[1.18] make: Bump envoy for recent cve release (#10518) (#10524)

Co-authored-by: Jenny Shu <[email protected]>

Makefile

@@ -54,7 +54,7 @@ SOURCES := $(shell find . -name "*.go" | grep -v test.go)
 # for more information, see https://github.com/solo-io/gloo/pull/9633
 # and
 # https://soloio.slab.com/posts/extended-http-methods-design-doc-40j7pjeu
-ENVOY_GLOO_IMAGE ?= quay.io/solo-io/envoy-gloo:1.31.2-patch3
+ENVOY_GLOO_IMAGE ?= quay.io/solo-io/envoy-gloo:1.31.5-patch1
 LDFLAGS := "-X github.com/solo-io/gloo/pkg/version.Version=$(VERSION)"
 GCFLAGS ?=
 

changelog/v1.18.2/envoy-cve.yaml

@@ -0,0 +1,11 @@
+changelog:
+  - type: DEPENDENCY_BUMP
+    issueLink: https://github.com/solo-io/envoy-gloo-ee/issues/868
+    dependencyOwner: solo-io
+    dependencyRepo: envoy-gloo
+    dependencyTag: v1.31.5-patch1
+    resolvesIssue: false
+    description: >-
+      CVE-2024-53269: Happy Eyeballs: Validate that additional_address are IP addresses instead of crashing when sorting.
+      CVE-2024-53270: HTTP/1: sending overload crashes when the request is reset beforehand
+      CVE-2024-53271: HTTP/1.1 multiple issues with envoy.reloadable_features.http1_balsa_delay_reset

install/helm/gloo/templates/9-gateway-proxy-configmap.yaml

@@ -35,6 +35,9 @@ data:
           upstream:
             healthy_panic_threshold:
               value: {{ $spec.healthyPanicThreshold }}
+          envoy: #  ON_LTS_UPDATE remove the reloadable feature block and this envoy  block
+            reloadable_features:
+              check_switch_protocol_websocket_handshake: false
       - name: admin_layer
         admin_layer: {}
     node:

install/test/fixtures.go

@@ -1,5 +1,6 @@
 package test
 
+// ON_LTS_UPDATE remove the reloadable feature block
 var awsFmtString = `
 layered_runtime:
   layers:
@@ -10,6 +11,9 @@ layered_runtime:
       upstream:
         healthy_panic_threshold:
           value: 50
+      envoy:
+        reloadable_features:
+          check_switch_protocol_websocket_handshake: false
   - name: admin_layer
     admin_layer: {}
 node:
@@ -192,6 +196,9 @@ layered_runtime:
       upstream:
         healthy_panic_threshold:
           value: 50
+      envoy:
+        reloadable_features:
+          check_switch_protocol_websocket_handshake: false
   - name: admin_layer
     admin_layer: {}
 node:
@@ -335,6 +342,9 @@ layered_runtime:
       upstream:
         healthy_panic_threshold:
           value: 50
+      envoy:
+        reloadable_features:
+          check_switch_protocol_websocket_handshake: false
   - name: admin_layer
     admin_layer: {}
 node:
@@ -492,6 +502,9 @@ layered_runtime:
       upstream:
         healthy_panic_threshold:
           value: 50
+      envoy:
+        reloadable_features:
+          check_switch_protocol_websocket_handshake: false
   - name: admin_layer
     admin_layer: {}
 node:
@@ -686,6 +699,9 @@ layered_runtime:
       upstream:
         healthy_panic_threshold:
           value: 50
+      envoy:
+        reloadable_features:
+          check_switch_protocol_websocket_handshake: false
   - name: admin_layer
     admin_layer: {}
 node:

install/test/fixtures/envoy_config/bootstrap_extensions.yaml

@@ -7,6 +7,9 @@ layered_runtime:
       upstream:
         healthy_panic_threshold:
           value: 50
+      envoy:
+        reloadable_features:
+          check_switch_protocol_websocket_handshake: false
   - name: admin_layer
     admin_layer: {}
 node:

install/test/fixtures/envoy_config/custom_static_bootstrap.yaml

@@ -9,6 +9,9 @@ layered_runtime:
         upstream:
           healthy_panic_threshold:
             value: 50
+        envoy:
+          reloadable_features:
+            check_switch_protocol_websocket_handshake: false
     - name: admin_layer
       admin_layer: {}
 node:

install/test/fixtures/envoy_config/overload_manager.yaml

@@ -7,6 +7,9 @@ layered_runtime:
       upstream:
         healthy_panic_threshold:
           value: 50
+      envoy:
+        reloadable_features:
+          check_switch_protocol_websocket_handshake: false
   - name: admin_layer
     admin_layer: {}
 node:

install/test/fixtures/envoy_config/static_clusters.yaml

@@ -7,6 +7,9 @@ layered_runtime:
       upstream:
         healthy_panic_threshold:
           value: 50
+      envoy:
+        reloadable_features:
+          check_switch_protocol_websocket_handshake: false
   - name: admin_layer
     admin_layer: {}
 node:

install/test/fixtures/envoy_config/tcp_keepalive.yaml

@@ -7,6 +7,9 @@ layered_runtime:
         upstream:
           healthy_panic_threshold:
             value: 50
+        envoy:
+          reloadable_features:
+            check_switch_protocol_websocket_handshake: false
     - name: admin_layer
       admin_layer: {}
 node:

install/test/helm_test.go

@@ -2839,7 +2839,7 @@ spec:
 							// This annotation was introduced to resolve https://github.com/solo-io/gloo/issues/8392
 							// It triggers a new rollout of the gateway proxy if the config map it uses changes
 							// As of PR 8733, changing the values of the deployment spec doesn't change the gateway-proxy config map, so it is safe to hardcode the checksum in the tests
-							"checksum/gateway-proxy-envoy-config": "27068cd033014d38f6c77522484e957ab25fa1be34a900a1f5241b8f7d62f525",
+							"checksum/gateway-proxy-envoy-config": "655c76a411d3b9c6035c22ef4432e6a67140bd1c759eaeadd2e72009313a5503",
 						}
 						deploy.Spec.Template.Spec.Volumes = []corev1.Volume{{
 							Name: "envoy-config",
@@ -3661,7 +3661,7 @@ spec:
 						})
 						// Since changing the value of gatewayProxies.gatewayProxy.readConfig changes the gateway-proxy-envoy-config configmap, we need to update the checksum on the deployment as well.
 						// This also doubles as a check to validate that changes in the configmap change the checksum annotation on the deployment which will trigger a rollout.
-						gatewayProxyDeployment.Spec.Template.Annotations["checksum/gateway-proxy-envoy-config"] = "3e431b3dbb3fa7e31cedf9594474ad19e6ecc0e5a7bba59b99cf044d51546eaa"
+						gatewayProxyDeployment.Spec.Template.Annotations["checksum/gateway-proxy-envoy-config"] = "eed6c21fb5769def1b22999826a731539c0cbd2c1baef9139c0c52c86022ce7e"
 
 						testManifest.ExpectDeploymentAppsV1(gatewayProxyDeployment)
 					})

projects/gateway2/helm/gloo-gateway/templates/gateway/proxy-deployment.yaml

@@ -419,6 +419,13 @@ data:
     admin:
       address:
         socket_address: { address: 127.0.0.1, port_value: 19000 }
+    layered_runtime:
+      layers:
+      - name: static_layer
+        static_layer:
+          envoy: #  ON_LTS_UPDATE remove the reloadable feature block and this envoy  block
+            reloadable_features:
+              check_switch_protocol_websocket_handshake: false
     node:
       cluster: {{ include "gloo-gateway.gateway.fullname" . }}.{{ .Release.Namespace }}
       metadata:

test/services/envoy/bootstrap_builder.go

@@ -43,6 +43,7 @@ func (fbb *fileBootstrapBuilder) Build(ei *Instance) string {
 	return b.String()
 }
 
+// ON_LTS_UPDATE remove the reloadable feature block
 const boostrapText = `
 layered_runtime:
   layers:
@@ -51,6 +52,9 @@ layered_runtime:
       upstream:
         healthy_panic_threshold:
           value: 0
+      envoy:
+        reloadable_features:
+          check_switch_protocol_websocket_handshake: false
   - name: admin_layer
     admin_layer: {}
 node: