[release/v1.4] cherry-pick for v1.4.3 (#6767)

* fix: don't block deployment creating when missing secret in EnvoyProxy (#6692)

* fix: don't block deployment creating when missing secret in EnvoyProxy

Signed-off-by: zirain <[email protected]>

* sort httpFilters on name if priority order is same (#6600)

* sort httpFilters on name if priority order is same

ensures stability across translations, mitigating listener drains
https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/listeners/listener_filters#filter-chain-only-update

Signed-off-by: Arko Dasgupta <[email protected]>
Signed-off-by: zirain <[email protected]>

* fix: add missing HTTP filters for HTTP3 listener (#6584)

* fix: add missing HTTP filters for HTTP3 listener

Signed-off-by: Huabing (Robin) Zhao <[email protected]>
Signed-off-by: zirain <[email protected]>

* fix: use per-route configuration for session persistence to avoid listener drain (#6580)

use per-route configuration for session persistence to avoid listener darin

Signed-off-by: Huabing (Robin) Zhao <[email protected]>
Signed-off-by: zirain <[email protected]>

* Fix EEP CEL Validations around FullDuplexStreamed and FailOpen (#6560)

* Fix EEP CEL Validations around FullDuplexStreamed and FailOpen

Fixes: #6559

Signed-off-by: Arko Dasgupta <[email protected]>
Signed-off-by: zirain <[email protected]>

---------

Signed-off-by: zirain <[email protected]>
Signed-off-by: Arko Dasgupta <[email protected]>
Signed-off-by: Huabing (Robin) Zhao <[email protected]>
Co-authored-by: Arko Dasgupta <[email protected]>
Co-authored-by: Huabing (Robin) Zhao <[email protected]>

Author: 3 people

api/v1alpha1/ext_proc_types.go

@@ -68,7 +68,7 @@ type ExtProcProcessingMode struct {
 // +kubebuilder:validation:XValidation:message="BackendRefs must be used, backendRef is not supported.",rule="!has(self.backendRef)"
 // +kubebuilder:validation:XValidation:message="BackendRefs only supports Service and Backend kind.",rule="has(self.backendRefs) ? self.backendRefs.all(f, f.kind == 'Service' || f.kind == 'Backend') : true"
 // +kubebuilder:validation:XValidation:message="BackendRefs only supports Core and gateway.envoyproxy.io group.",rule="has(self.backendRefs) ? (self.backendRefs.all(f, f.group == \"\" || f.group == 'gateway.envoyproxy.io')) : true"
-// +kubebuilder:validation:XValidation:message="If FullDuplexStreamed body processing mode is used, FailOpen must be false.",rule="!(has(self.failOpen) && self.failOpen == true && ((has(self.processingMode.request.body) && self.processingMode.request.body == 'FullDuplexStreamed') || (has(self.processingMode.response.body) && self.processingMode.response.body == 'FullDuplexStreamed')))"
+// +kubebuilder:validation:XValidation:message="If FullDuplexStreamed body processing mode is used, FailOpen must be false.",rule="!(has(self.failOpen) && self.failOpen == true && has(self.processingMode) && ((has(self.processingMode.request) && has(self.processingMode.request.body) && self.processingMode.request.body == 'FullDuplexStreamed') || (has(self.processingMode.response) && has(self.processingMode.response.body) && self.processingMode.response.body == 'FullDuplexStreamed')))"
 type ExtProc struct {
 	BackendCluster `json:",inline"`
 

charts/gateway-crds-helm/templates/generated/gateway.envoyproxy.io_envoyextensionpolicies.yaml

@@ -1044,10 +1044,11 @@ spec:
                       == "" || f.group == ''gateway.envoyproxy.io'')) : true'
                   - message: If FullDuplexStreamed body processing mode is used, FailOpen
                       must be false.
-                    rule: '!(has(self.failOpen) && self.failOpen == true && ((has(self.processingMode.request.body)
+                    rule: '!(has(self.failOpen) && self.failOpen == true && has(self.processingMode)
+                      && ((has(self.processingMode.request) && has(self.processingMode.request.body)
                       && self.processingMode.request.body == ''FullDuplexStreamed'')
-                      || (has(self.processingMode.response.body) && self.processingMode.response.body
-                      == ''FullDuplexStreamed'')))'
+                      || (has(self.processingMode.response) && has(self.processingMode.response.body)
+                      && self.processingMode.response.body == ''FullDuplexStreamed'')))'
                 maxItems: 16
                 type: array
               lua:

charts/gateway-helm/crds/generated/gateway.envoyproxy.io_envoyextensionpolicies.yaml

@@ -1043,10 +1043,11 @@ spec:
                       == "" || f.group == ''gateway.envoyproxy.io'')) : true'
                   - message: If FullDuplexStreamed body processing mode is used, FailOpen
                       must be false.
-                    rule: '!(has(self.failOpen) && self.failOpen == true && ((has(self.processingMode.request.body)
+                    rule: '!(has(self.failOpen) && self.failOpen == true && has(self.processingMode)
+                      && ((has(self.processingMode.request) && has(self.processingMode.request.body)
                       && self.processingMode.request.body == ''FullDuplexStreamed'')
-                      || (has(self.processingMode.response.body) && self.processingMode.response.body
-                      == ''FullDuplexStreamed'')))'
+                      || (has(self.processingMode.response) && has(self.processingMode.response.body)
+                      && self.processingMode.response.body == ''FullDuplexStreamed'')))'
                 maxItems: 16
                 type: array
               lua:

internal/cmd/egctl/testdata/translate/out/default-resources.all.yaml

@@ -1176,14 +1176,14 @@ xds:
                     initialStreamWindowSize: 65536
                     maxConcurrentStreams: 100
                   httpFilters:
-                  - name: envoy.filters.http.grpc_web
-                    typedConfig:
-                      '@type': type.googleapis.com/envoy.extensions.filters.http.grpc_web.v3.GrpcWeb
                   - name: envoy.filters.http.grpc_stats
                     typedConfig:
                       '@type': type.googleapis.com/envoy.extensions.filters.http.grpc_stats.v3.FilterConfig
                       emitFilterState: true
                       statsForAllMethods: true
+                  - name: envoy.filters.http.grpc_web
+                    typedConfig:
+                      '@type': type.googleapis.com/envoy.extensions.filters.http.grpc_web.v3.GrpcWeb
                   - name: envoy.filters.http.router
                     typedConfig:
                       '@type': type.googleapis.com/envoy.extensions.filters.http.router.v3.Router

internal/cmd/egctl/testdata/translate/out/from-gateway-api-to-xds.all.json

@@ -953,12 +953,6 @@
                             "maxConcurrentStreams": 100
                           },
                           "httpFilters": [
-                            {
-                              "name": "envoy.filters.http.grpc_web",
-                              "typedConfig": {
-                                "@type": "type.googleapis.com/envoy.extensions.filters.http.grpc_web.v3.GrpcWeb"
-                              }
-                            },
                             {
                               "name": "envoy.filters.http.grpc_stats",
                               "typedConfig": {
@@ -967,6 +961,12 @@
                                 "statsForAllMethods": true
                               }
                             },
+                            {
+                              "name": "envoy.filters.http.grpc_web",
+                              "typedConfig": {
+                                "@type": "type.googleapis.com/envoy.extensions.filters.http.grpc_web.v3.GrpcWeb"
+                              }
+                            },
                             {
                               "name": "envoy.filters.http.router",
                               "typedConfig": {

internal/cmd/egctl/testdata/translate/out/from-gateway-api-to-xds.all.yaml

@@ -593,14 +593,14 @@ xds:
                     initialStreamWindowSize: 65536
                     maxConcurrentStreams: 100
                   httpFilters:
-                  - name: envoy.filters.http.grpc_web
-                    typedConfig:
-                      '@type': type.googleapis.com/envoy.extensions.filters.http.grpc_web.v3.GrpcWeb
                   - name: envoy.filters.http.grpc_stats
                     typedConfig:
                       '@type': type.googleapis.com/envoy.extensions.filters.http.grpc_stats.v3.FilterConfig
                       emitFilterState: true
                       statsForAllMethods: true
+                  - name: envoy.filters.http.grpc_web
+                    typedConfig:
+                      '@type': type.googleapis.com/envoy.extensions.filters.http.grpc_web.v3.GrpcWeb
                   - name: envoy.filters.http.router
                     typedConfig:
                       '@type': type.googleapis.com/envoy.extensions.filters.http.router.v3.Router

internal/cmd/egctl/testdata/translate/out/from-gateway-api-to-xds.listener.yaml

@@ -229,14 +229,14 @@ xds:
                   initialStreamWindowSize: 65536
                   maxConcurrentStreams: 100
                 httpFilters:
-                - name: envoy.filters.http.grpc_web
-                  typedConfig:
-                    '@type': type.googleapis.com/envoy.extensions.filters.http.grpc_web.v3.GrpcWeb
                 - name: envoy.filters.http.grpc_stats
                   typedConfig:
                     '@type': type.googleapis.com/envoy.extensions.filters.http.grpc_stats.v3.FilterConfig
                     emitFilterState: true
                     statsForAllMethods: true
+                - name: envoy.filters.http.grpc_web
+                  typedConfig:
+                    '@type': type.googleapis.com/envoy.extensions.filters.http.grpc_web.v3.GrpcWeb
                 - name: envoy.filters.http.router
                   typedConfig:
                     '@type': type.googleapis.com/envoy.extensions.filters.http.router.v3.Router

internal/gatewayapi/testdata/backend-tls-settings-invalid.in.yaml

@@ -0,0 +1,157 @@
+envoyProxyForGatewayClass:
+  apiVersion: gateway.envoyproxy.io/v1alpha1
+  kind: EnvoyProxy
+  metadata:
+    namespace: envoy-gateway-system
+    name: test
+  spec:
+    backendTLS:
+      clientCertificateRef:
+        group: ""
+        kind: Secret
+        namespace: envoy-gateway-system
+        name: client-auth
+      ciphers:
+        - ECDHE-RSA-AES128-GCM-SHA256
+        - ECDHE-ECDSA-AES256-GCM-SHA384
+      ecdhCurves:
+        - ECDHE-RSA-AES128-GCM-SHA256
+        - ECDHE-ECDSA-AES256-GCM-SHA384
+      maxVersion: tls1.3
+      minVersion: tls1.2
+      SignatureAlgorithms:
+        - RSA-PSS-RSAE-SHA256
+        - ECDSA-SECP256R1-SHA256
+      alpnProtocols:
+        - HTTP/1.1
+        - HTTP/2
+
+gateways:
+  - apiVersion: gateway.networking.k8s.io/v1
+    kind: Gateway
+    metadata:
+      namespace: envoy-gateway
+      name: gateway-1
+    spec:
+      gatewayClassName: envoy-gateway-class
+      listeners:
+        - name: http
+          protocol: HTTP
+          port: 80
+          allowedRoutes:
+            namespaces:
+              from: All
+httpRoutes:
+  - apiVersion: gateway.networking.k8s.io/v1
+    kind: HTTPRoute
+    metadata:
+      namespace: default
+      name: httproute-1
+    spec:
+      parentRefs:
+        - namespace: envoy-gateway
+          name: gateway-1
+      rules:
+        - matches:
+            - path:
+                value: "/"
+          backendRefs:
+            - group: gateway.envoyproxy.io
+              kind: Backend
+              name: backend-1
+  - apiVersion: gateway.networking.k8s.io/v1
+    kind: HTTPRoute
+    metadata:
+      namespace: default
+      name: httproute-2
+    spec:
+      parentRefs:
+        - namespace: envoy-gateway
+          name: gateway-1
+      rules:
+        - matches:
+            - path:
+                value: "/"
+          backendRefs:
