Merge remote-tracking branch 'upstream/main' into doc/ecosystem

.codespell.ignorewords

@@ -6,3 +6,4 @@ od
 als
 wit
 aks
+immediatedly

.github/dependabot.yml

@@ -32,7 +32,7 @@ updates:
   - projectcontour/maintainers
 
 # release branch N targets
-- target-branch: release-1.26
+- target-branch: release-1.27
   package-ecosystem: "gomod"
   directory: "/"
   schedule:
@@ -52,7 +52,7 @@ updates:
     k8s-dependencies:
       patterns:
       - "k8s.io/*"
-- target-branch: release-1.26
+- target-branch: release-1.27
   package-ecosystem: "github-actions"
   directory: "/"
   schedule:
@@ -70,7 +70,7 @@ updates:
   - projectcontour/maintainers
 
 # release branch N-1 targets
-- target-branch: release-1.25
+- target-branch: release-1.26
   package-ecosystem: "gomod"
   directory: "/"
   schedule:
@@ -90,7 +90,7 @@ updates:
     k8s-dependencies:
       patterns:
       - "k8s.io/*"
-- target-branch: release-1.25
+- target-branch: release-1.26
   package-ecosystem: "github-actions"
   directory: "/"
   schedule:
@@ -108,7 +108,7 @@ updates:
   - projectcontour/maintainers
 
 # release branch N-2 targets
-- target-branch: release-1.24
+- target-branch: release-1.25
   package-ecosystem: "gomod"
   directory: "/"
   schedule:
@@ -128,7 +128,7 @@ updates:
     k8s-dependencies:
       patterns:
       - "k8s.io/*"
-- target-branch: release-1.24
+- target-branch: release-1.25
   package-ecosystem: "github-actions"
   directory: "/"
   schedule:

.github/workflows/build_daily.yaml

@@ -10,7 +10,7 @@ on:
 env:
   GOPROXY: https://proxy.golang.org/
   SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
-  GO_VERSION: 1.21.0
+  GO_VERSION: 1.21.3
 jobs:
   e2e-envoy-xds:
     runs-on: ubuntu-latest
@@ -152,3 +152,38 @@ jobs:
           steps: ${{ toJson(steps) }}
           channel: '#contour-ci-notifications'
         if: ${{ failure() && github.ref == 'refs/heads/main' }}
+  e2e-endpoint-slices:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions/cache@v3
+        with:
+          # * Module download cache
+          # * Build cache (Linux)
+          path: |
+            ~/go/pkg/mod
+            ~/.cache/go-build
+          key: ${{ runner.os }}-${{ github.job }}-go-${{ hashFiles('**/go.sum') }}
+          restore-keys: |
+            ${{ runner.os }}-${{ github.job }}-go-
+      - uses: actions/setup-go@v4
+        with:
+          go-version: ${{ env.GO_VERSION }}
+          cache: false
+      - name: add deps to path
+        run: |
+          ./hack/actions/install-kubernetes-toolchain.sh $GITHUB_WORKSPACE/bin
+          echo "$GITHUB_WORKSPACE/bin" >> $GITHUB_PATH
+      - name: e2e tests
+        env:
+          CONTOUR_E2E_IMAGE: ghcr.io/projectcontour/contour:main
+          CONTOUR_E2E_USE_ENDPOINT_SLICES: true
+        run: |
+          make setup-kind-cluster run-e2e cleanup-kind
+      - uses: act10ns/slack@v2
+        with:
+          status: ${{ job.status }}
+          steps: ${{ toJson(steps) }}
+          channel: '#contour-ci-notifications'
+        if: ${{ failure() && github.ref == 'refs/heads/main' }}
+

.github/workflows/build_tag.yaml

@@ -13,7 +13,9 @@ on:
       - 'v[0-9]*.[0-9]*.[0-9]*alpha*'
       - 'v[0-9]*.[0-9]*.[0-9]*rc*'
 env:
+  GOPROXY: https://proxy.golang.org/
   SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
+  GO_VERSION: 1.21.3
 jobs:
   build:
     runs-on: ubuntu-latest
@@ -41,3 +43,43 @@ jobs:
         steps: ${{ toJson(steps) }}
         channel: '#contour-ci-notifications'
       if: failure()
+  gateway-conformance-report:
+    runs-on: ubuntu-latest
+    needs: [build]
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions/cache@v3
+        with:
+          # * Module download cache
+          # * Build cache (Linux)
+          path: |
+            ~/go/pkg/mod
+            ~/.cache/go-build
+          key: ${{ runner.os }}-${{ github.job }}-go-${{ hashFiles('**/go.sum') }}
+          restore-keys: |
+            ${{ runner.os }}-${{ github.job }}-go-
+      - uses: actions/setup-go@v4
+        with:
+          go-version: ${{ env.GO_VERSION }}
+          cache: false
+      - name: add deps to path
+        run: |
+          ./hack/actions/install-kubernetes-toolchain.sh $GITHUB_WORKSPACE/bin
+          echo "$GITHUB_WORKSPACE/bin" >> $GITHUB_PATH
+      - name: Gateway API conformance tests
+        env:
+          GENERATE_GATEWAY_CONFORMANCE_REPORT: "true"
+        run: |
+          export CONTOUR_E2E_IMAGE="ghcr.io/projectcontour/contour:$(git describe --tags)"
+          make setup-kind-cluster run-gateway-conformance cleanup-kind
+      - name: Upload gateway conformance report
+        uses: actions/upload-artifact@v3
+        with:
+          name: gateway-conformance-report
+          path: gateway-conformance-report/projectcontour-contour-*.yaml
+      - uses: act10ns/slack@v2
+        with:
+          status: ${{ job.status }}
+          steps: ${{ toJson(steps) }}
+          channel: '#contour-ci-notifications'
+        if: ${{ failure() && github.ref == 'refs/heads/main' }}

.github/workflows/prbuild.yaml

@@ -11,7 +11,7 @@ on:
 env:
   GOPROXY: https://proxy.golang.org/
   SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
-  GO_VERSION: 1.21.0
+  GO_VERSION: 1.21.3
 jobs:
   lint:
     runs-on: ubuntu-latest

.github/workflows/trivy-scan.yaml

@@ -13,15 +13,15 @@ jobs:
       matrix:
         branch:
         - main
+        - release-1.27
         - release-1.26
         - release-1.25
-        - release-1.24
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
         with:
           ref: ${{ matrix.branch }}
-      - uses: aquasecurity/trivy-action@0.12.0
+      - uses: aquasecurity/trivy-action@0.13.0
         with:
           scanners: vuln
           scan-type: 'fs'

.gitignore

@@ -28,5 +28,8 @@ site/public
 # Saved container image archive
 image/
 
+# Gateway API conformance report output
+gateway-conformance-report/
+
 # Compiled tests from Ginkgo
 *.test

.golangci.yml

@@ -32,7 +32,30 @@ linters-settings:
       - http.DefaultTransport
   revive:
     rules:
-      - name: use-any
+    - name: blank-imports
+    - name: context-as-argument
+    - name: context-keys-type
+    - name: dot-imports
+    - name: empty-block
+    - name: error-naming
+    - name: error-return
+    - name: error-strings
+    - name: errorf
+    - name: exported
+    - name: increment-decrement
+    - name: indent-error-flow
+    - name: package-comments
+    - name: range
+    - name: receiver-naming
+    - name: redefines-builtin-id
+    - name: superfluous-else
+    - name: time-naming
+    - name: unexported-return
+    - name: unreachable-code
+    - name: unused-parameter
+    - name: use-any
+    - name: var-declaration
+    - name: var-naming
 
 issues:
   exclude-rules:

Makefile

@@ -6,7 +6,7 @@ IMAGE := $(REGISTRY)/$(PROJECT)
 SRCDIRS := ./cmd ./internal ./apis
 LOCAL_BOOTSTRAP_CONFIG = localenvoyconfig.yaml
 SECURE_LOCAL_BOOTSTRAP_CONFIG = securelocalenvoyconfig.yaml
-ENVOY_IMAGE = docker.io/envoyproxy/envoy:v1.27.0
+ENVOY_IMAGE = docker.io/envoyproxy/envoy:v1.28.0
 GATEWAY_API_VERSION ?= $(shell grep "sigs.k8s.io/gateway-api" go.mod | awk '{print $$2}')
 
 # Used to supply a local Envoy docker container an IP to connect to that is running
@@ -44,7 +44,7 @@ endif
 IMAGE_PLATFORMS ?= linux/amd64,linux/arm64
 
 # Base build image to use.
-BUILD_BASE_IMAGE ?= golang:1.21.0
+BUILD_BASE_IMAGE ?= golang:1.21.3
 
 # Enable build with CGO.
 BUILD_CGO_ENABLED ?= 0

apis/projectcontour/v1/httpproxy.go

@@ -551,6 +551,18 @@ type Route struct {
 	// +optional
 	PathRewritePolicy *PathRewritePolicy `json:"pathRewritePolicy,omitempty"`
 	// The policy for managing request headers during proxying.
+	//
+	// You may dynamically rewrite the Host header to be forwarded
+	// upstream to the content of a request header using
+	// the below format "%REQ(X-Header-Name)%". If the value of the header
+	// is empty, it is ignored.
+	//
+	// *NOTE: Pay attention to the potential security implications of using this option.
+	// Provided header must come from trusted source.
+	//
+	// **NOTE: The header rewrite is only done while forwarding and has no bearing
+	// on the routing decision.
+	//
 	// +optional
 	RequestHeadersPolicy *HeadersPolicy `json:"requestHeadersPolicy,omitempty"`
 	// The policy for managing response headers during proxying.
@@ -1268,7 +1280,7 @@ type LoadBalancerPolicy struct {
 }
 
 // HeadersPolicy defines how headers are managed during forwarding.
-// The `Host` header is treated specially and if set in a HTTP response
+// The `Host` header is treated specially and if set in a HTTP request
 // will be used as the SNI server name when forwarding over TLS. It is an
 // error to attempt to set the `Host` header in a HTTP response.
 type HeadersPolicy struct {

apis/projectcontour/v1alpha1/contourconfig.go

@@ -84,8 +84,19 @@ type ContourConfigurationSpec struct {
 
 	// Tracing defines properties for exporting trace data to OpenTelemetry.
 	Tracing *TracingConfig `json:"tracing,omitempty"`
+
+	// FeatureFlags defines toggle to enable new contour features.
+	// Available toggles are:
+	// useEndpointSlices - configures contour to fetch endpoint data
+	// from k8s endpoint slices. defaults to false and reading endpoint
+	// data from the k8s endpoints.
+	FeatureFlags FeatureFlags `json:"featureFlags,omitempty"`
 }
 
+// FeatureFlags defines the set of feature flags
+// to toggle new contour features.
+type FeatureFlags []string
+
 // XDSServerType is the type of xDS server implementation.
 type XDSServerType string
 
@@ -391,6 +402,27 @@ type EnvoyListenerConfig struct {
 	// Single set of options are applied to all listeners.
 	// +optional
 	SocketOptions *SocketOptions `json:"socketOptions,omitempty"`
+
+	// Defines the limit on number of HTTP requests that Envoy will process from a single
+	// connection in a single I/O cycle. Requests over this limit are processed in subsequent
+	// I/O cycles. Can be used as a mitigation for CVE-2023-44487 when abusive traffic is
+	// detected. Configures the http.max_requests_per_io_cycle Envoy runtime setting. The default
+	// value when this is not set is no limit.
+	//
+	// +kubebuilder:validation:Minimum=1
+	// +optional
+	MaxRequestsPerIOCycle *uint32 `json:"maxRequestsPerIOCycle,omitempty"`
+
+	// Defines the value for SETTINGS_MAX_CONCURRENT_STREAMS Envoy will advertise in the
+	// SETTINGS frame in HTTP/2 connections and the limit for concurrent streams allowed
+	// for a peer on a single HTTP/2 connection. It is recommended to not set this lower
+	// than 100 but this field can be used to bound resource usage by HTTP/2 connections
+	// and mitigate attacks like CVE-2023-44487. The default value when this is not set is
+	// unlimited.
+	//
+	// +kubebuilder:validation:Minimum=1
+	// +optional
+	HTTP2MaxConcurrentStreams *uint32 `json:"httpMaxConcurrentStreams,omitempty"`
 }
 
 // SocketOptions defines configurable socket options for Envoy listeners.

apis/projectcontour/v1alpha1/contourconfig_helpers.go

@@ -17,9 +17,18 @@ import (
 	"fmt"
 	"strconv"
 
+	"golang.org/x/exp/slices"
 	"k8s.io/apimachinery/pkg/util/sets"
 )
 
+const (
+	featureFlagUseEndpointSlices string = "useEndpointSlices"
+)
+
+var featureFlagsMap = map[string]bool{
+	featureFlagUseEndpointSlices: true,
+}
+
 // Validate configuration that is not already covered by CRD validation.
 func (c *ContourConfigurationSpec) Validate() error {
 	// Validation of root configuration fields.
@@ -215,6 +224,20 @@ func (e *EnvoyTLS) SanitizedCipherSuites() []string {
 	return validatedCiphers
 }
 
+func (f FeatureFlags) Validate() error {
+	for _, featureFlag := range f {
+		if _, found := featureFlagsMap[featureFlag]; !found {
+			return fmt.Errorf("invalid contour configuration, unknown feature flag:%s", featureFlag)
+		}
+	}
+
+	return nil
+}
+
+func (f FeatureFlags) IsEndpointSliceEnabled() bool {
+	return slices.Contains(f, featureFlagUseEndpointSlices)
+}
+
 // Validate ensures that exactly one of ControllerName or GatewayRef are specified.
 func (g *GatewayConfig) Validate() error {
 	if g == nil {