Merge branch 'main' into andyfong-ai-upstream-custom-hostname

.github/workflows/pr-kubernetes-tests.yaml

@@ -95,7 +95,7 @@ jobs:
         # 2025-02-13: 26m29s
         - cluster-name: 'cluster-seven'
           go-test-args: '-v -timeout=25m'
-          go-test-run-regex: '^TestK8sGateway$$/^CRDCategories$$|^TestK8sGateway$$/^Metrics$$|^TestGloomtlsGatewayEdgeGateway$$|^TestGloomtlsGatewayK8sGateway$$|^TestGlooGatewayEdgeGatewayClearMetrics$$|^TestWatchNamespaceSelector$$'
+          go-test-run-regex: '^TestK8sGateway$$/^CRDCategories$$|^TestK8sGateway$$/^Metrics$$|^TestGloomtlsGatewayEdgeGateway$$|^TestGloomtlsGatewayK8sGateway$$|^TestGlooGatewayEdgeGatewayClearMetrics$$|^TestWatchNamespaceSelector$$|^TestK8sGateway$$/^TLSRouteServices$$'
 
         # In our PR tests, we run the suite of tests using the upper ends of versions that we claim to support
         # The versions should mirror: https://docs.solo.io/gloo-edge/latest/reference/support/

Makefile

@@ -1243,7 +1243,7 @@ $(TEST_ASSET_DIR)/conformance/conformance_test.go:
 	cat $(shell go list -json -m sigs.k8s.io/gateway-api | jq -r '.Dir')/conformance/conformance_test.go >> $@
 	go fmt $@
 
-CONFORMANCE_SUPPORTED_FEATURES ?= -supported-features=Gateway,ReferenceGrant,HTTPRoute,HTTPRouteQueryParamMatching,HTTPRouteMethodMatching,HTTPRouteResponseHeaderModification,HTTPRoutePortRedirect,HTTPRouteHostRewrite,HTTPRouteSchemeRedirect,HTTPRoutePathRedirect,HTTPRouteHostRewrite,HTTPRoutePathRewrite,HTTPRouteRequestMirror
+CONFORMANCE_SUPPORTED_FEATURES ?= -supported-features=Gateway,ReferenceGrant,HTTPRoute,HTTPRouteQueryParamMatching,HTTPRouteMethodMatching,HTTPRouteResponseHeaderModification,HTTPRoutePortRedirect,HTTPRouteHostRewrite,HTTPRouteSchemeRedirect,HTTPRoutePathRedirect,HTTPRouteHostRewrite,HTTPRoutePathRewrite,HTTPRouteRequestMirror,TLSRoute
 CONFORMANCE_SUPPORTED_PROFILES ?= -conformance-profiles=GATEWAY-HTTP
 CONFORMANCE_REPORT_ARGS ?= -report-output=$(TEST_ASSET_DIR)/conformance/$(VERSION)-report.yaml -organization=solo.io -project=gloo-gateway -version=$(VERSION) -url=github.com/solo-io/gloo -contact=github.com/solo-io/gloo/issues/new/choose
 CONFORMANCE_ARGS := -gateway-class=gloo-gateway $(CONFORMANCE_SUPPORTED_FEATURES) $(CONFORMANCE_SUPPORTED_PROFILES) $(CONFORMANCE_REPORT_ARGS)

changelog/v1.19.0-beta11/docs-small-fixes.yaml

@@ -0,0 +1,5 @@
+changelog:
+  - type: NON_USER_FACING
+    resolvesIssue: true
+    description: >-
+      Removes extproc note, fixes readfile shortcode. Adds in draft for GG UI. 

changelog/v1.19.0-beta11/tls-route.yaml

@@ -0,0 +1,6 @@
+changelog:
+  - type: NEW_FEATURE
+    issueLink: https://github.com/kgateway-dev/kgateway/issues/10074
+    resolvesIssue: false
+    description: >-
+      "Add support for sig gateway's TLS Routes."

docs/content/guides/observability/ui/_index.txt

@@ -0,0 +1,7 @@
+---
+title: Gloo UI
+weight: 
+description:
+---
+
+{{< children >}}

docs/content/guides/observability/ui/setup.txt

@@ -0,0 +1,113 @@
+---
+title: Set up the Gloo UI
+weight: 
+description: Install the Gloo UI to get an at-a-glance view of the configuration, health, and compliance status of your Gloo Gateway setup and the workloads in your cluster. 
+---
+Install the Gloo UI to get an at-a-glance view of the configuration, health, and compliance status of your Gloo Gateway setup and the workloads in your cluster. 
+
+To learn more about the features of the Gloo UI, see [About the Gloo UI]({{< versioned_link_path fromRoot="/guides/observability/ui/explore#about-the-gloo-ui" >}}).
+
+## Before you begin
+
+Install GG
+
+## Set up the Gloo UI
+
+Use these instructions to install the Gloo UI in the same cluster as Gloo Gateway. The Gloo UI analyzes your Gloo Gateway setup and provides metrics and insights to you. 
+
+1. Set the name of your cluster and your Gloo Gateway license key as an environment variable.
+   ```sh
+   export CLUSTER_NAME=<cluster-name>
+   export GLOO_GATEWAY_LICENSE_KEY=<license-key>
+   ```
+
+2. Add the Helm repo for the Gloo UI. 
+   ```sh
+   helm repo add gloo-platform https://storage.googleapis.com/gloo-platform/helm-charts
+   helm repo update  
+   ```
+
+3. Install the custom resources for the Gloo UI. 
+   ```sh
+   helm upgrade -i gloo-platform-crds gloo-platform/gloo-platform-crds \
+    --namespace=gloo-system \
+    --version={{< readfile file="/static/content/version-platform.md" markdown="true">}} \
+    --set installEnterpriseCrds=false
+   ```
+
+4. Install the Gloo UI and configure it for Gloo Gateway.
+   ```yaml 
+   helm upgrade -i gloo-platform gloo-platform/gloo-platform \
+   --namespace gloo-system \
+   --version={{< readfile file="static/content/version-platform.md" markdown="true">}} \
+   -f - <<EOF
+   common:
+     adminNamespace: "gloo-system"
+     cluster: $CLUSTER_NAME
+   featureGates:
+     insightsConfiguration: true
+   glooInsightsEngine:
+     enabled: true
+   glooAnalyzer:
+     enabled: true
+   glooUi:
+     enabled: true
+   licensing:
+     glooGatewayLicenseKey: $GLOO_GATEWAY_LICENSE_KEY
+   prometheus:
+     enabled: true
+   telemetryCollector:
+     enabled: true
+     mode: deployment
+     replicaCount: 1
+   EOF
+   ```
+
+5. Verify that the Gloo UI components are successfully installed. 
+   ```sh
+   kubectl get pods -n gloo-system
+   ```
+
+   Example output: 
+   {{< highlight yaml "hl_lines=4-6" >}}
+   NAME                                        READY   STATUS    RESTARTS   AGE
+   extauth-f7695bf7f-f6dkt                     1/1     Running   0          10m
+   gloo-587b79d556-tpvfj                       1/1     Running   0          10m
+   gloo-mesh-ui-66db8d9584-kgjld               3/3     Running   0          72m
+   gloo-telemetry-collector-68b8cf6f49-zhx87   1/1     Running   0          57m
+   prometheus-server-7484d8bfd-tx5s4           2/2     Running   0          72m
+   rate-limit-557dcb857f-9zq2t                 1/1     Running   0          10m
+   redis-5d6c6bcd4-cnmbm                       1/1     Running   0          10m
+   {{< /highlight >}}
+
+
+## Visualize traffic
+
+1. Follow the petstore [hello world example]({{< versioned_link_path fromRoot="/guides/traffic_management/hello_world/" >}}). This example deploys the petstore sample app and exposes a route to the app on your gateway proxy.  
+
+2. Send a few requests to the httpbin app. 
+   ```sh
+   for i in {1..10}; do curl $(glooctl proxy url --name gateway-proxy)/all-pets; done
+   ```
+
+7. Open the Gloo UI. 
+   1. Port-forward the Gloo UI pod. 
+      ```sh
+      kubectl port-forward deployment/gloo-mesh-ui -n gloo-system 8090
+      ```
+   2. Open the Gloo UI dashboard. 
+      ```sh
+      open http://localhost:8090/dashboard
+      ```
+
+      ![Gloo UI dashboard]({{% versioned_link_path fromRoot="/img/ui-dashboard.png" %}})
+
+8. Go to **Observability** > **Graph** to see the Gloo UI Graph. Select your cluster from the **Cluster** drop-down list, and the `httpbin` and `gloo-system` namespaces from the **Namespace** drop-down list. Verify that you see requests from the gateway proxy to the httpbin app. Note that it might take a few seconds for the graph to show the requests that you sent.
+
+   ![Gloo UI Graph]({{< versioned_link_path fromRoot="/img/ui-graph.png" >}})
+
+
+
+## Next
+
+Continue with [exploring the features of the Gloo UI]({{< versioned_link_path fromRoot="/guides/observability/ui/explore" >}}). 

docs/content/guides/traffic_management/extproc/about.md

@@ -12,10 +12,6 @@ With external processing, you can implement an external processing server that c
 External processing is an Enterprise-only feature. 
 {{% /notice %}}
 
-{{% notice warning %}}
-Envoy's external processing filter is considered a work in progress and has an unknown security posture. Use caution when using this feature in production environments. For more information, see the [Envoy documentation](https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_filters/ext_proc_filter#external-processing).
-{{% /notice %}}
-
 ### How it works
 
 The following diagram shows an example for how request header manipulation works when an external processing server is used. 

docs/content/guides/traffic_management/extproc/header-manipulation.md

@@ -10,11 +10,6 @@ Set up an external processing (ExtProc) server that manipulates request headers
 External processing is an Enterprise-only feature.
 {{% /notice %}}
 
-{{% notice warning %}}
-Envoy's external processing filter is considered a work in progress and has an unknown security posture. Use caution when using this feature in production environments. For more information, see the [Envoy documentation](https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_filters/ext_proc_filter#external-processing).
-Note that as of Envoy 1.32, header manipulation via ExtProc does not support the [`append_action`](https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/core/v3/base.proto#envoy-v3-api-msg-config-core-v3-headervalueoption) field.
-{{% /notice %}}
-
 1. Before you begin, install [Gloo Gateway Enterprise]({{% versioned_link_path fromRoot="/installation/enterprise/" %}}) in your cluster.
 
 2. Set up the ExtProc server. This example uses a prebuilt ExtProc server that manipulates request and response headers based on instructions that are sent in an `instructions` header.

docs/content/static/content/version-platform.md

@@ -0,0 +1 @@
+2.7.0-rc2

docs/layouts/shortcodes/readfile.html

@@ -6,13 +6,13 @@
 
 {{- else -}}
 
-{{$file := .Get "file"}}
-{{ if (fileExists $file ) -}}
-{{- if eq (.Get "markdown") "true" -}}
-{{- $file  | readFile | markdownify -}}
-{{- else -}}
-{{ $file  | readFile | safeHTML }}
-{{- end -}}
-{{- end -}}
+  {{$file := .Get "file"}}
+  {{- if (fileExists $file ) -}}
+    {{- if eq (.Get "markdown") "true" -}}
+      {{- $file  | readFile | markdownify -}}
+    {{- else -}}
+      {{- $file  | readFile | safeHTML -}}
+    {{- end -}}
+  {{- end -}}
 
 {{- end -}}

install/helm/gloo/templates/44-rbac.yaml

@@ -13,6 +13,7 @@ rules:
   - gatewayclasses
   - gateways
   - tcproutes
+  - tlsroutes
   - httproutes
   - referencegrants
   verbs: ["get", "list", "watch"]
@@ -50,6 +51,7 @@ rules:
   - gateways/status
   - httproutes/status
   - tcproutes/status
+  - tlsroutes/status
   verbs: ["update", "patch"]
 - apiGroups:
   - apiextensions.k8s.io

projects/gateway2/controller/controller.go

@@ -80,6 +80,7 @@ func NewBaseGatewayController(ctx context.Context, cfg GatewayConfig) error {
 		controllerBuilder.watchGw,
 		controllerBuilder.watchHttpRoute,
 		controllerBuilder.watchTcpRoute,
+		controllerBuilder.watchTlsRoute,
 		controllerBuilder.watchReferenceGrant,
 		controllerBuilder.watchNamespaces,
 		controllerBuilder.watchHttpListenerOptions,
@@ -140,6 +141,12 @@ func (c *controllerBuilder) addIndexes(ctx context.Context) error {
 		}
 	}
 
+	if c.cfg.CRDs.Has(wellknown.TLSRouteCRDName) {
+		if err := c.cfg.Mgr.GetFieldIndexer().IndexField(ctx, &apiv1a2.TLSRoute{}, query.TlsRouteTargetField, query.IndexerByObjType); err != nil {
+			errs = append(errs, err)
+		}
+	}
+
 	return errors.Join(errs...)
 }
 
@@ -361,6 +368,19 @@ func (c *controllerBuilder) watchTcpRoute(ctx context.Context) error {
 		Complete(reconcile.Func(c.reconciler.ReconcileTcpRoutes))
 }
 
+func (c *controllerBuilder) watchTlsRoute(ctx context.Context) error {
+	if !c.cfg.CRDs.Has(wellknown.TLSRouteCRDName) {
+		log.FromContext(ctx).Info("TLSRoute type not registered in scheme; skipping TLSRoute controller setup")
+		return nil
+	}
+
+	// Proceed to set up the controller for TLSRoute
+	return ctrl.NewControllerManagedBy(c.cfg.Mgr).
+		WithEventFilter(predicate.GenerationChangedPredicate{}).
+		For(&apiv1a2.TLSRoute{}).
+		Complete(reconcile.Func(c.reconciler.ReconcileTlsRoutes))
+}
+
 func (c *controllerBuilder) watchReferenceGrant(_ context.Context) error {
 	return ctrl.NewControllerManagedBy(c.cfg.Mgr).
 		WithEventFilter(predicate.GenerationChangedPredicate{}).
@@ -551,6 +571,17 @@ func (r *controllerReconciler) ReconcileTcpRoutes(ctx context.Context, req ctrl.
 	return ctrl.Result{}, nil
 }
 
+func (r *controllerReconciler) ReconcileTlsRoutes(ctx context.Context, req ctrl.Request) (ctrl.Result, error) {
+	// TODO: consider finding impacted gateways and queue them
+	// TODO: consider enabling this
+	//	// reconcile this specific route:
+	//	queries := query.NewData(r.cli, r.scheme)
+	//	httproute.TranslateGatewayHTTPRouteRules(queries, hr, nil)
+
+	r.kick(ctx)
+	return ctrl.Result{}, nil
+}
+
 func (r *controllerReconciler) ReconcileReferenceGrants(ctx context.Context, req ctrl.Request) (ctrl.Result, error) {
 	// reconcile all things?! https://github.com/solo-io/gloo/issues/9997
 	r.kick(ctx)

projects/gateway2/controller/start.go

@@ -290,5 +290,14 @@ func getGatewayCRDs(restConfig *rest.Config) (sets.Set[string], error) {
 		crds.Insert(wellknown.TCPRouteCRDName)
 	}
 
+	tlsRouteExists, err := glooschemes.CRDExists(restConfig, gwv1a2.GroupVersion.Group, gwv1a2.GroupVersion.Version, wellknown.TLSRouteKind)
+	if err != nil {
+		return nil, err
+	}
+
+	if tlsRouteExists {
+		crds.Insert(wellknown.TLSRouteCRDName)
+	}
+
 	return crds, nil
 }

projects/gateway2/proxy_syncer/proxy_syncer.go

@@ -247,6 +247,9 @@ func (p glooProxy) Equals(in glooProxy) bool {
 	if !maps.Equal(p.reportMap.TCPRoutes, in.reportMap.TCPRoutes) {
 		return false
 	}
+	if !maps.Equal(p.reportMap.TLSRoutes, in.reportMap.TLSRoutes) {
+		return false
+	}
 	return true
 }
 
@@ -273,6 +276,9 @@ func (r report) Equals(in report) bool {
 	if !maps.Equal(r.ReportMap.TCPRoutes, in.ReportMap.TCPRoutes) {
 		return false
 	}
+	if !maps.Equal(r.ReportMap.TLSRoutes, in.ReportMap.TLSRoutes) {
+		return false
+	}
 	return true
 }
 
@@ -491,6 +497,19 @@ func (s *ProxySyncer) Init(ctx context.Context, dbg *krt.DebugHandler) error {
 				// obsGen will stay as-is...
 				maps.Copy(p.reportMap.TCPRoutes[rnn].Parents, rr.Parents)
 			}
+
+			// 4. merge tlsroute parentRefs into RouteReports
+			for rnn, rr := range p.reportMap.TLSRoutes {
+				// if we haven't encountered this route, just copy it over completely
+				old := merged.TLSRoutes[rnn]
+				if old == nil {
+					merged.TLSRoutes[rnn] = rr
+					continue
+				}
+				// else, let's merge our parentRefs into the existing map
+				// obsGen will stay as-is...
+				maps.Copy(p.reportMap.TLSRoutes[rnn].Parents, rr.Parents)
+			}
 		}
 		return &report{merged}
 	})
@@ -902,6 +921,12 @@ func (s *ProxySyncer) syncRouteStatus(ctx context.Context, rm reports.ReportMap)
 				return nil
 			}
 			r.Status.RouteStatus = *status
+		case *gwv1a2.TLSRoute:
+			status = rm.BuildRouteStatus(ctx, r, s.controllerName)
+			if status == nil || isRouteStatusEqual(&r.Status.RouteStatus, status) {
+				return nil
+			}
+			r.Status.RouteStatus = *status
 		default:
 			logger.Warnw(fmt.Sprintf("unsupported route type for %s", routeType), "route", route)
 			return nil
@@ -930,6 +955,16 @@ func (s *ProxySyncer) syncRouteStatus(ctx context.Context, rm reports.ReportMap)
 			logger.Errorw("all attempts failed at updating TCPRoute status", "error", err, "route", rnn)
 		}
 	}
+
+	// Sync TLSRoute statuses
+	for rnn := range rm.TLSRoutes {
+		err := syncStatusWithRetry(wellknown.TLSRouteKind, rnn, func() client.Object { return new(gwv1a2.TLSRoute) }, func(route client.Object) error {
+			return buildAndUpdateStatus(route, wellknown.TLSRouteKind)
+		})
+		if err != nil {
+			logger.Errorw("all attempts failed at updating TLSRoute status", "error", err, "route", rnn)
+		}
+	}
 }
 
 // syncGatewayStatus will build and update status for all Gateways in a reportMap