Merge branch 'main' into fast_hash

Signed-off-by: Raven Black <ravenblack@dropbox.com>

.github/config.yml

@@ -211,14 +211,33 @@ run:
  - .bazelrc
  - .bazelversion
  - .github/config.yml
+ - api/**/*
  - bazel/external/quiche.BUILD
  - bazel/repository_locations.bzl
+ - envoy/**/*
  - mobile/.bazelrc
  - mobile/**/*
- - tools/code_format/check_format.py
+ - source/**/*
+ - test/config/**/*
+ - test/integration/*
+ - test/mocks/**/*
+ - test/test_common/**/*
  mobile-compile-time-cc:
  paths:
- - "**/*"
+ - .bazelrc
+ - .bazelversion
+ - .github/config.yml
+ - api/**/*
+ - bazel/external/quiche.BUILD
+ - bazel/repository_locations.bzl
+ - envoy/**/*
+ - mobile/.bazelrc
+ - mobile/**/*
+ - source/**/*
+ - test/config/**/*
+ - test/integration/*
+ - test/mocks/**/*
+ - test/test_common/**/*
  mobile-compile-time-options:
  paths:
  - .bazelrc
@@ -241,9 +260,20 @@ run:
  - tools/code_format/check_format.py
  mobile-core:
  paths:
- - "**/*"
- - "*"
+ - .bazelrc
+ - .bazelversion
+ - .github/config.yml
+ - api/**/*
+ - bazel/external/quiche.BUILD
+ - bazel/repository_locations.bzl
+ - envoy/**/*
  - mobile/.bazelrc
+ - mobile/**/*
+ - source/**/*
+ - test/config/**/*
+ - test/integration/*
+ - test/mocks/**/*
+ - test/test_common/**/*
  mobile-format:
  paths:
  - .bazelrc

.github/workflows/_precheck_deps.yml

@@ -55,4 +55,4 @@ jobs:
  ref: ${{ fromJSON(inputs.request).request.sha }}
  persist-credentials: false
  - name: Dependency Review
- uses: actions/dependency-review-action@733dd5d4a5203f238c33806593ec0f5fc5343d8c # v4.2.4
+ uses: actions/dependency-review-action@5bbc3ba658137598168acb2ab73b21c432dd411b # v4.2.5

.github/workflows/envoy-release.yml

@@ -147,6 +147,8 @@ jobs:
  with:
  committer-name: ${{ env.COMMITTER_NAME }}
  committer-email: ${{ env.COMMITTER_EMAIL }}
+ strip-prefix: release/
+ token: ${{ steps.appauth.outputs.token }}
  - uses: envoyproxy/toolshed/gh-actions/github/run@actions-v0.2.29
  name: Sync version histories
  with:
@@ -170,7 +172,7 @@ jobs:
  dry-run: ${{ ! inputs.pr }}
  GITHUB_TOKEN: ${{ steps.appauth.outputs.token }}
  title: >-
- ${{ steps.checkout.outputs.branch-name != 'main' && '[${{ steps.checkout.outputs.branch-name }}]' || '' }}
+ ${{ steps.checkout.outputs.branch-name != 'main' && format('[{0}]', steps.checkout.outputs.branch-name) || '' }}
  repo: Sync version histories
 
  ## Triggered actions

.github/workflows/mobile-perf.yml

@@ -63,6 +63,7 @@ jobs:
  # Ensure files don't leak back into the main binary
  source: >-
  rm
+ source/common/http/route_config_update_requster.h
  source/common/listener_manager/listener_manager_impl.h
  source/server/overload_manager_impl.cc
  source/common/network/listen_socket_impl.h

CODEOWNERS

@@ -387,4 +387,4 @@ extensions/filters/http/oauth2 @derekargueta @mattklein123
 /contrib/language/ @realtimetodie @realtimetodie
 /contrib/dlb @mattklein123 @daixiang0
 /contrib/qat/ @giantcroc @soulxu
-/contrib/generic_proxy/ @wbpcode @soulxu @zhaohuabing @rojkov @htuch
+/contrib/generic_proxy/ @wbpcode @UNOWNED

api/bazel/BUILD

@@ -1,13 +1,13 @@
 load("@envoy_toolshed//:macros.bzl", "json_data")
 load("@io_bazel_rules_go//proto:compiler.bzl", "go_proto_compiler")
-load(":repository_locations.bzl", "REPOSITORY_LOCATIONS_SPEC")
-load(":repository_locations_utils.bzl", "load_repository_locations_spec")
 load(
  ":external_proto_deps.bzl",
  "EXTERNAL_PROTO_CC_BAZEL_DEP_MAP",
  "EXTERNAL_PROTO_GO_BAZEL_DEP_MAP",
  "EXTERNAL_PROTO_IMPORT_BAZEL_DEP_MAP",
 )
+load(":repository_locations.bzl", "REPOSITORY_LOCATIONS_SPEC")
+load(":repository_locations_utils.bzl", "load_repository_locations_spec")
 
 licenses(["notice"]) # Apache 2
 

api/bazel/repositories.bzl

@@ -51,6 +51,9 @@ def api_dependencies():
  name = "com_github_bufbuild_buf",
  build_file_content = BUF_BUILD_CONTENT,
  )
+ external_http_archive(
+ name = "dev_cel",
+ )
 
  external_http_archive(
  name = "com_github_chrusty_protoc_gen_jsonschema",

api/bazel/repository_locations.bzl

@@ -39,9 +39,9 @@ REPOSITORY_LOCATIONS_SPEC = dict(
  project_desc = "xDS API Working Group (xDS-WG)",
  project_url = "https://github.com/cncf/xds",
  # During the UDPA -> xDS migration, we aren't working with releases.
- version = "6b7cb9e61ad79c99765a1dea2bede517d1b7db3e",
- sha256 = "8671884372d3af43478d6de3e05a653fffdbbe1acc6e827680e2125a0120ccd2",
- release_date = "2024-03-22",
+ version = "0c46c01016dc5c9aeddf6c745a230c32bf62841d",
+ sha256 = "bc1626f5afe5313bac279aeca5761e276abb60c9a1ec9c187c35bfd259f4c40c",
+ release_date = "2024-03-29",
  strip_prefix = "xds-{version}",
  urls = ["https://github.com/cncf/xds/archive/{version}.tar.gz"],
  use_category = ["api"],
@@ -151,6 +151,17 @@ REPOSITORY_LOCATIONS_SPEC = dict(
  use_category = ["build"],
  release_date = "2023-05-30",
  ),
+ dev_cel = dict(
+ project_name = "CEL",
+ project_desc = "Common Expression Language -- specification and binary representation",
+ project_url = "https://github.com/google/cel-spec",
+ strip_prefix = "cel-spec-{version}",
+ sha256 = "3ee09eb69dbe77722e9dee23dc48dc2cd9f765869fcf5ffb1226587c81791a0b",
+ version = "0.15.0",
+ urls = ["https://github.com/google/cel-spec/archive/v{version}.tar.gz"],
+ use_category = ["api"],
+ release_date = "2024-03-27",
+ ),
  rules_proto_grpc = dict(
  project_name = "rules_proto_grpc",
  project_desc = "Bazel rules for building Protobuf and gRPC code and libraries from proto_library targets ",

api/envoy/config/core/v3/health_check.proto

@@ -95,12 +95,11 @@ message HealthCheck {
  // left empty (default value), the name of the cluster this health check is associated
  // with will be used. The host header can be customized for a specific endpoint by setting the
  // :ref:`hostname <envoy_v3_api_field_config.endpoint.v3.Endpoint.HealthCheckConfig.hostname>` field.
- string host = 1 [(validate.rules).string = {well_known_regex: HTTP_HEADER_VALUE strict: false}];
+ string host = 1 [(validate.rules).string = {well_known_regex: HTTP_HEADER_VALUE}];
 
  // Specifies the HTTP path that will be requested during health checking. For example
  // ``/healthcheck``.
- string path = 2
- [(validate.rules).string = {min_len: 1 well_known_regex: HTTP_HEADER_VALUE strict: false}];
+ string path = 2 [(validate.rules).string = {min_len: 1 well_known_regex: HTTP_HEADER_VALUE}];
 
  // [#not-implemented-hide:] HTTP specific payload.
  Payload send = 3;

api/envoy/extensions/filters/http/basic_auth/v3/basic_auth.proto

@@ -6,6 +6,7 @@ import "envoy/config/core/v3/base.proto";
 
 import "udpa/annotations/sensitive.proto";
 import "udpa/annotations/status.proto";
+import "validate/validate.proto";
 
 option java_package = "io.envoyproxy.envoy.extensions.filters.http.basic_auth.v3";
 option java_outer_classname = "BasicAuthProto";
@@ -33,4 +34,11 @@ message BasicAuth {
  // The value needs to be the htpasswd format.
  // Reference to https://httpd.apache.org/docs/2.4/programs/htpasswd.html
  config.core.v3.DataSource users = 1 [(udpa.annotations.sensitive) = true];
+
+ // This field specifies the header name to forward a successfully authenticated user to
+ // the backend. The header will be added to the request with the username as the value.
+ //
+ // If it is not specified, the username will not be forwarded.
+ string forward_username_header = 2
+ [(validate.rules).string = {well_known_regex: HTTP_HEADER_NAME strict: false}];
 }

api/envoy/extensions/filters/http/ext_authz/v3/ext_authz.proto

@@ -28,7 +28,7 @@ option (udpa.annotations.file_status).package_version_status = ACTIVE;
 // External Authorization :ref:`configuration overview <config_http_filters_ext_authz>`.
 // [#extension: envoy.filters.http.ext_authz]
 
-// [#next-free-field: 23]
+// [#next-free-field: 24]
 message ExtAuthz {
  option (udpa.annotations.versioning).previous_message_type =
  "envoy.config.filter.http.ext_authz.v2.ExtAuthz";
@@ -215,6 +215,28 @@ message ExtAuthz {
  // Whether to increment cluster statistics (e.g. cluster.<cluster_name>.upstream_rq_*) on authorization failure.
  // Defaults to true.
  google.protobuf.BoolValue charge_cluster_response_stats = 20;
+
+ // Whether to encode the raw headers (i.e. unsanitized values & unconcatenated multi-line headers)
+ // in authentication request. Works with both HTTP and GRPC clients.
+ //
+ // When this is set to true, header values are not sanitized. Headers with the same key will also
+ // not be combined into a single, comma-separated header.
+ // Requests to GRPC services will populate the field
+ // :ref:`header_map<envoy_v3_api_field_service.auth.v3.AttributeContext.HttpRequest.header_map>`.
+ // Requests to HTTP services will be constructed with the unsanitized header values and preserved
+ // multi-line headers with the same key.
+ //
+ // If this field is set to false, header values will be sanitized, with any non-UTF-8-compliant
+ // bytes replaced with '!'. Headers with the same key will have their values concatenated into a
+ // single comma-separated header value.
+ // Requests to GRPC services will populate the field
+ // :ref:`headers<envoy_v3_api_field_service.auth.v3.AttributeContext.HttpRequest.headers>`.
+ // Requests to HTTP services will have their header values sanitized and will not preserve
+ // multi-line headers with the same key.
+ //
+ // It's recommended you set this to true unless you already rely on the old behavior. False is the
+ // default only for backwards compatibility.
+ bool encode_raw_headers = 23;
 }
 
 // Configuration for buffering the request data.

api/envoy/extensions/filters/http/json_to_metadata/v3/json_to_metadata.proto

@@ -89,7 +89,7 @@ message JsonToMetadata {
  // The value in the KeyValuePair must be set.
  KeyValuePair on_missing = 3;
 
- // If the body is too large or fail to parse, apply this metadata KeyValuePair.
+ // If the body is too large or fail to parse or content-type is mismatched, apply this metadata KeyValuePair.
  //
  // The value in the KeyValuePair must be set.
  KeyValuePair on_error = 4;

api/envoy/extensions/filters/listener/proxy_protocol/v3/proxy_protocol.proto

@@ -70,4 +70,19 @@ message ProxyProtocol {
  // :ref:`core.v3.ProxyProtocolConfig.pass_through_tlvs <envoy_v3_api_field_config.core.v3.ProxyProtocolConfig.pass_through_tlvs>`,
  // which controls pass-through for the upstream.
  config.core.v3.ProxyProtocolPassThroughTLVs pass_through_tlvs = 3;
+
+ // The PROXY protocol versions that won't be matched. Useful to limit the scope and attack surface of the filter.
+ //
+ // When the filter receives PROXY protocol data that is disallowed, it will reject the connection.
+ // By default, the filter will match all PROXY protocol versions.
+ // See https://www.haproxy.org/download/2.1/doc/proxy-protocol.txt for details.
+ //
+ // .. attention::
+ //
+ // When used in conjunction with the :ref:`allow_requests_without_proxy_protocol <envoy_v3_api_field_extensions.filters.listener.proxy_protocol.v3.ProxyProtocol.allow_requests_without_proxy_protocol>`,
+ // the filter will not attempt to match signatures for the disallowed versions.
+ // For example, when ``disallowed_versions=V2``, ``allow_requests_without_proxy_protocol=true``,
+ // and an incoming request matches the V2 signature, the filter will allow the request through without any modification.
+ // The filter treats this request as if it did not have any PROXY protocol information.
+ repeated config.core.v3.ProxyProtocolConfig.Version disallowed_versions = 4;
 }

api/envoy/extensions/filters/network/ext_authz/v3/ext_authz.proto

@@ -25,7 +25,7 @@ option (udpa.annotations.file_status).package_version_status = ACTIVE;
 // gRPC Authorization API defined by
 // :ref:`CheckRequest <envoy_v3_api_msg_service.auth.v3.CheckRequest>`.
 // A failed check will cause this filter to close the TCP connection.
-// [#next-free-field: 8]
+// [#next-free-field: 9]
 message ExtAuthz {
  option (udpa.annotations.versioning).previous_message_type =
  "envoy.config.filter.network.ext_authz.v2.ExtAuthz";
@@ -62,4 +62,10 @@ message ExtAuthz {
  // :ref:`destination<envoy_v3_api_field_service.auth.v3.AttributeContext.destination>`.
  // The labels will be read from :ref:`metadata<envoy_v3_api_msg_config.core.v3.Node>` with the specified key.
  string bootstrap_metadata_labels_key = 7;
+
+ // Specifies if the TLS session level details like SNI are sent to the external service.
+ //
+ // When this field is true, Envoy will include the SNI name used for TLSClientHello, if available, in the
+ // :ref:`tls_session<envoy_v3_api_field_service.auth.v3.AttributeContext.tls_session>`.
+ bool include_tls_session = 8;
 }

api/envoy/extensions/tracers/opentelemetry/samplers/v3/dynatrace_sampler.proto

@@ -2,7 +2,7 @@ syntax = "proto3";
 
 package envoy.extensions.tracers.opentelemetry.samplers.v3;
 
-import "envoy/config/core/v3/http_uri.proto";
+import "envoy/config/core/v3/http_service.proto";
 
 import "udpa/annotations/status.proto";
 
@@ -13,10 +13,9 @@ option go_package = "github.com/envoyproxy/go-control-plane/envoy/extensions/tra
 option (udpa.annotations.file_status).package_version_status = ACTIVE;
 
 // [#protodoc-title: Dynatrace Sampler config]
+
 // Configuration for the Dynatrace Sampler extension.
 // [#extension: envoy.tracers.opentelemetry.samplers.dynatrace]
-
-// [#next-free-field: 6]
 message DynatraceSamplerConfig {
  // The Dynatrace tenant.
  //
@@ -28,19 +27,21 @@ message DynatraceSamplerConfig {
  // The value can be obtained from the Envoy deployment page in Dynatrace.
  int32 cluster_id = 2;
 
- // The HTTP URI to fetch the sampler configuration (root spans per minute). For example:
+ // The HTTP service to fetch the sampler configuration from the Dynatrace API (root spans per minute). For example:
  //
  // .. code-block:: yaml
  //
- // http_uri:
- // uri: <tenant>.dev.dynatracelabs.com/api/v2/samplingConfiguration
- // cluster: dynatrace
- // timeout: 10s
+ // http_service:
+ // http_uri:
+ // cluster: dynatrace
+ // uri: <tenant>.dev.dynatracelabs.com/api/v2/samplingConfiguration
+ // timeout: 10s
+ // request_headers_to_add:
+ // - header:
+ // key : "authorization"
+ // value: "Api-Token dt..."
  //
- config.core.v3.HttpUri http_uri = 3;
-
- // The access token to fetch the sampling configuration from the Dynatrace API
- string token = 4;
+ config.core.v3.HttpService http_service = 3;
 
