From 62d4517f9e491d1cb9f00862f84637f6330cebdc Mon Sep 17 00:00:00 2001 From: Evan Culver Date: Mon, 31 Oct 2022 10:50:45 -0500 Subject: [PATCH] connect: Add Envoy 1.24 to integration tests, remove Envoy 1.20 (#15093) --- .changelog/15093.txt | 6 ++++++ .circleci/config.yml | 6 +++--- agent/xds/envoy_versioning.go | 2 +- agent/xds/envoy_versioning_test.go | 5 +++-- agent/xds/proxysupport/proxysupport.go | 4 ++-- website/content/docs/connect/proxies/envoy.mdx | 2 +- 6 files changed, 16 insertions(+), 9 deletions(-) create mode 100644 .changelog/15093.txt diff --git a/.changelog/15093.txt b/.changelog/15093.txt new file mode 100644 index 0000000000..1387a7b829 --- /dev/null +++ b/.changelog/15093.txt @@ -0,0 +1,6 @@ +```release-note: improvement +connect: Add Envoy 1.24.0 to support matrix +``` +```release-note: breaking-change +connect: Removes support for Envoy 1.20 +``` diff --git a/.circleci/config.yml b/.circleci/config.yml index 6411f1d82a..38dce4495c 100644 --- a/.circleci/config.yml +++ b/.circleci/config.yml @@ -24,10 +24,10 @@ references: VAULT_BINARY_VERSION: 1.9.4 GO_VERSION: 1.19.2 envoy-versions: &supported_envoy_versions - - &default_envoy_version "1.20.7" - - "1.21.5" + - &default_envoy_version "1.21.5" - "1.22.5" - - "1.23.1" + - "1.23.2" + - "1.24.0" nomad-versions: &supported_nomad_versions - &default_nomad_version "1.3.3" - "1.2.10" diff --git a/agent/xds/envoy_versioning.go b/agent/xds/envoy_versioning.go index 31955e28a4..f826705a12 100644 --- a/agent/xds/envoy_versioning.go +++ b/agent/xds/envoy_versioning.go @@ -11,7 +11,7 @@ import ( var ( // minSupportedVersion is the oldest mainline version we support. This should always be // the zero'th point release of the last element of proxysupport.EnvoyVersions. - minSupportedVersion = version.Must(version.NewVersion("1.20.0")) + minSupportedVersion = version.Must(version.NewVersion("1.21.0")) specificUnsupportedVersions = []unsupportedVersion{} ) diff --git a/agent/xds/envoy_versioning_test.go b/agent/xds/envoy_versioning_test.go index 6fc1e57eae..d90ade4a0f 100644 --- a/agent/xds/envoy_versioning_test.go +++ b/agent/xds/envoy_versioning_test.go @@ -121,6 +121,7 @@ func TestDetermineSupportedProxyFeaturesFromString(t *testing.T) { "1.17.4": {expectErr: "Envoy 1.17.4 " + errTooOld}, "1.18.6": {expectErr: "Envoy 1.18.6 " + errTooOld}, "1.19.5": {expectErr: "Envoy 1.19.5 " + errTooOld}, + "1.20.7": {expectErr: "Envoy 1.20.7 " + errTooOld}, } // Insert a bunch of valid versions. @@ -135,10 +136,10 @@ func TestDetermineSupportedProxyFeaturesFromString(t *testing.T) { } */ for _, v := range []string{ - "1.20.0", "1.20.1", "1.20.2", "1.20.3", "1.20.4", "1.20.5", "1.20.6", "1.20.7", "1.21.0", "1.21.1", "1.21.2", "1.21.3", "1.21.4", "1.21.5", "1.22.0", "1.22.1", "1.22.2", "1.22.3", "1.22.4", "1.22.5", - "1.23.0", "1.23.1", + "1.23.0", "1.23.1", "1.23.2", + "1.24.0", } { cases[v] = testcase{expect: supportedProxyFeatures{}} } diff --git a/agent/xds/proxysupport/proxysupport.go b/agent/xds/proxysupport/proxysupport.go index 97981197d7..62bd1d39d7 100644 --- a/agent/xds/proxysupport/proxysupport.go +++ b/agent/xds/proxysupport/proxysupport.go @@ -7,8 +7,8 @@ package proxysupport // // see: https://www.consul.io/docs/connect/proxies/envoy#supported-versions var EnvoyVersions = []string{ - "1.23.1", + "1.24.0", + "1.23.2", "1.22.5", "1.21.5", - "1.20.7", } diff --git a/website/content/docs/connect/proxies/envoy.mdx b/website/content/docs/connect/proxies/envoy.mdx index e95e25ccf5..1b62954d11 100644 --- a/website/content/docs/connect/proxies/envoy.mdx +++ b/website/content/docs/connect/proxies/envoy.mdx @@ -39,9 +39,9 @@ Consul supports **four major Envoy releases** at the beginning of each major Con | Consul Version | Compatible Envoy Versions | | ------------------- | -----------------------------------------------------------------------------------| +| 1.14.x | 1.24.0, 1.23.1, 1.22.5, 1.21.5 | | 1.13.x | 1.23.1, 1.22.5, 1.21.5, 1.20.7 | | 1.12.x | 1.22.5, 1.21.5, 1.20.7, 1.19.5 | -| 1.11.x | 1.20.7, 1.19.5, 1.18.6, 1.17.41 | 1. Envoy 1.20.1 and earlier are vulnerable to [CVE-2022-21654](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21654) and [CVE-2022-21655](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21655). Both CVEs were patched in Envoy versions 1.18.6, 1.19.3, and 1.20.2. Envoy 1.16.x and older releases are no longer supported (see [HCSEC-2022-07](https://discuss.hashicorp.com/t/hcsec-2022-07-consul-s-connect-service-mesh-affected-by-recent-envoy-security-releases/36332)). Consul 1.9.x clusters should be upgraded to 1.10.x and Envoy upgraded to the latest supported Envoy version for that release, 1.18.6.