auto-merge envoyproxy/envoy[main] into envoyproxy/envoy-openssl[main]

* upstream/main: (55 commits)
  dynamic_modules: switch to crate_universe to remove manual bindgen (#36240)
  tools/python: Update all deps (#36267)
  http: fix issues in CONNECT-UDP forwarding mode. (#36174)
  Change filter and access logger order in access_log_handlers_ (#35959)
  Refactor cache_filter to expect caches to post cb (#36184)
  bump grpc-httpjson-transcoding (#36229)
  http2: fix reported protocol error from graceful upstream close (#36205)
  Updates to mobile/third_party/rbe_configs/cc/ (#36269)
  quic: fix connection close error when blocked socket gets unblocked (#36238)
  Add `metric_names_for_computing_utilization` field to `ClientSideWeightedRoundRobin` LB Policy proto. (#36201)
  release/ci: Remove windows Docker setup (#36220)
  Fix typo in test name (#36196)
  bazel/repo: Add release hash to blow project data cache (#36262)
  chore: fix the incorrect `scope` claim name in the API doc (#36241)
  grpc-xDS: reserve vector size (#36230)
  deps: Bump `build_bazel_rules_apple` -> 3.9.0 (#36257)
  deps: Bump `aspect_bazel_lib` -> 2.9.0 (#36256)
  deps/api: Bump `com_github_bufbuild_buf` -> 1.42.0 (#36258)
  deps/api: Bump `dev_cel` -> 0.16.2 (#36259)
  deps: Bump `rules_rust` -> 0.51.0 (#36260)
  ...

.bazelrc

@@ -25,6 +25,7 @@ build --copt=-DABSL_MIN_LOG_LEVEL=4
 build --define envoy_mobile_listener=enabled
 build --experimental_repository_downloader_retries=2
 build --enable_platform_specific_config
+build --incompatible_merge_fixed_and_default_shell_env
 
 # Pass CC, CXX and LLVM_CONFIG variables from the environment.
 # We assume they have stable values, so this won't cause action cache misses.

.github/workflows/codeql-daily.yml

@@ -34,7 +34,7 @@ jobs:
 
     # Initializes the CodeQL tools for scanning.
     - name: Initialize CodeQL
-      uses: github/codeql-action/init@8214744c546c1e5c8f03dde8fab3a7353211988d  # codeql-bundle-v3.26.7
+      uses: github/codeql-action/init@294a9d92911152fe08befb9ec03e240add280cb3  # codeql-bundle-v3.26.8
       # Override language selection by uncommenting this and choosing your languages
       with:
         languages: cpp
@@ -73,4 +73,4 @@ jobs:
         git clean -xdf
 
     - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@8214744c546c1e5c8f03dde8fab3a7353211988d  # codeql-bundle-v3.26.7
+      uses: github/codeql-action/analyze@294a9d92911152fe08befb9ec03e240add280cb3  # codeql-bundle-v3.26.8

.github/workflows/codeql-push.yml

@@ -65,7 +65,7 @@ jobs:
 
     - name: Initialize CodeQL
       if: ${{ env.BUILD_TARGETS != '' }}
-      uses: github/codeql-action/init@8214744c546c1e5c8f03dde8fab3a7353211988d  # codeql-bundle-v3.26.7
+      uses: github/codeql-action/init@294a9d92911152fe08befb9ec03e240add280cb3  # codeql-bundle-v3.26.8
       with:
         languages: cpp
 
@@ -108,4 +108,4 @@ jobs:
 
     - name: Perform CodeQL Analysis
       if: ${{ env.BUILD_TARGETS != '' }}
-      uses: github/codeql-action/analyze@8214744c546c1e5c8f03dde8fab3a7353211988d  # codeql-bundle-v3.26.7
+      uses: github/codeql-action/analyze@294a9d92911152fe08befb9ec03e240add280cb3  # codeql-bundle-v3.26.8

.github/workflows/scorecard.yml

@@ -40,6 +40,6 @@ jobs:
         retention-days: 5
 
     - name: "Upload to code-scanning"
-      uses: github/codeql-action/upload-sarif@8214744c546c1e5c8f03dde8fab3a7353211988d  # v3.26.7
+      uses: github/codeql-action/upload-sarif@294a9d92911152fe08befb9ec03e240add280cb3  # v3.26.8
       with:
         sarif_file: results.sarif

OWNERS.md

@@ -76,7 +76,6 @@ without further review.
 