  // Default number of root spans per minute, used when the value can't be obtained from the Dynatrace API.
  //
@@ -49,5 +50,5 @@ message DynatraceSamplerConfig {
  // - ``root_spans_per_minute`` is unset
  // - ``root_spans_per_minute`` is set to 0
  //
- uint32 root_spans_per_minute = 5;
+ uint32 root_spans_per_minute = 4;
 }

api/envoy/service/auth/v3/attribute_context.proto

@@ -7,6 +7,7 @@ import "envoy/config/core/v3/base.proto";
 
 import "google/protobuf/timestamp.proto";
 
+import "udpa/annotations/migrate.proto";
 import "udpa/annotations/status.proto";
 import "udpa/annotations/versioning.proto";
 
@@ -99,7 +100,7 @@ message AttributeContext {
 
  // This message defines attributes for an HTTP request.
  // HTTP/1.x, HTTP/2, gRPC are all considered as HTTP requests.
- // [#next-free-field: 13]
+ // [#next-free-field: 14]
  message HttpRequest {
  option (udpa.annotations.versioning).previous_message_type =
  "envoy.service.auth.v2.AttributeContext.HttpRequest";
@@ -116,7 +117,31 @@ message AttributeContext {
  // The HTTP request headers. If multiple headers share the same key, they
  // must be merged according to the HTTP spec. All header keys must be
  // lower-cased, because HTTP header keys are case-insensitive.
- map<string, string> headers = 3;
+ // Header value is encoded as UTF-8 string. Non-UTF-8 characters will be replaced by "!".
+ // This field will not be set if
+ // :ref:`encode_raw_headers <envoy_v3_api_field_extensions.filters.http.ext_authz.v3.ExtAuthz.encode_raw_headers>`
+ // is set to true.
+ map<string, string> headers = 3
+ [(udpa.annotations.field_migrate).oneof_promotion = "headers_type"];
+
+ // A list of the raw HTTP request headers. This is used instead of
+ // :ref:`headers <envoy_v3_api_field_service.auth.v3.AttributeContext.HttpRequest.headers>` when
+ // :ref:`encode_raw_headers <envoy_v3_api_field_extensions.filters.http.ext_authz.v3.ExtAuthz.encode_raw_headers>`
+ // is set to true.
+ //
+ // Note that this is not actually a map type. ``header_map`` contains a single repeated field
+ // ``headers``.
+ //
+ // Here, only the ``key`` and ``raw_value`` fields will be populated for each HeaderValue, and
+ // that is only when
+ // :ref:`encode_raw_headers <envoy_v3_api_field_extensions.filters.http.ext_authz.v3.ExtAuthz.encode_raw_headers>`
+ // is set to true.
+ //
+ // Also, unlike the
+ // :ref:`headers <envoy_v3_api_field_service.auth.v3.AttributeContext.HttpRequest.headers>`
+ // field, headers with the same key are not combined into a single comma separated header.
+ config.core.v3.HeaderMap header_map = 13
+ [(udpa.annotations.field_migrate).oneof_promotion = "headers_type"];
 
  // The request target, as it appears in the first line of the HTTP request. This includes
  // the URL path and query-string. No decoding is performed.
@@ -187,7 +212,11 @@ message AttributeContext {
  config.core.v3.Metadata route_metadata_context = 13;
 
  // TLS session details of the underlying connection.
- // This is not populated by default and will be populated if ext_authz filter's
- // :ref:`include_tls_session <config_http_filters_ext_authz>` is set to true.
+ // This is not populated by default and will be populated only if the ext_authz filter has
+ // been specifically configured to include this information.
+ // For HTTP ext_authz, that requires :ref:`include_tls_session <config_http_filters_ext_authz>`
+ // to be set to true.
+ // For network ext_authz, that requires :ref:`include_tls_session <config_network_filters_ext_authz>`
+ // to be set to true.
  TLSSession tls_session = 12;
 }