OSSM-1955 Merge Envoy's 1.20 release branch #199

Merged

Conversation

oschaaf
Contributor

@oschaaf oschaaf commented Sep 1, 2022

Merge branch release/v1.20 from envoyproxy/envoy.

This should resolve CI structurally failing as observed in recent pull requests,
by pulling in a change that updates expired certificates: bfb9b97

phlax and others added 6 commits July 19, 2022 16:17
Signed-off-by: Ryan Northey <ryan@synca.io>
…49d2923f35d6` (#22283)

docker: Bump `distroless/base-debian11:nonroot` -> `49d2923f35d6`

Signed-off-by: Ryan Northey <ryan@synca.io>
repo: Release `1.20.7`

Signed-off-by: Ryan Northey <ryan@synca.io>
Signed-off-by: Otto van der Schaaf <ovanders@redhat.com>
Some certificates have expired, causing test failures.

Signed-off-by: Otto van der Schaaf <ovanders@redhat.com>
@oschaaf
Contributor Author

oschaaf commented Sep 1, 2022

Annoyingly, the CI logs have:

[ RUN      ] TestSPIFFEValidator.TestDoVerifyCertChainIntermediateCerts
test/extensions/transport_sockets/tls/cert_validator/spiffe/spiffe_validator_test.cc:313: Failure
Value of: validator().doVerifyCertChain(store_ctx.get(), nullptr, *cert, nullptr)
  Actual: false
Expected: true
Stack trace:
  0x12c783a: Envoy::Extensions::TransportSockets::Tls::TestSPIFFEValidator_TestDoVerifyCertChainIntermediateCerts_Test::TestBody()
  0x33f1fbb: testing::internal::HandleSehExceptionsInMethodIfSupported<>()
  0x33e219d: testing::internal::HandleExceptionsInMethodIfSupported<>()
  0x33ca633: testing::Test::Run()
  0x33cb1fa: testing::TestInfo::Run()
... Google Test internal frames ...

[  FAILED  ] TestSPIFFEValidator.TestDoVerifyCertChainIntermediateCerts (130 ms)

git blame shows that we touched this test in 0150925 -- and indeed in that commit we modified the certificate generation script to generate more certificates specifically for this test.

I'm going to run the certificate regeneration script but commit just the four new files related to the certs specific to this test. I suspect some inconsistency crept in as generating these may depend on the other certificates, and therefore the new ones need to be regenerated as well.

As we pulled in refreshed certificates from upstream, we now need
to do a partial refresh for the ones introduced in our 0150925.
(The refresh from upstream also touched the ca & intermediate ca,
which means that the certificates we introduced ourselves are now
inconsistent with respect to who signed them -- thus causing test
failures).

Signed-off-by: Otto van der Schaaf <ovanders@redhat.com>
@oschaaf oschaaf force-pushed the sync-maistra-2.2-upstream-1.20 branch from 1c76c9e to 082adf4 Compare September 2, 2022 07:16
@oschaaf
Contributor Author

oschaaf commented Sep 2, 2022

Ugh, the failure mode for TestSPIFFEValidator.TestDoVerifyCertChainIntermediateCerts was a bit more subtle than I initially thought. 082adf4 properly addresses it with minimal changes (confirmed locally).
Note: I force pushed to keep the list of commits clean.

@jwendell jwendell changed the title [maistra-2.2] Merge Envoy's 1.20 release branch OSSM-1955 Merge Envoy's 1.20 release branch Sep 2, 2022
@jwendell
Member

jwendell commented Sep 2, 2022

LGTM

@maistra-bot maistra-bot merged commit 24cdf78 into maistra:maistra-2.2 Sep 7, 2022
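
The signer inconsistency described in the thread can be reproduced in isolation. The following is an added example, not code from this pull request or from Envoy's certificate generation script: it refreshes a CA under the same subject name and shows that a leaf issued earlier stops verifying until it is re-issued. It assumes the `openssl` CLI with its default configuration, uses a single CA with no intermediate, and all subject names and paths are hypothetical.

```bash
#!/usr/bin/env bash
# Constructed demo; every subject name and path here is hypothetical.

# Create a self-signed CA (key + cert) at basename $1.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
    -subj "/CN=Demo Test CA" -keyout "$1.key" -out "$1.crt" 2>/dev/null
}

# Issue a leaf at basename $2, signed by the CA at basename $1.
issue_leaf() {
  openssl req -newkey rsa:2048 -nodes -subj "/CN=demo-leaf" \
    -keyout "$2.key" -out "$2.csr" 2>/dev/null
  openssl x509 -req -in "$2.csr" -CA "$1.crt" -CAkey "$1.key" \
    -CAcreateserial -days 30 -out "$2.crt" 2>/dev/null
}

# Succeed only if leaf $2 verifies against CA $1.
chains_to() {
  openssl verify -CAfile "$1.crt" "$2.crt" >/dev/null 2>&1
}

# Prints the verification result at each stage.
scenario() {
  local d r1 r2 r3
  d=$(mktemp -d)
  make_ca "$d/ca"
  issue_leaf "$d/ca" "$d/leaf"
  chains_to "$d/ca" "$d/leaf" && r1=pass || r1=fail
  # Refresh the CA: identical subject, brand-new key pair.
  make_ca "$d/ca"
  chains_to "$d/ca" "$d/leaf" && r2=pass || r2=fail
  # Re-issue the leaf from the refreshed CA.
  issue_leaf "$d/ca" "$d/leaf"
  chains_to "$d/ca" "$d/leaf" && r3=pass || r3=fail
  rm -rf "$d"
  echo "$r1 $r2 $r3"
}

scenario   # prints: pass fail pass
```

The middle result fails even though the issuer name on the old leaf still matches the refreshed CA, which is why a partial certificate refresh has to cover every certificate signed by a regenerated key.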