Merge branch 'main' into telemetry-backend

.github/dependabot.yml

@@ -20,8 +20,6 @@ updates:
     ignore:
       # skip to update retest, because it won't work with the latest version
       - dependency-name: "envoyproxy/toolshed/gh-actions/retest"
-      # skip until https://github.com/codecov/feedback/issues/112 is resolved
-      - dependency-name: "codecov/codecov-action"
   - package-ecosystem: github-actions
     directory: /tools/github-actions/setup-deps
     schedule:

.github/workflows/build_and_test.yaml

@@ -44,6 +44,9 @@ jobs:
 
   coverage-test:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read   #  for actions/checkout
+      id-token: write  #  for fetching OIDC token
     steps:
     - uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b  # v4.1.5
     - uses: ./tools/github-actions/setup-deps
@@ -52,12 +55,14 @@ jobs:
     - name: Run Coverage Tests
       run: make go.test.coverage
     - name: Upload coverage to Codecov
-      uses: codecov/codecov-action@4fe8c5f003fae66aa5ebb77cfd3e7bfbbda0b6b0  # v3.1.5
+      uses: codecov/codecov-action@6d798873df2b1b8e5846dba6fb86631229fbcb17  # v4.4.0
       with:
-        fail_ci_if_error: false
+        fail_ci_if_error: true
         files: ./coverage.xml
         name: codecov-envoy-gateway
         verbose: true
+        # TODO change to `use_oidc: true` once https://github.com/codecov/codecov-action/issues/1435 is resolved.
+        use_oidc: ${{ github.event_name == 'push' || (github.event_name == 'pull_request' && github.event.pull_request.head.repo.full_name == github.repository) }}
 
   build:
     runs-on: ubuntu-latest

.github/workflows/license-scan.yml

@@ -0,0 +1,27 @@
+name: License Scan
+
+on:
+  pull_request:
+    branches:
+    - "main"
+  push:
+    branches:
+    - "main"
+
+permissions:
+  contents: read
+
+jobs:
+  scan:
+    runs-on: ubuntu-22.04
+    steps:
+    - name: Checkout code
+      uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b  # v4.1.5
+    - name: Run scanner
+      uses: google/osv-scanner-action/osv-scanner-action@75532bf0bf75464b047d80414dbce04449498365  # v1.7.3
+      with:
+        scan-args: |-
+          --skip-git
+          --experimental-licenses=Apache-2.0,BSD-2-Clause,BSD-2-Clause-FreeBSD,BSD-3-Clause,MIT,ISC,Python-2.0,PostgreSQL,X11,Zlib
+          ./
+      continue-on-error: true  # TODO remove once all issues are resolved

.github/workflows/trivy.yml

@@ -25,7 +25,7 @@ jobs:
         IMAGE=envoy-proxy/gateway-dev TAG=${{ github.sha }} make image
 
     - name: Run Trivy vulnerability scanner
-      uses: aquasecurity/trivy-action@d710430a6722f083d3b36b8339ff66b32f22ee55  # v0.19.0
+      uses: aquasecurity/trivy-action@b2933f565dbc598b29947660e66259e3c7bc8561  # v0.20.0
       with:
         image-ref: envoy-proxy/gateway-dev:${{ github.sha }}
         exit-code: '1'

