Merge branch 'sheidkamp/apikey_metadata' of ssh://github.com/solo-io/…

…gloo into sheidkamp/apikey_metadata
solo-io · Sep 17, 2024 · 1806902 · 1806902
2 parents b9a576a + 6524930
commit 1806902
Show file tree

Hide file tree

Showing 193 changed files with 1,034 additions and 432 deletions.
diff --git a/.github/workflows/pr-kubernetes-tests.yaml b/.github/workflows/pr-kubernetes-tests.yaml
@@ -50,27 +50,36 @@ jobs:
         # Our goal is to load balance tests in a way that allows quick iteration on PRs
         # If tests are exceeding the 25-minute limit, please see:
         # /test/kubernetes/e2e/load_balancing_tests.md
+        #
+        # Above each test below, we document the latest date/time for the GitHub action step to run
+        # NOTE: We use the GitHub action step time (as opposed to the `go test` time), because it is easier to capture
+
         test:
-        # August 6, 2024: 23 minutes execution time (see load_balancing_tests.md)
+        # September 16, 2024: 22 minutes
         - cluster-name: 'cluster-one'
           go-test-args: '-v -timeout=25m'
-          go-test-run-regex: '^TestGloomtlsGatewayEdgeGateway$$|^TestK8sGateway$$/^RouteDelegation$$|^TestK8sGateway$$/^Services$$|^TestGlooctlGlooGatewayEdgeGateway$$|^TestGlooctlK8sGateway$$|^TestHelm$$'
+          go-test-run-regex: '^TestK8sGateway$$/^RouteDelegation$$|^TestK8sGateway$$/^Services$$|^TestGlooctlGlooGatewayEdgeGateway$$|^TestGlooctlK8sGateway$$'
 
-        # August 6, 2024: 27 minutes execution time (see load_balancing_tests.md)
+        # September 16, 2024: 16 minutes
         - cluster-name: 'cluster-two'
           go-test-args: '-v -timeout=25m'
-          go-test-run-regex: '^TestValidationStrict$$|^TestValidationAlwaysAccept$$|^TestTransformationValidationDisabled$$|^TestK8sGatewayIstioRevision$$|^TestRevisionIstioRegression$$|^TestK8sGateway$$/^Deployer$$|^TestK8sGateway$$/^RouteOptions$$|^TestK8sGateway$$/^VirtualHostOptions$$|^TestK8sGateway$$/^Upstreams$$|^TestK8sGateway$$/^HeadlessSvc$$|^TestK8sGateway$$/^PortRouting$$|^TestK8sGatewayMinimalDefaultGatewayParameters$$'
+          go-test-run-regex: '^TestK8sGatewayIstioRevision$$|^TestRevisionIstioRegression$$|^TestK8sGateway$$/^Deployer$$|^TestK8sGateway$$/^RouteOptions$$|^TestK8sGateway$$/^VirtualHostOptions$$|^TestK8sGateway$$/^Upstreams$$|^TestK8sGateway$$/^HeadlessSvc$$|^TestK8sGateway$$/^PortRouting$$|^TestK8sGatewayMinimalDefaultGatewayParameters$$'
 
-        # August 6, 2024: 26 minutes execution time (see load_balancing_tests.md)
+        # September 16, 2024: 21 minutes
         - cluster-name: 'cluster-three'
           go-test-args: '-v -timeout=25m'
           go-test-run-regex: '(^TestK8sGatewayIstioAutoMtls$$|^TestAutomtlsIstioEdgeApisGateway$$|^TestIstioEdgeApiGateway$$|^TestIstioRegression$$)'
 
-        # August 6, 2024: 24 minutes execution time (see load_balancing_tests.md)
+        # September 16, 2024: 23 minutes
         - cluster-name: 'cluster-four'
           go-test-args: '-v -timeout=25m'
           go-test-run-regex: '(^TestK8sGatewayIstio$$|^TestGlooGatewayEdgeGateway$$|^TestGlooctlIstioInjectEdgeApiGateway$$|^TestK8sGatewayNoValidation$$)'
 
+        # September 16, 2024: 17 minutes
+        - cluster-name: 'cluster-five'
+          go-test-args: '-v -timeout=25m'
+          go-test-run-regex: '^TestValidationStrict$$|^TestValidationAlwaysAccept$$|^TestTransformationValidationDisabled$$|^TestGloomtlsGatewayEdgeGateway$$|^TestHelm$$'
+
         # In our PR tests, we run the suite of tests using the upper ends of versions that we claim to support
         # The versions should mirror: https://docs.solo.io/gloo-edge/latest/reference/support/
         version-files:

diff --git a/.trivyignore b/.trivyignore
@@ -42,3 +42,7 @@ CVE-2019-14993
 CVE-2021-39155
 CVE-2021-39156
 CVE-2022-23635
+
+# Ignore go stdlib vulnerability. Go bump to 1.22.7 in N-1 branches cover this, but older versions we aren't concerned
+# about updating as it shouldn't affect us
+CVE-2024-34156
diff --git a/changelog/v1.18.0-beta22/ai-additional-labels.yaml b/changelog/v1.18.0-beta22/ai-additional-labels.yaml
@@ -0,0 +1,5 @@
+changelog:
+  - type: NEW_FEATURE
+    issueLink: https://github.com/solo-io/solo-projects/issues/6895
+    description: >- 
+      Add an API to allow configuring additional labels for AI request stats.
diff --git a/changelog/v1.18.0-beta22/doc-cors.yaml b/changelog/v1.18.0-beta22/doc-cors.yaml
@@ -0,0 +1,5 @@
+changelog:
+  - type: NON_USER_FACING
+    description: >- 
+      Update regular expression used in allowOriginRegex in the CORS documentation.
+      skipCI-kube-tests: true
diff --git a/changelog/v1.18.0-beta22/doc-fixes1.yaml b/changelog/v1.18.0-beta22/doc-fixes1.yaml
@@ -0,0 +1,5 @@
+changelog:
+  - type: NON_USER_FACING
+    description: >- 
+      Weekly doc fixes such as links, grammar, typos, and version updates.
+      skipCI-kube-tests:true
diff --git a/changelog/v1.18.0-beta22/glooctl-check-metrics-timeout.yaml b/changelog/v1.18.0-beta22/glooctl-check-metrics-timeout.yaml
@@ -0,0 +1,4 @@
+changelog:
+  - type: NON_USER_FACING
+    description: >-
+      Increases timeout for retrieving proxy metrics in glooctl check to 60 seconds.
diff --git a/changelog/v1.18.0-beta22/glooctl-check-retries.yaml b/changelog/v1.18.0-beta22/glooctl-check-retries.yaml
@@ -0,0 +1,6 @@
+changelog:
+  - type: FIX
+    issueLink: https://github.com/solo-io/gloo/issues/10020
+    resolvesIssue: false
+    description: >-
+      Increase timeout/retries for glooctl check when connecting to the gateway using port forwarding.
diff --git a/changelog/v1.18.0-beta22/ignore-cve-2024-34156.yaml b/changelog/v1.18.0-beta22/ignore-cve-2024-34156.yaml
@@ -0,0 +1,5 @@
+changelog:
+  - type: NON_USER_FACING
+    description: >- 
+      Ignore CVE-2024-34156 go stdlib vulnerability. Go bump to 1.22.7 in N-1 branches cover this, but older versions we
+      aren't concerned about updating as it shouldn't affect us.
diff --git a/changelog/v1.18.0-beta22/persist-proxy-upgrade-fix.yaml b/changelog/v1.18.0-beta22/persist-proxy-upgrade-fix.yaml
@@ -0,0 +1,12 @@
+changelog:
+  - type: FIX
+    issueLink: https://github.com/solo-io/gloo/issues/9968
+    resolvesIssue: false
+    description: >-
+      Fixes an issue on upgrades to 1.17+ where persistproxyspec was set to true.
+      Persist proxy spec is configured in helm via gateway.persistProxySpec or in ee gloo.gateway.persistProxySpec
+  - type: NON_USER_FACING
+    description:
+      Updates upgrade test with some of the extra functionality previously only in the enterprise test steps.
+      This is used to validate the main issue for persistproxy spec.
+      The changes do not adhere to our current best practices on writing tests but follow the prior art in enterprise.
diff --git a/changelog/v1.18.0-beta22/rebalance-kube-tests.yaml b/changelog/v1.18.0-beta22/rebalance-kube-tests.yaml
@@ -0,0 +1,5 @@
+changelog:
+  - type: NON_USER_FACING
+    description: >-
+      Add cluster-five to the set of KinD clusters that execute our Kubernetes tests. This is to ensure
+      that our existing 4 clusters do not exceed the 25 minute time limit.
diff --git a/changelog/v1.18.0-beta22/tls-secret-validation.yaml b/changelog/v1.18.0-beta22/tls-secret-validation.yaml
@@ -0,0 +1,8 @@
+changelog:
+  - type: FIX
+    issueLink: https://github.com/solo-io/solo-projects/issues/6772
+    resolvesIssue: false
+    description: >-
+      Plugs a gap where go would check a secret for validity per spec but Envoy is more aggressive.
+      For example a TLS secret with a certChain that contains an invalid PEM block will be rejected by Envoy but not Go.
+      Prior to this PR these types of secrets would be accepted by Gloo and nacked by Envoy.
diff --git a/changelog/v1.18.0-beta22/upgrade-go-control-plane.yaml b/changelog/v1.18.0-beta22/upgrade-go-control-plane.yaml
@@ -0,0 +1,21 @@
+changelog:
+  - type: DEPENDENCY_BUMP
+    dependencyOwner: envoyproxy
+    dependencyRepo: go-control-plane
+    dependencyTag: v0.13.0
+  - type: DEPENDENCY_BUMP
+    dependencyOwner: golang
+    dependencyRepo: protobuf
+    dependencyTag: v1.5.4
+  - type: DEPENDENCY_BUMP
+    dependencyOwner: envoyproxy
+    dependencyRepo: protoc-gen-validate
+    dependencyTag: v1.0.4
+  - type: DEPENDENCY_BUMP
+    dependencyOwner: google.golang.com
+    dependencyRepo: grpc
+    dependencyTag: v1.65.0
+  - type: DEPENDENCY_BUMP
+    dependencyOwner: google.golang.com
+    dependencyRepo: protobuf
+    dependencyTag: v1.34.1
diff --git a/changelog/v1.18.0-beta22/upgrade-go.yaml b/changelog/v1.18.0-beta22/upgrade-go.yaml
@@ -0,0 +1,13 @@
+changelog:
+  - type: NON_USER_FACING
+    description: Upgrade kubernetes to 1.31 and go to 1.23.1
+    issueLink: https://github.com/solo-io/gloo/issues/9683
+    resolvesIssue: false
+  - type: DEPENDENCY_BUMP
+    dependencyOwner: solo-io
+    dependencyRepo: cloud-builders
+    dependencyTag: 0.10.1
+  - type: DEPENDENCY_BUMP
+    dependencyOwner: golang
+    dependencyRepo: go
+    dependencyTag: go1.23.1
diff --git a/ci/cloudbuild/publish-artifacts.yaml b/ci/cloudbuild/publish-artifacts.yaml
@@ -1,6 +1,6 @@
 steps:
 
-- name: 'gcr.io/$PROJECT_ID/prepare-go-workspace:0.9.3'
+- name: 'gcr.io/$PROJECT_ID/prepare-go-workspace:0.10.1'
   id: 'prepare-workspace'
   args:
   - '--repo-name'
@@ -44,7 +44,7 @@ steps:
   - 'us-central1-a'
 
 # Run make targets to push docker images to quay.io
-- name: 'gcr.io/$PROJECT_ID/go-mod-make:0.9.3'
+- name: 'gcr.io/$PROJECT_ID/go-mod-make:0.10.1'
   id: 'publish-docker'
   args:
   - 'publish-docker'
@@ -65,7 +65,7 @@ steps:
   waitFor:
   - 'publish-docker'
 
-- name: 'gcr.io/$PROJECT_ID/go-mod-make:0.9.3'
+- name: 'gcr.io/$PROJECT_ID/go-mod-make:0.10.1'
   id: 'release-chart'
   dir: *dir
   args:
@@ -80,7 +80,7 @@ steps:
   - 'gcr-auth'
 
 # Run make targets to retag and push docker images to GCR
-- name: 'gcr.io/$PROJECT_ID/go-mod-make:0.9.3'
+- name: 'gcr.io/$PROJECT_ID/go-mod-make:0.10.1'
   id: 'docker-push-extended-gcr'
   dir: *dir
   args:

diff --git a/ci/cloudbuild/run-tests.yaml b/ci/cloudbuild/run-tests.yaml
@@ -1,6 +1,6 @@
 steps:
 
-- name: 'gcr.io/$PROJECT_ID/prepare-go-workspace:0.9.3'
+- name: 'gcr.io/$PROJECT_ID/prepare-go-workspace:0.10.1'
   id: 'prepare-workspace'
   args:
   - '--repo-name'
@@ -23,7 +23,7 @@ steps:
     cd /go/pkg
     gsutil cat gs://$PROJECT_ID-cache/gloo/gloo-mod.tar.gz | tar -xzf - || echo "untar mod cache failed; continuing because we can download deps as we need them"
 
-- name: 'gcr.io/$PROJECT_ID/go-mod-make:0.9.3'
+- name: 'gcr.io/$PROJECT_ID/go-mod-make:0.10.1'
   id: 'prepare-envoy'
   dir: *dir
   entrypoint: 'bash'
@@ -77,7 +77,7 @@ steps:
   waitFor:
   - 'prepare-gcr-zone'
 
-- name: 'gcr.io/$PROJECT_ID/go-mod-make:0.9.3'
+- name: 'gcr.io/$PROJECT_ID/go-mod-make:0.10.1'
   id: 'prepare-test-tools'
   dir: *dir
   args:
@@ -88,7 +88,7 @@ steps:
   - 'prepare-gcr-zone'
   - 'prepare-test-credentials'
 
-- name: 'gcr.io/$PROJECT_ID/e2e-go-mod-ginkgo:0.9.3'
+- name: 'gcr.io/$PROJECT_ID/e2e-go-mod-ginkgo:0.10.1'
   id: 'run-tests'
   dir: *dir
   entrypoint: 'make'
@@ -99,7 +99,7 @@ steps:
   secretEnv:
   - 'JWT_PRIVATE_KEY'
 
-- name: 'gcr.io/$PROJECT_ID/e2e-go-mod-ginkgo:0.9.3'
+- name: 'gcr.io/$PROJECT_ID/e2e-go-mod-ginkgo:0.10.1'
   id: 'run-e2e-tests'
   dir: *dir
   entrypoint: 'make'
@@ -110,7 +110,7 @@ steps:
   secretEnv:
   - 'JWT_PRIVATE_KEY'
 
-- name: 'gcr.io/$PROJECT_ID/e2e-go-mod-ginkgo:0.9.3'
+- name: 'gcr.io/$PROJECT_ID/e2e-go-mod-ginkgo:0.10.1'
   id: 'run-hashicorp-e2e-tests'
   dir: *dir
   entrypoint: 'make'

diff --git a/cloudbuild-cache.yaml b/cloudbuild-cache.yaml
@@ -1,6 +1,6 @@
 options:
   env:
-    - "_GO_VERSION=1.22.7"
+    - "_GO_VERSION=1.23.1"
 
 steps:
 - name: gcr.io/cloud-builders/gsutil

diff --git a/docs/content/guides/security/access_logging/_index.md b/docs/content/guides/security/access_logging/_index.md
@@ -409,7 +409,15 @@ spec:
 
 You can apply different filters on your access logs to reduce and optimize the number of logs that are stored. For example, you can filter access logs based on request headers, HTTP response codes, gRPC status codes, request duration, health check status, tracing parameters, response flags, and more. You can also combine multiple filters, and perform `AND` and `OR` operations on filter results. For more information, see {{% protobuf name="als.options.gloo.solo.io.AccessLogFilter" display="AccessLogFilter"%}}. 
 
