envoy: update to latest HEAD and v3alpha API (envoyproxy#16)

* envoy: update to latest HEAD and v3alpha API

Signed-off-by: Mikko Ylinen <mikko.ylinen@intel.com>

* envoy: update to latest HEAD

Signed-off-by: Mikko Ylinen <mikko.ylinen@intel.com>

* tests: fix //test/common/... and //test/extensions/... for v3alpha

Signed-off-by: Mikko Ylinen <mikko.ylinen@intel.com>

* tests: enable //test/integration/... and fix for v3alpha

Signed-off-by: Mikko Ylinen <mikko.ylinen@intel.com>

* envoy: update to latest HEAD

Signed-off-by: Mikko Ylinen <mikko.ylinen@intel.com>

* CI: enable builds and tests

Signed-off-by: Mikko Ylinen <mikko.ylinen@intel.com>

* CI: skip tests for now

Signed-off-by: Mikko Ylinen <mikko.ylinen@intel.com>

* CI: skip builds for now too

Signed-off-by: Mikko Ylinen <mikko.ylinen@intel.com>

.azure-pipelines/linux.yaml

@@ -9,30 +9,29 @@ trigger:
     - 'master'
 
 jobs:
-#  - job: build
-#    dependsOn: []
-#    pool:
-#      vmImage: 'Ubuntu 16.04'
-#    container: envoy-build-image
-#    steps:
-#      - checkout: self
-#        submodules: true
-#      - script: |
-#          bazel build //:envoy && \
-#          ./bazel-bin/envoy --version
-#        displayName: 'Build Envoy-OpenSSL'
-#  - job: test
-#    dependsOn: []
-#    pool:
-#      vmImage: 'Ubuntu 16.04'
-#    container: envoy-build-image
-#    steps:
-#      - checkout: self
-#        submodules: true
-#      - script: |
-#          bazel test //test/common/... && \
-#          bazel test //test/extensions/...
-#        displayName: 'Test Envoy-OpenSSL'
+# - job: build
+#   dependsOn: []
+#   pool:
+#     vmImage: 'Ubuntu 16.04'
+#   container: envoy-build-image
+#   steps:
+#     - checkout: self
+#       submodules: true
+#     - script: |
+#         bazel build //:envoy && \
+#         ./bazel-bin/envoy --version
+#       displayName: 'Build Envoy-OpenSSL'
+# - job: test
+#   dependsOn: []
+#   pool:
+#     vmImage: 'Ubuntu 16.04'
+#   container: envoy-build-image
+#   steps:
+#     - checkout: self
+#       submodules: true
+#     - script: |
+#         bazel test //test/common/... //test/extensions/...
+#       displayName: 'Test Envoy-OpenSSL'
 #  - job: test-envoy
 #    dependsOn: []
 #    pool:

README.md

@@ -27,6 +27,7 @@ To test the OpenSSL features run the following commands.
 ```console
 $ bazel test //test/common/...
 $ bazel test //test/extensions/...
+$ bazel test //test/integration/...
 ```
 
 ## License

jwt_verify-make-compatible-with-openssl.patch

@@ -1,18 +1,18 @@
-From b0e4badb4158934c8ec102dccc26adf3b478e6e5 Mon Sep 17 00:00:00 2001
+From e6c4e2327264ebe725ed4346a9f101087ae34fe2 Mon Sep 17 00:00:00 2001
 From: Venil Noronha <veniln@vmware.com>
 Date: Fri, 1 Nov 2019 10:10:10 -0700
 Subject: [PATCH] make compatible with openssl
 
 Signed-off-by: Venil Noronha <veniln@vmware.com>
 ---
- BUILD                 |  4 +++-
+ BUILD                 |  2 ++
  jwt_verify_lib/jwks.h |  4 ++++
  src/jwks.cc           | 20 ++++++++++++++++----
  src/verify.cc         | 13 +++++++++++--
- 4 files changed, 34 insertions(+), 7 deletions(-)
+ 4 files changed, 33 insertions(+), 6 deletions(-)
 
 diff --git a/BUILD b/BUILD
-index 60331dc..bd55255 100644
+index 96ba16c..43d1b4e 100644
 --- a/BUILD
 +++ b/BUILD
 @@ -27,6 +27,8 @@ cc_library(
@@ -25,12 +25,12 @@ index 60331dc..bd55255 100644
  )
 
 diff --git a/jwt_verify_lib/jwks.h b/jwt_verify_lib/jwks.h
-index 24a18b7..80676da 100644
+index 6094e2b..3a5c478 100644
 --- a/jwt_verify_lib/jwks.h
 +++ b/jwt_verify_lib/jwks.h
-@@ -22,6 +22,10 @@
- #include "openssl/ec.h"
+@@ -23,6 +23,10 @@
  #include "openssl/evp.h"
+ #include "openssl/pem.h"
 
 +#ifndef OPENSSL_IS_BORINGSSL
 +#include "boringssl_compat/bssl.h"
@@ -40,10 +40,10 @@ index 24a18b7..80676da 100644
  namespace jwt_verify {
 
 diff --git a/src/jwks.cc b/src/jwks.cc
-index 97b1ae8..9723c82 100644
+index e5d6c45..edf2caf 100644
 --- a/src/jwks.cc
 +++ b/src/jwks.cc
-@@ -27,6 +27,11 @@
+@@ -28,6 +28,11 @@
  #include "openssl/rsa.h"
  #include "openssl/sha.h"
 
@@ -55,7 +55,7 @@ index 97b1ae8..9723c82 100644
  namespace google {
  namespace jwt_verify {
 
-@@ -118,18 +123,25 @@ class EvpPkeyGetter : public WithStatus {
+@@ -124,18 +129,25 @@ class EvpPkeyGetter : public WithStatus {
    bssl::UniquePtr<RSA> createRsaFromJwk(const std::string& n,
                                          const std::string& e) {
      bssl::UniquePtr<RSA> rsa(RSA_new());
@@ -119,5 +119,5 @@ index 4d26c25..10fb175 100644
    }
 
 -- 
-2.14.3 (Apple Git-98)
+2.20.1
 

source/extensions/filters/http/lua/BUILD

@@ -55,10 +55,10 @@ envoy_cc_extension(
     hdrs = ["config.h"],
     security_posture = "robust_to_untrusted_downstream",
     deps = [
-        ":lua_filter_lib",
         "@envoy//include/envoy/registry",
         "@envoy//source/extensions/filters/http:well_known_names",
         "@envoy//source/extensions/filters/http/common:factory_base_lib",
-        "@envoy_api//envoy/config/filter/http/lua/v2:pkg_cc_proto",
+        ":lua_filter_lib",
+        "@envoy_api//envoy/extensions/filters/http/lua/v3alpha:pkg_cc_proto",
     ],
 )

source/extensions/filters/http/lua/config.cc

@@ -1,6 +1,7 @@
 #include "extensions/filters/http/lua/config.h"
 
-#include "envoy/config/filter/http/lua/v2/lua.pb.validate.h"
+#include "envoy/extensions/filters/http/lua/v3alpha/lua.pb.h"
+#include "envoy/extensions/filters/http/lua/v3alpha/lua.pb.validate.h"
 #include "envoy/registry/registry.h"
 
 #include "extensions/filters/http/lua/lua_filter.h"
@@ -11,7 +12,7 @@ namespace HttpFilters {
 namespace Lua {
 
 Http::FilterFactoryCb LuaFilterConfig::createFilterFactoryFromProtoTyped(
-    const envoy::config::filter::http::lua::v2::Lua& proto_config, const std::string&,
+    const envoy::extensions::filters::http::lua::v3alpha::Lua& proto_config, const std::string&,
     Server::Configuration::FactoryContext& context) {
   FilterConfigConstSharedPtr filter_config(new FilterConfig{
       proto_config.inline_code(), context.threadLocal(), context.clusterManager()});

source/extensions/filters/http/lua/config.h

@@ -1,7 +1,7 @@
 #pragma once
 
-#include "envoy/config/filter/http/lua/v2/lua.pb.h"
-#include "envoy/config/filter/http/lua/v2/lua.pb.validate.h"
+#include "envoy/extensions/filters/http/lua/v3alpha/lua.pb.h"
+#include "envoy/extensions/filters/http/lua/v3alpha/lua.pb.validate.h"
 
 #include "extensions/filters/http/common/factory_base.h"
 #include "extensions/filters/http/well_known_names.h"
@@ -14,15 +14,15 @@ namespace Lua {
 /**
  * Config registration for the Lua filter. @see NamedHttpFilterConfigFactory.
  */
-class LuaFilterConfig : public Common::FactoryBase<envoy::config::filter::http::lua::v2::Lua> {
+class LuaFilterConfig
+    : public Common::FactoryBase<envoy::extensions::filters::http::lua::v3alpha::Lua> {
 public:
   LuaFilterConfig() : FactoryBase(HttpFilterNames::get().Lua) {}
 
 private:
-  Http::FilterFactoryCb
-  createFilterFactoryFromProtoTyped(const envoy::config::filter::http::lua::v2::Lua& proto_config,
-                                    const std::string&,
-                                    Server::Configuration::FactoryContext& context) override;
+  Http::FilterFactoryCb createFilterFactoryFromProtoTyped(
+      const envoy::extensions::filters::http::lua::v3alpha::Lua& proto_config, const std::string&,
+      Server::Configuration::FactoryContext& context) override;
 };
 
 } // namespace Lua

source/extensions/filters/listener/tls_inspector/BUILD

@@ -5,6 +5,7 @@ licenses(["notice"])  # Apache 2
 
 load(
     "@envoy//bazel:envoy_build_system.bzl",
+    "envoy_cc_extension",
     "envoy_cc_library",
     "envoy_package",
 )
@@ -34,15 +35,17 @@ envoy_cc_library(
     ],
 )
 
-envoy_cc_library(
+envoy_cc_extension(
     name = "config",
     repository = "@envoy",
     srcs = ["config.cc"],
+    security_posture = "robust_to_untrusted_downstream",
     deps = [
         "@envoy//include/envoy/registry",
         "@envoy//include/envoy/server:filter_config_interface",
         "@envoy//source/extensions/filters/listener:well_known_names",
         "//source/extensions/filters/listener/tls_inspector:tls_inspector_lib",
+        "@envoy_api//envoy/extensions/filters/listener/tls_inspector/v3alpha:pkg_cc_proto",
     ],
 )
 

source/extensions/filters/listener/tls_inspector/config.cc

@@ -1,5 +1,7 @@
 #include <string>
 
+#include "envoy/extensions/filters/listener/tls_inspector/v3alpha/tls_inspector.pb.h"
+#include "envoy/extensions/filters/listener/tls_inspector/v3alpha/tls_inspector.pb.validate.h"
 #include "envoy/registry/registry.h"
 #include "envoy/server/filter_config.h"
 
@@ -27,10 +29,11 @@ class TlsInspectorConfigFactory : public Server::Configuration::NamedListenerFil
   }
 
   ProtobufTypes::MessagePtr createEmptyConfigProto() override {
-    return std::make_unique<Envoy::ProtobufWkt::Empty>();
+    return std::make_unique<
+        envoy::extensions::filters::listener::tls_inspector::v3alpha::TlsInspector>();
   }
 
-  std::string name() override { return ListenerFilterNames::get().TlsInspector; }
+  std::string name() const override { return ListenerFilterNames::get().TlsInspector; }
 };
 
 /**

source/extensions/grpc_credentials/aws_iam/BUILD

@@ -4,18 +4,20 @@ licenses(["notice"])  # Apache 2
 
 load(
     "@envoy//bazel:envoy_build_system.bzl",
-    "envoy_cc_library",
+    "envoy_cc_extension",
     "envoy_package",
 )
 
 envoy_package()
 
-envoy_cc_library(
+envoy_cc_extension(
     name = "config",
     repository = "@envoy",
     srcs = ["config.cc"],
     hdrs = ["config.h"],
     external_deps = ["grpc"],
+    security_posture = "data_plane_agnostic",
+    status = "alpha",
     deps = [
         "@envoy//include/envoy/grpc:google_grpc_creds_interface",
         "@envoy//include/envoy/registry",
@@ -29,6 +31,7 @@ envoy_cc_library(
         "//source/extensions/filters/http/common/aws:signer_impl_lib",
         "//source/extensions/filters/http/common/aws:utility_lib",
         "@envoy//source/extensions/grpc_credentials:well_known_names",
-        "@envoy_api//envoy/config/grpc_credential/v2alpha:pkg_cc_proto",
+        "@envoy_api//envoy/config/core/v3alpha:pkg_cc_proto",
+        "@envoy_api//envoy/config/grpc_credential/v3alpha:pkg_cc_proto",
     ],
 )

source/extensions/grpc_credentials/aws_iam/config.cc

@@ -1,8 +1,9 @@
 #include "extensions/grpc_credentials/aws_iam/config.h"
 
-#include "envoy/api/v2/core/grpc_service.pb.h"
 #include "envoy/common/exception.h"
-#include "envoy/config/grpc_credential/v2alpha/aws_iam.pb.validate.h"
+#include "envoy/config/core/v3alpha/grpc_service.pb.h"
+#include "envoy/config/grpc_credential/v3alpha/aws_iam.pb.h"
+#include "envoy/config/grpc_credential/v3alpha/aws_iam.pb.validate.h"
 #include "envoy/grpc/google_grpc_creds.h"
 #include "envoy/registry/registry.h"
 