 * All senior maintainers
 * Tony Allen ([tonya11en](https://github.com/tonya11en)) (tony@allen.gg)
-* Otto van der Schaaf ([oschaaf](https://github.com/oschaaf)) (oschaaf@redhat.com)
 * Tim Walsh ([twghu](https://github.com/twghu)) (twalsh@redhat.com)
 * Pradeep Rao ([pradeepcrao](https://github.com/pradeepcrao)) (pcrao@google.com)
 * Kateryna Nezdolii ([nezdolik](https://github.com/nezdolik)) (kateryna.nezdolii@gmail.com)

RELEASES.md

@@ -138,6 +138,6 @@ Security releases are published on a 3-monthly cycle, around the mid point betwe
 | Quarter |  Expected  |   Actual   | Difference |
 |:-------:|:----------:|:----------:|:----------:|
 | 2024 Q2 | 2024/06/04 | 2024/06/04 |   0 days   |
-| 2024 Q3 | 2024/09/03 |
+| 2024 Q3 | 2024/09/03 | 2024/09/19 |  16 days   |
 
 NOTE: Zero-day vulnerabilities, and upstream vulnerabilities disclosed to us under embargo, may necessitate an emergency release with little or no warning.

WORKSPACE

@@ -27,3 +27,7 @@ envoy_python_dependencies()
 load("//bazel:dependency_imports.bzl", "envoy_dependency_imports")
 
 envoy_dependency_imports()
+
+load("//bazel:dependency_imports_extra.bzl", "envoy_dependency_imports_extra")
+
+envoy_dependency_imports_extra()

api/bazel/repository_locations.bzl

@@ -79,9 +79,9 @@ REPOSITORY_LOCATIONS_SPEC = dict(
         project_name = "Google APIs",
         project_desc = "Public interface definitions of Google APIs",
         project_url = "https://github.com/googleapis/googleapis",
-        version = "114a745b2841a044e98cdbb19358ed29fcf4a5f1",
-        sha256 = "9b4e0d0a04a217c06b426aefd03b82581a9510ca766d2d1c70e52bb2ad4a0703",
-        release_date = "2023-01-10",
+        version = "fd52b5754b2b268bc3a22a10f29844f206abb327",
+        sha256 = "97fc354dddfd3ea03e7bf2ad74129291ed6fad7ff39d3bd8daec738a3672eb8a",
+        release_date = "2024-09-16",
         strip_prefix = "googleapis-{version}",
         urls = ["https://github.com/googleapis/googleapis/archive/{version}.tar.gz"],
         use_category = ["api"],
@@ -144,11 +144,11 @@ REPOSITORY_LOCATIONS_SPEC = dict(
         project_name = "buf",
         project_desc = "A new way of working with Protocol Buffers.",  # Used for breaking change detection in API protobufs
         project_url = "https://buf.build",
-        version = "1.41.0",
-        sha256 = "47952564762b3f7e248fb70cba1956e68db80242fac3e825ba21eb2632074c93",
+        version = "1.42.0",
+        sha256 = "412c8bdc2a4361f796df59735eb8b8f1cb85f7bfa91f443e471bf0b090d7c6c2",
         strip_prefix = "buf",
         urls = ["https://github.com/bufbuild/buf/releases/download/v{version}/buf-Linux-x86_64.tar.gz"],
-        release_date = "2024-09-11",
+        release_date = "2024-09-18",
         use_category = ["api"],
         license = "Apache-2.0",
         license_url = "https://github.com/bufbuild/buf/blob/v{version}/LICENSE",
@@ -169,11 +169,11 @@ REPOSITORY_LOCATIONS_SPEC = dict(
         project_desc = "Common Expression Language -- specification and binary representation",
         project_url = "https://github.com/google/cel-spec",
         strip_prefix = "cel-spec-{version}",
-        sha256 = "24fd9b5aa218044f2923b8bcfccbf996eb024f05d1acbe1b27aca554f2720ac6",
-        version = "0.16.1",
+        sha256 = "ad735dcea00992c36c7e94a56bceebedad475a01ee63b49c6796c1fcb7b6a41c",
+        version = "0.16.2",
         urls = ["https://github.com/google/cel-spec/archive/v{version}.tar.gz"],
         use_category = ["api"],
-        release_date = "2024-08-28",
+        release_date = "2024-09-18",
     ),
     envoy_toolshed = dict(
         project_name = "envoy_toolshed",

api/envoy/config/core/v3/protocol.proto

@@ -56,7 +56,7 @@ message QuicKeepAliveSettings {
 }
 
 // QUIC protocol options which apply to both downstream and upstream connections.
-// [#next-free-field: 9]
+// [#next-free-field: 10]
 message QuicProtocolOptions {
   // Maximum number of streams that the client can negotiate per connection. 100
   // if not specified.
@@ -111,6 +111,10 @@ message QuicProtocolOptions {
     lte {seconds: 600}
     gte {seconds: 1}
   }];
+
+  // Maximum packet length for QUIC connections. It refers to the largest size of a QUIC packet that can be transmitted over the connection.
+  // If not specified, one of the `default values in QUICHE <https://github.com/google/quiche/blob/main/quiche/quic/core/quic_constants.h>`_ is used.
+  google.protobuf.UInt64Value max_packet_length = 9;
 }
 
 message UpstreamHttpProtocolOptions {

api/envoy/config/listener/v3/quic_config.proto

@@ -25,7 +25,7 @@ option (udpa.annotations.file_status).package_version_status = ACTIVE;
 // [#protodoc-title: QUIC listener config]
 
 // Configuration specific to the UDP QUIC listener.
-// [#next-free-field: 13]
+// [#next-free-field: 14]
 message QuicProtocolOptions {
   option (udpa.annotations.versioning).previous_message_type =
       "envoy.api.v2.listener.QuicProtocolOptions";
@@ -94,4 +94,9 @@ message QuicProtocolOptions {
   // If not specified, no cmsg will be saved to QuicReceivedPacket.
   repeated core.v3.SocketCmsgHeaders save_cmsg_config = 12
       [(validate.rules).repeated = {max_items: 1}];
+
+  // If true, the listener will reject connection-establishing packets at the
+  // QUIC layer by replying with an empty version negotiation packet to the
+  // client.
+  bool reject_new_connections = 13;
 }

api/envoy/extensions/filters/http/basic_auth/v3/basic_auth.proto

@@ -41,6 +41,12 @@ message BasicAuth {
   // If it is not specified, the username will not be forwarded.
   string forward_username_header = 2
       [(validate.rules).string = {well_known_regex: HTTP_HEADER_NAME strict: false}];
+
+  // This field specifies the request header to load the basic credential from.
+  //
+  // If it is not specified, the filter loads the credential from  the "Authorization" header.
+  string authentication_header = 3
+      [(validate.rules).string = {well_known_regex: HTTP_HEADER_NAME strict: false}];
 }
 
 // Extra settings that may be added to per-route configuration for

api/envoy/extensions/filters/http/jwt_authn/v3/config.proto

@@ -63,9 +63,9 @@ message JwtProvider {
   message NormalizePayload {
     // Each claim in this list will be interpreted as a space-delimited string
     // and converted to a list of strings based on the delimited values.
-    // Example: a token with a claim ``scopes: "email profile"`` is translated
-    // to dynamic metadata  ``scopes: ["email", "profile"]`` if this field is
-    // set value ``["scopes"]``. This special handling of ``scopes`` is
+    // Example: a token with a claim ``scope: "email profile"`` is translated
+    // to dynamic metadata  ``scope: ["email", "profile"]`` if this field is
+    // set value ``["scope"]``. This special handling of ``scope`` is
     // recommended by `RFC8693
     // <https://datatracker.ietf.org/doc/html/rfc8693#name-scope-scopes-claim>`_.
     repeated string space_delimited_claims = 1;

api/envoy/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto

@@ -684,6 +684,34 @@ message HttpConnectionManager {
   // purposes. If unspecified, only RFC1918 IP addresses will be considered internal.
   // See the documentation for :ref:`config_http_conn_man_headers_x-envoy-internal` for more
   // information about internal/external addresses.
+  //
+  // .. warning::
+  //     In the next release, no IP addresses will be considered trusted. If you have tooling such as probes
+  //     on your private network which need to be treated as trusted (e.g. changing arbitrary x-envoy headers)
+  //     you will have to manually include those addresses or CIDR ranges like:
+  //
+  // .. validated-code-block:: yaml
+  //   :type-name: envoy.extensions.filters.network.http_connection_manager.v3.InternalAddressConfig
+  //
+  //   cidr_ranges:
+  //       address_prefix: 10.0.0.0
+  //       prefix_len: 8
+  //   cidr_ranges:
+  //       address_prefix: 192.168.0.0
+  //       prefix_len: 16
+  //   cidr_ranges:
+  //       address_prefix: 172.16.0.0
+  //       prefix_len: 12
+  //   cidr_ranges:
+  //       address_prefix: 127.0.0.1
+  //       prefix_len: 32
+  //   cidr_ranges:
+  //       address_prefix: fd00::
+  //       prefix_len: 8
+  //   cidr_ranges:
+  //       address_prefix: ::1
+  //       prefix_len: 128
+  //
   InternalAddressConfig internal_address_config = 25;
 
   // If set, Envoy will not append the remote address to the

api/envoy/extensions/load_balancing_policies/client_side_weighted_round_robin/v3/client_side_weighted_round_robin.proto

@@ -30,11 +30,12 @@ option (udpa.annotations.file_status).package_version_status = ACTIVE;
 // regardless of result. Only failed queries count toward eps. A config
 // parameter error_utilization_penalty controls the penalty to adjust endpoint
 // weights using eps and qps. The weight of a given endpoint is computed as:
-//   qps / (utilization + eps/qps * error_utilization_penalty)
+// ``qps / (utilization + eps/qps * error_utilization_penalty)``.
 //
-// See the :ref:`load balancing architecture overview<arch_overview_load_balancing_types>` for more information.
+// See the :ref:`load balancing architecture
+// overview<arch_overview_load_balancing_types>` for more information.
 //
-// [#next-free-field: 7]
+// [#next-free-field: 8]
 message ClientSideWeightedRoundRobin {
   // Whether to enable out-of-band utilization reporting collection from
   // the endpoints. By default, per-request utilization reporting is used.
@@ -68,4 +69,10 @@ message ClientSideWeightedRoundRobin {
   // calculated as eps/qps. Configuration is rejected if this value is negative.
   // Default is 1.0.
   google.protobuf.FloatValue error_utilization_penalty = 6 [(validate.rules).float = {gte: 0.0}];
+
+  // By default, endpoint weight is computed based on the :ref:`application_utilization <envoy_v3_api_field_.xds.data.orca.v3.OrcaLoadReport.application_utilization>` field reported by the endpoint.
+  // If that field is not set, then utilization will instead be computed by taking the max of the values of the metrics specified here.
+  // For map fields in the ORCA proto, the string will be of the form ``<map_field_name>.<map_key>``. For example, the string ``named_metrics.foo`` will mean to look for the key ``foo`` in the ORCA :ref:`named_metrics <envoy_v3_api_field_.xds.data.orca.v3.OrcaLoadReport.named_metrics>` field.
+  // If none of the specified metrics are present in the load report, then :ref:`cpu_utilization <envoy_v3_api_field_.xds.data.orca.v3.OrcaLoadReport.cpu_utilization>` is used instead.
+  repeated string metric_names_for_computing_utilization = 7;
 }

bazel/BUILD

@@ -14,6 +14,7 @@ envoy_package()
 
 exports_files([
     "gen_sh_test_runner.sh",
+    "generate_release_hash.sh",
     "sh_test_wrapper.sh",
     "test_for_benchmark_wrapper.sh",
     "repository_locations.bzl",

bazel/EXTERNAL_DEPS.md

@@ -16,7 +16,7 @@ build process.
 1. Define a new Bazel repository in [`bazel/repositories.bzl`](repositories.bzl),
    in the `envoy_dependencies()` function.
 2. Reference your new external dependency in some `envoy_cc_library` via the
-   `external_deps` attribute.
+   `deps` attribute.
 3. `bazel test //test/...`
 
 ## External CMake (preferred)
@@ -28,7 +28,7 @@ This is the preferred style of adding dependencies that use CMake for their buil
 2. Add an `envoy_cmake` rule to [`bazel/foreign_cc/BUILD`](foreign_cc/BUILD). This will reference
    the source repository in step 1.
 3. Reference your new external dependency in some `envoy_cc_library` via the name bound in step 1
-   `external_deps` attribute.
+   `deps` attribute.
 4. `bazel test //test/...`
 
 # Adding external dependencies to Envoy (Python)

bazel/dependency_imports.bzl

@@ -14,6 +14,8 @@ load("@rules_foreign_cc//foreign_cc:repositories.bzl", "rules_foreign_cc_depende
 load("@rules_fuzzing//fuzzing:repositories.bzl", "rules_fuzzing_dependencies")
 load("@rules_pkg//:deps.bzl", "rules_pkg_dependencies")
 load("@rules_proto_grpc//:repositories.bzl", "rules_proto_grpc_toolchains")
+load("@rules_rust//crate_universe:defs.bzl", "crates_repository")
+load("@rules_rust//crate_universe:repositories.bzl", "crate_universe_dependencies")
 load("@rules_rust//rust:defs.bzl", "rust_common")
 load("@rules_rust//rust:repositories.bzl", "rules_rust_dependencies", "rust_register_toolchains", "rust_repository_set")
 
