Support glob rbac

.github/workflows/.env/nightly-tests/max_versions.env

@@ -4,4 +4,4 @@ kind_version='v0.30.0'
 helm_version='v3.18.6'
 argocd_version='v3.1.1'
 istio_version='1.27.0'
-k8sgateway_api_version='v1.3.0'
+k8sgateway_api_version='v1.4.0'

.github/workflows/static-analysis.yaml

@@ -45,11 +45,11 @@ jobs:
       uses: actions/checkout@v4
     - name: Prep Go Runner
       uses: ./.github/workflows/composite-actions/prep-go-runner
-    - uses: golangci/golangci-lint-action@v6
+    - uses: golangci/golangci-lint-action@v7
       # `make analyze` runs the linter with similar arguments to what we use here.
       # If this action fails, try running `make analyze` locally.
       with:
-        version: v1.64.5
+        version: v2.7.2
         args: --verbose --modules-download-mode=readonly --allow-parallel-runners
         skip-cache: true
         skip-save-cache: true

.golangci.yaml

@@ -5,9 +5,11 @@
 # * https://github.com/golangci/golangci-lint/blob/master/.golangci.reference.yml
 # * https://golangci-lint.run/usage/configuration/
 #
+version: "2"
+
 linters:
-  # Disable all linters.
-  disable-all: true
+  # Disable all linters by default.
+  default: none
   # Enable specific linters
   # https://golangci-lint.run/usage/linters/#enabled-by-default
   enable:
@@ -17,45 +19,43 @@ linters:
     # See: https://github.com/solo-io/gloo-mesh-enterprise/blob/main/.golangci.yaml for a reference
     - bodyclose
     - ginkgolinter
-    - goimports
     - nakedret
     - predeclared
     - usestdlibvars
     - importas
-
-# Settings dedicated to specific linters.
-linters-settings:
-  importas:
-    alias:
-      - pkg: k8s.io/api/apps/v1
-        alias: appsv1
-      - pkg: k8s.io/api/core/v1
-        alias: corev1
-      - pkg: k8s.io/apimachinery/pkg/apis/meta/v1
-        alias: metav1
-      - pkg: k8s.io/api/batch/v1
-        alias: batchv1
-      - pkg: github.com/solo-io/gloo/test/kubernetes/testutils/clients
-        alias: kubetestclients
-  nakedret:
-    # The team consensus is that naked returns hinder the readability of the code.
-    # However, named return values can still be useful as documentation for certain scenarios.
-    # By setting this to 0 in lieu of the default 30, we will effectively allow named return
-    # values as long as they are included in the return statement(s) e.g.
-    # func foo() (a, b int) {
-    #     a = 1
-    #     b = 2
-    #     c := 3
-    #     d := 4
-    #     // These are allowed
-    #     return a, b
-    #     return c, d
-    #     return d, c
-    #     // This is NOT allowed
-    #     return
-    #     // This is allowed but really, really bad. DO NOT do this.
-    #     return b, a
-    max-func-lines: 0
+  # Settings dedicated to specific linters.
+  settings:
+    importas:
+      alias:
+        - pkg: k8s.io/api/apps/v1
+          alias: appsv1
+        - pkg: k8s.io/api/core/v1
+          alias: corev1
+        - pkg: k8s.io/apimachinery/pkg/apis/meta/v1
+          alias: metav1
+        - pkg: k8s.io/api/batch/v1
+          alias: batchv1
+        - pkg: github.com/solo-io/gloo/test/kubernetes/testutils/clients
+          alias: kubetestclients
+    nakedret:
+      # The team consensus is that naked returns hinder the readability of the code.
+      # However, named return values can still be useful as documentation for certain scenarios.
+      # By setting this to 0 in lieu of the default 30, we will effectively allow named return
+      # values as long as they are included in the return statement(s) e.g.
+      # func foo() (a, b int) {
+      #     a = 1
+      #     b = 2
+      #     c := 3
+      #     d := 4
+      #     // These are allowed
+      #     return a, b
+      #     return c, d
+      #     return d, c
+      #     // This is NOT allowed
+      #     return
+      #     // This is allowed but really, really bad. DO NOT do this.
+      #     return b, a
+      max-func-lines: 0
 
 issues:
   # Maximum count of issues with the same text.
@@ -84,17 +84,13 @@ run:
 
