Merge branch 'v1.18.x' into fix/1.18/requesttransformordering

.golangci.yaml

@@ -79,24 +79,13 @@ run:
   # If we find that the job is timing out, we can explore ways to make this job run faster, or increase the timeout.
   timeout: 10m
 
-  skip-dirs:
-    # don't lint ruleguard files
-    - test/rules
-
-    # don't lint gomock intermediate files
-    - 'gomock_reflect_\d*'
-
 # output configuration options
 output:
-  # Format: colored-line-number|line-number|json|colored-tab|tab|checkstyle|code-climate|junit-xml|github-actions|teamcity
-  #
-  # Multiple can be specified by separating them by comma, output can be provided
-  # for each of them by separating format name and path by colon symbol.
-  # Output path can be either `stdout`, `stderr` or path to the file to write to.
-  # Example: "checkstyle:report.xml,json:stdout,colored-line-number"
-  #
-  # Default: colored-line-number
-  format: colored-line-number
+  # Use default format
+  # Default:
+  #   formats:
+  #     - format: colored-line-number
+  #       path: stdout
 
   # Print lines of code with issue.
   print-issued-lines: true

changelog/v1.18.7/fix-gwp-fips-distroless.yaml

@@ -0,0 +1,5 @@
+changelog:
+- type: FIX
+  issueLink: https://github.com/solo-io/gloo/issues/10602
+  resolvesIssue: false
+  description: Fixes the gateway params image to respect the fips and distroless variants specified by global.image.variant. This only applies to the kubernetes gateway proxy.

changelog/v1.18.8/fix_glooctl-check_test-flake.yaml

@@ -0,0 +1,10 @@
+changelog:
+- type: NON_USER_FACING
+  issueLink: https://github.com/solo-io/solo-projects/issues/6619
+  description: fixes flaky enterprise glooctl check tests
+  resolvesIssue: false
+- type: NON_USER_FACING
+  description: |
+    Adjusted timeout in an effort to reduce failures of these tests.
+  issueLink: https://github.com/solo-io/solo-projects/issues/7685
+  resolvesIssue: false

changelog/v1.18.8/linter-yaml-changes.yaml

@@ -0,0 +1,7 @@
+changelog:
+  - type: NON_USER_FACING
+    resolvesIssue: false
+    description: >-
+      Updates for golangci-lint-action  breaking changes in `6.5.0`
+      skipCI-kube-tests:true
+      skipCI-docs-build:true

changelog/v1.18.9/merge-listener-options.yaml

@@ -0,0 +1,8 @@
+changelog:
+  - type: NON_USER_FACING
+    issueLink: https://github.com/solo-io/solo-projects/issues/7300
+    resolvesIssue: true
+    description: >-
+      If we generate any ListenerOptions from a Gateway to Proxy
+      translator, they will no longer be overridden by user
+      ListenerOptions.

install/helm/gloo/templates/_gg-helpers.tpl

@@ -42,18 +42,18 @@ Images valid for the GatewayParameters
 ref Image api in projects/gateway2/api/v1alpha1/kube/container.proto
 */}}
 {{- define "gloo-gateway.gatewayParametersImage" -}}
-{{- $image := . -}}
+{{ $image := . }}
 {{- if $image.registry }}
 registry: {{ $image.registry }}
 {{- end -}}{{/* if $image.registry */}}
 {{- if $image.repository }}
-repository: {{ $image.repository }}
+repository: {{ template "gloo.image.repository" $image }}
 {{- end -}}{{/* if $image.repository */}}
 {{- if $image.tag }}
-tag: {{ $image.tag }}
+tag: {{ template "gloo.image.tag" $image }}
 {{- end -}}{{/* if $image.tag */}}
 {{- if $image.digest }}
-digest: {{ $image.digest }}
+digest: {{ template "gloo.image.digest" $image }}
 {{- end -}}{{/* if $image.digest */}}
 {{- if $image.pullPolicy }}
 pullPolicy: {{ $image.pullPolicy }}

install/helm/gloo/templates/_helpers.tpl

@@ -25,59 +25,75 @@ ClusterRole
 {{- end -}}
 {{- end -}}
 
-{{/*
-Construct a container image name from a registry, repository, tag, and digest.
-*/}}
-{{- define "gloo.image" -}}
-{{- $image := printf "%s/%s" .registry .repository -}}
-
+{{- define "gloo.image.repository" -}}
 {{- /*
 for fips or fips-distroless variants: add -fips to the image repo (name)
 */ -}}
+{{- if .repository -}}
+{{- $repository := .repository -}}
 {{- if or .fips (has .variant (list "fips" "fips-distroless")) -}}
 {{- $fipsSupportedImages := list "gloo-ee" "extauth-ee" "gloo-ee-envoy-wrapper" "rate-limit-ee" "discovery-ee" "sds-ee" -}}
 {{- if (has .repository $fipsSupportedImages) -}}
-{{- $image = printf "%s-fips" $image -}}
+{{- $repository = printf "%s-fips" $repository -}}
 {{- end -}}{{- /* if (has .repository $fipsSupportedImages) */ -}}
 {{- end -}}{{- /* if or .fips (has .variant (list "fips" "fips-distroless")) */ -}}
+{{ $repository }}
+{{- end -}}{{- /* if .repository */ -}}
+{{- end -}}{{- /* define "gloo.image.repository" */ -}}
 
-{{- /*
-add tag, if it exists
-*/ -}}
+{{- define "gloo.image.tag" -}}
 {{- if .tag -}}
-{{- $image = printf "%s:%s" $image .tag -}}
-{{- end -}}{{- /* if .tag */ -}}
-
+{{- $tag := .tag -}}
 {{- /*
 for distroless or fips-distroless variants: add -distroless to the tag
 */ -}}
 {{- if and .tag (has .variant (list "distroless" "fips-distroless")) -}}
 {{- $distrolessSupportedImages := list "gloo" "gloo-envoy-wrapper" "discovery" "sds" "certgen" "kubectl" "access-logger" "ingress" "gloo-ee" "extauth-ee" "gloo-ee-envoy-wrapper" "rate-limit-ee" "discovery-ee" "sds-ee" "observability-ee" "caching-ee" -}}
 {{- if (has .repository $distrolessSupportedImages) -}}
-{{- $image = printf "%s-distroless" $image -}} {{- /* Add distroless suffix to the tag since it contains the same binaries in a different container */ -}}
+{{- $tag = printf "%s-distroless" $tag -}} {{- /* Add distroless suffix to the tag since it contains the same binaries in a different container */ -}}
 {{- end -}}{{- /* if (has .repository $distrolessSupportedImages) */ -}}
 {{- end -}}{{- /* if and .tag (has .variant (list "distroless" "fips-distroless")) */ -}}
+{{ $tag }}
+{{- end -}}{{- /* if .tag */ -}}
+{{- end -}}{{- /* define "gloo.image.tag" */ -}}
 
-{{- /*
-add digest for the chosen variant, if it exists
-*/ -}}
+{{- define "gloo.image.digest" -}}
+{{- $digest := "" -}}
 {{- if or .fips (eq .variant "fips") -}}
   {{- if .fipsDigest -}}
-    {{- $image = printf "%s@%s" $image .fipsDigest -}}
+    {{- $digest = .fipsDigest -}}
   {{- end -}}{{- /* if .fipsDigest */ -}}
 {{- else if eq .variant "distroless" -}}
   {{- if .distrolessDigest -}}
-    {{- $image = printf "%s@%s" $image .distrolessDigest -}}
+    {{- $digest = .distrolessDigest -}}
   {{- end -}}{{- /* if .distrolessDigest */ -}}
 {{- else if eq .variant "fips-distroless" -}}
   {{- if .fipsDistrolessDigest -}}
-    {{- $image = printf "%s@%s" $image .fipsDistrolessDigest -}}
+    {{- $digest = .fipsDistrolessDigest -}}
   {{- end -}}{{- /* if .fipsDistrolessDigest */ -}}
 {{- else -}}
   {{- if .digest -}}{{- /* standard image digest */ -}}
-    {{- $image = printf "%s@%s" $image .digest -}}
+    {{- $digest = .digest -}}
   {{- end -}}{{- /* if .digest */ -}}
 {{- end -}}
+{{ $digest }}
+{{- end -}}{{- /* define "gloo.image.digest" */ -}}
+
+
+{{/*
+Construct a container image name from a registry, repository, tag, and digest.
+*/}}
+{{- define "gloo.image" -}}
+{{- $repository := include  "gloo.image.repository" . -}}
+{{- $image := printf "%s/%s" .registry $repository -}}
+{{- $tag := include  "gloo.image.tag" . -}}
+{{- if $tag -}}
+{{- $image = printf "%s:%s" $image $tag -}}
+{{- end -}}{{- /* if .tag */ -}}
+{{- $digest := include  "gloo.image.digest" . -}}
+{{- if $digest -}}
+{{- $image = printf "%s@%s" $image $digest -}}
+{{- end -}}{{- /* if .digest */ -}}
 {{ $image }}
 {{- end -}}{{- /* define "gloo.image" */ -}}
 
@@ -170,7 +186,7 @@ It takes 4 values:
   .defaults - the default securityContext for the pod or container
   .globalSec - global security settings, usually from .Values.global.securitySettings
   .indent - the number of spaces to indent the output. If not set, the output will not be indented.
-    The indentation argument is necessary because it is possible that no output will be rendered. 
+    The indentation argument is necessary because it is possible that no output will be rendered.
     If that happens and the caller handles the indentation the result will be a line of whitespace, which gets caught by the whitespace tests
 
   Depending upon the value of .values.merge, the securityContext will be merged with the defaults or completely replaced.
@@ -234,7 +250,7 @@ It takes 4 values:
   .podSecurityStandards - podSecurityStandard from values.yaml
   .globalSec - global security settings, usually from .Values.global.securitySettings
   .indent - the number of spaces to indent the output. If not set, the output will not be indented.
-    The indentation argument is necessary because it is possible that no output will be rendered. 
+    The indentation argument is necessary because it is possible that no output will be rendered.
     If that happens and the caller handles the indentation the result will be a line of whitespace, which gets caught by the whitespace tests
 
   If .podSecurityStandards.container.enableRestrictedContainerDefaults is true, the defaults will be set to a restricted set of values.
@@ -260,7 +276,7 @@ It takes 4 values:
 {{- end -}}
 {{- /* set default seccompProfileType */ -}}
 
-{{- $pss_restricted_defaults := dict 
+{{- $pss_restricted_defaults := dict
     "runAsNonRoot" true
     "capabilities" (dict "drop" (list "ALL"))
     "allowPrivilegeEscalation" false }}
@@ -280,7 +296,7 @@ It takes 4 values:
   {{- end -}}
 {{- end -}}
 {{- /* call general securityContext template */ -}}
-{{- include "gloo.securityContext" (dict 
+{{- include "gloo.securityContext" (dict
             "values" $values
             "defaults" $defaults
             "indent" $indent

