Merge remote-tracking branch 'origin/envoy-xds'

.github/workflows/main.yml

@@ -16,39 +16,39 @@ jobs:
   build:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
 
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v2.4.1
+        uses: docker/setup-buildx-action@v3
         with:
           driver-opts: network=host
 
       - name: Log in to the Container registry
-        uses: docker/login-action@v2.1.0
+        uses: docker/login-action@v3
         with:
           registry: ${{ env.REGISTRY }}
           username: ${{ github.actor }}
           password: ${{ secrets.GITHUB_TOKEN }}
 
       - name: dev-env container metadata
         id: meta
-        uses: docker/metadata-action@v4.3.0
+        uses: docker/metadata-action@v5
         with:
           images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
           flavor: |
             suffix=-dev-env
 
       - name: build-cache container metadata
         id: build_cache_meta
-        uses: docker/metadata-action@v4.3.0
+        uses: docker/metadata-action@v5
         with:
           images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
           flavor: |
             suffix=-build-cache-test
 
       - name: Build and push
         id: docker_build
-        uses: docker/build-push-action@v4.0.0
+        uses: docker/build-push-action@v5
         with:
           target: test
           pull: true
@@ -70,7 +70,7 @@ jobs:
       # arguments, but that isn't currently supported:
       # https://github.com/moby/buildkit/issues/2818
       - name: Push recent test cache
-        uses: docker/build-push-action@v4.0.0
+        uses: docker/build-push-action@v5
         with:
           target: test
           tags: ${{ steps.meta.outputs.tags }}
@@ -83,30 +83,30 @@ jobs:
     needs: [build]
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
 
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v2.4.1
+        uses: docker/setup-buildx-action@v3
         with:
           driver-opts: network=host
 
       - name: Log in to the Container registry
-        uses: docker/login-action@v2.1.0
+        uses: docker/login-action@v3
         with:
           registry: ${{ env.REGISTRY }}
           username: ${{ github.actor }}
           password: ${{ secrets.GITHUB_TOKEN }}
 
       - name: build-cache container metadata
         id: build_cache_meta
-        uses: docker/metadata-action@v4.3.0
+        uses: docker/metadata-action@v5
         with:
           images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
           flavor: |
             suffix=-build-cache-test
 
       - name: Push recent runtime cache
-        uses: docker/build-push-action@v4.0.0
+        uses: docker/build-push-action@v5
         with:
           target: runtime
           tags: ${{ steps.meta.outputs.tags }}
@@ -119,11 +119,11 @@ jobs:
     needs: [build]
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
 
       - name: dev-env container metadata
         id: meta
-        uses: docker/metadata-action@v4.3.0
+        uses: docker/metadata-action@v5
         with:
           images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
           flavor: |
@@ -173,11 +173,11 @@ jobs:
         ci_node_total: [6]
         ci_node_index: [0, 1, 2, 3, 4, 5]
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
 
       - name: dev-env container metadata
         id: meta
-        uses: docker/metadata-action@v4.3.0
+        uses: docker/metadata-action@v5
         with:
           images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
           flavor: |
@@ -215,7 +215,7 @@ jobs:
 
       - name: Dump docker logs
         if: ${{ always() }}
-        uses: jwalton/gh-docker-logs@v2.2.1
+        uses: jwalton/gh-docker-logs@v2
         with:
           dest: test/tmp/artifacts/docker-logs
 
@@ -255,11 +255,11 @@ jobs:
           --health-timeout 90s
           --health-retries 5
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
 
       - name: dev-env container metadata
         id: meta
-        uses: docker/metadata-action@v4.3.0
+        uses: docker/metadata-action@v5
         with:
           images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
           flavor: |
@@ -294,7 +294,7 @@ jobs:
 
       - name: Dump docker logs
         if: ${{ always() }}
-        uses: jwalton/gh-docker-logs@v2.2.1
+        uses: jwalton/gh-docker-logs@v2
         with:
           dest: test/tmp/artifacts/docker-logs
 
