Merge remote-tracking branch 'upstream/main' into temp_disable_failov…

…er_tests

Signed-off-by: Adi Suissa-Peleg <[email protected]>

api/bazel/api_build_system.bzl

@@ -22,6 +22,7 @@ _CC_PROTO_DESCRIPTOR_SUFFIX = "_cc_proto_descriptor"
 _CC_GRPC_SUFFIX = "_cc_grpc"
 _GO_PROTO_SUFFIX = "_go_proto"
 _GO_IMPORTPATH_PREFIX = "github.com/envoyproxy/go-control-plane/"
+_JAVA_PROTO_SUFFIX = "_java_proto"
 
 _COMMON_PROTO_DEPS = [
     "@com_google_protobuf//:any_proto",
@@ -67,7 +68,8 @@ def api_cc_py_proto_library(
         srcs = [],
         deps = [],
         linkstatic = 0,
-        has_services = 0):
+        has_services = 0,
+        java = True):
     relative_name = ":" + name
     proto_library(
         name = name,
@@ -109,6 +111,13 @@ def api_cc_py_proto_library(
         visibility = ["//visibility:public"],
     )
 
+    if java:
+        native.java_proto_library(
+            name = name + _JAVA_PROTO_SUFFIX,
+            visibility = ["//visibility:public"],
+            deps = [relative_name],
+        )
+
     # Optionally define gRPC services
     if has_services:
         # TODO: when Python services are required, add to the below stub generations.

api/bazel/repositories.bzl

@@ -16,6 +16,9 @@ def api_dependencies():
     external_http_archive(
         name = "bazel_skylib",
     )
+    external_http_archive(
+        name = "rules_jvm_external",
+    )
     external_http_archive(
         name = "com_envoyproxy_protoc_gen_validate",
         patch_args = ["-p1"],

api/bazel/repository_locations.bzl

@@ -34,6 +34,19 @@ REPOSITORY_LOCATIONS_SPEC = dict(
         license = "Apache-2.0",
         license_url = "https://github.com/bufbuild/protoc-gen-validate/blob/v{version}/LICENSE",
     ),
+    rules_jvm_external = dict(
+        project_name = "Java Rules for Bazel",
+        project_desc = "Bazel rules for Java",
+        project_url = "https://github.com/bazelbuild/rules_jvm_external",
+        version = "6.1",
+        strip_prefix = "rules_jvm_external-{version}",
+        sha256 = "08ea921df02ffe9924123b0686dc04fd0ff875710bfadb7ad42badb931b0fd50",
+        urls = ["https://github.com/bazelbuild/rules_jvm_external/releases/download/{version}/rules_jvm_external-{version}.tar.gz"],
+        release_date = "2024-04-26",
+        use_category = ["build"],
+        license = "Apache-2.0",
+        license_url = "https://github.com/bazelbuild/rules_jvm_external/blob/{version}/LICENSE",
+    ),
     com_github_cncf_xds = dict(
         project_name = "xDS API",
         project_desc = "xDS API Working Group (xDS-WG)",

api/envoy/config/cluster/v3/outlier_detection.proto

@@ -21,7 +21,7 @@ option (udpa.annotations.file_status).package_version_status = ACTIVE;
 
 // See the :ref:`architecture overview <arch_overview_outlier_detection>` for
 // more information on outlier detection.
-// [#next-free-field: 25]
+// [#next-free-field: 26]
 message OutlierDetection {
   option (udpa.annotations.versioning).previous_message_type =
       "envoy.api.v2.cluster.OutlierDetection";
@@ -42,8 +42,8 @@ message OutlierDetection {
   // Defaults to 30000ms or 30s.
   google.protobuf.Duration base_ejection_time = 3 [(validate.rules).duration = {gt {}}];
 
-  // The maximum % of an upstream cluster that can be ejected due to outlier
-  // detection. Defaults to 10% but will eject at least one host regardless of the value.
+  // The maximum % of an upstream cluster that can be ejected due to outlier detection. Defaults to 10% .
+  // Will eject at least one host regardless of the value if :ref:`always_eject_one_host<envoy_v3_api_field_config.cluster.v3.OutlierDetection.always_eject_one_host>` is enabled.
   google.protobuf.UInt32Value max_ejection_percent = 4 [(validate.rules).uint32 = {lte: 100}];
 
