envoyproxy
diff --git a/‎.github/workflows/codeql.yml‎
Lines changed: 3 additions & 3 deletions b/‎.github/workflows/codeql.yml‎
Lines changed: 3 additions & 3 deletions
diff --git a/‎.github/workflows/scorecard.yml‎
Lines changed: 1 addition & 1 deletion b/‎.github/workflows/scorecard.yml‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎api/v1alpha1/shared_types.go‎
Lines changed: 11 additions & 0 deletions b/‎api/v1alpha1/shared_types.go‎
Lines changed: 11 additions & 0 deletions
diff --git a/‎api/v1alpha1/validation/envoyproxy_validate.go‎
Lines changed: 18 additions & 12 deletions b/‎api/v1alpha1/validation/envoyproxy_validate.go‎
Lines changed: 18 additions & 12 deletions
diff --git a/‎api/v1alpha1/validation/envoyproxy_validate_test.go‎
Lines changed: 41 additions & 0 deletions b/‎api/v1alpha1/validation/envoyproxy_validate_test.go‎
Lines changed: 41 additions & 0 deletions
diff --git a/‎api/v1alpha1/zz_generated.deepcopy.go‎
Lines changed: 7 additions & 0 deletions b/‎api/v1alpha1/zz_generated.deepcopy.go‎
Lines changed: 7 additions & 0 deletions
@@ -36,14 +36,14 @@ jobs:
     - uses: ./tools/github-actions/setup-deps
 
     - name: Initialize CodeQL
-      uses: github/codeql-action/init@e12f0178983d466f2f6028f5cc7a6d786fd97f4b  # v3.29.5
+      uses: github/codeql-action/init@fdbfb4d2750291e159f0156def62b853c2798ca2  # v3.29.5
       with:
         languages: ${{ matrix.language }}
 
     - name: Autobuild
-      uses: github/codeql-action/autobuild@e12f0178983d466f2f6028f5cc7a6d786fd97f4b  # v3.29.5
+      uses: github/codeql-action/autobuild@fdbfb4d2750291e159f0156def62b853c2798ca2  # v3.29.5
 
     - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@e12f0178983d466f2f6028f5cc7a6d786fd97f4b  # v3.29.5
+      uses: github/codeql-action/analyze@fdbfb4d2750291e159f0156def62b853c2798ca2  # v3.29.5
       with:
         category: "/language:${{matrix.language}}"
@@ -40,6 +40,6 @@ jobs:
         retention-days: 5
 
     - name: "Upload to code-scanning"
-      uses: github/codeql-action/upload-sarif@e12f0178983d466f2f6028f5cc7a6d786fd97f4b  # v3.29.5
+      uses: github/codeql-action/upload-sarif@fdbfb4d2750291e159f0156def62b853c2798ca2  # v3.29.5
       with:
         sarif_file: results.sarif
@@ -931,6 +931,7 @@ type HTTPHeaderFilter struct {
 	// +optional
 	// +listType=map
 	// +listMapKey=name
+	// +kubebuilder:validation:MinItems=1
 	// +kubebuilder:validation:MaxItems=64
 	Set []gwapiv1.HTTPHeader `json:"set,omitempty"`
 
@@ -954,6 +955,7 @@ type HTTPHeaderFilter struct {
 	// +optional
 	// +listType=map
 	// +listMapKey=name
+	// +kubebuilder:validation:MinItems=1
 	// +kubebuilder:validation:MaxItems=64
 	Add []gwapiv1.HTTPHeader `json:"add,omitempty"`
 
@@ -977,6 +979,15 @@ type HTTPHeaderFilter struct {
 	//
 	// +optional
 	// +listType=set
+	// +kubebuilder:validation:MinItems=1
 	// +kubebuilder:validation:MaxItems=64
 	Remove []string `json:"remove,omitempty"`
+
+	// RemoveOnMatch removes headers whose names match the specified string matchers.
+	// Matching is performed on the header name (case-insensitive).
+	//
+	// +optional
+	// +kubebuilder:validation:MinItems=1
+	// +kubebuilder:validation:MaxItems=64
+	RemoveOnMatch []StringMatch `json:"removeOnMatch,omitempty"`
 }
@@ -11,6 +11,7 @@ import (
 	"net"
 	"net/netip"
 	"regexp"
+	"strings"
 
 	"github.com/dominikbraun/graph"
 	utilerrors "k8s.io/apimachinery/pkg/util/errors"
@@ -296,32 +297,34 @@ func validateFilterOrder(filterOrder []egv1a1.FilterPosition) error {
 	return nil
 }
 
-func ValidateRouteStatName(routeStatName string) error {
-	supportedOperators := map[string]bool{
+var (
+	routeStatSupportedOperators = map[string]bool{
 		egv1a1.StatFormatterRouteName:      true,
 		egv1a1.StatFormatterRouteNamespace: true,
 		egv1a1.StatFormatterRouteKind:      true,
 		egv1a1.StatFormatterRouteRuleName:  true,
 	}
 
-	if err := validateStatName(routeStatName, supportedOperators); err != nil {
-		return fmt.Errorf("unable to configure Route Stat Name: %w", err)
-	}
-
-	return nil
-}
-
-func ValidateClusterStatName(clusterStatName string) error {
-	supportedOperators := map[string]bool{
+	clusterStatSupportedOperators = map[string]bool{
 		egv1a1.StatFormatterRouteName:       true,
 		egv1a1.StatFormatterRouteNamespace:  true,
 		egv1a1.StatFormatterRouteKind:       true,
 		egv1a1.StatFormatterRouteRuleName:   true,
 		egv1a1.StatFormatterRouteRuleNumber: true,
 		egv1a1.StatFormatterBackendRefs:     true,
 	}
+)
+
+func ValidateRouteStatName(routeStatName string) error {
+	if err := validateStatName(routeStatName, routeStatSupportedOperators); err != nil {
+		return fmt.Errorf("unable to configure Route Stat Name: %w", err)
+	}
 
-	if err := validateStatName(clusterStatName, supportedOperators); err != nil {
+	return nil
+}
+
+func ValidateClusterStatName(clusterStatName string) error {
+	if err := validateStatName(clusterStatName, clusterStatSupportedOperators); err != nil {
 		return fmt.Errorf("unable to configure Cluster Stat Name: %w", err)
 	}
 
@@ -331,6 +334,9 @@ func ValidateClusterStatName(clusterStatName string) error {
 func validateStatName(statName string, supportedOperators map[string]bool) error {
 	var unsupportedOperators []string
 	matches := statNameRegex.FindAllString(statName, -1)
+	if len(matches) == 0 && strings.Contains(statName, "%") {
+		return fmt.Errorf("unable to configure stat name with invalid operator")
+	}
 	for _, operator := range matches {
 		if _, ok := supportedOperators[operator]; !ok {
 			unsupportedOperators = append(unsupportedOperators, operator)
 
@@ -964,3 +964,44 @@ func TestGetEnvoyProxyComponentLevelArgs(t *testing.T) {
 		})
 	}
 }
+
+func TestValidateClusterStatName(t *testing.T) {
+	testCases := []struct {
+		name     string
+		statName string
+		expected bool
+	}{
+		{
+			name:     "valid cluster stat name with supported operators",
+			statName: "%ROUTE_NAME%/%ROUTE_NAMESPACE%/%BACKEND_REFS%",
+			expected: true,
+		},
+		{
+			name:     "invalid cluster stat name with unsupported operators",
+			statName: "%ROUTE_NAME%/%FOO%/%BAR%",
+			expected: false,
+		},
+		{
+			name:     "valid cluster stat name",
+			statName: "any_custom_name",
+			expected: true,
+		},
+		{
+			name:     "invalid cluster stat name",
+			statName: "%ROUTE_NAME",
+			expected: false,
+		},
+	}
+
+	for i := range testCases {
+		tc := testCases[i]
+		t.Run(tc.name, func(t *testing.T) {
+			errs := ValidateClusterStatName(tc.statName)
+			if tc.expected {
+				require.NoError(t, errs)
+			} else {
+				require.Error(t, errs)
+			}
+		})
+	}
+}