[release/v1.5] cherry pick for v1.5.2

internal/cmd/certgen.go

@@ -137,8 +137,8 @@ func patchTopologyInjectorWebhook(ctx context.Context, cli client.Client, cfg *c
 
 	var updated bool
 	desiredBundle := current.Data["ca.crt"]
-	for i, webhook := range webhookCfg.Webhooks {
-		if !bytes.Equal(desiredBundle, webhook.ClientConfig.CABundle) {
+	for i := range webhookCfg.Webhooks {
+		if !bytes.Equal(desiredBundle, webhookCfg.Webhooks[i].ClientConfig.CABundle) {
 			webhookCfg.Webhooks[i].ClientConfig.CABundle = desiredBundle
 			updated = true
 		}

internal/cmd/egctl/config.go

@@ -125,10 +125,10 @@ func fetchRunningEnvoyPods(c kube.CLIClient, nn types.NamespacedName, labelSelec
 		if err != nil {
 			return nil, err
 		}
-		for _, i := range namespaces.Items {
-			podList, err := c.PodsForSelector(i.Name, proxy.EnvoyAppLabelSelector()...)
+		for i := range namespaces.Items {
+			podList, err := c.PodsForSelector(namespaces.Items[i].Name, proxy.EnvoyAppLabelSelector()...)
 			if err != nil {
-				return nil, fmt.Errorf("list pods failed in ns %s: %w", i.Name, err)
+				return nil, fmt.Errorf("list pods failed in ns %s: %w", namespaces.Items[i].Name, err)
 			}
 
 			if len(podList.Items) == 0 {
@@ -170,9 +170,9 @@ func fetchRunningEnvoyPods(c kube.CLIClient, nn types.NamespacedName, labelSelec
 	}
 
 	podsNamespacedNames := make([]types.NamespacedName, 0, len(pods))
-	for _, pod := range pods {
-		podNsName := utils.NamespacedName(&pod)
-		if pod.Status.Phase != "Running" {
+	for i := range pods {
+		podNsName := utils.NamespacedName(&pods[i])
+		if pods[i].Status.Phase != "Running" {
 			return podsNamespacedNames, fmt.Errorf("pod %s is not running", podNsName)
 		}
 

internal/cmd/egctl/config_ratelimit.go

@@ -106,14 +106,14 @@ func fetchRunningRateLimitPods(cli kubernetes.CLIClient, namespace string, label
 	}
 
 	rlNN := []types.NamespacedName{}
-	for _, rlPod := range rlPods.Items {
+	for i := range rlPods.Items {
 		rlPodNsName := types.NamespacedName{
-			Namespace: rlPod.Namespace,
-			Name:      rlPod.Name,
+			Namespace: rlPods.Items[i].Namespace,
+			Name:      rlPods.Items[i].Name,
 		}
 
 		// Check that the rate limit pod is ready properly and can accept external traffic
-		if !checkRateLimitPodStatusReady(rlPod.Status) {
+		if !checkRateLimitPodStatusReady(&rlPods.Items[i].Status) {
 			continue
 		}
 
@@ -127,7 +127,7 @@ func fetchRunningRateLimitPods(cli kubernetes.CLIClient, namespace string, label
 }
 
 // checkRateLimitPodStatusReady Check that the rate limit pod is ready
-func checkRateLimitPodStatusReady(status corev1.PodStatus) bool {
+func checkRateLimitPodStatusReady(status *corev1.PodStatus) bool {
 	if status.Phase != corev1.PodRunning {
 		return false
 	}

internal/cmd/egctl/config_test.go

@@ -520,7 +520,7 @@ func TestCheckRateLimitPodStatusReady(t *testing.T) {
 
 	for _, tc := range cases {
 		t.Run(tc.caseName, func(t *testing.T) {
-			actual := checkRateLimitPodStatusReady(tc.status)
+			actual := checkRateLimitPodStatusReady(&tc.status)
 			require.Equal(t, tc.expect, actual)
 		})
 	}

internal/cmd/egctl/status.go

@@ -421,7 +421,7 @@ func fetchConditions(parent reflect.Value, quiet, verbose bool) [][]string {
 
 	// All conditions are sorted in descending order by time.
 	for i := len(conditions) - 1; i >= 0; i-- {
-		row := fetchCondition(conditions[i], verbose)
+		row := fetchCondition(&conditions[i], verbose)
 		rows = append(rows, row)
 
 		if quiet {
@@ -433,7 +433,7 @@ func fetchConditions(parent reflect.Value, quiet, verbose bool) [][]string {
 }
 
 // fetchCondition fetches the Type, Status, Reason of one condition, and more if verbose.
-func fetchCondition(condition metav1.Condition, verbose bool) []string {
+func fetchCondition(condition *metav1.Condition, verbose bool) []string {
 	row := []string{condition.Type, string(condition.Status), condition.Reason}
 
 	// Write more details about this condition if verbose is on.

internal/cmd/egctl/testdata/translate/out/envoy-patch-policy.all.yaml

@@ -189,6 +189,7 @@ xds:
                     typedConfig:
                       '@type': type.googleapis.com/envoy.extensions.filters.http.ratelimit.v3.RateLimit
                       domain: eag-ratelimit
+                      disableXEnvoyRatelimitedHeader: true
                       failureModeDeny: true
                       rateLimitService:
                         grpcService:

internal/cmd/egctl/translate.go

@@ -256,7 +256,7 @@ func translate(w io.Writer, inFile, inType string, outTypes []string, output, re
 			}
 		}
 		// Print
-		if err = printOutput(w, result, output); err != nil {
+		if err = printOutput(w, &result, output); err != nil {
 			return fmt.Errorf("failed to print result, error:%w", err)
 		}
 
@@ -406,7 +406,7 @@ func TranslateGatewayAPIToXds(namespace, dnsDomain, resourceType string, resourc
 }
 
 // printOutput prints the echo-backed gateway API and xDS output
-func printOutput(w io.Writer, result TranslationResult, output string) error {
+func printOutput(w io.Writer, result *TranslationResult, output string) error {
 	var (
 		out []byte
 		err error

internal/cmd/egctl/version.go

@@ -98,14 +98,14 @@ func versions(w io.Writer, containerName, output string, remote bool) error {
 		return fmt.Errorf("list EG pods failed: %w", err)
 	}
 
-	for _, pod := range pods.Items {
-		if pod.Status.Phase != "Running" {
+	for i := range pods.Items {
+		if pods.Items[i].Status.Phase != "Running" {
 
-			fmt.Fprintf(w, "WARN: pod %s/%s is not running, skipping it.", pod.Namespace, pod.Name)
+			fmt.Fprintf(w, "WARN: pod %s/%s is not running, skipping it.", pods.Items[i].Namespace, pods.Items[i].Name)
 			continue
 		}
 
-		nn := utils.NamespacedName(&pod)
+		nn := utils.NamespacedName(&pods.Items[i])
 		stdout, _, err := c.PodExec(nn, containerName, "envoy-gateway version -ojson")
 		if err != nil {
 			return fmt.Errorf("pod exec on %s/%s failed: %w", nn.Namespace, nn.Name, err)

internal/cmd/server_test.go

@@ -57,7 +57,7 @@ func TestGetConfigValidate(t *testing.T) {
 			require.NoError(t, err)
 			defer os.Remove(file.Name())
 
-			_, err = file.Write([]byte(test.input))
+			_, err = file.WriteString(test.input)
 			require.NoError(t, err)
 
 			_, err = getConfigByPath(os.Stderr, file.Name())

internal/extension/registry/extension_manager.go

@@ -86,7 +86,7 @@ func NewManager(cfg *config.Server, inK8s bool) (extTypes.Manager, error) {
 	}, nil
 }
 
-func NewInMemoryManager(cfg egv1a1.ExtensionManager, server extension.EnvoyGatewayExtensionServer) (extTypes.Manager, func(), error) {
+func NewInMemoryManager(cfg *egv1a1.ExtensionManager, server extension.EnvoyGatewayExtensionServer) (extTypes.Manager, func(), error) {
 	if server == nil {
 		return nil, nil, fmt.Errorf("in-memory manager must be passed a server")
 	}
@@ -108,7 +108,7 @@ func NewInMemoryManager(cfg egv1a1.ExtensionManager, server extension.EnvoyGatew
 	}
 
 	if cfg.Service != nil {
-		opts, err := setupGRPCOpts(context.Background(), nil, &cfg, "")
+		opts, err := setupGRPCOpts(context.Background(), nil, cfg, "")
 		if err != nil {
 			return nil, nil, err
 		}
@@ -126,7 +126,7 @@ func NewInMemoryManager(cfg egv1a1.ExtensionManager, server extension.EnvoyGatew
 
 	return &Manager{
 		extensionConnCache: conn,
-		extension:          cfg,
+		extension:          *cfg,
 	}, c, nil
 }
 

internal/extension/registry/extension_manager_test.go

@@ -543,7 +543,7 @@ func Test_Integration_RetryPolicy_MaxAttempts(t *testing.T) {
 				},
 			}
 
-			mgr, _, err := NewInMemoryManager(extManager, &retryTestServer{})
+			mgr, _, err := NewInMemoryManager(&extManager, &retryTestServer{})
 			require.NoError(t, err)
 
 			hook, err := mgr.GetPostXDSHookClient(egv1a1.XDSRoute)
@@ -727,7 +727,7 @@ func Test_Integration_ClusterUpdateExtensionServer(t *testing.T) {
 				},
 			}
 
-			mgr, _, err := NewInMemoryManager(extManager, &clusterUpdateTestServer{})
+			mgr, _, err := NewInMemoryManager(&extManager, &clusterUpdateTestServer{})
 			require.NoError(t, err)
 
 			hook, err := mgr.GetPostXDSHookClient(egv1a1.XDSTranslation)
@@ -804,7 +804,7 @@ func TestPostTranslateModifyHookWithListenersAndRoutes(t *testing.T) {
 		},
 	}
 
-	mgr, _, err := NewInMemoryManager(extManager, &testServer{})
+	mgr, _, err := NewInMemoryManager(&extManager, &testServer{})
 	require.NoError(t, err)
 
 	hook, err := mgr.GetPostXDSHookClient(egv1a1.XDSTranslation)
@@ -934,9 +934,10 @@ func TestGetTranslationHookConfig(t *testing.T) {
 			var err error
 
 			if tt.config == nil {
-				mgr, _, err = NewInMemoryManager(egv1a1.ExtensionManager{}, &testServer{})
+				defaultExt := egv1a1.ExtensionManager{}
+				mgr, _, err = NewInMemoryManager(&defaultExt, &testServer{})
 			} else {
-				mgr, _, err = NewInMemoryManager(*tt.config, &testServer{})
+				mgr, _, err = NewInMemoryManager(tt.config, &testServer{})
 			}
 
 			require.NoError(t, err)

internal/gatewayapi/backend.go

@@ -20,7 +20,7 @@ import (
 )
 
 func (t *Translator) ProcessBackends(backends []*egv1a1.Backend, backendTLSPolicies []*gwapiv1a3.BackendTLSPolicy) []*egv1a1.Backend {
-	var res []*egv1a1.Backend
+	res := make([]*egv1a1.Backend, 0, len(backends))
 	for _, backend := range backends {
 		// Ensure Backends are enabled
 		if !t.BackendEnabled {

internal/gatewayapi/backendtlspolicy.go

@@ -151,7 +151,7 @@ func (t *Translator) processBackendTLSPolicy(
 
 	tlsBundle, err := getBackendTLSBundle(policy, resources)
 	ancestorRefs := getAncestorRefs(policy)
-	ancestorRefs = append(ancestorRefs, parent)
+	ancestorRefs = append(ancestorRefs, &parent)
 
 	if err != nil {
 		status.SetTranslationErrorForPolicyAncestors(&policy.Status,
@@ -222,7 +222,7 @@ func (t *Translator) applyEnvoyProxyBackendTLSSetting(tlsConfig *ir.TLSUpstreamC
 	return tlsConfig, nil
 }
 
-func backendTLSTargetMatched(policy gwapiv1a3.BackendTLSPolicy, target gwapiv1a2.LocalPolicyTargetReferenceWithSectionName, backendNamespace string) bool {
+func backendTLSTargetMatched(policy *gwapiv1a3.BackendTLSPolicy, target gwapiv1a2.LocalPolicyTargetReferenceWithSectionName, backendNamespace string) bool {
 	for _, currTarget := range policy.Spec.TargetRefs {
 		if target.Group == currTarget.Group &&
 			target.Kind == currTarget.Kind &&
@@ -248,7 +248,7 @@ func getBackendTLSPolicy(
 	// SectionName is port number for EG Backend object
 	target := getTargetBackendReference(backendRef, backendNamespace, resources)
 	for _, policy := range policies {
-		if backendTLSTargetMatched(*policy, target, backendNamespace) {
+		if backendTLSTargetMatched(policy, target, backendNamespace) {
 			return policy
 		}
 	}
@@ -257,7 +257,7 @@ func getBackendTLSPolicy(
 
 func getBackendTLSBundle(backendTLSPolicy *gwapiv1a3.BackendTLSPolicy, resources *resource.Resources) (*ir.TLSUpstreamConfig, error) {
 	// Translate SubjectAltNames from gwapiv1a3 to ir
-	var subjectAltNames []ir.SubjectAltName
+	subjectAltNames := make([]ir.SubjectAltName, 0, len(backendTLSPolicy.Spec.Validation.SubjectAltNames))
 	for _, san := range backendTLSPolicy.Spec.Validation.SubjectAltNames {
 		var subjectAltName ir.SubjectAltName
 		switch san.Type {
@@ -347,10 +347,10 @@ func getCaCertsFromCARefs(namespace string, caCertificates []gwapiv1.LocalObject
 	return []byte(ca), nil
 }
 
-func getAncestorRefs(policy *gwapiv1a3.BackendTLSPolicy) []gwapiv1a2.ParentReference {
-	ret := make([]gwapiv1a2.ParentReference, len(policy.Status.Ancestors))
+func getAncestorRefs(policy *gwapiv1a3.BackendTLSPolicy) []*gwapiv1a2.ParentReference {
+	ret := make([]*gwapiv1a2.ParentReference, len(policy.Status.Ancestors))
 	for i, ancestor := range policy.Status.Ancestors {
-		ret[i] = ancestor.AncestorRef
+		ret[i] = &ancestor.AncestorRef
 	}
 	return ret
 }