@@ -334,11 +334,11 @@ jobs:
           --health-timeout 90s
           --health-retries 5
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
 
       - name: dev-env container metadata
         id: meta
-        uses: docker/metadata-action@v4.3.0
+        uses: docker/metadata-action@v5
         with:
           images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
           flavor: |
@@ -374,7 +374,7 @@ jobs:
 
       - name: Dump docker logs
         if: ${{ always() }}
-        uses: jwalton/gh-docker-logs@v2.2.1
+        uses: jwalton/gh-docker-logs@v2
         with:
           dest: test/tmp/artifacts/docker-logs
 
@@ -405,7 +405,7 @@ jobs:
           path: ./artifacts
 
       - name: Publish Unit Test Results
-        uses: EnricoMi/publish-unit-test-result-action@v2.3.0
+        uses: EnricoMi/publish-unit-test-result-action@v2
         with:
           junit_files: "artifacts/*/reports/**/*.xml"
           comment_mode: off

.github/workflows/release.yml

@@ -14,10 +14,10 @@ jobs:
   build:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
 
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v2.4.1
+        uses: docker/setup-buildx-action@v3
         with:
           driver-opts: network=host
 
@@ -31,28 +31,46 @@ jobs:
           fi
 
       - name: Log in to the Container registry
-        uses: docker/login-action@v2.1.0
+        uses: docker/login-action@v3
         with:
           registry: ${{ env.REGISTRY }}
           username: ${{ github.actor }}
           password: ${{ secrets.GITHUB_TOKEN }}
 
-      - name: Container metadata
-        id: meta
-        uses: docker/metadata-action@v4.3.0
+      - name: Runtime container metadata
+        id: runtime_meta
+        uses: docker/metadata-action@v5
         with:
           images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
           tags: |
             type=semver,pattern={{version}}
 
-      - name: Build and push
-        id: docker_build
-        uses: docker/[email protected]
+      - name: Runtime egress container metadata
+        id: runtime_egress_meta
+        uses: docker/metadata-action@v5
+        with:
+          images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
+          tags: |
+            type=semver,prefix=egress-,pattern={{version}}
+
+      - name: Build and push runtime
+        uses: docker/build-push-action@v5
         with:
           target: runtime
           pull: true
           push: true
-          tags: ${{ steps.meta.outputs.tags }}
-          labels: ${{ steps.meta.outputs.labels }}
+          tags: ${{ steps.runtime_meta.outputs.tags }}
+          labels: ${{ steps.runtime_meta.outputs.labels }}
+          cache-from: type=registry,ref=${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:build-cache-runtime-recent,mode=max
+          provenance: false
+
+      - name: Build and push runtime-egress
+        uses: docker/build-push-action@v5
+        with:
+          target: runtime-egress
+          pull: true
+          push: true
+          tags: ${{ steps.runtime_egress_meta.outputs.tags }}
+          labels: ${{ steps.runtime_egress_meta.outputs.labels }}
           cache-from: type=registry,ref=${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:build-cache-runtime-recent,mode=max
           provenance: false

.gitignore

@@ -45,3 +45,6 @@
 /tmp
 
 /src/api-umbrella/example-website/.hugo_build.lock
+
+# Added by cargo
+/target

Cargo.toml

@@ -0,0 +1,16 @@
+[package]
+name = "api-umbrella-postgres"
+version = "0.1.0"
+edition = "2021"
+
+# See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html
+
+[dependencies]
+
+[[bin]]
+name = "envoy-config-wrapper"
+path = "src/api-umbrella/bin/envoy-config-wrapper.rs"
+
+[profile.release]
+panic = "abort"
+strip = true

Dockerfile

@@ -176,3 +176,39 @@ RUN set -x && \
 EXPOSE 80 443
 
 CMD ["api-umbrella", "run"]
+
+###
+# Build - envoy-config-wrapper
+###
+FROM rust:1-slim-bookworm AS envoy-config-wrapper-build
+
+# Use the musl target for static binaries that will work in the distroless
+# image.
+RUN rustup target add "$(arch)-unknown-linux-musl"
+
+COPY Cargo.toml ./
+COPY src/api-umbrella/bin/envoy-config-wrapper.rs ./src/api-umbrella/bin/
+
+RUN cargo build --release --target "$(arch)-unknown-linux-musl"
+
+###
+# Runtime - Egress Only
+# https://github.com/envoyproxy/envoy/blob/release/v1.27/ci/Dockerfile-envoy#L60-L69
+###
+FROM gcr.io/distroless/base-nossl-debian12:nonroot AS runtime-egress
+
+# Create the needed directories as the non-root user, and then switch back to
+# the defalt workdir.
+WORKDIR /etc/envoy
+WORKDIR /var/run/envoy
+WORKDIR /home/nonroot
+
+# Copy Envoy and our config wrapper binary in so that's all that's present in
+# this distroless image.
+COPY --from=envoy-config-wrapper-build --chown=0:0 --chmod=755 ./target/*/release/envoy-config-wrapper /usr/local/bin/
+COPY --from=build --chown=0:0 --chmod=755 /app/build/work/stage/opt/api-umbrella/embedded/bin/envoy /usr/local/bin/
+
+EXPOSE 14001
+
+ENTRYPOINT ["/usr/local/bin/envoy-config-wrapper"]
+CMD ["-c", "/etc/envoy/envoy.yaml", "--use-dynamic-base-id", "--base-id-path", "/var/run/envoy/base-id"]

Gemfile

@@ -86,3 +86,6 @@ gem "awesome_print", "~> 1.9.2"
 
 # Deep freezing of objects.
 gem "ice_nine", "~> 0.11.2"
+
+# Testing SMTP directly.
+gem "net-smtp", "~> 0.4.0"

Gemfile.lock

@@ -94,7 +94,7 @@ GEM
     faraday-patron (1.0.0)
     faraday-rack (1.0.0)
     faraday-retry (1.0.3)
-    ffi (1.15.5)
+    ffi (1.16.2)
     i18n (1.14.1)
       concurrent-ruby (~> 1.0)
     ice_nine (0.11.2)
@@ -122,6 +122,10 @@ GEM
       path_expander (~> 1.1)
     multi_json (1.15.0)
     multipart-post (2.3.0)
+    net-protocol (0.2.1)
+      timeout
+    net-smtp (0.4.0)
+      net-protocol
     nokogiri (1.15.4)
       mini_portile2 (~> 2.8.2)
       racc (~> 1.4)
@@ -152,7 +156,7 @@ GEM
     rainbow (3.1.1)
     regexp_parser (2.8.1)
     rexml (3.2.6)
-    rubocop (1.56.2)
+    rubocop (1.56.3)
       base64 (~> 0.1.1)
       json (~> 2.3)
       language_server-protocol (>= 3.17.0)
@@ -175,6 +179,7 @@ GEM
       childprocess (>= 0.5, < 4.0)
       rubyzip (>= 1.2.2)
     thor (1.2.2)
+    timeout (0.4.0)
     typhoeus (1.4.0)
       ethon (>= 0.9.0)
     tzinfo (2.0.6)
@@ -212,6 +217,7 @@ DEPENDENCIES
   minitest-reporters (~> 1.6.0)
   minitest-sprint (~> 1.2.0)
   multi_json (~> 1.15.0)
+  net-smtp (~> 0.4.0)
   nokogiri (~> 1.14)
   oj (~> 3.10)
   pg (~> 1.5.3)

Makefile.in

@@ -15,7 +15,7 @@ export PREFIX=$(prefix)
 default: all
 
 # Download and locally install the "task" tool.
-task_version:=3.29.1
+task_version:=3.30.1
 $(source_dir)/tasks/bootstrap-$(task_version): ;
 $(work_dir)/stamp/bootstrap-$(task_version): $(source_dir)/tasks/bootstrap-$(task_version)
 	$(source_dir)/tasks/bootstrap-$(task_version)