diff --git a/.github/workflows/build_and_test.yaml b/.github/workflows/build_and_test.yaml
index 033fa84d47..7e04e9cf6a 100644
--- a/.github/workflows/build_and_test.yaml
+++ b/.github/workflows/build_and_test.yaml
@@ -73,7 +73,7 @@ jobs:
 needs: [build]
 strategy:
 matrix:
- version: [ v1.23.6, v1.24.0, v1.25.3 ]
+ version: [ v1.24.0, v1.25.3, v1.26.0 ]
 steps:
 - uses: actions/checkout@v3
 - uses: ./tools/github-actions/setup-deps
diff --git a/.github/workflows/docs.yaml b/.github/workflows/docs.yaml
index 8507fc96cd..3c6f43595e 100644
--- a/.github/workflows/docs.yaml
+++ b/.github/workflows/docs.yaml
@@ -63,4 +63,4 @@ jobs:
 steps:
 - name: Deploy to GitHub Pages
 id: deployment
- uses: actions/deploy-pages@v1.2.3
+ uses: actions/deploy-pages@v1.2.4
diff --git a/VERSION b/VERSION
index 7f477ab201..268b0334e6 100644
--- a/VERSION
+++ b/VERSION
@@ -1 +1 @@
-v0.3.0-rc.1
+v0.3.0
diff --git a/api/config/doc.go b/api/config/doc.go
new file mode 100644
index 0000000000..a9b235ea60
--- /dev/null
+++ b/api/config/doc.go
@@ -0,0 +1,6 @@
+// Copyright Envoy Gateway Authors
+// SPDX-License-Identifier: Apache-2.0
+// The full text of the Apache license is available in the LICENSE file at
+// the root of the repo.
+
+package config
diff --git a/api/config/v1alpha1/doc.go b/api/config/v1alpha1/doc.go
new file mode 100644
index 0000000000..cbf70c5e35
--- /dev/null
+++ b/api/config/v1alpha1/doc.go
@@ -0,0 +1,11 @@
+// Copyright Envoy Gateway Authors
+// SPDX-License-Identifier: Apache-2.0
+// The full text of the Apache license is available in the LICENSE file at
+// the root of the repo.
+
+// Package v1alpha1 contains API schema definitions for the config.gateway.envoyproxy.io
+// API group.
+//
+// +kubebuilder:object:generate=true
+// +groupName=config.gateway.envoyproxy.io
+package v1alpha1
diff --git a/api/config/v1alpha1/envoygateway_types.go b/api/config/v1alpha1/envoygateway_types.go
index 5d8adbcf0e..86636da0d7 100644
--- a/api/config/v1alpha1/envoygateway_types.go
+++ b/api/config/v1alpha1/envoygateway_types.go
@@ -18,11 +18,11 @@ const (
 //+kubebuilder:object:root=true
-// EnvoyGateway is the Schema for the envoygateways API.
+// EnvoyGateway is the schema for the envoygateways API.
 type EnvoyGateway struct {
 metav1.TypeMeta `json:",inline"`
- // EnvoyGatewaySpec defines the desired state of Envoy Gateway.
+ // EnvoyGatewaySpec defines the desired state of EnvoyGateway.
 EnvoyGatewaySpec `json:",inline"`
 }
@@ -45,7 +45,7 @@ type EnvoyGatewaySpec struct {
 // deployed by Envoy Gateway required to implement the Global Rate limiting
 // functionality. The specific rate limit service used here is the reference
 // implementation in Envoy. For more details visit https://github.com/envoyproxy/ratelimit.
- // This configuration will not be needed to enable Local Rate limiitng.
+ // This configuration is unneeded for "Local" rate limiting.
 //
 // +optional
 RateLimit *RateLimit `json:"rateLimit,omitempty"`
@@ -56,8 +56,7 @@ type Gateway struct {
 // ControllerName defines the name of the Gateway API controller. If unspecified,
 // defaults to "gateway.envoyproxy.io/gatewayclass-controller". See the following
 // for additional details:
- //
- // https://gateway-api.sigs.k8s.io/v1alpha2/references/spec/#gateway.networking.k8s.io/v1alpha2.GatewayClass
+ // https://gateway-api.sigs.k8s.io/v1alpha2/references/spec/#gateway.networking.k8s.io/v1alpha2.GatewayClass
 //
 // +optional
 ControllerName string `json:"controllerName,omitempty"`
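Review bot: The rewritten `RateLimit` comment tells users the configuration is unneeded for "Local" rate limiting, yet the only `RateLimitType` this diff exposes is "Global" (`ratelimitfilter_types.go`: `Valid RateLimitType values are "Global"`), so the sentence points readers at a mode they cannot select. If local rate limiting is planned rather than available, say so explicitly, e.g. `// This configuration is unneeded for "Local" rate limiting, which RateLimitFilter does not yet support.`; if it is not planned, drop the sentence so the generated API reference does not advertise a non-existent option. The `EnvoyGatewaySpec` struct starts outside the hunk.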
@@ -66,12 +65,11 @@ type Gateway struct {
 // Provider defines the desired configuration of a provider.
 // +union
 type Provider struct {
- // Type is the type of provider to use. Supported types are:
- //
- // * Kubernetes: A provider that provides runtime configuration via the Kubernetes API.
+ // Type is the type of provider to use. Supported types are "Kubernetes".
 //
 // +unionDiscriminator
 Type ProviderType `json:"type"`
+
 // Kubernetes defines the configuration of the Kubernetes provider. Kubernetes
 // provides runtime configuration via the Kubernetes API.
 //
@@ -79,7 +77,8 @@ type Provider struct {
 Kubernetes *KubernetesProvider `json:"kubernetes,omitempty"`
 // File defines the configuration of the File provider. File provides runtime
- // configuration defined by one or more files.
+ // configuration defined by one or more files. This type is not implemented
+ // until https://github.com/envoyproxy/gateway/issues/1001 is fixed.
 //
 // +optional
 File *FileProvider `json:"file,omitempty"`
diff --git a/api/config/v1alpha1/envoyproxy_types.go b/api/config/v1alpha1/envoyproxy_types.go
index 8171069d6a..1eed1b1527 100644
--- a/api/config/v1alpha1/envoyproxy_types.go
+++ b/api/config/v1alpha1/envoyproxy_types.go
@@ -17,12 +17,14 @@ const (
 //+kubebuilder:object:root=true
 //+kubebuilder:subresource:status
-// EnvoyProxy is the Schema for the envoyproxies API
+// EnvoyProxy is the schema for the envoyproxies API.
 type EnvoyProxy struct {
 metav1.TypeMeta `json:",inline"`
 metav1.ObjectMeta `json:"metadata,omitempty"`
- Spec EnvoyProxySpec `json:"spec,omitempty"`
+ // EnvoyProxySpec defines the desired state of EnvoyProxy.
+ Spec EnvoyProxySpec `json:"spec,omitempty"`
+ // EnvoyProxyStatus defines the actual state of EnvoyProxy.
 Status EnvoyProxyStatus `json:"status,omitempty"`
 }
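Review bot: The new `File` comment says the provider is not implemented, but nothing in this hunk prevents a user from setting `type: File`: the `+unionDiscriminator` field `Type` carries no visible `+kubebuilder:validation:Enum` marker, and `ProviderTypeFile` remains exported in `shared_types.go`, so the API server would admit a spec that Envoy Gateway cannot act on. Unless the enum is declared on the `ProviderType` type outside this diff, add `// +kubebuilder:validation:Enum=Kubernetes` above `Type` (or state in the `Type` comment how an unsupported value is rejected at runtime) so a misconfigured control plane fails at admission rather than silently. The `Provider` struct continues outside the hunk.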
@@ -36,7 +38,8 @@ type EnvoyProxySpec struct {
 Provider *ResourceProvider `json:"provider,omitempty"`
 // Logging defines logging parameters for managed proxies. If unspecified,
- // default settings apply.
+ // default settings apply. This type is not implemented until
+ // https://github.com/envoyproxy/gateway/issues/280 is fixed.
 //
 // +kubebuilder:default={level: {system: info}}
 Logging ProxyLogging `json:"logging,omitempty"`
@@ -47,10 +50,7 @@ type EnvoyProxySpec struct {
 type ResourceProvider struct {
 // Type is the type of resource provider to use. A resource provider provides
 // infrastructure resources for running the data plane, e.g. Envoy proxy, and
- // optional auxiliary control planes. Supported types are:
- //
- // * Kubernetes: Provides infrastructure resources for running the data plane,
- // e.g. Envoy proxy.
+ // optional auxiliary control planes. Supported types are "Kubernetes".
 //
 // +unionDiscriminator
 Type ProviderType `json:"type"`
@@ -74,7 +74,8 @@ type KubernetesResourceProvider struct {
 EnvoyDeployment *KubernetesDeploymentSpec `json:"envoyDeployment,omitempty"`
 }
-// ProxyLogging defines logging parameters for managed proxies.
+// ProxyLogging defines logging parameters for managed proxies. This type is not
+// implemented until https://github.com/envoyproxy/gateway/issues/280 is fixed.
 type ProxyLogging struct {
 // Level is a map of logging level per component, where the component is the key
 // and the log level is the value. If unspecified, defaults to "System: Info".
@@ -84,7 +85,8 @@ type ProxyLogging struct {
 }
 // LogComponent defines a component that supports a configured logging level.
-//
+// This type is not implemented until https://github.com/envoyproxy/gateway/issues/280
+// is fixed.
 // +kubebuilder:validation:Enum=system;upstream;http;connection;admin;client;filter;main;router;runtime
 type LogComponent string
@@ -121,8 +123,8 @@ const (
 LogComponentRuntime LogComponent = "runtime"
 )
-// LogLevel defines a log level for system logs.
-//
+// LogLevel defines a log level for system logs. This type is not implemented until
+// https://github.com/envoyproxy/gateway/issues/280 is fixed.
 // +kubebuilder:validation:Enum=debug;info;error
 type LogLevel string
@@ -137,7 +139,8 @@ const (
 LogLevelError LogLevel = "error"
 )
-// EnvoyProxyStatus defines the observed state of EnvoyProxy
+// EnvoyProxyStatus defines the observed state of EnvoyProxy. This type is not implemented
+// until https://github.com/envoyproxy/gateway/issues/1007 is fixed.
 type EnvoyProxyStatus struct {
 // INSERT ADDITIONAL STATUS FIELDS - define observed state of cluster.
 // Important: Run "make" to regenerate code after modifying this file.
diff --git a/api/config/v1alpha1/groupversion_info.go b/api/config/v1alpha1/groupversion_info.go
index a2bac6e402..b8d005fb16 100644
--- a/api/config/v1alpha1/groupversion_info.go
+++ b/api/config/v1alpha1/groupversion_info.go
@@ -3,10 +3,6 @@
 // The full text of the Apache license is available in the LICENSE file at
 // the root of the repo.
-// Package v1alpha1 contains API Schema definitions for the config v1alpha1 API group.
-//
-// +kubebuilder:object:generate=true
-// +groupName=config.gateway.envoyproxy.io
 package v1alpha1
 import (
diff --git a/api/config/v1alpha1/shared_types.go b/api/config/v1alpha1/shared_types.go
index f9dfcf9eb9..2563509729 100644
--- a/api/config/v1alpha1/shared_types.go
+++ b/api/config/v1alpha1/shared_types.go
@@ -19,7 +19,8 @@ const (
 // ProviderTypeKubernetes defines the "Kubernetes" provider.
 ProviderTypeKubernetes ProviderType = "Kubernetes"
- // ProviderTypeFile defines the "File" provider.
+ // ProviderTypeFile defines the "File" provider. This type is not implemented
+ // until https://github.com/envoyproxy/gateway/issues/1001 is fixed.
 ProviderTypeFile ProviderType = "File"
 )
diff --git a/api/doc.go b/api/doc.go
new file mode 100644
index 0000000000..912e4dd16e
--- /dev/null
+++ b/api/doc.go
@@ -0,0 +1,6 @@
+// Copyright Envoy Gateway Authors
+// SPDX-License-Identifier: Apache-2.0
+// The full text of the Apache license is available in the LICENSE file at
+// the root of the repo.
+
+package api
diff --git a/api/v1alpha1/authenticationfilter_types.go b/api/v1alpha1/authenticationfilter_types.go
index d921445a24..80c4c34837 100644
--- a/api/v1alpha1/authenticationfilter_types.go
+++ b/api/v1alpha1/authenticationfilter_types.go
@@ -29,18 +29,16 @@ type AuthenticationFilter struct {
 // AuthenticationFilterSpec defines the desired state of the AuthenticationFilter type.
 // +union
 type AuthenticationFilterSpec struct {
- // Type defines the type of authentication provider to use. Supported provider types are:
- //
- // * JWT: A provider that uses JSON Web Token (JWT) for authenticating requests.
+ // Type defines the type of authentication provider to use. Supported provider types
+ // are "JWT".
 //
 // +unionDiscriminator
 Type AuthenticationFilterType `json:"type"`
 // JWT defines the JSON Web Token (JWT) authentication provider type. When multiple
 // jwtProviders are specified, the JWT is considered valid if any of the providers
- // successfully validate the JWT. For additional details, see:
- //
- // https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_filters/jwt_authn_filter.html
+ // successfully validate the JWT. For additional details, see
+ // https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_filters/jwt_authn_filter.html.
 //
 // +kubebuilder:validation:MaxItems=4
 // +optional
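Review bot: The rewritten `JWT` comment keeps the statement that a token is valid if *any* configured provider validates it, but it does not spell out the security consequence: providers are ORed, so the least restrictive entry in `jwtProviders` (for example one that omits `issuer` or `audiences`, both optional per this file) defines the effective policy for the whole filter. Since up to `MaxItems=4` providers can be attached to one route, a reader needs that warning where they configure the list. Suggest appending `// Because providers are ORed, a request is admitted by the least restrictive provider; set issuer and audiences on every entry.` after the existing sentence. The `AuthenticationFilterSpec` struct continues outside the hunk.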
@@ -52,7 +50,8 @@ type AuthenticationFilterSpec struct {
 type AuthenticationFilterType string
 const (
- // JwtAuthenticationFilterProviderType is the JWT authentication provider type.
+ // JwtAuthenticationFilterProviderType is a provider that uses JSON Web Token (JWT)
+ // for authenticating requests..
 JwtAuthenticationFilterProviderType AuthenticationFilterType = "JWT"
 )
@@ -67,33 +66,17 @@ type JwtAuthenticationFilterProvider struct {
 Name string `json:"name"`
 // Issuer is the principal that issued the JWT and takes the form of a URL or email address.
- // For additional details, see:
- //
- // URL format: https://tools.ietf.org/html/rfc7519#section-4.1.1
- // Email format: https://rfc-editor.org/rfc/rfc5322.html
- //
- // URL Example:
- // issuer: https://auth.example.com
- //
- // Email Example:
- // issuer: jdoe@example.com
- //
- // If not provided, the JWT issuer is not checked.
+ // For additional details, see https://tools.ietf.org/html/rfc7519#section-4.1.1 for
+ // URL format and https://rfc-editor.org/rfc/rfc5322.html for email format. If not provided,
+ // the JWT issuer is not checked.
 //
 // +kubebuilder:validation:MaxLength=253
 // +optional
 Issuer string `json:"issuer,omitempty"`
- // Audiences is a list of JWT audiences allowed to access. For additional details, see:
- //
- // https://tools.ietf.org/html/rfc7519#section-4.1.3
- //
- // Example:
- // audiences:
- // - foo.apps.example.com
- // bar.apps.example.com
- //
- // If not provided, JWT audiences are not checked.
+ // Audiences is a list of JWT audiences allowed access. For additional details, see
+ // https://tools.ietf.org/html/rfc7519#section-4.1.3. If not provided, JWT audiences
+ // are not checked.
 //
 // +kubebuilder:validation:MaxItems=8
 // +optional
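Review bot: The new `JwtAuthenticationFilterProviderType` comment ends with a doubled period, `for authenticating requests..`, which will be copied verbatim into the generated API reference. Drop one: `// for authenticating requests.`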
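Review bot: The condensed `Audiences` comment still says an empty list means audiences are not checked, but it now carries no hint that this is the unsafe default: a provider without `audiences` accepts any token the issuer minted for any other relying party, so a token obtained from or issued to an unrelated service can be replayed against routes behind this filter (audience confusion). Because the field is `+optional`, this doc comment is the only place a user learns that, so suggest appending `// Leaving audiences empty accepts tokens minted for any audience; set it to the identifier(s) of this service unless cross-audience acceptance is intended.` The same applies to the optional `Issuer`: per its own comment an unset issuer is not checked, so any `iss` claim signed by a key in the provider's JWKS is accepted, and a one-line warning there would be worth adding as well. The `JwtAuthenticationFilterProvider` struct continues outside the hunk.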
@@ -112,9 +95,6 @@ type RemoteJWKS struct {
 // URI is the HTTPS URI to fetch the JWKS. Envoy's system trust bundle is used to
 // validate the server certificate.
 //
- // Example:
- // uri: https://www.foo.com/oauth2/v1/certs
- //
 // +kubebuilder:validation:MinLength=1
 // +kubebuilder:validation:MaxLength=253
 URI string `json:"uri"`
diff --git a/api/v1alpha1/doc.go b/api/v1alpha1/doc.go
new file mode 100644
index 0000000000..ba39955fc0
--- /dev/null
+++ b/api/v1alpha1/doc.go
@@ -0,0 +1,10 @@
+// Copyright Envoy Gateway Authors
+// SPDX-License-Identifier: Apache-2.0
+// The full text of the Apache license is available in the LICENSE file at
+// the root of the repo.
+
+// Package v1alpha1 contains API schema definitions for the gateway.envoyproxy.io API group.
+//
+// +kubebuilder:object:generate=true
+// +groupName=gateway.envoyproxy.io
+package v1alpha1
diff --git a/api/v1alpha1/groupversion_info.go b/api/v1alpha1/groupversion_info.go
index 648ba67929..1b13b602e8 100644
--- a/api/v1alpha1/groupversion_info.go
+++ b/api/v1alpha1/groupversion_info.go
@@ -3,10 +3,6 @@
 // The full text of the Apache license is available in the LICENSE file at
 // the root of the repo.
-// Package v1alpha1 contains API Schema definitions for the gateway.envoyproxy.io API group.
-//
-// +kubebuilder:object:generate=true
-// +groupName=gateway.envoyproxy.io
 package v1alpha1
 import (
diff --git a/api/v1alpha1/ratelimitfilter_types.go b/api/v1alpha1/ratelimitfilter_types.go
index 1365628e27..6f87bc1c91 100644
--- a/api/v1alpha1/ratelimitfilter_types.go
+++ b/api/v1alpha1/ratelimitfilter_types.go
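Review bot: The `URI` comment asserts that the JWKS is fetched over HTTPS with the server certificate validated against Envoy's trust bundle, but the only validation markers on the field are `MinLength=1` and `MaxLength=253`; nothing visible here rejects an `http://` value, and a plaintext JWKS fetch lets an on-path attacker substitute signing keys and mint tokens the filter will accept. Unless the scheme is enforced in the translator or an admission webhook outside this diff, add `// +kubebuilder:validation:Pattern=^https://` next to the length markers so the CRD rejects it at admission, and keep the comment's HTTPS claim tied to that check. The `RemoteJWKS` struct continues outside the hunk.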
@@ -30,13 +30,11 @@ type RateLimitFilter struct {
 // +union
 type RateLimitFilterSpec struct {
 // Type decides the scope for the RateLimits.
- // Valid RateLimitType values are:
- //
- // * "Global" - In this mode, the rate limits are applied across all Envoy proxy instances.
+ // Valid RateLimitType values are "Global".
 //
 // +unionDiscriminator
 Type RateLimitType `json:"type"`
- // Global rate limit configuration.
+ // Global defines global rate limit configuration.
 //
 // +optional
 Global *GlobalRateLimit `json:"global,omitempty"`
@@ -51,7 +49,7 @@ const (
 GlobalRateLimitType RateLimitType = "Global"
 )
-// GlobalRateLimit defines the global rate limit configuration.
+// GlobalRateLimit defines global rate limit configuration.
 type GlobalRateLimit struct {
 // Rules are a list of RateLimit selectors and limits.
 // Each rule and its associated limit is applied
@@ -116,29 +114,33 @@ type HeaderMatch struct {
 // Value within the HTTP header. Due to the
 // case-insensitivity of header names, "foo" and "Foo" are considered equivalent.
- // Do not set this field when Type="Distinct", implying matching on any/all unique values within the header.
+ // Do not set this field when Type="Distinct", implying matching on any/all unique
+ // values within the header.
+ //
 // +optional
 // +kubebuilder:validation:MaxLength=1024
 Value *string `json:"value,omitempty"`
 }
-// HeaderMatchType specifies the semantics of how HTTP header values should be
-// compared. Valid HeaderMatchType values are:
-//
-// - "Exact": Use this type to match the exact value of the Value field against the value of the specified HTTP Header.
-// - "RegularExpression": Use this type to match a regular expression against the value of the specified HTTP Header.
-// The regex string must adhere to the syntax documented in https://github.com/google/re2/wiki/Syntax.
-// - "Distinct": Use this type to match any and all possible unique values encountered in the specified HTTP Header.
-// Note that each unique value will receive its own rate limit bucket.
+// HeaderMatchType specifies the semantics of how HTTP header values should be compared.
+// Valid HeaderMatchType values are "Exact", "RegularExpression", and "Distinct".
 //
 // +kubebuilder:validation:Enum=Exact;RegularExpression;Distinct
 type HeaderMatchType string
 // HeaderMatchType constants.
 const (
- HeaderMatchExact HeaderMatchType = "Exact"
+ // HeaderMatchExact matches the exact value of the Value field against the value of
+ // the specified HTTP Header.
+ HeaderMatchExact HeaderMatchType = "Exact"
+ // HeaderMatchRegularExpression matches a regular expression against the value of the
+ // specified HTTP Header. The regex string must adhere to the syntax documented in
+ // https://github.com/google/re2/wiki/Syntax.
 HeaderMatchRegularExpression HeaderMatchType = "RegularExpression"
- HeaderMatchDistinct HeaderMatchType = "Distinct"
+ // HeaderMatchDistinct matches any and all possible unique values encountered in the
+ // specified HTTP Header. Note that each unique value will receive its own rate limit
+ // bucket.
+ HeaderMatchDistinct HeaderMatchType = "Distinct"
 )
 // RateLimitValue defines the limits for rate limiting.
@@ -148,12 +150,7 @@ type RateLimitValue struct {
 }
 // RateLimitUnit specifies the intervals for setting rate limits.
-// Valid RateLimitUnit values are:
-//
-// * "Second"
-// * "Minute"
-// * "Hour"
-// * "Day"
+// Valid RateLimitUnit values are "Second", "Minute", "Hour", and "Day".
 //
 // +kubebuilder:validation:Enum=Second;Minute;Hour;Day
 type RateLimitUnit string
diff --git a/docs/index.html b/docs/index.html
index 28a7e5e4af..3046c16dbc 100644
--- a/docs/index.html
+++ b/docs/index.html
@@ -1,5 +1,5 @@
-
+
diff --git a/docs/latest/api/config_types.md b/docs/latest/api/config_types.md
new file mode 100644
index 0000000000..e1e08a15a6
--- /dev/null
+++ b/docs/latest/api/config_types.md
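Review bot: The new `HeaderMatchDistinct` comment notes that each unique header value gets its own bucket but not what that implies for the limiter itself: the bucket key is a value the client chooses, so a client that varies the header on every request creates an unbounded number of counters in the rate-limit service (backed by the Redis database described in `config_types.md`), turning a rate-limit rule into a cardinality/memory attack on the component meant to protect the backend. The `Value` field's `MaxLength=1024` bounds one key, not how many distinct keys a client can produce. Worth saying so where operators pick the match type, e.g. `// Because buckets are keyed on client-supplied values, a client can create an unbounded number of buckets; prefer Distinct for headers whose values are constrained or set by a trusted hop.` The `HeaderMatch` struct at the top of the hunk starts outside it.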
@@ -0,0 +1,279 @@ +# API Reference + +## Packages +- [config.gateway.envoyproxy.io/v1alpha1](#configgatewayenvoyproxyiov1alpha1) + + +## config.gateway.envoyproxy.io/v1alpha1 + +Package v1alpha1 contains API schema definitions for the config.gateway.envoyproxy.io +API group. + + +### Resource Types +- [EnvoyGateway](#envoygateway) +- [EnvoyProxy](#envoyproxy) + + + +## EnvoyGateway + + + +EnvoyGateway is the schema for the envoygateways API. + + + +| Field | Description | +| --- | --- | +| `apiVersion` _string_ | `config.gateway.envoyproxy.io/v1alpha1` +| `kind` _string_ | `EnvoyGateway` +| `EnvoyGatewaySpec` _[EnvoyGatewaySpec](#envoygatewayspec)_ | EnvoyGatewaySpec defines the desired state of EnvoyGateway. | + + +## EnvoyGatewaySpec + + + +EnvoyGatewaySpec defines the desired state of Envoy Gateway. + +_Appears in:_ +- [EnvoyGateway](#envoygateway) + +| Field | Description | +| --- | --- | +| `gateway` _[Gateway](#gateway)_ | Gateway defines desired Gateway API specific configuration. If unset, default configuration parameters will apply. | +| `provider` _[Provider](#provider)_ | Provider defines the desired provider and provider-specific configuration. If unspecified, the Kubernetes provider is used with default configuration parameters. | +| `rateLimit` _[RateLimit](#ratelimit)_ | RateLimit defines the configuration associated with the Rate Limit service deployed by Envoy Gateway required to implement the Global Rate limiting functionality. The specific rate limit service used here is the reference implementation in Envoy. For more details visit https://github.com/envoyproxy/ratelimit. This configuration is unneeded for "Local" rate limiting. | + + +## EnvoyProxy + + + +EnvoyProxy is the schema for the envoyproxies API. 
+ + + +| Field | Description | +| --- | --- | +| `apiVersion` _string_ | `config.gateway.envoyproxy.io/v1alpha1` +| `kind` _string_ | `EnvoyProxy` +| `metadata` _[ObjectMeta](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.26/#objectmeta-v1-meta)_ | Refer to Kubernetes API documentation for fields of `metadata`. | +| `spec` _[EnvoyProxySpec](#envoyproxyspec)_ | EnvoyProxySpec defines the desired state of EnvoyProxy. | + + +## EnvoyProxySpec + + + +EnvoyProxySpec defines the desired state of EnvoyProxy. + +_Appears in:_ +- [EnvoyProxy](#envoyproxy) + +| Field | Description | +| --- | --- | +| `provider` _[ResourceProvider](#resourceprovider)_ | Provider defines the desired resource provider and provider-specific configuration. If unspecified, the "Kubernetes" resource provider is used with default configuration parameters. | +| `logging` _[ProxyLogging](#proxylogging)_ | Logging defines logging parameters for managed proxies. If unspecified, default settings apply. This type is not implemented until https://github.com/envoyproxy/gateway/issues/280 is fixed. | + + + + +## FileProvider + + + +FileProvider defines configuration for the File provider. + +_Appears in:_ +- [Provider](#provider) + + + +## Gateway + + + +Gateway defines the desired Gateway API configuration of Envoy Gateway. + +_Appears in:_ +- [EnvoyGatewaySpec](#envoygatewayspec) + +| Field | Description | +| --- | --- | +| `controllerName` _string_ | ControllerName defines the name of the Gateway API controller. If unspecified, defaults to "gateway.envoyproxy.io/gatewayclass-controller". See the following for additional details: https://gateway-api.sigs.k8s.io/v1alpha2/references/spec/#gateway.networking.k8s.io/v1alpha2.GatewayClass | + + +## KubernetesDeploymentSpec + + + +KubernetesDeploymentSpec defines the desired state of the Kubernetes deployment resource. 
+ +_Appears in:_ +- [KubernetesResourceProvider](#kubernetesresourceprovider) + +| Field | Description | +| --- | --- | +| `replicas` _integer_ | Replicas is the number of desired pods. Defaults to 1. | + + +## KubernetesProvider + + + +KubernetesProvider defines configuration for the Kubernetes provider. + +_Appears in:_ +- [Provider](#provider) + + + +## KubernetesResourceProvider + + + +KubernetesResourceProvider defines configuration for the Kubernetes resource provider. + +_Appears in:_ +- [ResourceProvider](#resourceprovider) + +| Field | Description | +| --- | --- | +| `envoyDeployment` _[KubernetesDeploymentSpec](#kubernetesdeploymentspec)_ | EnvoyDeployment defines the desired state of the Envoy deployment resource. If unspecified, default settings for the manged Envoy deployment resource are applied. | + + +## LogComponent + +_Underlying type:_ `string` + +LogComponent defines a component that supports a configured logging level. This type is not implemented until https://github.com/envoyproxy/gateway/issues/280 is fixed. + +_Appears in:_ +- [ProxyLogging](#proxylogging) + + + +## LogLevel + +_Underlying type:_ `string` + +LogLevel defines a log level for system logs. This type is not implemented until https://github.com/envoyproxy/gateway/issues/280 is fixed. + +_Appears in:_ +- [ProxyLogging](#proxylogging) + + + +## Provider + + + +Provider defines the desired configuration of a provider. + +_Appears in:_ +- [EnvoyGatewaySpec](#envoygatewayspec) + +| Field | Description | +| --- | --- | +| `type` _[ProviderType](#providertype)_ | Type is the type of provider to use. Supported types are "Kubernetes". | +| `kubernetes` _[KubernetesProvider](#kubernetesprovider)_ | Kubernetes defines the configuration of the Kubernetes provider. Kubernetes provides runtime configuration via the Kubernetes API. | +| `file` _[FileProvider](#fileprovider)_ | File defines the configuration of the File provider. File provides runtime configuration defined by one or more files. 
This type is not implemented until https://github.com/envoyproxy/gateway/issues/1001 is fixed. | + + +## ProviderType + +_Underlying type:_ `string` + +ProviderType defines the types of providers supported by Envoy Gateway. + +_Appears in:_ +- [Provider](#provider) +- [ResourceProvider](#resourceprovider) + + + +## ProxyLogging + + + +ProxyLogging defines logging parameters for managed proxies. This type is not implemented until https://github.com/envoyproxy/gateway/issues/280 is fixed. + +_Appears in:_ +- [EnvoyProxySpec](#envoyproxyspec) + +| Field | Description | +| --- | --- | +| `level` _object (keys:[LogComponent](#logcomponent), values:[LogLevel](#loglevel))_ | Level is a map of logging level per component, where the component is the key and the log level is the value. If unspecified, defaults to "System: Info". | + + +## RateLimit + + + +RateLimit defines the configuration associated with the Rate Limit Service used for Global Rate Limiting. + +_Appears in:_ +- [EnvoyGatewaySpec](#envoygatewayspec) + +| Field | Description | +| --- | --- | +| `backend` _[RateLimitDatabaseBackend](#ratelimitdatabasebackend)_ | Backend holds the configuration associated with the database backend used by the rate limit service to store state associated with global ratelimiting. | + + +## RateLimitDatabaseBackend + + + +RateLimitDatabaseBackend defines the configuration associated with the database backend used by the rate limit service. + +_Appears in:_ +- [RateLimit](#ratelimit) + +| Field | Description | +| --- | --- | +| `type` _[RateLimitDatabaseBackendType](#ratelimitdatabasebackendtype)_ | Type is the type of database backend to use. Supported types are: * Redis: Connects to a Redis database. | +| `redis` _[RateLimitRedisSettings](#ratelimitredissettings)_ | Redis defines the settings needed to connect to a Redis database. 
| + + +## RateLimitDatabaseBackendType + +_Underlying type:_ `string` + +RateLimitDatabaseBackendType specifies the types of database backend to be used by the rate limit service. + +_Appears in:_ +- [RateLimitDatabaseBackend](#ratelimitdatabasebackend) + + + +## RateLimitRedisSettings + + + +RateLimitRedisSettings defines the configuration for connecting to a Redis database. + +_Appears in:_ +- [RateLimitDatabaseBackend](#ratelimitdatabasebackend) + +| Field | Description | +| --- | --- | +| `url` _string_ | URL of the Redis Database. | + + +## ResourceProvider + + + +ResourceProvider defines the desired state of a resource provider. + +_Appears in:_ +- [EnvoyProxySpec](#envoyproxyspec) + +| Field | Description | +| --- | --- | +| `type` _[ProviderType](#providertype)_ | Type is the type of resource provider to use. A resource provider provides infrastructure resources for running the data plane, e.g. Envoy proxy, and optional auxiliary control planes. Supported types are "Kubernetes". | +| `kubernetes` _[KubernetesResourceProvider](#kubernetesresourceprovider)_ | Kubernetes defines the desired state of the Kubernetes resource provider. Kubernetes provides infrastructure resources for running the data plane, e.g. Envoy proxy. If unspecified and type is "Kubernetes", default settings for managed Kubernetes resources are applied. | + + diff --git a/docs/latest/api/extension_types.md b/docs/latest/api/extension_types.md new file mode 100644 index 0000000000..9479da94da --- /dev/null +++ b/docs/latest/api/extension_types.md 
@@ -0,0 +1,228 @@ +# API Reference + +## Packages +- [gateway.envoyproxy.io/v1alpha1](#gatewayenvoyproxyiov1alpha1) + + +## gateway.envoyproxy.io/v1alpha1 + +Package v1alpha1 contains API schema definitions for the gateway.envoyproxy.io API group. + + +### Resource Types +- [AuthenticationFilter](#authenticationfilter) +- [RateLimitFilter](#ratelimitfilter) + + + +## AuthenticationFilter + + + + + + + +| Field | Description | +| --- | --- | +| `apiVersion` _string_ | `gateway.envoyproxy.io/v1alpha1` +| `kind` _string_ | `AuthenticationFilter` +| `metadata` _[ObjectMeta](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.26/#objectmeta-v1-meta)_ | Refer to Kubernetes API documentation for fields of `metadata`. | +| `spec` _[AuthenticationFilterSpec](#authenticationfilterspec)_ | Spec defines the desired state of the AuthenticationFilter type. | + + +## AuthenticationFilterSpec + + + +AuthenticationFilterSpec defines the desired state of the AuthenticationFilter type. + +_Appears in:_ +- [AuthenticationFilter](#authenticationfilter) + +| Field | Description | +| --- | --- | +| `type` _[AuthenticationFilterType](#authenticationfiltertype)_ | Type defines the type of authentication provider to use. Supported provider types are "JWT". | +| `jwtProviders` _[JwtAuthenticationFilterProvider](#jwtauthenticationfilterprovider) array_ | JWT defines the JSON Web Token (JWT) authentication provider type. When multiple jwtProviders are specified, the JWT is considered valid if any of the providers successfully validate the JWT. For additional details, see https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_filters/jwt_authn_filter.html. | + + +## AuthenticationFilterType + +_Underlying type:_ `string` + +AuthenticationFilterType is a type of authentication provider. + +_Appears in:_ +- [AuthenticationFilterSpec](#authenticationfilterspec) + + + +## GlobalRateLimit + + + +GlobalRateLimit defines global rate limit configuration. 
+ +_Appears in:_ +- [RateLimitFilterSpec](#ratelimitfilterspec) + +| Field | Description | +| --- | --- | +| `rules` _[RateLimitRule](#ratelimitrule) array_ | Rules are a list of RateLimit selectors and limits. Each rule and its associated limit is applied in a mutually exclusive way i.e. if multiple rules get selected, each of their associated limits get applied, so a single traffic request might increase the rate limit counters for multiple rules if selected. | + + +## HeaderMatch + + + +HeaderMatch defines the match attributes within the HTTP Headers of the request. + +_Appears in:_ +- [RateLimitSelectCondition](#ratelimitselectcondition) + +| Field | Description | +| --- | --- | +| `type` _[HeaderMatchType](#headermatchtype)_ | Type specifies how to match against the value of the header. | +| `name` _string_ | Name of the HTTP header. | +| `value` _string_ | Value within the HTTP header. Due to the case-insensitivity of header names, "foo" and "Foo" are considered equivalent. Do not set this field when Type="Distinct", implying matching on any/all unique values within the header. | + + +## HeaderMatchType + +_Underlying type:_ `string` + +HeaderMatchType specifies the semantics of how HTTP header values should be compared. Valid HeaderMatchType values are "Exact", "RegularExpression", and "Distinct". + +_Appears in:_ +- [HeaderMatch](#headermatch) + + + +## JwtAuthenticationFilterProvider + + + +JwtAuthenticationFilterProvider defines the JSON Web Token (JWT) authentication provider type and how JWTs should be verified: + +_Appears in:_ +- [AuthenticationFilterSpec](#authenticationfilterspec) + +| Field | Description | +| --- | --- | +| `name` _string_ | Name defines a unique name for the JWT provider. A name can have a variety of forms, including RFC1123 subdomains, RFC 1123 labels, or RFC 1035 labels. | +| `issuer` _string_ | Issuer is the principal that issued the JWT and takes the form of a URL or email address. 
For additional details, see https://tools.ietf.org/html/rfc7519#section-4.1.1 for URL format and https://rfc-editor.org/rfc/rfc5322.html for email format. If not provided, the JWT issuer is not checked. | +| `audiences` _string array_ | Audiences is a list of JWT audiences allowed access. For additional details, see https://tools.ietf.org/html/rfc7519#section-4.1.3. If not provided, JWT audiences are not checked. | +| `remoteJWKS` _[RemoteJWKS](#remotejwks)_ | RemoteJWKS defines how to fetch and cache JSON Web Key Sets (JWKS) from a remote HTTP/HTTPS endpoint. | + + +## RateLimitFilter + + + +RateLimitFilter allows the user to limit the number of incoming requests to a predefined value based on attributes within the traffic flow. + + + +| Field | Description | +| --- | --- | +| `apiVersion` _string_ | `gateway.envoyproxy.io/v1alpha1` +| `kind` _string_ | `RateLimitFilter` +| `metadata` _[ObjectMeta](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.26/#objectmeta-v1-meta)_ | Refer to Kubernetes API documentation for fields of `metadata`. | +| `spec` _[RateLimitFilterSpec](#ratelimitfilterspec)_ | Spec defines the desired state of RateLimitFilter. | + + +## RateLimitFilterSpec + + + +RateLimitFilterSpec defines the desired state of RateLimitFilter. + +_Appears in:_ +- [RateLimitFilter](#ratelimitfilter) + +| Field | Description | +| --- | --- | +| `type` _[RateLimitType](#ratelimittype)_ | Type decides the scope for the RateLimits. Valid RateLimitType values are "Global". | +| `global` _[GlobalRateLimit](#globalratelimit)_ | Global defines global rate limit configuration. | + + +## RateLimitRule + + + +RateLimitRule defines the semantics for matching attributes from the incoming requests, and setting limits for them. 
+ +_Appears in:_ +- [GlobalRateLimit](#globalratelimit) + +| Field | Description | +| --- | --- | +| `clientSelectors` _[RateLimitSelectCondition](#ratelimitselectcondition) array_ | ClientSelectors holds the list of select conditions to select specific clients using attributes from the traffic flow. All individual select conditions must hold True for this rule and its limit to be applied. If this field is empty, it is equivalent to True, and the limit is applied. | +| `limit` _[RateLimitValue](#ratelimitvalue)_ | Limit holds the rate limit values. This limit is applied for traffic flows when the selectors compute to True, causing the request to be counted towards the limit. The limit is enforced and the request is ratelimited, i.e. a response with 429 HTTP status code is sent back to the client when the selected requests have reached the limit. | + + +## RateLimitSelectCondition + + + +RateLimitSelectCondition specifies the attributes within the traffic flow that can be used to select a subset of clients to be ratelimited. All the individual conditions must hold True for the overall condition to hold True. + +_Appears in:_ +- [RateLimitRule](#ratelimitrule) + +| Field | Description | +| --- | --- | +| `headers` _[HeaderMatch](#headermatch) array_ | Headers is a list of request headers to match. Multiple header values are ANDed together, meaning, a request MUST match all the specified headers. | + + +## RateLimitType + +_Underlying type:_ `string` + +RateLimitType specifies the types of RateLimiting. + +_Appears in:_ +- [RateLimitFilterSpec](#ratelimitfilterspec) + + + +## RateLimitUnit + +_Underlying type:_ `string` + +RateLimitUnit specifies the intervals for setting rate limits. Valid RateLimitUnit values are "Second", "Minute", "Hour", and "Day". + +_Appears in:_ +- [RateLimitValue](#ratelimitvalue) + + + +## RateLimitValue + + + +RateLimitValue defines the limits for rate limiting. 
+ +_Appears in:_ +- [RateLimitRule](#ratelimitrule) + +| Field | Description | +| --- | --- | +| `requests` _integer_ | | +| `unit` _[RateLimitUnit](#ratelimitunit)_ | | + + +## RemoteJWKS + + + +RemoteJWKS defines how to fetch and cache JSON Web Key Sets (JWKS) from a remote HTTP/HTTPS endpoint. + +_Appears in:_ +- [JwtAuthenticationFilterProvider](#jwtauthenticationfilterprovider) + +| Field | Description | +| --- | --- | +| `uri` _string_ | URI is the HTTPS URI to fetch the JWKS. Envoy's system trust bundle is used to validate the server certificate. | + + diff --git a/docs/latest/api_docs.rst b/docs/latest/api_docs.rst new file mode 100644 index 0000000000..b470527c50 --- /dev/null +++ b/docs/latest/api_docs.rst @@ -0,0 +1,10 @@ +API Docs +============== + +API reference documentation for Envoy Gateway. + +.. toctree:: + :maxdepth: 1 + + Config APIs + Extension APIs diff --git a/docs/latest/design/gatewayapi-support.md b/docs/latest/design/gatewayapi-support.md new file mode 100644 index 0000000000..3ca3ef207c --- /dev/null +++ b/docs/latest/design/gatewayapi-support.md 
@@ -0,0 +1,94 @@ +# Gateway API Support + +As mentioned in the [system design][] document, Envoy Gateway's managed data plane is configured dynamically through +Kubernetes resources, primarily [Gateway API][] objects. Envoy Gateway supports configuration using the following Gateway API resources. + +## **GatewayClass** + +A [GatewayClass][] is used to configure which Gateways and other reliant resources should be managed by Envoy Gateway. +Envoy Gateway supports a single GatewayClass resource linked to the Envoy Gateway controller and accepts in order of age (oldest first) if there are multiple. +The [ParametersReference][] on the GatewayClass must refer to an EnvoyProxy. + +## **Gateway** + +When a [Gateway][] resource is created that references the GatwewayClass Envoy Gateway is managing then Envoy Gateway will +create and manage a new Envoy Proxy deployment. All other Gateway API resources that are managed by this Gateway will be used +to configure the Envoy Proxy deployment that it created. Envoy Gateway does not support Multiple certificate references or Specifying an [address][] +for the Gateway. + +## **HTTPRoute** + +[HTTPRoutes][] are supported as the primary way to configure HTTP traffic in Envoy Gateway. +All of the following HTTPRoute filters are supported by Envoy Gateway. + +- `requestHeaderModifier`: [RequestHeaderModifiers](https://gateway-api.sigs.k8s.io/references/spec/#gateway.networking.k8s.io/v1beta1.HTTPRouteFilter) can be used to modify or add request headers before the request is proxied to its destination. +- `responseHeaderModifier`: [ResponseHeaderModifiers](https://gateway-api.sigs.k8s.io/references/spec/#gateway.networking.k8s.io/v1beta1.HTTPRouteFilter) can be used to modify or add response headers before the response is sent back to the client. 
+- `requestMirror`: [RequestMirrors](https://gateway-api.sigs.k8s.io/references/spec/#gateway.networking.k8s.io/v1beta1.HTTPRouteFilter) configure destinations where the requests should also be mirrored to. Responses to mirrored requests will be ignored. +- `requestRedirect`: [RequestRedirects](https://gateway-api.sigs.k8s.io/references/spec/#gateway.networking.k8s.io/v1beta1.HTTPRouteFilter) configure policied for how requests that match the HTTPRoute should be modified and then redirected. +- `urlRewrite`: [UrlRewrites](https://gateway-api.sigs.k8s.io/references/spec/#gateway.networking.k8s.io/v1beta1.HTTPRouteFilter) allow for modification of the request's hostname and path before it is proxied to its destination. +- `extensionRef`: [ExtensionRefs] are used by Envoy Gateway to add additional support for Ratelimitg and Authentication. For more information about Envoy Gateay's implementation of these filters please refer to the [Ratelimiting][] and [Authentication][] documentation. + +**Note:** currently the only [BackendRef][] kind (the destination where traffic should be sent to) that Envoy Gateway supports are [Kubernetes Services][]. Routing traffic to other destinations such as arbitrary URLs is not currently possible. + +**Note:** the `filters` field within [HTTPBackendRef][] is not supported. + +## **TCPRoute** + +[TCPRoutes][] are used to configure routing of raw TCP traffic. Traffic can be forwarded to the desired BackendRef(s) based on a port. + +**Note:** TCPRoutes only support proxying in non-transparent mode i.e. the backend will see the source IP and port of the deployed +Envoy instance instead of the client. + +## **UDPRoute** + +[UDPRoutes][] are used to configure routing of raw UDP traffic. Traffic can be forwarded to the desired BackendRef(s) based on a port. + +**Note:** Similar to TCPRoutes, UDPRoutes only support proxying in non-transparent mode i.e. 
the backend will see the source IP and port of the deployed +Envoy instance instead of the client. + +## **GRPCRoute** + +[GRPCRoutes][] configure routing of [gRPC][] requests. They offer request matching by hostname, gRPC service, gRPC method, or HTTP/2 Header. +Similar to HTTPRoutes, Envoy Gateway supports the following filters on GRPCRoutes to provide additional traffic processing. + +- `requestHeaderModifier`: [RequestHeaderModifiers](https://gateway-api.sigs.k8s.io/references/spec/#gateway.networking.k8s.io/v1alpha2.GRPCRouteFilter) can be used to modify or add request headers before the request is proxied to its destination. +- `responseHeaderModifier`: [ResponseHeaderModifiers](https://gateway-api.sigs.k8s.io/references/spec/#gateway.networking.k8s.io/v1alpha2.GRPCRouteFilter) can be used to modify or add response headers before the response is sent back to the client. +- `requestMirror`: [RequestMirrors](https://gateway-api.sigs.k8s.io/references/spec/#gateway.networking.k8s.io/v1alpha2.GRPCRouteFilter) configure destinations where the requests should also be mirrored to. Responses to mirrored requests will be ignored. + +**Note:** currently the only [BackendRef](https://gateway-api.sigs.k8s.io/references/spec/#gateway.networking.k8s.io/v1alpha2.GRPCRouteFilter) kind (the destination where traffic should be sent to) that Envoy Gateway supports are [Kubernetes Services][]. Routing traffic to other destinations such as arbitrary URLs is not currently possible + +**Note:** the `filters` field within [HTTPBackendRef][] is not supported. + +## **TLSRoute** + +[TLSRoutes][] are used similarly to TCPRoutes to configure routing of TCP traffic; however, unlike TCPRoutes, TLSRoutes can match against TLS-Specific Metadata. + +## **ReferenceGrant** + +[ReferenceGrants][] are used as a way to configure which resources in other namespaces are allowed to reference specific kinds of resources in +the namespace of the ReferenceGrant. 
Normally an HTTPRoute created in namespace `foo` is not allowed to specify a Service in the `bar` namespace as the +one of its BackendRefs. ReferenceGrants are commonly used to permit these types of cross-namespace references. Envoy Gateway supports the following use-cases for ReferenceGrants. + +- Allowing an HTTPRoute, GRPCRoute, TLSRoute, UDPRoute, or TCPRoute to include a BackendRef that references a Service that is not in the same namespace as the HTTPRoute. +- Allowing an HTTPRoute's `requestMirror` filter to include a BackendRef that references a Service that is not in the same namespace as the HTTPRoute. +- Allowing a Gateway's [SecretObjectReference][] to reference a secret that is not in the same namespace as the Gateway when configuring TLS on a Gateway. + +[System Design]: https://gateway.envoyproxy.io/latest/design/system-design.html +[Gateway API]: https://gateway-api.sigs.k8s.io/ +[GatewayClass]: https://gateway-api.sigs.k8s.io/references/spec/#gateway.networking.k8s.io/v1beta1.GatewayClass +[ParametersReference]: https://gateway-api.sigs.k8s.io/references/spec/#gateway.networking.k8s.io/v1beta1.ParametersReference +[Gateway]: https://gateway-api.sigs.k8s.io/references/spec/#gateway.networking.k8s.io/v1beta1.Gateway +[address]: https://gateway-api.sigs.k8s.io/references/spec/#gateway.networking.k8s.io/v1beta1.GatewayAddress +[HTTPRoutes]: https://gateway-api.sigs.k8s.io/references/spec/#gateway.networking.k8s.io/v1beta1.HTTPRoute +[Kubernetes Services]: https://kubernetes.io/docs/concepts/services-networking/service/ +[BackendRef]: https://gateway-api.sigs.k8s.io/references/spec/#gateway.networking.k8s.io/v1beta1.BackendRef +[HTTPBackendRef]: https://gateway-api.sigs.k8s.io/references/spec/#gateway.networking.k8s.io/v1beta1.HTTPBackendRef +[TCPRoutes]: https://gateway-api.sigs.k8s.io/references/spec/#gateway.networking.k8s.io/v1alpha2.TCPRoute +[UDPRoutes]: https://gateway-api.sigs.k8s.io/references/spec/#gateway.networking.k8s.io/v1alpha2.UDPRoute 
+[GRPCRoutes]: https://gateway-api.sigs.k8s.io/references/spec/#gateway.networking.k8s.io/v1alpha2.GRPCRoute +[gRPC]: https://grpc.io/ +[TLSRoutes]: https://gateway-api.sigs.k8s.io/references/spec/#gateway.networking.k8s.io/v1alpha2.TLSRoute +[ReferenceGrants]: https://gateway-api.sigs.k8s.io/references/spec/#gateway.networking.k8s.io%2fv1beta1.ReferenceGrant +[SecretObjectReference]: https://gateway-api.sigs.k8s.io/references/spec/#gateway.networking.k8s.io/v1beta1.SecretObjectReference +[Ratelimiting]: https://gateway.envoyproxy.io/latest/user/rate-limit.html +[Authentication]: https://gateway.envoyproxy.io/latest/user/authn.html diff --git a/docs/latest/design_docs.rst b/docs/latest/design_docs.rst index 8884d774a3..7909d933b2 100644 --- a/docs/latest/design_docs.rst +++ b/docs/latest/design_docs.rst @@ -14,4 +14,4 @@ Learn about the internal details of Envoy Gateway. design/egctl design/ratelimit design/request-authentication - \ No newline at end of file + design/gatewayapi-support diff --git a/docs/latest/dev/README.md b/docs/latest/dev/README.md index 2c4e65356f..0c3b055b61 100644 --- a/docs/latest/dev/README.md +++ b/docs/latest/dev/README.md 
@@ -126,6 +126,14 @@ Now you are able to view the running Envoy configuration by navigating to `127.0 There are many other endpoints on the [Envoy admin interface][] that may be helpful when debugging. +### JWT Testing + +An example [JSON Web Token (JWT)][jwt] and [JSON Web Key Set (JWKS)][jwks] are used for the [request authentication][] +user guide. The JWT was created by the [JWT Debugger][], using the `RS256` algorithm. The public key from the JWTs +verify signature was copied to [JWK Creator][] for generating the JWK. The JWK Creator was configured with matching +settings, i.e. `Signing` public key use and the `RS256` algorithm. The generated JWK was wrapped in a JWKS structure +and is hosted in the repo. + [Quickstart]: https://github.com/envoyproxy/gateway/blob/main/docs/user/quickstart.md [make]: https://www.gnu.org/software/make/ [Github Actions]: https://docs.github.com/en/actions @@ -137,3 +145,8 @@ There are many other endpoints on the [Envoy admin interface][] that may be help [gateway-dev]: https://hub.docker.com/r/envoyproxy/gateway-dev/tags [mac_connect]: https://github.com/chipmk/docker-mac-net-connect [Envoy admin interface]: https://www.envoyproxy.io/docs/envoy/latest/operations/admin#operations-admin-interface +[jwt]: https://tools.ietf.org/html/rfc7519 +[jwks]: https://tools.ietf.org/html/rfc7517 +[request authentication]: https://gateway.envoyproxy.io/latest/user/authn.html +[JWT Debugger]: https://jwt.io/ +[JWK Creator]: https://russelldavies.github.io/jwk-creator/ diff --git a/docs/latest/dev/releasing.md b/docs/latest/dev/releasing.md index a4f5bb861e..f0004caf33 100644 --- a/docs/latest/dev/releasing.md +++ b/docs/latest/dev/releasing.md 
@@ -55,7 +55,7 @@ export GITHUB_REMOTE=origin 11. Push the tag to the Envoy Gateway repository. ```shell - git push v${MAJOR_VERSION}.${MINOR_VERSION}.0-rc.${RELEASE_CANDIDATE_NUMBER} + git push ${GITHUB_REMOTE} v${MAJOR_VERSION}.${MINOR_VERSION}.0-rc.${RELEASE_CANDIDATE_NUMBER} ``` 12. This will trigger the [release GitHub action][] that generates the release, release artifacts, etc. @@ -109,7 +109,27 @@ export GITHUB_REMOTE=origin git checkout -b release/v${MAJOR_VERSION}.${MINOR_VERSION} $GITHUB_REMOTE/release/v${MAJOR_VERSION}.${MINOR_VERSION} ``` -6. Tag the head of your release branch with the release tag. For example: +6. If the tip of the release branch does not match the tip of `main`, perform the following: + + 1. Create a topic branch from the release branch. + 2. Cherry-pick the commits from `main` that differ from the release branch. + 3. Run tests locally, e.g. `make lint`. + 4. Sign, commit, and push your topic branch to your Envoy Gateway fork. + 5. Submit a PR to merge the topic from of your fork into the Envoy Gateway release branch. + 6. Do not proceed until the PR has merged and CI passes for the merged PR. + 7. If you are still on your topic branch, change to the release branch: + + ```shell + git checkout release/v${MAJOR_VERSION}.${MINOR_VERSION} + ``` + + 8. Ensure your local release branch is up-to-date: + + ```shell + git pull $GITHUB_REMOTE release/v${MAJOR_VERSION}.${MINOR_VERSION} + ``` + +7. Tag the head of your release branch with the release tag. For example: ```shell git tag -a v${MAJOR_VERSION}.${MINOR_VERSION}.0 -m 'Envoy Gateway v${MAJOR_VERSION}.${MINOR_VERSION}.0 Release' 
@@ -117,18 +137,18 @@ export GITHUB_REMOTE=origin __Note:__ The tag version differs from the release branch by including the `.0` patch version. -7. Push the tag to the Envoy Gateway repository. +8. Push the tag to the Envoy Gateway repository. ```shell git push origin v${MAJOR_VERSION}.${MINOR_VERSION}.0 ``` -8. This will trigger the [release GitHub action][] that generates the release, release artifacts, etc. -9. Confirm that the [release workflow][] completed successfully. -10. Confirm that the Envoy Gateway [image][] with the correct release tag was published to Docker Hub. -11. Confirm that the [release][] was created. -12. Confirm that the steps in the [Quickstart Guide][] work as expected. -13. [Generate][] the GitHub changelog and include the following text at the beginning of the release page: +9. This will trigger the [release GitHub action][] that generates the release, release artifacts, etc. +10. Confirm that the [release workflow][] completed successfully. +11. Confirm that the Envoy Gateway [image][] with the correct release tag was published to Docker Hub. +12. Confirm that the [release][] was created. +13. Confirm that the steps in the [Quickstart Guide][] work as expected. +14. [Generate][] the GitHub changelog and include the following text at the beginning of the release page: ```console # Release Announcement diff --git a/docs/latest/index.rst b/docs/latest/index.rst index 7da20035f4..b31be95cc0 100644 --- a/docs/latest/index.rst +++ b/docs/latest/index.rst @@ -18,6 +18,7 @@ you are interested in using or contributing to Envoy Gateway, the following reso user_docs design_docs dev_docs + api_docs releases roadmap about_docs diff --git a/docs/latest/intro/compatibility.rst b/docs/latest/intro/compatibility.rst index 979c89983e..bffbd8997d 100644 --- a/docs/latest/intro/compatibility.rst +++ b/docs/latest/intro/compatibility.rst 
@@ -10,9 +10,11 @@ and the Gateway API actually compiled into each Envoy Gateway release. +--------------------------+---------------------+---------------------+----------------------------+ | Envoy Gateway version | Envoy Proxy version | Gateway API version | Kubernetes version | +--------------------------+---------------------+---------------------+----------------------------+ +| v0.3.0 | **v1.25-latest** | **v0.6.1** | v1.24, v1.25, v1.26 | ++--------------------------+---------------------+---------------------+----------------------------+ | v0.2.0 | **v1.23-latest** | **v0.5.1** | v1.24 | +--------------------------+---------------------+---------------------+----------------------------+ -| latest | **dev-latest** | **v0.5.1** | v1.23.6, v1.24, v1.25 | +| latest | **dev-latest** | **v0.6.1** | v1.24, v1.25, v1.26 | +--------------------------+---------------------+---------------------+----------------------------+ .. note:: diff --git a/docs/latest/releases.rst b/docs/latest/releases.rst index 090c6707fd..20d05b25ac 100644 --- a/docs/latest/releases.rst +++ b/docs/latest/releases.rst @@ -8,3 +8,4 @@ Learn more about Envoy Gateway releases. releases/README releases/v0.2 + releases/v0.3 diff --git a/docs/latest/releases/v0.3.md b/docs/latest/releases/v0.3.md new file mode 100644 index 0000000000..96d6d6d49e --- /dev/null +++ b/docs/latest/releases/v0.3.md 
@@ -0,0 +1,50 @@
+---
+title: Announcing Envoy Gateway v0.3
+linktitle: v0.3
+subtitle: Major Update
+description: Envoy Gateway v0.3 release announcement.
+publishdate: 2023-02-09
+release: v0.3.0
+skip_list: true
+aliases:
+- /releases/v0.3
+- /releases/v0.3.0
+---
+# Envoy Gateway Release v0.3
+
+We are pleased to announce the release of Envoy Gateway v0.3!
+
+This is the second functional release of Envoy Gateway. We would like to thank the entire Envoy Gateway community for
+helping publish the release.
+
+| [Release Notes][] | [Docs][docs] | [Compatibility Matrix][matrix] | [Download][] |
+|-------------------|--------------|--------------------------------|--------------|
+
+## What's New
+
+The release adds a ton of features and functionality. Here are some highlights:
+
+### Add Support for extended Gateway API fields
+
++ Added Support for HTTPRoute URLRewrite Filter
++ Added Support for HTTPRoute RequestMirror Filter
++ Added Support for HTTPRoute ResponseHeaderModifier Filter
+
+### Add Support for experimental Gateway APIs
+
++ Added Support for the TCPRoute API
++ Added Support for the UDPRoute API
++ Added Support for the GRPCRoute API
+
+### Add Support for Rate Limiting
+
++ Added Support for Global Rate Limiting
+
+### Add Support for Authentication
+
++ Added Support for Request Authentication
+
+[Release Notes]: https://github.com/envoyproxy/gateway/blob/main/release-notes/v0.3.0.yaml
+[matrix]: https://gateway.envoyproxy.io/v0.3.0/intro/compatibility.html
+[docs]: https://gateway.envoyproxy.io/v0.3.0/index.html
+[Download]: https://github.com/envoyproxy/gateway/releases/tag/v0.3.0
diff --git a/docs/latest/user/authn.md b/docs/latest/user/authn.md
new file mode 100644
index 0000000000..ed86ad46c2
--- /dev/null
+++ b/docs/latest/user/authn.md
@@ -0,0 +1,94 @@
+# Request Authentication
+
+This guide provides instructions for configuring [JSON Web Token (JWT)][jwt] authentication. JWT authentication checks
+if an incoming request has a valid JWT before routing the request to a backend service. Currently, Envoy Gateway only
+supports validating a JWT from an HTTP header, e.g. `Authorization: Bearer `.
+
+## Installation
+
+Follow the steps from the [Quickstart](quickstart.md) guide to install Envoy Gateway and the example manifest.
+Before proceeding, you should be able to query the example backend using HTTP.
+
+## Configuration
+
+Allow requests with a valid JWT by creating an [AuthenticationFilter][] and referencing it from the example HTTPRoute.
+
+```shell
+kubectl apply -f https://raw.githubusercontent.com/envoyproxy/gateway/latest/examples/kubernetes/authn/jwt.yaml
+```
+
+The HTTPRoute is now updated to authenticate requests for `/foo` and allow unauthenticated requests to `/bar`. The
+`/foo` route rule references an AuthenticationFilter that provides the JWT authentication configuration.
+
+Verify the HTTPRoute configuration and status:
+
+```shell
+kubectl get httproute/backend -o yaml
+```
+
+The AuthenticationFilter is configured for JWT authentication and uses a single [JSON Web Key Set (JWKS)][jwks]
+provider for authenticating the JWT.
+
+Verify the AuthenticationFilter configuration:
+
+```shell
+kubectl get authenticationfilter/jwt-example -o yaml
+```
+
+## Testing
+
+Ensure the `GATEWAY_HOST` environment variable from the [Quickstart](quickstart.md) guide is set. If not, follow the
+Quickstart instructions to set the variable.
+
+```shell
+echo $GATEWAY_HOST
+```
+
+Verify that requests to `/foo` are denied without a JWT:
+
+```shell
+curl -sS -o /dev/null -H "Host: www.example.com" -w "%{http_code}\n" http://$GATEWAY_HOST/foo
+```
+
+A `401` HTTP response code should be returned.
+
+Get the JWT used for testing request authentication:
+
+```shell
+TOKEN=$(curl https://raw.githubusercontent.com/envoyproxy/gateway/main/examples/kubernetes/authn/test.jwt -s) && echo "$TOKEN" | cut -d '.' -f2 - | base64 --decode -
+```
+
+__Note:__ The above command decodes and returns the token's payload. You can replace `f2` with `f1` to view the token's
+header.
+
+Verify that a request to `/foo` with a valid JWT is allowed:
+
+```shell
+curl -sS -o /dev/null -H "Host: www.example.com" -H "Authorization: Bearer $TOKEN" -w "%{http_code}\n" http://$GATEWAY_HOST/foo
+```
+
+A `200` HTTP response code should be returned.
+
+Verify that requests to `/bar` are allowed __without__ a JWT:
+
+```shell
+curl -sS -o /dev/null -H "Host: www.example.com" -w "%{http_code}\n" http://$GATEWAY_HOST/bar
+```
+
+## Clean-Up
+
+Follow the steps from the [Quickstart](quickstart.md) guide to uninstall Envoy Gateway and the example manifest.
+
+Delete the AuthenticationFilter:
+
+```shell
+kubectl delete authenticationfilter/jwt-example
+```
+
+## Next Steps
+
+Checkout the [Developer Guide](../dev/README.md) to get involved in the project.
+
+[jwt]: https://tools.ietf.org/html/rfc7519
+[AuthenticationFilter]: https://github.com/envoyproxy/gateway/blob/main/api/v1alpha1/authenticationfilter_types.go
+[jwks]: https://tools.ietf.org/html/rfc7517
diff --git a/docs/latest/user/grpc-routing.md b/docs/latest/user/grpc-routing.md
new file mode 100644
index 0000000000..0cdce78a13
--- /dev/null
+++ b/docs/latest/user/grpc-routing.md
@@ -0,0 +1,100 @@
+# GRPC Routing
+
+The [GRPCRoute][] resource allows users to configure gRPC routing by matching HTTP/2 traffic and forwarding it to backend gRPC servers.
+To learn more about gRPC routing, refer to the [Gateway API documentation][].
+
+## Prerequisites
+
+Install Envoy Gateway:
+
+```shell
+kubectl apply -f https://github.com/envoyproxy/gateway/releases/download/latest/install.yaml
+```
+
+Wait for Envoy Gateway to become available:
+
+```shell
+kubectl wait --timeout=5m -n envoy-gateway-system deployment/envoy-gateway --for=condition=Available
+```
+
+## Installation
+
+Install the gRPC routing example resources:
+
+```shell
+kubectl apply -f https://raw.githubusercontent.com/envoyproxy/gateway/latest/examples/kubernetes/grpc-routing.yaml
+```
+
+The manifest installs a [GatewayClass][], [Gateway][], a Deployment, a Service, and a GRPCRoute resource.
+The GatewayClass is a cluster-scoped resource that represents a class of Gateways that can be instantiated.
+
+__Note:__ Envoy Gateway is configured by default to manage a GatewayClass with
+`controllerName: gateway.envoyproxy.io/gatewayclass-controller`.
+
+## Verification
+
+Check the status of the GatewayClass:
+
+```shell
+kubectl get gc --selector=example=grpc-routing
+```
+
+The status should reflect "Accepted=True", indicating Envoy Gateway is managing the GatewayClass.
+
+A Gateway represents configuration of infrastructure. When a Gateway is created, [Envoy proxy][] infrastructure is
+provisioned or configured by Envoy Gateway. The `gatewayClassName` defines the name of a GatewayClass used by this
+Gateway. Check the status of the Gateway:
+
+```shell
+kubectl get gateways --selector=example=grpc-routing
+```
+
+The status should reflect "Ready=True", indicating the Envoy proxy infrastructure has been provisioned. The status also
+provides the address of the Gateway. This address is used later in the guide to test connectivity to proxied backend
+services.
+
+Check the status of the GRPCRoute:
+
+```shell
+kubectl get grpcroutes --selector=example=grpc-routing -o yaml
+```
+
+The status for the GRPCRoute should surface "Accepted=True" and a `parentRef` that references the example Gateway.
+The `example-route` matches any traffic for "grpc-example.com" and forwards it to the "yages" Service.
+
+## Testing the Configuration
+
+Before testing GRPC routing to the `yages` backend, get the Gateway's address.
+
+```shell
+export GATEWAY_HOST=$(kubectl get gateway/example-gateway -o jsonpath='{.status.addresses[0].value}')
+```
+
+Test GRPC routing to the `yages` backend using the [grpcurl][] command.
+
+```shell
+grpcurl -plaintext -authority=grpc-example.com ${GATEWAY_HOST}:80 yages.Echo/Ping
+```
+
+You should see the below response
+
+```shell
+{
+ "text": "pong"
+}
+```
+
+Envoy Gateway also supports [gRPC-Web][] requests for this configuration. The below `curl` command can be used to send a grpc-Web request with over HTTP/2. You should receive the same response seen in the previous command.
+
+```shell
+curl --http2-prior-knowledge -s ${GATEWAY_HOST}:80/yages.Echo/Ping -H 'Host: grpc-example.com' -H 'Content-Type: application/grpc-web-text' -H 'Accept: application/grpc-web-text' -XPOST -d'AAAAAAA=' | base64 -d
+```
+
+
+[GRPCRoute]: https://gateway-api.sigs.k8s.io/api-types/grpcroute/
+[Gateway API documentation]: https://gateway-api.sigs.k8s.io/
+[GatewayClass]: https://gateway-api.sigs.k8s.io/api-types/gatewayclass/
+[Gateway]: https://gateway-api.sigs.k8s.io/api-types/gateway/
+[Envoy proxy]: https://www.envoyproxy.io/
+[grpcurl]: https://github.com/fullstorydev/grpcurl
+[gRPC-Web]: https://github.com/grpc/grpc/blob/master/doc/PROTOCOL-WEB.md#protocol-differences-vs-grpc-over-http2
diff --git a/docs/latest/user/rate-limit.md b/docs/latest/user/rate-limit.md
new file mode 100644
index 0000000000..7556425318
--- /dev/null
+++ b/docs/latest/user/rate-limit.md
@@ -0,0 +1,489 @@ +# Rate limit + +Rate limit is a feature that allows the user to limit the number of incoming requests to a predefined value based on attributes within the traffic flow. + +Here are some reasons why you may want to implements Rate limits + +* To prevent malicious activity such as DDoS attacks. +* To prevent applications and its resources (such as a database) from getting overloaded. +* To create API limits based on user entitlements. + +Envoy Gateway supports [Global rate limiting][], where the rate limit is common across all the instances of Envoy proxies where its applied +i.e. if the data plane has 2 replicas of Envoy running, and the rate limit is 10 requests/second, this limit is common and will be hit +if 5 requests pass through the first replica and 5 requests pass through the second replica within the same second. + +Envoy Gateway introduces a new CRD called [RateLimitFilter][] that allows the user to describe their rate limit intent. This instantiated resource +can be linked to a [HTTPRoute][] resource using an [ExtensionRef][] filter. + +## Prerequisites + +### Install Envoy Gateway + +* Follow the steps from the [Quickstart Guide](quickstart.md) to install Envoy Gateway and the example manifest. +Before proceeding, you should be able to query the example backend using HTTP. + +### Install Redis + +* The global rate limit feature is based on [Envoy Ratelimit][] which requires a Redis instance as its caching layer. +Lets install a Redis deployment in the `redis-system` namespce. + +```shell +cat < + Extension APIs diff --git a/docs/v0.3.0/conf.py b/docs/v0.3.0/conf.py new file mode 100644 index 0000000000..76ef571754 --- /dev/null +++ b/docs/v0.3.0/conf.py 
@@ -0,0 +1,43 @@
+import os
+
+# Add any Sphinx extension module names here, as strings. They can be
+# extensions coming with Sphinx (named 'sphinx.ext.*') or your custom
+# ones.
+extensions = [
+ 'sphinx.ext.duration',
+ 'sphinx.ext.autosectionlabel',
+ 'myst_parser',
+]
+
+autosectionlabel_prefix_document = True
+myst_heading_anchors = 3
+
+html_theme = 'alabaster'
+
+# The master toctree document.
+master_doc = 'index'
+
+# General information about the project.
+version = os.environ["BUILD_VERSION"]
+envoyVersion = os.environ["ENVOY_PROXY_VERSION"]
+gatewayAPIVersion = os.environ["GATEWAYAPI_VERSION"]
+
+project = 'Envoy Gateway'
+author = 'Envoy Gateway Project Authors'
+
+copyright = 'Envoy Gateway Project Authors | GitHub | Latest Docs'
+
+source_suffix = {
+ '.rst': 'restructuredtext',
+ '.md': 'markdown',
+}
+
+variables_to_export = [
+ "version",
+ "envoyVersion",
+ "gatewayAPIVersion",
+]
+
+frozen_locals = dict(locals())
+rst_epilog = '\n'.join(map(lambda x: f".. |{x}| replace:: {frozen_locals[x]}", variables_to_export))
+del frozen_locals
diff --git a/docs/v0.3.0/design/config-api.md b/docs/v0.3.0/design/config-api.md
new file mode 100644
index 0000000000..3696860dd5
--- /dev/null
+++ b/docs/v0.3.0/design/config-api.md
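Review bot: The `frozen_locals = dict(locals())` / `map(lambda …)` / `del frozen_locals` sequence at the end of conf.py is an indirect way to build `rst_epilog`; since `version`, `envoyVersion` and `gatewayAPIVersion` are module-level names, a generator expression does the same without the temporary and the trailing `del`: `rst_epilog = '\n'.join(f".. |{x}| replace:: {globals()[x]}" for x in variables_to_export)`. The three `os.environ[...]` lookups fail with a bare `KeyError` naming only the variable when the build runs without `BUILD_VERSION`, `ENVOY_PROXY_VERSION` or `GATEWAYAPI_VERSION` set, which is acceptable for CI but worth a one-line comment above them, e.g. `# All three are required; the release/docs workflow exports them.` This file appears to be the versioned copy of the latest docs config, so any change should be made in the file it is copied from rather than here alone.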
@@ -0,0 +1,350 @@ +# Configuration API Design + +## Motivation + +[Issue 51][issue_51] specifies the need to design an API for configuring Envoy Gateway. The control plane is configured +statically at startup and the data plane is configured dynamically through Kubernetes resources, primarily +[Gateway API][gw_api] objects. Refer to the Envoy Gateway [design doc][design_doc] for additional details regarding +Envoy Gateway terminology and configuration. + +## Goals + +* Define an __initial__ API to configure Envoy Gateway at startup. +* Define an __initial__ API for configuring the managed data plane, e.g. Envoy proxies. + +## Non-Goals + +* Implementation of the configuration APIs. +* Define the `status` subresource of the configuration APIs. +* Define a __complete__ set of APIs for configuring Envoy Gateway. As stated in the [Goals](#goals), this document + defines the initial configuration APIs. +* Define an API for deploying/provisioning/operating Envoy Gateway. If needed, a future Envoy Gateway operator would be + responsible for designing and implementing this type of API. +* Specify tooling for managing the API, e.g. generate protos, CRDs, controller RBAC, etc. + +## Control Plane API + +The `EnvoyGateway` API defines the control plane configuration, e.g. Envoy Gateway. Key points of this API are: + +* It will define Envoy Gateway's startup configuration file. If the file does not exist, Envoy Gateway will start up + with default configuration parameters. +* EnvoyGateway inlines the `TypeMeta` API. This allows EnvoyGateway to be versioned and managed as a GroupVersionKind + scheme. +* EnvoyGateway does not contain a metadata field since it's currently represented as a static configuration file instead of + a Kubernetes resource. +* Since EnvoyGateway does not surface status, EnvoyGatewaySpec is inlined. +* If data plane static configuration is required in the future, Envoy Gateway will use a separate file for this purpose. 
+ +The `v1alpha1` version and `config.gateway.envoyproxy.io` API group get generated: + +```go +// gateway/api/config/v1alpha1/doc.go + +// Package v1alpha1 contains API Schema definitions for the config.gateway.envoyproxy.io API group. +// +// +groupName=config.gateway.envoyproxy.io +package v1alpha1 +``` + +The initial `EnvoyGateway` API: + +```go +// gateway/api/config/v1alpha1/envoygateway.go + +package valpha1 + +import ( + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" +) + +// EnvoyGateway is the Schema for the envoygateways API +type EnvoyGateway struct { + metav1.TypeMeta `json:",inline"` + + // EnvoyGatewaySpec defines the desired state of Envoy Gateway. + EnvoyGatewaySpec `json:",inline"` +} + +// EnvoyGatewaySpec defines the desired state of Envoy Gateway configuration. +type EnvoyGatewaySpec struct { + // Gateway defines Gateway-API specific configuration. If unset, default + // configuration parameters will apply. + // + // +optional + Gateway *Gateway `json:"gateway,omitempty"` + + // Provider defines the desired provider configuration. If unspecified, + // the Kubernetes provider is used with default parameters. + // + // +optional + Provider *Provider `json:"provider,omitempty"` +} + +// Gateway defines desired Gateway API configuration of Envoy Gateway. +type Gateway struct { + // ControllerName defines the name of the Gateway API controller. If unspecified, + // defaults to "gateway.envoyproxy.io/gatewayclass-controller". See the following + // for additional details: + // + // https://gateway-api.sigs.k8s.io/v1alpha2/references/spec/#gateway.networking.k8s.io/v1alpha2.GatewayClass + // + // +optional + ControllerName string `json:"controllerName,omitempty"` +} + +// Provider defines the desired configuration of a provider. +// +union +type Provider struct { + // Type is the type of provider to use. If unset, the Kubernetes provider is used. 
+ // + // +unionDiscriminator + Type ProviderType `json:"type,omitempty"` + // Kubernetes defines the configuration of the Kubernetes provider. Kubernetes + // provides runtime configuration via the Kubernetes API. + // + // +optional + Kubernetes *KubernetesProvider `json:"kubernetes,omitempty"` + + // File defines the configuration of the File provider. File provides runtime + // configuration defined by one or more files. + // + // +optional + File *FileProvider `json:"file,omitempty"` +} + +// ProviderType defines the types of providers supported by Envoy Gateway. +type ProviderType string + +const ( + // KubernetesProviderType defines the "Kubernetes" provider. + KubernetesProviderType ProviderType = "Kubernetes" + + // FileProviderType defines the "File" provider. + FileProviderType ProviderType = "File" +) + +// KubernetesProvider defines configuration for the Kubernetes provider. +type KubernetesProvider struct { + // TODO: Add config as use cases are better understood. +} + +// FileProvider defines configuration for the File provider. +type FileProvider struct { + // TODO: Add config as use cases are better understood. +} +``` + +__Note:__ Provider-specific configuration is defined in the `{$PROVIDER_NAME}Provider` API. + +### Gateway + +Gateway defines desired configuration of [Gateway API][gw_api] controllers that reconcile and translate Gateway API +resources into the Intermediate Representation (IR). Refer to the Envoy Gateway [design doc][design_doc] for additional +details. + +### Provider + +Provider defines the desired configuration of an Envoy Gateway provider. A provider is an infrastructure component that +Envoy Gateway calls to establish its runtime configuration. Provider is a [union type][union]. Therefore, Envoy Gateway +can be configured with only one provider based on the `type` discriminator field. Refer to the Envoy Gateway +[design doc][design_doc] for additional details. 
+ +### Control Plane Configuration + +The configuration file is defined by the EnvoyGateway API type. At startup, Envoy Gateway searches for the configuration +at "/etc/envoy-gateway/config.yaml". + +Start Envoy Gateway: + +```shell +$ ./envoy-gateway +``` + +Since the configuration file does not exist, Envoy Gateway will start with default configuration parameters. + +The Kubernetes provider can be configured explicitly using `provider.kubernetes`: + +```yaml +$ cat << EOF > /etc/envoy-gateway/config.yaml +apiVersion: config.gateway.envoyproxy.io/v1alpha1 +kind: EnvoyGateway +provider: + type: Kubernetes + kubernetes: {} +EOF +``` + +This configuration will cause Envoy Gateway to use the Kubernetes provider with default configuration parameters. + +The Kubernetes provider can be configured using the `provider` field. For example, the `foo` field can be set to "bar": + +```yaml +$ cat << EOF > /etc/envoy-gateway/config.yaml +apiVersion: config.gateway.envoyproxy.io/v1alpha1 +kind: EnvoyGateway +provider: + type: Kubernetes + kubernetes: + foo: bar +EOF +``` + +__Note:__ The Provider API from the Kubernetes package is currently undefined and `foo: bar` is provided for +illustration purposes only. + +The same API structure is followed for each supported provider. The following example causes Envoy Gateway to use the +File provider: + +```yaml +$ cat << EOF > /etc/envoy-gateway/config.yaml +apiVersion: config.gateway.envoyproxy.io/v1alpha1 +kind: EnvoyGateway +provider: + type: File + file: + foo: bar +EOF +``` + +__Note:__ The Provider API from the File package is currently undefined and `foo: bar` is provided for illustration +purposes only. + +Gateway API-related configuration is expressed through the `gateway` field. If unspecified, Envoy Gateway will use +default configuration parameters for `gateway`. 
The following example causes the [GatewayClass][gc] controller to +manage GatewayClasses with controllerName `foo` instead of the default `gateway.envoyproxy.io/gatewayclass-controller`: + +```yaml +$ cat << EOF > /etc/envoy-gateway/config.yaml +apiVersion: config.gateway.envoyproxy.io/v1alpha1 +kind: EnvoyGateway +gateway: + controllerName: foo +``` + +With any of the above configuration examples, Envoy Gateway can be started without any additional arguments: + +```shell +$ ./envoy-gateway +``` + +## Data Plane API + +The data plane is configured dynamically through Kubernetes resources, primarily [Gateway API][gw_api] objects. +Optionally, the data plane infrastructure can be configured by referencing a [custom resource (CR)][cr] through +`spec.parametersRef` of the managed GatewayClass. The `EnvoyProxy` API defines the data plane infrastructure +configuration and is represented as the CR referenced by the managed GatewayClass. Key points of this API are: + +* If unreferenced by `gatewayclass.spec.parametersRef`, default parameters will be used to configure the data plane + infrastructure, e.g. expose Envoy network endpoints using a LoadBalancer service. +* Envoy Gateway will follow Gateway API [recommendations][gc] regarding updates to the EnvoyProxy CR: + > It is recommended that this resource be used as a template for Gateways. This means that a Gateway is based on the + > state of the GatewayClass at the time it was created and changes to the GatewayClass or associated parameters are + > not propagated down to existing Gateways. + +The initial `EnvoyProxy` API: + +```go +// gateway/api/config/v1alpha1/envoyproxy.go + +package v1alpha1 + +import ( + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" +) + +// EnvoyProxy is the Schema for the envoyproxies API. 
+type EnvoyProxy struct { + metav1.TypeMeta `json:",inline"` + metav1.ObjectMeta `json:"metadata,omitempty"` + + Spec EnvoyProxySpec `json:"spec,omitempty"` + Status EnvoyProxyStatus `json:"status,omitempty"` +} + +// EnvoyProxySpec defines the desired state of Envoy Proxy infrastructure +// configuration. +type EnvoyProxySpec struct { + // Undefined by this design spec. +} + +// EnvoyProxyStatus defines the observed state of EnvoyProxy. +type EnvoyProxyStatus struct { + // Undefined by this design spec. +} +``` + +The EnvoyProxySpec and EnvoyProxyStatus fields will be defined in the future as proxy infrastructure configuration use +cases are better understood. + +### Data Plane Configuration + +GatewayClass and Gateway resources define the data plane infrastructure. Note that all examples assume Envoy Gateway is +running with the Kubernetes provider. + +```yaml +apiVersion: gateway.networking.k8s.io/v1beta1 +kind: GatewayClass +metadata: + name: example-class +spec: + controllerName: gateway.envoyproxy.io/gatewayclass-controller +--- +apiVersion: gateway.networking.k8s.io/v1beta1 +kind: Gateway +metadata: + name: example-gateway +spec: + gatewayClassName: example-class + listeners: + - name: http + protocol: HTTP + port: 80 +``` + +Since the GatewayClass does not define `spec.parametersRef`, the data plane is provisioned using default configuration +parameters. The Envoy proxies will be configured with a http listener and a Kubernetes LoadBalancer service listening +on port 80. 
+ +The following example will configure the data plane to use a ClusterIP service instead of the default LoadBalancer +service: + +```yaml +apiVersion: gateway.networking.k8s.io/v1beta1 +kind: GatewayClass +metadata: + name: example-class +spec: + controllerName: gateway.envoyproxy.io/gatewayclass-controller + parametersRef: + name: example-config + group: config.gateway.envoyproxy.io + kind: EnvoyProxy +--- +apiVersion: gateway.networking.k8s.io/v1beta1 +kind: Gateway +metadata: + name: example-gateway +spec: + gatewayClassName: example-class + listeners: + - name: http + protocol: HTTP + port: 80 +--- +apiVersion: config.gateway.envoyproxy.io/v1alpha1 +kind: EnvoyProxy +metadata: + name: example-config +spec: + networkPublishing: + type: ClusterIPService +``` + +__Note:__ The NetworkPublishing API is currently undefined and is provided here for illustration purposes only. + +[issue_51]: https://github.com/envoyproxy/gateway/issues/51 +[design_doc]: https://github.com/envoyproxy/gateway/blob/main/docs/design/SYSTEM_DESIGN.md +[gw_api]: https://gateway-api.sigs.k8s.io/ +[gc]: https://gateway-api.sigs.k8s.io/v1alpha2/references/spec/#gateway.networking.k8s.io/v1alpha2.GatewayClass +[cr]: https://kubernetes.io/docs/concepts/extend-kubernetes/api-extension/custom-resources/ +[union]: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#unions diff --git a/docs/v0.3.0/design/egctl.md b/docs/v0.3.0/design/egctl.md new file mode 100644 index 0000000000..53a5e7b998 --- /dev/null +++ b/docs/v0.3.0/design/egctl.md 
@@ -0,0 +1,56 @@
+# Introduce egctl
+
+## Motivation
+
+EG should provide a command line tool with following capabilities:
+
+- Collect configuration from envoy proxy and gateway
+- Analyse system configuration to diagnose any issues in envoy gateway
+
+This tool is named `egctl`.
+
+## Syntax
+
+Use the following syntax to run `egctl` commands from your terminal window:
+
+```console
+egctl [command] [entity] [name] [flags]
+```
+
+where `command`, `name`, and `flags` are:
+
+* `command`: Specifies the operation that you want to perform on one or more resources,
+ for example `config`, `version`.
+
+* `entity`: Specifies the entity the operation is being performed on such as `envoy-proxy` or `envoy-gateway`.
+
+* `name`: Specifies the name of the specified instance.
+
+* `flags`: Specifies optional flags. For example, you can use the `-c` or `--config` flags to specify the values for installing.
+
+If you need help, run `egctl help` from the terminal window.
+
+## Operation
+
+The following table includes short descriptions and the general syntax for all the `egctl` operations:
+
+| Operation | Syntax | Description |
+| --------- | -------------------------------- | --------------------------------------------------------------------------- |
+| `version` | `egctl version` | Prints out build version information. |
+| `config` | `egctl config ENTITY` | Retrieve information about proxy configuration from envoy proxy and gateway |
+| `analyze` | `egctl analyze` | Analyze EG configuration and print validation messages |
+
+## Examples
+
+Use the following set of examples to help you familiarize yourself with running the commonly used `egctl` operations:
+
+```console
+# Retrieve all information about proxy configuration from envoy
+egctl config envoy-proxy all
+
+# Retrieve listener information about proxy configuration from envoy
+egctl config envoy-proxy listener
+
+# Retrieve information about envoy gateway
+egctl config envoy-gateway
+```
diff --git a/docs/v0.3.0/design/gatewayapi-support.md b/docs/v0.3.0/design/gatewayapi-support.md
new file mode 100644
index 0000000000..3ca3ef207c
--- /dev/null
+++ b/docs/v0.3.0/design/gatewayapi-support.md
@@ -0,0 +1,94 @@ +# Gateway API Support + +As mentioned in the [system design][] document, Envoy Gateway's managed data plane is configured dynamically through +Kubernetes resources, primarily [Gateway API][] objects. Envoy Gateway supports configuration using the following Gateway API resources. + +## **GatewayClass** + +A [GatewayClass][] is used to configure which Gateways and other reliant resources should be managed by Envoy Gateway. +Envoy Gateway supports a single GatewayClass resource linked to the Envoy Gateway controller and accepts in order of age (oldest first) if there are multiple. +The [ParametersReference][] on the GatewayClass must refer to an EnvoyProxy. + +## **Gateway** + +When a [Gateway][] resource is created that references the GatwewayClass Envoy Gateway is managing then Envoy Gateway will +create and manage a new Envoy Proxy deployment. All other Gateway API resources that are managed by this Gateway will be used +to configure the Envoy Proxy deployment that it created. Envoy Gateway does not support Multiple certificate references or Specifying an [address][] +for the Gateway. + +## **HTTPRoute** + +[HTTPRoutes][] are supported as the primary way to configure HTTP traffic in Envoy Gateway. +All of the following HTTPRoute filters are supported by Envoy Gateway. + +- `requestHeaderModifier`: [RequestHeaderModifiers](https://gateway-api.sigs.k8s.io/references/spec/#gateway.networking.k8s.io/v1beta1.HTTPRouteFilter) can be used to modify or add request headers before the request is proxied to its destination. +- `responseHeaderModifier`: [ResponseHeaderModifiers](https://gateway-api.sigs.k8s.io/references/spec/#gateway.networking.k8s.io/v1beta1.HTTPRouteFilter) can be used to modify or add response headers before the response is sent back to the client. 
+- `requestMirror`: [RequestMirrors](https://gateway-api.sigs.k8s.io/references/spec/#gateway.networking.k8s.io/v1beta1.HTTPRouteFilter) configure destinations where the requests should also be mirrored to. Responses to mirrored requests will be ignored. +- `requestRedirect`: [RequestRedirects](https://gateway-api.sigs.k8s.io/references/spec/#gateway.networking.k8s.io/v1beta1.HTTPRouteFilter) configure policied for how requests that match the HTTPRoute should be modified and then redirected. +- `urlRewrite`: [UrlRewrites](https://gateway-api.sigs.k8s.io/references/spec/#gateway.networking.k8s.io/v1beta1.HTTPRouteFilter) allow for modification of the request's hostname and path before it is proxied to its destination. +- `extensionRef`: [ExtensionRefs] are used by Envoy Gateway to add additional support for Ratelimitg and Authentication. For more information about Envoy Gateay's implementation of these filters please refer to the [Ratelimiting][] and [Authentication][] documentation. + +**Note:** currently the only [BackendRef][] kind (the destination where traffic should be sent to) that Envoy Gateway supports are [Kubernetes Services][]. Routing traffic to other destinations such as arbitrary URLs is not currently possible. + +**Note:** the `filters` field within [HTTPBackendRef][] is not supported. + +## **TCPRoute** + +[TCPRoutes][] are used to configure routing of raw TCP traffic. Traffic can be forwarded to the desired BackendRef(s) based on a port. + +**Note:** TCPRoutes only support proxying in non-transparent mode i.e. the backend will see the source IP and port of the deployed +Envoy instance instead of the client. + +## **UDPRoute** + +[UDPRoutes][] are used to configure routing of raw UDP traffic. Traffic can be forwarded to the desired BackendRef(s) based on a port. + +**Note:** Similar to TCPRoutes, UDPRoutes only support proxying in non-transparent mode i.e. 
the backend will see the source IP and port of the deployed +Envoy instance instead of the client. + +## **GRPCRoute** + +[GRPCRoutes][] configure routing of [gRPC][] requests. They offer request matching by hostname, gRPC service, gRPC method, or HTTP/2 Header. +Similar to HTTPRoutes, Envoy Gateway supports the following filters on GRPCRoutes to provide additional traffic processing. + +- `requestHeaderModifier`: [RequestHeaderModifiers](https://gateway-api.sigs.k8s.io/references/spec/#gateway.networking.k8s.io/v1alpha2.GRPCRouteFilter) can be used to modify or add request headers before the request is proxied to its destination. +- `responseHeaderModifier`: [ResponseHeaderModifiers](https://gateway-api.sigs.k8s.io/references/spec/#gateway.networking.k8s.io/v1alpha2.GRPCRouteFilter) can be used to modify or add response headers before the response is sent back to the client. +- `requestMirror`: [RequestMirrors](https://gateway-api.sigs.k8s.io/references/spec/#gateway.networking.k8s.io/v1alpha2.GRPCRouteFilter) configure destinations where the requests should also be mirrored to. Responses to mirrored requests will be ignored. + +**Note:** currently the only [BackendRef](https://gateway-api.sigs.k8s.io/references/spec/#gateway.networking.k8s.io/v1alpha2.GRPCRouteFilter) kind (the destination where traffic should be sent to) that Envoy Gateway supports are [Kubernetes Services][]. Routing traffic to other destinations such as arbitrary URLs is not currently possible + +**Note:** the `filters` field within [HTTPBackendRef][] is not supported. + +## **TLSRoute** + +[TLSRoutes][] are used similarly to TCPRoutes to configure routing of TCP traffic; however, unlike TCPRoutes, TLSRoutes can match against TLS-Specific Metadata. + +## **ReferenceGrant** + +[ReferenceGrants][] are used as a way to configure which resources in other namespaces are allowed to reference specific kinds of resources in +the namespace of the ReferenceGrant. 
Normally an HTTPRoute created in namespace `foo` is not allowed to specify a Service in the `bar` namespace as the +one of its BackendRefs. ReferenceGrants are commonly used to permit these types of cross-namespace references. Envoy Gateway supports the following use-cases for ReferenceGrants. + +- Allowing an HTTPRoute, GRPCRoute, TLSRoute, UDPRoute, or TCPRoute to include a BackendRef that references a Service that is not in the same namespace as the HTTPRoute. +- Allowing an HTTPRoute's `requestMirror` filter to include a BackendRef that references a Service that is not in the same namespace as the HTTPRoute. +- Allowing a Gateway's [SecretObjectReference][] to reference a secret that is not in the same namespace as the Gateway when configuring TLS on a Gateway. + +[System Design]: https://gateway.envoyproxy.io/latest/design/system-design.html +[Gateway API]: https://gateway-api.sigs.k8s.io/ +[GatewayClass]: https://gateway-api.sigs.k8s.io/references/spec/#gateway.networking.k8s.io/v1beta1.GatewayClass +[ParametersReference]: https://gateway-api.sigs.k8s.io/references/spec/#gateway.networking.k8s.io/v1beta1.ParametersReference +[Gateway]: https://gateway-api.sigs.k8s.io/references/spec/#gateway.networking.k8s.io/v1beta1.Gateway +[address]: https://gateway-api.sigs.k8s.io/references/spec/#gateway.networking.k8s.io/v1beta1.GatewayAddress +[HTTPRoutes]: https://gateway-api.sigs.k8s.io/references/spec/#gateway.networking.k8s.io/v1beta1.HTTPRoute +[Kubernetes Services]: https://kubernetes.io/docs/concepts/services-networking/service/ +[BackendRef]: https://gateway-api.sigs.k8s.io/references/spec/#gateway.networking.k8s.io/v1beta1.BackendRef +[HTTPBackendRef]: https://gateway-api.sigs.k8s.io/references/spec/#gateway.networking.k8s.io/v1beta1.HTTPBackendRef +[TCPRoutes]: https://gateway-api.sigs.k8s.io/references/spec/#gateway.networking.k8s.io/v1alpha2.TCPRoute +[UDPRoutes]: https://gateway-api.sigs.k8s.io/references/spec/#gateway.networking.k8s.io/v1alpha2.UDPRoute 
+[GRPCRoutes]: https://gateway-api.sigs.k8s.io/references/spec/#gateway.networking.k8s.io/v1alpha2.GRPCRoute +[gRPC]: https://grpc.io/ +[TLSRoutes]: https://gateway-api.sigs.k8s.io/references/spec/#gateway.networking.k8s.io/v1alpha2.TLSRoute +[ReferenceGrants]: https://gateway-api.sigs.k8s.io/references/spec/#gateway.networking.k8s.io%2fv1beta1.ReferenceGrant +[SecretObjectReference]: https://gateway-api.sigs.k8s.io/references/spec/#gateway.networking.k8s.io/v1beta1.SecretObjectReference +[Ratelimiting]: https://gateway.envoyproxy.io/latest/user/rate-limit.html +[Authentication]: https://gateway.envoyproxy.io/latest/user/authn.html diff --git a/docs/v0.3.0/design/gatewayapi-translator.md b/docs/v0.3.0/design/gatewayapi-translator.md new file mode 100644 index 0000000000..3cf0da94f5 --- /dev/null +++ b/docs/v0.3.0/design/gatewayapi-translator.md 
@@ -0,0 +1,250 @@ +# Gateway API Translator Design + +The Gateway API translates external resources, e.g. GatewayClass, from the configured Provider to the Intermediate +Representation (IR). + +## Assumptions + +Initially target core conformance features only, to be followed by extended conformance features. + +## Inputs and Outputs + +The main inputs to the Gateway API translator are: + +- GatewayClass, Gateway, HTTPRoute, TLSRoute, Service, ReferenceGrant, Namespace, and Secret resources. + +__Note:__ ReferenceGrant is not fully implemented as of v0.2. + +The outputs of the Gateway API translator are: + +- Xds and Infra Internal Representations (IRs). +- Status updates for GatewayClass, Gateways, HTTPRoutes + +## Listener Compatibility + +Envoy Gateway follows Gateway API listener compatibility spec: +> Each listener in a Gateway must have a unique combination of Hostname, Port, and Protocol. An implementation MAY group +> Listeners by Port and then collapse each group of Listeners into a single Listener if the implementation determines +> that the Listeners in the group are “compatible”. + +__Note:__ Envoy Gateway does not collapse listeners across multiple Gateways. 
+ +### Listener Compatibility Examples + +#### Example 1: Gateway with compatible Listeners (same port & protocol, different hostnames) + +```yaml +kind: Gateway +apiVersion: gateway.networking.k8s.io/v1beta1 +metadata: + name: gateway-1 + namespace: envoy-gateway +spec: + gatewayClassName: envoy-gateway + listeners: + - name: http + protocol: HTTP + port: 80 + allowedRoutes: + namespaces: + from: All + hostname: "*.envoygateway.io" + - name: http + protocol: HTTP + port: 80 + allowedRoutes: + namespaces: + from: All + hostname: whales.envoygateway.io +``` + +#### Example 2: Gateway with compatible Listeners (same port & protocol, one hostname specified, one not) + +```yaml +kind: Gateway +apiVersion: gateway.networking.k8s.io/v1beta1 +metadata: + name: gateway-1 + namespace: envoy-gateway +spec: + gatewayClassName: envoy-gateway + listeners: + - name: http + protocol: HTTP + port: 80 + allowedRoutes: + namespaces: + from: All + hostname: "*.envoygateway.io" + - name: http + protocol: HTTP + port: 80 + allowedRoutes: + namespaces: + from: All +``` + +#### Example 3: Gateway with incompatible Listeners (same port, protocol and hostname) + +```yaml +kind: Gateway +apiVersion: gateway.networking.k8s.io/v1beta1 +metadata: + name: gateway-1 + namespace: envoy-gateway +spec: + gatewayClassName: envoy-gateway + listeners: + - name: http + protocol: HTTP + port: 80 + allowedRoutes: + namespaces: + from: All + hostname: whales.envoygateway.io + - name: http + protocol: HTTP + port: 80 + allowedRoutes: + namespaces: + from: All + hostname: whales.envoygateway.io +``` + +#### Example 4: Gateway with incompatible Listeners (neither specify a hostname) + +```yaml +kind: Gateway +apiVersion: gateway.networking.k8s.io/v1beta1 +metadata: + name: gateway-1 + namespace: envoy-gateway +spec: + gatewayClassName: envoy-gateway + listeners: + - name: http + protocol: HTTP + port: 80 + allowedRoutes: + namespaces: + from: All + - name: http + protocol: HTTP + port: 80 + allowedRoutes: + 
namespaces: + from: All +``` + +## Computing Status + +Gateway API specifies a rich set of status fields & conditions for each resource. To achieve conformance, Envoy Gateway +must compute the appropriate status fields and conditions for managed resources. + +Status is computed and set for: + +- The managed GatewayClass (`gatewayclass.status.conditions`). +- Each managed Gateway, based on its Listeners' status (`gateway.status.conditions`). For the Kubernetes provider, the + Envoy Deployment and Service status are also included to calculate Gateway status. +- Listeners for each Gateway (`gateway.status.listeners`). +- The ParentRef for each Route (`route.status.parents`). + +The Gateway API translator is responsible for calculating status conditions while translating Gateway API resources to +the IR and publishing status over the [message bus][]. The Status Manager subscribes to these status messages and +updates the resource status using the configured provider. For example, the Status Manager uses a Kubernetes client to +update resource status on the Kubernetes API server. + +## Outline + +The following roughly outlines the translation process. Each step may produce (1) IR; and (2) status updates on Gateway +API resources. + +1. Process Gateway Listeners + - Validate unique hostnames, ports, and protocols. + - Validate and compute supported kinds. + - Validate allowed namespaces (validate selector if specified). + - Validate TLS fields if specified, including resolving referenced Secrets. + +2. 
Process HTTPRoutes + - foreach route rule: + - compute matches + - [core] path exact, path prefix + - [core] header exact + - [extended] query param exact + - [extended] HTTP method + - compute filters + - [core] request header modifier (set/add/remove) + - [core] request redirect (hostname, statuscode) + - [extended] request mirror + - compute backends + - [core] Kubernetes services + - foreach route parent ref: + - get matching listeners (check Gateway, section name, listener validation status, listener allowed routes, hostname intersection) + - foreach matching listener: + - foreach hostname intersection with route: + - add each computed route rule to host + +## Context Structs + +To help store, access and manipulate information as it's processed during the translation process, a set of context +structs are used. These structs wrap a given Gateway API type, and add additional fields and methods to support +processing. + +`GatewayContext` wraps a Gateway and provides helper methods for setting conditions, accessing Listeners, etc. + +```go +type GatewayContext struct { + // The managed Gateway + *v1beta1.Gateway + + // A list of Gateway ListenerContexts. + listeners []*ListenerContext +} +``` + +`ListenerContext` wraps a Listener and provides helper methods for setting conditions and other status information on +the associated Gateway. + +```go +type ListenerContext struct { + // The Gateway listener. + *v1beta1.Listener + + // The Gateway this Listener belongs to. + gateway *v1beta1.Gateway + + // An index used for managing this listener in the list of Gateway listeners. + listenerStatusIdx int + + // Only Routes in namespaces selected by the selector may be attached + // to the Gateway this listener belongs to. + namespaceSelector labels.Selector + + // The TLS Secret for this Listener, if applicable. + tlsSecret *v1.Secret +} +``` + +`RouteContext` represents a generic Route object (HTTPRoute, TLSRoute, etc.) that can reference Gateway objects. 
+ +```go +type RouteContext interface { + client.Object + + // GetRouteType returns the Kind of the Route object, HTTPRoute, + // TLSRoute, TCPRoute, UDPRoute etc. + GetRouteType() string + + // GetHostnames returns the hosts targeted by the Route object. + GetHostnames() []string + + // GetParentReferences returns the ParentReference of the Route object. + GetParentReferences() []v1beta1.ParentReference + + // GetRouteParentContext returns RouteParentContext by using the Route + // objects' ParentReference. + GetRouteParentContext(forParentRef v1beta1.ParentReference) *RouteParentContext +} +``` + +[message bus]: watching.md diff --git a/docs/v0.3.0/design/ratelimit.md b/docs/v0.3.0/design/ratelimit.md new file mode 100644 index 0000000000..824b806e59 --- /dev/null +++ b/docs/v0.3.0/design/ratelimit.md 
@@ -0,0 +1,301 @@ +# Rate Limit Design + +## Overview + +Rate limit is a feature that allows the user to limit the number of incoming requests +to a predefined value based on attributes within the traffic flow. + +Here are some reasons why a user may want to implements Rate limits + +* To prevent malicious activity such as DDoS attacks. +* To prevent applications and its resources (such as a database) from getting overloaded. +* To create API limits based on user entitlements. + +## Scope Types + +The rate limit type here describes the scope of rate limits. + +* Global - In this case, the rate limit is common across all the instances of Envoy proxies +where its applied i.e. if the data plane has 2 replicas of Envoy running, and the rate limit is +10 requests/second, this limit is common and will be hit if 5 requests pass through the first replica +and 5 requests pass through the second replica within the same second. + +* Local - In this case, the rate limits are specific to each instance/replica of Envoy running. +Note - This is not part of the initial design and will be added as a future enhancement. 
+ +## Match Types + +### Rate limit a specific traffic flow + +* Here is an example of a ratelimit implemented by the application developer to limit a specific user +by matching on a custom `x-user-id` header with a value set to `one` + +```yaml +apiVersion: gateway.envoyproxy.io/v1alpha1 +kind: RateLimitFilter +metadata: + name: ratelimit-specific-user +spec: + type: Global + global: + rules: + - clientSelectors: + - headers: + - name: x-user-id + value: one + limit: + requests: 10 + unit: Hour +--- +apiVersion: gateway.networking.k8s.io/v1beta1 +kind: HTTPRoute +metadata: + name: example +spec: + parentRefs: + - name: eg + hostnames: + - www.example.com + rules: + - matches: + - path: + type: PathPrefix + value: /foo + filters: + - type: ExtensionRef + extensionRef: + group: gateway.envoyproxy.io + kind: RateLimitFilter + name: ratelimit-specific-user + backendRefs: + - name: backend + port: 3000 +``` + +### Rate limit all traffic flows + +* Here is an example of a rate limit implemented by the application developer that limits the total requests made +to a specific route to safeguard health of internal application components. In this case, no specific `headers` match +is specified, and the rate limit is applied to all traffic flows accepted by this `HTTPRoute`. 
+ +```yaml +apiVersion: gateway.envoyproxy.io/v1alpha1 +kind: RateLimitFilter +metadata: + name: ratelimit-all-requests +spec: + type: Global + global: + rules: + - limit: + requests: 1000 + unit: Second +--- +apiVersion: gateway.networking.k8s.io/v1beta1 +kind: HTTPRoute +metadata: + name: example +spec: + parentRefs: + - name: eg + hostnames: + - www.example.com + rules: + - matches: + - path: + type: PathPrefix + value: /foo + filters: + - type: ExtensionRef + extensionRef: + group: gateway.envoyproxy.io + kind: RateLimitFilter + name: ratelimit-all-requests + backendRefs: + - name: backend + port: 3000 +``` + +### Rate limit per distinct value + +* Here is an example of a rate limit implemented by the application developer to limit any unique user +by matching on a custom `x-user-id` header. Here, user A (recognised from the traffic flow using the header +`x-user-id` and value `a`) will be rate limited at 10 requests/hour and so will user B +(recognised from the traffic flow using the header `x-user-id` and value `b`). + +```yaml +apiVersion: gateway.envoyproxy.io/v1alpha1 +kind: RateLimitFilter +metadata: + name: ratelimit-per-user +spec: + type: Global + global: + rules: + - clientSelectors: + - headers: + - type: Distinct + name: x-user-id + limit: + requests: 10 + unit: Hour +--- +apiVersion: gateway.networking.k8s.io/v1beta1 +kind: HTTPRoute +metadata: + name: example +spec: + parentRefs: + - name: eg + hostnames: + - www.example.com + rules: + - matches: + - path: + type: PathPrefix + value: /foo + filters: + - type: ExtensionRef + extensionRef: + group: gateway.envoyproxy.io + kind: RateLimitFilter + name: ratelimit-per-user + backendRefs: + - name: backend + port: 3000 +``` + +## Multiple RateLimitFilters, rules and clientSelectors +* Users can create multiple `RateLimitFilter`s and apply it to the same `HTTPRoute`. 
In such a case each +`RateLimitFilter` will be applied to the route and matched (and limited) in a mutually exclusive way, independent of each other. +* Rate limits are applied for each `RateLimitFilter` `rule` when ALL the conditions under `clientSelectors` hold true. + +Here's an example highlighting this - + +``` +apiVersion: gateway.envoyproxy.io/v1alpha1 +kind: RateLimitFilter +metadata: + name: ratelimit-all-safeguard-app +spec: + type: Global + global: + rules: + - limit: + requests: 100 + unit: Second +--- + +apiVersion: gateway.envoyproxy.io/v1alpha1 +kind: RateLimitFilter +metadata: + name: ratelimit-per-user +spec: + type: Global + global: + rules: + - clientSelectors: + - headers: + - type: Distinct + name: x-user-id + limit: + requests: 1000 + unit: Hour +--- +apiVersion: gateway.networking.k8s.io/v1beta1 +kind: HTTPRoute +metadata: + name: example +spec: + parentRefs: + - name: eg + hostnames: + - www.example.com + rules: + - matches: + - path: + type: PathPrefix + value: /foo + filters: + - type: ExtensionRef + extensionRef: + group: gateway.envoyproxy.io + kind: RateLimitFilter + name: ratelimit-per-user + - type: ExtensionRef + extensionRef: + group: gateway.envoyproxy.io + kind: RateLimitFilter + name: ratelimit-all-safeguard-app + backendRefs: + - name: backend + port: 3000 +``` + +* The user has created two `RateLimitFilter`s and has attached it to a `HTTPRoute` - one(`ratelimit-all-safeguard-app`) to +ensure that the backend does not get overwhelmed with requests, any excess requests are rate limited irrespective of +the attributes within the traffic flow, and another(`ratelimit-per-user`) to rate limit each distinct user client +who can be differentiated using the `x-user-id` header, to ensure that each client does not make exessive requests to the backend. 
+* If user `baz` (identified with the header and value of `x-user-id: baz`) sends 90 requests within the first second, and +user `bar` sends 11 more requests during that same interval of 1 second, and user `bar` sends the 101th request within that second, +the rule defined in `ratelimit-all-safeguard-app` gets activated and Envoy Gateway will ratelimit the request sent by `bar` (and any other +request sent within that 1 second). After 1 second, the rate limit counter associated with the `ratelimit-all-safeguard-app` rule +is reset and again evaluated. +* If user `bar` also ends up sending 90 more requests within the hour, summing up `bar`'s total request count to 101, the rate limit rule +defined within `ratelimit-per-user` will get activated, and `bar`'s requests will be rate limited again until the hour interval ends. +* Within the same above hour, if `baz` sends 991 more requests, summing up `baz`'s total request count to 1001, the rate limit rule defined +within `ratelimit-per-user` will get activated for `baz`, and `baz`'s requests will also be rate limited until the hour interval ends. + +## Design Decisions + +* The initial design uses an Extension filter to apply the Rate Limit functionality on a specific [HTTPRoute][]. +This was preferred over the [PolicyAttachment][] extension mechanism, because it is unclear whether Rate Limit +will be required to be enforced or overridden by the platform administrator or not. +* The RateLimitFilter can only be applied as a filter to a [HTTPRouteRule[], applying it across all backends within a [HTTPRoute][] +and cannot be applied a filter within a [HTTPBackendRef][] for a specific backend. +* The [HTTPRoute][] API has a [matches][] field within each [rule][] to select a specific traffic flow to be routed to +the destination backend. 
The RateLimitFilter API that can be attached to an HTTPRoute via an [extensionRef][] filter, +also has a `clientSelectors` field within each `rule` to select attributes within the traffic flow to rate limit specific clients. +The two levels of selectors/matches allow for flexibility and aim to hold match information specific to its use, allowing the author/owner +of each configuration to be different. It also allows the `clientSelectors` field within the RateLimitFilter to be enhanced with other matchable +attribute such as [IP subnet][] in the future that are not relevant in the [HTTPRoute][] API. + +## Implementation Details + +### Global Rate limiting + +* [Global rate limiting][] in Envoy Proxy can be achieved using the following - + * [Actions][] can be conifgured per [xDS Route][]. + * If the match criteria defined within these actions is met for a specific HTTP Request, a set of key value pairs called [descriptors][] + defined within the above actions is sent to a remote [rate limit service][], whose configuration (such as the URL for the rate limit service) is defined + using a [rate limit filter][]. + * Based on information received by the rate limit service and its programmed configuration, a decision is computed, whether to rate limit + the HTTP Request or not, and is sent back to Envoy, which enforces this decision on the data plane. +* Envoy Gateway will leverage this Envoy Proxy feature by - + * Translating the user facing RateLimitFilter API into Rate limit [Actions][] as well as Rate limit service configuration to implement + the desired API intent. + * Envoy Gateway will use the existing [reference implementation][] of the rate limit service. + * The Infrastructure administrator will need to enable the rate limit service using new settings that will be defined in the [EnvoyGateway][] config API. + * The xDS IR will be enhanced to hold the user facing rate limit intent. 
+ * The xDS Translator will be enhanced to translate the rate limit field within the xDS IR into Rate limit [Actions][] as well as instantiate the [rate limit filter][]. + * A new runner called `rate-limit` will be added that subscribes to the xDS IR messages and translates it into a new Rate Limit Infra IR which contains + the [rate limit service configuration][] as well as other information needed to deploy the rate limit service. + * The infrastructure service will be enhanced to subscribe to the Rate Limit Infra IR and deploy a provider specific rate limit service runnable entity. + * A Status field within the RateLimitFilter API will be added to reflect whether the specific configuration was programmed correctly in these multiple locations or not. + +[PolicyAttachment]: https://gateway-api.sigs.k8s.io/references/policy-attachment/ +[HTTPRoute]: https://gateway-api.sigs.k8s.io/references/spec/#gateway.networking.k8s.io/v1beta1.HTTPRoute +[HTTPBackendRef]: https://gateway-api.sigs.k8s.io/references/spec/#gateway.networking.k8s.io%2fv1beta1.HTTPBackendRef +[matches]: https://gateway-api.sigs.k8s.io/references/spec/#gateway.networking.k8s.io/v1beta1.HTTPRouteMatch +[rule]: https://gateway-api.sigs.k8s.io/references/spec/#gateway.networking.k8s.io/v1beta1.HTTPRouteMatch +[extensionRef]: https://gateway-api.sigs.k8s.io/references/spec/#gateway.networking.k8s.io/v1beta1.HTTPRouteFilterType +[IP subnet]: https://en.wikipedia.org/wiki/Subnetwork +[Actions]: https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/route/v3/route_components.proto#envoy-v3-api-msg-config-route-v3-ratelimit-action +[descriptors]: https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_filters/rate_limit_filter.html?highlight=descriptor#example-1 +[Global rate limiting]: https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/other_features/global_rate_limiting +[xDS Route]: 
https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/route/v3/route_components.proto#envoy-v3-api-msg-config-route-v3-routeaction +[rate limit filter]: https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/http/ratelimit/v3/rate_limit.proto#envoy-v3-api-msg-extensions-filters-http-ratelimit-v3-ratelimit +[rate limit service]: https://www.envoyproxy.io/docs/envoy/latest/configuration/other_features/rate_limit#config-rate-limit-service +[reference implementation]: https://github.com/envoyproxy/ratelimit +[EnvoyGateway]: https://github.com/envoyproxy/gateway/blob/main/api/config/v1alpha1/envoygateway_types.go +[rate limit service configuration]: https://github.com/envoyproxy/ratelimit#configuration diff --git a/docs/v0.3.0/design/request-authentication.md b/docs/v0.3.0/design/request-authentication.md new file mode 100644 index 0000000000..50490fdb5e --- /dev/null +++ b/docs/v0.3.0/design/request-authentication.md 
@@ -0,0 +1,513 @@ +# Request Authentication + +## Overview + +[Issue 336][] specifies the need for exposing a user-facing API to configure request authentication. Request +authentication is defined as an authentication mechanism to be enforced by Envoy on a per-request basis. A connection +will be rejected if it contains invalid authentication information, based on the `AuthenticationFilter` API type +proposed in this design document. + +Envoy Gateway leverages [Gateway API][] for configuring managed Envoy proxies. Gateway API defines core, extended, and +implementation-specific API [support levels][] for implementors such as Envoy Gateway to expose features. Since +implementing request authentication is not covered by `Core` or `Extended` APIs, an `Implementation-specific` API will +be created for this purpose. + +## Goals + +* Define an API for configuring request authentication. +* Implement [JWT] as the first supported authentication type. +* Allow users that manage routes, e.g. [HTTPRoute][], to authenticate matching requests before forwarding to a backend + service. +* Support HTTPRoutes as an Authentication API referent. HTTPRoute provides multiple [extension points][]. The + [HTTPRouteFilter][] is the extension point supported by the Authentication API. + +## Non-Goals + +* Allow infrastructure administrators to override or establish default authentication policies. +* Support referents other than HTTPRoute. +* Support Gateway API extension points other than HTTPRouteFilter. + +## Use-Cases + +These use-cases are presented as an aid for how users may attempt to utilize the outputs of the design. They are not an +exhaustive list of features for authentication support in Envoy Gateway. + +As a Service Producer, I need the ability to: +* Authenticate a request before forwarding it to a backend service. +* Have different authentication mechanisms per route rule. +* Choose from different authentication mechanisms supported by Envoy, e.g. OIDC. 
+ +### Authentication API Type + +The Authentication API type defines authentication configuration for authenticating requests through managed Envoy +proxies. + +```go +package v1alpha1 + +import ( + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + +) + +type AuthenticationFilter struct { + metav1.TypeMeta + metav1.ObjectMeta + + // Spec defines the desired state of the Authentication type. + Spec AuthenticationFilterSpec + + // Note: The status sub-resource has been excluded but may be added in the future. +} + +// AuthenticationFilterSpec defines the desired state of the AuthenticationFilter type. +// +union +type AuthenticationFilterSpec struct { + // Type defines the type of authentication provider to use. Supported provider types are: + // + // * JWT: A provider that uses JSON Web Token (JWT) for authenticating requests. + // + // +unionDiscriminator + Type AuthenticationFilterType + + // JWT defines the JSON Web Token (JWT) authentication provider type. When multiple + // jwtProviders are specified, the JWT is considered valid if any of the providers + // successfully validate the JWT. + JwtProviders []JwtAuthenticationFilterProvider +} + +... +``` + +Refer to [PR 773][] for the detailed AuthenticationFilter API spec. + +The status subresource is not included in the AuthenticationFilter API. Status will be surfaced by an HTTPRoute that +references an AuthenticationFilter. For example, an HTTPRoute will surface the `ResolvedRefs=False` status condition if it +references an AuthenticationFilter that does not exist. It may be beneficial to add AuthenticationFilter status fields in the future +based on defined use-cases. For example, a remote [JWKS][] can be validated based on the specified URI and have an +appropriate status condition surfaced. 
+ +#### AuthenticationFilter Example + +The following is an AuthenticationFilter example with one JWT authentication provider: + +```yaml +apiVersion: gateway.envoyproxy.io/v1alpha1 +kind: AuthenticationFilter +metadata: + name: example +spec: + type: JWT + jwtProviders: + - name: example + issuer: https://www.example.com + audiences: + - foo.com + remoteJwks: + uri: https://foo.com/jwt/public-key/jwks.json + +``` + +__Note:__ `type` is a union type, allowing only one of any supported provider type such as `jwtProviders` to be +specified. + +The following is an example HTTPRoute configured to use the above JWT authentication provider: + +```yaml +apiVersion: gateway.networking.k8s.io/v1beta1 +kind: HTTPRoute +metadata: + name: example +spec: + parentRefs: + - name: eg + hostnames: + - www.example.com + rules: + - matches: + - path: + type: PathPrefix + value: /foo + filters: + - type: ExtensionRef + extensionRef: + group: gateway.envoyproxy.io + kind: AuthenticationFilter + name: example + backendRefs: + - name: backend + port: 3000 +``` + +Requests for `www.example.com/foo` will be authenticated using the referenced JWT provider before being forwarded to the +backend service named "backend". + +## Implementation Details + +The JWT authentication type is translated to an Envoy [JWT authentication filter][] and a cluster is created for each +remote [JWKS][]. The following examples provide additional details on how Gateway API and AuthenticationFilter resources are +translated into Envoy configuration. 
+ +### Example 1: One Route with One JWT Provider + +The following cluster is created from the above HTTPRoute and AuthenticationFilter: + +```yaml +dynamic_clusters: + - name: foo.com|443 + load_assignment: + cluster_name: foo.com|443 + endpoints: + - lb_endpoints: + - endpoint: + address: + socket_address: + address: foo.com + port_value: 443 + transport_socket: + name: envoy.transport_sockets.tls + typed_config: + "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext + sni: foo.com + common_tls_context: + validation_context: + match_subject_alt_names: + - exact: "*.foo.com" + trusted_ca: + filename: /etc/ssl/certs/ca-certificates.crt +``` + +A JWT authentication HTTP filter is added to the HTTP Connection Manager. For example: + +```yaml +dynamic_resources: + dynamic_listeners: + - name: example_listener + address: + socket_address: + address: 1.2.3.4 + port_value: 80 + filter_chains: + - filters: + - name: envoy.http_connection_manager + http_filters: + - name: envoy.filters.http.jwt_authn + typed_config: + "@type": type.googleapis.com/envoy.config.filter.http.jwt_authn.v2alpha.JwtAuthentication +``` + +This JWT authentication HTTP filter contains two fields: +* The `providers` field specifies how a JWT should be verified, such as where to extract the token, where to fetch the + public key ([JWKS][]) and where to output its payload. This field is built from the source resource `namespace-name`, and + the JWT provider name of an AuthenticationFilter. +* The `rules` field specifies matching rules and their requirements. If a request matches a rule, its requirement + applies. The requirement specifies which JWT providers should be used. This field is built from a HTTPRoute + `matches` rule that references the AuthenticationFilter. When a referenced Authentication specifies multiple + `jwtProviders`, the JWT is considered valid if __any__ of the providers successfully validate the JWT. 
+ +The following JWT authentication HTTP filter `providers` configuration is created from the above AuthenticationFilter. + +```yaml +providers: + example: + issuer: https://www.example.com + audiences: + - foo.com + remote_jwks: + http_uri: + uri: https://foo.com/jwt/public-key/jwks.json + cluster: example_jwks_cluster + timeout: 1s +``` + +The following JWT authentication HTTP filter `rules` configuration is created from the above HTTPRoute. + +```yaml +rules: + - match: + prefix: /foo + requires: + provider_name: default-example-example +``` + +### Example 2: Two HTTPRoutes with Different AuthenticationFilters + +The following example contains: +* Two HTTPRoutes with different hostnames. +* Each HTTPRoute references a different AuthenticationFilter. +* Each AuthenticationFilter contains a different JWT provider. + +```yaml +apiVersion: gateway.envoyproxy.io/v1alpha1 +kind: AuthenticationFilter +metadata: + name: example1 +spec: + type: JWT + jwtProviders: + - name: example1 + issuer: https://www.example1.com + audiences: + - foo.com + remoteJwks: + uri: https://foo.com/jwt/public-key/jwks.json +--- +apiVersion: gateway.envoyproxy.io/v1alpha1 +kind: AuthenticationFilter +metadata: + name: example2 +spec: + type: JWT + jwtProviders: + - name: example2 + issuer: https://www.example2.com + audiences: + - bar.com + remoteJwks: + uri: https://bar.com/jwt/public-key/jwks.json +--- +apiVersion: gateway.networking.k8s.io/v1beta1 +kind: HTTPRoute +metadata: + name: example1 +spec: + hostnames: + - www.example1.com + parentRefs: + - group: gateway.networking.k8s.io + kind: Gateway + name: eg + rules: + - matches: + - path: + type: PathPrefix + value: /foo + filters: + - type: ExtensionRef + extensionRef: + group: gateway.envoyproxy.io + kind: AuthenticationFilter + name: example1 + backendRefs: + - name: backend + port: 3000 +--- +apiVersion: gateway.networking.k8s.io/v1beta1 +kind: HTTPRoute +metadata: + name: example2 +spec: + hostnames: + - www.example2.com + 
parentRefs: + - group: gateway.networking.k8s.io + kind: Gateway + name: eg + rules: + - matches: + - path: + type: PathPrefix + value: /bar + filters: + - type: ExtensionRef + extensionRef: + group: gateway.envoyproxy.io + kind: AuthenticationFilter + name: example2 + backendRefs: + - name: backend2 + port: 3000 +``` + +The following xDS configuration is created from the above example resources: + +```yaml +configs: +... +dynamic_listeners: + - name: default-eg-http + ... + default_filter_chain: + filters: + - name: envoy.filters.network.http_connection_manager + typed_config: + '@type': >- + type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager + stat_prefix: http + rds: + config_source: + ... + route_config_name: default-eg-http + http_filters: + - name: envoy.filters.http.jwt_authn + typed_config: + '@type': >- + type.googleapis.com/envoy.config.filter.http.jwt_authn.v2alpha.JwtAuthentication + providers: + default-example1-example1: + issuer: https://www.example1.com + audiences: + - foo.com + remote_jwks: + http_uri: + uri: https://foo.com/jwt/public-key/jwks.json + cluster: default-example1-example1-jwt + default-example2-example2: + issuer: https://www.example2.com + audiences: + - bar.com + remote_jwks: + http_uri: + uri: https://bar.com/jwt/public-key/jwks.json + cluster: default-example2-example2-jwt + rules: + - match: + exact: /foo + requires: + provider_name: default-example1-example1 + - match: + exact: /bar + requires: + provider_name: default-example2-example2 + - name: envoy.filters.http.router + typed_config: + '@type': >- + type.googleapis.com/envoy.extensions.filters.http.router.v3.Router +dynamic_route_configs: + - route_config: + '@type': type.googleapis.com/envoy.config.route.v3.RouteConfiguration + name: default-eg-http + virtual_hosts: + - name: default-eg-http + domains: + - '*' + routes: + - match: + prefix: /foo + headers: + - name: ':authority' + string_match: + exact: www.example1.com + 
route: + cluster: default-backend-rule-0-match-0-www.example1.com + - match: + prefix: /bar + headers: + - name: ':authority' + string_match: + exact: www.example2.com + route: + cluster: default-backend2-rule-0-match-0-www.example2.com +dynamic_active_clusters: + - cluster: + name: default-backend-rule-0-match-0-www.example.com + ... + endpoints: + - locality: {} + lb_endpoints: + - endpoint: + address: + socket_address: + address: $BACKEND_SERVICE1_IP + port_value: 3000 + - cluster: + '@type': type.googleapis.com/envoy.config.cluster.v3.Cluster + name: default-backend-rule-1-match-0-www.example.com + ... + endpoints: + - locality: {} + lb_endpoints: + - endpoint: + address: + socket_address: + address: $BACKEND_SERVICE2_IP + port_value: 3000 +... +``` + +__Note:__ The JWT provider cluster and route is omitted from the above example for brevity. + +### Implementation Outline + +* Update the Kubernetes provider to get/watch AuthenticationFilter resources that are referenced by managed HTTPRoutes. + Add the referenced AuthenticationFilter object to the resource map and publish it. +* Update the resource translator to include the AuthenticationFilter API in HTTPRoute processing. +* Update the xDS translator to translate an AuthenticationFilter into xDS resources. The translator should perform the + following: + * Convert a list of JWT rules from the xds IR into an Envoy JWT filter config. + * Create a JWT authentication HTTP filter. + * Build the HTTP Connection Manager (HCM) HTTP filters. + * Build the HCM. + * When building the Listener, create an HCM for each filter-chain. + +## Adding Authentication Types + +Additional authentication types can be added in the future through the `AuthenticationFilterType` API. For +example, to add the `Foo` authentication type: + +Define the `Foo` authentication provider: + +```go +package v1alpha1 + +// FooAuthenticationFilterProvider defines the "Foo" authentication filter provider type. 
+type FooAuthenticationFilterProvider struct { + // TODO: Define fields of the Foo authentication filter provider type. +} +``` + +Add the `FooAuthenticationFilterProvider` type to `AuthenticationFilterSpec`: + +```go +package v1alpha1 + +type AuthenticationFilterSpec struct { + ... + + // Foo defines the Foo authentication type. For additional + // details, see: + // + // + // + // +optional + Foo *FooAuthenticationFilterProvider +} +``` + +Lastly, add the type to the `AuthenticationType` enum: + +```go +// AuthenticationType is a type of authentication provider. +// +kubebuilder:validation:Enum=JWT,FOO +type AuthenticationFilterType string + +const ( + // JwtAuthenticationProviderType is the JWT authentication provider type. + FooAuthenticationFilterProviderType AuthenticationFilterType = "FOO" +) +``` + +The AuthenticationFilter API should support additional authentication types in the future, for example: +- OAuth2 +- OIDC + +## Outstanding Questions + +- If Envoy Gateway owns the AuthenticationFilter API, is an xDS IR equivalent needed? +- Should local [JWKS][] be implemented before remote [JWKS][]? +- How should Envoy obtain the trusted CA for a remote [JWKS][]? +- Should HTTPS be the only supported scheme for remote [JWKS][]? +- Should OR'ing JWT providers be supported? +- Should Authentication provide status? +- Are the API field validation rules acceptable? 
+ +[Issue 336]: https://github.com/envoyproxy/gateway/issues/336 +[Gateway API]: https://gateway-api.sigs.k8s.io/ +[support levels]: https://gateway-api.sigs.k8s.io/concepts/conformance/?h=extended#2-support-levels +[JWT]: https://jwt.io/ +[HTTPRoute]: https://gateway-api.sigs.k8s.io/api-types/httproute/ +[extension points]: https://gateway-api.sigs.k8s.io/concepts/api-overview/?h=extension#extension-points +[HTTPRouteFilter]: https://gateway-api.sigs.k8s.io/references/spec/#gateway.networking.k8s.io/v1beta1.HTTPRouteFilter +[JWKS]: https://www.rfc-editor.org/rfc/rfc7517 +[JWT authentication filter]: https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_filters/jwt_authn_filter#config-http-filters-jwt-authn +[PR 773]: https://github.com/envoyproxy/gateway/pull/733 diff --git a/docs/v0.3.0/design/roadmap.md b/docs/v0.3.0/design/roadmap.md new file mode 100644 index 0000000000..ee219500bf --- /dev/null +++ b/docs/v0.3.0/design/roadmap.md 
@@ -0,0 +1,74 @@ +# Roadmap + +This document serves as a high-level reference for Envoy Gateway users and contributors to understand the direction of +the project. + +## Contributing to the Roadmap + +- To add a feature to the roadmap, create an [issue][issue] or join a [community meeting][meeting] to discuss your use + case. If your feature is accepted, a maintainer will assign your issue to a [release milestone][milestones] and update + this document accordingly. +- To help with an existing roadmap item, comment on or assign yourself to the associated issue. +- If a roadmap item doesn't have an issue, create one, assign yourself to the issue, and reference this document. A + maintainer will submit a [pull request][PR] to add the feature to the roadmap. __Note:__ The feature should be + discussed in an issue or a community meeting before implementing it. + +If you don't know where to start contributing, help is needed to reduce technical, automation, and documentation debt. +Look for issues with the `help wanted` label to get started. + +## Details + +Roadmap features and timelines may change based on feedback, community contributions, etc. If you depend on a specific +roadmap item, you're encouraged to attend a community meeting to discuss the details, or help us deliver the feature by +contributing to the project. + +`Last Updated: November 2022` + +### [v0.2.0][v0.2.0]: Establish a Solid Foundation + +- Complete the core Envoy Gateway implementation- [Issue #60][60]. +- Establish initial testing, e2e, integration, etc- [Issue #64][64]. +- Establish user and developer project documentation- [Issue #17][17]. +- Achieve Gateway API conformance (e.g. routing, LB, Header transformation, etc.)- [Issue #65][65]. +- Setup a CI/CD pipeline- [Issue #63][63]. + +### [v0.3.0][v0.3.0]: Drive Advanced Features through Extension Mechanisms + +- Support extended Gateway API fields [Issue #707][707]. 
+- Support experimental Gateway APIs such as TCPRoute [Issue #643][643], UDPRoute [Issue #641][641] and GRPCRoute [Issue #642][642]. +- Establish guidelines for leveragaing Gateway API extensions [Issue #675][675]. +- Rate Limiting [Issue #670][670]. +- Authentication [Issue #336][336]. + +### [v0.4.0][v0.4.0]: More Advanced Features through Extension Mechanisms + +- Allow users to configure xDS Resources [Issue #24][24]. + +### [v0.5.0][v0.5.0]: Manageability and Scale + +- Tooling for devs/infra admins to aid in managing/maintaining EG +- Support advanced provisioning use cases (e.g. multi-cluster, serverless, etc.) +- Perf testing (EG specifically) +- Support for Chaos engineering? + +[issue]: https://github.com/envoyproxy/gateway/issues +[meeting]: https://docs.google.com/document/d/1leqwsHX8N-XxNEyTflYjRur462ukFxd19Rnk3Uzy55I/edit?usp=sharing +[pr]: https://github.com/envoyproxy/gateway/compare +[milestones]: https://github.com/envoyproxy/gateway/milestones +[v0.2.0]: https://github.com/envoyproxy/gateway/milestone/1 +[v0.3.0]: https://github.com/envoyproxy/gateway/milestone/7 +[v0.4.0]: https://github.com/envoyproxy/gateway/milestone/12 +[v0.5.0]: https://github.com/envoyproxy/gateway/milestone/13 +[17]: https://github.com/envoyproxy/gateway/issues/17 +[24]: https://github.com/envoyproxy/gateway/issues/24 +[60]: https://github.com/envoyproxy/gateway/issues/60 +[63]: https://github.com/envoyproxy/gateway/issues/63 +[64]: https://github.com/envoyproxy/gateway/issues/64 +[65]: https://github.com/envoyproxy/gateway/issues/65 +[336]: https://github.com/envoyproxy/gateway/issues/336 +[641]: https://github.com/envoyproxy/gateway/issues/641 +[642]: https://github.com/envoyproxy/gateway/issues/642 +[643]: https://github.com/envoyproxy/gateway/issues/643 +[670]: https://github.com/envoyproxy/gateway/issues/670 +[675]: https://github.com/envoyproxy/gateway/issues/675 +[707]: https://github.com/envoyproxy/gateway/issues/707 
diff --git a/docs/v0.3.0/design/system-design.md b/docs/v0.3.0/design/system-design.md new file mode 100644 index 0000000000..731cb0925b --- /dev/null +++ b/docs/v0.3.0/design/system-design.md 
@@ -0,0 +1,171 @@
+# System Design
+
+## Goals
+
+* Define the system components needed to satisfy the requirements of Envoy Gateway.
+
+## Non-Goals
+
+* Create a detailed design and interface specification for each system component.
+
+## Terminology
+
+* Control Plane- A collection of inter-related software components for providing application gateway and routing
+ functionality. The control plane is implemented by Envoy Gateway and provides services for managing the data plane.
+ These services are detailed in the [components](#components) section.
+* Data Plane- Provides intelligent application-level traffic routing and is implemented as one or more Envoy proxies.
+
+## Architecture
+
+![Architecture](../images/architecture.png)
+
+## Configuration
+
+Envoy Gateway is configured statically at startup and the managed data plane is configured dynamically through
+Kubernetes resources, primarily [Gateway API][gw_api] objects.
+
+### Static Configuration
+
+Static configuration is used to configure Envoy Gateway at startup, i.e. change the GatewayClass controllerName,
+configure a Provider, etc. Currently, Envoy Gateway only supports configuration through a configuration file. If the
+configuration file is not provided, Envoy Gateway starts-up with default configuration parameters.
+
+### Dynamic Configuration
+
+Dynamic configuration is based on the concept of a declaring the desired state of the data plane and using
+reconciliation loops to drive the actual state toward the desired state. The desired state of the data plane is
+defined as Kubernetes resources that provide the following services:
+
+* Infrastructure Management- Manage the data plane infrastructure, i.e. deploy, upgrade, etc. This configuration is
+ expressed through [GatewayClass][gc] and [Gateway][gw] resources. The `EnvoyProxy` [Custom Resource][cr] can be
+ referenced by `gatewayclass.spec.parametersRef` to modify data plane infrastructure default parameters,
+ e.g. expose Envoy network endpoints using a NodePort service instead of a LoadBalancer service.
+* Traffic Routing- Define how to handle application-level requests to backend services. For example, route all HTTP
+ requests for "www.example.com" to a backend service running a web server. This configuration is expressed through
+ [HTTPRoute][hroute] and [TLSRoute][troute] resources that match, filter, and route traffic to a [backend][be].
+ Although a backend can be any valid Kubernetes Group/Kind resource, Envoy Gateway only supports a [Service][svc]
+ reference.
+
+## Components
+
+Envoy Gateway is made up of several components that communicate in-process; how this communication happens is described
+in the [Watching Components Design][wcd].
+
+### Provider
+
+A Provider is an infrastructure component that Envoy Gateway calls to establish its runtime configuration, resolve
+services, persist data, etc. As of v0.2, Kubernetes is the only implemented provider. A file provider is on the roadmap
+via [Issue #37][]. Other providers can be added in the future as Envoy Gateway use cases are better understood. A
+provider is configured at start up through Envoy Gateway's [static configuration](#static-configuration).
+
+#### Kubernetes Provider
+
+* Uses Kubernetes-style controllers to reconcile Kubernetes resources that comprise the
+ [dynamic configuration](#dynamic-configuration).
+* Manages the data plane through Kubernetes API CRUD operations.
+* Uses Kubernetes for Service discovery.
+* Uses etcd (via Kubernetes API) to persist data.
+
+#### File Provider
+
+* Uses a file watcher to watch files in a directory that define the data plane configuration.
+* Manages the data plane by calling internal APIs, e.g. `CreateDataPlane()`.
+* Uses the host's DNS for Service discovery.
+* If needed, the local filesystem is used to persist data.
+
+### Resource Watcher
+
+The Resource Watcher watches resources used to establish and maintain Envoy Gateway's dynamic configuration. The
+mechanics for watching resources is provider-specific, e.g. informers, caches, etc. are used for the Kubernetes
+provider. The Resource Watcher uses the configured provider for input and provides resources to the Resource Translator
+as output.
+
+### Resource Translator
+
+The Resource Translator translates external resources, e.g. GatewayClass, from the Resource Watcher to the Intermediate
+Representation (IR). It is responsible for:
+
+* Translating infrastructure-specific resources/fields from the Resource Watcher to the Infra IR.
+* Translating proxy configuration resources/fields from the Resource Watcher to the xDS IR.
+
+__Note:__ The Resource Translator is implemented as the `Translator` API type in the `gatewayapi` package.
+
+### Intermediate Representation (IR)
+
+The Intermediate Representation defines internal data models that external resources are translated into. This allows
+Envoy Gateway to be decoupled from the external resources used for dynamic configuration. The IR consists of an Infra IR
+used as input for the Infra Manager and an xDS IR used as input for the xDS Translator.
+
+* Infra IR- Used as the internal definition of the managed data plane infrastructure.
+* xDS IR- Used as the internal definition of the managed data plane xDS configuration.
+
+### xDS Translator
+
+The xDS Translator translates the xDS IR into xDS Resources that are consumed by the xDS server.
+
+### xDS Server
+
+The xDS Server is a xDS gRPC Server based on [Go Control Plane][go_cp]. Go Control Plane implements the Delta xDS Server
+Protocol and is responsible for using xDS to configure the data plane.
+
+### Infra Manager
+
+The Infra Manager is a provider-specific component responsible for managing the following infrastructure:
+
+* Data Plane - Manages all the infrastructure required to run the managed Envoy proxies. For example, CRUD Deployment,
+ Service, etc. resources to run Envoy in a Kubernetes cluster.
+* Auxiliary Control Planes - Optional infrastructure needed to implement application Gateway features that require
+ external integrations with the managed Envoy proxies. For example, [Global Rate Limiting][grl] requires provisioning
+ and configuring the [Envoy Rate Limit Service][rls] and the [Rate Limit filter][rlf]. Such features are exposed to
+ users through the [Custom Route Filters][crf] extension.
+
+The Infra Manager consumes the Infra IR as input to manage the data plane infrastructure.
+
+## Design Decisions
+
+* Envoy Gateway consumes one [GatewayClass][gc] by comparing its configured controller name with
+ `spec.controllerName` of a GatewayClass. If multiple GatewayClasses exist with the same `spec.controllerName`, Envoy
+ Gateway follows Gateway API [guidelines][gwapi_conflicts] to resolve the conflict.
+ `gatewayclass.spec.parametersRef` refers to the `EnvoyProxy` custom resource for configuring the managed proxy
+ infrastructure. If unspecified, default configuration parameters are used for the managed proxy infrastructure.
+* Envoy Gateway manages [Gateways][gw] that reference its GatewayClass.
+ * A Gateway resource causes Envoy Gateway to provision managed Envoy proxy infrastructure.
+ * Envoy Gateway groups Listeners by Port and collapses each group of Listeners into a single Listener if the Listeners
+ in the group are compatible. Envoy Gateway considers Listeners to be compatible if all the following conditions are
+ met:
+ * Either each Listener within the group specifies the “HTTP” Protocol or each Listener within the group specifies
+ either the “HTTPS” or “TLS” Protocol.
+ * Each Listener within the group specifies a unique "Hostname".
+ * As a special case, one Listener within a group may omit "Hostname", in which case this Listener matches when no
+ other Listener matches.
+ * Envoy Gateway does __not__ merge listeners across multiple Gateways.
+* Envoy Gateway follows Gateway API [guidelines][gwapi_conflicts] to resolve any conflicts.
+ * A Gateway `listener` corresponds to an Envoy proxy [Listener][listener].
+* An [HTTPRoute][hroute] resource corresponds to an Envoy proxy [Route][route].
+ * Each [backendRef][be_ref] corresponds to an Envoy proxy [Cluster][cluster].
+* The goal is to make Envoy Gateway components extensible in the future. See the [roadmap][] for additional details.
+
+The draft for this document is [here][draft_design].
+
+[gw_api]: https://gateway-api.sigs.k8s.io
+[gc]: https://gateway-api.sigs.k8s.io/concepts/api-overview/#gatewayclass
+[gw]: https://gateway-api.sigs.k8s.io/concepts/api-overview/#gateway
+[hroute]: https://gateway-api.sigs.k8s.io/concepts/api-overview/#httproute
+[troute]: https://gateway-api.sigs.k8s.io/concepts/api-overview/#tlsroute
+[go_cp]: https://github.com/envoyproxy/go-control-plane
+[grl]: https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/other_features/global_rate_limiting
+[rls]: https://github.com/envoyproxy/ratelimit
+[rlf]: https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/http/ratelimit/v3/rate_limit.proto#envoy-v3-api-msg-extensions-filters-http-ratelimit-v3-ratelimit
+[crf]: https://gateway-api.sigs.k8s.io/v1alpha2/api-types/httproute/#filters-optional
+[gwapi_conflicts]: https://gateway-api.sigs.k8s.io/concepts/guidelines/#conflicts
+[listener]: https://www.envoyproxy.io/docs/envoy/latest/configuration/listeners/listeners#config-listeners
+[route]: https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/route/v3/route_components.proto#envoy-v3-api-msg-config-route-v3-route
+[be_ref]: https://gateway-api.sigs.k8s.io/v1alpha2/api-types/httproute/#backendrefs-optional
+[cluster]: https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/cluster/v3/cluster.proto#config-cluster-v3-cluster
+[draft_design]: https://docs.google.com/document/d/1riyTPPYuvNzIhBdrAX8dpfxTmcobWZDSYTTB5NeybuY/edit
+[cr]: https://kubernetes.io/docs/concepts/extend-kubernetes/api-extension/custom-resources/
+[be]: https://gateway-api.sigs.k8s.io/v1alpha2/references/spec/#gateway.networking.k8s.io/v1alpha2.BackendObjectReference
+[svc]: https://kubernetes.io/docs/concepts/services-networking/service/
+[ wcd ]: ./watching.md
+[Issue #37]: https://github.com/envoyproxy/gateway/issues/37
+[roadmap]: roadmap.md
diff --git a/docs/v0.3.0/design/tcp-udp-design.md b/docs/v0.3.0/design/tcp-udp-design.md
new file mode 100644
index 0000000000..276221b897
--- /dev/null
+++ b/docs/v0.3.0/design/tcp-udp-design.md
@@ -0,0 +1,47 @@
+# TCP and UDP Proxy Design
+
+Even though most of the use cases for Envoy Gateway are at Layer-7, Envoy Gateway can also work at Layer-4 to proxy TCP
+and UDP traffic. This document will explore the options we have when operating Envoy Gateway at Layer-4 and explain the
+design decision.
+
+Envoy can work as a non-transparent proxy or a transparent proxy for both [TCP](https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/other_features/ip_transparency#arch-overview-ip-transparency-original-src-listener)
+ and [UDP](https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/udp/udp_proxy/v3/udp_proxy.proto#envoy-v3-api-msg-extensions-filters-udp-udp-proxy-v3-udpproxyconfig)
+, so ideally, Envoy Gateway should also be able to work in these two modes:
+
+## Non-transparent Proxy Mode
+For TCP, Envoy terminates the downstream connection, connects the upstream with its own IP address, and proxies the
+TCP traffic from the downstream to the upstream.
+
+For UDP, Envoy receives UDP datagrams from the downstream, and uses its own IP address as the sender IP address when
+proxying the UDP datagrams to the upstream.
+
+In this mode, the upstream will see Envoy's IP address and port.
+
+## Transparent Proxy Mode
+For TCP, Envoy terminates the downstream connection, connects the upstream with the downstream IP address, and proxies
+the TCP traffic from the downstream to the upstream.
+
+For UDP, Envoy receives UDP datagrams from the downstream, and uses the downstream IP address as the sender IP address
+when proxying the UDP datagrams to the upstream.
+
+In this mode, the upstream will see the original downstream IP address and Envoy's mac address.
+
+Note: Even in transparent mode, the upstream can't see the port number of the downstream because Envoy doesn't forward
+the port number.
+
+## The Implications of Transparent Proxy Mode
+
+### Escalated Privilege
+Envoy needs to bind to the downstream IP when connecting to the upstream, which means Envoy requires escalated
+CAP_NET_ADMIN privileges. This is often considered as a bad security practice and not allowed in some sensitive deployments.
+
+### Routing
+The upstream can see the original source IP, but the original port number won't be passed, so the return
+traffic from the upstream must be routed back to Envoy because only Envoy knows how to send the return traffic back
+to the right port number of the downstream, which requires routing at the upstream side to be set up.
+In a Kubernetes cluster, Envoy Gateway will have to carefully cooperate with CNI plugins to get the routing right.
+
+## The Design Decision (For Now)
+
+The implementation will only support proxying in non-transparent mode i.e. the backend will see the source IP and
+port of the deployed Envoy instance instead of the client.
diff --git a/docs/v0.3.0/design/watching.md b/docs/v0.3.0/design/watching.md
new file mode 100644
index 0000000000..b8477a30e2
--- /dev/null
+++ b/docs/v0.3.0/design/watching.md
@@ -0,0 +1,117 @@
+# Watching Components Design
+
+Envoy Gateway is made up of several components that communicate in-process. Some of them (namely Providers) watch
+external resources, and "publish" what they see for other components to consume; others watch what another publishes and
+act on it (such as the resource translator watches what the providers publish, and then publishes its own results that
+are watched by another component). Some of these internally published results are consumed by multiple components.
+
+To facilitate this communication use the [watchable][] library. The `watchable.Map` type is very similar to the
+standard library's `sync.Map` type, but supports a `.Subscribe` (and `.SubscribeSubset`) method that promotes a pub/sub
+pattern.
+
+## Pub
+
+Many of the things we communicate around are naturally named, either by a bare "name" string or by a "name"/"namespace"
+tuple. And because `watchable.Map` is typed, it makes sense to have one map for each type of thing (very similar to if
+we were using native Go `map`s). For example, a struct that might be written to by the Kubernetes provider, and read by
+the IR translator:
+
+ ```go
+ type ResourceTable struct {
+ // gateway classes are cluster-scoped; no namespace
+ GatewayClasses watchable.Map[string, *gwapiv1b1.GatewayClass]
+
+ // gateways are namespace-scoped, so use a k8s.io/apimachinery/pkg/types.NamespacedName as the map key.
+ Gateways watchable.Map[types.NamespacedName, *gwapiv1b1.Gateway]
+
+ HTTPRoutes watchable.Map[types.NamespacedName, *gwapiv1b1.HTTPRoute]
+ }
+ ```
+
+The Kubernetes provider updates the table by calling `table.Thing.Store(name, val)` and `table.Thing.Delete(name)`;
+updating a map key with a value that is deep-equal (usually `reflect.DeepEqual`, but you can implement your own `.Equal`
+method) the current value is a no-op; it won't trigger an event for subscribers. This is handy so that the publisher
+doesn't have as much state to keep track of; it doesn't need to know "did I already publish this thing", it can just
+`.Store` its data and `watchable` will do the right thing.
+
+## Sub
+
+Meanwhile, the translator and other interested components subscribe to it with `table.Thing.Subscribe` (or
+`table.Thing.SubscribeSubset` if they only care about a few "Thing"s). So the translator goroutine might look like:
+
+ ```go
+ func(ctx context.Context) error {
+ for snapshot := range k8sTable.HTTPRoutes.Subscribe(ctx) {
+ fullState := irInput{
+ GatewayClasses: k8sTable.GatewayClasses.LoadAll(),
+ Gateways: k8sTable.Gateways.LoadAll(),
+ HTTPRoutes: snapshot.State,
+ }
+ translate(irInput)
+ }
+ }
+ ```
+
+Or, to watch multiple maps in the same loop:
+
+ ```go
+ func worker(ctx context.Context) error {
+ classCh := k8sTable.GatewayClasses.Subscribe(ctx)
+ gwCh := k8sTable.Gateways.Subscribe(ctx)
+ routeCh := k8sTable.HTTPRoutes.Subscribe(ctx)
+ for ctx.Err() == nil {
+ var arg irInput
+ select {
+ case snapshot := <-classCh:
+ arg.GatewayClasses = snapshot.State
+ case snapshot := <-gwCh:
+ arg.Gateways = snapshot.State
+ case snapshot := <-routeCh:
+ arg.Routes = snapshot.State
+ }
+ if arg.GateWayClasses == nil {
+ arg.GatewayClasses = k8sTable.GateWayClasses.LoadAll()
+ }
+ if arg.GateWays == nil {
+ arg.Gateways = k8sTable.GateWays.LoadAll()
+ }
+ if arg.HTTPRoutes == nil {
+ arg.HTTPRoutes = k8sTable.HTTPRoutes.LoadAll()
+ }
+ translate(irInput)
+ }
+ }
+ ```
+
+From the updates it gets from `.Subscribe`, it can get a full view of the map being subscribed to via `snapshot.State`;
+but it must read the other maps explicitly. Like `sync.Map`, `watchable.Map`s are thread-safe; while `.Subscribe` is a
+handy way to know when to run, `.Load` and friends can be used without subscribing.
+
+There can be any number of subscribers. For that matter, there can be any number of publishers `.Store`ing things, but
+it's probably wise to just have one publisher for each map.
+
+The channel returned from `.Subscribe` **is immediately readable** with a snapshot of the map as it existed when
+`.Subscribe` was called; and becomes readable again whenever `.Store` or `.Delete` mutates the map. If multiple
+mutations happen between reads (or if mutations happen between `.Subscribe` and the first read), they are coalesced in
+to one snapshot to be read; the `snapshot.State` is the most-recent full state, and `snapshot.Updates` is a listing of
+each of the mutations that cause this snapshot to be different than the last-read one. This way subscribers don't need
+to worry about a backlog accumulating if they can't keep up with the rate of changes from the publisher.
+
+If the map contains anything before `.Subscribe` is called, that very first read won't include `snapshot.Updates`
+entries for those pre-existing items; if you are working with `snapshot.Update` instead of `snapshot.State`, then you
+must add special handling for your first read. We have a utility function `./internal/message.HandleSubscription` to
+help with this.
+
+## Other Notes
+
+The common pattern will likely be that the entrypoint that launches the goroutines for each component instantiates the
+map, and passes them to the appropriate publishers and subscribers; same as if they were communicating via a dumb
+`chan`.
+
+A limitation of `watchable.Map` is that in order to ensure safety between goroutines, it does require that value types
+be deep-copiable; either by having a `DeepCopy` method, being a `proto.Message`, or by containing no reference types and
+so can be deep-copied by naive assignment. Fortunately, we're using `controller-gen` anyway, and `controller-gen` can
+generate `DeepCopy` methods for us: just stick a `// +k8s:deepcopy-gen=true` on the types that you want it to generate
+methods for.
+
+[watchable]: https://pkg.go.dev/github.com/telepresenceio/watchable
diff --git a/docs/v0.3.0/design_docs.rst b/docs/v0.3.0/design_docs.rst
new file mode 100644
index 0000000000..7909d933b2
--- /dev/null
+++ b/docs/v0.3.0/design_docs.rst
@@ -0,0 +1,17 @@
+Design Docs
+===========
+
+Learn about the internal details of Envoy Gateway.
+
+.. toctree::
+ :maxdepth: 2
+
+ design/system-design
+ design/gatewayapi-translator
+ design/watching
+ design/config-api
+ design/tcp-udp-design
+ design/egctl
+ design/ratelimit
+ design/request-authentication
+ design/gatewayapi-support
diff --git a/docs/v0.3.0/dev/CODEOWNERS.md b/docs/v0.3.0/dev/CODEOWNERS.md
new file mode 100644
index 0000000000..a659427ba5
--- /dev/null
+++ b/docs/v0.3.0/dev/CODEOWNERS.md
@@ -0,0 +1,4 @@
+# Maintainers
+
+## The following maintainers, listed in alphabetical order, own everything.
+* @AliceProxy @arkodg @danehans @skriss @Xunzhuo @youngnick @zirain
diff --git a/docs/v0.3.0/dev/CODE_OF_CONDUCT.md b/docs/v0.3.0/dev/CODE_OF_CONDUCT.md
new file mode 100644
index 0000000000..a0a295770f
--- /dev/null
+++ b/docs/v0.3.0/dev/CODE_OF_CONDUCT.md
@@ -0,0 +1,3 @@
+# Community Code of Conduct
+
+Gateway follows the [CNCF Code of Conduct](https://github.com/cncf/foundation/blob/main/code-of-conduct.md).
diff --git a/docs/v0.3.0/dev/CONTRIBUTING.md b/docs/v0.3.0/dev/CONTRIBUTING.md
new file mode 100644
index 0000000000..d7770bdeff
--- /dev/null
+++ b/docs/v0.3.0/dev/CONTRIBUTING.md
@@ -0,0 +1,183 @@
+# Contributing
+
+We welcome contributions from the community. Please carefully review the [project goals](GOALS.md)
+and following guidelines to streamline your contributions.
+
+## Communication
+
+* Before starting work on a major feature, please contact us via GitHub or Slack. We will ensure no
+ one else is working on it and ask you to open a GitHub issue.
+* A "major feature" is defined as any change that is > 100 LOC altered (not including tests), or
+ changes any user-facing behavior. We will use the GitHub issue to discuss the feature and come to
+ agreement. This is to prevent your time being wasted, as well as ours. The GitHub review process
+ for major features is also important so that [affiliations with commit access](CODEOWNERS.md) can
+ come to agreement on the design. If it's appropriate to write a design document, the document must
+ be hosted either in the GitHub issue, or linked to from the issue and hosted in a world-readable
+ location.
+* Small patches and bug fixes don't need prior communication.
+
+## Inclusivity
+
+The Envoy Gateway community has an explicit goal to be inclusive to all. As such, all PRs must adhere
+to the following guidelines for all code, APIs, and documentation:
+
+* The following words and phrases are not allowed:
+ * *Whitelist*: use allowlist instead.
+ * *Blacklist*: use denylist or blocklist instead.
+ * *Master*: use primary instead.
+ * *Slave*: use secondary or replica instead.
+* Documentation should be written in an inclusive style. The [Google developer
+ documentation](https://developers.google.com/style/inclusive-documentation) contains an excellent
+ reference on this topic.
+* The above policy is not considered definitive and may be amended in the future as industry best
+ practices evolve. Additional comments on this topic may be provided by maintainers during code
+ review.
+
+## Submitting a PR
+
+* Fork the repo.
+* Hack
+* DCO sign-off each commit. This can be done with `git commit -s`.
+* Submit your PR.
+* Tests will automatically run for you.
+* We will **not** merge any PR that is not passing tests.
+* PRs are expected to have 100% test coverage for added code. This can be verified with a coverage
+ build. If your PR cannot have 100% coverage for some reason please clearly explain why when you
+ open it.
+* Any PR that changes user-facing behavior **must** have associated documentation in the [docs](https://github.com/envoyproxy/gateway/tree/main/docs) folder of the repo as
+ well as the [changelog](../releases).
+* All code comments and documentation are expected to have proper English grammar and punctuation.
+ If you are not a fluent English speaker (or a bad writer ;-)) please let us know and we will try
+ to find some help but there are no guarantees.
+* Your PR title should be descriptive, and generally start with a subsystem name followed by a
+ colon. Examples:
+ * "docs: fix grammar error"
+ * "translator: add new feature"
+* Your PR commit message will be used as the commit message when your PR is merged. You should
+ update this field if your PR diverges during review.
+* Your PR description should have details on what the PR does. If it fixes an existing issue it
+ should end with "Fixes #XXX".
+* If your PR is co-authored or based on an earlier PR from another contributor,
+ please attribute them with `Co-authored-by: name `. See
+ GitHub's [multiple author
+ guidance](https://help.github.com/en/github/committing-changes-to-your-project/creating-a-commit-with-multiple-authors)
+ for further details.
+* When all tests are passing and all other conditions described herein are satisfied, a maintainer
+ will be assigned to review and merge the PR.
+* Once you submit a PR, *please do not rebase it*. It's much easier to review if subsequent commits
+ are new commits and/or merges. We squash and merge so the number of commits you have in the PR
+ doesn't matter.
+* We expect that once a PR is opened, it will be actively worked on until it is merged or closed.
+ We reserve the right to close PRs that are not making progress. This is generally defined as no
+ changes for 7 days. Obviously PRs that are closed due to lack of activity can be reopened later.
+ Closing stale PRs helps us to keep on top of all the work currently in flight.
+
+## Maintainer PR Review Policy
+
+* See [CODEOWNERS.md](CODEOWNERS.md) for the current list of maintainers.
+* A maintainer representing a different affiliation from the PR owner is required to review and
+ approve the PR.
+* When the project matures, it is expected that a "domain expert" for the code the PR touches should
+ review the PR. This person does not require commit access, just domain knowledge.
+* The above rules may be waived for PRs which only update docs or comments, or trivial changes to
+ tests and tools (where trivial is decided by the maintainer in question).
+* If there is a question on who should review a PR please discuss in Slack.
+* Anyone is welcome to review any PR that they want, whether they are a maintainer or not.
+* Please make sure that the PR title, commit message, and description are updated if the PR changes
+ significantly during review.
+* Please **clean up the title and body** before merging. By default, GitHub fills the squash merge
+ title with the original title, and the commit body with every individual commit from the PR.
+ The maintainer doing the merge should make sure the title follows the guidelines above and should
+ overwrite the body with the original commit message from the PR (cleaning it up if necessary)
+ while preserving the PR author's final DCO sign-off.
+
+## Decision making
+
+This is a new and complex project, and we need to make a lot of decisions very quickly.
+To this end, we've settled on this process for making (possibly contentious) decisions:
+
+* For decisions that need a record, we create an issue.
+* In that issue, we discuss opinions, then a maintainer can call for a vote in a comment.
+* Maintainers can cast binding votes on that comment by reacting or replying in another comment.
+* Non-maintainer community members are welcome to cast non-binding votes by either of these methods.
+* Voting will be resolved by simple majority.
+* In the event of deadlocks, the question will be put to steering instead.
+
+## DCO: Sign your work
+
+The sign-off is a simple line at the end of the explanation for the
+patch, which certifies that you wrote it or otherwise have the right to
+pass it on as an open-source patch. The rules are pretty simple: if you
+can certify the below (from
+[developercertificate.org](https://developercertificate.org/)):
+
+```
+Developer Certificate of Origin
+Version 1.1
+
+Copyright (C) 2004, 2006 The Linux Foundation and its contributors.
+660 York Street, Suite 102,
+San Francisco, CA 94110 USA
+
+Everyone is permitted to copy and distribute verbatim copies of this
+license document, but changing it is not allowed.
+
+
+Developer's Certificate of Origin 1.1
+
+By making a contribution to this project, I certify that:
+
+(a) The contribution was created in whole or in part by me and I
+ have the right to submit it under the open source license
+ indicated in the file; or
+
+(b) The contribution is based upon previous work that, to the best
+ of my knowledge, is covered under an appropriate open source
+ license and I have the right under that license to submit that
+ work with modifications, whether created in whole or in part
+ by me, under the same open source license (unless I am
+ permitted to submit under a different license), as indicated
+ in the file; or
+
+(c) The contribution was provided directly to me by some other
+ person who certified (a), (b) or (c) and I have not modified
+ it.
+
+(d) I understand and agree that this project and the contribution
+ are public and that a record of the contribution (including all
+ personal information I submit with it, including my sign-off) is
+ maintained indefinitely and may be redistributed consistent with
+ this project or the open source license(s) involved.
+```
+
+then you just add a line to every git commit message:
+
+ Signed-off-by: Joe Smith
+
+using your real name (sorry, no pseudonyms or anonymous contributions.)
+
+You can add the sign-off when creating the git commit via `git commit -s`.
+
+If you want this to be automatic you can set up some aliases:
+
+```bash
+git config --add alias.amend "commit -s --amend"
+git config --add alias.c "commit -s"
+```
+
+## Fixing DCO
+
+If your PR fails the DCO check, it's necessary to fix the entire commit history in the PR. Best
+practice is to [squash](https://gitready.com/advanced/2009/02/10/squashing-commits-with-rebase.html)
+the commit history to a single commit, append the DCO sign-off as described above, and [force
+push](https://git-scm.com/docs/git-push#git-push---force). For example, if you have 2 commits in
+your history:
+
+```bash
+git rebase -i HEAD^^
+(interactive squash + DCO append)
+git push origin -f
+```
+
+Note, that in general rewriting history in this way is a hindrance to the review process and this
+should only be done to correct a DCO mistake.
diff --git a/docs/v0.3.0/dev/DOCS.md b/docs/v0.3.0/dev/DOCS.md
new file mode 100644
index 0000000000..fb49b9d55d
--- /dev/null
+++ b/docs/v0.3.0/dev/DOCS.md
@@ -0,0 +1,63 @@
+# Working on the Envoy Gateway Docs
+
+The documentation for the Envoy Gateway lives in the `docs/` directory. Any
+individual document can be written using either [reStructuredText] or [Markdown],
+you can choose the format that you're most comfortable with when working on the
+documentation.
+
+## Documentation Structure
+
+We supported the versioned Docs now, the directory name under docs represents
+the version of docs. The root of the latest site is in `docs/latest/index.rst`.
+This is probably where to start if you're trying to understand how things fit together.
+
+Note that the new contents should be added to `docs/latest` and will be cut off at
+the next release. The contents under `docs/v0.2.0` are auto-generated,
+and usually do not need to make changes to them, unless if you find the current release pages have
+some incorrect contents. If so, you should send a PR to update contents both of `docs/latest`
+and `docs/v0.2.0`.
+
+It's important to note that a given document _must_ have a reference in some
+`.. toctree::` section for the document to be reachable. Not everything needs
+to be in `docs/index.rst`'s `toctree` though.
+
+You can access the website which represents the current release in default,
+and you can access the website which contains the latest version changes in
+[Here][latest-website] or at the footer of the pages.
+
+## Documentation Workflow
+
+To work with the docs, just edit reStructuredText or Markdown files in `docs`,
+then run
+
+```bash
+make docs
+```
+
+This will create `docs/html` with the built HTML pages. You can view the docs
+either simply by pointing a web browser at the `file://` path to your
+`docs/html`, or by firing up a static webserver from that directory, e.g.
+
+``` shell
+make docs-serve
+```
+
+If you want to generate a new release version of the docs, like `v0.3.0`, then run
+
+```bash
+make docs-release TAG=v0.3.0
+```
+
+This will update the VERSION file at the project root, which records current release version,
+and it will be used in the pages version context and binary version output. Also, this will generate
+new dir `docs/v0.3.0`, which contains docs at v0.3.0 and updates artifact links to `v0.3.0`
+in all files under `docs/v0.3.0/user`, like `quickstart.md`, `http-routing.md` and etc.
+
+## Publishing Docs
+
+Whenever docs are pushed to `main`, CI will publish the built docs to GitHub
+Pages. For more details, see `.github/workflows/docs.yaml`.
+
+[reStructuredText]: https://docutils.sourceforge.io/docs/ref/rst/restructuredtext.html
+[Markdown]: https://daringfireball.net/projects/markdown/syntax
+[latest-website]: https://gateway.envoyproxy.io/latest
diff --git a/docs/v0.3.0/dev/GOALS.md b/docs/v0.3.0/dev/GOALS.md
new file mode 100644
index 0000000000..519be9f180
--- /dev/null
+++ b/docs/v0.3.0/dev/GOALS.md
@@ -0,0 +1,79 @@
+# Goals
+
+The high-level goal of the Envoy Gateway project is to attract more users to Envoy by lowering barriers to adoption
+through expressive, extensible, role-oriented APIs that support a multitude of ingress and L7/L4 traffic routing
+use cases; and provide a common foundation for vendors to build value-added products without having to re-engineer
+fundamental interactions.
+
+## Objectives
+
+### Expressive API
+The Envoy Gateway project will expose a simple and expressive API, with defaults set for many capabilities.
+
+The API will be the Kubernetes-native [Gateway API][], plus Envoy-specific extensions and extension points. This
+expressive and familiar API will make Envoy accessible to more users, especially application developers, and make Envoy
+a stronger option for "getting started" as compared to other proxies. Application developers will use the API out of
+the box without needing to understand in-depth concepts of Envoy Proxy or use OSS wrappers. The API will use familiar
+nouns that [users](#personas) understand.
+
+The core full-featured Envoy xDS APIs will remain available for those who need more capability and for those who
+add functionality on top of Envoy Gateway, such as commercial API gateway products.
+
+This expressive API will not be implemented by Envoy Proxy, but rather an officially supported translation layer
+on top.
+
+### Batteries included
+Envoy Gateway will simplify how Envoy is deployed and managed, allowing application developers to focus on
+delivering core business value.
+
+The project plans to include additional infrastructure components required by users to fulfill their Ingress and API
+gateway needs: It will handle Envoy infrastructure provisioning (e.g. Kubernetes Service, Deployment, et cetera), and
+possibly infrastructure provisioning of related sidecar services. It will include sensible defaults with the ability to
+override.
It will include channels for improving ops by exposing status through API conditions and Kubernetes status
+sub-resources.
+
+Making an application accessible needs to be a trivial task for any developer. Similarly, infrastructure administrators
+will enjoy a simplified management model that doesn't require extensive knowledge of the solution's architecture to
+operate.
+
+### All environments
+Envoy Gateway will support running natively in Kubernetes environments as well as non-Kubernetes deployments.
+
+Initially, Kubernetes will receive the most focus, with the aim of having Envoy Gateway become the de facto
+standard for Kubernetes ingress supporting the [Gateway API][].
+Additional goals include multi-cluster support and various runtime environments.
+
+### Extensibility
+Vendors will have the ability to provide value-added products built on the Envoy Gateway foundation.
+
+It will remain easy for end-users to leverage common Envoy Proxy extension points such as providing an implementation
+for authentication methods and rate-limiting. For advanced use cases, users will have the ability to use the full power
+of xDS.
+
+Since a general-purpose API cannot address all use cases, Envoy Gateway will provide additional extension points
+for flexibility. As such, Envoy Gateway will form the base of vendor-provided managed control plane solutions,
+allowing vendors to shift to a higher management plane layer.
+
+## Non-objectives
+
+### Cannibalize vendor models
+Vendors need to have the ability to drive commercial value, so the goal is not to cannibalize any existing vendor
+monetization model, though some vendors may be affected by it.
+
+### Disrupt current Envoy usage patterns
+Envoy Gateway is purely an additive convenience layer and is not meant to disrupt any usage pattern of any user
+with Envoy Proxy, xDS, or go-control-plane.
+
+## Personas
+_In order of priority_
+
+### 1.
Application developer
+The application developer spends the majority of their time developing business logic code. They require the ability to
+manage access to their application.
+
+### 2. Infrastructure administrators
+The infrastructure administrators are responsible for the installation, maintenance, and operation of
+API gateways appliances in infrastructure, such as CRDs, roles, service accounts, certificates, etc.
+Infrastructure administrators support the needs of application developers by managing instances of Envoy Gateway.
+
+[Gateway API]: https://gateway-api.sigs.k8s.io/
diff --git a/docs/v0.3.0/dev/README.md b/docs/v0.3.0/dev/README.md
new file mode 100644
index 0000000000..0c3b055b61
--- /dev/null
+++ b/docs/v0.3.0/dev/README.md
@@ -0,0 +1,152 @@
+# Developer Guide
+
+Envoy Gateway is built using a [make][]-based build system. Our CI is based on [Github Actions][] using [workflows][].
+
+## Prerequisites
+
+### go
+
+* Version: 1.19
+* Installation Guide: https://go.dev/doc/install
+
+### make
+
+* Recommended Version: 4.0 or later
+* Installation Guide: https://www.gnu.org/software/make
+
+### docker
+
+* Optional when you want to build a Docker image or run `make` inside Docker.
+* Recommended Version: 20.10.16
+* Installation Guide: https://docs.docker.com/engine/install
+
+### python3
+
+* Need a `python3` program
+* Must have a functioning `venv` module; this is part of the standard
+ library, but some distributions (such as Debian and Ubuntu) replace
+ it with a stub and require you to install a `python3-venv` package
+ separately.
+
+## Quickstart
+
+* Run `make help` to see all the available targets to build, test and run Envoy Gateway.
+
+### Building
+
+* Run `make build` to build the Envoy Gateway binary. __Note:__ The binary gets generated in the `bin/` directory
+
+### Testing
+
+* Run `make test` to run the golang tests.
+
+### Running Linters
+
+* Run `make lint` to make sure your code passes all the linter checks.
+
+### Building and Pushing the Image
+
+* Run `IMAGE=docker.io/you/gateway-dev make image` to build the docker image.
+* Run `IMAGE=docker.io/you/gateway-dev make push-multiarch` to build and push the multi-arch docker image.
+
+__Note:__ Replace `IMAGE` with your registry's image name.
+
+### Deploying Envoy Gateway for Test/Dev
+
+* Run `make create-cluster` to create a [Kind][] cluster.
+
+#### Option 1: Use the Latest [gateway-dev][] Image
+
+* Run `TAG=latest make kube-deploy` to deploy Envoy Gateway in the Kind cluster using the latest image. Replace `latest`
+ to use a different image tag.
+
+#### Option 2: Use a Custom Image
+
+* Run `make kube-install-image` to build an image from the tip of your current branch and load it in the Kind cluster.
+* Run `make kube-deploy` to install Envoy Gateway into the Kind cluster using your custom image.
+
+### Deploying Envoy Gateway in Kubernetes
+
+* Run `TAG=latest make kube-deploy` to deploy Envoy Gateway using the latest image into a Kubernetes cluster (linked to
+ the current kube context). Preface the command with `IMAGE` or replace `TAG` to use a different Envoy Gateway image or
+ tag.
+* Run `make kube-undeploy` to uninstall Envoy Gateway from the cluster.
+
+__Note:__ Envoy Gateway is tested against Kubernetes v1.24.0.
+
+### Demo Setup
+
+* Run `make kube-demo` to deploy a demo backend service, gatewayclass, gateway and httproute resource
+(similar to steps outlined in the [Quickstart][] docs) and test the configuration.
+* Run `make kube-demo-undeploy` to delete the resources created by the `make kube-demo` command.
+
+### Run Gateway API Conformance Tests
+
+The commands below deploy Envoy Gateway to a Kubernetes cluster and run the Gateway API conformance tests. Refer to the
+Gateway API [conformance homepage][] to learn more about the tests. If Envoy Gateway is already installed, run
+`TAG=latest make run-conformance` to run the conformance tests.
+
+#### On a Linux Host
+
+* Run `TAG=latest make conformance` to create a Kind cluster, install Envoy Gateway using the latest [gateway-dev][]
+ image, and run Gateway API conformance tests.
+
+#### On a Mac Host
+
+Since Mac doesn't support [directly exposing][] the Docker network to the Mac host, use one of the following
+workarounds to run conformance tests:
+
+* Deploy your own Kubernetes cluster or use Docker Desktop with [Kubernetes support][] and then run
+ `TAG=latest make kube-deploy run-conformance`. This will install Envoy Gateway using the latest [gateway-dev][] image
+ to the Kubernetes cluster using the current kubectl context and run the conformance tests. Use `make kube-undeploy` to
+ uninstall Envoy Gateway.
+* Install and run [Docker Mac Net Connect][mac_connect] and then run `TAG=latest make conformance`.
+
+__Note:__ Preface commands with `IMAGE` or replace `TAG` to use a different Envoy Gateway image or tag. If `TAG`
+is unspecified, the short SHA of your current branch is used.
+
+### Debugging the Envoy Config
+
+An easy way to view the envoy config that Envoy Gateway is using is to port-forward to the admin interface port
+(currently `19000`) on the Envoy deployment that corresponds to a Gateway so that it can be accessed locally.
+
+Get the name of the Envoy deployment. The following example is for Gateway `eg` in the `default` namespace:
+
+```shell
+export ENVOY_DEPLOYMENT=$(kubectl get deploy -n envoy-gateway-system --selector=gateway.envoyproxy.io/owning-gateway-namespace=default,gateway.envoyproxy.io/owning-gateway-name=eg -o jsonpath='{.items[0].metadata.name}')
+```
+
+Port forward the admin interface port:
+
+```shell
+kubectl port-forward deploy/${ENVOY_DEPLOYMENT} -n envoy-gateway-system 19000:19000
+```
+
+Now you are able to view the running Envoy configuration by navigating to `127.0.0.1:19000/config_dump`.
+
+There are many other endpoints on the [Envoy admin interface][] that may be helpful when debugging.
+
+### JWT Testing
+
+An example [JSON Web Token (JWT)][jwt] and [JSON Web Key Set (JWKS)][jwks] are used for the [request authentication][]
+user guide. The JWT was created by the [JWT Debugger][], using the `RS256` algorithm. The public key from the JWTs
+verify signature was copied to [JWK Creator][] for generating the JWK. The JWK Creator was configured with matching
+settings, i.e. `Signing` public key use and the `RS256` algorithm. The generated JWK was wrapped in a JWKS structure
+and is hosted in the repo.
+
+[Quickstart]: https://github.com/envoyproxy/gateway/blob/main/docs/user/quickstart.md
+[make]: https://www.gnu.org/software/make/
+[Github Actions]: https://docs.github.com/en/actions
+[workflows]: https://github.com/envoyproxy/gateway/tree/main/.github/workflows
+[Kind]: https://kind.sigs.k8s.io/
+[conformance homepage]: https://gateway-api.sigs.k8s.io/concepts/conformance/
+[directly exposing]: https://kind.sigs.k8s.io/docs/user/loadbalancer/
+[Kubernetes support]: https://docs.docker.com/desktop/kubernetes/
+[gateway-dev]: https://hub.docker.com/r/envoyproxy/gateway-dev/tags
+[mac_connect]: https://github.com/chipmk/docker-mac-net-connect
+[Envoy admin interface]: https://www.envoyproxy.io/docs/envoy/latest/operations/admin#operations-admin-interface
+[jwt]: https://tools.ietf.org/html/rfc7519
+[jwks]: https://tools.ietf.org/html/rfc7517
+[request authentication]: https://gateway.envoyproxy.io/latest/user/authn.html
+[JWT Debugger]: https://jwt.io/
+[JWK Creator]: https://russelldavies.github.io/jwk-creator/
diff --git a/docs/v0.3.0/dev/releasing.md b/docs/v0.3.0/dev/releasing.md
new file mode 100644
index 0000000000..f0004caf33
--- /dev/null
+++ b/docs/v0.3.0/dev/releasing.md
@@ -0,0 +1,195 @@
+# Release Process
+
+This document guides maintainers through the process of creating an Envoy Gateway release.
+
+- [Release Candidate](#release-candidate)
+- [Minor Release](#minor-release)
+- [Announce the Release](#announce-the-release)
+
+## Release Candidate
+
+The following steps should be used for creating a release candidate.
+
+### Prerequisites
+
+- Permissions to push to the Envoy Gateway repository.
+
+Set environment variables for use in subsequent steps:
+
+```shell
+export MAJOR_VERSION=0
+export MINOR_VERSION=3
+export RELEASE_CANDIDATE_NUMBER=1
+export GITHUB_REMOTE=origin
+```
+
+1. Clone the repo, checkout the `main` branch, ensure it’s up-to-date, and your local branch is clean.
+2. Create a topic branch for adding the release notes and updating the [VERSION][] file with the release version. Refer to previous [release notes][] and [VERSION][] for additional details.
+3. Sign, commit, and push your changes to your fork.
+4. Submit a [Pull Request][] to merge the changes into the `main` branch. Do not proceed until your PR has merged and
+ the [Build and Test][] has successfully completed.
+5. Create a new release branch from `main`. The release branch should be named
+ `release/v${MAJOR_VERSION}.${MINOR_VERSION}`, e.g. `release/v0.3`.
+
+ ```shell
+ git checkout -b release/v${MAJOR_VERSION}.${MINOR_VERSION}
+ ```
+
+6. Push the branch to the Envoy Gateway repo.
+
+ ```shell
+ git push ${GITHUB_REMOTE} release/v${MAJOR_VERSION}.${MINOR_VERSION}
+ ```
+
+7. Create a topic branch for updating the Envoy proxy image to the tag supported by the release. Reference [PR #958][]
+ for additional details on updating the image tag.
+8. Sign, commit, and push your changes to your fork.
+9. Submit a [Pull Request][] to merge the changes into the `release/v${MAJOR_VERSION}.${MINOR_VERSION}` branch. Do not
+ proceed until your PR has merged into the release branch and the [Build and Test][] has completed for your PR.
+10.
Ensure your release branch is up-to-date and tag the head of your release branch with the release candidate number.
+
+ ```shell
+ git tag -a v${MAJOR_VERSION}.${MINOR_VERSION}.0-rc.${RELEASE_CANDIDATE_NUMBER} -m 'Envoy Gateway v${MAJOR_VERSION}.${MINOR_VERSION}.0-rc.${RELEASE_CANDIDATE_NUMBER} Release Candidate'
+ ```
+
+11. Push the tag to the Envoy Gateway repository.
+
+ ```shell
+ git push ${GITHUB_REMOTE} v${MAJOR_VERSION}.${MINOR_VERSION}.0-rc.${RELEASE_CANDIDATE_NUMBER}
+ ```
+
+12. This will trigger the [release GitHub action][] that generates the release, release artifacts, etc.
+13. Confirm that the [release workflow][] completed successfully.
+14. Confirm that the Envoy Gateway [image][] with the correct release tag was published to Docker Hub.
+15. Confirm that the [release][] was created.
+16. Note that the [Quickstart Guide][] references are __not__ updated for release candidates. However, test
+ the quickstart steps using the release candidate by manually updating the links.
+17. [Generate][] the GitHub changelog.
+18. Ensure you check the "This is a pre-release" checkbox when editing the GitHub release.
+19. If you find any bugs in this process, please create an issue.
+
+## Minor Release
+
+The following steps should be used for creating a minor release.
+
+### Prerequisites
+
+- Permissions to push to the Envoy Gateway repository.
+- A release branch that has been cut from the corresponding release candidate. Refer to the
+ [Release Candidate](#release-candidate) section for additional details on cutting a release candidate.
+
+Set environment variables for use in subsequent steps:
+
+```shell
+export MAJOR_VERSION=0
+export MINOR_VERSION=3
+export GITHUB_REMOTE=origin
+```
+
+1. Clone the repo, checkout the `main` branch, ensure it’s up-to-date, and your local branch is clean.
+2. Create a topic branch for adding the release notes, release announcement, and versioned release docs.
+
+ 1. Create the release notes.
Reference previous [release notes][] for additional details. __Note:__ The release
+ notes should be an accumulation of the release candidate release notes and any changes since the release
+ candidate.
+ 2. Create a release announcement. Refer to [PR #635] as an example release announcement.
+ 3. Generate the versioned release docs:
+
+ ``` shell
+ make docs-release TAG=v${MAJOR_VERSION}.${MINOR_VERSION}
+ ```
+
+3. Sign, commit, and push your changes to your fork.
+4. Submit a [Pull Request][] to merge the changes into the `main` branch. Do not proceed until all your PRs have merged
+ and the [Build and Test][] has completed for your final PR.
+
+5. Checkout the release branch.
+
+ ```shell
+ git checkout -b release/v${MAJOR_VERSION}.${MINOR_VERSION} $GITHUB_REMOTE/release/v${MAJOR_VERSION}.${MINOR_VERSION}
+ ```
+
+6. If the tip of the release branch does not match the tip of `main`, perform the following:
+
+ 1. Create a topic branch from the release branch.
+ 2. Cherry-pick the commits from `main` that differ from the release branch.
+ 3. Run tests locally, e.g. `make lint`.
+ 4. Sign, commit, and push your topic branch to your Envoy Gateway fork.
+ 5. Submit a PR to merge the topic from of your fork into the Envoy Gateway release branch.
+ 6. Do not proceed until the PR has merged and CI passes for the merged PR.
+ 7. If you are still on your topic branch, change to the release branch:
+
+ ```shell
+ git checkout release/v${MAJOR_VERSION}.${MINOR_VERSION}
+ ```
+
+ 8. Ensure your local release branch is up-to-date:
+
+ ```shell
+ git pull $GITHUB_REMOTE release/v${MAJOR_VERSION}.${MINOR_VERSION}
+ ```
+
+7. Tag the head of your release branch with the release tag. For example:
+
+ ```shell
+ git tag -a v${MAJOR_VERSION}.${MINOR_VERSION}.0 -m 'Envoy Gateway v${MAJOR_VERSION}.${MINOR_VERSION}.0 Release'
+ ```
+
+ __Note:__ The tag version differs from the release branch by including the `.0` patch version.
+
+8. Push the tag to the Envoy Gateway repository.
+
+ ```shell
+ git push origin v${MAJOR_VERSION}.${MINOR_VERSION}.0
+ ```
+
+9. This will trigger the [release GitHub action][] that generates the release, release artifacts, etc.
+10. Confirm that the [release workflow][] completed successfully.
+11. Confirm that the Envoy Gateway [image][] with the correct release tag was published to Docker Hub.
+12. Confirm that the [release][] was created.
+13. Confirm that the steps in the [Quickstart Guide][] work as expected.
+14. [Generate][] the GitHub changelog and include the following text at the beginning of the release page:
+
+ ```console
+ # Release Announcement
+
+ Check out the [v${MAJOR_VERSION}.${MINOR_VERSION} release announcement]
+ (https://gateway.envoyproxy.io/releases/v${MAJOR_VERSION}.${MINOR_VERSION}.html) to learn more about the release.
+ ```
+
+If you find any bugs in this process, please create an issue.
+
+## Announce the Release
+
+It's important that the world knows about the release. Use the following steps to announce the release.
+
+1. Set the release information in the Envoy Gateway Slack channel. For example:
+
+ ```shell
+ Envoy Gateway v${MAJOR_VERSION}.${MINOR_VERSION} has been released: https://github.com/envoyproxy/gateway/releases/tag/v${MAJOR_VERSION}.${MINOR_VERSION}.0
+ ```
+
+2. Send a message to the Envoy Gateway Slack channel. For example:
+
+ ```shell
+ On behalf of the entire Envoy Gateway community, I am pleased to announce the release of Envoy Gateway
+ v${MAJOR_VERSION}.${MINOR_VERSION}. A big thank you to all the contributors that made this release possible.
+ Refer to the official v${MAJOR_VERSION}.${MINOR_VERSION} announcement for release details and the project docs
+ to start using Envoy Gateway.
+ ...
+ ```
+
+ Link to the GitHub release and release announcement page that highlights the release.
+
+[release notes]: https://github.com/envoyproxy/gateway/tree/main/release-notes
+[Pull Request]: https://github.com/envoyproxy/gateway/pulls
+[Quickstart Guide]: https://github.com/envoyproxy/gateway/blob/main/docs/user/quickstart.md
+[Build and Test]: https://github.com/envoyproxy/gateway/blob/main/.github/workflows/build_and_test.yaml
+[release GitHub action]: https://github.com/envoyproxy/gateway/blob/main/.github/workflows/release.yaml
+[release workflow]: https://github.com/envoyproxy/gateway/actions/workflows/release.yaml
+[image]: https://hub.docker.com/r/envoyproxy/gateway/tags
+[release]: https://github.com/envoyproxy/gateway/releases
+[Generate]: https://docs.github.com/en/repositories/releasing-projects-on-github/automatically-generated-release-notes
+[PR #635]: https://github.com/envoyproxy/gateway/pull/635
+[PR #958]: https://github.com/envoyproxy/gateway/pull/958
+[VERSION]: https://github.com/envoyproxy/gateway/blob/main/VERSION
diff --git a/docs/v0.3.0/dev_docs.rst b/docs/v0.3.0/dev_docs.rst
new file mode 100644
index 0000000000..e546e14c1a
--- /dev/null
+++ b/docs/v0.3.0/dev_docs.rst
@@ -0,0 +1,15 @@
+Developer Docs
+==============
+
+Learn how to contribute to Envoy Gateway.
+
+.. toctree::
+ :maxdepth: 1
+
+ dev/GOALS
+ dev/CODE_OF_CONDUCT
+ dev/CODEOWNERS
+ dev/CONTRIBUTING
+ dev/README
+ dev/DOCS
+ dev/releasing
diff --git a/docs/v0.3.0/get_involved.rst b/docs/v0.3.0/get_involved.rst
new file mode 100644
index 0000000000..f17febd565
--- /dev/null
+++ b/docs/v0.3.0/get_involved.rst
@@ -0,0 +1,9 @@
+Getting Involved
+================
+
+We welcome contributions from the community. Please carefully review the
+`project goals `_
+and the
+`code of conduct `_
+before diving in.
+
diff --git a/docs/v0.3.0/images/architecture.png b/docs/v0.3.0/images/architecture.png
new file mode 100644
index 0000000000..1d4131fbea
Binary files /dev/null and b/docs/v0.3.0/images/architecture.png differ
diff --git a/docs/v0.3.0/index.rst b/docs/v0.3.0/index.rst
new file mode 100644
index 0000000000..b31be95cc0
--- /dev/null
+++ b/docs/v0.3.0/index.rst
@@ -0,0 +1,33 @@
+`Envoy Gateway `_
+====================
+
+Release: |version|
+
+.. image:: https://img.shields.io/badge/slack-join-orange.svg
+ :target: https://envoyproxy.slack.com/archives/C03E6NHLESV
+ :alt: Join the Envoy Slack
+
+Envoy Gateway is an open source project for managing `Envoy Proxy`_ as a standalone or Kubernetes-based application
+gateway. `Gateway API`_ resources are used to dynamically provision and configure the managed Envoy Proxies. Whether
+you are interested in using or contributing to Envoy Gateway, the following resources will help you get started:
+
+.. toctree::
+ :maxdepth: 1
+
+ intro/compatibility
+ user_docs
+ design_docs
+ dev_docs
+ api_docs
+ releases
+ roadmap
+ about_docs
+ get_involved
+
+.. note::
+
+ This project is under active development. Many, many features are not
+ complete. We would love for you to :doc:`get involved`.
+
+.. _Envoy Proxy: https://www.envoyproxy.io/
+.. _Gateway API: https://gateway-api.sigs.k8s.io/
diff --git a/docs/v0.3.0/intro/compatibility.rst b/docs/v0.3.0/intro/compatibility.rst
new file mode 100644
index 0000000000..bffbd8997d
--- /dev/null
+++ b/docs/v0.3.0/intro/compatibility.rst
@@ -0,0 +1,23 @@
+Compatibility Matrix
+====================
+
+Envoy Gateway relies on the Envoy Proxy and the Gateway API, and runs
+within a Kubernetes cluster. Not all versions of each of these products
+can function together for Envoy Gateway. Supported version combinations
+are listed below; **bold** type indicates the versions of the Envoy Proxy
+and the Gateway API actually compiled into each Envoy Gateway release.
+
++--------------------------+---------------------+---------------------+----------------------------+
+| Envoy Gateway version | Envoy Proxy version | Gateway API version | Kubernetes version |
++--------------------------+---------------------+---------------------+----------------------------+
+| v0.3.0 | **v1.25-latest** | **v0.6.1** | v1.24, v1.25, v1.26 |
++--------------------------+---------------------+---------------------+----------------------------+
+| v0.2.0 | **v1.23-latest** | **v0.5.1** | v1.24 |
++--------------------------+---------------------+---------------------+----------------------------+
+| latest | **dev-latest** | **v0.6.1** | v1.24, v1.25, v1.26 |
++--------------------------+---------------------+---------------------+----------------------------+
+
+.. note::
+
+ This project is under active development. Many, many features are not
+ complete. We would love for you to :doc:`get involved<../get_involved>`.
diff --git a/docs/v0.3.0/releases.rst b/docs/v0.3.0/releases.rst
new file mode 100644
index 0000000000..20d05b25ac
--- /dev/null
+++ b/docs/v0.3.0/releases.rst
@@ -0,0 +1,11 @@
+Releases
+========
+
+Learn more about Envoy Gateway releases.
+
+.. toctree::
+ :maxdepth: 1
+
+ releases/README
+ releases/v0.2
+ releases/v0.3
diff --git a/docs/v0.3.0/releases/README.md b/docs/v0.3.0/releases/README.md
new file mode 100644
index 0000000000..a63298a610
--- /dev/null
+++ b/docs/v0.3.0/releases/README.md
@@ -0,0 +1,41 @@
+# Release Details
+
+This document provides details for Envoy Gateway releases. Envoy Gateway follows the Semantic Versioning [v2.0.0 spec][]
+for release versioning. Since Envoy Gateway is a new project, minor releases are the only defined releases. Envoy
+Gateway maintainers will establish additional release details, e.g. patch releases, at a future date.
+
+## Stable Releases
+
+Stable releases of Envoy Gateway include:
+
+* Minor Releases- A new release branch and corresponding tag are created from the `main` branch. A minor release
+ is supported for 6 months following the release date. As the project matures, Envoy Gateway maintainers will reassess
+ the support timeframe.
+
+Minor releases happen quarterly and follow the schedule below.
+
+## Release Management
+
+Minor releases are handled by a designated Envoy Gateway maintainer. This maintainer is considered the Release Manager
+for the release. The details for creating a release are outlined in the [release guide][]. The Release Manager is
+responsible for coordinating the overall release. This includes identifying issues to be fixed in the release,
+communications with the Envoy Gateway community, and the mechanics of the release.
+
+| Quarter | Release Manager |
+|:-------:|:--------------------------------------------------------------:|
+| 2022 Q4 | Daneyon Hansen ([danehans](https://github.com/danehans)) |
+| 2023 Q1 | Xunzhuo Liu ([Xunzhuo](https://github.com/Xunzhuo)) |
+
+## Release Schedule
+
+In order to align with the Envoy Proxy [release schedule][], Envoy Gateway releases are produced on a fixed schedule
+(the 22nd day of each quarter), with an acceptable delay of up to 2 weeks, and a hard deadline of 3 weeks.
+
+| Version | Expected | Actual | Difference | End of Life |
+|:-------:|:-----------:|:-----------:|:----------:|:-----------:|
+| 0.2.0 | 2022/10/22 | 2022/10/20 | -2 day | 2023/4/20 |
+| 0.3.0 | 2023/01/22 | | | |
+
+[v2.0.0 spec]: https://semver.org/spec/v2.0.0.html
+[release guide]: ../dev/releasing.md
+[release schedule]: https://github.com/envoyproxy/envoy/blob/main/RELEASES.md#major-release-schedule
diff --git a/docs/v0.3.0/releases/v0.2.md b/docs/v0.3.0/releases/v0.2.md
new file mode 100644
index 0000000000..a0dc0e885d
--- /dev/null
+++ b/docs/v0.3.0/releases/v0.2.md
@@ -0,0 +1,50 @@
+---
+title: Announcing Envoy Gateway v0.2
+linktitle: v0.2
+subtitle: Major Update
+description: Envoy Gateway v0.2 release announcement.
+publishdate: 2022-10-20
+release: v0.2.0
+skip_list: true
+aliases:
+- /releases/v0.2
+- /releases/v0.2.0
+---
+# Envoy Gateway Release v0.2
+
+We are pleased to announce the release of Envoy Gateway v0.2!
+
+This is the first functional release of Envoy Gateway. We would like to thank the entire Envoy Gateway community for
+helping publish the release.
+
+| [Release Notes][] | [Docs][docs] | [Compatibility Matrix][matrix] | [Download][] |
+|-------------------|--------------|--------------------------------|--------------|
+
+## What's New
+
+The release adds a ton of features and functionality. Here are some highlights:
+
+### Kubernetes Support
+
+Run Envoy Gateway in a Kubernetes cluster. Checkout the [quickstart guide][] to get started with Envoy Gateway in a few
+simple steps.
+
+### Gateway API Support
+
+Envoy Gateway supports Gateway API resources for running and configuring a managed fleet of Envoy proxies. Envoy Gateway
+passes Gateway API core [conformance tests][] and supports GatewayClass, Gateway, HTTPRoute, and TLSRoute resources. See
+the [documentation][docs] for additional details on how to use Envoy Gateway for your edge proxy and API gateway needs.
+
+## Envoy Gateway at EnvoyCon NA
+
+Envoy Gateway will be at [EnvoyCon NA][] this October in Detroit. Don't miss [our talk][] to learn more about the
+release and future direction of the project.
+
+[Release Notes]: https://github.com/envoyproxy/gateway/blob/main/release-notes/v0.2.0.yaml
+[matrix]: https://gateway.envoyproxy.io/intro/compatibility.html
+[docs]: https://gateway.envoyproxy.io/index.html
+[Download]: https://github.com/envoyproxy/gateway/releases/tag/v0.2.0
+[conformance tests]: https://gateway-api.sigs.k8s.io/concepts/conformance/?h=conformance
+[quickstart guide]: https://gateway.envoyproxy.io/user/quickstart.html
+[EnvoyCon NA]: https://events.linuxfoundation.org/envoycon-north-america/program/schedule/
+[our talk]: https://sched.co/1AO5S
diff --git a/docs/v0.3.0/releases/v0.3.md b/docs/v0.3.0/releases/v0.3.md
new file mode 100644
index 0000000000..96d6d6d49e
--- /dev/null
+++ b/docs/v0.3.0/releases/v0.3.md
@@ -0,0 +1,50 @@
+---
+title: Announcing Envoy Gateway v0.3
+linktitle: v0.3
+subtitle: Major Update
+description: Envoy Gateway v0.3 release announcement.
+publishdate: 2023-02-09
+release: v0.3.0
+skip_list: true
+aliases:
+- /releases/v0.3
+- /releases/v0.3.0
+---
+# Envoy Gateway Release v0.3
+
+We are pleased to announce the release of Envoy Gateway v0.3!
+
+This is the second functional release of Envoy Gateway. We would like to thank the entire Envoy Gateway community for
+helping publish the release.
+
+| [Release Notes][] | [Docs][docs] | [Compatibility Matrix][matrix] | [Download][] |
+|-------------------|--------------|--------------------------------|--------------|
+
+## What's New
+
+The release adds a ton of features and functionality. Here are some highlights:
+
+### Add Support for extended Gateway API fields
+
++ Added Support for HTTPRoute URLRewrite Filter
++ Added Support for HTTPRoute RequestMirror Filter
++ Added Support for HTTPRoute ResponseHeaderModifier Filter
+
+### Add Support for experimental Gateway APIs
+
++ Added Support for the TCPRoute API
++ Added Support for the UDPRoute API
++ Added Support for the GRPCRoute API
+
+### Add Support for Rate Limiting
+
++ Added Support for Global Rate Limiting
+
+### Add Support for Authentication
+
++ Added Support for Request Authentication
+
+[Release Notes]: https://github.com/envoyproxy/gateway/blob/main/release-notes/v0.3.0.yaml
+[matrix]: https://gateway.envoyproxy.io/v0.3.0/intro/compatibility.html
+[docs]: https://gateway.envoyproxy.io/v0.3.0/index.html
+[Download]: https://github.com/envoyproxy/gateway/releases/tag/v0.3.0
diff --git a/docs/v0.3.0/roadmap.rst b/docs/v0.3.0/roadmap.rst
new file mode 100644
index 0000000000..711b624550
--- /dev/null
+++ b/docs/v0.3.0/roadmap.rst
@@ -0,0 +1,9 @@
+Roadmap
+=======
+
+Learn about the future direction of Envoy Gateway.
+
+.. toctree::
+ :maxdepth: 2
+
+ design/roadmap
diff --git a/docs/v0.3.0/user/authn.md b/docs/v0.3.0/user/authn.md
new file mode 100644
index 0000000000..40ffe731a3
--- /dev/null
+++ b/docs/v0.3.0/user/authn.md
@@ -0,0 +1,94 @@ +# Request Authentication + +This guide provides instructions for configuring [JSON Web Token (JWT)][jwt] authentication. JWT authentication checks +if an incoming request has a valid JWT before routing the request to a backend service. Currently, Envoy Gateway only +supports validating a JWT from an HTTP header, e.g. `Authorization: Bearer `. + +## Installation + +Follow the steps from the [Quickstart](quickstart.md) guide to install Envoy Gateway and the example manifest. +Before proceeding, you should be able to query the example backend using HTTP. + +## Configuration + +Allow requests with a valid JWT by creating an [AuthenticationFilter][] and referencing it from the example HTTPRoute. + +```shell +kubectl apply -f https://raw.githubusercontent.com/envoyproxy/gateway/v0.3.0/examples/kubernetes/authn/jwt.yaml +``` + +The HTTPRoute is now updated to authenticate requests for `/foo` and allow unauthenticated requests to `/bar`. The +`/foo` route rule references an AuthenticationFilter that provides the JWT authentication configuration. + +Verify the HTTPRoute configuration and status: + +```shell +kubectl get httproute/backend -o yaml +``` + +The AuthenticationFilter is configured for JWT authentication and uses a single [JSON Web Key Set (JWKS)][jwks] +provider for authenticating the JWT. + +Verify the AuthenticationFilter configuration: + +```shell +kubectl get authenticationfilter/jwt-example -o yaml +``` + +## Testing + +Ensure the `GATEWAY_HOST` environment variable from the [Quickstart](quickstart.md) guide is set. If not, follow the +Quickstart instructions to set the variable. + +```shell +echo $GATEWAY_HOST +``` + +Verify that requests to `/foo` are denied without a JWT: + +```shell +curl -sS -o /dev/null -H "Host: www.example.com" -w "%{http_code}\n" http://$GATEWAY_HOST/foo +``` + +A `401` HTTP response code should be returned. 
+ +Get the JWT used for testing request authentication: + +```shell +TOKEN=$(curl https://raw.githubusercontent.com/envoyproxy/gateway/main/examples/kubernetes/authn/test.jwt -s) && echo "$TOKEN" | cut -d '.' -f2 - | base64 --decode - +``` + +__Note:__ The above command decodes and returns the token's payload. You can replace `f2` with `f1` to view the token's +header. + +Verify that a request to `/foo` with a valid JWT is allowed: + +```shell +curl -sS -o /dev/null -H "Host: www.example.com" -H "Authorization: Bearer $TOKEN" -w "%{http_code}\n" http://$GATEWAY_HOST/foo +``` + +A `200` HTTP response code should be returned. + +Verify that requests to `/bar` are allowed __without__ a JWT: + +```shell +curl -sS -o /dev/null -H "Host: www.example.com" -w "%{http_code}\n" http://$GATEWAY_HOST/bar +``` + +## Clean-Up + +Follow the steps from the [Quickstart](quickstart.md) guide to uninstall Envoy Gateway and the example manifest. + +Delete the AuthenticationFilter: + +```shell +kubectl delete authenticationfilter/jwt-example +``` + +## Next Steps + +Checkout the [Developer Guide](../dev/README.md) to get involved in the project. + +[jwt]: https://tools.ietf.org/html/rfc7519 +[AuthenticationFilter]: https://github.com/envoyproxy/gateway/blob/main/api/v1alpha1/authenticationfilter_types.go +[jwks]: https://tools.ietf.org/html/rfc7517 diff --git a/docs/v0.3.0/user/grpc-routing.md b/docs/v0.3.0/user/grpc-routing.md new file mode 100644 index 0000000000..31a25c4426 --- /dev/null +++ b/docs/v0.3.0/user/grpc-routing.md 
@@ -0,0 +1,100 @@ +# GRPC Routing + +The [GRPCRoute][] resource allows users to configure gRPC routing by matching HTTP/2 traffic and forwarding it to backend gRPC servers. +To learn more about gRPC routing, refer to the [Gateway API documentation][]. + +## Prerequisites + +Install Envoy Gateway: + +```shell +kubectl apply -f https://github.com/envoyproxy/gateway/releases/download/v0.3.0/install.yaml +``` + +Wait for Envoy Gateway to become available: + +```shell +kubectl wait --timeout=5m -n envoy-gateway-system deployment/envoy-gateway --for=condition=Available +``` + +## Installation + +Install the gRPC routing example resources: + +```shell +kubectl apply -f https://raw.githubusercontent.com/envoyproxy/gateway/v0.3.0/examples/kubernetes/grpc-routing.yaml +``` + +The manifest installs a [GatewayClass][], [Gateway][], a Deployment, a Service, and a GRPCRoute resource. +The GatewayClass is a cluster-scoped resource that represents a class of Gateways that can be instantiated. + +__Note:__ Envoy Gateway is configured by default to manage a GatewayClass with +`controllerName: gateway.envoyproxy.io/gatewayclass-controller`. + +## Verification + +Check the status of the GatewayClass: + +```shell +kubectl get gc --selector=example=grpc-routing +``` + +The status should reflect "Accepted=True", indicating Envoy Gateway is managing the GatewayClass. + +A Gateway represents configuration of infrastructure. When a Gateway is created, [Envoy proxy][] infrastructure is +provisioned or configured by Envoy Gateway. The `gatewayClassName` defines the name of a GatewayClass used by this +Gateway. Check the status of the Gateway: + +```shell +kubectl get gateways --selector=example=grpc-routing +``` + +The status should reflect "Ready=True", indicating the Envoy proxy infrastructure has been provisioned. The status also +provides the address of the Gateway. This address is used later in the guide to test connectivity to proxied backend +services. 
+ +Check the status of the GRPCRoute: + +```shell +kubectl get grpcroutes --selector=example=grpc-routing -o yaml +``` + +The status for the GRPCRoute should surface "Accepted=True" and a `parentRef` that references the example Gateway. +The `example-route` matches any traffic for "grpc-example.com" and forwards it to the "yages" Service. + +## Testing the Configuration + +Before testing GRPC routing to the `yages` backend, get the Gateway's address. + +```shell +export GATEWAY_HOST=$(kubectl get gateway/example-gateway -o jsonpath='{.status.addresses[0].value}') +``` + +Test GRPC routing to the `yages` backend using the [grpcurl][] command. + +```shell +grpcurl -plaintext -authority=grpc-example.com ${GATEWAY_HOST}:80 yages.Echo/Ping +``` + +You should see the below response + +```shell +{ + "text": "pong" +} +``` + +Envoy Gateway also supports [gRPC-Web][] requests for this configuration. The below `curl` command can be used to send a grpc-Web request with over HTTP/2. You should receive the same response seen in the previous command. + +```shell +curl --http2-prior-knowledge -s ${GATEWAY_HOST}:80/yages.Echo/Ping -H 'Host: grpc-example.com' -H 'Content-Type: application/grpc-web-text' -H 'Accept: application/grpc-web-text' -XPOST -d'AAAAAAA=' | base64 -d +``` + + +[GRPCRoute]: https://gateway-api.sigs.k8s.io/api-types/grpcroute/ +[Gateway API documentation]: https://gateway-api.sigs.k8s.io/ +[GatewayClass]: https://gateway-api.sigs.k8s.io/api-types/gatewayclass/ +[Gateway]: https://gateway-api.sigs.k8s.io/api-types/gateway/ +[Envoy proxy]: https://www.envoyproxy.io/ +[grpcurl]: https://github.com/fullstorydev/grpcurl +[gRPC-Web]: https://github.com/grpc/grpc/blob/master/doc/PROTOCOL-WEB.md#protocol-differences-vs-grpc-over-http2 diff --git a/docs/v0.3.0/user/http-redirect.md b/docs/v0.3.0/user/http-redirect.md new file mode 100644 index 0000000000..dcd72749f3 --- /dev/null +++ b/docs/v0.3.0/user/http-redirect.md 
@@ -0,0 +1,127 @@ +# HTTP Redirects + +The [HTTPRoute][] resource can issue redirects to clients or rewrite paths sent upstream using filters. Note that +HTTPRoute rules cannot use both filter types at once. Currently, Envoy Gateway only supports __core__ +[HTTPRoute filters][] which consist of `RequestRedirect` and `RequestHeaderModifier` at the time of this writing. To +learn more about HTTP routing, refer to the [Gateway API documentation][]. + +## Prerequisites + +Follow the steps from the [Secure Gateways](secure-gateways.md) to install Envoy Gateway and the example manifest. +Before proceeding, you should be able to query the example backend using HTTPS. + +## Redirects + +Redirects return HTTP 3XX responses to a client, instructing it to retrieve a different resource. A +[`RequestRedirect` filter][req_filter] instructs Gateways to emit a redirect response to requests that match the rule. +For example, to issue a permanent redirect (301) from HTTP to HTTPS, configure `requestRedirect.statusCode=301` and +`requestRedirect.scheme="https"`: + +```shell +cat < GET /get HTTP/1.1 +> Host: headers.example +> User-Agent: curl/7.81.0 +> Accept: */* +> add-header: something +> +* Mark bundle as not supporting multiuse +< HTTP/1.1 200 OK +< content-type: application/json +< x-content-type-options: nosniff +< content-length: 474 +< x-envoy-upstream-service-time: 0 +< server: envoy +< +... + "headers": { + "Accept": [ + "*/*" + ], + "Add-Header": [ + "something", + "foo" + ], +... +``` + +## Setting Request Headers + +Setting headers is similar to adding headers. If the request does not have the header configured by the filter, then it +will be added, but unlike [adding request headers](#adding-request-headers) which will append the value of the header if +the request already contains it, setting a header will cause the value to be replaced by the value configured in the +filter. 
+ +```shell +cat < GET /get HTTP/1.1 +> Host: headers.example +> User-Agent: curl/7.81.0 +> Accept: */* +> add-header: something +> +* Mark bundle as not supporting multiuse +< HTTP/1.1 200 OK +< content-type: application/json +< x-content-type-options: nosniff +< content-length: 474 +< x-envoy-upstream-service-time: 0 +< server: envoy +< + "headers": { + "Accept": [ + "*/*" + ], + "Set-Header": [ + "foo" + ], +... +``` + +## Removing Request Headers + +Headers can be removed from a request by simply supplying a list of header names. + +Setting headers is similar to adding headers. If the request does not have the header configured by the filter, then it +will be added, but unlike [adding request headers](#adding-request-headers) which will append the value of the header if +the request already contains it, setting a header will cause the value to be replaced by the value configured in the +filter. + +```shell +cat < GET /get HTTP/1.1 +> Host: headers.example +> User-Agent: curl/7.81.0 +> Accept: */* +> add-header: something +> +* Mark bundle as not supporting multiuse +< HTTP/1.1 200 OK +< content-type: application/json +< x-content-type-options: nosniff +< content-length: 474 +< x-envoy-upstream-service-time: 0 +< server: envoy +< + + "headers": { + "Accept": [ + "*/*" + ], + "Add-Header": [ + "something" + ], +... +``` + +## Combining Filters + +Headers can be added/set/removed in a single filter on the same HTTPRoute and they will all perform as expected + +```shell +cat < GET /get HTTP/1.1 +> Host: headers.example +> User-Agent: curl/7.81.0 +> Accept: */* +> X-Echo-Set-Header: X-Foo: value1 +> +* Mark bundle as not supporting multiuse +< HTTP/1.1 200 OK +< content-type: application/json +< x-content-type-options: nosniff +< content-length: 474 +< x-envoy-upstream-service-time: 0 +< server: envoy +< x-foo: value1 +< add-header: foo +< +... + "headers": { + "Accept": [ + "*/*" + ], + "X-Echo-Set-Header": [ + "X-Foo: value1" + ] +... 
+``` + +## Setting Response Headers + +Setting headers is similar to adding headers. If the response does not have the header configured by the filter, then it +will be added, but unlike [adding response headers](#adding-response-headers) which will append the value of the header +if the response already contains it, setting a header will cause the value to be replaced by the value configured in the +filter. + +```shell +cat < GET /get HTTP/1.1 +> Host: headers.example +> User-Agent: curl/7.81.0 +> Accept: */* +> X-Echo-Set-Header: set-header: value1 +> +* Mark bundle as not supporting multiuse +< HTTP/1.1 200 OK +< content-type: application/json +< x-content-type-options: nosniff +< content-length: 474 +< x-envoy-upstream-service-time: 0 +< server: envoy +< set-header: foo +< + "headers": { + "Accept": [ + "*/*" + ], + "X-Echo-Set-Header": [ + "set-header": value1" + ] +... +``` + +## Removing Response Headers + +Headers can be removed from a response by simply supplying a list of header names. + +Setting headers is similar to adding headers. If the response does not have the header configured by the filter, then it +will be added, but unlike [adding response headers](#adding-response-headers) which will append the value of the header +if the response already contains it, setting a header will cause the value to be replaced by the value configured in the +filter. + +```shell +cat < GET /get HTTP/1.1 +> Host: headers.example +> User-Agent: curl/7.81.0 +> Accept: */* +> X-Echo-Set-Header: remove-header: value1 +> +* Mark bundle as not supporting multiuse +< HTTP/1.1 200 OK +< content-type: application/json +< x-content-type-options: nosniff +< content-length: 474 +< x-envoy-upstream-service-time: 0 +< server: envoy +< + + "headers": { + "Accept": [ + "*/*" + ], + "X-Echo-Set-Header": [ + "remove-header": value1" + ] +... 
+``` + +## Combining Filters + +Headers can be added/set/removed in a single filter on the same HTTPRoute and they will all perform as expected + +```shell +cat < GET /get HTTP/1.1 +> Host: backends.example +> User-Agent: curl/7.81.0 +> Accept: */* +> add-header: something +> +* Mark bundle as not supporting multiuse +< HTTP/1.1 200 OK +< content-type: application/json +< x-content-type-options: nosniff +< content-length: 474 +< x-envoy-upstream-service-time: 0 +< server: envoy +< +... + "namespace": "default", + "ingress": "", + "service": "", + "pod": "backend-79665566f5-s589f" +... +``` + +## Multiple backendRefs + +If multiple backendRefs are configured, then traffic will be split between the backendRefs equally unless a weight is +configured. + +First, create a second instance of the example app from the quickstart: + +```shell +cat < GET /get HTTP/1.1 +> Host: backends.example +> User-Agent: curl/7.81.0 +> Accept: */* +> add-header: something +> +* Mark bundle as not supporting multiuse +< HTTP/1.1 200 OK +< content-type: application/json +< x-content-type-options: nosniff +< content-length: 474 +< x-envoy-upstream-service-time: 0 +< server: envoy +< +... + "namespace": "default", + "ingress": "", + "service": "", + "pod": "backend-75bcd4c969-lsxpz" +... +``` + +## Weighted backendRefs + +If multiple backendRefs are configured and an un-even traffic split between the backends is desired, then the `weight` +field can be used to control the weight of requests to each backend. If weight is not configured for a backendRef it is +assumed to be `1`. + +The [weight field in a backendRef][backendRefs] controls the distribution of the traffic split. The proportion of +requests to a single backendRef is calculated by dividing its `weight` by the sum of all backendRef weights in the +HTTPRoute. The weight is not a percentage and the sum of all weights does not need to add up to 100. 
+ +The HTTPRoute below will configure the gateway to send 80% of the traffic to the backend service, and 20% to the +backend-2 service. + +```shell +cat < GET /get HTTP/1.1 +> Host: backends.example +> User-Agent: curl/7.81.0 +> Accept: */* +> +* Mark bundle as not supporting multiuse +< HTTP/1.1 500 Internal Server Error +< server: envoy +< content-length: 0 +< +``` + +[HTTPRoute]: https://gateway-api.sigs.k8s.io/api-types/httproute/ +[backendRefs]: https://gateway-api.sigs.k8s.io/references/spec/#gateway.networking.k8s.io/v1beta1.BackendRef diff --git a/docs/v0.3.0/user/http-urlrewrite.md b/docs/v0.3.0/user/http-urlrewrite.md new file mode 100644 index 0000000000..88e29c3269 --- /dev/null +++ b/docs/v0.3.0/user/http-urlrewrite.md 
@@ -0,0 +1,295 @@ +# HTTP URL Rewrite + +[HTTPURLRewriteFilter][] defines a filter that modifies a request during forwarding. At most one of these filters may be +used on a Route rule. This MUST NOT be used on the same Route rule as a HTTPRequestRedirect filter. + +## Prerequisites + +Follow the steps from the [Quickstart Guide](quickstart.md) to install Envoy Gateway and the example manifest. +Before proceeding, you should be able to query the example backend using HTTP. + +## Rewrite URL Prefix Path + +You can configure to rewrite the prefix in the url like below. In this example, any curls to +`http://${GATEWAY_HOST}/get/xxx` will be rewritten to `http://${GATEWAY_HOST}/replace/xxx`. + +```shell +cat < GET /get/origin/path HTTP/1.1 +> Host: path.rewrite.example +> User-Agent: curl/7.85.0 +> Accept: */* +> + +< HTTP/1.1 200 OK +< content-type: application/json +< x-content-type-options: nosniff +< date: Wed, 21 Dec 2022 11:03:28 GMT +< content-length: 503 +< x-envoy-upstream-service-time: 0 +< server: envoy +< +{ + "path": "/replace/origin/path", + "host": "path.rewrite.example", + "method": "GET", + "proto": "HTTP/1.1", + "headers": { + "Accept": [ + "*/*" + ], + "User-Agent": [ + "curl/7.85.0" + ], + "X-Envoy-Expected-Rq-Timeout-Ms": [ + "15000" + ], + "X-Envoy-Original-Path": [ + "/get/origin/path" + ], + "X-Forwarded-Proto": [ + "http" + ], + "X-Request-Id": [ + "fd84b842-9937-4fb5-83c7-61470d854b90" + ] + }, + "namespace": "default", + "ingress": "", + "service": "", + "pod": "backend-6fdd4b9bd8-8vlc5" +... +``` + +You can see that the `X-Envoy-Original-Path` is `/get/origin/path`, but the actual path is `/replace/origin/path`. + +## Rewrite URL Full Path + +You can configure to rewrite the fullpath in the url like below. In this example, any request sent to +`http://${GATEWAY_HOST}/get/origin/path/xxxx` will be rewritten to +`http://${GATEWAY_HOST}/force/replace/fullpath`. 
+ +```shell +cat < GET /get/origin/path/extra HTTP/1.1 +> Host: path.rewrite.example +> User-Agent: curl/7.85.0 +> Accept: */* +> +* Mark bundle as not supporting multiuse +< HTTP/1.1 200 OK +< content-type: application/json +< x-content-type-options: nosniff +< date: Wed, 21 Dec 2022 11:09:31 GMT +< content-length: 512 +< x-envoy-upstream-service-time: 0 +< server: envoy +< +{ + "path": "/force/replace/fullpath", + "host": "path.rewrite.example", + "method": "GET", + "proto": "HTTP/1.1", + "headers": { + "Accept": [ + "*/*" + ], + "User-Agent": [ + "curl/7.85.0" + ], + "X-Envoy-Expected-Rq-Timeout-Ms": [ + "15000" + ], + "X-Envoy-Original-Path": [ + "/get/origin/path/extra" + ], + "X-Forwarded-Proto": [ + "http" + ], + "X-Request-Id": [ + "8ab774d6-9ffa-4faa-abbb-f45b0db00895" + ] + }, + "namespace": "default", + "ingress": "", + "service": "", + "pod": "backend-6fdd4b9bd8-8vlc5" +... +``` + +You can see that the `X-Envoy-Original-Path` is `/get/origin/path/extra`, but the actual path is +`/force/replace/fullpath`. + +## Rewrite Host Name + +You can configure to rewrite the hostname like below. In this example, any requests sent to +`http://${GATEWAY_HOST}/get` with `--header "Host: path.rewrite.example"` will rewrite host into `envoygateway.io`. 
+ +```shell +cat < GET /get HTTP/1.1 +> Host: path.rewrite.example +> User-Agent: curl/7.85.0 +> Accept: */* +> +* Mark bundle as not supporting multiuse +< HTTP/1.1 200 OK +< content-type: application/json +< x-content-type-options: nosniff +< date: Wed, 21 Dec 2022 11:15:15 GMT +< content-length: 481 +< x-envoy-upstream-service-time: 0 +< server: envoy +< +{ + "path": "/get", + "host": "envoygateway.io", + "method": "GET", + "proto": "HTTP/1.1", + "headers": { + "Accept": [ + "*/*" + ], + "User-Agent": [ + "curl/7.85.0" + ], + "X-Envoy-Expected-Rq-Timeout-Ms": [ + "15000" + ], + "X-Forwarded-Host": [ + "path.rewrite.example" + ], + "X-Forwarded-Proto": [ + "http" + ], + "X-Request-Id": [ + "39aa447c-97b9-45a3-a675-9fb266ab1af0" + ] + }, + "namespace": "default", + "ingress": "", + "service": "", + "pod": "backend-6fdd4b9bd8-8vlc5" +... +``` + +You can see that the `X-Forwarded-Host` is `path.rewrite.example`, but the actual host is `envoygateway.io`. + +[HTTPURLRewriteFilter]: https://gateway-api.sigs.k8s.io/references/spec/#gateway.networking.k8s.io/v1beta1.HTTPURLRewriteFilter diff --git a/docs/v0.3.0/user/quickstart.md b/docs/v0.3.0/user/quickstart.md new file mode 100644 index 0000000000..a11d3cbe7b --- /dev/null +++ b/docs/v0.3.0/user/quickstart.md 
@@ -0,0 +1,97 @@ +# Quickstart + +This guide will help you get started with Envoy Gateway in a few simple steps. + +## Prerequisites + +A Kubernetes cluster. + +__Note:__ Refer to the [Compatibility Matrix](../intro/compatibility.rst) for supported Kubernetes versions. + +## Installation + +Install the Gateway API CRDs and Envoy Gateway: + +```shell +kubectl apply -f https://github.com/envoyproxy/gateway/releases/download/v0.3.0/install.yaml +``` + +Wait for Envoy Gateway to become available: + +```shell +kubectl wait --timeout=5m -n envoy-gateway-system deployment/envoy-gateway --for=condition=Available +``` + +Install the GatewayClass, Gateway, HTTPRoute and example app: + +```shell +kubectl apply -f https://github.com/envoyproxy/gateway/releases/download/v0.3.0/quickstart.yaml +``` + +**Note**: [`quickstart.yaml`] defines that Envoy Gateway will listen for +traffic on port 80 on its globally-routable IP address, to make it easy to use +browsers to test Envoy Gateway. When Envoy Gateway sees that its Listener is +using a privileged port (<1024), it will map this internally to an +unprivileged port, so that Envoy Gateway doesn't need additional privileges. +It's important to be aware of this mapping, since you may need to take it into +consideration when debugging. 
+ +[`quickstart.yaml`]: https://github.com/envoyproxy/gateway/releases/download/v0.3.0/quickstart.yaml + +## Testing the Configuration + +Get the name of the Envoy service created the by the example Gateway: + +```shell +export ENVOY_SERVICE=$(kubectl get svc -n envoy-gateway-system --selector=gateway.envoyproxy.io/owning-gateway-namespace=default,gateway.envoyproxy.io/owning-gateway-name=eg -o jsonpath='{.items[0].metadata.name}') +``` + +Port forward to the Envoy service: + +```shell +kubectl -n envoy-gateway-system port-forward service/${ENVOY_SERVICE} 8888:80 & +``` + +Curl the example app through Envoy proxy: + +```shell +curl --verbose --header "Host: www.example.com" http://localhost:8888/get +``` + +### External LoadBalancer Support + +You can also test the same functionality by sending traffic to the External IP. To get the external IP of the +Envoy service, run: + +```shell +export GATEWAY_HOST=$(kubectl get svc/${ENVOY_SERVICE} -n envoy-gateway-system -o jsonpath='{.status.loadBalancer.ingress[0].ip}') +``` + +In certain environments, the load balancer may be exposed using a hostname, instead of an IP address. If so, replace +`ip` in the above command with `hostname`. + +Curl the example app through Envoy proxy: + +```shell +curl --verbose --header "Host: www.example.com" http://$GATEWAY_HOST/get +``` + +## Clean-Up + +Use the steps in this section to uninstall everything from the quickstart guide. + +Delete the GatewayClass, Gateway, HTTPRoute and Example App: + +```shell +kubectl delete -f https://github.com/envoyproxy/gateway/releases/download/v0.3.0/quickstart.yaml --ignore-not-found=true +``` + +Delete the Gateway API CRDs and Envoy Gateway: + +```shell +kubectl delete -f https://github.com/envoyproxy/gateway/releases/download/v0.3.0/install.yaml --ignore-not-found=true +``` + +## Next Steps + +Checkout the [Developer Guide](../dev/README.md) to get involved in the project. 
diff --git a/docs/v0.3.0/user/rate-limit.md b/docs/v0.3.0/user/rate-limit.md new file mode 100644 index 0000000000..0f6cdf65ac --- /dev/null +++ b/docs/v0.3.0/user/rate-limit.md 
@@ -0,0 +1,489 @@ +# Rate limit + +Rate limit is a feature that allows the user to limit the number of incoming requests to a predefined value based on attributes within the traffic flow. + +Here are some reasons why you may want to implements Rate limits + +* To prevent malicious activity such as DDoS attacks. +* To prevent applications and its resources (such as a database) from getting overloaded. +* To create API limits based on user entitlements. + +Envoy Gateway supports [Global rate limiting][], where the rate limit is common across all the instances of Envoy proxies where its applied +i.e. if the data plane has 2 replicas of Envoy running, and the rate limit is 10 requests/second, this limit is common and will be hit +if 5 requests pass through the first replica and 5 requests pass through the second replica within the same second. + +Envoy Gateway introduces a new CRD called [RateLimitFilter][] that allows the user to describe their rate limit intent. This instantiated resource +can be linked to a [HTTPRoute][] resource using an [ExtensionRef][] filter. + +## Prerequisites + +### Install Envoy Gateway + +* Follow the steps from the [Quickstart Guide](quickstart.md) to install Envoy Gateway and the example manifest. +Before proceeding, you should be able to query the example backend using HTTP. + +### Install Redis + +* The global rate limit feature is based on [Envoy Ratelimit][] which requires a Redis instance as its caching layer. +Lets install a Redis deployment in the `redis-system` namespce. + +```shell +cat <> DiG 9.18.1-1ubuntu1.1-Ubuntu <<>> @49.51.177.138 -p 5300 foo.bar.com +; (1 server found) +;; global options: +cmd +;; Got answer: +;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 58125 +;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 3 +;; WARNING: recursion requested but not available + +;; OPT PSEUDOSECTION: +; EDNS: version: 0, flags:; udp: 1232 +; COOKIE: 24fb86eba96ebf62 (echoed) +;; QUESTION SECTION: +;foo.bar.com. 
IN A + +;; ADDITIONAL SECTION: +foo.bar.com. 0 IN A 10.244.0.19 +_udp.foo.bar.com. 0 IN SRV 0 0 42376 . + +;; Query time: 1 msec +;; SERVER: 49.51.177.138#5300(49.51.177.138) (UDP) +;; WHEN: Fri Jan 13 10:20:34 UTC 2023 +;; MSG SIZE rcvd: 114 +``` + +## Clean-Up + +Follow the steps from the [Quickstart Guide](quickstart.md) to uninstall Envoy Gateway. + +Delete the CoreDNS example manifest and the UDPRoute: + +```shell +kubectl delete deploy/coredns +kubectl delete service/coredns +kubectl delete cm/coredns +kubectl delete udproute/coredns +``` + +## Next Steps + +Checkout the [Developer Guide](../dev/README.md) to get involved in the project. + +[UDPRoute]: https://gateway-api.sigs.k8s.io/references/spec/#gateway.networking.k8s.io/v1alpha2.UDPRoute +[UDP proxy documentation]: https://www.envoyproxy.io/docs/envoy/v0.3.0/configuration/listeners/udp_filters/udp_proxy diff --git a/docs/v0.3.0/user_docs.rst b/docs/v0.3.0/user_docs.rst new file mode 100644 index 0000000000..3669c0613a --- /dev/null +++ b/docs/v0.3.0/user_docs.rst @@ -0,0 +1,22 @@ +User Guides +=========== + +Learn how to deploy, use, and operate Envoy Gateway. + +.. toctree:: + :maxdepth: 1 + + user/quickstart + user/http-routing + user/http-redirect + user/http-urlrewrite + user/http-traffic-splitting + user/http-request-headers + user/http-response-headers + user/secure-gateways + user/tls-passthrough + user/tcp-routing + user/udp-routing + user/grpc-routing + user/authn + user/rate-limit diff --git a/examples/kubernetes/authn/jwks.json b/examples/kubernetes/authn/jwks.json new file mode 100644 index 0000000000..6cd882726b --- /dev/null +++ b/examples/kubernetes/authn/jwks.json 
@@ -0,0 +1 @@ +{"keys":[{"kty":"RSA","n":"u1SU1LfVLPHCozMxH2Mo4lgOEePzNm0tRgeLezV6ffAt0gunVTLw7onLRnrq0_IzW7yWR7QkrmBL7jTKEn5u-qKhbwKfBstIs-bMY2Zkp18gnTxKLxoS2tFczGkPLPgizskuemMghRniWaoLcyehkd3qqGElvW_VDL5AaWTg0nLVkjRo9z-40RQzuVaE8AkAFmxZzow3x-VJYKdjykkJ0iT9wCS0DRTXu269V264Vf_3jvredZiKRkgwlL9xNAwxXFg0x_XFw005UWVRIkdgcKWTjpBP2dPwVZ4WWC-9aGVd-Gyn1o0CLelf4rEjGoXbAAEgAqeGUxrcIlbjXfbcmw","e":"AQAB","alg":"RS256","use":"sig"}]} diff --git a/examples/kubernetes/authn/jwt.yaml b/examples/kubernetes/authn/jwt.yaml new file mode 100644 index 0000000000..db113716a9 --- /dev/null +++ b/examples/kubernetes/authn/jwt.yaml @@ -0,0 +1,47 @@ +apiVersion: gateway.envoyproxy.io/v1alpha1 +kind: AuthenticationFilter +metadata: + name: jwt-example +spec: + type: JWT + jwtProviders: + - name: example + remoteJWKS: + uri: https://raw.githubusercontent.com/envoyproxy/gateway/main/examples/kubernetes/authn/jwks.json +--- +apiVersion: gateway.networking.k8s.io/v1beta1 +kind: HTTPRoute +metadata: + name: backend +spec: + parentRefs: + - name: eg + hostnames: + - "www.example.com" + rules: + - backendRefs: + - group: "" + kind: Service + name: backend + port: 3000 + weight: 1 + filters: + - extensionRef: + group: gateway.envoyproxy.io + kind: AuthenticationFilter + name: jwt-example + type: ExtensionRef + matches: + - path: + type: PathPrefix + value: /foo + - backendRefs: + - group: "" + kind: Service + name: backend + port: 3000 + weight: 1 + matches: + - path: + type: PathPrefix + value: /bar diff --git a/examples/kubernetes/authn/test.jwt b/examples/kubernetes/authn/test.jwt new file mode 100644 index 0000000000..1c9d949adf --- /dev/null +++ b/examples/kubernetes/authn/test.jwt 
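Review bot: The `remoteJWKS.uri` of the jwt-example AuthenticationFilter points at the `main` branch on raw.githubusercontent.com, so the key set the gateway trusts for `/foo` floats with every later commit, while the rest of this release pins example manifests to `v0.3.0`. The trust anchor should be pinned the same way, `uri: https://raw.githubusercontent.com/envoyproxy/gateway/v0.3.0/examples/kubernetes/authn/jwks.json`, and the guide should state that a remote JWKS is a trust decision and must come from a source the operator controls. The provider also sets no issuer or audience, so any token signed with the published key is accepted regardless of whom it was minted for; if the v0.3.0 provider type exposes `issuer`/`audiences` (not visible from this hunk), the example should set them. The jwks.json key looks like the widely published jwt.io RS256 example key, whose private key is public; if so, a comment in the manifest (`# Example-only JWKS: the private key is public, never deploy this outside the demo`) would stop copy-paste into real clusters.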
@@ -0,0 +1 @@ +eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWUsImlhdCI6MTUxNjIzOTAyMn0.NHVaYe26MbtOYhSKkoKYdFVomg4i8ZJd8_-RU8VNbftc4TSMb4bXP3l3YlNWACwyXPGffz5aXHc6lty1Y2t4SWRqGteragsVdZufDn5BlnJl9pdR_kdVFUsra2rWKEofkZeIC4yWytE58sMIihvo9H1ScmmVwBcQP6XETqYd0aSHp1gOa9RdUPDvoXQ5oqygTqVtxaDr6wUFKrKItgBMzWIdNZ6y7O9E0DhEPTbE9rfBo6KTFsHAZnMg4k68CDp2woYIaXbmYTWcvbzIuHO7_37GT79XdIwkm95QJ7hYC9RiwrV7mesbY4PAahERJawntho0my942XheVLmGwLMBkQ diff --git a/examples/kubernetes/grpc-routing.yaml b/examples/kubernetes/grpc-routing.yaml new file mode 100644 index 0000000000..388dc09aa4 --- /dev/null +++ b/examples/kubernetes/grpc-routing.yaml 
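Review bot: The committed token decodes to the payload `{"sub":"1234567890","name":"John Doe","admin":true,"iat":1516239022}` with no `exp` claim, so it is valid forever, and its header and signature match the jwt.io RS256 example token whose signing key is public. The fixture itself has no comment syntax, so the caveat belongs next to where it is used: authn.md should say that the test token never expires and is signed with a publicly known key, and that production providers must enforce `exp` plus issuer/audience checks. Without that, the "valid JWT" shown in the guide teaches a shape that is indistinguishable from a forged one.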
@@ -0,0 +1,81 @@ +apiVersion: gateway.networking.k8s.io/v1beta1 +kind: GatewayClass +metadata: + name: example-gateway-class + labels: + example: grpc-routing +spec: + controllerName: gateway.envoyproxy.io/gatewayclass-controller +--- +apiVersion: gateway.networking.k8s.io/v1beta1 +kind: Gateway +metadata: + name: example-gateway + labels: + example: grpc-routing +spec: + gatewayClassName: example-gateway-class + listeners: + - name: http + protocol: HTTP + port: 80 +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + app: yages + example: grpc-routing + name: yages +spec: + selector: + matchLabels: + app: yages + replicas: 1 + template: + metadata: + labels: + app: yages + spec: + containers: + - name: grpcsrv + image: quay.io/mhausenblas/yages:0.1.0 + ports: + - containerPort: 9000 + protocol: TCP +--- +apiVersion: v1 +kind: Service +metadata: + labels: + app: yages + example: grpc-routing + name: yages +spec: + type: ClusterIP + ports: + - name: http + port: 9000 + protocol: TCP + targetPort: 9000 + selector: + app: yages +--- +apiVersion: gateway.networking.k8s.io/v1alpha2 +kind: GRPCRoute +metadata: + name: yages + labels: + example: grpc-routing +spec: + parentRefs: + - name: example-gateway + hostnames: + - "grpc-example.com" + rules: + - backendRefs: + - group: "" + kind: Service + name: yages + port: 9000 + weight: 1 diff --git a/go.mod b/go.mod index 945c32eb57..c8f16e2071 100644 --- a/go.mod +++ b/go.mod @@ -23,8 +23,8 @@ require ( k8s.io/apimachinery v0.26.1 k8s.io/client-go v0.26.1 k8s.io/utils v0.0.0-20221128185143-99ec85e7a448 - sigs.k8s.io/controller-runtime v0.14.2 - sigs.k8s.io/gateway-api v0.6.0 + sigs.k8s.io/controller-runtime v0.14.4 + sigs.k8s.io/gateway-api v0.6.1 sigs.k8s.io/yaml v1.3.0 ) diff --git a/go.sum b/go.sum index 341363197c..04b73bff51 100644 --- a/go.sum +++ b/go.sum 
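Review bot: The yages Deployment pulls `quay.io/mhausenblas/yages:0.1.0` from a personal registry namespace by mutable tag, so what `kubectl apply` runs under the published v0.3.0 guide can change underneath it. Pin the image by digest, `image: quay.io/mhausenblas/yages:0.1.0@sha256:<digest of the tested image>`, or at minimum note in grpc-routing.md that the backend is third-party demo software the project does not maintain. The container is also deployed with no `securityContext` and no resource limits, which is acceptable for a demo only if users are told these manifests are not hardened.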
@@ -719,10 +719,10 @@ k8s.io/utils v0.0.0-20221128185143-99ec85e7a448/go.mod h1:OLgZIPagt7ERELqWJFomSt rsc.io/binaryregexp v0.2.0/go.mod h1:qTv7/COck+e2FymRvadv62gMdZztPaShugOCi3I+8D8= rsc.io/quote/v3 v3.1.0/go.mod h1:yEA65RcK8LyAZtP9Kv3t0HmxON59tX3rD+tICJqUlj0= rsc.io/sampler v1.3.0/go.mod h1:T1hPZKmBbMNahiBKFy5HrXp6adAjACjK9JXDnKaTXpA= -sigs.k8s.io/controller-runtime v0.14.2 h1:P6IwDhbsRWsBClt/8/h8Zy36bCuGuW5Op7MHpFrN/60= -sigs.k8s.io/controller-runtime v0.14.2/go.mod h1:WqIdsAY6JBsjfc/CqO0CORmNtoCtE4S6qbPc9s68h+0= -sigs.k8s.io/gateway-api v0.6.0 h1:v2FqrN2ROWZLrSnI2o91taHR8Sj3s+Eh3QU7gLNWIqA= -sigs.k8s.io/gateway-api v0.6.0/go.mod h1:EYJT+jlPWTeNskjV0JTki/03WX1cyAnBhwBJfYHpV/0= +sigs.k8s.io/controller-runtime v0.14.4 h1:Kd/Qgx5pd2XUL08eOV2vwIq3L9GhIbJ5Nxengbd4/0M= +sigs.k8s.io/controller-runtime v0.14.4/go.mod h1:WqIdsAY6JBsjfc/CqO0CORmNtoCtE4S6qbPc9s68h+0= +sigs.k8s.io/gateway-api v0.6.1 h1:d/nIkhtbU0zVoFsriKi8lXwBYKNopz3EGeSwDqxeTRs= +sigs.k8s.io/gateway-api v0.6.1/go.mod h1:EYJT+jlPWTeNskjV0JTki/03WX1cyAnBhwBJfYHpV/0= sigs.k8s.io/json v0.0.0-20220713155537-f223a00ba0e2 h1:iXTIw73aPyC+oRdyqqvVJuloN1p0AC/kzH07hu3NE+k= sigs.k8s.io/json v0.0.0-20220713155537-f223a00ba0e2/go.mod h1:B8JuhiUyNFVKdsE8h686QcCxMaH6HrOAZj4vswFpcB0= sigs.k8s.io/structured-merge-diff/v4 v4.2.3 h1:PRbqxJClWWYMNV1dhaG4NsibJbArud9kFxnAMREiWFE= diff --git a/internal/gatewayapi/filters.go b/internal/gatewayapi/filters.go index 98b8eea816..b48beafc1a 100644 --- a/internal/gatewayapi/filters.go +++ b/internal/gatewayapi/filters.go 
@@ -684,6 +684,12 @@ func (t *Translator) processExtensionRefHTTPFilter(extFilter *v1beta1.LocalObjec
 t.processUnresolvedHTTPFilter(errMsg, filterContext)
 return
 }
+ if !t.GlobalRateLimitEnabled {
+ errMsg := fmt.Sprintf("Enable Ratelimit in the EnvoyGateway config to configure RateLimitFilter: %s/%s",
+ filterNs, extFilter.Name)
+ t.processUnresolvedHTTPFilter(errMsg, filterContext)
+ return
+ }
 rateLimit := &ir.RateLimit{
 Global: &ir.GlobalRateLimit{
 Rules: make([]*ir.RateLimitRule, len(rateLimitFilter.Spec.Global.Rules)),
diff --git a/internal/gatewayapi/listener.go b/internal/gatewayapi/listener.go
index 6a522da29b..7952d6c14c 100644
--- a/internal/gatewayapi/listener.go
+++ b/internal/gatewayapi/listener.go
@@ -56,8 +56,7 @@ func (t *Translator) ProcessListeners(gateways []*GatewayContext, xdsIR XdsIRMap
 case v1beta1.TLSProtocolType:
 t.validateAllowedRoutes(listener, KindTLSRoute)
 case v1beta1.HTTPProtocolType, v1beta1.HTTPSProtocolType:
- // Uncomment when https://github.com/envoyproxy/gateway/issues/950 is fixed
- t.validateAllowedRoutes(listener, KindHTTPRoute) // , KindGRPCRoute)
+ t.validateAllowedRoutes(listener, KindHTTPRoute, KindGRPCRoute)
 case v1beta1.TCPProtocolType:
 t.validateAllowedRoutes(listener, KindTCPRoute)
 case v1beta1.UDPProtocolType:
diff --git a/internal/gatewayapi/route.go b/internal/gatewayapi/route.go
index f919b203a7..6e3e91db75 100644
--- a/internal/gatewayapi/route.go
+++ b/internal/gatewayapi/route.go
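Review bot: The new `!t.GlobalRateLimitEnabled` guard hands the RateLimitFilter reference to `processUnresolvedHTTPFilter`, but what that does with the route is outside this hunk — if the route is still programmed without the filter, traffic the operator expects to be throttled is served unthrottled with only a status condition as the signal, so it is worth confirming this path fails closed (route not programmed) and stating that in a comment. A why-comment above the check would also save the next reader a trip to runner.go, e.g. `// Global rate limiting needs the rate limit service configured via EnvoyGateway.RateLimit; without it the filter cannot be honoured, so reject the reference instead of silently dropping it.` The message text mixes "Ratelimit" and "RateLimitFilter"; `RateLimit` matches the config field name. processExtensionRefHTTPFilter starts before and continues after this hunk.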
@@ -162,15 +162,10 @@ func (t *Translator) processHTTPRouteRules(httpRoute *HTTPRouteContext, parentRe func (t *Translator) processHTTPRouteRule(httpRoute *HTTPRouteContext, ruleIdx int, httpFiltersContext *HTTPFiltersContext, rule v1beta1.HTTPRouteRule) []*ir.HTTPRoute { var ruleRoutes []*ir.HTTPRoute - // If no matches are specified, the default is a prefix - // path match on "/", which has the effect of matching every - // HTTP request. + // If no matches are specified, the implementation MUST match every HTTP request. if len(rule.Matches) == 0 { irRoute := &ir.HTTPRoute{ Name: routeName(httpRoute, ruleIdx, -1), - PathMatch: &ir.StringMatch{ - Prefix: StringPtr("/"), - }, } applyHTTPFiltersContexttoIRRoute(httpFiltersContext, irRoute) ruleRoutes = append(ruleRoutes, irRoute) diff --git a/internal/gatewayapi/runner/runner.go b/internal/gatewayapi/runner/runner.go index 24769c0019..36baacb2d0 100644 --- a/internal/gatewayapi/runner/runner.go +++ b/internal/gatewayapi/runner/runner.go @@ -55,7 +55,8 @@ func (r *Runner) subscribeAndTranslate(ctx context.Context) { // Translate and publish IRs. t := &gatewayapi.Translator{ - GatewayClassName: v1beta1.ObjectName(update.Key), + GatewayClassName: v1beta1.ObjectName(update.Key), + GlobalRateLimitEnabled: r.EnvoyGateway.RateLimit != nil, } // Translate to IR result := t.Translate(val) diff --git a/internal/gatewayapi/testdata/envoyproxy-valid.out.yaml b/internal/gatewayapi/testdata/envoyproxy-valid.out.yaml index 8ab5db16b1..197350495e 100644 --- a/internal/gatewayapi/testdata/envoyproxy-valid.out.yaml +++ b/internal/gatewayapi/testdata/envoyproxy-valid.out.yaml @@ -19,9 +19,8 @@ gateways: supportedKinds: - group: gateway.networking.k8s.io kind: HTTPRoute - # Uncomment when https://github.com/envoyproxy/gateway/issues/950 is fixed - #- group: gateway.networking.k8s.io - #kind: GRPCRoute + - group: gateway.networking.k8s.io + kind: GRPCRoute attachedRoutes: 0 conditions: - type: Programmed 
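Review bot: Removing the `PathMatch` leaves `irRoute.PathMatch` nil for a rule with no matches, and whether the xDS layer turns a nil path match into a catch-all route rather than into no route at all is decided outside this hunk; the replaced comment quotes the spec requirement but not why an explicit `/` prefix, which already matched every request, had to go. A one-line comment tying the two together would help, e.g. `// PathMatch is left nil on purpose: the xDS translation emits a match-all route for it (confirm against the xds translator).` processHTTPRouteRule begins in the hunk and continues past it.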
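Review bot: `GlobalRateLimitEnabled: r.EnvoyGateway.RateLimit != nil` derives the flag from the runner's config on every translation, which is the right place, but if `r.EnvoyGateway` is a pointer that can be unset this line dereferences it unconditionally — the hunk does not show its type, so worth a check or a comment on the invariant. The `Translator.GlobalRateLimitEnabled` field itself is declared outside this diff; its doc comment should say it mirrors whether `EnvoyGateway.RateLimit` is configured, since filters.go now rejects RateLimitFilter references when it is false. subscribeAndTranslate continues outside the hunk.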
diff --git a/internal/gatewayapi/testdata/gateway-allows-same-namespace-with-allowed-httproute.out.yaml b/internal/gatewayapi/testdata/gateway-allows-same-namespace-with-allowed-httproute.out.yaml index ecc24ee38b..cbfabf6c0d 100644 --- a/internal/gatewayapi/testdata/gateway-allows-same-namespace-with-allowed-httproute.out.yaml +++ b/internal/gatewayapi/testdata/gateway-allows-same-namespace-with-allowed-httproute.out.yaml @@ -19,9 +19,8 @@ gateways: supportedKinds: - group: gateway.networking.k8s.io kind: HTTPRoute - # Uncomment when https://github.com/envoyproxy/gateway/issues/950 is fixed - #- group: gateway.networking.k8s.io - #kind: GRPCRoute + - group: gateway.networking.k8s.io + kind: GRPCRoute attachedRoutes: 1 conditions: - type: Programmed diff --git a/internal/gatewayapi/testdata/gateway-allows-same-namespace-with-disallowed-httproute.out.yaml b/internal/gatewayapi/testdata/gateway-allows-same-namespace-with-disallowed-httproute.out.yaml index e0dc7b9912..77a713d820 100644 --- a/internal/gatewayapi/testdata/gateway-allows-same-namespace-with-disallowed-httproute.out.yaml +++ b/internal/gatewayapi/testdata/gateway-allows-same-namespace-with-disallowed-httproute.out.yaml @@ -19,9 +19,8 @@ gateways: supportedKinds: - group: gateway.networking.k8s.io kind: HTTPRoute - # Uncomment when https://github.com/envoyproxy/gateway/issues/950 is fixed - #- group: gateway.networking.k8s.io - #kind: GRPCRoute + - group: gateway.networking.k8s.io + kind: GRPCRoute attachedRoutes: 0 conditions: - type: Programmed diff --git a/internal/gatewayapi/testdata/gateway-with-listener-with-invalid-allowed-namespaces-selector.out.yaml b/internal/gatewayapi/testdata/gateway-with-listener-with-invalid-allowed-namespaces-selector.out.yaml index 6445a1a950..ca29b4a2d0 100644 --- a/internal/gatewayapi/testdata/gateway-with-listener-with-invalid-allowed-namespaces-selector.out.yaml +++ b/internal/gatewayapi/testdata/gateway-with-listener-with-invalid-allowed-namespaces-selector.out.yaml 
@@ -25,9 +25,8 @@ gateways: supportedKinds: - group: gateway.networking.k8s.io kind: HTTPRoute - # Uncomment when https://github.com/envoyproxy/gateway/issues/950 is fixed - #- group: gateway.networking.k8s.io - #kind: GRPCRoute + - group: gateway.networking.k8s.io + kind: GRPCRoute attachedRoutes: 0 conditions: - type: Programmed diff --git a/internal/gatewayapi/testdata/gateway-with-listener-with-invalid-allowed-routes-kind.out.yaml b/internal/gatewayapi/testdata/gateway-with-listener-with-invalid-allowed-routes-kind.out.yaml index b862d1cb2c..56796a08e9 100644 --- a/internal/gatewayapi/testdata/gateway-with-listener-with-invalid-allowed-routes-kind.out.yaml +++ b/internal/gatewayapi/testdata/gateway-with-listener-with-invalid-allowed-routes-kind.out.yaml @@ -25,7 +25,7 @@ gateways: - type: ResolvedRefs status: "False" reason: InvalidRouteKinds - message: "FooRoute is not supported, kind must be one of [HTTPRoute]" + message: "FooRoute is not supported, kind must be one of [HTTPRoute GRPCRoute]" - type: Programmed status: "False" reason: Invalid diff --git a/internal/gatewayapi/testdata/gateway-with-listener-with-invalid-tls-configuration-invalid-mode.out.yaml b/internal/gatewayapi/testdata/gateway-with-listener-with-invalid-tls-configuration-invalid-mode.out.yaml index 2dbaa4fe7f..6a2bc86935 100644 --- a/internal/gatewayapi/testdata/gateway-with-listener-with-invalid-tls-configuration-invalid-mode.out.yaml +++ b/internal/gatewayapi/testdata/gateway-with-listener-with-invalid-tls-configuration-invalid-mode.out.yaml @@ -24,9 +24,8 @@ gateways: supportedKinds: - group: gateway.networking.k8s.io kind: HTTPRoute - # Uncomment when https://github.com/envoyproxy/gateway/issues/950 is fixed - #- group: gateway.networking.k8s.io - #kind: GRPCRoute + - group: gateway.networking.k8s.io + kind: GRPCRoute attachedRoutes: 0 conditions: - type: Programmed 
diff --git a/internal/gatewayapi/testdata/gateway-with-listener-with-invalid-tls-configuration-no-certificate-refs.out.yaml b/internal/gatewayapi/testdata/gateway-with-listener-with-invalid-tls-configuration-no-certificate-refs.out.yaml index 6988251faa..2c833ec64d 100644 --- a/internal/gatewayapi/testdata/gateway-with-listener-with-invalid-tls-configuration-no-certificate-refs.out.yaml +++ b/internal/gatewayapi/testdata/gateway-with-listener-with-invalid-tls-configuration-no-certificate-refs.out.yaml @@ -21,9 +21,8 @@ gateways: supportedKinds: - group: gateway.networking.k8s.io kind: HTTPRoute - # Uncomment when https://github.com/envoyproxy/gateway/issues/950 is fixed - #- group: gateway.networking.k8s.io - #kind: GRPCRoute + - group: gateway.networking.k8s.io + kind: GRPCRoute attachedRoutes: 0 conditions: - type: Programmed diff --git a/internal/gatewayapi/testdata/gateway-with-listener-with-invalid-tls-configuration-secret-does-not-exist.out.yaml b/internal/gatewayapi/testdata/gateway-with-listener-with-invalid-tls-configuration-secret-does-not-exist.out.yaml index ed7772e2d0..b977bc34f8 100644 --- a/internal/gatewayapi/testdata/gateway-with-listener-with-invalid-tls-configuration-secret-does-not-exist.out.yaml +++ b/internal/gatewayapi/testdata/gateway-with-listener-with-invalid-tls-configuration-secret-does-not-exist.out.yaml @@ -23,9 +23,8 @@ gateways: supportedKinds: - group: gateway.networking.k8s.io kind: HTTPRoute - # Uncomment when https://github.com/envoyproxy/gateway/issues/950 is fixed - #- group: gateway.networking.k8s.io - #kind: GRPCRoute + - group: gateway.networking.k8s.io + kind: GRPCRoute attachedRoutes: 0 conditions: - type: ResolvedRefs diff --git a/internal/gatewayapi/testdata/gateway-with-listener-with-invalid-tls-configuration-secret-in-other-namespace.out.yaml b/internal/gatewayapi/testdata/gateway-with-listener-with-invalid-tls-configuration-secret-in-other-namespace.out.yaml index ee637005f0..1b65b61684 100644 
--- a/internal/gatewayapi/testdata/gateway-with-listener-with-invalid-tls-configuration-secret-in-other-namespace.out.yaml +++ b/internal/gatewayapi/testdata/gateway-with-listener-with-invalid-tls-configuration-secret-in-other-namespace.out.yaml @@ -24,9 +24,8 @@ gateways: supportedKinds: - group: gateway.networking.k8s.io kind: HTTPRoute - # Uncomment when https://github.com/envoyproxy/gateway/issues/950 is fixed - #- group: gateway.networking.k8s.io - #kind: GRPCRoute + - group: gateway.networking.k8s.io + kind: GRPCRoute attachedRoutes: 0 conditions: - type: ResolvedRefs diff --git a/internal/gatewayapi/testdata/gateway-with-listener-with-invalid-tls-configuration-secret-is-not-valid.out.yaml b/internal/gatewayapi/testdata/gateway-with-listener-with-invalid-tls-configuration-secret-is-not-valid.out.yaml index cc136316ca..ed528ceea0 100644 --- a/internal/gatewayapi/testdata/gateway-with-listener-with-invalid-tls-configuration-secret-is-not-valid.out.yaml +++ b/internal/gatewayapi/testdata/gateway-with-listener-with-invalid-tls-configuration-secret-is-not-valid.out.yaml @@ -23,9 +23,8 @@ gateways: supportedKinds: - group: gateway.networking.k8s.io kind: HTTPRoute - # Uncomment when https://github.com/envoyproxy/gateway/issues/950 is fixed - #- group: gateway.networking.k8s.io - #kind: GRPCRoute + - group: gateway.networking.k8s.io + kind: GRPCRoute attachedRoutes: 0 conditions: - type: ResolvedRefs diff --git a/internal/gatewayapi/testdata/gateway-with-listener-with-missing-allowed-namespaces-selector.out.yaml b/internal/gatewayapi/testdata/gateway-with-listener-with-missing-allowed-namespaces-selector.out.yaml index fd76907c08..840677528d 100644 --- a/internal/gatewayapi/testdata/gateway-with-listener-with-missing-allowed-namespaces-selector.out.yaml +++ b/internal/gatewayapi/testdata/gateway-with-listener-with-missing-allowed-namespaces-selector.out.yaml 
@@ -19,9 +19,8 @@ gateways: supportedKinds: - group: gateway.networking.k8s.io kind: HTTPRoute - # Uncomment when https://github.com/envoyproxy/gateway/issues/950 is fixed - #- group: gateway.networking.k8s.io - #kind: GRPCRoute + - group: gateway.networking.k8s.io + kind: GRPCRoute attachedRoutes: 0 conditions: - type: Programmed diff --git a/internal/gatewayapi/testdata/gateway-with-listener-with-tls-secret-in-other-namespace-allowed-by-refgrant.out.yaml b/internal/gatewayapi/testdata/gateway-with-listener-with-tls-secret-in-other-namespace-allowed-by-refgrant.out.yaml index 4e12b18782..ada48115a1 100644 --- a/internal/gatewayapi/testdata/gateway-with-listener-with-tls-secret-in-other-namespace-allowed-by-refgrant.out.yaml +++ b/internal/gatewayapi/testdata/gateway-with-listener-with-tls-secret-in-other-namespace-allowed-by-refgrant.out.yaml @@ -24,9 +24,8 @@ gateways: supportedKinds: - group: gateway.networking.k8s.io kind: HTTPRoute - # Uncomment when https://github.com/envoyproxy/gateway/issues/950 is fixed - #- group: gateway.networking.k8s.io - #kind: GRPCRoute + - group: gateway.networking.k8s.io + kind: GRPCRoute attachedRoutes: 1 conditions: - type: Programmed diff --git a/internal/gatewayapi/testdata/gateway-with-listener-with-tls-terminate-and-passthrough.out.yaml b/internal/gatewayapi/testdata/gateway-with-listener-with-tls-terminate-and-passthrough.out.yaml index 717a4acc92..ba567ad9da 100644 --- a/internal/gatewayapi/testdata/gateway-with-listener-with-tls-terminate-and-passthrough.out.yaml +++ b/internal/gatewayapi/testdata/gateway-with-listener-with-tls-terminate-and-passthrough.out.yaml @@ -43,9 +43,8 @@ gateways: supportedKinds: - group: gateway.networking.k8s.io kind: HTTPRoute - # Uncomment when https://github.com/envoyproxy/gateway/issues/950 is fixed - #- group: gateway.networking.k8s.io - #kind: GRPCRoute + - group: gateway.networking.k8s.io + kind: GRPCRoute attachedRoutes: 1 conditions: - type: Programmed 
diff --git a/internal/gatewayapi/testdata/gateway-with-listener-with-valid-tls-configuration.out.yaml b/internal/gatewayapi/testdata/gateway-with-listener-with-valid-tls-configuration.out.yaml index 08ab3cebca..c87265514e 100644 --- a/internal/gatewayapi/testdata/gateway-with-listener-with-valid-tls-configuration.out.yaml +++ b/internal/gatewayapi/testdata/gateway-with-listener-with-valid-tls-configuration.out.yaml @@ -23,9 +23,8 @@ gateways: supportedKinds: - group: gateway.networking.k8s.io kind: HTTPRoute - # Uncomment when https://github.com/envoyproxy/gateway/issues/950 is fixed - #- group: gateway.networking.k8s.io - #kind: GRPCRoute + - group: gateway.networking.k8s.io + kind: GRPCRoute attachedRoutes: 1 conditions: - type: Programmed diff --git a/internal/gatewayapi/testdata/gateway-with-preexisting-status-condition.out.yaml b/internal/gatewayapi/testdata/gateway-with-preexisting-status-condition.out.yaml index d99ff51855..8e44f4517a 100644 --- a/internal/gatewayapi/testdata/gateway-with-preexisting-status-condition.out.yaml +++ b/internal/gatewayapi/testdata/gateway-with-preexisting-status-condition.out.yaml @@ -19,9 +19,8 @@ gateways: supportedKinds: - group: gateway.networking.k8s.io kind: HTTPRoute - # Uncomment when https://github.com/envoyproxy/gateway/issues/950 is fixed - #- group: gateway.networking.k8s.io - #kind: GRPCRoute + - group: gateway.networking.k8s.io + kind: GRPCRoute attachedRoutes: 1 conditions: - type: Programmed diff --git a/internal/gatewayapi/testdata/gateway-with-stale-status-condition.out.yaml b/internal/gatewayapi/testdata/gateway-with-stale-status-condition.out.yaml index 9ac8606715..dfc919e2c0 100644 --- a/internal/gatewayapi/testdata/gateway-with-stale-status-condition.out.yaml +++ b/internal/gatewayapi/testdata/gateway-with-stale-status-condition.out.yaml 
@@ -23,9 +23,8 @@ gateways: supportedKinds: - group: gateway.networking.k8s.io kind: HTTPRoute - # Uncomment when https://github.com/envoyproxy/gateway/issues/950 is fixed - #- group: gateway.networking.k8s.io - #kind: GRPCRoute + - group: gateway.networking.k8s.io + kind: GRPCRoute attachedRoutes: 1 conditions: - type: Programmed diff --git a/internal/gatewayapi/testdata/gateway-with-two-listeners-with-http-and-tlsroute-same-hostname-and-port.out.yaml b/internal/gatewayapi/testdata/gateway-with-two-listeners-with-http-and-tlsroute-same-hostname-and-port.out.yaml index 7cfd2f0be8..6c9d2c52fe 100644 --- a/internal/gatewayapi/testdata/gateway-with-two-listeners-with-http-and-tlsroute-same-hostname-and-port.out.yaml +++ b/internal/gatewayapi/testdata/gateway-with-two-listeners-with-http-and-tlsroute-same-hostname-and-port.out.yaml @@ -29,9 +29,8 @@ gateways: supportedKinds: - group: gateway.networking.k8s.io kind: HTTPRoute - # Uncomment when https://github.com/envoyproxy/gateway/issues/950 is fixed - #- group: gateway.networking.k8s.io - #kind: GRPCRoute + - group: gateway.networking.k8s.io + kind: GRPCRoute conditions: - type: Conflicted status: "True" diff --git a/internal/gatewayapi/testdata/gateway-with-two-listeners-with-multiple-httproutes.out.yaml b/internal/gatewayapi/testdata/gateway-with-two-listeners-with-multiple-httproutes.out.yaml index 0a8dbe49bd..a1adbc2f79 100644 --- a/internal/gatewayapi/testdata/gateway-with-two-listeners-with-multiple-httproutes.out.yaml +++ b/internal/gatewayapi/testdata/gateway-with-two-listeners-with-multiple-httproutes.out.yaml @@ -27,9 +27,8 @@ gateways: supportedKinds: - group: gateway.networking.k8s.io kind: HTTPRoute - # Uncomment when https://github.com/envoyproxy/gateway/issues/950 is fixed - #- group: gateway.networking.k8s.io - #kind: GRPCRoute + - group: gateway.networking.k8s.io + kind: GRPCRoute AttachedRoutes: 2 conditions: - type: Programmed 
@@ -40,9 +39,8 @@ gateways: supportedKinds: - group: gateway.networking.k8s.io kind: HTTPRoute - # Uncomment when https://github.com/envoyproxy/gateway/issues/950 is fixed - #- group: gateway.networking.k8s.io - #kind: GRPCRoute + - group: gateway.networking.k8s.io + kind: GRPCRoute AttachedRoutes: 2 conditions: - type: Programmed diff --git a/internal/gatewayapi/testdata/gateway-with-two-listeners-with-same-port-and-hostname.out.yaml b/internal/gatewayapi/testdata/gateway-with-two-listeners-with-same-port-and-hostname.out.yaml index 750fe1bbfd..a8c0338088 100644 --- a/internal/gatewayapi/testdata/gateway-with-two-listeners-with-same-port-and-hostname.out.yaml +++ b/internal/gatewayapi/testdata/gateway-with-two-listeners-with-same-port-and-hostname.out.yaml @@ -27,9 +27,8 @@ gateways: supportedKinds: - group: gateway.networking.k8s.io kind: HTTPRoute - # Uncomment when https://github.com/envoyproxy/gateway/issues/950 is fixed - #- group: gateway.networking.k8s.io - #kind: GRPCRoute + - group: gateway.networking.k8s.io + kind: GRPCRoute conditions: - type: Conflicted status: "True" @@ -43,9 +42,8 @@ gateways: supportedKinds: - group: gateway.networking.k8s.io kind: HTTPRoute - # Uncomment when https://github.com/envoyproxy/gateway/issues/950 is fixed - #- group: gateway.networking.k8s.io - #kind: GRPCRoute + - group: gateway.networking.k8s.io + kind: GRPCRoute conditions: - type: Conflicted status: "True" diff --git a/internal/gatewayapi/testdata/gateway-with-two-listeners-with-same-port-and-incompatible-protocol.out.yaml b/internal/gatewayapi/testdata/gateway-with-two-listeners-with-same-port-and-incompatible-protocol.out.yaml index ebce62cfa8..2fef42d83c 100644 --- a/internal/gatewayapi/testdata/gateway-with-two-listeners-with-same-port-and-incompatible-protocol.out.yaml +++ b/internal/gatewayapi/testdata/gateway-with-two-listeners-with-same-port-and-incompatible-protocol.out.yaml 
@@ -27,9 +27,8 @@ gateways: supportedKinds: - group: gateway.networking.k8s.io kind: HTTPRoute - # Uncomment when https://github.com/envoyproxy/gateway/issues/950 is fixed - #- group: gateway.networking.k8s.io - #kind: GRPCRoute + - group: gateway.networking.k8s.io + kind: GRPCRoute conditions: - type: Conflicted status: "True" @@ -43,9 +42,8 @@ gateways: supportedKinds: - group: gateway.networking.k8s.io kind: HTTPRoute - # Uncomment when https://github.com/envoyproxy/gateway/issues/950 is fixed - #- group: gateway.networking.k8s.io - #kind: GRPCRoute + - group: gateway.networking.k8s.io + kind: GRPCRoute conditions: - type: Conflicted status: "True" diff --git a/internal/gatewayapi/testdata/gateway-with-two-listeners-with-same-port-http-tcp-protocol.out.yaml b/internal/gatewayapi/testdata/gateway-with-two-listeners-with-same-port-http-tcp-protocol.out.yaml index 4c2a7aedaa..ea329c1c2d 100644 --- a/internal/gatewayapi/testdata/gateway-with-two-listeners-with-same-port-http-tcp-protocol.out.yaml +++ b/internal/gatewayapi/testdata/gateway-with-two-listeners-with-same-port-http-tcp-protocol.out.yaml @@ -26,9 +26,8 @@ gateways: supportedKinds: - group: gateway.networking.k8s.io kind: HTTPRoute - # Uncomment when https://github.com/envoyproxy/gateway/issues/950 is fixed - #- group: gateway.networking.k8s.io - #kind: GRPCRoute + - group: gateway.networking.k8s.io + kind: GRPCRoute AttachedRoutes: 1 conditions: - type: Programmed diff --git a/internal/gatewayapi/testdata/gateway-with-two-listeners-with-same-port-http-udp-protocol.out.yaml b/internal/gatewayapi/testdata/gateway-with-two-listeners-with-same-port-http-udp-protocol.out.yaml index 5d18eb6d13..4dc246cd4a 100644 --- a/internal/gatewayapi/testdata/gateway-with-two-listeners-with-same-port-http-udp-protocol.out.yaml +++ b/internal/gatewayapi/testdata/gateway-with-two-listeners-with-same-port-http-udp-protocol.out.yaml 
@@ -26,9 +26,8 @@ gateways: supportedKinds: - group: gateway.networking.k8s.io kind: HTTPRoute - # Uncomment when https://github.com/envoyproxy/gateway/issues/950 is fixed - #- group: gateway.networking.k8s.io - #kind: GRPCRoute + - group: gateway.networking.k8s.io + kind: GRPCRoute AttachedRoutes: 1 conditions: - type: Programmed diff --git a/internal/gatewayapi/testdata/grpcroute-with-header-match.out.yaml b/internal/gatewayapi/testdata/grpcroute-with-header-match.out.yaml index 1e35904a82..c079abc9d3 100644 --- a/internal/gatewayapi/testdata/grpcroute-with-header-match.out.yaml +++ b/internal/gatewayapi/testdata/grpcroute-with-header-match.out.yaml @@ -19,9 +19,8 @@ gateways: supportedKinds: - group: gateway.networking.k8s.io kind: HTTPRoute - # Uncomment when https://github.com/envoyproxy/gateway/issues/950 is fixed - #- group: gateway.networking.k8s.io - #kind: GRPCRoute + - group: gateway.networking.k8s.io + kind: GRPCRoute attachedRoutes: 1 conditions: - type: Programmed diff --git a/internal/gatewayapi/testdata/grpcroute-with-request-header-modifier.out.yaml b/internal/gatewayapi/testdata/grpcroute-with-request-header-modifier.out.yaml index cb8b2b505a..6317a505ca 100644 --- a/internal/gatewayapi/testdata/grpcroute-with-request-header-modifier.out.yaml +++ b/internal/gatewayapi/testdata/grpcroute-with-request-header-modifier.out.yaml @@ -19,9 +19,8 @@ gateways: supportedKinds: - group: gateway.networking.k8s.io kind: HTTPRoute - # Uncomment when https://github.com/envoyproxy/gateway/issues/950 is fixed - #- group: gateway.networking.k8s.io - #kind: GRPCRoute + - group: gateway.networking.k8s.io + kind: GRPCRoute attachedRoutes: 1 conditions: - type: Programmed diff --git a/internal/gatewayapi/testdata/httproute-attaching-to-gateway-with-more-different-listeners.out.yaml b/internal/gatewayapi/testdata/httproute-attaching-to-gateway-with-more-different-listeners.out.yaml index 17fad6913e..e164bc777e 100644 
--- a/internal/gatewayapi/testdata/httproute-attaching-to-gateway-with-more-different-listeners.out.yaml +++ b/internal/gatewayapi/testdata/httproute-attaching-to-gateway-with-more-different-listeners.out.yaml @@ -69,9 +69,8 @@ gateways: supportedKinds: - group: gateway.networking.k8s.io kind: HTTPRoute - # Uncomment when https://github.com/envoyproxy/gateway/issues/950 is fixed - #- group: gateway.networking.k8s.io - #kind: GRPCRoute + - group: gateway.networking.k8s.io + kind: GRPCRoute attachedRoutes: 1 conditions: - type: Programmed @@ -82,9 +81,8 @@ gateways: supportedKinds: - group: gateway.networking.k8s.io kind: HTTPRoute - # Uncomment when https://github.com/envoyproxy/gateway/issues/950 is fixed - #- group: gateway.networking.k8s.io - #kind: GRPCRoute + - group: gateway.networking.k8s.io + kind: GRPCRoute attachedRoutes: 1 conditions: - type: Programmed @@ -95,9 +93,8 @@ gateways: supportedKinds: - group: gateway.networking.k8s.io kind: HTTPRoute - # Uncomment when https://github.com/envoyproxy/gateway/issues/950 is fixed - #- group: gateway.networking.k8s.io - #kind: GRPCRoute + - group: gateway.networking.k8s.io + kind: GRPCRoute attachedRoutes: 1 conditions: - type: Programmed @@ -108,9 +105,8 @@ gateways: supportedKinds: - group: gateway.networking.k8s.io kind: HTTPRoute - # Uncomment when https://github.com/envoyproxy/gateway/issues/950 is fixed - #- group: gateway.networking.k8s.io - #kind: GRPCRoute + - group: gateway.networking.k8s.io + kind: GRPCRoute attachedRoutes: 1 conditions: - type: Programmed @@ -121,9 +117,8 @@ gateways: supportedKinds: - group: gateway.networking.k8s.io kind: HTTPRoute - # Uncomment when https://github.com/envoyproxy/gateway/issues/950 is fixed - #- group: gateway.networking.k8s.io - #kind: GRPCRoute + - group: gateway.networking.k8s.io + kind: GRPCRoute attachedRoutes: 1 conditions: - type: Programmed 
@@ -134,9 +129,8 @@ gateways: supportedKinds: - group: gateway.networking.k8s.io kind: HTTPRoute - # Uncomment when https://github.com/envoyproxy/gateway/issues/950 is fixed - #- group: gateway.networking.k8s.io - #kind: GRPCRoute + - group: gateway.networking.k8s.io + kind: GRPCRoute attachedRoutes: 1 conditions: - type: Programmed @@ -147,9 +141,8 @@ gateways: supportedKinds: - group: gateway.networking.k8s.io kind: HTTPRoute - # Uncomment when https://github.com/envoyproxy/gateway/issues/950 is fixed - #- group: gateway.networking.k8s.io - #kind: GRPCRoute + - group: gateway.networking.k8s.io + kind: GRPCRoute attachedRoutes: 1 conditions: - type: Programmed @@ -160,9 +153,8 @@ gateways: supportedKinds: - group: gateway.networking.k8s.io kind: HTTPRoute - # Uncomment when https://github.com/envoyproxy/gateway/issues/950 is fixed - #- group: gateway.networking.k8s.io - #kind: GRPCRoute + - group: gateway.networking.k8s.io + kind: GRPCRoute attachedRoutes: 1 conditions: - type: Programmed diff --git a/internal/gatewayapi/testdata/httproute-attaching-to-gateway-with-more-listeners.out.yaml b/internal/gatewayapi/testdata/httproute-attaching-to-gateway-with-more-listeners.out.yaml index 3becf27dcc..888cec7b82 100644 --- a/internal/gatewayapi/testdata/httproute-attaching-to-gateway-with-more-listeners.out.yaml +++ b/internal/gatewayapi/testdata/httproute-attaching-to-gateway-with-more-listeners.out.yaml @@ -69,9 +69,8 @@ gateways: supportedKinds: - group: gateway.networking.k8s.io kind: HTTPRoute - # Uncomment when https://github.com/envoyproxy/gateway/issues/950 is fixed - #- group: gateway.networking.k8s.io - #kind: GRPCRoute + - group: gateway.networking.k8s.io + kind: GRPCRoute attachedRoutes: 1 conditions: - type: Programmed 
@@ -82,9 +81,8 @@ gateways: supportedKinds: - group: gateway.networking.k8s.io kind: HTTPRoute - # Uncomment when https://github.com/envoyproxy/gateway/issues/950 is fixed - #- group: gateway.networking.k8s.io - #kind: GRPCRoute + - group: gateway.networking.k8s.io + kind: GRPCRoute attachedRoutes: 1 conditions: - type: Programmed @@ -95,9 +93,8 @@ gateways: supportedKinds: - group: gateway.networking.k8s.io kind: HTTPRoute - # Uncomment when https://github.com/envoyproxy/gateway/issues/950 is fixed - #- group: gateway.networking.k8s.io - #kind: GRPCRoute + - group: gateway.networking.k8s.io + kind: GRPCRoute attachedRoutes: 1 conditions: - type: Programmed @@ -108,9 +105,8 @@ gateways: supportedKinds: - group: gateway.networking.k8s.io kind: HTTPRoute - # Uncomment when https://github.com/envoyproxy/gateway/issues/950 is fixed - #- group: gateway.networking.k8s.io - #kind: GRPCRoute + - group: gateway.networking.k8s.io + kind: GRPCRoute attachedRoutes: 1 conditions: - type: Programmed @@ -121,9 +117,8 @@ gateways: supportedKinds: - group: gateway.networking.k8s.io kind: HTTPRoute - # Uncomment when https://github.com/envoyproxy/gateway/issues/950 is fixed - #- group: gateway.networking.k8s.io - #kind: GRPCRoute + - group: gateway.networking.k8s.io + kind: GRPCRoute attachedRoutes: 1 conditions: - type: Programmed @@ -134,9 +129,8 @@ gateways: supportedKinds: - group: gateway.networking.k8s.io kind: HTTPRoute - # Uncomment when https://github.com/envoyproxy/gateway/issues/950 is fixed - #- group: gateway.networking.k8s.io - #kind: GRPCRoute + - group: gateway.networking.k8s.io + kind: GRPCRoute attachedRoutes: 1 conditions: - type: Programmed 
@@ -147,9 +141,8 @@ gateways: supportedKinds: - group: gateway.networking.k8s.io kind: HTTPRoute - # Uncomment when https://github.com/envoyproxy/gateway/issues/950 is fixed - #- group: gateway.networking.k8s.io - #kind: GRPCRoute + - group: gateway.networking.k8s.io + kind: GRPCRoute attachedRoutes: 1 conditions: - type: Programmed @@ -160,9 +153,8 @@ gateways: supportedKinds: - group: gateway.networking.k8s.io kind: HTTPRoute - # Uncomment when https://github.com/envoyproxy/gateway/issues/950 is fixed - #- group: gateway.networking.k8s.io - #kind: GRPCRoute + - group: gateway.networking.k8s.io + kind: GRPCRoute attachedRoutes: 1 conditions: - type: Programmed diff --git a/internal/gatewayapi/testdata/httproute-attaching-to-gateway-with-two-listeners-with-different-ports.out.yaml b/internal/gatewayapi/testdata/httproute-attaching-to-gateway-with-two-listeners-with-different-ports.out.yaml index 9708ba2179..9eaaff055c 100644 --- a/internal/gatewayapi/testdata/httproute-attaching-to-gateway-with-two-listeners-with-different-ports.out.yaml +++ b/internal/gatewayapi/testdata/httproute-attaching-to-gateway-with-two-listeners-with-different-ports.out.yaml @@ -29,9 +29,8 @@ gateways: supportedKinds: - group: gateway.networking.k8s.io kind: HTTPRoute - # Uncomment when https://github.com/envoyproxy/gateway/issues/950 is fixed - #- group: gateway.networking.k8s.io - #kind: GRPCRoute + - group: gateway.networking.k8s.io + kind: GRPCRoute attachedRoutes: 1 conditions: - type: Programmed @@ -42,9 +41,8 @@ gateways: supportedKinds: - group: gateway.networking.k8s.io kind: HTTPRoute - # Uncomment when https://github.com/envoyproxy/gateway/issues/950 is fixed - #- group: gateway.networking.k8s.io - #kind: GRPCRoute + - group: gateway.networking.k8s.io + kind: GRPCRoute attachedRoutes: 1 conditions: - type: Programmed 
diff --git a/internal/gatewayapi/testdata/httproute-attaching-to-gateway-with-two-listeners.out.yaml b/internal/gatewayapi/testdata/httproute-attaching-to-gateway-with-two-listeners.out.yaml
index 2a91cfc2fa..48fda6fe31 100644
--- a/internal/gatewayapi/testdata/httproute-attaching-to-gateway-with-two-listeners.out.yaml
+++ b/internal/gatewayapi/testdata/httproute-attaching-to-gateway-with-two-listeners.out.yaml
@@ -27,9 +27,8 @@ gateways:
 supportedKinds:
 - group: gateway.networking.k8s.io
 kind: HTTPRoute
- # Uncomment when https://github.com/envoyproxy/gateway/issues/950 is fixed
- #- group: gateway.networking.k8s.io
- #kind: GRPCRoute
+ - group: gateway.networking.k8s.io
+ kind: GRPCRoute
 attachedRoutes: 1
 conditions:
 - type: Programmed
@@ -40,9 +39,8 @@ gateways:
 supportedKinds:
 - group: gateway.networking.k8s.io
 kind: HTTPRoute
- # Uncomment when https://github.com/envoyproxy/gateway/issues/950 is fixed
- #- group: gateway.networking.k8s.io
- #kind: GRPCRoute
+ - group: gateway.networking.k8s.io
+ kind: GRPCRoute
 attachedRoutes: 1
 conditions:
 - type: Programmed
diff --git a/internal/gatewayapi/testdata/httproute-attaching-to-gateway.out.yaml b/internal/gatewayapi/testdata/httproute-attaching-to-gateway.out.yaml
index 589fef477f..9c3c5b1610 100644
--- a/internal/gatewayapi/testdata/httproute-attaching-to-gateway.out.yaml
+++ b/internal/gatewayapi/testdata/httproute-attaching-to-gateway.out.yaml
@@ -19,9 +19,8 @@ gateways:
 supportedKinds:
 - group: gateway.networking.k8s.io
 kind: HTTPRoute
- # Uncomment when https://github.com/envoyproxy/gateway/issues/950 is fixed
- #- group: gateway.networking.k8s.io
- #kind: GRPCRoute
+ - group: gateway.networking.k8s.io
+ kind: GRPCRoute
 attachedRoutes: 1
 conditions:
 - type: Programmed
diff --git a/internal/gatewayapi/testdata/httproute-attaching-to-listener-matching-port.out.yaml b/internal/gatewayapi/testdata/httproute-attaching-to-listener-matching-port.out.yaml
index c63ffaff08..9c46f62816 100644
--- a/internal/gatewayapi/testdata/httproute-attaching-to-listener-matching-port.out.yaml
+++ b/internal/gatewayapi/testdata/httproute-attaching-to-listener-matching-port.out.yaml
@@ -19,9 +19,8 @@ gateways:
 supportedKinds:
 - group: gateway.networking.k8s.io
 kind: HTTPRoute
- # Uncomment when https://github.com/envoyproxy/gateway/issues/950 is fixed
- #- group: gateway.networking.k8s.io
- #kind: GRPCRoute
+ - group: gateway.networking.k8s.io
+ kind: GRPCRoute
 attachedRoutes: 1
 conditions:
 - type: Programmed
diff --git a/internal/gatewayapi/testdata/httproute-attaching-to-listener-on-gateway-with-two-listeners.out.yaml b/internal/gatewayapi/testdata/httproute-attaching-to-listener-on-gateway-with-two-listeners.out.yaml
index 6100711322..3284e46801 100644
--- a/internal/gatewayapi/testdata/httproute-attaching-to-listener-on-gateway-with-two-listeners.out.yaml
+++ b/internal/gatewayapi/testdata/httproute-attaching-to-listener-on-gateway-with-two-listeners.out.yaml
@@ -27,9 +27,8 @@ gateways:
 supportedKinds:
 - group: gateway.networking.k8s.io
 kind: HTTPRoute
- # Uncomment when https://github.com/envoyproxy/gateway/issues/950 is fixed
- #- group: gateway.networking.k8s.io
- #kind: GRPCRoute
+ - group: gateway.networking.k8s.io
+ kind: GRPCRoute
 attachedRoutes: 0
 conditions:
 - type: Programmed
@@ -40,9 +39,8 @@ gateways:
 supportedKinds:
 - group: gateway.networking.k8s.io
 kind: HTTPRoute
- # Uncomment when https://github.com/envoyproxy/gateway/issues/950 is fixed
- #- group: gateway.networking.k8s.io
- #kind: GRPCRoute
+ - group: gateway.networking.k8s.io
+ kind: GRPCRoute
 attachedRoutes: 1
 conditions:
 - type: Programmed
diff --git a/internal/gatewayapi/testdata/httproute-attaching-to-listener.out.yaml b/internal/gatewayapi/testdata/httproute-attaching-to-listener.out.yaml
index 0a0e3b07e5..8f4a72fdab 100644
--- a/internal/gatewayapi/testdata/httproute-attaching-to-listener.out.yaml
+++ b/internal/gatewayapi/testdata/httproute-attaching-to-listener.out.yaml
@@ -19,9 +19,8 @@ gateways:
 supportedKinds:
 - group: gateway.networking.k8s.io
 kind: HTTPRoute
- # Uncomment when https://github.com/envoyproxy/gateway/issues/950 is fixed
- #- group: gateway.networking.k8s.io
- #kind: GRPCRoute
+ - group: gateway.networking.k8s.io
+ kind: GRPCRoute
 attachedRoutes: 1
 conditions:
 - type: Programmed
diff --git a/internal/gatewayapi/testdata/httproute-not-attaching-to-listener-non-matching-port.out.yaml b/internal/gatewayapi/testdata/httproute-not-attaching-to-listener-non-matching-port.out.yaml
index 116fe1bceb..c656347068 100644
--- a/internal/gatewayapi/testdata/httproute-not-attaching-to-listener-non-matching-port.out.yaml
+++ b/internal/gatewayapi/testdata/httproute-not-attaching-to-listener-non-matching-port.out.yaml
@@ -20,9 +20,8 @@ gateways:
 supportedKinds:
 - group: gateway.networking.k8s.io
 kind: HTTPRoute
- # Uncomment when https://github.com/envoyproxy/gateway/issues/950 is fixed
- #- group: gateway.networking.k8s.io
- #kind: GRPCRoute
+ - group: gateway.networking.k8s.io
+ kind: GRPCRoute
 attachedRoutes: 0
 conditions:
 - type: Programmed
diff --git a/internal/gatewayapi/testdata/httproute-rule-with-multiple-backends-and-no-weights.out.yaml b/internal/gatewayapi/testdata/httproute-rule-with-multiple-backends-and-no-weights.out.yaml
index 90002b9fc5..9bc2ab142a 100644
--- a/internal/gatewayapi/testdata/httproute-rule-with-multiple-backends-and-no-weights.out.yaml
+++ b/internal/gatewayapi/testdata/httproute-rule-with-multiple-backends-and-no-weights.out.yaml
@@ -19,9 +19,8 @@ gateways:
 supportedKinds:
 - group: gateway.networking.k8s.io
 kind: HTTPRoute
- # Uncomment when https://github.com/envoyproxy/gateway/issues/950 is fixed
- #- group: gateway.networking.k8s.io
- #kind: GRPCRoute
+ - group: gateway.networking.k8s.io
+ kind: GRPCRoute
 attachedRoutes: 1
 conditions:
 - type: Programmed
diff --git a/internal/gatewayapi/testdata/httproute-rule-with-multiple-backends-and-weights.out.yaml b/internal/gatewayapi/testdata/httproute-rule-with-multiple-backends-and-weights.out.yaml
index 4bb84b11b9..92d6bcd835 100644
--- a/internal/gatewayapi/testdata/httproute-rule-with-multiple-backends-and-weights.out.yaml
+++ b/internal/gatewayapi/testdata/httproute-rule-with-multiple-backends-and-weights.out.yaml
@@ -19,9 +19,8 @@ gateways:
 supportedKinds:
 - group: gateway.networking.k8s.io
 kind: HTTPRoute
- # Uncomment when https://github.com/envoyproxy/gateway/issues/950 is fixed
- #- group: gateway.networking.k8s.io
- #kind: GRPCRoute
+ - group: gateway.networking.k8s.io
+ kind: GRPCRoute
 attachedRoutes: 1
 conditions:
 - type: Programmed
diff --git a/internal/gatewayapi/testdata/httproute-with-backendref-in-other-namespace-allowed-by-refgrant.out.yaml b/internal/gatewayapi/testdata/httproute-with-backendref-in-other-namespace-allowed-by-refgrant.out.yaml
index 45c75a5192..1392c99fda 100644
--- a/internal/gatewayapi/testdata/httproute-with-backendref-in-other-namespace-allowed-by-refgrant.out.yaml
+++ b/internal/gatewayapi/testdata/httproute-with-backendref-in-other-namespace-allowed-by-refgrant.out.yaml
@@ -19,9 +19,8 @@ gateways:
 supportedKinds:
 - group: gateway.networking.k8s.io
 kind: HTTPRoute
- # Uncomment when https://github.com/envoyproxy/gateway/issues/950 is fixed
- #- group: gateway.networking.k8s.io
- #kind: GRPCRoute
+ - group: gateway.networking.k8s.io
+ kind: GRPCRoute
 attachedRoutes: 1
 conditions:
 - type: Programmed
diff --git a/internal/gatewayapi/testdata/httproute-with-empty-matches.out.yaml b/internal/gatewayapi/testdata/httproute-with-empty-matches.out.yaml
index 67b1ac08d4..73b62d2247 100644
--- a/internal/gatewayapi/testdata/httproute-with-empty-matches.out.yaml
+++ b/internal/gatewayapi/testdata/httproute-with-empty-matches.out.yaml
@@ -19,6 +19,8 @@ gateways:
 supportedKinds:
 - group: gateway.networking.k8s.io
 kind: HTTPRoute
+ - group: gateway.networking.k8s.io
+ kind: GRPCRoute
 attachedRoutes: 1
 conditions:
 - type: Programmed
@@ -62,8 +64,6 @@ xdsIR:
 - "*"
 routes:
 - name: default-httproute-1-rule-0-match--1-*
- pathMatch:
- prefix: "/"
 destinations:
 - host: 7.7.7.7
 port: 8080
diff --git a/internal/gatewayapi/testdata/httproute-with-header-filter-duplicate-add-multiple-filters.out.yaml b/internal/gatewayapi/testdata/httproute-with-header-filter-duplicate-add-multiple-filters.out.yaml
index 614e48d4fb..e1b32d78b8 100644
--- a/internal/gatewayapi/testdata/httproute-with-header-filter-duplicate-add-multiple-filters.out.yaml
+++ b/internal/gatewayapi/testdata/httproute-with-header-filter-duplicate-add-multiple-filters.out.yaml
@@ -20,9 +20,8 @@ gateways:
 supportedKinds:
 - group: gateway.networking.k8s.io
 kind: HTTPRoute
- # Uncomment when https://github.com/envoyproxy/gateway/issues/950 is fixed
- #- group: gateway.networking.k8s.io
- #kind: GRPCRoute
+ - group: gateway.networking.k8s.io
+ kind: GRPCRoute
 attachedRoutes: 1
 conditions:
 - type: Programmed
diff --git a/internal/gatewayapi/testdata/httproute-with-header-filter-duplicate-adds.out.yaml b/internal/gatewayapi/testdata/httproute-with-header-filter-duplicate-adds.out.yaml
index 4e5267b77f..988c92257b 100644
--- a/internal/gatewayapi/testdata/httproute-with-header-filter-duplicate-adds.out.yaml
+++ b/internal/gatewayapi/testdata/httproute-with-header-filter-duplicate-adds.out.yaml
@@ -20,9 +20,8 @@ gateways:
 supportedKinds:
 - group: gateway.networking.k8s.io
 kind: HTTPRoute
- # Uncomment when https://github.com/envoyproxy/gateway/issues/950 is fixed
- #- group: gateway.networking.k8s.io
- #kind: GRPCRoute
+ - group: gateway.networking.k8s.io
+ kind: GRPCRoute
 attachedRoutes: 1
 conditions:
 - type: Programmed
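Review bot: The second hunk of httproute-with-empty-matches.out.yaml removes `pathMatch: prefix: "/"` from route `default-httproute-1-rule-0-match--1-*`, so the expected IR for an HTTPRoute with no matches now carries no path condition at all, and nothing in this diff view records why. A route with no match condition reads as "match everything" or "match nothing" depending on the consumer, so the translator change that produced this golden-file update (outside this chunk) should state in a comment that a rule with empty matches is intended to be a catch-all and that the xDS layer is expected to emit the equivalent of a `/` prefix for it. If that is not the intent, this expectation silently encodes an unreachable route and the fixture should be regenerated rather than accepted.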
diff --git a/internal/gatewayapi/testdata/httproute-with-header-filter-duplicate-remove-multiple-filters.out.yaml b/internal/gatewayapi/testdata/httproute-with-header-filter-duplicate-remove-multiple-filters.out.yaml
index 4294262fdd..e5f12f7a2e 100644
--- a/internal/gatewayapi/testdata/httproute-with-header-filter-duplicate-remove-multiple-filters.out.yaml
+++ b/internal/gatewayapi/testdata/httproute-with-header-filter-duplicate-remove-multiple-filters.out.yaml
@@ -20,9 +20,8 @@ gateways:
 supportedKinds:
 - group: gateway.networking.k8s.io
 kind: HTTPRoute
- # Uncomment when https://github.com/envoyproxy/gateway/issues/950 is fixed
- #- group: gateway.networking.k8s.io
- #kind: GRPCRoute
+ - group: gateway.networking.k8s.io
+ kind: GRPCRoute
 attachedRoutes: 1
 conditions:
 - type: Programmed
diff --git a/internal/gatewayapi/testdata/httproute-with-header-filter-duplicate-removes.out.yaml b/internal/gatewayapi/testdata/httproute-with-header-filter-duplicate-removes.out.yaml
index 0a75822aae..5ed6519cd1 100644
--- a/internal/gatewayapi/testdata/httproute-with-header-filter-duplicate-removes.out.yaml
+++ b/internal/gatewayapi/testdata/httproute-with-header-filter-duplicate-removes.out.yaml
@@ -20,9 +20,8 @@ gateways:
 supportedKinds:
 - group: gateway.networking.k8s.io
 kind: HTTPRoute
- # Uncomment when https://github.com/envoyproxy/gateway/issues/950 is fixed
- #- group: gateway.networking.k8s.io
- #kind: GRPCRoute
+ - group: gateway.networking.k8s.io
+ kind: GRPCRoute
 attachedRoutes: 1
 conditions:
 - type: Programmed
diff --git a/internal/gatewayapi/testdata/httproute-with-header-filter-empty-header-values.out.yaml b/internal/gatewayapi/testdata/httproute-with-header-filter-empty-header-values.out.yaml
index d78407b9b4..6b9e635658 100644
--- a/internal/gatewayapi/testdata/httproute-with-header-filter-empty-header-values.out.yaml
+++ b/internal/gatewayapi/testdata/httproute-with-header-filter-empty-header-values.out.yaml
@@ -20,9 +20,8 @@ gateways:
 supportedKinds:
 - group: gateway.networking.k8s.io
 kind: HTTPRoute
- # Uncomment when https://github.com/envoyproxy/gateway/issues/950 is fixed
- #- group: gateway.networking.k8s.io
- #kind: GRPCRoute
+ - group: gateway.networking.k8s.io
+ kind: GRPCRoute
 attachedRoutes: 1
 conditions:
 - type: Programmed
diff --git a/internal/gatewayapi/testdata/httproute-with-header-filter-empty-headers.out.yaml b/internal/gatewayapi/testdata/httproute-with-header-filter-empty-headers.out.yaml
index f2a2cebc46..26ee5e62cd 100644
--- a/internal/gatewayapi/testdata/httproute-with-header-filter-empty-headers.out.yaml
+++ b/internal/gatewayapi/testdata/httproute-with-header-filter-empty-headers.out.yaml
@@ -20,9 +20,8 @@ gateways:
 supportedKinds:
 - group: gateway.networking.k8s.io
 kind: HTTPRoute
- # Uncomment when https://github.com/envoyproxy/gateway/issues/950 is fixed
- #- group: gateway.networking.k8s.io
- #kind: GRPCRoute
+ - group: gateway.networking.k8s.io
+ kind: GRPCRoute
 attachedRoutes: 1
 conditions:
 - type: Programmed
diff --git a/internal/gatewayapi/testdata/httproute-with-header-filter-invalid-headers.out.yaml b/internal/gatewayapi/testdata/httproute-with-header-filter-invalid-headers.out.yaml
index a0de9906f3..66734cf3c6 100644
--- a/internal/gatewayapi/testdata/httproute-with-header-filter-invalid-headers.out.yaml
+++ b/internal/gatewayapi/testdata/httproute-with-header-filter-invalid-headers.out.yaml
@@ -20,9 +20,8 @@ gateways:
 supportedKinds:
 - group: gateway.networking.k8s.io
 kind: HTTPRoute
- # Uncomment when https://github.com/envoyproxy/gateway/issues/950 is fixed
- #- group: gateway.networking.k8s.io
- #kind: GRPCRoute
+ - group: gateway.networking.k8s.io
+ kind: GRPCRoute
 attachedRoutes: 1
 conditions:
 - type: Programmed
diff --git a/internal/gatewayapi/testdata/httproute-with-header-filter-no-headers.out.yaml b/internal/gatewayapi/testdata/httproute-with-header-filter-no-headers.out.yaml
index 65078fb253..c7d970f4b8 100644
--- a/internal/gatewayapi/testdata/httproute-with-header-filter-no-headers.out.yaml
+++ b/internal/gatewayapi/testdata/httproute-with-header-filter-no-headers.out.yaml
@@ -20,9 +20,8 @@ gateways:
 supportedKinds:
 - group: gateway.networking.k8s.io
 kind: HTTPRoute
- # Uncomment when https://github.com/envoyproxy/gateway/issues/950 is fixed
- #- group: gateway.networking.k8s.io
- #kind: GRPCRoute
+ - group: gateway.networking.k8s.io
+ kind: GRPCRoute
 attachedRoutes: 1
 conditions:
 - type: Programmed
diff --git a/internal/gatewayapi/testdata/httproute-with-header-filter-no-valid-headers.out.yaml b/internal/gatewayapi/testdata/httproute-with-header-filter-no-valid-headers.out.yaml
index 6633cb693d..808f1a56fb 100644
--- a/internal/gatewayapi/testdata/httproute-with-header-filter-no-valid-headers.out.yaml
+++ b/internal/gatewayapi/testdata/httproute-with-header-filter-no-valid-headers.out.yaml
@@ -20,9 +20,8 @@ gateways:
 supportedKinds:
 - group: gateway.networking.k8s.io
 kind: HTTPRoute
- # Uncomment when https://github.com/envoyproxy/gateway/issues/950 is fixed
- #- group: gateway.networking.k8s.io
- #kind: GRPCRoute
+ - group: gateway.networking.k8s.io
+ kind: GRPCRoute
 attachedRoutes: 1
 conditions:
 - type: Programmed
diff --git a/internal/gatewayapi/testdata/httproute-with-header-filter-remove.out.yaml b/internal/gatewayapi/testdata/httproute-with-header-filter-remove.out.yaml
index dfa525d74c..25c9b78cb5 100644
--- a/internal/gatewayapi/testdata/httproute-with-header-filter-remove.out.yaml
+++ b/internal/gatewayapi/testdata/httproute-with-header-filter-remove.out.yaml
@@ -20,9 +20,8 @@ gateways:
 supportedKinds:
 - group: gateway.networking.k8s.io
 kind: HTTPRoute
- # Uncomment when https://github.com/envoyproxy/gateway/issues/950 is fixed
- #- group: gateway.networking.k8s.io
- #kind: GRPCRoute
+ - group: gateway.networking.k8s.io
+ kind: GRPCRoute
 attachedRoutes: 1
 conditions:
 - type: Programmed
diff --git a/internal/gatewayapi/testdata/httproute-with-invalid-backend-ref-bad-port.out.yaml b/internal/gatewayapi/testdata/httproute-with-invalid-backend-ref-bad-port.out.yaml
index 5f0487305a..ca2070932c 100644
--- a/internal/gatewayapi/testdata/httproute-with-invalid-backend-ref-bad-port.out.yaml
+++ b/internal/gatewayapi/testdata/httproute-with-invalid-backend-ref-bad-port.out.yaml
@@ -19,9 +19,8 @@ gateways:
 supportedKinds:
 - group: gateway.networking.k8s.io
 kind: HTTPRoute
- # Uncomment when https://github.com/envoyproxy/gateway/issues/950 is fixed
- #- group: gateway.networking.k8s.io
- #kind: GRPCRoute
+ - group: gateway.networking.k8s.io
+ kind: GRPCRoute
 attachedRoutes: 1
 conditions:
 - type: Programmed
diff --git a/internal/gatewayapi/testdata/httproute-with-invalid-backend-ref-invalid-group.out.yaml b/internal/gatewayapi/testdata/httproute-with-invalid-backend-ref-invalid-group.out.yaml
index 12486d8599..219f59ad8e 100644
--- a/internal/gatewayapi/testdata/httproute-with-invalid-backend-ref-invalid-group.out.yaml
+++ b/internal/gatewayapi/testdata/httproute-with-invalid-backend-ref-invalid-group.out.yaml
@@ -19,9 +19,8 @@ gateways:
 supportedKinds:
 - group: gateway.networking.k8s.io
 kind: HTTPRoute
- # Uncomment when https://github.com/envoyproxy/gateway/issues/950 is fixed
- #- group: gateway.networking.k8s.io
- #kind: GRPCRoute
+ - group: gateway.networking.k8s.io
+ kind: GRPCRoute
 attachedRoutes: 1
 conditions:
 - type: Programmed
diff --git a/internal/gatewayapi/testdata/httproute-with-invalid-backend-ref-invalid-kind.out.yaml b/internal/gatewayapi/testdata/httproute-with-invalid-backend-ref-invalid-kind.out.yaml
index ced06b6d63..9782dae7db 100644
--- a/internal/gatewayapi/testdata/httproute-with-invalid-backend-ref-invalid-kind.out.yaml
+++ b/internal/gatewayapi/testdata/httproute-with-invalid-backend-ref-invalid-kind.out.yaml
@@ -19,9 +19,8 @@ gateways:
 supportedKinds:
 - group: gateway.networking.k8s.io
 kind: HTTPRoute
- # Uncomment when https://github.com/envoyproxy/gateway/issues/950 is fixed
- #- group: gateway.networking.k8s.io
- #kind: GRPCRoute
+ - group: gateway.networking.k8s.io
+ kind: GRPCRoute
 attachedRoutes: 1
 conditions:
 - type: Programmed
diff --git a/internal/gatewayapi/testdata/httproute-with-invalid-backend-ref-no-port.out.yaml b/internal/gatewayapi/testdata/httproute-with-invalid-backend-ref-no-port.out.yaml
index bfe9084f58..062dc105a1 100644
--- a/internal/gatewayapi/testdata/httproute-with-invalid-backend-ref-no-port.out.yaml
+++ b/internal/gatewayapi/testdata/httproute-with-invalid-backend-ref-no-port.out.yaml
@@ -19,9 +19,8 @@ gateways:
 supportedKinds:
 - group: gateway.networking.k8s.io
 kind: HTTPRoute
- # Uncomment when https://github.com/envoyproxy/gateway/issues/950 is fixed
- #- group: gateway.networking.k8s.io
- #kind: GRPCRoute
+ - group: gateway.networking.k8s.io
+ kind: GRPCRoute
 attachedRoutes: 1
 conditions:
 - type: Programmed
diff --git a/internal/gatewayapi/testdata/httproute-with-invalid-backend-ref-no-service.out.yaml b/internal/gatewayapi/testdata/httproute-with-invalid-backend-ref-no-service.out.yaml
index 674a906147..65fac131f8 100644
--- a/internal/gatewayapi/testdata/httproute-with-invalid-backend-ref-no-service.out.yaml
+++ b/internal/gatewayapi/testdata/httproute-with-invalid-backend-ref-no-service.out.yaml
@@ -19,9 +19,8 @@ gateways:
 supportedKinds:
 - group: gateway.networking.k8s.io
 kind: HTTPRoute
- # Uncomment when https://github.com/envoyproxy/gateway/issues/950 is fixed
- #- group: gateway.networking.k8s.io
- #kind: GRPCRoute
+ - group: gateway.networking.k8s.io
+ kind: GRPCRoute
 attachedRoutes: 1
 conditions:
 - type: Programmed
diff --git a/internal/gatewayapi/testdata/httproute-with-invalid-backendref-in-other-namespace.out.yaml b/internal/gatewayapi/testdata/httproute-with-invalid-backendref-in-other-namespace.out.yaml
index 7675eb61f3..7aa9f45a02 100644
--- a/internal/gatewayapi/testdata/httproute-with-invalid-backendref-in-other-namespace.out.yaml
+++ b/internal/gatewayapi/testdata/httproute-with-invalid-backendref-in-other-namespace.out.yaml
@@ -19,9 +19,8 @@ gateways:
 supportedKinds:
 - group: gateway.networking.k8s.io
 kind: HTTPRoute
- # Uncomment when https://github.com/envoyproxy/gateway/issues/950 is fixed
- #- group: gateway.networking.k8s.io
- #kind: GRPCRoute
+ - group: gateway.networking.k8s.io
+ kind: GRPCRoute
 attachedRoutes: 1
 conditions:
 - type: Programmed
diff --git a/internal/gatewayapi/testdata/httproute-with-invalid-ratelimitfilter.out.yaml b/internal/gatewayapi/testdata/httproute-with-invalid-ratelimitfilter.out.yaml
index 8acb3ec82e..87e6e492a1 100644
--- a/internal/gatewayapi/testdata/httproute-with-invalid-ratelimitfilter.out.yaml
+++ b/internal/gatewayapi/testdata/httproute-with-invalid-ratelimitfilter.out.yaml
@@ -20,9 +20,8 @@ gateways:
 supportedKinds:
 - group: gateway.networking.k8s.io
 kind: HTTPRoute
- # Uncomment when https://github.com/envoyproxy/gateway/issues/950 is fixed
- #- group: gateway.networking.k8s.io
- #kind: GRPCRoute
+ - group: gateway.networking.k8s.io
+ kind: GRPCRoute
 attachedRoutes: 1
 conditions:
 - type: Programmed
diff --git a/internal/gatewayapi/testdata/httproute-with-mirror-filter-duplicates.out.yaml b/internal/gatewayapi/testdata/httproute-with-mirror-filter-duplicates.out.yaml
index 2a12e0569f..71797efd24 100644
--- a/internal/gatewayapi/testdata/httproute-with-mirror-filter-duplicates.out.yaml
+++ b/internal/gatewayapi/testdata/httproute-with-mirror-filter-duplicates.out.yaml
@@ -20,9 +20,8 @@ gateways:
 supportedKinds:
 - group: gateway.networking.k8s.io
 kind: HTTPRoute
- # Uncomment when https://github.com/envoyproxy/gateway/issues/950 is fixed
- #- group: gateway.networking.k8s.io
- #kind: GRPCRoute
+ - group: gateway.networking.k8s.io
+ kind: GRPCRoute
 attachedRoutes: 1
 conditions:
 - type: Programmed
diff --git a/internal/gatewayapi/testdata/httproute-with-mirror-filter-multiple.out.yaml b/internal/gatewayapi/testdata/httproute-with-mirror-filter-multiple.out.yaml
index f21678a5c8..ca51c868ce 100644
--- a/internal/gatewayapi/testdata/httproute-with-mirror-filter-multiple.out.yaml
+++ b/internal/gatewayapi/testdata/httproute-with-mirror-filter-multiple.out.yaml
@@ -20,9 +20,8 @@ gateways:
 supportedKinds:
 - group: gateway.networking.k8s.io
 kind: HTTPRoute
- # Uncomment when https://github.com/envoyproxy/gateway/issues/950 is fixed
- #- group: gateway.networking.k8s.io
- #kind: GRPCRoute
+ - group: gateway.networking.k8s.io
+ kind: GRPCRoute
 attachedRoutes: 1
 conditions:
 - type: Programmed
diff --git a/internal/gatewayapi/testdata/httproute-with-mirror-filter-service-no-port.out.yaml b/internal/gatewayapi/testdata/httproute-with-mirror-filter-service-no-port.out.yaml
index e2b5788c36..d8210da353 100644
--- a/internal/gatewayapi/testdata/httproute-with-mirror-filter-service-no-port.out.yaml
+++ b/internal/gatewayapi/testdata/httproute-with-mirror-filter-service-no-port.out.yaml
@@ -20,9 +20,8 @@ gateways:
 supportedKinds:
 - group: gateway.networking.k8s.io
 kind: HTTPRoute
- # Uncomment when https://github.com/envoyproxy/gateway/issues/950 is fixed
- #- group: gateway.networking.k8s.io
- #kind: GRPCRoute
+ - group: gateway.networking.k8s.io
+ kind: GRPCRoute
 attachedRoutes: 1
 conditions:
 - type: Programmed
diff --git a/internal/gatewayapi/testdata/httproute-with-mirror-filter-service-not-found.out.yaml b/internal/gatewayapi/testdata/httproute-with-mirror-filter-service-not-found.out.yaml
index 1205a2c381..9d6aac7a9a 100644
--- a/internal/gatewayapi/testdata/httproute-with-mirror-filter-service-not-found.out.yaml
+++ b/internal/gatewayapi/testdata/httproute-with-mirror-filter-service-not-found.out.yaml
@@ -20,9 +20,8 @@ gateways:
 supportedKinds:
 - group: gateway.networking.k8s.io
 kind: HTTPRoute
- # Uncomment when https://github.com/envoyproxy/gateway/issues/950 is fixed
- #- group: gateway.networking.k8s.io
- #kind: GRPCRoute
+ - group: gateway.networking.k8s.io
+ kind: GRPCRoute
 attachedRoutes: 1
 conditions:
 - type: Programmed
diff --git a/internal/gatewayapi/testdata/httproute-with-mirror-filter.out.yaml b/internal/gatewayapi/testdata/httproute-with-mirror-filter.out.yaml
index 334acccc07..0306711322 100644
--- a/internal/gatewayapi/testdata/httproute-with-mirror-filter.out.yaml
+++ b/internal/gatewayapi/testdata/httproute-with-mirror-filter.out.yaml
@@ -20,9 +20,8 @@ gateways:
 supportedKinds:
 - group: gateway.networking.k8s.io
 kind: HTTPRoute
- # Uncomment when https://github.com/envoyproxy/gateway/issues/950 is fixed
- #- group: gateway.networking.k8s.io
- #kind: GRPCRoute
+ - group: gateway.networking.k8s.io
+ kind: GRPCRoute
 attachedRoutes: 1
 conditions:
 - type: Programmed
diff --git a/internal/gatewayapi/testdata/httproute-with-non-existent-authenfilter-ref.out.yaml b/internal/gatewayapi/testdata/httproute-with-non-existent-authenfilter-ref.out.yaml
index e703cb32b9..2fddf2b4f2 100644
--- a/internal/gatewayapi/testdata/httproute-with-non-existent-authenfilter-ref.out.yaml
+++ b/internal/gatewayapi/testdata/httproute-with-non-existent-authenfilter-ref.out.yaml
@@ -20,9 +20,8 @@ gateways:
 supportedKinds:
 - group: gateway.networking.k8s.io
 kind: HTTPRoute
- # Uncomment when https://github.com/envoyproxy/gateway/issues/950 is fixed
- #- group: gateway.networking.k8s.io
- #kind: GRPCRoute
+ - group: gateway.networking.k8s.io
+ kind: GRPCRoute
 attachedRoutes: 1
 conditions:
 - type: Programmed
diff --git a/internal/gatewayapi/testdata/httproute-with-non-matching-authenfilter-ref.out.yaml b/internal/gatewayapi/testdata/httproute-with-non-matching-authenfilter-ref.out.yaml
index 6c92311f8b..39695171fe 100644
--- a/internal/gatewayapi/testdata/httproute-with-non-matching-authenfilter-ref.out.yaml
+++ b/internal/gatewayapi/testdata/httproute-with-non-matching-authenfilter-ref.out.yaml
@@ -20,9 +20,8 @@ gateways:
 supportedKinds:
 - group: gateway.networking.k8s.io
 kind: HTTPRoute
- # Uncomment when https://github.com/envoyproxy/gateway/issues/950 is fixed
- #- group: gateway.networking.k8s.io
- #kind: GRPCRoute
+ - group: gateway.networking.k8s.io
+ kind: GRPCRoute
 attachedRoutes: 1
 conditions:
 - type: Programmed
diff --git a/internal/gatewayapi/testdata/httproute-with-non-matching-specific-hostname-attaching-to-gateway-with-wildcard-hostname.out.yaml b/internal/gatewayapi/testdata/httproute-with-non-matching-specific-hostname-attaching-to-gateway-with-wildcard-hostname.out.yaml
index 4ecd620471..9e27285d05 100644
--- a/internal/gatewayapi/testdata/httproute-with-non-matching-specific-hostname-attaching-to-gateway-with-wildcard-hostname.out.yaml
+++ b/internal/gatewayapi/testdata/httproute-with-non-matching-specific-hostname-attaching-to-gateway-with-wildcard-hostname.out.yaml
@@ -20,9 +20,8 @@ gateways:
 supportedKinds:
 - group: gateway.networking.k8s.io
 kind: HTTPRoute
- # Uncomment when https://github.com/envoyproxy/gateway/issues/950 is fixed
- #- group: gateway.networking.k8s.io
- #kind: GRPCRoute
+ - group: gateway.networking.k8s.io
+ kind: GRPCRoute
 attachedRoutes: 0
 conditions:
 - type: Programmed
diff --git a/internal/gatewayapi/testdata/httproute-with-redirect-filter-full-path-replace-https.out.yaml b/internal/gatewayapi/testdata/httproute-with-redirect-filter-full-path-replace-https.out.yaml
index 05d8b36395..5c7eaae72b 100644
--- a/internal/gatewayapi/testdata/httproute-with-redirect-filter-full-path-replace-https.out.yaml
+++ b/internal/gatewayapi/testdata/httproute-with-redirect-filter-full-path-replace-https.out.yaml
@@ -20,9 +20,8 @@ gateways:
 supportedKinds:
 - group: gateway.networking.k8s.io
 kind: HTTPRoute
- # Uncomment when https://github.com/envoyproxy/gateway/issues/950 is fixed
- #- group: gateway.networking.k8s.io
- #kind: GRPCRoute
+ - group: gateway.networking.k8s.io
+ kind: GRPCRoute
 attachedRoutes: 1
 conditions:
 - type: Programmed
diff --git a/internal/gatewayapi/testdata/httproute-with-redirect-filter-hostname.out.yaml b/internal/gatewayapi/testdata/httproute-with-redirect-filter-hostname.out.yaml
index f1c22a74c0..71636d2de9 100644
--- a/internal/gatewayapi/testdata/httproute-with-redirect-filter-hostname.out.yaml
+++ b/internal/gatewayapi/testdata/httproute-with-redirect-filter-hostname.out.yaml
@@ -20,9 +20,8 @@ gateways:
 supportedKinds:
 - group: gateway.networking.k8s.io
 kind: HTTPRoute
- # Uncomment when https://github.com/envoyproxy/gateway/issues/950 is fixed
- #- group: gateway.networking.k8s.io
- #kind: GRPCRoute
+ - group: gateway.networking.k8s.io
+ kind: GRPCRoute
 attachedRoutes: 1
 conditions:
 - type: Programmed
diff --git a/internal/gatewayapi/testdata/httproute-with-redirect-filter-invalid-filter-type.out.yaml b/internal/gatewayapi/testdata/httproute-with-redirect-filter-invalid-filter-type.out.yaml
index fd6580f09d..4a2d2d4fae 100644
--- a/internal/gatewayapi/testdata/httproute-with-redirect-filter-invalid-filter-type.out.yaml
+++ b/internal/gatewayapi/testdata/httproute-with-redirect-filter-invalid-filter-type.out.yaml
@@ -20,9 +20,8 @@ gateways:
 supportedKinds:
 - group: gateway.networking.k8s.io
 kind: HTTPRoute
- # Uncomment when https://github.com/envoyproxy/gateway/issues/950 is fixed
- #- group: gateway.networking.k8s.io
- #kind: GRPCRoute
+ - group: gateway.networking.k8s.io
+ kind: GRPCRoute
 attachedRoutes: 1
 conditions:
 - type: Programmed
diff --git a/internal/gatewayapi/testdata/httproute-with-redirect-filter-invalid-scheme.out.yaml b/internal/gatewayapi/testdata/httproute-with-redirect-filter-invalid-scheme.out.yaml
index 40ab220216..79a022b654 100644
--- a/internal/gatewayapi/testdata/httproute-with-redirect-filter-invalid-scheme.out.yaml
+++ b/internal/gatewayapi/testdata/httproute-with-redirect-filter-invalid-scheme.out.yaml
@@ -20,9 +20,8 @@ gateways:
 supportedKinds:
 - group: gateway.networking.k8s.io
 kind: HTTPRoute
- # Uncomment when https://github.com/envoyproxy/gateway/issues/950 is fixed
- #- group: gateway.networking.k8s.io
- #kind: GRPCRoute
+ - group: gateway.networking.k8s.io
+ kind: GRPCRoute
 attachedRoutes: 1
 conditions:
 - type: Programmed
diff --git a/internal/gatewayapi/testdata/httproute-with-redirect-filter-invalid-status.out.yaml b/internal/gatewayapi/testdata/httproute-with-redirect-filter-invalid-status.out.yaml
index 539fa60e9c..992e9ede5e 100644
--- a/internal/gatewayapi/testdata/httproute-with-redirect-filter-invalid-status.out.yaml
+++ b/internal/gatewayapi/testdata/httproute-with-redirect-filter-invalid-status.out.yaml
@@ -20,9 +20,8 @@ gateways:
 supportedKinds:
 - group: gateway.networking.k8s.io
 kind: HTTPRoute
- # Uncomment when https://github.com/envoyproxy/gateway/issues/950 is fixed
- #- group: gateway.networking.k8s.io
- #kind: GRPCRoute
+ - group: gateway.networking.k8s.io
+ kind: GRPCRoute
 attachedRoutes: 1
 conditions:
 - type: Programmed
diff --git a/internal/gatewayapi/testdata/httproute-with-redirect-filter-prefix-replace-with-port-http.out.yaml b/internal/gatewayapi/testdata/httproute-with-redirect-filter-prefix-replace-with-port-http.out.yaml
index 0bd19c88ac..e40c12c99b 100644
--- a/internal/gatewayapi/testdata/httproute-with-redirect-filter-prefix-replace-with-port-http.out.yaml
+++ b/internal/gatewayapi/testdata/httproute-with-redirect-filter-prefix-replace-with-port-http.out.yaml
@@ -20,9 +20,8 @@ gateways:
 supportedKinds:
 - group: gateway.networking.k8s.io
 kind: HTTPRoute
- # Uncomment when https://github.com/envoyproxy/gateway/issues/950 is fixed
- #- group: gateway.networking.k8s.io
- #kind: GRPCRoute
+ - group: gateway.networking.k8s.io
+ kind: GRPCRoute
 attachedRoutes: 1
 conditions:
 - type: Programmed
diff --git a/internal/gatewayapi/testdata/httproute-with-response-header-filter-adds.out.yaml b/internal/gatewayapi/testdata/httproute-with-response-header-filter-adds.out.yaml
index 6d6508de86..e4c3cf4a48 100644
--- a/internal/gatewayapi/testdata/httproute-with-response-header-filter-adds.out.yaml
+++ b/internal/gatewayapi/testdata/httproute-with-response-header-filter-adds.out.yaml
@@ -20,9 +20,8 @@ gateways:
 supportedKinds:
 - group: gateway.networking.k8s.io
 kind: HTTPRoute
- # Uncomment when https://github.com/envoyproxy/gateway/issues/950 is fixed
- #- group: gateway.networking.k8s.io
- #kind: GRPCRoute
+ - group: gateway.networking.k8s.io
+ kind: GRPCRoute
 attachedRoutes: 1
 conditions:
 - type: Programmed
diff --git a/internal/gatewayapi/testdata/httproute-with-response-header-filter-duplicate-add-multiple-filters.out.yaml b/internal/gatewayapi/testdata/httproute-with-response-header-filter-duplicate-add-multiple-filters.out.yaml
index 9d6645b0b7..66bb526438 100644
--- a/internal/gatewayapi/testdata/httproute-with-response-header-filter-duplicate-add-multiple-filters.out.yaml
+++ b/internal/gatewayapi/testdata/httproute-with-response-header-filter-duplicate-add-multiple-filters.out.yaml
@@ -20,9 +20,8 @@ gateways:
 supportedKinds:
 - group: gateway.networking.k8s.io
 kind: HTTPRoute
- # Uncomment when https://github.com/envoyproxy/gateway/issues/950 is fixed
- #- group: gateway.networking.k8s.io
- #kind: GRPCRoute
+ - group: gateway.networking.k8s.io
+ kind: GRPCRoute
 attachedRoutes: 1
 conditions:
 - type: Programmed
diff --git a/internal/gatewayapi/testdata/httproute-with-response-header-filter-duplicate-adds.out.yaml b/internal/gatewayapi/testdata/httproute-with-response-header-filter-duplicate-adds.out.yaml
index c42fec4d24..b0fd746b0d 100644
--- a/internal/gatewayapi/testdata/httproute-with-response-header-filter-duplicate-adds.out.yaml
+++ b/internal/gatewayapi/testdata/httproute-with-response-header-filter-duplicate-adds.out.yaml
@@ -20,9 +20,8 @@ gateways:
 supportedKinds:
 - group: gateway.networking.k8s.io
 kind: HTTPRoute
- # Uncomment when https://github.com/envoyproxy/gateway/issues/950 is fixed
- #- group: gateway.networking.k8s.io
- #kind: GRPCRoute
+ - group: gateway.networking.k8s.io
+ kind: GRPCRoute
 attachedRoutes: 1
 conditions:
 - type: Programmed
diff --git a/internal/gatewayapi/testdata/httproute-with-response-header-filter-duplicate-remove-multiple-filters.out.yaml b/internal/gatewayapi/testdata/httproute-with-response-header-filter-duplicate-remove-multiple-filters.out.yaml
index 9ed56f7592..ed03bdc322 100644
--- a/internal/gatewayapi/testdata/httproute-with-response-header-filter-duplicate-remove-multiple-filters.out.yaml
+++ b/internal/gatewayapi/testdata/httproute-with-response-header-filter-duplicate-remove-multiple-filters.out.yaml
@@ -20,9 +20,8 @@ gateways:
 supportedKinds:
 - group: gateway.networking.k8s.io
 kind: HTTPRoute
- # Uncomment when https://github.com/envoyproxy/gateway/issues/950 is fixed
- #- group: gateway.networking.k8s.io
- #kind: GRPCRoute
+ - group: gateway.networking.k8s.io
+ kind: GRPCRoute
 attachedRoutes: 1
 conditions:
 - type: Programmed
diff --git a/internal/gatewayapi/testdata/httproute-with-response-header-filter-duplicate-removes.out.yaml b/internal/gatewayapi/testdata/httproute-with-response-header-filter-duplicate-removes.out.yaml
index 212a0e9526..c0e2f4b1fc 100644
--- a/internal/gatewayapi/testdata/httproute-with-response-header-filter-duplicate-removes.out.yaml
+++ b/internal/gatewayapi/testdata/httproute-with-response-header-filter-duplicate-removes.out.yaml
@@ -20,9 +20,8 @@ gateways:
 supportedKinds:
 - group: gateway.networking.k8s.io
 kind: HTTPRoute
- # Uncomment when https://github.com/envoyproxy/gateway/issues/950 is fixed
- #- group: gateway.networking.k8s.io
- #kind: GRPCRoute
+ - group: gateway.networking.k8s.io
+ kind: GRPCRoute
 attachedRoutes: 1
 conditions:
 - type: Programmed
diff --git a/internal/gatewayapi/testdata/httproute-with-response-header-filter-empty-header-values.out.yaml b/internal/gatewayapi/testdata/httproute-with-response-header-filter-empty-header-values.out.yaml
index 70ab526411..e9186328cc 100644
--- a/internal/gatewayapi/testdata/httproute-with-response-header-filter-empty-header-values.out.yaml
+++ b/internal/gatewayapi/testdata/httproute-with-response-header-filter-empty-header-values.out.yaml
@@ -20,9 +20,8 @@ gateways:
 supportedKinds:
 - group: gateway.networking.k8s.io
 kind: HTTPRoute
- # Uncomment when https://github.com/envoyproxy/gateway/issues/950 is fixed
- #- group: gateway.networking.k8s.io
- #kind: GRPCRoute
+ - group: gateway.networking.k8s.io
+ kind: GRPCRoute
 attachedRoutes: 1
 conditions:
 - type: Programmed
diff --git a/internal/gatewayapi/testdata/httproute-with-response-header-filter-empty-headers.out.yaml b/internal/gatewayapi/testdata/httproute-with-response-header-filter-empty-headers.out.yaml
index ef5d31cebd..ff7be180ea 100644
--- a/internal/gatewayapi/testdata/httproute-with-response-header-filter-empty-headers.out.yaml
+++ b/internal/gatewayapi/testdata/httproute-with-response-header-filter-empty-headers.out.yaml
@@ -20,9 +20,8 @@ gateways:
 supportedKinds:
 - group: gateway.networking.k8s.io
 kind: HTTPRoute
- # Uncomment when https://github.com/envoyproxy/gateway/issues/950 is fixed
- #- group: gateway.networking.k8s.io
- #kind: GRPCRoute
+ - group: gateway.networking.k8s.io
+ kind: GRPCRoute
 attachedRoutes: 1
 conditions:
 - type: Programmed
diff --git a/internal/gatewayapi/testdata/httproute-with-response-header-filter-invalid-headers.out.yaml b/internal/gatewayapi/testdata/httproute-with-response-header-filter-invalid-headers.out.yaml
index 749061fdac..8182e7022e 100644
--- a/internal/gatewayapi/testdata/httproute-with-response-header-filter-invalid-headers.out.yaml
+++ b/internal/gatewayapi/testdata/httproute-with-response-header-filter-invalid-headers.out.yaml
@@ -20,9 +20,8 @@ gateways:
 supportedKinds:
 - group: gateway.networking.k8s.io
 kind: HTTPRoute
- # Uncomment when https://github.com/envoyproxy/gateway/issues/950 is fixed
- #- group: gateway.networking.k8s.io
- #kind: GRPCRoute
+ - group: gateway.networking.k8s.io
+ kind: GRPCRoute
 attachedRoutes: 1
 conditions:
 - type: Programmed
diff --git a/internal/gatewayapi/testdata/httproute-with-response-header-filter-no-headers.out.yaml b/internal/gatewayapi/testdata/httproute-with-response-header-filter-no-headers.out.yaml
index 552a9b737c..c91e70c26a 100644
--- a/internal/gatewayapi/testdata/httproute-with-response-header-filter-no-headers.out.yaml
+++ b/internal/gatewayapi/testdata/httproute-with-response-header-filter-no-headers.out.yaml
@@ -20,9 +20,8 @@ gateways:
 supportedKinds:
 - group: gateway.networking.k8s.io
 kind: HTTPRoute
- # Uncomment when https://github.com/envoyproxy/gateway/issues/950 is fixed
- #- group: gateway.networking.k8s.io
- #kind: GRPCRoute
+ - group: gateway.networking.k8s.io
+ kind: GRPCRoute
 attachedRoutes: 1
 conditions:
 - type: Programmed
diff --git a/internal/gatewayapi/testdata/httproute-with-response-header-filter-no-valid-headers.out.yaml b/internal/gatewayapi/testdata/httproute-with-response-header-filter-no-valid-headers.out.yaml
index 59ed845080..a5e7dac437 100644
--- a/internal/gatewayapi/testdata/httproute-with-response-header-filter-no-valid-headers.out.yaml
+++ b/internal/gatewayapi/testdata/httproute-with-response-header-filter-no-valid-headers.out.yaml
@@ -20,9 +20,8 @@ gateways:
 supportedKinds:
 - group: gateway.networking.k8s.io
 kind: HTTPRoute
- # Uncomment when https://github.com/envoyproxy/gateway/issues/950 is fixed
- #- group: gateway.networking.k8s.io
- #kind: GRPCRoute
+ - group: gateway.networking.k8s.io
+ kind: GRPCRoute
 attachedRoutes: 1
 conditions:
 - type: Programmed
diff --git a/internal/gatewayapi/testdata/httproute-with-response-header-filter-remove.out.yaml b/internal/gatewayapi/testdata/httproute-with-response-header-filter-remove.out.yaml
index 11b80f8a28..caf07769b0 100644
--- a/internal/gatewayapi/testdata/httproute-with-response-header-filter-remove.out.yaml
+++ b/internal/gatewayapi/testdata/httproute-with-response-header-filter-remove.out.yaml
@@ -20,9 +20,8 @@ gateways:
 supportedKinds:
 - group: gateway.networking.k8s.io
 kind: HTTPRoute
- # Uncomment when https://github.com/envoyproxy/gateway/issues/950 is fixed
- #- group: gateway.networking.k8s.io
- #kind: GRPCRoute
+ - group: gateway.networking.k8s.io
+ kind: GRPCRoute
 attachedRoutes: 1
 conditions:
 - type: Programmed
diff --git a/internal/gatewayapi/testdata/httproute-with-single-rule-with-exact-path-match.out.yaml b/internal/gatewayapi/testdata/httproute-with-single-rule-with-exact-path-match.out.yaml
index 6e7d2f356e..57e444ece3 100644
--- a/internal/gatewayapi/testdata/httproute-with-single-rule-with-exact-path-match.out.yaml
+++ b/internal/gatewayapi/testdata/httproute-with-single-rule-with-exact-path-match.out.yaml
@@ -19,9 +19,8 @@ gateways:
 supportedKinds:
 - group: gateway.networking.k8s.io
 kind: HTTPRoute
- # Uncomment when https://github.com/envoyproxy/gateway/issues/950 is fixed
- #- group: gateway.networking.k8s.io
- #kind: GRPCRoute
+ - group: gateway.networking.k8s.io
+ kind: GRPCRoute
 attachedRoutes: 1
 conditions:
 - type: Programmed
diff --git a/internal/gatewayapi/testdata/httproute-with-single-rule-with-http-method-match.out.yaml b/internal/gatewayapi/testdata/httproute-with-single-rule-with-http-method-match.out.yaml
index e857b382bc..b5c519bda4 100644
--- a/internal/gatewayapi/testdata/httproute-with-single-rule-with-http-method-match.out.yaml
+++ b/internal/gatewayapi/testdata/httproute-with-single-rule-with-http-method-match.out.yaml
@@ -19,9 +19,8 @@ gateways:
 supportedKinds:
 - group: gateway.networking.k8s.io
 kind: HTTPRoute
- # Uncomment when https://github.com/envoyproxy/gateway/issues/950 is fixed
- #- group: gateway.networking.k8s.io
- #kind: GRPCRoute
+ - group: gateway.networking.k8s.io
+ kind: GRPCRoute
 attachedRoutes: 1
 conditions:
 - type: Programmed
diff --git a/internal/gatewayapi/testdata/httproute-with-single-rule-with-multiple-rules.out.yaml b/internal/gatewayapi/testdata/httproute-with-single-rule-with-multiple-rules.out.yaml
index 78f81eeebf..d8600ab357 100644
--- a/internal/gatewayapi/testdata/httproute-with-single-rule-with-multiple-rules.out.yaml
+++ b/internal/gatewayapi/testdata/httproute-with-single-rule-with-multiple-rules.out.yaml
@@ -19,9 +19,8 @@ gateways:
 supportedKinds:
 - group: gateway.networking.k8s.io
 kind: HTTPRoute
- # Uncomment when https://github.com/envoyproxy/gateway/issues/950 is fixed
- #- group: gateway.networking.k8s.io
- #kind: GRPCRoute
+ - group: gateway.networking.k8s.io
+ kind: GRPCRoute
 attachedRoutes: 1
 conditions:
 - type: Programmed
diff --git a/internal/gatewayapi/testdata/httproute-with-single-rule-with-path-prefix-and-exact-header-matches.out.yaml b/internal/gatewayapi/testdata/httproute-with-single-rule-with-path-prefix-and-exact-header-matches.out.yaml
index a28e840d5f..5fb12c1cc4 100644
--- a/internal/gatewayapi/testdata/httproute-with-single-rule-with-path-prefix-and-exact-header-matches.out.yaml
+++ b/internal/gatewayapi/testdata/httproute-with-single-rule-with-path-prefix-and-exact-header-matches.out.yaml
@@ -19,9 +19,8 @@ gateways: supportedKinds: - group: gateway.networking.k8s.io kind: HTTPRoute - # Uncomment when https://github.com/envoyproxy/gateway/issues/950 is fixed - #- group: gateway.networking.k8s.io - #kind: GRPCRoute + - group: gateway.networking.k8s.io + kind: GRPCRoute attachedRoutes: 1 conditions: - type: Programmed diff --git a/internal/gatewayapi/testdata/httproute-with-some-invalid-backend-refs-no-service.out.yaml b/internal/gatewayapi/testdata/httproute-with-some-invalid-backend-refs-no-service.out.yaml index 4c30c0d775..870cfb13d2 100644 --- a/internal/gatewayapi/testdata/httproute-with-some-invalid-backend-refs-no-service.out.yaml +++ b/internal/gatewayapi/testdata/httproute-with-some-invalid-backend-refs-no-service.out.yaml @@ -19,9 +19,8 @@ gateways: supportedKinds: - group: gateway.networking.k8s.io kind: HTTPRoute - # Uncomment when https://github.com/envoyproxy/gateway/issues/950 is fixed - #- group: gateway.networking.k8s.io - #kind: GRPCRoute + - group: gateway.networking.k8s.io + kind: GRPCRoute attachedRoutes: 1 conditions: - type: Programmed diff --git a/internal/gatewayapi/testdata/httproute-with-specific-hostname-attaching-to-gateway-with-wildcard-hostname.out.yaml b/internal/gatewayapi/testdata/httproute-with-specific-hostname-attaching-to-gateway-with-wildcard-hostname.out.yaml index c0d3a3d3f5..77b1dbe425 100644 --- a/internal/gatewayapi/testdata/httproute-with-specific-hostname-attaching-to-gateway-with-wildcard-hostname.out.yaml +++ b/internal/gatewayapi/testdata/httproute-with-specific-hostname-attaching-to-gateway-with-wildcard-hostname.out.yaml @@ -20,9 +20,8 @@ gateways: supportedKinds: - group: gateway.networking.k8s.io kind: HTTPRoute - # Uncomment when https://github.com/envoyproxy/gateway/issues/950 is fixed - #- group: gateway.networking.k8s.io - #kind: GRPCRoute + - group: gateway.networking.k8s.io + kind: GRPCRoute attachedRoutes: 1 conditions: - type: Programmed 
diff --git a/internal/gatewayapi/testdata/httproute-with-two-specific-hostnames-attaching-to-gateway-with-wildcard-hostname.out.yaml b/internal/gatewayapi/testdata/httproute-with-two-specific-hostnames-attaching-to-gateway-with-wildcard-hostname.out.yaml index 78c38ef508..31201bfaaf 100644 --- a/internal/gatewayapi/testdata/httproute-with-two-specific-hostnames-attaching-to-gateway-with-wildcard-hostname.out.yaml +++ b/internal/gatewayapi/testdata/httproute-with-two-specific-hostnames-attaching-to-gateway-with-wildcard-hostname.out.yaml @@ -20,9 +20,8 @@ gateways: supportedKinds: - group: gateway.networking.k8s.io kind: HTTPRoute - # Uncomment when https://github.com/envoyproxy/gateway/issues/950 is fixed - #- group: gateway.networking.k8s.io - #kind: GRPCRoute + - group: gateway.networking.k8s.io + kind: GRPCRoute attachedRoutes: 1 conditions: - type: Programmed diff --git a/internal/gatewayapi/testdata/httproute-with-urlrewrite-filter-full-path-replace-http.out.yaml b/internal/gatewayapi/testdata/httproute-with-urlrewrite-filter-full-path-replace-http.out.yaml index 056148fd01..b6c9b72b80 100644 --- a/internal/gatewayapi/testdata/httproute-with-urlrewrite-filter-full-path-replace-http.out.yaml +++ b/internal/gatewayapi/testdata/httproute-with-urlrewrite-filter-full-path-replace-http.out.yaml @@ -20,9 +20,8 @@ gateways: supportedKinds: - group: gateway.networking.k8s.io kind: HTTPRoute - # Uncomment when https://github.com/envoyproxy/gateway/issues/950 is fixed - #- group: gateway.networking.k8s.io - #kind: GRPCRoute + - group: gateway.networking.k8s.io + kind: GRPCRoute attachedRoutes: 1 conditions: - type: Programmed diff --git a/internal/gatewayapi/testdata/httproute-with-urlrewrite-filter-hostname-prefix-replace.out.yaml b/internal/gatewayapi/testdata/httproute-with-urlrewrite-filter-hostname-prefix-replace.out.yaml index 4488ba83e0..196d0782f7 100644 --- a/internal/gatewayapi/testdata/httproute-with-urlrewrite-filter-hostname-prefix-replace.out.yaml 
+++ b/internal/gatewayapi/testdata/httproute-with-urlrewrite-filter-hostname-prefix-replace.out.yaml @@ -20,9 +20,8 @@ gateways: supportedKinds: - group: gateway.networking.k8s.io kind: HTTPRoute - # Uncomment when https://github.com/envoyproxy/gateway/issues/950 is fixed - #- group: gateway.networking.k8s.io - #kind: GRPCRoute + - group: gateway.networking.k8s.io + kind: GRPCRoute attachedRoutes: 1 conditions: - type: Programmed diff --git a/internal/gatewayapi/testdata/httproute-with-urlrewrite-filter-hostname.out.yaml b/internal/gatewayapi/testdata/httproute-with-urlrewrite-filter-hostname.out.yaml index 91fa694a1d..188ccef163 100644 --- a/internal/gatewayapi/testdata/httproute-with-urlrewrite-filter-hostname.out.yaml +++ b/internal/gatewayapi/testdata/httproute-with-urlrewrite-filter-hostname.out.yaml @@ -20,9 +20,8 @@ gateways: supportedKinds: - group: gateway.networking.k8s.io kind: HTTPRoute - # Uncomment when https://github.com/envoyproxy/gateway/issues/950 is fixed - #- group: gateway.networking.k8s.io - #kind: GRPCRoute + - group: gateway.networking.k8s.io + kind: GRPCRoute attachedRoutes: 1 conditions: - type: Programmed diff --git a/internal/gatewayapi/testdata/httproute-with-urlrewrite-filter-invalid-filter-type.out.yaml b/internal/gatewayapi/testdata/httproute-with-urlrewrite-filter-invalid-filter-type.out.yaml index dc2ee071cf..e419329711 100644 --- a/internal/gatewayapi/testdata/httproute-with-urlrewrite-filter-invalid-filter-type.out.yaml +++ b/internal/gatewayapi/testdata/httproute-with-urlrewrite-filter-invalid-filter-type.out.yaml @@ -20,9 +20,8 @@ gateways: supportedKinds: - group: gateway.networking.k8s.io kind: HTTPRoute - # Uncomment when https://github.com/envoyproxy/gateway/issues/950 is fixed - #- group: gateway.networking.k8s.io - #kind: GRPCRoute + - group: gateway.networking.k8s.io + kind: GRPCRoute attachedRoutes: 1 conditions: - type: Programmed 
diff --git a/internal/gatewayapi/testdata/httproute-with-urlrewrite-filter-invalid-hostname.out.yaml b/internal/gatewayapi/testdata/httproute-with-urlrewrite-filter-invalid-hostname.out.yaml index a658701888..fa74572d94 100644 --- a/internal/gatewayapi/testdata/httproute-with-urlrewrite-filter-invalid-hostname.out.yaml +++ b/internal/gatewayapi/testdata/httproute-with-urlrewrite-filter-invalid-hostname.out.yaml @@ -20,9 +20,8 @@ gateways: supportedKinds: - group: gateway.networking.k8s.io kind: HTTPRoute - # Uncomment when https://github.com/envoyproxy/gateway/issues/950 is fixed - #- group: gateway.networking.k8s.io - #kind: GRPCRoute + - group: gateway.networking.k8s.io + kind: GRPCRoute attachedRoutes: 1 conditions: - type: Programmed diff --git a/internal/gatewayapi/testdata/httproute-with-urlrewrite-filter-invalid-multiple-filters.out.yaml b/internal/gatewayapi/testdata/httproute-with-urlrewrite-filter-invalid-multiple-filters.out.yaml index 25e880f527..25794a648b 100644 --- a/internal/gatewayapi/testdata/httproute-with-urlrewrite-filter-invalid-multiple-filters.out.yaml +++ b/internal/gatewayapi/testdata/httproute-with-urlrewrite-filter-invalid-multiple-filters.out.yaml @@ -20,9 +20,8 @@ gateways: supportedKinds: - group: gateway.networking.k8s.io kind: HTTPRoute - # Uncomment when https://github.com/envoyproxy/gateway/issues/950 is fixed - #- group: gateway.networking.k8s.io - #kind: GRPCRoute + - group: gateway.networking.k8s.io + kind: GRPCRoute attachedRoutes: 1 conditions: - type: Programmed diff --git a/internal/gatewayapi/testdata/httproute-with-urlrewrite-filter-invalid-path-type.out.yaml b/internal/gatewayapi/testdata/httproute-with-urlrewrite-filter-invalid-path-type.out.yaml index 84b7624cfb..55de97aa1b 100644 --- a/internal/gatewayapi/testdata/httproute-with-urlrewrite-filter-invalid-path-type.out.yaml +++ b/internal/gatewayapi/testdata/httproute-with-urlrewrite-filter-invalid-path-type.out.yaml 
@@ -20,9 +20,8 @@ gateways: supportedKinds: - group: gateway.networking.k8s.io kind: HTTPRoute - # Uncomment when https://github.com/envoyproxy/gateway/issues/950 is fixed - #- group: gateway.networking.k8s.io - #kind: GRPCRoute + - group: gateway.networking.k8s.io + kind: GRPCRoute attachedRoutes: 1 conditions: - type: Programmed diff --git a/internal/gatewayapi/testdata/httproute-with-urlrewrite-filter-invalid-path.out.yaml b/internal/gatewayapi/testdata/httproute-with-urlrewrite-filter-invalid-path.out.yaml index 520669ccea..d119a0b68e 100644 --- a/internal/gatewayapi/testdata/httproute-with-urlrewrite-filter-invalid-path.out.yaml +++ b/internal/gatewayapi/testdata/httproute-with-urlrewrite-filter-invalid-path.out.yaml @@ -20,9 +20,8 @@ gateways: supportedKinds: - group: gateway.networking.k8s.io kind: HTTPRoute - # Uncomment when https://github.com/envoyproxy/gateway/issues/950 is fixed - #- group: gateway.networking.k8s.io - #kind: GRPCRoute + - group: gateway.networking.k8s.io + kind: GRPCRoute attachedRoutes: 1 conditions: - type: Programmed diff --git a/internal/gatewayapi/testdata/httproute-with-urlrewrite-filter-missing-path.out.yaml b/internal/gatewayapi/testdata/httproute-with-urlrewrite-filter-missing-path.out.yaml index 8fe273d438..270f29f220 100644 --- a/internal/gatewayapi/testdata/httproute-with-urlrewrite-filter-missing-path.out.yaml +++ b/internal/gatewayapi/testdata/httproute-with-urlrewrite-filter-missing-path.out.yaml @@ -20,9 +20,8 @@ gateways: supportedKinds: - group: gateway.networking.k8s.io kind: HTTPRoute - # Uncomment when https://github.com/envoyproxy/gateway/issues/950 is fixed - #- group: gateway.networking.k8s.io - #kind: GRPCRoute + - group: gateway.networking.k8s.io + kind: GRPCRoute attachedRoutes: 1 conditions: - type: Programmed 
diff --git a/internal/gatewayapi/testdata/httproute-with-urlrewrite-filter-prefix-replace-http.out.yaml b/internal/gatewayapi/testdata/httproute-with-urlrewrite-filter-prefix-replace-http.out.yaml index 77513245f1..dc054b67c7 100644 --- a/internal/gatewayapi/testdata/httproute-with-urlrewrite-filter-prefix-replace-http.out.yaml +++ b/internal/gatewayapi/testdata/httproute-with-urlrewrite-filter-prefix-replace-http.out.yaml @@ -20,9 +20,8 @@ gateways: supportedKinds: - group: gateway.networking.k8s.io kind: HTTPRoute - # Uncomment when https://github.com/envoyproxy/gateway/issues/950 is fixed - #- group: gateway.networking.k8s.io - #kind: GRPCRoute + - group: gateway.networking.k8s.io + kind: GRPCRoute attachedRoutes: 1 conditions: - type: Programmed diff --git a/internal/gatewayapi/testdata/httproute-with-valid-authenfilter.out.yaml b/internal/gatewayapi/testdata/httproute-with-valid-authenfilter.out.yaml index 4cf66b13bc..3bc81f0f44 100644 --- a/internal/gatewayapi/testdata/httproute-with-valid-authenfilter.out.yaml +++ b/internal/gatewayapi/testdata/httproute-with-valid-authenfilter.out.yaml @@ -20,9 +20,8 @@ gateways: supportedKinds: - group: gateway.networking.k8s.io kind: HTTPRoute - # Uncomment when https://github.com/envoyproxy/gateway/issues/950 is fixed - #- group: gateway.networking.k8s.io - #kind: GRPCRoute + - group: gateway.networking.k8s.io + kind: GRPCRoute attachedRoutes: 1 conditions: - type: Programmed diff --git a/internal/gatewayapi/testdata/httproute-with-valid-multi-match-authenfilter.out.yaml b/internal/gatewayapi/testdata/httproute-with-valid-multi-match-authenfilter.out.yaml index 05f22036e5..67b8df4680 100644 --- a/internal/gatewayapi/testdata/httproute-with-valid-multi-match-authenfilter.out.yaml +++ b/internal/gatewayapi/testdata/httproute-with-valid-multi-match-authenfilter.out.yaml 
@@ -20,9 +20,8 @@ gateways: supportedKinds: - group: gateway.networking.k8s.io kind: HTTPRoute - # Uncomment when https://github.com/envoyproxy/gateway/issues/950 is fixed - #- group: gateway.networking.k8s.io - #kind: GRPCRoute + - group: gateway.networking.k8s.io + kind: GRPCRoute attachedRoutes: 1 conditions: - type: Programmed diff --git a/internal/gatewayapi/testdata/httproute-with-valid-multi-match-multi-authenfilter.out.yaml b/internal/gatewayapi/testdata/httproute-with-valid-multi-match-multi-authenfilter.out.yaml index c594682630..54a9c93d19 100644 --- a/internal/gatewayapi/testdata/httproute-with-valid-multi-match-multi-authenfilter.out.yaml +++ b/internal/gatewayapi/testdata/httproute-with-valid-multi-match-multi-authenfilter.out.yaml @@ -20,9 +20,8 @@ gateways: supportedKinds: - group: gateway.networking.k8s.io kind: HTTPRoute - # Uncomment when https://github.com/envoyproxy/gateway/issues/950 is fixed - #- group: gateway.networking.k8s.io - #kind: GRPCRoute + - group: gateway.networking.k8s.io + kind: GRPCRoute attachedRoutes: 1 conditions: - type: Programmed diff --git a/internal/gatewayapi/testdata/httproute-with-valid-ratelimitfilter.out.yaml b/internal/gatewayapi/testdata/httproute-with-valid-ratelimitfilter.out.yaml index 5b984b50c2..8be7071f2e 100644 --- a/internal/gatewayapi/testdata/httproute-with-valid-ratelimitfilter.out.yaml +++ b/internal/gatewayapi/testdata/httproute-with-valid-ratelimitfilter.out.yaml @@ -20,9 +20,8 @@ gateways: supportedKinds: - group: gateway.networking.k8s.io kind: HTTPRoute - # Uncomment when https://github.com/envoyproxy/gateway/issues/950 is fixed - #- group: gateway.networking.k8s.io - #kind: GRPCRoute + - group: gateway.networking.k8s.io + kind: GRPCRoute attachedRoutes: 1 conditions: - type: Programmed 
diff --git a/internal/gatewayapi/testdata/httproute-with-wildcard-hostname-attaching-to-gateway-with-unset-hostname.out.yaml b/internal/gatewayapi/testdata/httproute-with-wildcard-hostname-attaching-to-gateway-with-unset-hostname.out.yaml index d9f11730d6..b8c0cc61c4 100644 --- a/internal/gatewayapi/testdata/httproute-with-wildcard-hostname-attaching-to-gateway-with-unset-hostname.out.yaml +++ b/internal/gatewayapi/testdata/httproute-with-wildcard-hostname-attaching-to-gateway-with-unset-hostname.out.yaml @@ -19,9 +19,8 @@ gateways: supportedKinds: - group: gateway.networking.k8s.io kind: HTTPRoute - # Uncomment when https://github.com/envoyproxy/gateway/issues/950 is fixed - #- group: gateway.networking.k8s.io - #kind: GRPCRoute + - group: gateway.networking.k8s.io + kind: GRPCRoute attachedRoutes: 1 conditions: - type: Programmed diff --git a/internal/gatewayapi/testdata/httproutes-with-multiple-matches.out.yaml b/internal/gatewayapi/testdata/httproutes-with-multiple-matches.out.yaml index 4b105d8f9e..6a6cec386b 100644 --- a/internal/gatewayapi/testdata/httproutes-with-multiple-matches.out.yaml +++ b/internal/gatewayapi/testdata/httproutes-with-multiple-matches.out.yaml @@ -19,9 +19,8 @@ gateways: supportedKinds: - group: gateway.networking.k8s.io kind: HTTPRoute - # Uncomment when https://github.com/envoyproxy/gateway/issues/950 is fixed - #- group: gateway.networking.k8s.io - #kind: GRPCRoute + - group: gateway.networking.k8s.io + kind: GRPCRoute attachedRoutes: 5 conditions: - type: Programmed diff --git a/internal/gatewayapi/translator.go b/internal/gatewayapi/translator.go index 2d2e312664..9f6084fa00 100644 --- a/internal/gatewayapi/translator.go +++ b/internal/gatewayapi/translator.go 
@@ -57,6 +57,10 @@ type Translator struct {
 	// the Infra IR. If unspecified, the default proxy
 	// image will be used.
 	ProxyImage string
+
+	// GlobalRateLimitEnabled is true when global
+	// ratelimiting has been configured by the admin.
+	GlobalRateLimitEnabled bool
 }
 
 type TranslateResult struct {
diff --git a/internal/gatewayapi/translator_test.go b/internal/gatewayapi/translator_test.go
index 8651fa4106..9b3238c682 100644
--- a/internal/gatewayapi/translator_test.go
+++ b/internal/gatewayapi/translator_test.go
@@ -47,8 +47,9 @@ func TestTranslate(t *testing.T) {
 	mustUnmarshal(t, string(output), want)
 
 	translator := &Translator{
-		GatewayClassName: "envoy-gateway-class",
-		ProxyImage: "envoyproxy/envoy:translator-tests",
+		GatewayClassName: "envoy-gateway-class",
+		ProxyImage: "envoyproxy/envoy:translator-tests",
+		GlobalRateLimitEnabled: true,
 	}
 
 	// Add common test fixtures
diff --git a/internal/globalratelimit/runner/runner.go b/internal/globalratelimit/runner/runner.go
index 0f1ed3c995..053dd31fb0 100644
--- a/internal/globalratelimit/runner/runner.go
+++ b/internal/globalratelimit/runner/runner.go
@@ -48,9 +48,15 @@ func (r *Runner) subscribeAndTranslate(ctx context.Context) {
 	var xdsIRs []*ir.Xds
 	snapshot := <-xdsIRCh
 	r.Logger.Info("received a notification")
+	// Skip translation if state is empty
+	if len(snapshot.State) == 0 {
+		continue
+	}
+
 	for _, value := range snapshot.State {
 		xdsIRs = append(xdsIRs, value)
 	}
+	// Translate to ratelimit infra IR
 	result, err := r.translate(xdsIRs)
 	if err != nil {
diff --git a/internal/infrastructure/kubernetes/deployment.go b/internal/infrastructure/kubernetes/deployment.go
index ba31cd6278..9142c435db 100644
--- a/internal/infrastructure/kubernetes/deployment.go
+++ b/internal/infrastructure/kubernetes/deployment.go
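Review bot: Setting `GlobalRateLimitEnabled: true` for every case in TestTranslate leaves the disabled path without coverage; presumably the translator consults this flag when an HTTPRoute references a RateLimitFilter, and whatever status or warning that branch produces when global rate limiting is not configured is now pinned by no fixture. A second translator instance, or a per-case override read from the testdata, with the flag set to false would cover it. The rest of TestTranslate is outside the hunk, so I cannot see whether such a case already exists elsewhere.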
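Review bot: The new `if len(snapshot.State) == 0 { continue }` means a snapshot that becomes empty (every Gateway removed) never reaches `r.translate`, so whatever the previous iteration produced for the rate limit infra is never withdrawn and that stale configuration stays in effect until a non-empty snapshot arrives. If the intent is only to avoid translating nothing, the empty case should still yield an empty result that gets published downstream rather than being skipped; if retaining the last state is deliberate, the comment should say so, e.g. `// Skip translation if state is empty; the previously published ratelimit config is intentionally retained`. The publish step and the rest of subscribeAndTranslate are outside the hunk, so I cannot confirm which behaviour is intended.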
@@ -53,10 +53,10 @@ const (
 	// rateLimitInfraName is the name for rate-limit resources.
 	rateLimitInfraName = "envoy-ratelimit"
-	// rateLimitInfraHTTPPort is the http port that the rate limit service listens on.
-	rateLimitInfraHTTPPort = 8080
+	// rateLimitInfraGRPCPort is the grpc port that the rate limit service listens on.
+	rateLimitInfraGRPCPort = 8081
 	// rateLimitInfraImage is the container image for the rate limit service.
-	rateLimitInfraImage = "envoyproxy/ratelimit:latest"
+	rateLimitInfraImage = "envoyproxy/ratelimit:f28024e3"
 )
 
 //go:embed bootstrap.yaml.tpl
@@ -362,7 +362,7 @@ func expectedRateLimitContainers(infra *ir.RateLimitInfra) []corev1.Container {
 	ports := []corev1.ContainerPort{
 		{
 			Name: "http",
-			ContainerPort: rateLimitInfraHTTPPort,
+			ContainerPort: rateLimitInfraGRPCPort,
 			Protocol: corev1.ProtocolTCP,
 		},
 	}
diff --git a/internal/infrastructure/kubernetes/infra.go b/internal/infrastructure/kubernetes/infra.go
index 3d297ea4e0..80a8d57ccc 100644
--- a/internal/infrastructure/kubernetes/infra.go
+++ b/internal/infrastructure/kubernetes/infra.go
@@ -91,24 +91,24 @@ func (i *Infra) CreateOrUpdateRateLimitInfra(ctx context.Context, infra *ir.Rate
 	if infra == nil {
 		return errors.New("ratelimit infra ir is nil")
 	}
-
-	if err := i.deleteRateLimitService(ctx, infra); err != nil {
+	if err := i.createOrUpdateRateLimitServiceAccount(ctx, infra); err != nil {
 		return err
 	}
-	if err := i.deleteRateLimitDeployment(ctx, infra); err != nil {
+	if err := i.createOrUpdateRateLimitConfigMap(ctx, infra); err != nil {
 		return err
 	}
-	if err := i.deleteRateLimitConfigMap(ctx, infra); err != nil {
+	if err := i.createOrUpdateRateLimitDeployment(ctx, infra); err != nil {
 		return err
 	}
-	if err := i.deleteRateLimitServiceAccount(ctx, infra); err != nil {
+	if err := i.createOrUpdateRateLimitService(ctx, infra); err != nil {
 		return err
 	}
 	return nil
+
 }
 
 // DeleteRateLimitInfra removes the managed kube infra, if it doesn't exist.
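Review bot: `rateLimitInfraImage = "envoyproxy/ratelimit:f28024e3"` replaces `:latest` with a tag, which fixes reproducibility but still trusts a mutable tag that whoever controls the registry namespace can re-push; pinning by digest, `envoyproxy/ratelimit@sha256:<digest-of-f28024e3>` (placeholder, to be filled from the registry), is the immutable form and is what a supply-chain review will ask for. Separately, the port is now gRPC, yet the container port in the second hunk and the Service port in the service.go hunk on the next line both keep `Name: "http"`; renaming to `Name: "grpc"` (and setting `AppProtocol` on the Service port) keeps the manifests honest for anything that infers the protocol from the port name. The comment on the renamed constant could also say why 8081, e.g. `// rateLimitInfraGRPCPort is the grpc port that the rate limit service listens on (the image's default gRPC port).`, if that is indeed the reason.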
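Review bot: The added blank line between `return nil` and the closing `}` of CreateOrUpdateRateLimitInfra looks like an artifact of swapping the two method bodies (the Delete hunk on the next line removes the matching one) and should go. While the four calls are being rewritten, returning `err` bare loses which resource failed; `return fmt.Errorf("creating ratelimit service account: %w", err)` and the equivalents for the configmap, deployment and service (and the delete counterparts in DeleteRateLimitInfra) would make a partially applied rollout diagnosable from the log, at the cost of an `fmt` import if infra.go lacks one. The trailing context comment `// DeleteRateLimitInfra removes the managed kube infra, if it doesn't exist.` reads inverted; `// DeleteRateLimitInfra removes the managed kube infra, if it exists.` matches what the body does.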
@@ -116,22 +116,22 @@ func (i *Infra) DeleteRateLimitInfra(ctx context.Context, infra *ir.RateLimitInf
 	if infra == nil {
 		return errors.New("ratelimit infra ir is nil")
 	}
-	if err := i.createOrUpdateRateLimitServiceAccount(ctx, infra); err != nil {
+
+	if err := i.deleteRateLimitService(ctx, infra); err != nil {
 		return err
 	}
-	if err := i.createOrUpdateRateLimitConfigMap(ctx, infra); err != nil {
+	if err := i.deleteRateLimitDeployment(ctx, infra); err != nil {
 		return err
 	}
-	if err := i.createOrUpdateRateLimitDeployment(ctx, infra); err != nil {
+	if err := i.deleteRateLimitConfigMap(ctx, infra); err != nil {
 		return err
 	}
-	if err := i.createOrUpdateRateLimitService(ctx, infra); err != nil {
+	if err := i.deleteRateLimitServiceAccount(ctx, infra); err != nil {
 		return err
 	}
 	return nil
-
 }
diff --git a/internal/infrastructure/kubernetes/service.go b/internal/infrastructure/kubernetes/service.go
index 10740bb1ff..5c0a9483c3 100644
--- a/internal/infrastructure/kubernetes/service.go
+++ b/internal/infrastructure/kubernetes/service.go
@@ -125,8 +125,8 @@ func (i *Infra) expectedRateLimitService(_ *ir.RateLimitInfra) *corev1.Service {
 		{
 			Name: "http",
 			Protocol: corev1.ProtocolTCP,
-			Port: rateLimitInfraHTTPPort,
-			TargetPort: intstr.IntOrString{IntVal: rateLimitInfraHTTPPort},
+			Port: rateLimitInfraGRPCPort,
+			TargetPort: intstr.IntOrString{IntVal: rateLimitInfraGRPCPort},
 		},
 	}
@@ -151,6 +151,11 @@ func (i *Infra) expectedRateLimitService(_ *ir.RateLimitInfra) *corev1.Service {
 	return svc
 }
 
+// GetRateLimitServiceURL returns the URL for the rate limit service.
+func GetRateLimitServiceURL(namespace string) string {
+	return fmt.Sprintf("grpc://%s.%s.svc.cluster.local:%d", rateLimitInfraName, namespace, rateLimitInfraGRPCPort)
+}
+
 // createOrUpdateRateLimitService creates a Service in the kube api server based on the provided infra,
 // if it doesn't exist or updates it if it does.
 func (i *Infra) createOrUpdateRateLimitService(ctx context.Context, infra *ir.RateLimitInfra) error {
diff --git a/internal/provider/kubernetes/config/crd/bases/config.gateway.envoyproxy.io_envoyproxies.yaml b/internal/provider/kubernetes/config/crd/bases/config.gateway.envoyproxy.io_envoyproxies.yaml
index 3223dc8aae..4267c21cd9 100644
--- a/internal/provider/kubernetes/config/crd/bases/config.gateway.envoyproxy.io_envoyproxies.yaml
+++ b/internal/provider/kubernetes/config/crd/bases/config.gateway.envoyproxy.io_envoyproxies.yaml
@@ -18,7 +18,7 @@ spec: - name: v1alpha1 schema: openAPIV3Schema: - description: EnvoyProxy is the Schema for the envoyproxies API + description: EnvoyProxy is the schema for the envoyproxies API. properties: apiVersion: description: 'APIVersion defines the versioned schema of this representation
@@ -40,11 +40,14 @@ spec: level: system: info description: Logging defines logging parameters for managed proxies. - If unspecified, default settings apply. + If unspecified, default settings apply. This type is not implemented + until https://github.com/envoyproxy/gateway/issues/280 is fixed. properties: level: additionalProperties: - description: LogLevel defines a log level for system logs. + description: LogLevel defines a log level for system logs. This + type is not implemented until https://github.com/envoyproxy/gateway/issues/280 + is fixed. enum: - debug - info
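Review bot: `GetRateLimitServiceURL` hard-codes the `svc.cluster.local` suffix, so on a cluster configured with a non-default DNS domain the address handed to the proxies will not resolve; either take the cluster domain from configuration or emit the shorter `%s.%s.svc` form, which the pod search path resolves under any domain. The scheme is `grpc://`, i.e. plaintext between Envoy and the rate limit service, and rate limit descriptors can carry header values and client addresses across the cluster network, so the function doc should state that and a follow-up for TLS on that hop is worth tracking, e.g. `// The returned endpoint is plaintext gRPC; see <tracking-issue placeholder> for securing this hop.`. `namespace` is interpolated unvalidated; if it only ever comes from the controller's own namespace that is fine, but a sentence in the doc comment saying where it comes from would settle it.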
@@ -82,11 +85,10 @@ spec: type: object type: object type: - description: "Type is the type of resource provider to use. A - resource provider provides infrastructure resources for running - the data plane, e.g. Envoy proxy, and optional auxiliary control - planes. Supported types are: \n * Kubernetes: Provides infrastructure - resources for running the data plane, e.g. Envoy proxy." + description: Type is the type of resource provider to use. A resource + provider provides infrastructure resources for running the data + plane, e.g. Envoy proxy, and optional auxiliary control planes. + Supported types are "Kubernetes". enum: - Kubernetes type: string @@ -95,7 +97,7 @@ spec: type: object type: object status: - description: EnvoyProxyStatus defines the observed state of EnvoyProxy + description: EnvoyProxyStatus defines the actual state of EnvoyProxy. type: object type: object served: true diff --git a/internal/provider/kubernetes/config/crd/bases/gateway.envoyproxy.io_authenticationfilters.yaml b/internal/provider/kubernetes/config/crd/bases/gateway.envoyproxy.io_authenticationfilters.yaml index 7bf8b8684c..0be6709dca 100644 --- a/internal/provider/kubernetes/config/crd/bases/gateway.envoyproxy.io_authenticationfilters.yaml +++ b/internal/provider/kubernetes/config/crd/bases/gateway.envoyproxy.io_authenticationfilters.yaml 
@@ -36,32 +36,29 @@ spec: type. properties: jwtProviders: - description: "JWT defines the JSON Web Token (JWT) authentication - provider type. When multiple jwtProviders are specified, the JWT - is considered valid if any of the providers successfully validate - the JWT. For additional details, see: \n https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_filters/jwt_authn_filter.html" + description: JWT defines the JSON Web Token (JWT) authentication provider + type. When multiple jwtProviders are specified, the JWT is considered + valid if any of the providers successfully validate the JWT. For + additional details, see https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_filters/jwt_authn_filter.html. items: description: 'JwtAuthenticationFilterProvider defines the JSON Web Token (JWT) authentication provider type and how JWTs should be verified:' properties: audiences: - description: "Audiences is a list of JWT audiences allowed to - access. For additional details, see: \n https://tools.ietf.org/html/rfc7519#section-4.1.3 - \n Example: audiences: - foo.apps.example.com bar.apps.example.com - \n If not provided, JWT audiences are not checked." + description: Audiences is a list of JWT audiences allowed access. + For additional details, see https://tools.ietf.org/html/rfc7519#section-4.1.3. + If not provided, JWT audiences are not checked. items: type: string maxItems: 8 type: array issuer: - description: "Issuer is the principal that issued the JWT and + description: Issuer is the principal that issued the JWT and takes the form of a URL or email address. For additional details, - see: \n URL format: https://tools.ietf.org/html/rfc7519#section-4.1.1 - Email format: https://rfc-editor.org/rfc/rfc5322.html \n URL - Example: issuer: https://auth.example.com \n Email Example: - issuer: jdoe@example.com \n If not provided, the JWT issuer - is not checked." 
+ see https://tools.ietf.org/html/rfc7519#section-4.1.1 for + URL format and https://rfc-editor.org/rfc/rfc5322.html for + email format. If not provided, the JWT issuer is not checked. maxLength: 253 type: string name: @@ -76,9 +73,8 @@ spec: Web Key Sets (JWKS) from a remote HTTP/HTTPS endpoint. properties: uri: - description: "URI is the HTTPS URI to fetch the JWKS. Envoy's + description: URI is the HTTPS URI to fetch the JWKS. Envoy's system trust bundle is used to validate the server certificate. - \n Example: uri: https://www.foo.com/oauth2/v1/certs" maxLength: 253 minLength: 1 type: string @@ -92,9 +88,8 @@ spec: maxItems: 4 type: array type: - description: "Type defines the type of authentication provider to - use. Supported provider types are: \n * JWT: A provider that uses - JSON Web Token (JWT) for authenticating requests." + description: Type defines the type of authentication provider to use. + Supported provider types are "JWT". enum: - JWT type: string diff --git a/internal/provider/kubernetes/config/crd/bases/gateway.envoyproxy.io_ratelimitfilters.yaml b/internal/provider/kubernetes/config/crd/bases/gateway.envoyproxy.io_ratelimitfilters.yaml index 8aa43e98a1..5414b0cd84 100644 --- a/internal/provider/kubernetes/config/crd/bases/gateway.envoyproxy.io_ratelimitfilters.yaml +++ b/internal/provider/kubernetes/config/crd/bases/gateway.envoyproxy.io_ratelimitfilters.yaml @@ -37,7 +37,7 @@ spec: description: Spec defines the desired state of RateLimitFilter. properties: global: - description: Global rate limit configuration. + description: Global defines global rate limit configuration. properties: rules: description: Rules are a list of RateLimit selectors and limits. 
@@ -118,9 +118,9 @@ spec: requests: type: integer unit: - description: "RateLimitUnit specifies the intervals - for setting rate limits. Valid RateLimitUnit values - are: \n * \"Second\" * \"Minute\" * \"Hour\" * \"Day\"" + description: RateLimitUnit specifies the intervals for + setting rate limits. Valid RateLimitUnit values are + "Second", "Minute", "Hour", and "Day". enum: - Second - Minute @@ -140,9 +140,8 @@ spec: - rules type: object type: - description: "Type decides the scope for the RateLimits. Valid RateLimitType - values are: \n * \"Global\" - In this mode, the rate limits are - applied across all Envoy proxy instances." + description: Type decides the scope for the RateLimits. Valid RateLimitType + values are "Global". enum: - Global type: string diff --git a/internal/provider/kubernetes/testdata/in/gateway-experimental-crd.yaml b/internal/provider/kubernetes/testdata/in/gateway-experimental-crd.yaml index a9d429a970..ed5e32d92c 100644 --- a/internal/provider/kubernetes/testdata/in/gateway-experimental-crd.yaml +++ b/internal/provider/kubernetes/testdata/in/gateway-experimental-crd.yaml @@ -3,7 +3,7 @@ kind: CustomResourceDefinition metadata: annotations: api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/1538 - gateway.networking.k8s.io/bundle-version: v0.6.0 + gateway.networking.k8s.io/bundle-version: v0.6.1 gateway.networking.k8s.io/channel: experimental creationTimestamp: null name: gateways.gateway.networking.k8s.io diff --git a/internal/provider/kubernetes/testdata/in/gatewayclass-experimental-crd.yaml b/internal/provider/kubernetes/testdata/in/gatewayclass-experimental-crd.yaml index 9dae2ad7ab..ec036fad3b 100644 --- a/internal/provider/kubernetes/testdata/in/gatewayclass-experimental-crd.yaml +++ b/internal/provider/kubernetes/testdata/in/gatewayclass-experimental-crd.yaml 
@@ -3,7 +3,7 @@ kind: CustomResourceDefinition metadata: annotations: api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/1538 - gateway.networking.k8s.io/bundle-version: v0.6.0 + gateway.networking.k8s.io/bundle-version: v0.6.1 gateway.networking.k8s.io/channel: experimental creationTimestamp: null name: gatewayclasses.gateway.networking.k8s.io diff --git a/internal/provider/kubernetes/testdata/in/grpcroute-experimental-crd.yaml b/internal/provider/kubernetes/testdata/in/grpcroute-experimental-crd.yaml index 99b30f98bd..388f5b9d5c 100644 --- a/internal/provider/kubernetes/testdata/in/grpcroute-experimental-crd.yaml +++ b/internal/provider/kubernetes/testdata/in/grpcroute-experimental-crd.yaml @@ -3,7 +3,7 @@ kind: CustomResourceDefinition metadata: annotations: api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/1538 - gateway.networking.k8s.io/bundle-version: v0.6.0 + gateway.networking.k8s.io/bundle-version: v0.6.1 gateway.networking.k8s.io/channel: experimental creationTimestamp: null name: grpcroutes.gateway.networking.k8s.io diff --git a/internal/provider/kubernetes/testdata/in/httproute-experimental-crd.yaml b/internal/provider/kubernetes/testdata/in/httproute-experimental-crd.yaml index 439ff44421..29aa0a4719 100644 --- a/internal/provider/kubernetes/testdata/in/httproute-experimental-crd.yaml +++ b/internal/provider/kubernetes/testdata/in/httproute-experimental-crd.yaml @@ -3,7 +3,7 @@ kind: CustomResourceDefinition metadata: annotations: api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/1538 - gateway.networking.k8s.io/bundle-version: v0.6.0 + gateway.networking.k8s.io/bundle-version: v0.6.1 gateway.networking.k8s.io/channel: experimental creationTimestamp: null name: httproutes.gateway.networking.k8s.io 
diff --git a/internal/provider/kubernetes/testdata/in/referencegrant-experimental-crd.yaml b/internal/provider/kubernetes/testdata/in/referencegrant-experimental-crd.yaml index 513c8025ff..da6b472415 100644 --- a/internal/provider/kubernetes/testdata/in/referencegrant-experimental-crd.yaml +++ b/internal/provider/kubernetes/testdata/in/referencegrant-experimental-crd.yaml @@ -3,7 +3,7 @@ kind: CustomResourceDefinition metadata: annotations: api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/1538 - gateway.networking.k8s.io/bundle-version: v0.6.0 + gateway.networking.k8s.io/bundle-version: v0.6.1 gateway.networking.k8s.io/channel: experimental creationTimestamp: null name: referencegrants.gateway.networking.k8s.io diff --git a/internal/provider/kubernetes/testdata/in/tcproute-experimental-crd.yaml b/internal/provider/kubernetes/testdata/in/tcproute-experimental-crd.yaml index 9924e0ab33..af2fbd5aae 100644 --- a/internal/provider/kubernetes/testdata/in/tcproute-experimental-crd.yaml +++ b/internal/provider/kubernetes/testdata/in/tcproute-experimental-crd.yaml @@ -3,7 +3,7 @@ kind: CustomResourceDefinition metadata: annotations: api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/1538 - gateway.networking.k8s.io/bundle-version: v0.6.0 + gateway.networking.k8s.io/bundle-version: v0.6.1 gateway.networking.k8s.io/channel: experimental creationTimestamp: null name: tcproutes.gateway.networking.k8s.io diff --git a/internal/provider/kubernetes/testdata/in/tlsroute-experimental-crd.yaml b/internal/provider/kubernetes/testdata/in/tlsroute-experimental-crd.yaml index ffb230461a..aceddb9dd2 100644 --- a/internal/provider/kubernetes/testdata/in/tlsroute-experimental-crd.yaml +++ b/internal/provider/kubernetes/testdata/in/tlsroute-experimental-crd.yaml 
@@ -3,7 +3,7 @@ kind: CustomResourceDefinition metadata: annotations: api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/1538 - gateway.networking.k8s.io/bundle-version: v0.6.0 + gateway.networking.k8s.io/bundle-version: v0.6.1 gateway.networking.k8s.io/channel: experimental creationTimestamp: null name: tlsroutes.gateway.networking.k8s.io diff --git a/internal/provider/kubernetes/testdata/in/udproute-experimental-crd.yaml b/internal/provider/kubernetes/testdata/in/udproute-experimental-crd.yaml index 7c2deaa555..857518c9b4 100644 --- a/internal/provider/kubernetes/testdata/in/udproute-experimental-crd.yaml +++ b/internal/provider/kubernetes/testdata/in/udproute-experimental-crd.yaml @@ -3,7 +3,7 @@ kind: CustomResourceDefinition metadata: annotations: api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/1538 - gateway.networking.k8s.io/bundle-version: v0.6.0 + gateway.networking.k8s.io/bundle-version: v0.6.1 gateway.networking.k8s.io/channel: experimental creationTimestamp: null name: udproutes.gateway.networking.k8s.io diff --git a/internal/xds/translator/authentication.go b/internal/xds/translator/authentication.go index 14c703fbac..9324234da2 100644 --- a/internal/xds/translator/authentication.go +++ b/internal/xds/translator/authentication.go @@ -24,7 +24,6 @@ import ( tls "github.com/envoyproxy/go-control-plane/envoy/extensions/transport_sockets/tls/v3" "github.com/envoyproxy/go-control-plane/pkg/resource/v3" "github.com/envoyproxy/go-control-plane/pkg/wellknown" - wkt "github.com/envoyproxy/go-control-plane/pkg/wellknown" "google.golang.org/protobuf/types/known/anypb" "google.golang.org/protobuf/types/known/durationpb" 
@@ -49,10 +48,6 @@ func patchHCMWithJwtAuthnFilter(mgr *hcm.HttpConnectionManager, irListener *ir.H return errors.New("ir listener is nil") } - if len(irListener.Routes) == 0 { - return errors.New("ir listener contains no routes") - } - if !listenerContainsJwtAuthn(irListener) { return nil } @@ -219,11 +214,10 @@ func buildClusterFromJwks(jwks *jwksCluster) (*cluster.Cluster, error) { }, }, }, - Http2ProtocolOptions: &core.Http2ProtocolOptions{}, - DnsRefreshRate: durationpb.New(30 * time.Second), - RespectDnsTtl: true, - DnsLookupFamily: cluster.Cluster_V4_ONLY, - TransportSocket: tSocket, + DnsRefreshRate: durationpb.New(30 * time.Second), + RespectDnsTtl: true, + DnsLookupFamily: cluster.Cluster_V4_ONLY, + TransportSocket: tSocket, }, nil } @@ -315,7 +309,7 @@ func buildJwtPerRouteConfig(irRoute *ir.HTTPRoute, listener *listener.Listener) } for _, filter := range filterCh.Filters { - if filter.Name == wkt.HTTPConnectionManager { + if filter.Name == wellknown.HTTPConnectionManager { // Unmarshal the filter to a jwt authn config and validate it. hcmProto := new(hcm.HttpConnectionManager) hcmAny := filter.GetTypedConfig() diff --git a/internal/xds/translator/listener.go b/internal/xds/translator/listener.go index 2a5707843e..b73da103b3 100644 --- a/internal/xds/translator/listener.go +++ b/internal/xds/translator/listener.go @@ -52,7 +52,7 @@ func buildXdsTCPListener(name, address string, port uint32) *listener.Listener { } } -func addXdsHTTPFilterChain(xdsListener *listener.Listener, irListener *ir.HTTPListener) error { +func (t *Translator) addXdsHTTPFilterChain(xdsListener *listener.Listener, irListener *ir.HTTPListener) error { routerAny, err := anypb.New(&router.Router{}) if err != nil { return err 
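Review bot: In buildClusterFromJwks the JWKS cluster loses `Http2ProtocolOptions` with nothing put in its place, so the remote JWKS fetch presumably falls back to Envoy's HTTP/1.1 default, whereas the rate limit cluster in ratelimit.go replaces the same field with `TypedExtensionProtocolOptions: buildTypedExtensionProtocolOptions()`. If the downgrade is deliberate (a JWKS endpoint is not guaranteed to speak h2), a comment on the cluster literal such as `// No explicit protocol options: JWKS endpoints are fetched with Envoy's default HTTP/1.1 upstream settings.` would stop the next reader from "fixing" it; if not, the same typed options should be set here. The enclosing function starts outside the hunk.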
@@ -121,7 +121,7 @@ func addXdsHTTPFilterChain(xdsListener *listener.Listener, irListener *ir.HTTPLi // TODO: Make this a generic interface for all API Gateway features. // https://github.com/envoyproxy/gateway/issues/882 - patchHCMWithRateLimit(mgr, irListener) + t.patchHCMWithRateLimit(mgr, irListener) // Add the jwt authn filter, if needed. if err := patchHCMWithJwtAuthnFilter(mgr, irListener); err != nil { diff --git a/internal/xds/translator/ratelimit.go b/internal/xds/translator/ratelimit.go index ebd7b05c15..ceb12e7df4 100644 --- a/internal/xds/translator/ratelimit.go +++ b/internal/xds/translator/ratelimit.go @@ -7,6 +7,7 @@ package translator import ( "bytes" + "net/url" "strconv" "time" @@ -17,7 +18,7 @@ import ( routev3 "github.com/envoyproxy/go-control-plane/envoy/config/route/v3" ratelimitfilter "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/http/ratelimit/v3" hcm "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/network/http_connection_manager/v3" - wkt "github.com/envoyproxy/go-control-plane/pkg/wellknown" + "github.com/envoyproxy/go-control-plane/pkg/wellknown" ratelimitserviceconfig "github.com/envoyproxy/ratelimit/src/config" "google.golang.org/protobuf/types/known/anypb" "google.golang.org/protobuf/types/known/durationpb" @@ -29,15 +30,15 @@ import ( // patchHCMWithRateLimit builds and appends the Rate Limit Filter to the HTTP connection manager // if applicable and it does not already exist. -func patchHCMWithRateLimit(mgr *hcm.HttpConnectionManager, irListener *ir.HTTPListener) { +func (t *Translator) patchHCMWithRateLimit(mgr *hcm.HttpConnectionManager, irListener *ir.HTTPListener) { // Return early if rate limits dont exist - if !isRateLimitPresent(irListener) { + if !t.isRateLimitPresent(irListener) { return } // Return early if filter already exists. for _, httpFilter := range mgr.HttpFilters { - if httpFilter.Name == wkt.HTTPRateLimit { + if httpFilter.Name == wellknown.HTTPRateLimit { return } } 
@@ -48,7 +49,11 @@ func patchHCMWithRateLimit(mgr *hcm.HttpConnectionManager, irListener *ir.HTTPLi } // isRateLimitPresent returns true if rate limit config exists for the listener. -func isRateLimitPresent(irListener *ir.HTTPListener) bool { +func (t *Translator) isRateLimitPresent(irListener *ir.HTTPListener) bool { + // Return false if global ratelimiting is disabled. + if t.GlobalRateLimit == nil { + return false + } // Return true if rate limit config exists. for _, route := range irListener.Routes { if route.RateLimit != nil && route.RateLimit.Global != nil { @@ -79,7 +84,7 @@ func buildRateLimitFilter(irListener *ir.HTTPListener) *hcm.HttpFilter { } rateLimitFilter := &hcm.HttpFilter{ - Name: wkt.HTTPRateLimit, + Name: wellknown.HTTPRateLimit, ConfigType: &hcm.HttpFilter_TypedConfig{ TypedConfig: rateLimitFilterAny, }, @@ -256,14 +261,14 @@ func buildRateLimitServiceDescriptors(descriptorPrefix string, global *ir.Global return yamlDescs } -func buildRateLimitServiceCluster(irListener *ir.HTTPListener) *cluster.Cluster { +func (t *Translator) buildRateLimitServiceCluster(irListener *ir.HTTPListener) *cluster.Cluster { // Return early if rate limits dont exist. - if !isRateLimitPresent(irListener) { + if !t.isRateLimitPresent(irListener) { return nil } clusterName := getRateLimitServiceClusterName() - host, port := getRateLimitServiceGrpcHostPort() + host, port := t.getRateLimitServiceGrpcHostPort() rateLimitServerCluster := &cluster.Cluster{ Name: clusterName, ClusterDiscoveryType: &cluster.Cluster_Type{Type: cluster.Cluster_STRICT_DNS}, 
@@ -292,10 +297,10 @@ func buildRateLimitServiceCluster(irListener *ir.HTTPListener) *cluster.Cluster }, }, }, - Http2ProtocolOptions: &core.Http2ProtocolOptions{}, - DnsRefreshRate: durationpb.New(30 * time.Second), - RespectDnsTtl: true, - DnsLookupFamily: cluster.Cluster_V4_ONLY, + TypedExtensionProtocolOptions: buildTypedExtensionProtocolOptions(), + DnsRefreshRate: durationpb.New(30 * time.Second), + RespectDnsTtl: true, + DnsLookupFamily: cluster.Cluster_V4_ONLY, } return rateLimitServerCluster } @@ -317,6 +322,14 @@ func getRateLimitDomain(irListener *ir.HTTPListener) string { return irListener.Name } -func getRateLimitServiceGrpcHostPort() (string, int) { - return "TODO", 0 +func (t *Translator) getRateLimitServiceGrpcHostPort() (string, int) { + u, err := url.Parse(t.GlobalRateLimit.ServiceURL) + if err != nil { + panic(err) + } + p, err := strconv.Atoi(u.Port()) + if err != nil { + panic(err) + } + return u.Hostname(), p } diff --git a/internal/xds/translator/route.go b/internal/xds/translator/route.go index cd106f6569..24d1582d55 100644 --- a/internal/xds/translator/route.go +++ b/internal/xds/translator/route.go @@ -96,8 +96,14 @@ func buildXdsRouteMatch(pathMatch *ir.StringMatch, headerMatches []*ir.StringMat Path: *pathMatch.Exact, } } else if pathMatch.Prefix != nil { - outMatch.PathSpecifier = &routev3.RouteMatch_Prefix{ - Prefix: *pathMatch.Prefix, + if *pathMatch.Prefix == "/" { + outMatch.PathSpecifier = &routev3.RouteMatch_Prefix{ + Prefix: "/", + } + } else { + outMatch.PathSpecifier = &routev3.RouteMatch_PathSeparatedPrefix{ + PathSeparatedPrefix: *pathMatch.Prefix, + } } } else if pathMatch.SafeRegex != nil { outMatch.PathSpecifier = &routev3.RouteMatch_SafeRegex{ diff --git a/internal/xds/translator/runner/runner.go b/internal/xds/translator/runner/runner.go index 49ee70254e..4ded373354 100644 --- a/internal/xds/translator/runner/runner.go +++ b/internal/xds/translator/runner/runner.go 
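Review bot: getRateLimitServiceGrpcHostPort turns a malformed `GlobalRateLimit.ServiceURL` into a `panic(err)` twice, which takes down the whole translator instead of failing the one translation, and a URL without an explicit port also ends in the `strconv.Atoi(u.Port())` panic because `Port()` returns "". An empty `u.Hostname()` is not rejected either, so a value such as `"://"` would yield an empty cluster address. Returning an error and letting buildRateLimitServiceCluster (above, in this file) propagate it keeps a configuration mistake recoverable; the sketch below assumes `fmt` is already imported, otherwise use `errors.New`. A cheaper alternative is to validate the URL once where GlobalRateLimitSettings is built in runner.go and keep this accessor panic-free by construction.
```go
func (t *Translator) getRateLimitServiceGrpcHostPort() (string, int, error) {
	u, err := url.Parse(t.GlobalRateLimit.ServiceURL)
	if err != nil {
		return "", 0, fmt.Errorf("parsing rate limit service url %q: %w", t.GlobalRateLimit.ServiceURL, err)
	}
	if u.Hostname() == "" {
		return "", 0, fmt.Errorf("rate limit service url %q has no host", t.GlobalRateLimit.ServiceURL)
	}
	p, err := strconv.Atoi(u.Port())
	if err != nil {
		return "", 0, fmt.Errorf("parsing rate limit service port %q: %w", u.Port(), err)
	}
	return u.Hostname(), p, nil
}
```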
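Review bot: The new PathSeparatedPrefix branch in buildXdsRouteMatch passes `*pathMatch.Prefix` through unchanged, but Envoy validates `path_separated_prefix` and, as far as I recall, rejects a value that ends in "/" (or contains "?"/"#"), so a PathPrefix such as `/foo/` would make the whole route configuration NACK rather than match `/foo` and `/foo/bar`. Trimming the separator first keeps the root case and the matcher consistent: `prefix := strings.TrimSuffix(*pathMatch.Prefix, "/")`, test `if prefix == "" {` for the root route instead of `== "/"`, and set `PathSeparatedPrefix: prefix,` (strings import assumed). Moving away from plain `Prefix` is the right call, since `/origin` previously also matched `/originals`. buildXdsRouteMatch starts and ends outside the hunk.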
@@ -9,6 +9,7 @@ import ( "context" "github.com/envoyproxy/gateway/internal/envoygateway/config" + infra "github.com/envoyproxy/gateway/internal/infrastructure/kubernetes" "github.com/envoyproxy/gateway/internal/ir" "github.com/envoyproxy/gateway/internal/message" "github.com/envoyproxy/gateway/internal/xds/translator" @@ -52,7 +53,16 @@ func (r *Runner) subscribeAndTranslate(ctx context.Context) { r.Xds.Delete(key) } else { // Translate to xds resources - result, err := translator.Translate(val) + t := &translator.Translator{} + + // Set the rate limit service URL if global rate limiting is enabled. + if r.EnvoyGateway.RateLimit != nil { + t.GlobalRateLimit = &translator.GlobalRateLimitSettings{ + ServiceURL: infra.GetRateLimitServiceURL(r.Namespace), + } + } + + result, err := t.Translate(val) if err != nil { r.Logger.Error(err, "failed to translate xds ir") } else { diff --git a/internal/xds/translator/testdata/out/xds-ir/authn-multi-route-multi-provider.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/authn-multi-route-multi-provider.clusters.yaml index 094af93ce6..8aa0344ef9 100644 --- a/internal/xds/translator/testdata/out/xds-ir/authn-multi-route-multi-provider.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/authn-multi-route-multi-provider.clusters.yaml @@ -37,7 +37,6 @@ - connectTimeout: 10s dnsLookupFamily: V4_ONLY dnsRefreshRate: 30s - http2ProtocolOptions: {} lbPolicy: RANDOM loadAssignment: clusterName: localhost_443 @@ -62,7 +61,6 @@ - connectTimeout: 10s dnsLookupFamily: V4_ONLY dnsRefreshRate: 30s - http2ProtocolOptions: {} lbPolicy: RANDOM loadAssignment: clusterName: localhost_8080 diff --git a/internal/xds/translator/testdata/out/xds-ir/authn-multi-route-single-provider.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/authn-multi-route-single-provider.clusters.yaml index 7514a02fd4..345e076290 100644 --- a/internal/xds/translator/testdata/out/xds-ir/authn-multi-route-single-provider.clusters.yaml 
+++ b/internal/xds/translator/testdata/out/xds-ir/authn-multi-route-single-provider.clusters.yaml @@ -37,7 +37,6 @@ - connectTimeout: 10s dnsLookupFamily: V4_ONLY dnsRefreshRate: 30s - http2ProtocolOptions: {} lbPolicy: RANDOM loadAssignment: clusterName: localhost_443 diff --git a/internal/xds/translator/testdata/out/xds-ir/authn-ratelimit.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/authn-ratelimit.clusters.yaml index c693e62844..19370362a5 100644 --- a/internal/xds/translator/testdata/out/xds-ir/authn-ratelimit.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/authn-ratelimit.clusters.yaml @@ -55,7 +55,6 @@ - connectTimeout: 10s dnsLookupFamily: V4_ONLY dnsRefreshRate: 30s - http2ProtocolOptions: {} lbPolicy: RANDOM loadAssignment: clusterName: ratelimit_cluster @@ -64,15 +63,19 @@ - endpoint: address: socketAddress: - address: TODO - portValue: 0 + address: envoy-ratelimit.envoy-gateway-system.svc.cluster.local + portValue: 8081 name: ratelimit_cluster respectDnsTtl: true type: STRICT_DNS + typedExtensionProtocolOptions: + envoy.extensions.upstreams.http.v3.HttpProtocolOptions: + '@type': type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions + explicitHttpConfig: + http2ProtocolOptions: {} - connectTimeout: 10s dnsLookupFamily: V4_ONLY dnsRefreshRate: 30s - http2ProtocolOptions: {} lbPolicy: RANDOM loadAssignment: clusterName: localhost_443 diff --git a/internal/xds/translator/testdata/out/xds-ir/authn-single-route-single-match.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/authn-single-route-single-match.clusters.yaml index 5027864f4f..6fe5c6f3da 100644 --- a/internal/xds/translator/testdata/out/xds-ir/authn-single-route-single-match.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/authn-single-route-single-match.clusters.yaml 
@@ -19,7 +19,6 @@ - connectTimeout: 10s dnsLookupFamily: V4_ONLY dnsRefreshRate: 30s - http2ProtocolOptions: {} lbPolicy: RANDOM loadAssignment: clusterName: localhost_443 diff --git a/internal/xds/translator/testdata/out/xds-ir/http-route-rewrite-url-fullpath.routes.yaml b/internal/xds/translator/testdata/out/xds-ir/http-route-rewrite-url-fullpath.routes.yaml index c0c348cb78..b9a5c8c36b 100644 --- a/internal/xds/translator/testdata/out/xds-ir/http-route-rewrite-url-fullpath.routes.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/http-route-rewrite-url-fullpath.routes.yaml @@ -9,7 +9,7 @@ - name: :authority stringMatch: exact: gateway.envoyproxy.io - prefix: /origin + pathSeparatedPrefix: /origin route: cluster: rewrite-route regexRewrite: diff --git a/internal/xds/translator/testdata/out/xds-ir/http-route-rewrite-url-host.routes.yaml b/internal/xds/translator/testdata/out/xds-ir/http-route-rewrite-url-host.routes.yaml index 65cac050e0..e4d83c9bcb 100644 --- a/internal/xds/translator/testdata/out/xds-ir/http-route-rewrite-url-host.routes.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/http-route-rewrite-url-host.routes.yaml @@ -9,7 +9,7 @@ - name: :authority stringMatch: exact: gateway.envoyproxy.io - prefix: /origin + pathSeparatedPrefix: /origin route: appendXForwardedHost: true cluster: rewrite-route diff --git a/internal/xds/translator/testdata/out/xds-ir/http-route-rewrite-url-prefix.routes.yaml b/internal/xds/translator/testdata/out/xds-ir/http-route-rewrite-url-prefix.routes.yaml index 755b58263b..5b33b285d5 100644 --- a/internal/xds/translator/testdata/out/xds-ir/http-route-rewrite-url-prefix.routes.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/http-route-rewrite-url-prefix.routes.yaml @@ -9,7 +9,7 @@ - name: :authority stringMatch: exact: gateway.envoyproxy.io - prefix: /origin + pathSeparatedPrefix: /origin route: cluster: rewrite-route prefixRewrite: /rewrite 
diff --git a/internal/xds/translator/testdata/out/xds-ir/ratelimit.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/ratelimit.clusters.yaml index cb605d770d..dea386a0a9 100644 --- a/internal/xds/translator/testdata/out/xds-ir/ratelimit.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/ratelimit.clusters.yaml @@ -55,7 +55,6 @@ - connectTimeout: 10s dnsLookupFamily: V4_ONLY dnsRefreshRate: 30s - http2ProtocolOptions: {} lbPolicy: RANDOM loadAssignment: clusterName: ratelimit_cluster @@ -64,8 +63,13 @@ - endpoint: address: socketAddress: - address: TODO - portValue: 0 + address: envoy-ratelimit.envoy-gateway-system.svc.cluster.local + portValue: 8081 name: ratelimit_cluster respectDnsTtl: true type: STRICT_DNS + typedExtensionProtocolOptions: + envoy.extensions.upstreams.http.v3.HttpProtocolOptions: + '@type': type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions + explicitHttpConfig: + http2ProtocolOptions: {} diff --git a/internal/xds/translator/translator.go b/internal/xds/translator/translator.go index f6d44e745d..2137a06bf0 100644 --- a/internal/xds/translator/translator.go +++ b/internal/xds/translator/translator.go 
@@ -20,15 +20,28 @@ import ( "github.com/envoyproxy/gateway/internal/xds/types" ) +// Translator translates the xDS IR into xDS resources. +type Translator struct { + // GlobalRateLimit holds the global rate limit settings + // required during xds translation. + GlobalRateLimit *GlobalRateLimitSettings +} + +type GlobalRateLimitSettings struct { + // ServiceURL is the URL of the global + // rate limit service. + ServiceURL string +} + // Translate translates the XDS IR into xDS resources -func Translate(ir *ir.Xds) (*types.ResourceVersionTable, error) { +func (t *Translator) Translate(ir *ir.Xds) (*types.ResourceVersionTable, error) { if ir == nil { return nil, errors.New("ir is nil") } tCtx := new(types.ResourceVersionTable) - if err := processHTTPListenerXdsTranslation(tCtx, ir.HTTP); err != nil { + if err := t.processHTTPListenerXdsTranslation(tCtx, ir.HTTP); err != nil { return nil, err } @@ -43,7 +56,7 @@ func Translate(ir *ir.Xds) (*types.ResourceVersionTable, error) { return tCtx, nil } -func processHTTPListenerXdsTranslation(tCtx *types.ResourceVersionTable, httpListeners []*ir.HTTPListener) error { +func (t *Translator) processHTTPListenerXdsTranslation(tCtx *types.ResourceVersionTable, httpListeners []*ir.HTTPListener) error { for _, httpListener := range httpListeners { addFilterChain := true var xdsRouteCfg *route.RouteConfiguration @@ -70,7 +83,7 @@ func processHTTPListenerXdsTranslation(tCtx *types.ResourceVersionTable, httpLis } if addFilterChain { - if err := addXdsHTTPFilterChain(xdsListener, httpListener); err != nil { + if err := t.addXdsHTTPFilterChain(xdsListener, httpListener); err != nil { return err } } 
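Review bot: `GlobalRateLimitSettings` is exported but has no doc comment, and neither type says what a nil `GlobalRateLimit` means even though isRateLimitPresent in ratelimit.go now treats it as "global rate limiting disabled". Suggested: `// GlobalRateLimitSettings holds the settings needed to reach the global rate limit service.` on the type, and on the field `// GlobalRateLimit holds the global rate limit settings required during xds translation; nil disables global rate limiting.`. Since Translate is now a method, it is also worth stating on the Translator comment that a zero-value Translator is usable (rate limiting off) while a nil *Translator is not, because the receiver is dereferenced during translation.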
@@ -127,7 +140,7 @@ func processHTTPListenerXdsTranslation(tCtx *types.ResourceVersionTable, httpLis // This is current O(n) right now, but it also leverages an existing // object without allocating new memory. Consider improving it in the future. if rlCluster := findXdsCluster(tCtx, getRateLimitServiceClusterName()); rlCluster == nil { - rlCluster := buildRateLimitServiceCluster(httpListener) + rlCluster := t.buildRateLimitServiceCluster(httpListener) // Add cluster if rlCluster != nil { tCtx.AddXdsResource(resource.ClusterType, rlCluster) diff --git a/internal/xds/translator/translator_test.go b/internal/xds/translator/translator_test.go index 90935e6ce6..6248dbaee8 100644 --- a/internal/xds/translator/translator_test.go +++ b/internal/xds/translator/translator_test.go @@ -19,6 +19,7 @@ import ( "google.golang.org/protobuf/proto" "sigs.k8s.io/yaml" + infra "github.com/envoyproxy/gateway/internal/infrastructure/kubernetes" "github.com/envoyproxy/gateway/internal/ir" ) @@ -126,7 +127,12 @@ func TestTranslateXds(t *testing.T) { tc := tc t.Run(tc.name, func(t *testing.T) { ir := requireXdsIRFromInputTestData(t, "xds-ir", tc.name+".yaml") - tCtx, err := Translate(ir) + tr := &Translator{ + GlobalRateLimit: &GlobalRateLimitSettings{ + ServiceURL: infra.GetRateLimitServiceURL("envoy-gateway-system"), + }, + } + tCtx, err := tr.Translate(ir) require.NoError(t, err) listeners := tCtx.XdsResources[resource.ListenerType] routes := tCtx.XdsResources[resource.RouteType] diff --git a/release-notes/v0.3.0.yaml b/release-notes/v0.3.0.yaml new file mode 100644 index 0000000000..384537c27a --- /dev/null +++ b/release-notes/v0.3.0.yaml 
@@ -0,0 +1,81 @@ +date: February 09, 2023 + +changes: + - area: documentation + change: | + Added Global Rate Limit User Docs + Added Request Authentication User Docs + Added TCP Routing User Docs + Added UDP Routing User Docs + Added GRPC Routing User Docs + Added HTTP Response Headers User Docs + Added TCP and UDP Proxy Design Docs + Added egctl Design Docs + Added Rate Limit Design Docs + Added Request Authentication Design Docs + Added Support for Versioned Docs + Added Support for Multiple Release Versions + Added Release Details Docs + Added API Docs Generating Tooling + Refactored Layout for User Docs + + - area: api + change: | + Upgraded to v0.6.1 Gateway API + Added Support for the TCPRoute API + Added Support for the UDPRoute API + Added Support for the GRPCRoute API + Added Support for HTTPRoute URLRewrite Filter + Added Support for HTTPRoute RequestMirror Filter + Added Support for HTTPRoute ResponseHeaderModifier Filter + Added Support for Request Authentication + Added Support for Global Rate Limiting + Added Support for Routes ReferenceGrant + Added Support for Namespace Server Config Type + Added initial management of Envoy Proxy deployment via EnvoyProxy API + + - area: ci-tooling-testing + change: | + Fixed Make Image Failed in Darwin + Fixed Wait for Job Succeeded before conformance test + Upgraded Echoserver Image Tag + Added Support for User-Facing Version + Added Support for Testing EG against Multiple Kubernetes Versions + + - area: conformance + change: | + Enabled GatewayClassObservedGenerationBump conformance test + Enabled GatewayInvalidTLSConfiguration conformance test + Enabled GatewayInvalidRouteKind conformance test + Enabled HTTPRouteReferenceGrant conformance test + Enabled HTTPRouteMethodMatching conformance test + Enabled HTTPRoutePartiallyInvalidViaInvalidReferenceGrant conformance test + Enabled HTTPRouteInvalidParentRefNotMatchingListenerPort conformance test + (Currently EG passes all conformance tests except redirect and 
gateway/httproute ObservedGenerationBump tests. Redirect tests are failing due to a possible issue with the way upstream conformance tests have made assumptions. Skip them for now until below issues #992 #993 #994 are resolved) + + - area: ir + change: | + Added TCP Listener per TLSRoute + + - area: translator + change: | + Fixes Remove Stale Listener Condition + Added Support for Suffix Matches for Headers + Added Support for HTTP Method Matching to HTTPRoute + Added Support for Regex Match Type + Added Support for HTTPQueryParamMatch + + - area: providers + change: | + Refactored Kubernetes Provider to Single Reconciler + Upgraded Kube Provider Test Data Manifests to v0.6.1 + Removed Duplicate Settings from Bootstrap Config + Updated Certgen to Use EG Namespace Env + Added EnvoyProxy to Translator and Kube Infra Manager + Upgraded Envoyproxy Image to envoy-dev latest in Main + Removed EG Logs Private Key + + - area: xds + change: | + Fixed Start xDS Server Watchable Map Panics + Enabled Access Logging for xDS Components diff --git a/test/conformance/conformance_test.go b/test/conformance/conformance_test.go index f08cff7975..da0d4de639 100644 --- a/test/conformance/conformance_test.go +++ b/test/conformance/conformance_test.go 
@@ -48,46 +48,26 @@ func TestGatewayAPIConformance(t *testing.T) { } cSuite := suite.New(suite.Options{ - Client: client, - GatewayClassName: *flags.GatewayClassName, - Debug: *flags.ShowDebug, - CleanupBaseResources: *flags.CleanupBaseResources, - ValidUniqueListenerPorts: validUniqueListenerPorts, - SupportedFeatures: map[suite.SupportedFeature]bool{ - suite.SupportHTTPRouteQueryParamMatching: true, - suite.SupportReferenceGrant: true, - suite.SupportHTTPResponseHeaderModification: true, - suite.SupportHTTPRouteMethodMatching: true, - suite.SupportRouteDestinationPortMatching: true, + Client: client, + GatewayClassName: *flags.GatewayClassName, + Debug: *flags.ShowDebug, + CleanupBaseResources: *flags.CleanupBaseResources, + ValidUniqueListenerPorts: validUniqueListenerPorts, + EnableAllSupportedFeatures: true, + SkipTests: []string{ + // Remove once https://github.com/envoyproxy/gateway/issues/993 is fixed + tests.HTTPRouteRedirectPath.ShortName, + // Remove once https://github.com/envoyproxy/gateway/issues/992 is fixed + tests.HTTPRouteRedirectHostAndStatus.ShortName, + // Remove once https://github.com/envoyproxy/gateway/issues/994 is fixed + tests.HTTPRouteRedirectScheme.ShortName, + // Remove once https://github.com/envoyproxy/gateway/issues/1016 is fixed + tests.GatewayObservedGenerationBump.ShortName, + // Remove once https://github.com/envoyproxy/gateway/issues/1016 is fixed + tests.HTTPRouteObservedGenerationBump.ShortName, }, }) cSuite.Setup(t) - egTests := []suite.ConformanceTest{ - tests.HTTPRouteSimpleSameNamespace, - tests.HTTPRouteRequestHeaderModifier, - tests.HTTPRouteResponseHeaderModifier, - tests.HTTPRouteQueryParamMatching, - tests.HTTPRouteInvalidCrossNamespaceParentRef, - tests.HTTPExactPathMatching, - tests.HTTPRouteCrossNamespace, - tests.HTTPRouteHeaderMatching, - tests.HTTPRouteMethodMatching, - tests.HTTPRouteMatchingAcrossRoutes, - tests.HTTPRouteHostnameIntersection, - tests.HTTPRouteListenerHostnameMatching, - 
tests.HTTPRouteInvalidNonExistentBackendRef, - tests.HTTPRouteInvalidBackendRefUnknownKind, - tests.HTTPRouteInvalidCrossNamespaceBackendRef, - tests.GatewaySecretReferenceGrantAllInNamespace, - tests.GatewaySecretReferenceGrantSpecific, - tests.GatewaySecretMissingReferenceGrant, - tests.GatewaySecretInvalidReferenceGrant, - tests.GatewayInvalidTLSConfiguration, - tests.GatewayInvalidRouteKind, - tests.HTTPRouteReferenceGrant, - tests.HTTPRoutePartiallyInvalidViaInvalidReferenceGrant, - tests.HTTPRouteInvalidParentRefNotMatchingListenerPort, - } - cSuite.Run(t, egTests) + cSuite.Run(t, tests.ConformanceTests) } diff --git a/tools/crd-ref-docs/config.yaml b/tools/crd-ref-docs/config.yaml new file mode 100644 index 0000000000..ed1661d5e7 --- /dev/null +++ b/tools/crd-ref-docs/config.yaml @@ -0,0 +1,12 @@ +processor: + # RE2 regular expressions describing types that should be excluded from the generated documentation. + ignoreTypes: + - "(EnvoyProxy|AuthenticationFilter|RateLimitFilter)List$" + # RE2 regular expressions describing type fields that should be excluded from the generated documentation. + ignoreFields: + - "status$" + - "TypeMeta$" + +render: + # Version of Kubernetes to use when generating links to Kubernetes API documentation. + kubernetesVersion: 1.26 diff --git a/tools/hack/create-cluster.sh b/tools/hack/create-cluster.sh index 6333ab60e6..b4e20e6687 100755 --- a/tools/hack/create-cluster.sh +++ b/tools/hack/create-cluster.sh @@ -5,7 +5,7 @@ set -euo pipefail # Setup default values CLUSTER_NAME=${CLUSTER_NAME:-"envoy-gateway"} METALLB_VERSION=${METALLB_VERSION:-"v0.13.7"} -KIND_NODE_TAG=${KIND_NODE_TAG:-"v1.25.3"} +KIND_NODE_TAG=${KIND_NODE_TAG:-"v1.26.0"} ## Create kind cluster. if [[ -z "${KIND_NODE_TAG}" ]]; then diff --git a/tools/hack/docs-headings.sh b/tools/hack/docs-headings.sh new file mode 100755 index 0000000000..7311c46092 --- /dev/null +++ b/tools/hack/docs-headings.sh 
@@ -0,0 +1,26 @@ +#!/usr/bin/env bash + +set -o errexit +set -o nounset +set -o pipefail + +# Wrap sed to deal with GNU and BSD sed flags. +run::sed() { + if sed --version &1 | grep -q GNU; then + # GNU sed + sed -i "$@" + else + # assume BSD sed + sed -i '' "$@" + fi +} + +files=(docs/latest/api/config_types.md docs/latest/api/extension_types.md) + +# Required since Sphinx mst does not link to h4 headings. +for file in "${files[@]}" ; do + run::sed \ + "-es|####|##|" \ + "$file" + echo "updated markdown headings for $file" +done diff --git a/tools/make/docs.mk b/tools/make/docs.mk index 042182336c..a065a3493f 100644 --- a/tools/make/docs.mk +++ b/tools/make/docs.mk @@ -4,7 +4,7 @@ RELEASE_VERSIONS ?= $(foreach v,$(wildcard ${ROOT_DIR}/docs/*),$(notdir ${v})) ##@ Docs .PHONY: docs -docs: docs.clean $(tools/sphinx-build) ## Generate Envoy Gateway Docs Sources +docs: docs.clean $(tools/sphinx-build) docs-api ## Generate Envoy Gateway Docs Sources @$(LOG_TARGET) mkdir -p $(DOCS_OUTPUT_DIR) cp docs/index.html $(DOCS_OUTPUT_DIR)/index.html @@ -32,6 +32,29 @@ docs.clean: @$(LOG_TARGET) rm -rf $(DOCS_OUTPUT_DIR) +.PHONY: docs-api +docs-api: docs-api-gen docs-api-headings + +.PHONY: docs-api-gen +docs-api-gen: $(tools/crd-ref-docs) + $(tools/crd-ref-docs) \ + --source-path=api/config \ + --config=tools/crd-ref-docs/config.yaml \ + --output-path=docs/latest/api/config_types.md \ + --max-depth 10 \ + --renderer=markdown + $(tools/crd-ref-docs) \ + --source-path=api/v1alpha1 \ + --config=tools/crd-ref-docs/config.yaml \ + --output-path=docs/latest/api/extension_types.md \ + --max-depth 10 \ + --renderer=markdown + +.PHONY: docs-api-headings # Required since sphinx mst does not link to h4 headings. +docs-api-headings: + @$(LOG_TARGET) + tools/hack/docs-headings.sh + .PHONY: docs-release-prepare docs-release-prepare: @$(LOG_TARGET) diff --git a/tools/make/tools.mk b/tools/make/tools.mk index d945caf79e..8eb31e2443 100644 --- a/tools/make/tools.mk +++ b/tools/make/tools.mk 
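Review bot: In run::sed the detection line `if sed --version &1 | grep -q GNU; then` contains no redirection as written — `&1` backgrounds `sed --version` and then pipes the output of a command named `1` into grep — so the branch can never match GNU and the script falls through to the BSD form `sed -i '' ...`, which GNU sed does not accept. If this is a rendering loss of `2>&1`, the intended line is `if sed --version 2>&1 | grep -q GNU; then`; otherwise that redirection needs to be added. A short comment that only grep's exit status is consulted in the pipeline (BSD sed exits non-zero on `--version`, which is what makes the else branch work under errexit) would also help the next maintainer.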
@@ -17,6 +17,7 @@ tools/golangci-lint = $(tools.bindir)/golangci-lint tools/kustomize = $(tools.bindir)/kustomize tools/kind = $(tools.bindir)/kind tools/setup-envtest = $(tools.bindir)/setup-envtest +tools/crd-ref-docs = $(tools.bindir)/crd-ref-docs $(tools.bindir)/%: $(tools.srcdir)/%/pin.go $(tools.srcdir)/%/go.mod cd $(