Skip to content

Commit

Permalink
[release-1.7] Backport Envoy 1.15 fixes (#290)
Browse files Browse the repository at this point in the history
* docs: kick-off 1.15.1 release. (envoyproxy#12166)

Signed-off-by: Piotr Sikora <piotrsikora@google.com>

* tls: update BoringSSL-FIPS to 20190808. (envoyproxy#12170)

Signed-off-by: Piotr Sikora <piotrsikora@google.com>

* test: Exclude wasm_vm_test from CI by making it a "manual" test. (#207)

The wee v8 build times out in CI under --config=asan because the machine the job is scheduled on is too small.

Signed-off-by: Antonio Vicente <avd@google.com>

* [v1.15] http: header map security fixes for duplicate headers (#197) (#200)

Previously header matching did not match on all headers for
non-inline headers. This patch changes the default behavior to
always logically match on all headers. Multiple individual
headers will be logically concatenated with ',' similar to what
is done with inline headers. This makes the behavior effectively
consistent. This behavior can be temporary reverted by setting
the runtime value "envoy.reloadable_features.header_match_on_all_headers"
to "false".

Targeted fixes have been additionally performed on the following
extensions which make them consider all duplicate headers by default as
a comma concatenated list:
1) Any extension using CEL matching on headers.
2) The header to metadata filter.
3) The JWT filter.
4) The Lua filter.
Like primary header matching used in routing, RBAC, etc. this behavior
can be disabled by setting the runtime value
"envoy.reloadable_features.header_match_on_all_headers" to false.

Finally, the setCopy() header map API previously only set the first
header in the case of duplicate non-inline headers. setCopy() now
behaves similiarly to the other set*() APIs and replaces all found
headers with a single value. This may have had security implications
in the extauth filter which uses this API. This behavior can be disabled
by setting the runtime value
"envoy.reloadable_features.http_set_copy_replace_all_headers" to false.

Fixes https://github.com/envoyproxy/envoy-setec/issues/188

Signed-off-by: Matt Klein <mklein@lyft.com>

* backport to v1.15: Fix Kafka Repository Location (#223)

Update mirror used to fetch kafka dependency to a valid, working mirror.

Based on envoyproxy#13025
Resolves envoyproxy#13011

Signed-off-by: Antonio Vicente <avd@google.com>

* release: cutting 1.15.1 (#217)

Signed-off-by: Antonio Vicente <avd@google.com>

* docs: Fix release notes for v1.15.1 release. (envoyproxy#13318)

Signed-off-by: Antonio Vicente <avd@google.com>

* Backport flaky test and tsan fixes to releases/v1.15 branch (envoyproxy#13337)

* hds: fix integration test flakes (envoyproxy#12214)

Part of envoyproxy#12184

Signed-off-by: Matt Klein <mklein@lyft.com>
Signed-off-by: Antonio Vicente <avd@google.com>

* Switch to a tsan-instrumented libc++ for tsan tests (envoyproxy#12134)

This fixes envoyproxy#9784 and re-enables vhds_integration_test

Risk Level: Low, but will most likely increase memory usage

Signed-off-by: Dmitri Dolguikh <ddolguik@redhat.com>

Signed-off-by: Antonio Vicente <avd@google.com>

* test: shard hds_integration_test (envoyproxy#12482)

This should avoid TSAN timeout flakes.

Signed-off-by: Matt Klein <mklein@lyft.com>
Signed-off-by: Antonio Vicente <avd@google.com>

* test: shard http2_integration_test (envoyproxy#11939)

This should mitigate TSAN timeout.

Signed-off-by: Lizan Zhou <lizan@tetrate.io>
Signed-off-by: Antonio Vicente <avd@google.com>

* test: fix http2_integration_test flake (envoyproxy#12450)

Fixes envoyproxy#12442

Signed-off-by: Matt Klein <mklein@lyft.com>
Signed-off-by: Antonio Vicente <avd@google.com>

* Kick CI

Signed-off-by: Antonio Vicente <avd@google.com>

Co-authored-by: Matt Klein <mklein@lyft.com>
Co-authored-by: Dmitri Dolguikh <ddolguik@redhat.com>
Co-authored-by: Lizan Zhou <lizan@tetrate.io>

* docs: kick off v1.15.3-dev (envoyproxy#13695)

Signed-off-by: Christoph Pakulski <christoph@tetrate.io>

* 1.15: CI fixes backport (envoyproxy#13697)

Backport following commits to 1.15:
748b2ab (mac ci: try ignoring update failure (envoyproxy#13658), 2020-10-20)
f95f539 (ci: various improvements (envoyproxy#13660), 2020-10-20)
73d78f8 (ci: use multiple stage (envoyproxy#13557), 2020-10-15)
b7a4756 (ci: use azp for api and go-control-plane sync (envoyproxy#13550), 2020-10-14)
876a6bb (ci use azp to sync filter example (envoyproxy#13501), 2020-10-12)
a0f31ee (ci: use azp to generate docs (envoyproxy#13481), 2020-10-12)

Signed-off-by: Lizan Zhou <lizan@tetrate.io>
Co-authored-by: asraa <asraa@google.com>

* 1.15: fix CI script (envoyproxy#13724)

Signed-off-by: Lizan Zhou <lizan@tetrate.io>

* Prevent SEGFAULT when disabling listener (envoyproxy#13515) (envoyproxy#13903)

This prevents the stop_listening overload action from causing
segmentation faults that can occur if the action is enabled after the
listener has already shut down.

Signed-off-by: Alex Konradi <akonradi@google.com>
Signed-off-by: Christoph Pakulski <christoph@tetrate.io>

* proxy protocol: set downstreamRemoteAddress on StreamInfo (envoyproxy#14131) (envoyproxy#14169)

This fixes a regression which resulted in the downstreamRemoteAddress
on the StreamInfo for a connection not having the address supplied by
the proxy protocol filter, but instead having the address of the
directly connected peer.

This issue does not affect HTTP filters.

Fixes envoyproxy#14087

Signed-off-by: Greg Greenway <ggreenway@apple.com>
Signed-off-by: Christoph Pakulski <christoph@tetrate.io>

* ci: temproray disable vhds_integration_test in TSAN (envoyproxy#12067) (envoyproxy#14217)

Signed-off-by: Lizan Zhou <lizan@tetrate.io>

* tcmalloc changed and the data coming out of tcmalloc::MallocExtension::GetNumericProperty("generic.current_allocated_bytes") (envoyproxy#14165)

Commit Message: tcmalloc changed and the data coming out of tcmalloc::MallocExtension::GetNumericProperty("generic.current_allocated_bytes") no longer appears to be deterministic, even in unthreaded tests. So disable exact mem checks till we sort that out
Additional Description:
Risk Level: low
Testing: just thread_local_store_test
Docs Changes: n/a
Release Notes: n/a

no longer appears to be deterministic, even in unthreaded tests. So disable exact mem checks till we sort that out

Signed-off-by: Joshua Marantz <jmarantz@google.com>
Signed-off-by: Christoph Pakulski <christoph@tetrate.io>

Co-authored-by: Joshua Marantz <jmarantz@google.com>

* backport to v1.15: connection: Remember transport socket read resumption requests and replay them when re-enabling read. (envoyproxy#13772) (envoyproxy#14173)

* connection: Remember transport socket read resumption requests and replay them when re-enabling read. (envoyproxy#13772)

Fixes SslSocket read resumption after readDisable when processing the SSL record that contains the last bytes of the HTTP message

Signed-off-by: Antonio Vicente <avd@google.com>

* backport to 1.15: udp: properly handle truncated/dropped datagrams (envoyproxy#14122) (envoyproxy#14166)

Signed-off-by: Matt Klein <mklein@lyft.com>
Signed-off-by: Christoph Pakulski <christoph@tetrate.io>
Co-authored-by: Matt Klein <mklein@lyft.com>
Co-authored-by: Christoph Pakulski <christoph@tetrate.io>

* backport to 1.15: vrp: allow supervisord to open its log file (envoyproxy#14066) (envoyproxy#14280)

Commit Message: Allow supervisord to open its log file
Additional Description:
Change the default location of the log file and give supervisord
permissions to write to it.

Risk Level: low
Testing: built image locally
Docs Changes: n/a
Release Notes: n/a
Platform Specific Features: n/a

Signed-off-by: Alex Konradi <akonradi@google.com>
Signed-off-by: Christoph Pakulski <christoph@tetrate.io>

* rel 1.15: close release 1.15.3 (envoyproxy#14303)

Signed-off-by: Christoph Pakulski <christoph@tetrate.io>

* Kick off rel 1.15.4. (envoyproxy#14323)

Signed-off-by: Christoph Pakulski <christoph@tetrate.io>

* backport to 1.15: http: fix datadog and squash handling of responses without body (envoyproxy#13328) (envoyproxy#14458)

Commit Message: Fixing bugs in datadog and sqaush where unexpected bodyless responses would crash Envoy
Risk Level: low
Testing: new unit tests, updated certs
Docs Changes: n/a
Release Notes: inline
Signed-off-by: Christoph Pakulski <christoph@tetrate.io>
Co-authored-by: alyssawilk <alyssar@chromium.org>

* backport 1.15: http: fixing a bug with IPv6 hosts (envoyproxy#14273)

Fixing a bug where HTTP parser offsets for IPv6 hosts did not include [] and Envoy assumed it did.
This results in mis-parsing addresses for IPv6 CONNECT requests and IPv6 hosts in fully URLs over HTTP/1.1

Risk Level: low
Testing: new unit, integration tests
Docs Changes: n/a
Release Notes: inline

Signed-off-by: Shikugawa <rei@tetrate.io>
Co-authored-by: alyssawilk <alyssar@chromium.org>

* backport to 1.15: tls: fix detection of the upstream connection close event. (envoyproxy#13858) (envoyproxy#14568)

Fixes envoyproxy#13856.

Signed-off-by: Piotr Sikora <piotrsikora@google.com>
Signed-off-by: Christoph Pakulski <christoph@tetrate.io>

Co-authored-by: Piotr Sikora <piotrsikora@google.com>
Co-authored-by: antonio <avd@google.com>
Co-authored-by: Matt Klein <mklein@lyft.com>
Co-authored-by: Dmitri Dolguikh <ddolguik@redhat.com>
Co-authored-by: Lizan Zhou <lizan@tetrate.io>
Co-authored-by: Christoph Pakulski <christoph@tetrate.io>
Co-authored-by: asraa <asraa@google.com>
Co-authored-by: Joshua Marantz <jmarantz@google.com>
Co-authored-by: Rei Shimizu <Shikugawa@gmail.com>
Co-authored-by: alyssawilk <alyssar@chromium.org>
  • Loading branch information
11 people authored Jan 8, 2021
1 parent 5ff81dd commit a0eff54
Show file tree
Hide file tree
Showing 159 changed files with 3,103 additions and 1,992 deletions.
442 changes: 279 additions & 163 deletions .azure-pipelines/pipelines.yml

Large diffs are not rendered by default.

10 changes: 10 additions & 0 deletions .bazelrc
Original file line number Diff line number Diff line change
Expand Up @@ -81,6 +81,8 @@ build:clang-tsan --define ENVOY_CONFIG_TSAN=1
build:clang-tsan --copt -fsanitize=thread
build:clang-tsan --linkopt -fsanitize=thread
build:clang-tsan --linkopt -fuse-ld=lld
build:clang-tsan --build_tag_filters=-no_san,-no_tsan
build:clang-tsan --test_tag_filters=-no_san,-no_tsan
# Needed due to https://github.com/libevent/libevent/issues/777
build:clang-tsan --copt -DEVENT__DISABLE_DEBUG_MODE

Expand Down Expand Up @@ -155,6 +157,10 @@ build:rbe-toolchain-msan --linkopt=-L/opt/libcxx_msan/lib
build:rbe-toolchain-msan --linkopt=-Wl,-rpath,/opt/libcxx_msan/lib
build:rbe-toolchain-msan --config=clang-msan

build:rbe-toolchain-tsan --linkopt=-L/opt/libcxx_tsan/lib
build:rbe-toolchain-tsan --linkopt=-Wl,-rpath,/opt/libcxx_tsan/lib
build:rbe-toolchain-tsan --config=clang-tsan

build:rbe-toolchain-gcc --config=rbe-toolchain
build:rbe-toolchain-gcc --crosstool_top=@rbe_ubuntu_gcc//cc:toolchain
build:rbe-toolchain-gcc --extra_toolchains=@rbe_ubuntu_gcc//config:cc-toolchain
Expand Down Expand Up @@ -221,6 +227,10 @@ build:docker-msan --config=docker-sandbox
build:docker-msan --config=rbe-toolchain-clang-libc++
build:docker-msan --config=rbe-toolchain-msan

build:docker-tsan --config=docker-sandbox
build:docker-tsan --config=rbe-toolchain-clang-libc++
build:docker-tsan --config=rbe-toolchain-tsan

# CI configurations
build:remote-ci --remote_cache=grpcs://remotebuildexecution.googleapis.com
build:remote-ci --remote_executor=grpcs://remotebuildexecution.googleapis.com
Expand Down
2 changes: 1 addition & 1 deletion VERSION
Original file line number Diff line number Diff line change
@@ -1 +1 @@
1.15.1-dev
1.15.4-dev
2 changes: 1 addition & 1 deletion bazel/repository_locations.bzl
Original file line number Diff line number Diff line change
Expand Up @@ -478,7 +478,7 @@ DEPENDENCY_REPOSITORIES = dict(
kafka_server_binary = dict(
sha256 = "b9582bab0c3e8d131953b1afa72d6885ca1caae0061c2623071e7f396f2ccfee",
strip_prefix = "kafka_2.12-2.4.0",
urls = ["http://us.mirrors.quenda.co/apache/kafka/2.4.0/kafka_2.12-2.4.0.tgz"],
urls = ["https://mirrors.gigenet.com/apache/kafka/2.4.0/kafka_2.12-2.4.0.tgz"],
use_category = ["test"],
),
kafka_python_client = dict(
Expand Down
3 changes: 3 additions & 0 deletions ci/Dockerfile-envoy-google-vrp
Original file line number Diff line number Diff line change
Expand Up @@ -15,6 +15,9 @@ ADD configs/google-vrp/supervisor.conf /etc/supervisor.conf
ADD test/config/integration/certs/serverkey.pem /etc/envoy/certs/serverkey.pem
ADD test/config/integration/certs/servercert.pem /etc/envoy/certs/servercert.pem
# ADD %local envoy bin% /usr/local/bin/envoy
RUN chmod 777 /var/log/supervisor
RUN chmod a+r /etc/supervisor.conf /etc/envoy/* /etc/envoy/certs/*
RUN chmod a+rx /usr/local/bin/launch_envoy.sh

EXPOSE 10000
EXPOSE 10001
Expand Down
13 changes: 6 additions & 7 deletions ci/api_mirror.sh
Original file line number Diff line number Diff line change
Expand Up @@ -3,16 +3,15 @@
set -e

CHECKOUT_DIR=../data-plane-api
MAIN_BRANCH="refs/heads/master"
API_MAIN_BRANCH="master"

if [ -z "$CIRCLE_PULL_REQUEST" ] && [ "$CIRCLE_BRANCH" == "master" ]
then
if [[ "${AZP_BRANCH}" == "${MAIN_BRANCH}" ]]; then
echo "Cloning..."
git clone git@github.com:envoyproxy/data-plane-api "$CHECKOUT_DIR"
git clone git@github.com:envoyproxy/data-plane-api "$CHECKOUT_DIR" -b "${API_MAIN_BRANCH}"

git -C "$CHECKOUT_DIR" config user.name "data-plane-api(CircleCI)"
git -C "$CHECKOUT_DIR" config user.name "data-plane-api(Azure Pipelines)"
git -C "$CHECKOUT_DIR" config user.email data-plane-api@users.noreply.github.com
git -C "$CHECKOUT_DIR" fetch
git -C "$CHECKOUT_DIR" checkout -B master origin/master

# Determine last envoyproxy/envoy SHA in envoyproxy/data-plane-api
MIRROR_MSG="Mirrored from https://github.com/envoyproxy/envoy"
Expand Down Expand Up @@ -40,6 +39,6 @@ then
done

echo "Pushing..."
git -C "$CHECKOUT_DIR" push origin master
git -C "$CHECKOUT_DIR" push origin "${API_MAIN_BRANCH}"
echo "Done"
fi
17 changes: 15 additions & 2 deletions ci/do_ci.sh
Original file line number Diff line number Diff line change
Expand Up @@ -164,7 +164,13 @@ elif [[ "$CI_TARGET" == "bazel.tsan" ]]; then
setup_clang_toolchain
echo "bazel TSAN debug build with tests"
echo "Building and testing envoy tests ${TEST_TARGETS}"
bazel_with_collection test ${BAZEL_BUILD_OPTIONS} -c dbg --config=clang-tsan --build_tests_only ${TEST_TARGETS}
bazel_with_collection test --config=rbe-toolchain-tsan ${BAZEL_BUILD_OPTIONS} -c dbg --build_tests_only ${TEST_TARGETS}
if [ "${ENVOY_BUILD_FILTER_EXAMPLE}" == "1" ]; then
echo "Building and testing envoy-filter-example tests..."
pushd "${ENVOY_FILTER_EXAMPLE_SRCDIR}"
bazel_with_collection test ${BAZEL_BUILD_OPTIONS} -c dbg --config=clang-tsan ${ENVOY_FILTER_EXAMPLE_TESTS}
popd
fi
exit 0
elif [[ "$CI_TARGET" == "bazel.msan" ]]; then
ENVOY_STDLIB=libc++
Expand Down Expand Up @@ -219,9 +225,16 @@ elif [[ "$CI_TARGET" == "bazel.compile_time_options" ]]; then

exit 0
elif [[ "$CI_TARGET" == "bazel.api" ]]; then
# Use libstdc++ because the API booster links to prebuilt libclang*/libLLVM* installed in /opt/llvm/lib,
# which is built with libstdc++. Using libstdc++ for whole of the API CI job to avoid unnecessary rebuild.
ENVOY_STDLIB="libstdc++"
setup_clang_toolchain
export LLVM_CONFIG="${LLVM_ROOT}"/bin/llvm-config
echo "Validating API structure..."
./tools/api/validate_structure.py
echo "Testing API and API Boosting..."
bazel_with_collection test "${BAZEL_BUILD_OPTIONS[@]}" -c fastbuild @envoy_api_canonical//test/... @envoy_api_canonical//tools/... \
@envoy_api_canonical//tools:tap2pcap_test @envoy_dev//clang_tools/api_booster/...
echo "Building API..."
bazel build ${BAZEL_BUILD_OPTIONS} -c fastbuild @envoy_api_canonical//envoy/...
echo "Testing API..."
Expand All @@ -231,7 +244,7 @@ elif [[ "$CI_TARGET" == "bazel.api" ]]; then
bazel_with_collection test ${BAZEL_BUILD_OPTIONS} -c fastbuild @envoy_dev//clang_tools/api_booster/...
echo "Testing API boosting (golden C++ tests)..."
# We use custom BAZEL_BUILD_OPTIONS here; the API booster isn't capable of working with libc++ yet.
LLVM_CONFIG="${LLVM_ROOT}"/bin/llvm-config BAZEL_BUILD_OPTIONS="--config=clang" python3.8 ./tools/api_boost/api_boost_test.py
BAZEL_BUILD_OPTIONS="${BAZEL_BUILD_OPTIONS[*]}" python3.8 ./tools/api_boost/api_boost_test.py
exit 0
elif [[ "$CI_TARGET" == "bazel.coverage" ]]; then
setup_clang_toolchain
Expand Down
13 changes: 6 additions & 7 deletions ci/filter_example_mirror.sh
Original file line number Diff line number Diff line change
Expand Up @@ -4,16 +4,15 @@ set -e

ENVOY_SRCDIR=$(cd "$(dirname "${BASH_SOURCE[0]}")/../" && pwd)
CHECKOUT_DIR=../envoy-filter-example
MAIN_BRANCH="refs/heads/master"
FILTER_EXAMPLE_MAIN_BRANCH="master"

if [ -z "$CIRCLE_PULL_REQUEST" ] && [ "$CIRCLE_BRANCH" == "master" ]
then
if [[ "${AZP_BRANCH}" == "${MAIN_BRANCH}" ]]; then
echo "Cloning..."
git clone git@github.com:envoyproxy/envoy-filter-example "$CHECKOUT_DIR"
git clone git@github.com:envoyproxy/envoy-filter-example "$CHECKOUT_DIR" -b "${FILTER_EXAMPLE_MAIN_BRANCH}"

git -C "$CHECKOUT_DIR" config user.name "envoy-filter-example(CircleCI)"
git -C "$CHECKOUT_DIR" config user.name "envoy-filter-example(Azure Pipelines)"
git -C "$CHECKOUT_DIR" config user.email envoy-filter-example@users.noreply.github.com
git -C "$CHECKOUT_DIR" fetch
git -C "$CHECKOUT_DIR" checkout -B master origin/master

echo "Updating Submodule..."
# Update submodule to latest Envoy SHA
Expand All @@ -26,6 +25,6 @@ then

echo "Committing, and Pushing..."
git -C "$CHECKOUT_DIR" commit -a -m "Update Envoy submodule to $ENVOY_SHA"
git -C "$CHECKOUT_DIR" push origin master
git -C "$CHECKOUT_DIR" push origin "${FILTER_EXAMPLE_MAIN_BRANCH}"
echo "Done"
fi
10 changes: 7 additions & 3 deletions ci/go_mirror.sh
Original file line number Diff line number Diff line change
Expand Up @@ -2,7 +2,11 @@

set -e

if [ -z "$CIRCLE_PULL_REQUEST" ] && [ "$CIRCLE_BRANCH" == "master" ]
then
tools/api/generate_go_protobuf.py
MAIN_BRANCH="refs/heads/master"

# shellcheck source=ci/setup_cache.sh
. "$(dirname "$0")"/setup_cache.sh

if [[ "${AZP_BRANCH}" == "${MAIN_BRANCH}" ]]; then
BAZEL_BUILD_OPTIONS="${BAZEL_BUILD_EXTRA_OPTIONS}" tools/api/generate_go_protobuf.py
fi
20 changes: 17 additions & 3 deletions ci/mac_ci_setup.sh
Original file line number Diff line number Diff line change
Expand Up @@ -20,9 +20,23 @@ function install {
fi
}

if ! brew update; then
echo "Failed to update homebrew"
exit 1
function retry () {
local returns=1 i=1
while ((i<=HOMEBREW_RETRY_ATTEMPTS)); do
if "$@"; then
returns=0
break
else
sleep "$HOMEBREW_RETRY_INTERVAL";
((i++))
fi
done
return "$returns"
}

if ! retry brew update; then
# Do not exit early if update fails.
echo "Failed to update homebrew"
fi

DEPS="automake cmake coreutils go libtool wget ninja"
Expand Down
2 changes: 2 additions & 0 deletions ci/run_envoy_docker.sh
Original file line number Diff line number Diff line change
Expand Up @@ -18,13 +18,15 @@ USER_GROUP=root

[[ -t 1 ]] && ENVOY_DOCKER_OPTIONS+=" -it"
[[ -f .git ]] && [[ ! -d .git ]] && ENVOY_DOCKER_OPTIONS+=" -v $(git rev-parse --git-common-dir):$(git rev-parse --git-common-dir)"
[[ -n "${SSH_AUTH_SOCK}" ]] && ENVOY_DOCKER_OPTIONS+=" -v ${SSH_AUTH_SOCK}:${SSH_AUTH_SOCK} -e SSH_AUTH_SOCK"

export ENVOY_BUILD_IMAGE="${IMAGE_NAME}:${IMAGE_ID}"

mkdir -p "${ENVOY_DOCKER_BUILD_DIR}"
# Since we specify an explicit hash, docker-run will pull from the remote repo if missing.
docker run --rm ${ENVOY_DOCKER_OPTIONS} -e HTTP_PROXY=${http_proxy} -e HTTPS_PROXY=${https_proxy} -e NO_PROXY=${no_proxy} \
-u "${USER}":"${USER_GROUP}" -v "${ENVOY_DOCKER_BUILD_DIR}":/build -v /var/run/docker.sock:/var/run/docker.sock \
-e AZP_BRANCH \
-e BAZEL_BUILD_EXTRA_OPTIONS -e BAZEL_EXTRA_TEST_OPTIONS -e BAZEL_REMOTE_CACHE -e ENVOY_STDLIB -e BUILD_REASON \
-e BAZEL_REMOTE_INSTANCE -e GCP_SERVICE_ACCOUNT_KEY -e NUM_CPUS -e ENVOY_RBE -e FUZZIT_API_KEY -e ENVOY_BUILD_IMAGE \
-e ENVOY_SRCDIR -e ENVOY_BUILD_TARGET -e SYSTEM_PULLREQUEST_TARGETBRANCH -e SYSTEM_PULLREQUEST_PULLREQUESTNUMBER \
Expand Down
1 change: 1 addition & 0 deletions configs/google-vrp/supervisor.conf
Original file line number Diff line number Diff line change
@@ -1,5 +1,6 @@
[supervisord]
nodaemon=true
logfile=/var/log/supervisor/supervisord.log

[program:envoy-edge]
command=launch_envoy.sh -c /etc/envoy/envoy-edge.yaml %(ENV_ENVOY_EDGE_EXTRA_ARGS)s
Expand Down
17 changes: 11 additions & 6 deletions docs/build.sh
Original file line number Diff line number Diff line change
Expand Up @@ -4,25 +4,30 @@

set -e

RELEASE_TAG_REGEX="^refs/tags/v.*"

if [[ "${AZP_BRANCH}" =~ ${RELEASE_TAG_REGEX} ]]; then
DOCS_TAG="${AZP_BRANCH/refs\/tags\//}"
fi

# We need to set ENVOY_DOCS_VERSION_STRING and ENVOY_DOCS_RELEASE_LEVEL for Sphinx.
# We also validate that the tag and version match at this point if needed.
if [ -n "$CIRCLE_TAG" ]
then
if [[ -n "${DOCS_TAG}" ]]; then
# Check the git tag matches the version number in the VERSION file.
VERSION_NUMBER=$(cat VERSION)
if [ "v${VERSION_NUMBER}" != "${CIRCLE_TAG}" ]; then
if [[ "v${VERSION_NUMBER}" != "${DOCS_TAG}" ]]; then
echo "Given git tag does not match the VERSION file content:"
echo "${CIRCLE_TAG} vs $(cat VERSION)"
echo "${DOCS_TAG} vs $(cat VERSION)"
exit 1
fi
# Check the version_history.rst contains current release version.
grep --fixed-strings "$VERSION_NUMBER" docs/root/version_history/current.rst \
|| (echo "Git tag not found in version_history/current.rst" && exit 1)

# Now that we know there is a match, we can use the tag.
export ENVOY_DOCS_VERSION_STRING="tag-$CIRCLE_TAG"
export ENVOY_DOCS_VERSION_STRING="tag-${DOCS_TAG}"
export ENVOY_DOCS_RELEASE_LEVEL=tagged
export ENVOY_BLOB_SHA="$CIRCLE_TAG"
export ENVOY_BLOB_SHA="${DOCS_TAG}"
else
BUILD_SHA=$(git rev-parse HEAD)
VERSION_NUM=$(cat VERSION)
Expand Down
37 changes: 19 additions & 18 deletions docs/publish.sh
Original file line number Diff line number Diff line change
Expand Up @@ -10,35 +10,36 @@
set -e

DOCS_DIR=generated/docs
CHECKOUT_DIR=../envoy-docs
BUILD_SHA=`git rev-parse HEAD`

if [ -n "$CIRCLE_TAG" ]
then
PUBLISH_DIR="$CHECKOUT_DIR"/docs/envoy/"$CIRCLE_TAG"
elif [ -z "$CIRCLE_PULL_REQUEST" ] && [ "$CIRCLE_BRANCH" == "master" ]
then
PUBLISH_DIR="$CHECKOUT_DIR"/docs/envoy/latest
CHECKOUT_DIR=envoy-docs
BUILD_SHA=$(git rev-parse HEAD)

MAIN_BRANCH="refs/heads/master"
RELEASE_TAG_REGEX="^refs/tags/v.*"

if [[ "${AZP_BRANCH}" =~ ${RELEASE_TAG_REGEX} ]]; then
PUBLISH_DIR="${CHECKOUT_DIR}"/docs/envoy/"${AZP_BRANCH/refs\/tags\//}"
elif [[ "$AZP_BRANCH" == "${MAIN_BRANCH}" ]]; then
PUBLISH_DIR="${CHECKOUT_DIR}"/docs/envoy/latest
else
echo "Ignoring docs push"
exit 0
fi

DOCS_MAIN_BRANCH="master"

echo 'cloning'
git clone git@github.com:envoyproxy/envoyproxy.github.io "$CHECKOUT_DIR"
git clone git@github.com:envoyproxy/envoyproxy.github.io "${CHECKOUT_DIR}" -b "${DOCS_MAIN_BRANCH}" --depth 1

git -C "$CHECKOUT_DIR" fetch
git -C "$CHECKOUT_DIR" checkout -B master origin/master
rm -fr "$PUBLISH_DIR"
mkdir -p "$PUBLISH_DIR"
cp -r "$DOCS_DIR"/* "$PUBLISH_DIR"
cd "$CHECKOUT_DIR"
cd "${CHECKOUT_DIR}"

git config user.name "envoy-docs(travis)"
git config user.name "envoy-docs(Azure Pipelines)"
git config user.email envoy-docs@users.noreply.github.com
echo 'add'

set -x

git add .
echo 'commit'
git commit -m "docs envoy@$BUILD_SHA"
echo 'push'
git push origin master
git push origin "${DOCS_MAIN_BRANCH}"
9 changes: 9 additions & 0 deletions docs/root/version_history/current.rst
Original file line number Diff line number Diff line change
@@ -1,2 +1,11 @@
1.15.1 (Pending)
================
1.15.4 (Pending)
================

Changes
-------

* http: fixed URL parsing for HTTP/1.1 fully qualified URLs and connect requests containing IPv6 addresses.
* http: fixed bugs in datadog and squash filter's handling of responses with no bodies.
* tls: fix detection of the upstream connection close event.
12 changes: 6 additions & 6 deletions docs/root/version_history/v1.15.1.rst
Original file line number Diff line number Diff line change
@@ -1,13 +1,13 @@
1.15.1 (TBD)
============
1.15.1 (September 29, 2020)
===========================

Changes
-------
* http: fixed CVE-2020-25017. Previously header matching did not match on all headers for non-inline
headers. This patch changes the default behavior to always logically match on all headers.
Multiple individual headers will be logically concatenated with ',' similar to what is done with
inline headers. This makes the behavior effectively consistent. This behavior can be temporary
reverted by setting the runtime value "envoy.reloadable_features.header_match_on_all_headers" to
reverted by setting the runtime value `envoy.reloadable_features.header_match_on_all_headers` to
"false".

Targeted fixes have been additionally performed on the following extensions which make them
Expand All @@ -19,9 +19,9 @@ Changes
4. The Lua filter.

Like primary header matching used in routing, RBAC, etc. this behavior can be disabled by setting
the runtime value "envoy.reloadable_features.header_match_on_all_headers" to false.
* http: The setCopy() header map API previously only set the first header in the case of duplicate
the runtime value `envoy.reloadable_features.header_match_on_all_headers` to false.
* http: the setCopy() header map API previously only set the first header in the case of duplicate
non-inline headers. setCopy() now behaves similarly to the other set*() APIs and replaces all found
headers with a single value. This may have had security implications in the extauth filter which
uses this API. This behavior can be disabled by setting the runtime value
"envoy.reloadable_features.http_set_copy_replace_all_headers" to false.
`envoy.reloadable_features.http_set_copy_replace_all_headers` to false.
6 changes: 6 additions & 0 deletions docs/root/version_history/v1.15.2.rst
Original file line number Diff line number Diff line change
@@ -0,0 +1,6 @@
1.15.2 (September 29, 2020)
===========================

Changes
-------
* docs: fix docs for v1.15.1.
10 changes: 10 additions & 0 deletions docs/root/version_history/v1.15.3.rst
Original file line number Diff line number Diff line change
@@ -0,0 +1,10 @@
1.15.3 (December 7, 2020)
=========================

Changes
-------
* listener: fix crash when disabling or re-enabling listeners due to overload while processing LDS updates.
* proxy_proto: fixed a bug where network filters would not have the correct downstreamRemoteAddress() when accessed from the StreamInfo. This could result in incorrect enforcement of RBAC rules in the RBAC network filter (but not in the RBAC HTTP filter), or incorrect access log addresses from tcp_proxy.
* tls: fix read resumption after triggering buffer high-watermark and all remaining request/response bytes are stored in the SSL connection's internal buffers.
* udp: fixed issue in which receiving truncated UDP datagrams would cause Envoy to crash.
* vrp: allow supervisord to open its log file.
2 changes: 2 additions & 0 deletions docs/root/version_history/version_history.rst
Original file line number Diff line number Diff line change
Expand Up @@ -7,6 +7,8 @@ Version history
:titlesonly:

current
v1.15.3
v1.15.2
v1.15.1
v1.15.0
v1.14.3
Expand Down
3 changes: 3 additions & 0 deletions include/envoy/network/io_handle.h
Original file line number Diff line number Diff line change
Expand Up @@ -85,6 +85,9 @@ class IoHandle {
Address::InstanceConstSharedPtr peer_address_;
// The payload length of this packet.
unsigned int msg_len_{0};
// If true indicates a successful syscall, but the packet was dropped due to truncation. We do
// not support receiving truncated packets.
bool truncated_and_dropped_{false};
};

/**
Expand Down
Loading

0 comments on commit a0eff54

Please sign in to comment.