate.json - resource_api_version: V3 - validation_context_sds_secret_config: - name: xds_trusted_ca - sds_config: - path_config_source: - path: /sds/xds-trusted-ca.json - resource_api_version: V3 overload_manager: refresh_interval: 0.25s resource_monitors: diff --git a/internal/infrastructure/kubernetes/proxy/testdata/gateway-namespace-mode/deployment.yaml b/internal/infrastructure/kubernetes/proxy/testdata/gateway-namespace-mode/deployment.yaml index a767126cee..d5e1c8be85 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/gateway-namespace-mode/deployment.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/gateway-namespace-mode/deployment.yaml 
@@ -197,52 +197,6 @@ spec: path_config_source: path: /sds/xds-trusted-ca.json resource_api_version: V3 - - name: wasm_cluster - type: STRICT_DNS - connect_timeout: 10s - load_assignment: - cluster_name: wasm_cluster - endpoints: - - load_balancing_weight: 1 - lb_endpoints: - - load_balancing_weight: 1 - endpoint: - address: - socket_address: - address: envoy-gateway - port_value: 18002 - typed_extension_protocol_options: - envoy.extensions.upstreams.http.v3.HttpProtocolOptions: - "@type": "type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions" - explicit_http_config: - http2_protocol_options: {} - http_filters: - - name: envoy.filters.http.credential_injector - typed_config: - "@type": type.googleapis.com/envoy.extensions.filters.http.credential_injector.v3.CredentialInjector - credential: - name: envoy.http.injected_credentials.generic - typed_config: - "@type": type.googleapis.com/envoy.extensions.http.injected_credentials.generic.v3.Generic - credential: - name: jwt-sa-bearer - overwrite: true - - name: envoy.extensions.filters.http.upstream_codec.v3.UpstreamCodec - typed_config: - "@type": type.googleapis.com/envoy.extensions.filters.http.upstream_codec.v3.UpstreamCodec - transport_socket: - name: envoy.transport_sockets.tls - typed_config: - "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext - common_tls_context: - tls_params: - tls_maximum_protocol_version: TLSv1_3 - validation_context_sds_secret_config: - name: xds_trusted_ca - sds_config: - path_config_source: - path: /sds/xds-trusted-ca.json - resource_api_version: V3 secrets: - name: jwt-sa-bearer generic_secret: 
@@ -647,52 +601,6 @@ spec: path_config_source: path: /sds/xds-trusted-ca.json resource_api_version: V3 - - name: wasm_cluster - type: STRICT_DNS - connect_timeout: 10s - load_assignment: - cluster_name: wasm_cluster - endpoints: - - load_balancing_weight: 1 - lb_endpoints: - - load_balancing_weight: 1 - endpoint: - address: - socket_address: - address: envoy-gateway - port_value: 18002 - typed_extension_protocol_options: - envoy.extensions.upstreams.http.v3.HttpProtocolOptions: - "@type": "type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions" - explicit_http_config: - http2_protocol_options: {} - http_filters: - - name: envoy.filters.http.credential_injector - typed_config: - "@type": type.googleapis.com/envoy.extensions.filters.http.credential_injector.v3.CredentialInjector - credential: - name: envoy.http.injected_credentials.generic - typed_config: - "@type": type.googleapis.com/envoy.extensions.http.injected_credentials.generic.v3.Generic - credential: - name: jwt-sa-bearer - overwrite: true - - name: envoy.extensions.filters.http.upstream_codec.v3.UpstreamCodec - typed_config: - "@type": type.googleapis.com/envoy.extensions.filters.http.upstream_codec.v3.UpstreamCodec - transport_socket: - name: envoy.transport_sockets.tls - typed_config: - "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext - common_tls_context: - tls_params: - tls_maximum_protocol_version: TLSv1_3 - validation_context_sds_secret_config: - name: xds_trusted_ca - sds_config: - path_config_source: - path: /sds/xds-trusted-ca.json - resource_api_version: V3 secrets: - name: jwt-sa-bearer generic_secret: diff --git a/internal/wasm/httpserver.go b/internal/wasm/httpserver.go index 2d346486e5..b1e60c9e84 100644 --- a/internal/wasm/httpserver.go +++ b/internal/wasm/httpserver.go 
@@ -72,6 +72,8 @@ type HTTPServer struct { cache Cache // HTTP server to serve the Wasm modules to the Envoy Proxies. server *http.Server + // The namespace where the Envoy Gateway is running. + controllerNamespace string // logger logger logging.Logger } @@ -95,15 +97,16 @@ type wasmModuleEntry struct { // NewHTTPServerWithFileCache creates a HTTP server with a local file cache for Wasm modules. // The local file cache is used to store the Wasm modules downloaded from the original URL. // The HTTP server serves the cached Wasm modules over HTTP to the Envoy Proxies. -func NewHTTPServerWithFileCache(serverOptions SeverOptions, cacheOptions CacheOptions, logger logging.Logger) *HTTPServer { +func NewHTTPServerWithFileCache(serverOptions SeverOptions, cacheOptions CacheOptions, controllerNamespace string, logger logging.Logger) *HTTPServer { logger = logger.WithName("wasm-cache") serverOptions.setDefault() return &HTTPServer{ - SeverOptions: serverOptions, - mappingPath2Cache: make(map[string]wasmModuleEntry), - failedAttempts: make(map[string]attemptEntry), - cache: newLocalFileCache(cacheOptions, logger), - logger: logger, + SeverOptions: serverOptions, + mappingPath2Cache: make(map[string]wasmModuleEntry), + failedAttempts: make(map[string]attemptEntry), + cache: newLocalFileCache(cacheOptions, logger), + controllerNamespace: controllerNamespace, + logger: logger, } } @@ -208,7 +211,8 @@ func (s *HTTPServer) Get(originalURL string, opts GetOptions) (servingURL, check if s.enableTLS() { scheme = "https" } - servingURL = fmt.Sprintf("%s://%s:%d/%s", scheme, serverHost, serverPort, mappingPath) + serverHostFQDN := fmt.Sprintf("%s.%s.svc.cluster.local", serverHost, s.controllerNamespace) + servingURL = fmt.Sprintf("%s://%s:%d/%s", scheme, serverHostFQDN, serverPort, mappingPath) return servingURL, checksum, nil } diff --git a/internal/wasm/httpserver_test.go b/internal/wasm/httpserver_test.go index 0fd7c099bc..9984ec9fc8 100644 --- a/internal/wasm/httpserver_test.go 
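Review bot: `controllerNamespace` is stored by NewHTTPServerWithFileCache without any check, and the doc comment above the function does not mention the new parameter. Get later formats the value into the serving host, so an empty string would produce a name with an empty DNS label (`<serverHost>..svc.cluster.local`) that the proxies cannot resolve. The constructor has no error return, so I would document the requirement on the function, e.g. `// controllerNamespace must be the non-empty namespace of the Envoy Gateway Service; it is used to build the serving URL.`, and have the caller validate it before constructing the server.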
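Review bot: The cluster DNS domain is hard-coded as `cluster.local` in the new `serverHostFQDN` line of Get, so a cluster configured with a different domain would hand the proxies a serving URL they cannot resolve. I would take the domain from configuration rather than the literal, for example a field set next to `controllerNamespace` (the name `clusterDomain` is only a suggestion): `fmt.Sprintf("%s.%s.svc.%s", serverHost, s.controllerNamespace, s.clusterDomain)`. When `enableTLS()` is true the host in the `https` URL changes as well, so the serving certificate needs a SAN for the namespaced name; the certificate setup is not visible in this hunk. The static `wasm_cluster` removed from the bootstrap in this commit carried the `xds_trusted_ca` validation context and the client certificate, so it is worth confirming that whatever now fetches this URL keeps the same server validation and client authentication. Get's body starts outside the hunk.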
+++ b/internal/wasm/httpserver_test.go @@ -338,7 +338,7 @@ func startLocalHTTPServer(ctx context.Context, cacheDir string, maxFailedAttempt }, CacheOptions{ CacheDir: cacheDir, - }, logger) + }, "envoy-gateway-system", logger) go s.Start(ctx) // Wait for the server to start diff --git a/internal/xds/bootstrap/bootstrap.go b/internal/xds/bootstrap/bootstrap.go index 3818dab3b7..27fc7b4a2c 100644 --- a/internal/xds/bootstrap/bootstrap.go +++ b/internal/xds/bootstrap/bootstrap.go @@ -38,10 +38,6 @@ const ( // DefaultXdsServerPort is the default listening port of the xds-server. DefaultXdsServerPort = 18000 - wasmServerHost = envoyGatewayXdsServerHost - // DefaultWasmServerPort is the default listening port of the wasm HTTP server. - wasmServerPort = 18002 - EnvoyStatsPort = 19001 EnvoyReadinessPort = 19003 @@ -68,8 +64,6 @@ type bootstrapConfig struct { type bootstrapParameters struct { // XdsServer defines the configuration of the XDS server. XdsServer serverParameters - // WasmServer defines the configuration of the Wasm HTTP server. - WasmServer serverParameters // AdminServer defines the configuration of the Envoy admin interface. AdminServer adminServerParameters // StatsServer defines the configuration for stats listener @@ -143,7 +137,6 @@ type RenderBootstrapConfigOptions struct { SdsConfig SdsConfigPath XdsServerHost *string XdsServerPort *int32 - WasmServerPort *int32 AdminServerPort *int32 StatsServerPort *int32 MaxHeapSizeBytes uint64 @@ -246,10 +239,6 @@ func GetRenderedBootstrapConfig(opts *RenderBootstrapConfigOptions) (string, err Address: envoyGatewayXdsServerHost, Port: DefaultXdsServerPort, }, - WasmServer: serverParameters{ - Address: wasmServerHost, - Port: wasmServerPort, - }, AdminServer: adminServerParameters{ Address: EnvoyAdminAddress, Port: EnvoyAdminPort, 
@@ -296,9 +285,6 @@ func GetRenderedBootstrapConfig(opts *RenderBootstrapConfigOptions) (string, err if opts.StatsServerPort != nil { cfg.parameters.StatsServer.Port = *opts.StatsServerPort } - if opts.WasmServerPort != nil { - cfg.parameters.WasmServer.Port = *opts.WasmServerPort - } if opts.IPFamily != nil { cfg.parameters.IPFamily = string(*opts.IPFamily) diff --git a/internal/xds/bootstrap/bootstrap.yaml.tpl b/internal/xds/bootstrap/bootstrap.yaml.tpl index c4bb5e4843..dafb277d96 100644 --- a/internal/xds/bootstrap/bootstrap.yaml.tpl +++ b/internal/xds/bootstrap/bootstrap.yaml.tpl 
@@ -248,62 +248,6 @@ static_resources: path_config_source: path: {{ .SdsTrustedCAPath }} resource_api_version: V3 - - name: wasm_cluster - type: STRICT_DNS - connect_timeout: 10s - load_assignment: - cluster_name: wasm_cluster - endpoints: - - load_balancing_weight: 1 - lb_endpoints: - - load_balancing_weight: 1 - endpoint: - address: - socket_address: - address: {{ .WasmServer.Address }} - port_value: {{ .WasmServer.Port }} - typed_extension_protocol_options: - envoy.extensions.upstreams.http.v3.HttpProtocolOptions: - "@type": "type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions" - explicit_http_config: - http2_protocol_options: {} - {{- if .GatewayNamespaceMode }} - http_filters: - - name: envoy.filters.http.credential_injector - typed_config: - "@type": type.googleapis.com/envoy.extensions.filters.http.credential_injector.v3.CredentialInjector - credential: - name: envoy.http.injected_credentials.generic - typed_config: - "@type": type.googleapis.com/envoy.extensions.http.injected_credentials.generic.v3.Generic - credential: - name: jwt-sa-bearer - overwrite: true - - name: envoy.extensions.filters.http.upstream_codec.v3.UpstreamCodec - typed_config: - "@type": type.googleapis.com/envoy.extensions.filters.http.upstream_codec.v3.UpstreamCodec - {{- end }} - transport_socket: - name: envoy.transport_sockets.tls - typed_config: - "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext - common_tls_context: - tls_params: - tls_maximum_protocol_version: TLSv1_3 - {{- if not .GatewayNamespaceMode }} - tls_certificate_sds_secret_configs: - - name: xds_certificate - sds_config: - path_config_source: - path: {{ .SdsCertificatePath }} - resource_api_version: V3 - {{- end }} - validation_context_sds_secret_config: - name: xds_trusted_ca - sds_config: - path_config_source: - path: {{ .SdsTrustedCAPath }} - resource_api_version: V3 {{- if .GatewayNamespaceMode }} secrets: - name: jwt-sa-bearer 
diff --git a/internal/xds/bootstrap/bootstrap_test.go b/internal/xds/bootstrap/bootstrap_test.go index 4ef244fd55..2c60748151 100644 --- a/internal/xds/bootstrap/bootstrap_test.go +++ b/internal/xds/bootstrap/bootstrap_test.go @@ -162,7 +162,6 @@ func TestGetRenderedBootstrapConfig(t *testing.T) { opts: &RenderBootstrapConfigOptions{ XdsServerHost: ptr.To("foo.bar"), XdsServerPort: ptr.To(int32(12345)), - WasmServerPort: ptr.To(int32(1111)), AdminServerPort: ptr.To(int32(2222)), StatsServerPort: ptr.To(int32(3333)), SdsConfig: sds, diff --git a/internal/xds/bootstrap/testdata/merge/default.out.yaml b/internal/xds/bootstrap/testdata/merge/default.out.yaml index 2bba2f49e6..6355da0d26 100644 --- a/internal/xds/bootstrap/testdata/merge/default.out.yaml +++ b/internal/xds/bootstrap/testdata/merge/default.out.yaml @@ -118,44 +118,6 @@ staticResources: connectionKeepalive: interval: 30s timeout: 5s - - connectTimeout: 10s - loadAssignment: - clusterName: wasm_cluster - endpoints: - - lbEndpoints: - - endpoint: - address: - socketAddress: - address: envoy-gateway - portValue: 18002 - loadBalancingWeight: 1 - loadBalancingWeight: 1 - name: wasm_cluster - transportSocket: - name: envoy.transport_sockets.tls - typedConfig: - '@type': type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext - commonTlsContext: - tlsCertificateSdsSecretConfigs: - - name: xds_certificate - sdsConfig: - pathConfigSource: - path: /sds/xds-certificate.json - resourceApiVersion: V3 - tlsParams: - tlsMaximumProtocolVersion: TLSv1_3 - validationContextSdsSecretConfig: - name: xds_trusted_ca - sdsConfig: - pathConfigSource: - path: /sds/xds-trusted-ca.json - resourceApiVersion: V3 - type: STRICT_DNS - typedExtensionProtocolOptions: - envoy.extensions.upstreams.http.v3.HttpProtocolOptions: - '@type': type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions - explicitHttpConfig: - http2ProtocolOptions: {} listeners: - address: socketAddress: 
diff --git a/internal/xds/bootstrap/testdata/merge/merge-user-bootstrap.out.yaml b/internal/xds/bootstrap/testdata/merge/merge-user-bootstrap.out.yaml index 383bd140ad..7103c7405e 100644 --- a/internal/xds/bootstrap/testdata/merge/merge-user-bootstrap.out.yaml +++ b/internal/xds/bootstrap/testdata/merge/merge-user-bootstrap.out.yaml @@ -112,44 +112,6 @@ staticResources: connectionKeepalive: interval: 30s timeout: 5s - - connectTimeout: 10s - loadAssignment: - clusterName: wasm_cluster - endpoints: - - lbEndpoints: - - endpoint: - address: - socketAddress: - address: envoy-gateway - portValue: 18002 - loadBalancingWeight: 1 - loadBalancingWeight: 1 - name: wasm_cluster - transportSocket: - name: envoy.transport_sockets.tls - typedConfig: - '@type': type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext - commonTlsContext: - tlsCertificateSdsSecretConfigs: - - name: xds_certificate - sdsConfig: - pathConfigSource: - path: /sds/xds-certificate.json - resourceApiVersion: V3 - tlsParams: - tlsMaximumProtocolVersion: TLSv1_3 - validationContextSdsSecretConfig: - name: xds_trusted_ca - sdsConfig: - pathConfigSource: - path: /sds/xds-trusted-ca.json - resourceApiVersion: V3 - type: STRICT_DNS - typedExtensionProtocolOptions: - envoy.extensions.upstreams.http.v3.HttpProtocolOptions: - '@type': type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions - explicitHttpConfig: - http2ProtocolOptions: {} - connectTimeout: 0.250s loadAssignment: clusterName: prometheus_stats diff --git a/internal/xds/bootstrap/testdata/merge/patch-global-config.out.yaml b/internal/xds/bootstrap/testdata/merge/patch-global-config.out.yaml index 2f9ebbb302..95b6513157 100644 --- a/internal/xds/bootstrap/testdata/merge/patch-global-config.out.yaml +++ b/internal/xds/bootstrap/testdata/merge/patch-global-config.out.yaml 
@@ -115,44 +115,6 @@ static_resources: connection_keepalive: interval: 30s timeout: 5s - - connect_timeout: 10s - load_assignment: - cluster_name: wasm_cluster - endpoints: - - lb_endpoints: - - endpoint: - address: - socket_address: - address: envoy-gateway - port_value: 18002 - load_balancing_weight: 1 - load_balancing_weight: 1 - name: wasm_cluster - transport_socket: - name: envoy.transport_sockets.tls - typed_config: - '@type': type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext - common_tls_context: - tls_certificate_sds_secret_configs: - - name: xds_certificate - sds_config: - path_config_source: - path: /sds/xds-certificate.json - resource_api_version: V3 - tls_params: - tls_maximum_protocol_version: TLSv1_3 - validation_context_sds_secret_config: - name: xds_trusted_ca - sds_config: - path_config_source: - path: /sds/xds-trusted-ca.json - resource_api_version: V3 - type: STRICT_DNS - typed_extension_protocol_options: - envoy.extensions.upstreams.http.v3.HttpProtocolOptions: - '@type': type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions - explicit_http_config: - http2_protocol_options: {} listeners: - address: socket_address: diff --git a/internal/xds/bootstrap/testdata/merge/stats_sinks.out.yaml b/internal/xds/bootstrap/testdata/merge/stats_sinks.out.yaml index f467f8a9d6..c9ab73ed73 100644 --- a/internal/xds/bootstrap/testdata/merge/stats_sinks.out.yaml +++ b/internal/xds/bootstrap/testdata/merge/stats_sinks.out.yaml 
@@ -112,44 +112,6 @@ staticResources: connectionKeepalive: interval: 30s timeout: 5s - - connectTimeout: 10s - loadAssignment: - clusterName: wasm_cluster - endpoints: - - lbEndpoints: - - endpoint: - address: - socketAddress: - address: envoy-gateway - portValue: 18002 - loadBalancingWeight: 1 - loadBalancingWeight: 1 - name: wasm_cluster - transportSocket: - name: envoy.transport_sockets.tls - typedConfig: - '@type': type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext - commonTlsContext: - tlsCertificateSdsSecretConfigs: - - name: xds_certificate - sdsConfig: - pathConfigSource: - path: /sds/xds-certificate.json - resourceApiVersion: V3 - tlsParams: - tlsMaximumProtocolVersion: TLSv1_3 - validationContextSdsSecretConfig: - name: xds_trusted_ca - sdsConfig: - pathConfigSource: - path: /sds/xds-trusted-ca.json - resourceApiVersion: V3 - type: STRICT_DNS - typedExtensionProtocolOptions: - envoy.extensions.upstreams.http.v3.HttpProtocolOptions: - '@type': type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions - explicitHttpConfig: - http2ProtocolOptions: {} - connectTimeout: 1s dnsLookupFamily: V4_ONLY dnsRefreshRate: 30s diff --git a/internal/xds/bootstrap/testdata/render/custom-server-port.yaml b/internal/xds/bootstrap/testdata/render/custom-server-port.yaml index 79b64b4725..ab036892ea 100644 --- a/internal/xds/bootstrap/testdata/render/custom-server-port.yaml +++ b/internal/xds/bootstrap/testdata/render/custom-server-port.yaml 
@@ -141,44 +141,6 @@ static_resources: path_config_source: path: /sds/xds-trusted-ca.json resource_api_version: V3 - - name: wasm_cluster - type: STRICT_DNS - connect_timeout: 10s - load_assignment: - cluster_name: wasm_cluster - endpoints: - - load_balancing_weight: 1 - lb_endpoints: - - load_balancing_weight: 1 - endpoint: - address: - socket_address: - address: envoy-gateway - port_value: 1111 - typed_extension_protocol_options: - envoy.extensions.upstreams.http.v3.HttpProtocolOptions: - "@type": "type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions" - explicit_http_config: - http2_protocol_options: {} - transport_socket: - name: envoy.transport_sockets.tls - typed_config: - "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext - common_tls_context: - tls_params: - tls_maximum_protocol_version: TLSv1_3 - tls_certificate_sds_secret_configs: - - name: xds_certificate - sds_config: - path_config_source: - path: /sds/xds-certificate.json - resource_api_version: V3 - validation_context_sds_secret_config: - name: xds_trusted_ca - sds_config: - path_config_source: - path: /sds/xds-trusted-ca.json - resource_api_version: V3 overload_manager: refresh_interval: 0.25s resource_monitors: diff --git a/internal/xds/bootstrap/testdata/render/custom-stats-matcher.yaml b/internal/xds/bootstrap/testdata/render/custom-stats-matcher.yaml index 93f4c1a8c4..525ad200a3 100644 --- a/internal/xds/bootstrap/testdata/render/custom-stats-matcher.yaml +++ b/internal/xds/bootstrap/testdata/render/custom-stats-matcher.yaml 
@@ -152,44 +152,6 @@ static_resources: path_config_source: path: /sds/xds-trusted-ca.json resource_api_version: V3 - - name: wasm_cluster - type: STRICT_DNS - connect_timeout: 10s - load_assignment: - cluster_name: wasm_cluster - endpoints: - - load_balancing_weight: 1 - lb_endpoints: - - load_balancing_weight: 1 - endpoint: - address: - socket_address: - address: envoy-gateway - port_value: 18002 - typed_extension_protocol_options: - envoy.extensions.upstreams.http.v3.HttpProtocolOptions: - "@type": "type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions" - explicit_http_config: - http2_protocol_options: {} - transport_socket: - name: envoy.transport_sockets.tls - typed_config: - "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext - common_tls_context: - tls_params: - tls_maximum_protocol_version: TLSv1_3 - tls_certificate_sds_secret_configs: - - name: xds_certificate - sds_config: - path_config_source: - path: /sds/xds-certificate.json - resource_api_version: V3 - validation_context_sds_secret_config: - name: xds_trusted_ca - sds_config: - path_config_source: - path: /sds/xds-trusted-ca.json - resource_api_version: V3 overload_manager: refresh_interval: 0.25s resource_monitors: diff --git a/internal/xds/bootstrap/testdata/render/disable-prometheus.yaml b/internal/xds/bootstrap/testdata/render/disable-prometheus.yaml index 937296ef3a..0ae906b711 100644 --- a/internal/xds/bootstrap/testdata/render/disable-prometheus.yaml +++ b/internal/xds/bootstrap/testdata/render/disable-prometheus.yaml 
@@ -94,44 +94,6 @@ static_resources: path_config_source: path: /sds/xds-trusted-ca.json resource_api_version: V3 - - name: wasm_cluster - type: STRICT_DNS - connect_timeout: 10s - load_assignment: - cluster_name: wasm_cluster - endpoints: - - load_balancing_weight: 1 - lb_endpoints: - - load_balancing_weight: 1 - endpoint: - address: - socket_address: - address: envoy-gateway - port_value: 18002 - typed_extension_protocol_options: - envoy.extensions.upstreams.http.v3.HttpProtocolOptions: - "@type": "type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions" - explicit_http_config: - http2_protocol_options: {} - transport_socket: - name: envoy.transport_sockets.tls - typed_config: - "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext - common_tls_context: - tls_params: - tls_maximum_protocol_version: TLSv1_3 - tls_certificate_sds_secret_configs: - - name: xds_certificate - sds_config: - path_config_source: - path: /sds/xds-certificate.json - resource_api_version: V3 - validation_context_sds_secret_config: - name: xds_trusted_ca - sds_config: - path_config_source: - path: /sds/xds-trusted-ca.json - resource_api_version: V3 overload_manager: refresh_interval: 0.25s resource_monitors: diff --git a/internal/xds/bootstrap/testdata/render/enable-prometheus-brotli-compression.yaml b/internal/xds/bootstrap/testdata/render/enable-prometheus-brotli-compression.yaml index 652d532c9f..0866561b9c 100644 --- a/internal/xds/bootstrap/testdata/render/enable-prometheus-brotli-compression.yaml +++ b/internal/xds/bootstrap/testdata/render/enable-prometheus-brotli-compression.yaml 
@@ -157,44 +157,6 @@ static_resources: path_config_source: path: /sds/xds-trusted-ca.json resource_api_version: V3 - - name: wasm_cluster - type: STRICT_DNS - connect_timeout: 10s - load_assignment: - cluster_name: wasm_cluster - endpoints: - - load_balancing_weight: 1 - lb_endpoints: - - load_balancing_weight: 1 - endpoint: - address: - socket_address: - address: envoy-gateway - port_value: 18002 - typed_extension_protocol_options: - envoy.extensions.upstreams.http.v3.HttpProtocolOptions: - "@type": "type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions" - explicit_http_config: - http2_protocol_options: {} - transport_socket: - name: envoy.transport_sockets.tls - typed_config: - "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext - common_tls_context: - tls_params: - tls_maximum_protocol_version: TLSv1_3 - tls_certificate_sds_secret_configs: - - name: xds_certificate - sds_config: - path_config_source: - path: /sds/xds-certificate.json - resource_api_version: V3 - validation_context_sds_secret_config: - name: xds_trusted_ca - sds_config: - path_config_source: - path: /sds/xds-trusted-ca.json - resource_api_version: V3 overload_manager: refresh_interval: 0.25s resource_monitors: diff --git a/internal/xds/bootstrap/testdata/render/enable-prometheus-gzip-compression.yaml b/internal/xds/bootstrap/testdata/render/enable-prometheus-gzip-compression.yaml index 66c8d04049..00c0230d69 100644 --- a/internal/xds/bootstrap/testdata/render/enable-prometheus-gzip-compression.yaml +++ b/internal/xds/bootstrap/testdata/render/enable-prometheus-gzip-compression.yaml 
@@ -157,44 +157,6 @@ static_resources: path_config_source: path: /sds/xds-trusted-ca.json resource_api_version: V3 - - name: wasm_cluster - type: STRICT_DNS - connect_timeout: 10s - load_assignment: - cluster_name: wasm_cluster - endpoints: - - load_balancing_weight: 1 - lb_endpoints: - - load_balancing_weight: 1 - endpoint: - address: - socket_address: - address: envoy-gateway - port_value: 18002 - typed_extension_protocol_options: - envoy.extensions.upstreams.http.v3.HttpProtocolOptions: - "@type": "type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions" - explicit_http_config: - http2_protocol_options: {} - transport_socket: - name: envoy.transport_sockets.tls - typed_config: - "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext - common_tls_context: - tls_params: - tls_maximum_protocol_version: TLSv1_3 - tls_certificate_sds_secret_configs: - - name: xds_certificate - sds_config: - path_config_source: - path: /sds/xds-certificate.json - resource_api_version: V3 - validation_context_sds_secret_config: - name: xds_trusted_ca - sds_config: - path_config_source: - path: /sds/xds-trusted-ca.json - resource_api_version: V3 overload_manager: refresh_interval: 0.25s resource_monitors: diff --git a/internal/xds/bootstrap/testdata/render/enable-prometheus.yaml b/internal/xds/bootstrap/testdata/render/enable-prometheus.yaml index 05aae78543..b32ad36fe1 100644 --- a/internal/xds/bootstrap/testdata/render/enable-prometheus.yaml +++ b/internal/xds/bootstrap/testdata/render/enable-prometheus.yaml 
@@ -141,44 +141,6 @@ static_resources: path_config_source: path: /sds/xds-trusted-ca.json resource_api_version: V3 - - name: wasm_cluster - type: STRICT_DNS - connect_timeout: 10s - load_assignment: - cluster_name: wasm_cluster - endpoints: - - load_balancing_weight: 1 - lb_endpoints: - - load_balancing_weight: 1 - endpoint: - address: - socket_address: - address: envoy-gateway - port_value: 18002 - typed_extension_protocol_options: - envoy.extensions.upstreams.http.v3.HttpProtocolOptions: - "@type": "type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions" - explicit_http_config: - http2_protocol_options: {} - transport_socket: - name: envoy.transport_sockets.tls - typed_config: - "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext - common_tls_context: - tls_params: - tls_maximum_protocol_version: TLSv1_3 - tls_certificate_sds_secret_configs: - - name: xds_certificate - sds_config: - path_config_source: - path: /sds/xds-certificate.json - resource_api_version: V3 - validation_context_sds_secret_config: - name: xds_trusted_ca - sds_config: - path_config_source: - path: /sds/xds-trusted-ca.json - resource_api_version: V3 overload_manager: refresh_interval: 0.25s resource_monitors: diff --git a/internal/xds/bootstrap/testdata/render/ipv6.yaml b/internal/xds/bootstrap/testdata/render/ipv6.yaml index 90fa14380b..436710a883 100644 --- a/internal/xds/bootstrap/testdata/render/ipv6.yaml +++ b/internal/xds/bootstrap/testdata/render/ipv6.yaml 
@@ -142,44 +142,6 @@ static_resources: path_config_source: path: /sds/xds-trusted-ca.json resource_api_version: V3 - - name: wasm_cluster - type: STRICT_DNS - connect_timeout: 10s - load_assignment: - cluster_name: wasm_cluster - endpoints: - - load_balancing_weight: 1 - lb_endpoints: - - load_balancing_weight: 1 - endpoint: - address: - socket_address: - address: envoy-gateway - port_value: 18002 - typed_extension_protocol_options: - envoy.extensions.upstreams.http.v3.HttpProtocolOptions: - "@type": "type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions" - explicit_http_config: - http2_protocol_options: {} - transport_socket: - name: envoy.transport_sockets.tls - typed_config: - "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext - common_tls_context: - tls_params: - tls_maximum_protocol_version: TLSv1_3 - tls_certificate_sds_secret_configs: - - name: xds_certificate - sds_config: - path_config_source: - path: /sds/xds-certificate.json - resource_api_version: V3 - validation_context_sds_secret_config: - name: xds_trusted_ca - sds_config: - path_config_source: - path: /sds/xds-trusted-ca.json - resource_api_version: V3 overload_manager: refresh_interval: 0.25s resource_monitors: diff --git a/internal/xds/bootstrap/testdata/render/otel-metrics-backendref.yaml b/internal/xds/bootstrap/testdata/render/otel-metrics-backendref.yaml index de2379c1fd..dcd84799bf 100644 --- a/internal/xds/bootstrap/testdata/render/otel-metrics-backendref.yaml +++ b/internal/xds/bootstrap/testdata/render/otel-metrics-backendref.yaml 
@@ -119,44 +119,6 @@ static_resources: path_config_source: path: /sds/xds-trusted-ca.json resource_api_version: V3 - - name: wasm_cluster - type: STRICT_DNS - connect_timeout: 10s - load_assignment: - cluster_name: wasm_cluster - endpoints: - - load_balancing_weight: 1 - lb_endpoints: - - load_balancing_weight: 1 - endpoint: - address: - socket_address: - address: envoy-gateway - port_value: 18002 - typed_extension_protocol_options: - envoy.extensions.upstreams.http.v3.HttpProtocolOptions: - "@type": "type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions" - explicit_http_config: - http2_protocol_options: {} - transport_socket: - name: envoy.transport_sockets.tls - typed_config: - "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext - common_tls_context: - tls_params: - tls_maximum_protocol_version: TLSv1_3 - tls_certificate_sds_secret_configs: - - name: xds_certificate - sds_config: - path_config_source: - path: /sds/xds-certificate.json - resource_api_version: V3 - validation_context_sds_secret_config: - name: xds_trusted_ca - sds_config: - path_config_source: - path: /sds/xds-trusted-ca.json - resource_api_version: V3 overload_manager: refresh_interval: 0.25s resource_monitors: diff --git a/internal/xds/bootstrap/testdata/render/otel-metrics.yaml b/internal/xds/bootstrap/testdata/render/otel-metrics.yaml index de2379c1fd..dcd84799bf 100644 --- a/internal/xds/bootstrap/testdata/render/otel-metrics.yaml +++ b/internal/xds/bootstrap/testdata/render/otel-metrics.yaml 
@@ -119,44 +119,6 @@ static_resources: path_config_source: path: /sds/xds-trusted-ca.json resource_api_version: V3 - - name: wasm_cluster - type: STRICT_DNS - connect_timeout: 10s - load_assignment: - cluster_name: wasm_cluster - endpoints: - - load_balancing_weight: 1 - lb_endpoints: - - load_balancing_weight: 1 - endpoint: - address: - socket_address: - address: envoy-gateway - port_value: 18002 - typed_extension_protocol_options: - envoy.extensions.upstreams.http.v3.HttpProtocolOptions: - "@type": "type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions" - explicit_http_config: - http2_protocol_options: {} - transport_socket: - name: envoy.transport_sockets.tls - typed_config: - "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext - common_tls_context: - tls_params: - tls_maximum_protocol_version: TLSv1_3 - tls_certificate_sds_secret_configs: - - name: xds_certificate - sds_config: - path_config_source: - path: /sds/xds-certificate.json - resource_api_version: V3 - validation_context_sds_secret_config: - name: xds_trusted_ca - sds_config: - path_config_source: - path: /sds/xds-trusted-ca.json - resource_api_version: V3 overload_manager: refresh_interval: 0.25s resource_monitors: diff --git a/internal/xds/bootstrap/testdata/render/with-max-heap-size-bytes.yaml b/internal/xds/bootstrap/testdata/render/with-max-heap-size-bytes.yaml index de27984f32..26e54e4e7a 100644 --- a/internal/xds/bootstrap/testdata/render/with-max-heap-size-bytes.yaml +++ b/internal/xds/bootstrap/testdata/render/with-max-heap-size-bytes.yaml 
@@ -141,44 +141,6 @@ static_resources: path_config_source: path: /sds/xds-trusted-ca.json resource_api_version: V3 - - name: wasm_cluster - type: STRICT_DNS - connect_timeout: 10s - load_assignment: - cluster_name: wasm_cluster - endpoints: - - load_balancing_weight: 1 - lb_endpoints: - - load_balancing_weight: 1 - endpoint: - address: - socket_address: - address: envoy-gateway - port_value: 18002 - typed_extension_protocol_options: - envoy.extensions.upstreams.http.v3.HttpProtocolOptions: - "@type": "type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions" - explicit_http_config: - http2_protocol_options: {} - transport_socket: - name: envoy.transport_sockets.tls - typed_config: - "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext - common_tls_context: - tls_params: - tls_maximum_protocol_version: TLSv1_3 - tls_certificate_sds_secret_configs: - - name: xds_certificate - sds_config: - path_config_source: - path: /sds/xds-certificate.json - resource_api_version: V3 - validation_context_sds_secret_config: - name: xds_trusted_ca - sds_config: - path_config_source: - path: /sds/xds-trusted-ca.json - resource_api_version: V3 overload_manager: refresh_interval: 0.25s resource_monitors: diff --git a/internal/xds/translator/globalresources.go b/internal/xds/translator/globalresources.go index bb4f7ce9ec..0cb59c5f41 100644 --- a/internal/xds/translator/globalresources.go +++ b/internal/xds/translator/globalresources.go @@ -7,6 +7,7 @@ package translator import ( "errors" + "fmt" corev3 "github.com/envoyproxy/go-control-plane/envoy/config/core/v3" tlsv3 "github.com/envoyproxy/go-control-plane/envoy/extensions/transport_sockets/tls/v3" 
@@ -22,6 +23,9 @@ import ( const ( // rateLimitClientTLSCACertFilename is the ratelimit ca cert file. rateLimitClientTLSCACertFilename = "/certs/ca.crt" + wasmHTTPServiceClusterName = "wasm_cluster" + wasmHTTPServiceHost = "envoy-gateway" + wasmHTTPServicePort = 18002 ) // patchGlobalResources builds and appends the global resources that are shared across listeners and routes. @@ -40,6 +44,12 @@ func (t *Translator) patchGlobalResources(tCtx *types.ResourceVersionTable, irXd errs = errors.Join(errs, err) } } + + if containsWasm(irXds.HTTP) { + if err := t.createWasmHTTPServiceCluster(tCtx, irXds.GlobalResources.EnvoyClientCertificate, irXds.Metrics); err != nil { + errs = errors.Join(errs, err) + } + } } return errs } @@ -77,7 +87,7 @@ func (t *Translator) createRateLimitServiceCluster(tCtx *types.ResourceVersionTa Name: destinationSettingName(clusterName), } - tSocket, err := buildRateLimitTLSocket(envoyClientCertificate) + tSocket, err := buildEnvoyClientTLSSocket(envoyClientCertificate) if err != nil { return err } @@ -91,10 +101,13 @@ func (t *Translator) createRateLimitServiceCluster(tCtx *types.ResourceVersionTa }) } -// buildRateLimitTLSocket builds the TLS socket for the rate limit service. -func buildRateLimitTLSocket(envoyClientCertificate *ir.TLSCertificate) (*corev3.TransportSocket, error) { +// buildEnvoyClientTLSSocket builds the TLS socket for Envoy to connect to the control plane components. +func buildEnvoyClientTLSSocket(envoyClientCertificate *ir.TLSCertificate) (*corev3.TransportSocket, error) { tlsCtx := &tlsv3.UpstreamTlsContext{ CommonTlsContext: &tlsv3.CommonTlsContext{ + TlsParams: &tlsv3.TlsParameters{ + TlsMaximumProtocolVersion: tlsv3.TlsParameters_TLSv1_3, + }, ValidationContextType: &tlsv3.CommonTlsContext_ValidationContext{ ValidationContext: &tlsv3.CertificateValidationContext{ TrustedCa: &corev3.DataSource{ 
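Review bot: The three new constants `wasmHTTPServiceClusterName`, `wasmHTTPServiceHost` and `wasmHTTPServicePort` carry no comments, unlike `rateLimitClientTLSCACertFilename` above them, and the port that used to be overridable through `RenderBootstrapConfigOptions.WasmServerPort` is now fixed here. The host and port presumably have to agree with whatever builds the `servingURL` (the `wasm.yaml` fixture shows `envoy-gateway.envoy-gateway-system.svc.cluster.local:18002`), so I would state that next to them, e.g. `// wasmHTTPServiceHost and wasmHTTPServicePort must match the address the Wasm HTTP server listens on and the host used in servingURL.` If that address is already defined elsewhere in the repository, referencing the same constant would avoid drift.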
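Review bot: The `TlsParams` added to `buildEnvoyClientTLSSocket` set only `TlsMaximumProtocolVersion`, which caps the negotiated version but leaves the floor at Envoy's default, so these control-plane connections are not pinned to TLS 1.3. If every endpoint this helper now serves (the rate limit service and the Wasm HTTP server) supports TLS 1.3, adding `TlsMinimumProtocolVersion: tlsv3.TlsParameters_TLSv1_3,` would make the intent explicit; otherwise a one-line comment on why only the maximum is set would help. Because the helper is shared after the rename, this also changes the rate limit cluster's TLS settings, as the updated `ratelimit-*.clusters.yaml` fixtures show. The function body continues past the end of this hunk.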
@@ -123,3 +136,41 @@ func buildRateLimitTLSocket(envoyClientCertificate *ir.TLSCertificate) (*corev3. }, }, nil } + +func containsWasm(httpListeners []*ir.HTTPListener) bool { + for _, httpListener := range httpListeners { + for _, route := range httpListener.Routes { + if route.EnvoyExtensions != nil && + len(route.EnvoyExtensions.Wasms) > 0 { + return true + } + } + } + return false +} + +func (t *Translator) createWasmHTTPServiceCluster(tCtx *types.ResourceVersionTable, envoyClientCertificate *ir.TLSCertificate, metrics *ir.Metrics) error { + ds := &ir.DestinationSetting{ + Weight: ptr.To[uint32](1), + Protocol: ir.GRPC, + Endpoints: []*ir.DestinationEndpoint{ir.NewDestEndpoint(wasmHTTPServiceFQDN(t.ControllerNamespace), wasmHTTPServicePort, false, nil)}, + Name: destinationSettingName(wasmHTTPServiceClusterName), + } + + tSocket, err := buildEnvoyClientTLSSocket(envoyClientCertificate) + if err != nil { + return err + } + + return addXdsCluster(tCtx, &xdsClusterArgs{ + name: wasmHTTPServiceClusterName, + settings: []*ir.DestinationSetting{ds}, + tSocket: tSocket, + endpointType: EndpointTypeDNS, + metrics: metrics, + }) +} + +func wasmHTTPServiceFQDN(controllerNamespace string) string { + return fmt.Sprintf("%s.%s.svc.cluster.local", wasmHTTPServiceHost, controllerNamespace) +} diff --git a/internal/xds/translator/runner/runner.go b/internal/xds/translator/runner/runner.go index 6348b6a934..3d4832168c 100644 --- a/internal/xds/translator/runner/runner.go +++ b/internal/xds/translator/runner/runner.go @@ -67,8 +67,9 @@ func (r *Runner) subscribeAndTranslate(sub <-chan watchable.Snapshot[string, *ir } else { // Translate to xds resources t := &translator.Translator{ - FilterOrder: val.FilterOrder, - Logger: r.Logger, + ControllerNamespace: r.ControllerNamespace, + FilterOrder: val.FilterOrder, + Logger: r.Logger, } // Set the extension manager if an extension is loaded 
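Review bot: `createWasmHTTPServiceCluster` always builds the transport socket from `envoyClientCertificate` and passes no HTTP filters, whereas the `wasm_cluster` removed from `bootstrap.yaml.tpl` branched on `.GatewayNamespaceMode`, dropping the client certificate and adding the `credential_injector` filter with the `jwt-sa-bearer` secret. Unless `addXdsCluster` or code outside this hunk restores that branch, proxies in gateway namespace mode would present different credentials to the Wasm HTTP server than before, so a translator test for that mode is worth adding, along with a doc comment such as `// createWasmHTTPServiceCluster adds the wasm_cluster used to fetch Wasm modules from Envoy Gateway; it authenticates with the Envoy client certificate only.` Separately, `wasmHTTPServiceFQDN` hard-codes the `svc.cluster.local` suffix, which will not resolve on clusters configured with a different DNS domain; taking the suffix from configuration would avoid that. `Protocol: ir.GRPC` on an HTTP file server presumably exists to force HTTP/2, as the old cluster did with `http2_protocol_options`, and a short comment saying so would keep it from being changed later by mistake.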
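Review bot: `ControllerNamespace: r.ControllerNamespace` is now an input to a DNS name, since `wasmHTTPServiceFQDN` in globalresources.go formats it straight into the cluster endpoint host, and nothing visible checks that it is set. An empty value would yield `envoy-gateway..svc.cluster.local` and a cluster that never resolves, which would surface only when a proxy tries to fetch a Wasm module; any other code that constructs `translator.Translator` (not visible here) needs the field as well. A guard at the top of `createWasmHTTPServiceCluster`, e.g. `if t.ControllerNamespace == "" { return errors.New("controller namespace is required to build the wasm cluster") }`, would turn that into a translation error. The enclosing function starts and ends outside this hunk.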
diff --git a/internal/xds/translator/testdata/in/xds-ir/wasm.yaml b/internal/xds/translator/testdata/in/xds-ir/wasm.yaml index ddc2dcd8be..b1158ba654 100644 --- a/internal/xds/translator/testdata/in/xds-ir/wasm.yaml +++ b/internal/xds/translator/testdata/in/xds-ir/wasm.yaml @@ -1,3 +1,8 @@ +globalResources: + envoyClientCertificate: + name: envoy-gateway-system/envoy + privateKey: [107, 101, 121, 45, 100, 97, 116, 97] + serverCertificate: [99, 101, 114, 116, 45, 100, 97, 116, 97] http: - address: 0.0.0.0 hostnames: @@ -67,7 +72,7 @@ http: parameter2: value3 failOpen: false httpWasmCode: - servingURL: https://envoy-gateway:18002/5c90b9a82642ce00a7753923fabead306b9d9a54a7c0bd2463a1af3efcfb110b.wasm + servingURL: https://envoy-gateway.envoy-gateway-system.svc.cluster.local:18002/5c90b9a82642ce00a7753923fabead306b9d9a54a7c0bd2463a1af3efcfb110b.wasm originalDownloadingURL: https://www.example.com/wasm-filter-1.wasm sha256: 746df05c8f3a0b07a46c0967cfbc5cbe5b9d48d0f79b6177eeedf8be6c8b34b5 name: envoyextensionpolicy/envoy-gateway/policy-for-gateway/wasm/0 @@ -77,7 +82,7 @@ http: parameter2: value2 failOpen: false httpWasmCode: - servingURL: https://envoy-gateway:18002/7abf116e5cd5a20389604a5ba0f3bd04fdf76f92181fe67506b42c2ee596d3fd.wasm + servingURL: https://envoy-gateway.envoy-gateway-system.svc.cluster.local:18002/7abf116e5cd5a20389604a5ba0f3bd04fdf76f92181fe67506b42c2ee596d3fd.wasm originalDownloadingURL: oci://www.example.com/wasm-filter-2:v1.0.0 sha256: 314100af781b98a8ca175d5bf90a8bf76576e20a2f397a88223404edc6ebfd46 name: envoyextensionpolicy/envoy-gateway/policy-for-gateway/wasm/1 
@@ -86,7 +91,7 @@ http: - config: null failOpen: false httpWasmCode: - servingURL: https://envoy-gateway:18002/42d30b4a4cc631415e6e48c02d244700da327201eb273f752cacf745715b31d9.wasm + servingURL: https://envoy-gateway.envoy-gateway-system.svc.cluster.local:18002/42d30b4a4cc631415e6e48c02d244700da327201eb273f752cacf745715b31d9.wasm originalDownloadingURL: oci://www.example.com:8080/wasm-filter-3:latest sha256: 2a19e4f337e5223d7287e7fccd933fb01905deaff804292e5257f8c681b82bee name: envoyextensionpolicy/envoy-gateway/policy-for-gateway/wasm/2 diff --git a/internal/xds/translator/testdata/out/xds-ir/jwt-ratelimit.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/jwt-ratelimit.clusters.yaml index 65926cf2e6..281cd662bf 100644 --- a/internal/xds/translator/testdata/out/xds-ir/jwt-ratelimit.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/jwt-ratelimit.clusters.yaml @@ -110,6 +110,8 @@ sdsConfig: ads: {} resourceApiVersion: V3 + tlsParams: + tlsMaximumProtocolVersion: TLSv1_3 validationContext: trustedCa: filename: /certs/ca.crt diff --git a/internal/xds/translator/testdata/out/xds-ir/ratelimit-custom-domain.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/ratelimit-custom-domain.clusters.yaml index 604afcec0c..64f2811448 100644 --- a/internal/xds/translator/testdata/out/xds-ir/ratelimit-custom-domain.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/ratelimit-custom-domain.clusters.yaml @@ -84,6 +84,8 @@ sdsConfig: ads: {} resourceApiVersion: V3 + tlsParams: + tlsMaximumProtocolVersion: TLSv1_3 validationContext: trustedCa: filename: /certs/ca.crt diff --git a/internal/xds/translator/testdata/out/xds-ir/ratelimit-disable-headers.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/ratelimit-disable-headers.clusters.yaml index 2011d47d3b..cc53cfb4b4 100644 --- a/internal/xds/translator/testdata/out/xds-ir/ratelimit-disable-headers.clusters.yaml 
+++ b/internal/xds/translator/testdata/out/xds-ir/ratelimit-disable-headers.clusters.yaml @@ -84,6 +84,8 @@ sdsConfig: ads: {} resourceApiVersion: V3 + tlsParams: + tlsMaximumProtocolVersion: TLSv1_3 validationContext: trustedCa: filename: /certs/ca.crt diff --git a/internal/xds/translator/testdata/out/xds-ir/ratelimit-endpoint-stats.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/ratelimit-endpoint-stats.clusters.yaml index 581dd8f8b5..6fc0376cbf 100644 --- a/internal/xds/translator/testdata/out/xds-ir/ratelimit-endpoint-stats.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/ratelimit-endpoint-stats.clusters.yaml @@ -92,6 +92,8 @@ sdsConfig: ads: {} resourceApiVersion: V3 + tlsParams: + tlsMaximumProtocolVersion: TLSv1_3 validationContext: trustedCa: filename: /certs/ca.crt diff --git a/internal/xds/translator/testdata/out/xds-ir/ratelimit-global-shared.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/ratelimit-global-shared.clusters.yaml index 05aa374a64..eda9440ea0 100644 --- a/internal/xds/translator/testdata/out/xds-ir/ratelimit-global-shared.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/ratelimit-global-shared.clusters.yaml @@ -111,6 +111,8 @@ sdsConfig: ads: {} resourceApiVersion: V3 + tlsParams: + tlsMaximumProtocolVersion: TLSv1_3 validationContext: trustedCa: filename: /certs/ca.crt diff --git a/internal/xds/translator/testdata/out/xds-ir/ratelimit-headers-and-cidr.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/ratelimit-headers-and-cidr.clusters.yaml index 2011d47d3b..cc53cfb4b4 100644 --- a/internal/xds/translator/testdata/out/xds-ir/ratelimit-headers-and-cidr.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/ratelimit-headers-and-cidr.clusters.yaml @@ -84,6 +84,8 @@ sdsConfig: ads: {} resourceApiVersion: V3 + tlsParams: + tlsMaximumProtocolVersion: TLSv1_3 validationContext: trustedCa: filename: /certs/ca.crt 
diff --git a/internal/xds/translator/testdata/out/xds-ir/ratelimit-multi-global-shared.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/ratelimit-multi-global-shared.clusters.yaml index 581dd8f8b5..6fc0376cbf 100644 --- a/internal/xds/translator/testdata/out/xds-ir/ratelimit-multi-global-shared.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/ratelimit-multi-global-shared.clusters.yaml @@ -92,6 +92,8 @@ sdsConfig: ads: {} resourceApiVersion: V3 + tlsParams: + tlsMaximumProtocolVersion: TLSv1_3 validationContext: trustedCa: filename: /certs/ca.crt diff --git a/internal/xds/translator/testdata/out/xds-ir/ratelimit-sourceip.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/ratelimit-sourceip.clusters.yaml index 4f2b44ba81..c8ebe9beb6 100644 --- a/internal/xds/translator/testdata/out/xds-ir/ratelimit-sourceip.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/ratelimit-sourceip.clusters.yaml @@ -101,6 +101,8 @@ sdsConfig: ads: {} resourceApiVersion: V3 + tlsParams: + tlsMaximumProtocolVersion: TLSv1_3 validationContext: trustedCa: filename: /certs/ca.crt diff --git a/internal/xds/translator/testdata/out/xds-ir/ratelimit.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/ratelimit.clusters.yaml index 4f2b44ba81..c8ebe9beb6 100644 --- a/internal/xds/translator/testdata/out/xds-ir/ratelimit.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/ratelimit.clusters.yaml @@ -101,6 +101,8 @@ sdsConfig: ads: {} resourceApiVersion: V3 + tlsParams: + tlsMaximumProtocolVersion: TLSv1_3 validationContext: trustedCa: filename: /certs/ca.crt diff --git a/internal/xds/translator/testdata/out/xds-ir/wasm.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/wasm.clusters.yaml index ba27dfd9d2..013fb88341 100755 --- a/internal/xds/translator/testdata/out/xds-ir/wasm.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/wasm.clusters.yaml 
@@ -32,3 +32,51 @@ name: httproute/default/httproute-2/rule/0 perConnectionBufferLimitBytes: 32768 type: EDS +- circuitBreakers: + thresholds: + - maxRetries: 1024 + commonLbConfig: + localityWeightedLbConfig: {} + connectTimeout: 10s + dnsLookupFamily: V4_PREFERRED + dnsRefreshRate: 30s + lbPolicy: LEAST_REQUEST + loadAssignment: + clusterName: wasm_cluster + endpoints: + - lbEndpoints: + - endpoint: + address: + socketAddress: + address: envoy-gateway.envoy-gateway-system.svc.cluster.local + portValue: 18002 + loadBalancingWeight: 1 + loadBalancingWeight: 1 + locality: + region: wasm_cluster/backend/-1 + name: wasm_cluster + perConnectionBufferLimitBytes: 32768 + respectDnsTtl: true + transportSocket: + name: envoy.transport_sockets.tls + typedConfig: + '@type': type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext + commonTlsContext: + tlsCertificateSdsSecretConfigs: + - name: envoy-gateway-system/envoy + sdsConfig: + ads: {} + resourceApiVersion: V3 + tlsParams: + tlsMaximumProtocolVersion: TLSv1_3 + validationContext: + trustedCa: + filename: /certs/ca.crt + type: STRICT_DNS + typedExtensionProtocolOptions: + envoy.extensions.upstreams.http.v3.HttpProtocolOptions: + '@type': type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions + explicitHttpConfig: + http2ProtocolOptions: + initialConnectionWindowSize: 1048576 + initialStreamWindowSize: 65536 diff --git a/internal/xds/translator/testdata/out/xds-ir/wasm.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/wasm.listeners.yaml index e3a679d1ae..62f562343a 100755 --- a/internal/xds/translator/testdata/out/xds-ir/wasm.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/wasm.listeners.yaml 
@@ -49,7 +49,7 @@ httpUri: cluster: wasm_cluster timeout: 10s - uri: https://envoy-gateway:18002/5c90b9a82642ce00a7753923fabead306b9d9a54a7c0bd2463a1af3efcfb110b.wasm + uri: https://envoy-gateway.envoy-gateway-system.svc.cluster.local:18002/5c90b9a82642ce00a7753923fabead306b9d9a54a7c0bd2463a1af3efcfb110b.wasm sha256: 746df05c8f3a0b07a46c0967cfbc5cbe5b9d48d0f79b6177eeedf8be6c8b34b5 runtime: envoy.wasm.runtime.v8 vmId: envoyextensionpolicy/envoy-gateway/policy-for-gateway/wasm/0 @@ -69,7 +69,7 @@ httpUri: cluster: wasm_cluster timeout: 10s - uri: https://envoy-gateway:18002/7abf116e5cd5a20389604a5ba0f3bd04fdf76f92181fe67506b42c2ee596d3fd.wasm + uri: https://envoy-gateway.envoy-gateway-system.svc.cluster.local:18002/7abf116e5cd5a20389604a5ba0f3bd04fdf76f92181fe67506b42c2ee596d3fd.wasm sha256: 314100af781b98a8ca175d5bf90a8bf76576e20a2f397a88223404edc6ebfd46 runtime: envoy.wasm.runtime.v8 vmId: envoyextensionpolicy/envoy-gateway/policy-for-gateway/wasm/1 @@ -88,7 +88,7 @@ httpUri: cluster: wasm_cluster timeout: 10s - uri: https://envoy-gateway:18002/42d30b4a4cc631415e6e48c02d244700da327201eb273f752cacf745715b31d9.wasm + uri: https://envoy-gateway.envoy-gateway-system.svc.cluster.local:18002/42d30b4a4cc631415e6e48c02d244700da327201eb273f752cacf745715b31d9.wasm sha256: 2a19e4f337e5223d7287e7fccd933fb01905deaff804292e5257f8c681b82bee environmentVariables: hostEnvKeys: diff --git a/internal/xds/translator/testdata/out/xds-ir/wasm.secrets.yaml b/internal/xds/translator/testdata/out/xds-ir/wasm.secrets.yaml new file mode 100644 index 0000000000..fb08915118 --- /dev/null +++ b/internal/xds/translator/testdata/out/xds-ir/wasm.secrets.yaml @@ -0,0 +1,6 @@ +- name: envoy-gateway-system/envoy + tlsCertificate: + certificateChain: + inlineBytes: Y2VydC1kYXRh + privateKey: + inlineBytes: a2V5LWRhdGE= diff --git a/internal/xds/translator/translator.go b/internal/xds/translator/translator.go index 7b23f358d0..a737fe50ff 100644 --- a/internal/xds/translator/translator.go 
+++ b/internal/xds/translator/translator.go @@ -44,6 +44,9 @@ const ( // Translator translates the xDS IR into xDS resources. type Translator struct { + // ControllerNamespace is the namespace of the Gateway API controller + ControllerNamespace string + // GlobalRateLimit holds the global rate limit settings // required during xds translation. GlobalRateLimit *GlobalRateLimitSettings diff --git a/internal/xds/translator/translator_test.go b/internal/xds/translator/translator_test.go index 5aefb9b37f..1ddd3d5ad2 100644 --- a/internal/xds/translator/translator_test.go +++ b/internal/xds/translator/translator_test.go @@ -157,6 +157,7 @@ func TestTranslateXds(t *testing.T) { x := requireXdsIRFromInputTestData(t, inputFile) tr := &Translator{ + ControllerNamespace: "envoy-gateway-system", GlobalRateLimit: &GlobalRateLimitSettings{ ServiceURL: ratelimit.GetServiceURL("envoy-gateway-system", dnsDomain), }, diff --git a/internal/xds/translator/wasm.go b/internal/xds/translator/wasm.go index 87bf412dc7..b0ba741a19 100644 --- a/internal/xds/translator/wasm.go +++ b/internal/xds/translator/wasm.go @@ -23,8 +23,7 @@ import ( ) const ( - vmRuntimeV8 = "envoy.wasm.runtime.v8" - wasmHTTPServerCluster = "wasm_cluster" + vmRuntimeV8 = "envoy.wasm.runtime.v8" ) func init() { @@ -124,7 +123,7 @@ func wasmConfig(wasm ir.Wasm) (*wasmfilterv3.Wasm, error) { HttpUri: &corev3.HttpUri{ Uri: wasm.Code.ServingURL, HttpUpstreamType: &corev3.HttpUri_Cluster{ - Cluster: wasmHTTPServerCluster, + Cluster: wasmHTTPServiceClusterName, }, Timeout: &durationpb.Duration{ Seconds: defaultExtServiceRequestTimeout, diff --git a/test/e2e/e2e_test.go b/test/e2e/e2e_test.go index 3243165086..de792ddddb 100644 --- a/test/e2e/e2e_test.go +++ b/test/e2e/e2e_test.go 
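Review bot: The new `ControllerNamespace` field has no stated requirement, yet its zero value flows into `wasmHTTPServiceFQDN` and would produce a host of the form `envoy-gateway..svc.cluster.local` for any `Translator` built without it (assuming `wasmHTTPServiceHost` is `envoy-gateway`, as the fixtures suggest). The runner and `TestTranslateXds` set it in this commit, but other construction sites are not visible here. I would extend the comment to `// ControllerNamespace is the namespace of the Gateway API controller. It must be set when any route uses Wasm, because the Wasm code server address is derived from it.` The struct body continues outside the hunk.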
@@ -61,14 +61,6 @@ func TestE2E(t *testing.T) { ) } - // TODO: make these tests work in GatewayNamespaceMode - if tests.IsGatewayNamespaceMode() { - skipTests = append(skipTests, - tests.HTTPWasmTest.ShortName, - tests.OCIWasmTest.ShortName, - ) - } - cSuite, err := suite.NewConformanceTestSuite(suite.ConformanceOptions{ Client: c, RestConfig: cfg,