release-1.26: Backport #5827 and #5850

[sunjayBhatia]

Commit messages:

An additional mitigation to CVE-2023-44487 available in Envoy 1.27.1. This change allows configuring the http.max_requests_per_io_cycle Envoy runtime setting via Contour configuration to allow administrators of Contour to prevent abusive connections from starving resources from others. The default is left as the existing behavior, that is no limit, so as not to impact existing valid traffic.

See the Envoy release notes for more information:
https://www.envoyproxy.io/docs/envoy/v1.27.1/version_history/v1.27/v1.27.1

---

HTTP/2 max concurrent streams can be configured (#5850)

Adds a global Listener configuration field for admins to be able to
protect their installations of Contour/Envoy with a limit. Default is no
limit to ensure existing behavior is not impacted for valid traffic.
This field can be used for tuning resource usage or mitigated DOS
attacks like in CVE-2023-44487.

[sunjayBhatia]

this ends up being a new configuration field available if we do backport this (and other following) change

worth a discussion whether this is desirable or we should only include this new mitigation/feature in the latest release

[tsaarni]

Envoy also ended up introducing this new configuration in backports, which is maybe bit unusual, but I do not have strong opinion. It sounds ok for me.

That said, the Envoy version needs to get bumped. I guess to each respective release tracks according to https://projectcontour.io/resources/compatibility-matrix/ vs GHSA-jhv4-f7mr-xx76. Edit: sorry I missed it was already done #5823 😄

[codecov]

Codecov Report

Merging #5851 (304d5be) into release-1.26 (d9b2a55) will increase coverage by 0.02%.
The diff coverage is 90.69%.

Additional details and impacted files

@@               Coverage Diff                @@
##           release-1.26    #5851      +/-   ##
================================================
+ Coverage         78.56%   78.58%   +0.02%     
================================================
  Files               138      138              
  Lines             19163    19195      +32     
================================================
+ Hits              15056    15085      +29     
- Misses             3820     3823       +3     
  Partials            287      287              

Files	Coverage Δ
cmd/contour/servecontext.go	83.63% <100.00%> (+0.07%)	⬆️
internal/envoy/v3/listener.go	98.50% <100.00%> (+0.01%)	⬆️
internal/envoy/v3/runtime.go	100.00% <100.00%> (ø)
internal/xdscache/v3/listener.go	92.11% <100.00%> (+0.06%)	⬆️
internal/xdscache/v3/runtime.go	100.00% <100.00%> (ø)
pkg/config/parameters.go	86.06% <100.00%> (+0.25%)	⬆️
cmd/contour/serve.go	20.06% <0.00%> (-0.07%)	⬇️