diff --git a/.github/dependabot.yml b/.github/dependabot.yml index d0a786afc7c..c4fd727abe7 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml @@ -30,6 +30,11 @@ updates: - release-note/none-required reviewers: - projectcontour/maintainers + groups: + artifact-actions: + patterns: + - "actions/upload-artifact" + - "actions/download-artifact" # release branch N targets - target-branch: release-1.27 @@ -68,6 +73,11 @@ updates: - release-note/none-required reviewers: - projectcontour/maintainers + groups: + artifact-actions: + patterns: + - "actions/upload-artifact" + - "actions/download-artifact" # release branch N-1 targets - target-branch: release-1.26 @@ -106,6 +116,11 @@ updates: - release-note/none-required reviewers: - projectcontour/maintainers + groups: + artifact-actions: + patterns: + - "actions/upload-artifact" + - "actions/download-artifact" # release branch N-2 targets - target-branch: release-1.25 @@ -144,3 +159,8 @@ updates: - release-note/none-required reviewers: - projectcontour/maintainers + groups: + artifact-actions: + patterns: + - "actions/upload-artifact" + - "actions/download-artifact" diff --git a/.github/reviewers.yaml b/.github/reviewers.yaml new file mode 100644 index 00000000000..a42a3554aea --- /dev/null +++ b/.github/reviewers.yaml @@ -0,0 +1,7 @@ +reviewers: + defaults: + - team:contour-reviewers + +options: + ignore_draft: true + number_of_reviewers: 1 diff --git a/.github/workflows/build_daily.yaml b/.github/workflows/build_daily.yaml index 2c36d99ba16..80f7b7bf976 100644 --- a/.github/workflows/build_daily.yaml +++ b/.github/workflows/build_daily.yaml @@ -10,13 +10,13 @@ on: env: GOPROXY: https://proxy.golang.org/ SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }} - GO_VERSION: 1.21.3 + GO_VERSION: 1.21.5 jobs: e2e-envoy-xds: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 - - uses: actions/cache@v3 + - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + - uses: actions/cache@704facf57e6136b1bc63b828d79edcd491f0ee84 # v3.3.2 with: # * Module download cache # * Build cache (Linux) @@ -26,7 +26,7 @@ jobs: key: ${{ runner.os }}-${{ github.job }}-go-${{ hashFiles('**/go.sum') }} restore-keys: | ${{ runner.os }}-${{ github.job }}-go- - - uses: actions/setup-go@v4 + - uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0 with: go-version: ${{ env.GO_VERSION }} cache: false @@ -40,7 +40,7 @@ jobs: CONTOUR_E2E_XDS_SERVER_TYPE: envoy run: | make setup-kind-cluster run-e2e cleanup-kind - - uses: act10ns/slack@v2 + - uses: act10ns/slack@ed1309ab9862e57e9e583e51c7889486b9a00b0f # v2.0.0 with: status: ${{ job.status }} steps: ${{ toJson(steps) }} @@ -49,8 +49,8 @@ jobs: e2e-envoy-deployment: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 - - uses: actions/cache@v3 + - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + - uses: actions/cache@704facf57e6136b1bc63b828d79edcd491f0ee84 # v3.3.2 with: # * Module download cache # * Build cache (Linux) @@ -60,7 +60,7 @@ jobs: key: ${{ runner.os }}-${{ github.job }}-go-${{ hashFiles('**/go.sum') }} restore-keys: | ${{ runner.os }}-${{ github.job }}-go- - - uses: actions/setup-go@v4 + - uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0 with: go-version: ${{ env.GO_VERSION }} cache: false @@ -74,7 +74,7 @@ jobs: CONTOUR_E2E_ENVOY_DEPLOYMENT_MODE: deployment run: | make setup-kind-cluster run-e2e cleanup-kind - - uses: act10ns/slack@v2 + - uses: act10ns/slack@ed1309ab9862e57e9e583e51c7889486b9a00b0f # v2.0.0 with: status: ${{ job.status }} steps: ${{ toJson(steps) }} @@ -83,8 +83,8 @@ jobs: e2e-gateway-reconcile-controller: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 - - uses: actions/cache@v3 + - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + - uses: actions/cache@704facf57e6136b1bc63b828d79edcd491f0ee84 # v3.3.2 with: # * Module download cache # * Build cache (Linux) @@ -94,7 +94,7 @@ jobs: key: ${{ runner.os }}-${{ github.job }}-go-${{ hashFiles('**/go.sum') }} restore-keys: | ${{ runner.os }}-${{ github.job }}-go- - - uses: actions/setup-go@v4 + - uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0 with: go-version: ${{ env.GO_VERSION }} cache: false @@ -109,7 +109,7 @@ jobs: CONTOUR_E2E_GATEWAY_RECONCILE_MODE: controller run: | make setup-kind-cluster run-e2e cleanup-kind - - uses: act10ns/slack@v2 + - uses: act10ns/slack@ed1309ab9862e57e9e583e51c7889486b9a00b0f # v2.0.0 with: status: ${{ job.status }} steps: ${{ toJson(steps) }} @@ -118,8 +118,8 @@ jobs: e2e-ipv6: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 - - uses: actions/cache@v3 + - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + - uses: actions/cache@704facf57e6136b1bc63b828d79edcd491f0ee84 # v3.3.2 with: # * Module download cache # * Build cache (Linux) @@ -129,7 +129,7 @@ jobs: key: ${{ runner.os }}-${{ github.job }}-go-${{ hashFiles('**/go.sum') }} restore-keys: | ${{ runner.os }}-${{ github.job }}-go- - - uses: actions/setup-go@v4 + - uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0 with: go-version: ${{ env.GO_VERSION }} cache: false @@ -146,7 +146,7 @@ jobs: make setup-kind-cluster export CONTOUR_E2E_LOCAL_HOST=$(ifconfig | grep inet6 | grep global | head -n1 | awk '{print $2}') make run-e2e cleanup-kind - - uses: act10ns/slack@v2 + - uses: act10ns/slack@ed1309ab9862e57e9e583e51c7889486b9a00b0f # v2.0.0 with: status: ${{ job.status }} steps: ${{ toJson(steps) }} @@ -155,8 +155,8 @@ jobs: e2e-endpoint-slices: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 - - uses: actions/cache@v3 + - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + - uses: actions/cache@704facf57e6136b1bc63b828d79edcd491f0ee84 # v3.3.2 with: # * Module download cache # * Build cache (Linux) @@ -166,7 +166,7 @@ jobs: key: ${{ runner.os }}-${{ github.job }}-go-${{ hashFiles('**/go.sum') }} restore-keys: | ${{ runner.os }}-${{ github.job }}-go- - - uses: actions/setup-go@v4 + - uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0 with: go-version: ${{ env.GO_VERSION }} cache: false @@ -180,10 +180,9 @@ jobs: CONTOUR_E2E_USE_ENDPOINT_SLICES: true run: | make setup-kind-cluster run-e2e cleanup-kind - - uses: act10ns/slack@v2 + - uses: act10ns/slack@ed1309ab9862e57e9e583e51c7889486b9a00b0f # v2.0.0 with: status: ${{ job.status }} steps: ${{ toJson(steps) }} channel: '#contour-ci-notifications' if: ${{ failure() && github.ref == 'refs/heads/main' }} - diff --git a/.github/workflows/build_main.yaml b/.github/workflows/build_main.yaml index f11b20c859e..33200cf2e21 100644 --- a/.github/workflows/build_main.yaml +++ b/.github/workflows/build_main.yaml @@ -11,13 +11,13 @@ jobs: build: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v3 + uses: docker/setup-buildx-action@f95db51fddba0c2d1ec667646a06c2ce06100226 # v3.0.0 with: version: latest - name: Log in to GHCR - uses: docker/login-action@v3 + uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0 with: registry: ghcr.io username: ${{ github.actor }} @@ -30,7 +30,7 @@ jobs: PUSH_IMAGE: "true" run: | make multiarch-build - - uses: act10ns/slack@v2 + - uses: act10ns/slack@ed1309ab9862e57e9e583e51c7889486b9a00b0f # v2.0.0 with: status: ${{ job.status }} steps: ${{ toJson(steps) }} diff --git a/.github/workflows/build_tag.yaml b/.github/workflows/build_tag.yaml index 1310cc48c0c..2d2ed44e10a 100644 --- a/.github/workflows/build_tag.yaml +++ b/.github/workflows/build_tag.yaml @@ -15,18 +15,18 @@ on: env: GOPROXY: https://proxy.golang.org/ SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }} - GO_VERSION: 1.21.3 + GO_VERSION: 1.21.5 jobs: build: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v3 + uses: docker/setup-buildx-action@f95db51fddba0c2d1ec667646a06c2ce06100226 # v3.0.0 with: version: latest - name: Log in to GHCR - uses: docker/login-action@v3 + uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0 with: registry: ghcr.io username: ${{ github.actor }} @@ -37,7 +37,7 @@ jobs: TAG_LATEST: "false" run: | ./hack/actions/build-and-push-release-images.sh - - uses: act10ns/slack@v2 + - uses: act10ns/slack@ed1309ab9862e57e9e583e51c7889486b9a00b0f # v2.0.0 with: status: ${{ job.status }} steps: ${{ toJson(steps) }} @@ -47,8 +47,8 @@ jobs: runs-on: ubuntu-latest needs: [build] steps: - - uses: actions/checkout@v4 - - uses: actions/cache@v3 + - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + - uses: actions/cache@704facf57e6136b1bc63b828d79edcd491f0ee84 # v3.3.2 with: # * Module download cache # * Build cache (Linux) @@ -58,7 +58,7 @@ jobs: key: ${{ runner.os }}-${{ github.job }}-go-${{ hashFiles('**/go.sum') }} restore-keys: | ${{ runner.os }}-${{ github.job }}-go- - - uses: actions/setup-go@v4 + - uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0 with: go-version: ${{ env.GO_VERSION }} cache: false @@ -73,11 +73,11 @@ jobs: export CONTOUR_E2E_IMAGE="ghcr.io/projectcontour/contour:$(git describe --tags)" make setup-kind-cluster run-gateway-conformance cleanup-kind - name: Upload gateway conformance report - uses: actions/upload-artifact@v3 + uses: actions/upload-artifact@c7d193f32edcb7bfad88892161225aeda64e9392 # v4.0.0 with: name: gateway-conformance-report path: gateway-conformance-report/projectcontour-contour-*.yaml - - uses: act10ns/slack@v2 + - uses: act10ns/slack@ed1309ab9862e57e9e583e51c7889486b9a00b0f # v2.0.0 with: status: ${{ job.status }} steps: ${{ toJson(steps) }} diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml index 4d44ae9c514..f9103325ba7 100644 --- a/.github/workflows/codeql-analysis.yml +++ b/.github/workflows/codeql-analysis.yml @@ -11,7 +11,7 @@ on: env: GOPROXY: https://proxy.golang.org/ - GO_VERSION: 1.21.3 + GO_VERSION: 1.21.5 jobs: CodeQL-Build: @@ -19,9 +19,9 @@ jobs: steps: - name: Checkout repository - uses: actions/checkout@v4 + uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - - uses: actions/cache@v3 + - uses: actions/cache@704facf57e6136b1bc63b828d79edcd491f0ee84 # v3.3.2 with: # * Module download cache # * Build cache (Linux) @@ -32,20 +32,20 @@ jobs: restore-keys: | ${{ runner.os }}-${{ github.job }}-go- - - uses: actions/setup-go@v4 + - uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0 with: go-version: ${{ env.GO_VERSION }} cache: false # Initializes the CodeQL tools for scanning. - name: Initialize CodeQL - uses: github/codeql-action/init@v2 + uses: github/codeql-action/init@012739e5082ff0c22ca6d6ab32e07c36df03c4a4 # v3.22.12 with: languages: go # Autobuild attempts to build any compiled languages (C/C++, C#, or Java). - name: Autobuild - uses: github/codeql-action/autobuild@v2 + uses: github/codeql-action/autobuild@012739e5082ff0c22ca6d6ab32e07c36df03c4a4 # v3.22.12 - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@v2 + uses: github/codeql-action/analyze@012739e5082ff0c22ca6d6ab32e07c36df03c4a4 # v3.22.12 diff --git a/.github/workflows/label_check.yaml b/.github/workflows/label_check.yaml index 72ea481b7ea..bcca6be23fc 100644 --- a/.github/workflows/label_check.yaml +++ b/.github/workflows/label_check.yaml @@ -20,17 +20,17 @@ jobs: name: Check release-note label set runs-on: ubuntu-latest steps: - - uses: mheap/github-action-required-labels@v5 + - uses: mheap/github-action-required-labels@4e9ef4ce8c697cf55716ecbf7f13a3d9e0b6ac6a # v5.1.0 with: mode: minimum count: 1 labels: "release-note/major, release-note/minor, release-note/small, release-note/docs, release-note/infra, release-note/deprecation, release-note/none-required" - - uses: mheap/github-action-required-labels@v5 + - uses: mheap/github-action-required-labels@4e9ef4ce8c697cf55716ecbf7f13a3d9e0b6ac6a # v5.1.0 with: mode: maximum count: 1 labels: "release-note/major, release-note/minor, release-note/small, release-note/docs, release-note/infra, release-note/none-required" - - uses: mheap/github-action-required-labels@v5 + - uses: mheap/github-action-required-labels@4e9ef4ce8c697cf55716ecbf7f13a3d9e0b6ac6a # v5.1.0 with: mode: maximum count: 1 @@ -41,8 +41,8 @@ jobs: - check-label runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 - - uses: actions/cache@v3 + - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + - uses: actions/cache@704facf57e6136b1bc63b828d79edcd491f0ee84 # v3.3.2 with: # * Module download cache # * Build cache (Linux) @@ -52,7 +52,7 @@ jobs: key: ${{ runner.os }}-${{ github.job }}-go-${{ hashFiles('**/go.sum') }} restore-keys: | ${{ runner.os }}-${{ github.job }}-go- - - uses: actions/setup-go@v4 + - uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0 with: go-version: 'stable' cache: false diff --git a/.github/workflows/openssf-scorecard.yaml b/.github/workflows/openssf-scorecard.yaml new file mode 100644 index 00000000000..c2b1ce0965f --- /dev/null +++ b/.github/workflows/openssf-scorecard.yaml @@ -0,0 +1,46 @@ +name: OpenSSF Scorecard +on: + branch_protection_rule: + # Run weekly + schedule: + - cron: '0 12 * * 1' + push: + branches: + - "main" + # Allow manual runs + workflow_dispatch: + +permissions: + contents: read + +jobs: + analysis: + name: Scorecard analysis + runs-on: ubuntu-latest + permissions: + security-events: write + id-token: write + + steps: + - name: "Checkout code" + uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + with: + persist-credentials: false + + - name: "Run analysis" + uses: ossf/scorecard-action@0864cf19026789058feabb7e87baa5f140aac736 # v2.3.1 + with: + results_file: results.sarif + results_format: sarif + publish_results: true + + - name: "Upload artifact" + uses: actions/upload-artifact@c7d193f32edcb7bfad88892161225aeda64e9392 # v4.0.0 + with: + name: SARIF file + path: results.sarif + + - name: "Upload to code-scanning" + uses: github/codeql-action/upload-sarif@012739e5082ff0c22ca6d6ab32e07c36df03c4a4 # v3.22.12 + with: + sarif_file: results.sarif diff --git a/.github/workflows/prbuild.yaml b/.github/workflows/prbuild.yaml index 39e5087cb0b..0016ab9fa37 100644 --- a/.github/workflows/prbuild.yaml +++ b/.github/workflows/prbuild.yaml @@ -11,24 +11,24 @@ on: env: GOPROXY: https://proxy.golang.org/ SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }} - GO_VERSION: 1.21.3 + GO_VERSION: 1.21.5 jobs: lint: runs-on: ubuntu-latest steps: - - uses: actions/setup-go@v4 + - uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0 with: go-version: ${{ env.GO_VERSION }} cache: false - - uses: actions/checkout@v4 + - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - name: golangci-lint - uses: golangci/golangci-lint-action@v3 + uses: golangci/golangci-lint-action@3a919529898de77ec3da873e3063ca4b10e7f5cc # v3.7.0 with: version: v1.55.2 # TODO: re-enable linting tools package once https://github.com/projectcontour/contour/issues/5077 # is resolved args: --build-tags=e2e,conformance,gcp,oidc,none - - uses: act10ns/slack@v2 + - uses: act10ns/slack@ed1309ab9862e57e9e583e51c7889486b9a00b0f # v2.0.0 with: status: ${{ job.status }} steps: ${{ toJson(steps) }} @@ -39,15 +39,15 @@ jobs: runs-on: ubuntu-latest timeout-minutes: 5 steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - name: Codespell - uses: codespell-project/actions-codespell@v2.0 + uses: codespell-project/actions-codespell@94259cd8be02ad2903ba34a22d9c13de21a74461 # v2.0 with: skip: .git,*.png,*.woff,*.woff2,*.eot,*.ttf,*.jpg,*.ico,*.svg,./site/themes/contour/static/fonts/README.md,./vendor,./site/public,./hack/actions/check-changefile-exists.go,go.mod,go.sum ignore_words_file: './.codespell.ignorewords' check_filenames: true check_hidden: true - - uses: act10ns/slack@v2 + - uses: act10ns/slack@ed1309ab9862e57e9e583e51c7889486b9a00b0f # v2.0.0 with: status: ${{ job.status }} steps: ${{ toJson(steps) }} @@ -56,8 +56,8 @@ jobs: codegen: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 - - uses: actions/cache@v3 + - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + - uses: actions/cache@704facf57e6136b1bc63b828d79edcd491f0ee84 # v3.3.2 with: # * Module download cache # * Build cache (Linux) @@ -67,7 +67,7 @@ jobs: key: ${{ runner.os }}-${{ github.job }}-go-${{ hashFiles('**/go.sum') }} restore-keys: | ${{ runner.os }}-${{ github.job }}-go- - - uses: actions/setup-go@v4 + - uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0 with: go-version: ${{ env.GO_VERSION }} cache: false @@ -79,7 +79,7 @@ jobs: run: | make generate lint-yamllint lint-flags ./hack/actions/check-uncommitted-codegen.sh - - uses: act10ns/slack@v2 + - uses: act10ns/slack@ed1309ab9862e57e9e583e51c7889486b9a00b0f # v2.0.0 with: status: ${{ job.status }} steps: ${{ toJson(steps) }} @@ -92,9 +92,9 @@ jobs: - codegen runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v3 + uses: docker/setup-buildx-action@f95db51fddba0c2d1ec667646a06c2ce06100226 # v3.0.0 with: version: latest - name: Build image @@ -103,11 +103,11 @@ jobs: run: | make multiarch-build - name: Upload image - uses: actions/upload-artifact@v3 + uses: actions/upload-artifact@c7d193f32edcb7bfad88892161225aeda64e9392 # v4.0.0 with: name: image path: image/contour-*.tar - - uses: act10ns/slack@v2 + - uses: act10ns/slack@ed1309ab9862e57e9e583e51c7889486b9a00b0f # v2.0.0 with: status: ${{ job.status }} steps: ${{ toJson(steps) }} @@ -129,24 +129,24 @@ jobs: # image to use) for each kubernetes_version value. include: - kubernetes_version: "kubernetes:latest" - node_image: "docker.io/kindest/node:v1.28.0@sha256:b7a4cad12c197af3ba43202d3efe03246b3f0793f162afb40a33c923952d5b31" + node_image: "docker.io/kindest/node:v1.29.0@sha256:eaa1450915475849a73a9227b8f201df25e55e268e5d619312131292e324d570" - kubernetes_version: "kubernetes:n-1" - node_image: "docker.io/kindest/node:v1.27.3@sha256:3966ac761ae0136263ffdb6cfd4db23ef8a83cba8a463690e98317add2c9ba72" + node_image: "docker.io/kindest/node:v1.28.0@sha256:b7a4cad12c197af3ba43202d3efe03246b3f0793f162afb40a33c923952d5b31" - kubernetes_version: "kubernetes:n-2" - node_image: "docker.io/kindest/node:v1.26.6@sha256:6e2d8b28a5b601defe327b98bd1c2d1930b49e5d8c512e1895099e4504007adb" + node_image: "docker.io/kindest/node:v1.27.3@sha256:3966ac761ae0136263ffdb6cfd4db23ef8a83cba8a463690e98317add2c9ba72" - config_type: "ConfigmapConfiguration" use_config_crd: "false" - config_type: "ContourConfiguration" use_config_crd: "true" steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - name: Download image - uses: actions/download-artifact@v3 + uses: actions/download-artifact@f44cd7b40bfd40b6aa1cc1b9b5b7bf03d3c67110 # v4.1.0 with: name: image path: image - - uses: actions/cache@v3 + - uses: actions/cache@704facf57e6136b1bc63b828d79edcd491f0ee84 # v3.3.2 with: # * Module download cache # * Build cache (Linux) @@ -156,7 +156,7 @@ jobs: key: ${{ runner.os }}-${{ github.job }}-go-${{ hashFiles('**/go.sum') }} restore-keys: | ${{ runner.os }}-${{ github.job }}-go- - - uses: actions/setup-go@v4 + - uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0 with: go-version: ${{ env.GO_VERSION }} cache: false @@ -172,7 +172,7 @@ jobs: run: | export CONTOUR_E2E_IMAGE="ghcr.io/projectcontour/contour:$(ls ./image/contour-*.tar | sed -E 's/.*contour-(.*).tar/\1/')" make e2e - - uses: act10ns/slack@v2 + - uses: act10ns/slack@ed1309ab9862e57e9e583e51c7889486b9a00b0f # v2.0.0 with: status: ${{ job.status }} steps: ${{ toJson(steps) }} @@ -192,23 +192,23 @@ jobs: # image to use) for each kubernetes_version value. include: - kubernetes_version: "kubernetes:latest" - node_image: "docker.io/kindest/node:v1.28.0@sha256:b7a4cad12c197af3ba43202d3efe03246b3f0793f162afb40a33c923952d5b31" + node_image: "docker.io/kindest/node:v1.29.0@sha256:eaa1450915475849a73a9227b8f201df25e55e268e5d619312131292e324d570" - kubernetes_version: "kubernetes:n-1" - node_image: "docker.io/kindest/node:v1.27.3@sha256:3966ac761ae0136263ffdb6cfd4db23ef8a83cba8a463690e98317add2c9ba72" + node_image: "docker.io/kindest/node:v1.28.0@sha256:b7a4cad12c197af3ba43202d3efe03246b3f0793f162afb40a33c923952d5b31" - kubernetes_version: "kubernetes:n-2" - node_image: "docker.io/kindest/node:v1.26.6@sha256:6e2d8b28a5b601defe327b98bd1c2d1930b49e5d8c512e1895099e4504007adb" + node_image: "docker.io/kindest/node:v1.27.3@sha256:3966ac761ae0136263ffdb6cfd4db23ef8a83cba8a463690e98317add2c9ba72" steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 with: # Fetch history for all tags and branches so we can figure out most # recent release tag. fetch-depth: 0 - name: Download image - uses: actions/download-artifact@v3 + uses: actions/download-artifact@f44cd7b40bfd40b6aa1cc1b9b5b7bf03d3c67110 # v4.1.0 with: name: image path: image - - uses: actions/cache@v3 + - uses: actions/cache@704facf57e6136b1bc63b828d79edcd491f0ee84 # v3.3.2 with: # * Module download cache # * Build cache (Linux) @@ -218,7 +218,7 @@ jobs: key: ${{ runner.os }}-${{ github.job }}-go-${{ hashFiles('**/go.sum') }} restore-keys: | ${{ runner.os }}-${{ github.job }}-go- - - uses: actions/setup-go@v4 + - uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0 with: go-version: ${{ env.GO_VERSION }} cache: false @@ -235,24 +235,12 @@ jobs: run: | export CONTOUR_E2E_IMAGE="ghcr.io/projectcontour/contour:$(ls ./image/contour-*.tar | sed -E 's/.*contour-(.*).tar/\1/')" make upgrade - - uses: act10ns/slack@v2 + - uses: act10ns/slack@ed1309ab9862e57e9e583e51c7889486b9a00b0f # v2.0.0 with: status: ${{ job.status }} steps: ${{ toJson(steps) }} channel: '#contour-ci-notifications' if: ${{ failure() && github.ref == 'refs/heads/main' }} - # TODO: re-enable once Ingress v1 support is complete - # ingress-conformance: - # runs-on: ubuntu-latest - # steps: - # - uses: actions/checkout@v4 - # - name: add deps to path - # run: | - # ./hack/actions/install-kubernetes-toolchain.sh $GITHUB_WORKSPACE/bin - # echo "$GITHUB_WORKSPACE/bin" >> $GITHUB_PATH - # - name: ingress conformance tests - # run: | - # make check-ingress-conformance test-linux: needs: - lint @@ -260,8 +248,8 @@ jobs: - codegen runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 - - uses: actions/cache@v3 + - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + - uses: actions/cache@704facf57e6136b1bc63b828d79edcd491f0ee84 # v3.3.2 with: # * Module download cache # * Build cache (Linux) @@ -271,7 +259,7 @@ jobs: key: ${{ runner.os }}-${{ github.job }}-go-${{ hashFiles('**/go.sum') }} restore-keys: | ${{ runner.os }}-${{ github.job }}-go- - - uses: actions/setup-go@v4 + - uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0 with: go-version: ${{ env.GO_VERSION }} cache: false @@ -285,10 +273,10 @@ jobs: make check-coverage - name: codeCoverage if: ${{ success() }} - uses: codecov/codecov-action@v3 + uses: codecov/codecov-action@eaaf4bedf32dbdc6b720b63067d99c4d77d6047d # v3.1.4 with: files: coverage.out - - uses: act10ns/slack@v2 + - uses: act10ns/slack@ed1309ab9862e57e9e583e51c7889486b9a00b0f # v2.0.0 with: status: ${{ job.status }} steps: ${{ toJson(steps) }} @@ -301,8 +289,8 @@ jobs: - codegen runs-on: macos-latest steps: - - uses: actions/checkout@v4 - - uses: actions/cache@v3 + - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + - uses: actions/cache@704facf57e6136b1bc63b828d79edcd491f0ee84 # v3.3.2 with: # * Module download cache # * Build cache (Windows) @@ -312,7 +300,7 @@ jobs: key: ${{ runner.os }}-${{ github.job }}-go-${{ hashFiles('**/go.sum') }} restore-keys: | ${{ runner.os }}-${{ github.job }}-go- - - uses: actions/setup-go@v4 + - uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0 with: go-version: ${{ env.GO_VERSION }} cache: false @@ -324,7 +312,7 @@ jobs: run: | make install make check-coverage - - uses: act10ns/slack@v2 + - uses: act10ns/slack@ed1309ab9862e57e9e583e51c7889486b9a00b0f # v2.0.0 with: status: ${{ job.status }} steps: ${{ toJson(steps) }} @@ -334,13 +322,13 @@ jobs: runs-on: ubuntu-latest needs: [build-image] steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - name: Download image - uses: actions/download-artifact@v3 + uses: actions/download-artifact@f44cd7b40bfd40b6aa1cc1b9b5b7bf03d3c67110 # v4.1.0 with: name: image path: image - - uses: actions/cache@v3 + - uses: actions/cache@704facf57e6136b1bc63b828d79edcd491f0ee84 # v3.3.2 with: # * Module download cache # * Build cache (Linux) @@ -350,7 +338,7 @@ jobs: key: ${{ runner.os }}-${{ github.job }}-go-${{ hashFiles('**/go.sum') }} restore-keys: | ${{ runner.os }}-${{ github.job }}-go- - - uses: actions/setup-go@v4 + - uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0 with: go-version: ${{ env.GO_VERSION }} cache: false @@ -364,7 +352,7 @@ jobs: run: | export CONTOUR_E2E_IMAGE="ghcr.io/projectcontour/contour:$(ls ./image/contour-*.tar | sed -E 's/.*contour-(.*).tar/\1/')" make gateway-conformance - - uses: act10ns/slack@v2 + - uses: act10ns/slack@ed1309ab9862e57e9e583e51c7889486b9a00b0f # v2.0.0 with: status: ${{ job.status }} steps: ${{ toJson(steps) }} diff --git a/.github/workflows/request-reviews.yaml b/.github/workflows/request-reviews.yaml new file mode 100644 index 00000000000..5c1a70060d4 --- /dev/null +++ b/.github/workflows/request-reviews.yaml @@ -0,0 +1,14 @@ +name: Request Reviews + +on: + pull_request_target: + types: [opened, ready_for_review, reopened] + +jobs: + request-reviews: + runs-on: ubuntu-latest + steps: + - uses: necojackarc/auto-request-review@6a51cebffe2c084705d9a7b394abd802e0119633 # v0.12.0 + with: + token: ${{ secrets.PAT_FOR_AUTO_REQUEST_REVIEW }} + config: .github/reviewers.yaml diff --git a/.github/workflows/stale.yaml b/.github/workflows/stale.yaml index e4a1ccdcb0c..4a1b43d1980 100644 --- a/.github/workflows/stale.yaml +++ b/.github/workflows/stale.yaml @@ -11,7 +11,7 @@ jobs: stale: runs-on: ubuntu-latest steps: - - uses: actions/stale@v8 + - uses: actions/stale@28ca1036281a5e5922ead5184a1bbf96e5fc984e # v9.0.0 with: repo-token: ${{ secrets.GITHUB_TOKEN }} exempt-all-milestones: true diff --git a/.github/workflows/trivy-scan.yaml b/.github/workflows/trivy-scan.yaml index 4e3dfe76ffd..71dfdd6eae2 100644 --- a/.github/workflows/trivy-scan.yaml +++ b/.github/workflows/trivy-scan.yaml @@ -18,10 +18,10 @@ jobs: - release-1.25 runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 with: ref: ${{ matrix.branch }} - - uses: aquasecurity/trivy-action@0.14.0 + - uses: aquasecurity/trivy-action@d43c1f16c00cfd3978dde6c07f4bbcf9eb6993ca # 0.16.1 with: scanners: vuln scan-type: 'fs' @@ -29,6 +29,6 @@ jobs: output: 'trivy-results.sarif' ignore-unfixed: true severity: 'HIGH,CRITICAL' - - uses: github/codeql-action/upload-sarif@v2 + - uses: github/codeql-action/upload-sarif@012739e5082ff0c22ca6d6ab32e07c36df03c4a4 # v3.22.12 with: sarif_file: 'trivy-results.sarif' diff --git a/Makefile b/Makefile index 7147dd93579..81255feef62 100644 --- a/Makefile +++ b/Makefile @@ -44,7 +44,7 @@ endif IMAGE_PLATFORMS ?= linux/amd64,linux/arm64 # Base build image to use. -BUILD_BASE_IMAGE ?= golang:1.21.3 +BUILD_BASE_IMAGE ?= golang:1.21.5 # Enable build with CGO. BUILD_CGO_ENABLED ?= 0 diff --git a/apis/projectcontour/v1alpha1/contourconfig.go b/apis/projectcontour/v1alpha1/contourconfig.go index 015bcb8b6e2..3e50f1efc24 100644 --- a/apis/projectcontour/v1alpha1/contourconfig.go +++ b/apis/projectcontour/v1alpha1/contourconfig.go @@ -107,6 +107,21 @@ const ( EnvoyServerType XDSServerType = "envoy" ) +type GlobalCircuitBreakerDefaults struct { + // The maximum number of connections that a single Envoy instance allows to the Kubernetes Service; defaults to 1024. + // +optional + MaxConnections uint32 `json:"maxConnections,omitempty" yaml:"max-connections,omitempty"` + // The maximum number of pending requests that a single Envoy instance allows to the Kubernetes Service; defaults to 1024. + // +optional + MaxPendingRequests uint32 `json:"maxPendingRequests,omitempty" yaml:"max-pending-requests,omitempty"` + // The maximum parallel requests a single Envoy instance allows to the Kubernetes Service; defaults to 1024 + // +optional + MaxRequests uint32 `json:"maxRequests,omitempty" yaml:"max-requests,omitempty"` + // The maximum number of parallel retries a single Envoy instance allows to the Kubernetes Service; defaults to 3. + // +optional + MaxRetries uint32 `json:"maxRetries,omitempty" yaml:"max-retries,omitempty"` +} + // XDSServerConfig holds the config for the Contour xDS server. type XDSServerConfig struct { // Defines the XDSServer to use for `contour serve`. @@ -688,6 +703,17 @@ type ClusterParameters struct { // +kubebuilder:validation:Minimum=1 // +optional PerConnectionBufferLimitBytes *uint32 `json:"per-connection-buffer-limit-bytes,omitempty"` + + // GlobalCircuitBreakerDefaults specifies default circuit breaker budget across all services. + // If defined, this will be used as the default for all services. + // + // +optional + GlobalCircuitBreakerDefaults *GlobalCircuitBreakerDefaults `json:"circuitBreakers,omitempty"` + + // UpstreamTLS contains the TLS policy parameters for upstream connections + // + // +optional + UpstreamTLS *EnvoyTLS `json:"upstreamTLS,omitempty"` } // HTTPProxyConfig defines parameters on HTTPProxy. diff --git a/apis/projectcontour/v1alpha1/contourdeployment.go b/apis/projectcontour/v1alpha1/contourdeployment.go index abc371b5197..7a37ef5cecd 100644 --- a/apis/projectcontour/v1alpha1/contourdeployment.go +++ b/apis/projectcontour/v1alpha1/contourdeployment.go @@ -68,6 +68,9 @@ type ContourDeploymentSpec struct { RuntimeSettings *ContourConfigurationSpec `json:"runtimeSettings,omitempty"` // ResourceLabels is a set of labels to add to the provisioned Contour resources. + // + // Deprecated: use Gateway.Spec.Infrastructure.Labels instead. This field will be + // removed in a future release. // +optional ResourceLabels map[string]string `json:"resourceLabels,omitempty"` } diff --git a/apis/projectcontour/v1alpha1/zz_generated.deepcopy.go b/apis/projectcontour/v1alpha1/zz_generated.deepcopy.go index 883fb38a893..1727df16bd9 100644 --- a/apis/projectcontour/v1alpha1/zz_generated.deepcopy.go +++ b/apis/projectcontour/v1alpha1/zz_generated.deepcopy.go @@ -60,6 +60,16 @@ func (in *ClusterParameters) DeepCopyInto(out *ClusterParameters) { *out = new(uint32) **out = **in } + if in.GlobalCircuitBreakerDefaults != nil { + in, out := &in.GlobalCircuitBreakerDefaults, &out.GlobalCircuitBreakerDefaults + *out = new(GlobalCircuitBreakerDefaults) + **out = **in + } + if in.UpstreamTLS != nil { + in, out := &in.UpstreamTLS, &out.UpstreamTLS + *out = new(EnvoyTLS) + (*in).DeepCopyInto(*out) + } } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ClusterParameters. @@ -881,6 +891,21 @@ func (in *GatewayConfig) DeepCopy() *GatewayConfig { return out } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *GlobalCircuitBreakerDefaults) DeepCopyInto(out *GlobalCircuitBreakerDefaults) { + *out = *in +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GlobalCircuitBreakerDefaults. +func (in *GlobalCircuitBreakerDefaults) DeepCopy() *GlobalCircuitBreakerDefaults { + if in == nil { + return nil + } + out := new(GlobalCircuitBreakerDefaults) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *HTTPProxyConfig) DeepCopyInto(out *HTTPProxyConfig) { *out = *in diff --git a/changelogs/unreleased/5828-KauzClay-major.md b/changelogs/unreleased/5828-KauzClay-major.md new file mode 100644 index 00000000000..707f24a4cd0 --- /dev/null +++ b/changelogs/unreleased/5828-KauzClay-major.md @@ -0,0 +1,9 @@ +## Upstream TLS now supports TLS 1.3 and TLS parameters can be configured + +The default maximum TLS version for upstream connections is now 1.3, instead of the Envoy default of 1.2. + +In a similar way to how Contour users can configure Min/Max TLS version and +Cipher Suites for Envoy's listeners, users can now specify the +same information for upstream connections. In the ContourConfiguration, this is +available under `spec.envoy.cluster.upstreamTLS`. The equivalent config file +parameter is `cluster.upstream-tls`. diff --git a/changelogs/unreleased/5961-izturn-small.md b/changelogs/unreleased/5961-izturn-small.md new file mode 100644 index 00000000000..130c664704c --- /dev/null +++ b/changelogs/unreleased/5961-izturn-small.md @@ -0,0 +1 @@ +For Gateway API v1.0, the successful attachment of a Route to a Listener is based solely on the combination of the AllowedRoutes field on the corresponding Listener and the Route's ParentRefs field. diff --git a/changelogs/unreleased/5968-skriss-deprecation.md b/changelogs/unreleased/5968-skriss-deprecation.md new file mode 100644 index 00000000000..6146bec7461 --- /dev/null +++ b/changelogs/unreleased/5968-skriss-deprecation.md @@ -0,0 +1 @@ +The `ContourDeployment.Spec.ResourceLabels` field is now deprecated. You should use `Gateway.Spec.Infrastructure.Labels` instead. The `ResourceLabels` field will be removed in a future release. \ No newline at end of file diff --git a/changelogs/unreleased/5968-skriss-small.md b/changelogs/unreleased/5968-skriss-small.md new file mode 100644 index 00000000000..a0e80d9f346 --- /dev/null +++ b/changelogs/unreleased/5968-skriss-small.md @@ -0,0 +1 @@ +Gateway API: adds support for [Gateway infrastructure labels and annotations](https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.GatewayInfrastructure)``. \ No newline at end of file diff --git a/changelogs/unreleased/5969-skriss-small.md b/changelogs/unreleased/5969-skriss-small.md new file mode 100644 index 00000000000..064a7f3f4df --- /dev/null +++ b/changelogs/unreleased/5969-skriss-small.md @@ -0,0 +1 @@ +Gateway API: add the `gateway.networking.k8s.io/gateway-name` label to generated resources. \ No newline at end of file diff --git a/changelogs/unreleased/5997-izturn-minor.md b/changelogs/unreleased/5997-izturn-minor.md new file mode 100644 index 00000000000..efd30f164c4 --- /dev/null +++ b/changelogs/unreleased/5997-izturn-minor.md @@ -0,0 +1,3 @@ +## Gateway API: support HTTPRoute request timeouts + +Contour now enables end-users to specify request timeouts by setting the [HTTPRouteRule.Timeouts.Request](https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.HTTPRouteTimeouts) parameter. Note that `BackendRequest` is not yet implemented because without Gateway API support for retries, it's functionally equivalent to `Request`. \ No newline at end of file diff --git a/changelogs/unreleased/6013-davinci26-minor.md b/changelogs/unreleased/6013-davinci26-minor.md new file mode 100644 index 00000000000..df19a22dc78 --- /dev/null +++ b/changelogs/unreleased/6013-davinci26-minor.md @@ -0,0 +1,3 @@ +## Support for Global Circuit Breaker Policy + +The way [circuit-breaker-annotations](https://projectcontour.io/docs/1.27/config/annotations/) work currently is that when not present they are being defaulted to Envoy defaults. The Envoy defaults can be quite low for larger clusters with more traffic so if a user accidentally deletes them or unset them this cause an issue. With this change we are providing contour administrators the ability to provide global defaults that are good. In that case even if the user forgets to set them or deletes them they can have the safety net of good defaults. They can be configured via [cluster.circuit-breakers](https://projectcontour.io/docs/1.28/configuration/#circuit-breakers) or via `ContourConfiguration`` CRD in [spec.envoy.cluster.circuitBreakers](https://projectcontour.io/docs/1.28/config/api/#projectcontour.io/v1alpha1.GlobalCircuitBreakerDefaults) diff --git a/changelogs/unreleased/6031-skriss-small.md b/changelogs/unreleased/6031-skriss-small.md new file mode 100644 index 00000000000..71864af4250 --- /dev/null +++ b/changelogs/unreleased/6031-skriss-small.md @@ -0,0 +1 @@ +Updates to Kubernetes 1.29. Supported/tested Kubernetes versions are now 1.27, 1.28 and 1.29. \ No newline at end of file diff --git a/changelogs/unreleased/6053-sunjayBhatia-small.md b/changelogs/unreleased/6053-sunjayBhatia-small.md new file mode 100644 index 00000000000..f7590e4ec01 --- /dev/null +++ b/changelogs/unreleased/6053-sunjayBhatia-small.md @@ -0,0 +1 @@ +Updates to Go 1.21.5. See the [Go release notes](https://go.dev/doc/devel/release#go1.21.minor) for more information. diff --git a/cmd/contour/serve.go b/cmd/contour/serve.go index 6b9e90eedb2..333f573bb32 100644 --- a/cmd/contour/serve.go +++ b/cmd/contour/serve.go @@ -560,6 +560,12 @@ func (s *Server) doServe() error { globalRateLimitService: contourConfiguration.RateLimitService, maxRequestsPerConnection: contourConfiguration.Envoy.Cluster.MaxRequestsPerConnection, perConnectionBufferLimitBytes: contourConfiguration.Envoy.Cluster.PerConnectionBufferLimitBytes, + globalCircuitBreakerDefaults: contourConfiguration.Envoy.Cluster.GlobalCircuitBreakerDefaults, + upstreamTLS: &dag.UpstreamTLS{ + MinimumProtocolVersion: annotation.TLSVersion(contourConfiguration.Envoy.Cluster.UpstreamTLS.MinimumProtocolVersion, "1.2"), + MaximumProtocolVersion: annotation.TLSVersion(contourConfiguration.Envoy.Cluster.UpstreamTLS.MaximumProtocolVersion, "1.3"), + CipherSuites: contourConfiguration.Envoy.Cluster.UpstreamTLS.SanitizedCipherSuites(), + }, }) // Build the core Kubernetes event handler. @@ -1117,6 +1123,8 @@ type dagBuilderConfig struct { maxRequestsPerConnection *uint32 perConnectionBufferLimitBytes *uint32 globalRateLimitService *contour_api_v1alpha1.RateLimitServiceConfig + globalCircuitBreakerDefaults *contour_api_v1alpha1.GlobalCircuitBreakerDefaults + upstreamTLS *dag.UpstreamTLS } func (s *Server) getDAGBuilder(dbc dagBuilderConfig) *dag.Builder { @@ -1186,7 +1194,9 @@ func (s *Server) getDAGBuilder(dbc dagBuilderConfig) *dag.Builder { ConnectTimeout: dbc.connectTimeout, MaxRequestsPerConnection: dbc.maxRequestsPerConnection, PerConnectionBufferLimitBytes: dbc.perConnectionBufferLimitBytes, + GlobalCircuitBreakerDefaults: dbc.globalCircuitBreakerDefaults, SetSourceMetadataOnRoutes: true, + UpstreamTLS: dbc.upstreamTLS, }, &dag.ExtensionServiceProcessor{ // Note that ExtensionService does not support ExternalName, if it does get added, @@ -1194,6 +1204,7 @@ func (s *Server) getDAGBuilder(dbc dagBuilderConfig) *dag.Builder { FieldLogger: s.log.WithField("context", "ExtensionServiceProcessor"), ClientCertificate: dbc.clientCert, ConnectTimeout: dbc.connectTimeout, + UpstreamTLS: dbc.upstreamTLS, }, &dag.HTTPProxyProcessor{ EnableExternalNameService: dbc.enableExternalNameService, @@ -1209,6 +1220,8 @@ func (s *Server) getDAGBuilder(dbc dagBuilderConfig) *dag.Builder { GlobalRateLimitService: dbc.globalRateLimitService, PerConnectionBufferLimitBytes: dbc.perConnectionBufferLimitBytes, SetSourceMetadataOnRoutes: true, + GlobalCircuitBreakerDefaults: dbc.globalCircuitBreakerDefaults, + UpstreamTLS: dbc.upstreamTLS, }, } @@ -1220,6 +1233,7 @@ func (s *Server) getDAGBuilder(dbc dagBuilderConfig) *dag.Builder { MaxRequestsPerConnection: dbc.maxRequestsPerConnection, PerConnectionBufferLimitBytes: dbc.perConnectionBufferLimitBytes, SetSourceMetadataOnRoutes: true, + GlobalCircuitBreakerDefaults: dbc.globalCircuitBreakerDefaults, }) } diff --git a/cmd/contour/serve_test.go b/cmd/contour/serve_test.go index 8f6ac4234b1..4bf95257e73 100644 --- a/cmd/contour/serve_test.go +++ b/cmd/contour/serve_test.go @@ -123,6 +123,31 @@ func TestGetDAGBuilder(t *testing.T) { assert.ElementsMatch(t, map[string]string(nil), ingressProcessor.ResponseHeadersPolicy.Remove) }) + t.Run("GlobalCircuitBreakerDefaults specified for all processors", func(t *testing.T) { + g := contour_api_v1alpha1.GlobalCircuitBreakerDefaults{ + MaxConnections: 100, + } + + serve := &Server{ + log: logrus.StandardLogger(), + } + got := serve.getDAGBuilder(dagBuilderConfig{ + gatewayControllerName: "projectcontour.io/gateway-controller", + rootNamespaces: []string{}, + dnsLookupFamily: contour_api_v1alpha1.AutoClusterDNSFamily, + globalCircuitBreakerDefaults: &g, + }) + + iProcessor := mustGetIngressProcessor(t, got) + assert.EqualValues(t, iProcessor.GlobalCircuitBreakerDefaults, &g) + + hProcessor := mustGetHTTPProxyProcessor(t, got) + assert.EqualValues(t, hProcessor.GlobalCircuitBreakerDefaults, &g) + + gProcessor := mustGetGatewayAPIProcessor(t, got) + assert.EqualValues(t, gProcessor.GlobalCircuitBreakerDefaults, &g) + }) + t.Run("request and response headers policy specified for ingress", func(t *testing.T) { policy := &contour_api_v1alpha1.PolicyConfig{ RequestHeadersPolicy: &contour_api_v1alpha1.HeadersPolicy{ @@ -192,6 +217,19 @@ func TestGetDAGBuilder(t *testing.T) { // TODO(3453): test additional properties of the DAG builder (processor fields, cache fields, Gateway tests (requires a client fake)) } +func mustGetGatewayAPIProcessor(t *testing.T, builder *dag.Builder) *dag.GatewayAPIProcessor { + t.Helper() + for i := range builder.Processors { + found, ok := builder.Processors[i].(*dag.GatewayAPIProcessor) + if ok { + return found + } + } + + require.FailNow(t, "GatewayAPIProcessor not found in list of DAG builder's processors") + return nil +} + func mustGetHTTPProxyProcessor(t *testing.T, builder *dag.Builder) *dag.HTTPProxyProcessor { t.Helper() for i := range builder.Processors { diff --git a/cmd/contour/servecontext.go b/cmd/contour/servecontext.go index 7d14c2a94f4..c6b71d0791a 100644 --- a/cmd/contour/servecontext.go +++ b/cmd/contour/servecontext.go @@ -572,6 +572,12 @@ func (ctx *serveContext) convertToContourConfigurationSpec() contour_api_v1alpha DNSLookupFamily: dnsLookupFamily, MaxRequestsPerConnection: ctx.Config.Cluster.MaxRequestsPerConnection, PerConnectionBufferLimitBytes: ctx.Config.Cluster.PerConnectionBufferLimitBytes, + GlobalCircuitBreakerDefaults: ctx.Config.Cluster.GlobalCircuitBreakerDefaults, + UpstreamTLS: &contour_api_v1alpha1.EnvoyTLS{ + MinimumProtocolVersion: ctx.Config.Cluster.UpstreamTLS.MinimumProtocolVersion, + MaximumProtocolVersion: ctx.Config.Cluster.UpstreamTLS.MaximumProtocolVersion, + CipherSuites: ctx.Config.Cluster.UpstreamTLS.CipherSuites, + }, }, Network: &contour_api_v1alpha1.NetworkParameters{ XffNumTrustedHops: &ctx.Config.Network.XffNumTrustedHops, diff --git a/cmd/contour/servecontext_test.go b/cmd/contour/servecontext_test.go index dd8d3bf681c..b3914e0999d 100644 --- a/cmd/contour/servecontext_test.go +++ b/cmd/contour/servecontext_test.go @@ -473,7 +473,12 @@ func TestConvertServeContext(t *testing.T) { ConnectTimeout: ref.To("2s"), }, Cluster: &contour_api_v1alpha1.ClusterParameters{ - DNSLookupFamily: contour_api_v1alpha1.AutoClusterDNSFamily, + DNSLookupFamily: contour_api_v1alpha1.AutoClusterDNSFamily, + GlobalCircuitBreakerDefaults: nil, + UpstreamTLS: &contour_api_v1alpha1.EnvoyTLS{ + MinimumProtocolVersion: "", + MaximumProtocolVersion: "", + }, }, Network: &contour_api_v1alpha1.NetworkParameters{ EnvoyAdminPort: ref.To(9001), @@ -772,6 +777,26 @@ func TestConvertServeContext(t *testing.T) { return cfg }, }, + "global circuit breaker defaults": { + getServeContext: func(ctx *serveContext) *serveContext { + ctx.Config.Cluster.GlobalCircuitBreakerDefaults = &contour_api_v1alpha1.GlobalCircuitBreakerDefaults{ + MaxConnections: 4, + MaxPendingRequests: 5, + MaxRequests: 6, + MaxRetries: 7, + } + return ctx + }, + getContourConfiguration: func(cfg contour_api_v1alpha1.ContourConfigurationSpec) contour_api_v1alpha1.ContourConfigurationSpec { + cfg.Envoy.Cluster.GlobalCircuitBreakerDefaults = &contour_api_v1alpha1.GlobalCircuitBreakerDefaults{ + MaxConnections: 4, + MaxPendingRequests: 5, + MaxRequests: 6, + MaxRetries: 7, + } + return cfg + }, + }, "global external authorization": { getServeContext: func(ctx *serveContext) *serveContext { ctx.Config.GlobalExternalAuthorization = config.GlobalExternalAuthorization{ diff --git a/examples/contour/01-crds.yaml b/examples/contour/01-crds.yaml index 783ff7574f5..6f3f1f4aa65 100644 --- a/examples/contour/01-crds.yaml +++ b/examples/contour/01-crds.yaml @@ -78,6 +78,36 @@ spec: description: Cluster holds various configurable Envoy cluster values that can be set in the config file. properties: + circuitBreakers: + description: GlobalCircuitBreakerDefaults specifies default + circuit breaker budget across all services. If defined, + this will be used as the default for all services. + properties: + maxConnections: + description: The maximum number of connections that a + single Envoy instance allows to the Kubernetes Service; + defaults to 1024. + format: int32 + type: integer + maxPendingRequests: + description: The maximum number of pending requests that + a single Envoy instance allows to the Kubernetes Service; + defaults to 1024. + format: int32 + type: integer + maxRequests: + description: The maximum parallel requests a single Envoy + instance allows to the Kubernetes Service; defaults + to 1024 + format: int32 + type: integer + maxRetries: + description: The maximum number of parallel retries a + single Envoy instance allows to the Kubernetes Service; + defaults to 3. + format: int32 + type: integer + type: object dnsLookupFamily: description: "DNSLookupFamily defines how external names are looked up When configured as V4, the DNS resolver will only @@ -111,6 +141,48 @@ spec: format: int32 minimum: 1 type: integer + upstreamTLS: + description: UpstreamTLS contains the TLS policy parameters + for upstream connections + properties: + cipherSuites: + description: "CipherSuites defines the TLS ciphers to + be supported by Envoy TLS listeners when negotiating + TLS 1.2. Ciphers are validated against the set that + Envoy supports by default. This parameter should only + be used by advanced users. Note that these will be ignored + when TLS 1.3 is in use. \n This field is optional; when + it is undefined, a Contour-managed ciphersuite list + will be used, which may be updated to keep it secure. + \n Contour's default list is: - \"[ECDHE-ECDSA-AES128-GCM-SHA256|ECDHE-ECDSA-CHACHA20-POLY1305]\" + - \"[ECDHE-RSA-AES128-GCM-SHA256|ECDHE-RSA-CHACHA20-POLY1305]\" + - \"ECDHE-ECDSA-AES256-GCM-SHA384\" - \"ECDHE-RSA-AES256-GCM-SHA384\" + \n Ciphers provided are validated against the following + list: - \"[ECDHE-ECDSA-AES128-GCM-SHA256|ECDHE-ECDSA-CHACHA20-POLY1305]\" + - \"[ECDHE-RSA-AES128-GCM-SHA256|ECDHE-RSA-CHACHA20-POLY1305]\" + - \"ECDHE-ECDSA-AES128-GCM-SHA256\" - \"ECDHE-RSA-AES128-GCM-SHA256\" + - \"ECDHE-ECDSA-AES128-SHA\" - \"ECDHE-RSA-AES128-SHA\" + - \"AES128-GCM-SHA256\" - \"AES128-SHA\" - \"ECDHE-ECDSA-AES256-GCM-SHA384\" + - \"ECDHE-RSA-AES256-GCM-SHA384\" - \"ECDHE-ECDSA-AES256-SHA\" + - \"ECDHE-RSA-AES256-SHA\" - \"AES256-GCM-SHA384\" - + \"AES256-SHA\" \n Contour recommends leaving this undefined + unless you are sure you must. \n See: https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/transport_sockets/tls/v3/common.proto#extensions-transport-sockets-tls-v3-tlsparameters + Note: This list is a superset of what is valid for stock + Envoy builds and those using BoringSSL FIPS." + items: + type: string + type: array + maximumProtocolVersion: + description: "MaximumProtocolVersion is the maximum TLS + version this vhost should negotiate. \n Values: `1.2`, + `1.3`(default). \n Other values will produce an error." + type: string + minimumProtocolVersion: + description: "MinimumProtocolVersion is the minimum TLS + version this vhost should negotiate. \n Values: `1.2` + (default), `1.3`. \n Other values will produce an error." + type: string + type: object type: object defaultHTTPVersions: description: "DefaultHTTPVersions defines the default set of HTTPS @@ -2256,32 +2328,6 @@ spec: capacity recorded in the status field of the claim. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#resources' properties: - claims: - description: "Claims lists the names of - resources, defined in spec.resourceClaims, - that are used by this container. \n This - is an alpha field and requires enabling - the DynamicResourceAllocation feature - gate. \n This field is immutable. It can - only be set for containers." - items: - description: ResourceClaim references - one entry in PodSpec.ResourceClaims. - properties: - name: - description: Name must match the name - of one entry in pod.spec.resourceClaims - of the Pod where this field is used. - It makes that resource available - inside a container. - type: string - required: - - name - type: object - type: array - x-kubernetes-list-map-keys: - - name - x-kubernetes-list-type: map limits: additionalProperties: anyOf: @@ -2367,6 +2413,29 @@ spec: the StorageClass required by the claim. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#class-1' type: string + volumeAttributesClassName: + description: 'volumeAttributesClassName may + be used to set the VolumeAttributesClass used + by this claim. If specified, the CSI driver + will create or update the volume with the + attributes defined in the corresponding VolumeAttributesClass. + This has a different purpose than storageClassName, + it can be changed after the claim is created. + An empty string value means that no VolumeAttributesClass + will be applied to the claim but it''s not + allowed to reset this field to empty string + once it is set. If unspecified and the PersistentVolumeClaim + is unbound, the default VolumeAttributesClass + will be set by the persistentvolume controller + if it exists. If the resource referred to + by volumeAttributesClass does not exist, this + PersistentVolumeClaim will be set to a Pending + state, as reflected by the modifyVolumeStatus + field, until such as a resource exists. More + info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#volumeattributesclass + (Alpha) Using this field requires the VolumeAttributesClass + feature gate to be enabled.' + type: string volumeMode: description: volumeMode defines what type of volume is required by the claim. Value of @@ -2755,6 +2824,107 @@ spec: description: Projection that may be projected along with other supported volume types properties: + clusterTrustBundle: + description: "ClusterTrustBundle allows a pod + to access the `.spec.trustBundle` field of ClusterTrustBundle + objects in an auto-updating file. \n Alpha, + gated by the ClusterTrustBundleProjection feature + gate. \n ClusterTrustBundle objects can either + be selected by name, or by the combination of + signer name and a label selector. \n Kubelet + performs aggressive normalization of the PEM + contents written into the pod filesystem. Esoteric + PEM features such as inter-block comments and + block headers are stripped. Certificates are + deduplicated. The ordering of certificates within + the file is arbitrary, and Kubelet may change + the order over time." + properties: + labelSelector: + description: Select all ClusterTrustBundles + that match this label selector. Only has + effect if signerName is set. Mutually-exclusive + with name. If unset, interpreted as "match + nothing". If set but empty, interpreted + as "match everything". + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The + requirements are ANDed. + items: + description: A label selector requirement + is a selector that contains values, + a key, and an operator that relates + the key and values. + properties: + key: + description: key is the label key + that the selector applies to. + type: string + operator: + description: operator represents + a key's relationship to a set + of values. Valid operators are + In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array + of string values. If the operator + is In or NotIn, the values array + must be non-empty. If the operator + is Exists or DoesNotExist, the + values array must be empty. This + array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator + is "In", and the values array contains + only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + name: + description: Select a single ClusterTrustBundle + by object name. Mutually-exclusive with + signerName and labelSelector. + type: string + optional: + description: If true, don't block pod startup + if the referenced ClusterTrustBundle(s) + aren't available. If using name, then the + named ClusterTrustBundle is allowed not + to exist. If using signerName, then the + combination of signerName and labelSelector + is allowed to match zero ClusterTrustBundles. + type: boolean + path: + description: Relative path from the volume + root to write the bundle. + type: string + signerName: + description: Select all ClusterTrustBundles + that match this signer name. Mutually-exclusive + with name. The contents of all selected + ClusterTrustBundles will be unified and + deduplicated. + type: string + required: + - path + type: object configMap: description: configMap information about the configMap data to project @@ -3496,8 +3666,9 @@ spec: resourceLabels: additionalProperties: type: string - description: ResourceLabels is a set of labels to add to the provisioned - Contour resources. + description: "ResourceLabels is a set of labels to add to the provisioned + Contour resources. \n Deprecated: use Gateway.Spec.Infrastructure.Labels + instead. This field will be removed in a future release." type: object runtimeSettings: description: RuntimeSettings is a ContourConfiguration spec to be @@ -3543,6 +3714,36 @@ spec: description: Cluster holds various configurable Envoy cluster values that can be set in the config file. properties: + circuitBreakers: + description: GlobalCircuitBreakerDefaults specifies default + circuit breaker budget across all services. If defined, + this will be used as the default for all services. + properties: + maxConnections: + description: The maximum number of connections that + a single Envoy instance allows to the Kubernetes + Service; defaults to 1024. + format: int32 + type: integer + maxPendingRequests: + description: The maximum number of pending requests + that a single Envoy instance allows to the Kubernetes + Service; defaults to 1024. + format: int32 + type: integer + maxRequests: + description: The maximum parallel requests a single + Envoy instance allows to the Kubernetes Service; + defaults to 1024 + format: int32 + type: integer + maxRetries: + description: The maximum number of parallel retries + a single Envoy instance allows to the Kubernetes + Service; defaults to 3. + format: int32 + type: integer + type: object dnsLookupFamily: description: "DNSLookupFamily defines how external names are looked up When configured as V4, the DNS resolver @@ -3578,6 +3779,52 @@ spec: format: int32 minimum: 1 type: integer + upstreamTLS: + description: UpstreamTLS contains the TLS policy parameters + for upstream connections + properties: + cipherSuites: + description: "CipherSuites defines the TLS ciphers + to be supported by Envoy TLS listeners when negotiating + TLS 1.2. Ciphers are validated against the set that + Envoy supports by default. This parameter should + only be used by advanced users. Note that these + will be ignored when TLS 1.3 is in use. \n This + field is optional; when it is undefined, a Contour-managed + ciphersuite list will be used, which may be updated + to keep it secure. \n Contour's default list is: + - \"[ECDHE-ECDSA-AES128-GCM-SHA256|ECDHE-ECDSA-CHACHA20-POLY1305]\" + - \"[ECDHE-RSA-AES128-GCM-SHA256|ECDHE-RSA-CHACHA20-POLY1305]\" + - \"ECDHE-ECDSA-AES256-GCM-SHA384\" - \"ECDHE-RSA-AES256-GCM-SHA384\" + \n Ciphers provided are validated against the following + list: - \"[ECDHE-ECDSA-AES128-GCM-SHA256|ECDHE-ECDSA-CHACHA20-POLY1305]\" + - \"[ECDHE-RSA-AES128-GCM-SHA256|ECDHE-RSA-CHACHA20-POLY1305]\" + - \"ECDHE-ECDSA-AES128-GCM-SHA256\" - \"ECDHE-RSA-AES128-GCM-SHA256\" + - \"ECDHE-ECDSA-AES128-SHA\" - \"ECDHE-RSA-AES128-SHA\" + - \"AES128-GCM-SHA256\" - \"AES128-SHA\" - \"ECDHE-ECDSA-AES256-GCM-SHA384\" + - \"ECDHE-RSA-AES256-GCM-SHA384\" - \"ECDHE-ECDSA-AES256-SHA\" + - \"ECDHE-RSA-AES256-SHA\" - \"AES256-GCM-SHA384\" + - \"AES256-SHA\" \n Contour recommends leaving this + undefined unless you are sure you must. \n See: + https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/transport_sockets/tls/v3/common.proto#extensions-transport-sockets-tls-v3-tlsparameters + Note: This list is a superset of what is valid for + stock Envoy builds and those using BoringSSL FIPS." + items: + type: string + type: array + maximumProtocolVersion: + description: "MaximumProtocolVersion is the maximum + TLS version this vhost should negotiate. \n Values: + `1.2`, `1.3`(default). \n Other values will produce + an error." + type: string + minimumProtocolVersion: + description: "MinimumProtocolVersion is the minimum + TLS version this vhost should negotiate. \n Values: + `1.2` (default), `1.3`. \n Other values will produce + an error." + type: string + type: object type: object defaultHTTPVersions: description: "DefaultHTTPVersions defines the default set @@ -7772,6 +8019,17 @@ spec: description: IP is set for load-balancer ingress points that are IP based (typically GCE or OpenStack load-balancers) type: string + ipMode: + description: IPMode specifies how the load-balancer IP behaves, + and may only be specified when the ip field is specified. + Setting this to "VIP" indicates that traffic is delivered + to the node with the destination set to the load-balancer's + IP and port. Setting this to "Proxy" indicates that traffic + is delivered to the node or pod with the destination set + to the node's IP and node port or the pod's IP and port. + Service implementations may use this information to adjust + traffic routing. + type: string ports: description: Ports is a list of records of service ports If used, every port defined in the service should have diff --git a/examples/render/contour-deployment.yaml b/examples/render/contour-deployment.yaml index 2020135a384..5acc615ffaa 100644 --- a/examples/render/contour-deployment.yaml +++ b/examples/render/contour-deployment.yaml @@ -297,6 +297,36 @@ spec: description: Cluster holds various configurable Envoy cluster values that can be set in the config file. properties: + circuitBreakers: + description: GlobalCircuitBreakerDefaults specifies default + circuit breaker budget across all services. If defined, + this will be used as the default for all services. + properties: + maxConnections: + description: The maximum number of connections that a + single Envoy instance allows to the Kubernetes Service; + defaults to 1024. + format: int32 + type: integer + maxPendingRequests: + description: The maximum number of pending requests that + a single Envoy instance allows to the Kubernetes Service; + defaults to 1024. + format: int32 + type: integer + maxRequests: + description: The maximum parallel requests a single Envoy + instance allows to the Kubernetes Service; defaults + to 1024 + format: int32 + type: integer + maxRetries: + description: The maximum number of parallel retries a + single Envoy instance allows to the Kubernetes Service; + defaults to 3. + format: int32 + type: integer + type: object dnsLookupFamily: description: "DNSLookupFamily defines how external names are looked up When configured as V4, the DNS resolver will only @@ -330,6 +360,48 @@ spec: format: int32 minimum: 1 type: integer + upstreamTLS: + description: UpstreamTLS contains the TLS policy parameters + for upstream connections + properties: + cipherSuites: + description: "CipherSuites defines the TLS ciphers to + be supported by Envoy TLS listeners when negotiating + TLS 1.2. Ciphers are validated against the set that + Envoy supports by default. This parameter should only + be used by advanced users. Note that these will be ignored + when TLS 1.3 is in use. \n This field is optional; when + it is undefined, a Contour-managed ciphersuite list + will be used, which may be updated to keep it secure. + \n Contour's default list is: - \"[ECDHE-ECDSA-AES128-GCM-SHA256|ECDHE-ECDSA-CHACHA20-POLY1305]\" + - \"[ECDHE-RSA-AES128-GCM-SHA256|ECDHE-RSA-CHACHA20-POLY1305]\" + - \"ECDHE-ECDSA-AES256-GCM-SHA384\" - \"ECDHE-RSA-AES256-GCM-SHA384\" + \n Ciphers provided are validated against the following + list: - \"[ECDHE-ECDSA-AES128-GCM-SHA256|ECDHE-ECDSA-CHACHA20-POLY1305]\" + - \"[ECDHE-RSA-AES128-GCM-SHA256|ECDHE-RSA-CHACHA20-POLY1305]\" + - \"ECDHE-ECDSA-AES128-GCM-SHA256\" - \"ECDHE-RSA-AES128-GCM-SHA256\" + - \"ECDHE-ECDSA-AES128-SHA\" - \"ECDHE-RSA-AES128-SHA\" + - \"AES128-GCM-SHA256\" - \"AES128-SHA\" - \"ECDHE-ECDSA-AES256-GCM-SHA384\" + - \"ECDHE-RSA-AES256-GCM-SHA384\" - \"ECDHE-ECDSA-AES256-SHA\" + - \"ECDHE-RSA-AES256-SHA\" - \"AES256-GCM-SHA384\" - + \"AES256-SHA\" \n Contour recommends leaving this undefined + unless you are sure you must. \n See: https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/transport_sockets/tls/v3/common.proto#extensions-transport-sockets-tls-v3-tlsparameters + Note: This list is a superset of what is valid for stock + Envoy builds and those using BoringSSL FIPS." + items: + type: string + type: array + maximumProtocolVersion: + description: "MaximumProtocolVersion is the maximum TLS + version this vhost should negotiate. \n Values: `1.2`, + `1.3`(default). \n Other values will produce an error." + type: string + minimumProtocolVersion: + description: "MinimumProtocolVersion is the minimum TLS + version this vhost should negotiate. \n Values: `1.2` + (default), `1.3`. \n Other values will produce an error." + type: string + type: object type: object defaultHTTPVersions: description: "DefaultHTTPVersions defines the default set of HTTPS @@ -2475,32 +2547,6 @@ spec: capacity recorded in the status field of the claim. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#resources' properties: - claims: - description: "Claims lists the names of - resources, defined in spec.resourceClaims, - that are used by this container. \n This - is an alpha field and requires enabling - the DynamicResourceAllocation feature - gate. \n This field is immutable. It can - only be set for containers." - items: - description: ResourceClaim references - one entry in PodSpec.ResourceClaims. - properties: - name: - description: Name must match the name - of one entry in pod.spec.resourceClaims - of the Pod where this field is used. - It makes that resource available - inside a container. - type: string - required: - - name - type: object - type: array - x-kubernetes-list-map-keys: - - name - x-kubernetes-list-type: map limits: additionalProperties: anyOf: @@ -2586,6 +2632,29 @@ spec: the StorageClass required by the claim. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#class-1' type: string + volumeAttributesClassName: + description: 'volumeAttributesClassName may + be used to set the VolumeAttributesClass used + by this claim. If specified, the CSI driver + will create or update the volume with the + attributes defined in the corresponding VolumeAttributesClass. + This has a different purpose than storageClassName, + it can be changed after the claim is created. + An empty string value means that no VolumeAttributesClass + will be applied to the claim but it''s not + allowed to reset this field to empty string + once it is set. If unspecified and the PersistentVolumeClaim + is unbound, the default VolumeAttributesClass + will be set by the persistentvolume controller + if it exists. If the resource referred to + by volumeAttributesClass does not exist, this + PersistentVolumeClaim will be set to a Pending + state, as reflected by the modifyVolumeStatus + field, until such as a resource exists. More + info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#volumeattributesclass + (Alpha) Using this field requires the VolumeAttributesClass + feature gate to be enabled.' + type: string volumeMode: description: volumeMode defines what type of volume is required by the claim. Value of @@ -2974,6 +3043,107 @@ spec: description: Projection that may be projected along with other supported volume types properties: + clusterTrustBundle: + description: "ClusterTrustBundle allows a pod + to access the `.spec.trustBundle` field of ClusterTrustBundle + objects in an auto-updating file. \n Alpha, + gated by the ClusterTrustBundleProjection feature + gate. \n ClusterTrustBundle objects can either + be selected by name, or by the combination of + signer name and a label selector. \n Kubelet + performs aggressive normalization of the PEM + contents written into the pod filesystem. Esoteric + PEM features such as inter-block comments and + block headers are stripped. Certificates are + deduplicated. The ordering of certificates within + the file is arbitrary, and Kubelet may change + the order over time." + properties: + labelSelector: + description: Select all ClusterTrustBundles + that match this label selector. Only has + effect if signerName is set. Mutually-exclusive + with name. If unset, interpreted as "match + nothing". If set but empty, interpreted + as "match everything". + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The + requirements are ANDed. + items: + description: A label selector requirement + is a selector that contains values, + a key, and an operator that relates + the key and values. + properties: + key: + description: key is the label key + that the selector applies to. + type: string + operator: + description: operator represents + a key's relationship to a set + of values. Valid operators are + In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array + of string values. If the operator + is In or NotIn, the values array + must be non-empty. If the operator + is Exists or DoesNotExist, the + values array must be empty. This + array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator + is "In", and the values array contains + only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + name: + description: Select a single ClusterTrustBundle + by object name. Mutually-exclusive with + signerName and labelSelector. + type: string + optional: + description: If true, don't block pod startup + if the referenced ClusterTrustBundle(s) + aren't available. If using name, then the + named ClusterTrustBundle is allowed not + to exist. If using signerName, then the + combination of signerName and labelSelector + is allowed to match zero ClusterTrustBundles. + type: boolean + path: + description: Relative path from the volume + root to write the bundle. + type: string + signerName: + description: Select all ClusterTrustBundles + that match this signer name. Mutually-exclusive + with name. The contents of all selected + ClusterTrustBundles will be unified and + deduplicated. + type: string + required: + - path + type: object configMap: description: configMap information about the configMap data to project @@ -3715,8 +3885,9 @@ spec: resourceLabels: additionalProperties: type: string - description: ResourceLabels is a set of labels to add to the provisioned - Contour resources. + description: "ResourceLabels is a set of labels to add to the provisioned + Contour resources. \n Deprecated: use Gateway.Spec.Infrastructure.Labels + instead. This field will be removed in a future release." type: object runtimeSettings: description: RuntimeSettings is a ContourConfiguration spec to be @@ -3762,6 +3933,36 @@ spec: description: Cluster holds various configurable Envoy cluster values that can be set in the config file. properties: + circuitBreakers: + description: GlobalCircuitBreakerDefaults specifies default + circuit breaker budget across all services. If defined, + this will be used as the default for all services. + properties: + maxConnections: + description: The maximum number of connections that + a single Envoy instance allows to the Kubernetes + Service; defaults to 1024. + format: int32 + type: integer + maxPendingRequests: + description: The maximum number of pending requests + that a single Envoy instance allows to the Kubernetes + Service; defaults to 1024. + format: int32 + type: integer + maxRequests: + description: The maximum parallel requests a single + Envoy instance allows to the Kubernetes Service; + defaults to 1024 + format: int32 + type: integer + maxRetries: + description: The maximum number of parallel retries + a single Envoy instance allows to the Kubernetes + Service; defaults to 3. + format: int32 + type: integer + type: object dnsLookupFamily: description: "DNSLookupFamily defines how external names are looked up When configured as V4, the DNS resolver @@ -3797,6 +3998,52 @@ spec: format: int32 minimum: 1 type: integer + upstreamTLS: + description: UpstreamTLS contains the TLS policy parameters + for upstream connections + properties: + cipherSuites: + description: "CipherSuites defines the TLS ciphers + to be supported by Envoy TLS listeners when negotiating + TLS 1.2. Ciphers are validated against the set that + Envoy supports by default. This parameter should + only be used by advanced users. Note that these + will be ignored when TLS 1.3 is in use. \n This + field is optional; when it is undefined, a Contour-managed + ciphersuite list will be used, which may be updated + to keep it secure. \n Contour's default list is: + - \"[ECDHE-ECDSA-AES128-GCM-SHA256|ECDHE-ECDSA-CHACHA20-POLY1305]\" + - \"[ECDHE-RSA-AES128-GCM-SHA256|ECDHE-RSA-CHACHA20-POLY1305]\" + - \"ECDHE-ECDSA-AES256-GCM-SHA384\" - \"ECDHE-RSA-AES256-GCM-SHA384\" + \n Ciphers provided are validated against the following + list: - \"[ECDHE-ECDSA-AES128-GCM-SHA256|ECDHE-ECDSA-CHACHA20-POLY1305]\" + - \"[ECDHE-RSA-AES128-GCM-SHA256|ECDHE-RSA-CHACHA20-POLY1305]\" + - \"ECDHE-ECDSA-AES128-GCM-SHA256\" - \"ECDHE-RSA-AES128-GCM-SHA256\" + - \"ECDHE-ECDSA-AES128-SHA\" - \"ECDHE-RSA-AES128-SHA\" + - \"AES128-GCM-SHA256\" - \"AES128-SHA\" - \"ECDHE-ECDSA-AES256-GCM-SHA384\" + - \"ECDHE-RSA-AES256-GCM-SHA384\" - \"ECDHE-ECDSA-AES256-SHA\" + - \"ECDHE-RSA-AES256-SHA\" - \"AES256-GCM-SHA384\" + - \"AES256-SHA\" \n Contour recommends leaving this + undefined unless you are sure you must. \n See: + https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/transport_sockets/tls/v3/common.proto#extensions-transport-sockets-tls-v3-tlsparameters + Note: This list is a superset of what is valid for + stock Envoy builds and those using BoringSSL FIPS." + items: + type: string + type: array + maximumProtocolVersion: + description: "MaximumProtocolVersion is the maximum + TLS version this vhost should negotiate. \n Values: + `1.2`, `1.3`(default). \n Other values will produce + an error." + type: string + minimumProtocolVersion: + description: "MinimumProtocolVersion is the minimum + TLS version this vhost should negotiate. \n Values: + `1.2` (default), `1.3`. \n Other values will produce + an error." + type: string + type: object type: object defaultHTTPVersions: description: "DefaultHTTPVersions defines the default set @@ -7991,6 +8238,17 @@ spec: description: IP is set for load-balancer ingress points that are IP based (typically GCE or OpenStack load-balancers) type: string + ipMode: + description: IPMode specifies how the load-balancer IP behaves, + and may only be specified when the ip field is specified. + Setting this to "VIP" indicates that traffic is delivered + to the node with the destination set to the load-balancer's + IP and port. Setting this to "Proxy" indicates that traffic + is delivered to the node or pod with the destination set + to the node's IP and node port or the pod's IP and port. + Service implementations may use this information to adjust + traffic routing. + type: string ports: description: Ports is a list of records of service ports If used, every port defined in the service should have diff --git a/examples/render/contour-gateway-provisioner.yaml b/examples/render/contour-gateway-provisioner.yaml index f0065dfc379..526c7b2ba5a 100644 --- a/examples/render/contour-gateway-provisioner.yaml +++ b/examples/render/contour-gateway-provisioner.yaml @@ -89,6 +89,36 @@ spec: description: Cluster holds various configurable Envoy cluster values that can be set in the config file. properties: + circuitBreakers: + description: GlobalCircuitBreakerDefaults specifies default + circuit breaker budget across all services. If defined, + this will be used as the default for all services. + properties: + maxConnections: + description: The maximum number of connections that a + single Envoy instance allows to the Kubernetes Service; + defaults to 1024. + format: int32 + type: integer + maxPendingRequests: + description: The maximum number of pending requests that + a single Envoy instance allows to the Kubernetes Service; + defaults to 1024. + format: int32 + type: integer + maxRequests: + description: The maximum parallel requests a single Envoy + instance allows to the Kubernetes Service; defaults + to 1024 + format: int32 + type: integer + maxRetries: + description: The maximum number of parallel retries a + single Envoy instance allows to the Kubernetes Service; + defaults to 3. + format: int32 + type: integer + type: object dnsLookupFamily: description: "DNSLookupFamily defines how external names are looked up When configured as V4, the DNS resolver will only @@ -122,6 +152,48 @@ spec: format: int32 minimum: 1 type: integer + upstreamTLS: + description: UpstreamTLS contains the TLS policy parameters + for upstream connections + properties: + cipherSuites: + description: "CipherSuites defines the TLS ciphers to + be supported by Envoy TLS listeners when negotiating + TLS 1.2. Ciphers are validated against the set that + Envoy supports by default. This parameter should only + be used by advanced users. Note that these will be ignored + when TLS 1.3 is in use. \n This field is optional; when + it is undefined, a Contour-managed ciphersuite list + will be used, which may be updated to keep it secure. + \n Contour's default list is: - \"[ECDHE-ECDSA-AES128-GCM-SHA256|ECDHE-ECDSA-CHACHA20-POLY1305]\" + - \"[ECDHE-RSA-AES128-GCM-SHA256|ECDHE-RSA-CHACHA20-POLY1305]\" + - \"ECDHE-ECDSA-AES256-GCM-SHA384\" - \"ECDHE-RSA-AES256-GCM-SHA384\" + \n Ciphers provided are validated against the following + list: - \"[ECDHE-ECDSA-AES128-GCM-SHA256|ECDHE-ECDSA-CHACHA20-POLY1305]\" + - \"[ECDHE-RSA-AES128-GCM-SHA256|ECDHE-RSA-CHACHA20-POLY1305]\" + - \"ECDHE-ECDSA-AES128-GCM-SHA256\" - \"ECDHE-RSA-AES128-GCM-SHA256\" + - \"ECDHE-ECDSA-AES128-SHA\" - \"ECDHE-RSA-AES128-SHA\" + - \"AES128-GCM-SHA256\" - \"AES128-SHA\" - \"ECDHE-ECDSA-AES256-GCM-SHA384\" + - \"ECDHE-RSA-AES256-GCM-SHA384\" - \"ECDHE-ECDSA-AES256-SHA\" + - \"ECDHE-RSA-AES256-SHA\" - \"AES256-GCM-SHA384\" - + \"AES256-SHA\" \n Contour recommends leaving this undefined + unless you are sure you must. \n See: https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/transport_sockets/tls/v3/common.proto#extensions-transport-sockets-tls-v3-tlsparameters + Note: This list is a superset of what is valid for stock + Envoy builds and those using BoringSSL FIPS." + items: + type: string + type: array + maximumProtocolVersion: + description: "MaximumProtocolVersion is the maximum TLS + version this vhost should negotiate. \n Values: `1.2`, + `1.3`(default). \n Other values will produce an error." + type: string + minimumProtocolVersion: + description: "MinimumProtocolVersion is the minimum TLS + version this vhost should negotiate. \n Values: `1.2` + (default), `1.3`. \n Other values will produce an error." + type: string + type: object type: object defaultHTTPVersions: description: "DefaultHTTPVersions defines the default set of HTTPS @@ -2267,32 +2339,6 @@ spec: capacity recorded in the status field of the claim. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#resources' properties: - claims: - description: "Claims lists the names of - resources, defined in spec.resourceClaims, - that are used by this container. \n This - is an alpha field and requires enabling - the DynamicResourceAllocation feature - gate. \n This field is immutable. It can - only be set for containers." - items: - description: ResourceClaim references - one entry in PodSpec.ResourceClaims. - properties: - name: - description: Name must match the name - of one entry in pod.spec.resourceClaims - of the Pod where this field is used. - It makes that resource available - inside a container. - type: string - required: - - name - type: object - type: array - x-kubernetes-list-map-keys: - - name - x-kubernetes-list-type: map limits: additionalProperties: anyOf: @@ -2378,6 +2424,29 @@ spec: the StorageClass required by the claim. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#class-1' type: string + volumeAttributesClassName: + description: 'volumeAttributesClassName may + be used to set the VolumeAttributesClass used + by this claim. If specified, the CSI driver + will create or update the volume with the + attributes defined in the corresponding VolumeAttributesClass. + This has a different purpose than storageClassName, + it can be changed after the claim is created. + An empty string value means that no VolumeAttributesClass + will be applied to the claim but it''s not + allowed to reset this field to empty string + once it is set. If unspecified and the PersistentVolumeClaim + is unbound, the default VolumeAttributesClass + will be set by the persistentvolume controller + if it exists. If the resource referred to + by volumeAttributesClass does not exist, this + PersistentVolumeClaim will be set to a Pending + state, as reflected by the modifyVolumeStatus + field, until such as a resource exists. More + info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#volumeattributesclass + (Alpha) Using this field requires the VolumeAttributesClass + feature gate to be enabled.' + type: string volumeMode: description: volumeMode defines what type of volume is required by the claim. Value of @@ -2766,6 +2835,107 @@ spec: description: Projection that may be projected along with other supported volume types properties: + clusterTrustBundle: + description: "ClusterTrustBundle allows a pod + to access the `.spec.trustBundle` field of ClusterTrustBundle + objects in an auto-updating file. \n Alpha, + gated by the ClusterTrustBundleProjection feature + gate. \n ClusterTrustBundle objects can either + be selected by name, or by the combination of + signer name and a label selector. \n Kubelet + performs aggressive normalization of the PEM + contents written into the pod filesystem. Esoteric + PEM features such as inter-block comments and + block headers are stripped. Certificates are + deduplicated. The ordering of certificates within + the file is arbitrary, and Kubelet may change + the order over time." + properties: + labelSelector: + description: Select all ClusterTrustBundles + that match this label selector. Only has + effect if signerName is set. Mutually-exclusive + with name. If unset, interpreted as "match + nothing". If set but empty, interpreted + as "match everything". + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The + requirements are ANDed. + items: + description: A label selector requirement + is a selector that contains values, + a key, and an operator that relates + the key and values. + properties: + key: + description: key is the label key + that the selector applies to. + type: string + operator: + description: operator represents + a key's relationship to a set + of values. Valid operators are + In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array + of string values. If the operator + is In or NotIn, the values array + must be non-empty. If the operator + is Exists or DoesNotExist, the + values array must be empty. This + array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator + is "In", and the values array contains + only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + name: + description: Select a single ClusterTrustBundle + by object name. Mutually-exclusive with + signerName and labelSelector. + type: string + optional: + description: If true, don't block pod startup + if the referenced ClusterTrustBundle(s) + aren't available. If using name, then the + named ClusterTrustBundle is allowed not + to exist. If using signerName, then the + combination of signerName and labelSelector + is allowed to match zero ClusterTrustBundles. + type: boolean + path: + description: Relative path from the volume + root to write the bundle. + type: string + signerName: + description: Select all ClusterTrustBundles + that match this signer name. Mutually-exclusive + with name. The contents of all selected + ClusterTrustBundles will be unified and + deduplicated. + type: string + required: + - path + type: object configMap: description: configMap information about the configMap data to project @@ -3507,8 +3677,9 @@ spec: resourceLabels: additionalProperties: type: string - description: ResourceLabels is a set of labels to add to the provisioned - Contour resources. + description: "ResourceLabels is a set of labels to add to the provisioned + Contour resources. \n Deprecated: use Gateway.Spec.Infrastructure.Labels + instead. This field will be removed in a future release." type: object runtimeSettings: description: RuntimeSettings is a ContourConfiguration spec to be @@ -3554,6 +3725,36 @@ spec: description: Cluster holds various configurable Envoy cluster values that can be set in the config file. properties: + circuitBreakers: + description: GlobalCircuitBreakerDefaults specifies default + circuit breaker budget across all services. If defined, + this will be used as the default for all services. + properties: + maxConnections: + description: The maximum number of connections that + a single Envoy instance allows to the Kubernetes + Service; defaults to 1024. + format: int32 + type: integer + maxPendingRequests: + description: The maximum number of pending requests + that a single Envoy instance allows to the Kubernetes + Service; defaults to 1024. + format: int32 + type: integer + maxRequests: + description: The maximum parallel requests a single + Envoy instance allows to the Kubernetes Service; + defaults to 1024 + format: int32 + type: integer + maxRetries: + description: The maximum number of parallel retries + a single Envoy instance allows to the Kubernetes + Service; defaults to 3. + format: int32 + type: integer + type: object dnsLookupFamily: description: "DNSLookupFamily defines how external names are looked up When configured as V4, the DNS resolver @@ -3589,6 +3790,52 @@ spec: format: int32 minimum: 1 type: integer + upstreamTLS: + description: UpstreamTLS contains the TLS policy parameters + for upstream connections + properties: + cipherSuites: + description: "CipherSuites defines the TLS ciphers + to be supported by Envoy TLS listeners when negotiating + TLS 1.2. Ciphers are validated against the set that + Envoy supports by default. This parameter should + only be used by advanced users. Note that these + will be ignored when TLS 1.3 is in use. \n This + field is optional; when it is undefined, a Contour-managed + ciphersuite list will be used, which may be updated + to keep it secure. \n Contour's default list is: + - \"[ECDHE-ECDSA-AES128-GCM-SHA256|ECDHE-ECDSA-CHACHA20-POLY1305]\" + - \"[ECDHE-RSA-AES128-GCM-SHA256|ECDHE-RSA-CHACHA20-POLY1305]\" + - \"ECDHE-ECDSA-AES256-GCM-SHA384\" - \"ECDHE-RSA-AES256-GCM-SHA384\" + \n Ciphers provided are validated against the following + list: - \"[ECDHE-ECDSA-AES128-GCM-SHA256|ECDHE-ECDSA-CHACHA20-POLY1305]\" + - \"[ECDHE-RSA-AES128-GCM-SHA256|ECDHE-RSA-CHACHA20-POLY1305]\" + - \"ECDHE-ECDSA-AES128-GCM-SHA256\" - \"ECDHE-RSA-AES128-GCM-SHA256\" + - \"ECDHE-ECDSA-AES128-SHA\" - \"ECDHE-RSA-AES128-SHA\" + - \"AES128-GCM-SHA256\" - \"AES128-SHA\" - \"ECDHE-ECDSA-AES256-GCM-SHA384\" + - \"ECDHE-RSA-AES256-GCM-SHA384\" - \"ECDHE-ECDSA-AES256-SHA\" + - \"ECDHE-RSA-AES256-SHA\" - \"AES256-GCM-SHA384\" + - \"AES256-SHA\" \n Contour recommends leaving this + undefined unless you are sure you must. \n See: + https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/transport_sockets/tls/v3/common.proto#extensions-transport-sockets-tls-v3-tlsparameters + Note: This list is a superset of what is valid for + stock Envoy builds and those using BoringSSL FIPS." + items: + type: string + type: array + maximumProtocolVersion: + description: "MaximumProtocolVersion is the maximum + TLS version this vhost should negotiate. \n Values: + `1.2`, `1.3`(default). \n Other values will produce + an error." + type: string + minimumProtocolVersion: + description: "MinimumProtocolVersion is the minimum + TLS version this vhost should negotiate. \n Values: + `1.2` (default), `1.3`. \n Other values will produce + an error." + type: string + type: object type: object defaultHTTPVersions: description: "DefaultHTTPVersions defines the default set @@ -7783,6 +8030,17 @@ spec: description: IP is set for load-balancer ingress points that are IP based (typically GCE or OpenStack load-balancers) type: string + ipMode: + description: IPMode specifies how the load-balancer IP behaves, + and may only be specified when the ip field is specified. + Setting this to "VIP" indicates that traffic is delivered + to the node with the destination set to the load-balancer's + IP and port. Setting this to "Proxy" indicates that traffic + is delivered to the node or pod with the destination set + to the node's IP and node port or the pod's IP and port. + Service implementations may use this information to adjust + traffic routing. + type: string ports: description: Ports is a list of records of service ports If used, every port defined in the service should have diff --git a/examples/render/contour-gateway.yaml b/examples/render/contour-gateway.yaml index f4a9db215f3..8b16a4a46a1 100644 --- a/examples/render/contour-gateway.yaml +++ b/examples/render/contour-gateway.yaml @@ -300,6 +300,36 @@ spec: description: Cluster holds various configurable Envoy cluster values that can be set in the config file. properties: + circuitBreakers: + description: GlobalCircuitBreakerDefaults specifies default + circuit breaker budget across all services. If defined, + this will be used as the default for all services. + properties: + maxConnections: + description: The maximum number of connections that a + single Envoy instance allows to the Kubernetes Service; + defaults to 1024. + format: int32 + type: integer + maxPendingRequests: + description: The maximum number of pending requests that + a single Envoy instance allows to the Kubernetes Service; + defaults to 1024. + format: int32 + type: integer + maxRequests: + description: The maximum parallel requests a single Envoy + instance allows to the Kubernetes Service; defaults + to 1024 + format: int32 + type: integer + maxRetries: + description: The maximum number of parallel retries a + single Envoy instance allows to the Kubernetes Service; + defaults to 3. + format: int32 + type: integer + type: object dnsLookupFamily: description: "DNSLookupFamily defines how external names are looked up When configured as V4, the DNS resolver will only @@ -333,6 +363,48 @@ spec: format: int32 minimum: 1 type: integer + upstreamTLS: + description: UpstreamTLS contains the TLS policy parameters + for upstream connections + properties: + cipherSuites: + description: "CipherSuites defines the TLS ciphers to + be supported by Envoy TLS listeners when negotiating + TLS 1.2. Ciphers are validated against the set that + Envoy supports by default. This parameter should only + be used by advanced users. Note that these will be ignored + when TLS 1.3 is in use. \n This field is optional; when + it is undefined, a Contour-managed ciphersuite list + will be used, which may be updated to keep it secure. + \n Contour's default list is: - \"[ECDHE-ECDSA-AES128-GCM-SHA256|ECDHE-ECDSA-CHACHA20-POLY1305]\" + - \"[ECDHE-RSA-AES128-GCM-SHA256|ECDHE-RSA-CHACHA20-POLY1305]\" + - \"ECDHE-ECDSA-AES256-GCM-SHA384\" - \"ECDHE-RSA-AES256-GCM-SHA384\" + \n Ciphers provided are validated against the following + list: - \"[ECDHE-ECDSA-AES128-GCM-SHA256|ECDHE-ECDSA-CHACHA20-POLY1305]\" + - \"[ECDHE-RSA-AES128-GCM-SHA256|ECDHE-RSA-CHACHA20-POLY1305]\" + - \"ECDHE-ECDSA-AES128-GCM-SHA256\" - \"ECDHE-RSA-AES128-GCM-SHA256\" + - \"ECDHE-ECDSA-AES128-SHA\" - \"ECDHE-RSA-AES128-SHA\" + - \"AES128-GCM-SHA256\" - \"AES128-SHA\" - \"ECDHE-ECDSA-AES256-GCM-SHA384\" + - \"ECDHE-RSA-AES256-GCM-SHA384\" - \"ECDHE-ECDSA-AES256-SHA\" + - \"ECDHE-RSA-AES256-SHA\" - \"AES256-GCM-SHA384\" - + \"AES256-SHA\" \n Contour recommends leaving this undefined + unless you are sure you must. \n See: https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/transport_sockets/tls/v3/common.proto#extensions-transport-sockets-tls-v3-tlsparameters + Note: This list is a superset of what is valid for stock + Envoy builds and those using BoringSSL FIPS." + items: + type: string + type: array + maximumProtocolVersion: + description: "MaximumProtocolVersion is the maximum TLS + version this vhost should negotiate. \n Values: `1.2`, + `1.3`(default). \n Other values will produce an error." + type: string + minimumProtocolVersion: + description: "MinimumProtocolVersion is the minimum TLS + version this vhost should negotiate. \n Values: `1.2` + (default), `1.3`. \n Other values will produce an error." + type: string + type: object type: object defaultHTTPVersions: description: "DefaultHTTPVersions defines the default set of HTTPS @@ -2478,32 +2550,6 @@ spec: capacity recorded in the status field of the claim. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#resources' properties: - claims: - description: "Claims lists the names of - resources, defined in spec.resourceClaims, - that are used by this container. \n This - is an alpha field and requires enabling - the DynamicResourceAllocation feature - gate. \n This field is immutable. It can - only be set for containers." - items: - description: ResourceClaim references - one entry in PodSpec.ResourceClaims. - properties: - name: - description: Name must match the name - of one entry in pod.spec.resourceClaims - of the Pod where this field is used. - It makes that resource available - inside a container. - type: string - required: - - name - type: object - type: array - x-kubernetes-list-map-keys: - - name - x-kubernetes-list-type: map limits: additionalProperties: anyOf: @@ -2589,6 +2635,29 @@ spec: the StorageClass required by the claim. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#class-1' type: string + volumeAttributesClassName: + description: 'volumeAttributesClassName may + be used to set the VolumeAttributesClass used + by this claim. If specified, the CSI driver + will create or update the volume with the + attributes defined in the corresponding VolumeAttributesClass. + This has a different purpose than storageClassName, + it can be changed after the claim is created. + An empty string value means that no VolumeAttributesClass + will be applied to the claim but it''s not + allowed to reset this field to empty string + once it is set. If unspecified and the PersistentVolumeClaim + is unbound, the default VolumeAttributesClass + will be set by the persistentvolume controller + if it exists. If the resource referred to + by volumeAttributesClass does not exist, this + PersistentVolumeClaim will be set to a Pending + state, as reflected by the modifyVolumeStatus + field, until such as a resource exists. More + info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#volumeattributesclass + (Alpha) Using this field requires the VolumeAttributesClass + feature gate to be enabled.' + type: string volumeMode: description: volumeMode defines what type of volume is required by the claim. Value of @@ -2977,6 +3046,107 @@ spec: description: Projection that may be projected along with other supported volume types properties: + clusterTrustBundle: + description: "ClusterTrustBundle allows a pod + to access the `.spec.trustBundle` field of ClusterTrustBundle + objects in an auto-updating file. \n Alpha, + gated by the ClusterTrustBundleProjection feature + gate. \n ClusterTrustBundle objects can either + be selected by name, or by the combination of + signer name and a label selector. \n Kubelet + performs aggressive normalization of the PEM + contents written into the pod filesystem. Esoteric + PEM features such as inter-block comments and + block headers are stripped. Certificates are + deduplicated. The ordering of certificates within + the file is arbitrary, and Kubelet may change + the order over time." + properties: + labelSelector: + description: Select all ClusterTrustBundles + that match this label selector. Only has + effect if signerName is set. Mutually-exclusive + with name. If unset, interpreted as "match + nothing". If set but empty, interpreted + as "match everything". + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The + requirements are ANDed. + items: + description: A label selector requirement + is a selector that contains values, + a key, and an operator that relates + the key and values. + properties: + key: + description: key is the label key + that the selector applies to. + type: string + operator: + description: operator represents + a key's relationship to a set + of values. Valid operators are + In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array + of string values. If the operator + is In or NotIn, the values array + must be non-empty. If the operator + is Exists or DoesNotExist, the + values array must be empty. This + array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator + is "In", and the values array contains + only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + name: + description: Select a single ClusterTrustBundle + by object name. Mutually-exclusive with + signerName and labelSelector. + type: string + optional: + description: If true, don't block pod startup + if the referenced ClusterTrustBundle(s) + aren't available. If using name, then the + named ClusterTrustBundle is allowed not + to exist. If using signerName, then the + combination of signerName and labelSelector + is allowed to match zero ClusterTrustBundles. + type: boolean + path: + description: Relative path from the volume + root to write the bundle. + type: string + signerName: + description: Select all ClusterTrustBundles + that match this signer name. Mutually-exclusive + with name. The contents of all selected + ClusterTrustBundles will be unified and + deduplicated. + type: string + required: + - path + type: object configMap: description: configMap information about the configMap data to project @@ -3718,8 +3888,9 @@ spec: resourceLabels: additionalProperties: type: string - description: ResourceLabels is a set of labels to add to the provisioned - Contour resources. + description: "ResourceLabels is a set of labels to add to the provisioned + Contour resources. \n Deprecated: use Gateway.Spec.Infrastructure.Labels + instead. This field will be removed in a future release." type: object runtimeSettings: description: RuntimeSettings is a ContourConfiguration spec to be @@ -3765,6 +3936,36 @@ spec: description: Cluster holds various configurable Envoy cluster values that can be set in the config file. properties: + circuitBreakers: + description: GlobalCircuitBreakerDefaults specifies default + circuit breaker budget across all services. If defined, + this will be used as the default for all services. + properties: + maxConnections: + description: The maximum number of connections that + a single Envoy instance allows to the Kubernetes + Service; defaults to 1024. + format: int32 + type: integer + maxPendingRequests: + description: The maximum number of pending requests + that a single Envoy instance allows to the Kubernetes + Service; defaults to 1024. + format: int32 + type: integer + maxRequests: + description: The maximum parallel requests a single + Envoy instance allows to the Kubernetes Service; + defaults to 1024 + format: int32 + type: integer + maxRetries: + description: The maximum number of parallel retries + a single Envoy instance allows to the Kubernetes + Service; defaults to 3. + format: int32 + type: integer + type: object dnsLookupFamily: description: "DNSLookupFamily defines how external names are looked up When configured as V4, the DNS resolver @@ -3800,6 +4001,52 @@ spec: format: int32 minimum: 1 type: integer + upstreamTLS: + description: UpstreamTLS contains the TLS policy parameters + for upstream connections + properties: + cipherSuites: + description: "CipherSuites defines the TLS ciphers + to be supported by Envoy TLS listeners when negotiating + TLS 1.2. Ciphers are validated against the set that + Envoy supports by default. This parameter should + only be used by advanced users. Note that these + will be ignored when TLS 1.3 is in use. \n This + field is optional; when it is undefined, a Contour-managed + ciphersuite list will be used, which may be updated + to keep it secure. \n Contour's default list is: + - \"[ECDHE-ECDSA-AES128-GCM-SHA256|ECDHE-ECDSA-CHACHA20-POLY1305]\" + - \"[ECDHE-RSA-AES128-GCM-SHA256|ECDHE-RSA-CHACHA20-POLY1305]\" + - \"ECDHE-ECDSA-AES256-GCM-SHA384\" - \"ECDHE-RSA-AES256-GCM-SHA384\" + \n Ciphers provided are validated against the following + list: - \"[ECDHE-ECDSA-AES128-GCM-SHA256|ECDHE-ECDSA-CHACHA20-POLY1305]\" + - \"[ECDHE-RSA-AES128-GCM-SHA256|ECDHE-RSA-CHACHA20-POLY1305]\" + - \"ECDHE-ECDSA-AES128-GCM-SHA256\" - \"ECDHE-RSA-AES128-GCM-SHA256\" + - \"ECDHE-ECDSA-AES128-SHA\" - \"ECDHE-RSA-AES128-SHA\" + - \"AES128-GCM-SHA256\" - \"AES128-SHA\" - \"ECDHE-ECDSA-AES256-GCM-SHA384\" + - \"ECDHE-RSA-AES256-GCM-SHA384\" - \"ECDHE-ECDSA-AES256-SHA\" + - \"ECDHE-RSA-AES256-SHA\" - \"AES256-GCM-SHA384\" + - \"AES256-SHA\" \n Contour recommends leaving this + undefined unless you are sure you must. \n See: + https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/transport_sockets/tls/v3/common.proto#extensions-transport-sockets-tls-v3-tlsparameters + Note: This list is a superset of what is valid for + stock Envoy builds and those using BoringSSL FIPS." + items: + type: string + type: array + maximumProtocolVersion: + description: "MaximumProtocolVersion is the maximum + TLS version this vhost should negotiate. \n Values: + `1.2`, `1.3`(default). \n Other values will produce + an error." + type: string + minimumProtocolVersion: + description: "MinimumProtocolVersion is the minimum + TLS version this vhost should negotiate. \n Values: + `1.2` (default), `1.3`. \n Other values will produce + an error." + type: string + type: object type: object defaultHTTPVersions: description: "DefaultHTTPVersions defines the default set @@ -7994,6 +8241,17 @@ spec: description: IP is set for load-balancer ingress points that are IP based (typically GCE or OpenStack load-balancers) type: string + ipMode: + description: IPMode specifies how the load-balancer IP behaves, + and may only be specified when the ip field is specified. + Setting this to "VIP" indicates that traffic is delivered + to the node with the destination set to the load-balancer's + IP and port. Setting this to "Proxy" indicates that traffic + is delivered to the node or pod with the destination set + to the node's IP and node port or the pod's IP and port. + Service implementations may use this information to adjust + traffic routing. + type: string ports: description: Ports is a list of records of service ports If used, every port defined in the service should have diff --git a/examples/render/contour.yaml b/examples/render/contour.yaml index 3f24568201b..c7dc925b86d 100644 --- a/examples/render/contour.yaml +++ b/examples/render/contour.yaml @@ -297,6 +297,36 @@ spec: description: Cluster holds various configurable Envoy cluster values that can be set in the config file. properties: + circuitBreakers: + description: GlobalCircuitBreakerDefaults specifies default + circuit breaker budget across all services. If defined, + this will be used as the default for all services. + properties: + maxConnections: + description: The maximum number of connections that a + single Envoy instance allows to the Kubernetes Service; + defaults to 1024. + format: int32 + type: integer + maxPendingRequests: + description: The maximum number of pending requests that + a single Envoy instance allows to the Kubernetes Service; + defaults to 1024. + format: int32 + type: integer + maxRequests: + description: The maximum parallel requests a single Envoy + instance allows to the Kubernetes Service; defaults + to 1024 + format: int32 + type: integer + maxRetries: + description: The maximum number of parallel retries a + single Envoy instance allows to the Kubernetes Service; + defaults to 3. + format: int32 + type: integer + type: object dnsLookupFamily: description: "DNSLookupFamily defines how external names are looked up When configured as V4, the DNS resolver will only @@ -330,6 +360,48 @@ spec: format: int32 minimum: 1 type: integer + upstreamTLS: + description: UpstreamTLS contains the TLS policy parameters + for upstream connections + properties: + cipherSuites: + description: "CipherSuites defines the TLS ciphers to + be supported by Envoy TLS listeners when negotiating + TLS 1.2. Ciphers are validated against the set that + Envoy supports by default. This parameter should only + be used by advanced users. Note that these will be ignored + when TLS 1.3 is in use. \n This field is optional; when + it is undefined, a Contour-managed ciphersuite list + will be used, which may be updated to keep it secure. + \n Contour's default list is: - \"[ECDHE-ECDSA-AES128-GCM-SHA256|ECDHE-ECDSA-CHACHA20-POLY1305]\" + - \"[ECDHE-RSA-AES128-GCM-SHA256|ECDHE-RSA-CHACHA20-POLY1305]\" + - \"ECDHE-ECDSA-AES256-GCM-SHA384\" - \"ECDHE-RSA-AES256-GCM-SHA384\" + \n Ciphers provided are validated against the following + list: - \"[ECDHE-ECDSA-AES128-GCM-SHA256|ECDHE-ECDSA-CHACHA20-POLY1305]\" + - \"[ECDHE-RSA-AES128-GCM-SHA256|ECDHE-RSA-CHACHA20-POLY1305]\" + - \"ECDHE-ECDSA-AES128-GCM-SHA256\" - \"ECDHE-RSA-AES128-GCM-SHA256\" + - \"ECDHE-ECDSA-AES128-SHA\" - \"ECDHE-RSA-AES128-SHA\" + - \"AES128-GCM-SHA256\" - \"AES128-SHA\" - \"ECDHE-ECDSA-AES256-GCM-SHA384\" + - \"ECDHE-RSA-AES256-GCM-SHA384\" - \"ECDHE-ECDSA-AES256-SHA\" + - \"ECDHE-RSA-AES256-SHA\" - \"AES256-GCM-SHA384\" - + \"AES256-SHA\" \n Contour recommends leaving this undefined + unless you are sure you must. \n See: https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/transport_sockets/tls/v3/common.proto#extensions-transport-sockets-tls-v3-tlsparameters + Note: This list is a superset of what is valid for stock + Envoy builds and those using BoringSSL FIPS." + items: + type: string + type: array + maximumProtocolVersion: + description: "MaximumProtocolVersion is the maximum TLS + version this vhost should negotiate. \n Values: `1.2`, + `1.3`(default). \n Other values will produce an error." + type: string + minimumProtocolVersion: + description: "MinimumProtocolVersion is the minimum TLS + version this vhost should negotiate. \n Values: `1.2` + (default), `1.3`. \n Other values will produce an error." + type: string + type: object type: object defaultHTTPVersions: description: "DefaultHTTPVersions defines the default set of HTTPS @@ -2475,32 +2547,6 @@ spec: capacity recorded in the status field of the claim. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#resources' properties: - claims: - description: "Claims lists the names of - resources, defined in spec.resourceClaims, - that are used by this container. \n This - is an alpha field and requires enabling - the DynamicResourceAllocation feature - gate. \n This field is immutable. It can - only be set for containers." - items: - description: ResourceClaim references - one entry in PodSpec.ResourceClaims. - properties: - name: - description: Name must match the name - of one entry in pod.spec.resourceClaims - of the Pod where this field is used. - It makes that resource available - inside a container. - type: string - required: - - name - type: object - type: array - x-kubernetes-list-map-keys: - - name - x-kubernetes-list-type: map limits: additionalProperties: anyOf: @@ -2586,6 +2632,29 @@ spec: the StorageClass required by the claim. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#class-1' type: string + volumeAttributesClassName: + description: 'volumeAttributesClassName may + be used to set the VolumeAttributesClass used + by this claim. If specified, the CSI driver + will create or update the volume with the + attributes defined in the corresponding VolumeAttributesClass. + This has a different purpose than storageClassName, + it can be changed after the claim is created. + An empty string value means that no VolumeAttributesClass + will be applied to the claim but it''s not + allowed to reset this field to empty string + once it is set. If unspecified and the PersistentVolumeClaim + is unbound, the default VolumeAttributesClass + will be set by the persistentvolume controller + if it exists. If the resource referred to + by volumeAttributesClass does not exist, this + PersistentVolumeClaim will be set to a Pending + state, as reflected by the modifyVolumeStatus + field, until such as a resource exists. More + info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#volumeattributesclass + (Alpha) Using this field requires the VolumeAttributesClass + feature gate to be enabled.' + type: string volumeMode: description: volumeMode defines what type of volume is required by the claim. Value of @@ -2974,6 +3043,107 @@ spec: description: Projection that may be projected along with other supported volume types properties: + clusterTrustBundle: + description: "ClusterTrustBundle allows a pod + to access the `.spec.trustBundle` field of ClusterTrustBundle + objects in an auto-updating file. \n Alpha, + gated by the ClusterTrustBundleProjection feature + gate. \n ClusterTrustBundle objects can either + be selected by name, or by the combination of + signer name and a label selector. \n Kubelet + performs aggressive normalization of the PEM + contents written into the pod filesystem. Esoteric + PEM features such as inter-block comments and + block headers are stripped. Certificates are + deduplicated. The ordering of certificates within + the file is arbitrary, and Kubelet may change + the order over time." + properties: + labelSelector: + description: Select all ClusterTrustBundles + that match this label selector. Only has + effect if signerName is set. Mutually-exclusive + with name. If unset, interpreted as "match + nothing". If set but empty, interpreted + as "match everything". + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The + requirements are ANDed. + items: + description: A label selector requirement + is a selector that contains values, + a key, and an operator that relates + the key and values. + properties: + key: + description: key is the label key + that the selector applies to. + type: string + operator: + description: operator represents + a key's relationship to a set + of values. Valid operators are + In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array + of string values. If the operator + is In or NotIn, the values array + must be non-empty. If the operator + is Exists or DoesNotExist, the + values array must be empty. This + array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator + is "In", and the values array contains + only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + name: + description: Select a single ClusterTrustBundle + by object name. Mutually-exclusive with + signerName and labelSelector. + type: string + optional: + description: If true, don't block pod startup + if the referenced ClusterTrustBundle(s) + aren't available. If using name, then the + named ClusterTrustBundle is allowed not + to exist. If using signerName, then the + combination of signerName and labelSelector + is allowed to match zero ClusterTrustBundles. + type: boolean + path: + description: Relative path from the volume + root to write the bundle. + type: string + signerName: + description: Select all ClusterTrustBundles + that match this signer name. Mutually-exclusive + with name. The contents of all selected + ClusterTrustBundles will be unified and + deduplicated. + type: string + required: + - path + type: object configMap: description: configMap information about the configMap data to project @@ -3715,8 +3885,9 @@ spec: resourceLabels: additionalProperties: type: string - description: ResourceLabels is a set of labels to add to the provisioned - Contour resources. + description: "ResourceLabels is a set of labels to add to the provisioned + Contour resources. \n Deprecated: use Gateway.Spec.Infrastructure.Labels + instead. This field will be removed in a future release." type: object runtimeSettings: description: RuntimeSettings is a ContourConfiguration spec to be @@ -3762,6 +3933,36 @@ spec: description: Cluster holds various configurable Envoy cluster values that can be set in the config file. properties: + circuitBreakers: + description: GlobalCircuitBreakerDefaults specifies default + circuit breaker budget across all services. If defined, + this will be used as the default for all services. + properties: + maxConnections: + description: The maximum number of connections that + a single Envoy instance allows to the Kubernetes + Service; defaults to 1024. + format: int32 + type: integer + maxPendingRequests: + description: The maximum number of pending requests + that a single Envoy instance allows to the Kubernetes + Service; defaults to 1024. + format: int32 + type: integer + maxRequests: + description: The maximum parallel requests a single + Envoy instance allows to the Kubernetes Service; + defaults to 1024 + format: int32 + type: integer + maxRetries: + description: The maximum number of parallel retries + a single Envoy instance allows to the Kubernetes + Service; defaults to 3. + format: int32 + type: integer + type: object dnsLookupFamily: description: "DNSLookupFamily defines how external names are looked up When configured as V4, the DNS resolver @@ -3797,6 +3998,52 @@ spec: format: int32 minimum: 1 type: integer + upstreamTLS: + description: UpstreamTLS contains the TLS policy parameters + for upstream connections + properties: + cipherSuites: + description: "CipherSuites defines the TLS ciphers + to be supported by Envoy TLS listeners when negotiating + TLS 1.2. Ciphers are validated against the set that + Envoy supports by default. This parameter should + only be used by advanced users. Note that these + will be ignored when TLS 1.3 is in use. \n This + field is optional; when it is undefined, a Contour-managed + ciphersuite list will be used, which may be updated + to keep it secure. \n Contour's default list is: + - \"[ECDHE-ECDSA-AES128-GCM-SHA256|ECDHE-ECDSA-CHACHA20-POLY1305]\" + - \"[ECDHE-RSA-AES128-GCM-SHA256|ECDHE-RSA-CHACHA20-POLY1305]\" + - \"ECDHE-ECDSA-AES256-GCM-SHA384\" - \"ECDHE-RSA-AES256-GCM-SHA384\" + \n Ciphers provided are validated against the following + list: - \"[ECDHE-ECDSA-AES128-GCM-SHA256|ECDHE-ECDSA-CHACHA20-POLY1305]\" + - \"[ECDHE-RSA-AES128-GCM-SHA256|ECDHE-RSA-CHACHA20-POLY1305]\" + - \"ECDHE-ECDSA-AES128-GCM-SHA256\" - \"ECDHE-RSA-AES128-GCM-SHA256\" + - \"ECDHE-ECDSA-AES128-SHA\" - \"ECDHE-RSA-AES128-SHA\" + - \"AES128-GCM-SHA256\" - \"AES128-SHA\" - \"ECDHE-ECDSA-AES256-GCM-SHA384\" + - \"ECDHE-RSA-AES256-GCM-SHA384\" - \"ECDHE-ECDSA-AES256-SHA\" + - \"ECDHE-RSA-AES256-SHA\" - \"AES256-GCM-SHA384\" + - \"AES256-SHA\" \n Contour recommends leaving this + undefined unless you are sure you must. \n See: + https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/transport_sockets/tls/v3/common.proto#extensions-transport-sockets-tls-v3-tlsparameters + Note: This list is a superset of what is valid for + stock Envoy builds and those using BoringSSL FIPS." + items: + type: string + type: array + maximumProtocolVersion: + description: "MaximumProtocolVersion is the maximum + TLS version this vhost should negotiate. \n Values: + `1.2`, `1.3`(default). \n Other values will produce + an error." + type: string + minimumProtocolVersion: + description: "MinimumProtocolVersion is the minimum + TLS version this vhost should negotiate. \n Values: + `1.2` (default), `1.3`. \n Other values will produce + an error." + type: string + type: object type: object defaultHTTPVersions: description: "DefaultHTTPVersions defines the default set @@ -7991,6 +8238,17 @@ spec: description: IP is set for load-balancer ingress points that are IP based (typically GCE or OpenStack load-balancers) type: string + ipMode: + description: IPMode specifies how the load-balancer IP behaves, + and may only be specified when the ip field is specified. + Setting this to "VIP" indicates that traffic is delivered + to the node with the destination set to the load-balancer's + IP and port. Setting this to "Proxy" indicates that traffic + is delivered to the node or pod with the destination set + to the node's IP and node port or the pod's IP and port. + Service implementations may use this information to adjust + traffic routing. + type: string ports: description: Ports is a list of records of service ports If used, every port defined in the service should have diff --git a/go.mod b/go.mod index 86ce15b5b15..9d87f0bd8aa 100644 --- a/go.mod +++ b/go.mod @@ -8,42 +8,42 @@ require ( github.com/ahmetb/gen-crd-api-reference-docs v0.3.0 github.com/alecthomas/kingpin/v2 v2.4.0 github.com/bombsimon/logrusr/v4 v4.1.0 - github.com/cert-manager/cert-manager v1.13.2 + github.com/cert-manager/cert-manager v1.13.3 github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc github.com/distribution/reference v0.5.0 - github.com/envoyproxy/go-control-plane v0.11.2-0.20231019082134-6e4589f570e1 - github.com/go-logr/logr v1.3.0 + github.com/envoyproxy/go-control-plane v0.12.0 + github.com/go-logr/logr v1.4.1 github.com/google/go-cmp v0.6.0 github.com/google/go-github/v48 v48.2.0 - github.com/google/uuid v1.4.0 + github.com/google/uuid v1.5.0 github.com/grpc-ecosystem/go-grpc-middleware v1.4.0 github.com/grpc-ecosystem/go-grpc-prometheus v1.2.0 - github.com/onsi/ginkgo/v2 v2.13.1 + github.com/onsi/ginkgo/v2 v2.13.2 github.com/onsi/gomega v1.30.0 github.com/projectcontour/yages v0.1.0 - github.com/prometheus/client_golang v1.17.0 + github.com/prometheus/client_golang v1.18.0 github.com/prometheus/client_model v0.5.0 github.com/prometheus/common v0.45.0 github.com/sirupsen/logrus v1.9.3 github.com/stretchr/testify v1.8.4 github.com/tsaarni/certyaml v0.9.2 - github.com/vektra/mockery/v2 v2.37.1 + github.com/vektra/mockery/v2 v2.39.1 go.uber.org/automaxprocs v1.5.3 - golang.org/x/oauth2 v0.14.0 + golang.org/x/oauth2 v0.15.0 gonum.org/v1/plot v0.14.0 - google.golang.org/genproto/googleapis/rpc v0.0.0-20230911183012-2d3300fd4832 - google.golang.org/grpc v1.59.0 - google.golang.org/protobuf v1.31.0 + google.golang.org/genproto/googleapis/rpc v0.0.0-20231002182017-d307bd883b97 + google.golang.org/grpc v1.60.1 + google.golang.org/protobuf v1.32.0 gopkg.in/yaml.v3 v3.0.1 - k8s.io/api v0.28.4 - k8s.io/apiextensions-apiserver v0.28.4 - k8s.io/apimachinery v0.28.4 - k8s.io/client-go v0.28.4 + k8s.io/api v0.29.0 + k8s.io/apiextensions-apiserver v0.29.0 + k8s.io/apimachinery v0.29.0 + k8s.io/client-go v0.29.0 k8s.io/klog/v2 v2.110.1 sigs.k8s.io/controller-runtime v0.16.3 sigs.k8s.io/controller-tools v0.13.0 sigs.k8s.io/gateway-api v1.0.0 - sigs.k8s.io/kustomize/kyaml v0.15.0 + sigs.k8s.io/kustomize/kyaml v0.16.0 sigs.k8s.io/yaml v1.4.0 ) @@ -55,7 +55,7 @@ require ( github.com/campoy/embedmd v1.0.0 // indirect github.com/census-instrumentation/opencensus-proto v0.4.1 // indirect github.com/cespare/xxhash/v2 v2.2.0 // indirect - github.com/chigopher/pathlib v0.15.0 // indirect + github.com/chigopher/pathlib v0.19.1 // indirect github.com/cncf/xds/go v0.0.0-20230607035331-e9ce68804cb4 // indirect github.com/emicklei/go-restful/v3 v3.11.0 // indirect github.com/envoyproxy/protoc-gen-validate v1.0.2 // indirect @@ -81,6 +81,7 @@ require ( github.com/google/go-querystring v1.1.0 // indirect github.com/google/gofuzz v1.2.0 // indirect github.com/google/pprof v0.0.0-20210720184732-4bb14d4b1be1 // indirect + github.com/gorilla/websocket v1.5.0 // indirect github.com/hashicorp/hcl v1.0.1-vault-5 // indirect github.com/huandu/xstrings v1.4.0 // indirect github.com/iancoleman/strcase v0.2.0 // indirect @@ -100,6 +101,7 @@ require ( github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect github.com/modern-go/reflect2 v1.0.2 // indirect github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect + github.com/mxk/go-flowrate v0.0.0-20140419014527-cca7078d478f // indirect github.com/opencontainers/go-digest v1.0.0 // indirect github.com/pelletier/go-toml/v2 v2.0.6 // indirect github.com/pkg/errors v0.9.1 // indirect @@ -117,28 +119,29 @@ require ( github.com/subosito/gotenv v1.4.2 // indirect github.com/tsaarni/x500dn v1.0.0 // indirect github.com/xhit/go-str2duration/v2 v2.1.0 // indirect - golang.org/x/crypto v0.15.0 // indirect + go.uber.org/goleak v1.3.0 // indirect + golang.org/x/crypto v0.17.0 // indirect golang.org/x/exp v0.0.0-20231006140011-7918f672742d // indirect golang.org/x/image v0.11.0 // indirect golang.org/x/mod v0.13.0 // indirect - golang.org/x/net v0.18.0 // indirect - golang.org/x/sys v0.14.0 // indirect - golang.org/x/term v0.14.0 // indirect + golang.org/x/net v0.19.0 // indirect + golang.org/x/sys v0.15.0 // indirect + golang.org/x/term v0.15.0 // indirect golang.org/x/text v0.14.0 // indirect golang.org/x/time v0.3.0 // indirect golang.org/x/tools v0.14.0 // indirect gomodules.xyz/jsonpatch/v2 v2.4.0 // indirect google.golang.org/appengine v1.6.8 // indirect - google.golang.org/genproto v0.0.0-20230822172742-b8732ec3820d // indirect - google.golang.org/genproto/googleapis/api v0.0.0-20230822172742-b8732ec3820d // indirect + google.golang.org/genproto v0.0.0-20231002182017-d307bd883b97 // indirect + google.golang.org/genproto/googleapis/api v0.0.0-20231002182017-d307bd883b97 // indirect gopkg.in/inf.v0 v0.9.1 // indirect gopkg.in/ini.v1 v1.67.0 // indirect gopkg.in/yaml.v2 v2.4.0 // indirect - k8s.io/component-base v0.28.4 // indirect + k8s.io/component-base v0.29.0 // indirect k8s.io/gengo v0.0.0-20230829151522-9cce18d56c01 // indirect k8s.io/klog v1.0.0 // indirect k8s.io/kube-openapi v0.0.0-20231010175941-2dd684a91f00 // indirect k8s.io/utils v0.0.0-20230726121419-3b25d923346b // indirect sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd // indirect - sigs.k8s.io/structured-merge-diff/v4 v4.3.0 // indirect + sigs.k8s.io/structured-merge-diff/v4 v4.4.1 // indirect ) diff --git a/go.sum b/go.sum index f57b1c76860..5d0a32114e9 100644 --- a/go.sum +++ b/go.sum @@ -68,12 +68,12 @@ github.com/campoy/embedmd v1.0.0/go.mod h1:oxyr9RCiSXg0M3VJ3ks0UGfp98BpSSGr0kpiX github.com/census-instrumentation/opencensus-proto v0.2.1/go.mod h1:f6KPmirojxKA12rnyqOA5BBL4O983OfeGPqjHWSTneU= github.com/census-instrumentation/opencensus-proto v0.4.1 h1:iKLQ0xPNFxR/2hzXZMrBo8f1j86j5WHzznCCQxV/b8g= github.com/census-instrumentation/opencensus-proto v0.4.1/go.mod h1:4T9NM4+4Vw91VeyqjLS6ao50K5bOcLKN6Q42XnYaRYw= -github.com/cert-manager/cert-manager v1.13.2 h1:LG8+OLvxtc49CSyfjW7zHSyvlt7JVaHgRGyhfdvPpkk= -github.com/cert-manager/cert-manager v1.13.2/go.mod h1:AdfSU8muS+bj3C46YaD1VrlpXh672z5MeW/k1k5Sl1w= +github.com/cert-manager/cert-manager v1.13.3 h1:3R4G0RI7K0OkTZhWlVOC5SGZMYa2NwqmQJoyKydrz/M= +github.com/cert-manager/cert-manager v1.13.3/go.mod h1:BM2+Pt/NmSv1Zr25/MHv6BgIEF9IUxA1xAjp80qkxgc= github.com/cespare/xxhash/v2 v2.2.0 h1:DC2CZ1Ep5Y4k3ZQ899DldepgrayRUGE6BBZ/cd9Cj44= github.com/cespare/xxhash/v2 v2.2.0/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs= -github.com/chigopher/pathlib v0.15.0 h1:1pg96WL3iC1/YyWV4UJSl3E0GBf4B+h5amBtsbAAieY= -github.com/chigopher/pathlib v0.15.0/go.mod h1:3+YPPV21mU9vyw8Mjp+F33CyCfE6iOzinpiqBcccv7I= +github.com/chigopher/pathlib v0.19.1 h1:RoLlUJc0CqBGwq239cilyhxPNLXTK+HXoASGyGznx5A= +github.com/chigopher/pathlib v0.19.1/go.mod h1:tzC1dZLW8o33UQpWkNkhvPwL5n4yyFRFm/jL1YGWFvY= github.com/chzyer/logex v1.1.10/go.mod h1:+Ywpsq7O8HXn0nuIou7OrIPyXbp3wmkHB+jjWRnGsAI= github.com/chzyer/readline v0.0.0-20180603132655-2972be24d48e/go.mod h1:nSuG5e5PlCu98SY8svDHJxuZscDgtXS6KTTbou5AhLI= github.com/chzyer/test v0.0.0-20180213035817-a1ea475d72b1/go.mod h1:Q3SI9o4m/ZMnBNeIyt5eFwwo7qiLfzFZmjNmxjkiQlU= @@ -99,8 +99,8 @@ github.com/envoyproxy/go-control-plane v0.9.1-0.20191026205805-5f8ba28d4473/go.m github.com/envoyproxy/go-control-plane v0.9.4/go.mod h1:6rpuAdCZL397s3pYoYcLgu1mIlRU8Am5FuJP05cCM98= github.com/envoyproxy/go-control-plane v0.9.7/go.mod h1:cwu0lG7PUMfa9snN8LXBig5ynNVH9qI8YYLbd1fK2po= github.com/envoyproxy/go-control-plane v0.9.9-0.20201210154907-fd9021fe5dad/go.mod h1:cXg6YxExXjJnVBQHBLXeUAgxn2UodCpnH306RInaBQk= -github.com/envoyproxy/go-control-plane v0.11.2-0.20231019082134-6e4589f570e1 h1:i/XN+pZrv2iM+Czc4o4tP6UzUJoOxjNI9gQdE1vIjd0= -github.com/envoyproxy/go-control-plane v0.11.2-0.20231019082134-6e4589f570e1/go.mod h1:3X10o7QcAVxP4y/hnTLgkXLwuZV2DxAEh6uaYD5PoxI= +github.com/envoyproxy/go-control-plane v0.12.0 h1:4X+VP1GHd1Mhj6IB5mMeGbLCleqxjletLK6K0rbxyZI= +github.com/envoyproxy/go-control-plane v0.12.0/go.mod h1:ZBTaoJ23lqITozF0M6G4/IragXCQKCnYbmlmtHvwRG0= github.com/envoyproxy/protoc-gen-validate v0.1.0/go.mod h1:iSmxcyjqTsJpI2R4NaDN7+kN2VEUnK/pcBlmesArF7c= github.com/envoyproxy/protoc-gen-validate v1.0.2 h1:QkIBuU5k+x7/QXPvPPnWXWlCdaBFApVqftFV6k087DA= github.com/envoyproxy/protoc-gen-validate v1.0.2/go.mod h1:GpiZQP3dDbg4JouG/NNS7QWXpgx6x8QiMKdmN72jogE= @@ -133,8 +133,9 @@ github.com/go-latex/latex v0.0.0-20230307184459-12ec69307ad9/go.mod h1:gWuR/CrFD github.com/go-logfmt/logfmt v0.5.0/go.mod h1:wCYkCAKZfumFQihp8CzCvQ3paCTfi41vtzG1KdI/P7A= github.com/go-logr/logr v0.1.0/go.mod h1:ixOQHD9gLJUVQQ2ZOR7zLEifBX6tGkNJF4QyIY7sIas= github.com/go-logr/logr v0.2.0/go.mod h1:z6/tIYblkpsD+a4lm/fGIIU9mZ+XfAiaFtq7xTgseGU= -github.com/go-logr/logr v1.3.0 h1:2y3SDp0ZXuc6/cjLSZ+Q3ir+QB9T/iG5yYRXqsagWSY= github.com/go-logr/logr v1.3.0/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY= +github.com/go-logr/logr v1.4.1 h1:pKouT5E8xu9zeFC39JXRDukb6JFQPXM5p5I91188VAQ= +github.com/go-logr/logr v1.4.1/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY= github.com/go-logr/zapr v1.2.4 h1:QHVo+6stLbfJmYGkQ7uGHUCu5hnAFAj6mDe6Ea0SeOo= github.com/go-logr/zapr v1.2.4/go.mod h1:FyHWQIzQORZ0QVE1BtVHv3cKtNLuXsbNLtpuhNapBOA= github.com/go-openapi/jsonpointer v0.19.6/go.mod h1:osyAmYz/mB/C3I+WsTTSgw1ONzaLJoLCyoi6/zppojs= @@ -230,12 +231,14 @@ github.com/google/pprof v0.0.0-20210720184732-4bb14d4b1be1 h1:K6RDEckDVWvDI9JAJY github.com/google/pprof v0.0.0-20210720184732-4bb14d4b1be1/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE= github.com/google/renameio v0.1.0/go.mod h1:KWCgfxg9yswjAJkECMjeO8J8rahYeXnNhOm40UhjYkI= github.com/google/uuid v1.1.2/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= -github.com/google/uuid v1.4.0 h1:MtMxsa51/r9yyhkyLsVeVt0B+BGQZzpQiTQ4eHZ8bc4= -github.com/google/uuid v1.4.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= +github.com/google/uuid v1.5.0 h1:1p67kYwdtXjb0gL0BPiP1Av9wiZPo5A8z2cWkTZ+eyU= +github.com/google/uuid v1.5.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= github.com/googleapis/gax-go/v2 v2.0.4/go.mod h1:0Wqv26UfaUD9n4G6kQubkQ+KchISgw+vpHVxEJEs9eg= github.com/googleapis/gax-go/v2 v2.0.5/go.mod h1:DWXyrwAJ9X0FpwwEdw+IPEYBICEFu5mhpdKc/us6bOk= github.com/googleapis/google-cloud-go-testing v0.0.0-20200911160855-bcd43fbb19e8/go.mod h1:dvDLG8qkwmyD9a/MJJN3XJcT3xFxOKAvTZGvuZmac9g= github.com/gorilla/websocket v1.4.2/go.mod h1:YR8l580nyteQvAITg2hZ9XVh4b55+EU/adAjf1fMHhE= +github.com/gorilla/websocket v1.5.0 h1:PPwGk2jz7EePpoHN/+ClbZu8SPxiqlu12wZP/3sWmnc= +github.com/gorilla/websocket v1.5.0/go.mod h1:YR8l580nyteQvAITg2hZ9XVh4b55+EU/adAjf1fMHhE= github.com/grpc-ecosystem/go-grpc-middleware v1.4.0 h1:UH//fgunKIs4JdUbpDl1VZCDaL56wXCB/5+wF6uHfaI= github.com/grpc-ecosystem/go-grpc-middleware v1.4.0/go.mod h1:g5qyo/la0ALbONm6Vbp88Yd8NsDy6rZz+RcrMPxvld8= github.com/grpc-ecosystem/go-grpc-prometheus v1.2.0 h1:Ovs26xHkKqVztRpIrF/92BcuyuQ/YW4NSIpoGtfXNho= @@ -301,12 +304,14 @@ github.com/modern-go/reflect2 v1.0.2 h1:xBagoLtFs94CBntxluKeaWgTMpvLxC4ur3nMaC9G github.com/modern-go/reflect2 v1.0.2/go.mod h1:yWuevngMOJpCy52FWWMvUC8ws7m/LJsjYzDa0/r8luk= github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 h1:C3w9PqII01/Oq1c1nUAm88MOHcQC9l5mIlSMApZMrHA= github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822/go.mod h1:+n7T8mK8HuQTcFwEeznm/DIxMOiR9yIdICNftLE1DvQ= +github.com/mxk/go-flowrate v0.0.0-20140419014527-cca7078d478f h1:y5//uYreIhSUg3J1GEMiLbxo1LJaP8RfCpH6pymGZus= +github.com/mxk/go-flowrate v0.0.0-20140419014527-cca7078d478f/go.mod h1:ZdcZmHo+o7JKHSa8/e818NopupXU1YMK5fe1lsApnBw= github.com/nxadm/tail v1.4.8 h1:nPr65rt6Y5JFSKQO7qToXr7pePgD6Gwiw05lkbyAQTE= github.com/nxadm/tail v1.4.8/go.mod h1:+ncqLTQzXmGhMZNUePPaPqPvBxHAIsmXswZKocGu+AU= github.com/onsi/ginkgo v1.16.5 h1:8xi0RTUf59SOSfEtZMvwTvXYMzG4gV23XVHOZiXNtnE= github.com/onsi/ginkgo v1.16.5/go.mod h1:+E8gABHa3K6zRBolWtd+ROzc/U5bkGt0FwiG042wbpU= -github.com/onsi/ginkgo/v2 v2.13.1 h1:LNGfMbR2OVGBfXjvRZIZ2YCTQdGKtPLvuI1rMCCj3OU= -github.com/onsi/ginkgo/v2 v2.13.1/go.mod h1:XStQ8QcGwLyF4HdfcZB8SFOS/MWCgDuXMSBe6zrvLgM= +github.com/onsi/ginkgo/v2 v2.13.2 h1:Bi2gGVkfn6gQcjNjZJVO8Gf0FHzMPf2phUei9tejVMs= +github.com/onsi/ginkgo/v2 v2.13.2/go.mod h1:XStQ8QcGwLyF4HdfcZB8SFOS/MWCgDuXMSBe6zrvLgM= github.com/onsi/gomega v1.30.0 h1:hvMK7xYz4D3HapigLTeGdId/NcfQx1VHMJc60ew99+8= github.com/onsi/gomega v1.30.0/go.mod h1:9sxs+SwGrKI0+PWe4Fxa9tFQQBG5xSsSbMXOI8PPpoQ= github.com/opencontainers/go-digest v1.0.0 h1:apOUWs51W5PlhuyGyz9FCeeBIOUDA/6nW8Oi/yOhh5U= @@ -325,8 +330,8 @@ github.com/prashantv/gostub v1.1.0 h1:BTyx3RfQjRHnUWaGF9oQos79AlQ5k8WNktv7VGvVH4 github.com/prashantv/gostub v1.1.0/go.mod h1:A5zLQHz7ieHGG7is6LLXLz7I8+3LZzsrV0P1IAHhP5U= github.com/projectcontour/yages v0.1.0 h1:vcFpregOq5TVF0/AXLive1MY4CVMDkgL7/+qbUeIbDs= github.com/projectcontour/yages v0.1.0/go.mod h1:pcJrPa3dP17HwGj2YOfBZ4w5WmC1rSpv/X/sV4wauSw= -github.com/prometheus/client_golang v1.17.0 h1:rl2sfwZMtSthVU752MqfjQozy7blglC+1SOtjMAMh+Q= -github.com/prometheus/client_golang v1.17.0/go.mod h1:VeL+gMmOAxkS2IqfCq0ZmHSL+LjWfWDUmp1mBz9JgUY= +github.com/prometheus/client_golang v1.18.0 h1:HzFfmkOzH5Q8L8G+kSJKUx5dtG87sewO+FoDDqP5Tbk= +github.com/prometheus/client_golang v1.18.0/go.mod h1:T+GXkCk5wSJyOqMIzVgvvjFDlkOQntgjkJWKrN5txjA= github.com/prometheus/client_model v0.0.0-20190812154241-14fe0d1b01d4/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA= github.com/prometheus/client_model v0.5.0 h1:VQw1hfvPvk3Uv6Qf29VrPF32JB6rtbgI6cYPYQjL0Qw= github.com/prometheus/client_model v0.5.0/go.mod h1:dTiFglRmd66nLR9Pv9f0mZi7B7fk5Pm3gvsjB5tr+kI= @@ -381,8 +386,8 @@ github.com/tsaarni/certyaml v0.9.2 h1:LoRTuajwjJ1CHAJiMv5cpOtwQ05207Oqe6cT9D7WDa github.com/tsaarni/certyaml v0.9.2/go.mod h1:s+ErAC1wZ32r1ihSULvR7HXedKKN5HZasdb8Cj8gT9E= github.com/tsaarni/x500dn v1.0.0 h1:LvaWTkqRpse4VHBhB5uwf3wytokK4vF9IOyNAEyiA+U= github.com/tsaarni/x500dn v1.0.0/go.mod h1:QaHa3EcUKC4dfCAZmj8+ZRGLKukWgpGv9H3oOCsAbcE= -github.com/vektra/mockery/v2 v2.37.1 h1:UxNLZqcGEeDAnWZBV6vM5XyLyN1IWGOSTsHquFcOiL0= -github.com/vektra/mockery/v2 v2.37.1/go.mod h1:diB13hxXG6QrTR0ol2Rk8s2dRMftzvExSvPDKr+IYKk= +github.com/vektra/mockery/v2 v2.39.1 h1:zgnW69s+351ZF/L+O5pO64MpVP96aDtw8jwOGvGXzwU= +github.com/vektra/mockery/v2 v2.39.1/go.mod h1:dPzGtjT0/Uu4hqpF6QNHwz+GLago7lq1bxdj9wHbGKo= github.com/xhit/go-str2duration/v2 v2.1.0 h1:lxklc02Drh6ynqX+DdPyp5pCKLUQpRT8bp8Ydu2Bstc= github.com/xhit/go-str2duration/v2 v2.1.0/go.mod h1:ohY8p+0f07DiV6Em5LKB0s2YpLtXVyJfNt1+BlmyAsU= github.com/yuin/goldmark v1.1.25/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74= @@ -400,8 +405,8 @@ go.uber.org/atomic v1.7.0/go.mod h1:fEN4uk6kAWBTFdckzkM89CLk9XfWZrxpCo0nPH17wJc= go.uber.org/automaxprocs v1.5.3 h1:kWazyxZUrS3Gs4qUpbwo5kEIMGe/DAvi5Z4tl2NW4j8= go.uber.org/automaxprocs v1.5.3/go.mod h1:eRbA25aqJrxAbsLO0xy5jVwPt7FQnRgjW+efnwa1WM0= go.uber.org/goleak v1.1.10/go.mod h1:8a7PlsEVH3e/a/GLqe5IIrQx6GzcnRmZEufDUTk4A7A= -go.uber.org/goleak v1.2.1 h1:NBol2c7O1ZokfZ0LEU9K6Whx/KnwvepVetCUhtKja4A= -go.uber.org/goleak v1.2.1/go.mod h1:qlT2yGI9QafXHhZZLxlSuNsMw3FFLxBr+tBRlmO1xH4= +go.uber.org/goleak v1.3.0 h1:2K3zAYmnTNqV73imy9J1T3WC+gmCePx2hEGkimedGto= +go.uber.org/goleak v1.3.0/go.mod h1:CoHD4mav9JJNrW/WLlf7HGZPjdw8EucARQHekz1X6bE= go.uber.org/multierr v1.6.0/go.mod h1:cdWPpRnG4AhwMwsgIHip0KRBQjJy5kYEpYjJxpXp9iU= go.uber.org/multierr v1.11.0 h1:blXXJkSxSSfBVBlC76pxqeO+LN3aDfLQo+309xJstO0= go.uber.org/multierr v1.11.0/go.mod h1:20+QtiLqy0Nd6FdQB9TLXag12DsQkrbs3htMFfDN80Y= @@ -416,8 +421,8 @@ golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPh golang.org/x/crypto v0.0.0-20210421170649-83a5a9bb288b/go.mod h1:T9bdIzuCu7OtxOm1hfPfRQxPLYneinmdGuTeoZ9dtd4= golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc= golang.org/x/crypto v0.0.0-20211108221036-ceb1ce70b4fa/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc= -golang.org/x/crypto v0.15.0 h1:frVn1TEaCEaZcn3Tmd7Y2b5KKPaZ+I32Q2OA3kYp5TA= -golang.org/x/crypto v0.15.0/go.mod h1:4ChreQoLWfG3xLDer1WdlH5NdlQ3+mwnQq1YTKY+72g= +golang.org/x/crypto v0.17.0 h1:r8bRNjWL3GshPW3gkd+RpvzWrZAwPS49OmTGZ/uhM4k= +golang.org/x/crypto v0.17.0/go.mod h1:gCAAfMLgwOJRpTjQ2zCCt2OcSfYMTeZVSRtQlPC7Nq4= golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= golang.org/x/exp v0.0.0-20190306152737-a1d7652674e8/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= golang.org/x/exp v0.0.0-20190510132918-efd6b22b2522/go.mod h1:ZjyILWgesfNpC6sMxTJOJm9Kp84zZh5NQWvqDGG3Qr8= @@ -492,8 +497,8 @@ golang.org/x/net v0.0.0-20201224014010-6772e930b67b/go.mod h1:m0MpNAwzfU5UDzcl9v golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg= golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c= golang.org/x/net v0.6.