Merge branch 'main' into refactor/dns-api

Signed-off-by: Steven Jin Xuan <[email protected]>

.bazelrc

@@ -91,7 +91,7 @@ build:clang-pch --spawn_strategy=local
 build:clang-pch --define=ENVOY_CLANG_PCH=1
 
 # Use gold linker for gcc compiler.
-build:gcc --linkopt=-fuse-ld=gold
+build:gcc --linkopt=-fuse-ld=gold --host_linkopt=-fuse-ld=gold
 build:gcc --test_env=HEAPCHECK=
 build:gcc --action_env=BAZEL_COMPILER=gcc
 build:gcc --action_env=CC=gcc --action_env=CXX=g++

.github/workflows/_check_coverage.yml

@@ -42,6 +42,12 @@ jobs:
         lower than limit
       rbe: true
       request: ${{ inputs.request }}
+      steps-post: |
+        - run: ci/run_envoy_docker.sh 'ci/do_ci.sh ${{ matrix.target }}-upload'
+          shell: bash
+          env:
+            GCS_ARTIFACT_BUCKET: ${{ inputs.trusted && 'envoy-postsubmit' || 'envoy-pr' }}
+            GCS_REDIRECT_PATH: ${{ fromJSON(inputs.request).request.pr || fromJSON(inputs.request).request.target-branch }}
       target: ${{ matrix.target }}
       timeout-minutes: 180
       trusted: ${{ inputs.trusted }}

.github/workflows/_precheck_publish.yml

@@ -5,6 +5,9 @@ permissions:
 
 on:
   workflow_call:
+    secrets:
+      gcp-key:
+        required: true
     inputs:
       request:
         type: string
@@ -20,6 +23,8 @@ concurrency:
 
 jobs:
   publish:
+    secrets:
+      gcp-key: ${{ secrets.gcp-key }}
     permissions:
       contents: read
       packages: read
@@ -30,6 +35,7 @@ jobs:
       cache-build-image: ${{ fromJSON(inputs.request).request.build-image.default }}
       cache-build-image-key-suffix: ${{ matrix.arch == 'arm64' && '-arm64' || '' }}
       concurrency-suffix: -${{ matrix.target }}${{ matrix.arch && format('-{0}', matrix.arch) || '' }}
+      gcs-only: "true"
       rbe: ${{ matrix.rbe }}
       request: ${{ inputs.request }}
       runs-on: ${{ matrix.runs-on || 'ubuntu-24.04' }}
@@ -38,6 +44,7 @@ jobs:
         ERROR
         error:
         Error:
+      steps-post: ${{ matrix.steps-post }}
       target: ${{ matrix.target }}
       target-suffix: ${{ matrix.target-suffix }}
       trusted: ${{ inputs.trusted }}
@@ -67,3 +74,9 @@ jobs:
             --config=remote-envoy-engflow
             --config=docs-ci
           rbe: true
+          steps-post: |
+            - run: ci/run_envoy_docker.sh 'ci/do_ci.sh docs-upload'
+              shell: bash
+              env:
+                GCS_ARTIFACT_BUCKET: ${{ inputs.trusted && 'envoy-postsubmit' || 'envoy-pr' }}
+                GCS_REDIRECT_PATH: ${{ fromJSON(inputs.request).request.pr || fromJSON(inputs.request).request.target-branch }}

.github/workflows/_run.yml

@@ -69,6 +69,8 @@ on:
           Error:
       fail-match:
         type: string
+      gcs-only:
+        type: string
       import-gpg:
         type: boolean
         default: false
@@ -277,9 +279,12 @@ jobs:
         GCP_SERVICE_ACCOUNT_KEY_PATH=$(mktemp -p "${{ runner.temp }}" -t gcp_service_account.XXXXXX.json)
         echo "${{ secrets.gcp-key }}" | base64 --decode > "${GCP_SERVICE_ACCOUNT_KEY_PATH}"
         GCP_SERVICE_ACCOUNT_KEY_FILE="$(basename "${GCP_SERVICE_ACCOUNT_KEY_PATH}")"
+        echo "GCP_SERVICE_ACCOUNT_KEY_PATH=/build/${GCP_SERVICE_ACCOUNT_KEY_FILE}" >> "$GITHUB_ENV"
+        if [[ "${{ inputs.gcs-only }}" != "" ]]; then
+            exit 0
+        fi
         BAZEL_BUILD_EXTRA_OPTIONS="--google_credentials=/build/${GCP_SERVICE_ACCOUNT_KEY_FILE} --config=remote-ci --config=rbe-google"
         echo "BAZEL_BUILD_EXTRA_OPTIONS=${BAZEL_BUILD_EXTRA_OPTIONS}" >> "$GITHUB_ENV"
-        echo "GCP_SERVICE_ACCOUNT_KEY_PATH=${GCP_SERVICE_ACCOUNT_KEY_PATH}" >> "$GITHUB_ENV"
 
