Pr/jrajahalme/envoy 1.17.3 backport v1.8 #16115

Merged
merged 9 commits into from
May 13, 2021

@jrajahalme jrajahalme commented May 12, 2021

Once this PR is merged, you can update the PR labels via:

$ for pr in 12331 15232 14462 16102; do contrib/backporting/set-labels.py $pr done 1.8; done

@jrajahalme jrajahalme added the kind/backports (This PR provides functionality previously merged into master.) and backport/1.8 labels May 12, 2021
@jrajahalme jrajahalme requested review from a team as code owners May 12, 2021 10:31
@jrajahalme jrajahalme marked this pull request as draft May 12, 2021 10:32
@jrajahalme
Member Author

test-backport-1.8

@jrajahalme jrajahalme force-pushed the pr/jrajahalme/envoy-1.17.3-backport-v1.8 branch from 0434818 to 718164a Compare May 12, 2021 15:43
@jrajahalme
Member Author

Added #14462

@jrajahalme
Member Author

test-backport-1.8

@jrajahalme
Member Author

Travis CI for amd64 failed due to docker pull rate limit, arm64 build succeeded:

toomanyrequests: You have reached your pull rate limit. You may increase the limit by authenticating and upgrading: https://www.docker.com/increase-rate-limit

@jrajahalme
Member Author

Will rerun after rebase once #16105 lands.

@joestringer
Member

Every test other than Travis passed.

jrajahalme and others added 8 commits May 12, 2021 15:19
Signed-off-by: Jarno Rajahalme <jarno@covalent.io>
[ upstream commit df0c9bb ]

Envoy v2 APIs have been deprecated in the newer Envoy releases,
prepare for their removal by shifting to v3 APIs.

NPDS and NPHDS still use v2 API elements for backwards compatibility
with running Istio sidecars.

Signed-off-by: Jarno Rajahalme <jarno@isovalent.com>
[ upstream commit e8d7307 ]

Signed-off-by: Jarno Rajahalme <jarno@isovalent.com>
[ upstream commit 09af6a6 ]

Add access log message type for Kafka. Split multiple topics to
separate access log messages on the cilium agent side for backwards
compatibility.

Refine the so far unused Kafka rule message.

Signed-off-by: Jarno Rajahalme <jarno@covalent.io>
Use new options instead of these deprecated fields to avoid deprecation warnings:

- RouteAction.max_grpc_timeout
- Cluster.protocol_selection
- Cluster.http2_protocol_options

Define runtime option "overload.global_downstream_max_connections" to avoid a warning like:

       "there is no configured limit to the number of allowed active connections.
       Set a limit via the runtime key overload.global_downstream_max_connections"

Fixes: #14919
Signed-off-by: Jarno Rajahalme <jarno@covalent.io>
[ upstream commit 2df25bb ]

protobuf.Message may contain a mutex, which trips the go vet linter in
the CI.

Fix by using .String() instead on debug messages, and using a pointer
to transfer ownership rather than a copy.

Signed-off-by: Jarno Rajahalme <jarno@covalent.io>
[ upstream commit f4407e7 ]

The updated protobuf implementation contains cyclical data structures
and unexported fields that can not be compared.

Add a new checker "ExportedEquals" that only compares exported fields
of the given data structures. This ignoring of unexported fields is
not safe for comparing arbitrary data structures which may store
internal state in unexported fields.

Use this new "ExportedEquals" checker to compare protobuf
Messages. This avoids comparing global data structures pointed to by
protobuf implementation specific fields.

Avoid infinite recursion by keeping track of which pointers have already
been followed.

Change existing use of checker.Equals to use simple Equals or HasLen
instead when possible.

Signed-off-by: Jarno Rajahalme <jarno@covalent.io>
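
The comparison strategy this commit message describes (skip unexported fields, remember which pointers were already followed), as an added example that is not Cilium's checker code. `exportedEqual`, `eq`, `pair` and `Node` are hypothetical names, and the block is narrowed to pointers and structs.

```go
package main

import (
	"fmt"
	"reflect"
)

// Node is a constructed sample type: cyclic through Next, private state in cache.
type Node struct {
	Name  string
	Next  *Node
	cache int // unexported, so ignored by exportedEqual
}
type pair struct{ a, b uintptr } // two pointers already being compared
// exportedEqual (hypothetical) compares non-nil a and b, skipping unexported struct fields.
func exportedEqual(a, b interface{}) bool {
	return eq(reflect.ValueOf(a), reflect.ValueOf(b), map[pair]bool{})
}

func eq(a, b reflect.Value, seen map[pair]bool) bool {
	if a.Type() != b.Type() {
		return false
	}
	switch a.Kind() {
	case reflect.Ptr:
		if a.IsNil() || b.IsNil() {
			return a.IsNil() == b.IsNil()
		}
		k := pair{a.Pointer(), b.Pointer()}
		if seen[k] {
			return true // pair already visited: stop here, this is how cycles terminate
		}
		seen[k] = true
		return eq(a.Elem(), b.Elem(), seen)
	case reflect.Struct:
		for i := 0; i < a.NumField(); i++ {
			if a.Type().Field(i).PkgPath == "" && !eq(a.Field(i), b.Field(i), seen) {
				return false
			}
		}
		return true
	}
	return reflect.DeepEqual(a.Interface(), b.Interface()) // scalars, strings, etc.
}

func main() {
	a, b := &Node{Name: "n", cache: 1}, &Node{Name: "n", cache: 2}
	a.Next, b.Next = a, b // self-cycles; only the unexported field differs
	fmt.Println(exportedEqual(a, b), reflect.DeepEqual(a, b))
}
```

Slices and maps of such structs would need the same field-skipping recursion; here they fall through to `reflect.DeepEqual`.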
[ upstream commit d7b7672 ]

Update Envoy to release 1.17.3 which fixes CVE-2021-29492.

Configure cilium-envoy with path normalization, path slash merge, and
path escaped slash unescaping by default. This setting can be reverted
with Cilium agent option --http-normalize-path=false.

Signed-off-by: Jarno Rajahalme <jarno@isovalent.com>
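
Why the three path settings named in this commit message matter for path-based L7 policy, as an added example that is not Envoy's or Cilium's code: a rule evaluated on the raw path and on the normalized path can disagree. `NormalizePath`, `Allowed` and the sample paths are constructed for illustration, and the `/public` rule is a hypothetical policy.

```go
package main

import (
	"fmt"
	"path"
	"strings"
)

// unescapeSlash decodes only percent-encoded "/" (both hex cases).
var unescapeSlash = strings.NewReplacer("%2F", "/", "%2f", "/")

// NormalizePath applies, in order: escaped-slash unescaping, dot-segment
// normalization and slash merging. It expects the path only, without query.
func NormalizePath(p string) string {
	p = unescapeSlash.Replace(p)
	trailing := strings.HasSuffix(p, "/")
	p = path.Clean("/" + p) // resolves "." and ".." and merges "//"
	if trailing && p != "/" {
		p += "/" // path.Clean drops a trailing slash; keep it significant
	}
	return p
}

// Allowed is a hypothetical L7 rule: only /public and paths below it pass.
func Allowed(p string) bool {
	return p == "/public" || strings.HasPrefix(p, "/public/")
}

// samples are constructed request paths, not taken from the PR.
var samples = []string{
	"/public/docs",
	"/public//docs/./a",
	"/public/..%2Fadmin",
}

func main() {
	for _, raw := range samples {
		n := NormalizePath(raw)
		fmt.Printf("%-20s raw=%-5v normalized=%-5v (%s)\n", raw, Allowed(raw), Allowed(n), n)
	}
}
```

The last sample is allowed when the rule sees the raw path and denied once the path is normalized first, which is the mismatch that enforcing normalization at the proxy removes.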
@jrajahalme jrajahalme force-pushed the pr/jrajahalme/envoy-1.17.3-backport-v1.8 branch from 718164a to e833482 Compare May 12, 2021 22:20
@jrajahalme
Member Author

test-backport-1.8

@jrajahalme jrajahalme marked this pull request as ready for review May 12, 2021 22:22
@maintainer-s-little-helper maintainer-s-little-helper bot added the dont-merge/needs-sign-off (The author needs to add signoff to their commits before merge.) label May 12, 2021
This reverts commit 60aa69b.

Signed-off-by: Jarno Rajahalme <jarno@isovalent.com>
@jrajahalme jrajahalme force-pushed the pr/jrajahalme/envoy-1.17.3-backport-v1.8 branch from 1db3dab to 3a93ce3 Compare May 12, 2021 22:28
@cilium cilium deleted a comment from maintainer-s-little-helper bot May 12, 2021
@cilium cilium deleted a comment from maintainer-s-little-helper bot May 12, 2021
@jrajahalme jrajahalme removed the dont-merge/needs-sign-off (The author needs to add signoff to their commits before merge.) label May 12, 2021
@jrajahalme
Member Author

test-backport-1.8

Member

@joestringer joestringer left a comment

I recognize that this is quite a bit of churn for v1.8 this late, but given that (1) these are mostly backports for changes that users have been running already in v1.9 for some time and (2) the security background for this (+ benefits for future updates), I think it's a reasonable tradeoff.

@joestringer
Member

joestringer commented May 13, 2021

Unit tests pass for me locally. Privileged unit tests fail for me locally the same way that the runtime CI does.

EDIT: This is already known, #16040, fixed by #16072 which is marked to be backported.

@joestringer
Member

Everything else passed, good to merge 👍

@joestringer joestringer merged commit 67a6c9a into v1.8 May 13, 2021
@joestringer joestringer deleted the pr/jrajahalme/envoy-1.17.3-backport-v1.8 branch May 13, 2021 00:48