auto-merge envoyproxy/envoy[main] into envoyproxy/envoy-openssl[main]

* upstream/main: (29 commits)
  OAuth2: add a nonce to the state parameter (#35919)
  contrib: upgrade go version to 1.23 (#36149)
  router: removing an exception (#35605)
  repo: Sync version histories (#36157)
  release/ci: Dont run on tags (#36146)
  release/ci: Skip build tests on publishing run (#36145)
  quic: batch packet testing (#36061)
  mobile: Make Android proxy tests hermetic (#36129)
  threads: Improve PosixThreadFactory method signatures (#36103)
  proxy_filter: Fix the CONNECT implementation when the hostname contains a port number (#36072)
  docker/release: Bump Ubuntu image -> adbb901 (#36097)
  vpp: Additional fix for build file mangling (#36120)
  [Geoip+ci] Fix flaky release check in ci (#36118)
  build(deps): update envoyproxy/toolshed requirement to actions-v0.2.35 (#36111)
  coverage: Adjust the coverage threshold for common/posix (#36108)
  [mobile]Configure fallback resolver for cares (#36078)
  Update QUICHE from e94fbe61a to 9808dac40 (#36098)
  mobile: Enable setting the Platform Cert Validator thread priority (#36104)
  repo/sync: Use release branch (not main) for openssl sync (#36101)
  repo/sync: Fix bad workflow condition (#36100)
  ...

.azure-pipelines/pipelines.yml

@@ -3,9 +3,6 @@ trigger:
     include:
     - "main"
     - "release/v*"
-  tags:
-    include:
-    - "v*"
 
 
 # PR build config is manually overridden in Azure pipelines UI with different secrets

.azure-pipelines/stages.yml

@@ -63,6 +63,7 @@ stages:
       authGPGPath: $(MaintainerGPGKey.secureFilePath)
       bucketGCP: $(GcsArtifactBucket)
       publishGithubRelease: variables['PUBLISH_GITHUB_RELEASE']
+      runBuild: stageDependencies.env.repo.outputs['run.releaseTests']
       runPrechecks: stageDependencies.env.repo.outputs['run.releaseTests']
 
 - stage: check

.github/workflows/envoy-sync.yml

@@ -7,6 +7,8 @@ on:
   push:
     branches:
     - main
+    - release/v1.28
+    - release/v1.31
   workflow_dispatch:
 
 concurrency:
@@ -19,6 +21,7 @@ jobs:
     if: >-
       ${{
           github.repository == 'envoyproxy/envoy'
+          && (github.ref_name == 'main')
           && (github.event.push
               || !contains(github.actor, '[bot]'))
       }}
@@ -42,3 +45,32 @@ jobs:
         ref: main
         token: ${{ steps.appauth.outputs.token }}
         workflow: envoy-sync.yaml
+
+  sync-release:
+    runs-on: ubuntu-22.04
+    if: >-
+      ${{
+          github.repository == 'envoyproxy/envoy'
+          && contains(fromJSON('["main", "release/v1.28", "release/v1.31"]'), github.ref_name)
+          && (github.event.push
+              || !contains(github.actor, '[bot]'))
+      }}
+    strategy:
+      fail-fast: false
+      matrix:
+        downstream:
+        - envoy-openssl
+    steps:
+    - uses: envoyproxy/toolshed/gh-actions/appauth@actions-v0.2.35
+      id: appauth
+      with:
+        app_id: ${{ secrets.ENVOY_CI_SYNC_APP_ID }}
+        key: ${{ secrets.ENVOY_CI_SYNC_APP_KEY }}
+    - uses: envoyproxy/toolshed/gh-actions/dispatch@actions-v0.2.35
+      with:
+        repository: "envoyproxy/${{ matrix.downstream }}"
+        ref: release/v1.28
+        token: ${{ steps.appauth.outputs.token }}
+        workflow: envoy-sync-receive.yaml
+        inputs: |
+          branch: ${{ github.ref_name }}

