auto-merge envoyproxy/envoy[main] into envoyproxy/envoy-openssl[main]

* upstream/main: (65 commits) bazel/ci: Prepare repo for using Engflow RBE (#36293) build(deps): bump yarl from 1.11.1 to 1.12.1 in /tools/base (#36297) build(deps): bump thrift from 0.20.0 to 0.21.0 in /tools/base (#36280) build(deps): bump aiodocker from 0.22.2 to 0.23.0 in /tools/base (#36281) oauth filter: set token cookies regardless of forward_bearer_token option and ability to disable bearertoken and refreshtoken cookie (#35839) runtime: deprecating dfp_mixed_scheme (#36199) ext_proc: Add allow list for mode override (#36279) Fix asan failure (#36286) mobile: Revert accidental test changes (#36291) admin: add allocation profiler (#36136) dynamic_modules: switch to crate_universe to remove manual bindgen (#36240) tools/python: Update all deps (#36267) http: fix issues in CONNECT-UDP forwarding mode. (#36174) Change filter and access logger order in access_log_handlers_ (#35959) Refactor cache_filter to expect caches to post cb (#36184) bump grpc-httpjson-transcoding (#36229) http2: fix reported protocol error from graceful upstream close (#36205) Updates to mobile/third_party/rbe_configs/cc/ (#36269) quic: fix connection close error when blocked socket gets unblocked (#36238) Add `metric_names_for_computing_utilization` field to `ClientSideWeightedRoundRobin` LB Policy proto. (#36201) ...
envoyproxy · Sep 24, 2024 · d873043 · d873043
2 parents 6a1f8d7 + 0d39eef
commit d873043
Show file tree

Hide file tree

Showing 391 changed files with 10,028 additions and 5,818 deletions.
diff --git a/.bazelrc b/.bazelrc
@@ -25,6 +25,7 @@ build --copt=-DABSL_MIN_LOG_LEVEL=4
 build --define envoy_mobile_listener=enabled
 build --experimental_repository_downloader_retries=2
 build --enable_platform_specific_config
+build --incompatible_merge_fixed_and_default_shell_env
 
 # Pass CC, CXX and LLVM_CONFIG variables from the environment.
 # We assume they have stable values, so this won't cause action cache misses.
@@ -45,7 +46,6 @@ build --action_env=BAZEL_VOLATILE_DIRTY --host_action_env=BAZEL_VOLATILE_DIRTY
 # Prevent stamped caches from busting (eg in PRs)
 # Requires setting `BAZEL_FAKE_SCM_REVISION` in the env.
 build --action_env=BAZEL_FAKE_SCM_REVISION --host_action_env=BAZEL_FAKE_SCM_REVISION
-
 build --test_summary=terse
 
 build:docs-ci --action_env=DOCS_RST_CHECK=1 --host_action_env=DOCS_RST_CHECK=1
@@ -514,19 +514,27 @@ build:rbe-engflow --bes_timeout=3600s
 build:rbe-engflow --bes_upload_mode=fully_async
 build:rbe-engflow --nolegacy_important_outputs
 
-build:cache-envoy-engflow --google_default_credentials=false
+# RBE (Engflow Envoy)
+build:common-envoy-engflow --google_default_credentials=false
+build:common-envoy-engflow --credential_helper=*.engflow.com=%workspace%/bazel/engflow-bazel-credential-helper.sh
+build:common-envoy-engflow --grpc_keepalive_time=30s
+
 build:cache-envoy-engflow --remote_cache=grpcs://morganite.cluster.engflow.com
 build:cache-envoy-engflow --remote_timeout=3600s
-build:cache-envoy-engflow --credential_helper=*.engflow.com=%workspace%/bazel/engflow-bazel-credential-helper.sh
-build:cache-envoy-engflow --grpc_keepalive_time=30s
 build:bes-envoy-engflow --bes_backend=grpcs://morganite.cluster.engflow.com/
 build:bes-envoy-engflow --bes_results_url=https://morganite.cluster.engflow.com/invocation/
 build:bes-envoy-engflow --bes_timeout=3600s
 build:bes-envoy-engflow --bes_upload_mode=fully_async
-build:rbe-envoy-engflow --config=cache-envoy-engflow
-build:rbe-envoy-engflow --config=bes-envoy-engflow
+build:bes-envoy-engflow --nolegacy_important_outputs
 build:rbe-envoy-engflow --remote_executor=grpcs://morganite.cluster.engflow.com
 build:rbe-envoy-engflow --remote_default_exec_properties=container-image=docker://gcr.io/envoy-ci/envoy-build@sha256:7adc40c09508f957624c4d2e0f5aeecb73a59207ee6ded53b107eac828c091b2
+build:rbe-envoy-engflow --jobs=200
+build:rbe-envoy-engflow --define=engflow_rbe=true
+
+build:remote-envoy-engflow --config=common-envoy-engflow
+build:remote-envoy-engflow --config=cache-envoy-engflow
+build:remote-envoy-engflow --config=bes-envoy-engflow
+build:remote-envoy-engflow --config=rbe-envoy-engflow
 
