Merge remote-tracking branch 'upstream/main' into snappcloud

snapp-incubator · Jan 8, 2024 · 6bf5adb · 6bf5adb
2 parents c11d7f7 + c1dd2da
commit 6bf5adb
Show file tree

Hide file tree

Showing 286 changed files with 30,139 additions and 5,195 deletions.
diff --git a/.github/reviewers.yaml b/.github/reviewers.yaml
@@ -0,0 +1,7 @@
+reviewers:
+  defaults:
+  - team:contour-reviewers
+
+options:
+  ignore_draft: true
+  number_of_reviewers: 1
diff --git a/.github/workflows/openssf-scorecard.yaml b/.github/workflows/openssf-scorecard.yaml
@@ -0,0 +1,46 @@
+name: OpenSSF Scorecard
+on:
+  branch_protection_rule:
+  # Run weekly
+  schedule:
+  - cron: '0 12 * * 1'
+  push:
+    branches:
+    - "main"
+  # Allow manual runs
+  workflow_dispatch:
+
+permissions:
+  contents: read
+
+jobs:
+  analysis:
+    name: Scorecard analysis
+    runs-on: ubuntu-latest
+    permissions:
+      security-events: write
+      id-token: write
+
+    steps:
+    - name: "Checkout code"
+      uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+      with:
+        persist-credentials: false
+
+    - name: "Run analysis"
+      uses: ossf/scorecard-action@0864cf19026789058feabb7e87baa5f140aac736 # v2.3.1
+      with:
+        results_file: results.sarif
+        results_format: sarif
+        publish_results: true
+
+    - name: "Upload artifact"
+      uses: actions/upload-artifact@c7d193f32edcb7bfad88892161225aeda64e9392 # v4.0.0
+      with:
+        name: SARIF file
+        path: results.sarif
+
+    - name: "Upload to code-scanning"
+      uses: github/codeql-action/upload-sarif@012739e5082ff0c22ca6d6ab32e07c36df03c4a4 # v3.22.12
+      with:
+        sarif_file: results.sarif
diff --git a/.github/workflows/request-reviews.yaml b/.github/workflows/request-reviews.yaml
@@ -0,0 +1,14 @@
+name: Request Reviews
+
+on:
+  pull_request_target:
+    types: [opened, ready_for_review, reopened]
+
+jobs:
+  request-reviews:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: necojackarc/auto-request-review@6a51cebffe2c084705d9a7b394abd802e0119633 # v0.12.0
+        with:
+          token: ${{ secrets.PAT_FOR_AUTO_REQUEST_REVIEW }}
+          config: .github/reviewers.yaml
diff --git a/.gitignore b/.gitignore
@@ -28,5 +28,8 @@ site/public
 # Saved container image archive
 image/
 
+# Gateway API conformance report output
+gateway-conformance-report/
+
 # Compiled tests from Ginkgo
 *.test
diff --git a/.golangci.yml b/.golangci.yml
@@ -32,16 +32,39 @@ linters-settings:
       - http.DefaultTransport
   revive:
     rules:
-      - name: use-any
+    - name: blank-imports
+    - name: context-as-argument
+    - name: context-keys-type
+    - name: dot-imports
+    - name: empty-block
+    - name: error-naming
+    - name: error-return
+    - name: error-strings
+    - name: errorf
+    - name: exported
+    - name: increment-decrement
+    - name: indent-error-flow
+    - name: package-comments
+    - name: range
+    - name: receiver-naming
+    - name: redefines-builtin-id
+    - name: superfluous-else
+    - name: time-naming
+    - name: unexported-return
+    - name: unreachable-code
+    - name: unused-parameter
+    - name: use-any
+    - name: var-declaration
+    - name: var-naming
 
 issues:
   exclude-rules:
-  - linters:
-    - unparam
+  - linters: ["unparam"]
     text: "always receives"
   - path: zz_generated
-    linters:
-    - goimports
+    linters: ["goimports"]
   - path: test/e2e
-    linters:
-      - bodyclose
+    linters: ["bodyclose"]
+  - path: test/e2e
+    linters: ["revive"]
+    text: "should not use dot imports"
diff --git a/Makefile b/Makefile
@@ -6,7 +6,7 @@ IMAGE := $(REGISTRY)/$(PROJECT)
 SRCDIRS := ./cmd ./internal ./apis
 LOCAL_BOOTSTRAP_CONFIG = localenvoyconfig.yaml
 SECURE_LOCAL_BOOTSTRAP_CONFIG = securelocalenvoyconfig.yaml
-ENVOY_IMAGE = docker.io/envoyproxy/envoy:v1.27.2
+ENVOY_IMAGE = docker.io/envoyproxy/envoy:v1.28.0
 GATEWAY_API_VERSION ?= $(shell grep "sigs.k8s.io/gateway-api" go.mod | awk '{print $$2}')
 
 # Used to supply a local Envoy docker container an IP to connect to that is running
@@ -44,7 +44,7 @@ endif
 IMAGE_PLATFORMS ?= linux/amd64,linux/arm64
 
 # Base build image to use.
-BUILD_BASE_IMAGE ?= golang:1.21.3
+BUILD_BASE_IMAGE ?= golang:1.21.5
 
 # Enable build with CGO.
 BUILD_CGO_ENABLED ?= 0

diff --git a/apis/projectcontour/v1/httpproxy.go b/apis/projectcontour/v1/httpproxy.go
@@ -1315,14 +1315,27 @@ type HeaderValue struct {
 }
 
 // UpstreamValidation defines how to verify the backend service's certificate
+// +kubebuilder:validation:XValidation:message="subjectNames[0] must equal subjectName if set",rule="has(self.subjectNames) ? self.subjectNames[0] == self.subjectName : true"
 type UpstreamValidation struct {
 	// Name or namespaced name of the Kubernetes secret used to validate the certificate presented by the backend.
 	// The secret must contain key named ca.crt.
 	// The name can be optionally prefixed with namespace "namespace/name".
 	// When cross-namespace reference is used, TLSCertificateDelegation resource must exist in the namespace to grant access to the secret.
+	// Max length should be the actual max possible length of a namespaced name (63 + 253 + 1 = 317)
+	// +kubebuilder:validation:MinLength=1
+	// +kubebuilder:validation:MaxLength=317
 	CACertificate string `json:"caSecret"`
 	// Key which is expected to be present in the 'subjectAltName' of the presented certificate.
+	// Deprecated: migrate to using the plural field subjectNames.
+	// +kubebuilder:validation:MinLength=1
+	// +kubebuilder:validation:MaxLength=250
 	SubjectName string `json:"subjectName"`
+	// List of keys, of which at least one is expected to be present in the 'subjectAltName of the
+	// presented certificate.
+	// +optional
+	// +kubebuilder:validation:MinItems=1
+	// +kubebuilder:validation:MaxItems=8
+	SubjectNames []string `json:"subjectNames"`
 }
 
 // DownstreamValidation defines how to verify the client certificate.

diff --git a/apis/projectcontour/v1/zz_generated.deepcopy.go b/apis/projectcontour/v1/zz_generated.deepcopy.go
diff --git a/apis/projectcontour/v1alpha1/contourconfig.go b/apis/projectcontour/v1alpha1/contourconfig.go
@@ -84,8 +84,19 @@ type ContourConfigurationSpec struct {
 
 	// Tracing defines properties for exporting trace data to OpenTelemetry.
 	Tracing *TracingConfig `json:"tracing,omitempty"`
+
+	// FeatureFlags defines toggle to enable new contour features.
+	// Available toggles are:
+	// useEndpointSlices - configures contour to fetch endpoint data
+	// from k8s endpoint slices. defaults to false and reading endpoint
+	// data from the k8s endpoints.
+	FeatureFlags FeatureFlags `json:"featureFlags,omitempty"`
 }
 
+// FeatureFlags defines the set of feature flags
+// to toggle new contour features.
+type FeatureFlags []string
+
 // XDSServerType is the type of xDS server implementation.
 type XDSServerType string
 
@@ -96,6 +107,21 @@ const (
 	EnvoyServerType XDSServerType = "envoy"
 )
 
+type GlobalCircuitBreakerDefaults struct {
+	// The maximum number of connections that a single Envoy instance allows to the Kubernetes Service; defaults to 1024.
+	// +optional
+	MaxConnections uint32 `json:"maxConnections,omitempty" yaml:"max-connections,omitempty"`
+	// The maximum number of pending requests that a single Envoy instance allows to the Kubernetes Service; defaults to 1024.
+	// +optional
+	MaxPendingRequests uint32 `json:"maxPendingRequests,omitempty" yaml:"max-pending-requests,omitempty"`
+	// The maximum parallel requests a single Envoy instance allows to the Kubernetes Service; defaults to 1024
+	// +optional
+	MaxRequests uint32 `json:"maxRequests,omitempty" yaml:"max-requests,omitempty"`
+	// The maximum number of parallel retries a single Envoy instance allows to the Kubernetes Service; defaults to 3.
+	// +optional
+	MaxRetries uint32 `json:"maxRetries,omitempty" yaml:"max-retries,omitempty"`
+}
+
 // XDSServerConfig holds the config for the Contour xDS server.
 type XDSServerConfig struct {
 	// Defines the XDSServer to use for `contour serve`.
@@ -681,6 +707,17 @@ type ClusterParameters struct {
 	// +kubebuilder:validation:Minimum=1
 	// +optional
 	PerConnectionBufferLimitBytes *uint32 `json:"per-connection-buffer-limit-bytes,omitempty"`
+
+	// GlobalCircuitBreakerDefaults specifies default circuit breaker budget across all services.
+	// If defined, this will be used as the default for all services.
+	//
+	// +optional
+	GlobalCircuitBreakerDefaults *GlobalCircuitBreakerDefaults `json:"circuitBreakers,omitempty"`
+
+	// UpstreamTLS contains the TLS policy parameters for upstream connections
+	//
+	// +optional
+	UpstreamTLS *EnvoyTLS `json:"upstreamTLS,omitempty"`
 }
 
 // HTTPProxyConfig defines parameters on HTTPProxy.

diff --git a/apis/projectcontour/v1alpha1/contourconfig_helpers.go b/apis/projectcontour/v1alpha1/contourconfig_helpers.go
@@ -15,11 +15,20 @@ package v1alpha1
 
 import (
 	"fmt"
+	"slices"
 	"strconv"
 
 	"k8s.io/apimachinery/pkg/util/sets"
 )
 
+const (
+	featureFlagUseEndpointSlices string = "useEndpointSlices"
+)
+
+var featureFlagsMap = map[string]bool{
+	featureFlagUseEndpointSlices: true,
+}
+
 // Validate configuration that is not already covered by CRD validation.
 func (c *ContourConfigurationSpec) Validate() error {
 	// Validation of root configuration fields.
@@ -215,6 +224,20 @@ func (e *EnvoyTLS) SanitizedCipherSuites() []string {
 	return validatedCiphers
 }
 
+func (f FeatureFlags) Validate() error {
+	for _, featureFlag := range f {
+		if _, found := featureFlagsMap[featureFlag]; !found {
+			return fmt.Errorf("invalid contour configuration, unknown feature flag:%s", featureFlag)
+		}
+	}
+
+	return nil
+}
+
+func (f FeatureFlags) IsEndpointSliceEnabled() bool {
+	return slices.Contains(f, featureFlagUseEndpointSlices)
+}
+
 // Validate ensures that exactly one of ControllerName or GatewayRef are specified.
 func (g *GatewayConfig) Validate() error {
 	if g == nil {

diff --git a/apis/projectcontour/v1alpha1/contourconfig_helpers_test.go b/apis/projectcontour/v1alpha1/contourconfig_helpers_test.go
@@ -14,6 +14,7 @@
 package v1alpha1_test
 
 import (
+	"fmt"
 	"testing"
 
 	"github.com/projectcontour/contour/apis/projectcontour/v1alpha1"
@@ -294,3 +295,39 @@ func TestAccessLogFormatExtensions(t *testing.T) {
 	}
 	assert.Empty(t, e3.AccessLogFormatterExtensions())
 }
+
+func TestFeatureFlagsValidate(t *testing.T) {
+	tests := []struct {
+		name     string
+		flags    v1alpha1.FeatureFlags
+		expected error
+	}{
+		{
+			name:     "valid flag",
+			flags:    v1alpha1.FeatureFlags{"useEndpointSlices"},
+			expected: nil,
+		},
+		{
+			name:     "invalid flag",
+			flags:    v1alpha1.FeatureFlags{"invalidFlag"},
+			expected: fmt.Errorf("invalid contour configuration, unknown feature flag:invalidFlag"),
+		},
+		{
+			name:     "mix of valid and invalid flags",
+			flags:    v1alpha1.FeatureFlags{"useEndpointSlices", "invalidFlag"},
+			expected: fmt.Errorf("invalid contour configuration, unknown feature flag:invalidFlag"),
+		},
+		{
+			name:     "empty flags",
+			flags:    v1alpha1.FeatureFlags{},
+			expected: nil,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			err := tt.flags.Validate()
+			assert.Equal(t, tt.expected, err)
+		})
+	}
+}
diff --git a/apis/projectcontour/v1alpha1/contourdeployment.go b/apis/projectcontour/v1alpha1/contourdeployment.go
@@ -68,6 +68,9 @@ type ContourDeploymentSpec struct {
 	RuntimeSettings *ContourConfigurationSpec `json:"runtimeSettings,omitempty"`
 
 	// ResourceLabels is a set of labels to add to the provisioned Contour resources.
+	//
+	// Deprecated: use Gateway.Spec.Infrastructure.Labels instead. This field will be
+	// removed in a future release.
 	// +optional
 	ResourceLabels map[string]string `json:"resourceLabels,omitempty"`
 }