Skip to content

Commit

Permalink
Merge pull request #255 from envoyproxy/auto-merge-main
Browse files Browse the repository at this point in the history
auto-merge envoyproxy/envoy[main] into envoyproxy/envoy-openssl[main]
  • Loading branch information
tedjpoole authored Sep 24, 2024
2 parents 6a1f8d7 + 989485d commit 66c6255
Show file tree
Hide file tree
Showing 391 changed files with 10,028 additions and 5,818 deletions.
20 changes: 14 additions & 6 deletions .bazelrc
Original file line number Diff line number Diff line change
Expand Up @@ -25,6 +25,7 @@ build --copt=-DABSL_MIN_LOG_LEVEL=4
build --define envoy_mobile_listener=enabled
build --experimental_repository_downloader_retries=2
build --enable_platform_specific_config
build --incompatible_merge_fixed_and_default_shell_env

# Pass CC, CXX and LLVM_CONFIG variables from the environment.
# We assume they have stable values, so this won't cause action cache misses.
Expand All @@ -45,7 +46,6 @@ build --action_env=BAZEL_VOLATILE_DIRTY --host_action_env=BAZEL_VOLATILE_DIRTY
# Prevent stamped caches from busting (eg in PRs)
# Requires setting `BAZEL_FAKE_SCM_REVISION` in the env.
build --action_env=BAZEL_FAKE_SCM_REVISION --host_action_env=BAZEL_FAKE_SCM_REVISION

build --test_summary=terse

build:docs-ci --action_env=DOCS_RST_CHECK=1 --host_action_env=DOCS_RST_CHECK=1
Expand Down Expand Up @@ -514,19 +514,27 @@ build:rbe-engflow --bes_timeout=3600s
build:rbe-engflow --bes_upload_mode=fully_async
build:rbe-engflow --nolegacy_important_outputs

build:cache-envoy-engflow --google_default_credentials=false
# RBE (Engflow Envoy)
build:common-envoy-engflow --google_default_credentials=false
build:common-envoy-engflow --credential_helper=*.engflow.com=%workspace%/bazel/engflow-bazel-credential-helper.sh
build:common-envoy-engflow --grpc_keepalive_time=30s

build:cache-envoy-engflow --remote_cache=grpcs://morganite.cluster.engflow.com
build:cache-envoy-engflow --remote_timeout=3600s
build:cache-envoy-engflow --credential_helper=*.engflow.com=%workspace%/bazel/engflow-bazel-credential-helper.sh
build:cache-envoy-engflow --grpc_keepalive_time=30s
build:bes-envoy-engflow --bes_backend=grpcs://morganite.cluster.engflow.com/
build:bes-envoy-engflow --bes_results_url=https://morganite.cluster.engflow.com/invocation/
build:bes-envoy-engflow --bes_timeout=3600s
build:bes-envoy-engflow --bes_upload_mode=fully_async
build:rbe-envoy-engflow --config=cache-envoy-engflow
build:rbe-envoy-engflow --config=bes-envoy-engflow
build:bes-envoy-engflow --nolegacy_important_outputs
build:rbe-envoy-engflow --remote_executor=grpcs://morganite.cluster.engflow.com
build:rbe-envoy-engflow --remote_default_exec_properties=container-image=docker://gcr.io/envoy-ci/envoy-build@sha256:7adc40c09508f957624c4d2e0f5aeecb73a59207ee6ded53b107eac828c091b2
build:rbe-envoy-engflow --jobs=200
build:rbe-envoy-engflow --define=engflow_rbe=true

build:remote-envoy-engflow --config=common-envoy-engflow
build:remote-envoy-engflow --config=cache-envoy-engflow
build:remote-envoy-engflow --config=bes-envoy-engflow
build:remote-envoy-engflow --config=rbe-envoy-engflow

