Merge branch 'main' into httproute-1000

.github/PULL_REQUEST_TEMPLATE.md

@@ -1,6 +1,6 @@
 **What type of PR is this?**
 <!--
-Your PR title should be descriptive, and generally start with type that contains a subsystem name with `()` if necessary 
+Your PR title should be descriptive, and generally start with type that contains a subsystem name with `()` if necessary
 and summary followed by a colon. format `chore/docs/api/feat/fix/refactor/style/test: summary`.
 Examples:
 * "docs: fix grammar error"
@@ -23,3 +23,9 @@ a new PR, and we will review the API part first. It will save you lots of implem
 Usage: `Fixes #<issue number>`, or `Fixes (paste link of issue)`.
 -->
 Fixes #
+
+<!--
+For any non-trivial changes, you need to provide a brief description of the changes in the release notes.
+Please add the description to the release-notes/current.yaml file and include this file in the PR.
+-->
+Release Notes: Yes/No

.github/workflows/build_and_test.yaml

@@ -20,7 +20,7 @@ jobs:
   lint:
     runs-on: ubuntu-22.04
     steps:
-    - uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938  # v4.2.0
+    - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871  # v4.2.1
     - uses: ./tools/github-actions/setup-deps
     # Generate the installation manifests first, so it can check
     # for errors while running `make -k lint`
@@ -31,14 +31,14 @@ jobs:
   gen-check:
     runs-on: ubuntu-22.04
     steps:
-    - uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938  # v4.2.0
+    - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871  # v4.2.1
     - uses: ./tools/github-actions/setup-deps
     - run: make -k gen-check
 
   license-check:
     runs-on: ubuntu-latest
     steps:
-    - uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938  # v4.2.0
+    - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871  # v4.2.1
     - uses: ./tools/github-actions/setup-deps
     - run: make -k licensecheck
 
@@ -48,7 +48,7 @@ jobs:
       contents: read   #  for actions/checkout
       id-token: write  #  for fetching OIDC token
     steps:
-    - uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938  # v4.2.0
+    - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871  # v4.2.1
     - uses: ./tools/github-actions/setup-deps
 
     # test
@@ -67,14 +67,14 @@ jobs:
     runs-on: ubuntu-latest
     needs: [lint, gen-check, license-check, coverage-test]
     steps:
-    - uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938  # v4.2.0
+    - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871  # v4.2.1
     - uses: ./tools/github-actions/setup-deps
 
     - name: Build EG Multiarch Binaries
       run: make build-multiarch PLATFORMS="linux_amd64 linux_arm64"
 
     - name: Upload EG Binaries
-      uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874  # v4.4.0
+      uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882  # v4.4.3
       with:
         name: envoy-gateway
         path: bin/
@@ -87,7 +87,7 @@ jobs:
       matrix:
         version: [ v1.28.13, v1.29.8, v1.30.4, v1.31.0 ]
     steps:
-    - uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938  # v4.2.0
+    - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871  # v4.2.1
     - uses: ./tools/github-actions/setup-deps
 
     - name: Download EG Binaries
@@ -116,7 +116,7 @@ jobs:
       matrix:
         version: [ v1.28.13, v1.29.8, v1.30.4, v1.31.0 ]
     steps:
-    - uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938  # v4.2.0
+    - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871  # v4.2.1
     - uses: ./tools/github-actions/setup-deps
 
     - name: Download EG Binaries
@@ -143,7 +143,7 @@ jobs:
     if: ${{ ! startsWith(github.event_name, 'push') }}
     needs: [build]
     steps:
-    - uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938  # v4.2.0
+    - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871  # v4.2.1
     - uses: ./tools/github-actions/setup-deps
 
     - name: Setup Graphviz
@@ -170,7 +170,7 @@ jobs:
     runs-on: ubuntu-latest
     needs: [conformance-test, e2e-test]
     steps:
-    - uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938  # v4.2.0
+    - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871  # v4.2.1
     - uses: ./tools/github-actions/setup-deps
 
     - name: Download EG Binaries

.github/workflows/codeql.yml

@@ -32,18 +32,18 @@ jobs:
 
     steps:
     - name: Checkout repository
-      uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938  # v4.2.0
+      uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871  # v4.2.1
     - uses: ./tools/github-actions/setup-deps
 
     - name: Initialize CodeQL
-      uses: github/codeql-action/init@6db8d6351fd0be61f9ed8ebd12ccd35dcec51fea  # v3.26.11
+      uses: github/codeql-action/init@f779452ac5af1c261dce0346a8f964149f49322b  # v3.26.13
       with:
         languages: ${{ matrix.language }}
 
     - name: Autobuild
-      uses: github/codeql-action/autobuild@6db8d6351fd0be61f9ed8ebd12ccd35dcec51fea  # v3.26.11
+      uses: github/codeql-action/autobuild@f779452ac5af1c261dce0346a8f964149f49322b  # v3.26.13
 
     - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@6db8d6351fd0be61f9ed8ebd12ccd35dcec51fea  # v3.26.11
+      uses: github/codeql-action/analyze@f779452ac5af1c261dce0346a8f964149f49322b  # v3.26.13
       with:
         category: "/language:${{matrix.language}}"

.github/workflows/docs.yaml

@@ -23,7 +23,7 @@ jobs:
     runs-on: ubuntu-22.04
     steps:
     - name: Check out code
-      uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938  # v4.2.0
+      uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871  # v4.2.1
       with:
         ref: ${{ github.event.pull_request.head.sha }}
 
@@ -48,7 +48,7 @@ jobs:
       contents: write
     steps:
     - name: Git checkout
-      uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938  # v4.2.0
+      uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871  # v4.2.1
       with:
         submodules: true
         ref: ${{ github.event.pull_request.head.sha }}

.github/workflows/experimental_conformance.yaml

@@ -21,7 +21,7 @@ jobs:
       matrix:
         version: [ v1.28.13, v1.29.8, v1.30.4, v1.31.0 ]
     steps:
-    - uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938  # v4.2.0
+    - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871  # v4.2.1
     - uses: ./tools/github-actions/setup-deps
 
     # gateway api experimental conformance
@@ -33,7 +33,7 @@ jobs:
       run: make experimental-conformance
 
     - name: Upload Conformance Report
-      uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874  # v4.4.0
+      uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882  # v4.4.3
       with:
         name: conformance-report-k8s-${{ matrix.version }}
         path: ./test/conformance/conformance-report-k8s-${{ matrix.version }}.yaml

.github/workflows/latest_release.yaml

@@ -22,7 +22,7 @@ jobs:
   benchmark-test:
     runs-on: ubuntu-latest
     steps:
-    - uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938  # v4.2.0
+    - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871  # v4.2.1
     - uses: ./tools/github-actions/setup-deps
 
     - name: Setup Graphviz
@@ -46,7 +46,7 @@ jobs:
       run: cd test/benchmark && zip -r benchmark_report.zip benchmark_report
 
     - name: Upload Benchmark Report
-      uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874  # v4.4.0
+      uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882  # v4.4.3
       with:
         name: benchmark_report
         path: test/benchmark/benchmark_report.zip
@@ -57,7 +57,7 @@ jobs:
     permissions:
       contents: write
     steps:
-    - uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938  # v4.2.0
+    - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871  # v4.2.1
     - uses: ./tools/github-actions/setup-deps
 
     - name: Generate Release Manifests

.github/workflows/license-scan.yml

@@ -16,7 +16,7 @@ jobs:
     runs-on: ubuntu-22.04
     steps:
     - name: Checkout code
-      uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938  # v4.2.0
+      uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871  # v4.2.1
     - name: Run scanner
       uses: google/osv-scanner-action/osv-scanner-action@19ec1116569a47416e11a45848722b1af31a857b  # v1.9.0
       with:

.github/workflows/release.yaml

@@ -15,7 +15,7 @@ jobs:
   benchmark-test:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938  # v4.2.0
+      - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871  # v4.2.1
       - uses: ./tools/github-actions/setup-deps
 
       - name: Setup Graphviz
@@ -39,7 +39,7 @@ jobs:
         run: cd test/benchmark && zip -r benchmark_report.zip benchmark_report
 
       - name: Upload Benchmark Report
-        uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874  # v4.4.0
+        uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882  # v4.4.3
         with:
           name: benchmark_report
           path: test/benchmark/benchmark_report.zip
@@ -50,7 +50,7 @@ jobs:
     permissions:
       contents: write
     steps:
-      - uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938  # v4.2.0
+      - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871  # v4.2.1
 
       - name: Extract Release Tag and Commit SHA
         id: vars

.github/workflows/scorecard.yml

@@ -21,7 +21,7 @@ jobs:
 
     steps:
     - name: "Checkout code"
-      uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938  # v4.2.0
+      uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871  # v4.2.1
       with:
         persist-credentials: false
 
@@ -33,13 +33,13 @@ jobs:
         publish_results: true
 
     - name: "Upload artifact"
-      uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874  # v4.4.0
+      uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882  # v4.4.3
       with:
         name: SARIF file
         path: results.sarif
         retention-days: 5
 
     - name: "Upload to code-scanning"
-      uses: github/codeql-action/upload-sarif@6db8d6351fd0be61f9ed8ebd12ccd35dcec51fea  # v3.26.11
+      uses: github/codeql-action/upload-sarif@f779452ac5af1c261dce0346a8f964149f49322b  # v3.26.13
       with:
         sarif_file: results.sarif

.github/workflows/trivy.yml

@@ -18,14 +18,14 @@ jobs:
     runs-on: ubuntu-22.04
     steps:
     - name: Checkout code
-      uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938  # v4.2.0
+      uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871  # v4.2.1
 
     - name: Build an image from Dockerfile
       run: |
         IMAGE=envoy-proxy/gateway-dev TAG=${{ github.sha }} make image
 
     - name: Run Trivy vulnerability scanner
-      uses: aquasecurity/trivy-action@6e7b7d1fd3e4fef0c5fa8cce1229c54b2c9bd0d8  # v0.24.0
+      uses: aquasecurity/trivy-action@915b19bbe73b92a6cf82a1bc12b087c9a19a5fe2  # v0.28.0
       with:
         image-ref: envoy-proxy/gateway-dev:${{ github.sha }}
         exit-code: '1'

api/v1alpha1/accesslogging_types.go

@@ -37,7 +37,6 @@ type ProxyAccessLogSetting struct {
 	// If type is defined, the accesslog settings would apply to the relevant component (as-is).
 	// +kubebuilder:validation:Enum=Listener;Route
 	// +optional
-	// +notImplementedHide
 	Type *ProxyAccessLogType `json:"type,omitempty"`
 }
 

api/v1alpha1/backend_types.go

@@ -131,7 +131,6 @@ type BackendSpec struct {
 	// the health of the active backends falls below 72%.
 	//
 	// +optional
-	// +notImplementedHide
 	Fallback *bool `json:"fallback,omitempty"`
 }
 

api/v1alpha1/backendtrafficpolicy_types.go

@@ -74,7 +74,6 @@ type BackendTrafficPolicySpec struct {
 	// If multiple configurations are specified, the first one to match wins.
 	//
 	// +optional
-	// +notImplementedHide
 	ResponseOverride []*ResponseOverride `json:"responseOverride,omitempty"`
 }
 

api/v1alpha1/basic_auth_types.go

@@ -5,7 +5,9 @@
 
 package v1alpha1
 
-import gwapiv1b1 "sigs.k8s.io/gateway-api/apis/v1beta1"
+import (
+	gwapiv1 "sigs.k8s.io/gateway-api/apis/v1"
+)
 
 const BasicAuthUsersSecretKey = ".htpasswd"
 
@@ -23,5 +25,5 @@ type BasicAuth struct {
 	// for more details.
 	//
 	// Note: The secret must be in the same namespace as the SecurityPolicy.
-	Users gwapiv1b1.SecretObjectReference `json:"users"`
+	Users gwapiv1.SecretObjectReference `json:"users"`
 }

api/v1alpha1/connection_types.go

@@ -66,10 +66,9 @@ type BackendConnection struct {
 type ConnectionLimit struct {
 	// Value of the maximum concurrent connections limit.
 	// When the limit is reached, incoming connections will be closed after the CloseDelay duration.
-	// Default: unlimited.
 	//
-	// +kubebuilder:validation:Minimum=0
-	Value int64 `json:"value,omitempty"`
+	// +kubebuilder:validation:Minimum=1
+	Value int64 `json:"value"`
 
 	// CloseDelay defines the delay to use before closing connections that are rejected
 	// once the limit value is reached.

api/v1alpha1/envoygateway_helpers.go

@@ -241,6 +241,16 @@ func (r *EnvoyGatewayProvider) GetEnvoyGatewayKubeProvider() *EnvoyGatewayKubern
 	return r.Kubernetes
 }
 
+func (r *EnvoyGatewayProvider) IsRunningOnKubernetes() bool {
+	return r.Type == ProviderTypeKubernetes
+}
+
+func (r *EnvoyGatewayProvider) IsRunningOnHost() bool {
+	return r.Type == ProviderTypeCustom &&
+		r.Custom.Infrastructure != nil &&
+		r.Custom.Infrastructure.Type == InfrastructureProviderTypeHost
+}
+
 // DefaultEnvoyGatewayLoggingLevel returns a new EnvoyGatewayLogging with default configuration parameters.
 // When v1alpha1.LogComponentGatewayDefault specified, all other logging components are ignored.
 func (logging *EnvoyGatewayLogging) DefaultEnvoyGatewayLoggingLevel(level LogLevel) LogLevel {

api/v1alpha1/envoyproxy_types.go

@@ -124,6 +124,8 @@ type EnvoyProxySpec struct {
 	//
 	// - envoy.filters.http.ratelimit
 	//
+	// - envoy.filters.http.custom_response
+	//
 	// - envoy.filters.http.router
 	//
 	// Note: "envoy.filters.http.router" cannot be reordered, it's always the last filter in the chain.
@@ -174,7 +176,7 @@ type FilterPosition struct {
 }
 
 // EnvoyFilter defines the type of Envoy HTTP filter.
-// +kubebuilder:validation:Enum=envoy.filters.http.health_check;envoy.filters.http.fault;envoy.filters.http.cors;envoy.filters.http.ext_authz;envoy.filters.http.basic_auth;envoy.filters.http.oauth2;envoy.filters.http.jwt_authn;envoy.filters.http.stateful_session;envoy.filters.http.ext_proc;envoy.filters.http.wasm;envoy.filters.http.rbac;envoy.filters.http.local_ratelimit;envoy.filters.http.ratelimit
+// +kubebuilder:validation:Enum=envoy.filters.http.health_check;envoy.filters.http.fault;envoy.filters.http.cors;envoy.filters.http.ext_authz;envoy.filters.http.basic_auth;envoy.filters.http.oauth2;envoy.filters.http.jwt_authn;envoy.filters.http.stateful_session;envoy.filters.http.ext_proc;envoy.filters.http.wasm;envoy.filters.http.rbac;envoy.filters.http.local_ratelimit;envoy.filters.http.ratelimit;envoy.filters.http.custom_response
 type EnvoyFilter string
 
 const (
@@ -217,6 +219,9 @@ const (
 	// EnvoyFilterRateLimit defines the Envoy HTTP rate limit filter.
 	EnvoyFilterRateLimit EnvoyFilter = "envoy.filters.http.ratelimit"
 
+	// EnvoyFilterCustomResponse defines the Envoy HTTP custom response filter.
+	EnvoyFilterCustomResponse EnvoyFilter = "envoy.filters.http.custom_response"
+
 	// EnvoyFilterRouter defines the Envoy HTTP router filter.
 	EnvoyFilterRouter EnvoyFilter = "envoy.filters.http.router"
 )