envoyproxy
diff --git a/‎api/v1alpha1/authorization_types.go‎
Lines changed: 2 additions & 2 deletions b/‎api/v1alpha1/authorization_types.go‎
Lines changed: 2 additions & 2 deletions
diff --git a/‎api/v1alpha1/backendtrafficpolicy_types.go‎
Lines changed: 9 additions & 0 deletions b/‎api/v1alpha1/backendtrafficpolicy_types.go‎
Lines changed: 9 additions & 0 deletions
diff --git a/‎api/v1alpha1/clienttrafficpolicy_types.go‎
Lines changed: 27 additions & 0 deletions b/‎api/v1alpha1/clienttrafficpolicy_types.go‎
Lines changed: 27 additions & 0 deletions
diff --git a/‎api/v1alpha1/envoygateway_helpers.go‎
Lines changed: 6 additions & 0 deletions b/‎api/v1alpha1/envoygateway_helpers.go‎
Lines changed: 6 additions & 0 deletions
diff --git a/‎api/v1alpha1/envoygateway_types.go‎
Lines changed: 17 additions & 0 deletions b/‎api/v1alpha1/envoygateway_types.go‎
Lines changed: 17 additions & 0 deletions
diff --git a/‎api/v1alpha1/envoyproxy_types.go‎
Lines changed: 17 additions & 15 deletions b/‎api/v1alpha1/envoyproxy_types.go‎
Lines changed: 17 additions & 15 deletions
diff --git a/‎api/v1alpha1/zz_generated.deepcopy.go‎
Lines changed: 15 additions & 0 deletions b/‎api/v1alpha1/zz_generated.deepcopy.go‎
Lines changed: 15 additions & 0 deletions
diff --git a/‎charts/gateway-crds-helm/templates/generated/gateway.envoyproxy.io_backendtrafficpolicies.yaml‎
Lines changed: 7 additions & 0 deletions b/‎charts/gateway-crds-helm/templates/generated/gateway.envoyproxy.io_backendtrafficpolicies.yaml‎
Lines changed: 7 additions & 0 deletions
diff --git a/‎charts/gateway-crds-helm/templates/generated/gateway.envoyproxy.io_clienttrafficpolicies.yaml‎
Lines changed: 15 additions & 0 deletions b/‎charts/gateway-crds-helm/templates/generated/gateway.envoyproxy.io_clienttrafficpolicies.yaml‎
Lines changed: 15 additions & 0 deletions
diff --git a/‎charts/gateway-crds-helm/templates/generated/gateway.envoyproxy.io_envoyproxies.yaml‎
Lines changed: 10 additions & 5 deletions b/‎charts/gateway-crds-helm/templates/generated/gateway.envoyproxy.io_envoyproxies.yaml‎
Lines changed: 10 additions & 5 deletions
@@ -178,8 +178,8 @@ type JWTPrincipal struct {
 
 	// Scopes are a special type of claim in a JWT token that represents the permissions of the client.
 	//
-	// The value of the scopes field should be a space delimited string that is expected in the scope parameter,
-	// as defined in RFC 6749: https://datatracker.ietf.org/doc/html/rfc6749#page-23.
+	// The value of the scopes field should be a space delimited string that is expected in the
+	// scope (or scp) claim, as defined in RFC 6749: https://datatracker.ietf.org/doc/html/rfc6749#page-23.
 	//
 	// If multiple scopes are specified, all scopes must match for the rule to match.
 	//
 
