diff --git a/go.mod b/go.mod
index 75a39a5f..afa87009 100644
--- a/go.mod
+++ b/go.mod
@@ -3,7 +3,7 @@ module go.bytebuilders.dev/catalog
 go 1.25.3
 
 require (
-	github.com/envoyproxy/gateway v1.6.1
+	github.com/envoyproxy/gateway v1.6.2
 	k8s.io/api v0.34.3
 	k8s.io/apimachinery v0.34.3
 	k8s.io/klog/v2 v2.130.1
@@ -14,7 +14,7 @@ require (
 	kubeops.dev/external-dns-operator v0.3.0
 	kubevault.dev/apimachinery v0.22.0
 	sigs.k8s.io/controller-runtime v0.22.4
-	sigs.k8s.io/gateway-api v1.4.0
+	sigs.k8s.io/gateway-api v1.4.1
 	sigs.k8s.io/randfill v1.0.0
 	sigs.k8s.io/yaml v1.6.0
 	voyagermesh.dev/installer v0.0.0-20251230080904-cdc0a2148b57
diff --git a/go.sum b/go.sum
index e0afd5e4..d8370f88 100644
--- a/go.sum
+++ b/go.sum
@@ -24,8 +24,8 @@ github.com/docker/docker-credential-helpers v0.9.4 h1:76ItO69/AP/V4yT9V4uuuItG0B
 github.com/docker/docker-credential-helpers v0.9.4/go.mod h1:v1S+hepowrQXITkEfw6o4+BMbGot02wiKpzWhGUZK6c=
 github.com/emicklei/go-restful/v3 v3.13.0 h1:C4Bl2xDndpU6nJ4bc1jXd+uTmYPVUwkD6bFY/oTyCes=
 github.com/emicklei/go-restful/v3 v3.13.0/go.mod h1:6n3XBCmQQb25CM2LCACGz8ukIrRry+4bhvbpWn3mrbc=
-github.com/envoyproxy/gateway v1.6.1 h1:Etp7MR3Nix72EM8bmHWxCW3329oFRTlyvFiDQGXDvdw=
-github.com/envoyproxy/gateway v1.6.1/go.mod h1:F3Spa//JPyvpg8XXa5ZAvbrG8KdjObBpPYWVVHT9Hv8=
+github.com/envoyproxy/gateway v1.6.2 h1:GAoqPWMNl3ZWrjfvJ6wQ3mzuc/xPN+Vgjuf4l/0jDd8=
+github.com/envoyproxy/gateway v1.6.2/go.mod h1:cLMfSmbyvOafa/ASP137PnYO069koBGY1SjNPLtjIio=
 github.com/evanphx/json-patch v5.9.11+incompatible h1:ixHHqfcGvxhWkniF1tWxBHA0yb4Z+d1UQi45df52xW8=
 github.com/evanphx/json-patch v5.9.11+incompatible/go.mod h1:50XU6AFN0ol/bzJsmQLiYLvXMP4fmwYFNcr97nuDLSk=
 github.com/evanphx/json-patch/v5 v5.9.11 h1:/8HVnzMq13/3x9TPvjG08wUGqBTmZBsCWzjTM0wiaDU=
@@ -306,8 +306,8 @@ kubevault.dev/apimachinery v0.22.0 h1:6ysCHgKe0Sw2z35UkpiA8xfWwsGMmzpLEw6RDp5HF/
 kubevault.dev/apimachinery v0.22.0/go.mod h1:QArlKB79Ho4PauRS2ioX4FEVjF79EbwAaomXhkLC/Hk=
 sigs.k8s.io/controller-runtime v0.22.4 h1:GEjV7KV3TY8e+tJ2LCTxUTanW4z/FmNB7l327UfMq9A=
 sigs.k8s.io/controller-runtime v0.22.4/go.mod h1:+QX1XUpTXN4mLoblf4tqr5CQcyHPAki2HLXqQMY6vh8=
-sigs.k8s.io/gateway-api v1.4.0 h1:ZwlNM6zOHq0h3WUX2gfByPs2yAEsy/EenYJB78jpQfQ=
-sigs.k8s.io/gateway-api v1.4.0/go.mod h1:AR5RSqciWP98OPckEjOjh2XJhAe2Na4LHyXD2FUY7Qk=
+sigs.k8s.io/gateway-api v1.4.1 h1:NPxFutNkKNa8UfLd2CMlEuhIPMQgDQ6DXNKG9sHbJU8=
+sigs.k8s.io/gateway-api v1.4.1/go.mod h1:AR5RSqciWP98OPckEjOjh2XJhAe2Na4LHyXD2FUY7Qk=
 sigs.k8s.io/json v0.0.0-20250730193827-2d320260d730 h1:IpInykpT6ceI+QxKBbEflcR5EXP7sU1kvOlxwZh5txg=
 sigs.k8s.io/json v0.0.0-20250730193827-2d320260d730/go.mod h1:mdzfpAEoE6DHQEN0uh9ZbOCuHbLK5wOm7dK4ctXE9Tg=
 sigs.k8s.io/randfill v1.0.0 h1:JfjMILfT8A6RbawdsK2JXGBR5AQVfd+9TbzrlneTyrU=
diff --git a/vendor/github.com/envoyproxy/gateway/api/v1alpha1/envoygateway_types.go b/vendor/github.com/envoyproxy/gateway/api/v1alpha1/envoygateway_types.go
index 8434ee15..48a87bc5 100644
--- a/vendor/github.com/envoyproxy/gateway/api/v1alpha1/envoygateway_types.go
+++ b/vendor/github.com/envoyproxy/gateway/api/v1alpha1/envoygateway_types.go
@@ -251,6 +251,9 @@ type ExtensionAPISettings struct {
 	// EnableBackend enables Envoy Gateway to
 	// reconcile and implement the Backend resources.
 	EnableBackend bool `json:"enableBackend"`
+	// DisableLua determines if Lua EnvoyExtensionPolicies should be disabled.
+	// If set to true, the Lua EnvoyExtensionPolicy feature will be disabled.
+	DisableLua bool `json:"disableLua"`
 }
 
 // EnvoyGatewayProvider defines the desired configuration of a provider.
diff --git a/vendor/github.com/envoyproxy/gateway/api/v1alpha1/envoyproxy_types.go b/vendor/github.com/envoyproxy/gateway/api/v1alpha1/envoyproxy_types.go
index 0db874ef..e9283e4c 100644
--- a/vendor/github.com/envoyproxy/gateway/api/v1alpha1/envoyproxy_types.go
+++ b/vendor/github.com/envoyproxy/gateway/api/v1alpha1/envoyproxy_types.go
@@ -176,23 +176,29 @@ type EnvoyProxySpec struct {
 	LuaValidation *LuaValidation `json:"luaValidation,omitempty"`
 }
 
-// +kubebuilder:validation:Enum=Strict;Disabled
+// +kubebuilder:validation:Enum=Strict;InsecureSyntax;Disabled
 type LuaValidation string
 
 const (
 	// LuaValidationStrict is the default level and checks for issues during script execution.
-	// Recommended if your scripts only use the standard Envoy Lua stream handle API.
+	// Recommended if your scripts only use the standard Envoy Lua stream handle API and no external libraries.
 	// For supported APIs, see: https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_filters/lua_filter#stream-handle-api
+	// INFO: This validation mode executes Lua scripts from EnvoyExtensionPolicy (EEP) resources in the gateway controller.
+	// Since the Gateway controller watches EEPs across all namespaces (or namespaces matching the configured selector),
+	// unprivileged users can create EEPs in their namespaces and cause arbitrary Lua code to execute in the Gateway controller process.
+	// Security measures are in place to prevent unsafe Lua code from accessing critical system resources on the controller
+	// and fail validation, preventing the unsafe code from flowing to the data plane proxy.
 	LuaValidationStrict LuaValidation = "Strict"
 
