Merge branch 'main' into connect

Signed-off-by: Alyssa Wilk <alyssar@chromium.org>

.github/workflows/pr_notifier.yml

@@ -29,7 +29,7 @@ jobs:
         if [[ "${{ github.event_name }}" == 'pull_request' ]]; then
             ARGS+=(--dry_run)
         fi
-        bazel run //tools/repo:notify -- "${ARGS[@]}"
+        bazel run --config=ci //tools/repo:notify -- "${ARGS[@]}"
       env:
         SLACK_BOT_TOKEN: ${{ secrets.SLACK_BOT_TOKEN }}
         GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

BUILD

@@ -16,6 +16,7 @@ exports_files([
     "CODEOWNERS",
     "OWNERS.md",
     ".github/config.yml",
+    "reviewers.yaml",
 ])
 
 alias(

api/envoy/admin/v3/server_info.proto

@@ -59,7 +59,7 @@ message ServerInfo {
   config.core.v3.Node node = 7;
 }
 
-// [#next-free-field: 40]
+// [#next-free-field: 41]
 message CommandLineOptions {
   option (udpa.annotations.versioning).previous_message_type =
       "envoy.admin.v2alpha.CommandLineOptions";
@@ -101,6 +101,9 @@ message CommandLineOptions {
   // See :option:`--skip-hot-restart-on-no-parent` for details.
   bool skip_hot_restart_on_no_parent = 39;
 
+  // See :option:`--skip-hot-restart-parent-stats` for details.
+  bool skip_hot_restart_parent_stats = 40;
+
   // See :option:`--base-id-path` for details.
   string base_id_path = 32;
 

api/envoy/config/core/v3/health_check.proto

@@ -5,6 +5,7 @@ package envoy.config.core.v3;
 import "envoy/config/core/v3/base.proto";
 import "envoy/config/core/v3/event_service_config.proto";
 import "envoy/config/core/v3/extension.proto";
+import "envoy/config/core/v3/proxy_protocol.proto";
 import "envoy/type/matcher/v3/string.proto";
 import "envoy/type/v3/http.proto";
 import "envoy/type/v3/range.proto";
@@ -177,6 +178,13 @@ message HealthCheck {
     // payload block must be found, and in the order specified, but not
     // necessarily contiguous.
     repeated Payload receive = 2;
+
+    // When setting this value, it tries to attempt health check request with ProxyProtocol.
+    // When ``send`` is presented, they are sent after preceding ProxyProtocol header.
+    // Only ProxyProtocol header is sent when ``send`` is not presented.
+    // It allows to use both ProxyProtocol V1 and V2. In V1, it presents L3/L4. In V2, it includes
+    // LOCAL command and doesn't include L3/L4.
+    ProxyProtocolConfig proxy_protocol_config = 3;
   }
 
   message RedisHealthCheck {

api/envoy/extensions/filters/http/ext_authz/v3/ext_authz.proto

@@ -28,7 +28,7 @@ option (udpa.annotations.file_status).package_version_status = ACTIVE;
 // External Authorization :ref:`configuration overview <config_http_filters_ext_authz>`.
 // [#extension: envoy.filters.http.ext_authz]
 
-// [#next-free-field: 25]
+// [#next-free-field: 26]
 message ExtAuthz {
   option (udpa.annotations.versioning).previous_message_type =
       "envoy.config.filter.http.ext_authz.v2.ExtAuthz";
@@ -219,8 +219,17 @@ message ExtAuthz {
   //  <envoy_v3_api_field_extensions.filters.http.ext_authz.v3.ExtAuthz.with_request_body>` setting),
   //  consequently the value of *Content-Length* of the authorization request reflects the size of
   //  its payload size.
+  //
+  // .. note::
+  //
+  //  3. This can be overridden by the field ``disallowed_headers`` below. That is, if a header
+  //  matches for both ``allowed_headers`` and ``disallowed_headers``, the header will NOT be sent.
   type.matcher.v3.ListStringMatcher allowed_headers = 17;
 
+  // If set, specifically disallow any header in this list to be forwarded to the external
+  // authentication server. This overrides the above ``allowed_headers`` if a header matches both.
+  type.matcher.v3.ListStringMatcher disallowed_headers = 25;
+
   // Specifies if the TLS session level details like SNI are sent to the external service.
   //
   // When this field is true, Envoy will include the SNI name used for TLSClientHello, if available, in the

bazel/external/googleurl.patch

@@ -29,15 +29,37 @@ diff --git a/base/containers/checked_iterators.h b/base/containers/checked_itera
 index dc8d2ba..9306697 100644
 --- a/base/containers/checked_iterators.h
 +++ b/base/containers/checked_iterators.h
-@@ -237,9 +237,11 @@ using CheckedContiguousConstIterator = CheckedContiguousIterator<const T>;
+@@ -237,9 +237,32 @@ using CheckedContiguousConstIterator = CheckedContiguousIterator<const T>;
  // [3] https://wg21.link/pointer.traits.optmem
- namespace std {
+-namespace std {
 
 +#ifdef SUPPORTS_CPP_17_CONTIGUOUS_ITERATOR
++#if defined(_LIBCPP_VERSION)
++
++// TODO(crbug.com/1284275): Remove when C++20 is on by default, as the use
++// of `iterator_concept` above should suffice.
++_LIBCPP_BEGIN_NAMESPACE_STD
++
++// TODO(crbug.com/1449299): https://reviews.llvm.org/D150801 renamed this from
++// `__is_cpp17_contiguous_iterator` to `__libcpp_is_contiguous_iterator`. Clean
++// up the old spelling after libc++ rolls.
++template <typename T>
++struct __is_cpp17_contiguous_iterator;
  template <typename T>
  struct __is_cpp17_contiguous_iterator<::gurl_base::CheckedContiguousIterator<T>>
      : true_type {};
++template <typename T>
++struct __libcpp_is_contiguous_iterator;
++template <typename T>
++struct __libcpp_is_contiguous_iterator<::gurl_base::CheckedContiguousIterator<T>>
++    : true_type {};
++
++_LIBCPP_END_NAMESPACE_STD
++
 +#endif
++#endif
++
++namespace std {
 
  template <typename T>
  struct pointer_traits<::gurl_base::CheckedContiguousIterator<T>> {

bazel/foreign_cc/dlb.patch

@@ -0,0 +1,20 @@
+---
+ Makefile    |    2 -
+ 1 files changed, 0(+), 2 deletions(-)
+
+diff --git a/dlb/libdlb/Makefile b/dlb/libdlb/Makefile
+index 0ff7c00..d2429ea 100644
+--- a/dlb/libdlb/Makefile
++++ b/dlb/libdlb/Makefile
+@@ -54,8 +54,6 @@ lib: $(LIB) $(SLIB)
+
+ $(BUILD_DIR):
+ 	@mkdir $@
+-	@echo copying dlb2_user.h, please make sure the driver was built.
+-	@cp $(DLB2_USER_HEADER_DIR)/dlb2_user.h .
+
+ $(BUILD_DIR)/%.o: %.c | $(BUILD_DIR)
+ 	@echo Compiling $@
+-- 
+2.25.1
+

bazel/repositories.bzl

@@ -1372,12 +1372,13 @@ def _intel_dlb():
         build_file_content = """
 filegroup(
     name = "libdlb",
-    srcs = glob([
-        "dlb/libdlb/**",
-    ]),
+    srcs = glob(["dlb/libdlb/*"]),
     visibility = ["@envoy//contrib/dlb/source:__pkg__"],
 )
 """,
+        patch_args = ["-p1"],
+        patches = ["@envoy//bazel/foreign_cc:dlb.patch"],
+        patch_cmds = ["cp dlb/driver/dlb2/uapi/linux/dlb2_user.h dlb/libdlb/"],
     )
 
 def _rules_fuzzing():

bazel/repository_locations.bzl

@@ -84,11 +84,11 @@ REPOSITORY_LOCATIONS_SPEC = dict(
         project_desc = "Bazel rules for fuzz tests",
         project_url = "https://github.com/bazelbuild/rules_fuzzing",
         # Patch contains workaround for https://github.com/bazelbuild/rules_python/issues/1221
-        version = "0.4.1",
-        sha256 = "f6f3f42c48576acd5653bf07637deee2ae4ebb77ccdb0dacc67c184508bedc8c",
+        version = "0.5.2",
+        sha256 = "3ec0eee05b243552cc4a784b30323d088bf73cb2177ddda02c827e68981933f1",
         strip_prefix = "rules_fuzzing-{version}",
         urls = ["https://github.com/bazelbuild/rules_fuzzing/archive/v{version}.tar.gz"],
-        release_date = "2023-10-19",
+        release_date = "2024-05-14",
         use_category = ["test_only"],
         implied_untracked_deps = [
             # This is a repository rule generated to define an OSS-Fuzz fuzzing
@@ -1038,9 +1038,9 @@ REPOSITORY_LOCATIONS_SPEC = dict(
         project_name = "Python rules for Bazel",
         project_desc = "Bazel rules for the Python language",
         project_url = "https://github.com/bazelbuild/rules_python",
-        version = "0.31.0",
-        sha256 = "c68bdc4fbec25de5b5493b8819cfc877c4ea299c0dcb15c244c5a00208cde311",
-        release_date = "2024-02-13",
+        version = "0.32.2",
+        sha256 = "4912ced70dc1a2a8e4b86cec233b192ca053e82bc72d877b98e126156e8f228d",
+        release_date = "2024-05-14",
         strip_prefix = "rules_python-{version}",
         urls = ["https://github.com/bazelbuild/rules_python/archive/{version}.tar.gz"],
         use_category = ["build"],
@@ -1484,12 +1484,12 @@ REPOSITORY_LOCATIONS_SPEC = dict(
         project_name = "Intel Dlb",
         project_desc = "Dlb",
         project_url = "https://networkbuilders.intel.com/solutionslibrary/queue-management-and-load-balancing-on-intel-architecture",
-        version = "8.0.0",
-        sha256 = "075533229bb2bd2f945ec8089a707205f3f8e8d87a8030e9208603d997236171",
-        urls = ["https://downloadmirror.intel.com/763709/dlb_linux_src_release8.0.0.txz"],
+        version = "8.8.0",
+        sha256 = "564534254ef32bfed56e0a464c53fca0907e446b30929c253210e2c3d6de58b9",
+        urls = ["https://downloadmirror.intel.com/819078/dlb_linux_src_release_8.8.0.txz"],
         use_category = ["dataplane_ext"],
         extensions = ["envoy.network.connection_balance.dlb"],
-        release_date = "2022-12-15",
+        release_date = "2023-12-15",
         cpe = "N/A",
     ),
     libpfm = dict(

bazel/rules_fuzzing.patch

@@ -1,8 +1,8 @@
 diff --git a/fuzzing/private/oss_fuzz/package.bzl b/fuzzing/private/oss_fuzz/package.bzl
-index e5e9dc4..a3bb1b8 100644
+index 4f4e636..a1add46 100644
 --- a/fuzzing/private/oss_fuzz/package.bzl
 +++ b/fuzzing/private/oss_fuzz/package.bzl
-@@ -71,7 +71,7 @@ def _oss_fuzz_package_impl(ctx):
+@@ -79,7 +79,7 @@ def _oss_fuzz_package_impl(ctx):
              if [[ -n "{options_path}" ]]; then
                  ln -s "$(pwd)/{options_path}" "$STAGING_DIR/{base_name}.options"
              fi
@@ -12,18 +12,17 @@ index e5e9dc4..a3bb1b8 100644
              base_name = ctx.attr.base_name,
              binary_path = binary_info.binary_file.path,
 diff --git a/fuzzing/tools/validate_dict.py b/fuzzing/tools/validate_dict.py
-index d561e68..24e3adc 100644
+index 52cbcb8..dac313a 100644
 --- a/fuzzing/tools/validate_dict.py
 +++ b/fuzzing/tools/validate_dict.py
-@@ -19,6 +19,11 @@ Validates and merges a set of fuzzing dictionary files into a single output.
+@@ -22,6 +22,10 @@ from absl import flags
+ from fuzzing.tools.dict_validation import validate_line
+ from sys import stderr
 
- from absl import app
- from absl import flags
-+
 +import os
 +import sys
 +sys.path += [os.path.dirname(__file__)]
 +
- from dict_validation import validate_line
- from sys import stderr
+ FLAGS = flags.FLAGS
 
+ flags.DEFINE_list("dict_list", [],

changelogs/current.yaml

@@ -22,6 +22,11 @@ minor_behavior_changes:
 - area: tracers
   change: |
     Set status code for OpenTelemetry tracers (previously unset).
+- area: config
+  change: |
+    Stricter validation of a ``google.protobuf.Duration`` field in a config, rejecting invalid values (where the number
+    of years is over 292). This can be temporarily reverted by setting runtime guard
+    ``envoy.reloadable_features.strict_duration_validation`` to ``false``.
 - area: xds
   change: |
     Updated xDS-TP path naming to better comply with RFC-3986. Encoded resource paths can now include an a colon ``:``,
@@ -41,6 +46,12 @@ minor_behavior_changes:
     as successful queries with empty results, instead of as DNS failures. This change brings the
     getaddrinfo behavior in-line with the c-ares resolver behavior. This behavior can be reverted by
     setting the runtime guard ``envoy.reloadable_features.dns_nodata_noname_is_success`` to false.
+- area: access_log
+  change: |
+    The upstream connection address, rather than the upstream host address, will be used for the ``%UPSTREAM_REMOTE_ADDRESS%``,
+    ``%UPSTREAM_REMOTE_PORT%`` and ``%UPSTREAM_REMOTE_ADDRESS_WITHOUT_PORT%`` access log format specifiers.
+    This behavior can be reverted by setting the runtime guard
+    ``envoy.reloadable_features.upstream_remote_address_use_connection`` to false.
 
 bug_fixes:
 # *Changes expected to improve the state of the world and are unlikely to have negative effects*
@@ -76,6 +87,10 @@ bug_fixes:
   change: |
     Handle ``append_action`` from :ref:`external authorization service <envoy_v3_api_msg_service.auth.v3.CheckResponse>`
     that was ignored.
+- area: http
+  change: |
+    Fix BalsaParser resetting state too early, guarded by default-true
+    ``envoy.reloadable_features.http1_balsa_delay_reset``.
 
 removed_config_or_runtime:
 # *Normally occurs at the end of the* :ref:`deprecation period <deprecated>`
@@ -102,10 +117,19 @@ removed_config_or_runtime:
     Removed ``envoy.reloadable_features.copy_response_code_to_downstream_stream_info`` runtime flag and legacy code paths.
 
 new_features:
+- area: hot_restart
+  change: |
+    Added new command-line flag :option:`--skip-hot-restart-parent-stats`.
 - area: matching
   change: |
     Added :ref:`Filter State Input <envoy_v3_api_msg_extensions.matching.common_inputs.network.v3.FilterStateInput>`
     for matching http input based on filter state objects.
+- area: ext_authz
+  change: |
+    Added :ref:`disallowed_headers <envoy_v3_api_field_extensions.filters.http.ext_authz.v3.ExtAuthz.disallowed_headers>`
+    to specify headers that should never be sent to the external authentication service. Overrides
+    :ref:`allowed_headers <envoy_v3_api_field_extensions.filters.http.ext_authz.v3.ExtAuthz.allowed_headers>`
+    if a header matches both.
 - area: quic
   change: |
     Added support for QUIC server preferred address when there is a DNAT between the client and Envoy. See
@@ -124,6 +148,14 @@ new_features:
 - area: redis
   change: |
     Added support for `inline commands <https://redis.io/docs/reference/protocol-spec/#inline-commands>`_.
+- area: access_log
+  change: |
+    added support for :ref:`%UPSTREAM_HOST_NAME% <config_access_log_format_upstream_host_name>` for the upstream host
+    identifier.
+- area: healthcheck
+  change: |
+    Added support to healthcheck with ProxyProtocol in TCP Healthcheck by setting
+    :ref:`health_check_config <envoy_v3_api_field_config.core.v3.HealthCheck.TcpHealthCheck.proxy_protocol_config>`.
 
 deprecated:
 - area: tracing

ci/Dockerfile-envoy

@@ -1,5 +1,5 @@
 ARG BUILD_OS=ubuntu
-ARG BUILD_TAG=22.04@sha256:1b8d8ff4777f36f19bfe73ee4df61e3a0b789caeff29caa019539ec7c9a57f95
+ARG BUILD_TAG=22.04@sha256:a6d2b38300ce017add71440577d5b0a90460d0e57fd7aec21dd0d1b0761bbfb2
 ARG ENVOY_VRP_BASE_IMAGE=envoy-base
 
 

contrib/dlb/source/BUILD

@@ -16,7 +16,6 @@ envoy_contrib_package()
 make(
     name = "dlb",
     env = {"DLB_DISABLE_DOMAIN_SERVER": "TRUE"},
-    includes = [],
     lib_source = "@intel_dlb//:libdlb",
     out_static_libs = ["libdlb.a"],
     postfix_script = "mv libdlb.a $INSTALLDIR/lib && rm -rf $INSTALLDIR/include && mkdir -p $INSTALLDIR/include && cp -L *.h $INSTALLDIR/include",

contrib/postgres_proxy/filters/network/test/postgres_integration_test.cc

@@ -1,6 +1,7 @@
 #include "source/common/network/connection_impl.h"
+#include "source/common/tls/client_ssl_socket.h"
 #include "source/common/tls/context_config_impl.h"
-#include "source/common/tls/ssl_socket.h"
+#include "source/common/tls/server_ssl_socket.h"
 #include "source/extensions/filters/network/common/factory_base.h"
 
 #include "test/integration/fake_upstream.h"

docs/root/configuration/observability/access_log/usage.rst

@@ -563,8 +563,13 @@ UDP
 .. _config_access_log_format_upstream_host:
 
 %UPSTREAM_HOST%
-  Upstream host URL (e.g., tcp://ip:port for TCP connections). Identical to the :ref:`UPSTREAM_REMOTE_ADDRESS
-  <config_access_log_format_upstream_remote_address>` value.
+  Main address of upstream host (e.g., ip:port for TCP connections).
+
+.. _config_access_log_format_upstream_host_name:
+
+%UPSTREAM_HOST_NAME%
+  Upstream host name (e.g., DNS name). If no DNS name is available, the main address of the upstream host
+  (e.g., ip:port for TCP connections) will be used.
 
 %UPSTREAM_CLUSTER%
   Upstream cluster to which the upstream host belongs to. :ref:`alt_stat_name
@@ -586,7 +591,8 @@ UDP
 
 %UPSTREAM_REMOTE_ADDRESS%
   Remote address of the upstream connection. If the address is an IP address it includes both
-  address and port. Identical to the :ref:`UPSTREAM_HOST <config_access_log_format_upstream_host>` value.
+  address and port. Identical to the :ref:`UPSTREAM_HOST <config_access_log_format_upstream_host>` value if the upstream
+  host only has one address and connection is established successfully.
 
 %UPSTREAM_REMOTE_ADDRESS_WITHOUT_PORT%
   Remote address of the upstream connection, without any port component.

docs/root/operations/cli.rst

@@ -77,6 +77,15 @@ following are the command line options that Envoy supports.
   an unexpected parent termination after interprocess communication is established will still cause
   the child instance to terminate due to failing communication.
 
+.. option:: --skip-hot-restart-parent-stats
+
+  *(optional)* In conjunction with :option:`--restart-epoch`, this flag allows for hot restart
+  to proceed without duplicating stats from the parent instance. Transferring stats can be an
+  expensive operation; skipping it can prevent overloading the main thread with this work, or
+  potentially dramatically increased memory load.
+
+  Has no effect if hot restarting is not in use.
+
 .. option:: --base-id-path <path_string>
 
   *(optional)* Writes the base ID to the given path. While this option is compatible with

envoy/config/dynamic_extension_config_provider.h

@@ -35,13 +35,14 @@ class DynamicExtensionConfigProviderBase {
   /**
    * Removes the current configuration from the provider.
    * @param cb the continuation callback for a completed configuration application on all threads.
+   * @return status indicating if the config was successfully removed.
    */
-  virtual void onConfigRemoved(ConfigAppliedCb applied_on_all_threads) PURE;
+  virtual absl::Status onConfigRemoved(ConfigAppliedCb applied_on_all_threads) PURE;
 
   /**
    * Applies the default configuration if one is set, otherwise does nothing.
    */
-  virtual void applyDefaultConfiguration() PURE;
+  virtual absl::Status applyDefaultConfiguration() PURE;
   /**
    * Return Network::ListenerFilterMatcherSharedPtr& the listener filter matcher.
    */