
Commit 6dc9a72

authored
[cloud] Upgrade envoy to v1.34 release (#2230)
Summary: [cloud] Upgrade envoy to v1.34 release Our version of envoy hasn't been upgraded in a long time and has CVEs associated with it. I'd like to get our trivy image scanning to include the cloud and vizier deps, but in the meantime I wanted to upgrade some dependencies. Relevant Issues: N/A Type of change: /kind dependencies Test Plan: Skaffolde'd a cloud with these changes and verified the Pixie UI works --------- Signed-off-by: Dom Del Nano <[email protected]>
1 parent 5b20e35 commit 6dc9a72


7 files changed

+265
-143
lines changed


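--- a/k8s/cloud/base/proxy_deployment.yaml
+++ b/k8s/cloud/base/proxy_deployment.yaml
@@ -98,7 +98,7 @@ spec:
 type: RuntimeDefault
 - name: envoy
 imagePullPolicy: IfNotPresent
-image: envoyproxy/envoy:v1.12.2@sha256:b36ee021fc4d285de7861dbaee01e7437ce1d63814ead6ae3e4dfcad4a951b2e
+image: envoyproxy/envoy:v1.34.2@sha256:daca6a3f353ba289cc786d2162d13d4ec2b16d921c6c3f2fc57ce6f7900ab3d9
 command: ["envoy"]
 args: ["-c", "/etc/envoy.yaml", "--service-cluster", "$(POD_NAME)"]
 env: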

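--- a/k8s/cloud/base/proxy_envoy.yaml
+++ b/k8s/cloud/base/proxy_envoy.yaml
@@ -13,10 +13,13 @@ data:
 filter_chains:
 - filters:
 - name: envoy.http_connection_manager
-config:
+typed_config:
+"@type": >
+type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
 access_log:
 - name: envoy.file_access_log
-config:
+typed_config:
+"@type": type.googleapis.com/envoy.extensions.access_loggers.file.v3.FileAccessLog
 path: "/dev/stdout"
 codec_type: auto
 stat_prefix: ingress_http
@@ -47,31 +50,48 @@ data:
 expose_headers: grpc-status,grpc-message,grpc-timeout
 allow_credentials: true
 http_filters:
-- name: envoy.grpc_web
-- name: envoy.cors
-- name: envoy.router
-tls_context:
-common_tls_context:
-alpn_protocols: "h2,http/1.1"
-tls_certificates:
-- certificate_chain:
-filename: "/certs/tls.crt"
-private_key:
-filename: "/certs/tls.key"
+- name: envoy.filters.http.grpc_web
+typed_config:
+"@type": type.googleapis.com/envoy.extensions.filters.http.grpc_web.v3.GrpcWeb
+- name: envoy.filters.http.cors
+typed_config:
+"@type": type.googleapis.com/envoy.extensions.filters.http.cors.v3.Cors
+- name: envoy.filters.http.router
+typed_config:
+"@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router
+transport_socket:
+name: envoy.transport_sockets.tls
+typed_config:
+"@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext
+common_tls_context:
+alpn_protocols: "h2,http/1.1"
+tls_certificates:
+- certificate_chain:
+filename: "/certs/tls.crt"
+private_key:
+filename: "/certs/tls.key"
 clusters:
 - name: api_service
 connect_timeout: 0.25s
 type: logical_dns
 http2_protocol_options: {}
 lb_policy: round_robin
-hosts:
-- socket_address:
-address: api-service
-port_value: 51200
-tls_context:
-common_tls_context:
-tls_certificates:
-- certificate_chain:
-filename: "/service-certs/client.crt"
-private_key:
-filename: "/service-certs/client.key"
+load_assignment:
+cluster_name: api_service
+endpoints:
+- lb_endpoints:
+- endpoint:
+address:
+socket_address:
+address: api-service
+port_value: 51200
+transport_socket:
+name: envoy.transport_sockets.tls
+typed_config:
+"@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext
+common_tls_context:
+tls_certificates:
+- certificate_chain:
+filename: "/service-certs/client.crt"
+private_key:
+filename: "/service-certs/client.key"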
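Review bot: The `UpstreamTlsContext` at the end of the second hunk carries only `tls_certificates` under `common_tls_context`, so the proxy presents a client certificate to `api-service` but nothing visible here makes it verify the certificate the server presents. Since this block is being rewritten for the v3 API anyway, I would add a `validation_context` with a trusted CA file and a subject-alt-name matcher, so an endpoint answering on that DNS name without a certificate from the service CA is rejected. The removed `tls_context` had the same gap, and the same block appears in the dev, prod and public/base copies of `proxy_envoy.yaml`. If server validation is configured outside these hunks, a comment next to the transport socket saying so would help.

```yaml
# … unchanged: transport_socket name, typed_config "@type", tls_certificates …
common_tls_context:
  validation_context:
    trusted_ca:
      filename: "<path to the service CA bundle>"
    match_typed_subject_alt_names:
      - san_type: DNS
        matcher:
          exact: "<DNS name in the api-service certificate>"
```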

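--- a/k8s/cloud/dev/proxy_envoy.yaml
+++ b/k8s/cloud/dev/proxy_envoy.yaml
@@ -20,10 +20,13 @@ data:
 filter_chains:
 - filters:
 - name: envoy.http_connection_manager
-config:
+typed_config:
+"@type": >
+type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
 access_log:
 - name: envoy.file_access_log
-config:
+typed_config:
+"@type": type.googleapis.com/envoy.extensions.access_loggers.file.v3.FileAccessLog
 path: "/dev/stdout"
 codec_type: auto
 stat_prefix: ingress_http
@@ -54,30 +57,48 @@ data:
 expose_headers: grpc-status,grpc-message,grpc-timeout
 allow_credentials: true
 http_filters:
-- name: envoy.grpc_web
-- name: envoy.cors
-- name: envoy.router
-tls_context:
-common_tls_context:
-tls_certificates:
-- certificate_chain:
-filename: "/certs/tls.crt"
-private_key:
-filename: "/certs/tls.key"
+- name: envoy.filters.http.grpc_web
+typed_config:
+"@type": type.googleapis.com/envoy.extensions.filters.http.grpc_web.v3.GrpcWeb
+- name: envoy.filters.http.cors
+typed_config:
+"@type": type.googleapis.com/envoy.extensions.filters.http.cors.v3.Cors
+- name: envoy.filters.http.router
+typed_config:
+"@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router
+transport_socket:
+name: envoy.transport_sockets.tls
+typed_config:
+"@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext
+common_tls_context:
+alpn_protocols: "h2,http/1.1"
+tls_certificates:
+- certificate_chain:
+filename: "/certs/tls.crt"
+private_key:
+filename: "/certs/tls.key"
 clusters:
 - name: api_service
 connect_timeout: 0.25s
 type: logical_dns
 http2_protocol_options: {}
 lb_policy: round_robin
-hosts:
-- socket_address:
-address: api-service
-port_value: 51200
-tls_context:
-common_tls_context:
-tls_certificates:
-- certificate_chain:
-filename: "/service-certs/client.crt"
-private_key:
-filename: "/service-certs/client.key"
+load_assignment:
+cluster_name: api_service
+endpoints:
+- lb_endpoints:
+- endpoint:
+address:
+socket_address:
+address: api-service
+port_value: 51200
+transport_socket:
+name: envoy.transport_sockets.tls
+typed_config:
+"@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext
+common_tls_context:
+tls_certificates:
+- certificate_chain:
+filename: "/service-certs/client.crt"
+private_key:
+filename: "/service-certs/client.key"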
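Review bot: `alpn_protocols: "h2,http/1.1"` in the new `DownstreamTlsContext` of the second hunk is not part of the API migration in this file, because the removed `tls_context` block had no ALPN setting. With this commit the dev listener starts advertising h2 and http/1.1 during the TLS handshake, which is a behaviour change the description does not mention. It is presumably meant to align dev with the base and prod listeners, which already carried the setting; a one-line comment above it such as `# ALPN added to match the base/prod listeners` would record that intent. The public/base copy of `proxy_envoy.yaml` gains the same line.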

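--- a/k8s/cloud/prod/proxy_envoy.yaml
+++ b/k8s/cloud/prod/proxy_envoy.yaml
@@ -15,10 +15,13 @@ data:
 filter_chains:
 - filters:
 - name: envoy.http_connection_manager
-config:
+typed_config:
+"@type": >
+type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
 access_log:
 - name: envoy.file_access_log
-config:
+typed_config:
+"@type": type.googleapis.com/envoy.extensions.access_loggers.file.v3.FileAccessLog
 path: "/dev/stdout"
 codec_type: auto
 stat_prefix: ingress_http
@@ -49,31 +52,48 @@ data:
 expose_headers: grpc-status,grpc-message,grpc-timeout
 allow_credentials: true
 http_filters:
-- name: envoy.grpc_web
-- name: envoy.cors
-- name: envoy.router
-tls_context:
-common_tls_context:
-alpn_protocols: "h2,http/1.1"
-tls_certificates:
-- certificate_chain:
-filename: "/certs/tls.crt"
-private_key:
-filename: "/certs/tls.key"
+- name: envoy.filters.http.grpc_web
+typed_config:
+"@type": type.googleapis.com/envoy.extensions.filters.http.grpc_web.v3.GrpcWeb
+- name: envoy.filters.http.cors
+typed_config:
+"@type": type.googleapis.com/envoy.extensions.filters.http.cors.v3.Cors
+- name: envoy.filters.http.router
+typed_config:
+"@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router
+transport_socket:
+name: envoy.transport_sockets.tls
+typed_config:
+"@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext
+common_tls_context:
+alpn_protocols: "h2,http/1.1"
+tls_certificates:
+- certificate_chain:
+filename: "/certs/tls.crt"
+private_key:
+filename: "/certs/tls.key"
 clusters:
 - name: api_service
 connect_timeout: 0.25s
 type: logical_dns
 http2_protocol_options: {}
 lb_policy: round_robin
-hosts:
-- socket_address:
-address: api-service
-port_value: 51200
-tls_context:
-common_tls_context:
-tls_certificates:
-- certificate_chain:
-filename: "/service-certs/client.crt"
-private_key:
-filename: "/service-certs/client.key"
+load_assignment:
+cluster_name: api_service
+endpoints:
+- lb_endpoints:
+- endpoint:
+address:
+socket_address:
+address: api-service
+port_value: 51200
+transport_socket:
+name: envoy.transport_sockets.tls
+typed_config:
+"@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext
+common_tls_context:
+tls_certificates:
+- certificate_chain:
+filename: "/service-certs/client.crt"
+private_key:
+filename: "/service-certs/client.key"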
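Review bot: The `"@type": >` line added for the HTTP connection manager in the first hunk uses a folded block scalar with default chomping, so the parsed value ends in a newline, unlike every other `"@type"` in this file, which is written inline. Whether Envoy's loader tolerates a trailing newline in a type URL is not visible from this page; writing `"@type": >-` or putting the URL on the same line as the other entries removes the question. The context lines `- name: envoy.http_connection_manager` and `- name: envoy.file_access_log` also keep their pre-v3 names while the HTTP filters in the second hunk moved to `envoy.filters.http.*`; renaming them to `envoy.filters.network.http_connection_manager` and `envoy.access_loggers.file` would keep the file consistent. Both points apply to the base, dev and public/base copies as well.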

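--- a/k8s/cloud/public/base/proxy_envoy.yaml
+++ b/k8s/cloud/public/base/proxy_envoy.yaml
@@ -20,10 +20,13 @@ data:
 filter_chains:
 - filters:
 - name: envoy.http_connection_manager
-config:
+typed_config:
+"@type": >
+type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
 access_log:
 - name: envoy.file_access_log
-config:
+typed_config:
+"@type": type.googleapis.com/envoy.extensions.access_loggers.file.v3.FileAccessLog
 path: "/dev/stdout"
 codec_type: auto
 stat_prefix: ingress_http
@@ -54,30 +57,48 @@ data:
 expose_headers: grpc-status,grpc-message,grpc-timeout
 allow_credentials: true
 http_filters:
-- name: envoy.grpc_web
-- name: envoy.cors
-- name: envoy.router
-tls_context:
-common_tls_context:
-tls_certificates:
-- certificate_chain:
-filename: "/certs/tls.crt"
-private_key:
-filename: "/certs/tls.key"
+- name: envoy.filters.http.grpc_web
+typed_config:
+"@type": type.googleapis.com/envoy.extensions.filters.http.grpc_web.v3.GrpcWeb
+- name: envoy.filters.http.cors
+typed_config:
+"@type": type.googleapis.com/envoy.extensions.filters.http.cors.v3.Cors
+- name: envoy.filters.http.router
+typed_config:
+"@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router
+transport_socket:
+name: envoy.transport_sockets.tls
+typed_config:
+"@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext
+common_tls_context:
+alpn_protocols: "h2,http/1.1"
+tls_certificates:
+- certificate_chain:
+filename: "/certs/tls.crt"
+private_key:
+filename: "/certs/tls.key"
 clusters:
 - name: api_service
 connect_timeout: 0.25s
 type: logical_dns
 http2_protocol_options: {}
 lb_policy: round_robin
-hosts:
-- socket_address:
-address: api-service
-port_value: 51200
-tls_context:
-common_tls_context:
-tls_certificates:
-- certificate_chain:
-filename: "/service-certs/client.crt"
-private_key:
-filename: "/service-certs/client.key"
+load_assignment:
+cluster_name: api_service
+endpoints:
+- lb_endpoints:
+- endpoint:
+address:
+socket_address:
+address: api-service
+port_value: 51200
+transport_socket:
+name: envoy.transport_sockets.tls
+typed_config:
+"@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext
+common_tls_context:
+tls_certificates:
+- certificate_chain:
+filename: "/service-certs/client.crt"
+private_key:
+filename: "/service-certs/client.key"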
