
Commit 42867b7

nfudenjbohanon
andauthored
1.28 | bazel: update to a newer version of envoy-fork with http2 continuation cve (#322)
* bazel: update to a newer version of envoy-fork with http2 continuation cve * Use private pool cloud build worker (#316) * use 16core private worker * mimic build-bot's repo tag * sub-job tag --------- Co-authored-by: Jacob Bohanon <[email protected]>
1 parent 5ddcf40 commit 42867b7


5 files changed

+27
-9
lines changed


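--- a/bazel/repository_locations.bzl
+++ b/bazel/repository_locations.bzl
@@ -1,7 +1,7 @@
 REPOSITORY_LOCATIONS = dict(
 envoy = dict(
-# envoy 1.28.1 with backported ext_proc updates
-commit = "47d4c36d399b9daae47cd7f6c4d41cf75e7e3ff8",
+# envoy 1.28.2 with backported ext_proc updates
+commit = "3a260838159e2d4ba6d2499e1d6bd6740e55fce5",
 remote = "https://github.com/solo-io/envoy-fork",
 ),
 inja = dict(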
+10
@@ -0,0 +1,10 @@
1+
changelog:
2+
- type: DEPENDENCY_BUMP
3+
dependencyOwner: solo-io
4+
dependencyRepo: envoy-fork
5+
dependencyTag: v1.28.2
6+
resolvesIssue: false
7+
issueLink: https://github.com/solo-io/solo-projects/issues/6008
8+
description: >-
9+
Update Envoy to latest from forked 1.28.2
10+
Tackles the http2 crazy cve CVE-2024-30255

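--- a/ci/cloudbuild.yaml
+++ b/ci/cloudbuild.yaml
@@ -53,14 +53,23 @@ steps:
 - 'TAGGED_VERSION=$TAG_NAME'
 
 options:
-machineType: 'N1_HIGHCPU_32'
+pool:
+name: 'projects/solo-public/locations/us-central1/workerPools/envoy-gloo-runner'
 timeout: 20000s
 
 artifacts:
 objects:
 location: 'gs://solo-public-artifacts.solo.io/envoy/$COMMIT_SHA/'
 paths: ['linux/amd64/build_envoy_release/envoy']
 
+tags:
+- "repo_envoy-gloo"
+# This tag can be used to filter for or out jobs which are spawned by the main job
+# submitted by build-bot. It's somewhat redundant as one could filter on `tags~^pr`
+# to achieve the same effect since that tag is added to main jobs by build-bot,
+# but this is somewhat less esoteric
+- "sub-job"
+
 availableSecrets:
 inline:
 - kmsKeyName: projects/solo-public/locations/global/keyRings/build/cryptoKeys/build-key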
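Review bot: The new `pool:` block under `options:` pins the build to a worker pool in `us-central1`, but nothing records that a private-pool build has to be submitted to the pool's own region. That makes this file depend on the `--region=us-central1` flags added to both `gcloud builds submit` steps in the top-level cloudbuild.yaml, and changing one without the other would presumably make the sub-builds fail at submit time. A comment above `pool:` would make the coupling visible, for example `# private worker pool; region must match --region in /cloudbuild.yaml`. Since this config also declares `availableSecrets` backed by a KMS key, it is worth confirming that the pool's network settings (public egress, any VPC peering) are what you intend for sub-jobs; the comment on the `sub-job` tag suggests these can be spawned from PR builds, and the pool's configuration is not visible from this page.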

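--- a/ci/do_ci.sh
+++ b/ci/do_ci.sh
@@ -31,11 +31,8 @@ fi
 
 export ENVOY_SRCDIR=$SOURCE_DIR
 
-# google cloud build times out when using full throttle.
-export NUM_CPUS=10
-
 # google cloud build doesn't like ipv6
-export BAZEL_EXTRA_TEST_OPTIONS="--test_env=ENVOY_IP_TEST_VERSIONS=v4only --test_output=errors --jobs=${NUM_CPUS}"
+export BAZEL_EXTRA_TEST_OPTIONS="--test_env=ENVOY_IP_TEST_VERSIONS=v4only --test_output=errors"
 
 # We do not need/want to build the Envoy contrib filters so we replace the
 # associated targets with the ENVOY_BUILD values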
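Review bot: With `--jobs=${NUM_CPUS}` dropped from `BAZEL_EXTRA_TEST_OPTIONS`, Bazel falls back to its default job count on whatever machine runs this script, and the deleted comment said Cloud Build timed out at full throttle. The script now silently relies on the private pool's sizing, so the timeout could return if the job runs on a different worker. An optional override would keep that control without forcing a value: `export BAZEL_EXTRA_TEST_OPTIONS="--test_env=ENVOY_IP_TEST_VERSIONS=v4only --test_output=errors ${NUM_CPUS:+--jobs=${NUM_CPUS}}"`. The rest of the script is outside this hunk, so check that nothing else still reads `NUM_CPUS` now that the export is gone.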

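--- a/cloudbuild.yaml
+++ b/cloudbuild.yaml
@@ -1,10 +1,12 @@
 steps:
 
 - name: 'gcr.io/cloud-builders/gcloud'
-args: ['builds','submit','--config=ci/cloudbuild.yaml','--substitutions','TAG_NAME=$TAG_NAME,COMMIT_SHA=$COMMIT_SHA,_BUILD_TYPE=']
+id: "standard"
+args: ['builds','submit','--region=us-central1','--config=ci/cloudbuild.yaml','--substitutions','TAG_NAME=$TAG_NAME,COMMIT_SHA=$COMMIT_SHA,_BUILD_TYPE=']
 
 - name: 'gcr.io/cloud-builders/gcloud'
-args: ['builds','submit','--config=ci/cloudbuild.yaml','--substitutions','COMMIT_SHA=$COMMIT_SHA,_BUILD_TYPE=clang-asan']
+id: "asan"
+args: ['builds','submit','--region=us-central1','--config=ci/cloudbuild.yaml','--substitutions','COMMIT_SHA=$COMMIT_SHA,_BUILD_TYPE=clang-asan']
 waitFor: ['-']
 
 timeout: 20000s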
