Merge branch 'main' into optimize-compute-gloo-eps

solo-io · Dec 16, 2024 · f254052 · f254052
2 parents 653c679 + 530eced
commit f254052
Show file tree

Hide file tree

Showing 52 changed files with 2,193 additions and 450 deletions.
diff --git a/.github/workflows/push-docs.yaml b/.github/workflows/push-docs.yaml
@@ -46,16 +46,19 @@ jobs:
         minor=""
         directory=""
         if [[ "${{ steps.lts-version.outputs.lts }}" == "main" ]]; then
-          minor="1.18"
+          minor="1.19"
+          directory="main"
+        elif [[ "${{ steps.lts-version.outputs.lts }}" == "v1.19.x" ]]; then
+          minor="1.19"
           directory="main"
         elif [[ "${{ steps.lts-version.outputs.lts }}" == "v1.18.x" ]]; then
           minor="1.18"
-          directory="main"
+          directory="latest"
         elif [[ "${{ steps.lts-version.outputs.lts }}" == "v1.17.x" ]]; then
           minor="1.17"
-          directory="latest"
+          directory="1.17.x"
         else
-          minor="1.18"
+          minor="1.19"
           directory="main"
         fi
         echo "minor=${minor}" >> $GITHUB_OUTPUT
@@ -197,4 +200,4 @@ jobs:
           -d "text=$MESSAGE" \
           -d "channel=doctopus-tests" \
           -d "token=${SLACK_BOT_TOKEN}" \
-          -X POST https://slack.com/api/chat.postMessage
+          -X POST https://slack.com/api/chat.postMessage
diff --git a/changelog/v1.19.0-beta3/allow-listener-warnings.yaml b/changelog/v1.19.0-beta3/allow-listener-warnings.yaml
@@ -0,0 +1,9 @@
+changelog:
+- type: NON_USER_FACING
+  issueLink: https://github.com/k8sgateway/k8sgateway/issues/10293
+  resolvesIssue: false
+  description: Adds support for listener level warnings. This way when a listener or its plugin returns an error, it can be checked if it is a configuration error that can be treated as a warning and processed accordingly.
+- type: FIX
+  issueLink: https://github.com/k8sgateway/k8sgateway/issues/10293
+  resolvesIssue: false
+  description: Fixes an issue where an error is thrown instead of an InvalidDestinationWarning when a tracing collector references a missing upstream.
diff --git a/changelog/v1.19.0-beta3/data-plane-validation.yaml b/changelog/v1.19.0-beta3/data-plane-validation.yaml
@@ -0,0 +1,5 @@
+changelog:
+  - type: NON_USER_FACING
+    description: >-
+      Adding docs for full Envoy validation.
+      skipCI-kube-tests:true
diff --git a/changelog/v1.19.0-beta3/docs-prepare-1.18.yaml b/changelog/v1.19.0-beta3/docs-prepare-1.18.yaml
@@ -0,0 +1,5 @@
+changelog:
+  - type: NON_USER_FACING
+    description: >-
+      Prepare 1.18 docs.
+      skipCI-kube-tests:true
diff --git a/changelog/v1.19.0-beta3/docs-sec-update.yaml b/changelog/v1.19.0-beta3/docs-sec-update.yaml
@@ -0,0 +1,5 @@
+changelog:
+  - type: NON_USER_FACING
+    description: >- 
+      Adds security scan 4 file to Enterprise.
+      skipCI-kube-tests:true
diff --git a/changelog/v1.19.0-beta3/docs-workflow.yaml b/changelog/v1.19.0-beta3/docs-workflow.yaml
@@ -0,0 +1,5 @@
+changelog:
+  - type: NON_USER_FACING
+    description: >- 
+      Update docs workflow for 1.18 release. 
+      skipCI-kube-tests:true
diff --git a/changelog/v1.19.0-beta3/fix-metrics-suite.yaml b/changelog/v1.19.0-beta3/fix-metrics-suite.yaml
@@ -0,0 +1,5 @@
+changelog:
+- type: NON_USER_FACING
+  issueLink: https://github.com/solo-io/solo-projects/issues/7405
+  description: Fixes the failing K8sGateway/Metrics in enterprise caused by using the wrong BaseTestingSuite constructor.
+
diff --git a/changelog/v1.19.0-beta3/k8s-e2e-skip-install-update-followup.yaml b/changelog/v1.19.0-beta3/k8s-e2e-skip-install-update-followup.yaml
@@ -0,0 +1,6 @@
+changelog:
+  - type: NON_USER_FACING
+    issueLink: https://github.com/solo-io/solo-projects/issues/7432
+    resolvesIssue: true
+    description: >-
+      Cleanup/PR feedback from initial PR.
diff --git a/docs/active_versions.json b/docs/active_versions.json
@@ -1,12 +1,12 @@
 {
-  "latest": "v1.17.x",
+  "latest": "v1.18.x",
   "versions": [
     "main",
-    "v1.17.x"
+    "v1.18.x"
   ],
   "oldVersions": [
+    "v1.17.x",
     "v1.16.x",
-    "v1.15.x",
-    "v1.14.x"
+    "v1.15.x"
   ]
 }
diff --git a/...content/guides/traffic_management/configuration_validation/admission_control.md b/...content/guides/traffic_management/configuration_validation/admission_control.md
@@ -19,6 +19,7 @@ For more information about how resource configuration validation works in Gloo G
 
 Configure the validating admission webhook to reject invalid Gloo custom resources before they are applied in the cluster. 
 
+
 1. Enable strict resource validation by updating your Gloo Gateway installation and set the following Helm values.
    ```bash
    --set gateway.validation.alwaysAcceptResources=false
@@ -61,7 +62,170 @@ Configure the validating admission webhook to reject invalid Gloo custom resourc
       {{< notice tip >}}
       You can also use the validating admission webhook by running the <code>kubectl apply --dry-run=server</code> command to test your Gloo configuration before you apply it to your cluster. For more information, see <a href="#test-resource-configurations">Test resource configurations</a>. 
       {{< /notice >}}
+
+## Enable full Envoy validation (beta) {#envoy-validation}
+
+In addition to strict resource validation, you can enable full Envoy validation in your Gloo Gateway setup. The full Envoy validation adds another validation layer to the validation webhook by converting the translated xDS snapshot into static bootstrap configuration that can be fed into Envoy. This way, you can validate configuration that is typically accepted by Gloo Gateway, but later rejected by Envoy. For example, you might have a transformation policy in your VirtualService that uses an invalid Inja template. Gloo Gateway cannot validate the Inja template and therefore accepts the configuration. However, with the full Envoy validation enabled, this configuration is checked against Envoy and rejected if Envoy detects invalid configuration. 
 
+{{% notice note %}}
+The full Envoy validation is a beta feature. 
+{{% /notice %}}
+{{% notice warning %}}
+Enabling full Envoy validation is a resource-intensive operation that can have a negative performance impact on your environment, especially if the environment has a lot of resources. 
+{{% /notice %}}
+
+1. Follow the [Hello World guide]({{% versioned_link_path fromRoot="/guides/traffic_management/hello_world/" %}}) to set up the hello world app and expose it with a VirtualService.
+2. Edit the Settings to enable strict resource validation without the full Envoy validation. Make sure to also set `disableTransformationValidation: true` to disable the transformation validation. To persist this setting between Gloo Gateway upgrades, add this setting to your Helm values file instead. 
+   ```sh
+   kubectl edit settings default -n gloo-system
+   ```
+
+   Enter the following values: 
+   ```yaml
+   ...
+   spec:
+     gateway:
+       validation:
+         allowWarnings: false
+         alwaysAccept: false
+         disableTransformationValidation: true
+         fullEnvoyValidation: false
+   ...
+   ```
+
+3. Add a transformation policy to the hello world VirtualService that uses an invalid Inja template. The following example does not close the else statement. Verify that this configuration is accepted by Gloo Gateway. 
+   {{< highlight yaml "hl_lines=23" >}}
+kubectl apply -f- <<EOF
+apiVersion: gateway.solo.io/v1
+kind: VirtualService
+metadata:
+  name: default
+  namespace: gloo-system
+spec:
+  virtualHost:
+    domains:
+    - '*'
+    routes:
+    - matchers:
+      - exact: /all-pets
+      options:
+        prefixRewrite: /api/pets
+        stagedTransformations:
+          regular: 
+            responseTransforms: 
+            - responseTransformation: 
+                transformationTemplate: 
+                  headers: 
+                    test_header: 
+                      text: '{% if default(data.error.message, "") != %}400{% else '
+      routeAction:
+        single:
+          upstream:
+            name: default-petstore-8080
+            namespace: gloo-system
+EOF
+   {{< /highlight >}}
+
+4. Review the logs of the `gateway-proxy` pod. Verify that although Gloo Gateway accepted the configuration, a warning regarding the malformatted Inja template is reported by Envoy. 
+   ```sh
+   kubectl logs -f -n gloo-system -l gateway-proxy
+   ```
+
+   Example output: 
+   ```
+   [2024-12-13 18:43:12.090][1][warning][config] [external/envoy/source/extensions/config_subscription/grpc/grpc_subscription_impl.cc:138] gRPC config for type.googleapis.com/envoy.config.route.v3.RouteConfiguration rejected: Failed to parse response template on response matcher: Failed to parse header template 'test_header': [inja.exception.parser_error] (at 1:42) too few arguments
+   ```
+
+5. Restore the old VirtualService again. 
+   ```yaml
+   kubectl apply -f- <<EOF                                      
+   apiVersion: gateway.solo.io/v1
+   kind: VirtualService
+   metadata:
+     name: default
+     namespace: gloo-system
+   spec:
+     virtualHost:
+       domains:
+       - '*'
+       routes:
+       - matchers:
+         - exact: /all-pets
+         options:
+           prefixRewrite: /api/pets
+         routeAction:            
+           single:   
+             upstream:            
+               name: default-petstore-8080
+               namespace: gloo-system   
+   EOF  
+   ```    
+
+5. Edit the Settings resource to enable full Envoy validation. Note that you can leave `disableTransformationValidation: true`, because the transformation validation is included in the full Envoy validation. 
+   ```sh
+   kubectl edit settings default -n gloo-system
+   ```
+
+   Enter the following values: 
+   ```yaml
+   ...
+   spec:
+     gateway:
+       validation:
+         allowWarnings: false
+         alwaysAccept: false
+         disableTransformationValidation: true
+         fullEnvoyValidation: true
+   ...
+   ```
+
+6. Try to apply the invalid VirtualService again. Verify that the resource is now rejected and the Envoy error about the invalid Inja template is surfaced to you. 
+   {{< highlight yaml "hl_lines=23" >}}
+kubectl apply -f- <<EOF
+apiVersion: gateway.solo.io/v1
+kind: VirtualService
+metadata:
+  name: default
+  namespace: gloo-system
+spec:
+  virtualHost:
+    domains:
+    - '*'
+    routes:
+    - matchers:
+      - exact: /all-pets
+      options:
+        prefixRewrite: /api/pets
+        stagedTransformations:
+          regular: 
+            responseTransforms: 
+            - responseTransformation: 
+                transformationTemplate: 
+                  headers: 
+                    test_header: 
+                      text: '{% if default(data.error.message, "") != %}400{% else '
+      routeAction:
+        single:
+          upstream:
+            name: default-petstore-8080
+            namespace: gloo-system
+EOF
+   {{< /highlight >}}
+
+   Example output: 
+   ```
+   Error from server: error when applying patch:
