diff --git a/VERSION b/VERSION
index 78d19a2970..3717b2a503 100644
--- a/VERSION
+++ b/VERSION
@@ -1 +1 @@
-v1.6.3
+v1.6.4
diff --git a/api/v1alpha1/envoyproxy_types.go b/api/v1alpha1/envoyproxy_types.go
index e9283e4ccf..9c157d20a8 100644
--- a/api/v1alpha1/envoyproxy_types.go
+++ b/api/v1alpha1/envoyproxy_types.go
@@ -98,12 +98,16 @@ type EnvoyProxySpec struct {
// If unspecified, the default filter order is applied.
// Default filter order is:
//
+ // - envoy.filters.http.custom_response
+ //
// - envoy.filters.http.health_check
//
// - envoy.filters.http.fault
//
// - envoy.filters.http.cors
//
+ // - envoy.filters.http.header_mutation
+ //
// - envoy.filters.http.ext_authz
//
// - envoy.filters.http.api_key_auth
@@ -134,8 +138,6 @@ type EnvoyProxySpec struct {
//
// - envoy.filters.http.grpc_stats
//
- // - envoy.filters.http.custom_response
- //
// - envoy.filters.http.credential_injector
//
// - envoy.filters.http.compressor
@@ -240,10 +242,13 @@ type FilterPosition struct {
}
// EnvoyFilter defines the type of Envoy HTTP filter.
-// +kubebuilder:validation:Enum=envoy.filters.http.health_check;envoy.filters.http.fault;envoy.filters.http.cors;envoy.filters.http.ext_authz;envoy.filters.http.api_key_auth;envoy.filters.http.basic_auth;envoy.filters.http.oauth2;envoy.filters.http.jwt_authn;envoy.filters.http.stateful_session;envoy.filters.http.buffer;envoy.filters.http.lua;envoy.filters.http.ext_proc;envoy.filters.http.wasm;envoy.filters.http.rbac;envoy.filters.http.local_ratelimit;envoy.filters.http.ratelimit;envoy.filters.http.grpc_web;envoy.filters.http.grpc_stats;envoy.filters.http.custom_response;envoy.filters.http.credential_injector;envoy.filters.http.compressor
+// +kubebuilder:validation:Enum=envoy.filters.http.custom_response;envoy.filters.http.health_check;envoy.filters.http.fault;envoy.filters.http.cors;envoy.filters.http.header_mutation;envoy.filters.http.ext_authz;envoy.filters.http.api_key_auth;envoy.filters.http.basic_auth;envoy.filters.http.oauth2;envoy.filters.http.jwt_authn;envoy.filters.http.stateful_session;envoy.filters.http.buffer;envoy.filters.http.lua;envoy.filters.http.ext_proc;envoy.filters.http.wasm;envoy.filters.http.rbac;envoy.filters.http.local_ratelimit;envoy.filters.http.ratelimit;envoy.filters.http.grpc_web;envoy.filters.http.grpc_stats;envoy.filters.http.credential_injector;envoy.filters.http.compressor;envoy.filters.http.dynamic_forward_proxy
type EnvoyFilter string
const (
+ // EnvoyFilterCustomResponse defines the Envoy HTTP custom response filter.
+ EnvoyFilterCustomResponse EnvoyFilter = "envoy.filters.http.custom_response"
+
// EnvoyFilterHealthCheck defines the Envoy HTTP health check filter.
EnvoyFilterHealthCheck EnvoyFilter = "envoy.filters.http.health_check"
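Review bot: The kubebuilder enum on `EnvoyFilter` now admits `envoy.filters.http.dynamic_forward_proxy`, but none of the const hunks in this diff add a matching constant, and the default-filter-order comment in the first hunk of this file does not list it either. If the constant is defined elsewhere in the file this is only a documentation gap; otherwise a user can name a filter in `FilterPosition` that the Go side has no identifier for. Consider adding `// EnvoyFilterDynamicForwardProxy defines the Envoy HTTP dynamic forward proxy filter.` / `EnvoyFilterDynamicForwardProxy EnvoyFilter = "envoy.filters.http.dynamic_forward_proxy"` alongside the other constants and adding the filter to the order list. The const block continues outside this hunk.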
@@ -253,6 +258,9 @@ const (
// EnvoyFilterCORS defines the Envoy HTTP CORS filter.
EnvoyFilterCORS EnvoyFilter = "envoy.filters.http.cors"
+ // EnvoyFilterHeaderMutation defines the Envoy HTTP header mutation filter
+ EnvoyFilterHeaderMutation EnvoyFilter = "envoy.filters.http.header_mutation"
+
// EnvoyFilterExtAuthz defines the Envoy HTTP external authorization filter.
EnvoyFilterExtAuthz EnvoyFilter = "envoy.filters.http.ext_authz"
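Review bot: The doc comment moved here for `EnvoyFilterHeaderMutation` lacks the trailing period every neighbouring constant comment has; it should read `// EnvoyFilterHeaderMutation defines the Envoy HTTP header mutation filter.`. The `EnvoyFilterBuffer` comment in the next hunk has the same omission. Since both lines are being relocated anyway, this is the moment to make them match the rest of the block.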
@@ -272,15 +280,18 @@ const (
// EnvoyFilterSessionPersistence defines the Envoy HTTP session persistence filter.
EnvoyFilterSessionPersistence EnvoyFilter = "envoy.filters.http.stateful_session"
+ // EnvoyFilterBuffer defines the Envoy HTTP buffer filter
+ EnvoyFilterBuffer EnvoyFilter = "envoy.filters.http.buffer"
+
+ // EnvoyFilterLua defines the Envoy HTTP Lua filter.
+ EnvoyFilterLua EnvoyFilter = "envoy.filters.http.lua"
+
// EnvoyFilterExtProc defines the Envoy HTTP external process filter.
EnvoyFilterExtProc EnvoyFilter = "envoy.filters.http.ext_proc"
// EnvoyFilterWasm defines the Envoy HTTP WebAssembly filter.
EnvoyFilterWasm EnvoyFilter = "envoy.filters.http.wasm"
- // EnvoyFilterLua defines the Envoy HTTP Lua filter.
- EnvoyFilterLua EnvoyFilter = "envoy.filters.http.lua"
-
// EnvoyFilterRBAC defines the Envoy RBAC filter.
EnvoyFilterRBAC EnvoyFilter = "envoy.filters.http.rbac"
@@ -296,9 +307,6 @@ const (
// EnvoyFilterGRPCStats defines the Envoy HTTP gRPC stats filter.
EnvoyFilterGRPCStats EnvoyFilter = "envoy.filters.http.grpc_stats"
- // EnvoyFilterCustomResponse defines the Envoy HTTP custom response filter.
- EnvoyFilterCustomResponse EnvoyFilter = "envoy.filters.http.custom_response"
-
// EnvoyFilterCredentialInjector defines the Envoy HTTP credential injector filter.
EnvoyFilterCredentialInjector EnvoyFilter = "envoy.filters.http.credential_injector"
@@ -308,12 +316,6 @@ const (
// EnvoyFilterRouter defines the Envoy HTTP router filter.
EnvoyFilterRouter EnvoyFilter = "envoy.filters.http.router"
- // EnvoyFilterBuffer defines the Envoy HTTP buffer filter
- EnvoyFilterBuffer EnvoyFilter = "envoy.filters.http.buffer"
-
- // EnvoyFilterHeaderMutation defines the Envoy HTTP header mutation filter
- EnvoyFilterHeaderMutation EnvoyFilter = "envoy.filters.http.header_mutation"
-
// StatFormatterRouteName defines the Route Name formatter for stats
StatFormatterRouteName string = "%ROUTE_NAME%"
diff --git a/charts/gateway-crds-helm/templates/experimental-gatewayapi-crds.yaml b/charts/gateway-crds-helm/templates/experimental-gatewayapi-crds.yaml
index e763641dfa..3ca2945b02 100644
--- a/charts/gateway-crds-helm/templates/experimental-gatewayapi-crds.yaml
+++ b/charts/gateway-crds-helm/templates/experimental-gatewayapi-crds.yaml
@@ -2860,30 +2860,19 @@ spec:
properties:
clientCertificateRef:
description: |-
- ClientCertificateRef references an object that contains a client certificate
- and its associated private key. It can reference standard Kubernetes resources,
- i.e., Secret, or implementation-specific custom resources.
-
- A ClientCertificateRef is considered invalid if:
-
- * It refers to a resource that cannot be resolved (e.g., the referenced resource
- does not exist) or is misconfigured (e.g., a Secret does not contain the keys
- named `tls.crt` and `tls.key`). In this case, the `ResolvedRefs` condition
- on the Gateway MUST be set to False with the Reason `InvalidClientCertificateRef`
- and the Message of the Condition MUST indicate why the reference is invalid.
-
- * It refers to a resource in another namespace UNLESS there is a ReferenceGrant
- in the target namespace that allows the certificate to be attached.
- If a ReferenceGrant does not allow this reference, the `ResolvedRefs` condition
- on the Gateway MUST be set to False with the Reason `RefNotPermitted`.
-
- Implementations MAY choose to perform further validation of the certificate
- content (e.g., checking expiry or enforcing specific formats). In such cases,
- an implementation-specific Reason and Message MUST be set.
-
- Support: Core - Reference to a Kubernetes TLS Secret (with the type `kubernetes.io/tls`).
- Support: Implementation-specific - Other resource kinds or Secrets with a
- different type (e.g., `Opaque`).
+ ClientCertificateRef is a reference to an object that contains a Client
+ Certificate and the associated private key.
+
+ References to a resource in different namespace are invalid UNLESS there
+ is a ReferenceGrant in the target namespace that allows the certificate
+ to be attached. If a ReferenceGrant does not allow this reference, the
+ "ResolvedRefs" condition MUST be set to False for this listener with the
+ "RefNotPermitted" reason.
+
+ ClientCertificateRef can reference to standard Kubernetes resources, i.e.
+ Secret, or implementation-specific custom resources.
+
+ Support: Core
properties:
group:
default: ""
@@ -4448,30 +4437,19 @@ spec:
properties:
clientCertificateRef:
description: |-
- ClientCertificateRef references an object that contains a client certificate
- and its associated private key. It can reference standard Kubernetes resources,
- i.e., Secret, or implementation-specific custom resources.
-
- A ClientCertificateRef is considered invalid if:
-
- * It refers to a resource that cannot be resolved (e.g., the referenced resource
- does not exist) or is misconfigured (e.g., a Secret does not contain the keys
- named `tls.crt` and `tls.key`). In this case, the `ResolvedRefs` condition
- on the Gateway MUST be set to False with the Reason `InvalidClientCertificateRef`
- and the Message of the Condition MUST indicate why the reference is invalid.
-
- * It refers to a resource in another namespace UNLESS there is a ReferenceGrant
- in the target namespace that allows the certificate to be attached.
- If a ReferenceGrant does not allow this reference, the `ResolvedRefs` condition
- on the Gateway MUST be set to False with the Reason `RefNotPermitted`.
-
- Implementations MAY choose to perform further validation of the certificate
- content (e.g., checking expiry or enforcing specific formats). In such cases,
- an implementation-specific Reason and Message MUST be set.
-
- Support: Core - Reference to a Kubernetes TLS Secret (with the type `kubernetes.io/tls`).
- Support: Implementation-specific - Other resource kinds or Secrets with a
- different type (e.g., `Opaque`).
+ ClientCertificateRef is a reference to an object that contains a Client
+ Certificate and the associated private key.
+
+ References to a resource in different namespace are invalid UNLESS there
+ is a ReferenceGrant in the target namespace that allows the certificate
+ to be attached. If a ReferenceGrant does not allow this reference, the
+ "ResolvedRefs" condition MUST be set to False for this listener with the
+ "RefNotPermitted" reason.
+
+ ClientCertificateRef can reference to standard Kubernetes resources, i.e.
+ Secret, or implementation-specific custom resources.
+
+ Support: Core
properties:
group:
default: ""
@@ -5665,14 +5643,10 @@ spec:
pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
type: string
value:
- description: |-
- Value is the value of HTTP Header to be matched.
-
- Must consist of printable US-ASCII characters, optionally separated
- by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2
+ description: Value is the value of HTTP
+ Header to be matched.
maxLength: 4096
minLength: 1
- pattern: ^[!-~]+([\t ]?[!-~]+)*$
type: string
required:
- name
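Review bot: The `pattern: ^[!-~]+([\t ]?[!-~]+)*$` constraint on the header-match `value` field is dropped here, together with the description sentence requiring printable US-ASCII, while `maxLength` and `minLength` stay. Without it the API server no longer rejects header values containing control characters at admission time, so any component that relied on the CRD for that check now has to validate the value itself. The same removal appears in every other header `value` hunk of this file and in `charts/gateway-helm/crds/gatewayapi-crds.yaml`, and together with the dropped `maxItems: 64` entries and the removed 303/307/308 redirect codes it looks like a move to an older Gateway API CRD revision; if that is intentional, it deserves an explicit mention in the release notes.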
@@ -5744,14 +5718,10 @@ spec:
pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
type: string
value:
- description: |-
- Value is the value of HTTP Header to be matched.
-
- Must consist of printable US-ASCII characters, optionally separated
- by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2
+ description: Value is the value of HTTP
+ Header to be matched.
maxLength: 4096
minLength: 1
- pattern: ^[!-~]+([\t ]?[!-~]+)*$
type: string
required:
- name
@@ -5956,14 +5926,10 @@ spec:
pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
type: string
value:
- description: |-
- Value is the value of HTTP Header to be matched.
-
- Must consist of printable US-ASCII characters, optionally separated
- by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2
+ description: Value is the value of HTTP
+ Header to be matched.
maxLength: 4096
minLength: 1
- pattern: ^[!-~]+([\t ]?[!-~]+)*$
type: string
required:
- name
@@ -6035,14 +6001,10 @@ spec:
pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
type: string
value:
- description: |-
- Value is the value of HTTP Header to be matched.
-
- Must consist of printable US-ASCII characters, optionally separated
- by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2
+ description: Value is the value of HTTP
+ Header to be matched.
maxLength: 4096
minLength: 1
- pattern: ^[!-~]+([\t ]?[!-~]+)*$
type: string
required:
- name
@@ -6333,14 +6295,10 @@ spec:
pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
type: string
value:
- description: |-
- Value is the value of HTTP Header to be matched.
-
- Must consist of printable US-ASCII characters, optionally separated
- by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2
+ description: Value is the value of HTTP Header
+ to be matched.
maxLength: 4096
minLength: 1
- pattern: ^[!-~]+([\t ]?[!-~]+)*$
type: string
required:
- name
@@ -6411,14 +6369,10 @@ spec:
pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
type: string
value:
- description: |-
- Value is the value of HTTP Header to be matched.
-
- Must consist of printable US-ASCII characters, optionally separated
- by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2
+ description: Value is the value of HTTP Header
+ to be matched.
maxLength: 4096
minLength: 1
- pattern: ^[!-~]+([\t ]?[!-~]+)*$
type: string
required:
- name
@@ -6622,14 +6576,10 @@ spec:
pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
type: string
value:
- description: |-
- Value is the value of HTTP Header to be matched.
-
- Must consist of printable US-ASCII characters, optionally separated
- by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2
+ description: Value is the value of HTTP Header
+ to be matched.
maxLength: 4096
minLength: 1
- pattern: ^[!-~]+([\t ]?[!-~]+)*$
type: string
required:
- name
@@ -6700,14 +6650,10 @@ spec:
pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
type: string
value:
- description: |-
- Value is the value of HTTP Header to be matched.
-
- Must consist of printable US-ASCII characters, optionally separated
- by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2
+ description: Value is the value of HTTP Header
+ to be matched.
maxLength: 4096
minLength: 1
- pattern: ^[!-~]+([\t ]?[!-~]+)*$
type: string
required:
- name
@@ -8316,7 +8262,6 @@ spec:
If the list has entries, only those entries must be sent.
items:
type: string
- maxItems: 64
type: array
x-kubernetes-list-type: set
type: object
@@ -8355,7 +8300,6 @@ spec:
request must be set to the actual number of bytes forwarded.
items:
type: string
- maxItems: 64
type: array
x-kubernetes-list-type: set
allowedResponseHeaders:
@@ -8367,7 +8311,6 @@ spec:
except Authority or Host must be copied.
items:
type: string
- maxItems: 64
type: array
x-kubernetes-list-type: set
path:
@@ -8472,14 +8415,10 @@ spec:
pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
type: string
value:
- description: |-
- Value is the value of HTTP Header to be matched.
-
- Must consist of printable US-ASCII characters, optionally separated
- by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2
+ description: Value is the value of HTTP
+ Header to be matched.
maxLength: 4096
minLength: 1
- pattern: ^[!-~]+([\t ]?[!-~]+)*$
type: string
required:
- name
@@ -8551,14 +8490,10 @@ spec:
pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
type: string
value:
- description: |-
- Value is the value of HTTP Header to be matched.
-
- Must consist of printable US-ASCII characters, optionally separated
- by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2
+ description: Value is the value of HTTP
+ Header to be matched.
maxLength: 4096
minLength: 1
- pattern: ^[!-~]+([\t ]?[!-~]+)*$
type: string
required:
- name
@@ -8869,9 +8804,6 @@ spec:
enum:
- 301
- 302
- - 303
- - 307
- - 308
type: integer
type: object
responseHeaderModifier:
@@ -8919,14 +8851,10 @@ spec:
pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
type: string
value:
- description: |-
- Value is the value of HTTP Header to be matched.
-
- Must consist of printable US-ASCII characters, optionally separated
- by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2
+ description: Value is the value of HTTP
+ Header to be matched.
maxLength: 4096
minLength: 1
- pattern: ^[!-~]+([\t ]?[!-~]+)*$
type: string
required:
- name
@@ -8998,14 +8926,10 @@ spec:
pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
type: string
value:
- description: |-
- Value is the value of HTTP Header to be matched.
-
- Must consist of printable US-ASCII characters, optionally separated
- by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2
+ description: Value is the value of HTTP
+ Header to be matched.
maxLength: 4096
minLength: 1
- pattern: ^[!-~]+([\t ]?[!-~]+)*$
type: string
required:
- name
@@ -9818,7 +9742,6 @@ spec:
If the list has entries, only those entries must be sent.
items:
type: string
- maxItems: 64
type: array
x-kubernetes-list-type: set
type: object
@@ -9857,7 +9780,6 @@ spec:
request must be set to the actual number of bytes forwarded.
items:
type: string
- maxItems: 64
type: array
x-kubernetes-list-type: set
allowedResponseHeaders:
@@ -9869,7 +9791,6 @@ spec:
except Authority or Host must be copied.
items:
type: string
- maxItems: 64
type: array
x-kubernetes-list-type: set
path:
@@ -9971,14 +9892,10 @@ spec:
pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
type: string
value:
- description: |-
- Value is the value of HTTP Header to be matched.
-
- Must consist of printable US-ASCII characters, optionally separated
- by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2
+ description: Value is the value of HTTP Header
+ to be matched.
maxLength: 4096
minLength: 1
- pattern: ^[!-~]+([\t ]?[!-~]+)*$
type: string
required:
- name
@@ -10049,14 +9966,10 @@ spec:
pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
type: string
value:
- description: |-
- Value is the value of HTTP Header to be matched.
-
- Must consist of printable US-ASCII characters, optionally separated
- by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2
+ description: Value is the value of HTTP Header
+ to be matched.
maxLength: 4096
minLength: 1
- pattern: ^[!-~]+([\t ]?[!-~]+)*$
type: string
required:
- name
@@ -10367,9 +10280,6 @@ spec:
enum:
- 301
- 302
- - 303
- - 307
- - 308
type: integer
type: object
responseHeaderModifier:
@@ -10416,14 +10326,10 @@ spec:
pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
type: string
value:
- description: |-
- Value is the value of HTTP Header to be matched.
-
- Must consist of printable US-ASCII characters, optionally separated
- by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2
+ description: Value is the value of HTTP Header
+ to be matched.
maxLength: 4096
minLength: 1
- pattern: ^[!-~]+([\t ]?[!-~]+)*$
type: string
required:
- name
@@ -10494,14 +10400,10 @@ spec:
pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
type: string
value:
- description: |-
- Value is the value of HTTP Header to be matched.
-
- Must consist of printable US-ASCII characters, optionally separated
- by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2
+ description: Value is the value of HTTP Header
+ to be matched.
maxLength: 4096
minLength: 1
- pattern: ^[!-~]+([\t ]?[!-~]+)*$
type: string
required:
- name
@@ -10835,14 +10737,10 @@ spec:
- RegularExpression
type: string
value:
- description: |-
- Value is the value of HTTP Header to be matched.
-
- Must consist of printable US-ASCII characters, optionally separated
- by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2
+ description: Value is the value of HTTP Header to
+ be matched.
maxLength: 4096
minLength: 1
- pattern: ^[!-~]+([\t ]?[!-~]+)*$
type: string
required:
- name
@@ -12522,7 +12420,6 @@ spec:
If the list has entries, only those entries must be sent.
items:
type: string
- maxItems: 64
type: array
x-kubernetes-list-type: set
type: object
@@ -12561,7 +12458,6 @@ spec:
request must be set to the actual number of bytes forwarded.
items:
type: string
- maxItems: 64
type: array
x-kubernetes-list-type: set
allowedResponseHeaders:
@@ -12573,7 +12469,6 @@ spec:
except Authority or Host must be copied.
items:
type: string
- maxItems: 64
type: array
x-kubernetes-list-type: set
path:
@@ -12678,14 +12573,10 @@ spec:
pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
type: string
value:
- description: |-
- Value is the value of HTTP Header to be matched.
-
- Must consist of printable US-ASCII characters, optionally separated
- by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2
+ description: Value is the value of HTTP
+ Header to be matched.
maxLength: 4096
minLength: 1
- pattern: ^[!-~]+([\t ]?[!-~]+)*$
type: string
required:
- name
@@ -12757,14 +12648,10 @@ spec:
pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
type: string
value:
- description: |-
- Value is the value of HTTP Header to be matched.
-
- Must consist of printable US-ASCII characters, optionally separated
- by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2
+ description: Value is the value of HTTP
+ Header to be matched.
maxLength: 4096
minLength: 1
- pattern: ^[!-~]+([\t ]?[!-~]+)*$
type: string
required:
- name
@@ -13075,9 +12962,6 @@ spec:
enum:
- 301
- 302
- - 303
- - 307
- - 308
type: integer
type: object
responseHeaderModifier:
@@ -13125,14 +13009,10 @@ spec:
pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
type: string
value:
- description: |-
- Value is the value of HTTP Header to be matched.
-
- Must consist of printable US-ASCII characters, optionally separated
- by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2
+ description: Value is the value of HTTP
+ Header to be matched.
maxLength: 4096
minLength: 1
- pattern: ^[!-~]+([\t ]?[!-~]+)*$
type: string
required:
- name
@@ -13204,14 +13084,10 @@ spec:
pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
type: string
value:
- description: |-
- Value is the value of HTTP Header to be matched.
-
- Must consist of printable US-ASCII characters, optionally separated
- by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2
+ description: Value is the value of HTTP
+ Header to be matched.
maxLength: 4096
minLength: 1
- pattern: ^[!-~]+([\t ]?[!-~]+)*$
type: string
required:
- name
@@ -14024,7 +13900,6 @@ spec:
If the list has entries, only those entries must be sent.
items:
type: string
- maxItems: 64
type: array
x-kubernetes-list-type: set
type: object
@@ -14063,7 +13938,6 @@ spec:
request must be set to the actual number of bytes forwarded.
items:
type: string
- maxItems: 64
type: array
x-kubernetes-list-type: set
allowedResponseHeaders:
@@ -14075,7 +13949,6 @@ spec:
except Authority or Host must be copied.
items:
type: string
- maxItems: 64
type: array
x-kubernetes-list-type: set
path:
@@ -14177,14 +14050,10 @@ spec:
pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
type: string
value:
- description: |-
- Value is the value of HTTP Header to be matched.
-
- Must consist of printable US-ASCII characters, optionally separated
- by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2
+ description: Value is the value of HTTP Header
+ to be matched.
maxLength: 4096
minLength: 1
- pattern: ^[!-~]+([\t ]?[!-~]+)*$
type: string
required:
- name
@@ -14255,14 +14124,10 @@ spec:
pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
type: string
value:
- description: |-
- Value is the value of HTTP Header to be matched.
-
- Must consist of printable US-ASCII characters, optionally separated
- by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2
+ description: Value is the value of HTTP Header
+ to be matched.
maxLength: 4096
minLength: 1
- pattern: ^[!-~]+([\t ]?[!-~]+)*$
type: string
required:
- name
@@ -14573,9 +14438,6 @@ spec:
enum:
- 301
- 302
- - 303
- - 307
- - 308
type: integer
type: object
responseHeaderModifier:
@@ -14622,14 +14484,10 @@ spec:
pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
type: string
value:
- description: |-
- Value is the value of HTTP Header to be matched.
-
- Must consist of printable US-ASCII characters, optionally separated
- by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2
+ description: Value is the value of HTTP Header
+ to be matched.
maxLength: 4096
minLength: 1
- pattern: ^[!-~]+([\t ]?[!-~]+)*$
type: string
required:
- name
@@ -14700,14 +14558,10 @@ spec:
pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
type: string
value:
- description: |-
- Value is the value of HTTP Header to be matched.
-
- Must consist of printable US-ASCII characters, optionally separated
- by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2
+ description: Value is the value of HTTP Header
+ to be matched.
maxLength: 4096
minLength: 1
- pattern: ^[!-~]+([\t ]?[!-~]+)*$
type: string
required:
- name
@@ -15041,14 +14895,10 @@ spec:
- RegularExpression
type: string
value:
- description: |-
- Value is the value of HTTP Header to be matched.
-
- Must consist of printable US-ASCII characters, optionally separated
- by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2
+ description: Value is the value of HTTP Header to
+ be matched.
maxLength: 4096
minLength: 1
- pattern: ^[!-~]+([\t ]?[!-~]+)*$
type: string
required:
- name
diff --git a/charts/gateway-crds-helm/templates/generated/gateway.envoyproxy.io_envoyproxies.yaml b/charts/gateway-crds-helm/templates/generated/gateway.envoyproxy.io_envoyproxies.yaml
index 12c40a4773..7918026d95 100644
--- a/charts/gateway-crds-helm/templates/generated/gateway.envoyproxy.io_envoyproxies.yaml
+++ b/charts/gateway-crds-helm/templates/generated/gateway.envoyproxy.io_envoyproxies.yaml
@@ -284,12 +284,16 @@ spec:
If unspecified, the default filter order is applied.
Default filter order is:
+ - envoy.filters.http.custom_response
+
- envoy.filters.http.health_check
- envoy.filters.http.fault
- envoy.filters.http.cors
+ - envoy.filters.http.header_mutation
+
- envoy.filters.http.ext_authz
- envoy.filters.http.api_key_auth
@@ -320,8 +324,6 @@ spec:
- envoy.filters.http.grpc_stats
- - envoy.filters.http.custom_response
-
- envoy.filters.http.credential_injector
- envoy.filters.http.compressor
@@ -338,9 +340,11 @@ spec:
After defines the filter that should come after the filter.
Only one of Before or After must be set.
enum:
+ - envoy.filters.http.custom_response
- envoy.filters.http.health_check
- envoy.filters.http.fault
- envoy.filters.http.cors
+ - envoy.filters.http.header_mutation
- envoy.filters.http.ext_authz
- envoy.filters.http.api_key_auth
- envoy.filters.http.basic_auth
@@ -356,18 +360,20 @@ spec:
- envoy.filters.http.ratelimit
- envoy.filters.http.grpc_web
- envoy.filters.http.grpc_stats
- - envoy.filters.http.custom_response
- envoy.filters.http.credential_injector
- envoy.filters.http.compressor
+ - envoy.filters.http.dynamic_forward_proxy
type: string
before:
description: |-
Before defines the filter that should come before the filter.
Only one of Before or After must be set.
enum:
+ - envoy.filters.http.custom_response
- envoy.filters.http.health_check
- envoy.filters.http.fault
- envoy.filters.http.cors
+ - envoy.filters.http.header_mutation
- envoy.filters.http.ext_authz
- envoy.filters.http.api_key_auth
- envoy.filters.http.basic_auth
@@ -383,16 +389,18 @@ spec:
- envoy.filters.http.ratelimit
- envoy.filters.http.grpc_web
- envoy.filters.http.grpc_stats
- - envoy.filters.http.custom_response
- envoy.filters.http.credential_injector
- envoy.filters.http.compressor
+ - envoy.filters.http.dynamic_forward_proxy
type: string
name:
description: Name of the filter.
enum:
+ - envoy.filters.http.custom_response
- envoy.filters.http.health_check
- envoy.filters.http.fault
- envoy.filters.http.cors
+ - envoy.filters.http.header_mutation
- envoy.filters.http.ext_authz
- envoy.filters.http.api_key_auth
- envoy.filters.http.basic_auth
@@ -408,9 +416,9 @@ spec:
- envoy.filters.http.ratelimit
- envoy.filters.http.grpc_web
- envoy.filters.http.grpc_stats
- - envoy.filters.http.custom_response
- envoy.filters.http.credential_injector
- envoy.filters.http.compressor
+ - envoy.filters.http.dynamic_forward_proxy
type: string
required:
- name
diff --git a/charts/gateway-crds-helm/templates/standard-gatewayapi-crds.yaml b/charts/gateway-crds-helm/templates/standard-gatewayapi-crds.yaml
index a663cce86f..fcc9e088b7 100644
--- a/charts/gateway-crds-helm/templates/standard-gatewayapi-crds.yaml
+++ b/charts/gateway-crds-helm/templates/standard-gatewayapi-crds.yaml
@@ -7087,9 +7087,6 @@ spec:
enum:
- 301
- 302
- - 303
- - 307
- - 308
type: integer
type: object
responseHeaderModifier:
@@ -8024,9 +8021,6 @@ spec:
enum:
- 301
- 302
- - 303
- - 307
- - 308
type: integer
type: object
responseHeaderModifier:
@@ -9902,9 +9896,6 @@ spec:
enum:
- 301
- 302
- - 303
- - 307
- - 308
type: integer
type: object
responseHeaderModifier:
@@ -10839,9 +10830,6 @@ spec:
enum:
- 301
- 302
- - 303
- - 307
- - 308
type: integer
type: object
responseHeaderModifier:
diff --git a/charts/gateway-helm/crds/gatewayapi-crds.yaml b/charts/gateway-helm/crds/gatewayapi-crds.yaml
index 53f41ad8ee..ee7eb803a7 100644
--- a/charts/gateway-helm/crds/gatewayapi-crds.yaml
+++ b/charts/gateway-helm/crds/gatewayapi-crds.yaml
@@ -2859,30 +2859,19 @@ spec:
properties:
clientCertificateRef:
description: |-
- ClientCertificateRef references an object that contains a client certificate
- and its associated private key. It can reference standard Kubernetes resources,
- i.e., Secret, or implementation-specific custom resources.
-
- A ClientCertificateRef is considered invalid if:
-
- * It refers to a resource that cannot be resolved (e.g., the referenced resource
- does not exist) or is misconfigured (e.g., a Secret does not contain the keys
- named `tls.crt` and `tls.key`). In this case, the `ResolvedRefs` condition
- on the Gateway MUST be set to False with the Reason `InvalidClientCertificateRef`
- and the Message of the Condition MUST indicate why the reference is invalid.
-
- * It refers to a resource in another namespace UNLESS there is a ReferenceGrant
- in the target namespace that allows the certificate to be attached.
- If a ReferenceGrant does not allow this reference, the `ResolvedRefs` condition
- on the Gateway MUST be set to False with the Reason `RefNotPermitted`.
-
- Implementations MAY choose to perform further validation of the certificate
- content (e.g., checking expiry or enforcing specific formats). In such cases,
- an implementation-specific Reason and Message MUST be set.
-
- Support: Core - Reference to a Kubernetes TLS Secret (with the type `kubernetes.io/tls`).
- Support: Implementation-specific - Other resource kinds or Secrets with a
- different type (e.g., `Opaque`).
+ ClientCertificateRef is a reference to an object that contains a Client
+ Certificate and the associated private key.
+
+ References to a resource in different namespace are invalid UNLESS there
+ is a ReferenceGrant in the target namespace that allows the certificate
+ to be attached. If a ReferenceGrant does not allow this reference, the
+ "ResolvedRefs" condition MUST be set to False for this listener with the
+ "RefNotPermitted" reason.
+
+ ClientCertificateRef can reference to standard Kubernetes resources, i.e.
+ Secret, or implementation-specific custom resources.
+
+ Support: Core
properties:
group:
default: ""
@@ -4447,30 +4436,19 @@ spec:
properties:
clientCertificateRef:
description: |-
- ClientCertificateRef references an object that contains a client certificate
- and its associated private key. It can reference standard Kubernetes resources,
- i.e., Secret, or implementation-specific custom resources.
-
- A ClientCertificateRef is considered invalid if:
-
- * It refers to a resource that cannot be resolved (e.g., the referenced resource
- does not exist) or is misconfigured (e.g., a Secret does not contain the keys
- named `tls.crt` and `tls.key`). In this case, the `ResolvedRefs` condition
- on the Gateway MUST be set to False with the Reason `InvalidClientCertificateRef`
- and the Message of the Condition MUST indicate why the reference is invalid.
-
- * It refers to a resource in another namespace UNLESS there is a ReferenceGrant
- in the target namespace that allows the certificate to be attached.
- If a ReferenceGrant does not allow this reference, the `ResolvedRefs` condition
- on the Gateway MUST be set to False with the Reason `RefNotPermitted`.
-
- Implementations MAY choose to perform further validation of the certificate
- content (e.g., checking expiry or enforcing specific formats). In such cases,
- an implementation-specific Reason and Message MUST be set.
-
- Support: Core - Reference to a Kubernetes TLS Secret (with the type `kubernetes.io/tls`).
- Support: Implementation-specific - Other resource kinds or Secrets with a
- different type (e.g., `Opaque`).
+ ClientCertificateRef is a reference to an object that contains a Client
+ Certificate and the associated private key.
+
+ References to a resource in different namespace are invalid UNLESS there
+ is a ReferenceGrant in the target namespace that allows the certificate
+ to be attached. If a ReferenceGrant does not allow this reference, the
+ "ResolvedRefs" condition MUST be set to False for this listener with the
+ "RefNotPermitted" reason.
+
+ ClientCertificateRef can reference to standard Kubernetes resources, i.e.
+ Secret, or implementation-specific custom resources.
+
+ Support: Core
properties:
group:
default: ""
@@ -5664,14 +5642,10 @@ spec:
pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
type: string
value:
- description: |-
- Value is the value of HTTP Header to be matched.
-
- Must consist of printable US-ASCII characters, optionally separated
- by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2
+ description: Value is the value of HTTP
+ Header to be matched.
maxLength: 4096
minLength: 1
- pattern: ^[!-~]+([\t ]?[!-~]+)*$
type: string
required:
- name
@@ -5743,14 +5717,10 @@ spec:
pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
type: string
value:
- description: |-
- Value is the value of HTTP Header to be matched.
-
- Must consist of printable US-ASCII characters, optionally separated
- by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2
+ description: Value is the value of HTTP
+ Header to be matched.
maxLength: 4096
minLength: 1
- pattern: ^[!-~]+([\t ]?[!-~]+)*$
type: string
required:
- name
@@ -5955,14 +5925,10 @@ spec:
pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
type: string
value:
- description: |-
- Value is the value of HTTP Header to be matched.
-
- Must consist of printable US-ASCII characters, optionally separated
- by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2
+ description: Value is the value of HTTP
+ Header to be matched.
maxLength: 4096
minLength: 1
- pattern: ^[!-~]+([\t ]?[!-~]+)*$
type: string
required:
- name
@@ -6034,14 +6000,10 @@ spec:
pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
type: string
value:
- description: |-
- Value is the value of HTTP Header to be matched.
-
- Must consist of printable US-ASCII characters, optionally separated
- by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2
+ description: Value is the value of HTTP
+ Header to be matched.
maxLength: 4096
minLength: 1
- pattern: ^[!-~]+([\t ]?[!-~]+)*$
type: string
required:
- name
@@ -6332,14 +6294,10 @@ spec:
pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
type: string
value:
- description: |-
- Value is the value of HTTP Header to be matched.
-
- Must consist of printable US-ASCII characters, optionally separated
- by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2
+ description: Value is the value of HTTP Header
+ to be matched.
maxLength: 4096
minLength: 1
- pattern: ^[!-~]+([\t ]?[!-~]+)*$
type: string
required:
- name
@@ -6410,14 +6368,10 @@ spec:
pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
type: string
value:
- description: |-
- Value is the value of HTTP Header to be matched.
-
- Must consist of printable US-ASCII characters, optionally separated
- by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2
+ description: Value is the value of HTTP Header
+ to be matched.
maxLength: 4096
minLength: 1
- pattern: ^[!-~]+([\t ]?[!-~]+)*$
type: string
required:
- name
@@ -6621,14 +6575,10 @@ spec:
pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
type: string
value:
- description: |-
- Value is the value of HTTP Header to be matched.
-
- Must consist of printable US-ASCII characters, optionally separated
- by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2
+ description: Value is the value of HTTP Header
+ to be matched.
maxLength: 4096
minLength: 1
- pattern: ^[!-~]+([\t ]?[!-~]+)*$
type: string
required:
- name
@@ -6699,14 +6649,10 @@ spec:
pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
type: string
value:
- description: |-
- Value is the value of HTTP Header to be matched.
-
- Must consist of printable US-ASCII characters, optionally separated
- by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2
+ description: Value is the value of HTTP Header
+ to be matched.
maxLength: 4096
minLength: 1
- pattern: ^[!-~]+([\t ]?[!-~]+)*$
type: string
required:
- name
@@ -8315,7 +8261,6 @@ spec:
If the list has entries, only those entries must be sent.
items:
type: string
- maxItems: 64
type: array
x-kubernetes-list-type: set
type: object
@@ -8354,7 +8299,6 @@ spec:
request must be set to the actual number of bytes forwarded.
items:
type: string
- maxItems: 64
type: array
x-kubernetes-list-type: set
allowedResponseHeaders:
@@ -8366,7 +8310,6 @@ spec:
except Authority or Host must be copied.
items:
type: string
- maxItems: 64
type: array
x-kubernetes-list-type: set
path:
@@ -8471,14 +8414,10 @@ spec:
pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
type: string
value:
- description: |-
- Value is the value of HTTP Header to be matched.
-
- Must consist of printable US-ASCII characters, optionally separated
- by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2
+ description: Value is the value of HTTP
+ Header to be matched.
maxLength: 4096
minLength: 1
- pattern: ^[!-~]+([\t ]?[!-~]+)*$
type: string
required:
- name
@@ -8550,14 +8489,10 @@ spec:
pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
type: string
value:
- description: |-
- Value is the value of HTTP Header to be matched.
-
- Must consist of printable US-ASCII characters, optionally separated
- by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2
+ description: Value is the value of HTTP
+ Header to be matched.
maxLength: 4096
minLength: 1
- pattern: ^[!-~]+([\t ]?[!-~]+)*$
type: string
required:
- name
@@ -8868,9 +8803,6 @@ spec:
enum:
- 301
- 302
- - 303
- - 307
- - 308
type: integer
type: object
responseHeaderModifier:
@@ -8918,14 +8850,10 @@ spec:
pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
type: string
value:
- description: |-
- Value is the value of HTTP Header to be matched.
-
- Must consist of printable US-ASCII characters, optionally separated
- by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2
+ description: Value is the value of HTTP
+ Header to be matched.
maxLength: 4096
minLength: 1
- pattern: ^[!-~]+([\t ]?[!-~]+)*$
type: string
required:
- name
@@ -8997,14 +8925,10 @@ spec:
pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
type: string
value:
- description: |-
- Value is the value of HTTP Header to be matched.
-
- Must consist of printable US-ASCII characters, optionally separated
- by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2
+ description: Value is the value of HTTP
+ Header to be matched.
maxLength: 4096
minLength: 1
- pattern: ^[!-~]+([\t ]?[!-~]+)*$
type: string
required:
- name
@@ -9817,7 +9741,6 @@ spec:
If the list has entries, only those entries must be sent.
items:
type: string
- maxItems: 64
type: array
x-kubernetes-list-type: set
type: object
@@ -9856,7 +9779,6 @@ spec:
request must be set to the actual number of bytes forwarded.
items:
type: string
- maxItems: 64
type: array
x-kubernetes-list-type: set
allowedResponseHeaders:
@@ -9868,7 +9790,6 @@ spec:
except Authority or Host must be copied.
items:
type: string
- maxItems: 64
type: array
x-kubernetes-list-type: set
path:
@@ -9970,14 +9891,10 @@ spec:
pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
type: string
value:
- description: |-
- Value is the value of HTTP Header to be matched.
-
- Must consist of printable US-ASCII characters, optionally separated
- by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2
+ description: Value is the value of HTTP Header
+ to be matched.
maxLength: 4096
minLength: 1
- pattern: ^[!-~]+([\t ]?[!-~]+)*$
type: string
required:
- name
@@ -10048,14 +9965,10 @@ spec:
pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
type: string
value:
- description: |-
- Value is the value of HTTP Header to be matched.
-
- Must consist of printable US-ASCII characters, optionally separated
- by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2
+ description: Value is the value of HTTP Header
+ to be matched.
maxLength: 4096
minLength: 1
- pattern: ^[!-~]+([\t ]?[!-~]+)*$
type: string
required:
- name
@@ -10366,9 +10279,6 @@ spec:
enum:
- 301
- 302
- - 303
- - 307
- - 308
type: integer
type: object
responseHeaderModifier:
@@ -10415,14 +10325,10 @@ spec:
pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
type: string
value:
- description: |-
- Value is the value of HTTP Header to be matched.
-
- Must consist of printable US-ASCII characters, optionally separated
- by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2
+ description: Value is the value of HTTP Header
+ to be matched.
maxLength: 4096
minLength: 1
- pattern: ^[!-~]+([\t ]?[!-~]+)*$
type: string
required:
- name
@@ -10493,14 +10399,10 @@ spec:
pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
type: string
value:
- description: |-
- Value is the value of HTTP Header to be matched.
-
- Must consist of printable US-ASCII characters, optionally separated
- by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2
+ description: Value is the value of HTTP Header
+ to be matched.
maxLength: 4096
minLength: 1
- pattern: ^[!-~]+([\t ]?[!-~]+)*$
type: string
required:
- name
@@ -10834,14 +10736,10 @@ spec:
- RegularExpression
type: string
value:
- description: |-
- Value is the value of HTTP Header to be matched.
-
- Must consist of printable US-ASCII characters, optionally separated
- by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2
+ description: Value is the value of HTTP Header to
+ be matched.
maxLength: 4096
minLength: 1
- pattern: ^[!-~]+([\t ]?[!-~]+)*$
type: string
required:
- name
@@ -12521,7 +12419,6 @@ spec:
If the list has entries, only those entries must be sent.
items:
type: string
- maxItems: 64
type: array
x-kubernetes-list-type: set
type: object
@@ -12560,7 +12457,6 @@ spec:
request must be set to the actual number of bytes forwarded.
items:
type: string
- maxItems: 64
type: array
x-kubernetes-list-type: set
allowedResponseHeaders:
@@ -12572,7 +12468,6 @@ spec:
except Authority or Host must be copied.
items:
type: string
- maxItems: 64
type: array
x-kubernetes-list-type: set
path:
@@ -12677,14 +12572,10 @@ spec:
pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
type: string
value:
- description: |-
- Value is the value of HTTP Header to be matched.
-
- Must consist of printable US-ASCII characters, optionally separated
- by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2
+ description: Value is the value of HTTP
+ Header to be matched.
maxLength: 4096
minLength: 1
- pattern: ^[!-~]+([\t ]?[!-~]+)*$
type: string
required:
- name
@@ -12756,14 +12647,10 @@ spec:
pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
type: string
value:
- description: |-
- Value is the value of HTTP Header to be matched.
-
- Must consist of printable US-ASCII characters, optionally separated
- by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2
+ description: Value is the value of HTTP
+ Header to be matched.
maxLength: 4096
minLength: 1
- pattern: ^[!-~]+([\t ]?[!-~]+)*$
type: string
required:
- name
@@ -13074,9 +12961,6 @@ spec:
enum:
- 301
- 302
- - 303
- - 307
- - 308
type: integer
type: object
responseHeaderModifier:
@@ -13124,14 +13008,10 @@ spec:
pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
type: string
value:
- description: |-
- Value is the value of HTTP Header to be matched.
-
- Must consist of printable US-ASCII characters, optionally separated
- by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2
+ description: Value is the value of HTTP
+ Header to be matched.
maxLength: 4096
minLength: 1
- pattern: ^[!-~]+([\t ]?[!-~]+)*$
type: string
required:
- name
@@ -13203,14 +13083,10 @@ spec:
pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
type: string
value:
- description: |-
- Value is the value of HTTP Header to be matched.
-
- Must consist of printable US-ASCII characters, optionally separated
- by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2
+ description: Value is the value of HTTP
+ Header to be matched.
maxLength: 4096
minLength: 1
- pattern: ^[!-~]+([\t ]?[!-~]+)*$
type: string
required:
- name
@@ -14023,7 +13899,6 @@ spec:
If the list has entries, only those entries must be sent.
items:
type: string
- maxItems: 64
type: array
x-kubernetes-list-type: set
type: object
@@ -14062,7 +13937,6 @@ spec:
request must be set to the actual number of bytes forwarded.
items:
type: string
- maxItems: 64
type: array
x-kubernetes-list-type: set
allowedResponseHeaders:
@@ -14074,7 +13948,6 @@ spec:
except Authority or Host must be copied.
items:
type: string
- maxItems: 64
type: array
x-kubernetes-list-type: set
path:
@@ -14176,14 +14049,10 @@ spec:
pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
type: string
value:
- description: |-
- Value is the value of HTTP Header to be matched.
-
- Must consist of printable US-ASCII characters, optionally separated
- by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2
+ description: Value is the value of HTTP Header
+ to be matched.
maxLength: 4096
minLength: 1
- pattern: ^[!-~]+([\t ]?[!-~]+)*$
type: string
required:
- name
@@ -14254,14 +14123,10 @@ spec:
pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
type: string
value:
- description: |-
- Value is the value of HTTP Header to be matched.
-
- Must consist of printable US-ASCII characters, optionally separated
- by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2
+ description: Value is the value of HTTP Header
+ to be matched.
maxLength: 4096
minLength: 1
- pattern: ^[!-~]+([\t ]?[!-~]+)*$
type: string
required:
- name
@@ -14572,9 +14437,6 @@ spec:
enum:
- 301
- 302
- - 303
- - 307
- - 308
type: integer
type: object
responseHeaderModifier:
@@ -14621,14 +14483,10 @@ spec:
pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
type: string
value:
- description: |-
- Value is the value of HTTP Header to be matched.
-
- Must consist of printable US-ASCII characters, optionally separated
- by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2
+ description: Value is the value of HTTP Header
+ to be matched.
maxLength: 4096
minLength: 1
- pattern: ^[!-~]+([\t ]?[!-~]+)*$
type: string
required:
- name
@@ -14699,14 +14557,10 @@ spec:
pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
type: string
value:
- description: |-
- Value is the value of HTTP Header to be matched.
-
- Must consist of printable US-ASCII characters, optionally separated
- by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2
+ description: Value is the value of HTTP Header
+ to be matched.
maxLength: 4096
minLength: 1
- pattern: ^[!-~]+([\t ]?[!-~]+)*$
type: string
required:
- name
@@ -15040,14 +14894,10 @@ spec:
- RegularExpression
type: string
value:
- description: |-
- Value is the value of HTTP Header to be matched.
-
- Must consist of printable US-ASCII characters, optionally separated
- by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2
+ description: Value is the value of HTTP Header to
+ be matched.
maxLength: 4096
minLength: 1
- pattern: ^[!-~]+([\t ]?[!-~]+)*$
type: string
required:
- name
diff --git a/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_envoyproxies.yaml b/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_envoyproxies.yaml
index 3178b94fad..59dec2e9c8 100644
--- a/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_envoyproxies.yaml
+++ b/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_envoyproxies.yaml
@@ -283,12 +283,16 @@ spec:
If unspecified, the default filter order is applied.
Default filter order is:
+ - envoy.filters.http.custom_response
+
- envoy.filters.http.health_check
- envoy.filters.http.fault
- envoy.filters.http.cors
+ - envoy.filters.http.header_mutation
+
- envoy.filters.http.ext_authz
- envoy.filters.http.api_key_auth
@@ -319,8 +323,6 @@ spec:
- envoy.filters.http.grpc_stats
- - envoy.filters.http.custom_response
-
- envoy.filters.http.credential_injector
- envoy.filters.http.compressor
@@ -337,9 +339,11 @@ spec:
After defines the filter that should come after the filter.
Only one of Before or After must be set.
enum:
+ - envoy.filters.http.custom_response
- envoy.filters.http.health_check
- envoy.filters.http.fault
- envoy.filters.http.cors
+ - envoy.filters.http.header_mutation
- envoy.filters.http.ext_authz
- envoy.filters.http.api_key_auth
- envoy.filters.http.basic_auth
@@ -355,18 +359,20 @@ spec:
- envoy.filters.http.ratelimit
- envoy.filters.http.grpc_web
- envoy.filters.http.grpc_stats
- - envoy.filters.http.custom_response
- envoy.filters.http.credential_injector
- envoy.filters.http.compressor
+ - envoy.filters.http.dynamic_forward_proxy
type: string
before:
description: |-
Before defines the filter that should come before the filter.
Only one of Before or After must be set.
enum:
+ - envoy.filters.http.custom_response
- envoy.filters.http.health_check
- envoy.filters.http.fault
- envoy.filters.http.cors
+ - envoy.filters.http.header_mutation
- envoy.filters.http.ext_authz
- envoy.filters.http.api_key_auth
- envoy.filters.http.basic_auth
@@ -382,16 +388,18 @@ spec:
- envoy.filters.http.ratelimit
- envoy.filters.http.grpc_web
- envoy.filters.http.grpc_stats
- - envoy.filters.http.custom_response
- envoy.filters.http.credential_injector
- envoy.filters.http.compressor
+ - envoy.filters.http.dynamic_forward_proxy
type: string
name:
description: Name of the filter.
enum:
+ - envoy.filters.http.custom_response
- envoy.filters.http.health_check
- envoy.filters.http.fault
- envoy.filters.http.cors
+ - envoy.filters.http.header_mutation
- envoy.filters.http.ext_authz
- envoy.filters.http.api_key_auth
- envoy.filters.http.basic_auth
@@ -407,9 +415,9 @@ spec:
- envoy.filters.http.ratelimit
- envoy.filters.http.grpc_web
- envoy.filters.http.grpc_stats
- - envoy.filters.http.custom_response
- envoy.filters.http.credential_injector
- envoy.filters.http.compressor
+ - envoy.filters.http.dynamic_forward_proxy
type: string
required:
- name
diff --git a/internal/cmd/envoy/shutdown_manager.go b/internal/cmd/envoy/shutdown_manager.go
index f1c82dae79..cd56853392 100644
--- a/internal/cmd/envoy/shutdown_manager.go
+++ b/internal/cmd/envoy/shutdown_manager.go
@@ -10,9 +10,12 @@ import (
"encoding/json"
"errors"
"fmt"
+ "net"
"net/http"
"os"
"os/signal"
+ "regexp"
+ "strconv"
"syscall"
"time"
@@ -137,7 +140,7 @@ func Shutdown(drainTimeout, minDrainDuration time.Duration, exitAtConnections in
for {
elapsedTime := time.Since(startTime)
- conn, err := getTotalConnections()
+ conn, err := getTotalConnections(bootstrap.EnvoyAdminPort)
if err != nil {
logger.Error(err, "error getting total connections")
}
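Review bot: When `getTotalConnections(bootstrap.EnvoyAdminPort)` returns an error, `conn` is nil and the loop only logs and carries on, so whatever the rest of the loop body does with `conn` must tolerate a nil pointer or it will panic inside the shutdown path; if the continuation dereferences it, a `continue` after the `logger.Error` line (or a nil guard) is needed. This is behaviour the commit keeps rather than introduces, and `Shutdown` starts and ends outside this hunk, so I cannot see the deref from here.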
@@ -169,54 +172,90 @@ func Shutdown(drainTimeout, minDrainDuration time.Duration, exitAtConnections in
// postEnvoyAdminAPI sends a POST request to the Envoy admin API
func postEnvoyAdminAPI(path string) error {
- if resp, err := http.Post(fmt.Sprintf("http://%s:%d/%s",
- "localhost", bootstrap.EnvoyAdminPort, path), "application/json", nil); err != nil {
+ resp, err := http.Post(fmt.Sprintf("http://%s:%d/%s",
+ "localhost", bootstrap.EnvoyAdminPort, path), "application/json", nil)
+ if err != nil {
return err
- } else {
- defer resp.Body.Close()
+ }
+ if resp == nil {
+ return errors.New("unexcepted nil response from Envoy admin API")
+ }
+ defer func() {
+ _ = resp.Body.Close()
+ }()
- if resp.StatusCode != http.StatusOK {
- return fmt.Errorf("unexpected response status: %s", resp.Status)
- }
- return nil
+ if resp.StatusCode != http.StatusOK {
+ return fmt.Errorf("unexpected response status: %s", resp.Status)
+ }
+ return nil
+}
+
+func getTotalConnections(port int) (*int, error) {
+ return getDownstreamCXActive(port)
+}
+
+// Define struct to decode JSON response into; expecting a single stat in the response in the format:
+// {"stats":[{"name":"server.total_connections","value":123}]}
+type envoyStatsResponse struct {
+ Stats []struct {
+ Name string
+ Value int
}
}
-// getTotalConnections retrieves the total number of open connections from Envoy's server.total_connections stat
-func getTotalConnections() (*int, error) {
- // Send request to Envoy admin API to retrieve server.total_connections stat
- if resp, err := http.Get(fmt.Sprintf("http://%s:%d//stats?filter=^server\\.total_connections$&format=json",
- "localhost", bootstrap.EnvoyAdminPort)); err != nil {
+func getStatsFromEnvoyStatsEndpoint(port int, statFilter string) (*envoyStatsResponse, error) {
+ resp, err := http.Get(fmt.Sprintf("http://%s//stats?filter=%s&format=json",
+ net.JoinHostPort("localhost", strconv.Itoa(port)), statFilter))
+ if err != nil {
+ return nil, err
+ }
+
+ defer func() {
+ _ = resp.Body.Close()
+ }()
+ if resp.StatusCode != http.StatusOK {
+ return nil, fmt.Errorf("unexpected response status: %s", resp.Status)
+ }
+
+ r := &envoyStatsResponse{}
+ // Decode JSON response into struct
+ if err := json.NewDecoder(resp.Body).Decode(&r); err != nil {
return nil, err
- } else {
- defer resp.Body.Close()
-
- if resp.StatusCode != http.StatusOK {
- return nil, fmt.Errorf("unexpected response status: %s", resp.Status)
- } else {
- // Define struct to decode JSON response into; expecting a single stat in the response in the format:
- // {"stats":[{"name":"server.total_connections","value":123}]}
- var r *struct {
- Stats []struct {
- Name string
- Value int
- }
- }
-
- // Decode JSON response into struct
- if err := json.NewDecoder(resp.Body).Decode(&r); err != nil {
- return nil, err
- }
-
- // Defensive check for empty stats
- if len(r.Stats) == 0 {
- return nil, fmt.Errorf("no stats found")
- }
-
- // Log and return total connections
- c := r.Stats[0].Value
- logger.Info(fmt.Sprintf("total connections: %d", c))
- return &c, nil
+ }
+
+ // Defensive check for empty stats
+ if len(r.Stats) == 0 {
+ return nil, fmt.Errorf("no stats found")
+ }
+
+ return r, nil
+}
+
+// getDownstreamCXActive retrieves the total number of open connections from Envoy's listener downstream_cx_active stat
+func getDownstreamCXActive(port int) (*int, error) {
+ // Send request to Envoy admin API to retrieve listener.\.$.downstream_cx_active stat
+ statFilter := "^listener\\..*\\.downstream_cx_active$"
+ r, err := getStatsFromEnvoyStatsEndpoint(port, statFilter)
+ if err != nil {
+ return nil, fmt.Errorf("error getting listener downstream_cx_active stat: %w", err)
+ }
+
+ totalConnection := filterDownstreamCXActive(r)
+ logger.Info(fmt.Sprintf("total downstream connections: %d", *totalConnection))
+ return totalConnection, nil
+}
+
+// skipConnectionRE is a regex to match connection stats to be excluded from total connections count
+// e.g. admin, ready and stat listener and stats from worker thread
+var skipConnectionRE = regexp.MustCompile(`admin|19001|19003|worker`)
+
+func filterDownstreamCXActive(r *envoyStatsResponse) *int {
+ totalConnection := 0
+ for _, stat := range r.Stats {
+ if excluded := skipConnectionRE.MatchString(stat.Name); !excluded {
+ totalConnection += stat.Value
}
}
+
+ return &totalConnection
}
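Review bot: `json.NewDecoder(resp.Body).Decode(&r)` in `getStatsFromEnvoyStatsEndpoint` passes a pointer to a pointer, so a body of `null` sets `r` itself to nil and the following `len(r.Stats)` dereferences a nil pointer; since `r` is already a `*envoyStatsResponse`, `Decode(r)` leaves the struct untouched on `null` and the empty-stats check then returns the intended error. The message `unexcepted nil response from Envoy admin API` misspells "unexpected", and the `resp == nil` check it guards is redundant because `http.Post` never returns a nil response together with a nil error. Both `http.Post` and `http.Get` use the default client with no timeout, which matters in a shutdown path: an unresponsive admin endpoint stalls the drain loop indefinitely instead of letting it time out, and a package-level `&http.Client{Timeout: ...}` (or a per-request context) would bound each call. `statFilter` is interpolated into the query string unescaped; it is a constant today, but building the URL with `url.Values` or `url.QueryEscape` would keep the helper safe if the filter is ever supplied from elsewhere. `skipConnectionRE` matches `admin`, `19001`, `19003` and `worker` as unanchored substrings, so a listener whose stat prefix happens to contain one of those tokens would be silently dropped from the count; anchoring the pattern to the `.worker_N.`/`.admin.` segments and deriving the port numbers from the same bootstrap constants that supply `bootstrap.EnvoyAdminPort` would make the exclusion explicit.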
diff --git a/internal/cmd/envoy/shutdown_manager_test.go b/internal/cmd/envoy/shutdown_manager_test.go
new file mode 100644
index 0000000000..16b904696f
--- /dev/null
+++ b/internal/cmd/envoy/shutdown_manager_test.go
@@ -0,0 +1,240 @@
+// Copyright Envoy Gateway Authors
+// SPDX-License-Identifier: Apache-2.0
+// The full text of the Apache license is available in the LICENSE file at
+// the root of the repo.
+
+package envoy
+
+import (
+ "errors"
+ "fmt"
+ "io"
+ "net"
+ "net/http"
+ "strconv"
+ "strings"
+ "testing"
+ "time"
+
+ "github.com/stretchr/testify/require"
+ "k8s.io/utils/ptr"
+)
+
+// setupFakeEnvoyStats set up an HTTP server return content
+func setupFakeEnvoyStats(t *testing.T, content string) *http.Server {
+ l, err := net.Listen("tcp", ":0") //nolint: gosec
+ require.NoError(t, err)
+ require.NoError(t, l.Close())
+ mux := http.NewServeMux()
+ mux.HandleFunc("/", func(writer http.ResponseWriter, _ *http.Request) {
+ writer.Header().Set("Content-Type", "application/json")
+ writer.WriteHeader(http.StatusOK)
+ _, _ = writer.Write([]byte(content))
+ })
+
+ addr := l.Addr().String()
+ s := &http.Server{
+ Addr: addr,
+ Handler: mux,
+ ReadHeaderTimeout: time.Second,
+ }
+ t.Logf("start to listen at %s ", addr)
+ go func() {
+ if err := s.ListenAndServe(); err != nil {
+ fmt.Println("fail to listen: ", err)
+ }
+ }()
+
+ return s
+}
+
+func TestGetTotalConnections(t *testing.T) {
+ cases := []struct {
+ name string
+ input string
+
+ expectedError error
+ expectedCount *int
+ }{
+ {
+ name: "downstream_cx_active",
+ input: `{
+ "stats": [
+ {
+ "name": "listener.0.0.0.0_8000.downstream_cx_active",
+ "value": 1
+ },
+ {
+ "name": "listener.0.0.0.0_8000.worker_0.downstream_cx_active",
+ "value": 1
+ },
+ {
+ "name": "listener.0.0.0.0_8000.worker_1.downstream_cx_active",
+ "value": 0
+ },
+ {
+ "name": "listener.0.0.0.0_8000.worker_2.downstream_cx_active",
+ "value": 0
+ },
+ {
+ "name": "listener.0.0.0.0_8000.worker_3.downstream_cx_active",
+ "value": 0
+ },
+ {
+ "name": "listener.0.0.0.0_8000.worker_4.downstream_cx_active",
+ "value": 0
+ },
+ {
+ "name": "listener.0.0.0.0_8000.worker_5.downstream_cx_active",
+ "value": 0
+ },
+ {
+ "name": "listener.0.0.0.0_8000.worker_6.downstream_cx_active",
+ "value": 0
+ },
+ {
+ "name": "listener.0.0.0.0_8000.worker_7.downstream_cx_active",
+ "value": 0
+ },
+ {
+ "name": "listener.0.0.0.0_8000.worker_8.downstream_cx_active",
+ "value": 0
+ },
+ {
+ "name": "listener.0.0.0.0_8000.worker_9.downstream_cx_active",
+ "value": 0
+ },
+ {
+ "name": "listener.127.0.0.1_8080.downstream_cx_active",
+ "value": 0
+ },
+ {
+ "name": "listener.127.0.0.1_8080.worker_0.downstream_cx_active",
+ "value": 0
+ },
+ {
+ "name": "listener.127.0.0.1_8080.worker_1.downstream_cx_active",
+ "value": 0
+ },
+ {
+ "name": "listener.127.0.0.1_8080.worker_2.downstream_cx_active",
+ "value": 0
+ },
+ {
+ "name": "listener.127.0.0.1_8080.worker_3.downstream_cx_active",
+ "value": 0
+ },
+ {
+ "name": "listener.127.0.0.1_8080.worker_4.downstream_cx_active",
+ "value": 0
+ },
+ {
+ "name": "listener.127.0.0.1_8080.worker_5.downstream_cx_active",
+ "value": 0
+ },
+ {
+ "name": "listener.127.0.0.1_8080.worker_6.downstream_cx_active",
+ "value": 0
+ },
+ {
+ "name": "listener.127.0.0.1_8080.worker_7.downstream_cx_active",
+ "value": 0
+ },
+ {
+ "name": "listener.127.0.0.1_8080.worker_8.downstream_cx_active",
+ "value": 0
+ },
+ {
+ "name": "listener.127.0.0.1_8080.worker_9.downstream_cx_active",
+ "value": 0
+ },
+ {
+ "name": "listener.127.0.0.1_8081.downstream_cx_active",
+ "value": 0
+ },
+ {
+ "name": "listener.127.0.0.1_8081.worker_0.downstream_cx_active",
+ "value": 0
+ },
+ {
+ "name": "listener.127.0.0.1_8081.worker_1.downstream_cx_active",
+ "value": 0
+ },
+ {
+ "name": "listener.127.0.0.1_8081.worker_2.downstream_cx_active",
+ "value": 0
+ },
+ {
+ "name": "listener.127.0.0.1_8081.worker_3.downstream_cx_active",
+ "value": 0
+ },
+ {
+ "name": "listener.127.0.0.1_8081.worker_4.downstream_cx_active",
+ "value": 0
+ },
+ {
+ "name": "listener.127.0.0.1_8081.worker_5.downstream_cx_active",
+ "value": 0
+ },
+ {
+ "name": "listener.127.0.0.1_8081.worker_6.downstream_cx_active",
+ "value": 0
+ },
+ {
+ "name": "listener.127.0.0.1_8081.worker_7.downstream_cx_active",
+ "value": 0
+ },
+ {
+ "name": "listener.127.0.0.1_8081.worker_8.downstream_cx_active",
+ "value": 0
+ },
+ {
+ "name": "listener.127.0.0.1_8081.worker_9.downstream_cx_active",
+ "value": 0
+ },
+ {
+ "name": "listener.admin.downstream_cx_active",
+ "value": 2
+ },
+ {
+ "name": "listener.admin.main_thread.downstream_cx_active",
+ "value": 2
+ }
+ ]
+}`,
+ expectedCount: ptr.To(1),
+ },
+ {
+ name: "invalid",
+ input: `{"stats":[{"name":"listener.0.0.0.0_8000.downstream_cx_active","value":1]}`,
+ expectedError: errors.New("error getting listener downstream_cx_active stat"),
+ },
+ }
+
+ for _, tc := range cases {
+ t.Run(tc.name, func(t *testing.T) {
+ s := setupFakeEnvoyStats(t, tc.input)
+ _, port, err := net.SplitHostPort(s.Addr)
+ require.NoError(t, err)
+
+ p, err := strconv.Atoi(port)
+ require.NoError(t, err)
+ defer func() {
+ _ = s.Close()
+ }()
+ reader := strings.NewReader(tc.input)
+ rc := io.NopCloser(reader)
+ defer func() {
+ _ = rc.Close()
+ }()
+
+ gotCount, gotError := getTotalConnections(p)
+ if tc.expectedError != nil {
+ require.ErrorContains(t, gotError, tc.expectedError.Error())
+ return
+ }
+ require.NoError(t, gotError)
+ require.Equal(t, tc.expectedCount, gotCount)
+ })
+ }
+}
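Review bot: `setupFakeEnvoyStats` binds a listener on `:0`, closes it, and then asks `ListenAndServe` to re-bind the same address; between the close and the re-bind another process can take the port, and the test issues its first request before the server goroutine has necessarily bound, so the test can flake with a connection-refused error. Keeping the listener open and serving on it fixes both: drop `require.NoError(t, l.Close())` and replace `s.ListenAndServe()` with `s.Serve(l)` (or use `httptest.NewServer`, which also handles address selection and shutdown). The `reader`/`rc` pair built from `tc.input` in `TestGetTotalConnections` is never used and can be removed together with its deferred close. The deferred `s.Close()` is registered only after two `require.NoError` calls that would leave the server goroutine running on failure; registering it immediately after `setupFakeEnvoyStats` returns makes the cleanup unconditional. Listening on `127.0.0.1:0` rather than `:0` would also keep the fake server off external interfaces and remove the `//nolint: gosec`, provided `localhost` resolves to IPv4 on the test hosts.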
diff --git a/internal/gatewayapi/backendtlspolicy.go b/internal/gatewayapi/backendtlspolicy.go
index 465a4f1927..31a30bf3b1 100644
--- a/internal/gatewayapi/backendtlspolicy.go
+++ b/internal/gatewayapi/backendtlspolicy.go
@@ -22,7 +22,12 @@ import (
"github.com/envoyproxy/gateway/internal/utils"
)
-var ErrBackendTLSPolicyInvalidKind = fmt.Errorf("no CA bundle found in referenced ConfigMap, Secret, or ClusterTrustBundle")
+var (
+ ErrBackendTLSPolicyInvalidKind = fmt.Errorf("Unsupported reference kind, supported kinds are ConfigMap, Secret, and ClusterTrustBundle")
+ ErrBackendTLSPolicyNoValidCACertificate = fmt.Errorf(
+ "no valid CA certificate found in referenced resources",
+ )
+)
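Review bot: `ErrBackendTLSPolicyInvalidKind` is built with `fmt.Errorf` on a constant string and starts with a capital letter, unlike its sibling `ErrBackendTLSPolicyNoValidCACertificate` declared on the next lines; `errors.New("unsupported reference kind, supported kinds are ConfigMap, Secret, and ClusterTrustBundle")` matches Go convention and the sibling. The testdata in this commit renders the previous lowercase message with a capitalized first letter and a trailing period, which suggests `status.Error2ConditionMsg` already normalizes the text, so lowercasing the source string should not change the emitted status — worth confirming before touching the fixture.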
// ProcessBackendTLSPolicyStatus is called to post-process Backend TLS Policy status
// after they were applied in all relevant translations.
@@ -286,33 +291,39 @@ func (t *Translator) processBackendTLSPolicy(
ancestorRefs = append(ancestorRefs, &parent)
if err != nil {
- status.SetConditionForPolicyAncestors(&policy.Status,
+ acceptedReason := gwapiv1.BackendTLSPolicyReasonNoValidCACertificate
+ resolvedReason := gwapiv1.BackendTLSPolicyReasonInvalidCACertificateRef
+
+ if errors.Is(err, ErrBackendTLSPolicyInvalidKind) {
+ // Accepted MUST remain NoValidCACertificate (per Gateway API conformance)
+ resolvedReason = gwapiv1.BackendTLSPolicyReasonInvalidKind
+ }
+
+ status.SetConditionForPolicyAncestors(
+ &policy.Status,
ancestorRefs,
t.GatewayControllerName,
gwapiv1.PolicyConditionAccepted,
metav1.ConditionFalse,
- gwapiv1.BackendTLSPolicyReasonNoValidCACertificate,
+ acceptedReason,
status.Error2ConditionMsg(err),
policy.Generation,
)
- reason := gwapiv1.BackendTLSPolicyReasonInvalidCACertificateRef
- if errors.Is(err, ErrBackendTLSPolicyInvalidKind) {
- reason = gwapiv1.BackendTLSPolicyReasonInvalidKind
- }
-
- status.SetConditionForPolicyAncestors(&policy.Status,
+ status.SetConditionForPolicyAncestors(
+ &policy.Status,
ancestorRefs,
t.GatewayControllerName,
gwapiv1.BackendTLSPolicyConditionResolvedRefs,
metav1.ConditionFalse,
- reason,
+ resolvedReason,
status.Error2ConditionMsg(err),
policy.Generation,
)
return nil, err
}
+
status.SetConditionForPolicyAncestors(&policy.Status,
ancestorRefs,
t.GatewayControllerName,
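Review bot: The comment `// Accepted MUST remain NoValidCACertificate (per Gateway API conformance)` sits inside the `if errors.Is(err, ErrBackendTLSPolicyInvalidKind)` branch that only changes `resolvedReason`, so it reads as if the branch were about the Accepted condition. It belongs on the `acceptedReason := gwapiv1.BackendTLSPolicyReasonNoValidCACertificate` declaration, which is the line that actually fixes that reason and is never reassigned; with the comment moved, the branch body is the single line `resolvedReason = gwapiv1.BackendTLSPolicyReasonInvalidKind`. `processBackendTLSPolicy` starts outside this hunk.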
@@ -461,11 +472,13 @@ func getBackendTLSBundle(backendTLSPolicy *gwapiv1.BackendTLSPolicy, resources *
func getCaCertsFromCARefs(namespace string, caCertificates []gwapiv1.LocalObjectReference, resources *resource.Resources) ([]byte, error) {
ca := ""
+ foundSupportedRef := false
for _, caRef := range caCertificates {
kind := string(caRef.Kind)
switch kind {
case resource.KindConfigMap:
+ foundSupportedRef = true
cm := resources.GetConfigMap(namespace, string(caRef.Name))
if cm != nil {
if crt, dataOk := getOrFirstFromData(cm.Data, caCertKey); dataOk {
@@ -480,6 +493,7 @@ func getCaCertsFromCARefs(namespace string, caCertificates []gwapiv1.LocalObject
return nil, fmt.Errorf("configmap %s not found in namespace %s", caRef.Name, namespace)
}
case resource.KindSecret:
+ foundSupportedRef = true
secret := resources.GetSecret(namespace, string(caRef.Name))
if secret != nil {
if crt, dataOk := getOrFirstFromData(secret.Data, caCertKey); dataOk {
@@ -494,6 +508,7 @@ func getCaCertsFromCARefs(namespace string, caCertificates []gwapiv1.LocalObject
return nil, fmt.Errorf("secret %s not found in namespace %s", caRef.Name, namespace)
}
case resource.KindClusterTrustBundle:
+ foundSupportedRef = true
ctb := resources.GetClusterTrustBundle(string(caRef.Name))
if ctb != nil {
if ca != "" {
@@ -507,7 +522,10 @@ func getCaCertsFromCARefs(namespace string, caCertificates []gwapiv1.LocalObject
}
if ca == "" {
- return nil, ErrBackendTLSPolicyInvalidKind
+ if !foundSupportedRef {
+ return nil, ErrBackendTLSPolicyInvalidKind
+ }
+ return nil, ErrBackendTLSPolicyNoValidCACertificate
}
return []byte(ca), nil
}
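Review bot: An empty caCertificates list now falls into the new `!foundSupportedRef` branch and is reported as ErrBackendTLSPolicyInvalidKind, whose status message (per the testdata in this diff, "Unsupported reference kind, supported kinds are ConfigMap, Secret, and ClusterTrustBundle") describes an unsupported kind rather than a missing reference. If an empty list cannot reach this function because the CRD or an earlier check rejects it, a comment saying so above `if ca == ""` would settle it; otherwise a `len(caCertificates) == 0` guard returning a dedicated error would be clearer. `foundSupportedRef` is also set before the referenced object is looked up, which is correct only because a missing object returns early in each case; a one-line comment on the flag, `// a ref of a supported kind was seen, even if it yielded no CA`, would make that intent explicit. getCaCertsFromCARefs starts in an earlier hunk.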
diff --git a/internal/gatewayapi/runner/runner.go b/internal/gatewayapi/runner/runner.go
index 8c5ed81d14..7f37c865b7 100644
--- a/internal/gatewayapi/runner/runner.go
+++ b/internal/gatewayapi/runner/runner.go
@@ -132,7 +132,8 @@ func (r *Runner) startWasmCache(ctx context.Context) {
}
func (r *Runner) subscribeAndTranslate(sub <-chan watchable.Snapshot[string, *resource.ControllerResources]) {
- message.HandleSubscription(message.Metadata{Runner: r.Name(), Message: message.ProviderResourcesMessageName}, sub,
+ message.HandleSubscription(r.Logger,
+ message.Metadata{Runner: r.Name(), Message: message.ProviderResourcesMessageName}, sub,
func(update message.Update[string, *resource.ControllerResources], errChan chan error) {
r.Logger.Info("received an update", "key", update.Key)
val := update.Value
diff --git a/internal/gatewayapi/testdata/backendtlspolicy-invalid-ca.out.yaml b/internal/gatewayapi/testdata/backendtlspolicy-invalid-ca.out.yaml
index e932a38ce0..00bf125f7c 100644
--- a/internal/gatewayapi/testdata/backendtlspolicy-invalid-ca.out.yaml
+++ b/internal/gatewayapi/testdata/backendtlspolicy-invalid-ca.out.yaml
@@ -59,12 +59,14 @@ backendTLSPolicies:
sectionName: http
conditions:
- lastTransitionTime: null
- message: No CA bundle found in referenced ConfigMap, Secret, or ClusterTrustBundle.
+ message: Unsupported reference kind, supported kinds are ConfigMap, Secret,
+ and ClusterTrustBundle.
reason: NoValidCACertificate
status: "False"
type: Accepted
- lastTransitionTime: null
- message: No CA bundle found in referenced ConfigMap, Secret, or ClusterTrustBundle.
+ message: Unsupported reference kind, supported kinds are ConfigMap, Secret,
+ and ClusterTrustBundle.
reason: InvalidKind
status: "False"
type: ResolvedRefs
@@ -143,7 +145,7 @@ httpRoutes:
- lastTransitionTime: null
message: |-
Failed to process route rule 0 backendRef 0: configmap no-ca-cmap not found in namespace backends.
- Failed to process route rule 0 backendRef 1: no CA bundle found in referenced ConfigMap, Secret, or ClusterTrustBundle.
+ Failed to process route rule 0 backendRef 1: Unsupported reference kind, supported kinds are ConfigMap, Secret, and ClusterTrustBundle.
reason: InvalidBackendTLS
status: "False"
type: ResolvedRefs
diff --git a/internal/gatewayapi/testdata/tcproute-with-backendtlspolicy.in.yaml b/internal/gatewayapi/testdata/tcproute-with-backendtlspolicy.in.yaml
new file mode 100644
index 0000000000..08ed833792
--- /dev/null
+++ b/internal/gatewayapi/testdata/tcproute-with-backendtlspolicy.in.yaml
@@ -0,0 +1,70 @@
+envoyProxyForGatewayClass:
+ apiVersion: gateway.envoyproxy.io/v1alpha1
+ kind: EnvoyProxy
+ metadata:
+ namespace: envoy-gateway-system
+ name: test
+ spec:
+ backendTLS:
+ clientCertificateRef:
+ group: ""
+ kind: Secret
+ name: client-auth
+secrets:
+ - apiVersion: v1
+ kind: Secret
+ metadata:
+ name: client-auth
+ namespace: envoy-gateway-system
+ type: kubernetes.io/tls
+ data:
+ tls.crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSURKRENDQWd5Z0F3SUJBZ0lVU3JTYktMZjBiTEVHb2dXeC9nQ3cyR0N0dnhFd0RRWUpLb1pJaHZjTkFRRUwKQlFBd0V6RVJNQThHQTFVRUF3d0lWR1Z6ZENCSmJtTXdIaGNOTWpRd01qSTVNRGt6TURFd1doY05NelF3TWpJMgpNRGt6TURFd1dqQVRNUkV3RHdZRFZRUUREQWhVWlhOMElFbHVZekNDQVNJd0RRWUpLb1pJaHZjTkFRRUJCUUFECmdnRVBBRENDQVFvQ2dnRUJBSzFKempQSWlXZzNxb0hTckFkZGtlSmphTVA5aXlNVGkvQlBvOWNKUG9SRThaaTcKV2FwVXJYTC85QTlyK2pITXlHSVpOWk5kY1o1Y1kyWHYwTFA4WnhWeTJsazArM3d0WXpIbnBHWUdWdHlxMnRldApEaEZzaVBsODJZUmpDMG16V2E0UU16NFNYekZITmdJRHBSZGhmcm92bXNldVdHUUU4cFY0VWQ5VUsvU0tpbE1PCnF0QjVKaXJMUDJWczVUMW9XaWNXTFF2ZmJHd3Y3c0ZEZHI5YkcwWHRTUXAxN0hTZ281MFNERTUrQmpTbXB0RncKMVZjS0xscWFoTVhCRERpb3Jnd2hJaEdHS3BFU2VNMFA3YkZoVm1rTTNhc2gyeFNUQnVGVUJEbEU0Sk9haHp3cwpEWHJ1cFVoRGRTMWhkYzJmUHJqaEZBbEpmV0VZWjZCbFpqeXNpVlVDQXdFQUFhTndNRzR3SFFZRFZSME9CQllFCkZCUXVmSzFMaWJ1Vm05VHMvVmpCeDhMM3VpTmVNQjhHQTFVZEl3UVlNQmFBRkJRdWZLMUxpYnVWbTlUcy9WakIKeDhMM3VpTmVNQThHQTFVZEV3RUIvd1FGTUFNQkFmOHdHd1lEVlIwUkJCUXdFb0lCS29JTktpNWxlR0Z0Y0d4bApMbU52YlRBTkJna3Foa2lHOXcwQkFRc0ZBQU9DQVFFQWZQUzQxYWdldldNVjNaWHQwQ09GRzN1WWZQRlhuVnc2ClA0MXA5TzZHa2RZc3VxRnZQZVR5eUgyL2RBSUtLd1N6TS9wdGhnOEtuOExabG1KeUZObkExc3RKeG41WGRiVjEKcFBxajhVdllDQnp5ak1JcW1SeW9peUxpUWxib2hNYTBVZEVCS2NIL1BkTEU5SzhUR0pyWmdvR1hxcTFXbWl0RAozdmNQalNlUEtFaVVKVlM5bENoeVNzMEtZNUIraFVRRDBKajZucEZENFprMHhxZHhoMHJXdWVDcXE3dmpxRVl6CnBqNFB3cnVmbjFQQlRtZnhNdVYvVUpWNWViaWtldVpQMzVrV3pMUjdaV0FMN3d1RGRXcC82bzR5azNRTGFuRFEKQ3dnQ0ZjWCtzcyswVnl1TTNZZXJUT1VVOFFWSkp4NFVaQU5aeDYrNDNwZEpaT2NudFBaNENBPT0KLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQo=
+ tls.key: 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
+gateways:
+ - apiVersion: gateway.networking.k8s.io/v1
+ kind: Gateway
+ metadata:
+ namespace: envoy-gateway
+ name: gateway-1
+ spec:
+ gatewayClassName: envoy-gateway-class
+ listeners:
+ - name: tcp
+ protocol: TCP
+ port: 90
+ allowedRoutes:
+ namespaces:
+ from: All
+tcpRoutes:
+ - apiVersion: gateway.networking.k8s.io/v1alpha2
+ kind: TCPRoute
+ metadata:
+ namespace: default
+ name: tcproute-1
+ spec:
+ parentRefs:
+ - namespace: envoy-gateway
+ name: gateway-1
+ rules:
+ - name: rule-1
+ backendRefs:
+ - name: service-1
+ port: 8080
+backendTLSPolicies:
+ - apiVersion: gateway.networking.k8s.io/v1alpha2
+ kind: BackendTLSPolicy
+ metadata:
+ name: policy-btls-for-service-1
+ namespace: default
+ spec:
+ targetRefs:
+ - kind: Service
+ name: service-1
+ validation:
+ wellKnownCACertificates: System
+ hostname: example.com
+ subjectAltNames:
+ - type: URI
+ uri: spiffe://cluster.local/ns/istio-demo/sa/echo-v1
+ - type: Hostname
+ hostname: subdomain.secondexample.com
diff --git a/internal/gatewayapi/testdata/tcproute-with-backendtlspolicy.out.yaml b/internal/gatewayapi/testdata/tcproute-with-backendtlspolicy.out.yaml
new file mode 100644
index 0000000000..cabe2673a7
--- /dev/null
+++ b/internal/gatewayapi/testdata/tcproute-with-backendtlspolicy.out.yaml
@@ -0,0 +1,213 @@
+backendTLSPolicies:
+- apiVersion: gateway.networking.k8s.io/v1alpha2
+ kind: BackendTLSPolicy
+ metadata:
+ name: policy-btls-for-service-1
+ namespace: default
+ spec:
+ targetRefs:
+ - group: ""
+ kind: Service
+ name: service-1
+ validation:
+ hostname: example.com
+ subjectAltNames:
+ - type: URI
+ uri: spiffe://cluster.local/ns/istio-demo/sa/echo-v1
+ - hostname: subdomain.secondexample.com
+ type: Hostname
+ wellKnownCACertificates: System
+ status:
+ ancestors:
+ - ancestorRef:
+ name: gateway-1
+ namespace: envoy-gateway
+ conditions:
+ - lastTransitionTime: null
+ message: Resolved all the Object references.
+ reason: ResolvedRefs
+ status: "True"
+ type: ResolvedRefs
+ - lastTransitionTime: null
+ message: Policy has been accepted.
+ reason: Accepted
+ status: "True"
+ type: Accepted
+ controllerName: gateway.envoyproxy.io/gatewayclass-controller
+gateways:
+- apiVersion: gateway.networking.k8s.io/v1
+ kind: Gateway
+ metadata:
+ name: gateway-1
+ namespace: envoy-gateway
+ spec:
+ gatewayClassName: envoy-gateway-class
+ listeners:
+ - allowedRoutes:
+ namespaces:
+ from: All
+ name: tcp
+ port: 90
+ protocol: TCP
+ status:
+ listeners:
+ - attachedRoutes: 1
+ conditions:
+ - lastTransitionTime: null
+ message: Sending translated listener configuration to the data plane
+ reason: Programmed
+ status: "True"
+ type: Programmed
+ - lastTransitionTime: null
+ message: Listener has been successfully translated
+ reason: Accepted
+ status: "True"
+ type: Accepted
+ - lastTransitionTime: null
+ message: Listener references have been resolved
+ reason: ResolvedRefs
+ status: "True"
+ type: ResolvedRefs
+ name: tcp
+ supportedKinds:
+ - group: gateway.networking.k8s.io
+ kind: TCPRoute
+infraIR:
+ envoy-gateway/gateway-1:
+ proxy:
+ config:
+ apiVersion: gateway.envoyproxy.io/v1alpha1
+ kind: EnvoyProxy
+ metadata:
+ name: test
+ namespace: envoy-gateway-system
+ spec:
+ backendTLS:
+ clientCertificateRef:
+ group: ""
+ kind: Secret
+ name: client-auth
+ logging: {}
+ status: {}
+ listeners:
+ - address: null
+ name: envoy-gateway/gateway-1/tcp
+ ports:
+ - containerPort: 10090
+ name: tcp-90
+ protocol: TCP
+ servicePort: 90
+ metadata:
+ labels:
+ gateway.envoyproxy.io/owning-gateway-name: gateway-1
+ gateway.envoyproxy.io/owning-gateway-namespace: envoy-gateway
+ ownerReference:
+ kind: GatewayClass
+ name: envoy-gateway-class
+ name: envoy-gateway/gateway-1
+ namespace: envoy-gateway-system
+tcpRoutes:
+- apiVersion: gateway.networking.k8s.io/v1alpha2
+ kind: TCPRoute
+ metadata:
+ name: tcproute-1
+ namespace: default
+ spec:
+ parentRefs:
+ - name: gateway-1
+ namespace: envoy-gateway
+ rules:
+ - backendRefs:
+ - name: service-1
+ port: 8080
+ name: rule-1
+ status:
+ parents:
+ - conditions:
+ - lastTransitionTime: null
+ message: Route is accepted
+ reason: Accepted
+ status: "True"
+ type: Accepted
+ - lastTransitionTime: null
+ message: Resolved all the Object references for the Route
+ reason: ResolvedRefs
+ status: "True"
+ type: ResolvedRefs
+ controllerName: gateway.envoyproxy.io/gatewayclass-controller
+ parentRef:
+ name: gateway-1
+ namespace: envoy-gateway
+xdsIR:
+ envoy-gateway/gateway-1:
+ accessLog:
+ json:
+ - path: /dev/stdout
+ globalResources:
+ proxyServiceCluster:
+ metadata:
+ name: envoy-envoy-gateway-gateway-1-196ae069
+ namespace: envoy-gateway-system
+ sectionName: "8080"
+ name: envoy-gateway/gateway-1
+ settings:
+ - addressType: IP
+ endpoints:
+ - host: 7.6.5.4
+ port: 8080
+ zone: zone1
+ metadata:
+ name: envoy-envoy-gateway-gateway-1-196ae069
+ namespace: envoy-gateway-system
+ sectionName: "8080"
+ name: envoy-gateway/gateway-1
+ protocol: TCP
+ readyListener:
+ address: 0.0.0.0
+ ipFamily: IPv4
+ path: /ready
+ port: 19003
+ tcp:
+ - address: 0.0.0.0
+ externalPort: 90
+ metadata:
+ kind: Gateway
+ name: gateway-1
+ namespace: envoy-gateway
+ sectionName: tcp
+ name: envoy-gateway/gateway-1/tcp
+ port: 10090
+ routes:
+ - destination:
+ metadata:
+ kind: TCPRoute
+ name: tcproute-1
+ namespace: default
+ sectionName: rule-1
+ name: tcproute/default/tcproute-1/rule/-1
+ settings:
+ - addressType: IP
+ endpoints:
+ - host: 7.7.7.7
+ port: 8080
+ metadata:
+ name: service-1
+ namespace: default
+ sectionName: "8080"
+ name: tcproute/default/tcproute-1/rule/-1/backend/0
+ protocol: TCP
+ tls:
+ alpnProtocols: null
+ caCertificate:
+ name: policy-btls-for-service-1/default-ca
+ clientCertificates:
+ - certificate: 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
+ name: envoy-gateway-system/client-auth
+ privateKey: '[redacted]'
+ sni: example.com
+ subjectAltNames:
+ - uri: spiffe://cluster.local/ns/istio-demo/sa/echo-v1
+ - hostname: subdomain.secondexample.com
+ useSystemTrustStore: true
+ weight: 1
+ name: tcproute/default/tcproute-1
diff --git a/internal/globalratelimit/runner/runner.go b/internal/globalratelimit/runner/runner.go
index e91efaca76..c63953f137 100644
--- a/internal/globalratelimit/runner/runner.go
+++ b/internal/globalratelimit/runner/runner.go
@@ -136,7 +136,8 @@ func (r *Runner) translateFromSubscription(ctx context.Context, c <-chan watchab
// rateLimitConfigsCache is a cache of the rate limit config, which is keyed by the xdsIR key.
rateLimitConfigsCache := map[string][]cachetype.Resource{}
- message.HandleSubscription(message.Metadata{Runner: r.Name(), Message: message.XDSIRMessageName}, c,
+ message.HandleSubscription(r.Logger,
+ message.Metadata{Runner: r.Name(), Message: message.XDSIRMessageName}, c,
func(update message.Update[string, *ir.Xds], errChan chan error) {
r.Logger.Info("received a notification")
diff --git a/internal/infrastructure/runner/runner.go b/internal/infrastructure/runner/runner.go
index 7db6428c04..6b6998f849 100644
--- a/internal/infrastructure/runner/runner.go
+++ b/internal/infrastructure/runner/runner.go
@@ -104,7 +104,9 @@ func (r *Runner) Start(ctx context.Context) (err error) {
func (r *Runner) updateProxyInfraFromSubscription(ctx context.Context, sub <-chan watchable.Snapshot[string, *ir.Infra]) {
// Subscribe to resources
- message.HandleSubscription(message.Metadata{Runner: r.Name(), Message: message.InfraIRMessageName}, sub,
+ message.HandleSubscription(
+ r.Logger,
+ message.Metadata{Runner: r.Name(), Message: message.InfraIRMessageName}, sub,
func(update message.Update[string, *ir.Infra], errChan chan error) {
r.Logger.Info("received an update", "key", update.Key, "delete", update.Delete)
val := update.Value
diff --git a/internal/message/watchutil.go b/internal/message/watchutil.go
index 83ef831f67..ac0d6990b6 100644
--- a/internal/message/watchutil.go
+++ b/internal/message/watchutil.go
@@ -7,22 +7,17 @@ package message
import (
"fmt"
- "os"
"runtime/debug"
"time"
"github.com/telepresenceio/watchable"
- egv1a1 "github.com/envoyproxy/gateway/api/v1alpha1"
"github.com/envoyproxy/gateway/internal/logging"
"github.com/envoyproxy/gateway/internal/metrics"
)
type Update[K comparable, V any] watchable.Update[K, V]
-// TODO: Remove the global logger and localize the scope of the logger.
-var logger = logging.DefaultLogger(os.Stdout, egv1a1.LogLevelInfo).WithName("watchable")
-
type Metadata struct {
Runner string
Message MessageName
@@ -47,14 +42,16 @@ func (m Metadata) LabelValues() []metrics.LabelValue {
// handleWithCrashRecovery calls the provided handle function and gracefully recovers from any panics
// that might occur when the handle function is called.
func handleWithCrashRecovery[K comparable, V any](
+ l logging.Logger,
handle func(updateFunc Update[K, V], errChans chan error),
update Update[K, V],
meta Metadata,
errChans chan error,
) {
+ logger := l.WithValues("runner", meta.Runner)
defer func() {
if r := recover(); r != nil {
- logger.WithValues("runner", meta.Runner).Error(fmt.Errorf("%+v", r), "observed a panic",
+ logger.Error(fmt.Errorf("%+v", r), "observed a panic",
"stackTrace", string(debug.Stack()))
watchableSubscribeTotal.WithFailure(metrics.ReasonError, meta.LabelValues()...).Increment()
panicCounter.WithFailure(metrics.ReasonError, meta.LabelValues()...).Increment()
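Review bot: `logger := l.WithValues("runner", meta.Runner)` now runs on every update even though the derived logger is only used in the recover path, whereas the old code built it only when a panic actually occurred; moving the `WithValues` call inside the `if r := recover(); r != nil` branch, or deriving the runner-scoped logger once in HandleSubscription and passing it down, keeps the per-update path free of that allocation. The new parameter is named `l` here and in HandleSubscription but `logger` in coalesceUpdates (the `@@ -109,7 +106,7 @@` hunk); one name across the three functions would read better. handleWithCrashRecovery's body continues beyond the hunk.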
@@ -74,7 +71,7 @@ func handleWithCrashRecovery[K comparable, V any](
// This is better than simply iterating over snapshot.Updates because
// it handles the case where the watchable.Map already contains
// entries before .Subscribe is called.
-func HandleSubscription[K comparable, V any](
+func HandleSubscription[K comparable, V any](l logging.Logger,
meta Metadata,
subscription <-chan watchable.Snapshot[K, V],
handle func(updateFunc Update[K, V], errChans chan error),
@@ -83,7 +80,7 @@ func HandleSubscription[K comparable, V any](
errChans := make(chan error, 10)
go func() {
for err := range errChans {
- logger.WithValues("runner", meta.Runner).Error(err, "observed an error")
+ l.Error(err, "observed an error")
watchableSubscribeTotal.WithFailure(metrics.ReasonError, meta.LabelValues()...).Increment()
}
}()
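Review bot: The `"runner"` key is dropped from the error log here (`l.Error(err, "observed an error")`) and from the coalesce log in the `@@ -129,7 +126,7 @@` hunk, while handleWithCrashRecovery still attaches it; callers such as the provider status updater pass the same `r.log` to every subscription, so unless that logger already carries the runner name these two lines lose the correlation the old code had. Keeping `l.WithValues("runner", meta.Runner).Error(err, "observed an error")`, or deriving a runner-scoped logger once at the top of HandleSubscription and using it everywhere, would restore it consistently. HandleSubscription's body spans several hunks here.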
@@ -91,7 +88,7 @@ func HandleSubscription[K comparable, V any](
if snapshot, ok := <-subscription; ok {
for k, v := range snapshot.State {
- handleWithCrashRecovery(handle, Update[K, V]{
+ handleWithCrashRecovery(l, handle, Update[K, V]{
Key: k,
Value: v,
}, meta, errChans)
@@ -100,8 +97,8 @@ func HandleSubscription[K comparable, V any](
for snapshot := range subscription {
watchableDepth.With(meta.LabelValues()...).Record(float64(len(subscription)))
- for _, update := range coalesceUpdates(meta.Runner, snapshot.Updates) {
- handleWithCrashRecovery(handle, Update[K, V](update), meta, errChans)
+ for _, update := range coalesceUpdates(l, snapshot.Updates) {
+ handleWithCrashRecovery(l, handle, Update[K, V](update), meta, errChans)
}
}
}
@@ -109,7 +106,7 @@ func HandleSubscription[K comparable, V any](
// coalesceUpdates merges multiple updates for the same key into a single update,
// preserving the latest state for each key.
// This helps reduce redundant processing and ensures that only the most recent update per key is handled.
-func coalesceUpdates[K comparable, V any](runner string, updates []watchable.Update[K, V]) []watchable.Update[K, V] {
+func coalesceUpdates[K comparable, V any](logger logging.Logger, updates []watchable.Update[K, V]) []watchable.Update[K, V] {
if len(updates) <= 1 {
return updates
}
@@ -129,7 +126,7 @@ func coalesceUpdates[K comparable, V any](runner string, updates []watchable.Upd
result := updates[write+1:]
if len(result) != len(updates) {
- logger.WithValues("runner", runner).Info(
+ logger.Info(
"coalesced updates",
"count", len(result),
"before", len(updates),
diff --git a/internal/message/watchutil_internal_test.go b/internal/message/watchutil_internal_test.go
index 8bf56ab2e2..445457c1a5 100644
--- a/internal/message/watchutil_internal_test.go
+++ b/internal/message/watchutil_internal_test.go
@@ -6,15 +6,19 @@
package message
import (
+ "os"
"testing"
"github.com/stretchr/testify/require"
"github.com/telepresenceio/watchable"
+
+ egv1a1 "github.com/envoyproxy/gateway/api/v1alpha1"
+ "github.com/envoyproxy/gateway/internal/logging"
)
func TestCoalesceUpdates(t *testing.T) {
t.Parallel()
-
+ logger := logging.NewLogger(os.Stdout, egv1a1.DefaultEnvoyGatewayLogging())
tests := []struct {
name string
input []watchable.Update[string, int]
@@ -61,7 +65,7 @@ func TestCoalesceUpdates(t *testing.T) {
t.Run(tc.name, func(t *testing.T) {
t.Parallel()
- actual := coalesceUpdates("test-runner", tc.input)
+ actual := coalesceUpdates(logger, tc.input)
require.Equal(t, tc.expected, actual)
})
}
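Review bot: TestCoalesceUpdates builds its logger on `os.Stdout`, while the new test code in watchutil_test.go uses `io.Discard`; coalesceUpdates logs whenever it merges a batch, so this adds noise to `go test` output without adding any assertion value. `logger := logging.NewLogger(io.Discard, egv1a1.DefaultEnvoyGatewayLogging())` (swapping the `os` import for `io`) matches the sibling file.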
diff --git a/internal/message/watchutil_test.go b/internal/message/watchutil_test.go
index 21411b3f6f..c4895b4149 100644
--- a/internal/message/watchutil_test.go
+++ b/internal/message/watchutil_test.go
@@ -7,6 +7,7 @@ package message_test
import (
"context"
+ "io"
"testing"
"time"
@@ -15,7 +16,9 @@ import (
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
gwapiv1 "sigs.k8s.io/gateway-api/apis/v1"
+ egv1a1 "github.com/envoyproxy/gateway/api/v1alpha1"
"github.com/envoyproxy/gateway/internal/gatewayapi/resource"
+ "github.com/envoyproxy/gateway/internal/logging"
"github.com/envoyproxy/gateway/internal/message"
)
@@ -24,7 +27,8 @@ func TestHandleSubscriptionAlreadyClosed(t *testing.T) {
close(ch)
var calls int
- message.HandleSubscription[string, any](
+ message.HandleSubscription(
+ logging.NewLogger(io.Discard, egv1a1.DefaultEnvoyGatewayLogging()),
message.Metadata{Runner: "demo", Message: "demo"},
ch,
func(update message.Update[string, any], errChans chan error) { calls++ },
@@ -49,7 +53,8 @@ func TestPanicInSubscriptionHandler(t *testing.T) {
}()
numCalls := 0
- message.HandleSubscription[string, any](
+ message.HandleSubscription(
+ logging.NewLogger(io.Discard, egv1a1.DefaultEnvoyGatewayLogging()),
message.Metadata{Runner: "demo", Message: "demo"},
m.Subscribe(context.Background()),
func(update message.Update[string, any], errChans chan error) {
@@ -77,7 +82,8 @@ func TestHandleSubscriptionAlreadyInitialized(t *testing.T) {
var storeCalls int
var deleteCalls int
- message.HandleSubscription[string, any](
+ message.HandleSubscription(
+ logging.NewLogger(io.Discard, egv1a1.DefaultEnvoyGatewayLogging()),
message.Metadata{Runner: "demo", Message: "demo"},
m.Subscribe(context.Background()),
func(update message.Update[string, any], errChans chan error) {
@@ -246,7 +252,7 @@ func TestControllerResourceUpdate(t *testing.T) {
m := &message.ProviderResources{}
snapshotC := m.GatewayAPIResources.Subscribe(ctx)
- endCtx, end := context.WithCancel(ctx)
+ endCtx, cancel := context.WithCancel(ctx)
m.GatewayAPIResources.Store("start", &resource.ControllerResources{})
go func() {
@@ -259,15 +265,17 @@ func TestControllerResourceUpdate(t *testing.T) {
}()
updates := 0
- message.HandleSubscription(message.Metadata{Runner: "demo", Message: "demo"}, snapshotC, func(u message.Update[string, *resource.ControllerResources], errChans chan error) {
- end()
- if u.Key == "test" {
- updates += 1
- }
- if u.Key == "end" {
- m.GatewayAPIResources.Close()
- }
- })
+ message.HandleSubscription(
+ logging.NewLogger(io.Discard, egv1a1.DefaultEnvoyGatewayLogging()),
+ message.Metadata{Runner: "demo", Message: "demo"}, snapshotC, func(u message.Update[string, *resource.ControllerResources], _ chan error) {
+ cancel()
+ if u.Key == "test" {
+ updates += 1
+ }
+ if u.Key == "end" {
+ m.GatewayAPIResources.Close()
+ }
+ })
if tc.updates > 1 {
assert.LessOrEqual(t, updates, tc.updates) // Updates can be coalesced
} else {
diff --git a/internal/provider/kubernetes/kubernetes.go b/internal/provider/kubernetes/kubernetes.go
index 0163fb2d49..0c8fc65e94 100644
--- a/internal/provider/kubernetes/kubernetes.go
+++ b/internal/provider/kubernetes/kubernetes.go
@@ -8,6 +8,7 @@ package kubernetes
import (
"context"
"fmt"
+ "net/http"
"time"
appsv1 "k8s.io/api/apps/v1"
@@ -65,8 +66,36 @@ var (
webhookTLSPort = 9443
)
-// New creates a new Provider from the provided EnvoyGateway.
-func New(ctx context.Context, restCfg *rest.Config, svrCfg *ec.Server, resources *message.ProviderResources) (*Provider, error) {
+// cacheReadyCheck returns a healthz.Checker that verifies the manager's cache has synced.
+// This ensures the control plane has populated its cache with all resources from the API server
+// before reporting ready. This prevents serving inconsistent xDS configuration to Envoy proxies
+// when running multiple control plane replicas during periods of resource churn.
+func cacheReadyCheck(mgr manager.Manager) healthz.Checker {
+ return func(req *http.Request) error {
+ // Use a short timeout to avoid blocking the health check indefinitely.
+ // The readiness probe will retry periodically until the cache syncs.
+ ctx, cancel := context.WithTimeout(req.Context(), 1*time.Second)
+ defer cancel()
+
+ // WaitForCacheSync returns true if the cache has synced, false if the context is cancelled.
+ if !mgr.GetCache().WaitForCacheSync(ctx) {
+ return fmt.Errorf("cache not synced yet")
+ }
+
+ return nil
+ }
+}
+
+func New(ctx context.Context, restCfg *rest.Config, svrCfg *ec.Server,
+ resources *message.ProviderResources,
+) (*Provider, error) {
+ return newProvider(ctx, restCfg, svrCfg, resources)
+}
+
+// newProvider creates a new Provider from the provided EnvoyGateway.
+func newProvider(ctx context.Context, restCfg *rest.Config, svrCfg *ec.Server,
+ resources *message.ProviderResources,
+) (*Provider, error) {
// TODO: Decide which mgr opts should be exposed through envoygateway.provider.kubernetes API.
mgrOpts := manager.Options{
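Review bot: `New` has lost its doc comment — the `// New creates a new Provider from the provided EnvoyGateway.` line moved to the unexported newProvider — and it is now a pass-through with an identical signature, so the exported API is undocumented and the indirection has no visible purpose in this diff; if newProvider exists as a test seam, a comment on New saying so (`// New creates a new Provider from the provided EnvoyGateway; see newProvider.`) would explain it. In cacheReadyCheck, `fmt.Errorf("cache not synced yet")` has no format verbs, so `errors.New("cache not synced yet")` is the idiomatic form (assuming `errors` is or can be imported in this file), and `1*time.Second` is just `time.Second`. newProvider's body continues outside the hunk.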
@@ -198,8 +227,8 @@ func New(ctx context.Context, restCfg *rest.Config, svrCfg *ec.Server, resources
return nil, fmt.Errorf("unable to set up health check: %w", err)
}
- // Add ready check health probes.
- if err := mgr.AddReadyzCheck("readyz", healthz.Ping); err != nil {
+ // Add ready check to wait for a successful sync of the cache.
+ if err := mgr.AddReadyzCheck("cache-sync", cacheReadyCheck(mgr)); err != nil {
return nil, fmt.Errorf("unable to set up ready check: %w", err)
}
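Review bot: Renaming the readiness check from `readyz` to `cache-sync` changes the per-check endpoint controller-runtime serves under `/readyz/<name>`, so anything probing `/readyz/readyz` directly would now fail even though the aggregate `/readyz` still works; if no manifest or tooling relies on the per-check path this is fine, but it deserves a line in the release notes. Gating readiness on `WaitForCacheSync` also means a replica whose informers never finish syncing will never report ready — presumably the intended outcome for the multi-replica consistency described in cacheReadyCheck's comment, so a short comment here stating that trade-off (`// a replica whose cache never syncs stays not-ready by design`) would help future readers. The enclosing function continues outside the hunk.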
diff --git a/internal/provider/kubernetes/status.go b/internal/provider/kubernetes/status.go
index b3aec665f7..7f4dccab16 100644
--- a/internal/provider/kubernetes/status.go
+++ b/internal/provider/kubernetes/status.go
@@ -28,7 +28,7 @@ import (
func (r *gatewayAPIReconciler) updateStatusFromSubscriptions(ctx context.Context, extensionManagerEnabled bool) {
// GatewayClass object status updater
go func() {
- message.HandleSubscription(
+ message.HandleSubscription(r.log,
message.Metadata{Runner: string(egv1a1.LogComponentProviderRunner), Message: message.GatewayClassStatusMessageName},
r.subscriptions.gatewayClassStatuses,
func(update message.Update[types.NamespacedName, *gwapiv1.GatewayClassStatus], errChan chan error) {
@@ -58,7 +58,7 @@ func (r *gatewayAPIReconciler) updateStatusFromSubscriptions(ctx context.Context
// Gateway object status updater
go func() {
- message.HandleSubscription(
+ message.HandleSubscription(r.log,
message.Metadata{Runner: string(egv1a1.LogComponentProviderRunner), Message: message.GatewayStatusMessageName},
r.subscriptions.gatewayStatuses,
func(update message.Update[types.NamespacedName, *gwapiv1.GatewayStatus], errChan chan error) {
@@ -83,7 +83,7 @@ func (r *gatewayAPIReconciler) updateStatusFromSubscriptions(ctx context.Context
// HTTPRoute object status updater
go func() {
- message.HandleSubscription(
+ message.HandleSubscription(r.log,
message.Metadata{Runner: string(egv1a1.LogComponentProviderRunner), Message: message.HTTPRouteStatusMessageName},
r.subscriptions.httpRouteStatuses,
func(update message.Update[types.NamespacedName, *gwapiv1.HTTPRouteStatus], errChan chan error) {
@@ -125,7 +125,9 @@ func (r *gatewayAPIReconciler) updateStatusFromSubscriptions(ctx context.Context
// GRPCRoute object status updater
go func() {
- message.HandleSubscription(message.Metadata{Runner: string(egv1a1.LogComponentProviderRunner), Message: message.GRPCRouteStatusMessageName}, r.subscriptions.grpcRouteStatuses,
+ message.HandleSubscription(r.log,
+ message.Metadata{Runner: string(egv1a1.LogComponentProviderRunner), Message: message.GRPCRouteStatusMessageName},
+ r.subscriptions.grpcRouteStatuses,
func(update message.Update[types.NamespacedName, *gwapiv1.GRPCRouteStatus], errChan chan error) {
// skip delete updates.
if update.Delete {
@@ -165,7 +167,7 @@ func (r *gatewayAPIReconciler) updateStatusFromSubscriptions(ctx context.Context
// TLSRoute object status updater
go func() {
- message.HandleSubscription(
+ message.HandleSubscription(r.log,
message.Metadata{Runner: string(egv1a1.LogComponentProviderRunner), Message: message.TLSRouteStatusMessageName},
r.subscriptions.tlsRouteStatuses,
func(update message.Update[types.NamespacedName, *gwapiv1a2.TLSRouteStatus], errChan chan error) {
@@ -207,7 +209,7 @@ func (r *gatewayAPIReconciler) updateStatusFromSubscriptions(ctx context.Context
// TCPRoute object status updater
go func() {
- message.HandleSubscription(
+ message.HandleSubscription(r.log,
message.Metadata{Runner: string(egv1a1.LogComponentProviderRunner), Message: message.TCPRouteStatusMessageName},
r.subscriptions.tcpRouteStatuses,
func(update message.Update[types.NamespacedName, *gwapiv1a2.TCPRouteStatus], errChan chan error) {
@@ -249,7 +251,7 @@ func (r *gatewayAPIReconciler) updateStatusFromSubscriptions(ctx context.Context
// UDPRoute object status updater
go func() {
- message.HandleSubscription(
+ message.HandleSubscription(r.log,
message.Metadata{Runner: string(egv1a1.LogComponentProviderRunner), Message: message.UDPRouteStatusMessageName},
r.subscriptions.udpRouteStatuses,
func(update message.Update[types.NamespacedName, *gwapiv1a2.UDPRouteStatus], errChan chan error) {
@@ -291,7 +293,7 @@ func (r *gatewayAPIReconciler) updateStatusFromSubscriptions(ctx context.Context
// EnvoyPatchPolicy object status updater
go func() {
- message.HandleSubscription(
+ message.HandleSubscription(r.log,
message.Metadata{Runner: string(egv1a1.LogComponentProviderRunner), Message: message.EnvoyPatchPolicyStatusMessageName},
r.subscriptions.envoyPatchPolicyStatuses,
func(update message.Update[types.NamespacedName, *gwapiv1.PolicyStatus], errChan chan error) {
@@ -329,7 +331,7 @@ func (r *gatewayAPIReconciler) updateStatusFromSubscriptions(ctx context.Context
// ClientTrafficPolicy object status updater
go func() {
- message.HandleSubscription(
+ message.HandleSubscription(r.log,
message.Metadata{Runner: string(egv1a1.LogComponentProviderRunner), Message: message.ClientTrafficPolicyStatusMessageName},
r.subscriptions.clientTrafficPolicyStatuses,
func(update message.Update[types.NamespacedName, *gwapiv1.PolicyStatus], errChan chan error) {
@@ -367,7 +369,7 @@ func (r *gatewayAPIReconciler) updateStatusFromSubscriptions(ctx context.Context
// BackendTrafficPolicy object status updater
go func() {
- message.HandleSubscription(
+ message.HandleSubscription(r.log,
message.Metadata{Runner: string(egv1a1.LogComponentProviderRunner), Message: message.BackendTrafficPolicyStatusMessageName},
r.subscriptions.backendTrafficPolicyStatuses,
func(update message.Update[types.NamespacedName, *gwapiv1.PolicyStatus], errChan chan error) {
@@ -405,7 +407,7 @@ func (r *gatewayAPIReconciler) updateStatusFromSubscriptions(ctx context.Context
// SecurityPolicy object status updater
go func() {
- message.HandleSubscription(
+ message.HandleSubscription(r.log,
message.Metadata{Runner: string(egv1a1.LogComponentProviderRunner), Message: message.SecurityPolicyStatusMessageName},
r.subscriptions.securityPolicyStatuses,
func(update message.Update[types.NamespacedName, *gwapiv1.PolicyStatus], errChan chan error) {
@@ -443,7 +445,12 @@ func (r *gatewayAPIReconciler) updateStatusFromSubscriptions(ctx context.Context
// BackendTLSPolicy object status updater
go func() {
- message.HandleSubscription(message.Metadata{Runner: string(egv1a1.LogComponentProviderRunner), Message: message.BackendTLSPolicyStatusMessageName}, r.subscriptions.backendTLSPolicyStatuses,
+ message.HandleSubscription(r.log,
+ message.Metadata{
+ Runner: string(egv1a1.LogComponentProviderRunner),
+ Message: message.BackendTLSPolicyStatusMessageName,
+ },
+ r.subscriptions.backendTLSPolicyStatuses,
func(update message.Update[types.NamespacedName, *gwapiv1.PolicyStatus], errChan chan error) {
// skip delete updates.
if update.Delete {
@@ -479,7 +486,7 @@ func (r *gatewayAPIReconciler) updateStatusFromSubscriptions(ctx context.Context
// EnvoyExtensionPolicy object status updater
go func() {
- message.HandleSubscription(
+ message.HandleSubscription(r.log,
message.Metadata{Runner: string(egv1a1.LogComponentProviderRunner), Message: message.EnvoyExtensionPolicyStatusMessageName},
r.subscriptions.envoyExtensionPolicyStatuses,
func(update message.Update[types.NamespacedName, *gwapiv1.PolicyStatus], errChan chan error) {
@@ -517,7 +524,7 @@ func (r *gatewayAPIReconciler) updateStatusFromSubscriptions(ctx context.Context
// Backend object status updater
go func() {
- message.HandleSubscription(
+ message.HandleSubscription(r.log,
message.Metadata{Runner: string(egv1a1.LogComponentProviderRunner), Message: message.BackendStatusMessageName},
r.subscriptions.backendStatuses,
func(update message.Update[types.NamespacedName, *egv1a1.BackendStatus], errChan chan error) {
@@ -556,7 +563,7 @@ func (r *gatewayAPIReconciler) updateStatusFromSubscriptions(ctx context.Context
if extensionManagerEnabled {
// ExtensionServerPolicy object status updater
go func() {
- message.HandleSubscription(
+ message.HandleSubscription(r.log,
message.Metadata{Runner: string(egv1a1.LogComponentProviderRunner), Message: message.ExtensionServerPoliciesStatusMessageName},
r.subscriptions.extensionPolicyStatuses,
func(update message.Update[message.NamespacedNameAndGVK, *gwapiv1.PolicyStatus], errChan chan error) {
diff --git a/internal/xds/runner/runner.go b/internal/xds/runner/runner.go
index a875d9d730..93f768fea1 100644
--- a/internal/xds/runner/runner.go
+++ b/internal/xds/runner/runner.go
@@ -255,7 +255,8 @@ func registerServer(srv serverv3.Server, g *grpc.Server) {
func (r *Runner) translateFromSubscription(sub <-chan watchable.Snapshot[string, *ir.Xds]) {
// Subscribe to resources
- message.HandleSubscription(message.Metadata{Runner: r.Name(), Message: message.XDSIRMessageName}, sub,
+ message.HandleSubscription(r.Logger,
+ message.Metadata{Runner: r.Name(), Message: message.XDSIRMessageName}, sub,
func(update message.Update[string, *ir.Xds], errChan chan error) {
r.Logger.Info("received an update")
key := update.Key
@@ -310,7 +311,9 @@ func (r *Runner) translateFromSubscription(sub <-chan watchable.Snapshot[string,
return
}
- // Update snapshot cache
+ // Only update the snapshot cache when there are no system-level errors, to avoid publishing partial resources.
+ // This allows Envoy to continue using the previous known-good snapshot until the next successful translation.
+ // Note: invalid EnvoyPatchPolicies are considered user-level errors and will not prevent the snapshot from being updated.
if err == nil {
if result.XdsResources != nil {
if r.cache == nil {
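Review bot: The new comment states a contract that the `if err == nil` check below does not enforce on its own: nothing at this site separates system-level from user-level errors, so the promise that invalid EnvoyPatchPolicies still publish a snapshot holds only as long as the translate call above (outside this hunk) never returns them through `err`. Worth anchoring that in the comment so the next change to error handling does not accidentally stall config delivery, e.g. `// Note: invalid EnvoyPatchPolicies are surfaced through policy status by the translator and never through err, so they do not block the update.` (hedged, since the reporting path is not visible here). Because Envoy silently keeps serving the last known-good snapshot on a system error, the skipped update should also be observable (an error-level log or a metric), otherwise a gateway can run indefinitely on stale config; whether that already happens above this hunk is not visible.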
diff --git a/internal/xds/translator/cluster.go b/internal/xds/translator/cluster.go
index d349a4b17a..3ce860c4f0 100644
--- a/internal/xds/translator/cluster.go
+++ b/internal/xds/translator/cluster.go
@@ -214,6 +214,10 @@ func buildXdsCluster(args *xdsClusterArgs) (*buildClusterResult, error) {
requiresHTTP2Options = true
}
+ if ds.Protocol == ir.TCP {
+ requiresAutoHTTPConfig = false
+ }
+
// auto HTTP config is required if all the destinations use HTTPS-based protocol
requiresAutoHTTPConfig = requiresAutoHTTPConfig && (ds.TLS != nil)
if ds.TLS != nil {
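Review bot: The new `ds.Protocol == ir.TCP` branch carries no comment, and the comment right after it (`auto HTTP config is required if all the destinations use HTTPS-based protocol`) now describes a weaker condition than the code enforces. A reader needs to know why a TCP destination with TLS, the case the new tcproute-mtls fixture exercises, must not get auto HTTP config: presumably the ALPN-driven HTTP/1.1 vs HTTP/2 upstream selection is meaningless for a raw TCP cluster and would change what Envoy negotiates with the backend. Suggest `// TCP destinations never speak HTTP; force auto HTTP config off even when the upstream uses TLS/mTLS.` above the new branch. The enclosing loop in buildXdsCluster starts before this hunk, so whether a mixed TCP/HTTP destination set is rejected earlier cannot be confirmed here.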
diff --git a/internal/xds/translator/httpfilters.go b/internal/xds/translator/httpfilters.go
index dfcf73bf60..893961610c 100644
--- a/internal/xds/translator/httpfilters.go
+++ b/internal/xds/translator/httpfilters.go
@@ -76,15 +76,15 @@ type OrderedHTTPFilters []*OrderedHTTPFilter
// newOrderedHTTPFilter gives each HTTP filter a rational order.
// This is needed because the order of the filters is important.
-// For example, the health_check filter should be placed in the first position because external load
-// balancer determines whether envoy should receive traffic based on the health check result which
-// only depending on the current draining state of the envoy, result should not be affected by other
-// filters, or else user traffic disruption may happen.
-// the fault filter should be placed in the second position because
-// it doesn't rely on the functionality of other filters, and rejecting early can save computation costs
-// for the remaining filters, the cors filter should be put at the third to avoid unnecessary
-// processing of other filters for unauthorized cross-region access.
-// The router filter must be the last one since it's a terminal filter.
+// For example:
+// - the custom_response filter should be placed first to ensure it sees local replies.
+// - the health_check filter should be placed next because external load balancer determines whether envoy should
+// receive traffic based on the health check result which only depending on the current draining state of the envoy,
+// result should not be affected by other filters, or else user traffic disruption may happen.
+// - the fault filter should be placed after it because it doesn't rely on the functionality of other filters,
+// and rejecting early can save computation costs for the remaining filters.
+// - the cors filter should be put after that to avoid unnecessary processing of other filters for unauthorized cross-region access.
+// - the router filter must be the last one since it's a terminal filter.
//
// Important: please modify this method and set the order for the new filter
// when adding a new filter in the HCM filter chain.
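Review bot: The first bullet justifies placing custom_response before health_check only with "to ensure it sees local replies", while the very next bullet still argues that the health-check result "should not be affected by other filters". If custom_response acts on the response path (presumably Envoy runs encoder filters in reverse chain order, so a filter at position 0 sees every local reply generated by the filters after it), a ResponseOverride matching on a status such as 503 would also rewrite the health_check filter's own reply, which is exactly what the second bullet warns against. Either state that this trade-off is intentional, e.g. `// - the custom_response filter is placed first so that its encoder runs last and can rewrite local replies from every other filter, including health_check;`, or note the mechanism that excludes health-check replies. Minor wording: `which only depending on` should read `which depends only on`.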
@@ -98,31 +98,33 @@ func newOrderedHTTPFilter(filter *hcmv3.HttpFilter) *OrderedHTTPFilter {
// the remaining filters is skipped when rejected early
// Important: After adding new filter types, don't forget to modify the validation rule of the EnvoyFilter type in the API
switch {
- case isFilterType(filter, egv1a1.EnvoyFilterHealthCheck):
+ case isFilterType(filter, egv1a1.EnvoyFilterCustomResponse):
order = 0
- case isFilterType(filter, egv1a1.EnvoyFilterFault):
+ case isFilterType(filter, egv1a1.EnvoyFilterHealthCheck):
order = 1
- case isFilterType(filter, egv1a1.EnvoyFilterCORS):
+ case isFilterType(filter, egv1a1.EnvoyFilterFault):
order = 2
+ case isFilterType(filter, egv1a1.EnvoyFilterCORS):
+ order = 3
case isFilterType(filter, egv1a1.EnvoyFilterHeaderMutation):
// Ensure header mutation run before ext auth which might consume the header.
- order = 3
- case isFilterType(filter, egv1a1.EnvoyFilterExtAuthz):
order = 4
- case isFilterType(filter, egv1a1.EnvoyFilterAPIKeyAuth):
+ case isFilterType(filter, egv1a1.EnvoyFilterExtAuthz):
order = 5
- case isFilterType(filter, egv1a1.EnvoyFilterBasicAuth):
+ case isFilterType(filter, egv1a1.EnvoyFilterAPIKeyAuth):
order = 6
- case isFilterType(filter, egv1a1.EnvoyFilterOAuth2):
+ case isFilterType(filter, egv1a1.EnvoyFilterBasicAuth):
order = 7
- case isFilterType(filter, egv1a1.EnvoyFilterJWTAuthn):
+ case isFilterType(filter, egv1a1.EnvoyFilterOAuth2):
order = 8
- case isFilterType(filter, egv1a1.EnvoyFilterSessionPersistence):
+ case isFilterType(filter, egv1a1.EnvoyFilterJWTAuthn):
order = 9
- case isFilterType(filter, egv1a1.EnvoyFilterBuffer):
+ case isFilterType(filter, egv1a1.EnvoyFilterSessionPersistence):
order = 10
+ case isFilterType(filter, egv1a1.EnvoyFilterBuffer):
+ order = 11
case isFilterType(filter, egv1a1.EnvoyFilterLua):
- order = 11 + mustGetFilterIndex(filter.Name)
+ order = 12 + mustGetFilterIndex(filter.Name)
case isFilterType(filter, egv1a1.EnvoyFilterExtProc):
order = 100 + mustGetFilterIndex(filter.Name)
case isFilterType(filter, egv1a1.EnvoyFilterWasm):
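Review bot: Every insertion into the fixed-position part of the chain renumbers all following cases by hand (this hunk touches twelve lines to add one filter), and the relative order of header_mutation, cors, custom_response and the auth filters is security-relevant, so an off-by-one during the next renumbering silently moves an authorization filter. A point of style: keep the fixed-position filters in one ordered slice and derive the order from the index, so adding a filter is a one-line change and the Lua base (`12` here, previously `11`) no longer has to track the count by hand. The remaining cases (ext_proc at 100+, wasm, rbac, ratelimit and the 300-series) stay as they are; they run past the end of this hunk. This assumes the EnvoyFilter* constants share one string type, which the `EnvoyFilterOAuth2 + "/securitypolicy/..."` concatenation in the test suggests.
```go
// fixedOrderFilters lists the filters with a fixed chain position, in chain order.
// The index is the filter's sort order; the relative order matters
// (header_mutation must precede ext_authz, which may consume the header).
var fixedOrderFilters = []egv1a1.EnvoyFilter{
	egv1a1.EnvoyFilterCustomResponse,
	egv1a1.EnvoyFilterHealthCheck,
	egv1a1.EnvoyFilterFault,
	egv1a1.EnvoyFilterCORS,
	egv1a1.EnvoyFilterHeaderMutation,
	egv1a1.EnvoyFilterExtAuthz,
	egv1a1.EnvoyFilterAPIKeyAuth,
	egv1a1.EnvoyFilterBasicAuth,
	egv1a1.EnvoyFilterOAuth2,
	egv1a1.EnvoyFilterJWTAuthn,
	egv1a1.EnvoyFilterSessionPersistence,
	egv1a1.EnvoyFilterBuffer,
}

	// … unchanged: start of newOrderedHTTPFilter …
	fixed := false
	for i, ft := range fixedOrderFilters {
		if isFilterType(filter, ft) {
			order, fixed = i, true
			break
		}
	}
	switch {
	case fixed:
		// order already assigned from fixedOrderFilters
	case isFilterType(filter, egv1a1.EnvoyFilterLua):
		order = len(fixedOrderFilters) + mustGetFilterIndex(filter.Name)
	// … unchanged: ext_proc, wasm, rbac, ratelimit and the 300-series cases …
	}
```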
@@ -137,8 +139,6 @@ func newOrderedHTTPFilter(filter *hcmv3.HttpFilter) *OrderedHTTPFilter {
order = 304
case isFilterType(filter, egv1a1.EnvoyFilterGRPCStats):
order = 305
- case isFilterType(filter, egv1a1.EnvoyFilterCustomResponse):
- order = 306
case isFilterType(filter, egv1a1.EnvoyFilterCredentialInjector):
order = 307
case isFilterType(filter, egv1a1.EnvoyFilterCompressor):
diff --git a/internal/xds/translator/httpfilters_test.go b/internal/xds/translator/httpfilters_test.go
index 5063c34b41..282cc41d12 100644
--- a/internal/xds/translator/httpfilters_test.go
+++ b/internal/xds/translator/httpfilters_test.go
@@ -31,6 +31,7 @@ func Test_sortHTTPFilters(t *testing.T) {
httpFilterForTest(egv1a1.EnvoyFilterHeaderMutation),
httpFilterForTest(egv1a1.EnvoyFilterJWTAuthn),
httpFilterForTest(egv1a1.EnvoyFilterOAuth2 + "/securitypolicy/default/policy-for-http-route-1"),
+ httpFilterForTest(egv1a1.EnvoyFilterCustomResponse),
httpFilterForTest(egv1a1.EnvoyFilterBasicAuth),
httpFilterForTest(egv1a1.EnvoyFilterWasm + "/envoyextensionpolicy/default/policy-for-http-route-1/2"),
httpFilterForTest(egv1a1.EnvoyFilterRateLimit),
@@ -46,6 +47,7 @@ func Test_sortHTTPFilters(t *testing.T) {
httpFilterForTest(egv1a1.EnvoyFilterBuffer),
},
want: []*hcmv3.HttpFilter{
+ httpFilterForTest(egv1a1.EnvoyFilterCustomResponse),
httpFilterForTest(wellknown.HealthCheck),
httpFilterForTest(egv1a1.EnvoyFilterFault),
httpFilterForTest(egv1a1.EnvoyFilterCORS),
diff --git a/internal/xds/translator/route.go b/internal/xds/translator/route.go
index c255e5f01f..4f79caeb1f 100644
--- a/internal/xds/translator/route.go
+++ b/internal/xds/translator/route.go
@@ -73,7 +73,7 @@ func buildXdsRoute(httpRoute *ir.HTTPRoute, httpListener *ir.HTTPListener) (*rou
router.Action = &routev3.Route_Redirect{Redirect: buildXdsRedirectAction(httpRoute)}
case httpRoute.URLRewrite != nil:
routeAction := buildXdsURLRewriteAction(httpRoute, httpRoute.URLRewrite, httpRoute.PathMatch)
- routeAction.IdleTimeout = idleTimeout(httpRoute)
+ routeAction.IdleTimeout = idleTimeout(httpRoute, httpListener)
if httpRoute.Mirrors != nil {
routeAction.RequestMirrorPolicies = buildXdsRequestMirrorPolicies(httpRoute.Mirrors)
}
@@ -85,7 +85,7 @@ func buildXdsRoute(httpRoute *ir.HTTPRoute, httpListener *ir.HTTPListener) (*rou
router.Action = &routev3.Route_Route{Route: routeAction}
default:
routeAction := buildXdsRouteAction(httpRoute)
- routeAction.IdleTimeout = idleTimeout(httpRoute)
+ routeAction.IdleTimeout = idleTimeout(httpRoute, httpListener)
if httpRoute.Mirrors != nil {
routeAction.RequestMirrorPolicies = buildXdsRequestMirrorPolicies(httpRoute.Mirrors)
@@ -377,21 +377,31 @@ func getEffectiveRequestTimeout(httpRoute *ir.HTTPRoute) *metav1.Duration {
return nil
}
-func idleTimeout(httpRoute *ir.HTTPRoute) *durationpb.Duration {
- rt := getEffectiveRequestTimeout(httpRoute)
- timeout := time.Hour // Default to 1 hour
- if rt != nil {
- // Ensure is not less than the request timeout
- if timeout < rt.Duration {
- timeout = rt.Duration
- }
+func idleTimeout(httpRoute *ir.HTTPRoute, httpListener *ir.HTTPListener) *durationpb.Duration {
+ // When a user-configured stream idle timeout exists at the listener level, avoid overriding it at the route level
+ // and allow the user-configured listener-level timeout to take effect.
+ // TODO: we may need to support route-level idle timeout in the BackendTrafficPolicy
+ if httpListener != nil &&
+ httpListener.Timeout != nil &&
+ httpListener.Timeout.HTTP != nil &&
+ httpListener.Timeout.HTTP.StreamIdleTimeout != nil {
+ return nil
+ }
+ // When a user-configured request timeout exists at the route level, and no user-configured stream idle timeout exists
+ // at the listener level, set a route-level idle timeout to avoid stream timeout before request timeout.
+ requestTimeout := getEffectiveRequestTimeout(httpRoute)
+ idleTimeout := time.Hour // Default to 1 hour
+ if requestTimeout != nil {
+ // Ensure the idle timeout is not less than the request timeout
+ if idleTimeout < requestTimeout.Duration {
+ idleTimeout = requestTimeout.Duration
+ }
// Disable idle timeout when request timeout is disabled
- if rt.Duration == 0 {
- timeout = 0
+ if requestTimeout.Duration == 0 {
+ idleTimeout = 0
}
-
- return durationpb.New(timeout)
+ return durationpb.New(idleTimeout)
}
return nil
}
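Review bot: idleTimeout has no doc comment, and the precedence it now implements is easy to misread: a listener-level StreamIdleTimeout wins unconditionally, so when it is shorter than the route's requestTimeout the clamp at `if idleTimeout < requestTimeout.Duration` no longer runs and a slow-but-active request can be cut short by the listener value — presumably intended, since that value is user-configured, but nothing says so. Suggest above the signature: `// idleTimeout returns the route-level idle timeout to emit, or nil to leave it unset.` / `// A user-configured listener StreamIdleTimeout always takes precedence and suppresses the route value, even when it is` / `// shorter than the route's request timeout; otherwise the route value is clamped to be no less than the request timeout.` The `requestTimeout.Duration == 0` branch still emits `0s`, which disables the idle timeout for that route entirely; it is worth stating that this now only happens when the listener has no StreamIdleTimeout, since an unbounded idle stream is the DoS-relevant case.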
diff --git a/internal/xds/translator/testdata/in/xds-ir/http-route-timeout.yaml b/internal/xds/translator/testdata/in/xds-ir/http-route-timeout.yaml
index 9164b6b082..64b4e12779 100644
--- a/internal/xds/translator/testdata/in/xds-ir/http-route-timeout.yaml
+++ b/internal/xds/translator/testdata/in/xds-ir/http-route-timeout.yaml
@@ -101,3 +101,32 @@ http:
- host: "1.2.3.4"
port: 50002
name: "seventh-route-dest/backend/0"
+- name: "second-listener"
+ address: "::"
+ port: 10081
+ hostnames:
+ - "*"
+ path:
+ mergeSlashes: true
+ escapedSlashesAction: UnescapeAndRedirect
+ timeout:
+ http:
+ streamIdleTimeout: 10s
+ routes:
+ - name: "first-route"
+ hostname: "*"
+ traffic:
+ timeout:
+ http:
+ requestTimeout: 5s # should not set route-level idle timeout because listener has it
+ headerMatches:
+ - name: user
+ stringMatch:
+ exact: "jason"
+ destination:
+ name: "first-route-dest"
+ settings:
+ - endpoints:
+ - host: "1.2.3.4"
+ port: 50000
+ name: "first-route-dest/backend/0"
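Review bot: The new listener only exercises the case where the listener-level streamIdleTimeout (10s) exceeds the route requestTimeout (5s), so the expected output would be identical whether the translator suppresses the route idle timeout or clamps it to the request timeout. A second route on this listener with `requestTimeout: 30s` (larger than the 10s listener idle timeout) would pin the precedence rule introduced in route.go: the route must still emit no idleTimeout rather than 30s. The inline comment `# should not set route-level idle timeout because listener has it` could also state that precedence explicitly, e.g. `# listener streamIdleTimeout takes precedence; no route-level idleTimeout is emitted even if requestTimeout is larger`.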
diff --git a/internal/xds/translator/testdata/in/xds-ir/tcproute-mtls.yaml b/internal/xds/translator/testdata/in/xds-ir/tcproute-mtls.yaml
new file mode 100644
index 0000000000..f5a266f49f
--- /dev/null
+++ b/internal/xds/translator/testdata/in/xds-ir/tcproute-mtls.yaml
@@ -0,0 +1,49 @@
+tcp:
+ - address: 0.0.0.0
+ externalPort: 90
+ metadata:
+ kind: Gateway
+ name: gateway-1
+ namespace: envoy-gateway
+ sectionName: tcp
+ name: envoy-gateway/gateway-1/tcp
+ port: 10090
+ routes:
+ - destination:
+ metadata:
+ kind: TCPRoute
+ name: tcproute-1
+ namespace: default
+ sectionName: rule-1
+ name: tcproute/default/tcproute-1/rule/-1
+ settings:
+ - addressType: IP
+ endpoints:
+ - host: 7.7.7.7
+ port: 8080
+ metadata:
+ kind: Service
+ name: service-1
+ namespace: default
+ sectionName: "8080"
+ name: tcproute/default/tcproute-1/rule/-1/backend/0
+ protocol: TCP
+ tls:
+ alpnProtocols: null
+ caCertificate:
+ name: policy-btls-for-service-1/default-ca
+ clientCertificates:
+ - certificate: 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
+ name: envoy-gateway-system/client-auth
+ privateKey: "[redacted]"
+ sni: example.com
+ subjectAltNames:
+ - uri: spiffe://cluster.local/ns/istio-demo/sa/echo-v1
+ - hostname: subdomain.secondexample.com
+ useSystemTrustStore: true
+ weight: 1
+ metadata:
+ kind: TCPRoute
+ name: tcproute-1
+ namespace: default
+ name: tcproute/default/tcproute-1
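Review bot: The fixture sets both `useSystemTrustStore: true` and an explicit `caCertificate` for the same mTLS upstream. If the translator honours both (cannot be confirmed here; the tcproute-mtls.clusters.yaml expectation is cut off at the end of this page), the validation context accepts any chain to a public root in addition to the pinned CA, and the `subjectAltNames` entries become the only thing stopping a publicly issued `example.com` certificate from passing; if it honours only one, the fixture pins nothing about the other. Either drop `useSystemTrustStore` here so the golden exercises the pinned-CA path alone, or add a sibling fixture with only one of the two set so the precedence is captured by a golden.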
diff --git a/internal/xds/translator/testdata/out/xds-ir/http-route-timeout.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/http-route-timeout.listeners.yaml
index 5dd5e46e3c..c2a422e285 100644
--- a/internal/xds/translator/testdata/out/xds-ir/http-route-timeout.listeners.yaml
+++ b/internal/xds/translator/testdata/out/xds-ir/http-route-timeout.listeners.yaml
@@ -33,3 +33,39 @@
maxConnectionsToAcceptPerSocketEvent: 1
name: first-listener
perConnectionBufferLimitBytes: 32768
+- address:
+ socketAddress:
+ address: '::'
+ portValue: 10081
+ defaultFilterChain:
+ filters:
+ - name: envoy.filters.network.http_connection_manager
+ typedConfig:
+ '@type': type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
+ commonHttpProtocolOptions:
+ headersWithUnderscoresAction: REJECT_REQUEST
+ http2ProtocolOptions:
+ initialConnectionWindowSize: 1048576
+ initialStreamWindowSize: 65536
+ maxConcurrentStreams: 100
+ httpFilters:
+ - name: envoy.filters.http.router
+ typedConfig:
+ '@type': type.googleapis.com/envoy.extensions.filters.http.router.v3.Router
+ suppressEnvoyHeaders: true
+ mergeSlashes: true
+ normalizePath: true
+ pathWithEscapedSlashesAction: UNESCAPE_AND_REDIRECT
+ rds:
+ configSource:
+ ads: {}
+ resourceApiVersion: V3
+ routeConfigName: second-listener
+ serverHeaderTransformation: PASS_THROUGH
+ statPrefix: http-10081
+ streamIdleTimeout: 10s
+ useRemoteAddress: true
+ name: second-listener
+ maxConnectionsToAcceptPerSocketEvent: 1
+ name: second-listener
+ perConnectionBufferLimitBytes: 32768
diff --git a/internal/xds/translator/testdata/out/xds-ir/http-route-timeout.routes.yaml b/internal/xds/translator/testdata/out/xds-ir/http-route-timeout.routes.yaml
index 4585dc7b0b..a1163a0428 100644
--- a/internal/xds/translator/testdata/out/xds-ir/http-route-timeout.routes.yaml
+++ b/internal/xds/translator/testdata/out/xds-ir/http-route-timeout.routes.yaml
@@ -76,3 +76,22 @@
timeout: 0s
upgradeConfigs:
- upgradeType: websocket
+- ignorePortInHostMatching: true
+ name: second-listener
+ virtualHosts:
+ - domains:
+ - '*'
+ name: second-listener/*
+ routes:
+ - match:
+ headers:
+ - name: user
+ stringMatch:
+ exact: jason
+ prefix: /
+ name: first-route
+ route:
+ cluster: first-route-dest
+ timeout: 5s
+ upgradeConfigs:
+ - upgradeType: websocket
diff --git a/internal/xds/translator/testdata/out/xds-ir/jsonpatch-add-op-empty-jsonpath.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/jsonpatch-add-op-empty-jsonpath.clusters.yaml
index 2471dd8cb4..054f90bb71 100644
--- a/internal/xds/translator/testdata/out/xds-ir/jsonpatch-add-op-empty-jsonpath.clusters.yaml
+++ b/internal/xds/translator/testdata/out/xds-ir/jsonpatch-add-op-empty-jsonpath.clusters.yaml
@@ -1,16 +1,24 @@
- circuitBreakers:
thresholds:
- maxRetries: 1024
- commonLbConfig:
- localityWeightedLbConfig: {}
+ commonLbConfig: {}
connectTimeout: 10s
- dnsLookupFamily: V4_ONLY
+ dnsLookupFamily: V4_PREFERRED
edsClusterConfig:
edsConfig:
ads: {}
resourceApiVersion: V3
serviceName: first-route-dest
+ ignoreHealthOnHostRemoval: true
lbPolicy: LEAST_REQUEST
+ loadBalancingPolicy:
+ policies:
+ - typedExtensionConfig:
+ name: envoy.load_balancing_policies.least_request
+ typedConfig:
+ '@type': type.googleapis.com/envoy.extensions.load_balancing_policies.least_request.v3.LeastRequest
+ localityLbConfig:
+ localityWeightedLbConfig: {}
name: first-route-dest
perConnectionBufferLimitBytes: 32768
type: EDS
diff --git a/internal/xds/translator/testdata/out/xds-ir/jsonpatch-add-op-empty-jsonpath.endpoints.yaml b/internal/xds/translator/testdata/out/xds-ir/jsonpatch-add-op-empty-jsonpath.endpoints.yaml
index 9a6f5a46c9..0d68b430c2 100644
--- a/internal/xds/translator/testdata/out/xds-ir/jsonpatch-add-op-empty-jsonpath.endpoints.yaml
+++ b/internal/xds/translator/testdata/out/xds-ir/jsonpatch-add-op-empty-jsonpath.endpoints.yaml
@@ -8,17 +8,4 @@
portValue: 50000
loadBalancingWeight: 1
loadBalancingWeight: 1
- locality:
- region: first-route-dest/backend/0
-- clusterName: second-route-dest
- endpoints:
- - lbEndpoints:
- - endpoint:
- address:
- socketAddress:
- address: 4.5.6.7
- portValue: 50000
- loadBalancingWeight: 1
- loadBalancingWeight: 1
- locality:
- region: second-route-dest/backend/0
+ locality: {}
diff --git a/internal/xds/translator/testdata/out/xds-ir/jsonpatch-add-op-empty-jsonpath.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/jsonpatch-add-op-empty-jsonpath.listeners.yaml
index 51c022c26f..6f069367c6 100644
--- a/internal/xds/translator/testdata/out/xds-ir/jsonpatch-add-op-empty-jsonpath.listeners.yaml
+++ b/internal/xds/translator/testdata/out/xds-ir/jsonpatch-add-op-empty-jsonpath.listeners.yaml
@@ -1,8 +1,7 @@
- address:
socketAddress:
- address: 0.0.0.0
+ address: '::'
portValue: 10080
- drainType: MODIFY_ONLY
filterChains:
- filters:
- name: envoy.filters.network.http_connection_manager
@@ -48,5 +47,8 @@
sdsConfig:
ads: {}
resourceApiVersion: V3
+ disableStatefulSessionResumption: true
+ disableStatelessSessionResumption: true
+ maxConnectionsToAcceptPerSocketEvent: 1
name: first-listener
perConnectionBufferLimitBytes: 32768
diff --git a/internal/xds/translator/testdata/out/xds-ir/jsonpatch-add-op-without-value.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/jsonpatch-add-op-without-value.clusters.yaml
index 2471dd8cb4..054f90bb71 100644
--- a/internal/xds/translator/testdata/out/xds-ir/jsonpatch-add-op-without-value.clusters.yaml
+++ b/internal/xds/translator/testdata/out/xds-ir/jsonpatch-add-op-without-value.clusters.yaml
@@ -1,16 +1,24 @@
- circuitBreakers:
thresholds:
- maxRetries: 1024
- commonLbConfig:
- localityWeightedLbConfig: {}
+ commonLbConfig: {}
connectTimeout: 10s
- dnsLookupFamily: V4_ONLY
+ dnsLookupFamily: V4_PREFERRED
edsClusterConfig:
edsConfig:
ads: {}
resourceApiVersion: V3
serviceName: first-route-dest
+ ignoreHealthOnHostRemoval: true
lbPolicy: LEAST_REQUEST
+ loadBalancingPolicy:
+ policies:
+ - typedExtensionConfig:
+ name: envoy.load_balancing_policies.least_request
+ typedConfig:
+ '@type': type.googleapis.com/envoy.extensions.load_balancing_policies.least_request.v3.LeastRequest
+ localityLbConfig:
+ localityWeightedLbConfig: {}
name: first-route-dest
perConnectionBufferLimitBytes: 32768
type: EDS
diff --git a/internal/xds/translator/testdata/out/xds-ir/jsonpatch-add-op-without-value.endpoints.yaml b/internal/xds/translator/testdata/out/xds-ir/jsonpatch-add-op-without-value.endpoints.yaml
index 3b3f2d0907..0d68b430c2 100644
--- a/internal/xds/translator/testdata/out/xds-ir/jsonpatch-add-op-without-value.endpoints.yaml
+++ b/internal/xds/translator/testdata/out/xds-ir/jsonpatch-add-op-without-value.endpoints.yaml
@@ -8,5 +8,4 @@
portValue: 50000
loadBalancingWeight: 1
loadBalancingWeight: 1
- locality:
- region: first-route-dest/backend/0
+ locality: {}
diff --git a/internal/xds/translator/testdata/out/xds-ir/jsonpatch-add-op-without-value.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/jsonpatch-add-op-without-value.listeners.yaml
index 4aee3acf75..214e566ca0 100644
--- a/internal/xds/translator/testdata/out/xds-ir/jsonpatch-add-op-without-value.listeners.yaml
+++ b/internal/xds/translator/testdata/out/xds-ir/jsonpatch-add-op-without-value.listeners.yaml
@@ -1,8 +1,7 @@
- address:
socketAddress:
- address: 0.0.0.0
+ address: '::'
portValue: 10080
- drainType: MODIFY_ONLY
filterChains:
- filters:
- name: envoy.filters.network.http_connection_manager
@@ -19,7 +18,6 @@
typedConfig:
'@type': type.googleapis.com/envoy.extensions.filters.http.ratelimit.v3.RateLimit
domain: eg-ratelimit
- disableXEnvoyRatelimitedHeader: true
failureModeDeny: true
rateLimitService:
grpcService:
@@ -40,8 +38,9 @@
resourceApiVersion: V3
routeConfigName: first-listener
serverHeaderTransformation: PASS_THROUGH
- statPrefix: https
+ statPrefix: https-10080
useRemoteAddress: true
+ name: first-listener
transportSocket:
name: envoy.transport_sockets.tls
typedConfig:
@@ -59,5 +58,8 @@
sdsConfig:
ads: {}
resourceApiVersion: V3
+ disableStatefulSessionResumption: true
+ disableStatelessSessionResumption: true
+ maxConnectionsToAcceptPerSocketEvent: 1
name: first-listener
perConnectionBufferLimitBytes: 32768
diff --git a/internal/xds/translator/testdata/out/xds-ir/jsonpatch-add-op-without-value.secrets.yaml b/internal/xds/translator/testdata/out/xds-ir/jsonpatch-add-op-without-value.secrets.yaml
new file mode 100644
index 0000000000..ad88ffe43c
--- /dev/null
+++ b/internal/xds/translator/testdata/out/xds-ir/jsonpatch-add-op-without-value.secrets.yaml
@@ -0,0 +1,12 @@
+- name: secret-1
+ tlsCertificate:
+ certificateChain:
+ inlineBytes: Y2VydC1kYXRh
+ privateKey:
+ inlineBytes: a2V5LWRhdGE=
+- name: secret-2
+ tlsCertificate:
+ certificateChain:
+ inlineBytes: Y2VydC1kYXRh
+ privateKey:
+ inlineBytes: a2V5LWRhdGE=
diff --git a/internal/xds/translator/testdata/out/xds-ir/jsonpatch-invalid-patch.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/jsonpatch-invalid-patch.clusters.yaml
index 2471dd8cb4..054f90bb71 100644
--- a/internal/xds/translator/testdata/out/xds-ir/jsonpatch-invalid-patch.clusters.yaml
+++ b/internal/xds/translator/testdata/out/xds-ir/jsonpatch-invalid-patch.clusters.yaml
@@ -1,16 +1,24 @@
- circuitBreakers:
thresholds:
- maxRetries: 1024
- commonLbConfig:
- localityWeightedLbConfig: {}
+ commonLbConfig: {}
connectTimeout: 10s
- dnsLookupFamily: V4_ONLY
+ dnsLookupFamily: V4_PREFERRED
edsClusterConfig:
edsConfig:
ads: {}
resourceApiVersion: V3
serviceName: first-route-dest
+ ignoreHealthOnHostRemoval: true
lbPolicy: LEAST_REQUEST
+ loadBalancingPolicy:
+ policies:
+ - typedExtensionConfig:
+ name: envoy.load_balancing_policies.least_request
+ typedConfig:
+ '@type': type.googleapis.com/envoy.extensions.load_balancing_policies.least_request.v3.LeastRequest
+ localityLbConfig:
+ localityWeightedLbConfig: {}
name: first-route-dest
perConnectionBufferLimitBytes: 32768
type: EDS
diff --git a/internal/xds/translator/testdata/out/xds-ir/jsonpatch-invalid-patch.endpoints.yaml b/internal/xds/translator/testdata/out/xds-ir/jsonpatch-invalid-patch.endpoints.yaml
index 3b3f2d0907..0d68b430c2 100644
--- a/internal/xds/translator/testdata/out/xds-ir/jsonpatch-invalid-patch.endpoints.yaml
+++ b/internal/xds/translator/testdata/out/xds-ir/jsonpatch-invalid-patch.endpoints.yaml
@@ -8,5 +8,4 @@
portValue: 50000
loadBalancingWeight: 1
loadBalancingWeight: 1
- locality:
- region: first-route-dest/backend/0
+ locality: {}
diff --git a/internal/xds/translator/testdata/out/xds-ir/jsonpatch-invalid-patch.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/jsonpatch-invalid-patch.listeners.yaml
index 17a4871056..5dd5e46e3c 100644
--- a/internal/xds/translator/testdata/out/xds-ir/jsonpatch-invalid-patch.listeners.yaml
+++ b/internal/xds/translator/testdata/out/xds-ir/jsonpatch-invalid-patch.listeners.yaml
@@ -1,6 +1,6 @@
- address:
socketAddress:
- address: 0.0.0.0
+ address: '::'
portValue: 10080
defaultFilterChain:
filters:
@@ -27,8 +27,9 @@
resourceApiVersion: V3
routeConfigName: first-listener
serverHeaderTransformation: PASS_THROUGH
- statPrefix: http
+ statPrefix: http-10080
useRemoteAddress: true
- drainType: MODIFY_ONLY
+ name: first-listener
+ maxConnectionsToAcceptPerSocketEvent: 1
name: first-listener
perConnectionBufferLimitBytes: 32768
diff --git a/internal/xds/translator/testdata/out/xds-ir/jsonpatch-move-op-with-value.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/jsonpatch-move-op-with-value.clusters.yaml
index 2471dd8cb4..054f90bb71 100644
--- a/internal/xds/translator/testdata/out/xds-ir/jsonpatch-move-op-with-value.clusters.yaml
+++ b/internal/xds/translator/testdata/out/xds-ir/jsonpatch-move-op-with-value.clusters.yaml
@@ -1,16 +1,24 @@
- circuitBreakers:
thresholds:
- maxRetries: 1024
- commonLbConfig:
- localityWeightedLbConfig: {}
+ commonLbConfig: {}
connectTimeout: 10s
- dnsLookupFamily: V4_ONLY
+ dnsLookupFamily: V4_PREFERRED
edsClusterConfig:
edsConfig:
ads: {}
resourceApiVersion: V3
serviceName: first-route-dest
+ ignoreHealthOnHostRemoval: true
lbPolicy: LEAST_REQUEST
+ loadBalancingPolicy:
+ policies:
+ - typedExtensionConfig:
+ name: envoy.load_balancing_policies.least_request
+ typedConfig:
+ '@type': type.googleapis.com/envoy.extensions.load_balancing_policies.least_request.v3.LeastRequest
+ localityLbConfig:
+ localityWeightedLbConfig: {}
name: first-route-dest
perConnectionBufferLimitBytes: 32768
type: EDS
diff --git a/internal/xds/translator/testdata/out/xds-ir/jsonpatch-move-op-with-value.endpoints.yaml b/internal/xds/translator/testdata/out/xds-ir/jsonpatch-move-op-with-value.endpoints.yaml
index 3b3f2d0907..0d68b430c2 100644
--- a/internal/xds/translator/testdata/out/xds-ir/jsonpatch-move-op-with-value.endpoints.yaml
+++ b/internal/xds/translator/testdata/out/xds-ir/jsonpatch-move-op-with-value.endpoints.yaml
@@ -8,5 +8,4 @@
portValue: 50000
loadBalancingWeight: 1
loadBalancingWeight: 1
- locality:
- region: first-route-dest/backend/0
+ locality: {}
diff --git a/internal/xds/translator/testdata/out/xds-ir/jsonpatch-move-op-with-value.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/jsonpatch-move-op-with-value.listeners.yaml
index 4aee3acf75..214e566ca0 100644
--- a/internal/xds/translator/testdata/out/xds-ir/jsonpatch-move-op-with-value.listeners.yaml
+++ b/internal/xds/translator/testdata/out/xds-ir/jsonpatch-move-op-with-value.listeners.yaml
@@ -1,8 +1,7 @@
- address:
socketAddress:
- address: 0.0.0.0
+ address: '::'
portValue: 10080
- drainType: MODIFY_ONLY
filterChains:
- filters:
- name: envoy.filters.network.http_connection_manager
@@ -19,7 +18,6 @@
typedConfig:
'@type': type.googleapis.com/envoy.extensions.filters.http.ratelimit.v3.RateLimit
domain: eg-ratelimit
- disableXEnvoyRatelimitedHeader: true
failureModeDeny: true
rateLimitService:
grpcService:
@@ -40,8 +38,9 @@
resourceApiVersion: V3
routeConfigName: first-listener
serverHeaderTransformation: PASS_THROUGH
- statPrefix: https
+ statPrefix: https-10080
useRemoteAddress: true
+ name: first-listener
transportSocket:
name: envoy.transport_sockets.tls
typedConfig:
@@ -59,5 +58,8 @@
sdsConfig:
ads: {}
resourceApiVersion: V3
+ disableStatefulSessionResumption: true
+ disableStatelessSessionResumption: true
+ maxConnectionsToAcceptPerSocketEvent: 1
name: first-listener
perConnectionBufferLimitBytes: 32768
diff --git a/internal/xds/translator/testdata/out/xds-ir/jsonpatch-move-op-with-value.secrets.yaml b/internal/xds/translator/testdata/out/xds-ir/jsonpatch-move-op-with-value.secrets.yaml
new file mode 100644
index 0000000000..ad88ffe43c
--- /dev/null
+++ b/internal/xds/translator/testdata/out/xds-ir/jsonpatch-move-op-with-value.secrets.yaml
@@ -0,0 +1,12 @@
+- name: secret-1
+ tlsCertificate:
+ certificateChain:
+ inlineBytes: Y2VydC1kYXRh
+ privateKey:
+ inlineBytes: a2V5LWRhdGE=
+- name: secret-2
+ tlsCertificate:
+ certificateChain:
+ inlineBytes: Y2VydC1kYXRh
+ privateKey:
+ inlineBytes: a2V5LWRhdGE=
diff --git a/internal/xds/translator/testdata/out/xds-ir/jsonpatch-with-jsonpath-invalid.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/jsonpatch-with-jsonpath-invalid.clusters.yaml
new file mode 100644
index 0000000000..7e9eb80719
--- /dev/null
+++ b/internal/xds/translator/testdata/out/xds-ir/jsonpatch-with-jsonpath-invalid.clusters.yaml
@@ -0,0 +1,48 @@
+- circuitBreakers:
+ thresholds:
+ - maxRetries: 1024
+ commonLbConfig: {}
+ connectTimeout: 10s
+ dnsLookupFamily: V4_PREFERRED
+ edsClusterConfig:
+ edsConfig:
+ ads: {}
+ resourceApiVersion: V3
+ serviceName: first-route-dest
+ ignoreHealthOnHostRemoval: true
+ lbPolicy: LEAST_REQUEST
+ loadBalancingPolicy:
+ policies:
+ - typedExtensionConfig:
+ name: envoy.load_balancing_policies.least_request
+ typedConfig:
+ '@type': type.googleapis.com/envoy.extensions.load_balancing_policies.least_request.v3.LeastRequest
+ localityLbConfig:
+ localityWeightedLbConfig: {}
+ name: first-route-dest
+ perConnectionBufferLimitBytes: 32768
+ type: EDS
+- circuitBreakers:
+ thresholds:
+ - maxRetries: 1024
+ commonLbConfig: {}
+ connectTimeout: 10s
+ dnsLookupFamily: V4_PREFERRED
+ edsClusterConfig:
+ edsConfig:
+ ads: {}
+ resourceApiVersion: V3
+ serviceName: second-route-dest
+ ignoreHealthOnHostRemoval: true
+ lbPolicy: LEAST_REQUEST
+ loadBalancingPolicy:
+ policies:
+ - typedExtensionConfig:
+ name: envoy.load_balancing_policies.least_request
+ typedConfig:
+ '@type': type.googleapis.com/envoy.extensions.load_balancing_policies.least_request.v3.LeastRequest
+ localityLbConfig:
+ localityWeightedLbConfig: {}
+ name: second-route-dest
+ perConnectionBufferLimitBytes: 32768
+ type: EDS
diff --git a/internal/xds/translator/testdata/out/xds-ir/jsonpatch-with-jsonpath-invalid.endpoints.yaml b/internal/xds/translator/testdata/out/xds-ir/jsonpatch-with-jsonpath-invalid.endpoints.yaml
new file mode 100644
index 0000000000..b27cfd4b02
--- /dev/null
+++ b/internal/xds/translator/testdata/out/xds-ir/jsonpatch-with-jsonpath-invalid.endpoints.yaml
@@ -0,0 +1,24 @@
+- clusterName: first-route-dest
+ endpoints:
+ - lbEndpoints:
+ - endpoint:
+ address:
+ socketAddress:
+ address: 1.2.3.4
+ portValue: 50000
+ loadBalancingWeight: 1
+ loadBalancingWeight: 1
+ locality:
+ region: first-route-dest/backend/0
+- clusterName: second-route-dest
+ endpoints:
+ - lbEndpoints:
+ - endpoint:
+ address:
+ socketAddress:
+ address: 4.5.6.7
+ portValue: 60000
+ loadBalancingWeight: 1
+ loadBalancingWeight: 1
+ locality:
+ region: second-route-dest/backend/0
diff --git a/internal/xds/translator/testdata/out/xds-ir/jsonpatch-with-jsonpath-invalid.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/jsonpatch-with-jsonpath-invalid.listeners.yaml
new file mode 100644
index 0000000000..6f069367c6
--- /dev/null
+++ b/internal/xds/translator/testdata/out/xds-ir/jsonpatch-with-jsonpath-invalid.listeners.yaml
@@ -0,0 +1,54 @@
+- address:
+ socketAddress:
+ address: '::'
+ portValue: 10080
+ filterChains:
+ - filters:
+ - name: envoy.filters.network.http_connection_manager
+ typedConfig:
+ '@type': type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
+ commonHttpProtocolOptions:
+ headersWithUnderscoresAction: REJECT_REQUEST
+ http2ProtocolOptions:
+ initialConnectionWindowSize: 1048576
+ initialStreamWindowSize: 65536
+ maxConcurrentStreams: 100
+ httpFilters:
+ - name: envoy.filters.http.router
+ typedConfig:
+ '@type': type.googleapis.com/envoy.extensions.filters.http.router.v3.Router
+ suppressEnvoyHeaders: true
+ mergeSlashes: true
+ normalizePath: true
+ pathWithEscapedSlashesAction: UNESCAPE_AND_REDIRECT
+ rds:
+ configSource:
+ ads: {}
+ resourceApiVersion: V3
+ routeConfigName: first-listener
+ serverHeaderTransformation: PASS_THROUGH
+ statPrefix: https-10080
+ useRemoteAddress: true
+ name: first-listener
+ transportSocket:
+ name: envoy.transport_sockets.tls
+ typedConfig:
+ '@type': type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext
+ commonTlsContext:
+ alpnProtocols:
+ - h2
+ - http/1.1
+ tlsCertificateSdsSecretConfigs:
+ - name: secret-1
+ sdsConfig:
+ ads: {}
+ resourceApiVersion: V3
+ - name: secret-2
+ sdsConfig:
+ ads: {}
+ resourceApiVersion: V3
+ disableStatefulSessionResumption: true
+ disableStatelessSessionResumption: true
+ maxConnectionsToAcceptPerSocketEvent: 1
+ name: first-listener
+ perConnectionBufferLimitBytes: 32768
diff --git a/internal/xds/translator/testdata/out/xds-ir/jsonpatch-with-jsonpath-invalid.routes.yaml b/internal/xds/translator/testdata/out/xds-ir/jsonpatch-with-jsonpath-invalid.routes.yaml
new file mode 100644
index 0000000000..1151564d8d
--- /dev/null
+++ b/internal/xds/translator/testdata/out/xds-ir/jsonpatch-with-jsonpath-invalid.routes.yaml
@@ -0,0 +1,32 @@
+- ignorePortInHostMatching: true
+ name: first-listener
+ virtualHosts:
+ - domains:
+ - '*'
+ name: first-listener/*
+ routes:
+ - match:
+ headers:
+ - name: user
+ stringMatch:
+ exact: jason
+ prefix: /
+ name: first-route
+ route:
+ cluster: first-route-dest
+ upgradeConfigs:
+ - upgradeType: websocket
+ - match:
+ headers:
+ - name: user
+ stringMatch:
+ exact: james
+ - name: country
+ stringMatch:
+ exact: US
+ prefix: /
+ name: second-route
+ route:
+ cluster: second-route-dest
+ upgradeConfigs:
+ - upgradeType: websocket
diff --git a/internal/xds/translator/testdata/out/xds-ir/jsonpatch-with-jsonpath-invalid.secrets.yaml b/internal/xds/translator/testdata/out/xds-ir/jsonpatch-with-jsonpath-invalid.secrets.yaml
new file mode 100644
index 0000000000..ad88ffe43c
--- /dev/null
+++ b/internal/xds/translator/testdata/out/xds-ir/jsonpatch-with-jsonpath-invalid.secrets.yaml
@@ -0,0 +1,12 @@
+- name: secret-1
+ tlsCertificate:
+ certificateChain:
+ inlineBytes: Y2VydC1kYXRh
+ privateKey:
+ inlineBytes: a2V5LWRhdGE=
+- name: secret-2
+ tlsCertificate:
+ certificateChain:
+ inlineBytes: Y2VydC1kYXRh
+ privateKey:
+ inlineBytes: a2V5LWRhdGE=
diff --git a/internal/xds/translator/testdata/out/xds-ir/tcproute-mtls.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/tcproute-mtls.clusters.yaml
new file mode 100644
index 0000000000..6851697af0
--- /dev/null
+++ b/internal/xds/translator/testdata/out/xds-ir/tcproute-mtls.clusters.yaml
@@ -0,0 +1,61 @@
+- circuitBreakers:
+ thresholds:
+ - maxRetries: 1024
+ commonLbConfig: {}
+ connectTimeout: 10s
+ dnsLookupFamily: V4_PREFERRED
+ edsClusterConfig:
+ edsConfig:
+ ads: {}
+ resourceApiVersion: V3
+ serviceName: tcproute/default/tcproute-1/rule/-1
+ ignoreHealthOnHostRemoval: true
+ lbPolicy: LEAST_REQUEST
+ loadBalancingPolicy:
+ policies:
+ - typedExtensionConfig:
+ name: envoy.load_balancing_policies.least_request
+ typedConfig:
+ '@type': type.googleapis.com/envoy.extensions.load_balancing_policies.least_request.v3.LeastRequest
+ localityLbConfig:
+ localityWeightedLbConfig: {}
+ metadata:
+ filterMetadata:
+ envoy-gateway:
+ resources:
+ - kind: TCPRoute
+ name: tcproute-1
+ namespace: default
+ sectionName: rule-1
+ name: tcproute/default/tcproute-1/rule/-1
+ perConnectionBufferLimitBytes: 32768
+ transportSocketMatches:
+ - match:
+ name: tcproute/default/tcproute-1/rule/-1/tls/0
+ name: tcproute/default/tcproute-1/rule/-1/tls/0
+ transportSocket:
+ name: envoy.transport_sockets.tls
+ typedConfig:
+ '@type': type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext
+ commonTlsContext:
+ combinedValidationContext:
+ defaultValidationContext:
+ matchTypedSubjectAltNames:
+ - matcher:
+ exact: spiffe://cluster.local/ns/istio-demo/sa/echo-v1
+ sanType: URI
+ - matcher:
+ exact: subdomain.secondexample.com
+ sanType: DNS
+ validationContextSdsSecretConfig:
+ name: policy-btls-for-service-1/default-ca
+ sdsConfig:
+ ads: {}
+ resourceApiVersion: V3
+ tlsCertificateSdsSecretConfigs:
+ - name: envoy-gateway-system/client-auth
+ sdsConfig:
+ ads: {}
+ resourceApiVersion: V3
+ sni: example.com
+ type: EDS
diff --git a/internal/xds/translator/testdata/out/xds-ir/tcproute-mtls.endpoints.yaml b/internal/xds/translator/testdata/out/xds-ir/tcproute-mtls.endpoints.yaml
new file mode 100644
index 0000000000..5e4a4a21e3
--- /dev/null
+++ b/internal/xds/translator/testdata/out/xds-ir/tcproute-mtls.endpoints.yaml
@@ -0,0 +1,24 @@
+- clusterName: tcproute/default/tcproute-1/rule/-1
+ endpoints:
+ - lbEndpoints:
+ - endpoint:
+ address:
+ socketAddress:
+ address: 7.7.7.7
+ portValue: 8080
+ loadBalancingWeight: 1
+ metadata:
+ filterMetadata:
+ envoy.transport_socket_match:
+ name: tcproute/default/tcproute-1/rule/-1/tls/0
+ loadBalancingWeight: 1
+ locality:
+ region: tcproute/default/tcproute-1/rule/-1/backend/0
+ metadata:
+ filterMetadata:
+ envoy-gateway:
+ resources:
+ - kind: Service
+ name: service-1
+ namespace: default
+ sectionName: "8080"
diff --git a/internal/xds/translator/testdata/out/xds-ir/tcproute-mtls.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/tcproute-mtls.listeners.yaml
new file mode 100644
index 0000000000..91a999d6bc
--- /dev/null
+++ b/internal/xds/translator/testdata/out/xds-ir/tcproute-mtls.listeners.yaml
@@ -0,0 +1,15 @@
+- address:
+ socketAddress:
+ address: 0.0.0.0
+ portValue: 10090
+ filterChains:
+ - filters:
+ - name: envoy.filters.network.tcp_proxy
+ typedConfig:
+ '@type': type.googleapis.com/envoy.extensions.filters.network.tcp_proxy.v3.TcpProxy
+ cluster: tcproute/default/tcproute-1/rule/-1
+ statPrefix: tcp-10090
+ name: tcproute/default/tcproute-1
+ maxConnectionsToAcceptPerSocketEvent: 1
+ name: envoy-gateway/gateway-1/tcp
+ perConnectionBufferLimitBytes: 32768
diff --git a/internal/xds/translator/testdata/out/xds-ir/tcproute-mtls.routes.yaml b/internal/xds/translator/testdata/out/xds-ir/tcproute-mtls.routes.yaml
new file mode 100644
index 0000000000..fe51488c70
--- /dev/null
+++ b/internal/xds/translator/testdata/out/xds-ir/tcproute-mtls.routes.yaml
@@ -0,0 +1 @@
+[]
diff --git a/internal/xds/translator/testdata/out/xds-ir/tcproute-mtls.secrets.yaml b/internal/xds/translator/testdata/out/xds-ir/tcproute-mtls.secrets.yaml
new file mode 100644
index 0000000000..f5e6180467
--- /dev/null
+++ b/internal/xds/translator/testdata/out/xds-ir/tcproute-mtls.secrets.yaml
@@ -0,0 +1,10 @@
+- name: policy-btls-for-service-1/default-ca
+ validationContext:
+ trustedCa:
+ filename: /etc/ssl/certs/ca-certificates.crt
+- name: envoy-gateway-system/client-auth
+ tlsCertificate:
+ certificateChain:
+ inlineBytes: 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
+ privateKey:
+ inlineBytes: W3JlZGFjdGVkXQ==
diff --git a/internal/xds/translator/translator.go b/internal/xds/translator/translator.go
index 4922991bf2..2818af2d2c 100644
--- a/internal/xds/translator/translator.go
+++ b/internal/xds/translator/translator.go
@@ -155,7 +155,9 @@ func (t *Translator) Translate(xdsIR *ir.Xds) (*types.ResourceVersionTable, erro
// All XDS resources is ready, let's do the patch.
if err := processJSONPatches(tCtx, xdsIR.EnvoyPatchPolicies); err != nil {
- errs = errors.Join(errs, err)
+ // Since JSONPatch error is user-triggered, we don't fail the entire xDS translation so that the remaining
+ // valid xDS resources can be sent to the proxy.
+ t.Logger.Error(err, "Failed to process JSON patches")
}
// Check if an extension want to inject any clusters/secrets
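Review bot: Replacing `errs = errors.Join(errs, err)` with a log call means Translate now returns success while the patches were not applied, and the only trace is a log line. The case that matters most is a patch meant to add or tighten a filter silently not landing, so the failure still needs to reach where an operator looks: if processJSONPatches does not already record it in the EnvoyPatchPolicy status conditions on this path, that is the place, and a counter metric would make it alertable. The new comment could state where the error ends up, e.g. `// The failure is reported on the EnvoyPatchPolicy status; only the xDS snapshot is kept intact here.` — adjusted to whatever actually records it. Translate starts outside the hunk.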
@@ -793,6 +795,19 @@ func (t *Translator) processTCPListenerXdsTranslation(
errs = errors.Join(errs, err)
}
}
+ } else if route.Destination != nil {
+ // TCPRoute with BackendTLSPolicy
+ // add tcp route client certs
+ for _, st := range route.Destination.Settings {
+ if st.TLS != nil {
+ for _, clientCert := range st.TLS.ClientCertificates {
+ secret := buildXdsTLSCertSecret(&clientCert)
+ if err := tCtx.AddXdsResource(resourcev3.SecretType, secret); err != nil {
+ errs = errors.Join(errs, err)
+ }
+ }
+ }
+ }
}
if err := t.addXdsTCPFilterChain(
xdsListener,
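Review bot: The new `else if route.Destination != nil` branch nests three levels before the call that does the work; a guard `if st.TLS == nil { continue }` at the top of the settings loop would flatten it and match the early-exit style of the surrounding code. The same client certificate can be reached from several settings of one route and from several routes, so the same secret name is passed to tCtx.AddXdsResource more than once; whether that is de-duplicated or comes back as an error joined into errs is not visible here and deserves a one-line comment either way. processTCPListenerXdsTranslation starts and ends outside the hunk.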
diff --git a/internal/xds/translator/translator_test.go b/internal/xds/translator/translator_test.go
index 8338496906..863b24282c 100644
--- a/internal/xds/translator/translator_test.go
+++ b/internal/xds/translator/translator_test.go
@@ -93,26 +93,21 @@ func TestTranslateXds(t *testing.T) {
},
"jsonpatch-with-jsonpath-invalid": {
requireEnvoyPatchPolicies: true,
- errMsg: "no jsonPointers were found while evaluating the jsonPath",
},
"jsonpatch-add-op-empty-jsonpath": {
requireEnvoyPatchPolicies: true,
- errMsg: "a patch operation must specify a path or jsonPath",
},
"jsonpatch-missing-resource": {
requireEnvoyPatchPolicies: true,
},
"jsonpatch-invalid-patch": {
requireEnvoyPatchPolicies: true,
- errMsg: "unable to unmarshal xds resource",
},
"jsonpatch-add-op-without-value": {
requireEnvoyPatchPolicies: true,
- errMsg: "the add operation requires a value",
},
"jsonpatch-move-op-with-value": {
requireEnvoyPatchPolicies: true,
- errMsg: "value and from can't be specified with the remove operation",
},
"http-route-invalid": {
errMsg: "validation failed for xds resource",
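Review bot: Dropping the errMsg expectations from the five invalid-jsonpatch cases leaves them asserting only that translation succeeds; nothing now checks that the invalid patch was reported at all, so a regression that loses the log call (or whatever records the failure) would still pass. Keep a signal in the table, for example a field along the lines of `expectPatchErr: "no jsonPointers were found while evaluating the jsonPath"` checked against a captured logger or against the policy status if the translator writes one, so the cases keep pinning the error text they used to. A comment on these entries saying that the expected golden output is the unpatched resource set would also make the intended behaviour explicit. TestTranslateXds starts outside the hunk.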
diff --git a/release-notes/v1.6.4.yaml b/release-notes/v1.6.4.yaml
new file mode 100644
index 0000000000..76d70eff46
--- /dev/null
+++ b/release-notes/v1.6.4.yaml
@@ -0,0 +1,32 @@
+date: February 11, 2026
+
+# Changes that are expected to cause an incompatibility with previous versions, such as deletions or modifications to existing APIs.
+breaking changes: |
+ Gateway API CRD has been updated, more details could be found [here](https://github.com/kubernetes-sigs/gateway-api/issues/4490).
+
+# Updates addressing vulnerabilities, security flaws, or compliance requirements.
+security updates: |
+ Bump golang to `1.25.7` for security fixes to the go command and the `crypto/tls` package.
+
+# New features or capabilities added in this release.
+new features: |
+
+bug fixes: |
+ Fixes an issue where shutdown manager didn't ignore ready and stats listener metrics in connection calculation.
+ Fixed an issue where BackendTLSPolicy ResolvedRefs status reason was not aligned with Gateway API specification.
+ Fixed an issue where shutdown manager incorrectly counted ready and stats listener connections, preventing timely shutdown.
+ Fixed an issue where custom response filters were not properly positioned in the filter chain, causing redirect functionality to fail in OAuth2 flows.
+ Fixed an issue where route-level idle timeout prevented users from configuring listener-level idle timeout.
+ Fixed an issue where the message package did not adopt the configured logging level.
+ Fixed an issue where TCPRoute with mTLS did not work due to incorrect auto HTTP protocol detection on TCP clusters.
+ Fixed an issue where invalid EnvoyPatchPolicy prevented processing of remaining xDS resources.
+ Fixed an issue where the controller reported ready before cache synced.
+
+# Enhancements that improve performance.
+performance improvements: |
+
+# Deprecated features or APIs.
+deprecations: |
+
+# Other notable changes not covered by the above sections.
+Other changes: |
diff --git a/site/content/en/latest/api/extension_types.md b/site/content/en/latest/api/extension_types.md
index 651ccd16db..4aa2b45649 100644
--- a/site/content/en/latest/api/extension_types.md
+++ b/site/content/en/latest/api/extension_types.md
@@ -1238,29 +1238,29 @@ _Appears in:_
| Value | Description |
| ----- | ----------- |
+| `envoy.filters.http.custom_response` | EnvoyFilterCustomResponse defines the Envoy HTTP custom response filter.
|
| `envoy.filters.http.health_check` | EnvoyFilterHealthCheck defines the Envoy HTTP health check filter.
|
| `envoy.filters.http.fault` | EnvoyFilterFault defines the Envoy HTTP fault filter.
|
| `envoy.filters.http.cors` | EnvoyFilterCORS defines the Envoy HTTP CORS filter.
|
+| `envoy.filters.http.header_mutation` | EnvoyFilterHeaderMutation defines the Envoy HTTP header mutation filter
|
| `envoy.filters.http.ext_authz` | EnvoyFilterExtAuthz defines the Envoy HTTP external authorization filter.
|
| `envoy.filters.http.api_key_auth` | EnvoyFilterAPIKeyAuth defines the Envoy HTTP api key authentication filter.
|
| `envoy.filters.http.basic_auth` | EnvoyFilterBasicAuth defines the Envoy HTTP basic authentication filter.
|
| `envoy.filters.http.oauth2` | EnvoyFilterOAuth2 defines the Envoy HTTP OAuth2 filter.
|
| `envoy.filters.http.jwt_authn` | EnvoyFilterJWTAuthn defines the Envoy HTTP JWT authentication filter.
|
| `envoy.filters.http.stateful_session` | EnvoyFilterSessionPersistence defines the Envoy HTTP session persistence filter.
|
+| `envoy.filters.http.buffer` | EnvoyFilterBuffer defines the Envoy HTTP buffer filter
|
+| `envoy.filters.http.lua` | EnvoyFilterLua defines the Envoy HTTP Lua filter.
|
| `envoy.filters.http.ext_proc` | EnvoyFilterExtProc defines the Envoy HTTP external process filter.
|
| `envoy.filters.http.wasm` | EnvoyFilterWasm defines the Envoy HTTP WebAssembly filter.
|
-| `envoy.filters.http.lua` | EnvoyFilterLua defines the Envoy HTTP Lua filter.
|
| `envoy.filters.http.rbac` | EnvoyFilterRBAC defines the Envoy RBAC filter.
|
| `envoy.filters.http.local_ratelimit` | EnvoyFilterLocalRateLimit defines the Envoy HTTP local rate limit filter.
|
| `envoy.filters.http.ratelimit` | EnvoyFilterRateLimit defines the Envoy HTTP rate limit filter.
|
| `envoy.filters.http.grpc_web` | EnvoyFilterGRPCWeb defines the Envoy HTTP gRPC-web filter.
|
| `envoy.filters.http.grpc_stats` | EnvoyFilterGRPCStats defines the Envoy HTTP gRPC stats filter.
|
-| `envoy.filters.http.custom_response` | EnvoyFilterCustomResponse defines the Envoy HTTP custom response filter.
|
| `envoy.filters.http.credential_injector` | EnvoyFilterCredentialInjector defines the Envoy HTTP credential injector filter.
|
| `envoy.filters.http.compressor` | EnvoyFilterCompressor defines the Envoy HTTP compressor filter.
|
| `envoy.filters.http.router` | EnvoyFilterRouter defines the Envoy HTTP router filter.
|
-| `envoy.filters.http.buffer` | EnvoyFilterBuffer defines the Envoy HTTP buffer filter
|
-| `envoy.filters.http.header_mutation` | EnvoyFilterHeaderMutation defines the Envoy HTTP header mutation filter
|
#### EnvoyGateway
@@ -1755,7 +1755,7 @@ _Appears in:_
| `extraArgs` | _string array_ | false | | ExtraArgs defines additional command line options that are provided to Envoy.
More info: https://www.envoyproxy.io/docs/envoy/latest/operations/cli#command-line-options
Note: some command line options are used internally(e.g. --log-level) so they cannot be provided here. |
| `mergeGateways` | _boolean_ | false | | MergeGateways defines if Gateway resources should be merged onto the same Envoy Proxy Infrastructure.
Setting this field to true would merge all Gateway Listeners under the parent Gateway Class.
This means that the port, protocol and hostname tuple must be unique for every listener.
If a duplicate listener is detected, the newer listener (based on timestamp) will be rejected and its status will be updated with a "Accepted=False" condition. |
| `shutdown` | _[ShutdownConfig](#shutdownconfig)_ | false | | Shutdown defines configuration for graceful envoy shutdown process. |
-| `filterOrder` | _[FilterPosition](#filterposition) array_ | false | | FilterOrder defines the order of filters in the Envoy proxy's HTTP filter chain.
The FilterPosition in the list will be applied in the order they are defined.
If unspecified, the default filter order is applied.
Default filter order is:
- envoy.filters.http.health_check
- envoy.filters.http.fault
- envoy.filters.http.cors
- envoy.filters.http.ext_authz
- envoy.filters.http.api_key_auth
- envoy.filters.http.basic_auth
- envoy.filters.http.oauth2
- envoy.filters.http.jwt_authn
- envoy.filters.http.stateful_session
- envoy.filters.http.buffer
- envoy.filters.http.lua
- envoy.filters.http.ext_proc
- envoy.filters.http.wasm
- envoy.filters.http.rbac
- envoy.filters.http.local_ratelimit
- envoy.filters.http.ratelimit
- envoy.filters.http.grpc_web
- envoy.filters.http.grpc_stats
- envoy.filters.http.custom_response
- envoy.filters.http.credential_injector
- envoy.filters.http.compressor
- envoy.filters.http.router
Note: "envoy.filters.http.router" cannot be reordered, it's always the last filter in the chain. |
+| `filterOrder` | _[FilterPosition](#filterposition) array_ | false | | FilterOrder defines the order of filters in the Envoy proxy's HTTP filter chain.
The FilterPosition in the list will be applied in the order they are defined.
If unspecified, the default filter order is applied.
Default filter order is:
- envoy.filters.http.custom_response
- envoy.filters.http.health_check
- envoy.filters.http.fault
- envoy.filters.http.cors
- envoy.filters.http.header_mutation
- envoy.filters.http.ext_authz
- envoy.filters.http.api_key_auth
- envoy.filters.http.basic_auth
- envoy.filters.http.oauth2
- envoy.filters.http.jwt_authn
- envoy.filters.http.stateful_session
- envoy.filters.http.buffer
- envoy.filters.http.lua
- envoy.filters.http.ext_proc
- envoy.filters.http.wasm
- envoy.filters.http.rbac
- envoy.filters.http.local_ratelimit
- envoy.filters.http.ratelimit
- envoy.filters.http.grpc_web
- envoy.filters.http.grpc_stats
- envoy.filters.http.credential_injector
- envoy.filters.http.compressor
- envoy.filters.http.router
Note: "envoy.filters.http.router" cannot be reordered, it's always the last filter in the chain. |
| `backendTLS` | _[BackendTLSConfig](#backendtlsconfig)_ | false | | BackendTLS is the TLS configuration for the Envoy proxy to use when connecting to backends.
These settings are applied on backends for which TLS policies are specified. |
| `ipFamily` | _[IPFamily](#ipfamily)_ | false | | IPFamily specifies the IP family for the EnvoyProxy fleet.
This setting only affects the Gateway listener port and does not impact
other aspects of the Envoy proxy configuration.
If not specified, the system will operate as follows:
- It defaults to IPv4 only.
- IPv6 and dual-stack environments are not supported in this default configuration.
Note: To enable IPv6 or dual-stack functionality, explicit configuration is required. |
| `preserveRouteOrder` | _boolean_ | false | | PreserveRouteOrder determines if the order of matching for HTTPRoutes is determined by Gateway-API
specification (https://gateway-api.sigs.k8s.io/reference/1.4/spec/#httprouterule)
or preserves the order defined by users in the HTTPRoute's HTTPRouteRule list.
Default: False |
diff --git a/site/content/en/news/releases/notes/v1.6.4.md b/site/content/en/news/releases/notes/v1.6.4.md
new file mode 100644
index 0000000000..f1fd1d8dfa
--- /dev/null
+++ b/site/content/en/news/releases/notes/v1.6.4.md
@@ -0,0 +1,36 @@
+---
+title: "v1.6.4"
+publishdate: 2026-02-11
+---
+
+Date: February 11, 2026
+
+## Breaking changes
+- Gateway API CRD has been updated, more details could be found [here](https://github.com/kubernetes-sigs/gateway-api/issues/4490).
+
+## Security updates
+- Bump golang to `1.25.7` for security fixes to the go command and the `crypto/tls` package.
+
+## New features
+-
+
+## Bug fixes
+- Fixes an issue where shutdown manager didn't ignore ready and stats listener metrics in connection calculation.
+- Fixed an issue where BackendTLSPolicy ResolvedRefs status reason was not aligned with Gateway API specification.
+- Fixed an issue where shutdown manager incorrectly counted ready and stats listener connections, preventing timely shutdown.
+- Fixed an issue where custom response filters were not properly positioned in the filter chain, causing redirect functionality to fail in OAuth2 flows.
+- Fixed an issue where route-level idle timeout prevented users from configuring listener-level idle timeout.
+- Fixed an issue where the message package did not adopt the configured logging level.
+- Fixed an issue where TCPRoute with mTLS did not work due to incorrect auto HTTP protocol detection on TCP clusters.
+- Fixed an issue where invalid EnvoyPatchPolicy prevented processing of remaining xDS resources.
+- Fixed an issue where the controller reported ready before cache synced.
+
+## Performance improvements
+-
+
+## Deprecations
+-
+
+## Other changes
+-
+
diff --git a/test/e2e/testdata/tcproute-mtls.yaml b/test/e2e/testdata/tcproute-mtls.yaml
new file mode 100644
index 0000000000..4eb983aab4
--- /dev/null
+++ b/test/e2e/testdata/tcproute-mtls.yaml
@@ -0,0 +1,103 @@
+apiVersion: gateway.networking.k8s.io/v1beta1
+kind: Gateway
+metadata:
+ name: tcp-gateway
+ namespace: gateway-conformance-infra
+spec:
+ gatewayClassName: "{GATEWAY_CLASS_NAME}"
+ infrastructure:
+ parametersRef:
+ group: gateway.envoyproxy.io
+ kind: EnvoyProxy
+ name: tcp-gateway-settings
+ listeners:
+ - name: tcp
+ protocol: TCP
+ port: 8090
+ allowedRoutes:
+ kinds:
+ - kind: TCPRoute
+---
+apiVersion: gateway.envoyproxy.io/v1alpha1
+kind: EnvoyProxy
+metadata:
+ name: tcp-gateway-settings
+ namespace: gateway-conformance-infra
+spec:
+ ipFamily: IPv4
+ backendTLS:
+ clientCertificateRef:
+ kind: Secret
+ name: "client-tls-certificate"
+---
+# This is used as the client certificate for the envoy to connect to the backend service
+# openssl req -out envoy.csr -newkey rsa:2048 -nodes -keyout envoy.key -subj "/CN=envoy/O=example organization"
+# openssl x509 -req -days 36500 -CA ca.crt -CAkey ca.key -set_serial 0 -in envoy.csr -out envoy.crt
+apiVersion: v1
+kind: Secret
+metadata:
+ name: client-tls-certificate
+ namespace: gateway-conformance-infra
+type: kubernetes.io/tls
+data:
+ tls.crt: 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
+ tls.key: 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
+---
+apiVersion: gateway.networking.k8s.io/v1alpha2
+kind: TCPRoute
+metadata:
+ name: tcp-route
+ namespace: gateway-conformance-infra
+spec:
+ parentRefs:
+ - name: tcp-gateway
+ rules:
+ - backendRefs:
+ - name: tls-backend-2
+ port: 443
+---
+apiVersion: v1
+data:
+ ca.crt: |
+ -----BEGIN CERTIFICATE-----
+ MIIDQzCCAiugAwIBAgIBATANBgkqhkiG9w0BAQsFADBCMRMwEQYDVQQKEwpFbnZv
+ eVByb3h5MRAwDgYDVQQLEwdHYXRld2F5MRkwFwYDVQQDExBFbnZveSBHYXRld2F5
+ IENBMCAXDTI0MDMxMDE1MzIxN1oYDzIxMjQwMzEwMTYzMjE3WjBCMRMwEQYDVQQK
+ EwpFbnZveVByb3h5MRAwDgYDVQQLEwdHYXRld2F5MRkwFwYDVQQDExBFbnZveSBH
+ YXRld2F5IENBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA7ZFmGB4e
+ m1KdGEohAZBfqydAEGLDHJ1YyfHWdd+vBAevdW64bZx3pggJOtgCnePuFd02rDQS
+ dlsJlX/6mFtoQilo6wvxDSJRfaTDbtfTjw+7k8yfd/Jsmh0RWG+UeyI7Na9sXAz7
+ b57mpxsCoNowzeK5ETiOGGNWPcjENJkSnBarz5muN00xIZWBU+yN5PLJNxZvxpZJ
+ Ol/SSI8sno0e0PxAmp3fe7QaXiZj/TAGJPGuTJkUxrHqyZGJtYUxsS8A0dT1zBjj
+ izA5Dp+b5yzYo23Hh7BgpbZ7X4gsDThFuwCD6fHyepuv2zHPqvSsdqg2hAhDp91R
+ zrn7a9GxG2VSIwIDAQABo0IwQDAOBgNVHQ8BAf8EBAMCAQYwDwYDVR0TAQH/BAUw
+ AwEB/zAdBgNVHQ4EFgQUUpP1aZ1M2KIuPPWrNPDV2c5CngowDQYJKoZIhvcNAQEL
+ BQADggEBAGSEkAVz+Z0qS4FmA0q4SCpIIq64bsdEjiUzev7pK1LEK0/Y28QBPixV
+ cUXfax18VPR9pls1JgXto9qY+C0hnRZic6611QTJlWK1p6dinQ/eDdYCBC+nv5xx
+ ssASwmplIxMvj3S1qF6dr7sMI2ZVD5HElTWdO19UBLyhiKKZW2KxDsYj+5NRwGFe
+ G+JuDgq7njUM8mdyYk0NehefdBUEUUCQtnwUtW95/429XwqQROuRDteGT9kjD+Y5
+ ea5mW4mfqLeuGJXZs9bdWjKKdLQPrn9IshPysWqz2Hz8dQ1f7N9/g8UWVSjd4cyx
+ S5EAolzVv0yB7wHCWCgfG/ckdOTUNnE=
+ -----END CERTIFICATE-----
+kind: ConfigMap
+metadata:
+ name: backend-tls-ca
+ namespace: gateway-conformance-infra
+---
+apiVersion: gateway.networking.k8s.io/v1
+kind: BackendTLSPolicy
+metadata:
+ name: tls-backend-policy
+ namespace: gateway-conformance-infra
+spec:
+ targetRefs:
+ - group: ""
+ kind: Service
+ name: tls-backend-2
+ sectionName: https
+ validation:
+ caCertificateRefs:
+ - name: backend-tls-ca
+ group: ""
+ kind: ConfigMap
+ hostname: example.com
diff --git a/test/e2e/tests/tcproute.go b/test/e2e/tests/tcproute.go
index 877663ceac..b0c8b34bf5 100644
--- a/test/e2e/tests/tcproute.go
+++ b/test/e2e/tests/tcproute.go
@@ -32,7 +32,7 @@ import (
)
func init() {
- ConformanceTests = append(ConformanceTests, TCPRouteTest)
+ ConformanceTests = append(ConformanceTests, TCPRouteTest, TCPMTLSRouteTest)
}
var TCPRouteTest = suite.ConformanceTest{
@@ -73,12 +73,48 @@ var TCPRouteTest = suite.ConformanceTest{
Namespace: ns,
}
- // Send a request to an valid path and expect a successful response
+ // Send a request to a valid path and expect a successful response
http.MakeRequestAndExpectEventuallyConsistentResponse(t, suite.RoundTripper, suite.TimeoutConfig, gwAddr, OkResp)
})
},
}
+var TCPMTLSRouteTest = suite.ConformanceTest{
+ ShortName: "TCPRouteMtls",
+ Description: "Testing TCP MTLS Route",
+ Manifests: []string{"testdata/tcproute-mtls.yaml"},
+ Test: func(t *testing.T, suite *suite.ConformanceTestSuite) {
+ ns := "gateway-conformance-infra"
+ acceptedCond := metav1.Condition{
+ Type: string(gwapiv1.PolicyConditionAccepted),
+ Status: metav1.ConditionTrue,
+ Reason: string(gwapiv1.PolicyReasonAccepted),
+ }
+ resolvedRefsCond := metav1.Condition{
+ Type: string(gwapiv1.BackendTLSPolicyConditionResolvedRefs),
+ Status: metav1.ConditionTrue,
+ Reason: string(gwapiv1.BackendTLSPolicyReasonResolvedRefs),
+ }
+
+ routeNN := types.NamespacedName{Name: "tcp-route", Namespace: ns}
+ gwNN := types.NamespacedName{Name: "tcp-gateway", Namespace: ns}
+ validPolicyNN := types.NamespacedName{Name: "tls-backend-policy", Namespace: ns}
+ kubernetes.BackendTLSPolicyMustHaveCondition(t, suite.Client, suite.TimeoutConfig, validPolicyNN, gwNN, acceptedCond)
+ kubernetes.BackendTLSPolicyMustHaveCondition(t, suite.Client, suite.TimeoutConfig, validPolicyNN, gwNN, resolvedRefsCond)
+ gwAddr := GatewayAndTCPRoutesMustBeAccepted(t, suite.Client, &suite.TimeoutConfig, suite.ControllerName, NewGatewayRef(gwNN), routeNN)
+
+ http.MakeRequestAndExpectEventuallyConsistentResponse(t, suite.RoundTripper, suite.TimeoutConfig, gwAddr, http.ExpectedResponse{
+ Request: http.Request{
+ Path: "/",
+ },
+ Response: http.Response{
+ StatusCodes: []int{200},
+ },
+ Namespace: ns,
+ })
+ },
+}
+
func GatewayAndTCPRoutesMustBeAccepted(t *testing.T, c client.Client, timeoutConfig *config.TimeoutConfig, controllerName string, gw GatewayRef, routeNNs ...types.NamespacedName) string {
t.Helper()
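Review bot: TCPMTLSRouteTest only asserts a 200 for `Path: "/"`, which does not distinguish a mutual-TLS connection from one-way TLS: if the tls-backend-2 service referenced by the manifest accepts connections without a client certificate, the test passes whether or not the certificate from client-tls-certificate was presented. Either have the backend require client authentication, so the test fails when the client certificate is missing, or check a response detail the backend only produces for an authenticated client, and say which in Description. If `OkResp` used by TCPRouteTest carries the same Path and StatusCodes, the inline `http.ExpectedResponse` can be replaced by it.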
@@ -91,8 +127,11 @@ func GatewayAndTCPRoutesMustBeAccepted(t *testing.T, c client.Client, timeoutCon
if err != nil {
tlog.Logf(t, "error fetching TCPRoute: %v", err)
}
-
- gwAddr, err := WaitForGatewayAddress(t, c, timeoutConfig, gw.NamespacedName, string(*tcpRoute.Spec.ParentRefs[0].SectionName))
+ sectionName := ""
+ if tcpRoute.Spec.ParentRefs[0].SectionName != nil {
+ sectionName = string(*tcpRoute.Spec.ParentRefs[0].SectionName)
+ }
+ gwAddr, err := WaitForGatewayAddress(t, c, timeoutConfig, gw.NamespacedName, sectionName)
require.NoErrorf(t, err, "timed out waiting for Gateway address to be assigned")
ns := gwapiv1.Namespace(gw.Namespace)
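Review bot: The new nil check on SectionName still indexes `tcpRoute.Spec.ParentRefs[0]` unconditionally, and the fetch error just above is only logged, so a failed Get or a route with no parentRefs leaves a zero-value Spec and the index panics instead of failing the test. Guard the length too, `if len(tcpRoute.Spec.ParentRefs) > 0 && tcpRoute.Spec.ParentRefs[0].SectionName != nil {`, or turn the logged fetch error into `require.NoErrorf`. GatewayAndTCPRoutesMustBeAccepted starts outside the hunk.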
diff --git a/test/helm/gateway-crds-helm/all.out.yaml b/test/helm/gateway-crds-helm/all.out.yaml
index 2f70946d9d..b2073e431e 100644
--- a/test/helm/gateway-crds-helm/all.out.yaml
+++ b/test/helm/gateway-crds-helm/all.out.yaml
@@ -2845,30 +2845,19 @@ spec:
properties:
clientCertificateRef:
description: |-
- ClientCertificateRef references an object that contains a client certificate
- and its associated private key. It can reference standard Kubernetes resources,
- i.e., Secret, or implementation-specific custom resources.
-
- A ClientCertificateRef is considered invalid if:
-
- * It refers to a resource that cannot be resolved (e.g., the referenced resource
- does not exist) or is misconfigured (e.g., a Secret does not contain the keys
- named `tls.crt` and `tls.key`). In this case, the `ResolvedRefs` condition
- on the Gateway MUST be set to False with the Reason `InvalidClientCertificateRef`
- and the Message of the Condition MUST indicate why the reference is invalid.
-
- * It refers to a resource in another namespace UNLESS there is a ReferenceGrant
- in the target namespace that allows the certificate to be attached.
- If a ReferenceGrant does not allow this reference, the `ResolvedRefs` condition
- on the Gateway MUST be set to False with the Reason `RefNotPermitted`.
-
- Implementations MAY choose to perform further validation of the certificate
- content (e.g., checking expiry or enforcing specific formats). In such cases,
- an implementation-specific Reason and Message MUST be set.
-
- Support: Core - Reference to a Kubernetes TLS Secret (with the type `kubernetes.io/tls`).
- Support: Implementation-specific - Other resource kinds or Secrets with a
- different type (e.g., `Opaque`).
+ ClientCertificateRef is a reference to an object that contains a Client
+ Certificate and the associated private key.
+
+ References to a resource in different namespace are invalid UNLESS there
+ is a ReferenceGrant in the target namespace that allows the certificate
+ to be attached. If a ReferenceGrant does not allow this reference, the
+ "ResolvedRefs" condition MUST be set to False for this listener with the
+ "RefNotPermitted" reason.
+
+ ClientCertificateRef can reference to standard Kubernetes resources, i.e.
+ Secret, or implementation-specific custom resources.
+
+ Support: Core
properties:
group:
default: ""
@@ -4433,30 +4422,19 @@ spec:
properties:
clientCertificateRef:
description: |-
- ClientCertificateRef references an object that contains a client certificate
- and its associated private key. It can reference standard Kubernetes resources,
- i.e., Secret, or implementation-specific custom resources.
-
- A ClientCertificateRef is considered invalid if:
-
- * It refers to a resource that cannot be resolved (e.g., the referenced resource
- does not exist) or is misconfigured (e.g., a Secret does not contain the keys
- named `tls.crt` and `tls.key`). In this case, the `ResolvedRefs` condition
- on the Gateway MUST be set to False with the Reason `InvalidClientCertificateRef`
- and the Message of the Condition MUST indicate why the reference is invalid.
-
- * It refers to a resource in another namespace UNLESS there is a ReferenceGrant
- in the target namespace that allows the certificate to be attached.
- If a ReferenceGrant does not allow this reference, the `ResolvedRefs` condition
- on the Gateway MUST be set to False with the Reason `RefNotPermitted`.
-
- Implementations MAY choose to perform further validation of the certificate
- content (e.g., checking expiry or enforcing specific formats). In such cases,
- an implementation-specific Reason and Message MUST be set.
-
- Support: Core - Reference to a Kubernetes TLS Secret (with the type `kubernetes.io/tls`).
- Support: Implementation-specific - Other resource kinds or Secrets with a
- different type (e.g., `Opaque`).
+ ClientCertificateRef is a reference to an object that contains a Client
+ Certificate and the associated private key.
+
+ References to a resource in different namespace are invalid UNLESS there
+ is a ReferenceGrant in the target namespace that allows the certificate
+ to be attached. If a ReferenceGrant does not allow this reference, the
+ "ResolvedRefs" condition MUST be set to False for this listener with the
+ "RefNotPermitted" reason.
+
+ ClientCertificateRef can reference to standard Kubernetes resources, i.e.
+ Secret, or implementation-specific custom resources.
+
+ Support: Core
properties:
group:
default: ""
@@ -5651,14 +5629,10 @@ spec:
pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
type: string
value:
- description: |-
- Value is the value of HTTP Header to be matched.
-
- Must consist of printable US-ASCII characters, optionally separated
- by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2
+ description: Value is the value of HTTP
+ Header to be matched.
maxLength: 4096
minLength: 1
- pattern: ^[!-~]+([\t ]?[!-~]+)*$
type: string
required:
- name
@@ -5730,14 +5704,10 @@ spec:
pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
type: string
value:
- description: |-
- Value is the value of HTTP Header to be matched.
-
- Must consist of printable US-ASCII characters, optionally separated
- by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2
+ description: Value is the value of HTTP
+ Header to be matched.
maxLength: 4096
minLength: 1
- pattern: ^[!-~]+([\t ]?[!-~]+)*$
type: string
required:
- name
@@ -5942,14 +5912,10 @@ spec:
pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
type: string
value:
- description: |-
- Value is the value of HTTP Header to be matched.
-
- Must consist of printable US-ASCII characters, optionally separated
- by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2
+ description: Value is the value of HTTP
+ Header to be matched.
maxLength: 4096
minLength: 1
- pattern: ^[!-~]+([\t ]?[!-~]+)*$
type: string
required:
- name
@@ -6021,14 +5987,10 @@ spec:
pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
type: string
value:
- description: |-
- Value is the value of HTTP Header to be matched.
-
- Must consist of printable US-ASCII characters, optionally separated
- by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2
+ description: Value is the value of HTTP
+ Header to be matched.
maxLength: 4096
minLength: 1
- pattern: ^[!-~]+([\t ]?[!-~]+)*$
type: string
required:
- name
@@ -6319,14 +6281,10 @@ spec:
pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
type: string
value:
- description: |-
- Value is the value of HTTP Header to be matched.
-
- Must consist of printable US-ASCII characters, optionally separated
- by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2
+ description: Value is the value of HTTP Header
+ to be matched.
maxLength: 4096
minLength: 1
- pattern: ^[!-~]+([\t ]?[!-~]+)*$
type: string
required:
- name
@@ -6397,14 +6355,10 @@ spec:
pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
type: string
value:
- description: |-
- Value is the value of HTTP Header to be matched.
-
- Must consist of printable US-ASCII characters, optionally separated
- by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2
+ description: Value is the value of HTTP Header
+ to be matched.
maxLength: 4096
minLength: 1
- pattern: ^[!-~]+([\t ]?[!-~]+)*$
type: string
required:
- name
@@ -6608,14 +6562,10 @@ spec:
pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
type: string
value:
- description: |-
- Value is the value of HTTP Header to be matched.
-
- Must consist of printable US-ASCII characters, optionally separated
- by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2
+ description: Value is the value of HTTP Header
+ to be matched.
maxLength: 4096
minLength: 1
- pattern: ^[!-~]+([\t ]?[!-~]+)*$
type: string
required:
- name
@@ -6686,14 +6636,10 @@ spec:
pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
type: string
value:
- description: |-
- Value is the value of HTTP Header to be matched.
-
- Must consist of printable US-ASCII characters, optionally separated
- by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2
+ description: Value is the value of HTTP Header
+ to be matched.
maxLength: 4096
minLength: 1
- pattern: ^[!-~]+([\t ]?[!-~]+)*$
type: string
required:
- name
@@ -8303,7 +8249,6 @@ spec:
If the list has entries, only those entries must be sent.
items:
type: string
- maxItems: 64
type: array
x-kubernetes-list-type: set
type: object
@@ -8342,7 +8287,6 @@ spec:
request must be set to the actual number of bytes forwarded.
items:
type: string
- maxItems: 64
type: array
x-kubernetes-list-type: set
allowedResponseHeaders:
@@ -8354,7 +8298,6 @@ spec:
except Authority or Host must be copied.
items:
type: string
- maxItems: 64
type: array
x-kubernetes-list-type: set
path:
@@ -8459,14 +8402,10 @@ spec:
pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
type: string
value:
- description: |-
- Value is the value of HTTP Header to be matched.
-
- Must consist of printable US-ASCII characters, optionally separated
- by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2
+ description: Value is the value of HTTP
+ Header to be matched.
maxLength: 4096
minLength: 1
- pattern: ^[!-~]+([\t ]?[!-~]+)*$
type: string
required:
- name
@@ -8538,14 +8477,10 @@ spec:
pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
type: string
value:
- description: |-
- Value is the value of HTTP Header to be matched.
-
- Must consist of printable US-ASCII characters, optionally separated
- by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2
+ description: Value is the value of HTTP
+ Header to be matched.
maxLength: 4096
minLength: 1
- pattern: ^[!-~]+([\t ]?[!-~]+)*$
type: string
required:
- name
@@ -8856,9 +8791,6 @@ spec:
enum:
- 301
- 302
- - 303
- - 307
- - 308
type: integer
type: object
responseHeaderModifier:
@@ -8906,14 +8838,10 @@ spec:
pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
type: string
value:
- description: |-
- Value is the value of HTTP Header to be matched.
-
- Must consist of printable US-ASCII characters, optionally separated
- by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2
+ description: Value is the value of HTTP
+ Header to be matched.
maxLength: 4096
minLength: 1
- pattern: ^[!-~]+([\t ]?[!-~]+)*$
type: string
required:
- name
@@ -8985,14 +8913,10 @@ spec:
pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
type: string
value:
- description: |-
- Value is the value of HTTP Header to be matched.
-
- Must consist of printable US-ASCII characters, optionally separated
- by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2
+ description: Value is the value of HTTP
+ Header to be matched.
maxLength: 4096
minLength: 1
- pattern: ^[!-~]+([\t ]?[!-~]+)*$
type: string
required:
- name
@@ -9805,7 +9729,6 @@ spec:
If the list has entries, only those entries must be sent.
items:
type: string
- maxItems: 64
type: array
x-kubernetes-list-type: set
type: object
@@ -9844,7 +9767,6 @@ spec:
request must be set to the actual number of bytes forwarded.
items:
type: string
- maxItems: 64
type: array
x-kubernetes-list-type: set
allowedResponseHeaders:
@@ -9856,7 +9778,6 @@ spec:
except Authority or Host must be copied.
items:
type: string
- maxItems: 64
type: array
x-kubernetes-list-type: set
path:
@@ -9958,14 +9879,10 @@ spec:
pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
type: string
value:
- description: |-
- Value is the value of HTTP Header to be matched.
-
- Must consist of printable US-ASCII characters, optionally separated
- by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2
+ description: Value is the value of HTTP Header
+ to be matched.
maxLength: 4096
minLength: 1
- pattern: ^[!-~]+([\t ]?[!-~]+)*$
type: string
required:
- name
@@ -10036,14 +9953,10 @@ spec:
pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
type: string
value:
- description: |-
- Value is the value of HTTP Header to be matched.
-
- Must consist of printable US-ASCII characters, optionally separated
- by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2
+ description: Value is the value of HTTP Header
+ to be matched.
maxLength: 4096
minLength: 1
- pattern: ^[!-~]+([\t ]?[!-~]+)*$
type: string
required:
- name
@@ -10354,9 +10267,6 @@ spec:
enum:
- 301
- 302
- - 303
- - 307
- - 308
type: integer
type: object
responseHeaderModifier:
@@ -10403,14 +10313,10 @@ spec:
pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
type: string
value:
- description: |-
- Value is the value of HTTP Header to be matched.
-
- Must consist of printable US-ASCII characters, optionally separated
- by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2
+ description: Value is the value of HTTP Header
+ to be matched.
maxLength: 4096
minLength: 1
- pattern: ^[!-~]+([\t ]?[!-~]+)*$
type: string
required:
- name
@@ -10481,14 +10387,10 @@ spec:
pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
type: string
value:
- description: |-
- Value is the value of HTTP Header to be matched.
-
- Must consist of printable US-ASCII characters, optionally separated
- by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2
+ description: Value is the value of HTTP Header
+ to be matched.
maxLength: 4096
minLength: 1
- pattern: ^[!-~]+([\t ]?[!-~]+)*$
type: string
required:
- name
@@ -10822,14 +10724,10 @@ spec:
- RegularExpression
type: string
value:
- description: |-
- Value is the value of HTTP Header to be matched.
-
- Must consist of printable US-ASCII characters, optionally separated
- by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2
+ description: Value is the value of HTTP Header to
+ be matched.
maxLength: 4096
minLength: 1
- pattern: ^[!-~]+([\t ]?[!-~]+)*$
type: string
required:
- name
@@ -12509,7 +12407,6 @@ spec:
If the list has entries, only those entries must be sent.
items:
type: string
- maxItems: 64
type: array
x-kubernetes-list-type: set
type: object
@@ -12548,7 +12445,6 @@ spec:
request must be set to the actual number of bytes forwarded.
items:
type: string
- maxItems: 64
type: array
x-kubernetes-list-type: set
allowedResponseHeaders:
@@ -12560,7 +12456,6 @@ spec:
except Authority or Host must be copied.
items:
type: string
- maxItems: 64
type: array
x-kubernetes-list-type: set
path:
@@ -12665,14 +12560,10 @@ spec:
pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
type: string
value:
- description: |-
- Value is the value of HTTP Header to be matched.
-
- Must consist of printable US-ASCII characters, optionally separated
- by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2
+ description: Value is the value of HTTP
+ Header to be matched.
maxLength: 4096
minLength: 1
- pattern: ^[!-~]+([\t ]?[!-~]+)*$
type: string
required:
- name
@@ -12744,14 +12635,10 @@ spec:
pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
type: string
value:
- description: |-
- Value is the value of HTTP Header to be matched.
-
- Must consist of printable US-ASCII characters, optionally separated
- by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2
+ description: Value is the value of HTTP
+ Header to be matched.
maxLength: 4096
minLength: 1
- pattern: ^[!-~]+([\t ]?[!-~]+)*$
type: string
required:
- name
@@ -13062,9 +12949,6 @@ spec:
enum:
- 301
- 302
- - 303
- - 307
- - 308
type: integer
type: object
responseHeaderModifier:
@@ -13112,14 +12996,10 @@ spec:
pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
type: string
value:
- description: |-
- Value is the value of HTTP Header to be matched.
-
- Must consist of printable US-ASCII characters, optionally separated
- by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2
+ description: Value is the value of HTTP
+ Header to be matched.
maxLength: 4096
minLength: 1
- pattern: ^[!-~]+([\t ]?[!-~]+)*$
type: string
required:
- name
@@ -13191,14 +13071,10 @@ spec:
pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
type: string
value:
- description: |-
- Value is the value of HTTP Header to be matched.
-
- Must consist of printable US-ASCII characters, optionally separated
- by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2
+ description: Value is the value of HTTP
+ Header to be matched.
maxLength: 4096
minLength: 1
- pattern: ^[!-~]+([\t ]?[!-~]+)*$
type: string
required:
- name
@@ -14011,7 +13887,6 @@ spec:
If the list has entries, only those entries must be sent.
items:
type: string
- maxItems: 64
type: array
x-kubernetes-list-type: set
type: object
@@ -14050,7 +13925,6 @@ spec:
request must be set to the actual number of bytes forwarded.
items:
type: string
- maxItems: 64
type: array
x-kubernetes-list-type: set
allowedResponseHeaders:
@@ -14062,7 +13936,6 @@ spec:
except Authority or Host must be copied.
items:
type: string
- maxItems: 64
type: array
x-kubernetes-list-type: set
path:
@@ -14164,14 +14037,10 @@ spec:
pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
type: string
value:
- description: |-
- Value is the value of HTTP Header to be matched.
-
- Must consist of printable US-ASCII characters, optionally separated
- by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2
+ description: Value is the value of HTTP Header
+ to be matched.
maxLength: 4096
minLength: 1
- pattern: ^[!-~]+([\t ]?[!-~]+)*$
type: string
required:
- name
@@ -14242,14 +14111,10 @@ spec:
pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
type: string
value:
- description: |-
- Value is the value of HTTP Header to be matched.
-
- Must consist of printable US-ASCII characters, optionally separated
- by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2
+ description: Value is the value of HTTP Header
+ to be matched.
maxLength: 4096
minLength: 1
- pattern: ^[!-~]+([\t ]?[!-~]+)*$
type: string
required:
- name
@@ -14560,9 +14425,6 @@ spec:
enum:
- 301
- 302
- - 303
- - 307
- - 308
type: integer
type: object
responseHeaderModifier:
@@ -14609,14 +14471,10 @@ spec:
pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
type: string
value:
- description: |-
- Value is the value of HTTP Header to be matched.
-
- Must consist of printable US-ASCII characters, optionally separated
- by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2
+ description: Value is the value of HTTP Header
+ to be matched.
maxLength: 4096
minLength: 1
- pattern: ^[!-~]+([\t ]?[!-~]+)*$
type: string
required:
- name
@@ -14687,14 +14545,10 @@ spec:
pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
type: string
value:
- description: |-
- Value is the value of HTTP Header to be matched.
-
- Must consist of printable US-ASCII characters, optionally separated
- by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2
+ description: Value is the value of HTTP Header
+ to be matched.
maxLength: 4096
minLength: 1
- pattern: ^[!-~]+([\t ]?[!-~]+)*$
type: string
required:
- name
@@ -15028,14 +14882,10 @@ spec:
- RegularExpression
type: string
value:
- description: |-
- Value is the value of HTTP Header to be matched.
-
- Must consist of printable US-ASCII characters, optionally separated
- by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2
+ description: Value is the value of HTTP Header to
+ be matched.
maxLength: 4096
minLength: 1
- pattern: ^[!-~]+([\t ]?[!-~]+)*$
type: string
required:
- name
@@ -28705,12 +28555,16 @@ spec:
If unspecified, the default filter order is applied.
Default filter order is:
+ - envoy.filters.http.custom_response
+
- envoy.filters.http.health_check
- envoy.filters.http.fault
- envoy.filters.http.cors
+ - envoy.filters.http.header_mutation
+
- envoy.filters.http.ext_authz
- envoy.filters.http.api_key_auth
@@ -28741,8 +28595,6 @@ spec:
- envoy.filters.http.grpc_stats
- - envoy.filters.http.custom_response
-
- envoy.filters.http.credential_injector
- envoy.filters.http.compressor
@@ -28759,9 +28611,11 @@ spec:
After defines the filter that should come after the filter.
Only one of Before or After must be set.
enum:
+ - envoy.filters.http.custom_response
- envoy.filters.http.health_check
- envoy.filters.http.fault
- envoy.filters.http.cors
+ - envoy.filters.http.header_mutation
- envoy.filters.http.ext_authz
- envoy.filters.http.api_key_auth
- envoy.filters.http.basic_auth
@@ -28777,18 +28631,20 @@ spec:
- envoy.filters.http.ratelimit
- envoy.filters.http.grpc_web
- envoy.filters.http.grpc_stats
- - envoy.filters.http.custom_response
- envoy.filters.http.credential_injector
- envoy.filters.http.compressor
+ - envoy.filters.http.dynamic_forward_proxy
type: string
before:
description: |-
Before defines the filter that should come before the filter.
Only one of Before or After must be set.
enum:
+ - envoy.filters.http.custom_response
- envoy.filters.http.health_check
- envoy.filters.http.fault
- envoy.filters.http.cors
+ - envoy.filters.http.header_mutation
- envoy.filters.http.ext_authz
- envoy.filters.http.api_key_auth
- envoy.filters.http.basic_auth
@@ -28804,16 +28660,18 @@ spec:
- envoy.filters.http.ratelimit
- envoy.filters.http.grpc_web
- envoy.filters.http.grpc_stats
- - envoy.filters.http.custom_response
- envoy.filters.http.credential_injector
- envoy.filters.http.compressor
+ - envoy.filters.http.dynamic_forward_proxy
type: string
name:
description: Name of the filter.
enum:
+ - envoy.filters.http.custom_response
- envoy.filters.http.health_check
- envoy.filters.http.fault
- envoy.filters.http.cors
+ - envoy.filters.http.header_mutation
- envoy.filters.http.ext_authz
- envoy.filters.http.api_key_auth
- envoy.filters.http.basic_auth
@@ -28829,9 +28687,9 @@ spec:
- envoy.filters.http.ratelimit
- envoy.filters.http.grpc_web
- envoy.filters.http.grpc_stats
- - envoy.filters.http.custom_response
- envoy.filters.http.credential_injector
- envoy.filters.http.compressor
+ - envoy.filters.http.dynamic_forward_proxy
type: string
required:
- name
diff --git a/test/helm/gateway-crds-helm/envoy-gateway-crds.out.yaml b/test/helm/gateway-crds-helm/envoy-gateway-crds.out.yaml
index 8650f978b9..8a33ea9f4e 100644
--- a/test/helm/gateway-crds-helm/envoy-gateway-crds.out.yaml
+++ b/test/helm/gateway-crds-helm/envoy-gateway-crds.out.yaml
@@ -7885,12 +7885,16 @@ spec:
If unspecified, the default filter order is applied.
Default filter order is:
+ - envoy.filters.http.custom_response
+
- envoy.filters.http.health_check
- envoy.filters.http.fault
- envoy.filters.http.cors
+ - envoy.filters.http.header_mutation
+
- envoy.filters.http.ext_authz
- envoy.filters.http.api_key_auth
@@ -7921,8 +7925,6 @@ spec:
- envoy.filters.http.grpc_stats
- - envoy.filters.http.custom_response
-
- envoy.filters.http.credential_injector
- envoy.filters.http.compressor
@@ -7939,9 +7941,11 @@ spec:
After defines the filter that should come after the filter.
Only one of Before or After must be set.
enum:
+ - envoy.filters.http.custom_response
- envoy.filters.http.health_check
- envoy.filters.http.fault
- envoy.filters.http.cors
+ - envoy.filters.http.header_mutation
- envoy.filters.http.ext_authz
- envoy.filters.http.api_key_auth
- envoy.filters.http.basic_auth
@@ -7957,18 +7961,20 @@ spec:
- envoy.filters.http.ratelimit
- envoy.filters.http.grpc_web
- envoy.filters.http.grpc_stats
- - envoy.filters.http.custom_response
- envoy.filters.http.credential_injector
- envoy.filters.http.compressor
+ - envoy.filters.http.dynamic_forward_proxy
type: string
before:
description: |-
Before defines the filter that should come before the filter.
Only one of Before or After must be set.
enum:
+ - envoy.filters.http.custom_response
- envoy.filters.http.health_check
- envoy.filters.http.fault
- envoy.filters.http.cors
+ - envoy.filters.http.header_mutation
- envoy.filters.http.ext_authz
- envoy.filters.http.api_key_auth
- envoy.filters.http.basic_auth
@@ -7984,16 +7990,18 @@ spec:
- envoy.filters.http.ratelimit
- envoy.filters.http.grpc_web
- envoy.filters.http.grpc_stats
- - envoy.filters.http.custom_response
- envoy.filters.http.credential_injector
- envoy.filters.http.compressor
+ - envoy.filters.http.dynamic_forward_proxy
type: string
name:
description: Name of the filter.
enum:
+ - envoy.filters.http.custom_response
- envoy.filters.http.health_check
- envoy.filters.http.fault
- envoy.filters.http.cors
+ - envoy.filters.http.header_mutation
- envoy.filters.http.ext_authz
- envoy.filters.http.api_key_auth
- envoy.filters.http.basic_auth
@@ -8009,9 +8017,9 @@ spec:
- envoy.filters.http.ratelimit
- envoy.filters.http.grpc_web
- envoy.filters.http.grpc_stats
- - envoy.filters.http.custom_response
- envoy.filters.http.credential_injector
- envoy.filters.http.compressor
+ - envoy.filters.http.dynamic_forward_proxy
type: string
required:
- name
diff --git a/test/helm/gateway-crds-helm/gateway-api-crds.out.yaml b/test/helm/gateway-crds-helm/gateway-api-crds.out.yaml
index e84e2dfe9d..76654b403d 100644
--- a/test/helm/gateway-crds-helm/gateway-api-crds.out.yaml
+++ b/test/helm/gateway-crds-helm/gateway-api-crds.out.yaml
@@ -2845,30 +2845,19 @@ spec:
properties:
clientCertificateRef:
description: |-
- ClientCertificateRef references an object that contains a client certificate
- and its associated private key. It can reference standard Kubernetes resources,
- i.e., Secret, or implementation-specific custom resources.
-
- A ClientCertificateRef is considered invalid if:
-
- * It refers to a resource that cannot be resolved (e.g., the referenced resource
- does not exist) or is misconfigured (e.g., a Secret does not contain the keys
- named `tls.crt` and `tls.key`). In this case, the `ResolvedRefs` condition
- on the Gateway MUST be set to False with the Reason `InvalidClientCertificateRef`
- and the Message of the Condition MUST indicate why the reference is invalid.
-
- * It refers to a resource in another namespace UNLESS there is a ReferenceGrant
- in the target namespace that allows the certificate to be attached.
- If a ReferenceGrant does not allow this reference, the `ResolvedRefs` condition
- on the Gateway MUST be set to False with the Reason `RefNotPermitted`.
-
- Implementations MAY choose to perform further validation of the certificate
- content (e.g., checking expiry or enforcing specific formats). In such cases,
- an implementation-specific Reason and Message MUST be set.
-
- Support: Core - Reference to a Kubernetes TLS Secret (with the type `kubernetes.io/tls`).
- Support: Implementation-specific - Other resource kinds or Secrets with a
- different type (e.g., `Opaque`).
+ ClientCertificateRef is a reference to an object that contains a Client
+ Certificate and the associated private key.
+
+ References to a resource in different namespace are invalid UNLESS there
+ is a ReferenceGrant in the target namespace that allows the certificate
+ to be attached. If a ReferenceGrant does not allow this reference, the
+ "ResolvedRefs" condition MUST be set to False for this listener with the
+ "RefNotPermitted" reason.
+
+ ClientCertificateRef can reference to standard Kubernetes resources, i.e.
+ Secret, or implementation-specific custom resources.
+
+ Support: Core
properties:
group:
default: ""
@@ -4433,30 +4422,19 @@ spec:
properties:
clientCertificateRef:
description: |-
- ClientCertificateRef references an object that contains a client certificate
- and its associated private key. It can reference standard Kubernetes resources,
- i.e., Secret, or implementation-specific custom resources.
-
- A ClientCertificateRef is considered invalid if:
-
- * It refers to a resource that cannot be resolved (e.g., the referenced resource
- does not exist) or is misconfigured (e.g., a Secret does not contain the keys
- named `tls.crt` and `tls.key`). In this case, the `ResolvedRefs` condition
- on the Gateway MUST be set to False with the Reason `InvalidClientCertificateRef`
- and the Message of the Condition MUST indicate why the reference is invalid.
-
- * It refers to a resource in another namespace UNLESS there is a ReferenceGrant
- in the target namespace that allows the certificate to be attached.
- If a ReferenceGrant does not allow this reference, the `ResolvedRefs` condition
- on the Gateway MUST be set to False with the Reason `RefNotPermitted`.
-
- Implementations MAY choose to perform further validation of the certificate
- content (e.g., checking expiry or enforcing specific formats). In such cases,
- an implementation-specific Reason and Message MUST be set.
-
- Support: Core - Reference to a Kubernetes TLS Secret (with the type `kubernetes.io/tls`).
- Support: Implementation-specific - Other resource kinds or Secrets with a
- different type (e.g., `Opaque`).
+ ClientCertificateRef is a reference to an object that contains a Client
+ Certificate and the associated private key.
+
+ References to a resource in different namespace are invalid UNLESS there
+ is a ReferenceGrant in the target namespace that allows the certificate
+ to be attached. If a ReferenceGrant does not allow this reference, the
+ "ResolvedRefs" condition MUST be set to False for this listener with the
+ "RefNotPermitted" reason.
+
+ ClientCertificateRef can reference to standard Kubernetes resources, i.e.
+ Secret, or implementation-specific custom resources.
+
+ Support: Core
properties:
group:
default: ""
@@ -5651,14 +5629,10 @@ spec:
pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
type: string
value:
- description: |-
- Value is the value of HTTP Header to be matched.
-
- Must consist of printable US-ASCII characters, optionally separated
- by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2
+ description: Value is the value of HTTP
+ Header to be matched.
maxLength: 4096
minLength: 1
- pattern: ^[!-~]+([\t ]?[!-~]+)*$
type: string
required:
- name
@@ -5730,14 +5704,10 @@ spec:
pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
type: string
value:
- description: |-
- Value is the value of HTTP Header to be matched.
-
- Must consist of printable US-ASCII characters, optionally separated
- by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2
+ description: Value is the value of HTTP
+ Header to be matched.
maxLength: 4096
minLength: 1
- pattern: ^[!-~]+([\t ]?[!-~]+)*$
type: string
required:
- name
@@ -5942,14 +5912,10 @@ spec:
pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
type: string
value:
- description: |-
- Value is the value of HTTP Header to be matched.
-
- Must consist of printable US-ASCII characters, optionally separated
- by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2
+ description: Value is the value of HTTP
+ Header to be matched.
maxLength: 4096
minLength: 1
- pattern: ^[!-~]+([\t ]?[!-~]+)*$
type: string
required:
- name
@@ -6021,14 +5987,10 @@ spec:
pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
type: string
value:
- description: |-
- Value is the value of HTTP Header to be matched.
-
- Must consist of printable US-ASCII characters, optionally separated
- by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2
+ description: Value is the value of HTTP
+ Header to be matched.
maxLength: 4096
minLength: 1
- pattern: ^[!-~]+([\t ]?[!-~]+)*$
type: string
required:
- name
@@ -6319,14 +6281,10 @@ spec:
pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
type: string
value:
- description: |-
- Value is the value of HTTP Header to be matched.
-
- Must consist of printable US-ASCII characters, optionally separated
- by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2
+ description: Value is the value of HTTP Header
+ to be matched.
maxLength: 4096
minLength: 1
- pattern: ^[!-~]+([\t ]?[!-~]+)*$
type: string
required:
- name
@@ -6397,14 +6355,10 @@ spec:
pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
type: string
value:
- description: |-
- Value is the value of HTTP Header to be matched.
-
- Must consist of printable US-ASCII characters, optionally separated
- by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2
+ description: Value is the value of HTTP Header
+ to be matched.
maxLength: 4096
minLength: 1
- pattern: ^[!-~]+([\t ]?[!-~]+)*$
type: string
required:
- name
@@ -6608,14 +6562,10 @@ spec:
pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
type: string
value:
- description: |-
- Value is the value of HTTP Header to be matched.
-
- Must consist of printable US-ASCII characters, optionally separated
- by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2
+ description: Value is the value of HTTP Header
+ to be matched.
maxLength: 4096
minLength: 1
- pattern: ^[!-~]+([\t ]?[!-~]+)*$
type: string
required:
- name
@@ -6686,14 +6636,10 @@ spec:
pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
type: string
value:
- description: |-
- Value is the value of HTTP Header to be matched.
-
- Must consist of printable US-ASCII characters, optionally separated
- by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2
+ description: Value is the value of HTTP Header
+ to be matched.
maxLength: 4096
minLength: 1
- pattern: ^[!-~]+([\t ]?[!-~]+)*$
type: string
required:
- name
@@ -8303,7 +8249,6 @@ spec:
If the list has entries, only those entries must be sent.
items:
type: string
- maxItems: 64
type: array
x-kubernetes-list-type: set
type: object
@@ -8342,7 +8287,6 @@ spec:
request must be set to the actual number of bytes forwarded.
items:
type: string
- maxItems: 64
type: array
x-kubernetes-list-type: set
allowedResponseHeaders:
@@ -8354,7 +8298,6 @@ spec:
except Authority or Host must be copied.
items:
type: string
- maxItems: 64
type: array
x-kubernetes-list-type: set
path:
@@ -8459,14 +8402,10 @@ spec:
pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
type: string
value:
- description: |-
- Value is the value of HTTP Header to be matched.
-
- Must consist of printable US-ASCII characters, optionally separated
- by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2
+ description: Value is the value of HTTP
+ Header to be matched.
maxLength: 4096
minLength: 1
- pattern: ^[!-~]+([\t ]?[!-~]+)*$
type: string
required:
- name
@@ -8538,14 +8477,10 @@ spec:
pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
type: string
value:
- description: |-
- Value is the value of HTTP Header to be matched.
-
- Must consist of printable US-ASCII characters, optionally separated
- by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2
+ description: Value is the value of HTTP
+ Header to be matched.
maxLength: 4096
minLength: 1
- pattern: ^[!-~]+([\t ]?[!-~]+)*$
type: string
required:
- name
@@ -8856,9 +8791,6 @@ spec:
enum:
- 301
- 302
- - 303
- - 307
- - 308
type: integer
type: object
responseHeaderModifier:
@@ -8906,14 +8838,10 @@ spec:
pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
type: string
value:
- description: |-
- Value is the value of HTTP Header to be matched.
-
- Must consist of printable US-ASCII characters, optionally separated
- by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2
+ description: Value is the value of HTTP
+ Header to be matched.
maxLength: 4096
minLength: 1
- pattern: ^[!-~]+([\t ]?[!-~]+)*$
type: string
required:
- name
@@ -8985,14 +8913,10 @@ spec:
pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
type: string
value:
- description: |-
- Value is the value of HTTP Header to be matched.
-
- Must consist of printable US-ASCII characters, optionally separated
- by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2
+ description: Value is the value of HTTP
+ Header to be matched.
maxLength: 4096
minLength: 1
- pattern: ^[!-~]+([\t ]?[!-~]+)*$
type: string
required:
- name
@@ -9805,7 +9729,6 @@ spec:
If the list has entries, only those entries must be sent.
items:
type: string
- maxItems: 64
type: array
x-kubernetes-list-type: set
type: object
@@ -9844,7 +9767,6 @@ spec:
request must be set to the actual number of bytes forwarded.
items:
type: string
- maxItems: 64
type: array
x-kubernetes-list-type: set
allowedResponseHeaders:
@@ -9856,7 +9778,6 @@ spec:
except Authority or Host must be copied.
items:
type: string
- maxItems: 64
type: array
x-kubernetes-list-type: set
path:
@@ -9958,14 +9879,10 @@ spec:
pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
type: string
value:
- description: |-
- Value is the value of HTTP Header to be matched.
-
- Must consist of printable US-ASCII characters, optionally separated
- by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2
+ description: Value is the value of HTTP Header
+ to be matched.
maxLength: 4096
minLength: 1
- pattern: ^[!-~]+([\t ]?[!-~]+)*$
type: string
required:
- name
@@ -10036,14 +9953,10 @@ spec:
pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
type: string
value:
- description: |-
- Value is the value of HTTP Header to be matched.
-
- Must consist of printable US-ASCII characters, optionally separated
- by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2
+ description: Value is the value of HTTP Header
+ to be matched.
maxLength: 4096
minLength: 1
- pattern: ^[!-~]+([\t ]?[!-~]+)*$
type: string
required:
- name
@@ -10354,9 +10267,6 @@ spec:
enum:
- 301
- 302
- - 303
- - 307
- - 308
type: integer
type: object
responseHeaderModifier:
@@ -10403,14 +10313,10 @@ spec:
pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
type: string
value:
- description: |-
- Value is the value of HTTP Header to be matched.
-
- Must consist of printable US-ASCII characters, optionally separated
- by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2
+ description: Value is the value of HTTP Header
+ to be matched.
maxLength: 4096
minLength: 1
- pattern: ^[!-~]+([\t ]?[!-~]+)*$
type: string
required:
- name
@@ -10481,14 +10387,10 @@ spec:
pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
type: string
value:
- description: |-
- Value is the value of HTTP Header to be matched.
-
- Must consist of printable US-ASCII characters, optionally separated
- by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2
+ description: Value is the value of HTTP Header
+ to be matched.
maxLength: 4096
minLength: 1
- pattern: ^[!-~]+([\t ]?[!-~]+)*$
type: string
required:
- name
@@ -10822,14 +10724,10 @@ spec:
- RegularExpression
type: string
value:
- description: |-
- Value is the value of HTTP Header to be matched.
-
- Must consist of printable US-ASCII characters, optionally separated
- by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2
+ description: Value is the value of HTTP Header to
+ be matched.
maxLength: 4096
minLength: 1
- pattern: ^[!-~]+([\t ]?[!-~]+)*$
type: string
required:
- name
@@ -12509,7 +12407,6 @@ spec:
If the list has entries, only those entries must be sent.
items:
type: string
- maxItems: 64
type: array
x-kubernetes-list-type: set
type: object
@@ -12548,7 +12445,6 @@ spec:
request must be set to the actual number of bytes forwarded.
items:
type: string
- maxItems: 64
type: array
x-kubernetes-list-type: set
allowedResponseHeaders:
@@ -12560,7 +12456,6 @@ spec:
except Authority or Host must be copied.
items:
type: string
- maxItems: 64
type: array
x-kubernetes-list-type: set
path:
@@ -12665,14 +12560,10 @@ spec:
pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
type: string
value:
- description: |-
- Value is the value of HTTP Header to be matched.
-
- Must consist of printable US-ASCII characters, optionally separated
- by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2
+ description: Value is the value of HTTP
+ Header to be matched.
maxLength: 4096
minLength: 1
- pattern: ^[!-~]+([\t ]?[!-~]+)*$
type: string
required:
- name
@@ -12744,14 +12635,10 @@ spec:
pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
type: string
value:
- description: |-
- Value is the value of HTTP Header to be matched.
-
- Must consist of printable US-ASCII characters, optionally separated
- by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2
+ description: Value is the value of HTTP
+ Header to be matched.
maxLength: 4096
minLength: 1
- pattern: ^[!-~]+([\t ]?[!-~]+)*$
type: string
required:
- name
@@ -13062,9 +12949,6 @@ spec:
enum:
- 301
- 302
- - 303
- - 307
- - 308
type: integer
type: object
responseHeaderModifier:
@@ -13112,14 +12996,10 @@ spec:
pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
type: string
value:
- description: |-
- Value is the value of HTTP Header to be matched.
-
- Must consist of printable US-ASCII characters, optionally separated
- by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2
+ description: Value is the value of HTTP
+ Header to be matched.
maxLength: 4096
minLength: 1
- pattern: ^[!-~]+([\t ]?[!-~]+)*$
type: string
required:
- name
@@ -13191,14 +13071,10 @@ spec:
pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
type: string
value:
- description: |-
- Value is the value of HTTP Header to be matched.
-
- Must consist of printable US-ASCII characters, optionally separated
- by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2
+ description: Value is the value of HTTP
+ Header to be matched.
maxLength: 4096
minLength: 1
- pattern: ^[!-~]+([\t ]?[!-~]+)*$
type: string
required:
- name
@@ -14011,7 +13887,6 @@ spec:
If the list has entries, only those entries must be sent.
items:
type: string
- maxItems: 64
type: array
x-kubernetes-list-type: set
type: object
@@ -14050,7 +13925,6 @@ spec:
request must be set to the actual number of bytes forwarded.
items:
type: string
- maxItems: 64
type: array
x-kubernetes-list-type: set
allowedResponseHeaders:
@@ -14062,7 +13936,6 @@ spec:
except Authority or Host must be copied.
items:
type: string
- maxItems: 64
type: array
x-kubernetes-list-type: set
path:
@@ -14164,14 +14037,10 @@ spec:
pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
type: string
value:
- description: |-
- Value is the value of HTTP Header to be matched.
-
- Must consist of printable US-ASCII characters, optionally separated
- by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2
+ description: Value is the value of HTTP Header
+ to be matched.
maxLength: 4096
minLength: 1
- pattern: ^[!-~]+([\t ]?[!-~]+)*$
type: string
required:
- name
@@ -14242,14 +14111,10 @@ spec:
pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
type: string
value:
- description: |-
- Value is the value of HTTP Header to be matched.
-
- Must consist of printable US-ASCII characters, optionally separated
- by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2
+ description: Value is the value of HTTP Header
+ to be matched.
maxLength: 4096
minLength: 1
- pattern: ^[!-~]+([\t ]?[!-~]+)*$
type: string
required:
- name
@@ -14560,9 +14425,6 @@ spec:
enum:
- 301
- 302
- - 303
- - 307
- - 308
type: integer
type: object
responseHeaderModifier:
@@ -14609,14 +14471,10 @@ spec:
pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
type: string
value:
- description: |-
- Value is the value of HTTP Header to be matched.
-
- Must consist of printable US-ASCII characters, optionally separated
- by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2
+ description: Value is the value of HTTP Header
+ to be matched.
maxLength: 4096
minLength: 1
- pattern: ^[!-~]+([\t ]?[!-~]+)*$
type: string
required:
- name
@@ -14687,14 +14545,10 @@ spec:
pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
type: string
value:
- description: |-
- Value is the value of HTTP Header to be matched.
-
- Must consist of printable US-ASCII characters, optionally separated
- by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2
+ description: Value is the value of HTTP Header
+ to be matched.
maxLength: 4096
minLength: 1
- pattern: ^[!-~]+([\t ]?[!-~]+)*$
type: string
required:
- name
@@ -15028,14 +14882,10 @@ spec:
- RegularExpression
type: string
value:
- description: |-
- Value is the value of HTTP Header to be matched.
-
- Must consist of printable US-ASCII characters, optionally separated
- by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2
+ description: Value is the value of HTTP Header to
+ be matched.
maxLength: 4096
minLength: 1
- pattern: ^[!-~]+([\t ]?[!-~]+)*$
type: string
required:
- name
diff --git a/test/helm/gateway-crds-helm/gateway-api-experimental-crds.out.yaml b/test/helm/gateway-crds-helm/gateway-api-experimental-crds.out.yaml
index e84e2dfe9d..76654b403d 100644
--- a/test/helm/gateway-crds-helm/gateway-api-experimental-crds.out.yaml
+++ b/test/helm/gateway-crds-helm/gateway-api-experimental-crds.out.yaml
@@ -2845,30 +2845,19 @@ spec:
properties:
clientCertificateRef:
description: |-
- ClientCertificateRef references an object that contains a client certificate
- and its associated private key. It can reference standard Kubernetes resources,
- i.e., Secret, or implementation-specific custom resources.
-
- A ClientCertificateRef is considered invalid if:
-
- * It refers to a resource that cannot be resolved (e.g., the referenced resource
- does not exist) or is misconfigured (e.g., a Secret does not contain the keys
- named `tls.crt` and `tls.key`). In this case, the `ResolvedRefs` condition
- on the Gateway MUST be set to False with the Reason `InvalidClientCertificateRef`
- and the Message of the Condition MUST indicate why the reference is invalid.
-
- * It refers to a resource in another namespace UNLESS there is a ReferenceGrant
- in the target namespace that allows the certificate to be attached.
- If a ReferenceGrant does not allow this reference, the `ResolvedRefs` condition
- on the Gateway MUST be set to False with the Reason `RefNotPermitted`.
-
- Implementations MAY choose to perform further validation of the certificate
- content (e.g., checking expiry or enforcing specific formats). In such cases,
- an implementation-specific Reason and Message MUST be set.
-
- Support: Core - Reference to a Kubernetes TLS Secret (with the type `kubernetes.io/tls`).
- Support: Implementation-specific - Other resource kinds or Secrets with a
- different type (e.g., `Opaque`).
+ ClientCertificateRef is a reference to an object that contains a Client
+ Certificate and the associated private key.
+
+ References to a resource in different namespace are invalid UNLESS there
+ is a ReferenceGrant in the target namespace that allows the certificate
+ to be attached. If a ReferenceGrant does not allow this reference, the
+ "ResolvedRefs" condition MUST be set to False for this listener with the
+ "RefNotPermitted" reason.
+
+ ClientCertificateRef can reference to standard Kubernetes resources, i.e.
+ Secret, or implementation-specific custom resources.
+
+ Support: Core
properties:
group:
default: ""
@@ -4433,30 +4422,19 @@ spec:
properties:
clientCertificateRef:
description: |-
- ClientCertificateRef references an object that contains a client certificate
- and its associated private key. It can reference standard Kubernetes resources,
- i.e., Secret, or implementation-specific custom resources.
-
- A ClientCertificateRef is considered invalid if:
-
- * It refers to a resource that cannot be resolved (e.g., the referenced resource
- does not exist) or is misconfigured (e.g., a Secret does not contain the keys
- named `tls.crt` and `tls.key`). In this case, the `ResolvedRefs` condition
- on the Gateway MUST be set to False with the Reason `InvalidClientCertificateRef`
- and the Message of the Condition MUST indicate why the reference is invalid.
-
- * It refers to a resource in another namespace UNLESS there is a ReferenceGrant
- in the target namespace that allows the certificate to be attached.
- If a ReferenceGrant does not allow this reference, the `ResolvedRefs` condition
- on the Gateway MUST be set to False with the Reason `RefNotPermitted`.
-
- Implementations MAY choose to perform further validation of the certificate
- content (e.g., checking expiry or enforcing specific formats). In such cases,
- an implementation-specific Reason and Message MUST be set.
-
- Support: Core - Reference to a Kubernetes TLS Secret (with the type `kubernetes.io/tls`).
- Support: Implementation-specific - Other resource kinds or Secrets with a
- different type (e.g., `Opaque`).
+ ClientCertificateRef is a reference to an object that contains a Client
+ Certificate and the associated private key.
+
+ References to a resource in different namespace are invalid UNLESS there
+ is a ReferenceGrant in the target namespace that allows the certificate
+ to be attached. If a ReferenceGrant does not allow this reference, the
+ "ResolvedRefs" condition MUST be set to False for this listener with the
+ "RefNotPermitted" reason.
+
+ ClientCertificateRef can reference to standard Kubernetes resources, i.e.
+ Secret, or implementation-specific custom resources.
+
+ Support: Core
properties:
group:
default: ""
@@ -5651,14 +5629,10 @@ spec:
pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
type: string
value:
- description: |-
- Value is the value of HTTP Header to be matched.
-
- Must consist of printable US-ASCII characters, optionally separated
- by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2
+ description: Value is the value of HTTP
+ Header to be matched.
maxLength: 4096
minLength: 1
- pattern: ^[!-~]+([\t ]?[!-~]+)*$
type: string
required:
- name
@@ -5730,14 +5704,10 @@ spec:
pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
type: string
value:
- description: |-
- Value is the value of HTTP Header to be matched.
-
- Must consist of printable US-ASCII characters, optionally separated
- by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2
+ description: Value is the value of HTTP
+ Header to be matched.
maxLength: 4096
minLength: 1
- pattern: ^[!-~]+([\t ]?[!-~]+)*$
type: string
required:
- name
@@ -5942,14 +5912,10 @@ spec:
pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
type: string
value:
- description: |-
- Value is the value of HTTP Header to be matched.
-
- Must consist of printable US-ASCII characters, optionally separated
- by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2
+ description: Value is the value of HTTP
+ Header to be matched.
maxLength: 4096
minLength: 1
- pattern: ^[!-~]+([\t ]?[!-~]+)*$
type: string
required:
- name
@@ -6021,14 +5987,10 @@ spec:
pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
type: string
value:
- description: |-
- Value is the value of HTTP Header to be matched.
-
- Must consist of printable US-ASCII characters, optionally separated
- by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2
+ description: Value is the value of HTTP
+ Header to be matched.
maxLength: 4096
minLength: 1
- pattern: ^[!-~]+([\t ]?[!-~]+)*$
type: string
required:
- name
@@ -6319,14 +6281,10 @@ spec:
pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
type: string
value:
- description: |-
- Value is the value of HTTP Header to be matched.
-
- Must consist of printable US-ASCII characters, optionally separated
- by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2
+ description: Value is the value of HTTP Header
+ to be matched.
maxLength: 4096
minLength: 1
- pattern: ^[!-~]+([\t ]?[!-~]+)*$
type: string
required:
- name
@@ -6397,14 +6355,10 @@ spec:
pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
type: string
value:
- description: |-
- Value is the value of HTTP Header to be matched.
-
- Must consist of printable US-ASCII characters, optionally separated
- by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2
+ description: Value is the value of HTTP Header
+ to be matched.
maxLength: 4096
minLength: 1
- pattern: ^[!-~]+([\t ]?[!-~]+)*$
type: string
required:
- name
@@ -6608,14 +6562,10 @@ spec:
pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
type: string
value:
- description: |-
- Value is the value of HTTP Header to be matched.
-
- Must consist of printable US-ASCII characters, optionally separated
- by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2
+ description: Value is the value of HTTP Header
+ to be matched.
maxLength: 4096
minLength: 1
- pattern: ^[!-~]+([\t ]?[!-~]+)*$
type: string
required:
- name
@@ -6686,14 +6636,10 @@ spec:
pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
type: string
value:
- description: |-
- Value is the value of HTTP Header to be matched.
-
- Must consist of printable US-ASCII characters, optionally separated
- by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2
+ description: Value is the value of HTTP Header
+ to be matched.
maxLength: 4096
minLength: 1
- pattern: ^[!-~]+([\t ]?[!-~]+)*$
type: string
required:
- name
@@ -8303,7 +8249,6 @@ spec:
If the list has entries, only those entries must be sent.
items:
type: string
- maxItems: 64
type: array
x-kubernetes-list-type: set
type: object
@@ -8342,7 +8287,6 @@ spec:
request must be set to the actual number of bytes forwarded.
items:
type: string
- maxItems: 64
type: array
x-kubernetes-list-type: set
allowedResponseHeaders:
@@ -8354,7 +8298,6 @@ spec:
except Authority or Host must be copied.
items:
type: string
- maxItems: 64
type: array
x-kubernetes-list-type: set
path:
@@ -8459,14 +8402,10 @@ spec:
pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
type: string
value:
- description: |-
- Value is the value of HTTP Header to be matched.
-
- Must consist of printable US-ASCII characters, optionally separated
- by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2
+ description: Value is the value of HTTP
+ Header to be matched.
maxLength: 4096
minLength: 1
- pattern: ^[!-~]+([\t ]?[!-~]+)*$
type: string
required:
- name
@@ -8538,14 +8477,10 @@ spec:
pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
type: string
value:
- description: |-
- Value is the value of HTTP Header to be matched.
-
- Must consist of printable US-ASCII characters, optionally separated
- by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2
+ description: Value is the value of HTTP
+ Header to be matched.
maxLength: 4096
minLength: 1
- pattern: ^[!-~]+([\t ]?[!-~]+)*$
type: string
required:
- name
@@ -8856,9 +8791,6 @@ spec:
enum:
- 301
- 302
- - 303
- - 307
- - 308
type: integer
type: object
responseHeaderModifier:
@@ -8906,14 +8838,10 @@ spec:
pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
type: string
value:
- description: |-
- Value is the value of HTTP Header to be matched.
-
- Must consist of printable US-ASCII characters, optionally separated
- by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2
+ description: Value is the value of HTTP
+ Header to be matched.
maxLength: 4096
minLength: 1
- pattern: ^[!-~]+([\t ]?[!-~]+)*$
type: string
required:
- name
@@ -8985,14 +8913,10 @@ spec:
pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
type: string
value:
- description: |-
- Value is the value of HTTP Header to be matched.
-
- Must consist of printable US-ASCII characters, optionally separated
- by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2
+ description: Value is the value of HTTP
+ Header to be matched.
maxLength: 4096
minLength: 1
- pattern: ^[!-~]+([\t ]?[!-~]+)*$
type: string
required:
- name
@@ -9805,7 +9729,6 @@ spec:
If the list has entries, only those entries must be sent.
items:
type: string
- maxItems: 64
type: array
x-kubernetes-list-type: set
type: object
@@ -9844,7 +9767,6 @@ spec:
request must be set to the actual number of bytes forwarded.
items:
type: string
- maxItems: 64
type: array
x-kubernetes-list-type: set
allowedResponseHeaders:
@@ -9856,7 +9778,6 @@ spec:
except Authority or Host must be copied.
items:
type: string
- maxItems: 64
type: array
x-kubernetes-list-type: set
path:
@@ -9958,14 +9879,10 @@ spec:
pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
type: string
value:
- description: |-
- Value is the value of HTTP Header to be matched.
-
- Must consist of printable US-ASCII characters, optionally separated
- by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2
+ description: Value is the value of HTTP Header
+ to be matched.
maxLength: 4096
minLength: 1
- pattern: ^[!-~]+([\t ]?[!-~]+)*$
type: string
required:
- name
@@ -10036,14 +9953,10 @@ spec:
pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
type: string
value:
- description: |-
- Value is the value of HTTP Header to be matched.
-
- Must consist of printable US-ASCII characters, optionally separated
- by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2
+ description: Value is the value of HTTP Header
+ to be matched.
maxLength: 4096
minLength: 1
- pattern: ^[!-~]+([\t ]?[!-~]+)*$
type: string
required:
- name
@@ -10354,9 +10267,6 @@ spec:
enum:
- 301
- 302
- - 303
- - 307
- - 308
type: integer
type: object
responseHeaderModifier:
@@ -10403,14 +10313,10 @@ spec:
pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
type: string
value:
- description: |-
- Value is the value of HTTP Header to be matched.
-
- Must consist of printable US-ASCII characters, optionally separated
- by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2
+ description: Value is the value of HTTP Header
+ to be matched.
maxLength: 4096
minLength: 1
- pattern: ^[!-~]+([\t ]?[!-~]+)*$
type: string
required:
- name
@@ -10481,14 +10387,10 @@ spec:
pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
type: string
value:
- description: |-
- Value is the value of HTTP Header to be matched.
-
- Must consist of printable US-ASCII characters, optionally separated
- by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2
+ description: Value is the value of HTTP Header
+ to be matched.
maxLength: 4096
minLength: 1
- pattern: ^[!-~]+([\t ]?[!-~]+)*$
type: string
required:
- name
@@ -10822,14 +10724,10 @@ spec:
- RegularExpression
type: string
value:
- description: |-
- Value is the value of HTTP Header to be matched.
-
- Must consist of printable US-ASCII characters, optionally separated
- by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2
+ description: Value is the value of HTTP Header to
+ be matched.
maxLength: 4096
minLength: 1
- pattern: ^[!-~]+([\t ]?[!-~]+)*$
type: string
required:
- name
@@ -12509,7 +12407,6 @@ spec:
If the list has entries, only those entries must be sent.
items:
type: string
- maxItems: 64
type: array
x-kubernetes-list-type: set
type: object
@@ -12548,7 +12445,6 @@ spec:
request must be set to the actual number of bytes forwarded.
items:
type: string
- maxItems: 64
type: array
x-kubernetes-list-type: set
allowedResponseHeaders:
@@ -12560,7 +12456,6 @@ spec:
except Authority or Host must be copied.
items:
type: string
- maxItems: 64
type: array
x-kubernetes-list-type: set
path:
@@ -12665,14 +12560,10 @@ spec:
pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
type: string
value:
- description: |-
- Value is the value of HTTP Header to be matched.
-
- Must consist of printable US-ASCII characters, optionally separated
- by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2
+ description: Value is the value of HTTP
+ Header to be matched.
maxLength: 4096
minLength: 1
- pattern: ^[!-~]+([\t ]?[!-~]+)*$
type: string
required:
- name
@@ -12744,14 +12635,10 @@ spec:
pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
type: string
value:
- description: |-
- Value is the value of HTTP Header to be matched.
-
- Must consist of printable US-ASCII characters, optionally separated
- by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2
+ description: Value is the value of HTTP
+ Header to be matched.
maxLength: 4096
minLength: 1
- pattern: ^[!-~]+([\t ]?[!-~]+)*$
type: string
required:
- name
@@ -13062,9 +12949,6 @@ spec:
enum:
- 301
- 302
- - 303
- - 307
- - 308
type: integer
type: object
responseHeaderModifier:
@@ -13112,14 +12996,10 @@ spec:
pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
type: string
value:
- description: |-
- Value is the value of HTTP Header to be matched.
-
- Must consist of printable US-ASCII characters, optionally separated
- by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2
+ description: Value is the value of HTTP
+ Header to be matched.
maxLength: 4096
minLength: 1
- pattern: ^[!-~]+([\t ]?[!-~]+)*$
type: string
required:
- name
@@ -13191,14 +13071,10 @@ spec:
pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
type: string
value:
- description: |-
- Value is the value of HTTP Header to be matched.
-
- Must consist of printable US-ASCII characters, optionally separated
- by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2
+ description: Value is the value of HTTP
+ Header to be matched.
maxLength: 4096
minLength: 1
- pattern: ^[!-~]+([\t ]?[!-~]+)*$
type: string
required:
- name
@@ -14011,7 +13887,6 @@ spec:
If the list has entries, only those entries must be sent.
items:
type: string
- maxItems: 64
type: array
x-kubernetes-list-type: set
type: object
@@ -14050,7 +13925,6 @@ spec:
request must be set to the actual number of bytes forwarded.
items:
type: string
- maxItems: 64
type: array
x-kubernetes-list-type: set
allowedResponseHeaders:
@@ -14062,7 +13936,6 @@ spec:
except Authority or Host must be copied.
items:
type: string
- maxItems: 64
type: array
x-kubernetes-list-type: set
path:
@@ -14164,14 +14037,10 @@ spec:
pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
type: string
value:
- description: |-
- Value is the value of HTTP Header to be matched.
-
- Must consist of printable US-ASCII characters, optionally separated
- by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2
+ description: Value is the value of HTTP Header
+ to be matched.
maxLength: 4096
minLength: 1
- pattern: ^[!-~]+([\t ]?[!-~]+)*$
type: string
required:
- name
@@ -14242,14 +14111,10 @@ spec:
pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
type: string
value:
- description: |-
- Value is the value of HTTP Header to be matched.
-
- Must consist of printable US-ASCII characters, optionally separated
- by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2
+ description: Value is the value of HTTP Header
+ to be matched.
maxLength: 4096
minLength: 1
- pattern: ^[!-~]+([\t ]?[!-~]+)*$
type: string
required:
- name
@@ -14560,9 +14425,6 @@ spec:
enum:
- 301
- 302
- - 303
- - 307
- - 308
type: integer
type: object
responseHeaderModifier:
@@ -14609,14 +14471,10 @@ spec:
pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
type: string
value:
- description: |-
- Value is the value of HTTP Header to be matched.
-
- Must consist of printable US-ASCII characters, optionally separated
- by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2
+ description: Value is the value of HTTP Header
+ to be matched.
maxLength: 4096
minLength: 1
- pattern: ^[!-~]+([\t ]?[!-~]+)*$
type: string
required:
- name
@@ -14687,14 +14545,10 @@ spec:
pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
type: string
value:
- description: |-
- Value is the value of HTTP Header to be matched.
-
- Must consist of printable US-ASCII characters, optionally separated
- by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2
+ description: Value is the value of HTTP Header
+ to be matched.
maxLength: 4096
minLength: 1
- pattern: ^[!-~]+([\t ]?[!-~]+)*$
type: string
required:
- name
@@ -15028,14 +14882,10 @@ spec:
- RegularExpression
type: string
value:
- description: |-
- Value is the value of HTTP Header to be matched.
-
- Must consist of printable US-ASCII characters, optionally separated
- by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2
+ description: Value is the value of HTTP Header to
+ be matched.
maxLength: 4096
minLength: 1
- pattern: ^[!-~]+([\t ]?[!-~]+)*$
type: string
required:
- name
diff --git a/test/helm/gateway-crds-helm/gateway-api-standard-crds.out.yaml b/test/helm/gateway-crds-helm/gateway-api-standard-crds.out.yaml
index 094c73bb54..9e0a0aabeb 100644
--- a/test/helm/gateway-crds-helm/gateway-api-standard-crds.out.yaml
+++ b/test/helm/gateway-crds-helm/gateway-api-standard-crds.out.yaml
@@ -7074,9 +7074,6 @@ spec:
enum:
- 301
- 302
- - 303
- - 307
- - 308
type: integer
type: object
responseHeaderModifier:
@@ -8011,9 +8008,6 @@ spec:
enum:
- 301
- 302
- - 303
- - 307
- - 308
type: integer
type: object
responseHeaderModifier:
@@ -9889,9 +9883,6 @@ spec:
enum:
- 301
- 302
- - 303
- - 307
- - 308
type: integer
type: object
responseHeaderModifier:
@@ -10826,9 +10817,6 @@ spec:
enum:
- 301
- 302
- - 303
- - 307
- - 308
type: integer
type: object
responseHeaderModifier: