Merge remote-tracking branch 'upstream/main' into xds_failover_plumb

Signed-off-by: Adi Suissa-Peleg <[email protected]>

.github/workflows/mobile-release.yml

@@ -114,24 +114,24 @@ jobs:
       run: |
         # https://github.com/keybase/keybase-issues/issues/2798
         export GPG_TTY=$(tty)
-        # Import gpg keys and warm the passphrase to avoid the gpg
-        # passphrase prompt when initating a deploy
-        # `--pinentry-mode=loopback` could be needed to ensure we
-        # suppress the gpg prompt
-        echo $GPG_KEY | base64 --decode > signing-key
         # The key ID C9ADE25A75333454 was obtained from a previous
         # run of the Mobile Release job. The key ID is consistent
         # between runs. Hard-coding the key ID is more straightforward
         # than using `list-secret-keys` to parse out the correct
         # key ID.
-        echo "default-key C9ADE25A75333454" >> ~/.gnupg/gpg.conf
-        gpg --passphrase $GPG_PASSPHRASE --batch --import signing-key
+        export GPG_DEFAULT_KEY=C9ADE25A75333454
+        # Import gpg keys and warm the passphrase to avoid the gpg
+        # passphrase prompt when initating a deploy
+        # `--pinentry-mode=loopback` could be needed to ensure we
+        # suppress the gpg prompt
+        echo $GPG_KEY | base64 --decode > signing-key
+        gpg --default-key $GPG_DEFAULT_KEY --passphrase $GPG_PASSPHRASE --batch --import signing-key
         shred signing-key
 
-        gpg --pinentry-mode=loopback --passphrase $GPG_PASSPHRASE -ab ${{ matrix.output }}.aar
-        gpg --pinentry-mode=loopback --passphrase $GPG_PASSPHRASE -ab ${{ matrix.output }}-pom.xml
-        gpg --pinentry-mode=loopback --passphrase $GPG_PASSPHRASE -ab ${{ matrix.output }}-javadoc.jar
-        gpg --pinentry-mode=loopback --passphrase $GPG_PASSPHRASE -ab ${{ matrix.output }}-sources.jar
+        gpg --default-key $GPG_DEFAULT_KEY --pinentry-mode=loopback --passphrase $GPG_PASSPHRASE -ab ${{ matrix.output }}.aar
+        gpg --default-key $GPG_DEFAULT_KEY --pinentry-mode=loopback --passphrase $GPG_PASSPHRASE -ab ${{ matrix.output }}-pom.xml
+        gpg --default-key $GPG_DEFAULT_KEY --pinentry-mode=loopback --passphrase $GPG_PASSPHRASE -ab ${{ matrix.output }}-javadoc.jar
+        gpg --default-key $GPG_DEFAULT_KEY --pinentry-mode=loopback --passphrase $GPG_PASSPHRASE -ab ${{ matrix.output }}-sources.jar
     - name: 'Release to sonatype repository'
       env:
         READWRITE_USER: ${{ secrets.EM_SONATYPE_USER }}

RELEASES.md

@@ -129,9 +129,12 @@ [email protected] -
 include in this email a link to the latest [release page](https://github.com/envoyproxy/envoy/releases) (ending in `tag/[version]`)
 * Announce in [#envoy-dev](https://envoyproxy.slack.com/archives/C78HA81DH) and [#envoy-users](https://envoyproxy.slack.com/archives/C78M4KW76) slack channels.
 
