Revert "Sesame main rebase"

.codespell.ignorewords

@@ -6,4 +6,3 @@ od
 als
 wit
 aks
-immediatedly

.github/workflows/build_daily.yaml

@@ -10,7 +10,7 @@ on:
 env:
   GOPROXY: https://proxy.golang.org/
   SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
-  GO_VERSION: 1.21.3
+  GO_VERSION: 1.21.0
 jobs:
   e2e-envoy-xds:
     runs-on: ubuntu-latest

.github/workflows/prbuild.yaml

@@ -11,7 +11,7 @@ on:
 env:
   GOPROXY: https://proxy.golang.org/
   SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
-  GO_VERSION: 1.21.3
+  GO_VERSION: 1.21.0
 jobs:
   lint:
     runs-on: ubuntu-latest

.golangci.yml

@@ -32,30 +32,7 @@ linters-settings:
       - http.DefaultTransport
   revive:
     rules:
-    - name: blank-imports
-    - name: context-as-argument
-    - name: context-keys-type
-    - name: dot-imports
-    - name: empty-block
-    - name: error-naming
-    - name: error-return
-    - name: error-strings
-    - name: errorf
-    - name: exported
-    - name: increment-decrement
-    - name: indent-error-flow
-    - name: package-comments
-    - name: range
-    - name: receiver-naming
-    - name: redefines-builtin-id
-    - name: superfluous-else
-    - name: time-naming
-    - name: unexported-return
-    - name: unreachable-code
-    - name: unused-parameter
-    - name: use-any
-    - name: var-declaration
-    - name: var-naming
+      - name: use-any
 
 issues:
   exclude-rules:

Makefile

@@ -6,7 +6,7 @@ IMAGE := $(REGISTRY)/$(PROJECT)
 SRCDIRS := ./cmd ./internal ./apis
 LOCAL_BOOTSTRAP_CONFIG = localenvoyconfig.yaml
 SECURE_LOCAL_BOOTSTRAP_CONFIG = securelocalenvoyconfig.yaml
-ENVOY_IMAGE = docker.io/envoyproxy/envoy:v1.27.2
+ENVOY_IMAGE = docker.io/envoyproxy/envoy:v1.27.0
 GATEWAY_API_VERSION ?= $(shell grep "sigs.k8s.io/gateway-api" go.mod | awk '{print $$2}')
 
 # Used to supply a local Envoy docker container an IP to connect to that is running
@@ -44,7 +44,7 @@ endif
 IMAGE_PLATFORMS ?= linux/amd64,linux/arm64
 
 # Base build image to use.
-BUILD_BASE_IMAGE ?= golang:1.21.3
+BUILD_BASE_IMAGE ?= golang:1.21.0
 
 # Enable build with CGO.
 BUILD_CGO_ENABLED ?= 0

apis/projectcontour/v1/httpproxy.go

@@ -551,18 +551,6 @@ type Route struct {
 	// +optional
 	PathRewritePolicy *PathRewritePolicy `json:"pathRewritePolicy,omitempty"`
 	// The policy for managing request headers during proxying.
-	//
-	// You may dynamically rewrite the Host header to be forwarded
-	// upstream to the content of a request header using
-	// the below format "%REQ(X-Header-Name)%". If the value of the header
-	// is empty, it is ignored.
-	//
-	// *NOTE: Pay attention to the potential security implications of using this option.
-	// Provided header must come from trusted source.
-	//
-	// **NOTE: The header rewrite is only done while forwarding and has no bearing
-	// on the routing decision.
-	//
 	// +optional
 	RequestHeadersPolicy *HeadersPolicy `json:"requestHeadersPolicy,omitempty"`
 	// The policy for managing response headers during proxying.
@@ -1280,7 +1268,7 @@ type LoadBalancerPolicy struct {
 }
 
 // HeadersPolicy defines how headers are managed during forwarding.
-// The `Host` header is treated specially and if set in a HTTP request
+// The `Host` header is treated specially and if set in a HTTP response
 // will be used as the SNI server name when forwarding over TLS. It is an
 // error to attempt to set the `Host` header in a HTTP response.
 type HeadersPolicy struct {

apis/projectcontour/v1alpha1/contourconfig.go

@@ -391,27 +391,6 @@ type EnvoyListenerConfig struct {
 	// Single set of options are applied to all listeners.
 	// +optional
 	SocketOptions *SocketOptions `json:"socketOptions,omitempty"`
-
-	// Defines the limit on number of HTTP requests that Envoy will process from a single
-	// connection in a single I/O cycle. Requests over this limit are processed in subsequent
-	// I/O cycles. Can be used as a mitigation for CVE-2023-44487 when abusive traffic is
-	// detected. Configures the http.max_requests_per_io_cycle Envoy runtime setting. The default
-	// value when this is not set is no limit.
-	//
-	// +kubebuilder:validation:Minimum=1
-	// +optional
-	MaxRequestsPerIOCycle *uint32 `json:"maxRequestsPerIOCycle,omitempty"`
-
-	// Defines the value for SETTINGS_MAX_CONCURRENT_STREAMS Envoy will advertise in the
-	// SETTINGS frame in HTTP/2 connections and the limit for concurrent streams allowed
-	// for a peer on a single HTTP/2 connection. It is recommended to not set this lower
-	// than 100 but this field can be used to bound resource usage by HTTP/2 connections
-	// and mitigate attacks like CVE-2023-44487. The default value when this is not set is
-	// unlimited.
-	//
-	// +kubebuilder:validation:Minimum=1
-	// +optional
-	HTTP2MaxConcurrentStreams *uint32 `json:"httpMaxConcurrentStreams,omitempty"`
 }
 
 // SocketOptions defines configurable socket options for Envoy listeners.

changelogs/unreleased/5731-skriss-small.md

@@ -0,0 +1 @@
+Updates to Go 1.21.0. See the [Go release notes](https://go.dev/doc/devel/release#go1.21) for more information.