Changelog plus CI check for changelogs. (#4064)

* Add Changelogs directory
* Add changelog checker
Signed-off-by: Nick Young <ynick@vmware.com>

.codespell.skip

@@ -10,3 +10,4 @@
 ./site/themes/contour/static/fonts/README.md
 ./vendor
 ./site/public
+./hack/actions/check-changefile-exists.go

.github/PULL_REQUEST_TEMPLATE/pull_request_template.md

@@ -1,6 +1,7 @@
 ---
 name: Pull request
 about: Tell us about your contribution
+labels: ["release-note/small"]
 ---
 
 ---
@@ -12,6 +13,7 @@ Before submitting a pull request, make sure you read about our Contribution Work
 
 Some notable call outs from our Contribution Workflow:
 - All PR's must have a `Fixes #NNN` or `Updates #NNN` line in the pull request description.
+- All PR's must add a `release-note/category` label, where category is one of `major`, `minor`, `small`, `docs`, `infra`, or `not-required`.
 - Contour operates according to the talk, then code rule.
 - If you plan to submit a pull request for anything more than a typo or small bug fix, first you should raise an issue to discuss your proposal, before submitting any code.
 - We generally won't merge a PR without an associated issue.

.github/workflows/codeql-analysis.yml

@@ -2,7 +2,7 @@ name: "Code scanning - action"
 
 on:
   push:
-    branches: main
+    branches: [main]
   pull_request:
     # The branches below must be a subset of the branches above
     branches: [main]

.github/workflows/label_check.yaml

@@ -0,0 +1,32 @@
+name: Release Note Label Check
+
+# Trigger the workflow on push or pull request
+on: 
+  push:
+  pull_request:
+    types: [opened, labeled, unlabeled, synchronize]
+
+env:
+  GOPROXY: https://proxy.golang.org/
+  SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
+jobs:
+  check-label:
+    name: Check release-note label set
+    runs-on: ubuntu-latest
+    steps:
+      - uses: mheap/github-action-required-labels@v1
+        with:
+          mode: exactly
+          count: 1
+          labels: "release-note/major, release-note/minor, release-note/small, release-note/docs, release-note/infra, release-note/none-required"
+  check-changelog:
+    name: Check for changelog file
+    needs:
+      - check-label
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/checkout@v2
+    - run: go run ./hack/actions/check-changefile-exists.go
+      env:
+        PR_NUMBER: ${{ github.event.number }}
+        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

.github/workflows/prbuild.yaml

@@ -1,13 +1,84 @@
 name: Build and Test Pull Request
 
 # Trigger the workflow on push or pull request
-on: [push, pull_request]
+on: 
+  pull_request:
+    types: [opened, synchronize]
 
 env:
   GOPROXY: https://proxy.golang.org/
   SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
 jobs:
+  lint:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v2
+      - name: golangci-lint
+        uses: golangci/golangci-lint-action@v2
+        with:
+          version: v1.42.0
+          args: --build-tags=e2e
+      - uses: act10ns/slack@v1
+        with:
+          status: ${{ job.status }}
+          steps: ${{ toJson(steps) }}
+          channel: '#contour-ci-notifications'
+        if: ${{ failure() && github.ref == 'refs/heads/main' }}
+  codespell:
+    name: Codespell
+    runs-on: ubuntu-latest
+    timeout-minutes: 5
+    steps:
+      - uses: actions/checkout@v2
+      - name: Codespell
+        uses: codespell-project/actions-codespell@master
+        with:
+          skip: .git,*.png,*.woff,*.woff2,*.eot,*.ttf,*.jpg,*.ico,*.svg,./site/themes/contour/static/fonts/README.md,./vendor,./site/public,./hack/actions/check-changefile-exists.go
+          ignore_words_file: './.codespell.ignorewords'
+          check_filenames: true
+          check_hidden: true
+      - uses: act10ns/slack@v1
+        with:
+          status: ${{ job.status }}
+          steps: ${{ toJson(steps) }}
+          channel: '#contour-ci-notifications'
+        if: ${{ failure() && github.ref == 'refs/heads/main' }}
+  codegen:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v2
+      - uses: actions/cache@v2
+        with:
+          # * Module download cache
+          # * Build cache (Linux)
+          path: |
+            ~/go/pkg/mod
+            ~/.cache/go-build
+          key: ${{ runner.os }}-${{ github.job }}-go-${{ hashFiles('**/go.sum') }}
+          restore-keys: |
+            ${{ runner.os }}-${{ github.job }}-go-
+      - uses: actions/setup-go@v2
+        with:
+          go-version: '1.17.0'
+      - name: add deps to path
+        run: |
+          ./hack/actions/install-kubernetes-toolchain.sh $GITHUB_WORKSPACE/bin
+          echo "$GITHUB_WORKSPACE/bin" >> $GITHUB_PATH
+      - name: generate
+        run: |
+          make generate lint-yamllint lint-flags
+          ./hack/actions/check-uncommitted-codegen.sh
+      - uses: act10ns/slack@v1
+        with:
+          status: ${{ job.status }}
+          steps: ${{ toJson(steps) }}
+          channel: '#contour-ci-notifications'
+        if: ${{ failure() && github.ref == 'refs/heads/main' }}    
   build-image:
+    needs:
+      - lint
+      - codespell
+      - codegen
     runs-on: ubuntu-latest
     steps:
     - uses: actions/checkout@v2
@@ -33,9 +104,13 @@ jobs:
       if: ${{ failure() && github.ref == 'refs/heads/main' }}
   e2e:
     runs-on: ubuntu-latest
-    # TODO uncomment the below once we're using the image
-    # or its binary for testing.
-    # needs: [build-image]
+    needs:
+      - lint
+      - codespell
+      - codegen
+      # TODO uncomment the below once we're using the image
+      # or its binary for testing.
+      # - build-image
     strategy:
       matrix:
         # use stable kubernetes_version values since they're included
@@ -171,6 +246,10 @@ jobs:
   #       run: |
   #         make check-ingress-conformance
   test-linux:
+    needs:
+      - lint
+      - codespell
+      - codegen
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v2
@@ -206,6 +285,10 @@ jobs:
           channel: '#contour-ci-notifications'
         if: ${{ failure() && github.ref == 'refs/heads/main' }}
   test-osx:
+    needs:
+      - lint
+      - codespell
+      - codegen
     runs-on: macos-latest
     steps:
       - uses: actions/checkout@v2
@@ -236,68 +319,3 @@ jobs:
           steps: ${{ toJson(steps) }}
           channel: '#contour-ci-notifications'
         if: ${{ failure() && github.ref == 'refs/heads/main' }}
-  lint:
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@v2
-      - name: golangci-lint
-        uses: golangci/golangci-lint-action@v2
-        with:
-          version: v1.42.0
-          args: --build-tags=e2e
-      - uses: act10ns/slack@v1
-        with:
-          status: ${{ job.status }}
-          steps: ${{ toJson(steps) }}
-          channel: '#contour-ci-notifications'
-        if: ${{ failure() && github.ref == 'refs/heads/main' }}
-  codespell:
-    name: Codespell
-    runs-on: ubuntu-latest
-    timeout-minutes: 5
-    steps:
-      - uses: actions/checkout@v2
-      - name: Codespell
-        uses: codespell-project/actions-codespell@master
-        with:
-          skip: .git,*.png,*.woff,*.woff2,*.eot,*.ttf,*.jpg,*.ico,*.svg,./site/themes/contour/static/fonts/README.md,./vendor,./site/public
-          ignore_words_file: './.codespell.ignorewords'
-          check_filenames: true
-          check_hidden: true
-      - uses: act10ns/slack@v1
-        with:
-          status: ${{ job.status }}
-          steps: ${{ toJson(steps) }}
-          channel: '#contour-ci-notifications'
-        if: ${{ failure() && github.ref == 'refs/heads/main' }}
-  codegen:
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@v2
-      - uses: actions/cache@v2
-        with:
-          # * Module download cache
-          # * Build cache (Linux)
-          path: |
-            ~/go/pkg/mod
-            ~/.cache/go-build
-          key: ${{ runner.os }}-${{ github.job }}-go-${{ hashFiles('**/go.sum') }}
-          restore-keys: |
-            ${{ runner.os }}-${{ github.job }}-go-
-      - uses: actions/setup-go@v2
-        with:
-          go-version: '1.17.0'
-      - name: add deps to path
-        run: |
-          ./hack/actions/install-kubernetes-toolchain.sh $GITHUB_WORKSPACE/bin
-          echo "$GITHUB_WORKSPACE/bin" >> $GITHUB_PATH
-      - name: generate
-        run: |
-          make generate lint-yamllint lint-flags
-          ./hack/actions/check-uncommitted-codegen.sh
-      - uses: act10ns/slack@v1
-        with:
-          status: ${{ job.status }}
-          steps: ${{ toJson(steps) }}
-          channel: '#contour-ci-notifications'
-        if: ${{ failure() && github.ref == 'refs/heads/main' }}

