Merge branch 'main' into dym-lb-policy

Author: jukie

.github/workflows/build_and_test.yaml

@@ -124,15 +124,28 @@ jobs:
         filter: ${{ github.ref == 'refs/heads/main' && 'tree:0' || '' }}
     - uses: ./tools/github-actions/setup-deps
 
-    - name: Build EG Multiarch Binaries
-      run: make build-multiarch PLATFORMS="linux_amd64 linux_arm64"
+    # Build both linux/amd64 and linux/arm64 on main (needed for multi-arch image publish),
+    # and only linux/amd64 on PRs and release branches.
+    - name: Build EG Binaries
+      run: make build-multiarch BINS="envoy-gateway" PLATFORMS="${{ github.ref == 'refs/heads/main' && 'linux_amd64 linux_arm64' || 'linux_amd64' }}"
 
     - name: Upload EG Binaries
       uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a  # v7.0.1
       with:
         name: envoy-gateway
         path: bin/
 
+  build-egctl:
+    runs-on: ubuntu-latest
+    needs: [changes, lint, gen-check, license-check, coverage-test]
+    if: ${{ github.event_name != 'pull_request' || needs.changes.outputs.run_test_workflow == 'true' }}
+    steps:
+    - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
+    - uses: ./tools/github-actions/setup-deps
+
+    - name: Build egctl Binary
+      run: make build BINS="egctl" PLATFORM="linux_amd64"
+
   conformance-test:
     runs-on: ubuntu-latest
     needs:
@@ -179,9 +192,7 @@ jobs:
         path: bin/
 
     - name: Give Privileges To EG Binaries
-      run: |
-        chmod +x bin/linux/amd64/envoy-gateway
-        chmod +x bin/linux/arm64/envoy-gateway
+      run: chmod +x bin/linux/*/envoy-gateway
 
     # conformance
     - name: Run Standard Conformance Tests
@@ -194,6 +205,7 @@ jobs:
         # set ACTIONS_STEP_DEBUG to true if context runner.debug is '1',
         # which means to dump the current state when there's a case failed.
         ACTIONS_STEP_DEBUG: ${{ runner.debug == '1' }}
+        SKIP_GO_BUILD: "true"
       run: make conformance
 
   e2e-test:
@@ -238,9 +250,7 @@ jobs:
         path: bin/
 
     - name: Give Privileges To EG Binaries
-      run: |
-        chmod +x bin/linux/amd64/envoy-gateway
-        chmod +x bin/linux/arm64/envoy-gateway
+      run: chmod +x bin/linux/*/envoy-gateway
 
     # E2E
     - name: Run E2E Tests
@@ -260,6 +270,7 @@ jobs:
         # set ACTIONS_STEP_DEBUG to true if context runner.debug is '1',
         # which means to dump the current state when there's a case failed.
         ACTIONS_STEP_DEBUG: ${{ runner.debug == '1' }}
+        SKIP_GO_BUILD: "true"
       run: make e2e
 
   benchmark-test:
@@ -274,6 +285,14 @@ jobs:
     - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
     - uses: ./tools/github-actions/setup-deps
 
+    - name: Download EG Binaries
+      uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c  # v8.0.1
+      with:
+        name: envoy-gateway
+        path: bin/
+
+    - name: Give Privileges To EG Binaries
+      run: chmod +x bin/linux/*/envoy-gateway
 
     # Benchmark
     - name: Run Benchmark tests
@@ -287,6 +306,7 @@ jobs:
         BENCHMARK_MEMORY_LIMITS: 2000Mi
         BENCHMARK_REPORT_DIR: benchmark_report
         BENCHMARK_RENDER_PNG: "false"
+        SKIP_GO_BUILD: "true"
       run: make benchmark
 
     - name: Upload Benchmark report
@@ -304,10 +324,21 @@ jobs:
     steps:
     - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
     - uses: ./tools/github-actions/setup-deps
+
+    - name: Download EG Binaries
+      uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c  # v8.0.1
+      with:
+        name: envoy-gateway
+        path: bin/
+
+    - name: Give Privileges To EG Binaries
+      run: chmod +x bin/linux/*/envoy-gateway
+
     - name: Resilience Test
       env:
         IMAGE_PULL_POLICY: IfNotPresent
         CUSTOM_CNI: "true"
+        SKIP_GO_BUILD: "true"
       run: make resilience
 
   publish:
@@ -325,9 +356,7 @@ jobs:
         path: bin/
 
     - name: Give Privileges To EG Binaries
-      run: |
-        chmod +x bin/linux/amd64/envoy-gateway
-        chmod +x bin/linux/arm64/envoy-gateway
+      run: chmod +x bin/linux/*/envoy-gateway
 
