Merge branch 'main' of github.com:envoyproxy/envoy into extproc-gatew…

…ay-timeout-status Signed-off-by: Fernando Cainelli <fernando.cainelli-external@getyourguide.com>
cainelli · Jul 8, 2024 · 284d4a7 · 284d4a7
2 parents c29e45f + a7f4da3
commit 284d4a7
Show file tree

Hide file tree

Showing 95 changed files with 1,302 additions and 472 deletions.
diff --git a/api/bazel/api_build_system.bzl b/api/bazel/api_build_system.bzl
@@ -22,6 +22,7 @@ _CC_PROTO_DESCRIPTOR_SUFFIX = "_cc_proto_descriptor"
 _CC_GRPC_SUFFIX = "_cc_grpc"
 _GO_PROTO_SUFFIX = "_go_proto"
 _GO_IMPORTPATH_PREFIX = "github.com/envoyproxy/go-control-plane/"
+_JAVA_PROTO_SUFFIX = "_java_proto"
 
 _COMMON_PROTO_DEPS = [
  "@com_google_protobuf//:any_proto",
@@ -67,7 +68,8 @@ def api_cc_py_proto_library(
  srcs = [],
  deps = [],
  linkstatic = 0,
- has_services = 0):
+ has_services = 0,
+ java = True):
  relative_name = ":" + name
  proto_library(
  name = name,
@@ -109,6 +111,13 @@ def api_cc_py_proto_library(
  visibility = ["//visibility:public"],
  )
 
+ if java:
+ native.java_proto_library(
+ name = name + _JAVA_PROTO_SUFFIX,
+ visibility = ["//visibility:public"],
+ deps = [relative_name],
+ )
+
  # Optionally define gRPC services
  if has_services:
  # TODO: when Python services are required, add to the below stub generations.

diff --git a/api/bazel/repositories.bzl b/api/bazel/repositories.bzl
@@ -16,6 +16,9 @@ def api_dependencies():
  external_http_archive(
  name = "bazel_skylib",
  )
+ external_http_archive(
+ name = "rules_jvm_external",
+ )
  external_http_archive(
  name = "com_envoyproxy_protoc_gen_validate",
  patch_args = ["-p1"],

diff --git a/api/bazel/repository_locations.bzl b/api/bazel/repository_locations.bzl
@@ -34,6 +34,19 @@ REPOSITORY_LOCATIONS_SPEC = dict(
  license = "Apache-2.0",
  license_url = "https://github.com/bufbuild/protoc-gen-validate/blob/v{version}/LICENSE",
  ),
+ rules_jvm_external = dict(
+ project_name = "Java Rules for Bazel",
+ project_desc = "Bazel rules for Java",
+ project_url = "https://github.com/bazelbuild/rules_jvm_external",
+ version = "6.1",
+ strip_prefix = "rules_jvm_external-{version}",
+ sha256 = "08ea921df02ffe9924123b0686dc04fd0ff875710bfadb7ad42badb931b0fd50",
+ urls = ["https://github.com/bazelbuild/rules_jvm_external/releases/download/{version}/rules_jvm_external-{version}.tar.gz"],
+ release_date = "2024-04-26",
+ use_category = ["build"],
+ license = "Apache-2.0",
+ license_url = "https://github.com/bazelbuild/rules_jvm_external/blob/{version}/LICENSE",
+ ),
  com_github_cncf_xds = dict(
  project_name = "xDS API",
  project_desc = "xDS API Working Group (xDS-WG)",

diff --git a/api/envoy/extensions/filters/http/ext_proc/v3/ext_proc.proto b/api/envoy/extensions/filters/http/ext_proc/v3/ext_proc.proto
@@ -98,7 +98,7 @@ option (udpa.annotations.file_status).package_version_status = ACTIVE;
 // <arch_overview_advanced_filter_state_sharing>` object in a namespace matching the filter
 // name.
 //
-// [#next-free-field: 19]
+// [#next-free-field: 20]
 message ExternalProcessor {
  // Describes the route cache action to be taken when an external processor response
  // is received in response to request headers.
@@ -256,6 +256,14 @@ message ExternalProcessor {
  // Only one of ``disable_clear_route_cache`` or ``route_cache_action`` can be set.
  RouteCacheAction route_cache_action = 18
  [(udpa.annotations.field_migrate).oneof_promotion = "clear_route_cache_type"];
+
+ // [#not-implemented-hide:]
+ // Specifies the deferred closure timeout for gRPC stream that connects to external processor. Currently, the deferred stream closure
+ // is only used in :ref:`observability_mode <envoy_v3_api_field_extensions.filters.http.ext_proc.v3.ExternalProcessor.observability_mode>`.
+ // In observability mode, gRPC streams may be held open to the external processor longer than the lifetime of the regular client to
+ // backend stream lifetime. In this case, Envoy will eventually timeout the external processor stream according to this time limit.
+ // The default value is 5000 milliseconds (5 seconds) if not specified.
+ google.protobuf.Duration deferred_close_timeout = 19;
 }
 
 // The MetadataOptions structure defines options for the sending and receiving of

diff --git a/changelogs/current.yaml b/changelogs/current.yaml
@@ -134,6 +134,12 @@ minor_behavior_changes:
  change: |
  Changing HTTP/2 semi-colon prefixed headers to being sanitized by Envoy code rather than nghttp2. Should be a functional no-op but
  guarded by ``envoy.reloadable_features.sanitize_http2_headers_without_nghttp2``.
+- area: http
+ change: |
+ http: envoy will now proxy 104 headers from upstream, though as with 100s only the first 1xx response
+ headers will be sent.104 headers are designated by ietf's draft-ietf-httpbis-resumable-upload rfc.
+ This behavioral can be temporarily reverted by setting runtime guard
+ ``envoy.reloadable_features.proxy_104`` to ``false``.
 - area: jwt_authn
  change: |
  Changes the behavior of the
@@ -241,6 +247,9 @@ bug_fixes:
 - area: datadog
  change: |
  Bumped the version of datadog to resolve a crashing bug in earlier versions of the library.
+- area: lua
+ change: |
+ Fixed a bug where the user data will reference a dangling pointer to the Lua state and cause a crash.
 
 removed_config_or_runtime:
 # *Normally occurs at the end of the* :ref:`deprecation period <deprecated>`

diff --git a/ci/README.md b/ci/README.md
@@ -172,6 +172,7 @@ The `./ci/run_envoy_docker.sh './ci/do_ci.sh <TARGET>'` targets are:
 * `clang_tidy <files>` &mdash; build and run clang-tidy specified source files, if no files specified, runs against the diff with the last GitHub commit.
 * `check_proto_format`&mdash; check configuration, formatting and build issues in API proto files.
 * `fix_proto_format`&mdash; fix configuration, formatting and build issues in API proto files.
+* `check_and_fix_proto_format` &mdash; check and fix configuration, fomatting and build issues in API proto files.
 * `format`&mdash; run validation, linting and formatting tools.
 * `docs`&mdash; build documentation tree in `generated/docs`.
 

diff --git a/contrib/generic_proxy/filters/network/source/codecs/http1/config.cc b/contrib/generic_proxy/filters/network/source/codecs/http1/config.cc
@@ -604,6 +604,7 @@ Http::Http1::CallbackResult Http1ClientCodec::onMessageCompleteImpl() {
  // 101 Switching Protocols response. Ignore it because we don't support upgrade for now.
  // 102 Processing response. Ignore it.
  // 103 Early Hints response. Ignore it.
+ // 104 Upload Resumption Supported response. Ignore it.
 
  // Return success to continue parsing the actual response.
  return Http::Http1::CallbackResult::Success;

diff --git a/contrib/postgres_proxy/filters/network/test/postgres_integration_test.cc b/contrib/postgres_proxy/filters/network/test/postgres_integration_test.cc
@@ -1,6 +1,6 @@
 #include "source/common/network/connection_impl.h"
 #include "source/common/tls/client_ssl_socket.h"
-#include "source/common/tls/context_config_impl.h"
+#include "source/common/tls/server_context_config_impl.h"
 #include "source/common/tls/server_ssl_socket.h"
 #include "source/extensions/filters/network/common/factory_base.h"
 

diff --git a/envoy/http/codec.h b/envoy/http/codec.h
@@ -145,7 +145,8 @@ class ResponseEncoder : public virtual StreamEncoder {
 public:
  /**
  * Encode supported 1xx headers.
- * Currently 100-Continue, 102-Processing, and 103-Early-Data headers are supported.
+ * Currently 100-Continue, 102-Processing, 103-Early-Data, and 104-Upload-Resumption-Supported
+ * headers are supported.
  * @param headers supplies the 1xx header map to encode.
  */
  virtual void encode1xxHeaders(const ResponseHeaderMap& headers) PURE;
@@ -270,7 +271,8 @@ class ResponseDecoder : public virtual StreamDecoder {
 public:
  /**
  * Called with decoded 1xx headers.
- * Currently 100-Continue, 102-Processing, and 103-Early-Data headers are supported.
+ * Currently 100-Continue, 102-Processing, 103-Early-Data, and 104-Upload-Resumption-Supported
+ * headers are supported.
  * @param headers supplies the decoded 1xx headers map.
  */
  virtual void decode1xxHeaders(ResponseHeaderMapPtr&& headers) PURE;

diff --git a/mobile/.bazelrc b/mobile/.bazelrc
@@ -30,6 +30,7 @@ build --use_top_level_targets_for_symlinks
 build --experimental_repository_downloader_retries=2
 build --define=google_grpc=disabled
 build --define=envoy_yaml=disabled
+build --define=envoy_full_protos=disabled
 
 # We don't have a ton of Swift in Envoy Mobile, so always build with WMO
 # This also helps work around a bug in rules_swift: https://github.com/bazelbuild/rules_swift/issues/949
@@ -64,6 +65,7 @@ build:mobile-dbg-common --copt="-fdebug-compilation-dir" --copt="/proc/self/cwd"
 # https://github.com/envoyproxy/envoy/tree/master/bazel#enabling-optional-features
 build:ios --define=manual_stamp=manual_stamp
 build:ios --test_timeout=390,750,1500,5700
+build:ios --define=envoy_full_protos=enabled
 
 # Default flags for builds targeting Android
 build:android --define=logger=android
@@ -175,7 +177,6 @@ build:mobile-remote-ci-linux-clang --config=mobile-remote-ci-linux
 build:mobile-remote-ci-linux-asan --config=mobile-clang-asan
 build:mobile-remote-ci-linux-asan --config=mobile-remote-ci-linux-clang
 build:mobile-remote-ci-linux-asan --config=remote-ci
-build:mobile-remote-ci-linux-asan --define=envoy_full_protos=disabled
 build:mobile-remote-ci-linux-asan --build_tests_only
 test:mobile-remote-ci-linux-asan --test_env=ENVOY_IP_TEST_VERSIONS=v4only
 
@@ -185,7 +186,6 @@ test:mobile-remote-ci-linux-asan --test_env=ENVOY_IP_TEST_VERSIONS=v4only
 build:mobile-remote-ci-linux-tsan --config=clang-tsan
 build:mobile-remote-ci-linux-tsan --config=mobile-remote-ci-linux-clang
 build:mobile-remote-ci-linux-tsan --config=remote-ci
-build:mobile-remote-ci-linux-tsan --define=envoy_full_protos=disabled
 build:mobile-remote-ci-linux-tsan --build_tests_only
 test:mobile-remote-ci-linux-tsan --test_env=ENVOY_IP_TEST_VERSIONS=v4only
 
@@ -200,7 +200,6 @@ build:mobile-ci-linux-coverage --action_env=BAZEL_LLVM_COV=/opt/llvm/bin/llvm-co
 build:mobile-ci-linux-coverage --test_env=BAZEL_LLVM_COV=/opt/llm/bin/llvm-cov
 build:mobile-ci-linux-coverage --action_env=BAZEL_USE_LLVM_NATIVE_COVERAGE=1
 build:mobile-ci-linux-coverage --test_env=BAZEL_USE_LLVM_NATIVE_COVERAGE=1
-build:mobile-ci-linux-coverage --define=envoy_full_protos=disabled
 build:mobile-ci-linux-coverage --build_tests_only
 
 #############################################################################
@@ -229,6 +228,7 @@ build:mobile-remote-ci-macos --xcode_version_config=//ci:xcode_config
 build:mobile-remote-ci-macos --remote_download_toplevel
 build:mobile-remote-ci-macos --config=ci
 build:mobile-remote-ci-macos --config=remote
+build:mobile-remote-ci-macos --define=envoy_full_protos=disabled
 
 build:mobile-remote-ci --config=mobile-remote-ci-linux-clang
 build:mobile-remote-ci --config=remote-ci
@@ -240,7 +240,6 @@ test:mobile-remote-ci-android --config=mobile-remote-ci
 test:mobile-remote-ci-android --config=mobile-test-android
 
 build:mobile-remote-ci-cc --config=mobile-remote-ci
-build:mobile-remote-ci-cc --define=envoy_full_protos=disabled
 test:mobile-remote-ci-cc --action_env=LD_LIBRARY_PATH
 
 build:mobile-remote-ci-cc-no-exceptions --config=mobile-remote-ci-cc
@@ -249,18 +248,11 @@ build:mobile-remote-ci-cc-no-exceptions --copt=-fno-exceptions
 
 build:mobile-remote-ci-cc-full-protos-enabled --config=mobile-remote-ci-cc
 test:mobile-remote-ci-cc-full-protos-enabled --config=mobile-remote-ci-cc
-test:mobile-remote-ci-cc-full-protos-enabled --define=envoy_full_protos=enabled
 
 build:mobile-remote-ci-macos-kotlin --config=mobile-remote-ci-macos
 build:mobile-remote-ci-macos-kotlin --fat_apk_cpu=x86_64
 
-# TODO(alyssar) remove in a follow-up PR
-build:mobile-remote-ci-macos-swift --config=mobile-remote-ci-macos
-build:mobile-remote-ci-macos-swift --config=mobile-test-ios
-build:mobile-remote-ci-macos-swift --@envoy//bazel:http3=False
-
 build:mobile-remote-ci-core --config=mobile-remote-ci
-build:mobile-remote-ci-core --define=envoy_full_protos=disabled
 test:mobile-remote-ci-core --action_env=LD_LIBRARY_PATH
 
 build:mobile-remote-ci-macos-ios --config=mobile-remote-ci-macos

diff --git a/mobile/examples/cc/fetch_client/fetch_client.cc b/mobile/examples/cc/fetch_client/fetch_client.cc
@@ -28,15 +28,16 @@ Fetch::Fetch()
 }
 
 envoy_status_t Fetch::fetch(const std::vector<absl::string_view>& urls,
- const std::vector<absl::string_view>& quic_hints) {
+ const std::vector<absl::string_view>& quic_hints,
+ std::vector<Http::Protocol>& protocols) {
  absl::Notification engine_running;
  dispatcher_ = api_->allocateDispatcher("fetch_client");
  Thread::ThreadPtr envoy_thread = api_->threadFactory().createThread(
  [this, &engine_running, &quic_hints]() -> void { runEngine(engine_running, quic_hints); });
  engine_running.WaitForNotification();
  envoy_status_t status = ENVOY_SUCCESS;
  for (const absl::string_view url : urls) {
- status = sendRequest(url);
+ status = sendRequest(url, protocols);
  if (status == ENVOY_FAILURE) {
  break;
  }
@@ -50,7 +51,8 @@ envoy_status_t Fetch::fetch(const std::vector<absl::string_view>& urls,
  return status;
 }
 
-envoy_status_t Fetch::sendRequest(absl::string_view url_string) {
+envoy_status_t Fetch::sendRequest(absl::string_view url_string,
+ std::vector<Http::Protocol>& protocols) {
  Http::Utility::Url url;
  if (!url.initialize(url_string, /*is_connect_request=*/false)) {
  std::cerr << "Unable to parse url: '" << url_string << "'\n";
@@ -80,12 +82,13 @@ envoy_status_t Fetch::sendRequest(absl::string_view url_string) {
  std::cerr << "Received final data\n";
  }
  };
- stream_callbacks.on_complete_ = [&request_finished](envoy_stream_intel,
- envoy_final_stream_intel final_intel) {
- std::cerr << "Request finished after "
- << final_intel.stream_end_ms - final_intel.stream_start_ms << "ms\n";
- request_finished.Notify();
- };
+ stream_callbacks.on_complete_ =
+ [&request_finished, &protocols](envoy_stream_intel, envoy_final_stream_intel final_intel) {
+ std::cerr << "Request finished after "
+ << final_intel.stream_end_ms - final_intel.stream_start_ms << "ms\n";
+ protocols.push_back(static_cast<Http::Protocol>(final_intel.upstream_protocol));
+ request_finished.Notify();
+ };
  stream_callbacks.on_error_ = [&request_finished, &status](const EnvoyError& error,
  envoy_stream_intel,
  envoy_final_stream_intel final_intel) {
@@ -117,7 +120,8 @@ envoy_status_t Fetch::sendRequest(absl::string_view url_string) {
 void Fetch::runEngine(absl::Notification& engine_running,
  const std::vector<absl::string_view>& quic_hints) {
  Platform::EngineBuilder engine_builder;
- engine_builder.setLogLevel(Logger::Logger::debug);
+ engine_builder.setLogLevel(Logger::Logger::trace);
+ engine_builder.addRuntimeGuard("dns_cache_set_ip_version_to_remove", true);
  engine_builder.setOnEngineRunning([&engine_running]() { engine_running.Notify(); });
  if (!quic_hints.empty()) {
  engine_builder.enableHttp3(true);

diff --git a/mobile/examples/cc/fetch_client/fetch_client.h b/mobile/examples/cc/fetch_client/fetch_client.h
@@ -28,14 +28,16 @@ class Fetch {
 
  /**
  * Sends requests to the specified URLs. When QUIC hints are not empty, HTTP/3 will be enabled.
+ * The `protocols` output parameter will be updated upon successful fetch.
  */
  envoy_status_t fetch(const std::vector<absl::string_view>& urls,
- const std::vector<absl::string_view>& quic_hints = {});
+ const std::vector<absl::string_view>& quic_hints,
+ std::vector<Http::Protocol>& protocols);
 
 private:
  void runEngine(absl::Notification& engine_running,
  const std::vector<absl::string_view>& quic_hints);
- envoy_status_t sendRequest(absl::string_view url);
+ envoy_status_t sendRequest(absl::string_view url, std::vector<Http::Protocol>& protocols);
 
  Thread::MutexBasicLockable lock_;
  Logger::Context logging_context_;

diff --git a/mobile/examples/cc/fetch_client/fetch_client_main.cc b/mobile/examples/cc/fetch_client/fetch_client_main.cc
@@ -15,7 +15,8 @@ int main(int argc, char** argv) {
  for (int i = 1; i < argc; ++i) {
  urls.push_back(argv[i]);
  }
- client.fetch(urls);
+ std::vector<Envoy::Http::Protocol> protocols;
+ client.fetch(urls, /* quic_hints=*/{}, /* protocols= */ protocols);
 
  exit(0);
 }
diff --git a/mobile/examples/kotlin/hello_world/MainActivity.kt b/mobile/examples/kotlin/hello_world/MainActivity.kt
@@ -8,6 +8,8 @@ import android.util.Log
 import androidx.recyclerview.widget.DividerItemDecoration
 import androidx.recyclerview.widget.LinearLayoutManager
 import androidx.recyclerview.widget.RecyclerView
+import com.google.protobuf.Any
+import com.google.protobuf.ByteString
 import io.envoyproxy.envoymobile.AndroidEngineBuilder
 import io.envoyproxy.envoymobile.Element
 import io.envoyproxy.envoymobile.Engine
@@ -57,7 +59,12 @@ class MainActivity : Activity() {
  .addPlatformFilter(::AsyncDemoFilter)
  .addNativeFilter(
  "envoy.filters.http.buffer",
- "[type.googleapis.com/envoy.extensions.filters.http.buffer.v3.Buffer] { max_request_bytes: { value: 5242880 } }"
+ Any.newBuilder()
+ .setTypeUrl("type.googleapis.com/envoy.extensions.filters.http.buffer.v3.Buffer")
+ .setValue(ByteString.empty())
+ .build()
+ .toByteArray()
+ .toString(Charsets.UTF_8)
  )
  .addStringAccessor("demo-accessor", { "PlatformString" })
  .setOnEngineRunning { Log.d(TAG, "Envoy async internal setup completed") }

diff --git a/mobile/library/cc/engine_builder.cc b/mobile/library/cc/engine_builder.cc
@@ -31,6 +31,7 @@
 #include "fmt/core.h"
 #include "library/common/internal_engine.h"
 #include "library/common/extensions/cert_validator/platform_bridge/platform_bridge.pb.h"
+#include "library/common/extensions/filters/http/platform_bridge/filter.pb.h"
 #include "library/common/extensions/filters/http/local_error/filter.pb.h"
 #include "library/common/extensions/filters/http/network_configuration/filter.pb.h"
 #include "library/common/extensions/filters/http/socket_tag/filter.pb.h"
@@ -283,10 +284,23 @@ EngineBuilder& EngineBuilder::addNativeFilter(std::string name, std::string type
 }
 
 std::string EngineBuilder::nativeNameToConfig(absl::string_view name) {
+#ifdef ENVOY_ENABLE_FULL_PROTOS
  return absl::StrCat("[type.googleapis.com/"
  "envoymobile.extensions.filters.http.platform_bridge.PlatformBridge] {"
  "platform_filter_name: \"",
  name, "\" }");
+#else
+ envoymobile::extensions::filters::http::platform_bridge::PlatformBridge proto_config;
+ proto_config.set_platform_filter_name(name);
+ std::string ret;
+ proto_config.SerializeToString(&ret);
+ ProtobufWkt::Any any_config;
+ any_config.set_type_url(
+ "type.googleapis.com/envoymobile.extensions.filters.http.platform_bridge.PlatformBridge");
+ any_config.set_value(ret);
+ any_config.SerializeToString(&ret);
+ return ret;
+#endif
 }
 
 EngineBuilder& EngineBuilder::addPlatformFilter(const std::string& name) {
@@ -359,7 +373,8 @@ std::unique_ptr<envoy::config::bootstrap::v3::Bootstrap> EngineBuilder::generate
  RELEASE_ASSERT(!native_filter->typed_config().DebugString().empty(),
  "Failed to parse: " + (*filter).typed_config_);
 #else
- IS_ENVOY_BUG("Native filter support not implemented for this build");
+ RELEASE_ASSERT(native_filter->mutable_typed_config()->ParseFromString((*filter).typed_config_),
+ "Failed to parse binary proto: " + (*filter).typed_config_);
 #endif // !ENVOY_ENABLE_FULL_PROTOS
  }