   // The % chance that a host will be actually ejected when an outlier status
@@ -173,4 +173,8 @@ message OutlierDetection {
   // Set of host's passive monitors.
   // [#not-implemented-hide:]
   repeated core.v3.TypedExtensionConfig monitors = 24;
+
+  // If enabled, at least one host is ejected regardless of the value of :ref:`max_ejection_percent<envoy_v3_api_field_config.cluster.v3.OutlierDetection.max_ejection_percent>`.
+  // Defaults to false.
+  google.protobuf.BoolValue always_eject_one_host = 25;
 }

api/envoy/extensions/filters/http/ext_proc/v3/ext_proc.proto

@@ -98,7 +98,7 @@ option (udpa.annotations.file_status).package_version_status = ACTIVE;
 // <arch_overview_advanced_filter_state_sharing>` object in a namespace matching the filter
 // name.
 //
-// [#next-free-field: 19]
+// [#next-free-field: 20]
 message ExternalProcessor {
   // Describes the route cache action to be taken when an external processor response
   // is received in response to request headers.
@@ -256,6 +256,14 @@ message ExternalProcessor {
   // Only one of ``disable_clear_route_cache`` or ``route_cache_action`` can be set.
   RouteCacheAction route_cache_action = 18
       [(udpa.annotations.field_migrate).oneof_promotion = "clear_route_cache_type"];
+
+  // [#not-implemented-hide:]
+  // Specifies the deferred closure timeout for gRPC stream that connects to external processor. Currently, the deferred stream closure
+  // is only used in :ref:`observability_mode <envoy_v3_api_field_extensions.filters.http.ext_proc.v3.ExternalProcessor.observability_mode>`.
+  // In observability mode, gRPC streams may be held open to the external processor longer than the lifetime of the regular client to
+  // backend stream lifetime. In this case, Envoy will eventually timeout the external processor stream according to this time limit.
+  // The default value is 5000 milliseconds (5 seconds) if not specified.
+  google.protobuf.Duration deferred_close_timeout = 19;
 }
 
 // The MetadataOptions structure defines options for the sending and receiving of

api/envoy/extensions/filters/http/oauth2/v3/oauth.proto

@@ -74,7 +74,7 @@ message OAuth2Credentials {
 
 // OAuth config
 //
-// [#next-free-field: 17]
+// [#next-free-field: 18]
 message OAuth2Config {
   enum AuthType {
     // The ``client_id`` and ``client_secret`` will be sent in the URL encoded request body.
@@ -155,6 +155,12 @@ message OAuth2Config {
   // in a week.
   // This setting is only considered if ``use_refresh_token`` is set to true, otherwise the authorization server expiration or ``defaul_expires_in`` is used.
   google.protobuf.Duration default_refresh_token_expires_in = 15;
+
+  // If set to true, Envoy will not set a cookie for ID Token even if one is received from the Identity Provider. This may be useful in cases where the ID
+  // Token is too large for HTTP cookies (longer than 4096 characters). Enabling this option will only disable setting the cookie response header, the filter
+  // will still process incoming ID Tokens as part of the HMAC if they are there. This is to ensure compatibility while switching this setting on. Future
+  // sessions would not set the IdToken cookie header.
+  bool disable_id_token_set_cookie = 17;
 }
 
 // Filter config.

changelogs/current.yaml

@@ -49,6 +49,10 @@ behavior_changes:
 
 minor_behavior_changes:
 # *Changes that may cause incompatibilities for some users, but should not for most*
+- area: ext_proc
+  change: |
+    Timeout errors in external processor now returns 504 Gateway Timeout to downstream clients.
+    The previous behavior was returning 500 Internal Server Error.
 - area: dfp
   change: |
     Changed dynamic forward proxy so local reply errors include DNS resolution details.  This behavior can be temporarily
@@ -130,6 +134,12 @@ minor_behavior_changes:
   change: |
     Changing HTTP/2 semi-colon prefixed headers to being sanitized by Envoy code rather than nghttp2. Should be a functional no-op but
     guarded by ``envoy.reloadable_features.sanitize_http2_headers_without_nghttp2``.
+- area: http
+  change: |
+    http: envoy will now proxy 104 headers from upstream, though as with 100s only the first 1xx response
+    headers will be sent.104 headers are designated by ietf's draft-ietf-httpbis-resumable-upload rfc.
+    This behavioral can be temporarily reverted by setting runtime guard
+    ``envoy.reloadable_features.proxy_104`` to ``false``.
 - area: jwt_authn
   change: |
     Changes the behavior of the
@@ -237,6 +247,9 @@ bug_fixes:
 - area: datadog
   change: |
     Bumped the version of datadog to resolve a crashing bug in earlier versions of the library.
+- area: lua
+  change: |
+    Fixed a bug where the user data will reference a dangling pointer to the Lua state and cause a crash.
 
 removed_config_or_runtime:
 # *Normally occurs at the end of the* :ref:`deprecation period <deprecated>`
@@ -303,6 +316,9 @@ removed_config_or_runtime:
 - area: jwt
   change: |
     Removed ``envoy.reloadable_features.token_passed_entirely`` runtime flag and legacy code paths.
+- area: outlier detection
+  change: |
+    Removed ``envoy.reloadable_features.check_mep_on_first_eject`` runtime flag and legacy code paths.
 - area: http
   change: |
     Removed ``envoy.reloadable_features.stop_decode_metadata_on_local_reply`` runtime flag and legacy code paths.
@@ -412,6 +428,10 @@ new_features:
     to listen to file changes and dynamically update the response when :ref:`watched_directory
     <envoy_v3_api_field_config.core.v3.datasource.watched_directory>`
     is configured in :ref:`DataSource <envoy_v3_api_msg_config.core.v3.datasource>`.
+- area: outlier detection
+  change: |
+    Added :ref:`always_eject_one_host<envoy_v3_api_field_config.cluster.v3.OutlierDetection.always_eject_one_host>`
+    to optionally override the :ref:`max_ejection_percent<envoy_v3_api_field_config.cluster.v3.OutlierDetection.max_ejection_percent>`.
 - area: listener
   change: |
     Added :ref:`bypass_overload_manager <envoy_v3_api_field_config.listener.v3.Listener.bypass_overload_manager>`
@@ -452,6 +472,10 @@ new_features:
   change: |
     Added support for flow control in Envoy gRPC side stream. This behavior can be disabled by setting the runtime flag
     ``envoy.reloadable_features.grpc_side_stream_flow_control`` to false.
+- area: oauth
+  change: |
+    Added :ref:`disable_id_token_set_cookie <envoy_v3_api_field_extensions.filters.http.oauth2.v3.OAuth2Config.disable_id_token_set_cookie>`
+    to disable setting the ID Token cookie.
 
 deprecated:
 - area: tracing

ci/README.md

@@ -172,6 +172,7 @@ The `./ci/run_envoy_docker.sh './ci/do_ci.sh <TARGET>'` targets are:
 * `clang_tidy <files>` &mdash; build and run clang-tidy specified source files, if no files specified, runs against the diff with the last GitHub commit.
 * `check_proto_format`&mdash; check configuration, formatting and build issues in API proto files.
 * `fix_proto_format`&mdash; fix configuration, formatting and build issues in API proto files.
+* `check_and_fix_proto_format` &mdash; check and fix configuration, fomatting and build issues in API proto files.
 * `format`&mdash; run validation, linting and formatting tools.
 * `docs`&mdash; build documentation tree in `generated/docs`.
 

contrib/generic_proxy/filters/network/source/codecs/http1/config.cc

@@ -604,6 +604,7 @@ Http::Http1::CallbackResult Http1ClientCodec::onMessageCompleteImpl() {
     // 101 Switching Protocols response. Ignore it because we don't support upgrade for now.
     // 102 Processing response. Ignore it.
     // 103 Early Hints response. Ignore it.
+    // 104 Upload Resumption Supported response. Ignore it.
 
