[v1.13] envoy: Update envoy version to 1.25.x #28331
Merged
/test-backport-1.13
9ac5bfc to c82132b
/test-backport-1.13
c82132b to dcfba2b
/test-backport-1.13
Envoy 1.24 will be EOL in Oct 2023, this commit is to proactively bump envoy version to 1.25.

Related build: https://github.com/cilium/proxy/actions/runs/6160387030/job/16717229803

Signed-off-by: Tam Mach <tam.mach@cilium.io>
This is to avoid the below warning log upon agent start-up

```
2023-02-27T06:06:18.292863957Z level=warning msg="[Deprecated field: type envoy.type.matcher.v3.RegexMatcher Using deprecated option 'envoy.type.matcher.v3.RegexMatcher.google_re2' from file regex.proto. This configuration will be removed from Envoy soon. Please see https://www.envoyproxy.io/docs/envoy/latest/version_history/version_history for details. If continued use of this field is absolutely necessary, see https://www.envoyproxy.io/docs/envoy/latest/configuration/operations/runtime#using-runtime-overrides-for-deprecated-features for how to apply a temporary and highly discouraged override." subsys=envoy-misc threadID=724
```

Relates: #23940

Signed-off-by: Tam Mach <tam.mach@cilium.io>
dcfba2b to 7ceb85a
/test-backport-1.13
[upstream e35318f]

This attribute is deprecated and derived based on sum of individual weights.

```
2023-04-01T06:08:08.708391385Z level=warning msg="[Deprecated field: type envoy.config.route.v3.WeightedCluster Using deprecated option 'envoy.config.route.v3.WeightedCluster.total_weight' from file route_components.proto. This configuration will be removed from Envoy soon. Please see https://www.envoyproxy.io/docs/envoy/latest/version_history/version_history for details. If continued use of this field is absolutely necessary, see https://www.envoyproxy.io/docs/envoy/latest/configuration/operations/runtime#using-runtime-overrides-for-deprecated-features for how to apply a temporary and highly discouraged override." subsys=envoy-misc threadID=79
```

Signed-off-by: Tam Mach <tam.mach@cilium.io>
[upstream commit 4b05add] Signed-off-by: Tam Mach <tam.mach@cilium.io>
[upstream commit 466ab24]

There is validation of unique domain names in envoy v1.25.x, which causes the below error in conformance test. This commit is to make sure that we don't generate two virtual hosts with same domain names if enforce https is enabled.

```
2023-04-01T06:08:08.710574289Z level=warning msg="NACK received for versions after and up to 4; waiting for a version update before sending again" subsys=xds xdsAckedVersion= xdsClientNode="host~127.0.0.1~no-id~localdomain" xdsDetail="Only unique values for domains are permitted. Duplicate entry of domain foo.bar.com in route default/cilium-ingress-default-host-rules/listener-insecure" xdsNonce=4 xdsStreamID=9 xdsTypeURL=type.googleapis.com/envoy.config.route.v3.RouteConfiguration
```

Before

```yaml
- '@type': type.googleapis.com/envoy.config.route.v3.RouteConfiguration
  name: listener-insecure
  virtualHosts:
  - domains:
    - foo.bar.com
    - foo.bar.com:*
    name: foo.bar.com
    routes:
    - match:
        safeRegex:
          regex: (/.*)?$
      redirect:
        httpsRedirect: true
  - domains:
    - '*.foo.com'
    - '*.foo.com:*'
    name: '*.foo.com'
    routes:
    - match:
        headers:
        - name: :authority
          stringMatch:
            safeRegex:
              regex: ^[^.]+[.]foo[.]com$
        safeRegex:
          regex: (/.*)?$
      route:
        cluster: default/wildcard-foo-com:8080
        maxStreamDuration:
          maxStreamDuration: 0s
  - domains:
    - foo.bar.com
    - foo.bar.com:*
    name: foo.bar.com
    routes:
    - match:
        safeRegex:
          regex: (/.*)?$
      route:
        maxStreamDuration:
          maxStreamDuration: 0s
        weightedClusters:
          clusters:
          - name: default/foo-bar-com:http
            weight: 1
          - name: default/foo-bar-com:http
            weight: 1
```

After

```yaml
- '@type': type.googleapis.com/envoy.config.route.v3.RouteConfiguration
  name: listener-insecure
  virtualHosts:
  - domains:
    - foo.bar.com
    - foo.bar.com:*
    name: foo.bar.com
    routes:
    - match:
        safeRegex:
          regex: (/.*)?$
      redirect:
        httpsRedirect: true
  - domains:
    - '*.foo.com'
    - '*.foo.com:*'
    name: '*.foo.com'
    routes:
    - match:
        headers:
        - name: :authority
          stringMatch:
            safeRegex:
              regex: ^[^.]+[.]foo[.]com$
        safeRegex:
          regex: (/.*)?$
      route:
        cluster: default/wildcard-foo-com:8080
        maxStreamDuration:
          maxStreamDuration: 0s
```

Signed-off-by: Tam Mach <tam.mach@cilium.io>
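The duplicate-domain rejection described in the commit message above can be caught before a route configuration is pushed over xDS. The following Go sketch is an added example, not code from this PR or from Cilium: the `VirtualHost` type, `DuplicateDomains` and `PreferRedirect` are hypothetical names, and the "redirect host wins" policy is an assumption modelled on the Before/After output.

```go
package main

import "fmt"

// VirtualHost is a hypothetical, simplified stand-in for
// envoy.config.route.v3.VirtualHost with only the fields this check needs.
type VirtualHost struct {
	Name          string
	Domains       []string
	HTTPSRedirect bool
}

// DuplicateDomains lists, in order of discovery, every domain claimed more than
// once in one route configuration, the condition Envoy v1.25.x NACKs.
func DuplicateDomains(vhs []VirtualHost) []string {
	seen, dups := map[string]int{}, []string{}
	for _, vh := range vhs {
		for _, d := range vh.Domains {
			if seen[d]++; seen[d] == 2 {
				dups = append(dups, d)
			}
		}
	}
	return dups
}

// PreferRedirect (assumed policy, not Cilium's code) keeps HTTPS-redirect hosts
// first, then every other host that adds no duplicate domain. Reordering is
// safe because Envoy selects a virtual host by domain match, not list position.
func PreferRedirect(vhs []VirtualHost) (out []VirtualHost) {
	for _, redirect := range []bool{true, false} {
		for _, vh := range vhs {
			candidate := append(append([]VirtualHost{}, out...), vh)
			if vh.HTTPSRedirect == redirect && len(DuplicateDomains(candidate)) == 0 {
				out = candidate
			}
		}
	}
	return out
}

func main() {
	before := []VirtualHost{ // constructed, mirrors the "Before" config above
		{"foo.bar.com", []string{"foo.bar.com", "foo.bar.com:*"}, true},
		{"*.foo.com", []string{"*.foo.com", "*.foo.com:*"}, false},
		{"foo.bar.com", []string{"foo.bar.com", "foo.bar.com:*"}, false},
	}
	fmt.Println(DuplicateDomains(before), DuplicateDomains(PreferRedirect(before)))
}
```

Running `DuplicateDomains` in a unit test on generated route configurations turns the runtime NACK into a build-time failure.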
[upstream commit dbb5dcc] Signed-off-by: Tam Mach <tam.mach@cilium.io>
7ceb85a to 4fb2c87
/test-backport-1.13
[upstream commit 4988e8e] Signed-off-by: Tam Mach <tam.mach@cilium.io>
[upstream commit d94c0bd] Signed-off-by: Tam Mach <tam.mach@cilium.io>
[upstream commit 6f48ae8] Signed-off-by: Tam Mach <tam.mach@cilium.io>
The istio integration is relying on cilium/istio_proxy container, which is no longer maintained, the latest version v1.10.6 was published two years ago. Just a note that this image is running with EOL envoy version which causes the double registration issue when envoy is upgraded in main Cilium build to envoy v1.25.x.

Considering that this integration is no longer supported in recent Cilium releases, we can also do the same for v1.13 in favour of maintenance efforts for:

- Syncing up with recent Istio versions. The latest istio release is v1.19.3, which is far ahead of v1.10.6
- Security issue with old and outdated cilium/istio_proxy image.

```
Double registration for type: 'envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext' by 'cilium.tls_wrapper' and 'envoy.transport_sockets.tls'
Double registration for type: 'envoy.api.v2.auth.DownstreamTlsContext' by 'cilium.tls_wrapper' and 'envoy.transport_sockets.tls'
Double registration for type: 'envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext' by 'envoy.transport_sockets.tls' and ''
Double registration for type: 'envoy.api.v2.auth.DownstreamTlsContext' by 'envoy.transport_sockets.tls' and ''
```

Signed-off-by: Tam Mach <tam.mach@cilium.io>
4fb2c87 to 332981f
/test-backport-1.13
jrajahalme approved these changes Oct 23, 2023
This was referenced Oct 25, 2023
Labels
backport/1.13
This PR represents a backport for Cilium 1.13.x of a PR that was merged to main.
kind/backports
This PR provides functionality previously merged into master.
ready-to-merge
This PR has passed all tests and received consensus from code owners to merge.
Description
Envoy 1.24 will be EOL in Oct 2023, this commit is to proactively bump envoy version to 1.25.
Related build: https://github.com/cilium/proxy/actions/runs/6160387030/job/16717229803
Note
This PR contains the backport of #24684 to pick up the fix 466ab24 for below issue.