@@ -22,7 +23,7 @@ namespace GrpcCredentials {
 namespace AwsIam {
 
 std::shared_ptr<grpc::ChannelCredentials> AwsIamGrpcCredentialsFactory::getChannelCredentials(
-    const envoy::api::v2::core::GrpcService& grpc_service_config, Api::Api& api) {
+    const envoy::config::core::v3alpha::GrpcService& grpc_service_config, Api::Api& api) {
 
   const auto& google_grpc = grpc_service_config.google_grpc();
   std::shared_ptr<grpc::ChannelCredentials> creds =
@@ -31,7 +32,8 @@ std::shared_ptr<grpc::ChannelCredentials> AwsIamGrpcCredentialsFactory::getChann
   std::shared_ptr<grpc::CallCredentials> call_creds;
   for (const auto& credential : google_grpc.call_credentials()) {
     switch (credential.credential_specifier_case()) {
-    case envoy::api::v2::core::GrpcService::GoogleGrpc::CallCredentials::kFromPlugin: {
+    case envoy::config::core::v3alpha::GrpcService::GoogleGrpc::CallCredentials::
+        CredentialSpecifierCase::kFromPlugin: {
       if (credential.from_plugin().name() == GrpcCredentialsNames::get().AwsIam) {
         AwsIamGrpcCredentialsFactory credentials_factory;
         // We don't deal with validation failures here at runtime today, see
@@ -41,7 +43,7 @@ std::shared_ptr<grpc::ChannelCredentials> AwsIamGrpcCredentialsFactory::getChann
                 credential.from_plugin(), ProtobufMessage::getNullValidationVisitor(),
                 credentials_factory);
         const auto& config = Envoy::MessageUtil::downcastAndValidate<
-            const envoy::config::grpc_credential::v2alpha::AwsIamConfig&>(
+            const envoy::config::grpc_credential::v3alpha::AwsIamConfig&>(
             *config_message, ProtobufMessage::getNullValidationVisitor());
         auto credentials_provider =
             std::make_shared<HttpFilters::Common::Aws::DefaultCredentialsProviderChain>(
@@ -72,7 +74,7 @@ std::shared_ptr<grpc::ChannelCredentials> AwsIamGrpcCredentialsFactory::getChann
 }
 
 std::string AwsIamGrpcCredentialsFactory::getRegion(
-    const envoy::config::grpc_credential::v2alpha::AwsIamConfig& config) {
+    const envoy::config::grpc_credential::v3alpha::AwsIamConfig& config) {
   std::unique_ptr<HttpFilters::Common::Aws::RegionProvider> region_provider;
   if (!config.region().empty()) {
     region_provider =

source/extensions/grpc_credentials/aws_iam/config.h

@@ -1,6 +1,7 @@
 #pragma once
 
-#include "envoy/config/grpc_credential/v2alpha/aws_iam.pb.validate.h"
+#include "envoy/config/core/v3alpha/grpc_service.pb.h"
+#include "envoy/config/grpc_credential/v3alpha/aws_iam.pb.h"
 #include "envoy/grpc/google_grpc_creds.h"
 #include "envoy/http/header_map.h"
 
@@ -20,17 +21,17 @@ namespace AwsIam {
 class AwsIamGrpcCredentialsFactory : public Grpc::GoogleGrpcCredentialsFactory {
 public:
   std::shared_ptr<grpc::ChannelCredentials>
-  getChannelCredentials(const envoy::api::v2::core::GrpcService& grpc_service_config,
+  getChannelCredentials(const envoy::config::core::v3alpha::GrpcService& grpc_service_config,
                         Api::Api& api) override;
 
   Envoy::ProtobufTypes::MessagePtr createEmptyConfigProto() {
-    return std::make_unique<envoy::config::grpc_credential::v2alpha::AwsIamConfig>();
+    return std::make_unique<envoy::config::grpc_credential::v3alpha::AwsIamConfig>();
   }
 
   std::string name() const override { return GrpcCredentialsNames::get().AwsIam; }
 
 private:
-  static std::string getRegion(const envoy::config::grpc_credential::v2alpha::AwsIamConfig& config);
+  static std::string getRegion(const envoy::config::grpc_credential::v3alpha::AwsIamConfig& config);
 };
 
 /**