Merge remote-tracking branch 'upstream/main' into upstream_set_original

.azure-pipelines/docker/save_cache.sh

@@ -36,6 +36,7 @@ if [[ "$CACHE_BAZEL" == "true" ]]; then
     ./.azure-pipelines/docker/create_cache.sh \
         "${BAZEL_CACHE_TARBALL}" \
         "${ENVOY_DOCKER_BUILD_DIR}" \
+        .cache \
         bazel_root/install \
         bazel_root/base/external \
         repository_cache

.azure-pipelines/pipelines.yml

@@ -45,7 +45,7 @@ variables:
 ## Variable settings
 # Caches (tip: append a version suffix while testing caches)
 - name: cacheKeyVersion
-  value: v1
+  value: v2
 - name: cacheKeyBazel
   value: '.bazelversion | ./WORKSPACE | **/*.bzl, !mobile/**, !envoy-docs/**'
 - name: cacheKeyDocker

.bazelrc

@@ -343,7 +343,7 @@ build:compile-time-options --@envoy//source/extensions/filters/http/kill_request
 
 # Docker sandbox
 # NOTE: Update this from https://github.com/envoyproxy/envoy-build-tools/blob/main/toolchains/rbe_toolchains_config.bzl#L8
-build:docker-sandbox --experimental_docker_image=envoyproxy/envoy-build-ubuntu:1f2f7ee78f894859de0fa7a415b0bedde1f6c560@sha256:6a6a64be3f4e3c4380531ad1624f9419d1fe99dde4e5eeb04e2d538a92f27205
+build:docker-sandbox --experimental_docker_image=envoyproxy/envoy-build-ubuntu:56f235b141079013e64912d676fe7da981368402@sha256:d44499c6fd28a8a6a75dc61668b8a9e7bc3d99db11f9a61e8ea1d1f39c20a236
 build:docker-sandbox --spawn_strategy=docker
 build:docker-sandbox --strategy=Javac=docker
 build:docker-sandbox --strategy=Closure=docker

.clang-tidy

@@ -1,85 +1,77 @@
-Checks:           '-clang-analyzer-core.NonNullParamChecker,
-                   -clang-analyzer-optin.cplusplus.UninitializedObject,
-                   abseil-duration-*,
-                   abseil-faster-strsplit-delimiter,
-                   abseil-no-namespace,
-                   abseil-redundant-strcat-calls,
-                   abseil-str-cat-append,
-                   abseil-string-find-startswith,
-                   abseil-upgrade-duration-conversions,
-                   bugprone-assert-side-effect,
-                   bugprone-unused-raii,
-                   bugprone-use-after-move,
-                   clang-analyzer-core.DivideZero,
-                   misc-unused-using-decls,
-                   modernize-deprecated-headers,
-                   modernize-loop-convert,
-                   modernize-make-shared,
-                   modernize-make-unique,
-                   modernize-return-braced-init-list,
-                   modernize-use-default-member-init,
-                   modernize-use-equals-default,
-                   modernize-use-nullptr,
-                   modernize-use-override,
-                   modernize-use-using,
-                   performance-faster-string-find,
-                   performance-for-range-copy,
-                   performance-inefficient-algorithm,
-                   performance-inefficient-vector-operation,
-                   performance-noexcept-move-constructor,
-                   performance-move-constructor-init,
-                   performance-type-promotion-in-math-fn,
-                   performance-unnecessary-copy-initialization,
-                   readability-braces-around-statements,
-                   readability-container-size-empty,
-                   readability-identifier-naming,
-                   readability-redundant-control-flow,
-                   readability-redundant-member-init,
-                   readability-redundant-smartptr-get,
-                   readability-redundant-string-cstr'
-
-WarningsAsErrors:  '*'
+Checks: >
+  -clang-analyzer-core.NonNullParamChecker,
+  -clang-analyzer-optin.cplusplus.UninitializedObject,
+  abseil-duration-*,
+  abseil-faster-strsplit-delimiter,
+  abseil-no-namespace,
+  abseil-redundant-strcat-calls,
+  abseil-str-cat-append,
+  abseil-string-find-startswith,
+  abseil-upgrade-duration-conversions,
+  bugprone-assert-side-effect,
+  bugprone-unused-raii,
+  bugprone-use-after-move,
+  clang-analyzer-core.DivideZero,
+  misc-unused-using-decls,
+  modernize-deprecated-headers,
+  modernize-loop-convert,
+  modernize-make-shared,
+  modernize-make-unique,
+  modernize-return-braced-init-list,
+  modernize-use-default-member-init,
+  modernize-use-equals-default,
+  modernize-use-nullptr,
+  modernize-use-override,
+  modernize-use-using,
+  performance-faster-string-find,
+  performance-for-range-copy,
+  performance-inefficient-algorithm,
+  performance-inefficient-vector-operation,
+  performance-noexcept-move-constructor,
+  performance-move-constructor-init,
+  performance-type-promotion-in-math-fn,
+  performance-unnecessary-copy-initialization,
+  readability-braces-around-statements,
+  readability-container-size-empty,
+  readability-identifier-naming,
+  readability-redundant-control-flow,
+  readability-redundant-member-init,
+  readability-redundant-smartptr-get,
+  readability-redundant-string-cstr
 
