knative-extensions · knative-prow · Oct 24, 2023 · Oct 24, 2023
diff --git a/config/contour/external.yaml b/config/contour/external.yaml
@@ -344,6 +344,16 @@ spec:
                       disableMergeSlashes:
                         description: "DisableMergeSlashes disables Envoy's non-standard merge_slashes path transformation option which strips duplicate slashes from request URL paths. \n Contour's default is false."
                         type: boolean
+                      httpMaxConcurrentStreams:
+                        description: Defines the value for SETTINGS_MAX_CONCURRENT_STREAMS Envoy will advertise in the SETTINGS frame in HTTP/2 connections and the limit for concurrent streams allowed for a peer on a single HTTP/2 connection. It is recommended to not set this lower than 100 but this field can be used to bound resource usage by HTTP/2 connections and mitigate attacks like CVE-2023-44487. The default value when this is not set is unlimited.
+                        format: int32
+                        minimum: 1
+                        type: integer
+                      maxRequestsPerIOCycle:
+                        description: Defines the limit on number of HTTP requests that Envoy will process from a single connection in a single I/O cycle. Requests over this limit are processed in subsequent I/O cycles. Can be used as a mitigation for CVE-2023-44487 when abusive traffic is detected. Configures the http.max_requests_per_io_cycle Envoy runtime setting. The default value when this is not set is no limit.
+                        format: int32
+                        minimum: 1
+                        type: integer
                       serverHeaderTransformation:
                         description: "Defines the action to be applied to the Server header on the response path. When configured as overwrite, overwrites any Server header with \"envoy\". When configured as append_if_absent, if a Server header is present, pass it through, otherwise set it to \"envoy\". When configured as pass_through, pass through the value of the Server header, and do not append a header if none is present. \n Values: `overwrite` (default), `append_if_absent`, `pass_through` \n Other values will produce an error. Contour's default is overwrite."
                         type: string
@@ -2259,6 +2269,16 @@ spec:
                           disableMergeSlashes:
                             description: "DisableMergeSlashes disables Envoy's non-standard merge_slashes path transformation option which strips duplicate slashes from request URL paths. \n Contour's default is false."
                             type: boolean
+                          httpMaxConcurrentStreams:
+                            description: Defines the value for SETTINGS_MAX_CONCURRENT_STREAMS Envoy will advertise in the SETTINGS frame in HTTP/2 connections and the limit for concurrent streams allowed for a peer on a single HTTP/2 connection. It is recommended to not set this lower than 100 but this field can be used to bound resource usage by HTTP/2 connections and mitigate attacks like CVE-2023-44487. The default value when this is not set is unlimited.
+                            format: int32
+                            minimum: 1
+                            type: integer
+                          maxRequestsPerIOCycle:
+                            description: Defines the limit on number of HTTP requests that Envoy will process from a single connection in a single I/O cycle. Requests over this limit are processed in subsequent I/O cycles. Can be used as a mitigation for CVE-2023-44487 when abusive traffic is detected. Configures the http.max_requests_per_io_cycle Envoy runtime setting. The default value when this is not set is no limit.
+                            format: int32
+                            minimum: 1
+                            type: integer
                           serverHeaderTransformation:
                             description: "Defines the action to be applied to the Server header on the response path. When configured as overwrite, overwrites any Server header with \"envoy\". When configured as append_if_absent, if a Server header is present, pass it through, otherwise set it to \"envoy\". When configured as pass_through, pass through the value of the Server header, and do not append a header if none is present. \n Values: `overwrite` (default), `append_if_absent`, `pass_through` \n Other values will produce an error. Contour's default is overwrite."
                             type: string
@@ -4975,7 +4995,7 @@ rules:
 apiVersion: batch/v1
 kind: Job
 metadata:
-  name: contour-certgen-v1.25.0
+  name: contour-certgen-v1.25.3
   namespace: contour-external
   labels:
     networking.knative.dev/ingress-provider: contour
@@ -4987,7 +5007,7 @@ spec:
     spec:
       containers:
       - name: contour
-        image: ghcr.io/projectcontour/contour:v1.25.0
+        image: ghcr.io/projectcontour/contour:v1.25.3
         imagePullPolicy: IfNotPresent
         command:
         - contour
@@ -5220,7 +5240,7 @@ spec:
         - --config-path=/config/contour.yaml
         command:
         - contour
-        image: ghcr.io/projectcontour/contour:v1.25.0
+        image: ghcr.io/projectcontour/contour:v1.25.3
         imagePullPolicy: IfNotPresent
         name: contour
         ports:
@@ -5309,7 +5329,7 @@ spec:
         args:
         - envoy
         - shutdown-manager
-        image: ghcr.io/projectcontour/contour:v1.25.0
+        image: ghcr.io/projectcontour/contour:v1.25.3
         imagePullPolicy: IfNotPresent
         lifecycle:
           preStop:
@@ -5337,7 +5357,7 @@ spec:
         - --log-level info
         command:
         - envoy
-        image: docker.io/envoyproxy/envoy:v1.26.1
+        image: docker.io/envoyproxy/envoy:v1.26.6
         imagePullPolicy: IfNotPresent
         name: envoy
         env:
@@ -5399,7 +5419,7 @@ spec:
         - --envoy-key-file=/certs/tls.key
         command:
         - contour
-        image: ghcr.io/projectcontour/contour:v1.25.0
+        image: ghcr.io/projectcontour/contour:v1.25.3
         imagePullPolicy: IfNotPresent
         name: envoy-initconfig
         volumeMounts:

diff --git a/config/contour/internal.yaml b/config/contour/internal.yaml
@@ -344,6 +344,16 @@ spec:
                       disableMergeSlashes:
                         description: "DisableMergeSlashes disables Envoy's non-standard merge_slashes path transformation option which strips duplicate slashes from request URL paths. \n Contour's default is false."
                         type: boolean
+                      httpMaxConcurrentStreams:
+                        description: Defines the value for SETTINGS_MAX_CONCURRENT_STREAMS Envoy will advertise in the SETTINGS frame in HTTP/2 connections and the limit for concurrent streams allowed for a peer on a single HTTP/2 connection. It is recommended to not set this lower than 100 but this field can be used to bound resource usage by HTTP/2 connections and mitigate attacks like CVE-2023-44487. The default value when this is not set is unlimited.
+                        format: int32
+                        minimum: 1
+                        type: integer
+                      maxRequestsPerIOCycle:
+                        description: Defines the limit on number of HTTP requests that Envoy will process from a single connection in a single I/O cycle. Requests over this limit are processed in subsequent I/O cycles. Can be used as a mitigation for CVE-2023-44487 when abusive traffic is detected. Configures the http.max_requests_per_io_cycle Envoy runtime setting. The default value when this is not set is no limit.
+                        format: int32
+                        minimum: 1
+                        type: integer
                       serverHeaderTransformation:
                         description: "Defines the action to be applied to the Server header on the response path. When configured as overwrite, overwrites any Server header with \"envoy\". When configured as append_if_absent, if a Server header is present, pass it through, otherwise set it to \"envoy\". When configured as pass_through, pass through the value of the Server header, and do not append a header if none is present. \n Values: `overwrite` (default), `append_if_absent`, `pass_through` \n Other values will produce an error. Contour's default is overwrite."
                         type: string
@@ -2259,6 +2269,16 @@ spec:
                           disableMergeSlashes:
                             description: "DisableMergeSlashes disables Envoy's non-standard merge_slashes path transformation option which strips duplicate slashes from request URL paths. \n Contour's default is false."
                             type: boolean
+                          httpMaxConcurrentStreams:
+                            description: Defines the value for SETTINGS_MAX_CONCURRENT_STREAMS Envoy will advertise in the SETTINGS frame in HTTP/2 connections and the limit for concurrent streams allowed for a peer on a single HTTP/2 connection. It is recommended to not set this lower than 100 but this field can be used to bound resource usage by HTTP/2 connections and mitigate attacks like CVE-2023-44487. The default value when this is not set is unlimited.
+                            format: int32
+                            minimum: 1
+                            type: integer
+                          maxRequestsPerIOCycle:
+                            description: Defines the limit on number of HTTP requests that Envoy will process from a single connection in a single I/O cycle. Requests over this limit are processed in subsequent I/O cycles. Can be used as a mitigation for CVE-2023-44487 when abusive traffic is detected. Configures the http.max_requests_per_io_cycle Envoy runtime setting. The default value when this is not set is no limit.
+                            format: int32
+                            minimum: 1
+                            type: integer
                           serverHeaderTransformation:
                             description: "Defines the action to be applied to the Server header on the response path. When configured as overwrite, overwrites any Server header with \"envoy\". When configured as append_if_absent, if a Server header is present, pass it through, otherwise set it to \"envoy\". When configured as pass_through, pass through the value of the Server header, and do not append a header if none is present. \n Values: `overwrite` (default), `append_if_absent`, `pass_through` \n Other values will produce an error. Contour's default is overwrite."
                             type: string
@@ -4975,7 +4995,7 @@ rules:
 apiVersion: batch/v1
 kind: Job
 metadata:
-  name: contour-certgen-v1.25.0
+  name: contour-certgen-v1.25.3
   namespace: contour-internal
   labels:
     networking.knative.dev/ingress-provider: contour
@@ -4987,7 +5007,7 @@ spec:
     spec:
       containers:
       - name: contour
-        image: ghcr.io/projectcontour/contour:v1.25.0
+        image: ghcr.io/projectcontour/contour:v1.25.3
         imagePullPolicy: IfNotPresent
         command:
         - contour
@@ -5219,7 +5239,7 @@ spec:
         - --config-path=/config/contour.yaml
         command:
         - contour
-        image: ghcr.io/projectcontour/contour:v1.25.0
+        image: ghcr.io/projectcontour/contour:v1.25.3
         imagePullPolicy: IfNotPresent
         name: contour
         ports:
@@ -5308,7 +5328,7 @@ spec:
         args:
         - envoy
         - shutdown-manager
-        image: ghcr.io/projectcontour/contour:v1.25.0
+        image: ghcr.io/projectcontour/contour:v1.25.3
         imagePullPolicy: IfNotPresent
         lifecycle:
           preStop:
@@ -5336,7 +5356,7 @@ spec:
         - --log-level info
         command:
         - envoy
-        image: docker.io/envoyproxy/envoy:v1.26.1
+        image: docker.io/envoyproxy/envoy:v1.26.6
         imagePullPolicy: IfNotPresent
         name: envoy
         env:
@@ -5398,7 +5418,7 @@ spec:
         - --envoy-key-file=/certs/tls.key
         command:
         - contour
-        image: ghcr.io/projectcontour/contour:v1.25.0
+        image: ghcr.io/projectcontour/contour:v1.25.3
         imagePullPolicy: IfNotPresent
         name: envoy-initconfig
         volumeMounts:

diff --git a/go.mod b/go.mod
@@ -14,11 +14,11 @@ replace (
 
 require (
 	github.com/google/go-cmp v0.5.9
-	github.com/projectcontour/contour v1.25.0
+	github.com/projectcontour/contour v1.25.3
 	go.uber.org/zap v1.21.0
-	k8s.io/api v0.26.5
-	k8s.io/apimachinery v0.27.1
-	k8s.io/client-go v0.26.5
+	k8s.io/api v0.26.9
+	k8s.io/apimachinery v0.27.6
+	k8s.io/client-go v0.26.9
 	knative.dev/hack v0.0.0-20230712131415-ddae80293c43
 	knative.dev/networking v0.0.0-20231012062757-a5958051caf8
 	knative.dev/pkg v0.0.0-20231023150739-56bfe0dd9626
@@ -53,7 +53,7 @@ require (
 	github.com/gorilla/websocket v1.4.2 // indirect
 	github.com/grpc-ecosystem/grpc-gateway/v2 v2.11.3 // indirect
 	github.com/hashicorp/golang-lru v0.5.4 // indirect
-	github.com/imdario/mergo v0.3.15 // indirect
+	github.com/imdario/mergo v0.3.16 // indirect
 	github.com/josharian/intern v1.0.0 // indirect
 	github.com/json-iterator/go v1.1.12 // indirect
 	github.com/kelseyhightower/envconfig v1.4.0 // indirect
@@ -73,7 +73,7 @@ require (
 	github.com/spf13/pflag v1.0.5 // indirect
 	go.opencensus.io v0.24.0 // indirect
 	go.uber.org/atomic v1.9.0 // indirect
-	go.uber.org/automaxprocs v1.5.2 // indirect
+	go.uber.org/automaxprocs v1.5.3 // indirect
 	go.uber.org/multierr v1.8.0 // indirect
 	golang.org/x/mod v0.10.0 // indirect
 	golang.org/x/net v0.17.0 // indirect
@@ -83,23 +83,23 @@ require (
 	golang.org/x/term v0.13.0 // indirect
 	golang.org/x/text v0.13.0 // indirect
 	golang.org/x/time v0.3.0 // indirect
-	golang.org/x/tools v0.8.0 // indirect
+	golang.org/x/tools v0.9.3 // indirect
 	gomodules.xyz/jsonpatch/v2 v2.2.0 // indirect
 	google.golang.org/api v0.124.0 // indirect
 	google.golang.org/appengine v1.6.7 // indirect
-	google.golang.org/genproto v0.0.0-20230525234025-438c736192d0 // indirect
-	google.golang.org/genproto/googleapis/api v0.0.0-20230525234020-1aefcd67740a // indirect
+	google.golang.org/genproto v0.0.0-20230526203410-71b5a4ffd15e // indirect
+	google.golang.org/genproto/googleapis/api v0.0.0-20230526203410-71b5a4ffd15e // indirect
 	google.golang.org/genproto/googleapis/rpc v0.0.0-20230629202037-9506855d4529 // indirect
-	google.golang.org/grpc v1.56.1 // indirect
+	google.golang.org/grpc v1.56.3 // indirect
 	google.golang.org/protobuf v1.31.0 // indirect
 	gopkg.in/inf.v0 v0.9.1 // indirect
 	gopkg.in/yaml.v2 v2.4.0 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
-	k8s.io/apiextensions-apiserver v0.26.5 // indirect
-	k8s.io/code-generator v0.26.5 // indirect
+	k8s.io/apiextensions-apiserver v0.26.9 // indirect
+	k8s.io/code-generator v0.26.9 // indirect
 	k8s.io/gengo v0.0.0-20221011193443-fad74ee6edd9 // indirect
 	k8s.io/klog/v2 v2.100.1 // indirect
-	k8s.io/kube-openapi v0.0.0-20230308215209-15aac26d736a // indirect
+	k8s.io/kube-openapi v0.0.0-20230501164219-8b0f38b5fd1f // indirect
 	k8s.io/utils v0.0.0-20230209194617-a36077c30491 // indirect
 	sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd // indirect
 	sigs.k8s.io/structured-merge-diff/v4 v4.2.3 // indirect