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs= -golang.org/x/net v0.18.0 h1:mIYleuAkSbHh0tCv7RvjL3F6ZVbLjq4+R7zbOn3Kokg= -golang.org/x/net v0.18.0/go.mod h1:/czyP5RqHAH4odGYxBJ1qz0+CE5WZ+2j1YgoEo8F2jQ= +golang.org/x/net v0.19.0 h1:zTwKpTd2XuCqf8huc7Fo2iSy+4RHPd10s4KzeTnVr1c= +golang.org/x/net v0.19.0/go.mod h1:CfAk/cbD4CthTvqiEl8NpboMuiuOYsAr/7NOjZJtv1U= golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U= golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= @@ -503,8 +508,8 @@ golang.org/x/oauth2 v0.0.0-20200902213428-5d25da1a8d43/go.mod h1:KelEdhl1UZF7XfJ golang.org/x/oauth2 v0.0.0-20201109201403-9fd604954f58/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A= golang.org/x/oauth2 v0.0.0-20201208152858-08078c50e5b5/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A= golang.org/x/oauth2 v0.0.0-20210218202405-ba52d332ba99/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A= -golang.org/x/oauth2 v0.14.0 h1:P0Vrf/2538nmC0H+pEQ3MNFRRnVR7RlqyVw+bvm26z0= -golang.org/x/oauth2 v0.14.0/go.mod h1:lAtNWgaWfL4cm7j2OV8TxGi9Qb7ECORx8DktCY74OwM= +golang.org/x/oauth2 v0.15.0 h1:s8pnnxNVzjWyrvYdFUQq5llS1PX2zhPXmccZv99h7uQ= +golang.org/x/oauth2 v0.15.0/go.mod h1:q48ptWNTY5XWf+JNten23lcvHpLJ0ZSxF5ttTHKVCAM= golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20181221193216-37e7f081c4d4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= @@ -562,13 +567,13 @@ golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8/go.mod h1:oPkhp1MJrh7nUepCBc golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20220811171246-fbc7d0a398ab/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.14.0 h1:Vz7Qs629MkJkGyHxUlRHizWJRG2j8fbQKjELVSNhy7Q= -golang.org/x/sys v0.14.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= +golang.org/x/sys v0.15.0 h1:h48lPFYpsTvQJZF4EKyI4aLHaev3CxivZmv7yZig9pc= +golang.org/x/sys v0.15.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo= golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8= golang.org/x/term v0.5.0/go.mod h1:jMB1sMXY+tzblOD4FWmEbocvup2/aLOaQEp7JmGp78k= -golang.org/x/term v0.14.0 h1:LGK9IlZ8T9jvdy6cTdfKUCltatMFOehAQo9SRC46UQ8= -golang.org/x/term v0.14.0/go.mod h1:TySc+nGkYR6qt8km8wUhuFRTVSMIX3XPR58y2lC8vww= +golang.org/x/term v0.15.0 h1:y/Oo/a/q3IXu26lQgl04j/gjuBDOBlx7X6Om1j2CPW4= +golang.org/x/term v0.15.0/go.mod h1:BDl952bC7+uMoWR75FIrCDx79TPU9oHkTZ9yRbYOrX0= golang.org/x/text v0.0.0-20170915032832-14c0d48ead0c/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= golang.org/x/text v0.3.1-0.20180807135948-17ff2d5776d2/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= @@ -716,12 +721,12 @@ google.golang.org/genproto v0.0.0-20201210142538-e3217bee35cc/go.mod h1:FWY/as6D google.golang.org/genproto v0.0.0-20201214200347-8c77b98c765d/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= google.golang.org/genproto v0.0.0-20210108203827-ffc7fda8c3d7/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= google.golang.org/genproto v0.0.0-20210226172003-ab064af71705/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= -google.golang.org/genproto v0.0.0-20230822172742-b8732ec3820d h1:VBu5YqKPv6XiJ199exd8Br+Aetz+o08F+PLMnwJQHAY= -google.golang.org/genproto v0.0.0-20230822172742-b8732ec3820d/go.mod h1:yZTlhN0tQnXo3h00fuXNCxJdLdIdnVFVBaRJ5LWBbw4= -google.golang.org/genproto/googleapis/api v0.0.0-20230822172742-b8732ec3820d h1:DoPTO70H+bcDXcd39vOqb2viZxgqeBeSGtZ55yZU4/Q= -google.golang.org/genproto/googleapis/api v0.0.0-20230822172742-b8732ec3820d/go.mod h1:KjSP20unUpOx5kyQUFa7k4OJg0qeJ7DEZflGDu2p6Bk= -google.golang.org/genproto/googleapis/rpc v0.0.0-20230911183012-2d3300fd4832 h1:o4LtQxebKIJ4vkzyhtD2rfUNZ20Zf0ik5YVP5E7G7VE= -google.golang.org/genproto/googleapis/rpc v0.0.0-20230911183012-2d3300fd4832/go.mod h1:+Bk1OCOj40wS2hwAMA+aCW9ypzm63QTBBHp6lQ3p+9M= +google.golang.org/genproto v0.0.0-20231002182017-d307bd883b97 h1:SeZZZx0cP0fqUyA+oRzP9k7cSwJlvDFiROO72uwD6i0= +google.golang.org/genproto v0.0.0-20231002182017-d307bd883b97/go.mod h1:t1VqOqqvce95G3hIDCT5FeO3YUc6Q4Oe24L/+rNMxRk= +google.golang.org/genproto/googleapis/api v0.0.0-20231002182017-d307bd883b97 h1:W18sezcAYs+3tDZX4F80yctqa12jcP1PUS2gQu1zTPU= +google.golang.org/genproto/googleapis/api v0.0.0-20231002182017-d307bd883b97/go.mod h1:iargEX0SFPm3xcfMI0d1domjg0ZF4Aa0p2awqyxhvF0= +google.golang.org/genproto/googleapis/rpc v0.0.0-20231002182017-d307bd883b97 h1:6GQBEOdGkX6MMTLT9V+TjtIRZCw9VPD5Z+yHY9wMgS0= +google.golang.org/genproto/googleapis/rpc v0.0.0-20231002182017-d307bd883b97/go.mod h1:v7nGkzlmW8P3n/bKmWBn2WpBjpOEx8Q6gMueudAmKfY= google.golang.org/grpc v1.19.0/go.mod h1:mqu4LbDTu4XGKhr4mRzUsmM4RtVoemTSY81AxZiDr8c= google.golang.org/grpc v1.20.1/go.mod h1:10oTOabMzJvdu6/UiuZezV6QK5dSlG84ov/aaiqXj38= google.golang.org/grpc v1.21.1/go.mod h1:oYelfM1adQP15Ek0mdvEgi9Df8B9CZIaU1084ijfRaM= @@ -738,8 +743,8 @@ google.golang.org/grpc v1.31.1/go.mod h1:N36X2cJ7JwdamYAgDz+s+rVMFjt3numwzf/HckM google.golang.org/grpc v1.33.2/go.mod h1:JMHMWHQWaTccqQQlmk3MJZS+GWXOdAesneDmEnv2fbc= google.golang.org/grpc v1.34.0/go.mod h1:WotjhfgOW/POjDeRt8vscBtXq+2VjORFy659qA51WJ8= google.golang.org/grpc v1.35.0/go.mod h1:qjiiYl8FncCW8feJPdyg3v6XW24KsRHe+dy9BAGRRjU= -google.golang.org/grpc v1.59.0 h1:Z5Iec2pjwb+LEOqzpB2MR12/eKFhDPhuqW91O+4bwUk= -google.golang.org/grpc v1.59.0/go.mod h1:aUPDwccQo6OTjy7Hct4AfBPD1GptF4fyUjIkQ9YtF98= +google.golang.org/grpc v1.60.1 h1:26+wFr+cNqSGFcOXcabYC0lUVJVRa2Sb2ortSK7VrEU= +google.golang.org/grpc v1.60.1/go.mod h1:OlCHIeLYqSSsLi6i49B5QGdzaMZK9+M7LXN2FKz4eGM= google.golang.org/protobuf v0.0.0-20200109180630-ec00e32a8dfd/go.mod h1:DFci5gLYBciE7Vtevhsrf46CRTquxDuWsQurQQe4oz8= google.golang.org/protobuf v0.0.0-20200221191635-4d8936d0db64/go.mod h1:kwYJMbMJ01Woi6D6+Kah6886xMZcty6N08ah7+eCXa0= google.golang.org/protobuf v0.0.0-20200228230310-ab0ca4ff8a60/go.mod h1:cfTl7dwQJ+fmap5saPgwCLgHXTUD7jkjRqWcaiX5VyM= @@ -752,8 +757,8 @@ google.golang.org/protobuf v1.24.0/go.mod h1:r/3tXBNzIEhYS9I1OUVjXDlt8tc493IdKGj google.golang.org/protobuf v1.25.0/go.mod h1:9JNX74DMeImyA3h4bdi1ymwjUzf21/xIlbajtzgsN7c= google.golang.org/protobuf v1.26.0-rc.1/go.mod h1:jlhhOSvTdKEhbULTjvd4ARK9grFBp09yW+WbY/TyQbw= google.golang.org/protobuf v1.26.0/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc= -google.golang.org/protobuf v1.31.0 h1:g0LDEJHgrBl9N9r17Ru3sqWhkIx2NB67okBHPwC7hs8= -google.golang.org/protobuf v1.31.0/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqwMG9pJV4I= +google.golang.org/protobuf v1.32.0 h1:pPC6BG5ex8PDFnkbrGU3EixyhKcQ2aDuBS36lqK/C7I= +google.golang.org/protobuf v1.32.0/go.mod h1:c6P6GXX6sHbq/GpV6MGZEdwhWPcYBgnhAHhKbcUYpos= gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= gopkg.in/check.v1 v1.0.0-20190902080502-41f04d3bba15/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= @@ -782,16 +787,16 @@ honnef.co/go/tools v0.0.1-2019.2.3/go.mod h1:a3bituU0lyd329TUQxRnasdCoJDkEUEAqEt honnef.co/go/tools v0.0.1-2020.1.3/go.mod h1:X/FiERA/W4tHapMX5mGpAtMSVEeEUOyHaw9vFzvIQ3k= honnef.co/go/tools v0.0.1-2020.1.4/go.mod h1:X/FiERA/W4tHapMX5mGpAtMSVEeEUOyHaw9vFzvIQ3k= honnef.co/go/tools v0.1.3/go.mod h1:NgwopIslSNH47DimFoV78dnkksY2EFtX0ajyb3K/las= -k8s.io/api v0.28.4 h1:8ZBrLjwosLl/NYgv1P7EQLqoO8MGQApnbgH8tu3BMzY= -k8s.io/api v0.28.4/go.mod h1:axWTGrY88s/5YE+JSt4uUi6NMM+gur1en2REMR7IRj0= -k8s.io/apiextensions-apiserver v0.28.4 h1:AZpKY/7wQ8n+ZYDtNHbAJBb+N4AXXJvyZx6ww6yAJvU= -k8s.io/apiextensions-apiserver v0.28.4/go.mod h1:pgQIZ1U8eJSMQcENew/0ShUTlePcSGFq6dxSxf2mwPM= -k8s.io/apimachinery v0.28.4 h1:zOSJe1mc+GxuMnFzD4Z/U1wst50X28ZNsn5bhgIIao8= -k8s.io/apimachinery v0.28.4/go.mod h1:wI37ncBvfAoswfq626yPTe6Bz1c22L7uaJ8dho83mgg= -k8s.io/client-go v0.28.4 h1:Np5ocjlZcTrkyRJ3+T3PkXDpe4UpatQxj85+xjaD2wY= -k8s.io/client-go v0.28.4/go.mod h1:0VDZFpgoZfelyP5Wqu0/r/TRYcLYuJ2U1KEeoaPa1N4= -k8s.io/component-base v0.28.4 h1:c/iQLWPdUgI90O+T9TeECg8o7N3YJTiuz2sKxILYcYo= -k8s.io/component-base v0.28.4/go.mod h1:m9hR0uvqXDybiGL2nf/3Lf0MerAfQXzkfWhUY58JUbU= +k8s.io/api v0.29.0 h1:NiCdQMY1QOp1H8lfRyeEf8eOwV6+0xA6XEE44ohDX2A= +k8s.io/api v0.29.0/go.mod h1:sdVmXoz2Bo/cb77Pxi71IPTSErEW32xa4aXwKH7gfBA= +k8s.io/apiextensions-apiserver v0.29.0 h1:0VuspFG7Hj+SxyF/Z/2T0uFbI5gb5LRgEyUVE3Q4lV0= +k8s.io/apiextensions-apiserver v0.29.0/go.mod h1:TKmpy3bTS0mr9pylH0nOt/QzQRrW7/h7yLdRForMZwc= +k8s.io/apimachinery v0.29.0 h1:+ACVktwyicPz0oc6MTMLwa2Pw3ouLAfAon1wPLtG48o= +k8s.io/apimachinery v0.29.0/go.mod h1:eVBxQ/cwiJxH58eK/jd/vAk4mrxmVlnpBH5J2GbMeis= +k8s.io/client-go v0.29.0 h1:KmlDtFcrdUzOYrBhXHgKw5ycWzc3ryPX5mQe0SkG3y8= +k8s.io/client-go v0.29.0/go.mod h1:yLkXH4HKMAywcrD82KMSmfYg2DlE8mepPR4JGSo5n38= +k8s.io/component-base v0.29.0 h1:T7rjd5wvLnPBV1vC4zWd/iWRbV8Mdxs+nGaoaFzGw3s= +k8s.io/component-base v0.29.0/go.mod h1:sADonFTQ9Zc9yFLghpDpmNXEdHyQmFIGbiuZbqAXQ1M= k8s.io/gengo v0.0.0-20201203183100-97869a43a9d9/go.mod h1:FiNAH4ZV3gBg2Kwh89tzAEV2be7d5xI0vBa/VySYy3E= k8s.io/gengo v0.0.0-20230829151522-9cce18d56c01 h1:pWEwq4Asjm4vjW7vcsmijwBhOr1/shsbSYiWXmNGlks= k8s.io/gengo v0.0.0-20230829151522-9cce18d56c01/go.mod h1:FiNAH4ZV3gBg2Kwh89tzAEV2be7d5xI0vBa/VySYy3E= @@ -818,10 +823,10 @@ sigs.k8s.io/gateway-api v1.0.0 h1:iPTStSv41+d9p0xFydll6d7f7MOBGuqXM6p2/zVYMAs= sigs.k8s.io/gateway-api v1.0.0/go.mod h1:4cUgr0Lnp5FZ0Cdq8FdRwCvpiWws7LVhLHGIudLlf4c= sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd h1:EDPBXCAspyGV4jQlpZSudPeMmr1bNJefnuqLsRAsHZo= sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd/go.mod h1:B8JuhiUyNFVKdsE8h686QcCxMaH6HrOAZj4vswFpcB0= -sigs.k8s.io/kustomize/kyaml v0.15.0 h1:ynlLMAxDhrY9otSg5GYE2TcIz31XkGZ2Pkj7SdolD84= -sigs.k8s.io/kustomize/kyaml v0.15.0/go.mod h1:+uMkBahdU1KNOj78Uta4rrXH+iH7wvg+nW7+GULvREA= -sigs.k8s.io/structured-merge-diff/v4 v4.3.0 h1:UZbZAZfX0wV2zr7YZorDz6GXROfDFj6LvqCRm4VUVKk= -sigs.k8s.io/structured-merge-diff/v4 v4.3.0/go.mod h1:N8hJocpFajUSSeSJ9bOZ77VzejKZaXsTtZo4/u7Io08= +sigs.k8s.io/kustomize/kyaml v0.16.0 h1:6J33uKSoATlKZH16unr2XOhDI+otoe2sR3M8PDzW3K0= +sigs.k8s.io/kustomize/kyaml v0.16.0/go.mod h1:xOK/7i+vmE14N2FdFyugIshB8eF6ALpy7jI87Q2nRh4= +sigs.k8s.io/structured-merge-diff/v4 v4.4.1 h1:150L+0vs/8DA78h1u02ooW1/fFq/Lwr+sGiqlzvrtq4= +sigs.k8s.io/structured-merge-diff/v4 v4.4.1/go.mod h1:N8hJocpFajUSSeSJ9bOZ77VzejKZaXsTtZo4/u7Io08= sigs.k8s.io/yaml v1.2.0/go.mod h1:yfXDCHCao9+ENCvLSE62v9VSji2MKu5jeNfTrofGhJc= sigs.k8s.io/yaml v1.4.0 h1:Mk1wCc2gy/F0THH0TAp1QYyJNzRm2KCLy3o5ASXVI5E= sigs.k8s.io/yaml v1.4.0/go.mod h1:Ejl7/uTz7PSA4eKMyQCUTnhZYNmLIl+5c2lQPGR2BPY= diff --git a/hack/actions/install-kubernetes-toolchain.sh b/hack/actions/install-kubernetes-toolchain.sh index 1f4ebfdfe69..78f4a78ca3e 100755 --- a/hack/actions/install-kubernetes-toolchain.sh +++ b/hack/actions/install-kubernetes-toolchain.sh @@ -4,9 +4,8 @@ set -o errexit set -o nounset set -o pipefail -readonly KUBECTL_VERS="v1.28.0" +readonly KUBECTL_VERS="v1.29.0" readonly KIND_VERS="v0.20.0" -readonly SONOBUOY_VERS="0.19.0" readonly PROGNAME=$(basename $0) readonly CURL=${CURL:-curl} @@ -50,10 +49,3 @@ download \ "${DESTDIR}/kubectl" chmod +x "${DESTDIR}/kubectl" - -download \ - "https://github.com/vmware-tanzu/sonobuoy/releases/download/v${SONOBUOY_VERS}/sonobuoy_${SONOBUOY_VERS}_linux_amd64.tar.gz" \ - "${DESTDIR}/sonobuoy.tgz" - -tar -C "${DESTDIR}" -xf "${DESTDIR}/sonobuoy.tgz" sonobuoy -rm "${DESTDIR}/sonobuoy.tgz" diff --git a/internal/contourconfig/contourconfiguration.go b/internal/contourconfig/contourconfiguration.go index 52a677a97d3..c2ebe4db4e9 100644 --- a/internal/contourconfig/contourconfiguration.go +++ b/internal/contourconfig/contourconfiguration.go @@ -120,6 +120,11 @@ func Defaults() contour_api_v1alpha1.ContourConfigurationSpec { }, Cluster: &contour_api_v1alpha1.ClusterParameters{ DNSLookupFamily: contour_api_v1alpha1.AutoClusterDNSFamily, + UpstreamTLS: &contour_api_v1alpha1.EnvoyTLS{ + MinimumProtocolVersion: "1.2", + MaximumProtocolVersion: "1.3", + CipherSuites: contour_api_v1alpha1.DefaultTLSCiphers, + }, }, Network: &contour_api_v1alpha1.NetworkParameters{ XffNumTrustedHops: ref.To(uint32(0)), diff --git a/internal/contourconfig/contourconfiguration_test.go b/internal/contourconfig/contourconfiguration_test.go index 4106ea9a1d7..ccc19d98915 100644 --- a/internal/contourconfig/contourconfiguration_test.go +++ b/internal/contourconfig/contourconfiguration_test.go @@ -121,6 +121,13 @@ func TestOverlayOnDefaults(t *testing.T) { }, Cluster: &contour_api_v1alpha1.ClusterParameters{ DNSLookupFamily: contour_api_v1alpha1.IPv4ClusterDNSFamily, + UpstreamTLS: &contour_api_v1alpha1.EnvoyTLS{ + MinimumProtocolVersion: "1.1", + MaximumProtocolVersion: "1.2", + CipherSuites: []string{ + "[ECDHE-ECDSA-AES128-GCM-SHA256|ECDHE-ECDSA-CHACHA20-POLY1305]", + }, + }, }, Network: &contour_api_v1alpha1.NetworkParameters{ XffNumTrustedHops: ref.To(uint32(77)), diff --git a/internal/controller/mocks/manager.go b/internal/controller/mocks/manager.go index 5109f606a80..ac7467283c1 100644 --- a/internal/controller/mocks/manager.go +++ b/internal/controller/mocks/manager.go @@ -40,6 +40,10 @@ type Manager struct { func (_m *Manager) Add(_a0 manager.Runnable) error { ret := _m.Called(_a0) + if len(ret) == 0 { + panic("no return value specified for Add") + } + var r0 error if rf, ok := ret.Get(0).(func(manager.Runnable) error); ok { r0 = rf(_a0) @@ -54,6 +58,10 @@ func (_m *Manager) Add(_a0 manager.Runnable) error { func (_m *Manager) AddHealthzCheck(name string, check healthz.Checker) error { ret := _m.Called(name, check) + if len(ret) == 0 { + panic("no return value specified for AddHealthzCheck") + } + var r0 error if rf, ok := ret.Get(0).(func(string, healthz.Checker) error); ok { r0 = rf(name, check) @@ -68,6 +76,10 @@ func (_m *Manager) AddHealthzCheck(name string, check healthz.Checker) error { func (_m *Manager) AddReadyzCheck(name string, check healthz.Checker) error { ret := _m.Called(name, check) + if len(ret) == 0 { + panic("no return value specified for AddReadyzCheck") + } + var r0 error if rf, ok := ret.Get(0).(func(string, healthz.Checker) error); ok { r0 = rf(name, check) @@ -82,6 +94,10 @@ func (_m *Manager) AddReadyzCheck(name string, check healthz.Checker) error { func (_m *Manager) Elected() <-chan struct{} { ret := _m.Called() + if len(ret) == 0 { + panic("no return value specified for Elected") + } + var r0 <-chan struct{} if rf, ok := ret.Get(0).(func() <-chan struct{}); ok { r0 = rf() @@ -98,6 +114,10 @@ func (_m *Manager) Elected() <-chan struct{} { func (_m *Manager) GetAPIReader() client.Reader { ret := _m.Called() + if len(ret) == 0 { + panic("no return value specified for GetAPIReader") + } + var r0 client.Reader if rf, ok := ret.Get(0).(func() client.Reader); ok { r0 = rf() @@ -114,6 +134,10 @@ func (_m *Manager) GetAPIReader() client.Reader { func (_m *Manager) GetCache() cache.Cache { ret := _m.Called() + if len(ret) == 0 { + panic("no return value specified for GetCache") + } + var r0 cache.Cache if rf, ok := ret.Get(0).(func() cache.Cache); ok { r0 = rf() @@ -130,6 +154,10 @@ func (_m *Manager) GetCache() cache.Cache { func (_m *Manager) GetClient() client.Client { ret := _m.Called() + if len(ret) == 0 { + panic("no return value specified for GetClient") + } + var r0 client.Client if rf, ok := ret.Get(0).(func() client.Client); ok { r0 = rf() @@ -146,6 +174,10 @@ func (_m *Manager) GetClient() client.Client { func (_m *Manager) GetConfig() *rest.Config { ret := _m.Called() + if len(ret) == 0 { + panic("no return value specified for GetConfig") + } + var r0 *rest.Config if rf, ok := ret.Get(0).(func() *rest.Config); ok { r0 = rf() @@ -162,6 +194,10 @@ func (_m *Manager) GetConfig() *rest.Config { func (_m *Manager) GetControllerOptions() config.Controller { ret := _m.Called() + if len(ret) == 0 { + panic("no return value specified for GetControllerOptions") + } + var r0 config.Controller if rf, ok := ret.Get(0).(func() config.Controller); ok { r0 = rf() @@ -176,6 +212,10 @@ func (_m *Manager) GetControllerOptions() config.Controller { func (_m *Manager) GetEventRecorderFor(name string) record.EventRecorder { ret := _m.Called(name) + if len(ret) == 0 { + panic("no return value specified for GetEventRecorderFor") + } + var r0 record.EventRecorder if rf, ok := ret.Get(0).(func(string) record.EventRecorder); ok { r0 = rf(name) @@ -192,6 +232,10 @@ func (_m *Manager) GetEventRecorderFor(name string) record.EventRecorder { func (_m *Manager) GetFieldIndexer() client.FieldIndexer { ret := _m.Called() + if len(ret) == 0 { + panic("no return value specified for GetFieldIndexer") + } + var r0 client.FieldIndexer if rf, ok := ret.Get(0).(func() client.FieldIndexer); ok { r0 = rf() @@ -208,6 +252,10 @@ func (_m *Manager) GetFieldIndexer() client.FieldIndexer { func (_m *Manager) GetHTTPClient() *http.Client { ret := _m.Called() + if len(ret) == 0 { + panic("no return value specified for GetHTTPClient") + } + var r0 *http.Client if rf, ok := ret.Get(0).(func() *http.Client); ok { r0 = rf() @@ -224,6 +272,10 @@ func (_m *Manager) GetHTTPClient() *http.Client { func (_m *Manager) GetLogger() logr.Logger { ret := _m.Called() + if len(ret) == 0 { + panic("no return value specified for GetLogger") + } + var r0 logr.Logger if rf, ok := ret.Get(0).(func() logr.Logger); ok { r0 = rf() @@ -238,6 +290,10 @@ func (_m *Manager) GetLogger() logr.Logger { func (_m *Manager) GetRESTMapper() meta.RESTMapper { ret := _m.Called() + if len(ret) == 0 { + panic("no return value specified for GetRESTMapper") + } + var r0 meta.RESTMapper if rf, ok := ret.Get(0).(func() meta.RESTMapper); ok { r0 = rf() @@ -254,6 +310,10 @@ func (_m *Manager) GetRESTMapper() meta.RESTMapper { func (_m *Manager) GetScheme() *runtime.Scheme { ret := _m.Called() + if len(ret) == 0 { + panic("no return value specified for GetScheme") + } + var r0 *runtime.Scheme if rf, ok := ret.Get(0).(func() *runtime.Scheme); ok { r0 = rf() @@ -270,6 +330,10 @@ func (_m *Manager) GetScheme() *runtime.Scheme { func (_m *Manager) GetWebhookServer() webhook.Server { ret := _m.Called() + if len(ret) == 0 { + panic("no return value specified for GetWebhookServer") + } + var r0 webhook.Server if rf, ok := ret.Get(0).(func() webhook.Server); ok { r0 = rf() @@ -286,6 +350,10 @@ func (_m *Manager) GetWebhookServer() webhook.Server { func (_m *Manager) Start(ctx context.Context) error { ret := _m.Called(ctx) + if len(ret) == 0 { + panic("no return value specified for Start") + } + var r0 error if rf, ok := ret.Get(0).(func(context.Context) error); ok { r0 = rf(ctx) diff --git a/internal/dag/builder_test.go b/internal/dag/builder_test.go index 5c48af11e8d..fb4b435059c 100644 --- a/internal/dag/builder_test.go +++ b/internal/dag/builder_test.go @@ -4158,7 +4158,59 @@ func TestDAGInsertGatewayAPI(t *testing.T) { }, ), }, - // END + + "HTTPRoute rule with request timeout": { + gatewayclass: validClass, + gateway: gatewayHTTPAllNamespaces, + objs: []any{ + kuardService, + makeHTTPRoute("5s", ""), + }, + want: listeners( + &Listener{ + Name: "http-80", + VirtualHosts: virtualhosts( + virtualhost("test.projectcontour.io", + &Route{ + PathMatchCondition: prefixString("/"), + Clusters: clustersWeight(service(kuardService)), + TimeoutPolicy: RouteTimeoutPolicy{ + ResponseTimeout: timeout.DurationSetting(5 * time.Second), + }, + }, + ), + ), + }, + ), + }, + "HTTPRoute rule with request and backendRequest timeout": { + gatewayclass: validClass, + gateway: gatewayHTTPAllNamespaces, + objs: []any{ + kuardService, + makeHTTPRoute("5s", "5s"), + }, + want: listeners(), + }, + + "HTTPRoute rule with backendRequest timeout only": { + gatewayclass: validClass, + gateway: gatewayHTTPAllNamespaces, + objs: []any{ + kuardService, + makeHTTPRoute("", "5s"), + }, + want: listeners(), + }, + "HTTPRoute rule with invalid request timeout": { + gatewayclass: validClass, + gateway: gatewayHTTPAllNamespaces, + objs: []any{ + kuardService, + makeHTTPRoute("invalid", ""), + }, + want: listeners(), + }, "different weights for multiple forwardTos": { gatewayclass: validClass, @@ -16273,3 +16325,38 @@ func withMirror(r *Route, mirrors []*Service, weight int64) *Route { } return r } + +func makeHTTPRouteTimeouts(request, backendRequest string) *gatewayapi_v1.HTTPRouteTimeouts { + httpRouteTimeouts := &gatewayapi_v1.HTTPRouteTimeouts{} + + if request != "" { + httpRouteTimeouts.Request = ref.To(gatewayapi_v1.Duration(request)) + } + if backendRequest != "" { + httpRouteTimeouts.BackendRequest = ref.To(gatewayapi_v1.Duration(backendRequest)) + } + + return httpRouteTimeouts +} + +func makeHTTPRoute(request, backendRequest string) *gatewayapi_v1beta1.HTTPRoute { + return &gatewayapi_v1beta1.HTTPRoute{ + ObjectMeta: metav1.ObjectMeta{ + Name: "basic", + Namespace: "projectcontour", + }, + Spec: gatewayapi_v1beta1.HTTPRouteSpec{ + CommonRouteSpec: gatewayapi_v1beta1.CommonRouteSpec{ + ParentRefs: []gatewayapi_v1beta1.ParentReference{gatewayapi.GatewayParentRef("projectcontour", "contour")}, + }, + Hostnames: []gatewayapi_v1beta1.Hostname{ + "test.projectcontour.io", + }, + Rules: []gatewayapi_v1beta1.HTTPRouteRule{{ + Matches: gatewayapi.HTTPRouteMatch(gatewayapi_v1.PathMatchPathPrefix, "/"), + BackendRefs: gatewayapi.HTTPBackendRef("kuard", 8080, 1), + Timeouts: makeHTTPRouteTimeouts(request, backendRequest), + }}, + }, + } +} diff --git a/internal/dag/dag.go b/internal/dag/dag.go index aea888e4b16..e9e5d7e734f 100644 --- a/internal/dag/dag.go +++ b/internal/dag/dag.go @@ -818,6 +818,7 @@ type DNSNameCluster struct { Port int DNSLookupFamily string UpstreamValidation *PeerValidationContext + UpstreamTLS *UpstreamTLS } type JWTRule struct { @@ -1040,6 +1041,9 @@ type Cluster struct { // PerConnectionBufferLimitBytes defines the soft limit on size of the cluster’s new connection read and write buffers. PerConnectionBufferLimitBytes *uint32 + + // UpstreamTLS contains the TLS version and cipher suite configurations for upstream connections + UpstreamTLS *UpstreamTLS } // WeightedService represents the load balancing weight of a @@ -1229,6 +1233,9 @@ type ExtensionCluster struct { // ClientCertificate is the optional identifier of the TLS secret containing client certificate and // private key to be used when establishing TLS connection to upstream cluster. ClientCertificate *Secret + + // UpstreamTLS contains the TLS version and cipher suite configurations for upstream connections + UpstreamTLS *UpstreamTLS } const singleDNSLabelWildcardRegex = "^[a-z0-9]([-a-z0-9]*[a-z0-9])?" @@ -1260,3 +1267,10 @@ type SlowStartConfig struct { func (s *SlowStartConfig) String() string { return fmt.Sprintf("%s%f%d", s.Window.String(), s.Aggression, s.MinWeightPercent) } + +// UpstreamTLS holds the TLS configuration for upstream connections +type UpstreamTLS struct { + MinimumProtocolVersion string + MaximumProtocolVersion string + CipherSuites []string +} diff --git a/internal/dag/extension_processor.go b/internal/dag/extension_processor.go index f8ae3df1abd..0f97cb12713 100644 --- a/internal/dag/extension_processor.go +++ b/internal/dag/extension_processor.go @@ -39,6 +39,10 @@ type ExtensionServiceProcessor struct { // ConnectTimeout defines how long the proxy should wait when establishing connection to upstream service. ConnectTimeout time.Duration + + // UpstreamTLS defines the TLS settings like min/max version + // and cipher suites for upstream connections. + UpstreamTLS *UpstreamTLS } var _ Processor = &ExtensionServiceProcessor{} @@ -114,6 +118,7 @@ func (p *ExtensionServiceProcessor) buildExtensionService( ClusterTimeoutPolicy: ctp, SNI: "", ClientCertificate: clientCertSecret, + UpstreamTLS: p.UpstreamTLS, } lbPolicy := loadBalancerPolicy(ext.Spec.LoadBalancerPolicy) diff --git a/internal/dag/gatewayapi_processor.go b/internal/dag/gatewayapi_processor.go index bbd895dda56..3b685bdc438 100644 --- a/internal/dag/gatewayapi_processor.go +++ b/internal/dag/gatewayapi_processor.go @@ -14,16 +14,19 @@ package dag import ( + "errors" "fmt" "net/http" "regexp" "strings" "time" + contour_api_v1alpha1 "github.com/projectcontour/contour/apis/projectcontour/v1alpha1" "github.com/projectcontour/contour/internal/gatewayapi" "github.com/projectcontour/contour/internal/k8s" "github.com/projectcontour/contour/internal/ref" "github.com/projectcontour/contour/internal/status" + "github.com/projectcontour/contour/internal/timeout" "github.com/sirupsen/logrus" v1 "k8s.io/api/core/v1" @@ -72,6 +75,9 @@ type GatewayAPIProcessor struct { // configurable and off by default in order to support the feature // without requiring all existing test cases to change. SetSourceMetadataOnRoutes bool + + // GlobalCircuitBreakerDefaults defines global circuit breaker defaults. + GlobalCircuitBreakerDefaults *contour_api_v1alpha1.GlobalCircuitBreakerDefaults } // matchConditions holds match rules. @@ -136,12 +142,9 @@ func (p *GatewayAPIProcessor) Run(dag *DAG, source *KubernetesCache) { } // Compute listeners and save a list of the valid/ready ones. - var readyListeners []*listenerInfo - + var listenerInfos []*listenerInfo for _, listener := range p.source.gateway.Spec.Listeners { - if ready, listenerInfo := p.computeListener(listener, gwAccessor, validateListenersResult); ready { - readyListeners = append(readyListeners, listenerInfo) - } + listenerInfos = append(listenerInfos, p.computeListener(listener, gwAccessor, validateListenersResult)) } // Keep track of the number of routes attached @@ -150,22 +153,22 @@ func (p *GatewayAPIProcessor) Run(dag *DAG, source *KubernetesCache) { // Process HTTPRoutes. for _, httpRoute := range p.source.httproutes { - p.processRoute(KindHTTPRoute, httpRoute, httpRoute.Spec.ParentRefs, gatewayNotProgrammedCondition, readyListeners, listenerAttachedRoutes, &gatewayapi_v1beta1.HTTPRoute{}) + p.processRoute(KindHTTPRoute, httpRoute, httpRoute.Spec.ParentRefs, gatewayNotProgrammedCondition, listenerInfos, listenerAttachedRoutes, &gatewayapi_v1beta1.HTTPRoute{}) } // Process TLSRoutes. for _, tlsRoute := range p.source.tlsroutes { - p.processRoute(KindTLSRoute, tlsRoute, tlsRoute.Spec.ParentRefs, gatewayNotProgrammedCondition, readyListeners, listenerAttachedRoutes, &gatewayapi_v1alpha2.TLSRoute{}) + p.processRoute(KindTLSRoute, tlsRoute, tlsRoute.Spec.ParentRefs, gatewayNotProgrammedCondition, listenerInfos, listenerAttachedRoutes, &gatewayapi_v1alpha2.TLSRoute{}) } // Process GRPCRoutes. for _, grpcRoute := range p.source.grpcroutes { - p.processRoute(KindGRPCRoute, grpcRoute, grpcRoute.Spec.ParentRefs, gatewayNotProgrammedCondition, readyListeners, listenerAttachedRoutes, &gatewayapi_v1alpha2.GRPCRoute{}) + p.processRoute(KindGRPCRoute, grpcRoute, grpcRoute.Spec.ParentRefs, gatewayNotProgrammedCondition, listenerInfos, listenerAttachedRoutes, &gatewayapi_v1alpha2.GRPCRoute{}) } // Process TCPRoutes. for _, tcpRoute := range p.source.tcproutes { - p.processRoute(KindTCPRoute, tcpRoute, tcpRoute.Spec.ParentRefs, gatewayNotProgrammedCondition, readyListeners, listenerAttachedRoutes, &gatewayapi_v1alpha2.TCPRoute{}) + p.processRoute(KindTCPRoute, tcpRoute, tcpRoute.Spec.ParentRefs, gatewayNotProgrammedCondition, listenerInfos, listenerAttachedRoutes, &gatewayapi_v1alpha2.TCPRoute{}) } for listenerName, attachedRoutes := range listenerAttachedRoutes { @@ -180,7 +183,7 @@ func (p *GatewayAPIProcessor) processRoute( route client.Object, parentRefs []gatewayapi_v1beta1.ParentReference, gatewayNotProgrammedCondition *metav1.Condition, - readyListeners []*listenerInfo, + listeners []*listenerInfo, listenerAttachedRoutes map[string]int, emptyResource client.Object, ) { @@ -198,16 +201,17 @@ func (p *GatewayAPIProcessor) processRoute( } routeParentStatus := routeStatus.StatusUpdateFor(routeParentRef) - // If the Gateway is invalid, set status on the route and we're done. if gatewayNotProgrammedCondition != nil { routeParentStatus.AddCondition(gatewayapi_v1beta1.RouteConditionAccepted, metav1.ConditionFalse, status.ReasonInvalidGateway, "Invalid Gateway") continue } - // Get the list of listeners that are (a) included by this parent ref, and - // (b) allow the route (based on kind, namespace). - allowedListeners := p.getListenersForRouteParentRef(routeParentRef, route.GetNamespace(), routeKind, readyListeners, routeParentStatus) + // Get the list of listeners that are + // (a) included by this parent ref, and + // (b) allow the route (based on kind, namespace), and + // (c) the 'listenerInfo.ready' is true + allowedListeners := p.getListenersForRouteParentRef(routeParentRef, route.GetNamespace(), routeKind, listeners, listenerAttachedRoutes, routeParentStatus) if len(allowedListeners) == 0 { p.resolveRouteRefs(route, routeParentStatus) } @@ -251,21 +255,15 @@ func (p *GatewayAPIProcessor) processRoute( } } - var attached bool - switch route := route.(type) { case *gatewayapi_v1beta1.HTTPRoute: - attached = p.computeHTTPRouteForListener(route, routeParentStatus, listener, hosts) + p.computeHTTPRouteForListener(route, routeParentStatus, listener, hosts) case *gatewayapi_v1alpha2.TLSRoute: - attached = p.computeTLSRouteForListener(route, routeParentStatus, listener, hosts) + p.computeTLSRouteForListener(route, routeParentStatus, listener, hosts) case *gatewayapi_v1alpha2.GRPCRoute: - attached = p.computeGRPCRouteForListener(route, routeParentStatus, listener, hosts) + p.computeGRPCRouteForListener(route, routeParentStatus, listener, hosts) case *gatewayapi_v1alpha2.TCPRoute: - attached = p.computeTCPRouteForListener(route, routeParentStatus, listener) - } - - if attached { - listenerAttachedRoutes[string(listener.listener.Name)]++ + p.computeTCPRouteForListener(route, routeParentStatus, listener) } hostCount += hosts.Len() @@ -307,7 +305,8 @@ func (p *GatewayAPIProcessor) getListenersForRouteParentRef( routeParentRef gatewayapi_v1beta1.ParentReference, routeNamespace string, routeKind gatewayapi_v1beta1.Kind, - validListeners []*listenerInfo, + listeners []*listenerInfo, + attachedRoutes map[string]int, routeParentStatusAccessor *status.RouteParentStatusUpdate, ) []*listenerInfo { @@ -316,30 +315,30 @@ func (p *GatewayAPIProcessor) getListenersForRouteParentRef( // gateway, or one of them, if the ref is to a specific listener, // or none of them, if the listener(s) the ref targets are invalid). var selectedListeners []*listenerInfo - for _, validListener := range validListeners { + for _, listener := range listeners { // We've already verified the parent ref is for this Gateway, // now check if it has a listener name and port specified. // Both need to match the listener if specified. - if (routeParentRef.SectionName == nil || *routeParentRef.SectionName == validListener.listener.Name) && - (routeParentRef.Port == nil || *routeParentRef.Port == validListener.listener.Port) { - selectedListeners = append(selectedListeners, validListener) + if (routeParentRef.SectionName == nil || *routeParentRef.SectionName == listener.listener.Name) && + (routeParentRef.Port == nil || *routeParentRef.Port == listener.listener.Port) { + selectedListeners = append(selectedListeners, listener) } } - if len(selectedListeners) == 0 { - routeParentStatusAccessor.AddCondition( - gatewayapi_v1beta1.RouteConditionAccepted, - metav1.ConditionFalse, - gatewayapi_v1.RouteReasonNoMatchingParent, - "No listeners match this parent ref", - ) - return nil - } - // Now find the subset of those listeners that allow this route // to select them, based on route kind and namespace. var allowedListeners []*listenerInfo + + readyListenerCount := 0 + for _, selectedListener := range selectedListeners { + + // for compute the AttachedRoutes, the listener that not passed its check(s), had been selected too + // so ignore it. + if selectedListener.ready { + readyListenerCount++ + } + // Check if the listener allows routes of this kind if !selectedListener.AllowsKind(routeKind) { continue @@ -350,7 +349,21 @@ func (p *GatewayAPIProcessor) getListenersForRouteParentRef( continue } - allowedListeners = append(allowedListeners, selectedListener) + attachedRoutes[string(selectedListener.listener.Name)]++ + + if selectedListener.ready { + allowedListeners = append(allowedListeners, selectedListener) + } + + } + if readyListenerCount == 0 { + routeParentStatusAccessor.AddCondition( + gatewayapi_v1beta1.RouteConditionAccepted, + metav1.ConditionFalse, + gatewayapi_v1.RouteReasonNoMatchingParent, + "No listeners match this parent ref", + ) + return nil } if len(allowedListeners) == 0 { @@ -372,6 +385,7 @@ type listenerInfo struct { allowedKinds []gatewayapi_v1beta1.Kind namespaceSelector labels.Selector tlsSecret *Secret + ready bool } func (l *listenerInfo) AllowsKind(kind gatewayapi_v1beta1.Kind) bool { @@ -419,7 +433,12 @@ func (p *GatewayAPIProcessor) computeListener( listener gatewayapi_v1beta1.Listener, gwAccessor *status.GatewayStatusUpdate, validateListenersResult gatewayapi.ValidateListenersResult, -) (bool, *listenerInfo) { +) *listenerInfo { + + info := &listenerInfo{ + listener: listener, + dagListenerName: validateListenersResult.ListenerNames[string(listener.Name)], + } addInvalidListenerCondition := func(msg string) { gwAccessor.AddListenerCondition( @@ -507,39 +526,37 @@ func (p *GatewayAPIProcessor) computeListener( } }() - // If the listener had an invalid protocol/port/hostname, we don't need to go - // any further. - if _, ok := validateListenersResult.InvalidListenerConditions[listener.Name]; ok { - return false, nil - } - // Get a list of the route kinds that the listener accepts. - listenerRouteKinds := p.getListenerRouteKinds(listener, gwAccessor) - gwAccessor.SetListenerSupportedKinds(string(listener.Name), listenerRouteKinds) - - var selector labels.Selector + info.allowedKinds = p.getListenerRouteKinds(listener, gwAccessor) + gwAccessor.SetListenerSupportedKinds(string(listener.Name), info.allowedKinds) if listener.AllowedRoutes != nil && listener.AllowedRoutes.Namespaces != nil && listener.AllowedRoutes.Namespaces.From != nil && *listener.AllowedRoutes.Namespaces.From == gatewayapi_v1.NamespacesFromSelector { if listener.AllowedRoutes.Namespaces.Selector == nil { addInvalidListenerCondition("Listener.AllowedRoutes.Namespaces.Selector is required when Listener.AllowedRoutes.Namespaces.From is set to \"Selector\".") - return false, nil + return info } if len(listener.AllowedRoutes.Namespaces.Selector.MatchExpressions)+len(listener.AllowedRoutes.Namespaces.Selector.MatchLabels) == 0 { addInvalidListenerCondition("Listener.AllowedRoutes.Namespaces.Selector must specify at least one MatchLabel or MatchExpression.") - return false, nil + return info } var err error - selector, err = metav1.LabelSelectorAsSelector(listener.AllowedRoutes.Namespaces.Selector) + info.namespaceSelector, err = metav1.LabelSelectorAsSelector(listener.AllowedRoutes.Namespaces.Selector) if err != nil { addInvalidListenerCondition(fmt.Sprintf("Error parsing Listener.AllowedRoutes.Namespaces.Selector: %v.", err)) - return false, nil + return info } } + // If the listener had an invalid protocol/port/hostname, we reach here just for pick the information to compute the AttachedRoutes later, + // we don't need to go any further. + if _, invalid := validateListenersResult.InvalidListenerConditions[listener.Name]; invalid { + return info + } + var listenerSecret *Secret // Validate TLS details for HTTPS/TLS protocol listeners. @@ -551,19 +568,19 @@ func (p *GatewayAPIProcessor) computeListener( if listener.TLS == nil { addInvalidListenerCondition(fmt.Sprintf("Listener.TLS is required when protocol is %q.", listener.Protocol)) - return false, nil + return info } if listener.TLS.Mode != nil && *listener.TLS.Mode != gatewayapi_v1.TLSModeTerminate { addInvalidListenerCondition(fmt.Sprintf("Listener.TLS.Mode must be %q when protocol is %q.", gatewayapi_v1.TLSModeTerminate, listener.Protocol)) - return false, nil + return info } // Resolve the TLS secret. if listenerSecret = p.resolveListenerSecret(listener.TLS.CertificateRefs, string(listener.Name), gwAccessor); listenerSecret == nil { // If TLS was configured on the Listener, but the secret ref is invalid, don't allow any // routes to be bound to this listener since it can't serve TLS traffic. - return false, nil + return info } case gatewayapi_v1.TLSProtocolType: // The TLS protocol is used for TCP traffic encrypted with TLS. @@ -571,7 +588,7 @@ func (p *GatewayAPIProcessor) computeListener( // or passed through to the backend. if listener.TLS == nil { addInvalidListenerCondition(fmt.Sprintf("Listener.TLS is required when protocol is %q.", listener.Protocol)) - return false, nil + return info } switch { @@ -580,26 +597,23 @@ func (p *GatewayAPIProcessor) computeListener( if listenerSecret = p.resolveListenerSecret(listener.TLS.CertificateRefs, string(listener.Name), gwAccessor); listenerSecret == nil { // If TLS was configured on the Listener, but the secret ref is invalid, don't allow any // routes to be bound to this listener since it can't serve TLS traffic. - return false, nil + return info } case *listener.TLS.Mode == gatewayapi_v1.TLSModePassthrough: if len(listener.TLS.CertificateRefs) != 0 { addInvalidListenerCondition(fmt.Sprintf("Listener.TLS.CertificateRefs cannot be defined when Listener.TLS.Mode is %q.", gatewayapi_v1.TLSModePassthrough)) - return false, nil + return info } default: addInvalidListenerCondition(fmt.Sprintf("Listener.TLS.Mode must be %q or %q.", gatewayapi_v1.TLSModeTerminate, gatewayapi_v1.TLSModePassthrough)) - return false, nil + return info } } - return true, &listenerInfo{ - listener: listener, - dagListenerName: validateListenersResult.ListenerNames[string(listener.Name)], - allowedKinds: listenerRouteKinds, - tlsSecret: listenerSecret, - namespaceSelector: selector, - } + info.tlsSecret = listenerSecret + info.ready = true + return info + } // getListenerRouteKinds gets a list of the valid route kinds that @@ -1103,14 +1117,43 @@ func (p *GatewayAPIProcessor) resolveRouteRefs(route any, routeAccessor *status. } } -func (p *GatewayAPIProcessor) computeHTTPRouteForListener(route *gatewayapi_v1beta1.HTTPRoute, routeAccessor *status.RouteParentStatusUpdate, listener *listenerInfo, hosts sets.Set[string]) bool { - var programmed bool +func parseHTTPRouteTimeouts(httpRouteTimeouts *gatewayapi_v1.HTTPRouteTimeouts) (*RouteTimeoutPolicy, error) { + if httpRouteTimeouts == nil { + return nil, nil + } + + // Since Gateway API doesn't yet support retries, this timeout setting + // is functionally equivalent to httpRouteTimeouts.Request, so we're + // not implementing it for now. Once retries are added to Gateway API, + // support for backend request timeouts can be added. + if httpRouteTimeouts.BackendRequest != nil { + return nil, errors.New("HTTPRoute.Spec.Rules.Timeouts.BackendRequest is not supported, use HTTPRoute.Spec.Rules.Timeouts.Request instead") + } + if httpRouteTimeouts.Request == nil { + return nil, nil + } + + requestTimeout, err := timeout.Parse(string(*httpRouteTimeouts.Request)) + if err != nil { + return nil, fmt.Errorf("invalid HTTPRoute.Spec.Rules.Timeouts.Request: %v", err) + } + + return &RouteTimeoutPolicy{ + ResponseTimeout: requestTimeout, + }, nil +} +func (p *GatewayAPIProcessor) computeHTTPRouteForListener( + route *gatewayapi_v1beta1.HTTPRoute, + routeAccessor *status.RouteParentStatusUpdate, + listener *listenerInfo, + hosts sets.Set[string]) { + for ruleIndex, rule := range route.Spec.Rules { // Get match conditions for the rule. var matchconditions []*matchConditions for _, match := range rule.Matches { - pathMatch, ok := gatewayPathMatchCondition(match.Path, routeAccessor) - if !ok { + pathMatch := gatewayPathMatchCondition(match.Path, routeAccessor) + if pathMatch == nil { continue } @@ -1145,14 +1188,22 @@ func (p *GatewayAPIProcessor) computeHTTPRouteForListener(route *gatewayapi_v1be // Process rule-level filters. var ( - requestHeaderPolicy *HeadersPolicy - responseHeaderPolicy *HeadersPolicy + err error redirect *Redirect + urlRewriteHostname string mirrorPolicies []*MirrorPolicy + requestHeaderPolicy *HeadersPolicy + responseHeaderPolicy *HeadersPolicy pathRewritePolicy *PathRewritePolicy - urlRewriteHostname string + timeoutPolicy *RouteTimeoutPolicy ) + timeoutPolicy, err = parseHTTPRouteTimeouts(rule.Timeouts) + if err != nil { + routeAccessor.AddCondition(gatewayapi_v1beta1.RouteConditionAccepted, metav1.ConditionFalse, gatewayapi_v1beta1.RouteReasonUnsupportedValue, err.Error()) + continue + } + // Per Gateway API docs: "Specifying the same filter multiple times is // not supported unless explicitly indicated in the filter." For filters // that can't be used multiple times within the same rule, Contour @@ -1360,17 +1411,17 @@ func (p *GatewayAPIProcessor) computeHTTPRouteForListener(route *gatewayapi_v1be } routes = p.clusterRoutes( matchconditions, - requestHeaderPolicy, - responseHeaderPolicy, - mirrorPolicies, clusters, totalWeight, priority, - pathRewritePolicy, KindHTTPRoute, route.Namespace, route.Name, - ) + requestHeaderPolicy, + responseHeaderPolicy, + mirrorPolicies, + pathRewritePolicy, + timeoutPolicy) } // Add each route to the relevant vhost(s)/svhosts(s). @@ -1385,13 +1436,9 @@ func (p *GatewayAPIProcessor) computeHTTPRouteForListener(route *gatewayapi_v1be vhost := p.dag.EnsureVirtualHost(listener.dagListenerName, host) vhost.AddRoute(route) } - - programmed = true } } } - - return programmed } func (p *GatewayAPIProcessor) computeGRPCRouteForListener(route *gatewayapi_v1alpha2.GRPCRoute, routeAccessor *status.RouteParentStatusUpdate, listener *listenerInfo, hosts sets.Set[string]) bool { @@ -1505,16 +1552,17 @@ func (p *GatewayAPIProcessor) computeGRPCRouteForListener(route *gatewayapi_v1al } routes = p.clusterRoutes( matchconditions, - requestHeaderPolicy, - responseHeaderPolicy, - mirrorPolicies, clusters, totalWeight, priority, - nil, KindGRPCRoute, route.Namespace, route.Name, + requestHeaderPolicy, + responseHeaderPolicy, + mirrorPolicies, + nil, + nil, ) // Add each route to the relevant vhost(s)/svhosts(s). @@ -1766,6 +1814,7 @@ func (p *GatewayAPIProcessor) validateBackendObjectRef( return nil, ref.To(resolvedRefsFalse(gatewayapi_v1beta1.RouteReasonBackendNotFound, fmt.Sprintf("service %q is invalid: %s", meta.Name, err))) } + service = serviceCircuitBreakerPolicy(service, p.GlobalCircuitBreakerDefaults) if err = validateAppProtocol(&service.Weighted.ServicePort); err != nil { return nil, ref.To(resolvedRefsFalse(gatewayapi_v1.RouteReasonUnsupportedProtocol, err.Error())) } @@ -1783,9 +1832,9 @@ func validateAppProtocol(svc *v1.ServicePort) error { return fmt.Errorf("AppProtocol: \"%s\" is unsupported", *svc.AppProtocol) } -func gatewayPathMatchCondition(match *gatewayapi_v1beta1.HTTPPathMatch, routeAccessor *status.RouteParentStatusUpdate) (MatchCondition, bool) { +func gatewayPathMatchCondition(match *gatewayapi_v1beta1.HTTPPathMatch, routeAccessor *status.RouteParentStatusUpdate) MatchCondition { if match == nil { - return &PrefixMatchCondition{Prefix: "/"}, true + return &PrefixMatchCondition{Prefix: "/"} } path := ref.Val(match.Value, "/") @@ -1794,41 +1843,40 @@ func gatewayPathMatchCondition(match *gatewayapi_v1beta1.HTTPPathMatch, routeAcc if match.Type == nil || *match.Type == gatewayapi_v1.PathMatchPathPrefix { if !strings.HasPrefix(path, "/") { routeAccessor.AddCondition(status.ConditionValidMatches, metav1.ConditionFalse, status.ReasonInvalidPathMatch, "Match.Path.Value must start with '/'.") - return nil, false + return nil } if strings.Contains(path, "//") { routeAccessor.AddCondition(status.ConditionValidMatches, metav1.ConditionFalse, status.ReasonInvalidPathMatch, "Match.Path.Value must not contain consecutive '/' characters.") - return nil, false + return nil } // As an optimization, if path is just "/", we can use // string prefix matching instead of segment prefix // matching which requires a regex. if path == "/" { - return &PrefixMatchCondition{Prefix: path}, true + return &PrefixMatchCondition{Prefix: path} } - return &PrefixMatchCondition{Prefix: path, PrefixMatchType: PrefixMatchSegment}, true + return &PrefixMatchCondition{Prefix: path, PrefixMatchType: PrefixMatchSegment} } if *match.Type == gatewayapi_v1.PathMatchExact { if !strings.HasPrefix(path, "/") { routeAccessor.AddCondition(status.ConditionValidMatches, metav1.ConditionFalse, status.ReasonInvalidPathMatch, "Match.Path.Value must start with '/'.") - return nil, false + return nil } if strings.Contains(path, "//") { routeAccessor.AddCondition(status.ConditionValidMatches, metav1.ConditionFalse, status.ReasonInvalidPathMatch, "Match.Path.Value must not contain consecutive '/' characters.") - return nil, false + return nil } - - return &ExactMatchCondition{Path: path}, true + return &ExactMatchCondition{Path: path} } if *match.Type == gatewayapi_v1.PathMatchRegularExpression { if err := ValidateRegex(*match.Value); err != nil { routeAccessor.AddCondition(status.ConditionValidMatches, metav1.ConditionFalse, status.ReasonInvalidPathMatch, "Match.Path.Value is invalid for RegularExpression match type.") - return nil, false + return nil } - return &RegexMatchCondition{Regex: path}, true + return &RegexMatchCondition{Regex: path} } routeAccessor.AddCondition( @@ -1837,7 +1885,7 @@ func gatewayPathMatchCondition(match *gatewayapi_v1beta1.HTTPPathMatch, routeAcc gatewayapi_v1beta1.RouteReasonUnsupportedValue, "HTTPRoute.Spec.Rules.PathMatch: Only Prefix match type, Exact match type and RegularExpression match type are supported.", ) - return nil, false + return nil } func gatewayHeaderMatchConditions(matches []gatewayapi_v1beta1.HTTPHeaderMatch) ([]HeaderMatchCondition, error) { @@ -2087,16 +2135,17 @@ func (p *GatewayAPIProcessor) grpcClusters(routeNamespace string, backendRefs [] // clusterRoutes builds a []*dag.Route for the supplied set of matchConditions, headerPolicies and backendRefs. func (p *GatewayAPIProcessor) clusterRoutes( matchConditions []*matchConditions, - requestHeaderPolicy *HeadersPolicy, - responseHeaderPolicy *HeadersPolicy, - mirrorPolicies []*MirrorPolicy, clusters []*Cluster, totalWeight uint32, priority uint8, - pathRewritePolicy *PathRewritePolicy, kind string, namespace string, name string, + requestHeaderPolicy *HeadersPolicy, + responseHeaderPolicy *HeadersPolicy, + mirrorPolicies []*MirrorPolicy, + pathRewritePolicy *PathRewritePolicy, + timeoutPolicy *RouteTimeoutPolicy, ) []*Route { var routes []*Route @@ -2121,6 +2170,9 @@ func (p *GatewayAPIProcessor) clusterRoutes( Priority: priority, PathRewritePolicy: pathRewritePolicy, } + if timeoutPolicy != nil { + route.TimeoutPolicy = *timeoutPolicy + } if p.SetSourceMetadataOnRoutes { route.Kind = kind diff --git a/internal/dag/gatewayapi_processor_test.go b/internal/dag/gatewayapi_processor_test.go index bfec5ba9950..a1cd47da0cb 100644 --- a/internal/dag/gatewayapi_processor_test.go +++ b/internal/dag/gatewayapi_processor_test.go @@ -466,6 +466,7 @@ func TestGetListenersForRouteParentRef(t *testing.T) { }, }, allowedKinds: []gatewayapi_v1beta1.Kind{"HTTPRoute"}, + ready: true, }, { listener: gatewayapi_v1beta1.Listener{ @@ -477,6 +478,7 @@ func TestGetListenersForRouteParentRef(t *testing.T) { }, }, allowedKinds: []gatewayapi_v1beta1.Kind{"HTTPRoute"}, + ready: true, }, }, want: []int{0, 1}, @@ -526,6 +528,7 @@ func TestGetListenersForRouteParentRef(t *testing.T) { }, }, allowedKinds: []gatewayapi_v1beta1.Kind{"HTTPRoute"}, + ready: true, }, { listener: gatewayapi_v1beta1.Listener{ @@ -537,6 +540,7 @@ func TestGetListenersForRouteParentRef(t *testing.T) { }, }, allowedKinds: []gatewayapi_v1beta1.Kind{"HTTPRoute"}, + ready: true, }, }, want: []int{0, 1}, @@ -587,6 +591,7 @@ func TestGetListenersForRouteParentRef(t *testing.T) { }, }, allowedKinds: []gatewayapi_v1beta1.Kind{"HTTPRoute"}, + ready: true, }, { listener: gatewayapi_v1beta1.Listener{ @@ -598,6 +603,7 @@ func TestGetListenersForRouteParentRef(t *testing.T) { }, }, allowedKinds: []gatewayapi_v1beta1.Kind{"HTTPRoute"}, + ready: true, }, }, want: []int{0}, @@ -617,6 +623,7 @@ func TestGetListenersForRouteParentRef(t *testing.T) { }, }, allowedKinds: []gatewayapi_v1beta1.Kind{"HTTPRoute"}, + ready: true, }, { listener: gatewayapi_v1beta1.Listener{ @@ -628,6 +635,7 @@ func TestGetListenersForRouteParentRef(t *testing.T) { }, }, allowedKinds: []gatewayapi_v1beta1.Kind{"HTTPRoute"}, + ready: true, }, }, want: []int{1}, @@ -677,6 +685,7 @@ func TestGetListenersForRouteParentRef(t *testing.T) { }, }, allowedKinds: []gatewayapi_v1beta1.Kind{"TLSRoute"}, + ready: true, }, { listener: gatewayapi_v1beta1.Listener{ @@ -688,6 +697,7 @@ func TestGetListenersForRouteParentRef(t *testing.T) { }, }, allowedKinds: []gatewayapi_v1beta1.Kind{"HTTPRoute"}, + ready: true, }, }, want: []int{1}, @@ -707,6 +717,7 @@ func TestGetListenersForRouteParentRef(t *testing.T) { }, }, allowedKinds: []gatewayapi_v1beta1.Kind{"GRPCRoute"}, + ready: true, }, { listener: gatewayapi_v1beta1.Listener{ @@ -718,6 +729,7 @@ func TestGetListenersForRouteParentRef(t *testing.T) { }, }, allowedKinds: []gatewayapi_v1beta1.Kind{"HTTPRoute"}, + ready: true, }, }, want: []int{0}, @@ -742,7 +754,13 @@ func TestGetListenersForRouteParentRef(t *testing.T) { rsu := &status.RouteStatusUpdate{} rpsu := rsu.StatusUpdateFor(tc.routeParentRef) - got := processor.getListenersForRouteParentRef(tc.routeParentRef, tc.routeNamespace, gatewayapi_v1beta1.Kind(tc.routeKind), tc.listeners, rpsu) + got := processor.getListenersForRouteParentRef( + tc.routeParentRef, + tc.routeNamespace, + gatewayapi_v1beta1.Kind(tc.routeKind), + tc.listeners, + map[string]int{}, + rpsu) var want []*listenerInfo for _, i := range tc.want { diff --git a/internal/dag/httpproxy_processor.go b/internal/dag/httpproxy_processor.go index 255a1fa0b71..29278ea5328 100644 --- a/internal/dag/httpproxy_processor.go +++ b/internal/dag/httpproxy_processor.go @@ -112,6 +112,13 @@ type HTTPProxyProcessor struct { // configurable and off by default in order to support the feature // without requiring all existing test cases to change. SetSourceMetadataOnRoutes bool + + // GlobalCircuitBreakerDefaults defines global circuit breaker defaults. + GlobalCircuitBreakerDefaults *contour_api_v1alpha1.GlobalCircuitBreakerDefaults + + // UpstreamTLS defines the TLS settings like min/max version + // and cipher suites for upstream connections. + UpstreamTLS *UpstreamTLS } // Run translates HTTPProxies into DAG objects and @@ -489,6 +496,7 @@ func (p *HTTPProxyProcessor) computeHTTPProxy(proxy *contour_api_v1.HTTPProxy) { Port: port, DNSLookupFamily: dnsLookupFamily, UpstreamValidation: uv, + UpstreamTLS: p.UpstreamTLS, }, CacheDuration: cacheDuration, }, @@ -933,6 +941,7 @@ func (p *HTTPProxyProcessor) computeRoutes( "Spec.Routes unresolved service reference: %s", err) continue } + s = serviceCircuitBreakerPolicy(s, p.GlobalCircuitBreakerDefaults) // Determine the protocol to use to speak to this Cluster. protocol, err := getProtocol(service, s) @@ -1026,6 +1035,7 @@ func (p *HTTPProxyProcessor) computeRoutes( SlowStartConfig: slowStart, MaxRequestsPerConnection: p.MaxRequestsPerConnection, PerConnectionBufferLimitBytes: p.PerConnectionBufferLimitBytes, + UpstreamTLS: p.UpstreamTLS, } if service.Mirror && len(r.MirrorPolicies) > 0 { validCond.AddError(contour_api_v1.ConditionTypeServiceError, "OnlyOneMirror", diff --git a/internal/dag/httpproxy_processor_test.go b/internal/dag/httpproxy_processor_test.go index b090d3c4945..af345290514 100644 --- a/internal/dag/httpproxy_processor_test.go +++ b/internal/dag/httpproxy_processor_test.go @@ -1499,3 +1499,32 @@ func TestRateLimitPerRoute(t *testing.T) { }) } } + +func TestDetermineUpstreamTLS(t *testing.T) { + tests := map[string]struct { + envoyTLS *contour_api_v1alpha1.EnvoyTLS + want *UpstreamTLS + }{ + "nothing set": { + envoyTLS: nil, + want: nil, + }, + "only set tls min max": { + envoyTLS: &contour_api_v1alpha1.EnvoyTLS{ + MinimumProtocolVersion: "1.1", + MaximumProtocolVersion: "1.2", + }, + want: &UpstreamTLS{ + MinimumProtocolVersion: "1.1", + MaximumProtocolVersion: "1.2", + }, + }, + } + + for name, tc := range tests { + t.Run(name, func(t *testing.T) { + got := (*UpstreamTLS)(tc.envoyTLS) + assert.Equal(t, tc.want, got) + }) + } +} diff --git a/internal/dag/ingress_processor.go b/internal/dag/ingress_processor.go index 918f6fcab29..c15a1d8ae4c 100644 --- a/internal/dag/ingress_processor.go +++ b/internal/dag/ingress_processor.go @@ -20,6 +20,7 @@ import ( "k8s.io/apimachinery/pkg/util/intstr" + contour_api_v1alpha1 "github.com/projectcontour/contour/apis/projectcontour/v1alpha1" "github.com/projectcontour/contour/internal/annotation" "github.com/projectcontour/contour/internal/k8s" "github.com/projectcontour/contour/internal/ref" @@ -65,6 +66,13 @@ type IngressProcessor struct { // configurable and off by default in order to support the feature // without requiring all existing test cases to change. SetSourceMetadataOnRoutes bool + + // GlobalCircuitBreakerDefaults defines global circuit breaker defaults. + GlobalCircuitBreakerDefaults *contour_api_v1alpha1.GlobalCircuitBreakerDefaults + + // UpstreamTLS defines the TLS settings like min/max version + // and cipher suites for upstream connections. + UpstreamTLS *UpstreamTLS } // Run translates Ingresses into DAG objects and @@ -213,6 +221,7 @@ func (p *IngressProcessor) computeIngressRule(ing *networking_v1.Ingress, rule n Error("unresolved service reference") continue } + s = serviceCircuitBreakerPolicy(s, p.GlobalCircuitBreakerDefaults) r, err := p.route(ing, rule.Host, path, pathType, s, clientCertSecret, be.Service.Name, be.Service.Port.Number, p.FieldLogger) if err != nil { @@ -294,6 +303,7 @@ func (p *IngressProcessor) route(ingress *networking_v1.Ingress, host string, pa TimeoutPolicy: ClusterTimeoutPolicy{ConnectTimeout: p.ConnectTimeout}, MaxRequestsPerConnection: p.MaxRequestsPerConnection, PerConnectionBufferLimitBytes: p.PerConnectionBufferLimitBytes, + UpstreamTLS: p.UpstreamTLS, }}, } diff --git a/internal/dag/policy.go b/internal/dag/policy.go index 97c57d2cf08..4c237b96a5f 100644 --- a/internal/dag/policy.go +++ b/internal/dag/policy.go @@ -27,6 +27,7 @@ import ( gatewayapi_v1beta1 "sigs.k8s.io/gateway-api/apis/v1beta1" contour_api_v1 "github.com/projectcontour/contour/apis/projectcontour/v1" + contour_api_v1alpha1 "github.com/projectcontour/contour/apis/projectcontour/v1alpha1" "github.com/projectcontour/contour/internal/annotation" "github.com/projectcontour/contour/internal/ref" "github.com/projectcontour/contour/internal/timeout" @@ -809,3 +810,27 @@ func loadBalancerRequestHashPolicies(lbp *contour_api_v1.LoadBalancerPolicy, val } } + +func serviceCircuitBreakerPolicy(s *Service, cb *contour_api_v1alpha1.GlobalCircuitBreakerDefaults) *Service { + if s == nil { + return nil + } + + if s.MaxConnections == 0 && cb != nil { + s.MaxConnections = cb.MaxConnections + } + + if s.MaxPendingRequests == 0 && cb != nil { + s.MaxPendingRequests = cb.MaxPendingRequests + } + + if s.MaxRequests == 0 && cb != nil { + s.MaxRequests = cb.MaxRequests + } + + if s.MaxRetries == 0 && cb != nil { + s.MaxRetries = cb.MaxRetries + } + + return s +} diff --git a/internal/dag/policy_test.go b/internal/dag/policy_test.go index 6daf9e7a969..018b386d8b2 100644 --- a/internal/dag/policy_test.go +++ b/internal/dag/policy_test.go @@ -21,6 +21,7 @@ import ( "time" contour_api_v1 "github.com/projectcontour/contour/apis/projectcontour/v1" + contour_api_v1alpha1 "github.com/projectcontour/contour/apis/projectcontour/v1alpha1" "github.com/projectcontour/contour/internal/timeout" "github.com/sirupsen/logrus" "github.com/stretchr/testify/assert" @@ -1271,6 +1272,76 @@ func TestValidateHeaderAlteration(t *testing.T) { } } +func TestServiceCircuitBreakerPolicy(t *testing.T) { + tests := map[string]struct { + in *Service + globalDefault *contour_api_v1alpha1.GlobalCircuitBreakerDefaults + want *Service + }{ + "service is nil and globalDefault is nil": { + in: nil, + globalDefault: nil, + want: nil, + }, + "service is nil and globalDefault is not nil": { + in: nil, + globalDefault: &contour_api_v1alpha1.GlobalCircuitBreakerDefaults{}, + want: nil, + }, + "service is not nil and globalDefault is nil": { + in: &Service{ + MaxConnections: 42, + MaxPendingRequests: 73, + MaxRequests: 89, + MaxRetries: 13, + }, + globalDefault: nil, + want: &Service{ + MaxConnections: 42, + MaxPendingRequests: 73, + MaxRequests: 89, + MaxRetries: 13, + }, + }, + "service is not set but global is": { + in: &Service{}, + globalDefault: &contour_api_v1alpha1.GlobalCircuitBreakerDefaults{ + MaxConnections: 42, + MaxPendingRequests: 73, + MaxRequests: 89, + MaxRetries: 13, + }, + want: &Service{ + MaxConnections: 42, + MaxPendingRequests: 73, + MaxRequests: 89, + MaxRetries: 13, + }, + }, + "service is not set but global is partial": { + in: &Service{}, + globalDefault: &contour_api_v1alpha1.GlobalCircuitBreakerDefaults{ + MaxConnections: 42, + MaxPendingRequests: 73, + MaxRequests: 89, + }, + want: &Service{ + MaxConnections: 42, + MaxPendingRequests: 73, + MaxRequests: 89, + MaxRetries: 0, + }, + }, + } + + for name, tc := range tests { + t.Run(name, func(t *testing.T) { + got := serviceCircuitBreakerPolicy(tc.in, tc.globalDefault) + assert.Equal(t, tc.want, got) + }) + } +} + func TestExtractHeaderValue(t *testing.T) { tests := map[string]string{ "%REQ(X-Header-Name)%": "X-Header-Name", diff --git a/internal/dag/status_test.go b/internal/dag/status_test.go index fe4835fb448..659da1a04cb 100644 --- a/internal/dag/status_test.go +++ b/internal/dag/status_test.go @@ -5218,6 +5218,7 @@ func TestGatewayAPIHTTPRouteDAGStatus(t *testing.T) { for _, o := range tc.objs { builder.Source.Insert(o) } + dag := builder.Build() gotRouteUpdates := dag.StatusCache.GetRouteUpdates() gotGatewayUpdates := dag.StatusCache.GetGatewayUpdates() @@ -5506,7 +5507,7 @@ func TestGatewayAPIHTTPRouteDAGStatus(t *testing.T) { }, }, }}, - wantGatewayStatusUpdate: validGatewayStatusUpdate("http", gatewayapi_v1.HTTPProtocolType, 0), + wantGatewayStatusUpdate: validGatewayStatusUpdate("http", gatewayapi_v1.HTTPProtocolType, 1), }) run(t, "exact path match not starting with '/' for httproute", testcase{ objs: []any{ @@ -5552,7 +5553,7 @@ func TestGatewayAPIHTTPRouteDAGStatus(t *testing.T) { }, }, }}, - wantGatewayStatusUpdate: validGatewayStatusUpdate("http", gatewayapi_v1.HTTPProtocolType, 0), + wantGatewayStatusUpdate: validGatewayStatusUpdate("http", gatewayapi_v1.HTTPProtocolType, 1), }) run(t, "regular expression path match with invalid value for httproute", testcase{ @@ -5594,7 +5595,7 @@ func TestGatewayAPIHTTPRouteDAGStatus(t *testing.T) { }, }, }}, - wantGatewayStatusUpdate: validGatewayStatusUpdate("http", gatewayapi_v1.HTTPProtocolType, 0), + wantGatewayStatusUpdate: validGatewayStatusUpdate("http", gatewayapi_v1.HTTPProtocolType, 1), }) run(t, "prefix path match with consecutive '/' characters for httproute", testcase{ @@ -5641,7 +5642,7 @@ func TestGatewayAPIHTTPRouteDAGStatus(t *testing.T) { }, }, }}, - wantGatewayStatusUpdate: validGatewayStatusUpdate("http", gatewayapi_v1.HTTPProtocolType, 0), + wantGatewayStatusUpdate: validGatewayStatusUpdate("http", gatewayapi_v1.HTTPProtocolType, 1), }) run(t, "exact path match with consecutive '/' characters for httproute", testcase{ @@ -5688,7 +5689,7 @@ func TestGatewayAPIHTTPRouteDAGStatus(t *testing.T) { }, }, }}, - wantGatewayStatusUpdate: validGatewayStatusUpdate("http", gatewayapi_v1.HTTPProtocolType, 0), + wantGatewayStatusUpdate: validGatewayStatusUpdate("http", gatewayapi_v1.HTTPProtocolType, 1), }) run(t, "invalid path match type for httproute", testcase{ @@ -5724,17 +5725,12 @@ func TestGatewayAPIHTTPRouteDAGStatus(t *testing.T) { ParentRef: gatewayapi.GatewayParentRef("projectcontour", "contour"), Conditions: []metav1.Condition{ routeResolvedRefsCondition(), - { - Type: string(gatewayapi_v1.RouteConditionAccepted), - Status: contour_api_v1.ConditionFalse, - Reason: string(gatewayapi_v1.RouteReasonUnsupportedValue), - Message: "HTTPRoute.Spec.Rules.PathMatch: Only Prefix match type, Exact match type and RegularExpression match type are supported.", - }, + routeAcceptedFalse(gatewayapi_v1.RouteReasonUnsupportedValue, "HTTPRoute.Spec.Rules.PathMatch: Only Prefix match type, Exact match type and RegularExpression match type are supported."), }, }, }, }}, - wantGatewayStatusUpdate: validGatewayStatusUpdate("http", gatewayapi_v1.HTTPProtocolType, 0), + wantGatewayStatusUpdate: validGatewayStatusUpdate("http", gatewayapi_v1.HTTPProtocolType, 1), }) run(t, "invalid header match type not supported for httproute", testcase{ @@ -5777,17 +5773,12 @@ func TestGatewayAPIHTTPRouteDAGStatus(t *testing.T) { ParentRef: gatewayapi.GatewayParentRef("projectcontour", "contour"), Conditions: []metav1.Condition{ routeResolvedRefsCondition(), - { - Type: string(gatewayapi_v1.RouteConditionAccepted), - Status: contour_api_v1.ConditionFalse, - Reason: string(gatewayapi_v1.RouteReasonUnsupportedValue), - Message: "HTTPRoute.Spec.Rules.Matches.Headers: Only Exact match type and RegularExpression match type are supported", - }, + routeAcceptedFalse(gatewayapi_v1.RouteReasonUnsupportedValue, "HTTPRoute.Spec.Rules.Matches.Headers: Only Exact match type and RegularExpression match type are supported"), }, }, }, }}, - wantGatewayStatusUpdate: validGatewayStatusUpdate("http", gatewayapi_v1.HTTPProtocolType, 0), + wantGatewayStatusUpdate: validGatewayStatusUpdate("http", gatewayapi_v1.HTTPProtocolType, 1), }) run(t, "regular expression header match with invalid value for httproute", testcase{ @@ -5830,17 +5821,12 @@ func TestGatewayAPIHTTPRouteDAGStatus(t *testing.T) { ParentRef: gatewayapi.GatewayParentRef("projectcontour", "contour"), Conditions: []metav1.Condition{ routeResolvedRefsCondition(), - { - Type: string(gatewayapi_v1.RouteConditionAccepted), - Status: contour_api_v1.ConditionFalse, - Reason: string(gatewayapi_v1.RouteReasonUnsupportedValue), - Message: "HTTPRoute.Spec.Rules.Matches.Headers: Invalid value for RegularExpression match type is specified", - }, + routeAcceptedFalse(gatewayapi_v1.RouteReasonUnsupportedValue, "HTTPRoute.Spec.Rules.Matches.Headers: Invalid value for RegularExpression match type is specified"), }, }, }, }}, - wantGatewayStatusUpdate: validGatewayStatusUpdate("http", gatewayapi_v1.HTTPProtocolType, 0), + wantGatewayStatusUpdate: validGatewayStatusUpdate("http", gatewayapi_v1.HTTPProtocolType, 1), }) run(t, "regular expression query param match with valid value for httproute", testcase{ @@ -5936,17 +5922,12 @@ func TestGatewayAPIHTTPRouteDAGStatus(t *testing.T) { ParentRef: gatewayapi.GatewayParentRef("projectcontour", "contour"), Conditions: []metav1.Condition{ routeResolvedRefsCondition(), - { - Type: string(gatewayapi_v1.RouteConditionAccepted), - Status: contour_api_v1.ConditionFalse, - Reason: string(gatewayapi_v1.RouteReasonUnsupportedValue), - Message: "HTTPRoute.Spec.Rules.Matches.QueryParams: Invalid value for RegularExpression match type is specified", - }, + routeAcceptedFalse(gatewayapi_v1.RouteReasonUnsupportedValue, "HTTPRoute.Spec.Rules.Matches.QueryParams: Invalid value for RegularExpression match type is specified"), }, }, }, }}, - wantGatewayStatusUpdate: validGatewayStatusUpdate("http", gatewayapi_v1.HTTPProtocolType, 0), + wantGatewayStatusUpdate: validGatewayStatusUpdate("http", gatewayapi_v1.HTTPProtocolType, 1), }) run(t, "query param match with invalid type for httproute", testcase{ @@ -5989,17 +5970,12 @@ func TestGatewayAPIHTTPRouteDAGStatus(t *testing.T) { ParentRef: gatewayapi.GatewayParentRef("projectcontour", "contour"), Conditions: []metav1.Condition{ routeResolvedRefsCondition(), - { - Type: string(gatewayapi_v1.RouteConditionAccepted), - Status: contour_api_v1.ConditionFalse, - Reason: string(gatewayapi_v1.RouteReasonUnsupportedValue), - Message: "HTTPRoute.Spec.Rules.Matches.QueryParams: Only Exact and RegularExpression match types are supported", - }, + routeAcceptedFalse(gatewayapi_v1.RouteReasonUnsupportedValue, "HTTPRoute.Spec.Rules.Matches.QueryParams: Only Exact and RegularExpression match types are supported"), }, }, }, }}, - wantGatewayStatusUpdate: validGatewayStatusUpdate("http", gatewayapi_v1.HTTPProtocolType, 0), + wantGatewayStatusUpdate: validGatewayStatusUpdate("http", gatewayapi_v1.HTTPProtocolType, 1), }) run(t, "spec.rules.backendRef.name not specified", testcase{ @@ -6175,7 +6151,7 @@ func TestGatewayAPIHTTPRouteDAGStatus(t *testing.T) { }, }, }}, - wantGatewayStatusUpdate: validGatewayStatusUpdate("http", gatewayapi_v1.HTTPProtocolType, 0), + wantGatewayStatusUpdate: validGatewayStatusUpdate("http", gatewayapi_v1.HTTPProtocolType, 1), }) run(t, "spec.rules.backendRef.namespace does not match route", testcase{ @@ -6942,7 +6918,7 @@ func TestGatewayAPIHTTPRouteDAGStatus(t *testing.T) { }, }, }}, - wantGatewayStatusUpdate: validGatewayStatusUpdate("http", gatewayapi_v1.HTTPProtocolType, 0), + wantGatewayStatusUpdate: validGatewayStatusUpdate("http", gatewayapi_v1.HTTPProtocolType, 1), }) run(t, "spec.rules.hostname: invalid hostname", testcase{ @@ -6984,7 +6960,7 @@ func TestGatewayAPIHTTPRouteDAGStatus(t *testing.T) { }, }, }}, - wantGatewayStatusUpdate: validGatewayStatusUpdate("http", gatewayapi_v1.HTTPProtocolType, 0), + wantGatewayStatusUpdate: validGatewayStatusUpdate("http", gatewayapi_v1.HTTPProtocolType, 1), }) run(t, "spec.rules.hostname: invalid hostname, ip address", testcase{ @@ -7024,7 +7000,7 @@ func TestGatewayAPIHTTPRouteDAGStatus(t *testing.T) { }, }, }}, - wantGatewayStatusUpdate: validGatewayStatusUpdate("http", gatewayapi_v1.HTTPProtocolType, 0), + wantGatewayStatusUpdate: validGatewayStatusUpdate("http", gatewayapi_v1.HTTPProtocolType, 1), }) run(t, "two HTTP listeners, route's hostname intersects with one of them", testcase{ @@ -7120,7 +7096,7 @@ func TestGatewayAPIHTTPRouteDAGStatus(t *testing.T) { }, "listener-2": { Name: gatewayapi_v1beta1.SectionName("listener-2"), - AttachedRoutes: int32(0), + AttachedRoutes: int32(1), SupportedKinds: []gatewayapi_v1beta1.RouteGroupKind{ { Group: ref.To(gatewayapi_v1beta1.Group(gatewayapi_v1beta1.GroupName)), @@ -7221,7 +7197,7 @@ func TestGatewayAPIHTTPRouteDAGStatus(t *testing.T) { ListenerStatus: map[string]*gatewayapi_v1beta1.ListenerStatus{ "listener-1": { Name: gatewayapi_v1beta1.SectionName("listener-1"), - AttachedRoutes: int32(0), + AttachedRoutes: int32(1), SupportedKinds: []gatewayapi_v1beta1.RouteGroupKind{ { Group: ref.To(gatewayapi_v1beta1.Group(gatewayapi_v1beta1.GroupName)), @@ -7236,7 +7212,7 @@ func TestGatewayAPIHTTPRouteDAGStatus(t *testing.T) { }, "listener-2": { Name: gatewayapi_v1beta1.SectionName("listener-2"), - AttachedRoutes: int32(0), + AttachedRoutes: int32(1), SupportedKinds: []gatewayapi_v1beta1.RouteGroupKind{ { Group: ref.To(gatewayapi_v1beta1.Group(gatewayapi_v1beta1.GroupName)), @@ -7955,12 +7931,7 @@ func TestGatewayAPIHTTPRouteDAGStatus(t *testing.T) { { ParentRef: gatewayapi.GatewayParentRef("projectcontour", "contour"), Conditions: []metav1.Condition{ - { - Type: string(gatewayapi_v1.RouteConditionAccepted), - Status: contour_api_v1.ConditionFalse, - Reason: string(gatewayapi_v1.RouteReasonUnsupportedValue), - Message: "HTTPRoute.Spec.Rules.BackendRef.Filters: Only RequestHeaderModifier and ResponseHeaderModifier type is supported.", - }, + routeAcceptedFalse(gatewayapi_v1.RouteReasonUnsupportedValue, "HTTPRoute.Spec.Rules.BackendRef.Filters: Only RequestHeaderModifier and ResponseHeaderModifier type is supported."), routeResolvedRefsCondition(), }, }, @@ -8006,12 +7977,7 @@ func TestGatewayAPIHTTPRouteDAGStatus(t *testing.T) { ParentRef: gatewayapi.GatewayParentRef("projectcontour", "contour"), Conditions: []metav1.Condition{ routeResolvedRefsCondition(), - { - Type: string(gatewayapi_v1.RouteConditionAccepted), - Status: metav1.ConditionFalse, - Reason: string(gatewayapi_v1.RouteReasonUnsupportedValue), - Message: "HTTPRoute.Spec.Rules.Filters.URLRewrite.Path.Type: invalid type \"custom\": only ReplacePrefixMatch and ReplaceFullPath are supported.", - }, + routeAcceptedFalse(gatewayapi_v1.RouteReasonUnsupportedValue, "HTTPRoute.Spec.Rules.Filters.URLRewrite.Path.Type: invalid type \"custom\": only ReplacePrefixMatch and ReplaceFullPath are supported."), }, }, }, @@ -8249,12 +8215,7 @@ func TestGatewayAPIHTTPRouteDAGStatus(t *testing.T) { ParentRef: gatewayapi.GatewayParentRef("projectcontour", "contour"), Conditions: []metav1.Condition{ routeResolvedRefsCondition(), - { - Type: string(gatewayapi_v1.RouteConditionAccepted), - Status: metav1.ConditionFalse, - Reason: string(gatewayapi_v1.RouteReasonUnsupportedValue), - Message: "HTTPRoute.Spec.Rules.Filters: invalid type \"custom-filter\": only RequestHeaderModifier, ResponseHeaderModifier, RequestRedirect, RequestMirror and URLRewrite are supported.", - }, + routeAcceptedFalse(gatewayapi_v1.RouteReasonUnsupportedValue, "HTTPRoute.Spec.Rules.Filters: invalid type \"custom-filter\": only RequestHeaderModifier, ResponseHeaderModifier, RequestRedirect, RequestMirror and URLRewrite are supported."), }, }, }, @@ -9262,6 +9223,224 @@ func TestGatewayAPIHTTPRouteDAGStatus(t *testing.T) { wantGatewayStatusUpdate: validGatewayStatusUpdate("http", gatewayapi_v1.HTTPProtocolType, 1), }) + run(t, "HTTP listener with invalid AllowedRoute kind referenced by route parent ref", testcase{ + objs: []any{ + kuardService, + &gatewayapi_v1beta1.HTTPRoute{ + ObjectMeta: metav1.ObjectMeta{ + Name: "basic", + Namespace: "default", + }, + Spec: gatewayapi_v1beta1.HTTPRouteSpec{ + CommonRouteSpec: gatewayapi_v1beta1.CommonRouteSpec{ + ParentRefs: []gatewayapi_v1beta1.ParentReference{gatewayapi.GatewayListenerParentRef("projectcontour", "contour", "listener-1", 80)}, + }, + Hostnames: []gatewayapi_v1beta1.Hostname{"foo.projectcontour.io"}, + Rules: []gatewayapi_v1beta1.HTTPRouteRule{{ + Matches: gatewayapi.HTTPRouteMatch(gatewayapi_v1.PathMatchPathPrefix, "/"), + BackendRefs: gatewayapi.HTTPBackendRef("kuard", 8080, 1), + }}, + }, + }}, + gateway: &gatewayapi_v1beta1.Gateway{ + ObjectMeta: metav1.ObjectMeta{ + Name: "contour", + Namespace: "projectcontour", + }, + Spec: gatewayapi_v1beta1.GatewaySpec{ + Listeners: []gatewayapi_v1beta1.Listener{ + { + Name: "listener-1", + Port: 80, + Protocol: gatewayapi_v1.HTTPProtocolType, + AllowedRoutes: &gatewayapi_v1beta1.AllowedRoutes{ + Kinds: []gatewayapi_v1beta1.RouteGroupKind{ + {Kind: "FooRoute"}, + }, + }, + Hostname: ref.To(gatewayapi_v1beta1.Hostname("*.projectcontour.io")), + }, + }, + }, + }, + wantRouteConditions: []*status.RouteStatusUpdate{{ + FullName: types.NamespacedName{Namespace: "default", Name: "basic"}, + RouteParentStatuses: []*gatewayapi_v1beta1.RouteParentStatus{ + { + ParentRef: gatewayapi.GatewayListenerParentRef("projectcontour", "contour", "listener-1", 80), + Conditions: []metav1.Condition{ + { + Type: string(gatewayapi_v1.RouteConditionAccepted), + Status: contour_api_v1.ConditionFalse, + Reason: string(gatewayapi_v1beta1.RouteReasonNotAllowedByListeners), + Message: "No listeners included by this parent ref allowed this attachment.", + }, + routeResolvedRefsCondition(), + }, + }, + }, + }}, + wantGatewayStatusUpdate: []*status.GatewayStatusUpdate{ + { + FullName: types.NamespacedName{Namespace: "projectcontour", Name: "contour"}, + Conditions: map[gatewayapi_v1.GatewayConditionType]metav1.Condition{ + gatewayapi_v1.GatewayConditionAccepted: gatewayAcceptedCondition(), + gatewayapi_v1.GatewayConditionProgrammed: { + Type: string(gatewayapi_v1.GatewayConditionProgrammed), + Status: contour_api_v1.ConditionFalse, + Reason: string(gatewayapi_v1.GatewayReasonListenersNotValid), + Message: "Listeners are not valid", + }, + }, + ListenerStatus: map[string]*gatewayapi_v1beta1.ListenerStatus{ + "listener-1": { + Name: gatewayapi_v1beta1.SectionName("listener-1"), + AttachedRoutes: int32(0), + Conditions: []metav1.Condition{ + { + Type: string(gatewayapi_v1.ListenerConditionResolvedRefs), + Status: metav1.ConditionFalse, + Reason: string(gatewayapi_v1.ListenerReasonInvalidRouteKinds), + Message: "Kind \"FooRoute\" is not supported, kind must be \"HTTPRoute\", \"TLSRoute\", \"GRPCRoute\" or \"TCPRoute\"", + }, + { + Type: string(gatewayapi_v1.ListenerConditionProgrammed), + Status: metav1.ConditionFalse, + Reason: string(gatewayapi_v1.ListenerReasonInvalid), + Message: "Invalid listener, see other listener conditions for details", + }, + listenerAcceptedCondition(), + }, + }, + }, + }, + }, + }) + + run(t, "route rule with timeouts.request and timeouts.backendRequest specified", testcase{ + objs: []any{ + kuardService, + &gatewayapi_v1beta1.HTTPRoute{ + ObjectMeta: metav1.ObjectMeta{ + Name: "basic", + Namespace: "default", + }, + Spec: gatewayapi_v1beta1.HTTPRouteSpec{ + CommonRouteSpec: gatewayapi_v1beta1.CommonRouteSpec{ + ParentRefs: []gatewayapi_v1beta1.ParentReference{gatewayapi.GatewayParentRef("projectcontour", "contour")}, + }, + Hostnames: []gatewayapi_v1beta1.Hostname{ + "test.projectcontour.io", + }, + Rules: []gatewayapi_v1beta1.HTTPRouteRule{ + { + Matches: gatewayapi.HTTPRouteMatch(gatewayapi_v1.PathMatchPathPrefix, "/"), + BackendRefs: gatewayapi.HTTPBackendRef("kuard", 8080, 1), + Timeouts: &gatewayapi_v1.HTTPRouteTimeouts{ + Request: ref.To(gatewayapi_v1.Duration("30s")), + BackendRequest: ref.To(gatewayapi_v1.Duration("30s")), + }, + }, + }, + }, + }}, + + wantRouteConditions: []*status.RouteStatusUpdate{{ + FullName: types.NamespacedName{Namespace: "default", Name: "basic"}, + RouteParentStatuses: []*gatewayapi_v1beta1.RouteParentStatus{ + { + + ParentRef: gatewayapi.GatewayParentRef("projectcontour", "contour"), + Conditions: []metav1.Condition{ + routeResolvedRefsCondition(), + routeAcceptedFalse(gatewayapi_v1.RouteReasonUnsupportedValue, "HTTPRoute.Spec.Rules.Timeouts.BackendRequest is not supported, use HTTPRoute.Spec.Rules.Timeouts.Request instead"), + }, + }, + }, + }}, + + wantGatewayStatusUpdate: validGatewayStatusUpdate("http", gatewayapi_v1.HTTPProtocolType, 1), + }) + + run(t, "route rule with only timeouts.backendRequest specified", testcase{ + objs: []any{ + kuardService, + &gatewayapi_v1beta1.HTTPRoute{ + ObjectMeta: metav1.ObjectMeta{ + Name: "basic", + Namespace: "default", + }, + Spec: gatewayapi_v1beta1.HTTPRouteSpec{ + CommonRouteSpec: gatewayapi_v1beta1.CommonRouteSpec{ + ParentRefs: []gatewayapi_v1beta1.ParentReference{gatewayapi.GatewayParentRef("projectcontour", "contour")}, + }, + Hostnames: []gatewayapi_v1beta1.Hostname{ + "test.projectcontour.io", + }, + Rules: []gatewayapi_v1beta1.HTTPRouteRule{ + { + Matches: gatewayapi.HTTPRouteMatch(gatewayapi_v1.PathMatchPathPrefix, "/"), + BackendRefs: gatewayapi.HTTPBackendRef("kuard", 8080, 1), + Timeouts: &gatewayapi_v1.HTTPRouteTimeouts{ + BackendRequest: ref.To(gatewayapi_v1.Duration("30s")), + }, + }, + }, + }, + }}, + wantRouteConditions: []*status.RouteStatusUpdate{{ + FullName: types.NamespacedName{Namespace: "default", Name: "basic"}, + RouteParentStatuses: []*gatewayapi_v1beta1.RouteParentStatus{ + { + ParentRef: gatewayapi.GatewayParentRef("projectcontour", "contour"), + Conditions: []metav1.Condition{ + routeResolvedRefsCondition(), + routeAcceptedFalse(gatewayapi_v1.RouteReasonUnsupportedValue, "HTTPRoute.Spec.Rules.Timeouts.BackendRequest is not supported, use HTTPRoute.Spec.Rules.Timeouts.Request instead"), + }, + }, + }, + }}, + wantGatewayStatusUpdate: validGatewayStatusUpdate("http", gatewayapi_v1.HTTPProtocolType, 1), + }) + + run(t, "timeouts with invalid request for httproute", testcase{ + objs: []any{ + kuardService, + &gatewayapi_v1beta1.HTTPRoute{ + ObjectMeta: metav1.ObjectMeta{ + Name: "basic", + Namespace: "default", + }, + Spec: gatewayapi_v1beta1.HTTPRouteSpec{ + CommonRouteSpec: gatewayapi_v1beta1.CommonRouteSpec{ + ParentRefs: []gatewayapi_v1beta1.ParentReference{gatewayapi.GatewayParentRef("projectcontour", "contour")}, + }, + Hostnames: []gatewayapi_v1beta1.Hostname{ + "test.projectcontour.io", + }, + Rules: []gatewayapi_v1beta1.HTTPRouteRule{{ + BackendRefs: gatewayapi.HTTPBackendRef("kuard", 8080, 1), + Timeouts: &gatewayapi_v1.HTTPRouteTimeouts{ + Request: ref.To(gatewayapi_v1.Duration("invalid")), + }, + }}, + }, + }}, + wantRouteConditions: []*status.RouteStatusUpdate{{ + FullName: types.NamespacedName{Namespace: "default", Name: "basic"}, + RouteParentStatuses: []*gatewayapi_v1beta1.RouteParentStatus{ + { + ParentRef: gatewayapi.GatewayParentRef("projectcontour", "contour"), + Conditions: []metav1.Condition{ + routeResolvedRefsCondition(), + routeAcceptedFalse(gatewayapi_v1.RouteReasonUnsupportedValue, "invalid HTTPRoute.Spec.Rules.Timeouts.Request: unable to parse timeout string \"invalid\": time: invalid duration \"invalid\""), + }, + }, + }, + }}, + wantGatewayStatusUpdate: validGatewayStatusUpdate("http", gatewayapi_v1.HTTPProtocolType, 1), + }) + } func TestGatewayAPITLSRouteDAGStatus(t *testing.T) { @@ -9435,7 +9614,7 @@ func TestGatewayAPITLSRouteDAGStatus(t *testing.T) { }, }, }}, - wantGatewayStatusUpdate: validGatewayStatusUpdate(string(gw.Spec.Listeners[0].Name), gw.Spec.Listeners[0].Protocol, 0), + wantGatewayStatusUpdate: validGatewayStatusUpdate(string(gw.Spec.Listeners[0].Name), gw.Spec.Listeners[0].Protocol, 1), }) run(t, "TLSRoute: spec.rules.backendRef.name invalid on two matches", testcase{ @@ -9478,7 +9657,7 @@ func TestGatewayAPITLSRouteDAGStatus(t *testing.T) { }, }, }}, - wantGatewayStatusUpdate: validGatewayStatusUpdate(string(gw.Spec.Listeners[0].Name), gw.Spec.Listeners[0].Protocol, 0), + wantGatewayStatusUpdate: validGatewayStatusUpdate(string(gw.Spec.Listeners[0].Name), gw.Spec.Listeners[0].Protocol, 1), }) run(t, "TLSRoute: spec.rules.backendRef.port not specified", testcase{ @@ -9526,7 +9705,7 @@ func TestGatewayAPITLSRouteDAGStatus(t *testing.T) { }, }, }}, - wantGatewayStatusUpdate: validGatewayStatusUpdate(string(gw.Spec.Listeners[0].Name), gw.Spec.Listeners[0].Protocol, 0), + wantGatewayStatusUpdate: validGatewayStatusUpdate(string(gw.Spec.Listeners[0].Name), gw.Spec.Listeners[0].Protocol, 1), }) run(t, "TLSRoute: spec.rules.backendRefs not specified", testcase{ @@ -9567,7 +9746,7 @@ func TestGatewayAPITLSRouteDAGStatus(t *testing.T) { }, }, }}, - wantGatewayStatusUpdate: validGatewayStatusUpdate(string(gw.Spec.Listeners[0].Name), gw.Spec.Listeners[0].Protocol, 0), + wantGatewayStatusUpdate: validGatewayStatusUpdate(string(gw.Spec.Listeners[0].Name), gw.Spec.Listeners[0].Protocol, 1), }) run(t, "TLSRoute: spec.rules.hostname: invalid wildcard", testcase{ @@ -9610,7 +9789,7 @@ func TestGatewayAPITLSRouteDAGStatus(t *testing.T) { }, }, }}, - wantGatewayStatusUpdate: validGatewayStatusUpdate(string(gw.Spec.Listeners[0].Name), gw.Spec.Listeners[0].Protocol, 0), + wantGatewayStatusUpdate: validGatewayStatusUpdate(string(gw.Spec.Listeners[0].Name), gw.Spec.Listeners[0].Protocol, 1), }) run(t, "TLSRoute: spec.rules.hostname: invalid hostname", testcase{ @@ -9653,7 +9832,7 @@ func TestGatewayAPITLSRouteDAGStatus(t *testing.T) { }, }, }}, - wantGatewayStatusUpdate: validGatewayStatusUpdate(string(gw.Spec.Listeners[0].Name), gw.Spec.Listeners[0].Protocol, 0), + wantGatewayStatusUpdate: validGatewayStatusUpdate(string(gw.Spec.Listeners[0].Name), gw.Spec.Listeners[0].Protocol, 1), }) run(t, "TLSRoute: spec.rules.hostname: invalid hostname, ip address", testcase{ @@ -9694,7 +9873,7 @@ func TestGatewayAPITLSRouteDAGStatus(t *testing.T) { }, }, }}, - wantGatewayStatusUpdate: validGatewayStatusUpdate(string(gw.Spec.Listeners[0].Name), gw.Spec.Listeners[0].Protocol, 0), + wantGatewayStatusUpdate: validGatewayStatusUpdate(string(gw.Spec.Listeners[0].Name), gw.Spec.Listeners[0].Protocol, 1), }) run(t, "TLSRoute: spec.rules.backendRefs has 0 weight", testcase{ @@ -9741,7 +9920,7 @@ func TestGatewayAPITLSRouteDAGStatus(t *testing.T) { }, }, }}, - wantGatewayStatusUpdate: validGatewayStatusUpdate(string(gw.Spec.Listeners[0].Name), gw.Spec.Listeners[0].Protocol, 0), + wantGatewayStatusUpdate: validGatewayStatusUpdate(string(gw.Spec.Listeners[0].Name), gw.Spec.Listeners[0].Protocol, 1), }) run(t, "TLSRoute: backendrefs still validated when route not accepted", testcase{ @@ -9883,6 +10062,7 @@ func TestGatewayAPITLSRouteDAGStatus(t *testing.T) { listenerAcceptedCondition(), listenerResolvedRefsCondition(), }, + AttachedRoutes: 1, }, }, }}, @@ -10112,7 +10292,7 @@ func TestGatewayAPIGRPCRouteDAGStatus(t *testing.T) { }, }, }}, - wantGatewayStatusUpdate: validGatewayStatusUpdate("http", gatewayapi_v1.HTTPProtocolType, 0), + wantGatewayStatusUpdate: validGatewayStatusUpdate("http", gatewayapi_v1.HTTPProtocolType, 1), }) run(t, "grpcroute: method match must have Service configured", testcase{ @@ -10155,7 +10335,7 @@ func TestGatewayAPIGRPCRouteDAGStatus(t *testing.T) { }, }, }}, - wantGatewayStatusUpdate: validGatewayStatusUpdate("http", gatewayapi_v1.HTTPProtocolType, 0), + wantGatewayStatusUpdate: validGatewayStatusUpdate("http", gatewayapi_v1.HTTPProtocolType, 1), }) run(t, "grpcroute: method match must have Method configured", testcase{ @@ -10198,7 +10378,7 @@ func TestGatewayAPIGRPCRouteDAGStatus(t *testing.T) { }, }, }}, - wantGatewayStatusUpdate: validGatewayStatusUpdate("http", gatewayapi_v1.HTTPProtocolType, 0), + wantGatewayStatusUpdate: validGatewayStatusUpdate("http", gatewayapi_v1.HTTPProtocolType, 1), }) run(t, "grpcroute: invalid header match type is not supported", testcase{ @@ -10253,7 +10433,7 @@ func TestGatewayAPIGRPCRouteDAGStatus(t *testing.T) { }, }, }}, - wantGatewayStatusUpdate: validGatewayStatusUpdate("http", gatewayapi_v1.HTTPProtocolType, 0), + wantGatewayStatusUpdate: validGatewayStatusUpdate("http", gatewayapi_v1.HTTPProtocolType, 1), }) run(t, "grpcroute: regular expression header match has invalid value", testcase{ @@ -10308,7 +10488,7 @@ func TestGatewayAPIGRPCRouteDAGStatus(t *testing.T) { }, }, }}, - wantGatewayStatusUpdate: validGatewayStatusUpdate("http", gatewayapi_v1.HTTPProtocolType, 0), + wantGatewayStatusUpdate: validGatewayStatusUpdate("http", gatewayapi_v1.HTTPProtocolType, 1), }) run(t, "grpcroute: invalid RequestHeaderModifier due to duplicated headers", testcase{ @@ -10596,7 +10776,7 @@ func TestGatewayAPIGRPCRouteDAGStatus(t *testing.T) { }, }, }}, - wantGatewayStatusUpdate: validGatewayStatusUpdate("http", gatewayapi_v1.HTTPProtocolType, 0), + wantGatewayStatusUpdate: validGatewayStatusUpdate("http", gatewayapi_v1.HTTPProtocolType, 1), }) run(t, "grpcroute: still validate backendrefs when not accepted", testcase{ @@ -10995,7 +11175,7 @@ func TestGatewayAPITCPRouteDAGStatus(t *testing.T) { }, }, }}, - wantGatewayStatusUpdate: validGatewayStatusUpdate("tcp", gatewayapi_v1.TCPProtocolType, 0), + wantGatewayStatusUpdate: validGatewayStatusUpdate("tcp", gatewayapi_v1.TCPProtocolType, 1), }) run(t, "TCPRoute with rule with no backends", testcase{ objs: []any{ @@ -11026,7 +11206,7 @@ func TestGatewayAPITCPRouteDAGStatus(t *testing.T) { }, }, }}, - wantGatewayStatusUpdate: validGatewayStatusUpdate("tcp", gatewayapi_v1.TCPProtocolType, 0), + wantGatewayStatusUpdate: validGatewayStatusUpdate("tcp", gatewayapi_v1.TCPProtocolType, 1), }) run(t, "TCPRoute with rule with ref to nonexistent backend", testcase{ objs: []any{ @@ -11059,7 +11239,7 @@ func TestGatewayAPITCPRouteDAGStatus(t *testing.T) { }, }, }}, - wantGatewayStatusUpdate: validGatewayStatusUpdate("tcp", gatewayapi_v1.TCPProtocolType, 0), + wantGatewayStatusUpdate: validGatewayStatusUpdate("tcp", gatewayapi_v1.TCPProtocolType, 1), }) } @@ -11089,6 +11269,14 @@ func routeAcceptedHTTPRouteCondition() metav1.Condition { Message: "Accepted HTTPRoute", } } +func routeAcceptedFalse(reason gatewayapi_v1.RouteConditionReason, message string) metav1.Condition { + return metav1.Condition{ + Type: string(gatewayapi_v1.RouteConditionAccepted), + Status: contour_api_v1.ConditionFalse, + Reason: string(reason), + Message: message, + } +} func routeAcceptedGRPCRouteCondition() metav1.Condition { return metav1.Condition{ diff --git a/internal/debug/mocks/dag_builder.go b/internal/debug/mocks/dag_builder.go index 7b876bee396..7255b3f5802 100644 --- a/internal/debug/mocks/dag_builder.go +++ b/internal/debug/mocks/dag_builder.go @@ -17,6 +17,10 @@ type DagBuilder struct { func (_m *DagBuilder) Build() *dag.DAG { ret := _m.Called() + if len(ret) == 0 { + panic("no return value specified for Build") + } + var r0 *dag.DAG if rf, ok := ret.Get(0).(func() *dag.DAG); ok { r0 = rf() diff --git a/internal/envoy/v3/auth.go b/internal/envoy/v3/auth.go index c2af6d1db20..411e9060462 100644 --- a/internal/envoy/v3/auth.go +++ b/internal/envoy/v3/auth.go @@ -25,7 +25,7 @@ import ( // UpstreamTLSContext creates an envoy_v3_tls.UpstreamTlsContext. By default // UpstreamTLSContext returns a HTTP/1.1 TLS enabled context. A list of // additional ALPN protocols can be provided. -func UpstreamTLSContext(peerValidationContext *dag.PeerValidationContext, sni string, clientSecret *dag.Secret, alpnProtocols ...string) *envoy_v3_tls.UpstreamTlsContext { +func UpstreamTLSContext(peerValidationContext *dag.PeerValidationContext, sni string, clientSecret *dag.Secret, upstreamTLS *dag.UpstreamTLS, alpnProtocols ...string) *envoy_v3_tls.UpstreamTlsContext { var clientSecretConfigs []*envoy_v3_tls.SdsSecretConfig if clientSecret != nil { clientSecretConfigs = []*envoy_v3_tls.SdsSecretConfig{{ @@ -42,6 +42,14 @@ func UpstreamTLSContext(peerValidationContext *dag.PeerValidationContext, sni st Sni: sni, } + if upstreamTLS != nil { + context.CommonTlsContext.TlsParams = &envoy_v3_tls.TlsParameters{ + TlsMinimumProtocolVersion: ParseTLSVersion(upstreamTLS.MinimumProtocolVersion), + TlsMaximumProtocolVersion: ParseTLSVersion(upstreamTLS.MaximumProtocolVersion), + CipherSuites: upstreamTLS.CipherSuites, + } + } + if peerValidationContext.GetCACertificate() != nil && len(peerValidationContext.GetSubjectName()) > 0 { // We have to explicitly assign the value from validationContext // to context.CommonTlsContext.ValidationContextType because the diff --git a/internal/envoy/v3/auth_test.go b/internal/envoy/v3/auth_test.go index 96df9c2a919..43987273b44 100644 --- a/internal/envoy/v3/auth_test.go +++ b/internal/envoy/v3/auth_test.go @@ -41,9 +41,10 @@ func TestUpstreamTLSContext(t *testing.T) { validation *dag.PeerValidationContext alpnProtocols []string externalName string + upstreamTLS *dag.UpstreamTLS want *envoy_v3_tls.UpstreamTlsContext }{ - "no alpn, no validation": { + "no alpn, no validation, no upstreamTLS": { want: &envoy_v3_tls.UpstreamTlsContext{ CommonTlsContext: &envoy_v3_tls.CommonTlsContext{}, }, @@ -108,11 +109,25 @@ func TestUpstreamTLSContext(t *testing.T) { Sni: "projectcontour.local", }, }, + "use TLS 1.3": { + upstreamTLS: &dag.UpstreamTLS{ + MinimumProtocolVersion: "1.3", + MaximumProtocolVersion: "1.3", + }, + want: &envoy_v3_tls.UpstreamTlsContext{ + CommonTlsContext: &envoy_v3_tls.CommonTlsContext{ + TlsParams: &envoy_v3_tls.TlsParameters{ + TlsMinimumProtocolVersion: ParseTLSVersion("1.3"), + TlsMaximumProtocolVersion: ParseTLSVersion("1.3"), + }, + }, + }, + }, } for name, tc := range tests { t.Run(name, func(t *testing.T) { - got := UpstreamTLSContext(tc.validation, tc.externalName, nil, tc.alpnProtocols...) + got := UpstreamTLSContext(tc.validation, tc.externalName, nil, tc.upstreamTLS, tc.alpnProtocols...) protobuf.ExpectEqual(t, tc.want, got) }) } diff --git a/internal/envoy/v3/cluster.go b/internal/envoy/v3/cluster.go index e39beedadee..90e281e6446 100644 --- a/internal/envoy/v3/cluster.go +++ b/internal/envoy/v3/cluster.go @@ -97,6 +97,7 @@ func Cluster(c *dag.Cluster) *envoy_cluster_v3.Cluster { c.UpstreamValidation, c.SNI, c.ClientCertificate, + c.UpstreamTLS, ), ) case "h2": @@ -106,6 +107,7 @@ func Cluster(c *dag.Cluster) *envoy_cluster_v3.Cluster { c.UpstreamValidation, c.SNI, c.ClientCertificate, + c.UpstreamTLS, "h2", ), ) @@ -177,6 +179,7 @@ func ExtensionCluster(ext *dag.ExtensionCluster) *envoy_cluster_v3.Cluster { ext.UpstreamValidation, ext.SNI, ext.ClientCertificate, + ext.UpstreamTLS, "h2", ), ) @@ -207,7 +210,7 @@ func DNSNameCluster(c *dag.DNSNameCluster) *envoy_cluster_v3.Cluster { var transportSocket *envoy_core_v3.TransportSocket if c.Scheme == "https" { - transportSocket = UpstreamTLSTransportSocket(UpstreamTLSContext(c.UpstreamValidation, c.Address, nil)) + transportSocket = UpstreamTLSTransportSocket(UpstreamTLSContext(c.UpstreamValidation, c.Address, nil, c.UpstreamTLS)) } cluster.LoadAssignment = ClusterLoadAssignment(envoy.DNSNameClusterName(c), SocketAddress(c.Address, c.Port)) diff --git a/internal/envoy/v3/cluster_test.go b/internal/envoy/v3/cluster_test.go index 42ebd5b108e..92d2593bdc8 100644 --- a/internal/envoy/v3/cluster_test.go +++ b/internal/envoy/v3/cluster_test.go @@ -170,7 +170,7 @@ func TestCluster(t *testing.T) { ServiceName: "default/kuard/http", }, TransportSocket: UpstreamTLSTransportSocket( - UpstreamTLSContext(nil, "", nil, "h2"), + UpstreamTLSContext(nil, "", nil, nil, "h2"), ), TypedExtensionProtocolOptions: map[string]*anypb.Any{ "envoy.extensions.upstreams.http.v3.HttpProtocolOptions": protobuf.MustMarshalAny( @@ -274,7 +274,7 @@ func TestCluster(t *testing.T) { ServiceName: "default/kuard/http", }, TransportSocket: UpstreamTLSTransportSocket( - UpstreamTLSContext(nil, "", nil), + UpstreamTLSContext(nil, "", nil, nil), ), }, }, @@ -290,7 +290,7 @@ func TestCluster(t *testing.T) { ClusterDiscoveryType: ClusterDiscoveryType(envoy_cluster_v3.Cluster_STRICT_DNS), LoadAssignment: ExternalNameClusterLoadAssignment(service(svcExternal, "tls")), TransportSocket: UpstreamTLSTransportSocket( - UpstreamTLSContext(nil, "projectcontour.local", nil), + UpstreamTLSContext(nil, "projectcontour.local", nil, nil), ), }, }, @@ -318,10 +318,48 @@ func TestCluster(t *testing.T) { SubjectName: "foo.bar.io", }, "", + nil, nil), ), }, }, + "UpstreamTLS protocol version set": { + cluster: &dag.Cluster{ + Upstream: service(s1, "tls"), + Protocol: "tls", + UpstreamValidation: &dag.PeerValidationContext{ + CACertificate: secret, + SubjectName: "foo.bar.io", + }, + UpstreamTLS: &dag.UpstreamTLS{ + MinimumProtocolVersion: "1.3", + MaximumProtocolVersion: "1.3", + }, + }, + want: &envoy_cluster_v3.Cluster{ + Name: "default/kuard/443/62d1f9ad02", + AltStatName: "default_kuard_443", + ClusterDiscoveryType: ClusterDiscoveryType(envoy_cluster_v3.Cluster_EDS), + EdsClusterConfig: &envoy_cluster_v3.Cluster_EdsClusterConfig{ + EdsConfig: ConfigSource("contour"), + ServiceName: "default/kuard/http", + }, + TransportSocket: UpstreamTLSTransportSocket( + UpstreamTLSContext( + &dag.PeerValidationContext{ + CACertificate: secret, + SubjectName: "foo.bar.io", + }, + "", + nil, + &dag.UpstreamTLS{ + MinimumProtocolVersion: "1.3", + MaximumProtocolVersion: "1.3", + }, + ), + ), + }, + }, "projectcontour.io/max-connections": { cluster: &dag.Cluster{ Upstream: &dag.Service{ @@ -526,7 +564,7 @@ func TestCluster(t *testing.T) { ServiceName: "default/kuard/http", }, TransportSocket: UpstreamTLSTransportSocket( - UpstreamTLSContext(nil, "", clientSecret), + UpstreamTLSContext(nil, "", clientSecret, nil), ), }, }, @@ -854,7 +892,7 @@ func TestDNSNameCluster(t *testing.T) { }, }, }, - TransportSocket: UpstreamTLSTransportSocket(UpstreamTLSContext(nil, "foo.projectcontour.io", nil)), + TransportSocket: UpstreamTLSTransportSocket(UpstreamTLSContext(nil, "foo.projectcontour.io", nil, nil)), }, }, "HTTPS cluster with upstream validation": { @@ -903,7 +941,7 @@ func TestDNSNameCluster(t *testing.T) { }, }, SubjectName: "foo.projectcontour.io", - }, "foo.projectcontour.io", nil)), + }, "foo.projectcontour.io", nil, nil)), }, }, } diff --git a/internal/envoy/v3/socket_test.go b/internal/envoy/v3/socket_test.go index 8f1802617f6..7949673283d 100644 --- a/internal/envoy/v3/socket_test.go +++ b/internal/envoy/v3/socket_test.go @@ -30,11 +30,11 @@ func TestUpstreamTLSTransportSocket(t *testing.T) { want *envoy_core_v3.TransportSocket }{ "h2": { - ctxt: UpstreamTLSContext(nil, "", nil, "h2"), + ctxt: UpstreamTLSContext(nil, "", nil, nil, "h2"), want: &envoy_core_v3.TransportSocket{ Name: "envoy.transport_sockets.tls", ConfigType: &envoy_core_v3.TransportSocket_TypedConfig{ - TypedConfig: protobuf.MustMarshalAny(UpstreamTLSContext(nil, "", nil, "h2")), + TypedConfig: protobuf.MustMarshalAny(UpstreamTLSContext(nil, "", nil, nil, "h2")), }, }, }, diff --git a/internal/featuretests/v3/backendcavalidation_test.go b/internal/featuretests/v3/backendcavalidation_test.go index ccec1da2e2c..0c779ac577e 100644 --- a/internal/featuretests/v3/backendcavalidation_test.go +++ b/internal/featuretests/v3/backendcavalidation_test.go @@ -76,7 +76,7 @@ func TestClusterServiceTLSBackendCAValidation(t *testing.T) { // assert that there is a regular, non validation enabled cluster in CDS. c.Request(clusterType).Equals(&envoy_discovery_v3.DiscoveryResponse{ Resources: resources(t, - tlsCluster(cluster("default/kuard/443/4929fca9d4", "default/kuard/securebackend", "default_kuard_443"), nil, "", "", nil), + tlsCluster(cluster("default/kuard/443/4929fca9d4", "default/kuard/securebackend", "default_kuard_443"), nil, "", "", nil, nil), ), TypeUrl: clusterType, }) @@ -114,7 +114,7 @@ func TestClusterServiceTLSBackendCAValidation(t *testing.T) { // assert that the cluster now has a certificate and subject name. c.Request(clusterType).Equals(&envoy_discovery_v3.DiscoveryResponse{ Resources: resources(t, - tlsCluster(cluster("default/kuard/443/c6ccd34de5", "default/kuard/securebackend", "default_kuard_443"), []byte(featuretests.CERTIFICATE), "subjname", "", nil), + tlsCluster(cluster("default/kuard/443/c6ccd34de5", "default/kuard/securebackend", "default_kuard_443"), []byte(featuretests.CERTIFICATE), "subjname", "", nil, nil), ), TypeUrl: clusterType, }) @@ -161,7 +161,7 @@ func TestClusterServiceTLSBackendCAValidation(t *testing.T) { // assert that the cluster now has a certificate and subject name. c.Request(clusterType).Equals(&envoy_discovery_v3.DiscoveryResponse{ Resources: resources(t, - tlsCluster(cluster("default/kuard/443/c6ccd34de5", "default/kuard/securebackend", "default_kuard_443"), []byte(featuretests.CERTIFICATE), "subjname", "", nil), + tlsCluster(cluster("default/kuard/443/c6ccd34de5", "default/kuard/securebackend", "default_kuard_443"), []byte(featuretests.CERTIFICATE), "subjname", "", nil, nil), ), TypeUrl: clusterType, }) diff --git a/internal/featuretests/v3/backendclientauth_test.go b/internal/featuretests/v3/backendclientauth_test.go index d3b32cc4382..b686c676de7 100644 --- a/internal/featuretests/v3/backendclientauth_test.go +++ b/internal/featuretests/v3/backendclientauth_test.go @@ -121,7 +121,7 @@ func TestBackendClientAuthenticationWithHTTPProxy(t *testing.T) { c.Request(clusterType).Equals(&envoy_discovery_v3.DiscoveryResponse{ Resources: resources(t, - tlsCluster(cluster("default/backend/443/950c17581f", "default/backend/http", "default_backend_443"), []byte(featuretests.CERTIFICATE), "subjname", "", sec1), + tlsCluster(cluster("default/backend/443/950c17581f", "default/backend/http", "default_backend_443"), []byte(featuretests.CERTIFICATE), "subjname", "", sec1, nil), ), TypeUrl: clusterType, }) @@ -159,7 +159,7 @@ func TestBackendClientAuthenticationWithIngress(t *testing.T) { c.Request(clusterType).Equals(&envoy_discovery_v3.DiscoveryResponse{ Resources: resources(t, - tlsClusterWithoutValidation(cluster("default/backend/443/4929fca9d4", "default/backend/http", "default_backend_443"), "", sec1), + tlsClusterWithoutValidation(cluster("default/backend/443/4929fca9d4", "default/backend/http", "default_backend_443"), "", sec1, nil), ), TypeUrl: clusterType, }) @@ -214,6 +214,7 @@ func TestBackendClientAuthenticationWithExtensionService(t *testing.T) { SubjectName: "subjname"}, "subjname", &dag.Secret{Object: sec1}, + nil, "h2", ), ) diff --git a/internal/featuretests/v3/cluster_test.go b/internal/featuretests/v3/cluster_test.go index 0c9c3dd0ae5..556c2d2de3f 100644 --- a/internal/featuretests/v3/cluster_test.go +++ b/internal/featuretests/v3/cluster_test.go @@ -20,14 +20,21 @@ import ( envoy_discovery_v3 "github.com/envoyproxy/go-control-plane/envoy/service/discovery/v3" envoy_type_v3 "github.com/envoyproxy/go-control-plane/envoy/type/v3" contour_api_v1 "github.com/projectcontour/contour/apis/projectcontour/v1" + contour_api_v1alpha1 "github.com/projectcontour/contour/apis/projectcontour/v1alpha1" + "github.com/projectcontour/contour/internal/dag" envoy_v3 "github.com/projectcontour/contour/internal/envoy/v3" "github.com/projectcontour/contour/internal/featuretests" "github.com/projectcontour/contour/internal/fixture" + "github.com/projectcontour/contour/internal/gatewayapi" + "github.com/projectcontour/contour/internal/ref" + "github.com/sirupsen/logrus" "google.golang.org/protobuf/types/known/wrapperspb" v1 "k8s.io/api/core/v1" networking_v1 "k8s.io/api/networking/v1" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" "k8s.io/apimachinery/pkg/util/intstr" + gatewayapi_v1 "sigs.k8s.io/gateway-api/apis/v1" + gatewayapi_v1beta1 "sigs.k8s.io/gateway-api/apis/v1beta1" ) // projectcontour/contour#186 @@ -383,8 +390,36 @@ func TestCDSResourceFiltering(t *testing.T) { }) } -func TestClusterCircuitbreakerAnnotations(t *testing.T) { - rh, c, done := setup(t) +func circuitBreakerGlobalOpt(t *testing.T, g *contour_api_v1alpha1.GlobalCircuitBreakerDefaults) func(*dag.Builder) { + return func(b *dag.Builder) { + log := fixture.NewTestLogger(t) + log.SetLevel(logrus.DebugLevel) + + b.Processors = []dag.Processor{ + &dag.ListenerProcessor{}, + &dag.IngressProcessor{ + FieldLogger: log.WithField("context", "IngressProcessor"), + GlobalCircuitBreakerDefaults: g, + }, + &dag.HTTPProxyProcessor{ + GlobalCircuitBreakerDefaults: g, + }, + &dag.GatewayAPIProcessor{ + FieldLogger: log.WithField("context", "GatewayAPIProcessor"), + GlobalCircuitBreakerDefaults: g, + }, + } + } +} + +func TestClusterCircuitbreakerAnnotationsIngress(t *testing.T) { + g := &contour_api_v1alpha1.GlobalCircuitBreakerDefaults{ + MaxConnections: 13, + MaxPendingRequests: 14, + MaxRequests: 15, + MaxRetries: 17, + } + rh, c, done := setup(t, circuitBreakerGlobalOpt(t, g)) defer done() s1 := fixture.NewService("kuard"). @@ -454,6 +489,347 @@ func TestClusterCircuitbreakerAnnotations(t *testing.T) { CircuitBreakers: &envoy_cluster_v3.CircuitBreakers{ Thresholds: []*envoy_cluster_v3.CircuitBreakers_Thresholds{{ MaxPendingRequests: wrapperspb.UInt32(9999), + MaxConnections: wrapperspb.UInt32(13), + MaxRequests: wrapperspb.UInt32(15), + MaxRetries: wrapperspb.UInt32(17), + }}, + }, + }), + ), + TypeUrl: clusterType, + }) + + s3 := fixture.NewService("kuard"). + Annotate("projectcontour.io/max-connections", "0"). + Annotate("projectcontour.io/max-pending-requests", "0"). + Annotate("projectcontour.io/max-requests", "0"). + Annotate("projectcontour.io/max-retries", "0"). + WithPorts(v1.ServicePort{Port: 8080, TargetPort: intstr.FromString("8080")}) + + rh.OnUpdate(s2, s3) + + // check that it's been translated correctly. + c.Request(clusterType).Equals(&envoy_discovery_v3.DiscoveryResponse{ + Resources: resources(t, + DefaultCluster(&envoy_cluster_v3.Cluster{ + Name: "default/kuard/8080/da39a3ee5e", + AltStatName: "default_kuard_8080", + ClusterDiscoveryType: envoy_v3.ClusterDiscoveryType(envoy_cluster_v3.Cluster_EDS), + EdsClusterConfig: &envoy_cluster_v3.Cluster_EdsClusterConfig{ + EdsConfig: envoy_v3.ConfigSource("contour"), + ServiceName: "default/kuard", + }, + CircuitBreakers: &envoy_cluster_v3.CircuitBreakers{ + Thresholds: []*envoy_cluster_v3.CircuitBreakers_Thresholds{{ + MaxConnections: wrapperspb.UInt32(13), + MaxPendingRequests: wrapperspb.UInt32(14), + MaxRequests: wrapperspb.UInt32(15), + MaxRetries: wrapperspb.UInt32(17), + }}, + }, + }), + ), + TypeUrl: clusterType, + }) +} + +func TestClusterCircuitbreakerAnnotationsHTTPProxy(t *testing.T) { + g := &contour_api_v1alpha1.GlobalCircuitBreakerDefaults{ + MaxConnections: 13, + MaxPendingRequests: 14, + MaxRequests: 15, + MaxRetries: 17, + } + rh, c, done := setup(t, circuitBreakerGlobalOpt(t, g)) + defer done() + + s1 := fixture.NewService("kuard"). + Annotate("projectcontour.io/max-connections", "9000"). + Annotate("projectcontour.io/max-pending-requests", "4096"). + Annotate("projectcontour.io/max-requests", "404"). + Annotate("projectcontour.io/max-retries", "7"). + WithPorts(v1.ServicePort{Port: 80, TargetPort: intstr.FromString("8080")}) + + rh.OnAdd( + &contour_api_v1.HTTPProxy{ + ObjectMeta: metav1.ObjectMeta{ + Name: "simple", + Namespace: "default", + }, + Spec: contour_api_v1.HTTPProxySpec{ + VirtualHost: &contour_api_v1.VirtualHost{Fqdn: "www.example.com"}, + Routes: []contour_api_v1.Route{ + { + Services: []contour_api_v1.Service{ + { + Name: "kuard", + Port: 80, + }, + }, + }, + }, + }, + }) + + rh.OnAdd(s1) + + // check that it's been translated correctly. + c.Request(clusterType).Equals(&envoy_discovery_v3.DiscoveryResponse{ + Resources: resources(t, + DefaultCluster(&envoy_cluster_v3.Cluster{ + Name: "default/kuard/80/da39a3ee5e", + AltStatName: "default_kuard_80", + ClusterDiscoveryType: envoy_v3.ClusterDiscoveryType(envoy_cluster_v3.Cluster_EDS), + EdsClusterConfig: &envoy_cluster_v3.Cluster_EdsClusterConfig{ + EdsConfig: envoy_v3.ConfigSource("contour"), + ServiceName: "default/kuard", + }, + CircuitBreakers: &envoy_cluster_v3.CircuitBreakers{ + Thresholds: []*envoy_cluster_v3.CircuitBreakers_Thresholds{{ + MaxConnections: wrapperspb.UInt32(9000), + MaxPendingRequests: wrapperspb.UInt32(4096), + MaxRequests: wrapperspb.UInt32(404), + MaxRetries: wrapperspb.UInt32(7), + }}, + }, + }), + ), + TypeUrl: clusterType, + }) + + // update s1 with slightly weird values + s2 := fixture.NewService("kuard"). + Annotate("projectcontour.io/max-pending-requests", "9999"). + Annotate("projectcontour.io/max-requests", "1e6"). + Annotate("projectcontour.io/max-retries", "0"). + WithPorts(v1.ServicePort{Port: 80, TargetPort: intstr.FromString("8080")}) + + rh.OnUpdate(s1, s2) + + // check that it's been translated correctly. + c.Request(clusterType).Equals(&envoy_discovery_v3.DiscoveryResponse{ + Resources: resources(t, + DefaultCluster(&envoy_cluster_v3.Cluster{ + Name: "default/kuard/80/da39a3ee5e", + AltStatName: "default_kuard_80", + ClusterDiscoveryType: envoy_v3.ClusterDiscoveryType(envoy_cluster_v3.Cluster_EDS), + EdsClusterConfig: &envoy_cluster_v3.Cluster_EdsClusterConfig{ + EdsConfig: envoy_v3.ConfigSource("contour"), + ServiceName: "default/kuard", + }, + CircuitBreakers: &envoy_cluster_v3.CircuitBreakers{ + Thresholds: []*envoy_cluster_v3.CircuitBreakers_Thresholds{{ + MaxPendingRequests: wrapperspb.UInt32(9999), + MaxConnections: wrapperspb.UInt32(13), + MaxRequests: wrapperspb.UInt32(15), + MaxRetries: wrapperspb.UInt32(17), + }}, + }, + }), + ), + TypeUrl: clusterType, + }) + + s3 := fixture.NewService("kuard"). + Annotate("projectcontour.io/max-connections", "0"). + Annotate("projectcontour.io/max-pending-requests", "0"). + Annotate("projectcontour.io/max-requests", "0"). + Annotate("projectcontour.io/max-retries", "0"). + WithPorts(v1.ServicePort{Port: 80, TargetPort: intstr.FromString("8080")}) + + rh.OnUpdate(s2, s3) + + // check that it's been translated correctly. + c.Request(clusterType).Equals(&envoy_discovery_v3.DiscoveryResponse{ + Resources: resources(t, + DefaultCluster(&envoy_cluster_v3.Cluster{ + Name: "default/kuard/80/da39a3ee5e", + AltStatName: "default_kuard_80", + ClusterDiscoveryType: envoy_v3.ClusterDiscoveryType(envoy_cluster_v3.Cluster_EDS), + EdsClusterConfig: &envoy_cluster_v3.Cluster_EdsClusterConfig{ + EdsConfig: envoy_v3.ConfigSource("contour"), + ServiceName: "default/kuard", + }, + CircuitBreakers: &envoy_cluster_v3.CircuitBreakers{ + Thresholds: []*envoy_cluster_v3.CircuitBreakers_Thresholds{{ + MaxConnections: wrapperspb.UInt32(13), + MaxPendingRequests: wrapperspb.UInt32(14), + MaxRequests: wrapperspb.UInt32(15), + MaxRetries: wrapperspb.UInt32(17), + }}, + }, + }), + ), + TypeUrl: clusterType, + }) +} + +func TestClusterCircuitbreakerAnnotationsGateway(t *testing.T) { + g := &contour_api_v1alpha1.GlobalCircuitBreakerDefaults{ + MaxConnections: 13, + MaxPendingRequests: 14, + MaxRequests: 15, + MaxRetries: 17, + } + rh, c, done := setup(t, circuitBreakerGlobalOpt(t, g)) + defer done() + + s1 := fixture.NewService("kuard"). + Annotate("projectcontour.io/max-connections", "9000"). + Annotate("projectcontour.io/max-pending-requests", "4096"). + Annotate("projectcontour.io/max-requests", "404"). + Annotate("projectcontour.io/max-retries", "7"). + WithPorts(v1.ServicePort{Port: 80, TargetPort: intstr.FromString("8080")}) + + gc := &gatewayapi_v1beta1.GatewayClass{ + ObjectMeta: metav1.ObjectMeta{ + Name: "contour", + }, + Spec: gatewayapi_v1beta1.GatewayClassSpec{ + ControllerName: "projectcontour.io/contour", + }, + Status: gatewayapi_v1beta1.GatewayClassStatus{ + Conditions: []metav1.Condition{ + { + Type: string(gatewayapi_v1.GatewayClassConditionStatusAccepted), + Status: metav1.ConditionTrue, + }, + }, + }, + } + + gt := &gatewayapi_v1beta1.Gateway{ + ObjectMeta: metav1.ObjectMeta{ + Name: "contour", + Namespace: "projectcontour", + }, + Spec: gatewayapi_v1beta1.GatewaySpec{ + GatewayClassName: gatewayapi_v1beta1.ObjectName(gc.Name), + Listeners: []gatewayapi_v1beta1.Listener{ + { + Name: "http", + Port: 80, + Protocol: gatewayapi_v1.HTTPProtocolType, + AllowedRoutes: &gatewayapi_v1beta1.AllowedRoutes{ + Namespaces: &gatewayapi_v1beta1.RouteNamespaces{ + From: ref.To(gatewayapi_v1.NamespacesFromAll), + }, + }, + }, + }, + }, + } + rh.OnAdd(gc) + rh.OnAdd(gt) + + rh.OnAdd(&gatewayapi_v1beta1.HTTPRoute{ + ObjectMeta: metav1.ObjectMeta{ + Name: "basic", + Namespace: "default", + }, + Spec: gatewayapi_v1beta1.HTTPRouteSpec{ + CommonRouteSpec: gatewayapi_v1beta1.CommonRouteSpec{ + ParentRefs: []gatewayapi_v1beta1.ParentReference{ + gatewayapi.GatewayParentRef("projectcontour", "contour"), + }, + }, + Hostnames: []gatewayapi_v1beta1.Hostname{ + "test.projectcontour.io", + }, + Rules: []gatewayapi_v1beta1.HTTPRouteRule{ + { + Matches: gatewayapi.HTTPRouteMatch(gatewayapi_v1.PathMatchPathPrefix, "/"), + BackendRefs: gatewayapi.HTTPBackendRef("kuard", 80, 1), + }, + }, + }, + }) + + rh.OnAdd(s1) + + // check that it's been translated correctly. + c.Request(clusterType).Equals(&envoy_discovery_v3.DiscoveryResponse{ + Resources: resources(t, + DefaultCluster(&envoy_cluster_v3.Cluster{ + Name: "default/kuard/80/da39a3ee5e", + AltStatName: "default_kuard_80", + ClusterDiscoveryType: envoy_v3.ClusterDiscoveryType(envoy_cluster_v3.Cluster_EDS), + EdsClusterConfig: &envoy_cluster_v3.Cluster_EdsClusterConfig{ + EdsConfig: envoy_v3.ConfigSource("contour"), + ServiceName: "default/kuard", + }, + CircuitBreakers: &envoy_cluster_v3.CircuitBreakers{ + Thresholds: []*envoy_cluster_v3.CircuitBreakers_Thresholds{{ + MaxConnections: wrapperspb.UInt32(9000), + MaxPendingRequests: wrapperspb.UInt32(4096), + MaxRequests: wrapperspb.UInt32(404), + MaxRetries: wrapperspb.UInt32(7), + }}, + }, + }), + ), + TypeUrl: clusterType, + }) + + // update s1 with slightly weird values + s2 := fixture.NewService("kuard"). + Annotate("projectcontour.io/max-pending-requests", "9999"). + Annotate("projectcontour.io/max-requests", "1e6"). + Annotate("projectcontour.io/max-retries", "0"). + WithPorts(v1.ServicePort{Port: 80, TargetPort: intstr.FromString("8080")}) + + rh.OnUpdate(s1, s2) + + // check that it's been translated correctly. + c.Request(clusterType).Equals(&envoy_discovery_v3.DiscoveryResponse{ + Resources: resources(t, + DefaultCluster(&envoy_cluster_v3.Cluster{ + Name: "default/kuard/80/da39a3ee5e", + AltStatName: "default_kuard_80", + ClusterDiscoveryType: envoy_v3.ClusterDiscoveryType(envoy_cluster_v3.Cluster_EDS), + EdsClusterConfig: &envoy_cluster_v3.Cluster_EdsClusterConfig{ + EdsConfig: envoy_v3.ConfigSource("contour"), + ServiceName: "default/kuard", + }, + CircuitBreakers: &envoy_cluster_v3.CircuitBreakers{ + Thresholds: []*envoy_cluster_v3.CircuitBreakers_Thresholds{{ + MaxPendingRequests: wrapperspb.UInt32(9999), + MaxConnections: wrapperspb.UInt32(13), + MaxRequests: wrapperspb.UInt32(15), + MaxRetries: wrapperspb.UInt32(17), + }}, + }, + }), + ), + TypeUrl: clusterType, + }) + + s3 := fixture.NewService("kuard"). + Annotate("projectcontour.io/max-connections", "0"). + Annotate("projectcontour.io/max-pending-requests", "0"). + Annotate("projectcontour.io/max-requests", "0"). + Annotate("projectcontour.io/max-retries", "0"). + WithPorts(v1.ServicePort{Port: 80, TargetPort: intstr.FromString("8080")}) + + rh.OnUpdate(s2, s3) + + // check that it's been translated correctly. + c.Request(clusterType).Equals(&envoy_discovery_v3.DiscoveryResponse{ + Resources: resources(t, + DefaultCluster(&envoy_cluster_v3.Cluster{ + Name: "default/kuard/80/da39a3ee5e", + AltStatName: "default_kuard_80", + ClusterDiscoveryType: envoy_v3.ClusterDiscoveryType(envoy_cluster_v3.Cluster_EDS), + EdsClusterConfig: &envoy_cluster_v3.Cluster_EdsClusterConfig{ + EdsConfig: envoy_v3.ConfigSource("contour"), + ServiceName: "default/kuard", + }, + CircuitBreakers: &envoy_cluster_v3.CircuitBreakers{ + Thresholds: []*envoy_cluster_v3.CircuitBreakers_Thresholds{{ + MaxConnections: wrapperspb.UInt32(13), + MaxPendingRequests: wrapperspb.UInt32(14), + MaxRequests: wrapperspb.UInt32(15), + MaxRetries: wrapperspb.UInt32(17), }}, }, }), diff --git a/internal/featuretests/v3/envoy.go b/internal/featuretests/v3/envoy.go index 97252185bd2..cf0a0814b71 100644 --- a/internal/featuretests/v3/envoy.go +++ b/internal/featuretests/v3/envoy.go @@ -184,7 +184,7 @@ func cluster(name, servicename, statName string) *envoy_cluster_v3.Cluster { }) } -func tlsCluster(c *envoy_cluster_v3.Cluster, ca []byte, subjectName string, sni string, clientSecret *v1.Secret, alpnProtocols ...string) *envoy_cluster_v3.Cluster { +func tlsCluster(c *envoy_cluster_v3.Cluster, ca []byte, subjectName string, sni string, clientSecret *v1.Secret, upstreamTLS *dag.UpstreamTLS, alpnProtocols ...string) *envoy_cluster_v3.Cluster { var secret *dag.Secret if clientSecret != nil { secret = &dag.Secret{Object: clientSecret} @@ -204,13 +204,14 @@ func tlsCluster(c *envoy_cluster_v3.Cluster, ca []byte, subjectName string, sni SubjectName: subjectName}, sni, secret, + upstreamTLS, alpnProtocols..., ), ) return c } -func tlsClusterWithoutValidation(c *envoy_cluster_v3.Cluster, sni string, clientSecret *v1.Secret, alpnProtocols ...string) *envoy_cluster_v3.Cluster { +func tlsClusterWithoutValidation(c *envoy_cluster_v3.Cluster, sni string, clientSecret *v1.Secret, upstreamTLS *dag.UpstreamTLS, alpnProtocols ...string) *envoy_cluster_v3.Cluster { var secret *dag.Secret if clientSecret != nil { secret = &dag.Secret{Object: clientSecret} @@ -221,6 +222,7 @@ func tlsClusterWithoutValidation(c *envoy_cluster_v3.Cluster, sni string, client nil, sni, secret, + upstreamTLS, alpnProtocols..., ), ) diff --git a/internal/featuretests/v3/externalname_test.go b/internal/featuretests/v3/externalname_test.go index 1d3b1c2b872..917a1753cb1 100644 --- a/internal/featuretests/v3/externalname_test.go +++ b/internal/featuretests/v3/externalname_test.go @@ -219,7 +219,7 @@ func TestExternalNameService(t *testing.T) { }, &envoy_cluster_v3.Cluster{ TransportSocket: envoy_v3.UpstreamTLSTransportSocket( - envoy_v3.UpstreamTLSContext(nil, "external.address", nil, "h2"), + envoy_v3.UpstreamTLSContext(nil, "external.address", nil, nil, "h2"), ), }, ), @@ -271,7 +271,7 @@ func TestExternalNameService(t *testing.T) { externalNameCluster("default/kuard/80/f9439c1de8", "default/kuard", "default_kuard_80", "foo.io", 80), &envoy_cluster_v3.Cluster{ TransportSocket: envoy_v3.UpstreamTLSTransportSocket( - envoy_v3.UpstreamTLSContext(nil, "external.address", nil), + envoy_v3.UpstreamTLSContext(nil, "external.address", nil, nil), ), }, ), @@ -312,7 +312,7 @@ func TestExternalNameService(t *testing.T) { externalNameCluster("default/kuard/80/7d449598f5", "default/kuard", "default_kuard_80", "foo.io", 80), &envoy_cluster_v3.Cluster{ TransportSocket: envoy_v3.UpstreamTLSTransportSocket( - envoy_v3.UpstreamTLSContext(nil, "foo.io", nil), + envoy_v3.UpstreamTLSContext(nil, "foo.io", nil, nil), ), }, ), diff --git a/internal/featuretests/v3/headerpolicy_test.go b/internal/featuretests/v3/headerpolicy_test.go index d22c5a41c6c..824b668d4b3 100644 --- a/internal/featuretests/v3/headerpolicy_test.go +++ b/internal/featuretests/v3/headerpolicy_test.go @@ -214,7 +214,7 @@ func TestHeaderPolicy_ReplaceHeader_HTTProxy(t *testing.T) { c.Request(clusterType).Equals(&envoy_discovery_v3.DiscoveryResponse{ Resources: resources(t, - tlsCluster(externalNameCluster("default/externalname/443/9ebffe8f28", "default/externalname/https", "default_externalname_443", "goodbye.planet", 443), nil, "goodbye.planet", "goodbye.planet", nil), + tlsCluster(externalNameCluster("default/externalname/443/9ebffe8f28", "default/externalname/https", "default_externalname_443", "goodbye.planet", 443), nil, "goodbye.planet", "goodbye.planet", nil, nil), ), TypeUrl: clusterType, }) @@ -334,7 +334,7 @@ func TestHeaderPolicy_ReplaceHostHeader_HTTProxy(t *testing.T) { c.Request(clusterType).Equals(&envoy_discovery_v3.DiscoveryResponse{ Resources: resources(t, - tlsCluster(externalNameCluster("default/externalname/443/9ebffe8f28", "default/externalname/https", "default_externalname_443", "goodbye.planet", 443), nil, "goodbye.planet", "goodbye.planet", nil), + tlsCluster(externalNameCluster("default/externalname/443/9ebffe8f28", "default/externalname/https", "default_externalname_443", "goodbye.planet", 443), nil, "goodbye.planet", "goodbye.planet", nil, nil), ), TypeUrl: clusterType, }) diff --git a/internal/featuretests/v3/tcpproxy_test.go b/internal/featuretests/v3/tcpproxy_test.go index 29150fe633b..8fae97bc3a2 100644 --- a/internal/featuretests/v3/tcpproxy_test.go +++ b/internal/featuretests/v3/tcpproxy_test.go @@ -374,7 +374,7 @@ func TestTCPProxyTLSBackend(t *testing.T) { svc.Namespace+"/"+svc.Name+"/443/4929fca9d4", svc.Namespace+"/"+svc.Name+"/https", svc.Namespace+"_"+svc.Name+"_443", - ), nil, "", "", nil), + ), nil, "", "", nil, nil), ), TypeUrl: clusterType, }) diff --git a/internal/featuretests/v3/upstreamprotocol_test.go b/internal/featuretests/v3/upstreamprotocol_test.go index b25ba9b90db..878b63b6e01 100644 --- a/internal/featuretests/v3/upstreamprotocol_test.go +++ b/internal/featuretests/v3/upstreamprotocol_test.go @@ -49,7 +49,7 @@ func TestUpstreamProtocolTLS(t *testing.T) { c.Request(clusterType).Equals(&envoy_discovery_v3.DiscoveryResponse{ Resources: resources(t, - tlsCluster(cluster("default/kuard/443/4929fca9d4", "default/kuard/securebackend", "default_kuard_443"), nil, "", "", nil), + tlsCluster(cluster("default/kuard/443/4929fca9d4", "default/kuard/securebackend", "default_kuard_443"), nil, "", "", nil, nil), ), TypeUrl: clusterType, }) @@ -61,7 +61,7 @@ func TestUpstreamProtocolTLS(t *testing.T) { c.Request(clusterType).Equals(&envoy_discovery_v3.DiscoveryResponse{ Resources: resources(t, - tlsCluster(cluster("default/kuard/443/4929fca9d4", "default/kuard/securebackend", "default_kuard_443"), nil, "", "", nil), + tlsCluster(cluster("default/kuard/443/4929fca9d4", "default/kuard/securebackend", "default_kuard_443"), nil, "", "", nil, nil), ), TypeUrl: clusterType, }) @@ -133,7 +133,7 @@ func TestUpstreamProtocolH2(t *testing.T) { c.Request(clusterType).Equals(&envoy_discovery_v3.DiscoveryResponse{ Resources: resources(t, - h2cCluster(tlsCluster(cluster("default/kuard/443/bf1c365741", "default/kuard/securebackend", "default_kuard_443"), nil, "", "", nil, "h2")), + h2cCluster(tlsCluster(cluster("default/kuard/443/bf1c365741", "default/kuard/securebackend", "default_kuard_443"), nil, "", "", nil, nil, "h2")), ), TypeUrl: clusterType, }) @@ -145,7 +145,7 @@ func TestUpstreamProtocolH2(t *testing.T) { c.Request(clusterType).Equals(&envoy_discovery_v3.DiscoveryResponse{ Resources: resources(t, - h2cCluster(tlsCluster(cluster("default/kuard/443/bf1c365741", "default/kuard/securebackend", "default_kuard_443"), nil, "", "", nil, "h2")), + h2cCluster(tlsCluster(cluster("default/kuard/443/bf1c365741", "default/kuard/securebackend", "default_kuard_443"), nil, "", "", nil, nil, "h2")), ), TypeUrl: clusterType, }) diff --git a/internal/featuretests/v3/upstreamtls_test.go b/internal/featuretests/v3/upstreamtls_test.go new file mode 100644 index 00000000000..e6a67d69efe --- /dev/null +++ b/internal/featuretests/v3/upstreamtls_test.go @@ -0,0 +1,233 @@ +// Copyright Project Contour Authors +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +package v3 + +import ( + "testing" + + envoy_cluster_v3 "github.com/envoyproxy/go-control-plane/envoy/config/cluster/v3" + envoy_core_v3 "github.com/envoyproxy/go-control-plane/envoy/config/core/v3" + envoy_v3_tls "github.com/envoyproxy/go-control-plane/envoy/extensions/transport_sockets/tls/v3" + envoy_discovery_v3 "github.com/envoyproxy/go-control-plane/envoy/service/discovery/v3" + matcher "github.com/envoyproxy/go-control-plane/envoy/type/matcher/v3" + contour_api_v1 "github.com/projectcontour/contour/apis/projectcontour/v1" + projcontour "github.com/projectcontour/contour/apis/projectcontour/v1" + "github.com/projectcontour/contour/apis/projectcontour/v1alpha1" + "github.com/projectcontour/contour/internal/dag" + envoy_v3 "github.com/projectcontour/contour/internal/envoy/v3" + "github.com/projectcontour/contour/internal/featuretests" + "github.com/projectcontour/contour/internal/fixture" + "github.com/projectcontour/contour/internal/ref" + corev1 "k8s.io/api/core/v1" + v1 "k8s.io/api/core/v1" + networking_v1 "k8s.io/api/networking/v1" + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + "k8s.io/apimachinery/pkg/util/intstr" +) + +func TestUpstreamTLSWithHTTPProxy(t *testing.T) { + rh, c, done := setup(t, proxyClientCertificateOpt(t), func(b *dag.Builder) { + for _, processor := range b.Processors { + if httpProxyProcessor, ok := processor.(*dag.HTTPProxyProcessor); ok { + httpProxyProcessor.UpstreamTLS = &dag.UpstreamTLS{ + MinimumProtocolVersion: "1.2", + MaximumProtocolVersion: "1.2", + } + } + } + }) + defer done() + + sec1 := clientSecret() + sec2 := caSecret() + rh.OnAdd(sec1) + rh.OnAdd(sec2) + + svc := fixture.NewService("backend"). + WithPorts(v1.ServicePort{Name: "http", Port: 443}) + rh.OnAdd(svc) + + proxy := fixture.NewProxy("authenticated").WithSpec( + projcontour.HTTPProxySpec{ + VirtualHost: &projcontour.VirtualHost{ + Fqdn: "www.example.com", + }, + Routes: []projcontour.Route{{ + Services: []projcontour.Service{{ + Name: svc.Name, + Port: 443, + Protocol: ref.To("tls"), + UpstreamValidation: &projcontour.UpstreamValidation{ + CACertificate: sec2.Name, + SubjectName: "subjname", + }, + }}, + }}, + }) + rh.OnAdd(proxy) + + c.Request(clusterType).Equals(&envoy_discovery_v3.DiscoveryResponse{ + Resources: resources(t, + tlsCluster( + cluster("default/backend/443/950c17581f", "default/backend/http", "default_backend_443"), + []byte(featuretests.CERTIFICATE), + "subjname", + "", + sec1, + &dag.UpstreamTLS{ + MinimumProtocolVersion: "1.2", + MaximumProtocolVersion: "1.2", + }), + ), + TypeUrl: clusterType, + }) + +} + +func TestUpstreamTLSWithIngress(t *testing.T) { + rh, c, done := setup(t, func(b *dag.Builder) { + for _, processor := range b.Processors { + if ingressProcessor, ok := processor.(*dag.IngressProcessor); ok { + ingressProcessor.UpstreamTLS = &dag.UpstreamTLS{ + MinimumProtocolVersion: "1.2", + MaximumProtocolVersion: "1.2", + } + } + } + }) + defer done() + + s1 := fixture.NewService("kuard"). + Annotate("projectcontour.io/upstream-protocol.tls", "securebackend"). + WithPorts(v1.ServicePort{Name: "securebackend", Port: 443, TargetPort: intstr.FromInt(8888)}) + rh.OnAdd(s1) + + i1 := &networking_v1.Ingress{ + ObjectMeta: metav1.ObjectMeta{ + Name: "kuard", + Namespace: "default", + }, + Spec: networking_v1.IngressSpec{ + DefaultBackend: featuretests.IngressBackend(s1), + }, + } + rh.OnAdd(i1) + + c.Request(clusterType).Equals(&envoy_discovery_v3.DiscoveryResponse{ + Resources: resources(t, + tlsCluster( + cluster("default/kuard/443/4929fca9d4", "default/kuard/securebackend", "default_kuard_443"), + nil, + "", + "", + nil, + &dag.UpstreamTLS{ + MinimumProtocolVersion: "1.2", + MaximumProtocolVersion: "1.2", + }, + ), + ), + TypeUrl: clusterType, + }) +} + +func TestUpstreamTLSWithExtensionService(t *testing.T) { + + rh, c, done := setup(t, func(b *dag.Builder) { + for _, processor := range b.Processors { + if extensionServiceProcessor, ok := processor.(*dag.ExtensionServiceProcessor); ok { + extensionServiceProcessor.UpstreamTLS = &dag.UpstreamTLS{ + MinimumProtocolVersion: "1.2", + MaximumProtocolVersion: "1.2", + } + } + } + }) + defer done() + + // Add common test fixtures. + + rh.OnAdd(&corev1.Secret{ + ObjectMeta: fixture.ObjectMeta("ns/cacert"), + Type: corev1.SecretTypeOpaque, + Data: map[string][]byte{ + dag.CACertificateKey: []byte(featuretests.CERTIFICATE), + }, + }) + + rh.OnAdd(fixture.NewService("ns/svc1").WithPorts(corev1.ServicePort{Port: 8081})) + + rh.OnAdd(featuretests.Endpoints("ns", "svc1", corev1.EndpointSubset{ + Addresses: featuretests.Addresses("192.168.183.20"), + Ports: featuretests.Ports(featuretests.Port("", 8081)), + })) + + ext := &v1alpha1.ExtensionService{ + ObjectMeta: fixture.ObjectMeta("ns/ext"), + Spec: v1alpha1.ExtensionServiceSpec{ + Services: []v1alpha1.ExtensionServiceTarget{ + {Name: "svc1", Port: 8081}, + }, + UpstreamValidation: &contour_api_v1.UpstreamValidation{ + CACertificate: "cacert", + SubjectName: "ext.projectcontour.io", + }, + }, + } + + rh.OnAdd(ext) + + // Enabling validation add SNI as well as CA and server altname validation. + tlsSocket := envoy_v3.UpstreamTLSTransportSocket( + &envoy_v3_tls.UpstreamTlsContext{ + Sni: "ext.projectcontour.io", + CommonTlsContext: &envoy_v3_tls.CommonTlsContext{ + TlsParams: &envoy_v3_tls.TlsParameters{ + TlsMinimumProtocolVersion: envoy_v3_tls.TlsParameters_TLSv1_2, + TlsMaximumProtocolVersion: envoy_v3_tls.TlsParameters_TLSv1_2, + }, + AlpnProtocols: []string{"h2"}, + ValidationContextType: &envoy_v3_tls.CommonTlsContext_ValidationContext{ + ValidationContext: &envoy_v3_tls.CertificateValidationContext{ + TrustedCa: &envoy_core_v3.DataSource{ + Specifier: &envoy_core_v3.DataSource_InlineBytes{ + InlineBytes: []byte(featuretests.CERTIFICATE), + }, + }, + MatchTypedSubjectAltNames: []*envoy_v3_tls.SubjectAltNameMatcher{ + { + SanType: envoy_v3_tls.SubjectAltNameMatcher_DNS, + Matcher: &matcher.StringMatcher{ + MatchPattern: &matcher.StringMatcher_Exact{ + Exact: "ext.projectcontour.io", + }, + }, + }, + }, + }, + }, + }, + }, + ) + + c.Request(clusterType).Equals(&envoy_discovery_v3.DiscoveryResponse{ + TypeUrl: clusterType, + Resources: resources(t, + DefaultCluster( + h2cCluster(cluster("extension/ns/ext", "extension/ns/ext", "extension_ns_ext")), + &envoy_cluster_v3.Cluster{TransportSocket: tlsSocket}, + ), + ), + }) +} diff --git a/internal/gatewayapi/listeners.go b/internal/gatewayapi/listeners.go index 54194264747..26077c1be9c 100644 --- a/internal/gatewayapi/listeners.go +++ b/internal/gatewayapi/listeners.go @@ -54,6 +54,15 @@ type ListenerPort struct { Protocol string } +func conflictedCondition(reason gatewayapi_v1.ListenerConditionReason, msg string) metav1.Condition { + return metav1.Condition{ + Type: string(gatewayapi_v1.ListenerConditionConflicted), + Status: metav1.ConditionTrue, + Reason: string(reason), + Message: msg, + } +} + // ValidateListeners validates protocols, ports and hostnames on a set of listeners. // It ensures that: // - protocols are supported @@ -134,44 +143,24 @@ func ValidateListeners(listeners []gatewayapi_v1beta1.Listener) ValidateListener switch { case listener.Protocol == gatewayapi_v1.HTTPProtocolType: if otherListener.Protocol != gatewayapi_v1.HTTPProtocolType { - result.InvalidListenerConditions[listener.Name] = metav1.Condition{ - Type: string(gatewayapi_v1.ListenerConditionConflicted), - Status: metav1.ConditionTrue, - Reason: string(gatewayapi_v1.ListenerReasonProtocolConflict), - Message: "All Listener protocols for a given port must be compatible", - } + result.InvalidListenerConditions[listener.Name] = conflictedCondition(gatewayapi_v1.ListenerReasonProtocolConflict, "All Listener protocols for a given port must be compatible") return true } case compatibleTLSProtocols.Has(listener.Protocol): if !compatibleTLSProtocols.Has(otherListener.Protocol) { - result.InvalidListenerConditions[listener.Name] = metav1.Condition{ - Type: string(gatewayapi_v1.ListenerConditionConflicted), - Status: metav1.ConditionTrue, - Reason: string(gatewayapi_v1.ListenerReasonProtocolConflict), - Message: "All Listener protocols for a given port must be compatible", - } + result.InvalidListenerConditions[listener.Name] = conflictedCondition(gatewayapi_v1.ListenerReasonProtocolConflict, "All Listener protocols for a given port must be compatible") return true } case listener.Protocol == gatewayapi_v1.TCPProtocolType: if otherListener.Protocol != gatewayapi_v1.TCPProtocolType { - result.InvalidListenerConditions[listener.Name] = metav1.Condition{ - Type: string(gatewayapi_v1.ListenerConditionConflicted), - Status: metav1.ConditionTrue, - Reason: string(gatewayapi_v1.ListenerReasonProtocolConflict), - Message: "All Listener protocols for a given port must be compatible", - } + result.InvalidListenerConditions[listener.Name] = conflictedCondition(gatewayapi_v1.ListenerReasonProtocolConflict, "All Listener protocols for a given port must be compatible") return true } } // Hostname conflict if ref.Val(listener.Hostname, "") == ref.Val(otherListener.Hostname, "") { - result.InvalidListenerConditions[listener.Name] = metav1.Condition{ - Type: string(gatewayapi_v1.ListenerConditionConflicted), - Status: metav1.ConditionTrue, - Reason: string(gatewayapi_v1.ListenerReasonHostnameConflict), - Message: "All Listener hostnames for a given port must be unique", - } + result.InvalidListenerConditions[listener.Name] = conflictedCondition(gatewayapi_v1.ListenerReasonHostnameConflict, "All Listener hostnames for a given port must be unique") return true } } diff --git a/internal/k8s/mocks/cache.go b/internal/k8s/mocks/cache.go index 9c77e45690e..992c31568d8 100644 --- a/internal/k8s/mocks/cache.go +++ b/internal/k8s/mocks/cache.go @@ -31,6 +31,10 @@ func (_m *Cache) Get(ctx context.Context, key types.NamespacedName, obj client.O _ca = append(_ca, _va...) ret := _m.Called(_ca...) + if len(ret) == 0 { + panic("no return value specified for Get") + } + var r0 error if rf, ok := ret.Get(0).(func(context.Context, types.NamespacedName, client.Object, ...client.GetOption) error); ok { r0 = rf(ctx, key, obj, opts...) @@ -52,6 +56,10 @@ func (_m *Cache) GetInformer(ctx context.Context, obj client.Object, opts ...cac _ca = append(_ca, _va...) ret := _m.Called(_ca...) + if len(ret) == 0 { + panic("no return value specified for GetInformer") + } + var r0 cache.Informer var r1 error if rf, ok := ret.Get(0).(func(context.Context, client.Object, ...cache.InformerGetOption) (cache.Informer, error)); ok { @@ -85,6 +93,10 @@ func (_m *Cache) GetInformerForKind(ctx context.Context, gvk schema.GroupVersion _ca = append(_ca, _va...) ret := _m.Called(_ca...) + if len(ret) == 0 { + panic("no return value specified for GetInformerForKind") + } + var r0 cache.Informer var r1 error if rf, ok := ret.Get(0).(func(context.Context, schema.GroupVersionKind, ...cache.InformerGetOption) (cache.Informer, error)); ok { @@ -111,6 +123,10 @@ func (_m *Cache) GetInformerForKind(ctx context.Context, gvk schema.GroupVersion func (_m *Cache) IndexField(ctx context.Context, obj client.Object, field string, extractValue client.IndexerFunc) error { ret := _m.Called(ctx, obj, field, extractValue) + if len(ret) == 0 { + panic("no return value specified for IndexField") + } + var r0 error if rf, ok := ret.Get(0).(func(context.Context, client.Object, string, client.IndexerFunc) error); ok { r0 = rf(ctx, obj, field, extractValue) @@ -132,6 +148,10 @@ func (_m *Cache) List(ctx context.Context, list client.ObjectList, opts ...clien _ca = append(_ca, _va...) ret := _m.Called(_ca...) + if len(ret) == 0 { + panic("no return value specified for List") + } + var r0 error if rf, ok := ret.Get(0).(func(context.Context, client.ObjectList, ...client.ListOption) error); ok { r0 = rf(ctx, list, opts...) @@ -146,6 +166,10 @@ func (_m *Cache) List(ctx context.Context, list client.ObjectList, opts ...clien func (_m *Cache) Start(ctx context.Context) error { ret := _m.Called(ctx) + if len(ret) == 0 { + panic("no return value specified for Start") + } + var r0 error if rf, ok := ret.Get(0).(func(context.Context) error); ok { r0 = rf(ctx) @@ -160,6 +184,10 @@ func (_m *Cache) Start(ctx context.Context) error { func (_m *Cache) WaitForCacheSync(ctx context.Context) bool { ret := _m.Called(ctx) + if len(ret) == 0 { + panic("no return value specified for WaitForCacheSync") + } + var r0 bool if rf, ok := ret.Get(0).(func(context.Context) bool); ok { r0 = rf(ctx) diff --git a/internal/provisioner/controller/gateway.go b/internal/provisioner/controller/gateway.go index 9787248c65b..310c73ab6a8 100644 --- a/internal/provisioner/controller/gateway.go +++ b/internal/provisioner/controller/gateway.go @@ -226,6 +226,7 @@ func (r *gatewayReconciler) Reconcile(ctx context.Context, req ctrl.Request) (ct contourModel.Spec.RuntimeSettings = gatewayClassParams.Spec.RuntimeSettings // if there is a same name pair, overwrite it + // nolint:staticcheck for k, v := range gatewayClassParams.Spec.ResourceLabels { contourModel.Spec.ResourceLabels[k] = v } @@ -369,6 +370,16 @@ func (r *gatewayReconciler) Reconcile(ctx context.Context, req ctrl.Request) (ct } } + if gateway.Spec.Infrastructure != nil { + for k, v := range gateway.Spec.Infrastructure.Labels { + contourModel.Spec.ResourceLabels[string(k)] = string(v) + } + + for k, v := range gateway.Spec.Infrastructure.Annotations { + contourModel.Spec.ResourceAnnotations[string(k)] = string(v) + } + } + if errs := r.ensureContour(ctx, contourModel, log); len(errs) > 0 { return ctrl.Result{}, fmt.Errorf("failed to ensure resources for gateway: %w", retryable.NewMaybeRetryableAggregate(errs)) } diff --git a/internal/provisioner/controller/gateway_test.go b/internal/provisioner/controller/gateway_test.go index a8ba99c9d4e..d786789e867 100644 --- a/internal/provisioner/controller/gateway_test.go +++ b/internal/provisioner/controller/gateway_test.go @@ -19,6 +19,7 @@ import ( contourv1alpha1 "github.com/projectcontour/contour/apis/projectcontour/v1alpha1" "github.com/projectcontour/contour/internal/provisioner" + "github.com/projectcontour/contour/internal/provisioner/model" "github.com/projectcontour/contour/internal/ref" "github.com/go-logr/logr" @@ -26,6 +27,7 @@ import ( "github.com/stretchr/testify/require" appsv1 "k8s.io/api/apps/v1" corev1 "k8s.io/api/core/v1" + rbacv1 "k8s.io/api/rbac/v1" "k8s.io/apimachinery/pkg/api/errors" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" "k8s.io/apimachinery/pkg/util/intstr" @@ -1266,6 +1268,136 @@ func TestGatewayReconcile(t *testing.T) { assert.True(t, errors.IsNotFound(err)) }, }, + "The Gateway's infrastructure labels and annotations are set on all resources": { + gatewayClass: reconcilableGatewayClass("gatewayclass-1", controller), + gateway: &gatewayv1beta1.Gateway{ + ObjectMeta: metav1.ObjectMeta{ + Namespace: "gateway-1", + Name: "gateway-1", + }, + Spec: gatewayv1beta1.GatewaySpec{ + GatewayClassName: gatewayv1beta1.ObjectName("gatewayclass-1"), + Infrastructure: &gatewayapi_v1.GatewayInfrastructure{ + Labels: map[gatewayapi_v1.AnnotationKey]gatewayapi_v1.AnnotationValue{ + gatewayapi_v1.AnnotationKey("projectcontour.io/label-1"): gatewayapi_v1.AnnotationValue("label-value-1"), + gatewayapi_v1.AnnotationKey("projectcontour.io/label-2"): gatewayapi_v1.AnnotationValue("label-value-2"), + }, + Annotations: map[gatewayapi_v1.AnnotationKey]gatewayapi_v1.AnnotationValue{ + gatewayapi_v1.AnnotationKey("projectcontour.io/annotation-1"): gatewayapi_v1.AnnotationValue("annotation-value-1"), + gatewayapi_v1.AnnotationKey("projectcontour.io/annotation-2"): gatewayapi_v1.AnnotationValue("annotation-value-2"), + }, + }, + }, + }, + assertions: func(t *testing.T, r *gatewayReconciler, gw *gatewayv1beta1.Gateway, reconcileErr error) { + require.NoError(t, reconcileErr) + + for _, obj := range []client.Object{ + &appsv1.Deployment{ + ObjectMeta: metav1.ObjectMeta{Namespace: "gateway-1", Name: "contour-gateway-1"}, + }, + &appsv1.DaemonSet{ + ObjectMeta: metav1.ObjectMeta{Namespace: "gateway-1", Name: "envoy-gateway-1"}, + }, + &corev1.Service{ + ObjectMeta: metav1.ObjectMeta{Namespace: "gateway-1", Name: "contour-gateway-1"}, + }, + &corev1.Service{ + ObjectMeta: metav1.ObjectMeta{Namespace: "gateway-1", Name: "envoy-gateway-1"}, + }, + &contourv1alpha1.ContourConfiguration{ + ObjectMeta: metav1.ObjectMeta{Namespace: "gateway-1", Name: "contourconfig-gateway-1"}, + }, + &corev1.Secret{ + ObjectMeta: metav1.ObjectMeta{Namespace: "gateway-1", Name: "contourcert-gateway-1"}, + }, + &corev1.Secret{ + ObjectMeta: metav1.ObjectMeta{Namespace: "gateway-1", Name: "envoycert-gateway-1"}, + }, + &corev1.ServiceAccount{ + ObjectMeta: metav1.ObjectMeta{Namespace: "gateway-1", Name: "contour-gateway-1"}, + }, + &corev1.ServiceAccount{ + ObjectMeta: metav1.ObjectMeta{Namespace: "gateway-1", Name: "envoy-gateway-1"}, + }, + &rbacv1.ClusterRole{ + ObjectMeta: metav1.ObjectMeta{Name: "contour-gateway-1-gateway-1"}, + }, + &rbacv1.ClusterRoleBinding{ + ObjectMeta: metav1.ObjectMeta{Name: "contour-gateway-1-gateway-1"}, + }, + &rbacv1.Role{ + ObjectMeta: metav1.ObjectMeta{Namespace: "gateway-1", Name: "contour-gateway-1"}, + }, + &rbacv1.RoleBinding{ + ObjectMeta: metav1.ObjectMeta{Namespace: "gateway-1", Name: "contour-rolebinding-gateway-1"}, + }, + } { + require.NoError(t, r.client.Get(context.Background(), keyFor(obj), obj)) + + for k, v := range gw.Spec.Infrastructure.Labels { + assert.Equal(t, obj.GetLabels()[string(k)], string(v)) + } + for k, v := range gw.Spec.Infrastructure.Annotations { + assert.Equal(t, obj.GetAnnotations()[string(k)], string(v)) + } + } + }, + }, + "Gateway owner labels are set on all resources": { + gatewayClass: reconcilableGatewayClass("gatewayclass-1", controller), + gateway: makeGateway(), + assertions: func(t *testing.T, r *gatewayReconciler, gw *gatewayv1beta1.Gateway, reconcileErr error) { + require.NoError(t, reconcileErr) + + for _, obj := range []client.Object{ + &appsv1.Deployment{ + ObjectMeta: metav1.ObjectMeta{Namespace: "gateway-1", Name: "contour-gateway-1"}, + }, + &appsv1.DaemonSet{ + ObjectMeta: metav1.ObjectMeta{Namespace: "gateway-1", Name: "envoy-gateway-1"}, + }, + &corev1.Service{ + ObjectMeta: metav1.ObjectMeta{Namespace: "gateway-1", Name: "contour-gateway-1"}, + }, + &corev1.Service{ + ObjectMeta: metav1.ObjectMeta{Namespace: "gateway-1", Name: "envoy-gateway-1"}, + }, + &contourv1alpha1.ContourConfiguration{ + ObjectMeta: metav1.ObjectMeta{Namespace: "gateway-1", Name: "contourconfig-gateway-1"}, + }, + &corev1.Secret{ + ObjectMeta: metav1.ObjectMeta{Namespace: "gateway-1", Name: "contourcert-gateway-1"}, + }, + &corev1.Secret{ + ObjectMeta: metav1.ObjectMeta{Namespace: "gateway-1", Name: "envoycert-gateway-1"}, + }, + &corev1.ServiceAccount{ + ObjectMeta: metav1.ObjectMeta{Namespace: "gateway-1", Name: "contour-gateway-1"}, + }, + &corev1.ServiceAccount{ + ObjectMeta: metav1.ObjectMeta{Namespace: "gateway-1", Name: "envoy-gateway-1"}, + }, + &rbacv1.ClusterRole{ + ObjectMeta: metav1.ObjectMeta{Name: "contour-gateway-1-gateway-1"}, + }, + &rbacv1.ClusterRoleBinding{ + ObjectMeta: metav1.ObjectMeta{Name: "contour-gateway-1-gateway-1"}, + }, + &rbacv1.Role{ + ObjectMeta: metav1.ObjectMeta{Namespace: "gateway-1", Name: "contour-gateway-1"}, + }, + &rbacv1.RoleBinding{ + ObjectMeta: metav1.ObjectMeta{Namespace: "gateway-1", Name: "contour-rolebinding-gateway-1"}, + }, + } { + require.NoError(t, r.client.Get(context.Background(), keyFor(obj), obj)) + + assert.Equal(t, gw.Name, obj.GetLabels()[model.ContourOwningGatewayNameLabel]) + assert.Equal(t, gw.Name, obj.GetLabels()[model.GatewayAPIOwningGatewayNameLabel]) + } + }, + }, } for name, tc := range tests { diff --git a/internal/provisioner/labels/labels.go b/internal/provisioner/labels/labels.go index 08741c24ec2..a0d863948e2 100644 --- a/internal/provisioner/labels/labels.go +++ b/internal/provisioner/labels/labels.go @@ -17,16 +17,19 @@ type LabeledObject interface { GetLabels() map[string]string } -// Exist returns true if obj contains labels m. -func Exist(obj LabeledObject, m map[string]string) bool { - labels := obj.GetLabels() - if labels == nil { +// AnyExist returns true if obj contains at least one of the provided labels. +func AnyExist(obj LabeledObject, labels map[string]string) bool { + objLabels := obj.GetLabels() + + if len(objLabels) == 0 { return false } - for key, val := range m { - if found, ok := labels[key]; !ok || found != val { - return false + + for k, v := range labels { + if val, ok := objLabels[k]; ok && val == v { + return true } } - return true + + return false } diff --git a/internal/provisioner/labels/labels_test.go b/internal/provisioner/labels/labels_test.go index c8f794b1d19..74fccc3d74b 100644 --- a/internal/provisioner/labels/labels_test.go +++ b/internal/provisioner/labels/labels_test.go @@ -17,15 +17,28 @@ import ( "testing" "github.com/projectcontour/contour/internal/provisioner/model" + "github.com/stretchr/testify/assert" ) -func TestExist(t *testing.T) { +func TestAnyExist(t *testing.T) { testCases := []struct { description string current map[string]string exist map[string]string expected bool }{ + { + description: "nil labels", + current: nil, + exist: map[string]string{"name": "foo"}, + expected: false, + }, + { + description: "empty labels", + current: map[string]string{}, + exist: map[string]string{"name": "foo"}, + expected: false, + }, { description: "one matched label", current: map[string]string{"name": "foo"}, @@ -36,7 +49,7 @@ func TestExist(t *testing.T) { description: "one of two matched labels", current: map[string]string{"name": "foo"}, exist: map[string]string{"name": "foo", "ns": "foo-ns"}, - expected: false, + expected: true, }, { description: "two matched labels", @@ -56,20 +69,14 @@ func TestExist(t *testing.T) { exist: map[string]string{"foo": "bar"}, expected: false, }, - { - description: "two unmatched labels", - current: map[string]string{"name": "bar"}, - exist: map[string]string{"name": "bar", "ns": "foo-ns"}, - expected: false, - }, } - contour := model.Contour{} for _, tc := range testCases { - contour.Labels = tc.current - result := Exist(&contour, tc.exist) - if result != tc.expected { - t.Fatalf("%q: returned %t, expected %t.", tc.description, result, tc.expected) - } + t.Run(tc.description, func(t *testing.T) { + contour := model.Contour{} + contour.Labels = tc.current + + assert.Equal(t, tc.expected, AnyExist(&contour, tc.exist)) + }) } } diff --git a/internal/provisioner/model/model.go b/internal/provisioner/model/model.go index cdb9d149297..026802104b7 100644 --- a/internal/provisioner/model/model.go +++ b/internal/provisioner/model/model.go @@ -24,9 +24,13 @@ import ( ) const ( - // OwningGatewayNameLabel is the owner reference label used for a Contour - // created by the gateway provisioner. The value should be the name of the Gateway. - OwningGatewayNameLabel = "projectcontour.io/owning-gateway-name" + // ContourOwningGatewayNameLabel is the Contour-defined owner reference label applied + // to generated resources. The value should be the name of the Gateway. + ContourOwningGatewayNameLabel = "projectcontour.io/owning-gateway-name" + + // GatewayAPIOwningGatewayNameLabel is the Gateway API-defined owner reference label applied + // to generated resources. The value should be the name of the Gateway. + GatewayAPIOwningGatewayNameLabel = "gateway.networking.k8s.io/gateway-name" ) // Default returns a default instance of a Contour @@ -71,6 +75,7 @@ func Default(namespace, name string) *Contour { }, }, ResourceLabels: map[string]string{}, + ResourceAnnotations: map[string]string{}, EnvoyPodAnnotations: map[string]string{}, ContourPodAnnotations: map[string]string{}, }, @@ -200,9 +205,12 @@ type ContourSpec struct { // when envoy be running as a `DaemonSet`,it's must be nil ContourDeploymentStrategy appsv1.DeploymentStrategy - // ResourceLabels is a set of labels to add to the provisioned Contour resource(s). + // ResourceLabels is a set of labels to add to the provisioned resources. ResourceLabels map[string]string + // ResourceAnnotations is a set of annotations to add to the provisioned resources. + ResourceAnnotations map[string]string + // EnvoyExtraVolumes holds the extra volumes to add to envoy's pod. EnvoyExtraVolumes []corev1.Volume @@ -596,18 +604,10 @@ const ( ContourAvailableConditionType = "Available" ) -// OwningSelector returns a label selector using "projectcontour.io/owning-gateway-name". -func OwningSelector(contour *Contour) *metav1.LabelSelector { - return &metav1.LabelSelector{ - MatchLabels: map[string]string{ - OwningGatewayNameLabel: contour.Name, - }, - } -} - // OwnerLabels returns owner labels for the provided contour. func OwnerLabels(contour *Contour) map[string]string { return map[string]string{ - OwningGatewayNameLabel: contour.Name, + ContourOwningGatewayNameLabel: contour.Name, + GatewayAPIOwningGatewayNameLabel: contour.Name, } } diff --git a/internal/provisioner/model/names.go b/internal/provisioner/model/names.go index 54a751d6e7c..ca3aeff89fc 100644 --- a/internal/provisioner/model/names.go +++ b/internal/provisioner/model/names.go @@ -79,10 +79,11 @@ func (c *Contour) EnvoyRBACNames() RBACNames { } } -// AppLabels returns labels for a Contour resources(Deployment/DaemonSet). -func (c *Contour) AppLabels() map[string]string { +// WorkloadLabels returns labels to apply to the Contour and Envoy +// workloads (i.e. deployment(s)/daemonset). +func (c *Contour) WorkloadLabels() map[string]string { labels := map[string]string{} - for k, v := range CommonLabels(c) { + for k, v := range c.CommonLabels() { labels[k] = v } @@ -94,8 +95,11 @@ func (c *Contour) AppLabels() map[string]string { return labels } -// CommonLabels returns labels for Contour resources. -func CommonLabels(c *Contour) map[string]string { +// CommonLabels returns labels to apply to all generated +// resources. Note that WorkloadLabels should be used in +// place of CommonLabels for the Contour and Envoy workload +// resources. +func (c *Contour) CommonLabels() map[string]string { labels := map[string]string{} // Add user-defined labels @@ -111,6 +115,18 @@ func CommonLabels(c *Contour) map[string]string { return labels } +// CommonAnnotations returns annotations to apply to all +// generated resources. +func (c *Contour) CommonAnnotations() map[string]string { + annotations := map[string]string{} + + for k, v := range c.Spec.ResourceAnnotations { + annotations[k] = v + } + + return annotations +} + // RBACNames holds a set of names of related RBAC resources. type RBACNames struct { ServiceAccount string diff --git a/internal/provisioner/objects/contourconfig/contourconfig.go b/internal/provisioner/objects/contourconfig/contourconfig.go index 8e154481aa6..a3f5318f71f 100644 --- a/internal/provisioner/objects/contourconfig/contourconfig.go +++ b/internal/provisioner/objects/contourconfig/contourconfig.go @@ -29,9 +29,10 @@ import ( func EnsureContourConfig(ctx context.Context, cli client.Client, contour *model.Contour) error { desired := &contour_api_v1alpha1.ContourConfiguration{ ObjectMeta: metav1.ObjectMeta{ - Namespace: contour.Namespace, - Name: contour.ContourConfigurationName(), - Labels: model.CommonLabels(contour), + Namespace: contour.Namespace, + Name: contour.ContourConfigurationName(), + Labels: contour.CommonLabels(), + Annotations: contour.CommonAnnotations(), }, } diff --git a/internal/provisioner/objects/contourconfig/contourconfig_test.go b/internal/provisioner/objects/contourconfig/contourconfig_test.go index 6f5487076da..d02f41940f4 100644 --- a/internal/provisioner/objects/contourconfig/contourconfig_test.go +++ b/internal/provisioner/objects/contourconfig/contourconfig_test.go @@ -241,7 +241,7 @@ func TestEnsureContourConfigDeleted(t *testing.T) { Namespace: "contour-namespace", Name: "contourconfig-contour-1", Labels: map[string]string{ - model.OwningGatewayNameLabel: "contour-1", + model.ContourOwningGatewayNameLabel: "contour-1", }, }, }, @@ -292,7 +292,7 @@ func TestEnsureContourConfigDeleted(t *testing.T) { Namespace: "contour-namespace", Name: "contourconfig-contour-1", Labels: map[string]string{ - model.OwningGatewayNameLabel: "some-other-contour", + model.ContourOwningGatewayNameLabel: "some-other-contour", }, }, }, diff --git a/internal/provisioner/objects/dataplane/dataplane.go b/internal/provisioner/objects/dataplane/dataplane.go index fb85a507445..765919aba98 100644 --- a/internal/provisioner/objects/dataplane/dataplane.go +++ b/internal/provisioner/objects/dataplane/dataplane.go @@ -341,9 +341,10 @@ func DesiredDaemonSet(contour *model.Contour, contourImage, envoyImage string) * ds := &appsv1.DaemonSet{ ObjectMeta: metav1.ObjectMeta{ - Namespace: contour.Namespace, - Name: contour.EnvoyDataPlaneName(), - Labels: contour.AppLabels(), + Namespace: contour.Namespace, + Name: contour.EnvoyDataPlaneName(), + Labels: contour.WorkloadLabels(), + Annotations: contour.CommonAnnotations(), }, Spec: appsv1.DaemonSetSpec{ RevisionHistoryLimit: ref.To(int32(10)), @@ -413,9 +414,10 @@ func desiredDeployment(contour *model.Contour, contourImage, envoyImage string) deployment := &appsv1.Deployment{ ObjectMeta: metav1.ObjectMeta{ - Namespace: contour.Namespace, - Name: contour.EnvoyDataPlaneName(), - Labels: contour.AppLabels(), + Namespace: contour.Namespace, + Name: contour.EnvoyDataPlaneName(), + Labels: contour.WorkloadLabels(), + Annotations: contour.CommonAnnotations(), }, Spec: appsv1.DeploymentSpec{ Replicas: ref.To(contour.Spec.EnvoyReplicas), @@ -486,7 +488,7 @@ func desiredDeployment(contour *model.Contour, contourImage, envoyImage string) // updateDaemonSetIfNeeded updates a DaemonSet if current does not match desired, // using contour to verify the existence of owner labels. func updateDaemonSetIfNeeded(ctx context.Context, cli client.Client, contour *model.Contour, current, desired *appsv1.DaemonSet) error { - if labels.Exist(current, model.OwnerLabels(contour)) { + if labels.AnyExist(current, model.OwnerLabels(contour)) { ds, updated := equality.DaemonsetConfigChanged(current, desired) if updated { if err := cli.Update(ctx, ds); err != nil { @@ -501,7 +503,7 @@ func updateDaemonSetIfNeeded(ctx context.Context, cli client.Client, contour *mo // updateDeploymentIfNeeded updates a Deployment if current does not match desired, // using contour to verify the existence of owner labels. func updateDeploymentIfNeeded(ctx context.Context, cli client.Client, contour *model.Contour, current, desired *appsv1.Deployment) error { - if labels.Exist(current, model.OwnerLabels(contour)) { + if labels.AnyExist(current, model.OwnerLabels(contour)) { ds, updated := equality.DeploymentConfigChanged(current, desired) if updated { if err := cli.Update(ctx, ds); err != nil { @@ -526,7 +528,7 @@ func EnvoyPodSelector(contour *model.Contour) *metav1.LabelSelector { // envoyPodLabels returns the labels for envoy's pods func envoyPodLabels(contour *model.Contour) map[string]string { labels := EnvoyPodSelector(contour).MatchLabels - for k, v := range contour.AppLabels() { + for k, v := range contour.WorkloadLabels() { labels[k] = v } return labels @@ -551,5 +553,11 @@ func envoyPodAnnotations(contour *model.Contour) map[string]string { annotations["prometheus.io/port"] = fmt.Sprint(metricsPort) annotations["prometheus.io/path"] = "/stats/prometheus" + // Annotations specified on the Gateway take precedence + // over annotations specified on the GatewayClass/its parameters. + for k, v := range contour.CommonAnnotations() { + annotations[k] = v + } + return annotations } diff --git a/internal/provisioner/objects/dataplane/dataplane_test.go b/internal/provisioner/objects/dataplane/dataplane_test.go index c6918500d5e..beb9dd8f6da 100644 --- a/internal/provisioner/objects/dataplane/dataplane_test.go +++ b/internal/provisioner/objects/dataplane/dataplane_test.go @@ -338,7 +338,7 @@ func TestDesiredDaemonSet(t *testing.T) { checkDaemonSetHasEnvVar(t, ds, EnvoyContainerName, envoyNsEnvVar) checkDaemonSetHasEnvVar(t, ds, EnvoyContainerName, envoyPodEnvVar) checkDaemonSetHasEnvVar(t, ds, envoyInitContainerName, envoyNsEnvVar) - checkDaemonSetHasLabels(t, ds, cntr.AppLabels()) + checkDaemonSetHasLabels(t, ds, cntr.WorkloadLabels()) checkContainerHasPort(t, ds, int32(cntr.Spec.RuntimeSettings.Envoy.Metrics.Port)) checkDaemonSetHasNodeSelector(t, ds, nil) diff --git a/internal/provisioner/objects/deployment/deployment.go b/internal/provisioner/objects/deployment/deployment.go index 4a1688708f9..8a14230aa04 100644 --- a/internal/provisioner/objects/deployment/deployment.go +++ b/internal/provisioner/objects/deployment/deployment.go @@ -195,9 +195,10 @@ func DesiredDeployment(contour *model.Contour, image string) *appsv1.Deployment } deploy := &appsv1.Deployment{ ObjectMeta: metav1.ObjectMeta{ - Namespace: contour.Namespace, - Name: contour.ContourDeploymentName(), - Labels: contour.AppLabels(), + Namespace: contour.Namespace, + Name: contour.ContourDeploymentName(), + Labels: contour.WorkloadLabels(), + Annotations: contour.CommonAnnotations(), }, Spec: appsv1.DeploymentSpec{ ProgressDeadlineSeconds: ref.To(int32(600)), @@ -268,7 +269,7 @@ func DesiredDeployment(contour *model.Contour, image string) *appsv1.Deployment // updateDeploymentIfNeeded updates a Deployment if current does not match desired, // using contour to verify the existence of owner labels. func updateDeploymentIfNeeded(ctx context.Context, cli client.Client, contour *model.Contour, current, desired *appsv1.Deployment) error { - if labels.Exist(current, model.OwnerLabels(contour)) { + if labels.AnyExist(current, model.OwnerLabels(contour)) { deploy, updated := equality.DeploymentConfigChanged(current, desired) if updated { if err := cli.Update(ctx, deploy); err != nil { @@ -293,7 +294,7 @@ func ContourDeploymentPodSelector(contour *model.Contour) *metav1.LabelSelector // app labels func contourPodLabels(contour *model.Contour) map[string]string { labels := ContourDeploymentPodSelector(contour).MatchLabels - for k, v := range contour.AppLabels() { + for k, v := range contour.WorkloadLabels() { labels[k] = v } return labels @@ -316,5 +317,11 @@ func contourPodAnnotations(contour *model.Contour) map[string]string { annotations["prometheus.io/scrape"] = "true" annotations["prometheus.io/port"] = fmt.Sprint(port) + // Annotations specified on the Gateway take precedence + // over annotations specified on the GatewayClass/its parameters. + for k, v := range contour.CommonAnnotations() { + annotations[k] = v + } + return annotations } diff --git a/internal/provisioner/objects/deployment/deployment_test.go b/internal/provisioner/objects/deployment/deployment_test.go index 2d5de7ad691..c53fc85a189 100644 --- a/internal/provisioner/objects/deployment/deployment_test.go +++ b/internal/provisioner/objects/deployment/deployment_test.go @@ -183,7 +183,7 @@ func TestDesiredDeployment(t *testing.T) { checkContainerHasImage(t, container, testContourImage) checkDeploymentHasEnvVar(t, deploy, contourNsEnvVar) checkDeploymentHasEnvVar(t, deploy, contourPodEnvVar) - checkDeploymentHasLabels(t, deploy, cntr.AppLabels()) + checkDeploymentHasLabels(t, deploy, cntr.WorkloadLabels()) checkPodHasAnnotations(t, &deploy.Spec.Template, contourPodAnnotations(cntr)) for _, port := range cntr.Spec.NetworkPublishing.Envoy.Ports { diff --git a/internal/provisioner/objects/object.go b/internal/provisioner/objects/object.go index bce42f4e4c6..4a963983517 100644 --- a/internal/provisioner/objects/object.go +++ b/internal/provisioner/objects/object.go @@ -98,7 +98,7 @@ func EnsureObjectDeleted[T client.Object](ctx context.Context, cli client.Client return err } - if !labels.Exist(obj, model.OwnerLabels(contour)) { + if !labels.AnyExist(obj, model.OwnerLabels(contour)) { return nil } diff --git a/internal/provisioner/objects/rbac/clusterrole/cluster_role.go b/internal/provisioner/objects/rbac/clusterrole/cluster_role.go index 4641a2af794..b610bc7e687 100644 --- a/internal/provisioner/objects/rbac/clusterrole/cluster_role.go +++ b/internal/provisioner/objects/rbac/clusterrole/cluster_role.go @@ -69,8 +69,9 @@ func desiredClusterRole(name string, contour *model.Contour) *rbacv1.ClusterRole Kind: "Role", }, ObjectMeta: metav1.ObjectMeta{ - Name: name, - Labels: model.CommonLabels(contour), + Name: name, + Labels: contour.CommonLabels(), + Annotations: contour.CommonAnnotations(), }, Rules: []rbacv1.PolicyRule{ // Core Contour-watched resources. @@ -98,7 +99,7 @@ func desiredClusterRole(name string, contour *model.Contour) *rbacv1.ClusterRole // updateClusterRoleIfNeeded updates a ClusterRole resource if current does not match desired, // using contour to verify the existence of owner labels. func updateClusterRoleIfNeeded(ctx context.Context, cli client.Client, contour *model.Contour, current, desired *rbacv1.ClusterRole) error { - if labels.Exist(current, model.OwnerLabels(contour)) { + if labels.AnyExist(current, model.OwnerLabels(contour)) { cr, updated := equality.ClusterRoleConfigChanged(current, desired) if updated { if err := cli.Update(ctx, cr); err != nil { diff --git a/internal/provisioner/objects/rbac/clusterrole/cluster_role_test.go b/internal/provisioner/objects/rbac/clusterrole/cluster_role_test.go index 89ebbd833a4..2f6a961d32f 100644 --- a/internal/provisioner/objects/rbac/clusterrole/cluster_role_test.go +++ b/internal/provisioner/objects/rbac/clusterrole/cluster_role_test.go @@ -49,7 +49,8 @@ func TestDesiredClusterRole(t *testing.T) { cr := desiredClusterRole(name, cntr) checkClusterRoleName(t, cr, name) ownerLabels := map[string]string{ - model.OwningGatewayNameLabel: cntr.Name, + model.ContourOwningGatewayNameLabel: cntr.Name, + model.GatewayAPIOwningGatewayNameLabel: cntr.Name, } checkClusterRoleLabels(t, cr, ownerLabels) } diff --git a/internal/provisioner/objects/rbac/clusterrolebinding/cluster_role_binding.go b/internal/provisioner/objects/rbac/clusterrolebinding/cluster_role_binding.go index 7af3ed19d45..a9991a5b3cc 100644 --- a/internal/provisioner/objects/rbac/clusterrolebinding/cluster_role_binding.go +++ b/internal/provisioner/objects/rbac/clusterrolebinding/cluster_role_binding.go @@ -51,8 +51,9 @@ func desiredClusterRoleBinding(name, roleRef, svcAcctRef string, contour *model. Kind: "RoleBinding", }, ObjectMeta: metav1.ObjectMeta{ - Name: name, - Labels: model.CommonLabels(contour), + Name: name, + Labels: contour.CommonLabels(), + Annotations: contour.CommonAnnotations(), }, } crb.Subjects = []rbacv1.Subject{ @@ -74,7 +75,7 @@ func desiredClusterRoleBinding(name, roleRef, svcAcctRef string, contour *model. // updateClusterRoleBindingIfNeeded updates a ClusterRoleBinding resource if current // does not match desired, using contour to verify the existence of owner labels. func updateClusterRoleBindingIfNeeded(ctx context.Context, cli client.Client, contour *model.Contour, current, desired *rbacv1.ClusterRoleBinding) error { - if labels.Exist(current, model.OwnerLabels(contour)) { + if labels.AnyExist(current, model.OwnerLabels(contour)) { crb, updated := equality.ClusterRoleBindingConfigChanged(current, desired) if updated { if err := cli.Update(ctx, crb); err != nil { diff --git a/internal/provisioner/objects/rbac/clusterrolebinding/cluster_role_binding_test.go b/internal/provisioner/objects/rbac/clusterrolebinding/cluster_role_binding_test.go index f8f81f1846b..822c59bf069 100644 --- a/internal/provisioner/objects/rbac/clusterrolebinding/cluster_role_binding_test.go +++ b/internal/provisioner/objects/rbac/clusterrolebinding/cluster_role_binding_test.go @@ -71,7 +71,8 @@ func TestDesiredClusterRoleBinding(t *testing.T) { crb := desiredClusterRoleBinding(name, testRoleRef, testSvcAcct, cntr) checkClusterRoleBindingName(t, crb, name) ownerLabels := map[string]string{ - model.OwningGatewayNameLabel: cntr.Name, + model.ContourOwningGatewayNameLabel: cntr.Name, + model.GatewayAPIOwningGatewayNameLabel: cntr.Name, } checkClusterRoleBindingLabels(t, crb, ownerLabels) checkClusterRoleBindingSvcAcct(t, crb, testSvcAcct, cntr.Namespace) diff --git a/internal/provisioner/objects/rbac/role/role.go b/internal/provisioner/objects/rbac/role/role.go index 00b85eddeb4..d326348036c 100644 --- a/internal/provisioner/objects/rbac/role/role.go +++ b/internal/provisioner/objects/rbac/role/role.go @@ -50,9 +50,10 @@ func desiredControllerRole(name string, contour *model.Contour) *rbacv1.Role { Kind: "Role", }, ObjectMeta: metav1.ObjectMeta{ - Namespace: contour.Namespace, - Name: name, - Labels: model.CommonLabels(contour), + Namespace: contour.Namespace, + Name: name, + Labels: contour.CommonLabels(), + Annotations: contour.CommonAnnotations(), }, } verbCGU := []string{"create", "get", "update"} @@ -74,7 +75,7 @@ func desiredControllerRole(name string, contour *model.Contour) *rbacv1.Role { // updateRoleIfNeeded updates a Role resource if current does not match desired, // using contour to verify the existence of owner labels. func updateRoleIfNeeded(ctx context.Context, cli client.Client, contour *model.Contour, current, desired *rbacv1.Role) (*rbacv1.Role, error) { - if labels.Exist(current, model.OwnerLabels(contour)) { + if labels.AnyExist(current, model.OwnerLabels(contour)) { role, updated := equality.RoleConfigChanged(current, desired) if updated { if err := cli.Update(ctx, role); err != nil { diff --git a/internal/provisioner/objects/rbac/role/role_test.go b/internal/provisioner/objects/rbac/role/role_test.go index 15613223088..4412708bbcc 100644 --- a/internal/provisioner/objects/rbac/role/role_test.go +++ b/internal/provisioner/objects/rbac/role/role_test.go @@ -49,7 +49,8 @@ func TestDesiredControllerRole(t *testing.T) { role := desiredControllerRole(name, cntr) checkRoleName(t, role, name) ownerLabels := map[string]string{ - model.OwningGatewayNameLabel: cntr.Name, + model.ContourOwningGatewayNameLabel: cntr.Name, + model.GatewayAPIOwningGatewayNameLabel: cntr.Name, } checkRoleLabels(t, role, ownerLabels) } diff --git a/internal/provisioner/objects/rbac/rolebinding/role_binding.go b/internal/provisioner/objects/rbac/rolebinding/role_binding.go index 0bf9701a0e6..19315dac051 100644 --- a/internal/provisioner/objects/rbac/rolebinding/role_binding.go +++ b/internal/provisioner/objects/rbac/rolebinding/role_binding.go @@ -52,9 +52,10 @@ func desiredRoleBinding(name, svcAcctRef, roleRef string, contour *model.Contour Kind: "RoleBinding", }, ObjectMeta: metav1.ObjectMeta{ - Namespace: contour.Namespace, - Name: name, - Labels: model.CommonLabels(contour), + Namespace: contour.Namespace, + Name: name, + Labels: contour.CommonLabels(), + Annotations: contour.CommonAnnotations(), }, } rb.Subjects = []rbacv1.Subject{{ @@ -75,7 +76,7 @@ func desiredRoleBinding(name, svcAcctRef, roleRef string, contour *model.Contour // updateRoleBindingIfNeeded updates a RoleBinding resource if current does // not match desired. func updateRoleBindingIfNeeded(ctx context.Context, cli client.Client, contour *model.Contour, current, desired *rbacv1.RoleBinding) error { - if labels.Exist(current, model.OwnerLabels(contour)) { + if labels.AnyExist(current, model.OwnerLabels(contour)) { rb, updated := equality.RoleBindingConfigChanged(current, desired) if updated { if err := cli.Update(ctx, rb); err != nil { diff --git a/internal/provisioner/objects/rbac/rolebinding/role_binding_test.go b/internal/provisioner/objects/rbac/rolebinding/role_binding_test.go index f7c8135ce76..557c94eb36b 100644 --- a/internal/provisioner/objects/rbac/rolebinding/role_binding_test.go +++ b/internal/provisioner/objects/rbac/rolebinding/role_binding_test.go @@ -72,7 +72,8 @@ func TestDesiredRoleBinding(t *testing.T) { rb := desiredRoleBinding(rbName, svcAcct, roleRef, cntr) checkRoleBindingName(t, rb, rbName) ownerLabels := map[string]string{ - model.OwningGatewayNameLabel: cntr.Name, + model.ContourOwningGatewayNameLabel: cntr.Name, + model.GatewayAPIOwningGatewayNameLabel: cntr.Name, } checkRoleBindingLabels(t, rb, ownerLabels) checkRoleBindingSvcAcct(t, rb, svcAcct, cntr.Namespace) diff --git a/internal/provisioner/objects/rbac/serviceaccount/service_account.go b/internal/provisioner/objects/rbac/serviceaccount/service_account.go index 1f4e5d624fe..26ad2218053 100644 --- a/internal/provisioner/objects/rbac/serviceaccount/service_account.go +++ b/internal/provisioner/objects/rbac/serviceaccount/service_account.go @@ -49,9 +49,10 @@ func desiredServiceAccount(name string, contour *model.Contour) *corev1.ServiceA Kind: rbacv1.ServiceAccountKind, }, ObjectMeta: metav1.ObjectMeta{ - Namespace: contour.Namespace, - Name: name, - Labels: model.CommonLabels(contour), + Namespace: contour.Namespace, + Name: name, + Labels: contour.CommonLabels(), + Annotations: contour.CommonAnnotations(), }, } } @@ -59,7 +60,7 @@ func desiredServiceAccount(name string, contour *model.Contour) *corev1.ServiceA // updateSvcAcctIfNeeded updates a ServiceAccount resource if current does not match desired, // using contour to verify the existence of owner labels. func updateSvcAcctIfNeeded(ctx context.Context, cli client.Client, contour *model.Contour, current, desired *corev1.ServiceAccount) (*corev1.ServiceAccount, error) { - if labels.Exist(current, model.OwnerLabels(contour)) { + if labels.AnyExist(current, model.OwnerLabels(contour)) { sa, updated := utilequality.ServiceAccountConfigChanged(current, desired) if updated { if err := cli.Update(ctx, sa); err != nil { diff --git a/internal/provisioner/objects/secret/secret.go b/internal/provisioner/objects/secret/secret.go index 9d3bbfc2835..36fcc34ac2f 100644 --- a/internal/provisioner/objects/secret/secret.go +++ b/internal/provisioner/objects/secret/secret.go @@ -59,9 +59,9 @@ func EnsureXDSSecrets(ctx context.Context, cli client.Client, contour *model.Con for _, secret := range secrets { // Add owner & user-defined labels. if secret.Labels == nil { - secret.Labels = model.CommonLabels(contour) + secret.Labels = contour.CommonLabels() } else { - for k, v := range model.CommonLabels(contour) { + for k, v := range contour.CommonLabels() { secret.Labels[k] = v } } @@ -74,6 +74,10 @@ func EnsureXDSSecrets(ctx context.Context, cli client.Client, contour *model.Con } secret.Annotations[generatedByVersionAnnotation] = tagFromImage(image) + for k, v := range contour.CommonAnnotations() { + secret.Annotations[k] = v + } + if err := cli.Create(ctx, secret); err != nil { if !errors.IsAlreadyExists(err) { return fmt.Errorf("error creating secret: %w", err) diff --git a/internal/provisioner/objects/service/service.go b/internal/provisioner/objects/service/service.go index 78bd48becbe..f74a8273291 100644 --- a/internal/provisioner/objects/service/service.go +++ b/internal/provisioner/objects/service/service.go @@ -158,9 +158,10 @@ func DesiredContourService(contour *model.Contour) *corev1.Service { xdsPort := objects.XDSPort svc := &corev1.Service{ ObjectMeta: metav1.ObjectMeta{ - Namespace: contour.Namespace, - Name: contour.ContourServiceName(), - Labels: model.CommonLabels(contour), + Namespace: contour.Namespace, + Name: contour.ContourServiceName(), + Labels: contour.CommonLabels(), + Annotations: contour.CommonAnnotations(), }, Spec: corev1.ServiceSpec{ Ports: []corev1.ServicePort{ @@ -196,8 +197,8 @@ func DesiredEnvoyService(contour *model.Contour) *corev1.Service { ObjectMeta: metav1.ObjectMeta{ Namespace: contour.Namespace, Name: contour.EnvoyServiceName(), - Annotations: map[string]string{}, - Labels: model.CommonLabels(contour), + Labels: contour.CommonLabels(), + Annotations: contour.CommonAnnotations(), }, Spec: corev1.ServiceSpec{ Ports: ports, @@ -304,7 +305,7 @@ func DesiredEnvoyService(contour *model.Contour) *corev1.Service { // updateContourServiceIfNeeded updates a Contour Service if current does not match desired. func updateContourServiceIfNeeded(ctx context.Context, cli client.Client, contour *model.Contour, current, desired *corev1.Service) error { - if !labels.Exist(current, model.OwnerLabels(contour)) { + if !labels.AnyExist(current, model.OwnerLabels(contour)) { return nil } _, updated := equality.ClusterIPServiceChanged(current, desired) @@ -322,7 +323,7 @@ func updateContourServiceIfNeeded(ctx context.Context, cli client.Client, contou // updateEnvoyServiceIfNeeded updates an Envoy Service if current does not match desired, // using contour to verify the existence of owner labels. func updateEnvoyServiceIfNeeded(ctx context.Context, cli client.Client, contour *model.Contour, current, desired *corev1.Service) error { - if !labels.Exist(current, model.OwnerLabels(contour)) { + if !labels.AnyExist(current, model.OwnerLabels(contour)) { return nil } diff --git a/internal/xdscache/v3/endpointslicetranslator.go b/internal/xdscache/v3/endpointslicetranslator.go index 96d3886c94b..770415be436 100644 --- a/internal/xdscache/v3/endpointslicetranslator.go +++ b/internal/xdscache/v3/endpointslicetranslator.go @@ -55,23 +55,27 @@ func (c *EndpointSliceCache) RecalculateEndpoints(port, healthPort v1.ServicePor // Range over each port. We want the resultant endpoints to be a // a cartesian product MxN where M are the endpoints and N are the ports. - for _, p := range endpointSlice.Ports { + for _, endpointPort := range endpointSlice.Ports { // Nil check for the port. - if p.Port == nil { + if endpointPort.Port == nil { continue } - if p.Protocol == nil || (healthPort.Protocol != *p.Protocol || port.Protocol != *p.Protocol) && *p.Protocol != v1.ProtocolTCP { + if endpointPort.Protocol == nil { + continue + } + + if *endpointPort.Protocol != v1.ProtocolTCP { continue } // Set healthCheckPort only when port and healthPort are different. - if p.Name != nil && (healthPort.Name != "" && healthPort.Name == *p.Name && port.Name != healthPort.Name) { - healthCheckPort = *p.Port + if endpointPort.Name != nil && (healthPort.Name != "" && healthPort.Name == *endpointPort.Name && port.Name != healthPort.Name) { + healthCheckPort = *endpointPort.Port } // Match by port name. - if port.Name != "" && p.Name != nil && port.Name != *p.Name { + if port.Name != "" && endpointPort.Name != nil && port.Name != *endpointPort.Name { continue } @@ -84,14 +88,14 @@ func (c *EndpointSliceCache) RecalculateEndpoints(port, healthPort v1.ServicePor // address but no more than 100. These are all assumed to be fungible // and clients may choose to only use the first element. // Refer to: https://issue.k8s.io/106267 - addr := envoy_v3.SocketAddress(endpoint.Addresses[0], int(*p.Port)) + addr := envoy_v3.SocketAddress(endpoint.Addresses[0], int(*endpointPort.Port)) // as per note on https://kubernetes.io/docs/concepts/services-networking/endpoint-slices/ // Clients of the EndpointSlice API must iterate through all the existing EndpointSlices associated to // a Service and build a complete list of unique network endpoints. It is important to mention that // endpoints may be duplicated in different EndpointSlices. // Hence, we need to ensure that the endpoints we add to []*LoadBalancingEndpoint aren't duplicated. - endpointKey := fmt.Sprintf("%s:%d", endpoint.Addresses[0], *p.Port) + endpointKey := fmt.Sprintf("%s:%d", endpoint.Addresses[0], *endpointPort.Port) if _, exists := uniqueEndpoints[endpointKey]; !exists { lb = append(lb, envoy_v3.LBEndpoint(addr)) uniqueEndpoints[endpointKey] = struct{}{} diff --git a/internal/xdscache/v3/endpointstranslator.go b/internal/xdscache/v3/endpointstranslator.go index 83e1d7309f8..4c31b82c334 100644 --- a/internal/xdscache/v3/endpointstranslator.go +++ b/internal/xdscache/v3/endpointstranslator.go @@ -53,22 +53,22 @@ func RecalculateEndpoints(port, healthPort v1.ServicePort, eps *v1.Endpoints) [] continue } - for _, p := range s.Ports { - if (healthPort.Protocol != p.Protocol || port.Protocol != p.Protocol) && p.Protocol != v1.ProtocolTCP { + for _, endpointPort := range s.Ports { + if endpointPort.Protocol != v1.ProtocolTCP { // NOTE: we only support "TCP", which is the default. continue } // Set healthCheckPort only when port and healthPort are different. - if healthPort.Name != "" && healthPort.Name == p.Name && port.Name != healthPort.Name { - healthCheckPort = p.Port + if healthPort.Name != "" && healthPort.Name == endpointPort.Name && port.Name != healthPort.Name { + healthCheckPort = endpointPort.Port } // If the port isn't named, it must be the // only Service port, so it's a match by // definition. Otherwise, only take endpoint // ports that match the service port name. - if port.Name != "" && port.Name != p.Name { + if port.Name != "" && port.Name != endpointPort.Name { continue } @@ -77,7 +77,7 @@ func RecalculateEndpoints(port, healthPort v1.ServicePort, eps *v1.Endpoints) [] sort.Slice(addresses, func(i, j int) bool { return addresses[i].IP < addresses[j].IP }) for _, a := range addresses { - addr := envoy_v3.SocketAddress(a.IP, int(p.Port)) + addr := envoy_v3.SocketAddress(a.IP, int(endpointPort.Port)) lb = append(lb, envoy_v3.LBEndpoint(addr)) } } diff --git a/pkg/config/parameters.go b/pkg/config/parameters.go index 10179cc1668..87574eac345 100644 --- a/pkg/config/parameters.go +++ b/pkg/config/parameters.go @@ -182,8 +182,7 @@ func (n NamespacedName) Validate() error { // TLSParameters holds configuration file TLS configuration details. type TLSParameters struct { - MinimumProtocolVersion string `yaml:"minimum-protocol-version"` - MaximumProtocolVersion string `yaml:"maximum-protocol-version"` + ProtocolParameters `yaml:",inline"` // FallbackCertificate defines the namespace/name of the Kubernetes secret to // use as fallback when a non-SNI request is received. @@ -194,6 +193,12 @@ type TLSParameters struct { // to be used when establishing TLS connection to upstream // cluster. ClientCertificate NamespacedName `yaml:"envoy-client-certificate,omitempty"` +} + +// ProtocolParameters holds configuration details for TLS protocol specifics. +type ProtocolParameters struct { + MinimumProtocolVersion string `yaml:"minimum-protocol-version"` + MaximumProtocolVersion string `yaml:"maximum-protocol-version"` // CipherSuites defines the TLS ciphers to be supported by Envoy TLS // listeners when negotiating TLS 1.2. Ciphers are validated against the @@ -214,6 +219,15 @@ func (t TLSParameters) Validate() error { return fmt.Errorf("invalid TLS client certificate: %w", err) } + if err := t.ProtocolParameters.Validate(); err != nil { + return fmt.Errorf("invalid TLS Protocol Parameters: %w", err) + } + + return nil +} + +// Validate TLS protocol versions and cipher suites +func (t ProtocolParameters) Validate() error { if err := t.CipherSuites.Validate(); err != nil { return fmt.Errorf("invalid TLS cipher suites: %w", err) } @@ -429,6 +443,14 @@ type ClusterParameters struct { // // +optional PerConnectionBufferLimitBytes *uint32 `yaml:"per-connection-buffer-limit-bytes,omitempty"` + + // GlobalCircuitBreakerDefaults holds configurable global defaults for the circuit breakers. + // + // +optional + GlobalCircuitBreakerDefaults *contour_api_v1alpha1.GlobalCircuitBreakerDefaults `yaml:"circuit-breakers,omitempty"` + + // UpstreamTLS contains the TLS policy parameters for upstream connections + UpstreamTLS ProtocolParameters `yaml:"upstream-tls,omitempty"` } func (p *ClusterParameters) Validate() error { @@ -443,6 +465,11 @@ func (p *ClusterParameters) Validate() error { if p.PerConnectionBufferLimitBytes != nil && *p.PerConnectionBufferLimitBytes < 1 { return fmt.Errorf("invalid per connections buffer limit bytes value %q set on cluster, minimum value is 1", *p.PerConnectionBufferLimitBytes) } + + if err := p.UpstreamTLS.Validate(); err != nil { + return err + } + return nil } diff --git a/pkg/config/parameters_test.go b/pkg/config/parameters_test.go index 31467990952..52e31491d79 100644 --- a/pkg/config/parameters_test.go +++ b/pkg/config/parameters_test.go @@ -268,51 +268,51 @@ func TestTLSParametersValidation(t *testing.T) { }.Validate()) // Cipher suites validation - assert.NoError(t, TLSParameters{ + assert.NoError(t, ProtocolParameters{ CipherSuites: []string{}, }.Validate()) - assert.NoError(t, TLSParameters{ + assert.NoError(t, ProtocolParameters{ CipherSuites: []string{ "[ECDHE-ECDSA-AES128-GCM-SHA256|ECDHE-ECDSA-CHACHA20-POLY1305]", "ECDHE-ECDSA-AES128-GCM-SHA256", }, }.Validate()) - assert.Error(t, TLSParameters{ + assert.Error(t, ProtocolParameters{ CipherSuites: []string{ "NOTAVALIDCIPHER", }, }.Validate()) // TLS protocol version validation - assert.NoError(t, TLSParameters{ + assert.NoError(t, ProtocolParameters{ MinimumProtocolVersion: "1.2", }.Validate()) - assert.Error(t, TLSParameters{ + assert.Error(t, ProtocolParameters{ MinimumProtocolVersion: "1.1", }.Validate()) - assert.NoError(t, TLSParameters{ + assert.NoError(t, ProtocolParameters{ MaximumProtocolVersion: "1.3", }.Validate()) - assert.Error(t, TLSParameters{ + assert.Error(t, ProtocolParameters{ MaximumProtocolVersion: "invalid", }.Validate()) - assert.NoError(t, TLSParameters{ + assert.NoError(t, ProtocolParameters{ MinimumProtocolVersion: "1.2", MaximumProtocolVersion: "1.3", }.Validate()) - assert.Error(t, TLSParameters{ + assert.Error(t, ProtocolParameters{ MinimumProtocolVersion: "1.3", MaximumProtocolVersion: "1.2", }.Validate()) - assert.NoError(t, TLSParameters{ + assert.NoError(t, ProtocolParameters{ MinimumProtocolVersion: "1.2", MaximumProtocolVersion: "1.2", }.Validate()) - assert.NoError(t, TLSParameters{ + assert.NoError(t, ProtocolParameters{ MinimumProtocolVersion: "1.3", MaximumProtocolVersion: "1.3", }.Validate()) - assert.Error(t, TLSParameters{ + assert.Error(t, ProtocolParameters{ MinimumProtocolVersion: "1.1", MaximumProtocolVersion: "1.3", }.Validate()) @@ -488,6 +488,20 @@ listener: cluster: max-requests-per-connection: 1 `) + + check(func(t *testing.T, conf *Parameters) { + assert.Equal(t, uint32(42), conf.Cluster.GlobalCircuitBreakerDefaults.MaxConnections) + assert.Equal(t, uint32(43), conf.Cluster.GlobalCircuitBreakerDefaults.MaxPendingRequests) + assert.Equal(t, uint32(44), conf.Cluster.GlobalCircuitBreakerDefaults.MaxRequests) + assert.Equal(t, uint32(0), conf.Cluster.GlobalCircuitBreakerDefaults.MaxRetries) + }, ` +cluster: + circuit-breakers: + max-connections: 42 + max-pending-requests: 43 + max-requests: 44 +`) + } func TestMetricsParametersValidation(t *testing.T) { @@ -625,6 +639,12 @@ func TestClusterParametersValidation(t *testing.T) { PerConnectionBufferLimitBytes: ref.To(uint32(0)), } require.Error(t, l.Validate()) + l = &ClusterParameters{ + UpstreamTLS: ProtocolParameters{ + MaximumProtocolVersion: "invalid", + }, + } + require.Error(t, l.Validate()) l = &ClusterParameters{ PerConnectionBufferLimitBytes: ref.To(uint32(1)), } diff --git a/site/content/docs/1.21/configuration.md b/site/content/docs/1.21/configuration.md index 9c2f7351dc2..84e2e65338b 100644 --- a/site/content/docs/1.21/configuration.md +++ b/site/content/docs/1.21/configuration.md @@ -85,7 +85,6 @@ merge_slashes path transformation behavior that strips duplicate slashes from re | incluster | boolean | `false` | This field specifies that Contour is running in a Kubernetes cluster and should use the in-cluster client access configuration. | | json-fields | string array | [fields][5] | This is the list the field names to include in the JSON [access log format][2]. This field only has effect if `accesslog-format` is `json`. | | kubeconfig | string | `$HOME/.kube/config` | Path to a Kubernetes [kubeconfig file][3] for when Contour is executed outside a cluster. | -| leaderelection | leaderelection | | The [leader election configuration](#leader-election-configuration). | | policy | PolicyConfig | | The default [policy configuration](#policy-configuration). | | tls | TLS | | The default [TLS configuration](#tls-configuration). | | timeouts | TimeoutConfig | | The [timeout configuration](#timeout-configuration). | @@ -125,21 +124,6 @@ Contour should provision TLS hosts. | name | string | `""` | This field specifies the name of the Kubernetes secret to use as the client certificate and private key when establishing TLS connections to the backend service. | | namespace | string | `""` | This field specifies the namespace of the Kubernetes secret to use as the client certificate and private key when establishing TLS connections to the backend service. | -### Leader Election Configuration - -The leader election configuration block configures how a deployment with more than one Contour pod elects a leader. -The Contour leader is responsible for updating the status field on Ingress and HTTPProxy documents. -In the vast majority of deployments, only the `configmap-name` and `configmap-namespace` fields should require any configuration. - -_Note:_ Configuring leader election via the configuration file is deprecated, please use the `contour serve` command line flags instead. - -| Field Name | Type | Default | Description | -| ------------------- | ------------- | ---------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | -| configmap-name | string | `leader-elect` | The name of the ConfigMap that Contour leader election will lease. | -| configmap-namespace | string | `projectcontour` | The namespace of the ConfigMap that Contour leader election will lease. If the `CONTOUR_NAMESPACE` environment variable is present, Contour will populate this field with its value. | -| lease-duration | [duration][4] | `15s` | The duration of the leadership lease. | -| renew-deadline | [duration][4] | `10s` | The length of time that the leader will retry refreshing leadership before giving up. | -| retry-period | [duration][4] | `2s` | The interval at which Contour will attempt to the acquire leadership lease. | ### Timeout Configuration diff --git a/site/content/docs/1.22/configuration.md b/site/content/docs/1.22/configuration.md index 9c2f7351dc2..84e2e65338b 100644 --- a/site/content/docs/1.22/configuration.md +++ b/site/content/docs/1.22/configuration.md @@ -85,7 +85,6 @@ merge_slashes path transformation behavior that strips duplicate slashes from re | incluster | boolean | `false` | This field specifies that Contour is running in a Kubernetes cluster and should use the in-cluster client access configuration. | | json-fields | string array | [fields][5] | This is the list the field names to include in the JSON [access log format][2]. This field only has effect if `accesslog-format` is `json`. | | kubeconfig | string | `$HOME/.kube/config` | Path to a Kubernetes [kubeconfig file][3] for when Contour is executed outside a cluster. | -| leaderelection | leaderelection | | The [leader election configuration](#leader-election-configuration). | | policy | PolicyConfig | | The default [policy configuration](#policy-configuration). | | tls | TLS | | The default [TLS configuration](#tls-configuration). | | timeouts | TimeoutConfig | | The [timeout configuration](#timeout-configuration). | @@ -125,21 +124,6 @@ Contour should provision TLS hosts. | name | string | `""` | This field specifies the name of the Kubernetes secret to use as the client certificate and private key when establishing TLS connections to the backend service. | | namespace | string | `""` | This field specifies the namespace of the Kubernetes secret to use as the client certificate and private key when establishing TLS connections to the backend service. | -### Leader Election Configuration - -The leader election configuration block configures how a deployment with more than one Contour pod elects a leader. -The Contour leader is responsible for updating the status field on Ingress and HTTPProxy documents. -In the vast majority of deployments, only the `configmap-name` and `configmap-namespace` fields should require any configuration. - -_Note:_ Configuring leader election via the configuration file is deprecated, please use the `contour serve` command line flags instead. - -| Field Name | Type | Default | Description | -| ------------------- | ------------- | ---------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | -| configmap-name | string | `leader-elect` | The name of the ConfigMap that Contour leader election will lease. | -| configmap-namespace | string | `projectcontour` | The namespace of the ConfigMap that Contour leader election will lease. If the `CONTOUR_NAMESPACE` environment variable is present, Contour will populate this field with its value. | -| lease-duration | [duration][4] | `15s` | The duration of the leadership lease. | -| renew-deadline | [duration][4] | `10s` | The length of time that the leader will retry refreshing leadership before giving up. | -| retry-period | [duration][4] | `2s` | The interval at which Contour will attempt to the acquire leadership lease. | ### Timeout Configuration diff --git a/site/content/docs/1.23/configuration.md b/site/content/docs/1.23/configuration.md index f2eff5c5a63..5d29b1f75c9 100644 --- a/site/content/docs/1.23/configuration.md +++ b/site/content/docs/1.23/configuration.md @@ -85,7 +85,6 @@ merge_slashes path transformation behavior that strips duplicate slashes from re | incluster | boolean | `false` | This field specifies that Contour is running in a Kubernetes cluster and should use the in-cluster client access configuration. | | json-fields | string array | [fields][5] | This is the list the field names to include in the JSON [access log format][2]. This field only has effect if `accesslog-format` is `json`. | | kubeconfig | string | `$HOME/.kube/config` | Path to a Kubernetes [kubeconfig file][3] for when Contour is executed outside a cluster. | -| leaderelection | leaderelection | | The [leader election configuration](#leader-election-configuration). | | policy | PolicyConfig | | The default [policy configuration](#policy-configuration). | | tls | TLS | | The default [TLS configuration](#tls-configuration). | | timeouts | TimeoutConfig | | The [timeout configuration](#timeout-configuration). | @@ -125,21 +124,6 @@ Contour should provision TLS hosts. | name | string | `""` | This field specifies the name of the Kubernetes secret to use as the client certificate and private key when establishing TLS connections to the backend service. | | namespace | string | `""` | This field specifies the namespace of the Kubernetes secret to use as the client certificate and private key when establishing TLS connections to the backend service. | -### Leader Election Configuration - -The leader election configuration block configures how a deployment with more than one Contour pod elects a leader. -The Contour leader is responsible for updating the status field on Ingress and HTTPProxy documents. -In the vast majority of deployments, only the `configmap-name` and `configmap-namespace` fields should require any configuration. - -_Note:_ Configuring leader election via the configuration file is deprecated, please use the `contour serve` command line flags instead. - -| Field Name | Type | Default | Description | -| ------------------- | ------------- | ---------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | -| configmap-name | string | `leader-elect` | The name of the ConfigMap that Contour leader election will lease. | -| configmap-namespace | string | `projectcontour` | The namespace of the ConfigMap that Contour leader election will lease. If the `CONTOUR_NAMESPACE` environment variable is present, Contour will populate this field with its value. | -| lease-duration | [duration][4] | `15s` | The duration of the leadership lease. | -| renew-deadline | [duration][4] | `10s` | The length of time that the leader will retry refreshing leadership before giving up. | -| retry-period | [duration][4] | `2s` | The interval at which Contour will attempt to the acquire leadership lease. | ### Timeout Configuration diff --git a/site/content/docs/1.24/configuration.md b/site/content/docs/1.24/configuration.md index 94e7e0ad17a..8f5bd90ad9a 100644 --- a/site/content/docs/1.24/configuration.md +++ b/site/content/docs/1.24/configuration.md @@ -89,7 +89,6 @@ Where Contour settings can also be specified with command-line flags, the comman | kubeconfig | string | `$HOME/.kube/config` | Path to a Kubernetes [kubeconfig file][3] for when Contour is executed outside a cluster. | | kubernetesClientQPS | float32 | | QPS allowed for the Kubernetes client. | | kubernetesClientBurst | int | | Burst allowed for the Kubernetes client. | -| leaderelection | leaderelection | | The [leader election configuration](#leader-election-configuration). | | policy | PolicyConfig | | The default [policy configuration](#policy-configuration). | | tls | TLS | | The default [TLS configuration](#tls-configuration). | | timeouts | TimeoutConfig | | The [timeout configuration](#timeout-configuration). | @@ -129,21 +128,6 @@ Contour should provision TLS hosts. | name | string | `""` | This field specifies the name of the Kubernetes secret to use as the client certificate and private key when establishing TLS connections to the backend service. | | namespace | string | `""` | This field specifies the namespace of the Kubernetes secret to use as the client certificate and private key when establishing TLS connections to the backend service. | -### Leader Election Configuration - -The leader election configuration block configures how a deployment with more than one Contour pod elects a leader. -The Contour leader is responsible for updating the status field on Ingress and HTTPProxy documents. -In the vast majority of deployments, only the `configmap-name` and `configmap-namespace` fields should require any configuration. - -_Note:_ Configuring leader election via the configuration file is deprecated, please use the `contour serve` command line flags instead. - -| Field Name | Type | Default | Description | -| ------------------- | ------------- | ---------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | -| configmap-name | string | `leader-elect` | The name of the ConfigMap that Contour leader election will lease. | -| configmap-namespace | string | `projectcontour` | The namespace of the ConfigMap that Contour leader election will lease. If the `CONTOUR_NAMESPACE` environment variable is present, Contour will populate this field with its value. | -| lease-duration | [duration][4] | `15s` | The duration of the leadership lease. | -| renew-deadline | [duration][4] | `10s` | The length of time that the leader will retry refreshing leadership before giving up. | -| retry-period | [duration][4] | `2s` | The interval at which Contour will attempt to the acquire leadership lease. | ### Timeout Configuration diff --git a/site/content/docs/1.25/configuration.md b/site/content/docs/1.25/configuration.md index 9d9014ec444..dbab39b75dc 100644 --- a/site/content/docs/1.25/configuration.md +++ b/site/content/docs/1.25/configuration.md @@ -90,7 +90,6 @@ Where Contour settings can also be specified with command-line flags, the comman | kubeconfig | string | `$HOME/.kube/config` | Path to a Kubernetes [kubeconfig file][3] for when Contour is executed outside a cluster. | | kubernetesClientQPS | float32 | | QPS allowed for the Kubernetes client. | | kubernetesClientBurst | int | | Burst allowed for the Kubernetes client. | -| leaderelection | leaderelection | | The [leader election configuration](#leader-election-configuration). | | policy | PolicyConfig | | The default [policy configuration](#policy-configuration). | | tls | TLS | | The default [TLS configuration](#tls-configuration). | | timeouts | TimeoutConfig | | The [timeout configuration](#timeout-configuration). | @@ -130,21 +129,6 @@ Contour should provision TLS hosts. | name | string | `""` | This field specifies the name of the Kubernetes secret to use as the client certificate and private key when establishing TLS connections to the backend service. | | namespace | string | `""` | This field specifies the namespace of the Kubernetes secret to use as the client certificate and private key when establishing TLS connections to the backend service. | -### Leader Election Configuration - -The leader election configuration block configures how a deployment with more than one Contour pod elects a leader. -The Contour leader is responsible for updating the status field on Ingress and HTTPProxy documents. -In the vast majority of deployments, only the `configmap-name` and `configmap-namespace` fields should require any configuration. - -_Note:_ Configuring leader election via the configuration file is deprecated, please use the `contour serve` command line flags instead. - -| Field Name | Type | Default | Description | -| ------------------- | ------------- | ---------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | -| configmap-name | string | `leader-elect` | The name of the ConfigMap that Contour leader election will lease. | -| configmap-namespace | string | `projectcontour` | The namespace of the ConfigMap that Contour leader election will lease. If the `CONTOUR_NAMESPACE` environment variable is present, Contour will populate this field with its value. | -| lease-duration | [duration][4] | `15s` | The duration of the leadership lease. | -| renew-deadline | [duration][4] | `10s` | The length of time that the leader will retry refreshing leadership before giving up. | -| retry-period | [duration][4] | `2s` | The interval at which Contour will attempt to the acquire leadership lease. | ### Timeout Configuration diff --git a/site/content/docs/1.26/configuration.md b/site/content/docs/1.26/configuration.md index dd800bc9ab2..a9c636f9aa4 100644 --- a/site/content/docs/1.26/configuration.md +++ b/site/content/docs/1.26/configuration.md @@ -91,7 +91,6 @@ Where Contour settings can also be specified with command-line flags, the comman | kubeconfig | string | `$HOME/.kube/config` | Path to a Kubernetes [kubeconfig file][3] for when Contour is executed outside a cluster. | | kubernetesClientQPS | float32 | | QPS allowed for the Kubernetes client. | | kubernetesClientBurst | int | | Burst allowed for the Kubernetes client. | -| leaderelection | leaderelection | | The [leader election configuration](#leader-election-configuration). | | policy | PolicyConfig | | The default [policy configuration](#policy-configuration). | | tls | TLS | | The default [TLS configuration](#tls-configuration). | | timeouts | TimeoutConfig | | The [timeout configuration](#timeout-configuration). | @@ -132,21 +131,6 @@ Contour should provision TLS hosts. | name | string | `""` | This field specifies the name of the Kubernetes secret to use as the client certificate and private key when establishing TLS connections to the backend service. | | namespace | string | `""` | This field specifies the namespace of the Kubernetes secret to use as the client certificate and private key when establishing TLS connections to the backend service. | -### Leader Election Configuration - -The leader election configuration block configures how a deployment with more than one Contour pod elects a leader. -The Contour leader is responsible for updating the status field on Ingress and HTTPProxy documents. -In the vast majority of deployments, only the `configmap-name` and `configmap-namespace` fields should require any configuration. - -_Note:_ Configuring leader election via the configuration file is deprecated, please use the `contour serve` command line flags instead. - -| Field Name | Type | Default | Description | -| ------------------- | ------------- | ---------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | -| configmap-name | string | `leader-elect` | The name of the ConfigMap that Contour leader election will lease. | -| configmap-namespace | string | `projectcontour` | The namespace of the ConfigMap that Contour leader election will lease. If the `CONTOUR_NAMESPACE` environment variable is present, Contour will populate this field with its value. | -| lease-duration | [duration][4] | `15s` | The duration of the leadership lease. | -| renew-deadline | [duration][4] | `10s` | The length of time that the leader will retry refreshing leadership before giving up. | -| retry-period | [duration][4] | `2s` | The interval at which Contour will attempt to the acquire leadership lease. | ### Timeout Configuration diff --git a/site/content/docs/1.27/configuration.md b/site/content/docs/1.27/configuration.md index 06eea341d61..1ce00eb4fc6 100644 --- a/site/content/docs/1.27/configuration.md +++ b/site/content/docs/1.27/configuration.md @@ -91,7 +91,6 @@ Where Contour settings can also be specified with command-line flags, the comman | kubeconfig | string | `$HOME/.kube/config` | Path to a Kubernetes [kubeconfig file][3] for when Contour is executed outside a cluster. | | kubernetesClientQPS | float32 | | QPS allowed for the Kubernetes client. | | kubernetesClientBurst | int | | Burst allowed for the Kubernetes client. | -| leaderelection | leaderelection | | The [leader election configuration](#leader-election-configuration). | | policy | PolicyConfig | | The default [policy configuration](#policy-configuration). | | tls | TLS | | The default [TLS configuration](#tls-configuration). | | timeouts | TimeoutConfig | | The [timeout configuration](#timeout-configuration). | @@ -133,21 +132,6 @@ Contour should provision TLS hosts. | name | string | `""` | This field specifies the name of the Kubernetes secret to use as the client certificate and private key when establishing TLS connections to the backend service. | | namespace | string | `""` | This field specifies the namespace of the Kubernetes secret to use as the client certificate and private key when establishing TLS connections to the backend service. | -### Leader Election Configuration - -The leader election configuration block configures how a deployment with more than one Contour pod elects a leader. -The Contour leader is responsible for updating the status field on Ingress and HTTPProxy documents. -In the vast majority of deployments, only the `configmap-name` and `configmap-namespace` fields should require any configuration. - -_Note:_ Configuring leader election via the configuration file is deprecated, please use the `contour serve` command line flags instead. - -| Field Name | Type | Default | Description | -| ------------------- | ------------- | ---------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | -| configmap-name | string | `leader-elect` | The name of the ConfigMap that Contour leader election will lease. | -| configmap-namespace | string | `projectcontour` | The namespace of the ConfigMap that Contour leader election will lease. If the `CONTOUR_NAMESPACE` environment variable is present, Contour will populate this field with its value. | -| lease-duration | [duration][4] | `15s` | The duration of the leadership lease. | -| renew-deadline | [duration][4] | `10s` | The length of time that the leader will retry refreshing leadership before giving up. | -| retry-period | [duration][4] | `2s` | The interval at which Contour will attempt to the acquire leadership lease. | ### Timeout Configuration diff --git a/site/content/docs/main/config/api-reference.html b/site/content/docs/main/config/api-reference.html index 2c5bc508f24..a78277849ba 100644 --- a/site/content/docs/main/config/api-reference.html +++ b/site/content/docs/main/config/api-reference.html @@ -5294,6 +5294,8 @@
ResourceLabels is a set of labels to add to the provisioned Contour resources.
+Deprecated: use Gateway.Spec.Infrastructure.Labels instead. This field will be +removed in a future release.
circuitBreakers
+GlobalCircuitBreakerDefaults specifies default circuit breaker budget across all services. +If defined, this will be used as the default for all services.
+upstreamTLS
+UpstreamTLS contains the TLS policy parameters for upstream connections
+ResourceLabels is a set of labels to add to the provisioned Contour resources.
+Deprecated: use Gateway.Spec.Infrastructure.Labels instead. This field will be +removed in a future release.
(Appears on: +ClusterParameters, EnvoyListenerConfig)
@@ -7564,6 +7600,76 @@
+(Appears on: +ClusterParameters) +
++
+Field | +Description | +
---|---|
+maxConnections
++ +uint32 + + |
+
+(Optional)
+ The maximum number of connections that a single Envoy instance allows to the Kubernetes Service; defaults to 1024. + |
+
+maxPendingRequests
++ +uint32 + + |
+
+(Optional)
+ The maximum number of pending requests that a single Envoy instance allows to the Kubernetes Service; defaults to 1024. + |
+
+maxRequests
++ +uint32 + + |
+
+(Optional)
+ The maximum parallel requests a single Envoy instance allows to the Kubernetes Service; defaults to 1024 + |
+
+maxRetries
++ +uint32 + + |
+
+(Optional)
+ The maximum number of parallel retries a single Envoy instance allows to the Kubernetes Service; defaults to 3. + |
+
diff --git a/site/content/docs/main/configuration.md b/site/content/docs/main/configuration.md index 06eea341d61..f0e98c97ae3 100644 --- a/site/content/docs/main/configuration.md +++ b/site/content/docs/main/configuration.md @@ -91,7 +91,6 @@ Where Contour settings can also be specified with command-line flags, the comman | kubeconfig | string | `$HOME/.kube/config` | Path to a Kubernetes [kubeconfig file][3] for when Contour is executed outside a cluster. | | kubernetesClientQPS | float32 | | QPS allowed for the Kubernetes client. | | kubernetesClientBurst | int | | Burst allowed for the Kubernetes client. | -| leaderelection | leaderelection | | The [leader election configuration](#leader-election-configuration). | | policy | PolicyConfig | | The default [policy configuration](#policy-configuration). | | tls | TLS | | The default [TLS configuration](#tls-configuration). | | timeouts | TimeoutConfig | | The [timeout configuration](#timeout-configuration). | @@ -118,6 +117,16 @@ Contour should provision TLS hosts. | envoy-client-certificate | | | [Client certificate configuration for Envoy](#envoy-client-certificate). | | cipher-suites | []string | See [config package documentation](https://pkg.go.dev/github.com/projectcontour/contour/pkg/config#pkg-variables) | This field specifies the TLS ciphers to be supported by TLS listeners when negotiating TLS 1.2. This parameter should only be used by advanced users. Note that this is ignored when TLS 1.3 is in use. The set of ciphers that are allowed is a superset of those supported by default in stock, non-FIPS Envoy builds and FIPS builds as specified [here](https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/transport_sockets/tls/v3/common.proto#envoy-v3-api-field-extensions-transport-sockets-tls-v3-tlsparameters-cipher-suites). Custom ciphers not accepted by Envoy in a standard build are not supported. | +### Upstream TLS Configuration + +The Upstream TLS configuration block can be used to configure default values for how Contour establishes TLS for upstream connections. + +| Field Name | Type | Default | Description | +| ------------------------ | -------- | ----------------------------------------------------------------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| minimum-protocol-version | string | `1.2` | This field specifies the minimum TLS protocol version that is allowed. Valid options are `1.2` (default) and `1.3`. Any other value defaults to TLS 1.2. | +| maximum-protocol-version | string | `1.3` | This field specifies the maximum TLS protocol version that is allowed. Valid options are `1.2` and `1.3`. Any other value defaults to TLS 1.3. | +| cipher-suites | []string | See [config package documentation](https://pkg.go.dev/github.com/projectcontour/contour/pkg/config#pkg-variables) | This field specifies the TLS ciphers to be supported by TLS listeners when negotiating TLS 1.2. This parameter should only be used by advanced users. Note that this is ignored when TLS 1.3 is in use. The set of ciphers that are allowed is a superset of those supported by default in stock, non-FIPS Envoy builds and FIPS builds as specified [here](https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/transport_sockets/tls/v3/common.proto#envoy-v3-api-field-extensions-transport-sockets-tls-v3-tlsparameters-cipher-suites). Custom ciphers not accepted by Envoy in a standard build are not supported. | + ### Fallback Certificate | Field Name | Type | Default | Description | @@ -133,21 +142,6 @@ Contour should provision TLS hosts. | name | string | `""` | This field specifies the name of the Kubernetes secret to use as the client certificate and private key when establishing TLS connections to the backend service. | | namespace | string | `""` | This field specifies the namespace of the Kubernetes secret to use as the client certificate and private key when establishing TLS connections to the backend service. | -### Leader Election Configuration - -The leader election configuration block configures how a deployment with more than one Contour pod elects a leader. -The Contour leader is responsible for updating the status field on Ingress and HTTPProxy documents. -In the vast majority of deployments, only the `configmap-name` and `configmap-namespace` fields should require any configuration. - -_Note:_ Configuring leader election via the configuration file is deprecated, please use the `contour serve` command line flags instead. - -| Field Name | Type | Default | Description | -| ------------------- | ------------- | ---------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | -| configmap-name | string | `leader-elect` | The name of the ConfigMap that Contour leader election will lease. | -| configmap-namespace | string | `projectcontour` | The namespace of the ConfigMap that Contour leader election will lease. If the `CONTOUR_NAMESPACE` environment variable is present, Contour will populate this field with its value. | -| lease-duration | [duration][4] | `15s` | The duration of the leadership lease. | -| renew-deadline | [duration][4] | `10s` | The length of time that the leader will retry refreshing leadership before giving up. | -| retry-period | [duration][4] | `2s` | The interval at which Contour will attempt to the acquire leadership lease. | ### Timeout Configuration @@ -173,10 +167,15 @@ The cluster configuration block can be used to configure various parameters for |-----------------------------------|--------|---------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| | dns-lookup-family | string | auto | This field specifies the dns-lookup-family to use for upstream requests to externalName type Kubernetes services from an HTTPProxy route. Values are: `auto`, `v4`, `v6`, `all` | | max-requests-per-connection | int | none | This field specifies the maximum requests for upstream connections. If not specified, there is no limit | +| circuit-breakers | [CircuitBreakers](#circuit-breakers) | none | This field specifies the default value for [circuit-breaker-annotations](https://projectcontour.io/docs/main/config/annotations/) for services that don't specify them. | | per-connection-buffer-limit-bytes | int | 1MiB* | This field specifies the soft limit on size of the cluster’s new connection read and write buffer. If not specified, Envoy defaults of 1MiB apply | +| upstream-tls | UpstreamTLS | | [Upstream TLS configuration](#upstream-tls) | _This is Envoy's default setting value and is not explicitly configured by Contour._ + + + ### Network Configuration The network configuration block can be used to configure various parameters network connections. @@ -293,6 +292,16 @@ Metrics and health endpoints cannot have the same port number when metrics are s | tos | int | 0 | Defines the value for IPv4 TOS field (including 6 bit DSCP field) for IP packets originating from Envoy listeners. Single value is applied to all listeners. The value must be in the range 0-255, 0 means socket option is not set. If listeners are bound to IPv6-only addresses, setting this option will cause an error. | | traffic-class | int | 0 | Defines the value for IPv6 Traffic Class field (including 6 bit DSCP field) for IP packets originating from the Envoy listeners. Single value is applied to all listeners. The value must be in the range 0-255, 0 means socket option is not set. If listeners are bound to IPv4-only addresses, setting this option will cause an error. | + +### Circuit Breakers + +| Field Name | Type | Default | Description | +| --------------- | ------ | ------- | ----------------------------------------------------------------------------- | +| max-connections | int | 0 | The maximum number of connections that a single Envoy instance allows to the Kubernetes Service; defaults to 1024. | +| max-pending-requests | int | 0 | The maximum number of pending requests that a single Envoy instance allows to the Kubernetes Service; defaults to 1024. | +| max-requests | int | 0 | The maximum parallel requests a single Envoy instance allows to the Kubernetes Service; defaults to 1024 | +| max-retries | int | 0 | The maximum number of parallel retries a single Envoy instance allows to the Kubernetes Service; defaults to 3. This setting only makes sense if the cluster is configured to do retries.| + ### Configuration Example The following is an example ConfigMap with configuration file included: diff --git a/site/content/resources/compatibility-matrix.md b/site/content/resources/compatibility-matrix.md index 9be81f5694b..7ed4e8f46fb 100644 --- a/site/content/resources/compatibility-matrix.md +++ b/site/content/resources/compatibility-matrix.md @@ -10,7 +10,7 @@ These combinations of versions are specifically tested in CI and supported by th | Contour Version | Envoy Version | Kubernetes Versions | Gateway API Version | | --------------- | :------------------- | ------------------- | --------------------| -| main | [1.28.0][45] | 1.28, 1.27, 1.26 | [0.8.1][109] | +| main | [1.28.0][45] | 1.29, 1.28, 1.27 | [1.0.0][110] | | 1.27.0 | [1.28.0][45] | 1.28, 1.27, 1.26 | [0.8.1][109] | | 1.26.1 | [1.27.2][42] | 1.28, 1.27, 1.26 | [0.8.1][109] | | 1.26.0 | [1.27.0][41] | 1.28, 1.27, 1.26 | [0.8.0][108] | @@ -187,4 +187,5 @@ __Note:__ This list of extensions was last verified to be complete with Envoy v1 [106]: https://github.com/kubernetes-sigs/gateway-api/releases/tag/v0.6.0 [107]: https://github.com/kubernetes-sigs/gateway-api/releases/tag/v0.6.2 [108]: https://github.com/kubernetes-sigs/gateway-api/releases/tag/v0.8.0 -[109]: https://github.com/kubernetes-sigs/gateway-api/releases/tag/v0.8.1 \ No newline at end of file +[109]: https://github.com/kubernetes-sigs/gateway-api/releases/tag/v0.8.1 +[110]: https://github.com/kubernetes-sigs/gateway-api/releases/tag/v1.0.0 \ No newline at end of file diff --git a/test/conformance/gatewayapi/gateway_conformance_test.go b/test/conformance/gatewayapi/gateway_conformance_test.go index e5a80d83ce3..86165a97226 100644 --- a/test/conformance/gatewayapi/gateway_conformance_test.go +++ b/test/conformance/gatewayapi/gateway_conformance_test.go @@ -74,10 +74,16 @@ func TestGatewayConformance(t *testing.T) { // See: https://github.com/envoyproxy/envoy/issues/17318 tests.HTTPRouteRedirectPortAndScheme.ShortName, - // Tests newly failing with Gateway API 1.0, to be addressed. + // Not implemented yet since it's functionally equivalent + // to Timeouts.Request, to be enabled once Gateway API + // supports retries. + // See: https://github.com/projectcontour/contour/issues/6000 tests.HTTPRouteTimeoutBackendRequest.ShortName, - tests.HTTPRouteTimeoutRequest.ShortName, - tests.GatewayWithAttachedRoutes.ShortName, + + // Contour supports the positive-case functionality, + // but there are some negative cases that aren't fully + // implemented plus complications with the test setup itself. + // See: https://github.com/projectcontour/contour/issues/5922 tests.GatewayStaticAddresses.ShortName, }, ExemptFeatures: sets.New( diff --git a/test/e2e/httpproxy/backend_tls_protocol_version_test.go b/test/e2e/httpproxy/backend_tls_protocol_version_test.go new file mode 100644 index 00000000000..5575dafcf25 --- /dev/null +++ b/test/e2e/httpproxy/backend_tls_protocol_version_test.go @@ -0,0 +1,102 @@ +// Copyright Project Contour Authors +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +//go:build e2e + +package httpproxy + +import ( + "context" + "encoding/json" + + certmanagerv1 "github.com/cert-manager/cert-manager/pkg/apis/certmanager/v1" + certmanagermetav1 "github.com/cert-manager/cert-manager/pkg/apis/meta/v1" + . "github.com/onsi/ginkgo/v2" + contourv1 "github.com/projectcontour/contour/apis/projectcontour/v1" + "github.com/projectcontour/contour/test/e2e" + "github.com/stretchr/testify/assert" + "github.com/stretchr/testify/require" + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" +) + +func testBackendTLSProtocolVersion(namespace, protocolVersion string) { + Specify("backend connection uses configured TLS version", func() { + // Backend server cert signed by CA. + backendServerCert := &certmanagerv1.Certificate{ + ObjectMeta: metav1.ObjectMeta{ + Namespace: namespace, + Name: "backend-server-cert", + }, + Spec: certmanagerv1.CertificateSpec{ + Usages: []certmanagerv1.KeyUsage{ + certmanagerv1.UsageServerAuth, + }, + CommonName: "echo-secure", + DNSNames: []string{"echo-secure"}, + SecretName: "backend-server-cert", + IssuerRef: certmanagermetav1.ObjectReference{ + Name: "ca-issuer", + }, + }, + } + require.NoError(f.T(), f.Client.Create(context.TODO(), backendServerCert)) + f.Fixtures.EchoSecure.Deploy(namespace, "echo-secure") + + p := &contourv1.HTTPProxy{ + ObjectMeta: metav1.ObjectMeta{ + Namespace: namespace, + Name: "backend-tls", + }, + Spec: contourv1.HTTPProxySpec{ + VirtualHost: &contourv1.VirtualHost{ + Fqdn: "backend-tls.projectcontour.io", + }, + Routes: []contourv1.Route{ + { + Services: []contourv1.Service{ + { + Name: "echo-secure", + Port: 443, + UpstreamValidation: &contourv1.UpstreamValidation{ + CACertificate: "backend-client-cert", + SubjectName: "echo-secure", + }, + }, + }, + }, + }, + }, + } + f.CreateHTTPProxyAndWaitFor(p, e2e.HTTPProxyValid) + + type responseTLSDetails struct { + TLS struct { + Version string + } + } + + // Send HTTP request, we will check backend connection was over HTTPS. + res, ok := f.HTTP.RequestUntil(&e2e.HTTPRequestOpts{ + Host: p.Spec.VirtualHost.Fqdn, + Condition: e2e.HasStatusCode(200), + }) + require.NotNil(f.T(), res, "request never succeeded") + require.Truef(f.T(), ok, "expected 200 response code, got %d", res.StatusCode) + + // Get cert presented to backend app. + tlsInfo := new(responseTLSDetails) + require.NoError(f.T(), json.Unmarshal(res.Body, tlsInfo)) + assert.Equal(f.T(), tlsInfo.TLS.Version, protocolVersion) + + }) +} diff --git a/test/e2e/httpproxy/httpproxy_test.go b/test/e2e/httpproxy/httpproxy_test.go index 16d0bd2b335..c59dd17b18a 100644 --- a/test/e2e/httpproxy/httpproxy_test.go +++ b/test/e2e/httpproxy/httpproxy_test.go @@ -282,6 +282,110 @@ var _ = Describe("HTTPProxy", func() { }) }) + f.NamespacedTest("httpproxy-backend-tls-version", func(namespace string) { + BeforeEach(func() { + // Top level issuer. + selfSignedIssuer := &certmanagerv1.Issuer{ + ObjectMeta: metav1.ObjectMeta{ + Namespace: namespace, + Name: "selfsigned", + }, + Spec: certmanagerv1.IssuerSpec{ + IssuerConfig: certmanagerv1.IssuerConfig{ + SelfSigned: &certmanagerv1.SelfSignedIssuer{}, + }, + }, + } + require.NoError(f.T(), f.Client.Create(context.TODO(), selfSignedIssuer)) + + // CA to sign backend certs with. + caCertificate := &certmanagerv1.Certificate{ + ObjectMeta: metav1.ObjectMeta{ + Namespace: namespace, + Name: "ca-cert", + }, + Spec: certmanagerv1.CertificateSpec{ + IsCA: true, + Usages: []certmanagerv1.KeyUsage{ + certmanagerv1.UsageSigning, + certmanagerv1.UsageCertSign, + }, + CommonName: "ca-cert", + SecretName: "ca-cert", + IssuerRef: certmanagermetav1.ObjectReference{ + Name: "selfsigned", + }, + }, + } + require.NoError(f.T(), f.Client.Create(context.TODO(), caCertificate)) + + // Issuer based on CA to generate new certs with. + basedOnCAIssuer := &certmanagerv1.Issuer{ + ObjectMeta: metav1.ObjectMeta{ + Namespace: namespace, + Name: "ca-issuer", + }, + Spec: certmanagerv1.IssuerSpec{ + IssuerConfig: certmanagerv1.IssuerConfig{ + CA: &certmanagerv1.CAIssuer{ + SecretName: "ca-cert", + }, + }, + }, + } + require.NoError(f.T(), f.Client.Create(context.TODO(), basedOnCAIssuer)) + + // Backend client cert, can use for upstream validation as well. + backendClientCert := &certmanagerv1.Certificate{ + ObjectMeta: metav1.ObjectMeta{ + Namespace: namespace, + Name: "backend-client-cert", + }, + Spec: certmanagerv1.CertificateSpec{ + Usages: []certmanagerv1.KeyUsage{ + certmanagerv1.UsageClientAuth, + }, + CommonName: "client", + SecretName: "backend-client-cert", + IssuerRef: certmanagermetav1.ObjectReference{ + Name: "ca-issuer", + }, + }, + } + require.NoError(f.T(), f.Client.Create(context.TODO(), backendClientCert)) + + contourConfig.TLS = config.TLSParameters{ + ClientCertificate: config.NamespacedName{ + Namespace: namespace, + Name: "backend-client-cert", + }, + } + + contourConfiguration.Spec.Envoy.ClientCertificate = &contour_api_v1alpha1.NamespacedName{ + Name: "backend-client-cert", + Namespace: namespace, + } + }) + Context("with backend tls version configured", func() { + protocolVersion := "1.3" + expectedProtocolVersion := "TLSv1.3" + + BeforeEach(func() { + contourConfig.Cluster.UpstreamTLS.MinimumProtocolVersion = protocolVersion + + // need to set this because it isn't set in the default config + contourConfig.Cluster.DNSLookupFamily = "auto" + + contourConfiguration.Spec.Envoy.Cluster.UpstreamTLS = &contour_api_v1alpha1.EnvoyTLS{ + MinimumProtocolVersion: protocolVersion, + } + }) + + testBackendTLSProtocolVersion(namespace, expectedProtocolVersion) + }) + + }) + f.NamespacedTest("httpproxy-external-auth", testExternalAuth) f.NamespacedTest("httpproxy-http-health-checks", testHTTPHealthChecks) diff --git a/test/scripts/make-kind-cluster.sh b/test/scripts/make-kind-cluster.sh index d94118e240d..dc9fd75f8fc 100755 --- a/test/scripts/make-kind-cluster.sh +++ b/test/scripts/make-kind-cluster.sh @@ -27,7 +27,7 @@ readonly KUBECTL=${KUBECTL:-kubectl} readonly MULTINODE_CLUSTER=${MULTINODE_CLUSTER:-"false"} readonly IPV6_CLUSTER=${IPV6_CLUSTER:-"false"} readonly SKIP_GATEWAY_API_INSTALL=${SKIP_GATEWAY_API_INSTALL:-"false"} -readonly NODEIMAGE=${NODEIMAGE:-"docker.io/kindest/node:v1.28.0@sha256:b7a4cad12c197af3ba43202d3efe03246b3f0793f162afb40a33c923952d5b31"} +readonly NODEIMAGE=${NODEIMAGE:-"kindest/node:v1.29.0@sha256:eaa1450915475849a73a9227b8f201df25e55e268e5d619312131292e324d570"} readonly CLUSTERNAME=${CLUSTERNAME:-contour-e2e} readonly WAITTIME=${WAITTIME:-5m} diff --git a/test/scripts/run-gateway-conformance.sh b/test/scripts/run-gateway-conformance.sh index de086ca99c9..df63ca52f4f 100755 --- a/test/scripts/run-gateway-conformance.sh +++ b/test/scripts/run-gateway-conformance.sh @@ -67,5 +67,5 @@ else # test/conformance/gatewayapi/gateway_conformance_test.go. go test -timeout=40m ./conformance -run TestConformance -gateway-class=contour -all-features \ -exempt-features=Mesh \ - -skip-tests=HTTPRouteRedirectPortAndScheme + -skip-tests=HTTPRouteRedirectPortAndScheme,HTTPRouteTimeoutBackendRequest,GatewayStaticAddresses fi diff --git a/versions.yaml b/versions.yaml index 3b9e0bb36e3..385a1b89634 100644 --- a/versions.yaml +++ b/versions.yaml @@ -9,11 +9,11 @@ versions: dependencies: envoy: "1.28.0" kubernetes: + - "1.29" - "1.28" - "1.27" - - "1.26" gateway-api: - - "0.8.1" + - "1.0.0" - version: v1.27.0 supported: "true" dependencies: