Merge branch 'main' into docs/user-observability

.github/codecov.yml

@@ -5,3 +5,8 @@ coverage:
         target: 60%
         threshold: 5%
         if_ci_failed: error
+    patch:
+      default:
+        target: 60%
+        threshold: 5%
+        if_ci_failed: error

docs/latest/user/authn.md

@@ -7,11 +7,14 @@ supports validating a JWT from an HTTP header, e.g. `Authorization: Bearer <toke
 ## Installation
 
 Follow the steps from the [Quickstart](quickstart.md) guide to install Envoy Gateway and the example manifest.
-Before proceeding, you should be able to query the example backend using HTTP.
+For GRPC - follow the steps from the [GRPC Routing](grpc-routing.md) example.
+Before proceeding, you should be able to query the example backend using HTTP or GRPC.
 
 ## Configuration
 
-Allow requests with a valid JWT by creating an [AuthenticationFilter][] and referencing it from the example HTTPRoute.
+Allow requests with a valid JWT by creating an [AuthenticationFilter][] and referencing it from the example HTTPRoute or GRPCRoute.
+
+### HTTPRoute
 
 ```shell
 kubectl apply -f https://raw.githubusercontent.com/envoyproxy/gateway/latest/examples/kubernetes/authn/jwt.yaml
@@ -35,6 +38,29 @@ Verify the AuthenticationFilter configuration:
 kubectl get authenticationfilter/jwt-example -o yaml
 ```
 
+### GRPCRoute
+
+```shell
+kubectl apply -f https://raw.githubusercontent.com/envoyproxy/gateway/latest/examples/kubernetes/authn/grtpc-jwt.yaml
+```
+
+The GRPCRoute is now updated to authenticate all requests to `yages` service, by referencing an AuthenticationFilter that provides the JWT authentication configuration.
+
+Verify the GRPCRoute configuration and status:
+
+```shell
+kubectl get grpcroute/yages -o yaml
+```
+
+The AuthenticationFilter is configured for JWT authentication and uses a single [JSON Web Key Set (JWKS)][jwks]
+provider for authenticating the JWT.
+
+Verify the AuthenticationFilter configuration:
+
+```shell
+kubectl get authenticationfilter/jwt-example -o yaml
+```
+
 ## Testing
 
 Ensure the `GATEWAY_HOST` environment variable from the [Quickstart](quickstart.md) guide is set. If not, follow the
@@ -44,6 +70,8 @@ Quickstart instructions to set the variable.
 echo $GATEWAY_HOST
 ```
 
+### HTTPRoute
+
 Verify that requests to `/foo` are denied without a JWT:
 
 ```shell
@@ -75,6 +103,43 @@ Verify that requests to `/bar` are allowed __without__ a JWT:
 curl -sS -o /dev/null -H "Host: www.example.com" -w "%{http_code}\n" http://$GATEWAY_HOST/bar
 ```
 
+### GRPCRoute
+
+Verify that requests to `yages`service are denied without a JWT:
+
+```shell
+grpcurl -plaintext -authority=grpc-example.com ${GATEWAY_HOST}:80 yages.Echo/Ping
+```
+
+You should see the below response
+
+```shell
+Error invoking method "yages.Echo/Ping": rpc error: code = Unauthenticated desc = failed to query for service descriptor "yages.Echo": Jwt is missing
+```
+
+Get the JWT used for testing request authentication:
+
+```shell
+TOKEN=$(curl https://raw.githubusercontent.com/envoyproxy/gateway/main/examples/kubernetes/authn/test.jwt -s) && echo "$TOKEN" | cut -d '.' -f2 - | base64 --decode -
+```
+
+__Note:__ The above command decodes and returns the token's payload. You can replace `f2` with `f1` to view the token's
+header.
+
+Verify that a request to `yages` service with a valid JWT is allowed:
+
+```shell
+grpcurl -plaintext -H "authorization: Bearer $TOKEN" -authority=grpc-example.com ${GATEWAY_HOST}:80 yages.Echo/Ping
+```
+
+You should see the below response
+
+```shell
+{
+  "text": "pong"
+}
+```
+
 ## Clean-Up
 
 Follow the steps from the [Quickstart](quickstart.md) guide to uninstall Envoy Gateway and the example manifest.

internal/cmd/egctl/testdata/translate/in/authn-single-route-single-match-to-xds.yaml

@@ -29,6 +29,7 @@ metadata:
     app: backend
     service: backend
 spec:
+  clusterIP: 7.7.7.7
   ports:
     - name: http
       port: 3000

internal/cmd/egctl/testdata/translate/in/echo-gateway-api.yaml

@@ -29,6 +29,7 @@ metadata:
     app: backend
     service: backend
 spec:
+  clusterIP: 7.7.7.7
   ports:
     - name: http
       port: 3000

internal/cmd/egctl/testdata/translate/in/envoy-patch-policy.yaml

@@ -32,6 +32,7 @@ metadata:
     app: backend
     service: backend
 spec:
+  clusterIP: 7.7.7.7
   ports:
     - name: http
       port: 3000

internal/cmd/egctl/testdata/translate/in/quickstart.yaml

@@ -29,6 +29,7 @@ metadata:
     app: backend
     service: backend
 spec:
+  clusterIP: 7.7.7.7
   ports:
     - name: http
       port: 3000

internal/cmd/egctl/testdata/translate/in/rate-limit-filter-single-route-single-match-to-xds.yaml

@@ -29,6 +29,7 @@ metadata:
     app: backend
     service: backend
 spec:
+  clusterIP: 7.7.7.7
   ports:
     - name: http
       port: 3000

internal/cmd/egctl/testdata/translate/out/authn-single-route-single-match-to-xds.all.json

@@ -191,6 +191,7 @@
                         "endpoint": {
                           "address": {
                             "socketAddress": {
+                              "address": "7.7.7.7",
                               "portValue": 3000
                             }
                           }

internal/cmd/egctl/testdata/translate/out/authn-single-route-single-match-to-xds.all.yaml

@@ -109,6 +109,7 @@ xds:
             - endpoint:
                 address:
                   socketAddress:
+                    address: 7.7.7.7
                     portValue: 3000
               loadBalancingWeight: 1
             loadBalancingWeight: 1

internal/cmd/egctl/testdata/translate/out/authn-single-route-single-match-to-xds.endpoint.yaml

@@ -10,6 +10,7 @@ xds:
           - endpoint:
               address:
                 socketAddress:
+                  address: "7.7.7.7"
                   portValue: 3000
             loadBalancingWeight: 1
           loadBalancingWeight: 1

internal/cmd/egctl/testdata/translate/out/rate-limit-filter-single-route-single-match-to-xds.all.json

@@ -191,6 +191,7 @@
                         "endpoint": {
                           "address": {
                             "socketAddress": {
+                              "address": "7.7.7.7",
                               "portValue": 3000
                             }
                           }

internal/cmd/egctl/testdata/translate/out/rate-limit-filter-single-route-single-match-to-xds.all.yaml

@@ -109,6 +109,7 @@ xds:
             - endpoint:
                 address:
                   socketAddress:
+                    address: 7.7.7.7
                     portValue: 3000
               loadBalancingWeight: 1
             loadBalancingWeight: 1

internal/cmd/egctl/testdata/translate/out/rate-limit-filter-single-route-single-match-to-xds.endpoint.yaml

@@ -10,6 +10,7 @@ xds:
           - endpoint:
               address:
                 socketAddress:
+                  address: 7.7.7.7
                   portValue: 3000
             loadBalancingWeight: 1
           loadBalancingWeight: 1

internal/gatewayapi/helpers.go

@@ -254,6 +254,9 @@ func ValidateGRPCRouteFilter(filter *v1alpha2.GRPCRouteFilter, extGKs ...schema.
 		case string(filter.ExtensionRef.Group) == egv1a1.GroupVersion.Group &&
 			string(filter.ExtensionRef.Kind) == egv1a1.KindAuthenticationFilter:
 			return nil
+		case string(filter.ExtensionRef.Group) == egv1a1.GroupVersion.Group &&
+			string(filter.ExtensionRef.Kind) == egv1a1.KindRateLimitFilter:
+			return nil
 		default:
 			for _, gk := range extGKs {
 				if filter.ExtensionRef.Group == v1beta1.Group(gk.Group) &&
@@ -276,6 +279,14 @@ func IsAuthnGRPCFilter(filter *v1alpha2.GRPCRouteFilter) bool {
 		string(filter.ExtensionRef.Kind) == egv1a1.KindAuthenticationFilter
 }
 
+// IsRateLimitGRPCFilter returns true if the provided filter is an RateLimitFilter.
+func IsRateLimitGRPCFilter(filter *v1alpha2.GRPCRouteFilter) bool {
+	return filter.Type == v1alpha2.GRPCRouteFilterExtensionRef &&
+		filter.ExtensionRef != nil &&
+		string(filter.ExtensionRef.Group) == egv1a1.GroupVersion.Group &&
+		string(filter.ExtensionRef.Kind) == egv1a1.KindRateLimitFilter
+}
+
 // GatewayOwnerLabels returns the Gateway Owner labels using
 // the provided namespace and name as the values.
 func GatewayOwnerLabels(namespace, name string) map[string]string {

internal/gatewayapi/helpers_test.go

@@ -128,6 +128,42 @@ func TestValidateGRPCFilterRef(t *testing.T) {
 			},
 			expected: true,
 		},
+		{
+			name: "invalid ratelimitfilter group",
+			filter: &gwapiv1a2.GRPCRouteFilter{
+				Type: gwapiv1a2.GRPCRouteFilterExtensionRef,
+				ExtensionRef: &gwapiv1b1.LocalObjectReference{
+					Group: "UnsupportedGroup",
+					Kind:  egv1a1.KindRateLimitFilter,
+					Name:  "test",
+				},
+			},
+			expected: false,
+		},
+		{
+			name: "invalid ratelimitfilter kind",
+			filter: &gwapiv1a2.GRPCRouteFilter{
+				Type: gwapiv1a2.GRPCRouteFilterExtensionRef,
+				ExtensionRef: &gwapiv1b1.LocalObjectReference{
+					Group: gwapiv1b1.Group(egv1a1.GroupVersion.Group),
+					Kind:  "UnsupportedKind",
+					Name:  "test",
+				},
+			},
+			expected: false,
+		},
+		{
+			name: "valid ratelimitfilter",
+			filter: &gwapiv1a2.GRPCRouteFilter{
+				Type: gwapiv1a2.GRPCRouteFilterExtensionRef,
+				ExtensionRef: &gwapiv1b1.LocalObjectReference{
+					Group: gwapiv1b1.Group(egv1a1.GroupVersion.Group),
+					Kind:  egv1a1.KindRateLimitFilter,
+					Name:  "test",
+				},
+			},
+			expected: true,
+		},
 	}
 	for _, tc := range testCases {
 		tc := tc

internal/gatewayapi/testdata/grpcroute-with-valid-ratelimitfilter.in.yaml

@@ -0,0 +1,55 @@
+gateways:
+- apiVersion: gateway.networking.k8s.io/v1beta1
+  kind: Gateway
+  metadata:
+    namespace: envoy-gateway
+    name: gateway-1
+  spec:
+    gatewayClassName: envoy-gateway-class
+    listeners:
+    - name: http
+      protocol: HTTP
+      port: 80
+      allowedRoutes:
+        namespaces:
+          from: All
+grpcRoutes:
+- apiVersion: gateway.networking.k8s.io/v1alpha2
+  kind: GRPCRoute
+  metadata:
+    namespace: default
+    name: grpcroute-1
+  spec:
+    parentRefs:
+    - namespace: envoy-gateway
+      name: gateway-1
+      sectionName: http
+    rules:
+    - filters:
+      - type: ExtensionRef
+        extensionRef:
+          group: gateway.envoyproxy.io
+          kind: RateLimitFilter
+          name: test
+      backendRefs:
+      - name: service-1
+        port: 8080
+rateLimitFilters:
+- apiVersion: gateway.envoyproxy.io/v1alpha1
+  kind: RateLimitFilter
+  metadata:
+    namespace: default
+    name: test
+  spec:
+    type: Global
+    global:
+      rules:
+      - clientSelectors:
+        - headers:
+          - name: x-user-id
+            value: one
+          - name: x-org-id
+            type: Distinct
+        limit:
+          requests: 10
+          unit: Hour