This reverts commit 85bba5d86f.
This goes along with reverting Envoy 1.28 back to Envoy 1.27.2. When
we upgrade to 1.29, we will restore this update.
Signed-off-by: Lance Austin <laustin@datawire.io>
This reverts commit 7b7be436c5.
HTTP/3 support (udp/quic) is broken in 1.28 and will cause emissary-ingress
to shut down when Envoy tries to validate the config. In testing, 1.27 and
1.29 both are ok. So, this will temporarily revert back to Envoy 1.27.2
until 1.29 is released and we can jump to 1.29 instead.
Note: none of the current commits on the unreleased 1.28.1
branch (release/v1.28) seem to address this, but rather quite a few
larger commits in master may be required, thus not making it feasible
to backport.
Signed-off-by: Lance Austin <laustin@datawire.io>
The base alpine image we use that has musl and glibc is now
updated to alpine 3.18 which ships with python 3.11. This
does the following:
- bumps the various Dockerfile base images
- unpins python and pip3
- Pushes a new base-envoy image by bumping the baserel version
Signed-off-by: Lance Austin <laustin@dataiwre.io>
This updates the go-control-plane so that it is using a version
that is sync'd and tested against the protos compatible with
envoy 1.27.
Signed-off-by: Lance Austin <laustin@dataiwre.io>
This bumps our custom Envoy to be based on v1.27.1. The build
process has been revamped for the following:
1. align build steps with upstream Envoy's CI steps
2. Simplify envoy.mk into a set of simple Phony targets and shell scripts
3. Remove compiling protos from general `make generate`
4. Update DEVELOPING.md to match revamped workflow
A couple of key differences are that we leverage the underlying
tools (bazel, docker) for caching and volume mounting rather than
implicit make targets. This should make it more clear what is happening
when running certain commands and will allow for more flexibility in
the dev workflow.
I tried to maintain support for FIPS_MODE but it's not tested since we do not
support it and we have added it for developers. If it is not working correctly,
then follow-up PRs can address it as needed.
Signed-off-by: Lance Austin <laustin@dataiwre.io>
CI and local builds fail to clean up the volume if the container process
has not finished shutting down when using `docker kill`. Using
docker rm ensures the container is stopped and then cleans
up the volume associated with it.
This will address CI flakes with `generate`
Signed-off-by: Lance Austin <laustin@datawire.io>
Using `make guess-envoy-go-control-plane-commit` we are
updating the go-control-plane to ensure it has been tested
against envoy 1.27.
Signed-off-by: Lance Austin <laustin@datawire.io>
Upgrades to the latest build of our custom Envoy 1.27. Only
notable changes for Emissary-ingress are the protos
generated but most changes were just doc comments.
Signed-off-by: Lance Austin <laustin@datawire.io>
Bumps to our latest Envoy custom build based on 1.26.4 which
addresses the following CVEs:
- CVE-2023-35941 : Not affected but pulled in
- CVE-2023-35942
- CVE-2023-35943
- CVE-2023-35944
Signed-off-by: Lance Austin <laustin@datawire.io>
Envoy released a zero-day fix for CVE-2023-35945. This updates our
custom build of Envoy with the fix and our custom commits based on
Envoy 1.26.3.
Signed-off-by: Lance Austin <laustin@datawire.io>
Removes the use of the `rsync` `--mkpath` options in favor of creating
the target folder with `mkdir` instead. The `--mkpath` option is only
available in later versions of `rsync`, which are not generally
available on some platforms. While in most cases, it's better to rely
upon (and insist upon) the latest versions, upgrading `rsync` is
relatively prohibitive, and it would be better not to have this barrier
to open source use.
Signed-off-by: Rick Lane <rlane@datawire.io>
Update envoy build to include contrib extensions which includes extensions such as go-filter.
Ideally, we would have enabled only the extensions that we needed but Envoy's bazel system
doesn't include any contrib extensions whether you enable it or not in the normal source build.
The contrib build enables all contrib extensions by default and modifying the bazel source files
to exclude certain extensions would have added to maintenance complexity so all contrib extensions are
built which adds only a few MB to the final build.
Signed-off-by: Hamzah Qudsi <hqudsi@datawire.io>
Add protobuf for go filter under api/contrib. Because the go filter is not part of the core envoy protobufs (api/envoy), the Makefiles have been updated to also build select api/contrib protos based on need. You can specify which additional contrib protos to build in _cxx/envoy.mk and it will build only the contrib protos listed to minimize the total build time for make generate.
Signed-off-by: Hamzah Qudsi <hqudsi@datawire.io>
This bumps the go-control-plane version to the latest version of envoy
where the protobufs were sync'd with envoy upstream v1.26.
Bumping it introduced a new RateLimitConfigDiscoverService which modified
the generated code/imports. These new files were not copied over and also
didn't replace the imports with the `github.com/emissary-ingress` namespaced
packages. The envoy.mk file was updated to include the new folder and
import pattern replacement
Signed-off-by: Lance Austin <laustin@datawire.io>
Updates to custom envoy build based on release/v1.26 branch as of v1.26.1
release.
Executed `make generate` to populate new proto files and compiled
protobufs.
Signed-off-by: Lance Austin <laustin@datawire.io>
Upgrades Envoy to v1.25.4 which includes various security patches including CVE-2023-27487, CVE-2023-27491, CVE-2023-27492, CVE-2023-27493, CVE-2023-27488, and CVE-2023-27496.
Signed-off-by: Hamzah Qudsi <hqudsi@datawire.io>
Updates envoy to 1.25.3 with custom patches on top for emissary-ingress specific features. Also updates go-control-plane and pulls in updated protos.
Notable Items:
- contains patches for CVE-2023-25194, CVE-2023-26489 and CVE-2023-27477
- http: enhanced dynamic forward proxy cluster to allow_coalesced_connections for HTTP/2 and HTTP/3 connections
- http: added append_x_forwarded_port to append the x-forwarded-port header to HTTP upstream requests
- http: added support of header mutation to the HTTP connection manager via early header mutation field
- tcp: added idle_timeout to support per client idle timeout for tcp connection pool. The timeout is guarded by envoy.reloadable_features.tcp_pool_idle_timeout and timeout defaults to 10 minutes if runtime flag is enabled.
- tls: added support for intermediate CA as trusted CA. The peer certificate issued by an intermediate CA will be trusted by building valid partial chain. Before, it could not be verified without trusting its ancestor root CA and building a full chain. trust_ca.
- golang: added new HTTP golang extension filter.
Signed-off-by: Hamzah Qudsi <hqudsi@datawire.io>
Updates to the latest release of envoy 1.24.2. It includes two notable
changes which are it pulls in a patch for boringssl CVE-2023-0286
and pulls in a dependency update for c-ares.
- bumps base alpine image used for static envoy layer to
frolvlad/alpine-glibc:alpine-3.17_glibc-2.34 to match base-python.
- fixes envoy build so that it sets the /root/envoy as a safe directory
in git when doing build to fix build error.
Signed-off-by: Lance Austin <laustin@datawire.io>
* deps: update envoy to 1.24.1 and control-plane
Bumps to Envoy 1.24.1 with custom commits rebased on top for Emissary-ingress and Edge Stack specific features. Updates the go-control-plane to match the version of Envoy commits to ensure protos are sync'd.
Notable items:
- removed support for lightstep driver and adjusted test for it
- updated Tracing test span name behavior change due to envoy bugfix in 1.24 (see below for more info)
In commit 230d007989, Envoy 1.24 fixed a bug where the behavior for cluster stats didn't match the docs and expected behavior.
Previously, upstream stats were generated using `cluster.name` but really they should have been `cluster.alt_stat_name` and fallback to `cluster.name`. This can be seen here in Envoy:
141f28cf62/source/common/upstream/upstream_impl.cc (L889)
Now that this has been fixed and matches that behavior it causes
an issue with the KAT tests for TracingService. The TracingService
will always have an alt_stat_name for its cluster because we either
take the provided stats_name provided in the TracingService CRD or
we fallback to using the `service`.
The tests were previously asserting that the trace name
was equal to the cluster name, but instead it now needs to
be asserted that it is the `service` due to the behavior
change.
Signed-off-by: Lance Austin <laustin@datawire.io>
The Envoy build system still uses an old protoc-gen-go that outputs
code that isn't formatted in accordance with Go 1.19's gofmt. Even
generated code should be gofmt'ed, so do that as a post-processing
step when copying the code in to our tree.
Signed-off-by: Luke Shumaker <lukeshu@datawire.io>
Go 1.19's `gofmt` is more prescriptive than previous versions about
how code-blocks in doc-comments are indented (see
https://go.dev/doc/comment). Because of this, if we were to use Go
1.19's `gofmt` to format `log_test.go` as-is, it would change the
indentation of the Apache License notice. That's not really a problem
in itself, but it points out a problem to us: that the license notice
is being treated as a doc comment, which it shouldn't be. So use
`sed` to insert a newline to prevent it from being treated as a doc
comment.
Signed-off-by: Luke Shumaker <lukeshu@datawire.io>
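The commit above describes inserting a newline so that a leading license notice is no longer parsed as the package doc comment. The following is an added example, not the project's own `sed` step: it uses `awk` instead of `sed` so the insertion is portable and idempotent, reads a Go source file on stdin and writes the adjusted file to stdout. The sample file content is constructed; it assumes the first `package` line in the file is the package clause.

```shell
#!/bin/sh
# Added example (not part of the emissary-ingress build): separate a leading
# license notice from the 'package' clause so gofmt does not treat the notice
# as a doc comment. Reads Go source on stdin, writes it to stdout.
# Assumption: the first line starting with 'package ' is the package clause.
separate_license_notice() {
    awk '
        # At the first package clause, insert a blank line unless the
        # previous line is already blank, so running this twice is a no-op.
        !done && /^package / { if (NR > 1 && prev != "") print ""; done = 1 }
        { print; prev = $0 }
    '
}

# Usage on a real tree (constructed path): rewrite a file in place via a temp copy.
#   separate_license_notice < pkg/log/log_test.go > log_test.go.tmp && mv log_test.go.tmp pkg/log/log_test.go
```

Run it before `gofmt` in the copy step; since it only acts when the line before the package clause is non-blank, files that already have the separating newline pass through unchanged.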
This updates the envoy-control-plane commit based on the results
of running `make guess-envoy-go-control-plane-commit`.
A follow-up commit will regenerate the types and address any
issues.
Signed-off-by: Lance Austin <laustin@datawire.io>
This addresses the issue outlined here:
https://github.com/emissary-ingress/emissary/issues/4418
TL;DR
Address behavior change in Git due to dev container being
rebuilt and Git being patched in Ubuntu.
Signed-off-by: Lance Austin <laustin@datawire.io>
This updates emissary-ingress to envoy 1.23 with additional commits
that support custom features for Emissary-ingress.
Signed-off-by: Lance Austin <laustin@datawire.io>
This commit upgrades to the latest tagged go-control-plane version of v0.10.1. When using the commit provided by `make guess-envoy-go-control-plane-commit` it introduced behavior that was causing a test failure in `pkg/gateway/dispatch.go`. In the future, we will need to investigate that error and update accordingly then.
Due to the go-control-plane dropping support for the v2 APIs, the gateway, ambex and entrypoint packages needed to be updated to remove the v2 xDS APIs and only support v3 xDS.
Signed-off-by: Lance Austin <laustin@datawire.io>
This bumps the envoy version used from 1.17 to 1.22. The commit addresses refactoring that occurred with the protobufs and fixes. It also regenerates
- re-ran `make generate` & `make go-mod-tidy`
- fixed small issue due to dropping envoy backported fields to v2 apis
- add `no_extension_lookup_by_name` to bootstrap config
In Envoy 1.22, the default for looking up extensions is now by `@type` rather than just `name`. This adds the `envoy.reloadable_features.no_extension_lookup_by_name: False` to the bootstrap to temporarily revert this behavior so that our current config continues to work.
See https://www.envoyproxy.io/docs/envoy/v1.22.0/version_history/current#minor-behavior-changes for more information. Future PRs should address converting over to using @types.
Co-authored-by: Luke Shumaker <lukeshu@datawire.io>
Signed-off-by: Lance Austin <laustin@datawire.io>
1. Strictly check for tags matching 'datawire-*' to remove the temptation
to jump the gun and create an 'ambassador-*' or 'emissary-*' tag
before we know that's actually the commit that will be in the released
Ambassador/Emissary. This temptation has bitten us several times
before.
2. Don't just check the tip of the PR ('HEAD'), also check that all
intermediate commits in the PR are also (ancestors of?) a tag. We
don't want history to get lost!
Signed-off-by: Luke Shumaker <lukeshu@datawire.io>
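The two checks in the commit above (only `datawire-*` tags count, and every commit in the PR range must be an ancestor of such a tag, not just `HEAD`) can be expressed as a small script. This is an added example written for this page, not the project's own CI check; it assumes a git checkout with tags fetched and takes the PR's base and head revisions as arguments.

```shell
#!/bin/sh
# Added example (not the emissary-ingress CI script): verify that every commit
# in BASE..HEAD is reachable from some 'datawire-*' tag. 'git tag --contains'
# lists the tags that have the given commit as an ancestor, so a commit that
# appears in no such tag has not been captured by a tagged release candidate.
# Assumption: tags have already been fetched into the local checkout.
check_pr_commits_tagged() {
    base="$1"
    head="$2"
    missing=0
    for c in $(git rev-list "$base".."$head"); do
        # Only 'datawire-*' tags are accepted: an 'ambassador-*' or
        # 'emissary-*' tag created early proves nothing about the release.
        if git tag --contains "$c" | grep -q '^datawire-'; then
            :
        else
            echo "commit $c is not an ancestor of any datawire-* tag" >&2
            missing=1
        fi
    done
    return $missing
}

# Usage (constructed refs): check_pr_commits_tagged origin/master HEAD
```

The loop walks every commit the PR would introduce rather than only its tip, so a branch whose tip is tagged but whose intermediate commits were never tagged still fails the check, which is the "history getting lost" case the commit message describes.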
A bunch of the methods that formerly returned an ecp_v2_cache.Resource
interface now return a boxed wrapper struct (ecp_v2_cache.ResourceWithTtl),
so we need to unbox that by adding ".Resource" in a bunch of places.
Also, it introduced some code that the linter is unhappy with, so add
another exception for it.
Signed-off-by: Luke Shumaker <lukeshu@datawire.io>