[release/v1.3] Release v1.3.2 cherry-pick (#5576)

* load BackendTLSPolicy in standalone mode (#5431)

Signed-off-by: Arko Dasgupta <[email protected]>
(cherry picked from commit 4d914ae)
Signed-off-by: Guy Daich <[email protected]>

* Wasm: cache Wasm OCI image permission check results (#5358)

* add TTL for wasm permission check

Signed-off-by: Huabing (Robin) Zhao <[email protected]>

* fix test

Signed-off-by: Huabing (Robin) Zhao <[email protected]>

* change

Signed-off-by: Huabing (Robin) Zhao <[email protected]>

* refresh the cache

Signed-off-by: Huabing (Robin) Zhao <[email protected]>

* purge the cache

Signed-off-by: Huabing (Robin) Zhao <[email protected]>

* refactor

Signed-off-by: Huabing (Robin) Zhao <[email protected]>

* on retry on retriable errors

Signed-off-by: Huabing (Robin) Zhao <[email protected]>

* add release note

Signed-off-by: Huabing (Robin) Zhao <[email protected]>

---------

Signed-off-by: Huabing (Robin) Zhao <[email protected]>
(cherry picked from commit 672de8a)
Signed-off-by: Guy Daich <[email protected]>

* Load EnvoyExtensionPolicy in standalone mode (#5460)

* load EnvoyExtensionPolicy in standalone mode

Signed-off-by: Takeshi Yoneda <[email protected]>

* more

Signed-off-by: Takeshi Yoneda <[email protected]>

* release note

Signed-off-by: Takeshi Yoneda <[email protected]>

* review: use a valid target name instead of myapp

Signed-off-by: Takeshi Yoneda <[email protected]>

* gen

Signed-off-by: Takeshi Yoneda <[email protected]>

---------

Signed-off-by: Takeshi Yoneda <[email protected]>
(cherry picked from commit 4be098d)
Signed-off-by: Guy Daich <[email protected]>

* fix: check for mirror backendRef in httproute index (#5497)

* check for mirror backendRef

Signed-off-by: mark winter <[email protected]>
(cherry picked from commit 72b72c4)
Signed-off-by: Guy Daich <[email protected]>

* fix: dont return an err when gatewayclass is not accepted (#5524)

* bug: dont return an err when gatewayclass is not accepted

this is a user generated error, we shouldnt log it as
a system error, and return with an error

Signed-off-by: Arko Dasgupta <[email protected]>

* release notes

Signed-off-by: Arko Dasgupta <[email protected]>

---------

Signed-off-by: Arko Dasgupta <[email protected]>
(cherry picked from commit 51e87ca)
Signed-off-by: Guy Daich <[email protected]>

* fix: host header should not be allowed to modify (#5533)

* host header is not allowed to be modified

Signed-off-by: Huabing (Robin) Zhao <[email protected]>

* address comment

Signed-off-by: Huabing (Robin) Zhao <[email protected]>

---------

Signed-off-by: Huabing (Robin) Zhao <[email protected]>
(cherry picked from commit 54efa34)
Signed-off-by: Guy Daich <[email protected]>

* fix: retrigger reconciliation when backendRef of type ServiceImport is updated (#5461)

* fix: retrigger reconilation when backendRef of type ServiceImport is updated

Signed-off-by: Teju Nareddy <[email protected]>
(cherry picked from commit e2f8978)
Signed-off-by: Guy Daich <[email protected]>

* pin envoy and ratelimit

Signed-off-by: Guy Daich <[email protected]>

* fix: otel sink json access logging without text field (#5498)

* fix otel sink json access logging without text field

Signed-off-by: Tomi Juntunen <[email protected]>

* use json format as default when format or type is not set

Signed-off-by: Tomi Juntunen <[email protected]>

* set formatters only if the slice of formatters is not empty

Signed-off-by: Tomi Juntunen <[email protected]>

---------

Signed-off-by: Tomi Juntunen <[email protected]>
Co-authored-by: Arko Dasgupta <[email protected]>
(cherry picked from commit cb3ffd2)
Signed-off-by: Guy Daich <[email protected]>

* [release/v1.3] v1.3.2 release notes (#5584)

v1.3.2 release notes

Signed-off-by: Guy Daich <[email protected]>

---------

Signed-off-by: Arko Dasgupta <[email protected]>
Signed-off-by: Guy Daich <[email protected]>
Signed-off-by: Huabing (Robin) Zhao <[email protected]>
Signed-off-by: Takeshi Yoneda <[email protected]>
Signed-off-by: mark winter <[email protected]>
Signed-off-by: Teju Nareddy <[email protected]>
Signed-off-by: Tomi Juntunen <[email protected]>
Co-authored-by: Arko Dasgupta <[email protected]>
Co-authored-by: Huabing (Robin) Zhao <[email protected]>
Co-authored-by: Takeshi Yoneda <[email protected]>
Co-authored-by: Mark Winter <[email protected]>
Co-authored-by: Teju Nareddy <[email protected]>
Co-authored-by: Tomi Juntunen <[email protected]>

Author: 7 people

VERSION

@@ -1 +1 @@
-v1.3.1
+v1.3.2

api/v1alpha1/shared_types.go

@@ -22,15 +22,15 @@ const (
 	// DefaultDeploymentMemoryResourceRequests for deployment memory resource
 	DefaultDeploymentMemoryResourceRequests = "512Mi"
 	// DefaultEnvoyProxyImage is the default image used by envoyproxy
-	DefaultEnvoyProxyImage = "docker.io/envoyproxy/envoy:distroless-v1.33.0"
+	DefaultEnvoyProxyImage = "docker.io/envoyproxy/envoy:distroless-v1.33.1"
 	// DefaultShutdownManagerCPUResourceRequests for shutdown manager cpu resource
 	DefaultShutdownManagerCPUResourceRequests = "10m"
 	// DefaultShutdownManagerMemoryResourceRequests for shutdown manager memory resource
 	DefaultShutdownManagerMemoryResourceRequests = "32Mi"
 	// DefaultShutdownManagerImage is the default image used for the shutdown manager.
 	DefaultShutdownManagerImage = "docker.io/envoyproxy/gateway-dev:latest"
 	// DefaultRateLimitImage is the default image used by ratelimit.
-	DefaultRateLimitImage = "docker.io/envoyproxy/ratelimit:ae4cee11"
+	DefaultRateLimitImage = "docker.io/envoyproxy/ratelimit:0141a24f"
 	// HTTPProtocol is the common-used http protocol.
 	HTTPProtocol = "http"
 	// GRPCProtocol is the common-used grpc protocol.

charts/gateway-helm/README.md

@@ -102,7 +102,7 @@ To uninstall the chart:
 | global.images.envoyGateway.image | string | `nil` |  |
 | global.images.envoyGateway.pullPolicy | string | `nil` |  |
 | global.images.envoyGateway.pullSecrets | list | `[]` |  |
-| global.images.ratelimit.image | string | `"docker.io/envoyproxy/ratelimit:ae4cee11"` |  |
+| global.images.ratelimit.image | string | `"docker.io/envoyproxy/ratelimit:0141a24f"` |  |
 | global.images.ratelimit.pullPolicy | string | `"IfNotPresent"` |  |
 | global.images.ratelimit.pullSecrets | list | `[]` |  |
 | kubernetesClusterDomain | string | `"cluster.local"` |  |

charts/gateway-helm/values.tmpl.yaml

@@ -12,7 +12,7 @@ global:
       pullSecrets: []
     ratelimit:
       # This is the full image name including the hub, repo, and tag.
-      image: "docker.io/envoyproxy/ratelimit:ae4cee11"
+      image: "docker.io/envoyproxy/ratelimit:0141a24f"
       # Specify image pull policy if default behavior isn't desired.
       # Default behavior: latest images will be Always else IfNotPresent.
       pullPolicy: IfNotPresent

go.mod

@@ -9,6 +9,7 @@ require (
 	fortio.org/log v1.17.1
 	github.com/Masterminds/semver/v3 v3.3.1
 	github.com/andybalholm/brotli v1.1.1
+	github.com/avast/retry-go v3.0.0+incompatible
 	github.com/cenkalti/backoff/v4 v4.3.0
 	github.com/cncf/xds/go v0.0.0-20240905190251-b4127c9b8d78
 	github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc

go.sum

@@ -99,6 +99,8 @@ github.com/asaskevich/govalidator v0.0.0-20180720115003-f9ffefc3facf/go.mod h1:l
 github.com/asaskevich/govalidator v0.0.0-20190424111038-f61b66f89f4a/go.mod h1:lB+ZfQJz7igIIfQNfa7Ml4HSf2uFQQRzpGGRXenZAgY=
 github.com/asaskevich/govalidator v0.0.0-20230301143203-a9d515a09cc2 h1:DklsrG3dyBCFEj5IhUbnKptjxatkF07cF2ak3yi77so=
 github.com/asaskevich/govalidator v0.0.0-20230301143203-a9d515a09cc2/go.mod h1:WaHUgvxTVq04UNunO+XhnAqY/wQc+bxr74GqbsZ/Jqw=
+github.com/avast/retry-go v3.0.0+incompatible h1:4SOWQ7Qs+oroOTQOYnAHqelpCO0biHSxpiH9JdtuBj0=
+github.com/avast/retry-go v3.0.0+incompatible/go.mod h1:XtSnn+n/sHqQIpZ10K1qAevBhOOCWBLXXy3hyiqqBrY=
 github.com/beorn7/perks v0.0.0-20180321164747-3a771d992973/go.mod h1:Dwedo/Wpr24TaqPxmxbtue+5NUziq4I4S80YR8gNf3Q=
 github.com/beorn7/perks v1.0.0/go.mod h1:KWe93zE9D1o94FZ5RNwFwVgaQK1VOXiVxmqh+CedLV8=
 github.com/beorn7/perks v1.0.1 h1:VlbKKnNfV8bJzeqoa4cOKqO6bYr3WgKZxO8Z16+hsOM=

internal/cmd/egctl/testdata/translate/in/backend-endpoint.yaml

@@ -44,3 +44,34 @@ spec:
     - ip:
         address: 0.0.0.0
         port: 3000
+---
+apiVersion: gateway.networking.k8s.io/v1alpha3
+kind: BackendTLSPolicy
+metadata:
+  name: example-com-tls-policy
+spec:
+  targetRefs:
+    - group: 'gateway.envoyproxy.io'
+      kind: Backend
+      name: backend
+  validation:
+    wellKnownCACertificates: "System"
+    hostname: www.example.com
+---
+apiVersion: gateway.envoyproxy.io/v1alpha1
+kind: EnvoyExtensionPolicy
+metadata:
+  name: ext-proc-example
+spec:
+  targetRefs:
+    - group: gateway.networking.k8s.io
+      kind: HTTPRoute
+      name: backend
+  extProc:
+    - backendRefs:
+        - name: grpc-ext-proc
+          port: 9002
+      processingMode:
+        request: {}
+        response:
+          body: Streamed

internal/cmd/egctl/testdata/translate/out/backend-endpoint.all.yaml

@@ -1,3 +1,30 @@
+backendTLSPolicies:
+- kind: BackendTLSPolicy
+  metadata:
+    creationTimestamp: null
+    name: example-com-tls-policy
+    namespace: envoy-gateway-system
+  spec:
+    targetRefs:
+    - group: gateway.envoyproxy.io
+      kind: Backend
+      name: backend
+    validation:
+      hostname: www.example.com
+      wellKnownCACertificates: System
+  status:
+    ancestors:
+    - ancestorRef:
+        group: gateway.networking.k8s.io
+        kind: Gateway
+        name: eg
+      conditions:
+      - lastTransitionTime: null
+        message: Policy has been accepted.
+        reason: Accepted
+        status: "True"
+        type: Accepted
+      controllerName: gateway.envoyproxy.io/gatewayclass-controller
 backends:
 - kind: Backend
   metadata:
@@ -16,6 +43,43 @@ backends:
       reason: Accepted
       status: "True"
       type: Accepted
+envoyExtensionPolicies:
+- kind: EnvoyExtensionPolicy
+  metadata:
+    creationTimestamp: null
+    name: ext-proc-example
+    namespace: envoy-gateway-system
+  spec:
+    extProc:
+    - backendRefs:
+      - group: ""
+        kind: Service
+        name: grpc-ext-proc
+        port: 9002
+      processingMode:
+        request: {}
+        response:
+          body: Streamed
+    targetRefs:
+    - group: gateway.networking.k8s.io
+      kind: HTTPRoute
+      name: backend
+  status:
+    ancestors:
+    - ancestorRef:
+        group: gateway.networking.k8s.io
+        kind: Gateway
+        name: eg
+        namespace: envoy-gateway-system
+      conditions:
+      - lastTransitionTime: null
+        message: |-
+          Wasm: wasm cache is not initialized
+          ExtProc: service envoy-gateway-system/grpc-ext-proc not found.
+        reason: Invalid
+        status: "False"
+        type: Accepted
+      controllerName: gateway.envoyproxy.io/gatewayclass-controller
 gatewayClass:
   kind: GatewayClass
   metadata: