Merge branch 'main' into cel-ext-regex

envoyproxy · Feb 11, 2025 · dfbcd2a · dfbcd2a
2 parents 7625f5d + 85f9080
commit dfbcd2a
Show file tree

Hide file tree

Showing 66 changed files with 1,689 additions and 292 deletions.
diff --git a/.github/workflows/codeql-daily.yml b/.github/workflows/codeql-daily.yml
@@ -34,7 +34,7 @@ jobs:
 
     # Initializes the CodeQL tools for scanning.
     - name: Initialize CodeQL
-      uses: github/codeql-action/init@df409f7d9260372bd5f19e5b04e83cb3c43714ae  # codeql-bundle-v3.27.9
+      uses: github/codeql-action/init@9e8d0789d4a0fa9ceb6b1738f7e269594bdd67f0  # codeql-bundle-v3.28.9
       # Override language selection by uncommenting this and choosing your languages
       with:
         languages: cpp
@@ -75,6 +75,6 @@ jobs:
         git clean -xdf
 
     - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@df409f7d9260372bd5f19e5b04e83cb3c43714ae  # codeql-bundle-v3.27.9
+      uses: github/codeql-action/analyze@9e8d0789d4a0fa9ceb6b1738f7e269594bdd67f0  # codeql-bundle-v3.28.9
       with:
         trap-caching: false
diff --git a/.github/workflows/codeql-push.yml b/.github/workflows/codeql-push.yml
@@ -67,7 +67,7 @@ jobs:
 
     - name: Initialize CodeQL
       if: ${{ env.BUILD_TARGETS != '' }}
-      uses: github/codeql-action/init@df409f7d9260372bd5f19e5b04e83cb3c43714ae  # codeql-bundle-v3.27.9
+      uses: github/codeql-action/init@9e8d0789d4a0fa9ceb6b1738f7e269594bdd67f0  # codeql-bundle-v3.28.9
       with:
         languages: cpp
         trap-caching: false
@@ -112,6 +112,6 @@ jobs:
 
     - name: Perform CodeQL Analysis
       if: ${{ env.BUILD_TARGETS != '' }}
-      uses: github/codeql-action/analyze@df409f7d9260372bd5f19e5b04e83cb3c43714ae  # codeql-bundle-v3.27.9
+      uses: github/codeql-action/analyze@9e8d0789d4a0fa9ceb6b1738f7e269594bdd67f0  # codeql-bundle-v3.28.9
       with:
         trap-caching: false
diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml
@@ -33,13 +33,13 @@ jobs:
         publish_results: true
 
     - name: "Upload artifact"
-      uses: actions/upload-artifact@6f51ac03b9356f520e9adb1b1b7802705f340c2b  # v4.5.0
+      uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08  # v4.6.0
       with:
         name: SARIF file
         path: results.sarif
         retention-days: 5
 
     - name: "Upload to code-scanning"
-      uses: github/codeql-action/upload-sarif@df409f7d9260372bd5f19e5b04e83cb3c43714ae  # v3.27.9
+      uses: github/codeql-action/upload-sarif@9e8d0789d4a0fa9ceb6b1738f7e269594bdd67f0  # v3.28.9
       with:
         sarif_file: results.sarif
diff --git a/.github/workflows/stale.yml b/.github/workflows/stale.yml
@@ -24,7 +24,7 @@ jobs:
 
     steps:
     - name: Prune Stale
-      uses: actions/stale@28ca1036281a5e5922ead5184a1bbf96e5fc984e  # v9.0.0
+      uses: actions/stale@5bef64f19d7facfb25b37b414482c7164d639639  # v9.1.0
       with:
         repo-token: ${{ secrets.GITHUB_TOKEN }}
         # Different amounts of days for issues/PRs are not currently supported but there is a PR

diff --git a/api/envoy/extensions/filters/http/ext_proc/v3/ext_proc.proto b/api/envoy/extensions/filters/http/ext_proc/v3/ext_proc.proto
@@ -326,6 +326,7 @@ message ExternalProcessor {
   // can only be overridden by the response message from the external processing server iff the
   // :ref:`mode_override <envoy_v3_api_field_service.ext_proc.v3.ProcessingResponse.mode_override>` is allowed by
   // the ``allowed_override_modes`` allow-list below.
+  // Since request_header_mode is not applicable in any way, it's ignored in comparison.
   repeated ProcessingMode allowed_override_modes = 22;
 }
 

diff --git a/api/envoy/extensions/filters/http/ext_proc/v3/processing_mode.proto b/api/envoy/extensions/filters/http/ext_proc/v3/processing_mode.proto
@@ -111,8 +111,8 @@ message ProcessingMode {
     FULL_DUPLEX_STREAMED = 4;
   }
 
-  // How to handle the request header. Default is "SEND". A value of "DEFAULT" (unset) should be used
-  // with :ref:`mode_override
+  // How to handle the request header. Default is "SEND".
+  // Note this field is ignored in :ref:`mode_override
   // <envoy_v3_api_field_service.ext_proc.v3.ProcessingResponse.mode_override>`, since mode
   // overrides can only affect messages exchanged after the request header is processed.
   HeaderSendMode request_header_mode = 1 [(validate.rules).enum = {defined_only: true}];

diff --git a/bazel/repository_locations.bzl b/bazel/repository_locations.bzl
@@ -1218,12 +1218,12 @@ REPOSITORY_LOCATIONS_SPEC = dict(
         project_name = "QUICHE",
         project_desc = "QUICHE (QUIC, HTTP/2, Etc) is Google‘s implementation of QUIC and related protocols",
         project_url = "https://github.com/google/quiche",
-        version = "5a433bd7de22c23700d046346bd3d3afe5c9cd07",
-        sha256 = "39951f6fff2171a36c759d64c98a9d0bd5921172a36437d719ea5cba639c3802",
+        version = "30a43fd02bc788fe9a3edebd2dbc8e79b46ff786",
+        sha256 = "5599f0a1f0f9d76cdd177bd0450308eb998e9dc4bd785577b5917995a71845f2",
         urls = ["https://github.com/google/quiche/archive/{version}.tar.gz"],
         strip_prefix = "quiche-{version}",
         use_category = ["controlplane", "dataplane_core"],
-        release_date = "2025-02-06",
+        release_date = "2025-02-10",
         cpe = "N/A",
         license = "BSD-3-Clause",
         license_url = "https://github.com/google/quiche/blob/{version}/LICENSE",

diff --git a/changelogs/current.yaml b/changelogs/current.yaml
@@ -18,6 +18,10 @@ minor_behavior_changes:
     When :ref:`mode_override <envoy_v3_api_field_service.ext_proc.v3.ProcessingResponse.mode_override>`
     headers/trailers modes have the value ``DEFAULT`` (unset), no change will be made to the processing
     mode set in the filter configuration.
+- area: ext_proc
+  change: |
+    Ignore request_header_mode field of :ref:`mode_override <envoy_v3_api_field_service.ext_proc.v3.ProcessingResponse.mode_override>`
+    when comparing the mode_override against allowed_override_modes as request_header mode override is not applicable.
 
 bug_fixes:
 # *Changes expected to improve the state of the world and are unlikely to have negative effects*

diff --git a/contrib/golang/filters/http/test/test_data/go.mod b/contrib/golang/filters/http/test/test_data/go.mod
@@ -6,7 +6,7 @@ require github.com/envoyproxy/envoy v1.24.0
 
 require (
 	github.com/cncf/xds/go v0.0.0-20241223141626-cff3c89139a3
-	google.golang.org/protobuf v1.36.2
+	google.golang.org/protobuf v1.36.5
 )
 
 require (

diff --git a/contrib/golang/router/cluster_specifier/test/test_data/simple/go.mod b/contrib/golang/router/cluster_specifier/test/test_data/simple/go.mod
@@ -15,7 +15,7 @@ require (
 require (
 	github.com/envoyproxy/protoc-gen-validate v1.0.2 // indirect
 	github.com/golang/protobuf v1.5.3 // indirect
-	google.golang.org/protobuf v1.36.2
+	google.golang.org/protobuf v1.36.5
 )
 
 replace github.com/envoyproxy/envoy => ../../../../../../../
diff --git a/contrib/golang/upstreams/http/tcp/test/test_data/go.mod b/contrib/golang/upstreams/http/tcp/test/test_data/go.mod
@@ -4,6 +4,6 @@ go 1.22
 
 require github.com/envoyproxy/envoy v1.24.0
 
-require google.golang.org/protobuf v1.36.1
+require google.golang.org/protobuf v1.36.5
 
 replace github.com/envoyproxy/envoy => ../../../../../../../
diff --git a/docs/root/configuration/security/secret.rst b/docs/root/configuration/security/secret.rst
@@ -39,7 +39,7 @@ It follows the same protocol as other :ref:`xDS <xds_protocol>`.
 SDS Configuration
 -----------------
 
-:ref:`SdsSecretConfig <envoy_v3_api_msg_extensions.transport_sockets.tls.v3.SdsSecretConfig>` is used to specify the secret. Its field *name* is a required field. If its *sds_config* field is empty, the *name* field specifies the secret in the bootstrap static_resource :ref:`secrets <envoy_v3_api_field_config.bootstrap.v3.Bootstrap.StaticResources.secrets>`. Otherwise, it specifies the SDS server as :ref:`ConfigSource <envoy_v3_api_msg_config.core.v3.ConfigSource>`. Only gRPC is supported for the SDS service so its *api_config_source* must specify a **grpc_service**.
+:ref:`SdsSecretConfig <envoy_v3_api_msg_extensions.transport_sockets.tls.v3.SdsSecretConfig>` is used to specify the secret. Its field *name* is a required field. If its *sds_config* field is empty, the *name* field specifies the secret in the bootstrap static_resource :ref:`secrets <envoy_v3_api_field_config.bootstrap.v3.Bootstrap.StaticResources.secrets>`. Otherwise, it specifies the SDS server as :ref:`ConfigSource <envoy_v3_api_msg_config.core.v3.ConfigSource>`. When using a remote SDS service, the *api_config_source* must specify a **grpc_service** as only gRPC is supported.
 
 *SdsSecretConfig* is used in two fields in :ref:`CommonTlsContext <envoy_v3_api_msg_extensions.transport_sockets.tls.v3.CommonTlsContext>`. The first field is *tls_certificate_sds_secret_configs* to use SDS to get :ref:`TlsCertificate <envoy_v3_api_msg_extensions.transport_sockets.tls.v3.TlsCertificate>`. The second field is *validation_context_sds_secret_config* to use SDS to get :ref:`CertificateValidationContext <envoy_v3_api_msg_extensions.transport_sockets.tls.v3.CertificateValidationContext>`.
 
@@ -177,11 +177,13 @@ In contrast, :ref:`sds_server_example` requires a restart to reload xDS certific
             tls_certificate_sds_secret_configs:
               name: tls_sds
               sds_config:
-                path: /etc/envoy/tls_certificate_sds_secret.yaml
+                path_config_source:
+                  path: /etc/envoy/tls_certificate_sds_secret.yaml
             validation_context_sds_secret_config:
               name: validation_context_sds
               sds_config:
-                path: /etc/envoy/validation_context_sds_secret.yaml
+                path_config_source:
+                  path: /etc/envoy/validation_context_sds_secret.yaml
 
 Paths to client certificate, including client's certificate chain and private key are given in SDS config file ``/etc/envoy/tls_certificate_sds_secret.yaml``:
 

diff --git a/envoy/formatter/http_formatter_context.h b/envoy/formatter/http_formatter_context.h
@@ -17,6 +17,16 @@ using AccessLogType = envoy::data::accesslog::v3::AccessLogType;
  */
 class HttpFormatterContext {
 public:
+  /**
+   * Interface for a context extension which can be used to provide non-HTTP specific data to
+   * formatters. This could be used for non-HTTP protocols to provide protocol specific data to
+   * formatters.
+   */
+  class Extension {
+  public:
+    virtual ~Extension() = default;
+  };
+
   /**
    * Constructor that uses the provided request/response headers, response trailers, local reply
    * body, and access log type. Any of the parameters can be nullptr/empty.
@@ -135,14 +145,39 @@ class HttpFormatterContext {
    */
   static constexpr absl::string_view category() { return "http"; }
 
+  /**
+   * Set the context extension.
+   * @param extension supplies the context extension.
+   */
+  HttpFormatterContext& setExtension(const Extension& extension) {
+    extension_ = extension;
+    return *this;
+  }
+
+  /**
+   * @return OptRef<const ContextExtension> the context extension.
+   */
+  OptRef<const Extension> extension() const { return extension_; }
+
+  /**
+   * @return OptRef<const ExtensionType> the context extension casted to the specified type.
+   */
+  template <class Type> OptRef<const Type> typedExtension() const {
+    const Type* typed_extension = dynamic_cast<const Type*>(extension_.ptr());
+    return makeOptRefFromPtr(typed_extension);
+  }
+
 private:
   const Http::RequestHeaderMap* request_headers_{};
   const Http::ResponseHeaderMap* response_headers_{};
   const Http::ResponseTrailerMap* response_trailers_{};
   absl::string_view local_reply_body_{};
   AccessLogType log_type_{AccessLogType::NotSet};
   const Tracing::Span* active_span_ = nullptr;
+  OptRef<const Extension> extension_;
 };
 
+using Context = HttpFormatterContext;
+
 } // namespace Formatter
 } // namespace Envoy
diff --git a/envoy/network/BUILD b/envoy/network/BUILD
@@ -106,7 +106,9 @@ envoy_cc_library(
     name = "drain_decision_interface",
     hdrs = ["drain_decision.h"],
     deps = [
-        "//envoy/common:pure_lib",
+        "//envoy/common:callback",
+        "@com_google_absl//absl/base",
+        "@com_google_absl//absl/status",
     ],
 )
 

diff --git a/envoy/network/drain_decision.h b/envoy/network/drain_decision.h
@@ -1,19 +1,40 @@
 #pragma once
 
+#include <chrono>
+#include <functional>
+
+#include "envoy/common/callback.h"
 #include "envoy/common/pure.h"
 
+#include "absl/base/attributes.h"
+#include "absl/status/status.h"
+
 namespace Envoy {
 namespace Network {
 
 class DrainDecision {
 public:
+  using DrainCloseCb = std::function<absl::Status(std::chrono::milliseconds)>;
+
   virtual ~DrainDecision() = default;
 
   /**
    * @return TRUE if a connection should be drained and closed. It is up to individual network
    *         filters to determine when this should be called for the least impact possible.
    */
   virtual bool drainClose() const PURE;
+
+  /**
+   * @brief Register a callback to be called proactively when a drain decision enters into a
+   *        'close' state.
+   *        NOTE: this API is used in prorietary builds of Envoy and can not be decommissioned.
+   *        TODO(yanavlasov): cleanup unused parts of this change without removing this API.
+   *
+   * @param cb Callback to be called once drain decision enters close state
+   * @return handle to remove callback
+   */
+  ABSL_MUST_USE_RESULT
+  virtual Common::CallbackHandlePtr addOnDrainCloseCb(DrainCloseCb cb) const PURE;
 };
 
 } // namespace Network

diff --git a/envoy/server/BUILD b/envoy/server/BUILD
@@ -52,7 +52,12 @@ envoy_cc_library(
 envoy_cc_library(
     name = "drain_manager_interface",
     hdrs = ["drain_manager.h"],
-    deps = ["//envoy/network:drain_decision_interface"],
+    deps = [
+        "//envoy/event:dispatcher_interface",
+        "//envoy/network:drain_decision_interface",
+        "//envoy/thread_local:thread_local_object",
+        "@envoy_api//envoy/config/listener/v3:pkg_cc_proto",
+    ],
 )
 
 envoy_cc_library(

diff --git a/envoy/server/drain_manager.h b/envoy/server/drain_manager.h
@@ -3,17 +3,43 @@
 #include <functional>
 #include <memory>
 
+#include "envoy/config/listener/v3/listener.pb.h"
+#include "envoy/event/dispatcher.h"
 #include "envoy/network/drain_decision.h"
+#include "envoy/thread_local/thread_local_object.h"
 
 namespace Envoy {
 namespace Server {
 
+class DrainManager;
+using DrainManagerPtr = std::unique_ptr<DrainManager>;
+
 /**
  * Handles connection draining. This concept is used globally during hot restart / server draining
- * as well as on individual listeners when they are being dynamically removed.
+ * as well as on individual listeners and filter-chains when they are being dynamically removed.
  */
-class DrainManager : public Network::DrainDecision {
+class DrainManager : public Network::DrainDecision, public ThreadLocal::ThreadLocalObject {
 public:
+  /**
+   * @brief Create a child drain-manager. Will proxy the drain status from the parent, but can also
+   * be used to enact local draining.
+   *
+   * Child managers can be used to construct "drain trees" where each node in the tree can drain
+   * independently of it's parent node, but the drain status cascades to child nodes.
+   *
+   * A notable difference to drain callbacks is that child managers are notified immediately and
+   * without a delay timing. Additionally, notifications from parent to child is a thread-safe
+   * operation whereas callback registration and triggering is not.
+   *
+   * @param dispatcher Dispatcher for the current thread in which the new child drain-manager will
+   * exist.
+   * @param drain_type The drain-type for the manager. May be different from the parent manager.
+   */
+  virtual DrainManagerPtr
+  createChildManager(Event::Dispatcher& dispatcher,
+                     envoy::config::listener::v3::Listener::DrainType drain_type) PURE;
+  virtual DrainManagerPtr createChildManager(Event::Dispatcher& dispatcher) PURE;
+
   /**
    * Invoked to begin the drain procedure. (Making drain close operations more likely).
    * @param drain_complete_cb will be invoked once the drain sequence is finished. The parameter is

