From eddabc46c70e6dc632ebdc583661bc4e97aa57b0 Mon Sep 17 00:00:00 2001 From: Caleb Doxsey Date: Wed, 17 Mar 2021 19:32:58 -0600 Subject: [PATCH] envoy: upgrade to v1.17.1 (#1993) --- authorize/check_response.go | 58 ++++----- authorize/check_response_test.go | 52 ++++---- authorize/grpc.go | 18 +-- authorize/grpc_test.go | 124 ++++++++++---------- authorize/session_test.go | 16 +-- go.mod | 1 - go.sum | 2 - internal/cmd/pomerium/pomerium.go | 4 +- internal/controlplane/grpc_accesslog.go | 6 +- internal/controlplane/xds.go | 1 + internal/controlplane/xds_listeners.go | 6 + internal/controlplane/xds_listeners_test.go | 6 +- internal/controlplane/xds_tracing.go | 62 ++++++++++ internal/envoy/envoy.go | 63 ---------- internal/envoy/envoy_test.go | 66 ----------- scripts/get-envoy.bash | 2 +- 16 files changed, 213 insertions(+), 274 deletions(-) create mode 100644 internal/controlplane/xds_tracing.go diff --git a/authorize/check_response.go b/authorize/check_response.go index 29cd3d148..1a3faa65a 100644 --- a/authorize/check_response.go +++ b/authorize/check_response.go @@ -7,9 +7,9 @@ import ( "sort" "strings" - envoy_api_v2_core "github.com/envoyproxy/go-control-plane/envoy/api/v2/core" - envoy_service_auth_v2 "github.com/envoyproxy/go-control-plane/envoy/service/auth/v2" - envoy_type "github.com/envoyproxy/go-control-plane/envoy/type" + envoy_config_core_v3 "github.com/envoyproxy/go-control-plane/envoy/config/core/v3" + envoy_service_auth_v3 "github.com/envoyproxy/go-control-plane/envoy/service/auth/v3" + envoy_type_v3 "github.com/envoyproxy/go-control-plane/envoy/type/v3" "github.com/golang/protobuf/ptypes/wrappers" "google.golang.org/genproto/googleapis/rpc/status" "google.golang.org/grpc/codes" 
@@ -20,8 +20,8 @@ import ( "github.com/pomerium/pomerium/internal/urlutil" ) -func (a *Authorize) okResponse(reply *evaluator.Result) *envoy_service_auth_v2.CheckResponse { - var requestHeaders []*envoy_api_v2_core.HeaderValueOption +func (a *Authorize) okResponse(reply *evaluator.Result) *envoy_service_auth_v3.CheckResponse { + var requestHeaders []*envoy_config_core_v3.HeaderValueOption for k, v := range reply.Headers { requestHeaders = append(requestHeaders, mkHeader(k, v, false)) } @@ -29,10 +29,10 @@ func (a *Authorize) okResponse(reply *evaluator.Result) *envoy_service_auth_v2.C sort.Slice(requestHeaders, func(i, j int) bool { return requestHeaders[i].Header.Key < requestHeaders[j].Header.Value }) - return &envoy_service_auth_v2.CheckResponse{ + return &envoy_service_auth_v3.CheckResponse{ Status: &status.Status{Code: int32(codes.OK), Message: reply.Message}, - HttpResponse: &envoy_service_auth_v2.CheckResponse_OkResponse{ - OkResponse: &envoy_service_auth_v2.OkHttpResponse{ + HttpResponse: &envoy_service_auth_v3.CheckResponse_OkResponse{ + OkResponse: &envoy_service_auth_v3.OkHttpResponse{ Headers: requestHeaders, }, }, @@ -40,9 +40,9 @@ func (a *Authorize) okResponse(reply *evaluator.Result) *envoy_service_auth_v2.C } func (a *Authorize) deniedResponse( - in *envoy_service_auth_v2.CheckRequest, + in *envoy_service_auth_v3.CheckRequest, code int32, reason string, headers map[string]string, -) (*envoy_service_auth_v2.CheckResponse, error) { +) (*envoy_service_auth_v3.CheckResponse, error) { returnHTMLError := true inHeaders := in.GetAttributes().GetRequest().GetHttp().GetHeaders() if inHeaders != nil { 
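Review bot: The comparator passed to `sort.Slice` in okResponse (second hunk, unchanged context line) compares a header key with a header value: `requestHeaders[i].Header.Key < requestHeaders[j].Header.Value`. That is not a consistent ordering, so the order of the headers returned to Envoy on an allow decision depends on header contents rather than on header name. Since the function is already being edited for the v3 migration, the line should read `return requestHeaders[i].Header.Key < requestHeaders[j].Header.Key`. okResponse starts in the first hunk on this line and its body continues across the second.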
@@ -56,9 +56,9 @@ func (a *Authorize) deniedResponse( } func (a *Authorize) htmlDeniedResponse( - in *envoy_service_auth_v2.CheckRequest, + in *envoy_service_auth_v3.CheckRequest, code int32, reason string, headers map[string]string, -) (*envoy_service_auth_v2.CheckResponse, error) { +) (*envoy_service_auth_v3.CheckResponse, error) { opts := a.currentOptions.Load() authenticateURL, err := opts.GetAuthenticateURL() if err != nil { @@ -106,19 +106,19 @@ func (a *Authorize) htmlDeniedResponse( log.Error().Err(err).Msg("error executing error template") } - envoyHeaders := []*envoy_api_v2_core.HeaderValueOption{ + envoyHeaders := []*envoy_config_core_v3.HeaderValueOption{ mkHeader("Content-Type", "text/html", false), } for k, v := range headers { envoyHeaders = append(envoyHeaders, mkHeader(k, v, false)) } - return &envoy_service_auth_v2.CheckResponse{ + return &envoy_service_auth_v3.CheckResponse{ Status: &status.Status{Code: int32(codes.PermissionDenied), Message: "Access Denied"}, - HttpResponse: &envoy_service_auth_v2.CheckResponse_DeniedResponse{ - DeniedResponse: &envoy_service_auth_v2.DeniedHttpResponse{ - Status: &envoy_type.HttpStatus{ - Code: envoy_type.StatusCode(code), + HttpResponse: &envoy_service_auth_v3.CheckResponse_DeniedResponse{ + DeniedResponse: &envoy_service_auth_v3.DeniedHttpResponse{ + Status: &envoy_type_v3.HttpStatus{ + Code: envoy_type_v3.StatusCode(code), }, Headers: envoyHeaders, Body: buf.String(), 
@@ -127,20 +127,20 @@ func (a *Authorize) htmlDeniedResponse( }, nil } -func (a *Authorize) plainTextDeniedResponse(code int32, reason string, headers map[string]string) *envoy_service_auth_v2.CheckResponse { - envoyHeaders := []*envoy_api_v2_core.HeaderValueOption{ +func (a *Authorize) plainTextDeniedResponse(code int32, reason string, headers map[string]string) *envoy_service_auth_v3.CheckResponse { + envoyHeaders := []*envoy_config_core_v3.HeaderValueOption{ mkHeader("Content-Type", "text/plain", false), } for k, v := range headers { envoyHeaders = append(envoyHeaders, mkHeader(k, v, false)) } - return &envoy_service_auth_v2.CheckResponse{ + return &envoy_service_auth_v3.CheckResponse{ Status: &status.Status{Code: int32(codes.PermissionDenied), Message: "Access Denied"}, - HttpResponse: &envoy_service_auth_v2.CheckResponse_DeniedResponse{ - DeniedResponse: &envoy_service_auth_v2.DeniedHttpResponse{ - Status: &envoy_type.HttpStatus{ - Code: envoy_type.StatusCode(code), + HttpResponse: &envoy_service_auth_v3.CheckResponse_DeniedResponse{ + DeniedResponse: &envoy_service_auth_v3.DeniedHttpResponse{ + Status: &envoy_type_v3.HttpStatus{ + Code: envoy_type_v3.StatusCode(code), }, Headers: envoyHeaders, Body: reason, @@ -149,7 +149,7 @@ func (a *Authorize) plainTextDeniedResponse(code int32, reason string, headers m } } -func (a *Authorize) redirectResponse(in *envoy_service_auth_v2.CheckRequest) (*envoy_service_auth_v2.CheckResponse, error) { +func (a *Authorize) redirectResponse(in *envoy_service_auth_v3.CheckRequest) (*envoy_service_auth_v3.CheckResponse, error) { opts := a.currentOptions.Load() authenticateURL, err := opts.GetAuthenticateURL() if err != nil { 
@@ -174,9 +174,9 @@ func (a *Authorize) redirectResponse(in *envoy_service_auth_v2.CheckRequest) (*e }) } -func mkHeader(k, v string, shouldAppend bool) *envoy_api_v2_core.HeaderValueOption { - return &envoy_api_v2_core.HeaderValueOption{ - Header: &envoy_api_v2_core.HeaderValue{ +func mkHeader(k, v string, shouldAppend bool) *envoy_config_core_v3.HeaderValueOption { + return &envoy_config_core_v3.HeaderValueOption{ + Header: &envoy_config_core_v3.HeaderValue{ Key: k, Value: v, }, diff --git a/authorize/check_response_test.go b/authorize/check_response_test.go index 0037a2c3c..a73ff9ec8 100644 --- a/authorize/check_response_test.go +++ b/authorize/check_response_test.go @@ -6,9 +6,9 @@ import ( "net/url" "testing" - envoy_api_v2_core "github.com/envoyproxy/go-control-plane/envoy/api/v2/core" - envoy_service_auth_v2 "github.com/envoyproxy/go-control-plane/envoy/service/auth/v2" - envoy_type "github.com/envoyproxy/go-control-plane/envoy/type" + envoy_config_core_v3 "github.com/envoyproxy/go-control-plane/envoy/config/core/v3" + envoy_service_auth_v3 "github.com/envoyproxy/go-control-plane/envoy/service/auth/v3" + envoy_type_v3 "github.com/envoyproxy/go-control-plane/envoy/type/v3" "github.com/stretchr/testify/assert" "github.com/stretchr/testify/require" "google.golang.org/genproto/googleapis/rpc/status" @@ -57,12 +57,12 @@ func TestAuthorize_okResponse(t *testing.T) { tests := []struct { name string reply *evaluator.Result - want *envoy_service_auth_v2.CheckResponse + want *envoy_service_auth_v3.CheckResponse }{ { "ok reply", &evaluator.Result{Status: 0, Message: "ok"}, - &envoy_service_auth_v2.CheckResponse{ + &envoy_service_auth_v3.CheckResponse{ Status: &status.Status{Code: 0, Message: "ok"}, }, }, @@ -75,7 +75,7 @@ func TestAuthorize_okResponse(t *testing.T) { KubernetesServiceAccountToken: "k8s-svc-account", }, }, - &envoy_service_auth_v2.CheckResponse{ + &envoy_service_auth_v3.CheckResponse{ Status: &status.Status{Code: 0, Message: "ok"}, }, }, 
@@ -88,7 +88,7 @@ func TestAuthorize_okResponse(t *testing.T) { KubernetesServiceAccountToken: "k8s-svc-account", }, }, - &envoy_service_auth_v2.CheckResponse{ + &envoy_service_auth_v3.CheckResponse{ Status: &status.Status{Code: 0, Message: "ok"}, }, }, @@ -98,7 +98,7 @@ func TestAuthorize_okResponse(t *testing.T) { Status: 0, Message: "ok", }, - &envoy_service_auth_v2.CheckResponse{ + &envoy_service_auth_v3.CheckResponse{ Status: &status.Status{Code: 0, Message: "ok"}, }, }, @@ -131,11 +131,11 @@ func TestAuthorize_deniedResponse(t *testing.T) { tests := []struct { name string - in *envoy_service_auth_v2.CheckRequest + in *envoy_service_auth_v3.CheckRequest code int32 reason string headers map[string]string - want *envoy_service_auth_v2.CheckResponse + want *envoy_service_auth_v3.CheckResponse }{ { "html denied", @@ -143,14 +143,14 @@ func TestAuthorize_deniedResponse(t *testing.T) { http.StatusBadRequest, "Access Denied", nil, - &envoy_service_auth_v2.CheckResponse{ + &envoy_service_auth_v3.CheckResponse{ Status: &status.Status{Code: int32(codes.PermissionDenied), Message: "Access Denied"}, - HttpResponse: &envoy_service_auth_v2.CheckResponse_DeniedResponse{ - DeniedResponse: &envoy_service_auth_v2.DeniedHttpResponse{ - Status: &envoy_type.HttpStatus{ - Code: envoy_type.StatusCode(codes.InvalidArgument), + HttpResponse: &envoy_service_auth_v3.CheckResponse_DeniedResponse{ + DeniedResponse: &envoy_service_auth_v3.DeniedHttpResponse{ + Status: &envoy_type_v3.HttpStatus{ + Code: envoy_type_v3.StatusCode(codes.InvalidArgument), }, - Headers: []*envoy_api_v2_core.HeaderValueOption{ + Headers: []*envoy_config_core_v3.HeaderValueOption{ mkHeader("Content-Type", "text/html", false), }, Body: "Access Denied", 
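Review bot: The expected value for the "html denied" case (last hunk here) builds the HTTP status from a gRPC code, `Code: envoy_type_v3.StatusCode(codes.InvalidArgument)`, while the input handed to deniedResponse is `http.StatusBadRequest`; the "plain text denied" case in the following hunks repeats it. The two can only agree if the assertion, which is outside these hunks, does not compare the DeniedResponse status, so the HTTP status a client receives on a deny appears to be unasserted. I would write `Code: envoy_type_v3.StatusCode(http.StatusBadRequest)` in both cases and confirm the field is actually compared.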
@@ -160,10 +160,10 @@ func TestAuthorize_deniedResponse(t *testing.T) { }, { "plain text denied", - &envoy_service_auth_v2.CheckRequest{ - Attributes: &envoy_service_auth_v2.AttributeContext{ - Request: &envoy_service_auth_v2.AttributeContext_Request{ - Http: &envoy_service_auth_v2.AttributeContext_HttpRequest{ + &envoy_service_auth_v3.CheckRequest{ + Attributes: &envoy_service_auth_v3.AttributeContext{ + Request: &envoy_service_auth_v3.AttributeContext_Request{ + Http: &envoy_service_auth_v3.AttributeContext_HttpRequest{ Headers: map[string]string{}, }, }, @@ -172,14 +172,14 @@ func TestAuthorize_deniedResponse(t *testing.T) { http.StatusBadRequest, "Access Denied", map[string]string{}, - &envoy_service_auth_v2.CheckResponse{ + &envoy_service_auth_v3.CheckResponse{ Status: &status.Status{Code: int32(codes.PermissionDenied), Message: "Access Denied"}, - HttpResponse: &envoy_service_auth_v2.CheckResponse_DeniedResponse{ - DeniedResponse: &envoy_service_auth_v2.DeniedHttpResponse{ - Status: &envoy_type.HttpStatus{ - Code: envoy_type.StatusCode(codes.InvalidArgument), + HttpResponse: &envoy_service_auth_v3.CheckResponse_DeniedResponse{ + DeniedResponse: &envoy_service_auth_v3.DeniedHttpResponse{ + Status: &envoy_type_v3.HttpStatus{ + Code: envoy_type_v3.StatusCode(codes.InvalidArgument), }, - Headers: []*envoy_api_v2_core.HeaderValueOption{ + Headers: []*envoy_config_core_v3.HeaderValueOption{ mkHeader("Content-Type", "text/plain", false), }, Body: "Access Denied", diff --git a/authorize/grpc.go b/authorize/grpc.go index dc67e1d93..41b47b255 100644 --- a/authorize/grpc.go +++ b/authorize/grpc.go 
@@ -24,11 +24,11 @@ import ( "github.com/pomerium/pomerium/pkg/grpc/user" "github.com/pomerium/pomerium/pkg/grpcutil" - envoy_service_auth_v2 "github.com/envoyproxy/go-control-plane/envoy/service/auth/v2" + envoy_service_auth_v3 "github.com/envoyproxy/go-control-plane/envoy/service/auth/v3" ) // Check implements the envoy auth server gRPC endpoint. -func (a *Authorize) Check(ctx context.Context, in *envoy_service_auth_v2.CheckRequest) (*envoy_service_auth_v2.CheckResponse, error) { +func (a *Authorize) Check(ctx context.Context, in *envoy_service_auth_v3.CheckRequest) (*envoy_service_auth_v3.CheckResponse, error) { ctx, span := trace.StartSpan(ctx, "authorize.grpc.Check") defer span.End() @@ -179,7 +179,7 @@ func getForwardAuthURL(r *http.Request) *url.URL { } // isForwardAuth returns if the current request is a forward auth route. -func (a *Authorize) isForwardAuth(req *envoy_service_auth_v2.CheckRequest) bool { +func (a *Authorize) isForwardAuth(req *envoy_service_auth_v3.CheckRequest) bool { opts := a.currentOptions.Load() if opts.ForwardAuthURL == nil { @@ -197,7 +197,7 @@ func (a *Authorize) isForwardAuth(req *envoy_service_auth_v2.CheckRequest) bool } func (a *Authorize) getEvaluatorRequestFromCheckRequest( - in *envoy_service_auth_v2.CheckRequest, + in *envoy_service_auth_v3.CheckRequest, sessionState *sessions.State, ) (*evaluator.Request, error) { requestURL := getCheckRequestURL(in) @@ -261,7 +261,7 @@ func (a *Authorize) getMatchingPolicy(requestURL url.URL) *config.Policy { return nil } -func getHTTPRequestFromCheckRequest(req *envoy_service_auth_v2.CheckRequest) *http.Request { +func getHTTPRequestFromCheckRequest(req *envoy_service_auth_v3.CheckRequest) *http.Request { hattrs := req.GetAttributes().GetRequest().GetHttp() u := getCheckRequestURL(req) hreq := &http.Request{ 
@@ -278,7 +278,7 @@ func getHTTPRequestFromCheckRequest(req *envoy_service_auth_v2.CheckRequest) *ht return hreq } -func getCheckRequestHeaders(req *envoy_service_auth_v2.CheckRequest) map[string]string { +func getCheckRequestHeaders(req *envoy_service_auth_v3.CheckRequest) map[string]string { hdrs := make(map[string]string) ch := req.GetAttributes().GetRequest().GetHttp().GetHeaders() for k, v := range ch { @@ -287,7 +287,7 @@ func getCheckRequestHeaders(req *envoy_service_auth_v2.CheckRequest) map[string] return hdrs } -func getCheckRequestURL(req *envoy_service_auth_v2.CheckRequest) url.URL { +func getCheckRequestURL(req *envoy_service_auth_v3.CheckRequest) url.URL { h := req.GetAttributes().GetRequest().GetHttp() u := url.URL{ Scheme: h.GetScheme(), @@ -305,7 +305,7 @@ func getCheckRequestURL(req *envoy_service_auth_v2.CheckRequest) url.URL { } // getPeerCertificate gets the PEM-encoded peer certificate from the check request -func getPeerCertificate(in *envoy_service_auth_v2.CheckRequest) string { +func getPeerCertificate(in *envoy_service_auth_v3.CheckRequest) string { // ignore the error as we will just return the empty string in that case cert, _ := url.QueryUnescape(in.GetAttributes().GetSource().GetCertificate()) return cert @@ -313,7 +313,7 @@ func getPeerCertificate(in *envoy_service_auth_v2.CheckRequest) string { func logAuthorizeCheck( ctx context.Context, - in *envoy_service_auth_v2.CheckRequest, + in *envoy_service_auth_v3.CheckRequest, reply *evaluator.Result, u *user.User, ) { diff --git a/authorize/grpc_test.go b/authorize/grpc_test.go index d11a0f29d..7c72d0b55 100644 --- a/authorize/grpc_test.go +++ b/authorize/grpc_test.go @@ -6,7 +6,7 @@ import ( "net/url" "testing" - envoy_service_auth_v2 "github.com/envoyproxy/go-control-plane/envoy/service/auth/v2" + envoy_service_auth_v3 "github.com/envoyproxy/go-control-plane/envoy/service/auth/v3" "github.com/golang/protobuf/ptypes" "github.com/google/go-cmp/cmp" "github.com/google/go-cmp/cmp/cmpopts" 
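Review bot: getPeerCertificate (third hunk on this line) still discards the `url.QueryUnescape` error, so a certificate attribute that fails to decode is indistinguishable downstream from a request that presented no client certificate. Returning the empty string is the documented intent, but the decode failure leaves no trace for anyone investigating why a client-certificate policy denied a request. I would keep the return value and record the failure, e.g. `cert, err := url.QueryUnescape(...)` followed by `if err != nil { log.Error().Err(err).Msg("authorize: undecodable peer certificate") }`, assuming this file already has the project's log package in scope as check_response.go does.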
@@ -63,13 +63,13 @@ func Test_getEvaluatorRequest(t *testing.T) { }) actual, err := a.getEvaluatorRequestFromCheckRequest( - &envoy_service_auth_v2.CheckRequest{ - Attributes: &envoy_service_auth_v2.AttributeContext{ - Source: &envoy_service_auth_v2.AttributeContext_Peer{ + &envoy_service_auth_v3.CheckRequest{ + Attributes: &envoy_service_auth_v3.AttributeContext{ + Source: &envoy_service_auth_v3.AttributeContext_Peer{ Certificate: url.QueryEscape(certPEM), }, - Request: &envoy_service_auth_v2.AttributeContext_Request{ - Http: &envoy_service_auth_v2.AttributeContext_HttpRequest{ + Request: &envoy_service_auth_v3.AttributeContext_Request{ + Http: &envoy_service_auth_v3.AttributeContext_HttpRequest{ Id: "id-1234", Method: "GET", Headers: map[string]string{ @@ -110,19 +110,19 @@ func Test_getEvaluatorRequest(t *testing.T) { func Test_handleForwardAuth(t *testing.T) { tests := []struct { name string - checkReq *envoy_service_auth_v2.CheckRequest + checkReq *envoy_service_auth_v3.CheckRequest forwardAuthURL string want bool }{ { name: "enabled", - checkReq: &envoy_service_auth_v2.CheckRequest{ - Attributes: &envoy_service_auth_v2.AttributeContext{ - Source: &envoy_service_auth_v2.AttributeContext_Peer{ + checkReq: &envoy_service_auth_v3.CheckRequest{ + Attributes: &envoy_service_auth_v3.AttributeContext{ + Source: &envoy_service_auth_v3.AttributeContext_Peer{ Certificate: url.QueryEscape(certPEM), }, - Request: &envoy_service_auth_v2.AttributeContext_Request{ - Http: &envoy_service_auth_v2.AttributeContext_HttpRequest{ + Request: &envoy_service_auth_v3.AttributeContext_Request{ + Http: &envoy_service_auth_v3.AttributeContext_HttpRequest{ Method: "GET", Path: "/verify?uri=" + url.QueryEscape("https://example.com/some/path?qs=1"), Host: "forward-auth.example.com", 
@@ -142,13 +142,13 @@ func Test_handleForwardAuth(t *testing.T) { }, { name: "honor x-forwarded-uri set", - checkReq: &envoy_service_auth_v2.CheckRequest{ - Attributes: &envoy_service_auth_v2.AttributeContext{ - Source: &envoy_service_auth_v2.AttributeContext_Peer{ + checkReq: &envoy_service_auth_v3.CheckRequest{ + Attributes: &envoy_service_auth_v3.AttributeContext{ + Source: &envoy_service_auth_v3.AttributeContext_Peer{ Certificate: url.QueryEscape(certPEM), }, - Request: &envoy_service_auth_v2.AttributeContext_Request{ - Http: &envoy_service_auth_v2.AttributeContext_HttpRequest{ + Request: &envoy_service_auth_v3.AttributeContext_Request{ + Http: &envoy_service_auth_v3.AttributeContext_HttpRequest{ Method: "GET", Path: "/", Host: "forward-auth.example.com", @@ -167,13 +167,13 @@ func Test_handleForwardAuth(t *testing.T) { }, { name: "request with invalid forward auth url", - checkReq: &envoy_service_auth_v2.CheckRequest{ - Attributes: &envoy_service_auth_v2.AttributeContext{ - Source: &envoy_service_auth_v2.AttributeContext_Peer{ + checkReq: &envoy_service_auth_v3.CheckRequest{ + Attributes: &envoy_service_auth_v3.AttributeContext{ + Source: &envoy_service_auth_v3.AttributeContext_Peer{ Certificate: url.QueryEscape(certPEM), }, - Request: &envoy_service_auth_v2.AttributeContext_Request{ - Http: &envoy_service_auth_v2.AttributeContext_HttpRequest{ + Request: &envoy_service_auth_v3.AttributeContext_Request{ + Http: &envoy_service_auth_v3.AttributeContext_HttpRequest{ Method: "GET", Path: "/verify?uri=" + url.QueryEscape("https://example.com?q=foo"), Host: "fake-forward-auth.example.com", 
@@ -187,13 +187,13 @@ func Test_handleForwardAuth(t *testing.T) { }, { name: "request with invalid path", - checkReq: &envoy_service_auth_v2.CheckRequest{ - Attributes: &envoy_service_auth_v2.AttributeContext{ - Source: &envoy_service_auth_v2.AttributeContext_Peer{ + checkReq: &envoy_service_auth_v3.CheckRequest{ + Attributes: &envoy_service_auth_v3.AttributeContext{ + Source: &envoy_service_auth_v3.AttributeContext_Peer{ Certificate: url.QueryEscape(certPEM), }, - Request: &envoy_service_auth_v2.AttributeContext_Request{ - Http: &envoy_service_auth_v2.AttributeContext_HttpRequest{ + Request: &envoy_service_auth_v3.AttributeContext_Request{ + Http: &envoy_service_auth_v3.AttributeContext_HttpRequest{ Method: "GET", Path: "/foo?uri=" + url.QueryEscape("https://example.com?q=foo"), Host: "forward-auth.example.com", @@ -207,13 +207,13 @@ func Test_handleForwardAuth(t *testing.T) { }, { name: "request with empty uri", - checkReq: &envoy_service_auth_v2.CheckRequest{ - Attributes: &envoy_service_auth_v2.AttributeContext{ - Source: &envoy_service_auth_v2.AttributeContext_Peer{ + checkReq: &envoy_service_auth_v3.CheckRequest{ + Attributes: &envoy_service_auth_v3.AttributeContext{ + Source: &envoy_service_auth_v3.AttributeContext_Peer{ Certificate: url.QueryEscape(certPEM), }, - Request: &envoy_service_auth_v2.AttributeContext_Request{ - Http: &envoy_service_auth_v2.AttributeContext_HttpRequest{ + Request: &envoy_service_auth_v3.AttributeContext_Request{ + Http: &envoy_service_auth_v3.AttributeContext_HttpRequest{ Method: "GET", Path: "/verify?uri=", Host: "forward-auth.example.com", 
@@ -227,13 +227,13 @@ func Test_handleForwardAuth(t *testing.T) { }, { name: "request with invalid uri", - checkReq: &envoy_service_auth_v2.CheckRequest{ - Attributes: &envoy_service_auth_v2.AttributeContext{ - Source: &envoy_service_auth_v2.AttributeContext_Peer{ + checkReq: &envoy_service_auth_v3.CheckRequest{ + Attributes: &envoy_service_auth_v3.AttributeContext{ + Source: &envoy_service_auth_v3.AttributeContext_Peer{ Certificate: url.QueryEscape(certPEM), }, - Request: &envoy_service_auth_v2.AttributeContext_Request{ - Http: &envoy_service_auth_v2.AttributeContext_HttpRequest{ + Request: &envoy_service_auth_v3.AttributeContext_Request{ + Http: &envoy_service_auth_v3.AttributeContext_HttpRequest{ Method: "GET", Path: "/verify?uri= http://example.com/foo", Host: "forward-auth.example.com", @@ -279,13 +279,13 @@ func Test_getEvaluatorRequestWithPortInHostHeader(t *testing.T) { }}, }) - actual, err := a.getEvaluatorRequestFromCheckRequest(&envoy_service_auth_v2.CheckRequest{ - Attributes: &envoy_service_auth_v2.AttributeContext{ - Source: &envoy_service_auth_v2.AttributeContext_Peer{ + actual, err := a.getEvaluatorRequestFromCheckRequest(&envoy_service_auth_v3.CheckRequest{ + Attributes: &envoy_service_auth_v3.AttributeContext{ + Source: &envoy_service_auth_v3.AttributeContext_Peer{ Certificate: url.QueryEscape(certPEM), }, - Request: &envoy_service_auth_v2.AttributeContext_Request{ - Http: &envoy_service_auth_v2.AttributeContext_HttpRequest{ + Request: &envoy_service_auth_v3.AttributeContext_Request{ + Http: &envoy_service_auth_v3.AttributeContext_HttpRequest{ Id: "id-1234", Method: "GET", Headers: map[string]string{ 
@@ -473,25 +473,25 @@ func TestAuthorize_Check(t *testing.T) { a.currentOptions.Store(&config.Options{ForwardAuthURL: mustParseURL("https://forward-auth.example.com")}) cmpOpts := []cmp.Option{ - cmpopts.IgnoreUnexported(envoy_service_auth_v2.CheckResponse{}), + cmpopts.IgnoreUnexported(envoy_service_auth_v3.CheckResponse{}), cmpopts.IgnoreUnexported(status.Status{}), - cmpopts.IgnoreTypes(envoy_service_auth_v2.DeniedHttpResponse{}), + cmpopts.IgnoreTypes(envoy_service_auth_v3.DeniedHttpResponse{}), } tests := []struct { name string - in *envoy_service_auth_v2.CheckRequest - want *envoy_service_auth_v2.CheckResponse + in *envoy_service_auth_v3.CheckRequest + want *envoy_service_auth_v3.CheckResponse wantErr bool }{ { "basic deny", - &envoy_service_auth_v2.CheckRequest{ - Attributes: &envoy_service_auth_v2.AttributeContext{ - Source: &envoy_service_auth_v2.AttributeContext_Peer{ + &envoy_service_auth_v3.CheckRequest{ + Attributes: &envoy_service_auth_v3.AttributeContext{ + Source: &envoy_service_auth_v3.AttributeContext_Peer{ Certificate: url.QueryEscape(certPEM), }, - Request: &envoy_service_auth_v2.AttributeContext_Request{ - Http: &envoy_service_auth_v2.AttributeContext_HttpRequest{ + Request: &envoy_service_auth_v3.AttributeContext_Request{ + Http: &envoy_service_auth_v3.AttributeContext_HttpRequest{ Id: "id-1234", Method: "GET", Headers: map[string]string{ 
@@ -506,23 +506,23 @@ func TestAuthorize_Check(t *testing.T) { }, }, }, - &envoy_service_auth_v2.CheckResponse{ + &envoy_service_auth_v3.CheckResponse{ Status: &status.Status{Code: 7, Message: "Access Denied"}, - HttpResponse: &envoy_service_auth_v2.CheckResponse_DeniedResponse{ - DeniedResponse: &envoy_service_auth_v2.DeniedHttpResponse{}, + HttpResponse: &envoy_service_auth_v3.CheckResponse_DeniedResponse{ + DeniedResponse: &envoy_service_auth_v3.DeniedHttpResponse{}, }, }, false, }, { "basic forward-auth deny", - &envoy_service_auth_v2.CheckRequest{ - Attributes: &envoy_service_auth_v2.AttributeContext{ - Source: &envoy_service_auth_v2.AttributeContext_Peer{ + &envoy_service_auth_v3.CheckRequest{ + Attributes: &envoy_service_auth_v3.AttributeContext{ + Source: &envoy_service_auth_v3.AttributeContext_Peer{ Certificate: url.QueryEscape(certPEM), }, - Request: &envoy_service_auth_v2.AttributeContext_Request{ - Http: &envoy_service_auth_v2.AttributeContext_HttpRequest{ + Request: &envoy_service_auth_v3.AttributeContext_Request{ + Http: &envoy_service_auth_v3.AttributeContext_HttpRequest{ Method: "GET", Path: "/verify?uri=" + url.QueryEscape("https://example.com/some/path?qs=1"), Host: "forward-auth.example.com", @@ -531,10 +531,10 @@ func TestAuthorize_Check(t *testing.T) { }, }, }, - &envoy_service_auth_v2.CheckResponse{ + &envoy_service_auth_v3.CheckResponse{ Status: &status.Status{Code: 7, Message: "Access Denied"}, - HttpResponse: &envoy_service_auth_v2.CheckResponse_DeniedResponse{ - DeniedResponse: &envoy_service_auth_v2.DeniedHttpResponse{}, + HttpResponse: &envoy_service_auth_v3.CheckResponse_DeniedResponse{ + DeniedResponse: &envoy_service_auth_v3.DeniedHttpResponse{}, }, }, false, diff --git a/authorize/session_test.go b/authorize/session_test.go index 798495487..fbe5a75f5 100644 --- a/authorize/session_test.go +++ b/authorize/session_test.go 
@@ -5,7 +5,7 @@ import ( "regexp" "testing" - envoy_service_auth_v2 "github.com/envoyproxy/go-control-plane/envoy/service/auth/v2" + envoy_service_auth_v3 "github.com/envoyproxy/go-control-plane/envoy/service/auth/v3" "github.com/stretchr/testify/assert" "github.com/pomerium/pomerium/config" @@ -25,10 +25,10 @@ func TestLoadSession(t *testing.T) { return } - load := func(t *testing.T, hattrs *envoy_service_auth_v2.AttributeContext_HttpRequest) (*sessions.State, error) { - req := getHTTPRequestFromCheckRequest(&envoy_service_auth_v2.CheckRequest{ - Attributes: &envoy_service_auth_v2.AttributeContext{ - Request: &envoy_service_auth_v2.AttributeContext_Request{ + load := func(t *testing.T, hattrs *envoy_service_auth_v3.AttributeContext_HttpRequest) (*sessions.State, error) { + req := getHTTPRequestFromCheckRequest(&envoy_service_auth_v3.CheckRequest{ + Attributes: &envoy_service_auth_v3.AttributeContext{ + Request: &envoy_service_auth_v3.AttributeContext_Request{ Http: hattrs, }, }, @@ -56,7 +56,7 @@ func TestLoadSession(t *testing.T) { } cookie := regexp.MustCompile(`^([^;]+)(;.*)?$`).ReplaceAllString(hdrs["Set-Cookie"], "$1") - hattrs := &envoy_service_auth_v2.AttributeContext_HttpRequest{ + hattrs := &envoy_service_auth_v3.AttributeContext_HttpRequest{ Id: "req-1", Method: "GET", Headers: map[string]string{ @@ -71,7 +71,7 @@ func TestLoadSession(t *testing.T) { assert.NotNil(t, sess) }) t.Run("header", func(t *testing.T) { - hattrs := &envoy_service_auth_v2.AttributeContext_HttpRequest{ + hattrs := &envoy_service_auth_v3.AttributeContext_HttpRequest{ Id: "req-1", Method: "GET", Headers: map[string]string{ @@ -86,7 +86,7 @@ func TestLoadSession(t *testing.T) { assert.NotNil(t, sess) }) t.Run("query param", func(t *testing.T) { - hattrs := &envoy_service_auth_v2.AttributeContext_HttpRequest{ + hattrs := &envoy_service_auth_v3.AttributeContext_HttpRequest{ Id: "req-1", Method: "GET", Path: "/hello/world?" + url.Values{ 
diff --git a/go.mod b/go.mod index 78dc23e1c..0d1411e5f 100644 --- a/go.mod +++ b/go.mod @@ -36,7 +36,6 @@ require ( github.com/mitchellh/hashstructure/v2 v2.0.1 github.com/mitchellh/mapstructure v1.4.1 github.com/natefinch/atomic v0.0.0-20200526193002-18c0533a5b09 - github.com/nsf/jsondiff v0.0.0-20210303162244-6ea32392771e github.com/onsi/gocleanup v0.0.0-20140331211545-c1a5478700b5 github.com/open-policy-agent/opa v0.27.1 github.com/openzipkin/zipkin-go v0.2.5 diff --git a/go.sum b/go.sum index f63544517..d84b7902f 100644 --- a/go.sum +++ b/go.sum @@ -431,8 +431,6 @@ github.com/nats-io/nats.go v1.9.1/go.mod h1:ZjDU1L/7fJ09jvUSRVBR2e7+RnLiiIQyqyzE github.com/nats-io/nkeys v0.1.0/go.mod h1:xpnFELMwJABBLVhffcfd1MZx6VsNRFpEugbxziKVo7w= github.com/nats-io/nkeys v0.1.3/go.mod h1:xpnFELMwJABBLVhffcfd1MZx6VsNRFpEugbxziKVo7w= github.com/nats-io/nuid v1.0.1/go.mod h1:19wcPz3Ph3q0Jbyiqsd0kePYG7A95tJPxeL+1OSON2c= -github.com/nsf/jsondiff v0.0.0-20210303162244-6ea32392771e h1:S+/ptYdZtpK/MDstwCyt+ZHdXEpz86RJZ5gyZU4txJY= -github.com/nsf/jsondiff v0.0.0-20210303162244-6ea32392771e/go.mod h1:uFMI8w+ref4v2r9jz+c9i1IfIttS/OkmLfrk1jne5hs= github.com/nxadm/tail v1.4.4 h1:DQuhQpB1tVlglWS2hLQ5OV6B5r8aGxSrPc5Qo6uTN78= github.com/nxadm/tail v1.4.4/go.mod h1:kenIhsEOeOJmVchQTgglprH7qJGnHDVpk1VPCcaMI8A= github.com/oklog/oklog v0.3.2/go.mod h1:FCV+B7mhrz4o+ueLpx+KqkyXRGMWOYEvfiXtdGtbWGs= diff --git a/internal/cmd/pomerium/pomerium.go b/internal/cmd/pomerium/pomerium.go index 247caf60f..c3c7f2a44 100644 --- a/internal/cmd/pomerium/pomerium.go +++ b/internal/cmd/pomerium/pomerium.go @@ -11,7 +11,7 @@ import ( "os/signal" "syscall" - envoy_service_auth_v2 "github.com/envoyproxy/go-control-plane/envoy/service/auth/v2" + envoy_service_auth_v3 "github.com/envoyproxy/go-control-plane/envoy/service/auth/v3" "golang.org/x/sync/errgroup" "github.com/pomerium/pomerium/authenticate" 
@@ -189,7 +189,7 @@ func setupAuthorize(src config.Source, controlPlane *controlplane.Server) (*auth if err != nil { return nil, fmt.Errorf("error creating authorize service: %w", err) } - envoy_service_auth_v2.RegisterAuthorizationServer(controlPlane.GRPCServer, svc) + envoy_service_auth_v3.RegisterAuthorizationServer(controlPlane.GRPCServer, svc) log.Info().Msg("enabled authorize service") src.OnConfigChange(svc.OnConfigChange) diff --git a/internal/controlplane/grpc_accesslog.go b/internal/controlplane/grpc_accesslog.go index dece7a945..5fb6507f6 100644 --- a/internal/controlplane/grpc_accesslog.go +++ b/internal/controlplane/grpc_accesslog.go @@ -3,7 +3,7 @@ package controlplane import ( "strings" - envoy_service_accesslog_v2 "github.com/envoyproxy/go-control-plane/envoy/service/accesslog/v2" + envoy_service_accesslog_v3 "github.com/envoyproxy/go-control-plane/envoy/service/accesslog/v3" "github.com/golang/protobuf/ptypes" "github.com/rs/zerolog" @@ -11,11 +11,11 @@ import ( ) func (srv *Server) registerAccessLogHandlers() { - envoy_service_accesslog_v2.RegisterAccessLogServiceServer(srv.GRPCServer, srv) + envoy_service_accesslog_v3.RegisterAccessLogServiceServer(srv.GRPCServer, srv) } // StreamAccessLogs receives logs from envoy and prints them to stdout. -func (srv *Server) StreamAccessLogs(stream envoy_service_accesslog_v2.AccessLogService_StreamAccessLogsServer) error { +func (srv *Server) StreamAccessLogs(stream envoy_service_accesslog_v3.AccessLogService_StreamAccessLogsServer) error { for { msg, err := stream.Recv() if err != nil { diff --git a/internal/controlplane/xds.go b/internal/controlplane/xds.go index 984c4ffc7..0deac20a6 100644 --- a/internal/controlplane/xds.go +++ b/internal/controlplane/xds.go @@ -89,6 +89,7 @@ func buildAccessLogs(options *config.Options) []*envoy_config_accesslog_v3.Acces }, }, }, + TransportApiVersion: envoy_config_core_v3.ApiVersion_V3, }, }) return []*envoy_config_accesslog_v3.AccessLog{{ 
diff --git a/internal/controlplane/xds_listeners.go b/internal/controlplane/xds_listeners.go index 94ba221be..22acaa069 100644 --- a/internal/controlplane/xds_listeners.go +++ b/internal/controlplane/xds_listeners.go @@ -362,6 +362,7 @@ func (srv *Server) buildMainHTTPConnectionManagerFilter( }, }, IncludePeerCertificate: true, + TransportApiVersion: envoy_config_core_v3.ApiVersion_V3, }) extAuthzSetCookieLua := marshalAny(&envoy_extensions_filters_http_lua_v3.Lua{ @@ -433,6 +434,10 @@ func (srv *Server) buildMainHTTPConnectionManagerFilter( if err != nil { return nil, err } + tracingProvider, err := srv.buildTracingProvider(options) + if err != nil { + return nil, err + } tc := marshalAny(&envoy_http_connection_manager.HttpConnectionManager{ CodecType: envoy_http_connection_manager.HttpConnectionManager_AUTO, StatPrefix: "ingress", @@ -448,6 +453,7 @@ func (srv *Server) buildMainHTTPConnectionManagerFilter( RequestTimeout: ptypes.DurationProto(options.ReadTimeout), Tracing: &envoy_http_connection_manager.HttpConnectionManager_Tracing{ RandomSampling: &envoy_type_v3.Percent{Value: options.TracingSampleRate * 100}, + Provider: tracingProvider, }, // See https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_conn_man/headers#x-forwarded-for UseRemoteAddress: &wrappers.BoolValue{Value: true}, diff --git a/internal/controlplane/xds_listeners_test.go b/internal/controlplane/xds_listeners_test.go index 348c115bb..ab8f20c28 100644 --- a/internal/controlplane/xds_listeners_test.go +++ b/internal/controlplane/xds_listeners_test.go @@ -128,7 +128,8 @@ func Test_buildMainHTTPConnectionManagerFilter(t *testing.T) { "clusterName": "pomerium-control-plane-grpc" } }, - "logName": "ingress-http" + "logName": "ingress-http", + "transportApiVersion": "V3" } } }], @@ -156,7 +157,8 @@ func Test_buildMainHTTPConnectionManagerFilter(t *testing.T) { "includePeerCertificate": true, "statusOnError": { "code": "InternalServerError" - } + }, + "transportApiVersion": "V3" } }, { 
diff --git a/internal/controlplane/xds_tracing.go b/internal/controlplane/xds_tracing.go
new file mode 100644
index 000000000..cadda3e11
--- /dev/null
+++ b/internal/controlplane/xds_tracing.go
@@ -0,0 +1,62 @@ +package controlplane + +import ( + "fmt" + + envoy_config_trace_v3 "github.com/envoyproxy/go-control-plane/envoy/config/trace/v3" + "google.golang.org/protobuf/types/known/anypb" + + "github.com/pomerium/pomerium/config" + "github.com/pomerium/pomerium/internal/telemetry/trace" +) + +func (srv *Server) buildTracingProvider(options *config.Options) (*envoy_config_trace_v3.Tracing_Http, error) { + tracingOptions, err := config.NewTracingOptions(options) + if err != nil { + return nil, fmt.Errorf("invalid tracing config: %w", err) + } + + switch tracingOptions.Provider { + case trace.DatadogTracingProviderName: + tracingTC, _ := anypb.New(&envoy_config_trace_v3.DatadogConfig{ + CollectorCluster: "datadog-apm", + ServiceName: tracingOptions.Service, + }) + return &envoy_config_trace_v3.Tracing_Http{ + Name: "envoy.tracers.datadog", + ConfigType: &envoy_config_trace_v3.Tracing_Http_TypedConfig{ + TypedConfig: tracingTC, + }, + }, nil + case trace.ZipkinTracingProviderName: + if tracingOptions.ZipkinEndpoint.String() == "" { + return nil, fmt.Errorf("missing zipkin url") + } + + tracingTC, _ := anypb.New( + &envoy_config_trace_v3.OpenCensusConfig{ + ZipkinExporterEnabled: true, + ZipkinUrl: tracingOptions.ZipkinEndpoint.String(), + IncomingTraceContext: []envoy_config_trace_v3.OpenCensusConfig_TraceContext{ + envoy_config_trace_v3.OpenCensusConfig_B3, + envoy_config_trace_v3.OpenCensusConfig_TRACE_CONTEXT, + envoy_config_trace_v3.OpenCensusConfig_CLOUD_TRACE_CONTEXT, + envoy_config_trace_v3.OpenCensusConfig_GRPC_TRACE_BIN, + }, + OutgoingTraceContext: []envoy_config_trace_v3.OpenCensusConfig_TraceContext{ + envoy_config_trace_v3.OpenCensusConfig_B3, + envoy_config_trace_v3.OpenCensusConfig_TRACE_CONTEXT, + envoy_config_trace_v3.OpenCensusConfig_GRPC_TRACE_BIN, + }, + }, + ) + return &envoy_config_trace_v3.Tracing_Http{ + Name: "envoy.tracers.opencensus", + ConfigType: &envoy_config_trace_v3.Tracing_Http_TypedConfig{ + TypedConfig: tracingTC, + }, + }, 
nil + default: + return nil, nil + } +} diff --git a/internal/envoy/envoy.go b/internal/envoy/envoy.go index 7ad59c6bb..64b4de56a 100644 --- a/internal/envoy/envoy.go +++ b/internal/envoy/envoy.go @@ -28,14 +28,12 @@ import ( envoy_config_core_v3 "github.com/envoyproxy/go-control-plane/envoy/config/core/v3" envoy_config_endpoint_v3 "github.com/envoyproxy/go-control-plane/envoy/config/endpoint/v3" envoy_config_metrics_v3 "github.com/envoyproxy/go-control-plane/envoy/config/metrics/v3" - envoy_config_trace_v3 "github.com/envoyproxy/go-control-plane/envoy/config/trace/v3" "github.com/golang/protobuf/proto" "github.com/google/go-cmp/cmp" "github.com/natefinch/atomic" "github.com/rs/zerolog" "go.opencensus.io/stats/view" "google.golang.org/protobuf/encoding/protojson" - "google.golang.org/protobuf/types/known/anypb" "google.golang.org/protobuf/types/known/durationpb" "github.com/pomerium/pomerium/config" @@ -393,10 +391,6 @@ func (srv *Server) buildBootstrapConfig(cfg *config.Config) ([]byte, error) { StatsConfig: srv.buildStatsConfig(), } - if err := srv.addTraceConfig(bcfg); err != nil { - return nil, fmt.Errorf("failed to add tracing config: %w", err) - } - jsonBytes, err := protojson.Marshal(proto.MessageV2(bcfg)) if err != nil { return nil, err 
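Review bot: Both `anypb.New` calls in buildTracingProvider (the Datadog and Zipkin cases in xds_tracing.go) discard their error with `tracingTC, _ := anypb.New(...)`, so a marshalling failure would return a provider whose TypedConfig is nil instead of failing the listener build; the function already returns an error, so each case can use `tracingTC, err := anypb.New(...)` followed by `if err != nil { return nil, err }`. The Zipkin case calls `tracingOptions.ZipkinEndpoint.String()` with no nil check; the deleted test builds that field as `&url.URL{}`, so it appears to be a pointer, and unless config.NewTracingOptions always sets it for this provider the guard should read `if tracingOptions.ZipkinEndpoint == nil || tracingOptions.ZipkinEndpoint.String() == ""`. The TODO about making the outbound trace header list configurable was dropped in the move although `OutgoingTraceContext` is still hard-coded, so it is worth keeping as a comment above that field. Test_addTraceConfig is deleted in this commit and the diffstat lists no test file for the new function, which leaves the missing-URL error and the nil default uncovered.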
@@ -418,63 +412,6 @@ func (srv *Server) buildStatsConfig() *envoy_config_metrics_v3.StatsConfig {
 return cfg
 }

-func (srv *Server) addTraceConfig(bootCfg *envoy_config_bootstrap_v3.Bootstrap) error {
- if !srv.options.tracingOptions.Enabled() {
- return nil
- }
-
- switch srv.options.tracingOptions.Provider {
- default:
- return nil
- case trace.DatadogTracingProviderName:
- tracingTC, _ := anypb.New(&envoy_config_trace_v3.DatadogConfig{
- CollectorCluster: "datadog-apm",
- ServiceName: srv.options.tracingOptions.Service,
- })
- bootCfg.Tracing = &envoy_config_trace_v3.Tracing{
- Http: &envoy_config_trace_v3.Tracing_Http{
- Name: "envoy.tracers.datadog",
- ConfigType: &envoy_config_trace_v3.Tracing_Http_TypedConfig{
- TypedConfig: tracingTC,
- },
- },
- }
- case trace.ZipkinTracingProviderName:
- if srv.options.tracingOptions.ZipkinEndpoint.String() == "" {
- return fmt.Errorf("missing zipkin url")
- }
- // TODO the outbound header list should be configurable when this moves to
- // HTTPConnectionManager filters
- tracingTC, _ := anypb.New(
- &envoy_config_trace_v3.OpenCensusConfig{
- ZipkinExporterEnabled: true,
- ZipkinUrl: srv.options.tracingOptions.ZipkinEndpoint.String(),
- IncomingTraceContext: []envoy_config_trace_v3.OpenCensusConfig_TraceContext{
- envoy_config_trace_v3.OpenCensusConfig_B3,
- envoy_config_trace_v3.OpenCensusConfig_TRACE_CONTEXT,
- envoy_config_trace_v3.OpenCensusConfig_CLOUD_TRACE_CONTEXT,
- envoy_config_trace_v3.OpenCensusConfig_GRPC_TRACE_BIN,
- },
- OutgoingTraceContext: []envoy_config_trace_v3.OpenCensusConfig_TraceContext{
- envoy_config_trace_v3.OpenCensusConfig_B3,
- envoy_config_trace_v3.OpenCensusConfig_TRACE_CONTEXT,
- envoy_config_trace_v3.OpenCensusConfig_GRPC_TRACE_BIN,
- },
- },
- )
- bootCfg.Tracing = &envoy_config_trace_v3.Tracing{
- Http: &envoy_config_trace_v3.Tracing_Http{
- Name: "envoy.tracers.opencensus",
- ConfigType: &envoy_config_trace_v3.Tracing_Http_TypedConfig{
- TypedConfig: tracingTC,
- },
- },
- }
- }
-
- return nil
-}
-
 var fileNameAndNumberRE = regexp.MustCompile(`^(\[[a-zA-Z0-9/-_.]+:[0-9]+])\s(.*)$`)

 func (srv *Server) parseLog(line string) (name string, logLevel string, msg string) {
diff --git a/internal/envoy/envoy_test.go b/internal/envoy/envoy_test.go
index 944479b24..7e181ae69 100644
--- a/internal/envoy/envoy_test.go
+++ b/internal/envoy/envoy_test.go
@@ -1,83 +1,17 @@
 package envoy

 import (
- "fmt"
 "io/ioutil"
- "net/url"
 "regexp"
 "strings"
 "testing"

- envoy_config_bootstrap_v3 "github.com/envoyproxy/go-control-plane/envoy/config/bootstrap/v3"
- "github.com/golang/protobuf/proto"
- "github.com/nsf/jsondiff"
 "github.com/rs/zerolog"
- "github.com/stretchr/testify/assert"
- "google.golang.org/protobuf/encoding/protojson"

 "github.com/pomerium/pomerium/config"
- "github.com/pomerium/pomerium/internal/telemetry/trace"
 "github.com/pomerium/pomerium/internal/testutil"
 )

-func jsonDump(t *testing.T, m proto.GeneratedMessage) []byte {
- t.Helper()
-
- jsonBytes, err := protojson.Marshal(proto.MessageV2(m))
- if err != nil {
- t.Fatalf("failed to marshal json: %s", err)
- }
- return jsonBytes
-}
-
-func Test_addTraceConfig(t *testing.T) {
- t.Parallel()
-
- tests := []struct {
- name string
- opts *config.TracingOptions
- want string
- wantErr bool
- }{
- {
- "good zipkin",
- &config.TracingOptions{Provider: trace.ZipkinTracingProviderName, ZipkinEndpoint: &url.URL{Host: "localhost:9411"}},
- `{"tracing":{"http":{"name":"envoy.tracers.opencensus","typedConfig":{"@type":"type.googleapis.com/envoy.config.trace.v3.OpenCensusConfig","zipkinExporterEnabled":true,"zipkinUrl":"//localhost:9411","incomingTraceContext":["B3","TRACE_CONTEXT","CLOUD_TRACE_CONTEXT","GRPC_TRACE_BIN"],"outgoingTraceContext":["B3","TRACE_CONTEXT","GRPC_TRACE_BIN"]}}}}`,
- false,
- },
- {
- "good jaeger",
- &config.TracingOptions{Provider: trace.JaegerTracingProviderName},
- `{}`,
- false,
- },
- {
- "bad zipkin",
- &config.TracingOptions{Provider: trace.ZipkinTracingProviderName, ZipkinEndpoint: &url.URL{}},
- `{}`,
- true,
- },
- }
-
- for _, tt := range tests {
- t.Run(tt.name, func(t *testing.T) {
- srv := &Server{
- options: serverOptions{
- tracingOptions: *tt.opts,
- },
- }
- baseCfg := &envoy_config_bootstrap_v3.Bootstrap{}
-
- err := srv.addTraceConfig(baseCfg)
-
- assert.Equal(t, tt.wantErr, err != nil, "unexpected error state")
-
- diff, diffStr := jsondiff.Compare([]byte(tt.want), jsonDump(t, baseCfg), &jsondiff.Options{})
- assert.Equal(t, jsondiff.FullMatch, diff, fmt.Sprintf("%s: differences: %s", diff.String(), diffStr))
- })
- }
-}
-
 func Test_buildStatsConfig(t *testing.T) {
 tests := []struct {
 name string
diff --git a/scripts/get-envoy.bash b/scripts/get-envoy.bash
index c39d8a8b2..00d873737 100755
--- a/scripts/get-envoy.bash
+++ b/scripts/get-envoy.bash
@@ -4,7 +4,7 @@ set -euo pipefail
 PATH="$PATH:$(go env GOPATH)/bin"
 export PATH
-_envoy_version=1.16.2
+_envoy_version=1.17.1
 _dir="$(cd "$(dirname "${BASH_SOURCE[0]}")" >/dev/null 2>&1 && pwd)/../bin"
 _target="${TARGET:-"$(go env GOOS)_$(go env GOARCH)"}"