 # output configuration options
 output:
-  # Use default format
-  # Default:
-  #   formats:
-  #     - format: colored-line-number
-  #       path: stdout
-
-  # Print lines of code with issue.
-  print-issued-lines: true
+  formats:
+    text:
+      path: stdout
+      print-linter-name: true
+      print-issued-lines: true
 
-  # Print linter name in the end of issue text.
-  print-linter-name: true
-
-  # Sort results by: filepath, line and column.
-  sort-results: true
+# Formatters configuration (v2)
+formatters:
+  enable:
+    - goimports

.trivyignore

@@ -93,3 +93,7 @@ CVE-2025-46569
 # https://github.com/advisories/GHSA-wq9g-9vfc-cfq9
 # This CVE has been addressed in v1.18.x and later. We have opted to ignore it in v1.17.x because it only affects Portal, which is no longer has any known users on this branch. We will remove this CVE from .trivyignore when v1.17.x is no longer supported. ([issue link](https://github.com/solo-io/gloo/issues/10925))
 CVE-2025-30153
+
+# https://github.com/advisories/GHSA-pwhc-rpq9-4c8w
+# This CVE does not affect the library but the installable
+CVE-2024-25621

Makefile

@@ -182,11 +182,11 @@ install-go-tools: mod-download ## Download and install Go dependencies
 	go install github.com/golang/protobuf/protoc-gen-go
 	go install golang.org/x/tools/cmd/goimports
 	go install github.com/cratonica/2goarray
-	go install github.com/golang/mock/mockgen
+	go install go.uber.org/mock/mockgen
 	go install github.com/saiskee/gettercheck
 	go install github.com/onsi/ginkgo/v2/ginkgo@$(GINKGO_VERSION)
 	# This version must stay in sync with the version used in CI: .github/workflows/static-analysis.yaml
-	go install github.com/golangci/golangci-lint/cmd/golangci-lint@$(LINTER_VERSION)
+	go install github.com/golangci/golangci-lint/v2/cmd/golangci-lint@$(LINTER_VERSION)
 	go install github.com/quasilyte/go-ruleguard/cmd/[email protected]
 	# Kubebuilder docs generation
 	go install fybrik.io/[email protected]

changelog/v1.21.0-beta10/support-glob-rbac-v1.21.0-beta7.yaml

@@ -0,0 +1,6 @@
+changelog:
+- type: NEW_FEATURE
+  description: >
+    Updating RBAC proto to enable support for glob claim types
+  issueLink: https://github.com/solo-io/solo-projects/issues/8612
+  resolvesIssue: false

