Merge remote-tracking branch 'upstream/main' into update_deps_cel

Change-Id: I3de3c8c8b04d8269d1961e082cf33886aca19b03

.clang-tidy

@@ -83,6 +83,7 @@ CheckOptions:
     |Returns(Default)?WorkerId$|
     |^sched_getaffinity$|
     |^shutdownThread_$|
+    |^envoy_dynamic_module(.*)$|
     |TEST|
     |^use_count$)
 - key: readability-identifier-naming.ParameterCase

.github/workflows/codeql-daily.yml

@@ -34,7 +34,7 @@ jobs:
 
     # Initializes the CodeQL tools for scanning.
     - name: Initialize CodeQL
-      uses: github/codeql-action/init@eb055d739abdc2e8de2e5f4ba1a8b246daa779aa  # codeql-bundle-v3.26.0
+      uses: github/codeql-action/init@2c779ab0d087cd7fe7b826087247c2c81f27bfa6  # codeql-bundle-v3.26.5
       # Override language selection by uncommenting this and choosing your languages
       with:
         languages: cpp
@@ -68,4 +68,4 @@ jobs:
         git clean -xdf
 
     - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@eb055d739abdc2e8de2e5f4ba1a8b246daa779aa  # codeql-bundle-v3.26.0
+      uses: github/codeql-action/analyze@2c779ab0d087cd7fe7b826087247c2c81f27bfa6  # codeql-bundle-v3.26.5

.github/workflows/codeql-push.yml

@@ -65,7 +65,7 @@ jobs:
 
     - name: Initialize CodeQL
       if: ${{ env.BUILD_TARGETS != '' }}
-      uses: github/codeql-action/init@eb055d739abdc2e8de2e5f4ba1a8b246daa779aa  # codeql-bundle-v3.26.0
+      uses: github/codeql-action/init@2c779ab0d087cd7fe7b826087247c2c81f27bfa6  # codeql-bundle-v3.26.5
       with:
         languages: cpp
 
@@ -109,4 +109,4 @@ jobs:
 
     - name: Perform CodeQL Analysis
       if: ${{ env.BUILD_TARGETS != '' }}
-      uses: github/codeql-action/analyze@eb055d739abdc2e8de2e5f4ba1a8b246daa779aa  # codeql-bundle-v3.26.0
+      uses: github/codeql-action/analyze@2c779ab0d087cd7fe7b826087247c2c81f27bfa6  # codeql-bundle-v3.26.5

.github/workflows/scorecard.yml

@@ -40,6 +40,6 @@ jobs:
         retention-days: 5
 
     - name: "Upload to code-scanning"
-      uses: github/codeql-action/upload-sarif@eb055d739abdc2e8de2e5f4ba1a8b246daa779aa  # v3.26.0
+      uses: github/codeql-action/upload-sarif@2c779ab0d087cd7fe7b826087247c2c81f27bfa6  # v3.26.5
       with:
         sarif_file: results.sarif

BUILD

@@ -1,10 +1,7 @@
-load("//bazel:envoy_build_system.bzl", "envoy_package")
 load("//tools/python:namespace.bzl", "envoy_py_namespace")
 
 licenses(["notice"])  # Apache 2
 
-envoy_package()
-
 envoy_py_namespace()
 
 exports_files([
@@ -22,11 +19,13 @@ exports_files([
 alias(
     name = "envoy",
     actual = "//source/exe:envoy",
+    visibility = ["//visibility:public"],
 )
 
 alias(
     name = "envoy.stripped",
     actual = "//source/exe:envoy-static.stripped",
+    visibility = ["//visibility:public"],
 )
 
 filegroup(

CODEOWNERS

@@ -29,14 +29,14 @@ extensions/filters/common/original_src @klarose @mattklein123
 # cdn_loop extension
 /*/extensions/filters/http/cdn_loop @justin-mp @penguingao @alyssawilk
 # external processing filter
-/*/extensions/filters/http/ext_proc @gbrail @stevenzzzz @tyxia @mattklein123 @htuch @yanavlasov
-/*/extensions/filters/common/mutation_rules @gbrail @tyxia @mattklein123 @htuch @yanavlasov
+/*/extensions/filters/http/ext_proc @gbrail @stevenzzzz @tyxia @mattklein123 @yanavlasov
+/*/extensions/filters/common/mutation_rules @gbrail @tyxia @mattklein123 @yanavlasov
 # jwt_authn http filter extension
 /*/extensions/filters/http/jwt_authn @taoxuy @lizan @tyxia @yanavlasov
 # grpc_field_extraction http filter extension
 /*/extensions/filters/http/grpc_field_extraction @taoxuy @nareddyt @yanavlasov
-# proto_message_logging http filter extension
-/*/extensions/filters/http/proto_message_logging @dchakarwarti @taoxuy @yanavlasov
+# proto_message_extraction http filter extension
+/*/extensions/filters/http/proto_message_extraction @dchakarwarti @taoxuy @shuoyang2016 @yanavlasov
 # grpc_http1_reverse_bridge http filter extension
 /*/extensions/filters/http/grpc_http1_reverse_bridge @zuercher @mattklein123
 # alts transport socket extension
@@ -68,7 +68,7 @@ extensions/filters/common/original_src @klarose @mattklein123
 # tracers.skywalking extension
 /*/extensions/tracers/skywalking @wbpcode @Shikugawa
 # tracers.opentelemetry extension
-/*/extensions/tracers/opentelemetry @alexanderellis @htuch
+/*/extensions/tracers/opentelemetry @alexanderellis @yanavlasov
 # quic extension
 /*/extensions/quic/ @alyssawilk @danzh2010 @mattklein123 @mpwarres @wu-bin @ggreenway
 # UDP packet writer
@@ -128,8 +128,8 @@ extensions/filters/common/original_src @klarose @mattklein123
 /*/extensions/filters/http/connect_grpc_bridge @jchadwick-buf @mattklein123
 /*/extensions/filters/common/original_src @klarose @mattklein123
 /*/extensions/filters/listener/tls_inspector @ggreenway @KBaichoo
-/*/extensions/grpc_credentials/example @wozz @htuch
-/*/extensions/grpc_credentials/file_based_metadata @wozz @htuch
+/*/extensions/grpc_credentials/example @wozz @yanavlasov
+/*/extensions/grpc_credentials/file_based_metadata @wozz @yanavlasov
 /*/extensions/internal_redirect @alyssawilk @penguingao
 /*/extensions/stat_sinks/dog_statsd @taiki45 @jmarantz
 /*/extensions/stat_sinks/graphite_statsd @vaccarium @mattklein123
@@ -138,22 +138,22 @@ extensions/filters/common/original_src @klarose @mattklein123
 /*/extensions/stat_sinks/open_telemetry @ohadvano @mattklein123
 # webassembly stat-sink extensions
 /*/extensions/stat_sinks/wasm @mpwarres @lizan @UNOWNED
-/*/extensions/resource_monitors/injected_resource @eziskind @htuch
-/*/extensions/resource_monitors/common @eziskind @htuch @nezdolik
-/*/extensions/resource_monitors/fixed_heap @eziskind @htuch @nezdolik
+/*/extensions/resource_monitors/injected_resource @eziskind @yanavlasov
+/*/extensions/resource_monitors/common @eziskind @yanavlasov @nezdolik
+/*/extensions/resource_monitors/fixed_heap @eziskind @yanavlasov @nezdolik
 /*/extensions/resource_monitors/downstream_connections @nezdolik @mattklein123
 /*/extensions/retry/priority @alyssawilk @mattklein123
 /*/extensions/retry/priority/previous_priorities @alyssawilk @mattklein123
 /*/extensions/retry/host @alyssawilk @mattklein123
 /*/extensions/filters/network/http_connection_manager @alyssawilk @mattklein123
 /*/extensions/filters/network/tcp_proxy @alyssawilk @zuercher @ggreenway
-/*/extensions/filters/network/echo @htuch @alyssawilk
+/*/extensions/filters/network/echo @yanavlasov @alyssawilk
 /*/extensions/filters/udp/dns_filter @mattklein123 @yanjunxiang-google
 /*/extensions/filters/network/direct_response @kyessenov @zuercher
 /*/extensions/filters/udp/udp_proxy @mattklein123 @danzh2010
 /*/extensions/clusters/aggregate @yxue @mattklein123
 # support for on-demand VHDS requests
-/*/extensions/filters/http/on_demand @dmitri-d @htuch @kyessenov
+/*/extensions/filters/http/on_demand @dmitri-d @yanavlasov @kyessenov
 /*/extensions/filters/network/connection_limit @mattklein123 @alyssawilk @delong-coder
 /*/extensions/filters/http/aws_request_signing @derekargueta @suniltheta @mattklein123 @marcomagdy @nbaws
 /*/extensions/filters/http/aws_lambda @suniltheta @mattklein123 @marcomagdy @nbaws
@@ -170,7 +170,7 @@ extensions/filters/http/oauth2 @derekargueta @mattklein123
 /*/extensions/filters/http/local_ratelimit @mattklein123 @wbpcode
 /*/extensions/filters/common/local_ratelimit @mattklein123 @wbpcode
 # HTTP Kill Request
-/*/extensions/filters/http/kill_request @qqustc @htuch
+/*/extensions/filters/http/kill_request @qqustc @yanavlasov
 # Rate limit expression descriptor
 /*/extensions/rate_limit_descriptors/expr @kyessenov @cpakulski
 # hash input matcher
@@ -223,7 +223,7 @@ extensions/filters/http/oauth2 @derekargueta @mattklein123
 # Key Value store
 /*/extensions/key_value @alyssawilk @ryantheoptimist
 # Config Validators
-/*/extensions/config/validators/minimum_clusters @adisuissa @htuch
+/*/extensions/config/validators/minimum_clusters @adisuissa @yanavlasov
 # File system based extensions
 /*/extensions/common/async_files @mattklein123 @ravenblackx
 /*/extensions/filters/http/file_system_buffer @mattklein123 @ravenblackx
@@ -335,7 +335,7 @@ extensions/filters/http/oauth2 @derekargueta @mattklein123
 # String matching extensions
 /*/extensions/string_matcher/ @ggreenway @cpakulski
 # Header mutation
-/*/extensions/filters/http/header_mutation @wbpcode @htuch @soulxu
+/*/extensions/filters/http/header_mutation @wbpcode @yanavlasov @soulxu
 # Health checkers
 /*/extensions/health_checkers/grpc @zuercher @botengyao
 /*/extensions/health_checkers/http @zuercher @botengyao

OWNERS.md

@@ -11,8 +11,6 @@ routing PRs, questions, etc. to the right place.
 * Matt Klein ([mattklein123](https://github.com/mattklein123)) ([email protected])
   * Catch-all, "all the things", and generally trying to make himself obsolete as fast as
     possible.
-* Harvey Tuch ([htuch](https://github.com/htuch)) ([email protected])
-  * xDS APIs, configuration and control plane.
 * Alyssa Wilk ([alyssawilk](https://github.com/alyssawilk)) ([email protected])
   * HTTP, flow control, cluster manager, load balancing, and core networking (listeners,
     connections, etc.), Envoy Mobile.
@@ -107,6 +105,7 @@ without further review.
 * Rafal Augustyniak ([Augustyniak](https://github.com/Augustyniak)) ([email protected])
 * Snow Pettersen ([snowp](https://github.com/snowp)) ([email protected])
 * Lizan Zhou ([lizan](https://github.com/lizan)) ([email protected])
+* Harvey Tuch ([htuch](https://github.com/htuch)) ([email protected])
 
 # Friends of Envoy
 

SECURITY-INSIGHTS.yml

@@ -12,7 +12,6 @@ project-lifecycle:
   core-maintainers:  # from https://github.com/envoyproxy/envoy/blob/main/OWNERS.md
   # Senior maintainers
   - github:mattklein123
-  - github:htuch
   - github:alyssawilk
   - github:zuercher
   - github:lizan

STYLE.md

@@ -233,8 +233,8 @@ environment. In general, there should be no non-local network access. In additio
 
 Tests should be deterministic. They should not rely on randomness or details
 such as the current time. Instead, mocks such as
-[`MockRandomGenerator`](test/mocks/runtime/mocks.h) and
-[`Mock*TimeSource`](test/mocks/common.h) should be used.
+[`MockRandomGenerator`](test/mocks/common.h) and
+[`SimulatedTimeSystem`](test/test_common/simulated_time_system.h) should be used.
 
 # Google style guides for other languages
 

api/BUILD

@@ -200,7 +200,7 @@ proto_library(
         "//envoy/extensions/filters/http/oauth2/v3:pkg",
         "//envoy/extensions/filters/http/on_demand/v3:pkg",
         "//envoy/extensions/filters/http/original_src/v3:pkg",
-        "//envoy/extensions/filters/http/proto_message_logging/v3:pkg",
+        "//envoy/extensions/filters/http/proto_message_extraction/v3:pkg",
         "//envoy/extensions/filters/http/rate_limit_quota/v3:pkg",
         "//envoy/extensions/filters/http/ratelimit/v3:pkg",
         "//envoy/extensions/filters/http/rbac/v3:pkg",
@@ -360,6 +360,7 @@ proto_library(
         "//envoy/service/metrics/v3:pkg",
         "//envoy/service/rate_limit_quota/v3:pkg",
         "//envoy/service/ratelimit/v3:pkg",
+        "//envoy/service/redis_auth/v3:pkg",
         "//envoy/service/route/v3:pkg",
         "//envoy/service/runtime/v3:pkg",
         "//envoy/service/secret/v3:pkg",

