Merge branch 'main' into egctl-1

envoyproxy · Feb 15, 2023 · 147568f · 147568f
2 parents 73d100b + 4262398
commit 147568f
Show file tree

Hide file tree

Showing 52 changed files with 230 additions and 262 deletions.
diff --git a/api/v1alpha1/ratelimitfilter_types.go b/api/v1alpha1/ratelimitfilter_types.go
@@ -97,6 +97,12 @@ type RateLimitSelectCondition struct {
 	// +optional
 	// +kubebuilder:validation:MaxItems=16
 	Headers []HeaderMatch `json:"headers,omitempty"`
+
+	// SourceIP is the IP CIDR that represents the range of Source IP Addresses of the client.
+	// These could also be the intermediate addresses through which the request has flown through and is part of the  `X-Forwarded-For` header.
+	// For example, `192.168.0.1/32`, `192.168.0.0/24`, `001:db8::/64`.
+	// +optional
+	SourceIP *string `json:"sourceIP,omitempty"`
 }
 
 // HeaderMatch defines the match attributes within the HTTP Headers of the request.

diff --git a/api/v1alpha1/zz_generated.deepcopy.go b/api/v1alpha1/zz_generated.deepcopy.go
diff --git a/docs/latest/design/ratelimit.md b/docs/latest/design/ratelimit.md
@@ -165,6 +165,51 @@ spec:
       port: 3000
 ```
 
+### Rate limit per source IP
+
+* Here is an example of a rate limit implemented by the application developer that limits the total requests made
+to a specific route by matching on source IP. In this case, requests from `x.x.x.x` will be rate limited at 10 requests/hour.
+
+```yaml
+apiVersion: gateway.envoyproxy.io/v1alpha1
+kind: RateLimitFilter
+metadata:
+  name: ratelimit-per-ip
+spec:
+  type: Global
+  global:
+    rules:
+    - clientSelectors:
+      - sourceIP: x.x.x.x/32
+      limit:
+        requests: 10
+        unit: Hour
+---
+apiVersion: gateway.networking.k8s.io/v1beta1
+kind: HTTPRoute
+metadata:
+  name: example
+spec:
+  parentRefs:
+  - name: eg
+  hostnames:
+  - www.example.com
+  rules:
+  - matches:
+    - path:
+        type: PathPrefix
+        value: /foo
+    filters:
+    - type: ExtensionRef
+      extensionRef:
+        group: gateway.envoyproxy.io
+        kind: RateLimitFilter
+        name: ratelimit-per-user 
+    backendRefs:
+    - name: backend
+      port: 3000
+```
+
 ## Multiple RateLimitFilters, rules and clientSelectors
 * Users can create multiple `RateLimitFilter`s and apply it to the same `HTTPRoute`. In such a case each
 `RateLimitFilter` will be applied to the route and matched (and limited) in a mutually exclusive way, independent of each other.

diff --git a/docs/latest/releases/README.md b/docs/latest/releases/README.md
@@ -34,7 +34,7 @@ In order to align with the Envoy Proxy [release schedule][], Envoy Gateway relea
 | Version |  Expected   |   Actual    | Difference | End of Life |
 |:-------:|:-----------:|:-----------:|:----------:|:-----------:|
 |  0.2.0  | 2022/10/22  | 2022/10/20  |   -2 day   |  2023/4/20  |
-|  0.3.0  | 2023/01/22  |             |            |             |
+|  0.3.0  | 2023/01/22  | 2023/02/09  |   +17 day  |  2023/08/09 |
 
 [v2.0.0 spec]: https://semver.org/spec/v2.0.0.html
 [release guide]: ../dev/releasing.md

diff --git a/docs/latest/user/authn.md b/docs/latest/user/authn.md
@@ -90,5 +90,5 @@ kubectl delete authenticationfilter/jwt-example
 Checkout the [Developer Guide](../dev/README.md) to get involved in the project.
 
 [jwt]: https://tools.ietf.org/html/rfc7519
-[AuthenticationFilter]: https://github.com/envoyproxy/gateway/blob/main/api/v1alpha1/authenticationfilter_types.go
+[AuthenticationFilter]: https://gateway.envoyproxy.io/latest/api/extension_types.html#authenticationfilter
 [jwks]: https://tools.ietf.org/html/rfc7517
diff --git a/docs/latest/user/rate-limit.md b/docs/latest/user/rate-limit.md
@@ -482,8 +482,8 @@ transfer-encoding: chunked
 
 
 [Global rate limiting]: https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/other_features/global_rate_limiting
-[RateLimitFilter]: https://github.com/envoyproxy/gateway/blob/main/api/v1alpha1/ratelimitfilter_types.go
+[RateLimitFilter]: https://gateway.envoyproxy.io/latest/api/extension_types.html#ratelimitfilter
 [Envoy Ratelimit]: https://github.com/envoyproxy/ratelimit
-[EnvoyGateway]: https://github.com/envoyproxy/gateway/blob/main/api/config/v1alpha1/envoygateway_types.go
+[EnvoyGateway]: https://gateway.envoyproxy.io/latest/api/config_types.html#envoygateway
 [HTTPRoute]: https://gateway-api.sigs.k8s.io/api-types/httproute/
 [ExtensionRef]: https://gateway-api.sigs.k8s.io/references/spec/#gateway.networking.k8s.io%2fv1beta1.HTTPRouteFilter
diff --git a/docs/v0.3.0/releases/README.md b/docs/v0.3.0/releases/README.md
@@ -34,7 +34,7 @@ In order to align with the Envoy Proxy [release schedule][], Envoy Gateway relea
 | Version |  Expected   |   Actual    | Difference | End of Life |
 |:-------:|:-----------:|:-----------:|:----------:|:-----------:|
 |  0.2.0  | 2022/10/22  | 2022/10/20  |   -2 day   |  2023/4/20  |
-|  0.3.0  | 2023/01/22  |             |            |             |
+|  0.3.0  | 2023/01/22  | 2023/02/09  |   +17 day  |  2023/08/09 |
 
 [v2.0.0 spec]: https://semver.org/spec/v2.0.0.html
 [release guide]: ../dev/releasing.md

diff --git a/docs/v0.3.0/user/authn.md b/docs/v0.3.0/user/authn.md
@@ -90,5 +90,5 @@ kubectl delete authenticationfilter/jwt-example
 Checkout the [Developer Guide](../dev/README.md) to get involved in the project.
 
 [jwt]: https://tools.ietf.org/html/rfc7519
-[AuthenticationFilter]: https://github.com/envoyproxy/gateway/blob/main/api/v1alpha1/authenticationfilter_types.go
+[AuthenticationFilter]: https://gateway.envoyproxy.io/v0.3.0/api/extension_types.html#authenticationfilter
 [jwks]: https://tools.ietf.org/html/rfc7517
diff --git a/docs/v0.3.0/user/rate-limit.md b/docs/v0.3.0/user/rate-limit.md
@@ -481,9 +481,9 @@ transfer-encoding: chunked
 ```
 
 
-[Global rate limiting]: https://www.envoyproxy.io/docs/envoy/v0.3.0/intro/arch_overview/other_features/global_rate_limiting
-[RateLimitFilter]: https://github.com/envoyproxy/gateway/blob/main/api/v1alpha1/ratelimitfilter_types.go
+[Global rate limiting]: https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/other_features/global_rate_limiting
+[RateLimitFilter]: https://gateway.envoyproxy.io/v0.3.0/api/extension_types.html#ratelimitfilter
 [Envoy Ratelimit]: https://github.com/envoyproxy/ratelimit
-[EnvoyGateway]: https://github.com/envoyproxy/gateway/blob/main/api/config/v1alpha1/envoygateway_types.go
+[EnvoyGateway]: https://gateway.envoyproxy.io/v0.3.0/api/config_types.html#envoygateway
 [HTTPRoute]: https://gateway-api.sigs.k8s.io/api-types/httproute/
 [ExtensionRef]: https://gateway-api.sigs.k8s.io/references/spec/#gateway.networking.k8s.io%2fv1beta1.HTTPRouteFilter
diff --git a/go.mod b/go.mod
@@ -3,11 +3,12 @@ module github.com/envoyproxy/gateway
 go 1.19
 
 require (
-	github.com/cncf/xds/go v0.0.0-20220314180256-7f1daf1720fc
-	github.com/envoyproxy/go-control-plane v0.10.3-0.20221028143534-ed9652aebfd9
+	github.com/cncf/xds/go v0.0.0-20230105202645-06c439db220b
+	github.com/envoyproxy/go-control-plane v0.11.0
 	github.com/envoyproxy/ratelimit v1.4.1-0.20230109191524-5f3f5a4cf573
 	github.com/go-logr/logr v1.2.3
 	github.com/go-logr/zapr v1.2.3
+	github.com/golang/protobuf v1.5.2
 	github.com/google/go-cmp v0.5.9
 	github.com/spf13/cobra v1.6.1
 	github.com/spf13/pflag v1.0.5
@@ -17,7 +18,7 @@ require (
 	github.com/tsaarni/certyaml v0.9.1
 	go.uber.org/zap v1.24.0
 	golang.org/x/exp v0.0.0-20220722155223-a9213eeb770e
-	google.golang.org/grpc v1.52.3
+	google.golang.org/grpc v1.53.0
 	google.golang.org/protobuf v1.28.1
 	gopkg.in/yaml.v3 v3.0.1
 	k8s.io/api v0.26.1
@@ -32,11 +33,11 @@ require (
 
 require (
 	github.com/beorn7/perks v1.0.1 // indirect
-	github.com/census-instrumentation/opencensus-proto v0.3.0 // indirect
-	github.com/cespare/xxhash/v2 v2.1.2 // indirect
+	github.com/census-instrumentation/opencensus-proto v0.4.1 // indirect
+	github.com/cespare/xxhash/v2 v2.2.0 // indirect
 	github.com/davecgh/go-spew v1.1.1 // indirect
 	github.com/emicklei/go-restful/v3 v3.9.0 // indirect
-	github.com/envoyproxy/protoc-gen-validate v0.6.7 // indirect
+	github.com/envoyproxy/protoc-gen-validate v0.9.1 // indirect
 	github.com/evanphx/json-patch v4.12.0+incompatible // indirect
 	github.com/evanphx/json-patch/v5 v5.6.0 // indirect
 	github.com/fsnotify/fsnotify v1.6.0 // indirect
@@ -47,7 +48,6 @@ require (
 	github.com/go-openapi/swag v0.19.14 // indirect
 	github.com/gogo/protobuf v1.3.2 // indirect
 	github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect
-	github.com/golang/protobuf v1.5.2 // indirect
 	github.com/google/btree v1.0.1 // indirect
 	github.com/google/gnostic v0.5.7-v3refs // indirect
 	github.com/google/gofuzz v1.1.0 // indirect
@@ -82,15 +82,15 @@ require (
 	go.starlark.net v0.0.0-20200306205701-8dd3e2ee1dd5 // indirect
 	go.uber.org/atomic v1.7.0 // indirect
 	go.uber.org/multierr v1.6.0 // indirect
-	golang.org/x/net v0.4.0 // indirect
-	golang.org/x/oauth2 v0.0.0-20221014153046-6fdb5e3db783 // indirect
-	golang.org/x/sys v0.3.0 // indirect
-	golang.org/x/term v0.3.0 // indirect
-	golang.org/x/text v0.5.0 // indirect
+	golang.org/x/net v0.5.0 // indirect
+	golang.org/x/oauth2 v0.4.0 // indirect
+	golang.org/x/sys v0.4.0 // indirect
+	golang.org/x/term v0.4.0 // indirect
+	golang.org/x/text v0.6.0 // indirect
 	golang.org/x/time v0.3.0 // indirect
 	gomodules.xyz/jsonpatch/v2 v2.2.0 // indirect
 	google.golang.org/appengine v1.6.7 // indirect
-	google.golang.org/genproto v0.0.0-20221118155620-16455021b5e6 // indirect
+	google.golang.org/genproto v0.0.0-20230110181048-76db0878b65f // indirect
 	gopkg.in/inf.v0 v0.9.1 // indirect
 	gopkg.in/yaml.v2 v2.4.0 // indirect
 	k8s.io/apiextensions-apiserver v0.26.1 // indirect