envoyproxy · arkodg · Jun 4, 2025 · May 23, 2025 · May 14, 2025 · May 23, 2025
@@ -9,7 +9,7 @@ import (
 	gwapiv1 "sigs.k8s.io/gateway-api/apis/v1"
 )
 
-// +kubebuilder:validation:Enum=Streamed;Buffered;BufferedPartial
+// +kubebuilder:validation:Enum=Streamed;Buffered;BufferedPartial;FullDuplexStreamed
 type ExtProcBodyProcessingMode string
 
 const (

@@ -38,7 +38,7 @@
         {
             "datasource": {
                 "type": "prometheus",
-                "uid": "PBFA97CFB590B2093"
+                "uid": "$datasource"
             },
             "description": "The fraction of this program's available CPU time used by the GC since the program started.",
             "fieldConfig": {
@@ -122,7 +122,7 @@
                 {
                     "datasource": {
                         "type": "prometheus",
-                        "uid": "PBFA97CFB590B2093"
+                        "uid": "$datasource"
                     },
                     "disableTextWrap": false,
                     "editorMode": "code",
@@ -145,7 +145,7 @@
         {
             "datasource": {
                 "type": "prometheus",
-                "uid": "PBFA97CFB590B2093"
+                "uid": "$datasource"
             },
             "description": "Resident memory size",
             "fieldConfig": {
@@ -194,7 +194,7 @@
                 {
                     "datasource": {
                         "type": "prometheus",
-                        "uid": "PBFA97CFB590B2093"
+                        "uid": "$datasource"
                     },
                     "disableTextWrap": false,
                     "editorMode": "code",
@@ -216,7 +216,7 @@
         {
             "datasource": {
                 "type": "prometheus",
-                "uid": "PBFA97CFB590B2093"
+                "uid": "$datasource"
             },
             "description": "Virtual memory size",
             "fieldConfig": {
@@ -266,7 +266,7 @@
                 {
                     "datasource": {
                         "type": "prometheus",
-                        "uid": "PBFA97CFB590B2093"
+                        "uid": "$datasource"
                     },
                     "disableTextWrap": false,
                     "editorMode": "code",
@@ -288,7 +288,7 @@
         {
             "datasource": {
                 "type": "prometheus",
-                "uid": "PBFA97CFB590B2093"
+                "uid": "$datasource"
             },
             "description": "Number of ratelimit rule hits in total",
             "fieldConfig": {
@@ -341,7 +341,7 @@
                 {
                     "datasource": {
                         "type": "prometheus",
-                        "uid": "PBFA97CFB590B2093"
+                        "uid": "$datasource"
                     },
                     "disableTextWrap": false,
                     "editorMode": "builder",
@@ -363,7 +363,7 @@
         {
             "datasource": {
                 "type": "prometheus",
-                "uid": "PBFA97CFB590B2093"
+                "uid": "$datasource"
             },
             "description": "Number of rule hits over the NearLimit ratio threshold (currently 80%) but under the threshold rate.",
             "fieldConfig": {
@@ -416,7 +416,7 @@
                 {
                     "datasource": {
                         "type": "prometheus",
-                        "uid": "PBFA97CFB590B2093"
+                        "uid": "$datasource"
                     },
                     "disableTextWrap": false,
                     "editorMode": "builder",
@@ -438,7 +438,7 @@
         {
             "datasource": {
                 "type": "prometheus",
-                "uid": "PBFA97CFB590B2093"
+                "uid": "$datasource"
             },
             "description": "Number of rule hits exceeding the threshold rate",
             "fieldConfig": {
@@ -491,7 +491,7 @@
                 {
                     "datasource": {
                         "type": "prometheus",
-                        "uid": "PBFA97CFB590B2093"
+                        "uid": "$datasource"
                     },
                     "disableTextWrap": false,
                     "editorMode": "builder",
@@ -522,7 +522,7 @@
                 "current": {
                     "selected": false,
                     "text": "Prometheus",
-                    "value": "PBFA97CFB590B2093"
+                    "value": "$datasource"
                 },
                 "hide": 0,
                 "includeAll": false,

@@ -1003,6 +1003,7 @@ spec:
                               - Streamed
                               - Buffered
                               - BufferedPartial
+                              - FullDuplexStreamed
                               type: string
                           type: object
                         response:
@@ -1026,6 +1027,7 @@ spec:
                               - Streamed
                               - Buffered
                               - BufferedPartial
+                              - FullDuplexStreamed
                               type: string
                           type: object
                       type: object

@@ -1002,6 +1002,7 @@ spec:
                               - Streamed
                               - Buffered
                               - BufferedPartial
+                              - FullDuplexStreamed
                               type: string
                           type: object
                         response:
@@ -1025,6 +1026,7 @@ spec:
                               - Streamed
                               - Buffered
                               - BufferedPartial
+                              - FullDuplexStreamed
                               type: string
                           type: object
                       type: object

@@ -1,4 +1,4 @@
-FROM golang:1.24.2 AS builder
+FROM golang:1.24.3 AS builder
 
 ARG GO_LDFLAGS=""
 

