Merge branch 'main' into e2e-eg-cert-reload

.github/dependabot.yml

@@ -30,12 +30,14 @@ updates:
       k8s.io:
         patterns:
           - "k8s.io/*"
+          - "sigs.k8s.io/*"
       go.opentelemetry.io:
         patterns:
           - "go.opentelemetry.io/*"
       golang.org:
         patterns:
           - "golang.org/*"
+          - "google.golang.org/*"
   - package-ecosystem: pip
     directories:
       - /tools/src/codespell

.github/workflows/build_and_test.yaml

@@ -85,7 +85,7 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        version: [ v1.28.13, v1.29.8, v1.30.4, v1.31.0 ]
+        version: [ v1.29.10, v1.30.6, v1.31.4, v1.32.0 ]
     steps:
     - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683  # v4.2.2
     - uses: ./tools/github-actions/setup-deps
@@ -115,14 +115,14 @@ jobs:
       fail-fast: false
       matrix:
         target:
-        - version: v1.28.13
+        - version: v1.29.10
           ipFamily: ipv4
-        - version: v1.29.8
+        - version: v1.30.6
           ipFamily: ipv4
-        - version: v1.30.4
+        - version: v1.31.4
           ipFamily: ipv6  # only run ipv6 test on this version to save time
         # TODO: this's IPv4 first, need a way to test IPv6 first.
-        - version: v1.31.0
+        - version: v1.32.0
           ipFamily: dual  # only run dual test on latest version to save time
     steps:
     - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683  # v4.2.2
@@ -163,7 +163,7 @@ jobs:
     # Benchmark
     - name: Run Benchmark tests
       env:
-        KIND_NODE_TAG: v1.28.13
+        KIND_NODE_TAG: v1.29.10
         IMAGE_PULL_POLICY: IfNotPresent
         # Args for benchmark test
         BENCHMARK_RPS: 10000
@@ -176,6 +176,19 @@ jobs:
 
     - name: Read Benchmark report
       run: cat test/benchmark/benchmark_report/benchmark_report.md
+  resilience-test:
+    runs-on: ubuntu-latest
+    if: ${{ ! startsWith(github.event_name, 'push') }}
+    needs: [build]
+    steps:
+    - uses: actions/[email protected]
+    - uses: ./tools/github-actions/setup-deps
+    - name: Resilience Test
+      env:
+        KIND_NODE_TAG: v1.28.13
+        IMAGE_PULL_POLICY: IfNotPresent
+        CUSTOM_CNI: "true"
+      run: make resilience
 
   publish:
     runs-on: ubuntu-latest

.github/workflows/codeql.yml

@@ -36,14 +36,14 @@ jobs:
     - uses: ./tools/github-actions/setup-deps
 
     - name: Initialize CodeQL
-      uses: github/codeql-action/init@aa578102511db1f4524ed59b8cc2bae4f6e88195  # v3.27.6
+      uses: github/codeql-action/init@df409f7d9260372bd5f19e5b04e83cb3c43714ae  # v3.27.9
       with:
         languages: ${{ matrix.language }}
 
     - name: Autobuild
-      uses: github/codeql-action/autobuild@aa578102511db1f4524ed59b8cc2bae4f6e88195  # v3.27.6
+      uses: github/codeql-action/autobuild@df409f7d9260372bd5f19e5b04e83cb3c43714ae  # v3.27.9
 
     - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@aa578102511db1f4524ed59b8cc2bae4f6e88195  # v3.27.6
+      uses: github/codeql-action/analyze@df409f7d9260372bd5f19e5b04e83cb3c43714ae  # v3.27.9
       with:
         category: "/language:${{matrix.language}}"

.github/workflows/experimental_conformance.yaml

@@ -19,7 +19,7 @@ jobs:
     runs-on: ubuntu-latest
     strategy:
       matrix:
-        version: [ v1.28.13, v1.29.8, v1.30.4, v1.31.0 ]
+        version: [ v1.29.10, v1.30.6, v1.31.4, v1.32.0 ]
     steps:
     - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683  # v4.2.2
     - uses: ./tools/github-actions/setup-deps

.github/workflows/latest_release.yaml

@@ -31,7 +31,7 @@ jobs:
     # Benchmark
     - name: Run Benchmark tests
       env:
-        KIND_NODE_TAG: v1.28.13
+        KIND_NODE_TAG: v1.29.10
         IMAGE_PULL_POLICY: IfNotPresent
         # Args for benchmark test
         BENCHMARK_RPS: 10000
@@ -107,7 +107,7 @@ jobs:
         GITHUB_REPOSITORY: ${{ github.repository_owner }}/${{ github.event.repository.name }}
 
     - name: Recreate the Latest Release and Tag
-      uses: softprops/action-gh-release@01570a1f39cb168c169c802c3bceb9e93fb10974  # v0.1.15
+      uses: softprops/action-gh-release@7b4da11513bf3f43f9999e90eabced41ab8bb048  # v0.1.15
       with:
         draft: false
         prerelease: true

.github/workflows/osv-scanner.yml

@@ -19,27 +19,34 @@ permissions:
 jobs:
   scan-scheduled:
     if: ${{ github.event_name == 'push' || github.event_name == 'schedule' }}
-    uses: "google/osv-scanner-action/.github/workflows/osv-scanner-reusable.yml@19ec1116569a47416e11a45848722b1af31a857b"  # v1.9.0
+    runs-on: ubuntu-latest
+    steps:
+    - uses: "google/osv-scanner-action/.github/workflows/osv-scanner-reusable.yml@19ec1116569a47416e11a45848722b1af31a857b"  # v1.9.0
+      with:
+        scan-args: |-
+          --skip-git
+          --recursive
+          ./
     permissions:
       actions: read
       contents: read
       # Require writing security events to upload SARIF file to security tab
       security-events: write
-    with:
-      scan-args: |-
-        --skip-git
-        --recursive
-        ./
 
   scan-pr:
     if: ${{ github.event_name == 'pull_request' || github.event_name == 'merge_group' }}
-    uses: "google/osv-scanner-action/.github/workflows/osv-scanner-reusable-pr.yml@19ec1116569a47416e11a45848722b1af31a857b"  # v1.9.0
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/setup-go@v5
+      with:
+        go-version: '1.23.4' # The Go version to download (if necessary) and use.
+    - uses: "google/osv-scanner-action/.github/workflows/osv-scanner-reusable-pr.yml@19ec1116569a47416e11a45848722b1af31a857b"  # v1.9.0
+      with:
+        scan-args: |-
+          --skip-git
+          --recursive
+          ./
     permissions:
       actions: read
       contents: read
       security-events: write
-    with:
-      scan-args: |-
-        --skip-git
-        --recursive
-        ./

.github/workflows/release.yaml

@@ -24,7 +24,7 @@ jobs:
       # Benchmark
       - name: Run Benchmark tests
         env:
-          KIND_NODE_TAG: v1.28.13
+          KIND_NODE_TAG: v1.29.10
           IMAGE_PULL_POLICY: IfNotPresent
           # Args for benchmark test
           BENCHMARK_RPS: 10000
@@ -96,7 +96,7 @@ jobs:
           tar -zcvf egctl_${{ env.release_tag }}_darwin_arm64.tar.gz bin/darwin/arm64/egctl
 
       - name: Upload Release Manifests
-        uses: softprops/action-gh-release@01570a1f39cb168c169c802c3bceb9e93fb10974  # v0.1.15
+        uses: softprops/action-gh-release@7b4da11513bf3f43f9999e90eabced41ab8bb048  # v0.1.15
         with:
           files: |
             release-artifacts/install.yaml

.github/workflows/scorecard.yml

@@ -40,6 +40,6 @@ jobs:
         retention-days: 5
 
     - name: "Upload to code-scanning"
-      uses: github/codeql-action/upload-sarif@aa578102511db1f4524ed59b8cc2bae4f6e88195  # v3.27.6
+      uses: github/codeql-action/upload-sarif@df409f7d9260372bd5f19e5b04e83cb3c43714ae  # v3.27.9
       with:
         sarif_file: results.sarif

VERSION

@@ -1 +1 @@
-v1.2.3
+v1.2.4

api/v1alpha1/kubernetes_helpers.go

@@ -11,7 +11,9 @@ import (
 
 	jsonpatch "github.com/evanphx/json-patch"
 	appsv1 "k8s.io/api/apps/v1"
+	autoscalingv2 "k8s.io/api/autoscaling/v2"
 	corev1 "k8s.io/api/core/v1"
+	policyv1 "k8s.io/api/policy/v1"
 	"k8s.io/apimachinery/pkg/api/resource"
 	"k8s.io/apimachinery/pkg/util/strategicpatch"
 	"k8s.io/utils/ptr"
@@ -237,10 +239,10 @@ func (service *KubernetesServiceSpec) ApplyMergePatch(old *corev1.Service) (*cor
 	var patchedJSON []byte
 	var err error
 
-	// Serialize the current deployment to JSON
+	// Serialize the current service to JSON
 	originalJSON, err := json.Marshal(old)
 	if err != nil {
-		return nil, fmt.Errorf("error marshaling original deployment: %w", err)
+		return nil, fmt.Errorf("error marshaling original service: %w", err)
 	}
 
 	switch {
@@ -263,3 +265,75 @@ func (service *KubernetesServiceSpec) ApplyMergePatch(old *corev1.Service) (*cor
 
 	return &patchedService, nil
 }
+
+// ApplyMergePatch applies a merge patch to a HorizontalPodAutoscaler based on the merge type
+func (hpa *KubernetesHorizontalPodAutoscalerSpec) ApplyMergePatch(old *autoscalingv2.HorizontalPodAutoscaler) (*autoscalingv2.HorizontalPodAutoscaler, error) {
+	if hpa.Patch == nil {
+		return old, nil
+	}
+
+	var patchedJSON []byte
+	var err error
+
+	// Serialize the current HPA to JSON
+	originalJSON, err := json.Marshal(old)
+	if err != nil {
+		return nil, fmt.Errorf("error marshaling original HorizontalPodAutoscaler: %w", err)
+	}
+
+	switch {
+	case hpa.Patch.Type == nil || *hpa.Patch.Type == StrategicMerge:
+		patchedJSON, err = strategicpatch.StrategicMergePatch(originalJSON, hpa.Patch.Value.Raw, autoscalingv2.HorizontalPodAutoscaler{})
+	case *hpa.Patch.Type == JSONMerge:
+		patchedJSON, err = jsonpatch.MergePatch(originalJSON, hpa.Patch.Value.Raw)
+	default:
+		return nil, fmt.Errorf("unsupported merge type: %s", *hpa.Patch.Type)
+	}
+	if err != nil {
+		return nil, fmt.Errorf("error applying merge patch: %w", err)
+	}
+
+	// Deserialize the patched JSON into a new HorizontalPodAutoscaler object
+	var patchedHpa autoscalingv2.HorizontalPodAutoscaler
+	if err := json.Unmarshal(patchedJSON, &patchedHpa); err != nil {
+		return nil, fmt.Errorf("error unmarshaling patched HorizontalPodAutoscaler: %w", err)
+	}
+
+	return &patchedHpa, nil
+}
+
+// ApplyMergePatch applies a merge patch to a PodDisruptionBudget based on the merge type
+func (pdb *KubernetesPodDisruptionBudgetSpec) ApplyMergePatch(old *policyv1.PodDisruptionBudget) (*policyv1.PodDisruptionBudget, error) {
+	if pdb.Patch == nil {
+		return old, nil
+	}
+
+	var patchedJSON []byte
+	var err error
+
+	// Serialize the PDB deployment to JSON
+	originalJSON, err := json.Marshal(old)
+	if err != nil {
+		return nil, fmt.Errorf("error marshaling original PodDisruptionBudget: %w", err)
+	}
+
+	switch {
+	case pdb.Patch.Type == nil || *pdb.Patch.Type == StrategicMerge:
+		patchedJSON, err = strategicpatch.StrategicMergePatch(originalJSON, pdb.Patch.Value.Raw, policyv1.PodDisruptionBudget{})
+	case *pdb.Patch.Type == JSONMerge:
+		patchedJSON, err = jsonpatch.MergePatch(originalJSON, pdb.Patch.Value.Raw)
+	default:
+		return nil, fmt.Errorf("unsupported merge type: %s", *pdb.Patch.Type)
+	}
+	if err != nil {
+		return nil, fmt.Errorf("error applying merge patch: %w", err)
+	}
+
+	// Deserialize the patched JSON into a new HorizontalPodAutoscaler object
+	var patchedPdb policyv1.PodDisruptionBudget
+	if err := json.Unmarshal(patchedJSON, &patchedPdb); err != nil {
+		return nil, fmt.Errorf("error unmarshaling patched PodDisruptionBudget: %w", err)
+	}
+
+	return &patchedPdb, nil
+}

api/v1alpha1/shared_types.go

@@ -406,6 +406,11 @@ type KubernetesPodDisruptionBudgetSpec struct {
 	// and resilience during maintenance operations.
 	// +optional
 	MinAvailable *int32 `json:"minAvailable,omitempty"`
+
+	// Patch defines how to perform the patch operation to the PodDisruptionBudget
+	//
+	// +optional
+	Patch *KubernetesPatchSpec `json:"patch,omitempty"`
 }
 
 // KubernetesHorizontalPodAutoscalerSpec defines Kubernetes Horizontal Pod Autoscaler settings of Envoy Proxy Deployment.
@@ -443,6 +448,11 @@ type KubernetesHorizontalPodAutoscalerSpec struct {
 	//
 	// +optional
 	Behavior *autoscalingv2.HorizontalPodAutoscalerBehavior `json:"behavior,omitempty"`
+
+	// Patch defines how to perform the patch operation to the HorizontalPodAutoscaler
+	//
+	// +optional
+	Patch *KubernetesPatchSpec `json:"patch,omitempty"`
 }
 
 // HTTPStatus defines the http status code.

api/v1alpha1/validation/envoyproxy_validate.go

@@ -72,6 +72,14 @@ func validateProvider(spec *egv1a1.EnvoyProxySpec) []error {
 		if len(validateDeploymentErrs) != 0 {
 			errs = append(errs, validateDeploymentErrs...)
 		}
+		validateHpaErrors := validateHpa(spec)
+		if len(validateHpaErrors) != 0 {
+			errs = append(errs, validateHpaErrors...)
+		}
+		validatePdbErrors := validatePdb(spec)
+		if len(validatePdbErrors) != 0 {
+			errs = append(errs, validatePdbErrors...)
+		}
 		validateServiceErrs := validateService(spec)
 		if len(validateServiceErrs) != 0 {
 			errs = append(errs, validateServiceErrs...)
@@ -95,6 +103,36 @@ func validateDeployment(spec *egv1a1.EnvoyProxySpec) []error {
 	return errs
 }
 
+func validateHpa(spec *egv1a1.EnvoyProxySpec) []error {
+	var errs []error
+	if spec.Provider.Kubernetes != nil && spec.Provider.Kubernetes.EnvoyHpa != nil {
+		if patch := spec.Provider.Kubernetes.EnvoyHpa.Patch; patch != nil {
+			if patch.Value.Raw == nil {
+				errs = append(errs, fmt.Errorf("envoy hpa patch object cannot be empty"))
+			}
+			if patch.Type != nil && *patch.Type != egv1a1.JSONMerge && *patch.Type != egv1a1.StrategicMerge {
+				errs = append(errs, fmt.Errorf("unsupported envoy hpa patch type %s", *patch.Type))
+			}
+		}
+	}
+	return errs
+}
+
+func validatePdb(spec *egv1a1.EnvoyProxySpec) []error {
+	var errs []error
+	if spec.Provider.Kubernetes != nil && spec.Provider.Kubernetes.EnvoyPDB != nil {
+		if patch := spec.Provider.Kubernetes.EnvoyPDB.Patch; patch != nil {
+			if patch.Value.Raw == nil {
+				errs = append(errs, fmt.Errorf("envoy pdb patch object cannot be empty"))
+			}
+			if patch.Type != nil && *patch.Type != egv1a1.JSONMerge && *patch.Type != egv1a1.StrategicMerge {
+				errs = append(errs, fmt.Errorf("unsupported envoy pdb patch type %s", *patch.Type))
+			}
+		}
+	}
+	return errs
+}
+
 // TODO: remove this function if CEL validation became stable
 func validateService(spec *egv1a1.EnvoyProxySpec) []error {
 	var errs []error