chore: add missing filters in the filter order configuration (#7404)

* add missing filters in the filter order configuration

Signed-off-by: Huabing Zhao <[email protected]>

* fix wrong filter name

Signed-off-by: Huabing Zhao <[email protected]>

Author: zhaohuabing

api/v1alpha1/envoyproxy_types.go

@@ -106,6 +106,8 @@ type EnvoyProxySpec struct {
 	//
 	// - envoy.filters.http.ext_authz
 	//
+	// - envoy.filters.http.api_key_auth
+	//
 	// - envoy.filters.http.basic_auth
 	//
 	// - envoy.filters.http.oauth2
@@ -114,6 +116,8 @@ type EnvoyProxySpec struct {
 	//
 	// - envoy.filters.http.stateful_session
 	//
+	// - envoy.filters.http.buffer
+	//
 	// - envoy.filters.http.lua
 	//
 	// - envoy.filters.http.ext_proc
@@ -126,8 +130,16 @@ type EnvoyProxySpec struct {
 	//
 	// - envoy.filters.http.ratelimit
 	//
+	// - envoy.filters.http.grpc_web
+	//
+	// - envoy.filters.http.grpc_stats
+	//
 	// - envoy.filters.http.custom_response
 	//
+	// - envoy.filters.http.credential_injector
+	//
+	// - envoy.filters.http.compressor
+	//
 	// - envoy.filters.http.router
 	//
 	// Note: "envoy.filters.http.router" cannot be reordered, it's always the last filter in the chain.
@@ -222,7 +234,7 @@ type FilterPosition struct {
 }
 
 // EnvoyFilter defines the type of Envoy HTTP filter.
-// +kubebuilder:validation:Enum=envoy.filters.http.health_check;envoy.filters.http.fault;envoy.filters.http.cors;envoy.filters.http.ext_authz;envoy.filters.http.api_key_auth;envoy.filters.http.basic_auth;envoy.filters.http.oauth2;envoy.filters.http.jwt_authn;envoy.filters.http.stateful_session;envoy.filters.http.lua;envoy.filters.http.ext_proc;envoy.filters.http.wasm;envoy.filters.http.rbac;envoy.filters.http.local_ratelimit;envoy.filters.http.ratelimit;envoy.filters.http.custom_response;envoy.filters.http.compressor
+// +kubebuilder:validation:Enum=envoy.filters.http.health_check;envoy.filters.http.fault;envoy.filters.http.cors;envoy.filters.http.ext_authz;envoy.filters.http.api_key_auth;envoy.filters.http.basic_auth;envoy.filters.http.oauth2;envoy.filters.http.jwt_authn;envoy.filters.http.stateful_session;envoy.filters.http.buffer;envoy.filters.http.lua;envoy.filters.http.ext_proc;envoy.filters.http.wasm;envoy.filters.http.rbac;envoy.filters.http.local_ratelimit;envoy.filters.http.ratelimit;envoy.filters.http.grpc_web;envoy.filters.http.grpc_stats;envoy.filters.http.custom_response;envoy.filters.http.credential_injector;envoy.filters.http.compressor
 type EnvoyFilter string
 
 const (

charts/gateway-crds-helm/templates/generated/gateway.envoyproxy.io_envoyproxies.yaml

@@ -292,6 +292,8 @@ spec:
 
                   - envoy.filters.http.ext_authz
 
+                  - envoy.filters.http.api_key_auth
+
                   - envoy.filters.http.basic_auth
 
                   - envoy.filters.http.oauth2
@@ -300,6 +302,8 @@ spec:
 
                   - envoy.filters.http.stateful_session
 
+                  - envoy.filters.http.buffer
+
                   - envoy.filters.http.lua
 
                   - envoy.filters.http.ext_proc
@@ -312,8 +316,16 @@ spec:
 
                   - envoy.filters.http.ratelimit
 
+                  - envoy.filters.http.grpc_web
+
+                  - envoy.filters.http.grpc_stats
+
                   - envoy.filters.http.custom_response
 
+                  - envoy.filters.http.credential_injector
+
+                  - envoy.filters.http.compressor
+
                   - envoy.filters.http.router
 
                   Note: "envoy.filters.http.router" cannot be reordered, it's always the last filter in the chain.
@@ -335,13 +347,17 @@ spec:
                       - envoy.filters.http.oauth2
                       - envoy.filters.http.jwt_authn
                       - envoy.filters.http.stateful_session
+                      - envoy.filters.http.buffer
                       - envoy.filters.http.lua
                       - envoy.filters.http.ext_proc
                       - envoy.filters.http.wasm
                       - envoy.filters.http.rbac
                       - envoy.filters.http.local_ratelimit
                       - envoy.filters.http.ratelimit
+                      - envoy.filters.http.grpc_web
+                      - envoy.filters.http.grpc_stats
                       - envoy.filters.http.custom_response
+                      - envoy.filters.http.credential_injector
                       - envoy.filters.http.compressor
                       type: string
                     before:
@@ -358,13 +374,17 @@ spec:
                       - envoy.filters.http.oauth2
                       - envoy.filters.http.jwt_authn
                       - envoy.filters.http.stateful_session
+                      - envoy.filters.http.buffer
                       - envoy.filters.http.lua
                       - envoy.filters.http.ext_proc
                       - envoy.filters.http.wasm
                       - envoy.filters.http.rbac
                       - envoy.filters.http.local_ratelimit
                       - envoy.filters.http.ratelimit
+                      - envoy.filters.http.grpc_web
+                      - envoy.filters.http.grpc_stats
                       - envoy.filters.http.custom_response
+                      - envoy.filters.http.credential_injector
                       - envoy.filters.http.compressor
                       type: string
                     name:
@@ -379,13 +399,17 @@ spec:
                       - envoy.filters.http.oauth2
                       - envoy.filters.http.jwt_authn
                       - envoy.filters.http.stateful_session
+                      - envoy.filters.http.buffer
                       - envoy.filters.http.lua
                       - envoy.filters.http.ext_proc
                       - envoy.filters.http.wasm
                       - envoy.filters.http.rbac
                       - envoy.filters.http.local_ratelimit
                       - envoy.filters.http.ratelimit
+                      - envoy.filters.http.grpc_web
+                      - envoy.filters.http.grpc_stats
                       - envoy.filters.http.custom_response
+                      - envoy.filters.http.credential_injector
                       - envoy.filters.http.compressor
                       type: string
                   required:

charts/gateway-helm/crds/generated/gateway.envoyproxy.io_envoyproxies.yaml

@@ -291,6 +291,8 @@ spec:
 
                   - envoy.filters.http.ext_authz
 
+                  - envoy.filters.http.api_key_auth
+
                   - envoy.filters.http.basic_auth
 
                   - envoy.filters.http.oauth2
@@ -299,6 +301,8 @@ spec:
 
                   - envoy.filters.http.stateful_session
 
+                  - envoy.filters.http.buffer
+
                   - envoy.filters.http.lua
 
                   - envoy.filters.http.ext_proc
@@ -311,8 +315,16 @@ spec:
 
                   - envoy.filters.http.ratelimit
 
+                  - envoy.filters.http.grpc_web
+
+                  - envoy.filters.http.grpc_stats
+
                   - envoy.filters.http.custom_response
 
+                  - envoy.filters.http.credential_injector
+
+                  - envoy.filters.http.compressor
+
                   - envoy.filters.http.router
 
                   Note: "envoy.filters.http.router" cannot be reordered, it's always the last filter in the chain.
@@ -334,13 +346,17 @@ spec:
                       - envoy.filters.http.oauth2
                       - envoy.filters.http.jwt_authn
                       - envoy.filters.http.stateful_session
+                      - envoy.filters.http.buffer
                       - envoy.filters.http.lua
                       - envoy.filters.http.ext_proc
                       - envoy.filters.http.wasm
                       - envoy.filters.http.rbac
                       - envoy.filters.http.local_ratelimit
                       - envoy.filters.http.ratelimit
+                      - envoy.filters.http.grpc_web
+                      - envoy.filters.http.grpc_stats
                       - envoy.filters.http.custom_response
+                      - envoy.filters.http.credential_injector
                       - envoy.filters.http.compressor
                       type: string
                     before:
@@ -357,13 +373,17 @@ spec:
                       - envoy.filters.http.oauth2
                       - envoy.filters.http.jwt_authn
                       - envoy.filters.http.stateful_session
+                      - envoy.filters.http.buffer
                       - envoy.filters.http.lua
                       - envoy.filters.http.ext_proc
                       - envoy.filters.http.wasm
                       - envoy.filters.http.rbac
                       - envoy.filters.http.local_ratelimit
                       - envoy.filters.http.ratelimit
+                      - envoy.filters.http.grpc_web
+                      - envoy.filters.http.grpc_stats
                       - envoy.filters.http.custom_response
+                      - envoy.filters.http.credential_injector
                       - envoy.filters.http.compressor
                       type: string
                     name:
@@ -378,13 +398,17 @@ spec:
                       - envoy.filters.http.oauth2
                       - envoy.filters.http.jwt_authn
                       - envoy.filters.http.stateful_session
+                      - envoy.filters.http.buffer
                       - envoy.filters.http.lua
                       - envoy.filters.http.ext_proc
                       - envoy.filters.http.wasm
                       - envoy.filters.http.rbac
                       - envoy.filters.http.local_ratelimit
                       - envoy.filters.http.ratelimit
+                      - envoy.filters.http.grpc_web
+                      - envoy.filters.http.grpc_stats
                       - envoy.filters.http.custom_response
+                      - envoy.filters.http.credential_injector
                       - envoy.filters.http.compressor
                       type: string
                   required:

internal/gatewayapi/testdata/custom-filter-order.in.yaml

@@ -17,7 +17,7 @@ envoyProxyForGatewayClass:
       - name: envoy.filters.http.wasm
         before: envoy.filters.http.jwt_authn
       - name: envoy.filters.http.cors
-        after: envoy.filters.http.basic_authn
+        after: envoy.filters.http.basic_auth
 gateways:
   - apiVersion: gateway.networking.k8s.io/v1
     kind: Gateway

internal/gatewayapi/testdata/custom-filter-order.out.yaml

@@ -135,7 +135,7 @@ infraIR:
           filterOrder:
           - before: envoy.filters.http.jwt_authn
             name: envoy.filters.http.wasm
-          - after: envoy.filters.http.basic_authn
+          - after: envoy.filters.http.basic_auth
             name: envoy.filters.http.cors
           logging: {}
         status: {}
@@ -221,7 +221,7 @@ xdsIR:
     filterOrder:
     - before: envoy.filters.http.jwt_authn
       name: envoy.filters.http.wasm
-    - after: envoy.filters.http.basic_authn
+    - after: envoy.filters.http.basic_auth
       name: envoy.filters.http.cors
     globalResources:
       envoyClientCertificate:

internal/xds/translator/testdata/in/xds-ir/custom-filter-order.yaml

@@ -1,7 +1,7 @@
 filterOrder:
 - before: envoy.filters.http.jwt_authn
   name: envoy.filters.http.wasm
-- after: envoy.filters.http.basic_authn
+- after: envoy.filters.http.basic_auth
   name: envoy.filters.http.cors
 http:
 - address: 0.0.0.0

