From 0525c821103ab6a9749b0b9a03a184d727aced9c Mon Sep 17 00:00:00 2001
From: Nathan Fudenberg
Date: Fri, 20 Dec 2024 09:14:47 -0500
Subject: [PATCH] [1.18] make: Bump envoy for recent cve release (#10518) (#10524)
Co-authored-by: Jenny Shu <28537278+jenshu@users.noreply.github.com>
---
 Makefile | 2 +-
 changelog/v1.18.2/envoy-cve.yaml | 11 +++++++++++
 .../templates/9-gateway-proxy-configmap.yaml | 3 +++
 install/test/fixtures.go | 16 ++++++++++++++++
 .../envoy_config/bootstrap_extensions.yaml | 3 +++
 .../envoy_config/custom_static_bootstrap.yaml | 3 +++
 .../fixtures/envoy_config/overload_manager.yaml | 3 +++
 .../fixtures/envoy_config/static_clusters.yaml | 3 +++
 .../fixtures/envoy_config/tcp_keepalive.yaml | 3 +++
 install/test/helm_test.go | 4 ++--
 .../templates/gateway/proxy-deployment.yaml | 7 +++++++
 test/services/envoy/bootstrap_builder.go | 4 ++++
 12 files changed, 59 insertions(+), 3 deletions(-)
 create mode 100644 changelog/v1.18.2/envoy-cve.yaml
diff --git a/Makefile b/Makefile
index dad067c6315..87cad29f4b9 100644
--- a/Makefile
+++ b/Makefile
@@ -54,7 +54,7 @@ SOURCES := $(shell find . -name "*.go" | grep -v test.go) # for more information, see https://github.com/solo-io/gloo/pull/9633 # and # https://soloio.slab.com/posts/extended-http-methods-design-doc-40j7pjeu -ENVOY_GLOO_IMAGE ?= quay.io/solo-io/envoy-gloo:1.31.2-patch3 +ENVOY_GLOO_IMAGE ?= quay.io/solo-io/envoy-gloo:1.31.5-patch1 LDFLAGS := "-X github.com/solo-io/gloo/pkg/version.Version=$(VERSION)" GCFLAGS ?=
diff --git a/changelog/v1.18.2/envoy-cve.yaml b/changelog/v1.18.2/envoy-cve.yaml
new file mode 100644
index 00000000000..a50ce7337cd
--- /dev/null
+++ b/changelog/v1.18.2/envoy-cve.yaml
@@ -0,0 +1,11 @@
+changelog:
+ - type: DEPENDENCY_BUMP
+ issueLink: https://github.com/solo-io/envoy-gloo-ee/issues/868
+ dependencyOwner: solo-io
+ dependencyRepo: envoy-gloo
+ dependencyTag: v1.31.5-patch1
+ resolvesIssue: false
+ description: >-
+ CVE-2024-53269: Happy Eyeballs: Validate that additional_address are IP addresses instead of crashing when sorting.
+ CVE-2024-53270: HTTP/1: sending overload crashes when the request is reset beforehand
+ CVE-2024-53271: HTTP/1.1 multiple issues with envoy.reloadable_features.http1_balsa_delay_reset
\ No newline at end of file
diff --git a/install/helm/gloo/templates/9-gateway-proxy-configmap.yaml b/install/helm/gloo/templates/9-gateway-proxy-configmap.yaml
index 58de5041989..801152c6de2 100644
--- a/install/helm/gloo/templates/9-gateway-proxy-configmap.yaml
+++ b/install/helm/gloo/templates/9-gateway-proxy-configmap.yaml
@@ -35,6 +35,9 @@ data: upstream: healthy_panic_threshold: value: {{ $spec.healthyPanicThreshold }} + envoy: # ON_LTS_UPDATE remove the reloadable feature block and this envoy block + reloadable_features: + check_switch_protocol_websocket_handshake: false - name: admin_layer admin_layer: {} node:
diff --git a/install/test/fixtures.go b/install/test/fixtures.go
index 14d98c560f2..6d4336be11e 100644
--- a/install/test/fixtures.go
+++ b/install/test/fixtures.go
@@ -1,5 +1,6 @@ package test +// ON_LTS_UPDATE remove the reloadable feature block var awsFmtString = ` layered_runtime: layers:
@@ -10,6 +11,9 @@ layered_runtime: upstream: healthy_panic_threshold: value: 50 + envoy: + reloadable_features: + check_switch_protocol_websocket_handshake: false - name: admin_layer admin_layer: {} node:
@@ -192,6 +196,9 @@ layered_runtime: upstream: healthy_panic_threshold: value: 50 + envoy: + reloadable_features: + check_switch_protocol_websocket_handshake: false - name: admin_layer admin_layer: {} node:
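Review bot: The added `check_switch_protocol_websocket_handshake: false` line switches off a newly introduced Envoy runtime guard, and the only comment on it (`# ON_LTS_UPDATE remove the reloadable feature block and this envoy block`) says when to remove it, not why it is needed, so a reader of this template cannot tell whether a WebSocket regression in envoy-gloo 1.31.5-patch1 or a deliberate compatibility choice is behind it. From the flag name this appears to disable Envoy's validation of the WebSocket 101 Switching Protocols response, i.e. it relaxes a protocol check rather than merely preserving existing behaviour, and if so that deserves to be said explicitly. I would extend the comment to something like `# Opts out of Envoy's WebSocket upgrade-response validation (default on since 1.31.5) because <reason>; tracked in <issue>; ON_LTS_UPDATE remove this envoy block`. The same flag with the same bare marker is added in install/test/fixtures.go (five places), the five install/test/fixtures/envoy_config/*.yaml files, projects/gateway2/helm/gloo-gateway/templates/gateway/proxy-deployment.yaml and test/services/envoy/bootstrap_builder.go, so one stated reason here plus a tracking issue would let the later removal be found by a single grep.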
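Review bot: The new `// ON_LTS_UPDATE remove the reloadable feature block` comment sits only above `awsFmtString`, yet the same three-line block is added to four more fixture strings in this file (the hunks at old lines 192, 335, 492 and 686), none of which carries the marker. Either repeat the marker at each insertion so a grep for ON_LTS_UPDATE finds every copy, or word the one comment to cover them all, e.g. `// ON_LTS_UPDATE remove the envoy.reloadable_features block from every fixture string in this file`. The `var awsFmtString` declaration continues past the end of the hunk.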
@@ -335,6 +342,9 @@ layered_runtime: upstream: healthy_panic_threshold: value: 50 + envoy: + reloadable_features: + check_switch_protocol_websocket_handshake: false - name: admin_layer admin_layer: {} node:
@@ -492,6 +502,9 @@ layered_runtime: upstream: healthy_panic_threshold: value: 50 + envoy: + reloadable_features: + check_switch_protocol_websocket_handshake: false - name: admin_layer admin_layer: {} node:
@@ -686,6 +699,9 @@ layered_runtime: upstream: healthy_panic_threshold: value: 50 + envoy: + reloadable_features: + check_switch_protocol_websocket_handshake: false - name: admin_layer admin_layer: {} node:
diff --git a/install/test/fixtures/envoy_config/bootstrap_extensions.yaml b/install/test/fixtures/envoy_config/bootstrap_extensions.yaml
index 625d5cc5d33..ffa43fc1014 100644
--- a/install/test/fixtures/envoy_config/bootstrap_extensions.yaml
+++ b/install/test/fixtures/envoy_config/bootstrap_extensions.yaml
@@ -7,6 +7,9 @@ layered_runtime: upstream: healthy_panic_threshold: value: 50 + envoy: + reloadable_features: + check_switch_protocol_websocket_handshake: false - name: admin_layer admin_layer: {} node:
diff --git a/install/test/fixtures/envoy_config/custom_static_bootstrap.yaml b/install/test/fixtures/envoy_config/custom_static_bootstrap.yaml
index 4d393b3547d..180c76314b6 100644
--- a/install/test/fixtures/envoy_config/custom_static_bootstrap.yaml
+++ b/install/test/fixtures/envoy_config/custom_static_bootstrap.yaml
@@ -9,6 +9,9 @@ layered_runtime: upstream: healthy_panic_threshold: value: 50 + envoy: + reloadable_features: + check_switch_protocol_websocket_handshake: false - name: admin_layer admin_layer: {} node:
diff --git a/install/test/fixtures/envoy_config/overload_manager.yaml b/install/test/fixtures/envoy_config/overload_manager.yaml
index 19943c9c394..b42f496e098 100644
--- a/install/test/fixtures/envoy_config/overload_manager.yaml
+++ b/install/test/fixtures/envoy_config/overload_manager.yaml
@@ -7,6 +7,9 @@ layered_runtime: upstream: healthy_panic_threshold: value: 50 + envoy: + reloadable_features: + check_switch_protocol_websocket_handshake: false - name: admin_layer admin_layer: {} node:
diff --git a/install/test/fixtures/envoy_config/static_clusters.yaml b/install/test/fixtures/envoy_config/static_clusters.yaml
index 84f11841526..0192b0ef181 100644
--- a/install/test/fixtures/envoy_config/static_clusters.yaml
+++ b/install/test/fixtures/envoy_config/static_clusters.yaml
@@ -7,6 +7,9 @@ layered_runtime: upstream: healthy_panic_threshold: value: 50 + envoy: + reloadable_features: + check_switch_protocol_websocket_handshake: false - name: admin_layer admin_layer: {} node:
diff --git a/install/test/fixtures/envoy_config/tcp_keepalive.yaml b/install/test/fixtures/envoy_config/tcp_keepalive.yaml
index 2c21259a9ed..52bea27bec3 100644
--- a/install/test/fixtures/envoy_config/tcp_keepalive.yaml
+++ b/install/test/fixtures/envoy_config/tcp_keepalive.yaml
@@ -7,6 +7,9 @@ layered_runtime: upstream: healthy_panic_threshold: value: 50 + envoy: + reloadable_features: + check_switch_protocol_websocket_handshake: false - name: admin_layer admin_layer: {} node:
diff --git a/install/test/helm_test.go b/install/test/helm_test.go
index f74d4db00de..7c528f395d7 100644
--- a/install/test/helm_test.go
+++ b/install/test/helm_test.go
@@ -2839,7 +2839,7 @@ spec: // This annotation was introduced to resolve https://github.com/solo-io/gloo/issues/8392 // It triggers a new rollout of the gateway proxy if the config map it uses changes // As of PR 8733, changing the values of the deployment spec doesn't change the gateway-proxy config map, so it is safe to hardcode the checksum in the tests - "checksum/gateway-proxy-envoy-config": "27068cd033014d38f6c77522484e957ab25fa1be34a900a1f5241b8f7d62f525", + "checksum/gateway-proxy-envoy-config": "655c76a411d3b9c6035c22ef4432e6a67140bd1c759eaeadd2e72009313a5503", } deploy.Spec.Template.Spec.Volumes = []corev1.Volume{{ Name: "envoy-config",
@@ -3661,7 +3661,7 @@ spec: }) // Since changing the value of gatewayProxies.gatewayProxy.readConfig changes the gateway-proxy-envoy-config configmap, we need to update the checksum on the deployment as well. // This also doubles as a check to validate that changes in the configmap change the checksum annotation on the deployment which will trigger a rollout. - gatewayProxyDeployment.Spec.Template.Annotations["checksum/gateway-proxy-envoy-config"] = "3e431b3dbb3fa7e31cedf9594474ad19e6ecc0e5a7bba59b99cf044d51546eaa" + gatewayProxyDeployment.Spec.Template.Annotations["checksum/gateway-proxy-envoy-config"] = "eed6c21fb5769def1b22999826a731539c0cbd2c1baef9139c0c52c86022ce7e" testManifest.ExpectDeploymentAppsV1(gatewayProxyDeployment) })
diff --git a/projects/gateway2/helm/gloo-gateway/templates/gateway/proxy-deployment.yaml b/projects/gateway2/helm/gloo-gateway/templates/gateway/proxy-deployment.yaml
index 54c55071971..3637bf647ff 100644
--- a/projects/gateway2/helm/gloo-gateway/templates/gateway/proxy-deployment.yaml
+++ b/projects/gateway2/helm/gloo-gateway/templates/gateway/proxy-deployment.yaml
@@ -419,6 +419,13 @@ data: admin: address: socket_address: { address: 127.0.0.1, port_value: 19000 } + layered_runtime: + layers: + - name: static_layer + static_layer: + envoy: # ON_LTS_UPDATE remove the reloadable feature block and this envoy block + reloadable_features: + check_switch_protocol_websocket_handshake: false node: cluster: {{ include "gloo-gateway.gateway.fullname" . }}.{{ .Release.Namespace }} metadata:
diff --git a/test/services/envoy/bootstrap_builder.go b/test/services/envoy/bootstrap_builder.go
index 90d29889cfc..0f27795b43e 100644
--- a/test/services/envoy/bootstrap_builder.go
+++ b/test/services/envoy/bootstrap_builder.go
@@ -43,6 +43,7 @@ func (fbb *fileBootstrapBuilder) Build(ei *Instance) string { return b.String() } +// ON_LTS_UPDATE remove the reloadable feature block const boostrapText = ` layered_runtime: layers:
@@ -51,6 +52,9 @@ layered_runtime: upstream: healthy_panic_threshold: value: 0 + envoy: + reloadable_features: + check_switch_protocol_websocket_handshake: false - name: admin_layer admin_layer: {} node:
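Review bot: The comment `# ON_LTS_UPDATE remove the reloadable feature block and this envoy block` is copied from the gloo gateway-proxy template, but in this bootstrap the whole `layered_runtime:` / `layers:` / `static_layer:` structure is new, so following the comment literally would leave an empty static layer behind. The marker should cover the entire added block, e.g. `layered_runtime: # ON_LTS_UPDATE this whole layered_runtime block exists only to carry the reloadable feature below; remove it together with the flag`. Unlike the gloo configmap, this block also defines no `admin_layer`, and Envoy only accepts runtime overrides through its admin endpoint when an admin layer is configured, so runtime values on this proxy become fixed at bootstrap; that may be intentional for gateway2, but it is a behaviour difference between the two proxies worth stating in the comment or the PR description.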