CONTRIBUTING.md

@@ -172,15 +172,20 @@ In addition, the meeting will be used to go over untriaged issues, longer-term i
 - Have a short subject on the first line and a body. The body can be empty.
 - Use the imperative mood (ie "If applied, this commit will (subject)" should make sense).
 - There must be a DCO line ("Signed-off-by: David Cheney <cheneyd@vmware.com>"), see [DCO Sign Off](#dco-sign-off) below.
-- Put a summary of the main area affected by the commit at the start,
-with a colon as delimiter. For example 'docs:', 'internal/(packagename):', 'design:' or something similar.
 - Do not merge commits that don't relate to the affected issue (e.g. "Updating from PR comments", etc). Should
 the need to cherrypick a commit or rollback arise, it should be clear what a specific commit's purpose is.
+- Put a summary of the main area affected by the commit at the start,
+with a colon as delimiter. For example 'docs:', 'internal/(packagename):', 'design:' or something similar.
+- PRs *must* be labelled with a `release-note/category` label, where category is one of
+`major`, `minor`, `small`, `docs`, or `infra`, unless the change is really small, in which case
+it may have a `release-note/not-required` category.
+- PRs *must* include a file named `changelogs/unreleased/PR#-githubID-category.md`, which is a Markdown
+file with a description of the change. Please see `changelogs/unreleased/<category>-sample.md` for 
+sample changelogs.
 - If main has moved on, you'll need to rebase before we can merge,
 so merging upstream main or rebasing from upstream before opening your
 PR will probably save you some time.
-
-Pull requests *must* include a `Fixes #NNNN` or `Updates #NNNN` comment.
+- Pull requests *must* include a `Fixes #NNNN` or `Updates #NNNN` comment.
 Remember that `Fixes` will close the associated issue, and `Updates` will link the PR to it.
 
