diff --git a/api/v1alpha1/envoyproxy_types.go b/api/v1alpha1/envoyproxy_types.go
index 482cf28113..d5567d2c52 100644
--- a/api/v1alpha1/envoyproxy_types.go
+++ b/api/v1alpha1/envoyproxy_types.go
@@ -158,12 +158,27 @@ type EnvoyProxySpec struct {
// +optional
PreserveRouteOrder *bool `json:"preserveRouteOrder,omitempty"`
- // DisableLuaValidation disables the Lua script validation for Lua EnvoyExtensionPolicies
- // +kubebuilder:default=false
+ // LuaValidation determines strictness of the Lua script validation for Lua EnvoyExtensionPolicies
+ // Default: Strict
// +optional
- DisableLuaValidation *bool `json:"disableLuaValidation,omitempty"`
+ LuaValidation *LuaValidation `json:"luaValidation,omitempty"`
}
+// +kubebuilder:validation:Enum=Strict;Disabled
+type LuaValidation string
+
+const (
+ // LuaValidationStrict is the default level and checks for issues during script execution.
+ // Recommended if your scripts only use the standard Envoy Lua stream handle API.
+ // For supported APIs, see: https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_filters/lua_filter#stream-handle-api
+ LuaValidationStrict LuaValidation = "Strict"
+
+ // LuaValidationDisabled disables all validation of Lua scripts.
+ // Scripts will be accepted and executed without any validation checks.
+ // This is not recommended unless your scripts import libraries that are not supported by Lua runtime validation.
+ LuaValidationDisabled LuaValidation = "Disabled"
+)
+
// RoutingType defines the type of routing of this Envoy proxy.
type RoutingType string
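Review bot: Removing `DisableLuaValidation` outright (the `-` lines for the field and its `+kubebuilder:default=false` marker) rather than deprecating it is a breaking API change for any existing EnvoyProxy that sets `disableLuaValidation: true`; with a structural CRD the unknown field will be pruned on upgrade, so those users silently fall back to strict validation and their previously-accepted scripts start being rejected, yet the release note in this commit lists the change only under "new features". I would either keep the old field with a `// Deprecated: use LuaValidation instead.` line and honour it in the translator for one release, or at minimum call the removal out as a breaking change in the release notes and upgrade guide. The doc comments on the new constants should also make the trust model explicit, since this is where operators will look: on `LuaValidation` add `// Validation is a correctness check on the script, not a sandbox; Disabled lets any script reach the proxy unchecked, so the setting lives on EnvoyProxy (infrastructure owner) rather than on the policy.`, and on `LuaValidationDisabled` add `// Errors in an unvalidated script will only surface when Envoy loads or runs it.` (I have hedged the last one because the exact failure mode at the data plane is not visible here). Consider also adding `// +kubebuilder:default=Strict` so the documented default is enforced in the schema rather than implied by the `nil` handling in the translator.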
diff --git a/api/v1alpha1/zz_generated.deepcopy.go b/api/v1alpha1/zz_generated.deepcopy.go
index b0e5185a2f..0ae6350b2b 100644
--- a/api/v1alpha1/zz_generated.deepcopy.go
+++ b/api/v1alpha1/zz_generated.deepcopy.go
@@ -2412,9 +2412,9 @@ func (in *EnvoyProxySpec) DeepCopyInto(out *EnvoyProxySpec) {
*out = new(bool)
**out = **in
}
- if in.DisableLuaValidation != nil {
- in, out := &in.DisableLuaValidation, &out.DisableLuaValidation
- *out = new(bool)
+ if in.LuaValidation != nil {
+ in, out := &in.LuaValidation, &out.LuaValidation
+ *out = new(LuaValidation)
**out = **in
}
}
diff --git a/charts/gateway-crds-helm/templates/generated/gateway.envoyproxy.io_envoyproxies.yaml b/charts/gateway-crds-helm/templates/generated/gateway.envoyproxy.io_envoyproxies.yaml
index c5b6403b58..e4df4ec339 100644
--- a/charts/gateway-crds-helm/templates/generated/gateway.envoyproxy.io_envoyproxies.yaml
+++ b/charts/gateway-crds-helm/templates/generated/gateway.envoyproxy.io_envoyproxies.yaml
@@ -270,11 +270,6 @@ spec:
the number of cpuset threads on the platform.
format: int32
type: integer
- disableLuaValidation:
- default: false
- description: DisableLuaValidation disables the Lua script validation
- for Lua EnvoyExtensionPolicies
- type: boolean
extraArgs:
description: |-
ExtraArgs defines additional command line options that are provided to Envoy.
@@ -442,6 +437,14 @@ spec:
and the log level is the value. If unspecified, defaults to "default: warn".
type: object
type: object
+ luaValidation:
+ description: |-
+ LuaValidation determines strictness of the Lua script validation for Lua EnvoyExtensionPolicies
+ Default: Strict
+ enum:
+ - Strict
+ - Disabled
+ type: string
mergeGateways:
description: |-
MergeGateways defines if Gateway resources should be merged onto the same Envoy Proxy Infrastructure.
diff --git a/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_envoyproxies.yaml b/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_envoyproxies.yaml
index b8f200c01e..59d44a7532 100644
--- a/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_envoyproxies.yaml
+++ b/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_envoyproxies.yaml
@@ -269,11 +269,6 @@ spec:
the number of cpuset threads on the platform.
format: int32
type: integer
- disableLuaValidation:
- default: false
- description: DisableLuaValidation disables the Lua script validation
- for Lua EnvoyExtensionPolicies
- type: boolean
extraArgs:
description: |-
ExtraArgs defines additional command line options that are provided to Envoy.
@@ -441,6 +436,14 @@ spec:
and the log level is the value. If unspecified, defaults to "default: warn".
type: object
type: object
+ luaValidation:
+ description: |-
+ LuaValidation determines strictness of the Lua script validation for Lua EnvoyExtensionPolicies
+ Default: Strict
+ enum:
+ - Strict
+ - Disabled
+ type: string
mergeGateways:
description: |-
MergeGateways defines if Gateway resources should be merged onto the same Envoy Proxy Infrastructure.
diff --git a/internal/cmd/egctl/testdata/translate/out/invalid-envoyproxy.all.yaml b/internal/cmd/egctl/testdata/translate/out/invalid-envoyproxy.all.yaml
index ba0e000f39..7fe4d68370 100644
--- a/internal/cmd/egctl/testdata/translate/out/invalid-envoyproxy.all.yaml
+++ b/internal/cmd/egctl/testdata/translate/out/invalid-envoyproxy.all.yaml
@@ -19,7 +19,6 @@ envoyProxyForGatewayClass:
socket_address:
address: 127.0.0.1
port_value: 19000
- disableLuaValidation: false
logging:
level:
default: warn
diff --git a/internal/cmd/egctl/testdata/translate/out/valid-envoyproxy.all.yaml b/internal/cmd/egctl/testdata/translate/out/valid-envoyproxy.all.yaml
index 090c629456..c798702335 100644
--- a/internal/cmd/egctl/testdata/translate/out/valid-envoyproxy.all.yaml
+++ b/internal/cmd/egctl/testdata/translate/out/valid-envoyproxy.all.yaml
@@ -6,7 +6,6 @@ envoyProxyForGatewayClass:
name: example
namespace: default
spec:
- disableLuaValidation: false
logging:
level:
default: warn
diff --git a/internal/gatewayapi/envoyextensionpolicy.go b/internal/gatewayapi/envoyextensionpolicy.go
index de83c0d69b..5e8899c21f 100644
--- a/internal/gatewayapi/envoyextensionpolicy.go
+++ b/internal/gatewayapi/envoyextensionpolicy.go
@@ -452,7 +452,8 @@ func (t *Translator) buildLua(
if err != nil {
return nil, err
}
- if envoyProxy != nil && envoyProxy.Spec.DisableLuaValidation != nil && *envoyProxy.Spec.DisableLuaValidation {
+ if envoyProxy != nil && envoyProxy.Spec.LuaValidation != nil &&
+ *envoyProxy.Spec.LuaValidation == egv1a1.LuaValidationDisabled {
return &ir.Lua{
Name: name,
Code: luaCode,
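Review bot: The new condition on lines 145–146 is correctly fail-closed — a `nil` `LuaValidation`, or any value other than the exact string `Disabled` (including a mis-cased `disabled` in a file fed to `egctl translate`, where no CRD enum is enforced), falls through to the validator — but nothing in the code says that this is intentional, and a future "lenient" level could easily be bolted onto this `if` and break the invariant. I would add `// Only an explicit Disabled on the owning EnvoyProxy bypasses validation; nil or any other value is validated (fail-closed).` above the `if`. Because `Disabled` means an unchecked script is handed straight to the proxy, it is also worth emitting a debug/info log (or a status condition) on this branch so operators can audit which policies reached the data plane without validation; I cannot see a logger on `Translator` from this hunk, so treat that as a suggestion to confirm. `buildLua` begins before this hunk and its validating path continues after it.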
diff --git a/internal/gatewayapi/resource/testdata/all-resources.out.yaml b/internal/gatewayapi/resource/testdata/all-resources.out.yaml
index ae5b2eaec1..612090f674 100644
--- a/internal/gatewayapi/resource/testdata/all-resources.out.yaml
+++ b/internal/gatewayapi/resource/testdata/all-resources.out.yaml
@@ -169,7 +169,6 @@ envoyProxyForGatewayClass:
name: example
namespace: default
spec:
- disableLuaValidation: false
logging:
level:
default: warn
diff --git a/internal/gatewayapi/testdata/envoyextensionpolicy-with-invalid-lua-validation-disabled.in.yaml b/internal/gatewayapi/testdata/envoyextensionpolicy-with-invalid-lua-validation-disabled.in.yaml
index 97bd5af0d4..86178c9b5c 100644
--- a/internal/gatewayapi/testdata/envoyextensionpolicy-with-invalid-lua-validation-disabled.in.yaml
+++ b/internal/gatewayapi/testdata/envoyextensionpolicy-with-invalid-lua-validation-disabled.in.yaml
@@ -5,7 +5,7 @@ envoyProxyForGatewayClass:
namespace: envoy-gateway-system
name: test
spec:
- disableLuaValidation: true
+ luaValidation: Disabled
gateways:
- apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
diff --git a/internal/gatewayapi/testdata/envoyextensionpolicy-with-invalid-lua-validation-disabled.out.yaml b/internal/gatewayapi/testdata/envoyextensionpolicy-with-invalid-lua-validation-disabled.out.yaml
index c825c8f25a..1803ccef52 100644
--- a/internal/gatewayapi/testdata/envoyextensionpolicy-with-invalid-lua-validation-disabled.out.yaml
+++ b/internal/gatewayapi/testdata/envoyextensionpolicy-with-invalid-lua-validation-disabled.out.yaml
@@ -120,8 +120,8 @@ infraIR:
name: test
namespace: envoy-gateway-system
spec:
- disableLuaValidation: true
logging: {}
+ luaValidation: Disabled
status: {}
listeners:
- address: null
diff --git a/release-notes/current.yaml b/release-notes/current.yaml
index 67f6279973..c46d636c60 100644
--- a/release-notes/current.yaml
+++ b/release-notes/current.yaml
@@ -32,8 +32,7 @@ new features: |
Added support for specifying deployment annotations through the helm chart.
Added support for customizing the name of the ServiceAccount used by the Proxy.
Added support for custom backendRefs via extension server using PostClusterModify hook.
-
-
+ Introduce validation strictness levels for Lua scripts in EnvoyExtensionPolicies.
bug fixes: |
Handle integer zone annotation values
Fixed issue where WASM cache init failure caused routes with WASM-less EnvoyExtensionPolicies to have 500 direct responses.
diff --git a/site/content/en/latest/api/extension_types.md b/site/content/en/latest/api/extension_types.md
index 0b2fc92253..95ed18572f 100644
--- a/site/content/en/latest/api/extension_types.md
+++ b/site/content/en/latest/api/extension_types.md
@@ -1635,7 +1635,7 @@ _Appears in:_
| `backendTLS` | _[BackendTLSConfig](#backendtlsconfig)_ | false | | BackendTLS is the TLS configuration for the Envoy proxy to use when connecting to backends.
These settings are applied on backends for which TLS policies are specified. |
| `ipFamily` | _[IPFamily](#ipfamily)_ | false | | IPFamily specifies the IP family for the EnvoyProxy fleet.
This setting only affects the Gateway listener port and does not impact
other aspects of the Envoy proxy configuration.
If not specified, the system will operate as follows:
- It defaults to IPv4 only.
- IPv6 and dual-stack environments are not supported in this default configuration.
Note: To enable IPv6 or dual-stack functionality, explicit configuration is required. |
| `preserveRouteOrder` | _boolean_ | false | | PreserveRouteOrder determines if the order of matching for HTTPRoutes is determined by Gateway-API
specification (https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.HTTPRouteRule)
or preserves the order defined by users in the HTTPRoute's HTTPRouteRule list.
Default: False |
-| `disableLuaValidation` | _boolean_ | false | false | DisableLuaValidation disables the Lua script validation for Lua EnvoyExtensionPolicies |
+| `luaValidation` | _[LuaValidation](#luavalidation)_ | false | | LuaValidation determines strictness of the Lua script validation for Lua EnvoyExtensionPolicies
Default: Strict |
#### EnvoyProxyStatus
@@ -3154,6 +3154,21 @@ _Appears in:_
| `valueRef` | _[LocalObjectReference](#localobjectreference)_ | false | | ValueRef has the source code specified as a local object reference.
Only a reference to ConfigMap is supported.
The value of key `lua` in the ConfigMap will be used.
If the key is not found, the first value in the ConfigMap will be used. |
+#### LuaValidation
+
+_Underlying type:_ _string_
+
+
+
+_Appears in:_
+- [EnvoyProxySpec](#envoyproxyspec)
+
+| Value | Description |
+| ----- | ----------- |
+| `Strict` | LuaValidationStrict is the default level and checks for issues during script execution.
Recommended if your scripts only use the standard Envoy Lua stream handle API.
For supported APIs, see: https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_filters/lua_filter#stream-handle-api
|
+| `Disabled` | LuaValidationDisabled disables all validation of Lua scripts.
Scripts will be accepted and executed without any validation checks.
This is not recommended unless your scripts import libraries that are not supported by Lua runtime validation.
|
+
+
#### LuaValueType
_Underlying type:_ _string_
diff --git a/test/helm/gateway-crds-helm/all.out.yaml b/test/helm/gateway-crds-helm/all.out.yaml
index 2e543f6361..14f90f39a4 100644
--- a/test/helm/gateway-crds-helm/all.out.yaml
+++ b/test/helm/gateway-crds-helm/all.out.yaml
@@ -24078,11 +24078,6 @@ spec:
the number of cpuset threads on the platform.
format: int32
type: integer
- disableLuaValidation:
- default: false
- description: DisableLuaValidation disables the Lua script validation
- for Lua EnvoyExtensionPolicies
- type: boolean
extraArgs:
description: |-
ExtraArgs defines additional command line options that are provided to Envoy.
@@ -24250,6 +24245,14 @@ spec:
and the log level is the value. If unspecified, defaults to "default: warn".
type: object
type: object
+ luaValidation:
+ description: |-
+ LuaValidation determines strictness of the Lua script validation for Lua EnvoyExtensionPolicies
+ Default: Strict
+ enum:
+ - Strict
+ - Disabled
+ type: string
mergeGateways:
description: |-
MergeGateways defines if Gateway resources should be merged onto the same Envoy Proxy Infrastructure.
diff --git a/test/helm/gateway-crds-helm/envoy-gateway-crds.out.yaml b/test/helm/gateway-crds-helm/envoy-gateway-crds.out.yaml
index fb50314e4c..089a2574d6 100644
--- a/test/helm/gateway-crds-helm/envoy-gateway-crds.out.yaml
+++ b/test/helm/gateway-crds-helm/envoy-gateway-crds.out.yaml
@@ -6766,11 +6766,6 @@ spec:
the number of cpuset threads on the platform.
format: int32
type: integer
- disableLuaValidation:
- default: false
- description: DisableLuaValidation disables the Lua script validation
- for Lua EnvoyExtensionPolicies
- type: boolean
extraArgs:
description: |-
ExtraArgs defines additional command line options that are provided to Envoy.
@@ -6938,6 +6933,14 @@ spec:
and the log level is the value. If unspecified, defaults to "default: warn".
type: object
type: object
+ luaValidation:
+ description: |-
+ LuaValidation determines strictness of the Lua script validation for Lua EnvoyExtensionPolicies
+ Default: Strict
+ enum:
+ - Strict
+ - Disabled
+ type: string
mergeGateways:
description: |-
MergeGateways defines if Gateway resources should be merged onto the same Envoy Proxy Infrastructure.