sync from master.

.bazelrc

@@ -105,9 +105,12 @@ build:clang-msan --config=sanitizer
 build:clang-msan --define ENVOY_CONFIG_MSAN=1
 build:clang-msan --copt -fsanitize=memory
 build:clang-msan --linkopt -fsanitize=memory
+build:clang-msan --linkopt -fuse-ld=lld
 build:clang-msan --copt -fsanitize-memory-track-origins=2
+build:clang-msan --test_env=MSAN_SYMBOLIZER_PATH
 # MSAN needs -O1 to get reasonable performance.
 build:clang-msan --copt -O1
+build:clang-msan --copt -fno-optimize-sibling-calls
 
 # Clang with libc++
 build:libc++ --config=clang

.clang-tidy

@@ -59,6 +59,10 @@ CheckOptions:
   - key:             readability-identifier-naming.EnumConstantCase
     value:           'CamelCase'
 
+  # Ignore GoogleTest function macros.
+  - key:             readability-identifier-naming.FunctionIgnoredRegexp
+    value:           '(TEST|TEST_F|TEST_P|INSTANTIATE_TEST_SUITE_P|MOCK_METHOD|TYPED_TEST)'
+
   - key:             readability-identifier-naming.ParameterCase
     value:           'lower_case'
 

PULL_REQUEST_TEMPLATE.md

@@ -8,9 +8,9 @@ Thank you in advance for helping to keep Envoy secure.
 
 !!!ATTENTION!!!
 
--->
 For an explanation of how to fill out the fields, please see the relevant section
 in [PULL_REQUESTS.md](https://github.com/envoyproxy/envoy/blob/main/PULL_REQUESTS.md)
+-->
 
 Commit Message:
 Additional Description:

api/envoy/admin/v3/config_dump.proto

@@ -57,7 +57,9 @@ message ConfigDump {
   // * *clusters*: :ref:`ClustersConfigDump <envoy_v3_api_msg_admin.v3.ClustersConfigDump>`
   // * *endpoints*:  :ref:`EndpointsConfigDump <envoy_v3_api_msg_admin.v3.EndpointsConfigDump>`
   // * *listeners*: :ref:`ListenersConfigDump <envoy_v3_api_msg_admin.v3.ListenersConfigDump>`
+  // * *scoped_routes*: :ref:`ScopedRoutesConfigDump <envoy_v3_api_msg_admin.v3.ScopedRoutesConfigDump>`
   // * *routes*:  :ref:`RoutesConfigDump <envoy_v3_api_msg_admin.v3.RoutesConfigDump>`
+  // * *secrets*:  :ref:`SecretsConfigDump <envoy_v3_api_msg_admin.v3.SecretsConfigDump>`
   //
   // EDS Configuration will only be dumped by using parameter `?include_eds`
   //

api/envoy/config/cluster/v3/cluster.proto

@@ -709,6 +709,7 @@ message Cluster {
   EdsClusterConfig eds_cluster_config = 3;
 
   // The timeout for new network connections to hosts in the cluster.
+  // If not set, a default value of 5s will be used.
   google.protobuf.Duration connect_timeout = 4 [(validate.rules).duration = {gt {}}];
 
   // Soft limit on size of the cluster’s connections read and write buffers. If

api/envoy/service/ext_proc/v3alpha/external_processor.proto

@@ -231,15 +231,18 @@ message CommonResponse {
     // stream as normal. This is the default.
     CONTINUE = 0;
 
-    // [#not-implemented-hide:]
-    // Replace the request or response with the contents
-    // of this message. If header_mutation is set, apply it to the
-    // headers. If body_mutation is set and contains a body, then add that
-    // body to the request or response, even if one does not already exist --
-    // otherwise, clear the body. Any additional body and trailers
-    // received from downstream or upstream will be ignored.
-    // This can be used to add a body to a request or response that does not
-    // have one already.
+    // Apply the specified header mutation, replace the body with the body
+    // specified in the body mutation (if present), and do not send any
+    // further messages for this request or response even if the processing
+    // mode is configured to do so.
+    //
+    // When used in response to a request_headers or response_headers message,
+    // this status makes it possible to either completely replace the body
+    // while discarding the original body, or to add a body to a message that
+    // formerly did not have one.
+    //
+    // In other words, this response makes it possible to turn an HTTP GET
+    // into a POST, PUT, or PATCH.
     CONTINUE_AND_REPLACE = 1;
   }
 

bazel/external/wee8.genrule_cmd

@@ -54,6 +54,7 @@ if [[ $${ENVOY_UBSAN_VPTR-} == "1" ]]; then
 fi
 if [[ $${ENVOY_MSAN-} == "1" ]]; then
   WEE8_BUILD_ARGS+=" is_msan=true"
+  WEE8_BUILD_ARGS+=" msan_track_origins=2"
   export LDFLAGS="$${LDFLAGS} -L/opt/libcxx_msan/lib -Wl,-rpath,/opt/libcxx_msan/lib"
 fi
 if [[ $${ENVOY_TSAN-} == "1" ]]; then

ci/Dockerfile-envoy-distroless

@@ -7,4 +7,5 @@ ADD linux/amd64/build_release${ENVOY_BINARY_SUFFIX}/* /usr/local/bin/
 
 EXPOSE 10000
 
-CMD ["envoy", "-c", "/etc/envoy/envoy.yaml"]
+ENTRYPOINT ["envoy"]
+CMD ["-c", "/etc/envoy/envoy.yaml"]

docs/root/faq/configuration/timeouts.rst

@@ -104,8 +104,8 @@ TCP
 ---
 
 * The cluster :ref:`connect_timeout <envoy_v3_api_field_config.cluster.v3.Cluster.connect_timeout>` specifies the amount
-  of time Envoy will wait for an upstream TCP connection to be established. This timeout has no
-  default, but is required in the configuration.
+  of time Envoy will wait for an upstream TCP connection to be established. If this value is not set,
+  a default value of 5 seconds will be used.
 
   .. attention::
 

docs/root/version_history/current.rst

@@ -20,6 +20,7 @@ Minor Behavior Changes
   requests to S3, ES or Glacier, which used the literal string ``UNSIGNED-PAYLOAD``. Buffering can
   be now be disabled in favor of using unsigned payloads with compatible services via the new
   `use_unsigned_payload` filter option (default false).
+* cluster: added default value of 5 seconds for :ref:`connect_timeout <envoy_v3_api_field_config.cluster.v3.Cluster.connect_timeout>`.
 * http: disable the integration between :ref:`ExtensionWithMatcher <envoy_v3_api_msg_extensions.common.matching.v3.ExtensionWithMatcher>`
   and HTTP filters by default to reflects its experimental status. This feature can be enabled by seting
   ``envoy.reloadable_features.experimental_matching_api`` to true.
@@ -49,6 +50,7 @@ Removed Config or Runtime
 -------------------------
 *Normally occurs at the end of the* :ref:`deprecation period <deprecated>`
 
+* event: removed ``envoy.reloadable_features.activate_timers_next_event_loop`` runtime guard and legacy code path.
 * http: removed ``envoy.reloadable_features.allow_500_after_100`` runtime guard and the legacy code path.
 * http: removed ``envoy.reloadable_features.always_apply_route_header_rules`` runtime guard and legacy code path.
 * http: removed ``envoy.reloadable_features.hcm_stream_error_on_invalid_message`` for disabling closing HTTP/1.1 connections on error. Connection-closing can still be disabled by setting the HTTP/1 configuration :ref:`override_stream_error_on_invalid_http_message <envoy_v3_api_field_config.core.v3.Http1ProtocolOptions.override_stream_error_on_invalid_http_message>`.
@@ -60,12 +62,11 @@ Removed Config or Runtime
 
 New Features
 ------------
+* crash support: restore crash context when continuing to processing requests or responses as a result of an asynchronous callback that invokes a filter directly. This is unlike the call stacks that go through the various network layers, to eventually reach the filter. For  a concrete example see: ``Envoy::Extensions::HttpFilters::Cache::CacheFilter::getHeaders`` which posts a callback on the dispatcher that will invoke the filter directly.
 * http: a new field `is_optional` is added to `extensions.filters.network.http_connection_manager.v3.HttpFilter`. When
   value is `true`, the unsupported http filter will be ignored by envoy. This is also same with unsupported http filter
   in the typed per filter config. For more information, please reference
   :ref:`HttpFilter <envoy_v3_api_field_extensions.filters.network.http_connection_manager.v3.HttpFilter.is_optional>`.
-
-* crash support: restore crash context when continuing to processing requests or responses as a result of an asynchronous callback that invokes a filter directly. This is unlike the call stacks that go through the various network layers, to eventually reach the filter. For a concrete example see: ``Envoy::Extensions::HttpFilters::Cache::CacheFilter::getHeaders`` which posts a callback on the dispatcher that will invoke the filter directly.
 * http: added support for :ref:`original IP detection extensions<envoy_v3_api_field_extensions.filters.network.http_connection_manager.v3.HttpConnectionManager.original_ip_detection_extensions>`.
   Two initial extensions were added, the :ref:`custom header <envoy_v3_api_msg_extensions.http.original_ip_detection.custom_header.v3.CustomHeaderConfig>` extension and the
   :ref:`xff <envoy_v3_api_msg_extensions.http.original_ip_detection.xff.v3.XffConfig>` extension.

examples/cache/Dockerfile-frontenvoy

@@ -1,7 +1,5 @@
 FROM envoyproxy/envoy-dev:latest
 
-RUN apt-get update && apt-get -q install -y \
-    curl
 COPY ./front-envoy.yaml /etc/front-envoy.yaml
 RUN chmod go+r /etc/front-envoy.yaml
 CMD /usr/local/bin/envoy -c /etc/front-envoy.yaml --service-cluster front-proxy

examples/cors/backend/Dockerfile-frontenvoy

@@ -1,7 +1,5 @@
 FROM envoyproxy/envoy-dev:latest
 
-RUN apt-get update && apt-get -q install -y \
-    curl
 COPY ./front-envoy.yaml /etc/front-envoy.yaml
 RUN chmod go+r /etc/front-envoy.yaml
 CMD ["/usr/local/bin/envoy", "-c", "/etc/front-envoy.yaml", "--service-cluster", "front-proxy"]

examples/cors/frontend/Dockerfile-frontenvoy

@@ -1,7 +1,5 @@
 FROM envoyproxy/envoy-dev:latest
 
-RUN apt-get update && apt-get -q install -y \
-    curl
 COPY ./front-envoy.yaml /etc/front-envoy.yaml
 RUN chmod go+r /etc/front-envoy.yaml
 CMD ["/usr/local/bin/envoy", "-c", "/etc/front-envoy.yaml", "--service-cluster", "front-proxy"]

examples/csrf/crosssite/Dockerfile-frontenvoy

@@ -1,7 +1,5 @@
 FROM envoyproxy/envoy-dev:latest
 
-RUN apt-get update && apt-get -q install -y \
-    curl
 COPY ./front-envoy.yaml /etc/front-envoy.yaml
 RUN chmod go+r /etc/front-envoy.yaml
 CMD ["/usr/local/bin/envoy", "-c", "/etc/front-envoy.yaml", "--service-cluster", "front-proxy"]

examples/csrf/samesite/Dockerfile-frontenvoy

@@ -1,7 +1,5 @@
 FROM envoyproxy/envoy-dev:latest
 
-RUN apt-get update && apt-get -q install -y \
-    curl
 COPY ./front-envoy.yaml /etc/front-envoy.yaml
 RUN chmod go+r /etc/front-envoy.yaml
 CMD ["/usr/local/bin/envoy", "-c",  "/etc/front-envoy.yaml", "--service-cluster", "front-proxy"]

examples/dynamic-config-cp/Dockerfile-control-plane

@@ -1,6 +1,11 @@
 FROM golang
 
-RUN apt-get -y update && apt-get install -y -qq --no-install-recommends netcat
+RUN apt-get update \
+    && apt-get install --no-install-recommends -y netcat \
+    && apt-get autoremove -y \
+    && apt-get clean \
+    && rm -rf /tmp/* /var/tmp/* /var/lib/apt/lists/*
+
 RUN git clone https://github.com/envoyproxy/go-control-plane
 ADD ./resource.go /go/go-control-plane/internal/example/resource.go
 RUN cd go-control-plane && make bin/example

examples/dynamic-config-cp/Dockerfile-proxy

@@ -1,6 +1,5 @@
 FROM envoyproxy/envoy-dev:latest
 
-RUN apt-get -y update && apt-get install -y -qq --no-install-recommends netcat
 COPY ./envoy.yaml /etc/envoy.yaml
 RUN chmod go+r /etc/envoy.yaml
 CMD ["/usr/local/bin/envoy", "-c /etc/envoy.yaml", "-l", "debug"]

examples/ext_authz/Dockerfile-frontenvoy

@@ -1,7 +1,5 @@
 FROM envoyproxy/envoy-dev:latest
 
-RUN apt-get update && apt-get -q install -y \
-    curl
 COPY ./config /etc/envoy-config
 COPY ./run_envoy.sh /run_envoy.sh
 RUN chmod go+r -R /etc/envoy-config \

examples/fault-injection/Dockerfile-envoy

@@ -1,6 +1,10 @@
 FROM envoyproxy/envoy-dev:latest
 
-RUN apt-get update && apt-get install -y curl tree
+RUN apt-get update \
+    && apt-get install --no-install-recommends -y tree curl \
+    && apt-get autoremove -y \
+    && apt-get clean \
+    && rm -rf /tmp/* /var/tmp/* /var/lib/apt/lists/*
 COPY ./envoy.yaml /etc/envoy.yaml
 RUN chmod go+r /etc/envoy.yaml
 COPY enable_delay_fault_injection.sh disable_delay_fault_injection.sh enable_abort_fault_injection.sh disable_abort_fault_injection.sh send_request.sh /

examples/front-proxy/Dockerfile-frontenvoy

@@ -1,7 +1,10 @@
 FROM envoyproxy/envoy-dev:latest
 
-RUN apt-get update && apt-get -q install -y \
-    curl
+RUN apt-get update \
+    && apt-get install --no-install-recommends -y curl \
+    && apt-get autoremove -y \
+    && apt-get clean \
+    && rm -rf /tmp/* /var/tmp/* /var/lib/apt/lists/*
 COPY ./front-envoy.yaml /etc/front-envoy.yaml
 RUN chmod go+r /etc/front-envoy.yaml
 CMD ["/usr/local/bin/envoy", "-c", "/etc/front-envoy.yaml", "--service-cluster", "front-proxy"]

examples/jaeger-native-tracing/Dockerfile-frontenvoy

@@ -1,7 +1,11 @@
 FROM envoyproxy/envoy-dev:latest
 
-RUN apt-get update && apt-get -q install -y \
-    curl
+RUN apt-get update \
+    && apt-get install --no-install-recommends -y curl \
+    && apt-get autoremove -y \
+    && apt-get clean \
+    && rm -rf /tmp/* /var/tmp/* /var/lib/apt/lists/*
+
 COPY ./front-envoy-jaeger.yaml /etc/front-envoy.yaml
 #
 # for discussion on jaeger binary compatibility, and the source of the file, see here:

examples/skywalking-tracing/Dockerfile-frontenvoy

@@ -1,7 +1,5 @@
 FROM envoyproxy/envoy-dev:latest
 
-RUN apt-get update && apt-get -q install -y \
-    curl
 COPY ./front-envoy-skywalking.yaml /etc/front-envoy.yaml
 RUN chmod go+r /etc/front-envoy.yaml
 CMD /usr/local/bin/envoy -c /etc/front-envoy.yaml --service-cluster front-proxy

examples/zipkin-tracing/Dockerfile-frontenvoy

@@ -1,7 +1,5 @@
 FROM envoyproxy/envoy-dev:latest
 
-RUN apt-get update && apt-get -q install -y \
-    curl
 COPY ./front-envoy-zipkin.yaml /etc/front-envoy.yaml
 RUN chmod go+r /etc/front-envoy.yaml
 CMD ["/usr/local/bin/envoy", "-c", "/etc/front-envoy.yaml", "--service-cluster", "front-proxy"]

source/common/conn_pool/conn_pool_base.cc

@@ -142,6 +142,10 @@ ConnPoolImplBase::tryCreateNewConnection(float global_preconnect_ratio) {
       (ready_clients_.empty() && busy_clients_.empty() && connecting_clients_.empty())) {
     ENVOY_LOG(debug, "creating a new connection");
     ActiveClientPtr client = instantiateActiveClient();
+    if (client.get() == nullptr) {
+      ENVOY_LOG(trace, "connection creation failed");
+      return ConnectionResult::FailedToCreateConnection;
+    }
     ASSERT(client->state() == ActiveClient::State::CONNECTING);
     ASSERT(std::numeric_limits<uint64_t>::max() - connecting_stream_capacity_ >=
            client->effectiveConcurrentStreamLimit());
@@ -249,9 +253,19 @@ ConnectionPool::Cancellable* ConnPoolImplBase::newStream(AttachContext& context)
     // increase capacity is if the connection limits are exceeded.
     ENVOY_BUG(pending_streams_.size() <= connecting_stream_capacity_ ||
                   connecting_stream_capacity_ > old_capacity ||
-                  result == ConnectionResult::NoConnectionRateLimited,
+                  (result == ConnectionResult::NoConnectionRateLimited ||
+                   result == ConnectionResult::FailedToCreateConnection),
               fmt::format("Failed to create expected connection: {}", *this));
-    return pending;
+    if (result == ConnectionResult::FailedToCreateConnection) {
+      // This currently only happens for HTTP/3 if secrets aren't yet loaded.
+      // Trigger connection failure.
+      pending->cancel(Envoy::ConnectionPool::CancelPolicy::CloseExcess);
+      onPoolFailure(nullptr, absl::string_view(), ConnectionPool::PoolFailureReason::Overflow,
+                    context);
+      return nullptr;
+    } else {
+      return pending;
+    }
   } else {
     ENVOY_LOG(debug, "max pending streams overflow");
     onPoolFailure(nullptr, absl::string_view(), ConnectionPool::PoolFailureReason::Overflow,

source/common/conn_pool/conn_pool_base.h

@@ -248,6 +248,7 @@ class ConnPoolImplBase : protected Logger::Loggable<Logger::Id::pool> {
   virtual void onConnected(Envoy::ConnectionPool::ActiveClient&) {}
 
   enum class ConnectionResult {
+    FailedToCreateConnection,
     CreatedNewConnection,
     ShouldNotConnect,
     NoConnectionRateLimited,

source/common/event/BUILD

@@ -186,7 +186,6 @@ envoy_cc_library(
         "//include/envoy/event:timer_interface",
         "//source/common/common:scope_tracker",
         "//source/common/common:utility_lib",
-        "//source/common/runtime:runtime_features_lib",
     ],
 )
 

source/common/event/libevent_scheduler.h

@@ -43,8 +43,6 @@ namespace Event {
 // The same mechanism implements both of these operations, so they are invoked as a group.
 // - Event::SchedulableCallback::scheduleCallbackCurrentIteration(). Each of these callbacks is
 // scheduled and invoked independently.
-// - Event::Timer::enableTimer(0) if "envoy.reloadable_features.activate_timers_next_event_loop"
-// runtime feature is disabled.
 //
 // Event::FileEvent::activate and Event::SchedulableCallback::scheduleCallbackNextIteration are
 // implemented as libevent timers with a deadline of 0. Both of these actions are moved to the work