#############################################################################
# debug: Various Bazel debugging flags
Expand Down
2 changes: 1 addition & 1 deletion .github/workflows/_precheck_deps.yml
Original file line number Diff line number Diff line change
Expand Up @@ -29,7 +29,7 @@ jobs:
uses: ./.github/workflows/_run.yml
name: ${{ matrix.target }}
with:
bazel-extra: '--config=rbe-envoy-engflow'
bazel-extra: '--config=remote-envoy-engflow'
cache-build-image: ${{ fromJSON(inputs.request).request.build-image.default }}
request: ${{ inputs.request }}
error-match: |
Expand Down
2 changes: 1 addition & 1 deletion .github/workflows/_publish_build.yml
Original file line number Diff line number Diff line change
Expand Up @@ -59,7 +59,7 @@ jobs:
name: Release (x64)
arch: x64
bazel-extra: >-
--config=rbe-envoy-engflow
--config=remote-envoy-engflow
rbe: true
runs-on: ubuntu-24.04
- target: release.server_only
Expand Down
4 changes: 2 additions & 2 deletions .github/workflows/_publish_verify.yml
Original file line number Diff line number Diff line change
Expand Up @@ -30,7 +30,7 @@ jobs:
name: ${{ matrix.name || matrix.target }}
uses: ./.github/workflows/_run.yml
with:
bazel-extra: ${{ matrix.bazel-extra || '--config=rbe-envoy-engflow' }}
bazel-extra: ${{ matrix.bazel-extra || '--config=remote-envoy-engflow' }}
cache-build-image: ${{ matrix.cache-build-image }}
cache-build-image-key-suffix: ${{ matrix.arch == 'arm64' && format('-{0}', matrix.arch) || '' }}
container-command: ${{ matrix.container-command }}
Expand Down Expand Up @@ -85,7 +85,7 @@ jobs:
name: ${{ matrix.name || matrix.target }}
uses: ./.github/workflows/_run.yml
with:
bazel-extra: ${{ matrix.bazel-extra || '--config=rbe-envoy-engflow' }}
bazel-extra: ${{ matrix.bazel-extra || '--config=remote-envoy-engflow' }}
cache-build-image: ${{ fromJSON(inputs.request).request.build-image.default }}
cache-build-image-key-suffix: ${{ matrix.arch == 'arm64' && format('-{0}', matrix.arch) || '' }}
container-command: ./ci/run_envoy_docker.sh
Expand Down
4 changes: 2 additions & 2 deletions .github/workflows/codeql-daily.yml
Original file line number Diff line number Diff line change
Expand Up @@ -34,7 +34,7 @@ jobs:

# Initializes the CodeQL tools for scanning.
- name: Initialize CodeQL
uses: github/codeql-action/init@8214744c546c1e5c8f03dde8fab3a7353211988d # codeql-bundle-v3.26.7
uses: github/codeql-action/init@294a9d92911152fe08befb9ec03e240add280cb3 # codeql-bundle-v3.26.8
# Override language selection by uncommenting this and choosing your languages
with:
languages: cpp
Expand Down Expand Up @@ -73,4 +73,4 @@ jobs:
git clean -xdf
- name: Perform CodeQL Analysis
uses: github/codeql-action/analyze@8214744c546c1e5c8f03dde8fab3a7353211988d # codeql-bundle-v3.26.7
uses: github/codeql-action/analyze@294a9d92911152fe08befb9ec03e240add280cb3 # codeql-bundle-v3.26.8
4 changes: 2 additions & 2 deletions .github/workflows/codeql-push.yml
Original file line number Diff line number Diff line change
Expand Up @@ -65,7 +65,7 @@ jobs:

- name: Initialize CodeQL
if: ${{ env.BUILD_TARGETS != '' }}
uses: github/codeql-action/init@8214744c546c1e5c8f03dde8fab3a7353211988d # codeql-bundle-v3.26.7
uses: github/codeql-action/init@294a9d92911152fe08befb9ec03e240add280cb3 # codeql-bundle-v3.26.8
with:
languages: cpp

Expand Down Expand Up @@ -108,4 +108,4 @@ jobs:
- name: Perform CodeQL Analysis
if: ${{ env.BUILD_TARGETS != '' }}
uses: github/codeql-action/analyze@8214744c546c1e5c8f03dde8fab3a7353211988d # codeql-bundle-v3.26.7
uses: github/codeql-action/analyze@294a9d92911152fe08befb9ec03e240add280cb3 # codeql-bundle-v3.26.8
1 change: 1 addition & 0 deletions .github/workflows/envoy-macos.yml
Original file line number Diff line number Diff line change
Expand Up @@ -66,6 +66,7 @@ jobs:
--flaky_test_attempts=2
--config=bes-envoy-engflow
--config=cache-envoy-engflow
--config=common-envoy-engflow
--config=ci)
export BAZEL_BUILD_EXTRA_OPTIONS=${_BAZEL_BUILD_EXTRA_OPTIONS[*]}
Expand Down
2 changes: 1 addition & 1 deletion .github/workflows/scorecard.yml
Original file line number Diff line number Diff line change
Expand Up @@ -40,6 +40,6 @@ jobs:
retention-days: 5

- name: "Upload to code-scanning"
uses: github/codeql-action/upload-sarif@8214744c546c1e5c8f03dde8fab3a7353211988d # v3.26.7
uses: github/codeql-action/upload-sarif@294a9d92911152fe08befb9ec03e240add280cb3 # v3.26.8
with:
sarif_file: results.sarif
1 change: 0 additions & 1 deletion OWNERS.md
Original file line number Diff line number Diff line change
Expand Up @@ -76,7 +76,6 @@ without further review.

