Merge branch 'main' into dependabot/github_actions/codecov/codecov-action-5.4.2

Author: arkodg

.github/workflows/build_and_test.yaml

@@ -85,7 +85,16 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        version: [ v1.29.10, v1.30.6, v1.31.4, v1.32.0 ]
+        target:
+        - version: v1.29.10
+          ipFamily: ipv4
+        - version: v1.30.6
+          ipFamily: ipv4
+        - version: v1.31.4
+          ipFamily: ipv6  # only run ipv6 test on this version to save time
+        # TODO: this's IPv4 first, need a way to test IPv6 first.
+        - version: v1.32.0
+          ipFamily: dual  # only run dual test on latest version to save time
     steps:
     - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683  # v4.2.2
     - uses: ./tools/github-actions/setup-deps
@@ -104,8 +113,9 @@ jobs:
     # conformance
     - name: Run Standard Conformance Tests
       env:
-        KIND_NODE_TAG: ${{ matrix.version }}
+        KIND_NODE_TAG: ${{ matrix.target.version }}
         IMAGE_PULL_POLICY: IfNotPresent
+        IP_FAMILY: ${{ matrix.target.ipFamily }}
       run: make conformance
 
   e2e-test:

api/v1alpha1/backend_types.go

@@ -7,6 +7,8 @@ package v1alpha1
 
 import (
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	gwapiv1 "sigs.k8s.io/gateway-api/apis/v1"
+	gwapiv1a3 "sigs.k8s.io/gateway-api/apis/v1alpha3"
 )
 
 const (
@@ -141,6 +143,42 @@ type BackendSpec struct {
 	//
 	// +optional
 	Fallback *bool `json:"fallback,omitempty"`
+
+	// TLS defines the TLS settings for the backend.
+	// Only supported for DynamicResolver backends.
+	//
+	// +optional
+	// +notImplementedHide
+	TLS *BackendTLSSettings `json:"tls,omitempty"`
+}
+
+// BackendTLSSettings holds the TLS settings for the backend.
+// Only used for DynamicResolver backends.
+type BackendTLSSettings struct {
+	// CACertificateRefs contains one or more references to Kubernetes objects that
+	// contain TLS certificates of the Certificate Authorities that can be used
+	// as a trust anchor to validate the certificates presented by the backend.
+	//
+	// A single reference to a Kubernetes ConfigMap or a Kubernetes Secret,
+	// with the CA certificate in a key named `ca.crt` is currently supported.
+	//
+	// If CACertificateRefs is empty or unspecified, then WellKnownCACertificates must be
+	// specified. Only one of CACertificateRefs or WellKnownCACertificates may be specified,
+	// not both.
+	//
+	// +kubebuilder:validation:MaxItems=8
+	// +optional
+	CACertificateRefs []gwapiv1.LocalObjectReference `json:"caCertificateRefs,omitempty"`
+
+	// WellKnownCACertificates specifies whether system CA certificates may be used in
+	// the TLS handshake between the gateway and backend pod.
+	//
+	// If WellKnownCACertificates is unspecified or empty (""), then CACertificateRefs
+	// must be specified with at least one entry for a valid configuration. Only one of
+	// CACertificateRefs or WellKnownCACertificates may be specified, not both.
+	//
+	// +optional
+	WellKnownCACertificates *gwapiv1a3.WellKnownCACertificatesType `json:"wellKnownCACertificates,omitempty"`
 }
 
 // BackendType defines the type of the Backend.

api/v1alpha1/backendtrafficpolicy_types.go

@@ -100,16 +100,15 @@ type BackendTrafficPolicySpec struct {
 	// +notImplementedHide
 	// +optional
 	RequestBuffer *RequestBuffer `json:"requestBuffer,omitempty"`
-	// Telemetry configures the telemetry settings for the backend or backend.
+	// Telemetry configures the telemetry settings for the policy target (Gateway or xRoute).
 	// This will override the telemetry settings in the EnvoyProxy resource.
 	//
-	// +notImplementedHide
 	// +optional
 	Telemetry *BackendTelemetry `json:"telemetry,omitempty"`
 }
 
 type BackendTelemetry struct {
-	// Tracing configures the tracing settings for the backend.
+	// Tracing configures the tracing settings for the backend or HTTPRoute.
 	//
 	// +optional
 	Tracing *Tracing `json:"tracing,omitempty"`

api/v1alpha1/envoygateway_types.go

@@ -501,13 +501,15 @@ type ExtensionManager struct {
 	Service *ExtensionService `json:"service,omitempty"`
 
 	// FailOpen defines if Envoy Gateway should ignore errors returned from the Extension Service hooks.
-	// The default is false, which means Envoy Gateway will fail closed if the Extension Service returns an error.
 	//
-	// Fail-close means that if the Extension Service hooks return an error, the relevant route/listener/resource
-	// will be replaced with a default configuration returning Internal Server Error (HTTP 500).
+	// When set to false, Envoy Gateway does not ignore extension Service hook errors. As a result,
+	// xDS updates are skipped for the relevant envoy proxy fleet and the previous state is preserved.
 	//
-	// Fail-open means that if the Extension Service hooks return an error, no changes will be applied to the
-	// source of the configuration which was sent to the extension server.
+	// When set to true, if the Extension Service hooks return an error, no changes will be applied to the
+	// source of the configuration which was sent to the extension server. The errors are ignored and the resulting
+	// xDS configuration is updated in the xDS snapshot.
+	//
+	// Default: false
 	//
 	// +optional
 	FailOpen bool `json:"failOpen,omitempty"`

api/v1alpha1/zz_generated.deepcopy.go

@@ -25,7 +25,7 @@ kind: CustomResourceDefinition
 metadata:
   annotations:
     api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/3328
-    gateway.networking.k8s.io/bundle-version: v1.3.0-rc.2
+    gateway.networking.k8s.io/bundle-version: v1.3.0
     gateway.networking.k8s.io/channel: experimental
   creationTimestamp: null
   labels:
@@ -676,7 +676,7 @@ kind: CustomResourceDefinition
 metadata:
   annotations:
     api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/3328
-    gateway.networking.k8s.io/bundle-version: v1.3.0-rc.2
+    gateway.networking.k8s.io/bundle-version: v1.3.0
     gateway.networking.k8s.io/channel: experimental
   creationTimestamp: null
   name: gatewayclasses.gateway.networking.k8s.io
@@ -1196,7 +1196,7 @@ kind: CustomResourceDefinition
 metadata:
   annotations:
     api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/3328
-    gateway.networking.k8s.io/bundle-version: v1.3.0-rc.2
+    gateway.networking.k8s.io/bundle-version: v1.3.0
     gateway.networking.k8s.io/channel: experimental
   creationTimestamp: null
   name: gateways.gateway.networking.k8s.io
@@ -3904,7 +3904,7 @@ kind: CustomResourceDefinition
 metadata:
   annotations:
     api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/3328
-    gateway.networking.k8s.io/bundle-version: v1.3.0-rc.2
+    gateway.networking.k8s.io/bundle-version: v1.3.0
     gateway.networking.k8s.io/channel: experimental
   creationTimestamp: null
   name: grpcroutes.gateway.networking.k8s.io
@@ -6125,7 +6125,7 @@ kind: CustomResourceDefinition
 metadata:
   annotations:
     api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/3328
-    gateway.networking.k8s.io/bundle-version: v1.3.0-rc.2
+    gateway.networking.k8s.io/bundle-version: v1.3.0
     gateway.networking.k8s.io/channel: experimental
   creationTimestamp: null
   name: httproutes.gateway.networking.k8s.io
@@ -13407,7 +13407,7 @@ kind: CustomResourceDefinition
 metadata:
   annotations:
     api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/3328
-    gateway.networking.k8s.io/bundle-version: v1.3.0-rc.2
+    gateway.networking.k8s.io/bundle-version: v1.3.0
     gateway.networking.k8s.io/channel: experimental
   creationTimestamp: null
   name: referencegrants.gateway.networking.k8s.io
@@ -13600,7 +13600,7 @@ kind: CustomResourceDefinition
 metadata:
   annotations:
     api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/3328
-    gateway.networking.k8s.io/bundle-version: v1.3.0-rc.2
+    gateway.networking.k8s.io/bundle-version: v1.3.0
     gateway.networking.k8s.io/channel: experimental
   creationTimestamp: null
   name: tcproutes.gateway.networking.k8s.io
@@ -14336,7 +14336,7 @@ kind: CustomResourceDefinition
 metadata:
   annotations:
     api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/3328
-    gateway.networking.k8s.io/bundle-version: v1.3.0-rc.2
+    gateway.networking.k8s.io/bundle-version: v1.3.0
     gateway.networking.k8s.io/channel: experimental
   creationTimestamp: null
   name: tlsroutes.gateway.networking.k8s.io
@@ -15135,7 +15135,7 @@ kind: CustomResourceDefinition
 metadata:
   annotations:
     api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/3328
-    gateway.networking.k8s.io/bundle-version: v1.3.0-rc.2
+    gateway.networking.k8s.io/bundle-version: v1.3.0
     gateway.networking.k8s.io/channel: experimental
   creationTimestamp: null
   name: udproutes.gateway.networking.k8s.io
@@ -15871,7 +15871,7 @@ kind: CustomResourceDefinition
 metadata:
   annotations:
     api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/3328
-    gateway.networking.k8s.io/bundle-version: v1.3.0-rc.2
+    gateway.networking.k8s.io/bundle-version: v1.3.0
     gateway.networking.k8s.io/channel: experimental
   creationTimestamp: null
   labels:
@@ -15962,21 +15962,21 @@ spec:
                       interval:
                         default: 10s
                         description: |-
-                          BudgetInterval defines the duration in which requests will be considered
+                          Interval defines the duration in which requests will be considered
                           for calculating the budget for retries.
 
                           Support: Extended
                         pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
                         type: string
                         x-kubernetes-validations:
-                        - message: budgetInterval can not be greater than one hour
-                            or less than one second
+                        - message: interval can not be greater than one hour or less
+                            than one second
                           rule: '!(duration(self) < duration(''1s'') || duration(self)
                             > duration(''1h''))'
                       percent:
                         default: 20
                         description: |-
-                          BudgetPercent defines the maximum percentage of active requests that may
+                          Percent defines the maximum percentage of active requests that may
                           be made up of retries.
 
                           Support: Extended
@@ -16480,7 +16480,7 @@ kind: CustomResourceDefinition
 metadata:
   annotations:
     api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/3328
-    gateway.networking.k8s.io/bundle-version: v1.3.0-rc.2
+    gateway.networking.k8s.io/bundle-version: v1.3.0
     gateway.networking.k8s.io/channel: experimental
   creationTimestamp: null
   name: xlistenersets.gateway.networking.x-k8s.io

charts/gateway-crds-helm/templates/gatewayapi-crds.yaml

@@ -147,6 +147,72 @@ spec:
                   The overprovisioning factor is set to 1.4, meaning the fallback backends will only start receiving traffic when
                   the health of the active backends falls below 72%.
                 type: boolean
+              tls:
+                description: |-
+                  TLS defines the TLS settings for the backend.
+                  Only supported for DynamicResolver backends.
+                properties:
+                  caCertificateRefs:
+                    description: |-
+                      CACertificateRefs contains one or more references to Kubernetes objects that
+                      contain TLS certificates of the Certificate Authorities that can be used
+                      as a trust anchor to validate the certificates presented by the backend.
+
+                      A single reference to a Kubernetes ConfigMap or a Kubernetes Secret,
+                      with the CA certificate in a key named `ca.crt` is currently supported.
+
+                      If CACertificateRefs is empty or unspecified, then WellKnownCACertificates must be
+                      specified. Only one of CACertificateRefs or WellKnownCACertificates may be specified,
+                      not both.
+                    items:
+                      description: |-
+                        LocalObjectReference identifies an API object within the namespace of the
+                        referrer.
+                        The API object must be valid in the cluster; the Group and Kind must
+                        be registered in the cluster for this reference to be valid.
+
+                        References to objects with invalid Group and Kind are not valid, and must
+                        be rejected by the implementation, with appropriate Conditions set
+                        on the containing object.
+                      properties:
+                        group:
+                          description: |-
+                            Group is the group of the referent. For example, "gateway.networking.k8s.io".
+                            When unspecified or empty string, core API group is inferred.
+                          maxLength: 253
+                          pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+                          type: string
+                        kind:
+                          description: Kind is kind of the referent. For example "HTTPRoute"
+                            or "Service".
+                          maxLength: 63
+                          minLength: 1
+                          pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
+                          type: string
+                        name:
+                          description: Name is the name of the referent.
+                          maxLength: 253
+                          minLength: 1
+                          type: string
+                      required:
+                      - group
+                      - kind
+                      - name
+                      type: object
+                    maxItems: 8
+                    type: array
+                  wellKnownCACertificates:
+                    description: |-
+                      WellKnownCACertificates specifies whether system CA certificates may be used in
+                      the TLS handshake between the gateway and backend pod.
+
+                      If WellKnownCACertificates is unspecified or empty (""), then CACertificateRefs
+                      must be specified with at least one entry for a valid configuration. Only one of
+                      CACertificateRefs or WellKnownCACertificates may be specified, not both.
+                    enum:
+                    - System
+                    type: string
+                type: object
               type:
                 default: Endpoints
                 description: Type defines the type of the backend. Defaults to "Endpoints"

charts/gateway-crds-helm/templates/generated/gateway.envoyproxy.io_backends.yaml

@@ -1669,11 +1669,12 @@ spec:
                 type: object
               telemetry:
                 description: |-
-                  Telemetry configures the telemetry settings for the backend or backend.
+                  Telemetry configures the telemetry settings for the policy target (Gateway or xRoute).
                   This will override the telemetry settings in the EnvoyProxy resource.
                 properties:
                   tracing:
-                    description: Tracing configures the tracing settings for the backend.
+                    description: Tracing configures the tracing settings for the backend
+                      or HTTPRoute.
                     properties:
                       customTags:
                         additionalProperties: