Merge remote-tracking branch 'upstream/main' into xds_failover_main

Signed-off-by: Adi Suissa-Peleg <[email protected]>
adisuissa · May 28, 2024 · a4db443 · a4db443
2 parents 5c1508e + fd1d7ed
commit a4db443
Show file tree

Hide file tree

Showing 126 changed files with 2,312 additions and 1,096 deletions.
diff --git a/CODEOWNERS b/CODEOWNERS
@@ -293,6 +293,8 @@ extensions/filters/http/oauth2 @derekargueta @mattklein123
 # Thrift
 /*/extensions/filters/network/thrift_proxy @zuercher @JuniorHsu
 /*/extensions/health_checkers/thrift @zuercher @JuniorHsu
+# Thrift to metadata
+/*/extensions/filters/http/thrift_to_metadata @JuniorHsu @zuercher
 # IP tagging
 /*/extensions/filters/http/ip_tagging @alyssawilk @JuniorHsu
 # Header to metadata

diff --git a/api/BUILD b/api/BUILD
@@ -215,6 +215,7 @@ proto_library(
         "//envoy/extensions/filters/http/set_metadata/v3:pkg",
         "//envoy/extensions/filters/http/stateful_session/v3:pkg",
         "//envoy/extensions/filters/http/tap/v3:pkg",
+        "//envoy/extensions/filters/http/thrift_to_metadata/v3:pkg",
         "//envoy/extensions/filters/http/upstream_codec/v3:pkg",
         "//envoy/extensions/filters/http/wasm/v3:pkg",
         "//envoy/extensions/filters/listener/http_inspector/v3:pkg",

diff --git a/api/bazel/repository_locations.bzl b/api/bazel/repository_locations.bzl
@@ -131,11 +131,11 @@ REPOSITORY_LOCATIONS_SPEC = dict(
         project_name = "buf",
         project_desc = "A new way of working with Protocol Buffers.",  # Used for breaking change detection in API protobufs
         project_url = "https://buf.build",
-        version = "1.32.0",
-        sha256 = "305ca72cdd874deab5d803580ea2a930a37df0a7a81813a0d0b5f3ef5384f735",
+        version = "1.32.1",
+        sha256 = "ca09415a6f0b86d9c38bde25a678dcc31b8e75492e68379e36b6c9ccd1755190",
         strip_prefix = "buf",
         urls = ["https://github.com/bufbuild/buf/releases/download/v{version}/buf-Linux-x86_64.tar.gz"],
-        release_date = "2024-05-16",
+        release_date = "2024-05-21",
         use_category = ["api"],
         license = "Apache-2.0",
         license_url = "https://github.com/bufbuild/buf/blob/v{version}/LICENSE",

diff --git a/api/envoy/extensions/filters/http/thrift_to_metadata/v3/BUILD b/api/envoy/extensions/filters/http/thrift_to_metadata/v3/BUILD
@@ -0,0 +1,13 @@
+# DO NOT EDIT. This file is generated by tools/proto_format/proto_sync.py.
+
+load("@envoy_api//bazel:api_build_system.bzl", "api_proto_package")
+
+licenses(["notice"])  # Apache 2
+
+api_proto_package(
+    deps = [
+        "//envoy/extensions/filters/network/thrift_proxy/v3:pkg",
+        "@com_github_cncf_xds//udpa/annotations:pkg",
+        "@com_github_cncf_xds//xds/annotations/v3:pkg",
+    ],
+)
diff --git a/api/envoy/extensions/filters/http/thrift_to_metadata/v3/thrift_to_metadata.proto b/api/envoy/extensions/filters/http/thrift_to_metadata/v3/thrift_to_metadata.proto
@@ -0,0 +1,190 @@
+syntax = "proto3";
+
+package envoy.extensions.filters.http.thrift_to_metadata.v3;
+
+import "envoy/extensions/filters/network/thrift_proxy/v3/thrift_proxy.proto";
+
+import "google/protobuf/struct.proto";
+
+import "xds/annotations/v3/status.proto";
+
+import "udpa/annotations/status.proto";
+import "validate/validate.proto";
+
+option java_package = "io.envoyproxy.envoy.extensions.filters.http.thrift_to_metadata.v3";
+option java_outer_classname = "ThriftToMetadataProto";
+option java_multiple_files = true;
+option go_package = "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/http/thrift_to_metadata/v3;thrift_to_metadatav3";
+option (udpa.annotations.file_status).package_version_status = ACTIVE;
+option (xds.annotations.v3.file_status).work_in_progress = true;
+
+// [#protodoc-title: Thrift-To-Metadata Filter]
+//
+// The Thrift to Metadata filter serves for thrift over HTTP traffic, expecting serialized
+// Thrift request and response bodies in the HTTP payload. It extracts *thrift metadata* from the
+// HTTP body and put them into the *filter metadata*. This is useful for matching load balancer
+// subsets, logging, etc.
+//
+// Thrift to Metadata :ref:`configuration overview <config_http_filters_thrift_to_metadata>`.
+// [#extension: envoy.filters.http.thrift_to_metadata]
+
+enum Field {
+  // The Thrift method name, string value.
+  METHOD_NAME = 0;
+
+  // The Thrift protocol name, string value. Values are "binary", "binary/non-strict", and "compact", with "(auto)" suffix if
+  // :ref:`protocol <envoy_v3_api_field_extensions.filters.http.thrift_to_metadata.v3.ThriftToMetadata.protocol>`
+  // is set to :ref:`AUTO_PROTOCOL<envoy_v3_api_enum_value_extensions.filters.network.thrift_proxy.v3.ProtocolType.AUTO_PROTOCOL>`
+  PROTOCOL = 1;
+
+  // The Thrift transport name, string value. Values are "framed", "header", and "unframed", with "(auto)" suffix if
+  // :ref:`transport <envoy_v3_api_field_extensions.filters.http.thrift_to_metadata.v3.ThriftToMetadata.transport>`
+  // is set to :ref:`AUTO_TRANSPORT<envoy_v3_api_enum_value_extensions.filters.network.thrift_proxy.v3.TransportType.AUTO_TRANSPORT>`
+  TRANSPORT = 2;
+
+  // The Thrift message type, singed 16-bit integer value.
+  HEADER_FLAGS = 3;
+
+  // The Thrift sequence ID, singed 32-bit integer value.
+  SEQUENCE_ID = 4;
+
+  // The Thrift message type, string value. Values in request are "call" and "oneway", and in response are "reply" and "exception".
+  MESSAGE_TYPE = 5;
+
+  // The Thrift reply type, string value. This is only valid for response rules. Values are "success" and "error".
+  REPLY_TYPE = 6;
+}
+
+message KeyValuePair {
+  // The namespace — if this is empty, the filter's namespace will be used.
+  string metadata_namespace = 1;
+
+  // The key to use within the namespace.
+  string key = 2 [(validate.rules).string = {min_len: 1}];
+
+  // When used for on_present case, if value is non-empty it'll be used instead
+  // of the field value.
+  //
+  // When used for on_missing case, a non-empty value must be provided.
+  google.protobuf.Value value = 3;
+}
+
+message FieldSelector {
+  option (xds.annotations.v3.message_status).work_in_progress = true;
+
+  // field name to log
+  string name = 1 [(validate.rules).string = {min_len: 1}];
+
+  // field id to match
+  int32 id = 2 [(validate.rules).int32 = {lte: 32767 gte: -32768}];
+
+  // next node of the field selector
+  FieldSelector child = 3;
+}
+
+// [#next-free-field: 6]
+message Rule {
+  // The field to match on. If set, takes precedence over field_selector.
+  Field field = 1;
+
+  // Specifies that a match will be performed on the value of a field in the thrift body.
+  // If set, the whole http body will be buffered to extract the field value, which
+  // may have performance implications.
+  //
+  // It's a thrift over http version of
+  // :ref:`field_selector<envoy_v3_api_field_extensions.filters.network.thrift_proxy.filters.payload_to_metadata.v3.PayloadToMetadata.Rule.field_selector>`.
+  //
+  // See also `payload-to-metadata <https://www.envoyproxy.io/docs/envoy/latest/configuration/other_protocols/thrift_filters/payload_to_metadata_filter>`_
+  // for more reference.
+  //
+  // Example:
+  //
+  // .. code-block:: yaml
+  //
+  //    method_name: foo
+  //    field_selector:
+  //      name: info
+  //      id: 2
+  //      child:
+  //        name: version
+  //        id: 1
+  //
+  // The above yaml will match on value of ``info.version`` in the below thrift schema as input of
+  // :ref:`on_present<envoy_v3_api_field_extensions.filters.http.thrift_to_metadata.v3.Rule.on_present>` or
+  // :ref:`on_missing<envoy_v3_api_field_extensions.filters.http.thrift_to_metadata.v3.Rule.on_missing>`
+  // while we are processing ``foo`` method. This rule won't be applied to ``bar`` method.
+  //
+  // .. code-block:: thrift
+  //
+  //    struct Info {
+  //      1: required string version;
+  //    }
+  //    service Server {
+  //      bool foo(1: i32 id, 2: Info info);
+  //      bool bar(1: i32 id, 2: Info info);
+  //    }
+  //
+  FieldSelector field_selector = 2 [(xds.annotations.v3.field_status).work_in_progress = true];
+
+  // If specified, :ref:`field_selector<envoy_v3_api_field_extensions.filters.http.thrift_to_metadata.v3.Rule.field_selector>`
+  // will be used to extract the field value *only* on the thrift message with method name.
+  string method_name = 3 [(xds.annotations.v3.field_status).work_in_progress = true];
+
+  // The key-value pair to set in the *filter metadata* if the field is present
+  // in *thrift metadata*.
+  //
+  // If the value in the KeyValuePair is non-empty, it'll be used instead
+  // of field value.
+  KeyValuePair on_present = 4;
+
+  // The key-value pair to set in the *filter metadata* if the field is missing
+  // in *thrift metadata*.
+  //
+  // The value in the KeyValuePair must be set, since it'll be used in lieu
+  // of the missing field value.
+  KeyValuePair on_missing = 5;
+}
+
+// The configuration for transforming thrift metadata into filter metadata.
+//
+// [#next-free-field: 7]
+message ThriftToMetadata {
+  // The list of rules to apply to http request body to extract thrift metadata.
+  repeated Rule request_rules = 1;
+
+  // The list of rules to apply to http response body to extract thrift metadata.
+  repeated Rule response_rules = 2;
+
+  // Supplies the type of transport that the Thrift proxy should use. Defaults to
+  // :ref:`AUTO_TRANSPORT<envoy_v3_api_enum_value_extensions.filters.network.thrift_proxy.v3.TransportType.AUTO_TRANSPORT>`.
+  network.thrift_proxy.v3.TransportType transport = 3
+      [(validate.rules).enum = {defined_only: true}];
+
+  // Supplies the type of protocol that the Thrift proxy should use. Defaults to
+  // :ref:`AUTO_PROTOCOL<envoy_v3_api_enum_value_extensions.filters.network.thrift_proxy.v3.ProtocolType.AUTO_PROTOCOL>`.
+  // Note that :ref:`TWITTER<envoy_v3_api_enum_value_extensions.filters.network.thrift_proxy.v3.ProtocolType.TWITTER>` is
+  // not supported due to deprecation in envoy.
+  network.thrift_proxy.v3.ProtocolType protocol = 4 [(validate.rules).enum = {defined_only: true}];
+
+  // Allowed content-type for thrift payload to filter metadata transformation.
+  // Default to ``{"application/x-thrift"}``.
+  //
+  // Set ``allow_empty_content_type`` if empty/missing content-type header
+  // is allowed.
+  repeated string allow_content_types = 5
+      [(validate.rules).repeated = {items {string {min_len: 1}}}];
+
+  // Allowed empty content-type for thrift payload to filter metadata transformation.
+  // Default to false.
+  bool allow_empty_content_type = 6;
+}
+
+// Thrift to metadata configuration on a per-route basis, which overrides the global configuration for
+// request rules and responses rules.
+message ThriftToMetadataPerRoute {
+  // The list of rules to apply to http request body to extract thrift metadata.
+  repeated Rule request_rules = 1;
+
+  // The list of rules to apply to http response body to extract thrift metadata.
+  repeated Rule response_rules = 2;
+}
diff --git a/api/versioning/BUILD b/api/versioning/BUILD
@@ -153,6 +153,7 @@ proto_library(
         "//envoy/extensions/filters/http/set_metadata/v3:pkg",
         "//envoy/extensions/filters/http/stateful_session/v3:pkg",
         "//envoy/extensions/filters/http/tap/v3:pkg",
+        "//envoy/extensions/filters/http/thrift_to_metadata/v3:pkg",
         "//envoy/extensions/filters/http/upstream_codec/v3:pkg",
         "//envoy/extensions/filters/http/wasm/v3:pkg",
         "//envoy/extensions/filters/listener/http_inspector/v3:pkg",

diff --git a/bazel/repository_locations.bzl b/bazel/repository_locations.bzl
@@ -72,9 +72,9 @@ REPOSITORY_LOCATIONS_SPEC = dict(
         project_name = "Bazel build tools",
         project_desc = "Developer tools for working with Google's bazel buildtool.",
         project_url = "https://github.com/bazelbuild/buildtools",
-        version = "7.1.1",
-        sha256 = "60a9025072ae237f325d0e7b661e1685f34922c29883888c2d06f5789462b939",
-        release_date = "2024-04-17",
+        version = "7.1.2",
+        sha256 = "39c59cb5352892292cbe3174055aac187edcb5324c9b4e2d96cb6e40bd753877",
+        release_date = "2024-05-23",
         strip_prefix = "buildtools-{version}",
         urls = ["https://github.com/bazelbuild/buildtools/archive/v{version}.tar.gz"],
         use_category = ["test_only"],
@@ -148,12 +148,12 @@ REPOSITORY_LOCATIONS_SPEC = dict(
         project_name = "Aspect Bazel helpers",
         project_desc = "Base Starlark libraries and basic Bazel rules which are useful for constructing rulesets and BUILD files",
         project_url = "https://github.com/aspect-build/bazel-lib",
-        version = "2.7.3",
-        sha256 = "87ab4ec479ebeb00d286266aca2068caeef1bb0b1765e8f71c7b6cfee6af4226",
+        version = "2.7.6",
+        sha256 = "3a702a082560c94c2f1a9b34996a2f1364aeb979641cece34a7868508bae552e",
         strip_prefix = "bazel-lib-{version}",
         urls = ["https://github.com/aspect-build/bazel-lib/archive/v{version}.tar.gz"],
         use_category = ["build"],
-        release_date = "2024-05-08",
+        release_date = "2024-05-23",
         cpe = "N/A",
         license = "Apache-2.0",
         license_url = "https://github.com/aspect-build/bazel-lib/blob/v{version}/LICENSE",
@@ -636,12 +636,12 @@ REPOSITORY_LOCATIONS_SPEC = dict(
         project_name = "Benchmark",
         project_desc = "Library to benchmark code snippets",
         project_url = "https://github.com/google/benchmark",
-        version = "1.8.3",
-        sha256 = "6bc180a57d23d4d9515519f92b0c83d61b05b5bab188961f36ac7b06b0d9e9ce",
+        version = "1.8.4",
+        sha256 = "3e7059b6b11fb1bbe28e33e02519398ca94c1818874ebed18e504dc6f709be45",
         strip_prefix = "benchmark-{version}",
         urls = ["https://github.com/google/benchmark/archive/v{version}.tar.gz"],
         use_category = ["test_only"],
-        release_date = "2023-08-31",
+        release_date = "2024-05-23",
         license = "Apache-2.0",
         license_url = "https://github.com/google/benchmark/blob/v{version}/LICENSE",
     ),

diff --git a/changelogs/current.yaml b/changelogs/current.yaml
@@ -16,6 +16,10 @@ behavior_changes:
   change: |
     Changes the default value of ``envoy.reloadable_features.http2_use_oghttp2`` to true. This changes the codec used for HTTP/2
     requests and responses. This behavior can be reverted by setting the feature to false.
+- area: http2
+  change: |
+    Passes HTTP/2 DATA frames through a different codec API. This behavior can be temporarily disabled by setting the runtime
+    feature ``envoy.reloadable_features.http2_use_visitor_for_data`` to false.
 - area: proxy_protocol
   change: |
     Populate typed metadata by default in proxy protocol listener. Typed metadata can be consumed as
@@ -63,6 +67,10 @@ minor_behavior_changes:
     ``%UPSTREAM_REMOTE_PORT%`` and ``%UPSTREAM_REMOTE_ADDRESS_WITHOUT_PORT%`` access log format specifiers.
     This behavior can be reverted by setting the runtime guard
     ``envoy.reloadable_features.upstream_remote_address_use_connection`` to false.
+- area: http
+  change: |
+    Changing header validation checks in the substitution format utility and CEL code to do RCF complaint header validation.
+    This behavior can be reverted by setting the runtime guard ``envoy.reloadable_features.consistent_header_validation`` to false.
 - area: quic
   change: |
     When a quic connection socket is created, the socket's detected transport protocol will be set to "quic".

diff --git a/ci/README.md b/ci/README.md
@@ -27,6 +27,10 @@ main commit at which the binary was compiled, and `latest` corresponds to a bina
 
 ## Windows 2019 Envoy image
 
+On August 31, 2023 the Envoy project ended official Windows support due to a lack of resources.
+We will continue to accept patches related to the Windows build. Until further notice, Windows
+builds are excluded from Envoy CI, as well as the Envoy release and security processes.
+
 The Windows 2019 based Envoy Docker image at [`envoyproxy/envoy-build-windows2019:<hash>`](https://hub.docker.com/r/envoyproxy/envoy-build-windows2019/)
 is used for CI checks, where `<hash>` is specified in [`envoy_build_sha.sh`](https://github.com/envoyproxy/envoy/blob/main/ci/envoy_build_sha.sh).
 Developers may work with the most recent `envoyproxy/envoy-build-windows2019` image to provide a self-contained environment for building Envoy binaries and

diff --git a/contrib/golang/filters/http/source/go/pkg/http/filter.go b/contrib/golang/filters/http/source/go/pkg/http/filter.go
@@ -33,7 +33,7 @@ package http
 import "C"
 import (
 	"fmt"
-	"runtime"
+	"runtime/debug"
 	"sync"
 	"sync/atomic"
 	"unsafe"
@@ -129,10 +129,13 @@ func (r *httpRequest) sendPanicReply(details string) {
 
 func (r *httpRequest) RecoverPanic() {
 	if e := recover(); e != nil {
-		const size = 64 << 10
-		buf := make([]byte, size)
-		buf = buf[:runtime.Stack(buf, false)]
-		api.LogErrorf("http: panic serving: %v\n%s", e, buf)
+		buf := debug.Stack()
+
+		if e == errRequestFinished || e == errFilterDestroyed {
+			api.LogInfof("http: panic serving: %v (Client may cancel the request prematurely)\n%s", e, buf)
+		} else {
+			api.LogErrorf("http: panic serving: %v\n%s", e, buf)
+		}
 
 		switch e {
 		case errRequestFinished, errFilterDestroyed:

diff --git a/docs/root/_include/windows_support_ended.rst b/docs/root/_include/windows_support_ended.rst
@@ -0,0 +1,5 @@
+.. note::
+
+  On August 31, 2023 the Envoy project ended official Windows support due to a lack of resources.
+  We will continue to accept patches related to the Windows build. Until further notice, Windows
+  builds are excluded from Envoy CI, as well as the Envoy release and security processes.