* All senior maintainers
* Tony Allen ([tonya11en](https://github.com/tonya11en)) (tony@allen.gg)
* Otto van der Schaaf ([oschaaf](https://github.com/oschaaf)) (oschaaf@redhat.com)
* Tim Walsh ([twghu](https://github.com/twghu)) (twalsh@redhat.com)
* Pradeep Rao ([pradeepcrao](https://github.com/pradeepcrao)) (pcrao@google.com)
* Kateryna Nezdolii ([nezdolik](https://github.com/nezdolik)) (kateryna.nezdolii@gmail.com)
Expand Down
2 changes: 1 addition & 1 deletion RELEASES.md
Original file line number Diff line number Diff line change
Expand Up @@ -138,6 +138,6 @@ Security releases are published on a 3-monthly cycle, around the mid point betwe
| Quarter | Expected | Actual | Difference |
|:-------:|:----------:|:----------:|:----------:|
| 2024 Q2 | 2024/06/04 | 2024/06/04 | 0 days |
| 2024 Q3 | 2024/09/03 |
| 2024 Q3 | 2024/09/03 | 2024/09/19 | 16 days |

NOTE: Zero-day vulnerabilities, and upstream vulnerabilities disclosed to us under embargo, may necessitate an emergency release with little or no warning.
4 changes: 4 additions & 0 deletions WORKSPACE
Original file line number Diff line number Diff line change
Expand Up @@ -27,3 +27,7 @@ envoy_python_dependencies()
load("//bazel:dependency_imports.bzl", "envoy_dependency_imports")

envoy_dependency_imports()

load("//bazel:dependency_imports_extra.bzl", "envoy_dependency_imports_extra")

envoy_dependency_imports_extra()
18 changes: 9 additions & 9 deletions api/bazel/repository_locations.bzl
Original file line number Diff line number Diff line change
Expand Up @@ -79,9 +79,9 @@ REPOSITORY_LOCATIONS_SPEC = dict(
project_name = "Google APIs",
project_desc = "Public interface definitions of Google APIs",
project_url = "https://github.com/googleapis/googleapis",
version = "114a745b2841a044e98cdbb19358ed29fcf4a5f1",
sha256 = "9b4e0d0a04a217c06b426aefd03b82581a9510ca766d2d1c70e52bb2ad4a0703",
release_date = "2023-01-10",
version = "fd52b5754b2b268bc3a22a10f29844f206abb327",
sha256 = "97fc354dddfd3ea03e7bf2ad74129291ed6fad7ff39d3bd8daec738a3672eb8a",
release_date = "2024-09-16",
strip_prefix = "googleapis-{version}",
urls = ["https://github.com/googleapis/googleapis/archive/{version}.tar.gz"],
use_category = ["api"],
Expand Down Expand Up @@ -144,11 +144,11 @@ REPOSITORY_LOCATIONS_SPEC = dict(
project_name = "buf",
project_desc = "A new way of working with Protocol Buffers.", # Used for breaking change detection in API protobufs
project_url = "https://buf.build",
version = "1.41.0",
sha256 = "47952564762b3f7e248fb70cba1956e68db80242fac3e825ba21eb2632074c93",
version = "1.42.0",
sha256 = "412c8bdc2a4361f796df59735eb8b8f1cb85f7bfa91f443e471bf0b090d7c6c2",
strip_prefix = "buf",
urls = ["https://github.com/bufbuild/buf/releases/download/v{version}/buf-Linux-x86_64.tar.gz"],
release_date = "2024-09-11",
release_date = "2024-09-18",
use_category = ["api"],
license = "Apache-2.0",
license_url = "https://github.com/bufbuild/buf/blob/v{version}/LICENSE",
Expand All @@ -169,11 +169,11 @@ REPOSITORY_LOCATIONS_SPEC = dict(
project_desc = "Common Expression Language -- specification and binary representation",
project_url = "https://github.com/google/cel-spec",
strip_prefix = "cel-spec-{version}",
sha256 = "24fd9b5aa218044f2923b8bcfccbf996eb024f05d1acbe1b27aca554f2720ac6",
version = "0.16.1",
sha256 = "ad735dcea00992c36c7e94a56bceebedad475a01ee63b49c6796c1fcb7b6a41c",
version = "0.16.2",
urls = ["https://github.com/google/cel-spec/archive/v{version}.tar.gz"],
use_category = ["api"],
release_date = "2024-08-28",
release_date = "2024-09-18",
),
envoy_toolshed = dict(
project_name = "envoy_toolshed",
Expand Down
6 changes: 5 additions & 1 deletion api/envoy/config/core/v3/protocol.proto
Original file line number Diff line number Diff line change
Expand Up @@ -56,7 +56,7 @@ message QuicKeepAliveSettings {
}

// QUIC protocol options which apply to both downstream and upstream connections.
// [#next-free-field: 9]
// [#next-free-field: 10]
message QuicProtocolOptions {
// Maximum number of streams that the client can negotiate per connection. 100
// if not specified.
Expand Down Expand Up @@ -111,6 +111,10 @@ message QuicProtocolOptions {
lte {seconds: 600}
gte {seconds: 1}
}];

// Maximum packet length for QUIC connections. It refers to the largest size of a QUIC packet that can be transmitted over the connection.
// If not specified, one of the `default values in QUICHE <https://github.com/google/quiche/blob/main/quiche/quic/core/quic_constants.h>`_ is used.
google.protobuf.UInt64Value max_packet_length = 9;
}

message UpstreamHttpProtocolOptions {
Expand Down
7 changes: 6 additions & 1 deletion api/envoy/config/listener/v3/quic_config.proto
Original file line number Diff line number Diff line change
Expand Up @@ -25,7 +25,7 @@ option (udpa.annotations.file_status).package_version_status = ACTIVE;
// [#protodoc-title: QUIC listener config]

// Configuration specific to the UDP QUIC listener.
// [#next-free-field: 13]
// [#next-free-field: 14]
message QuicProtocolOptions {
option (udpa.annotations.versioning).previous_message_type =
"envoy.api.v2.listener.QuicProtocolOptions";
Expand Down Expand Up @@ -94,4 +94,9 @@ message QuicProtocolOptions {
// If not specified, no cmsg will be saved to QuicReceivedPacket.
repeated core.v3.SocketCmsgHeaders save_cmsg_config = 12
[(validate.rules).repeated = {max_items: 1}];

// If true, the listener will reject connection-establishing packets at the
// QUIC layer by replying with an empty version negotiation packet to the
// client.
bool reject_new_connections = 13;
}
Original file line number Diff line number Diff line change
Expand Up @@ -41,6 +41,12 @@ message BasicAuth {
// If it is not specified, the username will not be forwarded.
string forward_username_header = 2
[(validate.rules).string = {well_known_regex: HTTP_HEADER_NAME strict: false}];

// This field specifies the request header to load the basic credential from.
//
// If it is not specified, the filter loads the credential from the "Authorization" header.
string authentication_header = 3
[(validate.rules).string = {well_known_regex: HTTP_HEADER_NAME strict: false}];
}

// Extra settings that may be added to per-route configuration for
Expand Down
11 changes: 10 additions & 1 deletion api/envoy/extensions/filters/http/ext_proc/v3/ext_proc.proto
Original file line number Diff line number Diff line change
Expand Up @@ -94,7 +94,7 @@ option (udpa.annotations.file_status).package_version_status = ACTIVE;
// <arch_overview_advanced_filter_state_sharing>` object in a namespace matching the filter
// name.
//
// [#next-free-field: 22]
// [#next-free-field: 23]
message ExternalProcessor {
// Describes the route cache action to be taken when an external processor response
// is received in response to request headers.
Expand Down Expand Up @@ -284,6 +284,15 @@ message ExternalProcessor {
// in a single body response message, followed by the remaining body responses.
// In all scenarios, the header-body ordering must always be maintained.
bool send_body_without_waiting_for_header_response = 21;

// When :ref:`allow_mode_override
// <envoy_v3_api_field_extensions.filters.http.ext_proc.v3.ExternalProcessor.allow_mode_override>` is enabled and
// ``allowed_override_modes`` is configured, the filter config :ref:`processing_mode
// <envoy_v3_api_field_extensions.filters.http.ext_proc.v3.ExternalProcessor.processing_mode>`
// can only be overridden by the response message from the external processing server iff the
// :ref:`mode_override <envoy_v3_api_field_service.ext_proc.v3.ProcessingResponse.mode_override>` is allowed by
// the ``allowed_override_modes`` allow-list below.
repeated ProcessingMode allowed_override_modes = 22;
}

