Merge branch 'main' into clustertrustbundles

Author: zirain

VERSION

@@ -1 +1 @@
-v1.4.1
+v1.4.2

api/v1alpha1/connection_types.go

@@ -39,12 +39,11 @@ type ClientConnection struct {
 
 	// MaxAcceptPerSocketEvent provides configuration for the maximum number of connections to accept from the kernel
 	// per socket event. If there are more than MaxAcceptPerSocketEvent connections pending accept, connections over
-	// this threshold will be accepted in later event loop iterations. If no value is provided Envoy will accept
-	// all connections pending accept from the kernel.
-	// It is recommended to lower this value for better overload management and reduced per-event cost.
-	// Setting it to 1 is a viable option with no noticeable impact on performance.
+	// this threshold will be accepted in later event loop iterations.
+	// Defaults to 1 and can be disabled by setting to 0 for allowing unlimited accepted connections.
 	//
 	// +optional
+	// +kubebuilder:default=1
 	MaxAcceptPerSocketEvent *uint32 `json:"maxAcceptPerSocketEvent,omitempty"`
 }
 

api/v1alpha1/envoygateway_types.go

@@ -505,6 +505,7 @@ type RedisTLSSettings struct {
 // RateLimitRedisSettings defines the configuration for connecting to redis database.
 type RateLimitRedisSettings struct {
 	// URL of the Redis Database.
+	// This can reference a single Redis host or a comma delimited list for Sentinel and Cluster deployments of Redis.
 	URL string `json:"url"`
 
 	// TLS defines TLS configuration for connecting to redis database.
@@ -528,6 +529,14 @@ type ExtensionManager struct {
 	// +optional
 	PolicyResources []GroupVersionKind `json:"policyResources,omitempty"`
 
+	// BackendResources defines the set of K8s resources the extension will handle as
+	// custom backendRef resources. These resources can be referenced in HTTPRoute
+	// backendRefs to enable support for custom backend types (e.g., S3, Lambda, etc.)
+	// that are not natively supported by Envoy Gateway.
+	//
+	// +optional
+	BackendResources []GroupVersionKind `json:"backendResources,omitempty"`
+
 	// Hooks defines the set of hooks the extension supports
 	//
 	// +kubebuilder:validation:Required

api/v1alpha1/shared_types.go

@@ -387,14 +387,15 @@ const (
 // XDSTranslatorHook defines the types of hooks that an Envoy Gateway extension may support
 // for the xds-translator
 //
-// +kubebuilder:validation:Enum=VirtualHost;Route;HTTPListener;Translation
+// +kubebuilder:validation:Enum=VirtualHost;Route;HTTPListener;Translation;Cluster
 type XDSTranslatorHook string
 
 const (
 	XDSVirtualHost  XDSTranslatorHook = "VirtualHost"
 	XDSRoute        XDSTranslatorHook = "Route"
 	XDSHTTPListener XDSTranslatorHook = "HTTPListener"
 	XDSTranslation  XDSTranslatorHook = "Translation"
+	XDSCluster      XDSTranslatorHook = "Cluster"
 )
 
 // StringMatch defines how to match any strings.

api/v1alpha1/validation/envoygateway_validate.go

@@ -8,6 +8,7 @@ package validation
 import (
 	"fmt"
 	"net/url"
+	"strings"
 
 	egv1a1 "github.com/envoyproxy/gateway/api/v1alpha1"
 )
@@ -167,8 +168,11 @@ func validateEnvoyGatewayRateLimit(rateLimit *egv1a1.RateLimit) error {
 	if rateLimit.Backend.Redis == nil || rateLimit.Backend.Redis.URL == "" {
 		return fmt.Errorf("empty ratelimit redis settings")
 	}
-	if _, err := url.Parse(rateLimit.Backend.Redis.URL); err != nil {
-		return fmt.Errorf("unknown ratelimit redis url format: %w", err)
+	redisHosts := strings.Split(rateLimit.Backend.Redis.URL, ",")
+	for _, host := range redisHosts {
+		if _, err := url.Parse(host); err != nil {
+			return fmt.Errorf("unknown ratelimit redis url format: %w", err)
+		}
 	}
 	return nil
 }

