bump contour to latest patch version (#993)
dprotaso authored Oct 24, 2023
1 parent ad544ca commit 87f8628
Showing 3 changed files with 69 additions and 43 deletions.
55 changes: 34 additions & 21 deletions config/contour/external.yaml
Expand Up @@ -221,8 +221,7 @@ apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.11.2
creationTimestamp: null
controller-gen.kubebuilder.io/version: v0.11.4
name: contourconfigurations.projectcontour.io
labels:
networking.knative.dev/ingress-provider: contour
Expand Down Expand Up @@ -345,6 +344,16 @@ spec:
disableMergeSlashes:
description: "DisableMergeSlashes disables Envoy's non-standard merge_slashes path transformation option which strips duplicate slashes from request URL paths. \n Contour's default is false."
type: boolean
httpMaxConcurrentStreams:
description: Defines the value for SETTINGS_MAX_CONCURRENT_STREAMS Envoy will advertise in the SETTINGS frame in HTTP/2 connections and the limit for concurrent streams allowed for a peer on a single HTTP/2 connection. It is recommended to not set this lower than 100 but this field can be used to bound resource usage by HTTP/2 connections and mitigate attacks like CVE-2023-44487. The default value when this is not set is unlimited.
format: int32
minimum: 1
type: integer
maxRequestsPerIOCycle:
description: Defines the limit on number of HTTP requests that Envoy will process from a single connection in a single I/O cycle. Requests over this limit are processed in subsequent I/O cycles. Can be used as a mitigation for CVE-2023-44487 when abusive traffic is detected. Configures the http.max_requests_per_io_cycle Envoy runtime setting. The default value when this is not set is no limit.
format: int32
minimum: 1
type: integer
serverHeaderTransformation:
description: "Defines the action to be applied to the Server header on the response path. When configured as overwrite, overwrites any Server header with \"envoy\". When configured as append_if_absent, if a Server header is present, pass it through, otherwise set it to \"envoy\". When configured as pass_through, pass through the value of the Server header, and do not append a header if none is present. \n Values: `overwrite` (default), `append_if_absent`, `pass_through` \n Other values will produce an error. Contour's default is overwrite."
type: string
Expand Down Expand Up @@ -766,8 +775,7 @@ apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.11.2
creationTimestamp: null
controller-gen.kubebuilder.io/version: v0.11.4
name: contourdeployments.projectcontour.io
labels:
networking.knative.dev/ingress-provider: contour
Expand Down Expand Up @@ -883,7 +891,7 @@ spec:
description: 'Compute Resources required by contour container. Cannot be updated. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/'
properties:
claims:
description: "Claims lists the names of resources, defined in spec.resourceClaims, that are used by this container. \n This is an alpha field and requires enabling the DynamicResourceAllocation feature gate. \n This field is immutable."
description: "Claims lists the names of resources, defined in spec.resourceClaims, that are used by this container. \n This is an alpha field and requires enabling the DynamicResourceAllocation feature gate. \n This field is immutable. It can only be set for containers."
items:
description: ResourceClaim references one entry in PodSpec.ResourceClaims.
properties:
Expand Down Expand Up @@ -1317,7 +1325,7 @@ spec:
description: 'resources represents the minimum resources the volume should have. If RecoverVolumeExpansionFailure feature is enabled users are allowed to specify resource requirements that are lower than previous value but must still be higher than capacity recorded in the status field of the claim. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#resources'
properties:
claims:
description: "Claims lists the names of resources, defined in spec.resourceClaims, that are used by this container. \n This is an alpha field and requires enabling the DynamicResourceAllocation feature gate. \n This field is immutable."
description: "Claims lists the names of resources, defined in spec.resourceClaims, that are used by this container. \n This is an alpha field and requires enabling the DynamicResourceAllocation feature gate. \n This field is immutable. It can only be set for containers."
items:
description: ResourceClaim references one entry in PodSpec.ResourceClaims.
properties:
Expand Down Expand Up @@ -2022,7 +2030,7 @@ spec:
description: 'Compute Resources required by envoy container. Cannot be updated. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/'
properties:
claims:
description: "Claims lists the names of resources, defined in spec.resourceClaims, that are used by this container. \n This is an alpha field and requires enabling the DynamicResourceAllocation feature gate. \n This field is immutable."
description: "Claims lists the names of resources, defined in spec.resourceClaims, that are used by this container. \n This is an alpha field and requires enabling the DynamicResourceAllocation feature gate. \n This field is immutable. It can only be set for containers."
items:
description: ResourceClaim references one entry in PodSpec.ResourceClaims.
properties:
Expand Down Expand Up @@ -2158,6 +2166,16 @@ spec:
disableMergeSlashes:
description: "DisableMergeSlashes disables Envoy's non-standard merge_slashes path transformation option which strips duplicate slashes from request URL paths. \n Contour's default is false."
type: boolean
httpMaxConcurrentStreams:
description: Defines the value for SETTINGS_MAX_CONCURRENT_STREAMS Envoy will advertise in the SETTINGS frame in HTTP/2 connections and the limit for concurrent streams allowed for a peer on a single HTTP/2 connection. It is recommended to not set this lower than 100 but this field can be used to bound resource usage by HTTP/2 connections and mitigate attacks like CVE-2023-44487. The default value when this is not set is unlimited.
format: int32
minimum: 1
type: integer
maxRequestsPerIOCycle:
description: Defines the limit on number of HTTP requests that Envoy will process from a single connection in a single I/O cycle. Requests over this limit are processed in subsequent I/O cycles. Can be used as a mitigation for CVE-2023-44487 when abusive traffic is detected. Configures the http.max_requests_per_io_cycle Envoy runtime setting. The default value when this is not set is no limit.
format: int32
minimum: 1
type: integer
serverHeaderTransformation:
description: "Defines the action to be applied to the Server header on the response path. When configured as overwrite, overwrites any Server header with \"envoy\". When configured as append_if_absent, if a Server header is present, pass it through, otherwise set it to \"envoy\". When configured as pass_through, pass through the value of the Server header, and do not append a header if none is present. \n Values: `overwrite` (default), `append_if_absent`, `pass_through` \n Other values will produce an error. Contour's default is overwrite."
type: string
Expand Down Expand Up @@ -2510,8 +2528,7 @@ apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.11.2
creationTimestamp: null
controller-gen.kubebuilder.io/version: v0.11.4
name: extensionservices.projectcontour.io
labels:
networking.knative.dev/ingress-provider: contour
Expand Down Expand Up @@ -2776,8 +2793,7 @@ apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.11.2
creationTimestamp: null
controller-gen.kubebuilder.io/version: v0.11.4
name: httpproxies.projectcontour.io
labels:
networking.knative.dev/ingress-provider: contour
Expand Down Expand Up @@ -4379,8 +4395,7 @@ apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.11.2
creationTimestamp: null
controller-gen.kubebuilder.io/version: v0.11.4
name: tlscertificatedelegations.projectcontour.io
labels:
networking.knative.dev/ingress-provider: contour
Expand Down Expand Up @@ -4603,7 +4618,7 @@ rules:
apiVersion: batch/v1
kind: Job
metadata:
name: contour-certgen-v1.24.2
name: contour-certgen-v1.24.6
namespace: contour-external
labels:
networking.knative.dev/ingress-provider: contour
Expand All @@ -4615,7 +4630,7 @@ spec:
spec:
containers:
- name: contour
image: ghcr.io/projectcontour/contour:v1.24.2
image: ghcr.io/projectcontour/contour:v1.24.6
imagePullPolicy: IfNotPresent
command:
- contour
Expand Down Expand Up @@ -4659,7 +4674,6 @@ subjects:
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
creationTimestamp: null
name: knative-contour
labels:
networking.knative.dev/ingress-provider: contour
Expand Down Expand Up @@ -4737,7 +4751,6 @@ rules:
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
creationTimestamp: null
name: contour
namespace: contour-external
labels:
Expand Down Expand Up @@ -4848,7 +4861,7 @@ spec:
- --config-path=/config/contour.yaml
command:
- contour
image: ghcr.io/projectcontour/contour:v1.24.2
image: ghcr.io/projectcontour/contour:v1.24.6
imagePullPolicy: IfNotPresent
name: contour
ports:
Expand Down Expand Up @@ -4937,7 +4950,7 @@ spec:
args:
- envoy
- shutdown-manager
image: ghcr.io/projectcontour/contour:v1.24.2
image: ghcr.io/projectcontour/contour:v1.24.6
imagePullPolicy: IfNotPresent
lifecycle:
preStop:
Expand Down Expand Up @@ -4965,7 +4978,7 @@ spec:
- --log-level info
command:
- envoy
image: docker.io/envoyproxy/envoy:v1.25.2
image: docker.io/envoyproxy/envoy:v1.25.11
imagePullPolicy: IfNotPresent
name: envoy
env:
Expand Down Expand Up @@ -5027,7 +5040,7 @@ spec:
- --envoy-key-file=/certs/tls.key
command:
- contour
image: ghcr.io/projectcontour/contour:v1.24.2
image: ghcr.io/projectcontour/contour:v1.24.6
imagePullPolicy: IfNotPresent
name: envoy-initconfig
volumeMounts:
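Review bot: The two fields added to the ContourConfiguration and ContourDeployment CRD schemas (hunks at -345 and -2158), `httpMaxConcurrentStreams` and `maxRequestsPerIOCycle`, are opt-in: both descriptions state that the default when unset is unlimited, so this bump makes the CVE-2023-44487 knobs available without turning either on. Nothing in this section sets them, and the Contour configuration shipped alongside this manifest is outside the visible hunks, so whether a bound is applied elsewhere cannot be confirmed from here. If the deployment is meant to bound HTTP/2 resource usage, set an explicit value where that configuration is defined, for example `httpMaxConcurrentStreams: 100`, the floor the description itself recommends. Separately, the bumped images are still referenced by mutable tag (`ghcr.io/projectcontour/contour:v1.24.6`, `docker.io/envoyproxy/envoy:v1.25.11`) with `imagePullPolicy: IfNotPresent`; pinning them by digest would tie what runs on a node to what was reviewed here.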