Merge pull request #4938 from emissary-ingress/hqudsi/envoy-1.25-upgrade

Upgrade envoy to v1.25.3

CHANGELOG.md

@@ -90,6 +90,10 @@ it will be removed; but as it won't be user-visible this isn't considered a brea
 
 ### Emissary-ingress and Ambassador Edge Stack
 
+- Feature: This upgrades Emissary-ingress to be built on Envoy v1.25.3. This provides
+  Emissary-ingress with the latest security patches, performances enhancments, and features offered
+  by the envoy proxy.
+
 ## [3.5.0] February 15, 2023
 [3.5.0]: https://github.com/emissary-ingress/emissary/compare/v3.4.0...v3.5.0
 

_cxx/envoy.mk

@@ -13,12 +13,12 @@ RSYNC_EXTRAS ?=
 
 # IF YOU MESS WITH ANY OF THESE VALUES, YOU MUST RUN `make update-base`.
   ENVOY_REPO ?= $(if $(IS_PRIVATE),[email protected]:datawire/envoy-private.git,https://github.com/datawire/envoy.git)
-  # rebase/release/v1.24.2 - with boringSSL cve patch and c-ares dep update
-	ENVOY_COMMIT ?= 5a4aed880cb9b76df21448e75d42fe95a77c3893
+  # rebase/release/v1.25.3
+  ENVOY_COMMIT ?= b8eb98c4a04bd1e0d21230e7a7c99f37a04f255b
   ENVOY_COMPILATION_MODE ?= opt
   # Increment BASE_ENVOY_RELVER on changes to `docker/base-envoy/Dockerfile`, or Envoy recipes.
   # You may reset BASE_ENVOY_RELVER when adjusting ENVOY_COMMIT.
-  BASE_ENVOY_RELVER ?= 1
+  BASE_ENVOY_RELVER ?= 0
 
   # Set to non-empty to enable compiling Envoy in FIPS mode.
   FIPS_MODE ?=
@@ -37,7 +37,7 @@ RSYNC_EXTRAS ?=
 # which commits are ancestors, I added `make guess-envoy-go-control-plane-commit` to do that in an
 # automated way!  Still look at the commit yourself to make sure it seems sane; blindly trusting
 # machines is bad, mmkay?
-ENVOY_GO_CONTROL_PLANE_COMMIT = 799a7af9e5b9b3c492642319bf6a71cdfffc9cac
+ENVOY_GO_CONTROL_PLANE_COMMIT = 335df8c6b7f10ee07fa8322126911b9da27ff94b
 
 # Set ENVOY_DOCKER_REPO to the list of mirrors that we should
 # sanity-check that things get pushed to.
@@ -169,7 +169,7 @@ $(OSS_HOME)/_cxx/envoy-build-container.txt: $(OSS_HOME)/_cxx/envoy-build-image.t
 	    if [ -e $@ ]; then \
 	        docker kill $$(cat $@) || true; \
 	    fi; \
-	    docker run --detach --rm --privileged --volume=envoy-build:/root:rw $$(cat $<) tail -f /dev/null > $@; \
+	    docker run --network=host --detach --rm --privileged --volume=envoy-build:/root:rw $$(cat $<) tail -f /dev/null > $@; \
 	}
 $(OSS_HOME)/_cxx/envoy-build-container.txt.clean: %.clean:
 	if [ -e $* ]; then docker kill $$(cat $*) || true; fi

api/envoy/admin/v3/config_dump.proto

@@ -32,6 +32,8 @@ message ConfigDump {
   //
   // * ``bootstrap``: :ref:`BootstrapConfigDump <envoy_v3_api_msg_admin.v3.BootstrapConfigDump>`
   // * ``clusters``: :ref:`ClustersConfigDump <envoy_v3_api_msg_admin.v3.ClustersConfigDump>`
+  // * ``ecds_filter_http``: :ref:`EcdsConfigDump <envoy_v3_api_msg_admin.v3.EcdsConfigDump>`
+  // * ``ecds_filter_tcp_listener``: :ref:`EcdsConfigDump <envoy_v3_api_msg_admin.v3.EcdsConfigDump>`
   // * ``endpoints``:  :ref:`EndpointsConfigDump <envoy_v3_api_msg_admin.v3.EndpointsConfigDump>`
   // * ``listeners``: :ref:`ListenersConfigDump <envoy_v3_api_msg_admin.v3.ListenersConfigDump>`
   // * ``scoped_routes``: :ref:`ScopedRoutesConfigDump <envoy_v3_api_msg_admin.v3.ScopedRoutesConfigDump>`
@@ -40,6 +42,9 @@ message ConfigDump {
   //
   // EDS Configuration will only be dumped by using parameter ``?include_eds``
   //
+  // Currently ECDS is supported in HTTP and listener filters. Note, ECDS configuration for
+  // either HTTP or listener filter will only be dumped if it is actually configured.
+  //
   // You can filter output with the resource and mask query parameters.
   // See :ref:`/config_dump?resource={} <operations_admin_interface_config_dump_by_resource>`,
   // :ref:`/config_dump?mask={} <operations_admin_interface_config_dump_by_mask>`,

api/envoy/admin/v3/config_dump_shared.proto

@@ -370,3 +370,43 @@ message EndpointsConfigDump {
   // The dynamically loaded endpoint configs.
   repeated DynamicEndpointConfig dynamic_endpoint_configs = 3;
 }
+
+// Envoy's ECDS service fills this message with all currently extension
+// configuration. Extension configuration information can be used to recreate
+// an Envoy ECDS listener and HTTP filters as static filters or by returning
+// them in ECDS response.
+message EcdsConfigDump {
+  option (udpa.annotations.versioning).previous_message_type = "envoy.admin.v2alpha.EcdsConfigDump";
+
+  // [#next-free-field: 6]
+  message EcdsFilterConfig {
+    option (udpa.annotations.versioning).previous_message_type =
+        "envoy.admin.v2alpha.EcdsConfigDump.EcdsFilterConfig";
+
+    // This is the per-resource version information. This version is currently
+    // taken from the :ref:`version_info
+    // <envoy_v3_api_field_service.discovery.v3.DiscoveryResponse.version_info>`
+    // field at the time that the ECDS filter was loaded.
+    string version_info = 1;
+
+    // The ECDS filter config.
+    google.protobuf.Any ecds_filter = 2;
+
+    // The timestamp when the ECDS filter was last updated.
+    google.protobuf.Timestamp last_updated = 3;
+
+    // Set if the last update failed, cleared after the next successful update.
+    // The ``error_state`` field contains the rejected version of this
+    // particular resource along with the reason and timestamp. For successfully
+    // updated or acknowledged resource, this field should be empty.
+    // [#not-implemented-hide:]
+    UpdateFailureState error_state = 4;
+
+    // The client status of this resource.
+    // [#not-implemented-hide:]
+    ClientResourceStatus client_status = 5;
+  }
+
+  // The ECDS filter configs.
+  repeated EcdsFilterConfig ecds_filters = 1;
+}

api/envoy/api/v2/core/grpc_service.proto

@@ -100,7 +100,7 @@ message GrpcService {
       message StsService {
         // URI of the token exchange service that handles token exchange requests.
         // [#comment:TODO(asraa): Add URI validation when implemented. Tracked by
-        // https://github.com/envoyproxy/protoc-gen-validate/issues/303]
+        // https://github.com/bufbuild/protoc-gen-validate/issues/303]
         string token_exchange_service_uri = 1;
 
         // Location of the target service or resource where the client

api/envoy/config/bootstrap/v3/bootstrap.proto

@@ -41,7 +41,7 @@ option (udpa.annotations.file_status).package_version_status = ACTIVE;
 // <config_overview_bootstrap>` for more detail.
 
 // Bootstrap :ref:`configuration overview <config_overview_bootstrap>`.
-// [#next-free-field: 36]
+// [#next-free-field: 37]
 message Bootstrap {
   option (udpa.annotations.versioning).previous_message_type =
       "envoy.config.bootstrap.v2.Bootstrap";
@@ -342,6 +342,18 @@ message Bootstrap {
   // TODO(abeyad): Add public-facing documentation.
   // [#not-implemented-hide:]
   core.v3.TypedExtensionConfig xds_delegate_extension = 35;
+
+  // Optional XdsConfigTracker configuration, which allows tracking xDS responses in external components,
+  // e.g., external tracer or monitor. It provides the process point when receive, ingest, or fail to
+  // process xDS resources and messages. If a value is not specified, no XdsConfigTracker will be used.
+  //
+  // .. note::
+  //
+  //    There are no in-repo extensions currently, and the :repo:`XdsConfigTracker <envoy/config/xds_config_tracker.h>`
+  //    interface should be implemented before using.
+  //    See :repo:`xds_config_tracker_integration_test <test/integration/xds_config_tracker_integration_test.cc>`
+  //    for an example usage of the interface.
+  core.v3.TypedExtensionConfig xds_config_tracker_extension = 36;
 }
 
 // Administration interface :ref:`operations documentation

api/envoy/config/cluster/v3/cluster.proto

@@ -525,6 +525,7 @@ message Cluster {
   // Specific configuration for the
   // :ref:`Original Destination <arch_overview_load_balancing_types_original_destination>`
   // load balancing policy.
+  // [#extension: envoy.clusters.original_dst]
   message OriginalDstLbConfig {
     option (udpa.annotations.versioning).previous_message_type =
         "envoy.api.v2.Cluster.OriginalDstLbConfig";
@@ -1215,6 +1216,7 @@ message LoadBalancingPolicy {
 
     reserved "config", "name", "typed_config";
 
+    // [#extension-category: envoy.load_balancing_policies]
     core.v3.TypedExtensionConfig typed_extension_config = 4;
   }
 

api/envoy/config/common/mutation_rules/v3/mutation_rules.proto

@@ -2,11 +2,13 @@ syntax = "proto3";
 
 package envoy.config.common.mutation_rules.v3;
 
+import "envoy/config/core/v3/base.proto";
 import "envoy/type/matcher/v3/regex.proto";
 
 import "google/protobuf/wrappers.proto";
 
 import "udpa/annotations/status.proto";
+import "validate/validate.proto";
 
 option java_package = "io.envoyproxy.envoy.config.common.mutation_rules.v3";
 option java_outer_classname = "MutationRulesProto";
@@ -84,3 +86,18 @@ message HeaderMutationRules {
   // Default is false.
   google.protobuf.BoolValue disallow_is_error = 7;
 }
+
+// The HeaderMutation structure specifies an action that may be taken on HTTP
+// headers.
+message HeaderMutation {
+  oneof action {
+    option (validate.required) = true;
+
+    // Remove the specified header if it exists.
+    string remove = 1
+        [(validate.rules).string = {well_known_regex: HTTP_HEADER_VALUE strict: false}];
+
+    // Append new header by the specified HeaderValueOption.
+    core.v3.HeaderValueOption append = 2;
+  }
+}

api/envoy/config/core/v3/address.proto

@@ -120,7 +120,6 @@ message ExtraSourceAddress {
   // The additional address to bind.
   SocketAddress address = 1 [(validate.rules).message = {required: true}];
 
-  // [#not-implemented-hide:]
   // Additional socket options that may not be present in Envoy source code or
   // precompiled binaries. If specified, this will override the
   // :ref:`socket_options <envoy_v3_api_field_config.core.v3.BindConfig.socket_options>`
@@ -136,7 +135,7 @@ message BindConfig {
   option (udpa.annotations.versioning).previous_message_type = "envoy.api.v2.core.BindConfig";
 
   // The address to bind to when creating a socket.
-  SocketAddress source_address = 1 [(validate.rules).message = {required: true}];
+  SocketAddress source_address = 1;
 
   // Whether to set the ``IP_FREEBIND`` option when creating the socket. When this
   // flag is set to true, allows the :ref:`source_address

api/envoy/config/core/v3/grpc_service.proto

@@ -142,7 +142,7 @@ message GrpcService {
 
         // URI of the token exchange service that handles token exchange requests.
         // [#comment:TODO(asraa): Add URI validation when implemented. Tracked by
-        // https://github.com/envoyproxy/protoc-gen-validate/issues/303]
+        // https://github.com/bufbuild/protoc-gen-validate/issues/303]
         string token_exchange_service_uri = 1;
 
         // Location of the target service or resource where the client

api/envoy/config/core/v3/socket_option.proto

@@ -76,7 +76,6 @@ message SocketOption {
   SocketState state = 6 [(validate.rules).enum = {defined_only: true}];
 }
 
-// [#not-implemented-hide:]
 message SocketOptionsOverride {
   repeated SocketOption socket_options = 1;
 }

api/envoy/config/endpoint/v3/endpoint_components.proto

@@ -51,6 +51,10 @@ message Endpoint {
     //
     //   The form of the health check host address is expected to be a direct IP address.
     core.v3.Address address = 3;
+
+    // Optional flag to control if perform active health check for this endpoint.
+    // Active health check is enabled by default if there is a health checker.
+    bool disable_active_health_check = 4;
   }
 
   // The upstream host address.

api/envoy/config/filter/http/ext_authz/v2/ext_authz.proto

@@ -194,7 +194,7 @@ message AuthorizationResponse {
   // Note that coexistent headers will be overridden.
   type.matcher.ListStringMatcher allowed_upstream_headers = 1;
 
-  // When this :ref:`list <envoy_api_msg_type.matcher.ListStringMatcher>`. is set, authorization
+  // When this :ref:`list <envoy_api_msg_type.matcher.ListStringMatcher>` is set, authorization
   // response headers that have a correspondent match will be added to the client's response. Note
   // that when this list is *not* set, all the authorization response headers, except *Authority
   // (Host)* will be in the response to the client. When a header is included in this list, *Path*,

api/envoy/config/listener/v3/listener.proto

@@ -37,7 +37,6 @@ option (udpa.annotations.file_status).package_version_status = ACTIVE;
 message AdditionalAddress {
   core.v3.Address address = 1;
 
-  // [#not-implemented-hide:]
   // Additional socket options that may not be present in Envoy source code or
   // precompiled binaries. If specified, this will override the
   // :ref:`socket_options <envoy_v3_api_field_config.listener.v3.Listener.socket_options>`
@@ -243,7 +242,10 @@ message Listener {
   google.protobuf.BoolValue freebind = 11;
 
   // Additional socket options that may not be present in Envoy source code or
-  // precompiled binaries.
+  // precompiled binaries. The socket options can be updated for a listener when
+  // :ref:`enable_reuse_port <envoy_v3_api_field_config.listener.v3.Listener.enable_reuse_port>`
+  // is `true`. Otherwise, if socket options change during a listener update the update will be rejected
+  // to make it clear that the options were not updated.
   repeated core.v3.SocketOption socket_options = 13;
 
   // Whether the listener should accept TCP Fast Open (TFO) connections.
@@ -309,7 +311,9 @@ message Listener {
   // create one socket for each worker thread. This makes inbound connections
   // distribute among worker threads roughly evenly in cases where there are a high number
   // of connections. When this flag is set to false, all worker threads share one socket. This field
-  // defaults to true.
+  // defaults to true. The change of field will be rejected during an listener update when the
+  // runtime flag ``envoy.reloadable_features.enable_update_listener_socket_options`` is enabled.
+  // Otherwise, the update of this field will be ignored quietly.
   //
   // .. attention::
   //

api/envoy/config/listener/v3/listener_components.proto

@@ -155,6 +155,7 @@ message FilterChainMatch {
   // will be first matched against ``www.example.com``, then ``*.example.com``, then ``*.com``.
   //
   // Note that partial wildcards are not supported, and values like ``*w.example.com`` are invalid.
+  // The value ``*`` is also not supported, and ``server_names`` should be omitted instead.
   //
   // .. attention::
   //

api/envoy/config/listener/v3/quic_config.proto

@@ -22,7 +22,7 @@ option (udpa.annotations.file_status).package_version_status = ACTIVE;
 // [#protodoc-title: QUIC listener config]
 
 // Configuration specific to the UDP QUIC listener.
-// [#next-free-field: 8]
+// [#next-free-field: 9]
 message QuicProtocolOptions {
   option (udpa.annotations.versioning).previous_message_type =
       "envoy.api.v2.listener.QuicProtocolOptions";
@@ -63,4 +63,9 @@ message QuicProtocolOptions {
   // If not specified the :ref:`default one configured by <envoy_v3_api_msg_extensions.quic.proof_source.v3.ProofSourceConfig>` will be used.
   // [#extension-category: envoy.quic.proof_source]
   core.v3.TypedExtensionConfig proof_source_config = 7;
+
+  // Config which implementation of ``quic::ConnectionIdGeneratorInterface`` to be used for this listener.
+  // If not specified the :ref:`default one configured by <envoy_v3_api_msg_extensions.quic.connection_id_generator.v3.DeterministicConnectionIdGeneratorConfig>` will be used.
+  // [#extension-category: envoy.quic.connection_id_generator]
+  core.v3.TypedExtensionConfig connection_id_generator_config = 8;
 }

api/envoy/config/rbac/v3/rbac.proto

@@ -5,6 +5,7 @@ package envoy.config.rbac.v3;
 import "envoy/config/core/v3/address.proto";
 import "envoy/config/core/v3/extension.proto";
 import "envoy/config/route/v3/route_components.proto";
+import "envoy/type/matcher/v3/filter_state.proto";
 import "envoy/type/matcher/v3/metadata.proto";
 import "envoy/type/matcher/v3/path.proto";
 import "envoy/type/matcher/v3/string.proto";
@@ -229,7 +230,7 @@ message Permission {
 
 // Principal defines an identity or a group of identities for a downstream
 // subject.
-// [#next-free-field: 12]
+// [#next-free-field: 13]
 message Principal {
   option (udpa.annotations.versioning).previous_message_type = "envoy.config.rbac.v2.Principal";
 
@@ -304,6 +305,9 @@ message Principal {
     // Metadata that describes additional information about the principal.
     type.matcher.v3.MetadataMatcher metadata = 7;
 
+    // Identifies the principal using a filter state object.
+    type.matcher.v3.FilterStateMatcher filter_state = 12;
+
     // Negates matching the provided principal. For instance, if the value of
     // ``not_id`` would match, this principal would not match. Conversely, if the
     // value of ``not_id`` would not match, this principal would match.