     - uses: envoyproxy/toolshed/gh-actions/github/[email protected]
       name: Run CI ${{ inputs.command }} ${{ inputs.target }}

.github/workflows/codeql-daily.yml

@@ -34,7 +34,7 @@ jobs:
 
     # Initializes the CodeQL tools for scanning.
     - name: Initialize CodeQL
-      uses: github/codeql-action/init@461ef6c76dfe95d5c364de2f431ddbd31a417628  # codeql-bundle-v3.26.9
+      uses: github/codeql-action/init@6db8d6351fd0be61f9ed8ebd12ccd35dcec51fea  # codeql-bundle-v3.26.11
       # Override language selection by uncommenting this and choosing your languages
       with:
         languages: cpp
@@ -64,6 +64,7 @@ jobs:
            --spawn_strategy=local \
            --discard_analysis_cache \
            --nouse_action_cache \
+           --features="-layering_check" \
            --config=clang-libc++ \
            --config=ci \
            //source/common/http/...
@@ -73,4 +74,4 @@ jobs:
         git clean -xdf
 
     - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@461ef6c76dfe95d5c364de2f431ddbd31a417628  # codeql-bundle-v3.26.9
+      uses: github/codeql-action/analyze@6db8d6351fd0be61f9ed8ebd12ccd35dcec51fea  # codeql-bundle-v3.26.11

.github/workflows/codeql-push.yml

@@ -65,7 +65,7 @@ jobs:
 
     - name: Initialize CodeQL
       if: ${{ env.BUILD_TARGETS != '' }}
-      uses: github/codeql-action/init@461ef6c76dfe95d5c364de2f431ddbd31a417628  # codeql-bundle-v3.26.9
+      uses: github/codeql-action/init@6db8d6351fd0be61f9ed8ebd12ccd35dcec51fea  # codeql-bundle-v3.26.11
       with:
         languages: cpp
 
@@ -96,6 +96,7 @@ jobs:
            --spawn_strategy=local \
            --discard_analysis_cache \
            --nouse_action_cache \
+           --features="-layering_check" \
            --config=clang-libc++ \
            --config=ci \
            $BUILD_TARGETS
@@ -108,4 +109,4 @@ jobs:
 
     - name: Perform CodeQL Analysis
       if: ${{ env.BUILD_TARGETS != '' }}
-      uses: github/codeql-action/analyze@461ef6c76dfe95d5c364de2f431ddbd31a417628  # codeql-bundle-v3.26.9
+      uses: github/codeql-action/analyze@6db8d6351fd0be61f9ed8ebd12ccd35dcec51fea  # codeql-bundle-v3.26.11

.github/workflows/envoy-checks.yml

@@ -59,7 +59,7 @@ jobs:
 
   coverage:
     secrets:
-      gcp-key: ${{ secrets.GCP_SERVICE_ACCOUNT_KEY }}
+      gcp-key: ${{ fromJSON(needs.load.outputs.trusted) && secrets.GCP_SERVICE_ACCOUNT_KEY_TRUSTED || secrets.GCP_SERVICE_ACCOUNT_KEY }}
     permissions:
       actions: read
       contents: read

.github/workflows/envoy-prechecks.yml

@@ -67,6 +67,8 @@ jobs:
       trusted: ${{ fromJSON(needs.load.outputs.trusted) }}
 
   publish:
+    secrets:
+      gcp-key: ${{ fromJSON(needs.load.outputs.trusted) && secrets.GCP_SERVICE_ACCOUNT_KEY_TRUSTED || secrets.GCP_SERVICE_ACCOUNT_KEY }}
     permissions:
       actions: read
       contents: read

.github/workflows/scorecard.yml

@@ -40,6 +40,6 @@ jobs:
         retention-days: 5
 
     - name: "Upload to code-scanning"
-      uses: github/codeql-action/upload-sarif@461ef6c76dfe95d5c364de2f431ddbd31a417628  # v3.26.9
+      uses: github/codeql-action/upload-sarif@6db8d6351fd0be61f9ed8ebd12ccd35dcec51fea  # v3.26.11
       with:
         sarif_file: results.sarif

GOVERNANCE.md

@@ -1,34 +1,22 @@
 # Process for becoming a maintainer
 
-## Your organization is not yet a maintainer
+Becoming a maintainer generally means that you are going to be spending substantial time on
+Envoy for the foreseeable future. You should have domain expertise and be extremely proficient in C++.
 
-* Express interest to the senior maintainers that your organization is interested in becoming a
-  maintainer. Becoming a maintainer generally means that you are going to be spending substantial
-  time (>25%) on Envoy for the foreseeable future. You should have domain expertise and be extremely
-  proficient in C++. Ultimately your goal is to become a senior maintainer that will represent your
-  organization.
+* Express interest to the
+  [envoy-maintainers](https://groups.google.com/forum/#!forum/envoy-announce)
+  that you are interested in becoming a maintainer and, if your company does not have pre-existing maintainers,
+  that your organization is interested in and willing to sponsoring a maintainer.
 * We will expect you to start contributing increasingly complicated PRs, under the guidance
-  of the existing senior maintainers.
-* We may ask you to do some PRs from our backlog.
+  of the existing maintainers.
+* We may ask you to fix some issues from our backlog.
 * As you gain experience with the code base and our standards, we will ask you to do code reviews
   for incoming PRs (i.e., all maintainers are expected to shoulder a proportional share of
   community reviews).
-* After a period of approximately 2-3 months of working together and making sure we see eye to eye,
-  the existing senior maintainers will confer and decide whether to grant maintainer status or not.
-  We make no guarantees on the length of time this will take, but 2-3 months is the approximate
-  goal.
-
-## Your organization is currently a maintainer
-
-* First decide whether your organization really needs more people with maintainer access. Valid
-  reasons are "blast radius", a large organization that is working on multiple unrelated projects,
-  etc.
-* Contact a senior maintainer for your organization and express interest.
-* Start doing PRs and code reviews under the guidance of your senior maintainer.
-* After a period of 1-2 months the existing senior maintainers will discuss granting "standard"
-  maintainer access.
-* "Standard" maintainer access can be upgraded to "senior" maintainer access after another 1-2
-  months of work and another conference of the existing senior committers.
+* After a period of approximately 2-3 months of contributions demonstrating understanding of (at least parts of)
+  the Envoy code base, reach back out to the maintainers list asking for feedback.  At this point, you will either
+  be granted maintainer status, or be given actionable feedback on any remaining gaps between the contributions
+  demonstrated and those expected of maintainers, at which point you can close those gaps and reach back out.
 
 ## Maintainer responsibilities
 

api/envoy/config/core/v3/protocol.proto

@@ -262,6 +262,8 @@ message HttpProtocolOptions {
   // The maximum number of headers (request headers if configured on HttpConnectionManager,
   // response headers when configured on a cluster).
   // If unconfigured, the default maximum number of headers allowed is 100.
+  // The default value for requests can be overridden by setting runtime key ``envoy.reloadable_features.max_request_headers_count``.
+  // The default value for responses can be overridden by setting runtime key ``envoy.reloadable_features.max_response_headers_count``.
   // Downstream requests that exceed this limit will receive a 431 response for HTTP/1.x and cause a stream
   // reset for HTTP/2.
   // Upstream responses that exceed this limit will result in a 503 response.
@@ -270,6 +272,7 @@ message HttpProtocolOptions {
   // The maximum size of response headers.
   // If unconfigured, the default is 60 KiB, except for HTTP/1 response headers which have a default
   // of 80KiB.
+  // The default value can be overridden by setting runtime key ``envoy.reloadable_features.max_response_headers_size_kb``.
   // Responses that exceed this limit will result in a 503 response.
   // In Envoy, this setting is only valid when configured on an upstream cluster, not on the
   // :ref:`HTTP Connection Manager

api/envoy/extensions/filters/http/local_ratelimit/v3/BUILD

@@ -7,6 +7,7 @@ licenses(["notice"])  # Apache 2
 api_proto_package(
     deps = [
         "//envoy/config/core/v3:pkg",
+        "//envoy/config/route/v3:pkg",
         "//envoy/extensions/common/ratelimit/v3:pkg",
         "//envoy/type/v3:pkg",
         "@com_github_cncf_xds//udpa/annotations:pkg",

api/envoy/extensions/filters/http/local_ratelimit/v3/local_rate_limit.proto

@@ -3,6 +3,7 @@ syntax = "proto3";
 package envoy.extensions.filters.http.local_ratelimit.v3;
 
 import "envoy/config/core/v3/base.proto";
+import "envoy/config/route/v3/route_components.proto";
 import "envoy/extensions/common/ratelimit/v3/ratelimit.proto";
 import "envoy/type/v3/http_status.proto";
 import "envoy/type/v3/token_bucket.proto";
@@ -22,7 +23,7 @@ option (udpa.annotations.file_status).package_version_status = ACTIVE;
 // Local Rate limit :ref:`configuration overview <config_http_filters_local_rate_limit>`.
 // [#extension: envoy.filters.http.local_ratelimit]
 
-// [#next-free-field: 17]
+// [#next-free-field: 18]
 message LocalRateLimit {
   // The human readable prefix to use when emitting stats.
   string stat_prefix = 1 [(validate.rules).string = {min_len: 1}];
@@ -147,4 +148,23 @@ message LocalRateLimit {
   // of the default ``UNAVAILABLE`` gRPC code for a rate limited gRPC call. The
   // HTTP code will be 200 for a gRPC response.
   bool rate_limited_as_resource_exhausted = 15;
+
+  // Rate limit configuration that is used to generate a list of descriptor entries based on
+  // the request context. The generated entries will be used to find one or multiple matched rate
+  // limit rule from the ``descriptors``.
+  // If this is set, then
+  // :ref:`VirtualHost.rate_limits<envoy_v3_api_field_config.route.v3.VirtualHost.rate_limits>` or
+  // :ref:`RouteAction.rate_limits<envoy_v3_api_field_config.route.v3.RouteAction.rate_limits>` fields
+  // will be ignored.
+  //
+  // .. note::
+  //   Not all configuration fields of
+  //   :ref:`rate limit config <envoy_v3_api_msg_config.route.v3.RateLimit>` is supported at here.
+  //   Following fields are not supported:
+  //
+  //   1. :ref:`rate limit stage <envoy_v3_api_field_config.route.v3.RateLimit.stage>`.
+  //   2. :ref:`dynamic metadata <envoy_v3_api_field_config.route.v3.RateLimit.Action.dynamic_metadata>`.
+  //   3. :ref:`disable_key <envoy_v3_api_field_config.route.v3.RateLimit.disable_key>`.
+  //   4. :ref:`override limit <envoy_v3_api_field_config.route.v3.RateLimit.limit>`.
+  repeated config.route.v3.RateLimit rate_limits = 17;
 }

api/envoy/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto

@@ -493,6 +493,7 @@ message HttpConnectionManager {
 
   // The maximum request headers size for incoming connections.
   // If unconfigured, the default max request headers allowed is 60 KiB.
+  // The default value can be overridden by setting runtime key ``envoy.reloadable_features.max_request_headers_size_kb``.
   // Requests that exceed this limit will receive a 431 response.
   //
   // Note: currently some protocol codecs impose limits on the maximum size of a single header:

api/envoy/extensions/transport_sockets/http_11_proxy/v3/upstream_http_11_connect.proto

@@ -5,7 +5,6 @@ package envoy.extensions.transport_sockets.http_11_proxy.v3;
 import "envoy/config/core/v3/base.proto";
 
 import "udpa/annotations/status.proto";
-import "validate/validate.proto";
 
 option java_package = "io.envoyproxy.envoy.extensions.transport_sockets.http_11_proxy.v3";
 option java_outer_classname = "UpstreamHttp11ConnectProto";
@@ -34,6 +33,6 @@ option (udpa.annotations.file_status).package_version_status = ACTIVE;
 // proxy address in ``config::core::v3::Address`` format.
 //
 message Http11ProxyUpstreamTransport {
-  // The underlying transport socket being wrapped.
-  config.core.v3.TransportSocket transport_socket = 1 [(validate.rules).message = {required: true}];
+  // The underlying transport socket being wrapped. Defaults to plaintext (raw_buffer) if unset.
+  config.core.v3.TransportSocket transport_socket = 1;
 }

api/envoy/extensions/transport_sockets/tls/v3/common.proto

@@ -290,12 +290,12 @@ message TlsSessionTicketKeys {
 // respect to the TLS handshake.
 // [#not-implemented-hide:]
 message CertificateProviderPluginInstance {
-  // Provider instance name. If not present, defaults to "default".
+  // Provider instance name.
   //
   // Instance names should generally be defined not in terms of the underlying provider
   // implementation (e.g., "file_watcher") but rather in terms of the function of the
   // certificates (e.g., "foo_deployment_identity").
-  string instance_name = 1;
+  string instance_name = 1 [(validate.rules).string = {min_len: 1}];
 
   // Opaque name used to specify certificate instances or types. For example, "ROOTCA" to specify
   // a root-certificate (validation context) or "example.com" to specify a certificate for a

bazel/cel-cpp.patch

@@ -1,3 +1,15 @@
+diff --git a/base/attribute.h b/base/attribute.h
+index 9462c180..d6dcce83 100644
+--- a/base/attribute.h
++++ b/base/attribute.h
+@@ -23,6 +23,7 @@
+ #include <vector>
+
+ #include "absl/status/statusor.h"
++#include "absl/strings/str_cat.h"
+ #include "absl/strings/string_view.h"
+ #include "absl/types/optional.h"
+ #include "absl/types/span.h"
 diff --git a/base/memory.h b/base/memory.h
 index 3552e19..0fbe618 100644
 --- a/base/memory.h

bazel/external/boringssl_fips.genrule_cmd

@@ -44,7 +44,7 @@ fi
 
 curl -sLO https://github.com/llvm/llvm-project/releases/download/llvmorg-"$VERSION"/clang+llvm-"$VERSION"-"$PLATFORM".tar.xz
 echo "$SHA256" clang+llvm-"$VERSION"-"$PLATFORM".tar.xz | sha256sum --check
-tar xf clang+llvm-"$VERSION"-"$PLATFORM".tar.xz
+tar xf clang+llvm-"$VERSION"-"$PLATFORM".tar.xz --no-same-owner
 
 printf "set(CMAKE_C_COMPILER \"clang\")\nset(CMAKE_CXX_COMPILER \"clang++\")\n" > ${HOME}/toolchain
 export PATH="$PWD/clang+llvm-$VERSION-$PLATFORM/bin:$PATH"
@@ -66,7 +66,7 @@ fi
 
 curl -sLO https://dl.google.com/go/go"$VERSION"."$PLATFORM".tar.gz \
   && echo "$SHA256" go"$VERSION"."$PLATFORM".tar.gz | sha256sum --check
-tar xf go"$VERSION"."$PLATFORM".tar.gz
+tar xf go"$VERSION"."$PLATFORM".tar.gz --no-same-owner
 
 export GOPATH="$PWD/gopath"
 export GOROOT="$PWD/go"
@@ -82,7 +82,7 @@ VERSION=1.10.2
 SHA256=ce35865411f0490368a8fc383f29071de6690cbadc27704734978221f25e2bed
 curl -sLO https://github.com/ninja-build/ninja/archive/refs/tags/v"$VERSION".tar.gz \
   && echo "$SHA256" v"$VERSION".tar.gz | sha256sum --check
-tar -xvf v"$VERSION".tar.gz
+tar -xvf v"$VERSION".tar.gz --no-same-owner
 cd ninja-"$VERSION"
 python3 ./configure.py --bootstrap
 
@@ -106,7 +106,7 @@ fi
 
 curl -sLO https://github.com/Kitware/CMake/releases/download/v"$VERSION"/cmake-"$VERSION"-"$PLATFORM".tar.gz \
   && echo "$SHA256" cmake-"$VERSION"-"$PLATFORM".tar.gz | sha256sum --check
-tar xf cmake-"$VERSION"-"$PLATFORM".tar.gz
+tar xf cmake-"$VERSION"-"$PLATFORM".tar.gz --no-same-owner
 
 export PATH="$PWD/cmake-$VERSION-$PLATFORM/bin:$PATH"
 

bazel/external/quiche.BUILD

@@ -4775,6 +4775,7 @@ envoy_quiche_platform_impl_cc_library(
         "@com_google_absl//absl/flags:flag",
         "@com_google_absl//absl/log:absl_check",
         "@com_google_absl//absl/log:absl_log",
+        "@com_google_absl//absl/log:flags",
     ],
 )