[release-1.6] cherry-pick for v1.6.1 (#7664)

* fix: oidc authentication endpoint was overwritten by discovered value (#7460)

fix: oid authentication endpoint was overriden by discovered value

Signed-off-by: Huabing Zhao <[email protected]>
Signed-off-by: Huabing (Robin) Zhao <[email protected]>
(cherry picked from commit 50dcb15)
Signed-off-by: Huabing Zhao <[email protected]>

* fix: do not return 500 for all requests when part of BackendRefs are invalid (#7488)

* do not return 500 for all requests when part of BackendRefs are invalid

Signed-off-by: Huabing Zhao <[email protected]>
Signed-off-by: Huabing (Robin) Zhao <[email protected]>
(cherry picked from commit 2899416)
Signed-off-by: Huabing Zhao <[email protected]>

* fix: prevent skeleton route status entries for unmanaged GatewayClasses (#7536)

* fix: prevent skeleton route status entries for unmanaged GatewayClasses

When processing policies (EnvoyExtensionPolicy, SecurityPolicy), the translator
was calling GetRouteParentContext for ALL parentRefs in a route, even those
referencing gateways with different GatewayClasses not managed by this translator.

GetRouteParentContext creates a skeleton RouteParentStatus entry with just the
controllerName when called on a parentRef that hasn't been processed yet. Since
all GatewayClass instances share the same controller name, these skeleton entries
persisted in status without conditions.

The fix checks if a parentRef context already exists before attempting to apply
policy configuration to it. If the context doesn't exist, it means this parentRef
wasn't processed by this translator and should be skipped.

Signed-off-by: Raj Singh <[email protected]>

* fix: also prevent skeleton entries in BackendTrafficPolicy processing

The same issue exists in BackendTrafficPolicy route processing - calling
GetRouteParentContext for all parentRefs creates skeleton status entries.

Apply the same fix: check if parentRef context exists before adding to list.

Signed-off-by: Raj Singh <[email protected]>

---------

Signed-off-by: Raj Singh <[email protected]>
(cherry picked from commit ff13742)
Signed-off-by: Huabing Zhao <[email protected]>

* treat too many addresses as programmed (#7542)

Signed-off-by: cong <[email protected]>
(cherry picked from commit 7cb5f72)
Signed-off-by: Huabing Zhao <[email protected]>

* bechmark: fix cpu sampling (#7581)

use fixed duration for cpu rate

Signed-off-by: Huabing Zhao <[email protected]>
(cherry picked from commit 536486f)
Signed-off-by: Huabing Zhao <[email protected]>

* chore: bump golang.org/x/crypto (#7588)

* chore: bump golang.org/x/crypto

Signed-off-by: zirain <[email protected]>

* fix gen

Signed-off-by: zirain <[email protected]>

---------

Signed-off-by: zirain <[email protected]>
(cherry picked from commit 70fa59a)
Signed-off-by: Huabing Zhao <[email protected]>

* findOwningGateway should return controller based on linked GatewayClass (#7611)

* fix: filter Gateway by controller in findOwningGateway

Prevent cross-controller Gateway mutations by validating GatewayClass

Signed-off-by: Sudipto Baral <[email protected]>
(cherry picked from commit ba8e0e2)
Signed-off-by: Huabing Zhao <[email protected]>

* fix: use default when namespace is unset (#7612)

* fix: use default when namespace is unset

Signed-off-by: zirain <[email protected]>

* fix

Signed-off-by: zirain <[email protected]>

* fix test

Signed-off-by: zirain <[email protected]>

---------

Signed-off-by: zirain <[email protected]>
(cherry picked from commit be2cc73)
Signed-off-by: Huabing Zhao <[email protected]>

* bump Gateway API v1.4.1 (#7653)

Signed-off-by: zirain <[email protected]>
(cherry picked from commit 0fa26d7)
Signed-off-by: Huabing Zhao <[email protected]>

* update release note

Signed-off-by: Huabing Zhao <[email protected]>

* fix gen check

Signed-off-by: Huabing Zhao <[email protected]>

* ci: add script to free disk space (#7534)

* feat: free disk space

Signed-off-by: Shreemaan Abhishek <[email protected]>

* lint

Signed-off-by: Shreemaan Abhishek <[email protected]>

* cleanup

Signed-off-by: Shreemaan Abhishek <[email protected]>

* make target and tools/hack

Signed-off-by: Shreemaan Abhishek <[email protected]>

* lint

Signed-off-by: Shreemaan Abhishek <[email protected]>

* modular action

Signed-off-by: Shreemaan Abhishek <[email protected]>

---------

Signed-off-by: Shreemaan Abhishek <[email protected]>
(cherry picked from commit 4312f38)
Signed-off-by: Huabing Zhao <[email protected]>

---------

Signed-off-by: Huabing Zhao <[email protected]>
Signed-off-by: Huabing (Robin) Zhao <[email protected]>
Signed-off-by: Raj Singh <[email protected]>
Signed-off-by: cong <[email protected]>
Signed-off-by: zirain <[email protected]>
Signed-off-by: Sudipto Baral <[email protected]>
Signed-off-by: Shreemaan Abhishek <[email protected]>
Co-authored-by: Raj Singh <[email protected]>
Co-authored-by: 聪 <[email protected]>
Co-authored-by: zirain <[email protected]>
Co-authored-by: Sudipto Baral <[email protected]>
Co-authored-by: shreealt <[email protected]>

Author: 6 people

.github/workflows/build_and_test.yaml

@@ -208,6 +208,7 @@ jobs:
     steps:
     - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8  # v5.0.0
     - uses: ./tools/github-actions/setup-deps
+    - uses: ./tools/github-actions/reclaim-storage
 
     - name: Download EG Binaries
       uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53  # v6.0.0

charts/gateway-crds-helm/templates/experimental-gatewayapi-crds.yaml

@@ -25,7 +25,7 @@ kind: CustomResourceDefinition
 metadata:
   annotations:
     api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/3328
-    gateway.networking.k8s.io/bundle-version: v1.4.0
+    gateway.networking.k8s.io/bundle-version: v1.4.1
     gateway.networking.k8s.io/channel: standard
   labels:
     gateway.networking.k8s.io/policy: Direct
@@ -130,6 +130,12 @@ spec:
                   implementation MUST ensure the `Accepted` Condition is set to
                   `status: False`, with Reason `Conflicted`.
 
+                  Implementations SHOULD NOT support more than one targetRef at this
+                  time. Although the API technically allows for this, the current guidance
+                  for conflict resolution and status handling is lacking. Until that can be
+                  clarified in a future release, the safest approach is to support a single
+                  targetRef.
+
                   Support: Extended for Kubernetes Service
 
                   Support: Implementation-specific for any other resource
@@ -775,6 +781,12 @@ spec:
                   implementation MUST ensure the `Accepted` Condition is set to
                   `status: False`, with Reason `Conflicted`.
 
+                  Implementations SHOULD NOT support more than one targetRef at this
+                  time. Although the API technically allows for this, the current guidance
+                  for conflict resolution and status handling is lacking. Until that can be
+                  clarified in a future release, the safest approach is to support a single
+                  targetRef.
+
                   Support: Extended for Kubernetes Service
 
                   Support: Implementation-specific for any other resource
@@ -1332,6 +1344,8 @@ spec:
         type: object
     served: false
     storage: false
+    subresources:
+      status: {}
 status:
   acceptedNames:
     kind: ""
@@ -1347,7 +1361,7 @@ kind: CustomResourceDefinition
 metadata:
   annotations:
     api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/3328
-    gateway.networking.k8s.io/bundle-version: v1.4.0
+    gateway.networking.k8s.io/bundle-version: v1.4.1
     gateway.networking.k8s.io/channel: standard
   name: gatewayclasses.gateway.networking.k8s.io
 spec:
@@ -1866,7 +1880,7 @@ kind: CustomResourceDefinition
 metadata:
   annotations:
     api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/3328
-    gateway.networking.k8s.io/bundle-version: v1.4.0
+    gateway.networking.k8s.io/bundle-version: v1.4.1
     gateway.networking.k8s.io/channel: standard
   name: gateways.gateway.networking.k8s.io
 spec:
@@ -4123,7 +4137,7 @@ kind: CustomResourceDefinition
 metadata:
   annotations:
     api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/3328
-    gateway.networking.k8s.io/bundle-version: v1.4.0
+    gateway.networking.k8s.io/bundle-version: v1.4.1
     gateway.networking.k8s.io/channel: standard
   name: grpcroutes.gateway.networking.k8s.io
 spec:
@@ -6197,7 +6211,7 @@ kind: CustomResourceDefinition
 metadata:
   annotations:
     api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/3328
-    gateway.networking.k8s.io/bundle-version: v1.4.0
+    gateway.networking.k8s.io/bundle-version: v1.4.1
     gateway.networking.k8s.io/channel: standard
   name: httproutes.gateway.networking.k8s.io
 spec:
@@ -7073,6 +7087,9 @@ spec:
                                       enum:
                                       - 301
                                       - 302
+                                      - 303
+                                      - 307
+                                      - 308
                                       type: integer
                                   type: object
                                 responseHeaderModifier:
@@ -8007,6 +8024,9 @@ spec:
                                 enum:
                                 - 301
                                 - 302
+                                - 303
+                                - 307
+                                - 308
                                 type: integer
                             type: object
                           responseHeaderModifier:
@@ -9882,6 +9902,9 @@ spec:
                                       enum:
                                       - 301
                                       - 302
+                                      - 303
+                                      - 307
+                                      - 308
                                       type: integer
                                   type: object
                                 responseHeaderModifier:
@@ -10816,6 +10839,9 @@ spec:
                                 enum:
                                 - 301
                                 - 302
+                                - 303
+                                - 307
+                                - 308
                                 type: integer
                             type: object
                           responseHeaderModifier:
@@ -11844,7 +11870,7 @@ kind: CustomResourceDefinition
 metadata:
   annotations:
     api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/3328
-    gateway.networking.k8s.io/bundle-version: v1.4.0
+    gateway.networking.k8s.io/bundle-version: v1.4.1
     gateway.networking.k8s.io/channel: standard
   name: referencegrants.gateway.networking.k8s.io
 spec: