

Merge pull request #15 from solo-io/cve-8feb24-patch/v1.26
CVE 8feb24 patch/v1.26
nfuden authored Feb 12, 2024
2 parents 2d0040c + bbe36bd commit 37f7ac7
Showing 131 changed files with 2,632 additions and 2,993 deletions.
115 changes: 71 additions & 44 deletions .azure-pipelines/ci.yml
Expand Up @@ -3,6 +3,10 @@ parameters:
displayName: "CI target"
type: string
default: release
- name: artifactName
displayName: "Artifact name"
type: string
default: ""
- name: artifactSuffix
displayName: "Suffix of artifact"
type: string
Expand Down Expand Up @@ -176,31 +180,68 @@ steps:
tmpfsDockerDisabled: "${{ parameters.tmpfsDockerDisabled }}"

- script: |
if [[ "${{ parameters.bazelUseBES }}" == 'false' ]]; then
unset GOOGLE_BES_PROJECT_ID
ENVOY_SHARED_TMP_DIR=/tmp/bazel-shared
mkdir -p "$ENVOY_SHARED_TMP_DIR"
BAZEL_BUILD_EXTRA_OPTIONS="${{ parameters.bazelBuildExtraOptions }}"
if [[ "${{ parameters.rbe }}" == "True" ]]; then
# mktemp will create a tempfile with u+rw permission minus umask, it will not be readable by all
# users by default.
GCP_SERVICE_ACCOUNT_KEY_PATH=$(mktemp -p "${ENVOY_SHARED_TMP_DIR}" -t gcp_service_account.XXXXXX.json)
bash -c 'echo "$(GcpServiceAccountKey)"' | base64 --decode > "${GCP_SERVICE_ACCOUNT_KEY_PATH}"
BAZEL_BUILD_EXTRA_OPTIONS+=" ${{ parameters.bazelConfigRBE }} --google_credentials=${GCP_SERVICE_ACCOUNT_KEY_PATH}"
ENVOY_RBE=1
if [[ "${{ parameters.bazelUseBES }}" == "True" && -n "${GOOGLE_BES_PROJECT_ID}" ]]; then
BAZEL_BUILD_EXTRA_OPTIONS+=" --config=rbe-google-bes --bes_instance_name=${GOOGLE_BES_PROJECT_ID}"
fi
else
echo "using local build cache."
# Normalize branches - `release/vX.xx`, `vX.xx`, `vX.xx.x` -> `vX.xx`
TARGET_BRANCH=$(echo "${CI_TARGET_BRANCH}" | cut -d/ -f2-)
BRANCH_NAME="$(echo "${TARGET_BRANCH}" | cut -d/ -f2 | cut -d. -f-2)"
if [[ "$BRANCH_NAME" == "merge" ]]; then
# Manually run PR commit - there is no easy way of telling which branch
# it is, so just set it to `main` - otherwise it tries to cache as `branch/merge`
BRANCH_NAME=main
fi
BAZEL_REMOTE_INSTANCE="branch/${BRANCH_NAME}"
echo "instance_name: ${BAZEL_REMOTE_INSTANCE}."
BAZEL_BUILD_EXTRA_OPTIONS+=" --config=ci --config=cache-local --remote_instance_name=${BAZEL_REMOTE_INSTANCE} --remote_timeout=600"
fi
ci/run_envoy_docker.sh 'ci/do_ci.sh fetch-${{ parameters.ciTarget }}'
condition: and(not(canceled()), not(failed()), ne('${{ parameters.cacheName }}', ''), ne(variables.CACHE_RESTORED, 'true'))
if [[ "${{ parameters.cacheTestResults }}" != "True" ]]; then
VERSION_DEV="$(cut -d- -f2 "VERSION.txt")"
# Use uncached test results for non-release scheduledruns.
if [[ $VERSION_DEV == "dev" ]]; then
BAZEL_EXTRA_TEST_OPTIONS+=" --nocache_test_results"
fi
fi
# Any PR or CI run in envoy-presubmit uses the fake SCM hash
if [[ "${{ variables['Build.Reason'] }}" == "PullRequest" || "${{ variables['Build.DefinitionName'] }}" == 'envoy-presubmit' ]]; then
# sha1sum of `ENVOY_PULL_REQUEST`
BAZEL_FAKE_SCM_REVISION=e3b4a6e9570da15ac1caffdded17a8bebdc7dfc9
fi
echo "##vso[task.setvariable variable=BAZEL_BUILD_EXTRA_OPTIONS]${BAZEL_BUILD_EXTRA_OPTIONS}"
echo "##vso[task.setvariable variable=BAZEL_EXTRA_TEST_OPTIONS]${BAZEL_EXTRA_TEST_OPTIONS}"
echo "##vso[task.setvariable variable=BAZEL_FAKE_SCM_REVISION]${BAZEL_FAKE_SCM_REVISION}"
echo "##vso[task.setvariable variable=BAZEL_STARTUP_EXTRA_OPTIONS]${{ parameters.bazelStartupExtraOptions }}"
echo "##vso[task.setvariable variable=CI_TARGET_BRANCH]${CI_TARGET_BRANCH}"
echo "##vso[task.setvariable variable=ENVOY_BUILD_FILTER_EXAMPLE]${{ parameters.envoyBuildFilterExample }}"
echo "##vso[task.setvariable variable=ENVOY_DOCKER_BUILD_DIR]$(Build.StagingDirectory)"
echo "##vso[task.setvariable variable=ENVOY_RBE]${ENVOY_RBE}"
echo "##vso[task.setvariable variable=ENVOY_SHARED_TMP_DIR]${ENVOY_SHARED_TMP_DIR}"
echo "##vso[task.setvariable variable=GCP_SERVICE_ACCOUNT_KEY_PATH]${GCP_SERVICE_ACCOUNT_KEY_PATH}"
echo "##vso[task.setvariable variable=GITHUB_TOKEN]${{ parameters.authGithub }}"
workingDirectory: $(Build.SourcesDirectory)
env:
ENVOY_DOCKER_BUILD_DIR: $(Build.StagingDirectory)
GITHUB_TOKEN: "${{ parameters.authGithub }}"
BAZEL_STARTUP_EXTRA_OPTIONS: "${{ parameters.bazelStartupExtraOptions }}"
${{ if eq(variables['Build.Reason'], 'PullRequest') }}:
CI_TARGET_BRANCH: "origin/$(System.PullRequest.TargetBranch)"
${{ if ne(variables['Build.Reason'], 'PullRequest') }}:
CI_TARGET_BRANCH: "origin/$(Build.SourceBranchName)"
# Any PR or CI run in envoy-presubmit uses the fake SCM hash
${{ if or(eq(variables['Build.Reason'], 'PullRequest'), eq(variables['Build.DefinitionName'], 'envoy-presubmit')) }}:
# sha1sum of `ENVOY_PULL_REQUEST`
BAZEL_FAKE_SCM_REVISION: e3b4a6e9570da15ac1caffdded17a8bebdc7dfc9
${{ if parameters.rbe }}:
GCP_SERVICE_ACCOUNT_KEY: $(GcpServiceAccountKey)
ENVOY_RBE: "1"
BAZEL_BUILD_EXTRA_OPTIONS: "${{ parameters.bazelConfigRBE }} ${{ parameters.bazelBuildExtraOptions }}"
${{ if eq(parameters.rbe, false) }}:
BAZEL_BUILD_EXTRA_OPTIONS: "--config=ci ${{ parameters.bazelBuildExtraOptions }}"
BAZEL_REMOTE_CACHE: $(LocalBuildCache)
displayName: "CI env ${{ parameters.ciTarget }}"

- script: ci/run_envoy_docker.sh 'ci/do_ci.sh fetch-${{ parameters.ciTarget }}'
condition: and(not(canceled()), not(failed()), ne('${{ parameters.cacheName }}', ''), ne(variables.CACHE_RESTORED, 'true'))
workingDirectory: $(Build.SourcesDirectory)
env:
${{ each var in parameters.env }}:
${{ var.key }}: ${{ var.value }}
displayName: "Fetch assets (${{ parameters.ciTarget }})"
Expand Down Expand Up @@ -231,34 +272,10 @@ steps:
displayName: "Enable IPv6"
condition: ${{ parameters.managedAgent }}

- script: |
if [[ "${{ parameters.bazelUseBES }}" == 'false' ]]; then
unset GOOGLE_BES_PROJECT_ID
fi
ci/run_envoy_docker.sh 'ci/do_ci.sh ${{ parameters.ciTarget }}'
- script: ci/run_envoy_docker.sh 'ci/do_ci.sh ${{ parameters.ciTarget }}'
workingDirectory: $(Build.SourcesDirectory)
env:
ENVOY_DOCKER_BUILD_DIR: $(Build.StagingDirectory)
ENVOY_BUILD_FILTER_EXAMPLE: ${{ parameters.envoyBuildFilterExample }}
GITHUB_TOKEN: "${{ parameters.authGithub }}"
BAZEL_STARTUP_EXTRA_OPTIONS: "${{ parameters.bazelStartupExtraOptions }}"
${{ if ne(parameters['cacheTestResults'], true) }}:
BAZEL_NO_CACHE_TEST_RESULTS: 1
${{ if eq(variables['Build.Reason'], 'PullRequest') }}:
CI_TARGET_BRANCH: "origin/$(System.PullRequest.TargetBranch)"
${{ if ne(variables['Build.Reason'], 'PullRequest') }}:
CI_TARGET_BRANCH: "origin/$(Build.SourceBranchName)"
# Any PR or CI run in envoy-presubmit uses the fake SCM hash
${{ if or(eq(variables['Build.Reason'], 'PullRequest'), eq(variables['Build.DefinitionName'], 'envoy-presubmit')) }}:
# sha1sum of `ENVOY_PULL_REQUEST`
BAZEL_FAKE_SCM_REVISION: e3b4a6e9570da15ac1caffdded17a8bebdc7dfc9
${{ if parameters.rbe }}:
GCP_SERVICE_ACCOUNT_KEY: $(GcpServiceAccountKey)
ENVOY_RBE: "1"
BAZEL_BUILD_EXTRA_OPTIONS: "${{ parameters.bazelConfigRBE }} ${{ parameters.bazelBuildExtraOptions }}"
${{ if eq(parameters.rbe, false) }}:
BAZEL_BUILD_EXTRA_OPTIONS: "--config=ci ${{ parameters.bazelBuildExtraOptions }}"
BAZEL_REMOTE_CACHE: $(LocalBuildCache)
${{ each var in parameters.env }}:
${{ var.key }}: ${{ var.value }}
displayName: "Run CI script ${{ parameters.ciTarget }}"
Expand Down Expand Up @@ -296,6 +313,13 @@ steps:
- ${{ each pair in step }}:
${{ pair.key }}: ${{ pair.value }}

- bash: |
if [[ -n "$GCP_SERVICE_ACCOUNT_KEY_PATH" && -e "$GCP_SERVICE_ACCOUNT_KEY_PATH" ]]; then
echo "Removed key: ${GCP_SERVICE_ACCOUNT_KEY_PATH}"
rm -rf "$GCP_SERVICE_ACCOUNT_KEY_PATH"
fi
condition: not(canceled())

- script: |
set -e
sudo .azure-pipelines/docker/save_cache.sh "$(Build.StagingDirectory)" /mnt/cache/all true true
Expand All @@ -318,6 +342,9 @@ steps:
- task: PublishBuildArtifacts@1
inputs:
pathtoPublish: "$(Build.StagingDirectory)/envoy"
artifactName: ${{ parameters.ciTarget }}
${{ if eq(parameters.artifactName, '') }}:
artifactName: ${{ parameters.ciTarget }}
${{ if ne(parameters.artifactName, '') }}:
artifactName: ${{ parameters.artifactName }}
timeoutInMinutes: 10
condition: eq(${{ parameters.publishEnvoy }}, 'true')
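Review bot: The env script exports the GitHub token with `echo "##vso[task.setvariable variable=GITHUB_TOKEN]${{ parameters.authGithub }}"` and no `issecret=true`, which turns what the removed `env:` block scoped to a single step into an ordinary job-wide variable that is injected as an environment variable into every later step, including the caller-supplied `${{ parameters.env }}` steps; `echo "##vso[task.setvariable variable=GITHUB_TOKEN;issecret=true]${{ parameters.authGithub }}"` keeps it a masked secret that is not implicitly exported. The decoded service-account key that `mktemp` writes under `/tmp/bazel-shared` is only deleted by the later `bash` cleanup step when the job is not cancelled (`condition: not(canceled())`), so a cancelled run leaves the key on the agent; `condition: always()` would cover that case too. Note also that `bash -c 'echo "$(GcpServiceAccountKey)"'` relies on Azure macro-expanding the secret into the script text before it runs, which is presumably why the old version passed it through `env:` instead — a comment explaining the change would help the next maintainer.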
8 changes: 8 additions & 0 deletions .azure-pipelines/env.yml
Expand Up @@ -148,6 +148,8 @@ jobs:
RUN_CHECKS=true
RUN_DOCKER=true
RUN_PACKAGING=true
RUN_RELEASE_TESTS=true
if [[ "$(changed.mobileOnly)" == true || "$(changed.docsOnly)" == true ]]; then
RUN_BUILD=false
RUN_DOCKER=false
Expand All @@ -156,10 +158,15 @@ jobs:
RUN_CHECKS=false
RUN_PACKAGING=false
fi
if [[ "$ISSTABLEBRANCH" == True && -n "$POSTSUBMIT" && "$(state.isDev)" == false ]]; then
RUN_RELEASE_TESTS=false
fi
echo "##vso[task.setvariable variable=build;isoutput=true]${RUN_BUILD}"
echo "##vso[task.setvariable variable=checks;isoutput=true]${RUN_CHECKS}"
echo "##vso[task.setvariable variable=docker;isoutput=true]${RUN_DOCKER}"
echo "##vso[task.setvariable variable=packaging;isoutput=true]${RUN_PACKAGING}"
echo "##vso[task.setvariable variable=releaseTests;isoutput=true]${RUN_RELEASE_TESTS}"
displayName: "Decide what to run"
workingDirectory: $(Build.SourcesDirectory)
Expand Down Expand Up @@ -211,6 +218,7 @@ jobs:
echo "env.outputs['run.build']: $(run.build)"
echo "env.outputs['run.checks']: $(run.checks)"
echo "env.outputs['run.packaging']: $(run.packaging)"
echo "env.outputs['run.releaseTests']: $(run.releaseTests)"
echo
echo "env.outputs['publish.githubRelease']: $(publish.githubRelease)"
echo "env.outputs['publish.dockerhub]: $(publish.dockerhub)"
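Review bot: The new skip rule `if [[ "$ISSTABLEBRANCH" == True && -n "$POSTSUBMIT" && "$(state.isDev)" == false ]]` compares one flag against `True` and the other against `false`, and bash `==` is case-sensitive, so the branch depends on each producer using exactly that casing; a comment stating the intent, `# Skip release tests only for postsubmit runs on a stable branch at a non-dev version`, plus normalising both sides (e.g. `"${ISSTABLEBRANCH,,}" == true`) would make it robust. `$(state.isDev)` is substituted into the script text before it runs, so if that output variable is unset the test degrades to `"" == false` and release tests stay enabled, which looks like the intended fallback but is worth stating. The enclosing script step starts before this hunk.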
11 changes: 3 additions & 8 deletions .azure-pipelines/pipelines.yml
Expand Up @@ -65,6 +65,9 @@ stages:
# Presubmit/default
- ${{ if eq(variables.pipelineDefault, true) }}:
- template: stages.yml
parameters:
buildStageDeps:
- env

# Scheduled run anywhere
- ${{ if eq(variables.pipelineScheduled, true) }}:
Expand All @@ -80,10 +83,6 @@ stages:
- env
checkStageDeps:
- env
macBuildStageDeps:
- env
windowsBuildStageDeps:
- env

# Postsubmit main/release branches
- ${{ if eq(variables.pipelinePostsubmit, true) }}:
Expand All @@ -96,7 +95,3 @@ stages:
- env
checkStageDeps:
- env
macBuildStageDeps:
- env
windowsBuildStageDeps:
- env
8 changes: 0 additions & 8 deletions .azure-pipelines/stage/checks.yml
Expand Up @@ -101,15 +101,7 @@ jobs:
displayName: "Upload $(CI_TARGET) Report to GCS"
condition: and(not(canceled()), or(eq(variables['CI_TARGET'], 'coverage'), eq(variables['CI_TARGET'], 'fuzz_coverage')))
env:
ENVOY_DOCKER_BUILD_DIR: $(Build.StagingDirectory)
ENVOY_RBE: "1"
BAZEL_BUILD_EXTRA_OPTIONS: "--config=ci --config=rbe-google --jobs=$(RbeJobs)"
GCP_SERVICE_ACCOUNT_KEY: ${{ parameters.authGCP }}
GCS_ARTIFACT_BUCKET: ${{ parameters.bucketGCP }}
${{ if eq(variables['Build.Reason'], 'PullRequest') }}:
BAZEL_REMOTE_INSTANCE_BRANCH: "$(System.PullRequest.TargetBranch)"
${{ if ne(variables['Build.Reason'], 'PullRequest') }}:
BAZEL_REMOTE_INSTANCE_BRANCH: "$(Build.SourceBranchName)"

- job: complete
displayName: "Checks complete"
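Review bot: After this removal the "Upload $(CI_TARGET) Report to GCS" step's `env:` no longer carries any GCP credential or RBE settings, so the upload now depends on variables set elsewhere in the job — presumably the `GCP_SERVICE_ACCOUNT_KEY_PATH` and `BAZEL_BUILD_EXTRA_OPTIONS` exported by ci.yml's "CI env" step, if this job includes that template, which is not visible here. A one-line comment above `env:` such as `# GCP credentials and bazel options come from the job-wide variables exported by the CI env step` would make the dependency explicit and keep someone from re-adding the per-step key. The step starts above this hunk.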
16 changes: 15 additions & 1 deletion .azure-pipelines/stage/linux.yml
Expand Up @@ -11,6 +11,10 @@ parameters:
displayName: "Artifact suffix"
type: string
default:
- name: runTests
displayName: "Run release tests"
type: string
default: true
- name: rbe
displayName: "Use RBE"
type: boolean
Expand Down Expand Up @@ -45,10 +49,20 @@ jobs:
timeoutInMinutes: ${{ parameters.timeoutBuild }}
pool: ${{ parameters.pool }}
steps:
- bash: |
if [[ "${{ parameters.runTests }}" == "false" ]]; then
CI_TARGET="release.server_only"
else
CI_TARGET="release"
fi
echo "${CI_TARGET}"
echo "##vso[task.setvariable variable=value;isoutput=true]${CI_TARGET}"
name: target
- template: ../ci.yml
parameters:
artifactName: release
managedAgent: ${{ parameters.managedAgent }}
ciTarget: release
ciTarget: $(target.value)
cacheName: "release"
bazelBuildExtraOptions: ${{ parameters.bazelBuildExtraOptions }}
cacheTestResults: ${{ parameters.cacheTestResults }}
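Review bot: `if [[ "${{ parameters.runTests }}" == "false" ]]` is a case-sensitive bash comparison on a parameter declared `type: string` with a YAML-boolean default `true`; a caller that passes a boolean rather than a string can have the value rendered as `False` (the same reason ci.yml compares `parameters.rbe` against `"True"`), in which case the server-only target would never be selected. `if [[ "${{ lower(parameters.runTests) }}" == "false" ]]; then` normalises it at template time, and declaring the parameter as `type: boolean` would be stricter still if every caller can be updated. The new step also has no `displayName`; `displayName: "Select release CI target"` would make it identifiable in the run log.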
56 changes: 0 additions & 56 deletions .azure-pipelines/stage/macos.yml

This file was deleted.

31 changes: 18 additions & 13 deletions .azure-pipelines/stage/prechecks.yml
Expand Up @@ -25,11 +25,25 @@ parameters:
type: string
default: ""

# Timeout/s
- name: timeoutPrechecks
type: number
# Building the rst from protos can take a while even with RBE if there is
# a lot of change - eg protobuf changed, or a primitve proto changed.
default: 40

- name: runPrechecks
displayName: "Run prechecks"
type: string
default: true

jobs:
- job: prechecks
displayName: Precheck
timeoutInMinutes: 20
timeoutInMinutes: ${{ parameters.timeoutPrechecks }}
condition: |
and(not(canceled()),
eq(${{ parameters.runPrechecks }}, 'true'))
pool:
vmImage: $(agentUbuntu)
variables:
Expand Down Expand Up @@ -85,15 +99,15 @@ jobs:
authGPGKey: ${{ parameters.authGPGKey }}
# GNUPGHOME inside the container
pathGPGConfiguredHome: /build/.gnupg
pathGPGHome: /tmp/envoy-docker-build/.gnupg
pathGPGHome: $(Build.StagingDirectory)/.gnupg
- bash: |
set -e
ci/run_envoy_docker.sh "
echo AUTHORITY > /tmp/authority \
&& gpg --clearsign /tmp/authority \
&& cat /tmp/authority.asc \
&& gpg --verify /tmp/authority.asc"
rm -rf /tmp/envoy-docker-build/.gnupg
rm -rf $(Build.StagingDirectory)/.gnupg
displayName: "Ensure container CI can sign with GPG"
condition: and(not(canceled()), eq(variables['CI_TARGET'], 'docs'))
Expand All @@ -115,10 +129,6 @@ jobs:
ci/run_envoy_docker.sh 'ci/do_ci.sh dockerhub-readme'
displayName: "Dockerhub publishing test"
env:
ENVOY_DOCKER_BUILD_DIR: $(Build.StagingDirectory)
ENVOY_RBE: "1"
BAZEL_BUILD_EXTRA_OPTIONS: "--config=remote-ci --config=rbe-google --jobs=$(RbeJobs)"
GCP_SERVICE_ACCOUNT_KEY: ${{ parameters.authGCP }}
GCS_ARTIFACT_BUCKET: ${{ parameters.bucketGCP }}
condition: eq(variables['CI_TARGET'], 'docs')
Expand All @@ -141,14 +151,9 @@ jobs:
condition: and(failed(), eq(variables['CI_TARGET'], 'check_and_fix_proto_format'))

# Publish docs
- script: |
ci/run_envoy_docker.sh 'ci/do_ci.sh docs-upload'
- script: ci/run_envoy_docker.sh 'ci/do_ci.sh docs-upload'
displayName: "Upload Docs to GCS"
env:
ENVOY_DOCKER_BUILD_DIR: $(Build.StagingDirectory)
ENVOY_RBE: "1"
BAZEL_BUILD_EXTRA_OPTIONS: "--config=remote-ci --config=rbe-google --jobs=$(RbeJobs)"
GCP_SERVICE_ACCOUNT_KEY: ${{ parameters.authGCP }}
GCS_ARTIFACT_BUCKET: ${{ parameters.bucketGCP }}
condition: eq(variables['CI_TARGET'], 'docs')
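Review bot: The new job condition `eq(${{ parameters.runPrechecks }}, 'true')` inserts the template value unquoted into a runtime expression, so an empty or non-literal value breaks the expression instead of evaluating to false; quoting it as `eq('${{ parameters.runPrechecks }}', 'true')` matches how ci.yml guards `parameters.cacheName` (`ne('${{ parameters.cacheName }}', '')`), and since `eq` is case-insensitive both `True` and `true` still pass. In the GPG step `rm -rf $(Build.StagingDirectory)/.gnupg` is unquoted, unlike the quoted `rm -rf "$GCP_SERVICE_ACCOUNT_KEY_PATH"` added to ci.yml; `rm -rf "$(Build.StagingDirectory)/.gnupg"` avoids word-splitting if the staging path ever contains a space. The comment on `timeoutPrechecks` misspells "primitive".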