-	// LuaValidationSyntax checks for syntax errors in the Lua script.
-	// Note that this is not a full runtime validation and does not check for issues during script execution.
-	// This is recommended if your scripts use external libraries that are not supported by Lua runtime validation.
-	LuaValidationSyntax LuaValidation = "Syntax"
+	// LuaValidationInsecureSyntax checks for Lua syntax errors only.
+	// Useful if your scripts use external libraries other than the standard Envoy Lua stream handle API.
+	// WARNING: This mode does NOT offer any runtime validations, so no security measures are applied to validate Lua code safety.
+	// Not recommended unless you completely trust all EnvoyExtensionPolicy resources.
+	LuaValidationInsecureSyntax LuaValidation = "InsecureSyntax"
 
-	// LuaValidationDisabled disables all validations of Lua scripts.
-	// Scripts will be accepted and executed without any validation checks.
-	// This is not recommended unless both runtime and syntax validations are failing unexpectedly.
+	// LuaValidationDisabled disables all Lua script validations.
+	// WARNING: This mode does NOT offer any runtime or syntax validations, so no security measures are applied to validate Lua code safety.
+	// Not recommended unless you completely trust all EnvoyExtensionPolicy resources.
 	LuaValidationDisabled LuaValidation = "Disabled"
 )
 
diff --git a/vendor/modules.txt b/vendor/modules.txt
index 24d40a6c..8a7eaf88 100644
--- a/vendor/modules.txt
+++ b/vendor/modules.txt
@@ -41,7 +41,7 @@ github.com/docker/docker-credential-helpers/credentials
 ## explicit; go 1.13
 github.com/emicklei/go-restful/v3
 github.com/emicklei/go-restful/v3/log
-# github.com/envoyproxy/gateway v1.6.1
+# github.com/envoyproxy/gateway v1.6.2
 ## explicit; go 1.25.3
 github.com/envoyproxy/gateway/api/v1alpha1
 # github.com/evanphx/json-patch v5.9.11+incompatible
@@ -910,7 +910,7 @@ sigs.k8s.io/controller-runtime/pkg/webhook/admission/metrics
 sigs.k8s.io/controller-runtime/pkg/webhook/conversion
 sigs.k8s.io/controller-runtime/pkg/webhook/conversion/metrics
 sigs.k8s.io/controller-runtime/pkg/webhook/internal/metrics
-# sigs.k8s.io/gateway-api v1.4.0
+# sigs.k8s.io/gateway-api v1.4.1
 ## explicit; go 1.24.0
 sigs.k8s.io/gateway-api/apis/v1
 # sigs.k8s.io/json v0.0.0-20250730193827-2d320260d730
diff --git a/vendor/sigs.k8s.io/gateway-api/apis/v1/backendtlspolicy_types.go b/vendor/sigs.k8s.io/gateway-api/apis/v1/backendtlspolicy_types.go
index 5a755eb1..674dca7b 100644
--- a/vendor/sigs.k8s.io/gateway-api/apis/v1/backendtlspolicy_types.go
+++ b/vendor/sigs.k8s.io/gateway-api/apis/v1/backendtlspolicy_types.go
@@ -88,6 +88,12 @@ type BackendTLSPolicySpec struct {
 	// implementation MUST ensure the `Accepted` Condition is set to
 	// `status: False`, with Reason `Conflicted`.
 	//
+	// Implementations SHOULD NOT support more than one targetRef at this
+	// time. Although the API technically allows for this, the current guidance
+	// for conflict resolution and status handling is lacking. Until that can be
+	// clarified in a future release, the safest approach is to support a single
+	// targetRef.
+	//
 	// Support: Extended for Kubernetes Service
 	// Support: Implementation-specific for any other resource