envoyproxy
diff --git a/‎.github/workflows/build_and_test.yaml‎
Lines changed: 16 additions & 18 deletions b/‎.github/workflows/build_and_test.yaml‎
Lines changed: 16 additions & 18 deletions
diff --git a/‎.github/workflows/codeql.yml‎
Lines changed: 3 additions & 3 deletions b/‎.github/workflows/codeql.yml‎
Lines changed: 3 additions & 3 deletions
diff --git a/‎.github/workflows/experimental_conformance.yaml‎
Lines changed: 5 additions & 5 deletions b/‎.github/workflows/experimental_conformance.yaml‎
Lines changed: 5 additions & 5 deletions
diff --git a/‎.github/workflows/scorecard.yml‎
Lines changed: 1 addition & 1 deletion b/‎.github/workflows/scorecard.yml‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎VERSION‎
Lines changed: 1 addition & 1 deletion b/‎VERSION‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎api/v1alpha1/connection_types.go‎
Lines changed: 3 additions & 4 deletions b/‎api/v1alpha1/connection_types.go‎
Lines changed: 3 additions & 4 deletions
diff --git a/‎api/v1alpha1/envoygateway_types.go‎
Lines changed: 9 additions & 0 deletions b/‎api/v1alpha1/envoygateway_types.go‎
Lines changed: 9 additions & 0 deletions
diff --git a/‎api/v1alpha1/loadbalancer_types.go‎
Lines changed: 43 additions & 0 deletions b/‎api/v1alpha1/loadbalancer_types.go‎
Lines changed: 43 additions & 0 deletions
diff --git a/‎api/v1alpha1/oidc_types.go‎
Lines changed: 7 additions & 0 deletions b/‎api/v1alpha1/oidc_types.go‎
Lines changed: 7 additions & 0 deletions
diff --git a/‎api/v1alpha1/shared_types.go‎
Lines changed: 4 additions & 1 deletion b/‎api/v1alpha1/shared_types.go‎
Lines changed: 4 additions & 1 deletion
@@ -86,20 +86,20 @@ jobs:
       fail-fast: false
       matrix:
         target:
-        - version: v1.30.10
+        - version: v1.30.13
           ipFamily: ipv4
           profile: default
-        - version: v1.31.6
+        - version: v1.31.9
           ipFamily: ipv4
           profile: default
-        - version: v1.32.3
+        - version: v1.32.5
           ipFamily: ipv6  # only run ipv6 test on this version to save time
           profile: default
         # TODO: this's IPv4 first, need a way to test IPv6 first.
-        - version: v1.33.0
+        - version: v1.33.1
           ipFamily: dual  # only run dual test on latest version to save time
           profile: default
-        - version: v1.33.0
+        - version: v1.33.1
           ipFamily: dual  # only run dual test on latest version to save time
           profile: gateway-namespace-mode
     steps:
@@ -133,27 +133,22 @@ jobs:
       fail-fast: false
       matrix:
         target:
-        - version: v1.30.10
+        - version: v1.30.13
           ipFamily: ipv4
           profile: default
-          loadQPS: 1000
-        - version: v1.31.6
+        - version: v1.31.9
           ipFamily: ipv4
           profile: default
-          loadQPS: 2000
-        - version: v1.32.3
+        - version: v1.32.5
           ipFamily: ipv6  # only run ipv6 test on this version to save time
           profile: default
-          loadQPS: 3000
         # TODO: this's IPv4 first, need a way to test IPv6 first.
-        - version: v1.33.0
+        - version: v1.33.1
           ipFamily: dual  # only run dual test on latest version to save time
           profile: default
-          loadQPS: 4000
-        - version: v1.33.0
+        - version: v1.33.1
           ipFamily: dual  # only run dual test on latest version to save time
           profile: gateway-namespace-mode
-          loadQPS: 5000
     steps:
     - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683  # v4.2.2
     - uses: ./tools/github-actions/setup-deps
@@ -177,10 +172,13 @@ jobs:
         IP_FAMILY: ${{ matrix.target.ipFamily }}
         KUBE_DEPLOY_PROFILE: ${{ matrix.target.profile }}
         E2E_TIMEOUT: 1h
-        # use the loadQPS from the matrix to set the QPS for the E2E tests
-        # this is used to determine whether the flaky tests are due to load or not
-        E2E_BACKEND_UPGRADE_QPS: ${{ matrix.target.loadQPS }}
         NUM_WORKERS: 2
+        # QPS more than 3000 may cause e2e flaky test.
+        # This is not the limit of Envoy Gateway,
+        # but the limit of running e2e tests in github CI.
+        E2E_BACKEND_UPGRADE_QPS: "3000"
+        # Cluster trust bundle reach beta in v1.33, so we can enable it for v1.33 and later.
+        ENABLE_CLUSTER_TRUST_BUNDLE: ${{ startsWith(matrix.target.version, 'v1.33') }}
       run: make e2e
 
   benchmark-test:
 
@@ -36,14 +36,14 @@ jobs:
     - uses: ./tools/github-actions/setup-deps
 
     - name: Initialize CodeQL
-      uses: github/codeql-action/init@ce28f5bb42b7a9f2c824e633a3f6ee835bab6858  # v3.29.0
+      uses: github/codeql-action/init@39edc492dbe16b1465b0cafca41432d857bdb31a  # v3.29.1
       with:
         languages: ${{ matrix.language }}
 
     - name: Autobuild
-      uses: github/codeql-action/autobuild@ce28f5bb42b7a9f2c824e633a3f6ee835bab6858  # v3.29.0
+      uses: github/codeql-action/autobuild@39edc492dbe16b1465b0cafca41432d857bdb31a  # v3.29.1
 
     - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@ce28f5bb42b7a9f2c824e633a3f6ee835bab6858  # v3.29.0
+      uses: github/codeql-action/analyze@39edc492dbe16b1465b0cafca41432d857bdb31a  # v3.29.1
       with:
         category: "/language:${{matrix.language}}"
@@ -23,22 +23,22 @@ jobs:
     strategy:
       matrix:
         target:
-          - version: v1.30.10
+          - version: v1.30.13
             ipFamily: ipv4
             profile: default
-          - version: v1.31.6
+          - version: v1.31.9
             ipFamily: ipv4
             profile: default
-          - version: v1.32.3
+          - version: v1.32.5
             # only run ipv6 test on this version to save time
             ipFamily: ipv6
             profile: default
           # TODO: this's IPv4 first, need a way to test IPv6 first.
-          - version: v1.33.0
+          - version: v1.33.1
             # only run dual test on latest version to save time
             ipFamily: dual
             profile: default
-          - version: v1.33.0
+          - version: v1.33.1
             # only run dual test on latest version to save time
             ipFamily: dual
             profile: gateway-namespace-mode
 
@@ -40,6 +40,6 @@ jobs:
         retention-days: 5
 
     - name: "Upload to code-scanning"
-      uses: github/codeql-action/upload-sarif@ce28f5bb42b7a9f2c824e633a3f6ee835bab6858  # v3.29.0
+      uses: github/codeql-action/upload-sarif@39edc492dbe16b1465b0cafca41432d857bdb31a  # v3.29.1
       with:
         sarif_file: results.sarif
@@ -1 +1 @@
-v1.4.1
+v1.4.2
@@ -39,12 +39,11 @@ type ClientConnection struct {
 
 	// MaxAcceptPerSocketEvent provides configuration for the maximum number of connections to accept from the kernel
 	// per socket event. If there are more than MaxAcceptPerSocketEvent connections pending accept, connections over
-	// this threshold will be accepted in later event loop iterations. If no value is provided Envoy will accept
-	// all connections pending accept from the kernel.
-	// It is recommended to lower this value for better overload management and reduced per-event cost.
-	// Setting it to 1 is a viable option with no noticeable impact on performance.
+	// this threshold will be accepted in later event loop iterations.
+	// Defaults to 1 and can be disabled by setting to 0 for allowing unlimited accepted connections.
 	//
 	// +optional
+	// +kubebuilder:default=1
 	MaxAcceptPerSocketEvent *uint32 `json:"maxAcceptPerSocketEvent,omitempty"`
 }
 
 
@@ -505,6 +505,7 @@ type RedisTLSSettings struct {
 // RateLimitRedisSettings defines the configuration for connecting to redis database.
 type RateLimitRedisSettings struct {
 	// URL of the Redis Database.
+	// This can reference a single Redis host or a comma delimited list for Sentinel and Cluster deployments of Redis.
 	URL string `json:"url"`
 
 	// TLS defines TLS configuration for connecting to redis database.
@@ -528,6 +529,14 @@ type ExtensionManager struct {
 	// +optional
 	PolicyResources []GroupVersionKind `json:"policyResources,omitempty"`
 
+	// BackendResources defines the set of K8s resources the extension will handle as
+	// custom backendRef resources. These resources can be referenced in HTTPRoute
+	// backendRefs to enable support for custom backend types (e.g., S3, Lambda, etc.)
+	// that are not natively supported by Envoy Gateway.
+	//
+	// +optional
+	BackendResources []GroupVersionKind `json:"backendResources,omitempty"`
+
 	// Hooks defines the set of hooks the extension supports
 	//
 	// +kubebuilder:validation:Required
 
@@ -12,6 +12,7 @@ import metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 //
 // +kubebuilder:validation:XValidation:rule="self.type == 'ConsistentHash' ? has(self.consistentHash) : !has(self.consistentHash)",message="If LoadBalancer type is consistentHash, consistentHash field needs to be set."
 // +kubebuilder:validation:XValidation:rule="self.type in ['Random', 'ConsistentHash'] ? !has(self.slowStart) : true ",message="Currently SlowStart is only supported for RoundRobin and LeastRequest load balancers."
+// +kubebuilder:validation:XValidation:rule="self.type == 'ConsistentHash' ? !has(self.zoneAware) : true ",message="Currently ZoneAware is only supported for LeastRequest, Random, and RoundRobin load balancers."
 type LoadBalancer struct {
 	// Type decides the type of Load Balancer policy.
 	// Valid LoadBalancerType values are
@@ -34,6 +35,12 @@ type LoadBalancer struct {
 	//
 	// +optional
 	SlowStart *SlowStart `json:"slowStart,omitempty"`
+
+	// ZoneAware defines the configuration related to the distribution of requests between locality zones.
+	//
+	// +optional
+	// +notImplementedHide
+	ZoneAware *ZoneAware `json:"zoneAware,omitempty"`
 }
 