+   {"metadata":{"annotations":{"kubectl.kubernetes.io/last-applied-configuration":"{\"apiVersion\":\"gateway.solo.io/v1\",\"kind\":\"VirtualService\",\"metadata\":{\"annotations\":{},\"name\":\"default\",\"namespace\":\"gloo-system\"},\"spec\":{\"virtualHost\":{\"domains\":[\"*\"],\"routes\":[{\"matchers\":[{\"exact\":\"/all-pets\"}],\"options\":{\"prefixRewrite\":\"/api/pets\",\"stagedTransformations\":{\"regular\":{\"responseTransforms\":[{\"responseTransformation\":{\"transformationTemplate\":{\"headers\":{\"test_header\":{\"text\":\"{% if default(data.error.message, \\\"\\\") != %}400{% else \"}}}}}]}}},\"routeAction\":{\"single\":{\"upstream\":{\"name\":\"default-petstore-8080\",\"namespace\":\"gloo-system\"}}}}]}}}\n"}},"spec":{"virtualHost":{"routes":[{"matchers":[{"exact":"/all-pets"}],"options":{"prefixRewrite":"/api/pets","stagedTransformations":{"regular":{"responseTransforms":[{"responseTransformation":{"transformationTemplate":{"headers":{"test_header":{"text":"{% if default(data.error.message, \"\") != %}400{% else "}}}}}]}}},"routeAction":{"single":{"upstream":{"name":"default-petstore-8080","namespace":"gloo-system"}}}}]}}}
+   to:
+   Resource: "gateway.solo.io/v1, Resource=virtualservices", GroupVersionKind: "gateway.solo.io/v1, Kind=VirtualService"
+   Name: "default", Namespace: "gloo-system"
+   for: "STDIN": error when patching "STDIN": admission webhook "gloo.gloo-system.svc" denied the request: resource incompatible with current Gloo snapshot: [Validating *v1.VirtualService failed: 1 error occurred:
+	   * Validating *v1.VirtualService failed: validating *v1.VirtualService name:"default"  namespace:"gloo-system": 1 error occurred:
+	   * failed gloo validation resource reports: 2 errors occurred:
+	   * invalid resource gloo-system.gateway-proxy
+	   * envoy validation mode output: error initializing configuration '/dev/fd/0': Failed to parse response template on response matcher: Failed to parse header template 'test_header': [inja.exception.parser_error] (at 1:42) too few arguments
+   , error: command ""/usr/local/bin/envoy" "--mode" "validate" "--config-path" "/dev/fd/0" "-l" "critical" "--log-format" "%v"" failed with error: exit status 1
+   ```
 
 ## View the current validating admission webhook configuration
 

diff --git a/docs/content/guides/traffic_management/hello_world/_index.md b/docs/content/guides/traffic_management/hello_world/_index.md
@@ -377,7 +377,7 @@ At this point we have a Virtual Service with a routing rule sending traffic on t
 Let’s test the route rule by retrieving the URL of Gloo Gateway, and sending a web request to the `/all-pets` path of the URL using curl. 
 
 ```shell
-curl $(glooctl proxy url)/all-pets
+curl $(glooctl proxy url --name gateway-proxy)/all-pets
 ```
 
 ```json

diff --git a/docs/content/operations/upgrading/faq.md b/docs/content/operations/upgrading/faq.md
@@ -65,6 +65,50 @@ The Envoy dependency in Gloo Gateway 1.18 was upgraded from 1.29.x to 1.31.x. Th
 * **HTTP/2**: HTTP/2 colon prefixed headers are now sanitized by Envoy. Previously, sanitation was performed by the `nghttp2` library, which caused pseudo headers with upper case letters to fail validation. Now, these pseudo headers pass validation. You can temporarily revert this change by setting the runtime guard `envoy.reloadable_features.sanitize_http2_headers_without_nghttp2` to `false`. 
 * **Local ratelimit**: The token bucket implementation changed. Previously, a timer-based token bucket was used to assign tokens to connections. In Envoy 1.31.x, the new AtomicToken bucket is used that is no longer timer-based. Tokens are now automatically refilled when the token bucket is accessed. Because of this change, the `x-ratelimit-reset` header is no longer sent. You can temporarily revert this change by setting the runtime guard `envoy.reloadable_features.no_timer_based_rate_limit_token_bucket` to `false`.
 
+## New features
+
+### Watch namespace based on label 
+
+Previously, the namespaces that you wanted Gloo Gateway to watch for resources needed to be provided as a static list via the `watchNamespaces` setting in the Settings resource and had to be updated manually every time a namespace was added or deleted. Starting in 1.18.0, you can now define the namespaces that you want to watch by using the `WatchNamespaceSelectors` option on the Settings CR. This way, Gloo Gateway automatically includes new namespaces that have the required selectors. 
+
+Label selectors can use exact matches or an `In`, `NotIn`, `Exists`, or `DoesNotExist` expression. You can also chain label selectors to form logical `AND` or `OR` expressions as shown in the following example. 
+
+```yaml
+settings: 
+  watchNamespaceSelectors: 
+    - matchLabels: 
+        label: match
+    - matchLabels: 
+        label: and
+    - matchExpressions: 
+      - key: expression
+        operator: In
+        values: 
+          - and
+```
+        
+{{% notice note %}}
+If you specify both the `watchNamespaces` and `watchNamespaceSelectors` setting, the `watchNamespaces` setting takes precedence.  
+{{% /notice %}}
+
+For more information, see [Specify namespaces to watch for Kuberenetes services and Gloo Gateway CRs]({{% versioned_link_path fromRoot="/installation/advanced_configuration/multiple-gloo-installs/#specify-namespaces-to-watch-for-kuberenetes-services-and-gloo-gateway-crs " %}}).
+
+### ARM images
+
+In Gloo Gateway Enterprise, ARM images are now supported for Gloo Gateway components. An image that is tagged with -arm is compatible with ARM64 architectures. Note that ARM images are currently not published for VMs.
+
+### Kubernetes 1.30 and 1.31 support 
+
+Starting in version 1.18.0, Gloo Gateway can now run on Kubernetes 1.30 and 1.31. For more information about supported Kubernetes, Envoy, and Istio versions, see [Supported versions]({{% versioned_link_path fromRoot="/reference/support/" %}}).
+
+### Front channel logout
+
+You can configure a front channel logout path on an AuthConfig that configures OIDC authorization code for your apps.
+
+Front channel logout is a security mechanism that is used in the context of Single Sign-On (SSO) and Identity and Access Management (IAM) systems to ensure that when a user logs out of one app or service, they are also automatically logged out of the Identity Provider (IdP) and therefore all related apps and services in a secure and synchronized manner. Without front channel logout, the user is logged out of the requested app only.
+
+For more information, see [Front channel logout]({{% versioned_link_path fromRoot="/guides/security/auth/extauth/oauth/#front-channel-logout" %}}).
+
 
 <!-- ggv2-related changes:
 ggv2 - Disable Istio Envoy proxy from running by default and only rely on proxyless Istio agent mtls integration. Note: Although this is a change to the default behavior of the istio integration, this should not have any impact on most users as the sidecar proxy was unused in the data path. (https://github.com/solo-io/solo-projects/issues/5711)
@@ -184,7 +228,7 @@ New CRDs are automatically applied to your cluster when performing a `helm insta
 
 Review the following summary of important new, deprecated, or removed CRD updates. For full details, see the [changelogs](#changelogs).
 
-As part of the {{< readfile file="static/content/version_geoss_latest.md" markdown="true">}} release, no CLI changes were introduced.
+As part of the {{< readfile file="static/content/version_geoss_latest.md" markdown="true">}} release, no CRD changes were introduced.
 <!--
 **New and updated CRDs**:
 
@@ -200,13 +244,15 @@ N/A
 
 You must upgrade `glooctl` before you upgrade Gloo Gateway. Because `glooctl` can create resources in your cluster, such as with `glooctl add route`, you might have errors in Gloo Gateway if you create resources with an older version of `glooctl`.
 
-As part of the {{< readfile file="static/content/version_geoss_latest.md" markdown="true">}} release, no CLI changes were introduced.
-<!--
+
 Review the following summary of important new, deprecated, or removed CLI options. For full details, see the [changelogs](#changelogs).
 
 **New CLI commands or options**:
 
-* `glooctl create secret encryptionkey`: [Create encryption secrets]({{% versioned_link_path fromRoot="/reference/cli/glooctl_create_secret_encryptionkey/" %}}), such as to use in the `cipherConfig` field of the `ExtAuthConfig` resource.
+* `glooctl proxy snapshot`: [Create a snapshot of the current state in Envoy]({{% versioned_link_path fromRoot="/reference/cli/glooctl_proxy_snapshot/" %}}) for the purpose of simplified issue reporting and triaging.
+
+<!-->
+As part of the {{< readfile file="static/content/version_geoss_latest.md" markdown="true">}} release, no CLI changes were introduced.
 
 **Changed behavior**:-->