
Upgrade envoyproxy to 1.16.2
Closed, ResolvedPublic

Description

As part of the evaluation of envoy as a suitable TLS termination layer for the Traffic Team we need to upgrade it to version 1.16.2.

We need 1.16.0 because it ships OCSP stapling support (https://www.envoyproxy.io/docs/envoy/v1.16.2/version_history/v1.16.0):

1.16.0 changelog excerpt
tls: added OCSP stapling support through the ocsp_staple and ocsp_staple_policy configuration options. See OCSP Stapling for usage and runtime flags.

1.16.1 ships a TLS fix and 1.16.2 an HTTP/1.1 parsing fix, so I strongly recommend targeting 1.16.2:

1.16.1 changelog excerpt
tls: fix read resumption after triggering buffer high-watermark and all remaining request/response bytes are stored in the SSL connection’s internal buffers.
1.16.2 changelog excerpt
http: fixed URL parsing for HTTP/1.1 fully qualified URLs and connect requests containing IPv6 addresses.

Event Timeline

Restricted Application added a subscriber: Aklapper.
Vgutierrez triaged this task as Medium priority.Jan 7 2021, 11:13 AM
Vgutierrez moved this task from Backlog to TLS on the Traffic board.

There are some issues with the Python requirements of envoy 1.16.2, as it requires Python 3.6 or higher and clearly the building environment isn't fulfilling the requirement. So a tiny workaround is required to build 1.16.2 on builder-envoy-03:

the error
generating docs...
Traceback (most recent call last):
  File "tools/dependency/validate_test.py", line 6, in <module>
    import validate
  File "/source/tools/dependency/validate.py", line 90
    deps_query = ' union '.join(f'deps({l})' for l in targets)
                                           ^
SyntaxError: invalid syntax
the workaround
diff --git a/ci/do_ci.sh b/ci/do_ci.sh
index bda21807..526aa839 100755
--- a/ci/do_ci.sh
+++ b/ci/do_ci.sh
@@ -411,8 +411,8 @@ elif [[ "$CI_TARGET" == "fix_spelling_pedantic" ]]; then
 elif [[ "$CI_TARGET" == "docs" ]]; then
   echo "generating docs..."
   # Validate dependency relationships between core/extensions and external deps.
-  tools/dependency/validate_test.py
-  tools/dependency/validate.py
+#  tools/dependency/validate_test.py
+#  tools/dependency/validate.py
   # Build docs.
   BAZEL_BUILD_OPTIONS="${BAZEL_BUILD_OPTIONS[*]}" docs/build.sh
   exit 0
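Review bot: commenting out the two tools/dependency/validate*.py calls drops the dependency-relationship check entirely while the comment directly above them ("# Validate dependency relationships between core/extensions and external deps.") still claims the docs target performs it, so the build now passes without that validation and nothing in the script says so. Since the traceback above is a SyntaxError on an f-string, i.e. the scripts were run by an interpreter older than Python 3.6, consider guarding the two calls on the interpreter version (or running them with a 3.6+ interpreter) instead of disabling them; if the skip is kept as a builder-specific workaround, update that comment to state that the validation is skipped and why.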

@Vgutierrez we can create a new building env based on buster I think, that's much better as an option.

I suggest activating the configuration option
accept_http_10
(bool) Handle incoming HTTP/1.0 and HTTP 0.9 requests. This is off by default, and not fully standards compliant. There is support for pre-HTTP/1.1 style connect logic, dechunking, and handling lack of client host iff
because the PHP function file_get_contents() uses protocol HTTP/1.0
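For reference, the two settings discussed in this task live at different levels of an Envoy listener: the ocsp_staple and ocsp_staple_policy fields from the 1.16.0 changelog belong to the downstream TLS transport socket, while accept_http_10 belongs to the HTTP connection manager's http_protocol_options. The fragment below is an added illustration, not configuration from this task or from the deployment it describes; the listener name, stat prefix, file paths, domain and cluster name are assumptions. Because accept_http_10 relaxes parsing for pre-HTTP/1.1 requests and is off by default, it is shown as an explicit opt-in next to the stapling policy rather than as a default to copy.

```yaml
# Added example (not from the task): Envoy v1.16.x static listener showing
# where OCSP stapling and HTTP/1.0 acceptance are configured.
static_resources:
  listeners:
  - name: https_ingress            # assumed name
    address:
      socket_address: { address: 0.0.0.0, port_value: 443 }
    filter_chains:
    - transport_socket:
        name: envoy.transport_sockets.tls
        typed_config:
          "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext
          common_tls_context:
            tls_certificates:
            - certificate_chain: { filename: /etc/envoy/ssl/example.org.crt }  # assumed path
              private_key:       { filename: /etc/envoy/ssl/example.org.key }  # assumed path
              # DER-encoded OCSP response for this certificate, refreshed out of band.
              ocsp_staple:       { filename: /etc/envoy/ssl/example.org.ocsp } # assumed path
          # Policy from the 1.16.0 OCSP stapling feature: STRICT_STAPLING refuses to
          # serve a certificate whose staple is present but expired; see the
          # "OCSP Stapling" section of the Envoy docs for the other policies.
          ocsp_staple_policy: STRICT_STAPLING
      filters:
      - name: envoy.filters.network.http_connection_manager
        typed_config:
          "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
          stat_prefix: ingress_https          # assumed
          http_protocol_options:
            # Off by default and not fully standards compliant (see the quoted doc
            # text above); enabled here only for legacy HTTP/1.0 clients such as
            # PHP's file_get_contents().
            accept_http_10: true
          route_config:
            name: local_route
            virtual_hosts:
            - name: backend
              domains: ["*"]
              routes:
              - match: { prefix: "/" }
                route: { cluster: app_backend }   # assumed cluster name
          http_filters:
          - name: envoy.filters.http.router
            typed_config:
              "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router
  clusters:
  - name: app_backend                # assumed
    connect_timeout: 1s
    type: STATIC
    load_assignment:
      cluster_name: app_backend
      endpoints:
      - lb_endpoints:
        - endpoint:
            address:
              socket_address: { address: 127.0.0.1, port_value: 8080 }  # assumed
```

Validate a candidate file with `envoy --mode validate -c <file>` before deploying it; the stapled response must be kept current by an external job, since an expired staple under STRICT_STAPLING takes the certificate out of service.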

Envoy seems to be on 1.18.2 now. Can this be closed, or was there any other deployment need this ticket addresses?

AFAIK this was only impacting envoy as the TLS terminator of the CDN, and we went with HAProxy, so this can be closed.

BCornwall claimed this task.

Great, thanks!