Skip to content

Commit

Permalink
Sesame main rebase (#4)
Browse files Browse the repository at this point in the history
* provisioner: add field overloadMaxHeapSize for envoy (projectcontour#5699)

* add field overloadMaxHeapSize

Signed-off-by: yy <yang.yang@daocloud.io>

* add changelog

Signed-off-by: yy <yang.yang@daocloud.io>

* update changelog and configuration.md

Signed-off-by: yangyang <yang.yang@daocloud.io>

---------

Signed-off-by: yy <yang.yang@daocloud.io>
Signed-off-by: yangyang <yang.yang@daocloud.io>

* build(deps): bump sigs.k8s.io/gateway-api from 0.8.0 to 0.8.1 (projectcontour#5757)

* build(deps): bump sigs.k8s.io/gateway-api from 0.8.0 to 0.8.1

Bumps [sigs.k8s.io/gateway-api](https://github.com/kubernetes-sigs/gateway-api) from 0.8.0 to 0.8.1.
- [Release notes](https://github.com/kubernetes-sigs/gateway-api/releases)
- [Changelog](https://github.com/kubernetes-sigs/gateway-api/blob/main/CHANGELOG.md)
- [Commits](kubernetes-sigs/gateway-api@v0.8.0...v0.8.1)

---
updated-dependencies:
- dependency-name: sigs.k8s.io/gateway-api
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>

* make generate

Signed-off-by: Steve Kriss <krisss@vmware.com>

---------

Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: Steve Kriss <krisss@vmware.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Steve Kriss <krisss@vmware.com>

* build(deps): bump github.com/onsi/ginkgo/v2 from 2.12.0 to 2.12.1 (projectcontour#5781)

Bumps [github.com/onsi/ginkgo/v2](https://github.com/onsi/ginkgo) from 2.12.0 to 2.12.1.
- [Release notes](https://github.com/onsi/ginkgo/releases)
- [Changelog](https://github.com/onsi/ginkgo/blob/master/CHANGELOG.md)
- [Commits](onsi/ginkgo@v2.12.0...v2.12.1)

---
updated-dependencies:
- dependency-name: github.com/onsi/ginkgo/v2
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* build(deps): bump google.golang.org/grpc from 1.58.1 to 1.58.2 (projectcontour#5780)

Bumps [google.golang.org/grpc](https://github.com/grpc/grpc-go) from 1.58.1 to 1.58.2.
- [Release notes](https://github.com/grpc/grpc-go/releases)
- [Commits](grpc/grpc-go@v1.58.1...v1.58.2)

---
updated-dependencies:
- dependency-name: google.golang.org/grpc
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* build(deps): bump github.com/vektra/mockery/v2 from 2.33.2 to 2.34.0 (projectcontour#5779)

Bumps [github.com/vektra/mockery/v2](https://github.com/vektra/mockery) from 2.33.2 to 2.34.0.
- [Release notes](https://github.com/vektra/mockery/releases)
- [Changelog](https://github.com/vektra/mockery/blob/master/docs/changelog.md)
- [Commits](vektra/mockery@v2.33.2...v2.34.0)

---
updated-dependencies:
- dependency-name: github.com/vektra/mockery/v2
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* Setting `disabled = true` on a route should disable the virtual host global rate limit policy (projectcontour#5657)

Support disabling global rate limiting on individual
routes by setting disabled=true.

Fixes projectcontour#5685.

Signed-off-by: shadi-altarsha <shadi.altarsha@reddit.com>

* update Go to 1.21.1 (projectcontour#5783)


Signed-off-by: Steve Kriss <krisss@vmware.com>

* Fixup: Sort path matches based on length rather than lexi (projectcontour#5752)

Since Envoy is greedy matching path routes, order is important. Contour
decides to sort the routes in a way that is not really intuitive and can
lead to suprises.

In particular even tho the comment in the code state that routes are
ordered based on legnth the reality is that they are sorted based on string
comparison. This PR fixes this.

* I think the current behaviour doesnt make much sense and it is a bit brittle.
* Updating the behaviour has significant update risk since there might be folks
that rely on this routing behaviour without really knowing it.
* Should we even merge this PR? I am of two minds and I would like some input:

1. Option (1): Merge it as and make a clear changelog/announcement about the fix
2. Option (2): Create a config flag with a feature-flag e.g. `route_sorting_strategy` and switch the implementation
to not do sorting when the flag is present. That way it allows folks to opt-out from the sorting as they need to.

