Merge branch 'projectcontour:main' into rollout_feature

.codespell.ignorewords

@@ -6,3 +6,4 @@ od
 als
 wit
 aks
+immediatedly

.github/workflows/build_daily.yaml

@@ -10,7 +10,7 @@ on:
 env:
   GOPROXY: https://proxy.golang.org/
   SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
-  GO_VERSION: 1.21.0
+  GO_VERSION: 1.21.3
 jobs:
   e2e-envoy-xds:
     runs-on: ubuntu-latest

.github/workflows/build_main.yaml

@@ -13,11 +13,11 @@ jobs:
     steps:
     - uses: actions/checkout@v4
     - name: Set up Docker Buildx
-      uses: docker/setup-buildx-action@v2
+      uses: docker/setup-buildx-action@v3
       with:
         version: latest
     - name: Log in to GHCR
-      uses: docker/login-action@v2
+      uses: docker/login-action@v3
       with:
         registry: ghcr.io
         username: ${{ github.actor }}

.github/workflows/build_tag.yaml

@@ -20,11 +20,11 @@ jobs:
     steps:
     - uses: actions/checkout@v4
     - name: Set up Docker Buildx
-      uses: docker/setup-buildx-action@v2
+      uses: docker/setup-buildx-action@v3
       with:
         version: latest
     - name: Log in to GHCR
-      uses: docker/login-action@v2
+      uses: docker/login-action@v3
       with:
         registry: ghcr.io
         username: ${{ github.actor }}

.github/workflows/prbuild.yaml

@@ -11,7 +11,7 @@ on:
 env:
   GOPROXY: https://proxy.golang.org/
   SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
-  GO_VERSION: 1.21.0
+  GO_VERSION: 1.21.3
 jobs:
   lint:
     runs-on: ubuntu-latest
@@ -94,7 +94,7 @@ jobs:
     steps:
     - uses: actions/checkout@v4
     - name: Set up Docker Buildx
-      uses: docker/setup-buildx-action@v2
+      uses: docker/setup-buildx-action@v3
       with:
         version: latest
     - name: Build image

Makefile

@@ -6,7 +6,7 @@ IMAGE := $(REGISTRY)/$(PROJECT)
 SRCDIRS := ./cmd ./internal ./apis
 LOCAL_BOOTSTRAP_CONFIG = localenvoyconfig.yaml
 SECURE_LOCAL_BOOTSTRAP_CONFIG = securelocalenvoyconfig.yaml
-ENVOY_IMAGE = docker.io/envoyproxy/envoy:v1.27.0
+ENVOY_IMAGE = docker.io/envoyproxy/envoy:v1.27.1
 GATEWAY_API_VERSION ?= $(shell grep "sigs.k8s.io/gateway-api" go.mod | awk '{print $$2}')
 
 # Used to supply a local Envoy docker container an IP to connect to that is running
@@ -44,7 +44,7 @@ endif
 IMAGE_PLATFORMS ?= linux/amd64,linux/arm64
 
 # Base build image to use.
-BUILD_BASE_IMAGE ?= golang:1.21.0
+BUILD_BASE_IMAGE ?= golang:1.21.3
 
 # Enable build with CGO.
 BUILD_CGO_ENABLED ?= 0

apis/projectcontour/v1/httpproxy.go

@@ -551,6 +551,18 @@ type Route struct {
 	// +optional
 	PathRewritePolicy *PathRewritePolicy `json:"pathRewritePolicy,omitempty"`
 	// The policy for managing request headers during proxying.
+	//
+	// You may dynamically rewrite the Host header to be forwarded
+	// upstream to the content of a request header using
+	// the below format "%REQ(X-Header-Name)%". If the value of the header
+	// is empty, it is ignored.
+	//
+	// *NOTE: Pay attention to the potential security implications of using this option.
+	// Provided header must come from trusted source.
+	//
+	// **NOTE: The header rewrite is only done while forwarding and has no bearing
+	// on the routing decision.
+	//
 	// +optional
 	RequestHeadersPolicy *HeadersPolicy `json:"requestHeadersPolicy,omitempty"`
 	// The policy for managing response headers during proxying.
@@ -1268,7 +1280,7 @@ type LoadBalancerPolicy struct {
 }
 
 // HeadersPolicy defines how headers are managed during forwarding.
-// The `Host` header is treated specially and if set in a HTTP response
+// The `Host` header is treated specially and if set in a HTTP request
 // will be used as the SNI server name when forwarding over TLS. It is an
 // error to attempt to set the `Host` header in a HTTP response.
 type HeadersPolicy struct {

apis/projectcontour/v1alpha1/contourconfig.go

@@ -391,6 +391,27 @@ type EnvoyListenerConfig struct {
 	// Single set of options are applied to all listeners.
 	// +optional
 	SocketOptions *SocketOptions `json:"socketOptions,omitempty"`
+
+	// Defines the limit on number of HTTP requests that Envoy will process from a single
+	// connection in a single I/O cycle. Requests over this limit are processed in subsequent
+	// I/O cycles. Can be used as a mitigation for CVE-2023-44487 when abusive traffic is
+	// detected. Configures the http.max_requests_per_io_cycle Envoy runtime setting. The default
+	// value when this is not set is no limit.
+	//
+	// +kubebuilder:validation:Minimum=1
+	// +optional
+	MaxRequestsPerIOCycle *uint32 `json:"maxRequestsPerIOCycle,omitempty"`
+
+	// Defines the value for SETTINGS_MAX_CONCURRENT_STREAMS Envoy will advertise in the
+	// SETTINGS frame in HTTP/2 connections and the limit for concurrent streams allowed
+	// for a peer on a single HTTP/2 connection. It is recommended to not set this lower
+	// than 100 but this field can be used to bound resource usage by HTTP/2 connections
+	// and mitigate attacks like CVE-2023-44487. The default value when this is not set is
+	// unlimited.
+	//
+	// +kubebuilder:validation:Minimum=1
+	// +optional
+	HTTP2MaxConcurrentStreams *uint32 `json:"httpMaxConcurrentStreams,omitempty"`
 }
 
 // SocketOptions defines configurable socket options for Envoy listeners.

apis/projectcontour/v1alpha1/contourdeployment.go

@@ -215,6 +215,15 @@ type EnvoySettings struct {
 	// +kubebuilder:validation:Minimum=0
 	// +optional
 	BaseID int32 `json:"baseID,omitempty"`
+
+	// OverloadMaxHeapSize defines the maximum heap memory of the envoy controlled by the overload manager.
+	// When the value is greater than 0, the overload manager is enabled,
+	// and when envoy reaches 95% of the maximum heap size, it performs a shrink heap operation,
+	// When it reaches 98% of the maximum heap size, Envoy Will stop accepting requests.
+	// More info: https://projectcontour.io/docs/main/config/overload-manager/
+	//
+	// +optional
+	OverloadMaxHeapSize uint64 `json:"overloadMaxHeapSize,omitempty"`
 }
 
 // WorkloadType is the type of Kubernetes workload to use for a component.

changelogs/unreleased/5657-shadialtarsha-minor.md

@@ -0,0 +1,38 @@
+## Specific routes can now opt out of the virtual host's global rate limit policy
+
+Setting `rateLimitPolicy.global.disabled` flag to true on a specific route now disables the global rate limit policy inherited from the virtual host for that route.
+
+### Sample Configurations
+In the example below, `/foo` route is opted out from the global rate limit policy defined by the virtualhost.
+#### httpproxy.yaml
+```yaml
+apiVersion: projectcontour.io/v1
+kind: HTTPProxy
+metadata:
+  name: echo
+spec:
+  virtualhost:
+    fqdn: local.projectcontour.io
+    rateLimitPolicy:
+      global:
+        descriptors:
+          - entries:
+            - remoteAddress: {}
+            - genericKey:
+                key: vhost
+                value: local.projectcontour.io
+  routes:
+    - conditions:
+        - prefix: /
+      services:
+        - name: ingress-conformance-echo
+          port: 80
+    - conditions:
+        - prefix: /foo
+      rateLimitPolicy:
+        global:
+          disabled: true
+      services:
+        - name: ingress-conformance-echo
+          port: 80
+```

changelogs/unreleased/5672-therealak12-minor.md

@@ -0,0 +1,5 @@
+## Contour now waits for the cache sync before starting the DAG rebuild and XDS server
+
+Before this, we only waited for informer caches to sync but didn't wait for delivering the events to subscribed handlers.
+Now contour waits for the initial list of Kubernetes objects to be cached and processed by handlers (using the returned `HasSynced` methods)
+and then starts building its DAG and serving XDS. 

changelogs/unreleased/5678-clayton-gonsalves-minor.md

@@ -0,0 +1,24 @@
+## HTTPProxy: Allow Host header rewrite with dynamic headers.
+
+This Change allows the host header to be rewritten on requests using dynamic headers on the only route level.
+
+#### Example
+```yaml
+apiVersion: projectcontour.io/v1
+kind: HTTPProxy
+metadata:
+  name: dynamic-host-header-rewrite
+spec:
+  fqdn: local.projectcontour.io
+  routes:
+    - conditions:
+      - prefix: /
+      services:
+        - name: s1
+          port: 80
+    - requestHeaderPolicy:
+        set:
+        - name: host
+          value: "%REQ(x-rewrite-header)%"
+```
+

changelogs/unreleased/5686-izturn-small.md

@@ -0,0 +1 @@
+Add flags: `--incluster`, `--kubeconfig` for enable run the `gateway-provisioner` in or out of the cluster.

changelogs/unreleased/5699-yangyy93-small.md

@@ -0,0 +1 @@
+Gateway provisioner: Add the `overloadMaxHeapSize` configuration option to contourDeployment to allow adding [overloadManager](https://projectcontour.io/docs/main/config/overload-manager/) configuration when generating envoy's initial configuration file.

changelogs/unreleased/5752-davinci26-major.md

@@ -0,0 +1,15 @@
+## Fix bug with algorithm used to sort Envoy regex/prefix path rules
+
+Envoy greedy matches routes and as a result the order route matches are presented to Envoy is important. Contour attempts to produce consistent routing tables so that the most specific route matches are given preference. This is done to facilitate consistency when using HTTPProxy inclusion and provide a uniform user experience for route matching to be inline with Ingress and Gateway API Conformance.
+
+This changes fixes the sorting algorithm used for `Prefix` and `Regex` based path matching. Previously the algorithm lexicographically sorted based on the path match string instead of sorting them based on the length of the `Prefix`|`Regex`. i.e. Longer prefix/regexes will be sorted first in order to give preference to more specific routes, then lexicographic sorting for things of the same length.
+
+Note that for prefix matching, this change is _not_ expected to change the relative ordering of more specific prefixes vs. less specific ones when the more specific prefix match string has the less specific one as a prefix, e.g. `/foo/bar` will continue to sort before `/foo`. However, relative ordering of other combinations of prefix matches may change per the above description.
+### How to update safely
+
+Caution is advised if you update Contour and you are operating large routing tables. We advise you to:
+
+1. Deploy a duplicate Contour installation that parses the same CRDs
+2. Port-forward to the Envoy admin interface [docs](https://projectcontour.io/docs/v1.3.0/troubleshooting/)
+3. Access `http://127.0.0.1:9001/config_dump` and compare the configuration of Envoy. In particular the routes and their order. The prefix routes might be changing in order, so if they are you need to verify that the route matches as expected.
+

changelogs/unreleased/5804-skriss-small.md

@@ -0,0 +1 @@
+Gateway API: set Listeners' `ResolvedRefs` condition to `true` by default.

changelogs/unreleased/5821-sunjayBhatia-small.md

@@ -0,0 +1 @@
+Updates Envoy to v1.27.1. See the [release notes here](https://www.envoyproxy.io/docs/envoy/v1.27.1/version_history/v1.27/v1.27.1).

changelogs/unreleased/5827-sunjayBhatia-minor.md

@@ -0,0 +1,16 @@
+## Max HTTP requests per IO cycle is configurable as an additional mitigation for HTTP/2 CVE-2023-44487
+
+Envoy v1.27.1 mitigates CVE-2023-44487 with some default runtime settings, however the `http.max_requests_per_io_cycle` does not have a default value.
+This change allows configuring this runtime setting via Contour configuration to allow administrators of Contour to prevent abusive connections from starving resources from other valid connections.
+The default is left as the existing behavior (no limit) so as not to impact existing valid traffic.
+
+The Contour ConfigMap can be modified similar to the following (and Contour restarted) to set this value:
+
+```
+listener:
+  max-requests-per-io-cycle: 10
+```
+
+(Note this can be used in addition to the existing Listener configuration field `listener.max-requests-per-connection` which is used primarily for HTTP/1.1 connections and is an approximate limit for HTTP/2)
+
+See the [Envoy release notes](https://www.envoyproxy.io/docs/envoy/v1.27.1/version_history/v1.27/v1.27.1) for more details.

changelogs/unreleased/5841-sunjayBhatia-small.md

@@ -0,0 +1 @@
+Updates to Go 1.21.3. See the [Go release notes](https://go.dev/doc/devel/release#go1.21.minor) for more information.

changelogs/unreleased/5850-sunjayBhatia-minor.md

@@ -0,0 +1,11 @@
+## HTTP/2 max concurrent streams is configurable
+
+This field can be used to limit the number of concurrent streams Envoy will allow on a single connection from a downstream peer.
+It can be used to tune resource usage and as a mitigation for DOS attacks arising from vulnerabilities like CVE-2023-44487.
+
+The Contour ConfigMap can be modified similar to the following (and Contour restarted) to set this value:
+
+```
+listener:
+  http2-max-concurrent-streams: 50
+```

cmd/contour/gatewayprovisioner.go

@@ -17,11 +17,13 @@ import (
 	"fmt"
 	"os"
 
-	"github.com/alecthomas/kingpin/v2"
-	"github.com/novln/docker-parser/distribution/reference"
+	"github.com/projectcontour/contour/internal/k8s"
 	"github.com/projectcontour/contour/internal/provisioner"
 	"github.com/projectcontour/contour/internal/provisioner/controller"
 	"github.com/projectcontour/contour/pkg/config"
+
+	"github.com/alecthomas/kingpin/v2"
+	"github.com/distribution/reference"
 	_ "k8s.io/client-go/plugin/pkg/client/auth/gcp"
 	"k8s.io/client-go/rest"
 	ctrl "sigs.k8s.io/controller-runtime"
@@ -34,7 +36,7 @@ func registerGatewayProvisioner(app *kingpin.Application) (*kingpin.CmdClause, *
 
 	provisionerConfig := &gatewayProvisionerConfig{
 		contourImage:          "ghcr.io/projectcontour/contour:main",
-		envoyImage:            "docker.io/envoyproxy/envoy:v1.27.0",
+		envoyImage:            "docker.io/envoyproxy/envoy:v1.27.1",
 		metricsBindAddress:    ":8080",
 		leaderElection:        false,
 		leaderElectionID:      "0d879e31.projectcontour.io",
@@ -56,6 +58,13 @@ func registerGatewayProvisioner(app *kingpin.Application) (*kingpin.CmdClause, *
 		Default(provisionerConfig.gatewayControllerName).
 		StringVar(&provisionerConfig.gatewayControllerName)
 
+	cmd.Flag("incluster", "Use in cluster configuration.").
+		Default("true").
+		BoolVar(&provisionerConfig.inCluster)
+	cmd.Flag("kubeconfig", "Path to kubeconfig (if not in running inside a cluster).").
+		PlaceHolder("/path/to/file").
+		StringVar(&provisionerConfig.kubeconfig)
+
 	cmd.Flag("leader-election-namespace", "The namespace in which the leader election resource will be created.").
 		Default(config.GetenvOr("CONTOUR_PROVISIONER_NAMESPACE", "projectcontour")).
 		StringVar(&provisionerConfig.leaderElectionNamespace)
@@ -95,6 +104,10 @@ type gatewayProvisionerConfig struct {
 	// gatewayControllerName defines the controller string that this gateway provisioner instance
 	// will process GatewayClasses and Gateways for.
 	gatewayControllerName string
+
+	// Kubernetes client parameters.
+	inCluster  bool
+	kubeconfig string
 }
 
 func runGatewayProvisioner(config *gatewayProvisionerConfig) {
@@ -111,7 +124,14 @@ func runGatewayProvisioner(config *gatewayProvisionerConfig) {
 	setupLog.Info("using contour", "image", config.contourImage)
 	setupLog.Info("using envoy", "image", config.envoyImage)
 
-	mgr, err := createManager(ctrl.GetConfigOrDie(), config)
+	// Establish k8s core client connection.
+	restConfig, err := k8s.NewRestConfig(config.kubeconfig, config.inCluster)
+	if err != nil {
+		setupLog.Error(err, "failed to create REST config for Kubernetes clients")
+		os.Exit(1)
+	}
+
+	mgr, err := createManager(restConfig, config)
 	if err != nil {
 		setupLog.Error(err, "failed to create contour gateway provisioner")
 		os.Exit(1)