Backport of [NET-4703] Prevent partial application of Envoy extensions into release/1.16.x #18332

hc-github-team-consul-core

Backport

This PR is auto-generated from #18068 to be assessed for backporting due to the inclusion of the label backport/1.16.

The below text is copied from the body of the original PR.


Ensure that non-required extensions do not change xDS resources before exiting on failure by cloning proto messages prior to applying each extension.

Also avoid unnecessary cloning by moving CanApply checks up a layer and making them before application is attempted.

Description

Today, it's theoretically possible that a non-required extension could fail partway through making updates. If that extension is not configured as Required, we will not short-circuit xDS updates; the error will be logged and swallowed, allowing any other extensions to continue applying before updating xDS resources.

By proactively cloning resources that are subject to extensions, s.t. we do not pass any data by reference that is intended to be modified atomically, we can prevent the unintentional partial application of extensions regardless of their Required status.

Testing & Reproduction steps

  • Added tests that use a faulty extension to make changes, then fail, and verify that those changes are not retained
  • Added tests for newly promoted CanApply check to ensure we skip application when extensions should not be applied
  • Added tests for new Clone method of IndexedResources

PR Checklist

  • updated test coverage
  • external facing docs updated
  • appropriate backport labels added
  • not a security concern

Overview of commits

@hc-github-team-consul-core hc-github-team-consul-core force-pushed the backport/zalimeni/net-4703-prevent-envoy-extension-partial-application/closely-climbing-toucan branch from e592cf0 to 4f45685 Compare July 31, 2023 19:24
@hc-github-team-consul-core hc-github-team-consul-core force-pushed the backport/zalimeni/net-4703-prevent-envoy-extension-partial-application/closely-climbing-toucan branch from 10bf58d to 3074aee Compare July 31, 2023 19:24
Auto approved Consul Bot automated PR

@github-actions github-actions bot added the theme/envoy/xds Related to Envoy support label Jul 31, 2023
@hc-github-team-consul-core hc-github-team-consul-core merged commit 7500200 into release/1.16.x Jul 31, 2023
106 checks passed
@hc-github-team-consul-core hc-github-team-consul-core deleted the backport/zalimeni/net-4703-prevent-envoy-extension-partial-application/closely-climbing-toucan branch July 31, 2023 19:37
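
The clone-before-apply pattern described in the PR body, as an added example that is not Consul's code: `Resources`, `Extension` and `ApplyAll` are hypothetical stand-ins, and a map of string slices replaces the proto messages the real change clones. The faulty extension in `main` is constructed input.

```go
package main

import "fmt"

// Resources is a hypothetical stand-in for xDS resources (listener -> filters).
type Resources map[string][]string

// Clone deep-copies the map and its slices so a copy never aliases the original.
func (r Resources) Clone() Resources {
	out := make(Resources, len(r))
	for k, v := range r {
		out[k] = append([]string(nil), v...)
	}
	return out
}

// Extension is a hypothetical shape: CanApply gates, Apply mutates in place.
type Extension struct {
	Required bool
	CanApply func(Resources) bool
	Apply    func(Resources) error
}

// ApplyAll keeps an extension's changes only if its Apply fully succeeds.
func ApplyAll(base Resources, exts []Extension) (Resources, []error, error) {
	current, swallowed := base, []error(nil)
	for _, e := range exts {
		if !e.CanApply(current) {
			continue // gate first, so nothing is cloned for a skipped extension
		}
		work := current.Clone()
		if err := e.Apply(work); err == nil {
			current = work // commit only a fully applied extension
		} else if e.Required {
			return base, swallowed, err // required failure: hand back the original
		} else {
			swallowed = append(swallowed, err) // work is dropped, current untouched
		}
	}
	return current, swallowed, nil
}

func main() {
	// Constructed faulty extension: edits a listener, then fails.
	faulty := Extension{false, func(Resources) bool { return true }, func(r Resources) error {
		r["public"] = append(r["public"], "half-applied")
		return fmt.Errorf("boom")
	}}
	fmt.Println(ApplyAll(Resources{"public": {"rbac"}}, []Extension{faulty}))
}
```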