api/v1alpha1/validation/envoygateway_validate_test.go

@@ -302,6 +302,42 @@ func TestValidateEnvoyGateway(t *testing.T) {
 			},
 			expect: true,
 		},
+		{
+			name: "happy ratelimit redis sentinel settings",
+			eg: &egv1a1.EnvoyGateway{
+				EnvoyGatewaySpec: egv1a1.EnvoyGatewaySpec{
+					Gateway:  egv1a1.DefaultGateway(),
+					Provider: egv1a1.DefaultEnvoyGatewayProvider(),
+					RateLimit: &egv1a1.RateLimit{
+						Backend: egv1a1.RateLimitDatabaseBackend{
+							Type: egv1a1.RedisBackendType,
+							Redis: &egv1a1.RateLimitRedisSettings{
+								URL: "primary_.-,node-0:26379,node-1:26379",
+							},
+						},
+					},
+				},
+			},
+			expect: true,
+		},
+		{
+			name: "happy ratelimit redis cluster settings",
+			eg: &egv1a1.EnvoyGateway{
+				EnvoyGatewaySpec: egv1a1.EnvoyGatewaySpec{
+					Gateway:  egv1a1.DefaultGateway(),
+					Provider: egv1a1.DefaultEnvoyGatewayProvider(),
+					RateLimit: &egv1a1.RateLimit{
+						Backend: egv1a1.RateLimitDatabaseBackend{
+							Type: egv1a1.RedisBackendType,
+							Redis: &egv1a1.RateLimitRedisSettings{
+								URL: "node-0:6376,node-1:6376,node-2:6376",
+							},
+						},
+					},
+				},
+			},
+			expect: true,
+		},
 		{
 			name: "happy extension settings",
 			eg: &egv1a1.EnvoyGateway{

api/v1alpha1/zz_generated.deepcopy.go

@@ -154,13 +154,12 @@ spec:
                     - value
                     type: object
                   maxAcceptPerSocketEvent:
+                    default: 1
                     description: |-
                       MaxAcceptPerSocketEvent provides configuration for the maximum number of connections to accept from the kernel
                       per socket event. If there are more than MaxAcceptPerSocketEvent connections pending accept, connections over
-                      this threshold will be accepted in later event loop iterations. If no value is provided Envoy will accept
-                      all connections pending accept from the kernel.
-                      It is recommended to lower this value for better overload management and reduced per-event cost.
-                      Setting it to 1 is a viable option with no noticeable impact on performance.
+                      this threshold will be accepted in later event loop iterations.
+                      Defaults to 1 and can be disabled by setting to 0 for allowing unlimited accepted connections.
                     format: int32
                     type: integer
                   socketBufferLimit:

charts/gateway-crds-helm/templates/generated/gateway.envoyproxy.io_clienttrafficpolicies.yaml

@@ -62,6 +62,7 @@ To uninstall the chart:
 | certgen | object | `{"job":{"affinity":{},"annotations":{},"args":[],"nodeSelector":{},"resources":{},"securityContext":{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"privileged":false,"readOnlyRootFilesystem":true,"runAsGroup":65532,"runAsNonRoot":true,"runAsUser":65532,"seccompProfile":{"type":"RuntimeDefault"}},"tolerations":[],"ttlSecondsAfterFinished":30},"rbac":{"annotations":{},"labels":{}}}` | Certgen is used to generate the certificates required by EnvoyGateway. If you want to construct a custom certificate, you can generate a custom certificate through Cert-Manager before installing EnvoyGateway. Certgen will not overwrite the custom certificate. Please do not manually modify `values.yaml` to disable certgen, it may cause EnvoyGateway OIDC,OAuth2,etc. to not work as expected. |
 | config.envoyGateway | object | `{"extensionApis":{},"gateway":{"controllerName":"gateway.envoyproxy.io/gatewayclass-controller"},"logging":{"level":{"default":"info"}},"provider":{"type":"Kubernetes"}}` | EnvoyGateway configuration. Visit https://gateway.envoyproxy.io/docs/api/extension_types/#envoygateway to view all options. |
 | createNamespace | bool | `false` |  |
+| deployment.annotations | object | `{}` |  |
 | deployment.envoyGateway.image.repository | string | `""` |  |
 | deployment.envoyGateway.image.tag | string | `""` |  |
 | deployment.envoyGateway.imagePullPolicy | string | `""` |  |

charts/gateway-helm/README.md

@@ -153,13 +153,12 @@ spec:
                     - value
                     type: object
                   maxAcceptPerSocketEvent:
+                    default: 1
                     description: |-
                       MaxAcceptPerSocketEvent provides configuration for the maximum number of connections to accept from the kernel
                       per socket event. If there are more than MaxAcceptPerSocketEvent connections pending accept, connections over
-                      this threshold will be accepted in later event loop iterations. If no value is provided Envoy will accept
-                      all connections pending accept from the kernel.
-                      It is recommended to lower this value for better overload management and reduced per-event cost.
-                      Setting it to 1 is a viable option with no noticeable impact on performance.
+                      this threshold will be accepted in later event loop iterations.
+                      Defaults to 1 and can be disabled by setting to 0 for allowing unlimited accepted connections.
                     format: int32
                     type: integer
                   socketBufferLimit: