[release/v1.3] release v1.3.0 cherry-pick from main (#5179)

* doc: response compression (#5071)

compression docs

Signed-off-by: Huabing Zhao <[email protected]>
(cherry picked from commit 549fdde)
Signed-off-by: Guy Daich <[email protected]>

* docs: how to specify a self-signed ca for the remote jwks host in the SP JWT settings. (#5085)

* docs for jwt self-signed ca

Signed-off-by: Huabing Zhao <[email protected]>

* fix gen

Signed-off-by: Huabing Zhao <[email protected]>

* update docs

Signed-off-by: Huabing Zhao <[email protected]>

---------

Signed-off-by: Huabing Zhao <[email protected]>
(cherry picked from commit fdc7849)
Signed-off-by: Guy Daich <[email protected]>

* chore: fix gen (#5166)

fix gen

Signed-off-by: Huabing (Robin) Zhao <[email protected]>
(cherry picked from commit 34db8af)
Signed-off-by: Guy Daich <[email protected]>

* docs: add api key auth instructions (#5097)

* docs: add api key auth instruction

Signed-off-by: Taufik Mulyana <[email protected]>

* fix: remove unrelated links

Signed-off-by: Taufik Mulyana <[email protected]>

---------

Signed-off-by: Taufik Mulyana <[email protected]>
(cherry picked from commit b5cf087)
Signed-off-by: Guy Daich <[email protected]>

* add SECURITY.md (#5167)

Signed-off-by: Arko Dasgupta <[email protected]>
(cherry picked from commit f7a10eb)
Signed-off-by: Guy Daich <[email protected]>

* chore: link SECURITY.md (#5168)

Signed-off-by: Arko Dasgupta <[email protected]>
(cherry picked from commit ac9026f)
Signed-off-by: Guy Daich <[email protected]>

* build(deps): bump actions/stale from 9.0.0 to 9.1.0 (#5162)

Bumps [actions/stale](https://github.com/actions/stale) from 9.0.0 to 9.1.0.
- [Release notes](https://github.com/actions/stale/releases)
- [Changelog](https://github.com/actions/stale/blob/main/CHANGELOG.md)
- [Commits](actions/stale@28ca103...5bef64f)

---
updated-dependencies:
- dependency-name: actions/stale
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Arko Dasgupta <[email protected]>
(cherry picked from commit 57d4aa8)
Signed-off-by: Guy Daich <[email protected]>

* docs: rm sectionName from some of the examples (#5173)

adds whats left off from #4868

deleted the sectionName in these examples because the Service spec does
not define a port `Name`

Signed-off-by: Arko Dasgupta <[email protected]>
(cherry picked from commit 45804e2)
Signed-off-by: Guy Daich <[email protected]>

* ci(fix): osv-scanner PR mode (#5174)

fix: osv-scanner PR mode

Signed-off-by: shahar-h <[email protected]>
Co-authored-by: Guy Daich <[email protected]>
(cherry picked from commit e904d3f)
Signed-off-by: Guy Daich <[email protected]>

* wip: docs: add standalone in container instruction (#5172)

* docs: add standalone in container instruction

Signed-off-by: Denis Shatokhin <[email protected]>

* docs: update headings and image tag

Signed-off-by: Denis Shatokhin <[email protected]>

---------

Signed-off-by: Denis Shatokhin <[email protected]>
(cherry picked from commit a3448c1)
Signed-off-by: Guy Daich <[email protected]>

* docs: update prerequisites files with installation and connectivity t… (#5094)

* docs: update prerequisites files with installation and connectivity testing steps

Signed-off-by: DeeBi9 <[email protected]>

* lint

Signed-off-by: DeeBi9 <[email protected]>

* docs: remove the Note

Signed-off-by: DeeBi9 <[email protected]>

* remove redundant code

Signed-off-by: DeeBi9 <[email protected]>

---------

Signed-off-by: DeeBi9 <[email protected]>
(cherry picked from commit 3253339)
Signed-off-by: Guy Daich <[email protected]>

* [release/v1.3] fix 1.3.0-rc.1 release note (#5175)

* fix 1.3.0-rc.1 release note

Signed-off-by: Guy Daich <[email protected]>

* more fixes

Signed-off-by: Guy Daich <[email protected]>

---------

Signed-off-by: Guy Daich <[email protected]>
(cherry picked from commit 4fba2bf)
Signed-off-by: Guy Daich <[email protected]>

* fail validation if baseInterval is 0s (#5176)

* fail validation if baseInterval is 0s

Fixes: #5147

Signed-off-by: Arko Dasgupta <[email protected]>

* more validations

Signed-off-by: Arko Dasgupta <[email protected]>

---------

Signed-off-by: Arko Dasgupta <[email protected]>
(cherry picked from commit 4844d9a)
Signed-off-by: Guy Daich <[email protected]>

* [release/1.3] release notes (#5177)

Signed-off-by: Guy Daich <[email protected]>
(cherry picked from commit c2215b2)
Signed-off-by: Guy Daich <[email protected]>

---------

Signed-off-by: Huabing Zhao <[email protected]>
Signed-off-by: Guy Daich <[email protected]>
Signed-off-by: Huabing (Robin) Zhao <[email protected]>
Signed-off-by: Taufik Mulyana <[email protected]>
Signed-off-by: Arko Dasgupta <[email protected]>
Signed-off-by: dependabot[bot] <[email protected]>
Signed-off-by: shahar-h <[email protected]>
Signed-off-by: Denis Shatokhin <[email protected]>
Signed-off-by: DeeBi9 <[email protected]>
Co-authored-by: Huabing (Robin) Zhao <[email protected]>
Co-authored-by: Taufik Mulyana <[email protected]>
Co-authored-by: Arko Dasgupta <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: shahar-h <[email protected]>
Co-authored-by: Denis Shatokhin <[email protected]>
Co-authored-by: Deepanshu Bisht <[email protected]>

Author: 8 people

.github/ISSUE_TEMPLATE/config.yml

@@ -1,5 +1 @@
 blank_issues_enabled: false
-contact_links:
-- name: "Crash bug"
-  url: https://github.com/envoyproxy/envoy/security/policy
-  about: "Please file any crash bug with [email protected]."

.github/ISSUE_TEMPLATE/non--crash-security--bug.md

@@ -9,8 +9,7 @@ assignees: ''
 
 *Description*:
 >What issue is being seen? Describe what should be happening instead of
-the bug, for example: Envoy should not crash, the expected value isn't
-returned, etc.
+the bug, for example: The expected value isn't returned, etc.
 
 *Repro steps*:
 > Include sample requests, environment, etc. All data and inputs

.github/workflows/osv-scanner.yml

@@ -33,7 +33,7 @@ jobs:
 
   scan-pr:
     if: ${{ github.event_name == 'pull_request' || github.event_name == 'merge_group' }}
-    uses: "google/osv-scanner-action/.github/workflows/osv-scanner-reusable.yml@764c91816374ff2d8fc2095dab36eecd42d61638"  # v1.9.2
+    uses: "google/osv-scanner-action/.github/workflows/osv-scanner-reusable-pr.yml@764c91816374ff2d8fc2095dab36eecd42d61638"  # v1.9.2
     with:
       scan-args: |-
         --skip-git

.github/workflows/stale.yml

@@ -18,7 +18,7 @@ jobs:
 
     steps:
     - name: Prune Stale
-      uses: actions/stale@28ca1036281a5e5922ead5184a1bbf96e5fc984e  # v9.0.0
+      uses: actions/stale@5bef64f19d7facfb25b37b414482c7164d639639  # v9.1.0
       with:
         repo-token: ${{ secrets.GITHUB_TOKEN }}
         # Different amounts of days for issues/PRs are not currently supported but there is a PR

README.md

@@ -31,6 +31,10 @@ Kubernetes-based application gateway.
 * [Contributing guide](https://gateway.envoyproxy.io/contributions/contributing/)
 * [Developer guide](https://gateway.envoyproxy.io/contributions/develop/)
 
+## Security Reporting
+
+If youve found a security vulnerability or a process crash, please follow the instructions in [SECURITY.md](./SECURITY.md) to submit a report.
+
 ## Community Meeting
 
 The Envoy Gateway team meets every Tuesday and Thursday. We also have a separate meeting to be held in the