api/BUILD

@@ -382,6 +382,7 @@ proto_library(
     visibility = ["//visibility:public"],
     deps = [
         "@com_github_cncf_xds//xds/core/v3:pkg",
+        "@com_github_cncf_xds//xds/data/orca/v3:pkg",
         "@com_github_cncf_xds//xds/type/matcher/v3:pkg",
         "@com_github_cncf_xds//xds/type/v3:pkg",
     ],

api/bazel/repository_locations.bzl

@@ -52,9 +52,9 @@ REPOSITORY_LOCATIONS_SPEC = dict(
         project_desc = "xDS API Working Group (xDS-WG)",
         project_url = "https://github.com/cncf/xds",
         # During the UDPA -> xDS migration, we aren't working with releases.
-        version = "555b57ec207be86f811fb0c04752db6f85e3d7e2",
-        sha256 = "0c8c4f0f67fed967b51049f7d5e2ca7a9bd433970a29c88e272c8665328172f5",
-        release_date = "2024-04-23",
+        version = "b4127c9b8d78b77423fd25169f05b7476b6ea932",
+        sha256 = "aa5f1596bbef3f277dcf4700e4c1097b34301ae66f3b79cd731e3adfbaff2f8f",
+        release_date = "2024-09-05",
         strip_prefix = "xds-{version}",
         urls = ["https://github.com/cncf/xds/archive/{version}.tar.gz"],
         use_category = ["api"],

api/envoy/config/cluster/v3/cluster.proto

@@ -1162,14 +1162,13 @@ message Cluster {
   // from the LRS stream here.]
   core.v3.ConfigSource lrs_server = 42;
 
-  // [#not-implemented-hide:]
-  // A list of metric names from ORCA load reports to propagate to LRS.
+  // A list of metric names from :ref:`ORCA load reports <envoy_v3_api_msg_.xds.data.orca.v3.OrcaLoadReport>` to propagate to LRS.
   //
   // If not specified, then ORCA load reports will not be propagated to LRS.
   //
   // For map fields in the ORCA proto, the string will be of the form ``<map_field_name>.<map_key>``.
   // For example, the string ``named_metrics.foo`` will mean to look for the key ``foo`` in the ORCA
-  // ``named_metrics`` field.
+  // :ref:`named_metrics <envoy_v3_api_field_.xds.data.orca.v3.OrcaLoadReport.named_metrics>` field.
   //
   // The special map key ``*`` means to report all entries in the map (e.g., ``named_metrics.*`` means to
   // report all entries in the ORCA named_metrics field). Note that this should be used only with trusted

api/envoy/extensions/filters/http/ext_authz/v3/ext_authz.proto

@@ -30,7 +30,7 @@ option (udpa.annotations.file_status).package_version_status = ACTIVE;
 // External Authorization :ref:`configuration overview <config_http_filters_ext_authz>`.
 // [#extension: envoy.filters.http.ext_authz]
 
-// [#next-free-field: 29]
+// [#next-free-field: 30]
 message ExtAuthz {
   option (udpa.annotations.versioning).previous_message_type =
       "envoy.config.filter.http.ext_authz.v3.ExtAuthz";
@@ -296,6 +296,17 @@ message ExtAuthz {
   // added to StreamInfo's filter state under the namespace corresponding to the ext_authz filter
   // name.
   google.protobuf.Struct filter_metadata = 28;
+
+  // When set to true, the filter will emit per-stream stats for access logging. The filter state
+  // key will be the same as the filter name.
+  //
+  // If using Envoy GRPC, emits latency, bytes sent / received, upstream info, and upstream cluster
+  // info. If not using Envoy GRPC, emits only latency. Note that stats are ONLY added to filter
+  // state if a check request is actually made to an ext_authz service.
+  //
+  // If this is false the filter will not emit stats, but filter_metadata will still be respected if
+  // it has a value.
+  bool emit_filter_state_stats = 29;
 }
 
 // Configuration for buffering the request data.

api/envoy/extensions/filters/http/oauth2/v3/oauth.proto

@@ -27,7 +27,7 @@ option (udpa.annotations.file_status).package_version_status = ACTIVE;
 