 // LoadBalancerType specifies the types of LoadBalancer.
@@ -135,3 +142,39 @@ type SlowStart struct {
 	Window *metav1.Duration `json:"window"`
 	// TODO: Add support for non-linear traffic increases based on user usage.
 }
+
+// ZoneAware defines the configuration related to the distribution of requests between locality zones.
+type ZoneAware struct {
+	// PreferLocalZone configures zone-aware routing to prefer sending traffic to the local locality zone.
+	//
+	// +optional
+	// +notImplementedHide
+	PreferLocal *PreferLocalZone `json:"preferLocal,omitempty"`
+}
+
+// PreferLocalZone configures zone-aware routing to prefer sending traffic to the local locality zone.
+type PreferLocalZone struct {
+	// ForceLocalZone defines override configuration for forcing all traffic to stay within the local zone instead of the default behavior
+	// which maintains equal distribution among upstream endpoints while sending as much traffic as possible locally.
+	//
+	// +optional
+	// +notImplementedHide
+	Force *ForceLocalZone `json:"force,omitempty"`
+
+	// MinEndpointsThreshold is the minimum number of total upstream endpoints across all zones required to enable zone-aware routing.
+	//
+	// +optional
+	// +notImplementedHide
+	MinEndpointsThreshold *uint64 `json:"minEndpointsThreshold,omitempty"`
+}
+
+// ForceLocalZone defines override configuration for forcing all traffic to stay within the local zone instead of the default behavior
+// which maintains equal distribution among upstream endpoints while sending as much traffic as possible locally.
+type ForceLocalZone struct {
+	// MinEndpointsInZoneThreshold is the minimum number of upstream endpoints in the local zone required to honor the forceLocalZone
+	// override. This is useful for protecting zones with fewer endpoints.
+	//
+	// +optional
+	// +notImplementedHide
+	MinEndpointsInZoneThreshold *uint32 `json:"minEndpointsInZoneThreshold,omitempty"`
+}
@@ -162,6 +162,13 @@ type OIDCProvider struct {
 	//
 	// +optional
 	TokenEndpoint *string `json:"tokenEndpoint,omitempty"`
+
+	// The OIDC Provider's [end session endpoint](https://openid.net/specs/openid-connect-core-1_0.html#RPLogout).
+	//
+	// If the end session endpoint is provided, EG will use it to log out the user from the OIDC Provider when the user accesses the logout path.
+	// EG will also try to discover the end session endpoint from the provider's [Well-Known Configuration Endpoint](https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderConfigurationResponse) when authorizationEndpoint or tokenEndpoint is not provided.
+	// +optional
+	EndSessionEndpoint *string `json:"endSessionEndpoint,omitempty"`
 }
 
 // OIDCDenyRedirect defines headers to match against the request to deny redirect to the OIDC Provider.
 
@@ -231,13 +231,15 @@ type KubernetesContainerSpec struct {
 	// Image specifies the EnvoyProxy container image to be used including a tag, instead of the default image.
 	// This field is mutually exclusive with ImageRepository.
 	//
+	// +kubebuilder:validation:XValidation:rule="self.matches('^[a-zA-Z0-9._/-]+:[a-zA-Z0-9._-]+$')",message="Image must include a tag and allowed characters only (e.g., 'repo:tag')."
 	// +optional
 	Image *string `json:"image,omitempty"`
 
 	// ImageRepository specifies the container image repository to be used without specifying a tag.
 	// The default tag will be used.
 	// This field is mutually exclusive with Image.
 	//
+	// +kubebuilder:validation:XValidation:rule="self.matches('^[a-zA-Z0-9._/-]+$')",message="ImageRepository must contain only allowed characters and must not include a tag or any colons."
 	// +optional
 	ImageRepository *string `json:"imageRepository,omitempty"`
 
@@ -385,14 +387,15 @@ const (
 // XDSTranslatorHook defines the types of hooks that an Envoy Gateway extension may support
 // for the xds-translator
 //
-// +kubebuilder:validation:Enum=VirtualHost;Route;HTTPListener;Translation
+// +kubebuilder:validation:Enum=VirtualHost;Route;HTTPListener;Translation;Cluster
 type XDSTranslatorHook string
 
 const (
 	XDSVirtualHost  XDSTranslatorHook = "VirtualHost"
 	XDSRoute        XDSTranslatorHook = "Route"
 	XDSHTTPListener XDSTranslatorHook = "HTTPListener"
 	XDSTranslation  XDSTranslatorHook = "Translation"
+	XDSCluster      XDSTranslatorHook = "Cluster"
 )
 
 // StringMatch defines how to match any strings.