install/test/k8sgateway_test.go

@@ -487,6 +487,57 @@ var _ = Describe("Kubernetes Gateway API integration", func() {
 					})
 				})
 			})
+
+			Context("distroless and fips", func() {
+				DescribeTable("Uses the correct image for the sds-ee container", func(variant string, expectedImage string) {
+					extraValueArgs := []string{
+						"kubeGateway.gatewayParameters.glooGateway.sdsContainer.image.registry=my-sds-reg",
+						"kubeGateway.gatewayParameters.glooGateway.sdsContainer.image.tag=my-sds-tag",
+						"kubeGateway.gatewayParameters.glooGateway.sdsContainer.image.repository=sds-ee",
+						"global.image.variant=" + variant,
+					}
+					valuesArgs = append(valuesArgs, extraValueArgs...)
+					// Updated values so need to re-render
+					prepareHelmManifest(namespace, glootestutils.HelmValues{ValuesArgs: valuesArgs})
+
+					gwp := getDefaultGatewayParameters(testManifest)
+					gwpKube := gwp.Spec.Kube
+					Expect(gwpKube).ToNot(BeNil())
+					sdsContainer := gwpKube.SdsContainer.Image
+					image := fmt.Sprintf("%s/%s:%s", *sdsContainer.Registry, *sdsContainer.Repository, *sdsContainer.Tag)
+					Expect(image).To(Equal(expectedImage))
+				},
+					Entry("No variant specified", "", "my-sds-reg/sds-ee:my-sds-tag"),
+					Entry("Standard variant", "standard", "my-sds-reg/sds-ee:my-sds-tag"),
+					Entry("Fips variant", "fips", "my-sds-reg/sds-ee-fips:my-sds-tag"),
+					Entry("Distroless variant", "distroless", "my-sds-reg/sds-ee:my-sds-tag-distroless"),
+					Entry("Fips-Distroless variant", "fips-distroless", "my-sds-reg/sds-ee-fips:my-sds-tag-distroless"))
+
+				DescribeTable("Uses the correct image for the gloo-ee-envoy-wrapper container", func(variant string, expectedImage string) {
+					extraValueArgs := []string{
+						"kubeGateway.gatewayParameters.glooGateway.envoyContainer.image.registry=my-gloo-ee-envoy-wrapper-reg",
+						"kubeGateway.gatewayParameters.glooGateway.envoyContainer.image.tag=my-gloo-ee-envoy-wrapper-tag",
+						"kubeGateway.gatewayParameters.glooGateway.envoyContainer.image.repository=gloo-ee-envoy-wrapper",
+						"global.image.variant=" + variant,
+					}
+					valuesArgs = append(valuesArgs, extraValueArgs...)
+					// Updated values so need to re-render
+					prepareHelmManifest(namespace, glootestutils.HelmValues{ValuesArgs: valuesArgs})
+
+					gwp := getDefaultGatewayParameters(testManifest)
+					gwpKube := gwp.Spec.Kube
+					Expect(gwpKube).ToNot(BeNil())
+					envoyContainer := gwpKube.EnvoyContainer.Image
+					image := fmt.Sprintf("%s/%s:%s", *envoyContainer.Registry, *envoyContainer.Repository, *envoyContainer.Tag)
+					Expect(image).To(Equal(expectedImage))
+				},
+					Entry("No variant specified", "", "my-gloo-ee-envoy-wrapper-reg/gloo-ee-envoy-wrapper:my-gloo-ee-envoy-wrapper-tag"),
+					Entry("Standard variant", "standard", "my-gloo-ee-envoy-wrapper-reg/gloo-ee-envoy-wrapper:my-gloo-ee-envoy-wrapper-tag"),
+					Entry("Fips variant", "fips", "my-gloo-ee-envoy-wrapper-reg/gloo-ee-envoy-wrapper-fips:my-gloo-ee-envoy-wrapper-tag"),
+					Entry("Distroless variant", "distroless", "my-gloo-ee-envoy-wrapper-reg/gloo-ee-envoy-wrapper:my-gloo-ee-envoy-wrapper-tag-distroless"),
+					Entry("Fips-Distroless variant", "fips-distroless", "my-gloo-ee-envoy-wrapper-reg/gloo-ee-envoy-wrapper-fips:my-gloo-ee-envoy-wrapper-tag-distroless"))
+
+			})
 		})
 
 		When("kube gateway integration is disabled (default)", func() {

projects/gateway2/translator/plugins/listeneroptions/listener_options_plugin.go

@@ -7,6 +7,7 @@ import (
 	"github.com/solo-io/gloo/projects/gateway2/translator/plugins"
 	lisquery "github.com/solo-io/gloo/projects/gateway2/translator/plugins/listeneroptions/query"
 	v1 "github.com/solo-io/gloo/projects/gloo/pkg/api/v1"
+	"github.com/solo-io/gloo/projects/gloo/pkg/utils"
 
 	"sigs.k8s.io/controller-runtime/pkg/client"
 )
@@ -47,7 +48,11 @@ func (p *plugin) ApplyListenerPlugin(
 	// use the first option (highest in priority)
 	// see for more context: https://github.com/solo-io/solo-projects/issues/6313
 	optToUse := attachedOptions[0]
-	outListener.Options = optToUse.Spec.GetOptions()
+	if outListener.GetOptions() != nil {
+		outListener.Options, _ = utils.ShallowMergeListenerOptions(outListener.GetOptions(), optToUse.Spec.GetOptions())
+	} else {
+		outListener.Options = optToUse.Spec.GetOptions()
+	}
 
 	return nil
 }

projects/gateway2/translator/plugins/listeneroptions/listener_options_plugin_test.go

@@ -16,6 +16,7 @@ import (
 	"github.com/solo-io/gloo/projects/gateway2/translator/testutils"
 	"github.com/solo-io/gloo/projects/gateway2/wellknown"
 	v1 "github.com/solo-io/gloo/projects/gloo/pkg/api/v1"
+	"github.com/solo-io/gloo/projects/gloo/pkg/api/v1/options/proxy_protocol"
 	corev1 "github.com/solo-io/skv2/pkg/api/core.skv2.solo.io/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"sigs.k8s.io/controller-runtime/pkg/client"
@@ -48,12 +49,19 @@ var _ = Describe("ListenerOptions Plugin", func() {
 				},
 			}
 
-			outputListener = &v1.Listener{}
+			outputListener = &v1.Listener{
+				Options: &v1.ListenerOptions{
+					ProxyProtocol: &proxy_protocol.ProxyProtocol{},
+				},
+			}
 
 			expectedOptions = &v1.ListenerOptions{
+				// from config
 				PerConnectionBufferLimitBytes: &wrapperspb.UInt32Value{
 					Value: uint32(419),
 				},
+				// base
+				ProxyProtocol: &proxy_protocol.ProxyProtocol{},
 			}
 		})
 		JustBeforeEach(func() {
@@ -102,7 +110,7 @@ var _ = Describe("ListenerOptions Plugin", func() {
 			It("does not add buffer limit", func() {
 				err := plugin.ApplyListenerPlugin(ctx, listenerCtx, outputListener)
 				Expect(err).ToNot(HaveOccurred())
-				Expect(outputListener.GetOptions()).To(BeNil())
+				Expect(outputListener.GetOptions().GetPerConnectionBufferLimitBytes()).To(BeNil())
 			})
 		})
 
@@ -114,11 +122,10 @@ var _ = Describe("ListenerOptions Plugin", func() {
 			It("does not add buffer limit", func() {
 				err := plugin.ApplyListenerPlugin(ctx, listenerCtx, outputListener)
 				Expect(err).ToNot(HaveOccurred())
-				Expect(outputListener.GetOptions()).To(BeNil())
+				Expect(outputListener.GetOptions().GetPerConnectionBufferLimitBytes()).To(BeNil())
 			})
 		})
 	})
-
 })
 
 func attachedListenerOption() *solokubev1.ListenerOption {
@@ -144,6 +151,7 @@ func attachedListenerOption() *solokubev1.ListenerOption {
 		},
 	}
 }
+
 func attachedListenerOptionWithSectionName() *solokubev1.ListenerOption {
 	listOpt := attachedListenerOption()
 	listOpt.Spec.TargetRefs[0].SectionName = &wrapperspb.StringValue{

projects/gloo/cli/pkg/cmd/check/gloo_stats.go

@@ -34,7 +34,7 @@ var (
 	customGlooDeploymentName = helpers.GlooDeploymentName
 )
 
-func ResourcesSyncedOverXds(stats, deploymentName string) bool {
+func ResourcesSyncedOverXds(printer printers.P, stats, deploymentName string) bool {
 	var outOfSyncResources []string
 	metrics := parseMetrics(stats, []string{glooeTotalEntites, glooeInSyncEntities}, deploymentName)
 	for metric, val := range metrics {
@@ -51,6 +51,12 @@ func ResourcesSyncedOverXds(stats, deploymentName string) bool {
 		fmt.Println(resourcesOutOfSyncMessage(outOfSyncResources))
 		return false
 	}
+
+	if len(metrics) == 0 {
+		printer.AppendStatus("xds metrics", "No xds metrics to check")
+	} else {
+		printer.AppendStatus("xds metrics", "OK")
+	}
 	return true
 }
 
@@ -69,6 +75,7 @@ func RateLimitIsConnected(stats string) bool {
 }
 
 func checkXdsMetrics(ctx context.Context, printer printers.P, opts *options.Options, deployments *appsv1.DeploymentList) error {
+	printer.AppendCheck("Checking xds metrics... ")
 	errMessage := "Problem while checking for gloo xds errors"
 	if deployments == nil {
 		fmt.Println("Skipping due to an error in checking deployments")
@@ -103,7 +110,7 @@ func checkXdsMetrics(ctx context.Context, printer printers.P, opts *options.Opti
 		return fmt.Errorf(err)
 	}
 
-	if !ResourcesSyncedOverXds(stats, customGlooDeploymentName) {
+	if !ResourcesSyncedOverXds(printer, stats, customGlooDeploymentName) {
 		fmt.Println(errMessage)
 		return fmt.Errorf(errMessage)
 	}