diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index 6edca5c9ddc..f1b71766bae 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -36,14 +36,14 @@ jobs: - uses: ./tools/github-actions/setup-deps - name: Initialize CodeQL - uses: github/codeql-action/init@0499de31b99561a6d14a36a5f662c2a54f91beee # v3.29.5 + uses: github/codeql-action/init@4e94bd11f71e507f7f87df81788dff88d1dacbfb # v3.29.5 with: languages: ${{ matrix.language }} - name: Autobuild - uses: github/codeql-action/autobuild@0499de31b99561a6d14a36a5f662c2a54f91beee # v3.29.5 + uses: github/codeql-action/autobuild@4e94bd11f71e507f7f87df81788dff88d1dacbfb # v3.29.5 - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@0499de31b99561a6d14a36a5f662c2a54f91beee # v3.29.5 + uses: github/codeql-action/analyze@4e94bd11f71e507f7f87df81788dff88d1dacbfb # v3.29.5 with: category: "/language:${{matrix.language}}" diff --git a/.github/workflows/license-scan.yml b/.github/workflows/license-scan.yml index b43ac588e4b..d0bf9498245 100644 --- a/.github/workflows/license-scan.yml +++ b/.github/workflows/license-scan.yml @@ -18,7 +18,7 @@ jobs: - name: Checkout code uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 - name: Run scanner - uses: google/osv-scanner-action/osv-scanner-action@9bb69575e74019c2ad085a1860787043adf47ccb # v2.2.4 + uses: google/osv-scanner-action/osv-scanner-action@e92b5d07338d4f0ba0981dffed17c48976ca4730 # v2.2.3 with: scan-args: |- # See allowed licenses at https://github.com/cncf/foundation/blob/main/policies-guidance/allowed-third-party-license-policy.md#approved-licenses-for-allowlist --licenses=Apache-2.0,0BSD,BSD-2-Clause,BSD-2-Clause-FreeBSD,BSD-3-Clause,MIT,MIT-0,ISC,OpenSSL,OpenSSL-standalone,PSF-2.0,Python-2.0,Python-2.0.1,PostgreSQL,SSLeay-standalone,UPL-1.0,X11,Zlib diff --git a/.github/workflows/osv-scanner.yml b/.github/workflows/osv-scanner.yml index db05aef0166..0c28e150935 100644 
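Review bot: The pins on `github/codeql-action/init`, `autobuild` and `analyze` move from commit `0499de31b99561a6d14a36a5f662c2a54f91beee` to `4e94bd11f71e507f7f87df81788dff88d1dacbfb`, yet the trailing comment still reads `# v3.29.5` on both sides, so at least one of the two labels does not describe its SHA. That comment is what a reviewer or an update bot reads to judge which release is pinned. Confirm which tag the new commit belongs to and correct the comment if it is not v3.29.5. The `upload-sarif` pin in the scorecard.yml hunk carries the same unchanged label.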
--- a/.github/workflows/osv-scanner.yml +++ b/.github/workflows/osv-scanner.yml @@ -19,7 +19,7 @@ permissions: jobs: scan-scheduled: if: ${{ github.event_name == 'push' || github.event_name == 'schedule' }} - uses: "google/osv-scanner-action/.github/workflows/osv-scanner-reusable.yml@9bb69575e74019c2ad085a1860787043adf47ccb" # v2.2.4 + uses: "google/osv-scanner-action/.github/workflows/osv-scanner-reusable.yml@e92b5d07338d4f0ba0981dffed17c48976ca4730" # v2.2.3 with: scan-args: |- --recursive @@ -32,7 +32,7 @@ jobs: scan-pr: if: ${{ github.event_name == 'pull_request' || github.event_name == 'merge_group' }} - uses: "google/osv-scanner-action/.github/workflows/osv-scanner-reusable-pr.yml@9bb69575e74019c2ad085a1860787043adf47ccb" # v2.2.4 + uses: "google/osv-scanner-action/.github/workflows/osv-scanner-reusable-pr.yml@e92b5d07338d4f0ba0981dffed17c48976ca4730" # v2.2.3 with: scan-args: |- --recursive diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml index edf878bcbd4..bc87e003b80 100644 --- a/.github/workflows/scorecard.yml +++ b/.github/workflows/scorecard.yml @@ -40,6 +40,6 @@ jobs: retention-days: 5 - name: "Upload to code-scanning" - uses: github/codeql-action/upload-sarif@0499de31b99561a6d14a36a5f662c2a54f91beee # v3.29.5 + uses: github/codeql-action/upload-sarif@4e94bd11f71e507f7f87df81788dff88d1dacbfb # v3.29.5 with: sarif_file: results.sarif diff --git a/.prettierignore b/.prettierignore new file mode 100644 index 00000000000..4b7f4ed6649 --- /dev/null +++ b/.prettierignore 
@@ -0,0 +1,31 @@ +# Ignore templated/generated or external directories for YAML formatting +charts/gateway-helm/ +charts/gateway-addons-helm/ +charts/gateway-crds-helm/ + +# Generated install bundle +bin/install.yaml + +# Helm test charts +test/helm/gateway-helm/ +test/helm/gateway-addons-helm/ +test/helm/gateway-crds-helm/ + +# Example chart +examples/extension-server/charts/extension-server + +# Third-party / editor dirs +site/node_modules/ +.vscode/ + +# exclude release-notes +release-notes/* + +# testdata directories +**/testdata/** + +# GitHub workflows +.github/workflows/* + +# tools/github-actions +tools/github-actions/** diff --git a/charts/gateway-crds-helm/templates/generated/gateway.envoyproxy.io_backendtrafficpolicies.yaml b/charts/gateway-crds-helm/templates/generated/gateway.envoyproxy.io_backendtrafficpolicies.yaml index be726b94603..180277e12ac 100644 --- a/charts/gateway-crds-helm/templates/generated/gateway.envoyproxy.io_backendtrafficpolicies.yaml +++ b/charts/gateway-crds-helm/templates/generated/gateway.envoyproxy.io_backendtrafficpolicies.yaml @@ -1544,12 +1544,12 @@ spec: description: |- Type decides the scope for the RateLimits. Valid RateLimitType values are "Global" or "Local". - - Deprecated: Use Global and/or Local fields directly instead. Both can be specified simultaneously for combined rate limiting. enum: - Global - Local type: string + required: + - type type: object requestBuffer: description: |- diff --git a/charts/gateway-crds-helm/templates/generated/gateway.envoyproxy.io_envoyproxies.yaml b/charts/gateway-crds-helm/templates/generated/gateway.envoyproxy.io_envoyproxies.yaml index c75d4d6f62a..40a504d7e16 100644 --- a/charts/gateway-crds-helm/templates/generated/gateway.envoyproxy.io_envoyproxies.yaml +++ b/charts/gateway-crds-helm/templates/generated/gateway.envoyproxy.io_envoyproxies.yaml 
@@ -292,8 +292,6 @@ spec: - envoy.filters.http.ext_authz - - envoy.filters.http.api_key_auth - - envoy.filters.http.basic_auth - envoy.filters.http.oauth2 @@ -302,8 +300,6 @@ spec: - envoy.filters.http.stateful_session - - envoy.filters.http.buffer - - envoy.filters.http.lua - envoy.filters.http.ext_proc @@ -316,16 +312,8 @@ spec: - envoy.filters.http.ratelimit - - envoy.filters.http.grpc_web - - - envoy.filters.http.grpc_stats - - envoy.filters.http.custom_response - - envoy.filters.http.credential_injector - - - envoy.filters.http.compressor - - envoy.filters.http.router Note: "envoy.filters.http.router" cannot be reordered, it's always the last filter in the chain. @@ -347,17 +335,13 @@ spec: - envoy.filters.http.oauth2 - envoy.filters.http.jwt_authn - envoy.filters.http.stateful_session - - envoy.filters.http.buffer - envoy.filters.http.lua - envoy.filters.http.ext_proc - envoy.filters.http.wasm - envoy.filters.http.rbac - envoy.filters.http.local_ratelimit - envoy.filters.http.ratelimit - - envoy.filters.http.grpc_web - - envoy.filters.http.grpc_stats - envoy.filters.http.custom_response - - envoy.filters.http.credential_injector - envoy.filters.http.compressor type: string before: @@ -374,17 +358,13 @@ spec: - envoy.filters.http.oauth2 - envoy.filters.http.jwt_authn - envoy.filters.http.stateful_session - - envoy.filters.http.buffer - envoy.filters.http.lua - envoy.filters.http.ext_proc - envoy.filters.http.wasm - envoy.filters.http.rbac - envoy.filters.http.local_ratelimit - envoy.filters.http.ratelimit - - envoy.filters.http.grpc_web - - envoy.filters.http.grpc_stats - envoy.filters.http.custom_response - - envoy.filters.http.credential_injector - envoy.filters.http.compressor type: string name: 
@@ -399,17 +379,13 @@ spec: - envoy.filters.http.oauth2 - envoy.filters.http.jwt_authn - envoy.filters.http.stateful_session - - envoy.filters.http.buffer - envoy.filters.http.lua - envoy.filters.http.ext_proc - envoy.filters.http.wasm - envoy.filters.http.rbac - envoy.filters.http.local_ratelimit - envoy.filters.http.ratelimit - - envoy.filters.http.grpc_web - - envoy.filters.http.grpc_stats - envoy.filters.http.custom_response - - envoy.filters.http.credential_injector - envoy.filters.http.compressor type: string required: diff --git a/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_backendtrafficpolicies.yaml b/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_backendtrafficpolicies.yaml index f0fa3b569ce..42308f8f34d 100644 --- a/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_backendtrafficpolicies.yaml +++ b/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_backendtrafficpolicies.yaml @@ -1543,12 +1543,12 @@ spec: description: |- Type decides the scope for the RateLimits. Valid RateLimitType values are "Global" or "Local". - - Deprecated: Use Global and/or Local fields directly instead. Both can be specified simultaneously for combined rate limiting. enum: - Global - Local type: string + required: + - type type: object requestBuffer: description: |- diff --git a/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_envoyproxies.yaml b/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_envoyproxies.yaml index 2d329615a20..02f18ac84bc 100644 --- a/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_envoyproxies.yaml +++ b/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_envoyproxies.yaml @@ -291,8 +291,6 @@ spec: - envoy.filters.http.ext_authz - - envoy.filters.http.api_key_auth - - envoy.filters.http.basic_auth - envoy.filters.http.oauth2 @@ -301,8 +299,6 @@ spec: - envoy.filters.http.stateful_session - - envoy.filters.http.buffer - - envoy.filters.http.lua - envoy.filters.http.ext_proc 
@@ -315,16 +311,8 @@ spec: - envoy.filters.http.ratelimit - - envoy.filters.http.grpc_web - - - envoy.filters.http.grpc_stats - - envoy.filters.http.custom_response - - envoy.filters.http.credential_injector - - - envoy.filters.http.compressor - - envoy.filters.http.router Note: "envoy.filters.http.router" cannot be reordered, it's always the last filter in the chain. @@ -346,17 +334,13 @@ spec: - envoy.filters.http.oauth2 - envoy.filters.http.jwt_authn - envoy.filters.http.stateful_session - - envoy.filters.http.buffer - envoy.filters.http.lua - envoy.filters.http.ext_proc - envoy.filters.http.wasm - envoy.filters.http.rbac - envoy.filters.http.local_ratelimit - envoy.filters.http.ratelimit - - envoy.filters.http.grpc_web - - envoy.filters.http.grpc_stats - envoy.filters.http.custom_response - - envoy.filters.http.credential_injector - envoy.filters.http.compressor type: string before: @@ -373,17 +357,13 @@ spec: - envoy.filters.http.oauth2 - envoy.filters.http.jwt_authn - envoy.filters.http.stateful_session - - envoy.filters.http.buffer - envoy.filters.http.lua - envoy.filters.http.ext_proc - envoy.filters.http.wasm - envoy.filters.http.rbac - envoy.filters.http.local_ratelimit - envoy.filters.http.ratelimit - - envoy.filters.http.grpc_web - - envoy.filters.http.grpc_stats - envoy.filters.http.custom_response - - envoy.filters.http.credential_injector - envoy.filters.http.compressor type: string name: @@ -398,17 +378,13 @@ spec: - envoy.filters.http.oauth2 - envoy.filters.http.jwt_authn - envoy.filters.http.stateful_session - - envoy.filters.http.buffer - envoy.filters.http.lua - envoy.filters.http.ext_proc - envoy.filters.http.wasm - envoy.filters.http.rbac - envoy.filters.http.local_ratelimit - envoy.filters.http.ratelimit - - envoy.filters.http.grpc_web - - envoy.filters.http.grpc_stats - envoy.filters.http.custom_response - - envoy.filters.http.credential_injector - envoy.filters.http.compressor type: string required: 
diff --git a/internal/gatewayapi/testdata/backendtrafficpolicy-with-ratelimit-both-type.in.yaml b/internal/gatewayapi/testdata/backendtrafficpolicy-with-ratelimit-both-type.in.yaml deleted file mode 100644 index b7f7255b875..00000000000 --- a/internal/gatewayapi/testdata/backendtrafficpolicy-with-ratelimit-both-type.in.yaml +++ /dev/null @@ -1,62 +0,0 @@ -gateways: -- apiVersion: gateway.networking.k8s.io/v1 - kind: Gateway - metadata: - namespace: envoy-gateway - name: gateway-1 - spec: - gatewayClassName: envoy-gateway-class - listeners: - - name: http - protocol: HTTP - port: 80 - allowedRoutes: - namespaces: - from: All -grpcRoutes: -- apiVersion: gateway.networking.k8s.io/v1alpha2 - kind: GRPCRoute - metadata: - namespace: default - name: grpcroute-1 - spec: - parentRefs: - - namespace: envoy-gateway - name: gateway-1 - sectionName: http - rules: - - backendRefs: - - name: service-1 - port: 8080 -backendTrafficPolicies: -- apiVersion: gateway.envoyproxy.io/v1alpha1 - kind: BackendTrafficPolicy - metadata: - namespace: default - name: policy-for-grcp-route - spec: - targetRef: - group: gateway.networking.k8s.io - kind: GRPCRoute - name: grpcroute-1 - rateLimit: - global: - rules: - - clientSelectors: - - sourceCIDR: - type: "Distinct" - value: 192.168.0.0/16 - limit: - requests: 20 - unit: Hour - local: - rules: - - clientSelectors: - - headers: - - name: x-user-id - value: one - - name: x-org-id - value: foo - limit: - requests: 10 - unit: Hour diff --git a/internal/gatewayapi/testdata/backendtrafficpolicy-with-ratelimit-both-type.out.yaml b/internal/gatewayapi/testdata/backendtrafficpolicy-with-ratelimit-both-type.out.yaml deleted file mode 100644 index 27d7f6f7cd9..00000000000 --- a/internal/gatewayapi/testdata/backendtrafficpolicy-with-ratelimit-both-type.out.yaml +++ /dev/null 
@@ -1,246 +0,0 @@ -backendTrafficPolicies: -- apiVersion: gateway.envoyproxy.io/v1alpha1 - kind: BackendTrafficPolicy - metadata: - name: policy-for-grcp-route - namespace: default - spec: - rateLimit: - global: - rules: - - clientSelectors: - - sourceCIDR: - type: Distinct - value: 192.168.0.0/16 - limit: - requests: 20 - unit: Hour - local: - rules: - - clientSelectors: - - headers: - - name: x-user-id - value: one - - name: x-org-id - value: foo - limit: - requests: 10 - unit: Hour - targetRef: - group: gateway.networking.k8s.io - kind: GRPCRoute - name: grpcroute-1 - status: - ancestors: - - ancestorRef: - group: gateway.networking.k8s.io - kind: Gateway - name: gateway-1 - namespace: envoy-gateway - sectionName: http - conditions: - - lastTransitionTime: null - message: Policy has been accepted. - reason: Accepted - status: "True" - type: Accepted - controllerName: gateway.envoyproxy.io/gatewayclass-controller -gateways: -- apiVersion: gateway.networking.k8s.io/v1 - kind: Gateway - metadata: - name: gateway-1 - namespace: envoy-gateway - spec: - gatewayClassName: envoy-gateway-class - listeners: - - allowedRoutes: - namespaces: - from: All - name: http - port: 80 - protocol: HTTP - status: - listeners: - - attachedRoutes: 1 - conditions: - - lastTransitionTime: null - message: Sending translated listener configuration to the data plane - reason: Programmed - status: "True" - type: Programmed - - lastTransitionTime: null - message: Listener has been successfully translated - reason: Accepted - status: "True" - type: Accepted - - lastTransitionTime: null - message: Listener references have been resolved - reason: ResolvedRefs - status: "True" - type: ResolvedRefs - name: http - supportedKinds: - - group: gateway.networking.k8s.io - kind: HTTPRoute - - group: gateway.networking.k8s.io - kind: GRPCRoute -grpcRoutes: -- apiVersion: gateway.networking.k8s.io/v1alpha2 - kind: GRPCRoute - metadata: - name: grpcroute-1 - namespace: default - spec: - parentRefs: - - 
name: gateway-1 - namespace: envoy-gateway - sectionName: http - rules: - - backendRefs: - - name: service-1 - port: 8080 - status: - parents: - - conditions: - - lastTransitionTime: null - message: Route is accepted - reason: Accepted - status: "True" - type: Accepted - - lastTransitionTime: null - message: Resolved all the Object references for the Route - reason: ResolvedRefs - status: "True" - type: ResolvedRefs - controllerName: gateway.envoyproxy.io/gatewayclass-controller - parentRef: - name: gateway-1 - namespace: envoy-gateway - sectionName: http -infraIR: - envoy-gateway/gateway-1: - proxy: - listeners: - - address: null - name: envoy-gateway/gateway-1/http - ports: - - containerPort: 10080 - name: http-80 - protocol: HTTP - servicePort: 80 - metadata: - labels: - gateway.envoyproxy.io/owning-gateway-name: gateway-1 - gateway.envoyproxy.io/owning-gateway-namespace: envoy-gateway - ownerReference: - kind: GatewayClass - name: envoy-gateway-class - name: envoy-gateway/gateway-1 - namespace: envoy-gateway-system -xdsIR: - envoy-gateway/gateway-1: - accessLog: - json: - - path: /dev/stdout - globalResources: - envoyClientCertificate: - certificate: 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 - name: envoy-gateway-system/envoy - privateKey: '[redacted]' - proxyServiceCluster: - metadata: - name: envoy-envoy-gateway-gateway-1-196ae069 - namespace: envoy-gateway-system - sectionName: "8080" - name: envoy-gateway/gateway-1 - settings: - - addressType: IP - endpoints: - - host: 7.6.5.4 - port: 8080 - zone: zone1 - metadata: - name: envoy-envoy-gateway-gateway-1-196ae069 - namespace: envoy-gateway-system - sectionName: "8080" - name: envoy-gateway/gateway-1 - protocol: TCP - http: - - address: 0.0.0.0 - externalPort: 80 - hostnames: - - '*' - isHTTP2: true - metadata: - kind: Gateway - name: gateway-1 - namespace: envoy-gateway - sectionName: http - name: envoy-gateway/gateway-1/http - path: - escapedSlashesAction: UnescapeAndRedirect - mergeSlashes: true 
- port: 10080 - routes: - - destination: - metadata: - kind: GRPCRoute - name: grpcroute-1 - namespace: default - name: grpcroute/default/grpcroute-1/rule/0 - settings: - - addressType: IP - endpoints: - - host: 7.7.7.7 - port: 8080 - metadata: - name: service-1 - namespace: default - sectionName: "8080" - name: grpcroute/default/grpcroute-1/rule/0/backend/0 - protocol: GRPC - weight: 1 - hostname: '*' - isHTTP2: true - metadata: - kind: GRPCRoute - name: grpcroute-1 - namespace: default - name: grpcroute/default/grpcroute-1/rule/0/match/-1/* - traffic: - rateLimit: - global: - rules: - - cidrMatch: - cidr: 192.168.0.0/16 - distinct: true - ip: 192.168.0.0 - isIPv6: false - maskLen: 16 - headerMatches: [] - limit: - requests: 20 - unit: Hour - name: default/policy-for-grcp-route/rule/0 - local: - default: - requests: 4294967295 - unit: Second - rules: - - headerMatches: - - distinct: false - exact: one - name: x-user-id - - distinct: false - exact: foo - name: x-org-id - limit: - requests: 10 - unit: Hour - name: default/policy-for-grcp-route/rule/0 - readyListener: - address: 0.0.0.0 - ipFamily: IPv4 - path: /ready - port: 19003 diff --git a/internal/gatewayapi/testdata/backendtrafficpolicy-with-ratelimit.in.yaml b/internal/gatewayapi/testdata/backendtrafficpolicy-with-ratelimit.in.yaml index ca70dbd1179..74cae0fc653 100644 --- a/internal/gatewayapi/testdata/backendtrafficpolicy-with-ratelimit.in.yaml +++ b/internal/gatewayapi/testdata/backendtrafficpolicy-with-ratelimit.in.yaml @@ -114,9 +114,6 @@ backendTrafficPolicies: - name: x-org-id value: admin invert: true - path: - type: PathPrefix - value: "/user" limit: requests: 10 unit: Hour @@ -138,9 +135,6 @@ backendTrafficPolicies: - sourceCIDR: type: "Distinct" value: 192.168.0.0/16 - path: - type: PathPrefix - value: "/" limit: requests: 20 unit: Hour 
diff --git a/internal/gatewayapi/testdata/backendtrafficpolicy-with-ratelimit.out.yaml b/internal/gatewayapi/testdata/backendtrafficpolicy-with-ratelimit.out.yaml index b261a0dfd95..ca29c7923e2 100644 --- a/internal/gatewayapi/testdata/backendtrafficpolicy-with-ratelimit.out.yaml +++ b/internal/gatewayapi/testdata/backendtrafficpolicy-with-ratelimit.out.yaml @@ -9,10 +9,7 @@ backendTrafficPolicies: global: rules: - clientSelectors: - - path: - type: PathPrefix - value: / - sourceCIDR: + - sourceCIDR: type: Distinct value: 192.168.0.0/16 cost: @@ -104,9 +101,6 @@ backendTrafficPolicies: - invert: true name: x-org-id value: admin - path: - type: PathPrefix - value: /user limit: requests: 10 unit: Hour @@ -496,10 +490,6 @@ xdsIR: requests: 10 unit: Hour name: envoy-gateway/policy-for-gateway/rule/0 - pathMatch: - distinct: false - name: "" - safeRegex: ^/user(/.*|\?.*|#.*|;.*|$) readyListener: address: 0.0.0.0 ipFamily: IPv4 @@ -593,10 +583,6 @@ xdsIR: requests: 20 unit: Hour name: default/policy-for-route/rule/0 - pathMatch: - distinct: false - name: "" - prefix: / requestCost: number: 1 responseCost: diff --git a/internal/gatewayapi/testdata/clienttrafficpolicy-http2.in.yaml b/internal/gatewayapi/testdata/clienttrafficpolicy-http2.in.yaml index bbb3eb9e5a7..fd435bbb51e 100644 --- a/internal/gatewayapi/testdata/clienttrafficpolicy-http2.in.yaml +++ b/internal/gatewayapi/testdata/clienttrafficpolicy-http2.in.yaml @@ -9,7 +9,6 @@ clientTrafficPolicies: initialStreamWindowSize: 64Ki initialConnectionWindowSize: 32Mi maxConcurrentStreams: 200 - onInvalidMessage: TerminateConnection targetRef: group: gateway.networking.k8s.io kind: Gateway diff --git a/internal/gatewayapi/testdata/clienttrafficpolicy-http2.out.yaml b/internal/gatewayapi/testdata/clienttrafficpolicy-http2.out.yaml index c89f9102c0c..8ee7f581708 100644 --- a/internal/gatewayapi/testdata/clienttrafficpolicy-http2.out.yaml +++ b/internal/gatewayapi/testdata/clienttrafficpolicy-http2.out.yaml 
@@ -9,7 +9,6 @@ clientTrafficPolicies: initialConnectionWindowSize: 32Mi initialStreamWindowSize: 64Ki maxConcurrentStreams: 200 - onInvalidMessage: TerminateConnection targetRef: group: gateway.networking.k8s.io kind: Gateway @@ -192,7 +191,6 @@ xdsIR: initialConnectionWindowSize: 65536 initialStreamWindowSize: 33554432 maxConcurrentStreams: 200 - resetStreamOnError: false isHTTP2: false metadata: kind: Gateway @@ -208,6 +206,8 @@ xdsIR: externalPort: 8080 hostnames: - www.example.com + http2: + maxConcurrentStreams: 200 isHTTP2: false metadata: kind: Gateway diff --git a/internal/gatewayapi/testdata/custom-filter-order.in.yaml b/internal/gatewayapi/testdata/custom-filter-order.in.yaml index 11243797c3b..59c44d469a3 100644 --- a/internal/gatewayapi/testdata/custom-filter-order.in.yaml +++ b/internal/gatewayapi/testdata/custom-filter-order.in.yaml @@ -17,7 +17,7 @@ envoyProxyForGatewayClass: - name: envoy.filters.http.wasm before: envoy.filters.http.jwt_authn - name: envoy.filters.http.cors - after: envoy.filters.http.basic_auth + after: envoy.filters.http.basic_authn gateways: - apiVersion: gateway.networking.k8s.io/v1 kind: Gateway diff --git a/internal/gatewayapi/testdata/custom-filter-order.out.yaml b/internal/gatewayapi/testdata/custom-filter-order.out.yaml index 7c3df25abbe..f05f383f70e 100644 --- a/internal/gatewayapi/testdata/custom-filter-order.out.yaml +++ b/internal/gatewayapi/testdata/custom-filter-order.out.yaml @@ -135,7 +135,7 @@ infraIR: filterOrder: - before: envoy.filters.http.jwt_authn name: envoy.filters.http.wasm - - after: envoy.filters.http.basic_auth + - after: envoy.filters.http.basic_authn name: envoy.filters.http.cors logging: {} status: {} @@ -221,7 +221,7 @@ xdsIR: filterOrder: - before: envoy.filters.http.jwt_authn name: envoy.filters.http.wasm - - after: envoy.filters.http.basic_auth + - after: envoy.filters.http.basic_authn name: envoy.filters.http.cors globalResources: envoyClientCertificate: 
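Review bot: In the xdsIR context of the `@@ -192,7 +191,6 @@` hunk of clienttrafficpolicy-http2.out.yaml, the golden output keeps `initialConnectionWindowSize: 65536` and `initialStreamWindowSize: 33554432`. That looks swapped against the input fixture's `initialStreamWindowSize: 64Ki` and `initialConnectionWindowSize: 32Mi`. If the IR fields carry the same meaning as the policy fields, the fixture pins a translation mix-up instead of catching it, and the HTTP/2 flow-control limits applied on the listener would differ from what the operator configured. The listener block starts and ends outside the hunk, so this is inferred from the visible lines only; worth checking the translator before regenerating this file.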
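Review bot: The `after:` reference in custom-filter-order.in.yaml becomes `envoy.filters.http.basic_authn`, which matches neither the filter the listeners fixture emits (`envoy.filters.http.basic_auth/securitypolicy/...`) nor the `envoy.filters.http.basic_auth` entry in the CRD description. With the unmatched name, the regenerated custom-filter-order.listeners.yaml places `envoy.filters.http.cors` ahead of the basic-auth filter, so the test no longer exercises an `after` constraint against an auth filter, and the value would presumably be rejected by the CRD enum on a real cluster. If the intent is to cover an unknown filter name, say so in a comment in the fixture; otherwise keep `after: envoy.filters.http.basic_auth`. The same value appears in the custom-filter-order.out.yaml hunks and in testdata/in/xds-ir/custom-filter-order.yaml.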
diff --git a/internal/gatewayapi/testdata/envoyproxy-gateway-accesslog-with-bad-sinks.out.yaml b/internal/gatewayapi/testdata/envoyproxy-gateway-accesslog-with-bad-sinks.out.yaml index 5da07c49ab5..a6bb55e49a8 100644 --- a/internal/gatewayapi/testdata/envoyproxy-gateway-accesslog-with-bad-sinks.out.yaml +++ b/internal/gatewayapi/testdata/envoyproxy-gateway-accesslog-with-bad-sinks.out.yaml @@ -27,5 +27,10 @@ gateways: reason: InvalidParameters status: "False" type: Accepted + listeners: + - attachedRoutes: 0 + conditions: null + name: http + supportedKinds: null infraIR: {} xdsIR: {} diff --git a/internal/xds/translator/testdata/in/xds-ir/custom-filter-order.yaml b/internal/xds/translator/testdata/in/xds-ir/custom-filter-order.yaml index 053feeaf301..7f224f4f1b9 100644 --- a/internal/xds/translator/testdata/in/xds-ir/custom-filter-order.yaml +++ b/internal/xds/translator/testdata/in/xds-ir/custom-filter-order.yaml @@ -1,7 +1,7 @@ filterOrder: - before: envoy.filters.http.jwt_authn name: envoy.filters.http.wasm -- after: envoy.filters.http.basic_auth +- after: envoy.filters.http.basic_authn name: envoy.filters.http.cors http: - address: 0.0.0.0 diff --git a/internal/xds/translator/testdata/in/xds-ir/jwt-from-multiple-listeners.yaml b/internal/xds/translator/testdata/in/xds-ir/jwt-from-multiple-listeners.yaml deleted file mode 100644 index 2edc562af00..00000000000 --- a/internal/xds/translator/testdata/in/xds-ir/jwt-from-multiple-listeners.yaml +++ /dev/null 
@@ -1,121 +0,0 @@ -# This file tests JWT configuration from multiple HTTP listeners sharing the same port won't overlap. -http: - - address: 0.0.0.0 - externalPort: 80 - hostnames: - - domain1.example.com - isHTTP2: false - metadata: - kind: Gateway - name: external-gateway - namespace: envoy-gateway-system - sectionName: domain1-example-com-http - name: envoy-gateway-system/external-gateway/domain1-example-com-http - path: - escapedSlashesAction: UnescapeAndRedirect - mergeSlashes: true - port: 10080 - routes: - - destination: - metadata: - kind: HTTPRoute - name: domain1 - namespace: ns1 - name: httproute/ns1/domain1/rule/0 - settings: - - addressType: IP - endpoints: - - host: 7.7.7.7 - port: 80 - metadata: - kind: Service - name: app1 - namespace: ns1 - sectionName: "80" - name: httproute/ns1/domain1/rule/0/backend/0 - protocol: HTTP - weight: 1 - hostname: domain1.example.com - isHTTP2: false - metadata: - kind: HTTPRoute - name: domain1 - namespace: ns1 - name: httproute/ns1/domain1/rule/0/match/0/domain1_example_com - pathMatch: - distinct: false - name: "" - prefix: / - security: - jwt: - allowMissing: true - providers: - - extractFrom: - cookies: - - AccessTokenDomain1 - issuer: https://accounts.google.com - name: jwt1 - remoteJWKS: - uri: https://www.googleapis.com/oauth2/v3/certs - - address: 0.0.0.0 - externalPort: 80 - hostnames: - - domain2.example.com - isHTTP2: false - metadata: - kind: Gateway - name: external-gateway - namespace: envoy-gateway-system - sectionName: domain2-example-com-http - name: envoy-gateway-system/external-gateway/domain2-example-com-http - path: - escapedSlashesAction: UnescapeAndRedirect - mergeSlashes: true - port: 10080 - routes: - - destination: - metadata: - kind: HTTPRoute - name: domain2 - namespace: ns2 - name: httproute/ns2/domain2/rule/0 - settings: - - addressType: IP - endpoints: - - host: 9.9.9.9 - port: 80 - metadata: - kind: Service - name: app2 - namespace: ns2 - sectionName: "80" - name: 
httproute/ns2/domain2/rule/0/backend/0 - protocol: HTTP - weight: 1 - hostname: domain2.example.com - isHTTP2: false - metadata: - kind: HTTPRoute - name: domain2 - namespace: ns2 - name: httproute/ns2/domain2/rule/0/match/0/domain2_example_com - pathMatch: - distinct: false - name: "" - prefix: / - security: - jwt: - allowMissing: true - providers: - - extractFrom: - cookies: - - AccessTokenDomain2 - issuer: https://accounts.google.com - name: jwt2 - remoteJWKS: - uri: https://www.googleapis.com/oauth2/v3/certs -readyListener: - address: 0.0.0.0 - ipFamily: IPv4 - path: /ready - port: 19003 diff --git a/internal/xds/translator/testdata/in/xds-ir/ratelimit-both-type.yaml b/internal/xds/translator/testdata/in/xds-ir/ratelimit-both-type.yaml deleted file mode 100644 index 47c75eaaeaf..00000000000 --- a/internal/xds/translator/testdata/in/xds-ir/ratelimit-both-type.yaml +++ /dev/null 
@@ -1,68 +0,0 @@ -globalResources: - envoyClientCertificate: - name: envoy-gateway-system/envoy - privateKey: [107, 101, 121, 45, 100, 97, 116, 97] - certificate: [99, 101, 114, 116, 45, 100, 97, 116, 97] -http: -- name: "first-listener" - address: "::" - port: 10080 - hostnames: - - "*" - path: - mergeSlashes: true - escapedSlashesAction: UnescapeAndRedirect - routes: - - name: "first-route" - hostname: "*" - traffic: - rateLimit: - global: - rules: - - headerMatches: - - name: "x-user-id" - exact: "one" - limit: - requests: 5 - unit: second - pathMatch: - exact: "foo/bar" - destination: - name: "first-route-dest" - settings: - - endpoints: - - host: "1.2.3.4" - port: 50000 - name: "first-route-dest/backend/0" - - name: "second-route" - hostname: "*" - traffic: - rateLimit: - global: - rules: - - headerMatches: - - name: "x-user-id" - distinct: true - limit: - requests: 5 - unit: second - local: - default: - requests: 10 - unit: Minute - rules: - - headerMatches: - - name: x-user-id - exact: one - limit: - requests: 10 - unit: Hour - pathMatch: - exact: "example" - destination: - name: "second-route-dest" - settings: - - endpoints: - - host: "1.2.3.4" - port: 50000 - name: "second-route-dest/backend/0" diff --git a/internal/xds/translator/testdata/out/xds-ir/custom-filter-order.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/custom-filter-order.listeners.yaml index 9d4df0182e1..14804eca768 100644 --- a/internal/xds/translator/testdata/out/xds-ir/custom-filter-order.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/custom-filter-order.listeners.yaml 
@@ -14,15 +14,15 @@ initialStreamWindowSize: 65536 maxConcurrentStreams: 100 httpFilters: + - name: envoy.filters.http.cors + typedConfig: + '@type': type.googleapis.com/envoy.extensions.filters.http.cors.v3.Cors - disabled: true name: envoy.filters.http.basic_auth/securitypolicy/envoy-gateway/policy-for-gateway typedConfig: '@type': type.googleapis.com/envoy.extensions.filters.http.basic_auth.v3.BasicAuth users: inlineBytes: dXNlcjE6e1NIQX10RVNzQm1FL3lOWTNsYjZhMEw2dlZRRVpOcXc9CnVzZXIyOntTSEF9RUo5TFBGRFhzTjl5blNtYnh2anA3NUJtbHg4PQo= - - name: envoy.filters.http.cors - typedConfig: - '@type': type.googleapis.com/envoy.extensions.filters.http.cors.v3.Cors - disabled: true name: envoy.filters.http.wasm/envoyextensionpolicy/envoy-gateway/policy-for-gateway/0 typedConfig: diff --git a/internal/xds/translator/testdata/out/xds-ir/jwt-from-multiple-listeners.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/jwt-from-multiple-listeners.clusters.yaml deleted file mode 100644 index 578e27762db..00000000000 --- a/internal/xds/translator/testdata/out/xds-ir/jwt-from-multiple-listeners.clusters.yaml +++ /dev/null 
@@ -1,105 +0,0 @@ -- circuitBreakers: - thresholds: - - maxRetries: 1024 - commonLbConfig: {} - connectTimeout: 10s - dnsLookupFamily: V4_PREFERRED - edsClusterConfig: - edsConfig: - ads: {} - resourceApiVersion: V3 - serviceName: httproute/ns1/domain1/rule/0 - ignoreHealthOnHostRemoval: true - lbPolicy: LEAST_REQUEST - loadBalancingPolicy: - policies: - - typedExtensionConfig: - name: envoy.load_balancing_policies.least_request - typedConfig: - '@type': type.googleapis.com/envoy.extensions.load_balancing_policies.least_request.v3.LeastRequest - localityLbConfig: - localityWeightedLbConfig: {} - metadata: - filterMetadata: - envoy-gateway: - resources: - - kind: HTTPRoute - name: domain1 - namespace: ns1 - name: httproute/ns1/domain1/rule/0 - perConnectionBufferLimitBytes: 32768 - type: EDS -- circuitBreakers: - thresholds: - - maxRetries: 1024 - commonLbConfig: {} - connectTimeout: 10s - dnsLookupFamily: V4_PREFERRED - dnsRefreshRate: 30s - ignoreHealthOnHostRemoval: true - lbPolicy: LEAST_REQUEST - loadAssignment: - clusterName: www_googleapis_com_443 - endpoints: - - lbEndpoints: - - endpoint: - address: - socketAddress: - address: www.googleapis.com - portValue: 443 - loadBalancingWeight: 1 - loadBalancingWeight: 1 - locality: - region: www_googleapis_com_443/backend/-1 - loadBalancingPolicy: - policies: - - typedExtensionConfig: - name: envoy.load_balancing_policies.least_request - typedConfig: - '@type': type.googleapis.com/envoy.extensions.load_balancing_policies.least_request.v3.LeastRequest - localityLbConfig: - localityWeightedLbConfig: {} - name: www_googleapis_com_443 - perConnectionBufferLimitBytes: 32768 - respectDnsTtl: true - transportSocket: - name: envoy.transport_sockets.tls - typedConfig: - '@type': type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext - commonTlsContext: - validationContext: - trustedCa: - filename: /etc/ssl/certs/ca-certificates.crt - sni: www.googleapis.com - type: STRICT_DNS -- circuitBreakers: - 
thresholds: - - maxRetries: 1024 - commonLbConfig: {} - connectTimeout: 10s - dnsLookupFamily: V4_PREFERRED - edsClusterConfig: - edsConfig: - ads: {} - resourceApiVersion: V3 - serviceName: httproute/ns2/domain2/rule/0 - ignoreHealthOnHostRemoval: true - lbPolicy: LEAST_REQUEST - loadBalancingPolicy: - policies: - - typedExtensionConfig: - name: envoy.load_balancing_policies.least_request - typedConfig: - '@type': type.googleapis.com/envoy.extensions.load_balancing_policies.least_request.v3.LeastRequest - localityLbConfig: - localityWeightedLbConfig: {} - metadata: - filterMetadata: - envoy-gateway: - resources: - - kind: HTTPRoute - name: domain2 - namespace: ns2 - name: httproute/ns2/domain2/rule/0 - perConnectionBufferLimitBytes: 32768 - type: EDS diff --git a/internal/xds/translator/testdata/out/xds-ir/jwt-from-multiple-listeners.endpoints.yaml b/internal/xds/translator/testdata/out/xds-ir/jwt-from-multiple-listeners.endpoints.yaml deleted file mode 100644 index e3eba986364..00000000000 --- a/internal/xds/translator/testdata/out/xds-ir/jwt-from-multiple-listeners.endpoints.yaml +++ /dev/null @@ -1,40 +0,0 @@ -- clusterName: httproute/ns1/domain1/rule/0 - endpoints: - - lbEndpoints: - - endpoint: - address: - socketAddress: - address: 7.7.7.7 - portValue: 80 - loadBalancingWeight: 1 - loadBalancingWeight: 1 - locality: - region: httproute/ns1/domain1/rule/0/backend/0 - metadata: - filterMetadata: - envoy-gateway: - resources: - - kind: Service - name: app1 - namespace: ns1 - sectionName: "80" -- clusterName: httproute/ns2/domain2/rule/0 - endpoints: - - lbEndpoints: - - endpoint: - address: - socketAddress: - address: 9.9.9.9 - portValue: 80 - loadBalancingWeight: 1 - loadBalancingWeight: 1 - locality: - region: httproute/ns2/domain2/rule/0/backend/0 - metadata: - filterMetadata: - envoy-gateway: - resources: - - kind: Service - name: app2 - namespace: ns2 - sectionName: "80" 
diff --git a/internal/xds/translator/testdata/out/xds-ir/jwt-from-multiple-listeners.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/jwt-from-multiple-listeners.listeners.yaml
deleted file mode 100644
index 7cf5e6201d5..00000000000
--- a/internal/xds/translator/testdata/out/xds-ir/jwt-from-multiple-listeners.listeners.yaml
+++ /dev/null
@@ -1,116 +0,0 @@ -- address: - socketAddress: - address: 0.0.0.0 - portValue: 19003 - bypassOverloadManager: true - filterChains: - - filters: - - name: envoy.filters.network.http_connection_manager - typedConfig: - '@type': type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager - httpFilters: - - name: envoy.filters.http.health_check - typedConfig: - '@type': type.googleapis.com/envoy.extensions.filters.http.health_check.v3.HealthCheck - headers: - - name: :path - stringMatch: - exact: /ready - passThroughMode: false - - name: envoy.filters.http.router - typedConfig: - '@type': type.googleapis.com/envoy.extensions.filters.http.router.v3.Router - suppressEnvoyHeaders: true - routeConfig: - name: ready_route - virtualHosts: - - domains: - - '*' - name: ready_route - routes: - - directResponse: - status: 500 - match: - prefix: / - statPrefix: eg-ready-http - name: envoy-gateway-proxy-ready-0.0.0.0-19003 -- address: - socketAddress: - address: 0.0.0.0 - portValue: 10080 - defaultFilterChain: - filters: - - name: envoy.filters.network.http_connection_manager - typedConfig: - '@type': type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager - commonHttpProtocolOptions: - headersWithUnderscoresAction: REJECT_REQUEST - http2ProtocolOptions: - initialConnectionWindowSize: 1048576 - initialStreamWindowSize: 65536 - maxConcurrentStreams: 100 - httpFilters: - - name: envoy.filters.http.jwt_authn - typedConfig: - '@type': type.googleapis.com/envoy.extensions.filters.http.jwt_authn.v3.JwtAuthentication - providers: - httproute/ns1/domain1/rule/0/match/0/domain1_example_com/jwt1: - forward: true - fromCookies: - - AccessTokenDomain1 - issuer: https://accounts.google.com - normalizePayloadInMetadata: - spaceDelimitedClaims: - - scope - payloadInMetadata: jwt1 - remoteJwks: - asyncFetch: {} - httpUri: - cluster: www_googleapis_com_443 - timeout: 10s - uri: 
https://www.googleapis.com/oauth2/v3/certs - httproute/ns2/domain2/rule/0/match/0/domain2_example_com/jwt2: - forward: true - fromCookies: - - AccessTokenDomain2 - issuer: https://accounts.google.com - normalizePayloadInMetadata: - spaceDelimitedClaims: - - scope - payloadInMetadata: jwt2 - remoteJwks: - asyncFetch: {} - httpUri: - cluster: www_googleapis_com_443 - timeout: 10s - uri: https://www.googleapis.com/oauth2/v3/certs - requirementMap: - httproute/ns1/domain1/rule/0/match/0/domain1_example_com: - requiresAny: - requirements: - - providerName: httproute/ns1/domain1/rule/0/match/0/domain1_example_com/jwt1 - - allowMissing: {} - httproute/ns2/domain2/rule/0/match/0/domain2_example_com: - requiresAny: - requirements: - - providerName: httproute/ns2/domain2/rule/0/match/0/domain2_example_com/jwt2 - - allowMissing: {} - - name: envoy.filters.http.router - typedConfig: - '@type': type.googleapis.com/envoy.extensions.filters.http.router.v3.Router - suppressEnvoyHeaders: true - mergeSlashes: true - normalizePath: true - pathWithEscapedSlashesAction: UNESCAPE_AND_REDIRECT - rds: - configSource: - ads: {} - resourceApiVersion: V3 - routeConfigName: envoy-gateway-system/external-gateway/domain1-example-com-http - serverHeaderTransformation: PASS_THROUGH - statPrefix: http-10080 - useRemoteAddress: true - name: envoy-gateway-system/external-gateway/domain1-example-com-http - maxConnectionsToAcceptPerSocketEvent: 1 - name: envoy-gateway-system/external-gateway/domain1-example-com-http - perConnectionBufferLimitBytes: 32768 diff --git a/internal/xds/translator/testdata/out/xds-ir/jwt-from-multiple-listeners.routes.yaml b/internal/xds/translator/testdata/out/xds-ir/jwt-from-multiple-listeners.routes.yaml deleted file mode 100644 index e13818e7078..00000000000 --- a/internal/xds/translator/testdata/out/xds-ir/jwt-from-multiple-listeners.routes.yaml +++ /dev/null 
@@ -1,63 +0,0 @@ -- ignorePortInHostMatching: true - name: envoy-gateway-system/external-gateway/domain1-example-com-http - virtualHosts: - - domains: - - domain1.example.com - metadata: - filterMetadata: - envoy-gateway: - resources: - - kind: Gateway - name: external-gateway - namespace: envoy-gateway-system - sectionName: domain1-example-com-http - name: envoy-gateway-system/external-gateway/domain1-example-com-http/domain1_example_com - routes: - - match: - prefix: / - metadata: - filterMetadata: - envoy-gateway: - resources: - - kind: HTTPRoute - name: domain1 - namespace: ns1 - name: httproute/ns1/domain1/rule/0/match/0/domain1_example_com - route: - cluster: httproute/ns1/domain1/rule/0 - upgradeConfigs: - - upgradeType: websocket - typedPerFilterConfig: - envoy.filters.http.jwt_authn: - '@type': type.googleapis.com/envoy.extensions.filters.http.jwt_authn.v3.PerRouteConfig - requirementName: httproute/ns1/domain1/rule/0/match/0/domain1_example_com - - domains: - - domain2.example.com - metadata: - filterMetadata: - envoy-gateway: - resources: - - kind: Gateway - name: external-gateway - namespace: envoy-gateway-system - sectionName: domain2-example-com-http - name: envoy-gateway-system/external-gateway/domain2-example-com-http/domain2_example_com - routes: - - match: - prefix: / - metadata: - filterMetadata: - envoy-gateway: - resources: - - kind: HTTPRoute - name: domain2 - namespace: ns2 - name: httproute/ns2/domain2/rule/0/match/0/domain2_example_com - route: - cluster: httproute/ns2/domain2/rule/0 - upgradeConfigs: - - upgradeType: websocket - typedPerFilterConfig: - envoy.filters.http.jwt_authn: - '@type': type.googleapis.com/envoy.extensions.filters.http.jwt_authn.v3.PerRouteConfig - requirementName: httproute/ns2/domain2/rule/0/match/0/domain2_example_com 
diff --git a/internal/xds/translator/testdata/out/xds-ir/local-ratelimit-distinct.routes.yaml b/internal/xds/translator/testdata/out/xds-ir/local-ratelimit-distinct.routes.yaml index cd84f782560..65cce8400e9 100644 --- a/internal/xds/translator/testdata/out/xds-ir/local-ratelimit-distinct.routes.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/local-ratelimit-distinct.routes.yaml @@ -10,6 +10,11 @@ name: first-route-ratelimit-distinct-ip route: cluster: first-route-dest + rateLimits: + - actions: + - requestHeaders: + descriptorKey: rule-0-match-0 + headerName: x-user-id upgradeConfigs: - upgradeType: websocket typedPerFilterConfig: @@ -30,11 +35,6 @@ filterEnforced: defaultValue: numerator: 100 - rateLimits: - - actions: - - requestHeaders: - descriptorKey: rule-0-match-0 - headerName: x-user-id statPrefix: http_local_rate_limiter tokenBucket: fillInterval: 60s @@ -45,6 +45,44 @@ name: second-route-ratelimit-multiple-rules route: cluster: second-route-dest + rateLimits: + - actions: + - headerValueMatch: + descriptorKey: rule-0-match-0 + descriptorValue: rule-0-match-0 + expectMatch: true + headers: + - name: x-user-id + stringMatch: + exact: one + - headerValueMatch: + descriptorKey: rule-0-match-1 + descriptorValue: rule-0-match-1 + expectMatch: true + headers: + - name: x-org-id + stringMatch: + exact: foo + - actions: + - headerValueMatch: + descriptorKey: rule-1-match-0 + descriptorValue: rule-1-match-0 + expectMatch: true + headers: + - name: x-user-id + stringMatch: + exact: two + - headerValueMatch: + descriptorKey: rule-1-match-1 + descriptorValue: rule-1-match-1 + expectMatch: true + headers: + - name: x-org-id + stringMatch: + exact: bar + - maskedRemoteAddress: + v4PrefixMaskLen: 16 + - remoteAddress: {} upgradeConfigs: - upgradeType: websocket typedPerFilterConfig: 
@@ -80,44 +118,6 @@ filterEnforced: defaultValue: numerator: 100 - rateLimits: - - actions: - - headerValueMatch: - descriptorKey: rule-0-match-0 - descriptorValue: rule-0-match-0 - expectMatch: true - headers: - - name: x-user-id - stringMatch: - exact: one - - headerValueMatch: - descriptorKey: rule-0-match-1 - descriptorValue: rule-0-match-1 - expectMatch: true - headers: - - name: x-org-id - stringMatch: - exact: foo - - actions: - - headerValueMatch: - descriptorKey: rule-1-match-0 - descriptorValue: rule-1-match-0 - expectMatch: true - headers: - - name: x-user-id - stringMatch: - exact: two - - headerValueMatch: - descriptorKey: rule-1-match-1 - descriptorValue: rule-1-match-1 - expectMatch: true - headers: - - name: x-org-id - stringMatch: - exact: bar - - maskedRemoteAddress: - v4PrefixMaskLen: 16 - - remoteAddress: {} statPrefix: http_local_rate_limiter tokenBucket: fillInterval: 60s diff --git a/internal/xds/translator/testdata/out/xds-ir/local-ratelimit.routes.yaml b/internal/xds/translator/testdata/out/xds-ir/local-ratelimit.routes.yaml index c898c4e4d30..7fd4979238f 100644 --- a/internal/xds/translator/testdata/out/xds-ir/local-ratelimit.routes.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/local-ratelimit.routes.yaml @@ -10,6 +10,24 @@ name: first-route-ratelimit-single-rule route: cluster: first-route-dest + rateLimits: + - actions: + - headerValueMatch: + descriptorKey: rule-0-match-0 + descriptorValue: rule-0-match-0 + expectMatch: true + headers: + - name: x-user-id + stringMatch: + exact: one + - headerValueMatch: + descriptorKey: rule-0-match-1 + descriptorValue: rule-0-match-1 + expectMatch: true + headers: + - name: x-org-id + stringMatch: + exact: foo upgradeConfigs: - upgradeType: websocket typedPerFilterConfig: 
@@ -33,24 +51,6 @@ filterEnforced: defaultValue: numerator: 100 - rateLimits: - - actions: - - headerValueMatch: - descriptorKey: rule-0-match-0 - descriptorValue: rule-0-match-0 - expectMatch: true - headers: - - name: x-user-id - stringMatch: - exact: one - - headerValueMatch: - descriptorKey: rule-0-match-1 - descriptorValue: rule-0-match-1 - expectMatch: true - headers: - - name: x-org-id - stringMatch: - exact: foo statPrefix: http_local_rate_limiter tokenBucket: fillInterval: 60s @@ -61,6 +61,43 @@ name: second-route-ratelimit-multiple-rules route: cluster: second-route-dest + rateLimits: + - actions: + - headerValueMatch: + descriptorKey: rule-0-match-0 + descriptorValue: rule-0-match-0 + expectMatch: true + headers: + - name: x-user-id + stringMatch: + exact: one + - headerValueMatch: + descriptorKey: rule-0-match-1 + descriptorValue: rule-0-match-1 + expectMatch: true + headers: + - name: x-org-id + stringMatch: + exact: foo + - actions: + - headerValueMatch: + descriptorKey: rule-1-match-0 + descriptorValue: rule-1-match-0 + expectMatch: true + headers: + - name: x-user-id + stringMatch: + exact: two + - headerValueMatch: + descriptorKey: rule-1-match-1 + descriptorValue: rule-1-match-1 + expectMatch: true + headers: + - name: x-org-id + stringMatch: + exact: bar + - maskedRemoteAddress: + v4PrefixMaskLen: 16 upgradeConfigs: - upgradeType: websocket typedPerFilterConfig: 
@@ -95,43 +132,6 @@ filterEnforced: defaultValue: numerator: 100 - rateLimits: - - actions: - - headerValueMatch: - descriptorKey: rule-0-match-0 - descriptorValue: rule-0-match-0 - expectMatch: true - headers: - - name: x-user-id - stringMatch: - exact: one - - headerValueMatch: - descriptorKey: rule-0-match-1 - descriptorValue: rule-0-match-1 - expectMatch: true - headers: - - name: x-org-id - stringMatch: - exact: foo - - actions: - - headerValueMatch: - descriptorKey: rule-1-match-0 - descriptorValue: rule-1-match-0 - expectMatch: true - headers: - - name: x-user-id - stringMatch: - exact: two - - headerValueMatch: - descriptorKey: rule-1-match-1 - descriptorValue: rule-1-match-1 - expectMatch: true - headers: - - name: x-org-id - stringMatch: - exact: bar - - maskedRemoteAddress: - v4PrefixMaskLen: 16 statPrefix: http_local_rate_limiter tokenBucket: fillInterval: 60s diff --git a/internal/xds/translator/testdata/out/xds-ir/ratelimit-both-type.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/ratelimit-both-type.clusters.yaml deleted file mode 100644 index 39e632c5b75..00000000000 --- a/internal/xds/translator/testdata/out/xds-ir/ratelimit-both-type.clusters.yaml +++ /dev/null 
@@ -1,104 +0,0 @@ -- circuitBreakers: - thresholds: - - maxRetries: 1024 - commonLbConfig: {} - connectTimeout: 10s - dnsLookupFamily: V4_PREFERRED - edsClusterConfig: - edsConfig: - ads: {} - resourceApiVersion: V3 - serviceName: first-route-dest - ignoreHealthOnHostRemoval: true - lbPolicy: LEAST_REQUEST - loadBalancingPolicy: - policies: - - typedExtensionConfig: - name: envoy.load_balancing_policies.least_request - typedConfig: - '@type': type.googleapis.com/envoy.extensions.load_balancing_policies.least_request.v3.LeastRequest - localityLbConfig: - localityWeightedLbConfig: {} - name: first-route-dest - perConnectionBufferLimitBytes: 32768 - type: EDS -- circuitBreakers: - thresholds: - - maxRetries: 1024 - commonLbConfig: {} - connectTimeout: 10s - dnsLookupFamily: V4_PREFERRED - edsClusterConfig: - edsConfig: - ads: {} - resourceApiVersion: V3 - serviceName: second-route-dest - ignoreHealthOnHostRemoval: true - lbPolicy: LEAST_REQUEST - loadBalancingPolicy: - policies: - - typedExtensionConfig: - name: envoy.load_balancing_policies.least_request - typedConfig: - '@type': type.googleapis.com/envoy.extensions.load_balancing_policies.least_request.v3.LeastRequest - localityLbConfig: - localityWeightedLbConfig: {} - name: second-route-dest - perConnectionBufferLimitBytes: 32768 - type: EDS -- circuitBreakers: - thresholds: - - maxRetries: 1024 - commonLbConfig: {} - connectTimeout: 10s - dnsLookupFamily: V4_PREFERRED - dnsRefreshRate: 30s - ignoreHealthOnHostRemoval: true - lbPolicy: LEAST_REQUEST - loadAssignment: - clusterName: ratelimit_cluster - endpoints: - - lbEndpoints: - - endpoint: - address: - socketAddress: - address: envoy-ratelimit.envoy-gateway-system.svc.cluster.local - portValue: 8081 - loadBalancingWeight: 1 - loadBalancingWeight: 1 - locality: - region: ratelimit_cluster/backend/-1 - loadBalancingPolicy: - policies: - - typedExtensionConfig: - name: envoy.load_balancing_policies.least_request - typedConfig: - '@type': 
type.googleapis.com/envoy.extensions.load_balancing_policies.least_request.v3.LeastRequest - localityLbConfig: - localityWeightedLbConfig: {} - name: ratelimit_cluster - perConnectionBufferLimitBytes: 32768 - respectDnsTtl: true - transportSocket: - name: envoy.transport_sockets.tls - typedConfig: - '@type': type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext - commonTlsContext: - tlsCertificateSdsSecretConfigs: - - name: envoy-gateway-system/envoy - sdsConfig: - ads: {} - resourceApiVersion: V3 - tlsParams: - tlsMaximumProtocolVersion: TLSv1_3 - validationContext: - trustedCa: - filename: /certs/ca.crt - type: STRICT_DNS - typedExtensionProtocolOptions: - envoy.extensions.upstreams.http.v3.HttpProtocolOptions: - '@type': type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions - explicitHttpConfig: - http2ProtocolOptions: - initialConnectionWindowSize: 1048576 - initialStreamWindowSize: 65536 diff --git a/internal/xds/translator/testdata/out/xds-ir/ratelimit-both-type.endpoints.yaml b/internal/xds/translator/testdata/out/xds-ir/ratelimit-both-type.endpoints.yaml deleted file mode 100644 index de95bf555b9..00000000000 --- a/internal/xds/translator/testdata/out/xds-ir/ratelimit-both-type.endpoints.yaml +++ /dev/null @@ -1,24 +0,0 @@ -- clusterName: first-route-dest - endpoints: - - lbEndpoints: - - endpoint: - address: - socketAddress: - address: 1.2.3.4 - portValue: 50000 - loadBalancingWeight: 1 - loadBalancingWeight: 1 - locality: - region: first-route-dest/backend/0 -- clusterName: second-route-dest - endpoints: - - lbEndpoints: - - endpoint: - address: - socketAddress: - address: 1.2.3.4 - portValue: 50000 - loadBalancingWeight: 1 - loadBalancingWeight: 1 - locality: - region: second-route-dest/backend/0 
diff --git a/internal/xds/translator/testdata/out/xds-ir/ratelimit-both-type.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/ratelimit-both-type.listeners.yaml deleted file mode 100644 index 862ea444b99..00000000000 --- a/internal/xds/translator/testdata/out/xds-ir/ratelimit-both-type.listeners.yaml +++ /dev/null @@ -1,51 +0,0 @@ -- address: - socketAddress: - address: '::' - portValue: 10080 - defaultFilterChain: - filters: - - name: envoy.filters.network.http_connection_manager - typedConfig: - '@type': type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager - commonHttpProtocolOptions: - headersWithUnderscoresAction: REJECT_REQUEST - http2ProtocolOptions: - initialConnectionWindowSize: 1048576 - initialStreamWindowSize: 65536 - maxConcurrentStreams: 100 - httpFilters: - - name: envoy.filters.http.local_ratelimit - typedConfig: - '@type': type.googleapis.com/envoy.extensions.filters.http.local_ratelimit.v3.LocalRateLimit - maxDynamicDescriptors: 10000 - statPrefix: http_local_rate_limiter - - name: envoy.filters.http.ratelimit - typedConfig: - '@type': type.googleapis.com/envoy.extensions.filters.http.ratelimit.v3.RateLimit - disableXEnvoyRatelimitedHeader: true - domain: first-listener - enableXRatelimitHeaders: DRAFT_VERSION_03 - rateLimitService: - grpcService: - envoyGrpc: - clusterName: ratelimit_cluster - transportApiVersion: V3 - - name: envoy.filters.http.router - typedConfig: - '@type': type.googleapis.com/envoy.extensions.filters.http.router.v3.Router - suppressEnvoyHeaders: true - mergeSlashes: true - normalizePath: true - pathWithEscapedSlashesAction: UNESCAPE_AND_REDIRECT - rds: - configSource: - ads: {} - resourceApiVersion: V3 - routeConfigName: first-listener - serverHeaderTransformation: PASS_THROUGH - statPrefix: http-10080 - useRemoteAddress: true - name: first-listener - maxConnectionsToAcceptPerSocketEvent: 1 - name: first-listener - perConnectionBufferLimitBytes: 32768 
diff --git a/internal/xds/translator/testdata/out/xds-ir/ratelimit-both-type.routes.yaml b/internal/xds/translator/testdata/out/xds-ir/ratelimit-both-type.routes.yaml deleted file mode 100644 index 45ad315c483..00000000000 --- a/internal/xds/translator/testdata/out/xds-ir/ratelimit-both-type.routes.yaml +++ /dev/null @@ -1,76 +0,0 @@ -- ignorePortInHostMatching: true - name: first-listener - virtualHosts: - - domains: - - '*' - name: first-listener/* - routes: - - match: - path: foo/bar - name: first-route - route: - cluster: first-route-dest - rateLimits: - - actions: - - genericKey: - descriptorKey: first-route - descriptorValue: first-route - - headerValueMatch: - descriptorKey: rule-0-match-0 - descriptorValue: rule-0-match-0 - expectMatch: true - headers: - - name: x-user-id - stringMatch: - exact: one - upgradeConfigs: - - upgradeType: websocket - - match: - path: example - name: second-route - route: - cluster: second-route-dest - rateLimits: - - actions: - - genericKey: - descriptorKey: second-route - descriptorValue: second-route - - requestHeaders: - descriptorKey: rule-0-match-0 - headerName: x-user-id - upgradeConfigs: - - upgradeType: websocket - typedPerFilterConfig: - envoy.filters.http.local_ratelimit: - '@type': type.googleapis.com/envoy.extensions.filters.http.local_ratelimit.v3.LocalRateLimit - alwaysConsumeDefaultTokenBucket: false - descriptors: - - entries: - - key: rule-0-match-0 - value: rule-0-match-0 - tokenBucket: - fillInterval: 3600s - maxTokens: 10 - tokensPerFill: 10 - enableXRatelimitHeaders: DRAFT_VERSION_03 - filterEnabled: - defaultValue: - numerator: 100 - filterEnforced: - defaultValue: - numerator: 100 - rateLimits: - - actions: - - headerValueMatch: - descriptorKey: rule-0-match-0 - descriptorValue: rule-0-match-0 - expectMatch: true - headers: - - name: x-user-id - stringMatch: - exact: one - statPrefix: http_local_rate_limiter - tokenBucket: - fillInterval: 60s - maxTokens: 10 - tokensPerFill: 10 
diff --git a/internal/xds/translator/testdata/out/xds-ir/ratelimit-both-type.secrets.yaml b/internal/xds/translator/testdata/out/xds-ir/ratelimit-both-type.secrets.yaml deleted file mode 100644 index fb089151187..00000000000 --- a/internal/xds/translator/testdata/out/xds-ir/ratelimit-both-type.secrets.yaml +++ /dev/null @@ -1,6 +0,0 @@ -- name: envoy-gateway-system/envoy - tlsCertificate: - certificateChain: - inlineBytes: Y2VydC1kYXRh - privateKey: - inlineBytes: a2V5LWRhdGE= diff --git a/release-notes/current.yaml b/release-notes/current.yaml index 32c964f90bc..19e589cdf75 100644 --- a/release-notes/current.yaml +++ b/release-notes/current.yaml @@ -8,14 +8,9 @@ security updates: | # New features or capabilities added in this release. new features: | - Added support for both Global and Local rate limiting in BackendTrafficPolicy simultaneously. - Added support for applying SecurityPolicy Authorization to TCPRoute (client IP / allow-deny list for TCP traffic). bug fixes: | - Fixed Listener port limit typo 65353 -> 65535. - - Fixed issue where reloading invalid envoy gateway configuration. - - Fixed missing JWT provider configuration when JWT authentication is configured on multiple HTTP listeners sharing the same port. - # Enhancements that improve performance. performance improvements: | diff --git a/site/content/en/contributions/CONTRIBUTING.md b/site/content/en/contributions/CONTRIBUTING.md index bdb9df9f3c9..9ae725a9e42 100644 --- a/site/content/en/contributions/CONTRIBUTING.md +++ b/site/content/en/contributions/CONTRIBUTING.md 
@@ -45,6 +45,8 @@ to the following guidelines for all code, APIs, and documentation: * Submit your PR. * Tests will automatically run for you. * We will **not** merge any PR that is not passing tests. +* Before submitting, ensure YAML is formatted: + * Run `make format-yaml` to auto-format all tracked YAML files using go-prettier. * PRs are expected to have 100% test coverage for added code. This can be verified with a coverage build. If your PR cannot have 100% coverage for some reason please clearly explain why, when you open it. diff --git a/test/e2e/testdata/tcproute-authorization-client-ip.yaml b/test/e2e/testdata/tcproute-authorization-client-ip.yaml deleted file mode 100644 index 34f6f419418..00000000000 --- a/test/e2e/testdata/tcproute-authorization-client-ip.yaml +++ /dev/null 
@@ -1,100 +0,0 @@ -apiVersion: gateway.networking.k8s.io/v1beta1 -kind: Gateway -metadata: - name: tcp-authorization-backend - namespace: gateway-conformance-infra -spec: - gatewayClassName: "{GATEWAY_CLASS_NAME}" - listeners: - - name: ip - protocol: TCP - port: 8080 - allowedRoutes: - kinds: - - kind: TCPRoute - - name: fqdn - protocol: TCP - port: 8090 - allowedRoutes: - kinds: - - kind: TCPRoute ---- -apiVersion: gateway.networking.k8s.io/v1alpha2 -kind: TCPRoute -metadata: - name: tcp-backend-authorization-ip - namespace: gateway-conformance-infra -spec: - parentRefs: - - name: tcp-authorization-backend - sectionName: ip - rules: - - backendRefs: - - group: gateway.envoyproxy.io - kind: Backend - name: backend-ip - port: 8080 ---- -apiVersion: gateway.networking.k8s.io/v1alpha2 -kind: TCPRoute -metadata: - name: tcp-backend-authorization-fqdn - namespace: gateway-conformance-infra -spec: - parentRefs: - - name: tcp-authorization-backend - sectionName: fqdn - rules: - - backendRefs: - - group: gateway.envoyproxy.io - kind: Backend - name: backend-fqdn - port: 8080 ---- -apiVersion: gateway.envoyproxy.io/v1alpha1 -kind: Backend -metadata: - name: backend-fqdn - namespace: gateway-conformance-infra -spec: - endpoints: - - fqdn: - hostname: infra-backend-v1.gateway-conformance-infra.svc.cluster.local - port: 8080 ---- -apiVersion: gateway.envoyproxy.io/v1alpha1 -kind: SecurityPolicy -metadata: - name: tcp-backend-authorization-ip-security-policy - namespace: gateway-conformance-infra -spec: - targetRefs: - - group: gateway.networking.k8s.io - kind: TCPRoute - name: tcp-backend-authorization-ip - authorization: - defaultAction: Deny - rules: - - action: Allow - principal: - clientCIDRs: - - 192.168.254.0/24 ---- -apiVersion: gateway.envoyproxy.io/v1alpha1 -kind: SecurityPolicy -metadata: - name: tcp-backend-authorization-fqdn-security-policy - namespace: gateway-conformance-infra -spec: - targetRefs: - - group: gateway.networking.k8s.io - kind: TCPRoute - name: 
tcp-backend-authorization-fqdn - authorization: - defaultAction: Deny - rules: - - action: Allow - principal: - clientCIDRs: - - 0.0.0.0/0 - - ::/0 diff --git a/test/helm/gateway-crds-helm/all.out.yaml b/test/helm/gateway-crds-helm/all.out.yaml index c5e4dfd337c..6602b87b5f4 100644 --- a/test/helm/gateway-crds-helm/all.out.yaml +++ b/test/helm/gateway-crds-helm/all.out.yaml @@ -22677,12 +22677,12 @@ spec: description: |- Type decides the scope for the RateLimits. Valid RateLimitType values are "Global" or "Local". - - Deprecated: Use Global and/or Local fields directly instead. Both can be specified simultaneously for combined rate limiting. enum: - Global - Local type: string + required: + - type type: object requestBuffer: description: |- @@ -28542,8 +28542,6 @@ spec: - envoy.filters.http.ext_authz - - envoy.filters.http.api_key_auth - - envoy.filters.http.basic_auth - envoy.filters.http.oauth2 @@ -28552,8 +28550,6 @@ spec: - envoy.filters.http.stateful_session - - envoy.filters.http.buffer - - envoy.filters.http.lua - envoy.filters.http.ext_proc @@ -28566,16 +28562,8 @@ spec: - envoy.filters.http.ratelimit - - envoy.filters.http.grpc_web - - - envoy.filters.http.grpc_stats - - envoy.filters.http.custom_response - - envoy.filters.http.credential_injector - - - envoy.filters.http.compressor - - envoy.filters.http.router Note: "envoy.filters.http.router" cannot be reordered, it's always the last filter in the chain. @@ -28597,17 +28585,13 @@ spec: - envoy.filters.http.oauth2 - envoy.filters.http.jwt_authn - envoy.filters.http.stateful_session - - envoy.filters.http.buffer - envoy.filters.http.lua - envoy.filters.http.ext_proc - envoy.filters.http.wasm - envoy.filters.http.rbac - envoy.filters.http.local_ratelimit - envoy.filters.http.ratelimit - - envoy.filters.http.grpc_web - - envoy.filters.http.grpc_stats - envoy.filters.http.custom_response - - envoy.filters.http.credential_injector - envoy.filters.http.compressor type: string before: 
@@ -28624,17 +28608,13 @@ spec: - envoy.filters.http.oauth2 - envoy.filters.http.jwt_authn - envoy.filters.http.stateful_session - - envoy.filters.http.buffer - envoy.filters.http.lua - envoy.filters.http.ext_proc - envoy.filters.http.wasm - envoy.filters.http.rbac - envoy.filters.http.local_ratelimit - envoy.filters.http.ratelimit - - envoy.filters.http.grpc_web - - envoy.filters.http.grpc_stats - envoy.filters.http.custom_response - - envoy.filters.http.credential_injector - envoy.filters.http.compressor type: string name: @@ -28649,17 +28629,13 @@ spec: - envoy.filters.http.oauth2 - envoy.filters.http.jwt_authn - envoy.filters.http.stateful_session - - envoy.filters.http.buffer - envoy.filters.http.lua - envoy.filters.http.ext_proc - envoy.filters.http.wasm - envoy.filters.http.rbac - envoy.filters.http.local_ratelimit - envoy.filters.http.ratelimit - - envoy.filters.http.grpc_web - - envoy.filters.http.grpc_stats - envoy.filters.http.custom_response - - envoy.filters.http.credential_injector - envoy.filters.http.compressor type: string required: diff --git a/test/helm/gateway-crds-helm/envoy-gateway-crds.out.yaml b/test/helm/gateway-crds-helm/envoy-gateway-crds.out.yaml index a05ba9f7f81..377be517e3c 100644 --- a/test/helm/gateway-crds-helm/envoy-gateway-crds.out.yaml +++ b/test/helm/gateway-crds-helm/envoy-gateway-crds.out.yaml @@ -2021,12 +2021,12 @@ spec: description: |- Type decides the scope for the RateLimits. Valid RateLimitType values are "Global" or "Local". - - Deprecated: Use Global and/or Local fields directly instead. Both can be specified simultaneously for combined rate limiting. enum: - Global - Local type: string + required: + - type type: object requestBuffer: description: |- @@ -7886,8 +7886,6 @@ spec: - envoy.filters.http.ext_authz - - envoy.filters.http.api_key_auth - - envoy.filters.http.basic_auth - envoy.filters.http.oauth2 
@@ -7896,8 +7894,6 @@ spec: - envoy.filters.http.stateful_session - - envoy.filters.http.buffer - - envoy.filters.http.lua - envoy.filters.http.ext_proc @@ -7910,16 +7906,8 @@ spec: - envoy.filters.http.ratelimit - - envoy.filters.http.grpc_web - - - envoy.filters.http.grpc_stats - - envoy.filters.http.custom_response - - envoy.filters.http.credential_injector - - - envoy.filters.http.compressor - - envoy.filters.http.router Note: "envoy.filters.http.router" cannot be reordered, it's always the last filter in the chain. @@ -7941,17 +7929,13 @@ spec: - envoy.filters.http.oauth2 - envoy.filters.http.jwt_authn - envoy.filters.http.stateful_session - - envoy.filters.http.buffer - envoy.filters.http.lua - envoy.filters.http.ext_proc - envoy.filters.http.wasm - envoy.filters.http.rbac - envoy.filters.http.local_ratelimit - envoy.filters.http.ratelimit - - envoy.filters.http.grpc_web - - envoy.filters.http.grpc_stats - envoy.filters.http.custom_response - - envoy.filters.http.credential_injector - envoy.filters.http.compressor type: string before: @@ -7968,17 +7952,13 @@ spec: - envoy.filters.http.oauth2 - envoy.filters.http.jwt_authn - envoy.filters.http.stateful_session - - envoy.filters.http.buffer - envoy.filters.http.lua - envoy.filters.http.ext_proc - envoy.filters.http.wasm - envoy.filters.http.rbac - envoy.filters.http.local_ratelimit - envoy.filters.http.ratelimit - - envoy.filters.http.grpc_web - - envoy.filters.http.grpc_stats - envoy.filters.http.custom_response - - envoy.filters.http.credential_injector - envoy.filters.http.compressor type: string name: 
@@ -7993,17 +7973,13 @@ spec: - envoy.filters.http.oauth2 - envoy.filters.http.jwt_authn - envoy.filters.http.stateful_session - - envoy.filters.http.buffer - envoy.filters.http.lua - envoy.filters.http.ext_proc - envoy.filters.http.wasm - envoy.filters.http.rbac - envoy.filters.http.local_ratelimit - envoy.filters.http.ratelimit - - envoy.filters.http.grpc_web - - envoy.filters.http.grpc_stats - envoy.filters.http.custom_response - - envoy.filters.http.credential_injector - envoy.filters.http.compressor type: string required: diff --git a/tools/go.mod b/tools/go.mod index f4f20d80620..e598c9bf773 100644 --- a/tools/go.mod +++ b/tools/go.mod @@ -9,6 +9,7 @@ tool ( github.com/google/go-jsonnet/cmd/jsonnet github.com/jsonnet-bundler/jsonnet-bundler/cmd/jb github.com/norwoodj/helm-docs/cmd/helm-docs + github.com/wasilibs/go-prettier/v3/cmd/prettier golang.org/x/perf/cmd/benchstat google.golang.org/grpc/cmd/protoc-gen-go-grpc google.golang.org/protobuf/cmd/protoc-gen-go diff --git a/tools/linter/yamllint/.yamllint b/tools/linter/yamllint/.yamllint deleted file mode 100644 index ae2e0b76bd2..00000000000 --- a/tools/linter/yamllint/.yamllint +++ /dev/null 
@@ -1,66 +0,0 @@ ---- - -ignore: | - # This directory fails checks since many files - # are templated. Instead, we run the linter - # after running `make generate-manifests` which creates - # the Install YAML in bin/ - charts/gateway-helm/ - charts/gateway-addons-helm/ - charts/gateway-crds-helm/ - bin/install.yaml - test/helm/gateway-helm/ - test/helm/gateway-addons-helm/ - test/helm/gateway-crds-helm/ - examples/extension-server/charts/extension-server - site/node_modules/ - .vscode/ - -rules: - braces: - min-spaces-inside: 0 - max-spaces-inside: 0 - min-spaces-inside-empty: -1 - max-spaces-inside-empty: -1 - brackets: - min-spaces-inside: 0 - max-spaces-inside: 1 - min-spaces-inside-empty: -1 - max-spaces-inside-empty: -1 - colons: - max-spaces-before: 0 - max-spaces-after: 1 - commas: - max-spaces-before: 1 - min-spaces-after: 1 - max-spaces-after: 1 - comments: - level: error - require-starting-space: true - min-spaces-from-content: 2 - comments-indentation: - level: warning - document-end: disable - document-start: disable - empty-lines: - max: 2 - max-start: 0 - max-end: 1 - empty-values: - forbid-in-block-mappings: false - forbid-in-flow-mappings: true - hyphens: - max-spaces-after: 1 - indentation: - spaces: 2 - indent-sequences: consistent # be consistent: don't mix indentation styles in one file. - check-multi-line-strings: false - key-duplicates: enable - key-ordering: disable - new-line-at-end-of-file: enable - new-lines: - type: unix - trailing-spaces: enable - truthy: - check-keys: false # GitHub Actions uses "on:" as a key - level: warning diff --git a/tools/make/lint.mk b/tools/make/lint.mk index 43db54cc136..2be32ca8319 100644 --- a/tools/make/lint.mk +++ b/tools/make/lint.mk 
@@ -8,7 +8,27 @@ GITHUB_ACTION ?=
 LINT_BUILD_TAGS ?= e2e,celvalidation,conformance,experimental,benchmark,resilience,integration
 .PHONY: lint
-lint: ## Run all linter of code sources, including golint, yamllint, whitenoise lint and codespell.
+lint: ## Run all linter of code sources, including golint, whitenoise lint and codespell.
+
+# Format YAML files with go-prettier for consistent style.
+.PHONY: format-yaml
+format-yaml: ## Format YAML files with go-prettier
+ @$(LOG_TARGET)
+ @files="$$(git ls-files :*.yml :*.yaml)"; \
+ if [ -n "$$files" ]; then \
+ prettier -w $$files; \
+ fi
+
+.PHONY: check-format-yaml
+check-format-yaml: ## Check YAML formatting with go-prettier (no changes)
+ @$(LOG_TARGET)
+ @files="$$(git ls-files :*.yml :*.yaml)"; \
+ if [ -n "$$files" ]; then \
+ prettier --check $$files; \
+ fi
+
+# Run YAML format check as part of gen-check to integrate with existing CI
+gen-check: check-format-yaml
 # lint-deps is run separately in CI to separate the tooling install logs from the actual output logs generated
 # by the lint tooling.
@@ -22,12 +42,7 @@ lint.golint:
 @$(LOG_TARGET)
 $(GO_TOOL) golangci-lint run $(GOLANGCI_LINT_FLAGS) --build-tags=$(LINT_BUILD_TAGS) --config=tools/linter/golangci-lint/.golangci.yml
-.PHONY: lint.yamllint
-lint: lint.yamllint
-lint-deps: $(tools/yamllint)
-lint.yamllint: $(tools/yamllint)
- @$(LOG_TARGET)
- $(tools/yamllint) --config-file=tools/linter/yamllint/.yamllint $$(git ls-files :*.yml :*.yaml | xargs -L1 dirname | sort -u)
+
 CODESPELL_FLAGS ?= $(if $(GITHUB_ACTION),--disable-colors)
 .PHONY: lint.codespell
diff --git a/tools/make/tools.mk b/tools/make/tools.mk
index e1bb44c0212..3f225b55ee9 100644
--- a/tools/make/tools.mk
+++ b/tools/make/tools.mk
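Review bot: Both new recipes in the first hunk (`format-yaml` and `check-format-yaml`) invoke a bare `prettier`, so the binary is whatever PATH resolves first rather than the `github.com/wasilibs/go-prettier/v3/cmd/prettier` tool this commit adds to tools/go.mod, and `gen-check` now gates on that unpinned lookup. The golangci-lint recipe in this file runs through `$(GO_TOOL)`; assuming that wrapper (defined outside this diff) resolves tools from tools/go.mod, the calls would read `$(GO_TOOL) prettier -w $$files;` and `$(GO_TOOL) prettier --check $$files;`. `$$files` is also expanded unquoted, so a tracked path containing whitespace is split into several arguments. Separately, `check-format-yaml` only checks layout, while the deleted yamllint config enabled `key-duplicates`; it is worth confirming that something else in CI still rejects duplicate keys.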
@@ -14,7 +14,6 @@ $(tools.bindir)/%: $(tools.srcdir)/%.sh
 # =========================
 #
 tools/codespell = $(tools.bindir)/codespell
-tools/yamllint = $(tools.bindir)/yamllint
 tools/sphinx-build = $(tools.bindir)/sphinx-build
 tools/release-notes-docs = $(tools.bindir)/release-notes-docs
 $(tools.bindir)/%.d/venv: $(tools.srcdir)/%/requirements.txt
diff --git a/tools/src/yamllint/requirements.txt b/tools/src/yamllint/requirements.txt
deleted file mode 100644
index 99c78bd3112..00000000000
--- a/tools/src/yamllint/requirements.txt
+++ /dev/null
@@ -1 +0,0 @@
-yamllint==1.37.1