Merge branch 'main' into feat-tcp-security-policy-e2e

Author: davem-git

.github/workflows/build_and_test.yaml

@@ -96,9 +96,6 @@ jobs:
       with:
         fetch-depth: 0  # Need main branch access for benchmark comparison
     - uses: ./tools/github-actions/setup-deps
-
-    - name: Install benchstat
-      run: go install golang.org/x/perf/cmd/benchstat@latest
     - name: Run Benchmark Comparison
       continue-on-error: true
       run: |

.github/workflows/codeql.yml

@@ -36,14 +36,14 @@ jobs:
     - uses: ./tools/github-actions/setup-deps
 
     - name: Initialize CodeQL
-      uses: github/codeql-action/init@f443b600d91635bebf5b0d9ebc620189c0d6fba5  # v3.29.5
+      uses: github/codeql-action/init@16140ae1a102900babc80a33c44059580f687047  # v3.29.5
       with:
         languages: ${{ matrix.language }}
 
     - name: Autobuild
-      uses: github/codeql-action/autobuild@f443b600d91635bebf5b0d9ebc620189c0d6fba5  # v3.29.5
+      uses: github/codeql-action/autobuild@16140ae1a102900babc80a33c44059580f687047  # v3.29.5
 
     - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@f443b600d91635bebf5b0d9ebc620189c0d6fba5  # v3.29.5
+      uses: github/codeql-action/analyze@16140ae1a102900babc80a33c44059580f687047  # v3.29.5
       with:
         category: "/language:${{matrix.language}}"

.github/workflows/docs.yaml

@@ -60,7 +60,7 @@ jobs:
         extended: true
 
     - name: Setup Node
-      uses: actions/setup-node@a0853c24544627f65ddf259abe73b1d18a591444  # v5.0.0
+      uses: actions/setup-node@2028fbc5c25fe9cf00d9f06a71cc4710d4507903  # v6.0.0
       with:
         node-version: '18'
 

.github/workflows/scorecard.yml

@@ -40,6 +40,6 @@ jobs:
         retention-days: 5
 
     - name: "Upload to code-scanning"
-      uses: github/codeql-action/upload-sarif@f443b600d91635bebf5b0d9ebc620189c0d6fba5  # v3.29.5
+      uses: github/codeql-action/upload-sarif@16140ae1a102900babc80a33c44059580f687047  # v3.29.5
       with:
         sarif_file: results.sarif

VERSION

@@ -1 +1 @@
-v1.5.3
+v1.5.4

api/v1alpha1/backend_types.go

@@ -8,7 +8,6 @@ package v1alpha1
 import (
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	gwapiv1 "sigs.k8s.io/gateway-api/apis/v1"
-	gwapiv1a3 "sigs.k8s.io/gateway-api/apis/v1alpha3"
 )
 
 const (
@@ -196,7 +195,7 @@ type BackendTLSSettings struct {
 	// CACertificateRefs or WellKnownCACertificates may be specified, not both.
 	//
 	// +optional
-	WellKnownCACertificates *gwapiv1a3.WellKnownCACertificatesType `json:"wellKnownCACertificates,omitempty"`
+	WellKnownCACertificates *gwapiv1.WellKnownCACertificatesType `json:"wellKnownCACertificates,omitempty"`
 
 	// InsecureSkipVerify indicates whether the upstream's certificate verification
 	// should be skipped. Defaults to "false".

api/v1alpha1/backendtrafficpolicy_types.go

@@ -8,7 +8,7 @@ package v1alpha1
 import (
 	"k8s.io/apimachinery/pkg/api/resource"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
-	gwapiv1a2 "sigs.k8s.io/gateway-api/apis/v1alpha2"
+	gwapiv1 "sigs.k8s.io/gateway-api/apis/v1"
 )
 
 const (
@@ -31,7 +31,7 @@ type BackendTrafficPolicy struct {
 	Spec BackendTrafficPolicySpec `json:"spec"`
 
 	// status defines the current status of BackendTrafficPolicy.
-	Status gwapiv1a2.PolicyStatus `json:"status,omitempty"`
+	Status gwapiv1.PolicyStatus `json:"status,omitempty"`
 }
 
 // BackendTrafficPolicySpec defines the desired state of BackendTrafficPolicy.
@@ -43,6 +43,7 @@ type BackendTrafficPolicy struct {
 // +kubebuilder:validation:XValidation:rule="has(self.targetRefs) ? self.targetRefs.all(ref, ref.group == 'gateway.networking.k8s.io') : true ", message="this policy can only have a targetRefs[*].group of gateway.networking.k8s.io"
 // +kubebuilder:validation:XValidation:rule="has(self.targetRefs) ? self.targetRefs.all(ref, ref.kind in ['Gateway', 'HTTPRoute', 'GRPCRoute', 'UDPRoute', 'TCPRoute', 'TLSRoute']) : true ", message="this policy can only have a targetRefs[*].kind of Gateway/HTTPRoute/GRPCRoute/TCPRoute/UDPRoute/TLSRoute"
 // +kubebuilder:validation:XValidation:rule="has(self.targetRefs) ? self.targetRefs.all(ref, !has(ref.sectionName)) : true",message="this policy does not yet support the sectionName field"
+// +kubebuilder:validation:XValidation:rule="!has(self.compression) || !has(self.compressor)", message="either compression or compressor can be set, not both"
 type BackendTrafficPolicySpec struct {
 	PolicyTargetReferences `json:",inline"`
 	ClusterSettings        `json:",inline"`
@@ -73,13 +74,23 @@ type BackendTrafficPolicySpec struct {
 	UseClientProtocol *bool `json:"useClientProtocol,omitempty"`
 
 	// The compression config for the http streams.
+	// Deprecated: Use Compressor instead.
 	//
 	// +patchMergeKey=type
 	// +patchStrategy=merge
 	//
 	// +optional
 	Compression []*Compression `json:"compression,omitempty" patchMergeKey:"type" patchStrategy:"merge"`
 
+	// The compressor config for the http streams.
+	// This provides more granular control over compression configuration.
+	//
+	// +patchMergeKey=type
+	// +patchStrategy=merge
+	//
+	// +optional
+	Compressor []*Compression `json:"compressor,omitempty" patchMergeKey:"type" patchStrategy:"merge"`
+
 	// ResponseOverride defines the configuration to override specific responses with a custom one.
 	// If multiple configurations are specified, the first one to match wins.
 	//

api/v1alpha1/clienttrafficpolicy_types.go

@@ -7,7 +7,7 @@ package v1alpha1
 
 import (
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
-	gwapiv1a2 "sigs.k8s.io/gateway-api/apis/v1alpha2"
+	gwapiv1 "sigs.k8s.io/gateway-api/apis/v1"
 )
 
 const (
@@ -30,17 +30,16 @@ type ClientTrafficPolicy struct {
 	Spec ClientTrafficPolicySpec `json:"spec"`
 
 	// Status defines the current status of ClientTrafficPolicy.
-	Status gwapiv1a2.PolicyStatus `json:"status,omitempty"`
+	Status gwapiv1.PolicyStatus `json:"status,omitempty"`
 }
 
-// +kubebuilder:validation:XValidation:rule="(has(self.targetRef) && !has(self.targetRefs)) || (!has(self.targetRef) && has(self.targetRefs)) || (has(self.targetSelectors) && self.targetSelectors.size() > 0) ", message="either targetRef or targetRefs must be used"
+// ClientTrafficPolicySpec defines the desired state of ClientTrafficPolicy.
 //
+// +kubebuilder:validation:XValidation:rule="(has(self.targetRef) && !has(self.targetRefs)) || (!has(self.targetRef) && has(self.targetRefs)) || (has(self.targetSelectors) && self.targetSelectors.size() > 0) ", message="either targetRef or targetRefs must be used"
 // +kubebuilder:validation:XValidation:rule="has(self.targetRef) ? self.targetRef.group == 'gateway.networking.k8s.io' : true", message="this policy can only have a targetRef.group of gateway.networking.k8s.io"
 // +kubebuilder:validation:XValidation:rule="has(self.targetRef) ? self.targetRef.kind == 'Gateway' : true", message="this policy can only have a targetRef.kind of Gateway"
 // +kubebuilder:validation:XValidation:rule="has(self.targetRefs) ? self.targetRefs.all(ref, ref.group == 'gateway.networking.k8s.io') : true", message="this policy can only have a targetRefs[*].group of gateway.networking.k8s.io"
 // +kubebuilder:validation:XValidation:rule="has(self.targetRefs) ? self.targetRefs.all(ref, ref.kind == 'Gateway') : true", message="this policy can only have a targetRefs[*].kind of Gateway"
-//
-// ClientTrafficPolicySpec defines the desired state of ClientTrafficPolicy.
 type ClientTrafficPolicySpec struct {
 	PolicyTargetReferences `json:",inline"`
 

api/v1alpha1/compression_types.go

@@ -7,13 +7,15 @@ package v1alpha1
 
 // CompressorType defines the types of compressor library supported by Envoy Gateway.
 //
-// +kubebuilder:validation:Enum=Gzip;Brotli
+// +kubebuilder:validation:Enum=Gzip;Brotli;Zstd
 type CompressorType string
 
 const (
 	GzipCompressorType CompressorType = "Gzip"
 
 	BrotliCompressorType CompressorType = "Brotli"
+
+	ZstdCompressorType CompressorType = "Zstd"
 )
 
 // GzipCompressor defines the config for the Gzip compressor.
@@ -26,6 +28,11 @@ type GzipCompressor struct{}
 // https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/compression/brotli/compressor/v3/brotli.proto#extension-envoy-compression-brotli-compressor
 type BrotliCompressor struct{}
 
+// ZstdCompressor defines the config for the Zstd compressor.
+// The default values can be found here:
+// https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/compression/zstd/compressor/v3/zstd.proto#extension-envoy-compression-zstd-compressor
+type ZstdCompressor struct{}
+
 // Compression defines the config of enabling compression.
 // This can help reduce the bandwidth at the expense of higher CPU.
 type Compression struct {
@@ -43,4 +50,9 @@ type Compression struct {
 	//
 	// +optional
 	Gzip *GzipCompressor `json:"gzip,omitempty"`
+
+	// The configuration for Zstd compressor.
+	//
+	// +optional
+	Zstd *ZstdCompressor `json:"zstd,omitempty"`
 }

api/v1alpha1/envoyextensionypolicy_types.go

@@ -7,7 +7,7 @@ package v1alpha1
 
 import (
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
-	gwapiv1a2 "sigs.k8s.io/gateway-api/apis/v1alpha2"
+	gwapiv1 "sigs.k8s.io/gateway-api/apis/v1"
 )
 
 const (
@@ -29,7 +29,7 @@ type EnvoyExtensionPolicy struct {
 	Spec EnvoyExtensionPolicySpec `json:"spec"`
 
 	// Status defines the current status of EnvoyExtensionPolicy.
-	Status gwapiv1a2.PolicyStatus `json:"status,omitempty"`
+	Status gwapiv1.PolicyStatus `json:"status,omitempty"`
 }
 
 // EnvoyExtensionPolicySpec defines the desired state of EnvoyExtensionPolicy.