Merge remote-tracking branch 'upstream/main' into add-hpa-helm-chart

charts/gateway-helm/README.md

@@ -60,9 +60,7 @@ To uninstall the chart:
 | Key | Type | Default | Description |
 |-----|------|---------|-------------|
 | certgen | object | `{"job":{"affinity":{},"annotations":{},"args":[],"nodeSelector":{},"resources":{},"securityContext":{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"privileged":false,"readOnlyRootFilesystem":true,"runAsGroup":65534,"runAsNonRoot":true,"runAsUser":65534,"seccompProfile":{"type":"RuntimeDefault"}},"tolerations":[],"ttlSecondsAfterFinished":30},"rbac":{"annotations":{},"labels":{}}}` | Certgen is used to generate the certificates required by EnvoyGateway. If you want to construct a custom certificate, you can generate a custom certificate through Cert-Manager before installing EnvoyGateway. Certgen will not overwrite the custom certificate. Please do not manually modify `values.yaml` to disable certgen, it may cause EnvoyGateway OIDC,OAuth2,etc. to not work as expected. |
-| config.envoyGateway.gateway.controllerName | string | `"gateway.envoyproxy.io/gatewayclass-controller"` |  |
-| config.envoyGateway.logging.level.default | string | `"info"` |  |
-| config.envoyGateway.provider.type | string | `"Kubernetes"` |  |
+| config.envoyGateway | object | `{"gateway":{"controllerName":"gateway.envoyproxy.io/gatewayclass-controller"},"logging":{"level":{"default":"info"}},"provider":{"type":"Kubernetes"}}` | EnvoyGateway configuration. Visit https://gateway.envoyproxy.io/docs/api/extension_types/#envoygateway to view all options. |
 | createNamespace | bool | `false` |  |
 | deployment.envoyGateway.image.repository | string | `""` |  |
 | deployment.envoyGateway.image.tag | string | `""` |  |

charts/gateway-helm/values.tmpl.yaml

@@ -82,6 +82,7 @@ hpa:
   behavior: {}
 
 config:
+# -- EnvoyGateway configuration. Visit https://gateway.envoyproxy.io/docs/api/extension_types/#envoygateway to view all options.
   envoyGateway:
     gateway:
       controllerName: gateway.envoyproxy.io/gatewayclass-controller

examples/envoy-als/main.go

@@ -18,20 +18,17 @@ import (
 	"google.golang.org/grpc"
 )
 
-var (
-	LogCount = prometheus.NewCounterVec(prometheus.CounterOpts{
-		Name: "log_count",
-		Help: "The total number of logs received.",
-	}, []string{"api_version"})
-)
+var LogCount = prometheus.NewCounterVec(prometheus.CounterOpts{
+	Name: "log_count",
+	Help: "The total number of logs received.",
+}, []string{"api_version"})
 
 func init() {
 	// Register the summary and the histogram with Prometheus's default registry.
 	prometheus.MustRegister(LogCount)
 }
 
-type ALSServer struct {
-}
+type ALSServer struct{}
 
 func (a *ALSServer) StreamAccessLogs(logStream alsv2.AccessLogService_StreamAccessLogsServer) error {
 	log.Println("Streaming als v2 logs")
@@ -50,8 +47,7 @@ func (a *ALSServer) StreamAccessLogs(logStream alsv2.AccessLogService_StreamAcce
 	}
 }
 
-type ALSServerV3 struct {
-}
+type ALSServerV3 struct{}
 
 func (a *ALSServerV3) StreamAccessLogs(logStream alsv3.AccessLogService_StreamAccessLogsServer) error {
 	log.Println("Streaming als v3 logs")

examples/grpc-ext-auth/main.go

@@ -83,7 +83,8 @@ func NewAuthServer(users Users) envoy_service_auth_v3.AuthorizationServer {
 // attributes associated with the incoming request.
 func (s *authServer) Check(
 	_ context.Context,
-	req *envoy_service_auth_v3.CheckRequest) (*envoy_service_auth_v3.CheckResponse, error) {
+	req *envoy_service_auth_v3.CheckRequest,
+) (*envoy_service_auth_v3.CheckResponse, error) {
 	authorization := req.Attributes.Request.Http.Headers["authorization"]
 	log.Println(authorization)
 

examples/grpc-ext-proc/main.go

@@ -74,7 +74,7 @@ func main() {
 		log.Fatalf("failed to listen: %v", err)
 	}
 
-	err = os.Chmod(udsAddr, 0700)
+	err = os.Chmod(udsAddr, 0o700)
 	if err != nil {
 		log.Fatalf("failed to set permissions: %v", err)
 	}

site/content/en/latest/install/gateway-helm-api.md

@@ -24,9 +24,7 @@ The Helm chart for Envoy Gateway
 | Key | Type | Default | Description |
 |-----|------|---------|-------------|
 | certgen | object | `{"job":{"affinity":{},"annotations":{},"args":[],"nodeSelector":{},"resources":{},"securityContext":{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"privileged":false,"readOnlyRootFilesystem":true,"runAsGroup":65534,"runAsNonRoot":true,"runAsUser":65534,"seccompProfile":{"type":"RuntimeDefault"}},"tolerations":[],"ttlSecondsAfterFinished":30},"rbac":{"annotations":{},"labels":{}}}` | Certgen is used to generate the certificates required by EnvoyGateway. If you want to construct a custom certificate, you can generate a custom certificate through Cert-Manager before installing EnvoyGateway. Certgen will not overwrite the custom certificate. Please do not manually modify `values.yaml` to disable certgen, it may cause EnvoyGateway OIDC,OAuth2,etc. to not work as expected. |
-| config.envoyGateway.gateway.controllerName | string | `"gateway.envoyproxy.io/gatewayclass-controller"` |  |
-| config.envoyGateway.logging.level.default | string | `"info"` |  |
-| config.envoyGateway.provider.type | string | `"Kubernetes"` |  |
+| config.envoyGateway | object | `{"gateway":{"controllerName":"gateway.envoyproxy.io/gatewayclass-controller"},"logging":{"level":{"default":"info"}},"provider":{"type":"Kubernetes"}}` | EnvoyGateway configuration. Visit https://gateway.envoyproxy.io/docs/api/extension_types/#envoygateway to view all options. |
 | createNamespace | bool | `false` |  |
 | deployment.envoyGateway.image.repository | string | `""` |  |
 | deployment.envoyGateway.image.tag | string | `""` |  |

site/content/zh/latest/install/gateway-helm-api.md

@@ -24,9 +24,7 @@ The Helm chart for Envoy Gateway
 | Key | Type | Default | Description |
 |-----|------|---------|-------------|
 | certgen | object | `{"job":{"affinity":{},"annotations":{},"args":[],"nodeSelector":{},"resources":{},"securityContext":{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"privileged":false,"readOnlyRootFilesystem":true,"runAsGroup":65534,"runAsNonRoot":true,"runAsUser":65534,"seccompProfile":{"type":"RuntimeDefault"}},"tolerations":[],"ttlSecondsAfterFinished":30},"rbac":{"annotations":{},"labels":{}}}` | Certgen is used to generate the certificates required by EnvoyGateway. If you want to construct a custom certificate, you can generate a custom certificate through Cert-Manager before installing EnvoyGateway. Certgen will not overwrite the custom certificate. Please do not manually modify `values.yaml` to disable certgen, it may cause EnvoyGateway OIDC,OAuth2,etc. to not work as expected. |
-| config.envoyGateway.gateway.controllerName | string | `"gateway.envoyproxy.io/gatewayclass-controller"` |  |
-| config.envoyGateway.logging.level.default | string | `"info"` |  |
-| config.envoyGateway.provider.type | string | `"Kubernetes"` |  |
+| config.envoyGateway | object | `{"gateway":{"controllerName":"gateway.envoyproxy.io/gatewayclass-controller"},"logging":{"level":{"default":"info"}},"provider":{"type":"Kubernetes"}}` | EnvoyGateway configuration. Visit https://gateway.envoyproxy.io/docs/api/extension_types/#envoygateway to view all options. |
 | createNamespace | bool | `false` |  |
 | deployment.envoyGateway.image.repository | string | `""` |  |
 | deployment.envoyGateway.image.tag | string | `""` |  |

site/data/adopters.yaml

@@ -27,3 +27,7 @@ adopters:
     logo: "/logos/titan.svg"
     url: "https://www.titan.email"
     description: "Titan uses Envoy Gateway to enhance observability and centralize security for its Kubernetes services, managing critical policies like rate limiting, IP blocking, and access controls—freeing developers from the burden of handling service security."
+  - name: "CoactiveAI"
+    logo: "/logos/coactive.svg"
+    url: "https://www.coactive.ai/"
+    description: "CoactiveAI is advancing multimodal content search and analytics at scale, and relies on envoy gateway to simplify self-service routing, consistent API authentication, request modification, safe rollouts with traffic splitting, and request mirroring for data consistency over split deployments."

test/e2e/testdata/backend-panic-threshold.yaml

@@ -0,0 +1,39 @@
+apiVersion: gateway.envoyproxy.io/v1alpha1
+kind: BackendTrafficPolicy
+metadata:
+  name: panic-threshold-pass-btp
+  namespace: gateway-conformance-infra
+spec:
+  targetRefs:
+    - group: gateway.networking.k8s.io
+      kind: HTTPRoute
+      name: http-with-panic-threshold-pass
+  healthCheck:
+    panicThreshold: 40
+    active:
+      timeout: 3s
+      interval: 5s
+      unhealthyThreshold: 2
+      healthyThreshold: 1
+      type: HTTP
+      http:
+        path: "/status/418"
+        expectedStatuses:
+          - 200
+---
+apiVersion: gateway.networking.k8s.io/v1
+kind: HTTPRoute
+metadata:
+  name: http-with-panic-threshold-pass
+  namespace: gateway-conformance-infra
+spec:
+  parentRefs:
+    - name: same-namespace
+  rules:
+    - matches:
+        - path:
+            type: PathPrefix
+            value: /ping
+      backendRefs:
+        - name: infra-backend-v1
+          port: 8080

