Merge branch 'main' into clustertrustbundles

Author: zirain

.github/workflows/codeql.yml

@@ -36,14 +36,14 @@ jobs:
     - uses: ./tools/github-actions/setup-deps
 
     - name: Initialize CodeQL
-      uses: github/codeql-action/init@39edc492dbe16b1465b0cafca41432d857bdb31a  # v3.29.1
+      uses: github/codeql-action/init@181d5eefc20863364f96762470ba6f862bdef56b  # v3.29.2
       with:
         languages: ${{ matrix.language }}
 
     - name: Autobuild
-      uses: github/codeql-action/autobuild@39edc492dbe16b1465b0cafca41432d857bdb31a  # v3.29.1
+      uses: github/codeql-action/autobuild@181d5eefc20863364f96762470ba6f862bdef56b  # v3.29.2
 
     - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@39edc492dbe16b1465b0cafca41432d857bdb31a  # v3.29.1
+      uses: github/codeql-action/analyze@181d5eefc20863364f96762470ba6f862bdef56b  # v3.29.2
       with:
         category: "/language:${{matrix.language}}"

.github/workflows/scorecard.yml

@@ -40,6 +40,6 @@ jobs:
         retention-days: 5
 
     - name: "Upload to code-scanning"
-      uses: github/codeql-action/upload-sarif@39edc492dbe16b1465b0cafca41432d857bdb31a  # v3.29.1
+      uses: github/codeql-action/upload-sarif@181d5eefc20863364f96762470ba6f862bdef56b  # v3.29.2
       with:
         sarif_file: results.sarif

.github/workflows/trivy.yml

@@ -25,7 +25,7 @@ jobs:
         IMAGE=envoy-proxy/gateway-dev TAG=${{ github.sha }} make image
 
     - name: Run Trivy vulnerability scanner
-      uses: aquasecurity/trivy-action@76071ef0d7ec797419534a183b498b4d6366cf37  # v0.31.0
+      uses: aquasecurity/trivy-action@dc5a429b52fcf669ce959baa2c2dd26090d2a6c4  # v0.32.0
       with:
         image-ref: envoy-proxy/gateway-dev:${{ github.sha }}
         exit-code: '1'

api/v1alpha1/envoyproxy_types.go

@@ -158,12 +158,32 @@ type EnvoyProxySpec struct {
 	// +optional
 	PreserveRouteOrder *bool `json:"preserveRouteOrder,omitempty"`
 
-	// DisableLuaValidation disables the Lua script validation for Lua EnvoyExtensionPolicies
-	// +kubebuilder:default=false
+	// LuaValidation determines strictness of the Lua script validation for Lua EnvoyExtensionPolicies
+	// Default: Strict
 	// +optional
-	DisableLuaValidation *bool `json:"disableLuaValidation,omitempty"`
+	LuaValidation *LuaValidation `json:"luaValidation,omitempty"`
 }
 
+// +kubebuilder:validation:Enum=Strict;Disabled
+type LuaValidation string
+
+const (
+	// LuaValidationStrict is the default level and checks for issues during script execution.
+	// Recommended if your scripts only use the standard Envoy Lua stream handle API.
+	// For supported APIs, see: https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_filters/lua_filter#stream-handle-api
+	LuaValidationStrict LuaValidation = "Strict"
+
+	// LuaValidationSyntax checks for syntax errors in the Lua script.
+	// Note that this is not a full runtime validation and does not check for issues during script execution.
+	// This is recommended if your scripts use external libraries that are not supported by Lua runtime validation.
+	LuaValidationSyntax LuaValidation = "Syntax"
+
+	// LuaValidationDisabled disables all validations of Lua scripts.
+	// Scripts will be accepted and executed without any validation checks.
+	// This is not recommended unless both runtime and syntax validations are failing unexpectedly.
+	LuaValidationDisabled LuaValidation = "Disabled"
+)
+
 // RoutingType defines the type of routing of this Envoy proxy.
 type RoutingType string
 

api/v1alpha1/timeout_types.go

@@ -81,4 +81,10 @@ type HTTPClientTimeout struct {
 	//
 	// +optional
 	IdleTimeout *gwapiv1.Duration `json:"idleTimeout,omitempty"`
+
+	//  The stream idle timeout defines the amount of time a stream can exist without any upstream or downstream activity.
+	//  Default: 5 minutes.
+	//
+	// +optional
+	StreamIdleTimeout *gwapiv1.Duration `json:"streamIdleTimeout,omitempty"`
 }

api/v1alpha1/zz_generated.deepcopy.go

@@ -41,15 +41,15 @@ The Envoy Gateway must be installed before installing this chart.
 Once Helm has been set up correctly, install the chart from dockerhub:
 
 ``` shell
-    helm install eg-addons oci://docker.io/envoyproxy/gateway-addons-helm --version v0.0.0-latest -n monitoring --create-namespace
+helm install eg-addons oci://docker.io/envoyproxy/gateway-addons-helm --version v0.0.0-latest -n monitoring --create-namespace
 ```
 
 You can find all helm chart release in [Dockerhub](https://hub.docker.com/r/envoyproxy/gateway-addons-helm/tags)
 
 To uninstall the chart:
 
 ``` shell
-    helm uninstall eg-addons -n monitoring
+helm uninstall eg-addons -n monitoring
 ```
 
 ## Values

charts/gateway-addons-helm/README.md

@@ -17,15 +17,20 @@ If you do, make sure that you don't install the CRDs again when installing the E
 Once Helm has been set up correctly, install the chart from dockerhub:
 
 ``` shell
-    helm install gateway-crds oci://docker.io/envoyproxy/gateway-crds-helm --version v0.0.0-latest -n envoy-gateway-system --create-namespace
+helm template eg-crds oci://docker.io/envoyproxy/gateway-crds-helm \
+    --version v0.0.0-latest | kubectl apply --server-side -f -
 ```
 
+**Note**: We're using `helm template` piped into `kubectl apply` instead of `helm install` due to a [known Helm limitation](https://github.com/helm/helm/pull/12277)
+related to large CRDs in the `templates/` directory.
+
 You can find all helm chart release in [Dockerhub](https://hub.docker.com/r/envoyproxy/gateway-crds-helm/tags)
 
 To uninstall the chart:
 
 ``` shell
-    helm uninstall gateway-crds -n envoy-gateway-system
+helm template eg-crds oci://docker.io/envoyproxy/gateway-crds-helm \
+    --version v0.0.0-latest | kubectl delete --server-side -f -
 ```
 
 ## Values

charts/gateway-crds-helm/README.md

@@ -726,6 +726,12 @@ spec:
                           initiation and stops when either the last byte of the request is sent upstream or when the response begins.
                         pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
                         type: string
+                      streamIdleTimeout:
+                        description: |2-
+                           The stream idle timeout defines the amount of time a stream can exist without any upstream or downstream activity.
+                           Default: 5 minutes.
+                        pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
+                        type: string
                     type: object
                   tcp:
                     description: Timeout settings for TCP.

charts/gateway-crds-helm/templates/generated/gateway.envoyproxy.io_clienttrafficpolicies.yaml

@@ -270,11 +270,6 @@ spec:
                   the number of cpuset threads on the platform.
                 format: int32
                 type: integer
-              disableLuaValidation:
-                default: false
-                description: DisableLuaValidation disables the Lua script validation
-                  for Lua EnvoyExtensionPolicies
-                type: boolean
               extraArgs:
                 description: |-
                   ExtraArgs defines additional command line options that are provided to Envoy.
@@ -442,6 +437,14 @@ spec:
                       and the log level is the value. If unspecified, defaults to "default: warn".
                     type: object
                 type: object
+              luaValidation:
+                description: |-
+                  LuaValidation determines strictness of the Lua script validation for Lua EnvoyExtensionPolicies
+                  Default: Strict
+                enum:
+                - Strict
+                - Disabled
+                type: string
               mergeGateways:
                 description: |-
                   MergeGateways defines if Gateway resources should be merged onto the same Envoy Proxy Infrastructure.