auto-merge envoyproxy/envoy[main] into envoyproxy/envoy-openssl[main]

* upstream/main: (21 commits)
  threads: Improve PosixThreadFactory method signatures (#36103)
  proxy_filter: Fix the CONNECT implementation when the hostname contains a port number (#36072)
  docker/release: Bump Ubuntu image -> adbb901 (#36097)
  vpp: Additional fix for build file mangling (#36120)
  [Geoip+ci] Fix flaky release check in ci (#36118)
  build(deps): update envoyproxy/toolshed requirement to actions-v0.2.35 (#36111)
  coverage: Adjust the coverage threshold for common/posix (#36108)
  [mobile]Configure fallback resolver for cares (#36078)
  Update QUICHE from e94fbe61a to 9808dac40 (#36098)
  mobile: Enable setting the Platform Cert Validator thread priority (#36104)
  repo/sync: Use release branch (not main) for openssl sync (#36101)
  repo/sync: Fix bad workflow condition (#36100)
  repo: Sync openssl project on push to `main` or `release/v1.28/31` (#34319)
  Followup changes for `OrcaLoadReport` handling in `Router::Filter`. (#35952)
  mobile: Fix flaky ClientIntegrationTest (#36077)
  ext_authz: add logging options (#35698)
  Mark http.grpc_stats and transport_sockets.tcp_stats as stable (#36071)
  http: remove envoy_reloadable_features_http2_validate_authority_with_quiche (#36009)
  threads: Adds the ability to set a thread priority on newly-created threads (#36019)
  redis_proxy: Fix #35983 - External Authentication should respect pipelining (#35988)
  ...

.github/workflows/envoy-sync.yml

@@ -7,6 +7,8 @@ on:
   push:
     branches:
     - main
+    - release/v1.28
+    - release/v1.31
   workflow_dispatch:
 
 concurrency:
@@ -19,6 +21,7 @@ jobs:
     if: >-
       ${{
           github.repository == 'envoyproxy/envoy'
+          && (github.ref_name == 'main')
           && (github.event.push
               || !contains(github.actor, '[bot]'))
       }}
@@ -42,3 +45,32 @@ jobs:
         ref: main
         token: ${{ steps.appauth.outputs.token }}
         workflow: envoy-sync.yaml
+
+  sync-release:
+    runs-on: ubuntu-22.04
+    if: >-
+      ${{
+          github.repository == 'envoyproxy/envoy'
+          && contains(fromJSON('["main", "release/v1.28", "release/v1.31"]'), github.ref_name)
+          && (github.event.push
+              || !contains(github.actor, '[bot]'))
+      }}
+    strategy:
+      fail-fast: false
+      matrix:
+        downstream:
+        - envoy-openssl
+    steps:
+    - uses: envoyproxy/toolshed/gh-actions/appauth@actions-v0.2.35
+      id: appauth
+      with:
+        app_id: ${{ secrets.ENVOY_CI_SYNC_APP_ID }}
+        key: ${{ secrets.ENVOY_CI_SYNC_APP_KEY }}
+    - uses: envoyproxy/toolshed/gh-actions/dispatch@actions-v0.2.35
+      with:
+        repository: "envoyproxy/${{ matrix.downstream }}"
+        ref: release/v1.28
+        token: ${{ steps.appauth.outputs.token }}
+        workflow: envoy-sync-receive.yaml
+        inputs: |
+          branch: ${{ github.ref_name }}

api/BUILD

@@ -382,6 +382,7 @@ proto_library(
     visibility = ["//visibility:public"],
     deps = [
         "@com_github_cncf_xds//xds/core/v3:pkg",
+        "@com_github_cncf_xds//xds/data/orca/v3:pkg",
         "@com_github_cncf_xds//xds/type/matcher/v3:pkg",
         "@com_github_cncf_xds//xds/type/v3:pkg",
     ],

api/bazel/repository_locations.bzl

@@ -52,9 +52,9 @@ REPOSITORY_LOCATIONS_SPEC = dict(
         project_desc = "xDS API Working Group (xDS-WG)",
         project_url = "https://github.com/cncf/xds",
         # During the UDPA -> xDS migration, we aren't working with releases.
-        version = "555b57ec207be86f811fb0c04752db6f85e3d7e2",
-        sha256 = "0c8c4f0f67fed967b51049f7d5e2ca7a9bd433970a29c88e272c8665328172f5",
-        release_date = "2024-04-23",
+        version = "b4127c9b8d78b77423fd25169f05b7476b6ea932",
+        sha256 = "aa5f1596bbef3f277dcf4700e4c1097b34301ae66f3b79cd731e3adfbaff2f8f",
+        release_date = "2024-09-05",
         strip_prefix = "xds-{version}",
         urls = ["https://github.com/cncf/xds/archive/{version}.tar.gz"],
         use_category = ["api"],

api/envoy/config/cluster/v3/cluster.proto

@@ -1162,14 +1162,13 @@ message Cluster {
   // from the LRS stream here.]
   core.v3.ConfigSource lrs_server = 42;
 
-  // [#not-implemented-hide:]
-  // A list of metric names from ORCA load reports to propagate to LRS.
+  // A list of metric names from :ref:`ORCA load reports <envoy_v3_api_msg_.xds.data.orca.v3.OrcaLoadReport>` to propagate to LRS.
   //
   // If not specified, then ORCA load reports will not be propagated to LRS.
   //
   // For map fields in the ORCA proto, the string will be of the form ``<map_field_name>.<map_key>``.
   // For example, the string ``named_metrics.foo`` will mean to look for the key ``foo`` in the ORCA
-  // ``named_metrics`` field.
+  // :ref:`named_metrics <envoy_v3_api_field_.xds.data.orca.v3.OrcaLoadReport.named_metrics>` field.
   //
   // The special map key ``*`` means to report all entries in the map (e.g., ``named_metrics.*`` means to
   // report all entries in the ORCA named_metrics field). Note that this should be used only with trusted

api/envoy/extensions/filters/http/ext_authz/v3/ext_authz.proto

@@ -30,7 +30,7 @@ option (udpa.annotations.file_status).package_version_status = ACTIVE;
 // External Authorization :ref:`configuration overview <config_http_filters_ext_authz>`.
 // [#extension: envoy.filters.http.ext_authz]
 
-// [#next-free-field: 29]
+// [#next-free-field: 30]
 message ExtAuthz {
   option (udpa.annotations.versioning).previous_message_type =
       "envoy.config.filter.http.ext_authz.v3.ExtAuthz";
@@ -296,6 +296,17 @@ message ExtAuthz {
   // added to StreamInfo's filter state under the namespace corresponding to the ext_authz filter
   // name.
   google.protobuf.Struct filter_metadata = 28;
+
+  // When set to true, the filter will emit per-stream stats for access logging. The filter state
+  // key will be the same as the filter name.
+  //
+  // If using Envoy GRPC, emits latency, bytes sent / received, upstream info, and upstream cluster
+  // info. If not using Envoy GRPC, emits only latency. Note that stats are ONLY added to filter
+  // state if a check request is actually made to an ext_authz service.
+  //
+  // If this is false the filter will not emit stats, but filter_metadata will still be respected if
+  // it has a value.
+  bool emit_filter_state_stats = 29;
 }
 
 // Configuration for buffering the request data.

