Merge branch 'main' into baojr/grpc-reverse-bridge-stream
* main:
  listener: match rebalancer to listener IP family type (envoyproxy#16914)
  jwt_authn: implementation of www-authenticate header (envoyproxy#16216)
  listener: reset the file event in framework instead of listener filter doing itself (envoyproxy#17227)
  Small typo fix (envoyproxy#17247)
  Doc: Clarify request/response attributes are http-only (envoyproxy#17204)
  bazel/README.md: add aspell comment (envoyproxy#17072)
  docs: Fix broken URL links in HTTP upgrades doc (envoyproxy#17225)
  remove the wrong comment on test (envoyproxy#17233)
  upstream: allow clusters to skip waiting on warmup for initialization (envoyproxy#17179)
  JwtAuthn: support completing padding on forward jwt payload header (envoyproxy#16752)
  remove support for v2 UNSUPPORTED_REST_LEGACY (envoyproxy#16968)
  metrics service: fix wrong argument arrange on MetricsServiceSink (envoyproxy#17127)
  deps: update cel-cpp to 0.6.1 (envoyproxy#16293)
  Add ability to filter ConfigDump. (envoyproxy#16774)
  examples: fix Wasm example. (envoyproxy#17218)
  upstream: update host's socket factory when metadata is updated. (envoyproxy#16708)

Signed-off-by: Garrett Bourg <[email protected]>
baojr committed Jul 7, 2021
2 parents 86a1a19 + 19e7879 commit 2a09e60
Showing 97 changed files with 1,380 additions and 329 deletions.
9 changes: 8 additions & 1 deletion api/envoy/config/cluster/v3/cluster.proto
@@ -43,7 +43,7 @@ message ClusterCollection {
}

// Configuration for a single upstream cluster.
// [#next-free-field: 54]
// [#next-free-field: 55]
message Cluster {
option (udpa.annotations.versioning).previous_message_type = "envoy.api.v2.Cluster";

Expand Down Expand Up @@ -876,6 +876,13 @@ message Cluster {
// DNS resolution configuration which includes the underlying dns resolver addresses and options.
core.v3.DnsResolutionConfig dns_resolution_config = 53;

// Optional configuration for having cluster readiness block on warm-up. Currently, only applicable for
// :ref:`STRICT_DNS<envoy_v3_api_enum_value_config.cluster.v3.Cluster.DiscoveryType.STRICT_DNS>`,
// or :ref:`LOGICAL_DNS<envoy_v3_api_enum_value_config.cluster.v3.Cluster.DiscoveryType.LOGICAL_DNS>`.
// If true, cluster readiness blocks on warm-up. If false, the cluster will complete
// initialization whether or not warm-up has completed. Defaults to true.
google.protobuf.BoolValue wait_for_warm_on_init = 54;

// If specified, outlier detection will be enabled for this upstream cluster.
// Each of the configuration values can be overridden via
// :ref:`runtime values <config_cluster_manager_cluster_runtime_outlier_detection>`.
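Review bot: the new field comment should state what happens on the request path when `wait_for_warm_on_init` is false, and what happens for discovery types other than STRICT_DNS and LOGICAL_DNS. With `false`, the cluster reports initialized before its first DNS resolution has populated any hosts, so traffic routed to it in that window sees an empty host set; the doc should say so (and what those requests get back) so operators do not switch it off for a cluster that serves live traffic without understanding the gap. It should also say whether the field is silently ignored or rejected at config validation for EDS and STATIC clusters. "Defaults to true" is correct for an unset `BoolValue`, but "unset or true" would remove any ambiguity about the wrapper.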
9 changes: 8 additions & 1 deletion api/envoy/config/cluster/v4alpha/cluster.proto


11 changes: 10 additions & 1 deletion api/envoy/extensions/filters/http/jwt_authn/v3/config.proto
@@ -52,7 +52,7 @@ option (udpa.annotations.file_status).package_version_status = ACTIVE;
// cache_duration:
// seconds: 300
//
// [#next-free-field: 11]
// [#next-free-field: 12]
message JwtProvider {
option (udpa.annotations.versioning).previous_message_type =
"envoy.config.filter.http.jwt_authn.v2alpha.JwtProvider";
@@ -190,6 +190,15 @@ message JwtProvider {
string forward_payload_header = 8
[(validate.rules).string = {well_known_regex: HTTP_HEADER_NAME strict: false}];

// When :ref:`forward_payload_header <envoy_v3_api_field_extensions.filters.http.jwt_authn.v3.JwtProvider.forward_payload_header>`
// is specified, the base64 encoded payload will be added to the headers.
// Normally JWT based64 encode doesn't add padding. If this field is true,
// the header will be padded.
//
// This field is only relevant if :ref:`forward_payload_header <envoy_v3_api_field_extensions.filters.http.jwt_authn.v3.JwtProvider.forward_payload_header>`
// is specified.
bool pad_forward_payload_header = 11;

// If non empty, successfully verified JWT payloads will be written to StreamInfo DynamicMetadata
// in the format as: *namespace* is the jwt_authn filter name as **envoy.filters.http.jwt_authn**
// The value is the *protobuf::Struct*. The value of this field will be the key for its *fields*
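Review bot: typo in the new comment, "based64" should be "base64", and "the header will be padded" should say what is padded: the base64url-encoded payload segment gets its trailing `=` characters appended so that decoders which insist on padding accept it. Worth stating that the alphabet is still base64url (`-` and `_`), so a consumer that was rejecting the unpadded value needs a base64url decoder with padding, not a switch to standard base64. The closing sentence "This field is only relevant if forward_payload_header is specified" repeats the first sentence and can be folded into it.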
11 changes: 10 additions & 1 deletion api/envoy/extensions/filters/http/jwt_authn/v4alpha/config.proto


4 changes: 3 additions & 1 deletion bazel/README.md
@@ -863,7 +863,7 @@ TEST_TMPDIR=/tmp tools/gen_compilation_database.py
```


# Running clang-format without docker
# Running format linting without docker

The easiest way to run the clang-format check/fix commands is to run them via
docker, which helps ensure the right toolchain is set up. However you may prefer
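Review bot: the heading now reads "Running format linting without docker", but the paragraph under it still describes only the clang-format check/fix commands. Since the rename exists because the section covers more than clang-format, the first sentence should name the other tools it covers (buildifier, `check_spelling.py`) or say "the format and spelling check/fix scripts".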
@@ -876,6 +876,8 @@ To run the tools directly, you must install the correct version of clang. This
may change over time, check the version of clang in the docker image. You must
also have 'buildifier' installed from the bazel distribution.

Note that if you run the `check_spelling.py` script you will need to have `aspell` installed.

Edit the paths shown here to reflect the installation locations on your system:

```shell
8 changes: 4 additions & 4 deletions bazel/repository_locations.bzl
@@ -833,10 +833,10 @@ REPOSITORY_LOCATIONS_SPEC = dict(
project_name = "Common Expression Language (CEL) C++ library",
project_desc = "Common Expression Language (CEL) C++ library",
project_url = "https://opensource.google/projects/cel",
version = "9841e3ee251f3cc4cd5b6dd9deee6818bc9f2854",
sha256 = "7e42cbad7d1068d6e7891ad101e2863e727692136d6b3a817c487b3cc7bcfdcc",
version = "0.6.1",
sha256 = "d001494f1aa7d88172af944233fac3d7f83d9183d66590aa787aa2a35aab0440",
strip_prefix = "cel-cpp-{version}",
urls = ["https://github.com/google/cel-cpp/archive/{version}.tar.gz"],
urls = ["https://github.com/google/cel-cpp/archive/v{version}.tar.gz"],
use_category = ["dataplane_ext"],
extensions = [
"envoy.access_loggers.wasm",
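Review bot: moving `version` from a pinned commit hash to the `0.6.1` tag means the version string no longer names an immutable revision, since a tag can be moved; the updated `sha256` is what actually pins the archive, so please confirm it was computed from `https://github.com/google/cel-cpp/archive/v0.6.1.tar.gz` as fetched rather than copied from a release page, and keep in mind that GitHub-generated source archives are not guaranteed to be byte-stable over time. `cpe = "N/A"` is left unchanged, so this dependency still gets no CVE matching in the dependency scan; now that cel-cpp has numbered releases, check whether a CPE exists and add it if so.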
@@ -848,7 +848,7 @@ REPOSITORY_LOCATIONS_SPEC = dict(
"envoy.filters.network.wasm",
"envoy.stat_sinks.wasm",
],
release_date = "2020-12-17",
release_date = "2021-06-28",
cpe = "N/A",
),
com_github_google_flatbuffers = dict(
6 changes: 5 additions & 1 deletion docs/root/intro/arch_overview/advanced/attributes.rst
@@ -40,7 +40,9 @@ Request attributes
------------------

The following request attributes are generally available upon initial request
processing, which makes them suitable for RBAC policies:
processing, which makes them suitable for RBAC policies.

``request.*`` attributes are only available in http filters.

.. csv-table::
:header: Attribute, Type, Description
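Review bot: "http filters" should be "HTTP filters", and the sentence is more useful if it says where the attributes are not available: `request.*` cannot be used from network-level filters (the network RBAC filter, for example), so a policy written there in terms of `request.*` will not behave as the author intends; point readers at the `connection.*`, `source.*` and `destination.*` attributes for that case. The same wording fix applies to the `response.*` sentence added in the next hunk.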
@@ -76,6 +78,8 @@ Response attributes

Response attributes are only available after the request completes.

``response.*`` attributes are only available in http filters.

.. csv-table::
:header: Attribute, Type, Description
:widths: 1, 1, 4
2 changes: 1 addition & 1 deletion docs/root/intro/arch_overview/http/upgrades.rst
@@ -96,7 +96,7 @@ will synthesize 200 response headers, and then forward the TCP data as the HTTP
will be forwarded *unsanitized* headers if they are in the body payload. Please use with caution

For an example of proxying connect, please see :repo:`configs/proxy_connect.yaml <configs/proxy_connect.yaml>`
For an example of terminating connect, please see :repo:`configs/terminate_connect.yaml <configs/terminate_connect.yaml>`
For an example of terminating connect, please see :repo:`configs/terminate_http1_connect.yaml <configs/terminate_http1_connect.yaml>` and :repo:`configs/terminate_http2_connect.yaml <configs/terminate_http2_connect.yaml>`

Note that for CONNECT-over-tls, Envoy can not currently be configured to do the CONNECT request in the clear
and encrypt previously unencrypted payload in one hop. To send CONNECT in plaintext and encrypt the payload,
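Review bot: the replaced line sits directly under the "proxying connect" line with no blank line between them, so RST joins the two into one paragraph, and neither ends with a period; add a period to each and a blank line between them, or turn the two into a short bullet list, so the rendered text does not read as a single run-on sentence with two `:repo:` links in it.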
@@ -16,7 +16,7 @@ chosen to serve the request. If the default filter chain is not supplied, the co
Filter chain only update
------------------------

:ref:`Filter chains <envoy_v3_api_msg_config.listener.v3.FilterChain>` can be updated indepedently. Upon listener config
:ref:`Filter chains <envoy_v3_api_msg_config.listener.v3.FilterChain>` can be updated independently. Upon listener config
update, if the listener manager determines that the listener update is a filter chain only update, the listener update
will be executed by adding, updating and removing filter chains. The connections owned by these destroying filter chains will
be drained as described in listener drain.
19 changes: 19 additions & 0 deletions docs/root/operations/admin.rst
@@ -194,6 +194,25 @@ modify different aspects of the server:
field, use the mask query parameter documented above. If you want only a subset of fields from the repeated
resource, use both as documented below.

.. _operations_admin_interface_config_dump_by_name_regex:

.. http:get:: /config_dump?name_regex={}
Dump only the currently loaded configurations whose names match the specified regex. Can be used with
both `resource` and `mask` query parameters.

For example, ``/config_dump?name_regex=.*substring.*`` would return all resource types
whose name field matches the given regex.

Per resource, the matched name field is:

- :ref:`envoy.config.listener.v3.Listener.name <envoy_v3_api_field_config.listener.v3.Listener.name>`
- :ref:`envoy.config.route.v3.RouteConfiguration.name <envoy_v3_api_field_config.route.v3.RouteConfiguration.name>`
- :ref:`envoy.config.route.v3.ScopedRouteConfiguration.name <envoy_v3_api_field_config.route.v3.ScopedRouteConfiguration.name>`
- :ref:`envoy.config.cluster.v3.Cluster.name <envoy_v3_api_field_config.cluster.v3.Cluster.name>`
- :ref:`envoy.extensions.transport_sockets.tls.v3.Secret <envoy_v3_api_field_extensions.transport_sockets.tls.v3.Secret.name>`
- :ref:`envoy.config.endpoint.v3.ClusterLoadAssignment <envoy_v3_api_field_config.endpoint.v3.ClusterLoadAssignment.cluster_name>`

.. _operations_admin_interface_config_dump_by_resource_and_mask:

.. http:get:: /config_dump?resource={}&mask={}
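Review bot: the text should say which regex dialect `name_regex` accepts and which engine evaluates it. The admin interface has no authentication of its own, and anyone who can reach it can already read the full config dump, so the concern with a caller-supplied pattern is denial of service rather than disclosure: if the parameter is compiled with `std::regex` instead of RE2, a pathological pattern causes catastrophic backtracking against every resource name on the main thread. If it is RE2, as with `safe_regex` elsewhere in Envoy, say so, and document whether the pattern must match the whole name or any substring (the `.*substring.*` example suggests a full match). Separately, the last two list entries are labelled `...Secret` and `...ClusterLoadAssignment` without the field, while the first four name the field and the refs point at `Secret.name` and `ClusterLoadAssignment.cluster_name`; spell out the field for all six.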
4 changes: 4 additions & 0 deletions docs/root/version_history/current.rst
@@ -36,6 +36,7 @@ Minor Behavior Changes
``envoy.reloadable_features.no_chunked_encoding_header_for_304`` to false.
* http: the behavior of the ``present_match`` in route header matcher changed. The value of ``present_match`` is ignored in the past. The new behavior is ``present_match`` performed when value is true. absent match performed when the value is false. Please reference :ref:`present_match
<envoy_v3_api_field_config.route.v3.HeaderMatcher.present_match>`.
* listener: added an option when balancing across active listeners and wildcard matching is used to return the listener that matches the IP family type associated with the listener's socket address. Any unexpected behavioral changes can be reverted by setting runtime guard ``envoy.reloadable_features.listener_wildcard_match_ip_family`` to false.
* listener: respect the :ref:`connection balance config <envoy_v3_api_field_config.listener.v3.Listener.connection_balance_config>`
defined within the listener where the sockets are redirected to. Clear that field to restore the previous behavior.
* tcp: switched to the new connection pool by default. Any unexpected behavioral changes can be reverted by setting runtime guard ``envoy.reloadable_features.new_tcp_connection_pool`` to false.
@@ -54,6 +55,7 @@ Bug Fixes
reverted by setting the ``envoy.reloadable_features.http2_consume_stream_refused_errors`` runtime guard to false.
* http: port stripping now works for CONNECT requests, though the port will be restored if the CONNECT request is sent upstream. This behavior can be temporarily reverted by setting ``envoy.reloadable_features.strip_port_from_connect`` to false.
* http: raise max configurable max_request_headers_kb limit to 8192 KiB (8MiB) from 96 KiB in http connection manager.
* jwt_authn: unauthorized responses now correctly include a `www-authenticate` header.
* listener: fix the crash which could happen when the ongoing filter chain only listener update is followed by the listener removal or full listener update.
* udp: limit each UDP listener to read maxmium 6000 packets per event loop. This behavior can be temporarily reverted by setting ``envoy.reloadable_features.udp_per_event_loop_read_limit`` to false.
* validation: fix an issue that causes TAP sockets to panic during config validation mode.
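Review bot: `www-authenticate` in the new jwt_authn entry uses single backticks, which RST renders as interpreted text (italics) rather than a literal; use double backticks as the neighbouring entries do for runtime guard names. The entry would also help readers if it gave the header value now sent (the scheme and any `error=` parameter), since clients key on that value to decide whether to retry with credentials.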
@@ -84,6 +86,7 @@ New Features
* bootstrap: added :ref:`dns_resolution_config <envoy_v3_api_field_config.bootstrap.v3.Bootstrap.dns_resolution_config>` to aggregate all of the DNS resolver configuration in a single message. By setting one such configuration option ``no_default_search_domain`` as true the DNS resolver will not use the default search domains. And by setting the configuration ``resolvers`` we can specify the external DNS servers to be used for external DNS query.
* cluster: added :ref:`dns_resolution_config <envoy_v3_api_field_config.cluster.v3.Cluster.dns_resolution_config>` to aggregate all of the DNS resolver configuration in a single message. By setting one such configuration option ``no_default_search_domain`` as true the DNS resolver will not use the default search domains.
* cluster: added :ref:`host_rewrite_literal <envoy_v3_api_field_config.route.v3.WeightedCluster.ClusterWeight.host_rewrite_literal>` to WeightedCluster.
* cluster: added :ref:`wait_for_warm_on_init <envoy_v3_api_field_config.cluster.v3.Cluster.wait_for_warm_on_init>`, which allows cluster readiness to not block on cluster warm-up. It is true by default, which preserves existing behavior. Currently, only applicable for DNS-based clusters.
* composite filter: can now be used with filters that also add an access logger, such as the WASM filter.
* config: added stat :ref:`config_reload_time_ms <subscription_statistics>`.
* connection_limit: added new :ref:`Network connection limit filter <config_network_filters_connection_limit>`.
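Review bot: "only applicable for DNS-based clusters" in the new `wait_for_warm_on_init` entry is looser than the proto comment, which limits the field to STRICT_DNS and LOGICAL_DNS; name the two types here so readers do not assume it applies to any cluster whose endpoints happen to be hostnames.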
@@ -107,6 +110,7 @@ New Features
* http: added upstream and downstream alpha HTTP/3 support! See :ref:`quic_options <envoy_v3_api_field_config.listener.v3.UdpListenerConfig.quic_options>` for downstream and the new http3_protocol_options in :ref:`http_protocol_options <envoy_v3_api_msg_extensions.upstreams.http.v3.HttpProtocolOptions>` for upstream HTTP/3.
* input matcher: a new input matcher that :ref:`matches an IP address against a list of CIDR ranges <envoy_v3_api_file_envoy/extensions/matching/input_matchers/ip/v3/ip.proto>`.
* jwt_authn: added support to fetch remote jwks asynchronously specified by :ref:`async_fetch <envoy_v3_api_field_extensions.filters.http.jwt_authn.v3.RemoteJwks.async_fetch>`.
* jwt_authn: added support to add padding in the forwarded JWT payload specified by :ref:`pad_forward_payload_header <envoy_v3_api_field_extensions.filters.http.jwt_authn.v3.JwtProvider.pad_forward_payload_header>`.
* listener: added ability to change an existing listener's address.
* listener: added filter chain match support for :ref:`direct source address <envoy_v3_api_field_config.listener.v3.FilterChainMatch.direct_source_prefix_ranges>`.
* local_rate_limit_filter: added suppoort for locally rate limiting http requests on a per connection basis. This can be enabled by setting the :ref:`local_rate_limit_per_downstream_connection <envoy_v3_api_field_extensions.filters.http.local_ratelimit.v3.LocalRateLimit.local_rate_limit_per_downstream_connection>` field to true.
1 change: 1 addition & 0 deletions envoy/server/BUILD
@@ -53,6 +53,7 @@ envoy_cc_library(
name = "config_tracker_interface",
hdrs = ["config_tracker.h"],
deps = [
"//envoy/common:matchers_interface",
"//source/common/common:non_copyable",
"//source/common/protobuf",
],
5 changes: 4 additions & 1 deletion envoy/server/config_tracker.h
@@ -4,6 +4,7 @@
#include <map>
#include <memory>

#include "envoy/common/matchers.h"
#include "envoy/common/pure.h"

#include "source/common/common/non_copyable.h"
@@ -21,7 +22,9 @@ namespace Server {
*/
class ConfigTracker {
public:
using Cb = std::function<ProtobufTypes::MessagePtr()>;
// The passed StringMatcher will be matched against the `name` field of whatever
// proto is returned.
using Cb = std::function<ProtobufTypes::MessagePtr(const Matchers::StringMatcher&)>;
using CbsMap = std::map<std::string, Cb>;

/**
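Review bot: the new comment leaves it ambiguous who applies the matcher. Because `Cb` receives the `StringMatcher` and returns one `MessagePtr`, it is the callback, not the tracker, that has to filter the repeated resources inside the dump it builds; say that explicitly, and state the contract for a dump whose proto has no `name` field: return it unchanged, or return nothing unless the matcher is a match-everything matcher? Since every existing registration of `Cb` breaks with this signature, a match-everything default or an overload without the matcher argument would cut the churn for callers that cannot filter.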
4 changes: 2 additions & 2 deletions examples/wasm-cc/envoy_filter_http_wasm_example.cc
@@ -78,9 +78,9 @@ FilterDataStatus ExampleContext::onRequestBody(size_t body_buffer_length,
return FilterDataStatus::Continue;
}

FilterDataStatus ExampleContext::onResponseBody(size_t /* body_buffer_length */,
FilterDataStatus ExampleContext::onResponseBody(size_t body_buffer_length,
bool /* end_of_stream */) {
setBuffer(WasmBufferType::HttpResponseBody, 0, 12, "Hello, world");
setBuffer(WasmBufferType::HttpResponseBody, 0, body_buffer_length, "Hello, world\n");
return FilterDataStatus::Continue;
}

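Review bot: `onResponseBody` runs once per data chunk, and the new code still ignores `end_of_stream` and returns `Continue`, so a response delivered in several chunks has each chunk replaced with "Hello, world\n" and the greeting is emitted once per chunk; either only rewrite when `end_of_stream` is true and return `FilterDataStatus::StopIterationAndBuffer` for earlier chunks, or document that the example assumes a single-chunk body. Replacing the body also leaves any upstream `content-length` wrong unless the headers callback strips it; a comment saying so would stop people copying the example from shipping a mismatched length.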
9 changes: 8 additions & 1 deletion generated_api_shadow/envoy/config/cluster/v3/cluster.proto


0 comments on commit 2a09e60