Longest path based matching kinda makes sense to me now that I know about it, but it is rough edge than needs users to
be familiar with contour and it is harder to socialize in larger teams.

Signed-off-by: Sotiris Nanopoulos <sotiris.nanopoulos@reddit.com>

* build(deps): bump github.com/onsi/gomega from 1.27.10 to 1.28.0 (projectcontour#5792)

Bumps [github.com/onsi/gomega](https://github.com/onsi/gomega) from 1.27.10 to 1.28.0.
- [Release notes](https://github.com/onsi/gomega/releases)
- [Changelog](https://github.com/onsi/gomega/blob/master/CHANGELOG.md)
- [Commits](onsi/gomega@v1.27.10...v1.28.0)

---
updated-dependencies:
- dependency-name: github.com/onsi/gomega
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* build(deps): bump github.com/cert-manager/cert-manager (projectcontour#5791)

Bumps [github.com/cert-manager/cert-manager](https://github.com/cert-manager/cert-manager) from 1.13.0 to 1.13.1.
- [Release notes](https://github.com/cert-manager/cert-manager/releases)
- [Commits](cert-manager/cert-manager@v1.13.0...v1.13.1)

---
updated-dependencies:
- dependency-name: github.com/cert-manager/cert-manager
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* build(deps): bump github.com/vektra/mockery/v2 from 2.34.0 to 2.34.2 (projectcontour#5793)

Bumps [github.com/vektra/mockery/v2](https://github.com/vektra/mockery) from 2.34.0 to 2.34.2.
- [Release notes](https://github.com/vektra/mockery/releases)
- [Changelog](https://github.com/vektra/mockery/blob/master/docs/changelog.md)
- [Commits](vektra/mockery@v2.34.0...v2.34.2)

---
updated-dependencies:
- dependency-name: github.com/vektra/mockery/v2
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* build(deps): bump github.com/prometheus/client_golang (projectcontour#5790)

Bumps [github.com/prometheus/client_golang](https://github.com/prometheus/client_golang) from 1.16.0 to 1.17.0.
- [Release notes](https://github.com/prometheus/client_golang/releases)
- [Changelog](https://github.com/prometheus/client_golang/blob/main/CHANGELOG.md)
- [Commits](prometheus/client_golang@v1.16.0...v1.17.0)

---
updated-dependencies:
- dependency-name: github.com/prometheus/client_golang
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* HTTPProxy: allow dynamic Host header rewrite (projectcontour#5678)

Allows the Host header to be rewritten to the value
of another header while forwarding the request to
the upstream. This is possible at the route level only.

Fixes projectcontour#5673.

Signed-off-by: Clayton Gonsalves <clayton.gonsalves@reddit.com>

* fix spelling errors (projectcontour#5798)

Signed-off-by: Steve Kriss <krisss@vmware.com>

* hack: bump codespell version to match GH action (projectcontour#5799)

Signed-off-by: Steve Kriss <krisss@vmware.com>

* gateway provisioner: add flags to enable running provisioner out of cluster (projectcontour#5686)

Adds --incluster and --kubeconfig flags to
the gateway provisioner to enable running
outside of the cluster.

Signed-off-by: gang.liu <gang.liu@daocloud.io>

* site: Bump Hugo to 0.119.0 (projectcontour#5795)

- Also implement more consistent toml file indenting for readability
- Asset optimization is deprecated by netlify, see: https://answers.netlify.com/t/please-read-deprecation-of-post-processing-asset-optimization/96657

Signed-off-by: Sunjay Bhatia <sunjayb@vmware.com>

* internal/dag: default Listener ResolvedRefs to true (projectcontour#5804)

Sets Gateway Listeners' ResolvedRefs condition
to true by default, to pass updated conformance.

Closes projectcontour#5648.

Signed-off-by: Steve Kriss <krisss@vmware.com>

* build(deps): bump golang.org/x/oauth2 from 0.12.0 to 0.13.0 (projectcontour#5810)

Bumps [golang.org/x/oauth2](https://github.com/golang/oauth2) from 0.12.0 to 0.13.0.
- [Commits](golang/oauth2@v0.12.0...v0.13.0)

---
updated-dependencies:
- dependency-name: golang.org/x/oauth2
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* build(deps): bump github.com/vektra/mockery/v2 from 2.34.2 to 2.35.2 (projectcontour#5809)

Bumps [github.com/vektra/mockery/v2](https://github.com/vektra/mockery) from 2.34.2 to 2.35.2.
- [Release notes](https://github.com/vektra/mockery/releases)
- [Changelog](https://github.com/vektra/mockery/blob/master/docs/changelog.md)
- [Commits](vektra/mockery@v2.34.2...v2.35.2)

