diff --git a/config/envoyconfig/listeners.go b/config/envoyconfig/listeners.go index 53cbddb65..8bd935677 100644 --- a/config/envoyconfig/listeners.go +++ b/config/envoyconfig/listeners.go @@ -2,6 +2,7 @@ package envoyconfig import ( "context" + "crypto/tls" "encoding/base64" "fmt" "net" @@ -99,6 +100,34 @@ func (b *Builder) BuildListeners(ctx context.Context, cfg *config.Config) ([]*en return listeners, nil } +func getAllCertificates(cfg *config.Config) ([]tls.Certificate, error) { + allCertificates, err := cfg.AllCertificates() + if err != nil { + return nil, fmt.Errorf("error collecting all certificates: %w", err) + } + wc, err := cfg.GetCertificateForServerName("*") + if err != nil { + return nil, fmt.Errorf("error getting wildcard certificate: %w", err) + } + + // wildcard certificate must be first so that it is used as the default certificate + // when no SNI matches + return append([]tls.Certificate{*wc}, allCertificates...), nil +} + +func (b *Builder) buildTLSSocket(ctx context.Context, cfg *config.Config, certs []tls.Certificate) (*envoy_config_core_v3.TransportSocket, error) { + tlsContext, err := b.buildDownstreamTLSContextMulti(ctx, cfg, certs) + if err != nil { + return nil, err + } + return &envoy_config_core_v3.TransportSocket{ + Name: "tls", + ConfigType: &envoy_config_core_v3.TransportSocket_TypedConfig{ + TypedConfig: marshalAny(tlsContext), + }, + }, nil +} + func (b *Builder) buildMainListener(ctx context.Context, cfg *config.Config) (*envoy_config_listener_v3.Listener, error) { li := newEnvoyListener("http-ingress") if cfg.Options.UseProxyProtocol { @@ -108,7 +137,7 @@ func (b *Builder) buildMainListener(ctx context.Context, cfg *config.Config) (*e if cfg.Options.InsecureServer { li.Address = buildAddress(cfg.Options.Addr, 80) - filter, err := b.buildMainHTTPConnectionManagerFilter(cfg.Options, false) + filter, err := b.buildMainHTTPConnectionManagerFilter(cfg.Options) if err != nil { return nil, err } 
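Review bot: `getAllCertificates` dereferences `*wc` without a nil check, so if `cfg.GetCertificateForServerName("*")` can ever return a nil certificate together with a nil error, the config build panics. A guard before the append, such as `if wc == nil { return nil, fmt.Errorf("no default certificate available") }`, would turn that into an ordinary error. The returned slice may also hold the default certificate twice when `cfg.AllCertificates()` already includes it; that is not visible in this diff, so it is worth confirming that a duplicate entry in the TLS context is harmless. Neither new function has a doc comment; for this one I would add `// getAllCertificates returns the default (wildcard) certificate followed by every configured certificate.` so the ordering contract is stated on the function.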
@@ -122,39 +151,25 @@ func (b *Builder) buildMainListener(ctx context.Context, cfg *config.Config) (*e li.Address = buildAddress(cfg.Options.Addr, 443) li.ListenerFilters = append(li.ListenerFilters, TLSInspectorFilter()) - allCertificates, _ := cfg.AllCertificates() - - serverNames, err := getAllServerNames(cfg, cfg.Options.Addr) + allCertificates, err := getAllCertificates(cfg) if err != nil { return nil, err } - for _, serverName := range serverNames { - requireStrictTransportSecurity := cryptutil.HasCertificateForServerName(allCertificates, serverName) - filter, err := b.buildMainHTTPConnectionManagerFilter(cfg.Options, requireStrictTransportSecurity) - if err != nil { - return nil, err - } - filterChain := &envoy_config_listener_v3.FilterChain{ - Filters: []*envoy_config_listener_v3.Filter{filter}, - } - if serverName != "*" { - filterChain.FilterChainMatch = &envoy_config_listener_v3.FilterChainMatch{ - ServerNames: []string{serverName}, - } - } - tlsContext := b.buildDownstreamTLSContext(ctx, cfg, serverName) - if tlsContext != nil { - tlsConfig := marshalAny(tlsContext) - filterChain.TransportSocket = &envoy_config_core_v3.TransportSocket{ - Name: "tls", - ConfigType: &envoy_config_core_v3.TransportSocket_TypedConfig{ - TypedConfig: tlsConfig, - }, - } - } - li.FilterChains = append(li.FilterChains, filterChain) + filter, err := b.buildMainHTTPConnectionManagerFilter(cfg.Options, allCertificates...) + if err != nil { + return nil, err } + filterChain := &envoy_config_listener_v3.FilterChain{ + Filters: []*envoy_config_listener_v3.Filter{filter}, + } + li.FilterChains = append(li.FilterChains, filterChain) + + sock, err := b.buildTLSSocket(ctx, cfg, allCertificates) + if err != nil { + return nil, fmt.Errorf("error building TLS socket: %w", err) + } + filterChain.TransportSocket = sock } return li, nil } 
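Review bot: One failing certificate now aborts the whole `http-ingress` listener, because `buildTLSSocket` is called once for the full certificate set and its error is returned. The removed loop instead left a single server name's chain without a transport socket when its TLS context came back nil. Failing closed looks like the safer behaviour, but it should be stated above the call, e.g. `// any invalid certificate aborts the listener build instead of leaving a port-443 chain without TLS`. Separately, `filterChain` is appended to `li.FilterChains` before `TransportSocket` is assigned; setting `TransportSocket: sock` in the literal, as the gRPC listener hunk does, keeps a chain from ever being registered without TLS if the error handling changes later. `buildMainListener` starts outside this hunk.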
@@ -240,7 +255,7 @@ func (b *Builder) buildMetricsListener(cfg *config.Config) (*envoy_config_listen func (b *Builder) buildMainHTTPConnectionManagerFilter( options *config.Options, - requireStrictTransportSecurity bool, + certs ...tls.Certificate, ) (*envoy_config_listener_v3.Filter, error) { authorizeURLs, err := options.GetInternalAuthorizeURLs() if err != nil { @@ -259,6 +274,7 @@ func (b *Builder) buildMainHTTPConnectionManagerFilter( var virtualHosts []*envoy_config_route_v3.VirtualHost for _, host := range allHosts { + requireStrictTransportSecurity := cryptutil.HasCertificateForServerName(certs, host) vh, err := b.buildVirtualHost(options, host, host, requireStrictTransportSecurity) if err != nil { return nil, err @@ -290,7 +306,7 @@ func (b *Builder) buildMainHTTPConnectionManagerFilter( } } - vh, err := b.buildVirtualHost(options, "catch-all", "*", requireStrictTransportSecurity) + vh, err := b.buildVirtualHost(options, "catch-all", "*", false) if err != nil { return nil, err } @@ -350,7 +366,7 @@ func (b *Builder) buildMainHTTPConnectionManagerFilter( UseRemoteAddress: &wrappers.BoolValue{Value: true}, SkipXffAppend: options.SkipXffAppend, XffNumTrustedHops: options.XffNumTrustedHops, - LocalReplyConfig: b.buildLocalReplyConfig(options, requireStrictTransportSecurity), + LocalReplyConfig: b.buildLocalReplyConfig(options, false), }), nil } 
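Review bot: The catch-all virtual host and `LocalReplyConfig` are now always built with `false`, so requests that fall through to `*` and responses Envoy generates locally never carry `Strict-Transport-Security`, even when the host being served has a certificate. If that is deliberate, say so at the call, e.g. `// local replies are not tied to a host, so HSTS is never added here` above `b.buildLocalReplyConfig(options, false)`. In the per-host loop, `allHosts` appears to contain host:port entries (the removed test expectation lists `authenticate.example.com:443` as a domain), so confirm that `cryptutil.HasCertificateForServerName(certs, host)` tolerates a port suffix; otherwise those virtual hosts silently lose the header. The function body continues outside these hunks.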
@@ -424,32 +440,21 @@ func (b *Builder) buildGRPCListener(ctx context.Context, cfg *config.Config) (*e TLSInspectorFilter(), } - serverNames, err := getAllServerNames(cfg, cfg.Options.GRPCAddr) + allCertificates, err := getAllCertificates(cfg) if err != nil { return nil, err } - for _, serverName := range serverNames { - filterChain := &envoy_config_listener_v3.FilterChain{ - Filters: []*envoy_config_listener_v3.Filter{filter}, - } - if serverName != "*" { - filterChain.FilterChainMatch = &envoy_config_listener_v3.FilterChainMatch{ - ServerNames: []string{serverName}, - } - } - tlsContext := b.buildDownstreamTLSContext(ctx, cfg, serverName) - if tlsContext != nil { - tlsConfig := marshalAny(tlsContext) - filterChain.TransportSocket = &envoy_config_core_v3.TransportSocket{ - Name: "tls", - ConfigType: &envoy_config_core_v3.TransportSocket_TypedConfig{ - TypedConfig: tlsConfig, - }, - } - } - li.FilterChains = append(li.FilterChains, filterChain) + sock, err := b.buildTLSSocket(ctx, cfg, allCertificates) + if err != nil { + return nil, fmt.Errorf("error building TLS socket: %w", err) } + + filterChain := &envoy_config_listener_v3.FilterChain{ + Filters: []*envoy_config_listener_v3.Filter{filter}, + TransportSocket: sock, + } + li.FilterChains = append(li.FilterChains, filterChain) } return li, nil } 
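Review bot: The gRPC listener now presents every certificate returned by `getAllCertificates(cfg)`, where the removed code limited itself to the names from `getAllServerNames(cfg, cfg.Options.GRPCAddr)`. Certificates for unrelated route hosts therefore become visible to anything that can reach the gRPC address. The listener also inherits the validation context built in `buildDownstreamTLSContextMulti`, and nothing in this hunk shows a client certificate being checked on the gRPC path the way the comment in that function describes for the authorize service. If both effects are intended, record it at the call, e.g. `// gRPC shares the ingress certificate set; client certificates presented here are not used for authentication`, once that has been confirmed. `buildGRPCListener` begins outside the hunk.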
@@ -519,65 +524,46 @@ func (b *Builder) buildRouteConfiguration(name string, virtualHosts []*envoy_con }, nil } -func (b *Builder) buildDownstreamTLSContext(ctx context.Context, +func (b *Builder) buildDownstreamTLSContextMulti( + ctx context.Context, cfg *config.Config, - serverName string, -) *envoy_extensions_transport_sockets_tls_v3.DownstreamTlsContext { - cert, err := cfg.GetCertificateForServerName(serverName) - if err != nil { - log.Warn(ctx).Str("domain", serverName).Err(err).Msg("failed to get certificate for domain") - return nil + certs []tls.Certificate) ( + *envoy_extensions_transport_sockets_tls_v3.DownstreamTlsContext, + error, +) { + envoyCerts := make([]*envoy_extensions_transport_sockets_tls_v3.TlsCertificate, 0, len(certs)) + for i := range certs { + cert := &certs[i] + if err := validateCertificate(cert); err != nil { + return nil, fmt.Errorf("invalid certificate for domain %s: %w", cert.Leaf.Subject.CommonName, err) + } + envoyCert := b.envoyTLSCertificateFromGoTLSCertificate(ctx, cert) + envoyCerts = append(envoyCerts, envoyCert) } - - err = validateCertificate(cert) - if err != nil { - log.Warn(ctx).Str("domain", serverName).Err(err).Msg("invalid certificate for domain") - return nil - } - - var alpnProtocols []string - switch cfg.Options.GetCodecType() { - case config.CodecTypeHTTP1: - alpnProtocols = []string{"http/1.1"} - case config.CodecTypeHTTP2: - alpnProtocols = []string{"h2"} - default: - alpnProtocols = []string{"h2", "http/1.1"} - } - - envoyCert := b.envoyTLSCertificateFromGoTLSCertificate(ctx, cert) return &envoy_extensions_transport_sockets_tls_v3.DownstreamTlsContext{ CommonTlsContext: &envoy_extensions_transport_sockets_tls_v3.CommonTlsContext{ TlsParams: tlsParams, - TlsCertificates: []*envoy_extensions_transport_sockets_tls_v3.TlsCertificate{envoyCert}, - AlpnProtocols: alpnProtocols, - ValidationContextType: b.buildDownstreamValidationContext(ctx, cfg, serverName), - }, + TlsCertificates: envoyCerts, + AlpnProtocols: 
getALPNProtos(cfg.Options), + ValidationContextType: b.buildDownstreamValidationContext(ctx, cfg), + }}, nil +} + +func getALPNProtos(opts *config.Options) []string { + switch opts.GetCodecType() { + case config.CodecTypeHTTP1: + return []string{"http/1.1"} + case config.CodecTypeHTTP2: + return []string{"h2"} + default: + return []string{"h2", "http/1.1"} } } -func (b *Builder) buildDownstreamValidationContext(ctx context.Context, +func (b *Builder) buildDownstreamValidationContext( + ctx context.Context, cfg *config.Config, - serverName string, ) *envoy_extensions_transport_sockets_tls_v3.CommonTlsContext_ValidationContext { - needsClientCert := false - - if ca, _ := cfg.Options.GetClientCA(); len(ca) > 0 { - needsClientCert = true - } - if !needsClientCert { - for _, p := range getPoliciesForServerName(cfg.Options, serverName) { - if p.TLSDownstreamClientCA != "" { - needsClientCert = true - break - } - } - } - - if !needsClientCert { - return nil - } - // trusted_ca is left blank because we verify the client certificate in the authorize service vc := &envoy_extensions_transport_sockets_tls_v3.CommonTlsContext_ValidationContext{ ValidationContext: &envoy_extensions_transport_sockets_tls_v3.CertificateValidationContext{ @@ -670,16 +656,6 @@ func urlMatchesHost(u *url.URL, host string) bool { return false } -func getPoliciesForServerName(options *config.Options, serverName string) []config.Policy { - var policies []config.Policy - for _, p := range options.GetAllPolicies() { - if p.Source != nil && urlutil.MatchesServerName(*p.Source.URL, serverName) { - policies = append(policies, p) - } - } - return policies -} - // newEnvoyListener creates envoy listener with certain default values func newEnvoyListener(name string) *envoy_config_listener_v3.Listener { return &envoy_config_listener_v3.Listener{ diff --git a/config/envoyconfig/listeners_test.go b/config/envoyconfig/listeners_test.go index 72357711c..a8b67e909 100644 --- a/config/envoyconfig/listeners_test.go 
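Review bot: The error path in `buildDownstreamTLSContextMulti` reads `cert.Leaf.Subject.CommonName`, and `tls.Certificate.Leaf` can be nil when a certificate was loaded without its leaf being parsed. A failed validation may therefore panic instead of returning the error, unless `validateCertificate`, which is outside this diff, guarantees a parsed leaf. Identifying the certificate by position avoids the dereference: `return nil, fmt.Errorf("invalid certificate at index %d: %w", i, err)`. In the same hunk `buildDownstreamValidationContext` loses its `needsClientCert` gate, so the validation context is attached to every downstream TLS context and enforcement rests entirely on the authorize service. The retained `trusted_ca` comment should say so, e.g. `// always set: client certificates are accepted without chain verification at the TLS layer and checked only by the authorize service`; the body of that function continues past the end of the hunk.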
+++ b/config/envoyconfig/listeners_test.go @@ -1,11 +1,14 @@ package envoyconfig import ( + "bytes" "context" + "embed" "encoding/base64" "os" "path/filepath" "testing" + "text/template" envoy_config_route_v3 "github.com/envoyproxy/go-control-plane/envoy/config/route/v3" "github.com/stretchr/testify/assert" @@ -22,6 +25,20 @@ const ( aExampleComKey = `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` ) +var ( + //go:embed testdata/*.json + testDataFS embed.FS + testDataTemplate = template.Must(template.ParseFS(testDataFS, "testdata/*.json")) +) + +func testData(t *testing.T, name string, data interface{}) string { + t.Helper() + var buf bytes.Buffer + err := testDataTemplate.ExecuteTemplate(&buf, name, data) + require.NoError(t, err) + return buf.String() +} + func Test_buildMetricsHTTPConnectionManagerFilter(t *testing.T) { cacheDir, _ := os.UserCacheDir() certFileName := filepath.Join(cacheDir, "pomerium", "envoy", "files", "tls-crt-354e49305a5a39414a545530374e58454e48334148524c4e324258463837364355564c4e4532464b54355139495547514a38.pem") 
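Review bot: `testData` has no doc comment and renders JSON through `text/template`, which inserts values verbatim. A path containing a backslash or a quote (a Windows cache directory, for instance) would produce an invalid JSON expectation. How the templates quote their fields is not visible here, so this may already be handled inside `testdata/*.json`. I would add `// testData renders the named testdata template; data values are inserted unescaped and must be JSON-safe.` and write `any` instead of `interface{}` if the module's Go version allows it.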
@@ -35,92 +52,10 @@ func Test_buildMetricsHTTPConnectionManagerFilter(t *testing.T) { MetricsCertificateKey: aExampleComKey, }, }) + + expect := testData(t, "metrics_http_connection_manager.json", struct{ CertFile, KeyFile string }{certFileName, keyFileName}) require.NoError(t, err) - testutil.AssertProtoJSONEqual(t, ` -{ - "name": "metrics-ingress-18010634919562279975", - "perConnectionBufferLimitBytes": 32768, - "address": { - "socketAddress": { - "address": "127.0.0.1", - "portValue": 9902 - } - }, - "filterChains": [{ - "filters": [{ - "name": "envoy.filters.network.http_connection_manager", - "typedConfig": { - "@type": "type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager", - "httpFilters": [{ - "name": "envoy.filters.http.router", - "typedConfig": { - "@type": "type.googleapis.com/envoy.extensions.filters.http.router.v3.Router" - } - }], - "routeConfig": { - "name": "metrics", - "validateClusters": false, - "virtualHosts": [{ - "name": "metrics", - "domains": ["*"], - "routes": [ - { - "name": "envoy-metrics", - "match": { - "prefix": "/metrics/envoy" - }, - "route": { - "cluster": "pomerium-envoy-admin", - "prefixRewrite": "/stats/prometheus" - } - }, - { - "name": "metrics", - "match": { - "prefix": "/" - }, - "route": { - "cluster": "pomerium-control-plane-metrics" - } - } - ] - }] - }, - "statPrefix": "metrics" - } - }], - "transportSocket": { - "name": "tls", - "typedConfig": { - "@type": "type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext", - "commonTlsContext": { - "tlsParams": { - "cipherSuites": [ - "ECDHE-ECDSA-AES256-GCM-SHA384", - "ECDHE-RSA-AES256-GCM-SHA384", - "ECDHE-ECDSA-AES128-GCM-SHA256", - "ECDHE-RSA-AES128-GCM-SHA256", - "ECDHE-ECDSA-CHACHA20-POLY1305", - "ECDHE-RSA-CHACHA20-POLY1305" - ], - "tlsMinimumProtocolVersion": "TLSv1_2" - }, - "alpnProtocols": ["h2", "http/1.1"], - "tlsCertificates": [ - { - "certificateChain": { - "filename": "`+certFileName+`" - 
}, - "privateKey": { - "filename": "`+keyFileName+`" - } - } - ] - } - } - } - }] -}`, li) + testutil.AssertProtoJSONEqual(t, expect, li) } func Test_buildMainHTTPConnectionManagerFilter(t *testing.T) { 
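Review bot: `expect := testData(...)` is inserted between the call under test and its `require.NoError(t, err)`, so the error check now reads as if it belonged to the template rendering. Moving the new line below the check keeps failure attribution clear: `require.NoError(t, err)` first, then `expect := testData(t, "metrics_http_connection_manager.json", ...)`. The call that assigns `err` starts outside this hunk.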
@@ -130,677 +65,17 @@ func Test_buildMainHTTPConnectionManagerFilter(t *testing.T) { options.SkipXffAppend = true options.XffNumTrustedHops = 1 options.AuthenticateURLString = "https://authenticate.example.com" - filter, err := b.buildMainHTTPConnectionManagerFilter(options, true) + filter, err := b.buildMainHTTPConnectionManagerFilter(options) require.NoError(t, err) - testutil.AssertProtoJSONEqual(t, `{ - "name": "envoy.filters.network.http_connection_manager", - "typedConfig": { - "@type": "type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager", - "accessLog": [{ - "name": "envoy.access_loggers.http_grpc", - "typedConfig": { - "@type": "type.googleapis.com/envoy.extensions.access_loggers.grpc.v3.HttpGrpcAccessLogConfig", - "commonConfig": { - "grpcService": { - "envoyGrpc": { - "clusterName": "pomerium-control-plane-grpc" - } - }, - "logName": "ingress-http", - "transportApiVersion": "V3" - } - } - }], - "alwaysSetRequestIdInResponse": true, - "commonHttpProtocolOptions": { - "idleTimeout": "300s" - }, - "httpFilters": [ - { - "name": "envoy.filters.http.lua", - "typedConfig": { - "@type": "type.googleapis.com/envoy.extensions.filters.http.lua.v3.Lua", - "defaultSourceCode": { - "inlineString": "local function starts_with(str, start)\n return str:sub(1, #start) == start\nend\n\nfunction envoy_on_request(request_handle)\n local headers = request_handle:headers()\n local metadata = request_handle:metadata()\n\n local remove_impersonate_headers = metadata:get(\"remove_impersonate_headers\")\n if remove_impersonate_headers then\n local to_remove = {}\n for k, v in pairs(headers) do\n if starts_with(k, \"impersonate-extra-\") or k == \"impersonate-group\" or k == \"impersonate-user\" then\n table.insert(to_remove, k)\n end\n end\n\n for k, v in pairs(to_remove) do\n headers:remove(v)\n end\n end\nend\n\nfunction envoy_on_response(response_handle)\nend\n" - } - } - }, - { - "name": "envoy.filters.http.ext_authz", - 
"typedConfig": { - "@type": "type.googleapis.com/envoy.extensions.filters.http.ext_authz.v3.ExtAuthz", - "grpcService": { - "envoyGrpc": { - "clusterName": "pomerium-authorize" - }, - "timeout": "10s" - }, - "includePeerCertificate": true, - "statusOnError": { - "code": "InternalServerError" - }, - "transportApiVersion": "V3" - } - }, - { - "name": "envoy.filters.http.lua", - "typedConfig": { - "@type": "type.googleapis.com/envoy.extensions.filters.http.lua.v3.Lua", - "defaultSourceCode": { - "inlineString": "function envoy_on_request(request_handle)\n local headers = request_handle:headers()\n local dynamic_meta = request_handle:streamInfo():dynamicMetadata()\n if headers:get(\"x-pomerium-set-cookie\") ~= nil then\n dynamic_meta:set(\"envoy.filters.http.lua\", \"pomerium_set_cookie\",\n headers:get(\"x-pomerium-set-cookie\"))\n headers:remove(\"x-pomerium-set-cookie\")\n end\nend\n\nfunction envoy_on_response(response_handle)\n local headers = response_handle:headers()\n local dynamic_meta = response_handle:streamInfo():dynamicMetadata()\n local tbl = dynamic_meta:get(\"envoy.filters.http.lua\")\n if tbl ~= nil and tbl[\"pomerium_set_cookie\"] ~= nil then\n headers:add(\"set-cookie\", tbl[\"pomerium_set_cookie\"])\n end\nend\n" - } - } - }, - { - "name": "envoy.filters.http.lua", - "typedConfig": { - "@type": "type.googleapis.com/envoy.extensions.filters.http.lua.v3.Lua", - "defaultSourceCode": { - "inlineString": "function remove_pomerium_cookie(cookie_name, cookie)\n -- lua doesn't support optional capture groups\n -- so we replace twice to handle pomerium=xyz at the end of the string\n cookie = cookie:gsub(cookie_name .. \"=[^;]+; \", \"\")\n cookie = cookie:gsub(cookie_name .. 
\"=[^;]+\", \"\")\n return cookie\nend\n\nfunction has_prefix(str, prefix)\n return str ~= nil and str:sub(1, #prefix) == prefix\nend\n\nfunction envoy_on_request(request_handle)\n local headers = request_handle:headers()\n local metadata = request_handle:metadata()\n\n local remove_cookie_name = metadata:get(\"remove_pomerium_cookie\")\n if remove_cookie_name then\n local cookie = headers:get(\"cookie\")\n if cookie ~= nil then\n newcookie = remove_pomerium_cookie(remove_cookie_name, cookie)\n headers:replace(\"cookie\", newcookie)\n end\n end\n\n local remove_authorization = metadata:get(\"remove_pomerium_authorization\")\n if remove_authorization then\n local authorization = headers:get(\"authorization\")\n local authorization_prefix = \"Pomerium \"\n if has_prefix(authorization, authorization_prefix) then\n headers:remove(\"authorization\")\n end\n\n headers:remove('x-pomerium-authorization')\n end\nend\n\nfunction envoy_on_response(response_handle) end\n" - } - } - }, - { - "name": "envoy.filters.http.lua", - "typedConfig": { - "@type": "type.googleapis.com/envoy.extensions.filters.http.lua.v3.Lua", - "defaultSourceCode": { - "inlineString": "function replace_prefix(str, prefix, value)\n return str:gsub(\"^\"..prefix, value)\nend\n\nfunction envoy_on_request(request_handle)\nend\n\nfunction envoy_on_response(response_handle)\n local headers = response_handle:headers()\n local metadata = response_handle:metadata()\n\n -- should be in the form:\n -- [{\n -- \"header\":\"Location\",\n -- \"prefix\":\"http://localhost:8000/two/\",\n -- \"value\":\"http://frontend/one/\"\n -- }]\n local rewrite_response_headers = metadata:get(\"rewrite_response_headers\")\n if rewrite_response_headers then\n for _, obj in pairs(rewrite_response_headers) do\n local hdr = headers:get(obj.header)\n if hdr ~= nil then\n local newhdr = replace_prefix(hdr, obj.prefix, obj.value)\n headers:replace(obj.header, newhdr)\n end\n end\n end\nend\n" - } - } - }, - { - "name": 
"envoy.filters.http.router", - "typedConfig": { - "@type": "type.googleapis.com/envoy.extensions.filters.http.router.v3.Router" - } - } - ], - "requestTimeout": "30s", - "routeConfig": { - "name": "main", - "virtualHosts": [ - { - "name": "authenticate.example.com", - "domains": ["authenticate.example.com"], - "responseHeadersToAdd": [{ - "appendAction": "OVERWRITE_IF_EXISTS_OR_ADD", - "header": { - "key": "Strict-Transport-Security", - "value": "max-age=31536000; includeSubDomains; preload" - } - }, - { - "appendAction": "OVERWRITE_IF_EXISTS_OR_ADD", - "header": { - "key": "X-Frame-Options", - "value": "SAMEORIGIN" - } - }, - { - "appendAction": "OVERWRITE_IF_EXISTS_OR_ADD", - "header": { - "key": "X-XSS-Protection", - "value": "1; mode=block" - } - }], - "routes": [ - { - "name": "pomerium-path-/.pomerium/jwt", - "match": { - "path": "/.pomerium/jwt" - }, - "route": { - "cluster": "pomerium-control-plane-http" - } - }, - { - "name": "pomerium-path-/.pomerium/webauthn", - "match": { - "path": "/.pomerium/webauthn" - }, - "route": { - "cluster": "pomerium-control-plane-http" - } - }, - { - "name": "pomerium-path-/ping", - "match": { - "path": "/ping" - }, - "route": { - "cluster": "pomerium-control-plane-http" - }, - "typedPerFilterConfig": { - "envoy.filters.http.ext_authz": { - "@type": "type.googleapis.com/envoy.extensions.filters.http.ext_authz.v3.ExtAuthzPerRoute", - "disabled": true - } - } - }, - { - "name": "pomerium-path-/healthz", - "match": { - "path": "/healthz" - }, - "route": { - "cluster": "pomerium-control-plane-http" - }, - "typedPerFilterConfig": { - "envoy.filters.http.ext_authz": { - "@type": "type.googleapis.com/envoy.extensions.filters.http.ext_authz.v3.ExtAuthzPerRoute", - "disabled": true - } - } - }, - { - "name": "pomerium-path-/.pomerium", - "match": { - "path": "/.pomerium" - }, - "route": { - "cluster": "pomerium-control-plane-http" - }, - "typedPerFilterConfig": { - "envoy.filters.http.ext_authz": { - "@type": 
"type.googleapis.com/envoy.extensions.filters.http.ext_authz.v3.ExtAuthzPerRoute", - "disabled": true - } - } - }, - { - "name": "pomerium-prefix-/.pomerium/", - "match": { - "prefix": "/.pomerium/" - }, - "route": { - "cluster": "pomerium-control-plane-http" - }, - "typedPerFilterConfig": { - "envoy.filters.http.ext_authz": { - "@type": "type.googleapis.com/envoy.extensions.filters.http.ext_authz.v3.ExtAuthzPerRoute", - "disabled": true - } - } - }, - { - "name": "pomerium-path-/.well-known/pomerium", - "match": { - "path": "/.well-known/pomerium" - }, - "route": { - "cluster": "pomerium-control-plane-http" - }, - "typedPerFilterConfig": { - "envoy.filters.http.ext_authz": { - "@type": "type.googleapis.com/envoy.extensions.filters.http.ext_authz.v3.ExtAuthzPerRoute", - "disabled": true - } - } - }, - { - "name": "pomerium-prefix-/.well-known/pomerium/", - "match": { - "prefix": "/.well-known/pomerium/" - }, - "route": { - "cluster": "pomerium-control-plane-http" - }, - "typedPerFilterConfig": { - "envoy.filters.http.ext_authz": { - "@type": "type.googleapis.com/envoy.extensions.filters.http.ext_authz.v3.ExtAuthzPerRoute", - "disabled": true - } - } - }, - { - "name": "pomerium-path-/robots.txt", - "match": { - "path": "/robots.txt" - }, - "route": { - "cluster": "pomerium-control-plane-http" - }, - "typedPerFilterConfig": { - "envoy.filters.http.ext_authz": { - "@type": "type.googleapis.com/envoy.extensions.filters.http.ext_authz.v3.ExtAuthzPerRoute", - "disabled": true - } - } - }, - { - "name": "pomerium-path-/oauth2/callback", - "match": { - "path": "/oauth2/callback" - }, - "route": { - "cluster": "pomerium-control-plane-http" - }, - "typedPerFilterConfig": { - "envoy.filters.http.ext_authz": { - "@type": "type.googleapis.com/envoy.extensions.filters.http.ext_authz.v3.ExtAuthzPerRoute", - "disabled": true - } - } - }, - { - "name": "pomerium-path-/", - "match": { - "path": "/" - }, - "route": { - "cluster": "pomerium-control-plane-http" - }, - 
"typedPerFilterConfig": { - "envoy.filters.http.ext_authz": { - "@type": "type.googleapis.com/envoy.extensions.filters.http.ext_authz.v3.ExtAuthzPerRoute", - "disabled": true - } - } - } - ] - }, - { - "name": "authenticate.example.com:443", - "domains": ["authenticate.example.com:443"], - "responseHeadersToAdd": [{ - "appendAction": "OVERWRITE_IF_EXISTS_OR_ADD", - "header": { - "key": "Strict-Transport-Security", - "value": "max-age=31536000; includeSubDomains; preload" - } - }, - { - "appendAction": "OVERWRITE_IF_EXISTS_OR_ADD", - "header": { - "key": "X-Frame-Options", - "value": "SAMEORIGIN" - } - }, - { - "appendAction": "OVERWRITE_IF_EXISTS_OR_ADD", - "header": { - "key": "X-XSS-Protection", - "value": "1; mode=block" - } - }], - "routes": [ - { - "name": "pomerium-path-/.pomerium/jwt", - "match": { - "path": "/.pomerium/jwt" - }, - "route": { - "cluster": "pomerium-control-plane-http" - } - }, - { - "name": "pomerium-path-/.pomerium/webauthn", - "match": { - "path": "/.pomerium/webauthn" - }, - "route": { - "cluster": "pomerium-control-plane-http" - } - }, - { - "name": "pomerium-path-/ping", - "match": { - "path": "/ping" - }, - "route": { - "cluster": "pomerium-control-plane-http" - }, - "typedPerFilterConfig": { - "envoy.filters.http.ext_authz": { - "@type": "type.googleapis.com/envoy.extensions.filters.http.ext_authz.v3.ExtAuthzPerRoute", - "disabled": true - } - } - }, - { - "name": "pomerium-path-/healthz", - "match": { - "path": "/healthz" - }, - "route": { - "cluster": "pomerium-control-plane-http" - }, - "typedPerFilterConfig": { - "envoy.filters.http.ext_authz": { - "@type": "type.googleapis.com/envoy.extensions.filters.http.ext_authz.v3.ExtAuthzPerRoute", - "disabled": true - } - } - }, - { - "name": "pomerium-path-/.pomerium", - "match": { - "path": "/.pomerium" - }, - "route": { - "cluster": "pomerium-control-plane-http" - }, - "typedPerFilterConfig": { - "envoy.filters.http.ext_authz": { - "@type": 
"type.googleapis.com/envoy.extensions.filters.http.ext_authz.v3.ExtAuthzPerRoute", - "disabled": true - } - } - }, - { - "name": "pomerium-prefix-/.pomerium/", - "match": { - "prefix": "/.pomerium/" - }, - "route": { - "cluster": "pomerium-control-plane-http" - }, - "typedPerFilterConfig": { - "envoy.filters.http.ext_authz": { - "@type": "type.googleapis.com/envoy.extensions.filters.http.ext_authz.v3.ExtAuthzPerRoute", - "disabled": true - } - } - }, - { - "name": "pomerium-path-/.well-known/pomerium", - "match": { - "path": "/.well-known/pomerium" - }, - "route": { - "cluster": "pomerium-control-plane-http" - }, - "typedPerFilterConfig": { - "envoy.filters.http.ext_authz": { - "@type": "type.googleapis.com/envoy.extensions.filters.http.ext_authz.v3.ExtAuthzPerRoute", - "disabled": true - } - } - }, - { - "name": "pomerium-prefix-/.well-known/pomerium/", - "match": { - "prefix": "/.well-known/pomerium/" - }, - "route": { - "cluster": "pomerium-control-plane-http" - }, - "typedPerFilterConfig": { - "envoy.filters.http.ext_authz": { - "@type": "type.googleapis.com/envoy.extensions.filters.http.ext_authz.v3.ExtAuthzPerRoute", - "disabled": true - } - } - }, - { - "name": "pomerium-path-/robots.txt", - "match": { - "path": "/robots.txt" - }, - "route": { - "cluster": "pomerium-control-plane-http" - }, - "typedPerFilterConfig": { - "envoy.filters.http.ext_authz": { - "@type": "type.googleapis.com/envoy.extensions.filters.http.ext_authz.v3.ExtAuthzPerRoute", - "disabled": true - } - } - }, - { - "name": "pomerium-path-/oauth2/callback", - "match": { - "path": "/oauth2/callback" - }, - "route": { - "cluster": "pomerium-control-plane-http" - }, - "typedPerFilterConfig": { - "envoy.filters.http.ext_authz": { - "@type": "type.googleapis.com/envoy.extensions.filters.http.ext_authz.v3.ExtAuthzPerRoute", - "disabled": true - } - } - }, - { - "name": "pomerium-path-/", - "match": { - "path": "/" - }, - "route": { - "cluster": "pomerium-control-plane-http" - }, - 
"typedPerFilterConfig": { - "envoy.filters.http.ext_authz": { - "@type": "type.googleapis.com/envoy.extensions.filters.http.ext_authz.v3.ExtAuthzPerRoute", - "disabled": true - } - } - } - ] - }, - { - "name": "catch-all", - "domains": ["*"], - "responseHeadersToAdd": [{ - "appendAction": "OVERWRITE_IF_EXISTS_OR_ADD", - "header": { - "key": "Strict-Transport-Security", - "value": "max-age=31536000; includeSubDomains; preload" - } - }, - { - "appendAction": "OVERWRITE_IF_EXISTS_OR_ADD", - "header": { - "key": "X-Frame-Options", - "value": "SAMEORIGIN" - } - }, - { - "appendAction": "OVERWRITE_IF_EXISTS_OR_ADD", - "header": { - "key": "X-XSS-Protection", - "value": "1; mode=block" - } - }], - "routes": [ - { - "name": "pomerium-path-/.pomerium/jwt", - "match": { - "path": "/.pomerium/jwt" - }, - "route": { - "cluster": "pomerium-control-plane-http" - } - }, - { - "name": "pomerium-path-/.pomerium/webauthn", - "match": { - "path": "/.pomerium/webauthn" - }, - "route": { - "cluster": "pomerium-control-plane-http" - } - }, - { - "name": "pomerium-path-/ping", - "match": { - "path": "/ping" - }, - "route": { - "cluster": "pomerium-control-plane-http" - }, - "typedPerFilterConfig": { - "envoy.filters.http.ext_authz": { - "@type": "type.googleapis.com/envoy.extensions.filters.http.ext_authz.v3.ExtAuthzPerRoute", - "disabled": true - } - } - }, - { - "name": "pomerium-path-/healthz", - "match": { - "path": "/healthz" - }, - "route": { - "cluster": "pomerium-control-plane-http" - }, - "typedPerFilterConfig": { - "envoy.filters.http.ext_authz": { - "@type": "type.googleapis.com/envoy.extensions.filters.http.ext_authz.v3.ExtAuthzPerRoute", - "disabled": true - } - } - }, - { - "name": "pomerium-path-/.pomerium", - "match": { - "path": "/.pomerium" - }, - "route": { - "cluster": "pomerium-control-plane-http" - }, - "typedPerFilterConfig": { - "envoy.filters.http.ext_authz": { - "@type": "type.googleapis.com/envoy.extensions.filters.http.ext_authz.v3.ExtAuthzPerRoute", - 
"disabled": true - } - } - }, - { - "name": "pomerium-prefix-/.pomerium/", - "match": { - "prefix": "/.pomerium/" - }, - "route": { - "cluster": "pomerium-control-plane-http" - }, - "typedPerFilterConfig": { - "envoy.filters.http.ext_authz": { - "@type": "type.googleapis.com/envoy.extensions.filters.http.ext_authz.v3.ExtAuthzPerRoute", - "disabled": true - } - } - }, - { - "name": "pomerium-path-/.well-known/pomerium", - "match": { - "path": "/.well-known/pomerium" - }, - "route": { - "cluster": "pomerium-control-plane-http" - }, - "typedPerFilterConfig": { - "envoy.filters.http.ext_authz": { - "@type": "type.googleapis.com/envoy.extensions.filters.http.ext_authz.v3.ExtAuthzPerRoute", - "disabled": true - } - } - }, - { - "name": "pomerium-prefix-/.well-known/pomerium/", - "match": { - "prefix": "/.well-known/pomerium/" - }, - "route": { - "cluster": "pomerium-control-plane-http" - }, - "typedPerFilterConfig": { - "envoy.filters.http.ext_authz": { - "@type": "type.googleapis.com/envoy.extensions.filters.http.ext_authz.v3.ExtAuthzPerRoute", - "disabled": true - } - } - }, - { - "name": "pomerium-path-/robots.txt", - "match": { - "path": "/robots.txt" - }, - "route": { - "cluster": "pomerium-control-plane-http" - }, - "typedPerFilterConfig": { - "envoy.filters.http.ext_authz": { - "@type": "type.googleapis.com/envoy.extensions.filters.http.ext_authz.v3.ExtAuthzPerRoute", - "disabled": true - } - } - } - ] - } - ], - "validateClusters": false - }, - "statPrefix": "ingress", - "tracing": { - "randomSampling": { - "value": 0.01 - } - }, - "useRemoteAddress": true, - "skipXffAppend": true, - "xffNumTrustedHops": 1, - "httpProtocolOptions": { - "headerKeyFormat": { - "statefulFormatter": { - "name": "preserve_case", - "typedConfig": { - "@type": "type.googleapis.com/envoy.extensions.http.header_formatters.preserve_case.v3.PreserveCaseFormatterConfig" - } - } - } - }, - "localReplyConfig":{ - "mappers":[ - { - "filter":{ - "responseFlagFilter":{} - }, - "headersToAdd":[ - 
{ - "appendAction": "OVERWRITE_IF_EXISTS_OR_ADD", - "header":{ - "key":"Strict-Transport-Security", - "value":"max-age=31536000; includeSubDomains; preload" - } - }, - { - "appendAction": "OVERWRITE_IF_EXISTS_OR_ADD", - "header":{ - "key":"X-Frame-Options", - "value":"SAMEORIGIN" - } - }, - { - "appendAction": "OVERWRITE_IF_EXISTS_OR_ADD", - "header":{ - "key":"X-XSS-Protection", - "value":"1; mode=block" - } - } - ] - } - ] - } - } - }`, filter) + testutil.AssertProtoJSONEqual(t, testData(t, "main_http_connection_manager_filter.json", nil), filter) } func Test_buildDownstreamTLSContext(t *testing.T) { b := New("local-grpc", "local-http", "local-metrics", filemgr.NewManager(), nil) - cacheDir, _ := os.UserCacheDir() - certFileName := filepath.Join(cacheDir, "pomerium", "envoy", "files", "tls-crt-354e49305a5a39414a545530374e58454e48334148524c4e324258463837364355564c4e4532464b54355139495547514a38.pem") - keyFileName := filepath.Join(cacheDir, "pomerium", "envoy", "files", "tls-key-3350415a38414e4e4a4655424e55393430474147324651433949384e485341334b5157364f424b4c5856365a545937383735.pem") - t.Run("no-validation", func(t *testing.T) { - downstreamTLSContext := b.buildDownstreamTLSContext(context.Background(), &config.Config{Options: &config.Options{ - Cert: aExampleComCert, - Key: aExampleComKey, - }}, "a.example.com") - + downstreamTLSContext, err := b.buildDownstreamTLSContextMulti(context.Background(), &config.Config{Options: &config.Options{}}, nil) + require.NoError(t, err) testutil.AssertProtoJSONEqual(t, `{ "commonTlsContext": { "tlsParams": { 
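Review bot: `Test_buildMainHTTPConnectionManagerFilter` now calls `buildMainHTTPConnectionManagerFilter(options)` with no certificates, where it used to pass `true`, so no call visible in this diff exercises the branch that adds `Strict-Transport-Security` for a host with a matching certificate. The same holds for the `Test_buildDownstreamTLSContext` subtests here and in the following hunks: they all pass `nil` for `certs` and drop the `tlsCertificates` expectation, which leaves the certificate conversion and the `validateCertificate` error path untested. A case that passes a certificate parsed from `aExampleComCert` and `aExampleComKey` would cover both. The expected JSON now lives under `testdata/`, which is not part of the visible diff.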
@@ -815,26 +90,17 @@ func Test_buildDownstreamTLSContext(t *testing.T) { "tlsMinimumProtocolVersion": "TLSv1_2" }, "alpnProtocols": ["h2", "http/1.1"], - "tlsCertificates": [ - { - "certificateChain": { - "filename": "`+certFileName+`" - }, - "privateKey": { - "filename": "`+keyFileName+`" - } - } - ] + "validationContext": { + "trustChainVerification": "ACCEPT_UNTRUSTED" + } } }`, downstreamTLSContext) }) t.Run("client-ca", func(t *testing.T) { - downstreamTLSContext := b.buildDownstreamTLSContext(context.Background(), &config.Config{Options: &config.Options{ - Cert: aExampleComCert, - Key: aExampleComKey, + downstreamTLSContext, err := b.buildDownstreamTLSContextMulti(context.Background(), &config.Config{Options: &config.Options{ ClientCA: "TEST", - }}, "a.example.com") - + }}, nil) + require.NoError(t, err) testutil.AssertProtoJSONEqual(t, `{ "commonTlsContext": { "tlsParams": { @@ -849,16 +115,6 @@ func Test_buildDownstreamTLSContext(t *testing.T) { "tlsMinimumProtocolVersion": "TLSv1_2" }, "alpnProtocols": ["h2", "http/1.1"], - "tlsCertificates": [ - { - "certificateChain": { - "filename": "`+certFileName+`" - }, - "privateKey": { - "filename": "`+keyFileName+`" - } - } - ], "validationContext": { "trustChainVerification": "ACCEPT_UNTRUSTED" } @@ -866,16 +122,15 @@ func Test_buildDownstreamTLSContext(t *testing.T) { }`, downstreamTLSContext) }) t.Run("policy-client-ca", func(t *testing.T) { - downstreamTLSContext := b.buildDownstreamTLSContext(context.Background(), &config.Config{Options: &config.Options{ - Cert: aExampleComCert, - Key: aExampleComKey, + downstreamTLSContext, err := b.buildDownstreamTLSContextMulti(context.Background(), &config.Config{Options: &config.Options{ Policies: []config.Policy{ { Source: &config.StringURL{URL: mustParseURL(t, "https://a.example.com:1234")}, TLSDownstreamClientCA: "TEST", }, }, - }}, "a.example.com") + }}, nil) + require.NoError(t, err) testutil.AssertProtoJSONEqual(t, `{ "commonTlsContext": { 
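Review bot: The "no-validation" subtest now expects `"validationContext": { "trustChainVerification": "ACCEPT_UNTRUSTED" }` for an empty `config.Options`, so its name no longer describes what it pins; the http1 and http2 expectations in the `@@ -928` and `@@ -962` hunks gain the same block. With this setting Envoy permits the connection even when the client certificate fails verification, so whatever enforces client certificates has to sit after the TLS handshake (presumably the authorize step, which is not visible here). I would rename the subtest, e.g. `t.Run("no-client-ca", ...)`, and add a comment above it such as `// ACCEPT_UNTRUSTED: the handshake never rejects a client cert; enforcement happens later`. Test_buildDownstreamTLSContext starts before this hunk and continues after it.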
@@ -891,16 +146,6 @@ func Test_buildDownstreamTLSContext(t *testing.T) { "tlsMinimumProtocolVersion": "TLSv1_2" }, "alpnProtocols": ["h2", "http/1.1"], - "tlsCertificates": [ - { - "certificateChain": { - "filename": "`+certFileName+`" - }, - "privateKey": { - "filename": "`+keyFileName+`" - } - } - ], "validationContext": { "trustChainVerification": "ACCEPT_UNTRUSTED" } @@ -908,11 +153,12 @@ func Test_buildDownstreamTLSContext(t *testing.T) { }`, downstreamTLSContext) }) t.Run("http1", func(t *testing.T) { - downstreamTLSContext := b.buildDownstreamTLSContext(context.Background(), &config.Config{Options: &config.Options{ + downstreamTLSContext, err := b.buildDownstreamTLSContextMulti(context.Background(), &config.Config{Options: &config.Options{ Cert: aExampleComCert, Key: aExampleComKey, CodecType: config.CodecTypeHTTP1, - }}, "a.example.com") + }}, nil) + require.NoError(t, err) testutil.AssertProtoJSONEqual(t, `{ "commonTlsContext": { @@ -928,25 +174,19 @@ func Test_buildDownstreamTLSContext(t *testing.T) { "tlsMinimumProtocolVersion": "TLSv1_2" }, "alpnProtocols": ["http/1.1"], - "tlsCertificates": [ - { - "certificateChain": { - "filename": "`+certFileName+`" - }, - "privateKey": { - "filename": "`+keyFileName+`" - } - } - ] + "validationContext": { + "trustChainVerification": "ACCEPT_UNTRUSTED" + } } }`, downstreamTLSContext) }) t.Run("http2", func(t *testing.T) { - downstreamTLSContext := b.buildDownstreamTLSContext(context.Background(), &config.Config{Options: &config.Options{ + downstreamTLSContext, err := b.buildDownstreamTLSContextMulti(context.Background(), &config.Config{Options: &config.Options{ Cert: aExampleComCert, Key: aExampleComKey, CodecType: config.CodecTypeHTTP2, - }}, "a.example.com") + }}, nil) + require.NoError(t, err) testutil.AssertProtoJSONEqual(t, `{ "commonTlsContext": { 
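Review bot: The http1 subtest in the `@@ -908` hunk (and http2 in the `@@ -928` hunk) still sets `Cert: aExampleComCert` and `Key: aExampleComKey` while passing `nil` as the certificate list, and the `tlsCertificates` expectation is removed from every subtest, so nothing in this test exercises how buildDownstreamTLSContextMulti emits certificates. If the options fields no longer feed this function (it looks that way, since the expected output has no `tlsCertificates`), drop them from these two subtests. I would also add one subtest that passes a non-empty `[]tls.Certificate` and asserts the resulting `tlsCertificates` entries, so a regression in certificate ordering or file naming is caught. The subtest bodies continue outside these hunks.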
@@ -962,16 +202,9 @@ func Test_buildDownstreamTLSContext(t *testing.T) { "tlsMinimumProtocolVersion": "TLSv1_2" }, "alpnProtocols": ["h2"], - "tlsCertificates": [ - { - "certificateChain": { - "filename": "`+certFileName+`" - }, - "privateKey": { - "filename": "`+keyFileName+`" - } - } - ] + "validationContext": { + "trustChainVerification": "ACCEPT_UNTRUSTED" + } } }`, downstreamTLSContext) }) diff --git a/config/envoyconfig/testdata/main_http_connection_manager_filter.json b/config/envoyconfig/testdata/main_http_connection_manager_filter.json new file mode 100644 index 000000000..b99a2b0d8 --- /dev/null +++ b/config/envoyconfig/testdata/main_http_connection_manager_filter.json 
@@ -0,0 +1,634 @@ +{ + "name": "envoy.filters.network.http_connection_manager", + "typedConfig": { + "@type": "type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager", + "accessLog": [ + { + "name": "envoy.access_loggers.http_grpc", + "typedConfig": { + "@type": "type.googleapis.com/envoy.extensions.access_loggers.grpc.v3.HttpGrpcAccessLogConfig", + "commonConfig": { + "grpcService": { + "envoyGrpc": { + "clusterName": "pomerium-control-plane-grpc" + } + }, + "logName": "ingress-http", + "transportApiVersion": "V3" + } + } + } + ], + "alwaysSetRequestIdInResponse": true, + "commonHttpProtocolOptions": { + "idleTimeout": "300s" + }, + "httpFilters": [ + { + "name": "envoy.filters.http.lua", + "typedConfig": { + "@type": "type.googleapis.com/envoy.extensions.filters.http.lua.v3.Lua", + "defaultSourceCode": { + "inlineString": "local function starts_with(str, start)\n return str:sub(1, #start) == start\nend\n\nfunction envoy_on_request(request_handle)\n local headers = request_handle:headers()\n local metadata = request_handle:metadata()\n\n local remove_impersonate_headers = metadata:get(\"remove_impersonate_headers\")\n if remove_impersonate_headers then\n local to_remove = {}\n for k, v in pairs(headers) do\n if starts_with(k, \"impersonate-extra-\") or k == \"impersonate-group\" or k == \"impersonate-user\" then\n table.insert(to_remove, k)\n end\n end\n\n for k, v in pairs(to_remove) do\n headers:remove(v)\n end\n end\nend\n\nfunction envoy_on_response(response_handle)\nend\n" + } + } + }, + { + "name": "envoy.filters.http.ext_authz", + "typedConfig": { + "@type": "type.googleapis.com/envoy.extensions.filters.http.ext_authz.v3.ExtAuthz", + "grpcService": { + "envoyGrpc": { + "clusterName": "pomerium-authorize" + }, + "timeout": "10s" + }, + "includePeerCertificate": true, + "statusOnError": { + "code": "InternalServerError" + }, + "transportApiVersion": "V3" + } + }, + { + "name": "envoy.filters.http.lua", + 
"typedConfig": { + "@type": "type.googleapis.com/envoy.extensions.filters.http.lua.v3.Lua", + "defaultSourceCode": { + "inlineString": "function envoy_on_request(request_handle)\n local headers = request_handle:headers()\n local dynamic_meta = request_handle:streamInfo():dynamicMetadata()\n if headers:get(\"x-pomerium-set-cookie\") ~= nil then\n dynamic_meta:set(\"envoy.filters.http.lua\", \"pomerium_set_cookie\",\n headers:get(\"x-pomerium-set-cookie\"))\n headers:remove(\"x-pomerium-set-cookie\")\n end\nend\n\nfunction envoy_on_response(response_handle)\n local headers = response_handle:headers()\n local dynamic_meta = response_handle:streamInfo():dynamicMetadata()\n local tbl = dynamic_meta:get(\"envoy.filters.http.lua\")\n if tbl ~= nil and tbl[\"pomerium_set_cookie\"] ~= nil then\n headers:add(\"set-cookie\", tbl[\"pomerium_set_cookie\"])\n end\nend\n" + } + } + }, + { + "name": "envoy.filters.http.lua", + "typedConfig": { + "@type": "type.googleapis.com/envoy.extensions.filters.http.lua.v3.Lua", + "defaultSourceCode": { + "inlineString": "function remove_pomerium_cookie(cookie_name, cookie)\n -- lua doesn't support optional capture groups\n -- so we replace twice to handle pomerium=xyz at the end of the string\n cookie = cookie:gsub(cookie_name .. \"=[^;]+; \", \"\")\n cookie = cookie:gsub(cookie_name .. 
\"=[^;]+\", \"\")\n return cookie\nend\n\nfunction has_prefix(str, prefix)\n return str ~= nil and str:sub(1, #prefix) == prefix\nend\n\nfunction envoy_on_request(request_handle)\n local headers = request_handle:headers()\n local metadata = request_handle:metadata()\n\n local remove_cookie_name = metadata:get(\"remove_pomerium_cookie\")\n if remove_cookie_name then\n local cookie = headers:get(\"cookie\")\n if cookie ~= nil then\n newcookie = remove_pomerium_cookie(remove_cookie_name, cookie)\n headers:replace(\"cookie\", newcookie)\n end\n end\n\n local remove_authorization = metadata:get(\"remove_pomerium_authorization\")\n if remove_authorization then\n local authorization = headers:get(\"authorization\")\n local authorization_prefix = \"Pomerium \"\n if has_prefix(authorization, authorization_prefix) then\n headers:remove(\"authorization\")\n end\n\n headers:remove('x-pomerium-authorization')\n end\nend\n\nfunction envoy_on_response(response_handle) end\n" + } + } + }, + { + "name": "envoy.filters.http.lua", + "typedConfig": { + "@type": "type.googleapis.com/envoy.extensions.filters.http.lua.v3.Lua", + "defaultSourceCode": { + "inlineString": "function replace_prefix(str, prefix, value)\n return str:gsub(\"^\"..prefix, value)\nend\n\nfunction envoy_on_request(request_handle)\nend\n\nfunction envoy_on_response(response_handle)\n local headers = response_handle:headers()\n local metadata = response_handle:metadata()\n\n -- should be in the form:\n -- [{\n -- \"header\":\"Location\",\n -- \"prefix\":\"http://localhost:8000/two/\",\n -- \"value\":\"http://frontend/one/\"\n -- }]\n local rewrite_response_headers = metadata:get(\"rewrite_response_headers\")\n if rewrite_response_headers then\n for _, obj in pairs(rewrite_response_headers) do\n local hdr = headers:get(obj.header)\n if hdr ~= nil then\n local newhdr = replace_prefix(hdr, obj.prefix, obj.value)\n headers:replace(obj.header, newhdr)\n end\n end\n end\nend\n" + } + } + }, + { + "name": 
"envoy.filters.http.router", + "typedConfig": { + "@type": "type.googleapis.com/envoy.extensions.filters.http.router.v3.Router" + } + } + ], + "httpProtocolOptions": { + "headerKeyFormat": { + "statefulFormatter": { + "name": "preserve_case", + "typedConfig": { + "@type": "type.googleapis.com/envoy.extensions.http.header_formatters.preserve_case.v3.PreserveCaseFormatterConfig" + } + } + } + }, + "localReplyConfig": { + "mappers": [ + { + "filter": { + "responseFlagFilter": {} + }, + "headersToAdd": [ + { + "appendAction": "OVERWRITE_IF_EXISTS_OR_ADD", + "header": { + "key": "X-Frame-Options", + "value": "SAMEORIGIN" + } + }, + { + "appendAction": "OVERWRITE_IF_EXISTS_OR_ADD", + "header": { + "key": "X-XSS-Protection", + "value": "1; mode=block" + } + } + ] + } + ] + }, + "requestTimeout": "30s", + "routeConfig": { + "name": "main", + "validateClusters": false, + "virtualHosts": [ + { + "domains": ["authenticate.example.com"], + "name": "authenticate.example.com", + "responseHeadersToAdd": [ + { + "appendAction": "OVERWRITE_IF_EXISTS_OR_ADD", + "header": { + "key": "X-Frame-Options", + "value": "SAMEORIGIN" + } + }, + { + "appendAction": "OVERWRITE_IF_EXISTS_OR_ADD", + "header": { + "key": "X-XSS-Protection", + "value": "1; mode=block" + } + } + ], + "routes": [ + { + "match": { + "path": "/.pomerium/jwt" + }, + "name": "pomerium-path-/.pomerium/jwt", + "route": { + "cluster": "pomerium-control-plane-http" + } + }, + { + "match": { + "path": "/.pomerium/webauthn" + }, + "name": "pomerium-path-/.pomerium/webauthn", + "route": { + "cluster": "pomerium-control-plane-http" + } + }, + { + "match": { + "path": "/ping" + }, + "name": "pomerium-path-/ping", + "route": { + "cluster": "pomerium-control-plane-http" + }, + "typedPerFilterConfig": { + "envoy.filters.http.ext_authz": { + "@type": "type.googleapis.com/envoy.extensions.filters.http.ext_authz.v3.ExtAuthzPerRoute", + "disabled": true + } + } + }, + { + "match": { + "path": "/healthz" + }, + "name": 
"pomerium-path-/healthz", + "route": { + "cluster": "pomerium-control-plane-http" + }, + "typedPerFilterConfig": { + "envoy.filters.http.ext_authz": { + "@type": "type.googleapis.com/envoy.extensions.filters.http.ext_authz.v3.ExtAuthzPerRoute", + "disabled": true + } + } + }, + { + "match": { + "path": "/.pomerium" + }, + "name": "pomerium-path-/.pomerium", + "route": { + "cluster": "pomerium-control-plane-http" + }, + "typedPerFilterConfig": { + "envoy.filters.http.ext_authz": { + "@type": "type.googleapis.com/envoy.extensions.filters.http.ext_authz.v3.ExtAuthzPerRoute", + "disabled": true + } + } + }, + { + "match": { + "prefix": "/.pomerium/" + }, + "name": "pomerium-prefix-/.pomerium/", + "route": { + "cluster": "pomerium-control-plane-http" + }, + "typedPerFilterConfig": { + "envoy.filters.http.ext_authz": { + "@type": "type.googleapis.com/envoy.extensions.filters.http.ext_authz.v3.ExtAuthzPerRoute", + "disabled": true + } + } + }, + { + "match": { + "path": "/.well-known/pomerium" + }, + "name": "pomerium-path-/.well-known/pomerium", + "route": { + "cluster": "pomerium-control-plane-http" + }, + "typedPerFilterConfig": { + "envoy.filters.http.ext_authz": { + "@type": "type.googleapis.com/envoy.extensions.filters.http.ext_authz.v3.ExtAuthzPerRoute", + "disabled": true + } + } + }, + { + "match": { + "prefix": "/.well-known/pomerium/" + }, + "name": "pomerium-prefix-/.well-known/pomerium/", + "route": { + "cluster": "pomerium-control-plane-http" + }, + "typedPerFilterConfig": { + "envoy.filters.http.ext_authz": { + "@type": "type.googleapis.com/envoy.extensions.filters.http.ext_authz.v3.ExtAuthzPerRoute", + "disabled": true + } + } + }, + { + "match": { + "path": "/robots.txt" + }, + "name": "pomerium-path-/robots.txt", + "route": { + "cluster": "pomerium-control-plane-http" + }, + "typedPerFilterConfig": { + "envoy.filters.http.ext_authz": { + "@type": "type.googleapis.com/envoy.extensions.filters.http.ext_authz.v3.ExtAuthzPerRoute", + "disabled": true + } + } 
+ }, + { + "match": { + "path": "/oauth2/callback" + }, + "name": "pomerium-path-/oauth2/callback", + "route": { + "cluster": "pomerium-control-plane-http" + }, + "typedPerFilterConfig": { + "envoy.filters.http.ext_authz": { + "@type": "type.googleapis.com/envoy.extensions.filters.http.ext_authz.v3.ExtAuthzPerRoute", + "disabled": true + } + } + }, + { + "match": { + "path": "/" + }, + "name": "pomerium-path-/", + "route": { + "cluster": "pomerium-control-plane-http" + }, + "typedPerFilterConfig": { + "envoy.filters.http.ext_authz": { + "@type": "type.googleapis.com/envoy.extensions.filters.http.ext_authz.v3.ExtAuthzPerRoute", + "disabled": true + } + } + } + ] + }, + { + "domains": ["authenticate.example.com:443"], + "name": "authenticate.example.com:443", + "responseHeadersToAdd": [ + { + "appendAction": "OVERWRITE_IF_EXISTS_OR_ADD", + "header": { + "key": "X-Frame-Options", + "value": "SAMEORIGIN" + } + }, + { + "appendAction": "OVERWRITE_IF_EXISTS_OR_ADD", + "header": { + "key": "X-XSS-Protection", + "value": "1; mode=block" + } + } + ], + "routes": [ + { + "match": { + "path": "/.pomerium/jwt" + }, + "name": "pomerium-path-/.pomerium/jwt", + "route": { + "cluster": "pomerium-control-plane-http" + } + }, + { + "match": { + "path": "/.pomerium/webauthn" + }, + "name": "pomerium-path-/.pomerium/webauthn", + "route": { + "cluster": "pomerium-control-plane-http" + } + }, + { + "match": { + "path": "/ping" + }, + "name": "pomerium-path-/ping", + "route": { + "cluster": "pomerium-control-plane-http" + }, + "typedPerFilterConfig": { + "envoy.filters.http.ext_authz": { + "@type": "type.googleapis.com/envoy.extensions.filters.http.ext_authz.v3.ExtAuthzPerRoute", + "disabled": true + } + } + }, + { + "match": { + "path": "/healthz" + }, + "name": "pomerium-path-/healthz", + "route": { + "cluster": "pomerium-control-plane-http" + }, + "typedPerFilterConfig": { + "envoy.filters.http.ext_authz": { + "@type": 
"type.googleapis.com/envoy.extensions.filters.http.ext_authz.v3.ExtAuthzPerRoute", + "disabled": true + } + } + }, + { + "match": { + "path": "/.pomerium" + }, + "name": "pomerium-path-/.pomerium", + "route": { + "cluster": "pomerium-control-plane-http" + }, + "typedPerFilterConfig": { + "envoy.filters.http.ext_authz": { + "@type": "type.googleapis.com/envoy.extensions.filters.http.ext_authz.v3.ExtAuthzPerRoute", + "disabled": true + } + } + }, + { + "match": { + "prefix": "/.pomerium/" + }, + "name": "pomerium-prefix-/.pomerium/", + "route": { + "cluster": "pomerium-control-plane-http" + }, + "typedPerFilterConfig": { + "envoy.filters.http.ext_authz": { + "@type": "type.googleapis.com/envoy.extensions.filters.http.ext_authz.v3.ExtAuthzPerRoute", + "disabled": true + } + } + }, + { + "match": { + "path": "/.well-known/pomerium" + }, + "name": "pomerium-path-/.well-known/pomerium", + "route": { + "cluster": "pomerium-control-plane-http" + }, + "typedPerFilterConfig": { + "envoy.filters.http.ext_authz": { + "@type": "type.googleapis.com/envoy.extensions.filters.http.ext_authz.v3.ExtAuthzPerRoute", + "disabled": true + } + } + }, + { + "match": { + "prefix": "/.well-known/pomerium/" + }, + "name": "pomerium-prefix-/.well-known/pomerium/", + "route": { + "cluster": "pomerium-control-plane-http" + }, + "typedPerFilterConfig": { + "envoy.filters.http.ext_authz": { + "@type": "type.googleapis.com/envoy.extensions.filters.http.ext_authz.v3.ExtAuthzPerRoute", + "disabled": true + } + } + }, + { + "match": { + "path": "/robots.txt" + }, + "name": "pomerium-path-/robots.txt", + "route": { + "cluster": "pomerium-control-plane-http" + }, + "typedPerFilterConfig": { + "envoy.filters.http.ext_authz": { + "@type": "type.googleapis.com/envoy.extensions.filters.http.ext_authz.v3.ExtAuthzPerRoute", + "disabled": true + } + } + }, + { + "match": { + "path": "/oauth2/callback" + }, + "name": "pomerium-path-/oauth2/callback", + "route": { + "cluster": "pomerium-control-plane-http" + }, 
+ "typedPerFilterConfig": { + "envoy.filters.http.ext_authz": { + "@type": "type.googleapis.com/envoy.extensions.filters.http.ext_authz.v3.ExtAuthzPerRoute", + "disabled": true + } + } + }, + { + "match": { + "path": "/" + }, + "name": "pomerium-path-/", + "route": { + "cluster": "pomerium-control-plane-http" + }, + "typedPerFilterConfig": { + "envoy.filters.http.ext_authz": { + "@type": "type.googleapis.com/envoy.extensions.filters.http.ext_authz.v3.ExtAuthzPerRoute", + "disabled": true + } + } + } + ] + }, + { + "domains": ["*"], + "name": "catch-all", + "responseHeadersToAdd": [ + { + "appendAction": "OVERWRITE_IF_EXISTS_OR_ADD", + "header": { + "key": "X-Frame-Options", + "value": "SAMEORIGIN" + } + }, + { + "appendAction": "OVERWRITE_IF_EXISTS_OR_ADD", + "header": { + "key": "X-XSS-Protection", + "value": "1; mode=block" + } + } + ], + "routes": [ + { + "match": { + "path": "/.pomerium/jwt" + }, + "name": "pomerium-path-/.pomerium/jwt", + "route": { + "cluster": "pomerium-control-plane-http" + } + }, + { + "match": { + "path": "/.pomerium/webauthn" + }, + "name": "pomerium-path-/.pomerium/webauthn", + "route": { + "cluster": "pomerium-control-plane-http" + } + }, + { + "match": { + "path": "/ping" + }, + "name": "pomerium-path-/ping", + "route": { + "cluster": "pomerium-control-plane-http" + }, + "typedPerFilterConfig": { + "envoy.filters.http.ext_authz": { + "@type": "type.googleapis.com/envoy.extensions.filters.http.ext_authz.v3.ExtAuthzPerRoute", + "disabled": true + } + } + }, + { + "match": { + "path": "/healthz" + }, + "name": "pomerium-path-/healthz", + "route": { + "cluster": "pomerium-control-plane-http" + }, + "typedPerFilterConfig": { + "envoy.filters.http.ext_authz": { + "@type": "type.googleapis.com/envoy.extensions.filters.http.ext_authz.v3.ExtAuthzPerRoute", + "disabled": true + } + } + }, + { + "match": { + "path": "/.pomerium" + }, + "name": "pomerium-path-/.pomerium", + "route": { + "cluster": "pomerium-control-plane-http" + }, + 
"typedPerFilterConfig": { + "envoy.filters.http.ext_authz": { + "@type": "type.googleapis.com/envoy.extensions.filters.http.ext_authz.v3.ExtAuthzPerRoute", + "disabled": true + } + } + }, + { + "match": { + "prefix": "/.pomerium/" + }, + "name": "pomerium-prefix-/.pomerium/", + "route": { + "cluster": "pomerium-control-plane-http" + }, + "typedPerFilterConfig": { + "envoy.filters.http.ext_authz": { + "@type": "type.googleapis.com/envoy.extensions.filters.http.ext_authz.v3.ExtAuthzPerRoute", + "disabled": true + } + } + }, + { + "match": { + "path": "/.well-known/pomerium" + }, + "name": "pomerium-path-/.well-known/pomerium", + "route": { + "cluster": "pomerium-control-plane-http" + }, + "typedPerFilterConfig": { + "envoy.filters.http.ext_authz": { + "@type": "type.googleapis.com/envoy.extensions.filters.http.ext_authz.v3.ExtAuthzPerRoute", + "disabled": true + } + } + }, + { + "match": { + "prefix": "/.well-known/pomerium/" + }, + "name": "pomerium-prefix-/.well-known/pomerium/", + "route": { + "cluster": "pomerium-control-plane-http" + }, + "typedPerFilterConfig": { + "envoy.filters.http.ext_authz": { + "@type": "type.googleapis.com/envoy.extensions.filters.http.ext_authz.v3.ExtAuthzPerRoute", + "disabled": true + } + } + }, + { + "match": { + "path": "/robots.txt" + }, + "name": "pomerium-path-/robots.txt", + "route": { + "cluster": "pomerium-control-plane-http" + }, + "typedPerFilterConfig": { + "envoy.filters.http.ext_authz": { + "@type": "type.googleapis.com/envoy.extensions.filters.http.ext_authz.v3.ExtAuthzPerRoute", + "disabled": true + } + } + } + ] + } + ] + }, + "skipXffAppend": true, + "statPrefix": "ingress", + "tracing": { + "randomSampling": { + "value": 0.01 + } + }, + "useRemoteAddress": true, + "xffNumTrustedHops": 1 + } +} diff --git a/config/envoyconfig/testdata/metrics_http_connection_manager.json b/config/envoyconfig/testdata/metrics_http_connection_manager.json new file mode 100644 index 000000000..64d8b77d7 --- /dev/null 
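Review bot: The `localReplyConfig.mappers[0].headersToAdd` list in this golden file holds only `X-Frame-Options` and `X-XSS-Protection`, while the inline expectation it replaces also pinned `Strict-Transport-Security` with `max-age=31536000; includeSubDomains; preload`. None of the `responseHeadersToAdd` blocks in the file carries that header either, so after this change the test no longer asserts HSTS anywhere. The call that builds the filter is outside the visible lines; if it now passes no certificates, add a second golden file for a call made with a matching certificate so the HSTS path stays covered.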
+++ b/config/envoyconfig/testdata/metrics_http_connection_manager.json @@ -0,0 +1,92 @@ +{ + "name": "metrics-ingress-18010634919562279975", + "perConnectionBufferLimitBytes": 32768, + "address": { + "socketAddress": { + "address": "127.0.0.1", + "portValue": 9902 + } + }, + "filterChains": [ + { + "filters": [ + { + "name": "envoy.filters.network.http_connection_manager", + "typedConfig": { + "@type": "type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager", + "httpFilters": [ + { + "name": "envoy.filters.http.router", + "typedConfig": { + "@type": "type.googleapis.com/envoy.extensions.filters.http.router.v3.Router" + } + } + ], + "routeConfig": { + "name": "metrics", + "validateClusters": false, + "virtualHosts": [ + { + "name": "metrics", + "domains": ["*"], + "routes": [ + { + "name": "envoy-metrics", + "match": { + "prefix": "/metrics/envoy" + }, + "route": { + "cluster": "pomerium-envoy-admin", + "prefixRewrite": "/stats/prometheus" + } + }, + { + "name": "metrics", + "match": { + "prefix": "/" + }, + "route": { + "cluster": "pomerium-control-plane-metrics" + } + } + ] + } + ] + }, + "statPrefix": "metrics" + } + } + ], + "transportSocket": { + "name": "tls", + "typedConfig": { + "@type": "type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext", + "commonTlsContext": { + "tlsParams": { + "cipherSuites": [ + "ECDHE-ECDSA-AES256-GCM-SHA384", + "ECDHE-RSA-AES256-GCM-SHA384", + "ECDHE-ECDSA-AES128-GCM-SHA256", + "ECDHE-RSA-AES128-GCM-SHA256", + "ECDHE-ECDSA-CHACHA20-POLY1305", + "ECDHE-RSA-CHACHA20-POLY1305" + ], + "tlsMinimumProtocolVersion": "TLSv1_2" + }, + "alpnProtocols": ["h2", "http/1.1"], + "tlsCertificates": [ + { + "certificateChain": { + "filename": "{{.CertFile}}" + }, + "privateKey": { + "filename": "{{.KeyFile}}" + } + } + ] + } + } + } + } + ] +} diff --git a/go.mod b/go.mod index 27737bec9..8dc523d03 100644 --- a/go.mod +++ b/go.mod 
@@ -17,7 +17,7 @@ require ( github.com/client9/misspell v0.3.4 github.com/coreos/go-oidc/v3 v3.5.0 github.com/docker/docker v20.10.23+incompatible - github.com/envoyproxy/go-control-plane v0.10.3-0.20220819153403-8a9be01c9575 + github.com/envoyproxy/go-control-plane v0.11.0 github.com/envoyproxy/protoc-gen-validate v0.9.1 github.com/fsnotify/fsnotify v1.6.0 github.com/go-chi/chi/v5 v5.0.8 @@ -139,7 +139,7 @@ require ( github.com/breml/bidichk v0.2.3 // indirect github.com/breml/errchkjson v0.3.0 // indirect github.com/butuzov/ireturn v0.1.1 // indirect - github.com/census-instrumentation/opencensus-proto v0.3.0 // indirect + github.com/census-instrumentation/opencensus-proto v0.4.1 // indirect github.com/charithe/durationcheck v0.0.9 // indirect github.com/chavacava/garif v0.0.0-20220630083739-93517212f375 // indirect github.com/cloudflare/circl v1.3.2 diff --git a/go.sum b/go.sum index b6be096a5..d3f1bfd7f 100644 --- a/go.sum +++ b/go.sum @@ -109,7 +109,6 @@ github.com/allegro/bigcache v1.2.1-0.20190218064605-e24eb225f156 h1:eMwmnE/GDgah github.com/allegro/bigcache v1.2.1-0.20190218064605-e24eb225f156/go.mod h1:Cb/ax3seSYIx7SuZdm2G2xzfwmv3TPSk2ucNfQESPXM= github.com/andybalholm/brotli v1.0.4 h1:V7DdXeJtZscaqfNuAdSRuRFzuiKlHSC/Zh3zl9qY3JY= github.com/andybalholm/brotli v1.0.4/go.mod h1:fO7iG3H7G2nSZ7m0zPUDn85XEX2GTukHGRSepvi9Eig= -github.com/antihax/optional v1.0.0/go.mod h1:uupD/76wgC+ih3iEmQUL+0Ugr19nfwCT1kdvxnR2qWY= github.com/arbovm/levenshtein v0.0.0-20160628152529-48b4e1c0c4d0 h1:jfIu9sQUG6Ig+0+Ap1h4unLjW6YQJpKZVmUzxsD4E/Q= github.com/arbovm/levenshtein v0.0.0-20160628152529-48b4e1c0c4d0/go.mod h1:t2tdKJDJF9BV14lnkjHmOQgcvEKgtqs5a1N3LNdJhGE= github.com/armon/consul-api v0.0.0-20180202201655-eb2c6b5be1b6/go.mod h1:grANhF5doyWs3UAsr3K4I6qtAmlQcZDesFNEHPZAzj8= 
@@ -181,8 +180,8 @@ github.com/caddyserver/certmagic v0.17.2/go.mod h1:ouWUuC490GOLJzkyN35eXfV8bSbwM github.com/cenkalti/backoff/v4 v4.2.0 h1:HN5dHm3WBOgndBH6E8V0q2jIYIR3s9yglV8k/+MN3u4= github.com/cenkalti/backoff/v4 v4.2.0/go.mod h1:Y3VNntkOUPxTVeUxJ/G5vcM//AlwfmyYozVcomhLiZE= github.com/census-instrumentation/opencensus-proto v0.2.1/go.mod h1:f6KPmirojxKA12rnyqOA5BBL4O983OfeGPqjHWSTneU= -github.com/census-instrumentation/opencensus-proto v0.3.0 h1:t/LhUZLVitR1Ow2YOnduCsavhwFUklBMoGVYUCqmCqk= -github.com/census-instrumentation/opencensus-proto v0.3.0/go.mod h1:f6KPmirojxKA12rnyqOA5BBL4O983OfeGPqjHWSTneU= +github.com/census-instrumentation/opencensus-proto v0.4.1 h1:iKLQ0xPNFxR/2hzXZMrBo8f1j86j5WHzznCCQxV/b8g= +github.com/census-instrumentation/opencensus-proto v0.4.1/go.mod h1:4T9NM4+4Vw91VeyqjLS6ao50K5bOcLKN6Q42XnYaRYw= github.com/cespare/xxhash v1.1.0 h1:a6HrQnmkObjyL+Gs60czilIUGqrzKutQD6XZog3p+ko= github.com/cespare/xxhash v1.1.0/go.mod h1:XrSqR1VqqWfGrhpAt58auRo0WTKS1nRRg3ghfAqPWnc= github.com/cespare/xxhash/v2 v2.1.1/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs= 
@@ -205,11 +204,6 @@ github.com/cloudflare/circl v1.3.2/go.mod h1:+CauBF6R70Jqcyl8N2hC8pAXYbWkGIezuSb github.com/cncf/udpa/go v0.0.0-20191209042840-269d4d468f6f/go.mod h1:M8M6+tZqaGXZJjfX53e64911xZQV5JYwmTeXPW+k8Sc= github.com/cncf/udpa/go v0.0.0-20200629203442-efcf912fb354/go.mod h1:WmhPx2Nbnhtbo57+VJT5O0JRkEi1Wbu0z5j0R8u5Hbk= github.com/cncf/udpa/go v0.0.0-20201120205902-5459f2c99403/go.mod h1:WmhPx2Nbnhtbo57+VJT5O0JRkEi1Wbu0z5j0R8u5Hbk= -github.com/cncf/udpa/go v0.0.0-20210930031921-04548b0d99d4/go.mod h1:6pvJx4me5XPnfI9Z40ddWsdw2W/uZgQLFXToKeRcDiI= -github.com/cncf/xds/go v0.0.0-20210312221358-fbca930ec8ed/go.mod h1:eXthEFrGJvWHgFFCl3hGmgk+/aYT6PnTQLykKQRLhEs= -github.com/cncf/xds/go v0.0.0-20210805033703-aa0b78936158/go.mod h1:eXthEFrGJvWHgFFCl3hGmgk+/aYT6PnTQLykKQRLhEs= -github.com/cncf/xds/go v0.0.0-20210922020428-25de7278fc84/go.mod h1:eXthEFrGJvWHgFFCl3hGmgk+/aYT6PnTQLykKQRLhEs= -github.com/cncf/xds/go v0.0.0-20211011173535-cb28da3451f1/go.mod h1:eXthEFrGJvWHgFFCl3hGmgk+/aYT6PnTQLykKQRLhEs= github.com/cncf/xds/go v0.0.0-20220314180256-7f1daf1720fc h1:PYXxkRUBGUMa5xgMVMDl62vEklZvKpVaxQeN9ie7Hfk= github.com/cncf/xds/go v0.0.0-20220314180256-7f1daf1720fc/go.mod h1:eXthEFrGJvWHgFFCl3hGmgk+/aYT6PnTQLykKQRLhEs= github.com/containerd/console v1.0.3/go.mod h1:7LqA/THxQ86k76b8c/EMSiaJ3h1eZkMkXar0TQ1gf3U= 
@@ -271,12 +265,9 @@ github.com/envoyproxy/go-control-plane v0.9.1-0.20191026205805-5f8ba28d4473/go.m github.com/envoyproxy/go-control-plane v0.9.4/go.mod h1:6rpuAdCZL397s3pYoYcLgu1mIlRU8Am5FuJP05cCM98= github.com/envoyproxy/go-control-plane v0.9.7/go.mod h1:cwu0lG7PUMfa9snN8LXBig5ynNVH9qI8YYLbd1fK2po= github.com/envoyproxy/go-control-plane v0.9.9-0.20201210154907-fd9021fe5dad/go.mod h1:cXg6YxExXjJnVBQHBLXeUAgxn2UodCpnH306RInaBQk= -github.com/envoyproxy/go-control-plane v0.9.9-0.20210512163311-63b5d3c536b0/go.mod h1:hliV/p42l8fGbc6Y9bQ70uLwIvmJyVE5k4iMKlh8wCQ= -github.com/envoyproxy/go-control-plane v0.9.10-0.20210907150352-cf90f659a021/go.mod h1:AFq3mo9L8Lqqiid3OhADV3RfLJnjiw63cSpi+fDTRC0= -github.com/envoyproxy/go-control-plane v0.10.3-0.20220819153403-8a9be01c9575 h1:yrCCU7Wf6E1dMmWDfMuD9cT+fABNmOaCI8KzS9shMrE= -github.com/envoyproxy/go-control-plane v0.10.3-0.20220819153403-8a9be01c9575/go.mod h1:fJJn/j26vwOu972OllsvAgJJM//w9BV6Fxbg2LuVd34= +github.com/envoyproxy/go-control-plane v0.11.0 h1:jtLewhRR2vMRNnq2ZZUoCjUlgut+Y0+sDDWPOfwOi1o= +github.com/envoyproxy/go-control-plane v0.11.0/go.mod h1:VnHyVMpzcLvCFt9yUz1UnCwHLhwx1WguiVDV7pTG/tI= github.com/envoyproxy/protoc-gen-validate v0.1.0/go.mod h1:iSmxcyjqTsJpI2R4NaDN7+kN2VEUnK/pcBlmesArF7c= -github.com/envoyproxy/protoc-gen-validate v0.6.7/go.mod h1:dyJXwwfPK2VSqiB9Klm1J6romD608Ba7Hij42vrOBCo= github.com/envoyproxy/protoc-gen-validate v0.9.1 h1:PS7VIOgmSVhWUEeZwTe7z7zouA22Cr590PzXKbZHOVY= github.com/envoyproxy/protoc-gen-validate v0.9.1/go.mod h1:OKNgG7TCp5pF4d6XftA0++PMirau2/yoOwVac3AbF2w= github.com/esimonov/ifshort v1.0.4 h1:6SID4yGWfRae/M7hkVDVVyppy8q/v9OuxNdmjLQStBA= 
@@ -365,7 +356,6 @@ github.com/gogo/protobuf v1.3.2 h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q= github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q= github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b/go.mod h1:SBH7ygxi8pfUlaOkMMuAQtPIUF8ecWP5IEl/CR7VP2Q= github.com/golang/glog v1.0.0 h1:nfP3RFugxnNRyKgeWd4oI1nYvXpxrx8ck8ZrcizshdQ= -github.com/golang/glog v1.0.0/go.mod h1:EWib/APOK0SL3dFbYqvxE3UYd8E6s1ouQ7iEp/0LWV4= github.com/golang/groupcache v0.0.0-20190129154638-5b532d6fd5ef/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc= github.com/golang/groupcache v0.0.0-20190702054246-869f871628b6/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc= github.com/golang/groupcache v0.0.0-20191227052852-215e87163ea7/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc= @@ -440,7 +430,6 @@ github.com/google/go-cmp v0.5.3/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/ github.com/google/go-cmp v0.5.4/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= github.com/google/go-cmp v0.5.5/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= github.com/google/go-cmp v0.5.6/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= -github.com/google/go-cmp v0.5.7/go.mod h1:n+brtR0CgQNWTVd5ZUFpTBC8YFBDLK/h/bpaJ8/DtOE= github.com/google/go-cmp v0.5.8/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY= github.com/google/go-cmp v0.5.9 h1:O2Tfq5qg4qc4AmwVlvv0oLiVAGB7enBSJ2x2DqQFi38= github.com/google/go-cmp v0.5.9/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY= 
@@ -512,8 +501,6 @@ github.com/gregjones/httpcache v0.0.0-20190611155906-901d90724c79/go.mod h1:Fecb github.com/grpc-ecosystem/go-grpc-middleware v1.0.0/go.mod h1:FiyG127CGDf3tlThmgyCl78X/SZQqEOJBCDaAfeWzPs= github.com/grpc-ecosystem/go-grpc-prometheus v1.2.0/go.mod h1:8NvIoxWQoOIhqOTXgfV/d3M/q6VIi02HzZEHgUlZvzk= github.com/grpc-ecosystem/grpc-gateway v1.9.0/go.mod h1:vNeuVxBJEsws4ogUvrchl83t/GYV9WGTSLVdBhOQFDY= -github.com/grpc-ecosystem/grpc-gateway v1.16.0/go.mod h1:BDjrQk3hbvj6Nolgz8mAMFbcEtjT1g+wF4CSlocrBnw= -github.com/grpc-ecosystem/grpc-gateway/v2 v2.7.0/go.mod h1:hgWBS7lorOAVIJEQMi4ZsPv9hVvWI6+ch50m39Pf2Ks= github.com/hashicorp/errwrap v1.0.0/go.mod h1:YH+1FKiLXxHSkmPseP+kNlulaMuP3n2brvKWEqk/Jc4= github.com/hashicorp/errwrap v1.1.0 h1:OxrOeh75EUXMY8TBjag2fzXGZ40LB6IKw45YeGUDY2I= github.com/hashicorp/errwrap v1.1.0/go.mod h1:YH+1FKiLXxHSkmPseP+kNlulaMuP3n2brvKWEqk/Jc4= @@ -617,7 +604,6 @@ github.com/lufeee/execinquery v1.2.1 h1:hf0Ems4SHcUGBxpGN7Jz78z1ppVkP/837ZlETPCE github.com/lufeee/execinquery v1.2.1/go.mod h1:EC7DrEKView09ocscGHC+apXMIaorh4xqSxS/dy8SbM= github.com/lufia/plan9stats v0.0.0-20211012122336-39d0f177ccd0 h1:6E+4a0GO5zZEnZ81pIr0yLvtUWk2if982qA3F3QD6H4= github.com/lufia/plan9stats v0.0.0-20211012122336-39d0f177ccd0/go.mod h1:zJYVVT2jmtg6P3p1VtQj7WsuWi/y4VnjVBn7F8KPB3I= -github.com/lyft/protoc-gen-star v0.6.0/go.mod h1:TGAoBVkt8w7MPG72TrKIu85MIdXwDuzJYeZuUPFPNwA= github.com/lyft/protoc-gen-star v0.6.1 h1:erE0rdztuaDq3bpGifD95wfoPrSZc95nGA6tbiNYh6M= github.com/lyft/protoc-gen-star v0.6.1/go.mod h1:TGAoBVkt8w7MPG72TrKIu85MIdXwDuzJYeZuUPFPNwA= github.com/lyft/protoc-gen-validate v0.0.13/go.mod h1:XbGvPuh87YZc5TdIa2/I4pLk0QoUACkjt2znoq26NVQ= 
@@ -818,7 +804,6 @@ github.com/rcrowley/go-metrics v0.0.0-20201227073835-cf1acfcdf475/go.mod h1:bCqn github.com/rivo/uniseg v0.2.0 h1:S1pD9weZBuJdFmowNwbpi7BJ8TNftyUImj/0WQi72jY= github.com/rivo/uniseg v0.2.0/go.mod h1:J6wj4VEh+S6ZtnVlnTBMWIodfgj8LQOQFoIToxlJtxc= github.com/rogpeppe/fastuuid v0.0.0-20150106093220-6724a57986af/go.mod h1:XWv6SoW27p1b0cqNHllgS5HIMJraePCO15w5zCzIWYg= -github.com/rogpeppe/fastuuid v1.2.0/go.mod h1:jVj6XXZzXRy/MSR5jhDC/2q6DgLz+nrA6LYCDYWNEvQ= github.com/rogpeppe/go-internal v1.3.0/go.mod h1:M8bDsm7K2OlrFYOpmOWEs/qY81heoFRclV5y23lUDJ4= github.com/rogpeppe/go-internal v1.9.0 h1:73kH8U+JUqXU8lRuOHeVHaa/SZPifC7BkcraZVejAe8= github.com/rs/cors v1.8.3 h1:O+qNyWn7Z+F9M0ILBHgMVPuB1xTOucVd5gtaYyXBpRo= @@ -874,7 +859,6 @@ github.com/sourcegraph/go-diff v0.6.1/go.mod h1:iBszgVvyxdc8SFZ7gm69go2KDdt3ag07 github.com/spaolacci/murmur3 v0.0.0-20180118202830-f09979ecbc72/go.mod h1:JwIasOWyU6f++ZhiEuf87xNszmSA2myDM2Kzu9HwQUA= github.com/spf13/afero v1.1.2/go.mod h1:j4pytiNVoe2o6bmDsKpLACNPDBIoEAkihy7loJ1B0CQ= github.com/spf13/afero v1.3.3/go.mod h1:5KUK8ByomD5Ti5Artl0RtHeI5pTF7MIDuXL3yY520V4= -github.com/spf13/afero v1.6.0/go.mod h1:Ai8FlHk4v/PARR026UzYexafAt9roJ7LcLMAmO6Z93I= github.com/spf13/afero v1.9.3 h1:41FoI0fD7OR7mGcKE/aOiLkGreyf8ifIOQmJANWogMk= github.com/spf13/afero v1.9.3/go.mod h1:iUV7ddyEEZPO5gA3zD4fJt6iStLlL+Lg4m2cihcDf8Y= github.com/spf13/cast v1.3.0/go.mod h1:Qx5cxh0v+4UWYiBimWS+eyWzqEqokIECu5etghLkUJE= 
@@ -1003,8 +987,6 @@ go.opencensus.io v0.22.5/go.mod h1:5pWMHQbX5EPX2/62yrJeAkowc+lfs/XD7Uxpq3pI6kk= go.opencensus.io v0.23.0/go.mod h1:XItmlyltB5F7CS4xOC1DcqMoFqwtC6OG2xF7mCv7P7E= go.opencensus.io v0.24.0 h1:y73uSU6J157QMP2kn2r30vwW1A2W2WFwSCGnAVxeaD0= go.opencensus.io v0.24.0/go.mod h1:vNK8G9p7aAivkbmorf4v+7Hgx+Zs0yY+0fOtgBfjQKo= -go.opentelemetry.io/proto/otlp v0.7.0/go.mod h1:PqfVotwruBrMGOCsRd/89rSnXhoiJIqeYNgFYFoEGnI= -go.opentelemetry.io/proto/otlp v0.15.0/go.mod h1:H7XAot3MsfNsj7EXtrA2q5xSNQ10UqI405h3+duxN4U= go.uber.org/atomic v1.4.0/go.mod h1:gD2HeocX3+yG+ygLZcrzQJaqmWj9AIm7n08wl/qW/PE= go.uber.org/atomic v1.7.0/go.mod h1:fEN4uk6kAWBTFdckzkM89CLk9XfWZrxpCo0nPH17wJc= go.uber.org/atomic v1.10.0 h1:9qC72Qh0+3MqyJbAn8YU5xVq1frD8bn3JtD2oXtafVQ= @@ -1075,7 +1057,6 @@ golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= golang.org/x/mod v0.4.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= golang.org/x/mod v0.4.1/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= golang.org/x/mod v0.4.2/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= -golang.org/x/mod v0.5.0/go.mod h1:5OXOZSfqPIIbmVBIIKWRFfZjPR0E5r58TLhUjH0a2Ro= golang.org/x/mod v0.5.1/go.mod h1:5OXOZSfqPIIbmVBIIKWRFfZjPR0E5r58TLhUjH0a2Ro= golang.org/x/mod v0.6.0-dev.0.20220106191415-9b9b3d81d5e3/go.mod h1:3p9vT2HGsQu2K1YbXdKPJLVgG5VJdoTa1poYQBtP1AY= golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4= 
@@ -1121,7 +1102,6 @@ golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v golang.org/x/net v0.0.0-20210405180319-a5a99cb37ef4/go.mod h1:p54w0d4576C0XHj96bSt6lcn1PtDYWL6XObtHCRCNQM= golang.org/x/net v0.0.0-20210525063256-abc453219eb5/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y= golang.org/x/net v0.0.0-20210726213435-c6fcb2dbf985/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y= -golang.org/x/net v0.0.0-20210813160813-60bc85c4be6d/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y= golang.org/x/net v0.0.0-20211015210444-4f30a5c0130f/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y= golang.org/x/net v0.0.0-20220127200216-cd36cc0744dd/go.mod h1:CfG3xpIq0wQ8r1q4Su4UZFWDARRcnwPjda9FqA0JpMk= golang.org/x/net v0.0.0-20220225172249-27dd8689420f/go.mod h1:CfG3xpIq0wQ8r1q4Su4UZFWDARRcnwPjda9FqA0JpMk= @@ -1141,7 +1121,6 @@ golang.org/x/oauth2 v0.0.0-20201109201403-9fd604954f58/go.mod h1:KelEdhl1UZF7XfJ golang.org/x/oauth2 v0.0.0-20201208152858-08078c50e5b5/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A= golang.org/x/oauth2 v0.0.0-20210218202405-ba52d332ba99/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A= golang.org/x/oauth2 v0.0.0-20210514164344-f6687ab2804c/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A= -golang.org/x/oauth2 v0.0.0-20211104180415-d3ed0bb246c8/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A= golang.org/x/oauth2 v0.0.0-20220223155221-ee480838109b/go.mod h1:DAh4E804XQdzx2j+YRIaUnCqCV2RuMz24cGBJ5QYIrc= golang.org/x/oauth2 v0.3.0/go.mod h1:rQrIauxkUhJ6CuwEXwymO2/eh4xz2ZWF1nBkcxS+tGk= golang.org/x/oauth2 v0.4.0 h1:NF0gk8LVPg1Ml7SSbGyySuoxdsXitj7TvgvuRxIMc/M= 
@@ -1219,7 +1198,6 @@ golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBc golang.org/x/sys v0.0.0-20210616094352-59db8d763f22/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20210629170331-7dc0b73dc9fb/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20210630005230-0f9fa26af87c/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.0.0-20210816183151-1e6c022a8912/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20210906170528-6f6e22806c34/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20210927094055-39ccf1dd6fa6/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20211019181941-9d821ace8654/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= @@ -1252,7 +1230,6 @@ golang.org/x/text v0.3.1-0.20180807135948-17ff2d5776d2/go.mod h1:NqM8EUOU14njkJ3 golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk= golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= golang.org/x/text v0.3.4/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= -golang.org/x/text v0.3.5/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ= golang.org/x/text v0.5.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8= 
@@ -1405,7 +1382,6 @@ google.golang.org/genproto v0.0.0-20200312145019-da6875a35672/go.mod h1:55QSHmfG google.golang.org/genproto v0.0.0-20200331122359-1ee6d9798940/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c= google.golang.org/genproto v0.0.0-20200430143042-b979b6f78d84/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c= google.golang.org/genproto v0.0.0-20200511104702-f5ebc3bea380/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c= -google.golang.org/genproto v0.0.0-20200513103714-09dca8ec2884/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c= google.golang.org/genproto v0.0.0-20200515170657-fc4c6c6a6587/go.mod h1:YsZOwe1myG/8QRHRsmBRE1LrgQY60beZKjly0O1fX9U= google.golang.org/genproto v0.0.0-20200526211855-cb27e3aa2013/go.mod h1:NbSheEEYHJ7i3ixzK3sjbqSGDJWnxyFXZblF3eUsNvo= google.golang.org/genproto v0.0.0-20200618031413-b414f8b61790/go.mod h1:jDfRM7FcilCzHH/e9qn6dsT145K34l5v+OpcnNgKAAA= @@ -1419,8 +1395,6 @@ google.golang.org/genproto v0.0.0-20201210142538-e3217bee35cc/go.mod h1:FWY/as6D google.golang.org/genproto v0.0.0-20201214200347-8c77b98c765d/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= google.golang.org/genproto v0.0.0-20210108203827-ffc7fda8c3d7/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= google.golang.org/genproto v0.0.0-20210226172003-ab064af71705/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= -google.golang.org/genproto v0.0.0-20211118181313-81c1377c94b1/go.mod h1:5CzLGKJ67TSI2B9POpiiyGha0AjJvZIUgRMt1dSmuhc= -google.golang.org/genproto v0.0.0-20220329172620-7be39ac1afc7/go.mod h1:8w6bsBMX6yCPbAVTeqQHvzxW0EIFigd5lZyahWgyfDo= google.golang.org/genproto v0.0.0-20230110181048-76db0878b65f h1:BWUVssLB0HVOSY78gIdvk1dTVYtT1y8SBWtPYuTJ/6w= google.golang.org/genproto v0.0.0-20230110181048-76db0878b65f/go.mod h1:RGgjbofJ8xD9Sq1VVhDM1Vok1vRONV+rg+CjzG4SZKM= google.golang.org/grpc v1.19.0/go.mod h1:mqu4LbDTu4XGKhr4mRzUsmM4RtVoemTSY81AxZiDr8c= 
@@ -1438,14 +1412,9 @@ google.golang.org/grpc v1.29.1/go.mod h1:itym6AZVZYACWQqET3MqgPpjcuV5QH3BxFS3Iji google.golang.org/grpc v1.30.0/go.mod h1:N36X2cJ7JwdamYAgDz+s+rVMFjt3numwzf/HckM8pak= google.golang.org/grpc v1.31.0/go.mod h1:N36X2cJ7JwdamYAgDz+s+rVMFjt3numwzf/HckM8pak= google.golang.org/grpc v1.31.1/go.mod h1:N36X2cJ7JwdamYAgDz+s+rVMFjt3numwzf/HckM8pak= -google.golang.org/grpc v1.33.1/go.mod h1:fr5YgcSWrqhRRxogOsw7RzIpsmvOZ6IcH4kBYTpR3n0= google.golang.org/grpc v1.33.2/go.mod h1:JMHMWHQWaTccqQQlmk3MJZS+GWXOdAesneDmEnv2fbc= google.golang.org/grpc v1.34.0/go.mod h1:WotjhfgOW/POjDeRt8vscBtXq+2VjORFy659qA51WJ8= google.golang.org/grpc v1.35.0/go.mod h1:qjiiYl8FncCW8feJPdyg3v6XW24KsRHe+dy9BAGRRjU= -google.golang.org/grpc v1.36.0/go.mod h1:qjiiYl8FncCW8feJPdyg3v6XW24KsRHe+dy9BAGRRjU= -google.golang.org/grpc v1.40.0/go.mod h1:ogyxbiOoUXAkP+4+xa6PZSE9DZgIHtSpzjDTB9KAK34= -google.golang.org/grpc v1.42.0/go.mod h1:k+4IHHFw41K8+bbowsex27ge2rCb65oeWqe4jJ590SU= -google.golang.org/grpc v1.45.0/go.mod h1:lN7owxKUQEqMfSyQikvvk5tf/6zMPsrK+ONuO11+0rQ= google.golang.org/grpc v1.52.3 h1:pf7sOysg4LdgBqduXveGKrcEwbStiK2rtfghdzlUYDQ= google.golang.org/grpc v1.52.3/go.mod h1:pu6fVzoFb+NBYNAvQL08ic+lvB2IojljRYuun5vorUY= google.golang.org/protobuf v0.0.0-20200109180630-ec00e32a8dfd/go.mod h1:DFci5gLYBciE7Vtevhsrf46CRTquxDuWsQurQQe4oz8= 
@@ -1484,7 +1453,6 @@ gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7/go.mod h1:dt/ZhP58zS4L8KSrWD gopkg.in/yaml.v2 v2.0.0-20170812160011-eb3733d160e7/go.mod h1:JAlM8MvJe8wmxCU4Bli9HhUf9+ttbYbLASfIpnQbh74= gopkg.in/yaml.v2 v2.2.1/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= -gopkg.in/yaml.v2 v2.2.3/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= gopkg.in/yaml.v2 v2.2.4/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= gopkg.in/yaml.v2 v2.2.5/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= gopkg.in/yaml.v2 v2.2.7/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= diff --git a/scripts/get-envoy.bash b/scripts/get-envoy.bash index 36a1a4501..14b3ea590 100755 --- a/scripts/get-envoy.bash +++ b/scripts/get-envoy.bash @@ -5,7 +5,7 @@ PATH="$PATH:$(go env GOPATH)/bin" export PATH _project_root="$(cd "$(dirname "${BASH_SOURCE[0]}")" >/dev/null 2>&1 && pwd)/.." -_envoy_version=1.24.0 +_envoy_version=1.25.0 _dir="$_project_root/pkg/envoy/files" for _target in darwin-amd64 darwin-arm64 linux-amd64 linux-arm64; do