 #### Commit message template

changelogs/CHANGELOG-v1.10.0

@@ -0,0 +1,66 @@
+We are delighted to present version 1.10.0 of Contour, our layer 7 HTTP reverse proxy for Kubernetes clusters.
+
+There have been a bunch of great contributions from our community for this release, thanks to everyone!
+
+# Major Changes
+
+## Envoy xDS v3 Support
+Contour now supports Envoy's xDS v3 protocol in addition to the deprecated v2 protocol. The example YAML has been updated to configure Envoy to use the v3 protocol by default.
+
+When users have an existing Contour installation and wish to upgrade without dropping connections, users should first upgrade Contour  to v1.10.0 which will serve both v2 and v3 xDS versions from the same gRPC endpoint. Next, change the Envoy Daemonset or deployment to include `--xds-resource-version=v3` as an argument in the `envoy-initconfig` init container, which tells Envoy to upgrade to the `v3` resource version. The usual rollout process will handle draining connections allowing a fleet of Envoy instances to move from the v2 xDS Resource API version gradually to the v3 version.
+
+See the xDS Migration guide for more information: https://projectcontour.io/guides/xds-migration/
+
+Related issues and PRs: #1898, #2930, #3016, #3017, #3068, #3079, #3074, #3087, #3093
+
+Thanks to @stevesloka and @jpeach for their hard work on this upgrade.
+
+## Custom JSON fields for Envoy access logs
+Contour now supports custom JSON fields in the Envoy access log. Custom fields can be specified in the `json-fields` config field, using the format `<custom-field-name>=<Envoy format string>`, where the Envoy format string can contain [any Envoy command operator](https://www.envoyproxy.io/docs/envoy/latest/configuration/observability/access_log/usage#command-operators) except `DYNAMIC_METADATA` and `FILTER_STATE`. 
+
+You can read more about this feature in Contour's [updated guide to structured logging](https://projectcontour.io/guides/structured-logs/).
+
+Related issues and PRs: #3059, #3032, #1507
+
+Thanks to @Mike1808, @KauzClay, and @XanderStrike for designing and implementing this feature!
+
+## Multi-arch Docker images
+Contour's Docker images are now multi-architecture, with `linux/amd64` and `linux/arm64` currently supported. No change is needed by users; the correct architecture will be automatically be pulled for your host.
+
+Related issues and PRs: #3031, #2868
+
+Thanks to @skriss for implementing multi-arch support.
+
+## Envoy 1.16
+
+Contour now uses Envoy 1.16.0.
+
+Related issues and PRs: #3029, #3013
+
+Thanks to @yoitsro for this upgrade!
+
+## Default minimum TLS version is now 1.2
+
+TLS 1.2 is now the default minimum TLS version for `HTTPProxies` and `Ingresses`. It's still possible to use 1.1 if necessary by explicitly specifying it. See the [HTTPProxy documentation](https://projectcontour.io/docs/v1.10.0/config/tls-termination/) and [Ingress documentation](https://projectcontour.io/docs/v1.10.0/config/annotations/#contour-specific-ingress-annotations) for more information.
+
+Related issues and PRs: #3007, #2777, #3012
+
+Thanks to @skriss for making this change.
+
+## RBAC v1
+
+Contour's example YAML now uses `rbac.authorization.k8s.io/v1` instead of the deprecated `rbac.authorization.k8s.io/v1beta1` version for role-based access control (RBAC) resources. RBAC has been generally available in Kubernetes since v1.8, so this has no effect on the minimum supported Kubernetes version.
+
+Related issues and PRs: #3015, #2991
+
+Thanks to @narahari92 for this upgrade!
+
+# Deprecation & Removal Notices
+- The `request-timeout` field has been removed from the config file. This field was moved into the timeouts block, i.e. `timeouts.request-timeout`, in Contour 1.7.
+- In Contour 1.11, TLS 1.1 will be disabled by default. Users who require TLS 1.1 will have to enable it via the config file's `tls.minimum-protocol-version` field, and by specifying it for each `HTTPProxy` or `Ingress` where it's needed. See the [HTTPProxy documentation](https://projectcontour.io/docs/v1.10.0/config/tls-termination/) and [Ingress documentation](https://projectcontour.io/docs/v1.10.0/config/annotations/#contour-specific-ingress-annotations) for more information.
+
+# Upgrading
+Please consult the upgrade [documentation](https://projectcontour.io/resources/upgrading/).
+
+# Are you a Contour user? We would love to know!
+If you're using Contour and want to add your organization to our adopters list, please visit this [page](https://github.com/projectcontour/contour/blob/master/ADOPTERS.md). If you prefer to keep your organization name anonymous but still give us feedback into your usage and scenarios for Contour, please post on this [GitHub thread](https://github.com/projectcontour/contour/issues/1269).

changelogs/CHANGELOG-v1.10.1

@@ -0,0 +1,6 @@
+We are delighted to present version 1.10.1 of Contour, our layer 7 HTTP reverse proxy for Kubernetes clusters.
+
+## Fixes
+
+- Upgrades the default Envoy version from 1.16.0 to 1.16.2 for security and bug fixes. See the Envoy [1.16.1](https://www.envoyproxy.io/docs/envoy/v1.16.2/version_history/v1.16.1) and [1.16.2](https://www.envoyproxy.io/docs/envoy/v1.16.2/version_history/current) changelogs for details.
+- Fixes a concurrent map access issue which could lead to Contour crashing/restarting (#3199).