Merge branch 'master' into health-check-transport-match

Signed-off-by: Spencer Lewis <slewis@squareup.com>
* master: (46 commits)
  allow specifying the API version of bootstrap from the command line (envoyproxy#10803)
  config: adding connect matcher (unused) (envoyproxy#10894)
  Add missing dependency on `assert.h` (envoyproxy#10918)
  Lower heap and disk space used by kafka tests (envoyproxy#10915)
  [tools] handle commits merged without PR in deprecated script (envoyproxy#10723)
  tools: including working tree in modified_since_last_github_commit.sh diff. (envoyproxy#10911)
  rocketmq_proxy: implement rocketmq proxy
  [docs] PR template to include commit message (envoyproxy#10900)
  docs: breaking long word to stop content overflow. (envoyproxy#10880)
  Delete legacy connection pool code. (envoyproxy#10881)
  wasm: clarify how configuration is passed (envoyproxy#10782)
  issue template: clarify security/crash reporting (envoyproxy#10885)
  api/faq: add entry on incremental xDS. (envoyproxy#10876)
  router: retry overloaded requests (envoyproxy#10847)
  Remove inclusion of pthread.h, not needed for linux compilation (envoyproxy#10895)
  request_id: Add option to always set request id in response (envoyproxy#10808)
  xray: Use correct types for segment document output (envoyproxy#10834)
  router: fixing a watermark bug for streaming retries (envoyproxy#10866)
  http: auditing Path() calls for safety with Pathless CONNECT (envoyproxy#10851)
  Remove hardcoded type urls Part.2 (envoyproxy#10848)
  ...

.azure-pipelines/pipelines.yml

@@ -132,17 +132,22 @@ jobs:
     steps:
       - powershell: |
           .\ci\windows_ci_setup.ps1
+          Write-Host "##vso[task.prependpath]$env:TOOLS_BIN_DIR\usr\bin"
+          Write-Host "##vso[task.prependpath]$env:VC_TOOLS_BIN_X64;$env:VC_CMAKE_PATH\CMake\bin;$env:VC_CMAKE_PATH\Ninja"
           Write-Host "##vso[task.prependpath]$env:TOOLS_BIN_DIR"
         displayName: "Install dependencies"
         env:
           TOOLS_BIN_DIR: $(Pipeline.Workspace)\bin
+          VC_CMAKE_PATH: "C:\\Program Files (x86)\\Microsoft Visual Studio\\2019\\Enterprise\\Common7\\IDE\\CommonExtensions\\Microsoft\\CMake"
+          VC_TOOLS_BIN_X64: "C:\\Program Files (x86)\\Microsoft Visual Studio\\2019\\Enterprise\\VC\\Tools\\MSVC\\14.25.28610\\bin\\HostX64\\x64"
 
       - bash: ci/windows_ci_steps.sh
         displayName: "Run Windows CI"
         env:
-          TMPDIR: $(Agent.TempDirectory)
           BAZEL_VC: "C:\\Program Files (x86)\\Microsoft Visual Studio\\2019\\Enterprise\\VC"
-          BAZEL_SH: "C:\\Program Files\\Git\\bin\\bash.exe"
+          BAZEL_SH: $(Pipeline.Workspace)/bin/usr/bin/bash.exe
           BAZEL_REMOTE_CACHE: grpcs://remotebuildexecution.googleapis.com
           BAZEL_REMOTE_INSTANCE: projects/envoy-ci/instances/default_instance
           GCP_SERVICE_ACCOUNT_KEY: $(GcpServiceAccountKey)
+          MSYS2_ARG_CONV_EXCL: "*"
+          TMPDIR: $(Agent.TempDirectory)

.bazelrc

@@ -10,7 +10,7 @@
 # Startup options cannot be selected via config.
 startup --host_jvm_args=-Xmx2g
 
-build --workspace_status_command=bazel/get_workspace_status
+build --workspace_status_command="bash bazel/get_workspace_status"
 build --experimental_local_memory_estimate
 build --experimental_strict_action_env=true
 build --host_force_python=PY3
@@ -205,5 +205,46 @@ build:compdb --strip=always
 build:compdb --build_tag_filters=-nocompdb
 build:compdb --define=ENVOY_CONFIG_COMPILATION_DATABASE=1
 
+# Windows build quirks
+build:windows --action_env=TMPDIR
+build:windows --define signal_trace=disabled
+build:windows --define hot_restart=disabled
+build:windows --define tcmalloc=disabled
+build:windows --define manual_stamp=manual_stamp
+
+# Should not be required after upstream fix to bazel,
+# and already a no-op to linux/macos builds
+# see issue https://github.com/bazelbuild/rules_foreign_cc/issues/301
+build:windows --copt="-DCARES_STATICLIB"
+build:windows --copt="-DNGHTTP2_STATICLIB"
+build:windows --copt="-DCURL_STATICLIB"
+
+# Required to work around build defects on Windows MSVC cl
+# Unguarded gcc pragmas in quiche are not recognized by MSVC
+build:msvc-cl --copt="/wd4068"
+# Allows 'nodiscard' function return values to be discarded
+build:msvc-cl --copt="/wd4834"
+# Allows inline functions to be undefined
+build:msvc-cl --copt="/wd4506"
+build:msvc-cl --copt="-D_SILENCE_EXPERIMENTAL_FILESYSTEM_DEPRECATION_WARNING"
+
+# Required to work around Windows clang-cl build defects
+# Ignore conflicting definitions of _WIN32_WINNT
+# Overriding __TIME__ etc is problematic (and is actually an invalid no-op)
+build:clang-cl --copt="-Wno-macro-redefined"
+build:clang-cl --copt="-Wno-builtin-macro-redefined"
+build:clang-cl --action_env=USE_CLANG_CL=1
+
+# Defaults to 'auto' - Off for windows, so override to linux behavior
+build:windows --enable_runfiles=yes
+
+# This should become adopted by bazel as the default
+build:windows --features=compiler_param_file
+
+# These options attempt to force a monolithic binary including the CRT
+build:windows --features=fully_static_link
+build:windows --features=static_link_msvcrt
+build:windows --dynamic_mode=off
+
 try-import %workspace%/clang.bazelrc
 try-import %workspace%/user.bazelrc

CODEOWNERS

@@ -16,6 +16,8 @@
 extensions/filters/common/original_src @snowp @klarose
 # dubbo_proxy extension
 /*/extensions/filters/network/dubbo_proxy @zyfjeff @lizan
+# rocketmq_proxy extension
+/*/extensions/filters/network/rocketmq_proxy @aaron-ai @lizhanhui @lizan
 # thrift_proxy extension
 /*/extensions/filters/network/thrift_proxy @zuercher @brian-pane
 # compressor used by http compression filters
@@ -40,6 +42,8 @@ extensions/filters/common/original_src @snowp @klarose
 /*/extensions/tracers/xray @marcomagdy @lavignes @mattklein123
 # mysql_proxy extension
 /*/extensions/filters/network/mysql_proxy @rshriram @venilnoronha @mattklein123
+# postgres_proxy extension
+/*/extensions/filters/network/postgres_proxy @fabriziomello @cpakulski @dio
 # quic extension
 /*/extensions/quic_listeners/ @alyssawilk @danzh2010 @mattklein123 @mpwarres @wu-bin
 # zookeeper_proxy extension

CONTRIBUTING.md

@@ -97,6 +97,8 @@ versioning guidelines:
   colon. Examples:
   * "docs: fix grammar error"
   * "http conn man: add new feature"
+* Your PR commit message will be used as the commit message when your PR is merged. You should 
+  update this field if your PR diverges during review.
 * Your PR description should have details on what the PR does. If it fixes an existing issue it
   should end with "Fixes #XXX".
 * When all of the tests are passing and all other conditions described herein are satisfied, a
@@ -190,10 +192,12 @@ and false.
   organization specific shortcuts into the code.
 * If there is a question on who should review a PR please discuss in Slack.
 * Anyone is welcome to review any PR that they want, whether they are a maintainer or not.
+* Please make sure that the PR title, commit message, and description are updated if the PR changes 
+  significantly during review.
 * Please **clean up the title and body** before merging. By default, GitHub fills the squash merge
   title with the original title, and the commit body with every individual commit from the PR.
   The maintainer doing the merge should make sure the title follows the guidelines above and should
-  overwrite the body with the original extended description from the PR (cleaning it up if necessary)
+  overwrite the body with the original commit message from the PR (cleaning it up if necessary)
   while preserving the PR author's final DCO sign-off.
 * If a PR includes a deprecation/breaking change, notification should be sent to the
   [envoy-announce](https://groups.google.com/forum/#!forum/envoy-announce) email list.

ISSUES.md

@@ -0,0 +1,54 @@
+**If you are reporting *any* crash or *any* potential security issue, *do not*
+open an issue in this repo. Please report the issue via emailing
+envoy-security@googlegroups.com where the issue will be triaged appropriately.**
+
+**Issue Template**
+
+*Title*: *One line description*
+
+*Description*:
+>Describe the issue. Please be detailed. If a feature request, please
+describe the desired behaviour, what scenario it enables and how it
+would be used.
+
+[optional *Relevant Links*:]
+>Any extra documentation required to understand the issue.
+
+**Bug Template**
+
+*Title*: *One line description*
+
+*Description*:
+>What issue is being seen? Describe what should be happening instead of
+the bug, for example: Envoy should not crash, the expected value isn't
+returned, etc.
+
+*Repro steps*:
+> Include sample requests, environment, etc. All data and inputs
+required to reproduce the bug.
+
+>**Note**: The [Envoy_collect tool](https://github.com/envoyproxy/envoy/blob/master/tools/envoy_collect/README.md)
+gathers a tarball with debug logs, config and the following admin
+endpoints: /stats, /clusters and /server_info. Please note if there are
+privacy concerns, sanitize the data prior to sharing the tarball/pasting.
+
+*Admin and Stats Output*:
+>Include the admin output for the following endpoints: /stats,
+/clusters, /routes, /server_info. For more information, refer to the
+[admin endpoint documentation.](https://www.envoyproxy.io/docs/envoy/latest/operations/admin)
+
+>**Note**: If there are privacy concerns, sanitize the data prior to
+sharing.
+
+*Config*:
+>Include the config used to configure Envoy.
+
+*Logs*:
+>Include the access logs and the Envoy logs.
+
+>**Note**: If there are privacy concerns, sanitize the data prior to
+sharing.
+
+*Call Stack*:
+> If the Envoy binary is crashing, a call stack is **required**.
+Please refer to the [Bazel Stack trace documentation](https://github.com/envoyproxy/envoy/tree/master/bazel#stack-trace-symbol-resolution).

ISSUE_TEMPLATE.md

@@ -1,56 +1,12 @@
-**WARNING: If you want to report crashes, leaking of sensitive information,
-and/or other security issues, please consider
-[reporting them using appropriate channels](https://github.com/envoyproxy/envoy#reporting-security-vulnerabilities).**
+!!!ATTENTION!!!
 
-**Issue Template**
+If you are reporting *any* crash or *any* potential security issue, *do not*
+open an issue in this repo. Please report the issue via emailing
+envoy-security@googlegroups.com where the issue will be triaged appropriately.
+Thank you in advance for helping to keep Envoy secure.
 
-*Title*: *One line description*
+!!!ATTENTION!!!
 
-*Description*:
->Describe the issue. Please be detailed. If a feature request, please
-describe the desired behaviour, what scenario it enables and how it
-would be used.
-
-[optional *Relevant Links*:]
->Any extra documentation required to understand the issue.
-
-
-
-**Bug Template**
-
-*Title*: *One line description*
-
-*Description*:
->What issue is being seen? Describe what should be happening instead of
-the bug, for example: Envoy should not crash, the expected value isn't
-returned, etc.
-
-*Repro steps*:
-> Include sample requests, environment, etc. All data and inputs
-required to reproduce the bug.
-
->**Note**: The [Envoy_collect tool](https://github.com/envoyproxy/envoy/blob/master/tools/envoy_collect/README.md)
-gathers a tarball with debug logs, config and the following admin
-endpoints: /stats, /clusters and /server_info. Please note if there are
-privacy concerns, sanitize the data prior to sharing the tarball/pasting.
-
-*Admin and Stats Output*:
->Include the admin output for the following endpoints: /stats,
-/clusters, /routes, /server_info. For more information, refer to the
-[admin endpoint documentation.](https://www.envoyproxy.io/docs/envoy/latest/operations/admin)
-
->**Note**: If there are privacy concerns, sanitize the data prior to
-sharing.
-
-*Config*:
->Include the config used to configure Envoy.
-
-*Logs*:
->Include the access logs and the Envoy logs.
-
->**Note**: If there are privacy concerns, sanitize the data prior to
-sharing.
-
-*Call Stack*:
-> If the Envoy binary is crashing, a call stack is **required**.
-Please refer to the [Bazel Stack trace documentation](https://github.com/envoyproxy/envoy/tree/master/bazel#stack-trace-symbol-resolution).
+If this is not a crash or potential security issue please use
+[ISSUES.md](https://github.com/envoyproxy/envoy/blob/master/ISSUES.md) as a
+template.

PULL_REQUESTS.md

@@ -12,13 +12,21 @@ explaining the overall change. Both the component and the explanation must be lo
 * router:add x-envoy-overloaded header
 * tls: add support for specifying TLS session ticket keys
 
-### <a name="desc"></a>Description
+### <a name="desc"></a>Commit Message
 
-The description field should include a more verbose explanation of what this PR
-does. If this PR causes a change in behavior it should document the behavior
-before and after   If fixing a bug, please describe what the original issue is and
-how the change resolves it. If it is configuration controlled, it should note
-how the feature is enabled etc...
+The commit message field should include an explanation of what this PR
+does. This will be used as the final commit message that maintainers will use to
+populate the commit message when merging. If this PR causes a change in behavior
+it should document the behavior before and after. If fixing a bug, please
+describe what the original issue is and how the change resolves it. If it is
+configuration controlled, it should note how the feature is enabled etc...
+
+
+### <a name="desc"></a>Additional Description
+
+The additional description field should include information of what this PR does
+that may be out of scope for a commit message. This could include additional
+information or context useful to reviewers.
 
 ### <a name="risk"></a>Risk
 

PULL_REQUEST_TEMPLATE.md

@@ -1,7 +1,8 @@
 For an explanation of how to fill out the fields, please see the relevant section
 in [PULL_REQUESTS.md](https://github.com/envoyproxy/envoy/blob/master/PULL_REQUESTS.md)
 
-Description:
+Commit Message:
+Additional Description:
 Risk Level:
 Testing:
 Docs Changes:

api/BUILD

@@ -101,7 +101,6 @@ proto_library(
         "//envoy/config/transport_socket/alts/v2alpha:pkg",
         "//envoy/config/transport_socket/raw_buffer/v2:pkg",
         "//envoy/config/transport_socket/tap/v2alpha:pkg",
-        "//envoy/config/wasm/v2alpha:pkg",
         "//envoy/data/accesslog/v2:pkg",
         "//envoy/data/cluster/v2alpha:pkg",
         "//envoy/data/core/v2alpha:pkg",
@@ -211,9 +210,11 @@ proto_library(
         "//envoy/extensions/filters/network/local_ratelimit/v3:pkg",
         "//envoy/extensions/filters/network/mongo_proxy/v3:pkg",
         "//envoy/extensions/filters/network/mysql_proxy/v3:pkg",
+        "//envoy/extensions/filters/network/postgres_proxy/v3alpha:pkg",
         "//envoy/extensions/filters/network/ratelimit/v3:pkg",
         "//envoy/extensions/filters/network/rbac/v3:pkg",
         "//envoy/extensions/filters/network/redis_proxy/v3:pkg",
+        "//envoy/extensions/filters/network/rocketmq_proxy/v3:pkg",
         "//envoy/extensions/filters/network/sni_cluster/v3:pkg",
         "//envoy/extensions/filters/network/sni_dynamic_forward_proxy/v3alpha:pkg",
         "//envoy/extensions/filters/network/tcp_proxy/v3:pkg",

api/envoy/admin/v3/server_info.proto

@@ -54,7 +54,7 @@ message ServerInfo {
   CommandLineOptions command_line_options = 6;
 }
 
-// [#next-free-field: 29]
+// [#next-free-field: 30]
 message CommandLineOptions {
   option (udpa.annotations.versioning).previous_message_type =
       "envoy.admin.v2alpha.CommandLineOptions";
@@ -153,4 +153,7 @@ message CommandLineOptions {
 
   // See :option:`--disable-extensions` for details.
   repeated string disabled_extensions = 28;
+
+  // See :option:`--bootstrap-version` for details.
+  uint32 bootstrap_version = 29;
 }

api/envoy/admin/v4alpha/server_info.proto

@@ -54,7 +54,7 @@ message ServerInfo {
   CommandLineOptions command_line_options = 6;
 }
 
-// [#next-free-field: 29]
+// [#next-free-field: 30]
 message CommandLineOptions {
   option (udpa.annotations.versioning).previous_message_type = "envoy.admin.v3.CommandLineOptions";
 
@@ -152,4 +152,7 @@ message CommandLineOptions {
 
   // See :option:`--disable-extensions` for details.
   repeated string disabled_extensions = 28;
+
+  // See :option:`--bootstrap-version` for details.
+  uint32 bootstrap_version = 29;
 }

api/envoy/api/v2/core/config_source.proto

@@ -57,10 +57,6 @@ message ApiConfigSource {
     // Using the delta xDS gRPC service, i.e. DeltaDiscovery{Request,Response}
     // rather than Discovery{Request,Response}. Rather than sending Envoy the entire state
     // with every update, the xDS server only sends what has changed since the last update.
-    //
-    // DELTA_GRPC is not yet entirely implemented! Initially, only CDS is available.
-    // Do not use for other xDSes.
-    // [#comment:TODO(fredlas) update/remove this warning when appropriate.]
     DELTA_GRPC = 3;
   }
 

api/envoy/config/core/v3/config_source.proto

@@ -58,10 +58,6 @@ message ApiConfigSource {
     // Using the delta xDS gRPC service, i.e. DeltaDiscovery{Request,Response}
     // rather than Discovery{Request,Response}. Rather than sending Envoy the entire state
     // with every update, the xDS server only sends what has changed since the last update.
-    //
-    // DELTA_GRPC is not yet entirely implemented! Initially, only CDS is available.
-    // Do not use for other xDSes.
-    // [#comment:TODO(fredlas) update/remove this warning when appropriate.]
     DELTA_GRPC = 3;
   }
 

api/envoy/config/core/v3/health_check.proto

@@ -87,11 +87,13 @@ message HealthCheck {
     // left empty (default value), the name of the cluster this health check is associated
     // with will be used. The host header can be customized for a specific endpoint by setting the
     // :ref:`hostname <envoy_api_field_config.endpoint.v3.Endpoint.HealthCheckConfig.hostname>` field.
-    string host = 1;
+    string host = 1 [(validate.rules).string = {well_known_regex: HTTP_HEADER_VALUE strict: false}];
 
     // Specifies the HTTP path that will be requested during health checking. For example
     // */healthcheck*.
-    string path = 2 [(validate.rules).string = {min_bytes: 1}];
+    string path = 2 [
+      (validate.rules).string = {min_bytes: 1 well_known_regex: HTTP_HEADER_VALUE strict: false}
+    ];
 
     // [#not-implemented-hide:] HTTP specific payload.
     Payload send = 3;
@@ -108,7 +110,9 @@ message HealthCheck {
 
     // Specifies a list of HTTP headers that should be removed from each request that is sent to the
     // health checked cluster.
-    repeated string request_headers_to_remove = 8;
+    repeated string request_headers_to_remove = 8 [(validate.rules).repeated = {
+      items {string {well_known_regex: HTTP_HEADER_NAME strict: false}}
+    }];
 
     // Specifies a list of HTTP response statuses considered healthy. If provided, replaces default
     // 200-only policy - 200 must be included explicitly as needed. Ranges follow half-open
@@ -169,7 +173,8 @@ message HealthCheck {
     // left empty (default value), the name of the cluster this health check is associated
     // with will be used. The authority header can be customized for a specific endpoint by setting
     // the :ref:`hostname <envoy_api_field_config.endpoint.v3.Endpoint.HealthCheckConfig.hostname>` field.
-    string authority = 2;
+    string authority = 2
+        [(validate.rules).string = {well_known_regex: HTTP_HEADER_VALUE strict: false}];
   }
 
   // Custom health check.