     # build and push image
     - name: Login to DockerHub
@@ -363,6 +392,7 @@ jobs:
     - license-check
     - coverage-test
     - build
+    - build-egctl
     - conformance-test
     - e2e-test
     - benchmark-test

api/v1alpha1/ext_auth_types.go

@@ -64,6 +64,29 @@ type ExtAuth struct {
 	// +optional
 	RecomputeRoute *bool `json:"recomputeRoute,omitempty"`
 
+	// IncludeRouteMetadata sends Envoy Gateway's built-in route metadata to the
+	// external authorization service as context.
+	//
+	// This includes Envoy Gateway's built-in metadata for the selected route in
+	// the "envoy-gateway" metadata namespace.
+	//
+	// The metadata is exposed under the "resources" field as a list of route
+	// resource objects. For example:
+	//
+	// envoy-gateway:
+	//   resources:
+	//   - kind: HTTPRoute
+	//     name: backend
+	//     namespace: default
+	//     annotations:
+	//       foo: bar
+	//
+	// The resource object may include fields such as kind, namespace, name,
+	// sectionName, and supported route annotations.
+	//
+	// +optional
+	IncludeRouteMetadata *bool `json:"includeRouteMetadata,omitempty"`
+
 	// ContextExtensions are analogous to http_request.headers, however these
 	// contents will not be sent to the upstream server. This provides an
 	// extension mechanism for sending additional information to the auth server

api/v1alpha1/zz_generated.deepcopy.go

@@ -1,7 +1,7 @@
 dependencies:
 - name: prometheus
   repository: https://prometheus-community.github.io/helm-charts
-  version: 29.1.0
+  version: 29.2.1
 - name: grafana
   repository: https://grafana.github.io/helm-charts
   version: 10.5.15
@@ -19,6 +19,6 @@ dependencies:
   version: 1.3.1
 - name: opentelemetry-collector
   repository: https://open-telemetry.github.io/opentelemetry-helm-charts
-  version: 0.147.2
-digest: sha256:17fdc01e5a85cef9c1c943f00de8be2edecefbfdd442f6a94aaa7aa41c6ba855
-generated: "2026-04-08T04:30:45.827362158Z"
+  version: 0.150.0
+digest: sha256:a280a7ff86e2eb03ceddb82202ca0fbf429fa02690863bd0a3a1f30fa1d4ae85
+generated: "2026-04-15T04:32:15.769343149Z"

charts/gateway-addons-helm/Chart.lock

@@ -26,7 +26,7 @@ sources:
 
 dependencies:
   - name: prometheus
-    version: 29.1.0
+    version: 29.2.1
     repository: https://prometheus-community.github.io/helm-charts
     condition: prometheus.enabled
   - name: grafana
@@ -51,5 +51,5 @@ dependencies:
     condition: tempo.enabled
   - name: opentelemetry-collector
     repository: https://open-telemetry.github.io/opentelemetry-helm-charts
-    version: 0.147.2
+    version: 0.150.0
     condition: opentelemetry-collector.enabled

charts/gateway-addons-helm/Chart.yaml

@@ -26,8 +26,8 @@ An Add-ons Helm chart for Envoy Gateway
 | https://grafana.github.io/helm-charts | grafana | 10.5.15 |
 | https://grafana.github.io/helm-charts | loki | 6.55.0 |
 | https://grafana.github.io/helm-charts | tempo | 1.3.1 |
-| https://open-telemetry.github.io/opentelemetry-helm-charts | opentelemetry-collector | 0.147.2 |
-| https://prometheus-community.github.io/helm-charts | prometheus | 29.1.0 |
+| https://open-telemetry.github.io/opentelemetry-helm-charts | opentelemetry-collector | 0.150.0 |
+| https://prometheus-community.github.io/helm-charts | prometheus | 29.2.1 |
 
 ## Usage
 
@@ -172,7 +172,7 @@ helm uninstall eg-addons -n monitoring
 | opentelemetry-collector.enabled | bool | `false` |  |
 | opentelemetry-collector.fullnameOverride | string | `"otel-collector"` |  |
 | opentelemetry-collector.image.repository | string | `"otel/opentelemetry-collector-contrib"` |  |
-| opentelemetry-collector.image.tag | string | `"0.149.0"` |  |
+| opentelemetry-collector.image.tag | string | `"0.150.1"` |  |
 | opentelemetry-collector.mode | string | `"deployment"` |  |
 | opentelemetry-collector.ports.datadog.containerPort | int | `8126` |  |
 | opentelemetry-collector.ports.datadog.enabled | bool | `true` |  |

charts/gateway-addons-helm/README.md

@@ -868,7 +868,7 @@ opentelemetry-collector:
   mode: deployment
   image:
     repository: "otel/opentelemetry-collector-contrib"
-    tag: "0.149.0"
+    tag: "0.150.1"
   config:
     exporters:
       prometheus:

charts/gateway-addons-helm/values.yaml

@@ -3520,6 +3520,28 @@ spec:
                       rule: 'has(self.backendRefs) ? (self.backendRefs.all(f, f.group
                         == "" || f.group == ''multicluster.x-k8s.io'' || f.group ==
                         ''gateway.envoyproxy.io'')) : true'
+                  includeRouteMetadata:
+                    description: |-
+                      IncludeRouteMetadata sends Envoy Gateway's built-in route metadata to the
+                      external authorization service as context.
+
+                      This includes Envoy Gateway's built-in metadata for the selected route in
+                      the "envoy-gateway" metadata namespace.
+
+                      The metadata is exposed under the "resources" field as a list of route
+                      resource objects. For example:
+
+                      envoy-gateway:
+                        resources:
+                        - kind: HTTPRoute
+                          name: backend
+                          namespace: default
+                          annotations:
+                            foo: bar
+
+                      The resource object may include fields such as kind, namespace, name,
+                      sectionName, and supported route annotations.
+                    type: boolean
                   recomputeRoute:
                     description: |-
                       RecomputeRoute clears the route cache and recalculates the routing decision.

charts/gateway-crds-helm/templates/generated/gateway.envoyproxy.io_securitypolicies.yaml

@@ -3519,6 +3519,28 @@ spec:
                       rule: 'has(self.backendRefs) ? (self.backendRefs.all(f, f.group
                         == "" || f.group == ''multicluster.x-k8s.io'' || f.group ==
                         ''gateway.envoyproxy.io'')) : true'
+                  includeRouteMetadata:
+                    description: |-
+                      IncludeRouteMetadata sends Envoy Gateway's built-in route metadata to the
+                      external authorization service as context.
+
+                      This includes Envoy Gateway's built-in metadata for the selected route in
+                      the "envoy-gateway" metadata namespace.
+
+                      The metadata is exposed under the "resources" field as a list of route
+                      resource objects. For example:
+
+                      envoy-gateway:
+                        resources:
+                        - kind: HTTPRoute
+                          name: backend
+                          namespace: default
+                          annotations:
+                            foo: bar
+
+                      The resource object may include fields such as kind, namespace, name,
+                      sectionName, and supported route annotations.
+                    type: boolean
                   recomputeRoute:
                     description: |-
                       RecomputeRoute clears the route cache and recalculates the routing decision.

charts/gateway-helm/charts/crds/crds/generated/gateway.envoyproxy.io_securitypolicies.yaml

@@ -7,6 +7,7 @@ require (
 	github.com/golang/protobuf v1.5.4
 	google.golang.org/genproto/googleapis/rpc v0.0.0-20260128011058-8636f8732409
 	google.golang.org/grpc v1.80.0
+	google.golang.org/protobuf v1.36.11
 )
 
 require (
@@ -16,5 +17,4 @@ require (
 	golang.org/x/net v0.51.0 // indirect
 	golang.org/x/sys v0.41.0 // indirect
 	golang.org/x/text v0.34.0 // indirect
-	google.golang.org/protobuf v1.36.11 // indirect
 )