chore(deps): bump Envoy from 1.22.2 to 1.22.7 (backport #5982)

mk/build.mk

@@ -1,15 +1,12 @@
-BUILD_INFO_GIT_TAG ?= $(shell git describe --tags 2>/dev/null || echo unknown)
-BUILD_INFO_GIT_COMMIT ?= $(shell git rev-parse HEAD 2>/dev/null || echo unknown)
-BUILD_INFO_BUILD_DATE ?= $(shell date -u +"%Y-%m-%dT%H:%M:%SZ" || echo unknown)
-BUILD_INFO_VERSION ?= $(shell $(TOOLS_DIR)/releases/version.sh)
-BUILD_INFO_ENVOY_VERSION ?= $(ENVOY_VERSION)
+build_info := $(shell $(TOOLS_DIR)/releases/version.sh)
+BUILD_INFO_VERSION ?= $(word 1, $(build_info))
 
 build_info_fields := \
 	version=$(BUILD_INFO_VERSION) \
-	gitTag=$(BUILD_INFO_GIT_TAG) \
-	gitCommit=$(BUILD_INFO_GIT_COMMIT) \
-	buildDate=$(BUILD_INFO_BUILD_DATE) \
-	Envoy=$(BUILD_INFO_ENVOY_VERSION)
+	gitTag=$(word 2, $(build_info)) \
+	gitCommit=$(word 3, $(build_info)) \
+	buildDate=$(word 4, $(build_info)) \
+	Envoy=$(word 5, $(build_info))
 build_info_ld_flags := $(foreach entry,$(build_info_fields), -X github.com/kumahq/kuma/pkg/version.$(entry))
 
 LD_FLAGS := -ldflags="-s -w $(build_info_ld_flags) $(EXTRA_LD_FLAGS)"

mk/envoy.mk

@@ -1,4 +1,6 @@
 BUILD_ENVOY_FROM_SOURCES ?= false
+ENVOY_TAG ?= v1.22.7
+ENVOY_ARTIFACT_EXT ?=
 
 ifeq ($(GOOS),linux)
 	ENVOY_DISTRO ?= alpine
@@ -44,8 +46,9 @@ ifeq ($(BUILD_ENVOY_FROM_SOURCES),true)
 	BAZEL_BUILD_EXTRA_OPTIONS=${BAZEL_BUILD_EXTRA_OPTIONS} \
 	BINARY_PATH=$@ $(BUILD_ENVOY_SCRIPT)
 else
-	ENVOY_VERSION=${ENVOY_VERSION} \
+	ENVOY_TAG=$(ENVOY_TAG) \
 	ENVOY_DISTRO=${ENVOY_DISTRO} \
+	ENVOY_ARTIFACT_EXT=${ENVOY_ARTIFACT_EXT} \
 	BINARY_PATH=$@ ${KUMA_DIR}/tools/envoy/fetch.sh
 endif
 

tools/envoy/fetch.sh

@@ -4,8 +4,9 @@
 #
 # Requires:
 # - $BINARY_PATH, path where binary will be fetched, for example 'out/envoy'
-# - $ENVOY_VERSION, version of the envoy binary to fetch
+# - $ENVOY_TAG, tag of the envoy binary to fetch
 # - $ENVOY_DISTRO, name of the distributive (i.e darwin, alpine)
+# - $ENVOY_ARTIFACT_EXT, optional artifact suffix (i.e. -extended)
 
 set -o errexit
 set -o pipefail
@@ -15,26 +16,33 @@ source "$(dirname -- "${BASH_SOURCE[0]}")/../common.sh"
 
 function download_envoy() {
     local binary_name=$1
+    local bin_dir
+    bin_dir=$(dirname "${BINARY_PATH}")
     echo "Downloading ${binary_name}"
 
     if [ ! -d "$(dirname "${BINARY_PATH}")" ]; then
       mkdir -p "$(dirname "${BINARY_PATH}")"
     fi
 
+    local tar_path="${BINARY_PATH}.tar.gz"
+
     local status
-    status=$(curl -# --location --output "${BINARY_PATH}" --write-out '%{http_code}' \
-    "https://download.konghq.com/mesh-alpine/${binary_name}")
+    status=$(curl -# --location --output "${tar_path}" --write-out '%{http_code}' \
+    "https://github.com/kumahq/envoy-builds/releases/download/${ENVOY_TAG}/${binary_name}.tar.gz")
 
     if [ "$status" -ne "200" ]; then
-        rm "${BINARY_PATH}"
         msg_err "Error: failed downloading Envoy: ${status} error"
     fi
 
+    tar -C "$bin_dir" -xzvf "${tar_path}"
+    rm "$tar_path"
+    mv "${bin_dir}/envoy-${ENVOY_DISTRO}" "${BINARY_PATH}"
+
     [ -f "${BINARY_PATH}" ] && chmod +x "${BINARY_PATH}"
 }
 
-if [[ -n "${ENVOY_VERSION}" ]]; then
-  BINARY_NAME="envoy-${ENVOY_VERSION}-${ENVOY_DISTRO}-${GOARCH}"
+if [[ -n "${ENVOY_TAG}" ]]; then
+  BINARY_NAME="envoy-${GOOS}-${GOARCH}-${ENVOY_TAG}-${ENVOY_DISTRO}-opt${ENVOY_ARTIFACT_EXT}"
   download_envoy "${BINARY_NAME}"
   exit 0
 fi

tools/envoy/version.sh

@@ -8,7 +8,7 @@ set -o nounset
 # - if ENVOY_TAG is a real git tag like 'v1.20.0' then the version is equal to '1.20.0' (without the first letter 'v').
 # - if ENVOY_TAG is a commit hash then the version will look like '1.20.1-dev-b16d390f'
 
-ENVOY_TAG=${ENVOY_TAG:-"v1.22.1"}
+ENVOY_TAG=${ENVOY_TAG:-"v1.22.7"}
 ENVOY_VERSION=$(curl --silent --location "https://raw.githubusercontent.com/envoyproxy/envoy/${ENVOY_TAG}/VERSION.txt")
 
 # for envoy versions older than v1.22.0 file 'VERSION.txt' used to be called 'VERSION'

tools/releases/distros.sh

@@ -25,21 +25,30 @@ PULP_HOST="https://api.pulp.konnect-prod.konghq.com"
 PULP_PACKAGE_TYPE="mesh"
 PULP_DIST_NAME="alpine"
 [ -z "$RELEASE_NAME" ] && RELEASE_NAME="kuma"
-ENVOY_VERSION=$("${SCRIPT_DIR}/../envoy/version.sh")
+BUILD_INFO=$("${SCRIPT_DIR}/../releases/version.sh")
+ENVOY_VERSION=$(echo "$BUILD_INFO" | cut -d " " -f 5)
+KUMA_VERSION=$(echo "$BUILD_INFO" | cut -d " " -f 1)
 [ -z "$KUMA_CONFIG_PATH" ] && KUMA_CONFIG_PATH=pkg/config/app/kuma-cp/kuma-cp.defaults.yaml
 CTL_NAME="kumactl"
+[ -z "$EBPF_PROGRAMS_IMAGE" ] && EBPF_PROGRAMS_IMAGE="kumahq/kuma-net-ebpf:0.8.6"
 
-function get_envoy() {
-  local distro=$1
-  local envoy_distro=$2
-  local arch=$3
+function get_ebpf_programs() {
+  local arch=$1
+  local system=$2
+  local kuma_dir=$3
+  local container
 
-  local status
-  status=$(curl -L -o build/envoy-"$distro" \
-    --write-out '%{http_code}' --silent --output /dev/null \
-    "https://download.konghq.com/mesh-alpine/envoy-$ENVOY_VERSION-$envoy_distro-$arch")
+  if [[ "$system" != "linux" ]]; then
+    return
+  fi
 
-  if [ "$status" -ne "200" ]; then msg_err "Error: failed downloading Envoy"; fi
+  if [[ "$arch" != "amd64" ]] && [[ "$arch" != "arm64" ]]; then
+    return
+  fi
+
+  container=$(DOCKER_DEFAULT_PLATFORM=$system/$arch docker create "$EBPF_PROGRAMS_IMAGE" copy)
+  docker cp "$container:/ebpf" "$kuma_dir"
+  docker rm -v "$container"
 }
 
 # create_kumactl_tarball packages only kumactl
@@ -81,7 +90,7 @@ function create_tarball() {
   msg ">>> Packaging ${RELEASE_NAME} for $distro ($system-$arch)..."
   msg
 
-  make GOOS="$system" GOARCH="$arch" build
+  make GOOS="$system" GOARCH="$arch" ENVOY_DISTRO="$envoy_distro" build
 
   local dest_dir=build/$RELEASE_NAME-$distro-$arch
   local kuma_subdir="$RELEASE_NAME-$KUMA_VERSION"
@@ -93,16 +102,15 @@ function create_tarball() {
   mkdir "$kuma_dir/bin"
   mkdir "$kuma_dir/conf"
 
-  get_envoy "$distro" "$envoy_distro" "$arch"
-  chmod 755 build/envoy-"$distro"
+  get_ebpf_programs "$arch" "$system" "$kuma_dir"
 
   artifact_dir=$(artifact_dir "$arch" "$system")
-  cp -p "build/envoy-$distro" "$kuma_dir"/bin/envoy
+  cp -p "$artifact_dir/envoy/envoy-$ENVOY_VERSION-$envoy_distro" "$kuma_dir/bin"
   cp -p "$artifact_dir/kuma-cp/kuma-cp" "$kuma_dir/bin"
   cp -p "$artifact_dir/kuma-dp/kuma-dp" "$kuma_dir/bin"
   cp -p "$artifact_dir/kumactl/kumactl" "$kuma_dir/bin"
-  cp -p "$artifact_dir/coredns/coredns" "$kuma_dir/bin"
   cp -p "$artifact_dir/kuma-prometheus-sd/kuma-prometheus-sd" "$kuma_dir/bin"
+  cp -p "$artifact_dir/coredns/coredns" "$kuma_dir/bin"
   cp -p "$KUMA_CONFIG_PATH" "$kuma_dir/conf/kuma-cp.conf.yml"
 
   cp tools/releases/templates/* "$kuma_dir"
@@ -188,7 +196,6 @@ function usage() {
 }
 
 function main() {
-  KUMA_VERSION=$("${SCRIPT_DIR}/version.sh")
 
   while [[ $# -gt 0 ]]; do
     flag=$1

tools/releases/version.sh

@@ -1,30 +1,94 @@
 #!/usr/bin/env bash
 
-# Kuma version is built as follows:
-# 1) If a git tag is present on the current commit, then the version is a git tag (without a starting v)
-# 2) If the branch is "release-X.Y" look at the existing tags and use either X.Y.0-<shortHash> if there's none or
-#     the latest tag with a patch version increased by one (.e.g if latest tag is X.Y.1 the version will be `X.Y.2-<shortHash>`)
-# 3) In non release branch use `0.0.0-$shortHash`
-
-# Note: this format must be changed carefully, other scripts depend on it
-exactTag=$(git describe --exact-match --tags 2> /dev/null)
-# We only support tags of the format: "v?X.Y.Z(-<alphaNumericName>)?" all other tags will just be ignored and use the regular versioning scheme
-if [[ ${exactTag} =~ ^v?[0-9]+\.[0-9]+\.[0-9]+(-[a-zA-Z0-9]+)?$ ]]; then
-  echo "${exactTag/^v//}"
-  exit 0
-fi
-
-shortHash=$(git rev-parse --short HEAD 2> /dev/null)
-currentBranch=$(git rev-parse --abbrev-ref HEAD 2> /dev/null)
-if [[ ${currentBranch} == release-* ]]; then
-    releasePrefix=${currentBranch//release-/}
-    lastGitTag=$(git tag -l | grep -E "^v?${releasePrefix}\.[0-9]+$" | sed 's/^v//'| sort -V | tail -1)
-    if [[ ${lastGitTag} ]]; then
-      IFS=. read -r major minor patch <<< "${lastGitTag}"
-      echo "${major}.${minor}.$((++patch))-preview.${shortHash}"
+function envoy_version() {
+  set -o errexit
+  set -o pipefail
+  set -o nounset
+  # Returns Envoy version by ENVOY_TAG:
+  # - if ENVOY_TAG is a real git tag like 'v1.20.0' then the version is equal to '1.20.0' (without the first letter 'v').
+  # - if ENVOY_TAG is a commit hash then the version will look like '1.20.1-dev-b16d390f'
+
+  ENVOY_TAG=${ENVOY_TAG:-"v1.22.7"}
+  ENVOY_VERSION=$(curl --silent --location "https://raw.githubusercontent.com/envoyproxy/envoy/${ENVOY_TAG}/VERSION.txt")
+
+  # for envoy versions older than v1.22.0 file 'VERSION.txt' used to be called 'VERSION'
+  if [[ "${ENVOY_VERSION}" == "404: Not Found" ]]; then
+    ENVOY_VERSION=$(curl --silent --location --fail "https://raw.githubusercontent.com/envoyproxy/envoy/${ENVOY_TAG}/VERSION")
+  fi
+
+  if [[ "${ENVOY_TAG}" =~ ^v[0-9]*\.[0-9]*\.[0-9]*$ ]]; then
+    echo "${ENVOY_VERSION}"
+  else
+    echo "${ENVOY_VERSION}-${ENVOY_TAG:0:8}"
+  fi
+  set +o errexit
+  set +o pipefail
+  set +o nounset
+}
+
+function version_info() {
+  # Kuma version info has the following format:
+  # version git-tag git-commit build-date envoy-version
+
+  # version is built as follows:
+  # 1) If a git tag is present on the current commit, then the version is a git tag (without a starting v)
+  # 2) If the branch is "release-X.Y" look at the existing tags and use either X.Y.0-<shortHash> if there's none or
+  #     the latest tag with a patch version increased by one (.e.g if latest tag is X.Y.1 the version will be `X.Y.2-<shortHash>`)
+  # 3) In non release branch use `0.0.0-$shortHash`
+
+  # git-tag - if the current HEAD has a tag then use it otherwise it's "not-tagged"
+  # git-commit - HEAD sha
+  # build-date - local date if built on CI
+
+  # Note: this format must be changed carefully, other scripts depend on it
+
+  envoyVersion=$(envoy_version)
+
+  if [[ -z "${CI}" ]]; then
+    ciDeclared="false"
+    versionDate="local-build"
+  else
+    ciDeclared="true"
+    versionDate=$(date -u +"%Y-%m-%dT%H:%M:%SZ")
+  fi
+
+  if ! command -v git &> /dev/null; then
+    shortHash="no-git"
+    currentBranch="no-git"
+    exactTag="no-git"
+    describedTag="no-git"
+    longHash="no-git"
+  else
+    if [[ "$ciDeclared" == "true" ]] || git diff --quiet && git diff --cached --quiet; then
+      longHash=$(git rev-parse HEAD 2>/dev/null || echo "no-commit")
+      shortHash=$(git rev-parse --short=9 HEAD 2> /dev/null || echo "no-commit")
+      describedTag=$(git describe --tags 2>/dev/null || echo "none")
     else
-      echo "${releasePrefix}.0-preview.${shortHash}"
+      longHash="local-build"
+      shortHash="local-build"
+      describedTag="local-build"
     fi
-else
-  echo "0.0.0-preview.${shortHash}"
-fi
+
+    currentBranch=$(git rev-parse --abbrev-ref HEAD 2> /dev/null || echo "no-branch")
+    exactTag=$(git describe --exact-match --tags 2> /dev/null || echo "not-tagged")
+    # We only support tags of the format: "v?X.Y.Z(-<alphaNumericName>)?" all other tags will just be ignored and use the regular versioning scheme
+    if [[ ${exactTag} =~ ^v?[0-9]+\.[0-9]+\.[0-9]+(-[a-zA-Z0-9]+)?$ ]]; then
+      version="${exactTag/^v//}"
+    elif [[ ${currentBranch} == release-* ]]; then
+        releasePrefix=${currentBranch//release-/}
+        lastGitTag=$(git tag -l | grep -E "^v?${releasePrefix}\.[0-9]+$" | sed 's/^v//'| sort -V | tail -1)
+        if [[ ${lastGitTag} ]]; then
+          IFS=. read -r major minor patch <<< "${lastGitTag}"
+          version="${major}.${minor}.$((++patch))-preview.v${shortHash}"
+        else
+          version="${releasePrefix}.0-preview.v${shortHash}"
+        fi
+    else
+      version="0.0.0-preview.v${shortHash}"
+    fi
+  fi
+
+  echo "${version} ${describedTag} ${longHash} ${versionDate} ${envoyVersion}"
+}
+
+version_info