Merge remote-tracking branch 'upstream/main' into set_filter_state

.azure-pipelines/pipelines.yml

@@ -45,7 +45,7 @@ variables:
 ## Variable settings
 # Caches (tip: append a version suffix while testing caches)
 - name: cacheKeyVersion
-  value: v2
+  value: v3
 - name: cacheKeyBazel
   value: '.bazelversion | ./WORKSPACE | **/*.bzl, !mobile/**, !envoy-docs/**'
 - name: cacheKeyDocker

.azure-pipelines/stage/verify.yml

@@ -12,8 +12,7 @@ jobs:
   displayName: Debs (x64)
   condition: and(not(canceled()), succeeded(), ne(stageDependencies.env.repo.outputs['changed.mobileOnly'], 'true'), ne(stageDependencies.env.repo.outputs['changed.docsOnly'], 'true'), ne(stageDependencies.env.repo.outputs['changed.examplesOnly'], 'true'))
   timeoutInMinutes: 120
-  pool:
-    vmImage: $(agentUbuntu)
+  pool: envoy-x64-small
   steps:
   - task: DownloadBuildArtifacts@0
     inputs:
@@ -27,6 +26,7 @@ jobs:
       ciTarget: verify_distro
       cacheName: verify_distro
       publishTestResults: false
+      tmpfsDockerDisabled: true
       env:
         ENVOY_DOCKER_IN_DOCKER: 1
 

.github/actions/pr_notifier/requirements.txt

@@ -210,7 +210,9 @@ pynacl==1.4.0 \
 python-dateutil==2.8.2 \
     --hash=sha256:0123cacc1627ae19ddf3c27a5de5bd67ee4586fbdd6440d9748f8abb483d3e86 \
     --hash=sha256:961d03dc3453ebbc59dbdea9e4e11c5651520a876d0f4db161e8674aae935da9
-    # via pygithub
+    # via
+    #   icalendar
+    #   pygithub
 pytz==2023.3.post1 \
     --hash=sha256:7b4fddbeb94a1eba4b557da24f19fdf9db575192544270a9101d8509f9f43d7b \
     --hash=sha256:ce42d816b81b68506614c11e8937d3aa9e41007ceb50bfdcb0749b921bf646c7
@@ -227,17 +229,17 @@ six==1.16.0 \
     # via
     #   pynacl
     #   python-dateutil
-slack-sdk==3.22.0 \
-    --hash=sha256:6eacce0fa4f8cfb4d84eac0d7d7e1b1926040a2df654ae86b94179bdf2bc4d8c \
-    --hash=sha256:f102a4902115dff3b97c3e8883ad4e22d54732221886fc5ef29bfc290f063b4a
+slack-sdk==3.23.0 \
+    --hash=sha256:2a8513505cced20ceee22b5b49c11d9545caa6234b56bf0ad47133ea5b357d10 \
+    --hash=sha256:9d6ebc4ff74e7983e1b27dbdb0f2bb6fc3c2a2451694686eaa2be23bbb085a73
     # via -r requirements.in
 typing-extensions==4.8.0 \
     --hash=sha256:8f92fc8806f9a6b641eaa5318da32b44d401efaac0f6678c9bc448ba3605faa0 \
     --hash=sha256:df8e4339e9cb77357558cbdbceca33c303714cf861d1eef15e1070055ae8b7ef
     # via pygithub
-urllib3==1.26.6 \
-    --hash=sha256:39fb8672126159acb139a7718dd10806104dec1e2f0f6c88aab05d17df10c8d4 \
-    --hash=sha256:f57b4c16c62fa2760b7e3d97c35b255512fb6b59a259730f36ba32ce9f8e342f
+urllib3==1.26.17 \
+    --hash=sha256:24d6a242c28d29af46c3fae832c36db3bbebcc533dd1bb549172cd739c82df21 \
+    --hash=sha256:94a757d178c9be92ef5539b8840d48dc9cf1b2709c9d6b588232a055c524458b
     # via
     #   pygithub
     #   requests

.github/workflows/_ci.yml

@@ -96,21 +96,26 @@ jobs:
       with:
         image_tag: ${{ inputs.cache_build_image }}
 
-    # If the run is "trusted" (ie has access to secrets) then it should
-    # **not** set the ref and should use the code of the calling context.
-    - if: ${{ inputs.repo_ref && inputs.trusted }}
-      run: |
-        echo '`repo_ref` should not be set for trusted CI runs'
-        exit 1
-
     - uses: actions/checkout@v4
       name: Checkout Envoy repository
       with:
-        fetch-depth: ${{ inputs.repo_fetch_depth }}
+        fetch-depth: ${{ ! inputs.trusted && inputs.repo_fetch_depth || 0 }}
         # WARNING: This allows untrusted code to run!!!
         #  If this is set, then anything before or after in the job should be regarded as
         #  compromised.
         ref: ${{ ! inputs.trusted && inputs.repo_ref || '' }}
+
+    # If we are in a trusted CI run then the provided commit _must_ be either the latest for
+    # this branch, or an antecdent.
+    - run: |
+        if ! git merge-base --is-ancestor "${{ inputs.repo_ref }}" HEAD; then
+            echo "Provided Envoy ref (${{ inputs.repo_ref }}) is not an ancestor of current branch" >&2
+            exit 1
+        fi
+        git checkout "${{ inputs.repo_ref }}"
+      if: ${{ inputs.trusted }}
+      name: Check provided ref
+
     - name: Add safe directory
       run: git config --global --add safe.directory /__w/envoy/envoy
 

.github/workflows/_stage_publish.yml

@@ -93,6 +93,7 @@ jobs:
       run_pre_with: ${{ matrix.run_pre_with }}
       env: ${{ matrix.env }}
       trusted: true
+      repo_ref: ${{ inputs.repo_ref }}
 
   publish_docs:
     # For normal commits to Envoy main this will trigger an update in the website repo,

.github/workflows/_stage_verify.yml

@@ -50,4 +50,4 @@ jobs:
       run_pre_with: ${{ matrix.run_pre_with }}
       env: ${{ matrix.env }}
       trusted: ${{ inputs.trusted }}
-      repo_ref: ${{ ! inputs.trusted && inputs.repo_ref || '' }}
+      repo_ref: ${{ inputs.repo_ref }}

.github/workflows/envoy-publish.yml

@@ -54,7 +54,7 @@ jobs:
       trusted: ${{ needs.env.outputs.trusted == 'true' && true || false }}
       version_dev: ${{ needs.env.outputs.version_dev }}
       given_ref: ${{ inputs.ref }}
-      repo_ref: ${{ needs.env.outputs.trusted != 'true' && inputs.ref || '' }}
+      repo_ref: ${{ inputs.ref }}
     permissions:
       contents: write
     secrets:
@@ -69,4 +69,4 @@ jobs:
     with:
       trusted: ${{ needs.env.outputs.trusted == 'true' && true || false }}
       given_ref: ${{ inputs.ref }}
-      repo_ref: ${{ needs.env.outputs.trusted != 'true' && needs.env.outputs.repo_ref || '' }}
+      repo_ref: ${{ inputs.ref }}

CODEOWNERS

@@ -26,7 +26,7 @@ extensions/filters/common/original_src @klarose @mattklein123
 /*/extensions/filters/http/ext_proc @gbrail @stevenzzzz @tyxia @mattklein123 @htuch @yanavlasov
 /*/extensions/filters/common/mutation_rules @gbrail @tyxia @mattklein123 @htuch @yanavlasov
 # jwt_authn http filter extension
-/*/extensions/filters/http/jwt_authn @qiwzhang @lizan
+/*/extensions/filters/http/jwt_authn @taoxuy @lizan
 # grpc_field_extraction http filter extension
 /*/extensions/filters/http/grpc_field_extraction @taoxuy @nareddyt @yanavlasov
 # grpc_http1_reverse_bridge http filter extension
@@ -112,7 +112,7 @@ extensions/filters/common/original_src @klarose @mattklein123
 /*/extensions/filters/http/grpc_http1_bridge @jose @mattklein123
 /*/extensions/filters/http/fault @rshriram @alyssawilk
 /*/extensions/filters/common/fault @rshriram @alyssawilk
-/*/extensions/filters/http/grpc_json_transcoder @qiwzhang @lizan
+/*/extensions/filters/http/grpc_json_transcoder @nareddyt @lizan
 /*/extensions/filters/http/router @alyssawilk @mattklein123
 /*/extensions/filters/common/rbac/matchers @conqerAtapple @ggreenway @alyssawilk
 /*/extensions/filters/http/grpc_web @fengli79 @lizan

SECURITY.md

@@ -465,11 +465,11 @@ and security team to ensure they still qualify for inclusion on the list.
 
 | Organization  | End User | Last Review |
 |:-------------:|:--------:|:-----------:|
-| Aspen Mesh    | No       | 06/21       |
 | AWS           | No       | 06/21       |
 | Cilium        | No       | 06/21       |
 | Cloud Foundry | No       | 06/21       |
 | Datawire      | No       | 06/21       |
+| F5            | No       | 06/21       |
 | Google        | No       | 06/21       |
 | IBM           | No       | 06/21       |
 | Istio         | No       | 06/21       |

api/bazel/api_build_system.bzl

@@ -11,7 +11,7 @@ load(
     "EXTERNAL_PROTO_PY_BAZEL_DEP_MAP",
 )
 load(
-    "@envoy//bazel/cc_proto_descriptor_library:builddefs.bzl",
+    "//bazel/cc_proto_descriptor_library:builddefs.bzl",
     "cc_proto_descriptor_library",
 )
 

bazel/cc_proto_descriptor_library/testdata/test1.proto → api/bazel/cc_proto_descriptor_library/testdata/test1.proto

@@ -2,8 +2,6 @@ syntax = "proto2";
 
 package testdata.dynamic_descriptors;
 
-import "bazel/cc_proto_descriptor_library/testdata/test.proto";
-
 message FooCopy {
   optional string bar = 1;
 

bazel/cc_proto_descriptor_library/text_format_transcoder.cc → api/bazel/cc_proto_descriptor_library/text_format_transcoder.cc

@@ -93,7 +93,7 @@ std::unique_ptr<google::protobuf::Message> TextFormatTranscoder::createEmptyDyna
     absl::string_view type_name, google::protobuf::io::ErrorCollector* error_collector) const {
   const google::protobuf::Descriptor* descriptor =
       internals_->descriptor_pool.FindMessageTypeByName(std::string(type_name));
-  // If you're built with the full runtime then embeddng the descriptors and
+  // If you're built with the full runtime then embedding the descriptors and
   // loading them would be information duplicated by the global descriptor
   // pool which hurts builds like superroot that are near all the blaze/forge
   // size limits. Teams that care about not silently falling into this fallback

api/envoy/config/core/v3/protocol.proto

@@ -85,7 +85,7 @@ message QuicProtocolOptions {
       [(validate.rules).uint32 = {lte: 25165824 gte: 1}];
 
   // The number of timeouts that can occur before port migration is triggered for QUIC clients.
-  // This defaults to 1. If set to 0, port migration will not occur on path degrading.
+  // This defaults to 4. If set to 0, port migration will not occur on path degrading.
   // Timeout here refers to QUIC internal path degrading timeout mechanism, such as PTO.
   // This has no effect on server sessions.
   google.protobuf.UInt32Value num_timeouts_to_trigger_port_migration = 4

api/envoy/extensions/filters/http/oauth2/v3/oauth.proto

@@ -7,6 +7,8 @@ import "envoy/config/route/v3/route_components.proto";
 import "envoy/extensions/transport_sockets/tls/v3/secret.proto";
 import "envoy/type/matcher/v3/path.proto";
 
+import "google/protobuf/wrappers.proto";
+
 import "udpa/annotations/status.proto";
 import "validate/validate.proto";
 
@@ -71,7 +73,7 @@ message OAuth2Credentials {
 
 // OAuth config
 //
-// [#next-free-field: 12]
+// [#next-free-field: 13]
 message OAuth2Config {
   enum AuthType {
     // The ``client_id`` and ``client_secret`` will be sent in the URL encoded request body.
@@ -123,6 +125,11 @@ message OAuth2Config {
   // Defines how ``client_id`` and ``client_secret`` are sent in OAuth client to OAuth server requests.
   // RFC https://datatracker.ietf.org/doc/html/rfc6749#section-2.3.1
   AuthType auth_type = 11 [(validate.rules).enum = {defined_only: true}];
+
+  // If set to true, allows automatic access token refresh using the associated refresh token (see
+  // `RFC 6749 section 6 <https://datatracker.ietf.org/doc/html/rfc6749#section-6>`_), provided that the OAuth server supports that.
+  // Default value is false.
+  google.protobuf.BoolValue use_refresh_token = 12;
 }
 
 // Filter config.

api/envoy/extensions/filters/udp/udp_proxy/v3/udp_proxy.proto

@@ -3,10 +3,12 @@ syntax = "proto3";
 package envoy.extensions.filters.udp.udp_proxy.v3;
 
 import "envoy/config/accesslog/v3/accesslog.proto";
+import "envoy/config/core/v3/base.proto";
 import "envoy/config/core/v3/udp_socket_config.proto";
 
 import "google/protobuf/any.proto";
 import "google/protobuf/duration.proto";
+import "google/protobuf/wrappers.proto";
 
 import "xds/annotations/v3/status.proto";
 import "xds/type/matcher/v3/matcher.proto";
@@ -27,7 +29,7 @@ option (udpa.annotations.file_status).package_version_status = ACTIVE;
 // [#extension: envoy.filters.udp_listener.udp_proxy]
 
 // Configuration for the UDP proxy filter.
-// [#next-free-field: 12]
+// [#next-free-field: 13]
 message UdpProxyConfig {
   option (udpa.annotations.versioning).previous_message_type =
       "envoy.config.filter.udp.udp_proxy.v2alpha.UdpProxyConfig";
@@ -62,6 +64,104 @@ message UdpProxyConfig {
     }
   }
 
+  // Configuration for tunneling UDP over other transports or application layers.
+  // Tunneling is currently supported over HTTP/2.
+  // [#next-free-field: 10]
+  message UdpTunnelingConfig {
+    // Configuration for UDP datagrams buffering.
+    message BufferOptions {
+      // If set, the filter will only buffer datagrams up to the requested limit, and will drop
+      // new UDP datagrams if the buffer contains the max_buffered_datagrams value at the time
+      // of a new datagram arrival. If not set, the default value is 1024 datagrams.
+      google.protobuf.UInt32Value max_buffered_datagrams = 1;
+
+      // If set, the filter will only buffer datagrams up to the requested total buffered bytes limit,
+      // and will drop new UDP datagrams if the buffer contains the max_buffered_datagrams value
+      // at the time of a new datagram arrival. If not set, the default value is 16,384 (16KB).
+      google.protobuf.UInt64Value max_buffered_bytes = 2;
+    }
+
+    message RetryOptions {
+      // The maximum number of unsuccessful connection attempts that will be made before giving up.
+      // If the parameter is not specified, 1 connection attempt will be made.
+      google.protobuf.UInt32Value max_connect_attempts = 1;
+    }
+
+    // The hostname to send in the synthesized CONNECT headers to the upstream proxy.
+    // This field evaluates command operators if set, otherwise returns hostname as is.
+    //
+    // Example: dynamically set hostname using filter state
+    //
+    // .. code-block:: yaml
+    //
+    //    tunneling_config:
+    //      proxy_host: "%FILTER_STATE(proxy.host.key:PLAIN)%"
+    //
+    string proxy_host = 1 [(validate.rules).string = {min_len: 1}];
+
+    // Optional port value to add to the HTTP request URI.
+    // This value can be overridden per-session by setting the required port value for
+    // the filter state key ``udp.connect.proxy_port``.
+    google.protobuf.UInt32Value proxy_port = 2;
+
+    // The target host to send in the synthesized CONNECT headers to the upstream proxy.
+    // This field evaluates command operators if set, otherwise returns hostname as is.
+    //
+    // Example: dynamically set target host using filter state
+    //
+    // .. code-block:: yaml
+    //
+    //    tunneling_config:
+    //      target_host: "%FILTER_STATE(target.host.key:PLAIN)%"
+    //
+    string target_host = 3 [(validate.rules).string = {min_len: 1}];
+
+    // The default target port to send in the CONNECT headers to the upstream proxy.
+    // This value can be overridden per-session by setting the required port value for
+    // the filter state key ``udp.connect.target_port``.
+    uint32 default_target_port = 4 [(validate.rules).uint32 = {lte: 65535 gt: 0}];
+
+    // Use POST method instead of CONNECT method to tunnel the UDP stream.
+    //
+    // .. note::
+    //   If use_post is set, the upstream stream does not comply with the connect-udp RFC, and
+    //   instead it will be a POST request. the path used in the headers will be set from the
+    //   post_path field, and the headers will not contain the target host and target port, as
+    //   required by the connect-udp protocol. This flag should be used carefully.
+    //
+    bool use_post = 5;
+
+    // The path used with POST method. Default path is ``/``. If post path is specified and
+    // use_post field isn't true, it will be rejected.
+    string post_path = 6;
+
+    // Optional retry options, in case connecting to the upstream failed.
+    RetryOptions retry_options = 7;
+
+    // Additional request headers to upstream proxy. Neither ``:-prefixed`` pseudo-headers
+    // nor the Host: header can be overridden. Values of the added headers evaluates command
+    // operators if they are set in the value template.
+    //
+    // Example: dynamically set a header with the local port
+    //
+    // .. code-block:: yaml
+    //
+    //    headers_to_add:
+    //    - header:
+    //        key: original_dst_port
+    //        value: "%DOWNSTREAM_LOCAL_PORT%"
+    //
+    repeated config.core.v3.HeaderValueOption headers_to_add = 8
+        [(validate.rules).repeated = {max_items: 1000}];
+
+    // If configured, the filter will buffer datagrams in case that it is waiting for the upstream to be
+    // ready, whether if it is during the connection process or due to upstream buffer watermarks.
+    // If this field is not configured, there will be no buffering and downstream datagrams that arrive
+    // while the upstream is not ready will be dropped. In case this field is set but the options
+    // are not configured, the default values will be applied as described in the ``BufferOptions``.
+    BufferOptions buffer_options = 9;
+  }
+
   // The stat prefix used when emitting UDP proxy filter stats.
   string stat_prefix = 1 [(validate.rules).string = {min_len: 1}];
 
@@ -129,4 +229,8 @@ message UdpProxyConfig {
   // Only one of use_per_packet_load_balancing or session_filters can be used.
   // [#extension-category: envoy.filters.udp.session]
   repeated SessionFilter session_filters = 11;
+
+  // If set, this configures UDP tunneling. See `Proxying UDP in HTTP <https://www.rfc-editor.org/rfc/rfc9298.html>`_.
+  // More information can be found in the UDP Proxy and HTTP upgrade documentation.
+  UdpTunnelingConfig tunneling_config = 12;
 }

bazel/README.md

@@ -285,7 +285,7 @@ Envoy can also be built with the Docker image used for CI, by installing Docker
 On Linux, run:
 
 ```
-./ci/run_envoy_docker.sh './ci/do_ci.sh bazel.dev'
+./ci/run_envoy_docker.sh './ci/do_ci.sh dev'
 ```
 
 From a Windows host with Docker installed, the Windows containers feature enabled, and bash (installed via

bazel/external/quiche.BUILD

@@ -3826,10 +3826,7 @@ envoy_quic_cc_library(
 envoy_quic_cc_library(
     name = "quic_core_qpack_qpack_stream_sender_delegate_lib",
     hdrs = ["quiche/quic/core/qpack/qpack_stream_sender_delegate.h"],
-    deps = [
-        ":quic_core_types_lib",
-        ":quic_platform_base",
-    ],
+    deps = [":quic_platform_base"],
 )
 
 envoy_quic_cc_library(

bazel/repository_locations.bzl

@@ -1210,12 +1210,12 @@ REPOSITORY_LOCATIONS_SPEC = dict(
         project_name = "RE2",
         project_desc = "RE2, a regular expression library",
         project_url = "https://github.com/google/re2",
-        version = "2023-07-01",
-        sha256 = "18cf85922e27fad3ed9c96a27733037da445f35eb1a2744c306a37c6d11e95c4",
+        version = "2023-09-01",
+        sha256 = "5bb6875ae1cd1e9fedde98018c346db7260655f86fdb8837e3075103acd3649b",
         strip_prefix = "re2-{version}",
         urls = ["https://github.com/google/re2/archive/{version}.tar.gz"],
         use_category = ["controlplane", "dataplane_core"],
-        release_date = "2023-06-30",
+        release_date = "2023-08-31",
         cpe = "N/A",
         license = "BSD-3-Clause",
         license_url = "https://github.com/google/re2/blob/{version}/LICENSE",