Merge branch 'main' into dym-lb-policy

Signed-off-by: jukie <10012479+jukie@users.noreply.github.com>

Author: jukie

.github/dependabot.yml

@@ -64,6 +64,9 @@ updates:
       - /tools
     schedule:
       interval: weekly
+    ignore:
+      # fortawesome/fontawesome-free should be updated with docsy.
+      - dependency-name: "@fortawesome/fontawesome-free"
   - package-ecosystem: pip
     directories:
       - /tools/src/codespell

.github/workflows/codeql.yml

@@ -36,14 +36,14 @@ jobs:
     - uses: ./tools/github-actions/setup-deps
 
     - name: Initialize CodeQL
-      uses: github/codeql-action/init@c10b8064de6f491fea524254123dbe5e09572f13  # v3.29.5
+      uses: github/codeql-action/init@95e58e9a2cdfd71adc6e0353d5c52f41a045d225  # v3.29.5
       with:
         languages: ${{ matrix.language }}
 
     - name: Autobuild
-      uses: github/codeql-action/autobuild@c10b8064de6f491fea524254123dbe5e09572f13  # v3.29.5
+      uses: github/codeql-action/autobuild@95e58e9a2cdfd71adc6e0353d5c52f41a045d225  # v3.29.5
 
     - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@c10b8064de6f491fea524254123dbe5e09572f13  # v3.29.5
+      uses: github/codeql-action/analyze@95e58e9a2cdfd71adc6e0353d5c52f41a045d225  # v3.29.5
       with:
         category: "/language:${{matrix.language}}"

.github/workflows/docs.yaml

@@ -48,7 +48,7 @@ jobs:
     - uses: ./tools/github-actions/setup-deps
 
     - name: Setup Node
-      uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f  # v6.3.0
+      uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e  # v6.4.0
       with:
         node-version-file: site/.nvmrc
 

.github/workflows/scorecard.yml

@@ -40,6 +40,6 @@ jobs:
         retention-days: 5
 
     - name: "Upload to code-scanning"
-      uses: github/codeql-action/upload-sarif@c10b8064de6f491fea524254123dbe5e09572f13  # v3.29.5
+      uses: github/codeql-action/upload-sarif@95e58e9a2cdfd71adc6e0353d5c52f41a045d225  # v3.29.5
       with:
         sarif_file: results.sarif

.github/workflows/trivy.yml

@@ -35,7 +35,7 @@ jobs:
         IMAGE=envoy-proxy/gateway-dev TAG=${{ github.sha }} make image
 
     - name: Run Trivy vulnerability scanner
-      uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1  # v0.35.0
+      uses: aquasecurity/trivy-action@ed142fd0673e97e23eac54620cfb913e5ce36c25  # v0.36.0
       with:
         image-ref: envoy-proxy/gateway-dev:${{ github.sha }}
         exit-code: '1'

api/v1alpha1/envoygateway_types.go

@@ -312,6 +312,8 @@ type ExtensionAPISettings struct {
 	// DisableLua determines if Lua EnvoyExtensionPolicies should be disabled.
 	// If set to true, the Lua EnvoyExtensionPolicy feature will be disabled.
 	DisableLua bool `json:"disableLua"`
+	// EnableSDSSecretRef enables read SDS(Secret Discovery Service) settings from a secret(with type gateway.envoyproxy.io/sds).
+	EnableSDSSecretRef bool `json:"enableSDSSecretRef"`
 }
 
 // EnvoyGatewayProvider defines the desired configuration of a provider.

api/v1alpha1/healthcheck_types.go

@@ -70,6 +70,8 @@ type PassiveHealthCheck struct {
 	// MaxEjectionPercent sets the maximum percentage of hosts in a cluster that can be ejected.
 	//
 	// +kubebuilder:default=10
+	// +kubebuilder:validation:Minimum=0
+	// +kubebuilder:validation:Maximum=100
 	// +optional
 	MaxEjectionPercent *int32 `json:"maxEjectionPercent,omitempty"`
 

api/v1alpha1/loadbalancer_types.go

@@ -18,7 +18,8 @@ import (
 // +kubebuilder:validation:XValidation:rule="self.type == 'DynamicModule' ? has(self.dynamicModule) : !has(self.dynamicModule)",message="If LoadBalancer type is DynamicModule, dynamicModule field needs to be set."
 // +kubebuilder:validation:XValidation:rule="self.type in ['Random', 'ConsistentHash', 'DynamicModule'] ? !has(self.slowStart) : true",message="Currently SlowStart is only supported for RoundRobin, LeastRequest, and BackendUtilization load balancers."
 // +kubebuilder:validation:XValidation:rule="self.type == 'ConsistentHash' && has(self.zoneAware) ? !has(self.zoneAware.preferLocal) : true",message="PreferLocal zone-aware routing is not supported for ConsistentHash load balancers. Use weightedZones instead."
-// +kubebuilder:validation:XValidation:rule="self.type in ['BackendUtilization', 'DynamicModule'] ? !has(self.zoneAware) : true",message="ZoneAware routing is not supported for BackendUtilization and DynamicModule load balancers."
+// +kubebuilder:validation:XValidation:rule="self.type == 'BackendUtilization' && has(self.zoneAware) ? !has(self.zoneAware.preferLocal) : true",message="PreferLocal zone-aware routing is not currently supported for BackendUtilization load balancers. Only WeightedZones can be used with BackendUtilization."
+// +kubebuilder:validation:XValidation:rule="self.type == 'DynamicModule' ? !has(self.zoneAware) : true",message="ZoneAware routing is not supported for DynamicModule load balancers."
 // +kubebuilder:validation:XValidation:rule="has(self.zoneAware) ? !(has(self.zoneAware.preferLocal) && has(self.zoneAware.weightedZones)) : true",message="ZoneAware PreferLocal and WeightedZones cannot be specified together."
 // +kubebuilder:validation:XValidation:rule="self.type == 'DynamicModule' ? !has(self.endpointOverride) : true",message="EndpointOverride is not supported for DynamicModule load balancers."
 type LoadBalancer struct {

api/v1alpha1/ratelimit_types.go

@@ -71,6 +71,23 @@ type LocalRateLimit struct {
 	Rules []RateLimitRule `json:"rules"`
 }
 
+// XRateLimitHeadersOption controls whether X-RateLimit response headers are sent for a rate limit rule.
+// Valid values are "Off" and "DraftVersion03".
+// This allows per-rule override of the global X-RateLimit header setting in ClientTrafficPolicy.
+//
+// +kubebuilder:validation:Enum=Off;DraftVersion03
+type XRateLimitHeadersOption string
+
+const (
+	// XRateLimitHeadersOptionDisabled disables X-RateLimit headers for this rate limit rule,
+	// regardless of the global ClientTrafficPolicy setting.
+	XRateLimitHeadersOptionDisabled XRateLimitHeadersOption = "Disabled"
+
+	// XRateLimitHeadersOptionDraftVersion03 enables X-RateLimit headers using RFC draft version 03
+	// for this rate limit rule, regardless of the global ClientTrafficPolicy setting.
+	XRateLimitHeadersOptionDraftVersion03 XRateLimitHeadersOption = "DraftVersion03"
+)
+
 // RateLimitRule defines the semantics for matching attributes
 // from the incoming requests, and setting limits for them.
 type RateLimitRule struct {
@@ -119,6 +136,12 @@ type RateLimitRule struct {
 	//
 	// +optional
 	ShadowMode *bool `json:"shadowMode,omitempty"`
+	// XRateLimitHeaders controls whether X-RateLimit response headers are emitted for this rate limit rule.
+	// When set, this overrides the global DisableRateLimitHeaders setting in ClientTrafficPolicy for this rule.
+	// If not set, the rule inherits the listener-level setting (default behavior).
+	//
+	// +optional
+	XRateLimitHeaders *XRateLimitHeadersOption `json:"xRateLimitHeaders,omitempty"`
 }
 
 type RateLimitCost struct {
@@ -409,7 +432,12 @@ type PathMatch struct {
 
 // RateLimitValue defines the limits for rate limiting.
 type RateLimitValue struct {
-	Requests uint          `json:"requests"`
+	// Requests is the number of requests (or cost units, when used with
+	// cost-based rate limiting) allowed per Unit.
+	//
+	// +kubebuilder:validation:Minimum=1
+	// +kubebuilder:validation:Maximum=4294967295
+	Requests uint32        `json:"requests"`
 	Unit     RateLimitUnit `json:"unit"`
 }
 

api/v1alpha1/shared_types.go

@@ -16,6 +16,9 @@ import (
 )
 
 const (
+	// SDSSecretType is the type for secrets that reference SDS configuration
+	SDSSecretType = "gateway.envoyproxy.io/sds"
+
 	// DefaultDeploymentReplicas is the default number of deployment replicas.
 	DefaultDeploymentReplicas = 1
 	// DefaultDeploymentCPUResourceRequests for deployment cpu resource