bazel/repository_locations.bzl

@@ -948,13 +948,13 @@ REPOSITORY_LOCATIONS_SPEC = dict(
         project_name = "grpc-httpjson-transcoding",
         project_desc = "Library that supports transcoding so that HTTP/JSON can be converted to gRPC",
         project_url = "https://github.com/grpc-ecosystem/grpc-httpjson-transcoding",
-        version = "ff41eb3fc9209e6197595b54f7addfa244c0bdb6",
-        sha256 = "dea66b3d2dfc150373697e25b1327877e0b7480dc2bacfff1e3fd7aa00b12790",
+        version = "20e58e7ef9c3878ae9fc89123b9aba36d6f98a7f",
+        sha256 = "2f0ea248c59f51e5376f23590a986813b96076531ffe27a805f7a37407a81a87",
         strip_prefix = "grpc-httpjson-transcoding-{version}",
         urls = ["https://github.com/grpc-ecosystem/grpc-httpjson-transcoding/archive/{version}.tar.gz"],
         use_category = ["dataplane_ext"],
         extensions = ["envoy.filters.http.grpc_json_transcoder", "envoy.filters.http.grpc_field_extraction", "envoy.filters.http.proto_message_extraction"],
-        release_date = "2023-06-07",
+        release_date = "2024-08-30",
         cpe = "N/A",
         license = "Apache-2.0",
         license_url = "https://github.com/grpc-ecosystem/grpc-httpjson-transcoding/blob/{version}/LICENSE",
@@ -1208,12 +1208,12 @@ REPOSITORY_LOCATIONS_SPEC = dict(
         project_name = "QUICHE",
         project_desc = "QUICHE (QUIC, HTTP/2, Etc) is Google‘s implementation of QUIC and related protocols",
         project_url = "https://github.com/google/quiche",
-        version = "e94fbe61aae27c2587fe5c1ff0141ac7b2cacb30",
-        sha256 = "ef31887f0bd3542a9f266cd50a38bbe65022653439994675486c473e3b56dcfd",
+        version = "9808dac40e034f09d7af53d3d79589a02e39c211",
+        sha256 = "b59e6e5b9b249a8d0cb521851d54a09ac74d2beb01a233498a006f75c86c9b76",
         urls = ["https://github.com/google/quiche/archive/{version}.tar.gz"],
         strip_prefix = "quiche-{version}",
         use_category = ["controlplane", "dataplane_core"],
-        release_date = "2024-09-05",
+        release_date = "2024-09-10",
         cpe = "N/A",
         license = "BSD-3-Clause",
         license_url = "https://github.com/google/quiche/blob/{version}/LICENSE",

changelogs/current.yaml

@@ -128,6 +128,11 @@ bug_fixes:
     the number of requests per I/O cycle is configured and an HTTP decoder filter that pauses filter chain is present. This behavior
     can be reverted by setting the runtime guard ``envoy.reloadable_features.use_filter_manager_state_for_downstream_end_stream``
     to false.
+- area: proxy_filter
+  change: |
+    Fixed a bug in the ``CONNECT`` implementation that would cause the ``CONNECT`` request created to be invalid when the
+    hostname contains a port number. When the port number is not specified, the port 443 will be automatically added.
+    This behavior can be reverted by setting the runtime guard ``envoy.reloadable_features.proxy_ssl_port`` to ``false``.
 - area: runtime
   change: |
     Fixed an inconsistency in how boolean values are loaded in RTDS, where they were previously converted to "1"/"0"
@@ -191,6 +196,9 @@ removed_config_or_runtime:
 - area: dynamic forward proxy
   change: |
     Removed ``envoy.reloadable_features.normalize_host_for_preresolve_dfp_dns`` runtime flag and legacy code paths.
+- area: http
+  change: |
+    Removed the ``envoy.reloadable_features.http2_validate_authority_with_quiche`` runtime flag and its legacy code paths.
 - area: http
   change: |
     Removed ``envoy.reloadable_features.use_http3_header_normalisation`` runtime flag and legacy code paths.
@@ -284,6 +292,10 @@ new_features:
   change: |
     Added :ref:`delay_deny <envoy_v3_api_msg_extensions.filters.network.rbac.v3.RBAC>` to support deny connection after
     the configured duration.
+- area: ext_authz
+  change: |
+    Added :ref:`emit_filter_state_stats <envoy_v3_api_field_extensions.filters.http.ext_authz.v3.ExtAuthz.emit_filter_state_stats>`
+    which when true enables filter state stats for access logging.
 - area: extension_discovery_service
   change: |
     added ECDS support for :ref:`UDP session filters

ci/Dockerfile-envoy

@@ -1,5 +1,5 @@
 ARG BUILD_OS=ubuntu
-ARG BUILD_TAG=22.04@sha256:340d9b015b194dc6e2a13938944e0d016e57b9679963fdeb9ce021daac430221
+ARG BUILD_TAG=22.04@sha256:adbb90115a21969d2fe6fa7f9af4253e16d45f8d4c1e930182610c4731962658
 ARG ENVOY_VRP_BASE_IMAGE=envoy-base
 
