Merge branch 'main' into metadata-matcher

Signed-off-by: Vikas Choudhary <[email protected]>

api/envoy/extensions/quic/server_preferred_address/v3/BUILD

@@ -8,6 +8,5 @@ api_proto_package(
     deps = [
         "//envoy/config/core/v3:pkg",
         "@com_github_cncf_xds//udpa/annotations:pkg",
-        "@com_github_cncf_xds//xds/annotations/v3:pkg",
     ],
 )

api/envoy/extensions/quic/server_preferred_address/v3/datasource.proto

@@ -4,8 +4,6 @@ package envoy.extensions.quic.server_preferred_address.v3;
 
 import "envoy/config/core/v3/base.proto";
 
-import "xds/annotations/v3/status.proto";
-
 import "udpa/annotations/status.proto";
 import "validate/validate.proto";
 
@@ -20,10 +18,6 @@ option (udpa.annotations.file_status).package_version_status = ACTIVE;
 
 // Configuration for DataSourceServerPreferredAddressConfig.
 message DataSourceServerPreferredAddressConfig {
-  // [#comment:TODO(danzh2010): discuss with API shepherds before removing WiP status.]
-
-  option (xds.annotations.v3.message_status).work_in_progress = true;
-
   // Addresses for server preferred address for a single address family (IPv4 or IPv6).
   message AddressFamilyConfig {
     // The server preferred address sent to clients. The data must contain an IP address string.

api/envoy/extensions/quic/server_preferred_address/v3/fixed_server_preferred_address_config.proto

@@ -4,8 +4,6 @@ package envoy.extensions.quic.server_preferred_address.v3;
 
 import "envoy/config/core/v3/address.proto";
 
-import "xds/annotations/v3/status.proto";
-
 import "udpa/annotations/status.proto";
 
 option java_package = "io.envoyproxy.envoy.extensions.quic.server_preferred_address.v3";
@@ -19,10 +17,6 @@ option (udpa.annotations.file_status).package_version_status = ACTIVE;
 
 // Configuration for FixedServerPreferredAddressConfig.
 message FixedServerPreferredAddressConfig {
-  // [#comment:TODO(danzh2010): discuss with API shepherds before removing WiP status.]
-
-  option (xds.annotations.v3.message_status).work_in_progress = true;
-
   // Addresses for server preferred address for a single address family (IPv4 or IPv6).
   message AddressFamilyConfig {
     // The server preferred address sent to clients.

bazel/external/BUILD

@@ -7,14 +7,10 @@ exports_files(["boringssl_fips.genrule_cmd"])
 cc_library(
     name = "all_external",
     srcs = [":empty.cc"],
-    defines = ["OPENTRACING_STATIC"],
-    # TODO: external/io_opentracing_cpp/BUILD.bazel:19:1: Executing genrule
-    # @io_opentracing_cpp//:generate_version_h failed - needs porting
     tags = ["skip_on_windows"],
     deps = [
         "@com_github_datadog_dd_trace_cpp//:dd_trace_cpp",
         "@com_google_googletest//:gtest",
-        "@io_opentracing_cpp//:opentracing",
     ],
 )
 

bazel/external/quiche.BUILD

@@ -3102,6 +3102,7 @@ envoy_quic_cc_library(
         ":quic_core_http_spdy_utils_lib",
         ":quic_core_types_lib",
         ":quic_platform_base",
+        "@com_google_absl//absl/base:nullability",
     ],
 )
 

bazel/foreign_cc/cares.patch

@@ -0,0 +1,58 @@
+From a070d7835d667b2fae5266fe1b790677dae47d25 Mon Sep 17 00:00:00 2001
+From: Brad House <[email protected]>
+Date: Thu, 12 Oct 2023 09:29:14 -0400
+Subject: [PATCH] Socket callbacks were passed SOCK_STREAM instead of
+ SOCK_DGRAM on udp
+
+A regression was introduced in 1.20.0 that would pass SOCK_STREAM on udp
+connections due to code refactoring.  If a client application validated this
+data, it could cause issues as seen in gRPC.
+
+Fixes Issue: #571
+Fix By: Brad House (@bradh352)
+---
+ src/lib/ares_process.c | 10 ++++------
+ 1 file changed, 4 insertions(+), 6 deletions(-)
+
+diff --git a/src/lib/ares_process.c b/src/lib/ares_process.c
+index ca597db7ad..2f8e4de30d 100644
+--- a/src/lib/ares_process.c
++++ b/src/lib/ares_process.c
+@@ -1065,6 +1065,7 @@ static ares_status_t open_socket(ares_channel channel,
+   unsigned short port;
+   struct server_connection *conn;
+   ares__llist_node_t *node;
++  int type = is_tcp?SOCK_STREAM:SOCK_DGRAM;
+
+   if (is_tcp) {
+     port = aresx_sitous(server->addr.tcp_port?
+@@ -1098,8 +1099,7 @@ static ares_status_t open_socket(ares_channel channel,
+   }
+
+   /* Acquire a socket. */
+-  s = ares__open_socket(channel, server->addr.family,
+-                        is_tcp?SOCK_STREAM:SOCK_DGRAM, 0);
++  s = ares__open_socket(channel, server->addr.family, type, 0);
+   if (s == ARES_SOCKET_BAD)
+     return ARES_ECONNREFUSED;
+
+@@ -1129,8 +1129,7 @@ static ares_status_t open_socket(ares_channel channel,
+ #endif
+
+   if (channel->sock_config_cb) {
+-    int err = channel->sock_config_cb(s, SOCK_STREAM,
+-                                      channel->sock_config_cb_data);
++    int err = channel->sock_config_cb(s, type, channel->sock_config_cb_data);
+     if (err < 0) {
+       ares__close_socket(channel, s);
+       return ARES_ECONNREFUSED;
+@@ -1148,8 +1147,7 @@ static ares_status_t open_socket(ares_channel channel,
+   }
+
+   if (channel->sock_create_cb) {
+-    int err = channel->sock_create_cb(s, SOCK_STREAM,
+-                                      channel->sock_create_cb_data);
++    int err = channel->sock_create_cb(s, type, channel->sock_create_cb_data);
+     if (err < 0) {
+       ares__close_socket(channel, s);
+       return ARES_ECONNREFUSED;

bazel/repositories.bzl

@@ -333,7 +333,6 @@ def envoy_dependencies(skip_targets = []):
     _com_googlesource_googleurl()
     _io_hyperscan()
     _io_vectorscan()
-    _io_opentracing_cpp()
     _io_opentelemetry_api_cpp()
     _net_colm_open_source_colm()
     _net_colm_open_source_ragel()
@@ -444,6 +443,11 @@ def _com_github_c_ares_c_ares():
     external_http_archive(
         name = "com_github_c_ares_c_ares",
         build_file_content = BUILD_ALL_CONTENT,
+        # Patch c-ares library aith commit
+        # https://github.com/c-ares/c-ares/commit/a070d7835d667b2fae5266fe1b790677dae47d25
+        # This commit fixes an issue when the gRPC library attempts to resolve a domain name.
+        patches = ["@envoy//bazel/foreign_cc:cares.patch"],
+        patch_args = ["-p1"],
     )
     native.bind(
         name = "ares",
@@ -757,18 +761,6 @@ def _io_vectorscan():
         patches = ["@envoy//bazel/foreign_cc:vectorscan.patch"],
     )
 
-def _io_opentracing_cpp():
-    external_http_archive(
-        name = "io_opentracing_cpp",
-        patch_args = ["-p1"],
-        # Workaround for LSAN false positive in https://github.com/envoyproxy/envoy/issues/7647
-        patches = ["@envoy//bazel:io_opentracing_cpp.patch"],
-    )
-    native.bind(
-        name = "opentracing",
-        actual = "@io_opentracing_cpp//:opentracing",
-    )
-
 def _io_opentelemetry_api_cpp():
     external_http_archive(name = "io_opentelemetry_cpp")
     native.bind(
@@ -1133,10 +1125,6 @@ def _com_github_google_quiche():
     external_http_archive(
         name = "com_github_google_quiche",
         patch_cmds = ["find quiche/ -type f -name \"*.bazel\" -delete"],
-        patches = [
-            "@envoy//bazel/external:quiche_sequencer_fix.patch",
-        ],
-        patch_args = ["-p1"],
         build_file = "@envoy//bazel/external:quiche.BUILD",
     )
     native.bind(

