Merge branch 'main' into add-body-to-ext-auth

.github/workflows/codeql.yml

@@ -36,14 +36,14 @@ jobs:
     - uses: ./tools/github-actions/setup-deps
 
     - name: Initialize CodeQL
-      uses: github/codeql-action/init@662472033e021d55d94146f66f6058822b0b39fd  # v3.27.0
+      uses: github/codeql-action/init@ea9e4e37992a54ee68a9622e985e60c8e8f12d9f  # v3.27.4
       with:
         languages: ${{ matrix.language }}
 
     - name: Autobuild
-      uses: github/codeql-action/autobuild@662472033e021d55d94146f66f6058822b0b39fd  # v3.27.0
+      uses: github/codeql-action/autobuild@ea9e4e37992a54ee68a9622e985e60c8e8f12d9f  # v3.27.4
 
     - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@662472033e021d55d94146f66f6058822b0b39fd  # v3.27.0
+      uses: github/codeql-action/analyze@ea9e4e37992a54ee68a9622e985e60c8e8f12d9f  # v3.27.4
       with:
         category: "/language:${{matrix.language}}"

.github/workflows/docs.yaml

@@ -3,14 +3,12 @@ on:
   push:
     branches:
     - "main"
-    - "release/v*"
     paths:
     - 'site/**'
     - 'tools/make/docs.mk'
   pull_request:
     branches:
     - "main"
-    - "release/v*"
     paths:
     - 'site/**'
     - 'tools/make/docs.mk'

.github/workflows/latest_release.yaml

@@ -107,7 +107,7 @@ jobs:
         GITHUB_REPOSITORY: ${{ github.repository_owner }}/${{ github.event.repository.name }}
 
     - name: Recreate the Latest Release and Tag
-      uses: softprops/action-gh-release@e7a8f85e1c67a31e6ed99a94b41bd0b71bbee6b8  # v0.1.15
+      uses: softprops/action-gh-release@01570a1f39cb168c169c802c3bceb9e93fb10974  # v0.1.15
       with:
         draft: false
         prerelease: true

.github/workflows/release.yaml

@@ -96,7 +96,7 @@ jobs:
           tar -zcvf egctl_${{ env.release_tag }}_darwin_arm64.tar.gz bin/darwin/arm64/egctl
 
       - name: Upload Release Manifests
-        uses: softprops/action-gh-release@e7a8f85e1c67a31e6ed99a94b41bd0b71bbee6b8  # v0.1.15
+        uses: softprops/action-gh-release@01570a1f39cb168c169c802c3bceb9e93fb10974  # v0.1.15
         with:
           files: |
             release-artifacts/install.yaml

.github/workflows/scorecard.yml

@@ -40,6 +40,6 @@ jobs:
         retention-days: 5
 
     - name: "Upload to code-scanning"
-      uses: github/codeql-action/upload-sarif@662472033e021d55d94146f66f6058822b0b39fd  # v3.27.0
+      uses: github/codeql-action/upload-sarif@ea9e4e37992a54ee68a9622e985e60c8e8f12d9f  # v3.27.4
       with:
         sarif_file: results.sarif

api/v1alpha1/accesslogging_types.go

@@ -138,10 +138,7 @@ const (
 // The service must implement the Envoy gRPC Access Log Service streaming API:
 // https://www.envoyproxy.io/docs/envoy/latest/api-v3/service/accesslog/v3/als.proto
 // Access log format information is passed in the form of gRPC metadata when the
-// stream is established. Specifically, the following metadata is passed:
-//
-// - `x-accesslog-text` - The access log format string when a Text format is used.
-// - `x-accesslog-attr` - JSON encoded key/value pairs when a JSON format is used.
+// stream is established.
 //
 // +kubebuilder:validation:XValidation:rule="self.type == 'HTTP' || !has(self.http)",message="The http field may only be set when type is HTTP."
 // +kubebuilder:validation:XValidation:message="BackendRefs must be used, backendRef is not supported.",rule="!has(self.backendRef)"

api/v1alpha1/authorization_types.go

@@ -71,7 +71,6 @@ type Principal struct {
 	// Note: in order to use JWT claims for authorization, you must configure the
 	// JWT authentication in the same `SecurityPolicy`.
 	// +optional
-	// +notImplementedHide
 	JWT *JWTPrincipal `json:"jwt,omitempty"`
 }
 

api/v1alpha1/clienttrafficpolicy_types.go

@@ -237,14 +237,29 @@ type ClientIPDetectionSettings struct {
 }
 
 // XForwardedForSettings provides configuration for using X-Forwarded-For headers for determining the client IP address.
+// Refer to https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_conn_man/headers#x-forwarded-for
+// for more details.
+// +kubebuilder:validation:XValidation:rule="(has(self.numTrustedHops) && !has(self.trustedCIDRs)) || (!has(self.numTrustedHops) && has(self.trustedCIDRs))", message="only one of numTrustedHops or trustedCIDRs must be set"
 type XForwardedForSettings struct {
 	// NumTrustedHops controls the number of additional ingress proxy hops from the right side of XFF HTTP
 	// headers to trust when determining the origin client's IP address.
-	// Refer to https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_conn_man/headers#x-forwarded-for
-	// for more details.
+	// Only one of NumTrustedHops and TrustedCIDRs must be set.
 	//
 	// +optional
 	NumTrustedHops *uint32 `json:"numTrustedHops,omitempty"`
+
+	// TrustedCIDRs is a list of CIDR ranges to trust when evaluating
+	// the remote IP address to determine the original client’s IP address.
+	// When the remote IP address matches a trusted CIDR and the x-forwarded-for header was sent,
+	// each entry in the x-forwarded-for header is evaluated from right to left
+	// and the first public non-trusted address is used as the original client address.
+	// If all addresses in x-forwarded-for are within the trusted list, the first (leftmost) entry is used.
+	// Only one of NumTrustedHops and TrustedCIDRs must be set.
+	//
+	// +optional
+	// +kubebuilder:validation:MinItems=1
+	// +notImplementedHide
+	TrustedCIDRs []CIDR `json:"trustedCIDRs,omitempty"`
 }
 
 // CustomHeaderExtensionSettings provides configuration for determining the client IP address for a request based on

api/v1alpha1/ext_auth_types.go

@@ -60,7 +60,6 @@ type ExtAuth struct {
 // The authorization request message is defined in
 // https://www.envoyproxy.io/docs/envoy/latest/api-v3/service/auth/v3/external_auth.proto
 // +kubebuilder:validation:XValidation:message="backendRef or backendRefs needs to be set",rule="has(self.backendRef) || self.backendRefs.size() > 0"
-// +kubebuilder:validation:XValidation:message="BackendRefs must be used, backendRef is not supported.",rule="!has(self.backendRef)"
 // +kubebuilder:validation:XValidation:message="BackendRefs only supports Service and Backend kind.",rule="has(self.backendRefs) ? self.backendRefs.all(f, f.kind == 'Service' || f.kind == 'Backend') : true"
 // +kubebuilder:validation:XValidation:message="BackendRefs only supports Core and gateway.envoyproxy.io group.",rule="has(self.backendRefs) ? (self.backendRefs.all(f, f.group == \"\" || f.group == 'gateway.envoyproxy.io')) : true"
 type GRPCExtAuthService struct {
@@ -71,7 +70,6 @@ type GRPCExtAuthService struct {
 // HTTPExtAuthService defines the HTTP External Authorization service
 //
 // +kubebuilder:validation:XValidation:message="backendRef or backendRefs needs to be set",rule="has(self.backendRef) || self.backendRefs.size() > 0"
-// +kubebuilder:validation:XValidation:message="BackendRefs must be used, backendRef is not supported.",rule="!has(self.backendRef)"
 // +kubebuilder:validation:XValidation:message="BackendRefs only supports Service and Backend kind.",rule="has(self.backendRefs) ? self.backendRefs.all(f, f.kind == 'Service' || f.kind == 'Backend') : true"
 // +kubebuilder:validation:XValidation:message="BackendRefs only supports Core and gateway.envoyproxy.io group.",rule="has(self.backendRefs) ? (self.backendRefs.all(f, f.group == \"\" || f.group == 'gateway.envoyproxy.io')) : true"
 type HTTPExtAuthService struct {

api/v1alpha1/tls_types.go

@@ -69,7 +69,12 @@ type TLSSettings struct {
 	SignatureAlgorithms []string `json:"signatureAlgorithms,omitempty"`
 
 	// ALPNProtocols supplies the list of ALPN protocols that should be
-	// exposed by the listener. By default h2 and http/1.1 are enabled.
+	// exposed by the listener or used by the proxy to connect to the backend.
+	// Defaults:
+	// 1. HTTPS Routes: h2 and http/1.1 are enabled in listener context.
+	// 2. Other Routes: ALPN is disabled.
+	// 3. Backends: proxy uses the appropriate ALPN options for the backend protocol.
+	// When an empty list is provided, the ALPN TLS extension is disabled.
 	// Supported values are:
 	// - http/1.0
 	// - http/1.1

api/v1alpha1/validation/securitypolicy_validate.go

@@ -10,6 +10,7 @@ import (
 	"fmt"
 	"net/mail"
 	"net/url"
+	"strings"
 
 	utilerrors "k8s.io/apimachinery/pkg/util/errors"
 	"k8s.io/apimachinery/pkg/util/validation"
@@ -69,13 +70,21 @@ func ValidateJWTProvider(providers []egv1a1.JWTProvider) error {
 		case len(provider.Name) == 0:
 			errs = append(errs, errors.New("jwt provider cannot be an empty string"))
 		case len(provider.Issuer) != 0:
-			// Issuer can take the format of a URL or an email address.
-			if _, err := url.ParseRequestURI(provider.Issuer); err != nil {
-				_, err := mail.ParseAddress(provider.Issuer)
-				if err != nil {
-					errs = append(errs, fmt.Errorf("invalid issuer; must be a URL or email address: %w", err))
+			switch {
+			// Issuer follows StringOrURI format based on https://datatracker.ietf.org/doc/html/rfc7519#section-4.1.1.
+			// Hence, when it contains ':', it MUST be a valid URI.
+			case strings.Contains(provider.Issuer, ":"):
+				if _, err := url.ParseRequestURI(provider.Issuer); err != nil {
+					errs = append(errs, fmt.Errorf("invalid issuer; when issuer contains ':' character, it MUST be a valid URI"))
+				}
+			// Adding reserved character for '@', to represent an email address.
+			// Hence, when it contains '@', it MUST be a valid Email Address.
+			case strings.Contains(provider.Issuer, "@"):
+				if _, err := mail.ParseAddress(provider.Issuer); err != nil {
+					errs = append(errs, fmt.Errorf("invalid issuer; when issuer contains '@' character, it MUST be a valid Email Address format: %w", err))
 				}
 			}
+
 		case len(provider.RemoteJWKS.URI) == 0:
 			errs = append(errs, fmt.Errorf("uri must be set for remote JWKS provider: %s", provider.Name))
 		}

api/v1alpha1/validation/securitypolicy_validate_test.go

@@ -41,7 +41,7 @@ func TestValidateSecurityPolicy(t *testing.T) {
 			expected: false,
 		},
 		{
-			name: "valid security policy with url",
+			name: "valid security policy with URI issuer",
 			policy: &egv1a1.SecurityPolicy{
 				TypeMeta: metav1.TypeMeta{
 					Kind:       egv1a1.KindSecurityPolicy,
@@ -69,7 +69,7 @@ func TestValidateSecurityPolicy(t *testing.T) {
 			expected: true,
 		},
 		{
-			name: "valid security policy with email",
+			name: "valid security policy with Email issuer",
 			policy: &egv1a1.SecurityPolicy{
 				TypeMeta: metav1.TypeMeta{
 					Kind:       egv1a1.KindSecurityPolicy,
@@ -96,6 +96,34 @@ func TestValidateSecurityPolicy(t *testing.T) {
 			},
 			expected: true,
 		},
+		{
+			name: "valid security policy with non URI/Email Issuer",
+			policy: &egv1a1.SecurityPolicy{
+				TypeMeta: metav1.TypeMeta{
+					Kind:       egv1a1.KindSecurityPolicy,
+					APIVersion: egv1a1.GroupVersion.String(),
+				},
+				ObjectMeta: metav1.ObjectMeta{
+					Namespace: "test",
+					Name:      "test",
+				},
+				Spec: egv1a1.SecurityPolicySpec{
+					JWT: &egv1a1.JWT{
+						Providers: []egv1a1.JWTProvider{
+							{
+								Name:      "test",
+								Issuer:    "foo.bar.local",
+								Audiences: []string{"foo.bar.local"},
+								RemoteJWKS: egv1a1.RemoteJWKS{
+									URI: "https://test.local/jwt/public-key/jwks.json",
+								},
+							},
+						},
+					},
+				},
+			},
+			expected: true,
+		},
 		{
 			name: "valid security policy with jwtClaimToHeader",
 			policy: &egv1a1.SecurityPolicy{

api/v1alpha1/wasm_types.go

@@ -10,6 +10,14 @@ import (
 	gwapiv1 "sigs.k8s.io/gateway-api/apis/v1"
 )
 
+// WasmEnv defines the environment variables for the VM of a Wasm extension
+type WasmEnv struct {
+	// HostKeys is a list of keys for environment variables from the host envoy process
+	// that should be passed into the Wasm VM. This is useful for passing secrets to to Wasm extensions.
+	// +optional
+	HostKeys []string `json:"hostKeys,omitempty"`
+}
+
 // Wasm defines a Wasm extension.
 //
 // Note: at the moment, Envoy Gateway does not support configuring Wasm runtime.
@@ -52,6 +60,10 @@ type Wasm struct {
 	// Priority defines the location of the Wasm extension in the HTTP filter chain.
 	// If not specified, the Wasm extension will be inserted before the router filter.
 	// Priority *uint32 `json:"priority,omitempty"`
+
+	// Env configures the environment for the Wasm extension
+	// +optional
+	Env *WasmEnv `json:"env,omitempty"`
 }
 
 // WasmCodeSource defines the source of the Wasm code.

charts/gateway-helm/crds/generated/gateway.envoyproxy.io_clienttrafficpolicies.yaml

@@ -85,11 +85,32 @@ spec:
                         description: |-
                           NumTrustedHops controls the number of additional ingress proxy hops from the right side of XFF HTTP
                           headers to trust when determining the origin client's IP address.
-                          Refer to https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_conn_man/headers#x-forwarded-for
-                          for more details.
+                          Only one of NumTrustedHops and TrustedCIDRs must be set.
                         format: int32
                         type: integer
+                      trustedCIDRs:
+                        description: |-
+                          TrustedCIDRs is a list of CIDR ranges to trust when evaluating
+                          the remote IP address to determine the original client’s IP address.
+                          When the remote IP address matches a trusted CIDR and the x-forwarded-for header was sent,
+                          each entry in the x-forwarded-for header is evaluated from right to left
+                          and the first public non-trusted address is used as the original client address.
+                          If all addresses in x-forwarded-for are within the trusted list, the first (leftmost) entry is used.
+                          Only one of NumTrustedHops and TrustedCIDRs must be set.
+                        items:
+                          description: |-
+                            CIDR defines a CIDR Address range.
+                            A CIDR can be an IPv4 address range such as "192.168.1.0/24" or an IPv6 address range such as "2001:0db8:11a3:09d7::/64".
+                          pattern: ((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\/([0-9]+))|((([0-9a-fA-F]{1,4}:){7,7}[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,7}:|([0-9a-fA-F]{1,4}:){1,6}:[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,5}(:[0-9a-fA-F]{1,4}){1,2}|([0-9a-fA-F]{1,4}:){1,4}(:[0-9a-fA-F]{1,4}){1,3}|([0-9a-fA-F]{1,4}:){1,3}(:[0-9a-fA-F]{1,4}){1,4}|([0-9a-fA-F]{1,4}:){1,2}(:[0-9a-fA-F]{1,4}){1,5}|[0-9a-fA-F]{1,4}:((:[0-9a-fA-F]{1,4}){1,6})|:((:[0-9a-fA-F]{1,4}){1,7}|:)|fe80:(:[0-9a-fA-F]{0,4}){0,4}%[0-9a-zA-Z]{1,}|::(ffff(:0{1,4}){0,1}:){0,1}((25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])\.){3,3}(25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])|([0-9a-fA-F]{1,4}:){1,4}:((25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])\.){3,3}(25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9]))\/([0-9]+))
+                          type: string
+                        minItems: 1
+                        type: array
                     type: object
+                    x-kubernetes-validations:
+                    - message: only one of numTrustedHops or trustedCIDRs must be
+                        set
+                      rule: (has(self.numTrustedHops) && !has(self.trustedCIDRs))
+                        || (!has(self.numTrustedHops) && has(self.trustedCIDRs))
                 type: object
                 x-kubernetes-validations:
                 - message: customHeader cannot be used in conjunction with xForwardedFor
@@ -668,7 +689,12 @@ spec:
                   alpnProtocols:
                     description: |-
                       ALPNProtocols supplies the list of ALPN protocols that should be
-                      exposed by the listener. By default h2 and http/1.1 are enabled.
+                      exposed by the listener or used by the proxy to connect to the backend.
+                      Defaults:
+                      1. HTTPS Routes: h2 and http/1.1 are enabled in listener context.
+                      2. Other Routes: ALPN is disabled.
+                      3. Backends: proxy uses the appropriate ALPN options for the backend protocol.
+                      When an empty list is provided, the ALPN TLS extension is disabled.
                       Supported values are:
                       - http/1.0
                       - http/1.1

charts/gateway-helm/crds/generated/gateway.envoyproxy.io_envoyextensionpolicies.yaml

@@ -1232,6 +1232,17 @@ spec:
                         Config is the configuration for the Wasm extension.
                         This configuration will be passed as a JSON string to the Wasm extension.
                       x-kubernetes-preserve-unknown-fields: true
+                    env:
+                      description: Env configures the environment for the Wasm extension
+                      properties:
+                        hostKeys:
+                          description: |-
+                            HostKeys is a list of keys for environment variables from the host envoy process
+                            that should be passed into the Wasm VM. This is useful for passing secrets to to Wasm extensions.
+                          items:
+                            type: string
+                          type: array
+                      type: object
                     failOpen:
                       default: false
                       description: |-

charts/gateway-helm/crds/generated/gateway.envoyproxy.io_envoyproxies.yaml

@@ -51,7 +51,12 @@ spec:
                   alpnProtocols:
                     description: |-
                       ALPNProtocols supplies the list of ALPN protocols that should be
-                      exposed by the listener. By default h2 and http/1.1 are enabled.
+                      exposed by the listener or used by the proxy to connect to the backend.
+                      Defaults:
+                      1. HTTPS Routes: h2 and http/1.1 are enabled in listener context.
+                      2. Other Routes: ALPN is disabled.
+                      3. Backends: proxy uses the appropriate ALPN options for the backend protocol.
+                      When an empty list is provided, the ALPN TLS extension is disabled.
                       Supported values are:
                       - http/1.0
                       - http/1.1