// ExtProcHttpService is used for HTTP communication between the filter and the external processing service.
Expand Down
6 changes: 3 additions & 3 deletions api/envoy/extensions/filters/http/jwt_authn/v3/config.proto
Original file line number Diff line number Diff line change
Expand Up @@ -63,9 +63,9 @@ message JwtProvider {
message NormalizePayload {
// Each claim in this list will be interpreted as a space-delimited string
// and converted to a list of strings based on the delimited values.
// Example: a token with a claim ``scopes: "email profile"`` is translated
// to dynamic metadata ``scopes: ["email", "profile"]`` if this field is
// set value ``["scopes"]``. This special handling of ``scopes`` is
// Example: a token with a claim ``scope: "email profile"`` is translated
// to dynamic metadata ``scope: ["email", "profile"]`` if this field is
// set value ``["scope"]``. This special handling of ``scope`` is
// recommended by `RFC8693
// <https://datatracker.ietf.org/doc/html/rfc8693#name-scope-scopes-claim>`_.
repeated string space_delimited_claims = 1;
Expand Down
18 changes: 15 additions & 3 deletions api/envoy/extensions/filters/http/oauth2/v3/oauth.proto
Original file line number Diff line number Diff line change
Expand Up @@ -84,7 +84,7 @@ message OAuth2Credentials {

// OAuth config
//
// [#next-free-field: 19]
// [#next-free-field: 21]
message OAuth2Config {
enum AuthType {
// The ``client_id`` and ``client_secret`` will be sent in the URL encoded request body.
Expand Down Expand Up @@ -125,7 +125,7 @@ message OAuth2Config {
bool forward_bearer_token = 7;

// If set to true, preserve the existing authorization header.
// By default Envoy strips the existing authorization header before forwarding upstream.
// By default the client strips the existing authorization header before forwarding upstream.
// Can not be set to true if forward_bearer_token is already set to true.
// Default value is false.
bool preserve_authorization_header = 16;
Expand Down Expand Up @@ -169,11 +169,23 @@ message OAuth2Config {
// This setting is only considered if ``use_refresh_token`` is set to true, otherwise the authorization server expiration or ``default_expires_in`` is used.
google.protobuf.Duration default_refresh_token_expires_in = 15;

// If set to true, Envoy will not set a cookie for ID Token even if one is received from the Identity Provider. This may be useful in cases where the ID
// If set to true, the client will not set a cookie for ID Token even if one is received from the Identity Provider. This may be useful in cases where the ID
// Token is too large for HTTP cookies (longer than 4096 characters). Enabling this option will only disable setting the cookie response header, the filter
// will still process incoming ID Tokens as part of the HMAC if they are there. This is to ensure compatibility while switching this setting on. Future
// sessions would not set the IdToken cookie header.
bool disable_id_token_set_cookie = 17;

// If set to true, the client will not set a cookie for Access Token even if one is received from the Identity Provider.
// Enabling this option will only disable setting the cookie response header, the filter
// will still process incoming Access Tokens as part of the HMAC if they are there. This is to ensure compatibility while switching this setting on. Future
// sessions would not set the Access Token cookie header.
bool disable_access_token_set_cookie = 19;

// If set to true, the client will not set a cookie for Refresh Token even if one is received from the Identity Provider.
// Enabling this option will only disable setting the cookie response header, the filter
// will still process incoming Refresh Tokens as part of the HMAC if they are there. This is to ensure compatibility while switching this setting on. Future
// sessions would not set the Refresh Token cookie header.
bool disable_refresh_token_set_cookie = 20;
}

// Filter config.
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -684,6 +684,34 @@ message HttpConnectionManager {
// purposes. If unspecified, only RFC1918 IP addresses will be considered internal.
// See the documentation for :ref:`config_http_conn_man_headers_x-envoy-internal` for more
// information about internal/external addresses.
//
// .. warning::
// In the next release, no IP addresses will be considered trusted. If you have tooling such as probes
// on your private network which need to be treated as trusted (e.g. changing arbitrary x-envoy headers)
// you will have to manually include those addresses or CIDR ranges like:
//
// .. validated-code-block:: yaml
// :type-name: envoy.extensions.filters.network.http_connection_manager.v3.InternalAddressConfig
//
// cidr_ranges:
// address_prefix: 10.0.0.0
// prefix_len: 8
// cidr_ranges:
// address_prefix: 192.168.0.0
// prefix_len: 16
// cidr_ranges:
// address_prefix: 172.16.0.0
// prefix_len: 12
// cidr_ranges:
// address_prefix: 127.0.0.1
// prefix_len: 32
// cidr_ranges:
// address_prefix: fd00::
// prefix_len: 8
// cidr_ranges:
// address_prefix: ::1
// prefix_len: 128
//
InternalAddressConfig internal_address_config = 25;

// If set, Envoy will not append the remote address to the
Expand Down
Loading

0 comments on commit 66c6255

Please sign in to comment.