Merge pull request envoyproxy#287 from dcillera/revert-and-update
Revert some commits and update to latest upstream 1.32
dcillera authored Dec 19, 2024
2 parents 7e9bada + 07737b0 commit 6658e50
Showing 53 changed files with 476 additions and 116 deletions.
49 changes: 26 additions & 23 deletions .bazelrc
Expand Up @@ -393,9 +393,9 @@ build:remote-ci --config=ci
build:remote-ci --remote_download_minimal

# Note this config is used by mobile CI also.
build:ci --noshow_progress
build:ci --noshow_loading_progress
build:ci --test_output=errors
common:ci --noshow_progress
common:ci --noshow_loading_progress
common:ci --test_output=errors

# Fuzz builds

Expand Down Expand Up @@ -512,26 +512,28 @@ build:rbe-engflow --bes_upload_mode=fully_async
build:rbe-engflow --nolegacy_important_outputs

# RBE (Engflow Envoy)
build:common-envoy-engflow --google_default_credentials=false
build:common-envoy-engflow --credential_helper=*.engflow.com=%workspace%/bazel/engflow-bazel-credential-helper.sh
build:common-envoy-engflow --grpc_keepalive_time=30s

build:cache-envoy-engflow --remote_cache=grpcs://mordenite.cluster.engflow.com
build:cache-envoy-engflow --remote_timeout=3600s
build:bes-envoy-engflow --bes_backend=grpcs://mordenite.cluster.engflow.com/
build:bes-envoy-engflow --bes_results_url=https://mordenite.cluster.engflow.com/invocation/
build:bes-envoy-engflow --bes_timeout=3600s
build:bes-envoy-engflow --bes_upload_mode=fully_async
build:bes-envoy-engflow --nolegacy_important_outputs
build:rbe-envoy-engflow --remote_executor=grpcs://mordenite.cluster.engflow.com
build:rbe-envoy-engflow --remote_default_exec_properties=container-image=docker://gcr.io/envoy-ci/envoy-build@sha256:7adc40c09508f957624c4d2e0f5aeecb73a59207ee6ded53b107eac828c091b2
build:rbe-envoy-engflow --jobs=200
build:rbe-envoy-engflow --define=engflow_rbe=true

build:remote-envoy-engflow --config=common-envoy-engflow
build:remote-envoy-engflow --config=cache-envoy-engflow
build:remote-envoy-engflow --config=bes-envoy-engflow
build:remote-envoy-engflow --config=rbe-envoy-engflow
common:common-envoy-engflow --google_default_credentials=false
common:common-envoy-engflow --credential_helper=*.engflow.com=%workspace%/bazel/engflow-bazel-credential-helper.sh
common:common-envoy-engflow --grpc_keepalive_time=30s

common:cache-envoy-engflow --remote_cache=grpcs://mordenite.cluster.engflow.com
common:cache-envoy-engflow --remote_timeout=3600s
common:bes-envoy-engflow --bes_backend=grpcs://mordenite.cluster.engflow.com/
common:bes-envoy-engflow --bes_results_url=https://mordenite.cluster.engflow.com/invocation/
common:bes-envoy-engflow --bes_timeout=3600s
common:bes-envoy-engflow --bes_upload_mode=fully_async
common:bes-envoy-engflow --nolegacy_important_outputs
common:rbe-envoy-engflow --remote_executor=grpcs://mordenite.cluster.engflow.com
common:rbe-envoy-engflow --remote_default_exec_properties=container-image=docker://gcr.io/envoy-ci/envoy-build@sha256:7adc40c09508f957624c4d2e0f5aeecb73a59207ee6ded53b107eac828c091b2
common:rbe-envoy-engflow --jobs=200
common:rbe-envoy-engflow --define=engflow_rbe=true

common:remote-envoy-engflow --config=common-envoy-engflow
common:remote-envoy-engflow --config=cache-envoy-engflow
common:remote-envoy-engflow --config=rbe-envoy-engflow

common:remote-cache-envoy-engflow --config=common-envoy-engflow
common:remote-cache-envoy-engflow --config=cache-envoy-engflow

#############################################################################
# debug: Various Bazel debugging flags
Expand All @@ -555,6 +557,7 @@ common:debug --config=debug-sandbox
common:debug --config=debug-coverage
common:debug --config=debug-tests

try-import %workspace%/repo.bazelrc
try-import %workspace%/clang.bazelrc
try-import %workspace%/user.bazelrc
try-import %workspace%/local_tsan.bazelrc
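Review bot: The `try-import %workspace%/repo.bazelrc` line in the last hunk (apparently the one line that hunk adds) has no comment saying where the file comes from, and it is the only import in this list that CI generates at run time: the `_run.yml` change in this commit writes it from `vars.ENVOY_CI_BAZELRC`. Whoever can edit that repository variable can therefore set any Bazel flag for CI and release builds, including the remote cache endpoint and credential helper configured earlier in this file. I would add a comment above the line, for example `# repo.bazelrc is generated by CI from the ENVOY_CI_BAZELRC repository variable; never commit it`, and confirm the file is git-ignored, which this page does not show.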
4 changes: 1 addition & 3 deletions .github/workflows/_precheck_publish.yml
Expand Up @@ -62,9 +62,7 @@ jobs:
target-suffix: arm64
arch: arm64
bazel-extra: >-
--config=common-envoy-engflow
--config=cache-envoy-engflow
--config=bes-envoy-engflow
--config=remote-cache-envoy-engflow
rbe: false
runs-on: envoy-arm64-large
timeout-minutes: 180
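Review bot: Replacing the three configs with `--config=remote-cache-envoy-engflow` drops `--config=bes-envoy-engflow`, because the `.bazelrc` section of this commit defines `remote-cache-envoy-engflow` as only `common-envoy-engflow` plus `cache-envoy-engflow`. The same substitution is made in `_publish_build.yml` (two jobs), `_publish_verify.yml` and `envoy-macos.yml`, so these publish and verify builds stop uploading build events and lose the invocation record that helps when auditing a release build. If that is intended, a comment next to the alias in `.bazelrc` should say so; if not, add `common:remote-cache-envoy-engflow --config=bes-envoy-engflow` there.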
13 changes: 7 additions & 6 deletions .github/workflows/_publish_build.yml
Expand Up @@ -67,9 +67,7 @@ jobs:
name: Release (arm64)
arch: arm64
bazel-extra: >-
--config=cache-envoy-engflow
--config=common-envoy-engflow
--config=bes-envoy-engflow
--config=remote-cache-envoy-engflow
rbe: false
runs-on: envoy-arm64-medium

Expand All @@ -86,9 +84,7 @@ jobs:
uses: ./.github/workflows/_run.yml
with:
bazel-extra: >-
--config=cache-envoy-engflow
--config=common-envoy-engflow
--config=bes-envoy-engflow
--config=remote-cache-envoy-engflow
downloads: |
release.${{ matrix.arch }}: release/${{ matrix.arch }}/bin/
target: ${{ matrix.target }}
Expand Down Expand Up @@ -163,6 +159,11 @@ jobs:
uses: ./.github/workflows/_run.yml
with:
target: release.signed
bazel-extra: >-
--//distribution:x64-packages=//distribution:custom/x64/packages.x64.tar.gz
--//distribution:arm64-packages=//distribution:custom/arm64/packages.arm64.tar.gz
--//distribution:x64-release=//distribution:custom/x64/bin/release.tar.zst
--//distribution:arm64-release=//distribution:custom/arm64/bin/release.tar.zst
cache-build-image: ${{ fromJSON(inputs.request).request.build-image.default }}
downloads: |
packages.arm64: envoy/arm64/
Expand Down
4 changes: 1 addition & 3 deletions .github/workflows/_publish_verify.yml
Expand Up @@ -132,7 +132,5 @@ jobs:
target: verify_distro
arch: arm64
bazel-extra: >-
--config=cache-envoy-engflow
--config=common-envoy-engflow
--config=bes-envoy-engflow
--config=remote-cache-envoy-engflow
runs-on: envoy-arm64-small
4 changes: 4 additions & 0 deletions .github/workflows/_run.yml
Expand Up @@ -286,6 +286,10 @@ jobs:
BAZEL_BUILD_EXTRA_OPTIONS="--google_credentials=/build/${GCP_SERVICE_ACCOUNT_KEY_FILE} --config=remote-ci --config=rbe-google"
echo "BAZEL_BUILD_EXTRA_OPTIONS=${BAZEL_BUILD_EXTRA_OPTIONS}" >> "$GITHUB_ENV"
- run: |
echo "${{ vars.ENVOY_CI_BAZELRC }}" > repo.bazelrc
if: ${{ vars.ENVOY_CI_BAZELRC }}
- uses: envoyproxy/toolshed/gh-actions/github/[email protected]
name: Run CI ${{ inputs.command }} ${{ inputs.target }}
with:
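Review bot: `echo "${{ vars.ENVOY_CI_BAZELRC }}" > repo.bazelrc` pastes the variable into the script text before the shell parses it, so a double quote, backtick or `$(...)` inside the value is interpreted by the shell instead of being written to the file. Pass the value through the environment instead: give the step an `env:` entry `ENVOY_CI_BAZELRC: ${{ vars.ENVOY_CI_BAZELRC }}` and write the file with `printf '%s\n' "${ENVOY_CI_BAZELRC}" > repo.bazelrc`. The variable is set by repository admins, so this is mostly about the generated file being byte-exact, but it also keeps a mistyped value from running as a command on the runner. The job this step belongs to continues outside the hunk.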
6 changes: 4 additions & 2 deletions .github/workflows/codeql-push.yml
Expand Up @@ -8,9 +8,11 @@ on:
paths:
- include/**
- source/common/**
branches-ignore:
- dependabot/**
branches:
- main
pull_request:
branches:
- main

concurrency:
group: ${{ github.head_ref || github.run_id }}-${{ github.workflow }}
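Review bot: With `branches: - main` replacing `branches-ignore: - dependabot/**`, pushes to any branch other than `main` no longer trigger CodeQL, and the added `pull_request` trigger is limited to `main` as well. If this repository ships from release branches (the commit description mentions tracking upstream 1.32), changes under `include/**` and `source/common/**` that land there would go unscanned. In that case list those branches under both `branches:` keys, for example `- release/**`, where the pattern is a placeholder for whatever naming the repository uses. The file is still called `codeql-push.yml` although it now also runs on pull requests, so a comment at the top saying so would help.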
4 changes: 1 addition & 3 deletions .github/workflows/envoy-macos.yml
Expand Up @@ -67,9 +67,7 @@ jobs:
_BAZEL_BUILD_EXTRA_OPTIONS=(
--remote_download_toplevel
--flaky_test_attempts=2
--config=bes-envoy-engflow
--config=cache-envoy-engflow
--config=common-envoy-engflow
--config=remote-cache-envoy-engflow
--config=ci)
export BAZEL_BUILD_EXTRA_OPTIONS=${_BAZEL_BUILD_EXTRA_OPTIONS[*]}
2 changes: 2 additions & 0 deletions .github/workflows/pr_notifier.yml
@@ -1,5 +1,7 @@
on:
pull_request:
branches:
- main
workflow_dispatch:
schedule:
- cron: '0 5 * * 1,2,3,4,5'
19 changes: 12 additions & 7 deletions .github/workflows/request.yml
Expand Up @@ -24,13 +24,6 @@ concurrency:

jobs:
request:
# For branches this can be pinned to a specific version if required
# NB: `uses` cannot be dynamic so it _must_ be hardcoded anywhere it is read
uses: envoyproxy/envoy/.github/workflows/_request.yml@main
if: >-
${{ github.repository == 'envoyproxy/envoy'
|| (vars.ENVOY_CI && github.event_name != 'schedule')
|| (vars.ENVOY_SCHEDULED_CI && github.event_name == 'schedule') }}
permissions:
actions: read
contents: read
Expand All @@ -41,3 +34,15 @@ jobs:
# these are required to start checks
app-key: ${{ secrets.ENVOY_CI_APP_KEY }}
app-id: ${{ secrets.ENVOY_CI_APP_ID }}
lock-app-key: ${{ secrets.ENVOY_CI_MUTEX_APP_KEY }}
lock-app-id: ${{ secrets.ENVOY_CI_MUTEX_APP_ID }}
gcs-cache-key: ${{ secrets.GCS_CACHE_WRITE_KEY }}
with:
gcs-cache-bucket: ${{ vars.ENVOY_CACHE_BUCKET }}
# For branches this can be pinned to a specific version if required
# NB: `uses` cannot be dynamic so it _must_ be hardcoded anywhere it is read
uses: envoyproxy/envoy/.github/workflows/_request.yml@main
if: >-
${{ github.repository == 'envoyproxy/envoy'
|| (vars.ENVOY_CI && github.event_name != 'schedule')
|| (vars.ENVOY_SCHEDULED_CI && github.event_name == 'schedule') }}
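Review bot: The job now hands three more secrets (`ENVOY_CI_MUTEX_APP_KEY`, `ENVOY_CI_MUTEX_APP_ID`, `GCS_CACHE_WRITE_KEY`) to a reusable workflow that is resolved at `@main`, which is a mutable ref. Any change merged to that branch of `envoyproxy/envoy` then runs with these secrets in every repository that the `if:` condition lets through via `vars.ENVOY_CI`. The existing comment already allows pinning; I would pin to a full commit SHA, `uses: envoyproxy/envoy/.github/workflows/_request.yml@<full-commit-sha>`, and bump it deliberately. The trigger list for this workflow is outside the hunk, so it is worth confirming there that the cache write key is not exposed to events carrying untrusted code.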
2 changes: 1 addition & 1 deletion VERSION.txt
@@ -1 +1 @@
1.32.1-dev
1.32.3-dev
6 changes: 3 additions & 3 deletions api/bazel/repository_locations.bzl
Expand Up @@ -179,12 +179,12 @@ REPOSITORY_LOCATIONS_SPEC = dict(
project_name = "envoy_toolshed",
project_desc = "Tooling, libraries, runners and checkers for Envoy proxy's CI",
project_url = "https://github.com/envoyproxy/toolshed",
version = "0.1.12",
sha256 = "cbd919462d3301ffcd83bcbc3763914201e08ac97d9237cd75219725760321d0",
version = "0.1.16",
sha256 = "06939757b00b318e89996ca3d4d2468ac2da1ff48a7b2cd9146b2054c3ff4769",
strip_prefix = "toolshed-bazel-v{version}/bazel",
urls = ["https://github.com/envoyproxy/toolshed/archive/bazel-v{version}.tar.gz"],
use_category = ["build"],
release_date = "2024-09-08",
release_date = "2024-11-18",
cpe = "N/A",
license = "Apache-2.0",
license_url = "https://github.com/envoyproxy/envoy/blob/bazel-v{version}/LICENSE",
2 changes: 1 addition & 1 deletion api/envoy/config/cluster/v3/cluster.proto
Expand Up @@ -965,7 +965,7 @@ message Cluster {
// :ref:`STRICT_DNS<envoy_v3_api_enum_value_config.cluster.v3.Cluster.DiscoveryType.STRICT_DNS>`
// and :ref:`LOGICAL_DNS<envoy_v3_api_enum_value_config.cluster.v3.Cluster.DiscoveryType.LOGICAL_DNS>`
// this setting is ignored.
google.protobuf.Duration dns_jitter = 58;
google.protobuf.Duration dns_jitter = 58 [(validate.rules).duration = {gte {}}];

// If the DNS failure refresh rate is specified and the cluster type is either
// :ref:`STRICT_DNS<envoy_v3_api_enum_value_config.cluster.v3.Cluster.DiscoveryType.STRICT_DNS>`,
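Review bot: The new `[(validate.rules).duration = {gte {}}]` rule on `dns_jitter` only rejects negative durations and sets no ceiling, while the 1.32.2 changelog entry in this commit describes the bug as being triggered by large values. The handling of large values is presumably in resolver code that this page does not show; if it is not, an `lte` bound belongs in this rule as well. Either way the field comment should state the constraint now enforced at config load, for example `// Must be greater than or equal to zero.` The comment block for the field starts above the hunk.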
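--- a/bazel/c-ares.patch
+++ b/bazel/c-ares.patch
@@ -0,0 +1,20 @@
+# Patch for c-ares CVE-2024-25629
+diff --git a/src/lib/ares__read_line.c b/src/lib/ares__read_line.c
+index d65ac1fcf8..018f55e8b2 100644
+--- a/src/lib/ares__read_line.c
++++ b/src/lib/ares__read_line.c
+@@ -59,6 +59,14 @@ ares_status_t ares__read_line(FILE *fp, char **buf, size_t *bufsize)
+return (offset != 0) ? 0 : (ferror(fp)) ? ARES_EFILE : ARES_EOF;
+}
+len = offset + ares_strlen(*buf + offset);
++
++ /* Probably means there was an embedded NULL as the first character in
++ * the line, throw away line */
++ if (len == 0) {
++ offset = 0;
++ continue;
++ }
++
+if ((*buf)[len - 1] == '\n') {
+(*buf)[len - 1] = 0;
+break;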
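Review bot: The header comment `# Patch for c-ares CVE-2024-25629` names the CVE but not the upstream change it backports or the c-ares release that already contains the fix, so nothing tells a maintainer when this file can be dropped. I would extend it to something like `# Backport of upstream c-ares commit <upstream-commit-id> (CVE-2024-25629); remove when c-ares is bumped to a release that includes it.` The guard itself matches the flaw: without the `len == 0` check, `(*buf)[len - 1]` indexes one byte before the buffer when a line begins with a NUL byte. A regression test that feeds such a line through the file-reading path would keep the fix from being lost silently on the next dependency bump.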
2 changes: 2 additions & 0 deletions bazel/repositories.bzl
Expand Up @@ -305,6 +305,8 @@ def _com_github_c_ares_c_ares():
external_http_archive(
name = "com_github_c_ares_c_ares",
build_file_content = BUILD_ALL_CONTENT,
patch_args = ["-p1"],
patches = ["@envoy//bazel:c-ares.patch"],
)

def _com_github_cyan4973_xxhash():
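--- a/changelogs/1.29.10.yaml
+++ b/changelogs/1.29.10.yaml
@@ -0,0 +1,6 @@
+date: October 29, 2024
+
+bug_fixes:
+- area: tracing
+change: |
+Fixed a bug where the OpenTelemetry tracer exports the OTLP request even when no spans are present.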
15 changes: 15 additions & 0 deletions changelogs/1.29.11.yaml
@@ -0,0 +1,15 @@
date: December 8, 2024

minor_behavior_changes:
- area: dns
change: |
Patched c-ares to address CVE-2024-25629.
bug_fixes:
- area: access_log
change: |
Relaxed the restriction on SNI logging to allow the ``_`` character, even if
``envoy.reloadable_features.sanitize_sni_in_access_log`` is enabled.
- area: validation/tools
change: |
Add back missing extension for ``schema_validator_tool``.
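--- a/changelogs/1.30.7.yaml
+++ b/changelogs/1.30.7.yaml
@@ -0,0 +1,6 @@
+date: October 29, 2024
+
+bug_fixes:
+- area: tracing
+change: |
+Fixed a bug where the OpenTelemetry tracer exports the OTLP request even when no spans are present.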
18 changes: 18 additions & 0 deletions changelogs/1.30.8.yaml
@@ -0,0 +1,18 @@
date: December 8, 2024

minor_behavior_changes:
- area: dns
change: |
Patched c-ares to address CVE-2024-25629.
bug_fixes:
- area: access_log
change: |
Relaxed the restriction on SNI logging to allow the ``_`` character, even if
``envoy.reloadable_features.sanitize_sni_in_access_log`` is enabled.
- area: tracers
change: |
Avoid possible overflow when setting span attributes in Dynatrace sampler.
- area: validation/tools
change: |
Add back missing extension for ``schema_validator_tool``.
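--- a/changelogs/1.31.3.yaml
+++ b/changelogs/1.31.3.yaml
@@ -0,0 +1,6 @@
+date: October 29, 2024
+
+bug_fixes:
+- area: tracing
+change: |
+Fixed a bug where the OpenTelemetry tracer exports the OTLP request even when no spans are present.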
18 changes: 18 additions & 0 deletions changelogs/1.31.4.yaml
@@ -0,0 +1,18 @@
date: December 8, 2024

minor_behavior_changes:
- area: dns
change: |
Patched c-ares to address CVE-2024-25629.
bug_fixes:
- area: access_log
change: |
Relaxed the restriction on SNI logging to allow the ``_`` character, even if
``envoy.reloadable_features.sanitize_sni_in_access_log`` is enabled.
- area: tracers
change: |
Avoid possible overflow when setting span attributes in Dynatrace sampler.
- area: validation/tools
change: |
Add back missing extension for ``schema_validator_tool``.
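--- a/changelogs/1.32.1.yaml
+++ b/changelogs/1.32.1.yaml
@@ -0,0 +1,6 @@
+date: October 29, 2024
+
+bug_fixes:
+- area: release
+change: |
+Container updates.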
27 changes: 27 additions & 0 deletions changelogs/1.32.2.yaml
@@ -0,0 +1,27 @@
date: December 8, 2024

minor_behavior_changes:
- area: dns
change: |
Patched c-ares to address CVE-2024-25629.
bug_fixes:
- area: access_log
change: |
Relaxed the restriction on SNI logging to allow the ``_`` character, even if
``envoy.reloadable_features.sanitize_sni_in_access_log`` is enabled.
- area: original_ip_detection
change: |
Reverted :ref:`custom header
<envoy_v3_api_msg_extensions.http.original_ip_detection.custom_header.v3.CustomHeaderConfig>` extension to its
original behavior by disabling automatic XFF header appending that was inadvertently introduced in PR #31831.
- area: tracers
change: |
Avoid possible overflow when setting span attributes in Dynatrace sampler.
- area: validation/tools
change: |
Add back missing extension for ``schema_validator_tool``.
- area: DNS
change: |
Fixed bug where setting ``dns_jitter <envoy_v3_api_field_config.cluster.v3.Cluster.dns_jitter>`` to large values caused Envoy Bug
to fire.
2 changes: 1 addition & 1 deletion ci/Dockerfile-envoy
Expand Up @@ -59,7 +59,7 @@ COPY --chown=0:0 --chmod=755 \


# STAGE: envoy-distroless
FROM gcr.io/distroless/base-nossl-debian12:nonroot@sha256:e130c09889f3b6c05dacd52d2612c30811e04eefe3280a6659037cfdd018de6c AS envoy-distroless
FROM gcr.io/distroless/base-nossl-debian12:nonroot@sha256:2a803cc873dc1a69a33087ee10c75755367dd2c259219893504680480ad563f0 AS envoy-distroless
EXPOSE 10000
ENTRYPOINT ["/usr/local/bin/envoy"]
CMD ["-c", "/etc/envoy/envoy.yaml"]
4 changes: 3 additions & 1 deletion ci/do_ci.sh
Expand Up @@ -935,7 +935,9 @@ case $CI_TARGET in
release.signed)
echo "Signing binary packages..."
setup_clang_toolchain
bazel build "${BAZEL_BUILD_OPTIONS[@]}" //distribution:signed
bazel build \
"${BAZEL_BUILD_OPTIONS[@]}" \
//distribution:signed
cp -a bazel-bin/distribution/release.signed.tar.zst "${BUILD_DIR}/envoy/"
;;


0 comments on commit 6658e50