test/e2e/tests/backend_panic_threshold.go

@@ -0,0 +1,129 @@
+// Copyright Envoy Gateway Authors
+// SPDX-License-Identifier: Apache-2.0
+// The full text of the Apache license is available in the LICENSE file at
+// the root of the repo.
+
+//go:build e2e
+
+package tests
+
+import (
+	"context"
+	"fmt"
+	"testing"
+	"time"
+
+	"github.com/stretchr/testify/require"
+	"k8s.io/apimachinery/pkg/types"
+	gwapiv1 "sigs.k8s.io/gateway-api/apis/v1"
+	gwapiv1a2 "sigs.k8s.io/gateway-api/apis/v1alpha2"
+	"sigs.k8s.io/gateway-api/conformance/utils/http"
+	"sigs.k8s.io/gateway-api/conformance/utils/kubernetes"
+	"sigs.k8s.io/gateway-api/conformance/utils/suite"
+	"sigs.k8s.io/gateway-api/conformance/utils/tlog"
+
+	"github.com/envoyproxy/gateway/internal/gatewayapi"
+	"github.com/envoyproxy/gateway/internal/gatewayapi/resource"
+	"github.com/envoyproxy/gateway/test/utils/prometheus"
+)
+
+func init() {
+	ConformanceTests = append(ConformanceTests, BackendPanicThresholdHTTPTest)
+}
+
+var BackendPanicThresholdHTTPTest = suite.ConformanceTest{
+	ShortName:   "BackendPanicThresholdHTTPTest",
+	Description: "Resource with BackendPanicThreshold enabled",
+	Manifests:   []string{"testdata/backend-panic-threshold.yaml"},
+	Test: func(t *testing.T, suite *suite.ConformanceTestSuite) {
+		t.Run("active http", func(t *testing.T) {
+			ctx := context.Background()
+			ns := "gateway-conformance-infra"
+			passRouteNN := types.NamespacedName{Name: "http-with-panic-threshold-pass", Namespace: ns}
+			gwNN := types.NamespacedName{Name: "same-namespace", Namespace: ns}
+			gwAddr := kubernetes.GatewayAndHTTPRoutesMustBeAccepted(t, suite.Client, suite.TimeoutConfig, suite.ControllerName, kubernetes.NewGatewayRef(gwNN), passRouteNN)
+
+			ancestorRef := gwapiv1a2.ParentReference{
+				Group:     gatewayapi.GroupPtr(gwapiv1.GroupName),
+				Kind:      gatewayapi.KindPtr(resource.KindGateway),
+				Namespace: gatewayapi.NamespacePtr(gwNN.Namespace),
+				Name:      gwapiv1.ObjectName(gwNN.Name),
+			}
+			BackendTrafficPolicyMustBeAccepted(t, suite.Client, types.NamespacedName{Name: "panic-threshold-pass-btp", Namespace: ns}, suite.ControllerName, ancestorRef)
+
+			promClient, err := prometheus.NewClient(suite.Client,
+				types.NamespacedName{Name: "prometheus", Namespace: "monitoring"},
+			)
+			require.NoError(t, err)
+
+			passClusterName := fmt.Sprintf("httproute/%s/%s/rule/0", ns, passRouteNN.Name)
+			gtwName := "same-namespace"
+
+			// health check requests will be distributed to the cluster with configured path.
+			// we can use envoy_cluster_health_check_failure stats to ensure HC requests have failed.
+			hcFailPromQL := fmt.Sprintf(`envoy_cluster_health_check_failure{envoy_cluster_name="%s",gateway_envoyproxy_io_owning_gateway_name="%s"}`, passClusterName, gtwName)
+
+			http.AwaitConvergence(
+				t,
+				suite.TimeoutConfig.RequiredConsecutiveSuccesses,
+				suite.TimeoutConfig.MaxTimeToConsistency,
+				func(_ time.Duration) bool {
+					// check hc failure stats from Prometheus
+					v, err := promClient.QuerySum(ctx, hcFailPromQL)
+					if err != nil {
+						// wait until Prometheus sync stats
+						return false
+					}
+					tlog.Logf(t, "cluster fail health check: failure stats query count: %v", v)
+
+					if v == 0 {
+						t.Error("failure is not same as expected")
+					} else {
+						t.Log("failure is same as expected")
+					}
+
+					return true
+				},
+			)
+
+			t.Run("probes succeed with failed HC due to panic mode", func(t *testing.T) {
+				expectedResponse := http.ExpectedResponse{
+					Request: http.Request{
+						Path: "/ping",
+					},
+					Response: http.Response{
+						StatusCode: 200,
+					},
+					Namespace: ns,
+				}
+
+				http.MakeRequestAndExpectEventuallyConsistentResponse(t, suite.RoundTripper, suite.TimeoutConfig, gwAddr, expectedResponse)
+			})
+
+			panicModePromQL := fmt.Sprintf(`envoy_cluster_lb_healthy_panic{envoy_cluster_name="%s",gateway_envoyproxy_io_owning_gateway_name="%s"}`, passClusterName, gtwName)
+
+			http.AwaitConvergence(
+				t,
+				suite.TimeoutConfig.RequiredConsecutiveSuccesses,
+				suite.TimeoutConfig.MaxTimeToConsistency,
+				func(_ time.Duration) bool {
+					// check panic mode stats from Prometheus
+					v, err := promClient.QuerySum(ctx, panicModePromQL)
+					if err != nil {
+						// wait until Prometheus sync stats
+						return false
+					}
+					tlog.Logf(t, "cluster lb in panic mode: stats query count: %v", v)
+
+					if v == 0 {
+						t.Error("failure is not same as expected")
+					} else {
+						t.Log("failure is same as expected")
+					}
+
+					return true
+				},
+			)
+		})
+	},
+}

test/resilience/suite/flags.go

@@ -9,6 +9,4 @@ package suite
 
 import "flag"
 
