bump contour to latest patch (#992)
dprotaso authored Oct 24, 2023
1 parent 82798ba commit 5c5a007
Showing 20 changed files with 438 additions and 148 deletions.
32 changes: 26 additions & 6 deletions config/contour/external.yaml
Expand Up @@ -344,6 +344,16 @@ spec:
disableMergeSlashes:
description: "DisableMergeSlashes disables Envoy's non-standard merge_slashes path transformation option which strips duplicate slashes from request URL paths. \n Contour's default is false."
type: boolean
httpMaxConcurrentStreams:
description: Defines the value for SETTINGS_MAX_CONCURRENT_STREAMS Envoy will advertise in the SETTINGS frame in HTTP/2 connections and the limit for concurrent streams allowed for a peer on a single HTTP/2 connection. It is recommended to not set this lower than 100 but this field can be used to bound resource usage by HTTP/2 connections and mitigate attacks like CVE-2023-44487. The default value when this is not set is unlimited.
format: int32
minimum: 1
type: integer
maxRequestsPerIOCycle:
description: Defines the limit on number of HTTP requests that Envoy will process from a single connection in a single I/O cycle. Requests over this limit are processed in subsequent I/O cycles. Can be used as a mitigation for CVE-2023-44487 when abusive traffic is detected. Configures the http.max_requests_per_io_cycle Envoy runtime setting. The default value when this is not set is no limit.
format: int32
minimum: 1
type: integer
serverHeaderTransformation:
description: "Defines the action to be applied to the Server header on the response path. When configured as overwrite, overwrites any Server header with \"envoy\". When configured as append_if_absent, if a Server header is present, pass it through, otherwise set it to \"envoy\". When configured as pass_through, pass through the value of the Server header, and do not append a header if none is present. \n Values: `overwrite` (default), `append_if_absent`, `pass_through` \n Other values will produce an error. Contour's default is overwrite."
type: string
Expand Down Expand Up @@ -2259,6 +2269,16 @@ spec:
disableMergeSlashes:
description: "DisableMergeSlashes disables Envoy's non-standard merge_slashes path transformation option which strips duplicate slashes from request URL paths. \n Contour's default is false."
type: boolean
httpMaxConcurrentStreams:
description: Defines the value for SETTINGS_MAX_CONCURRENT_STREAMS Envoy will advertise in the SETTINGS frame in HTTP/2 connections and the limit for concurrent streams allowed for a peer on a single HTTP/2 connection. It is recommended to not set this lower than 100 but this field can be used to bound resource usage by HTTP/2 connections and mitigate attacks like CVE-2023-44487. The default value when this is not set is unlimited.
format: int32
minimum: 1
type: integer
maxRequestsPerIOCycle:
description: Defines the limit on number of HTTP requests that Envoy will process from a single connection in a single I/O cycle. Requests over this limit are processed in subsequent I/O cycles. Can be used as a mitigation for CVE-2023-44487 when abusive traffic is detected. Configures the http.max_requests_per_io_cycle Envoy runtime setting. The default value when this is not set is no limit.
format: int32
minimum: 1
type: integer
serverHeaderTransformation:
description: "Defines the action to be applied to the Server header on the response path. When configured as overwrite, overwrites any Server header with \"envoy\". When configured as append_if_absent, if a Server header is present, pass it through, otherwise set it to \"envoy\". When configured as pass_through, pass through the value of the Server header, and do not append a header if none is present. \n Values: `overwrite` (default), `append_if_absent`, `pass_through` \n Other values will produce an error. Contour's default is overwrite."
type: string
Expand Down Expand Up @@ -4975,7 +4995,7 @@ rules:
apiVersion: batch/v1
kind: Job
metadata:
name: contour-certgen-v1.25.0
name: contour-certgen-v1.25.3
namespace: contour-external
labels:
networking.knative.dev/ingress-provider: contour
Expand All @@ -4987,7 +5007,7 @@ spec:
spec:
containers:
- name: contour
image: ghcr.io/projectcontour/contour:v1.25.0
image: ghcr.io/projectcontour/contour:v1.25.3
imagePullPolicy: IfNotPresent
command:
- contour
Expand Down Expand Up @@ -5220,7 +5240,7 @@ spec:
- --config-path=/config/contour.yaml
command:
- contour
image: ghcr.io/projectcontour/contour:v1.25.0
image: ghcr.io/projectcontour/contour:v1.25.3
imagePullPolicy: IfNotPresent
name: contour
ports:
Expand Down Expand Up @@ -5309,7 +5329,7 @@ spec:
args:
- envoy
- shutdown-manager
image: ghcr.io/projectcontour/contour:v1.25.0
image: ghcr.io/projectcontour/contour:v1.25.3
imagePullPolicy: IfNotPresent
lifecycle:
preStop:
Expand Down Expand Up @@ -5337,7 +5357,7 @@ spec:
- --log-level info
command:
- envoy
image: docker.io/envoyproxy/envoy:v1.26.1
image: docker.io/envoyproxy/envoy:v1.26.6
imagePullPolicy: IfNotPresent
name: envoy
env:
Expand Down Expand Up @@ -5399,7 +5419,7 @@ spec:
- --envoy-key-file=/certs/tls.key
command:
- contour
image: ghcr.io/projectcontour/contour:v1.25.0
image: ghcr.io/projectcontour/contour:v1.25.3
imagePullPolicy: IfNotPresent
name: envoy-initconfig
volumeMounts:
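Review bot: The two listener fields added in both CRD hunks of this section, `httpMaxConcurrentStreams` and `maxRequestsPerIOCycle`, are documented as unlimited when unset, and nothing visible in the section sets either one, so after this bump the CVE-2023-44487 bounds are available but still opt-in. If the Contour configuration loaded through `--config-path=/config/contour.yaml` (its contents are outside these hunks) does not already set them, consider shipping the equivalent of `httpMaxConcurrentStreams: 100`, the floor the field description itself recommends, or at least a comment beside that configuration such as `# HTTP/2 stream and per-I/O-cycle request limits are unset (unlimited) by default; see CVE-2023-44487`. The identical CRD hunks in config/contour/internal.yaml have the same gap. Whether the bumped Envoy image mitigates the issue on its own cannot be confirmed from this page.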
32 changes: 26 additions & 6 deletions config/contour/internal.yaml
Expand Up @@ -344,6 +344,16 @@ spec:
disableMergeSlashes:
description: "DisableMergeSlashes disables Envoy's non-standard merge_slashes path transformation option which strips duplicate slashes from request URL paths. \n Contour's default is false."
type: boolean
httpMaxConcurrentStreams:
description: Defines the value for SETTINGS_MAX_CONCURRENT_STREAMS Envoy will advertise in the SETTINGS frame in HTTP/2 connections and the limit for concurrent streams allowed for a peer on a single HTTP/2 connection. It is recommended to not set this lower than 100 but this field can be used to bound resource usage by HTTP/2 connections and mitigate attacks like CVE-2023-44487. The default value when this is not set is unlimited.
format: int32
minimum: 1
type: integer
maxRequestsPerIOCycle:
description: Defines the limit on number of HTTP requests that Envoy will process from a single connection in a single I/O cycle. Requests over this limit are processed in subsequent I/O cycles. Can be used as a mitigation for CVE-2023-44487 when abusive traffic is detected. Configures the http.max_requests_per_io_cycle Envoy runtime setting. The default value when this is not set is no limit.
format: int32
minimum: 1
type: integer
serverHeaderTransformation:
description: "Defines the action to be applied to the Server header on the response path. When configured as overwrite, overwrites any Server header with \"envoy\". When configured as append_if_absent, if a Server header is present, pass it through, otherwise set it to \"envoy\". When configured as pass_through, pass through the value of the Server header, and do not append a header if none is present. \n Values: `overwrite` (default), `append_if_absent`, `pass_through` \n Other values will produce an error. Contour's default is overwrite."
type: string
Expand Down Expand Up @@ -2259,6 +2269,16 @@ spec:
disableMergeSlashes:
description: "DisableMergeSlashes disables Envoy's non-standard merge_slashes path transformation option which strips duplicate slashes from request URL paths. \n Contour's default is false."
type: boolean
httpMaxConcurrentStreams:
description: Defines the value for SETTINGS_MAX_CONCURRENT_STREAMS Envoy will advertise in the SETTINGS frame in HTTP/2 connections and the limit for concurrent streams allowed for a peer on a single HTTP/2 connection. It is recommended to not set this lower than 100 but this field can be used to bound resource usage by HTTP/2 connections and mitigate attacks like CVE-2023-44487. The default value when this is not set is unlimited.
format: int32
minimum: 1
type: integer
maxRequestsPerIOCycle:
description: Defines the limit on number of HTTP requests that Envoy will process from a single connection in a single I/O cycle. Requests over this limit are processed in subsequent I/O cycles. Can be used as a mitigation for CVE-2023-44487 when abusive traffic is detected. Configures the http.max_requests_per_io_cycle Envoy runtime setting. The default value when this is not set is no limit.
format: int32
minimum: 1
type: integer
serverHeaderTransformation:
description: "Defines the action to be applied to the Server header on the response path. When configured as overwrite, overwrites any Server header with \"envoy\". When configured as append_if_absent, if a Server header is present, pass it through, otherwise set it to \"envoy\". When configured as pass_through, pass through the value of the Server header, and do not append a header if none is present. \n Values: `overwrite` (default), `append_if_absent`, `pass_through` \n Other values will produce an error. Contour's default is overwrite."
type: string
Expand Down Expand Up @@ -4975,7 +4995,7 @@ rules:
apiVersion: batch/v1
kind: Job
metadata:
name: contour-certgen-v1.25.0
name: contour-certgen-v1.25.3
namespace: contour-internal
labels:
networking.knative.dev/ingress-provider: contour
Expand All @@ -4987,7 +5007,7 @@ spec:
spec:
containers:
- name: contour
image: ghcr.io/projectcontour/contour:v1.25.0
image: ghcr.io/projectcontour/contour:v1.25.3
imagePullPolicy: IfNotPresent
command:
- contour
Expand Down Expand Up @@ -5219,7 +5239,7 @@ spec:
- --config-path=/config/contour.yaml
command:
- contour
image: ghcr.io/projectcontour/contour:v1.25.0
image: ghcr.io/projectcontour/contour:v1.25.3
imagePullPolicy: IfNotPresent
name: contour
ports:
Expand Down Expand Up @@ -5308,7 +5328,7 @@ spec:
args:
- envoy
- shutdown-manager
image: ghcr.io/projectcontour/contour:v1.25.0
image: ghcr.io/projectcontour/contour:v1.25.3
imagePullPolicy: IfNotPresent
lifecycle:
preStop:
Expand Down Expand Up @@ -5336,7 +5356,7 @@ spec:
- --log-level info
command:
- envoy
image: docker.io/envoyproxy/envoy:v1.26.1
image: docker.io/envoyproxy/envoy:v1.26.6
imagePullPolicy: IfNotPresent
name: envoy
env:
Expand Down Expand Up @@ -5398,7 +5418,7 @@ spec:
- --envoy-key-file=/certs/tls.key
command:
- contour
image: ghcr.io/projectcontour/contour:v1.25.0
image: ghcr.io/projectcontour/contour:v1.25.3
imagePullPolicy: IfNotPresent
name: envoy-initconfig
volumeMounts:
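Review bot: The bumped `image:` lines still reference mutable tags (`ghcr.io/projectcontour/contour:v1.25.3`, `docker.io/envoyproxy/envoy:v1.26.6`) together with `imagePullPolicy: IfNotPresent`, so the bytes that actually run depend on what each tag resolved to when a node first pulled it. Because this bump is security-motivated, pinning by digest would make it reproducible and auditable, for example `image: docker.io/envoyproxy/envoy:v1.26.6@sha256:<digest-of-v1.26.6>` (placeholder; take the real digest from the registry). This applies to all five image hunks in this section and to the matching ones in config/contour/external.yaml.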
26 changes: 13 additions & 13 deletions go.mod
Expand Up @@ -14,11 +14,11 @@ replace (

require (
github.com/google/go-cmp v0.5.9
github.com/projectcontour/contour v1.25.0
github.com/projectcontour/contour v1.25.3
go.uber.org/zap v1.21.0
k8s.io/api v0.26.5
k8s.io/apimachinery v0.27.1
k8s.io/client-go v0.26.5
k8s.io/api v0.26.9
k8s.io/apimachinery v0.27.6
k8s.io/client-go v0.26.9
knative.dev/hack v0.0.0-20230712131415-ddae80293c43
knative.dev/networking v0.0.0-20231012062757-a5958051caf8
knative.dev/pkg v0.0.0-20231023150739-56bfe0dd9626
Expand Down Expand Up @@ -53,7 +53,7 @@ require (
github.com/gorilla/websocket v1.4.2 // indirect
github.com/grpc-ecosystem/grpc-gateway/v2 v2.11.3 // indirect
github.com/hashicorp/golang-lru v0.5.4 // indirect
github.com/imdario/mergo v0.3.15 // indirect
github.com/imdario/mergo v0.3.16 // indirect
github.com/josharian/intern v1.0.0 // indirect
github.com/json-iterator/go v1.1.12 // indirect
github.com/kelseyhightower/envconfig v1.4.0 // indirect
Expand All @@ -73,7 +73,7 @@ require (
github.com/spf13/pflag v1.0.5 // indirect
go.opencensus.io v0.24.0 // indirect
go.uber.org/atomic v1.9.0 // indirect
go.uber.org/automaxprocs v1.5.2 // indirect
go.uber.org/automaxprocs v1.5.3 // indirect
go.uber.org/multierr v1.8.0 // indirect
golang.org/x/mod v0.10.0 // indirect
golang.org/x/net v0.17.0 // indirect
Expand All @@ -83,23 +83,23 @@ require (
golang.org/x/term v0.13.0 // indirect
golang.org/x/text v0.13.0 // indirect
golang.org/x/time v0.3.0 // indirect
golang.org/x/tools v0.8.0 // indirect
golang.org/x/tools v0.9.3 // indirect
gomodules.xyz/jsonpatch/v2 v2.2.0 // indirect
google.golang.org/api v0.124.0 // indirect
google.golang.org/appengine v1.6.7 // indirect
google.golang.org/genproto v0.0.0-20230525234025-438c736192d0 // indirect
google.golang.org/genproto/googleapis/api v0.0.0-20230525234020-1aefcd67740a // indirect
google.golang.org/genproto v0.0.0-20230526203410-71b5a4ffd15e // indirect
google.golang.org/genproto/googleapis/api v0.0.0-20230526203410-71b5a4ffd15e // indirect
google.golang.org/genproto/googleapis/rpc v0.0.0-20230629202037-9506855d4529 // indirect
google.golang.org/grpc v1.56.1 // indirect
google.golang.org/grpc v1.56.3 // indirect
google.golang.org/protobuf v1.31.0 // indirect
gopkg.in/inf.v0 v0.9.1 // indirect
gopkg.in/yaml.v2 v2.4.0 // indirect
gopkg.in/yaml.v3 v3.0.1 // indirect
k8s.io/apiextensions-apiserver v0.26.5 // indirect
k8s.io/code-generator v0.26.5 // indirect
k8s.io/apiextensions-apiserver v0.26.9 // indirect
k8s.io/code-generator v0.26.9 // indirect
k8s.io/gengo v0.0.0-20221011193443-fad74ee6edd9 // indirect
k8s.io/klog/v2 v2.100.1 // indirect
k8s.io/kube-openapi v0.0.0-20230308215209-15aac26d736a // indirect
k8s.io/kube-openapi v0.0.0-20230501164219-8b0f38b5fd1f // indirect
k8s.io/utils v0.0.0-20230209194617-a36077c30491 // indirect
sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd // indirect
sigs.k8s.io/structured-merge-diff/v4 v4.2.3 // indirect