Merge remote-tracking branch 'upstream/master' into xds-transport-next

api/envoy/config/cluster/v3/cluster.proto

@@ -818,7 +818,6 @@ message Cluster {
   // of 100 would indicate that the request took the entirety of the timeout given to it.
   bool track_timeout_budgets = 47;
 
-  // [#not-implemented-hide:]
   // Optional customization and configuration of upstream connection pool, and upstream type.
   //
   // Currently this field only applies for HTTP traffic but is designed for eventual use for custom

api/envoy/config/cluster/v4alpha/cluster.proto

@@ -819,7 +819,6 @@ message Cluster {
   // of 100 would indicate that the request took the entirety of the timeout given to it.
   bool track_timeout_budgets = 47;
 
-  // [#not-implemented-hide:]
   // Optional customization and configuration of upstream connection pool, and upstream type.
   //
   // Currently this field only applies for HTTP traffic but is designed for eventual use for custom

api/envoy/config/filter/http/health_check/v2/health_check.proto

@@ -37,6 +37,11 @@ message HealthCheck {
   // If operating in non-pass-through mode, specifies a set of upstream cluster
   // names and the minimum percentage of servers in each of those clusters that
   // must be healthy or degraded in order for the filter to return a 200.
+  //
+  // .. note::
+  //
+  //    This value is interpreted as an integer by truncating, so 12.50% will be calculated
+  //    as if it were 12%.
   map<string, type.Percent> cluster_min_healthy_percentages = 4;
 
   // Specifies a set of health check request headers to match on. The health check filter will

api/envoy/extensions/clusters/dynamic_forward_proxy/v3/cluster.proto

@@ -27,4 +27,9 @@ message ClusterConfig {
   // <envoy_api_field_extensions.filters.http.dynamic_forward_proxy.v3.FilterConfig.dns_cache_config>`.
   common.dynamic_forward_proxy.v3.DnsCacheConfig dns_cache_config = 1
       [(validate.rules).message = {required: true}];
+
+  // If true allow the cluster configuration to disable the auto_sni and auto_san_validation options
+  // in the :ref:`cluster's upstream_http_protocol_options
+  // <envoy_api_field_config.cluster.v3.Cluster.upstream_http_protocol_options>`
+  bool allow_insecure_cluster_options = 2;
 }

api/envoy/extensions/filters/http/ext_authz/v3/ext_authz.proto

@@ -213,6 +213,11 @@ message AuthorizationResponse {
   // Note that coexistent headers will be overridden.
   type.matcher.v3.ListStringMatcher allowed_upstream_headers = 1;
 
+  // When this :ref:`list <envoy_api_msg_type.matcher.v3.ListStringMatcher>` is set, authorization
+  // response headers that have a correspondent match will be added to the client's response. Note
+  // that coexistent headers will be appended.
+  type.matcher.v3.ListStringMatcher allowed_upstream_headers_to_append = 3;
+
   // When this :ref:`list <envoy_api_msg_type.matcher.v3.ListStringMatcher>`. is set, authorization
   // response headers that have a correspondent match will be added to the client's response. Note
   // that when this list is *not* set, all the authorization response headers, except *Authority

api/envoy/extensions/filters/http/ext_authz/v4alpha/ext_authz.proto

@@ -213,6 +213,11 @@ message AuthorizationResponse {
   // Note that coexistent headers will be overridden.
   type.matcher.v4alpha.ListStringMatcher allowed_upstream_headers = 1;
 
+  // When this :ref:`list <envoy_api_msg_type.matcher.v4alpha.ListStringMatcher>` is set, authorization
+  // response headers that have a correspondent match will be added to the client's response. Note
+  // that coexistent headers will be appended.
+  type.matcher.v4alpha.ListStringMatcher allowed_upstream_headers_to_append = 3;
+
   // When this :ref:`list <envoy_api_msg_type.matcher.v4alpha.ListStringMatcher>`. is set, authorization
   // response headers that have a correspondent match will be added to the client's response. Note
   // that when this list is *not* set, all the authorization response headers, except *Authority

api/envoy/extensions/filters/http/health_check/v3/health_check.proto

@@ -38,6 +38,11 @@ message HealthCheck {
   // If operating in non-pass-through mode, specifies a set of upstream cluster
   // names and the minimum percentage of servers in each of those clusters that
   // must be healthy or degraded in order for the filter to return a 200.
+  //
+  // .. note::
+  //
+  //    This value is interpreted as an integer by truncating, so 12.50% will be calculated
+  //    as if it were 12%.
   map<string, type.v3.Percent> cluster_min_healthy_percentages = 4;
 
   // Specifies a set of health check request headers to match on. The health check filter will

api/envoy/extensions/filters/http/health_check/v4alpha/health_check.proto

@@ -38,6 +38,11 @@ message HealthCheck {
   // If operating in non-pass-through mode, specifies a set of upstream cluster
   // names and the minimum percentage of servers in each of those clusters that
   // must be healthy or degraded in order for the filter to return a 200.
+  //
+  // .. note::
+  //
+  //    This value is interpreted as an integer by truncating, so 12.50% will be calculated
+  //    as if it were 12%.
   map<string, type.v3.Percent> cluster_min_healthy_percentages = 4;
 
   // Specifies a set of health check request headers to match on. The health check filter will

api/envoy/extensions/filters/network/redis_proxy/v3/redis_proxy.proto

@@ -22,7 +22,7 @@ option (udpa.annotations.file_status).package_version_status = ACTIVE;
 // Redis Proxy :ref:`configuration overview <config_network_filters_redis_proxy>`.
 // [#extension: envoy.filters.network.redis_proxy]
 
-// [#next-free-field: 7]
+// [#next-free-field: 8]
 message RedisProxy {
   option (udpa.annotations.versioning).previous_message_type =
       "envoy.config.filter.network.redis_proxy.v2.RedisProxy";
@@ -234,6 +234,18 @@ message RedisProxy {
   // client. If an AUTH command is received when the password is not set, then an "ERR Client sent
   // AUTH, but no password is set" error will be returned.
   config.core.v3.DataSource downstream_auth_password = 6 [(udpa.annotations.sensitive) = true];
+
+  // If a username is provided an ACL style AUTH command will be required with a username and password.
+  // Authenticate Redis client connections locally by forcing downstream clients to issue a `Redis
+  // AUTH command <https://redis.io/commands/auth>`_ with this username and the *downstream_auth_password*
+  // before enabling any other command. If an AUTH command's username and password matches this username
+  // and the *downstream_auth_password* , an "OK" response will be returned to the client. If the AUTH
+  // command username or password does not match this username or the *downstream_auth_password*, then an
+  // "WRONGPASS invalid username-password pair" error will be returned. If any other command is received before AUTH when this
+  // password is set, then a "NOAUTH Authentication required." error response will be sent to the
+  // client. If an AUTH command is received when the password is not set, then an "ERR Client sent
+  // AUTH, but no ACL is set" error will be returned.
+  config.core.v3.DataSource downstream_auth_username = 7 [(udpa.annotations.sensitive) = true];
 }
 
 // RedisProtocolOptions specifies Redis upstream protocol options. This object is used in
@@ -246,4 +258,8 @@ message RedisProtocolOptions {
   // Upstream server password as defined by the `requirepass` directive
   // <https://redis.io/topics/config>`_ in the server's configuration file.
   config.core.v3.DataSource auth_password = 1 [(udpa.annotations.sensitive) = true];
+
+  // Upstream server username as defined by the `user` directive
+  // <https://redis.io/topics/acl>`_ in the server's configuration file.
+  config.core.v3.DataSource auth_username = 2 [(udpa.annotations.sensitive) = true];
 }

api/envoy/extensions/filters/udp/dns_filter/v3alpha/dns_filter.proto

@@ -2,6 +2,7 @@ syntax = "proto3";
 
 package envoy.extensions.filters.udp.dns_filter.v3alpha;
 
+import "envoy/config/core/v3/address.proto";
 import "envoy/config/core/v3/base.proto";
 import "envoy/data/dns/v3/dns_table.proto";
 
@@ -46,14 +47,19 @@ message DnsFilterConfig {
   message ClientContextConfig {
     // Sets the maximum time we will wait for the upstream query to complete
     // We allow 5s for the upstream resolution to complete, so the minimum
-    // value here is 5
-    google.protobuf.Duration resolver_timeout = 1 [(validate.rules).duration = {gte {seconds: 5}}];
+    // value here is 1. Note that the total latency for a failed query is the
+    // number of retries multiplied by the resolver_timeout.
+    google.protobuf.Duration resolver_timeout = 1 [(validate.rules).duration = {gte {seconds: 1}}];
 
-    // A list of DNS servers to which we can forward queries
-    repeated string upstream_resolvers = 2 [(validate.rules).repeated = {
-      min_items: 1
-      items {string {min_len: 3}}
-    }];
+    // A list of DNS servers to which we can forward queries. If not
+    // specified, Envoy will use the ambient DNS resolvers in the
+    // system.
+    repeated config.core.v3.Address upstream_resolvers = 2;
+
+    // Controls how many outstanding external lookup contexts the filter tracks.
+    // The context structure allows the filter to respond to every query even if the external
+    // resolution times out or is otherwise unsuccessful
+    uint64 max_pending_lookups = 3 [(validate.rules).uint64 = {gte: 1}];
   }
 
   // The stat prefix used when emitting DNS filter statistics

api/envoy/extensions/filters/udp/dns_filter/v4alpha/dns_filter.proto

@@ -2,6 +2,7 @@ syntax = "proto3";
 
 package envoy.extensions.filters.udp.dns_filter.v4alpha;
 
+import "envoy/config/core/v4alpha/address.proto";
 import "envoy/config/core/v4alpha/base.proto";
 import "envoy/data/dns/v4alpha/dns_table.proto";
 
@@ -56,14 +57,19 @@ message DnsFilterConfig {
 
     // Sets the maximum time we will wait for the upstream query to complete
     // We allow 5s for the upstream resolution to complete, so the minimum
-    // value here is 5
-    google.protobuf.Duration resolver_timeout = 1 [(validate.rules).duration = {gte {seconds: 5}}];
-
-    // A list of DNS servers to which we can forward queries
-    repeated string upstream_resolvers = 2 [(validate.rules).repeated = {
-      min_items: 1
-      items {string {min_len: 3}}
-    }];
+    // value here is 1. Note that the total latency for a failed query is the
+    // number of retries multiplied by the resolver_timeout.
+    google.protobuf.Duration resolver_timeout = 1 [(validate.rules).duration = {gte {seconds: 1}}];
+
+    // A list of DNS servers to which we can forward queries. If not
+    // specified, Envoy will use the ambient DNS resolvers in the
+    // system.
+    repeated config.core.v4alpha.Address upstream_resolvers = 2;
+
+    // Controls how many outstanding external lookup contexts the filter tracks.
+    // The context structure allows the filter to respond to every query even if the external
+    // resolution times out or is otherwise unsuccessful
+    uint64 max_pending_lookups = 3 [(validate.rules).uint64 = {gte: 1}];
   }
 
   // The stat prefix used when emitting DNS filter statistics

api/envoy/service/status/v3/csds.proto

@@ -64,7 +64,7 @@ message ClientStatusRequest {
 }
 
 // Detailed config (per xDS) with status.
-// [#next-free-field: 6]
+// [#next-free-field: 7]
 message PerXdsConfig {
   option (udpa.annotations.versioning).previous_message_type =
       "envoy.service.status.v2.PerXdsConfig";
@@ -79,6 +79,9 @@ message PerXdsConfig {
     admin.v3.RoutesConfigDump route_config = 4;
 
     admin.v3.ScopedRoutesConfigDump scoped_route_config = 5;
+
+    // [#not-implemented-hide:]
+    admin.v3.EndpointsConfigDump endpoint_config = 6;
   }
 }
 

api/envoy/service/status/v4alpha/csds.proto

@@ -64,7 +64,7 @@ message ClientStatusRequest {
 }
 
 // Detailed config (per xDS) with status.
-// [#next-free-field: 6]
+// [#next-free-field: 7]
 message PerXdsConfig {
   option (udpa.annotations.versioning).previous_message_type =
       "envoy.service.status.v3.PerXdsConfig";
@@ -79,6 +79,9 @@ message PerXdsConfig {
     admin.v4alpha.RoutesConfigDump route_config = 4;
 
     admin.v4alpha.ScopedRoutesConfigDump scoped_route_config = 5;
+
+    // [#not-implemented-hide:]
+    admin.v4alpha.EndpointsConfigDump endpoint_config = 6;
   }
 }
 

bazel/dependency_imports.bzl

@@ -8,7 +8,7 @@ load("@config_validation_pip3//:requirements.bzl", config_validation_pip_install
 load("@protodoc_pip3//:requirements.bzl", protodoc_pip_install = "pip_install")
 
 # go version for rules_go
-GO_VERSION = "1.13.5"
+GO_VERSION = "1.14.4"
 
 def envoy_dependency_imports(go_version = GO_VERSION):
     rules_foreign_cc_dependencies()

bazel/repository_locations.bzl

@@ -418,9 +418,9 @@ DEPENDENCY_REPOSITORIES = dict(
         cpe = "N/A",
     ),
     com_googlesource_googleurl = dict(
-        # Static snapshot of https://quiche.googlesource.com/quiche/+archive/googleurl_dbf5ad147f60afc125e99db7549402af49a5eae8.tar.gz
-        sha256 = "b40cd22cadba577b7281a76db66f6a66dd744edbad8cc2c861c2c976ef721e4d",
-        urls = ["https://storage.googleapis.com/quiche-envoy-integration/googleurl_dbf5ad147f60afc125e99db7549402af49a5eae8.tar.gz"],
+        # Static snapshot of https://quiche.googlesource.com/quiche/+archive/googleurl_6dafefa72cba2ab2ba4922d17a30618e9617c7cf.tar.gz
+        sha256 = "f1ab73ddd1a7db4e08a9e4db6c2e98e5a0a7bbaca08f5fee0d73adb02c24e44a",
+        urls = ["https://storage.googleapis.com/quiche-envoy-integration/googleurl_6dafefa72cba2ab2ba4922d17a30618e9617c7cf.tar.gz"],
         use_category = ["dataplane"],
         cpe = "N/A",
     ),
@@ -432,10 +432,14 @@ DEPENDENCY_REPOSITORIES = dict(
         use_category = ["dataplane"],
         cpe = "N/A",
     ),
+    # TODO(shikugawa): replace this with release tag after released package which includes
+    # disable pthread when build with emscripten. We use hash temporary to enable our changes to
+    # build envoy-wasm library with emscripten. https://github.com/google/re2/pull/263
     com_googlesource_code_re2 = dict(
-        sha256 = "04ee2aaebaa5038554683329afc494e684c30f82f2a1e47eb62450e59338f84d",
-        strip_prefix = "re2-2020-03-03",
-        urls = ["https://github.com/google/re2/archive/2020-03-03.tar.gz"],
+        sha256 = "455bcacd2b94fca8897decd81172c5a93e5303ea0e5816b410877c51d6179ffb",
+        strip_prefix = "re2-2b25567a8ee3b6e97c3cd05d616f296756c52759",
+        # 2020-06-08
+        urls = ["https://github.com/google/re2/archive/2b25567a8ee3b6e97c3cd05d616f296756c52759.tar.gz"],
         use_category = ["dataplane"],
         cpe = "N/A",
     ),

ci/Dockerfile-envoy-alpine

@@ -1,4 +1,4 @@
-FROM frolvlad/alpine-glibc
+FROM frolvlad/alpine-glibc:alpine-3.12_glibc-2.31
 
 RUN mkdir -p /etc/envoy
 

ci/Dockerfile-envoy-alpine-debug

@@ -1,4 +1,4 @@
-FROM frolvlad/alpine-glibc
+FROM frolvlad/alpine-glibc:alpine-3.12_glibc-2.31
 
 RUN mkdir -p /etc/envoy
 

ci/verify_examples.sh

@@ -23,8 +23,9 @@ cd ../
 
 # Test grpc bridge example
 # install go
-curl -O https://storage.googleapis.com/golang/go1.13.5.linux-amd64.tar.gz
-tar -xf go1.13.5.linux-amd64.tar.gz
+GO_VERSION="1.14.4"
+curl -O https://storage.googleapis.com/golang/go$GO_VERSION.linux-amd64.tar.gz
+tar -xf go$GO_VERSION.linux-amd64.tar.gz
 sudo mv go /usr/local
 export PATH=$PATH:/usr/local/go/bin
 export GOPATH=$HOME/go

docs/root/configuration/listeners/udp_filters/dns_filter.rst

@@ -40,8 +40,13 @@ Example Configuration
       client_config:
         resolution_timeout: 5s
         upstream_resolvers:
-        - "8.8.8.8"
-        - "8.8.4.4"
+        - socket_address:
+            address: "8.8.8.8"
+            port_value: 53
+        - socket_address:
+            address: "8.8.4.4"
+            port_value: 53
+        max_pending_lookups: 256
       server_config:
         inline_dns_table:
           known_suffixes:

docs/root/intro/arch_overview/security/threat_model.rst

@@ -15,16 +15,34 @@ highest priority concerns. Availability, in particular in areas relating to DoS
 exhaustion, is also a serious security concern for Envoy operators, in particular those utilizing
 Envoy in edge deployments.
 
-The Envoy availability stance around CPU and memory DoS, as well as Query-of-Death (QoD), is still
-evolving. We will continue to iterate and fix well known resource issues in the open, e.g. overload
-manager and watermark improvements. We will activate the security process for disclosures that
-appear to present a risk profile that is significantly greater than the current Envoy availability
-hardening status quo. Examples of disclosures that would elicit this response:
-
-* QoD; where a single query from a client can bring down an Envoy server.
-
-* Highly asymmetric resource exhaustion attacks, where very little traffic can cause resource exhaustion,
-  e.g. that delivered by a single client.
+We will activate the security release process for disclosures that meet the following criteria:
+
+* All issues that lead to loss of data confidentiality or integrity trigger the security release process.
+* An availability issue, such as Query-of-Death (QoD) or resource exhaustion needs to meet all of the
+  following criteria to trigger the security release process:
+
+  - A component tagged as hardened is affected (see `Core and extensions`_ for the list of hardened components).
+
+  - The type of traffic (upstream or downstream) that exhibits the issue matches the component's hardening tag.
+    I.e. component tagged as “hardened to untrusted downstream” is affected by downstream request.
+
+  - A resource exhaustion issue needs to meet these additional criteria:
+
+    + Not covered by an existing timeout or where applying short timeout values is impractical and either
+
+      + Memory exhaustion, including out of memory conditions, where per-request memory use 100x or more above
+	the configured header or high watermark limit. I.e. 10 KiB client request leading to 1 MiB bytes of
+	memory consumed by Envoy;
+
+      + Highly asymmetric CPU utilization where Envoy uses 100x or more CPU compared to client.
+
+
+The Envoy availability stance around CPU and memory DoS is still evolving, especially for brute force
+attacks. We acknowledge that brute force (i.e. these with amplification factor less than 100) attacks are
+likely for Envoy deployments as part of cloud infrastructure or with the use of botnets. We will continue
+to iterate and fix well known resource issues in the open, e.g. overload manager and watermark improvements.
+We will activate the security process for brute force disclosures that appear to present a risk to
+existing Envoy deployments.
 
 Note that we do not currently consider the default settings for Envoy to be safe from an availability
 perspective. It is necessary for operators to explicitly :ref:`configure <best_practices_edge>`