api/v1alpha1/backend_types.go

@@ -0,0 +1,193 @@
+// Copyright Envoy Gateway Authors
+// SPDX-License-Identifier: Apache-2.0
+// The full text of the Apache license is available in the LICENSE file at
+// the root of the repo.
+
+package v1alpha1
+
+import (
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+const (
+	// KindBackend is the name of the Backend kind.
+	KindBackend = "Backend"
+)
+
+// AppProtocolType defines various backend applications protocols supported by Envoy Gateway
+//
+// +kubebuilder:validation:Enum=gateway.envoyproxy.io/h2c;gateway.envoyproxy.io/ws;gateway.envoyproxy.io/wss
+// +notImplementedHide
+type AppProtocolType string
+
+const (
+	// AppProtocolTypeH2C defines the HTTP/2 application protocol.
+	AppProtocolTypeH2C AppProtocolType = "gateway.envoyproxy.io/h2c"
+	// AppProtocolTypeWS defines the WebSocket over HTTP protocol.
+	AppProtocolTypeWS AppProtocolType = "gateway.envoyproxy.io/ws"
+	// AppProtocolTypeWSS defines the WebSocket over HTTPS protocol.
+	AppProtocolTypeWSS AppProtocolType = "gateway.envoyproxy.io/wss"
+)
+
+// Backend allows the user to configure the endpoints of a backend and
+// the behavior of the connection from Envoy Proxy to the backend.
+//
+// +kubebuilder:object:root=true
+// +kubebuilder:resource:categories=envoy-gateway,shortName=be
+// +kubebuilder:subresource:status
+// +kubebuilder:printcolumn:name="Status",type=string,JSONPath=`.status.conditions[?(@.type=="Accepted")].reason`
+// +kubebuilder:printcolumn:name="Age",type=date,JSONPath=`.metadata.creationTimestamp`
+// +notImplementedHide
+type Backend struct {
+	metav1.TypeMeta   `json:",inline"`
+	metav1.ObjectMeta `json:"metadata,omitempty"`
+
+	// Spec defines the desired state of Backend.
+	Spec BackendSpec `json:"spec"`
+
+	// Status defines the current status of Backend.
+	Status BackendStatus `json:"status,omitempty"`
+}
+
+// BackendEndpoint describes a backend endpoint, which can be either a fully-qualified domain name, IPv4 address or unix domain socket
+// corresponding to Envoy's Address: https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/core/v3/address.proto#config-core-v3-address
+//
+// +kubebuilder:validation:XValidation:rule="(has(self.fqdn) || has(self.ipv4) || has(self.unix))",message="one of fqdn, ipv4 or unix must be specified"
+// +kubebuilder:validation:XValidation:rule="((has(self.fqdn) && !(has(self.ipv4) || has(self.unix))) || (has(self.ipv4) && !(has(self.fqdn) || has(self.unix))) || (has(self.unix) && !(has(self.ipv4) || has(self.fqdn))))",message="only one of fqdn, ipv4 or unix can be specified"
+// +notImplementedHide
+type BackendEndpoint struct {
+	// FQDN defines a FQDN endpoint
+	//
+	// +optional
+	FQDN *FQDNEndpoint `json:"fqdn,omitempty"`
+
+	// IPv4 defines an IPv4 endpoint
+	//
+	// +optional
+	IPv4 *IPv4Endpoint `json:"ipv4,omitempty"`
+
+	// Unix defines the unix domain socket endpoint
+	//
+	// +optional
+	Unix *UnixSocket `json:"unix,omitempty"`
+}
+
+// IPv4Endpoint describes TCP/UDP socket address, corresponding to Envoy's Socket Address
+// https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/core/v3/address.proto#config-core-v3-socketaddress
+//
+// +notImplementedHide
+type IPv4Endpoint struct {
+	// Address defines the IPv4 address of the backend endpoint.
+	//
+	// +kubebuilder:validation:MinLength=7
+	// +kubebuilder:validation:MaxLength=15
+	// +kubebuilder:validation:Pattern=`^((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)$`
+	Address string `json:"address"`
+
+	// Port defines the port of the backend endpoint.
+	//
+	// +kubebuilder:validation:Minimum=0
+	// +kubebuilder:validation:Maximum=65535
+	Port int32 `json:"port"`
+}
+
+// FQDNEndpoint describes TCP/UDP socket address, corresponding to Envoy's Socket Address
+// https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/core/v3/address.proto#config-core-v3-socketaddress
+//
+// +notImplementedHide
+type FQDNEndpoint struct {
+	// Hostname defines the FQDN hostname of the backend endpoint.
+	//
+	// +kubebuilder:validation:MinLength=1
+	// +kubebuilder:validation:MaxLength=253
+	// +kubebuilder:validation:Pattern=`^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$`
+	Hostname string `json:"hostname"`
+
+	// Port defines the port of the backend endpoint.
+	//
+	// +kubebuilder:validation:Minimum=0
+	// +kubebuilder:validation:Maximum=65535
+	Port int32 `json:"port"`
+}
+
+// UnixSocket describes TCP/UDP unix domain socket address, corresponding to Envoy's Pipe
+// https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/core/v3/address.proto#config-core-v3-pipe
+//
+// +notImplementedHide
+type UnixSocket struct {
+	// Path defines the unix domain socket path of the backend endpoint.
+	Path string `json:"path"`
+}
+
+// BackendSpec describes the desired state of BackendSpec.
+//
+// +notImplementedHide
+type BackendSpec struct {
+	// Endpoints defines the endpoints to be used when connecting to the backend.
+	//
+	// +kubebuilder:validation:MinItems=1
+	// +kubebuilder:validation:MaxItems=4
+	// +kubebuilder:validation:XValidation:rule="self.all(f, has(f.fqdn)) || !self.exists(f, has(f.fqdn))",message="fqdn addresses cannot be mixed with other address types"
+	Endpoints []BackendEndpoint `json:"endpoints,omitempty"`
+
+	// AppProtocols defines the application protocols to be supported when connecting to the backend.
+	//
+	// +optional
+	AppProtocols []AppProtocolType `json:"appProtocols,omitempty"`
+}
+
+// BackendConditionType is a type of condition for a backend. This type should be
+// used with a Backend resource Status.Conditions field.
+type BackendConditionType string
+
+// BackendConditionReason is a reason for a backend condition.
+type BackendConditionReason string
+
+const (
+	// BackendConditionAccepted indicates whether the backend has been accepted or
+	// rejected by a targeted resource, and why.
+	//
+	// Possible reasons for this condition to be True are:
+	//
+	// * "Accepted"
+	//
+	// Possible reasons for this condition to be False are:
+	//
+	// * "Invalid"
+	//
+	BackendConditionAccepted BackendConditionType = "Accepted"
+
+	// BackendReasonAccepted is used with the "Accepted" condition when the backend
+	// has been accepted by the targeted resource.
+	BackendReasonAccepted BackendConditionReason = "Accepted"
+
+	// BackendReasonInvalid is used with the "Accepted" condition when the backend
+	// is syntactically or semantically invalid.
+	BackendReasonInvalid BackendConditionReason = "Invalid"
+)
+
+// BackendStatus defines the state of Backend
+// +notImplementedHide
+type BackendStatus struct {
+	// Conditions describe the current conditions of the Backend.
+	//
+	// +optional
+	// +listType=map
+	// +listMapKey=type
+	// +kubebuilder:validation:MaxItems=8
+	Conditions []metav1.Condition `json:"conditions,omitempty"`
+}
+
+// BackendList contains a list of Backend resources.
+//
+// +kubebuilder:object:root=true
+// +notImplementedHide
+type BackendList struct {
+	metav1.TypeMeta `json:",inline"`
+	metav1.ListMeta `json:"metadata,omitempty"`
+	Items           []Backend `json:"items"`
+}
+
+func init() {
+	SchemeBuilder.Register(&Backend{}, &BackendList{})
+}

api/v1alpha1/clienttrafficpolicy_types.go

@@ -104,10 +104,22 @@ type HeaderSettings struct {
 	// +optional
 	EnableEnvoyHeaders *bool `json:"enableEnvoyHeaders,omitempty"`
 
+	// Configure Envoy proxy how to handle the x-forwarded-client-cert (XFCC) HTTP header.
+	// When enabled, Hash and By is always set
+	// +optional
+	XForwardedClientCert *XForwardedClientCert `json:"xForwardedClientCert,omitempty"`
+
 	// WithUnderscoresAction configures the action to take when an HTTP header with underscores
 	// is encountered. The default action is to reject the request.
 	// +optional
 	WithUnderscoresAction *WithUnderscoresAction `json:"withUnderscoresAction,omitempty"`
+
+	// PreserveXRequestID configures Envoy to keep the X-Request-ID header if passed for a request that is edge
+	// (Edge request is the request from external clients to front Envoy) and not reset it, which is the current Envoy behaviour.
+	// It defaults to false.
+	//
+	// +optional
+	PreserveXRequestID *bool `json:"preserveXRequestID,omitempty"`
 }
 
 // WithUnderscoresAction configures the action to take when an HTTP header with underscores
@@ -127,6 +139,59 @@ const (
 	WithUnderscoresActionDropHeader WithUnderscoresAction = "DropHeader"
 )
 
+// Configure Envoy proxy how to handle the x-forwarded-client-cert (XFCC) HTTP header.
+type XForwardedClientCert struct {
+	// Envoy Proxy mode how to handle the x-forwarded-client-cert (XFCC) HTTP header.
+	// +optional
+	Mode *ForwardMode `json:"mode,omitempty"`
+
+	// Specifies the fields in the client certificate to be forwarded on the x-forwarded-client-cert (XFCC) HTTP header
+	// +kubebuilder:validation:MaxItems=5
+	// +optional
+	CertDetailsToAdd []ClientCertData `json:"certDetailsToAdd,omitempty"`
+}
+
+// Envoy Proxy mode how to handle the x-forwarded-client-cert (XFCC) HTTP header.
+// +kubebuilder:validation:Enum=Sanitize;ForwardOnly;AppendForward;SanitizeSet;AlwaysForwardOnly
+type ForwardMode string
+
+const (
+	// Do not send the XFCC header to the next hop. This is the default value.
+	ForwardModeSanitize ForwardMode = "Sanitize"
+	// When the client connection is mTLS (Mutual TLS), forward the XFCC header
+	// in the request.
+	ForwardModeForwardOnly ForwardMode = "ForwardOnly"
+	// When the client connection is mTLS, append the client certificate
+	// information to the request’s XFCC header and forward it.
+	ForwardModeAppendForward ForwardMode = "AppendForward"
+	// When the client connection is mTLS, reset the XFCC header with the client
+	// certificate information and send it to the next hop.
+	ForwardModeSanitizeSet ForwardMode = "SanitizeSet"
+	// Always forward the XFCC header in the request, regardless of whether the
+	// client connection is mTLS.
+	ForwardModeAlwaysForwardOnly ForwardMode = "AlwaysForwardOnly"
+)
+
+// Specifies the fields in the client certificate to be forwarded on the x-forwarded-client-cert (XFCC) HTTP header
+// By default, x-forwarded-client-cert (XFCC) will always include By and Hash data
+// +kubebuilder:validation:Enum=Subject;Cert;Chain;Dns;Uri
+type ClientCertData string
+
+const (
+	// Whether to forward the subject of the client cert.
+	ClientCertDataSubject ClientCertData = "Subject"
+	// Whether to forward the entire client cert in URL encoded PEM format.
+	// This will appear in the XFCC header comma separated from other values with the value Cert=”PEM”.
+	ClientCertDataCert ClientCertData = "Cert"
+	// Whether to forward the entire client cert chain (including the leaf cert) in URL encoded PEM format.
+	// This will appear in the XFCC header comma separated from other values with the value Chain=”PEM”.
+	ClientCertDataChain ClientCertData = "Chain"
+	// Whether to forward the DNS type Subject Alternative Names of the client cert.
+	ClientCertDataDNS ClientCertData = "Dns"
+	// Whether to forward the URI type Subject Alternative Name of the client cert.
+	ClientCertDataURI ClientCertData = "Uri"
+)
+
 // ClientIPDetectionSettings provides configuration for determining the original client IP address for requests.
 //
 // +kubebuilder:validation:XValidation:rule="!(has(self.xForwardedFor) && has(self.customHeader))",message="customHeader cannot be used in conjunction with xForwardedFor"

api/v1alpha1/envoygateway_types.go

@@ -166,6 +166,9 @@ type ExtensionAPISettings struct {
 	// EnableEnvoyPatchPolicy enables Envoy Gateway to
 	// reconcile and implement the EnvoyPatchPolicy resources.
 	EnableEnvoyPatchPolicy bool `json:"enableEnvoyPatchPolicy"`
+	// EnableBackend enables Envoy Gateway to
+	// reconcile and implement the Backend resources.
+	EnableBackend bool `json:"enableBackend"`
 }
 
 // EnvoyGatewayProvider defines the desired configuration of a provider.

api/v1alpha1/envoyproxy_helpers.go

@@ -57,6 +57,23 @@ func DefaultEnvoyProxyHpaMetrics() []autoscalingv2.MetricSpec {
 	}
 }
 
+// NeedToSwitchPorts returns true if the EnvoyProxy needs to switch ports.
+func (e *EnvoyProxy) NeedToSwitchPorts() bool {
+	if e.Spec.Provider == nil {
+		return true
+	}
+
+	if e.Spec.Provider.Kubernetes == nil {
+		return true
+	}
+
+	if e.Spec.Provider.Kubernetes.UseListenerPortAsContainerPort == nil {
+		return true
+	}
+
+	return !*e.Spec.Provider.Kubernetes.UseListenerPortAsContainerPort
+}
+
 // GetEnvoyProxyKubeProvider returns the EnvoyProxyKubernetesProvider of EnvoyProxyProvider or
 // a default EnvoyProxyKubernetesProvider if unspecified. If EnvoyProxyProvider is not of
 // type "Kubernetes", a nil EnvoyProxyKubernetesProvider is returned.

api/v1alpha1/envoyproxy_types.go

@@ -264,6 +264,13 @@ type EnvoyProxyKubernetesProvider struct {
 	//
 	// +optional
 	EnvoyHpa *KubernetesHorizontalPodAutoscalerSpec `json:"envoyHpa,omitempty"`
+
+	// UseListenerPortAsContainerPort disables the port shifting feature in the Envoy Proxy.
+	// When set to false (default value), if the service port is a privileged port (1-1023), add a constant to the value converting it into an ephemeral port.
+	// This allows the container to bind to the port without needing a CAP_NET_BIND_SERVICE capability.
+	//
+	// +optional
+	UseListenerPortAsContainerPort *bool `json:"useListenerPortAsContainerPort,omitempty"`
 }
 
 // ProxyLogging defines logging parameters for managed proxies.