@@ -1,6 +1,6 @@
 module github.com/envoyproxy/gateway-grcp-ext-auth
 
-go 1.24.2
+go 1.24.3
 
 require (
 	github.com/envoyproxy/go-control-plane/envoy v1.32.4

@@ -1,6 +1,6 @@
 module github.com/exampleorg/envoygateway-extension
 
-go 1.24.2
+go 1.24.3
 
 require (
 	github.com/envoyproxy/gateway v1.3.1

@@ -1,4 +1,4 @@
-FROM golang:1.24.2 AS builder
+FROM golang:1.24.3 AS builder
 
 ARG GO_LDFLAGS=""
 

@@ -1,6 +1,6 @@
 module github.com/envoyproxy/gateway-grpc-ext-proc
 
-go 1.24.2
+go 1.24.3
 
 require (
 	github.com/envoyproxy/go-control-plane/envoy v1.32.4

@@ -1,4 +1,4 @@
-FROM golang:1.24.2 AS builder
+FROM golang:1.24.3 AS builder
 
 ARG GO_LDFLAGS=""
 

@@ -1,6 +1,6 @@
 module github.com/envoyproxy/gateway-preserve-case-backend
 
-go 1.24.2
+go 1.24.3
 
 require github.com/valyala/fasthttp v1.61.0
 

@@ -1,4 +1,4 @@
-FROM golang:1.24.2 AS builder
+FROM golang:1.24.3 AS builder
 
 ARG GO_LDFLAGS=""
 

@@ -1,6 +1,6 @@
 module github.com/envoyproxy/gateway-simple-extension-server
 
-go 1.24.2
+go 1.24.3
 
 require (
 	github.com/envoyproxy/gateway v1.3.2

@@ -1,4 +1,4 @@
-FROM golang:1.24.2 AS builder
+FROM golang:1.24.3 AS builder
 
 ARG GO_LDFLAGS=""
 

@@ -1,3 +1,3 @@
 module github.com/envoyproxy/static-file-server
 
-go 1.24.2
+go 1.24.3
@@ -1,6 +1,6 @@
 module github.com/envoyproxy/gateway
 
-go 1.24.2
+go 1.24.3
 
 require (
 	fortio.org/fortio v1.69.4
@@ -198,7 +198,7 @@ require (
 	github.com/docker/go-connections v0.5.0 // indirect
 	github.com/docker/go-metrics v0.0.1 // indirect
 	github.com/docker/go-units v0.5.0 // indirect
-	github.com/ebitengine/purego v0.8.2 // indirect
+	github.com/ebitengine/purego v0.8.3 // indirect
 	github.com/elastic/crd-ref-docs v0.1.0 // indirect
 	github.com/elliotchance/orderedmap/v2 v2.2.0 // indirect
 	github.com/emicklei/go-restful/v3 v3.12.0 // indirect

@@ -358,8 +358,8 @@ github.com/dustin/go-humanize v0.0.0-20171111073723-bb3d318650d4/go.mod h1:Htrtb
 github.com/dustin/go-humanize v1.0.0/go.mod h1:HtrtbFcZ19U5GC7JDqmcUSB87Iq5E25KnS6fMYU6eOk=
 github.com/dustin/go-humanize v1.0.1 h1:GzkhY7T5VNhEkwH0PVJgjz+fX1rhBrR7pRT3mDkpeCY=
 github.com/dustin/go-humanize v1.0.1/go.mod h1:Mu1zIs6XwVuF/gI1OepvI0qD18qycQx+mFykh5fBlto=
-github.com/ebitengine/purego v0.8.2 h1:jPPGWs2sZ1UgOSgD2bClL0MJIqu58nOmIcBuXr62z1I=
-github.com/ebitengine/purego v0.8.2/go.mod h1:iIjxzd6CiRiOG0UyXP+V1+jWqUXVjPKLAI0mRfJZTmQ=
+github.com/ebitengine/purego v0.8.3 h1:K+0AjQp63JEZTEMZiwsI9g0+hAMNohwUOtY0RPGexmc=
+github.com/ebitengine/purego v0.8.3/go.mod h1:iIjxzd6CiRiOG0UyXP+V1+jWqUXVjPKLAI0mRfJZTmQ=
 github.com/elastic/crd-ref-docs v0.1.0 h1:Cr5kz89QB3Iuuj7dhAfLMApCrChEGAaIBTxGk/xuRKw=
 github.com/elastic/crd-ref-docs v0.1.0/go.mod h1:X83mMBdJt05heJUYiS3T0yJ/JkCuliuhSUNav5Gjo/U=
 github.com/elazarl/goproxy v0.0.0-20180725130230-947c36da3153/go.mod h1:/Zj4wYkgs4iZTTu3o/KG3Itv/qCCa8VVMlb3i9OVuzc=

@@ -77,9 +77,7 @@ envoyExtensionPolicies:
         namespace: envoy-gateway-system
       conditions:
       - lastTransitionTime: null
-        message: |-
-          Wasm: wasm cache is not initialized
-          ExtProc: service envoy-gateway-system/grpc-ext-proc not found.
+        message: 'ExtProc: service envoy-gateway-system/grpc-ext-proc not found.'
         reason: Invalid
         status: "False"
         type: Accepted

@@ -23,7 +23,7 @@ envoyProxyForGatewayClass:
           local_cluster_name: local_cluster
         node:
           locality:
-            zone: "$(ENVOY_SERVICE_ZONE)"
+            zone: $(ENVOY_SERVICE_ZONE)
         layered_runtime:
           layers:
           - name: global_config
@@ -108,7 +108,7 @@ envoyProxyForGatewayClass:
                   load_balancing_weight: 1
                 load_balancing_weight: 1
                 locality:
-                  zone: "$(ENVOY_SERVICE_ZONE)"
+                  zone: $(ENVOY_SERVICE_ZONE)
             name: local_cluster
             type: STATIC
           - connect_timeout: 10s

@@ -207,9 +207,25 @@
 }
 
 func getBackendTLSBundle(backendTLSPolicy *gwapiv1a3.BackendTLSPolicy, resources *resource.Resources) (*ir.TLSUpstreamConfig, error) {
+	// Translate SubjectAltNames from gwapiv1a3 to ir
+	var subjectAltNames []ir.SubjectAltName
+	for _, san := range backendTLSPolicy.Spec.Validation.SubjectAltNames {
+		var subjectAltName ir.SubjectAltName
+		switch san.Type {
+		case "DNS":
+			subjectAltName.Hostname = ptr.To(string(san.Hostname))
+		case "URI":
+			subjectAltName.URI = ptr.To(string(san.URI))
+		default:
+			continue // skip unknown types
+		}
+		subjectAltNames = append(subjectAltNames, subjectAltName)
+	}
+
 	tlsBundle := &ir.TLSUpstreamConfig{
 		SNI:                 ptr.To(string(backendTLSPolicy.Spec.Validation.Hostname)),
 		UseSystemTrustStore: ptr.Deref(backendTLSPolicy.Spec.Validation.WellKnownCACertificates, "") == gwapiv1a3.WellKnownCACertificatesSystem,
+		SubjectAltNames:     subjectAltNames,
 	}
 	if tlsBundle.UseSystemTrustStore {
 		tlsBundle.CACertificate = &ir.TLSCACertificate{

@@ -440,7 +440,13 @@ func (t *Translator) translateBackendTrafficPolicyForRouteWithMerge(
 	// Since GlobalRateLimit merge relies on IR auto-generated key: (<policy-ns>/<policy-name>/rule/<rule-index>)
 	// We can't simply merge the BTP's using utils.Merge() we need to specifically merge the GlobalRateLimit.Rules using IR fields.
 	// Since ir.TrafficFeatures is not a built-in Kubernetes API object with defined merging strategies and it does not support a deep merge (for lists/maps).
+
+	// Handle rate limit merging cases:
+	// 1. Both policies have rate limits - merge them
+	// 2. Only gateway policy has rate limits - preserve gateway policy's rule names
+	// 3. Only route policy has rate limits - use route policy's rule names (default behavior)
 	if policy.Spec.RateLimit != nil && gwPolicy.Spec.RateLimit != nil {
+		// Case 1: Both policies have rate limits - merge them
 		tfGW, _ := t.buildTrafficFeatures(gwPolicy, resources)
 		tfRoute, _ := t.buildTrafficFeatures(policy, resources)
 
@@ -454,7 +460,15 @@ func (t *Translator) translateBackendTrafficPolicyForRouteWithMerge(
 			// Replace the rate limit in the merged features if successful
 			tf.RateLimit = mergedRL
 		}
+	} else if policy.Spec.RateLimit == nil && gwPolicy.Spec.RateLimit != nil {
+		// Case 2: Only gateway policy has rate limits - preserve gateway policy's rule names
+		tfGW, _ := t.buildTrafficFeatures(gwPolicy, resources)
+		if tfGW != nil && tfGW.RateLimit != nil {
+			// Use the gateway policy's rate limit with its original rule names
+			tf.RateLimit = tfGW.RateLimit
+		}
 	}
+	// Case 3: Only route policy has rate limits or neither has rate limits - use default behavior (tf already built from merged policy)
 
 	x, ok := xdsIR[t.IRKey(gatewayNN)]
 	if !ok {

@@ -614,12 +614,16 @@ func (t *Translator) buildWasms(
 	policy *egv1a1.EnvoyExtensionPolicy,
 	resources *resource.Resources,
 ) ([]ir.Wasm, error) {
+	var wasmIRList []ir.Wasm
+
+	if len(policy.Spec.Wasm) == 0 {
+		return wasmIRList, nil
+	}
+
 	if t.WasmCache == nil {
 		return nil, fmt.Errorf("wasm cache is not initialized")
 	}
 
-	var wasmIRList []ir.Wasm
-
 	if policy == nil {
 		return nil, nil
 	}