[release-1.23] Update proxy repo SHA for release-1.23.2 (#139)

* [release-1.23] Update proxy repo SHA for release-1.23.2 Signed-off-by: Jackie Elliott <[email protected]> * Explicitly set internal addresses in Http Connection Manager when PILOT_SIDECAR_USE_REMOTE_ADDRESS is set to true for the sidecar. Signed-off-by: Jackie Elliott <[email protected]> * Add unit test for setting runtimeValues in envoy config Signed-off-by: Jackie Elliott <[email protected]> * Update SHA Signed-off-by: Jackie Elliott <[email protected]> * Make gen on explicit internal address golden Signed-off-by: Jackie Elliott <[email protected]> * Fix SHA Signed-off-by: Jackie Elliott <[email protected]> * Use httpOpts instead of features useRemoteAddress to ensure it is only set for outbound sidecars Signed-off-by: Jackie Elliott <[email protected]> --------- Signed-off-by: Jackie Elliott <[email protected]>
tetratelabs · Sep 17, 2024 · da0b3f2 · da0b3f2
1 parent b56f6a2
commit da0b3f2
Show file tree

Hide file tree

Showing 6 changed files with 522 additions and 2 deletions.
diff --git a/istio.deps b/istio.deps
@@ -4,7 +4,7 @@
     "name": "PROXY_REPO_SHA",
     "repoName": "proxy",
     "file": "",
-    "lastStableSHA": "94ed360d6e7afb84546716e194b4c2fcc601e651"
+    "lastStableSHA": "6c72b2179f5a58988b920a55b0be8346de3f7b35"
   },
   {
     "_comment": "",

diff --git a/pilot/pkg/networking/core/listener_builder.go b/pilot/pkg/networking/core/listener_builder.go
@@ -421,7 +421,10 @@ func (lb *ListenerBuilder) buildHTTPConnectionManager(httpOpts *httpListenerOpts
 	connectionManager.HttpFilters = filters
 	connectionManager.RequestIdExtension = requestidextension.BuildUUIDRequestIDExtension(reqIDExtensionCtx)
 
-	if features.EnableHCMInternalNetworks && lb.push.Networks != nil {
+	// If UseRemoteAddress is set, we must set the internal address config in preparation for envoy
+	// internal addresses defaulting to empty set. Currently, the internal addresses defaulted to
+	// all private IPs but this will change in the future.
+	if (features.EnableHCMInternalNetworks || httpOpts.useRemoteAddress) && lb.push.Networks != nil {
 		for _, internalnetwork := range lb.push.Networks.Networks {
 			iac := &hcm.HttpConnectionManager_InternalAddressConfig{}
 			for _, ne := range internalnetwork.Endpoints {

diff --git a/pilot/pkg/networking/core/listener_builder_test.go b/pilot/pkg/networking/core/listener_builder_test.go
@@ -844,6 +844,75 @@ func TestHCMInternalAddressConfig(t *testing.T) {
 	}
 }
 
+func TestUseRemoteAddressInternalAddressConfig(t *testing.T) {
+	cg := NewConfigGenTest(t, TestOptions{})
+	sidecarProxy := cg.SetupProxy(&model.Proxy{ConfigNamespace: "not-default"})
+	push := cg.PushContext()
+	cases := []struct {
+		name           string
+		networks       *meshconfig.MeshNetworks
+		expectedconfig *hcm.HttpConnectionManager_InternalAddressConfig
+	}{
+		{
+			name:           "nil networks",
+			expectedconfig: nil,
+		},
+		{
+			name:           "empty networks",
+			networks:       &meshconfig.MeshNetworks{},
+			expectedconfig: nil,
+		},
+		{
+			name: "networks populated",
+			networks: &meshconfig.MeshNetworks{
+				Networks: map[string]*meshconfig.Network{
+					"default": {
+						Endpoints: []*meshconfig.Network_NetworkEndpoints{
+							{
+								Ne: &meshconfig.Network_NetworkEndpoints_FromCidr{
+									FromCidr: "192.168.0.0/16",
+								},
+							},
+							{
+								Ne: &meshconfig.Network_NetworkEndpoints_FromCidr{
+									FromCidr: "172.16.0.0/12",
+								},
+							},
+						},
+					},
+				},
+			},
+			expectedconfig: &hcm.HttpConnectionManager_InternalAddressConfig{
+				CidrRanges: []*core.CidrRange{
+					{
+						AddressPrefix: "192.168.0.0",
+						PrefixLen:     &wrapperspb.UInt32Value{Value: 16},
+					},
+					{
+						AddressPrefix: "172.16.0.0",
+						PrefixLen:     &wrapperspb.UInt32Value{Value: 12},
+					},
+				},
+			},
+		},
+	}
+	for _, tt := range cases {
+		t.Run(tt.name, func(t *testing.T) {
+			push.Networks = tt.networks
+			lb := &ListenerBuilder{
+				push:               push,
+				node:               sidecarProxy,
+				authzCustomBuilder: &authz.Builder{},
+				authzBuilder:       &authz.Builder{},
+			}
+			httpConnManager := lb.buildHTTPConnectionManager(&httpListenerOpts{useRemoteAddress: true})
+			if !reflect.DeepEqual(tt.expectedconfig, httpConnManager.InternalAddressConfig) {
+				t.Errorf("unexpected internal address config, expected: %v, got :%v", tt.expectedconfig, httpConnManager.InternalAddressConfig)
+			}
+		})
+	}
+}
+
 func TestAdditionalAddressesForIPv6(t *testing.T) {
 	test.SetForTest(t, &features.EnableAdditionalIpv4OutboundListenerForIpv6Only, true)
 	cg := NewConfigGenTest(t, TestOptions{Services: testServices})

diff --git a/pkg/bootstrap/instance_test.go b/pkg/bootstrap/instance_test.go
@@ -108,6 +108,9 @@ func TestGolden(t *testing.T) {
 		{
 			base: "default",
 		},
+		{
+			base: "explicit_internal_address",
+		},
 		{
 			base: "legacy_stats_tags_regex",
 			envVars: map[string]string{

diff --git a/pkg/bootstrap/testdata/explicit_internal_address.proxycfg b/pkg/bootstrap/testdata/explicit_internal_address.proxycfg
@@ -0,0 +1,12 @@
+config_path:               "/etc/istio/proxy"
+binary_path:               "/usr/local/bin/envoy"
+service_cluster:           "istio-proxy"
+drain_duration:            {seconds: 2}
+discovery_address:         "istio-pilot:15010"
+proxy_admin_port:          15000
+control_plane_auth_policy: NONE
+runtime_values:            [{ key: "envoy.reloadable_features.explicit_internal_address_config" value: "true" }]
+
+#
+# This matches the default configuration hardcoded in model.DefaultProxyConfig
+# Flags may override this configuration, as specified by the injector configs.