[release/v1.0] cherry pick from main to release/v1.0 (envoyproxy#2911)
* ci: update cherry-pick v1.0.0 (envoyproxy#2784)

Signed-off-by: bitliu <bitliu@tencent.com>

* fix: add missing release notes details and re organize it (envoyproxy#2785)

fix: complete missing release notes and re organize it

Signed-off-by: bitliu <bitliu@tencent.com>

* e2e: backend upgrade test (envoyproxy#2725)

* chore: add testdata to passive health checks (envoyproxy#2788)

* chore: add testdata to passive health checks

Signed-off-by: yeedove <yeedove@gmail.com>

* fix test

Signed-off-by: yeedove <yeedove@gmail.com>

---------

Signed-off-by: yeedove <yeedove@gmail.com>

* promote: guydc as maintainer (envoyproxy#2794)

Signed-off-by: bitliu <bitliu@tencent.com>

* fix: Delete unused status keys from watchable (envoyproxy#2782)

* Delete unused status keys in gatewayapi-runner

Signed-off-by: Yuneui Jeong <uniglot@proton.me>

* Delete unused status keys in xds-translator runner

Signed-off-by: Yuneui Jeong <uniglot@proton.me>

* Add tests and fix code to pass all tests

Signed-off-by: Yuneui Jeong <uniglot@proton.me>

* Cover more

Signed-off-by: Yuneui <uniglot@proton.me>

* Change struct's name and other minor fixes

Signed-off-by: Yuneui Jeong <uniglot@proton.me>

---------

Signed-off-by: Yuneui Jeong <uniglot@proton.me>
Signed-off-by: Yuneui <uniglot@proton.me>

* docs: fix commands in basic auth example (envoyproxy#2791)

Signed-off-by: Arko Dasgupta <arko@tetrate.io>

* feat: Support WellKnownSystemCerts in BackendTLSPolicy (envoyproxy#2804)

* Add support for using the system truststore with upstream TLS.

Signed-off-by: Lior Okman <lior.okman@sap.com>

* Make the linter happy

Signed-off-by: Lior Okman <lior.okman@sap.com>

---------

Signed-off-by: Lior Okman <lior.okman@sap.com>

* docs: refactor user guides (envoyproxy#2797)

* docs: refactor user guides

Signed-off-by: bitliu <bitliu@tencent.com>

* fix: relative paths

Signed-off-by: bitliu <bitliu@tencent.com>

---------

Signed-off-by: bitliu <bitliu@tencent.com>

* Fix gen check (envoyproxy#2814)

* fix: gen-check error

Signed-off-by: bitliu <bitliu@tencent.com>

* run lint for docs

Signed-off-by: bitliu <bitliu@tencent.com>

---------

Signed-off-by: bitliu <bitliu@tencent.com>

* refactor: set instead of map for mergeGateways (envoyproxy#2803)

* refactor:set[T] instead of map[T]bool

Signed-off-by: Dennis Zhou <idennis.zhou@gmail.com>

* fix lint

Signed-off-by: Dennis Zhou <idennis.zhou@gmail.com>

---------

Signed-off-by: Dennis Zhou <idennis.zhou@gmail.com>
Co-authored-by: Xunzhuo <bitliu@tencent.com>

* remove: support for hostnetwork (envoyproxy#2815)

* feat(egctl): add support for egctl to translate from gateway-api resources to IR (envoyproxy#2799)

* Added an option to translate to IR representation.

Signed-off-by: Lior Okman <lior.okman@sap.com>

* Added a unit test, and made sure that existing services have an IP
address.

Signed-off-by: Lior Okman <lior.okman@sap.com>

* Add omitempty where needed.

Signed-off-by: Lior Okman <lior.okman@sap.com>

* Make gen-check happy

Signed-off-by: Lior Okman <lior.okman@sap.com>

* Added some documentation.

Signed-off-by: Lior Okman <lior.okman@sap.com>

---------

Signed-off-by: Lior Okman <lior.okman@sap.com>

* docs: basic auth example use https (envoyproxy#2806)

* docs: basic auth example use https

Signed-off-by: phantooom <xiaorui.zou@gmail.com>

* docs: refactor user guides (envoyproxy#2797)

* docs: refactor user guides

Signed-off-by: bitliu <bitliu@tencent.com>

* fix: relative paths

Signed-off-by: bitliu <bitliu@tencent.com>

---------

Signed-off-by: bitliu <bitliu@tencent.com>
Signed-off-by: phantooom <xiaorui.zou@gmail.com>

* Fix gen check (envoyproxy#2814)

* fix: gen-check error

Signed-off-by: bitliu <bitliu@tencent.com>

* run lint for docs

Signed-off-by: bitliu <bitliu@tencent.com>

---------

Signed-off-by: bitliu <bitliu@tencent.com>
Signed-off-by: phantooom <xiaorui.zou@gmail.com>

* refactor: set instead of map for mergeGateways (envoyproxy#2803)

* refactor:set[T] instead of map[T]bool

Signed-off-by: Dennis Zhou <idennis.zhou@gmail.com>

* fix lint

Signed-off-by: Dennis Zhou <idennis.zhou@gmail.com>

---------

Signed-off-by: Dennis Zhou <idennis.zhou@gmail.com>
Co-authored-by: Xunzhuo <bitliu@tencent.com>
Signed-off-by: phantooom <xiaorui.zou@gmail.com>

* Update site/content/en/latest/user/security/basic-auth.md

Co-authored-by: Huabing Zhao <zhaohuabing@gmail.com>
Signed-off-by: zou rui <xiaorui.zou@gmail.com>

---------

Signed-off-by: phantooom <xiaorui.zou@gmail.com>
Signed-off-by: bitliu <bitliu@tencent.com>
Signed-off-by: Dennis Zhou <idennis.zhou@gmail.com>
Signed-off-by: zou rui <xiaorui.zou@gmail.com>
Co-authored-by: Xunzhuo <bitliu@tencent.com>
Co-authored-by: Dennis Zhou <idennis.zhou@gmail.com>
Co-authored-by: Huabing Zhao <zhaohuabing@gmail.com>

* chore: group go.opentelemetry.io dependabot (envoyproxy#2821)

Signed-off-by: zirain <zirain2009@gmail.com>

* Add referenced BackendRefs for ExtAuth to Resource Tree (envoyproxy#2795)

* add referenced BackendRefs for ExtAuth to Resource Tree

Signed-off-by: huabing zhao <zhaohuabing@gmail.com>

* clean up the controller code

Signed-off-by: huabing zhao <zhaohuabing@gmail.com>

* minor changes

Signed-off-by: huabing zhao <zhaohuabing@gmail.com>

* return errors

Signed-off-by: huabing zhao <zhaohuabing@gmail.com>

* fix validate error

Signed-off-by: huabing zhao <zhaohuabing@gmail.com>

* fix gen

Signed-off-by: huabing zhao <zhaohuabing@gmail.com>

* Support BackendTLSPolicy for the Ext HTTP/GRPC auth service

Signed-off-by: huabing zhao <zhaohuabing@gmail.com>

* fix lint

Signed-off-by: huabing zhao <zhaohuabing@gmail.com>

* fix gen

Signed-off-by: huabing zhao <zhaohuabing@gmail.com>

* check cross-ns reference grant

Signed-off-by: huabing zhao <zhaohuabing@gmail.com>

* fix test

Signed-off-by: huabing zhao <zhaohuabing@gmail.com>

* fix test

Signed-off-by: huabing zhao <zhaohuabing@gmail.com>

---------

Signed-off-by: huabing zhao <zhaohuabing@gmail.com>

* fix bootstrap merge (envoyproxy#2801)

* fix bootstrap merge

Signed-off-by: zirain <zirain2009@gmail.com>

* refactor validateBootstrap

Signed-off-by: zirain <zirain2009@gmail.com>

* lint

Signed-off-by: zirain <zirain2009@gmail.com>

* update test

Signed-off-by: zirain <zirain2009@gmail.com>

---------

Signed-off-by: zirain <zirain2009@gmail.com>

* fix: skip the ReasonTargetNotFound for all policies (envoyproxy#2802)

* stop populating ReasonTargetNotFound for all the policies

Signed-off-by: shawnh2 <shawnhxh@outlook.com>

* add test to ensure the status is expected

Signed-off-by: shawnh2 <shawnhxh@outlook.com>

* fix gen-check and lint

Signed-off-by: shawnh2 <shawnhxh@outlook.com>

---------

Signed-off-by: shawnh2 <shawnhxh@outlook.com>

* docs: update EnvoyProxy logs (envoyproxy#2822)

* docs: update EnvoyProxy logs

Signed-off-by: zirain <zirain2009@gmail.com>

* lint

Signed-off-by: zirain <zirain2009@gmail.com>

---------

Signed-off-by: zirain <zirain2009@gmail.com>

* fix: omit default replicas on Kubernetes Deployment (envoyproxy#2816)

* fix: remove default replicas function

Signed-off-by: Ardika Bagus <me@ardikabs.com>

* chore: omit replicas because nil equal to 1 by default

Signed-off-by: Ardika Bagus <me@ardikabs.com>

* chore: add a note when a user is being explicit on deployment replicas

Signed-off-by: Ardika Bagus <me@ardikabs.com>

---------

Signed-off-by: Ardika Bagus <me@ardikabs.com>

* bug: compute endpointType for all protocol types (envoyproxy#2833)

Fixes: envoyproxy#2832

Signed-off-by: Arko Dasgupta <arko@tetrate.io>

* docs: Routing outside k8s (envoyproxy#2831)

* docs: Routing outside k8s

Fixes: envoyproxy#2482

Signed-off-by: Arko Dasgupta <arko@tetrate.io>

* updates

Signed-off-by: Arko Dasgupta <arko@tetrate.io>

---------

Signed-off-by: Arko Dasgupta <arko@tetrate.io>

* build(deps): bump google.golang.org/protobuf from 1.32.0 to 1.33.0 (envoyproxy#2825)

Bumps google.golang.org/protobuf from 1.32.0 to 1.33.0.

---
updated-dependencies:
- dependency-name: google.golang.org/protobuf
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* build(deps): bump golang.org/x/net from 0.21.0 to 0.22.0 (envoyproxy#2826)

Bumps [golang.org/x/net](https://github.com/golang/net) from 0.21.0 to 0.22.0.
- [Commits](golang/net@v0.21.0...v0.22.0)

---
updated-dependencies:
- dependency-name: golang.org/x/net
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* build(deps): bump github.com/stretchr/testify from 1.8.4 to 1.9.0 (envoyproxy#2827)

Bumps [github.com/stretchr/testify](https://github.com/stretchr/testify) from 1.8.4 to 1.9.0.
- [Release notes](https://github.com/stretchr/testify/releases)
- [Commits](stretchr/testify@v1.8.4...v1.9.0)

---
updated-dependencies:
- dependency-name: github.com/stretchr/testify
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* Fix: failed to create envoy-oidc-hmac secret when upgrading EG (envoyproxy#2835)

try to create every secret instead of returning early

Signed-off-by: huabing zhao <zhaohuabing@gmail.com>

* build(deps): bump google.golang.org/grpc from 1.62.0 to 1.62.1 (envoyproxy#2829)

Bumps [google.golang.org/grpc](https://github.com/grpc/grpc-go) from 1.62.0 to 1.62.1.
- [Release notes](https://github.com/grpc/grpc-go/releases)
- [Commits](grpc/grpc-go@v1.62.0...v1.62.1)

---
updated-dependencies:
- dependency-name: google.golang.org/grpc
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* Ext auth e2e tests (envoyproxy#2830)

* e2e tests for http ext auth

Signed-off-by: huabing zhao <zhaohuabing@gmail.com>

* export util methods to avoid unparam link issues

Signed-off-by: huabing zhao <zhaohuabing@gmail.com>

* fix test

Signed-off-by: Huabing Zhao <zhaohuabing@gmail.com>

---------

Signed-off-by: huabing zhao <zhaohuabing@gmail.com>
Signed-off-by: Huabing Zhao <zhaohuabing@gmail.com>

* fix existing secret check (envoyproxy#2838)

fix existing secret

Signed-off-by: zirain <zirain2009@gmail.com>

* ci: update k8s matrix (envoyproxy#2836)

* ci: update k8s matrix

Signed-off-by: zirain <zirain2009@gmail.com>

* v1.26.14

Signed-off-by: zirain <zirain2009@gmail.com>

* nit

Signed-off-by: zirain <zirain2009@gmail.com>

* update matrix

Signed-off-by: zirain <zirain2009@gmail.com>

* link in quickstart

Signed-off-by: zirain <zirain2009@gmail.com>

* update

Signed-off-by: zirain <zirain2009@gmail.com>

* 1.29.2

Signed-off-by: zirain <zirain2009@gmail.com>

---------

Signed-off-by: zirain <zirain2009@gmail.com>

* e2e: try to fix client timeout flakes (envoyproxy#2812)

* chore: client timeout log

Signed-off-by: zirain <zirain2009@gmail.com>

* add EnvoyProxy extra args

Signed-off-by: zirain <zirain2009@gmail.com>

* add E2E_CLEANUP

Signed-off-by: zirain <zirain2009@gmail.com>

* nit

Signed-off-by: zirain <zirain2009@gmail.com>

---------

Signed-off-by: zirain <zirain2009@gmail.com>

* feat: Support Upstream TLS to multiple Backends (envoyproxy#2818)

* Use transport_socket_matches to setup correct sockets for different
destinations.

Signed-off-by: Lior Okman <lior.okman@sap.com>

* Support Proxy Protocol for TLS upstreams.

Signed-off-by: Lior Okman <lior.okman@sap.com>

* Changed the name generated for each transport match to be more inline
with other names used in other places in xDS.

Signed-off-by: Lior Okman <lior.okman@sap.com>

* Added one more case in the unit-test to show that upstream proxy-protocol still works.

Signed-off-by: Lior Okman <lior.okman@sap.com>

---------

Signed-off-by: Lior Okman <lior.okman@sap.com>

* e2e: move drain settings into shutdown settings (envoyproxy#2850)

Signed-off-by: Arko Dasgupta <arko@tetrate.io>

* docs: mtls to the gateway (envoyproxy#2851)

* docs: mtls to the gateway

Signed-off-by: Arko Dasgupta <arko@tetrate.io>

* edits

Signed-off-by: Arko Dasgupta <arko@tetrate.io>

* add ref

Signed-off-by: Arko Dasgupta <arko@tetrate.io>

* typo

Signed-off-by: Arko Dasgupta <arko@tetrate.io>

---------

Signed-off-by: Arko Dasgupta <arko@tetrate.io>

* ignore finalizers when comparing envoy proxy svc (envoyproxy#2856)

* ignore finalizers when comparing envoy proxy svc

Fixes: envoyproxy#1820

Signed-off-by: Arko Dasgupta <arko@tetrate.io>

* Chore: remove the unnecessary allAssociatedRefGrants from resourceMappings (envoyproxy#2843)

* modify oidc docs

Signed-off-by: huabing zhao <zhaohuabing@gmail.com>

* clear allAssociatedRefGrants

Signed-off-by: huabing zhao <zhaohuabing@gmail.com>

* address comments

Signed-off-by: huabing zhao <zhaohuabing@gmail.com>

---------

Signed-off-by: huabing zhao <zhaohuabing@gmail.com>

* docs: allow users to configure custom certs for control plane auth (envoyproxy#2847)

Signed-off-by: zirain <zirain2009@gmail.com>

* add e2e tests for ext auth with grpc auth service (envoyproxy#2841)

* add e2e tests for ext auth with grpc auth service

Signed-off-by: huabing zhao <zhaohuabing@gmail.com>

* add BackedTLSPolicy

Signed-off-by: huabing zhao <zhaohuabing@gmail.com>

* generate TLS socket for ext auth services

Signed-off-by: huabing zhao <zhaohuabing@gmail.com>

---------

Signed-off-by: huabing zhao <zhaohuabing@gmail.com>

* fix: Address race condition disrupting graceful shutdown process (envoyproxy#2864)

Signed-off-by: David Alger <davidmalger@gmail.com>

* docs: move Design docs under "Get Involved" (envoyproxy#2857)

* docs: move Design docs under "Get Involved"

* design docs are more relevant to internal contributors than external
  users

Signed-off-by: Arko Dasgupta <arko@tetrate.io>

* fix links

Signed-off-by: Arko Dasgupta <arko@tetrate.io>

---------

Signed-off-by: Arko Dasgupta <arko@tetrate.io>

* e2e: backend TLS policy (envoyproxy#2853)

* start backendtls test

Signed-off-by: Guy Daich <guy.daich@sap.com>

* fix lint

Signed-off-by: Guy Daich <guy.daich@sap.com>

* use better name for egSetup(...)

Signed-off-by: Guy Daich <guy.daich@sap.com>

* add negative test

Signed-off-by: Guy Daich <guy.daich@sap.com>

* use static certs for test

Signed-off-by: Guy Daich <guy.daich@sap.com>

---------

Signed-off-by: Guy Daich <guy.daich@sap.com>

* Update the user doc for OIDC (envoyproxy#2778)

* user doc for oidc

Signed-off-by: huabing zhao <zhaohuabing@gmail.com>

* address comments

Signed-off-by: huabing zhao <zhaohuabing@gmail.com>

---------

Signed-off-by: huabing zhao <zhaohuabing@gmail.com>

* add ADOPTERS.md (envoyproxy#2865)

ADOPTERS.md

Signed-off-by: huabing zhao <zhaohuabing@gmail.com>
Co-authored-by: Xunzhuo <bitliu@tencent.com>

* build(deps): bump softprops/action-gh-release from 1 to 2 (envoyproxy#2867)

Bumps [softprops/action-gh-release](https://github.com/softprops/action-gh-release) from 1 to 2.
- [Release notes](https://github.com/softprops/action-gh-release/releases)
- [Changelog](https://github.com/softprops/action-gh-release/blob/master/CHANGELOG.md)
- [Commits](softprops/action-gh-release@de2c0eb...d99959e)

---
updated-dependencies:
- dependency-name: softprops/action-gh-release
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* build(deps): bump github.com/bufbuild/buf from 1.29.0 to 1.30.0 in /tools/src/buf (envoyproxy#2870)

build(deps): bump github.com/bufbuild/buf in /tools/src/buf

Bumps [github.com/bufbuild/buf](https://github.com/bufbuild/buf) from 1.29.0 to 1.30.0.
- [Release notes](https://github.com/bufbuild/buf/releases)
- [Changelog](https://github.com/bufbuild/buf/blob/main/CHANGELOG.md)
- [Commits](bufbuild/buf@v1.29.0...v1.30.0)

---
updated-dependencies:
- dependency-name: github.com/bufbuild/buf
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* build(deps): bump github.com/prometheus/common from 0.49.0 to 0.50.0 (envoyproxy#2871)

Bumps [github.com/prometheus/common](https://github.com/prometheus/common) from 0.49.0 to 0.50.0.
- [Release notes](https://github.com/prometheus/common/releases)
- [Commits](prometheus/common@v0.49.0...v0.50.0)

---
updated-dependencies:
- dependency-name: github.com/prometheus/common
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* build(deps): bump fortio.org/fortio from 1.63.3 to 1.63.4 (envoyproxy#2873)

Bumps [fortio.org/fortio](https://github.com/fortio/fortio) from 1.63.3 to 1.63.4.
- [Release notes](https://github.com/fortio/fortio/releases)
- [Commits](fortio/fortio@v1.63.3...v1.63.4)

---
updated-dependencies:
- dependency-name: fortio.org/fortio
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* Add tetrate to adopters (envoyproxy#2874)

add tetrate to adopters

Signed-off-by: huabing zhao <zhaohuabing@gmail.com>

* fix: Don't override the ALPN array if HTTP/3 is enabled. (envoyproxy#2876)

* Don't override the ALPN array if HTTP/3 is enabled.

Signed-off-by: Lior Okman <lior.okman@sap.com>

* Removed the unneeded CEL validation for HTTP/3 and ALPN, as well as the
CEL tests.

Signed-off-by: Lior Okman <lior.okman@sap.com>

* Also regenerate the CRD.

Signed-off-by: Lior Okman <lior.okman@sap.com>

---------

Signed-off-by: Lior Okman <lior.okman@sap.com>

* [e2e] eg release upgrade test (envoyproxy#2862)

* [e2e] eg release upgrade test

Signed-off-by: Alexander Volchok <alex.volchok@sap.com>

* fixing lint

Signed-off-by: Alexander Volchok <alex.volchok@sap.com>

* Update test/e2e/tests/eg_upgrade.go

Co-authored-by: zirain <zirain2009@gmail.com>
Signed-off-by: Alex Volchok <alex.volchok@sap.com>

* Update test/e2e/tests/eg_upgrade.go

Co-authored-by: zirain <zirain2009@gmail.com>
Signed-off-by: Alex Volchok <alex.volchok@sap.com>

* adding updated go mod

Signed-off-by: Alexander Volchok <alex.volchok@sap.com>

* fix tests

Signed-off-by: Alexander Volchok <alex.volchok@sap.com>

* move eg upgrade tests to a dedicated suit

Signed-off-by: Alexander Volchok <alex.volchok@sap.com>

* removing unused

Signed-off-by: Alexander Volchok <alex.volchok@sap.com>

* fix code review feedbacks and move e2e clean after the eg upgrades suit

Signed-off-by: Alexander Volchok <alex.volchok@sap.com>

* don't clean after this step yet

Signed-off-by: Alexander Volchok <alex.volchok@sap.com>

* increase helm install / upgrade default timeouts

Signed-off-by: Alexander Volchok <alex.volchok@sap.com>

* restructure test order add an option to execute a single test

Signed-off-by: Alexander Volchok <alex.volchok@sap.com>

* fix kube make single test exec

Signed-off-by: Alexander Volchok <alex.volchok@sap.com>

* change to rc version

Signed-off-by: Alexander Volchok <alex.volchok@sap.com>

* removing loadtest part, changing to simple requests

Signed-off-by: Alexander Volchok <alex.volchok@sap.com>

---------

Signed-off-by: Alexander Volchok <alex.volchok@sap.com>
Signed-off-by: Alex Volchok <alex.volchok@sap.com>
Co-authored-by: zirain <zirain2009@gmail.com>

* Docs for ext auth (envoyproxy#2868)

* docs for ext auth

Signed-off-by: huabing zhao <zhaohuabing@gmail.com>

* fix lint

Signed-off-by: huabing zhao <zhaohuabing@gmail.com>

---------

Signed-off-by: huabing zhao <zhaohuabing@gmail.com>

* Remove the unnecessary \ (envoyproxy#2883)

remove the \

Signed-off-by: huabing zhao <zhaohuabing@gmail.com>

* docs: backend tls policy (envoyproxy#2884)

* backend tls docs

Signed-off-by: Guy Daich <guy.daich@sap.com>

* fix some copy-paste mistakes

Signed-off-by: Guy Daich <guy.daich@sap.com>

* fix typo

Signed-off-by: Guy Daich <guy.daich@sap.com>

---------

Signed-off-by: Guy Daich <guy.daich@sap.com>

* feat: add PolicyStatus for BackendTrafficPolicy (envoyproxy#2846)

* add PolicyStatus for BTP

Signed-off-by: shawnh2 <shawnhxh@outlook.com>

* fix gen-check

Signed-off-by: shawnh2 <shawnhxh@outlook.com>

* fix ns problem, add more test and modify controller behavior

Signed-off-by: shawnh2 <shawnhxh@outlook.com>

* fix lint

Signed-off-by: shawnh2 <shawnhxh@outlook.com>

* make gateway as the ancestor of btp if it is targeting to the gateway

Signed-off-by: shawnh2 <shawnhxh@outlook.com>

* fix linter

Signed-off-by: shawnh2 <shawnhxh@outlook.com>

* fix go.mod

Signed-off-by: shawnh2 <shawnhxh@outlook.com>

* do some polish

Signed-off-by: shawnh2 <shawnhxh@outlook.com>

---------

Signed-off-by: shawnh2 <shawnhxh@outlook.com>

* Change the Merge behavior to Replace for SecurityPolicy (envoyproxy#2885)

* Change the Merge behavior to Replace for SecurityPolicy

Signed-off-by: huabing zhao <zhaohuabing@gmail.com>

* add another http route

Signed-off-by: huabing zhao <zhaohuabing@gmail.com>

---------

Signed-off-by: huabing zhao <zhaohuabing@gmail.com>

* e2e: add weighted backend  (envoyproxy#2863)

* e2e: add backend weighted

Signed-off-by: ShyunnY <1147212064@qq.com>

* fix: Fix weight calculation issue and use AlmostEqual func

Signed-off-by: ShyunnY <1147212064@qq.com>

* fix: add additional comments

Signed-off-by: ShyunnY <1147212064@qq.com>

---------

Signed-off-by: ShyunnY <1147212064@qq.com>
Co-authored-by: Xunzhuo <bitliu@tencent.com>

* http3: use service port in alt-svc header (envoyproxy#2886)

Fixes: envoyproxy#2882

Signed-off-by: Arko Dasgupta <arko@tetrate.io>

* bug: add h3 alpn by default if http3 is enabled (envoyproxy#2887)

Fixes: envoyproxy#2875

Signed-off-by: Arko Dasgupta <arko@tetrate.io>

* fix: prevent policies targeting non-TLS listeners on the same port from conflicting (envoyproxy#2786)

* * Validate that multiple policies that affect listener configuration don't map to
  the same listener filter chain.
* Change the XDS listener generation so that instead of
  defaultFilterChain for non-TLS routes, a filterChain with a
  destinationPort matcher is used.
  This allows multiple policies attached to non-TLS listeners that
  differ on the destination port to provide different policies without
  conflicting.

Signed-off-by: Lior Okman <lior.okman@sap.com>

* Make hostname based routing work again for non-TLS listeners

Signed-off-by: Lior Okman <lior.okman@sap.com>

* Fixed testdata for egctl

Signed-off-by: Lior Okman <lior.okman@sap.com>

* Make the linter happy

Signed-off-by: Lior Okman <lior.okman@sap.com>

* Added a unit-test

Signed-off-by: Lior Okman <lior.okman@sap.com>

* Make the linter happy

Signed-off-by: Lior Okman <lior.okman@sap.com>

* Update an e2e test with the new filterChain patch

Signed-off-by: Lior Okman <lior.okman@sap.com>

* Revert changing the XDS translation, since a new listener is created
anyways for each port.

Signed-off-by: Lior Okman <lior.okman@sap.com>

* Also revert the xds change in the e2e test.

Signed-off-by: Lior Okman <lior.okman@sap.com>

* Don't need to go over the full XDSIR map - just the current gateway.

Signed-off-by: Lior Okman <lior.okman@sap.com>

* Refactored to separate the validation and the translation.

Renamed the helper method to a more generic name.

Signed-off-by: Lior Okman <lior.okman@sap.com>

---------

Signed-off-by: Lior Okman <lior.okman@sap.com>
Co-authored-by: Guy Daich <guy.daich@sap.com>

* chore: remove ProcessBackendTLSPoliciesAncestorRef (envoyproxy#2845)

* remove ProcessBackendTLSPoliciesAncestorRef

Signed-off-by: huabing zhao <zhaohuabing@gmail.com>

* address comments

Signed-off-by: huabing zhao <zhaohuabing@gmail.com>

---------

Signed-off-by: huabing zhao <zhaohuabing@gmail.com>

* Change the Merge behavior to Replace for BackendTrafficPolicy (envoyproxy#2888)

* Change the Merge behavior to Replace for BackendTrafficPolicy

Signed-off-by: huabing zhao <zhaohuabing@gmail.com>

* address comments

Signed-off-by: huabing zhao <zhaohuabing@gmail.com>

---------

Signed-off-by: huabing zhao <zhaohuabing@gmail.com>

* shutdown drainTimeout should also affect envoy drain time (envoyproxy#2898)

Signed-off-by: Arko Dasgupta <arko@tetrate.io>

* skip publishing empty status for policies (envoyproxy#2902)

* skip publishing empty status for policies

* envoyproxy#2802 skips computing status
if a target resource cannot be found, mainly because that target maybe
irrelevant to this specific translation, its hard to proactively find
that out in the provider layer

* This fix ensures that any empty status is not published and resets any
existing status for a policy

Signed-off-by: Arko Dasgupta <arko@tetrate.io>

* also fix for envoypatchpolicy

Signed-off-by: Arko Dasgupta <arko@tetrate.io>

* also discard status for backendtlspolicy

Signed-off-by: Arko Dasgupta <arko@tetrate.io>

---------

Signed-off-by: Arko Dasgupta <arko@tetrate.io>

* docs: multiple gatewayclass and merge gateways deployment mode (envoyproxy#2881)

* docs: multiple gatewayclass and merge gateways deployment mode

Signed-off-by: Karol Szwaj <karol.szwaj@gmail.com>

* add merged-gateways example

Signed-off-by: Karol Szwaj <karol.szwaj@gmail.com>

* md lint

Signed-off-by: Karol Szwaj <karol.szwaj@gmail.com>

* yaml lint

Signed-off-by: Karol Szwaj <karol.szwaj@gmail.com>

* add user guides

Signed-off-by: Karol Szwaj <karol.szwaj@gmail.com>

---------

Signed-off-by: Karol Szwaj <karol.szwaj@gmail.com>
Co-authored-by: Xunzhuo <bitliu@tencent.com>

* feat: add PolicyStatus for ClientTrafficPolicy (envoyproxy#2895)

* add PolicyStatus for CTP

Signed-off-by: shawnh2 <shawnhxh@outlook.com>

* fix gen-check

Signed-off-by: shawnh2 <shawnhxh@outlook.com>

* revert discard policy status

Signed-off-by: shawnh2 <shawnhxh@outlook.com>

---------

Signed-off-by: shawnh2 <shawnhxh@outlook.com>

* Use gwapiv1a2.PolicyStatus for SecurityPolicy Status (envoyproxy#2848)

* use gwapiv1a2.PolicyStatus for SecurityPolicy Status

Signed-off-by: huabing zhao <zhaohuabing@gmail.com>

* fix lint

Signed-off-by: huabing zhao <zhaohuabing@gmail.com>

* add test for cross-ns refs

Signed-off-by: huabing zhao <zhaohuabing@gmail.com>

* add todo

Signed-off-by: huabing zhao <zhaohuabing@gmail.com>

* Update internal/gatewayapi/securitypolicy.go

Co-authored-by: sh2 <shawnhxh@outlook.com>
Signed-off-by: Huabing Zhao <zhaohuabing@gmail.com>

* address comments

Signed-off-by: huabing zhao <zhaohuabing@gmail.com>

---------

Signed-off-by: huabing zhao <zhaohuabing@gmail.com>
Signed-off-by: Huabing Zhao <zhaohuabing@gmail.com>
Co-authored-by: sh2 <shawnhxh@outlook.com>

* Fix oidc doc (envoyproxy#2905)

fix oidc doc

Signed-off-by: huabing zhao <zhaohuabing@gmail.com>

* Release v1.0 (envoyproxy#2909)

* add v1.0.0 release note

Signed-off-by: bitliu <bitliu@tencent.com>

* generate v1.0 release page

Signed-off-by: bitliu <bitliu@tencent.com>

* add v1.0.0 release announcement

Signed-off-by: bitliu <bitliu@tencent.com>

* generate v1.0.0 docs

Signed-off-by: bitliu <bitliu@tencent.com>

* update site links

Signed-off-by: bitliu <bitliu@tencent.com>

* fix linter

Signed-off-by: bitliu <bitliu@tencent.com>

---------

Signed-off-by: bitliu <bitliu@tencent.com>

---------

Signed-off-by: bitliu <bitliu@tencent.com>
Signed-off-by: yeedove <yeedove@gmail.com>
Signed-off-by: Yuneui Jeong <uniglot@proton.me>
Signed-off-by: Yuneui <uniglot@proton.me>
Signed-off-by: Arko Dasgupta <arko@tetrate.io>
Signed-off-by: Lior Okman <lior.okman@sap.com>
Signed-off-by: Dennis Zhou <idennis.zhou@gmail.com>
Signed-off-by: phantooom <xiaorui.zou@gmail.com>
Signed-off-by: zou rui <xiaorui.zou@gmail.com>
Signed-off-by: zirain <zirain2009@gmail.com>
Signed-off-by: huabing zhao <zhaohuabing@gmail.com>
Signed-off-by: shawnh2 <shawnhxh@outlook.com>
Signed-off-by: Ardika Bagus <me@ardikabs.com>
Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: Huabing Zhao <zhaohuabing@gmail.com>
Signed-off-by: David Alger <davidmalger@gmail.com>
Signed-off-by: Guy Daich <guy.daich@sap.com>
Signed-off-by: Alexander Volchok <alex.volchok@sap.com>
Signed-off-by: Alex Volchok <alex.volchok@sap.com>
Signed-off-by: ShyunnY <1147212064@qq.com>
Signed-off-by: Karol Szwaj <karol.szwaj@gmail.com>
Co-authored-by: Guy Daich <guy.daich@sap.com>
Co-authored-by: Dennis Zhou <yeedove@gmail.com>
Co-authored-by: Yuneui Jeong <uniglot@proton.me>
Co-authored-by: Arko Dasgupta <arkodg@users.noreply.github.com>
Co-authored-by: Lior Okman <lior.okman@sap.com>
Co-authored-by: Dennis Zhou <idennis.zhou@gmail.com>
Co-authored-by: zou rui <xiaorui.zou@gmail.com>
Co-authored-by: Huabing Zhao <zhaohuabing@gmail.com>
Co-authored-by: zirain <zirain2009@gmail.com>
Co-authored-by: sh2 <shawnhxh@outlook.com>
Co-authored-by: Ardika <me@ardikabs.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: David Alger <davidmalger@gmail.com>
Co-authored-by: Alex Volchok <alex.volchok@sap.com>
Co-authored-by: Shyunn <1147212064@qq.com>
Co-authored-by: Karol Szwaj <karol.szwaj@gmail.com>
17 people authored Mar 13, 2024
1 parent b34aef9 commit 72c0cc7
Showing 446 changed files with 33,966 additions and 3,200 deletions.
3 changes: 3 additions & 0 deletions .github/dependabot.yml
Expand Up @@ -32,6 +32,9 @@ updates:
k8s.io:
patterns:
- "k8s.io/*"
go.opentelemetry.io:
patterns:
- "go.opentelemetry.io/*"
- package-ecosystem: pip
directory: /tools/src/codespell
schedule:
5 changes: 2 additions & 3 deletions .github/workflows/build_and_test.yaml
Expand Up @@ -12,7 +12,6 @@ on:
- "release/v*"
paths-ignore:
- "**/*.png"
- 'site/**'

permissions:
contents: read
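Review bot: dropping `- 'site/**'` from `paths-ignore` in this first hunk means a change that only touches files under site/ now triggers the whole build-and-test workflow, where before it was skipped alongside `"**/*.png"`. If that is the intent (for example so the checks always report on docs-only pull requests), it deserves a line in the commit message; if it is a side effect of the cherry-pick, keep the entry.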
Expand Down Expand Up @@ -81,7 +80,7 @@ jobs:
needs: [build]
strategy:
matrix:
version: [ v1.27.3, v1.28.0, v1.29.0 ]
version: [ v1.26.14, v1.27.11, v1.28.7, v1.29.2 ]
steps:
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
- uses: ./tools/github-actions/setup-deps
Expand Down Expand Up @@ -109,7 +108,7 @@ jobs:
needs: [build]
strategy:
matrix:
version: [ v1.27.3, v1.28.0, v1.29.0 ]
version: [ v1.26.14, v1.27.11, v1.28.7, v1.29.2 ]
steps:
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
- uses: ./tools/github-actions/setup-deps
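Review bot: the list `[ v1.26.14, v1.27.11, v1.28.7, v1.29.2 ]` is now written out twice in this file's `matrix:` blocks, and the copy in experimental_conformance.yaml had already drifted from these two before this change (`v1.26.6, v1.27.3, v1.28.0` there against `v1.27.3, v1.28.0, v1.29.0` here). Consider defining the supported Kubernetes versions once and reading them into each matrix, so the next bump cannot leave one job testing a different set.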
18 changes: 9 additions & 9 deletions .github/workflows/cherrypick.yaml
Expand Up @@ -9,23 +9,23 @@ permissions:
contents: read

jobs:
cherry_pick_release_v0_6:
cherry_pick_release_v1_0:
runs-on: ubuntu-22.04
name: Cherry pick into release-v0.6
if: ${{ contains(github.event.pull_request.labels.*.name, 'cherrypick/release-v0.6') && github.event.pull_request.merged == true }}
name: Cherry pick into release-v1.0
if: ${{ contains(github.event.pull_request.labels.*.name, 'cherrypick/release-v1.0') && github.event.pull_request.merged == true }}
steps:
- name: Checkout
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
with:
fetch-depth: 0
- name: Cherry pick into release/v0.6
- name: Cherry pick into release/v1.0
uses: carloscastrojumo/github-cherry-pick-action@a145da1b8142e752d3cbc11aaaa46a535690f0c5 # v1.0.9
with:
branch: release/v0.6
title: "[release/v0.6] {old_title}"
body: "Cherry picking #{old_pull_request_id} onto release/v0.6"
branch: release/v1.0
title: "[release/v1.0] {old_title}"
body: "Cherry picking #{old_pull_request_id} onto release/v1.0"
labels: |
cherrypick/release-v0.6
cherrypick/release-v1.0
# put release manager here
reviewers: |
arkodg
Xunzhuo
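Review bot: The `cherry_pick_release_v0_6` job is renamed in place rather than joined by a new job, so a merged PR labelled `cherrypick/release-v0.6` no longer triggers anything; confirm release/v0.6 is out of support, or keep both jobs. Separately, the workflow-level `permissions` is `contents: read` and the job as shown declares none of its own, while the cherry-pick action has to push a branch and open a PR, so check that the token it uses is scoped explicitly for that and nothing more. The `# put release manager here` comment sits above a hard-coded reviewer list that will need updating per release.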
2 changes: 1 addition & 1 deletion .github/workflows/experimental_conformance.yaml
Expand Up @@ -18,7 +18,7 @@ jobs:
runs-on: ubuntu-latest
strategy:
matrix:
version: [ v1.26.6, v1.27.3, v1.28.0 ]
version: [ v1.26.14, v1.27.11, v1.28.7, v1.29.2 ]
steps:
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
- uses: ./tools/github-actions/setup-deps
2 changes: 1 addition & 1 deletion .github/workflows/latest_release.yaml
Expand Up @@ -61,7 +61,7 @@ jobs:
GITHUB_REPOSITORY: ${{ github.repository_owner }}/${{ github.event.repository.name }}

- name: Recreate the Latest Release and Tag
uses: softprops/action-gh-release@de2c0eb89ae2a093876385947365aca7b0e5f844 # v0.1.15
uses: softprops/action-gh-release@d99959edae48b5ffffd7b00da66dcdb0a33a52ee # v0.1.15
with:
draft: false
prerelease: true
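Review bot: The pinned commit for `softprops/action-gh-release` changes from `de2c0eb` to `d99959e`, but the trailing comment still reads `# v0.1.15`. A SHA pin is only reviewable when the comment names the tag the SHA actually belongs to, so either update the comment to the release this commit corresponds to or state in the PR that the v0.1.15 tag was re-pointed upstream.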
2 changes: 1 addition & 1 deletion .github/workflows/release.yaml
Expand Up @@ -40,7 +40,7 @@ jobs:
run: OCI_REGISTRY=oci://docker.io/envoyproxy CHART_VERSION=${{ env.release_tag }} IMAGE=docker.io/envoyproxy/gateway TAG=${{ env.release_tag }} make helm-package helm-push

- name: Upload Release Manifests
uses: softprops/action-gh-release@de2c0eb89ae2a093876385947365aca7b0e5f844 # v0.1.15
uses: softprops/action-gh-release@d99959edae48b5ffffd7b00da66dcdb0a33a52ee # v0.1.15
with:
files: |
release-artifacts/install.yaml
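Review bot: The `Upload Release Manifests` step gets the same new `softprops/action-gh-release` SHA with an unchanged `# v0.1.15` comment, and this is the step that attaches `release-artifacts/install.yaml` to the published release. Since the action runs with whatever token the release job holds, verify the new commit against the upstream repository before merging and make the version comment match it.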
3 changes: 3 additions & 0 deletions .gitignore
Expand Up @@ -31,3 +31,6 @@ vendor/

# values.yaml file is generated from its template counterpart.
charts/gateway-helm/values.yaml

# VIM
.*.swp
43 changes: 43 additions & 0 deletions ADOPTERS.md
@@ -0,0 +1,43 @@

<!--
Insert your entry using this template keeping the list alphabetically sorted:
## <Company/Organization Name>
* Website: https://www.your-website.com
* Category: End User, Service Provider, etc
* Environments: AWS, Azure, Google Cloud, Bare Metal, etc
* Use Cases:
- ...
* Status:
- [ ] development & testing
- [ ] production
* (Option) Logo (show in the official site):
* (Option) Description:
-->

# Envoy Gateway Adopters

This page contains a list of organizations who are users of Envoy Gateway, following the [definitions provided by the CNCF](/~https://github.com/cncf/toc/blob/main/FAQ.md#what-is-the-definition-of-an-adopter).

If you would like to be included in this table, please submit a PR to this file or comment to [this issue](/~https://github.com/envoyproxy/gateway/issues/2781) and your information will be added.

## AllFactors
* Website https://allfactors.com
* Category: End User
* Environments:
* Use Case:
- Routing all customer traffic to our various backends. Every time a new customer signs up we dynamically add a
route to a new hostname so Envoy Gateway is deeply integrated with our product.
* Status: production
* Logo: https://allfactors.com/AllFactors-Logo.svg

## Tetrate
* Website: https://www.tetrate.io
* Category: Service Provider
* Environments: AWS
* Use Cases:
- Tetrate provides Enterprise Gateway (TEG) to end users, which includes a 100% upstream distribution of Envoy Gateway, and management to deliver applications securely, authenticate user traffic, protect services with rate limiting and WAF, and integrate with your observability stack to monitor and observe activity.
* Status: production
* (Option) https://tetrate.io/wp-content/uploads/2023/03/tetrate-logo-dark.svg
* (Option) Description:
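Review bot: The two entries do not follow the template in the comment at the top of the file. AllFactors has `* Website https://allfactors.com` without the colon, uses `Use Case:` where the template says `Use Cases:`, and leaves `Environments:` empty; the Tetrate entry has `* (Option)` followed directly by the logo URL with the `Logo` label missing, and ends with an empty `* (Option) Description:`. The intro also says "included in this table" although the file is a list of sections. Worth normalising now, since later entries will copy whatever is here.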
2 changes: 1 addition & 1 deletion OWNERS
Expand Up @@ -15,6 +15,7 @@ maintainers:
- zirain
- qicz
- zhaohuabing
- guydc

reviewers:

Expand All @@ -25,5 +26,4 @@ reviewers:
- tanujd11
- cnvergence
- shawnh2
- guydc
- liorokman
2 changes: 1 addition & 1 deletion VERSION
@@ -1 +1 @@
v1.0.0-rc.1
v1.0.0
13 changes: 1 addition & 12 deletions api/v1alpha1/backendtrafficpolicy_types.go
Expand Up @@ -31,7 +31,7 @@ type BackendTrafficPolicy struct {
Spec BackendTrafficPolicySpec `json:"spec"`

// status defines the current status of BackendTrafficPolicy.
Status BackendTrafficPolicyStatus `json:"status,omitempty"`
Status gwapiv1a2.PolicyStatus `json:"status,omitempty"`
}

// spec defines the desired state of BackendTrafficPolicy.
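Review bot: Changing `Status` from `BackendTrafficPolicyStatus` to `gwapiv1a2.PolicyStatus` changes the serialized shape of `status`: the old type exposed a top-level `conditions` list, while `PolicyStatus` reports conditions per ancestor. Anything that reads `.status.conditions` on existing objects (dashboards, `kubectl wait`, other controllers) stops finding it, so this needs an upgrade note and regenerated CRDs in the same change. The field comment casing also differs from the sibling types (`// status defines` here, `// Status defines` in the other policy files).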
Expand Down Expand Up @@ -98,17 +98,6 @@ type BackendTrafficPolicySpec struct {
Compression []*Compression `json:"compression,omitempty"`
}

// BackendTrafficPolicyStatus defines the state of BackendTrafficPolicy
type BackendTrafficPolicyStatus struct {
// Conditions describe the current conditions of the BackendTrafficPolicy.
//
// +optional
// +listType=map
// +listMapKey=type
// +kubebuilder:validation:MaxItems=8
Conditions []metav1.Condition `json:"conditions,omitempty"`
}

// +kubebuilder:object:root=true
// BackendTrafficPolicyList contains a list of BackendTrafficPolicy resources.
type BackendTrafficPolicyList struct {
14 changes: 1 addition & 13 deletions api/v1alpha1/clienttrafficpolicy_types.go
Expand Up @@ -31,10 +31,9 @@ type ClientTrafficPolicy struct {
Spec ClientTrafficPolicySpec `json:"spec"`

// Status defines the current status of ClientTrafficPolicy.
Status ClientTrafficPolicyStatus `json:"status,omitempty"`
Status gwapiv1a2.PolicyStatus `json:"status,omitempty"`
}

// +kubebuilder:validation:XValidation:rule="has(self.http3) && has(self.tls) && has(self.tls.alpnProtocols) ? self.tls.alpnProtocols.size() == 0 : true",message="alpn protocols can't be set if HTTP/3 is enabled"
// ClientTrafficPolicySpec defines the desired state of ClientTrafficPolicy.
type ClientTrafficPolicySpec struct {
// +kubebuilder:validation:XValidation:rule="self.group == 'gateway.networking.k8s.io'", message="this policy can only have a targetRef.group of gateway.networking.k8s.io"
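Review bot: The `XValidation` rule above `ClientTrafficPolicySpec` with the message "alpn protocols can't be set if HTTP/3 is enabled" is removed here with no replacement visible in this file. If the combination is still invalid, the API server will now admit it and the failure moves to translation time; state where the check lives now, or, if the combination has become valid, add a test that covers `http3` together with `tls.alpnProtocols`.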
Expand Down Expand Up @@ -175,17 +174,6 @@ type HTTP10Settings struct {
UseDefaultHost *bool `json:"useDefaultHost,omitempty"`
}

// ClientTrafficPolicyStatus defines the state of ClientTrafficPolicy
type ClientTrafficPolicyStatus struct {
// Conditions describe the current conditions of the ClientTrafficPolicy.
//
// +optional
// +listType=map
// +listMapKey=type
// +kubebuilder:validation:MaxItems=8
Conditions []metav1.Condition `json:"conditions,omitempty"`
}

const (
// PolicyConditionOverridden indicates whether the policy has
// completely attached to all the sections within the target or not.
12 changes: 1 addition & 11 deletions api/v1alpha1/kubernetes_helpers.go
Expand Up @@ -17,12 +17,6 @@ import (
"k8s.io/utils/ptr"
)

// DefaultKubernetesDeploymentReplicas returns the default replica settings.
func DefaultKubernetesDeploymentReplicas() *int32 {
repl := int32(DefaultDeploymentReplicas)
return &repl
}

// DefaultKubernetesDeploymentStrategy returns the default deployment strategy settings.
func DefaultKubernetesDeploymentStrategy() *appv1.DeploymentStrategy {
return &appv1.DeploymentStrategy{
Expand All @@ -38,7 +32,6 @@ func DefaultKubernetesContainerImage(image string) *string {
// DefaultKubernetesDeployment returns a new KubernetesDeploymentSpec with default settings.
func DefaultKubernetesDeployment(image string) *KubernetesDeploymentSpec {
return &KubernetesDeploymentSpec{
Replicas: DefaultKubernetesDeploymentReplicas(),
Strategy: DefaultKubernetesDeploymentStrategy(),
Pod: DefaultKubernetesPod(),
Container: DefaultKubernetesContainer(image),
Expand Down Expand Up @@ -96,10 +89,6 @@ func GetKubernetesServiceExternalTrafficPolicy(serviceExternalTrafficPolicy Serv

// defaultKubernetesDeploymentSpec fill a default KubernetesDeploymentSpec if unspecified.
func (deployment *KubernetesDeploymentSpec) defaultKubernetesDeploymentSpec(image string) {
if deployment.Replicas == nil {
deployment.Replicas = DefaultKubernetesDeploymentReplicas()
}

if deployment.Strategy == nil {
deployment.Strategy = DefaultKubernetesDeploymentStrategy()
}
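Review bot: With the `deployment.Replicas == nil` branch removed from `defaultKubernetesDeploymentSpec`, and `Replicas` no longer set in `DefaultKubernetesDeployment`, the field can now reach consumers as nil. Check every place that dereferences `Replicas` when building the Deployment, and add a test that renders a Deployment with the field unset so the HPA-managed case is covered.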
Expand All @@ -121,6 +110,7 @@ func (deployment *KubernetesDeploymentSpec) defaultKubernetesDeploymentSpec(imag
}
}

// setDefault fill a default HorizontalPodAutoscalerSpec if unspecified
func (hpa *KubernetesHorizontalPodAutoscalerSpec) setDefault() {
if len(hpa.Metrics) == 0 {
hpa.Metrics = DefaultEnvoyProxyHpaMetrics()
2 changes: 1 addition & 1 deletion api/v1alpha1/securitypolicy_types.go
Expand Up @@ -31,7 +31,7 @@ type SecurityPolicy struct {
Spec SecurityPolicySpec `json:"spec"`

// Status defines the current status of SecurityPolicy.
Status SecurityPolicyStatus `json:"status,omitempty"`
Status gwapiv1a2.PolicyStatus `json:"status,omitempty"`
}

// SecurityPolicySpec defines the desired state of SecurityPolicy.
6 changes: 2 additions & 4 deletions api/v1alpha1/shared_types.go
Expand Up @@ -126,10 +126,6 @@ type KubernetesPodSpec struct {
// +optional
Volumes []corev1.Volume `json:"volumes,omitempty"`

// HostNetwork, If this is set to true, the pod will use host's network namespace.
// +optional
HostNetwork bool `json:"hostNetwork,omitempty"`

// ImagePullSecrets is an optional list of references to secrets
// in the same namespace to use for pulling any of the images used by this PodSpec.
// If specified, these secrets will be passed to individual puller implementations for them to use.
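Review bot: Removing `HostNetwork` from `KubernetesPodSpec` is an API-breaking change for anyone who already sets `hostNetwork: true` on an EnvoyProxy: once the CRD is updated the field is no longer in the schema, so it is pruned or rejected rather than honoured. Dropping host network access is the safer default for the proxy pods, but call the removal out in the release notes and confirm no code still reads the field.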
Expand Down Expand Up @@ -348,6 +344,8 @@ const (
)

// KubernetesHorizontalPodAutoscalerSpec defines Kubernetes Horizontal Pod Autoscaler settings of Envoy Proxy Deployment.
// When HPA is enabled, it is recommended that the value in `KubernetesDeploymentSpec.replicas` be removed, otherwise
// Envoy Gateway will revert back to this value every time reconciliation occurs.
// See k8s.io.autoscaling.v2.HorizontalPodAutoScalerSpec.
//
// +kubebuilder:validation:XValidation:message="maxReplicas cannot be less than minReplicas",rule="!has(self.minReplicas) || self.maxReplicas >= self.minReplicas"
5 changes: 1 addition & 4 deletions api/v1alpha1/validation/envoygateway_validate_test.go
Expand Up @@ -668,8 +668,7 @@ func TestEnvoyGatewayProvider(t *testing.T) {

envoyGatewayProvider.Kubernetes = &v1alpha1.EnvoyGatewayKubernetesProvider{
RateLimitDeployment: &v1alpha1.KubernetesDeploymentSpec{
Replicas: nil,
Pod: nil,
Pod: nil,
Container: &v1alpha1.KubernetesContainerSpec{
Resources: nil,
SecurityContext: nil,
Expand All @@ -684,8 +683,6 @@ func TestEnvoyGatewayProvider(t *testing.T) {

assert.NotNil(t, envoyGatewayProvider.Kubernetes.RateLimitDeployment)
assert.Equal(t, envoyGatewayProvider.Kubernetes.RateLimitDeployment, v1alpha1.DefaultKubernetesDeployment(v1alpha1.DefaultRateLimitImage))
assert.NotNil(t, envoyGatewayProvider.Kubernetes.RateLimitDeployment.Replicas)
assert.Equal(t, envoyGatewayProvider.Kubernetes.RateLimitDeployment.Replicas, v1alpha1.DefaultKubernetesDeploymentReplicas())
assert.NotNil(t, envoyGatewayProvider.Kubernetes.RateLimitDeployment.Pod)
assert.Equal(t, envoyGatewayProvider.Kubernetes.RateLimitDeployment.Pod, v1alpha1.DefaultKubernetesPod())
assert.NotNil(t, envoyGatewayProvider.Kubernetes.RateLimitDeployment.Container)
38 changes: 13 additions & 25 deletions api/v1alpha1/validation/envoyproxy_validate.go
Expand Up @@ -9,17 +9,15 @@ import (
"errors"
"fmt"
"net/netip"
"reflect"

bootstrapv3 "github.com/envoyproxy/go-control-plane/envoy/config/bootstrap/v3"
clusterv3 "github.com/envoyproxy/go-control-plane/envoy/config/cluster/v3"
"github.com/google/go-cmp/cmp"
"google.golang.org/protobuf/encoding/protojson"
"google.golang.org/protobuf/testing/protocmp"
utilerrors "k8s.io/apimachinery/pkg/util/errors"
"sigs.k8s.io/yaml"

egv1a1 "github.com/envoyproxy/gateway/api/v1alpha1"
"github.com/envoyproxy/gateway/internal/utils/proto"
"github.com/envoyproxy/gateway/internal/xds/bootstrap"
_ "github.com/envoyproxy/gateway/internal/xds/extensions" // register the generated types to support protojson unmarshalling
)
Expand Down Expand Up @@ -140,42 +138,33 @@ func validateService(spec *egv1a1.EnvoyProxySpec) []error {
}

func validateBootstrap(boostrapConfig *egv1a1.ProxyBootstrap) error {
// Validate user bootstrap config
defaultBootstrap := &bootstrapv3.Bootstrap{}
// TODO: need validate when enable prometheus?
defaultBootstrapStr, err := bootstrap.GetRenderedBootstrapConfig(nil)
if err != nil {
return err
}
if err := proto.FromYAML([]byte(defaultBootstrapStr), defaultBootstrap); err != nil {
return fmt.Errorf("unable to unmarshal default bootstrap: %w", err)
}
if err := defaultBootstrap.Validate(); err != nil {
return fmt.Errorf("default bootstrap validation failed: %w", err)
}

// Validate user bootstrap config
userBootstrapStr, err := bootstrap.ApplyBootstrapConfig(boostrapConfig, defaultBootstrapStr)
if err != nil {
return err
}

jsonData, err := yaml.YAMLToJSON([]byte(userBootstrapStr))
if err != nil {
return fmt.Errorf("unable to convert user bootstrap to json: %w", err)
}

userBootstrap := &bootstrapv3.Bootstrap{}
if err := protojson.Unmarshal(jsonData, userBootstrap); err != nil {
return fmt.Errorf("unable to unmarshal user bootstrap: %w", err)
if err := proto.FromYAML([]byte(userBootstrapStr), userBootstrap); err != nil {
return fmt.Errorf("failed to parse default bootstrap config: %w", err)
}

// Call Validate method
if err := userBootstrap.Validate(); err != nil {
return fmt.Errorf("validation failed for user bootstrap: %w", err)
}

jsonData, err = yaml.YAMLToJSON([]byte(defaultBootstrapStr))
if err != nil {
return fmt.Errorf("unable to convert default bootstrap to json: %w", err)
}

if err := protojson.Unmarshal(jsonData, defaultBootstrap); err != nil {
return fmt.Errorf("unable to unmarshal default bootstrap: %w", err)
}

// Ensure dynamic resources config is same
if userBootstrap.DynamicResources == nil ||
cmp.Diff(userBootstrap.DynamicResources, defaultBootstrap.DynamicResources, protocmp.Transform()) != "" {
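Review bot: In `validateBootstrap`, the new `proto.FromYAML([]byte(userBootstrapStr), userBootstrap)` call returns "failed to parse default bootstrap config" on error, but the input at that point is the user's merged bootstrap. An operator debugging a rejected EnvoyProxy would be pointed at the wrong config; the message should name the user bootstrap, as the removed "unable to unmarshal user bootstrap" did. The `// TODO: need validate when enable prometheus?` left above `GetRenderedBootstrapConfig(nil)` should be tracked in an issue or resolved before release.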
Expand All @@ -196,9 +185,8 @@ func validateBootstrap(boostrapConfig *egv1a1.ProxyBootstrap) error {
break
}
}

// nolint // Circumvents this error "Error: copylocks: call of reflect.DeepEqual copies lock value:"
if userXdsCluster == nil || !reflect.DeepEqual(*userXdsCluster.LoadAssignment, *defaultXdsCluster.LoadAssignment) {
if userXdsCluster == nil ||
cmp.Diff(userXdsCluster.LoadAssignment, defaultXdsCluster.LoadAssignment, protocmp.Transform()) != "" {
return fmt.Errorf("xds_cluster's loadAssigntment cannot be modified")
}