 

contrib/vcl/source/BUILD

@@ -80,10 +80,8 @@ genrule(
         "external/vppcom.h",
     ],
     cmd = """
-        EXTERNAL_DIR=$$(dirname $(location external/libsvm.a)) \
-        && mkdir -p $$EXTERNAL_DIR \
-        && find . -name "*.a" | xargs -I{} cp -a {} $$EXTERNAL_DIR \
-        && find . -name "vppcom.h" | xargs -I{} cp -a {} $$EXTERNAL_DIR
+        find . -name "*.a" | grep -v copy_build | xargs -I{} cp -a {} $(RULEDIR)/external \
+        && find . -name "vppcom.h" | grep -v copy_build | xargs -I{} cp -a {} $(RULEDIR)/external
     """,
     tools = [":build"],
 )

docs/root/api-v3/common_messages/common_messages_xds.rst

@@ -24,3 +24,4 @@ Common messages (XDS)
   ../../xds/core/v3/resource_locator.proto
   ../../xds/core/v3/resource_name.proto
   ../../xds/type/v3/typed_struct.proto
+  ../../xds/data/orca/v3/orca_load_report.proto

envoy/grpc/async_client.h

@@ -29,6 +29,11 @@ class AsyncRequest {
    * Signals that the request should be cancelled. No further callbacks will be invoked.
    */
   virtual void cancel() PURE;
+
+  /**
+   * Returns the underlying stream info.
+   */
+  virtual const StreamInfo::StreamInfo& streamInfo() const PURE;
 };
 
 /**

envoy/thread/thread.h

@@ -55,7 +55,16 @@ using ThreadPtr = std::unique_ptr<Thread>;
 
 // Options specified during thread creation.
 struct Options {
-  std::string name_; // A name supplied for the thread. On Linux this is limited to 15 chars.
+  // A name supplied for the thread. On Linux this is limited to 15 chars.
+  std::string name_;
+  // An optional thread priority for the thread. The value will mean different things on different
+  // platforms. For example, on Linux or Android, the values can range from -20 to 19. On Apple
+  // platforms, the value can range from 1 to 100, which is used to divide by 100 to get a [0,1]
+  // value that can be used on Apple's NSThread.setThreadPriority method.
+  //
+  // If no value is set, the thread will be created with the default thread priority for the
+  // platform.
+  absl::optional<int> priority_{absl::nullopt};
 };
 
 using OptionsOptConstRef = const absl::optional<Options>&;
@@ -79,7 +88,7 @@ class ThreadFactory {
   /**
    * Return the current system thread ID
    */
-  virtual ThreadId currentThreadId() PURE;
+  virtual ThreadId currentThreadId() const PURE;
 };
 
 using ThreadFactoryPtr = std::unique_ptr<ThreadFactory>;

mobile/library/cc/engine_builder.cc

@@ -56,6 +56,11 @@ EngineBuilder& EngineBuilder::setUseCares(bool use_cares) {
   use_cares_ = use_cares;
   return *this;
 }
+
+EngineBuilder& EngineBuilder::addCaresFallbackResolver(std::string host, int port) {
+  cares_fallback_resolvers_.emplace_back(std::move(host), port);
+  return *this;
+}
 #endif
 EngineBuilder& EngineBuilder::setLogLevel(Logger::Logger::Levels log_level) {
   log_level_ = log_level;
@@ -491,6 +496,14 @@ std::unique_ptr<envoy::config::bootstrap::v3::Bootstrap> EngineBuilder::generate
 #else
   if (use_cares_) {
     envoy::extensions::network::dns_resolver::cares::v3::CaresDnsResolverConfig resolver_config;
+    if (!cares_fallback_resolvers_.empty()) {
+      for (const auto& [host, port] : cares_fallback_resolvers_) {
+        auto* address = resolver_config.add_resolvers();
+        address->mutable_socket_address()->set_address(host);
+        address->mutable_socket_address()->set_port_value(port);
+      }
+      resolver_config.set_use_resolvers_as_fallback(true);
+    }
     dns_cache_config->mutable_typed_dns_resolver_config()->set_name(
         "envoy.network.dns_resolver.cares");
     dns_cache_config->mutable_typed_dns_resolver_config()->mutable_typed_config()->PackFrom(
@@ -554,6 +567,9 @@ std::unique_ptr<envoy::config::bootstrap::v3::Bootstrap> EngineBuilder::generate
   if (platform_certificates_validation_on_) {
     envoy_mobile::extensions::cert_validator::platform_bridge::PlatformBridgeCertValidator
         validator;
+    if (network_thread_priority_.has_value()) {
+      validator.mutable_thread_priority()->set_value(*network_thread_priority_);
+    }
     validation->mutable_custom_validator_config()->set_name(
         "envoy_mobile.cert_validator.platform_bridge_cert_validator");
     validation->mutable_custom_validator_config()->mutable_typed_config()->PackFrom(validator);

mobile/library/cc/engine_builder.h

@@ -114,6 +114,7 @@ class EngineBuilder {
 #else
   // Only android supports c_ares
   EngineBuilder& setUseCares(bool use_cares);
+  EngineBuilder& addCaresFallbackResolver(std::string host, int port);
 #endif
 
   // This is separated from build() for the sake of testability
@@ -169,6 +170,7 @@ class EngineBuilder {
   bool enable_http3_ = true;
 #if !defined(__APPLE__)
   bool use_cares_ = false;
+  std::vector<std::pair<std::string, int>> cares_fallback_resolvers_;
 #endif
   std::string http3_connection_options_ = "";
   std::string http3_client_connection_options_ = "";

mobile/library/common/extensions/cert_validator/platform_bridge/BUILD

@@ -38,6 +38,7 @@ envoy_cc_library(
         "@envoy//envoy/thread:thread_interface",
         "@envoy//source/common/common:macros",
         "@envoy//source/common/common:thread_impl_lib_posix",
+        "@envoy//source/common/config:utility_lib",
         "@envoy//source/common/tls/cert_validator:cert_validator_lib",
     ],
 )

mobile/library/common/extensions/cert_validator/platform_bridge/platform_bridge.proto

@@ -2,5 +2,15 @@ syntax = "proto3";
 
 package envoy_mobile.extensions.cert_validator.platform_bridge;
 
+import "google/protobuf/wrappers.proto";
+
+// Configuration for the platform bridge cert validator.
 message PlatformBridgeCertValidator {
+  // The thread priority that will be set on the thread that is created to execute platform cert
+  // validation. The exact values and meaning of the thread priority is OS dependent. For example,
+  // on Android, the values range from -20 to 19. On iOS, supply a value between 1 to 100, which
+  // will be divided by 100 to provide a value to the OS in the range of 0 to 1.
+  //
+  // If this field is not set, the platform-specific default thread priorities will be used.
+  google.protobuf.Int32Value thread_priority = 1;
 }

mobile/library/common/extensions/cert_validator/platform_bridge/platform_bridge_cert_validator.cc

@@ -3,7 +3,11 @@
 #include <list>
 #include <memory>
 
+#include "source/common/config/utility.h"
+#include "source/common/protobuf/message_validator_impl.h"
+
 #include "library/common/bridge//utility.h"
+#include "library/common/extensions/cert_validator/platform_bridge/platform_bridge.pb.h"
 #include "library/common/system/system_helper.h"
 
 namespace Envoy {
@@ -22,6 +26,15 @@ PlatformBridgeCertValidator::PlatformBridgeCertValidator(
   ENVOY_BUG(config != nullptr && config->caCert().empty() &&
                 config->certificateRevocationList().empty(),
             "Invalid certificate validation context config.");
+  if (config != nullptr && config->customValidatorConfig().has_value()) {
+    envoy_mobile::extensions::cert_validator::platform_bridge::PlatformBridgeCertValidator cfg;
+    Envoy::Config::Utility::translateOpaqueConfig(
+        config->customValidatorConfig().value().typed_config(),
+        ProtobufMessage::getStrictValidationVisitor(), cfg);
+    if (cfg.has_thread_priority()) {
+      thread_priority_ = cfg.thread_priority().value();
+    }
+  }
 }
 
 PlatformBridgeCertValidator::PlatformBridgeCertValidator(
@@ -89,12 +102,14 @@ ValidationResults PlatformBridgeCertValidator::doVerifyCertChain(
   ValidationJob job;
   job.result_callback_ = std::move(callback);
   Event::Dispatcher& dispatcher = job.result_callback_->dispatcher();
+  Thread::Options thread_options;
+  thread_options.priority_ = thread_priority_;
   job.validation_thread_ = thread_factory_->createThread(
       [this, &dispatcher, certs = std::move(certs), host = std::string(host),
        subject_alt_names = std::move(subject_alt_names)]() -> void {
-        verifyCertChainByPlatform(&dispatcher, certs, host, subject_alt_names, this);
+        verifyCertChainByPlatform(&dispatcher, certs, host, subject_alt_names);
       },
-      /* options= */ absl::nullopt, /* crash_on_failure=*/false);
+      thread_options, /* crash_on_failure=*/false);
   if (job.validation_thread_ == nullptr) {
     return {ValidationResults::ValidationStatus::Failed,
             Envoy::Ssl::ClientValidationStatus::NotValidated, absl::nullopt,
@@ -108,7 +123,7 @@ ValidationResults PlatformBridgeCertValidator::doVerifyCertChain(
 
 void PlatformBridgeCertValidator::verifyCertChainByPlatform(
     Event::Dispatcher* dispatcher, std::vector<std::string> cert_chain, std::string hostname,
-    std::vector<std::string> subject_alt_names, PlatformBridgeCertValidator* parent) {
+    std::vector<std::string> subject_alt_names) {
   ASSERT(!cert_chain.empty());
   ENVOY_LOG(trace, "Start verifyCertChainByPlatform for host {}", hostname);
   // This is running in a stand alone thread other than the engine thread.
@@ -122,7 +137,7 @@ void PlatformBridgeCertValidator::verifyCertChainByPlatform(
   if (!success) {
     ENVOY_LOG(debug, result.error_details);
     postVerifyResultAndCleanUp(success, std::move(hostname), result.error_details, result.tls_alert,
-                               ValidationFailureType::FailVerifyError, dispatcher, parent);
+                               ValidationFailureType::FailVerifyError, dispatcher, this);
     return;
   }
 
@@ -135,12 +150,12 @@ void PlatformBridgeCertValidator::verifyCertChainByPlatform(
     error_details = "PlatformBridgeCertValidator_verifySubjectAltName failed: SNI mismatch.";
     ENVOY_LOG(debug, error_details);
     postVerifyResultAndCleanUp(success, std::move(hostname), error_details, SSL_AD_BAD_CERTIFICATE,
-                               ValidationFailureType::FailVerifySan, dispatcher, parent);
+                               ValidationFailureType::FailVerifySan, dispatcher, this);
     return;
   }
   postVerifyResultAndCleanUp(success, std::move(hostname), error_details,
                              SSL_AD_CERTIFICATE_UNKNOWN, ValidationFailureType::Success, dispatcher,
-                             parent);
+                             this);
 }
 
 void PlatformBridgeCertValidator::postVerifyResultAndCleanUp(bool success, std::string hostname,