---
updated-dependencies:
- dependency-name: github.com/vektra/mockery/v2
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* build(deps): bump github.com/prometheus/client_model (projectcontour#5811)

Bumps [github.com/prometheus/client_model](https://github.com/prometheus/client_model) from 0.4.1-0.20230718164431-9a2bf3000d16 to 0.5.0.
- [Release notes](https://github.com/prometheus/client_model/releases)
- [Commits](https://github.com/prometheus/client_model/commits/v0.5.0)

---
updated-dependencies:
- dependency-name: github.com/prometheus/client_model
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* switch to github.com/distribution/parse (projectcontour#5818)

Signed-off-by: Steve Kriss <krisss@vmware.com>

* deps: Bump logrusr to v4.0.0 (projectcontour#5806)

Fixes data races found in projectcontour#5805

Also remove testing around V().Info()

logrusr has changed behavior since v3.0.0, it now tries to mimic logrus
log levels with the V() level, see:
bombsimon/logrusr@9f3fd50

In practice client-go checks if a certain verbosity level is enabled and
initializes a different logger based on that and then uses Info(f) logs,
rather than the V().Info() construction.

This commit removes the testing of log lines written with V() guarding
them and rather just tests the expected verbosity is enabled or not.

Signed-off-by: Sunjay Bhatia <sunjayb@vmware.com>

* wait for cache sync and DAG build before starting xDS server (projectcontour#5672)

Prevents starting the XDS server and building the DAG until the cache is synced with the initial list of k8s objects and these events are processed by the event handler

Signed-off-by: Ahmad Karimi <ak12hastam@gmail.com>

* internal/xdscache: Generate uuid for snapshot version (projectcontour#5819)

Snapshotter had a data race reading/writing the snapshot version between
threads. This version is not in practice used for the contour xDS server
DiscoveryResponse versions but is in the go-control-plane version.

Fixes: projectcontour#5482

Signed-off-by: Sunjay Bhatia <sunjayb@vmware.com>

* Bump Envoy to 1.27.1 (projectcontour#5821)

See release notes:
https://www.envoyproxy.io/docs/envoy/v1.27.1/version_history/v1.27/v1.27.1

Signed-off-by: Sunjay Bhatia <sunjayb@vmware.com>

* build(deps): bump golang.org/x/net from 0.16.0 to 0.17.0 (projectcontour#5829)

Bumps [golang.org/x/net](https://github.com/golang/net) from 0.16.0 to 0.17.0.
- [Commits](golang/net@v0.16.0...v0.17.0)

---
updated-dependencies:
- dependency-name: golang.org/x/net
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* build(deps): bump google.golang.org/grpc from 1.58.2 to 1.58.3 (projectcontour#5833)

Bumps [google.golang.org/grpc](https://github.com/grpc/grpc-go) from 1.58.2 to 1.58.3.
- [Release notes](https://github.com/grpc/grpc-go/releases)
- [Commits](grpc/grpc-go@v1.58.2...v1.58.3)

---
updated-dependencies:
- dependency-name: google.golang.org/grpc
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* build(deps): bump github.com/onsi/ginkgo/v2 from 2.12.1 to 2.13.0 (projectcontour#5831)

Bumps [github.com/onsi/ginkgo/v2](https://github.com/onsi/ginkgo) from 2.12.1 to 2.13.0.
- [Release notes](https://github.com/onsi/ginkgo/releases)
- [Changelog](https://github.com/onsi/ginkgo/blob/master/CHANGELOG.md)
- [Commits](onsi/ginkgo@v2.12.1...v2.13.0)

---
updated-dependencies:
- dependency-name: github.com/onsi/ginkgo/v2
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* build(deps): bump github.com/vektra/mockery/v2 from 2.35.2 to 2.35.4 (projectcontour#5834)

Bumps [github.com/vektra/mockery/v2](https://github.com/vektra/mockery) from 2.35.2 to 2.35.4.
- [Release notes](https://github.com/vektra/mockery/releases)
- [Changelog](https://github.com/vektra/mockery/blob/master/docs/changelog.md)
- [Commits](vektra/mockery@v2.35.2...v2.35.4)

---
updated-dependencies:
- dependency-name: github.com/vektra/mockery/v2
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* build(deps): bump github.com/google/go-cmp from 0.5.9 to 0.6.0 (projectcontour#5832)

Bumps [github.com/google/go-cmp](https://github.com/google/go-cmp) from 0.5.9 to 0.6.0.
- [Release notes](https://github.com/google/go-cmp/releases)
- [Commits](google/go-cmp@v0.5.9...v0.6.0)

---
updated-dependencies:
- dependency-name: github.com/google/go-cmp
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* Bump go to 1.21.3 (projectcontour#5841)


Signed-off-by: Sunjay Bhatia <sunjayb@vmware.com>

* Add configurability for HTTP requests per IO cycle (projectcontour#5827)

An additional mitigation to CVE-2023-44487 available in Envoy 1.27.1.
This change allows configuring the http.max_requests_per_io_cycle Envoy
runtime setting via Contour configuration to allow administrators of
Contour to prevent abusive connections from starving resources from
others. The default is left as the existing behavior, that is no limit,
so as not to impact existing valid traffic.

See the Envoy release notes for more information:
https://www.envoyproxy.io/docs/envoy/v1.27.1/version_history/v1.27/v1.27.1

Signed-off-by: Sunjay Bhatia <sunjayb@vmware.com>

* provisioner: fix envoy-max-heapsize not set (projectcontour#5814)

* fix envoy-max-heapsize not set

Signed-off-by: yangyang <yang.yang@daocloud.io>

* add ut

Signed-off-by: yangyang <yang.yang@daocloud.io>

* update ut

Signed-off-by: yangyang <yang.yang@daocloud.io>

---------

Signed-off-by: yangyang <yang.yang@daocloud.io>

* HTTP/2 max concurrent streams can be configured (projectcontour#5850)

Adds a global Listener configuration field for admins to be able to
protect their installations of Contour/Envoy with a limit. Default is no
limit to ensure existing behavior is not impacted for valid traffic.
This field can be used for tuning resource usage or mitigated DOS
attacks like in CVE-2023-44487.

Also fixes omitempty tags on MaxRequestsPerIOCycle field.

Fixes: projectcontour#5846

Signed-off-by: Sunjay Bhatia <sunjayb@vmware.com>

* Bump Envoy to v1.27.2 (projectcontour#5863)

See release notes:
https://www.envoyproxy.io/docs/envoy/v1.27.2/version_history/v1.27/v1.27.2

Signed-off-by: Sunjay Bhatia <sunjayb@vmware.com>

* site: 1.26.1, 1.25.3, 1.24.6 patch releases (projectcontour#5859)


Signed-off-by: Sunjay Bhatia <sunjayb@vmware.com>

* test/e2e: Add race detection in e2e tests (projectcontour#5805)

Compile contour binary with -race flag and look for "DATA RACE" in
stderr. Fails test if found.

Signed-off-by: Sunjay Bhatia <sunjayb@vmware.com>

* golangci-lint: Fix revive rules (projectcontour#5857)

When we enabled the use-any rule we disabled all the default rules that
are run by revive (see: https://revive.run/docs#golangci-lint)

This change grabs all the default rules from
https://github.com/mgechev/revive/blob/master/defaults.toml and adds the
use-any rule

Also fixes outstanding lint issues

Signed-off-by: Sunjay Bhatia <sunjayb@vmware.com>

* crd/ContourDeployment: Add field 'podLabels' for contour (#2)

