Closed
Update envoy configuration to avoid using deprecated APIs
Summary
During a recent "networking onboarding", @jenspinney noticed that the envoy config dump for an application lists `hidden_envoy_deprecated_*` for a number of fields.
In particular, now that envoy is being kept up to date, it may be worth using current stable APIs when things are deprecated.
I don't know what's involved in doing so, though. Just creating this issue as a placeholder for discussion and consideration and to share this observation.
Here's what we see:
```
cf ssh $MY_APP -c 'curl localhost:61003/config_dump' > config_dump.json
cat config_dump.json | grep hidden_envoy
"hidden_envoy_deprecated_build_version": "bb7ceff4c3c5bd4555dff28b6e56d27f2f8be0a7/1.13.0/Clean/RELEASE/BoringSSL",
"hidden_envoy_deprecated_tls_context": {
"hidden_envoy_deprecated_config": {
"hidden_envoy_deprecated_tls_context": {
"hidden_envoy_deprecated_config": {
"hidden_envoy_deprecated_hosts": [
"hidden_envoy_deprecated_hosts": [
"hidden_envoy_deprecated_verify_subject_alt_name": [
```
for example:
```
cat config_dump.json | jq '.configs[0].bootstrap.static_resources.listeners'
[
  {
    "name": "listener-8080",
    "address": {
      "socket_address": {
        "address": "0.0.0.0",
        "port_value": 61001
      }
    },
    "filter_chains": [
      {
        "hidden_envoy_deprecated_tls_context": {
          "common_tls_context": {
            "tls_params": {
              "cipher_suites": [
                "ECDHE-RSA-AES256-GCM-SHA384",
                "ECDHE-RSA-AES128-GCM-SHA256"
              ]
            },
            "tls_certificate_sds_secret_configs": [
              {
                "name": "server-cert-and-key",
                "sds_config": {
                  "path": "/etc/cf-assets/envoy_config/sds-server-cert-and-key.yaml"
                }
              }
            ],
            "validation_context_sds_secret_config": {
              "name": "server-validation-context",
              "sds_config": {
                "path": "/etc/cf-assets/envoy_config/sds-server-validation-context.yaml"
              }
            }
          },
          "require_client_certificate": true
        },
        "filters": [
          {
            "name": "envoy.tcp_proxy",
            "hidden_envoy_deprecated_config": {
              "cluster": "0-service-cluster",
              "stat_prefix": "0-stats"
            }
          }
        ]
      }
    ]
  },
  {
    "name": "listener-2222",
    "address": {
      "socket_address": {
        "address": "0.0.0.0",
        "port_value": 61002
      }
    },
    "filter_chains": [
      {
        "hidden_envoy_deprecated_tls_context": {
          "common_tls_context": {
            "tls_params": {
              "cipher_suites": [
                "ECDHE-RSA-AES256-GCM-SHA384",
                "ECDHE-RSA-AES128-GCM-SHA256"
              ]
            },
            "tls_certificate_sds_secret_configs": [
              {
                "name": "server-cert-and-key",
                "sds_config": {
                  "path": "/etc/cf-assets/envoy_config/sds-server-cert-and-key.yaml"
                }
              }
            ],
            "validation_context_sds_secret_config": {
              "name": "server-validation-context",
              "sds_config": {
                "path": "/etc/cf-assets/envoy_config/sds-server-validation-context.yaml"
              }
            }
          },
          "require_client_certificate": true
        },
        "filters": [
          {
            "name": "envoy.tcp_proxy",
            "hidden_envoy_deprecated_config": {
              "stat_prefix": "1-stats",
              "cluster": "1-service-cluster"
            }
          }
        ]
      }
    ]
  }
]
```
and
```
jq '.configs[0].bootstrap.static_resources.clusters'
[
  {
    "name": "0-service-cluster",
    "type": "STATIC",
    "connect_timeout": "0.250s",
    "hidden_envoy_deprecated_hosts": [
      {
        "socket_address": {
          "address": "10.255.130.148",
          "port_value": 8080
        }
      }
    ],
    "circuit_breakers": {
      "thresholds": [
        {
          "max_connections": 4294967295
        }
      ]
    }
  },
  {
    "name": "1-service-cluster",
    "type": "STATIC",
    "connect_timeout": "0.250s",
    "hidden_envoy_deprecated_hosts": [
      {
        "socket_address": {
          "address": "10.255.130.148",
          "port_value": 2222
        }
      }
    ],
    "circuit_breakers": {
      "thresholds": [
        {
          "max_connections": 4294967295
        }
      ]
    }
  }
]
```
Diego repo
Executor (I think?)
Other links
Envoy commit where it looks like they introduced this `hidden_envoy_deprecated_*` pattern: envoyproxy/envoy@2ae22a8
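An added example, not part of the original issue and not Diego or Envoy code: the grep in the issue shows which deprecated names appear but not where they sit in the config. This Python script walks a config dump and counts each `hidden_envoy_deprecated_*` key by its JSON path, so the TLS-bearing listener fields can be told apart from the cluster and filter ones. `SAMPLE_DUMP` is constructed from the shape of the dump shown in the issue, and the function names are hypothetical.

```python
import json
import sys
from collections import Counter

PREFIX = "hidden_envoy_deprecated_"

# Constructed sample, trimmed from the shape of the dump in the issue.
SAMPLE_DUMP = {"configs": [{"bootstrap": {"static_resources": {
    "listeners": [
        {"name": "listener-8080", "filter_chains": [{
            "hidden_envoy_deprecated_tls_context": {"require_client_certificate": True},
            "filters": [{"name": "envoy.tcp_proxy",
                         "hidden_envoy_deprecated_config": {"cluster": "0-service-cluster"}}]}]},
        {"name": "listener-2222", "filter_chains": [{
            "hidden_envoy_deprecated_tls_context": {"require_client_certificate": True},
            "filters": [{"name": "envoy.tcp_proxy",
                         "hidden_envoy_deprecated_config": {"cluster": "1-service-cluster"}}]}]},
    ],
    "clusters": [
        {"name": "0-service-cluster", "hidden_envoy_deprecated_hosts": [
            {"socket_address": {"address": "10.255.130.148", "port_value": 8080}}]},
    ]}}}]}


def deprecated_paths(node, path=""):
    """Yield the JSON path of every key that starts with PREFIX.

    List indices are collapsed to "[]" so that the same field on several
    listeners or clusters is grouped under one path.
    """
    if isinstance(node, dict):
        for key, value in node.items():
            child = f"{path}.{key}" if path else key
            if key.startswith(PREFIX):
                yield child
            # Keep descending: deprecated fields can nest inside each other.
            yield from deprecated_paths(value, child)
    elif isinstance(node, list):
        for item in node:
            yield from deprecated_paths(item, path + "[]")


def summarize(dump):
    """Return a Counter mapping each deprecated field path to its occurrences."""
    return Counter(deprecated_paths(dump))


if __name__ == "__main__":
    # Usage: python this_script.py config_dump.json  (falls back to the sample)
    dump = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_DUMP
    for path, count in sorted(summarize(dump).items()):
        print(f"{count:3d}  {path}")
```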