     // Return success to continue parsing the actual response.
     return Http::Http1::CallbackResult::Success;

contrib/postgres_proxy/filters/network/test/postgres_integration_test.cc

@@ -1,6 +1,6 @@
 #include "source/common/network/connection_impl.h"
 #include "source/common/tls/client_ssl_socket.h"
-#include "source/common/tls/context_config_impl.h"
+#include "source/common/tls/server_context_config_impl.h"
 #include "source/common/tls/server_ssl_socket.h"
 #include "source/extensions/filters/network/common/factory_base.h"
 

docs/root/configuration/http/http_filters/aws_request_signing_filter.rst

@@ -46,6 +46,16 @@ length of time after which this URL becomes invalid, starting from the time the
 The default expiration time is 5 seconds, with a maximum of 3600 seconds. It is recommended to keep this value as small as practicable,
 as the generated URL is replayable before this time expires.
 
+Header Modification
+-------------------
+
+Unless the  :ref:`query_string <envoy_v3_api_field_extensions.filters.http.aws_request_signing.v3.AwsRequestSigning.query_string>` signing method is used,
+the following HTTP header modifications will be made by this extension:
+- The HTTP ``authorization`` header will be replaced with the calculated SigV4/SigV4A Authorization value
+- The ``x-amz-security-token`` header will be removed, or replaced if a session token is present via credentials
+- The ``x-amz-date`` header will be replaced with the current date
+- The ``x-amz-region-set`` header will replaced if the ``AWS_SIGV4A`` signing algorithm is used
+
 Example configuration
 ---------------------
 

envoy/http/codec.h

@@ -145,7 +145,8 @@ class ResponseEncoder : public virtual StreamEncoder {
 public:
   /**
    * Encode supported 1xx headers.
-   * Currently 100-Continue, 102-Processing, and 103-Early-Data headers are supported.
+   * Currently 100-Continue, 102-Processing, 103-Early-Data, and 104-Upload-Resumption-Supported
+   * headers are supported.
    * @param headers supplies the 1xx header map to encode.
    */
   virtual void encode1xxHeaders(const ResponseHeaderMap& headers) PURE;
@@ -270,7 +271,8 @@ class ResponseDecoder : public virtual StreamDecoder {
 public:
   /**
    * Called with decoded 1xx headers.
-   * Currently 100-Continue, 102-Processing, and 103-Early-Data headers are supported.
+   * Currently 100-Continue, 102-Processing, 103-Early-Data, and 104-Upload-Resumption-Supported
+   * headers are supported.
    * @param headers supplies the decoded 1xx headers map.
    */
   virtual void decode1xxHeaders(ResponseHeaderMapPtr&& headers) PURE;

examples/zstd/docker-compose.yaml

@@ -1,5 +1,5 @@
-version: "3.7"
 services:
+
   envoy-stats:
     build:
       context: .

mobile/.bazelrc

@@ -30,6 +30,7 @@ build --use_top_level_targets_for_symlinks
 build --experimental_repository_downloader_retries=2
 build --define=google_grpc=disabled
 build --define=envoy_yaml=disabled
+build --define=envoy_full_protos=disabled
 
 # We don't have a ton of Swift in Envoy Mobile, so always build with WMO
 # This also helps work around a bug in rules_swift: https://github.com/bazelbuild/rules_swift/issues/949
@@ -64,6 +65,7 @@ build:mobile-dbg-common --copt="-fdebug-compilation-dir" --copt="/proc/self/cwd"
 # https://github.com/envoyproxy/envoy/tree/master/bazel#enabling-optional-features
 build:ios --define=manual_stamp=manual_stamp
 build:ios --test_timeout=390,750,1500,5700
+build:ios --define=envoy_full_protos=enabled
 
 # Default flags for builds targeting Android
 build:android --define=logger=android
@@ -175,7 +177,6 @@ build:mobile-remote-ci-linux-clang --config=mobile-remote-ci-linux
 build:mobile-remote-ci-linux-asan --config=mobile-clang-asan
 build:mobile-remote-ci-linux-asan --config=mobile-remote-ci-linux-clang
 build:mobile-remote-ci-linux-asan --config=remote-ci
-build:mobile-remote-ci-linux-asan --define=envoy_full_protos=disabled
 build:mobile-remote-ci-linux-asan --build_tests_only
 test:mobile-remote-ci-linux-asan --test_env=ENVOY_IP_TEST_VERSIONS=v4only
 
@@ -185,7 +186,6 @@ test:mobile-remote-ci-linux-asan --test_env=ENVOY_IP_TEST_VERSIONS=v4only
 build:mobile-remote-ci-linux-tsan --config=clang-tsan
 build:mobile-remote-ci-linux-tsan --config=mobile-remote-ci-linux-clang
 build:mobile-remote-ci-linux-tsan --config=remote-ci
-build:mobile-remote-ci-linux-tsan --define=envoy_full_protos=disabled
 build:mobile-remote-ci-linux-tsan --build_tests_only
 test:mobile-remote-ci-linux-tsan --test_env=ENVOY_IP_TEST_VERSIONS=v4only
 
@@ -200,7 +200,6 @@ build:mobile-ci-linux-coverage --action_env=BAZEL_LLVM_COV=/opt/llvm/bin/llvm-co
 build:mobile-ci-linux-coverage --test_env=BAZEL_LLVM_COV=/opt/llm/bin/llvm-cov
 build:mobile-ci-linux-coverage --action_env=BAZEL_USE_LLVM_NATIVE_COVERAGE=1
 build:mobile-ci-linux-coverage --test_env=BAZEL_USE_LLVM_NATIVE_COVERAGE=1
-build:mobile-ci-linux-coverage --define=envoy_full_protos=disabled
 build:mobile-ci-linux-coverage --build_tests_only
 
 #############################################################################
@@ -229,6 +228,7 @@ build:mobile-remote-ci-macos --xcode_version_config=//ci:xcode_config
 build:mobile-remote-ci-macos --remote_download_toplevel
 build:mobile-remote-ci-macos --config=ci
 build:mobile-remote-ci-macos --config=remote
+build:mobile-remote-ci-macos --define=envoy_full_protos=disabled
 
 build:mobile-remote-ci --config=mobile-remote-ci-linux-clang
 build:mobile-remote-ci --config=remote-ci
@@ -240,7 +240,6 @@ test:mobile-remote-ci-android --config=mobile-remote-ci
 test:mobile-remote-ci-android --config=mobile-test-android
 
 build:mobile-remote-ci-cc --config=mobile-remote-ci
-build:mobile-remote-ci-cc --define=envoy_full_protos=disabled
 test:mobile-remote-ci-cc --action_env=LD_LIBRARY_PATH
 
 build:mobile-remote-ci-cc-no-exceptions --config=mobile-remote-ci-cc
@@ -249,18 +248,11 @@ build:mobile-remote-ci-cc-no-exceptions --copt=-fno-exceptions
 
 build:mobile-remote-ci-cc-full-protos-enabled --config=mobile-remote-ci-cc
 test:mobile-remote-ci-cc-full-protos-enabled --config=mobile-remote-ci-cc
-test:mobile-remote-ci-cc-full-protos-enabled --define=envoy_full_protos=enabled
 
 build:mobile-remote-ci-macos-kotlin --config=mobile-remote-ci-macos
 build:mobile-remote-ci-macos-kotlin --fat_apk_cpu=x86_64
 
-# TODO(alyssar) remove in a follow-up PR
-build:mobile-remote-ci-macos-swift --config=mobile-remote-ci-macos
-build:mobile-remote-ci-macos-swift --config=mobile-test-ios
-build:mobile-remote-ci-macos-swift --@envoy//bazel:http3=False
-
 build:mobile-remote-ci-core --config=mobile-remote-ci
-build:mobile-remote-ci-core --define=envoy_full_protos=disabled
 test:mobile-remote-ci-core --action_env=LD_LIBRARY_PATH
 
 build:mobile-remote-ci-macos-ios --config=mobile-remote-ci-macos