api/bazel/repository_locations.bzl

@@ -144,11 +144,11 @@ REPOSITORY_LOCATIONS_SPEC = dict(
         project_name = "buf",
         project_desc = "A new way of working with Protocol Buffers.",  # Used for breaking change detection in API protobufs
         project_url = "https://buf.build",
-        version = "1.35.0",
-        sha256 = "a75c622b5d6fae792a0e64a04baa296681eacba7ce0c3c35d25c8b42da2f71e1",
+        version = "1.38.0",
+        sha256 = "c091639826cddbbcb55fd6391e21cb1fcf0c82452a7e273b670a0b572ddb3a8c",
         strip_prefix = "buf",
         urls = ["https://github.com/bufbuild/buf/releases/download/v{version}/buf-Linux-x86_64.tar.gz"],
-        release_date = "2024-07-22",
+        release_date = "2024-08-22",
         use_category = ["api"],
         license = "Apache-2.0",
         license_url = "https://github.com/bufbuild/buf/blob/v{version}/LICENSE",
@@ -179,12 +179,12 @@ REPOSITORY_LOCATIONS_SPEC = dict(
         project_name = "envoy_toolshed",
         project_desc = "Tooling, libraries, runners and checkers for Envoy proxy's CI",
         project_url = "https://github.com/envoyproxy/toolshed",
-        version = "0.1.4",
-        sha256 = "7ddfd251a89518b97c4eb8064a7d37454bbd998bf29e4cd3ad8f44227b5ca7b3",
+        version = "0.1.11",
+        sha256 = "f868812bff7ae372e4b53d565ee75a999d33e09b2980cc0c3dfa40684f85bbda",
         strip_prefix = "toolshed-bazel-v{version}/bazel",
         urls = ["https://github.com/envoyproxy/toolshed/archive/bazel-v{version}.tar.gz"],
         use_category = ["build"],
-        release_date = "2024-07-22",
+        release_date = "2024-08-24",
         cpe = "N/A",
         license = "Apache-2.0",
         license_url = "https://github.com/envoyproxy/envoy/blob/bazel-v{version}/LICENSE",

api/envoy/config/cluster/v3/cluster.proto

@@ -45,7 +45,7 @@ message ClusterCollection {
 }
 
 // Configuration for a single upstream cluster.
-// [#next-free-field: 58]
+// [#next-free-field: 59]
 message Cluster {
   option (udpa.annotations.versioning).previous_message_type = "envoy.api.v2.Cluster";
 
@@ -956,6 +956,17 @@ message Cluster {
   google.protobuf.Duration dns_refresh_rate = 16
       [(validate.rules).duration = {gt {nanos: 1000000}}];
 
+  // DNS jitter can be optionally specified if the cluster type is either
+  // :ref:`STRICT_DNS<envoy_v3_api_enum_value_config.cluster.v3.Cluster.DiscoveryType.STRICT_DNS>`,
+  // or :ref:`LOGICAL_DNS<envoy_v3_api_enum_value_config.cluster.v3.Cluster.DiscoveryType.LOGICAL_DNS>`.
+  // DNS jitter causes the cluster to refresh DNS entries later by a random amount of time to avoid a
+  // stampede of DNS requests. This value sets the upper bound (exclusive) for the random amount.
+  // There will be no jitter if this value is omitted. For cluster types other than
+  // :ref:`STRICT_DNS<envoy_v3_api_enum_value_config.cluster.v3.Cluster.DiscoveryType.STRICT_DNS>`
+  // and :ref:`LOGICAL_DNS<envoy_v3_api_enum_value_config.cluster.v3.Cluster.DiscoveryType.LOGICAL_DNS>`
+  // this setting is ignored.
+  google.protobuf.Duration dns_jitter = 58;
+
   // If the DNS failure refresh rate is specified and the cluster type is either
   // :ref:`STRICT_DNS<envoy_v3_api_enum_value_config.cluster.v3.Cluster.DiscoveryType.STRICT_DNS>`,
   // or :ref:`LOGICAL_DNS<envoy_v3_api_enum_value_config.cluster.v3.Cluster.DiscoveryType.LOGICAL_DNS>`,

