v1.13.1 cherrypicks (#3423)

* internal/xdscache: include global rate limits for secure vhosts (#3410)

Fixes a bug where global rate limit policies were being ignored
when defined at the virtual host level on secure vhosts.

Fixes #3409.

Signed-off-by: Steve Kriss <krisss@vmware.com>

* cmd/contour: pass pointers to StatusAddressUpdater (#3412)

Fixes an issue where non-pointers were being passed to
the StatusAddressUpdater when the load balancer address
changed, which was resulting in HTTPProxies/Ingresses
not immediately getting updated with the new address.

Fixes #3411.

Signed-off-by: Steve Kriss <krisss@vmware.com>

* examples: update Envoy to 1.17.1 (#3417)

Signed-off-by: Steve Kriss <krisss@vmware.com>

Makefile

@@ -7,7 +7,7 @@ SRCDIRS := ./cmd ./internal ./apis
 LOCAL_BOOTSTRAP_CONFIG = localenvoyconfig.yaml
 SECURE_LOCAL_BOOTSTRAP_CONFIG = securelocalenvoyconfig.yaml
 PHONY = gencerts
-ENVOY_IMAGE = docker.io/envoyproxy/envoy:v1.17.0
+ENVOY_IMAGE = docker.io/envoyproxy/envoy:v1.17.1
 
 # The version of Jekyll is pinned in site/Gemfile.lock.
 # https://docs.netlify.com/configure-builds/common-configurations/#jekyll

_integration/testsuite/httpproxy/020-global-rate-limiting.yaml

@@ -37,6 +37,8 @@ $apply:
 
 ---
 
+# Test Case 1: non-TLS virtual hosts
+
 # Create the HTTPProxy without rate limits first
 # and wait until we get a 200 from it before applying
 # rate limits and counting responses. This ensures
@@ -229,3 +231,208 @@ Response := client.Get({
 check_for_status_code [msg] {
   msg := expect.response_status_is(Response, 200)
 }
+
+---
+
+# Test Case 2: TLS virtual hosts
+
+# Create a self-signed issuer to give us secrets.
+
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+  name: selfsigned
+spec:
+  selfSigned: {}
+
+---
+
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: tlsvhostratelimit
+spec:
+  dnsNames:
+  - tls.vhostratelimit.projectcontour.io
+  secretName: tlsvhostratelimit
+  issuerRef:
+    name: selfsigned
+    kind: ClusterIssuer
+
+---
+
+# TLS vhost with a global rate limit policy on the virtual host.
+
+apiVersion: projectcontour.io/v1
+kind: HTTPProxy
+metadata:
+  name: tlsvhostratelimit
+spec:
+  virtualhost:
+    fqdn: tls.vhostratelimit.projectcontour.io
+    tls:
+      secretName: tlsvhostratelimit
+    rateLimitPolicy:
+      global:
+        descriptors:
+          - entries:
+              - genericKey:
+                  value: tlsvhostlimit
+  routes:
+  - services:
+    - name: echo
+      port: 80
+---
+
+# Make a request against the proxy, confirm a 200 response
+# is returned since we're allowed one request per hour.
+
+import data.contour.http.client
+import data.contour.http.client.url
+import data.contour.http.expect
+
+Response := client.Get({
+  "url": url.https("/"),
+  "headers": {
+    "Host": "tls.vhostratelimit.projectcontour.io",
+    "User-Agent": client.ua("global-rate-limit"),
+  },
+  "tls_insecure_skip_verify": true,
+})
+
+check_for_status_code [msg] {
+  msg := expect.response_status_is(Response, 200)
+}
+
+---
+
+# Make another request against the proxy, confirm a 429
+# response is now gotten since we've exceeded the rate
+# limit.
+
+import data.contour.http.client
+import data.contour.http.client.url
+import data.contour.http.expect
+
+Response := client.Get({
+  "url": url.https("/"),
+  "headers": {
+    "Host": "tls.vhostratelimit.projectcontour.io",
+    "User-Agent": client.ua("global-rate-limit"),
+  },
+  "tls_insecure_skip_verify": true,
+})
+
+check_for_status_code [msg] {
+  msg := expect.response_status_is(Response, 429)
+}
+
+---
+
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: tlsrouteratelimit
+spec:
+  dnsNames:
+  - tls.routeratelimit.projectcontour.io
+  secretName: tlsrouteratelimit
+  issuerRef:
+    name: selfsigned
+    kind: ClusterIssuer
+
+---
+
+# TLS vhost with a global rate limit policy on the route.
+
+apiVersion: projectcontour.io/v1
+kind: HTTPProxy
+metadata:
+  name: tlsrouteratelimit
+spec:
+  virtualhost:
+    fqdn: tls.routeratelimit.projectcontour.io
+    tls:
+      secretName: tlsrouteratelimit
+  routes:
+  - services:
+    - name: echo
+      port: 80
+    rateLimitPolicy:
+      global:
+        descriptors:
+          - entries:
+              - genericKey:
+                  value: tlsroutelimit
+  - conditions:
+      - prefix: /unlimited
+    services:
+    - name: echo
+      port: 80
+---
+
+# Make a request against the proxy, confirm a 200 response
+# is returned since we're allowed one request per hour.
+
+import data.contour.http.client
+import data.contour.http.client.url
+import data.contour.http.expect
+
+Response := client.Get({
+  "url": url.https("/"),
+  "headers": {
+    "Host": "tls.routeratelimit.projectcontour.io",
+    "User-Agent": client.ua("global-rate-limit"),
+  },
+  "tls_insecure_skip_verify": true,
+})
+
+check_for_status_code [msg] {
+  msg := expect.response_status_is(Response, 200)
+}
+
+---
+
+# Make another request against the proxy, confirm a 429
+# response is now gotten since we've exceeded the rate
+# limit.
+
+import data.contour.http.client
+import data.contour.http.client.url
+import data.contour.http.expect
+
+Response := client.Get({
+  "url": url.https("/"),
+  "headers": {
+    "Host": "tls.routeratelimit.projectcontour.io",
+    "User-Agent": client.ua("global-rate-limit"),
+  },
+  "tls_insecure_skip_verify": true,
+})
+
+check_for_status_code [msg] {
+  msg := expect.response_status_is(Response, 429)
+}
+
+---
+
+# Make a request against the route that doesn't have
+# rate limiting to confirm we still get a 200 for that
+# route.
+
+import data.contour.http.client
+import data.contour.http.client.url
+import data.contour.http.expect
+
+Response := client.Get({
+  "url": url.https("/unlimited"),
+  "headers": {
+    "Host": "tls.routeratelimit.projectcontour.io",
+    "User-Agent": client.ua("global-rate-limit"),
+  },
+  "tls_insecure_skip_verify": true,
+})
+
+check_for_status_code [msg] {
+  msg := expect.response_status_is(Response, 200)
+}

_integration/testsuite/install-ratelimit-service.sh

@@ -51,6 +51,16 @@ data:
         rate_limit:
           unit: hour
           requests_per_unit: 1
+      - key: generic_key
+        value: tlsvhostlimit
+        rate_limit:
+          unit: hour
+          requests_per_unit: 1
+      - key: generic_key
+        value: tlsroutelimit
+        rate_limit:
+          unit: hour
+          requests_per_unit: 1
 EOF
 
 # Create the ratelimit deployment, service and extension service.

cmd/contour/ingressstatus.go

@@ -116,16 +116,16 @@ func (isw *loadBalancerStatusWriter) Start(stop <-chan struct{}) error {
 			if err := isw.clients.Cache().List(context.Background(), &ingressList); err != nil {
 				isw.log.WithError(err).WithField("kind", "Ingress").Error("failed to list objects")
 			} else {
-				for _, i := range ingressList.Items {
-					u.OnAdd(i)
+				for i := range ingressList.Items {
+					u.OnAdd(&ingressList.Items[i])
 				}
 			}
 
 			if err := isw.clients.Cache().List(context.Background(), &proxyList); err != nil {
 				isw.log.WithError(err).WithField("kind", "HTTPProxy").Error("failed to list objects")
 			} else {
-				for _, i := range proxyList.Items {
-					u.OnAdd(i)
+				for i := range proxyList.Items {
+					u.OnAdd(&proxyList.Items[i])
 				}
 			}
 		}

examples/contour/03-envoy.yaml

@@ -53,7 +53,7 @@ spec:
         - --log-level info
         command:
         - envoy
-        image: docker.io/envoyproxy/envoy:v1.17.0
+        image: docker.io/envoyproxy/envoy:v1.17.1
         imagePullPolicy: IfNotPresent
         name: envoy
         env:

examples/render/contour.yaml

@@ -2120,7 +2120,7 @@ spec:
         - --log-level info
         command:
         - envoy
-        image: docker.io/envoyproxy/envoy:v1.17.0
+        image: docker.io/envoyproxy/envoy:v1.17.1
         imagePullPolicy: IfNotPresent
         name: envoy
         env: