Merge branch 'main' into quiche-roll-20240129175857

Signed-off-by: Ryan Hamilton <rch@google.com>

.github/workflows/envoy-macos.yml

@@ -48,7 +48,7 @@ jobs:
       command:
       container-command:
       request: ${{ needs.load.outputs.request }}
-      runs-on: macos-12-xl
+      runs-on: macos-14-xlarge
       steps-post:
       steps-pre: ${{ matrix.steps-pre }}
       target: ${{ matrix.target }}

CODEOWNERS

@@ -4,6 +4,12 @@
 
 # api
 /api/ @envoyproxy/api-shepherds
+
+# docs/examples
+/docs/ @envoyproxy/docs-shepherds
+/examples/ @envoyproxy/docs-shepherds
+/changelogs/ @envoyproxy/docs-shepherds
+
 # access loggers
 /*/extensions/access_loggers/common @auni53 @zuercher
 /*/extensions/access_loggers/open_telemetry @itamarkam @yanavlasov

api/envoy/config/listener/v3/quic_config.proto

@@ -24,7 +24,7 @@ option (udpa.annotations.file_status).package_version_status = ACTIVE;
 // [#protodoc-title: QUIC listener config]
 
 // Configuration specific to the UDP QUIC listener.
-// [#next-free-field: 10]
+// [#next-free-field: 11]
 message QuicProtocolOptions {
   option (udpa.annotations.versioning).previous_message_type =
       "envoy.api.v2.listener.QuicProtocolOptions";
@@ -77,4 +77,8 @@ message QuicProtocolOptions {
   // [#extension-category: envoy.quic.server_preferred_address]
   core.v3.TypedExtensionConfig server_preferred_address_config = 9
       [(xds.annotations.v3.field_status).work_in_progress = true];
+
+  // Configure the server to send transport parameter `disable_active_migration <https://www.rfc-editor.org/rfc/rfc9000#section-18.2-4.30.1>`_.
+  // Defaults to false (do not send this transport parameter).
+  google.protobuf.BoolValue send_disable_active_migration = 10;
 }

api/envoy/config/rbac/v3/rbac.proto

@@ -194,7 +194,7 @@ message Policy {
 }
 
 // Permission defines an action (or actions) that a principal can take.
-// [#next-free-field: 13]
+// [#next-free-field: 14]
 message Permission {
   option (udpa.annotations.versioning).previous_message_type = "envoy.config.rbac.v2.Permission";
 
@@ -270,6 +270,10 @@ message Permission {
     // Extension for configuring custom matchers for RBAC.
     // [#extension-category: envoy.rbac.matchers]
     core.v3.TypedExtensionConfig matcher = 12;
+
+    // URI template path matching.
+    // [#extension-category: envoy.path.match]
+    core.v3.TypedExtensionConfig uri_template = 13;
   }
 }
 

api/envoy/config/route/v3/route_components.proto

@@ -1211,7 +1211,6 @@ message RouteAction {
   // :ref:`host_rewrite_path_regex <envoy_v3_api_field_config.route.v3.RouteAction.host_rewrite_path_regex>`)
   // causes the original value of the host header, if any, to be appended to the
   // :ref:`config_http_conn_man_headers_x-forwarded-host` HTTP header if it is different to the last value appended.
-  // This can be disabled by setting the runtime guard ``envoy_reloadable_features_append_xfh_idempotent`` to false.
   bool append_x_forwarded_host = 38;
 
   // Specifies the upstream timeout for the route. If not specified, the default is 15s. This

api/envoy/extensions/filters/http/ext_proc/v3/ext_proc.proto

@@ -28,7 +28,6 @@ option (udpa.annotations.file_status).package_version_status = ACTIVE;
 // **Current Implementation Status:**
 // All options and processing modes are implemented except for the following:
 //
-// * Dynamic metadata in responses from the external processor is ignored.
 // * "async mode" is not implemented.
 
 // The filter communicates with an external gRPC service called an "external processor"
@@ -97,7 +96,7 @@ option (udpa.annotations.file_status).package_version_status = ACTIVE;
 // <arch_overview_advanced_filter_state_sharing>` object in a namespace matching the filter
 // name.
 //
-// [#next-free-field: 16]
+// [#next-free-field: 17]
 message ExternalProcessor {
   // Configuration for the gRPC service that the filter will communicate with.
   // The filter supports both the "Envoy" and "Google" gRPC clients.
@@ -203,6 +202,35 @@ message ExternalProcessor {
   // Instead, the stream to the external processor will be closed. There will be no
   // more external processing for this stream from now on.
   bool disable_immediate_response = 15;
+
+  // Options related to the sending and receiving of dynamic metadata.
+  MetadataOptions metadata_options = 16;
+}
+
+// The MetadataOptions structure defines options for the sending and receiving of
+// dynamic metadata. Specifically, which namespaces to send to the server, whether
+// metadata returned by the server may be written, and how that metadata may be written.
+message MetadataOptions {
+  message MetadataNamespaces {
+    // Specifies a list of metadata namespaces whose values, if present,
+    // will be passed to the ext_proc service as an opaque *protobuf::Struct*.
+    repeated string untyped = 1;
+
+    // Specifies a list of metadata namespaces whose values, if present,
+    // will be passed to the ext_proc service as a *protobuf::Any*. This allows
+    // envoy and the external processing server to share the protobuf message
+    // definition for safe parsing.
+    repeated string typed = 2;
+  }
+
+  // Describes which typed or untyped dynamic metadata namespaces to forward to
+  // the external processing server.
+  MetadataNamespaces forwarding_namespaces = 1;
+
+  // Describes which typed or untyped dynamic metadata namespaces to accept from
+  // the external processing server. Set to empty or leave unset to disallow writing
+  // any received dynamic metadata. Receiving of typed metadata is not supported.
+  MetadataNamespaces receiving_namespaces = 2;
 }
 
 // The HeaderForwardingRules structure specifies what headers are
@@ -245,7 +273,7 @@ message ExtProcPerRoute {
 }
 
 // Overrides that may be set on a per-route basis
-// [#next-free-field: 6]
+// [#next-free-field: 7]
 message ExtProcOverrides {
   // Set a different processing mode for this route than the default.
   ProcessingMode processing_mode = 1;
@@ -266,4 +294,11 @@ message ExtProcOverrides {
 
   // Set a different gRPC service for this route than the default.
   config.core.v3.GrpcService grpc_service = 5;
+
+  // Options related to the sending and receiving of dynamic metadata.
+  // Lists of forwarding and receiving namespaces will be overridden in their entirety,
+  // meaning the most-specific config that specifies this override will be the final
+  // config used. It is the prerogative of the control plane to ensure this
+  // most-specific config contains the correct final overrides.
+  MetadataOptions metadata_options = 6;
 }

api/envoy/service/ext_proc/v3/external_processor.proto

@@ -56,7 +56,7 @@ service ExternalProcessor {
 
 // This represents the different types of messages that Envoy can send
 // to an external processing server.
-// [#next-free-field: 8]
+// [#next-free-field: 9]
 message ProcessingRequest {
   // Specify whether the filter that sent this request is running in synchronous
   // or asynchronous mode. The choice of synchronous or asynchronous mode
@@ -109,6 +109,9 @@ message ProcessingRequest {
     // the original upstream response has trailers.
     HttpTrailers response_trailers = 7;
   }
+
+  // Dynamic metadata associated with the request.
+  config.core.v3.Metadata metadata_context = 8;
 }
 
 // For every ProcessingRequest received by the server with the ``async_mode`` field
@@ -152,9 +155,9 @@ message ProcessingResponse {
     ImmediateResponse immediate_response = 7;
   }
 
-  // [#not-implemented-hide:]
-  // Optional metadata that will be emitted as dynamic metadata to be consumed by the next
-  // filter. This metadata will be placed in the namespace ``envoy.filters.http.ext_proc``.
+  // Optional metadata that will be emitted as dynamic metadata to be consumed by
+  // following filters. This metadata will be placed in the namespace(s) specified by the top-level
+  // field name(s) of the struct.
   google.protobuf.Struct dynamic_metadata = 8;
 
   // Override how parts of the HTTP request and response are processed

bazel/dependency_imports.bzl

@@ -27,7 +27,8 @@ def envoy_dependency_imports(go_version = GO_VERSION, jq_version = JQ_VERSION, y
     rules_foreign_cc_dependencies()
     go_rules_dependencies()
     go_register_toolchains(go_version)
-    envoy_download_go_sdks(go_version)
+    if go_version != "host":
+        envoy_download_go_sdks(go_version)
     gazelle_dependencies(go_sdk = "go_sdk")
     apple_rules_dependencies()
     pip_dependencies()

changelogs/current.yaml

@@ -20,12 +20,18 @@ removed_config_or_runtime:
 - area: http
   change: |
     Removed ``envoy.reloadable_features.allow_absolute_url_with_mixed_scheme`` runtime flag and legacy code paths.
+- area: active health check
+  change: |
+    Removed ``envoy.reloadable_features.keep_endpoint_active_hc_status_on_locality_update`` runtime flag and legacy code paths.
 - area: http1
   change: |
     Removed ``envoy.reloadable_features.http1_allow_codec_error_response_after_1xx_headers`` runtime flag and legacy code paths.
 - area: overload manager
   change: |
     removed ``envoy.reloadable_features.overload_manager_error_unknown_action`` and legacy code paths.
+- area: http
+  change: |
+    Removed ``envoy_reloadable_features_append_xfh_idempotent`` runtime flag and legacy code paths.
 
 new_features:
 - area: aws_request_signing
@@ -37,6 +43,11 @@ new_features:
     Change HTTP status to 200 to respect the gRPC protocol. This may cause problems for incorrect gRPC clients expecting the filter
     to preserve HTTP 1.1 responses.  This behavioral change can be temporarily reverted by setting runtime guard
     ``envoy.reloadable_features.grpc_http1_reverse_bridge_change_http_status`` to false.
+- area: quic
+  change: |
+    Added QUIC protocol option :ref:`send_disable_active_migration
+    <envoy_v3_api_field_config.listener.v3.QuicProtocolOptions.send_disable_active_migration>` to make the server send clients a transport
+    parameter to discourage client endpoints from active migration.
 - area: ext_proc
   change: |
     implemented
@@ -48,5 +59,18 @@ new_features:
   change: |
     added support for :ref:`%UPSTREAM_CONNECTION_ID% <config_access_log_format_upstream_connection_id>` for the upstream connection
     identifier.
+- area: ext_proc
+  change: |
+    added
+    :ref:`metadata_options <envoy_v3_api_field_extensions.filters.http.ext_proc.v3.ExternalProcessor.metadata_options>`
+    config API to enable sending and receiving metadata from/to the external processing server. Both typed and untyped dynamic
+    metadata may be sent to the server. If
+    :ref:`receiving_namespaces <envoy_v3_api_field_extensions.filters.http.ext_proc.v3.MetadataOptions.receiving_namespaces>`
+    is defined, returned metadata may be written to the specified allowed namespaces.
+- area: rbac
+  change: |
+    Added :ref:`uri_template<envoy_v3_api_field_config.rbac.v3.Permission.uri_template>` which uses existing
+    :ref:`UriTemplateMatchConfig<envoy_v3_api_msg_extensions.path.match.uri_template.v3.UriTemplateMatchConfig>`
+    to allow use of glob patterns for URI path matching in RBAC.
 
 deprecated:

contrib/generic_proxy/filters/network/source/stats.cc

@@ -18,7 +18,7 @@ CodeOrFlags::CodeOrFlags(Server::Configuration::ServerFactoryContext& context)
     code_stat_names_.push_back(pool_.add(std::to_string(i)));
   }
 
-  for (const auto& flag : StreamInfo::ResponseFlagUtils::ALL_RESPONSE_STRINGS_FLAGS) {
+  for (const auto& flag : StreamInfo::ResponseFlagUtils::CORE_RESPONSE_FLAGS) {
     flag_stat_names_.emplace(flag.second, pool_.add(flag.first.short_string_));
   }
 
@@ -42,13 +42,13 @@ Stats::StatName CodeOrFlags::statNameFromFlag(StreamInfo::ResponseFlag flag) con
 
 absl::InlinedVector<StreamInfo::ResponseFlag, 2>
 getResponseFlags(const StreamInfo::StreamInfo& info) {
-  if (info.responseFlags() == 0) {
+  if (!info.hasAnyResponseFlag()) {
     return {};
   }
 
   absl::InlinedVector<StreamInfo::ResponseFlag, 2> flags;
 
-  for (const auto& flag : StreamInfo::ResponseFlagUtils::ALL_RESPONSE_STRINGS_FLAGS) {
+  for (const auto& flag : StreamInfo::ResponseFlagUtils::CORE_RESPONSE_FLAGS) {
     if (info.hasResponseFlag(flag.second)) {
       flags.push_back(flag.second);
     }

contrib/generic_proxy/filters/network/test/BUILD

@@ -121,3 +121,15 @@ envoy_cc_test(
         "//test/mocks/server:factory_context_mocks",
     ],
 )
+
+envoy_cc_test(
+    name = "access_log_test",
+    srcs = [
+        "access_log_test.cc",
+    ],
+    deps = [
+        ":fake_codec_lib",
+        "//contrib/generic_proxy/filters/network/source:access_log_lib",
+        "//test/mocks/stream_info:stream_info_mocks",
+    ],
+)