[release/v1.7] v1.7.0 cherrypick (#8190)

* chore(docs): Update Azure Entra link in OIDC guide (#8167)

Update Azure Entra link in OIDC guide

Signed-off-by: Guy Daich <[email protected]>

* fix: continue processing the remaining xDS with invalid EnvoyPatchPolicies (#8153)

continue processing the remaining xDS with invalid EnvoyPatchPolicies

Signed-off-by: Huabing (Robin) Zhao <[email protected]>
Signed-off-by: Karol Szwaj <[email protected]>

* build(deps): bump the actions group across 1 directory with 2 updates (#8178)

Bumps the actions group with 2 updates in the / directory: [docker/login-action](https://github.com/docker/login-action) and [github/codeql-action](https://github.com/github/codeql-action).

Updates `docker/login-action` from 3.6.0 to 3.7.0
- [Release notes](https://github.com/docker/login-action/releases)
- [Commits](docker/login-action@5e57cd1...c94ce9f)

Updates `github/codeql-action` from 4.32.0 to 4.32.1
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](github/codeql-action@b20883b...6bc82e0)

---
updated-dependencies:
- dependency-name: docker/login-action
  dependency-version: 3.7.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: actions
- dependency-name: github/codeql-action
  dependency-version: 4.32.1
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: actions
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Isaac Wilson <[email protected]>
Signed-off-by: Karol Szwaj <[email protected]>

* fix: skip provision when IR Infra is invalid (#7754)

* fix: do not trigger IR deletion when EnvoyProxy is invalid

Signed-off-by: zirain <[email protected]>

* add Invalid to ir.Infra

Signed-off-by: zirain <[email protected]>

* fix gen

Signed-off-by: zirain <[email protected]>

* add e2e

Signed-off-by: zirain <[email protected]>

* remove invalid

Signed-off-by: zirain <[email protected]>

* add comments

Signed-off-by: zirain <[email protected]>

* update

Signed-off-by: zirain <[email protected]>

* merge loop

Signed-off-by: zirain <[email protected]>

* move back

Signed-off-by: zirain <[email protected]>

---------

Signed-off-by: zirain <[email protected]>
Signed-off-by: Karol Szwaj <[email protected]>

* docs: add HTTP header and method based authentication task (#7990)

* docs: add HTTP header and method based authentication task

Signed-off-by: Aditya Sanskar Srivastav <[email protected]>

* docs: replace api-key examples with user header

Signed-off-by: Aditya Sanskar Srivastav <[email protected]>

* docs: format header and method authentication examples

Signed-off-by: Aditya Sanskar Srivastav <[email protected]>

* docs: add header and method based authorization examples

Signed-off-by: Aditya Sanskar Srivastav <[email protected]>

---------

Signed-off-by: Aditya Sanskar Srivastav <[email protected]>
Signed-off-by: Karol Szwaj <[email protected]>

* fix: Validation of XListenerSet certificateRefs (#8168)

Previously, validateTerminateModeAndGetTLSSecrets would always use the
namespace of the listener's gateway when verifying a cross-namespace
ref.

This meant that if the listener were from an XListenerSet, whether or
not the Secret associated with the certificateRef was in the same
namespace as the XListenerSet, it would not be permitted.

Additionally, and relatedly, this fixes an issue where an XListenerSet
could reference a Secret in the gateway's namespace without a
ReferenceGrant being present.

With this change we add a new GetNamespace() method to
gatewayapi.ListenerContext which returns the listener's gateway's
namespace for a listener added directly to the gateway, or the
XListenerSet's namespace otherwise. This is similar to some of the other
methods that were added to ListenerContext in support of XListenerSets.

The new method is used when creating the `crossNamespaceFrom` to
determine if the certificateRef is permitted. If the Secret and
XListenerSet are in the same namespace, it is permitted. If that is not
the case a ReferenceGrant from the XListenerSet to the Secret will be
properly searched for.

Signed-off-by: krishicks <[email protected]>
Signed-off-by: Karol Szwaj <[email protected]>

* fix: Remove whitespace for nodeSelector in deployment YAML - helm chart change (#8185)

Remove whitespace for nodeSelector in deployment YAML

Signed-off-by: Jess Belliveau <[email protected]>
Signed-off-by: Karol Szwaj <[email protected]>

* [release/v1.7.0] release notes (#8188)

Signed-off-by: Karol Szwaj <[email protected]>

---------

Signed-off-by: Guy Daich <[email protected]>
Signed-off-by: Huabing (Robin) Zhao <[email protected]>
Signed-off-by: Karol Szwaj <[email protected]>
Signed-off-by: dependabot[bot] <[email protected]>
Signed-off-by: zirain <[email protected]>
Signed-off-by: Aditya Sanskar Srivastav <[email protected]>
Signed-off-by: krishicks <[email protected]>
Signed-off-by: Jess Belliveau <[email protected]>
Co-authored-by: Guy Daich <[email protected]>
Co-authored-by: Huabing (Robin) Zhao <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Isaac Wilson <[email protected]>
Co-authored-by: zirain <[email protected]>
Co-authored-by: Aditya Sanskar Srivastav <[email protected]>
Co-authored-by: krishicks <[email protected]>
Co-authored-by: Jess Belliveau <[email protected]>

Author: 9 people

.github/workflows/build_and_test.yaml

@@ -308,7 +308,7 @@ jobs:
     # build and push image
     - name: Login to DockerHub
       if: github.event_name == 'push'
-      uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef  # v3.6.0
+      uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9  # v3.7.0
       with:
         username: ${{ vars.DOCKERHUB_USERNAME }}
         password: ${{ secrets.DOCKERHUB_PASSWORD }}

.github/workflows/codeql.yml

@@ -36,14 +36,14 @@ jobs:
     - uses: ./tools/github-actions/setup-deps
 
     - name: Initialize CodeQL
-      uses: github/codeql-action/init@b20883b0cd1f46c72ae0ba6d1090936928f9fa30  # v3.29.5
+      uses: github/codeql-action/init@6bc82e05fd0ea64601dd4b465378bbcf57de0314  # v3.29.5
       with:
         languages: ${{ matrix.language }}
 
     - name: Autobuild
-      uses: github/codeql-action/autobuild@b20883b0cd1f46c72ae0ba6d1090936928f9fa30  # v3.29.5
+      uses: github/codeql-action/autobuild@6bc82e05fd0ea64601dd4b465378bbcf57de0314  # v3.29.5
 
     - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@b20883b0cd1f46c72ae0ba6d1090936928f9fa30  # v3.29.5
+      uses: github/codeql-action/analyze@6bc82e05fd0ea64601dd4b465378bbcf57de0314  # v3.29.5
       with:
         category: "/language:${{matrix.language}}"

.github/workflows/release.yaml

@@ -67,7 +67,7 @@ jobs:
           } >> "$GITHUB_ENV"
 
       - name: Login to DockerHub
-        uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef  # v3.6.0
+        uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9  # v3.7.0
         with:
           username: ${{ vars.DOCKERHUB_USERNAME }}
           password: ${{ secrets.DOCKERHUB_PASSWORD }}

.github/workflows/scorecard.yml

@@ -40,6 +40,6 @@ jobs:
         retention-days: 5
 
     - name: "Upload to code-scanning"
-      uses: github/codeql-action/upload-sarif@b20883b0cd1f46c72ae0ba6d1090936928f9fa30  # v3.29.5
+      uses: github/codeql-action/upload-sarif@6bc82e05fd0ea64601dd4b465378bbcf57de0314  # v3.29.5
       with:
         sarif_file: results.sarif

VERSION

@@ -1 +1 @@
-v1.7.0-rc.2
+v1.7.0

charts/gateway-helm/templates/envoy-gateway-deployment.yaml

@@ -37,7 +37,7 @@ spec:
       {{- end }}
       {{- with .Values.deployment.pod.nodeSelector }}
       nodeSelector:
-        {{ toYaml . | nindent 8 }}
+        {{- toYaml . | nindent 8 }}
       {{- end }}
       {{- with .Values.deployment.pod.topologySpreadConstraints }}
       topologySpreadConstraints:

internal/cmd/egctl/testdata/translate/out/invalid-envoyproxy.all.yaml

@@ -41,3 +41,58 @@ gatewayClass:
       reason: InvalidParameters
       status: "False"
       type: Accepted
+gateways:
+- apiVersion: gateway.networking.k8s.io/v1
+  kind: Gateway
+  metadata:
+    name: eg
+    namespace: default
+  spec:
+    gatewayClassName: eg
+    listeners:
+    - allowedRoutes:
+        namespaces:
+          from: Same
+      name: tcp
+      port: 1234
+      protocol: TCP
+    - allowedRoutes:
+        namespaces:
+          from: Same
+      name: udp
+      port: 1234
+      protocol: UDP
+    - allowedRoutes:
+        namespaces:
+          from: Same
+      hostname: foo.com
+      name: tls-passthrough
+      port: 8443
+      protocol: TLS
+      tls:
+        mode: Passthrough
+    - allowedRoutes:
+        kinds:
+        - group: gateway.networking.k8s.io
+          kind: HTTPRoute
+        namespaces:
+          from: Same
+      name: http
+      port: 80
+      protocol: HTTP
+    - allowedRoutes:
+        kinds:
+        - group: gateway.networking.k8s.io
+          kind: GRPCRoute
+        namespaces:
+          from: Same
+      name: grpc
+      port: 8080
+      protocol: HTTP
+  status:
+    conditions:
+    - lastTransitionTime: null
+      message: 'Invalid parametersRef:: dynamic_resources cannot be modified'
+      reason: InvalidParameters
+      status: "False"
+      type: Accepted

internal/gatewayapi/contexts.go

@@ -204,6 +204,13 @@ func (l *ListenerContext) IsReady() bool {
 	return false
 }
 
+func (l *ListenerContext) GetNamespace() string {
+	if l.isFromXListenerSet() {
+		return l.xListenerSet.Namespace
+	}
+	return l.gateway.Namespace
+}
+
 func (l *ListenerContext) GetConditions() []metav1.Condition {
 	if l.isFromXListenerSet() {
 		return l.xListenerSet.Status.Listeners[l.xListenerSetStatusIdx].Conditions

internal/gatewayapi/testdata/envoyproxy-accesslog-with-bad-sinks.out.yaml

@@ -19,5 +19,41 @@ gatewayClass:
       reason: InvalidParameters
       status: "False"
       type: Accepted
-infraIR: {}
-xdsIR: {}
+gateways:
+- apiVersion: gateway.networking.k8s.io/v1
+  kind: Gateway
+  metadata:
+    name: gateway-1
+    namespace: envoy-gateway
+  spec:
+    gatewayClassName: envoy-gateway-class
+    listeners:
+    - allowedRoutes:
+        namespaces:
+          from: Same
+      name: http
+      port: 80
+      protocol: HTTP
+  status:
+    conditions:
+    - lastTransitionTime: null
+      message: 'Invalid parametersRef:: [unable to configure access log when using
+        File sink type but "file" field being empty, unable to configure access log
+        when using OpenTelemetry sink type but "openTelemetry" field being empty]'
+      reason: InvalidParameters
+      status: "False"
+      type: Accepted
+infraIR:
+  envoy-gateway/gateway-1:
+    proxy:
+      metadata:
+        labels:
+          gateway.envoyproxy.io/owning-gateway-name: gateway-1
+          gateway.envoyproxy.io/owning-gateway-namespace: envoy-gateway
+        ownerReference:
+          kind: GatewayClass
+          name: envoy-gateway-class
+      name: envoy-gateway/gateway-1
+      namespace: envoy-gateway-system
+xdsIR:
+  envoy-gateway/gateway-1: {}

internal/gatewayapi/testdata/envoyproxy-for-gatewayclass.in.yaml

@@ -0,0 +1,82 @@
+gatewayClass:
+  apiVersion: gateway.networking.k8s.io/v1
+  kind: GatewayClass
+  metadata:
+    name: envoy-gateway-class
+  spec:
+    controllerName: gateway.envoyproxy.io/gatewayclass-controller
+    parametersRef:
+      group: gateway.envoyproxy.io
+      kind: EnvoyProxy
+      name: invalid
+      namespace: envoy-gateway-system
+envoyProxyForGatewayClass:
+  apiVersion: gateway.envoyproxy.io/v1alpha1
+  kind: EnvoyProxy
+  metadata:
+    namespace: envoy-gateway
+    name: invalid
+  spec:
+    telemetry:
+      accessLog:
+        settings:
+          - format:
+              type: Text
+              text: |
+                [%START_TIME%] "%REQ(:METHOD)% %PROTOCOL%" %RESPONSE_CODE% %RESPONSE_FLAGS% %BYTES_RECEIVED% %BYTES_SENT% %DURATION% %RESP(X-ENVOY-UPSTREAM-SERVICE-TIME)% "%REQ(X-FORWARDED-FOR)%" "%REQ(USER-AGENT)%" "%REQ(X-REQUEST-ID)%" "%REQ(:AUTHORITY)%" "%UPSTREAM_HOST%"\n
+            sinks:
+              - type: File
+              - type: ALS
+              - type: OpenTelemetry
+envoyProxiesForGateways:
+  - apiVersion: gateway.envoyproxy.io/v1alpha1
+    kind: EnvoyProxy
+    metadata:
+      namespace: envoy-gateway
+      name: valid
+    spec:
+      telemetry:
+        accessLog:
+          settings:
+            - format:
+                type: Text
+                text: |
+                  [%START_TIME%] "%REQ(:METHOD)% %PROTOCOL%" %RESPONSE_CODE% %RESPONSE_FLAGS% %BYTES_RECEIVED% %BYTES_SENT% %DURATION% %RESP(X-ENVOY-UPSTREAM-SERVICE-TIME)% "%REQ(X-FORWARDED-FOR)%" "%REQ(USER-AGENT)%" "%REQ(X-REQUEST-ID)%" "%REQ(:AUTHORITY)%" "%UPSTREAM_HOST%"\n
+              sinks:
+                - type: File
+                  file:
+                    path: /dev/stdout
+gateways:
+  - apiVersion: gateway.networking.k8s.io/v1
+    kind: Gateway
+    metadata:
+      namespace: envoy-gateway
+      name: ep-from-gtw
+    spec:
+      gatewayClassName: envoy-gateway-class
+      listeners:
+        - name: http
+          protocol: HTTP
+          port: 80
+          allowedRoutes:
+            namespaces:
+              from: Same
+      infrastructure:
+        parametersRef:
+          group: gateway.envoyproxy.io
+          kind: EnvoyProxy
+          name: valid
+  - apiVersion: gateway.networking.k8s.io/v1
+    kind: Gateway
+    metadata:
+      namespace: envoy-gateway
+      name: ep-from-gc
+    spec:
+      gatewayClassName: envoy-gateway-class
+      listeners:
+        - name: http
+          protocol: HTTP
+          port: 80
+          allowedRoutes:
+            namespaces:
+              from: Same