-
 ## Security release schedule
 
-There is no fixed scheduled for security fixes. Zero-day vulnerabilities might necessitate
-an emergency release with little or no warning. However, historically security release have
-happened roughly once per quarter, midway between major releases.
+Security releases are published on a 3-monthly cycle, around the mid point between major releases.
+
+| Quarter |  Expected  |   Actual   | Difference |
+|:-------:|:----------:|:----------:|:----------:|
+| 2024 Q2 | 2024/06/04 |            |            |
+
+NOTE: Zero-day vulnerabilities, and upstream vulnerabilities disclosed to us under embargo, may necessitate an emergency release with little or no warning.

bazel/external/quiche.BUILD

@@ -3982,8 +3982,10 @@ envoy_quic_cc_library(
         "quiche/quic/core/quic_stream_sequencer.cc",
         "quiche/quic/core/tls_handshaker.cc",
         "quiche/quic/core/uber_quic_stream_id_manager.cc",
+        "quiche/quic/core/web_transport_write_blocked_list.cc",
     ],
     hdrs = [
+        "quiche/common/btree_scheduler.h",
         "quiche/quic/core/handshaker_delegate_interface.h",
         "quiche/quic/core/legacy_quic_stream_id_manager.h",
         "quiche/quic/core/quic_control_frame_manager.h",
@@ -4000,6 +4002,7 @@ envoy_quic_cc_library(
         "quiche/quic/core/tls_client_handshaker.h",  # required by tls_handshaker.cc
         "quiche/quic/core/tls_handshaker.h",
         "quiche/quic/core/uber_quic_stream_id_manager.h",
+        "quiche/quic/core/web_transport_write_blocked_list.h",
     ],
     external_deps = ["ssl"],
     deps = [

bazel/repository_locations.bzl

@@ -1192,12 +1192,12 @@ REPOSITORY_LOCATIONS_SPEC = dict(
         project_name = "QUICHE",
         project_desc = "QUICHE (QUIC, HTTP/2, Etc) is Google‘s implementation of QUIC and related protocols",
         project_url = "https://github.com/google/quiche",
-        version = "1397c94d55af0bfc142ac7dda923cf2726857755",
-        sha256 = "ae33ab0056fd5119d9aae15abfcb69e5d6f021ec5e18e77535ec0fe0c49dfa66",
+        version = "cea6f57f9ce03a5aa2bb0e0d8adcdf3ab452c0c3",
+        sha256 = "d0187c4c3c74a709727549b020ef90471113d70047dff7d8fd9f2bfd37a6da5b",
         urls = ["https://github.com/google/quiche/archive/{version}.tar.gz"],
         strip_prefix = "quiche-{version}",
         use_category = ["controlplane", "dataplane_core"],
-        release_date = "2024-05-16",
+        release_date = "2024-05-29",
         cpe = "N/A",
         license = "BSD-3-Clause",
         license_url = "https://github.com/google/quiche/blob/{version}/LICENSE",

changelogs/current.yaml

@@ -200,6 +200,11 @@ new_features:
   change: |
     Added support to healthcheck with ProxyProtocol in TCP Healthcheck by setting
     :ref:`health_check_config <envoy_v3_api_field_config.core.v3.HealthCheck.TcpHealthCheck.proxy_protocol_config>`.
+- area: access_log
+  change: |
+    added new ``access_log`` command operators to retrieve upstream connection information change: ``%UPSTREAM_PEER_URI_SAN%``,
+    ``%UPSTREAM_PEER_IP_SAN%``, ``%UPSTREAM_PEER_DNS_SAN%``, ``%UPSTREAM_LOCAL_URI_SAN%``, ``%UPSTREAM_LOCAL_DNS_SAN%``,
+    ``%UPSTREAM_LOCAL_IP_SAN%``.
 - area: open_telemetry
   change: |
     added :ref:`stat_prefix

docs/root/configuration/http/http_filters/aws_request_signing_filter.rst

@@ -118,3 +118,17 @@ comes from the owning HTTP connection manager.
   signing_failed, Counter, Total requests for which signing failed (includes payload_signing_failed)
   payload_signing_added, Counter, Total requests for which the payload was buffered signing succeeded
   payload_signing_failed, Counter, Total requests for which the payload was buffered but signing failed
+
+In addition, when using the ``envoy.reloadable_features.use_http_client_to_fetch_aws_credentials`` reloadable feature, the following
+statistics are output under the ``aws.metadata_credentials_provider`` namespace:
+
+.. csv-table::
+  :header: Name, Type, Description
+  :escape: '
+  :widths: 1, 1, 2
+
+  <provider_cluster>.credential_refreshes_performed, Counter, Total credential refreshes performed by this cluster
+  <provider_cluster>.credential_refreshes_failed, Counter, Total credential refreshes failed by this cluster. For example', this would be incremented if a WebIdentity token was expired
+  <provider_cluster>.credential_refreshes_succeeded, Counter, Total successful credential refreshes for this cluster. Successful refresh would indicate credentials are available for signing
+  <provider_cluster>.metadata_refresh_state, Gauge, 0 means the cluster is in initial refresh state', ie no successful credential refreshes have been performed. In 0 state the cluster will attempt credential refresh up to a maximum of once every 30 seconds. 1 means the cluster is in normal credential expiration based refresh state
+

docs/root/configuration/observability/access_log/usage.rst

@@ -1182,6 +1182,42 @@ UDP
   UPSTREAM_PEER_CERT_V_END can be customized using a `format string <https://en.cppreference.com/w/cpp/io/manip/put_time>`_.
   See :ref:`START_TIME <config_access_log_format_start_time>` for additional format specifiers and examples.
 
+%UPSTREAM_PEER_URI_SAN%
+  HTTP/TCP/THRIFT
+    The URIs present in the SAN of the peer certificate used to establish the upstream TLS connection.
+  UDP
+    Not implemented ("-").
+
+%UPSTREAM_PEER_DNS_SAN%
+  HTTP/TCP/THRIFT
+    The DNS names present in the SAN of the peer certificate used to establish the upstream TLS connection.
+  UDP
+    Not implemented ("-").
+
+%UPSTREAM_PEER_IP_SAN%
+  HTTP/TCP/THRIFT
+    The ip addresses present in the SAN of the peer certificate used to establish the upstream TLS connection.
+  UDP
+    Not implemented ("-").
+
+%UPSTREAM_LOCAL_URI_SAN%
+  HTTP/TCP/THRIFT
+    The URIs present in the SAN of the local certificate used to establish the upstream TLS connection.
+  UDP
+    Not implemented ("-").
+
+%UPSTREAM_LOCAL_DNS_SAN%
+  HTTP/TCP/THRIFT
+    The DNS names present in the SAN of the local certificate used to establish the upstream TLS connection.
+  UDP
+    Not implemented ("-").
+
+%UPSTREAM_LOCAL_IP_SAN%
+  HTTP/TCP/THRIFT
+    The ip addresses present in the SAN of the local certificate used to establish the upstream TLS connection.
+  UDP
+    Not implemented ("-").
+
 %HOSTNAME%
   The system hostname.
 

docs/root/configuration/other_features/dlb.rst

@@ -1,19 +1,19 @@
 .. _config_connection_balance_dlb:
 
-Dlb Connection Balancer
+DLB Connection Balancer
 =======================
 
 * :ref:`v3 API reference <envoy_v3_api_msg_extensions.network.connection_balance.dlb.v3alpha.Dlb>`
 
 
 This connection balancer extension provides Envoy with low latency networking by integrating with `Intel DLB <https://networkbuilders.intel.com/solutionslibrary/queue-management-and-load-balancing-on-intel-architecture>`_ through the libdlb library.
 
-The Dlb connection balancer is only included in :ref:`contrib images <install_contrib>`
+The DLB connection balancer is only included in :ref:`contrib images <install_contrib>`.
 
 Example configuration
 ---------------------
 
-An example for Dlb connection balancer configuration is:
+An example for DLB connection balancer configuration is:
 
 .. literalinclude:: _include/dlb.yaml
     :language: yaml
@@ -22,18 +22,18 @@ An example for Dlb connection balancer configuration is:
 How it works
 ------------
 
-If enabled, the Dlb connection balancer will:
+If enabled, the DLB connection balancer will:
 
-- attach Dlb hardware
+- attach DLB hardware
 - create a queue for balancing
 - create one port to send and one port to receive for each worker thread
 - create one eventfd for each worker thread and attach each eventfd to corresponding customer
-- register each eventfd to corresponding customer and Dlb hardware
+- register each eventfd to corresponding customer and DLB hardware
 
-When new connections come, one worker thread will accept it and send it to Dlb hardware. Dlb hardware
+When new connections come, one worker thread will accept it and send it to DLB hardware. DLB hardware
 does balancing then trigger one worker thread to receive via libevent.
 
-Installing and using Dlb
-------------------------
+Installing DLB
+--------------
 
 For information on how to build/install and use libdlb see `the getting started guide <https://downloadmirror.intel.com/727424/DLB_Driver_User_Guide.pdf>`_.

envoy/secret/secret_callbacks.h

@@ -12,7 +12,7 @@ class SecretCallbacks {
 public:
   virtual ~SecretCallbacks() = default;
 
-  virtual void onAddOrUpdateSecret() PURE;
+  virtual absl::Status onAddOrUpdateSecret() PURE;
 };
 
 } // namespace Secret

envoy/server/transport_socket_config.h

@@ -87,13 +87,13 @@ class UpstreamTransportSocketConfigFactory : public virtual TransportSocketConfi
    * @param config const Protobuf::Message& supplies the config message for the transport socket
    *        implementation.
    * @param context TransportSocketFactoryContext& supplies the transport socket's context.
-   * @return Network::UpstreamTransportSocketFactoryPtr the transport socket factory instance. The
-   * returned TransportSocketFactoryPtr should not be nullptr.
+   * @return absl::StatusOr<Network::UpstreamTransportSocketFactoryPtr> the transport socket factory
+   * instance or error status. The returned TransportSocketFactoryPtr should not be nullptr.
    *
    * @throw EnvoyException if the implementation is unable to produce a factory with the provided
    *        parameters.
    */
-  virtual Network::UpstreamTransportSocketFactoryPtr
+  virtual absl::StatusOr<Network::UpstreamTransportSocketFactoryPtr>
   createTransportSocketFactory(const Protobuf::Message& config,
                                TransportSocketFactoryContext& context) PURE;
 
@@ -113,13 +113,13 @@ class DownstreamTransportSocketConfigFactory : public virtual TransportSocketCon
    * @param config const Protobuf::Message& supplies the config message for the transport socket
    *        implementation.
    * @param context TransportSocketFactoryContext& supplies the transport socket's context.
-   * @return Network::DownstreamTransportSocketFactoryPtr the transport socket factory instance. The
-   * returned TransportSocketFactoryPtr should not be nullptr.
+   * @return absl::StatusOr<Network::DownstreamTransportSocketFactoryPtr> the transport socket
+   * factory instance. The returned TransportSocketFactoryPtr should not be nullptr.
    *
    * @throw EnvoyException if the implementation is unable to produce a factory with the provided
    *        parameters.
    */
-  virtual Network::DownstreamTransportSocketFactoryPtr
+  virtual absl::StatusOr<Network::DownstreamTransportSocketFactoryPtr>
   createTransportSocketFactory(const Protobuf::Message& config,
                                TransportSocketFactoryContext& context,
                                const std::vector<std::string>& server_names) PURE;

envoy/ssl/context_config.h

@@ -81,7 +81,7 @@ class ContextConfig {
    * are downloaded from SDS server, this callback is invoked to update SSL context.
    * @param callback callback that is executed by context config.
    */
-  virtual void setSecretUpdateCallback(std::function<void()> callback) PURE;
+  virtual void setSecretUpdateCallback(std::function<absl::Status()> callback) PURE;
 
   /**
    * @return a callback which can be used to create Handshaker instances.

examples/grpc-bridge/client/requirements.txt

@@ -217,9 +217,9 @@ protobuf==5.27.0 \
     # via
     #   -r requirements.in
     #   grpcio-tools
-requests==2.32.2 \
-    --hash=sha256:dd951ff5ecf3e3b3aa26b40703ba77495dab41da839ae72ef3c8e5d8e2433289 \
-    --hash=sha256:fc06670dd0ed212426dfeb94fc1b983d917c4f9847c863f313c9dfaaffb7c23c
+requests==2.32.3 \
+    --hash=sha256:55365417734eb18255590a9ff9eb97e9e1da868d4ccd6402399eaf68af20a760 \
+    --hash=sha256:70761cfe03c773ceb22aa2f671b4757976145175cdfca038c02654d061d6dcc6
     # via -r requirements.in
 urllib3==2.0.7 \
     --hash=sha256:c97dfde1f7bd43a71c8d2a58e369e9b2bf692d1334ea9f9cae55add7d0dd0f84 \

examples/single-page-app/ui/package.json

@@ -14,7 +14,7 @@
     "@chakra-ui/react": "^2.8.2",
     "@emotion/react": "^11.11.4",
     "@emotion/styled": "^11.11.5",
-    "framer-motion": "^11.2.6",
+    "framer-motion": "^11.2.9",
     "mdi-react": "^9.3.0",
     "react": "^18.3.1",
     "react-dom": "^18.3.1",

examples/single-page-app/ui/yarn.lock

@@ -2733,10 +2733,10 @@ for-each@^0.3.3:
   dependencies:
     is-callable "^1.1.3"
 
-framer-motion@^11.2.6:
-  version "11.2.6"
-  resolved "https://registry.yarnpkg.com/framer-motion/-/framer-motion-11.2.6.tgz#ab693b24d1f6cf34ef83494ab2df59fd39b7c87e"
-  integrity sha512-XUrjjBt57e5YoHQtjwc3eNchFBuHvIgN/cS8SC4oIaAn2J/0+bLanUxXizidJKZVeHJam/JrmMnPRjYMglVn5g==
+framer-motion@^11.2.9:
+  version "11.2.9"
+  resolved "https://registry.yarnpkg.com/framer-motion/-/framer-motion-11.2.9.tgz#ba1dbaf2421b16fa8da310db7d7b39e1b5d0d3dc"
+  integrity sha512-gfxNSkp4dC3vpy2hGNQK3K9bNOKwfasqOhrqvmZzYxCPSJ9Tpv/9JlCkeCMgFdKefgPr8+JiouGjVmaDzu750w==
   dependencies:
     tslib "^2.4.0"
 

mobile/test/common/integration/test_server.cc

@@ -535,7 +535,8 @@ Network::DownstreamTransportSocketFactoryPtr TestServer::createQuicUpstreamTlsCo
       Server::Configuration::DownstreamTransportSocketConfigFactory>(
       "envoy.transport_sockets.quic");
 
-  return config_factory.createTransportSocketFactory(quic_config, factory_context, server_names);
+  return config_factory.createTransportSocketFactory(quic_config, factory_context, server_names)
+      .value();
 }
 
 Network::DownstreamTransportSocketFactoryPtr TestServer::createUpstreamTlsContext(

source/common/formatter/stream_info_formatter.cc

@@ -1352,6 +1352,54 @@ const StreamInfoFormatterProviderLookupTable& getKnownStreamInfoFormatterProvide
                     return result;
                   });
             }}},
+          {"UPSTREAM_PEER_URI_SAN",
+           {CommandSyntaxChecker::COMMAND_ONLY,
+            [](const std::string&, absl::optional<size_t>) {
+              return std::make_unique<StreamInfoUpstreamSslConnectionInfoFormatterProvider>(
+                  [](const Ssl::ConnectionInfo& connection_info) {
+                    return absl::StrJoin(connection_info.uriSanPeerCertificate(), ",");
+                  });
+            }}},
+          {"UPSTREAM_PEER_DNS_SAN",
+           {CommandSyntaxChecker::COMMAND_ONLY,
+            [](const std::string&, absl::optional<size_t>) {
+              return std::make_unique<StreamInfoUpstreamSslConnectionInfoFormatterProvider>(
+                  [](const Ssl::ConnectionInfo& connection_info) {
+                    return absl::StrJoin(connection_info.dnsSansPeerCertificate(), ",");
+                  });
+            }}},
+          {"UPSTREAM_PEER_IP_SAN",
+           {CommandSyntaxChecker::COMMAND_ONLY,
+            [](const std::string&, absl::optional<size_t>) {
+              return std::make_unique<StreamInfoUpstreamSslConnectionInfoFormatterProvider>(
+                  [](const Ssl::ConnectionInfo& connection_info) {
+                    return absl::StrJoin(connection_info.ipSansPeerCertificate(), ",");
+                  });
+            }}},
+          {"UPSTREAM_LOCAL_URI_SAN",
+           {CommandSyntaxChecker::COMMAND_ONLY,
+            [](const std::string&, absl::optional<size_t>) {
+              return std::make_unique<StreamInfoUpstreamSslConnectionInfoFormatterProvider>(
+                  [](const Ssl::ConnectionInfo& connection_info) {
+                    return absl::StrJoin(connection_info.uriSanLocalCertificate(), ",");
+                  });
+            }}},
+          {"UPSTREAM_LOCAL_DNS_SAN",
+           {CommandSyntaxChecker::COMMAND_ONLY,
+            [](const std::string&, absl::optional<size_t>) {
+              return std::make_unique<StreamInfoUpstreamSslConnectionInfoFormatterProvider>(
+                  [](const Ssl::ConnectionInfo& connection_info) {
+                    return absl::StrJoin(connection_info.dnsSansLocalCertificate(), ",");
+                  });
+            }}},
+          {"UPSTREAM_LOCAL_IP_SAN",
+           {CommandSyntaxChecker::COMMAND_ONLY,
+            [](const std::string&, absl::optional<size_t>) {
+              return std::make_unique<StreamInfoUpstreamSslConnectionInfoFormatterProvider>(
+                  [](const Ssl::ConnectionInfo& connection_info) {
+                    return absl::StrJoin(connection_info.ipSansLocalCertificate(), ",");
+                  });
+            }}},
           {"DOWNSTREAM_PEER_URI_SAN",
            {CommandSyntaxChecker::COMMAND_ONLY,
             [](const std::string&, absl::optional<size_t>) {

source/common/grpc/async_client_impl.cc

@@ -21,9 +21,11 @@ AsyncClientImpl::AsyncClientImpl(Upstream::ClusterManager& cm,
           PROTOBUF_GET_WRAPPED_OR_DEFAULT(config.envoy_grpc(), max_receive_message_length, 0)),
       cm_(cm), remote_cluster_name_(config.envoy_grpc().cluster_name()),
       host_name_(config.envoy_grpc().authority()), time_source_(time_source),
-      metadata_parser_(Router::HeaderParser::configure(
-          config.initial_metadata(),
-          envoy::config::core::v3::HeaderValueOption::OVERWRITE_IF_EXISTS_OR_ADD)),
+      metadata_parser_(THROW_OR_RETURN_VALUE(
+          Router::HeaderParser::configure(
+              config.initial_metadata(),
+              envoy::config::core::v3::HeaderValueOption::OVERWRITE_IF_EXISTS_OR_ADD),
+          Router::HeaderParserPtr)),
       retry_policy_(
           config.has_retry_policy()
               ? absl::optional<envoy::config::route::v3::