api/envoy/config/core/v3/socket_cmsg_headers.proto

@@ -0,0 +1,28 @@
+syntax = "proto3";
+
+package envoy.config.core.v3;
+
+import "google/protobuf/wrappers.proto";
+
+import "udpa/annotations/status.proto";
+
+option java_package = "io.envoyproxy.envoy.config.core.v3";
+option java_outer_classname = "SocketCmsgHeadersProto";
+option java_multiple_files = true;
+option go_package = "github.com/envoyproxy/go-control-plane/envoy/config/core/v3;corev3";
+option (udpa.annotations.file_status).package_version_status = ACTIVE;
+
+// [#protodoc-title: Socket CMSG headers]
+
+// Configuration for socket cmsg headers.
+// See `:ref:CMSG <https://man7.org/linux/man-pages/man3/cmsg.3.html>`_ for further information.
+message SocketCmsgHeaders {
+  // cmsg level. Default is unset.
+  google.protobuf.UInt32Value level = 1;
+
+  // cmsg type. Default is unset.
+  google.protobuf.UInt32Value type = 2;
+
+  // Expected size of cmsg value. Default is zero.
+  uint32 expected_size = 3;
+}

api/envoy/config/listener/v3/quic_config.proto

@@ -5,6 +5,7 @@ package envoy.config.listener.v3;
 import "envoy/config/core/v3/base.proto";
 import "envoy/config/core/v3/extension.proto";
 import "envoy/config/core/v3/protocol.proto";
+import "envoy/config/core/v3/socket_cmsg_headers.proto";
 
 import "google/protobuf/duration.proto";
 import "google/protobuf/wrappers.proto";
@@ -24,7 +25,7 @@ option (udpa.annotations.file_status).package_version_status = ACTIVE;
 // [#protodoc-title: QUIC listener config]
 
 // Configuration specific to the UDP QUIC listener.
-// [#next-free-field: 12]
+// [#next-free-field: 13]
 message QuicProtocolOptions {
   option (udpa.annotations.versioning).previous_message_type =
       "envoy.api.v2.listener.QuicProtocolOptions";
@@ -86,4 +87,11 @@ message QuicProtocolOptions {
   // If not specified, no debug visitor will be attached to connections.
   // [#extension-category: envoy.quic.connection_debug_visitor]
   core.v3.TypedExtensionConfig connection_debug_visitor_config = 11;
+
+  // Configure a type of UDP cmsg to pass to listener filters via QuicReceivedPacket.
+  // Both level and type must be specified for cmsg to be saved.
+  // Cmsg may be truncated or omitted if expected size is not set.
+  // If not specified, no cmsg will be saved to QuicReceivedPacket.
+  repeated core.v3.SocketCmsgHeaders save_cmsg_config = 12
+      [(validate.rules).repeated = {max_items: 1}];
 }

api/envoy/extensions/filters/http/ext_proc/v3/ext_proc.proto

@@ -99,7 +99,7 @@ option (udpa.annotations.file_status).package_version_status = ACTIVE;
 // <arch_overview_advanced_filter_state_sharing>` object in a namespace matching the filter
 // name.
 //
-// [#next-free-field: 21]
+// [#next-free-field: 22]
 message ExternalProcessor {
   // Describes the route cache action to be taken when an external processor response
   // is received in response to request headers.
@@ -275,6 +275,20 @@ message ExternalProcessor {
   // backend stream lifetime. In this case, Envoy will eventually timeout the external processor stream according to this time limit.
   // The default value is 5000 milliseconds (5 seconds) if not specified.
   google.protobuf.Duration deferred_close_timeout = 19;
+
+  // [#not-implemented-hide:]
+  // Send body to the side stream server once it arrives without waiting for the header response from that server.
+  // It only works for STREAMED body processing mode. For any other body processing modes, it is ignored.
+  //
+  // The server has two options upon receiving a header request:
+  // 1. Instant Response: Send the header response as soon as the header request is received.
+  // 2. Delayed Response: Wait for the body before sending any response.
+  //   If the server chooses the second option, it has two further choices:
+  //   2.1 Separate Responses: Send the header response first, followed by separate body responses.
+  //   2.2 Combined Response: Include both the header response and the first chunk of the body response
+  //       in a single body response message, followed by the remaining body responses.
+  // In all scenarios, the header-body ordering must always be maintained.
+  bool send_body_without_waiting_for_header_response = 21;
 }
 
 // ExtProcHttpService is used for HTTP communication between the filter and the external processing service.

api/envoy/extensions/filters/http/grpc_field_extraction/v3/config.proto

@@ -66,7 +66,7 @@ option (udpa.annotations.file_status).package_version_status = ACTIVE;
 // 1. the extracted field names/values will be wrapped in be ``field<StringValue
 // or MapValue>`` -> ``values<ListValue of StringValue or StructValue>``, which will be added in the dynamic ``metadata<google.protobuf.Struct>``.
 //
-// 2. if the field value is empty, an empty ``<ListValue>`` will be set.
+// 2. if the field value is empty, an empty ``Value`` will be set.
 //
 // Performance
 // -----------