bazel/repository_locations.bzl

@@ -563,24 +563,6 @@ REPOSITORY_LOCATIONS_SPEC = dict(
         license = "BSD-3-Clause",
         license_url = "https://github.com/VectorCamp/vectorscan/blob/vectorscan/{version}/LICENSE",
     ),
-    io_opentracing_cpp = dict(
-        project_name = "OpenTracing",
-        project_desc = "Vendor-neutral APIs and instrumentation for distributed tracing",
-        project_url = "https://opentracing.io",
-        version = "1.5.1",
-        sha256 = "015c4187f7a6426a2b5196f0ccd982aa87f010cf61f507ae3ce5c90523f92301",
-        strip_prefix = "opentracing-cpp-{version}",
-        urls = ["https://github.com/opentracing/opentracing-cpp/archive/v{version}.tar.gz"],
-        use_category = ["observability_ext"],
-        extensions = [
-            "envoy.tracers.datadog",
-            "envoy.tracers.dynamic_ot",
-        ],
-        release_date = "2019-01-16",
-        cpe = "N/A",
-        license = "Apache-2.0",
-        license_url = "https://github.com/opentracing/opentracing-cpp/blob/v{version}/LICENSE",
-    ),
     io_opentelemetry_cpp = dict(
         project_name = "OpenTelemetry",
         project_desc = "Observability framework and toolkit designed to create and manage telemetry data such as traces, metrics, and logs.",
@@ -1204,12 +1186,12 @@ REPOSITORY_LOCATIONS_SPEC = dict(
         project_name = "QUICHE",
         project_desc = "QUICHE (QUIC, HTTP/2, Etc) is Google‘s implementation of QUIC and related protocols",
         project_url = "https://github.com/google/quiche",
-        version = "f8ca4ffbe5eb5c099bd11ba3e90553fa282c8421",
-        sha256 = "7648ede3f32bc6367a629b245d268c9be47ba05e23b4345a54152dabeba387d9",
+        version = "f4ed5e0c74485fb302367b833b8974373fed9e4c",
+        sha256 = "05e40b18e78b76a14bfa02eca1d6ebcf4c2ea0333c5db9fbe04287f912db2c20",
         urls = ["https://github.com/google/quiche/archive/{version}.tar.gz"],
         strip_prefix = "quiche-{version}",
         use_category = ["controlplane", "dataplane_core"],
-        release_date = "2024-07-17",
+        release_date = "2024-07-26",
         cpe = "N/A",
         license = "BSD-3-Clause",
         license_url = "https://github.com/google/quiche/blob/{version}/LICENSE",

changelogs/current.yaml

@@ -26,6 +26,9 @@ bug_fixes:
 - area: quic
   change: |
     Fixes access log formatter %CONNECTION_ID% for QUIC connections.
+- area: c-ares
+  change: |
+    Applying a C-ares patch to fix DNS resoultion by the Google gRPC library.
 - area: ext_authz
   change: |
     Fixed fail-open behavior of the :ref:`failure_mode_allow config option
@@ -77,6 +80,10 @@ removed_config_or_runtime:
 - area: stateful_session
   change: |
     Removed ``envoy.reloadable_features.stateful_session_encode_ttl_in_cookie`` runtime flag and legacy code paths.
+- area: upstream flow control
+  change: |
+    Removed ``envoy.reloadable_features.upstream_wait_for_response_headers_before_disabling_read`` runtime flag
+    and legacy code paths.
 
 new_features:
 - area: tls
@@ -108,5 +115,9 @@ new_features:
   change: |
     Added dynamic metadata matcher support :ref:`Dynamic metadata input <extension_envoy.matching.inputs.dynamic_metadata>`
     and :ref:`Dynamic metadata input matcher <extension_envoy.matching.matchers.metadata_matcher>`.
+- area: access_log
+  change: |
+    Added new access log command operators ``%START_TIME_LOCAL%`` and ``%EMIT_TIME_LOCAL%``,
+    similar to  ``%START_TIME%`` and ``%EMIT_TIME%``, but use local time zone.
 
 deprecated:

docs/root/configuration/observability/access_log/usage.rst

@@ -170,6 +170,11 @@ The following command operators are supported:
 
   In typed JSON logs, START_TIME is always rendered as a string.
 
+.. _config_access_log_format_start_time_local:
+
+%START_TIME_LOCAL%
+  Same as :ref:`START_TIME <config_access_log_format_start_time>`, but use local time zone.
+
 .. _config_access_log_format_emit_time:
 
 %EMIT_TIME%
@@ -178,6 +183,11 @@ The following command operators are supported:
   EMIT_TIME can be customized using a `format string <https://en.cppreference.com/w/cpp/io/manip/put_time>`_.
   See :ref:`START_TIME <config_access_log_format_start_time>` for additional format specifiers and examples.
 
+.. _config_access_log_format_emit_time_local:
+
+%EMIT_TIME_LOCAL%
+  Same as :ref:`EMIT_TIME <config_access_log_format_emit_time>`, but use local time zone.
+
 %REQUEST_HEADERS_BYTES%
   HTTP
     Uncompressed bytes of request headers.

envoy/http/http_server_properties_cache.h

@@ -199,18 +199,5 @@ class HttpServerPropertiesCacheManager {
 
 using HttpServerPropertiesCacheManagerSharedPtr = std::shared_ptr<HttpServerPropertiesCacheManager>;
 
-/**
- * Factory for getting an alternate protocols cache manager.
- */
-class HttpServerPropertiesCacheManagerFactory {
-public:
-  virtual ~HttpServerPropertiesCacheManagerFactory() = default;
-
-  /**
-   * Get the alternate protocols cache manager.
-   */
-  virtual HttpServerPropertiesCacheManagerSharedPtr get() PURE;
-};
-
 } // namespace Http
 } // namespace Envoy

envoy/server/BUILD

@@ -181,6 +181,7 @@ envoy_cc_library(
         "//envoy/http:codes_interface",
         "//envoy/http:context_interface",
         "//envoy/http:filter_interface",
+        "//envoy/http:http_server_properties_cache_interface",
         "//envoy/init:manager_interface",
         "//envoy/local_info:local_info_interface",
         "//envoy/network:drain_decision_interface",

envoy/server/factory_context.h

@@ -13,6 +13,7 @@
 #include "envoy/http/codes.h"
 #include "envoy/http/context.h"
 #include "envoy/http/filter.h"
+#include "envoy/http/http_server_properties_cache.h"
 #include "envoy/init/manager.h"
 #include "envoy/network/drain_decision.h"
 #include "envoy/network/filter.h"
@@ -120,6 +121,11 @@ class CommonFactoryContext {
    */
   virtual Upstream::ClusterManager& clusterManager() PURE;
 
+  /**
+   * @return const Http::HttpServerPropertiesCacheManager& instance for use by the entire server.
+   */
+  virtual Http::HttpServerPropertiesCacheManager& httpServerPropertiesCacheManager() PURE;
+
   /**
    * @return TimeSource& a reference to the time source.
    */

envoy/server/instance.h

@@ -13,6 +13,7 @@
 #include "envoy/event/timer.h"
 #include "envoy/grpc/context.h"
 #include "envoy/http/context.h"
+#include "envoy/http/http_server_properties_cache.h"
 #include "envoy/init/manager.h"
 #include "envoy/local_info/local_info.h"
 #include "envoy/network/listen_socket.h"
@@ -71,6 +72,11 @@ class Instance {
    */
   virtual const Upstream::ClusterManager& clusterManager() const PURE;
 
+  /**
+   * @return const Http::HttpServerPropertiesCacheManager& instance for use by the entire server.
+   */
+  virtual Http::HttpServerPropertiesCacheManager& httpServerPropertiesCacheManager() PURE;
+
   /**
    * @return Ssl::ContextManager& singleton for use by the entire server.
    */

mobile/examples/java/hello_world/MainActivity.java

@@ -137,7 +137,7 @@ private void makeRequest() {
           return Unit.INSTANCE;
         })
         .start(Executors.newSingleThreadExecutor())
-        .sendHeaders(requestHeaders, true);
+        .sendHeaders(requestHeaders, /* endStream= */ true, /* idempotent= */ false);
 
     clear_text = !clear_text;
   }

mobile/library/cc/stream.cc

@@ -10,8 +10,8 @@ namespace Platform {
 
 Stream::Stream(InternalEngine* engine, envoy_stream_t handle) : engine_(engine), handle_(handle) {}
 
-Stream& Stream::sendHeaders(Http::RequestHeaderMapPtr headers, bool end_stream) {
-  engine_->sendHeaders(handle_, std::move(headers), end_stream);
+Stream& Stream::sendHeaders(Http::RequestHeaderMapPtr headers, bool end_stream, bool idempotent) {
+  engine_->sendHeaders(handle_, std::move(headers), end_stream, idempotent);
   return *this;
 }
 

mobile/library/cc/stream.h

@@ -21,8 +21,11 @@ class Stream {
    *
    * @param headers the headers to send.
    * @param end_stream indicates whether to close the stream locally after sending this frame.
+   * @param idempotent indicates that the request is idempotent. When idempotent is set to true
+   *                   Envoy Mobile will retry on HTTP/3 post-handshake failures. By default, it is
+   *                   set to false.
    */
-  Stream& sendHeaders(Http::RequestHeaderMapPtr headers, bool end_stream);
+  Stream& sendHeaders(Http::RequestHeaderMapPtr headers, bool end_stream, bool idempotent = false);
 
   /**
    * Send data over an open HTTP stream. This method can be invoked multiple times.