From c41a2b9e4e0c1c560e868023a7377f84729772e3 Mon Sep 17 00:00:00 2001 From: alyssawilk Date: Tue, 22 Oct 2024 17:53:19 -0400 Subject: [PATCH 01/11] runtime: removing dns_reresolve_on_eai_again (#36656) Risk Level: low Testing: n/a Docs Changes: n/a Release Notes: inline Fixes https://github.com/envoyproxy/envoy/issues/36600 Also changelog fix up from https://github.com/envoyproxy/envoy/pull/36645 Signed-off-by: Alyssa Wilk --- changelogs/current.yaml | 3 +++ source/common/runtime/runtime_features.cc | 1 - .../network/dns_resolver/getaddrinfo/getaddrinfo.cc | 6 ++---- 3 files changed, 5 insertions(+), 5 deletions(-) diff --git a/changelogs/current.yaml b/changelogs/current.yaml index f328aa411843..1c5a929cd61d 100644 --- a/changelogs/current.yaml +++ b/changelogs/current.yaml @@ -33,6 +33,9 @@ removed_config_or_runtime: - area: http change: | Removed runtime flag ``envoy.reloadable_features.http_route_connect_proxy_by_default`` and legacy code paths. +- area: dns + change: | + Removed runtime flag ``envoy.reloadable_features.dns_reresolve_on_eai_again`` and legacy code paths. - area: upstream change: | Removed runtime flag ``envoy.restart_features.allow_client_socket_creation_failure`` and legacy code paths. diff --git a/source/common/runtime/runtime_features.cc b/source/common/runtime/runtime_features.cc index 4036c8f0ca86..c0c4eb099af6 100644 --- a/source/common/runtime/runtime_features.cc +++ b/source/common/runtime/runtime_features.cc 
@@ -39,7 +39,6 @@ RUNTIME_GUARD(envoy_reloadable_features_defer_processing_backedup_streams); RUNTIME_GUARD(envoy_reloadable_features_disallow_quic_client_udp_mmsg); RUNTIME_GUARD(envoy_reloadable_features_dns_details); RUNTIME_GUARD(envoy_reloadable_features_dns_nodata_noname_is_success); -RUNTIME_GUARD(envoy_reloadable_features_dns_reresolve_on_eai_again); RUNTIME_GUARD(envoy_reloadable_features_edf_lb_host_scheduler_init_fix); RUNTIME_GUARD(envoy_reloadable_features_edf_lb_locality_scheduler_init_fix); RUNTIME_GUARD(envoy_reloadable_features_enable_compression_bomb_protection); diff --git a/source/extensions/network/dns_resolver/getaddrinfo/getaddrinfo.cc b/source/extensions/network/dns_resolver/getaddrinfo/getaddrinfo.cc index 6412bc36e2bc..1988eb88e32c 100644 --- a/source/extensions/network/dns_resolver/getaddrinfo/getaddrinfo.cc +++ b/source/extensions/network/dns_resolver/getaddrinfo/getaddrinfo.cc @@ -124,8 +124,6 @@ void GetAddrInfoDnsResolver::resolveThreadRoutine() { while (true) { std::unique_ptr next_query; absl::optional num_retries; - const bool reresolve = - Runtime::runtimeFeatureEnabled("envoy.reloadable_features.dns_reresolve_on_eai_again"); const bool treat_nodata_noname_as_success = Runtime::runtimeFeatureEnabled("envoy.reloadable_features.dns_nodata_noname_is_success"); { @@ -142,7 +140,7 @@ void GetAddrInfoDnsResolver::resolveThreadRoutine() { next_query = std::move(pending_query_info.pending_query_); num_retries = pending_query_info.num_retries_; pending_queries_.pop_front(); - if (reresolve && next_query->isCancelled()) { + if (next_query->isCancelled()) { continue; } } 
@@ -169,7 +167,7 @@ void GetAddrInfoDnsResolver::resolveThreadRoutine() { if (rc.return_value_ == 0) { next_query->addTrace(static_cast(GetAddrInfoTrace::Success)); response = processResponse(*next_query, addrinfo_wrapper.get()); - } else if (reresolve && rc.return_value_ == EAI_AGAIN) { + } else if (rc.return_value_ == EAI_AGAIN) { if (num_retries.has_value()) { (*num_retries)--; } From 27083e8f153a074f6a26428f84444ce213b3fbd0 Mon Sep 17 00:00:00 2001 From: Steven Jin Date: Tue, 22 Oct 2024 17:57:46 -0400 Subject: [PATCH 02/11] Allow empty resolver list for cares dns (#36735) For https://github.com/istio/istio/issues/53577 I'm trying to configure DNS resolvers (specifically `CaresDnsResolverConfig.udp_max_queries`) while using the default system resolvers. Right now, I need to add one resolver, otherwise I get a proto validation error. Commit Message: Allow empty resolver list for cares dns Additional Description: Risk Level: low Testing: Docs Changes: Release Notes: Platform Specific Features: [Optional Runtime guard:] [Optional Fixes #Issue] [Optional Fixes commit #PR or SHA] [Optional Deprecated:] [Optional [API Considerations](https://github.com/envoyproxy/envoy/blob/main/api/review_checklist.md):] Signed-off-by: Steven Jin Xuan --- .../network/dns_resolver/cares/v3/cares_dns_resolver.proto | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/api/envoy/extensions/network/dns_resolver/cares/v3/cares_dns_resolver.proto b/api/envoy/extensions/network/dns_resolver/cares/v3/cares_dns_resolver.proto index 8e9c114a84e1..c3a8d35a5710 100644 --- a/api/envoy/extensions/network/dns_resolver/cares/v3/cares_dns_resolver.proto +++ b/api/envoy/extensions/network/dns_resolver/cares/v3/cares_dns_resolver.proto 
@@ -8,7 +8,6 @@ import "envoy/config/core/v3/resolver.proto"; import "google/protobuf/wrappers.proto"; import "udpa/annotations/status.proto"; -import "validate/validate.proto"; option java_package = "io.envoyproxy.envoy.extensions.network.dns_resolver.cares.v3"; option java_outer_classname = "CaresDnsResolverProto"; @@ -26,7 +25,7 @@ message CaresDnsResolverConfig { // :ref:`use_resolvers_as_fallback` // below dictates if the DNS client should override system defaults or only use the provided // resolvers if the system defaults are not available, i.e., as a fallback. - repeated config.core.v3.Address resolvers = 1 [(validate.rules).repeated = {min_items: 1}]; + repeated config.core.v3.Address resolvers = 1; // If true use the resolvers listed in the // :ref:`resolvers` From 3ae54ec49d97e66334d3c0eea31bec3ffde3d931 Mon Sep 17 00:00:00 2001 From: Nigel Brittain <108375408+nbaws@users.noreply.github.com> Date: Wed, 23 Oct 2024 09:05:45 +1100 Subject: [PATCH 03/11] aws: async bugfix for multiple credential handlers in upstream mode (#36707) Commit Message: aws: async bugfix for multiple credential handlers in upstream mode Additional Description: Ensures credential handlers are instantiated as singletons, to both reduce load on IMDS and container agent, but to also fix a bug encountered when multiple signer extensions (or their friends) are instantiated in upstream mode. This was reported by Animal Logic. Risk Level: Low Testing: Unit Docs Changes: N/A Release Notes: N/A Platform Specific Features: [Optional Runtime guard:] [Optional Fixes #Issue] [Optional Fixes commit #PR or SHA] [Optional Deprecated:] [Optional [API Considerations](https://github.com/envoyproxy/envoy/blob/main/api/review_checklist.md):] --------- 
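Review bot: The comment above `resolvers` does not say what an empty list means, which matters now that the `min_items: 1` rule is removed and proto validation accepts that case. The commit description implies an empty list leaves the system resolvers in use; if that is the intended behaviour it should be stated on the field, e.g. `// If empty, the system default resolvers are used.`, together with how `use_resolvers_as_fallback` behaves in that case. No config test covering the empty list is visible in this patch. The message body continues outside the hunk.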
Signed-off-by: Nigel Brittain --- .../common/aws/credentials_provider_impl.cc | 103 ++++++-- .../common/aws/credentials_provider_impl.h | 31 +-- .../filters/http/aws_lambda/config.cc | 2 +- .../http/aws_request_signing/config.cc | 5 +- .../grpc_credentials/aws_iam/config.cc | 5 +- .../aws/credentials_provider_impl_test.cc | 67 ++--- .../aws_request_signing_integration_test.cc | 242 ++++++++++++++---- 7 files changed, 330 insertions(+), 125 deletions(-) diff --git a/source/extensions/common/aws/credentials_provider_impl.cc b/source/extensions/common/aws/credentials_provider_impl.cc index d80097fd8dba..c60694755a98 100644 --- a/source/extensions/common/aws/credentials_provider_impl.cc +++ b/source/extensions/common/aws/credentials_provider_impl.cc @@ -99,7 +99,8 @@ void CachedCredentialsProviderBase::refreshIfNeeded() { } // Logic for async metadata refresh is as follows: -// Per subclass (instance profile, container credentials, web identity) +// Once server has initialized (init target) and per inherited class (instance profile, container +// credentials, web identity) // 1. Create a single cluster for async handling // 2. Create tls slot to hold cluster name and a refresh timer pointer. tls slot instantiation of // ThreadLocalCredentialsCache will register the subclass as a callback handler 
@@ -111,14 +112,14 @@ void CachedCredentialsProviderBase::refreshIfNeeded() { // 5. Initial credential refresh occurs in main thread and continues in main thread periodically // refreshing based on expiration time // -// The logic above occurs after init has completed, by using an init target -// TODO(suniltheta): The field context is of type ServerFactoryContextOptRef so that an -// optional empty value can be set. Especially in aws iam plugin the cluster manager +// TODO(suniltheta): The field context is of type ServerFactoryContextOptRef so +// that an optional empty value can be set. Especially in aws iam plugin the cluster manager // obtained from server factory context object is not fully initialized due to the // reasons explained in https://github.com/envoyproxy/envoy/issues/27586 which cannot // utilize http async client here to fetch AWS credentials. For time being if context // is empty then will use libcurl to fetch the credentials. + MetadataCredentialsProviderBase::MetadataCredentialsProviderBase( Api::Api& api, ServerFactoryContextOptRef context, const CurlMetadataFetcher& fetch_metadata_using_curl, @@ -132,10 +133,9 @@ MetadataCredentialsProviderBase::MetadataCredentialsProviderBase( cache_duration_(getCacheDuration()), refresh_state_(refresh_state), initialization_timer_(initialization_timer), debug_name_(cluster_name) { // Async provider cluster setup - if (context_ && useHttpAsyncClient()) { - + if (useHttpAsyncClient() && context_) { // Set up metadata credentials statistics - scope_ = context_->api().rootScope().createScope( + scope_ = api.rootScope().createScope( fmt::format("aws.metadata_credentials_provider.{}.", cluster_name_)); stats_ = std::make_shared(MetadataCredentialsProviderStats{ ALL_METADATACREDENTIALSPROVIDER_STATS(POOL_COUNTER(*scope_), POOL_GAUGE(*scope_))}); 
@@ -165,6 +165,7 @@ MetadataCredentialsProviderBase::ThreadLocalCredentialsCache::~ThreadLocalCreden } void MetadataCredentialsProviderBase::createCluster(bool new_timer) { + auto cluster = Utility::createInternalClusterStatic(cluster_name_, cluster_type_, uri_); // Async credential refresh timer. Only create this if it is the first time we're creating a // cluster @@ -190,11 +191,7 @@ void MetadataCredentialsProviderBase::createCluster(bool new_timer) { cluster_type_str, cluster_name_, host_port); } - // TODO(suniltheta): use random number generator here for cluster version. - // While adding multiple clusters make sure that change in random version number across - // multiple clusters won't make Envoy delete/replace previously registered internal - // cluster. - context_->clusterManager().addOrUpdateCluster(cluster, "12345"); + context_->clusterManager().addOrUpdateCluster(cluster, ""); } // A thread local callback that occurs on every worker thread during cluster initialization. @@ -562,12 +559,10 @@ void InstanceProfileCredentialsProvider::extractCredentials( setCredentialsToAllThreads( std::make_unique(access_key_id, secret_access_key, session_token)); stats_->credential_refreshes_succeeded_.inc(); - if (refresh_state_ == MetadataFetcher::MetadataReceiver::RefreshState::FirstRefresh) { - ENVOY_LOG(debug, "Metadata receiver moving to Ready state"); - refresh_state_ = MetadataFetcher::MetadataReceiver::RefreshState::Ready; - // Set receiver state in statistics - stats_->metadata_refresh_state_.set(uint64_t(refresh_state_)); - } + ENVOY_LOG(debug, "Metadata receiver moving to Ready state"); + refresh_state_ = MetadataFetcher::MetadataReceiver::RefreshState::Ready; + // Set receiver state in statistics + stats_->metadata_refresh_state_.set(uint64_t(refresh_state_)); } else { cached_credentials_ = Credentials(access_key_id, secret_access_key, session_token); } 
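Review bot: In `InstanceProfileCredentialsProvider::extractCredentials` the `Metadata receiver moving to Ready state` debug line and the `metadata_refresh_state_` gauge write now run on every successful refresh, not only on the transition out of `FirstRefresh`. Repeating the state assignment is harmless, but the log line then reports a transition that did not happen; either keep the log behind `if (refresh_state_ != MetadataFetcher::MetadataReceiver::RefreshState::Ready)` or reword it. Whether the container and web identity providers received the same change is not visible in this chunk, so the three may now behave differently. The function body starts and ends outside the hunk.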
@@ -936,14 +931,27 @@ std::string sessionName(Api::Api& api) { return actual_session_name; } +// Edge case handling for cluster naming. +// +// Region is appended to the cluster name, to differentiate between multiple web identity +// credential providers configured with different regions. +// +// UUID is also appended, to differentiate two identically configured web identity credential +// providers, as we cannot make these singletons +// +// TODO: @nbaws: Modify cluster creation logic for web identity credential providers +// to allow these also to be created as singletons + std::string stsClusterName(absl::string_view region) { return absl::StrCat(STS_TOKEN_CLUSTER, "-", region); } DefaultCredentialsProviderChain::DefaultCredentialsProviderChain( - Api::Api& api, ServerFactoryContextOptRef context, absl::string_view region, + Api::Api& api, ServerFactoryContextOptRef context, Singleton::Manager& singleton_manager, + absl::string_view region, const MetadataCredentialsProviderBase::CurlMetadataFetcher& fetch_metadata_using_curl, const CredentialsProviderChainFactories& factories) { + ENVOY_LOG(debug, "Using environment credentials provider"); add(factories.createEnvironmentCredentialsProvider()); @@ -963,7 +971,9 @@ DefaultCredentialsProviderChain::DefaultCredentialsProviderChain( if (!web_token_path.empty() && !role_arn.empty()) { const auto session_name = sessionName(api); const auto sts_endpoint = Utility::getSTSEndpoint(region) + ":443"; - const auto cluster_name = stsClusterName(region); + const auto region_uuid = absl::StrCat(region, "_", context->api().randomGenerator().uuid()); + + const auto cluster_name = stsClusterName(region_uuid); ENVOY_LOG( debug, 
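Review bot: The new comment block above `stsClusterName` says a UUID is appended to the cluster name, but the function still only concatenates `STS_TOKEN_CLUSTER`, `-` and its argument; the UUID is added by the callers before they call it. The parameter is also still named `region` although callers now pass `region_uuid`. I would either move the UUID generation into the helper or reword the comment to something like `// Callers pass "<region>_<uuid>" so identically configured providers get distinct clusters.` and rename the parameter. `TODO: @nbaws:` should use the `TODO(name):` form this file already uses for `TODO(suniltheta)`.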
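Review bot: `context->api().randomGenerator().uuid()` dereferences `context`, which is a `ServerFactoryContextOptRef` and is passed as `absl::nullopt` by the aws_iam gRPC credentials factory later in this patch. If `AWS_WEB_IDENTITY_TOKEN_FILE` and `AWS_ROLE_ARN` are set in that process, this line dereferences an empty optional, unless a guard outside the hunk rules it out. The constructor already receives `Api::Api& api`, so `absl::StrCat(region, "_", api.randomGenerator().uuid())` removes the dependency on `context`, the same way this patch switched `context_->api().rootScope()` to `api.rootScope()`. The constructor body continues outside the hunk.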
@@ -987,7 +997,7 @@ DefaultCredentialsProviderChain::DefaultCredentialsProviderChain( const auto uri = absl::StrCat(CONTAINER_METADATA_HOST, relative_uri); ENVOY_LOG(debug, "Using container role credentials provider with URI: {}", uri); add(factories.createContainerCredentialsProvider( - api, context, fetch_metadata_using_curl, MetadataFetcher::create, + api, context, singleton_manager, fetch_metadata_using_curl, MetadataFetcher::create, CONTAINER_METADATA_CLUSTER, uri, refresh_state, initialization_timer)); } else if (!full_uri.empty()) { auto authorization_token = 
@@ -998,23 +1008,63 @@ DefaultCredentialsProviderChain::DefaultCredentialsProviderChain( "{} and authorization token", full_uri); add(factories.createContainerCredentialsProvider( - api, context, fetch_metadata_using_curl, MetadataFetcher::create, + api, context, singleton_manager, fetch_metadata_using_curl, MetadataFetcher::create, CONTAINER_METADATA_CLUSTER, full_uri, refresh_state, initialization_timer, authorization_token)); } else { ENVOY_LOG(debug, "Using container role credentials provider with URI: {}", full_uri); add(factories.createContainerCredentialsProvider( - api, context, fetch_metadata_using_curl, MetadataFetcher::create, + api, context, singleton_manager, fetch_metadata_using_curl, MetadataFetcher::create, CONTAINER_METADATA_CLUSTER, full_uri, refresh_state, initialization_timer)); } } else if (metadata_disabled != TRUE) { ENVOY_LOG(debug, "Using instance profile credentials provider"); add(factories.createInstanceProfileCredentialsProvider( - api, context, fetch_metadata_using_curl, MetadataFetcher::create, refresh_state, - initialization_timer, EC2_METADATA_CLUSTER)); + api, context, singleton_manager, fetch_metadata_using_curl, MetadataFetcher::create, + refresh_state, initialization_timer, EC2_METADATA_CLUSTER)); } } +// Container credentials and instance profile credentials are both singletons, as they exist only +// once on the underlying host and can be shared across all invocations of request signing consumer +// extensions +SINGLETON_MANAGER_REGISTRATION(container_credentials_provider); +SINGLETON_MANAGER_REGISTRATION(instance_profile_credentials_provider); + +CredentialsProviderSharedPtr DefaultCredentialsProviderChain::createContainerCredentialsProvider( + Api::Api& api, ServerFactoryContextOptRef context, Singleton::Manager& singleton_manager, + const MetadataCredentialsProviderBase::CurlMetadataFetcher& fetch_metadata_using_curl, + CreateMetadataFetcherCb create_metadata_fetcher_cb, absl::string_view cluster_name, + absl::string_view 
credential_uri, MetadataFetcher::MetadataReceiver::RefreshState refresh_state, + std::chrono::seconds initialization_timer, absl::string_view authorization_token = {}) const { + + return singleton_manager.getTyped( + SINGLETON_MANAGER_REGISTERED_NAME(container_credentials_provider), + [&context, fetch_metadata_using_curl, create_metadata_fetcher_cb, credential_uri, + refresh_state, initialization_timer, authorization_token, cluster_name, &api] { + return std::make_shared( + api, context, fetch_metadata_using_curl, create_metadata_fetcher_cb, credential_uri, + refresh_state, initialization_timer, authorization_token, cluster_name); + }); +} + +CredentialsProviderSharedPtr +DefaultCredentialsProviderChain::createInstanceProfileCredentialsProvider( + Api::Api& api, ServerFactoryContextOptRef context, Singleton::Manager& singleton_manager, + const MetadataCredentialsProviderBase::CurlMetadataFetcher& fetch_metadata_using_curl, + CreateMetadataFetcherCb create_metadata_fetcher_cb, + MetadataFetcher::MetadataReceiver::RefreshState refresh_state, + std::chrono::seconds initialization_timer, absl::string_view cluster_name) const { + return singleton_manager.getTyped( + SINGLETON_MANAGER_REGISTERED_NAME(instance_profile_credentials_provider), + [&context, fetch_metadata_using_curl, create_metadata_fetcher_cb, refresh_state, + initialization_timer, cluster_name, &api] { + return std::make_shared( + api, context, fetch_metadata_using_curl, create_metadata_fetcher_cb, refresh_state, + initialization_timer, cluster_name); + }); +} + absl::StatusOr createCredentialsProviderFromConfig( Server::Configuration::ServerFactoryContext& context, absl::string_view region, const envoy::extensions::common::aws::v3::AwsCredentialProvider& config) { 
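Review bot: `createContainerCredentialsProvider` and `createInstanceProfileCredentialsProvider` key the singleton only by its registered name, so the first caller's arguments decide how the shared provider is built. Every later caller gets that instance regardless of the `context`, `credential_uri`, `authorization_token`, `cluster_name` and `refresh_state` it passed (assuming `getTyped` runs the callback only when no instance exists). That matters in this patch because the aws_iam gRPC factory passes an empty `context` while the HTTP filters pass a real one, so whether the shared provider uses the async client or libcurl depends on construction order. Please state this on both functions, e.g. `// Arguments are only used when the singleton is first created; later calls return the existing provider.`, or do not share the instance when `context` is empty. The `[&context, ..., &api]` captures also rely on the callback being invoked before the function returns, which deserves a short comment.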
@@ -1029,7 +1079,8 @@ absl::StatusOr createCredentialsProviderFromConfig const std::string& role_arn = web_identity.role_arn(); const std::string& token = web_identity.web_identity_token(); const std::string sts_endpoint = Utility::getSTSEndpoint(region) + ":443"; - const std::string cluster_name = stsClusterName(region); + const auto region_uuid = absl::StrCat(region, "_", context.api().randomGenerator().uuid()); + const std::string cluster_name = stsClusterName(region_uuid); const std::string role_session_name = sessionName(context.api()); const auto refresh_state = MetadataFetcher::MetadataReceiver::RefreshState::FirstRefresh; // This "two seconds" is a bit arbitrary, but matches the other places in the codebase. diff --git a/source/extensions/common/aws/credentials_provider_impl.h b/source/extensions/common/aws/credentials_provider_impl.h index d3cf8f5ce8b9..5d5c38de449d 100644 --- a/source/extensions/common/aws/credentials_provider_impl.h +++ b/source/extensions/common/aws/credentials_provider_impl.h @@ -252,6 +252,7 @@ class MetadataCredentialsProviderBase : public CachedCredentialsProviderBase { * https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-roles-for-amazon-ec2.html#instance-metadata-security-credentials */ class InstanceProfileCredentialsProvider : public MetadataCredentialsProviderBase, + public Envoy::Singleton::Instance, public MetadataFetcher::MetadataReceiver { public: InstanceProfileCredentialsProvider(Api::Api& api, ServerFactoryContextOptRef context, @@ -290,6 +291,7 @@ class InstanceProfileCredentialsProvider : public MetadataCredentialsProviderBas * https://docs.aws.amazon.com/AmazonECS/latest/developerguide/task-iam-roles.html#enable_task_iam_roles */ class ContainerCredentialsProvider : public MetadataCredentialsProviderBase, + public Envoy::Singleton::Instance, public MetadataFetcher::MetadataReceiver { public: ContainerCredentialsProvider(Api::Api& api, ServerFactoryContextOptRef context, 
@@ -391,7 +393,7 @@ class CredentialsProviderChainFactories { std::chrono::seconds initialization_timer) const PURE; virtual CredentialsProviderSharedPtr createContainerCredentialsProvider( - Api::Api& api, ServerFactoryContextOptRef context, + Api::Api& api, ServerFactoryContextOptRef context, Singleton::Manager& singleton_manager, const MetadataCredentialsProviderBase::CurlMetadataFetcher& fetch_metadata_using_curl, CreateMetadataFetcherCb create_metadata_fetcher_cb, absl::string_view cluster_name, absl::string_view credential_uri, @@ -400,7 +402,7 @@ class CredentialsProviderChainFactories { absl::string_view authorization_token = {}) const PURE; virtual CredentialsProviderSharedPtr createInstanceProfileCredentialsProvider( - Api::Api& api, ServerFactoryContextOptRef context, + Api::Api& api, ServerFactoryContextOptRef context, Singleton::Manager& singleton_manager, const MetadataCredentialsProviderBase::CurlMetadataFetcher& fetch_metadata_using_curl, CreateMetadataFetcherCb create_metadata_fetcher_cb, MetadataFetcher::MetadataReceiver::RefreshState refresh_state, 
@@ -417,12 +419,15 @@ class DefaultCredentialsProviderChain : public CredentialsProviderChain, public CredentialsProviderChainFactories { public: DefaultCredentialsProviderChain( - Api::Api& api, ServerFactoryContextOptRef context, absl::string_view region, + Api::Api& api, ServerFactoryContextOptRef context, Singleton::Manager& singleton_manager, + absl::string_view region, const MetadataCredentialsProviderBase::CurlMetadataFetcher& fetch_metadata_using_curl) - : DefaultCredentialsProviderChain(api, context, region, fetch_metadata_using_curl, *this) {} + : DefaultCredentialsProviderChain(api, context, singleton_manager, region, + fetch_metadata_using_curl, *this) {} DefaultCredentialsProviderChain( - Api::Api& api, ServerFactoryContextOptRef context, absl::string_view region, + Api::Api& api, ServerFactoryContextOptRef context, Singleton::Manager& singleton_manager, + absl::string_view region, const MetadataCredentialsProviderBase::CurlMetadataFetcher& fetch_metadata_using_curl, const CredentialsProviderChainFactories& factories); 
@@ -437,28 +442,20 @@ class DefaultCredentialsProviderChain : public CredentialsProviderChain, } CredentialsProviderSharedPtr createContainerCredentialsProvider( - Api::Api& api, ServerFactoryContextOptRef context, + Api::Api& api, ServerFactoryContextOptRef context, Singleton::Manager& singleton_manager, const MetadataCredentialsProviderBase::CurlMetadataFetcher& fetch_metadata_using_curl, CreateMetadataFetcherCb create_metadata_fetcher_cb, absl::string_view cluster_name, absl::string_view credential_uri, MetadataFetcher::MetadataReceiver::RefreshState refresh_state, std::chrono::seconds initialization_timer, - absl::string_view authorization_token = {}) const override { - return std::make_shared( - api, context, fetch_metadata_using_curl, create_metadata_fetcher_cb, credential_uri, - refresh_state, initialization_timer, authorization_token, cluster_name); - } + absl::string_view authorization_token) const override; CredentialsProviderSharedPtr createInstanceProfileCredentialsProvider( - Api::Api& api, ServerFactoryContextOptRef context, + Api::Api& api, ServerFactoryContextOptRef context, Singleton::Manager& singleton_manager, const MetadataCredentialsProviderBase::CurlMetadataFetcher& fetch_metadata_using_curl, CreateMetadataFetcherCb create_metadata_fetcher_cb, MetadataFetcher::MetadataReceiver::RefreshState refresh_state, - std::chrono::seconds initialization_timer, absl::string_view cluster_name) const override { - return std::make_shared( - api, context, fetch_metadata_using_curl, create_metadata_fetcher_cb, refresh_state, - initialization_timer, cluster_name); - } + std::chrono::seconds initialization_timer, absl::string_view cluster_name) const override; CredentialsProviderSharedPtr createWebIdentityCredentialsProvider( Api::Api& api, ServerFactoryContextOptRef context, diff --git a/source/extensions/filters/http/aws_lambda/config.cc b/source/extensions/filters/http/aws_lambda/config.cc index 3a3cb33c33c2..36d8bcb1c09b 100644 
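Review bot: The override of `createContainerCredentialsProvider` drops `= {}` from `authorization_token` here, while the out-of-line definition in credentials_provider_impl.cc adds `absl::string_view authorization_token = {}` back. Default arguments on virtual functions are taken from the static type at the call site, so a default that appears only on the definition applies just to calls made through `DefaultCredentialsProviderChain` after that definition in that one file. I would remove it from the definition (`absl::string_view authorization_token) const {`) and rely on the default declared in `CredentialsProviderChainFactories`, or keep it on this declaration so the two agree.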
--- a/source/extensions/filters/http/aws_lambda/config.cc +++ b/source/extensions/filters/http/aws_lambda/config.cc @@ -59,7 +59,7 @@ AwsLambdaFilterFactory::getCredentialsProvider( server_context.api(), proto_config.credentials_profile()); } return std::make_shared( - server_context.api(), makeOptRef(server_context), region, + server_context.api(), makeOptRef(server_context), server_context.singletonManager(), region, Extensions::Common::Aws::Utility::fetchMetadata); } diff --git a/source/extensions/filters/http/aws_request_signing/config.cc b/source/extensions/filters/http/aws_request_signing/config.cc index 22e490b796d1..8aa7a57dd96e 100644 --- a/source/extensions/filters/http/aws_request_signing/config.cc +++ b/source/extensions/filters/http/aws_request_signing/config.cc @@ -66,7 +66,8 @@ AwsRequestSigningFilterFactory::createFilterFactoryFromProtoTyped( ? Extensions::Common::Aws::createCredentialsProviderFromConfig( server_context, region, config.credential_provider()) : std::make_shared( - server_context.api(), makeOptRef(server_context), region, + server_context.api(), makeOptRef(server_context), + server_context.singletonManager(), region, Extensions::Common::Aws::Utility::fetchMetadata); if (!credentials_provider.ok()) { return credentials_provider.status(); @@ -135,7 +136,7 @@ AwsRequestSigningFilterFactory::createRouteSpecificFilterConfigTyped( ? Extensions::Common::Aws::createCredentialsProviderFromConfig( context, region, per_route_config.aws_request_signing().credential_provider()) : std::make_shared( - context.api(), makeOptRef(context), region, + context.api(), makeOptRef(context), context.singletonManager(), region, Extensions::Common::Aws::Utility::fetchMetadata); if (!credentials_provider.ok()) { throw EnvoyException(std::string(credentials_provider.status().message())); diff --git a/source/extensions/grpc_credentials/aws_iam/config.cc b/source/extensions/grpc_credentials/aws_iam/config.cc index ae8feb7cf78a..bba33670f454 100644 
--- a/source/extensions/grpc_credentials/aws_iam/config.cc +++ b/source/extensions/grpc_credentials/aws_iam/config.cc @@ -66,9 +66,10 @@ std::shared_ptr AwsIamGrpcCredentialsFactory::getChann // libcurl to fetch the credentials. To fully get rid of curl, need to address the below // usage of AWS credentials common utils. Until then we are setting nullopt for server // factory context. + auto credentials_provider = std::make_shared( - context.api(), absl::nullopt /*Empty factory context*/, region, - Common::Aws::Utility::fetchMetadata); + context.api(), absl::nullopt /*Empty factory context*/, context.singletonManager(), + region, Common::Aws::Utility::fetchMetadata); auto signer = std::make_unique( config.service_name(), region, credentials_provider, context, // TODO: extend API to allow specifying header exclusion. ref: diff --git a/test/extensions/common/aws/credentials_provider_impl_test.cc b/test/extensions/common/aws/credentials_provider_impl_test.cc index 49d5cd1481fd..bb0b04e8ca3b 100644 --- a/test/extensions/common/aws/credentials_provider_impl_test.cc +++ b/test/extensions/common/aws/credentials_provider_impl_test.cc 
@@ -2486,14 +2486,14 @@ class DefaultCredentialsProviderChainTest : public testing::Test { MetadataFetcher::MetadataReceiver::RefreshState, std::chrono::seconds), (const)); MOCK_METHOD(CredentialsProviderSharedPtr, createContainerCredentialsProvider, - (Api::Api&, ServerFactoryContextOptRef, + (Api::Api&, ServerFactoryContextOptRef, Singleton::Manager&, const MetadataCredentialsProviderBase::CurlMetadataFetcher&, CreateMetadataFetcherCb, absl::string_view, absl::string_view, MetadataFetcher::MetadataReceiver::RefreshState, std::chrono::seconds, absl::string_view), (const)); MOCK_METHOD(CredentialsProviderSharedPtr, createInstanceProfileCredentialsProvider, - (Api::Api&, ServerFactoryContextOptRef, + (Api::Api&, ServerFactoryContextOptRef, Singleton::Manager&, const MetadataCredentialsProviderBase::CurlMetadataFetcher&, CreateMetadataFetcherCb, MetadataFetcher::MetadataReceiver::RefreshState, std::chrono::seconds, absl::string_view), 
@@ -2505,51 +2505,53 @@ class DefaultCredentialsProviderChainTest : public testing::Test { Api::ApiPtr api_; NiceMock cluster_manager_; NiceMock context_; - NiceMock factories_; }; TEST_F(DefaultCredentialsProviderChainTest, NoEnvironmentVars) { EXPECT_CALL(factories_, createCredentialsFileCredentialsProvider(Ref(*api_))); - EXPECT_CALL(factories_, createInstanceProfileCredentialsProvider(Ref(*api_), _, _, _, _, _, _)); + EXPECT_CALL(factories_, + createInstanceProfileCredentialsProvider(Ref(*api_), _, _, _, _, _, _, _)); - DefaultCredentialsProviderChain chain(*api_, context_, "region", DummyMetadataFetcher(), - factories_); + DefaultCredentialsProviderChain chain(*api_, context_, context_.singletonManager(), "region", + DummyMetadataFetcher(), factories_); } TEST_F(DefaultCredentialsProviderChainTest, MetadataDisabled) { TestEnvironment::setEnvVar("AWS_EC2_METADATA_DISABLED", "true", 1); EXPECT_CALL(factories_, createCredentialsFileCredentialsProvider(Ref(*api_))); - EXPECT_CALL(factories_, createInstanceProfileCredentialsProvider(Ref(*api_), _, _, _, _, _, _)) + EXPECT_CALL(factories_, createInstanceProfileCredentialsProvider(Ref(*api_), _, _, _, _, _, _, _)) .Times(0); - DefaultCredentialsProviderChain chain(*api_, context_, "region", DummyMetadataFetcher(), - factories_); + DefaultCredentialsProviderChain chain(*api_, context_, context_.singletonManager(), "region", + DummyMetadataFetcher(), factories_); } TEST_F(DefaultCredentialsProviderChainTest, MetadataNotDisabled) { TestEnvironment::setEnvVar("AWS_EC2_METADATA_DISABLED", "false", 1); EXPECT_CALL(factories_, createCredentialsFileCredentialsProvider(Ref(*api_))); - EXPECT_CALL(factories_, createInstanceProfileCredentialsProvider(Ref(*api_), _, _, _, _, _, _)); - DefaultCredentialsProviderChain chain(*api_, context_, "region", DummyMetadataFetcher(), - factories_); + EXPECT_CALL(factories_, + createInstanceProfileCredentialsProvider(Ref(*api_), _, _, _, _, _, _, _)); + DefaultCredentialsProviderChain 
chain(*api_, context_, context_.singletonManager(), "region", + DummyMetadataFetcher(), factories_); } TEST_F(DefaultCredentialsProviderChainTest, RelativeUri) { TestEnvironment::setEnvVar("AWS_CONTAINER_CREDENTIALS_RELATIVE_URI", "/path/to/creds", 1); EXPECT_CALL(factories_, createCredentialsFileCredentialsProvider(Ref(*api_))); - EXPECT_CALL(factories_, createContainerCredentialsProvider( - Ref(*api_), _, _, _, _, "169.254.170.2:80/path/to/creds", _, _, "")); - DefaultCredentialsProviderChain chain(*api_, context_, "region", DummyMetadataFetcher(), - factories_); + EXPECT_CALL(factories_, + createContainerCredentialsProvider(Ref(*api_), _, _, _, _, _, + "169.254.170.2:80/path/to/creds", _, _, "")); + DefaultCredentialsProviderChain chain(*api_, context_, context_.singletonManager(), "region", + DummyMetadataFetcher(), factories_); } TEST_F(DefaultCredentialsProviderChainTest, FullUriNoAuthorizationToken) { TestEnvironment::setEnvVar("AWS_CONTAINER_CREDENTIALS_FULL_URI", "http://host/path/to/creds", 1); EXPECT_CALL(factories_, createCredentialsFileCredentialsProvider(Ref(*api_))); EXPECT_CALL(factories_, createContainerCredentialsProvider( - Ref(*api_), _, _, _, _, "http://host/path/to/creds", _, _, "")); - DefaultCredentialsProviderChain chain(*api_, context_, "region", DummyMetadataFetcher(), - factories_); + Ref(*api_), _, _, _, _, _, "http://host/path/to/creds", _, _, "")); + DefaultCredentialsProviderChain chain(*api_, context_, context_.singletonManager(), "region", + DummyMetadataFetcher(), factories_); } TEST_F(DefaultCredentialsProviderChainTest, FullUriWithAuthorizationToken) { 
@@ -2557,18 +2559,19 @@ TEST_F(DefaultCredentialsProviderChainTest, FullUriWithAuthorizationToken) { TestEnvironment::setEnvVar("AWS_CONTAINER_AUTHORIZATION_TOKEN", "auth_token", 1); EXPECT_CALL(factories_, createCredentialsFileCredentialsProvider(Ref(*api_))); EXPECT_CALL(factories_, - createContainerCredentialsProvider(Ref(*api_), _, _, _, _, + createContainerCredentialsProvider(Ref(*api_), _, _, _, _, _, "http://host/path/to/creds", _, _, "auth_token")); - DefaultCredentialsProviderChain chain(*api_, context_, "region", DummyMetadataFetcher(), - factories_); + DefaultCredentialsProviderChain chain(*api_, context_, context_.singletonManager(), "region", + DummyMetadataFetcher(), factories_); } TEST_F(DefaultCredentialsProviderChainTest, NoWebIdentityRoleArn) { TestEnvironment::setEnvVar("AWS_WEB_IDENTITY_TOKEN_FILE", "/path/to/web_token", 1); EXPECT_CALL(factories_, createCredentialsFileCredentialsProvider(Ref(*api_))); - EXPECT_CALL(factories_, createInstanceProfileCredentialsProvider(Ref(*api_), _, _, _, _, _, _)); - DefaultCredentialsProviderChain chain(*api_, context_, "region", DummyMetadataFetcher(), - factories_); + EXPECT_CALL(factories_, + createInstanceProfileCredentialsProvider(Ref(*api_), _, _, _, _, _, _, _)); + DefaultCredentialsProviderChain chain(*api_, context_, context_.singletonManager(), "region", + DummyMetadataFetcher(), factories_); } TEST_F(DefaultCredentialsProviderChainTest, NoWebIdentitySessionName) { 
@@ -2580,10 +2583,11 @@ TEST_F(DefaultCredentialsProviderChainTest, NoWebIdentitySessionName) { createWebIdentityCredentialsProvider( Ref(*api_), _, _, _, _, "/path/to/web_token", _, "sts.region.amazonaws.com:443", "aws:iam::123456789012:role/arn", "1234567890000000", _, _)); - EXPECT_CALL(factories_, createInstanceProfileCredentialsProvider(Ref(*api_), _, _, _, _, _, _)); + EXPECT_CALL(factories_, + createInstanceProfileCredentialsProvider(Ref(*api_), _, _, _, _, _, _, _)); - DefaultCredentialsProviderChain chain(*api_, context_, "region", DummyMetadataFetcher(), - factories_); + DefaultCredentialsProviderChain chain(*api_, context_, context_.singletonManager(), "region", + DummyMetadataFetcher(), factories_); } TEST_F(DefaultCredentialsProviderChainTest, WebIdentityWithSessionName) { @@ -2591,13 +2595,14 @@ TEST_F(DefaultCredentialsProviderChainTest, WebIdentityWithSessionName) { TestEnvironment::setEnvVar("AWS_ROLE_ARN", "aws:iam::123456789012:role/arn", 1); TestEnvironment::setEnvVar("AWS_ROLE_SESSION_NAME", "role-session-name", 1); EXPECT_CALL(factories_, createCredentialsFileCredentialsProvider(Ref(*api_))); - EXPECT_CALL(factories_, createInstanceProfileCredentialsProvider(Ref(*api_), _, _, _, _, _, _)); + EXPECT_CALL(factories_, + createInstanceProfileCredentialsProvider(Ref(*api_), _, _, _, _, _, _, _)); EXPECT_CALL(factories_, createWebIdentityCredentialsProvider( Ref(*api_), _, _, _, _, "/path/to/web_token", _, "sts.region.amazonaws.com:443", "aws:iam::123456789012:role/arn", "role-session-name", _, _)); - DefaultCredentialsProviderChain chain(*api_, context_, "region", DummyMetadataFetcher(), - factories_); + DefaultCredentialsProviderChain chain(*api_, context_, context_.singletonManager(), "region", + DummyMetadataFetcher(), factories_); } TEST(CredentialsProviderChainTest, getCredentials_noCredentials) { 
diff --git a/test/extensions/filters/http/aws_request_signing/aws_request_signing_integration_test.cc b/test/extensions/filters/http/aws_request_signing/aws_request_signing_integration_test.cc index ab25ca80d041..2485df00e2b3 100644 --- a/test/extensions/filters/http/aws_request_signing/aws_request_signing_integration_test.cc +++ b/test/extensions/filters/http/aws_request_signing/aws_request_signing_integration_test.cc @@ -5,6 +5,7 @@ #include "source/common/upstream/cluster_factory_impl.h" #include "source/extensions/clusters/logical_dns/logical_dns_cluster.h" +#include "test/common/upstream/utility.h" #include "test/extensions/common/aws/mocks.h" #include "test/integration/http_integration.h" #include "test/test_common/registry.h" 
@@ -283,16 +284,17 @@ class InitializeFilterTest : public ::testing::Test, public HttpIntegrationTest }); } - void addUpstreamProtocolOptions() { - config_helper_.addConfigModifier([&](envoy::config::bootstrap::v3::Bootstrap& bootstrap) { - auto* cluster = bootstrap.mutable_static_resources()->mutable_clusters(0); - - ConfigHelper::HttpProtocolOptions protocol_options; - protocol_options.mutable_upstream_http_protocol_options()->set_auto_sni(true); - protocol_options.mutable_upstream_http_protocol_options()->set_auto_san_validation(true); - protocol_options.mutable_explicit_http_config()->mutable_http_protocol_options(); - ConfigHelper::setProtocolOptions(*cluster, protocol_options); - }); + void addUpstreamProtocolOptions(int index = 0) { + config_helper_.addConfigModifier( + [&, index](envoy::config::bootstrap::v3::Bootstrap& bootstrap) { + auto* cluster = bootstrap.mutable_static_resources()->mutable_clusters(index); + + ConfigHelper::HttpProtocolOptions protocol_options; + protocol_options.mutable_upstream_http_protocol_options()->set_auto_sni(true); + protocol_options.mutable_upstream_http_protocol_options()->set_auto_san_validation(true); + protocol_options.mutable_explicit_http_config()->mutable_http_protocol_options(); + ConfigHelper::setProtocolOptions(*cluster, protocol_options); + }); } ~InitializeFilterTest() override { 
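Review bot: The new `index` parameter of addUpstreamProtocolOptions goes straight into `mutable_clusters(index)` with no range check, so a call made for a cluster that has not been added yet would index past the static cluster list inside the config modifier. A guard at the top of the lambda, `ASSERT_LT(index, bootstrap.static_resources().clusters_size());`, would fail the test at the cause. The capture list can also be narrowed from `[&, index]` to `[index]`, since the body uses only `index`, the `bootstrap` argument and static ConfigHelper calls. The enclosing class starts and ends outside this hunk.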
@@ -321,9 +323,20 @@ TEST_F(InitializeFilterTest, TestWithOneClusterStandard) { addStandardFilter(); initialize(); - test_server_->waitForCounterGe("aws.metadata_credentials_provider.sts_token_service_internal-ap-" - "southeast-2.credential_refreshes_performed", - 1, std::chrono::seconds(10)); + std::string uuid; + std::string prefix = "cluster.sts_token_service_internal-ap-southeast-2_"; + for (const auto& c : test_server_->counters()) { + if (absl::StartsWith(c->name(), prefix)) { + uuid = c->name().substr(prefix.size(), 36); + } + } + EXPECT_FALSE(uuid.empty()); + std::string sts_name = fmt::format("aws.metadata_credentials_provider.sts_token_" + "service_internal-ap-southeast-2_{}", + uuid); + + test_server_->waitForCounterGe(fmt::format("{}.credential_refreshes_performed", sts_name), 1, + std::chrono::seconds(10)); } TEST_F(InitializeFilterTest, TestWithOneClusterStandardUpstream) { 
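Review bot: The counter scan that recovers the cluster UUID records a miss only with `EXPECT_FALSE(uuid.empty())`, so when no counter starts with `cluster.sts_token_service_internal-ap-southeast-2_` the test carries on and waits ten seconds on a stat name ending in `_`. `ASSERT_FALSE(uuid.empty());` would stop at the real cause, and a `break;` after the assignment would make the first match the one used rather than the last. The same lines are repeated in the hunks at -338, -352, -367, -387, -406, -426, -442, -458, -475 and -574. A shared helper that takes the test server and returns the provider stat prefix would keep the prefix string and the UUID length 36 in one place.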
@@ -338,9 +351,50 @@ TEST_F(InitializeFilterTest, TestWithOneClusterStandardUpstream) { addStandardFilter(false); addUpstreamProtocolOptions(); initialize(); - test_server_->waitForCounterGe("aws.metadata_credentials_provider.sts_token_service_internal-ap-" - "southeast-2.credential_refreshes_performed", - 1, std::chrono::seconds(10)); + + std::string uuid; + std::string prefix = "cluster.sts_token_service_internal-ap-southeast-2_"; + for (const auto& c : test_server_->counters()) { + if (absl::StartsWith(c->name(), prefix)) { + uuid = c->name().substr(prefix.size(), 36); + } + } + EXPECT_FALSE(uuid.empty()); + std::string sts_name = fmt::format("aws.metadata_credentials_provider.sts_token_" + "service_internal-ap-southeast-2_{}", + uuid); + + test_server_->waitForCounterGe(fmt::format("{}.credential_refreshes_performed", sts_name), 1, + std::chrono::seconds(10)); +} + +TEST_F(InitializeFilterTest, TestWithTwoClustersUpstreamCheckForSingletonIMDS) { + + // Instance Profile Credentials only + dnsSetup(); + + config_helper_.addConfigModifier([&](envoy::config::bootstrap::v3::Bootstrap& bootstrap) { + *bootstrap.mutable_static_resources()->add_clusters() = + config_helper_.buildStaticCluster("cluster_1", 12345, "127.0.0.1"); + auto* cluster = bootstrap.mutable_static_resources()->mutable_clusters(0); + ConfigHelper::HttpProtocolOptions protocol_options; + protocol_options.mutable_upstream_http_protocol_options()->set_auto_sni(true); + protocol_options.mutable_upstream_http_protocol_options()->set_auto_san_validation(true); + protocol_options.mutable_explicit_http_config()->mutable_http_protocol_options(); + ConfigHelper::setProtocolOptions(*cluster, protocol_options); + auto* cluster1 = bootstrap.mutable_static_resources()->mutable_clusters(1); + ConfigHelper::setProtocolOptions(*cluster1, protocol_options); + addStandardFilter(false); + }); + + initialize(); + // We should see a successful credential refresh + 
test_server_->waitForCounterGe("aws.metadata_credentials_provider.ec2_instance_metadata_server_" + "internal.credential_refreshes_performed", + 1); + // If credential refresh has succeeded, then check we added only a single cluster via the + // extension + EXPECT_EQ(test_server_->counter("cluster_manager.cluster_added"), 1); } TEST_F(InitializeFilterTest, TestWithOneClusterRouteLevel) { @@ -352,9 +406,20 @@ TEST_F(InitializeFilterTest, TestWithOneClusterRouteLevel) { TestEnvironment::setEnvVar("AWS_ROLE_SESSION_NAME", "role-session-name", 1); addPerRouteFilter(AWS_REQUEST_SIGNING_CONFIG_SIGV4_ROUTE_LEVEL); initialize(); - test_server_->waitForCounterGe("aws.metadata_credentials_provider.sts_token_" - "service_internal-ap-southeast-2.credential_refreshes_performed", - 1, std::chrono::seconds(10)); + std::string uuid; + std::string prefix = "cluster.sts_token_service_internal-ap-southeast-2_"; + for (const auto& c : test_server_->counters()) { + if (absl::StartsWith(c->name(), prefix)) { + uuid = c->name().substr(prefix.size(), 36); + } + } + EXPECT_FALSE(uuid.empty()); + std::string sts_name = fmt::format("aws.metadata_credentials_provider.sts_token_" + "service_internal-ap-southeast-2_{}", + uuid); + + test_server_->waitForCounterGe(fmt::format("{}.credential_refreshes_performed", sts_name), 1, + std::chrono::seconds(10)); } TEST_F(InitializeFilterTest, TestWithOneClusterRouteLevelAndStandard) { 
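Review bot: The final check `EXPECT_EQ(test_server_->counter("cluster_manager.cluster_added"), 1);` in TestWithTwoClustersUpstreamCheckForSingletonIMDS compares whatever `counter()` returns with 1 instead of reading a count. If `counter()` returns a counter handle, as the `c->name()` calls on `counters()` elements in this file suggest, the assertion may pass for any non-null handle and would not show that the extension added only one metadata cluster. Presumably the intent is `EXPECT_EQ(test_server_->counter("cluster_manager.cluster_added")->value(), 1);`. The test also repeats the protocol-options block inline for clusters 0 and 1, although the hunk at -283 gives addUpstreamProtocolOptions an index parameter. Calling `addUpstreamProtocolOptions(0);` and `addUpstreamProtocolOptions(1);` after the cluster is added would likely cover it.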
@@ -367,9 +432,20 @@ TEST_F(InitializeFilterTest, TestWithOneClusterRouteLevelAndStandard) { addStandardFilter(); addPerRouteFilter(AWS_REQUEST_SIGNING_CONFIG_SIGV4_ROUTE_LEVEL); initialize(); - test_server_->waitForCounterGe("aws.metadata_credentials_provider.sts_token_" - "service_internal-ap-southeast-2.credential_refreshes_performed", - 1, std::chrono::seconds(10)); + std::string uuid; + std::string prefix = "cluster.sts_token_service_internal-ap-southeast-2_"; + for (const auto& c : test_server_->counters()) { + if (absl::StartsWith(c->name(), prefix)) { + uuid = c->name().substr(prefix.size(), 36); + } + } + EXPECT_FALSE(uuid.empty()); + std::string sts_name = fmt::format("aws.metadata_credentials_provider.sts_token_" + "service_internal-ap-southeast-2_{}", + uuid); + + test_server_->waitForCounterGe(fmt::format("{}.credential_refreshes_performed", sts_name), 1, + std::chrono::seconds(10)); } TEST_F(InitializeFilterTest, TestWithTwoClustersStandard) { @@ -387,9 +463,20 @@ TEST_F(InitializeFilterTest, TestWithTwoClustersStandard) { test_server_->waitForCounterGe("aws.metadata_credentials_provider.ecs_task_" "metadata_server_internal.credential_refreshes_performed", 1); - test_server_->waitForCounterGe("aws.metadata_credentials_provider.sts_token_" - "service_internal-ap-southeast-2.credential_refreshes_performed", - 1, std::chrono::seconds(10)); + std::string uuid; + std::string prefix = "cluster.sts_token_service_internal-ap-southeast-2_"; + for (const auto& c : test_server_->counters()) { + if (absl::StartsWith(c->name(), prefix)) { + uuid = c->name().substr(prefix.size(), 36); + } + } + EXPECT_FALSE(uuid.empty()); + std::string sts_name = fmt::format("aws.metadata_credentials_provider.sts_token_" + "service_internal-ap-southeast-2_{}", + uuid); + + test_server_->waitForCounterGe(fmt::format("{}.credential_refreshes_performed", sts_name), 1, + std::chrono::seconds(10)); } TEST_F(InitializeFilterTest, TestWithTwoClustersRouteLevel) { 
@@ -406,9 +493,20 @@ TEST_F(InitializeFilterTest, TestWithTwoClustersRouteLevel) { test_server_->waitForCounterGe("aws.metadata_credentials_provider.ecs_task_" "metadata_server_internal.credential_refreshes_performed", 1); - test_server_->waitForCounterGe("aws.metadata_credentials_provider.sts_token_" - "service_internal-ap-southeast-2.credential_refreshes_performed", - 1, std::chrono::seconds(10)); + std::string uuid; + std::string prefix = "cluster.sts_token_service_internal-ap-southeast-2_"; + for (const auto& c : test_server_->counters()) { + if (absl::StartsWith(c->name(), prefix)) { + uuid = c->name().substr(prefix.size(), 36); + } + } + EXPECT_FALSE(uuid.empty()); + std::string sts_name = fmt::format("aws.metadata_credentials_provider.sts_token_" + "service_internal-ap-southeast-2_{}", + uuid); + + test_server_->waitForCounterGe(fmt::format("{}.credential_refreshes_performed", sts_name), 1, + std::chrono::seconds(10)); } TEST_F(InitializeFilterTest, TestWithTwoClustersRouteLevelAndStandard) { 
@@ -426,9 +524,20 @@ TEST_F(InitializeFilterTest, TestWithTwoClustersRouteLevelAndStandard) { test_server_->waitForCounterGe("aws.metadata_credentials_provider.ecs_task_" "metadata_server_internal.credential_refreshes_performed", 1); - test_server_->waitForCounterGe("aws.metadata_credentials_provider.sts_token_" - "service_internal-ap-southeast-2.credential_refreshes_performed", - 1, std::chrono::seconds(10)); + std::string uuid; + std::string prefix = "cluster.sts_token_service_internal-ap-southeast-2_"; + for (const auto& c : test_server_->counters()) { + if (absl::StartsWith(c->name(), prefix)) { + uuid = c->name().substr(prefix.size(), 36); + } + } + EXPECT_FALSE(uuid.empty()); + std::string sts_name = fmt::format("aws.metadata_credentials_provider.sts_token_" + "service_internal-ap-southeast-2_{}", + uuid); + + test_server_->waitForCounterGe(fmt::format("{}.credential_refreshes_performed", sts_name), 1, + std::chrono::seconds(10)); } TEST_F(InitializeFilterTest, TestWithTwoClustersStandardInstanceProfile) { 
@@ -442,9 +551,20 @@ TEST_F(InitializeFilterTest, TestWithTwoClustersStandardInstanceProfile) { test_server_->waitForCounterGe("aws.metadata_credentials_provider.ec2_instance_" "metadata_server_internal.credential_refreshes_performed", 1); - test_server_->waitForCounterGe("aws.metadata_credentials_provider.sts_token_" - "service_internal-ap-southeast-2.credential_refreshes_performed", - 1, std::chrono::seconds(10)); + std::string uuid; + std::string prefix = "cluster.sts_token_service_internal-ap-southeast-2_"; + for (const auto& c : test_server_->counters()) { + if (absl::StartsWith(c->name(), prefix)) { + uuid = c->name().substr(prefix.size(), 36); + } + } + EXPECT_FALSE(uuid.empty()); + std::string sts_name = fmt::format("aws.metadata_credentials_provider.sts_token_" + "service_internal-ap-southeast-2_{}", + uuid); + + test_server_->waitForCounterGe(fmt::format("{}.credential_refreshes_performed", sts_name), 1, + std::chrono::seconds(10)); } TEST_F(InitializeFilterTest, TestWithTwoClustersRouteLevelInstanceProfile) { 
@@ -458,9 +578,20 @@ TEST_F(InitializeFilterTest, TestWithTwoClustersRouteLevelInstanceProfile) { test_server_->waitForCounterGe("aws.metadata_credentials_provider.ec2_instance_" "metadata_server_internal.credential_refreshes_performed", 1); - test_server_->waitForCounterGe("aws.metadata_credentials_provider.sts_token_" - "service_internal-ap-southeast-2.credential_refreshes_performed", - 1, std::chrono::seconds(10)); + std::string uuid; + std::string prefix = "cluster.sts_token_service_internal-ap-southeast-2_"; + for (const auto& c : test_server_->counters()) { + if (absl::StartsWith(c->name(), prefix)) { + uuid = c->name().substr(prefix.size(), 36); + } + } + EXPECT_FALSE(uuid.empty()); + std::string sts_name = fmt::format("aws.metadata_credentials_provider.sts_token_" + "service_internal-ap-southeast-2_{}", + uuid); + + test_server_->waitForCounterGe(fmt::format("{}.credential_refreshes_performed", sts_name), 1, + std::chrono::seconds(10)); } TEST_F(InitializeFilterTest, TestWithTwoClustersRouteLevelAndStandardInstanceProfile) { 
@@ -475,9 +606,20 @@ TEST_F(InitializeFilterTest, TestWithTwoClustersRouteLevelAndStandardInstancePro test_server_->waitForCounterGe("aws.metadata_credentials_provider.ec2_instance_" "metadata_server_internal.credential_refreshes_performed", 1); - test_server_->waitForCounterGe("aws.metadata_credentials_provider.sts_token_" - "service_internal-ap-southeast-2.credential_refreshes_performed", - 1, std::chrono::seconds(10)); + std::string uuid; + std::string prefix = "cluster.sts_token_service_internal-ap-southeast-2_"; + for (const auto& c : test_server_->counters()) { + if (absl::StartsWith(c->name(), prefix)) { + uuid = c->name().substr(prefix.size(), 36); + } + } + EXPECT_FALSE(uuid.empty()); + std::string sts_name = fmt::format("aws.metadata_credentials_provider.sts_token_" + "service_internal-ap-southeast-2_{}", + uuid); + + test_server_->waitForCounterGe(fmt::format("{}.credential_refreshes_performed", sts_name), 1, + std::chrono::seconds(10)); } class CdsInteractionTest : public testing::Test, public HttpIntegrationTest { 
@@ -574,16 +716,24 @@ TEST_F(CdsInteractionTest, ClusterRemovalRecreatesSTSCluster) { initialize(); test_server_->waitForCounterGe("cluster_manager.cluster_added", 2); + std::string uuid; + std::string prefix = "cluster.sts_token_service_internal-ap-southeast-2_"; + for (const auto& c : test_server_->counters()) { + if (absl::StartsWith(c->name(), prefix)) { + uuid = c->name().substr(prefix.size(), 36); + } + } + EXPECT_FALSE(uuid.empty()); + std::string sts_name = fmt::format("aws.metadata_credentials_provider.sts_token_" + "service_internal-ap-southeast-2_{}", + uuid); + cluster_.set_name("testing"); cds_helper_.setCds({cluster_}); // Should delete our sts cluster and cluster_0 - test_server_->waitForCounterGe("aws.metadata_credentials_provider.sts_token_" - "service_internal-ap-southeast-2.clusters_removed_by_cds", - 1); - test_server_->waitForCounterGe("aws.metadata_credentials_provider.sts_token_" - "service_internal-ap-southeast-2.clusters_readded_after_cds", - 1); + test_server_->waitForCounterGe(fmt::format("{}.clusters_removed_by_cds", sts_name), 1); + test_server_->waitForCounterGe(fmt::format("{}.clusters_readded_after_cds", sts_name), 1); } TEST_F(CdsInteractionTest, ClusterRemovalRecreatesIMDSCluster) { From ab79826a8ceb3050246f297f97d848c79c31041e Mon Sep 17 00:00:00 2001 From: phlax Date: Tue, 22 Oct 2024 23:10:35 +0100 Subject: [PATCH 04/11] ci/coverage: Remove more cruft in diskspace hack (#36720) Signed-off-by: Ryan Northey --- .github/workflows/_check_coverage.yml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/.github/workflows/_check_coverage.yml b/.github/workflows/_check_coverage.yml index 3ad92610f966..7a1309805960 100644 --- a/.github/workflows/_check_coverage.yml +++ b/.github/workflows/_check_coverage.yml 
@@ -35,6 +35,7 @@ jobs: cache-build-image: ${{ fromJSON(inputs.request).request.build-image.default }} concurrency-suffix: -${{ matrix.target }} diskspace-hack: ${{ matrix.diskspace-hack || false }} + diskspace-hack-paths: ${{ matrix.diskspace-hack-paths || '' }} error-match: | ERROR error: @@ -58,5 +59,8 @@ jobs: - target: coverage name: Coverage diskspace-hack: true + diskspace-hack-paths: | + /opt/hostedtoolcache + /usr/local - target: fuzz_coverage name: Fuzz coverage From 5e94ec7c8bdb82cbf311bf252ef8657b1041fd69 Mon Sep 17 00:00:00 2001 From: phlax Date: Tue, 22 Oct 2024 23:10:50 +0100 Subject: [PATCH 05/11] ci/macos: Increase timeout to 120m (#36719) when caches are blown this CI takes longer than the current 90s allowed Signed-off-by: Ryan Northey --- .github/workflows/envoy-macos.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/envoy-macos.yml b/.github/workflows/envoy-macos.yml index 9859cab5aae5..77ad847b4051 100644 --- a/.github/workflows/envoy-macos.yml +++ b/.github/workflows/envoy-macos.yml @@ -53,7 +53,7 @@ jobs: steps-pre: ${{ matrix.steps-pre }} target: ${{ matrix.target }} target-name: ${{ matrix.target-name }} - timeout-minutes: 90 + timeout-minutes: 120 trusted: ${{ fromJSON(needs.load.outputs.trusted) }} strategy: fail-fast: false From e70064bb0f0f99570fc8370eb33878844bd87497 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 23 Oct 2024 09:33:27 +0100 Subject: [PATCH 06/11] build(deps): bump orjson from 3.10.9 to 3.10.10 in /tools/base (#36776) Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- tools/base/requirements.txt | 117 ++++++++++++++++++------------------ 1 file changed, 59 insertions(+), 58 deletions(-) diff --git a/tools/base/requirements.txt b/tools/base/requirements.txt index 6483f18dad0e..33850b90083e 100644 --- a/tools/base/requirements.txt 
+++ b/tools/base/requirements.txt 
@@ -981,64 +981,65 @@ oauth2client==4.1.3 \ # via # gcs-oauth2-boto-plugin # google-apitools -orjson==3.10.9 \ - --hash=sha256:01f5fef452b4d7615f2e94153479370a4b59e0c964efb32dd902978f807a45cd \ - --hash=sha256:060e020d85d0ec145bc1b536b1fd9c10a0519c91991ead9724d6f759ebe26b9a \ - --hash=sha256:063ca59d93d93d1387f0c4bb766c6d4f5b0e423fe7c366d0bd4401a56d1669d1 \ - --hash=sha256:0a9fc7a6cf2b229ddc323e136df13b3fb4466c50d84ed600cd0898223dd2fea3 \ - --hash=sha256:0ab6e3ad10e964392f0e838751bcce2ef9c8fa8be7deddffff83088e5791566d \ - --hash=sha256:0bf37bf0ca538065c34efe1803378b2dadd7e05b06610a086c2857f15ee59e12 \ - --hash=sha256:0c4f5e0360b7f0aba91dafe12469108109a0e8973956d4a9865ca262a6881406 \ - --hash=sha256:0e492b93e122264c2dc78700859122631a4715bda88fabf57d9226954cfe7ec5 \ - --hash=sha256:12e2efe81356b8448f1cd130f8d75d3718de583112d71f2e2f8baa81bd835bb9 \ - --hash=sha256:1471c3274b1a4a9b8f4b9ed6effaea9ad885796373797515c44b365b375c256d \ - --hash=sha256:1b3069b7e2f57f3eef2282029b9c2ba21f08a55f1018e483663a3356f046af4c \ - --hash=sha256:1c3a1e845916a3739ab4162bb48dee66e0e727a19faf397176a7db0d9826cc3c \ - --hash=sha256:2314846e1029a2d2b899140f350eaaf3a73281df43ba84ac44d94ca861b5b269 \ - --hash=sha256:2920c8754f1aedc98bd357ec172af18ce48f5f1017a92244c85fe41d16d3c6e0 \ - --hash=sha256:2ea7a98f3295ed8adb6730a5788cc78dafea28300d19932a1d2143457f7db802 \ - --hash=sha256:41d8cac575acd15918903d74cfaabb5dbe57b357b93341332f647d1013928dcc \ - --hash=sha256:43ad5560db54331c007dc38be5ba7706cb72974a29ae8227019d89305d750a6f \ - --hash=sha256:485358fe9892d6bfd88e5885b66bf88496e1842c8f35f61682ff9928b12a6cf0 \ - --hash=sha256:68ef65223baab00f469c8698f771ab3e6ccf6af2a987e77de5b566b4ec651150 \ - --hash=sha256:6f130848205fea90a2cb9fa2b11cafff9a9f31f4efad225800bc8b9e4a702f24 \ - --hash=sha256:6fdf8d32b6d94019dc15163542d345e9ce4c4661f56b318608aa3088a1a3a23b \ - --hash=sha256:71f73439999fe662843da3607cdf6e75b1551c330f487e5801d463d969091c63 \ - 
--hash=sha256:731e8859fc99b398c286320726906404091141e9223dd5e9e6917f7e32e1cc68 \ - --hash=sha256:74f5a7a7f282d326be71b722b0c350da7af6f5f15b9378da177e0e4a09bd91a3 \ - --hash=sha256:75b061c11f5aab979a95927a76394b4a85e3e4d63d0a2a16b56a4f7c6503afab \ - --hash=sha256:77d277fa138d4bf145e8b24042004891c188c52ac8492724a183f42b0031cf0c \ - --hash=sha256:7ae82992c00b480c3cc7dac6739324554be8c5d8e858a90044928506a3333ef4 \ - --hash=sha256:7d9d83a91168aa48309acba804e393b7d9216b66f15e38f339b9fbb00db8986d \ - --hash=sha256:80e0c013e50cf7198319d8137931684eb9f32daa067e8276d9dbdd4010bb4add \ - --hash=sha256:938b7fcd79cf06fe348fb24b6163fbaa2fdc9fbed8b1f06318f24467f1487e63 \ - --hash=sha256:95361c4197c7ce9afdf56255de6f4e2474c39d16a277cce31d1b99a2520486d8 \ - --hash=sha256:9d989152df8f60a76867354e0e08d896292ab9fb96a7ef89a5b3838de174522c \ - --hash=sha256:a04f912c32463386ba117591c99a3d9e40b3b69bed9c5123d89dff06f0f5a4b0 \ - --hash=sha256:a377186a11b48c55969e34f0aa414c2826a234f212d6f2b312ba512e3cdb2c6f \ - --hash=sha256:a4948961b6bce1e2086b2cf0b56cc454cdab589d40c7f85be71fb5a5556c51d3 \ - --hash=sha256:ae82ca347829ca47431767b079f96bb977f592189250ccdede676339a80c8982 \ - --hash=sha256:b4289b5d1f88fd05dcafdd7a1f3b17bb722e77712b7618f98e86bdda560e0a1a \ - --hash=sha256:b61b08f6397f004570fd6a840f4a58946b63b4c7029408cdedb45fe85c7d17f7 \ - --hash=sha256:bdce39f96149a74fddeb2674c54f1da5e57724d32952eb6df2ac719b66d453cc \ - --hash=sha256:bfba9605e85bfd19b83a21c2c25c2bed2000d5f097f3fa3ad5b5f8a7263a3148 \ - --hash=sha256:c378074e0c46035dc66e57006993233ec66bf8487d501bab41649b4b7289ed4d \ - --hash=sha256:c7fa3ff6a0d9d15a0d0d2254cca16cd919156a18423654ce5574591392fe9914 \ - --hash=sha256:ca54e6f320e33c8a6e471c424ee16576361d905c15d69e134c2906d3fcb31795 \ - --hash=sha256:cc32a9e43c7693011ccde6f8eff8cba75ca0d2a55de11092faa4a716101e67f5 \ - --hash=sha256:d11383701d4b58e795039b662ada46987744293d57bfa2719e7379b8d67bc796 \ - --hash=sha256:d6ae1b1733e4528e45675ed09a732b6ac37d716bce2facaf467f84ce774adecd \ - 
--hash=sha256:e0014038a17a1fe273da0a5489787677ef5a64566ab383ad6d929e44ed5683f4 \ - --hash=sha256:e1e91b90c0c26bd79593967c1adef421bcff88c9e723d49c93bb7ad8af80bc6b \ - --hash=sha256:e29bbf08d907756c145a3a3a1f7ce2f11f15e3edbd3342842589d6030981b76f \ - --hash=sha256:e403429e2947a059545e305d97e4b0eb90d3bb44b396d6f327d7ae2018391e13 \ - --hash=sha256:e9ff9521b5be0340c8e686bcfe2619777fd7583f71e7b494601cc91ad3919d2e \ - --hash=sha256:f11949024f785ace1a516db32fa6255f6227226b2c988abf66f5aee61d43d8f7 \ - --hash=sha256:f3bd9df47385b8fabb3b2ee1e83f9960b8accc1905be971a1c257f16c32b491e \ - --hash=sha256:f52d993504827503411df2d60e60acf52885561458d6273f99ecd172f31c4352 \ - --hash=sha256:f9a9eb03a29c9b30b6c8bb35e5fa20d96589a76e0042005be59b7c3af10a7e43 \ - --hash=sha256:fd5083906825d7f5d23089425ce5424d783d6294020bcabb8518a3e1f97833e5 \ - --hash=sha256:fe91c2259c4a859356b6db1c6e649b40577492f66d483da8b8af6da0f87c00e3 +orjson==3.10.10 \ + --hash=sha256:019481fa9ea5ff13b5d5d95e6fd5ab25ded0810c80b150c2c7b1cc8660b662a7 \ + --hash=sha256:081b3fc6a86d72efeb67c13d0ea7c030017bd95f9868b1e329a376edc456153b \ + --hash=sha256:0c25908eb86968613216f3db4d3003f1c45d78eb9046b71056ca327ff92bdbd4 \ + --hash=sha256:0dd57eff09894938b4c86d4b871a479260f9e156fa7f12f8cad4b39ea8028bb5 \ + --hash=sha256:1dcbb0ca5fafb2b378b2c74419480ab2486326974826bbf6588f4dc62137570a \ + --hash=sha256:218cb0bc03340144b6328a9ff78f0932e642199ac184dd74b01ad691f42f93ff \ + --hash=sha256:23458d31fa50ec18e0ec4b0b4343730928296b11111df5f547c75913714116b2 \ + --hash=sha256:23776265c5215ec532de6238a52707048401a568f0fa0d938008e92a147fe2c7 \ + --hash=sha256:24ac62336da9bda1bd93c0491eff0613003b48d3cb5d01470842e7b52a40d5b4 \ + --hash=sha256:2787cd9dedc591c989f3facd7e3e86508eafdc9536a26ec277699c0aa63c685b \ + --hash=sha256:37949383c4df7b4337ce82ee35b6d7471e55195efa7dcb45ab8226ceadb0fe3b \ + --hash=sha256:384cd13579a1b4cd689d218e329f459eb9ddc504fa48c5a83ef4889db7fd7a4f \ + 
--hash=sha256:3b2625cb37b8fb42e2147404e5ff7ef08712099197a9cd38895006d7053e69d6 \ + --hash=sha256:44bffae68c291f94ff5a9b4149fe9d1bdd4cd0ff0fb575bcea8351d48db629a1 \ + --hash=sha256:5a059afddbaa6dd733b5a2d76a90dbc8af790b993b1b5cb97a1176ca713b5df8 \ + --hash=sha256:6514449d2c202a75183f807bc755167713297c69f1db57a89a1ef4a0170ee269 \ + --hash=sha256:65f9886d3bae65be026219c0a5f32dbbe91a9e6272f56d092ab22561ad0ea33b \ + --hash=sha256:672f9874a8a8fb9bb1b771331d31ba27f57702c8106cdbadad8bda5d10bc1019 \ + --hash=sha256:68b65c93617bcafa7f04b74ae8bc2cc214bd5cb45168a953256ff83015c6747d \ + --hash=sha256:6f9b5c59f7e2a1a410f971c5ebc68f1995822837cd10905ee255f96074537ee6 \ + --hash=sha256:730ed5350147db7beb23ddaf072f490329e90a1d059711d364b49fe352ec987b \ + --hash=sha256:75c38f5647e02d423807d252ce4528bf6a95bd776af999cb1fb48867ed01d1f6 \ + --hash=sha256:766f21487a53aee8524b97ca9582d5c6541b03ab6210fbaf10142ae2f3ced2aa \ + --hash=sha256:78bee66a988f1a333dc0b6257503d63553b1957889c17b2c4ed72385cd1b96ae \ + --hash=sha256:7948cfb909353fce2135dcdbe4521a5e7e1159484e0bb024c1722f272488f2b8 \ + --hash=sha256:804b18e2b88022c8905bb79bd2cbe59c0cd014b9328f43da8d3b28441995cda4 \ + --hash=sha256:829700cc18503efc0cf502d630f612884258020d98a317679cd2054af0259568 \ + --hash=sha256:848ea3b55ab5ccc9d7bbd420d69432628b691fba3ca8ae3148c35156cbd282aa \ + --hash=sha256:8564f48f3620861f5ef1e080ce7cd122ee89d7d6dacf25fcae675ff63b4d6e05 \ + --hash=sha256:879e99486c0fbb256266c7c6a67ff84f46035e4f8749ac6317cc83dacd7f993a \ + --hash=sha256:8cc2a654c08755cef90b468ff17c102e2def0edd62898b2486767204a7f5cc9c \ + --hash=sha256:9972572a1d042ec9ee421b6da69f7cc823da5962237563fa548ab17f152f0b9b \ + --hash=sha256:a12f2003695b10817f0fa8b8fca982ed7f5761dcb0d93cff4f2f9f6709903fd7 \ + --hash=sha256:a8f4bf5f1c85bea2170800020d53a8877812892697f9c2de73d576c9307a8a5f \ + --hash=sha256:aaf29ce0bb5d3320824ec3d1508652421000ba466abd63bdd52c64bcce9eb1fa \ + --hash=sha256:b3be81c42f1242cbed03cbb3973501fcaa2675a0af638f8be494eaf37143d999 \ + 
--hash=sha256:b788a579b113acf1c57e0a68e558be71d5d09aa67f62ca1f68e01117e550a998 \ + --hash=sha256:bca84df16d6b49325a4084fd8b2fe2229cb415e15c46c529f868c3387bb1339d \ + --hash=sha256:c14ce70e8f39bd71f9f80423801b5d10bf93d1dceffdecd04df0f64d2c69bc01 \ + --hash=sha256:c5bf161a32b479034098c5b81f2608f09167ad2fa1c06abd4e527ea6bf4837a9 \ + --hash=sha256:d5ef198bafdef4aa9d49a4165ba53ffdc0a9e1c7b6f76178572ab33118afea25 \ + --hash=sha256:d78e4cacced5781b01d9bc0f0cd8b70b906a0e109825cb41c1b03f9c41e4ce86 \ + --hash=sha256:d9bbd3a4b92256875cb058c3381b782649b9a3c68a4aa9a2fff020c2f9cfc1be \ + --hash=sha256:dbde6d70cd95ab4d11ea8ac5e738e30764e510fc54d777336eec09bb93b8576c \ + --hash=sha256:dbf3c20c6a7db69df58672a0d5815647ecf78c8e62a4d9bd284e8621c1fe5ccb \ + --hash=sha256:dc6993ab1c2ae7dd0711161e303f1db69062955ac2668181bfdf2dd410e65258 \ + --hash=sha256:dddd5516bcc93e723d029c1633ae79c4417477b4f57dad9bfeeb6bc0315e654a \ + --hash=sha256:e0ceb5e0e8c4f010ac787d29ae6299846935044686509e2f0f06ed441c1ca949 \ + --hash=sha256:e2277ec2cea3775640dc81ab5195bb5b2ada2fe0ea6eee4677474edc75ea6785 \ + --hash=sha256:e27b4c6437315df3024f0835887127dac2a0a3ff643500ec27088d2588fa5ae1 \ + --hash=sha256:e3e67b537ac0c835b25b5f7d40d83816abd2d3f4c0b0866ee981a045287a54f3 \ + --hash=sha256:e4d0d9fe174cc7a5bdce2e6c378bcdb4c49b2bf522a8f996aa586020e1b96cee \ + --hash=sha256:e6eb2598df518281ba0cbc30d24c5b06124ccf7e19169e883c14e0831217a0bc \ + --hash=sha256:e8e28406f97fc2ea0c6150f4c1b6e8261453318930b334abc419214c82314f85 \ + --hash=sha256:eb0a42831372ec2b05acc9ee45af77bcaccbd91257345f93780a8e654efc75db \ + --hash=sha256:f0c4f37f8bf3f1075c6cc8dd8a9f843689a4b618628f8812d0a71e6968b95ffd \ + --hash=sha256:f1d647ca8d62afeb774340a343c7fc023efacfd3a39f70c798991063f0c681dd \ + --hash=sha256:ff38c5fb749347768a603be1fb8a31856458af839f31f064c5aa74aca5be9efe # via # -r requirements.in # envoy-base-utils From 4db5a573fd9d5840657a17d2b02761fc660350c6 Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 23 Oct 2024 09:33:50 +0100 Subject: [PATCH 07/11] build(deps): bump protobuf from 5.28.2 to 5.28.3 in /tools/base (#36775) Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- tools/base/requirements.txt | 24 ++++++++++++------------ 1 file changed, 12 insertions(+), 12 deletions(-) diff --git a/tools/base/requirements.txt b/tools/base/requirements.txt index 33850b90083e..d0964ed6ebdf 100644 --- a/tools/base/requirements.txt +++ b/tools/base/requirements.txt 
@@ -1172,18 +1172,18 @@ propcache==0.2.0 \ --hash=sha256:fc2db02409338bf36590aa985a461b2c96fce91f8e7e0f14c50c5fcc4f229016 \ --hash=sha256:ffcad6c564fe6b9b8916c1aefbb37a362deebf9394bd2974e9d84232e3e08504 # via yarl -protobuf==5.28.2 \ - --hash=sha256:2c69461a7fcc8e24be697624c09a839976d82ae75062b11a0972e41fd2cd9132 \ - --hash=sha256:35cfcb15f213449af7ff6198d6eb5f739c37d7e4f1c09b5d0641babf2cc0c68f \ - --hash=sha256:52235802093bd8a2811abbe8bf0ab9c5f54cca0a751fdd3f6ac2a21438bffece \ - --hash=sha256:59379674ff119717404f7454647913787034f03fe7049cbef1d74a97bb4593f0 \ - --hash=sha256:5e8a95246d581eef20471b5d5ba010d55f66740942b95ba9b872d918c459452f \ - --hash=sha256:87317e9bcda04a32f2ee82089a204d3a2f0d3c8aeed16568c7daf4756e4f1fe0 \ - --hash=sha256:8ddc60bf374785fb7cb12510b267f59067fa10087325b8e1855b898a0d81d276 \ - --hash=sha256:a8b9403fc70764b08d2f593ce44f1d2920c5077bf7d311fefec999f8c40f78b7 \ - --hash=sha256:c0ea0123dac3399a2eeb1a1443d82b7afc9ff40241433296769f7da42d142ec3 \ - --hash=sha256:ca53faf29896c526863366a52a8f4d88e69cd04ec9571ed6082fa117fac3ab36 \ - --hash=sha256:eeea10f3dc0ac7e6b4933d32db20662902b4ab81bf28df12218aa389e9c2102d +protobuf==5.28.3 \ + --hash=sha256:0c4eec6f987338617072592b97943fdbe30d019c56126493111cf24344c1cc24 \ + --hash=sha256:135658402f71bbd49500322c0f736145731b16fc79dc8f367ab544a17eab4535 \ + --hash=sha256:27b246b3723692bf1068d5734ddaf2fccc2cdd6e0c9b47fe099244d80200593b \ + --hash=sha256:3e6101d095dfd119513cde7259aa703d16c6bbdfae2554dfe5cfdbe94e32d548 \ + --hash=sha256:3fa2de6b8b29d12c61911505d893afe7320ce7ccba4df913e2971461fa36d584 \ + --hash=sha256:64badbc49180a5e401f373f9ce7ab1d18b63f7dd4a9cdc43c92b9f0b481cef7b \ + --hash=sha256:70585a70fc2dd4818c51287ceef5bdba6387f88a578c86d47bb34669b5552c36 \ + --hash=sha256:712319fbdddb46f21abb66cd33cb9e491a5763b2febd8f228251add221981135 \ + --hash=sha256:91fba8f445723fcf400fdbe9ca796b19d3b1242cd873907979b9ed71e4afe868 \ + --hash=sha256:a3f6857551e53ce35e60b403b8a27b0295f7d6eb63d10484f12bc6879c715687 \ + 
--hash=sha256:cee1757663fa32a1ee673434fcf3bf24dd54763c79690201208bafec62f19eed # via # -r requirements.in # envoy-base-utils From 742a3b02e3b2a9dfb877a7e378607c6ed0c2aa53 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 23 Oct 2024 09:34:16 +0100 Subject: [PATCH 08/11] build(deps): bump github/codeql-action from 3.26.13 to 3.27.0 (#36774) Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/codeql-daily.yml | 4 ++-- .github/workflows/codeql-push.yml | 4 ++-- .github/workflows/scorecard.yml | 2 +- 3 files changed, 5 insertions(+), 5 deletions(-) diff --git a/.github/workflows/codeql-daily.yml b/.github/workflows/codeql-daily.yml index 95be6367221f..b5d58a73f762 100644 --- a/.github/workflows/codeql-daily.yml +++ b/.github/workflows/codeql-daily.yml @@ -34,7 +34,7 @@ jobs: # Initializes the CodeQL tools for scanning. - name: Initialize CodeQL - uses: github/codeql-action/init@f779452ac5af1c261dce0346a8f964149f49322b # codeql-bundle-v3.26.13 + uses: github/codeql-action/init@662472033e021d55d94146f66f6058822b0b39fd # codeql-bundle-v3.27.0 # Override language selection by uncommenting this and choosing your languages with: languages: cpp @@ -74,4 +74,4 @@ jobs: git clean -xdf - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@f779452ac5af1c261dce0346a8f964149f49322b # codeql-bundle-v3.26.13 + uses: github/codeql-action/analyze@662472033e021d55d94146f66f6058822b0b39fd # codeql-bundle-v3.27.0 diff --git a/.github/workflows/codeql-push.yml b/.github/workflows/codeql-push.yml index 267020a22386..7eaf29d08f70 100644 --- a/.github/workflows/codeql-push.yml +++ b/.github/workflows/codeql-push.yml 
@@ -65,7 +65,7 @@ jobs: - name: Initialize CodeQL if: ${{ env.BUILD_TARGETS != '' }} - uses: github/codeql-action/init@f779452ac5af1c261dce0346a8f964149f49322b # codeql-bundle-v3.26.13 + uses: github/codeql-action/init@662472033e021d55d94146f66f6058822b0b39fd # codeql-bundle-v3.27.0 with: languages: cpp @@ -109,4 +109,4 @@ jobs: - name: Perform CodeQL Analysis if: ${{ env.BUILD_TARGETS != '' }} - uses: github/codeql-action/analyze@f779452ac5af1c261dce0346a8f964149f49322b # codeql-bundle-v3.26.13 + uses: github/codeql-action/analyze@662472033e021d55d94146f66f6058822b0b39fd # codeql-bundle-v3.27.0 diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml index 018bb5c0dd74..740be892f172 100644 --- a/.github/workflows/scorecard.yml +++ b/.github/workflows/scorecard.yml @@ -40,6 +40,6 @@ jobs: retention-days: 5 - name: "Upload to code-scanning" - uses: github/codeql-action/upload-sarif@f779452ac5af1c261dce0346a8f964149f49322b # v3.26.13 + uses: github/codeql-action/upload-sarif@662472033e021d55d94146f66f6058822b0b39fd # v3.27.0 with: sarif_file: results.sarif From fda7c57c47f1d56333b732494866b0d30cd5fca8 Mon Sep 17 00:00:00 2001 From: alyssawilk Date: Wed, 23 Oct 2024 08:56:07 -0400 Subject: [PATCH 09/11] mobile: resolving how forcev6 works on mobile platforms (#36732) envoy.reloadable_features.always_use_v6 turns out to be beneficial on android and harmful on iOS. Changing the defaults and removing the knob, accordingly. Risk Level: low: removing an off-by-default flag. Testing: in production Docs Changes: n/a Release Notes: n/a 
Signed-off-by: Alyssa Wilk --- mobile/library/cc/engine_builder.cc | 6 ---- mobile/library/cc/engine_builder.h | 2 -- .../engine/EnvoyConfiguration.java | 33 +++++++++---------- .../envoymobile/engine/JniLibrary.java | 15 ++++----- .../impl/NativeCronvoyEngineBuilderImpl.java | 15 ++------- mobile/library/jni/jni_impl.cc | 28 +++++++--------- .../envoyproxy/envoymobile/EngineBuilder.kt | 13 -------- .../library/objective-c/EnvoyConfiguration.h | 2 -- .../library/objective-c/EnvoyConfiguration.mm | 3 -- mobile/library/swift/EngineBuilder.swift | 15 --------- mobile/test/cc/unit/envoy_config_test.cc | 2 -- .../engine/EnvoyConfigurationTest.kt | 5 --- mobile/test/swift/EngineBuilderTests.swift | 14 -------- .../apps/experimental/ViewController.swift | 1 - source/common/network/address_impl.cc | 7 ++-- source/common/runtime/runtime_features.cc | 4 --- 16 files changed, 41 insertions(+), 124 deletions(-) diff --git a/mobile/library/cc/engine_builder.cc b/mobile/library/cc/engine_builder.cc index 4ad18cb41100..f5bd56498b36 100644 --- a/mobile/library/cc/engine_builder.cc +++ b/mobile/library/cc/engine_builder.cc @@ -227,11 +227,6 @@ EngineBuilder& EngineBuilder::setNumTimeoutsToTriggerPortMigration(int num_timeo return *this; } -EngineBuilder& EngineBuilder::setForceAlwaysUsev6(bool value) { - always_use_v6_ = value; - return *this; -} - EngineBuilder& EngineBuilder::enableInterfaceBinding(bool interface_binding_on) { enable_interface_binding_ = interface_binding_on; return *this; @@ -862,7 +857,6 @@ std::unique_ptr EngineBuilder::generate (*reloadable_features.mutable_fields())[guard_and_value.first].set_bool_value( guard_and_value.second); } - (*reloadable_features.mutable_fields())["always_use_v6"].set_bool_value(always_use_v6_); (*reloadable_features.mutable_fields())["prefer_quic_client_udp_gro"].set_bool_value( use_gro_if_available_); ProtobufWkt::Struct& restart_features = 
diff --git a/mobile/library/cc/engine_builder.h b/mobile/library/cc/engine_builder.h index b44f6e550798..d93531fff3f6 100644 --- a/mobile/library/cc/engine_builder.h +++ b/mobile/library/cc/engine_builder.h @@ -75,7 +75,6 @@ class EngineBuilder { EngineBuilder& enablePlatformCertificatesValidation(bool platform_certificates_validation_on); EngineBuilder& enableDnsCache(bool dns_cache_on, int save_interval_seconds = 1); - EngineBuilder& setForceAlwaysUsev6(bool value); // Adds the hostnames that should be pre-resolved by DNS prior to the first request issued for // that host. When invoked, any previous preresolve hostname entries get cleared and only the ones // provided in the hostnames argument get set. @@ -184,7 +183,6 @@ class EngineBuilder { std::vector> quic_hints_; std::vector quic_suffixes_; int num_timeouts_to_trigger_port_migration_ = 0; - bool always_use_v6_ = false; #if defined(__APPLE__) // TODO(abeyad): once stable, consider setting the default to true. bool respect_system_proxy_settings_ = false; diff --git a/mobile/library/java/io/envoyproxy/envoymobile/engine/EnvoyConfiguration.java b/mobile/library/java/io/envoyproxy/envoymobile/engine/EnvoyConfiguration.java index b174b2be82db..b4d3e6cee5db 100644 --- a/mobile/library/java/io/envoyproxy/envoymobile/engine/EnvoyConfiguration.java +++ b/mobile/library/java/io/envoyproxy/envoymobile/engine/EnvoyConfiguration.java @@ -38,7 +38,6 @@ public enum TrustChainVerification { public final boolean enableHttp3; public final boolean useCares; public final List> caresFallbackResolvers; - public final boolean forceV6; public final boolean useGro; public final String http3ConnectionOptions; public final String http3ClientConnectionOptions; 
@@ -93,7 +92,6 @@ public enum TrustChainVerification { * @param enableHttp3 whether to enable experimental support for * HTTP/3 (QUIC). * @param useCares whether to use the c_ares library for DNS - * @param forceV6 whether to map v4 address to v6 * @param useGro whether to use UDP GRO on upstream QUIC * connections, if available. * @param http3ConnectionOptions connection options to be used in HTTP/3. @@ -140,14 +138,14 @@ public EnvoyConfiguration( int dnsFailureRefreshSecondsMax, int dnsQueryTimeoutSeconds, int dnsMinRefreshSeconds, List dnsPreresolveHostnames, boolean enableDNSCache, int dnsCacheSaveIntervalSeconds, int dnsNumRetries, boolean enableDrainPostDnsRefresh, boolean enableHttp3, boolean useCares, - boolean forceV6, boolean useGro, String http3ConnectionOptions, - String http3ClientConnectionOptions, Map quicHints, - List quicCanonicalSuffixes, boolean enableGzipDecompression, - boolean enableBrotliDecompression, int numTimeoutsToTriggerPortMigration, - boolean enableSocketTagging, boolean enableInterfaceBinding, - int h2ConnectionKeepaliveIdleIntervalMilliseconds, int h2ConnectionKeepaliveTimeoutSeconds, - int maxConnectionsPerHost, int streamIdleTimeoutSeconds, int perTryIdleTimeoutSeconds, - String appVersion, String appId, TrustChainVerification trustChainVerification, + boolean useGro, String http3ConnectionOptions, String http3ClientConnectionOptions, + Map quicHints, List quicCanonicalSuffixes, + boolean enableGzipDecompression, boolean enableBrotliDecompression, + int numTimeoutsToTriggerPortMigration, boolean enableSocketTagging, + boolean enableInterfaceBinding, int h2ConnectionKeepaliveIdleIntervalMilliseconds, + int h2ConnectionKeepaliveTimeoutSeconds, int maxConnectionsPerHost, + int streamIdleTimeoutSeconds, int perTryIdleTimeoutSeconds, String appVersion, String appId, + TrustChainVerification trustChainVerification, List nativeFilterChain, List httpPlatformFilterFactories, Map stringAccessors, 
@@ -174,7 +172,6 @@ public EnvoyConfiguration( this.caresFallbackResolvers.add( new Pair(hostAndPort.first, String.valueOf(hostAndPort.second))); } - this.forceV6 = forceV6; this.useGro = useGro; this.http3ConnectionOptions = http3ConnectionOptions; this.http3ClientConnectionOptions = http3ClientConnectionOptions; @@ -239,13 +236,13 @@ public long createBootstrap() { connectTimeoutSeconds, dnsRefreshSeconds, dnsFailureRefreshSecondsBase, dnsFailureRefreshSecondsMax, dnsQueryTimeoutSeconds, dnsMinRefreshSeconds, dnsPreresolve, enableDNSCache, dnsCacheSaveIntervalSeconds, dnsNumRetries, enableDrainPostDnsRefresh, - enableHttp3, useCares, forceV6, useGro, http3ConnectionOptions, - http3ClientConnectionOptions, quicHints, quicSuffixes, enableGzipDecompression, - enableBrotliDecompression, numTimeoutsToTriggerPortMigration, enableSocketTagging, - enableInterfaceBinding, h2ConnectionKeepaliveIdleIntervalMilliseconds, - h2ConnectionKeepaliveTimeoutSeconds, maxConnectionsPerHost, streamIdleTimeoutSeconds, - perTryIdleTimeoutSeconds, appVersion, appId, enforceTrustChainVerification, filterChain, - enablePlatformCertificatesValidation, upstreamTlsSni, runtimeGuards, caresFallbackResolvers, + enableHttp3, useCares, useGro, http3ConnectionOptions, http3ClientConnectionOptions, + quicHints, quicSuffixes, enableGzipDecompression, enableBrotliDecompression, + numTimeoutsToTriggerPortMigration, enableSocketTagging, enableInterfaceBinding, + h2ConnectionKeepaliveIdleIntervalMilliseconds, h2ConnectionKeepaliveTimeoutSeconds, + maxConnectionsPerHost, streamIdleTimeoutSeconds, perTryIdleTimeoutSeconds, appVersion, + appId, enforceTrustChainVerification, filterChain, enablePlatformCertificatesValidation, + upstreamTlsSni, runtimeGuards, caresFallbackResolvers, h3ConnectionKeepaliveInitialIntervalMilliseconds); } } 
diff --git a/mobile/library/java/io/envoyproxy/envoymobile/engine/JniLibrary.java b/mobile/library/java/io/envoyproxy/envoymobile/engine/JniLibrary.java index 4c42f53fcd58..8b639236df4d 100644 --- a/mobile/library/java/io/envoyproxy/envoymobile/engine/JniLibrary.java +++ b/mobile/library/java/io/envoyproxy/envoymobile/engine/JniLibrary.java 
@@ -304,14 +304,13 @@ public static native long createBootstrap( long dnsFailureRefreshSecondsMax, long dnsQueryTimeoutSeconds, long dnsMinRefreshSeconds, byte[][] dnsPreresolveHostnames, boolean enableDNSCache, long dnsCacheSaveIntervalSeconds, int dnsNumRetries, boolean enableDrainPostDnsRefresh, boolean enableHttp3, boolean useCares, - boolean forceV6, boolean useGro, String http3ConnectionOptions, - String http3ClientConnectionOptions, byte[][] quicHints, byte[][] quicCanonicalSuffixes, - boolean enableGzipDecompression, boolean enableBrotliDecompression, - int numTimeoutsToTriggerPortMigration, boolean enableSocketTagging, - boolean enableInterfaceBinding, long h2ConnectionKeepaliveIdleIntervalMilliseconds, - long h2ConnectionKeepaliveTimeoutSeconds, long maxConnectionsPerHost, - long streamIdleTimeoutSeconds, long perTryIdleTimeoutSeconds, String appVersion, String appId, - boolean trustChainVerification, byte[][] filterChain, + boolean useGro, String http3ConnectionOptions, String http3ClientConnectionOptions, + byte[][] quicHints, byte[][] quicCanonicalSuffixes, boolean enableGzipDecompression, + boolean enableBrotliDecompression, int numTimeoutsToTriggerPortMigration, + boolean enableSocketTagging, boolean enableInterfaceBinding, + long h2ConnectionKeepaliveIdleIntervalMilliseconds, long h2ConnectionKeepaliveTimeoutSeconds, + long maxConnectionsPerHost, long streamIdleTimeoutSeconds, long perTryIdleTimeoutSeconds, + String appVersion, String appId, boolean trustChainVerification, byte[][] filterChain, boolean enablePlatformCertificatesValidation, String upstreamTlsSni, byte[][] runtimeGuards, byte[][] cares_fallback_resolvers, long h3ConnectionKeepaliveInitialIntervalMilliseconds); diff --git a/mobile/library/java/org/chromium/net/impl/NativeCronvoyEngineBuilderImpl.java b/mobile/library/java/org/chromium/net/impl/NativeCronvoyEngineBuilderImpl.java index 4b14e877326b..ab184e8a9f38 100644 
--- a/mobile/library/java/org/chromium/net/impl/NativeCronvoyEngineBuilderImpl.java +++ b/mobile/library/java/org/chromium/net/impl/NativeCronvoyEngineBuilderImpl.java @@ -52,7 +52,6 @@ public class NativeCronvoyEngineBuilderImpl extends CronvoyEngineBuilderImpl { private final boolean mEnableDnsFilterUnroutableFamilies = true; private boolean mUseCares = false; private final List> mCaresFallbackResolvers = new ArrayList<>(); - private boolean mForceV6 = true; private boolean mUseGro = false; private boolean mEnableDrainPostDnsRefresh = false; private final boolean mEnableGzipDecompression = true; @@ -112,16 +111,6 @@ public NativeCronvoyEngineBuilderImpl addCaresFallbackResolver(String host, int return this; } - /** - * Set whether to map v4 address to v6. - * - * @param enable If true, map v4 address to v6. - */ - public NativeCronvoyEngineBuilderImpl setForceV6(boolean enable) { - mForceV6 = enable; - return this; - } - /** * Specify whether to use UDP GRO for upstream QUIC/HTTP3 sockets, if GRO is available on the * system. @@ -301,8 +290,8 @@ private EnvoyConfiguration createEnvoyConfiguration() { mConnectTimeoutSeconds, mDnsRefreshSeconds, mDnsFailureRefreshSecondsBase, mDnsFailureRefreshSecondsMax, mDnsQueryTimeoutSeconds, mDnsMinRefreshSeconds, mDnsPreresolveHostnames, mEnableDNSCache, mDnsCacheSaveIntervalSeconds, - mDnsNumRetries.orElse(-1), mEnableDrainPostDnsRefresh, quicEnabled(), mUseCares, mForceV6, - mUseGro, quicConnectionOptions(), quicClientConnectionOptions(), quicHints(), + mDnsNumRetries.orElse(-1), mEnableDrainPostDnsRefresh, quicEnabled(), mUseCares, mUseGro, + quicConnectionOptions(), quicClientConnectionOptions(), quicHints(), quicCanonicalSuffixes(), mEnableGzipDecompression, brotliEnabled(), numTimeoutsToTriggerPortMigration(), mEnableSocketTag, mEnableInterfaceBinding, mH2ConnectionKeepaliveIdleIntervalMilliseconds, mH2ConnectionKeepaliveTimeoutSeconds, 
diff --git a/mobile/library/jni/jni_impl.cc b/mobile/library/jni/jni_impl.cc index 1e572b429634..e57d6a8f103c 100644 --- a/mobile/library/jni/jni_impl.cc +++ b/mobile/library/jni/jni_impl.cc @@ -1218,11 +1218,10 @@ void configureBuilder(Envoy::JNI::JniHelper& jni_helper, jlong connect_timeout_s jlong dns_min_refresh_seconds, jobjectArray dns_preresolve_hostnames, jboolean enable_dns_cache, jlong dns_cache_save_interval_seconds, jint dns_num_retries, jboolean enable_drain_post_dns_refresh, - jboolean enable_http3, jboolean use_cares, jboolean force_v6, - jboolean use_gro, jstring http3_connection_options, - jstring http3_client_connection_options, jobjectArray quic_hints, - jobjectArray quic_canonical_suffixes, jboolean enable_gzip_decompression, - jboolean enable_brotli_decompression, + jboolean enable_http3, jboolean use_cares, jboolean use_gro, + jstring http3_connection_options, jstring http3_client_connection_options, + jobjectArray quic_hints, jobjectArray quic_canonical_suffixes, + jboolean enable_gzip_decompression, jboolean enable_brotli_decompression, jlong num_timeouts_to_trigger_port_migration, jboolean enable_socket_tagging, jboolean enable_interface_binding, jlong h2_connection_keepalive_idle_interval_milliseconds, @@ -1286,7 +1285,6 @@ void configureBuilder(Envoy::JNI::JniHelper& jni_helper, jlong connect_timeout_s builder.enforceTrustChainVerification(trust_chain_verification == JNI_TRUE); builder.enablePlatformCertificatesValidation(enable_platform_certificates_validation == JNI_TRUE); builder.setUpstreamTlsSni(Envoy::JNI::javaStringToCppString(jni_helper, upstream_tls_sni)); - builder.setForceAlwaysUsev6(force_v6 == JNI_TRUE); builder.setKeepAliveInitialIntervalMilliseconds( (h3_connection_keepalive_initial_interval_milliseconds)); 
@@ -1327,12 +1325,11 @@ extern "C" JNIEXPORT jlong JNICALL Java_io_envoyproxy_envoymobile_engine_JniLibr jobjectArray dns_preresolve_hostnames, jboolean enable_dns_cache, jlong dns_cache_save_interval_seconds, jint dns_num_retries, jboolean enable_drain_post_dns_refresh, jboolean enable_http3, jboolean use_cares, - jboolean force_v6, jboolean use_gro, jstring http3_connection_options, - jstring http3_client_connection_options, jobjectArray quic_hints, - jobjectArray quic_canonical_suffixes, jboolean enable_gzip_decompression, - jboolean enable_brotli_decompression, jlong num_timeouts_to_trigger_port_migration, - jboolean enable_socket_tagging, jboolean enable_interface_binding, - jlong h2_connection_keepalive_idle_interval_milliseconds, + jboolean use_gro, jstring http3_connection_options, jstring http3_client_connection_options, + jobjectArray quic_hints, jobjectArray quic_canonical_suffixes, + jboolean enable_gzip_decompression, jboolean enable_brotli_decompression, + jlong num_timeouts_to_trigger_port_migration, jboolean enable_socket_tagging, + jboolean enable_interface_binding, jlong h2_connection_keepalive_idle_interval_milliseconds, jlong h2_connection_keepalive_timeout_seconds, jlong max_connections_per_host, jlong stream_idle_timeout_seconds, jlong per_try_idle_timeout_seconds, jstring app_version, jstring app_id, jboolean trust_chain_verification, jobjectArray filter_chain, 
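Review bot: The parameter list of the JNI entry point in this hunk must match the `createBootstrap` native declaration in JniLibrary.java position for position, and nothing in the code records or checks that. `force_v6` is removed here from a run of adjacent `jboolean` parameters (`enable_http3`, `use_cares`, `use_gro`), so if one side were updated without the other the C++ would still compile and the native code would presumably read shifted or mistyped arguments. A comment above the function such as `// Parameter order and types must mirror JniLibrary.createBootstrap(); change both together.` would make the contract explicit; the same applies to `configureBuilder` in the earlier hunks of this file. The function starts and ends outside the hunk.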
@@ -1346,16 +1343,15 @@ extern "C" JNIEXPORT jlong JNICALL Java_io_envoyproxy_envoymobile_engine_JniLibr jni_helper, connect_timeout_seconds, dns_refresh_seconds, dns_failure_refresh_seconds_base, dns_failure_refresh_seconds_max, dns_query_timeout_seconds, dns_min_refresh_seconds, dns_preresolve_hostnames, enable_dns_cache, dns_cache_save_interval_seconds, dns_num_retries, - enable_drain_post_dns_refresh, enable_http3, use_cares, force_v6, use_gro, - http3_connection_options, http3_client_connection_options, quic_hints, - quic_canonical_suffixes, enable_gzip_decompression, enable_brotli_decompression, + enable_drain_post_dns_refresh, enable_http3, use_cares, use_gro, http3_connection_options, + http3_client_connection_options, quic_hints, quic_canonical_suffixes, + enable_gzip_decompression, enable_brotli_decompression, num_timeouts_to_trigger_port_migration, enable_socket_tagging, enable_interface_binding, h2_connection_keepalive_idle_interval_milliseconds, h2_connection_keepalive_timeout_seconds, max_connections_per_host, stream_idle_timeout_seconds, per_try_idle_timeout_seconds, app_version, app_id, trust_chain_verification, filter_chain, enable_platform_certificates_validation, upstream_tls_sni, runtime_guards, cares_fallback_resolvers, h3_connection_keepalive_initial_interval_milliseconds, builder); - return reinterpret_cast(builder.generateBootstrap().release()); } diff --git a/mobile/library/kotlin/io/envoyproxy/envoymobile/EngineBuilder.kt b/mobile/library/kotlin/io/envoyproxy/envoymobile/EngineBuilder.kt index 61608a6c9912..9b285beadf8e 100644 --- a/mobile/library/kotlin/io/envoyproxy/envoymobile/EngineBuilder.kt +++ b/mobile/library/kotlin/io/envoyproxy/envoymobile/EngineBuilder.kt 
@@ -41,7 +41,6 @@ open class EngineBuilder() { internal var enableHttp3 = true internal var useCares = false internal var caresFallbackResolvers = mutableListOf>() - internal var forceV6 = true private var useGro = false private var http3ConnectionOptions = "" private var http3ClientConnectionOptions = "" @@ -234,17 +233,6 @@ open class EngineBuilder() { return this } - /** - * Specify whether local ipv4 addresses should be mapped to ipv6. Defaults to true. - * - * @param forceV6 whether or not to translate v4 to v6. - * @return This builder. - */ - fun forceV6(forceV6: Boolean): EngineBuilder { - this.forceV6 = forceV6 - return this - } - /** * Specify whether to use UDP GRO for upstream QUIC/HTTP3 sockets, if GRO is available on the * system. @@ -577,7 +565,6 @@ open class EngineBuilder() { enableDrainPostDnsRefresh, enableHttp3, useCares, - forceV6, useGro, http3ConnectionOptions, http3ClientConnectionOptions, diff --git a/mobile/library/objective-c/EnvoyConfiguration.h b/mobile/library/objective-c/EnvoyConfiguration.h index 57f6c825e29c..a22080fba2ea 100644 --- a/mobile/library/objective-c/EnvoyConfiguration.h +++ b/mobile/library/objective-c/EnvoyConfiguration.h @@ -31,7 +31,6 @@ NS_ASSUME_NONNULL_BEGIN @property (nonatomic, assign) BOOL enableInterfaceBinding; @property (nonatomic, assign) BOOL enableDrainPostDnsRefresh; @property (nonatomic, assign) BOOL enforceTrustChainVerification; -@property (nonatomic, assign) BOOL forceIPv6; @property (nonatomic, assign) BOOL enablePlatformCertificateValidation; @property (nonatomic, strong, nullable) NSString *upstreamTlsSni; @property (nonatomic, assign) BOOL respectSystemProxySettings; 
@@ -70,7 +69,6 @@ NS_ASSUME_NONNULL_BEGIN enableInterfaceBinding:(BOOL)enableInterfaceBinding enableDrainPostDnsRefresh:(BOOL)enableDrainPostDnsRefresh enforceTrustChainVerification:(BOOL)enforceTrustChainVerification - forceIPv6:(BOOL)forceIPv6 enablePlatformCertificateValidation:(BOOL)enablePlatformCertificateValidation upstreamTlsSni:(nullable NSString *)upstreamTlsSni respectSystemProxySettings:(BOOL)respectSystemProxySettings diff --git a/mobile/library/objective-c/EnvoyConfiguration.mm b/mobile/library/objective-c/EnvoyConfiguration.mm index 187d7bd90489..7164bc392116 100644 --- a/mobile/library/objective-c/EnvoyConfiguration.mm +++ b/mobile/library/objective-c/EnvoyConfiguration.mm @@ -85,7 +85,6 @@ - (instancetype)initWithConnectTimeoutSeconds:(UInt32)connectTimeoutSeconds enableInterfaceBinding:(BOOL)enableInterfaceBinding enableDrainPostDnsRefresh:(BOOL)enableDrainPostDnsRefresh enforceTrustChainVerification:(BOOL)enforceTrustChainVerification - forceIPv6:(BOOL)forceIPv6 enablePlatformCertificateValidation:(BOOL)enablePlatformCertificateValidation upstreamTlsSni:(nullable NSString *)upstreamTlsSni respectSystemProxySettings:(BOOL)respectSystemProxySettings @@ -132,7 +131,6 @@ - (instancetype)initWithConnectTimeoutSeconds:(UInt32)connectTimeoutSeconds self.enableInterfaceBinding = enableInterfaceBinding; self.enableDrainPostDnsRefresh = enableDrainPostDnsRefresh; self.enforceTrustChainVerification = enforceTrustChainVerification; - self.forceIPv6 = forceIPv6; self.enablePlatformCertificateValidation = enablePlatformCertificateValidation; self.upstreamTlsSni = upstreamTlsSni; self.respectSystemProxySettings = respectSystemProxySettings; 
@@ -203,7 +201,6 @@ - (instancetype)initWithConnectTimeoutSeconds:(UInt32)connectTimeoutSeconds builder.enableDrainPostDnsRefresh(self.enableDrainPostDnsRefresh); builder.enableInterfaceBinding(self.enableInterfaceBinding); builder.enforceTrustChainVerification(self.enforceTrustChainVerification); - builder.setForceAlwaysUsev6(self.forceIPv6); builder.addH2ConnectionKeepaliveIdleIntervalMilliseconds( self.h2ConnectionKeepaliveIdleIntervalMilliseconds); builder.addH2ConnectionKeepaliveTimeoutSeconds(self.h2ConnectionKeepaliveTimeoutSeconds); diff --git a/mobile/library/swift/EngineBuilder.swift b/mobile/library/swift/EngineBuilder.swift index b601529c46ab..0a54655eae1d 100644 --- a/mobile/library/swift/EngineBuilder.swift +++ b/mobile/library/swift/EngineBuilder.swift @@ -1,4 +1,3 @@ -// swiftlint:disable type_body_length @_implementationOnly import EnvoyEngine import Foundation @@ -28,7 +27,6 @@ open class EngineBuilder: NSObject { private var upstreamTlsSni: String? private var respectSystemProxySettings: Bool = false private var enableDrainPostDnsRefresh: Bool = false - private var forceIPv6: Bool = false private var h2ConnectionKeepaliveIdleIntervalMilliseconds: UInt32 = 1 private var h2ConnectionKeepaliveTimeoutSeconds: UInt32 = 10 private var maxConnectionsPerHost: UInt32 = 7 
@@ -296,18 +294,6 @@ open class EngineBuilder: NSObject { return self } - /// Specify whether to remap IPv4 addresses to the IPv6 space and always force connections - /// to use IPv6. Note this is an experimental option and should be enabled with caution. - /// - /// - parameter forceIPv6: whether to force connections to use IPv6. - /// - /// - returns: This builder. - @discardableResult - public func forceIPv6(_ forceIPv6: Bool) -> Self { - self.forceIPv6 = forceIPv6 - return self - } - /// Add a rate at which to ping h2 connections on new stream creation if the connection has /// sat idle. Defaults to 1 millisecond which effectively enables h2 ping functionality /// and results in a connection ping on every new stream creation. Set it to @@ -576,7 +562,6 @@ open class EngineBuilder: NSObject { enableInterfaceBinding: self.enableInterfaceBinding, enableDrainPostDnsRefresh: self.enableDrainPostDnsRefresh, enforceTrustChainVerification: self.enforceTrustChainVerification, - forceIPv6: self.forceIPv6, enablePlatformCertificateValidation: self.enablePlatformCertificateValidation, upstreamTlsSni: self.upstreamTlsSni, respectSystemProxySettings: self.respectSystemProxySettings, diff --git a/mobile/test/cc/unit/envoy_config_test.cc b/mobile/test/cc/unit/envoy_config_test.cc index 3d3f161bc8a8..4a12be3b3b33 100644 --- a/mobile/test/cc/unit/envoy_config_test.cc +++ b/mobile/test/cc/unit/envoy_config_test.cc @@ -84,7 +84,6 @@ TEST(TestConfig, ConfigIsApplied) { .addRuntimeGuard("test_feature_false", true) .enableDnsCache(true, /* save_interval_seconds */ 101) .addDnsPreresolveHostnames({"lyft.com", "google.com"}) - .setForceAlwaysUsev6(true) .setUseGroIfAvailable(true) .setDeviceOs("probably-ubuntu-on-CI"); 
@@ -108,7 +107,6 @@ TEST(TestConfig, ConfigIsApplied) { "num_timeouts_to_trigger_port_migration { value: 4 }", "idle_network_timeout { seconds: 30 }", "key: \"dns_persistent_cache\" save_interval { seconds: 101 }", - "key: \"always_use_v6\" value { bool_value: true }", "key: \"prefer_quic_client_udp_gro\" value { bool_value: true }", "key: \"test_feature_false\" value { bool_value: true }", "key: \"device_os\" value { string_value: \"probably-ubuntu-on-CI\" } }", diff --git a/mobile/test/java/io/envoyproxy/envoymobile/engine/EnvoyConfigurationTest.kt b/mobile/test/java/io/envoyproxy/envoymobile/engine/EnvoyConfigurationTest.kt index 9fd4d9736b1f..ade0380f20a4 100644 --- a/mobile/test/java/io/envoyproxy/envoymobile/engine/EnvoyConfigurationTest.kt +++ b/mobile/test/java/io/envoyproxy/envoymobile/engine/EnvoyConfigurationTest.kt @@ -84,7 +84,6 @@ class EnvoyConfigurationTest { enableHttp3: Boolean = true, enableCares: Boolean = false, caresFallbackResolvers: MutableList> = mutableListOf(Pair("1.2.3.4", 88)), - forceV6: Boolean = true, enableGro: Boolean = false, http3ConnectionOptions: String = "5RTO", http3ClientConnectionOptions: String = "MPQC", @@ -132,7 +131,6 @@ class EnvoyConfigurationTest { enableDrainPostDnsRefresh, enableHttp3, enableCares, - forceV6, enableGro, http3ConnectionOptions, http3ClientConnectionOptions, @@ -184,9 +182,6 @@ class EnvoyConfigurationTest { assertThat(resolvedTemplate).contains("hostname1") assertThat(resolvedTemplate).contains("num_retries { value: 3 }") - // Forcing IPv6 - assertThat(resolvedTemplate).contains("key: \"always_use_v6\" value { bool_value: true }") - // H2 Ping assertThat(resolvedTemplate).contains("connection_idle_interval { nanos: 222000000 }") assertThat(resolvedTemplate).contains("connection_keepalive { timeout { seconds: 333 }") diff --git a/mobile/test/swift/EngineBuilderTests.swift b/mobile/test/swift/EngineBuilderTests.swift index c14110611544..d78e2a2ddf01 100644 
--- a/mobile/test/swift/EngineBuilderTests.swift +++ b/mobile/test/swift/EngineBuilderTests.swift @@ -79,20 +79,6 @@ final class EngineBuilderTests: XCTestCase { self.waitForExpectations(timeout: 0.01) } - func testForceIPv6AddsToConfigurationWhenRunningEnvoy() { - let expectation = self.expectation(description: "Run called with force IPv6") - MockEnvoyEngine.onRunWithConfig = { config, _ in - XCTAssertTrue(config.forceIPv6) - expectation.fulfill() - } - - _ = EngineBuilder() - .addEngineType(MockEnvoyEngine.self) - .forceIPv6(true) - .build() - self.waitForExpectations(timeout: 0.01) - } - func testAddingConnectTimeoutSecondsAddsToConfigurationWhenRunningEnvoy() { let expectation = self.expectation(description: "Run called with expected data") MockEnvoyEngine.onRunWithConfig = { config, _ in diff --git a/mobile/test/swift/apps/experimental/ViewController.swift b/mobile/test/swift/apps/experimental/ViewController.swift index 64aa02113204..9140dc5003ea 100644 --- a/mobile/test/swift/apps/experimental/ViewController.swift +++ b/mobile/test/swift/apps/experimental/ViewController.swift @@ -39,7 +39,6 @@ final class ViewController: UITableViewController { .addStringAccessor(name: "demo-accessor", accessor: { return "PlatformString" }) .addKeyValueStore(name: "demo-kv-store", keyValueStore: UserDefaults.standard) .setEventTracker { NSLog("Envoy event emitted: \($0)") } - .forceIPv6(true) .build() self.streamClient = engine.streamClient() self.pulseClient = engine.pulseClient() diff --git a/source/common/network/address_impl.cc b/source/common/network/address_impl.cc index 599f5464f168..ca5fba23242b 100644 --- a/source/common/network/address_impl.cc +++ b/source/common/network/address_impl.cc 
@@ -48,8 +48,11 @@ InstanceConstSharedPtr throwOnError(StatusOr address) {
 } // namespace
 bool forceV6() {
-#if defined(__APPLE__) || defined(__ANDROID_API__)
- return Runtime::runtimeFeatureEnabled("envoy.reloadable_features.always_use_v6");
+ // It turns out Android doesn't handle v4 addresses over v6 networks
+ // gracefully in all situations but does handle mapped v4 addresses
+ // gracefully, so always use mapped addresses to work around this.
+#if defined(__ANDROID_API__)
+ return true;
 #else
 return false;
 #endif
diff --git a/source/common/runtime/runtime_features.cc b/source/common/runtime/runtime_features.cc
index c0c4eb099af6..29f51f0b475a 100644
--- a/source/common/runtime/runtime_features.cc
+++ b/source/common/runtime/runtime_features.cc
@@ -124,10 +124,6 @@ FALSE_RUNTIME_GUARD(envoy_reloadable_features_unified_mux);
 FALSE_RUNTIME_GUARD(envoy_reloadable_features_http2_use_oghttp2);
 // Used to track if runtime is initialized.
 FALSE_RUNTIME_GUARD(envoy_reloadable_features_runtime_initialized);
-// TODO(mattklein123): Flip this to true and/or remove completely once verified by Envoy Mobile.
-// TODO(mattklein123): Also unit test this if this sticks and this becomes the default for Apple &
-// Android.
-FALSE_RUNTIME_GUARD(envoy_reloadable_features_always_use_v6);
 // TODO(vikaschoudhary16) flip this to true only after all the
 // TcpProxy::Filter::HttpStreamDecoderFilterCallbacks are implemented or commented as unnecessary
 FALSE_RUNTIME_GUARD(envoy_restart_features_upstream_http_filters_with_tcp_proxy);
From 6030fdb6174e75c95e290f5e974b5fa3781604ea Mon Sep 17 00:00:00 2001
From: phlax
Date: Wed, 23 Oct 2024 15:18:57 +0100
Subject: [PATCH 10/11] ci/tests: Revert some integration tests to `2core` (#36784)
Signed-off-by: Ryan Northey
---
 test/common/http/BUILD | 2 +-
 test/integration/BUILD | 14 +++++++-------
 test/integration/python/BUILD | 2 +-
 3 files changed, 9 insertions(+), 9 deletions(-)
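Review bot: In `forceV6()` (source/common/network/address_impl.cc) the new comment explains why Android always uses mapped v4 addresses but not why `__APPLE__` was dropped from the `#if`, even though the commit message gives the reason. A line such as `// Not enabled on Apple platforms: forcing mapped addresses proved harmful on iOS.` would keep the guard from being widened again. With the `always_use_v6` guard deleted in the runtime_features.cc hunk the Android behaviour is fixed at compile time with no runtime override, and the removed TODO asked for a unit test if this became the default; none is visible in this patch, so a test of the mapped-address path seems worth adding. The end of `forceV6()` lies outside the hunk.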
diff --git a/test/common/http/BUILD b/test/common/http/BUILD
index 986ce0c707c7..f385d007872e 100644
--- a/test/common/http/BUILD
+++ b/test/common/http/BUILD
@@ -293,7 +293,7 @@ envoy_cc_test(
 "conn_manager_impl_test.cc",
 "conn_manager_impl_test_2.cc",
 ],
- rbe_pool = "6gig",
+ rbe_pool = "2core",
 deps = [
 ":conn_manager_impl_test_base_lib",
 ":custom_header_extension_lib",
diff --git a/test/integration/BUILD b/test/integration/BUILD
index c636de642eb6..1977ebfce3b1 100644
--- a/test/integration/BUILD
+++ b/test/integration/BUILD
@@ -136,7 +136,7 @@ envoy_cc_test(
 data = [
 "//test/config/integration/certs",
 ],
- rbe_pool = "6gig",
+ rbe_pool = "2core",
 shard_count = 4,
 tags = [
 "cpu:3",
@@ -508,7 +508,7 @@ envoy_cc_test(
 srcs = [
 "http2_flood_integration_test.cc",
 ],
- rbe_pool = "6gig",
+ rbe_pool = "2core",
 shard_count = 6,
 tags = [
 "cpu:3",
@@ -1041,7 +1041,7 @@ envoy_cc_test(
 name = "idle_timeout_integration_test",
 size = "large",
 srcs = ["idle_timeout_integration_test.cc"],
- rbe_pool = "6gig",
+ rbe_pool = "2core",
 # As this test has many pauses for idle timeouts, it takes a while to run.
 # Shard it enough to bring the run time in line with other integration tests.
 shard_count = 8,
@@ -1920,7 +1920,7 @@ envoy_cc_test(
 data = [
 "//test/config/integration/certs",
 ],
- rbe_pool = "6gig",
+ rbe_pool = "2core",
 shard_count = 30,
 tags = [
 "cpu:3",
@@ -2009,7 +2009,7 @@ envoy_cc_test(
 srcs = [
 "tcp_async_client_integration_test.cc",
 ],
- rbe_pool = "6gig",
+ rbe_pool = "2core",
 deps = [
 ":integration_lib",
 "//test/integration/filters:test_network_async_tcp_filter_lib",
@@ -2107,7 +2107,7 @@ envoy_cc_test(
 "//test/config/integration:server_xds_files",
 "//test/config/integration/certs",
 ],
- rbe_pool = "6gig",
+ rbe_pool = "2core",
 tags = [
 "cpu:3",
 ],
@@ -2421,7 +2421,7 @@ envoy_cc_test(
 name = "direct_response_integration_test",
 size = "large",
 srcs = ["direct_response_integration_test.cc"],
- rbe_pool = "6gig",
+ rbe_pool = "2core",
 tags = [
 "cpu:2",
 ],
diff --git a/test/integration/python/BUILD b/test/integration/python/BUILD index 5fee9408ca19..f04ac587f8d7 100644 --- a/test/integration/python/BUILD +++ b/test/integration/python/BUILD @@ -27,7 +27,7 @@ envoy_py_test( "//tools/h3_request", ], exec_properties = select({ - "//bazel:engflow_rbe": {"Pool": "6gig"}, + "//bazel:engflow_rbe": {"Pool": "2core"}, "//conditions:default": {}, }), main = select({ From a5f9f35a51234d451d84cba00a8d62c95cdb9834 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alejandro=20R=2E=20Sede=C3=B1o?= Date: Wed, 23 Oct 2024 10:37:17 -0400 Subject: [PATCH 11/11] bump cel-cpp (#36661) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Update cel-cpp to `HEAD` as of when this PR was made, and drop the now-obsolete patches. https://github.com/google/cel-cpp/commit/b03438ae95cac305d672b56c35472894a09fba19 Signed-off-by: Alejandro R. SedeƱo --- bazel/cel-cpp.patch | 217 --------------------------------- bazel/repositories.bzl | 2 - bazel/repository_locations.bzl | 6 +- 3 files changed, 3 insertions(+), 222 deletions(-) delete mode 100644 bazel/cel-cpp.patch diff --git a/bazel/cel-cpp.patch b/bazel/cel-cpp.patch deleted file mode 100644 index 71ebb3f83b0a..000000000000 --- a/bazel/cel-cpp.patch +++ /dev/null 
@@ -1,217 +0,0 @@ -diff --git a/base/attribute.h b/base/attribute.h -index 9462c180..d6dcce83 100644 ---- a/base/attribute.h -+++ b/base/attribute.h -@@ -23,6 +23,7 @@ - #include - - #include "absl/status/statusor.h" -+#include "absl/strings/str_cat.h" - #include "absl/strings/string_view.h" - #include "absl/types/optional.h" - #include "absl/types/span.h" -diff --git a/base/memory.h b/base/memory.h -index 3552e19a..0fbe618b 100644 ---- a/base/memory.h -+++ b/base/memory.h -@@ -166,8 +166,8 @@ std::enable_if_t, Handle> HandleFactory::Make( - #if defined(__cpp_lib_is_pointer_interconvertible) && \ - __cpp_lib_is_pointer_interconvertible >= 201907L - // Only available in C++20. -- static_assert(std::is_pointer_interconvertible_base_of_v, -- "F must be pointer interconvertible to Data"); -+// static_assert(std::is_pointer_interconvertible_base_of_v, -+// "F must be pointer interconvertible to Data"); - #endif - if (memory_manager.memory_management() == MemoryManagement::kPooling) { - void* addr; -diff --git a/eval/eval/cel_expression_flat_impl.h b/eval/eval/cel_expression_flat_impl.h -index c2a027e6..801a1463 100644 ---- a/eval/eval/cel_expression_flat_impl.h -+++ b/eval/eval/cel_expression_flat_impl.h -@@ -51,7 +51,7 @@ class CelExpressionFlatImpl : public CelExpression { - CelExpressionFlatImpl(const CelExpressionFlatImpl&) = delete; - CelExpressionFlatImpl& operator=(const CelExpressionFlatImpl&) = delete; - CelExpressionFlatImpl(CelExpressionFlatImpl&&) = default; -- CelExpressionFlatImpl& operator=(CelExpressionFlatImpl&&) = default; -+ CelExpressionFlatImpl& operator=(CelExpressionFlatImpl&&) = delete; - - // Implement CelExpression. 
- std::unique_ptr InitializeState( -diff --git a/eval/internal/interop.cc b/eval/internal/interop.cc -index 3acde6c3..20f8ea31 100644 ---- a/eval/internal/interop.cc -+++ b/eval/internal/interop.cc -@@ -729,13 +729,14 @@ absl::StatusOr ToLegacyValue(google::protobuf::Arena* arena, - return CelValue::CreateMessageWrapper( - MessageWrapperAccess::Make(message, type_info)); - } -- if (ProtoStructValueToMessageWrapper) { -+ // This weak symbol is never defined in Envoy, and checking it causes linker failures on macOS -+ /*if (ProtoStructValueToMessageWrapper) { - auto maybe_message_wrapper = ProtoStructValueToMessageWrapper(*value); - if (maybe_message_wrapper.has_value()) { - return CelValue::CreateMessageWrapper( - std::move(maybe_message_wrapper).value()); - } -- } -+ }*/ - return absl::UnimplementedError( - "only legacy struct types and values can be used for interop"); - } -diff --git a/eval/public/cel_value.cc b/eval/public/cel_value.cc -index 6aeff6dc..c43864cf 100644 ---- a/eval/public/cel_value.cc -+++ b/eval/public/cel_value.cc -@@ -107,7 +107,7 @@ struct DebugStringVisitor { - - } // namespace - --const absl::string_view kPayloadUrlMissingAttributePath = -+ABSL_CONST_INIT const absl::string_view kPayloadUrlMissingAttributePath = - cel::runtime_internal::kPayloadUrlMissingAttributePath; - - CelValue CelValue::CreateDuration(absl::Duration value) { -diff --git a/eval/public/containers/container_backed_map_impl.h b/eval/public/containers/container_backed_map_impl.h -index 6092eefc..7548bbf4 100644 ---- a/eval/public/containers/container_backed_map_impl.h -+++ b/eval/public/containers/container_backed_map_impl.h -@@ -30,6 +30,7 @@ class CelMapBuilder : public CelMap { - return values_map_.contains(cel_key); - } - -+ using CelMap::ListKeys; - absl::StatusOr ListKeys() const override { - return &key_list_; - } -diff --git a/eval/public/containers/internal_field_backed_map_impl.h b/eval/public/containers/internal_field_backed_map_impl.h -index ec773d9d..caa2f3a5 
100644 ---- a/eval/public/containers/internal_field_backed_map_impl.h -+++ b/eval/public/containers/internal_field_backed_map_impl.h -@@ -43,6 +43,7 @@ class FieldBackedMapImpl : public CelMap { - // Presence test function. - absl::StatusOr Has(const CelValue& key) const override; - -+ using CelMap::ListKeys; - absl::StatusOr ListKeys() const override; - - protected: -diff --git a/eval/public/structs/cel_proto_lite_wrap_util.cc b/eval/public/structs/cel_proto_lite_wrap_util.cc -index 4cb21e57..35fdf7fa 100644 ---- a/eval/public/structs/cel_proto_lite_wrap_util.cc -+++ b/eval/public/structs/cel_proto_lite_wrap_util.cc -@@ -172,6 +172,7 @@ class DynamicMap : public CelMap { - - int size() const override { return values_->fields_size(); } - -+ using CelMap::ListKeys; - absl::StatusOr ListKeys() const override { - return &key_list_; - } -diff --git a/eval/public/structs/cel_proto_wrap_util.cc b/eval/public/structs/cel_proto_wrap_util.cc -index fabb5941..86a314c7 100644 ---- a/eval/public/structs/cel_proto_wrap_util.cc -+++ b/eval/public/structs/cel_proto_wrap_util.cc -@@ -137,6 +137,7 @@ class DynamicMap : public CelMap { - - int size() const override { return values_->fields_size(); } - -+ using CelMap::ListKeys; - absl::StatusOr ListKeys() const override { - return &key_list_; - } -diff --git a/extensions/select_optimization.cc b/extensions/select_optimization.cc -index 292bb715..000d5754 100644 ---- a/extensions/select_optimization.cc -+++ b/extensions/select_optimization.cc -@@ -557,7 +557,6 @@ class OptimizedSelectStep : public ExpressionStepBase { - select_path_(std::move(select_path)), - qualifiers_(std::move(qualifiers)), - presence_test_(presence_test), -- enable_wrapper_type_null_unboxing_(enable_wrapper_type_null_unboxing), - options_(options) - - { -@@ -579,7 +578,6 @@ class OptimizedSelectStep : public ExpressionStepBase { - std::vector select_path_; - std::vector qualifiers_; - bool presence_test_; -- bool enable_wrapper_type_null_unboxing_; - 
SelectOptimizationOptions options_; - }; - -diff --git a/internal/proto_wire.h b/internal/proto_wire.h -index deb7fd97..0a0ccedc 100644 ---- a/internal/proto_wire.h -+++ b/internal/proto_wire.h -@@ -75,7 +75,7 @@ inline constexpr size_t VarintSize(bool x ABSL_ATTRIBUTE_UNUSED) { return 1; } - // Compile-time constant for the size required to encode any value of the - // integral type `T` using varint. - template --inline constexpr size_t kMaxVarintSize = VarintSize(static_cast(~T{0})); -+inline constexpr size_t kMaxVarintSize = VarintSize(static_cast(!T{0})); - - // Enumeration of the protocol buffer wire tags, see - // https://protobuf.dev/programming-guides/encoding/#structure. -diff --git a/internal/strings.cc b/internal/strings.cc -index dc5a1189..24457aba 100644 ---- a/internal/strings.cc -+++ b/internal/strings.cc -@@ -53,12 +53,12 @@ bool CheckForClosingString(absl::string_view source, - if (closing_str.empty()) return true; - - const char* p = source.data(); -- const char* end = source.end(); -+ const char* end = p + source.size(); - - bool is_closed = false; - while (p + closing_str.length() <= end) { - if (*p != '\\') { -- size_t cur_pos = p - source.begin(); -+ size_t cur_pos = p - source.data(); - bool is_closing = - absl::StartsWith(absl::ClippedSubstr(source, cur_pos), closing_str); - if (is_closing && p + closing_str.length() < end) { -@@ -132,7 +132,7 @@ bool UnescapeInternal(absl::string_view source, absl::string_view closing_str, - dest->reserve(source.size()); - - const char* p = source.data(); -- const char* end = source.end(); -+ const char* end = p + source.size(); - const char* last_byte = end - 1; - - while (p < end) { -@@ -446,7 +446,9 @@ std::string EscapeInternal(absl::string_view src, bool escape_all_bytes, - // byte. - dest.reserve(src.size() * 4); - bool last_hex_escape = false; // true if last output char was \xNN. 
-- for (const char* p = src.begin(); p < src.end(); ++p) { -+ const char* p = src.data(); -+ const char* end = p + src.size(); -+ for (; p < end; ++p) { - unsigned char c = static_cast(*p); - bool is_hex_escape = false; - switch (c) { -@@ -552,7 +554,9 @@ std::string EscapeString(absl::string_view str) { - std::string EscapeBytes(absl::string_view str, bool escape_all_bytes, - char escape_quote_char) { - std::string escaped_bytes; -- for (const char* p = str.begin(); p < str.end(); ++p) { -+ const char* p = str.data(); -+ const char* end = p + str.size(); -+ for (; p < end; ++p) { - unsigned char c = *p; - if (escape_all_bytes || !absl::ascii_isprint(c)) { - escaped_bytes += "\\x"; -diff --git a/tools/flatbuffers_backed_impl.cc b/tools/flatbuffers_backed_impl.cc -index 10c0b1cb..45ba72f1 100644 ---- a/tools/flatbuffers_backed_impl.cc -+++ b/tools/flatbuffers_backed_impl.cc -@@ -130,6 +130,7 @@ class ObjectStringIndexedMapImpl : public CelMap { - return absl::nullopt; - } - -+ using CelMap::ListKeys; - absl::StatusOr ListKeys() const override { return &keys_; } - - private: diff --git a/bazel/repositories.bzl b/bazel/repositories.bzl index 5cb573770f0a..3eabd0b2b7ae 100644 --- a/bazel/repositories.bzl +++ b/bazel/repositories.bzl @@ -489,8 +489,6 @@ def _com_github_facebook_zstd(): def _com_google_cel_cpp(): external_http_archive( "com_google_cel_cpp", - patches = ["@envoy//bazel:cel-cpp.patch"], - patch_args = ["-p1"], ) def _com_github_google_perfetto(): diff --git a/bazel/repository_locations.bzl b/bazel/repository_locations.bzl index ead4a03e5e4b..ce451d9ef0ef 100644 --- a/bazel/repository_locations.bzl +++ b/bazel/repository_locations.bzl 
@@ -1254,8 +1254,8 @@ REPOSITORY_LOCATIONS_SPEC = dict(
 project_name = "Common Expression Language (CEL) C++ library",
 project_desc = "Common Expression Language (CEL) C++ library",
 project_url = "https://opensource.google/projects/cel",
- version = "0abd738f9f54388452e6ebb0955eb039f9162b3d",
- sha256 = "d163805320a782c5194b7496cdd5e8c9d9604eeffc1e531770cf6b130bc182fd",
+ version = "b03438ae95cac305d672b56c35472894a09fba19",
+ sha256 = "0c5778861e427c704e0c07287269d8a490af623284c50b017132e77638c7bdfb",
 strip_prefix = "cel-cpp-{version}",
 urls = ["https://github.com/google/cel-cpp/archive/{version}.tar.gz"],
 use_category = ["dataplane_ext"],
@@ -1276,7 +1276,7 @@ REPOSITORY_LOCATIONS_SPEC = dict(
 "envoy.matching.inputs.cel_data_input",
 "envoy.matching.matchers.cel_matcher",
 ],
- release_date = "2023-12-20",
+ release_date = "2024-10-22",
 cpe = "N/A",
 ),
 com_github_google_flatbuffers = dict(