 #############################################################################
 # debug: Various Bazel debugging flags

diff --git a/.github/workflows/_precheck_deps.yml b/.github/workflows/_precheck_deps.yml
@@ -29,7 +29,7 @@ jobs:
     uses: ./.github/workflows/_run.yml
     name: ${{ matrix.target }}
     with:
-      bazel-extra: '--config=rbe-envoy-engflow'
+      bazel-extra: '--config=remote-envoy-engflow'
       cache-build-image: ${{ fromJSON(inputs.request).request.build-image.default }}
       request: ${{ inputs.request }}
       error-match: |

diff --git a/.github/workflows/_publish_build.yml b/.github/workflows/_publish_build.yml
@@ -59,7 +59,7 @@ jobs:
           name: Release (x64)
           arch: x64
           bazel-extra: >-
-            --config=rbe-envoy-engflow
+            --config=remote-envoy-engflow
           rbe: true
           runs-on: ubuntu-24.04
         - target: release.server_only

diff --git a/.github/workflows/_publish_verify.yml b/.github/workflows/_publish_verify.yml
@@ -30,7 +30,7 @@ jobs:
     name: ${{ matrix.name || matrix.target }}
     uses: ./.github/workflows/_run.yml
     with:
-      bazel-extra: ${{ matrix.bazel-extra || '--config=rbe-envoy-engflow' }}
+      bazel-extra: ${{ matrix.bazel-extra || '--config=remote-envoy-engflow' }}
       cache-build-image: ${{ matrix.cache-build-image }}
       cache-build-image-key-suffix: ${{ matrix.arch == 'arm64' && format('-{0}', matrix.arch) || '' }}
       container-command: ${{ matrix.container-command }}
@@ -85,7 +85,7 @@ jobs:
     name: ${{ matrix.name || matrix.target }}
     uses: ./.github/workflows/_run.yml
     with:
-      bazel-extra: ${{ matrix.bazel-extra || '--config=rbe-envoy-engflow' }}
+      bazel-extra: ${{ matrix.bazel-extra || '--config=remote-envoy-engflow' }}
       cache-build-image: ${{ fromJSON(inputs.request).request.build-image.default }}
       cache-build-image-key-suffix: ${{ matrix.arch == 'arm64' && format('-{0}', matrix.arch) || '' }}
       container-command: ./ci/run_envoy_docker.sh

diff --git a/.github/workflows/codeql-daily.yml b/.github/workflows/codeql-daily.yml
@@ -34,7 +34,7 @@ jobs:
 
     # Initializes the CodeQL tools for scanning.
     - name: Initialize CodeQL
-      uses: github/codeql-action/init@8214744c546c1e5c8f03dde8fab3a7353211988d  # codeql-bundle-v3.26.7
+      uses: github/codeql-action/init@294a9d92911152fe08befb9ec03e240add280cb3  # codeql-bundle-v3.26.8
       # Override language selection by uncommenting this and choosing your languages
       with:
         languages: cpp
@@ -73,4 +73,4 @@ jobs:
         git clean -xdf
 
     - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@8214744c546c1e5c8f03dde8fab3a7353211988d  # codeql-bundle-v3.26.7
+      uses: github/codeql-action/analyze@294a9d92911152fe08befb9ec03e240add280cb3  # codeql-bundle-v3.26.8
diff --git a/.github/workflows/codeql-push.yml b/.github/workflows/codeql-push.yml
@@ -65,7 +65,7 @@ jobs:
 
     - name: Initialize CodeQL
       if: ${{ env.BUILD_TARGETS != '' }}
-      uses: github/codeql-action/init@8214744c546c1e5c8f03dde8fab3a7353211988d  # codeql-bundle-v3.26.7
+      uses: github/codeql-action/init@294a9d92911152fe08befb9ec03e240add280cb3  # codeql-bundle-v3.26.8
       with:
         languages: cpp
 
@@ -108,4 +108,4 @@ jobs:
 
     - name: Perform CodeQL Analysis
       if: ${{ env.BUILD_TARGETS != '' }}
-      uses: github/codeql-action/analyze@8214744c546c1e5c8f03dde8fab3a7353211988d  # codeql-bundle-v3.26.7
+      uses: github/codeql-action/analyze@294a9d92911152fe08befb9ec03e240add280cb3  # codeql-bundle-v3.26.8
diff --git a/.github/workflows/envoy-macos.yml b/.github/workflows/envoy-macos.yml
@@ -66,6 +66,7 @@ jobs:
               --flaky_test_attempts=2
               --config=bes-envoy-engflow
               --config=cache-envoy-engflow
+              --config=common-envoy-engflow
               --config=ci)
             export BAZEL_BUILD_EXTRA_OPTIONS=${_BAZEL_BUILD_EXTRA_OPTIONS[*]}
 

diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml
@@ -40,6 +40,6 @@ jobs:
         retention-days: 5
 
     - name: "Upload to code-scanning"
-      uses: github/codeql-action/upload-sarif@8214744c546c1e5c8f03dde8fab3a7353211988d  # v3.26.7
+      uses: github/codeql-action/upload-sarif@294a9d92911152fe08befb9ec03e240add280cb3  # v3.26.8
       with:
         sarif_file: results.sarif
diff --git a/OWNERS.md b/OWNERS.md
@@ -76,7 +76,6 @@ without further review.
 
 * All senior maintainers
 * Tony Allen ([tonya11en](https://github.com/tonya11en)) (tony@allen.gg)
-* Otto van der Schaaf ([oschaaf](https://github.com/oschaaf)) (oschaaf@redhat.com)
 * Tim Walsh ([twghu](https://github.com/twghu)) (twalsh@redhat.com)
 * Pradeep Rao ([pradeepcrao](https://github.com/pradeepcrao)) (pcrao@google.com)
 * Kateryna Nezdolii ([nezdolik](https://github.com/nezdolik)) (kateryna.nezdolii@gmail.com)

diff --git a/RELEASES.md b/RELEASES.md
@@ -138,6 +138,6 @@ Security releases are published on a 3-monthly cycle, around the mid point betwe
 | Quarter |  Expected  |   Actual   | Difference |
 |:-------:|:----------:|:----------:|:----------:|
 | 2024 Q2 | 2024/06/04 | 2024/06/04 |   0 days   |
-| 2024 Q3 | 2024/09/03 |
+| 2024 Q3 | 2024/09/03 | 2024/09/19 |  16 days   |
 
 NOTE: Zero-day vulnerabilities, and upstream vulnerabilities disclosed to us under embargo, may necessitate an emergency release with little or no warning.
diff --git a/WORKSPACE b/WORKSPACE
@@ -27,3 +27,7 @@ envoy_python_dependencies()
 load("//bazel:dependency_imports.bzl", "envoy_dependency_imports")
 
 envoy_dependency_imports()
+
+load("//bazel:dependency_imports_extra.bzl", "envoy_dependency_imports_extra")
+
+envoy_dependency_imports_extra()
diff --git a/api/bazel/repository_locations.bzl b/api/bazel/repository_locations.bzl
@@ -79,9 +79,9 @@ REPOSITORY_LOCATIONS_SPEC = dict(
         project_name = "Google APIs",
         project_desc = "Public interface definitions of Google APIs",
         project_url = "https://github.com/googleapis/googleapis",
-        version = "114a745b2841a044e98cdbb19358ed29fcf4a5f1",
-        sha256 = "9b4e0d0a04a217c06b426aefd03b82581a9510ca766d2d1c70e52bb2ad4a0703",
-        release_date = "2023-01-10",
+        version = "fd52b5754b2b268bc3a22a10f29844f206abb327",
+        sha256 = "97fc354dddfd3ea03e7bf2ad74129291ed6fad7ff39d3bd8daec738a3672eb8a",
+        release_date = "2024-09-16",
         strip_prefix = "googleapis-{version}",
         urls = ["https://github.com/googleapis/googleapis/archive/{version}.tar.gz"],
         use_category = ["api"],
@@ -144,11 +144,11 @@ REPOSITORY_LOCATIONS_SPEC = dict(
         project_name = "buf",
         project_desc = "A new way of working with Protocol Buffers.",  # Used for breaking change detection in API protobufs
         project_url = "https://buf.build",
-        version = "1.41.0",
-        sha256 = "47952564762b3f7e248fb70cba1956e68db80242fac3e825ba21eb2632074c93",
+        version = "1.42.0",
+        sha256 = "412c8bdc2a4361f796df59735eb8b8f1cb85f7bfa91f443e471bf0b090d7c6c2",
         strip_prefix = "buf",
         urls = ["https://github.com/bufbuild/buf/releases/download/v{version}/buf-Linux-x86_64.tar.gz"],
-        release_date = "2024-09-11",
+        release_date = "2024-09-18",
         use_category = ["api"],
         license = "Apache-2.0",
         license_url = "https://github.com/bufbuild/buf/blob/v{version}/LICENSE",
@@ -169,11 +169,11 @@ REPOSITORY_LOCATIONS_SPEC = dict(
         project_desc = "Common Expression Language -- specification and binary representation",
         project_url = "https://github.com/google/cel-spec",
         strip_prefix = "cel-spec-{version}",
-        sha256 = "24fd9b5aa218044f2923b8bcfccbf996eb024f05d1acbe1b27aca554f2720ac6",
-        version = "0.16.1",
+        sha256 = "ad735dcea00992c36c7e94a56bceebedad475a01ee63b49c6796c1fcb7b6a41c",
+        version = "0.16.2",
         urls = ["https://github.com/google/cel-spec/archive/v{version}.tar.gz"],
         use_category = ["api"],
-        release_date = "2024-08-28",
+        release_date = "2024-09-18",
     ),
     envoy_toolshed = dict(
         project_name = "envoy_toolshed",

diff --git a/api/envoy/config/core/v3/protocol.proto b/api/envoy/config/core/v3/protocol.proto
@@ -56,7 +56,7 @@ message QuicKeepAliveSettings {
 }
 
 // QUIC protocol options which apply to both downstream and upstream connections.
-// [#next-free-field: 9]
+// [#next-free-field: 10]
 message QuicProtocolOptions {
   // Maximum number of streams that the client can negotiate per connection. 100
   // if not specified.
@@ -111,6 +111,10 @@ message QuicProtocolOptions {
     lte {seconds: 600}
     gte {seconds: 1}
   }];
+
+  // Maximum packet length for QUIC connections. It refers to the largest size of a QUIC packet that can be transmitted over the connection.
+  // If not specified, one of the `default values in QUICHE <https://github.com/google/quiche/blob/main/quiche/quic/core/quic_constants.h>`_ is used.
+  google.protobuf.UInt64Value max_packet_length = 9;
 }
 
 message UpstreamHttpProtocolOptions {

diff --git a/api/envoy/config/listener/v3/quic_config.proto b/api/envoy/config/listener/v3/quic_config.proto
@@ -25,7 +25,7 @@ option (udpa.annotations.file_status).package_version_status = ACTIVE;
 // [#protodoc-title: QUIC listener config]
 
 // Configuration specific to the UDP QUIC listener.
-// [#next-free-field: 13]
+// [#next-free-field: 14]
 message QuicProtocolOptions {
   option (udpa.annotations.versioning).previous_message_type =
       "envoy.api.v2.listener.QuicProtocolOptions";
@@ -94,4 +94,9 @@ message QuicProtocolOptions {
   // If not specified, no cmsg will be saved to QuicReceivedPacket.
   repeated core.v3.SocketCmsgHeaders save_cmsg_config = 12
       [(validate.rules).repeated = {max_items: 1}];
+
+  // If true, the listener will reject connection-establishing packets at the
+  // QUIC layer by replying with an empty version negotiation packet to the
+  // client.
+  bool reject_new_connections = 13;
 }
diff --git a/api/envoy/extensions/filters/http/basic_auth/v3/basic_auth.proto b/api/envoy/extensions/filters/http/basic_auth/v3/basic_auth.proto
@@ -41,6 +41,12 @@ message BasicAuth {
   // If it is not specified, the username will not be forwarded.
   string forward_username_header = 2
       [(validate.rules).string = {well_known_regex: HTTP_HEADER_NAME strict: false}];
+
+  // This field specifies the request header to load the basic credential from.
+  //
+  // If it is not specified, the filter loads the credential from  the "Authorization" header.
+  string authentication_header = 3
+      [(validate.rules).string = {well_known_regex: HTTP_HEADER_NAME strict: false}];
 }
 
 // Extra settings that may be added to per-route configuration for

diff --git a/api/envoy/extensions/filters/http/ext_proc/v3/ext_proc.proto b/api/envoy/extensions/filters/http/ext_proc/v3/ext_proc.proto
@@ -94,7 +94,7 @@ option (udpa.annotations.file_status).package_version_status = ACTIVE;
 // <arch_overview_advanced_filter_state_sharing>` object in a namespace matching the filter
 // name.
 //
-// [#next-free-field: 22]
+// [#next-free-field: 23]
 message ExternalProcessor {
   // Describes the route cache action to be taken when an external processor response
   // is received in response to request headers.
@@ -284,6 +284,15 @@ message ExternalProcessor {
   //       in a single body response message, followed by the remaining body responses.
   // In all scenarios, the header-body ordering must always be maintained.
   bool send_body_without_waiting_for_header_response = 21;
+
+  // When :ref:`allow_mode_override
+  // <envoy_v3_api_field_extensions.filters.http.ext_proc.v3.ExternalProcessor.allow_mode_override>` is enabled and
+  // ``allowed_override_modes`` is configured, the filter config :ref:`processing_mode
+  // <envoy_v3_api_field_extensions.filters.http.ext_proc.v3.ExternalProcessor.processing_mode>`
+  // can only be overridden by the response message from the external processing server iff the
+  // :ref:`mode_override <envoy_v3_api_field_service.ext_proc.v3.ProcessingResponse.mode_override>` is allowed by
+  // the ``allowed_override_modes`` allow-list below.
+  repeated ProcessingMode allowed_override_modes = 22;
 }
 
 // ExtProcHttpService is used for HTTP communication between the filter and the external processing service.

diff --git a/api/envoy/extensions/filters/http/jwt_authn/v3/config.proto b/api/envoy/extensions/filters/http/jwt_authn/v3/config.proto
@@ -63,9 +63,9 @@ message JwtProvider {
   message NormalizePayload {
     // Each claim in this list will be interpreted as a space-delimited string
     // and converted to a list of strings based on the delimited values.
-    // Example: a token with a claim ``scopes: "email profile"`` is translated
-    // to dynamic metadata  ``scopes: ["email", "profile"]`` if this field is
-    // set value ``["scopes"]``. This special handling of ``scopes`` is
+    // Example: a token with a claim ``scope: "email profile"`` is translated
+    // to dynamic metadata  ``scope: ["email", "profile"]`` if this field is
+    // set value ``["scope"]``. This special handling of ``scope`` is
     // recommended by `RFC8693
     // <https://datatracker.ietf.org/doc/html/rfc8693#name-scope-scopes-claim>`_.
     repeated string space_delimited_claims = 1;

diff --git a/api/envoy/extensions/filters/http/oauth2/v3/oauth.proto b/api/envoy/extensions/filters/http/oauth2/v3/oauth.proto
@@ -84,7 +84,7 @@ message OAuth2Credentials {
 
 // OAuth config
 //
-// [#next-free-field: 19]
+// [#next-free-field: 21]
 message OAuth2Config {
   enum AuthType {
     // The ``client_id`` and ``client_secret`` will be sent in the URL encoded request body.
@@ -125,7 +125,7 @@ message OAuth2Config {
   bool forward_bearer_token = 7;
 
   // If set to true, preserve the existing authorization header.
-  // By default Envoy strips the existing authorization header before forwarding upstream.
+  // By default the client strips the existing authorization header before forwarding upstream.
   // Can not be set to true if forward_bearer_token is already set to true.
   // Default value is false.
   bool preserve_authorization_header = 16;
@@ -169,11 +169,23 @@ message OAuth2Config {
   // This setting is only considered if ``use_refresh_token`` is set to true, otherwise the authorization server expiration or ``default_expires_in`` is used.
   google.protobuf.Duration default_refresh_token_expires_in = 15;
 
-  // If set to true, Envoy will not set a cookie for ID Token even if one is received from the Identity Provider. This may be useful in cases where the ID
+  // If set to true, the client will not set a cookie for ID Token even if one is received from the Identity Provider. This may be useful in cases where the ID
   // Token is too large for HTTP cookies (longer than 4096 characters). Enabling this option will only disable setting the cookie response header, the filter
   // will still process incoming ID Tokens as part of the HMAC if they are there. This is to ensure compatibility while switching this setting on. Future
   // sessions would not set the IdToken cookie header.
   bool disable_id_token_set_cookie = 17;
+
+  // If set to true, the client will not set a cookie for Access Token even if one is received from the Identity Provider.
+  // Enabling this option will only disable setting the cookie response header, the filter
+  // will still process incoming Access Tokens as part of the HMAC if they are there. This is to ensure compatibility while switching this setting on. Future
+  // sessions would not set the Access Token cookie header.
+  bool disable_access_token_set_cookie = 19;
+
+  // If set to true, the client will not set a cookie for Refresh Token even if one is received from the Identity Provider.
+  // Enabling this option will only disable setting the cookie response header, the filter
+  // will still process incoming Refresh Tokens as part of the HMAC if they are there. This is to ensure compatibility while switching this setting on. Future
+  // sessions would not set the Refresh Token cookie header.
+  bool disable_refresh_token_set_cookie = 20;
 }
 
 // Filter config.

diff --git a/...envoy/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto b/...envoy/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto
@@ -684,6 +684,34 @@ message HttpConnectionManager {
   // purposes. If unspecified, only RFC1918 IP addresses will be considered internal.
   // See the documentation for :ref:`config_http_conn_man_headers_x-envoy-internal` for more
   // information about internal/external addresses.
+  //
+  // .. warning::
+  //     In the next release, no IP addresses will be considered trusted. If you have tooling such as probes
+  //     on your private network which need to be treated as trusted (e.g. changing arbitrary x-envoy headers)
+  //     you will have to manually include those addresses or CIDR ranges like:
+  //
+  // .. validated-code-block:: yaml
+  //   :type-name: envoy.extensions.filters.network.http_connection_manager.v3.InternalAddressConfig
+  //
+  //   cidr_ranges:
+  //       address_prefix: 10.0.0.0
+  //       prefix_len: 8
+  //   cidr_ranges:
+  //       address_prefix: 192.168.0.0
+  //       prefix_len: 16
+  //   cidr_ranges:
+  //       address_prefix: 172.16.0.0
+  //       prefix_len: 12
+  //   cidr_ranges:
+  //       address_prefix: 127.0.0.1
+  //       prefix_len: 32
+  //   cidr_ranges:
+  //       address_prefix: fd00::
+  //       prefix_len: 8
+  //   cidr_ranges:
+  //       address_prefix: ::1
+  //       prefix_len: 128
+  //
   InternalAddressConfig internal_address_config = 25;
 
   // If set, Envoy will not append the remote address to the