envoy: update to latest version and fix typed proto usage #4834
- Updates Envoy to its latest available version (v1.22.2 for Linux, v1.22.1 for Windows). The latest version includes the latest released security fix. We could not update Envoy previously due to a blocking bug: envoyproxy/envoy#20113
- Updates filter names to custom names as wellknown names are deprecated in Envoy (with 1 exception for the http.rbac filter). Envoy will use the TypeURL in the proto to determine which filter to use instead. Wellknown names are not required and using them is confusing because not all filters are defined in the legacy wellknown pkg (e.g. http.local_ratelimit). See: envoyproxy/envoy#21759 envoyproxy/envoy#21763 envoyproxy/go-control-plane#293 envoyproxy/go-control-plane#552
- Uses the distroless image as the alpine image has been discontinued: envoyproxy/envoy#21758
- Updates tests to use custom filter names
- Adds `proto_types.go` to aid dynamic proto resolution for typed configs using `any.Any()`. This helps resolve protos where dynamic resolution is necessary.
- Updated Prometheus' ConfigMap to reflect changes to Envoy metrics prefixes

Signed-off-by: Shashank Ram <shashr2204@gmail.com>
The distroless envoy image scares me a bit; I understand Envoy dropped support for alpine (which is kind of shocking to me tbh), but I wonder about users looking to debug their envoy sidecars who now are left without a shell
That's a fair concern that would be better addressed by resolving #682, similar to Linkerd's approach.
Will #682 be a part of v1.2?
No, it won't, but I think that would be the best way to go for debugging purposes, vs bundling all tools into the default Envoy image. Alternatively, we could use the Envoy Ubuntu image, but that goes against the idea to use security hardened images. We already use distroless images for the control planes, so I am fine to use the same for Envoy.
Description:
envoy: update to latest version and fix typed proto usage
- Updates Envoy to its latest available version (v1.22.2 for Linux, v1.22.1 for Windows). The latest version includes the latest released security fix. We could not update Envoy previously due to a blocking bug: Difference in how connections are handled for draining listeners from v1.19.1 to v1.20.x,v1.21.x envoyproxy/envoy#20113
- Updates filter names to custom names as wellknown names are deprecated in Envoy (with 1 exception for the http.rbac filter). Envoy will use the TypeURL in the proto to determine which filter to use instead. Wellknown names are not required and using them is confusing because not all filters are defined in the legacy wellknown pkg (e.g. http.local_ratelimit). See:
  - Clearly document whether filter names matter envoyproxy/envoy#21759
  - docs: remove guidance to use names envoyproxy/envoy#21763
  - Wellknown filter names are deprecated envoyproxy/go-control-plane#293
  - Is there any rule about about wellknown package? envoyproxy/go-control-plane#552
- Uses the distroless image as the alpine image has been discontinued: When will the v1.22.2 envoy-alpine image be available on Dockerhub? envoyproxy/envoy#21758
- Updates tests to use custom filter names
- Adds `proto_types.go` to aid dynamic proto resolution for typed configs using `any.Any()`. This helps resolve protos where dynamic resolution is necessary. Also adds the typed proto for rate limiting to the http_filters, without which Envoy will not be able to perform rate limiting of HTTP traffic.
- Updates Prometheus' ConfigMap to reflect changes to Envoy metrics prefixes
- Updates Contour's envoy and control plane image so they are compatible.
Testing done:
CI, unit tests
Affected area:
Please answer the following questions with yes/no.
Does this change contain code from or inspired by another project?
no
Is this a breaking change?
no
Has documentation corresponding to this change been updated in the osm-docs repo (if applicable)?
will be updated once this change is merged
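
The description says Envoy selects a filter by the TypeURL of its typed config and that HTTP rate limiting needs the rate limit proto present in `http_filters`. The following is an added example, not code from this PR or from OSM: a standard-library check over an `http_filters` list in JSON form that reports entries with no type URL and required type URLs that are missing. The filter names, the sample list and the `auditFilters` helper are assumptions made for illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Type URL of Envoy's v3 local rate limit HTTP filter proto.
const localRateLimitType = "type.googleapis.com/envoy.extensions.filters.http.local_ratelimit.v3.LocalRateLimit"

// Constructed sample: an http_filters list in JSON form. The filter names are
// hypothetical custom names; the rate limit entry has no typed_config.
const sampleFilters = `[
  {"name": "http_rbac", "typed_config": {"@type": "type.googleapis.com/envoy.extensions.filters.http.rbac.v3.RBAC"}},
  {"name": "http_local_rate_limit"},
  {"name": "http_router", "typed_config": {"@type": "type.googleapis.com/envoy.extensions.filters.http.router.v3.Router"}}
]`

type httpFilter struct {
	Name        string `json:"name"`
	TypedConfig struct {
		TypeURL string `json:"@type"`
	} `json:"typed_config"`
}

// auditFilters (hypothetical helper) reports filters that carry no type URL
// and required type URLs that no filter in the list provides.
func auditFilters(raw string, required ...string) ([]string, error) {
	var filters []httpFilter
	if err := json.Unmarshal([]byte(raw), &filters); err != nil {
		return nil, fmt.Errorf("parse http_filters: %w", err)
	}
	seen := map[string]bool{}
	var findings []string
	for _, f := range filters {
		if f.TypedConfig.TypeURL == "" {
			findings = append(findings, fmt.Sprintf("filter %q has no typed_config @type", f.Name))
			continue
		}
		seen[f.TypedConfig.TypeURL] = true
	}
	for _, t := range required {
		if !seen[t] {
			findings = append(findings, "no filter provides "+t)
		}
	}
	return findings, nil
}

func main() {
	findings, err := auditFilters(sampleFilters, localRateLimitType)
	fmt.Println(findings, err)
}
```

The check keys on the type URL only, so it gives the same result whatever custom names the filters carry.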