Merge branch 'main' into grpc-streaming-timeout

Signed-off-by: Isaac <[email protected]>

Author: jukie

.github/workflows/build_and_test.yaml

@@ -117,7 +117,7 @@ jobs:
       run: make build-multiarch PLATFORMS="linux_amd64 linux_arm64"
 
     - name: Upload EG Binaries
-      uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02  # v4.6.2
+      uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4  # v5.0.0
       with:
         name: envoy-gateway
         path: bin/
@@ -156,7 +156,7 @@ jobs:
     - uses: ./tools/github-actions/setup-deps
 
     - name: Download EG Binaries
-      uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0  # v5.0.0
+      uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53  # v6.0.0
       with:
         name: envoy-gateway
         path: bin/
@@ -210,7 +210,7 @@ jobs:
     - uses: ./tools/github-actions/setup-deps
 
     - name: Download EG Binaries
-      uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0  # v5.0.0
+      uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53  # v6.0.0
       with:
         name: envoy-gateway
         path: bin/
@@ -265,7 +265,7 @@ jobs:
       run: make benchmark
 
     - name: Upload Benchmark report
-      uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02  # v4.6.2
+      uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4  # v5.0.0
       with:
         name: benchmark-report
         path: ./test/benchmark/benchmark_report/
@@ -293,7 +293,7 @@ jobs:
     - uses: ./tools/github-actions/setup-deps
 
     - name: Download EG Binaries
-      uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0  # v5.0.0
+      uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53  # v6.0.0
       with:
         name: envoy-gateway
         path: bin/

.github/workflows/codeql.yml

@@ -36,14 +36,14 @@ jobs:
     - uses: ./tools/github-actions/setup-deps
 
     - name: Initialize CodeQL
-      uses: github/codeql-action/init@16140ae1a102900babc80a33c44059580f687047  # v3.29.5
+      uses: github/codeql-action/init@4e94bd11f71e507f7f87df81788dff88d1dacbfb  # v3.29.5
       with:
         languages: ${{ matrix.language }}
 
     - name: Autobuild
-      uses: github/codeql-action/autobuild@16140ae1a102900babc80a33c44059580f687047  # v3.29.5
+      uses: github/codeql-action/autobuild@4e94bd11f71e507f7f87df81788dff88d1dacbfb  # v3.29.5
 
     - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@16140ae1a102900babc80a33c44059580f687047  # v3.29.5
+      uses: github/codeql-action/analyze@4e94bd11f71e507f7f87df81788dff88d1dacbfb  # v3.29.5
       with:
         category: "/language:${{matrix.language}}"

.github/workflows/experimental_conformance.yaml

@@ -60,7 +60,7 @@ jobs:
         run: make experimental-conformance
 
       - name: Upload Conformance Report
-        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02  # v4.6.2
+        uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4  # v5.0.0
         with:
           name: conformance-report-k8s-${{ matrix.target.version }}-${{ matrix.target.profile }}
           path: ./test/conformance/conformance-report-k8s-${{ matrix.target.version }}-${{ matrix.target.profile }}.yaml

.github/workflows/release.yaml

@@ -42,7 +42,7 @@ jobs:
         run: cd test/benchmark && zip -r benchmark_report.zip benchmark_report
 
       - name: Upload Benchmark Report
-        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02  # v4.6.2
+        uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4  # v5.0.0
         with:
           name: benchmark_report
           path: test/benchmark/benchmark_report.zip
@@ -81,7 +81,7 @@ jobs:
           IMAGE_PULL_POLICY=IfNotPresent OCI_REGISTRY=oci://docker.io/envoyproxy CHART_VERSION=${{ env.without_v_release_tag }} IMAGE=docker.io/envoyproxy/gateway TAG=${{ env.release_tag }} make helm-package helm-push
 
       - name: Download Benchmark Report
-        uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0  # v5.0.0
+        uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53  # v6.0.0
         with:
           name: benchmark_report
           path: release-artifacts

.github/workflows/scorecard.yml

@@ -33,13 +33,13 @@ jobs:
         publish_results: true
 
     - name: "Upload artifact"
-      uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02  # v4.6.2
+      uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4  # v5.0.0
       with:
         name: SARIF file
         path: results.sarif
         retention-days: 5
 
     - name: "Upload to code-scanning"
-      uses: github/codeql-action/upload-sarif@16140ae1a102900babc80a33c44059580f687047  # v3.29.5
+      uses: github/codeql-action/upload-sarif@4e94bd11f71e507f7f87df81788dff88d1dacbfb  # v3.29.5
       with:
         sarif_file: results.sarif

api/v1alpha1/connection_types.go

@@ -70,6 +70,45 @@ type BackendConnection struct {
 	// +optional
 	// +notImplementedHide
 	SocketBufferLimit *resource.Quantity `json:"socketBufferLimit,omitempty"`
+
+	// Preconnect configures proactive upstream connections to reduce latency by establishing
+	// connections before they’re needed and avoiding connection establishment overhead.
+	//
+	// If unset, Envoy will fetch connections as needed to serve in-flight requests.
+	//
+	// +optional
+	Preconnect *PreconnectPolicy `json:"preconnect,omitempty"`
+}
+
+// Preconnect configures proactive upstream connections to avoid
+// connection establishment overhead and reduce latency.
+type PreconnectPolicy struct {
+	// PerEndpointPercent configures how many additional connections to maintain per
+	// upstream endpoint, useful for high-QPS or latency sensitive services. Expressed as a
+	// percentage of the connections required by active streams
+	// (e.g. 100 = preconnect disabled, 105 = 1.05x connections per-endpoint, 200 = 2.00×).
+	//
+	// Allowed value range is between 100-300. When both PerEndpointPercent and
+	// PredictivePercent are set, Envoy ensures both are satisfied (max of the two).
+	//
+	// +kubebuilder:validation:Minimum=100
+	// +kubebuilder:validation:Maximum=300
+	// +optional
+	PerEndpointPercent *uint32 `json:"perEndpointPercent,omitempty"`
+
+	// PredictivePercent configures how many additional connections to maintain
+	// across the cluster by anticipating which upstream endpoint the load balancer
+	// will select next, useful for low-QPS services. Relies on deterministic
+	// loadbalancing and is only supported with Random or RoundRobin.
+	// Expressed as a percentage of the connections required by active streams
+	// (e.g. 100 = 1.0 (no preconnect), 105 = 1.05× connections across the cluster, 200 = 2.00×).
+	//
+	// Minimum allowed value is 100. When both PerEndpointPercent and PredictivePercent are
+	// set Envoy ensures both are satisfied per host (max of the two).
+	//
+	// +kubebuilder:validation:Minimum=100
+	// +optional
+	PredictivePercent *uint32 `json:"predictivePercent,omitempty"`
 }
 
 type ConnectionLimit struct {

api/v1alpha1/shared_types.go

@@ -585,6 +585,8 @@ type BackendCluster struct {
 
 // ClusterSettings provides the various knobs that can be set to control how traffic to a given
 // backend will be configured.
+//
+// +kubebuilder:validation:XValidation:rule="!((has(self.connection) && has(self.connection.preconnect) && has(self.connection.preconnect.predictivePercent)) && !(has(self.loadBalancer) && has(self.loadBalancer.type) && self.loadBalancer.type in ['Random', 'RoundRobin']))",message="predictivePercent in preconnect policy only works with RoundRobin or Random load balancers"
 type ClusterSettings struct {
 	// LoadBalancer policy to apply when routing traffic from the gateway to
 	// the backend endpoints. Defaults to `LeastRequest`.

api/v1alpha1/zz_generated.deepcopy.go

@@ -191,6 +191,41 @@ spec:
                       For example, 20Mi, 1Gi, 256Ki etc.
                       Note: that when the suffix is not provided, the value is interpreted as bytes.
                     x-kubernetes-int-or-string: true
+                  preconnect:
+                    description: |-
+                      Preconnect configures proactive upstream connections to reduce latency by establishing
+                      connections before they’re needed and avoiding connection establishment overhead.
+
+                      If unset, Envoy will fetch connections as needed to serve in-flight requests.
+                    properties:
+                      perEndpointPercent:
+                        description: |-
+                          PerEndpointPercent configures how many additional connections to maintain per
+                          upstream endpoint, useful for high-QPS or latency sensitive services. Expressed as a
+                          percentage of the connections required by active streams
+                          (e.g. 100 = preconnect disabled, 105 = 1.05x connections per-endpoint, 200 = 2.00×).
+
+                          Allowed value range is between 100-300. When both PerEndpointPercent and
+                          PredictivePercent are set, Envoy ensures both are satisfied (max of the two).
+                        format: int32
+                        maximum: 300
+                        minimum: 100
+                        type: integer
+                      predictivePercent:
+                        description: |-
+                          PredictivePercent configures how many additional connections to maintain
+                          across the cluster by anticipating which upstream endpoint the load balancer
+                          will select next, useful for low-QPS services. Relies on deterministic
+                          loadbalancing and is only supported with Random or RoundRobin.
+                          Expressed as a percentage of the connections required by active streams
+                          (e.g. 100 = 1.0 (no preconnect), 105 = 1.05× connections across the cluster, 200 = 2.00×).
+
+                          Minimum allowed value is 100. When both PerEndpointPercent and PredictivePercent are
+                          set Envoy ensures both are satisfied per host (max of the two).
+                        format: int32
+                        minimum: 100
+                        type: integer
+                    type: object
                   socketBufferLimit:
                     allOf:
                     - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
@@ -2273,6 +2308,12 @@ spec:
                 : true'
             - message: either compression or compressor can be set, not both
               rule: '!has(self.compression) || !has(self.compressor)'
+            - message: predictivePercent in preconnect policy only works with RoundRobin
+                or Random load balancers
+              rule: '!((has(self.connection) && has(self.connection.preconnect) &&
+                has(self.connection.preconnect.predictivePercent)) && !(has(self.loadBalancer)
+                && has(self.loadBalancer.type) && self.loadBalancer.type in [''Random'',
+                ''RoundRobin'']))'
           status:
             description: status defines the current status of BackendTrafficPolicy.
             properties:

charts/gateway-crds-helm/templates/generated/gateway.envoyproxy.io_backendtrafficpolicies.yaml

@@ -302,6 +302,41 @@ spec:
                                 For example, 20Mi, 1Gi, 256Ki etc.
                                 Note: that when the suffix is not provided, the value is interpreted as bytes.
                               x-kubernetes-int-or-string: true
+                            preconnect:
+                              description: |-
+                                Preconnect configures proactive upstream connections to reduce latency by establishing
+                                connections before they’re needed and avoiding connection establishment overhead.
+
+                                If unset, Envoy will fetch connections as needed to serve in-flight requests.
+                              properties:
+                                perEndpointPercent:
+                                  description: |-
+                                    PerEndpointPercent configures how many additional connections to maintain per
+                                    upstream endpoint, useful for high-QPS or latency sensitive services. Expressed as a
+                                    percentage of the connections required by active streams
+                                    (e.g. 100 = preconnect disabled, 105 = 1.05x connections per-endpoint, 200 = 2.00×).
+
+                                    Allowed value range is between 100-300. When both PerEndpointPercent and
+                                    PredictivePercent are set, Envoy ensures both are satisfied (max of the two).
+                                  format: int32
+                                  maximum: 300
+                                  minimum: 100
+                                  type: integer
+                                predictivePercent:
+                                  description: |-
+                                    PredictivePercent configures how many additional connections to maintain
+                                    across the cluster by anticipating which upstream endpoint the load balancer
+                                    will select next, useful for low-QPS services. Relies on deterministic
+                                    loadbalancing and is only supported with Random or RoundRobin.
+                                    Expressed as a percentage of the connections required by active streams
+                                    (e.g. 100 = 1.0 (no preconnect), 105 = 1.05× connections across the cluster, 200 = 2.00×).
+
+                                    Minimum allowed value is 100. When both PerEndpointPercent and PredictivePercent are
+                                    set Envoy ensures both are satisfied per host (max of the two).
+                                  format: int32
+                                  minimum: 100
+                                  type: integer
+                              type: object
                             socketBufferLimit:
                               allOf:
                               - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
@@ -1067,6 +1102,13 @@ spec:
                               type: object
                           type: object
                       type: object
+                      x-kubernetes-validations:
+                      - message: predictivePercent in preconnect policy only works
+                          with RoundRobin or Random load balancers
+                        rule: '!((has(self.connection) && has(self.connection.preconnect)
+                          && has(self.connection.preconnect.predictivePercent)) &&
+                          !(has(self.loadBalancer) && has(self.loadBalancer.type)
+                          && self.loadBalancer.type in [''Random'', ''RoundRobin'']))'
                     failOpen:
                       default: false
                       description: |-