envoy: upgrade to v1.17.1 (#1993)

2025-08-03 00:40:25 +02:00 · 2021-03-17 19:32:58 -06:00 · 2021-03-17 19:32:58 -06:00 · eddabc46c7
commit eddabc46c7
parent 4530a0832b
16 changed files with 213 additions and 274 deletions
--- a/internal/cmd/pomerium/pomerium.go
+++ b/internal/cmd/pomerium/pomerium.go
@ -11,7 +11,7 @@ import (
 	"os/signal"
 	"syscall"

-	envoy_service_auth_v2 "github.com/envoyproxy/go-control-plane/envoy/service/auth/v2"
+	envoy_service_auth_v3 "github.com/envoyproxy/go-control-plane/envoy/service/auth/v3"
 	"golang.org/x/sync/errgroup"

 	"github.com/pomerium/pomerium/authenticate"
@ -189,7 +189,7 @@ func setupAuthorize(src config.Source, controlPlane *controlplane.Server) (*auth
 	if err != nil {
 		return nil, fmt.Errorf("error creating authorize service: %w", err)
 	}
-	envoy_service_auth_v2.RegisterAuthorizationServer(controlPlane.GRPCServer, svc)
+	envoy_service_auth_v3.RegisterAuthorizationServer(controlPlane.GRPCServer, svc)

 	log.Info().Msg("enabled authorize service")
 	src.OnConfigChange(svc.OnConfigChange)
--- a/internal/controlplane/grpc_accesslog.go
+++ b/internal/controlplane/grpc_accesslog.go
@ -3,7 +3,7 @@ package controlplane
 import (
 	"strings"

-	envoy_service_accesslog_v2 "github.com/envoyproxy/go-control-plane/envoy/service/accesslog/v2"
+	envoy_service_accesslog_v3 "github.com/envoyproxy/go-control-plane/envoy/service/accesslog/v3"
 	"github.com/golang/protobuf/ptypes"
 	"github.com/rs/zerolog"

@ -11,11 +11,11 @@ import (
 )

 func (srv *Server) registerAccessLogHandlers() {
-	envoy_service_accesslog_v2.RegisterAccessLogServiceServer(srv.GRPCServer, srv)
+	envoy_service_accesslog_v3.RegisterAccessLogServiceServer(srv.GRPCServer, srv)
 }

 // StreamAccessLogs receives logs from envoy and prints them to stdout.
-func (srv *Server) StreamAccessLogs(stream envoy_service_accesslog_v2.AccessLogService_StreamAccessLogsServer) error {
+func (srv *Server) StreamAccessLogs(stream envoy_service_accesslog_v3.AccessLogService_StreamAccessLogsServer) error {
 	for {
 		msg, err := stream.Recv()
 		if err != nil {
--- a/internal/controlplane/xds.go
+++ b/internal/controlplane/xds.go
@ -89,6 +89,7 @@ func buildAccessLogs(options *config.Options) []*envoy_config_accesslog_v3.Acces
 					},
 				},
 			},
+			TransportApiVersion: envoy_config_core_v3.ApiVersion_V3,
 		},
 	})
 	return []*envoy_config_accesslog_v3.AccessLog{{
--- a/internal/controlplane/xds_listeners.go
+++ b/internal/controlplane/xds_listeners.go
@ -362,6 +362,7 @@ func (srv *Server) buildMainHTTPConnectionManagerFilter(
 			},
 		},
 		IncludePeerCertificate: true,
+		TransportApiVersion:    envoy_config_core_v3.ApiVersion_V3,
 	})

 	extAuthzSetCookieLua := marshalAny(&envoy_extensions_filters_http_lua_v3.Lua{
@ -433,6 +434,10 @@ func (srv *Server) buildMainHTTPConnectionManagerFilter(
 	if err != nil {
 		return nil, err
 	}
+	tracingProvider, err := srv.buildTracingProvider(options)
+	if err != nil {
+		return nil, err
+	}
 	tc := marshalAny(&envoy_http_connection_manager.HttpConnectionManager{
 		CodecType:  envoy_http_connection_manager.HttpConnectionManager_AUTO,
 		StatPrefix: "ingress",
@ -448,6 +453,7 @@ func (srv *Server) buildMainHTTPConnectionManagerFilter(
 		RequestTimeout: ptypes.DurationProto(options.ReadTimeout),
 		Tracing: &envoy_http_connection_manager.HttpConnectionManager_Tracing{
 			RandomSampling: &envoy_type_v3.Percent{Value: options.TracingSampleRate * 100},
+			Provider:       tracingProvider,
 		},
 		// See https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_conn_man/headers#x-forwarded-for
 		UseRemoteAddress: &wrappers.BoolValue{Value: true},
--- a/internal/controlplane/xds_listeners_test.go
+++ b/internal/controlplane/xds_listeners_test.go
@ -128,7 +128,8 @@ func Test_buildMainHTTPConnectionManagerFilter(t *testing.T) {
 								"clusterName": "pomerium-control-plane-grpc"
 							}
 						},
-						"logName": "ingress-http"
+						"logName": "ingress-http",
+						"transportApiVersion": "V3"
 					}
 				}
 			}],
@ -156,7 +157,8 @@ func Test_buildMainHTTPConnectionManagerFilter(t *testing.T) {
 						"includePeerCertificate": true,
 						"statusOnError": {
 							"code": "InternalServerError"
-						}
+						},
+						"transportApiVersion": "V3"
 					}
 				},
 				{
--- a/internal/controlplane/xds_tracing.go
+++ b/internal/controlplane/xds_tracing.go
@ -0,0 +1,62 @@
+package controlplane
+
+import (
+	"fmt"
+
+	envoy_config_trace_v3 "github.com/envoyproxy/go-control-plane/envoy/config/trace/v3"
+	"google.golang.org/protobuf/types/known/anypb"
+
+	"github.com/pomerium/pomerium/config"
+	"github.com/pomerium/pomerium/internal/telemetry/trace"
+)
+
+func (srv *Server) buildTracingProvider(options *config.Options) (*envoy_config_trace_v3.Tracing_Http, error) {
+	tracingOptions, err := config.NewTracingOptions(options)
+	if err != nil {
+		return nil, fmt.Errorf("invalid tracing config: %w", err)
+	}
+
+	switch tracingOptions.Provider {
+	case trace.DatadogTracingProviderName:
+		tracingTC, _ := anypb.New(&envoy_config_trace_v3.DatadogConfig{
+			CollectorCluster: "datadog-apm",
+			ServiceName:      tracingOptions.Service,
+		})
+		return &envoy_config_trace_v3.Tracing_Http{
+			Name: "envoy.tracers.datadog",
+			ConfigType: &envoy_config_trace_v3.Tracing_Http_TypedConfig{
+				TypedConfig: tracingTC,
+			},
+		}, nil
+	case trace.ZipkinTracingProviderName:
+		if tracingOptions.ZipkinEndpoint.String() == "" {
+			return nil, fmt.Errorf("missing zipkin url")
+		}
+
+		tracingTC, _ := anypb.New(
+			&envoy_config_trace_v3.OpenCensusConfig{
+				ZipkinExporterEnabled: true,
+				ZipkinUrl:             tracingOptions.ZipkinEndpoint.String(),
+				IncomingTraceContext: []envoy_config_trace_v3.OpenCensusConfig_TraceContext{
+					envoy_config_trace_v3.OpenCensusConfig_B3,
+					envoy_config_trace_v3.OpenCensusConfig_TRACE_CONTEXT,
+					envoy_config_trace_v3.OpenCensusConfig_CLOUD_TRACE_CONTEXT,
+					envoy_config_trace_v3.OpenCensusConfig_GRPC_TRACE_BIN,
+				},
+				OutgoingTraceContext: []envoy_config_trace_v3.OpenCensusConfig_TraceContext{
+					envoy_config_trace_v3.OpenCensusConfig_B3,
+					envoy_config_trace_v3.OpenCensusConfig_TRACE_CONTEXT,
+					envoy_config_trace_v3.OpenCensusConfig_GRPC_TRACE_BIN,
+				},
+			},
+		)
+		return &envoy_config_trace_v3.Tracing_Http{
+			Name: "envoy.tracers.opencensus",
+			ConfigType: &envoy_config_trace_v3.Tracing_Http_TypedConfig{
+				TypedConfig: tracingTC,
+			},
+		}, nil
+	default:
+		return nil, nil
+	}
+}
--- a/internal/envoy/envoy.go
+++ b/internal/envoy/envoy.go
@ -28,14 +28,12 @@ import (
 	envoy_config_core_v3 "github.com/envoyproxy/go-control-plane/envoy/config/core/v3"
 	envoy_config_endpoint_v3 "github.com/envoyproxy/go-control-plane/envoy/config/endpoint/v3"
 	envoy_config_metrics_v3 "github.com/envoyproxy/go-control-plane/envoy/config/metrics/v3"
-	envoy_config_trace_v3 "github.com/envoyproxy/go-control-plane/envoy/config/trace/v3"
 	"github.com/golang/protobuf/proto"
 	"github.com/google/go-cmp/cmp"
 	"github.com/natefinch/atomic"
 	"github.com/rs/zerolog"
 	"go.opencensus.io/stats/view"
 	"google.golang.org/protobuf/encoding/protojson"
-	"google.golang.org/protobuf/types/known/anypb"
 	"google.golang.org/protobuf/types/known/durationpb"

 	"github.com/pomerium/pomerium/config"
@ -393,10 +391,6 @@ func (srv *Server) buildBootstrapConfig(cfg *config.Config) ([]byte, error) {
 		StatsConfig:      srv.buildStatsConfig(),
 	}

-	if err := srv.addTraceConfig(bcfg); err != nil {
-		return nil, fmt.Errorf("failed to add tracing config: %w", err)
-	}
-
 	jsonBytes, err := protojson.Marshal(proto.MessageV2(bcfg))
 	if err != nil {
 		return nil, err
@ -418,63 +412,6 @@ func (srv *Server) buildStatsConfig() *envoy_config_metrics_v3.StatsConfig {
 	return cfg
 }

-func (srv *Server) addTraceConfig(bootCfg *envoy_config_bootstrap_v3.Bootstrap) error {
-	if !srv.options.tracingOptions.Enabled() {
-		return nil
-	}
-
-	switch srv.options.tracingOptions.Provider {
-	default:
-		return nil
-	case trace.DatadogTracingProviderName:
-		tracingTC, _ := anypb.New(&envoy_config_trace_v3.DatadogConfig{
-			CollectorCluster: "datadog-apm",
-			ServiceName:      srv.options.tracingOptions.Service,
-		})
-		bootCfg.Tracing = &envoy_config_trace_v3.Tracing{
-			Http: &envoy_config_trace_v3.Tracing_Http{
-				Name: "envoy.tracers.datadog",
-				ConfigType: &envoy_config_trace_v3.Tracing_Http_TypedConfig{
-					TypedConfig: tracingTC,
-				},
-			},
-		}
-	case trace.ZipkinTracingProviderName:
-		if srv.options.tracingOptions.ZipkinEndpoint.String() == "" {
-			return fmt.Errorf("missing zipkin url")
-		}
-		// TODO the outbound header list should be configurable when this moves to
-		// HTTPConnectionManager filters
-		tracingTC, _ := anypb.New(
-			&envoy_config_trace_v3.OpenCensusConfig{
-				ZipkinExporterEnabled: true,
-				ZipkinUrl:             srv.options.tracingOptions.ZipkinEndpoint.String(),
-				IncomingTraceContext: []envoy_config_trace_v3.OpenCensusConfig_TraceContext{
-					envoy_config_trace_v3.OpenCensusConfig_B3,
-					envoy_config_trace_v3.OpenCensusConfig_TRACE_CONTEXT,
-					envoy_config_trace_v3.OpenCensusConfig_CLOUD_TRACE_CONTEXT,
-					envoy_config_trace_v3.OpenCensusConfig_GRPC_TRACE_BIN,
-				},
-				OutgoingTraceContext: []envoy_config_trace_v3.OpenCensusConfig_TraceContext{
-					envoy_config_trace_v3.OpenCensusConfig_B3,
-					envoy_config_trace_v3.OpenCensusConfig_TRACE_CONTEXT,
-					envoy_config_trace_v3.OpenCensusConfig_GRPC_TRACE_BIN,
-				},
-			},
-		)
-		bootCfg.Tracing = &envoy_config_trace_v3.Tracing{
-			Http: &envoy_config_trace_v3.Tracing_Http{
-				Name: "envoy.tracers.opencensus",
-				ConfigType: &envoy_config_trace_v3.Tracing_Http_TypedConfig{
-					TypedConfig: tracingTC,
-				},
-			},
-		}
-	}
-
-	return nil
-}
-
 var fileNameAndNumberRE = regexp.MustCompile(`^(\[[a-zA-Z0-9/-_.]+:[0-9]+])\s(.*)$`)

 func (srv *Server) parseLog(line string) (name string, logLevel string, msg string) {
--- a/internal/envoy/envoy_test.go
+++ b/internal/envoy/envoy_test.go
@ -1,83 +1,17 @@
 package envoy

 import (
-	"fmt"
 	"io/ioutil"
-	"net/url"
 	"regexp"
 	"strings"
 	"testing"

-	envoy_config_bootstrap_v3 "github.com/envoyproxy/go-control-plane/envoy/config/bootstrap/v3"
-	"github.com/golang/protobuf/proto"
-	"github.com/nsf/jsondiff"
 	"github.com/rs/zerolog"
-	"github.com/stretchr/testify/assert"
-	"google.golang.org/protobuf/encoding/protojson"

 	"github.com/pomerium/pomerium/config"
-	"github.com/pomerium/pomerium/internal/telemetry/trace"
 	"github.com/pomerium/pomerium/internal/testutil"
 )

-func jsonDump(t *testing.T, m proto.GeneratedMessage) []byte {
-	t.Helper()
-
-	jsonBytes, err := protojson.Marshal(proto.MessageV2(m))
-	if err != nil {
-		t.Fatalf("failed to marshal json: %s", err)
-	}
-	return jsonBytes
-}
-
-func Test_addTraceConfig(t *testing.T) {
-	t.Parallel()
-
-	tests := []struct {
-		name    string
-		opts    *config.TracingOptions
-		want    string
-		wantErr bool
-	}{
-		{
-			"good zipkin",
-			&config.TracingOptions{Provider: trace.ZipkinTracingProviderName, ZipkinEndpoint: &url.URL{Host: "localhost:9411"}},
-			`{"tracing":{"http":{"name":"envoy.tracers.opencensus","typedConfig":{"@type":"type.googleapis.com/envoy.config.trace.v3.OpenCensusConfig","zipkinExporterEnabled":true,"zipkinUrl":"//localhost:9411","incomingTraceContext":["B3","TRACE_CONTEXT","CLOUD_TRACE_CONTEXT","GRPC_TRACE_BIN"],"outgoingTraceContext":["B3","TRACE_CONTEXT","GRPC_TRACE_BIN"]}}}}`,
-			false,
-		},
-		{
-			"good jaeger",
-			&config.TracingOptions{Provider: trace.JaegerTracingProviderName},
-			`{}`,
-			false,
-		},
-		{
-			"bad zipkin",
-			&config.TracingOptions{Provider: trace.ZipkinTracingProviderName, ZipkinEndpoint: &url.URL{}},
-			`{}`,
-			true,
-		},
-	}
-
-	for _, tt := range tests {
-		t.Run(tt.name, func(t *testing.T) {
-			srv := &Server{
-				options: serverOptions{
-					tracingOptions: *tt.opts,
-				},
-			}
-			baseCfg := &envoy_config_bootstrap_v3.Bootstrap{}
-
-			err := srv.addTraceConfig(baseCfg)
-
-			assert.Equal(t, tt.wantErr, err != nil, "unexpected error state")
-
-			diff, diffStr := jsondiff.Compare([]byte(tt.want), jsonDump(t, baseCfg), &jsondiff.Options{})
-			assert.Equal(t, jsondiff.FullMatch, diff, fmt.Sprintf("%s: differences: %s", diff.String(), diffStr))
-		})
-	}
-}
-
 func Test_buildStatsConfig(t *testing.T) {
 	tests := []struct {
 		name string