Merge branch 'main' into dns_details

Signed-off-by: Alyssa Wilk <alyssar@chromium.org>

.github/workflows/mobile-cc_tests.yml

@@ -44,7 +44,7 @@ jobs:
       args: >-
         test
         --config=mobile-remote-ci-cc
-        //test/cc/...
+        //test/cc/... //test/common/...
       request: ${{ needs.load.outputs.request }}
       target: cc-tests
       timeout-minutes: 120

.github/workflows/mobile-compile_time_options.yml

@@ -56,17 +56,6 @@ jobs:
             build
             --config=mobile-remote-ci-cc-no-exceptions
             //test/performance:test_binary_size //library/cc/...
-        - name: Running C++ test
-          target: cc-test
-          args: >-
-            test
-            --config=mobile-remote-ci-cc-test
-          entrypoint: |
-            #!/bin/bash -e
-            export PATH=/opt/llvm/bin:$PATH
-            cd /source/mobile
-            EXTRA_ARGS=$(bazel query //test/cc/... + //test/common/... except //test/common/integration:client_integration_test)
-            exec "$@" $EXTRA_ARGS
 
   build:
     permissions:

.github/workflows/mobile-release.yml

@@ -109,17 +109,10 @@ jobs:
     - name: 'Configure gpg signing'
       env:
         GPG_KEY: ${{ secrets.EM_GPG_KEY }}
-        GPG_KEY_NAME: ${{ secrets.EM_GPG_KEY_NAME }}
         GPG_PASSPHRASE: ${{ secrets.EM_GPG_PASSPHRASE }}
       run: |
         # https://github.com/keybase/keybase-issues/issues/2798
         export GPG_TTY=$(tty)
-        # The key ID C9ADE25A75333454 was obtained from a previous
-        # run of the Mobile Release job. The key ID is consistent
-        # between runs. Hard-coding the key ID is more straightforward
-        # than using `list-secret-keys` to parse out the correct
-        # key ID.
-        export GPG_DEFAULT_KEY=C9ADE25A75333454
         # Import gpg keys and warm the passphrase to avoid the gpg
         # passphrase prompt when initating a deploy
         # `--pinentry-mode=loopback` could be needed to ensure we
@@ -128,10 +121,10 @@ jobs:
         gpg --passphrase $GPG_PASSPHRASE --batch --import signing-key
         shred signing-key
 
-        gpg --default-key $GPG_DEFAULT_KEY --pinentry-mode=loopback --passphrase $GPG_PASSPHRASE -ab ${{ matrix.output }}.aar
-        gpg --default-key $GPG_DEFAULT_KEY --pinentry-mode=loopback --passphrase $GPG_PASSPHRASE -ab ${{ matrix.output }}-pom.xml
-        gpg --default-key $GPG_DEFAULT_KEY --pinentry-mode=loopback --passphrase $GPG_PASSPHRASE -ab ${{ matrix.output }}-javadoc.jar
-        gpg --default-key $GPG_DEFAULT_KEY --pinentry-mode=loopback --passphrase $GPG_PASSPHRASE -ab ${{ matrix.output }}-sources.jar
+        gpg --pinentry-mode=loopback --passphrase $GPG_PASSPHRASE -ab ${{ matrix.output }}.aar
+        gpg --pinentry-mode=loopback --passphrase $GPG_PASSPHRASE -ab ${{ matrix.output }}-pom.xml
+        gpg --pinentry-mode=loopback --passphrase $GPG_PASSPHRASE -ab ${{ matrix.output }}-javadoc.jar
+        gpg --pinentry-mode=loopback --passphrase $GPG_PASSPHRASE -ab ${{ matrix.output }}-sources.jar
     - name: 'Release to sonatype repository'
       env:
         READWRITE_USER: ${{ secrets.EM_SONATYPE_USER }}

46

@@ -0,0 +1 @@
+22 -

api/bazel/repository_locations.bzl

@@ -4,9 +4,9 @@ REPOSITORY_LOCATIONS_SPEC = dict(
         project_name = "bazel-skylib",
         project_desc = "Common useful functions and rules for Bazel",
         project_url = "https://github.com/bazelbuild/bazel-skylib",
-        version = "1.6.1",
-        sha256 = "9f38886a40548c6e96c106b752f242130ee11aaa068a56ba7e56f4511f33e4f2",
-        release_date = "2024-04-25",
+        version = "1.7.1",
+        sha256 = "bc283cdfcd526a52c3201279cda4bc298652efa898b10b4db0837dc51652756f",
+        release_date = "2024-06-03",
         urls = ["https://github.com/bazelbuild/bazel-skylib/releases/download/{version}/bazel-skylib-{version}.tar.gz"],
         use_category = ["api"],
         license = "Apache-2.0",

api/envoy/config/core/v3/protocol.proto

@@ -651,6 +651,13 @@ message Http3ProtocolOptions {
 message SchemeHeaderTransformation {
   oneof transformation {
     // Overwrite any Scheme header with the contents of this string.
+    // If set, takes precedence over match_upstream.
     string scheme_to_overwrite = 1 [(validate.rules).string = {in: "http" in: "https"}];
   }
+
+  // Set the Scheme header to match the upstream transport protocol. For example, should a
+  // request be sent to the upstream over TLS, the scheme header will be set to "https". Should the
+  // request be sent over plaintext, the scheme header will be set to "http".
+  // If scheme_to_overwrite is set, this field is not used.
+  bool match_upstream = 2;
 }

api/envoy/config/listener/v3/listener.proto

@@ -53,7 +53,7 @@ message ListenerCollection {
   repeated xds.core.v3.CollectionEntry entries = 1;
 }
 
-// [#next-free-field: 35]
+// [#next-free-field: 36]
 message Listener {
   option (udpa.annotations.versioning).previous_message_type = "envoy.api.v2.Listener";
 
@@ -387,6 +387,9 @@ message Listener {
   // Whether the listener should limit connections based upon the value of
   // :ref:`global_downstream_max_connections <config_overload_manager_limiting_connections>`.
   bool ignore_global_conn_limit = 31;
+
+  // Whether the listener bypasses configured overload manager actions.
+  bool bypass_overload_manager = 35;
 }
 
 // A placeholder proto so that users can explicitly configure the standard

bazel/repository_locations.bzl

@@ -33,10 +33,10 @@ REPOSITORY_LOCATIONS_SPEC = dict(
         project_name = "Gazelle",
         project_desc = "Bazel BUILD file generator for Go projects",
         project_url = "https://github.com/bazelbuild/bazel-gazelle",
-        version = "0.36.0",
-        sha256 = "75df288c4b31c81eb50f51e2e14f4763cb7548daae126817247064637fd9ea62",
+        version = "0.37.0",
+        sha256 = "d76bf7a60fd8b050444090dfa2837a4eaf9829e1165618ee35dceca5cbdf58d5",
         urls = ["https://github.com/bazelbuild/bazel-gazelle/releases/download/v{version}/bazel-gazelle-v{version}.tar.gz"],
-        release_date = "2024-04-03",
+        release_date = "2024-05-24",
         use_category = ["build"],
         license = "Apache-2.0",
         license_url = "https://github.com/bazelbuild/bazel-gazelle/blob/v{version}/LICENSE",
@@ -621,13 +621,13 @@ REPOSITORY_LOCATIONS_SPEC = dict(
         project_name = "Datadog C++ Tracing Library",
         project_desc = "Datadog distributed tracing for C++",
         project_url = "https://github.com/DataDog/dd-trace-cpp",
-        version = "0.2.0",
-        sha256 = "4462f0893fa08e4ada2ebaa8f9c023ae16cdde549d77bb8c75226328221f026c",
+        version = "0.2.1",
+        sha256 = "1d3dd5dc139fca43e902c756f3eb5ca0b64a6f50a09c06215084a9fb632c0da7",
         strip_prefix = "dd-trace-cpp-{version}",
         urls = ["https://github.com/DataDog/dd-trace-cpp/archive/v{version}.tar.gz"],
         use_category = ["observability_ext"],
         extensions = ["envoy.tracers.datadog"],
-        release_date = "2024-04-02",
+        release_date = "2024-05-28",
         cpe = "N/A",
         license = "Apache-2.0",
         license_url = "https://github.com/DataDog/dd-trace-cpp/blob/v{version}/LICENSE.md",
@@ -1065,12 +1065,12 @@ REPOSITORY_LOCATIONS_SPEC = dict(
         project_name = "Packaging rules for Bazel",
         project_desc = "Bazel rules for the packaging distributions",
         project_url = "https://github.com/bazelbuild/rules_pkg",
-        version = "0.10.1",
-        sha256 = "d330dbe3e3004241ddb9b377416ffc5c823e3e2c08c0d56a7e1935499e7f8577",
+        version = "1.0.0",
+        sha256 = "cc1d6f58eb9bc2bfad247b20f07725dda2d6b119b62b11f1dab9a094a24222e6",
         strip_prefix = "rules_pkg-{version}",
         urls = ["https://github.com/bazelbuild/rules_pkg/archive/{version}.tar.gz"],
         use_category = ["build"],
-        release_date = "2024-02-08",
+        release_date = "2024-06-03",
         license = "Apache-2.0",
         license_url = "https://github.com/bazelbuild/rules_pkg/blob/{version}/LICENSE",
     ),

changelogs/current.yaml

@@ -197,6 +197,10 @@ new_features:
     <envoy_v3_api_field_config.route.v3.RouteAction.RequestMirrorPolicy.disable_shadow_host_suffix_append>`
     in :ref:`request_mirror_policies <envoy_v3_api_field_config.route.v3.RouteAction.request_mirror_policies>`
     for disabling appending of the ``-shadow`` suffix to the shadowed host/authority header.
+- area: http
+  change: |
+    Added field :ref:`match_upstream <envoy_v3_api_field_config.core.v3.SchemeHeaderTransformation.match_upstream>`,
+    which, when set to true, will set the downstream request ``:scheme`` to match the upstream transport protocol.
 - area: redis
   change: |
     Added support for `inline commands <https://redis.io/docs/reference/protocol-spec/#inline-commands>`_.
@@ -226,6 +230,10 @@ new_features:
     added :ref:`stat_prefix
     <envoy_v3_api_field_extensions.access_loggers.open_telemetry.v3.OpenTelemetryAccessLogConfig.stat_prefix>`
     configuration to support additional stat prefix for the OpenTelemetry logger.
+- area: listener
+  change: |
+    Added :ref:`bypass_overload_manager <envoy_v3_api_field_config.listener.v3.Listener.bypass_overload_manager>`
+    to bypass the overload manager for a listener. When set to true, the listener will not be subject to overload protection.
 
 deprecated:
 - area: tracing

contrib/golang/filters/network/source/upstream.cc

@@ -59,12 +59,15 @@ UpstreamConn::UpstreamConn(std::string addr, Dso::NetworkFilterDsoPtr dynamic_li
   }
   stream_info_ = std::make_unique<StreamInfo::StreamInfoImpl>(
       dispatcher_->timeSource(), nullptr, StreamInfo::FilterState::LifeSpan::FilterChain);
-  stream_info_->filterState()->setData(
-      "envoy.network.transport_socket.original_dst_address",
-      std::make_shared<Network::AddressObject>(
-          Network::Utility::parseInternetAddressAndPort(addr, false)),
-      StreamInfo::FilterState::StateType::ReadOnly, StreamInfo::FilterState::LifeSpan::FilterChain,
-      StreamInfo::StreamSharingMayImpactPooling::None);
+  auto address = std::make_shared<Network::AddressObject>(
+      Network::Utility::parseInternetAddressAndPortNoThrow(addr, false));
+  if (!address) {
+    throwEnvoyExceptionOrPanic(absl::StrCat("malformed IP address: ", addr));
+  }
+  stream_info_->filterState()->setData("envoy.network.transport_socket.original_dst_address",
+                                       address, StreamInfo::FilterState::StateType::ReadOnly,
+                                       StreamInfo::FilterState::LifeSpan::FilterChain,
+                                       StreamInfo::StreamSharingMayImpactPooling::None);
 }
 
 void UpstreamConn::connect() {

envoy/network/listener.h

@@ -162,6 +162,11 @@ class ListenerInfo {
    * @return whether the listener is a Quic listener.
    */
   virtual bool isQuic() const PURE;
+
+  /**
+   * @return bool whether the listener should bypass overload manager actions
+   */
+  virtual bool shouldBypassOverloadManager() const PURE;
 };
 
 using ListenerInfoConstSharedPtr = std::shared_ptr<const ListenerInfo>;
@@ -291,6 +296,11 @@ class ListenerConfig {
    * limit.
    */
   virtual bool ignoreGlobalConnLimit() const PURE;
+
+  /**
+   * @return bool whether the listener should bypass overload manager actions
+   */
+  virtual bool shouldBypassOverloadManager() const PURE;
 };
 
 /**
@@ -468,6 +478,11 @@ class Listener {
    */
   virtual void
   configureLoadShedPoints(Server::LoadShedPointProvider& load_shed_point_provider) PURE;
+
+  /**
+   * Check whether the listener should bypass overload manager actions
+   */
+  virtual bool shouldBypassOverloadManager() const PURE;
 };
 
 using ListenerPtr = std::unique_ptr<Listener>;

envoy/server/factory_context.h

@@ -201,6 +201,12 @@ class ServerFactoryContext : public virtual CommonFactoryContext {
    */
   virtual OverloadManager& overloadManager() PURE;
 
+  /**
+   * @return NullOverloadManager& the dummy overload manager for the server for
+   * listeners that are bypassing a configured OverloadManager
+   */
+  virtual OverloadManager& nullOverloadManager() PURE;
+
   /**
    * @return whether external healthchecks are currently failed or not.
    */

envoy/server/instance.h

@@ -144,6 +144,11 @@ class Instance {
    */
   virtual OverloadManager& overloadManager() PURE;
 
+  /**
+   * @return the server's null overload manager in case we want to skip overloading the server.
+   */
+  virtual OverloadManager& nullOverloadManager() PURE;
+
   /**
    * @return the server's secret manager
    */

envoy/server/worker.h

@@ -107,10 +107,13 @@ class WorkerFactory {
   /**
    * @param index supplies the index of the worker, in the range of [0, concurrency).
    * @param overload_manager supplies the server's overload manager.
+   * @param null_overload_manager supplies the server's null overload manager for conditions where
+   * overload manager is disabled.
    * @param worker_name supplies the name of the worker, used for per-worker stats.
    * @return WorkerPtr a new worker.
    */
   virtual WorkerPtr createWorker(uint32_t index, OverloadManager& overload_manager,
+                                 OverloadManager& null_overload_manager,
                                  const std::string& worker_name) PURE;
 };
 

envoy/stream_info/stream_info.h

@@ -957,6 +957,20 @@ class StreamInfo {
    */
   virtual void setDownstreamTransportFailureReason(absl::string_view failure_reason) PURE;
 
+  /**
+   * Checked by routing filters before forwarding a request upstream.
+   * @return to override the scheme header to match the upstream transport
+   * protocol at routing filters.
+   */
+  virtual bool shouldSchemeMatchUpstream() const PURE;
+
+  /**
+   * Called if a filter decides that the scheme should match the upstream transport protocol
+   * @param should_match_upstream true to hint to routing filters to override the scheme header
+   * to match the upstream transport protocol.
+   */
+  virtual void setShouldSchemeMatchUpstream(bool should_match_upstream) PURE;
+
   /**
    * Checked by streams after finishing serving the request.
    * @return bool true if the connection should be drained once this stream has