Backport of security: bump envoy version and k8s.io/apimachinery (#21033)

* security: bump envoy version and k8s.io/apimachinery

* add changelog

Author: dduzgun-security

.changelog/21033.txt

@@ -0,0 +1,9 @@
+```release-note:security
+Upgrade to support Envoy `1.27.5 and 1.28.3`. This resolves CVE
+[CVE-2024-32475](https://nvd.nist.gov/vuln/detail/CVE-2024-32475) (`auto_sni`).
+```
+
+```release-note:security
+Upgrade to support k8s.io/apimachinery `v0.18.7 or higher`. This resolves CVE
+[CVE-2020-8559](https://nvd.nist.gov/vuln/detail/CVE-2020-8559).
+```

.github/workflows/nightly-test-integrations-1.17.x.yml

@@ -74,7 +74,7 @@ jobs:
           # this is further going to multiplied in envoy-integration tests by the 
           # other dimensions in the matrix.  Currently TOTAL_RUNNERS would be
           # multiplied by 8 based on these values:
-          # envoy-version: ["1.24.12", "1.25.11", "1.26.6", "1.27.2"]
+          # envoy-version: ["1.24.12", "1.25.11", "1.26.6", "1.27.5"]
           # xds-target: ["server", "client"]
           TOTAL_RUNNERS: 4 
           JQ_SLICER: '[ inputs ] | [_nwise(length / $runnercount | floor)]'
@@ -109,7 +109,7 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        envoy-version: ["1.24.12", "1.25.11", "1.26.6", "1.27.2"]
+        envoy-version: ["1.24.12", "1.25.11", "1.26.6", "1.27.5"]
         xds-target: ["server", "client"]
         test-cases: ${{ fromJSON(needs.generate-envoy-job-matrices.outputs.envoy-matrix) }}
     env:

.github/workflows/nightly-test-integrations.yml

@@ -71,7 +71,7 @@ jobs:
           # this is further going to multiplied in envoy-integration tests by the 
           # other dimensions in the matrix.  Currently TOTAL_RUNNERS would be
           # multiplied by 8 based on these values:
-          # envoy-version: ["1.24.12", "1.25.11", "1.26.6", "1.27.2"]
+          # envoy-version: ["1.24.12", "1.25.11", "1.26.6", "1.27.5"]
           # xds-target: ["server", "client"]
           TOTAL_RUNNERS: 4 
           JQ_SLICER: '[ inputs ] | [_nwise(length / $runnercount | floor)]'
@@ -106,7 +106,7 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        envoy-version: ["1.24.12", "1.25.11", "1.26.6", "1.27.2"]
+        envoy-version: ["1.24.12", "1.25.11", "1.26.6", "1.27.5"]
         xds-target: ["server", "client"]
         test-cases: ${{ fromJSON(needs.generate-envoy-job-matrices.outputs.envoy-matrix) }}
     env:

.github/workflows/test-integrations-windows.yml

@@ -62,7 +62,7 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        envoy-version: [ "1.27.4" ]
+        envoy-version: [ "1.27.5" ]
         xds-target: [ "server", "client" ]
     env:
       ENVOY_VERSION: ${{ matrix.envoy-version }}

.github/workflows/test-integrations.yml

@@ -271,7 +271,7 @@ jobs:
           # this is further going to multiplied in envoy-integration tests by the
           # other dimensions in the matrix.  Currently TOTAL_RUNNERS would be
           # multiplied by 2 based on these values:
-          # envoy-version: ["1.27.4"]
+          # envoy-version: ["1.27.5"]
           # xds-target: ["server", "client"]
           TOTAL_RUNNERS: 4
           JQ_SLICER: '[ inputs ] | [_nwise(length / $runnercount | floor)]'
@@ -306,7 +306,7 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        envoy-version: ["1.27.4"]
+        envoy-version: ["1.27.5"]
         xds-target: ["server", "client"]
         test-cases: ${{ fromJSON(needs.generate-envoy-job-matrices.outputs.envoy-matrix) }}
     env:

envoyextensions/xdscommon/envoy_versioning_test.go

@@ -154,7 +154,7 @@ func TestDetermineSupportedProxyFeaturesFromString(t *testing.T) {
 		"1.24.0", "1.24.1", "1.24.2", "1.24.3", "1.24.4", "1.24.5", "1.24.6", "1.24.7", "1.24.8", "1.24.9", "1.24.10", "1.24.11", "1.24.12",
 		"1.25.0", "1.25.1", "1.25.2", "1.25.3", "1.25.4", "1.25.5", "1.25.6", "1.25.7", "1.25.8", "1.25.9", "1.25.10", "1.25.11",
 		"1.26.0", "1.26.1", "1.26.2", "1.26.3", "1.26.4", "1.26.5", "1.26.6", "1.26.7", "1.26.8",
-		"1.27.0", "1.27.1", "1.27.2", "1.27.3", "1.27.4",
+		"1.27.0", "1.27.1", "1.27.2", "1.27.3", "1.27.4", "1.27.5",
 	} {
 		cases[v] = testcase{expect: SupportedProxyFeatures{}}
 	}

envoyextensions/xdscommon/proxysupport.go

@@ -12,7 +12,7 @@ import "strings"
 //
 // see: https://www.consul.io/docs/connect/proxies/envoy#supported-versions
 var EnvoyVersions = []string{
-	"1.27.4",
+	"1.27.5",
 	"1.26.8",
 	"1.25.11",
 	"1.24.12",

go.mod

@@ -47,7 +47,7 @@ require (
 	github.com/hashicorp/go-checkpoint v0.5.0
 	github.com/hashicorp/go-cleanhttp v0.5.2
 	github.com/hashicorp/go-connlimit v0.3.0
-	github.com/hashicorp/go-discover v0.0.0-20220714221025-1c234a67149a
+	github.com/hashicorp/go-discover v0.0.0-20230724184603-e89ebd1b2f65
 	github.com/hashicorp/go-hclog v1.5.0
 	github.com/hashicorp/go-immutable-radix v1.3.1
 	github.com/hashicorp/go-memdb v1.3.4