Merge branch 'main' of https://github.com/envoyproxy/envoy into main

.bazelignore

@@ -2,7 +2,6 @@
 api
 examples/grpc-bridge/script
 mobile
-tools/clang_tools
 tools/dev/src
 .project
 envoy-filter-example

.bazelrc

@@ -28,6 +28,8 @@ build --define envoy_mobile_listener=enabled
 build --experimental_repository_downloader_retries=2
 build --enable_platform_specific_config
 build --incompatible_merge_fixed_and_default_shell_env
+# A workaround for slow ICU download.
+build --http_timeout_scaling=6.0
 
 # Pass CC, CXX and LLVM_CONFIG variables from the environment.
 # We assume they have stable values, so this won't cause action cache misses.

.bazelversion

@@ -1 +1 @@
-7.4.0
+7.5.0

.github/dependabot.yml

@@ -79,3 +79,13 @@ updates:
   schedule:
     interval: daily
     time: "06:00"
+
+- package-ecosystem: "gomod"
+  directory: "/contrib/golang/upstreams/http/tcp/test/test_data"
+  groups:
+    contrib-golang:
+      patterns:
+      - "*"
+  schedule:
+    interval: daily
+    time: "06:00"

.vscode/tasks.json

@@ -34,10 +34,16 @@
       "problemMatcher": []
     },
     {
-      "label": "Local Fix Format",
+      "label": "Local Fix Format (All)",
       "type": "shell",
       "command": "tools/local_fix_format.sh -all",
       "problemMatcher": []
+    },
+    {
+      "label": "Local Fix Format (Changes Only)",
+      "type": "shell",
+      "command": "tools/local_fix_format.sh $(git diff --name-only | grep -E '.(h|c|cc|proto)$')",
+      "problemMatcher": []
     }
   ]
 }

api/BUILD

@@ -98,6 +98,7 @@ proto_library(
         "//contrib/envoy/extensions/regex_engines/hyperscan/v3alpha:pkg",
         "//contrib/envoy/extensions/router/cluster_specifier/golang/v3alpha:pkg",
         "//contrib/envoy/extensions/tap_sinks/udp_sink/v3alpha:pkg",
+        "//contrib/envoy/extensions/upstreams/http/tcp/golang/v3alpha:pkg",
         "//contrib/envoy/extensions/vcl/v3alpha:pkg",
         "//envoy/admin/v3:pkg",
         "//envoy/config/accesslog/v3:pkg",

api/bazel/repository_locations.bzl

@@ -131,11 +131,11 @@ REPOSITORY_LOCATIONS_SPEC = dict(
         project_name = "buf",
         project_desc = "A new way of working with Protocol Buffers.",  # Used for breaking change detection in API protobufs
         project_url = "https://buf.build",
-        version = "1.49.0",
-        sha256 = "ee8da9748249f7946d79191e36469ce7bc3b8ba80019bff1fa4289a44cbc23bf",
+        version = "1.50.0",
+        sha256 = "80c1211dfc4844499c6ddad341bb21206579883fd33cea0a2c40c82befd70602",
         strip_prefix = "buf",
         urls = ["https://github.com/bufbuild/buf/releases/download/v{version}/buf-Linux-x86_64.tar.gz"],
-        release_date = "2025-01-07",
+        release_date = "2025-01-17",
         use_category = ["api"],
         license = "Apache-2.0",
         license_url = "https://github.com/bufbuild/buf/blob/v{version}/LICENSE",
@@ -158,11 +158,11 @@ REPOSITORY_LOCATIONS_SPEC = dict(
         project_desc = "Common Expression Language -- specification and binary representation",
         project_url = "https://github.com/google/cel-spec",
         strip_prefix = "cel-spec-{version}",
-        sha256 = "0661174bb0c965c72f2d037d9d8e8717ed20f9a64f9b1be9851069f9277c9508",
-        version = "0.19.1",
+        sha256 = "f96bafe9d1c71784f631a20ccc890ae625959baf2083d00efdc883058065055a",
+        version = "0.19.2",
         urls = ["https://github.com/google/cel-spec/archive/v{version}.tar.gz"],
         use_category = ["api"],
-        release_date = "2024-12-06",
+        release_date = "2025-01-24",
         license = "Apache-2.0",
         license_url = "https://github.com/google/cel-spec/blob/v{version}/LICENSE",
     ),