@@ -51,6 +53,8 @@ def envoy_dependency_imports(go_version = GO_VERSION, jq_version = JQ_VERSION, y
             "wasm32-wasi",
         ],
     )
+    crate_universe_dependencies()
+    crates_repositories()
     shellcheck_dependencies()
     proxy_wasm_rust_sdk_dependencies()
     rules_fuzzing_dependencies(
@@ -196,3 +200,11 @@ def envoy_download_go_sdks(go_version):
         goarch = "arm64",
         version = go_version,
     )
+
+def crates_repositories():
+    crates_repository(
+        name = "dynamic_modules_rust_sdk_crate_index",
+        cargo_lockfile = "//source/extensions/dynamic_modules/sdk/rust:Cargo.lock",
+        lockfile = Label("//source/extensions/dynamic_modules/sdk/rust:Cargo.Bazel.lock"),
+        manifests = ["//source/extensions/dynamic_modules/sdk/rust:Cargo.toml"],
+    )

bazel/dependency_imports_extra.bzl

@@ -0,0 +1,5 @@
+load("@dynamic_modules_rust_sdk_crate_index//:defs.bzl", "crate_repositories")
+
+# Dependencies that rely on a first stage of envoy_dependency_imports() in dependency_imports.bzl.
+def envoy_dependency_imports_extra():
+    crate_repositories()

bazel/envoy_build_system.bzl

@@ -211,13 +211,13 @@ def envoy_proto_descriptor(name, out, srcs = [], external_deps = []):
     options.extend(["-I" + include_path for include_path in include_paths])
     options.append("--descriptor_set_out=$@")
 
-    cmd = "$(location //external:protoc) " + " ".join(options + input_files)
+    cmd = "$(location @com_google_protobuf//:protoc) " + " ".join(options + input_files)
     native.genrule(
         name = name,
         srcs = srcs,
         outs = [out],
         cmd = cmd,
-        tools = ["//external:protoc"],
+        tools = ["@com_google_protobuf//:protoc"],
     )
 
 # Dependencies on Google grpc should be wrapped with this function.

bazel/envoy_internal.bzl

@@ -166,15 +166,15 @@ def tcmalloc_external_dep(repository):
         repository + "//bazel:disable_tcmalloc": None,
         repository + "//bazel:disable_tcmalloc_on_linux_x86_64": None,
         repository + "//bazel:disable_tcmalloc_on_linux_aarch64": None,
-        repository + "//bazel:debug_tcmalloc": envoy_external_dep_path("gperftools"),
-        repository + "//bazel:debug_tcmalloc_on_linux_x86_64": envoy_external_dep_path("gperftools"),
-        repository + "//bazel:debug_tcmalloc_on_linux_aarch64": envoy_external_dep_path("gperftools"),
-        repository + "//bazel:gperftools_tcmalloc": envoy_external_dep_path("gperftools"),
-        repository + "//bazel:gperftools_tcmalloc_on_linux_x86_64": envoy_external_dep_path("gperftools"),
-        repository + "//bazel:gperftools_tcmalloc_on_linux_aarch64": envoy_external_dep_path("gperftools"),
-        repository + "//bazel:linux_x86_64": envoy_external_dep_path("tcmalloc"),
-        repository + "//bazel:linux_aarch64": envoy_external_dep_path("tcmalloc"),
-        "//conditions:default": envoy_external_dep_path("gperftools"),
+        repository + "//bazel:debug_tcmalloc": repository + "//bazel/foreign_cc:gperftools",
+        repository + "//bazel:debug_tcmalloc_on_linux_x86_64": repository + "//bazel/foreign_cc:gperftools",
+        repository + "//bazel:debug_tcmalloc_on_linux_aarch64": repository + "//bazel/foreign_cc:gperftools",
+        repository + "//bazel:gperftools_tcmalloc": repository + "//bazel/foreign_cc:gperftools",
+        repository + "//bazel:gperftools_tcmalloc_on_linux_x86_64": repository + "//bazel/foreign_cc:gperftools",
+        repository + "//bazel:gperftools_tcmalloc_on_linux_aarch64": repository + "//bazel/foreign_cc:gperftools",
+        repository + "//bazel:linux_x86_64": "@com_github_google_tcmalloc//tcmalloc",
+        repository + "//bazel:linux_aarch64": "@com_github_google_tcmalloc//tcmalloc",
+        "//conditions:default": repository + "//bazel/foreign_cc:gperftools",
     })
 
 # Select the given values if default path normalization is on in the current build.