diff --git a/VERSION b/VERSION index b8db7fc27e..cd180246b3 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -v1.5.0-rc.1 +v1.5.0-rc.2 diff --git a/api/v1alpha1/clienttrafficpolicy_types.go b/api/v1alpha1/clienttrafficpolicy_types.go index 649b4b635f..abc7d59dfb 100644 --- a/api/v1alpha1/clienttrafficpolicy_types.go +++ b/api/v1alpha1/clienttrafficpolicy_types.go @@ -7,7 +7,6 @@ package v1alpha1 import ( metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" - gwapiv1 "sigs.k8s.io/gateway-api/apis/v1" gwapiv1a2 "sigs.k8s.io/gateway-api/apis/v1alpha2" ) @@ -159,7 +158,7 @@ type HeaderSettings struct { // routing, tracing and built-in header manipulation. // // +optional - EarlyRequestHeaders *gwapiv1.HTTPHeaderFilter `json:"earlyRequestHeaders,omitempty"` + EarlyRequestHeaders *HTTPHeaderFilter `json:"earlyRequestHeaders,omitempty"` } // WithUnderscoresAction configures the action to take when an HTTP header with underscores diff --git a/api/v1alpha1/cors_types.go b/api/v1alpha1/cors_types.go index 26c87bd8a0..c3d2067511 100644 --- a/api/v1alpha1/cors_types.go +++ b/api/v1alpha1/cors_types.go @@ -5,7 +5,7 @@ package v1alpha1 -import metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" +import gwapiv1 "sigs.k8s.io/gateway-api/apis/v1" // Origin is defined by the scheme (protocol), hostname (domain), and port of // the URL used to access it. The hostname can be "precise" which is just the @@ -61,7 +61,7 @@ type CORS struct { // It specifies the value in the Access-Control-Max-Age CORS response header.. // // +optional - MaxAge *metav1.Duration `json:"maxAge,omitempty"` + MaxAge *gwapiv1.Duration `json:"maxAge,omitempty"` // AllowCredentials indicates whether a request can include user credentials // like cookies, authentication headers, or TLS client certificates. diff --git a/api/v1alpha1/dns_types.go b/api/v1alpha1/dns_types.go index ed99a6ca0e..2dbfd272e5 100644 --- a/api/v1alpha1/dns_types.go +++ b/api/v1alpha1/dns_types.go 
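Review bot: The doc comment on `EarlyRequestHeaders` still reads as if the field were the upstream type; now that it points at the local `HTTPHeaderFilter` copy, the comment should say why, e.g. `// Uses the Envoy Gateway copy of HTTPHeaderFilter, which allows up to 64 entries per list instead of the upstream 16.` Any code that converts this field to `gwapiv1.HTTPHeaderFilter` further down the pipeline is not in this diff and would need checking, since the two struct types are no longer assignable to each other. HeaderSettings starts outside the hunk.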
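Review bot: Replacing `*metav1.Duration` with `*gwapiv1.Duration` on `MaxAge` narrows the accepted input: the CRD hunks in this diff add `pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$`, so values that `time.ParseDuration` accepted — fractional (`1.5s`), sub-millisecond (`500us`) or negative — are rejected on write, and already-stored objects carrying such values may fail their next update unless validation ratcheting leaves the unchanged field alone. The same applies to every Duration field switched in this diff (dns, envoygateway RateLimit, envoyproxy ShutdownConfig, fault injection, healthcheck, loadbalancer, oidc, retry). The field docs or release notes should state the new accepted format, e.g. `// Must match ^([0-9]{1,5}(h|m|s|ms)){1,4}$, for example "10s" or "1h30m".` The Go code that previously read `.Duration` from these fields now has to parse a string; that code is not in this diff, so it cannot be checked here. CORS starts outside the hunk.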
@@ -5,7 +5,7 @@ package v1alpha1 -import metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" +import gwapiv1 "sigs.k8s.io/gateway-api/apis/v1" // DNSLookupFamily defines the behavior of Envoy when resolving DNS for hostnames // +enum @@ -31,10 +31,14 @@ const ( type DNS struct { // DNSRefreshRate specifies the rate at which DNS records should be refreshed. // Defaults to 30 seconds. - DNSRefreshRate *metav1.Duration `json:"dnsRefreshRate,omitempty"` + // + // +optional + DNSRefreshRate *gwapiv1.Duration `json:"dnsRefreshRate,omitempty"` // RespectDNSTTL indicates whether the DNS Time-To-Live (TTL) should be respected. // If the value is set to true, the DNS refresh rate will be set to the resource record’s TTL. // Defaults to true. + // + // +optional RespectDNSTTL *bool `json:"respectDnsTtl,omitempty"` // LookupFamily determines how Envoy would resolve DNS for Routes where the backend is specified as a fully qualified domain name (FQDN). // If set, this configuration overrides other defaults. diff --git a/api/v1alpha1/envoygateway_types.go b/api/v1alpha1/envoygateway_types.go index 86a6c1f4ea..a59a35658e 100644 --- a/api/v1alpha1/envoygateway_types.go +++ b/api/v1alpha1/envoygateway_types.go 
@@ -143,13 +143,21 @@ type KubernetesClientRateLimit struct { // LeaderElection defines the desired leader election settings. type LeaderElection struct { // LeaseDuration defines the time non-leader contenders will wait before attempting to claim leadership. - // It's based on the timestamp of the last acknowledged signal. The default setting is 15 seconds. + // It's based on the timestamp of the last acknowledged signal. + // The default setting is 15 seconds. + // + // +optional LeaseDuration *gwapiv1.Duration `json:"leaseDuration,omitempty"` // RenewDeadline represents the time frame within which the current leader will attempt to renew its leadership - // status before relinquishing its position. The default setting is 10 seconds. + // status before relinquishing its position. + // The default setting is 10 seconds. + // + // +optional RenewDeadline *gwapiv1.Duration `json:"renewDeadline,omitempty"` // RetryPeriod denotes the interval at which LeaderElector clients should perform action retries. // The default setting is 2 seconds. + // + // +optional RetryPeriod *gwapiv1.Duration `json:"retryPeriod,omitempty"` // Disable provides the option to turn off leader election, which is enabled by default. Disable *bool `json:"disable,omitempty"` @@ -173,7 +181,7 @@ type EnvoyGatewayLogging struct { } // EnvoyGatewayLogComponent defines a component that supports a configured logging level. -// +kubebuilder:validation:Enum=default;provider;gateway-api;xds-translator;xds-server;infrastructure;global-ratelimit +// +kubebuilder:validation:Enum=default;provider;gateway-api;xds-translator;xds-server;xds;infrastructure;global-ratelimit type EnvoyGatewayLogComponent string const ( 
@@ -193,6 +201,9 @@ const ( // LogComponentXdsServerRunner defines the "xds-server" runner component. LogComponentXdsServerRunner EnvoyGatewayLogComponent = "xds-server" + // LogComponentXdsRunner defines the "xds" runner component. + LogComponentXdsRunner EnvoyGatewayLogComponent = "xds" + // LogComponentInfrastructureRunner defines the "infrastructure" runner component. LogComponentInfrastructureRunner EnvoyGatewayLogComponent = "infrastructure" @@ -432,9 +443,9 @@ type RateLimit struct { // Timeout specifies the timeout period for the proxy to access the ratelimit server // If not set, timeout is 20ms. + // // +optional - // +kubebuilder:validation:Format=duration - Timeout *metav1.Duration `json:"timeout,omitempty"` + Timeout *gwapiv1.Duration `json:"timeout,omitempty"` // FailClosed is a switch used to control the flow of traffic // when the response from the ratelimit server cannot be obtained. diff --git a/api/v1alpha1/envoyproxy_types.go b/api/v1alpha1/envoyproxy_types.go index 20baa32df2..8eeabc6427 100644 --- a/api/v1alpha1/envoyproxy_types.go +++ b/api/v1alpha1/envoyproxy_types.go @@ -272,6 +272,12 @@ const ( // EnvoyFilterRateLimit defines the Envoy HTTP rate limit filter. EnvoyFilterRateLimit EnvoyFilter = "envoy.filters.http.ratelimit" + // EnvoyFilterGRPCWeb defines the Envoy HTTP gRPC-web filter. + EnvoyFilterGRPCWeb EnvoyFilter = "envoy.filters.http.grpc_web" + + // EnvoyFilterGRPCStats defines the Envoy HTTP gRPC stats filter. + EnvoyFilterGRPCStats EnvoyFilter = "envoy.filters.http.grpc_stats" + // EnvoyFilterCustomResponse defines the Envoy HTTP custom response filter. EnvoyFilterCustomResponse EnvoyFilter = "envoy.filters.http.custom_response" 
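Review bot: If `EnvoyFilter` carries a `+kubebuilder:validation:Enum` marker above this const block (outside the hunk), the two new values `envoy.filters.http.grpc_web` and `envoy.filters.http.grpc_stats` must be added there as well, otherwise a FilterOrder entry naming them is rejected by the CRD schema even though the Go constants exist. The envoyproxies.yaml hunks visible in this diff only touch Duration fields and show no such enum update, so this may simply be outside the chunk. Adding `// +kubebuilder:validation:Enum=...` coverage for new constants in the same commit keeps the Go and CRD views of the type in step. The const block starts outside the hunk.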
@@ -344,12 +350,12 @@ type ShutdownConfig struct { // If unspecified, defaults to 60 seconds. // // +optional - DrainTimeout *metav1.Duration `json:"drainTimeout,omitempty"` + DrainTimeout *gwapiv1.Duration `json:"drainTimeout,omitempty"` // MinDrainDuration defines the minimum drain duration allowing time for endpoint deprogramming to complete. // If unspecified, defaults to 10 seconds. // // +optional - MinDrainDuration *metav1.Duration `json:"minDrainDuration,omitempty"` + MinDrainDuration *gwapiv1.Duration `json:"minDrainDuration,omitempty"` } // +kubebuilder:validation:XValidation:rule="((has(self.envoyDeployment) && !has(self.envoyDaemonSet)) || (!has(self.envoyDeployment) && has(self.envoyDaemonSet))) || (!has(self.envoyDeployment) && !has(self.envoyDaemonSet))",message="only one of envoyDeployment or envoyDaemonSet can be specified" diff --git a/api/v1alpha1/fault_injection.go b/api/v1alpha1/fault_injection.go index a8b7e1f541..eab92714c5 100644 --- a/api/v1alpha1/fault_injection.go +++ b/api/v1alpha1/fault_injection.go @@ -5,7 +5,7 @@ package v1alpha1 -import metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" +import gwapiv1 "sigs.k8s.io/gateway-api/apis/v1" // FaultInjection defines the fault injection policy to be applied. This configuration can be used to // inject delays and abort requests to mimic failure scenarios such as service failures and overloads @@ -29,7 +29,7 @@ type FaultInjectionDelay struct { // FixedDelay specifies the fixed delay duration // // +required - FixedDelay *metav1.Duration `json:"fixedDelay"` + FixedDelay *gwapiv1.Duration `json:"fixedDelay"` // Percentage specifies the percentage of requests to be delayed. Default 100%, if set 0, no requests will be delayed. Accuracy to 0.0001%. // +optional diff --git a/api/v1alpha1/healthcheck_types.go b/api/v1alpha1/healthcheck_types.go index 772e781664..d0893e7cf5 100644 --- a/api/v1alpha1/healthcheck_types.go +++ b/api/v1alpha1/healthcheck_types.go 
@@ -5,10 +5,7 @@ package v1alpha1 -import ( - metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" - gwapiv1 "sigs.k8s.io/gateway-api/apis/v1" -) +import gwapiv1 "sigs.k8s.io/gateway-api/apis/v1" // HealthCheck configuration to decide which endpoints // are healthy and can be used for routing. @@ -42,10 +39,9 @@ type PassiveHealthCheck struct { // Interval defines the time between passive health checks. // - // +kubebuilder:validation:Format=duration // +kubebuilder:default="3s" // +optional - Interval *metav1.Duration `json:"interval,omitempty"` + Interval *gwapiv1.Duration `json:"interval,omitempty"` // ConsecutiveLocalOriginFailures sets the number of consecutive local origin failures triggering ejection. // Parameter takes effect only when split_external_local_origin_errors is set to true. @@ -68,10 +64,9 @@ type PassiveHealthCheck struct { // BaseEjectionTime defines the base duration for which a host will be ejected on consecutive failures. // - // +kubebuilder:validation:Format=duration // +kubebuilder:default="30s" // +optional - BaseEjectionTime *metav1.Duration `json:"baseEjectionTime,omitempty"` + BaseEjectionTime *gwapiv1.Duration `json:"baseEjectionTime,omitempty"` // MaxEjectionPercent sets the maximum percentage of hosts in a cluster that can be ejected. // 
@@ -90,22 +85,19 @@ type PassiveHealthCheck struct { type ActiveHealthCheck struct { // Timeout defines the time to wait for a health check response. // - // +kubebuilder:validation:Format=duration // +kubebuilder:default="1s" // +optional - Timeout *metav1.Duration `json:"timeout"` + Timeout *gwapiv1.Duration `json:"timeout"` // Interval defines the time between active health checks. // - // +kubebuilder:validation:Format=duration // +kubebuilder:default="3s" // +optional - Interval *metav1.Duration `json:"interval"` + Interval *gwapiv1.Duration `json:"interval"` // InitialJitter defines the maximum time Envoy will wait before the first health check. // Envoy will randomly select a value between 0 and the initial jitter value. // - // +kubebuilder:validation:Format=duration // +optional InitialJitter *gwapiv1.Duration `json:"initialJitter,omitempty"` diff --git a/api/v1alpha1/loadbalancer_types.go b/api/v1alpha1/loadbalancer_types.go index fd52391505..2b177d49da 100644 --- a/api/v1alpha1/loadbalancer_types.go +++ b/api/v1alpha1/loadbalancer_types.go @@ -5,7 +5,7 @@ package v1alpha1 -import metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" +import gwapiv1 "sigs.k8s.io/gateway-api/apis/v1" // LoadBalancer defines the load balancer policy to be applied. // +union @@ -47,7 +47,6 @@ type LoadBalancer struct { // ZoneAware defines the configuration related to the distribution of requests between locality zones. // // +optional - // +notImplementedHide ZoneAware *ZoneAware `json:"zoneAware,omitempty"` } @@ -120,7 +119,7 @@ type Cookie struct { // Max-Age attribute value. // // +optional - TTL *metav1.Duration `json:"ttl,omitempty"` + TTL *gwapiv1.Duration `json:"ttl,omitempty"` // Additional Attributes to set for the generated cookie. // // +optional 
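Review bot: `Timeout` and `Interval` in `ActiveHealthCheck` keep `json:"timeout"` and `json:"interval"` without `omitempty` while being pointers marked `+optional` with defaults, so a nil pointer is serialized as an explicit `null`, unlike `InitialJitter` three lines below and the `PassiveHealthCheck` fields in the previous hunk, which use `omitempty`. Since these tags are already being rewritten, changing them to `json:"timeout,omitempty"` and `json:"interval,omitempty"` would make the struct consistent. The removed `+kubebuilder:validation:Format=duration` markers are superseded by the string pattern that `gwapiv1.Duration` brings into the CRD, so no replacement marker is needed. ActiveHealthCheck's body continues past the hunk.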
@@ -147,7 +146,7 @@ type SlowStart struct { // Currently only supports linear growth of traffic. For additional details, // see https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/cluster/v3/cluster.proto#config-cluster-v3-cluster-slowstartconfig // +kubebuilder:validation:Required - Window *metav1.Duration `json:"window"` + Window *gwapiv1.Duration `json:"window"` // TODO: Add support for non-linear traffic increases based on user usage. } @@ -156,7 +155,6 @@ type ZoneAware struct { // PreferLocalZone configures zone-aware routing to prefer sending traffic to the local locality zone. // // +optional - // +notImplementedHide PreferLocal *PreferLocalZone `json:"preferLocal,omitempty"` } @@ -166,13 +164,11 @@ type PreferLocalZone struct { // which maintains equal distribution among upstream endpoints while sending as much traffic as possible locally. // // +optional - // +notImplementedHide Force *ForceLocalZone `json:"force,omitempty"` // MinEndpointsThreshold is the minimum number of total upstream endpoints across all zones required to enable zone-aware routing. // // +optional - // +notImplementedHide MinEndpointsThreshold *uint64 `json:"minEndpointsThreshold,omitempty"` } diff --git a/api/v1alpha1/oidc_types.go b/api/v1alpha1/oidc_types.go index 64ec47b1d2..cd3e4b72d1 100644 --- a/api/v1alpha1/oidc_types.go +++ b/api/v1alpha1/oidc_types.go @@ -6,7 +6,6 @@ package v1alpha1 import ( - metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" gwapiv1 "sigs.k8s.io/gateway-api/apis/v1" ) @@ -110,7 +109,7 @@ type OIDC struct { // OAuth flow will fail. // // +optional - DefaultTokenTTL *metav1.Duration `json:"defaultTokenTTL,omitempty"` + DefaultTokenTTL *gwapiv1.Duration `json:"defaultTokenTTL,omitempty"` // RefreshToken indicates whether the Envoy should automatically refresh the // id token and access token when they expire. 
@@ -127,8 +126,9 @@ type OIDC struct { // // If not specified, defaults to 604800s (one week). // Note: this field is only applicable when the "refreshToken" field is set to true. + // // +optional - DefaultRefreshTokenTTL *metav1.Duration `json:"defaultRefreshTokenTTL,omitempty"` + DefaultRefreshTokenTTL *gwapiv1.Duration `json:"defaultRefreshTokenTTL,omitempty"` // Skips OIDC authentication when the request contains a header that will be extracted by the JWT filter. Unless // explicitly stated otherwise in the extractFrom field, this will be the "Authorization: Bearer ..." header. diff --git a/api/v1alpha1/retry_types.go b/api/v1alpha1/retry_types.go index d5f3eb24d3..17439c7fae 100644 --- a/api/v1alpha1/retry_types.go +++ b/api/v1alpha1/retry_types.go @@ -6,7 +6,7 @@ package v1alpha1 import ( - metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + gwapiv1 "sigs.k8s.io/gateway-api/apis/v1" ) // Retry defines the retry strategy to be applied. @@ -96,8 +96,7 @@ type PerRetryPolicy struct { // Timeout is the timeout per retry attempt. // // +optional - // +kubebuilder:validation:Format=duration - Timeout *metav1.Duration `json:"timeout,omitempty"` + Timeout *gwapiv1.Duration `json:"timeout,omitempty"` // Backoff is the backoff policy to be applied per retry attempt. gateway uses a fully jittered exponential // back-off algorithm for retries. For additional details, // see https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_filters/router_filter#config-http-filters-router-x-envoy-max-retries 
@@ -109,13 +108,12 @@ type PerRetryPolicy struct { type BackOffPolicy struct { // BaseInterval is the base interval between retries. // - // +kubebuilder:validation:Format=duration - BaseInterval *metav1.Duration `json:"baseInterval,omitempty"` + // +optional + BaseInterval *gwapiv1.Duration `json:"baseInterval,omitempty"` // MaxInterval is the maximum interval between retries. This parameter is optional, but must be greater than or equal to the base_interval if set. // The default is 10 times the base_interval // // +optional - // +kubebuilder:validation:Format=duration - MaxInterval *metav1.Duration `json:"maxInterval,omitempty"` + MaxInterval *gwapiv1.Duration `json:"maxInterval,omitempty"` // we can add rate limited based backoff config here if we want to. } diff --git a/api/v1alpha1/shared_types.go b/api/v1alpha1/shared_types.go index f9bff1d182..213212f4db 100644 --- a/api/v1alpha1/shared_types.go +++ b/api/v1alpha1/shared_types.go 
@@ -871,3 +871,84 @@ type CustomRedirect struct { // +kubebuilder:validation:Enum=301;302 StatusCode *int `json:"statusCode,omitempty"` } + +// HTTPHeaderFilter has been copied from the upstream Gateway API project +// https://github.com/kubernetes-sigs/gateway-api/blob/main/apis/v1/httproute_types.go +// and edited to increase the maxItems from 16 to 64 +// Remove this definition and reuse the upstream one once it supports items more than 64 + +// HTTPHeaderFilter defines a filter that modifies the headers of an HTTP +// request or response. Only one action for a given header name is +// permitted. Filters specifying multiple actions of the same or different +// type for any one header name are invalid. Configuration to set or add +// multiple values for a header must use RFC 7230 header value formatting, +// separating each value with a comma. +type HTTPHeaderFilter struct { + // Set overwrites the request with the given header (name, value) + // before the action. + // + // Input: + // GET /foo HTTP/1.1 + // my-header: foo + // + // Config: + // set: + // - name: "my-header" + // value: "bar" + // + // Output: + // GET /foo HTTP/1.1 + // my-header: bar + // + // +optional + // +listType=map + // +listMapKey=name + // +kubebuilder:validation:MaxItems=64 + Set []gwapiv1.HTTPHeader `json:"set,omitempty"` + + // Add adds the given header(s) (name, value) to the request + // before the action. It appends to any existing values associated + // with the header name. + // + // Input: + // GET /foo HTTP/1.1 + // my-header: foo + // + // Config: + // add: + // - name: "my-header" + // value: "bar,baz" + // + // Output: + // GET /foo HTTP/1.1 + // my-header: foo,bar,baz + // + // +optional + // +listType=map + // +listMapKey=name + // +kubebuilder:validation:MaxItems=64 + Add []gwapiv1.HTTPHeader `json:"add,omitempty"` + + // Remove the given header(s) from the HTTP request before the action. The + // value of Remove is a list of HTTP header names. 
Note that the header + // names are case-insensitive (see + // https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). + // + // Input: + // GET /foo HTTP/1.1 + // my-header1: foo + // my-header2: bar + // my-header3: baz + // + // Config: + // remove: ["my-header1", "my-header3"] + // + // Output: + // GET /foo HTTP/1.1 + // my-header2: bar + // + // +optional + // +listType=set + // +kubebuilder:validation:MaxItems=64 + Remove []string `json:"remove,omitempty"` +} diff --git a/api/v1alpha1/validation/envoygateway_validate.go b/api/v1alpha1/validation/envoygateway_validate.go index 3814b78fa4..37d9b63b5a 100644 --- a/api/v1alpha1/validation/envoygateway_validate.go +++ b/api/v1alpha1/validation/envoygateway_validate.go @@ -144,6 +144,7 @@ func validateEnvoyGatewayLogging(logging *egv1a1.EnvoyGatewayLogging) error { egv1a1.LogComponentGatewayAPIRunner, egv1a1.LogComponentXdsTranslatorRunner, egv1a1.LogComponentXdsServerRunner, + egv1a1.LogComponentXdsRunner, egv1a1.LogComponentInfrastructureRunner, egv1a1.LogComponentGlobalRateLimitRunner: switch logLevel { @@ -152,7 +153,7 @@ func validateEnvoyGatewayLogging(logging *egv1a1.EnvoyGatewayLogging) error { return fmt.Errorf("envoy gateway logging level invalid. valid options: info/debug/warn/error") } default: - return fmt.Errorf("envoy gateway logging components invalid. valid options: system/provider/gateway-api/xds-translator/xds-server/infrastructure") + return fmt.Errorf("envoy gateway logging components invalid. valid options: system/provider/gateway-api/xds-translator/xds-server/xds/infrastructure") } } return nil diff --git a/api/v1alpha1/zz_generated.deepcopy.go b/api/v1alpha1/zz_generated.deepcopy.go index 4ec48585c8..cdbb72f622 100644 --- a/api/v1alpha1/zz_generated.deepcopy.go +++ b/api/v1alpha1/zz_generated.deepcopy.go 
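Review bot: The provenance comment above `HTTPHeaderFilter` contradicts itself — it says the copy raised MaxItems from 16 to 64, then says to drop the copy `once it supports items more than 64`; it should read `Remove this definition and reuse the upstream one once it allows more than 16 items.` Recording the upstream commit or release the copy was taken from would make future re-syncing safer, because any validation markers added upstream later will not be picked up here. Worth noting in the doc as well: `Remove` entries are free-form strings, whereas names in `Set` and `Add` go through `gwapiv1.HTTPHeader` and inherit whatever name validation the upstream header type carries. Because a blank line separates the provenance paragraph from the type's doc block, godoc attaches only the second paragraph to the type, which is fine if intended.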
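Review bot: The updated error message in `validateEnvoyGatewayLogging` does not match the accepted component set: it lists `system` although the enum on `EnvoyGatewayLogComponent` in this diff is `default;provider;gateway-api;xds-translator;xds-server;xds;infrastructure;global-ratelimit`, and it omits `global-ratelimit`, which the `case` list in the previous hunk accepts (unless a `system` component is handled outside the hunk). Suggested text: `return fmt.Errorf("envoy gateway logging components invalid. valid options: default/provider/gateway-api/xds-translator/xds-server/xds/infrastructure/global-ratelimit")`. Building the message from the same slice the `switch` consults would keep the two from drifting again when the next component is added. The function starts outside the hunk.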
@@ -126,12 +126,12 @@ func (in *ActiveHealthCheck) DeepCopyInto(out *ActiveHealthCheck) { *out = *in if in.Timeout != nil { in, out := &in.Timeout, &out.Timeout - *out = new(metav1.Duration) + *out = new(v1.Duration) **out = **in } if in.Interval != nil { in, out := &in.Interval, &out.Interval - *out = new(metav1.Duration) + *out = new(v1.Duration) **out = **in } if in.InitialJitter != nil { @@ -279,12 +279,12 @@ func (in *BackOffPolicy) DeepCopyInto(out *BackOffPolicy) { *out = *in if in.BaseInterval != nil { in, out := &in.BaseInterval, &out.BaseInterval - *out = new(metav1.Duration) + *out = new(v1.Duration) **out = **in } if in.MaxInterval != nil { in, out := &in.MaxInterval, &out.MaxInterval - *out = new(metav1.Duration) + *out = new(v1.Duration) **out = **in } } @@ -826,7 +826,7 @@ func (in *CORS) DeepCopyInto(out *CORS) { } if in.MaxAge != nil { in, out := &in.MaxAge, &out.MaxAge - *out = new(metav1.Duration) + *out = new(v1.Duration) **out = **in } if in.AllowCredentials != nil { @@ -1379,7 +1379,7 @@ func (in *Cookie) DeepCopyInto(out *Cookie) { *out = *in if in.TTL != nil { in, out := &in.TTL, &out.TTL - *out = new(metav1.Duration) + *out = new(v1.Duration) **out = **in } if in.Attributes != nil { @@ -1578,7 +1578,7 @@ func (in *DNS) DeepCopyInto(out *DNS) { *out = *in if in.DNSRefreshRate != nil { in, out := &in.DNSRefreshRate, &out.DNSRefreshRate - *out = new(metav1.Duration) + *out = new(v1.Duration) **out = **in } if in.RespectDNSTTL != nil { @@ -2934,7 +2934,7 @@ func (in *FaultInjectionDelay) DeepCopyInto(out *FaultInjectionDelay) { *out = *in if in.FixedDelay != nil { in, out := &in.FixedDelay, &out.FixedDelay - *out = new(metav1.Duration) + *out = new(v1.Duration) **out = **in } if in.Percentage != nil { 
@@ -3364,6 +3364,36 @@ func (in *HTTPExtAuthService) DeepCopy() *HTTPExtAuthService { return out } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *HTTPHeaderFilter) DeepCopyInto(out *HTTPHeaderFilter) { + *out = *in + if in.Set != nil { + in, out := &in.Set, &out.Set + *out = make([]v1.HTTPHeader, len(*in)) + copy(*out, *in) + } + if in.Add != nil { + in, out := &in.Add, &out.Add + *out = make([]v1.HTTPHeader, len(*in)) + copy(*out, *in) + } + if in.Remove != nil { + in, out := &in.Remove, &out.Remove + *out = make([]string, len(*in)) + copy(*out, *in) + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new HTTPHeaderFilter. +func (in *HTTPHeaderFilter) DeepCopy() *HTTPHeaderFilter { + if in == nil { + return nil + } + out := new(HTTPHeaderFilter) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *HTTPHostnameModifier) DeepCopyInto(out *HTTPHostnameModifier) { *out = *in @@ -3652,7 +3682,7 @@ func (in *HeaderSettings) DeepCopyInto(out *HeaderSettings) { } if in.EarlyRequestHeaders != nil { in, out := &in.EarlyRequestHeaders, &out.EarlyRequestHeaders - *out = new(v1.HTTPHeaderFilter) + *out = new(HTTPHeaderFilter) (*in).DeepCopyInto(*out) } } @@ -4723,7 +4753,7 @@ func (in *OIDC) DeepCopyInto(out *OIDC) { } if in.DefaultTokenTTL != nil { in, out := &in.DefaultTokenTTL, &out.DefaultTokenTTL - *out = new(metav1.Duration) + *out = new(v1.Duration) **out = **in } if in.RefreshToken != nil { @@ -4733,7 +4763,7 @@ func (in *OIDC) DeepCopyInto(out *OIDC) { } if in.DefaultRefreshTokenTTL != nil { in, out := &in.DefaultRefreshTokenTTL, &out.DefaultRefreshTokenTTL - *out = new(metav1.Duration) + *out = new(v1.Duration) **out = **in } if in.PassThroughAuthHeader != nil { 
@@ -4941,7 +4971,7 @@ func (in *PassiveHealthCheck) DeepCopyInto(out *PassiveHealthCheck) { } if in.Interval != nil { in, out := &in.Interval, &out.Interval - *out = new(metav1.Duration) + *out = new(v1.Duration) **out = **in } if in.ConsecutiveLocalOriginFailures != nil { @@ -4961,7 +4991,7 @@ func (in *PassiveHealthCheck) DeepCopyInto(out *PassiveHealthCheck) { } if in.BaseEjectionTime != nil { in, out := &in.BaseEjectionTime, &out.BaseEjectionTime - *out = new(metav1.Duration) + *out = new(v1.Duration) **out = **in } if in.MaxEjectionPercent != nil { @@ -5031,7 +5061,7 @@ func (in *PerRetryPolicy) DeepCopyInto(out *PerRetryPolicy) { *out = *in if in.Timeout != nil { in, out := &in.Timeout, &out.Timeout - *out = new(metav1.Duration) + *out = new(v1.Duration) **out = **in } if in.BackOff != nil { @@ -5581,7 +5611,7 @@ func (in *RateLimit) DeepCopyInto(out *RateLimit) { in.Backend.DeepCopyInto(&out.Backend) if in.Timeout != nil { in, out := &in.Timeout, &out.Timeout - *out = new(metav1.Duration) + *out = new(v1.Duration) **out = **in } if in.Telemetry != nil { @@ -6309,12 +6339,12 @@ func (in *ShutdownConfig) DeepCopyInto(out *ShutdownConfig) { *out = *in if in.DrainTimeout != nil { in, out := &in.DrainTimeout, &out.DrainTimeout - *out = new(metav1.Duration) + *out = new(v1.Duration) **out = **in } if in.MinDrainDuration != nil { in, out := &in.MinDrainDuration, &out.MinDrainDuration - *out = new(metav1.Duration) + *out = new(v1.Duration) **out = **in } } @@ -6354,7 +6384,7 @@ func (in *SlowStart) DeepCopyInto(out *SlowStart) { *out = *in if in.Window != nil { in, out := &in.Window, &out.Window - *out = new(metav1.Duration) + *out = new(v1.Duration) **out = **in } } diff --git a/charts/gateway-crds-helm/templates/generated/gateway.envoyproxy.io_backendtrafficpolicies.yaml b/charts/gateway-crds-helm/templates/generated/gateway.envoyproxy.io_backendtrafficpolicies.yaml index 4be80d9bc6..2e7ce17d4e 100644 
--- a/charts/gateway-crds-helm/templates/generated/gateway.envoyproxy.io_backendtrafficpolicies.yaml +++ b/charts/gateway-crds-helm/templates/generated/gateway.envoyproxy.io_backendtrafficpolicies.yaml @@ -177,6 +177,7 @@ spec: description: |- DNSRefreshRate specifies the rate at which DNS records should be refreshed. Defaults to 30 seconds. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string lookupFamily: description: |- @@ -235,6 +236,7 @@ spec: properties: fixedDelay: description: FixedDelay specifies the fixed delay duration + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string percentage: default: 100 @@ -349,14 +351,13 @@ spec: description: |- InitialJitter defines the maximum time Envoy will wait before the first health check. Envoy will randomly select a value between 0 and the initial jitter value. - format: duration pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string interval: default: 3s description: Interval defines the time between active health checks. - format: duration + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string tcp: description: |- @@ -430,7 +431,7 @@ spec: default: 1s description: Timeout defines the time to wait for a health check response. - format: duration + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string type: allOf: @@ -481,7 +482,7 @@ spec: default: 30s description: BaseEjectionTime defines the base duration for which a host will be ejected on consecutive failures. - format: duration + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string consecutive5XxErrors: default: 5 @@ -506,7 +507,7 @@ spec: default: 3s description: Interval defines the time between passive health checks. - format: duration + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string maxEjectionPercent: default: 10 @@ -625,6 +626,7 @@ spec: description: |- TTL of the generated cookie if the cookie is not present. This value sets the Max-Age attribute value. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string required: - name 
@@ -708,6 +710,7 @@ spec: During slow start window, traffic sent to the newly added hosts will gradually increase. Currently only supports linear growth of traffic. For additional details, see https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/cluster/v3/cluster.proto#config-cluster-v3-cluster-slowstartconfig + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string required: - window @@ -1643,18 +1646,18 @@ spec: baseInterval: description: BaseInterval is the base interval between retries. - format: duration + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string maxInterval: description: |- MaxInterval is the maximum interval between retries. This parameter is optional, but must be greater than or equal to the base_interval if set. The default is 10 times the base_interval - format: duration + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string type: object timeout: description: Timeout is the timeout per retry attempt. - format: duration + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string type: object retryOn: diff --git a/charts/gateway-crds-helm/templates/generated/gateway.envoyproxy.io_clienttrafficpolicies.yaml b/charts/gateway-crds-helm/templates/generated/gateway.envoyproxy.io_clienttrafficpolicies.yaml index 311faf9cef..f23d6b2442 100644 --- a/charts/gateway-crds-helm/templates/generated/gateway.envoyproxy.io_clienttrafficpolicies.yaml +++ b/charts/gateway-crds-helm/templates/generated/gateway.envoyproxy.io_clienttrafficpolicies.yaml @@ -244,7 +244,7 @@ spec: - name - value type: object - maxItems: 16 + maxItems: 64 type: array x-kubernetes-list-map-keys: - name @@ -270,7 +270,7 @@ spec: my-header2: bar items: type: string - maxItems: 16 + maxItems: 64 type: array x-kubernetes-list-type: set set: @@ -318,7 +318,7 @@ spec: - name - value type: object - maxItems: 16 + maxItems: 64 type: array x-kubernetes-list-map-keys: - name 
diff --git a/charts/gateway-crds-helm/templates/generated/gateway.envoyproxy.io_envoyextensionpolicies.yaml b/charts/gateway-crds-helm/templates/generated/gateway.envoyproxy.io_envoyextensionpolicies.yaml index 73556e46e8..cfb084ddca 100644 --- a/charts/gateway-crds-helm/templates/generated/gateway.envoyproxy.io_envoyextensionpolicies.yaml +++ b/charts/gateway-crds-helm/templates/generated/gateway.envoyproxy.io_envoyextensionpolicies.yaml @@ -324,6 +324,7 @@ spec: description: |- DNSRefreshRate specifies the rate at which DNS records should be refreshed. Defaults to 30 seconds. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string lookupFamily: description: |- @@ -447,14 +448,13 @@ spec: description: |- InitialJitter defines the maximum time Envoy will wait before the first health check. Envoy will randomly select a value between 0 and the initial jitter value. - format: duration pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string interval: default: 3s description: Interval defines the time between active health checks. - format: duration + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string tcp: description: |- @@ -533,7 +533,7 @@ spec: default: 1s description: Timeout defines the time to wait for a health check response. - format: duration + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string type: allOf: @@ -586,7 +586,7 @@ spec: description: BaseEjectionTime defines the base duration for which a host will be ejected on consecutive failures. - format: duration + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string consecutive5XxErrors: default: 5 @@ -611,7 +611,7 @@ spec: default: 3s description: Interval defines the time between passive health checks. - format: duration + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string maxEjectionPercent: default: 10 
@@ -701,6 +701,7 @@ spec: description: |- TTL of the generated cookie if the cookie is not present. This value sets the Max-Age attribute value. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string required: - name @@ -787,6 +788,7 @@ spec: During slow start window, traffic sent to the newly added hosts will gradually increase. Currently only supports linear growth of traffic. For additional details, see https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/cluster/v3/cluster.proto#config-cluster-v3-cluster-slowstartconfig + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string required: - window @@ -899,18 +901,18 @@ spec: baseInterval: description: BaseInterval is the base interval between retries. - format: duration + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string maxInterval: description: |- MaxInterval is the maximum interval between retries. This parameter is optional, but must be greater than or equal to the base_interval if set. The default is 10 times the base_interval - format: duration + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string type: object timeout: description: Timeout is the timeout per retry attempt. - format: duration + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string type: object retryOn: diff --git a/charts/gateway-crds-helm/templates/generated/gateway.envoyproxy.io_envoyproxies.yaml b/charts/gateway-crds-helm/templates/generated/gateway.envoyproxy.io_envoyproxies.yaml index bca62d14d3..004ea44c93 100644 --- a/charts/gateway-crds-helm/templates/generated/gateway.envoyproxy.io_envoyproxies.yaml +++ b/charts/gateway-crds-helm/templates/generated/gateway.envoyproxy.io_envoyproxies.yaml 
@@ -10516,11 +10516,13 @@ spec: description: |- DrainTimeout defines the graceful drain timeout. This should be less than the pod's terminationGracePeriodSeconds. If unspecified, defaults to 60 seconds. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string minDrainDuration: description: |- MinDrainDuration defines the minimum drain duration allowing time for endpoint deprogramming to complete. If unspecified, defaults to 10 seconds. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string type: object telemetry: @@ -10874,6 +10876,7 @@ spec: description: |- DNSRefreshRate specifies the rate at which DNS records should be refreshed. Defaults to 30 seconds. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string lookupFamily: description: |- @@ -11007,7 +11010,6 @@ spec: description: |- InitialJitter defines the maximum time Envoy will wait before the first health check. Envoy will randomly select a value between 0 and the initial jitter value. - format: duration pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string interval: @@ -11015,7 +11017,7 @@ spec: description: Interval defines the time between active health checks. - format: duration + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string tcp: description: |- @@ -11104,7 +11106,7 @@ spec: description: Timeout defines the time to wait for a health check response. - format: duration + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string type: allOf: @@ -11167,7 +11169,7 @@ spec: defines the base duration for which a host will be ejected on consecutive failures. - format: duration + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string consecutive5XxErrors: default: 5 @@ -11195,7 +11197,7 @@ spec: description: Interval defines the time between passive health checks. - format: duration + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string maxEjectionPercent: default: 10 
@@ -11290,6 +11292,7 @@ spec: description: |- TTL of the generated cookie if the cookie is not present. This value sets the Max-Age attribute value. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string required: - name @@ -11384,6 +11387,7 @@ spec: During slow start window, traffic sent to the newly added hosts will gradually increase. Currently only supports linear growth of traffic. For additional details, see https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/cluster/v3/cluster.proto#config-cluster-v3-cluster-slowstartconfig + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string required: - window @@ -11505,19 +11509,19 @@ spec: description: BaseInterval is the base interval between retries. - format: duration + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string maxInterval: description: |- MaxInterval is the maximum interval between retries. This parameter is optional, but must be greater than or equal to the base_interval if set. The default is 10 times the base_interval - format: duration + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string type: object timeout: description: Timeout is the timeout per retry attempt. - format: duration + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string type: object retryOn: @@ -11985,6 +11989,7 @@ spec: description: |- DNSRefreshRate specifies the rate at which DNS records should be refreshed. Defaults to 30 seconds. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string lookupFamily: description: |- @@ -12118,7 +12123,6 @@ spec: description: |- InitialJitter defines the maximum time Envoy will wait before the first health check. Envoy will randomly select a value between 0 and the initial jitter value. - format: duration pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string interval: @@ -12126,7 +12130,7 @@ spec: description: Interval defines the time between active health checks. - format: duration + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string tcp: description: |- 
@@ -12215,7 +12219,7 @@ spec: description: Timeout defines the time to wait for a health check response. - format: duration + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string type: allOf: @@ -12278,7 +12282,7 @@ spec: defines the base duration for which a host will be ejected on consecutive failures. - format: duration + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string consecutive5XxErrors: default: 5 @@ -12306,7 +12310,7 @@ spec: description: Interval defines the time between passive health checks. - format: duration + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string maxEjectionPercent: default: 10 @@ -12401,6 +12405,7 @@ spec: description: |- TTL of the generated cookie if the cookie is not present. This value sets the Max-Age attribute value. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string required: - name @@ -12495,6 +12500,7 @@ spec: During slow start window, traffic sent to the newly added hosts will gradually increase. Currently only supports linear growth of traffic. For additional details, see https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/cluster/v3/cluster.proto#config-cluster-v3-cluster-slowstartconfig + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string required: - window @@ -12616,19 +12622,19 @@ spec: description: BaseInterval is the base interval between retries. - format: duration + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string maxInterval: description: |- MaxInterval is the maximum interval between retries. This parameter is optional, but must be greater than or equal to the base_interval if set. The default is 10 times the base_interval - format: duration + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string type: object timeout: description: Timeout is the timeout per retry attempt. - format: duration + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string type: object retryOn: 
@@ -13204,6 +13210,7 @@ spec: description: |- DNSRefreshRate specifies the rate at which DNS records should be refreshed. Defaults to 30 seconds. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string lookupFamily: description: |- @@ -13332,14 +13339,13 @@ spec: description: |- InitialJitter defines the maximum time Envoy will wait before the first health check. Envoy will randomly select a value between 0 and the initial jitter value. - format: duration pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string interval: default: 3s description: Interval defines the time between active health checks. - format: duration + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string tcp: description: |- @@ -13423,7 +13429,7 @@ spec: default: 1s description: Timeout defines the time to wait for a health check response. - format: duration + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string type: allOf: @@ -13481,7 +13487,7 @@ spec: description: BaseEjectionTime defines the base duration for which a host will be ejected on consecutive failures. - format: duration + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string consecutive5XxErrors: default: 5 @@ -13508,7 +13514,7 @@ spec: default: 3s description: Interval defines the time between passive health checks. - format: duration + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string maxEjectionPercent: default: 10 @@ -13600,6 +13606,7 @@ spec: description: |- TTL of the generated cookie if the cookie is not present. This value sets the Max-Age attribute value. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string required: - name @@ -13690,6 +13697,7 @@ spec: During slow start window, traffic sent to the newly added hosts will gradually increase. Currently only supports linear growth of traffic. For additional details, see https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/cluster/v3/cluster.proto#config-cluster-v3-cluster-slowstartconfig + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string required: - window 
@@ -13806,19 +13814,19 @@ spec: baseInterval: description: BaseInterval is the base interval between retries. - format: duration + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string maxInterval: description: |- MaxInterval is the maximum interval between retries. This parameter is optional, but must be greater than or equal to the base_interval if set. The default is 10 times the base_interval - format: duration + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string type: object timeout: description: Timeout is the timeout per retry attempt. - format: duration + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string type: object retryOn: @@ -14320,6 +14328,7 @@ spec: description: |- DNSRefreshRate specifies the rate at which DNS records should be refreshed. Defaults to 30 seconds. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string lookupFamily: description: |- @@ -14447,14 +14456,13 @@ spec: description: |- InitialJitter defines the maximum time Envoy will wait before the first health check. Envoy will randomly select a value between 0 and the initial jitter value. - format: duration pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string interval: default: 3s description: Interval defines the time between active health checks. - format: duration + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string tcp: description: |- @@ -14538,7 +14546,7 @@ spec: default: 1s description: Timeout defines the time to wait for a health check response. - format: duration + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string type: allOf: @@ -14595,7 +14603,7 @@ spec: description: BaseEjectionTime defines the base duration for which a host will be ejected on consecutive failures. - format: duration + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string consecutive5XxErrors: default: 5 
@@ -14622,7 +14630,7 @@ spec: default: 3s description: Interval defines the time between passive health checks. - format: duration + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string maxEjectionPercent: default: 10 @@ -14714,6 +14722,7 @@ spec: description: |- TTL of the generated cookie if the cookie is not present. This value sets the Max-Age attribute value. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string required: - name @@ -14803,6 +14812,7 @@ spec: During slow start window, traffic sent to the newly added hosts will gradually increase. Currently only supports linear growth of traffic. For additional details, see https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/cluster/v3/cluster.proto#config-cluster-v3-cluster-slowstartconfig + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string required: - window @@ -14917,19 +14927,19 @@ spec: baseInterval: description: BaseInterval is the base interval between retries. - format: duration + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string maxInterval: description: |- MaxInterval is the maximum interval between retries. This parameter is optional, but must be greater than or equal to the base_interval if set. The default is 10 times the base_interval - format: duration + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string type: object timeout: description: Timeout is the timeout per retry attempt. - format: duration + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string type: object retryOn: diff --git a/charts/gateway-crds-helm/templates/generated/gateway.envoyproxy.io_securitypolicies.yaml b/charts/gateway-crds-helm/templates/generated/gateway.envoyproxy.io_securitypolicies.yaml index 79af9ce40c..9a53734974 100644 --- a/charts/gateway-crds-helm/templates/generated/gateway.envoyproxy.io_securitypolicies.yaml +++ b/charts/gateway-crds-helm/templates/generated/gateway.envoyproxy.io_securitypolicies.yaml 
@@ -522,6 +522,7 @@ spec: description: |- MaxAge defines how long the results of a preflight request can be cached. It specifies the value in the Access-Control-Max-Age CORS response header.. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string type: object extAuth: @@ -828,6 +829,7 @@ spec: description: |- DNSRefreshRate specifies the rate at which DNS records should be refreshed. Defaults to 30 seconds. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string lookupFamily: description: |- @@ -951,14 +953,13 @@ spec: description: |- InitialJitter defines the maximum time Envoy will wait before the first health check. Envoy will randomly select a value between 0 and the initial jitter value. - format: duration pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string interval: default: 3s description: Interval defines the time between active health checks. - format: duration + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string tcp: description: |- @@ -1037,7 +1038,7 @@ spec: default: 1s description: Timeout defines the time to wait for a health check response. - format: duration + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string type: allOf: @@ -1092,7 +1093,7 @@ spec: description: BaseEjectionTime defines the base duration for which a host will be ejected on consecutive failures. - format: duration + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string consecutive5XxErrors: default: 5 @@ -1118,7 +1119,7 @@ spec: default: 3s description: Interval defines the time between passive health checks. - format: duration + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string maxEjectionPercent: default: 10 @@ -1210,6 +1211,7 @@ spec: description: |- TTL of the generated cookie if the cookie is not present. This value sets the Max-Age attribute value. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string required: - name 
@@ -1297,6 +1299,7 @@ spec: During slow start window, traffic sent to the newly added hosts will gradually increase. Currently only supports linear growth of traffic. For additional details, see https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/cluster/v3/cluster.proto#config-cluster-v3-cluster-slowstartconfig + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string required: - window @@ -1411,19 +1414,19 @@ spec: baseInterval: description: BaseInterval is the base interval between retries. - format: duration + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string maxInterval: description: |- MaxInterval is the maximum interval between retries. This parameter is optional, but must be greater than or equal to the base_interval if set. The default is 10 times the base_interval - format: duration + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string type: object timeout: description: Timeout is the timeout per retry attempt. - format: duration + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string type: object retryOn: @@ -1835,6 +1838,7 @@ spec: description: |- DNSRefreshRate specifies the rate at which DNS records should be refreshed. Defaults to 30 seconds. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string lookupFamily: description: |- @@ -1958,14 +1962,13 @@ spec: description: |- InitialJitter defines the maximum time Envoy will wait before the first health check. Envoy will randomly select a value between 0 and the initial jitter value. - format: duration pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string interval: default: 3s description: Interval defines the time between active health checks. - format: duration + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string tcp: description: |- @@ -2044,7 +2047,7 @@ spec: default: 1s description: Timeout defines the time to wait for a health check response. - format: duration + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string type: allOf: 
@@ -2099,7 +2102,7 @@ spec: description: BaseEjectionTime defines the base duration for which a host will be ejected on consecutive failures. - format: duration + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string consecutive5XxErrors: default: 5 @@ -2125,7 +2128,7 @@ spec: default: 3s description: Interval defines the time between passive health checks. - format: duration + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string maxEjectionPercent: default: 10 @@ -2217,6 +2220,7 @@ spec: description: |- TTL of the generated cookie if the cookie is not present. This value sets the Max-Age attribute value. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string required: - name @@ -2304,6 +2308,7 @@ spec: During slow start window, traffic sent to the newly added hosts will gradually increase. Currently only supports linear growth of traffic. For additional details, see https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/cluster/v3/cluster.proto#config-cluster-v3-cluster-slowstartconfig + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string required: - window @@ -2418,19 +2423,19 @@ spec: baseInterval: description: BaseInterval is the base interval between retries. - format: duration + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string maxInterval: description: |- MaxInterval is the maximum interval between retries. This parameter is optional, but must be greater than or equal to the base_interval if set. The default is 10 times the base_interval - format: duration + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string type: object timeout: description: Timeout is the timeout per retry attempt. - format: duration + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string type: object retryOn: @@ -3034,6 +3039,7 @@ spec: description: |- DNSRefreshRate specifies the rate at which DNS records should be refreshed. Defaults to 30 seconds. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string lookupFamily: description: |- 
@@ -3161,14 +3167,13 @@ spec: description: |- InitialJitter defines the maximum time Envoy will wait before the first health check. Envoy will randomly select a value between 0 and the initial jitter value. - format: duration pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string interval: default: 3s description: Interval defines the time between active health checks. - format: duration + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string tcp: description: |- @@ -3252,7 +3257,7 @@ spec: default: 1s description: Timeout defines the time to wait for a health check response. - format: duration + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string type: allOf: @@ -3310,7 +3315,7 @@ spec: description: BaseEjectionTime defines the base duration for which a host will be ejected on consecutive failures. - format: duration + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string consecutive5XxErrors: default: 5 @@ -3337,7 +3342,7 @@ spec: default: 3s description: Interval defines the time between passive health checks. - format: duration + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string maxEjectionPercent: default: 10 @@ -3429,6 +3434,7 @@ spec: description: |- TTL of the generated cookie if the cookie is not present. This value sets the Max-Age attribute value. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string required: - name @@ -3518,6 +3524,7 @@ spec: During slow start window, traffic sent to the newly added hosts will gradually increase. Currently only supports linear growth of traffic. For additional details, see https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/cluster/v3/cluster.proto#config-cluster-v3-cluster-slowstartconfig + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string required: - window 
@@ -3633,19 +3640,19 @@ spec: baseInterval: description: BaseInterval is the base interval between retries. - format: duration + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string maxInterval: description: |- MaxInterval is the maximum interval between retries. This parameter is optional, but must be greater than or equal to the base_interval if set. The default is 10 times the base_interval - format: duration + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string type: object timeout: description: Timeout is the timeout per retry attempt. - format: duration + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string type: object retryOn: @@ -3944,6 +3951,7 @@ spec: If not specified, defaults to 604800s (one week). Note: this field is only applicable when the "refreshToken" field is set to true. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string defaultTokenTTL: description: |- @@ -3955,6 +3963,7 @@ spec: If not specified, defaults to 0. In this case, the "expires_in" field in the authorization response must be set by the authorization server, or the OAuth flow will fail. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string denyRedirect: description: |- @@ -4297,6 +4306,7 @@ spec: description: |- DNSRefreshRate specifies the rate at which DNS records should be refreshed. Defaults to 30 seconds. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string lookupFamily: description: |- @@ -4420,14 +4430,13 @@ spec: description: |- InitialJitter defines the maximum time Envoy will wait before the first health check. Envoy will randomly select a value between 0 and the initial jitter value. - format: duration pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string interval: default: 3s description: Interval defines the time between active health checks. - format: duration + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string tcp: description: |- 
@@ -4506,7 +4515,7 @@ spec: default: 1s description: Timeout defines the time to wait for a health check response. - format: duration + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string type: allOf: @@ -4561,7 +4570,7 @@ spec: description: BaseEjectionTime defines the base duration for which a host will be ejected on consecutive failures. - format: duration + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string consecutive5XxErrors: default: 5 @@ -4587,7 +4596,7 @@ spec: default: 3s description: Interval defines the time between passive health checks. - format: duration + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string maxEjectionPercent: default: 10 @@ -4679,6 +4688,7 @@ spec: description: |- TTL of the generated cookie if the cookie is not present. This value sets the Max-Age attribute value. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string required: - name @@ -4766,6 +4776,7 @@ spec: During slow start window, traffic sent to the newly added hosts will gradually increase. Currently only supports linear growth of traffic. For additional details, see https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/cluster/v3/cluster.proto#config-cluster-v3-cluster-slowstartconfig + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string required: - window @@ -4880,19 +4891,19 @@ spec: baseInterval: description: BaseInterval is the base interval between retries. - format: duration + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string maxInterval: description: |- MaxInterval is the maximum interval between retries. This parameter is optional, but must be greater than or equal to the base_interval if set. The default is 10 times the base_interval - format: duration + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string type: object timeout: description: Timeout is the timeout per retry attempt. - format: duration + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string type: object retryOn: 
diff --git a/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_backendtrafficpolicies.yaml b/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_backendtrafficpolicies.yaml index f87cb95968..1200bdf0c3 100644 --- a/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_backendtrafficpolicies.yaml +++ b/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_backendtrafficpolicies.yaml @@ -176,6 +176,7 @@ spec: description: |- DNSRefreshRate specifies the rate at which DNS records should be refreshed. Defaults to 30 seconds. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string lookupFamily: description: |- @@ -234,6 +235,7 @@ spec: properties: fixedDelay: description: FixedDelay specifies the fixed delay duration + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string percentage: default: 100 @@ -348,14 +350,13 @@ spec: description: |- InitialJitter defines the maximum time Envoy will wait before the first health check. Envoy will randomly select a value between 0 and the initial jitter value. - format: duration pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string interval: default: 3s description: Interval defines the time between active health checks. - format: duration + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string tcp: description: |- @@ -429,7 +430,7 @@ spec: default: 1s description: Timeout defines the time to wait for a health check response. - format: duration + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string type: allOf: @@ -480,7 +481,7 @@ spec: default: 30s description: BaseEjectionTime defines the base duration for which a host will be ejected on consecutive failures. - format: duration + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string consecutive5XxErrors: default: 5 @@ -505,7 +506,7 @@ spec: default: 3s description: Interval defines the time between passive health checks. - format: duration + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string maxEjectionPercent: default: 10 
@@ -624,6 +625,7 @@ spec: description: |- TTL of the generated cookie if the cookie is not present. This value sets the Max-Age attribute value. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string required: - name @@ -707,6 +709,7 @@ spec: During slow start window, traffic sent to the newly added hosts will gradually increase. Currently only supports linear growth of traffic. For additional details, see https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/cluster/v3/cluster.proto#config-cluster-v3-cluster-slowstartconfig + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string required: - window @@ -1642,18 +1645,18 @@ spec: baseInterval: description: BaseInterval is the base interval between retries. - format: duration + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string maxInterval: description: |- MaxInterval is the maximum interval between retries. This parameter is optional, but must be greater than or equal to the base_interval if set. The default is 10 times the base_interval - format: duration + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string type: object timeout: description: Timeout is the timeout per retry attempt. - format: duration + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string type: object retryOn: diff --git a/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_clienttrafficpolicies.yaml b/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_clienttrafficpolicies.yaml index 85e91f5882..f3ba0cdd22 100644 --- a/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_clienttrafficpolicies.yaml +++ b/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_clienttrafficpolicies.yaml @@ -243,7 +243,7 @@ spec: - name - value type: object - maxItems: 16 + maxItems: 64 type: array x-kubernetes-list-map-keys: - name @@ -269,7 +269,7 @@ spec: my-header2: bar items: type: string - maxItems: 16 + maxItems: 64 type: array x-kubernetes-list-type: set set: 
@@ -317,7 +317,7 @@ spec: - name - value type: object - maxItems: 16 + maxItems: 64 type: array x-kubernetes-list-map-keys: - name diff --git a/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_envoyextensionpolicies.yaml b/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_envoyextensionpolicies.yaml index 2ed348e214..aeed98b113 100644 --- a/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_envoyextensionpolicies.yaml +++ b/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_envoyextensionpolicies.yaml @@ -323,6 +323,7 @@ spec: description: |- DNSRefreshRate specifies the rate at which DNS records should be refreshed. Defaults to 30 seconds. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string lookupFamily: description: |- @@ -446,14 +447,13 @@ spec: description: |- InitialJitter defines the maximum time Envoy will wait before the first health check. Envoy will randomly select a value between 0 and the initial jitter value. - format: duration pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string interval: default: 3s description: Interval defines the time between active health checks. - format: duration + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string tcp: description: |- @@ -532,7 +532,7 @@ spec: default: 1s description: Timeout defines the time to wait for a health check response. - format: duration + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string type: allOf: @@ -585,7 +585,7 @@ spec: description: BaseEjectionTime defines the base duration for which a host will be ejected on consecutive failures. - format: duration + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string consecutive5XxErrors: default: 5 @@ -610,7 +610,7 @@ spec: default: 3s description: Interval defines the time between passive health checks. - format: duration + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string maxEjectionPercent: default: 10 
@@ -700,6 +700,7 @@ spec: description: |- TTL of the generated cookie if the cookie is not present. This value sets the Max-Age attribute value. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string required: - name @@ -786,6 +787,7 @@ spec: During slow start window, traffic sent to the newly added hosts will gradually increase. Currently only supports linear growth of traffic. For additional details, see https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/cluster/v3/cluster.proto#config-cluster-v3-cluster-slowstartconfig + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string required: - window @@ -898,18 +900,18 @@ spec: baseInterval: description: BaseInterval is the base interval between retries. - format: duration + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string maxInterval: description: |- MaxInterval is the maximum interval between retries. This parameter is optional, but must be greater than or equal to the base_interval if set. The default is 10 times the base_interval - format: duration + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string type: object timeout: description: Timeout is the timeout per retry attempt. - format: duration + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string type: object retryOn: diff --git a/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_envoyproxies.yaml b/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_envoyproxies.yaml index fe454279c2..7d99356073 100644 --- a/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_envoyproxies.yaml +++ b/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_envoyproxies.yaml 
@@ -10515,11 +10515,13 @@ spec: description: |- DrainTimeout defines the graceful drain timeout. This should be less than the pod's terminationGracePeriodSeconds. If unspecified, defaults to 60 seconds. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string minDrainDuration: description: |- MinDrainDuration defines the minimum drain duration allowing time for endpoint deprogramming to complete. If unspecified, defaults to 10 seconds. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string type: object telemetry: @@ -10873,6 +10875,7 @@ spec: description: |- DNSRefreshRate specifies the rate at which DNS records should be refreshed. Defaults to 30 seconds. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string lookupFamily: description: |- @@ -11006,7 +11009,6 @@ spec: description: |- InitialJitter defines the maximum time Envoy will wait before the first health check. Envoy will randomly select a value between 0 and the initial jitter value. - format: duration pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string interval: @@ -11014,7 +11016,7 @@ spec: description: Interval defines the time between active health checks. - format: duration + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string tcp: description: |- @@ -11103,7 +11105,7 @@ spec: description: Timeout defines the time to wait for a health check response. - format: duration + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string type: allOf: @@ -11166,7 +11168,7 @@ spec: defines the base duration for which a host will be ejected on consecutive failures. - format: duration + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string consecutive5XxErrors: default: 5 @@ -11194,7 +11196,7 @@ spec: description: Interval defines the time between passive health checks. - format: duration + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string maxEjectionPercent: default: 10 
@@ -11289,6 +11291,7 @@ spec: description: |- TTL of the generated cookie if the cookie is not present. This value sets the Max-Age attribute value. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string required: - name @@ -11383,6 +11386,7 @@ spec: During slow start window, traffic sent to the newly added hosts will gradually increase. Currently only supports linear growth of traffic. For additional details, see https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/cluster/v3/cluster.proto#config-cluster-v3-cluster-slowstartconfig + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string required: - window @@ -11504,19 +11508,19 @@ spec: description: BaseInterval is the base interval between retries. - format: duration + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string maxInterval: description: |- MaxInterval is the maximum interval between retries. This parameter is optional, but must be greater than or equal to the base_interval if set. The default is 10 times the base_interval - format: duration + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string type: object timeout: description: Timeout is the timeout per retry attempt. - format: duration + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string type: object retryOn: @@ -11984,6 +11988,7 @@ spec: description: |- DNSRefreshRate specifies the rate at which DNS records should be refreshed. Defaults to 30 seconds. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string lookupFamily: description: |- @@ -12117,7 +12122,6 @@ spec: description: |- InitialJitter defines the maximum time Envoy will wait before the first health check. Envoy will randomly select a value between 0 and the initial jitter value. - format: duration pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string interval: @@ -12125,7 +12129,7 @@ spec: description: Interval defines the time between active health checks. - format: duration + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string tcp: description: |- 
@@ -12214,7 +12218,7 @@ spec: description: Timeout defines the time to wait for a health check response. - format: duration + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string type: allOf: @@ -12277,7 +12281,7 @@ spec: defines the base duration for which a host will be ejected on consecutive failures. - format: duration + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string consecutive5XxErrors: default: 5 @@ -12305,7 +12309,7 @@ spec: description: Interval defines the time between passive health checks. - format: duration + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string maxEjectionPercent: default: 10 @@ -12400,6 +12404,7 @@ spec: description: |- TTL of the generated cookie if the cookie is not present. This value sets the Max-Age attribute value. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string required: - name @@ -12494,6 +12499,7 @@ spec: During slow start window, traffic sent to the newly added hosts will gradually increase. Currently only supports linear growth of traffic. For additional details, see https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/cluster/v3/cluster.proto#config-cluster-v3-cluster-slowstartconfig + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string required: - window @@ -12615,19 +12621,19 @@ spec: description: BaseInterval is the base interval between retries. - format: duration + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string maxInterval: description: |- MaxInterval is the maximum interval between retries. This parameter is optional, but must be greater than or equal to the base_interval if set. The default is 10 times the base_interval - format: duration + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string type: object timeout: description: Timeout is the timeout per retry attempt. - format: duration + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string type: object retryOn: 
@@ -13203,6 +13209,7 @@ spec: description: |- DNSRefreshRate specifies the rate at which DNS records should be refreshed. Defaults to 30 seconds. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string lookupFamily: description: |- @@ -13331,14 +13338,13 @@ spec: description: |- InitialJitter defines the maximum time Envoy will wait before the first health check. Envoy will randomly select a value between 0 and the initial jitter value. - format: duration pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string interval: default: 3s description: Interval defines the time between active health checks. - format: duration + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string tcp: description: |- @@ -13422,7 +13428,7 @@ spec: default: 1s description: Timeout defines the time to wait for a health check response. - format: duration + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string type: allOf: @@ -13480,7 +13486,7 @@ spec: description: BaseEjectionTime defines the base duration for which a host will be ejected on consecutive failures. - format: duration + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string consecutive5XxErrors: default: 5 @@ -13507,7 +13513,7 @@ spec: default: 3s description: Interval defines the time between passive health checks. - format: duration + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string maxEjectionPercent: default: 10 @@ -13599,6 +13605,7 @@ spec: description: |- TTL of the generated cookie if the cookie is not present. This value sets the Max-Age attribute value. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string required: - name @@ -13689,6 +13696,7 @@ spec: During slow start window, traffic sent to the newly added hosts will gradually increase. Currently only supports linear growth of traffic. For additional details, see https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/cluster/v3/cluster.proto#config-cluster-v3-cluster-slowstartconfig + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string required: - window 
@@ -13805,19 +13813,19 @@ spec: baseInterval: description: BaseInterval is the base interval between retries. - format: duration + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string maxInterval: description: |- MaxInterval is the maximum interval between retries. This parameter is optional, but must be greater than or equal to the base_interval if set. The default is 10 times the base_interval - format: duration + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string type: object timeout: description: Timeout is the timeout per retry attempt. - format: duration + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string type: object retryOn: @@ -14319,6 +14327,7 @@ spec: description: |- DNSRefreshRate specifies the rate at which DNS records should be refreshed. Defaults to 30 seconds. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string lookupFamily: description: |- @@ -14446,14 +14455,13 @@ spec: description: |- InitialJitter defines the maximum time Envoy will wait before the first health check. Envoy will randomly select a value between 0 and the initial jitter value. - format: duration pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string interval: default: 3s description: Interval defines the time between active health checks. - format: duration + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string tcp: description: |- @@ -14537,7 +14545,7 @@ spec: default: 1s description: Timeout defines the time to wait for a health check response. - format: duration + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string type: allOf: @@ -14594,7 +14602,7 @@ spec: description: BaseEjectionTime defines the base duration for which a host will be ejected on consecutive failures. - format: duration + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string consecutive5XxErrors: default: 5 
@@ -14621,7 +14629,7 @@ spec: default: 3s description: Interval defines the time between passive health checks. - format: duration + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string maxEjectionPercent: default: 10 @@ -14713,6 +14721,7 @@ spec: description: |- TTL of the generated cookie if the cookie is not present. This value sets the Max-Age attribute value. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string required: - name @@ -14802,6 +14811,7 @@ spec: During slow start window, traffic sent to the newly added hosts will gradually increase. Currently only supports linear growth of traffic. For additional details, see https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/cluster/v3/cluster.proto#config-cluster-v3-cluster-slowstartconfig + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string required: - window @@ -14916,19 +14926,19 @@ spec: baseInterval: description: BaseInterval is the base interval between retries. - format: duration + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string maxInterval: description: |- MaxInterval is the maximum interval between retries. This parameter is optional, but must be greater than or equal to the base_interval if set. The default is 10 times the base_interval - format: duration + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string type: object timeout: description: Timeout is the timeout per retry attempt. - format: duration + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string type: object retryOn: diff --git a/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_securitypolicies.yaml b/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_securitypolicies.yaml index ea1b263aca..090a8f8e2c 100644 --- a/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_securitypolicies.yaml +++ b/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_securitypolicies.yaml 
@@ -521,6 +521,7 @@ spec: description: |- MaxAge defines how long the results of a preflight request can be cached. It specifies the value in the Access-Control-Max-Age CORS response header.. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string type: object extAuth: @@ -827,6 +828,7 @@ spec: description: |- DNSRefreshRate specifies the rate at which DNS records should be refreshed. Defaults to 30 seconds. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string lookupFamily: description: |- @@ -950,14 +952,13 @@ spec: description: |- InitialJitter defines the maximum time Envoy will wait before the first health check. Envoy will randomly select a value between 0 and the initial jitter value. - format: duration pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string interval: default: 3s description: Interval defines the time between active health checks. - format: duration + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string tcp: description: |- @@ -1036,7 +1037,7 @@ spec: default: 1s description: Timeout defines the time to wait for a health check response. - format: duration + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string type: allOf: @@ -1091,7 +1092,7 @@ spec: description: BaseEjectionTime defines the base duration for which a host will be ejected on consecutive failures. - format: duration + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string consecutive5XxErrors: default: 5 @@ -1117,7 +1118,7 @@ spec: default: 3s description: Interval defines the time between passive health checks. - format: duration + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string maxEjectionPercent: default: 10 @@ -1209,6 +1210,7 @@ spec: description: |- TTL of the generated cookie if the cookie is not present. This value sets the Max-Age attribute value. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string required: - name 
@@ -1296,6 +1298,7 @@ spec: During slow start window, traffic sent to the newly added hosts will gradually increase. Currently only supports linear growth of traffic. For additional details, see https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/cluster/v3/cluster.proto#config-cluster-v3-cluster-slowstartconfig + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string required: - window @@ -1410,19 +1413,19 @@ spec: baseInterval: description: BaseInterval is the base interval between retries. - format: duration + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string maxInterval: description: |- MaxInterval is the maximum interval between retries. This parameter is optional, but must be greater than or equal to the base_interval if set. The default is 10 times the base_interval - format: duration + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string type: object timeout: description: Timeout is the timeout per retry attempt. - format: duration + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string type: object retryOn: @@ -1834,6 +1837,7 @@ spec: description: |- DNSRefreshRate specifies the rate at which DNS records should be refreshed. Defaults to 30 seconds. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string lookupFamily: description: |- @@ -1957,14 +1961,13 @@ spec: description: |- InitialJitter defines the maximum time Envoy will wait before the first health check. Envoy will randomly select a value between 0 and the initial jitter value. - format: duration pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string interval: default: 3s description: Interval defines the time between active health checks. - format: duration + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string tcp: description: |- @@ -2043,7 +2046,7 @@ spec: default: 1s description: Timeout defines the time to wait for a health check response. - format: duration + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string type: allOf: 
@@ -2098,7 +2101,7 @@ spec: description: BaseEjectionTime defines the base duration for which a host will be ejected on consecutive failures. - format: duration + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string consecutive5XxErrors: default: 5 @@ -2124,7 +2127,7 @@ spec: default: 3s description: Interval defines the time between passive health checks. - format: duration + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string maxEjectionPercent: default: 10 @@ -2216,6 +2219,7 @@ spec: description: |- TTL of the generated cookie if the cookie is not present. This value sets the Max-Age attribute value. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string required: - name @@ -2303,6 +2307,7 @@ spec: During slow start window, traffic sent to the newly added hosts will gradually increase. Currently only supports linear growth of traffic. For additional details, see https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/cluster/v3/cluster.proto#config-cluster-v3-cluster-slowstartconfig + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string required: - window @@ -2417,19 +2422,19 @@ spec: baseInterval: description: BaseInterval is the base interval between retries. - format: duration + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string maxInterval: description: |- MaxInterval is the maximum interval between retries. This parameter is optional, but must be greater than or equal to the base_interval if set. The default is 10 times the base_interval - format: duration + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string type: object timeout: description: Timeout is the timeout per retry attempt. - format: duration + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string type: object retryOn: @@ -3033,6 +3038,7 @@ spec: description: |- DNSRefreshRate specifies the rate at which DNS records should be refreshed. Defaults to 30 seconds. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string lookupFamily: description: |- 
@@ -3160,14 +3166,13 @@ spec: description: |- InitialJitter defines the maximum time Envoy will wait before the first health check. Envoy will randomly select a value between 0 and the initial jitter value. - format: duration pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string interval: default: 3s description: Interval defines the time between active health checks. - format: duration + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string tcp: description: |- @@ -3251,7 +3256,7 @@ spec: default: 1s description: Timeout defines the time to wait for a health check response. - format: duration + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string type: allOf: @@ -3309,7 +3314,7 @@ spec: description: BaseEjectionTime defines the base duration for which a host will be ejected on consecutive failures. - format: duration + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string consecutive5XxErrors: default: 5 @@ -3336,7 +3341,7 @@ spec: default: 3s description: Interval defines the time between passive health checks. - format: duration + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string maxEjectionPercent: default: 10 @@ -3428,6 +3433,7 @@ spec: description: |- TTL of the generated cookie if the cookie is not present. This value sets the Max-Age attribute value. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string required: - name @@ -3517,6 +3523,7 @@ spec: During slow start window, traffic sent to the newly added hosts will gradually increase. Currently only supports linear growth of traffic. For additional details, see https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/cluster/v3/cluster.proto#config-cluster-v3-cluster-slowstartconfig + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string required: - window 
@@ -3632,19 +3639,19 @@ spec: baseInterval: description: BaseInterval is the base interval between retries. - format: duration + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string maxInterval: description: |- MaxInterval is the maximum interval between retries. This parameter is optional, but must be greater than or equal to the base_interval if set. The default is 10 times the base_interval - format: duration + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string type: object timeout: description: Timeout is the timeout per retry attempt. - format: duration + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string type: object retryOn: @@ -3943,6 +3950,7 @@ spec: If not specified, defaults to 604800s (one week). Note: this field is only applicable when the "refreshToken" field is set to true. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string defaultTokenTTL: description: |- @@ -3954,6 +3962,7 @@ spec: If not specified, defaults to 0. In this case, the "expires_in" field in the authorization response must be set by the authorization server, or the OAuth flow will fail. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string denyRedirect: description: |- @@ -4296,6 +4305,7 @@ spec: description: |- DNSRefreshRate specifies the rate at which DNS records should be refreshed. Defaults to 30 seconds. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string lookupFamily: description: |- @@ -4419,14 +4429,13 @@ spec: description: |- InitialJitter defines the maximum time Envoy will wait before the first health check. Envoy will randomly select a value between 0 and the initial jitter value. - format: duration pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string interval: default: 3s description: Interval defines the time between active health checks. - format: duration + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string tcp: description: |- 
@@ -4505,7 +4514,7 @@ spec: default: 1s description: Timeout defines the time to wait for a health check response. - format: duration + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string type: allOf: @@ -4560,7 +4569,7 @@ spec: description: BaseEjectionTime defines the base duration for which a host will be ejected on consecutive failures. - format: duration + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string consecutive5XxErrors: default: 5 @@ -4586,7 +4595,7 @@ spec: default: 3s description: Interval defines the time between passive health checks. - format: duration + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string maxEjectionPercent: default: 10 @@ -4678,6 +4687,7 @@ spec: description: |- TTL of the generated cookie if the cookie is not present. This value sets the Max-Age attribute value. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string required: - name @@ -4765,6 +4775,7 @@ spec: During slow start window, traffic sent to the newly added hosts will gradually increase. Currently only supports linear growth of traffic. For additional details, see https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/cluster/v3/cluster.proto#config-cluster-v3-cluster-slowstartconfig + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string required: - window @@ -4879,19 +4890,19 @@ spec: baseInterval: description: BaseInterval is the base interval between retries. - format: duration + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string maxInterval: description: |- MaxInterval is the maximum interval between retries. This parameter is optional, but must be greater than or equal to the base_interval if set. The default is 10 times the base_interval - format: duration + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string type: object timeout: description: Timeout is the timeout per retry attempt. - format: duration + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string type: object retryOn: 
diff --git a/examples/extension-server/go.mod b/examples/extension-server/go.mod
index c86026e17b..7a265fb79d 100644
--- a/examples/extension-server/go.mod
+++ b/examples/extension-server/go.mod
@@ -45,8 +45,8 @@ require (
 golang.org/x/text v0.27.0 // indirect
 golang.org/x/tools v0.35.0 // indirect
 golang.org/x/tools/go/packages/packagestest v0.1.1-deprecated // indirect
- google.golang.org/genproto/googleapis/api v0.0.0-20250603155806-513f23925822 // indirect
- google.golang.org/genproto/googleapis/rpc v0.0.0-20250603155806-513f23925822 // indirect
+ google.golang.org/genproto/googleapis/api v0.0.0-20250728155136-f173205681a0 // indirect
+ google.golang.org/genproto/googleapis/rpc v0.0.0-20250728155136-f173205681a0 // indirect
 gopkg.in/inf.v0 v0.9.1 // indirect
 gopkg.in/yaml.v2 v2.4.0 // indirect
 gopkg.in/yaml.v3 v3.0.1 // indirect
diff --git a/examples/extension-server/go.sum b/examples/extension-server/go.sum
index d17ae39070..7abb864d9d 100644
--- a/examples/extension-server/go.sum
+++ b/examples/extension-server/go.sum
@@ -37,8 +37,8 @@ github.com/google/go-cmp v0.5.9/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeN
 github.com/google/go-cmp v0.7.0 h1:wk8382ETsv4JYUZwIsn6YpYiWiBsYLSJiTsyBybVuN8=
 github.com/google/go-cmp v0.7.0/go.mod h1:pXiqmnSA92OHEEa9HXL2W4E7lf9JzCmGVUdgjX3N/iU=
 github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg=
-github.com/google/pprof v0.0.0-20250607225305-033d6d78b36a h1://KbezygeMJZCSHH+HgUZiTeSoiuFspbMg1ge+eFj18=
-github.com/google/pprof v0.0.0-20250607225305-033d6d78b36a/go.mod h1:5hDyRhoBCxViHszMt12TnOpEI4VVi+U8Gm9iphldiMA=
+github.com/google/pprof v0.0.0-20250403155104-27863c87afa6 h1:BHT72Gu3keYf3ZEu2J0b1vyeLSOYI8bm5wbJM/8yDe8=
+github.com/google/pprof v0.0.0-20250403155104-27863c87afa6/go.mod h1:boTsfXsheKC2y+lKOCMpSfarhxDeIzfZG1jqGcPl3cA=
 github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0=
 github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
 github.com/inconshreveable/mousetrap v1.1.0 h1:wN+x4NVGpMsO7ErUn/mUI3vEoE6Jt13X2s0bqwp9tc8=
@@ -160,10 +160,10 @@ golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8T
 golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
-google.golang.org/genproto/googleapis/api v0.0.0-20250603155806-513f23925822 h1:oWVWY3NzT7KJppx2UKhKmzPq4SRe0LdCijVRwvGeikY=
-google.golang.org/genproto/googleapis/api v0.0.0-20250603155806-513f23925822/go.mod h1:h3c4v36UTKzUiuaOKQ6gr3S+0hovBtUrXzTG/i3+XEc=
-google.golang.org/genproto/googleapis/rpc v0.0.0-20250603155806-513f23925822 h1:fc6jSaCT0vBduLYZHYrBBNY4dsWuvgyff9noRNDdBeE=
-google.golang.org/genproto/googleapis/rpc v0.0.0-20250603155806-513f23925822/go.mod h1:qQ0YXyHHx3XkvlzUtpXDkS29lDSafHMZBAZDc03LQ3A=
+google.golang.org/genproto/googleapis/api v0.0.0-20250728155136-f173205681a0 h1:0UOBWO4dC+e51ui0NFKSPbkHHiQ4TmrEfEZMLDyRmY8=
+google.golang.org/genproto/googleapis/api v0.0.0-20250728155136-f173205681a0/go.mod h1:8ytArBbtOy2xfht+y2fqKd5DRDJRUQhqbyEnQ4bDChs=
+google.golang.org/genproto/googleapis/rpc v0.0.0-20250728155136-f173205681a0 h1:MAKi5q709QWfnkkpNQ0M12hYJ1+e8qYVDyowc4U1XZM=
+google.golang.org/genproto/googleapis/rpc v0.0.0-20250728155136-f173205681a0/go.mod h1:qQ0YXyHHx3XkvlzUtpXDkS29lDSafHMZBAZDc03LQ3A=
 google.golang.org/grpc v1.74.2 h1:WoosgB65DlWVC9FqI82dGsZhWFNBSLjQ84bjROOpMu4=
 google.golang.org/grpc v1.74.2/go.mod h1:CtQ+BGjaAIXHs/5YS3i473GqwBBa1zGQNevxdeBEXrM=
 google.golang.org/protobuf v1.36.6 h1:z1NpPI8ku2WgiWnf+t9wTPsn6eP1L7ksHUlkfLvd9xY=
diff --git a/go.mod b/go.mod
index c235913318..b4b06e99e8 100644
--- a/go.mod
+++ b/go.mod
@@ -34,16 +34,16 @@ require (
 github.com/go-openapi/strfmt v0.23.0
 github.com/go-openapi/validate v0.24.0
 github.com/golang/protobuf v1.5.4
- github.com/google/cel-go v0.25.0
+ github.com/google/cel-go v0.26.0
 github.com/google/go-cmp v0.7.0
 github.com/google/go-containerregistry v0.20.6
- github.com/miekg/dns v1.1.67
+ github.com/miekg/dns v1.1.68
 github.com/ohler55/ojg v1.26.8
 github.com/pkg/errors v0.9.1
- github.com/prometheus/client_golang v1.22.0
+ github.com/prometheus/client_golang v1.23.0
 github.com/prometheus/client_model v0.6.2
 github.com/prometheus/common v0.65.0
- github.com/quic-go/quic-go v0.52.0
+ github.com/quic-go/quic-go v0.54.0
 github.com/replicatedhq/troubleshoot v0.121.2
 github.com/shopspring/decimal v1.4.0
 github.com/spf13/cobra v1.9.1
@@ -61,12 +61,12 @@ require (
 go.opentelemetry.io/otel/metric v1.37.0
 go.opentelemetry.io/otel/sdk v1.37.0
 go.opentelemetry.io/otel/sdk/metric v1.37.0
- go.opentelemetry.io/proto/otlp v1.7.0
+ go.opentelemetry.io/proto/otlp v1.7.1
 go.uber.org/zap v1.27.0
- golang.org/x/exp v0.0.0-20250606033433-dcc06ee1d476
+ golang.org/x/exp v0.0.0-20250718183923-645b1fa84792
 golang.org/x/net v0.42.0
 gomodules.xyz/jsonpatch/v2 v2.5.0
- google.golang.org/genproto/googleapis/api v0.0.0-20250603155806-513f23925822
+ google.golang.org/genproto/googleapis/api v0.0.0-20250728155136-f173205681a0
 google.golang.org/grpc v1.74.2
 google.golang.org/grpc/security/advancedtls v1.0.0
 google.golang.org/protobuf v1.36.6
@@ -93,15 +93,15 @@ require (
 4d63.com/gocheckcompilerdirectives v1.3.0 // indirect
 4d63.com/gochecknoglobals v0.2.2 // indirect
 al.essio.dev/pkg/shellescape v1.5.1 // indirect
- buf.build/gen/go/bufbuild/bufplugin/protocolbuffers/go v1.36.6-20250121211742-6d880cc6cc8d.1 // indirect
- buf.build/gen/go/bufbuild/protovalidate/protocolbuffers/go v1.36.6-20250613105001-9f2d3c737feb.1 // indirect
- buf.build/gen/go/bufbuild/registry/connectrpc/go v1.18.1-20250606164443-9d1800bf4ccc.1 // indirect
- buf.build/gen/go/bufbuild/registry/protocolbuffers/go v1.36.6-20250606164443-9d1800bf4ccc.1 // indirect
+ buf.build/gen/go/bufbuild/bufplugin/protocolbuffers/go v1.36.6-20250718181942-e35f9b667443.1 // indirect
+ buf.build/gen/go/bufbuild/protovalidate/protocolbuffers/go v1.36.6-20250717185734-6c6e0d3c608e.1 // indirect
+ buf.build/gen/go/bufbuild/registry/connectrpc/go v1.18.1-20250721151928-2b7ae473b098.1 // indirect
+ buf.build/gen/go/bufbuild/registry/protocolbuffers/go v1.36.6-20250721151928-2b7ae473b098.1 // indirect
 buf.build/gen/go/pluginrpc/pluginrpc/protocolbuffers/go v1.36.6-20241007202033-cf42259fcbfc.1 // indirect
 buf.build/go/app v0.1.0 // indirect
 buf.build/go/bufplugin v0.9.0 // indirect
 buf.build/go/interrupt v1.1.0 // indirect
- buf.build/go/protovalidate v0.13.1 // indirect
+ buf.build/go/protovalidate v0.14.0 // indirect
 buf.build/go/protoyaml v0.6.0 // indirect
 buf.build/go/spdx v0.2.0 // indirect
 buf.build/go/standard v0.1.0 // indirect
@@ -160,7 +160,7 @@ require (
 github.com/bombsimon/wsl/v5 v5.1.0 // indirect
 github.com/breml/bidichk v0.3.3 // indirect
 github.com/breml/errchkjson v0.4.1 // indirect
- github.com/bufbuild/buf v1.55.1 // indirect
+ github.com/bufbuild/buf v1.56.0 // indirect
 github.com/bufbuild/protocompile v0.14.1 // indirect
 github.com/bufbuild/protoplugin v0.0.0-20250218205857-750e09ce93e1 // indirect
 github.com/butuzov/ireturn v0.4.0 // indirect
@@ -185,7 +185,7 @@ require (
 github.com/containerd/errdefs/pkg v0.3.0 // indirect
 github.com/containerd/log v0.1.0 // indirect
 github.com/containerd/platforms v0.2.1 // indirect
- github.com/containerd/stargz-snapshotter/estargz v0.16.3 // indirect
+ github.com/containerd/stargz-snapshotter/estargz v0.17.0 // indirect
 github.com/containerd/typeurl/v2 v2.2.3 // indirect
 github.com/containers/libtrust v0.0.0-20230121012942-c1716e8a8d01 // indirect
 github.com/containers/ocicrypt v1.2.1 // indirect
@@ -234,7 +234,6 @@ require (
 github.com/go-openapi/swag v0.23.1 // indirect
 github.com/go-redis/redis/v7 v7.4.1 // indirect
 github.com/go-sql-driver/mysql v1.9.3 // indirect
- github.com/go-task/slim-sprig/v3 v3.0.0 // indirect
 github.com/go-toolsmith/astcast v1.1.0 // indirect
 github.com/go-toolsmith/astcopy v1.1.0 // indirect
 github.com/go-toolsmith/astequal v1.2.0 // indirect
@@ -268,7 +267,6 @@ require (
 github.com/google/go-intervals v0.0.2 // indirect
 github.com/google/go-jsonnet v0.20.0 // indirect
 github.com/google/gofuzz v1.2.0 // indirect
- github.com/google/pprof v0.0.0-20250607225305-033d6d78b36a // indirect
 github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510 // indirect
 github.com/google/uuid v1.6.0 // indirect
 github.com/gordonklaus/ineffassign v0.1.0 // indirect
@@ -372,7 +370,6 @@ require (
 github.com/norwoodj/helm-docs v1.14.2 // indirect
 github.com/nunnatsa/ginkgolinter v0.20.0 // indirect
 github.com/oklog/ulid v1.3.1 // indirect
- github.com/onsi/ginkgo/v2 v2.23.4 // indirect
 github.com/opencontainers/go-digest v1.0.0 // indirect
 github.com/opencontainers/image-spec v1.1.1 // indirect
 github.com/opencontainers/runtime-spec v1.2.1 // indirect
@@ -408,7 +405,7 @@ require (
 github.com/sashamelentyev/usestdlibvars v1.29.0 // indirect
 github.com/securego/gosec/v2 v2.22.6 // indirect
 github.com/segmentio/asm v1.2.0 // indirect
- github.com/segmentio/encoding v0.5.1 // indirect
+ github.com/segmentio/encoding v0.5.3 // indirect
 github.com/segmentio/ksuid v1.0.4 // indirect
 github.com/shirou/gopsutil/v4 v4.25.6 // indirect
 github.com/sirupsen/logrus v1.9.3 // indirect
@@ -422,7 +419,7 @@ require (
 github.com/spiffe/go-spiffe/v2 v2.5.0 // indirect
 github.com/ssgreg/nlreturn/v2 v2.2.1 // indirect
 github.com/stbenjam/no-sprintf-host-port v0.2.0 // indirect
- github.com/stoewer/go-strcase v1.3.0 // indirect
+ github.com/stoewer/go-strcase v1.3.1 // indirect
 github.com/stretchr/objx v0.5.2 // indirect
 github.com/subosito/gotenv v1.6.0 // indirect
 github.com/sylabs/sif/v2 v2.21.1 // indirect
@@ -473,8 +470,8 @@ require (
 go.opencensus.io v0.24.0 // indirect
 go.opentelemetry.io/auto/sdk v1.1.0 // indirect
 go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.61.0 // indirect
- go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.61.0 // indirect
- go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.36.0 // indirect
+ go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.62.0 // indirect
+ go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.37.0 // indirect
 go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.33.0 // indirect
 go.opentelemetry.io/otel/trace v1.37.0 // indirect
 go.uber.org/automaxprocs v1.6.0 // indirect
@@ -494,7 +491,7 @@ require (
 golang.org/x/time v0.12.0 // indirect
 golang.org/x/tools v0.35.0 // indirect
 golang.org/x/xerrors v0.0.0-20231012003039-104605ab7028 // indirect
- google.golang.org/genproto/googleapis/rpc v0.0.0-20250603155806-513f23925822 // indirect
+ google.golang.org/genproto/googleapis/rpc v0.0.0-20250728155136-f173205681a0 // indirect
 google.golang.org/grpc/cmd/protoc-gen-go-grpc v1.5.1 // indirect
 gopkg.in/alecthomas/kingpin.v2 v2.2.6 // indirect
 gopkg.in/evanphx/json-patch.v4 v4.12.0 // indirect
diff --git a/go.sum b/go.sum
index 68fe833348..23672b7127 100644
--- a/go.sum
+++ b/go.sum
@@ -4,14 +4,14 @@
 4d63.com/gochecknoglobals v0.2.2/go.mod h1:lLxwTQjL5eIesRbvnzIP3jZtG140FnTdz+AlMa+ogt0=
 al.essio.dev/pkg/shellescape v1.5.1 h1:86HrALUujYS/h+GtqoB26SBEdkWfmMI6FubjXlsXyho=
 al.essio.dev/pkg/shellescape v1.5.1/go.mod h1:6sIqp7X2P6mThCQ7twERpZTuigpr6KbZWtls1U8I890=
-buf.build/gen/go/bufbuild/bufplugin/protocolbuffers/go v1.36.6-20250121211742-6d880cc6cc8d.1 h1:f6miF8tK6H+Ktad24WpnNfpHO75GRGk0rhJ1mxPXqgA=
-buf.build/gen/go/bufbuild/bufplugin/protocolbuffers/go v1.36.6-20250121211742-6d880cc6cc8d.1/go.mod h1:rvbyamNtvJ4o3ExeCmaG5/6iHnu0vy0E+UQ+Ph0om8s=
-buf.build/gen/go/bufbuild/protovalidate/protocolbuffers/go v1.36.6-20250613105001-9f2d3c737feb.1 h1:AUL6VF5YWL01j/1H/DQbPUSDkEwYqwVCNw7yhbpOxSQ=
-buf.build/gen/go/bufbuild/protovalidate/protocolbuffers/go v1.36.6-20250613105001-9f2d3c737feb.1/go.mod h1:avRlCjnFzl98VPaeCtJ24RrV/wwHFzB8sWXhj26+n/U=
-buf.build/gen/go/bufbuild/registry/connectrpc/go v1.18.1-20250606164443-9d1800bf4ccc.1 h1:x7juyChlm/fXZyuJTdBeMzHwAMhPJkP0qE4/IpwpGX4=
-buf.build/gen/go/bufbuild/registry/connectrpc/go v1.18.1-20250606164443-9d1800bf4ccc.1/go.mod h1:vi8xjh+6SQRvLQYnyVFZ7kOBrFevwFudusxWVc6E58A=
-buf.build/gen/go/bufbuild/registry/protocolbuffers/go v1.36.6-20250606164443-9d1800bf4ccc.1 h1:iiP7EL8EWrWmxn9qPDQTFdVSu04qIrmglpyjC10K4IU=
-buf.build/gen/go/bufbuild/registry/protocolbuffers/go v1.36.6-20250606164443-9d1800bf4ccc.1/go.mod h1:bUPpZtzAkcnTA7OLfKCvkvkxEAC6dG/ZIlbnbUJicL4=
+buf.build/gen/go/bufbuild/bufplugin/protocolbuffers/go v1.36.6-20250718181942-e35f9b667443.1 h1:8kSz6PsTC64z3itQqwMgswSGR/QpB3ShZGycu+zq+58=
+buf.build/gen/go/bufbuild/bufplugin/protocolbuffers/go v1.36.6-20250718181942-e35f9b667443.1/go.mod h1:TsmeaGU5CZAF7zRM05vIKgXh56GgwaoMS8X+a77RV5Q=
+buf.build/gen/go/bufbuild/protovalidate/protocolbuffers/go v1.36.6-20250717185734-6c6e0d3c608e.1 h1:Lg6klmCi3v7VvpqeeLEER9/m5S8y9e9DjhqQnSCNy4k=
+buf.build/gen/go/bufbuild/protovalidate/protocolbuffers/go v1.36.6-20250717185734-6c6e0d3c608e.1/go.mod h1:avRlCjnFzl98VPaeCtJ24RrV/wwHFzB8sWXhj26+n/U=
+buf.build/gen/go/bufbuild/registry/connectrpc/go v1.18.1-20250721151928-2b7ae473b098.1 h1:icgV8NMRNi31JwLZ8OJQK1HNIX3RTBdhjvpRPJF4fyI=
+buf.build/gen/go/bufbuild/registry/connectrpc/go v1.18.1-20250721151928-2b7ae473b098.1/go.mod h1:/MMEAJmz7PEmksjkSxhWXell82FXiG7BLUPBJRmKBsA=
+buf.build/gen/go/bufbuild/registry/protocolbuffers/go v1.36.6-20250721151928-2b7ae473b098.1 h1:fgiFo9f0jCni7kb5QxQ78CccZv6WLTH5Iea2B+AvSKY=
+buf.build/gen/go/bufbuild/registry/protocolbuffers/go v1.36.6-20250721151928-2b7ae473b098.1/go.mod h1:RsJBKYlgzsbl5LAhIu0cNrPPzBNenMLTAAykRxFidtw=
 buf.build/gen/go/pluginrpc/pluginrpc/protocolbuffers/go v1.36.6-20241007202033-cf42259fcbfc.1 h1:trcsXBDm8exui7mvndZnvworCyBq1xuMnod2N0j79K8=
 buf.build/gen/go/pluginrpc/pluginrpc/protocolbuffers/go v1.36.6-20241007202033-cf42259fcbfc.1/go.mod h1:OUbhXurY+VHFGn9FBxcRy8UB7HXk9NvJ2qCgifOMypQ=
 buf.build/go/app v0.1.0 h1:nlqD/h0rhIN73ZoiDElprrPiO2N6JV+RmNK34K29Ihg=
@@ -20,8 +20,8 @@ buf.build/go/bufplugin v0.9.0 h1:ktZJNP3If7ldcWVqh46XKeiYJVPxHQxCfjzVQDzZ/lo=
 buf.build/go/bufplugin v0.9.0/go.mod h1:Z0CxA3sKQ6EPz/Os4kJJneeRO6CjPeidtP1ABh5jPPY=
 buf.build/go/interrupt v1.1.0 h1:olBuhgv9Sav4/9pkSLoxgiOsZDgM5VhRhvRpn3DL0lE=
 buf.build/go/interrupt v1.1.0/go.mod h1:ql56nXPG1oHlvZa6efNC7SKAQ/tUjS6z0mhJl0gyeRM=
-buf.build/go/protovalidate v0.13.1 h1:6loHDTWdY/1qmqmt1MijBIKeN4T9Eajrqb9isT1W1s8=
-buf.build/go/protovalidate v0.13.1/go.mod h1:C/QcOn/CjXRn5udUwYBiLs8y1TGy7RS+GOSKqjS77aU=
+buf.build/go/protovalidate v0.14.0 h1:kr/rC/no+DtRyYX+8KXLDxNnI1rINz0imk5K44ZpZ3A=
+buf.build/go/protovalidate v0.14.0/go.mod h1:+F/oISho9MO7gJQNYC2VWLzcO1fTPmaTA08SDYJZncA=
 buf.build/go/protoyaml v0.6.0 h1:Nzz1lvcXF8YgNZXk+voPPwdU8FjDPTUV4ndNTXN0n2w=
 buf.build/go/protoyaml v0.6.0/go.mod h1:RgUOsBu/GYKLDSIRgQXniXbNgFlGEZnQpRAUdLAFV2Q=
 buf.build/go/spdx v0.2.0 h1:IItqM0/cMxvFJJumcBuP8NrsIzMs/UYjp/6WSpq8LTw=
@@ -176,8 +176,8 @@ github.com/breml/errchkjson v0.4.1 h1:keFSS8D7A2T0haP9kzZTi7o26r7kE3vymjZNeNDRDw github.com/breml/errchkjson v0.4.1/go.mod h1:a23OvR6Qvcl7DG/Z4o0el6BRAjKnaReoPQFciAl9U3s= github.com/bshuster-repo/logrus-logstash-hook v1.0.0 h1:e+C0SB5R1pu//O4MQ3f9cFuPGoOVeF2fE4Og9otCc70= github.com/bshuster-repo/logrus-logstash-hook v1.0.0/go.mod h1:zsTqEiSzDgAa/8GZR7E1qaXrhYNDKBYy5/dWPTIflbk= -github.com/bufbuild/buf v1.55.1 h1:yaRXO9YmtgyEhiqT/gwuJWhHN9xBBbqlQvXVnPauvCk= -github.com/bufbuild/buf v1.55.1/go.mod h1:bvDF6WkvObC+ca9gmP++/oCAWeVVX7MspMcTFznqF7k= +github.com/bufbuild/buf v1.56.0 h1:Z0eK+npK01FB924rtDVMOJtvBh9c421mYLo9QhUP3pM= +github.com/bufbuild/buf v1.56.0/go.mod h1:uDNMYshCJIXL99OQc71SDeFiDqOse9sSHXPpZlrqElw= github.com/bufbuild/protocompile v0.14.1 h1:iA73zAf/fyljNjQKwYzUHD6AD4R8KMasmwa/FBatYVw= github.com/bufbuild/protocompile v0.14.1/go.mod h1:ppVdAIhbr2H8asPk6k4pY7t9zB1OU5DoEw9xY/FUi1c= github.com/bufbuild/protoplugin v0.0.0-20250218205857-750e09ce93e1 h1:V1xulAoqLqVg44rY97xOR+mQpD2N+GzhMHVwJ030WEU= 
@@ -233,8 +233,8 @@ github.com/containerd/log v0.1.0 h1:TCJt7ioM2cr/tfR8GPbGf9/VRAX8D2B4PjzCpfX540I= github.com/containerd/log v0.1.0/go.mod h1:VRRf09a7mHDIRezVKTRCrOq78v577GXq3bSa3EhrzVo= github.com/containerd/platforms v0.2.1 h1:zvwtM3rz2YHPQsF2CHYM8+KtB5dvhISiXh5ZpSBQv6A= github.com/containerd/platforms v0.2.1/go.mod h1:XHCb+2/hzowdiut9rkudds9bE5yJ7npe7dG/wG+uFPw= -github.com/containerd/stargz-snapshotter/estargz v0.16.3 h1:7evrXtoh1mSbGj/pfRccTampEyKpjpOnS3CyiV1Ebr8= -github.com/containerd/stargz-snapshotter/estargz v0.16.3/go.mod h1:uyr4BfYfOj3G9WBVE8cOlQmXAbPN9VEQpBBeJIuOipU= +github.com/containerd/stargz-snapshotter/estargz v0.17.0 h1:+TyQIsR/zSFI1Rm31EQBwpAA1ovYgIKHy7kctL3sLcE= +github.com/containerd/stargz-snapshotter/estargz v0.17.0/go.mod h1:s06tWAiJcXQo9/8AReBCIo/QxcXFZ2n4qfsRnpl71SM= github.com/containerd/typeurl/v2 v2.2.3 h1:yNA/94zxWdvYACdYO8zofhrTVuQY73fFU1y++dYSw40= github.com/containerd/typeurl/v2 v2.2.3/go.mod h1:95ljDnPfD3bAbDJRugOiShd/DlAAsxGtUBhJxIn7SCk= github.com/containers/image/v5 v5.36.0 h1:Zh+xFcLjRmicnOT5AFPHH/xj+e3s9ojDN/9X2Kx1+Jo= 
@@ -492,8 +492,8 @@ github.com/golangci/unconvert v0.0.0-20250410112200-a129a6e6413e h1:gD6P7NEo7Eqt github.com/golangci/unconvert v0.0.0-20250410112200-a129a6e6413e/go.mod h1:h+wZwLjUTJnm/P2rwlbJdRPZXOzaT36/FwnPnY2inzc= github.com/google/btree v1.1.3 h1:CVpQJjYgC4VbzxeGVHfvZrv1ctoYCAI8vbl07Fcxlyg= github.com/google/btree v1.1.3/go.mod h1:qOPhT0dTNdNzV6Z/lhRX0YXUafgPLFUh+gZMl761Gm4= -github.com/google/cel-go v0.25.0 h1:jsFw9Fhn+3y2kBbltZR4VEz5xKkcIFRPDnuEzAGv5GY= -github.com/google/cel-go v0.25.0/go.mod h1:hjEb6r5SuOSlhCHmFoLzu8HGCERvIsDAbxDAyNU/MmI= +github.com/google/cel-go v0.26.0 h1:DPGjXackMpJWH680oGY4lZhYjIameYmR+/6RBdDGmaI= +github.com/google/cel-go v0.26.0/go.mod h1:A9O8OU9rdvrK5MQyrqfIxo1a0u4g3sF8KB6PUIaryMM= github.com/google/gnostic-models v0.6.9 h1:MU/8wDLif2qCXZmzncUQ/BOfxWfthHi63KqpoNbWqVw= github.com/google/gnostic-models v0.6.9/go.mod h1:CiWsm0s6BSQd1hRn8/QmxqB6BesYcbSZxsz9b0KuDBw= github.com/google/go-cmp v0.2.0/go.mod h1:oXzfMopK8JAjlY9xF4vHSVASa0yLyX7SntLO5aqRK0M= @@ -718,8 +718,8 @@ github.com/mgechev/revive v1.11.0 h1:b/gLLpBE427o+Xmd8G58gSA+KtBwxWinH/A565Awh0w github.com/mgechev/revive v1.11.0/go.mod h1:tI0oLF/2uj+InHCBLrrqfTKfjtFTBCFFfG05auyzgdw= github.com/microsoft/go-mssqldb v1.9.2 h1:nY8TmFMQOHpm2qVWo6y4I2mAmVdZqlGiMGAYt64Ibbs= github.com/microsoft/go-mssqldb v1.9.2/go.mod h1:GBbW9ASTiDC+mpgWDGKdm3FnFLTUsLYN3iFL90lQ+PA= -github.com/miekg/dns v1.1.67 h1:kg0EHj0G4bfT5/oOys6HhZw4vmMlnoZ+gDu8tJ/AlI0= -github.com/miekg/dns v1.1.67/go.mod h1:fujopn7TB3Pu3JM69XaawiU0wqjpL9/8xGop5UrTPps= +github.com/miekg/dns v1.1.68 h1:jsSRkNozw7G/mnmXULynzMNIsgY2dHC8LO6U6Ij2JEA= +github.com/miekg/dns v1.1.68/go.mod h1:fujopn7TB3Pu3JM69XaawiU0wqjpL9/8xGop5UrTPps= github.com/mistifyio/go-zfs/v3 v3.0.1 h1:YaoXgBePoMA12+S1u/ddkv+QqxcfiZK4prI6HPnkFiU= github.com/mistifyio/go-zfs/v3 v3.0.1/go.mod h1:CzVgeB0RvF2EGzQnytKVvVSDwmKJXxkOTUGbNrTja/k= github.com/mitchellh/copystructure v1.2.0 h1:vpKXTN4ewci03Vljg/q9QvCGUDttBOGBIa15WveJJGw= 
@@ -840,8 +840,8 @@ github.com/poy/onpar v1.1.2 h1:QaNrNiZx0+Nar5dLgTVp5mXkyoVFIbepjyEoGSnhbAY= github.com/poy/onpar v1.1.2/go.mod h1:6X8FLNoxyr9kkmnlqpK6LSoiOtrO6MICtWwEuWkLjzg= github.com/prashantv/gostub v1.1.0 h1:BTyx3RfQjRHnUWaGF9oQos79AlQ5k8WNktv7VGvVH4g= github.com/prashantv/gostub v1.1.0/go.mod h1:A5zLQHz7ieHGG7is6LLXLz7I8+3LZzsrV0P1IAHhP5U= -github.com/prometheus/client_golang v1.22.0 h1:rb93p9lokFEsctTys46VnV1kLCDpVZ0a/Y92Vm0Zc6Q= -github.com/prometheus/client_golang v1.22.0/go.mod h1:R7ljNsLXhuQXYZYtw6GAE9AZg8Y7vEW5scdCXrWRXC0= +github.com/prometheus/client_golang v1.23.0 h1:ust4zpdl9r4trLY/gSjlm07PuiBq2ynaXXlptpfy8Uc= +github.com/prometheus/client_golang v1.23.0/go.mod h1:i/o0R9ByOnHX0McrTMTyhYvKE4haaf2mW08I+jGAjEE= github.com/prometheus/client_model v0.0.0-20190812154241-14fe0d1b01d4/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA= github.com/prometheus/client_model v0.6.2 h1:oBsgwpGs7iVziMvrGhE53c/GrLUsZdHnqNwqPLxwZyk= github.com/prometheus/client_model v0.6.2/go.mod h1:y3m2F6Gdpfy6Ut/GBsUqTWZqCUvMVzSfMLjcu6wAwpE= 
@@ -863,8 +863,8 @@ github.com/quasilyte/stdinfo v0.0.0-20220114132959-f7386bf02567 h1:M8mH9eK4OUR4l github.com/quasilyte/stdinfo v0.0.0-20220114132959-f7386bf02567/go.mod h1:DWNGW8A4Y+GyBgPuaQJuWiy0XYftx4Xm/y5Jqk9I6VQ= github.com/quic-go/qpack v0.5.1 h1:giqksBPnT/HDtZ6VhtFKgoLOWmlyo9Ei6u9PqzIMbhI= github.com/quic-go/qpack v0.5.1/go.mod h1:+PC4XFrEskIVkcLzpEkbLqq1uCoxPhQuvK5rH1ZgaEg= -github.com/quic-go/quic-go v0.52.0 h1:/SlHrCRElyaU6MaEPKqKr9z83sBg2v4FLLvWM+Z47pA= -github.com/quic-go/quic-go v0.52.0/go.mod h1:MFlGGpcpJqRAfmYi6NC2cptDPSxRWTOGNuP4wqrWmzQ= +github.com/quic-go/quic-go v0.54.0 h1:6s1YB9QotYI6Ospeiguknbp2Znb/jZYjZLRXn9kMQBg= +github.com/quic-go/quic-go v0.54.0/go.mod h1:e68ZEaCdyviluZmy44P6Iey98v/Wfz6HCjQEm+l8zTY= github.com/raeperd/recvcheck v0.2.0 h1:GnU+NsbiCqdC2XX5+vMZzP+jAJC5fht7rcVTAhX74UI= github.com/raeperd/recvcheck v0.2.0/go.mod h1:n04eYkwIR0JbgD73wT8wL4JjPC3wm0nFtzBnWNocnYU= github.com/redis/go-redis/extra/rediscmd/v9 v9.0.5 h1:EaDatTxkdHG+U3Bk4EUr+DZ7fOGwTfezUiUJMaIcaho= @@ -906,8 +906,8 @@ github.com/securego/gosec/v2 v2.22.6 h1:mixR+X+Z5fT6QddWY8jyU9gs43CyW0SnADHB6kJm github.com/securego/gosec/v2 v2.22.6/go.mod h1:510TFNDMrIPytokyHQAVLvPeDr41Yihn2ak8P+XQfNE= github.com/segmentio/asm v1.2.0 h1:9BQrFxC+YOHJlTlHGkTrFWf59nbL3XnCoFLTwDCI7ys= github.com/segmentio/asm v1.2.0/go.mod h1:BqMnlJP91P8d+4ibuonYZw9mfnzI9HfxselHZr5aAcs= -github.com/segmentio/encoding v0.5.1 h1:LhmgXA5/alniiqfc4cYYrxF6DbUQ3m8MVz4/LQIU1mg= -github.com/segmentio/encoding v0.5.1/go.mod h1:HS1ZKa3kSN32ZHVZ7ZLPLXWvOVIiZtyJnO1gPH1sKt0= +github.com/segmentio/encoding v0.5.3 h1:OjMgICtcSFuNvQCdwqMCv9Tg7lEOXGwm1J5RPQccx6w= +github.com/segmentio/encoding v0.5.3/go.mod h1:HS1ZKa3kSN32ZHVZ7ZLPLXWvOVIiZtyJnO1gPH1sKt0= github.com/segmentio/ksuid v1.0.4 h1:sBo2BdShXjmcugAMwjugoGUdUV0pcxY5mW4xKRn3v4c= github.com/segmentio/ksuid v1.0.4/go.mod h1:/XUiZBD3kVx5SmUOl55voK5yeAbBNNIed+2O73XgrPE= github.com/sergi/go-diff v1.3.1 h1:xkr+Oxo4BOQKmkn/B9eMK0g5Kg/983T9DqqPHwYqD+8= 
@@ -949,8 +949,8 @@ github.com/ssgreg/nlreturn/v2 v2.2.1 h1:X4XDI7jstt3ySqGU86YGAURbxw3oTDPK9sPEi6YE github.com/ssgreg/nlreturn/v2 v2.2.1/go.mod h1:E/iiPB78hV7Szg2YfRgyIrk1AD6JVMTRkkxBiELzh2I= github.com/stbenjam/no-sprintf-host-port v0.2.0 h1:i8pxvGrt1+4G0czLr/WnmyH7zbZ8Bg8etvARQ1rpyl4= github.com/stbenjam/no-sprintf-host-port v0.2.0/go.mod h1:eL0bQ9PasS0hsyTyfTjjG+E80QIyPnBVQbYZyv20Jfk= -github.com/stoewer/go-strcase v1.3.0 h1:g0eASXYtp+yvN9fK8sH94oCIk0fau9uV1/ZdJ0AVEzs= -github.com/stoewer/go-strcase v1.3.0/go.mod h1:fAH5hQ5pehh+j3nZfvwdk2RgEgQjAoM8wodgtPmh1xo= +github.com/stoewer/go-strcase v1.3.1 h1:iS0MdW+kVTxgMoE1LAZyMiYJFKlOzLooE4MxjirtkAs= +github.com/stoewer/go-strcase v1.3.1/go.mod h1:fAH5hQ5pehh+j3nZfvwdk2RgEgQjAoM8wodgtPmh1xo= github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME= github.com/stretchr/objx v0.1.1/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME= github.com/stretchr/objx v0.4.0/go.mod h1:YvHI0jy2hoMjB+UWwv71VJQ9isScKT/TqJzVSSt89Yw= 
@@ -1109,8 +1109,8 @@ go.opentelemetry.io/contrib/exporters/autoexport v0.57.0 h1:jmTVJ86dP60C01K3slFQ go.opentelemetry.io/contrib/exporters/autoexport v0.57.0/go.mod h1:EJBheUMttD/lABFyLXhce47Wr6DPWYReCzaZiXadH7g= go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.58.0 h1:PS8wXpbyaDJQ2VDHHncMe9Vct0Zn1fEjpsjrLxGJoSc= go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.58.0/go.mod h1:HDBUsEjOuRC0EzKZ1bSaRGZWUBAzo+MhAcUUORSr4D0= -go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.61.0 h1:F7Jx+6hwnZ41NSFTO5q4LYDtJRXBf2PD0rNBkeB/lus= -go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.61.0/go.mod h1:UHB22Z8QsdRDrnAtX4PntOl36ajSxcdUMt1sF7Y6E7Q= +go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.62.0 h1:Hf9xI/XLML9ElpiHVDNwvqI0hIFlzV8dgIr35kV1kRU= +go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.62.0/go.mod h1:NfchwuyNoMcZ5MLHwPrODwUF1HWCXWrL31s8gSAdIKY= go.opentelemetry.io/otel v1.37.0 h1:9zhNfelUvx0KBfu/gb+ZgeAfAgtWrfHJZcAqFC228wQ= go.opentelemetry.io/otel v1.37.0/go.mod h1:ehE/umFRLnuLa/vSccNq9oS1ErUlkkK71gMcN34UG8I= go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploggrpc v0.8.0 h1:WzNab7hOOLzdDF/EoWCt4glhrbMPVMOO5JYTmpz36Ls= 
@@ -1121,8 +1121,8 @@ go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc v1.37.0 h1:zG8 go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc v1.37.0/go.mod h1:hOfBCz8kv/wuq73Mx2H2QnWokh/kHZxkh6SNF2bdKtw= go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp v1.37.0 h1:9PgnL3QNlj10uGxExowIDIZu66aVBwWhXmbOp1pa6RA= go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp v1.37.0/go.mod h1:0ineDcLELf6JmKfuo0wvvhAVMuxWFYvkTin2iV4ydPQ= -go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.36.0 h1:dNzwXjZKpMpE2JhmO+9HsPl42NIXFIFSUSSs0fiqra0= -go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.36.0/go.mod h1:90PoxvaEB5n6AOdZvi+yWJQoE95U8Dhhw2bSyRqnTD0= +go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.37.0 h1:Ahq7pZmv87yiyn3jeFz/LekZmPLLdKejuO3NcK9MssM= +go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.37.0/go.mod h1:MJTqhM0im3mRLw1i8uGHnCvUEeS7VwRyxlLC78PA18M= go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.33.0 h1:5pojmb1U1AogINhN3SurB+zm/nIcusopeBNp42f45QM= go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.33.0/go.mod h1:57gTHJSE5S1tqg+EKsLPlTWhpHMsWlVmer+LA926XiA= go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.35.0 h1:xJ2qHD0C1BeYVTLLR9sX12+Qb95kfeD/byKj6Ky1pXg= 
@@ -1147,8 +1147,8 @@ go.opentelemetry.io/otel/sdk/metric v1.37.0 h1:90lI228XrB9jCMuSdA0673aubgRobVZFh go.opentelemetry.io/otel/sdk/metric v1.37.0/go.mod h1:cNen4ZWfiD37l5NhS+Keb5RXVWZWpRE+9WyVCpbo5ps= go.opentelemetry.io/otel/trace v1.37.0 h1:HLdcFNbRQBE2imdSEgm/kwqmQj1Or1l/7bW6mxVK7z4= go.opentelemetry.io/otel/trace v1.37.0/go.mod h1:TlgrlQ+PtQO5XFerSPUYG0JSgGyryXewPGyayAWSBS0= -go.opentelemetry.io/proto/otlp v1.7.0 h1:jX1VolD6nHuFzOYso2E73H85i92Mv8JQYk0K9vz09os= -go.opentelemetry.io/proto/otlp v1.7.0/go.mod h1:fSKjH6YJ7HDlwzltzyMj036AJ3ejJLCgCSHGj4efDDo= +go.opentelemetry.io/proto/otlp v1.7.1 h1:gTOMpGDb0WTBOP8JaO72iL3auEZhVmAQg4ipjOVAtj4= +go.opentelemetry.io/proto/otlp v1.7.1/go.mod h1:b2rVh6rfI/s2pHWNlB7ILJcRALpcNDzKhACevjI+ZnE= go.uber.org/automaxprocs v1.6.0 h1:O3y2/QNTOdbF+e/dpXNNW7Rx2hZ4sTIPyybbxyNqTUs= go.uber.org/automaxprocs v1.6.0/go.mod h1:ifeIMSnPZuznNm6jmdzmU3/bfk01Fe2fotchwEFJ8r8= go.uber.org/goleak v1.3.0 h1:2K3zAYmnTNqV73imy9J1T3WC+gmCePx2hEGkimedGto= 
@@ -1175,8 +1175,8 @@ golang.org/x/crypto v0.40.0/go.mod h1:Qr1vMER5WyS2dfPHAlsOj01wgLbsyWtFn/aY+5+Zdx golang.org/x/crypto/x509roots/fallback v0.0.0-20250406160420-959f8f3db0fb h1:Iu0p/klM0SM7atONioa/bPhLS7cjhnip99x1OIGibwg= golang.org/x/crypto/x509roots/fallback v0.0.0-20250406160420-959f8f3db0fb/go.mod h1:lxN5T34bK4Z/i6cMaU7frUU57VkDXFD4Kamfl/cp9oU= golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= -golang.org/x/exp v0.0.0-20250606033433-dcc06ee1d476 h1:bsqhLWFR6G6xiQcb+JoGqdKdRU6WzPWmK8E0jxTjzo4= -golang.org/x/exp v0.0.0-20250606033433-dcc06ee1d476/go.mod h1:3//PLf8L/X+8b4vuAfHzxeRUl04Adcb341+IGKfnqS8= +golang.org/x/exp v0.0.0-20250718183923-645b1fa84792 h1:R9PFI6EUdfVKgwKjZef7QIwGcBKu86OEFpJ9nUEP2l4= +golang.org/x/exp v0.0.0-20250718183923-645b1fa84792/go.mod h1:A+z0yzpGtvnG90cToK5n2tu8UJVP2XUATh+r+sfOOOc= golang.org/x/exp/typeparams v0.0.0-20220428152302-39d4317da171/go.mod h1:AbB0pIl9nAr9wVwH+Z2ZpaocVmF5I4GyWCDIsVjR0bk= golang.org/x/exp/typeparams v0.0.0-20230203172020-98cc5a0785f9/go.mod h1:AbB0pIl9nAr9wVwH+Z2ZpaocVmF5I4GyWCDIsVjR0bk= golang.org/x/exp/typeparams v0.0.0-20250620022241-b7579e27df2b h1:KdrhdYPDUvJTvrDK9gdjfFd6JTk8vA1WJoldYSi0kHo= 
@@ -1330,10 +1330,10 @@ google.golang.org/genproto v0.0.0-20190819201941-24fa4b261c55/go.mod h1:DMBHOl98 google.golang.org/genproto v0.0.0-20200526211855-cb27e3aa2013/go.mod h1:NbSheEEYHJ7i3ixzK3sjbqSGDJWnxyFXZblF3eUsNvo= google.golang.org/genproto v0.0.0-20241118233622-e639e219e697 h1:ToEetK57OidYuqD4Q5w+vfEnPvPpuTwedCNVohYJfNk= google.golang.org/genproto v0.0.0-20241118233622-e639e219e697/go.mod h1:JJrvXBWRZaFMxBufik1a4RpFw4HhgVtBBWQeQgUj2cc= -google.golang.org/genproto/googleapis/api v0.0.0-20250603155806-513f23925822 h1:oWVWY3NzT7KJppx2UKhKmzPq4SRe0LdCijVRwvGeikY= -google.golang.org/genproto/googleapis/api v0.0.0-20250603155806-513f23925822/go.mod h1:h3c4v36UTKzUiuaOKQ6gr3S+0hovBtUrXzTG/i3+XEc= -google.golang.org/genproto/googleapis/rpc v0.0.0-20250603155806-513f23925822 h1:fc6jSaCT0vBduLYZHYrBBNY4dsWuvgyff9noRNDdBeE= -google.golang.org/genproto/googleapis/rpc v0.0.0-20250603155806-513f23925822/go.mod h1:qQ0YXyHHx3XkvlzUtpXDkS29lDSafHMZBAZDc03LQ3A= +google.golang.org/genproto/googleapis/api v0.0.0-20250728155136-f173205681a0 h1:0UOBWO4dC+e51ui0NFKSPbkHHiQ4TmrEfEZMLDyRmY8= +google.golang.org/genproto/googleapis/api v0.0.0-20250728155136-f173205681a0/go.mod h1:8ytArBbtOy2xfht+y2fqKd5DRDJRUQhqbyEnQ4bDChs= +google.golang.org/genproto/googleapis/rpc v0.0.0-20250728155136-f173205681a0 h1:MAKi5q709QWfnkkpNQ0M12hYJ1+e8qYVDyowc4U1XZM= +google.golang.org/genproto/googleapis/rpc v0.0.0-20250728155136-f173205681a0/go.mod h1:qQ0YXyHHx3XkvlzUtpXDkS29lDSafHMZBAZDc03LQ3A= google.golang.org/grpc v1.19.0/go.mod h1:mqu4LbDTu4XGKhr4mRzUsmM4RtVoemTSY81AxZiDr8c= google.golang.org/grpc v1.23.0/go.mod h1:Y5yQAOtifL1yxbo5wqy6BxZv8vAUGQwXBOALyacEbxg= google.golang.org/grpc v1.25.1/go.mod h1:c3i+UQWmh7LiEpx4sFZnkU36qjEYZ0imhYfXVyQciAY= diff --git a/internal/cmd/egctl/testdata/translate/out/default-resources.all.yaml b/internal/cmd/egctl/testdata/translate/out/default-resources.all.yaml index 997bb75a1d..466c48cd2f 100644 
--- a/internal/cmd/egctl/testdata/translate/out/default-resources.all.yaml +++ b/internal/cmd/egctl/testdata/translate/out/default-resources.all.yaml @@ -1127,6 +1127,14 @@ xds: useRemoteAddress: true name: default/eg/http maxConnectionsToAcceptPerSocketEvent: 1 + metadata: + filterMetadata: + envoy-gateway: + resources: + - kind: Gateway + name: eg + namespace: default + sectionName: http name: default/eg/http perConnectionBufferLimitBytes: 32768 - activeState: @@ -1214,14 +1222,14 @@ xds: initialStreamWindowSize: 65536 maxConcurrentStreams: 100 httpFilters: + - name: envoy.filters.http.grpc_web + typedConfig: + '@type': type.googleapis.com/envoy.extensions.filters.http.grpc_web.v3.GrpcWeb - name: envoy.filters.http.grpc_stats typedConfig: '@type': type.googleapis.com/envoy.extensions.filters.http.grpc_stats.v3.FilterConfig emitFilterState: true statsForAllMethods: true - - name: envoy.filters.http.grpc_web - typedConfig: - '@type': type.googleapis.com/envoy.extensions.filters.http.grpc_web.v3.GrpcWeb - name: envoy.filters.http.router typedConfig: '@type': type.googleapis.com/envoy.extensions.filters.http.router.v3.Router @@ -1239,6 +1247,14 @@ xds: useRemoteAddress: true name: default/eg/grpc maxConnectionsToAcceptPerSocketEvent: 1 + metadata: + filterMetadata: + envoy-gateway: + resources: + - kind: Gateway + name: eg + namespace: default + sectionName: grpc name: default/eg/grpc perConnectionBufferLimitBytes: 32768 - activeState: diff --git a/internal/cmd/egctl/testdata/translate/out/from-gateway-api-to-xds.all.json b/internal/cmd/egctl/testdata/translate/out/from-gateway-api-to-xds.all.json index b31e8aed56..0e0d7dae9b 100644 --- a/internal/cmd/egctl/testdata/translate/out/from-gateway-api-to-xds.all.json +++ b/internal/cmd/egctl/testdata/translate/out/from-gateway-api-to-xds.all.json 
@@ -978,6 +978,20 @@ "name": "default/eg/http" }, "maxConnectionsToAcceptPerSocketEvent": 1, + "metadata": { + "filterMetadata": { + "envoy-gateway": { + "resources": [ + { + "kind": "Gateway", + "name": "eg", + "namespace": "default", + "sectionName": "http" + } + ] + } + } + }, "name": "default/eg/http", "perConnectionBufferLimitBytes": 32768 } @@ -1090,17 +1104,17 @@ }, "httpFilters": [ { - "name": "envoy.filters.http.grpc_stats", + "name": "envoy.filters.http.grpc_web", "typedConfig": { - "@type": "type.googleapis.com/envoy.extensions.filters.http.grpc_stats.v3.FilterConfig", - "emitFilterState": true, - "statsForAllMethods": true + "@type": "type.googleapis.com/envoy.extensions.filters.http.grpc_web.v3.GrpcWeb" } }, { - "name": "envoy.filters.http.grpc_web", + "name": "envoy.filters.http.grpc_stats", "typedConfig": { - "@type": "type.googleapis.com/envoy.extensions.filters.http.grpc_web.v3.GrpcWeb" + "@type": "type.googleapis.com/envoy.extensions.filters.http.grpc_stats.v3.FilterConfig", + "emitFilterState": true, + "statsForAllMethods": true } }, { @@ -1130,6 +1144,20 @@ "name": "default/eg/grpc" }, "maxConnectionsToAcceptPerSocketEvent": 1, + "metadata": { + "filterMetadata": { + "envoy-gateway": { + "resources": [ + { + "kind": "Gateway", + "name": "eg", + "namespace": "default", + "sectionName": "grpc" + } + ] + } + } + }, "name": "default/eg/grpc", "perConnectionBufferLimitBytes": 32768 } diff --git a/internal/cmd/egctl/testdata/translate/out/from-gateway-api-to-xds.all.yaml b/internal/cmd/egctl/testdata/translate/out/from-gateway-api-to-xds.all.yaml index b6467311ec..2b6d629a8e 100644 --- a/internal/cmd/egctl/testdata/translate/out/from-gateway-api-to-xds.all.yaml +++ b/internal/cmd/egctl/testdata/translate/out/from-gateway-api-to-xds.all.yaml 
@@ -580,6 +580,14 @@ xds: useRemoteAddress: true name: default/eg/http maxConnectionsToAcceptPerSocketEvent: 1 + metadata: + filterMetadata: + envoy-gateway: + resources: + - kind: Gateway + name: eg + namespace: default + sectionName: http name: default/eg/http perConnectionBufferLimitBytes: 32768 - activeState: @@ -667,14 +675,14 @@ xds: initialStreamWindowSize: 65536 maxConcurrentStreams: 100 httpFilters: + - name: envoy.filters.http.grpc_web + typedConfig: + '@type': type.googleapis.com/envoy.extensions.filters.http.grpc_web.v3.GrpcWeb - name: envoy.filters.http.grpc_stats typedConfig: '@type': type.googleapis.com/envoy.extensions.filters.http.grpc_stats.v3.FilterConfig emitFilterState: true statsForAllMethods: true - - name: envoy.filters.http.grpc_web - typedConfig: - '@type': type.googleapis.com/envoy.extensions.filters.http.grpc_web.v3.GrpcWeb - name: envoy.filters.http.router typedConfig: '@type': type.googleapis.com/envoy.extensions.filters.http.router.v3.Router @@ -692,6 +700,14 @@ xds: useRemoteAddress: true name: default/eg/grpc maxConnectionsToAcceptPerSocketEvent: 1 + metadata: + filterMetadata: + envoy-gateway: + resources: + - kind: Gateway + name: eg + namespace: default + sectionName: grpc name: default/eg/grpc perConnectionBufferLimitBytes: 32768 - activeState: diff --git a/internal/cmd/egctl/testdata/translate/out/from-gateway-api-to-xds.listener.yaml b/internal/cmd/egctl/testdata/translate/out/from-gateway-api-to-xds.listener.yaml index 1c8fba4d1d..407c87e4e9 100644 --- a/internal/cmd/egctl/testdata/translate/out/from-gateway-api-to-xds.listener.yaml +++ b/internal/cmd/egctl/testdata/translate/out/from-gateway-api-to-xds.listener.yaml @@ -143,6 +143,14 @@ xds: useRemoteAddress: true name: default/eg/http maxConnectionsToAcceptPerSocketEvent: 1 + metadata: + filterMetadata: + envoy-gateway: + resources: + - kind: Gateway + name: eg + namespace: default + sectionName: http name: default/eg/http perConnectionBufferLimitBytes: 32768 - activeState: 
@@ -230,14 +238,14 @@ xds: initialStreamWindowSize: 65536 maxConcurrentStreams: 100 httpFilters: + - name: envoy.filters.http.grpc_web + typedConfig: + '@type': type.googleapis.com/envoy.extensions.filters.http.grpc_web.v3.GrpcWeb - name: envoy.filters.http.grpc_stats typedConfig: '@type': type.googleapis.com/envoy.extensions.filters.http.grpc_stats.v3.FilterConfig emitFilterState: true statsForAllMethods: true - - name: envoy.filters.http.grpc_web - typedConfig: - '@type': type.googleapis.com/envoy.extensions.filters.http.grpc_web.v3.GrpcWeb - name: envoy.filters.http.router typedConfig: '@type': type.googleapis.com/envoy.extensions.filters.http.router.v3.Router @@ -255,6 +263,14 @@ xds: useRemoteAddress: true name: default/eg/grpc maxConnectionsToAcceptPerSocketEvent: 1 + metadata: + filterMetadata: + envoy-gateway: + resources: + - kind: Gateway + name: eg + namespace: default + sectionName: grpc name: default/eg/grpc perConnectionBufferLimitBytes: 32768 - activeState: diff --git a/internal/cmd/egctl/testdata/translate/out/jwt-single-route-single-match-to-xds.all.json b/internal/cmd/egctl/testdata/translate/out/jwt-single-route-single-match-to-xds.all.json index 300d0c8f6d..2ef1bfccad 100644 --- a/internal/cmd/egctl/testdata/translate/out/jwt-single-route-single-match-to-xds.all.json +++ b/internal/cmd/egctl/testdata/translate/out/jwt-single-route-single-match-to-xds.all.json @@ -689,6 +689,20 @@ "name": "envoy-gateway-system/eg/http" }, "maxConnectionsToAcceptPerSocketEvent": 1, + "metadata": { + "filterMetadata": { + "envoy-gateway": { + "resources": [ + { + "kind": "Gateway", + "name": "eg", + "namespace": "envoy-gateway-system", + "sectionName": "http" + } + ] + } + } + }, "name": "envoy-gateway-system/eg/http", "perConnectionBufferLimitBytes": 32768 } 
diff --git a/internal/cmd/egctl/testdata/translate/out/jwt-single-route-single-match-to-xds.all.yaml b/internal/cmd/egctl/testdata/translate/out/jwt-single-route-single-match-to-xds.all.yaml index 55673a986f..97e8af982d 100644 --- a/internal/cmd/egctl/testdata/translate/out/jwt-single-route-single-match-to-xds.all.yaml +++ b/internal/cmd/egctl/testdata/translate/out/jwt-single-route-single-match-to-xds.all.yaml @@ -418,6 +418,14 @@ xds: useRemoteAddress: true name: envoy-gateway-system/eg/http maxConnectionsToAcceptPerSocketEvent: 1 + metadata: + filterMetadata: + envoy-gateway: + resources: + - kind: Gateway + name: eg + namespace: envoy-gateway-system + sectionName: http name: envoy-gateway-system/eg/http perConnectionBufferLimitBytes: 32768 - '@type': type.googleapis.com/envoy.admin.v3.RoutesConfigDump diff --git a/internal/cmd/egctl/testdata/translate/out/jwt-single-route-single-match-to-xds.listener.yaml b/internal/cmd/egctl/testdata/translate/out/jwt-single-route-single-match-to-xds.listener.yaml index 6eeb127d70..9e33881f16 100644 --- a/internal/cmd/egctl/testdata/translate/out/jwt-single-route-single-match-to-xds.listener.yaml +++ b/internal/cmd/egctl/testdata/translate/out/jwt-single-route-single-match-to-xds.listener.yaml @@ -163,5 +163,13 @@ xds: useRemoteAddress: true name: envoy-gateway-system/eg/http maxConnectionsToAcceptPerSocketEvent: 1 + metadata: + filterMetadata: + envoy-gateway: + resources: + - kind: Gateway + name: eg + namespace: envoy-gateway-system + sectionName: http name: envoy-gateway-system/eg/http perConnectionBufferLimitBytes: 32768 diff --git a/internal/cmd/egctl/testdata/translate/out/no-service-cluster-ip.all.yaml b/internal/cmd/egctl/testdata/translate/out/no-service-cluster-ip.all.yaml index d8bd72e73f..6f1a6b9d6f 100644 --- a/internal/cmd/egctl/testdata/translate/out/no-service-cluster-ip.all.yaml +++ b/internal/cmd/egctl/testdata/translate/out/no-service-cluster-ip.all.yaml 
@@ -353,6 +353,14 @@ xds: useRemoteAddress: true name: envoy-gateway-system/eg/http maxConnectionsToAcceptPerSocketEvent: 1 + metadata: + filterMetadata: + envoy-gateway: + resources: + - kind: Gateway + name: eg + namespace: envoy-gateway-system + sectionName: http name: envoy-gateway-system/eg/http perConnectionBufferLimitBytes: 32768 - '@type': type.googleapis.com/envoy.admin.v3.RoutesConfigDump diff --git a/internal/cmd/server.go b/internal/cmd/server.go index 6ba9f77b96..c4924d7149 100644 --- a/internal/cmd/server.go +++ b/internal/cmd/server.go @@ -24,8 +24,7 @@ import ( "github.com/envoyproxy/gateway/internal/message" "github.com/envoyproxy/gateway/internal/metrics" providerrunner "github.com/envoyproxy/gateway/internal/provider/runner" - xdsserverrunner "github.com/envoyproxy/gateway/internal/xds/server/runner" - xdstranslatorrunner "github.com/envoyproxy/gateway/internal/xds/translator/runner" + xdsrunner "github.com/envoyproxy/gateway/internal/xds/runner" ) type Runner interface { @@ -138,12 +137,10 @@ func startRunners(ctx context.Context, cfg *config.Server) (err error) { pResources *message.ProviderResources xdsIR *message.XdsIR infraIR *message.InfraIR - xds *message.Xds }{ pResources: new(message.ProviderResources), xdsIR: new(message.XdsIR), infraIR: new(message.InfraIR), - xds: new(message.Xds), } // The Elected channel is used to block the tasks that are waiting for the leader to be elected. 
@@ -183,13 +180,13 @@ func startRunners(ctx context.Context, cfg *config.Server) (err error) { }), }, { - // Start the Xds Translator Service - // It subscribes to the xdsIR, translates it into xds Resources and publishes it. + // Start the Xds Service + // It subscribes to the xdsIR, translates it into xds Resources + // and publishes it into the xDS Cache. // It also computes the EnvoyPatchPolicy statuses and publishes it. - runner: xdstranslatorrunner.New(&xdstranslatorrunner.Config{ + runner: xdsrunner.New(&xdsrunner.Config{ Server: *cfg, XdsIR: channels.xdsIR, - Xds: channels.xds, ExtensionManager: extMgr, ProviderResources: channels.pResources, }), @@ -203,15 +200,6 @@ func startRunners(ctx context.Context, cfg *config.Server) (err error) { InfraIR: channels.infraIR, }), }, - { - // Start the xDS Server - // It subscribes to the xds Resources and configures the remote Envoy Proxy - // via the xDS Protocol. - runner: xdsserverrunner.New(&xdsserverrunner.Config{ - Server: *cfg, - Xds: channels.xds, - }), - }, { // Start the Admin Server // It provides admin endpoints including pprof for debugging. @@ -254,7 +242,6 @@ func startRunners(ctx context.Context, cfg *config.Server) (err error) { channels.pResources, channels.xdsIR, channels.infraIR, - channels.xds, } for _, ch := range closeChannels { ch.Close() diff --git a/internal/envoygateway/config/decoder_test.go b/internal/envoygateway/config/decoder_test.go index cd49d89ff2..568a08b6f0 100644 --- a/internal/envoygateway/config/decoder_test.go +++ b/internal/envoygateway/config/decoder_test.go @@ -195,9 +195,7 @@ func TestDecode(t *testing.T) { Provider: egv1a1.DefaultEnvoyGatewayProvider(), Gateway: egv1a1.DefaultGateway(), RateLimit: &egv1a1.RateLimit{ - Timeout: &metav1.Duration{ - Duration: 10000000, - }, + Timeout: ptr.To(gwapiv1.Duration("10ms")), FailClosed: true, Backend: egv1a1.RateLimitDatabaseBackend{ Type: egv1a1.RedisBackendType, 
diff --git a/internal/gatewayapi/backendtrafficpolicy.go b/internal/gatewayapi/backendtrafficpolicy.go index 7b10a951fe..07d926a9b6 100644 --- a/internal/gatewayapi/backendtrafficpolicy.go +++ b/internal/gatewayapi/backendtrafficpolicy.go @@ -12,6 +12,7 @@ import ( "sort" "strconv" "strings" + "time" perr "github.com/pkg/errors" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" @@ -974,14 +975,24 @@ func int64ToUint32(in int64) (uint32, bool) { } func (t *Translator) buildFaultInjection(policy *egv1a1.BackendTrafficPolicy) *ir.FaultInjection { - var fi *ir.FaultInjection + var ( + fi *ir.FaultInjection + d time.Duration + err error + ) if policy.Spec.FaultInjection != nil { fi = &ir.FaultInjection{} if policy.Spec.FaultInjection.Delay != nil { + if policy.Spec.FaultInjection.Delay.FixedDelay != nil { + d, err = time.ParseDuration(string(*policy.Spec.FaultInjection.Delay.FixedDelay)) + if err != nil { + return nil + } + } fi.Delay = &ir.FaultInjectionDelay{ Percentage: policy.Spec.FaultInjection.Delay.Percentage, - FixedDelay: policy.Spec.FaultInjection.Delay.FixedDelay, + FixedDelay: ir.MetaV1DurationPtr(d), } } if policy.Spec.FaultInjection.Abort != nil { diff --git a/internal/gatewayapi/clienttrafficpolicy.go b/internal/gatewayapi/clienttrafficpolicy.go index 40e37fdf0a..d3c59cc724 100644 --- a/internal/gatewayapi/clienttrafficpolicy.go +++ b/internal/gatewayapi/clienttrafficpolicy.go @@ -18,7 +18,6 @@ import ( "k8s.io/apimachinery/pkg/types" "k8s.io/apimachinery/pkg/util/sets" "k8s.io/utils/ptr" - gwapiv1 "sigs.k8s.io/gateway-api/apis/v1" gwapiv1a2 "sigs.k8s.io/gateway-api/apis/v1alpha2" egv1a1 "github.com/envoyproxy/gateway/api/v1alpha1" 
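Review bot: In buildFaultInjection an unparsable FixedDelay makes the function `return nil`, which silently discards the whole fault-injection block (delay and abort) with no error or status for the operator; buildLoadBalancer in the same commit returns the ParseDuration error instead, so this path should do the same or at least log it. A second problem is that `d` is now declared at function scope, so when Delay is set but FixedDelay is nil the IR is built with `ir.MetaV1DurationPtr(d)` for a zero `d` — unless MetaV1DurationPtr maps zero to nil, that is a 0s FixedDelay where the old code carried nil. Scoping the parse to the branch, as below, restores the nil-when-unset behaviour and drops the shared `d`/`err` variables. buildFaultInjection continues past the end of the hunk.
```go
func (t *Translator) buildFaultInjection(policy *egv1a1.BackendTrafficPolicy) *ir.FaultInjection {
	var fi *ir.FaultInjection
	if policy.Spec.FaultInjection != nil {
		fi = &ir.FaultInjection{}
		if policy.Spec.FaultInjection.Delay != nil {
			delay := &ir.FaultInjectionDelay{
				Percentage: policy.Spec.FaultInjection.Delay.Percentage,
			}
			if fd := policy.Spec.FaultInjection.Delay.FixedDelay; fd != nil {
				d, err := time.ParseDuration(string(*fd))
				if err != nil {
					return nil
				}
				delay.FixedDelay = ir.MetaV1DurationPtr(d)
			}
			fi.Delay = delay
		}
		// … unchanged: Abort handling …
```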
@@ -601,9 +600,7 @@ func buildClientTimeout(clientTimeout *egv1a1.ClientTimeout) (*ir.ClientTimeout, if err != nil { return nil, fmt.Errorf("invalid TCP IdleTimeout value %s", *clientTimeout.TCP.IdleTimeout) } - irTCPTimeout.IdleTimeout = &metav1.Duration{ - Duration: d, - } + irTCPTimeout.IdleTimeout = ir.MetaV1DurationPtr(d) } irClientTimeout.TCP = irTCPTimeout } @@ -615,9 +612,7 @@ func buildClientTimeout(clientTimeout *egv1a1.ClientTimeout) (*ir.ClientTimeout, if err != nil { return nil, fmt.Errorf("invalid HTTP RequestReceivedTimeout value %s", *clientTimeout.HTTP.RequestReceivedTimeout) } - irHTTPTimeout.RequestReceivedTimeout = &metav1.Duration{ - Duration: d, - } + irHTTPTimeout.RequestReceivedTimeout = ir.MetaV1DurationPtr(d) } if clientTimeout.HTTP.IdleTimeout != nil { @@ -625,9 +620,7 @@ func buildClientTimeout(clientTimeout *egv1a1.ClientTimeout) (*ir.ClientTimeout, if err != nil { return nil, fmt.Errorf("invalid HTTP IdleTimeout value %s", *clientTimeout.HTTP.IdleTimeout) } - irHTTPTimeout.IdleTimeout = &metav1.Duration{ - Duration: d, - } + irHTTPTimeout.IdleTimeout = ir.MetaV1DurationPtr(d) } if clientTimeout.HTTP.StreamIdleTimeout != nil { @@ -635,9 +628,7 @@ func buildClientTimeout(clientTimeout *egv1a1.ClientTimeout) (*ir.ClientTimeout, if err != nil { return nil, fmt.Errorf("invalid HTTP StreamIdleTimeout value %s", *clientTimeout.HTTP.StreamIdleTimeout) } - irHTTPTimeout.StreamIdleTimeout = &metav1.Duration{ - Duration: d, - } + irHTTPTimeout.StreamIdleTimeout = ir.MetaV1DurationPtr(d) } irClientTimeout.HTTP = irHTTPTimeout } @@ -962,7 +953,7 @@ func buildConnection(connection *egv1a1.ClientConnection) (*ir.ClientConnection, if err != nil { return nil, fmt.Errorf("invalid CloseDelay value %s", *connection.ConnectionLimit.CloseDelay) } - irConnectionLimit.CloseDelay = ptr.To(metav1.Duration{Duration: d}) + irConnectionLimit.CloseDelay = ir.MetaV1DurationPtr(d) } irConnection.ConnectionLimit = irConnectionLimit 
@@ -983,7 +974,7 @@ func buildConnection(connection *egv1a1.ClientConnection) (*ir.ClientConnection, return irConnection, nil } -func translateEarlyRequestHeaders(headerModifier *gwapiv1.HTTPHeaderFilter) ([]ir.AddHeader, []string, error) { +func translateEarlyRequestHeaders(headerModifier *egv1a1.HTTPHeaderFilter) ([]ir.AddHeader, []string, error) { // Make sure the header modifier config actually exists if headerModifier == nil { return nil, nil, nil diff --git a/internal/gatewayapi/clustersettings.go b/internal/gatewayapi/clustersettings.go index 6473e9b9dd..42de49bad8 100644 --- a/internal/gatewayapi/clustersettings.go +++ b/internal/gatewayapi/clustersettings.go @@ -104,7 +104,7 @@ func buildClusterSettingsTimeout(policy egv1a1.ClusterSettings) (*ir.Timeout, er errs = errors.Join(errs, fmt.Errorf("invalid ConnectTimeout value %s", *pto.TCP.ConnectTimeout)) } else { to.TCP = &ir.TCPTimeout{ - ConnectTimeout: ptr.To(metav1.Duration{Duration: d}), + ConnectTimeout: ir.MetaV1DurationPtr(d), } } } @@ -119,7 +119,7 @@ func buildClusterSettingsTimeout(policy egv1a1.ClusterSettings) (*ir.Timeout, er if err != nil { errs = errors.Join(errs, fmt.Errorf("invalid ConnectionIdleTimeout value %s", *pto.HTTP.ConnectionIdleTimeout)) } else { - cit = ptr.To(metav1.Duration{Duration: d}) + cit = ir.MetaV1DurationPtr(d) } } @@ -128,7 +128,7 @@ func buildClusterSettingsTimeout(policy egv1a1.ClusterSettings) (*ir.Timeout, er if err != nil { errs = errors.Join(errs, fmt.Errorf("invalid MaxConnectionDuration value %s", *pto.HTTP.MaxConnectionDuration)) } else { - mcd = ptr.To(metav1.Duration{Duration: d}) + mcd = ir.MetaV1DurationPtr(d) } } @@ -137,7 +137,7 @@ func buildClusterSettingsTimeout(policy egv1a1.ClusterSettings) (*ir.Timeout, er if err != nil { errs = errors.Join(errs, fmt.Errorf("invalid RequestTimeout value %s", *pto.HTTP.RequestTimeout)) } else { - rt = ptr.To(metav1.Duration{Duration: d}) + rt = ir.MetaV1DurationPtr(d) } } 
@@ -293,8 +293,12 @@ func buildLoadBalancer(policy egv1a1.ClusterSettings) (*ir.LoadBalancer, error)
 LeastRequest: &ir.LeastRequest{},
 }
 if policy.LoadBalancer.SlowStart != nil && policy.LoadBalancer.SlowStart.Window != nil {
+ d, err := time.ParseDuration(string(*policy.LoadBalancer.SlowStart.Window))
+ if err != nil {
+ return nil, err
+ }
 lb.LeastRequest.SlowStart = &ir.SlowStart{
- Window: policy.LoadBalancer.SlowStart.Window,
+ Window: ir.MetaV1DurationPtr(d),
 }
 }
 case egv1a1.RandomLoadBalancerType:
@@ -306,8 +310,25 @@ func buildLoadBalancer(policy egv1a1.ClusterSettings) (*ir.LoadBalancer, error)
 RoundRobin: &ir.RoundRobin{},
 }
 if policy.LoadBalancer.SlowStart != nil && policy.LoadBalancer.SlowStart.Window != nil {
+ d, err := time.ParseDuration(string(*policy.LoadBalancer.SlowStart.Window))
+ if err != nil {
+ return nil, err
+ }
 lb.RoundRobin.SlowStart = &ir.SlowStart{
- Window: policy.LoadBalancer.SlowStart.Window,
+ Window: ir.MetaV1DurationPtr(d),
+ }
+ }
+ }
+
+ // Add ZoneAware loadbalancer settings
+ if policy.LoadBalancer.ZoneAware != nil && policy.LoadBalancer.ZoneAware.PreferLocal != nil {
+ preferLocal := policy.LoadBalancer.ZoneAware.PreferLocal
+ lb.PreferLocal = &ir.PreferLocalZone{
+ MinEndpointsThreshold: preferLocal.MinEndpointsThreshold,
+ }
+ if preferLocal.Force != nil {
+ lb.PreferLocal.Force = &ir.ForceLocalZone{
+ MinEndpointsInZoneThreshold: preferLocal.Force.MinEndpointsInZoneThreshold,
 }
 }
 }
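Review bot: The new zone-aware block sits after the `switch` (the third `+ }` closes it) and dereferences `lb` unconditionally, but the switch's earlier cases and whether it has a default that assigns `lb` are outside this hunk, so an unrecognised `policy.LoadBalancer.Type` that leaves `lb` nil would panic inside the translator rather than produce a status error. Either guard it, `if lb != nil && policy.LoadBalancer.ZoneAware != nil && policy.LoadBalancer.ZoneAware.PreferLocal != nil {`, or add a comment stating the invariant that every branch assigns `lb`. The two identical slow-start parse blocks in the LeastRequest and RoundRobin cases could also share a small helper so their error path cannot drift apart. buildLoadBalancer starts and ends outside the hunk.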
@@ -402,14 +423,28 @@ func buildPassiveHealthCheck(policy egv1a1.HealthCheck) *ir.OutlierDetection {
 hc := policy.Passive
 irOD := &ir.OutlierDetection{
- Interval: hc.Interval,
 SplitExternalLocalOriginErrors: hc.SplitExternalLocalOriginErrors,
 ConsecutiveLocalOriginFailures: hc.ConsecutiveLocalOriginFailures,
 ConsecutiveGatewayErrors: hc.ConsecutiveGatewayErrors,
 Consecutive5xxErrors: hc.Consecutive5xxErrors,
- BaseEjectionTime: hc.BaseEjectionTime,
 MaxEjectionPercent: hc.MaxEjectionPercent,
 }
+
+ if hc.Interval != nil {
+ d, err := time.ParseDuration(string(*hc.Interval))
+ if err != nil {
+ return nil
+ }
+ irOD.Interval = ir.MetaV1DurationPtr(d)
+ }
+
+ if hc.BaseEjectionTime != nil {
+ d, err := time.ParseDuration(string(*hc.BaseEjectionTime))
+ if err != nil {
+ return nil
+ }
+ irOD.BaseEjectionTime = ir.MetaV1DurationPtr(d)
+ }
 return irOD
 }
@@ -420,12 +455,22 @@ func buildActiveHealthCheck(policy egv1a1.HealthCheck) *ir.ActiveHealthCheck {
 hc := policy.Active
 irHC := &ir.ActiveHealthCheck{
- Timeout: hc.Timeout,
- Interval: hc.Interval,
 InitialJitter: hc.InitialJitter,
 UnhealthyThreshold: hc.UnhealthyThreshold,
 HealthyThreshold: hc.HealthyThreshold,
 }
+
+ if hc.Timeout != nil {
+ if d, err := time.ParseDuration(string(*hc.Timeout)); err == nil {
+ irHC.Timeout = ir.MetaV1DurationPtr(d)
+ }
+ }
+
+ if hc.Interval != nil {
+ if d, err := time.ParseDuration(string(*hc.Interval)); err == nil {
+ irHC.Interval = ir.MetaV1DurationPtr(d)
+ }
+ }
 switch hc.Type {
 case egv1a1.ActiveHealthCheckerTypeHTTP:
 irHC.HTTP = buildHTTPActiveHealthChecker(hc.HTTP)
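Review bot: In buildPassiveHealthCheck a `time.ParseDuration` failure on `Interval` or `BaseEjectionTime` now does `return nil`, which discards the whole outlier-detection block — including the consecutive-error thresholds that did parse — so a misconfigured passive health check fails open with nothing reported to the policy owner. The other builders in this diff return errors for the same failure (buildRetry and buildLoadBalancer use `return nil, err`); returning `nil, fmt.Errorf("invalid passive health check Interval value %s", *hc.Interval)` here would be consistent, though the caller is outside the hunk and would need the extra return value. If the signature cannot change, keep `irOD` and leave only the unparsable field unset rather than dropping the thresholds as well. The function's opening lines are outside the hunk.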
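Review bot: buildActiveHealthCheck silently ignores parse errors for `Timeout` and `Interval` (the `err == nil` guards), leaving the fields nil so whatever default applies downstream takes effect, while buildPassiveHealthCheck in the hunk directly above aborts on the same condition — two fields of the same policy get opposite handling. If the intent is that CRD pattern validation already rejects bad values, say so with a comment such as `// Duration values are pattern-validated by the CRD; an unparsable value is left unset` and treat both builders the same way; otherwise surface the error as buildRetry does. The silent path matters most if the translator is ever fed resources that did not pass API-server validation.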
@@ -509,11 +554,18 @@ func translateDNS(policy egv1a1.ClusterSettings) *ir.DNS {
 if policy.DNS == nil {
 return nil
 }
- return &ir.DNS{
- LookupFamily: policy.DNS.LookupFamily,
- RespectDNSTTL: policy.DNS.RespectDNSTTL,
- DNSRefreshRate: policy.DNS.DNSRefreshRate,
+ irDNS := &ir.DNS{
+ LookupFamily: policy.DNS.LookupFamily,
+ RespectDNSTTL: policy.DNS.RespectDNSTTL,
 }
+
+ if policy.DNS.DNSRefreshRate != nil {
+ if d, err := time.ParseDuration(string(*policy.DNS.DNSRefreshRate)); err == nil {
+ irDNS.DNSRefreshRate = ir.MetaV1DurationPtr(d)
+ }
+ }
+
+ return irDNS
 }
 func buildRetry(r *egv1a1.Retry) (*ir.Retry, error) {
@@ -552,7 +604,11 @@ func buildRetry(r *egv1a1.Retry) (*ir.Retry, error) {
 bpr := false
 if r.PerRetry.Timeout != nil {
- pr.Timeout = r.PerRetry.Timeout
+ d, err := time.ParseDuration(string(*r.PerRetry.Timeout))
+ if err != nil {
+ return nil, err
+ }
+ pr.Timeout = ir.MetaV1DurationPtr(d)
 bpr = true
 }
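Review bot: translateDNS discards `DNSRefreshRate` when `time.ParseDuration` fails (`err == nil` guard), so an unparsable refresh rate silently falls back to whatever default applies downstream instead of being reported; the function returns only `*ir.DNS`, so surfacing it would need the signature to grow an error like buildRetry's. If that change is out of scope, a one-line comment `// unparsable DNSRefreshRate is ignored; CRD pattern validation is expected to reject it earlier` would at least record the decision for the next reader. The function's start is outside the hunk.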
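Review bot: The new `return nil, err` in buildRetry passes the raw `time.ParseDuration` error upward, whereas every other duration parse in this diff wraps it with the field name (`fmt.Errorf("invalid ConnectTimeout value %s", ...)` in clustersettings.go), so the resulting status message will read like `time: invalid duration "..."` with no hint of which field. `return nil, fmt.Errorf("invalid PerRetry Timeout value %s: %w", *r.PerRetry.Timeout, err)` keeps the convention and the cause. buildRetry starts and ends outside this hunk.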
@@ -560,18 +616,22 @@ func buildRetry(r *egv1a1.Retry) (*ir.Retry, error) {
 if r.PerRetry.BackOff.MaxInterval != nil || r.PerRetry.BackOff.BaseInterval != nil {
 bop := &ir.BackOffPolicy{}
 if r.PerRetry.BackOff.BaseInterval != nil {
- bop.BaseInterval = r.PerRetry.BackOff.BaseInterval
- if bop.BaseInterval.Duration == 0 {
- return nil, fmt.Errorf("baseInterval cannot be set to 0s")
+ if d, err := time.ParseDuration(string(*r.PerRetry.BackOff.BaseInterval)); err == nil {
+ bop.BaseInterval = ir.MetaV1DurationPtr(d)
+ if bop.BaseInterval.Duration == 0 {
+ return nil, fmt.Errorf("baseInterval cannot be set to 0s")
+ }
 }
 }
 if r.PerRetry.BackOff.MaxInterval != nil {
- bop.MaxInterval = r.PerRetry.BackOff.MaxInterval
- if bop.MaxInterval.Duration == 0 {
- return nil, fmt.Errorf("maxInterval cannot be set to 0s")
- }
- if bop.BaseInterval != nil && bop.BaseInterval.Duration > bop.MaxInterval.Duration {
- return nil, fmt.Errorf("maxInterval cannot be less than baseInterval")
+ if d, err := time.ParseDuration(string(*r.PerRetry.BackOff.MaxInterval)); err == nil {
+ bop.MaxInterval = ir.MetaV1DurationPtr(d)
+ if bop.MaxInterval.Duration == 0 {
+ return nil, fmt.Errorf("maxInterval cannot be set to 0s")
+ }
+ if bop.BaseInterval != nil && bop.BaseInterval.Duration > bop.MaxInterval.Duration {
+ return nil, fmt.Errorf("maxInterval cannot be less than baseInterval")
+ }
 }
 }
diff --git a/internal/gatewayapi/envoyextensionpolicy.go b/internal/gatewayapi/envoyextensionpolicy.go
index 46894556a1..c6986f847d 100644
--- a/internal/gatewayapi/envoyextensionpolicy.go
+++ b/internal/gatewayapi/envoyextensionpolicy.go
@@ -605,7 +605,7 @@ func (t *Translator) buildExtProc(
 if err != nil {
 return nil, fmt.Errorf("invalid ExtProc MessageTimeout value %v", extProc.MessageTimeout)
 }
- extProcIR.MessageTimeout = ptr.To(metav1.Duration{Duration: d})
+ extProcIR.MessageTimeout = ir.MetaV1DurationPtr(d)
 }
 if extProc.FailOpen != nil {
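Review bot: The backoff rewrite swallows `time.ParseDuration` errors: with the `err == nil` guards an unparsable `baseInterval` or `maxInterval` now yields a `BackOffPolicy` with that field nil instead of the error the old code returned, and the `cannot be set to 0s` / `cannot be less than baseInterval` checks are skipped on that path — the opposite of the `PerRetry.Timeout` branch just above, which returns the error. Parse first and return on failure so the existing checks keep running; the enclosing `if ... != nil || ... != nil {` is opened in this hunk but buildRetry's return is outside it.

```go
if r.PerRetry.BackOff.BaseInterval != nil {
	d, err := time.ParseDuration(string(*r.PerRetry.BackOff.BaseInterval))
	if err != nil {
		return nil, fmt.Errorf("invalid baseInterval value %s: %w", *r.PerRetry.BackOff.BaseInterval, err)
	}
	bop.BaseInterval = ir.MetaV1DurationPtr(d)
	// … unchanged: 0s check …
}
if r.PerRetry.BackOff.MaxInterval != nil {
	d, err := time.ParseDuration(string(*r.PerRetry.BackOff.MaxInterval))
	if err != nil {
		return nil, fmt.Errorf("invalid maxInterval value %s: %w", *r.PerRetry.BackOff.MaxInterval, err)
	}
	bop.MaxInterval = ir.MetaV1DurationPtr(d)
	// … unchanged: 0s and ordering checks …
}
```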
diff --git a/internal/gatewayapi/filters.go b/internal/gatewayapi/filters.go index 631de32472..be65cb0bef 100644 --- a/internal/gatewayapi/filters.go +++ b/internal/gatewayapi/filters.go @@ -1032,7 +1032,7 @@ func (t *Translator) processCORSFilter( AllowMethods: allowMethods, AllowHeaders: allowHeaders, ExposeHeaders: exposeHeaders, - MaxAge: ptr.To(metav1.Duration{Duration: time.Duration(corsFilter.MaxAge) * time.Second}), + MaxAge: ir.MetaV1DurationPtr(time.Duration(corsFilter.MaxAge) * time.Second), AllowCredentials: bool(corsFilter.AllowCredentials), } } diff --git a/internal/gatewayapi/globalresources.go b/internal/gatewayapi/globalresources.go index 24830e34b4..c0ce06d0f9 100644 --- a/internal/gatewayapi/globalresources.go +++ b/internal/gatewayapi/globalresources.go @@ -32,6 +32,11 @@ func (t *Translator) ProcessGlobalResources(resources *resource.Resources, xdsIR xdsIRs[irKey].GlobalResources = &ir.GlobalResources{} } xdsIRs[irKey].GlobalResources.ProxyServiceCluster = rDest + + // For merged gateways we only need to process once + if t.MergeGateways { + break + } } // Get the envoy client TLS secret. It is used for envoy to establish a TLS connection with control plane components, diff --git a/internal/gatewayapi/resource/testdata/all-resources.out.yaml b/internal/gatewayapi/resource/testdata/all-resources.out.yaml index f6acba05db..69ac8ade73 100644 --- a/internal/gatewayapi/resource/testdata/all-resources.out.yaml +++ b/internal/gatewayapi/resource/testdata/all-resources.out.yaml @@ -45,7 +45,7 @@ backendTrafficPolicies: attributes: SameSite: Strict name: Lb-Test-Cookie - ttl: 1m0s + ttl: 60s tableSize: 65537 type: Cookie type: ConsistentHash diff --git a/internal/gatewayapi/route.go b/internal/gatewayapi/route.go index a60564028e..fa517eea67 100644 --- a/internal/gatewayapi/route.go +++ b/internal/gatewayapi/route.go 
@@ -350,7 +350,7 @@ func processRouteTimeout(irRoute *ir.HTTPRoute, rule gwapiv1.HTTPRouteRule) { if err != nil { d, _ = time.ParseDuration(HTTPRequestTimeout) } - irRoute.Timeout = ptr.To(metav1.Duration{Duration: d}) + irRoute.Timeout = ir.MetaV1DurationPtr(d) } // Only set the IR Route Timeout to the backend request timeout @@ -361,7 +361,7 @@ func processRouteTimeout(irRoute *ir.HTTPRoute, rule gwapiv1.HTTPRouteRule) { if err != nil { d, _ = time.ParseDuration(HTTPRequestTimeout) } - irRoute.Timeout = ptr.To(metav1.Duration{Duration: d}) + irRoute.Timeout = ir.MetaV1DurationPtr(d) } } } @@ -381,14 +381,14 @@ func processRouteRetry(irRoute *ir.HTTPRoute, rule gwapiv1.HTTPRouteRule) { if err == nil { res.PerRetry = &ir.PerRetryPolicy{ BackOff: &ir.BackOffPolicy{ - BaseInterval: ptr.To(metav1.Duration{Duration: backoff}), + BaseInterval: ir.MetaV1DurationPtr(backoff), }, } // xref: https://gateway-api.sigs.k8s.io/geps/gep-1742/#timeout-values if rule.Timeouts != nil && rule.Timeouts.BackendRequest != nil { backendRequestTimeout, err := time.ParseDuration(string(*rule.Timeouts.BackendRequest)) if err == nil { - res.PerRetry.Timeout = &metav1.Duration{Duration: backendRequestTimeout} + res.PerRetry.Timeout = ir.MetaV1DurationPtr(backendRequestTimeout) } } } @@ -460,7 +460,7 @@ func (t *Translator) processHTTPRouteRule( if err != nil { return nil, status.NewRouteStatusError(err, gwapiv1.RouteReasonUnsupportedValue) } - sessionPersistence.Cookie.TTL = &metav1.Duration{Duration: ttl} + sessionPersistence.Cookie.TTL = ir.MetaV1DurationPtr(ttl) } case *rule.SessionPersistence.Type == gwapiv1.HeaderBasedSessionPersistence: sessionPersistence = &ir.SessionPersistence{ 
@@ -1488,6 +1488,18 @@ func (t *Translator) processDestination(name string, backendRefContext BackendRe if t.isCustomBackendResource(backendRef.Group, KindDerefOr(backendRef.Kind, resource.KindService)) { // Add the custom backend resource to ExtensionRefFilters so it can be processed by the extension system unstructuredRef = t.processBackendExtensions(backendRef.BackendObjectReference, backendNamespace, resources) + + // Check if the custom backend resource was found + if unstructuredRef == nil { + return nil, nil, status.NewRouteStatusError( + fmt.Errorf("custom backend %s %s/%s not found", + KindDerefOr(backendRef.Kind, resource.KindService), + backendNamespace, + backendRef.Name), + gwapiv1.RouteReasonBackendNotFound, + ).WithType(gwapiv1.RouteConditionResolvedRefs) + } + return &ir.DestinationSetting{ Name: name, Weight: &weight, diff --git a/internal/gatewayapi/runner/runner.go b/internal/gatewayapi/runner/runner.go index 2eccf8832d..37e7519a6a 100644 --- a/internal/gatewayapi/runner/runner.go +++ b/internal/gatewayapi/runner/runner.go @@ -194,11 +194,11 @@ func (r *Runner) subscribeAndTranslate(sub <-chan watchable.Snapshot[string, *re r.Logger.Error(err, "unable to validate infra ir, skipped sending it") errChan <- err } else { - message.HandleStore(message.Metadata{ + r.InfraIR.Store(key, val) + message.PublishMetric(message.Metadata{ Runner: r.Name(), Message: message.InfraIRMessageName, - }, - key, val, &r.InfraIR.Map) + }) newIRKeys = append(newIRKeys, key) } } 
@@ -209,67 +209,67 @@ func (r *Runner) subscribeAndTranslate(sub <-chan watchable.Snapshot[string, *re r.Logger.Error(err, "unable to validate xds ir, skipped sending it") errChan <- err } else { - message.HandleStore(message.Metadata{ + r.XdsIR.Store(key, val) + message.PublishMetric(message.Metadata{ Runner: r.Name(), Message: message.XDSIRMessageName, - }, - key, val, &r.XdsIR.Map) + }) } } // Update Status for _, gateway := range result.Gateways { key := utils.NamespacedName(gateway) - message.HandleStore(message.Metadata{ + r.ProviderResources.GatewayStatuses.Store(key, &gateway.Status) + message.PublishMetric(message.Metadata{ Runner: r.Name(), Message: message.GatewayStatusMessageName, - }, - key, &gateway.Status, &r.ProviderResources.GatewayStatuses) + }) delete(statusesToDelete.GatewayStatusKeys, key) } for _, httpRoute := range result.HTTPRoutes { key := utils.NamespacedName(httpRoute) - message.HandleStore(message.Metadata{ + r.ProviderResources.HTTPRouteStatuses.Store(key, &httpRoute.Status) + message.PublishMetric(message.Metadata{ Runner: r.Name(), Message: message.HTTPRouteStatusMessageName, - }, - key, &httpRoute.Status, &r.ProviderResources.HTTPRouteStatuses) + }) delete(statusesToDelete.HTTPRouteStatusKeys, key) } for _, grpcRoute := range result.GRPCRoutes { key := utils.NamespacedName(grpcRoute) - message.HandleStore(message.Metadata{ + r.ProviderResources.GRPCRouteStatuses.Store(key, &grpcRoute.Status) + message.PublishMetric(message.Metadata{ Runner: r.Name(), Message: message.GRPCRouteStatusMessageName, - }, - key, &grpcRoute.Status, &r.ProviderResources.GRPCRouteStatuses) + }) delete(statusesToDelete.GRPCRouteStatusKeys, key) } for _, tlsRoute := range result.TLSRoutes { key := utils.NamespacedName(tlsRoute) - message.HandleStore(message.Metadata{ + r.ProviderResources.TLSRouteStatuses.Store(key, &tlsRoute.Status) + message.PublishMetric(message.Metadata{ Runner: r.Name(), Message: message.TLSRouteStatusMessageName, - }, - key, 
&tlsRoute.Status, &r.ProviderResources.TLSRouteStatuses) + }) delete(statusesToDelete.TLSRouteStatusKeys, key) } for _, tcpRoute := range result.TCPRoutes { key := utils.NamespacedName(tcpRoute) - message.HandleStore(message.Metadata{ + r.ProviderResources.TCPRouteStatuses.Store(key, &tcpRoute.Status) + message.PublishMetric(message.Metadata{ Runner: r.Name(), Message: message.TCPRouteStatusMessageName, - }, - key, &tcpRoute.Status, &r.ProviderResources.TCPRouteStatuses) + }) delete(statusesToDelete.TCPRouteStatusKeys, key) } for _, udpRoute := range result.UDPRoutes { key := utils.NamespacedName(udpRoute) - message.HandleStore(message.Metadata{ + r.ProviderResources.UDPRouteStatuses.Store(key, &udpRoute.Status) + message.PublishMetric(message.Metadata{ Runner: r.Name(), Message: message.UDPRouteStatusMessageName, - }, - key, &udpRoute.Status, &r.ProviderResources.UDPRouteStatuses) + }) delete(statusesToDelete.UDPRouteStatusKeys, key) } @@ -280,11 +280,11 @@ func (r *Runner) subscribeAndTranslate(sub <-chan watchable.Snapshot[string, *re for _, backendTLSPolicy := range result.BackendTLSPolicies { key := utils.NamespacedName(backendTLSPolicy) if !(reflect.ValueOf(backendTLSPolicy.Status).IsZero()) { - message.HandleStore(message.Metadata{ + r.ProviderResources.BackendTLSPolicyStatuses.Store(key, &backendTLSPolicy.Status) + message.PublishMetric(message.Metadata{ Runner: r.Name(), Message: message.BackendTLSPolicyStatusMessageName, - }, - key, &backendTLSPolicy.Status, &r.ProviderResources.BackendTLSPolicyStatuses) + }) } delete(statusesToDelete.BackendTLSPolicyStatusKeys, key) } 
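Review bot: Each of the seven status updates in this hunk now repeats the same `Store` followed by `PublishMetric` pair with only the map and message name varying; a small helper taking the map, key, value and message name would keep the ordering (store before the metric is published) in one place and stop the next copy from drifting. The body of the removed `message.HandleStore` is not visible here, so if it did anything beyond those two calls — deduplicating unchanged values, for example — that behaviour is dropped by this rewrite and worth confirming. subscribeAndTranslate starts and ends outside the hunk.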
@@ -292,55 +292,55 @@ func (r *Runner) subscribeAndTranslate(sub <-chan watchable.Snapshot[string, *re for _, clientTrafficPolicy := range result.ClientTrafficPolicies { key := utils.NamespacedName(clientTrafficPolicy) if !(reflect.ValueOf(clientTrafficPolicy.Status).IsZero()) { - message.HandleStore(message.Metadata{ + r.ProviderResources.ClientTrafficPolicyStatuses.Store(key, &clientTrafficPolicy.Status) + message.PublishMetric(message.Metadata{ Runner: r.Name(), Message: message.ClientTrafficPolicyStatusMessageName, - }, - key, &clientTrafficPolicy.Status, &r.ProviderResources.ClientTrafficPolicyStatuses) + }) } delete(statusesToDelete.ClientTrafficPolicyStatusKeys, key) } for _, backendTrafficPolicy := range result.BackendTrafficPolicies { key := utils.NamespacedName(backendTrafficPolicy) if !(reflect.ValueOf(backendTrafficPolicy.Status).IsZero()) { - message.HandleStore(message.Metadata{ + r.ProviderResources.BackendTrafficPolicyStatuses.Store(key, &backendTrafficPolicy.Status) + message.PublishMetric(message.Metadata{ Runner: r.Name(), Message: message.BackendTrafficPolicyStatusMessageName, - }, - key, &backendTrafficPolicy.Status, &r.ProviderResources.BackendTrafficPolicyStatuses) + }) } delete(statusesToDelete.BackendTrafficPolicyStatusKeys, key) } for _, securityPolicy := range result.SecurityPolicies { key := utils.NamespacedName(securityPolicy) if !(reflect.ValueOf(securityPolicy.Status).IsZero()) { - message.HandleStore(message.Metadata{ + r.ProviderResources.SecurityPolicyStatuses.Store(key, &securityPolicy.Status) + message.PublishMetric(message.Metadata{ Runner: r.Name(), Message: message.SecurityPolicyStatusMessageName, - }, - key, &securityPolicy.Status, &r.ProviderResources.SecurityPolicyStatuses) + }) } delete(statusesToDelete.SecurityPolicyStatusKeys, key) } for _, envoyExtensionPolicy := range result.EnvoyExtensionPolicies { key := utils.NamespacedName(envoyExtensionPolicy) if !(reflect.ValueOf(envoyExtensionPolicy.Status).IsZero()) { - 
message.HandleStore(message.Metadata{ + r.ProviderResources.EnvoyExtensionPolicyStatuses.Store(key, &envoyExtensionPolicy.Status) + message.PublishMetric(message.Metadata{ Runner: r.Name(), Message: message.EnvoyExtensionPolicyStatusMessageName, - }, - key, &envoyExtensionPolicy.Status, &r.ProviderResources.EnvoyExtensionPolicyStatuses) + }) } delete(statusesToDelete.EnvoyExtensionPolicyStatusKeys, key) } for _, backend := range result.Backends { key := utils.NamespacedName(backend) if !(reflect.ValueOf(backend.Status).IsZero()) { - message.HandleStore(message.Metadata{ + r.ProviderResources.BackendStatuses.Store(key, &backend.Status) + message.PublishMetric(message.Metadata{ Runner: r.Name(), Message: message.BackendStatusMessageName, - }, - key, &backend.Status, &r.ProviderResources.BackendStatuses) + }) } delete(statusesToDelete.BackendStatusKeys, key) } @@ -351,11 +351,11 @@ func (r *Runner) subscribeAndTranslate(sub <-chan watchable.Snapshot[string, *re } if !(reflect.ValueOf(extServerPolicy.Object["status"]).IsZero()) { policyStatus := unstructuredToPolicyStatus(extServerPolicy.Object["status"].(map[string]any)) - message.HandleStore(message.Metadata{ + r.ProviderResources.ExtensionPolicyStatuses.Store(key, &policyStatus) + message.PublishMetric(message.Metadata{ Runner: r.Name(), Message: message.ExtensionServerPoliciesStatusMessageName, - }, - key, &policyStatus, &r.ProviderResources.ExtensionPolicyStatuses) + }) } delete(statusesToDelete.ExtensionServerPolicyStatusKeys, key) } diff --git a/internal/gatewayapi/securitypolicy.go b/internal/gatewayapi/securitypolicy.go index 6ca6f48132..a070d5bdc8 100644 --- a/internal/gatewayapi/securitypolicy.go +++ b/internal/gatewayapi/securitypolicy.go 
@@ -895,14 +895,21 @@ func (t *Translator) buildCORS(cors *egv1a1.CORS) *ir.CORS {
 }
 }
- return &ir.CORS{
+ irCORS := &ir.CORS{
 AllowOrigins: allowOrigins,
 AllowMethods: cors.AllowMethods,
 AllowHeaders: cors.AllowHeaders,
 ExposeHeaders: cors.ExposeHeaders,
- MaxAge: cors.MaxAge,
 AllowCredentials: cors.AllowCredentials != nil && *cors.AllowCredentials,
 }
+
+ if cors.MaxAge != nil {
+ if d, err := time.ParseDuration(string(*cors.MaxAge)); err == nil {
+ irCORS.MaxAge = ir.MetaV1DurationPtr(d)
+ }
+ }
+
+ return irCORS
 }
 func containsWildcard(s string) bool {
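Review bot: buildCORS now silently omits `MaxAge` when `time.ParseDuration` fails, so a malformed `maxAge` produces a CORS policy without the `Access-Control-Max-Age` value the operator asked for and no status message explaining why. The function returns only `*ir.CORS`, so either document the choice with `// unparsable maxAge is dropped; CRD pattern validation is expected to reject it first` or grow the signature and return an error as buildRetry does. The function's start is outside the hunk.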
@@ -1223,28 +1230,40 @@ func (t *Translator) buildOIDC(
 "HMAC secret not found in secret %s/%s", t.ControllerNamespace, oidcHMACSecretName)
 }
- return &ir.OIDC{
- Name: irConfigName(policy),
- Provider: *provider,
- ClientID: clientID,
- ClientSecret: clientSecretBytes,
- Scopes: scopes,
- Resources: oidc.Resources,
- RedirectURL: redirectURL,
- RedirectPath: redirectPath,
- LogoutPath: logoutPath,
- ForwardAccessToken: forwardAccessToken,
- DefaultTokenTTL: oidc.DefaultTokenTTL,
- RefreshToken: refreshToken,
- DefaultRefreshTokenTTL: oidc.DefaultRefreshTokenTTL,
- CookieSuffix: suffix,
- CookieNameOverrides: policy.Spec.OIDC.CookieNames,
- CookieDomain: policy.Spec.OIDC.CookieDomain,
- CookieConfig: policy.Spec.OIDC.CookieConfig,
- HMACSecret: hmacData,
- PassThroughAuthHeader: passThroughAuthHeader,
- DenyRedirect: oidc.DenyRedirect,
- }, nil
+ irOIDC := &ir.OIDC{
+ Name: irConfigName(policy),
+ Provider: *provider,
+ ClientID: clientID,
+ ClientSecret: clientSecretBytes,
+ Scopes: scopes,
+ Resources: oidc.Resources,
+ RedirectURL: redirectURL,
+ RedirectPath: redirectPath,
+ LogoutPath: logoutPath,
+ ForwardAccessToken: forwardAccessToken,
+ RefreshToken: refreshToken,
+ CookieSuffix: suffix,
+ CookieNameOverrides: policy.Spec.OIDC.CookieNames,
+ CookieDomain: policy.Spec.OIDC.CookieDomain,
+ CookieConfig: policy.Spec.OIDC.CookieConfig,
+ HMACSecret: hmacData,
+ PassThroughAuthHeader: passThroughAuthHeader,
+ DenyRedirect: oidc.DenyRedirect,
+ }
+
+ if oidc.DefaultTokenTTL != nil {
+ if d, err := time.ParseDuration(string(*oidc.DefaultTokenTTL)); err == nil {
+ irOIDC.DefaultTokenTTL = ir.MetaV1DurationPtr(d)
+ }
+ }
+
+ if oidc.DefaultRefreshTokenTTL != nil {
+ if d, err := time.ParseDuration(string(*oidc.DefaultRefreshTokenTTL)); err == nil {
+ irOIDC.DefaultRefreshTokenTTL = ir.MetaV1DurationPtr(d)
+ }
+ }
+
+ return irOIDC, nil
 }
 func (t *Translator) buildOIDCProvider(policy *egv1a1.SecurityPolicy, resources *resource.Resources, envoyProxy *egv1a1.EnvoyProxy) (*ir.OIDCProvider, error) {
diff --git a/internal/gatewayapi/testdata/backend-tls-settings-invalid.in.yaml b/internal/gatewayapi/testdata/backend-tls-settings-invalid.in.yaml
new file mode 100644
index 0000000000..c9fdaa9eca
--- /dev/null
+++ b/internal/gatewayapi/testdata/backend-tls-settings-invalid.in.yaml
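Review bot: In buildOIDC, parse failures for `DefaultTokenTTL` and `DefaultRefreshTokenTTL` are swallowed by the `err == nil` guards, so an operator who sets a short session lifetime but mistypes it ends up with a nil TTL and whatever default the OIDC filter applies — a silently widened session window on an authentication control, with no status condition to flag it. The function already returns `(*ir.OIDC, error)` (see `return irOIDC, nil` and the HMAC-secret error path at the top of the hunk), so return the failure instead: `return nil, fmt.Errorf("invalid DefaultTokenTTL value %s: %w", *oidc.DefaultTokenTTL, err)`, and the same for the refresh TTL. buildOIDC's start is outside the hunk.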
@@ -0,0 +1,157 @@ +envoyProxyForGatewayClass: + apiVersion: gateway.envoyproxy.io/v1alpha1 + kind: EnvoyProxy + metadata: + namespace: envoy-gateway-system + name: test + spec: + backendTLS: + clientCertificateRef: + group: "" + kind: Secret + namespace: envoy-gateway-system + name: client-auth + ciphers: + - ECDHE-RSA-AES128-GCM-SHA256 + - ECDHE-ECDSA-AES256-GCM-SHA384 + ecdhCurves: + - ECDHE-RSA-AES128-GCM-SHA256 + - ECDHE-ECDSA-AES256-GCM-SHA384 + maxVersion: tls1.3 + minVersion: tls1.2 + SignatureAlgorithms: + - RSA-PSS-RSAE-SHA256 + - ECDSA-SECP256R1-SHA256 + alpnProtocols: + - HTTP/1.1 + - HTTP/2 + +gateways: + - apiVersion: gateway.networking.k8s.io/v1 + kind: Gateway + metadata: + namespace: envoy-gateway + name: gateway-1 + spec: + gatewayClassName: envoy-gateway-class + listeners: + - name: http + protocol: HTTP + port: 80 + allowedRoutes: + namespaces: + from: All +httpRoutes: + - apiVersion: gateway.networking.k8s.io/v1 + kind: HTTPRoute + metadata: + namespace: default + name: httproute-1 + spec: + parentRefs: + - namespace: envoy-gateway + name: gateway-1 + rules: + - matches: + - path: + value: "/" + backendRefs: + - group: gateway.envoyproxy.io + kind: Backend + name: backend-1 + - apiVersion: gateway.networking.k8s.io/v1 + kind: HTTPRoute + metadata: + namespace: default + name: httproute-2 + spec: + parentRefs: + - namespace: envoy-gateway + name: gateway-1 + rules: + - matches: + - path: + value: "/" + backendRefs: + - group: gateway.envoyproxy.io + kind: Backend + name: backend-2 + +configMaps: + - apiVersion: v1 + kind: ConfigMap + metadata: + name: ca-cmap + namespace: default + data: + ca.crt: | + -----BEGIN CERTIFICATE----- + MIIDJzCCAg+gAwIBAgIUAl6UKIuKmzte81cllz5PfdN2IlIwDQYJKoZIhvcNAQEL + BQAwIzEQMA4GA1UEAwwHbXljaWVudDEPMA0GA1UECgwGa3ViZWRiMB4XDTIzMTAw + MjA1NDE1N1oXDTI0MTAwMTA1NDE1N1owIzEQMA4GA1UEAwwHbXljaWVudDEPMA0G + A1UECgwGa3ViZWRiMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAwSTc + 
1yj8HW62nynkFbXo4VXKv2jC0PM7dPVky87FweZcTKLoWQVPQE2p2kLDK6OEszmM + yyr+xxWtyiveremrWqnKkNTYhLfYPhgQkczib7eUalmFjUbhWdLvHakbEgCodn3b + kz57mInX2VpiDOKg4kyHfiuXWpiBqrCx0KNLpxo3DEQcFcsQTeTHzh4752GV04RU + Ti/GEWyzIsl4Rg7tGtAwmcIPgUNUfY2Q390FGqdH4ahn+mw/6aFbW31W63d9YJVq + ioyOVcaMIpM5B/c7Qc8SuhCI1YGhUyg4cRHLEw5VtikioyE3X04kna3jQAj54YbR + bpEhc35apKLB21HOUQIDAQABo1MwUTAdBgNVHQ4EFgQUyvl0VI5vJVSuYFXu7B48 + 6PbMEAowHwYDVR0jBBgwFoAUyvl0VI5vJVSuYFXu7B486PbMEAowDwYDVR0TAQH/ + BAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEAMLxrgFVMuNRq2wAwcBt7SnNR5Cfz + 2MvXq5EUmuawIUi9kaYjwdViDREGSjk7JW17vl576HjDkdfRwi4E28SydRInZf6J + i8HZcZ7caH6DxR335fgHVzLi5NiTce/OjNBQzQ2MJXVDd8DBmG5fyatJiOJQ4bWE + A7FlP0RdP3CO3GWE0M5iXOB2m1qWkE2eyO4UHvwTqNQLdrdAXgDQlbam9e4BG3Gg + d/6thAkWDbt/QNT+EJHDCvhDRKh1RuGHyg+Y+/nebTWWrFWsktRrbOoHCZiCpXI1 + 3eXE6nt0YkgtDxG22KqnhpAg9gUSs2hlhoxyvkzyF0mu6NhPlwAgnq7+/Q== + -----END CERTIFICATE----- +backendTLSPolicies: + - apiVersion: gateway.networking.k8s.io/v1alpha3 + kind: BackendTLSPolicy + metadata: + name: policy-btls-for-backend-1 + namespace: default + spec: + targetRefs: + - group: gateway.envoyproxy.io + kind: Backend + name: backend-1 + validation: + caCertificateRefs: + - kind: ConfigMap + group: "" + name: ca-cmap + hostname: example.com + subjectAltNames: + - type: URI + uri: spiffe://cluster.local/ns/istio-demo/sa/echo-v1 + - type: Hostname + hostname: subdomain.secondexample.com + +backends: + - apiVersion: gateway.envoyproxy.io/v1alpha1 + kind: Backend + metadata: + name: backend-1 + namespace: default + spec: + # the BackendTLSPolicy should override the one from Backend + # the generated ir tls settings should contain the tls settings from Backend, BackendTLSPolicy and EnvoyProxy + tls: + caCertificateRefs: + - name: ca-cmap + group: "" + kind: ConfigMap + endpoints: + - ip: + address: 1.1.1.1 + port: 3001 + - apiVersion: gateway.envoyproxy.io/v1alpha1 + kind: Backend + metadata: + name: backend-2 + namespace: default + spec: + endpoints: + - ip: + address: 2.2.2.2 
+ port: 3001 diff --git a/internal/gatewayapi/testdata/backend-tls-settings-invalid.out.yaml b/internal/gatewayapi/testdata/backend-tls-settings-invalid.out.yaml new file mode 100644 index 0000000000..7c6f33d270 --- /dev/null +++ b/internal/gatewayapi/testdata/backend-tls-settings-invalid.out.yaml 
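Review bot: The fixture is named `backend-tls-settings-invalid` but nothing in it records which setting is meant to be invalid: `ecdhCurves` lists cipher-suite names, `SignatureAlgorithms` is capitalised unlike the neighbouring keys, and `clientCertificateRef` points at a Secret the fixture does not contain. Judging by the sibling `.out.yaml` hunk, translation stops at the missing `envoy-gateway-system/client-auth` Secret, so the curve and signature-algorithm values are never exercised by this case. A header comment naming the intended failure, e.g. `# clientCertificateRef names a Secret that does not exist; httproute-1 must fail ResolvedRefs and fall back to a 500 direct response`, or one fixture per invalid field, would make that explicit. Separately, the DER validity dates inside the `ca.crt` block appear to encode a notAfter of 2024-10-01 — harmless for a translation-only test, but worth regenerating if any test later checks certificate validity.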
@@ -0,0 +1,325 @@ +backendTLSPolicies: +- apiVersion: gateway.networking.k8s.io/v1alpha3 + kind: BackendTLSPolicy + metadata: + creationTimestamp: null + name: policy-btls-for-backend-1 + namespace: default + spec: + targetRefs: + - group: gateway.envoyproxy.io + kind: Backend + name: backend-1 + validation: + caCertificateRefs: + - group: "" + kind: ConfigMap + name: ca-cmap + hostname: example.com + subjectAltNames: + - type: URI + uri: spiffe://cluster.local/ns/istio-demo/sa/echo-v1 + - hostname: subdomain.secondexample.com + type: Hostname + status: + ancestors: + - ancestorRef: + name: gateway-1 + namespace: envoy-gateway + conditions: + - lastTransitionTime: null + message: Policy has been accepted. + reason: Accepted + status: "True" + type: Accepted + controllerName: gateway.envoyproxy.io/gatewayclass-controller +backends: +- apiVersion: gateway.envoyproxy.io/v1alpha1 + kind: Backend + metadata: + creationTimestamp: null + name: backend-1 + namespace: default + spec: + endpoints: + - ip: + address: 1.1.1.1 + port: 3001 + tls: + caCertificateRefs: + - group: "" + kind: ConfigMap + name: ca-cmap + status: + conditions: + - lastTransitionTime: null + message: The Backend was accepted + reason: Accepted + status: "True" + type: Accepted +- apiVersion: gateway.envoyproxy.io/v1alpha1 + kind: Backend + metadata: + creationTimestamp: null + name: backend-2 + namespace: default + spec: + endpoints: + - ip: + address: 2.2.2.2 + port: 3001 + status: + conditions: + - lastTransitionTime: null + message: The Backend was accepted + reason: Accepted + status: "True" + type: Accepted +gateways: +- apiVersion: gateway.networking.k8s.io/v1 + kind: Gateway + metadata: + creationTimestamp: null + name: gateway-1 + namespace: envoy-gateway + spec: + gatewayClassName: envoy-gateway-class + listeners: + - allowedRoutes: + namespaces: + from: All + name: http + port: 80 + protocol: HTTP + status: + listeners: + - attachedRoutes: 2 + conditions: + - lastTransitionTime: null + 
message: Sending translated listener configuration to the data plane + reason: Programmed + status: "True" + type: Programmed + - lastTransitionTime: null + message: Listener has been successfully translated + reason: Accepted + status: "True" + type: Accepted + - lastTransitionTime: null + message: Listener references have been resolved + reason: ResolvedRefs + status: "True" + type: ResolvedRefs + name: http + supportedKinds: + - group: gateway.networking.k8s.io + kind: HTTPRoute + - group: gateway.networking.k8s.io + kind: GRPCRoute +httpRoutes: +- apiVersion: gateway.networking.k8s.io/v1 + kind: HTTPRoute + metadata: + creationTimestamp: null + name: httproute-1 + namespace: default + spec: + parentRefs: + - name: gateway-1 + namespace: envoy-gateway + rules: + - backendRefs: + - group: gateway.envoyproxy.io + kind: Backend + name: backend-1 + matches: + - path: + value: / + status: + parents: + - conditions: + - lastTransitionTime: null + message: Route is accepted + reason: Accepted + status: "True" + type: Accepted + - lastTransitionTime: null + message: 'Failed to process route rule 0 backendRef 0: failed to locate TLS + secret for client auth: envoy-gateway-system/client-auth specified in EnvoyProxy + envoy-gateway-system/test.' 
+ reason: InvalidBackendTLS + status: "False" + type: ResolvedRefs + controllerName: gateway.envoyproxy.io/gatewayclass-controller + parentRef: + name: gateway-1 + namespace: envoy-gateway +- apiVersion: gateway.networking.k8s.io/v1 + kind: HTTPRoute + metadata: + creationTimestamp: null + name: httproute-2 + namespace: default + spec: + parentRefs: + - name: gateway-1 + namespace: envoy-gateway + rules: + - backendRefs: + - group: gateway.envoyproxy.io + kind: Backend + name: backend-2 + matches: + - path: + value: / + status: + parents: + - conditions: + - lastTransitionTime: null + message: Route is accepted + reason: Accepted + status: "True" + type: Accepted + - lastTransitionTime: null + message: Resolved all the Object references for the Route + reason: ResolvedRefs + status: "True" + type: ResolvedRefs + controllerName: gateway.envoyproxy.io/gatewayclass-controller + parentRef: + name: gateway-1 + namespace: envoy-gateway +infraIR: + envoy-gateway/gateway-1: + proxy: + config: + apiVersion: gateway.envoyproxy.io/v1alpha1 + kind: EnvoyProxy + metadata: + creationTimestamp: null + name: test + namespace: envoy-gateway-system + spec: + backendTLS: + alpnProtocols: + - HTTP/1.1 + - HTTP/2 + ciphers: + - ECDHE-RSA-AES128-GCM-SHA256 + - ECDHE-ECDSA-AES256-GCM-SHA384 + clientCertificateRef: + group: "" + kind: Secret + name: client-auth + namespace: envoy-gateway-system + ecdhCurves: + - ECDHE-RSA-AES128-GCM-SHA256 + - ECDHE-ECDSA-AES256-GCM-SHA384 + maxVersion: tls1.3 + minVersion: tls1.2 + signatureAlgorithms: + - RSA-PSS-RSAE-SHA256 + - ECDSA-SECP256R1-SHA256 + logging: {} + status: {} + listeners: + - address: null + name: envoy-gateway/gateway-1/http + ports: + - containerPort: 10080 + name: http-80 + protocol: HTTP + servicePort: 80 + metadata: + labels: + gateway.envoyproxy.io/owning-gateway-name: gateway-1 + gateway.envoyproxy.io/owning-gateway-namespace: envoy-gateway + ownerReference: + kind: GatewayClass + name: envoy-gateway-class + name: 
envoy-gateway/gateway-1 + namespace: envoy-gateway-system +xdsIR: + envoy-gateway/gateway-1: + accessLog: + json: + - path: /dev/stdout + globalResources: + proxyServiceCluster: + name: envoy-gateway/gateway-1 + settings: + - addressType: IP + endpoints: + - host: 7.6.5.4 + port: 8080 + zone: zone1 + metadata: + name: envoy-envoy-gateway-gateway-1-196ae069 + namespace: envoy-gateway-system + sectionName: "8080" + name: envoy-gateway/gateway-1 + protocol: TCP + http: + - address: 0.0.0.0 + externalPort: 80 + hostnames: + - '*' + isHTTP2: false + metadata: + kind: Gateway + name: gateway-1 + namespace: envoy-gateway + sectionName: http + name: envoy-gateway/gateway-1/http + path: + escapedSlashesAction: UnescapeAndRedirect + mergeSlashes: true + port: 10080 + routes: + - directResponse: + statusCode: 500 + hostname: '*' + isHTTP2: false + metadata: + kind: HTTPRoute + name: httproute-1 + namespace: default + name: httproute/default/httproute-1/rule/0/match/0/* + pathMatch: + distinct: false + name: "" + prefix: / + - destination: + metadata: + kind: HTTPRoute + name: httproute-2 + namespace: default + name: httproute/default/httproute-2/rule/0 + settings: + - addressType: IP + endpoints: + - host: 2.2.2.2 + port: 3001 + metadata: + kind: Backend + name: backend-2 + namespace: default + name: httproute/default/httproute-2/rule/0/backend/0 + protocol: HTTP + weight: 1 + hostname: '*' + isHTTP2: false + metadata: + kind: HTTPRoute + name: httproute-2 + namespace: default + name: httproute/default/httproute-2/rule/0/match/0/* + pathMatch: + distinct: false + name: "" + prefix: / + readyListener: + address: 0.0.0.0 + ipFamily: IPv4 + path: /ready + port: 19003 diff --git a/internal/gatewayapi/testdata/backendtrafficpolicy-with-healthcheck.out.yaml b/internal/gatewayapi/testdata/backendtrafficpolicy-with-healthcheck.out.yaml index 20cf9e2af0..5f679cf771 100644 --- a/internal/gatewayapi/testdata/backendtrafficpolicy-with-healthcheck.out.yaml 
+++ b/internal/gatewayapi/testdata/backendtrafficpolicy-with-healthcheck.out.yaml @@ -92,7 +92,7 @@ backendTrafficPolicies: type: HTTP unhealthyThreshold: 3 passive: - baseEjectionTime: 2m30s + baseEjectionTime: 150s consecutive5XxErrors: 5 consecutiveGatewayErrors: 0 consecutiveLocalOriginFailures: 5 @@ -188,7 +188,7 @@ backendTrafficPolicies: type: TCP unhealthyThreshold: 3 passive: - baseEjectionTime: 2m40s + baseEjectionTime: 160s consecutive5XxErrors: 5 consecutiveGatewayErrors: 0 consecutiveLocalOriginFailures: 5 @@ -312,7 +312,7 @@ backendTrafficPolicies: type: HTTP unhealthyThreshold: 3 passive: - baseEjectionTime: 2m40s + baseEjectionTime: 160s consecutive5XxErrors: 5 consecutiveGatewayErrors: 0 consecutiveLocalOriginFailures: 5 diff --git a/internal/gatewayapi/testdata/backendtrafficpolicy-with-loadbalancer.in.yaml b/internal/gatewayapi/testdata/backendtrafficpolicy-with-loadbalancer.in.yaml index 9da4a34e66..6527fe4589 100644 --- a/internal/gatewayapi/testdata/backendtrafficpolicy-with-loadbalancer.in.yaml +++ b/internal/gatewayapi/testdata/backendtrafficpolicy-with-loadbalancer.in.yaml @@ -142,6 +142,11 @@ backendTrafficPolicies: type: RoundRobin slowStart: window: 300s + zoneAware: + preferLocal: + force: + minEndpointsInZoneThreshold: 1 + minEndpointsThreshold: 1 - apiVersion: gateway.envoyproxy.io/v1alpha1 kind: BackendTrafficPolicy metadata: diff --git a/internal/gatewayapi/testdata/backendtrafficpolicy-with-loadbalancer.out.yaml b/internal/gatewayapi/testdata/backendtrafficpolicy-with-loadbalancer.out.yaml index 787e1b9a97..ae77eb5215 100644 --- a/internal/gatewayapi/testdata/backendtrafficpolicy-with-loadbalancer.out.yaml +++ b/internal/gatewayapi/testdata/backendtrafficpolicy-with-loadbalancer.out.yaml @@ -39,7 +39,7 @@ backendTrafficPolicies: spec: loadBalancer: slowStart: - window: 5m0s + window: 300s type: LeastRequest targetRef: group: gateway.networking.k8s.io 
@@ -128,8 +128,13 @@ backendTrafficPolicies: spec: loadBalancer: slowStart: - window: 5m0s + window: 300s type: RoundRobin + zoneAware: + preferLocal: + force: + minEndpointsInZoneThreshold: 1 + minEndpointsThreshold: 1 targetRef: group: gateway.networking.k8s.io kind: Gateway diff --git a/internal/gatewayapi/testdata/backendtrafficpolicy-with-tcp-udp-listeners-apply-on-gateway.out.yaml b/internal/gatewayapi/testdata/backendtrafficpolicy-with-tcp-udp-listeners-apply-on-gateway.out.yaml index a02130e69a..bb297aa721 100644 --- a/internal/gatewayapi/testdata/backendtrafficpolicy-with-tcp-udp-listeners-apply-on-gateway.out.yaml +++ b/internal/gatewayapi/testdata/backendtrafficpolicy-with-tcp-udp-listeners-apply-on-gateway.out.yaml @@ -29,7 +29,7 @@ backendTrafficPolicies: type: HTTP unhealthyThreshold: 3 passive: - baseEjectionTime: 2m40s + baseEjectionTime: 160s consecutive5XxErrors: 5 consecutiveGatewayErrors: 0 consecutiveLocalOriginFailures: 5 diff --git a/internal/gatewayapi/testdata/backendtrafficpolicy-with-tcp-udp-listeners-apply-on-route.out.yaml b/internal/gatewayapi/testdata/backendtrafficpolicy-with-tcp-udp-listeners-apply-on-route.out.yaml index 68bc27202b..0d6f3dda25 100644 --- a/internal/gatewayapi/testdata/backendtrafficpolicy-with-tcp-udp-listeners-apply-on-route.out.yaml +++ b/internal/gatewayapi/testdata/backendtrafficpolicy-with-tcp-udp-listeners-apply-on-route.out.yaml @@ -29,7 +29,7 @@ backendTrafficPolicies: type: HTTP unhealthyThreshold: 3 passive: - baseEjectionTime: 2m40s + baseEjectionTime: 160s consecutive5XxErrors: 5 consecutiveGatewayErrors: 0 consecutiveLocalOriginFailures: 5 @@ -101,7 +101,7 @@ backendTrafficPolicies: type: HTTP unhealthyThreshold: 3 passive: - baseEjectionTime: 2m40s + baseEjectionTime: 160s consecutive5XxErrors: 5 consecutiveGatewayErrors: 0 consecutiveLocalOriginFailures: 5 
diff --git a/internal/gatewayapi/testdata/conflicting-policies.out.yaml b/internal/gatewayapi/testdata/conflicting-policies.out.yaml index 0ef3c928db..9db433b2fb 100644 --- a/internal/gatewayapi/testdata/conflicting-policies.out.yaml +++ b/internal/gatewayapi/testdata/conflicting-policies.out.yaml @@ -244,7 +244,7 @@ securityPolicies: - OPTIONS allowOrigins: - http://*.foo.com - maxAge: 10m0s + maxAge: 600s targetRef: group: gateway.networking.k8s.io kind: Gateway diff --git a/internal/gatewayapi/testdata/extensions/httproute-with-custom-backend-invalid-apiversion.out.yaml b/internal/gatewayapi/testdata/extensions/httproute-with-custom-backend-invalid-apiversion.out.yaml index bf91cc836b..1083567720 100644 --- a/internal/gatewayapi/testdata/extensions/httproute-with-custom-backend-invalid-apiversion.out.yaml +++ b/internal/gatewayapi/testdata/extensions/httproute-with-custom-backend-invalid-apiversion.out.yaml @@ -80,9 +80,11 @@ httpRoutes: status: "True" type: Accepted - lastTransitionTime: null - message: Resolved all the Object references for the Route - reason: ResolvedRefs - status: "True" + message: |- + Failed to process route rule 0 backendRef 0: custom backend S3Backend default/s3-backend not found. + Failed to process route rule 1 backendRef 0: custom backend LambdaBackend default/lambda-backend not found. + reason: BackendNotFound + status: "False" type: ResolvedRefs controllerName: gateway.envoyproxy.io/gatewayclass-controller parentRef: @@ -145,16 +147,8 @@ xdsIR: mergeSlashes: true port: 10080 routes: - - destination: - metadata: - kind: HTTPRoute - name: httproute-1 - namespace: default - name: httproute/default/httproute-1/rule/1 - settings: - - isCustomBackend: true - name: httproute/default/httproute-1/rule/1/backend/0 - weight: 1 + - directResponse: + statusCode: 500 hostname: gateway.envoyproxy.io isHTTP2: false metadata: 
@@ -166,16 +160,8 @@ xdsIR: distinct: false name: "" prefix: /lambda - - destination: - metadata: - kind: HTTPRoute - name: httproute-1 - namespace: default - name: httproute/default/httproute-1/rule/0 - settings: - - isCustomBackend: true - name: httproute/default/httproute-1/rule/0/backend/0 - weight: 1 + - directResponse: + statusCode: 500 hostname: gateway.envoyproxy.io isHTTP2: false metadata: diff --git a/internal/gatewayapi/testdata/extensions/httproute-with-custom-backend-not-found.in.yaml b/internal/gatewayapi/testdata/extensions/httproute-with-custom-backend-not-found.in.yaml new file mode 100644 index 0000000000..bd1054f0e7 --- /dev/null +++ b/internal/gatewayapi/testdata/extensions/httproute-with-custom-backend-not-found.in.yaml @@ -0,0 +1,46 @@ +gateways: +- apiVersion: gateway.networking.k8s.io/v1 + kind: Gateway + metadata: + namespace: envoy-gateway + name: gateway-1 + spec: + gatewayClassName: envoy-gateway-class + listeners: + - name: http + protocol: HTTP + port: 80 + hostname: "*.envoyproxy.io" + allowedRoutes: + namespaces: + from: All +httpRoutes: +- apiVersion: gateway.networking.k8s.io/v1 + kind: HTTPRoute + metadata: + namespace: default + name: httproute-1 + spec: + hostnames: + - gateway.envoyproxy.io + parentRefs: + - namespace: envoy-gateway + name: gateway-1 + sectionName: http + rules: + - matches: + - path: + value: "/s3" + backendRefs: + - group: storage.example.io + kind: S3Backend + name: s3-backend + port: 443 + - matches: + - path: + value: "/lambda" + backendRefs: + - group: compute.example.io + kind: LambdaBackend + name: lambda-backend + port: 443 diff --git a/internal/gatewayapi/testdata/extensions/httproute-with-custom-backend-not-found.out.yaml b/internal/gatewayapi/testdata/extensions/httproute-with-custom-backend-not-found.out.yaml new file mode 100644 index 0000000000..1083567720 --- /dev/null +++ b/internal/gatewayapi/testdata/extensions/httproute-with-custom-backend-not-found.out.yaml 
@@ -0,0 +1,180 @@ +gateways: +- apiVersion: gateway.networking.k8s.io/v1 + kind: Gateway + metadata: + creationTimestamp: null + name: gateway-1 + namespace: envoy-gateway + spec: + gatewayClassName: envoy-gateway-class + listeners: + - allowedRoutes: + namespaces: + from: All + hostname: '*.envoyproxy.io' + name: http + port: 80 + protocol: HTTP + status: + listeners: + - attachedRoutes: 1 + conditions: + - lastTransitionTime: null + message: Sending translated listener configuration to the data plane + reason: Programmed + status: "True" + type: Programmed + - lastTransitionTime: null + message: Listener has been successfully translated + reason: Accepted + status: "True" + type: Accepted + - lastTransitionTime: null + message: Listener references have been resolved + reason: ResolvedRefs + status: "True" + type: ResolvedRefs + name: http + supportedKinds: + - group: gateway.networking.k8s.io + kind: HTTPRoute + - group: gateway.networking.k8s.io + kind: GRPCRoute +httpRoutes: +- apiVersion: gateway.networking.k8s.io/v1 + kind: HTTPRoute + metadata: + creationTimestamp: null + name: httproute-1 + namespace: default + spec: + hostnames: + - gateway.envoyproxy.io + parentRefs: + - name: gateway-1 + namespace: envoy-gateway + sectionName: http + rules: + - backendRefs: + - group: storage.example.io + kind: S3Backend + name: s3-backend + port: 443 + matches: + - path: + value: /s3 + - backendRefs: + - group: compute.example.io + kind: LambdaBackend + name: lambda-backend + port: 443 + matches: + - path: + value: /lambda + status: + parents: + - conditions: + - lastTransitionTime: null + message: Route is accepted + reason: Accepted + status: "True" + type: Accepted + - lastTransitionTime: null + message: |- + Failed to process route rule 0 backendRef 0: custom backend S3Backend default/s3-backend not found. + Failed to process route rule 1 backendRef 0: custom backend LambdaBackend default/lambda-backend not found. 
+ reason: BackendNotFound + status: "False" + type: ResolvedRefs + controllerName: gateway.envoyproxy.io/gatewayclass-controller + parentRef: + name: gateway-1 + namespace: envoy-gateway + sectionName: http +infraIR: + envoy-gateway/gateway-1: + proxy: + listeners: + - address: null + name: envoy-gateway/gateway-1/http + ports: + - containerPort: 10080 + name: http-80 + protocol: HTTP + servicePort: 80 + metadata: + labels: + gateway.envoyproxy.io/owning-gateway-name: gateway-1 + gateway.envoyproxy.io/owning-gateway-namespace: envoy-gateway + ownerReference: + kind: GatewayClass + name: envoy-gateway-class + name: envoy-gateway/gateway-1 + namespace: "" +xdsIR: + envoy-gateway/gateway-1: + accessLog: + json: + - path: /dev/stdout + globalResources: + proxyServiceCluster: + name: envoy-gateway/gateway-1 + settings: + - addressType: IP + endpoints: + - host: 7.6.5.4 + port: 8080 + zone: zone1 + metadata: + name: envoy-envoy-gateway-gateway-1-196ae069 + sectionName: "8080" + name: envoy-gateway/gateway-1 + protocol: TCP + http: + - address: 0.0.0.0 + externalPort: 80 + hostnames: + - '*.envoyproxy.io' + isHTTP2: false + metadata: + kind: Gateway + name: gateway-1 + namespace: envoy-gateway + sectionName: http + name: envoy-gateway/gateway-1/http + path: + escapedSlashesAction: UnescapeAndRedirect + mergeSlashes: true + port: 10080 + routes: + - directResponse: + statusCode: 500 + hostname: gateway.envoyproxy.io + isHTTP2: false + metadata: + kind: HTTPRoute + name: httproute-1 + namespace: default + name: httproute/default/httproute-1/rule/1/match/0/gateway_envoyproxy_io + pathMatch: + distinct: false + name: "" + prefix: /lambda + - directResponse: + statusCode: 500 + hostname: gateway.envoyproxy.io + isHTTP2: false + metadata: + kind: HTTPRoute + name: httproute-1 + namespace: default + name: httproute/default/httproute-1/rule/0/match/0/gateway_envoyproxy_io + pathMatch: + distinct: false + name: "" + prefix: /s3 + readyListener: + address: 0.0.0.0 + ipFamily: IPv4 
+ path: /ready + port: 19003 diff --git a/internal/gatewayapi/testdata/merge-with-isolated-policies-2.out.yaml b/internal/gatewayapi/testdata/merge-with-isolated-policies-2.out.yaml index 572fb5b701..202571c4c7 100644 --- a/internal/gatewayapi/testdata/merge-with-isolated-policies-2.out.yaml +++ b/internal/gatewayapi/testdata/merge-with-isolated-policies-2.out.yaml @@ -441,7 +441,7 @@ securityPolicies: exposeHeaders: - x-header-7 - x-header-8 - maxAge: 33m20s + maxAge: 2000s targetRef: group: gateway.networking.k8s.io kind: HTTPRoute @@ -480,7 +480,7 @@ securityPolicies: exposeHeaders: - x-header-7 - x-header-8 - maxAge: 33m20s + maxAge: 2000s targetRef: group: gateway.networking.k8s.io kind: Gateway diff --git a/internal/gatewayapi/testdata/merge-with-isolated-policies.out.yaml b/internal/gatewayapi/testdata/merge-with-isolated-policies.out.yaml index 6625c69cd2..442b0e5ad1 100644 --- a/internal/gatewayapi/testdata/merge-with-isolated-policies.out.yaml +++ b/internal/gatewayapi/testdata/merge-with-isolated-policies.out.yaml @@ -272,7 +272,7 @@ securityPolicies: exposeHeaders: - x-header-7 - x-header-8 - maxAge: 33m20s + maxAge: 2000s targetRef: group: gateway.networking.k8s.io kind: Gateway diff --git a/internal/gatewayapi/testdata/securitypolicy-invalid-cross-ns-ref.out.yaml b/internal/gatewayapi/testdata/securitypolicy-invalid-cross-ns-ref.out.yaml index e07797a05a..3e0841057b 100644 --- a/internal/gatewayapi/testdata/securitypolicy-invalid-cross-ns-ref.out.yaml +++ b/internal/gatewayapi/testdata/securitypolicy-invalid-cross-ns-ref.out.yaml @@ -81,7 +81,7 @@ securityPolicies: exposeHeaders: - x-header-3 - x-header-4 - maxAge: 16m40s + maxAge: 1000s targetRef: group: gateway.networking.k8s.io kind: Gateway diff --git a/internal/gatewayapi/testdata/securitypolicy-override-replace.out.yaml b/internal/gatewayapi/testdata/securitypolicy-override-replace.out.yaml index a8d6184b01..d857ab1953 100644 
--- a/internal/gatewayapi/testdata/securitypolicy-override-replace.out.yaml +++ b/internal/gatewayapi/testdata/securitypolicy-override-replace.out.yaml @@ -375,7 +375,7 @@ securityPolicies: exposeHeaders: - x-header-7 - x-header-8 - maxAge: 33m20s + maxAge: 2000s targetRef: group: gateway.networking.k8s.io kind: HTTPRoute @@ -405,7 +405,7 @@ securityPolicies: cors: allowOrigins: - http://*.example.com - maxAge: 16m40s + maxAge: 1000s targetRef: group: gateway.networking.k8s.io kind: HTTPRoute @@ -516,7 +516,7 @@ securityPolicies: exposeHeaders: - x-header-3 - x-header-4 - maxAge: 16m40s + maxAge: 1000s jwt: providers: - audiences: diff --git a/internal/gatewayapi/testdata/securitypolicy-status-conditions.out.yaml b/internal/gatewayapi/testdata/securitypolicy-status-conditions.out.yaml index 3f11863d24..18deec7203 100644 --- a/internal/gatewayapi/testdata/securitypolicy-status-conditions.out.yaml +++ b/internal/gatewayapi/testdata/securitypolicy-status-conditions.out.yaml @@ -286,7 +286,7 @@ securityPolicies: cors: allowOrigins: - http://*.example.com - maxAge: 16m40s + maxAge: 1000s targetRef: group: gateway.networking.k8s.io kind: GRPCRoute @@ -315,7 +315,7 @@ securityPolicies: cors: allowOrigins: - http://*.example.com - maxAge: 16m40s + maxAge: 1000s targetRef: group: gateway.networking.k8s.io kind: HTTPRoute diff --git a/internal/gatewayapi/testdata/securitypolicy-with-cors-targetrefs.out.yaml b/internal/gatewayapi/testdata/securitypolicy-with-cors-targetrefs.out.yaml index 4c53e97e35..d78d560705 100644 --- a/internal/gatewayapi/testdata/securitypolicy-with-cors-targetrefs.out.yaml +++ b/internal/gatewayapi/testdata/securitypolicy-with-cors-targetrefs.out.yaml @@ -313,7 +313,7 @@ securityPolicies: exposeHeaders: - x-header-3 - x-header-4 - maxAge: 16m40s + maxAge: 1000s targetRefs: - group: gateway.networking.k8s.io kind: Gateway 
diff --git a/internal/gatewayapi/testdata/securitypolicy-with-cors.out.yaml b/internal/gatewayapi/testdata/securitypolicy-with-cors.out.yaml index 12847b3c3c..c5d5cd3c31 100644 --- a/internal/gatewayapi/testdata/securitypolicy-with-cors.out.yaml +++ b/internal/gatewayapi/testdata/securitypolicy-with-cors.out.yaml @@ -309,7 +309,7 @@ securityPolicies: exposeHeaders: - x-header-7 - x-header-8 - maxAge: 33m20s + maxAge: 2000s targetRef: group: gateway.networking.k8s.io kind: HTTPRoute @@ -348,7 +348,7 @@ securityPolicies: exposeHeaders: - x-header-7 - x-header-8 - maxAge: 33m20s + maxAge: 2000s targetRef: group: gateway.networking.k8s.io kind: HTTPRoute @@ -389,7 +389,7 @@ securityPolicies: exposeHeaders: - x-header-3 - x-header-4 - maxAge: 16m40s + maxAge: 1000s targetRef: group: gateway.networking.k8s.io kind: Gateway diff --git a/internal/gatewayapi/testdata/securitypolicy-with-oidc-backendcluster.out.yaml b/internal/gatewayapi/testdata/securitypolicy-with-oidc-backendcluster.out.yaml index 60064b6edb..7fb6248bda 100644 --- a/internal/gatewayapi/testdata/securitypolicy-with-oidc-backendcluster.out.yaml +++ b/internal/gatewayapi/testdata/securitypolicy-with-oidc-backendcluster.out.yaml @@ -164,8 +164,8 @@ securityPolicies: group: null kind: null name: client1-secret - defaultRefreshTokenTTL: 24h0m0s - defaultTokenTTL: 30m0s + defaultRefreshTokenTTL: 24h + defaultTokenTTL: 30m forwardAccessToken: true logoutPath: /bar/logout provider: diff --git a/internal/gatewayapi/testdata/securitypolicy-with-oidc-backendrefs.out.yaml b/internal/gatewayapi/testdata/securitypolicy-with-oidc-backendrefs.out.yaml index 7b875d44f8..883cf1da6c 100644 --- a/internal/gatewayapi/testdata/securitypolicy-with-oidc-backendrefs.out.yaml +++ b/internal/gatewayapi/testdata/securitypolicy-with-oidc-backendrefs.out.yaml 
@@ -150,8 +150,8 @@ securityPolicies: group: null kind: null name: client1-secret - defaultRefreshTokenTTL: 24h0m0s - defaultTokenTTL: 30m0s + defaultRefreshTokenTTL: 24h + defaultTokenTTL: 30m forwardAccessToken: true logoutPath: /bar/logout provider: diff --git a/internal/gatewayapi/testdata/securitypolicy-with-oidc-serviceimport.out.yaml b/internal/gatewayapi/testdata/securitypolicy-with-oidc-serviceimport.out.yaml index d1ff5a259a..6b7d8f33cf 100644 --- a/internal/gatewayapi/testdata/securitypolicy-with-oidc-serviceimport.out.yaml +++ b/internal/gatewayapi/testdata/securitypolicy-with-oidc-serviceimport.out.yaml @@ -146,8 +146,8 @@ securityPolicies: group: null kind: null name: client1-secret - defaultRefreshTokenTTL: 24h0m0s - defaultTokenTTL: 30m0s + defaultRefreshTokenTTL: 24h + defaultTokenTTL: 30m forwardAccessToken: true logoutPath: /bar/logout provider: diff --git a/internal/gatewayapi/testdata/securitypolicy-with-oidc.out.yaml b/internal/gatewayapi/testdata/securitypolicy-with-oidc.out.yaml index 9f3d3627a9..1c603f2981 100644 --- a/internal/gatewayapi/testdata/securitypolicy-with-oidc.out.yaml +++ b/internal/gatewayapi/testdata/securitypolicy-with-oidc.out.yaml @@ -155,8 +155,8 @@ securityPolicies: kind: null name: client2-secret cookieDomain: example.com - defaultRefreshTokenTTL: 48h0m0s - defaultTokenTTL: 1h0m0s + defaultRefreshTokenTTL: 48h + defaultTokenTTL: 1h forwardAccessToken: true logoutPath: /foo/logout provider: @@ -204,8 +204,8 @@ securityPolicies: group: null kind: null name: client1-secret - defaultRefreshTokenTTL: 24h0m0s - defaultTokenTTL: 30m0s + defaultRefreshTokenTTL: 24h + defaultTokenTTL: 30m forwardAccessToken: true logoutPath: /bar/logout provider: diff --git a/internal/infrastructure/common/proxy_args.go b/internal/infrastructure/common/proxy_args.go index 4d6a67892d..5d2fa5f22d 100644 --- a/internal/infrastructure/common/proxy_args.go +++ b/internal/infrastructure/common/proxy_args.go 
@@ -7,6 +7,7 @@ package common import ( "fmt" + "time" "k8s.io/utils/ptr" @@ -84,7 +85,11 @@ func BuildProxyArgs( // Default drain timeout. drainTimeout := 60.0 if shutdownConfig != nil && shutdownConfig.DrainTimeout != nil { - drainTimeout = shutdownConfig.DrainTimeout.Seconds() + d, err := time.ParseDuration(string(*shutdownConfig.DrainTimeout)) + if err != nil { + return nil, err + } + drainTimeout = d.Seconds() } args = append(args, fmt.Sprintf("--drain-time-s %.0f", drainTimeout)) diff --git a/internal/infrastructure/kubernetes/proxy/resource.go b/internal/infrastructure/kubernetes/proxy/resource.go index a332387742..ace4dcba0a 100644 --- a/internal/infrastructure/kubernetes/proxy/resource.go +++ b/internal/infrastructure/kubernetes/proxy/resource.go @@ -8,6 +8,7 @@ package proxy import ( "fmt" "path/filepath" + "time" "github.com/containers/image/v5/docker/reference" corev1 "k8s.io/api/core/v1" @@ -257,7 +258,11 @@ func expectedShutdownManagerImage(shutdownManager *egv1a1.ShutdownManager) strin func expectedShutdownManagerArgs(cfg *egv1a1.ShutdownConfig) []string { args := []string{"envoy", "shutdown-manager"} if cfg != nil && cfg.DrainTimeout != nil { - args = append(args, fmt.Sprintf("--ready-timeout=%.0fs", cfg.DrainTimeout.Seconds()+10)) + d, err := time.ParseDuration(string(*cfg.DrainTimeout)) + if err != nil { + return nil + } + args = append(args, fmt.Sprintf("--ready-timeout=%.0fs", d.Seconds()+10)) } return args } 
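Review bot: The duration parsed from `shutdownConfig.DrainTimeout` is formatted into `--drain-time-s %.0f` with no range check, and `time.ParseDuration` accepts strings the gwapiv1.Duration format does not, such as `-30s` or `500ms`, so Envoy could be launched with a negative or zero drain time. The CRD pattern presumably rejects such strings when the config arrives via the API server, but this helper lives in the common package and may be fed from other providers, so a guard after the parse is cheap: `if d < 0 { return nil, fmt.Errorf("invalid drainTimeout %q: must not be negative", *shutdownConfig.DrainTimeout) }`. BuildProxyArgs begins before this hunk.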
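Review bot: `expectedShutdownManagerArgs` returns `nil` when the drain timeout fails to parse, which discards the base `envoy shutdown-manager` arguments as well, so the sidecar would be rendered with no command-line arguments and nothing reports why. A malformed duration should not silently change what the container runs; returning the already-built `args` (dropping only the `--ready-timeout` flag so the manager's own default applies) or propagating the error is safer, e.g. `if err != nil { return args }`. Note that BuildProxyArgs in the same change returns the parse error to its caller, so the two paths currently disagree on how a bad duration is handled.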
@@ -270,11 +275,19 @@ func expectedShutdownPreStopCommand(cfg *egv1a1.ShutdownConfig) []string { } if cfg.DrainTimeout != nil { - command = append(command, fmt.Sprintf("--drain-timeout=%.0fs", cfg.DrainTimeout.Seconds())) + d, err := time.ParseDuration(string(*cfg.DrainTimeout)) + if err != nil { + return nil + } + command = append(command, fmt.Sprintf("--drain-timeout=%.0fs", d.Seconds())) } if cfg.MinDrainDuration != nil { - command = append(command, fmt.Sprintf("--min-drain-duration=%.0fs", cfg.MinDrainDuration.Seconds())) + d, err := time.ParseDuration(string(*cfg.MinDrainDuration)) + if err != nil { + return nil + } + command = append(command, fmt.Sprintf("--min-drain-duration=%.0fs", d.Seconds())) } return command diff --git a/internal/infrastructure/kubernetes/proxy/resource_provider.go b/internal/infrastructure/kubernetes/proxy/resource_provider.go index 61adadaff5..a7c1739778 100644 --- a/internal/infrastructure/kubernetes/proxy/resource_provider.go +++ b/internal/infrastructure/kubernetes/proxy/resource_provider.go @@ -9,6 +9,7 @@ import ( "context" "fmt" "strconv" + "time" "golang.org/x/exp/maps" appsv1 "k8s.io/api/apps/v1" @@ -631,7 +632,11 @@ func (r *ResourceRender) HorizontalPodAutoscaler() (*autoscalingv2.HorizontalPod func expectedTerminationGracePeriodSeconds(cfg *egv1a1.ShutdownConfig) *int64 { s := 360 // default if cfg != nil && cfg.DrainTimeout != nil { - s = int(cfg.DrainTimeout.Seconds() + 300) // 5 minutes longer than drain timeout + d, err := time.ParseDuration(string(*cfg.DrainTimeout)) + if err != nil { + return nil + } + s = int(d.Seconds() + 300) // 5 minutes longer than drain timeout } return ptr.To(int64(s)) } diff --git a/internal/infrastructure/kubernetes/proxy/resource_provider_test.go b/internal/infrastructure/kubernetes/proxy/resource_provider_test.go index def8a1893c..8e78d1a603 100644 --- a/internal/infrastructure/kubernetes/proxy/resource_provider_test.go 
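Review bot: On a parse failure `expectedShutdownPreStopCommand` returns `nil`, which throws away the whole preStop command, including whatever was appended to `command` before this hunk, so the proxy pod would be terminated with no graceful drain and no error surfaced. The `MinDrainDuration` branch has the same problem. Returning the partially built command (`if err != nil { return command }`) keeps the hook in place with the shutdown manager's defaults, or the error could be propagated as BuildProxyArgs does in this same change. The start of the function, where `command` is initialised, lies outside the hunk.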
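Review bot: Returning `nil` from `expectedTerminationGracePeriodSeconds` on a parse error leaves `terminationGracePeriodSeconds` unset on the pod spec, so Kubernetes applies its own default (typically 30s), which is shorter than the 360s this function otherwise guarantees and shorter than any configured drain timeout plus the 300s margin. A bad duration string would therefore make shutdown less graceful rather than failing loudly. Keeping the default is a one-line change, `if err == nil { s = int(d.Seconds() + 300) }` in place of the early return; since `gwapiv1.Duration` is pattern-validated by the CRD the branch should rarely be hit, which is all the more reason for it to degrade safely.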
+++ b/internal/infrastructure/kubernetes/proxy/resource_provider_test.go @@ -11,7 +11,6 @@ import ( "os" "sort" "testing" - "time" "github.com/stretchr/testify/assert" "github.com/stretchr/testify/require" @@ -25,6 +24,7 @@ import ( "k8s.io/apimachinery/pkg/types" "k8s.io/apimachinery/pkg/util/intstr" "k8s.io/utils/ptr" + gwapiv1 "sigs.k8s.io/gateway-api/apis/v1" "sigs.k8s.io/yaml" egv1a1 "github.com/envoyproxy/gateway/api/v1alpha1" @@ -293,12 +293,8 @@ func TestDeployment(t *testing.T) { }, }, shutdown: &egv1a1.ShutdownConfig{ - DrainTimeout: &metav1.Duration{ - Duration: 30 * time.Second, - }, - MinDrainDuration: &metav1.Duration{ - Duration: 15 * time.Second, - }, + DrainTimeout: ptr.To(gwapiv1.Duration("30s")), + MinDrainDuration: ptr.To(gwapiv1.Duration("15s")), }, shutdownManager: &egv1a1.ShutdownManager{ Image: ptr.To("privaterepo/envoyproxy/gateway-dev:v1.2.3"), @@ -865,12 +861,8 @@ func TestDaemonSet(t *testing.T) { }, }, shutdown: &egv1a1.ShutdownConfig{ - DrainTimeout: &metav1.Duration{ - Duration: 30 * time.Second, - }, - MinDrainDuration: &metav1.Duration{ - Duration: 15 * time.Second, - }, + DrainTimeout: ptr.To(gwapiv1.Duration("30s")), + MinDrainDuration: ptr.To(gwapiv1.Duration("15s")), }, }, { diff --git a/internal/ir/xds.go b/internal/ir/xds.go index 477d8896c4..4b6f242882 100644 --- a/internal/ir/xds.go +++ b/internal/ir/xds.go @@ -132,6 +132,11 @@ func (p *PrivateBytes) UnmarshalJSON(data []byte) error { return err } +// MetaV1DurationPtr converts a time.Duration to a *metav1.Duration +func MetaV1DurationPtr(d time.Duration) *metav1.Duration { + return &metav1.Duration{Duration: d} +} + // Xds holds the intermediate representation of a Gateway and is // used by the xDS Translator to convert it into xDS resources. // +k8s:deepcopy-gen=true diff --git a/internal/ir/xds_test.go b/internal/ir/xds_test.go index 6cebc99dc6..429e35ef22 100644 --- a/internal/ir/xds_test.go +++ b/internal/ir/xds_test.go 
@@ -15,7 +15,6 @@ import ( "github.com/stretchr/testify/assert" "github.com/stretchr/testify/require" apiextensionsv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1" - metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" "k8s.io/utils/ptr" gwapiv1 "sigs.k8s.io/gateway-api/apis/v1" @@ -1533,8 +1532,8 @@ func TestValidateHealthCheck(t *testing.T) { name: "invalid timeout", input: HealthCheck{ &ActiveHealthCheck{ - Timeout: &metav1.Duration{Duration: time.Duration(0)}, - Interval: &metav1.Duration{Duration: time.Second}, + Timeout: MetaV1DurationPtr(time.Duration(0)), + Interval: MetaV1DurationPtr(time.Second), UnhealthyThreshold: ptr.To[uint32](3), HealthyThreshold: ptr.To[uint32](3), HTTP: &HTTPHealthChecker{ @@ -1551,8 +1550,8 @@ func TestValidateHealthCheck(t *testing.T) { name: "invalid panic threshold", input: HealthCheck{ &ActiveHealthCheck{ - Timeout: &metav1.Duration{Duration: time.Duration(3)}, - Interval: &metav1.Duration{Duration: time.Second}, + Timeout: MetaV1DurationPtr(time.Duration(3)), + Interval: MetaV1DurationPtr(time.Second), UnhealthyThreshold: ptr.To[uint32](3), HealthyThreshold: ptr.To[uint32](3), HTTP: &HTTPHealthChecker{ @@ -1569,8 +1568,8 @@ func TestValidateHealthCheck(t *testing.T) { name: "invalid interval", input: HealthCheck{ &ActiveHealthCheck{ - Timeout: &metav1.Duration{Duration: time.Second}, - Interval: &metav1.Duration{Duration: time.Duration(0)}, + Timeout: MetaV1DurationPtr(time.Second), + Interval: MetaV1DurationPtr(time.Duration(0)), UnhealthyThreshold: ptr.To[uint32](3), HealthyThreshold: ptr.To[uint32](3), HTTP: &HTTPHealthChecker{ 
@@ -1589,8 +1588,8 @@ func TestValidateHealthCheck(t *testing.T) { name: "invalid initial jitter", input: HealthCheck{ &ActiveHealthCheck{ - Timeout: &metav1.Duration{Duration: time.Second}, - Interval: &metav1.Duration{Duration: time.Second}, + Timeout: MetaV1DurationPtr(time.Second), + Interval: MetaV1DurationPtr(time.Second), InitialJitter: ptr.To(gwapiv1.Duration("-1s")), UnhealthyThreshold: ptr.To[uint32](3), HealthyThreshold: ptr.To[uint32](3), @@ -1610,8 +1609,8 @@ func TestValidateHealthCheck(t *testing.T) { name: "invalid unhealthy threshold", input: HealthCheck{ &ActiveHealthCheck{ - Timeout: &metav1.Duration{Duration: time.Second}, - Interval: &metav1.Duration{Duration: time.Second}, + Timeout: MetaV1DurationPtr(time.Second), + Interval: MetaV1DurationPtr(time.Second), UnhealthyThreshold: ptr.To[uint32](0), HealthyThreshold: ptr.To[uint32](3), HTTP: &HTTPHealthChecker{ @@ -1630,8 +1629,8 @@ func TestValidateHealthCheck(t *testing.T) { name: "invalid healthy threshold", input: HealthCheck{ &ActiveHealthCheck{ - Timeout: &metav1.Duration{Duration: time.Second}, - Interval: &metav1.Duration{Duration: time.Second}, + Timeout: MetaV1DurationPtr(time.Second), + Interval: MetaV1DurationPtr(time.Second), UnhealthyThreshold: ptr.To[uint32](3), HealthyThreshold: ptr.To[uint32](0), HTTP: &HTTPHealthChecker{ @@ -1650,8 +1649,8 @@ func TestValidateHealthCheck(t *testing.T) { name: "http-health-check: invalid host", input: HealthCheck{ &ActiveHealthCheck{ - Timeout: &metav1.Duration{Duration: time.Second}, - Interval: &metav1.Duration{Duration: time.Second}, + Timeout: MetaV1DurationPtr(time.Second), + Interval: MetaV1DurationPtr(time.Second), UnhealthyThreshold: ptr.To[uint32](3), HealthyThreshold: ptr.To[uint32](3), HTTP: &HTTPHealthChecker{ 
@@ -1669,8 +1668,8 @@ func TestValidateHealthCheck(t *testing.T) { name: "http-health-check: invalid path", input: HealthCheck{ &ActiveHealthCheck{ - Timeout: &metav1.Duration{Duration: time.Second}, - Interval: &metav1.Duration{Duration: time.Second}, + Timeout: MetaV1DurationPtr(time.Second), + Interval: MetaV1DurationPtr(time.Second), UnhealthyThreshold: ptr.To[uint32](3), HealthyThreshold: ptr.To[uint32](3), HTTP: &HTTPHealthChecker{ @@ -1689,8 +1688,8 @@ func TestValidateHealthCheck(t *testing.T) { name: "http-health-check: invalid method", input: HealthCheck{ &ActiveHealthCheck{ - Timeout: &metav1.Duration{Duration: time.Second}, - Interval: &metav1.Duration{Duration: time.Second}, + Timeout: MetaV1DurationPtr(time.Second), + Interval: MetaV1DurationPtr(time.Second), UnhealthyThreshold: ptr.To(uint32(3)), HealthyThreshold: ptr.To(uint32(3)), HTTP: &HTTPHealthChecker{ @@ -1709,8 +1708,8 @@ func TestValidateHealthCheck(t *testing.T) { name: "http-health-check: invalid expected-statuses", input: HealthCheck{ &ActiveHealthCheck{ - Timeout: &metav1.Duration{Duration: time.Second}, - Interval: &metav1.Duration{Duration: time.Second}, + Timeout: MetaV1DurationPtr(time.Second), + Interval: MetaV1DurationPtr(time.Second), UnhealthyThreshold: ptr.To(uint32(3)), HealthyThreshold: ptr.To(uint32(3)), HTTP: &HTTPHealthChecker{ @@ -1729,8 +1728,8 @@ func TestValidateHealthCheck(t *testing.T) { name: "http-health-check: invalid range", input: HealthCheck{ &ActiveHealthCheck{ - Timeout: &metav1.Duration{Duration: time.Second}, - Interval: &metav1.Duration{Duration: time.Second}, + Timeout: MetaV1DurationPtr(time.Second), + Interval: MetaV1DurationPtr(time.Second), UnhealthyThreshold: ptr.To(uint32(3)), HealthyThreshold: ptr.To(uint32(3)), HTTP: &HTTPHealthChecker{ 
@@ -1749,8 +1748,8 @@ func TestValidateHealthCheck(t *testing.T) { name: "http-health-check: invalid expected-responses", input: HealthCheck{ &ActiveHealthCheck{ - Timeout: &metav1.Duration{Duration: time.Second}, - Interval: &metav1.Duration{Duration: time.Second}, + Timeout: MetaV1DurationPtr(time.Second), + Interval: MetaV1DurationPtr(time.Second), UnhealthyThreshold: ptr.To(uint32(3)), HealthyThreshold: ptr.To(uint32(3)), HTTP: &HTTPHealthChecker{ @@ -1773,8 +1772,8 @@ func TestValidateHealthCheck(t *testing.T) { name: "tcp-health-check: invalid send payload", input: HealthCheck{ &ActiveHealthCheck{ - Timeout: &metav1.Duration{Duration: time.Second}, - Interval: &metav1.Duration{Duration: time.Second}, + Timeout: MetaV1DurationPtr(time.Second), + Interval: MetaV1DurationPtr(time.Second), UnhealthyThreshold: ptr.To(uint32(3)), HealthyThreshold: ptr.To(uint32(3)), TCP: &TCPHealthChecker{ @@ -1796,8 +1795,8 @@ func TestValidateHealthCheck(t *testing.T) { name: "tcp-health-check: invalid receive payload", input: HealthCheck{ &ActiveHealthCheck{ - Timeout: &metav1.Duration{Duration: time.Second}, - Interval: &metav1.Duration{Duration: time.Second}, + Timeout: MetaV1DurationPtr(time.Second), + Interval: MetaV1DurationPtr(time.Second), UnhealthyThreshold: ptr.To(uint32(3)), HealthyThreshold: ptr.To(uint32(3)), TCP: &TCPHealthChecker{ @@ -1820,8 +1819,8 @@ func TestValidateHealthCheck(t *testing.T) { input: HealthCheck{ &ActiveHealthCheck{}, &OutlierDetection{ - Interval: &metav1.Duration{Duration: time.Duration(0)}, - BaseEjectionTime: &metav1.Duration{Duration: time.Second}, + Interval: MetaV1DurationPtr(time.Duration(0)), + BaseEjectionTime: MetaV1DurationPtr(time.Second), }, ptr.To[uint32](10), }, 
@@ -1832,8 +1831,8 @@ func TestValidateHealthCheck(t *testing.T) { input: HealthCheck{ &ActiveHealthCheck{}, &OutlierDetection{ - Interval: &metav1.Duration{Duration: time.Second}, - BaseEjectionTime: &metav1.Duration{Duration: time.Duration(0)}, + Interval: MetaV1DurationPtr(time.Second), + BaseEjectionTime: MetaV1DurationPtr(time.Duration(0)), }, ptr.To[uint32](10), }, diff --git a/internal/message/types.go b/internal/message/types.go index 5ef6acf216..10c5b55726 100644 --- a/internal/message/types.go +++ b/internal/message/types.go @@ -15,7 +15,6 @@ import ( egv1a1 "github.com/envoyproxy/gateway/api/v1alpha1" "github.com/envoyproxy/gateway/internal/gatewayapi/resource" "github.com/envoyproxy/gateway/internal/ir" - xdstypes "github.com/envoyproxy/gateway/internal/xds/types" ) // ProviderResources message @@ -133,16 +132,9 @@ type InfraIR struct { watchable.Map[string, *ir.Infra] } -// Xds message -type Xds struct { - watchable.Map[string, *xdstypes.ResourceVersionTable] -} - type MessageName string const ( - // XDSMessageName is a message containing xds translated from xds-ir - XDSMessageName MessageName = "xds" // XDSIRMessageName is a message containing xds-ir translated from provider-resources XDSIRMessageName MessageName = "xds-ir" // InfraIRMessageName is a message containing infra-ir translated from provider-resources diff --git a/internal/message/watchutil.go b/internal/message/watchutil.go index 32a9f61d3a..645bd7eb0b 100644 --- a/internal/message/watchutil.go +++ b/internal/message/watchutil.go @@ -28,6 +28,10 @@ type Metadata struct { Message MessageName } +func PublishMetric(meta Metadata) { + watchablePublishTotal.WithSuccess(meta.LabelValues()...).Increment() +} + func (m Metadata) LabelValues() []metrics.LabelValue { labels := make([]metrics.LabelValue, 0, 2) if m.Runner != "" { 
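Review bot: `PublishMetric` is exported without a doc comment, and because it replaces `HandleStore` the pairing between storing into the watchable map and incrementing the counter is now left to each caller. A comment stating that contract would help: `// PublishMetric increments the watchable publish counter for meta's runner/message pair; call it immediately after storing into the corresponding watchable.Map, which HandleStore previously did in one step.`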
@@ -100,8 +104,3 @@ func HandleSubscription[K comparable, V any]( } } } - -func HandleStore[K comparable, V any](meta Metadata, key K, value V, publish *watchable.Map[K, V]) { - publish.Store(key, value) - watchablePublishTotal.WithSuccess(meta.LabelValues()...).Increment() -} diff --git a/internal/message/watchutil_test.go b/internal/message/watchutil_test.go index 109c023f43..6e6472d14f 100644 --- a/internal/message/watchutil_test.go +++ b/internal/message/watchutil_test.go @@ -91,39 +91,6 @@ func TestHandleSubscriptionAlreadyInitialized(t *testing.T) { assert.Equal(t, 1, deleteCalls) } -func TestHandleStore(t *testing.T) { - var m watchable.Map[string, any] - message.HandleStore(message.Metadata{Runner: "demo", Message: "demo"}, "foo", "bar", &m) - - endCtx, end := context.WithCancel(context.Background()) - go func() { - <-endCtx.Done() - message.HandleStore(message.Metadata{Runner: "demo", Message: "demo"}, "baz", "qux", &m) - m.Delete("qux") // no-op - message.HandleStore(message.Metadata{Runner: "demo", Message: "demo"}, "foo", "bar", &m) // no-op - m.Delete("baz") - time.Sleep(100 * time.Millisecond) - m.Close() - }() - - var storeCalls int - var deleteCalls int - message.HandleSubscription[string, any]( - message.Metadata{Runner: "demo", Message: "demo"}, - m.Subscribe(context.Background()), - func(update message.Update[string, any], errChans chan error) { - end() - if update.Delete { - deleteCalls++ - } else { - storeCalls++ - } - }, - ) - assert.Equal(t, 2, storeCalls) - assert.Equal(t, 1, deleteCalls) -} - func TestXdsIRUpdates(t *testing.T) { tests := []struct { desc string diff --git a/internal/metrics/register.go b/internal/metrics/register.go index 51c3f97610..cb1d761bed 100644 --- a/internal/metrics/register.go +++ b/internal/metrics/register.go 
@@ -112,9 +112,8 @@ func (r *Runner) newOptions() (registerOptions, error) { newOpts.pullOptions.disable = true } else { newOpts.pullOptions.disable = false - restclient.RegisterClientMetricsWithoutRequestTotal(metricsserver.Registry) - // Workqueue metrics are already registered in controller-runtime. Use another registry. reg := prometheus.NewRegistry() + restclient.RegisterClientMetricsWithoutRequestTotal(reg) workqueue.RegisterMetrics(reg) newOpts.pullOptions.registry = metricsserver.Registry newOpts.pullOptions.gatherer = prometheus.Gatherers{ diff --git a/internal/provider/kubernetes/controller.go b/internal/provider/kubernetes/controller.go index bf6c1295ae..c806496f0d 100644 --- a/internal/provider/kubernetes/controller.go +++ b/internal/provider/kubernetes/controller.go @@ -300,11 +300,11 @@ func (r *gatewayAPIReconciler) Reconcile(ctx context.Context, _ reconcile.Reques false, string(gwapiv1.GatewayClassReasonInvalidParameters), msg) - message.HandleStore(message.Metadata{ + r.resources.GatewayClassStatuses.Store(utils.NamespacedName(gc), &gc.Status) + message.PublishMetric(message.Metadata{ Runner: string(egv1a1.LogComponentProviderRunner), Message: message.GatewayClassStatusMessageName, - }, - utils.NamespacedName(gc), &gc.Status, &r.resources.GatewayClassStatuses) + }) failToProcessGCParamsRef = true } } @@ -322,11 +322,11 @@ func (r *gatewayAPIReconciler) Reconcile(ctx context.Context, _ reconcile.Reques false, string(gwapiv1.GatewayClassReasonAccepted), fmt.Sprintf("%s: %v", status.MsgGatewayClassInvalidParams, err)) - message.HandleStore(message.Metadata{ + r.resources.GatewayClassStatuses.Store(utils.NamespacedName(gc), &gc.Status) + message.PublishMetric(message.Metadata{ Runner: string(egv1a1.LogComponentProviderRunner), Message: message.GatewayClassStatusMessageName, - }, - utils.NamespacedName(gc), &gc.Status, &r.resources.GatewayClassStatuses) + }) failToProcessGCParamsRef = true } 
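Review bot: The comment `// Workqueue metrics are already registered in controller-runtime. Use another registry.` is dropped at the same time rest-client metrics are moved onto that separate registry, so the new block no longer says why neither registration goes to `metricsserver.Registry`. Presumably controller-runtime already registers the rest-client collectors there as well and a second registration would collide; a comment above `reg := prometheus.NewRegistry()` should state that, e.g. `// controller-runtime already registers workqueue and rest-client metrics on metricsserver.Registry; register them on a separate registry and gather both to avoid duplicate registration.` newOptions continues outside the hunk.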
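Review bot: The same three-line sequence — `r.resources.GatewayClassStatuses.Store(...)` followed by `message.PublishMetric(...)` with an identical Metadata literal — now appears twice in this hunk and once more in the @@ -512 hunk (for GatewayAPIResources), where the former single HandleStore call kept the store and the metric together. A small reconciler helper such as `func (r *gatewayAPIReconciler) publishGatewayClassStatus(gc *gwapiv1.GatewayClass)` that does the Store and the PublishMetric would keep the two calls from drifting apart at future call sites. Reconcile starts and ends outside these hunks.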
@@ -512,11 +512,11 @@ func (r *gatewayAPIReconciler) Reconcile(ctx context.Context, _ reconcile.Reques // The Store is triggered even when there are no Gateways associated to the // GatewayClass. This would happen in case the last Gateway is removed and the // Store will be required to trigger a cleanup of envoy infra resources. - message.HandleStore(message.Metadata{ + r.resources.GatewayAPIResources.Store(string(r.classController), &gwcResources) + message.PublishMetric(message.Metadata{ Runner: string(egv1a1.LogComponentProviderRunner), Message: message.ProviderResourcesMessageName, - }, - string(r.classController), &gwcResources, &r.resources.GatewayAPIResources) + }) r.log.Info("reconciled gateways successfully") return reconcile.Result{}, nil @@ -1363,7 +1363,6 @@ func (r *gatewayAPIReconciler) processGateways(ctx context.Context, managedGC *g } for _, gtw := range gatewayList.Items { - gtw := gtw //nolint:copyloopvar if r.namespaceLabel != nil { if ok, err := r.checkObjectNamespaceLabels(>w); err != nil { // If the error is transient, we return it to allow Reconcile to retry. @@ -1385,19 +1384,14 @@ func (r *gatewayAPIReconciler) processGateways(ctx context.Context, managedGC *g if terminatesTLS(&listener) { for _, certRef := range listener.TLS.CertificateRefs { if refsSecret(&certRef) { - if err := r.processSecretRef( - ctx, - resourceMap, - resourceTree, - resource.KindGateway, - gtw.Namespace, - gtw.Name, + if err := r.processSecretRef(ctx, + resourceMap, resourceTree, + resource.KindGateway, gtw.Namespace, gtw.Name, certRef); err != nil { if isTransientError(err) { return err } - r.log.Error(err, - "failed to process TLS SecretRef for gateway", + r.log.Error(err, "failed to process TLS SecretRef for gateway", "gateway", gtw, "secretRef", certRef) } } 
@@ -2291,18 +2285,14 @@ func (r *gatewayAPIReconciler) processGatewayParamsRef(ctx context.Context, gtw return err } + // Missing secret shouldn't stop the Gateway infrastructure from coming up if ep.Spec.BackendTLS != nil && ep.Spec.BackendTLS.ClientCertificateRef != nil { certRef := ep.Spec.BackendTLS.ClientCertificateRef if refsSecret(certRef) { - if err := r.processSecretRef( - ctx, - resourceMap, - resourceTree, - resource.KindGateway, - gtw.Namespace, - gtw.Name, - *certRef); err != nil { - return fmt.Errorf("failed to process TLS SecretRef for gateway %s/%s: %w", gtw.Namespace, gtw.Name, err) + if err := r.processSecretRef(ctx, + resourceMap, resourceTree, resource.KindGateway, + gtw.Namespace, gtw.Name, *certRef); err != nil { + r.log.Error(err, "failed to process ClientCertificateRef for EnvoyProxy", "namespace", gtw.Namespace, "name", gtw.Name) } } } diff --git a/internal/provider/kubernetes/predicates.go b/internal/provider/kubernetes/predicates.go index 5e2d22bd52..d3dc5e31ae 100644 --- a/internal/provider/kubernetes/predicates.go +++ b/internal/provider/kubernetes/predicates.go @@ -614,7 +614,7 @@ func (r *gatewayAPIReconciler) validateEndpointSliceForReconcile(obj client.Obje } } - if r.isProxyServiceCluster(&nsName) { + if r.isProxyServiceCluster(ep.GetLabels()) { return true } return false 
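Review bot: The new error path in processGatewayParamsRef logs and continues for every error from processSecretRef, but the equivalent listener-TLS path in the @@ -1385 hunk first checks `if isTransientError(err) { return err }` before logging; without that check a transient API error while resolving the ClientCertificateRef is swallowed here and the Gateway is brought up without the backend client certificate until some later reconcile. I would insert the same guard before the `r.log.Error(...)` call, i.e. `if isTransientError(err) { return err }`. It is also worth confirming in the translator that a missing client certificate leaves backend TLS in a safe state rather than silently downgrading to one-way TLS. processGatewayParamsRef starts and ends outside the hunk.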
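Review bot: The predicate now decides ownership from the labels carried on the EndpointSlice itself (`ep.GetLabels()`) instead of looking up the Service and reading its labels, and the rewritten `isProxyServiceCluster` in the @@ -940 hunk no longer verifies that a Service exists at all. For slices managed by the EndpointSlice controller the labels are presumably mirrored from the Service so this should be equivalent, but any EndpointSlice that merely carries the `gatewayapi.OwningGatewayClassLabel` label would now pass the predicate; a comment on the new call stating that assumption, e.g. `// EndpointSlice labels are expected to mirror the owning Service's labels`, would make the trust boundary explicit. validateEndpointSliceForReconcile starts outside the hunk.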
@@ -940,23 +940,13 @@ func (r *gatewayAPIReconciler) isRouteReferencingHTTPRouteFilter(nsName *types.N return len(httpRouteList.Items) != 0 } -func (r *gatewayAPIReconciler) isProxyServiceCluster(nn *types.NamespacedName) bool { - ctx := context.Background() - svc := &corev1.Service{} - if err := r.client.Get(ctx, *nn, svc); err != nil { - r.log.Error(err, "unable to find associated proxy ServiceCluster") - return false - } - - svcLabels := svc.GetLabels() - - // Check if service belongs to a Gateway - if gtw := r.findOwningGateway(ctx, svcLabels); gtw != nil { +// isProxyServiceCluster returns true if the provided labels reference an owning Gateway or GatewayClass +func (r *gatewayAPIReconciler) isProxyServiceCluster(labels map[string]string) bool { + if gtw := r.findOwningGateway(context.Background(), labels); gtw != nil { return true } - // Check if service belongs to a GatewayClass - gcName, ok := svcLabels[gatewayapi.OwningGatewayClassLabel] + gcName, ok := labels[gatewayapi.OwningGatewayClassLabel] if ok && r.mergeGateways.Has(gcName) { return true } diff --git a/internal/xds/server/runner/runner.go b/internal/xds/runner/runner.go similarity index 57% rename from internal/xds/server/runner/runner.go rename to internal/xds/runner/runner.go index df47b9951c..51d172b358 100644 --- a/internal/xds/server/runner/runner.go +++ b/internal/xds/runner/runner.go @@ -10,6 +10,7 @@ import ( "crypto/tls" "fmt" "net" + "reflect" "strconv" "time" 
@@ -25,15 +26,19 @@ import ( "google.golang.org/grpc" "google.golang.org/grpc/credentials" "google.golang.org/grpc/keepalive" + ktypes "k8s.io/apimachinery/pkg/types" egv1a1 "github.com/envoyproxy/gateway/api/v1alpha1" "github.com/envoyproxy/gateway/internal/crypto" "github.com/envoyproxy/gateway/internal/envoygateway/config" + extension "github.com/envoyproxy/gateway/internal/extension/types" + "github.com/envoyproxy/gateway/internal/infrastructure/kubernetes/ratelimit" + "github.com/envoyproxy/gateway/internal/ir" "github.com/envoyproxy/gateway/internal/message" "github.com/envoyproxy/gateway/internal/xds/bootstrap" "github.com/envoyproxy/gateway/internal/xds/cache" "github.com/envoyproxy/gateway/internal/xds/server/kubejwt" - xdstypes "github.com/envoyproxy/gateway/internal/xds/types" + "github.com/envoyproxy/gateway/internal/xds/translator" ) const ( @@ -63,9 +68,15 @@ const ( type Config struct { config.Server - Xds *message.Xds - grpc *grpc.Server - cache cache.SnapshotCacheWithCallbacks + grpc *grpc.Server + cache cache.SnapshotCacheWithCallbacks + XdsIR *message.XdsIR + ExtensionManager extension.Manager + ProviderResources *message.ProviderResources + // Test-configurable TLS paths + TLSCertPath string + TLSKeyPath string + TLSCaPath string } type Runner struct { @@ -77,7 +88,7 @@ func New(cfg *Config) *Runner { } func (r *Runner) Name() string { - return string(egv1a1.LogComponentXdsServerRunner) + return string(egv1a1.LogComponentXdsRunner) } // Close implements Runner interface. @@ -141,11 +152,10 @@ func (r *Runner) Start(ctx context.Context) (err error) { // Start and listen xDS gRPC Server. go r.serveXdsServer(ctx) - // Start message Subscription. // Do not call .Subscribe() inside Goroutine since it is supposed to be called from the same // Goroutine where Close() is called. - xdsSubCh := r.Xds.Subscribe(ctx) - go r.subscribeAndTranslate(xdsSubCh) + sub := r.XdsIR.Subscribe(ctx) + go r.subscribeAndTranslate(sub) r.Logger.Info("started") return } 
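Review bot: The three new exported `TLSCertPath`/`TLSKeyPath`/`TLSCaPath` fields on Config carry only `// Test-configurable TLS paths`, yet they are part of the production Config and, per the loadTLSConfig change later in this file, take precedence over the provider-derived certificate paths whenever all three are non-empty. The comment should say that, e.g. `// TLSCertPath, TLSKeyPath and TLSCaPath override the provider-specific xDS server certificate paths when all three are set. Intended for tests; leave empty in production.` If they are genuinely test-only, unexporting them and setting them from the test package would keep the override out of the public Config surface.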
@@ -186,51 +196,143 @@ func registerServer(srv serverv3.Server, g *grpc.Server) { runtimev3.RegisterRuntimeDiscoveryServiceServer(g, srv) } -func (r *Runner) subscribeAndTranslate(sub <-chan watchable.Snapshot[string, *xdstypes.ResourceVersionTable]) { - message.HandleSubscription(message.Metadata{Runner: r.Name(), Message: message.XDSMessageName}, sub, - func(update message.Update[string, *xdstypes.ResourceVersionTable], errChan chan error) { +func (r *Runner) subscribeAndTranslate(sub <-chan watchable.Snapshot[string, *ir.Xds]) { + // Subscribe to resources + message.HandleSubscription(message.Metadata{Runner: r.Name(), Message: message.XDSIRMessageName}, sub, + func(update message.Update[string, *ir.Xds], errChan chan error) { + r.Logger.Info("received an update") key := update.Key val := update.Value - r.Logger.Info("received an update") - var err error if update.Delete { - err = r.cache.GenerateNewSnapshot(key, nil) - } else if val != nil && val.XdsResources != nil { - if r.cache == nil { - r.Logger.Error(err, "failed to init snapshot cache") + if err := r.cache.GenerateNewSnapshot(key, nil); err != nil { + r.Logger.Error(err, "failed to delete the snapshot") errChan <- err - } else { - // Update snapshot cache - err = r.cache.GenerateNewSnapshot(key, val.XdsResources) } - } - if err != nil { - r.Logger.Error(err, "failed to generate a snapshot") - errChan <- err + } else { + // Translate to xds resources + t := &translator.Translator{ + ControllerNamespace: r.ControllerNamespace, + FilterOrder: val.FilterOrder, + RuntimeFlags: r.EnvoyGateway.RuntimeFlags, + Logger: r.Logger, + } + + // Set the extension manager if an extension is loaded + if r.ExtensionManager != nil { + t.ExtensionManager = &r.ExtensionManager + } + + // Set the rate limit service URL if global rate limiting is enabled. 
+ if r.EnvoyGateway.RateLimit != nil { + t.GlobalRateLimit = &translator.GlobalRateLimitSettings{ + ServiceURL: ratelimit.GetServiceURL(r.ControllerNamespace, r.DNSDomain), + FailClosed: r.EnvoyGateway.RateLimit.FailClosed, + } + if r.EnvoyGateway.RateLimit.Timeout != nil { + d, err := time.ParseDuration(string(*r.EnvoyGateway.RateLimit.Timeout)) + if err != nil { + r.Logger.Error(err, "invalid rateLimit timeout") + errChan <- err + } else { + t.GlobalRateLimit.Timeout = d + } + } + } + + result, err := t.Translate(val) + if err != nil { + r.Logger.Error(err, "failed to translate xds ir") + errChan <- err + } + + // xDS translation is done in a best-effort manner, so the result + // may contain partial resources even if there are errors. + if result == nil { + r.Logger.Info("no xds resources to publish") + return + } + + // Get all status keys from watchable and save them in the map statusesToDelete. + // Iterating through result.EnvoyPatchPolicyStatuses, any valid keys will be removed from statusesToDelete. + // Remaining keys will be deleted from watchable before we exit this function. 
+ statusesToDelete := make(map[ktypes.NamespacedName]bool) + for key := range r.ProviderResources.EnvoyPatchPolicyStatuses.LoadAll() { + statusesToDelete[key] = true + } + + // Publish EnvoyPatchPolicyStatus + for _, e := range result.EnvoyPatchPolicyStatuses { + key := ktypes.NamespacedName{ + Name: e.Name, + Namespace: e.Namespace, + } + // Skip updating status for policies with empty status + // They may have been skipped in this translation because + // their target is not found (not relevant) + if !(reflect.ValueOf(e.Status).IsZero()) { + r.ProviderResources.EnvoyPatchPolicyStatuses.Store(key, e.Status) + } + delete(statusesToDelete, key) + } + // Discard the EnvoyPatchPolicyStatuses to reduce memory footprint + result.EnvoyPatchPolicyStatuses = nil + + // Update snapshot cache + if err == nil { + if result.XdsResources != nil { + if r.cache == nil { + r.Logger.Error(err, "failed to init snapshot cache") + errChan <- err + } else { + // Update snapshot cache + if err := r.cache.GenerateNewSnapshot(key, result.XdsResources); err != nil { + r.Logger.Error(err, "failed to generate a snapshot") + errChan <- err + } + } + } else { + r.Logger.Error(err, "skipped publishing xds resources") + } + } + + // Delete all the deletable status keys + for key := range statusesToDelete { + r.ProviderResources.EnvoyPatchPolicyStatuses.Delete(key) + } } }, ) - r.Logger.Info("subscriber shutting down") } func (r *Runner) loadTLSConfig() (tlsConfig *tls.Config, err error) { - switch { - case r.EnvoyGateway.Provider.IsRunningOnKubernetes(): - tlsConfig, err = crypto.LoadTLSConfig(xdsTLSCertFilepath, xdsTLSKeyFilepath, xdsTLSCaFilepath) - if err != nil { - return nil, fmt.Errorf("failed to create tls config: %w", err) - } + var certPath, keyPath, caPath string - case r.EnvoyGateway.Provider.IsRunningOnHost(): - tlsConfig, err = crypto.LoadTLSConfig(localTLSCertFilepath, localTLSKeyFilepath, localTLSCaFilepath) - if err != nil { - return nil, fmt.Errorf("failed to create tls config: 
%w", err) + // Use test-configurable paths if provided + if r.TLSCertPath != "" && r.TLSKeyPath != "" && r.TLSCaPath != "" { + certPath = r.TLSCertPath + keyPath = r.TLSKeyPath + caPath = r.TLSCaPath + } else { + // Use default paths based on provider type + switch { + case r.EnvoyGateway.Provider.IsRunningOnKubernetes(): + certPath = xdsTLSCertFilepath + keyPath = xdsTLSKeyFilepath + caPath = xdsTLSCaFilepath + case r.EnvoyGateway.Provider.IsRunningOnHost(): + certPath = localTLSCertFilepath + keyPath = localTLSKeyFilepath + caPath = localTLSCaFilepath + default: + return nil, fmt.Errorf("no valid tls certificates") } + } - default: - return nil, fmt.Errorf("no valid tls certificates") + tlsConfig, err = crypto.LoadTLSConfig(certPath, keyPath, caPath) + if err != nil { + return nil, fmt.Errorf("failed to create tls config: %w", err) } return } diff --git a/internal/xds/runner/runner_test.go b/internal/xds/runner/runner_test.go new file mode 100644 index 0000000000..cbcc7fb823 --- /dev/null +++ b/internal/xds/runner/runner_test.go 
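Review bot: Inside the `if err == nil` block of the new subscribeAndTranslate callback, `err` is nil by construction, so the `r.cache == nil` branch logs a nil error under "failed to init snapshot cache" and sends nil on `errChan`, and the `else` branch logs a nil error as "skipped publishing xds resources". The nil-cache branch should construct a real error first, `err := fmt.Errorf("snapshot cache is not initialized")`, before the Error log and the send, and the no-resources branch should be an Info, `r.Logger.Info("skipped publishing xds resources: translation produced no xds resources")`. Separately, when `time.ParseDuration` of the rate-limit timeout fails the error is pushed to errChan but translation proceeds with a zero timeout; if that is intended, a comment saying so would help.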
@@ -0,0 +1,513 @@ +// Copyright Envoy Gateway Authors +// SPDX-License-Identifier: Apache-2.0 +// The full text of the Apache license is available in the LICENSE file at +// the root of the repo. + +package runner + +import ( + "context" + "crypto/tls" + "crypto/x509" + "errors" + "fmt" + "io" + "net" + "os" + "path/filepath" + "strconv" + "testing" + "time" + + listenerv3 "github.com/envoyproxy/go-control-plane/envoy/config/listener/v3" + "github.com/stretchr/testify/assert" + "github.com/stretchr/testify/require" + "github.com/tsaarni/certyaml" + "google.golang.org/grpc" + "google.golang.org/grpc/credentials" + "k8s.io/apimachinery/pkg/apis/meta/v1/unstructured" + + egv1a1 "github.com/envoyproxy/gateway/api/v1alpha1" + "github.com/envoyproxy/gateway/internal/crypto" + "github.com/envoyproxy/gateway/internal/envoygateway/config" + "github.com/envoyproxy/gateway/internal/extension/types" + "github.com/envoyproxy/gateway/internal/ir" + "github.com/envoyproxy/gateway/internal/message" + "github.com/envoyproxy/gateway/internal/xds/bootstrap" +) + +func TestTLSConfig(t *testing.T) { + // Create trusted CA, server and client certs. + trustedCACert := certyaml.Certificate{ + Subject: "cn=trusted-ca", + } + egCertBeforeRotation := certyaml.Certificate{ + Subject: "cn=eg-before-rotation", + SubjectAltNames: []string{"DNS:localhost"}, + Issuer: &trustedCACert, + } + egCertAfterRotation := certyaml.Certificate{ + Subject: "cn=eg-after-rotation", + SubjectAltNames: []string{"DNS:localhost"}, + Issuer: &trustedCACert, + } + trustedEnvoyCert := certyaml.Certificate{ + Subject: "cn=trusted-envoy", + Issuer: &trustedCACert, + } + + // Create another CA and a client cert to test that untrusted clients are denied. 
+ untrustedCACert := certyaml.Certificate{ + Subject: "cn=untrusted-ca", + } + untrustedClientCert := certyaml.Certificate{ + Subject: "cn=untrusted-client", + Issuer: &untrustedCACert, + } + + caCertPool := x509.NewCertPool() + ca, err := trustedCACert.X509Certificate() + require.NoError(t, err) + caCertPool.AddCert(&ca) + + tests := map[string]struct { + serverCredentials *certyaml.Certificate + clientCredentials *certyaml.Certificate + expectError bool + }{ + "successful TLS connection established": { + serverCredentials: &egCertBeforeRotation, + clientCredentials: &trustedEnvoyCert, + expectError: false, + }, + "rotating server credentials returns new server cert": { + serverCredentials: &egCertAfterRotation, + clientCredentials: &trustedEnvoyCert, + expectError: false, + }, + "rotating server credentials again to ensure rotation can be repeated": { + serverCredentials: &egCertBeforeRotation, + clientCredentials: &trustedEnvoyCert, + expectError: false, + }, + "fail to connect with client certificate which is not signed by correct CA": { + serverCredentials: &egCertBeforeRotation, + clientCredentials: &untrustedClientCert, + expectError: true, + }, + } + + // Create temporary directory to store certificates and key for the server. + configDir, err := os.MkdirTemp("", "eg-testdata-") + require.NoError(t, err) + defer os.RemoveAll(configDir) + + caFile := filepath.Join(configDir, "ca.crt") + certFile := filepath.Join(configDir, "tls.crt") + keyFile := filepath.Join(configDir, "tls.key") + + // Initial set of credentials must be written into temp directory before + // starting the tests to avoid error at server startup. + err = trustedCACert.WritePEM(caFile, keyFile) + require.NoError(t, err) + err = egCertBeforeRotation.WritePEM(certFile, keyFile) + require.NoError(t, err) + + // Start a dummy server. 
+ tlsCfg, err := crypto.LoadTLSConfig(certFile, keyFile, caFile) + require.NoError(t, err) + + g := grpc.NewServer(grpc.Creds(credentials.NewTLS(tlsCfg))) + if g == nil { + t.Error("failed to create server") + } + + address := "localhost:8001" + l, err := net.Listen("tcp", address) + require.NoError(t, err) + + go func() { + err := g.Serve(l) + require.NoError(t, err) + }() + defer g.GracefulStop() + + for name, tc := range tests { + t.Run(name, func(t *testing.T) { + // Store certificate and key to temp dir used by serveContext. + err = tc.serverCredentials.WritePEM(certFile, keyFile) + require.NoError(t, err) + clientCert, _ := tc.clientCredentials.TLSCertificate() + receivedCert, err := tryConnect(address, clientCert, caCertPool) + gotError := err != nil + if gotError != tc.expectError { + t.Errorf("Unexpected result when connecting to the server: %s", err) + } + if err == nil { + expectedCert, _ := tc.serverCredentials.X509Certificate() + assert.Equal(t, &expectedCert, receivedCert) + } + }) + } +} + +// tryConnect tries to establish TLS connection to the server. +// If successful, return the server certificate. +func tryConnect(address string, clientCert tls.Certificate, caCertPool *x509.CertPool) (*x509.Certificate, error) { + clientConfig := &tls.Config{ + ServerName: "localhost", + MinVersion: tls.VersionTLS13, + Certificates: []tls.Certificate{clientCert}, + NextProtos: []string{"h2"}, + RootCAs: caCertPool, + } + conn, err := tls.Dial("tcp", address, clientConfig) + if err != nil { + return nil, err + } + defer conn.Close() + + err = peekError(conn) + if err != nil { + return nil, err + } + + return conn.ConnectionState().PeerCertificates[0], nil +} + +// peekError is a workaround for TLS 1.3: due to shortened handshake, TLS alert +// from server is received at first read from the socket. To receive alert for +// bad certificate, this function tries to read one byte. 
+// Adapted from https://golang.org/src/crypto/tls/handshake_client_test.go +func peekError(conn net.Conn) error { + _ = conn.SetReadDeadline(time.Now().Add(100 * time.Millisecond)) + _, err := conn.Read(make([]byte, 1)) + if err != nil { + if errors.Is(err, io.EOF) { + return nil + } + + var netErr net.Error + if !errors.As(netErr, &netErr) || !netErr.Timeout() { + return err + } + } + return nil +} + +// setupTLSCerts creates temporary TLS certificates for testing +func setupTLSCerts(t *testing.T) (caFile, certFile, keyFile string, cleanup func()) { + configDir, err := os.MkdirTemp("", "eg-runner-test-") + require.NoError(t, err) + + caFile = filepath.Join(configDir, "ca.crt") + certFile = filepath.Join(configDir, "tls.crt") + keyFile = filepath.Join(configDir, "tls.key") + + // Create certificates + trustedCACert := certyaml.Certificate{ + Subject: "cn=test-ca", + } + serverCert := certyaml.Certificate{ + Subject: "cn=test-server", + SubjectAltNames: []string{"DNS:localhost"}, + Issuer: &trustedCACert, + } + + err = trustedCACert.WritePEM(caFile, keyFile) + require.NoError(t, err) + err = serverCert.WritePEM(certFile, keyFile) + require.NoError(t, err) + + return caFile, certFile, keyFile, func() { + os.RemoveAll(configDir) + } +} + +func TestServeXdsServerListenFailed(t *testing.T) { + // Occupy the address to make listening failed + addr := net.JoinHostPort(XdsServerAddress, strconv.Itoa(bootstrap.DefaultXdsServerPort)) + l, err := net.Listen("tcp", addr) + require.NoError(t, err) + defer l.Close() + + cfg, _ := config.New(os.Stdout) + r := New(&Config{ + Server: *cfg, + }) + r.Logger = r.Logger.WithName(r.Name()).WithValues("runner", r.Name()) + // Don't crash in this function + r.serveXdsServer(context.Background()) +} + +func TestRunner(t *testing.T) { + // Setup TLS certificates + caFile, certFile, keyFile, cleanup := setupTLSCerts(t) + defer cleanup() + + // Setup + xdsIR := new(message.XdsIR) + pResource := new(message.ProviderResources) + cfg, err := 
config.New(os.Stdout) + require.NoError(t, err) + r := New(&Config{ + Server: *cfg, + ProviderResources: pResource, + XdsIR: xdsIR, + TLSCertPath: certFile, + TLSKeyPath: keyFile, + TLSCaPath: caFile, + }) + + ctx, cancel := context.WithCancel(context.Background()) + defer cancel() + + // Start + err = r.Start(ctx) + require.NoError(t, err) + defer func() { + cancel() + time.Sleep(100 * time.Millisecond) // Allow graceful shutdown + }() + + // xDS is nil at start + require.Equal(t, map[string]*ir.Xds{}, xdsIR.LoadAll()) + + // test translation + path := "example" + res := ir.Xds{ + HTTP: []*ir.HTTPListener{ + { + CoreListenerDetails: ir.CoreListenerDetails{ + Name: "test", + Address: "0.0.0.0", + Port: 80, + }, + Hostnames: []string{"example.com"}, + Routes: []*ir.HTTPRoute{ + { + Name: "test-route", + PathMatch: &ir.StringMatch{ + Exact: &path, + }, + Destination: &ir.RouteDestination{ + Name: "test-dest", + Settings: []*ir.DestinationSetting{ + { + Endpoints: []*ir.DestinationEndpoint{ + { + Host: "10.11.12.13", + Port: 8080, + }, + }, + }, + }, + }, + }, + }, + }, + }, + } + xdsIR.Store("test", &res) + require.Eventually(t, func() bool { + // Check that the cache has the snapshot for our test key + return r.cache.SnapshotHasIrKey("test") + }, time.Second*5, time.Millisecond*50) + + // Delete the IR triggering an xds delete + xdsIR.Delete("test") + require.Eventually(t, func() bool { + // Wait for the IR to be empty after deletion + return len(xdsIR.LoadAll()) == 0 + }, time.Second*5, time.Millisecond*50) +} + +func TestRunner_withExtensionManager_FailOpen(t *testing.T) { + // Setup TLS certificates + caFile, certFile, keyFile, cleanup := setupTLSCerts(t) + defer cleanup() + + // Setup + xdsIR := new(message.XdsIR) + pResource := new(message.ProviderResources) + + cfg, err := config.New(os.Stdout) + require.NoError(t, err) + require.NotNil(t, cfg) + + extMgr := &extManagerMock{} + extMgr.ShouldFailOpen = true + + r := New(&Config{ + Server: *cfg, + 
ProviderResources: pResource, + XdsIR: xdsIR, + ExtensionManager: extMgr, + TLSCertPath: certFile, + TLSKeyPath: keyFile, + TLSCaPath: caFile, + }) + + ctx, cancel := context.WithCancel(context.Background()) + defer cancel() + + // Start + err = r.Start(ctx) + require.NoError(t, err) + defer func() { + cancel() + time.Sleep(100 * time.Millisecond) // Allow graceful shutdown + }() + + // xDS is nil at start + require.Equal(t, map[string]*ir.Xds{}, xdsIR.LoadAll()) + + // test translation + path := "example" + res := ir.Xds{ + HTTP: []*ir.HTTPListener{ + { + CoreListenerDetails: ir.CoreListenerDetails{ + Name: "test", + Address: "0.0.0.0", + Port: 80, + }, + Hostnames: []string{"example.com"}, + Routes: []*ir.HTTPRoute{ + { + Name: "test-route", + PathMatch: &ir.StringMatch{ + Exact: &path, + }, + Destination: &ir.RouteDestination{ + Name: "test-dest", + Settings: []*ir.DestinationSetting{ + { + Endpoints: []*ir.DestinationEndpoint{ + { + Host: "10.11.12.13", + Port: 8080, + }, + }, + }, + }, + }, + }, + }, + }, + }, + } + xdsIR.Store("test", &res) + require.Eventually(t, func() bool { + // Since the extension manager is configured to fail open, in an event of an error + // from the extension manager hooks, xds update should be published. 
+ return r.cache.SnapshotHasIrKey("test") + }, time.Second*5, time.Millisecond*50) +} + +func TestRunner_withExtensionManager_FailClosed(t *testing.T) { + // Setup TLS certificates + caFile, certFile, keyFile, cleanup := setupTLSCerts(t) + defer cleanup() + + // Setup + xdsIR := new(message.XdsIR) + pResource := new(message.ProviderResources) + + cfg, err := config.New(os.Stdout) + require.NoError(t, err) + require.NotNil(t, cfg) + + extMgr := &extManagerMock{} + + r := New(&Config{ + Server: *cfg, + ProviderResources: pResource, + XdsIR: xdsIR, + ExtensionManager: extMgr, + TLSCertPath: certFile, + TLSKeyPath: keyFile, + TLSCaPath: caFile, + }) + + ctx, cancel := context.WithCancel(context.Background()) + defer cancel() + + // Start + err = r.Start(ctx) + require.NoError(t, err) + defer func() { + cancel() + time.Sleep(100 * time.Millisecond) // Allow graceful shutdown + }() + + // xDS is nil at start + require.Equal(t, map[string]*ir.Xds{}, xdsIR.LoadAll()) + + // test translation + path := "example" + res := ir.Xds{ + HTTP: []*ir.HTTPListener{ + { + CoreListenerDetails: ir.CoreListenerDetails{ + Name: "test", + Address: "0.0.0.0", + Port: 80, + }, + Hostnames: []string{"example.com"}, + Routes: []*ir.HTTPRoute{ + { + Name: "test-route", + PathMatch: &ir.StringMatch{ + Exact: &path, + }, + Destination: &ir.RouteDestination{ + Name: "test-dest", + Settings: []*ir.DestinationSetting{ + { + Endpoints: []*ir.DestinationEndpoint{ + { + Host: "10.11.12.13", + Port: 8080, + }, + }, + }, + }, + }, + }, + }, + }, + }, + } + xdsIR.Store("test", &res) + require.Never(t, func() bool { + // Since the extension manager is configured to fail closed, in an event of an error + // from the extension manager hooks, xds update should not be published. 
+ return r.cache.SnapshotHasIrKey("test") + }, time.Second*5, time.Millisecond*50) +} + +type extManagerMock struct { + types.Manager + ShouldFailOpen bool +} + +func (m *extManagerMock) GetPostXDSHookClient(xdsHookType egv1a1.XDSTranslatorHook) (types.XDSHookClient, error) { + if xdsHookType == egv1a1.XDSHTTPListener { + return &xdsHookClientMock{}, nil + } + + return nil, nil +} + +func (m *extManagerMock) FailOpen() bool { + return m.ShouldFailOpen +} + +type xdsHookClientMock struct { + types.XDSHookClient +} + +func (c *xdsHookClientMock) PostHTTPListenerModifyHook(*listenerv3.Listener, []*unstructured.Unstructured) (*listenerv3.Listener, error) { + return nil, fmt.Errorf("assuming a network error during the call") +} diff --git a/internal/xds/server/runner/runner_test.go b/internal/xds/server/runner/runner_test.go deleted file mode 100644 index 69dd798b81..0000000000 --- a/internal/xds/server/runner/runner_test.go +++ /dev/null 
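Review bot: `peekError` passes the zero-valued `netErr` rather than `err` to `errors.As`, so the timeout check can never match and any non-EOF read error, including the expected 100ms deadline, is returned as a failure; the line should read `if !errors.As(err, &netErr) || !netErr.Timeout() {`. The tests likely pass today only because the gRPC server writes its HTTP/2 preface right after the handshake, so the read rarely hits the deadline. Also, `setupTLSCerts` could return `t.TempDir()` and drop the cleanup func, and `require.NoError` inside the `g.Serve` goroutine in TestTLSConfig runs off the test goroutine, where testify's FailNow is not safe.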
@@ -1,205 +0,0 @@ -// Copyright Envoy Gateway Authors -// SPDX-License-Identifier: Apache-2.0 -// The full text of the Apache license is available in the LICENSE file at -// the root of the repo. - -package runner - -import ( - "context" - "crypto/tls" - "crypto/x509" - "errors" - "io" - "net" - "os" - "path/filepath" - "strconv" - "testing" - "time" - - "github.com/stretchr/testify/assert" - "github.com/stretchr/testify/require" - "github.com/tsaarni/certyaml" - "google.golang.org/grpc" - "google.golang.org/grpc/credentials" - - "github.com/envoyproxy/gateway/internal/crypto" - "github.com/envoyproxy/gateway/internal/envoygateway/config" - "github.com/envoyproxy/gateway/internal/xds/bootstrap" -) - -func TestTLSConfig(t *testing.T) { - // Create trusted CA, server and client certs. - trustedCACert := certyaml.Certificate{ - Subject: "cn=trusted-ca", - } - egCertBeforeRotation := certyaml.Certificate{ - Subject: "cn=eg-before-rotation", - SubjectAltNames: []string{"DNS:localhost"}, - Issuer: &trustedCACert, - } - egCertAfterRotation := certyaml.Certificate{ - Subject: "cn=eg-after-rotation", - SubjectAltNames: []string{"DNS:localhost"}, - Issuer: &trustedCACert, - } - trustedEnvoyCert := certyaml.Certificate{ - Subject: "cn=trusted-envoy", - Issuer: &trustedCACert, - } - - // Create another CA and a client cert to test that untrusted clients are denied. 
- untrustedCACert := certyaml.Certificate{ - Subject: "cn=untrusted-ca", - } - untrustedClientCert := certyaml.Certificate{ - Subject: "cn=untrusted-client", - Issuer: &untrustedCACert, - } - - caCertPool := x509.NewCertPool() - ca, err := trustedCACert.X509Certificate() - require.NoError(t, err) - caCertPool.AddCert(&ca) - - tests := map[string]struct { - serverCredentials *certyaml.Certificate - clientCredentials *certyaml.Certificate - expectError bool - }{ - "successful TLS connection established": { - serverCredentials: &egCertBeforeRotation, - clientCredentials: &trustedEnvoyCert, - expectError: false, - }, - "rotating server credentials returns new server cert": { - serverCredentials: &egCertAfterRotation, - clientCredentials: &trustedEnvoyCert, - expectError: false, - }, - "rotating server credentials again to ensure rotation can be repeated": { - serverCredentials: &egCertBeforeRotation, - clientCredentials: &trustedEnvoyCert, - expectError: false, - }, - "fail to connect with client certificate which is not signed by correct CA": { - serverCredentials: &egCertBeforeRotation, - clientCredentials: &untrustedClientCert, - expectError: true, - }, - } - - // Create temporary directory to store certificates and key for the server. - configDir, err := os.MkdirTemp("", "eg-testdata-") - require.NoError(t, err) - defer os.RemoveAll(configDir) - - caFile := filepath.Join(configDir, "ca.crt") - certFile := filepath.Join(configDir, "tls.crt") - keyFile := filepath.Join(configDir, "tls.key") - - // Initial set of credentials must be written into temp directory before - // starting the tests to avoid error at server startup. - err = trustedCACert.WritePEM(caFile, keyFile) - require.NoError(t, err) - err = egCertBeforeRotation.WritePEM(certFile, keyFile) - require.NoError(t, err) - - // Start a dummy server. 
- tlsCfg, err := crypto.LoadTLSConfig(certFile, keyFile, caFile) - require.NoError(t, err) - - g := grpc.NewServer(grpc.Creds(credentials.NewTLS(tlsCfg))) - if g == nil { - t.Error("failed to create server") - } - - address := "localhost:8001" - l, err := net.Listen("tcp", address) - require.NoError(t, err) - - go func() { - err := g.Serve(l) - require.NoError(t, err) - }() - defer g.GracefulStop() - - for name, tc := range tests { - t.Run(name, func(t *testing.T) { - // Store certificate and key to temp dir used by serveContext. - err = tc.serverCredentials.WritePEM(certFile, keyFile) - require.NoError(t, err) - clientCert, _ := tc.clientCredentials.TLSCertificate() - receivedCert, err := tryConnect(address, clientCert, caCertPool) - gotError := err != nil - if gotError != tc.expectError { - t.Errorf("Unexpected result when connecting to the server: %s", err) - } - if err == nil { - expectedCert, _ := tc.serverCredentials.X509Certificate() - assert.Equal(t, &expectedCert, receivedCert) - } - }) - } -} - -// tryConnect tries to establish TLS connection to the server. -// If successful, return the server certificate. -func tryConnect(address string, clientCert tls.Certificate, caCertPool *x509.CertPool) (*x509.Certificate, error) { - clientConfig := &tls.Config{ - ServerName: "localhost", - MinVersion: tls.VersionTLS13, - Certificates: []tls.Certificate{clientCert}, - NextProtos: []string{"h2"}, - RootCAs: caCertPool, - } - conn, err := tls.Dial("tcp", address, clientConfig) - if err != nil { - return nil, err - } - defer conn.Close() - - err = peekError(conn) - if err != nil { - return nil, err - } - - return conn.ConnectionState().PeerCertificates[0], nil -} - -// peekError is a workaround for TLS 1.3: due to shortened handshake, TLS alert -// from server is received at first read from the socket. To receive alert for -// bad certificate, this function tries to read one byte. 
-// Adapted from https://golang.org/src/crypto/tls/handshake_client_test.go -func peekError(conn net.Conn) error { - _ = conn.SetReadDeadline(time.Now().Add(100 * time.Millisecond)) - _, err := conn.Read(make([]byte, 1)) - if err != nil { - if errors.Is(err, io.EOF) { - return nil - } - - var netErr net.Error - if !errors.As(netErr, &netErr) || !netErr.Timeout() { - return err - } - } - return nil -} - -func TestServeXdsServerListenFailed(t *testing.T) { - // Occupy the address to make listening failed - addr := net.JoinHostPort(XdsServerAddress, strconv.Itoa(bootstrap.DefaultXdsServerPort)) - l, err := net.Listen("tcp", addr) - require.NoError(t, err) - defer l.Close() - - cfg, _ := config.New(os.Stdout) - r := New(&Config{ - Server: *cfg, - }) - r.Logger = r.Logger.WithName(r.Name()).WithValues("runner", r.Name()) - // Don't crash in this function - r.serveXdsServer(context.Background()) -} diff --git a/internal/xds/translator/cluster.go b/internal/xds/translator/cluster.go index 3aa5d49520..a4b98ee6b2 100644 --- a/internal/xds/translator/cluster.go +++ b/internal/xds/translator/cluster.go @@ -422,9 +422,7 @@ func buildXdsCluster(args *xdsClusterArgs) (*buildClusterResult, error) { cluster.RespectDnsTtl = true if args.dns != nil { if args.dns.DNSRefreshRate != nil { - if args.dns.DNSRefreshRate.Duration > 0 { - cluster.DnsRefreshRate = durationpb.New(args.dns.DNSRefreshRate.Duration) - } + cluster.DnsRefreshRate = durationpb.New(args.dns.DNSRefreshRate.Duration) } if args.dns.RespectDNSTTL != nil { cluster.RespectDnsTtl = ptr.Deref(args.dns.RespectDNSTTL, true) diff --git a/internal/xds/translator/httpfilters.go b/internal/xds/translator/httpfilters.go index a5e0a25c16..ff68e89d2c 100644 --- a/internal/xds/translator/httpfilters.go +++ b/internal/xds/translator/httpfilters.go 
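Review bot: Removing the `> 0` guard means a zero or negative `DNSRefreshRate.Duration` is now serialized into `cluster.DnsRefreshRate` instead of being left unset; as far as I recall Envoy's proto validation requires `dns_refresh_rate` to be greater than 1ms, so such a cluster would be rejected at the xDS layer rather than falling back to Envoy's default. If the API layer now guarantees a positive value, a one-line comment saying so above the assignment would document where the check moved; otherwise keep the guard, `if d := args.dns.DNSRefreshRate.Duration; d > 0 {`. buildXdsCluster starts and ends outside the hunk.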
@@ -130,14 +130,18 @@ func newOrderedHTTPFilter(filter *hcmv3.HttpFilter) *OrderedHTTPFilter {
 order = 302
 case isFilterType(filter, egv1a1.EnvoyFilterRateLimit):
 order = 303
- case isFilterType(filter, egv1a1.EnvoyFilterCustomResponse):
+ case isFilterType(filter, egv1a1.EnvoyFilterGRPCWeb):
 order = 304
- case isFilterType(filter, egv1a1.EnvoyFilterCredentialInjector):
+ case isFilterType(filter, egv1a1.EnvoyFilterGRPCStats):
 order = 305
- case isFilterType(filter, egv1a1.EnvoyFilterCompressor):
+ case isFilterType(filter, egv1a1.EnvoyFilterCustomResponse):
 order = 306
- case isFilterType(filter, egv1a1.EnvoyFilterRouter):
+ case isFilterType(filter, egv1a1.EnvoyFilterCredentialInjector):
 order = 307
+ case isFilterType(filter, egv1a1.EnvoyFilterCompressor):
+ order = 308
+ case isFilterType(filter, egv1a1.EnvoyFilterRouter):
+ order = 309
 }
 return &OrderedHTTPFilter{
diff --git a/internal/xds/translator/listener.go b/internal/xds/translator/listener.go
index f02784e29d..943e46cc5e 100644
--- a/internal/xds/translator/listener.go
+++ b/internal/xds/translator/listener.go
@@ -335,23 +335,13 @@ func (t *Translator) addHCMToXDSListener(
 }
 // HTTP filter configuration
- var statPrefix string
- if irListener.TLS != nil {
- statPrefix = "https"
- } else {
- statPrefix = "http"
- }
-
- // Append port to the statPrefix.
- statPrefix = strings.Join([]string{statPrefix, strconv.Itoa(int(irListener.Port))}, "-")
-
 // Client IP detection
 useRemoteAddress := true
 originalIPDetectionExtensions := originalIPDetectionExtensions(irListener.ClientIPDetection)
 if originalIPDetectionExtensions != nil {
 useRemoteAddress = false
 }
-
+ statPrefix := hcmStatPrefix(irListener, t.xdsNameSchemeV2())
 mgr := &hcmv3.HttpConnectionManager{
 AccessLog: al,
 CodecType: hcmv3.HttpConnectionManager_AUTO,
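Review bot: The new grpc_web and grpc_stats cases carry no comment on why they sit between rate_limit and custom_response, and the relative order of the two (grpc_web at 304 ahead of grpc_stats at 305) is the one behavioural constraint this renumbering introduces, as the reordered golden outputs for http2-route and dns-lookup-family show. A one-line comment on the 304 case would pin it down: `// grpc_web runs before grpc_stats so gRPC-Web requests are counted as gRPC once translated` — presumably the intent, please confirm. Renumbering 304–309 by hand on every insertion is also easy to get wrong; an ordered slice of filter types with the order taken from the index would give the same result without the literals. newOrderedHTTPFilter starts and ends outside the hunk.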
@@ -360,7 +350,7 @@ func (t *Translator) addHCMToXDSListener(
 Rds: &hcmv3.Rds{
 ConfigSource: makeConfigSource(),
 // Configure route name to be found via RDS.
- RouteConfigName: routeConfigName(irListener),
+ RouteConfigName: routeConfigName(irListener, t.xdsNameSchemeV2()),
 },
 },
 HttpProtocolOptions: http1ProtocolOptions(irListener.HTTP1),
@@ -500,9 +490,24 @@ func (t *Translator) addHCMToXDSListener(
 return nil
 }
-func routeConfigName(irListener *ir.HTTPListener) string {
- // TODO(zhaohuabing): change the routeConfig name for HTTP listeners because they are merged into one route config
- return irListener.Name
+func hcmStatPrefix(irListener *ir.HTTPListener, nameSchemeV2 bool) string {
+ statPrefix := "http"
+ if irListener.TLS != nil {
+ statPrefix = "https"
+ }
+
+ if nameSchemeV2 {
+ return fmt.Sprintf("%s-%d", statPrefix, irListener.ExternalPort)
+ }
+ return fmt.Sprintf("%s-%d", statPrefix, irListener.Port)
+}
+
+// use the same name for the route config as the filter chain name, as they're 1:1 mapping.
+func routeConfigName(irListener *ir.HTTPListener, nameSchemeV2 bool) string {
+ if irListener.TLS != nil {
+ return httpsListenerFilterChainName(irListener)
+ }
+ return httpListenerDefaultFilterChainName(irListener, nameSchemeV2)
 }
 // port value is used for the default filter chain name for HTTP listeners, as multiple HTTP listeners are merged into
@@ -515,7 +520,7 @@ func httpListenerDefaultFilterChainName(irListener *ir.HTTPListener, nameSchemeV
 return irListener.Name
 }
-// irListener name is used as the filter chain name for HTTPS listener, as Listener is 1:1 mapping to the filter chain
+// irListener name is used as the filter chain name for HTTPS listener, as HTTPS Listener is 1:1 mapping to the filter chain.
 // The Gateway API layer ensures that each listener has a unique combination of hostname and port.
 func httpsListenerFilterChainName(irListener *ir.HTTPListener) string {
 return irListener.Name
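Review bot: `hcmStatPrefix` in the third hunk has no doc comment, and the comment above `routeConfigName` does not start with the function name as Go doc convention expects; a suitable header is `// hcmStatPrefix returns the HCM stat prefix "<http|https>-<port>"; under xDS name scheme v2 the listener's ExternalPort is used instead of Port.` That switch from Port to ExternalPort silently renames every `http.<prefix>.*` stat for users who enable scheme v2, so dashboards and alert rules keyed on the old `http-<port>` prefix stop matching — worth a line in the release notes and in the comment. If ExternalPort can be unset on an HTTPListener the prefix would come out as `http-0`; I cannot tell from the hunk whether the IR guarantees it is populated. addHCMToXDSListener, touched by the first two hunks, starts and ends outside them.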
diff --git a/internal/xds/translator/metadata.go b/internal/xds/translator/metadata.go
index 6ee726c258..41233ebdba 100644
--- a/internal/xds/translator/metadata.go
+++ b/internal/xds/translator/metadata.go
@@ -27,8 +27,23 @@ func buildXdsMetadata(metadata *ir.ResourceMetadata) *corev3.Metadata {
 return nil
 }
+ return buildXdsMetadataFromMultiple([]*ir.ResourceMetadata{metadata})
+}
+
+func buildXdsMetadataFromMultiple(metadata []*ir.ResourceMetadata) *corev3.Metadata {
+ if metadata == nil {
+ return nil
+ }
+
 resourcesList := &structpb.ListValue{}
- resourcesList.Values = append(resourcesList.Values, buildResourceMetadata(metadata))
+ for _, md := range metadata {
+ if md != nil {
+ resourcesList.Values = append(resourcesList.Values, buildResourceMetadata(md))
+ }
+ }
+ if len(resourcesList.Values) == 0 {
+ return nil
+ }
 return &corev3.Metadata{
 FilterMetadata: map[string]*structpb.Struct{
diff --git a/internal/xds/translator/route.go b/internal/xds/translator/route.go
index f07f80d8ea..5cda9f0634 100644
--- a/internal/xds/translator/route.go
+++ b/internal/xds/translator/route.go
@@ -626,7 +626,11 @@ func buildHashPolicy(httpRoute *ir.HTTPRoute) []*routev3.RouteAction_HashPolicy
 },
 }
 if ch.Cookie.TTL != nil {
- hashPolicy.GetCookie().Ttl = durationpb.New(ch.Cookie.TTL.Duration)
+ d, err := time.ParseDuration(string(*ch.Cookie.TTL))
+ if err != nil {
+ return nil
+ }
+ hashPolicy.GetCookie().Ttl = durationpb.New(d)
 }
 if ch.Cookie.Attributes != nil {
 attributes := make([]*routev3.RouteAction_HashPolicy_CookieAttribute, 0, len(ch.Cookie.Attributes))
diff --git a/internal/xds/translator/runner/runner.go b/internal/xds/translator/runner/runner.go
deleted file mode 100644
index c3e33c1969..0000000000
--- a/internal/xds/translator/runner/runner.go
+++ /dev/null
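Review bot: The `if metadata == nil { return nil }` guard at the top of `buildXdsMetadataFromMultiple` is redundant: ranging over a nil slice yields nothing, and the `len(resourcesList.Values) == 0` check further down already returns nil for that case, so those three lines can go. The function also has no doc comment; `// buildXdsMetadataFromMultiple builds the envoy-gateway filter metadata for several IR resources; nil entries are skipped and nil is returned when none remain.` would state the contract the body implements. buildXdsMetadata's signature is in the hunk header but its body starts outside the hunk.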
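Review bot: When `time.ParseDuration` fails, the new code returns nil from `buildHashPolicy`, which throws away every hash policy for the route rather than just the bad TTL, so a single malformed cookie TTL silently turns consistent-hash session affinity off for that route with no log line or status condition — and since the function returns only the slice, the caller cannot tell this apart from "no hash policy configured". CRD validation of `gwapiv1.Duration` probably keeps unparsable strings out, so this branch may be unreachable in practice, but the failure mode should still be narrow: `if d, err := time.ParseDuration(string(*ch.Cookie.TTL)); err == nil { hashPolicy.GetCookie().Ttl = durationpb.New(d) }` keeps the policy and only omits the TTL, or else return the error to the caller so it can be reported. buildHashPolicy's body starts and ends outside the hunk.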
@@ -1,151 +0,0 @@ -// Copyright Envoy Gateway Authors -// SPDX-License-Identifier: Apache-2.0 -// The full text of the Apache license is available in the LICENSE file at -// the root of the repo. - -package runner - -import ( - "context" - "reflect" - - "github.com/telepresenceio/watchable" - ktypes "k8s.io/apimachinery/pkg/types" - - egv1a1 "github.com/envoyproxy/gateway/api/v1alpha1" - "github.com/envoyproxy/gateway/internal/envoygateway/config" - extension "github.com/envoyproxy/gateway/internal/extension/types" - "github.com/envoyproxy/gateway/internal/infrastructure/kubernetes/ratelimit" - "github.com/envoyproxy/gateway/internal/ir" - "github.com/envoyproxy/gateway/internal/message" - "github.com/envoyproxy/gateway/internal/xds/translator" -) - -type Config struct { - config.Server - XdsIR *message.XdsIR - Xds *message.Xds - ExtensionManager extension.Manager - ProviderResources *message.ProviderResources -} - -type Runner struct { - Config -} - -func New(cfg *Config) *Runner { - return &Runner{Config: *cfg} -} - -// Close implements Runner interface. -func (r *Runner) Close() error { return nil } - -// Name implements Runner interface. -func (r *Runner) Name() string { - return string(egv1a1.LogComponentXdsTranslatorRunner) -} - -// Start starts the xds-translator runner -func (r *Runner) Start(ctx context.Context) (err error) { - r.Logger = r.Logger.WithName(r.Name()).WithValues("runner", r.Name()) - // Do not call .Subscribe() inside Goroutine since it is supposed to be called from the same - // Goroutine where Close() is called. 
- sub := r.XdsIR.Subscribe(ctx) - go r.subscribeAndTranslate(sub) - r.Logger.Info("started") - return -} - -func (r *Runner) subscribeAndTranslate(sub <-chan watchable.Snapshot[string, *ir.Xds]) { - // Subscribe to resources - message.HandleSubscription(message.Metadata{Runner: r.Name(), Message: message.XDSIRMessageName}, sub, - func(update message.Update[string, *ir.Xds], errChan chan error) { - r.Logger.Info("received an update") - key := update.Key - val := update.Value - - if update.Delete { - r.Xds.Delete(key) - } else { - // Translate to xds resources - t := &translator.Translator{ - ControllerNamespace: r.ControllerNamespace, - FilterOrder: val.FilterOrder, - RuntimeFlags: r.EnvoyGateway.RuntimeFlags, - Logger: r.Logger, - } - - // Set the extension manager if an extension is loaded - if r.ExtensionManager != nil { - t.ExtensionManager = &r.ExtensionManager - } - - // Set the rate limit service URL if global rate limiting is enabled. - if r.EnvoyGateway.RateLimit != nil { - t.GlobalRateLimit = &translator.GlobalRateLimitSettings{ - ServiceURL: ratelimit.GetServiceURL(r.ControllerNamespace, r.DNSDomain), - FailClosed: r.EnvoyGateway.RateLimit.FailClosed, - } - if r.EnvoyGateway.RateLimit.Timeout != nil { - t.GlobalRateLimit.Timeout = r.EnvoyGateway.RateLimit.Timeout.Duration - } - } - - result, err := t.Translate(val) - if err != nil { - r.Logger.Error(err, "failed to translate xds ir") - errChan <- err - } - - // xDS translation is done in a best-effort manner, so the result - // may contain partial resources even if there are errors. - if result == nil { - r.Logger.Info("no xds resources to publish") - return - } - - // Get all status keys from watchable and save them in the map statusesToDelete. - // Iterating through result.EnvoyPatchPolicyStatuses, any valid keys will be removed from statusesToDelete. - // Remaining keys will be deleted from watchable before we exit this function. 
- statusesToDelete := make(map[ktypes.NamespacedName]bool) - for key := range r.ProviderResources.EnvoyPatchPolicyStatuses.LoadAll() { - statusesToDelete[key] = true - } - - // Publish EnvoyPatchPolicyStatus - for _, e := range result.EnvoyPatchPolicyStatuses { - key := ktypes.NamespacedName{ - Name: e.Name, - Namespace: e.Namespace, - } - // Skip updating status for policies with empty status - // They may have been skipped in this translation because - // their target is not found (not relevant) - if !(reflect.ValueOf(e.Status).IsZero()) { - r.ProviderResources.EnvoyPatchPolicyStatuses.Store(key, e.Status) - } - delete(statusesToDelete, key) - } - // Discard the EnvoyPatchPolicyStatuses to reduce memory footprint - result.EnvoyPatchPolicyStatuses = nil - - // Publish - if err == nil { - message.HandleStore(message.Metadata{ - Runner: r.Name(), - Message: message.XDSMessageName, - }, - key, result, &r.Xds.Map) - } else { - r.Logger.Error(err, "skipped publishing xds resources") - } - - // Delete all the deletable status keys - for key := range statusesToDelete { - r.ProviderResources.EnvoyPatchPolicyStatuses.Delete(key) - } - } - }, - ) - r.Logger.Info("subscriber shutting down") -} diff --git a/internal/xds/translator/runner/runner_test.go b/internal/xds/translator/runner/runner_test.go deleted file mode 100644 index 45f3f46bf4..0000000000 --- a/internal/xds/translator/runner/runner_test.go +++ /dev/null 
@@ -1,274 +0,0 @@ -// Copyright Envoy Gateway Authors -// SPDX-License-Identifier: Apache-2.0 -// The full text of the Apache license is available in the LICENSE file at -// the root of the repo. - -package runner - -import ( - "context" - "fmt" - "os" - "testing" - "time" - - listenerv3 "github.com/envoyproxy/go-control-plane/envoy/config/listener/v3" - resourcev3 "github.com/envoyproxy/go-control-plane/pkg/resource/v3" - "github.com/stretchr/testify/require" - "k8s.io/apimachinery/pkg/apis/meta/v1/unstructured" - - egv1a1 "github.com/envoyproxy/gateway/api/v1alpha1" - "github.com/envoyproxy/gateway/internal/envoygateway/config" - "github.com/envoyproxy/gateway/internal/extension/types" - "github.com/envoyproxy/gateway/internal/ir" - "github.com/envoyproxy/gateway/internal/message" -) - -func TestRunner(t *testing.T) { - // Setup - xdsIR := new(message.XdsIR) - xds := new(message.Xds) - pResource := new(message.ProviderResources) - cfg, err := config.New(os.Stdout) - require.NoError(t, err) - r := New(&Config{ - Server: *cfg, - ProviderResources: pResource, - XdsIR: xdsIR, - Xds: xds, - }) - - ctx := context.Background() - // Start - err = r.Start(ctx) - require.NoError(t, err) - - // xDS is nil at start - require.Equal(t, map[string]*ir.Xds{}, xdsIR.LoadAll()) - - // test translation - path := "example" - res := ir.Xds{ - HTTP: []*ir.HTTPListener{ - { - CoreListenerDetails: ir.CoreListenerDetails{ - Name: "test", - Address: "0.0.0.0", - Port: 80, - }, - Hostnames: []string{"example.com"}, - Routes: []*ir.HTTPRoute{ - { - Name: "test-route", - PathMatch: &ir.StringMatch{ - Exact: &path, - }, - Destination: &ir.RouteDestination{ - Name: "test-dest", - Settings: []*ir.DestinationSetting{ - { - Endpoints: []*ir.DestinationEndpoint{ - { - Host: "10.11.12.13", - Port: 8080, - }, - }, - }, - }, - }, - }, - }, - }, - }, - } - xdsIR.Store("test", &res) - require.Eventually(t, func() bool { - out := xds.LoadAll() - if out == nil { - return false - } - if out["test"] == nil 
{ - return false - } - // Ensure an xds listener is created - return len(out["test"].XdsResources[resourcev3.ListenerType]) == 1 - }, time.Second*5, time.Millisecond*50) - - // Delete the IR triggering an xds delete - xdsIR.Delete("test") - require.Eventually(t, func() bool { - out := xds.LoadAll() - // Ensure that xds has no key, value pairs - return len(out) == 0 - }, time.Second*5, time.Millisecond*50) -} - -func TestRunner_withExtensionManager_FailOpen(t *testing.T) { - // Setup - xdsIR := new(message.XdsIR) - xds := new(message.Xds) - pResource := new(message.ProviderResources) - - cfg, err := config.New(os.Stdout) - require.NoError(t, err) - require.NotNil(t, cfg) - - extMgr := &extManagerMock{} - extMgr.ShouldFailOpen = true - - r := New(&Config{ - Server: *cfg, - ProviderResources: pResource, - XdsIR: xdsIR, - Xds: xds, - ExtensionManager: extMgr, - }) - - ctx := context.Background() - // Start - err = r.Start(ctx) - require.NoError(t, err) - - // xDS is nil at start - require.Equal(t, map[string]*ir.Xds{}, xdsIR.LoadAll()) - - // test translation - path := "example" - res := ir.Xds{ - HTTP: []*ir.HTTPListener{ - { - CoreListenerDetails: ir.CoreListenerDetails{ - Name: "test", - Address: "0.0.0.0", - Port: 80, - }, - Hostnames: []string{"example.com"}, - Routes: []*ir.HTTPRoute{ - { - Name: "test-route", - PathMatch: &ir.StringMatch{ - Exact: &path, - }, - Destination: &ir.RouteDestination{ - Name: "test-dest", - Settings: []*ir.DestinationSetting{ - { - Endpoints: []*ir.DestinationEndpoint{ - { - Host: "10.11.12.13", - Port: 8080, - }, - }, - }, - }, - }, - }, - }, - }, - }, - } - xdsIR.Store("test", &res) - require.Eventually(t, func() bool { - out := xds.LoadAll() - // Since the extension manager is configured to fail open, in an event of an error - // from the extension manager hooks, xds update should be published. 
- return len(out) == 1 - }, time.Second*5, time.Millisecond*50) -} - -func TestRunner_withExtensionManager_FailClosed(t *testing.T) { - // Setup - xdsIR := new(message.XdsIR) - xds := new(message.Xds) - pResource := new(message.ProviderResources) - - cfg, err := config.New(os.Stdout) - require.NoError(t, err) - require.NotNil(t, cfg) - - extMgr := &extManagerMock{} - - r := New(&Config{ - Server: *cfg, - ProviderResources: pResource, - XdsIR: xdsIR, - Xds: xds, - ExtensionManager: extMgr, - }) - - ctx := context.Background() - // Start - err = r.Start(ctx) - require.NoError(t, err) - - // xDS is nil at start - require.Equal(t, map[string]*ir.Xds{}, xdsIR.LoadAll()) - - // test translation - path := "example" - res := ir.Xds{ - HTTP: []*ir.HTTPListener{ - { - CoreListenerDetails: ir.CoreListenerDetails{ - Name: "test", - Address: "0.0.0.0", - Port: 80, - }, - Hostnames: []string{"example.com"}, - Routes: []*ir.HTTPRoute{ - { - Name: "test-route", - PathMatch: &ir.StringMatch{ - Exact: &path, - }, - Destination: &ir.RouteDestination{ - Name: "test-dest", - Settings: []*ir.DestinationSetting{ - { - Endpoints: []*ir.DestinationEndpoint{ - { - Host: "10.11.12.13", - Port: 8080, - }, - }, - }, - }, - }, - }, - }, - }, - }, - } - xdsIR.Store("test", &res) - require.Never(t, func() bool { - out := xds.LoadAll() - // Since the extension manager is configured to fail closed, in an event of an error - // from the extension manager hooks, xds update should not be published. 
- return len(out) > 0 - }, time.Second*5, time.Millisecond*50) -} - -type extManagerMock struct { - types.Manager - ShouldFailOpen bool -} - -func (m *extManagerMock) GetPostXDSHookClient(xdsHookType egv1a1.XDSTranslatorHook) (types.XDSHookClient, error) { - if xdsHookType == egv1a1.XDSHTTPListener { - return &xdsHookClientMock{}, nil - } - - return nil, nil -} - -func (m *extManagerMock) FailOpen() bool { - return m.ShouldFailOpen -} - -type xdsHookClientMock struct { - types.XDSHookClient -} - -func (c *xdsHookClientMock) PostHTTPListenerModifyHook(*listenerv3.Listener, []*unstructured.Unstructured) (*listenerv3.Listener, error) { - return nil, fmt.Errorf("assuming a network error during the call") -} diff --git a/internal/xds/translator/testdata/in/xds-ir/backend-tls-skip-verify.yaml b/internal/xds/translator/testdata/in/xds-ir/backend-tls-skip-verify.yaml index fc74c38f36..f446ca58e5 100644 --- a/internal/xds/translator/testdata/in/xds-ir/backend-tls-skip-verify.yaml +++ b/internal/xds/translator/testdata/in/xds-ir/backend-tls-skip-verify.yaml @@ -19,7 +19,3 @@ http: name: "first-route-dest/backend/0" tls: insecureSkipVerify: true - useSystemTrustStore: true - CACertificate: - name: policy-btls/default-ca - sni: example.com diff --git a/internal/xds/translator/testdata/out/xds-ir/accesslog-types.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/accesslog-types.listeners.yaml index 58471e8de1..5bc6484861 100644 --- a/internal/xds/translator/testdata/out/xds-ir/accesslog-types.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/accesslog-types.listeners.yaml @@ -345,5 +345,13 @@ useRemoteAddress: true name: envoy-gateway/gateway-1/http maxConnectionsToAcceptPerSocketEvent: 1 + metadata: + filterMetadata: + envoy-gateway: + resources: + - kind: Gateway + name: gateway-1 + namespace: envoy-gateway + sectionName: http name: envoy-gateway/gateway-1/http perConnectionBufferLimitBytes: 32768 
diff --git a/internal/xds/translator/testdata/out/xds-ir/authorization-jwt-claim.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/authorization-jwt-claim.listeners.yaml index 261038728f..998f503038 100644 --- a/internal/xds/translator/testdata/out/xds-ir/authorization-jwt-claim.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/authorization-jwt-claim.listeners.yaml @@ -75,5 +75,13 @@ useRemoteAddress: true name: envoy-gateway/gateway-1/http maxConnectionsToAcceptPerSocketEvent: 1 + metadata: + filterMetadata: + envoy-gateway: + resources: + - kind: Gateway + name: gateway-1 + namespace: envoy-gateway + sectionName: http name: envoy-gateway/gateway-1/http perConnectionBufferLimitBytes: 32768 diff --git a/internal/xds/translator/testdata/out/xds-ir/authorization-jwt-scope.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/authorization-jwt-scope.listeners.yaml index 261038728f..998f503038 100644 --- a/internal/xds/translator/testdata/out/xds-ir/authorization-jwt-scope.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/authorization-jwt-scope.listeners.yaml @@ -75,5 +75,13 @@ useRemoteAddress: true name: envoy-gateway/gateway-1/http maxConnectionsToAcceptPerSocketEvent: 1 + metadata: + filterMetadata: + envoy-gateway: + resources: + - kind: Gateway + name: gateway-1 + namespace: envoy-gateway + sectionName: http name: envoy-gateway/gateway-1/http perConnectionBufferLimitBytes: 32768 diff --git a/internal/xds/translator/testdata/out/xds-ir/backend-priority.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/backend-priority.listeners.yaml index 7f609a90d1..41a1c3abc8 100644 --- a/internal/xds/translator/testdata/out/xds-ir/backend-priority.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/backend-priority.listeners.yaml 
@@ -45,5 +45,13 @@ useRemoteAddress: true name: default/gateway-1/http maxConnectionsToAcceptPerSocketEvent: 1 + metadata: + filterMetadata: + envoy-gateway: + resources: + - kind: Gateway + name: gateway-1 + namespace: default + sectionName: http name: default/gateway-1/http perConnectionBufferLimitBytes: 32768 diff --git a/internal/xds/translator/testdata/out/xds-ir/backend-tls-skip-verify.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/backend-tls-skip-verify.clusters.yaml index 540ba4fd71..915a64ca87 100644 --- a/internal/xds/translator/testdata/out/xds-ir/backend-tls-skip-verify.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/backend-tls-skip-verify.clusters.yaml @@ -30,5 +30,4 @@ typedConfig: '@type': type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext commonTlsContext: {} - sni: example.com type: EDS diff --git a/internal/xds/translator/testdata/out/xds-ir/btp-telemetry.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/btp-telemetry.listeners.yaml index 4d0fe90c54..be40ad3cb0 100644 --- a/internal/xds/translator/testdata/out/xds-ir/btp-telemetry.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/btp-telemetry.listeners.yaml @@ -31,5 +31,13 @@ useRemoteAddress: true name: envoy-gateway/gateway-1/http maxConnectionsToAcceptPerSocketEvent: 1 + metadata: + filterMetadata: + envoy-gateway: + resources: + - kind: Gateway + name: gateway-1 + namespace: envoy-gateway + sectionName: http name: envoy-gateway/gateway-1/http perConnectionBufferLimitBytes: 32768 diff --git a/internal/xds/translator/testdata/out/xds-ir/compression.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/compression.listeners.yaml index e0bba0b836..90876bb592 100644 --- a/internal/xds/translator/testdata/out/xds-ir/compression.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/compression.listeners.yaml 
@@ -47,5 +47,13 @@ useRemoteAddress: true name: envoy-gateway/gateway-1/http maxConnectionsToAcceptPerSocketEvent: 1 + metadata: + filterMetadata: + envoy-gateway: + resources: + - kind: Gateway + name: gateway-1 + namespace: envoy-gateway + sectionName: http name: envoy-gateway/gateway-1/http perConnectionBufferLimitBytes: 32768 diff --git a/internal/xds/translator/testdata/out/xds-ir/credential-injection-backend-filter.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/credential-injection-backend-filter.listeners.yaml index 4d0fe90c54..be40ad3cb0 100644 --- a/internal/xds/translator/testdata/out/xds-ir/credential-injection-backend-filter.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/credential-injection-backend-filter.listeners.yaml @@ -31,5 +31,13 @@ useRemoteAddress: true name: envoy-gateway/gateway-1/http maxConnectionsToAcceptPerSocketEvent: 1 + metadata: + filterMetadata: + envoy-gateway: + resources: + - kind: Gateway + name: gateway-1 + namespace: envoy-gateway + sectionName: http name: envoy-gateway/gateway-1/http perConnectionBufferLimitBytes: 32768 diff --git a/internal/xds/translator/testdata/out/xds-ir/credential-injection.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/credential-injection.listeners.yaml index 7a127ec768..c9dbe4269e 100644 --- a/internal/xds/translator/testdata/out/xds-ir/credential-injection.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/credential-injection.listeners.yaml @@ -59,5 +59,13 @@ useRemoteAddress: true name: envoy-gateway/gateway-1/http maxConnectionsToAcceptPerSocketEvent: 1 + metadata: + filterMetadata: + envoy-gateway: + resources: + - kind: Gateway + name: gateway-1 + namespace: envoy-gateway + sectionName: http name: envoy-gateway/gateway-1/http perConnectionBufferLimitBytes: 32768 
diff --git a/internal/xds/translator/testdata/out/xds-ir/custom-response.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/custom-response.listeners.yaml index 79224eb3d4..7ac2f81044 100644 --- a/internal/xds/translator/testdata/out/xds-ir/custom-response.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/custom-response.listeners.yaml @@ -167,5 +167,13 @@ useRemoteAddress: true name: default/gateway-1/http maxConnectionsToAcceptPerSocketEvent: 1 + metadata: + filterMetadata: + envoy-gateway: + resources: + - kind: Gateway + name: gateway-1 + namespace: default + sectionName: http name: default/gateway-1/http perConnectionBufferLimitBytes: 32768 diff --git a/internal/xds/translator/testdata/out/xds-ir/dns-lookup-family.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/dns-lookup-family.listeners.yaml index c5fb9a58f8..4de7e41ca8 100644 --- a/internal/xds/translator/testdata/out/xds-ir/dns-lookup-family.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/dns-lookup-family.listeners.yaml @@ -138,14 +138,6 @@ transportApiVersion: V3 withRequestBody: maxRequestBytes: 8192 - - name: envoy.filters.http.grpc_stats - typedConfig: - '@type': type.googleapis.com/envoy.extensions.filters.http.grpc_stats.v3.FilterConfig - emitFilterState: true - statsForAllMethods: true - - name: envoy.filters.http.grpc_web - typedConfig: - '@type': type.googleapis.com/envoy.extensions.filters.http.grpc_web.v3.GrpcWeb - disabled: true name: envoy.filters.http.ext_proc/envoyextensionpolicy/default/policy-for-httproute/extproc/0 typedConfig: 
@@ -160,6 +152,14 @@ requestTrailerMode: SKIP responseHeaderMode: SKIP responseTrailerMode: SKIP + - name: envoy.filters.http.grpc_web + typedConfig: + '@type': type.googleapis.com/envoy.extensions.filters.http.grpc_web.v3.GrpcWeb + - name: envoy.filters.http.grpc_stats + typedConfig: + '@type': type.googleapis.com/envoy.extensions.filters.http.grpc_stats.v3.FilterConfig + emitFilterState: true + statsForAllMethods: true - name: envoy.filters.http.router typedConfig: '@type': type.googleapis.com/envoy.extensions.filters.http.router.v3.Router @@ -177,5 +177,13 @@ useRemoteAddress: true name: envoy-gateway/gateway-1/http maxConnectionsToAcceptPerSocketEvent: 1 + metadata: + filterMetadata: + envoy-gateway: + resources: + - kind: Gateway + name: gateway-1 + namespace: envoy-gateway + sectionName: http name: envoy-gateway/gateway-1/http perConnectionBufferLimitBytes: 32768 diff --git a/internal/xds/translator/testdata/out/xds-ir/ext-proc-with-traffic-settings.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/ext-proc-with-traffic-settings.listeners.yaml index 7f609a90d1..41a1c3abc8 100644 --- a/internal/xds/translator/testdata/out/xds-ir/ext-proc-with-traffic-settings.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/ext-proc-with-traffic-settings.listeners.yaml @@ -45,5 +45,13 @@ useRemoteAddress: true name: default/gateway-1/http maxConnectionsToAcceptPerSocketEvent: 1 + metadata: + filterMetadata: + envoy-gateway: + resources: + - kind: Gateway + name: gateway-1 + namespace: default + sectionName: http name: default/gateway-1/http perConnectionBufferLimitBytes: 32768 diff --git a/internal/xds/translator/testdata/out/xds-ir/http-connect-proxy.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/http-connect-proxy.listeners.yaml index 4d0fe90c54..be40ad3cb0 100644 --- a/internal/xds/translator/testdata/out/xds-ir/http-connect-proxy.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/http-connect-proxy.listeners.yaml 
@@ -31,5 +31,13 @@ useRemoteAddress: true name: envoy-gateway/gateway-1/http maxConnectionsToAcceptPerSocketEvent: 1 + metadata: + filterMetadata: + envoy-gateway: + resources: + - kind: Gateway + name: gateway-1 + namespace: envoy-gateway + sectionName: http name: envoy-gateway/gateway-1/http perConnectionBufferLimitBytes: 32768 diff --git a/internal/xds/translator/testdata/out/xds-ir/http-connect-terminate.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/http-connect-terminate.listeners.yaml index 4d0fe90c54..be40ad3cb0 100644 --- a/internal/xds/translator/testdata/out/xds-ir/http-connect-terminate.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/http-connect-terminate.listeners.yaml @@ -31,5 +31,13 @@ useRemoteAddress: true name: envoy-gateway/gateway-1/http maxConnectionsToAcceptPerSocketEvent: 1 + metadata: + filterMetadata: + envoy-gateway: + resources: + - kind: Gateway + name: gateway-1 + namespace: envoy-gateway + sectionName: http name: envoy-gateway/gateway-1/http perConnectionBufferLimitBytes: 32768 diff --git a/internal/xds/translator/testdata/out/xds-ir/http-route-dynamic-resolver.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/http-route-dynamic-resolver.listeners.yaml index f869509943..1d2eb71e64 100644 --- a/internal/xds/translator/testdata/out/xds-ir/http-route-dynamic-resolver.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/http-route-dynamic-resolver.listeners.yaml @@ -67,5 +67,13 @@ useRemoteAddress: true name: envoy-gateway/gateway-1/http maxConnectionsToAcceptPerSocketEvent: 1 + metadata: + filterMetadata: + envoy-gateway: + resources: + - kind: Gateway + name: gateway-1 + namespace: envoy-gateway + sectionName: http name: envoy-gateway/gateway-1/http perConnectionBufferLimitBytes: 32768 
diff --git a/internal/xds/translator/testdata/out/xds-ir/http-route-with-metadata.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/http-route-with-metadata.listeners.yaml index a5bc288824..dfae8da1b1 100644 --- a/internal/xds/translator/testdata/out/xds-ir/http-route-with-metadata.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/http-route-with-metadata.listeners.yaml @@ -31,5 +31,15 @@ useRemoteAddress: true name: first-listener maxConnectionsToAcceptPerSocketEvent: 1 + metadata: + filterMetadata: + envoy-gateway: + resources: + - annotations: + foo: bar + kind: Gateway + name: first-gateway + namespace: first-gateway + sectionName: first-listener name: first-listener perConnectionBufferLimitBytes: 32768 diff --git a/internal/xds/translator/testdata/out/xds-ir/http-upgrade-spdy.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/http-upgrade-spdy.listeners.yaml index 4d0fe90c54..be40ad3cb0 100644 --- a/internal/xds/translator/testdata/out/xds-ir/http-upgrade-spdy.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/http-upgrade-spdy.listeners.yaml @@ -31,5 +31,13 @@ useRemoteAddress: true name: envoy-gateway/gateway-1/http maxConnectionsToAcceptPerSocketEvent: 1 + metadata: + filterMetadata: + envoy-gateway: + resources: + - kind: Gateway + name: gateway-1 + namespace: envoy-gateway + sectionName: http name: envoy-gateway/gateway-1/http perConnectionBufferLimitBytes: 32768 diff --git a/internal/xds/translator/testdata/out/xds-ir/http-upgrade-websocket-spdy.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/http-upgrade-websocket-spdy.listeners.yaml index 4d0fe90c54..be40ad3cb0 100644 --- a/internal/xds/translator/testdata/out/xds-ir/http-upgrade-websocket-spdy.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/http-upgrade-websocket-spdy.listeners.yaml 
@@ -31,5 +31,13 @@ useRemoteAddress: true name: envoy-gateway/gateway-1/http maxConnectionsToAcceptPerSocketEvent: 1 + metadata: + filterMetadata: + envoy-gateway: + resources: + - kind: Gateway + name: gateway-1 + namespace: envoy-gateway + sectionName: http name: envoy-gateway/gateway-1/http perConnectionBufferLimitBytes: 32768 diff --git a/internal/xds/translator/testdata/out/xds-ir/http2-route.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/http2-route.listeners.yaml index 2a7c6641af..b2e4d2fb20 100644 --- a/internal/xds/translator/testdata/out/xds-ir/http2-route.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/http2-route.listeners.yaml @@ -14,14 +14,14 @@ initialStreamWindowSize: 65536 maxConcurrentStreams: 100 httpFilters: + - name: envoy.filters.http.grpc_web + typedConfig: + '@type': type.googleapis.com/envoy.extensions.filters.http.grpc_web.v3.GrpcWeb - name: envoy.filters.http.grpc_stats typedConfig: '@type': type.googleapis.com/envoy.extensions.filters.http.grpc_stats.v3.FilterConfig emitFilterState: true statsForAllMethods: true - - name: envoy.filters.http.grpc_web - typedConfig: - '@type': type.googleapis.com/envoy.extensions.filters.http.grpc_web.v3.GrpcWeb - name: envoy.filters.http.router typedConfig: '@type': type.googleapis.com/envoy.extensions.filters.http.router.v3.Router diff --git a/internal/xds/translator/testdata/out/xds-ir/jwt-with-backend-tls-retry.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/jwt-with-backend-tls-retry.listeners.yaml index 672ec20c19..f14e70b86e 100644 --- a/internal/xds/translator/testdata/out/xds-ir/jwt-with-backend-tls-retry.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/jwt-with-backend-tls-retry.listeners.yaml 
@@ -63,5 +63,13 @@ useRemoteAddress: true name: default/gateway-1/http maxConnectionsToAcceptPerSocketEvent: 1 + metadata: + filterMetadata: + envoy-gateway: + resources: + - kind: Gateway + name: gateway-1 + namespace: default + sectionName: http name: default/gateway-1/http perConnectionBufferLimitBytes: 32768 diff --git a/internal/xds/translator/testdata/out/xds-ir/listener-overlapping-tls-config.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/listener-overlapping-tls-config.listeners.yaml index 5c88ff3986..bc14dec8de 100644 --- a/internal/xds/translator/testdata/out/xds-ir/listener-overlapping-tls-config.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/listener-overlapping-tls-config.listeners.yaml @@ -96,6 +96,18 @@ typedConfig: '@type': type.googleapis.com/envoy.extensions.filters.listener.tls_inspector.v3.TlsInspector maxConnectionsToAcceptPerSocketEvent: 1 + metadata: + filterMetadata: + envoy-gateway: + resources: + - kind: Gateway + name: gateway-1 + namespace: envoy-gateway + sectionName: https-1 + - kind: Gateway + name: gateway-1 + namespace: envoy-gateway + sectionName: https-2 name: envoy-gateway/gateway-1/https-1 perConnectionBufferLimitBytes: 32768 - address: @@ -152,5 +164,13 @@ typedConfig: '@type': type.googleapis.com/envoy.extensions.filters.listener.tls_inspector.v3.TlsInspector maxConnectionsToAcceptPerSocketEvent: 1 + metadata: + filterMetadata: + envoy-gateway: + resources: + - kind: Gateway + name: gateway-1 + namespace: envoy-gateway + sectionName: https-3 name: envoy-gateway/gateway-1/https-3 perConnectionBufferLimitBytes: 32768 diff --git a/internal/xds/translator/testdata/out/xds-ir/request-buffer.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/request-buffer.listeners.yaml index 1b5504bd87..3448386e4d 100644 --- a/internal/xds/translator/testdata/out/xds-ir/request-buffer.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/request-buffer.listeners.yaml 
@@ -36,6 +36,14 @@ useRemoteAddress: true name: envoy-gateway/gateway-1/http maxConnectionsToAcceptPerSocketEvent: 1 + metadata: + filterMetadata: + envoy-gateway: + resources: + - kind: Gateway + name: gateway-1 + namespace: envoy-gateway + sectionName: http name: envoy-gateway/gateway-1/http perConnectionBufferLimitBytes: 32768 - address: @@ -76,5 +84,13 @@ useRemoteAddress: true name: envoy-gateway/gateway-2/http maxConnectionsToAcceptPerSocketEvent: 1 + metadata: + filterMetadata: + envoy-gateway: + resources: + - kind: Gateway + name: gateway-2 + namespace: envoy-gateway + sectionName: http name: envoy-gateway/gateway-2/http perConnectionBufferLimitBytes: 32768 diff --git a/internal/xds/translator/testdata/out/xds-ir/securitypolicy-with-oidc-jwt-authz.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/securitypolicy-with-oidc-jwt-authz.listeners.yaml index 61573e5b44..c89b24ad99 100644 --- a/internal/xds/translator/testdata/out/xds-ir/securitypolicy-with-oidc-jwt-authz.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/securitypolicy-with-oidc-jwt-authz.listeners.yaml @@ -103,5 +103,13 @@ useRemoteAddress: true name: envoy-gateway/gateway-1/http maxConnectionsToAcceptPerSocketEvent: 1 + metadata: + filterMetadata: + envoy-gateway: + resources: + - kind: Gateway + name: gateway-1 + namespace: envoy-gateway + sectionName: http name: envoy-gateway/gateway-1/http perConnectionBufferLimitBytes: 32768 diff --git a/internal/xds/translator/testdata/out/xds-ir/xds-name-scheme-v2.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/xds-name-scheme-v2.listeners.yaml index b1b39aa28e..51f8b8f0e9 100644 --- a/internal/xds/translator/testdata/out/xds-ir/xds-name-scheme-v2.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/xds-name-scheme-v2.listeners.yaml 
@@ -25,9 +25,9 @@ configSource: ads: {} resourceApiVersion: V3 - routeConfigName: envoy-gateway/gateway-1/http1 + routeConfigName: http-80 serverHeaderTransformation: PASS_THROUGH - statPrefix: http-10080 + statPrefix: http-80 useRemoteAddress: true name: http-80 maxConnectionsToAcceptPerSocketEvent: 1 @@ -65,7 +65,7 @@ resourceApiVersion: V3 routeConfigName: envoy-gateway/gateway-1/https1 serverHeaderTransformation: PASS_THROUGH - statPrefix: https-10443 + statPrefix: https-443 useRemoteAddress: true name: envoy-gateway/gateway-1/https1 transportSocket: @@ -110,7 +110,7 @@ resourceApiVersion: V3 routeConfigName: envoy-gateway/gateway-1/https2 serverHeaderTransformation: PASS_THROUGH - statPrefix: https-10443 + statPrefix: https-443 useRemoteAddress: true name: envoy-gateway/gateway-1/https2 transportSocket: @@ -168,7 +168,7 @@ resourceApiVersion: V3 routeConfigName: envoy-gateway/gateway-2/https-http3 serverHeaderTransformation: PASS_THROUGH - statPrefix: https-11443 + statPrefix: https-1443 useRemoteAddress: true name: envoy-gateway/gateway-2/https-http3 transportSocket: @@ -222,7 +222,7 @@ resourceApiVersion: V3 routeConfigName: envoy-gateway/gateway-2/https-http3 serverHeaderTransformation: PASS_THROUGH - statPrefix: https-11443 + statPrefix: https-1443 useRemoteAddress: true name: envoy-gateway/gateway-2/https-http3 transportSocket: diff --git a/internal/xds/translator/testdata/out/xds-ir/xds-name-scheme-v2.routes.yaml b/internal/xds/translator/testdata/out/xds-ir/xds-name-scheme-v2.routes.yaml index 01d3a93d1b..5c5dbe25f6 100644 --- a/internal/xds/translator/testdata/out/xds-ir/xds-name-scheme-v2.routes.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/xds-name-scheme-v2.routes.yaml @@ -1,9 +1,9 @@ - ignorePortInHostMatching: true - name: envoy-gateway/gateway-1/http1 + name: http-80 virtualHosts: - domains: - foo.net - name: envoy-gateway/gateway-1/http1/foo_net + name: foo_net routes: - match: prefix: / 
@@ -14,7 +14,7 @@ - upgradeType: websocket - domains: - bar.net - name: envoy-gateway/gateway-1/http2/bar_net + name: bar_net routes: - match: prefix: / @@ -28,7 +28,7 @@ virtualHosts: - domains: - foo.com - name: envoy-gateway/gateway-1/https1/foo_com + name: foo_com routes: - match: prefix: / @@ -42,7 +42,7 @@ virtualHosts: - domains: - bar.com - name: envoy-gateway/gateway-1/https2/bar_com + name: bar_com routes: - match: prefix: / @@ -56,7 +56,7 @@ virtualHosts: - domains: - '*' - name: envoy-gateway/gateway-2/https-http3/* + name: '*' routes: - match: prefix: / diff --git a/internal/xds/translator/translator.go b/internal/xds/translator/translator.go index 862d8d7133..5d68a43253 100644 --- a/internal/xds/translator/translator.go +++ b/internal/xds/translator/translator.go @@ -276,6 +276,7 @@ func (t *Translator) processHTTPListenerXdsTranslation( // The XDS translation is done in a best-effort manner, so we collect all // errors and return them at the end. var ( + ownerGatewayListeners = make(map[string][]*ir.ResourceMetadata) // The set of Gateway HTTPListeners that own the xDS Listener http3EnabledListeners = make(map[listenerKey]*ir.HTTP3Settings) // Map to track HTTP3 settings for listeners by address and port errs error ) @@ -401,6 +402,12 @@ func (t *Translator) processHTTPListenerXdsTranslation( } } + // Collect the metadata for the HTTPListener. + ownerGatewayListeners[tcpXDSListener.Name] = append(ownerGatewayListeners[tcpXDSListener.Name], httpListener.Metadata) + if http3Enabled { + ownerGatewayListeners[quicXDSListener.Name] = append(ownerGatewayListeners[quicXDSListener.Name], httpListener.Metadata) + } + // Add the secrets referenced by the listener's TLS configuration to the // resource version table. // 1:1 between IR TLSListenerConfig and xDS Secret 
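Review bot: The `@@ -401` hunk in translator.go appends `httpListener.Metadata` to the per-xDS-listener owner list without a nil check, and whether a nil entry is tolerated is decided by `buildXdsMetadataFromMultiple`, which is outside this hunk; either guard it with `if httpListener.Metadata != nil { ... }` or add a comment stating that nil entries are expected and skipped downstream. The http-route-with-metadata golden file in this same commit shows Gateway annotations (`foo: bar`) landing in `filterMetadata.envoy-gateway.resources`, so every annotation on a Gateway now becomes part of the listener config that is exposed through config dumps and access-log formatters; if that is intended, a comment at the collection point should say so, because operators routinely place non-public values in annotations. processHTTPListenerXdsTranslation's body continues outside the hunk.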
@@ -446,7 +453,7 @@ func (t *Translator) processHTTPListenerXdsTranslation(
 routeCfgName = findXdsHTTPRouteConfigName(tcpXDSListener)
 // If the route config name is not found, we use the current ir Listener name as the route config name to create a new route config.
 if routeCfgName == "" {
- routeCfgName = routeConfigName(httpListener)
+ routeCfgName = routeConfigName(httpListener, t.xdsNameSchemeV2())
 }
 
 // Create a route config if we have not found one yet
@@ -475,6 +482,14 @@ func (t *Translator) processHTTPListenerXdsTranslation(
 }
 }
 
+ // Add the owner Gateway Listeners to the xDS listeners' metadata.
+ for listenerName, ownerGatewayListeners := range ownerGatewayListeners {
+ xdsListener := findXdsListener(tCtx, listenerName)
+ if xdsListener != nil {
+ xdsListener.Metadata = buildXdsMetadataFromMultiple(ownerGatewayListeners)
+ }
+ }
+
 return errs
 }
 
@@ -504,7 +519,7 @@ func (t *Translator) addRouteToRouteConfig(
 underscoredHostname := strings.ReplaceAll(httpRoute.Hostname, ".", "_")
 // Allocate virtual host for this httpRoute.
 vHost = &routev3.VirtualHost{
- Name: virtualHostName(httpListener, underscoredHostname),
+ Name: virtualHostName(httpListener, underscoredHostname, t.xdsNameSchemeV2()),
 Domains: []string{httpRoute.Hostname},
 Metadata: buildXdsMetadata(httpListener.Metadata),
 }
@@ -656,7 +671,10 @@ func (t *Translator) addRouteToRouteConfig(
 return errs
 }
 
-func virtualHostName(httpListener *ir.HTTPListener, underscoredHostname string) string {
+func virtualHostName(httpListener *ir.HTTPListener, underscoredHostname string, xdsNameSchemeV2 bool) string {
+ if xdsNameSchemeV2 {
+ return underscoredHostname
+ }
 return fmt.Sprintf("%s/%s", httpListener.Name, underscoredHostname)
 }
 
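Review bot: The loop variable `ownerGatewayListeners` in the `@@ -475` hunk shadows the map of the same name it ranges over, which reads like a bug at first glance and trips shadow linters; rename it, e.g. `for listenerName, owners := range ownerGatewayListeners {` and `xdsListener.Metadata = buildXdsMetadataFromMultiple(owners)`. In `virtualHostName`, the v2 scheme returns the bare underscored hostname (the golden files show `foo_net` and even `'*'`), so uniqueness of virtual host names within a route config now rests entirely on hostname uniqueness rather than on the listener name prefix; a doc comment such as `// virtualHostName returns the xDS VirtualHost name; under the v2 name scheme it is the underscored hostname alone, so callers must guarantee one VirtualHost per hostname per route config.` would make that invariant explicit. The `@@ -504` hunk's caller is likely the place that enforces it, but its lookup logic is outside this hunk.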
@@ -1060,7 +1078,8 @@ func addXdsCluster(tCtx *types.ResourceVersionTable, args *xdsClusterArgs) error preferLocal := ptr.Deref(args.loadBalancer, ir.LoadBalancer{}).PreferLocal xdsEndpoints := buildXdsClusterLoadAssignment(args.name, args.settings, preferLocal) for _, ds := range args.settings { - if ds.TLS != nil { + shouldValidateTLS := ds.TLS != nil && !ds.TLS.InsecureSkipVerify + if shouldValidateTLS { // Create an SDS secret for the CA certificate - either with inline bytes or with a filesystem ref secret := buildXdsUpstreamTLSCASecret(ds.TLS) if err := tCtx.AddXdsResource(resourcev3.SecretType, secret); err != nil { diff --git a/internal/xds/types/resourceversiontable.go b/internal/xds/types/resourceversiontable.go index dc186475bc..f6914aa03a 100644 --- a/internal/xds/types/resourceversiontable.go +++ b/internal/xds/types/resourceversiontable.go @@ -11,7 +11,6 @@ import ( "github.com/envoyproxy/go-control-plane/pkg/cache/types" resourcev3 "github.com/envoyproxy/go-control-plane/pkg/resource/v3" - protobuf "google.golang.org/protobuf/proto" "github.com/envoyproxy/gateway/internal/ir" "github.com/envoyproxy/gateway/internal/utils/proto" 
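Review bot: `shouldValidateTLS` now skips registering the CA SDS secret whenever `InsecureSkipVerify` is set, but the upstream transport socket for that destination is built later in the same loop (outside this hunk); if it still references the CA secret name, Envoy will wait on an SDS resource that is never delivered, so the skip must be mirrored where the validation context is assembled. The guard also needs a why-comment, e.g. `// InsecureSkipVerify disables upstream certificate validation, so no CA secret is registered for this destination.`, since a reader scanning addXdsCluster will otherwise assume the secret is unconditional. Because this quietly widens the set of destinations with no CA loaded, emitting a translation-time log line for skip-verify destinations would keep the weakened posture auditable. addXdsCluster's loop body continues outside the hunk.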
@@ -28,45 +27,6 @@ type ResourceVersionTable struct { EnvoyPatchPolicyStatuses } -// DeepCopyInto copies the contents into the output object -// This was generated by controller-gen, moved from -// zz_generated.deepcopy.go and updated to use proto.Clone -// to deep copy the proto.Message -func (t *ResourceVersionTable) DeepCopyInto(out *ResourceVersionTable) { - *out = *t - if t.XdsResources != nil { - in, out := &t.XdsResources, &out.XdsResources - *out = make(map[resourcev3.Type][]types.Resource, len(*in)) - for key, val := range *in { - var outVal []types.Resource - if val == nil { - (*out)[key] = nil - } else { - // Snippet was generated by controller-gen - // G601: Implicit memory aliasing in for loop. - in, out := &val, &outVal //nolint:gosec,scopelint - *out = make([]types.Resource, len(*in)) - for i := range *in { - (*out)[i] = protobuf.Clone((*in)[i]) - } - } - (*out)[key] = outVal - } - } -} - -// DeepCopy generates a deep copy of the ResourceVersionTable object. -// This was generated by controller-gen and moved over from -// zz_generated.deepcopy.go to this file. -func (t *ResourceVersionTable) DeepCopy() *ResourceVersionTable { - if t == nil { - return nil - } - out := new(ResourceVersionTable) - t.DeepCopyInto(out) - return out -} - // GetXdsResources retrieves the translated xds resources saved in the translator context. func (t *ResourceVersionTable) GetXdsResources() XdsResources { return t.XdsResources diff --git a/internal/xds/types/resourceversiontable_test.go b/internal/xds/types/resourceversiontable_test.go index 5fd7a42dd1..6f9032dff0 100644 --- a/internal/xds/types/resourceversiontable_test.go +++ b/internal/xds/types/resourceversiontable_test.go 
@@ -21,65 +21,8 @@ import ( "google.golang.org/protobuf/testing/protocmp" ) -var ( - testListener = &listenerv3.Listener{ - Name: "test-listener", - } - testSecret = &tlsv3.Secret{ - Name: "test-secret", - } -) - -func TestDeepCopy(t *testing.T) { - testCases := []struct { - name string - in *ResourceVersionTable - out *ResourceVersionTable - }{ - { - name: "nil", - in: nil, - out: nil, - }, - { - name: "listener", - in: &ResourceVersionTable{ - XdsResources: XdsResources{ - resourcev3.ListenerType: []types.Resource{testListener}, - }, - }, - out: &ResourceVersionTable{ - XdsResources: XdsResources{ - resourcev3.ListenerType: []types.Resource{testListener}, - }, - }, - }, - { - name: "kitchen-sink", - in: &ResourceVersionTable{ - XdsResources: XdsResources{ - resourcev3.ListenerType: []types.Resource{testListener}, - resourcev3.SecretType: []types.Resource{testSecret}, - }, - }, - out: &ResourceVersionTable{ - XdsResources: XdsResources{ - resourcev3.ListenerType: []types.Resource{testListener}, - resourcev3.SecretType: []types.Resource{testSecret}, - }, - }, - }, - } - for _, tc := range testCases { - t.Run(tc.name, func(t *testing.T) { - if tc.out == nil { - require.Nil(t, tc.in.DeepCopy()) - } else { - diff := cmp.Diff(tc.out, tc.in.DeepCopy(), protocmp.Transform()) - require.Empty(t, diff) - } - }) - } +var testListener = &listenerv3.Listener{ + Name: "test-listener", } func TestAddOrReplaceXdsResource(t *testing.T) { @@ -533,7 +476,7 @@ func TestAddOrReplaceXdsResource(t *testing.T) { t.Run(tc.name, func(t *testing.T) { err := tc.tableIn.AddOrReplaceXdsResource(tc.typeIn, tc.resourceIn, tc.funcIn) require.NoError(t, err) - diff := cmp.Diff(tc.tableOut, tc.tableIn.DeepCopy(), protocmp.Transform()) + diff := cmp.Diff(tc.tableOut, tc.tableIn, protocmp.Transform()) require.Empty(t, diff) }) } diff --git a/release-notes/v1.5.0-rc.2.yaml b/release-notes/v1.5.0-rc.2.yaml new file mode 100644 index 0000000000..67dcd0fbaa --- /dev/null 
+++ b/release-notes/v1.5.0-rc.2.yaml @@ -0,0 +1,26 @@ +date: August 5, 2025 + +# Changes that are expected to cause an incompatibility with previous versions, such as deletions or modifications to existing APIs. +breaking changes: | + Removed `xds-translator` and `xds-server` values from the `runner` label in `watchable_subscribe_total`. Use `xds` instead. + +# Updates addressing vulnerabilities, security flaws, or compliance requirements. +security updates: | + Disable automountServiceAccountToken for proxy and ratelimit deployments and serviceAccounts + +# New features or capabilities added in this release. +new features: | + Added Gateway Listeners to the xDS listener metadata. + +bug fixes: | + Fixed an issue that controller panic when reloading configuration. + Reverted to use Store directly instead of HandleStore wrapper to improve GC cleanup. + +# Enhancements that improve performance. +performance improvements: | + +# Deprecated features or APIs. +deprecations: | + +# Other notable changes not covered by the above sections. +Other changes: | diff --git a/site/content/en/contributions/RELEASING.md b/site/content/en/contributions/RELEASING.md index 5d27ed1b06..809e2af598 100644 --- a/site/content/en/contributions/RELEASING.md +++ b/site/content/en/contributions/RELEASING.md 
@@ -40,48 +40,48 @@ export GITHUB_REMOTE=origin __Note:__ The release candidate version should be in the format `${MAJOR_VERSION}.${MINOR_VERSION}.0-rc.${RELEASE_CANDIDATE_NUMBER}`. 3. Sign, commit, and push your changes to your fork. -4. Submit a [Pull Request][] to merge the changes into the `main` branch. Do not proceed until your PR has merged and - the [Build and Test][] has successfully completed. -5. Create a new release branch from `main`. The release branch should be named +4. Submit a [Pull Request][] to merge the changes into the `main` branch. +5. Do not proceed until your PR has merged and the [Build and Test][] has successfully completed. +6. Create a new release branch from `main`. The release branch should be named `release/v${MAJOR_VERSION}.${MINOR_VERSION}`, e.g. `release/v0.3`. ```shell git checkout -b release/v${MAJOR_VERSION}.${MINOR_VERSION} ``` -6. Push the branch to the Envoy Gateway repo. +7. Push the branch to the Envoy Gateway repo. ```shell git push ${GITHUB_REMOTE} release/v${MAJOR_VERSION}.${MINOR_VERSION} ``` -7. Create a topic branch for updating the Envoy proxy image and Envoy Ratelimit image to the tag supported by the release. +8. Create a topic branch for updating the Envoy proxy image and Envoy Ratelimit image to the tag supported by the release. Please note that the tags should be updated in both the source code and the Helm chart. Reference [PR #2098][] for additional details on updating the image tag. -8. Sign, commit, and push your changes to your fork. -9. Submit a [Pull Request][] to merge the changes into the `release/v${MAJOR_VERSION}.${MINOR_VERSION}` branch. Do not - proceed until your PR has merged into the release branch and the [Build and Test][] has completed for your PR. -10. Ensure your release branch is up-to-date and tag the head of your release branch with the release candidate number. +9. Sign, commit, and push your changes to your fork. +10. 
Submit a [Pull Request][] to merge the changes into the `release/v${MAJOR_VERSION}.${MINOR_VERSION}` branch. +11. Do not proceed until your PR has merged into the release branch and the [Build and Test][] has completed for your PR. +12. Ensure your release branch is up-to-date and tag the head of your release branch with the release candidate number. ```shell git tag -a v${MAJOR_VERSION}.${MINOR_VERSION}.0-rc.${RELEASE_CANDIDATE_NUMBER} -m 'Envoy Gateway v${MAJOR_VERSION}.${MINOR_VERSION}.0-rc.${RELEASE_CANDIDATE_NUMBER} Release Candidate' ``` -11. Push the tag to the Envoy Gateway repository. +13. Push the tag to the Envoy Gateway repository. ```shell git push ${GITHUB_REMOTE} v${MAJOR_VERSION}.${MINOR_VERSION}.0-rc.${RELEASE_CANDIDATE_NUMBER} ``` -12. This will trigger the [release GitHub action][] that generates the release, release artifacts, etc. -13. Confirm that the [release workflow][] completed successfully. -14. Confirm that the Envoy Gateway [image][] with the correct release tag was published to Docker Hub. -15. Confirm that the [release][] was created. -16. Note that the [Quickstart][] references are __not__ updated for release candidates. However, test +14. This will trigger the [release GitHub action][] that generates the release, release artifacts, etc. +15. Confirm that the [release workflow][] completed successfully. +16. Confirm that the Envoy Gateway [image][] with the correct release tag was published to Docker Hub. +17. Confirm that the [release][] was created. +18. Note that the [Quickstart][] references are __not__ updated for release candidates. However, test the quickstart steps using the release candidate by manually updating the links. -17. [Generate][] the GitHub changelog. -18. Ensure you check the "This is a pre-release" checkbox when editing the GitHub release. -19. If you find any bugs in this process, please create an issue. +19. [Generate][] the GitHub changelog. +20. 
Ensure you check the "This is a pre-release" checkbox when editing the GitHub release. +21. If you find any bugs in this process, please create an issue. ## Minor Release @@ -170,16 +170,17 @@ export GITHUB_REMOTE=origin ``` 3. Sign, commit, and push your changes to your fork. -4. Submit a [Pull Request][] to merge the changes into the `main` branch. Do not proceed until all your PRs have merged - and the [Build and Test][] has completed for your final PR. +4. Submit a [Pull Request][] to merge the changes into the `main` branch. -5. Checkout the release branch. +5. Do not proceed until all your PRs have merged and the [Build and Test][] has completed for your final PR. + +6. Checkout the release branch. ```shell git checkout release/v${MAJOR_VERSION}.${MINOR_VERSION} $GITHUB_REMOTE/release/v${MAJOR_VERSION}.${MINOR_VERSION} ``` -6. If the tip of the release branch does not match the tip of `main`, perform the following: +7. If the tip of the release branch does not match the tip of `main`, perform the following: 1. Create a topic branch from the release branch. 2. Cherry-pick the commits from `main` that differ from the release branch, e.g. `git cherry-pick .. -s` @@ -199,7 +200,7 @@ export GITHUB_REMOTE=origin git pull $GITHUB_REMOTE release/v${MAJOR_VERSION}.${MINOR_VERSION} ``` -7. Tag the head of your release branch with the release tag. For example: +8. Tag the head of your release branch with the release tag. For example: ```shell git tag -a v${MAJOR_VERSION}.${MINOR_VERSION}.0 -m 'Envoy Gateway v${MAJOR_VERSION}.${MINOR_VERSION}.0 Release' 
@@ -207,18 +208,18 @@ export GITHUB_REMOTE=origin __Note:__ The tag version differs from the release branch by including the `.0` patch version. -8. Push the tag to the Envoy Gateway repository. +9. Push the tag to the Envoy Gateway repository. ```shell git push origin v${MAJOR_VERSION}.${MINOR_VERSION}.0 ``` -9. This will trigger the [release GitHub action][] that generates the release, release artifacts, etc. -10. Confirm that the [release workflow][] completed successfully. -11. Confirm that the Envoy Gateway [image][] with the correct release tag was published to Docker Hub. -12. Confirm that the [release][] was created. -13. Confirm that the steps in the [Quickstart][] work as expected. -14. [Generate][] the GitHub changelog and include the following text at the beginning of the release page: +10. This will trigger the [release GitHub action][] that generates the release, release artifacts, etc. +11. Confirm that the [release workflow][] completed successfully. +12. Confirm that the Envoy Gateway [image][] with the correct release tag was published to Docker Hub. +13. Confirm that the [release][] was created. +14. Confirm that the steps in the [Quickstart][] work as expected. +15. [Generate][] the GitHub changelog and include the following text at the beginning of the release page: ```console # Release Announcement @@ -227,7 +228,7 @@ export GITHUB_REMOTE=origin (https://gateway.envoyproxy.io/news/releases/notes/v${MAJOR_VERSION}.${MINOR_VERSION}.html) to learn more about the release. ``` -15. Update the `lastVersionTag` in `test/e2e/tests/eg_upgrade.go` to reflect the latest prior release. Refer to [PR #4666] as an example. +16. Update the `lastVersionTag` in `test/e2e/tests/eg_upgrade.go` to reflect the latest prior release. Refer to [PR #4666] as an example. If you find any bugs in this process, please create an issue. 
@@ -313,21 +314,20 @@ export GITHUB_REMOTE=origin ``` 3. Sign, commit, and push your changes to your fork. -4. Submit a [Pull Request][] to merge the changes into the `main` branch. Do not proceed until all your PRs have merged - and the [Build and Test][] has completed for your final PR. - -5. Checkout the release branch. +4. Submit a [Pull Request][] to merge the changes into the `main` branch. +5. Do not proceed until all your PRs have merged and the [Build and Test][] has completed for your final PR. +6. Checkout the release branch. ```shell git checkout release/v${MAJOR_VERSION}.${MINOR_VERSION} $GITHUB_REMOTE/release/v${MAJOR_VERSION}.${MINOR_VERSION} ``` -6. Cherry-pick the release note and release announcement that you created in the previous step to the release branch. The release note will be included in the release artifacts. +7. Cherry-pick the release note and release announcement that you created in the previous step to the release branch. The release note will be included in the release artifacts. 1. Create a topic branch from the release branch. 2. Cherry-pick the release note and release announcement commit from `main` to the topic branch. 3. Submit a PR to merge the topic from of your fork into the release branch. -7. Cherry-pick the commits that you want to include in the patch release. +8. Cherry-pick the commits that you want to include in the patch release. 1. Create a topic branch from the release branch. 2. Cherry-pick the commits from `main` that you want to include in the patch release. 3. Run tests locally, e.g. `make lint`. 
@@ -346,24 +346,24 @@ export GITHUB_REMOTE=origin git pull $GITHUB_REMOTE release/v${MAJOR_VERSION}.${MINOR_VERSION} ``` -7. Tag the head of your release branch with the release tag. For example: +9. Tag the head of your release branch with the release tag. For example: ```shell git tag -a v${MAJOR_VERSION}.${MINOR_VERSION}.${PATCH_VERSION} -m 'Envoy Gateway v${MAJOR_VERSION}.${MINOR_VERSION}.${PATCH_VERSION} Release' ``` -8. Push the tag to the Envoy Gateway repository. +10. Push the tag to the Envoy Gateway repository. - ```shell - git push origin v${MAJOR_VERSION}.${MINOR_VERSION}.${PATCH_VERSION - ``` + ```shell + git push origin v${MAJOR_VERSION}.${MINOR_VERSION}.${PATCH_VERSION + ``` -9. This will trigger the [release GitHub action][] that generates the release, release artifacts, etc. -10. Confirm that the [release workflow][] completed successfully. -11. Confirm that the Envoy Gateway [image][] with the correct release tag was published to Docker Hub. -12. Confirm that the [release][] was created. -13. Confirm that the steps in the [Quickstart][] work as expected. -14. [Generate][] the GitHub changelog and include the following text at the beginning of the release page: +11. This will trigger the [release GitHub action][] that generates the release, release artifacts, etc. +12. Confirm that the [release workflow][] completed successfully. +13. Confirm that the Envoy Gateway [image][] with the correct release tag was published to Docker Hub. +14. Confirm that the [release][] was created. +15. Confirm that the steps in the [Quickstart][] work as expected. +16. [Generate][] the GitHub changelog and include the following text at the beginning of the release page: ```console # Release Announcement 
@@ -372,7 +372,7 @@ export GITHUB_REMOTE=origin (https://gateway.envoyproxy.io/news/releases/notes/v${MAJOR_VERSION}.${MINOR_VERSION}.${MINOR_VERSION}.html) to learn more about the release. ``` -15. If this patch release is the latest release, update the `lastVersionTag` in `test/e2e/tests/eg_upgrade.go` to reflect the latest prior release. Refer to [PR #4666] as an example. +17. If this patch release is the latest release, update the `lastVersionTag` in `test/e2e/tests/eg_upgrade.go` to reflect the latest prior release. Refer to [PR #4666] as an example. ### Announce the Release diff --git a/site/content/en/latest/api/extension_types.md b/site/content/en/latest/api/extension_types.md index 0aa4d2f41a..3c7539e52e 100644 --- a/site/content/en/latest/api/extension_types.md +++ b/site/content/en/latest/api/extension_types.md @@ -129,8 +129,8 @@ _Appears in:_ | Field | Type | Required | Default | Description | | --- | --- | --- | --- | --- | -| `timeout` | _[Duration](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.29/#duration-v1-meta)_ | false | 1s | Timeout defines the time to wait for a health check response. | -| `interval` | _[Duration](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.29/#duration-v1-meta)_ | false | 3s | Interval defines the time between active health checks. | +| `timeout` | _[Duration](https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.Duration)_ | false | 1s | Timeout defines the time to wait for a health check response. | +| `interval` | _[Duration](https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.Duration)_ | false | 3s | Interval defines the time between active health checks. | | `initialJitter` | _[Duration](https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.Duration)_ | false | | InitialJitter defines the maximum time Envoy will wait before the first health check.
Envoy will randomly select a value between 0 and the initial jitter value. | | `unhealthyThreshold` | _integer_ | false | 3 | UnhealthyThreshold defines the number of unhealthy health checks required before a backend host is marked unhealthy. | | `healthyThreshold` | _integer_ | false | 1 | HealthyThreshold defines the number of healthy health checks required before a backend host is marked healthy. | @@ -280,8 +280,8 @@ _Appears in:_ | Field | Type | Required | Default | Description | | --- | --- | --- | --- | --- | -| `baseInterval` | _[Duration](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.29/#duration-v1-meta)_ | true | | BaseInterval is the base interval between retries. | -| `maxInterval` | _[Duration](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.29/#duration-v1-meta)_ | false | | MaxInterval is the maximum interval between retries. This parameter is optional, but must be greater than or equal to the base_interval if set.
The default is 10 times the base_interval | +| `baseInterval` | _[Duration](https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.Duration)_ | false | | BaseInterval is the base interval between retries. | +| `maxInterval` | _[Duration](https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.Duration)_ | false | | MaxInterval is the maximum interval between retries. This parameter is optional, but must be greater than or equal to the base_interval if set.
The default is 10 times the base_interval | #### Backend @@ -630,7 +630,7 @@ _Appears in:_ | `allowMethods` | _string array_ | false | | AllowMethods defines the methods that are allowed to make requests.
It specifies the allowed methods in the Access-Control-Allow-Methods CORS response header..
The value "*" allows any method to be used. | | `allowHeaders` | _string array_ | false | | AllowHeaders defines the headers that are allowed to be sent with requests.
It specifies the allowed headers in the Access-Control-Allow-Headers CORS response header..
The value "*" allows any header to be sent. | | `exposeHeaders` | _string array_ | false | | ExposeHeaders defines which response headers should be made accessible to
scripts running in the browser.
It specifies the headers in the Access-Control-Expose-Headers CORS response header..
The value "*" allows any header to be exposed. | -| `maxAge` | _[Duration](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.29/#duration-v1-meta)_ | false | | MaxAge defines how long the results of a preflight request can be cached.
It specifies the value in the Access-Control-Max-Age CORS response header.. | +| `maxAge` | _[Duration](https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.Duration)_ | false | | MaxAge defines how long the results of a preflight request can be cached.
It specifies the value in the Access-Control-Max-Age CORS response header.. | | `allowCredentials` | _boolean_ | false | | AllowCredentials indicates whether a request can include user credentials
like cookies, authentication headers, or TLS client certificates.
It specifies the value in the Access-Control-Allow-Credentials CORS response header. | @@ -960,7 +960,7 @@ _Appears in:_ | Field | Type | Required | Default | Description | | --- | --- | --- | --- | --- | | `name` | _string_ | true | | Name of the cookie to hash.
If this cookie does not exist in the request, Envoy will generate a cookie and set
the TTL on the response back to the client based on Layer 4
attributes of the backend endpoint, to ensure that these future requests
go to the same backend endpoint. Make sure to set the TTL field for this case. | -| `ttl` | _[Duration](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.29/#duration-v1-meta)_ | false | | TTL of the generated cookie if the cookie is not present. This value sets the
Max-Age attribute value. | +| `ttl` | _[Duration](https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.Duration)_ | false | | TTL of the generated cookie if the cookie is not present. This value sets the
Max-Age attribute value. | | `attributes` | _object (keys:string, values:string)_ | false | | Additional Attributes to set for the generated cookie. | @@ -1093,8 +1093,8 @@ _Appears in:_ | Field | Type | Required | Default | Description | | --- | --- | --- | --- | --- | -| `dnsRefreshRate` | _[Duration](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.29/#duration-v1-meta)_ | true | | DNSRefreshRate specifies the rate at which DNS records should be refreshed.
Defaults to 30 seconds. | -| `respectDnsTtl` | _boolean_ | true | | RespectDNSTTL indicates whether the DNS Time-To-Live (TTL) should be respected.
If the value is set to true, the DNS refresh rate will be set to the resource record’s TTL.
Defaults to true. | +| `dnsRefreshRate` | _[Duration](https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.Duration)_ | false | | DNSRefreshRate specifies the rate at which DNS records should be refreshed.
Defaults to 30 seconds. | +| `respectDnsTtl` | _boolean_ | false | | RespectDNSTTL indicates whether the DNS Time-To-Live (TTL) should be respected.
If the value is set to true, the DNS refresh rate will be set to the resource record’s TTL.
Defaults to true. | | `lookupFamily` | _[DNSLookupFamily](#dnslookupfamily)_ | false | | LookupFamily determines how Envoy would resolve DNS for Routes where the backend is specified as a fully qualified domain name (FQDN).
If set, this configuration overrides other defaults. | @@ -1224,6 +1224,8 @@ _Appears in:_ | `envoy.filters.http.rbac` | EnvoyFilterRBAC defines the Envoy RBAC filter.
| | `envoy.filters.http.local_ratelimit` | EnvoyFilterLocalRateLimit defines the Envoy HTTP local rate limit filter.
| | `envoy.filters.http.ratelimit` | EnvoyFilterRateLimit defines the Envoy HTTP rate limit filter.
| +| `envoy.filters.http.grpc_web` | EnvoyFilterGRPCWeb defines the Envoy HTTP gRPC-web filter.
| +| `envoy.filters.http.grpc_stats` | EnvoyFilterGRPCStats defines the Envoy HTTP gRPC stats filter.
| | `envoy.filters.http.custom_response` | EnvoyFilterCustomResponse defines the Envoy HTTP custom response filter.
| | `envoy.filters.http.credential_injector` | EnvoyFilterCredentialInjector defines the Envoy HTTP credential injector filter.
| | `envoy.filters.http.compressor` | EnvoyFilterCompressor defines the Envoy HTTP compressor filter.
| @@ -1378,6 +1380,7 @@ _Appears in:_ | `gateway-api` | LogComponentGatewayAPIRunner defines the "gateway-api" runner component.
| | `xds-translator` | LogComponentXdsTranslatorRunner defines the "xds-translator" runner component.
| | `xds-server` | LogComponentXdsServerRunner defines the "xds-server" runner component.
| +| `xds` | LogComponentXdsRunner defines the "xds" runner component.
| | `infrastructure` | LogComponentInfrastructureRunner defines the "infrastructure" runner component.
| | `global-ratelimit` | LogComponentGlobalRateLimitRunner defines the "global-ratelimit" runner component.
| @@ -1992,7 +1995,7 @@ _Appears in:_ | Field | Type | Required | Default | Description | | --- | --- | --- | --- | --- | -| `fixedDelay` | _[Duration](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.29/#duration-v1-meta)_ | true | | FixedDelay specifies the fixed delay duration | +| `fixedDelay` | _[Duration](https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.Duration)_ | true | | FixedDelay specifies the fixed delay duration | | `percentage` | _float_ | false | 100 | Percentage specifies the percentage of requests to be delayed. Default 100%, if set 0, no requests will be delayed. Accuracy to 0.0001%. | @@ -2278,6 +2281,27 @@ _Appears in:_ | `headersToBackend` | _string array_ | false | | HeadersToBackend are the authorization response headers that will be added
to the original client request before sending it to the backend server.
Note that coexisting headers will be overridden.
If not specified, no authorization response headers will be added to the
original client request. | +#### HTTPHeaderFilter + + + +HTTPHeaderFilter defines a filter that modifies the headers of an HTTP +request or response. Only one action for a given header name is +permitted. Filters specifying multiple actions of the same or different +type for any one header name are invalid. Configuration to set or add +multiple values for a header must use RFC 7230 header value formatting, +separating each value with a comma. + +_Appears in:_ +- [HeaderSettings](#headersettings) + +| Field | Type | Required | Default | Description | +| --- | --- | --- | --- | --- | +| `set` | _HTTPHeader array_ | false | | Set overwrites the request with the given header (name, value)
before the action.
Input:
GET /foo HTTP/1.1
my-header: foo
Config:
set:
- name: "my-header"
value: "bar"
Output:
GET /foo HTTP/1.1
my-header: bar | +| `add` | _HTTPHeader array_ | false | | Add adds the given header(s) (name, value) to the request
before the action. It appends to any existing values associated
with the header name.
Input:
GET /foo HTTP/1.1
my-header: foo
Config:
add:
- name: "my-header"
value: "bar,baz"
Output:
GET /foo HTTP/1.1
my-header: foo,bar,baz | +| `remove` | _string array_ | false | | Remove the given header(s) from the HTTP request before the action. The
value of Remove is a list of HTTP header names. Note that the header
names are case-insensitive (see
https://datatracker.ietf.org/doc/html/rfc2616#section-4.2).
Input:
GET /foo HTTP/1.1
my-header1: foo
my-header2: bar
my-header3: baz
Config:
remove: ["my-header1", "my-header3"]
Output:
GET /foo HTTP/1.1
my-header2: bar | + + #### HTTPHostnameModifier @@ -3073,9 +3097,9 @@ _Appears in:_ | Field | Type | Required | Default | Description | | --- | --- | --- | --- | --- | -| `leaseDuration` | _[Duration](https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.Duration)_ | true | | LeaseDuration defines the time non-leader contenders will wait before attempting to claim leadership.
It's based on the timestamp of the last acknowledged signal. The default setting is 15 seconds. | -| `renewDeadline` | _[Duration](https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.Duration)_ | true | | RenewDeadline represents the time frame within which the current leader will attempt to renew its leadership
status before relinquishing its position. The default setting is 10 seconds. | -| `retryPeriod` | _[Duration](https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.Duration)_ | true | | RetryPeriod denotes the interval at which LeaderElector clients should perform action retries.
The default setting is 2 seconds. | +| `leaseDuration` | _[Duration](https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.Duration)_ | false | | LeaseDuration defines the time non-leader contenders will wait before attempting to claim leadership.
It's based on the timestamp of the last acknowledged signal.
The default setting is 15 seconds. | +| `renewDeadline` | _[Duration](https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.Duration)_ | false | | RenewDeadline represents the time frame within which the current leader will attempt to renew its leadership
status before relinquishing its position.
The default setting is 10 seconds. | +| `retryPeriod` | _[Duration](https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.Duration)_ | false | | RetryPeriod denotes the interval at which LeaderElector clients should perform action retries.
The default setting is 2 seconds. | | `disable` | _boolean_ | true | | Disable provides the option to turn off leader election, which is enabled by default. | @@ -3123,6 +3147,7 @@ _Appears in:_ | `consistentHash` | _[ConsistentHash](#consistenthash)_ | false | | ConsistentHash defines the configuration when the load balancer type is
set to ConsistentHash | | `endpointOverride` | _[EndpointOverride](#endpointoverride)_ | false | | EndpointOverride defines the configuration for endpoint override.
When specified, the load balancer will attempt to route requests to endpoints
based on the override information extracted from request headers or metadata.
If the override endpoints are not available, the configured load balancer policy will be used as fallback. | | `slowStart` | _[SlowStart](#slowstart)_ | false | | SlowStart defines the configuration related to the slow start load balancer policy.
If set, during slow start window, traffic sent to the newly added hosts will gradually increase.
Currently this is only supported for RoundRobin and LeastRequest load balancers | +| `zoneAware` | _[ZoneAware](#zoneaware)_ | false | | ZoneAware defines the configuration related to the distribution of requests between locality zones. | #### LoadBalancerType @@ -3309,9 +3334,9 @@ _Appears in:_ | `denyRedirect` | _[OIDCDenyRedirect](#oidcdenyredirect)_ | false | | Any request that matches any of the provided matchers (with either tokens that are expired or missing tokens) will not be redirected to the OIDC Provider.
This behavior can be useful for AJAX or machine requests. | | `logoutPath` | _string_ | true | | The path to log a user out, clearing their credential cookies.
If not specified, uses a default logout path "/logout" | | `forwardAccessToken` | _boolean_ | false | | ForwardAccessToken indicates whether the Envoy should forward the access token
via the Authorization header Bearer scheme to the upstream.
If not specified, defaults to false. | -| `defaultTokenTTL` | _[Duration](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.29/#duration-v1-meta)_ | false | | DefaultTokenTTL is the default lifetime of the id token and access token.
Please note that Envoy will always use the expiry time from the response
of the authorization server if it is provided. This field is only used when
the expiry time is not provided by the authorization.
If not specified, defaults to 0. In this case, the "expires_in" field in
the authorization response must be set by the authorization server, or the
OAuth flow will fail. | +| `defaultTokenTTL` | _[Duration](https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.Duration)_ | false | | DefaultTokenTTL is the default lifetime of the id token and access token.
Please note that Envoy will always use the expiry time from the response
of the authorization server if it is provided. This field is only used when
the expiry time is not provided by the authorization.
If not specified, defaults to 0. In this case, the "expires_in" field in
the authorization response must be set by the authorization server, or the
OAuth flow will fail. | | `refreshToken` | _boolean_ | false | | RefreshToken indicates whether the Envoy should automatically refresh the
id token and access token when they expire.
When set to true, the Envoy will use the refresh token to get a new id token
and access token when they expire.
If not specified, defaults to false. | -| `defaultRefreshTokenTTL` | _[Duration](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.29/#duration-v1-meta)_ | false | | DefaultRefreshTokenTTL is the default lifetime of the refresh token.
This field is only used when the exp (expiration time) claim is omitted in
the refresh token or the refresh token is not JWT.
If not specified, defaults to 604800s (one week).
Note: this field is only applicable when the "refreshToken" field is set to true. | +| `defaultRefreshTokenTTL` | _[Duration](https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.Duration)_ | false | | DefaultRefreshTokenTTL is the default lifetime of the refresh token.
This field is only used when the exp (expiration time) claim is omitted in
the refresh token or the refresh token is not JWT.
If not specified, defaults to 604800s (one week).
Note: this field is only applicable when the "refreshToken" field is set to true. | | `passThroughAuthHeader` | _boolean_ | false | | Skips OIDC authentication when the request contains a header that will be extracted by the JWT filter. Unless
explicitly stated otherwise in the extractFrom field, this will be the "Authorization: Bearer ..." header.
The passThroughAuthHeader option is typically used for non-browser clients that may not be able to handle OIDC
redirects and wish to directly supply a token instead.
If not specified, defaults to false. | @@ -3479,11 +3504,11 @@ _Appears in:_ | Field | Type | Required | Default | Description | | --- | --- | --- | --- | --- | | `splitExternalLocalOriginErrors` | _boolean_ | false | false | SplitExternalLocalOriginErrors enables splitting of errors between external and local origin. | -| `interval` | _[Duration](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.29/#duration-v1-meta)_ | false | 3s | Interval defines the time between passive health checks. | +| `interval` | _[Duration](https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.Duration)_ | false | 3s | Interval defines the time between passive health checks. | | `consecutiveLocalOriginFailures` | _integer_ | false | 5 | ConsecutiveLocalOriginFailures sets the number of consecutive local origin failures triggering ejection.
Parameter takes effect only when split_external_local_origin_errors is set to true. | | `consecutiveGatewayErrors` | _integer_ | false | 0 | ConsecutiveGatewayErrors sets the number of consecutive gateway errors triggering ejection. | | `consecutive5XxErrors` | _integer_ | false | 5 | Consecutive5xxErrors sets the number of consecutive 5xx errors triggering ejection. | -| `baseEjectionTime` | _[Duration](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.29/#duration-v1-meta)_ | false | 30s | BaseEjectionTime defines the base duration for which a host will be ejected on consecutive failures. | +| `baseEjectionTime` | _[Duration](https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.Duration)_ | false | 30s | BaseEjectionTime defines the base duration for which a host will be ejected on consecutive failures. | | `maxEjectionPercent` | _integer_ | false | 10 | MaxEjectionPercent sets the maximum percentage of hosts in a cluster that can be ejected. | @@ -3545,7 +3570,7 @@ _Appears in:_ | Field | Type | Required | Default | Description | | --- | --- | --- | --- | --- | -| `timeout` | _[Duration](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.29/#duration-v1-meta)_ | false | | Timeout is the timeout per retry attempt. | +| `timeout` | _[Duration](https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.Duration)_ | false | | Timeout is the timeout per retry attempt. | | `backOff` | _[BackOffPolicy](#backoffpolicy)_ | false | | Backoff is the backoff policy to be applied per retry attempt. gateway uses a fully jittered exponential
back-off algorithm for retries. For additional details,
see https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_filters/router_filter#config-http-filters-router-x-envoy-max-retries | @@ -3579,6 +3604,8 @@ _Appears in:_ | Field | Type | Required | Default | Description | | --- | --- | --- | --- | --- | +| `force` | _[ForceLocalZone](#forcelocalzone)_ | false | | ForceLocalZone defines override configuration for forcing all traffic to stay within the local zone instead of the default behavior
which maintains equal distribution among upstream endpoints while sending as much traffic as possible locally. | +| `minEndpointsThreshold` | _integer_ | false | | MinEndpointsThreshold is the minimum number of total upstream endpoints across all zones required to enable zone-aware routing. | #### Principal @@ -3976,7 +4003,7 @@ _Appears in:_ | Field | Type | Required | Default | Description | | --- | --- | --- | --- | --- | | `backend` | _[RateLimitDatabaseBackend](#ratelimitdatabasebackend)_ | true | | Backend holds the configuration associated with the
database backend used by the rate limit service to store
state associated with global ratelimiting. | -| `timeout` | _[Duration](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.29/#duration-v1-meta)_ | false | | Timeout specifies the timeout period for the proxy to access the ratelimit server
If not set, timeout is 20ms. | +| `timeout` | _[Duration](https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.Duration)_ | false | | Timeout specifies the timeout period for the proxy to access the ratelimit server
If not set, timeout is 20ms. | | `failClosed` | _boolean_ | true | | FailClosed is a switch used to control the flow of traffic
when the response from the ratelimit server cannot be obtained.
If FailClosed is false, let the traffic pass,
otherwise, don't let the traffic pass and return 500.
If not set, FailClosed is False. | | `telemetry` | _[RateLimitTelemetry](#ratelimittelemetry)_ | false | | Telemetry defines telemetry configuration for RateLimit. | @@ -4646,8 +4673,8 @@ _Appears in:_ | Field | Type | Required | Default | Description | | --- | --- | --- | --- | --- | -| `drainTimeout` | _[Duration](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.29/#duration-v1-meta)_ | false | | DrainTimeout defines the graceful drain timeout. This should be less than the pod's terminationGracePeriodSeconds.
If unspecified, defaults to 60 seconds. | -| `minDrainDuration` | _[Duration](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.29/#duration-v1-meta)_ | false | | MinDrainDuration defines the minimum drain duration allowing time for endpoint deprogramming to complete.
If unspecified, defaults to 10 seconds. | +| `drainTimeout` | _[Duration](https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.Duration)_ | false | | DrainTimeout defines the graceful drain timeout. This should be less than the pod's terminationGracePeriodSeconds.
If unspecified, defaults to 60 seconds. | +| `minDrainDuration` | _[Duration](https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.Duration)_ | false | | MinDrainDuration defines the minimum drain duration allowing time for endpoint deprogramming to complete.
If unspecified, defaults to 10 seconds. | #### ShutdownManager @@ -4675,7 +4702,7 @@ _Appears in:_ | Field | Type | Required | Default | Description | | --- | --- | --- | --- | --- | -| `window` | _[Duration](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.29/#duration-v1-meta)_ | true | | Window defines the duration of the warm up period for newly added host.
During slow start window, traffic sent to the newly added hosts will gradually increase.
Currently only supports linear growth of traffic. For additional details,
see https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/cluster/v3/cluster.proto#config-cluster-v3-cluster-slowstartconfig | +| `window` | _[Duration](https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.Duration)_ | true | | Window defines the duration of the warm up period for newly added host.
During slow start window, traffic sent to the newly added hosts will gradually increase.
Currently only supports linear growth of traffic. For additional details,
see https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/cluster/v3/cluster.proto#config-cluster-v3-cluster-slowstartconfig | #### SourceMatch @@ -5322,5 +5349,6 @@ _Appears in:_ | Field | Type | Required | Default | Description | | --- | --- | --- | --- | --- | +| `preferLocal` | _[PreferLocalZone](#preferlocalzone)_ | false | | PreferLocalZone configures zone-aware routing to prefer sending traffic to the local locality zone. | diff --git a/site/content/en/latest/concepts/gateway_api_extensions/backend-traffic-policy.md b/site/content/en/latest/concepts/gateway_api_extensions/backend-traffic-policy.md index 1cc981a1bb..06c99d39e3 100644 --- a/site/content/en/latest/concepts/gateway_api_extensions/backend-traffic-policy.md +++ b/site/content/en/latest/concepts/gateway_api_extensions/backend-traffic-policy.md 
@@ -29,17 +29,58 @@ Think of it as a traffic controller between your gateway and backend services. I `BackendTrafficPolicy` is part of the Envoy Gateway API suite, which extends the Kubernetes Gateway API with additional capabilities. It's implemented as a Custom Resource Definition (CRD) that you can use to configure how Envoy Gateway manages traffic to your backend services. -You can attach it to Gateway API resources in two ways: +### Targets -1. Using `targetRefs` to directly reference specific Gateway resources -2. Using `targetSelectors` to match Gateway resources based on labels +BackendTrafficPolicy can be attached to Gateway API resources using two targeting mechanisms: -The policy applies to all resources that match either targeting method. When multiple policies target the same resource, the most specific configuration wins. +1. **Direct Reference (`targetRefs`)**: Explicitly reference specific resources by name and kind. +2. **Label Selection (`targetSelectors`)**: Match resources based on their labels (see [targetSelectors API reference](../../api/extension_types#targetselectors)) -For example, consider these two policies: +```yaml +# Direct reference targeting +apiVersion: gateway.envoyproxy.io/v1alpha1 +kind: BackendTrafficPolicy +metadata: + name: direct-policy +spec: + targetRefs: + - kind: HTTPRoute + name: my-route + circuitBreaker: + maxConnections: 50 + +--- +# Label-based targeting +apiVersion: gateway.envoyproxy.io/v1alpha1 +kind: BackendTrafficPolicy +metadata: + name: selector-policy +spec: + targetSelectors: + - kind: HTTPRoute + matchLabels: + app: payment-service + rateLimit: + type: Local + local: + requests: 10 + unit: Second +``` + +The policy applies to all resources that match either targeting method. You can target various Gateway API resource types including +`Gateway`, `HTTPRoute`, `GRPCRoute`, `TCPRoute`, `UDPRoute`, `TLSRoute`. 
+ +**Important**: A BackendTrafficPolicy can only target resources in the same namespace as the policy itself. + +### Precedence + +When multiple BackendTrafficPolicies apply to the same resource, Envoy Gateway resolves conflicts using a precedence hierarchy based on the target resource type, regardless of how the policy was attached: + +1. **Route-level policies** (HTTPRoute, GRPCRoute, etc.) - Highest precedence +2. **Gateway-level policies** - Lower precedence ```yaml -# Policy 1: Applies to all routes in the gateway +# Gateway-level policy (lower precedence) - Applies to all routes in the gateway apiVersion: gateway.envoyproxy.io/v1alpha1 kind: BackendTrafficPolicy metadata: @@ -52,7 +93,7 @@ spec: maxConnections: 100 --- -# Policy 2: Applies to a specific route +# Route-level policy (higher precedence) apiVersion: gateway.envoyproxy.io/v1alpha1 kind: BackendTrafficPolicy metadata: 
@@ -65,9 +106,47 @@ spec: maxConnections: 50 ``` -In this example `my-route` and `my-gateway` would both affect the route. However, since Policy 2 targets the route directly while Policy 1 targets the gateway, Policy 2's configuration (`maxConnections: 50`) will take precedence for that specific route. +In this example, the HTTPRoute `my-route` would use `maxConnections: 50` from the route-level policy, overriding the gateway-level setting of 100. + +#### Multiple Policies at the Same Level + +When multiple BackendTrafficPolicies target the same resource at the same hierarchy level (e.g., multiple policies targeting the same HTTPRoute), Envoy Gateway uses the following tie-breaking rules: + +1. **Creation Time Priority**: The oldest policy (earliest `creationTimestamp`) takes precedence +2. **Name-based Sorting**: If policies have identical creation timestamps, they are sorted alphabetically by namespaced name, with the first policy taking precedence + +```yaml +# Policy created first - takes precedence +apiVersion: gateway.envoyproxy.io/v1alpha1 +kind: BackendTrafficPolicy +metadata: + name: alpha-policy + creationTimestamp: "2023-01-01T10:00:00Z" +spec: + targetRefs: + - kind: HTTPRoute + name: my-route + circuitBreaker: + maxConnections: 30 + +--- +# Policy created later - lower precedence +apiVersion: gateway.envoyproxy.io/v1alpha1 +kind: BackendTrafficPolicy +metadata: + name: beta-policy + creationTimestamp: "2023-01-01T11:00:00Z" +spec: + targetRefs: + - kind: HTTPRoute + name: my-route + circuitBreaker: + maxConnections: 40 +``` + +In this example, `alpha-policy` would take precedence due to its earlier creation time, so the HTTPRoute would use `maxConnections: 30`. -Lastly, it's important to note that even when you apply a policy to a Gateway, the policy's effects are tracked separately for each backend service referenced in your routes. 
For example, if you set up circuit breaking on a Gateway with multiple backend services, each backend service will have its own independent circuit breaker counter. This ensures that issues with one backend service don't affect the others. +When the `mergeType` field is unset, no merging occurs and only the most specific configuration takes effect. However, policies can be configured to merge with parent policies using the `mergeType` field (see [Policy Merging](#policy-merging) section below). ## Policy Merging diff --git a/site/content/en/latest/concepts/gateway_api_extensions/client-traffic-policy.md b/site/content/en/latest/concepts/gateway_api_extensions/client-traffic-policy.md index 8dc47a3063..b5afbfb06d 100644 --- a/site/content/en/latest/concepts/gateway_api_extensions/client-traffic-policy.md +++ b/site/content/en/latest/concepts/gateway_api_extensions/client-traffic-policy.md 
@@ -36,14 +36,67 @@ Think of `ClientTrafficPolicy` as a set of rules for your Gateway's entry points `ClientTrafficPolicy` is part of the Envoy Gateway API suite, which extends the Kubernetes Gateway API with additional capabilities. It's implemented as a Custom Resource Definition (CRD) that you can use to configure how Envoy Gateway manages incoming client traffic. -You can attach it to Gateway API resources in two ways: +### Targets -1. Using `targetRefs` to directly reference specific Gateway resources -2. Using `targetSelectors` to match Gateway resources based on labels +ClientTrafficPolicy can be attached to Gateway API resources using two targeting mechanisms: -The policy applies to all Gateway resources that match either targeting method. When multiple policies target the same resource, the most specific configuration wins. +1. **Direct Reference (`targetRefs`)**: Explicitly reference specific Gateway resources by name and kind. +2. **Label Selection (`targetSelectors`)**: Match Gateway resources based on their labels (see [targetSelectors API reference](../../api/extension_types#targetselectors)) -For example, consider these policies targeting the same Gateway Listener: +The policy applies to all Gateway resources that match either targeting method. + +**Important**: A ClientTrafficPolicy can only target Gateway resources in the same namespace as the policy itself. + +### Precedence + +When multiple ClientTrafficPolicies apply to the same resource, Envoy Gateway resolves conflicts using section-level specificity and creation-time priority: + +1. **Section-specific policies** (targeting specific listeners via `sectionName`) - Highest precedence +2. 
**Gateway-wide policies** (targeting entire Gateway) - Lower precedence + +#### Multiple Policies at the Same Level + +When multiple ClientTrafficPolicies target the same resource at the same specificity level (e.g., multiple policies targeting the same Gateway listener section), Envoy Gateway uses the following tie-breaking rules: + +1. **Creation Time Priority**: The oldest policy (earliest `creationTimestamp`) takes precedence +2. **Name-based Sorting**: If policies have identical creation timestamps, they are sorted alphabetically by namespaced name, with the first policy taking precedence + +```yaml +# Policy created first - takes precedence +apiVersion: gateway.envoyproxy.io/v1alpha1 +kind: ClientTrafficPolicy +metadata: + name: alpha-policy + creationTimestamp: "2023-01-01T10:00:00Z" +spec: + targetRefs: + - kind: Gateway + name: my-gateway + sectionName: https-listener + timeout: + http: + idleTimeout: 30s + +--- +# Policy created later - lower precedence +apiVersion: gateway.envoyproxy.io/v1alpha1 +kind: ClientTrafficPolicy +metadata: + name: beta-policy + creationTimestamp: "2023-01-01T11:00:00Z" +spec: + targetRefs: + - kind: Gateway + name: my-gateway + sectionName: https-listener + timeout: + http: + idleTimeout: 40s +``` + +In this example, `alpha-policy` would take precedence due to its earlier creation time, so the listener would use `idleTimeout: 30s`. + +For example, consider these policies with different specificity levels targeting the same Gateway: ```yaml # Policy A: Targets a specific listener in the gateway diff --git a/site/content/en/latest/concepts/gateway_api_extensions/security-policy.md b/site/content/en/latest/concepts/gateway_api_extensions/security-policy.md index 12f0eccfdd..4eac2fb50e 100644 --- a/site/content/en/latest/concepts/gateway_api_extensions/security-policy.md +++ b/site/content/en/latest/concepts/gateway_api_extensions/security-policy.md 
@@ -27,14 +27,146 @@ title: "SecurityPolicy" ## SecurityPolicy in Envoy Gateway -`SecurityPolicy` is implemented as a Kubernetes Custom Resource Definition (CRD) and follows the policy attachment model. You can attach it to Gateway API resources in two ways: +`SecurityPolicy` is implemented as a Kubernetes Custom Resource Definition (CRD) and follows the policy attachment model. -1. Using `targetRefs` to directly reference specific Gateway resources -2. Using `targetSelectors` to match Gateway resources based on labels +### Targets -The policy applies to all resources that match either targeting method. When multiple policies target the same resource, the most specific configuration wins. +SecurityPolicy can be attached to Gateway API resources using two targeting mechanisms: -For example, consider these policies targeting the same Gateway Listener: +1. **Direct Reference (`targetRefs`)**: Explicitly reference specific resources by name and kind. +2. **Label Selection (`targetSelectors`)**: Match resources based on their labels (see [targetSelectors API reference](../../api/extension_types#targetselectors)) + +The policy applies to all resources that match either targeting method. You can target various Gateway API resource types including `Gateway`, `HTTPRoute`, and `GRPCRoute`. + +**Important**: A SecurityPolicy can only target resources in the same namespace as the policy itself. + +### Precedence + +When multiple SecurityPolicies apply to the same resource, Envoy Gateway resolves conflicts using a precedence hierarchy based on the target resource type and section-level specificity: + +1. **Route rule-level policies** (HTTPRoute/GRPCRoute with `sectionName` targeting specific rules) - Highest precedence +2. **Route-level policies** (HTTPRoute, GRPCRoute without `sectionName`) - High precedence +3. **Listener-level policies** (Gateway with `sectionName` targeting specific listeners) - Medium precedence +4. 
**Gateway-level policies** (Gateway without `sectionName`) - Lowest precedence + +#### Multiple Policies at the Same Level + +When multiple SecurityPolicies target the same resource at the same hierarchy level (e.g., multiple policies targeting the same HTTPRoute), Envoy Gateway uses the following tie-breaking rules: + +1. **Creation Time Priority**: The oldest policy (earliest `creationTimestamp`) takes precedence +2. **Name-based Sorting**: If policies have identical creation timestamps, they are sorted alphabetically by namespaced name, with the first policy taking precedence + +```yaml +# Policy created first - takes precedence +apiVersion: gateway.envoyproxy.io/v1alpha1 +kind: SecurityPolicy +metadata: + name: alpha-policy + creationTimestamp: "2023-01-01T10:00:00Z" +spec: + targetRefs: + - kind: HTTPRoute + name: my-route + cors: + allowOrigins: + - exact: https://example.com + +--- +# Policy created later - lower precedence +apiVersion: gateway.envoyproxy.io/v1alpha1 +kind: SecurityPolicy +metadata: + name: beta-policy + creationTimestamp: "2023-01-01T11:00:00Z" +spec: + targetRefs: + - kind: HTTPRoute + name: my-route + cors: + allowOrigins: + - exact: https://different.com +``` + +In this example, `alpha-policy` would take precedence due to its earlier creation time, so the HTTPRoute would use the CORS setting from `alpha-policy`. 
+ +```yaml +# HTTPRoute with named rules +apiVersion: gateway.networking.k8s.io/v1 +kind: HTTPRoute +metadata: + name: my-route +spec: + rules: + - name: rule-1 # Named rule for sectionName targeting + matches: + - path: + value: "/api" + backendRefs: + - name: api-service + port: 80 + +--- +# Route rule-level policy (highest precedence) +apiVersion: gateway.envoyproxy.io/v1alpha1 +kind: SecurityPolicy +metadata: + name: rule-policy +spec: + targetRef: + kind: HTTPRoute + name: my-route + sectionName: rule-1 # Targets specific named rule + cors: + allowOrigins: + - exact: https://rule.example.com + +--- +# Route-level policy (high precedence) +apiVersion: gateway.envoyproxy.io/v1alpha1 +kind: SecurityPolicy +metadata: + name: route-policy +spec: + targetRef: + kind: HTTPRoute + name: my-route # No sectionName = entire route + cors: + allowOrigins: + - exact: https://route.example.com + +--- +# Listener-level policy (medium precedence) +apiVersion: gateway.envoyproxy.io/v1alpha1 +kind: SecurityPolicy +metadata: + name: listener-policy +spec: + targetRef: + kind: Gateway + name: my-gateway + sectionName: https-listener # Targets specific listener + cors: + allowOrigins: + - exact: https://listener.example.com + +--- +# Gateway-level policy (lowest precedence) +apiVersion: gateway.envoyproxy.io/v1alpha1 +kind: SecurityPolicy +metadata: + name: gateway-policy +spec: + targetRef: + kind: Gateway + name: my-gateway # No sectionName = entire gateway + cors: + allowOrigins: + - exact: https://gateway.example.com +``` + +In this example, the specific rule `rule-1` within HTTPRoute `my-route` would use the CORS settings from the route rule-level policy (`https://rule.example.com`), overriding the route-level, listener-level, and gateway-level settings. + +For section-specific targeting, consider these policies with different hierarchy levels targeting the same Gateway: ```yaml # Policy A: Applies to a specific listener 
diff --git a/site/content/en/latest/tasks/extensibility/envoy-patch-policy.md b/site/content/en/latest/tasks/extensibility/envoy-patch-policy.md index 9fddf7dc57..72b047e3bc 100644 --- a/site/content/en/latest/tasks/extensibility/envoy-patch-policy.md +++ b/site/content/en/latest/tasks/extensibility/envoy-patch-policy.md 
@@ -82,6 +82,89 @@ data: {{< boilerplate rollout-envoy-gateway >}} +## XDS Name Scheme V2 + +Starting from v1.5, Envoy Gateway uses version 2 of the xDS name scheme when generating xDS resources. +Because [EnvoyPatchPolicy][] relies on specific xDS resource names, it’s important to use the correct naming format when authoring a patch policy. + +| Component | Scheme Version | Format Description | Example | +|----------------------|----------------|------------------------------------------------------------------------------|----------------------------------| +| **Listener name** | Old | `//` | `default/eg/http` | +| | V2 | `-` | `tcp-80` | +| **RouteConfig name** | Old | `//` | `default/eg/http` | +| | V2 (HTTP) | `http-` | `http-80` | +| | V2 (HTTPS) | `//` | `default/eg/https` | +| **FilterChain name** | Old | `//` | `default/eg/http` | +| | V2 (HTTP) | `http-` | `http-80` | +| | V2 (HTTPS) | `//` | `default/eg/https` | +| **VirtualHost name** | Old | `///` | `default/eg/http/www_example_com` | +| | V2 | `` | `www_example_com` | +| **HCM StatPrefix** | Old | `/` | `http-10080`, `https-10443` | +| | V2 (HTTP) | `http-` | `http-80` | +| | V2 (HTTPS) | `https-` | `https-443` | + + +This change is gated by the XDSNameSchemeV2 runtime flag. The flag is disabled by default in v1.5 and will be enabled by default starting in v1.6. + +We recommend users begin migrating their [EnvoyPatchPolicy][] resources to use the version 2 naming scheme before upgrading to v1.6. + +To opt in to the new naming scheme early, add the`XDSNameSchemeV2` runtime flag to the `runtimeFlags.enabled` field in your [EnvoyGateway][] configuration. + +{{< tabpane text=true >}} +{{% tab header="Apply from stdin" %}} + +```shell +cat <}} + ## Testing ### Customize Response diff --git a/site/content/en/latest/tasks/operations/gateway-namespace-mode.md b/site/content/en/latest/tasks/operations/gateway-namespace-mode.md index ad7f3cd51b..3c5d841bf6 100644 
--- a/site/content/en/latest/tasks/operations/gateway-namespace-mode.md +++ b/site/content/en/latest/tasks/operations/gateway-namespace-mode.md 
@@ -14,10 +14,15 @@ For status updates or to provide feedback, please follow our [GitHub issues](htt In standard deployment mode, Envoy Gateway creates all data plane resources in the controller namespace (typically `envoy-gateway-system`). -Gateway Namespace Mode changes this behavior by placing Envoy Proxy data plane resources like Deployments, Services and ServiceAccounts in each Gateway's namespace, providing stronger isolation and multi-tenancy. +The motivation behind this was to operate with minimum permissions needed to be given for Envoy Gateway controller, as the control plane and data plane was deployed in the same namespace. -Traditional deployment mode uses mTLS where both the client and server authenticate each other. However, in Gateway Namespace Mode, we've shifted to server-side TLS and JWT token validation between infra and control-plane. +Gateway Namespace Mode changes this behavior by placing Envoy Proxy data plane resources like Deployments, Services and ServiceAccounts in each Gateway's namespace, which provides stronger isolation and multi-tenancy compared to the Controller Namespace mode, as it isolates Envoy proxy data plane across different tenants. +This distributed architecture requires additional RBAC permissions for the Envoy Gateway controller to manage Kubernetes resources across multiple namespaces. +The default (Controller Namespace) deployment mode uses mTLS where both the client and server authenticate each other. However, in Gateway Namespace Mode, we've shifted to server-side TLS and JWT token validation between infra and control-plane. 
+ +* **Envoy proxy pods** (running in Gateway namespaces) act as clients and authenticate using JWT tokens +* **Envoy Gateway controller pod** (running in controller namespace) acts as the server and validates JWT tokens * Only the CA certificate is available in pods running in Gateway namespaces * Client certificates are not mounted in these namespaces * The Envoy proxy still validates server certificates using the CA certificate diff --git a/site/content/en/latest/tasks/security/backend-skip-tls-verification.md b/site/content/en/latest/tasks/security/backend-skip-tls-verification.md new file mode 100644 index 0000000000..4d862b0b18 --- /dev/null +++ b/site/content/en/latest/tasks/security/backend-skip-tls-verification.md 
@@ -0,0 +1,341 @@ +--- +title: "Backend TLS: Skip TLS Verification" +--- + +This task demonstrates how to skip TLS verification for a backend service in Envoy Gateway. + +By default, you must configure a [BackendTLSPolicy][] to validate the TLS certificate of a backend service when it uses TLS. + +However, in certain scenarios—such as development or testing—you might want to skip TLS verification for a backend service. +To do this, you can use the [Backend][] API and set the `tls.insecureSkipVerify` field to true in the [Backend][] resource. + +Warning: Skipping TLS verification disables certificate validation, which can expose your connection to man-in-the-middle +attacks. This setting is typically used only for development or testing and is not recommended in production environments. + +## Prerequisites + +- OpenSSL to generate TLS assets. + +## Installation + +{{< boilerplate prerequisites >}} + +## Enable Backend + +The [Backend][] API is disabled by default in Envoy Gateway. To enable it, follow the steps outlined in [Backend Routing][] to configure the [EnvoyGateway][] startup settings accordingly. + +## TLS Certificates + +Generate the certificates and keys used by the backend to terminate TLS connections from the Gateways. + +Create a root certificate and private key to sign certificates: + +```shell +openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 -subj '/O=example Inc./CN=example.com' -keyout ca.key -out ca.crt +``` + +Create a certificate and a private key for `www.example.com`. + +First, create an openssl configuration file: + +```shell +cat > openssl.conf <}} +{{% tab header="Apply from stdin" %}} + +```shell +cat <}} + +## Skip TLS Verification + +In the following example, we will create a [Backend][] resource that routes to the `tls-backend` service, and an [HTTPRoute][] +that references the [Backend][] resource. 
+ +{{< tabpane text=true >}} +{{% tab header="Apply from stdin" %}} + +```shell +cat <}} + +Send a request to the backend service: + +```shell +curl -v -HHost:www.example.com --resolve "www.example.com:80:${GATEWAY_HOST}" \ +http://www.example.com:80/get +``` + +Because the backend service is using TLS, and no [BackendTLSPolicy][] is configured to validate the TLS certificate, +the request will fail with a `400 Bad Request` error: + +```bash +* Connected to www.example.com (172.18.0.200) port 80 +* using HTTP/1.x +> GET /get HTTP/1.1 +> Host:www.example.com +> User-Agent: curl/8.14.1 +> Accept: */* +> +* Request completely sent off +< HTTP/1.1 400 Bad Request +< date: Thu, 31 Jul 2025 06:09:51 GMT +< transfer-encoding: chunked +``` + +Disabling TLS verification by setting the `InsecureSkipVerify` field to `true` allows the request to succeed: + +{{< tabpane text=true >}} +{{% tab header="Apply from stdin" %}} + +```shell +cat <}} + +Send the request again: + +```shell +curl -v -HHost:www.example.com --resolve "www.example.com:80:${GATEWAY_HOST}" \ +http://www.example.com:80/get +``` + +You should now see a successful response from the backend service. Since TLS verification has been skipped, the request +proceeds without validating the backend’s TLS certificate. The response will include TLS details such as the protocol +version and cipher suite used for the connection. + + +```shell +< HTTP/1.1 200 OK +[...] + "tls": { + "version": "TLSv1.2", + "serverName": "", + "negotiatedProtocol": "http/1.1", + "cipherSuite": "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256" + } +``` + +[Backend Routing]: ../traffic/backend/#enable-backend +[Backend]: ../../../api/extension_types#backend +[EnvoyGateway]: ../../../api/extension_types#envoygateway +[HTTPRoute]: https://gateway-api.sigs.k8s.io/api-types/httproute +[BackendTLSPolicy]: https://gateway-api.sigs.k8s.io/api-types/backendtlspolicy/ 
diff --git a/site/content/en/latest/tasks/traffic/zone-aware-routing.md b/site/content/en/latest/tasks/traffic/zone-aware-routing.md index 260b30740a..a07c70ded9 100644 --- a/site/content/en/latest/tasks/traffic/zone-aware-routing.md +++ b/site/content/en/latest/tasks/traffic/zone-aware-routing.md @@ -2,10 +2,15 @@ title: "Zone Aware Routing" --- -EnvoyGateway makes use of [Envoy Zone Aware Routing][Envoy Zone Aware Routing] to support Kubernetes [Traffic Distribution][Traffic Distribution] -and [Topology Aware Routing][Topology Aware Routing] which are useful for keeping network traffic in the originating zone. +EnvoyGateway makes use of [Envoy Zone Aware Routing][Envoy Zone Aware Routing] to keep network traffic in the originating zone. Preferring same-zone traffic between Pods in your cluster can help with reliability, performance (network latency and throughput), or cost. +Zone-aware routing may be enabled in one of two ways: +1. Configuring a [BackendTrafficPolicy][BackendTrafficPolicy] with the `loadbalancer.zoneAware` field +2. Configuring a backendRef Kubernetes `Service` with [Traffic Distribution][Traffic Distribution] or [Topology Aware Routing][Topology Aware Routing] + +When both a backendRef and a [BackendTrafficPolicy][BackendTrafficPolicy] include a configuration for zone awareness, the [BackendTrafficPolicy][BackendTrafficPolicy] takes precedence. + ## Prerequisites * The Kubernetes cluster's nodes must indicate topology information via the `topology.kubernetes.io/zone` [well-known label][Kubernetes well-known metadata]. * There must be at least two valid topology zones for scheduling. @@ -13,7 +18,9 @@ Preferring same-zone traffic between Pods in your cluster can help with reliabil ## Configuration -### Kubernetes Service +Choose one of the following configuration options. + +### Option 1: Kubernetes Service Create the example Kubernetes Service with either topology aware routing or traffic distribution enabled. #### Topology Aware Routing 
@@ -110,12 +117,64 @@ spec: {{% /tab %}} {{< /tabpane >}} +### Option 2: BackendTrafficPolicy +Zone aware routing can also be enabled directly with a [BackendTrafficPolicy][BackendTrafficPolicy]. +The example below configures similar behavior to Kubernetes Traffic Distribution and forces all traffic to the local zone via the `force` field instead +of Envoy's default behavior which _prefers_ routing locally as much as possible while still achieving overall equal request distribution across all endpoints. + +{{< tabpane text=true >}} +{{% tab header="Apply from stdin" %}} +```shell +cat <}} + ### Example deployments and HTTPRoute Next apply the example manifests to create two Deployments and an HTTPRoute. For the test configuration one Deployment (zone-aware-routing-backend-local) includes affinity for EnvoyProxy Pods to ensure its Pods are scheduled in the same -zone and the second Deployment (zone-aware-routing-backend-nonlocal) uses anti-affinity to ensure its Pods _don't_ -schedule to the same zone in order to demonstrate functionality. +zone and the second Deployment (zone-aware-routing-backend-nonlocal) uses anti-affinity to ensure its Pods _don't_ +schedule to the same zone in order to demonstrate functionality. ```shell kubectl apply -f https://raw.githubusercontent.com/envoyproxy/gateway/latest/examples/kubernetes/zone-aware-routing.yaml -n default ``` @@ -129,7 +188,7 @@ zone-aware-routing-backend-nonlocal 3/3 3 3 9m1s ``` -An HTTPRoute resource is created for the `/zone-aware-routing` path prefix along with two example Deployment resources that +An HTTPRoute resource is created for the `/zone-aware-routing` path prefix along with two example Deployment resources that are respectively configured with pod affinity/anti-affinity targeting the Envoy Proxy Pods for testing. Verify the HTTPRoute configuration and status: 
@@ -138,6 +197,12 @@ Verify the HTTPRoute configuration and status: kubectl get httproute/zone-aware-routing -o yaml ``` +If used during configuration, verify the [BackendTrafficPolicy][BackendTrafficPolicy]: + +```shell +kubectl get backendtrafficpolicy/zone-aware-routing -o yaml +``` + ## Testing Ensure the `GATEWAY_HOST` environment variable from the [Quickstart](../../quickstart) is set. If not, follow the @@ -204,9 +269,11 @@ kubectl delete service/zone-aware-routing-backend kubectl delete deployment/zone-aware-routing-backend-local kubectl delete deployment/zone-aware-routing-backend-nonlocal kubectl delete httproute/zone-aware-routing +kubectl delete backendtrafficpolicy/zone-aware-routing ``` [Traffic Distribution]: https://kubernetes.io/docs/concepts/services-networking/service/#traffic-distribution [Topology Aware Routing]: https://kubernetes.io/docs/concepts/services-networking/topology-aware-routing/ [Kubernetes well-known metadata]: https://kubernetes.io/docs/reference/labels-annotations-taints/#topologykubernetesiozone -[Envoy Zone Aware Routing]: https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/upstream/load_balancing/zone_aware \ No newline at end of file +[Envoy Zone Aware Routing]: https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/upstream/load_balancing/zone_aware +[BackendTrafficPolicy]: ../../../api/extension_types#backendtrafficpolicy \ No newline at end of file diff --git a/site/content/en/latest/troubleshooting/admin-console.md b/site/content/en/latest/troubleshooting/admin-console.md index b0aa56ce41..1289f75802 100644 --- a/site/content/en/latest/troubleshooting/admin-console.md +++ b/site/content/en/latest/troubleshooting/admin-console.md @@ -6,7 +6,7 @@ Envoy Gateway provides a built-in web-based admin console that offers a comprehe ## Prerequisites -{{< boilerplate o11y_prerequisites >}} +{{< boilerplate prerequisites >}} ## Overview 
diff --git a/site/content/en/v1.4/tasks/operations/gateway-namespace-mode.md b/site/content/en/v1.4/tasks/operations/gateway-namespace-mode.md index f71b2c688f..7789274463 100644 --- a/site/content/en/v1.4/tasks/operations/gateway-namespace-mode.md +++ b/site/content/en/v1.4/tasks/operations/gateway-namespace-mode.md 
@@ -14,10 +14,15 @@ For status updates or to provide feedback, please follow our [GitHub issues](htt In standard deployment mode, Envoy Gateway creates all data plane resources in the controller namespace (typically `envoy-gateway-system`). -Gateway Namespace Mode changes this behavior by placing Envoy Proxy data plane resources like Deployments, Services and ServiceAccounts in each Gateway's namespace, providing stronger isolation and multi-tenancy. +The motivation behind this was to operate with minimum permissions needed to be given for Envoy Gateway controller, as the control plane and data plane was deployed in the same namespace. -Traditional deployment mode uses mTLS where both the client and server authenticate each other. However, in Gateway Namespace Mode, we've shifted to server-side TLS and JWT token validation between infra and control-plane. +Gateway Namespace Mode changes this behavior by placing Envoy Proxy data plane resources like Deployments, Services and ServiceAccounts in each Gateway's namespace, which provides stronger isolation and multi-tenancy compared to the Controller Namespace mode, as it isolates Envoy proxy data plane across different tenants. +This distributed architecture requires additional RBAC permissions for the Envoy Gateway controller to manage Kubernetes resources across multiple namespaces. +The default (Controller Namespace) deployment mode uses mTLS where both the client and server authenticate each other. However, in Gateway Namespace Mode, we've shifted to server-side TLS and JWT token validation between infra and control-plane. 
+ +* **Envoy proxy pods** (running in Gateway namespaces) act as clients and authenticate using JWT tokens +* **Envoy Gateway controller pod** (running in controller namespace) acts as the server and validates JWT tokens * Only the CA certificate is available in pods running in Gateway namespaces * Client certificates are not mounted in these namespaces * The Envoy proxy still validates server certificates using the CA certificate diff --git a/test/cel-validation/backendtrafficpolicy_test.go b/test/cel-validation/backendtrafficpolicy_test.go index f0259ad112..17986a5ae7 100644 --- a/test/cel-validation/backendtrafficpolicy_test.go +++ b/test/cel-validation/backendtrafficpolicy_test.go @@ -432,9 +432,7 @@ func TestBackendTrafficPolicyTarget(t *testing.T) { LoadBalancer: &egv1a1.LoadBalancer{ Type: egv1a1.LeastRequestLoadBalancerType, SlowStart: &egv1a1.SlowStart{ - Window: &metav1.Duration{ - Duration: 10000000, - }, + Window: ptr.To(gwapiv1.Duration("10ms")), }, }, }, @@ -459,9 +457,7 @@ func TestBackendTrafficPolicyTarget(t *testing.T) { LoadBalancer: &egv1a1.LoadBalancer{ Type: egv1a1.RoundRobinLoadBalancerType, SlowStart: &egv1a1.SlowStart{ - Window: &metav1.Duration{ - Duration: 10000000, - }, + Window: ptr.To(gwapiv1.Duration("10ms")), }, }, }, @@ -486,9 +482,7 @@ func TestBackendTrafficPolicyTarget(t *testing.T) { LoadBalancer: &egv1a1.LoadBalancer{ Type: egv1a1.RandomLoadBalancerType, SlowStart: &egv1a1.SlowStart{ - Window: &metav1.Duration{ - Duration: 10000000, - }, + Window: ptr.To(gwapiv1.Duration("10ms")), }, }, }, @@ -515,9 +509,7 @@ func TestBackendTrafficPolicyTarget(t *testing.T) { LoadBalancer: &egv1a1.LoadBalancer{ Type: egv1a1.ConsistentHashLoadBalancerType, SlowStart: &egv1a1.SlowStart{ - Window: &metav1.Duration{ - Duration: 10000000, - }, + Window: ptr.To(gwapiv1.Duration("10ms")), }, }, }, 
@@ -653,9 +645,7 @@ func TestBackendTrafficPolicyTarget(t *testing.T) { }, FaultInjection: &egv1a1.FaultInjection{ Delay: &egv1a1.FaultInjectionDelay{ - FixedDelay: &metav1.Duration{ - Duration: 10000000, - }, + FixedDelay: ptr.To(gwapiv1.Duration("10ms")), }, }, } diff --git a/test/cel-validation/securitypolicy_test.go b/test/cel-validation/securitypolicy_test.go index 10a057894e..9f8f8b4d44 100644 --- a/test/cel-validation/securitypolicy_test.go +++ b/test/cel-validation/securitypolicy_test.go @@ -1315,12 +1315,8 @@ func TestSecurityPolicyTarget(t *testing.T) { NumRetries: ptr.To(int32(3)), PerRetry: &egv1a1.PerRetryPolicy{ BackOff: &egv1a1.BackOffPolicy{ - BaseInterval: &metav1.Duration{ - Duration: time.Second * 1, - }, - MaxInterval: &metav1.Duration{ - Duration: time.Second * 10, - }, + BaseInterval: ptr.To(gwapiv1.Duration("1s")), + MaxInterval: ptr.To(gwapiv1.Duration("10s")), }, }, RetryOn: &egv1a1.RetryOn{ @@ -1366,9 +1362,7 @@ func TestSecurityPolicyTarget(t *testing.T) { Retry: &egv1a1.Retry{ NumRetries: ptr.To(int32(3)), PerRetry: &egv1a1.PerRetryPolicy{ - Timeout: &metav1.Duration{ - Duration: time.Second * 10, - }, + Timeout: ptr.To(gwapiv1.Duration("10s")), }, RetryOn: &egv1a1.RetryOn{ HTTPStatusCodes: []egv1a1.HTTPStatus{500}, diff --git a/test/e2e/testdata/backend-tls.yaml b/test/e2e/testdata/backend-tls.yaml index b95dbaa900..1f6f7d0637 100644 --- a/test/e2e/testdata/backend-tls.yaml +++ b/test/e2e/testdata/backend-tls.yaml @@ -153,7 +153,7 @@ spec: apiVersion: gateway.envoyproxy.io/v1alpha1 kind: Backend metadata: - name: backend-insecure-tls-verify + name: backend-insecure-tls-verify-and-mismatch-ca namespace: gateway-conformance-infra spec: endpoints: @@ -166,7 +166,7 @@ spec: apiVersion: gateway.networking.k8s.io/v1 kind: HTTPRoute metadata: - name: http-with-backend-insecure-skip-verify + name: http-with-backend-insecure-skip-verify-and-mismatch-ca namespace: gateway-conformance-infra spec: parentRefs: 
@@ -175,9 +175,40 @@ spec: - matches: - path: type: PathPrefix - value: /backend-tls-skip-verify + value: /backend-tls-skip-verify-and-mismatch-ca backendRefs: - - name: backend-insecure-tls-verify + - name: backend-insecure-tls-verify-and-mismatch-ca + group: gateway.envoyproxy.io + kind: Backend +--- +apiVersion: gateway.envoyproxy.io/v1alpha1 +kind: Backend +metadata: + name: backend-insecure-tls-verify-without-backend-tls-policy + namespace: gateway-conformance-infra +spec: + endpoints: + - fqdn: + hostname: tls-backend-2.gateway-conformance-infra.svc.cluster.local + port: 443 + tls: + insecureSkipVerify: true +--- +apiVersion: gateway.networking.k8s.io/v1 +kind: HTTPRoute +metadata: + name: http-with-backend-insecure-skip-verify-without-backend-tls-policy + namespace: gateway-conformance-infra +spec: + parentRefs: + - name: same-namespace + rules: + - matches: + - path: + type: PathPrefix + value: /backend-tls-skip-verify-without-backend-tls-policy + backendRefs: + - name: backend-insecure-tls-verify-without-backend-tls-policy group: gateway.envoyproxy.io kind: Backend --- diff --git a/test/e2e/testdata/zone-aware-routing-backendref-enabled.yaml b/test/e2e/testdata/zone-aware-routing-backendref-enabled.yaml new file mode 100644 index 0000000000..fdec6ba43c --- /dev/null +++ b/test/e2e/testdata/zone-aware-routing-backendref-enabled.yaml 
@@ -0,0 +1,33 @@ +apiVersion: v1 +kind: Service +metadata: + name: topology-aware-routing + namespace: gateway-conformance-infra + annotations: + service.kubernetes.io/topology-mode: Auto +spec: + selector: + app: zone-aware-backend + ports: + - protocol: TCP + port: 8080 + name: http11 + targetPort: 3000 +--- +apiVersion: gateway.networking.k8s.io/v1 +kind: HTTPRoute +metadata: + name: topology-aware-routing + namespace: gateway-conformance-infra +spec: + parentRefs: + - name: same-namespace + rules: + - matches: + - path: + type: PathPrefix + value: /topology-aware-routing + backendRefs: + - name: topology-aware-routing + port: 8080 + weight: 1 diff --git a/test/e2e/testdata/zone-aware-routing-btp-enabled.yaml b/test/e2e/testdata/zone-aware-routing-btp-enabled.yaml new file mode 100644 index 0000000000..28536127b8 --- /dev/null +++ b/test/e2e/testdata/zone-aware-routing-btp-enabled.yaml @@ -0,0 +1,49 @@ +apiVersion: v1 +kind: Service +metadata: + name: btp-zone-aware + namespace: gateway-conformance-infra +spec: + selector: + app: zone-aware-backend + ports: + - protocol: TCP + port: 8080 + name: http11 + targetPort: 3000 +--- +apiVersion: gateway.networking.k8s.io/v1 +kind: HTTPRoute +metadata: + name: btp-zone-aware + namespace: gateway-conformance-infra +spec: + parentRefs: + - name: same-namespace + rules: + - matches: + - path: + type: PathPrefix + value: /btp-zone-aware + backendRefs: + - name: btp-zone-aware + port: 8080 + weight: 1 +--- +apiVersion: gateway.envoyproxy.io/v1alpha1 +kind: BackendTrafficPolicy +metadata: + name: btp-zone-aware + namespace: gateway-conformance-infra +spec: + targetRefs: + - group: gateway.networking.k8s.io + kind: HTTPRoute + name: btp-zone-aware + loadBalancer: + type: RoundRobin + zoneAware: + preferLocal: + minEndpointsThreshold: 1 + force: + minEndpointsInZoneThreshold: 1 
diff --git a/test/e2e/testdata/zone-aware-routing.yaml b/test/e2e/testdata/zone-aware-routing-deployments.yaml similarity index 82% rename from test/e2e/testdata/zone-aware-routing.yaml rename to test/e2e/testdata/zone-aware-routing-deployments.yaml index 63a2414fca..492ff92a16 100644 --- a/test/e2e/testdata/zone-aware-routing.yaml +++ b/test/e2e/testdata/zone-aware-routing-deployments.yaml @@ -99,37 +99,3 @@ spec: - proxy topologyKey: topology.kubernetes.io/zone namespaceSelector: {} ---- -apiVersion: v1 -kind: Service -metadata: - name: zone-aware-backend - namespace: gateway-conformance-infra - annotations: - service.kubernetes.io/topology-mode: Auto -spec: - selector: - app: zone-aware-backend - ports: - - protocol: TCP - port: 8080 - name: http11 - targetPort: 3000 ---- -apiVersion: gateway.networking.k8s.io/v1 -kind: HTTPRoute -metadata: - name: zone-aware-http-route - namespace: gateway-conformance-infra -spec: - parentRefs: - - name: same-namespace - rules: - - matches: - - path: - type: PathPrefix - value: / - backendRefs: - - name: zone-aware-backend - port: 8080 - weight: 1 diff --git a/test/e2e/tests/backend_tls.go b/test/e2e/tests/backend_tls.go index bb76ed9ef3..e711f79492 100644 --- a/test/e2e/tests/backend_tls.go +++ b/test/e2e/tests/backend_tls.go 
@@ -88,12 +88,29 @@ var BackendTLSTest = suite.ConformanceTest{
 })
 
 t.Run("with CA mismatch and skip tls verify", func(t *testing.T) {
- routeNN := types.NamespacedName{Name: "http-with-backend-insecure-skip-verify", Namespace: ConformanceInfraNamespace}
+ routeNN := types.NamespacedName{Name: "http-with-backend-insecure-skip-verify-and-mismatch-ca", Namespace: ConformanceInfraNamespace}
 gwAddr := kubernetes.GatewayAndHTTPRoutesMustBeAccepted(t, suite.Client, suite.TimeoutConfig, suite.ControllerName, kubernetes.NewGatewayRef(gwNN), routeNN)
 
 expectedResponse := http.ExpectedResponse{
 Request: http.Request{
- Path: "/backend-tls-skip-verify",
+ Path: "/backend-tls-skip-verify-and-mismatch-ca",
+ },
+ Response: http.Response{
+ StatusCode: 200, // Bad Request: Client sent an HTTP request to an HTTPS server
+ },
+ Namespace: ConformanceInfraNamespace,
+ }
+
+ http.MakeRequestAndExpectEventuallyConsistentResponse(t, suite.RoundTripper, suite.TimeoutConfig, gwAddr, expectedResponse)
+ })
+
+ t.Run("without BackendTLSPolicy and skip tls verify", func(t *testing.T) {
+ routeNN := types.NamespacedName{Name: "http-with-backend-insecure-skip-verify-without-backend-tls-policy", Namespace: ConformanceInfraNamespace}
+ gwAddr := kubernetes.GatewayAndHTTPRoutesMustBeAccepted(t, suite.Client, suite.TimeoutConfig, suite.ControllerName, kubernetes.NewGatewayRef(gwNN), routeNN)
+
+ expectedResponse := http.ExpectedResponse{
+ Request: http.Request{
+ Path: "/backend-tls-skip-verify-without-backend-tls-policy",
 },
 Response: http.Response{
 StatusCode: 200, // Bad Request: Client sent an HTTP request to an HTTPS server
diff --git a/test/e2e/tests/connection_limit.go b/test/e2e/tests/connection_limit.go
index 15e316fec4..c60dfaf2ce 100644
--- a/test/e2e/tests/connection_limit.go
+++ b/test/e2e/tests/connection_limit.go
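Review bot: The comment on the added `StatusCode: 200` line, `// Bad Request: Client sent an HTTP request to an HTTPS server`, contradicts the status it annotates; it is repeated verbatim in the new "without BackendTLSPolicy and skip tls verify" subtest and appears to have been copied from a case that expected a 400. Replace it in both subtests with a comment that matches the assertion, e.g. `StatusCode: 200, // verification is skipped, so the TLS handshake to the backend succeeds and the request is proxied`. The two subtests differ only in route name and request path, so a small table over (subtest name, route, path) driving one loop would remove the duplicated ExpectedResponse literal and keep the two cases from drifting. The enclosing Test closure starts and ends outside the hunk.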
@@ -85,6 +85,9 @@ var ConnectionLimitTest = suite.ConformanceTest{
 }
 
 prefix := "http-10080"
+ if XDSNameSchemeV2() {
+ prefix = "http-80"
+ }
 
 gtwName := "connection-limit-gateway"
 promQL := fmt.Sprintf(`envoy_connection_limit_limited_connections{envoy_connection_limit_prefix="%s",gateway_envoyproxy_io_owning_gateway_name="%s"}`, prefix, gtwName)
diff --git a/test/e2e/tests/zone_aware_routing.go b/test/e2e/tests/zone_aware_routing.go
index 5ac6edc0fa..64699c7f5a 100644
--- a/test/e2e/tests/zone_aware_routing.go
+++ b/test/e2e/tests/zone_aware_routing.go
@@ -10,7 +10,13 @@ package tests
 import (
 "testing"
 
+ "k8s.io/apimachinery/pkg/types"
+ gwapiv1 "sigs.k8s.io/gateway-api/apis/v1"
+ gwapiv1a2 "sigs.k8s.io/gateway-api/apis/v1alpha2"
 "sigs.k8s.io/gateway-api/conformance/utils/suite"
+
+ "github.com/envoyproxy/gateway/internal/gatewayapi"
+ "github.com/envoyproxy/gateway/internal/gatewayapi/resource"
 )
 
 func init() {
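Review bot: The added `prefix = "http-80"` branch, like the `"http-10080"` default above it, hard-codes the connection-limit stat prefix without saying why the port number differs between the two xDS name schemes. The XDS Name Scheme V2 table added to envoy-patch-policy.md in this same commit lists `http-10080` as the old HCM StatPrefix example and `http-80` as the v2 one, which suggests v2 keys the prefix on the Gateway listener port rather than the proxy's container port, but that is inferred rather than visible here. A one-line comment on the branch, e.g. `// v2 stat prefix is http-<listener port>; the legacy scheme used the proxy's container port (see the xDS name scheme docs)`, would let a reader reconcile both values against the connection-limit-gateway manifest. The enclosing Test closure starts and ends outside the hunk, and `XDSNameSchemeV2()` is presumably a helper defined elsewhere in the tests package.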
@@ -19,17 +25,42 @@ func init() { var ZoneAwareRoutingTest = suite.ConformanceTest{ ShortName: "ZoneAwareRouting", - Description: "Resource with Zone Aware Routing enabled", - Manifests: []string{"testdata/zone-aware-routing.yaml"}, + Description: "Test Zone Aware Routing is working", + Manifests: []string{ + "testdata/zone-aware-routing-backendref-enabled.yaml", + "testdata/zone-aware-routing-btp-enabled.yaml", + "testdata/zone-aware-routing-deployments.yaml", + }, Test: func(t *testing.T, suite *suite.ConformanceTestSuite) { - t.Run("only local zone should get requests", func(t *testing.T) { + t.Run("topology aware routing - only local zone should get requests", func(t *testing.T) { + // Pods from the backend-local deployment have affinity + // for the Envoy Proxy pods so should receive all requests. + expected := map[string]int{ + "zone-aware-backend-local": sendRequests, + "zone-aware-backend-nonlocal": 0, + } + runWeightedBackendTest(t, suite, "topology-aware-routing", "/topology-aware-routing", "zone-aware-backend", expected) + }) + t.Run("BackendTrafficPolicy - only local zone should get requests", func(t *testing.T) { + BackendTrafficPolicyMustBeAccepted(t, + suite.Client, + types.NamespacedName{Name: "btp-zone-aware", Namespace: "gateway-conformance-infra"}, + suite.ControllerName, + gwapiv1a2.ParentReference{ + Group: gatewayapi.GroupPtr(gwapiv1.GroupName), + Kind: gatewayapi.KindPtr(resource.KindGateway), + Namespace: gatewayapi.NamespacePtr("gateway-conformance-infra"), + Name: gwapiv1.ObjectName("same-namespace"), + }, + ) + // Pods from the backend-local deployment have affinity // for the Envoy Proxy pods so should receive all requests. expected := map[string]int{ "zone-aware-backend-local": sendRequests, "zone-aware-backend-nonlocal": 0, } - runWeightedBackendTest(t, suite, "zone-aware-http-route", "/", "zone-aware-backend", expected) + runWeightedBackendTest(t, suite, "btp-zone-aware", "/btp-zone-aware", "zone-aware-backend", expected) }) }, } 
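Review bot: The BackendTrafficPolicy subtest hard-codes the literal `"gateway-conformance-infra"` twice, in the `types.NamespacedName` and in `gatewayapi.NamespacePtr(...)`, while the BackendTLS test earlier in this diff (presumably the same `tests` package) refers to that namespace through the `ConformanceInfraNamespace` constant; using the constant here keeps the tests consistent and survives a rename, e.g. `types.NamespacedName{Name: "btp-zone-aware", Namespace: ConformanceInfraNamespace}` and `Namespace: gatewayapi.NamespacePtr(ConformanceInfraNamespace)`. The two-line comment and the `expected` map are also duplicated verbatim between the two subtests, so a single package-level expectation (or a tiny helper returning it) would keep the two assertions from drifting apart. Both subtests only check the positive case (`zone-aware-backend-nonlocal: 0`), which would also pass if the nonlocal deployment simply had no ready endpoints; if a control case with zone-aware routing disabled exists in the manifests, a sentence in the Description pointing to it would make the test's intent verifiable from this file.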
diff --git a/test/helm/gateway-crds-helm/all.out.yaml b/test/helm/gateway-crds-helm/all.out.yaml index c32cc359f8..575b0950c9 100644 --- a/test/helm/gateway-crds-helm/all.out.yaml +++ b/test/helm/gateway-crds-helm/all.out.yaml @@ -17820,6 +17820,7 @@ spec: description: |- DNSRefreshRate specifies the rate at which DNS records should be refreshed. Defaults to 30 seconds. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string lookupFamily: description: |- @@ -17878,6 +17879,7 @@ spec: properties: fixedDelay: description: FixedDelay specifies the fixed delay duration + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string percentage: default: 100 @@ -17992,14 +17994,13 @@ spec: description: |- InitialJitter defines the maximum time Envoy will wait before the first health check. Envoy will randomly select a value between 0 and the initial jitter value. - format: duration pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string interval: default: 3s description: Interval defines the time between active health checks. - format: duration + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string tcp: description: |- @@ -18073,7 +18074,7 @@ spec: default: 1s description: Timeout defines the time to wait for a health check response. - format: duration + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string type: allOf: @@ -18124,7 +18125,7 @@ spec: default: 30s description: BaseEjectionTime defines the base duration for which a host will be ejected on consecutive failures. - format: duration + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string consecutive5XxErrors: default: 5 @@ -18149,7 +18150,7 @@ spec: default: 3s description: Interval defines the time between passive health checks. - format: duration + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string maxEjectionPercent: default: 10 
@@ -18268,6 +18269,7 @@ spec: description: |- TTL of the generated cookie if the cookie is not present. This value sets the Max-Age attribute value. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string required: - name @@ -18351,6 +18353,7 @@ spec: During slow start window, traffic sent to the newly added hosts will gradually increase. Currently only supports linear growth of traffic. For additional details, see https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/cluster/v3/cluster.proto#config-cluster-v3-cluster-slowstartconfig + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string required: - window @@ -19286,18 +19289,18 @@ spec: baseInterval: description: BaseInterval is the base interval between retries. - format: duration + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string maxInterval: description: |- MaxInterval is the maximum interval between retries. This parameter is optional, but must be greater than or equal to the base_interval if set. The default is 10 times the base_interval - format: duration + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string type: object timeout: description: Timeout is the timeout per retry attempt. - format: duration + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string type: object retryOn: @@ -20242,7 +20245,7 @@ spec: - name - value type: object - maxItems: 16 + maxItems: 64 type: array x-kubernetes-list-map-keys: - name @@ -20268,7 +20271,7 @@ spec: my-header2: bar items: type: string - maxItems: 16 + maxItems: 64 type: array x-kubernetes-list-type: set set: @@ -20316,7 +20319,7 @@ spec: - name - value type: object - maxItems: 16 + maxItems: 64 type: array x-kubernetes-list-map-keys: - name @@ -21764,6 +21767,7 @@ spec: description: |- DNSRefreshRate specifies the rate at which DNS records should be refreshed. Defaults to 30 seconds. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string lookupFamily: description: |- 
@@ -21887,14 +21891,13 @@ spec: description: |- InitialJitter defines the maximum time Envoy will wait before the first health check. Envoy will randomly select a value between 0 and the initial jitter value. - format: duration pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string interval: default: 3s description: Interval defines the time between active health checks. - format: duration + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string tcp: description: |- @@ -21973,7 +21976,7 @@ spec: default: 1s description: Timeout defines the time to wait for a health check response. - format: duration + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string type: allOf: @@ -22026,7 +22029,7 @@ spec: description: BaseEjectionTime defines the base duration for which a host will be ejected on consecutive failures. - format: duration + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string consecutive5XxErrors: default: 5 @@ -22051,7 +22054,7 @@ spec: default: 3s description: Interval defines the time between passive health checks. - format: duration + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string maxEjectionPercent: default: 10 @@ -22141,6 +22144,7 @@ spec: description: |- TTL of the generated cookie if the cookie is not present. This value sets the Max-Age attribute value. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string required: - name @@ -22227,6 +22231,7 @@ spec: During slow start window, traffic sent to the newly added hosts will gradually increase. Currently only supports linear growth of traffic. For additional details, see https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/cluster/v3/cluster.proto#config-cluster-v3-cluster-slowstartconfig + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string required: - window 
@@ -22339,18 +22344,18 @@ spec: baseInterval: description: BaseInterval is the base interval between retries. - format: duration + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string maxInterval: description: |- MaxInterval is the maximum interval between retries. This parameter is optional, but must be greater than or equal to the base_interval if set. The default is 10 times the base_interval - format: duration + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string type: object timeout: description: Timeout is the timeout per retry attempt. - format: duration + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string type: object retryOn: @@ -34440,11 +34445,13 @@ spec: description: |- DrainTimeout defines the graceful drain timeout. This should be less than the pod's terminationGracePeriodSeconds. If unspecified, defaults to 60 seconds. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string minDrainDuration: description: |- MinDrainDuration defines the minimum drain duration allowing time for endpoint deprogramming to complete. If unspecified, defaults to 10 seconds. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string type: object telemetry: @@ -34798,6 +34805,7 @@ spec: description: |- DNSRefreshRate specifies the rate at which DNS records should be refreshed. Defaults to 30 seconds. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string lookupFamily: description: |- @@ -34931,7 +34939,6 @@ spec: description: |- InitialJitter defines the maximum time Envoy will wait before the first health check. Envoy will randomly select a value between 0 and the initial jitter value. - format: duration pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string interval: @@ -34939,7 +34946,7 @@ spec: description: Interval defines the time between active health checks. - format: duration + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string tcp: description: |- 
@@ -35028,7 +35035,7 @@ spec: description: Timeout defines the time to wait for a health check response. - format: duration + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string type: allOf: @@ -35091,7 +35098,7 @@ spec: defines the base duration for which a host will be ejected on consecutive failures. - format: duration + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string consecutive5XxErrors: default: 5 @@ -35119,7 +35126,7 @@ spec: description: Interval defines the time between passive health checks. - format: duration + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string maxEjectionPercent: default: 10 @@ -35214,6 +35221,7 @@ spec: description: |- TTL of the generated cookie if the cookie is not present. This value sets the Max-Age attribute value. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string required: - name @@ -35308,6 +35316,7 @@ spec: During slow start window, traffic sent to the newly added hosts will gradually increase. Currently only supports linear growth of traffic. For additional details, see https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/cluster/v3/cluster.proto#config-cluster-v3-cluster-slowstartconfig + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string required: - window @@ -35429,19 +35438,19 @@ spec: description: BaseInterval is the base interval between retries. - format: duration + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string maxInterval: description: |- MaxInterval is the maximum interval between retries. This parameter is optional, but must be greater than or equal to the base_interval if set. The default is 10 times the base_interval - format: duration + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string type: object timeout: description: Timeout is the timeout per retry attempt. - format: duration + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string type: object retryOn: 
@@ -35909,6 +35918,7 @@ spec: description: |- DNSRefreshRate specifies the rate at which DNS records should be refreshed. Defaults to 30 seconds. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string lookupFamily: description: |- @@ -36042,7 +36052,6 @@ spec: description: |- InitialJitter defines the maximum time Envoy will wait before the first health check. Envoy will randomly select a value between 0 and the initial jitter value. - format: duration pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string interval: @@ -36050,7 +36059,7 @@ spec: description: Interval defines the time between active health checks. - format: duration + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string tcp: description: |- @@ -36139,7 +36148,7 @@ spec: description: Timeout defines the time to wait for a health check response. - format: duration + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string type: allOf: @@ -36202,7 +36211,7 @@ spec: defines the base duration for which a host will be ejected on consecutive failures. - format: duration + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string consecutive5XxErrors: default: 5 @@ -36230,7 +36239,7 @@ spec: description: Interval defines the time between passive health checks. - format: duration + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string maxEjectionPercent: default: 10 @@ -36325,6 +36334,7 @@ spec: description: |- TTL of the generated cookie if the cookie is not present. This value sets the Max-Age attribute value. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string required: - name @@ -36419,6 +36429,7 @@ spec: During slow start window, traffic sent to the newly added hosts will gradually increase. Currently only supports linear growth of traffic. For additional details, see https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/cluster/v3/cluster.proto#config-cluster-v3-cluster-slowstartconfig + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string required: - window 
@@ -36540,19 +36551,19 @@ spec: description: BaseInterval is the base interval between retries. - format: duration + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string maxInterval: description: |- MaxInterval is the maximum interval between retries. This parameter is optional, but must be greater than or equal to the base_interval if set. The default is 10 times the base_interval - format: duration + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string type: object timeout: description: Timeout is the timeout per retry attempt. - format: duration + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string type: object retryOn: @@ -37128,6 +37139,7 @@ spec: description: |- DNSRefreshRate specifies the rate at which DNS records should be refreshed. Defaults to 30 seconds. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string lookupFamily: description: |- @@ -37256,14 +37268,13 @@ spec: description: |- InitialJitter defines the maximum time Envoy will wait before the first health check. Envoy will randomly select a value between 0 and the initial jitter value. - format: duration pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string interval: default: 3s description: Interval defines the time between active health checks. - format: duration + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string tcp: description: |- @@ -37347,7 +37358,7 @@ spec: default: 1s description: Timeout defines the time to wait for a health check response. - format: duration + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string type: allOf: @@ -37405,7 +37416,7 @@ spec: description: BaseEjectionTime defines the base duration for which a host will be ejected on consecutive failures. - format: duration + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string consecutive5XxErrors: default: 5 @@ -37432,7 +37443,7 @@ spec: default: 3s description: Interval defines the time between passive health checks. - format: duration + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string maxEjectionPercent: default: 10 
@@ -37524,6 +37535,7 @@ spec: description: |- TTL of the generated cookie if the cookie is not present. This value sets the Max-Age attribute value. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string required: - name @@ -37614,6 +37626,7 @@ spec: During slow start window, traffic sent to the newly added hosts will gradually increase. Currently only supports linear growth of traffic. For additional details, see https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/cluster/v3/cluster.proto#config-cluster-v3-cluster-slowstartconfig + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string required: - window @@ -37730,19 +37743,19 @@ spec: baseInterval: description: BaseInterval is the base interval between retries. - format: duration + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string maxInterval: description: |- MaxInterval is the maximum interval between retries. This parameter is optional, but must be greater than or equal to the base_interval if set. The default is 10 times the base_interval - format: duration + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string type: object timeout: description: Timeout is the timeout per retry attempt. - format: duration + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string type: object retryOn: @@ -38244,6 +38257,7 @@ spec: description: |- DNSRefreshRate specifies the rate at which DNS records should be refreshed. Defaults to 30 seconds. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string lookupFamily: description: |- @@ -38371,14 +38385,13 @@ spec: description: |- InitialJitter defines the maximum time Envoy will wait before the first health check. Envoy will randomly select a value between 0 and the initial jitter value. - format: duration pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string interval: default: 3s description: Interval defines the time between active health checks. - format: duration + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string tcp: description: |- 
@@ -38462,7 +38475,7 @@ spec: default: 1s description: Timeout defines the time to wait for a health check response. - format: duration + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string type: allOf: @@ -38519,7 +38532,7 @@ spec: description: BaseEjectionTime defines the base duration for which a host will be ejected on consecutive failures. - format: duration + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string consecutive5XxErrors: default: 5 @@ -38546,7 +38559,7 @@ spec: default: 3s description: Interval defines the time between passive health checks. - format: duration + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string maxEjectionPercent: default: 10 @@ -38638,6 +38651,7 @@ spec: description: |- TTL of the generated cookie if the cookie is not present. This value sets the Max-Age attribute value. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string required: - name @@ -38727,6 +38741,7 @@ spec: During slow start window, traffic sent to the newly added hosts will gradually increase. Currently only supports linear growth of traffic. For additional details, see https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/cluster/v3/cluster.proto#config-cluster-v3-cluster-slowstartconfig + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string required: - window @@ -38841,19 +38856,19 @@ spec: baseInterval: description: BaseInterval is the base interval between retries. - format: duration + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string maxInterval: description: |- MaxInterval is the maximum interval between retries. This parameter is optional, but must be greater than or equal to the base_interval if set. The default is 10 times the base_interval - format: duration + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string type: object timeout: description: Timeout is the timeout per retry attempt. - format: duration + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string type: object retryOn: 
@@ -39898,6 +39913,7 @@ spec: description: |- MaxAge defines how long the results of a preflight request can be cached. It specifies the value in the Access-Control-Max-Age CORS response header.. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string type: object extAuth: @@ -40204,6 +40220,7 @@ spec: description: |- DNSRefreshRate specifies the rate at which DNS records should be refreshed. Defaults to 30 seconds. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string lookupFamily: description: |- @@ -40327,14 +40344,13 @@ spec: description: |- InitialJitter defines the maximum time Envoy will wait before the first health check. Envoy will randomly select a value between 0 and the initial jitter value. - format: duration pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string interval: default: 3s description: Interval defines the time between active health checks. - format: duration + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string tcp: description: |- @@ -40413,7 +40429,7 @@ spec: default: 1s description: Timeout defines the time to wait for a health check response. - format: duration + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string type: allOf: @@ -40468,7 +40484,7 @@ spec: description: BaseEjectionTime defines the base duration for which a host will be ejected on consecutive failures. - format: duration + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string consecutive5XxErrors: default: 5 @@ -40494,7 +40510,7 @@ spec: default: 3s description: Interval defines the time between passive health checks. - format: duration + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string maxEjectionPercent: default: 10 @@ -40586,6 +40602,7 @@ spec: description: |- TTL of the generated cookie if the cookie is not present. This value sets the Max-Age attribute value. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string required: - name 
@@ -40673,6 +40690,7 @@ spec: During slow start window, traffic sent to the newly added hosts will gradually increase. Currently only supports linear growth of traffic. For additional details, see https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/cluster/v3/cluster.proto#config-cluster-v3-cluster-slowstartconfig + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string required: - window @@ -40787,19 +40805,19 @@ spec: baseInterval: description: BaseInterval is the base interval between retries. - format: duration + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string maxInterval: description: |- MaxInterval is the maximum interval between retries. This parameter is optional, but must be greater than or equal to the base_interval if set. The default is 10 times the base_interval - format: duration + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string type: object timeout: description: Timeout is the timeout per retry attempt. - format: duration + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string type: object retryOn: @@ -41211,6 +41229,7 @@ spec: description: |- DNSRefreshRate specifies the rate at which DNS records should be refreshed. Defaults to 30 seconds. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string lookupFamily: description: |- @@ -41334,14 +41353,13 @@ spec: description: |- InitialJitter defines the maximum time Envoy will wait before the first health check. Envoy will randomly select a value between 0 and the initial jitter value. - format: duration pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string interval: default: 3s description: Interval defines the time between active health checks. - format: duration + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string tcp: description: |- @@ -41420,7 +41438,7 @@ spec: default: 1s description: Timeout defines the time to wait for a health check response. - format: duration + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string type: allOf: 
@@ -41475,7 +41493,7 @@ spec: description: BaseEjectionTime defines the base duration for which a host will be ejected on consecutive failures. - format: duration + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string consecutive5XxErrors: default: 5 @@ -41501,7 +41519,7 @@ spec: default: 3s description: Interval defines the time between passive health checks. - format: duration + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string maxEjectionPercent: default: 10 @@ -41593,6 +41611,7 @@ spec: description: |- TTL of the generated cookie if the cookie is not present. This value sets the Max-Age attribute value. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string required: - name @@ -41680,6 +41699,7 @@ spec: During slow start window, traffic sent to the newly added hosts will gradually increase. Currently only supports linear growth of traffic. For additional details, see https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/cluster/v3/cluster.proto#config-cluster-v3-cluster-slowstartconfig + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string required: - window @@ -41794,19 +41814,19 @@ spec: baseInterval: description: BaseInterval is the base interval between retries. - format: duration + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string maxInterval: description: |- MaxInterval is the maximum interval between retries. This parameter is optional, but must be greater than or equal to the base_interval if set. The default is 10 times the base_interval - format: duration + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string type: object timeout: description: Timeout is the timeout per retry attempt. - format: duration + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string type: object retryOn: @@ -42410,6 +42430,7 @@ spec: description: |- DNSRefreshRate specifies the rate at which DNS records should be refreshed. Defaults to 30 seconds. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string lookupFamily: description: |- 
@@ -42537,14 +42558,13 @@ spec: description: |- InitialJitter defines the maximum time Envoy will wait before the first health check. Envoy will randomly select a value between 0 and the initial jitter value. - format: duration pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string interval: default: 3s description: Interval defines the time between active health checks. - format: duration + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string tcp: description: |- @@ -42628,7 +42648,7 @@ spec: default: 1s description: Timeout defines the time to wait for a health check response. - format: duration + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string type: allOf: @@ -42686,7 +42706,7 @@ spec: description: BaseEjectionTime defines the base duration for which a host will be ejected on consecutive failures. - format: duration + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string consecutive5XxErrors: default: 5 @@ -42713,7 +42733,7 @@ spec: default: 3s description: Interval defines the time between passive health checks. - format: duration + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string maxEjectionPercent: default: 10 @@ -42805,6 +42825,7 @@ spec: description: |- TTL of the generated cookie if the cookie is not present. This value sets the Max-Age attribute value. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string required: - name @@ -42894,6 +42915,7 @@ spec: During slow start window, traffic sent to the newly added hosts will gradually increase. Currently only supports linear growth of traffic. For additional details, see https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/cluster/v3/cluster.proto#config-cluster-v3-cluster-slowstartconfig + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string required: - window 
@@ -43009,19 +43031,19 @@ spec: baseInterval: description: BaseInterval is the base interval between retries. - format: duration + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string maxInterval: description: |- MaxInterval is the maximum interval between retries. This parameter is optional, but must be greater than or equal to the base_interval if set. The default is 10 times the base_interval - format: duration + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string type: object timeout: description: Timeout is the timeout per retry attempt. - format: duration + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string type: object retryOn: @@ -43320,6 +43342,7 @@ spec: If not specified, defaults to 604800s (one week). Note: this field is only applicable when the "refreshToken" field is set to true. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string defaultTokenTTL: description: |- @@ -43331,6 +43354,7 @@ spec: If not specified, defaults to 0. In this case, the "expires_in" field in the authorization response must be set by the authorization server, or the OAuth flow will fail. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string denyRedirect: description: |- @@ -43673,6 +43697,7 @@ spec: description: |- DNSRefreshRate specifies the rate at which DNS records should be refreshed. Defaults to 30 seconds. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string lookupFamily: description: |- @@ -43796,14 +43821,13 @@ spec: description: |- InitialJitter defines the maximum time Envoy will wait before the first health check. Envoy will randomly select a value between 0 and the initial jitter value. - format: duration pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string interval: default: 3s description: Interval defines the time between active health checks. - format: duration + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string tcp: description: |- 
@@ -43882,7 +43906,7 @@ spec: default: 1s description: Timeout defines the time to wait for a health check response. - format: duration + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string type: allOf: @@ -43937,7 +43961,7 @@ spec: description: BaseEjectionTime defines the base duration for which a host will be ejected on consecutive failures. - format: duration + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string consecutive5XxErrors: default: 5 @@ -43963,7 +43987,7 @@ spec: default: 3s description: Interval defines the time between passive health checks. - format: duration + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string maxEjectionPercent: default: 10 @@ -44055,6 +44079,7 @@ spec: description: |- TTL of the generated cookie if the cookie is not present. This value sets the Max-Age attribute value. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string required: - name @@ -44142,6 +44167,7 @@ spec: During slow start window, traffic sent to the newly added hosts will gradually increase. Currently only supports linear growth of traffic. For additional details, see https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/cluster/v3/cluster.proto#config-cluster-v3-cluster-slowstartconfig + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string required: - window @@ -44256,19 +44282,19 @@ spec: baseInterval: description: BaseInterval is the base interval between retries. - format: duration + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string maxInterval: description: |- MaxInterval is the maximum interval between retries. This parameter is optional, but must be greater than or equal to the base_interval if set. The default is 10 times the base_interval - format: duration + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string type: object timeout: description: Timeout is the timeout per retry attempt. - format: duration + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string type: object retryOn: 
diff --git a/test/helm/gateway-crds-helm/envoy-gateway-crds.out.yaml b/test/helm/gateway-crds-helm/envoy-gateway-crds.out.yaml index bf8389a949..ed85e8407f 100644 --- a/test/helm/gateway-crds-helm/envoy-gateway-crds.out.yaml +++ b/test/helm/gateway-crds-helm/envoy-gateway-crds.out.yaml @@ -508,6 +508,7 @@ spec: description: |- DNSRefreshRate specifies the rate at which DNS records should be refreshed. Defaults to 30 seconds. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string lookupFamily: description: |- @@ -566,6 +567,7 @@ spec: properties: fixedDelay: description: FixedDelay specifies the fixed delay duration + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string percentage: default: 100 @@ -680,14 +682,13 @@ spec: description: |- InitialJitter defines the maximum time Envoy will wait before the first health check. Envoy will randomly select a value between 0 and the initial jitter value. - format: duration pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string interval: default: 3s description: Interval defines the time between active health checks. - format: duration + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string tcp: description: |- @@ -761,7 +762,7 @@ spec: default: 1s description: Timeout defines the time to wait for a health check response. - format: duration + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string type: allOf: @@ -812,7 +813,7 @@ spec: default: 30s description: BaseEjectionTime defines the base duration for which a host will be ejected on consecutive failures. - format: duration + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string consecutive5XxErrors: default: 5 @@ -837,7 +838,7 @@ spec: default: 3s description: Interval defines the time between passive health checks. - format: duration + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string maxEjectionPercent: default: 10 
@@ -956,6 +957,7 @@ spec: description: |- TTL of the generated cookie if the cookie is not present. This value sets the Max-Age attribute value. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string required: - name @@ -1039,6 +1041,7 @@ spec: During slow start window, traffic sent to the newly added hosts will gradually increase. Currently only supports linear growth of traffic. For additional details, see https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/cluster/v3/cluster.proto#config-cluster-v3-cluster-slowstartconfig + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string required: - window @@ -1974,18 +1977,18 @@ spec: baseInterval: description: BaseInterval is the base interval between retries. - format: duration + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string maxInterval: description: |- MaxInterval is the maximum interval between retries. This parameter is optional, but must be greater than or equal to the base_interval if set. The default is 10 times the base_interval - format: duration + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string type: object timeout: description: Timeout is the timeout per retry attempt. - format: duration + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string type: object retryOn: @@ -2930,7 +2933,7 @@ spec: - name - value type: object - maxItems: 16 + maxItems: 64 type: array x-kubernetes-list-map-keys: - name @@ -2956,7 +2959,7 @@ spec: my-header2: bar items: type: string - maxItems: 16 + maxItems: 64 type: array x-kubernetes-list-type: set set: @@ -3004,7 +3007,7 @@ spec: - name - value type: object - maxItems: 16 + maxItems: 64 type: array x-kubernetes-list-map-keys: - name @@ -4452,6 +4455,7 @@ spec: description: |- DNSRefreshRate specifies the rate at which DNS records should be refreshed. Defaults to 30 seconds. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string lookupFamily: description: |- 
@@ -4575,14 +4579,13 @@ spec: description: |- InitialJitter defines the maximum time Envoy will wait before the first health check. Envoy will randomly select a value between 0 and the initial jitter value. - format: duration pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string interval: default: 3s description: Interval defines the time between active health checks. - format: duration + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string tcp: description: |- @@ -4661,7 +4664,7 @@ spec: default: 1s description: Timeout defines the time to wait for a health check response. - format: duration + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string type: allOf: @@ -4714,7 +4717,7 @@ spec: description: BaseEjectionTime defines the base duration for which a host will be ejected on consecutive failures. - format: duration + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string consecutive5XxErrors: default: 5 @@ -4739,7 +4742,7 @@ spec: default: 3s description: Interval defines the time between passive health checks. - format: duration + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string maxEjectionPercent: default: 10 @@ -4829,6 +4832,7 @@ spec: description: |- TTL of the generated cookie if the cookie is not present. This value sets the Max-Age attribute value. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string required: - name @@ -4915,6 +4919,7 @@ spec: During slow start window, traffic sent to the newly added hosts will gradually increase. Currently only supports linear growth of traffic. For additional details, see https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/cluster/v3/cluster.proto#config-cluster-v3-cluster-slowstartconfig + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string required: - window 
@@ -5027,18 +5032,18 @@ spec: baseInterval: description: BaseInterval is the base interval between retries. - format: duration + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string maxInterval: description: |- MaxInterval is the maximum interval between retries. This parameter is optional, but must be greater than or equal to the base_interval if set. The default is 10 times the base_interval - format: duration + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string type: object timeout: description: Timeout is the timeout per retry attempt. - format: duration + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string type: object retryOn: @@ -17128,11 +17133,13 @@ spec: description: |- DrainTimeout defines the graceful drain timeout. This should be less than the pod's terminationGracePeriodSeconds. If unspecified, defaults to 60 seconds. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string minDrainDuration: description: |- MinDrainDuration defines the minimum drain duration allowing time for endpoint deprogramming to complete. If unspecified, defaults to 10 seconds. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string type: object telemetry: @@ -17486,6 +17493,7 @@ spec: description: |- DNSRefreshRate specifies the rate at which DNS records should be refreshed. Defaults to 30 seconds. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string lookupFamily: description: |- @@ -17619,7 +17627,6 @@ spec: description: |- InitialJitter defines the maximum time Envoy will wait before the first health check. Envoy will randomly select a value between 0 and the initial jitter value. - format: duration pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string interval: @@ -17627,7 +17634,7 @@ spec: description: Interval defines the time between active health checks. - format: duration + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string tcp: description: |- 
@@ -17716,7 +17723,7 @@ spec: description: Timeout defines the time to wait for a health check response. - format: duration + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string type: allOf: @@ -17779,7 +17786,7 @@ spec: defines the base duration for which a host will be ejected on consecutive failures. - format: duration + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string consecutive5XxErrors: default: 5 @@ -17807,7 +17814,7 @@ spec: description: Interval defines the time between passive health checks. - format: duration + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string maxEjectionPercent: default: 10 @@ -17902,6 +17909,7 @@ spec: description: |- TTL of the generated cookie if the cookie is not present. This value sets the Max-Age attribute value. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string required: - name @@ -17996,6 +18004,7 @@ spec: During slow start window, traffic sent to the newly added hosts will gradually increase. Currently only supports linear growth of traffic. For additional details, see https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/cluster/v3/cluster.proto#config-cluster-v3-cluster-slowstartconfig + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string required: - window @@ -18117,19 +18126,19 @@ spec: description: BaseInterval is the base interval between retries. - format: duration + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string maxInterval: description: |- MaxInterval is the maximum interval between retries. This parameter is optional, but must be greater than or equal to the base_interval if set. The default is 10 times the base_interval - format: duration + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string type: object timeout: description: Timeout is the timeout per retry attempt. - format: duration + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string type: object retryOn: 
@@ -18597,6 +18606,7 @@ spec: description: |- DNSRefreshRate specifies the rate at which DNS records should be refreshed. Defaults to 30 seconds. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string lookupFamily: description: |- @@ -18730,7 +18740,6 @@ spec: description: |- InitialJitter defines the maximum time Envoy will wait before the first health check. Envoy will randomly select a value between 0 and the initial jitter value. - format: duration pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string interval: @@ -18738,7 +18747,7 @@ spec: description: Interval defines the time between active health checks. - format: duration + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string tcp: description: |- @@ -18827,7 +18836,7 @@ spec: description: Timeout defines the time to wait for a health check response. - format: duration + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string type: allOf: @@ -18890,7 +18899,7 @@ spec: defines the base duration for which a host will be ejected on consecutive failures. - format: duration + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string consecutive5XxErrors: default: 5 @@ -18918,7 +18927,7 @@ spec: description: Interval defines the time between passive health checks. - format: duration + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string maxEjectionPercent: default: 10 @@ -19013,6 +19022,7 @@ spec: description: |- TTL of the generated cookie if the cookie is not present. This value sets the Max-Age attribute value. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string required: - name @@ -19107,6 +19117,7 @@ spec: During slow start window, traffic sent to the newly added hosts will gradually increase. Currently only supports linear growth of traffic. For additional details, see https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/cluster/v3/cluster.proto#config-cluster-v3-cluster-slowstartconfig + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string required: - window 
@@ -19228,19 +19239,19 @@ spec: description: BaseInterval is the base interval between retries. - format: duration + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string maxInterval: description: |- MaxInterval is the maximum interval between retries. This parameter is optional, but must be greater than or equal to the base_interval if set. The default is 10 times the base_interval - format: duration + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string type: object timeout: description: Timeout is the timeout per retry attempt. - format: duration + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string type: object retryOn: @@ -19816,6 +19827,7 @@ spec: description: |- DNSRefreshRate specifies the rate at which DNS records should be refreshed. Defaults to 30 seconds. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string lookupFamily: description: |- @@ -19944,14 +19956,13 @@ spec: description: |- InitialJitter defines the maximum time Envoy will wait before the first health check. Envoy will randomly select a value between 0 and the initial jitter value. - format: duration pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string interval: default: 3s description: Interval defines the time between active health checks. - format: duration + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string tcp: description: |- @@ -20035,7 +20046,7 @@ spec: default: 1s description: Timeout defines the time to wait for a health check response. - format: duration + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string type: allOf: @@ -20093,7 +20104,7 @@ spec: description: BaseEjectionTime defines the base duration for which a host will be ejected on consecutive failures. - format: duration + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string consecutive5XxErrors: default: 5 @@ -20120,7 +20131,7 @@ spec: default: 3s description: Interval defines the time between passive health checks. - format: duration + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string maxEjectionPercent: default: 10 
@@ -20212,6 +20223,7 @@ spec: description: |- TTL of the generated cookie if the cookie is not present. This value sets the Max-Age attribute value. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string required: - name @@ -20302,6 +20314,7 @@ spec: During slow start window, traffic sent to the newly added hosts will gradually increase. Currently only supports linear growth of traffic. For additional details, see https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/cluster/v3/cluster.proto#config-cluster-v3-cluster-slowstartconfig + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string required: - window @@ -20418,19 +20431,19 @@ spec: baseInterval: description: BaseInterval is the base interval between retries. - format: duration + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string maxInterval: description: |- MaxInterval is the maximum interval between retries. This parameter is optional, but must be greater than or equal to the base_interval if set. The default is 10 times the base_interval - format: duration + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string type: object timeout: description: Timeout is the timeout per retry attempt. - format: duration + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string type: object retryOn: @@ -20932,6 +20945,7 @@ spec: description: |- DNSRefreshRate specifies the rate at which DNS records should be refreshed. Defaults to 30 seconds. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string lookupFamily: description: |- @@ -21059,14 +21073,13 @@ spec: description: |- InitialJitter defines the maximum time Envoy will wait before the first health check. Envoy will randomly select a value between 0 and the initial jitter value. - format: duration pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string interval: default: 3s description: Interval defines the time between active health checks. - format: duration + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string tcp: description: |- 
@@ -21150,7 +21163,7 @@ spec: default: 1s description: Timeout defines the time to wait for a health check response. - format: duration + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string type: allOf: @@ -21207,7 +21220,7 @@ spec: description: BaseEjectionTime defines the base duration for which a host will be ejected on consecutive failures. - format: duration + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string consecutive5XxErrors: default: 5 @@ -21234,7 +21247,7 @@ spec: default: 3s description: Interval defines the time between passive health checks. - format: duration + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string maxEjectionPercent: default: 10 @@ -21326,6 +21339,7 @@ spec: description: |- TTL of the generated cookie if the cookie is not present. This value sets the Max-Age attribute value. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string required: - name @@ -21415,6 +21429,7 @@ spec: During slow start window, traffic sent to the newly added hosts will gradually increase. Currently only supports linear growth of traffic. For additional details, see https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/cluster/v3/cluster.proto#config-cluster-v3-cluster-slowstartconfig + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string required: - window @@ -21529,19 +21544,19 @@ spec: baseInterval: description: BaseInterval is the base interval between retries. - format: duration + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string maxInterval: description: |- MaxInterval is the maximum interval between retries. This parameter is optional, but must be greater than or equal to the base_interval if set. The default is 10 times the base_interval - format: duration + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string type: object timeout: description: Timeout is the timeout per retry attempt. - format: duration + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string type: object retryOn: 
@@ -22586,6 +22601,7 @@ spec: description: |- MaxAge defines how long the results of a preflight request can be cached. It specifies the value in the Access-Control-Max-Age CORS response header.. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string type: object extAuth: @@ -22892,6 +22908,7 @@ spec: description: |- DNSRefreshRate specifies the rate at which DNS records should be refreshed. Defaults to 30 seconds. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string lookupFamily: description: |- @@ -23015,14 +23032,13 @@ spec: description: |- InitialJitter defines the maximum time Envoy will wait before the first health check. Envoy will randomly select a value between 0 and the initial jitter value. - format: duration pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string interval: default: 3s description: Interval defines the time between active health checks. - format: duration + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string tcp: description: |- @@ -23101,7 +23117,7 @@ spec: default: 1s description: Timeout defines the time to wait for a health check response. - format: duration + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string type: allOf: @@ -23156,7 +23172,7 @@ spec: description: BaseEjectionTime defines the base duration for which a host will be ejected on consecutive failures. - format: duration + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string consecutive5XxErrors: default: 5 @@ -23182,7 +23198,7 @@ spec: default: 3s description: Interval defines the time between passive health checks. - format: duration + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string maxEjectionPercent: default: 10 @@ -23274,6 +23290,7 @@ spec: description: |- TTL of the generated cookie if the cookie is not present. This value sets the Max-Age attribute value. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string required: - name 
@@ -23361,6 +23378,7 @@ spec: During slow start window, traffic sent to the newly added hosts will gradually increase. Currently only supports linear growth of traffic. For additional details, see https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/cluster/v3/cluster.proto#config-cluster-v3-cluster-slowstartconfig + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string required: - window @@ -23475,19 +23493,19 @@ spec: baseInterval: description: BaseInterval is the base interval between retries. - format: duration + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string maxInterval: description: |- MaxInterval is the maximum interval between retries. This parameter is optional, but must be greater than or equal to the base_interval if set. The default is 10 times the base_interval - format: duration + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string type: object timeout: description: Timeout is the timeout per retry attempt. - format: duration + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string type: object retryOn: @@ -23899,6 +23917,7 @@ spec: description: |- DNSRefreshRate specifies the rate at which DNS records should be refreshed. Defaults to 30 seconds. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string lookupFamily: description: |- @@ -24022,14 +24041,13 @@ spec: description: |- InitialJitter defines the maximum time Envoy will wait before the first health check. Envoy will randomly select a value between 0 and the initial jitter value. - format: duration pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string interval: default: 3s description: Interval defines the time between active health checks. - format: duration + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string tcp: description: |- @@ -24108,7 +24126,7 @@ spec: default: 1s description: Timeout defines the time to wait for a health check response. - format: duration + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string type: allOf: 
@@ -24163,7 +24181,7 @@ spec: description: BaseEjectionTime defines the base duration for which a host will be ejected on consecutive failures. - format: duration + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string consecutive5XxErrors: default: 5 @@ -24189,7 +24207,7 @@ spec: default: 3s description: Interval defines the time between passive health checks. - format: duration + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string maxEjectionPercent: default: 10 @@ -24281,6 +24299,7 @@ spec: description: |- TTL of the generated cookie if the cookie is not present. This value sets the Max-Age attribute value. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string required: - name @@ -24368,6 +24387,7 @@ spec: During slow start window, traffic sent to the newly added hosts will gradually increase. Currently only supports linear growth of traffic. For additional details, see https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/cluster/v3/cluster.proto#config-cluster-v3-cluster-slowstartconfig + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string required: - window @@ -24482,19 +24502,19 @@ spec: baseInterval: description: BaseInterval is the base interval between retries. - format: duration + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string maxInterval: description: |- MaxInterval is the maximum interval between retries. This parameter is optional, but must be greater than or equal to the base_interval if set. The default is 10 times the base_interval - format: duration + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string type: object timeout: description: Timeout is the timeout per retry attempt. - format: duration + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string type: object retryOn: @@ -25098,6 +25118,7 @@ spec: description: |- DNSRefreshRate specifies the rate at which DNS records should be refreshed. Defaults to 30 seconds. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string lookupFamily: description: |- 
@@ -25225,14 +25246,13 @@ spec: description: |- InitialJitter defines the maximum time Envoy will wait before the first health check. Envoy will randomly select a value between 0 and the initial jitter value. - format: duration pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string interval: default: 3s description: Interval defines the time between active health checks. - format: duration + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string tcp: description: |- @@ -25316,7 +25336,7 @@ spec: default: 1s description: Timeout defines the time to wait for a health check response. - format: duration + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string type: allOf: @@ -25374,7 +25394,7 @@ spec: description: BaseEjectionTime defines the base duration for which a host will be ejected on consecutive failures. - format: duration + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string consecutive5XxErrors: default: 5 @@ -25401,7 +25421,7 @@ spec: default: 3s description: Interval defines the time between passive health checks. - format: duration + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string maxEjectionPercent: default: 10 @@ -25493,6 +25513,7 @@ spec: description: |- TTL of the generated cookie if the cookie is not present. This value sets the Max-Age attribute value. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string required: - name @@ -25582,6 +25603,7 @@ spec: During slow start window, traffic sent to the newly added hosts will gradually increase. Currently only supports linear growth of traffic. For additional details, see https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/cluster/v3/cluster.proto#config-cluster-v3-cluster-slowstartconfig + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string required: - window 
@@ -25697,19 +25719,19 @@ spec: baseInterval: description: BaseInterval is the base interval between retries. - format: duration + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string maxInterval: description: |- MaxInterval is the maximum interval between retries. This parameter is optional, but must be greater than or equal to the base_interval if set. The default is 10 times the base_interval - format: duration + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string type: object timeout: description: Timeout is the timeout per retry attempt. - format: duration + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string type: object retryOn: @@ -26008,6 +26030,7 @@ spec: If not specified, defaults to 604800s (one week). Note: this field is only applicable when the "refreshToken" field is set to true. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string defaultTokenTTL: description: |- @@ -26019,6 +26042,7 @@ spec: If not specified, defaults to 0. In this case, the "expires_in" field in the authorization response must be set by the authorization server, or the OAuth flow will fail. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string denyRedirect: description: |- @@ -26361,6 +26385,7 @@ spec: description: |- DNSRefreshRate specifies the rate at which DNS records should be refreshed. Defaults to 30 seconds. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string lookupFamily: description: |- @@ -26484,14 +26509,13 @@ spec: description: |- InitialJitter defines the maximum time Envoy will wait before the first health check. Envoy will randomly select a value between 0 and the initial jitter value. - format: duration pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string interval: default: 3s description: Interval defines the time between active health checks. - format: duration + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string tcp: description: |- 
@@ -26570,7 +26594,7 @@ spec: default: 1s description: Timeout defines the time to wait for a health check response. - format: duration + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string type: allOf: @@ -26625,7 +26649,7 @@ spec: description: BaseEjectionTime defines the base duration for which a host will be ejected on consecutive failures. - format: duration + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string consecutive5XxErrors: default: 5 @@ -26651,7 +26675,7 @@ spec: default: 3s description: Interval defines the time between passive health checks. - format: duration + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string maxEjectionPercent: default: 10 @@ -26743,6 +26767,7 @@ spec: description: |- TTL of the generated cookie if the cookie is not present. This value sets the Max-Age attribute value. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string required: - name @@ -26830,6 +26855,7 @@ spec: During slow start window, traffic sent to the newly added hosts will gradually increase. Currently only supports linear growth of traffic. For additional details, see https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/cluster/v3/cluster.proto#config-cluster-v3-cluster-slowstartconfig + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string required: - window @@ -26944,19 +26970,19 @@ spec: baseInterval: description: BaseInterval is the base interval between retries. - format: duration + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string maxInterval: description: |- MaxInterval is the maximum interval between retries. This parameter is optional, but must be greater than or equal to the base_interval if set. The default is 10 times the base_interval - format: duration + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string type: object timeout: description: Timeout is the timeout per retry attempt. - format: duration + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string type: object retryOn: 
diff --git a/test/resilience/tests/extensionserver.go b/test/resilience/tests/extensionserver.go
index 6947a87ab0..65c4bffeb5 100644
--- a/test/resilience/tests/extensionserver.go
+++ b/test/resilience/tests/extensionserver.go
@@ -34,7 +34,7 @@ var ESResilience = suite.ResilienceTest{
 Test: func(t *testing.T, suite *suite.ResilienceTestSuite) {
 const (
 namespace = "envoy-gateway-system"
- PrometheusXDSTranslatorErrors = `watchable_subscribe_total{runner="xds-translator", status="failure"}`
+ PrometheusXDSTranslatorErrors = `watchable_subscribe_total{runner="xds", status="failure"}`
 PrometheusEnvoyConnectedToControlPlane = `envoy_control_plane_connected_state`
 )
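Review bot: The new selector `runner="xds"` is still a hand-copied label value that has to match whatever name the control plane registers its runner under, and this hunk exists precisely because that copy drifted once already; when the label is wrong the failure query returns no series at all, which a check for "zero translator errors" would presumably treat as a pass rather than as a broken probe (how the query result is consumed is outside this hunk, so confirm). If the runner package exports its name as a constant, build the selector from it instead of a literal — move it out of the `const (` block into a `var` such as ``PrometheusXDSTranslatorErrors = fmt.Sprintf(`watchable_subscribe_total{runner=%q, status="failure"}`, runnerName)`` — so a future rename fails compilation instead of silently hollowing out the resilience assertion. Independently, the consumer of this query should fail the test when the selector matches no samples, since an absent series and a zero-valued one mean very different things here. The `const (` block and the enclosing `Test` function continue outside the hunk.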