+            - group: gateway.envoyproxy.io
+              kind: Backend
+              name: backend-2
+
+configMaps:
+  - apiVersion: v1
+    kind: ConfigMap
+    metadata:
+      name: ca-cmap
+      namespace: default
+    data:
+      ca.crt: |
+        -----BEGIN CERTIFICATE-----
+        MIIDJzCCAg+gAwIBAgIUAl6UKIuKmzte81cllz5PfdN2IlIwDQYJKoZIhvcNAQEL
+        BQAwIzEQMA4GA1UEAwwHbXljaWVudDEPMA0GA1UECgwGa3ViZWRiMB4XDTIzMTAw
+        MjA1NDE1N1oXDTI0MTAwMTA1NDE1N1owIzEQMA4GA1UEAwwHbXljaWVudDEPMA0G
+        A1UECgwGa3ViZWRiMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAwSTc
+        1yj8HW62nynkFbXo4VXKv2jC0PM7dPVky87FweZcTKLoWQVPQE2p2kLDK6OEszmM
+        yyr+xxWtyiveremrWqnKkNTYhLfYPhgQkczib7eUalmFjUbhWdLvHakbEgCodn3b
+        kz57mInX2VpiDOKg4kyHfiuXWpiBqrCx0KNLpxo3DEQcFcsQTeTHzh4752GV04RU
+        Ti/GEWyzIsl4Rg7tGtAwmcIPgUNUfY2Q390FGqdH4ahn+mw/6aFbW31W63d9YJVq
+        ioyOVcaMIpM5B/c7Qc8SuhCI1YGhUyg4cRHLEw5VtikioyE3X04kna3jQAj54YbR
+        bpEhc35apKLB21HOUQIDAQABo1MwUTAdBgNVHQ4EFgQUyvl0VI5vJVSuYFXu7B48
+        6PbMEAowHwYDVR0jBBgwFoAUyvl0VI5vJVSuYFXu7B486PbMEAowDwYDVR0TAQH/
+        BAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEAMLxrgFVMuNRq2wAwcBt7SnNR5Cfz
+        2MvXq5EUmuawIUi9kaYjwdViDREGSjk7JW17vl576HjDkdfRwi4E28SydRInZf6J
+        i8HZcZ7caH6DxR335fgHVzLi5NiTce/OjNBQzQ2MJXVDd8DBmG5fyatJiOJQ4bWE
+        A7FlP0RdP3CO3GWE0M5iXOB2m1qWkE2eyO4UHvwTqNQLdrdAXgDQlbam9e4BG3Gg
+        d/6thAkWDbt/QNT+EJHDCvhDRKh1RuGHyg+Y+/nebTWWrFWsktRrbOoHCZiCpXI1
+        3eXE6nt0YkgtDxG22KqnhpAg9gUSs2hlhoxyvkzyF0mu6NhPlwAgnq7+/Q==
+        -----END CERTIFICATE-----
+backendTLSPolicies:
+  - apiVersion: gateway.networking.k8s.io/v1alpha3
+    kind: BackendTLSPolicy
+    metadata:
+      name: policy-btls-for-backend-1
+      namespace: default
+    spec:
+      targetRefs:
+        - group: gateway.envoyproxy.io
+          kind: Backend
+          name: backend-1
+      validation:
+        caCertificateRefs:
+          - kind: ConfigMap
+            group: ""
+            name: ca-cmap
+        hostname: example.com
+        subjectAltNames:
+          - type: URI
+            uri: spiffe://cluster.local/ns/istio-demo/sa/echo-v1
+          - type: Hostname
+            hostname: subdomain.secondexample.com
+
+backends:
+  - apiVersion: gateway.envoyproxy.io/v1alpha1
+    kind: Backend
+    metadata:
+      name: backend-1
+      namespace: default
+    spec:
+      # the BackendTLSPolicy should override the one from Backend
+      # the generated ir tls settings should contain the tls settings from Backend, BackendTLSPolicy and EnvoyProxy
+      tls:
+        caCertificateRefs:
+          - name: ca-cmap
+            group: ""
+            kind: ConfigMap
+      endpoints:
+        - ip:
+            address: 1.1.1.1
+            port: 3001
+  - apiVersion: gateway.envoyproxy.io/v1alpha1
+    kind: Backend
+    metadata:
+      name: backend-2
+      namespace: default
+    spec:
+      endpoints:
+        - ip:
+            address: 2.2.2.2
+            port: 3001