-var (
-	ReportSaveDir = flag.String("report-save-dir", "benchmark_report", "The dir where to save the benchmark test report.")
-)
+var ReportSaveDir = flag.String("report-save-dir", "benchmark_report", "The dir where to save the benchmark test report.")

test/resilience/suite/suite.go

@@ -9,16 +9,17 @@ package suite
 
 import (
 	"context"
-	"github.com/envoyproxy/gateway/test/utils/kubernetes"
 	"io/fs"
-	"sigs.k8s.io/gateway-api/conformance/utils/roundtripper"
 	"testing"
 	"time"
 
-	opt "github.com/envoyproxy/gateway/internal/cmd/options"
-	kube "github.com/envoyproxy/gateway/internal/kubernetes"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 	"sigs.k8s.io/gateway-api/conformance/utils/config"
+	"sigs.k8s.io/gateway-api/conformance/utils/roundtripper"
+
+	opt "github.com/envoyproxy/gateway/internal/cmd/options"
+	kube "github.com/envoyproxy/gateway/internal/kubernetes"
+	"github.com/envoyproxy/gateway/test/utils/kubernetes"
 )
 
 const (
@@ -50,9 +51,7 @@ type ResilienceTestSuite struct {
 }
 
 func NewResilienceTestSuite(client client.Client, reportDir string, manifestFS []fs.FS, gcn string) (*ResilienceTestSuite, error) {
-	var (
-		timeoutConfig = config.TimeoutConfig{}
-	)
+	timeoutConfig := config.TimeoutConfig{}
 
 	// Reset some timeout config for the benchmark test.
 	config.SetupTimeoutConfig(&timeoutConfig)
@@ -84,8 +83,7 @@ func (rts *ResilienceTestSuite) WithResCleanUp(ctx context.Context, t *testing.T
 	res, err := f()
 	t.Cleanup(func() {
 		t.Logf("Start to cleanup resilsence test resources")
-		if deleteErr := rts.Client.Delete(ctx, res); deleteErr != nil {
-		}
+		_ = rts.Client.Delete(ctx, res)
 
 		t.Logf("Clean up complete!")
 	})
@@ -107,8 +105,7 @@ func (rts *ResilienceTestSuite) Run(t *testing.T, tests []ResilienceTest) {
 func (rts *ResilienceTestSuite) RegisterCleanup(t *testing.T, ctx context.Context, object client.Object) {
 	t.Cleanup(func() {
 		t.Logf("Start to cleanup resilsence test resources")
-		if deleteErr := rts.Client.Delete(ctx, object); deleteErr != nil {
-		}
+		_ = rts.Client.Delete(ctx, object)
 
 		t.Logf("Clean up complete!")
 	})

test/resilience/tests/envoygateway.go

@@ -48,7 +48,7 @@ var EGResilience = suite.ResilienceTest{
 		}
 		ap.MustApplyWithCleanup(t, suite.Client, suite.TimeoutConfig, "testdata/base.yaml", true)
 
-		//this test will fail until https://github.com/envoyproxy/gateway/pull/4767/files is merged
+		// this test will fail until https://github.com/envoyproxy/gateway/pull/4767/files is merged
 		t.Run("Secondary EnvoyGateway instances can serve an up to date xDS", func(t *testing.T) {
 			ctx := context.Background()
 			t.Log("Scaling down the deployment to 0 replicas")

tools/make/lint.mk

@@ -5,7 +5,7 @@
 ##@ Lint
 
 GITHUB_ACTION ?=
-LINT_BUILD_TAGS ?= e2e,celvalidation,conformance,experimental,benchmark
+LINT_BUILD_TAGS ?= e2e,celvalidation,conformance,experimental,benchmark,resilience
 
 .PHONY: lint
 lint: ## Run all linter of code sources, including golint, yamllint, whitenoise lint and codespell.