 // [#next-free-field: 6]
 message OAuth2Credentials {
-  // [#next-free-field: 6]
+  // [#next-free-field: 7]
   message CookieNames {
     // Cookie name to hold OAuth bearer token value. When the authentication server validates the
     // client and returns an authorization token back to the OAuth filter, no matter what format
@@ -52,6 +52,10 @@ message OAuth2Credentials {
     // Cookie name to hold the refresh token. Defaults to ``RefreshToken``.
     string refresh_token = 5
         [(validate.rules).string = {well_known_regex: HTTP_HEADER_NAME ignore_empty: true}];
+
+    // Cookie name to hold the nonce value. Defaults to ``OauthNonce``.
+    string oauth_nonce = 6
+        [(validate.rules).string = {well_known_regex: HTTP_HEADER_NAME ignore_empty: true}];
   }
 
   // The client_id to be used in the authorize calls. This value will be URL encoded when sent to the OAuth server.

bazel/dependency_imports.bzl

@@ -18,7 +18,7 @@ load("@rules_rust//rust:defs.bzl", "rust_common")
 load("@rules_rust//rust:repositories.bzl", "rules_rust_dependencies", "rust_register_toolchains", "rust_repository_set")
 
 # go version for rules_go
-GO_VERSION = "1.22.5"
+GO_VERSION = "1.23.1"
 
 JQ_VERSION = "1.7"
 YQ_VERSION = "4.24.4"

bazel/repository_locations.bzl

@@ -948,13 +948,13 @@ REPOSITORY_LOCATIONS_SPEC = dict(
         project_name = "grpc-httpjson-transcoding",
         project_desc = "Library that supports transcoding so that HTTP/JSON can be converted to gRPC",
         project_url = "https://github.com/grpc-ecosystem/grpc-httpjson-transcoding",
-        version = "ff41eb3fc9209e6197595b54f7addfa244c0bdb6",
-        sha256 = "dea66b3d2dfc150373697e25b1327877e0b7480dc2bacfff1e3fd7aa00b12790",
+        version = "20e58e7ef9c3878ae9fc89123b9aba36d6f98a7f",
+        sha256 = "2f0ea248c59f51e5376f23590a986813b96076531ffe27a805f7a37407a81a87",
         strip_prefix = "grpc-httpjson-transcoding-{version}",
         urls = ["https://github.com/grpc-ecosystem/grpc-httpjson-transcoding/archive/{version}.tar.gz"],
         use_category = ["dataplane_ext"],
         extensions = ["envoy.filters.http.grpc_json_transcoder", "envoy.filters.http.grpc_field_extraction", "envoy.filters.http.proto_message_extraction"],
-        release_date = "2023-06-07",
+        release_date = "2024-08-30",
         cpe = "N/A",
         license = "Apache-2.0",
         license_url = "https://github.com/grpc-ecosystem/grpc-httpjson-transcoding/blob/{version}/LICENSE",
@@ -1208,12 +1208,12 @@ REPOSITORY_LOCATIONS_SPEC = dict(
         project_name = "QUICHE",
         project_desc = "QUICHE (QUIC, HTTP/2, Etc) is Google‘s implementation of QUIC and related protocols",
         project_url = "https://github.com/google/quiche",
-        version = "e94fbe61aae27c2587fe5c1ff0141ac7b2cacb30",
-        sha256 = "ef31887f0bd3542a9f266cd50a38bbe65022653439994675486c473e3b56dcfd",
+        version = "9808dac40e034f09d7af53d3d79589a02e39c211",
+        sha256 = "b59e6e5b9b249a8d0cb521851d54a09ac74d2beb01a233498a006f75c86c9b76",
         urls = ["https://github.com/google/quiche/archive/{version}.tar.gz"],
         strip_prefix = "quiche-{version}",
         use_category = ["controlplane", "dataplane_core"],
-        release_date = "2024-09-05",
+        release_date = "2024-09-10",
         cpe = "N/A",
         license = "BSD-3-Clause",
         license_url = "https://github.com/google/quiche/blob/{version}/LICENSE",

changelogs/1.28.6.yaml

@@ -0,0 +1,9 @@
+date: September 13, 2024
+
+bug_fixes:
+- area: stateful_session
+  change: |
+    Support 0 TTL for proto-encoded cookies, which disables cookie expiration by Envoy.
+- area: dependencies
+  change: |
+    Update curl to mitigate CVE-2024-7264.

changelogs/1.29.8.yaml

@@ -0,0 +1,9 @@
+date: September 14, 2024
+
+bug_fixes:
+- area: stateful_session
+  change: |
+    Support 0 TTL for proto-encoded cookies, which disables cookie expiration by Envoy.
+- area: dependencies
+  change: |
+    Update curl to mitigate CVE-2024-7264.

changelogs/1.30.5.yaml

@@ -0,0 +1,6 @@
+date: September 14, 2024
+
+bug_fixes:
+- area: dependencies
+  change: |
+    Update curl to mitigate CVE-2024-7264.

changelogs/1.31.1.yaml

@@ -0,0 +1,15 @@
+date: September 14, 2024
+
+bug_fixes:
+- area: c-ares
+  change: |
+    Applying a C-ares patch to fix DNS resoultion by the Google gRPC library.
+- area: dependencies
+  change: |
+    Update curl to mitigate CVE-2024-7264.
+
+new_features:
+- area: access_log
+  change: |
+    added %UPSTREAM_CLUSTER_RAW% access log formatter to log the original upstream cluster name, regadless of whether
+    ``alt_stat_name`` is set.

changelogs/current.yaml

@@ -128,6 +128,11 @@ bug_fixes:
     the number of requests per I/O cycle is configured and an HTTP decoder filter that pauses filter chain is present. This behavior
     can be reverted by setting the runtime guard ``envoy.reloadable_features.use_filter_manager_state_for_downstream_end_stream``
     to false.
+- area: proxy_filter
+  change: |
+    Fixed a bug in the ``CONNECT`` implementation that would cause the ``CONNECT`` request created to be invalid when the
+    hostname contains a port number. When the port number is not specified, the port 443 will be automatically added.
+    This behavior can be reverted by setting the runtime guard ``envoy.reloadable_features.proxy_ssl_port`` to ``false``.
 - area: runtime
   change: |
     Fixed an inconsistency in how boolean values are loaded in RTDS, where they were previously converted to "1"/"0"
@@ -191,6 +196,9 @@ removed_config_or_runtime:
 - area: dynamic forward proxy
   change: |
     Removed ``envoy.reloadable_features.normalize_host_for_preresolve_dfp_dns`` runtime flag and legacy code paths.
+- area: http
+  change: |
+    Removed the ``envoy.reloadable_features.http2_validate_authority_with_quiche`` runtime flag and its legacy code paths.
 - area: http
   change: |
     Removed ``envoy.reloadable_features.use_http3_header_normalisation`` runtime flag and legacy code paths.
@@ -252,6 +260,8 @@ new_features:
     the auth server when a connection fails to be established.
     Added :ref:`cookie_domain <envoy_v3_api_field_extensions.filters.http.oauth2.v3.OAuth2Credentials.cookie_domain>`
     field to OAuth2 filter to allow setting the domain of cookies.
+    Added a nonce to the state parameter in the authorization request to mitigate CSRF attacks. The nonce is generated by the
+    OAuth2 filter and stored in a cookie. This feature is enabled by defaut starting from this release.
 - area: access log
   change: |
     Added support for :ref:`%DOWNSTREAM_PEER_CHAIN_FINGERPRINTS_1% <config_access_log_format_response_flags>`,
@@ -284,6 +294,10 @@ new_features:
   change: |
     Added :ref:`delay_deny <envoy_v3_api_msg_extensions.filters.network.rbac.v3.RBAC>` to support deny connection after
     the configured duration.
+- area: ext_authz
+  change: |
+    Added :ref:`emit_filter_state_stats <envoy_v3_api_field_extensions.filters.http.ext_authz.v3.ExtAuthz.emit_filter_state_stats>`
+    which when true enables filter state stats for access logging.
 - area: extension_discovery_service
   change: |
     added ECDS support for :ref:`UDP session filters

ci/Dockerfile-envoy

@@ -1,5 +1,5 @@
 ARG BUILD_OS=ubuntu
-ARG BUILD_TAG=22.04@sha256:340d9b015b194dc6e2a13938944e0d016e57b9679963fdeb9ce021daac430221
+ARG BUILD_TAG=22.04@sha256:adbb90115a21969d2fe6fa7f9af4253e16d45f8d4c1e930182610c4731962658
 ARG ENVOY_VRP_BASE_IMAGE=envoy-base
 
 

contrib/golang/filters/http/test/test_data/access_log/go.mod

@@ -1,6 +1,6 @@
 module example.com/access_log
 
-go 1.20
+go 1.23
 
 require github.com/envoyproxy/envoy v1.24.0
 

contrib/golang/filters/http/test/test_data/action/go.mod

@@ -1,6 +1,6 @@
 module example.com/action
 
-go 1.20
+go 1.23
 
 require github.com/envoyproxy/envoy v1.24.0
 

contrib/golang/filters/http/test/test_data/basic/go.mod

@@ -1,6 +1,6 @@
 module example.com/basic
 
-go 1.20
+go 1.23
 
 require github.com/envoyproxy/envoy v1.24.0
 

contrib/golang/filters/http/test/test_data/buffer/go.mod

@@ -1,6 +1,6 @@
 module example.com/buffer
 
-go 1.20
+go 1.23
 
 require (
 	github.com/envoyproxy/envoy v1.24.0

contrib/golang/filters/http/test/test_data/dummy/go.mod

@@ -1,6 +1,6 @@
 module example.com/dummy
 
-go 1.20
+go 1.23
 
 require github.com/envoyproxy/envoy v1.24.0
 

contrib/golang/filters/http/test/test_data/echo/go.mod

@@ -1,6 +1,6 @@
 module example.com/echo
 
-go 1.20
+go 1.23
 
 require (
 	github.com/cncf/xds/go v0.0.0-20231128003011-0fa0005c9caa

contrib/golang/filters/http/test/test_data/metric/go.mod

@@ -1,6 +1,6 @@
 module example.com/basic
 
-go 1.20
+go 1.23
 
 require github.com/envoyproxy/envoy v1.24.0
 

contrib/golang/filters/http/test/test_data/passthrough/go.mod

@@ -1,6 +1,6 @@
 module example.com/passthrough
 
-go 1.20
+go 1.23
 
 require github.com/envoyproxy/envoy v1.24.0
 

contrib/golang/filters/http/test/test_data/property/go.mod

@@ -1,6 +1,6 @@
 module example.com/property
 
-go 1.20
+go 1.23
 
 require (
 	github.com/envoyproxy/envoy v1.24.0

contrib/golang/filters/http/test/test_data/routeconfig/go.mod

@@ -1,6 +1,6 @@
 module example.com/routeconfig
 
-go 1.20
+go 1.23
 
 require (
 	github.com/cncf/xds/go v0.0.0-20231128003011-0fa0005c9caa

contrib/golang/filters/http/test/test_data/websocket/go.mod

@@ -1,6 +1,6 @@
 module example.com/websocket
 
-go 1.20
+go 1.23
 
 require github.com/envoyproxy/envoy v1.24.0
 

contrib/golang/filters/network/test/test_data/go.mod

@@ -1,6 +1,6 @@
 module github.com/envoyproxy/envoy/contrib/golang/filters/network/test/test_data
 
-go 1.18
+go 1.23
 
 require github.com/envoyproxy/envoy v1.24.0
 

contrib/golang/router/cluster_specifier/test/test_data/simple/go.mod

@@ -1,6 +1,6 @@
 module example.com/routeconfig
 
-go 1.18
+go 1.23
 
 require (
 	github.com/cncf/xds/go v0.0.0-20231128003011-0fa0005c9caa