* add pod labels field to contourDeployment

---------

Signed-off-by: yy <yang.yang@daocloud.io>
Signed-off-by: yangyang <yang.yang@daocloud.io>
Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: Steve Kriss <krisss@vmware.com>
Signed-off-by: shadi-altarsha <shadi.altarsha@reddit.com>
Signed-off-by: Sotiris Nanopoulos <sotiris.nanopoulos@reddit.com>
Signed-off-by: Clayton Gonsalves <clayton.gonsalves@reddit.com>
Signed-off-by: gang.liu <gang.liu@daocloud.io>
Signed-off-by: Sunjay Bhatia <sunjayb@vmware.com>
Signed-off-by: Ahmad Karimi <ak12hastam@gmail.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Steve Kriss <krisss@vmware.com>
Co-authored-by: Shadi Altarsha <61504589+shadialtarsha@users.noreply.github.com>
Co-authored-by: Sotiris Nanopoulos <sotiris.nanopoulos@reddit.com>
Co-authored-by: Clayton Gonsalves <101868649+clayton-gonsalves@users.noreply.github.com>
Co-authored-by: izturn <44051386+izturn@users.noreply.github.com>
Co-authored-by: Sunjay Bhatia <5337253+sunjayBhatia@users.noreply.github.com>
Co-authored-by: Ahmad Karimi <39967326+therealak12@users.noreply.github.com>
  • Loading branch information
9 people authored Oct 19, 2023
1 parent 6123bda commit e8f6228
Show file tree
Hide file tree
Showing 113 changed files with 3,144 additions and 805 deletions.
1 change: 1 addition & 0 deletions .codespell.ignorewords
Original file line number Diff line number Diff line change
Expand Up @@ -6,3 +6,4 @@ od
als
wit
aks
immediatedly
2 changes: 1 addition & 1 deletion .github/workflows/build_daily.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -10,7 +10,7 @@ on:
env:
GOPROXY: https://proxy.golang.org/
SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
GO_VERSION: 1.21.0
GO_VERSION: 1.21.3
jobs:
e2e-envoy-xds:
runs-on: ubuntu-latest
Expand Down
2 changes: 1 addition & 1 deletion .github/workflows/prbuild.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -11,7 +11,7 @@ on:
env:
GOPROXY: https://proxy.golang.org/
SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
GO_VERSION: 1.21.0
GO_VERSION: 1.21.3
jobs:
lint:
runs-on: ubuntu-latest
Expand Down
25 changes: 24 additions & 1 deletion .golangci.yml
Original file line number Diff line number Diff line change
Expand Up @@ -32,7 +32,30 @@ linters-settings:
- http.DefaultTransport
revive:
rules:
- name: use-any
- name: blank-imports
- name: context-as-argument
- name: context-keys-type
- name: dot-imports
- name: empty-block
- name: error-naming
- name: error-return
- name: error-strings
- name: errorf
- name: exported
- name: increment-decrement
- name: indent-error-flow
- name: package-comments
- name: range
- name: receiver-naming
- name: redefines-builtin-id
- name: superfluous-else
- name: time-naming
- name: unexported-return
- name: unreachable-code
- name: unused-parameter
- name: use-any
- name: var-declaration
- name: var-naming

issues:
exclude-rules:
Expand Down
4 changes: 2 additions & 2 deletions Makefile
Original file line number Diff line number Diff line change
Expand Up @@ -6,7 +6,7 @@ IMAGE := $(REGISTRY)/$(PROJECT)
SRCDIRS := ./cmd ./internal ./apis
LOCAL_BOOTSTRAP_CONFIG = localenvoyconfig.yaml
SECURE_LOCAL_BOOTSTRAP_CONFIG = securelocalenvoyconfig.yaml
ENVOY_IMAGE = docker.io/envoyproxy/envoy:v1.27.0
ENVOY_IMAGE = docker.io/envoyproxy/envoy:v1.27.2
GATEWAY_API_VERSION ?= $(shell grep "sigs.k8s.io/gateway-api" go.mod | awk '{print $$2}')

# Used to supply a local Envoy docker container an IP to connect to that is running
Expand Down Expand Up @@ -44,7 +44,7 @@ endif
IMAGE_PLATFORMS ?= linux/amd64,linux/arm64

# Base build image to use.
BUILD_BASE_IMAGE ?= golang:1.21.0
BUILD_BASE_IMAGE ?= golang:1.21.3

# Enable build with CGO.
BUILD_CGO_ENABLED ?= 0
Expand Down
14 changes: 13 additions & 1 deletion apis/projectcontour/v1/httpproxy.go
Original file line number Diff line number Diff line change
Expand Up @@ -551,6 +551,18 @@ type Route struct {
// +optional
PathRewritePolicy *PathRewritePolicy `json:"pathRewritePolicy,omitempty"`
// The policy for managing request headers during proxying.
//
// You may dynamically rewrite the Host header to be forwarded
// upstream to the content of a request header using
// the below format "%REQ(X-Header-Name)%". If the value of the header
// is empty, it is ignored.
//
// *NOTE: Pay attention to the potential security implications of using this option.
// Provided header must come from trusted source.
//
// **NOTE: The header rewrite is only done while forwarding and has no bearing
// on the routing decision.
//
// +optional
RequestHeadersPolicy *HeadersPolicy `json:"requestHeadersPolicy,omitempty"`
// The policy for managing response headers during proxying.
Expand Down Expand Up @@ -1268,7 +1280,7 @@ type LoadBalancerPolicy struct {
}

// HeadersPolicy defines how headers are managed during forwarding.
// The `Host` header is treated specially and if set in a HTTP response
// The `Host` header is treated specially and if set in a HTTP request
// will be used as the SNI server name when forwarding over TLS. It is an
// error to attempt to set the `Host` header in a HTTP response.
type HeadersPolicy struct {
Expand Down
21 changes: 21 additions & 0 deletions apis/projectcontour/v1alpha1/contourconfig.go
Original file line number Diff line number Diff line change
Expand Up @@ -391,6 +391,27 @@ type EnvoyListenerConfig struct {
// Single set of options are applied to all listeners.
// +optional
SocketOptions *SocketOptions `json:"socketOptions,omitempty"`

// Defines the limit on number of HTTP requests that Envoy will process from a single
// connection in a single I/O cycle. Requests over this limit are processed in subsequent
// I/O cycles. Can be used as a mitigation for CVE-2023-44487 when abusive traffic is
// detected. Configures the http.max_requests_per_io_cycle Envoy runtime setting. The default
// value when this is not set is no limit.
//
// +kubebuilder:validation:Minimum=1
// +optional
MaxRequestsPerIOCycle *uint32 `json:"maxRequestsPerIOCycle,omitempty"`

// Defines the value for SETTINGS_MAX_CONCURRENT_STREAMS Envoy will advertise in the
// SETTINGS frame in HTTP/2 connections and the limit for concurrent streams allowed
// for a peer on a single HTTP/2 connection. It is recommended to not set this lower
// than 100 but this field can be used to bound resource usage by HTTP/2 connections
// and mitigate attacks like CVE-2023-44487. The default value when this is not set is
// unlimited.
//
// +kubebuilder:validation:Minimum=1
// +optional
HTTP2MaxConcurrentStreams *uint32 `json:"httpMaxConcurrentStreams,omitempty"`
}

// SocketOptions defines configurable socket options for Envoy listeners.
Expand Down
10 changes: 10 additions & 0 deletions apis/projectcontour/v1alpha1/zz_generated.deepcopy.go

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

57 changes: 57 additions & 0 deletions changelogs/CHANGELOG-v1.24.6.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,57 @@
We are delighted to present version v1.24.6 of Contour, our layer 7 HTTP reverse proxy for Kubernetes clusters.

- [All Changes](#all-changes)
- [Installing/Upgrading](#installing-and-upgrading)
- [Compatible Kubernetes Versions](#compatible-kubernetes-versions)

# All Changes

This release includes various dependency bumps and fixes for [CVE-2023-44487](https://nvd.nist.gov/vuln/detail/CVE-2023-44487), including:

- Update to Envoy v1.25.11. See the release notes for v1.25.10 [here](https://www.envoyproxy.io/docs/envoy/v1.25.10/version_history/v1.25/v1.25.10) and v1.25.11 [here](https://www.envoyproxy.io/docs/envoy/v1.25.11/version_history/v1.25/v1.25.11).
- Update to Go v1.20.10. See the [Go release notes](https://go.dev/doc/devel/release#go1.20.minor) for more information.

Additional mitigations have been added for CVE-2023-44487 in the form of new configuration fields:

## Max HTTP requests per IO cycle is configurable as an additional mitigation for HTTP/2 CVE-2023-44487

Envoy mitigates CVE-2023-44487 with some default runtime settings, however the `http.max_requests_per_io_cycle` does not have a default value.
This change allows configuring this runtime setting via Contour configuration to allow administrators of Contour to prevent abusive connections from starving resources from other valid connections.
The default is left as the existing behavior (no limit) so as not to impact existing valid traffic.

The Contour ConfigMap can be modified similar to the following (and Contour restarted) to set this value:

```
listener:
max-requests-per-io-cycle: 10
```

(Note this can be used in addition to the existing Listener configuration field `listener.max-requests-per-connection` which is used primarily for HTTP/1.1 connections and is an approximate limit for HTTP/2)

## HTTP/2 max concurrent streams is configurable

This field can be used to limit the number of concurrent streams Envoy will allow on a single connection from a downstream peer.
It can be used to tune resource usage and as a mitigation for DOS attacks arising from vulnerabilities like CVE-2023-44487.

The Contour ConfigMap can be modified similar to the following (and Contour restarted) to set this value:

```
listener:
http2-max-concurrent-streams: 50
```


# Installing and Upgrading

For a fresh install of Contour, consult the [getting started documentation](https://projectcontour.io/getting-started/).

To upgrade an existing Contour installation, please consult the [upgrade documentation](https://projectcontour.io/resources/upgrading/).


# Compatible Kubernetes Versions

Contour v1.24.6 is tested against Kubernetes 1.24 through 1.26.