api/contrib/envoy/extensions/upstreams/http/tcp/golang/v3alpha/BUILD

@@ -0,0 +1,12 @@
+# DO NOT EDIT. This file is generated by tools/proto_format/proto_sync.py.
+
+load("@envoy_api//bazel:api_build_system.bzl", "api_proto_package")
+
+licenses(["notice"])  # Apache 2
+
+api_proto_package(
+    deps = [
+        "@com_github_cncf_xds//udpa/annotations:pkg",
+        "@com_github_cncf_xds//xds/annotations/v3:pkg",
+    ],
+)

api/contrib/envoy/extensions/upstreams/http/tcp/golang/v3alpha/golang.proto

@@ -0,0 +1,52 @@
+syntax = "proto3";
+
+package envoy.extensions.upstreams.http.tcp.golang.v3alpha;
+
+import "google/protobuf/any.proto";
+
+import "xds/annotations/v3/status.proto";
+
+import "udpa/annotations/status.proto";
+import "validate/validate.proto";
+
+option java_package = "io.envoyproxy.envoy.extensions.upstreams.http.tcp.golang.v3alpha";
+option java_outer_classname = "GolangProto";
+option java_multiple_files = true;
+option go_package = "github.com/envoyproxy/go-control-plane/contrib/envoy/extensions/upstreams/http/tcp/golang/v3alpha";
+option (udpa.annotations.file_status).package_version_status = ACTIVE;
+option (xds.annotations.v3.file_status).work_in_progress = true;
+
+// [#protodoc-title: Golang]
+//
+// This bridge enables an Http client to connect to a TCP server via a Golang plugin, facilitating Protocol Convert from HTTP to any RPC protocol in Envoy.
+//
+// For an overview of the Golang HTTP TCP bridge please see the :ref:`configuration reference documentation <config_http_tcp_bridge_golang>`.
+// [#extension: envoy.upstreams.http.tcp.golang]
+
+// [#extension-category: envoy.upstreams]
+message Config {
+  // Globally unique ID for a dynamic library file.
+  string library_id = 1 [(validate.rules).string = {min_len: 1}];
+
+  // Path to a dynamic library implementing the
+  // :repo:`HttpTcpBridge API <contrib/golang/common/go/api.HttpTcpBridge>`
+  // interface.
+  string library_path = 2 [(validate.rules).string = {min_len: 1}];
+
+  // Globally unique name of the Go plugin.
+  //
+  // This name **must** be consistent with the name registered in ``tcp::RegisterHttpTcpBridgeFactoryAndConfigParser``
+  //
+  string plugin_name = 3 [(validate.rules).string = {min_len: 1}];
+
+  // Configuration for the Go plugin.
+  //
+  // .. note::
+  //     This configuration is only parsed in the Golang plugin, and is therefore not validated
+  //     by Envoy.
+  //
+  //     See the :repo:`HttpTcpBridge API <contrib/golang/common/go/api/filter.go>`
+  //     for more information about how the plugin's configuration data can be accessed.
+  //
+  google.protobuf.Any plugin_config = 4;
+}

api/envoy/config/core/v3/proxy_protocol.proto

@@ -32,6 +32,15 @@ message ProxyProtocolPassThroughTLVs {
   repeated uint32 tlv_type = 2 [(validate.rules).repeated = {items {uint32 {lt: 256}}}];
 }
 
+// Represents a single Type-Length-Value (TLV) entry.
+message TlvEntry {
+  // The type of the TLV. Must be a uint8 (0-255) as per the Proxy Protocol v2 specification.
+  uint32 type = 1 [(validate.rules).uint32 = {lt: 256}];
+
+  // The value of the TLV. Must be at least one byte long.
+  bytes value = 2 [(validate.rules).bytes = {min_len: 1}];
+}
+
 message ProxyProtocolConfig {
   enum Version {
     // PROXY protocol version 1. Human readable format.
@@ -47,4 +56,35 @@ message ProxyProtocolConfig {
   // This config controls which TLVs can be passed to upstream if it is Proxy Protocol
   // V2 header. If there is no setting for this field, no TLVs will be passed through.
   ProxyProtocolPassThroughTLVs pass_through_tlvs = 2;
+
+  // This config allows additional TLVs to be included in the upstream PROXY protocol
+  // V2 header. Unlike ``pass_through_tlvs``, which passes TLVs from the downstream request,
+  // ``added_tlvs`` provides an extension mechanism for defining new TLVs that are included
+  // with the upstream request. These TLVs may not be present in the downstream request and
+  // can be defined at either the transport socket level or the host level to provide more
+  // granular control over the TLVs that are included in the upstream request.
+  //
+  // Host-level TLVs are specified in the ``metadata.typed_filter_metadata`` field under the
+  // ``envoy.transport_sockets.proxy_protocol`` namespace.
+  //
+  // .. literalinclude:: /_configs/repo/proxy_protocol.yaml
+  //    :language: yaml
+  //    :lines: 49-57
+  //    :linenos:
+  //    :lineno-start: 49
+  //    :caption: :download:`proxy_protocol.yaml </_configs/repo/proxy_protocol.yaml>`
+  //
+  // **Precedence behavior**:
+  //
+  // - When a TLV is defined at both the host level and the transport socket level, the value
+  //   from the host level configuration takes precedence. This allows users to define default TLVs
+  //   at the transport socket level and override them at the host level.
+  // - Any TLV defined in the ``pass_through_tlvs`` field will be overridden by either the host-level
+  //   or transport socket-level TLV.
+  repeated TlvEntry added_tlvs = 3;
+}
+
+message PerHostConfig {
+  // Enables per-host configuration for Proxy Protocol.
+  repeated TlvEntry added_tlvs = 1;
 }

api/envoy/config/filter/http/jwt_authn/v2alpha/README.md

@@ -60,7 +60,7 @@ bespoke: beta:true,jwt_value:"eyJFbnZveSI6ICJyb2NrcyJ9.e30.c2lnbmVk",trace=1234
 The header `name` may be `Authorization`.
 
 The `value_prefix` must match exactly, i.e., case-sensitively.
-If the `value_prefix` is not found, the header is skipped: not considered as a source for a JWT token.
+If the `value_prefix` is not found, the header is skipped: not considered as a source for a JWT.
 
 If there are no JWT-legal characters after the `value_prefix`, the entire string after it
-is taken to be the JWT token. This is unlikely to succeed; the error will reported by the JWT parser.
+is taken to be the JWT. This is unlikely to succeed; the error will reported by the JWT parser.

api/envoy/config/filter/http/jwt_authn/v2alpha/config.proto

@@ -36,7 +36,7 @@ option (udpa.annotations.file_status).package_version_status = FROZEN;
 // * issuer: the principal that issues the JWT. It has to match the one from the token.
 // * allowed audiences: the ones in the token have to be listed here.
 // * how to fetch public key JWKS to verify the token signature.
-// * how to extract JWT token in the request.
+// * how to extract the JWT in the request.
 // * how to pass successfully verified token payload.
 //
 // Example:
@@ -137,7 +137,7 @@ message JwtProvider {
   // Multiple JWTs can be verified for a request. Each JWT has to be extracted from the locations
   // its provider specified or from the default locations.
   //
-  // Specify the HTTP headers to extract JWT token. For examples, following config:
+  // Specify the HTTP headers to extract the JWT. For examples, following config:
   //
   // .. code-block:: yaml
   //
@@ -209,7 +209,7 @@ message RemoteJwks {
   google.protobuf.Duration cache_duration = 2;
 }
 
-// This message specifies a header location to extract JWT token.
+// This message specifies a header location to extract JWT.
 message JwtHeader {
   // The HTTP header name.
   string name = 1 [(validate.rules).string = {min_bytes: 1}];
@@ -305,7 +305,7 @@ message JwtRequirement {
     // The requirement is always satisfied even if JWT is missing or the JWT
     // verification fails. A typical usage is: this filter is used to only verify
     // JWTs and pass the verified JWT payloads to another filter, the other filter
-    // will make decision. In this mode, all JWT tokens will be verified.
+    // will make decision. In this mode, all JWTs will be verified.
     google.protobuf.Empty allow_missing_or_failed = 5;
 
     // The requirement is satisfied if JWT is missing, but failed if JWT is

api/envoy/extensions/common/dynamic_forward_proxy/v3/dns_cache.proto

@@ -33,7 +33,7 @@ message DnsCacheCircuitBreakers {
 
 // Configuration for the dynamic forward proxy DNS cache. See the :ref:`architecture overview
 // <arch_overview_http_dynamic_forward_proxy>` for more information.
-// [#next-free-field: 15]
+// [#next-free-field: 16]
 message DnsCacheConfig {
   option (udpa.annotations.versioning).previous_message_type =
       "envoy.config.common.dynamic_forward_proxy.v2alpha.DnsCacheConfig";
@@ -94,6 +94,12 @@ message DnsCacheConfig {
   //   value depending on timing. This is similar to how other circuit breakers work.
   google.protobuf.UInt32Value max_hosts = 5 [(validate.rules).uint32 = {gt: 0}];
 
+  // Disable the DNS refresh on failure. If this field is set to true, it will ignore the
+  // :ref:`typed_dns_resolver_config <envoy_v3_api_field_extensions.common.dynamic_forward_proxy.v3.DnsCacheConfig.dns_failure_refresh_rate>`.
+  // If not specified, it defaults to false. By enabling this feature, the failed hosts will now be treated as a cache miss,
+  // allowing the failed hosts to be resolved on demand.
+  bool disable_dns_refresh_on_failure = 15;
+
   // If the DNS failure refresh rate is specified,
   // this is used as the cache's DNS refresh rate when DNS requests are failing. If this setting is
   // not specified, the failure refresh rate defaults to the dns_refresh_rate.

api/envoy/extensions/common/ratelimit/v3/ratelimit.proto

@@ -103,8 +103,10 @@ message RateLimitDescriptor {
     // Descriptor key.
     string key = 1 [(validate.rules).string = {min_len: 1}];
 
-    // Descriptor value.
-    string value = 2 [(validate.rules).string = {min_len: 1}];
+    // Descriptor value. Blank value is treated as wildcard to create dynamic token buckets for each unique value.
+    // Blank Values as wild card is currently supported only with envoy server instance level HTTP local rate limiting
+    // and will not work if HTTP local rate limiting is enabled per connection level.
+    string value = 2 [(validate.rules).string = {min_len: 0}];
   }
 
   // Override rate limit to apply to this descriptor instead of the limit

api/envoy/extensions/filters/http/dynamic_modules/v3/dynamic_modules.proto

@@ -16,6 +16,7 @@ option (udpa.annotations.file_status).package_version_status = ACTIVE;
 option (xds.annotations.v3.file_status).work_in_progress = true;
 
 // [#protodoc-title: HTTP filter for dynamic modules]
+// [#extension: envoy.filters.http.dynamic_modules]
 
 // Configuration of the HTTP filter for dynamic modules. This filter allows loading shared object files
 // that can be loaded via dlopen by the HTTP filter.

api/envoy/extensions/filters/http/ext_proc/v3/processing_mode.proto

@@ -22,9 +22,18 @@ option (udpa.annotations.file_status).package_version_status = ACTIVE;
 message ProcessingMode {
   // Control how headers and trailers are handled
   enum HeaderSendMode {
-    // The default HeaderSendMode depends on which part of the message is being
-    // processed. By default, request and response headers are sent,
-    // while trailers are skipped.
+    // When used to configure the ext_proc filter :ref:`processing_mode
+    // <envoy_v3_api_field_extensions.filters.http.ext_proc.v3.ExternalProcessor.processing_mode>`,
+    // the default HeaderSendMode depends on which part of the message is being processed. By
+    // default, request and response headers are sent, while trailers are skipped.
+    //
+    // When used in :ref:`mode_override
+    // <envoy_v3_api_field_service.ext_proc.v3.ProcessingResponse.mode_override>` or
+    // :ref:`allowed_override_modes
+    // <envoy_v3_api_field_extensions.filters.http.ext_proc.v3.ExternalProcessor.allowed_override_modes>`,
+    // a value of DEFAULT indicates that there is no change from the behavior that is configured for
+    // the filter in :ref:`processing_mode
+    // <envoy_v3_api_field_extensions.filters.http.ext_proc.v3.ExternalProcessor.processing_mode>`.
     DEFAULT = 0;
 
     // Send the header or trailer.
@@ -102,7 +111,10 @@ message ProcessingMode {
     FULL_DUPLEX_STREAMED = 4;
   }
 
-  // How to handle the request header. Default is "SEND".
+  // How to handle the request header. Default is "SEND". A value of "DEFAULT" (unset) should be used
+  // with :ref:`mode_override
+  // <envoy_v3_api_field_service.ext_proc.v3.ProcessingResponse.mode_override>`, since mode
+  // overrides can only affect messages exchanged after the request header is processed.
   HeaderSendMode request_header_mode = 1 [(validate.rules).enum = {defined_only: true}];
 
   // How to handle the response header. Default is "SEND".

api/envoy/extensions/filters/http/jwt_authn/v3/config.proto

@@ -35,7 +35,7 @@ option (udpa.annotations.file_status).package_version_status = ACTIVE;
 // * issuer: the principal that issues the JWT. If specified, it has to match the ``iss`` field in JWT.
 // * allowed audiences: the ones in the token have to be listed here.
 // * how to fetch public key JWKS to verify the token signature.
-// * how to extract JWT token in the request.
+// * how to extract the JWT in the request.
 // * how to pass successfully verified token payload.
 //
 // Example:
@@ -208,7 +208,7 @@ message JwtProvider {
   // Multiple JWTs can be verified for a request. Each JWT has to be extracted from the locations
   // its provider specified or from the default locations.
   //
-  // Specify the HTTP headers to extract JWT token. For examples, following config:
+  // Specify the HTTP headers to extract the JWT. For examples, following config:
   //
   // .. code-block:: yaml
   //
@@ -348,7 +348,7 @@ message JwtProvider {
   uint32 clock_skew_seconds = 10;
 
   // Enables JWT cache, its size is specified by ``jwt_cache_size``.
-  // Only valid JWT tokens are cached.
+  // Only valid JWTs are cached.
   JwtCacheConfig jwt_cache_config = 12;
 
   // Add JWT claim to HTTP Header
@@ -365,7 +365,7 @@ message JwtProvider {
   // This header is only reserved for jwt claim; any other value will be overwritten.
   repeated JwtClaimToHeader claim_to_headers = 15;
 
-  // Clears route cache in order to allow JWT token to correctly affect
+  // Clears route cache in order to allow the JWT to correctly affect
   // routing decisions. Filter clears all cached routes when:
   //
   // 1. The field is set to ``true``.
@@ -378,7 +378,7 @@ message JwtProvider {
 
 // This message specifies JWT Cache configuration.
 message JwtCacheConfig {
-  // The unit is number of JWT tokens, default to 100.
+  // The unit is number of JWTs, default to 100.
   uint32 jwt_cache_size = 1;
 }
 
@@ -469,7 +469,7 @@ message JwksAsyncFetch {
   google.protobuf.Duration failed_refetch_duration = 2;
 }
 
-// This message specifies a header location to extract JWT token.
+// This message specifies a header location to extract the JWT.
 message JwtHeader {
   option (udpa.annotations.versioning).previous_message_type =
       "envoy.config.filter.http.jwt_authn.v2alpha.JwtHeader";
@@ -576,7 +576,7 @@ message JwtRequirement {
     // The requirement is always satisfied even if JWT is missing or the JWT
     // verification fails. A typical usage is: this filter is used to only verify
     // JWTs and pass the verified JWT payloads to another filter, the other filter
-    // will make decision. In this mode, all JWT tokens will be verified.
+    // will make decision. In this mode, all JWTs will be verified.
     google.protobuf.Empty allow_missing_or_failed = 5;
 
     // The requirement is satisfied if JWT is missing, but failed if JWT is