diff --git a/go.mod b/go.mod
@@ -2,6 +2,6 @@ module github.com/envoyproxy/envoy
 
 go 1.22
 
-require google.golang.org/protobuf v1.36.1
+require google.golang.org/protobuf v1.36.5
 
 require github.com/google/go-cmp v0.5.9 // indirect
diff --git a/go.sum b/go.sum
@@ -1,4 +1,4 @@
 github.com/google/go-cmp v0.5.9 h1:O2Tfq5qg4qc4AmwVlvv0oLiVAGB7enBSJ2x2DqQFi38=
 github.com/google/go-cmp v0.5.9/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
-google.golang.org/protobuf v1.36.1 h1:yBPeRvTftaleIgM3PZ/WBIZ7XM/eEYAaEyCwvyjq/gk=
-google.golang.org/protobuf v1.36.1/go.mod h1:9fA7Ob0pmnwhb644+1+CVWFRbNajQ6iRojtC/QF5bRE=
+google.golang.org/protobuf v1.36.5 h1:tPhr+woSbjfYvY6/GPufUoYizxw1cF/yFoxJ2fmpwlM=
+google.golang.org/protobuf v1.36.5/go.mod h1:9fA7Ob0pmnwhb644+1+CVWFRbNajQ6iRojtC/QF5bRE=
diff --git a/mobile/envoy_build_config/BUILD b/mobile/envoy_build_config/BUILD
@@ -19,7 +19,6 @@ envoy_cc_library(
     deps = [
         "extension_registry_platform_additions",
         "@envoy//source/common/http/matching:inputs_lib",
-        "@envoy//source/common/network:default_client_connection_factory",
         "@envoy//source/common/network:socket_lib",
         "@envoy//source/common/quic:quic_transport_socket_factory_lib",
         "@envoy//source/common/router:upstream_codec_filter_lib",

diff --git a/mobile/library/common/BUILD b/mobile/library/common/BUILD
@@ -25,6 +25,7 @@ envoy_cc_library(
     deps = [
         ":engine_common_lib",
         ":engine_types_lib",
+        ":mobile_process_wide_lib",
         "//library/common/bridge:utility_lib",
         "//library/common/event:provisional_dispatcher_lib",
         "//library/common/http:client_lib",
@@ -91,3 +92,19 @@ envoy_cc_library(
         "@envoy//source/common/http:header_map_lib",
     ],
 )
+
+envoy_cc_library(
+    name = "mobile_process_wide_lib",
+    srcs = [
+        "mobile_process_wide.cc",
+    ],
+    hdrs = [
+        "mobile_process_wide.h",
+    ],
+    repository = "@envoy",
+    deps = [
+        "@envoy//source/common/common:minimal_logger_lib",
+        "@envoy//source/common/common:thread_lib",
+        "@envoy//source/server:options_base",
+    ],
+)
diff --git a/mobile/library/common/engine_common.cc b/mobile/library/common/engine_common.cc
@@ -98,12 +98,11 @@ EngineCommon::EngineCommon(std::shared_ptr<Envoy::OptionsImplBase> options) : op
         server->initialize(local_address, component_factory);
         return server;
       };
-  // `set_new_handler` is false because the application using Envoy Mobile should decide how to
-  // handle `new` memory allocation failures.
-  base_ = std::make_unique<StrippedMainBase>(
-      *options_, real_time_system_, default_listener_hooks_, prod_component_factory_,
-      std::make_unique<PlatformImpl>(), std::make_unique<Random::RandomGeneratorImpl>(), nullptr,
-      create_instance, /*set_new_handler=*/false);
+  auto random_generator = std::make_unique<Random::RandomGeneratorImpl>();
+  base_ = std::make_unique<StrippedMainBase>(*options_, prod_component_factory_,
+                                             std::make_unique<PlatformImpl>(), *random_generator);
+  base_->init(real_time_system_, default_listener_hooks_, std::move(random_generator), nullptr,
+              create_instance);
   // Disabling signal handling in the options makes it so that the server's event dispatcher _does
   // not_ listen for termination signals such as SIGTERM, SIGINT, etc
   // (https://github.com/envoyproxy/envoy/blob/048f4231310fbbead0cbe03d43ffb4307fff0517/source/server/server.cc#L519).