-1. Follow the steps in [File-based](file-based-access-logging) or [gRPC](#grpc-access-loggin) access logging to enable access logging for your gateway.
+### Using status code filters
+
+You can apply access log filters to requests that match a specific HTTP status code by using the `defaultValue` or `runtimeKey` option. 
+
+**Option 1: Use `defaultValue`** </br>
+
+Use the `defaultValue` option in the Gateway resource to specify the HTTP status code for which you want to apply the access log filter. Note that the `defaultValue` is set for a specific Gateway only. To apply the same HTTP status code to multiple Gateway resources, see `Option 2: Override the default value with a runtime key-value pair`. 
+
+1. Follow the steps in [File-based](#file-based-access-logging) or [gRPC](#grpc-access-logging) access logging to enable access logging for your gateway.
 2. To apply additional filters to your access logs, you create or edit your gateway resource and add the access log filters to the `spec.options.accessLoggingService.accessLog` section. The following example uses file-based access logging and captures access logs only for requests with an HTTP response code that is greater than or equal to 400. 
    ```yaml
    apiVersion: gateway.solo.io/v1
@@ -437,18 +445,63 @@ You can apply different filters on your access logs to reduce and optimize the n
                  op: GE
                  value: 
                    defaultValue: 400
-                   # see note below about runtimeKey
-                   runtimeKey: "my_status_code_filter"
      proxyNames:
      - gateway-proxy
      ssl: false
      useProxyProto: false
    ```
 
+**Option 2: Override the default value with a runtime key-value pair**: </br>
+
+You can apply access log filters for requests that match an HTTP status code that you defined in the [Envoy runtime configuration layer](https://www.envoyproxy.io/docs/envoy/v1.30.0/configuration/operations/runtime#config-runtime-bootstrap). This setup is useful if you have multiple gateway proxies that all share the same runtime configuration.
+
 {{% notice note %}}
-Note that the `runtimeKey` is enforced only if it matches a key that is defined in Envoy's [runtime configuration layer](https://www.envoyproxy.io/docs/envoy/v1.30.0/configuration/operations/runtime#config-runtime-bootstrap). Gloo Gateway does not include a key by default. To specify a key-value pair, use the [gatewayProxies.NAME.customStaticLayer]({{< versioned_link_path fromRoot="/reference/helm_chart_values/" >}}) Helm value or set the key at runtime by using the gateway proxy admin interface.
+Note that the `runtimeKey` is enforced only if it matches a key that is defined in Envoy’s runtime configuration layer. Gloo Gateway does not include a key by default. If the key cannot be found in the Envoy runtime configuration, the `defaultValue` option is used to determine the HTTP status code for which to enforce the access log filter. 
 {{% /notice %}}
 
+1. Set a runtime value in the Envoy configuration layer for the status code that you want to apply the access log filter for. The runtime value is a key-value pair, such as `access_log_status_filter: 400`. Choose between the following options to set the runtime value:
+   * Set the runtime value by using the `gatewayProxies.NAME.customStaticLayer` Helm value.
+   * Set the runtime value by using the gateway proxy admin interface.
+
+2. Follow the steps in [File-based](#file-based-access-logging) or [gRPC](#grpc-access-loggin) access logging to enable access logging for your gateway.
+3. Create or edit your gateway resource and add the access log filters to the `spec.options.accessLoggingService.accessLog` section. The following example uses file-based access logging and captures access logs only for requests with an HTTP response code that is greater than or equal to what is defined in the `access_log_status_filter` runtime value.
+
+   {{% notice note %}}
+   Note that the `runtimeKey` overrides any settings in `defaultValue`
+   {{% /notice %}}
+
+   ```yaml
+   apiVersion: gateway.solo.io/v1
+   kind: Gateway
+   metadata:
+     labels:
+       app: gloo
+     name: gateway-proxy
+     namespace: gloo-system
+   spec:
+     bindAddress: '::'
+     bindPort: 8080
+     options:
+       accessLoggingService:
+         accessLog:
+         - fileSink:
+             jsonFormat:
+               duration: '%DURATION%'
+               origpath: '%REQ(X-ENVOY-ORIGINAL-PATH?:PATH)%'
+               protocol: '%PROTOCOL%'
+             path: /dev/stdout
+           filter:
+             statusCodeFilter:
+               comparison:
+                 op: GE
+                 value: 
+                   runtimeKey: "access_log_status_filter"
+     proxyNames:
+     - gateway-proxy
+     ssl: false
+     useProxyProto: false
+   ```
+
 For more configuration options, see {{% protobuf name="als.options.gloo.solo.io.AccessLogFilter" display="AccessLogFilter"%}}.
 
 ### Using header filters on access logs with prefix matching

diff --git a/docs/content/guides/security/cors/_index.md b/docs/content/guides/security/cors/_index.md
@@ -85,7 +85,7 @@ spec:
         allowOrigin:
         - https://example.com
         allowOriginRegex:
-        - https://[a-zA-Z0-9]*.example.com
+        - https://[a-zA-Z0-9]*\.example\.com
         exposeHeaders:
         - origin
         maxAge: 1d
@@ -99,7 +99,7 @@ The following fields are available when configuring a CORS policy for your `Virt
 | Field              | Type       | Description                                                                                                                                                      | Default |
 | ------------------ | ---------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------- |
 | `allowOrigin`      | `[]string` | Specifies the origins that will be allowed to make CORS requests. An origin is allowed if either allow_origin or allow_origin_regex match.                       |         |
-| `allowOriginRegex` | `[]string` | Specifies regex patterns that match origins that will be allowed to make CORS requests. An origin is allowed if either `allow_origin` or `allow_origin_regex` match. Note that Gloo Gateway uses [ECMAScript](https://en.cppreference.com/w/cpp/regex/ecmascript) regex grammar. For example, to match all subdomains `https://example.com`, do not use `https://*.example.com`, but instead use `https://[a-zA-Z0-9]*.example.com`.   |         |
+| `allowOriginRegex` | `[]string` | Specifies regex patterns that match origins that will be allowed to make CORS requests. An origin is allowed if either `allow_origin` or `allow_origin_regex` match. Note that Gloo Gateway uses [ECMAScript](https://en.cppreference.com/w/cpp/regex/ecmascript) regex grammar. For example, to match all subdomains `https://example.com`, do not use `https://*.example.com`, but instead use `https://[a-zA-Z0-9]*\.example\.com`.   |         |
 | `allowMethods`     | `[]string` | Specifies the content for the *access-control-allow-methods* header.                                                                                             |         |
 | `allowHeaders`     | `[]string` | Specifies the content for the *access-control-allow-headers* header.                                                                                             |         |
 | `exposeHeaders`    | `[]string` | Specifies the content for the *access-control-expose-headers* header.                                                                                            |         |
@@ -135,7 +135,7 @@ The following fields are available when configuring a CORS policy for your `Virt
            allowOrigin:
            - https://example.com
            allowOriginRegex:
-           - https://[a-zA-Z0-9]*.example.com
+           - https://[a-zA-Z0-9]*\.example\.com
            exposeHeaders:
            - origin
            maxAge: 1d
@@ -232,7 +232,7 @@ The following fields are available when configuring a CORS policy for your `Virt
            allowOrigin:
            - https://fake.com
            allowOriginRegex:
-           - https://[a-zA-Z0-9]*.example.com
+           - https://[a-zA-Z0-9]*\.example\.com
            exposeHeaders:
            - origin
            - vh-header
@@ -305,7 +305,7 @@ The following fields are available when configuring a CORS policy for your `Virt
            allowOrigin:
            - https://fake.com
            allowOriginRegex:
-           - https://[a-zA-Z0-9]*.example.com
+           - https://[a-zA-Z0-9]*\.example\.com
            exposeHeaders:
            - origin
            - vh-header

diff --git a/docs/content/installation/platform_configuration/cluster_setup.md b/docs/content/installation/platform_configuration/cluster_setup.md
@@ -21,7 +21,7 @@ Installing Gloo Gateway will require an environment for installation. Kubernetes
    - [OpenShift](#openshift)
    - [Google Kubernetes Engine (GKE)](#google-kubernetes-engine-gke)
    - [Azure Kubernetes Service (AKS)](#azure-kubernetes-service-aks)
-   - [Amazon Elastic Container Service for Kubernetes (EKS)]   (#amazon-elastic-container-service-for-kubernetes-eks)
+   - [Amazon Elastic Container Service for Kubernetes (EKS)](#amazon-elastic-container-service-for-kubernetes-eks)
    - [Additional Notes](#additional-notes)
      - [DNS Records](#dns-records)
      - [Certificate Management](#certificate-management)