# Are you a Contour user? We would love to know!
If you're using Contour and want to add your organization to our adopters list, please visit this [page](https://github.com/projectcontour/contour/blob/master/ADOPTERS.md). If you prefer to keep your organization name anonymous but still give us feedback into your usage and scenarios for Contour, please post on this [GitHub thread](https://github.com/projectcontour/contour/issues/1269).
57 changes: 57 additions & 0 deletions changelogs/CHANGELOG-v1.25.3.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,57 @@
We are delighted to present version v1.25.3 of Contour, our layer 7 HTTP reverse proxy for Kubernetes clusters.

- [All Changes](#all-changes)
- [Installing/Upgrading](#installing-and-upgrading)
- [Compatible Kubernetes Versions](#compatible-kubernetes-versions)

# All Changes

This release includes various dependency bumps and fixes for [CVE-2023-44487](https://nvd.nist.gov/vuln/detail/CVE-2023-44487), including:

- Update to Envoy v1.26.6. See the release notes for v1.26.5 [here](https://www.envoyproxy.io/docs/envoy/v1.26.5/version_history/v1.26/v1.26.5) and v1.26.6 [here](https://www.envoyproxy.io/docs/envoy/v1.26.6/version_history/v1.26/v1.26.6).
- Update to Go v1.20.10. See the [Go release notes](https://go.dev/doc/devel/release#go1.20.minor) for more information.

Additional mitigations have been added for CVE-2023-44487 in the form of new configuration fields:

## Max HTTP requests per IO cycle is configurable as an additional mitigation for HTTP/2 CVE-2023-44487

Envoy mitigates CVE-2023-44487 with some default runtime settings, however the `http.max_requests_per_io_cycle` does not have a default value.
This change allows configuring this runtime setting via Contour configuration to allow administrators of Contour to prevent abusive connections from starving resources from other valid connections.
The default is left as the existing behavior (no limit) so as not to impact existing valid traffic.

The Contour ConfigMap can be modified similar to the following (and Contour restarted) to set this value:

```
listener:
max-requests-per-io-cycle: 10
```

(Note this can be used in addition to the existing Listener configuration field `listener.max-requests-per-connection` which is used primarily for HTTP/1.1 connections and is an approximate limit for HTTP/2)

## HTTP/2 max concurrent streams is configurable

This field can be used to limit the number of concurrent streams Envoy will allow on a single connection from a downstream peer.
It can be used to tune resource usage and as a mitigation for DOS attacks arising from vulnerabilities like CVE-2023-44487.

The Contour ConfigMap can be modified similar to the following (and Contour restarted) to set this value:

```
listener:
http2-max-concurrent-streams: 50
```


# Installing and Upgrading

For a fresh install of Contour, consult the [getting started documentation](https://projectcontour.io/getting-started/).

To upgrade an existing Contour installation, please consult the [upgrade documentation](https://projectcontour.io/resources/upgrading/).


# Compatible Kubernetes Versions

Contour v1.25.3 is tested against Kubernetes 1.25 through 1.27.


# Are you a Contour user? We would love to know!
If you're using Contour and want to add your organization to our adopters list, please visit this [page](https://github.com/projectcontour/contour/blob/master/ADOPTERS.md). If you prefer to keep your organization name anonymous but still give us feedback into your usage and scenarios for Contour, please post on this [GitHub thread](https://github.com/projectcontour/contour/issues/1269).
57 changes: 57 additions & 0 deletions changelogs/CHANGELOG-v1.26.1.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,57 @@
We are delighted to present version v1.26.1 of Contour, our layer 7 HTTP reverse proxy for Kubernetes clusters.

- [All Changes](#all-changes)
- [Installing/Upgrading](#installing-and-upgrading)
- [Compatible Kubernetes Versions](#compatible-kubernetes-versions)

# All Changes

This release includes various dependency bumps and fixes for [CVE-2023-44487](https://nvd.nist.gov/vuln/detail/CVE-2023-44487), including:

- Updates Envoy to v1.27.2. See the release notes for v1.27.1 [here](https://www.envoyproxy.io/docs/envoy/v1.27.1/version_history/v1.27/v1.27.1) and v1.27.2 [here](https://www.envoyproxy.io/docs/envoy/v1.27.2/version_history/v1.27/v1.27.2).
- Update to Go v1.20.10. See the [Go release notes](https://go.dev/doc/devel/release#go1.20.minor) for more information.

Additional mitigations have been added for CVE-2023-44487 in the form of new configuration fields:

## Max HTTP requests per IO cycle is configurable as an additional mitigation for HTTP/2 CVE-2023-44487

Envoy mitigates CVE-2023-44487 with some default runtime settings, however the `http.max_requests_per_io_cycle` does not have a default value.
This change allows configuring this runtime setting via Contour configuration to allow administrators of Contour to prevent abusive connections from starving resources from other valid connections.
The default is left as the existing behavior (no limit) so as not to impact existing valid traffic.

The Contour ConfigMap can be modified similar to the following (and Contour restarted) to set this value:

```
listener:
max-requests-per-io-cycle: 10
```

(Note this can be used in addition to the existing Listener configuration field `listener.max-requests-per-connection` which is used primarily for HTTP/1.1 connections and is an approximate limit for HTTP/2)

## HTTP/2 max concurrent streams is configurable

This field can be used to limit the number of concurrent streams Envoy will allow on a single connection from a downstream peer.
It can be used to tune resource usage and as a mitigation for DOS attacks arising from vulnerabilities like CVE-2023-44487.

The Contour ConfigMap can be modified similar to the following (and Contour restarted) to set this value:

```
listener:
http2-max-concurrent-streams: 50
```


# Installing and Upgrading

For a fresh install of Contour, consult the [getting started documentation](https://projectcontour.io/getting-started/).

To upgrade an existing Contour installation, please consult the [upgrade documentation](https://projectcontour.io/resources/upgrading/).


# Compatible Kubernetes Versions

Contour v1.26.1 is tested against Kubernetes 1.26 through 1.28.


# Are you a Contour user? We would love to know!
If you're using Contour and want to add your organization to our adopters list, please visit this [page](https://github.com/projectcontour/contour/blob/master/ADOPTERS.md). If you prefer to keep your organization name anonymous but still give us feedback into your usage and scenarios for Contour, please post on this [GitHub thread](https://github.com/projectcontour/contour/issues/1269).
38 changes: 38 additions & 0 deletions changelogs/unreleased/5657-shadialtarsha-minor.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,38 @@
## Specific routes can now opt out of the virtual host's global rate limit policy

Setting `rateLimitPolicy.global.disabled` flag to true on a specific route now disables the global rate limit policy inherited from the virtual host for that route.

### Sample Configurations
In the example below, `/foo` route is opted out from the global rate limit policy defined by the virtualhost.
#### httpproxy.yaml
```yaml
apiVersion: projectcontour.io/v1
kind: HTTPProxy
metadata:
name: echo
spec:
virtualhost:
fqdn: local.projectcontour.io
rateLimitPolicy:
global:
descriptors:
- entries:
- remoteAddress: {}
- genericKey:
key: vhost
value: local.projectcontour.io
routes:
- conditions:
- prefix: /
services:
- name: ingress-conformance-echo
port: 80
- conditions:
- prefix: /foo
rateLimitPolicy:
global:
disabled: true
services:
- name: ingress-conformance-echo
port: 80
```
5 changes: 5 additions & 0 deletions changelogs/unreleased/5672-therealak12-minor.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,5 @@
## Contour now waits for the cache sync before starting the DAG rebuild and XDS server

Before this, we only waited for informer caches to sync but didn't wait for delivering the events to subscribed handlers.
Now contour waits for the initial list of Kubernetes objects to be cached and processed by handlers (using the returned `HasSynced` methods)
and then starts building its DAG and serving XDS.
24 changes: 24 additions & 0 deletions changelogs/unreleased/5678-clayton-gonsalves-minor.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,24 @@
## HTTPProxy: Allow Host header rewrite with dynamic headers.

This Change allows the host header to be rewritten on requests using dynamic headers on the only route level.

#### Example
```yaml
apiVersion: projectcontour.io/v1
kind: HTTPProxy
metadata:
name: dynamic-host-header-rewrite
spec:
fqdn: local.projectcontour.io
routes:
- conditions:
- prefix: /
services:
- name: s1
port: 80
- requestHeaderPolicy:
set:
- name: host
value: "%REQ(x-rewrite-header)%"
```
1 change: 1 addition & 0 deletions changelogs/unreleased/5686-izturn-small.md
Original file line number Diff line number Diff line change
@@ -0,0 +1 @@
Add flags: `--incluster`, `--kubeconfig` for enable run the `gateway-provisioner` in or out of the cluster.
1 change: 0 additions & 1 deletion changelogs/unreleased/5731-skriss-small.md

This file was deleted.

Loading

0 comments on commit e8f6228

Please sign in to comment.