@@ -122,6 +122,15 @@ type BackendTrafficPolicySpec struct {
 	//
 	// +optional
 	Telemetry *BackendTelemetry `json:"telemetry,omitempty"`
+
+	// RoutingType can be set to "Service" to use the Service Cluster IP for routing to the backend,
+	// or it can be set to "Endpoint" to use Endpoint routing.
+	// When specified, this overrides the EnvoyProxy-level setting for the relevant targeRefs.
+	// If not specified, the EnvoyProxy-level setting is used.
+	//
+	// +optional
+	// +notImplementedHide
+	RoutingType *RoutingType `json:"routingType,omitempty"`
 }
 
 type BackendTelemetry struct {
 
@@ -107,6 +107,18 @@ type ClientTrafficPolicySpec struct {
 	//
 	// +optional
 	HealthCheck *HealthCheckSettings `json:"healthCheck,omitempty"`
+	// Scheme configures how the :scheme pseudo-header is set for requests forwarded to backends.
+	//
+	// - Preserve (default): Preserves the :scheme from the original client request.
+	//   Use this when backends need to know the original client scheme for URL generation or redirects.
+	//
+	// - MatchBackend: Sets the :scheme to match the backend transport protocol.
+	//   If the backend uses TLS, the scheme is "https", otherwise "http".
+	//   Use this when backends require the scheme to match the actual transport protocol,
+	//   such as strictly HTTPS services that validate the :scheme header.
+	//
+	// +optional
+	Scheme *SchemeHeaderTransform `json:"scheme,omitempty"`
 }
 
 // HeaderSettings provides configuration options for headers on the listener.
@@ -413,6 +425,21 @@ type ClientTrafficPolicyList struct {
 	Items           []ClientTrafficPolicy `json:"items"`
 }
 
+// SchemeHeaderTransform defines how the :scheme pseudo-header is set for requests forwarded to backends.
+//
+// +kubebuilder:validation:Enum=Preserve;MatchBackend
+type SchemeHeaderTransform string
+
+const (
+	// SchemeHeaderTransformPreserve preserves the :scheme from the original client request.
+	// This is the default behavior.
+	SchemeHeaderTransformPreserve SchemeHeaderTransform = "Preserve"
+
+	// SchemeHeaderTransformMatchBackend sets the :scheme to match the backend transport protocol.
+	// If the backend uses TLS, the scheme is "https", otherwise "http".
+	SchemeHeaderTransformMatchBackend SchemeHeaderTransform = "MatchBackend"
+)
+
 func init() {
 	localSchemeBuilder.Register(&ClientTrafficPolicy{}, &ClientTrafficPolicyList{})
 }
@@ -123,6 +123,12 @@ func (e *EnvoyGateway) TopologyInjectorDisabled() bool {
 	return false
 }
 
+// GetEnvoyProxyDefaultSpec returns the default EnvoyProxySpec if specified,
+// otherwise returns nil.
+func (e *EnvoyGateway) GetEnvoyProxyDefaultSpec() *EnvoyProxySpec {
+	return e.EnvoyProxy
+}
+
 // defaultRuntimeFlags are the default runtime flags for Envoy Gateway.
 var defaultRuntimeFlags = map[RuntimeFlag]bool{
 	XDSNameSchemeV2: false,
 
@@ -110,6 +110,23 @@ type EnvoyGatewaySpec struct {
 	// RuntimeFlags defines the runtime flags for Envoy Gateway.
 	// Unlike ExtensionAPIs, these flags are temporary and will be removed in future releases once the related features are stable.
 	RuntimeFlags *RuntimeFlags `json:"runtimeFlags,omitempty"`
+
+	// EnvoyProxy defines the default EnvoyProxy configuration that applies
+	// to all managed Envoy Proxy fleet. This is an optional field and when
+	// provided, the settings from this EnvoyProxySpec serve as the base
+	// defaults for all Envoy Proxy instances.
+	//
+	// The hierarchy for EnvoyProxy configuration is (highest to lowest priority):
+	// 1. Gateway-level EnvoyProxy (referenced via Gateway.spec.infrastructure.parametersRef)
+	// 2. GatewayClass-level EnvoyProxy (referenced via GatewayClass.spec.parametersRef)
+	// 3. This EnvoyProxy default spec
+	//
+	// Currently, the most specific EnvoyProxy configuration wins completely (replace semantics).
+	// A future release will introduce merge semantics to allow combining configurations
+	// across multiple levels.
+	//
+	// +optional
+	EnvoyProxy *EnvoyProxySpec `json:"envoyProxy,omitempty"`
 }
 
 // GatewayAPI defines an experimental Gateway API resource that can be enabled.
 
@@ -102,12 +102,16 @@ type EnvoyProxySpec struct {
 	// If unspecified, the default filter order is applied.
 	// Default filter order is:
 	//
+	// - envoy.filters.http.custom_response
+	//
 	// - envoy.filters.http.health_check
 	//
 	// - envoy.filters.http.fault
 	//
 	// - envoy.filters.http.cors
 	//
+	// - envoy.filters.http.header_mutation
+	//
 	// - envoy.filters.http.ext_authz
 	//
 	// - envoy.filters.http.api_key_auth
@@ -138,8 +142,6 @@ type EnvoyProxySpec struct {
 	//
 	// - envoy.filters.http.grpc_stats
 	//
-	// - envoy.filters.http.custom_response
-	//
 	// - envoy.filters.http.credential_injector
 	//
 	// - envoy.filters.http.compressor
@@ -246,10 +248,13 @@ type FilterPosition struct {
 }
 
 // EnvoyFilter defines the type of Envoy HTTP filter.
-// +kubebuilder:validation:Enum=envoy.filters.http.health_check;envoy.filters.http.fault;envoy.filters.http.cors;envoy.filters.http.ext_authz;envoy.filters.http.api_key_auth;envoy.filters.http.basic_auth;envoy.filters.http.oauth2;envoy.filters.http.jwt_authn;envoy.filters.http.stateful_session;envoy.filters.http.buffer;envoy.filters.http.lua;envoy.filters.http.ext_proc;envoy.filters.http.wasm;envoy.filters.http.rbac;envoy.filters.http.local_ratelimit;envoy.filters.http.ratelimit;envoy.filters.http.grpc_web;envoy.filters.http.grpc_stats;envoy.filters.http.custom_response;envoy.filters.http.credential_injector;envoy.filters.http.compressor;envoy.filters.http.dynamic_forward_proxy
+// +kubebuilder:validation:Enum=envoy.filters.http.custom_response;envoy.filters.http.health_check;envoy.filters.http.fault;envoy.filters.http.cors;envoy.filters.http.header_mutation;envoy.filters.http.ext_authz;envoy.filters.http.api_key_auth;envoy.filters.http.basic_auth;envoy.filters.http.oauth2;envoy.filters.http.jwt_authn;envoy.filters.http.stateful_session;envoy.filters.http.buffer;envoy.filters.http.lua;envoy.filters.http.ext_proc;envoy.filters.http.wasm;envoy.filters.http.rbac;envoy.filters.http.local_ratelimit;envoy.filters.http.ratelimit;envoy.filters.http.grpc_web;envoy.filters.http.grpc_stats;envoy.filters.http.credential_injector;envoy.filters.http.compressor;envoy.filters.http.dynamic_forward_proxy
 type EnvoyFilter string
 
 const (
+	// EnvoyFilterCustomResponse defines the Envoy HTTP custom response filter.
+	EnvoyFilterCustomResponse EnvoyFilter = "envoy.filters.http.custom_response"
+
 	// EnvoyFilterHealthCheck defines the Envoy HTTP health check filter.
 	EnvoyFilterHealthCheck EnvoyFilter = "envoy.filters.http.health_check"
 
@@ -259,6 +264,9 @@ const (
 	// EnvoyFilterCORS defines the Envoy HTTP CORS filter.
 	EnvoyFilterCORS EnvoyFilter = "envoy.filters.http.cors"
 
+	// EnvoyFilterHeaderMutation defines the Envoy HTTP header mutation filter
+	EnvoyFilterHeaderMutation EnvoyFilter = "envoy.filters.http.header_mutation"
+
 	// EnvoyFilterExtAuthz defines the Envoy HTTP external authorization filter.
 	EnvoyFilterExtAuthz EnvoyFilter = "envoy.filters.http.ext_authz"
 
@@ -278,15 +286,18 @@ const (
 	// EnvoyFilterSessionPersistence defines the Envoy HTTP session persistence filter.
 	EnvoyFilterSessionPersistence EnvoyFilter = "envoy.filters.http.stateful_session"
 
+	// EnvoyFilterBuffer defines the Envoy HTTP buffer filter
+	EnvoyFilterBuffer EnvoyFilter = "envoy.filters.http.buffer"
+
+	// EnvoyFilterLua defines the Envoy HTTP Lua filter.
+	EnvoyFilterLua EnvoyFilter = "envoy.filters.http.lua"
+
 	// EnvoyFilterExtProc defines the Envoy HTTP external process filter.
 	EnvoyFilterExtProc EnvoyFilter = "envoy.filters.http.ext_proc"
 
 	// EnvoyFilterWasm defines the Envoy HTTP WebAssembly filter.
 	EnvoyFilterWasm EnvoyFilter = "envoy.filters.http.wasm"
 
-	// EnvoyFilterLua defines the Envoy HTTP Lua filter.
-	EnvoyFilterLua EnvoyFilter = "envoy.filters.http.lua"
-
 	// EnvoyFilterRBAC defines the Envoy RBAC filter.
 	EnvoyFilterRBAC EnvoyFilter = "envoy.filters.http.rbac"
 
@@ -302,9 +313,6 @@ const (
 	// EnvoyFilterGRPCStats defines the Envoy HTTP gRPC stats filter.
 	EnvoyFilterGRPCStats EnvoyFilter = "envoy.filters.http.grpc_stats"
 
-	// EnvoyFilterCustomResponse defines the Envoy HTTP custom response filter.
-	EnvoyFilterCustomResponse EnvoyFilter = "envoy.filters.http.custom_response"
-
 	// EnvoyFilterCredentialInjector defines the Envoy HTTP credential injector filter.
 	EnvoyFilterCredentialInjector EnvoyFilter = "envoy.filters.http.credential_injector"
 
@@ -317,12 +325,6 @@ const (
 	// EnvoyFilterRouter defines the Envoy HTTP router filter.
 	EnvoyFilterRouter EnvoyFilter = "envoy.filters.http.router"
 
-	// EnvoyFilterBuffer defines the Envoy HTTP buffer filter
-	EnvoyFilterBuffer EnvoyFilter = "envoy.filters.http.buffer"
-
-	// EnvoyFilterHeaderMutation defines the Envoy HTTP header mutation filter
-	EnvoyFilterHeaderMutation EnvoyFilter = "envoy.filters.http.header_mutation"
-
 	// StatFormatterRouteName defines the Route Name formatter for stats
 	StatFormatterRouteName string = "%ROUTE_NAME%"
 
 
@@ -2137,6 +2137,13 @@ spec:
                         type: array
                     type: object
                 type: object
+              routingType:
+                description: |-
+                  RoutingType can be set to "Service" to use the Service Cluster IP for routing to the backend,
+                  or it can be set to "Endpoint" to use Endpoint routing.
+                  When specified, this overrides the EnvoyProxy-level setting for the relevant targeRefs.
+                  If not specified, the EnvoyProxy-level setting is used.
+                type: string
               targetRef:
                 description: |-
                   TargetRef is the name of the resource this policy is being attached to.
 
@@ -880,6 +880,21 @@ spec:
                       For more information on security implications, see haproxy.org/download/2.1/doc/proxy-protocol.txt
                     type: boolean
                 type: object
+              scheme:
+                description: |-
+                  Scheme configures how the :scheme pseudo-header is set for requests forwarded to backends.
+
+                  - Preserve (default): Preserves the :scheme from the original client request.
+                    Use this when backends need to know the original client scheme for URL generation or redirects.
+
+                  - MatchBackend: Sets the :scheme to match the backend transport protocol.
+                    If the backend uses TLS, the scheme is "https", otherwise "http".
+                    Use this when backends require the scheme to match the actual transport protocol,
+                    such as strictly HTTPS services that validate the :scheme header.
+                enum:
+                - Preserve
+                - MatchBackend
+                type: string
               targetRef:
                 description: |-
                   TargetRef is the name of the resource this policy is being attached to.
 
@@ -284,12 +284,16 @@ spec:
                   If unspecified, the default filter order is applied.
                   Default filter order is:
 
+                  - envoy.filters.http.custom_response
+
                   - envoy.filters.http.health_check
 
                   - envoy.filters.http.fault
 
                   - envoy.filters.http.cors
 
+                  - envoy.filters.http.header_mutation
+
                   - envoy.filters.http.ext_authz
 
                   - envoy.filters.http.api_key_auth
@@ -320,8 +324,6 @@ spec:
 
                   - envoy.filters.http.grpc_stats
 
-                  - envoy.filters.http.custom_response
-
                   - envoy.filters.http.credential_injector
 
                   - envoy.filters.http.compressor
@@ -340,9 +342,11 @@ spec:
                         After defines the filter that should come after the filter.
                         Only one of Before or After must be set.
                       enum:
+                      - envoy.filters.http.custom_response
                       - envoy.filters.http.health_check
                       - envoy.filters.http.fault
                       - envoy.filters.http.cors
+                      - envoy.filters.http.header_mutation
                       - envoy.filters.http.ext_authz
                       - envoy.filters.http.api_key_auth
                       - envoy.filters.http.basic_auth
@@ -358,7 +362,6 @@ spec:
                       - envoy.filters.http.ratelimit
                       - envoy.filters.http.grpc_web
                       - envoy.filters.http.grpc_stats
-                      - envoy.filters.http.custom_response
                       - envoy.filters.http.credential_injector
                       - envoy.filters.http.compressor
                       - envoy.filters.http.dynamic_forward_proxy
@@ -368,9 +371,11 @@ spec:
                         Before defines the filter that should come before the filter.
                         Only one of Before or After must be set.
                       enum:
+                      - envoy.filters.http.custom_response
                       - envoy.filters.http.health_check
                       - envoy.filters.http.fault
                       - envoy.filters.http.cors
+                      - envoy.filters.http.header_mutation
                       - envoy.filters.http.ext_authz
                       - envoy.filters.http.api_key_auth
                       - envoy.filters.http.basic_auth
@@ -386,17 +391,18 @@ spec:
                       - envoy.filters.http.ratelimit
                       - envoy.filters.http.grpc_web
                       - envoy.filters.http.grpc_stats
-                      - envoy.filters.http.custom_response
                       - envoy.filters.http.credential_injector
                       - envoy.filters.http.compressor
                       - envoy.filters.http.dynamic_forward_proxy
                       type: string
                     name:
                       description: Name of the filter.
                       enum:
+                      - envoy.filters.http.custom_response
                       - envoy.filters.http.health_check
                       - envoy.filters.http.fault
                       - envoy.filters.http.cors
+                      - envoy.filters.http.header_mutation
                       - envoy.filters.http.ext_authz
                       - envoy.filters.http.api_key_auth
                       - envoy.filters.http.basic_auth
@@ -412,7 +418,6 @@ spec:
                       - envoy.filters.http.ratelimit
                       - envoy.filters.http.grpc_web
                       - envoy.filters.http.grpc_stats
-                      - envoy.filters.http.custom_response
                       - envoy.filters.http.credential_injector
                       - envoy.filters.http.compressor
                       - envoy.filters.http.dynamic_forward_proxy