internal/xds/translator/testdata/out/xds-ir/custom-filter-order.listeners.yaml

@@ -14,15 +14,15 @@
           initialStreamWindowSize: 65536
           maxConcurrentStreams: 100
         httpFilters:
-        - name: envoy.filters.http.cors
-          typedConfig:
-            '@type': type.googleapis.com/envoy.extensions.filters.http.cors.v3.Cors
         - disabled: true
           name: envoy.filters.http.basic_auth/securitypolicy/envoy-gateway/policy-for-gateway
           typedConfig:
             '@type': type.googleapis.com/envoy.extensions.filters.http.basic_auth.v3.BasicAuth
             users:
               inlineBytes: dXNlcjE6e1NIQX10RVNzQm1FL3lOWTNsYjZhMEw2dlZRRVpOcXc9CnVzZXIyOntTSEF9RUo5TFBGRFhzTjl5blNtYnh2anA3NUJtbHg4PQo=
+        - name: envoy.filters.http.cors
+          typedConfig:
+            '@type': type.googleapis.com/envoy.extensions.filters.http.cors.v3.Cors
         - disabled: true
           name: envoy.filters.http.wasm/envoyextensionpolicy/envoy-gateway/policy-for-gateway/0
           typedConfig:

site/content/en/latest/api/extension_types.md

@@ -1755,7 +1755,7 @@ _Appears in:_
 | `extraArgs` | _string array_ |  false  |  | ExtraArgs defines additional command line options that are provided to Envoy.<br />More info: https://www.envoyproxy.io/docs/envoy/latest/operations/cli#command-line-options<br />Note: some command line options are used internally(e.g. --log-level) so they cannot be provided here. |
 | `mergeGateways` | _boolean_ |  false  |  | MergeGateways defines if Gateway resources should be merged onto the same Envoy Proxy Infrastructure.<br />Setting this field to true would merge all Gateway Listeners under the parent Gateway Class.<br />This means that the port, protocol and hostname tuple must be unique for every listener.<br />If a duplicate listener is detected, the newer listener (based on timestamp) will be rejected and its status will be updated with a "Accepted=False" condition. |
 | `shutdown` | _[ShutdownConfig](#shutdownconfig)_ |  false  |  | Shutdown defines configuration for graceful envoy shutdown process. |
-| `filterOrder` | _[FilterPosition](#filterposition) array_ |  false  |  | FilterOrder defines the order of filters in the Envoy proxy's HTTP filter chain.<br />The FilterPosition in the list will be applied in the order they are defined.<br />If unspecified, the default filter order is applied.<br />Default filter order is:<br />- envoy.filters.http.health_check<br />- envoy.filters.http.fault<br />- envoy.filters.http.cors<br />- envoy.filters.http.ext_authz<br />- envoy.filters.http.basic_auth<br />- envoy.filters.http.oauth2<br />- envoy.filters.http.jwt_authn<br />- envoy.filters.http.stateful_session<br />- envoy.filters.http.lua<br />- envoy.filters.http.ext_proc<br />- envoy.filters.http.wasm<br />- envoy.filters.http.rbac<br />- envoy.filters.http.local_ratelimit<br />- envoy.filters.http.ratelimit<br />- envoy.filters.http.custom_response<br />- envoy.filters.http.router<br />Note: "envoy.filters.http.router" cannot be reordered, it's always the last filter in the chain. |
+| `filterOrder` | _[FilterPosition](#filterposition) array_ |  false  |  | FilterOrder defines the order of filters in the Envoy proxy's HTTP filter chain.<br />The FilterPosition in the list will be applied in the order they are defined.<br />If unspecified, the default filter order is applied.<br />Default filter order is:<br />- envoy.filters.http.health_check<br />- envoy.filters.http.fault<br />- envoy.filters.http.cors<br />- envoy.filters.http.ext_authz<br />- envoy.filters.http.api_key_auth<br />- envoy.filters.http.basic_auth<br />- envoy.filters.http.oauth2<br />- envoy.filters.http.jwt_authn<br />- envoy.filters.http.stateful_session<br />- envoy.filters.http.buffer<br />- envoy.filters.http.lua<br />- envoy.filters.http.ext_proc<br />- envoy.filters.http.wasm<br />- envoy.filters.http.rbac<br />- envoy.filters.http.local_ratelimit<br />- envoy.filters.http.ratelimit<br />- envoy.filters.http.grpc_web<br />- envoy.filters.http.grpc_stats<br />- envoy.filters.http.custom_response<br />- envoy.filters.http.credential_injector<br />- envoy.filters.http.compressor<br />- envoy.filters.http.router<br />Note: "envoy.filters.http.router" cannot be reordered, it's always the last filter in the chain. |
 | `backendTLS` | _[BackendTLSConfig](#backendtlsconfig)_ |  false  |  | BackendTLS is the TLS configuration for the Envoy proxy to use when connecting to backends.<br />These settings are applied on backends for which TLS policies are specified. |
 | `ipFamily` | _[IPFamily](#ipfamily)_ |  false  |  | IPFamily specifies the IP family for the EnvoyProxy fleet.<br />This setting only affects the Gateway listener port and does not impact<br />other aspects of the Envoy proxy configuration.<br />If not specified, the system will operate as follows:<br />- It defaults to IPv4 only.<br />- IPv6 and dual-stack environments are not supported in this default configuration.<br />Note: To enable IPv6 or dual-stack functionality, explicit configuration is required. |
 | `preserveRouteOrder` | _boolean_ |  false  |  | PreserveRouteOrder determines if the order of matching for HTTPRoutes is determined by Gateway-API<br />specification (https://gateway-api.sigs.k8s.io/reference/1.4/spec/#httprouterule)<br />or preserves the order defined by users in the HTTPRoute's HTTPRouteRule list.<br />Default: False |

site/content/en/latest/tasks/operations/customize-envoyproxy.md

@@ -1025,17 +1025,27 @@ Under the hood, Envoy Gateway uses a series of [Envoy HTTP filters](https://www.
 to process HTTP requests and responses, and to apply various policies.
 
 By default, Envoy Gateway applies the following filters in the order shown:
+* envoy.filters.http.health_check
 * envoy.filters.http.fault
 * envoy.filters.http.cors
 * envoy.filters.http.ext_authz
-* envoy.filters.http.basic_authn
+* envoy.filters.http.api_key_auth
+* envoy.filters.http.basic_auth
 * envoy.filters.http.oauth2
 * envoy.filters.http.jwt_authn
+* envoy.filters.http.stateful_session
+* envoy.filters.http.buffer
+* envoy.filters.http.lua
 * envoy.filters.http.ext_proc
 * envoy.filters.http.wasm
 * envoy.filters.http.rbac
 * envoy.filters.http.local_ratelimit
 * envoy.filters.http.ratelimit
+* envoy.filters.http.grpc_web
+* envoy.filters.http.grpc_stats
+* envoy.filters.http.custom_response
+* envoy.filters.http.credential_injector
+* envoy.filters.http.compressor
 * envoy.filters.http.router
 
 The default order in which these filters are applied is opinionated and may not suit all use cases.
@@ -1047,7 +1057,7 @@ If a filter occurs in multiple configurations, the final order is the result of
 To avoid conflicts, it is recommended to only specify one configuration per filter.
 
 For example, the following configuration moves the `envoy.filters.http.wasm` filter before the `envoy.filters.http.jwt_authn`
-filter and the `envoy.filters.http.cors` filter after the `envoy.filters.http.basic_authn` filter:
+filter and the `envoy.filters.http.cors` filter after the `envoy.filters.http.basic_auth` filter:
 
 {{< tabpane text=true >}}
 {{% tab header="Apply from stdin" %}}
@@ -1064,7 +1074,7 @@ spec:
     - name: envoy.filters.http.wasm
       before: envoy.filters.http.jwt_authn
     - name: envoy.filters.http.cors
-      after: envoy.filters.http.basic_authn
+      after: envoy.filters.http.basic_auth
 EOF
 ```
 
@@ -1084,7 +1094,7 @@ spec:
     - name: envoy.filters.http.wasm
       before: envoy.filters.http.jwt_authn
     - name: envoy.filters.http.cors
-      after: envoy.filters.http.basic_authn
+      after: envoy.filters.http.basic_auth
 ```
 
 {{% /tab %}}