Merge branch 'main' into fix/docsrelease
nfuden authored Nov 21, 2024
2 parents ce7a046 + d613a7d commit 4dd56b2
Showing 222 changed files with 6,073 additions and 14,380 deletions.
9 changes: 5 additions & 4 deletions .github/workflows/nightly-tests.yaml
Expand Up @@ -56,7 +56,7 @@ jobs:
name: End-to-End (branch=${{ github.ref_name }}, cluster=${{ matrix.test.cluster-name }}, version=${{ matrix.version-files.label }} )
if: ${{ github.event_name == 'workflow_dispatch' && inputs.run-kubernetes-end-to-end && inputs.branch == 'workflow_initiating_branch' }}
runs-on: ubuntu-22.04
timeout-minutes: 150
timeout-minutes: 180
strategy:
# Since we are running these on a schedule, there is no value in failing fast
# In fact, we want to ensure that all tests run, so that we have a clearer picture of which tests are prone to flaking
Expand All @@ -66,7 +66,7 @@ jobs:
# When running the tests at night, there is no value in splitting the tests across multiple clusters and running them in parallel.
# As a result, we increase the threshold for the tests, since they all run serially on a single cluster
- cluster-name: 'cluster-one'
go-test-args: '-v -timeout=120m'
go-test-args: '-v -timeout=150m'
go-test-run-regex: ${{ inputs.kubernetes-end-to-end-run-regex }}
# In our nightly tests, we run the suite of tests using the lower and upper ends of versions that we claim to support
# The versions should mirror: https://docs.solo.io/gloo-edge/latest/reference/support/
Expand Down Expand Up @@ -117,7 +117,7 @@ jobs:
name: End-to-End (branch=main, cluster=${{ matrix.test.cluster-name }}, version=${{ matrix.version-files.label }} )
if: ${{ (github.event_name == 'workflow_dispatch' && inputs.run-kubernetes-end-to-end && inputs.branch == 'main') || github.event.schedule == '0 5 * * *' }}
runs-on: ubuntu-22.04
timeout-minutes: 150
timeout-minutes: 180
strategy:
# Since we are running these on a schedule, there is no value in failing fast
# In fact, we want to ensure that all tests run, so that we have a clearer picture of which tests are prone to flaking
Expand All @@ -127,7 +127,7 @@ jobs:
# When running the tests at night, there is no value in splitting the tests across multiple clusters and running them in parallel.
# As a result, we increase the threshold for the tests, since they all run serially on a single cluster
- cluster-name: 'cluster-one'
go-test-args: '-v -timeout=120m'
go-test-args: '-v -timeout=150m'
# Specifying an empty regex means all tests will be run.
go-test-run-regex: ""
# In our nightly tests, we run the suite of tests using the lower and upper ends of versions that we claim to support
Expand Down Expand Up @@ -174,6 +174,7 @@ jobs:
istio-version: ${{ steps.dotenv.outputs.istio_version }}
matrix-label: ${{ matrix.version-files.label }}

# Reminder: when setting up the job next release branch, copy from "end_to_end_tests_main" not the previous release job as configuration may have changed
end_to_end_tests_17:
name: End-to-End (branch=v1.17.x, cluster=${{ matrix.test.cluster-name }}, version=${{ matrix.version-files.label }} )
if: ${{ (github.event_name == 'workflow_dispatch' && inputs.run-kubernetes-end-to-end && inputs.branch == 'v1.17.x') || github.event.schedule == '0 6 * * 1' }}
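Review bot: The two timeouts raised in each job are coupled, but nothing in the file says so: `timeout-minutes: 180` on the job and `-timeout=150m` in `go-test-args` are bumped together in both `End-to-End` jobs shown, keeping a 30-minute gap. That gap appears to be what lets `go test` reach its own deadline and print its timeout output before the runner cancels the job, so a later bump of only one value would lose those logs. I would add a comment above `timeout-minutes`, for example `# Keep this above the go test -timeout in go-test-args so the test binary reports its own timeout first`. The release-branch job at the end of the section continues outside the visible hunk, so whether it received the same bump cannot be checked here.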
16 changes: 8 additions & 8 deletions .github/workflows/pr-kubernetes-tests.yaml
Expand Up @@ -55,36 +55,36 @@ jobs:
# NOTE: We use the GitHub action step time (as opposed to the `go test` time), because it is easier to capture

test:
# Oct 3, 2024: 24 minutes
# Nov 14, 2024: 22 minutes
- cluster-name: 'cluster-one'
go-test-args: '-v -timeout=25m'
go-test-run-regex: '^TestK8sGateway$$/^RouteDelegation$$|^TestK8sGateway$$/^Services$$|^TestGlooctlGlooGatewayEdgeGateway$$|^TestGlooctlK8sGateway$$'
go-test-run-regex: '^TestK8sGateway$$/^RouteDelegation$$|^TestGlooctlGlooGatewayEdgeGateway$$|^TestGlooctlK8sGateway$$'

# Oct 10, 2024: 24 minutes
# Nov 14, 2024: 22 minutes
- cluster-name: 'cluster-two'
go-test-args: '-v -timeout=25m'
go-test-run-regex: '^TestK8sGatewayIstioRevision$$|^TestRevisionIstioRegression$$|^TestK8sGateway$$/^Deployer$$|^TestK8sGateway$$/^RouteOptions$$|^TestK8sGateway$$/^VirtualHostOptions$$|^TestK8sGateway$$/^Upstreams$$|^TestK8sGateway$$/^HeadlessSvc$$|^TestK8sGateway$$/^PortRouting$$|^TestK8sGatewayMinimalDefaultGatewayParameters$$|^TestK8sGateway$$/^DirectResponse$$|^TestK8sGateway$$/^HttpListenerOptions$$|^TestK8sGateway$$/^ListenerOptions$$|^TestK8sGateway$$/^GlooAdminServer$$'

# Oct 3, 2024: 25 minutes
# Nov 14, 2024: 23 minutes
- cluster-name: 'cluster-three'
go-test-args: '-v -timeout=30m'
go-test-run-regex: '(^TestK8sGatewayIstioAutoMtls$$|^TestAutomtlsIstioEdgeApisGateway$$|^TestIstioEdgeApiGateway$$|^TestIstioRegression$$)'

# Oct 10, 2024: 20 minutes
# Nov 14, 2024: 21 minutes
- cluster-name: 'cluster-four'
go-test-args: '-v -timeout=30m'
go-test-run-regex: '(^TestK8sGatewayIstio$$|^TestGlooGatewayEdgeGateway$$|^TestGlooctlIstioInjectEdgeApiGateway$$)'

# October 10, 2024: 22 minutes
# Nov 14, 2024: 30 minutes
# TODO (sheidkamp) rebalance tests
- cluster-name: 'cluster-five'
go-test-args: '-v -timeout=35m'
go-test-run-regex: '^TestFullEnvoyValidation$$|^TestValidationStrict$$|^TestValidationAlwaysAccept$$|^TestTransformationValidationDisabled$$|^TestGloomtlsGatewayEdgeGateway$$|^TestWatchNamespaceSelector$$'

# October 10, 2024: 12 minutes
# Nov 14, 2024: 23 minutes
- cluster-name: 'cluster-six'
go-test-args: '-v -timeout=25m'
go-test-run-regex: '^TestDiscoveryWatchlabels$$|^TestK8sGatewayNoValidation$$|^TestHelm$$|^TestHelmSettings$$|^TestK8sGatewayAws$$'
go-test-run-regex: '^TestDiscoveryWatchlabels$$|^TestK8sGatewayNoValidation$$|^TestHelm$$|^TestHelmSettings$$|^TestK8sGatewayAws$$|^TestK8sGateway$$/^CRDCategories$$|^TestK8sGateway$$/^HTTPRouteServices$$|^TestK8sGateway$$/^TCPRouteServices$$|^TestZeroDowntimeRollout$$'

# In our PR tests, we run the suite of tests using the upper ends of versions that we claim to support
# The versions should mirror: https://docs.solo.io/gloo-edge/latest/reference/support/
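Review bot: `cluster-six` gains four suites (`CRDCategories`, `HTTPRouteServices`, `TCPRouteServices`, `TestZeroDowntimeRollout`) while its budget stays at `-timeout=25m` against a recorded 23 minutes, which leaves about two minutes of headroom and makes a timeout flake likely; `go-test-args: '-v -timeout=30m'` would restore some margin. `cluster-five` is in a similar position at 30 minutes under `-timeout=35m`, which the TODO already acknowledges. Separately, `^TestK8sGateway$$/^Services$$` appears to be dropped from `cluster-one`, and no entry with that exact name shows up in the other regexes. Presumably it was split into the HTTPRoute/TCPRoute suites, but if not, that coverage silently stops running on PRs, so it is worth confirming.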
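--- a/changelog/v1.18.0-rc1/GG-CRD-categories.yaml
+++ b/changelog/v1.18.0-rc1/GG-CRD-categories.yaml
@@ -0,0 +1,5 @@
+changelog:
+- type: NEW_FEATURE
+description: Adds a common category to all Gloo Gateway CRDs. `kubectl get gloo-gateway -A` can now be used to list all GG CRs on your cluster. Also adds the "solo-io" category to GG enterprise CRDs.
+issueLink: https://github.com/solo-io/solo-projects/issues/6605
+resolvesIssue: false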
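--- a/changelog/v1.18.0-rc1/add-readiness-liveness-probe.yaml
+++ b/changelog/v1.18.0-rc1/add-readiness-liveness-probe.yaml
@@ -0,0 +1,15 @@
+changelog:
+- type: NEW_FEATURE
+issueLink: https://github.com/solo-io/solo-projects/issues/7084
+resolvesIssue: false
+description: Adds the ability for users to enable as well as add custom readiness and liveness probes to the Kubernetes Gloo Gateway.
+- type: HELM
+issueLink: https://github.com/solo-io/solo-projects/issues/7084
+resolvesIssue: false
+description: >-
+Adds the following new fields that configure the Kubernetes Gloo Gateway pod :
+- `kubeGateway.gatewayParameters.glooGateway.podTemplate.terminationGracePeriodSeconds` to specify the terminationGracePeriodSeconds.
+- `kubeGateway.gatewayParameters.glooGateway.podTemplate.gracefulShutdown` to configure the graceful shutdown config for the envoy container.
+- `kubeGateway.gatewayParameters.glooGateway.podTemplate.customLivenessProbe` to specify a custom liveness probe for the envoy container. No default liveness probe is set
+- `kubeGateway.gatewayParameters.glooGateway.podTemplate.customReadinessProbe` to specify a custom readiness probe for the envoy container.
+- `kubeGateway.gatewayParameters.glooGateway.podTemplate.probes` to enable the readiness probe. If the customReadinessProbe is not specified, a default readiness probe is set. No default liveness probe is set.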
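--- a/changelog/v1.18.0-rc1/bump-kubectl-image.yaml
+++ b/changelog/v1.18.0-rc1/bump-kubectl-image.yaml
@@ -0,0 +1,6 @@
+changelog:
+- type: FIX
+issueLink: https://github.com/solo-io/gloo-mesh-enterprise/issues/19119
+resolvesIssue: false
+description: >-
+Bump the kubectl image from 1.29.6 to to 1.31.1 to address CVE-2023-45288.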
File renamed without changes.
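--- a/changelog/v1.18.0-rc1/deprecate-graphql.yaml
+++ b/changelog/v1.18.0-rc1/deprecate-graphql.yaml
@@ -0,0 +1,6 @@
+changelog:
+- type: FIX
+issueLink: https://github.com/solo-io/solo-projects/issues/7159
+resolvesIssue: false
+description: >-
+The GraphQL feature of Gloo Gateway is deprecated and will be removed in a future release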
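--- a/changelog/v1.18.0-rc1/helm-doc-gen.yaml
+++ b/changelog/v1.18.0-rc1/helm-doc-gen.yaml
@@ -0,0 +1,6 @@
+changelog:
+- type: NON_USER_FACING
+issueLink: https://github.com/solo-io/solo-projects/issues/6888
+resolvesIssue: false
+description: >-
+Update helm public docs generation to work from main branch and only pull in released changes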
7 changes: 7 additions & 0 deletions changelog/v1.18.0-rc1/move-changelogs.yaml
@@ -0,0 +1,7 @@
changelog:
- type: NON_USER_FACING
description: >-
Move changelogs to 1.18.0-rc1
skipCI-kube-tests:true
skipCI-docs-build:true
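--- a/changelog/v1.18.0-rc1/portal-auth-api.yaml
+++ b/changelog/v1.18.0-rc1/portal-auth-api.yaml
@@ -0,0 +1,6 @@
+changelog:
+- type: NEW_FEATURE
+issueLink: https://github.com/solo-io/solo-projects/issues/7170
+resolvesIssue: false
+description: >-
+Add API for configuring authentication for APIs managed by Gloo Portal.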
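--- a/changelog/v1.18.0-rc1/remove-external-apis.yaml
+++ b/changelog/v1.18.0-rc1/remove-external-apis.yaml
@@ -0,0 +1,11 @@
+changelog:
+- type: FIX
+issueLink: https://github.com/solo-io/solo-projects/issues/6768
+resolvesIssue: false
+description: >-
+Remove docs for external APIs
+- type: DEPENDENCY_BUMP
+dependencyOwner: solo-io
+dependencyRepo: solo-kit
+dependencyTag: v0.36.2
+issueLink: https://github.com/solo-io/solo-projects/issues/6768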
@@ -0,0 +1,6 @@
changelog:
- type: NON_USER_FACING
issueLink: https://github.com/solo-io/solo-projects/issues/7223
resolvesIssue: true
description: >-
Remove hard-coded namespaces from the tracing tests. This issue is causing tests to pass in OSS gloo, but fail in solo-projects.
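--- a/changelog/v1.18.0-rc2/e2e-timeout-bump.yaml
+++ b/changelog/v1.18.0-rc2/e2e-timeout-bump.yaml
@@ -0,0 +1,6 @@
+changelog:
+- type: FIX
+issueLink: https://github.com/solo-io/gloo/issues/10380
+resolvesIssue: true
+description: >-
+Bump the timeout for the nightly e2e tests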
4 changes: 3 additions & 1 deletion devel/testing/kube-e2e-tests.md
Expand Up @@ -22,4 +22,6 @@ These tests are run by a [GitHub action](/.github/workflows/regression-tests.yam
If a test fails, you can retry it from a [browser window](https://docs.github.com/en/actions/managing-workflow-runs/re-running-workflows-and-jobs#reviewing-previous-workflow-runs). If you do this, please make sure to comment on the Pull Request with a link to the failed logs for debugging purposes.

## Local Development
See the [kube2e test README](/test/kube2e/README.md) for more details about running these tests.
See the [kubernetes e2e test README](/test/kubernetes/e2e/README.md) and [debugging guide](/test/kubernetes/e2e/debugging.md) for more details about running these tests.

See the [kube2e test README](/test/kube2e/README.md) for more details about running the legacy tests.
5 changes: 0 additions & 5 deletions docs/build-docs.sh
Expand Up @@ -265,11 +265,6 @@ firebaseJson=$(cat <<EOF
"destination": "/gloo-edge/:version/reference/api/github.com/solo-io/gloo/projects/gateway/api/v1/virtual_service.proto.sk/",
"type":"301"
},
{
"source": "/gloo-edge/:version/v1/github.com/solo-io/gloo/projects/gloo/api/v1/plugins/transformation/transformation.proto.sk/",
"destination": "/gloo-edge/:version/reference/api/github.com/solo-io/gloo/projects/gloo/api/external/envoy/extensions/transformation/transformation.proto.sk/",
"type":"301"
},
{
"source": "/gloo-edge/:version/v1/github.com/solo-io/gloo/projects/gloo/api/v1/proxy.proto.sk/",
"destination": "/gloo-edge/:version/reference/api/github.com/solo-io/gloo/projects/gloo/api/v1/proxy.proto.sk/",
8 changes: 3 additions & 5 deletions docs/cmd/generate_docs.go
Expand Up @@ -503,11 +503,9 @@ func fetchEnterpriseHelmValues(_ []string) error {
if err != nil {
return err
}
version, err := semver.NewVersion(string(semverReleaseTag))
if err != nil {
return err
}
minorReleaseTag := fmt.Sprintf("v%d.%d.x", version.Major(), version.Minor())

minorReleaseTag := "v" + string(semverReleaseTag)

files, err := githubutils.GetFilesFromGit(ctx, client, repoOwner, glooEnterpriseRepo, minorReleaseTag, path)
if err != nil {
return err
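Review bot: `minorReleaseTag` now holds a full release tag (`"v" + string(semverReleaseTag)`) rather than a `vX.Y.x` branch name, and the value is no longer parsed before it is used as the git ref. With the `semver.NewVersion` call gone, a value with stray whitespace, an existing `v` prefix or a non-version string would go straight to `githubutils.GetFilesFromGit` and fail there with a less specific error. Where `semverReleaseTag` comes from is outside the hunk, so this is a robustness concern rather than a confirmed bug. I would keep the parse as validation, `if _, err := semver.NewVersion(string(semverReleaseTag)); err != nil { return err }`, and rename the variable to `releaseTag` so the name matches what it holds. `fetchEnterpriseHelmValues` starts and ends outside the hunk.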
3 changes: 3 additions & 0 deletions docs/content/guides/graphql/_index.md
Expand Up @@ -6,6 +6,9 @@ description: Enable GraphQL resolution.

Set up API gateway and GraphQL server functionality for your apps in the same process by using Gloo Gateway.

{{% notice warning %}}
This feature is deprecated in Gloo Gateway 1.18 and will be removed in a future release
{{% /notice %}}
{{% notice note %}}
This feature is available only in Gloo Gateway Enterprise.
{{% /notice %}}
2 changes: 1 addition & 1 deletion docs/content/guides/security/csrf/_index.md
Expand Up @@ -440,4 +440,4 @@ x-envoy-upstream-service-time: 2

In this guide, we described what is Cross Site Request Forgery (CSRF) and approaches for dealing with these attacks. We delved into one Gloo Gateway approach that directly uses an integrated Envoy filter.

For more information, check out both the [Envoy docs](https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_filters/csrf_filter#config-http-filters-csrf) and [Gloo docs]({{% versioned_link_path fromRoot="/reference/api/github.com/solo-io/gloo/projects/gloo/api/external/envoy/extensions/filters/http/csrf/v3/csrf.proto.sk/" %}}).
For more information, check out the [Envoy docs](https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_filters/csrf_filter#config-http-filters-csrf).
8 changes: 3 additions & 5 deletions docs/content/guides/security/waf/_index.md
Expand Up @@ -27,15 +27,14 @@ You have several options for using ModSecurity to write WAF policies:
* Use publicly available rule sets that provide a generic set of detection rules to protect against the most common security threats. For example, the [OWASP Core Rule Set](https://github.com/coreruleset/coreruleset) is an open source project that protects apps against a wide range of attacks, including the "OWASP Top Ten."
* Write your own custom rules by following the [ModSecurity rules language](https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual-(v3.x)). For examples, see [Configure WAF policies](#configure-waf-policies).

For more information, see the [Gloo API docs]({{% versioned_link_path fromRoot="/reference/api/github.com/solo-io/gloo/projects/gloo/api/external/envoy/extensions/waf/waf.proto.sk/" %}}).

### Understand the WAF API {#about-api}

The WAF filter supports a list of `RuleSet` objects which are loaded into the ModSecurity library. The Gloo Gateway API has a few conveniences built on top of that to allow easier access to the OWASP Core Rule Set (via the [`coreRuleSet`](#core-rule-set) field).

You can disable each rule set on a route independently of other rule sets. Rule sets are applied on top of each other in order. This order means that later rule sets overwrite any conflicting rules in previous rule sets. For more fine-grained control, you can add a custom `rule_str`, which is applied after any files of rule sets.

Review the following `RuleSet` API example and explanation. For more information, see the [Gloo API docs]({{% versioned_link_path fromRoot="/reference/api/github.com/solo-io/gloo/projects/gloo/api/external/envoy/extensions/waf/waf.proto.sk/" %}}).
Review the following `RuleSet`

```proto
message ModSecurity {
Expand Down Expand Up @@ -429,7 +428,7 @@ of envoy's access logging. This means that directives that configure the audit e
This is **intentional** - to make sure that ModSecurity doesn't degrade
envoy performance. While the way we emit the logs is different, you have _all the features_ that
ModSecurity audit-logging provides:
- You can use the `action` property of the [audit logging configuration]({{% versioned_link_path fromRoot="/reference/api/github.com/solo-io/gloo/projects/gloo/api/external/envoy/extensions/waf/waf.proto.sk/#auditlogging" %}}) instead of [SecAuditEngine](https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual-%28v2.x%29#SecAuditEngine) to choose when to log.
- You can use the `action` property of the audit logging configuration instead of [SecAuditEngine](https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual-%28v2.x%29#SecAuditEngine) to choose when to log.
- You can still use the [SecAuditLogParts](https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual-%28v2.x%29#SecAuditLogParts),
[SecAuditLogRelevantStatus](https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual-%28v2.x%29#SecAuditLogRelevantStatus) and (assuming action is RELEVANT_ONLY) `noauditlog` features of ModSecurity.
- The format of the log is controlled by [SecAuditLogFormat](https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual-%28v2.x%29#SecAuditLogFormat).
Expand All @@ -451,8 +450,7 @@ is better for your specific use-case.
Let's see this in action!
To enable audit logging, edit the [auditLogging]({{% versioned_link_path fromRoot="/reference/api/github.com/solo-io/gloo/projects/gloo/api/external/envoy/extensions/waf/waf.proto.sk/#auditlogging" %}}) field in your
[WAF settings]({{% versioned_link_path fromRoot="/reference/api/github.com/solo-io/gloo/projects/gloo/api/v1/enterprise/options/waf/waf.proto.sk/#settings" %}}).
To enable audit logging, edit the auditLogging field in your WAF settings.
For example, lets edit our `VirtualService` with some
rules and audit logging:
Expand Down
2 changes: 1 addition & 1 deletion docs/content/guides/traffic_management/buffering/_index.md
Expand Up @@ -31,7 +31,7 @@ You can configure a maximum payload size on a gateway (`perConnectionBufferLimit

## Route

You can set buffer limits and other connection options with the [Buffer]({{< versioned_link_path fromRoot="/reference/api/github.com/solo-io/gloo/projects/gloo/api/external/envoy/extensions/filters/http/buffer/v3/buffer.proto.sk/" >}}) settings in the options of a [Route]({{< versioned_link_path fromRoot="/reference/api/github.com/solo-io/gloo/projects/gateway/api/v1/virtual_service.proto.sk/#route" >}}) in a [RouteTable]({{< versioned_link_path fromRoot="/reference/api/github.com/solo-io/gloo/projects/gateway/api/v1/route_table.proto.sk/" >}}).
You can set buffer limits and other connection options with the Buffer settings in the options of a [Route]({{< versioned_link_path fromRoot="/reference/api/github.com/solo-io/gloo/projects/gateway/api/v1/virtual_service.proto.sk/#route" >}}) in a [RouteTable]({{< versioned_link_path fromRoot="/reference/api/github.com/solo-io/gloo/projects/gateway/api/v1/route_table.proto.sk/" >}}).

```yaml
apiVersion: gateway.solo.io/v1
2 changes: 0 additions & 2 deletions docs/content/installation/advanced_configuration/gzip.md
Expand Up @@ -43,8 +43,6 @@ spec:

Once that is saved, you're all set. Traffic on the http gateway will call the gzip filter.

You can learn about the configuration options [here]({{< versioned_link_path fromRoot="/reference/api/github.com/solo-io/gloo/projects/gloo/api/external/envoy/config/filter/http/gzip/v2/gzip.proto.sk" >}}).

More information about the Gzip filter can be found in the [relevant Envoy docs](https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_filters/gzip_filter). If data is not being compressed, you may want to check that all the necessary conditions for the Envoy filter are met.
See the [How it works](https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_filters/gzip_filter#how-it-works)
section for information on when compression will be skipped.
2 changes: 1 addition & 1 deletion docs/content/introduction/traffic_filter.md
Expand Up @@ -103,7 +103,7 @@ Review the following diagram of how Gloo Gateway filters traffic, depending on w
* **CORS**: See the [Cross-origin resources sharing security guide]({{% versioned_link_path fromRoot="/guides/security/cors/" %}}).
* **DLP**: See the [Data loss prevention security guide]({{% versioned_link_path fromRoot="/guides/security/data_loss_prevention/" %}}).
* **WAF**: See the [Web application firewall security guide]({{% versioned_link_path fromRoot="/guides/security/waf/" %}}).
* **Sanitize**: See the [sanitize proto reference]({{% versioned_link_path fromRoot="/reference/api/github.com/solo-io/gloo/projects/gloo/api/external/envoy/extensions/extauth/sanitize.proto.sk/" %}}).
* **Sanitize**
4. **Filters only after external auth**: Review the information about other filters that you can apply only after external auth.
* **RBAC**: Note that the RBAC filter requires the `JwtStaged` filter. See the [RBAC proto reference]({{% versioned_link_path fromRoot="/reference/api/github.com/solo-io/gloo/projects/gloo/api/v1/enterprise/options/rbac/rbac.proto.sk/" %}}).
* **gRPC-web**: See the [gRPC web guide]({{% versioned_link_path fromRoot="/guides/traffic_management/listener_configuration/grpc_web/" %}}).