This repository was archived by the owner on Jul 11, 2023. It is now read-only.

Commit 08c646b

envoy: update to latest version and fix typed proto usage (#4834)
- Updates Envoy to its latest available version (v1.22.2 for Linux, v1.22.1 for Windows). The latest version includes the latest released security fix. We could not update Envoy previously due to a blocking bug: envoyproxy/envoy#20113
- Updates filter names to custom names as wellknown names are deprecated in Envoy (with 1 exception for the http.rbac filter). Envoy will use the TypeURL in the proto to determine which filter to use instead. Wellknown names are not required and using them is confusing because not all filters are defined in the legacy wellknown pkg (e.g. http.local_ratelimit). See: envoyproxy/envoy#21759 envoyproxy/envoy#21763 envoyproxy/go-control-plane#293 envoyproxy/go-control-plane#552
- Uses the distroless image as the alpine image has been discontinued: envoyproxy/envoy#21758
- Updates tests to use custom filter names
- Adds `proto_types.go` to aid dynamic proto resolution for typed configs using `any.Any()`. This helps resolve protos where dynamic resolution is necessary.
- Updated Prometheus' ConfigMap to reflect changes to Envoy metrics prefixes

Signed-off-by: Shashank Ram <[email protected]>
1 parent 28b3238 commit 08c646b
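The TypeURL point in the commit message (Envoy selects the filter implementation from `typed_config.@type`, so the `name` is only a label) is what makes the filter renames safe, and it is also how tooling that inspects Envoy configuration should identify filters. The Go program below is an added example, not code from the OSM project or from this commit: it parses a constructed listener in config-dump shape and classifies each filter chain by type URL alone, rejecting a name-only filter instead of guessing from its name. The sample listener, its chain names and the `ChainProtocols`/`ProtocolForFilter` helpers are assumptions made for the example; the two type URLs are the real Envoy v3 ones.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Real Envoy v3 type URLs of the two terminal network filters OSM programs.
const (
	hcmTypeURL      = "type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager"
	tcpProxyTypeURL = "type.googleapis.com/envoy.extensions.filters.network.tcp_proxy.v3.TcpProxy"
)

// Constructed sample (not a real config dump) in Envoy listener shape. The
// filter names are deliberately mixed: one arbitrary, one legacy wellknown,
// one name-only, to show that only typed_config["@type"] decides the type.
const sampleListener = `{
  "name": "outbound-listener",
  "filter_chains": [
    {"name": "outbound-mesh-http-filter-chain:bookstore/bookstore",
     "filters": [{"name": "whatever",
                  "typed_config": {"@type": "type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager",
                                   "stat_prefix": "mesh-http-conn-manager.rds-outbound.14001"}}]},
    {"name": "outbound-mesh-tcp-filter-chain:bookstore/mysql",
     "filters": [{"name": "envoy.filters.network.tcp_proxy",
                  "typed_config": {"@type": "type.googleapis.com/envoy.extensions.filters.network.tcp_proxy.v3.TcpProxy",
                                   "stat_prefix": "outbound-tcp-proxy.3306"}}]},
    {"name": "legacy-untyped-chain",
     "filters": [{"name": "envoy.filters.network.http_connection_manager"}]}
  ]
}`

type (
	typedConfig struct {
		Type string `json:"@type"`
	}
	filter struct {
		Name        string       `json:"name"`
		TypedConfig *typedConfig `json:"typed_config"`
	}
	filterChain struct {
		Name    string   `json:"name"`
		Filters []filter `json:"filters"`
	}
	listener struct {
		FilterChains []filterChain `json:"filter_chains"`
	}
)

// ProtocolForFilter classifies a network filter by its typed_config type URL,
// which is what Envoy itself dispatches on; the name field is ignored. A
// name-only filter yields "" because there is nothing left to resolve it by.
func ProtocolForFilter(f filter) string {
	if f.TypedConfig == nil {
		return ""
	}
	switch f.TypedConfig.Type {
	case hcmTypeURL:
		return "http"
	case tcpProxyTypeURL:
		return "tcp"
	}
	return ""
}

// ChainProtocols maps each filter chain name to the protocol of its terminal
// (last) network filter. Chains whose terminal filter has no resolvable type
// URL are omitted from the map and reported in the error, so a verifier
// fails loudly instead of trusting the name.
func ChainProtocols(listenerJSON string) (map[string]string, error) {
	var l listener
	if err := json.Unmarshal([]byte(listenerJSON), &l); err != nil {
		return nil, fmt.Errorf("parsing listener: %w", err)
	}
	out := make(map[string]string, len(l.FilterChains))
	var unresolved []string
	for _, fc := range l.FilterChains {
		if len(fc.Filters) == 0 {
			unresolved = append(unresolved, fc.Name+" (no filters)")
			continue
		}
		last := fc.Filters[len(fc.Filters)-1]
		proto := ProtocolForFilter(last)
		if proto == "" {
			unresolved = append(unresolved, fmt.Sprintf("%s (name=%q has no resolvable @type)", fc.Name, last.Name))
			continue
		}
		out[fc.Name] = proto
	}
	if len(unresolved) > 0 {
		return out, fmt.Errorf("unresolvable filter chains: %s", strings.Join(unresolved, "; "))
	}
	return out, nil
}

func main() {
	protos, err := ChainProtocols(sampleListener)
	fmt.Println(protos) // only the http and tcp chains are classified
	fmt.Println("error:", err) // the name-only chain is reported here
}
```

Run with `go run` on the file; the HTTP chain is classified even though its name is meaningless, the TCP chain is classified despite still carrying the legacy wellknown name, and the name-only chain is rejected, which is the behaviour a verifier wants once names no longer mean anything to Envoy.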


43 files changed, +646 -183 lines changed

charts/osm/README.md

+4-4
@@ -59,9 +59,9 @@ The following table lists the configurable parameters of the osm chart and their
5959

6060
| Key | Type | Default | Description |
6161
|-----|------|---------|-------------|
62-
| contour.contour | object | `{"image":{"registry":"docker.io","repository":"projectcontour/contour","tag":"v1.18.0"}}` | Contour controller configuration |
62+
| contour.contour | object | `{"image":{"registry":"docker.io","repository":"projectcontour/contour","tag":"v1.21.1"}}` | Contour controller configuration |
6363
| contour.enabled | bool | `false` | Enables deployment of Contour control plane and gateway |
64-
| contour.envoy | object | `{"image":{"registry":"docker.io","repository":"envoyproxy/envoy-alpine","tag":"v1.19.3"}}` | Contour envoy edge proxy configuration |
64+
| contour.envoy | object | `{"image":{"registry":"docker.io","repository":"envoyproxy/envoy-distroless","tag":"v1.22.2"}}` | Contour envoy edge proxy configuration |
6565
| osm.caBundleSecretName | string | `"osm-ca-bundle"` | The Kubernetes secret name to store CA bundle for the root CA used in OSM |
6666
| osm.certificateProvider.certKeyBitSize | int | `2048` | Certificate key bit size for data plane certificates issued to workloads to communicate over mTLS |
6767
| osm.certificateProvider.kind | string | `"tresor"` | The Certificate manager type: `tresor`, `vault` or `cert-manager` |
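Review bot: `contour.envoy` at 64+ is bumped to envoyproxy/envoy-distroless v1.22.2 alongside Contour v1.21.1, but nothing in the hunk shows that this Contour release is qualified against that Envoy minor. Contour ships a specific Envoy version per release, so confirm the Envoy version documented for v1.21.1 matches before merging, or pin the tag it actually ships with.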
@@ -163,8 +163,8 @@ The following table lists the configurable parameters of the osm chart and their
163163
| osm.prometheus.resources | object | `{"limits":{"cpu":"1","memory":"2G"},"requests":{"cpu":"0.5","memory":"512M"}}` | Prometheus's container resource parameters |
164164
| osm.prometheus.retention | object | `{"time":"15d"}` | Prometheus data rentention configuration |
165165
| osm.prometheus.retention.time | string | `"15d"` | Prometheus data retention time |
166-
| osm.sidecarImage | string | `"envoyproxy/envoy-alpine:v1.19.3@sha256:874e699857e023d9234b10ffc5af39ccfc9011feab89638e56ac4042ecd4b0f3"` | Envoy sidecar image for Linux workloads |
167-
| osm.sidecarWindowsImage | string | `"envoyproxy/envoy-windows:v1.19.3@sha256:f990f024e7e95f07b6c0d416684734607761e382c35d1ba9414c7e3fbf23969c"` | Envoy sidecar image for Windows workloads |
166+
| osm.sidecarImage | string | `"envoyproxy/envoy-distroless:v1.22.2@sha256:541d31419b95e3c62d8cc0967db9cdb4ad2782cc08faa6f15f04c081200e324a"` | Envoy sidecar image for Linux workloads |
167+
| osm.sidecarWindowsImage | string | `"envoyproxy/envoy-windows:v1.22.1@sha256:92733f8e5beae5c45df204a0e13edbd29e99adf962d1b1c7869b197d85c64bd0"` | Envoy sidecar image for Windows workloads |
168168
| osm.tracing.address | string | `""` | Address of the tracing collector service (must contain the namespace). When left empty, this is computed in helper template to "jaeger.<osm-namespace>.svc.cluster.local". Please override for BYO-tracing as documented in tracing.md |
169169
| osm.tracing.enable | bool | `false` | Toggles Envoy's tracing functionality on/off for all sidecar proxies in the mesh |
170170
| osm.tracing.endpoint | string | `"/api/v2/spans"` | Tracing collector's API path where the spans will be sent to |
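Review bot: the Linux sidecar at 166+ moves to v1.22.2 while the Windows sidecar at 167+ stays on v1.22.1. The commit message says the latest version carries the latest security fix, so a mesh with Windows workloads is left running two Envoy versions with the Windows proxies lacking that fix; this deserves a sentence in the description column (or in the release notes) and a tracking issue for the Windows bump.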

charts/osm/templates/prometheus-configmap.yaml

+18-18
@@ -130,43 +130,43 @@ data:
130130
target_label: __address__
131131
metric_relabel_configs:
132132
- source_labels: [__name__]
133-
regex: 'envoy_.*osm_request_(total|duration_ms_(bucket|count|sum))'
133+
regex: '.*osm_request_(total|duration_ms_(bucket|count|sum))'
134134
action: keep
135135
- source_labels: [__name__]
136136
action: replace
137-
regex: envoy_response_code_(\d{3})_source_namespace_.*_source_kind_.*_source_name_.*_source_pod_.*_destination_namespace_.*_destination_kind_.*_destination_name_.*_destination_pod_.*_osm_request_total
137+
regex: response_code_(\d{3})_source_namespace_.*_source_kind_.*_source_name_.*_source_pod_.*_destination_namespace_.*_destination_kind_.*_destination_name_.*_destination_pod_.*_osm_request_total
138138
target_label: response_code
139139
- source_labels: [__name__]
140140
action: replace
141-
regex: envoy_response_code_\d{3}_source_namespace_(.*)_source_kind_.*_source_name_.*_source_pod_.*_destination_namespace_.*_destination_kind_.*_destination_name_.*_destination_pod_.*_osm_request_total
141+
regex: response_code_\d{3}_source_namespace_(.*)_source_kind_.*_source_name_.*_source_pod_.*_destination_namespace_.*_destination_kind_.*_destination_name_.*_destination_pod_.*_osm_request_total
142142
target_label: source_namespace
143143
- source_labels: [__name__]
144144
action: replace
145-
regex: envoy_response_code_\d{3}_source_namespace_.*_source_kind_(.*)_source_name_.*_source_pod_.*_destination_namespace_.*_destination_kind_.*_destination_name_.*_destination_pod_.*_osm_request_total
145+
regex: response_code_\d{3}_source_namespace_.*_source_kind_(.*)_source_name_.*_source_pod_.*_destination_namespace_.*_destination_kind_.*_destination_name_.*_destination_pod_.*_osm_request_total
146146
target_label: source_kind
147147
- source_labels: [__name__]
148148
action: replace
149-
regex: envoy_response_code_\d{3}_source_namespace_.*_source_kind_.*_source_name_(.*)_source_pod_.*_destination_namespace_.*_destination_kind_.*_destination_name_.*_destination_pod_.*_osm_request_total
149+
regex: response_code_\d{3}_source_namespace_.*_source_kind_.*_source_name_(.*)_source_pod_.*_destination_namespace_.*_destination_kind_.*_destination_name_.*_destination_pod_.*_osm_request_total
150150
target_label: source_name
151151
- source_labels: [__name__]
152152
action: replace
153-
regex: envoy_response_code_\d{3}_source_namespace_.*_source_kind_.*_source_name_.*_source_pod_(.*)_destination_namespace_.*_destination_kind_.*_destination_name_.*_destination_pod_.*_osm_request_total
153+
regex: response_code_\d{3}_source_namespace_.*_source_kind_.*_source_name_.*_source_pod_(.*)_destination_namespace_.*_destination_kind_.*_destination_name_.*_destination_pod_.*_osm_request_total
154154
target_label: source_pod
155155
- source_labels: [__name__]
156156
action: replace
157-
regex: envoy_response_code_\d{3}_source_namespace_.*_source_kind_.*_source_name_.*_source_pod_.*_destination_namespace_(.*)_destination_kind_.*_destination_name_.*_destination_pod_.*_osm_request_total
157+
regex: response_code_\d{3}_source_namespace_.*_source_kind_.*_source_name_.*_source_pod_.*_destination_namespace_(.*)_destination_kind_.*_destination_name_.*_destination_pod_.*_osm_request_total
158158
target_label: destination_namespace
159159
- source_labels: [__name__]
160160
action: replace
161-
regex: envoy_response_code_\d{3}_source_namespace_.*_source_kind_.*_source_name_.*_source_pod_.*_destination_namespace_.*_destination_kind_(.*)_destination_name_.*_destination_pod_.*_osm_request_total
161+
regex: response_code_\d{3}_source_namespace_.*_source_kind_.*_source_name_.*_source_pod_.*_destination_namespace_.*_destination_kind_(.*)_destination_name_.*_destination_pod_.*_osm_request_total
162162
target_label: destination_kind
163163
- source_labels: [__name__]
164164
action: replace
165-
regex: envoy_response_code_\d{3}_source_namespace_.*_source_kind_.*_source_name_.*_source_pod_.*_destination_namespace_.*_destination_kind_.*_destination_name_(.*)_destination_pod_.*_osm_request_total
165+
regex: response_code_\d{3}_source_namespace_.*_source_kind_.*_source_name_.*_source_pod_.*_destination_namespace_.*_destination_kind_.*_destination_name_(.*)_destination_pod_.*_osm_request_total
166166
target_label: destination_name
167167
- source_labels: [__name__]
168168
action: replace
169-
regex: envoy_response_code_\d{3}_source_namespace_.*_source_kind_.*_source_name_.*_source_pod_.*_destination_namespace_.*_destination_kind_.*_destination_name_.*_destination_pod_(.*)_osm_request_total
169+
regex: response_code_\d{3}_source_namespace_.*_source_kind_.*_source_name_.*_source_pod_.*_destination_namespace_.*_destination_kind_.*_destination_name_.*_destination_pod_(.*)_osm_request_total
170170
target_label: destination_pod
171171
- source_labels: [__name__]
172172
action: replace
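Review bot: the `keep` rule at 133+ is loosened from `envoy_.*osm_request_...` to `.*osm_request_...`, while every `replace` rule below it is now anchored to begin at `response_code_` (Prometheus relabel regexes are fully anchored). If the scraped metric names still carry any prefix, the `keep` passes them but none of the `replace` rules match, and `response_code` and the `source_*`/`destination_*` labels are silently empty. The commit message says the prefix changed but not what it changed to; add a comment above `metric_relabel_configs` with one literal example of the new metric name so the two halves of this config can be checked against each other.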
@@ -175,35 +175,35 @@ data:
175175
176176
- source_labels: [__name__]
177177
action: replace
178-
regex: envoy_source_namespace_(.*)_source_kind_.*_source_name_.*_source_pod_.*_destination_namespace_.*_destination_kind_.*_destination_name_.*_destination_pod_.*_osm_request_duration_ms_(bucket|sum|count)
178+
regex: source_namespace_(.*)_source_kind_.*_source_name_.*_source_pod_.*_destination_namespace_.*_destination_kind_.*_destination_name_.*_destination_pod_.*_osm_request_duration_ms_(bucket|sum|count)
179179
target_label: source_namespace
180180
- source_labels: [__name__]
181181
action: replace
182-
regex: envoy_source_namespace_.*_source_kind_(.*)_source_name_.*_source_pod_.*_destination_namespace_.*_destination_kind_.*_destination_name_.*_destination_pod_.*_osm_request_duration_ms_(bucket|sum|count)
182+
regex: source_namespace_.*_source_kind_(.*)_source_name_.*_source_pod_.*_destination_namespace_.*_destination_kind_.*_destination_name_.*_destination_pod_.*_osm_request_duration_ms_(bucket|sum|count)
183183
target_label: source_kind
184184
- source_labels: [__name__]
185185
action: replace
186-
regex: envoy_source_namespace_.*_source_kind_.*_source_name_(.*)_source_pod_.*_destination_namespace_.*_destination_kind_.*_destination_name_.*_destination_pod_.*_osm_request_duration_ms_(bucket|sum|count)
186+
regex: source_namespace_.*_source_kind_.*_source_name_(.*)_source_pod_.*_destination_namespace_.*_destination_kind_.*_destination_name_.*_destination_pod_.*_osm_request_duration_ms_(bucket|sum|count)
187187
target_label: source_name
188188
- source_labels: [__name__]
189189
action: replace
190-
regex: envoy_source_namespace_.*_source_kind_.*_source_name_.*_source_pod_(.*)_destination_namespace_.*_destination_kind_.*_destination_name_.*_destination_pod_.*_osm_request_duration_ms_(bucket|sum|count)
190+
regex: source_namespace_.*_source_kind_.*_source_name_.*_source_pod_(.*)_destination_namespace_.*_destination_kind_.*_destination_name_.*_destination_pod_.*_osm_request_duration_ms_(bucket|sum|count)
191191
target_label: source_pod
192192
- source_labels: [__name__]
193193
action: replace
194-
regex: envoy_source_namespace_.*_source_kind_.*_source_name_.*_source_pod_.*_destination_namespace_(.*)_destination_kind_.*_destination_name_.*_destination_pod_.*_osm_request_duration_ms_(bucket|sum|count)
194+
regex: source_namespace_.*_source_kind_.*_source_name_.*_source_pod_.*_destination_namespace_(.*)_destination_kind_.*_destination_name_.*_destination_pod_.*_osm_request_duration_ms_(bucket|sum|count)
195195
target_label: destination_namespace
196196
- source_labels: [__name__]
197197
action: replace
198-
regex: envoy_source_namespace_.*_source_kind_.*_source_name_.*_source_pod_.*_destination_namespace_.*_destination_kind_(.*)_destination_name_.*_destination_pod_.*_osm_request_duration_ms_(bucket|sum|count)
198+
regex: source_namespace_.*_source_kind_.*_source_name_.*_source_pod_.*_destination_namespace_.*_destination_kind_(.*)_destination_name_.*_destination_pod_.*_osm_request_duration_ms_(bucket|sum|count)
199199
target_label: destination_kind
200200
- source_labels: [__name__]
201201
action: replace
202-
regex: envoy_source_namespace_.*_source_kind_.*_source_name_.*_source_pod_.*_destination_namespace_.*_destination_kind_.*_destination_name_(.*)_destination_pod_.*_osm_request_duration_ms_(bucket|sum|count)
202+
regex: source_namespace_.*_source_kind_.*_source_name_.*_source_pod_.*_destination_namespace_.*_destination_kind_.*_destination_name_(.*)_destination_pod_.*_osm_request_duration_ms_(bucket|sum|count)
203203
target_label: destination_name
204204
- source_labels: [__name__]
205205
action: replace
206-
regex: envoy_source_namespace_.*_source_kind_.*_source_name_.*_source_pod_.*_destination_namespace_.*_destination_kind_.*_destination_name_.*_destination_pod_(.*)_osm_request_duration_ms_(bucket|sum|count)
206+
regex: source_namespace_.*_source_kind_.*_source_name_.*_source_pod_.*_destination_namespace_.*_destination_kind_.*_destination_name_.*_destination_pod_(.*)_osm_request_duration_ms_(bucket|sum|count)
207207
target_label: destination_pod
208208
- source_labels: [__name__]
209209
action: replace
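Review bot: the same anchoring concern applies to the `osm_request_duration_ms` rules at 178+ through 206+, which now only match names that start exactly at `source_namespace_`. Nine copies of one long pattern, each moving a single capture group, are easy to get subtly wrong on the next prefix change; stating the full metric-name layout once in a comment would make a future edit verifiable at a glance.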

charts/osm/values.schema.json

+6-3
@@ -411,7 +411,7 @@
411411
"title": "The sidecarImage schema",
412412
"description": "The proxy side car image to run.",
413413
"examples": [
414-
"envoyproxy/envoy-alpine:v1.19.3@sha256:874e699857e023d9234b10ffc5af39ccfc9011feab89638e56ac4042ecd4b0f3"
414+
"envoyproxy/envoy-distroless:v1.22.2@sha256:541d31419b95e3c62d8cc0967db9cdb4ad2782cc08faa6f15f04c081200e324a"
415415
]
416416
},
417417
"curlImage": {
@@ -429,7 +429,7 @@
429429
"title": "The sidecarWindowsImage schema",
430430
"description": "The proxy side car image to run on Windows payloads.",
431431
"examples": [
432-
"envoyproxy/envoy-windows:v1.19.3@sha256:f990f024e7e95f07b6c0d416684734607761e382c35d1ba9414c7e3fbf23969c"
432+
"envoyproxy/envoy-windows:v1.22.1@sha256:92733f8e5beae5c45df204a0e13edbd29e99adf962d1b1c7869b197d85c64bd0"
433433
]
434434
},
435435
"trustDomain": {
@@ -716,7 +716,10 @@
716716
"type": "string",
717717
"title": "The localProxyMode schema",
718718
"description": "Proxy mode for the Envoy proxy sidecar. Acceptable values are ['Localhost', 'PodIP'].",
719-
"enum": ["Localhost","PodIP"],
719+
"enum": [
720+
"Localhost",
721+
"PodIP"
722+
],
720723
"examples": [
721724
"Localhost"
722725
]
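Review bot: the `enum` reflow at 719+ through 722+ is a formatting-only change with no relation to the Envoy bump; harmless, but it adds noise to a security-motivated upgrade and would be easier to review in its own change.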

charts/osm/values.yaml

+5-5
@@ -50,9 +50,9 @@ osm:
5050
# -- `osm-controller` image pull secret
5151
imagePullSecrets: []
5252
# -- Envoy sidecar image for Linux workloads
53-
sidecarImage: envoyproxy/envoy-alpine:v1.19.3@sha256:874e699857e023d9234b10ffc5af39ccfc9011feab89638e56ac4042ecd4b0f3
53+
sidecarImage: envoyproxy/envoy-distroless:v1.22.2@sha256:541d31419b95e3c62d8cc0967db9cdb4ad2782cc08faa6f15f04c081200e324a
5454
# -- Envoy sidecar image for Windows workloads
55-
sidecarWindowsImage: envoyproxy/envoy-windows:v1.19.3@sha256:f990f024e7e95f07b6c0d416684734607761e382c35d1ba9414c7e3fbf23969c
55+
sidecarWindowsImage: envoyproxy/envoy-windows:v1.22.1@sha256:92733f8e5beae5c45df204a0e13edbd29e99adf962d1b1c7869b197d85c64bd0
5656
# -- Curl image for control plane init container
5757
curlImage: curlimages/curl
5858

@@ -369,13 +369,13 @@ contour:
369369
image:
370370
registry: docker.io
371371
repository: projectcontour/contour
372-
tag: v1.18.0
372+
tag: v1.21.1
373373
# -- Contour envoy edge proxy configuration
374374
envoy:
375375
image:
376376
registry: docker.io
377-
repository: envoyproxy/envoy-alpine
378-
tag: v1.19.3
377+
repository: envoyproxy/envoy-distroless
378+
tag: v1.22.2
379379

380380
#
381381
# -- SMI configuration
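Review bot: the Contour images at 372+ and 377+/378+ are pinned by tag only, whereas `sidecarImage` and `sidecarWindowsImage` earlier in this file are pinned by digest. Since this upgrade is motivated by a security fix, pin these as `tag@sha256:...` too, so a re-tagged upstream image cannot silently change what the edge proxy runs.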

docs/how_osm_uses_envoy.md

+1-1
@@ -74,7 +74,7 @@ Below is a significantly paired down Listener configuration, which depicts the r
7474
},
7575
"filters":[
7676
{
77-
"name":"envoy.filters.network.http_connection_manager",
77+
"name":"http_connection_manager",
7878
"typed_config":{
7979
"@type":"type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager",
8080
"rds":{
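Review bot: renaming the filter to plain `http_connection_manager` at 77+ without any explanation makes it read like a new magic string. Add one sentence to the doc saying that `name` is now an arbitrary label and that Envoy selects the filter from `typed_config.@type`, which is the reason the wellknown names could be dropped in the first place.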

docs/release_notes.md

+2-1
@@ -6,14 +6,15 @@
66

77
- Root certificate rotation is now supported through the new CRD, MeshRootCertificate.
88
- Along with root certificate rotation we support custom trust domains, as well as rotating to new trust domains with no downtime.
9+
- Envoy has been updated to v1.22 and uses the `envoyproxy/envoy-distroless` image instead of the deprecated `envoyproxy/envoy-alpine` image.
910

1011
### Breaking Changes
1112

1213
- The following metrics no longer use the label `common_name`, due to the fact that the common name's trust domain can rotate. Instead 2 new labels, `proxy_uuid` and `identity` have been added.
1314
- `osm_proxy_response_send_success_count`
1415
- `osm_proxy_response_send_error_count`
1516
- `osm_proxy_xds_request_count`
16-
17+
1718
## Release v1.1.0
1819

1920
### Notable changes
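Review bot: the bullet at 9+ covers the image switch, but two other user-visible effects of this commit belong under Breaking Changes: filter names in Envoy config dumps no longer use the `envoy.filters.*` wellknown strings (anything that scripts against config dumps or `osm verify` output by name will break), and the Prometheus metric prefix changed, which affects custom dashboards and alert rules. The 16-/17+ pair is a whitespace-only change.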

pkg/cli/verifier/envoy_config.go

+3-3
@@ -11,14 +11,14 @@ import (
1111
xds_listener "github.com/envoyproxy/go-control-plane/envoy/config/listener/v3"
1212
xds_route "github.com/envoyproxy/go-control-plane/envoy/config/route/v3"
1313
xds_secret "github.com/envoyproxy/go-control-plane/envoy/extensions/transport_sockets/tls/v3"
14-
"github.com/envoyproxy/go-control-plane/pkg/wellknown"
1514
"github.com/pkg/errors"
1615
corev1 "k8s.io/api/core/v1"
1716
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
1817
"k8s.io/client-go/kubernetes"
1918
"k8s.io/utils/pointer"
2019

2120
configv1alpha2 "github.com/openservicemesh/osm/pkg/apis/config/v1alpha2"
21+
"github.com/openservicemesh/osm/pkg/envoy"
2222
"github.com/openservicemesh/osm/pkg/trafficpolicy"
2323

2424
"github.com/openservicemesh/osm/pkg/constants"
@@ -332,10 +332,10 @@ func findOutboundFilterChainForServicePort(meshSvc service.MeshService, dstIPRan
332332
func getFilterForProtocol(protocol string) string {
333333
switch protocol {
334334
case constants.ProtocolHTTP:
335-
return wellknown.HTTPConnectionManager
335+
return envoy.HTTPConnectionManagerFilterName
336336

337337
case constants.ProtocolTCP, constants.ProtocolHTTPS:
338-
return wellknown.TCPProxy
338+
return envoy.TCPProxyFilterName
339339

340340
default:
341341
return ""
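Review bot: `getFilterForProtocol` still identifies a filter by `name`, now via OSM's own constants at 335+ and 338+. Because the name is no longer meaningful to Envoy, this is brittle during a rolling upgrade (sidecars still serving a config with the old wellknown names will fail verification) and for anyone comparing against a hand-built listener. Consider matching on the `typed_config` type URL (`HttpConnectionManager` / `TcpProxy`) and treating the name as informational.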

pkg/cli/verifier/testdata/curl_egress.json

+13-7
@@ -731,7 +731,7 @@
731731
"category": "envoy.filters.network"
732732
},
733733
{
734-
"name": "envoy.filters.network.http_connection_manager",
734+
"name": "http_connection_manager",
735735
"category": "envoy.filters.network"
736736
},
737737
{
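Review bot: the entry at 734+ sits in a list of `{name, category}` objects, which is the shape Envoy uses to report its registered extensions in the bootstrap node, not a filter OSM configured. Those names come from Envoy itself and stay the canonical `envoy.filters.network.http_connection_manager` regardless of what the xDS config calls the filter, so this line looks like a find-and-replace overreach; check a real v1.22 config dump and revert this one line if it still reports the canonical name.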
@@ -1271,7 +1271,7 @@
12711271
},
12721272
"filters": [
12731273
{
1274-
"name": "envoy.filters.network.http_connection_manager",
1274+
"name": "http_connection_manager",
12751275
"typed_config": {
12761276
"@type": "type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager",
12771277
"stat_prefix": "mesh-http-conn-manager.rds-outbound.14001",
@@ -1312,7 +1312,10 @@
13121312
}
13131313
},
13141314
{
1315-
"name": "envoy.filters.http.router"
1315+
"name": "http_router",
1316+
"typed_config": {
1317+
"@type": "type.googleapis.com/envoy.extensions.filters.http.router.v3.Router"
1318+
}
13161319
}
13171320
],
13181321
"access_log": [
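Review bot: the explicit `typed_config` added at 1316+ through 1318+ is required rather than cosmetic: with the name no longer `envoy.filters.http.router`, Envoy has nothing to infer the router's type from, so a name-only entry would be rejected. Since JSON fixtures cannot carry comments, say so in the PR description so the next reader does not "simplify" it back to a name-only entry.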
@@ -1397,7 +1400,7 @@
13971400
},
13981401
"filters": [
13991402
{
1400-
"name": "envoy.filters.network.http_connection_manager",
1403+
"name": "http_connection_manager",
14011404
"typed_config": {
14021405
"@type": "type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager",
14031406
"stat_prefix": "mesh-http-conn-manager.rds-egress.80",
@@ -1438,7 +1441,10 @@
14381441
}
14391442
},
14401443
{
1441-
"name": "envoy.filters.http.router"
1444+
"name": "http_router",
1445+
"typed_config": {
1446+
"@type": "type.googleapis.com/envoy.extensions.filters.http.router.v3.Router"
1447+
}
14421448
}
14431449
],
14441450
"access_log": [
@@ -1521,7 +1527,7 @@
15211527
},
15221528
"filters": [
15231529
{
1524-
"name": "envoy.filters.network.tcp_proxy",
1530+
"name": "tcp_proxy",
15251531
"typed_config": {
15261532
"@type": "type.googleapis.com/envoy.extensions.filters.network.tcp_proxy.v3.TcpProxy",
15271533
"stat_prefix": "egress-tcp-proxy.443",
@@ -1765,4 +1771,4 @@
17651771
]
17661772
}
17671773
]
1768-
}
1774+
}