changelog/v1.21.0-beta7/bump-gwapi-1.4.yaml

@@ -0,0 +1,81 @@
+changelog:
+- type: DEPENDENCY_BUMP
+  dependencyOwner: sigs.k8s.io
+  dependencyRepo: gateway-api
+  dependencyTag: v1.4.1
+- type: DEPENDENCY_BUMP
+  dependencyOwner: sigs.k8s.io
+  dependencyRepo: controller-runtime
+  dependencyTag: v0.22.1
+- type: DEPENDENCY_BUMP
+  dependencyOwner: solo-io
+  dependencyRepo: cloud-builders
+  dependencyTag: v0.14.0
+- type: DEPENDENCY_BUMP
+  dependencyOwner: k8s.io
+  dependencyRepo: api
+  dependencyTag: v0.34.2
+- type: DEPENDENCY_BUMP
+  dependencyOwner: k8s.io
+  dependencyRepo: apiextensions-apiserver
+  dependencyTag: v0.34.2
+- type: DEPENDENCY_BUMP
+  dependencyOwner: k8s.io
+  dependencyRepo: apimachinery
+  dependencyTag: v0.34.2
+- type: DEPENDENCY_BUMP
+  dependencyOwner: k8s.io
+  dependencyRepo: apiserver
+  dependencyTag: v0.34.2
+- type: DEPENDENCY_BUMP
+  dependencyOwner: k8s.io
+  dependencyRepo: cli-runtime
+  dependencyTag: v0.34.2
+- type: DEPENDENCY_BUMP
+  dependencyOwner: k8s.io
+  dependencyRepo: client-go
+  dependencyTag: v0.34.2
+- type: DEPENDENCY_BUMP
+  dependencyOwner: k8s.io
+  dependencyRepo: code-generator
+  dependencyTag: v0.34.2
+- type: DEPENDENCY_BUMP
+  dependencyOwner: k8s.io
+  dependencyRepo: component-base
+  dependencyTag: v0.34.2
+- type: DEPENDENCY_BUMP
+  dependencyOwner: k8s.io
+  dependencyRepo: component-helpers
+  dependencyTag: v0.34.2
+- type: DEPENDENCY_BUMP
+  dependencyOwner: k8s.io
+  dependencyRepo: kubectl
+  dependencyTag: v0.34.2
+- type: DEPENDENCY_BUMP
+  dependencyOwner: k8s.io
+  dependencyRepo: metrics
+  dependencyTag: v0.34.2
+- type: DEPENDENCY_BUMP
+  dependencyOwner: solo-io
+  dependencyRepo: go-utils
+  dependencyTag: v0.29.0
+- type: DEPENDENCY_BUMP
+  dependencyOwner: solo-io
+  dependencyRepo: k8s-utils
+  dependencyTag: v0.12.0
+- type: DEPENDENCY_BUMP
+  dependencyOwner: solo-io
+  dependencyRepo: protoc-gen-openapi
+  dependencyTag: v0.4.0
+- type: DEPENDENCY_BUMP
+  dependencyOwner: solo-io
+  dependencyRepo: skv2
+  dependencyTag: v0.45.0
+- type: DEPENDENCY_BUMP
+  dependencyOwner: solo-io
+  dependencyRepo: solo-apis
+  dependencyTag: v0.0.0-20251212201919-e8dd072aea09
+- type: DEPENDENCY_BUMP
+  dependencyOwner: solo-io
+  dependencyRepo: solo-kit
+  dependencyTag: v0.40.0

changelog/v1.21.0-beta7/ignore-CVE-2024-25621.yaml

@@ -0,0 +1,5 @@
+changelog:
+- type: NON_USER_FACING
+  description: Add CVE-2024-25621 to .trivyignore
+  issueLink: https://github.com/solo-io/gloo/issues/11070
+

changelog/v1.21.0-beta8/hardcode-gk.yaml

@@ -0,0 +1,7 @@
+changelog:
+- type: NON_USER_FACING
+  issueLink: https://github.com/solo-io/solo-projects/issues/8681
+  resolvesIssue: false
+  description: >-
+    No longer rely on the GVK of the source object to determine the resource kind of the source in AppendSourceToVirtualHost and AppendSourceToListener,
+    just use the known GVKs. This is because a change in controller-runtime caused the GVK of the source object to be empty.

changelog/v1.21.0-beta9/fix-gk.yaml

@@ -0,0 +1,6 @@
+changelog:
+- type: NON_USER_FACING
+  issueLink: https://github.com/solo-io/solo-projects/issues/8681
+  resolvesIssue: false
+  description: >-
+    fix: don't assume source is listeneroption when appending source to listener in AppendSourceToListener

ci/cloudbuild/publish-artifacts.yaml

@@ -1,6 +1,6 @@
 steps:
 
-- name: 'gcr.io/$PROJECT_ID/prepare-go-workspace:0.13.2'
+- name: 'gcr.io/$PROJECT_ID/prepare-go-workspace:0.14.0'
   id: 'prepare-workspace'
   args:
   - '--repo-name'
@@ -59,7 +59,7 @@ steps:
     - '-c'
     - 'docker run --rm --privileged multiarch/qemu-user-static --reset -p yes -c yes'
 
-- name: 'gcr.io/$PROJECT_ID/go-mod-make:0.13.2'
+- name: 'gcr.io/$PROJECT_ID/go-mod-make:0.14.0'
   id: 'build-certgen-arm64-binary'
   args:
   - 'certgen-docker'
@@ -68,14 +68,15 @@ steps:
   - 'GOARCH=arm64'
 
 # Run make targets to push docker images to quay.io
-- name: 'gcr.io/$PROJECT_ID/go-mod-make:0.13.2'
+- name: 'gcr.io/$PROJECT_ID/go-mod-make:0.14.0'
   id: 'publish-docker'
   args:
   - 'publish-docker'
   dir: *dir
   env:
   - 'MULTIARCH=true'
   - 'MULTIARCH_PUSH=true'
+  - 'DOCKER_API_VERSION=1.41'
   secretEnv:
   - 'GITHUB_TOKEN'
   waitFor:
@@ -94,7 +95,7 @@ steps:
   waitFor:
   - 'publish-docker'
 
-- name: 'gcr.io/$PROJECT_ID/go-mod-make:0.13.2'
+- name: 'gcr.io/$PROJECT_ID/go-mod-make:0.14.0'
   id: 'release-chart'
   dir: *dir
   args:
@@ -109,7 +110,7 @@ steps:
   - 'gcr-auth'
 
 # Run make targets to build and push docker images to GCR
-- name: 'gcr.io/$PROJECT_ID/go-mod-make:0.13.2'
+- name: 'gcr.io/$PROJECT_ID/go-mod-make:0.14.0'
   id: 'publish-docker-extended-gcr'
   dir: *dir
   args:
@@ -118,6 +119,7 @@ steps:
   - 'MULTIARCH=true'
   - 'MULTIARCH_PUSH=true'
   - 'IMAGE_REGISTRY=gcr.io/gloo-edge'
+  - 'DOCKER_API_VERSION=1.41'
   secretEnv:
   - 'GITHUB_TOKEN'
   waitFor:

ci/cloudbuild/run-tests.yaml

@@ -1,6 +1,6 @@
 steps:
 
-- name: 'gcr.io/$PROJECT_ID/prepare-go-workspace:0.13.2'
+- name: 'gcr.io/$PROJECT_ID/prepare-go-workspace:0.14.0'
   id: 'prepare-workspace'
   args:
   - '--repo-name'
@@ -23,7 +23,7 @@ steps:
     cd /go/pkg
     gsutil cat gs://$PROJECT_ID-cache/gloo/gloo-mod.tar.gz | tar -xzf - || echo "untar mod cache failed; continuing because we can download deps as we need them"
 
-- name: 'gcr.io/$PROJECT_ID/go-mod-make:0.13.2'
+- name: 'gcr.io/$PROJECT_ID/go-mod-make:0.14.0'
   id: 'prepare-envoy'
   dir: *dir
   entrypoint: 'bash'
@@ -77,8 +77,8 @@ steps:
   waitFor:
   - 'prepare-gcr-zone'
 
-- name: 'gcr.io/$PROJECT_ID/go-mod-make:0.13.2'
-  id: 'prepare-test-tools'
+- name: 'gcr.io/$PROJECT_ID/go-mod-make:0.14.0'
+  id: 'prepare-test-tools'  
   dir: *dir
   args:
   - 'install-test-tools'
@@ -88,7 +88,7 @@ steps:
   - 'prepare-gcr-zone'
   - 'prepare-test-credentials'
 
-- name: 'gcr.io/$PROJECT_ID/e2e-go-mod-ginkgo:0.13.2'
+- name: 'gcr.io/$PROJECT_ID/e2e-go-mod-ginkgo:0.14.0'
   id: 'run-tests'
   dir: *dir
   entrypoint: 'make'
@@ -99,7 +99,7 @@ steps:
   secretEnv:
   - 'JWT_PRIVATE_KEY'
 
-- name: 'gcr.io/$PROJECT_ID/e2e-go-mod-ginkgo:0.13.2'
+- name: 'gcr.io/$PROJECT_ID/e2e-go-mod-ginkgo:0.14.0'
   id: 'run-e2e-tests'
   dir: *dir
   entrypoint: 'make'
@@ -110,7 +110,7 @@ steps:
   secretEnv:
   - 'JWT_PRIVATE_KEY'
 
-- name: 'gcr.io/$PROJECT_ID/e2e-go-mod-ginkgo:0.13.2'
+- name: 'gcr.io/$PROJECT_ID/e2e-go-mod-ginkgo:0.14.0'
   id: 'run-hashicorp-e2e-tests'
   dir: *dir
   entrypoint: 'make'