SECURITY.md

@@ -0,0 +1,39 @@
+# Security Policy
+
+## Reporting a Vulnerability or a Crash
+
+We take security seriously and appreciate your help in identifying and responsibly disclosing vulnerabilities to protect our users.
+
+To report a security issue:
+
+1. **Do not open a public issue** on the GitHub repository to disclose a vulnerability.
+2. Send an email to our security team at [[email protected]](mailto:[email protected]).
+3. Include the following details in your email:
+    - A detailed description of the vulnerability.
+    - Steps to reproduce the issue.
+    - Potential impact of the vulnerability.
+    - Any suggested remediation or patches (if applicable).
+
+We aim to respond to vulnerability reports within **48 hours** and will work with you to validate and address the issue. 
+Once a resolution is identified, we will coordinate a release timeline with you and provide credit if applicable (with your consent).
+
+## Security Updates
+
+Security patches are announced through:
+
+- The [GitHub Releases page](https://github.com/envoyproxy/gateway/releases)
+
+To stay up-to-date with the latest security updates, we recommend subscribing to these channels.
+
+## Best Practices for Secure Usage
+
+To minimize security risks when using Envoy Gateway:
+
+- Use the latest supported version of Envoy Gateway.
+- Regularly monitor for updates and apply patches promptly.
+
+## Contact
+
+If you have any questions about this security policy, please contact us at [[email protected]](mailto:[email protected]).
+
+Thank you for helping us ensure the security of Envoy Gateway!

VERSION

@@ -1 +1 @@
-v1.3.0-rc.1
+v1.3.0

examples/standalone/quickstart-containers.yaml

@@ -0,0 +1,46 @@
+apiVersion: gateway.networking.k8s.io/v1
+kind: GatewayClass
+metadata:
+  name: eg
+spec:
+  controllerName: gateway.envoyproxy.io/gatewayclass-controller
+---
+apiVersion: gateway.networking.k8s.io/v1
+kind: Gateway
+metadata:
+  name: eg
+spec:
+  gatewayClassName: eg
+  listeners:
+    - name: http
+      protocol: HTTP
+      port: 8888
+---
+apiVersion: gateway.networking.k8s.io/v1
+kind: HTTPRoute
+metadata:
+  name: backend
+spec:
+  parentRefs:
+    - name: eg
+  hostnames:
+    - "www.example.com"
+  rules:
+    - backendRefs:
+        - group: "gateway.envoyproxy.io"
+          kind: Backend
+          name: backend
+      matches:
+        - path:
+            type: PathPrefix
+            value: /
+---
+apiVersion: gateway.envoyproxy.io/v1alpha1
+kind: Backend
+metadata:
+  name: backend
+spec:
+  endpoints:
+    - fqdn:
+        hostname: local-server.local
+        port: 3000

internal/gatewayapi/backendtrafficpolicy.go

@@ -333,9 +333,12 @@ func (t *Translator) translateBackendTrafficPolicyForRoute(
 		err = perr.WithMessage(err, "TCPKeepalive")
 		errs = errors.Join(errs, err)
 	}
-	if policy.Spec.Retry != nil {
-		rt = buildRetry(policy.Spec.Retry)
+
+	if rt, err = buildRetry(policy.Spec.Retry); err != nil {
+		err = perr.WithMessage(err, "Retry")
+		errs = errors.Join(errs, err)
 	}
+
 	if to, err = buildClusterSettingsTimeout(policy.Spec.ClusterSettings); err != nil {
 		err = perr.WithMessage(err, "Timeout")
 		errs = errors.Join(errs, err)
@@ -484,9 +487,12 @@ func (t *Translator) translateBackendTrafficPolicyForGateway(
 		err = perr.WithMessage(err, "TCPKeepalive")
 		errs = errors.Join(errs, err)
 	}
-	if policy.Spec.Retry != nil {
-		rt = buildRetry(policy.Spec.Retry)
+
+	if rt, err = buildRetry(policy.Spec.Retry); err != nil {
+		err = perr.WithMessage(err, "Retry")
+		errs = errors.Join(errs, err)
 	}
+
 	if ct, err = buildClusterSettingsTimeout(policy.Spec.ClusterSettings); err != nil {
 		err = perr.WithMessage(err, "Timeout")
 		errs = errors.Join(errs, err)

internal/gatewayapi/clustersettings.go

@@ -72,7 +72,10 @@ func translateTrafficFeatures(policy *egv1a1.ClusterSettings) (*ir.TrafficFeatur
 		ret.HTTP2 = h2
 	}
 
-	ret.Retry = buildRetry(policy.Retry)
+	var err error
+	if ret.Retry, err = buildRetry(policy.Retry); err != nil {
+		return nil, err
+	}
 
 	// If nothing was set in any of the above calls, return nil instead of an empty
 	// container
@@ -477,9 +480,9 @@ func translateDNS(policy egv1a1.ClusterSettings) *ir.DNS {
 	}
 }
 
-func buildRetry(r *egv1a1.Retry) *ir.Retry {
+func buildRetry(r *egv1a1.Retry) (*ir.Retry, error) {
 	if r == nil {
-		return nil
+		return nil, nil
 	}
 
 	rt := &ir.Retry{}
@@ -518,13 +521,22 @@ func buildRetry(r *egv1a1.Retry) *ir.Retry {
 		if r.PerRetry.BackOff != nil {
 			if r.PerRetry.BackOff.MaxInterval != nil || r.PerRetry.BackOff.BaseInterval != nil {
 				bop := &ir.BackOffPolicy{}
+				if r.PerRetry.BackOff.BaseInterval != nil {
+					bop.BaseInterval = r.PerRetry.BackOff.BaseInterval
+					if bop.BaseInterval.Duration == 0 {
+						return nil, fmt.Errorf("baseInterval cannot be set to 0s")
+					}
+				}
 				if r.PerRetry.BackOff.MaxInterval != nil {
 					bop.MaxInterval = r.PerRetry.BackOff.MaxInterval
+					if bop.MaxInterval.Duration == 0 {
+						return nil, fmt.Errorf("maxInterval cannot be set to 0s")
+					}
+					if bop.BaseInterval != nil && bop.BaseInterval.Duration > bop.MaxInterval.Duration {
+						return nil, fmt.Errorf("maxInterval cannot be less than baseInterval")
+					}
 				}
 
-				if r.PerRetry.BackOff.BaseInterval != nil {
-					bop.BaseInterval = r.PerRetry.BackOff.BaseInterval
-				}
 				pr.BackOff = bop
 				bpr = true
 			}
@@ -535,5 +547,5 @@ func buildRetry(r *egv1a1.Retry) *ir.Retry {
 		}
 	}
 
-	return rt
+	return rt, nil
 }

internal/gatewayapi/testdata/backendtrafficpolicy-with-retries.in.yaml

@@ -62,6 +62,44 @@ httpRoutes:
       backendRefs:
       - name: service-1
         port: 8080
+- apiVersion: gateway.networking.k8s.io/v1
+  kind: HTTPRoute
+  metadata:
+    namespace: default
+    name: httproute-2
+  spec:
+    hostnames:
+    - gateway.envoyproxy.io
+    parentRefs:
+    - namespace: envoy-gateway
+      name: gateway-2
+      sectionName: http
+    rules:
+    - matches:
+      - path:
+          value: "/route2"
+      backendRefs:
+      - name: service-1
+        port: 8080
+- apiVersion: gateway.networking.k8s.io/v1
+  kind: HTTPRoute
+  metadata:
+    namespace: default
+    name: httproute-3
+  spec:
+    hostnames:
+    - gateway.envoyproxy.io
+    parentRefs:
+    - namespace: envoy-gateway
+      name: gateway-2
+      sectionName: http
+    rules:
+    - matches:
+      - path:
+          value: "/route3"
+      backendRefs:
+      - name: service-1
+        port: 8080
 backendTrafficPolicies:
 - apiVersion: gateway.envoyproxy.io/v1alpha1
   kind: BackendTrafficPolicy
@@ -86,7 +124,7 @@ backendTrafficPolicies:
   kind: BackendTrafficPolicy
   metadata:
     namespace: default
-    name: policy-for-route
+    name: policy-for-route-1
   spec:
     targetRef:
       group: gateway.networking.k8s.io
@@ -106,3 +144,32 @@ backendTrafficPolicies:
         backoff:
           baseInterval: 100ms
           maxInterval: 10s
+- apiVersion: gateway.envoyproxy.io/v1alpha1
+  kind: BackendTrafficPolicy
+  metadata:
+    namespace: default
+    name: policy-for-route-2
+  spec:
+    targetRef:
+      group: gateway.networking.k8s.io
+      kind: HTTPRoute
+      name: httproute-2
+    retry:
+      perRetry:
+        backoff:
+          baseInterval: 0s
+- apiVersion: gateway.envoyproxy.io/v1alpha1
+  kind: BackendTrafficPolicy
+  metadata:
+    namespace: default
+    name: policy-for-route-3
+  spec:
+    targetRef:
+      group: gateway.networking.k8s.io
+      kind: HTTPRoute
+      name: httproute-3
+    retry:
+      perRetry:
+        backoff:
+          baseInterval: 2s
+          maxInterval: 1s