diff --git a/api/src/main/proto/envoy/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto b/api/src/main/proto/envoy/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto index f4d0c785..434f9777 100644 --- a/api/src/main/proto/envoy/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto +++ b/api/src/main/proto/envoy/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto @@ -664,6 +664,34 @@ message HttpConnectionManager { // purposes. If unspecified, only RFC1918 IP addresses will be considered internal. // See the documentation for :ref:`config_http_conn_man_headers_x-envoy-internal` for more // information about internal/external addresses. + // + // .. warning:: + // In the next release, no IP addresses will be considered trusted. If you have tooling such as probes + // on your private network which need to be treated as trusted (e.g. changing arbitrary x-envoy headers) + // you will have to manually include those addresses or CIDR ranges like: + // + // .. validated-code-block:: yaml + // :type-name: envoy.extensions.filters.network.http_connection_manager.v3.InternalAddressConfig + // + // cidr_ranges: + // address_prefix: 10.0.0.0 + // prefix_len: 8 + // cidr_ranges: + // address_prefix: 192.168.0.0 + // prefix_len: 16 + // cidr_ranges: + // address_prefix: 172.16.0.0 + // prefix_len: 12 + // cidr_ranges: + // address_prefix: 127.0.0.1 + // prefix_len: 32 + // cidr_ranges: + // address_prefix: fd00:: + // prefix_len: 8 + // cidr_ranges: + // address_prefix: ::1 + // prefix_len: 128 + // InternalAddressConfig internal_address_config = 25; // If set, Envoy will not append the remote address to the diff --git a/server/src/test/java/io/envoyproxy/controlplane/server/EnvoyContainer.java b/server/src/test/java/io/envoyproxy/controlplane/server/EnvoyContainer.java index 2e74c4d4..12f38a42 100644 --- a/server/src/test/java/io/envoyproxy/controlplane/server/EnvoyContainer.java +++ b/server/src/test/java/io/envoyproxy/controlplane/server/EnvoyContainer.java @@ -24,7 +24,7 @@ class EnvoyContainer extends GenericContainer { EnvoyContainer(String config, Supplier controlPlanePortSupplier) { // this version is changed automatically by /tools/update-sha.sh:57 // if you change it make sure to reflect changes there - super("envoyproxy/envoy:v1.31.0"); + super("envoyproxy/envoy:v1.31.2"); this.config = config; this.controlPlanePortSupplier = controlPlanePortSupplier; } diff --git a/tools/API_SHAS b/tools/API_SHAS index faea668e..8afdcb93 100644 --- a/tools/API_SHAS +++ b/tools/API_SHAS @@ -1,9 +1,9 @@ # Update the versions here and run update-api.sh # envoy (source: SHA from https://github.com/envoyproxy/envoy) -ENVOY_SHA="7b8baff1758f0a584dcc3cb657b5032000bcb3d7" +ENVOY_SHA="cc4a75482810de4b84c301d13deb551bd3147339" -# dependencies (source: https://github.com/envoyproxy/envoy/blob/7b8baff1758f0a584dcc3cb657b5032000bcb3d7/api/bazel/repository_locations.bzl) +# dependencies (source: https://github.com/envoyproxy/envoy/blob/cc4a75482810de4b84c301d13deb551bd3147339/api/bazel/repository_locations.bzl) GOOGLEAPIS_SHA="114a745b2841a044e98cdbb19358ed29fcf4a5f1" # 2023-01-10 PGV_VERSION="1.0.4" # 2024-01-17 PROMETHEUS_SHA="0.6.1" # 2024-04-03 diff --git a/tools/envoy_release b/tools/envoy_release index d3aa7697..2aa75271 100644 --- a/tools/envoy_release +++ b/tools/envoy_release @@ -1 +1 @@ -v1.31.0 +v1.31.2