 CheckOptions:
-  - key:             bugprone-assert-side-effect.AssertMacros
-    value:           'ASSERT'
-
-  - key:             bugprone-dangling-handle.HandleClasses
-    value:           'std::basic_string_view;std::experimental::basic_string_view;absl::string_view'
-
-  - key:             modernize-use-auto.MinTypeNameLength
-    value:           '10'
-
-  - key:             readability-identifier-naming.ClassCase
-    value:           'CamelCase'
-
-  - key:             readability-identifier-naming.EnumCase
-    value:           'CamelCase'
-
-  - key:             readability-identifier-naming.EnumConstantCase
-    value:           'CamelCase'
-
-  # Ignore GoogleTest function macros.
-  - key:             readability-identifier-naming.FunctionIgnoredRegexp
-    value:           '(TEST|TEST_F|TEST_P|INSTANTIATE_TEST_SUITE_P|MOCK_METHOD|TYPED_TEST)'
-
-  - key:             readability-identifier-naming.ParameterCase
-    value:           'lower_case'
-
-  - key:             readability-identifier-naming.PrivateMemberCase
-    value:           'lower_case'
-
-  - key:             readability-identifier-naming.PrivateMemberSuffix
-    value:           '_'
-
-  - key:             readability-identifier-naming.StructCase
-    value:           'CamelCase'
-
-  - key:             readability-identifier-naming.TypeAliasCase
-    value:           'CamelCase'
+- key: cppcoreguidelines-unused-variable.IgnorePattern
+  value: "^_$"
+- key: bugprone-assert-side-effect.AssertMacros
+  value: 'ASSERT'
+- key: bugprone-dangling-handle.HandleClasses
+  value: 'std::basic_string_view;std::experimental::basic_string_view;absl::string_view'
+- key: modernize-use-auto.MinTypeNameLength
+  value: '10'
+- key: readability-identifier-naming.ClassCase
+  value: 'CamelCase'
+- key: readability-identifier-naming.EnumCase
+  value: 'CamelCase'
+- key: readability-identifier-naming.EnumConstantCase
+  value: 'CamelCase'
+# Ignore GoogleTest function macros.
+- key: readability-identifier-naming.FunctionIgnoredRegexp
+  value: '(TEST|TEST_F|TEST_P|INSTANTIATE_TEST_SUITE_P|MOCK_METHOD|TYPED_TEST)'
+- key: readability-identifier-naming.ParameterCase
+  value: 'lower_case'
+- key: readability-identifier-naming.PrivateMemberCase
+  value: 'lower_case'
+- key: readability-identifier-naming.PrivateMemberSuffix
+  value: '_'
+- key: readability-identifier-naming.StructCase
+  value: 'CamelCase'
+- key: readability-identifier-naming.TypeAliasCase
+  value: 'CamelCase'
+- key: readability-identifier-naming.UnionCase
+  value: 'CamelCase'
+- key: readability-identifier-naming.FunctionCase
+  value: 'camelBack'
 
-  - key:             readability-identifier-naming.UnionCase
-    value:           'CamelCase'
+UseColor: true
 
-  - key:             readability-identifier-naming.FunctionCase
-    value:           'camelBack'
+WarningsAsErrors: '*'

.devcontainer/Dockerfile

@@ -1,4 +1,4 @@
-FROM gcr.io/envoy-ci/envoy-build:1f2f7ee78f894859de0fa7a415b0bedde1f6c560@sha256:9db54410ba9f8216cac84391ebcfb18a297c2217690c7c77bb050f78f56bb629
+FROM gcr.io/envoy-ci/envoy-build:56f235b141079013e64912d676fe7da981368402@sha256:6e3e8bd34ba568befa3f9c2fd067a1d82c1e55f0f597bcc5fddebbb644930761
 
 ARG USERNAME=vscode
 ARG USER_UID=501

.github/dependabot.yml

@@ -238,6 +238,12 @@ updates:
     interval: daily
     time: "06:00"
 
+- package-ecosystem: "gomod"
+  directory: "/contrib/golang/filters/http/test/test_data/buffer"
+  schedule:
+    interval: daily
+    time: "06:00"
+
 - package-ecosystem: "gomod"
   directory: "/contrib/golang/filters/http/test/test_data/routeconfig"
   schedule:

.github/workflows/_env.yml

@@ -12,13 +12,13 @@ on:
         default: envoyproxy/envoy-build-ubuntu
       build_image_sha:
         type: string
-        default: 6a6a64be3f4e3c4380531ad1624f9419d1fe99dde4e5eeb04e2d538a92f27205
+        default: d44499c6fd28a8a6a75dc61668b8a9e7bc3d99db11f9a61e8ea1d1f39c20a236
       build_image_mobile_sha:
         type: string
-        default: 2c9852c10f133f780a96286230b7e07582e1c99fe204943d4fa66567f8b850f6
+        default: b3cfc59c2fd1a86a2b12d303324f33d7f7248458233f3be2959fab119b11fa6f
       build_image_tag:
         type: string
-        default: 1f2f7ee78f894859de0fa7a415b0bedde1f6c560
+        default: 56f235b141079013e64912d676fe7da981368402
 
       check_mobile_run:
         type: boolean

.github/workflows/mobile-release.yml

@@ -29,7 +29,7 @@ jobs:
       contents: read
       packages: read
     name: android_release_artifacts
-    runs-on: ubuntu-22.04
+    runs-on: ${{ needs.env.outputs.agent_ubuntu }}
     timeout-minutes: 120
     container:
       image: ${{ needs.env.outputs.build_image_ubuntu_mobile }}

.yamllint

@@ -18,3 +18,8 @@ rules:
     - "false"
     # https://github.com/adrienverge/yamllint/issues/430
     - "on"
+
+yaml-files:
+- .clang-format
+- "*.yml"
+- "*.yaml"

api/envoy/extensions/filters/http/ext_authz/v3/ext_authz.proto

@@ -78,6 +78,7 @@ message ExtAuthz {
   // 3. At least one ``authorization response header`` is added to the client request, or is used for
   // altering another client request header.
   //
+  // It is an error to set this field when the filter is configured on an upstream filter chain.
   bool clear_route_cache = 6;
 
   // Sets the HTTP status that is returned to the client when the authorization server returns an error
@@ -135,6 +136,8 @@ message ExtAuthz {
   //
   // When this field is true, Envoy will include the peer X.509 certificate, if available, in the
   // :ref:`certificate<envoy_v3_api_field_service.auth.v3.AttributeContext.Peer.certificate>`.
+  //
+  // It is an error to set this field when the filter is configured on an upstream filter chain.
   bool include_peer_certificate = 10;
 
   // Optional additional prefix to use when emitting statistics. This allows to distinguish
@@ -184,6 +187,8 @@ message ExtAuthz {
   //
   // When this field is true, Envoy will include the SNI name used for TLSClientHello, if available, in the
   // :ref:`tls_session<envoy_v3_api_field_service.auth.v3.AttributeContext.tls_session>`.
+  //
+  // It is an error to set this field when the filter is configured on an upstream filter chain.
   bool include_tls_session = 18;
 }
 

api/envoy/extensions/transport_sockets/tls/v3/common.proto

@@ -179,7 +179,6 @@ message PrivateKeyProvider {
     google.protobuf.Any typed_config = 3 [(udpa.annotations.sensitive) = true];
   }
 
-  // [#not-implemented-hide:]
   // If the private key provider isn't available (eg. the required hardware capability doesn't existed),
   // Envoy will fallback to the BoringSSL default implementation when the `fallback` is true.
   // The default value is `false`.

api/envoy/extensions/transport_sockets/tls/v3/tls.proto

@@ -63,7 +63,7 @@ message UpstreamTlsContext {
   google.protobuf.BoolValue enforce_rsa_key_usage = 5;
 }
 
-// [#next-free-field: 10]
+// [#next-free-field: 11]
 message DownstreamTlsContext {
   option (udpa.annotations.versioning).previous_message_type =
       "envoy.api.v2.auth.DownstreamTlsContext";
@@ -119,6 +119,10 @@ message DownstreamTlsContext {
     bool disable_stateless_session_resumption = 7;
   }
 
+  // If set to true, the TLS server will not maintain a session cache of TLS sessions. (This is
+  // relevant only for TLSv1.2 and earlier.)
+  bool disable_stateful_session_resumption = 10;
+
   // If specified, ``session_timeout`` will change the maximum lifetime (in seconds) of the TLS session.
   // Currently this value is used as a hint for the `TLS session ticket lifetime (for TLSv1.2) <https://tools.ietf.org/html/rfc5077#section-5.6>`_.
   // Only seconds can be specified (fractional seconds are ignored).

bazel/repository_locations.bzl

@@ -102,11 +102,11 @@ REPOSITORY_LOCATIONS_SPEC = dict(
         project_name = "envoy-build-tools",
         project_desc = "Common build tools shared by the Envoy/UDPA ecosystem",
         project_url = "https://github.com/envoyproxy/envoy-build-tools",
-        version = "b3e8ecd0f256b648a19d0f2146a966c2a6a0c0e7",
-        sha256 = "40ae52a50987feeef25510a37108aad621f4ba0ea7420d898cefd239ee56b178",
+        version = "633f57439ba683c1370fb8b1025680f1ce678caf",
+        sha256 = "88e4b7d12429d488daff522b765f0f21a3204d2c4b262b4b9d67587230415454",
         strip_prefix = "envoy-build-tools-{version}",
         urls = ["https://github.com/envoyproxy/envoy-build-tools/archive/{version}.tar.gz"],
-        release_date = "2023-09-03",
+        release_date = "2023-09-15",
         use_category = ["build"],
         license = "Apache-2.0",
         license_url = "https://github.com/envoyproxy/envoy-build-tools/blob/{version}/LICENSE",

changelogs/current.yaml

@@ -238,6 +238,11 @@ new_features:
   change: |
     added :ref:`custom_sink <envoy_v3_api_field_config.tap.v3.OutputSink.custom_sink>` type to enable writing tap data
     out to a custom sink extension.
+- area: tls
+  change: |
+    added :ref:`disable_stateful_session_resumption
+    <envoy_v3_api_field_extensions.transport_sockets.tls.v3.DownstreamTlsContext.disable_stateful_session_resumption>` config option to
+    disable stateful TLS session resumption.
 - area: udp_proxy
   change: |
     added :ref:`session_filters <envoy_v3_api_field_extensions.filters.udp.udp_proxy.v3.UdpProxyConfig.session_filters>` config to
@@ -255,6 +260,14 @@ new_features:
   change: |
     added :ref:`record_headers_received_time <envoy_v3_api_field_extensions.filters.http.tap.v3.Tap.record_headers_received_time>`
     to control writing request and response headers received time in trace output.
+- area: tls
+  change: |
+    added fallback :ref:`fallback
+    <envoy_v3_api_field_extensions.transport_sockets.tls.v3.PrivateKeyProvider.fallback>`
+    to support private key provider to fallback to boringssl tls handshake.
+    If the private key provider isn't available (eg. the required hardware capability doesn't existed),
+    Envoy will fallback to the BoringSSL default implementation when the fallback is true.
+    The default value is false.
 - area: tcp
   change: |
     added the support to detect and send TCP RST for raw buffer socket based connections. This is currently supported on Linux only.

configs/proxy_connect.yaml

@@ -1,4 +1,4 @@
-# This will proxy CONNECT requests from a downstream connecting on 127.0.0.1:10001
+# This will forward CONNECT requests from a downstream connecting on 127.0.0.1:10001
 # to an upstream listening on 127.0.0.1:10002
 admin:
   address: