Merge branch 'main' into feat-certgen-overwrite-flag

api/v1alpha1/ratelimit_types.go

@@ -98,7 +98,6 @@ type RateLimitRule struct {
 	// the request path and do not reduce the rate limit counters on the response path.
 	//
 	// +optional
-	// +notImplementedHide
 	Cost *RateLimitCost `json:"cost,omitempty"`
 }
 
@@ -112,7 +111,6 @@ type RateLimitCost struct {
 	// enough capacity, the request is rate limited.
 	//
 	// +optional
-	// +notImplementedHide
 	Request *RateLimitCostSpecifier `json:"request,omitempty"`
 	// Response specifies the number to reduce the rate limit counters
 	// after the response is sent back to the client or the request stream is closed.
@@ -127,7 +125,6 @@ type RateLimitCost struct {
 	// Currently, this is only supported for HTTP Global Rate Limits.
 	//
 	// +optional
-	// +notImplementedHide
 	Response *RateLimitCostSpecifier `json:"response,omitempty"`
 }
 
@@ -143,12 +140,10 @@ type RateLimitCostSpecifier struct {
 	// Using zero can be used to only check the rate limit counters without reducing them.
 	//
 	// +optional
-	// +notImplementedHide
 	Number *uint64 `json:"number,omitempty"`
 	// Metadata specifies the per-request metadata to retrieve the usage number from.
 	//
 	// +optional
-	// +notImplementedHide
 	Metadata *RateLimitCostMetadata `json:"metadata,omitempty"`
 }
 

examples/grpc-ext-proc/main.go

@@ -20,7 +20,6 @@ import (
 
 	envoy_api_v3_core "github.com/envoyproxy/go-control-plane/envoy/config/core/v3"
 	envoy_service_proc_v3 "github.com/envoyproxy/go-control-plane/envoy/service/ext_proc/v3"
-
 	"google.golang.org/grpc"
 	"google.golang.org/grpc/codes"
 	"google.golang.org/grpc/credentials"
@@ -329,10 +328,26 @@ func (s *extProcServer) Process(srv envoy_service_proc_v3.ExternalProcessor_Proc
 					},
 				},
 			}
+
 			resp = &envoy_service_proc_v3.ProcessingResponse{
 				Response: &envoy_service_proc_v3.ProcessingResponse_ResponseHeaders{
 					ResponseHeaders: rhq,
 				},
+				DynamicMetadata: &structpb.Struct{
+					Fields: map[string]*structpb.Value{
+						"io.envoyproxy.gateway.e2e": {
+							Kind: &structpb.Value_StructValue{
+								StructValue: &structpb.Struct{
+									Fields: map[string]*structpb.Value{
+										"request_cost_set_by_ext_proc": {
+											Kind: &structpb.Value_NumberValue{NumberValue: float64(10)},
+										},
+									},
+								},
+							},
+						},
+					},
+				},
 			}
 			break
 		default:

internal/gatewayapi/backendtrafficpolicy.go

@@ -791,9 +791,30 @@ func buildRateLimitRule(rule egv1a1.RateLimitRule) (*ir.RateLimitRule, error) {
 			irRule.CIDRMatch = cidrMatch
 		}
 	}
+
+	if cost := rule.Cost; cost != nil {
+		if cost.Request != nil {
+			irRule.RequestCost = translateRateLimitCost(cost.Request)
+		}
+		if cost.Response != nil {
+			irRule.ResponseCost = translateRateLimitCost(cost.Response)
+		}
+	}
 	return irRule, nil
 }
 
+func translateRateLimitCost(cost *egv1a1.RateLimitCostSpecifier) *ir.RateLimitCost {
+	ret := &ir.RateLimitCost{}
+	if cost.Number != nil {
+		ret.Number = cost.Number
+	}
+	if cost.Metadata != nil {
+		ret.Format = ptr.To(fmt.Sprintf("%%DYNAMIC_METADATA(%s:%s)%%",
+			cost.Metadata.Namespace, cost.Metadata.Key))
+	}
+	return ret
+}
+
 func int64ToUint32(in int64) (uint32, bool) {
 	if in >= 0 && in <= math.MaxUint32 {
 		return uint32(in), true

internal/gatewayapi/backendtrafficpolicy_test.go

@@ -11,6 +11,7 @@ import (
 	"testing"
 
 	"github.com/stretchr/testify/require"
+	"k8s.io/utils/ptr"
 
 	egv1a1 "github.com/envoyproxy/gateway/api/v1alpha1"
 	"github.com/envoyproxy/gateway/internal/ir"
@@ -107,3 +108,27 @@ func TestMakeIrTriggerSet(t *testing.T) {
 		})
 	}
 }
+
+func Test_translateRateLimitCost(t *testing.T) {
+	for _, tc := range []struct {
+		name string
+		cost *egv1a1.RateLimitCostSpecifier
+		exp  *ir.RateLimitCost
+	}{
+		{
+			name: "number",
+			cost: &egv1a1.RateLimitCostSpecifier{Number: ptr.To[uint64](1)},
+			exp:  &ir.RateLimitCost{Number: ptr.To[uint64](1)},
+		},
+		{
+			name: "metadata",
+			cost: &egv1a1.RateLimitCostSpecifier{Metadata: &egv1a1.RateLimitCostMetadata{Namespace: "something.com", Key: "name"}},
+			exp:  &ir.RateLimitCost{Format: ptr.To(`%DYNAMIC_METADATA(something.com:name)%`)},
+		},
+	} {
+		t.Run(tc.name, func(t *testing.T) {
+			act := translateRateLimitCost(tc.cost)
+			require.Equal(t, tc.exp, act)
+		})
+	}
+}

internal/gatewayapi/clienttrafficpolicy.go

@@ -484,6 +484,12 @@ func (t *Translator) translateClientTrafficPolicyForListener(policy *egv1a1.Clie
 
 		// Early return if got any errors
 		if errs != nil {
+			for _, route := range httpIR.Routes {
+				// Return a 500 direct response
+				route.DirectResponse = &ir.CustomResponse{
+					StatusCode: ptr.To(uint32(500)),
+				}
+			}
 			return errs
 		}
 
@@ -504,6 +510,9 @@ func (t *Translator) translateClientTrafficPolicyForListener(policy *egv1a1.Clie
 
 		// Early return if got any errors
 		if errs != nil {
+			// Remove all TCP routes if there are any errors
+			// The listener will still be created, but any client traffic will be forwarded to the default empty cluster
+			tcpIR.Routes = nil
 			return errs
 		}
 

internal/gatewayapi/ext_service.go

@@ -95,8 +95,7 @@ func (t *Translator) processExtServiceDestination(
 		if !t.BackendEnabled {
 			return nil, fmt.Errorf("resource %s of type Backend cannot be used since Backend is disabled in Envoy Gateway configuration", string(backendRef.Name))
 		}
-		ds = t.processBackendDestinationSetting(backendRef.BackendObjectReference, backendNamespace, resources)
-		ds.Protocol = protocol
+		ds = t.processBackendDestinationSetting(backendRef.BackendObjectReference, backendNamespace, protocol, resources)
 	}
 
 	if ds == nil {

internal/gatewayapi/route.go

@@ -1359,7 +1359,7 @@ func (t *Translator) processDestination(backendRefContext BackendRefContext,
 		}
 		ds.IPFamily = getServiceIPFamily(resources.GetService(backendNamespace, string(backendRef.Name)))
 	case egv1a1.KindBackend:
-		ds = t.processBackendDestinationSetting(backendRef.BackendObjectReference, backendNamespace, resources)
+		ds = t.processBackendDestinationSetting(backendRef.BackendObjectReference, backendNamespace, protocol, resources)
 		ds.TLS, err = t.applyBackendTLSSetting(
 			backendRef.BackendObjectReference,
 			backendNamespace,
@@ -1725,11 +1725,10 @@ func getTargetBackendReference(backendRef gwapiv1a2.BackendObjectReference, back
 	return ref
 }
 
-func (t *Translator) processBackendDestinationSetting(backendRef gwapiv1.BackendObjectReference, backendNamespace string, resources *resource.Resources) *ir.DestinationSetting {
+func (t *Translator) processBackendDestinationSetting(backendRef gwapiv1.BackendObjectReference, backendNamespace string, protocol ir.AppProtocol, resources *resource.Resources) *ir.DestinationSetting {
 	var (
 		dstEndpoints []*ir.DestinationEndpoint
 		dstAddrType  *ir.DestinationAddressType
-		dstProtocol  ir.AppProtocol
 	)
 
 	addrTypeMap := make(map[ir.DestinationAddressType]int)
@@ -1775,14 +1774,16 @@ func (t *Translator) processBackendDestinationSetting(backendRef gwapiv1.Backend
 	}
 
 	for _, ap := range backend.Spec.AppProtocols {
-		if ap == egv1a1.AppProtocolTypeH2C {
-			dstProtocol = ir.HTTP2
-			break
+		switch ap {
+		case egv1a1.AppProtocolTypeH2C:
+			protocol = ir.HTTP2
+		case "grpc":
+			protocol = ir.GRPC
 		}
 	}
 
 	ds := &ir.DestinationSetting{
-		Protocol:    dstProtocol,
+		Protocol:    protocol,
 		Endpoints:   dstEndpoints,
 		AddressType: dstAddrType,
 	}

internal/gatewayapi/testdata/backend-with-fallback.out.yaml

@@ -160,12 +160,14 @@ xdsIR:
             endpoints:
             - host: 1.1.1.1
               port: 3001
+            protocol: HTTP
             weight: 1
           - addressType: IP
             endpoints:
             - host: 2.2.2.2
               port: 3001
             priority: 1
+            protocol: HTTP
             weight: 1
         hostname: '*'
         isHTTP2: false

internal/gatewayapi/testdata/backendtlspolicy-default-ns-targetrefs.out.yaml

@@ -300,6 +300,7 @@ xdsIR:
             endpoints:
             - host: 2.2.2.2
               port: 3443
+            protocol: HTTP
             tls:
               alpnProtocols: null
               caCertificate:
@@ -357,6 +358,7 @@ xdsIR:
             endpoints:
             - host: 2.2.2.2
               port: 3443
+            protocol: HTTP
             tls:
               alpnProtocols: null
               caCertificate:

internal/gatewayapi/testdata/backendtlspolicy-default-ns.out.yaml

@@ -261,6 +261,7 @@ xdsIR:
             endpoints:
             - host: 2.2.2.2
               port: 3443
+            protocol: HTTP
             tls:
               alpnProtocols: null
               caCertificate:
@@ -272,6 +273,7 @@ xdsIR:
             endpoints:
             - host: 3.3.3.3
               port: 3443
+            protocol: HTTP
             weight: 1
         hostname: '*'
         isHTTP2: false

internal/gatewayapi/testdata/backendtrafficpolicy-with-ratelimit.in.yaml

@@ -110,3 +110,12 @@ backendTrafficPolicies:
           limit:
             requests: 20
             unit: Hour
+          cost:
+            request:
+              from: Number
+              number: 1
+            response:
+              from: Metadata
+              metadata:
+                namespace: something.com
+                key: some_cost_set_by_foo

internal/gatewayapi/testdata/backendtrafficpolicy-with-ratelimit.out.yaml

@@ -13,6 +13,15 @@ backendTrafficPolicies:
           - sourceCIDR:
               type: Distinct
               value: 192.168.0.0/16
+          cost:
+            request:
+              from: Number
+              number: 1
+            response:
+              from: Metadata
+              metadata:
+                key: some_cost_set_by_foo
+                namespace: something.com
           limit:
             requests: 20
             unit: Hour
@@ -370,3 +379,7 @@ xdsIR:
                 limit:
                   requests: 20
                   unit: Hour
+                requestCost:
+                  number: 1
+                responseCost:
+                  format: '%DYNAMIC_METADATA(something.com:some_cost_set_by_foo)%'