Merge remote-tracking branch 'upstream/main' into xds_failover_sotw

Signed-off-by: Adi Suissa-Peleg <[email protected]>
adisuissa · May 31, 2024 · f0ca1a4 · f0ca1a4
2 parents 70410ba + 99bb565
commit f0ca1a4
Show file tree

Hide file tree

Showing 29 changed files with 2,369 additions and 1,210 deletions.
diff --git a/api/bazel/repository_locations.bzl b/api/bazel/repository_locations.bzl
@@ -131,11 +131,11 @@ REPOSITORY_LOCATIONS_SPEC = dict(
         project_name = "buf",
         project_desc = "A new way of working with Protocol Buffers.",  # Used for breaking change detection in API protobufs
         project_url = "https://buf.build",
-        version = "1.32.1",
-        sha256 = "ca09415a6f0b86d9c38bde25a678dcc31b8e75492e68379e36b6c9ccd1755190",
+        version = "1.32.2",
+        sha256 = "16253b6702dd447ef941b01c9c386a2ab7c8d20bbbc86a5efa5953270f6c9010",
         strip_prefix = "buf",
         urls = ["https://github.com/bufbuild/buf/releases/download/v{version}/buf-Linux-x86_64.tar.gz"],
-        release_date = "2024-05-21",
+        release_date = "2024-05-28",
         use_category = ["api"],
         license = "Apache-2.0",
         license_url = "https://github.com/bufbuild/buf/blob/v{version}/LICENSE",

diff --git a/api/envoy/extensions/transport_sockets/tls/v3/common.proto b/api/envoy/extensions/transport_sockets/tls/v3/common.proto
@@ -323,7 +323,7 @@ message SubjectAltNameMatcher {
   type.matcher.v3.StringMatcher matcher = 2 [(validate.rules).message = {required: true}];
 }
 
-// [#next-free-field: 17]
+// [#next-free-field: 18]
 message CertificateValidationContext {
   option (udpa.annotations.versioning).previous_message_type =
       "envoy.api.v2.auth.CertificateValidationContext";
@@ -339,6 +339,9 @@ message CertificateValidationContext {
     ACCEPT_UNTRUSTED = 1;
   }
 
+  message SystemRootCerts {
+  }
+
   reserved 4, 5;
 
   reserved "verify_subject_alt_name";
@@ -389,6 +392,12 @@ message CertificateValidationContext {
   CertificateProviderPluginInstance ca_certificate_provider_instance = 13
       [(udpa.annotations.field_migrate).oneof_promotion = "ca_cert_source"];
 
+  // Use system root certs for validation.
+  // If present, system root certs are used only if neither of the ``trusted_ca``
+  // or ``ca_certificate_provider_instance`` fields are set.
+  // [#not-implemented-hide:]
+  SystemRootCerts system_root_certs = 17;
+
   // If specified, updates of a file-based ``trusted_ca`` source will be triggered
   // by this watch. This allows explicit control over the path watched, by
   // default the parent directory of the filesystem path in ``trusted_ca`` is

diff --git a/changelogs/current.yaml b/changelogs/current.yaml
@@ -118,6 +118,10 @@ bug_fixes:
   change: |
     Handle ``append_action`` from :ref:`external authorization service <envoy_v3_api_msg_service.auth.v3.CheckResponse>`
     that was ignored.
+- area: oauth2
+  change: |
+    Fixed a bug that would cause Envoy to crash when recieving an Oauth callback while the Oauth upstream is unhealthy
+    (e.g. due to DNS issues).
 - area: http
   change: |
     Fix BalsaParser resetting state too early, guarded by default-true

diff --git a/contrib/generic_proxy/filters/network/source/router/BUILD b/contrib/generic_proxy/filters/network/source/router/BUILD
@@ -13,9 +13,11 @@ envoy_cc_library(
     name = "router_lib",
     srcs = [
         "router.cc",
+        "upstream.cc",
     ],
     hdrs = [
         "router.h",
+        "upstream.h",
     ],
     deps = [
         "//contrib/generic_proxy/filters/network/source:tracing_lib",
@@ -30,6 +32,7 @@ envoy_cc_library(
         "//source/common/stream_info:stream_info_lib",
         "//source/common/tracing:tracer_lib",
         "//source/common/upstream:load_balancer_context_base_lib",
+        "@com_github_google_quiche//:quiche_common_lib",
         "@envoy_api//contrib/envoy/extensions/filters/network/generic_proxy/router/v3:pkg_cc_proto",
     ],
 )