Merge branch 'main' into proxy_ssl_port

Signed-off-by: Fredy Wijaya <[email protected]>

.github/workflows/envoy-sync.yml

@@ -7,6 +7,8 @@ on:
   push:
     branches:
     - main
+    - release/v1.28
+    - release/v1.31
   workflow_dispatch:
 
 concurrency:
@@ -19,6 +21,7 @@ jobs:
     if: >-
       ${{
           github.repository == 'envoyproxy/envoy'
+          && (github.ref_name == 'main')
           && (github.event.push
               || !contains(github.actor, '[bot]'))
       }}
@@ -42,3 +45,32 @@ jobs:
         ref: main
         token: ${{ steps.appauth.outputs.token }}
         workflow: envoy-sync.yaml
+
+  sync-release:
+    runs-on: ubuntu-22.04
+    if: >-
+      ${{
+          github.repository == 'envoyproxy/envoy'
+          && contains(fromJSON('["main", "release/v1.28", "release/v1.31"]'), github.ref_name)
+          && (github.event.push
+              || !contains(github.actor, '[bot]'))
+      }}
+    strategy:
+      fail-fast: false
+      matrix:
+        downstream:
+        - envoy-openssl
+    steps:
+    - uses: envoyproxy/toolshed/gh-actions/[email protected]
+      id: appauth
+      with:
+        app_id: ${{ secrets.ENVOY_CI_SYNC_APP_ID }}
+        key: ${{ secrets.ENVOY_CI_SYNC_APP_KEY }}
+    - uses: envoyproxy/toolshed/gh-actions/[email protected]
+      with:
+        repository: "envoyproxy/${{ matrix.downstream }}"
+        ref: release/v1.28
+        token: ${{ steps.appauth.outputs.token }}
+        workflow: envoy-sync-receive.yaml
+        inputs: |
+          branch: ${{ github.ref_name }}

api/BUILD

@@ -382,6 +382,7 @@ proto_library(
     visibility = ["//visibility:public"],
     deps = [
         "@com_github_cncf_xds//xds/core/v3:pkg",
+        "@com_github_cncf_xds//xds/data/orca/v3:pkg",
         "@com_github_cncf_xds//xds/type/matcher/v3:pkg",
         "@com_github_cncf_xds//xds/type/v3:pkg",
     ],

api/bazel/repository_locations.bzl

@@ -52,9 +52,9 @@ REPOSITORY_LOCATIONS_SPEC = dict(
         project_desc = "xDS API Working Group (xDS-WG)",
         project_url = "https://github.com/cncf/xds",
         # During the UDPA -> xDS migration, we aren't working with releases.
-        version = "555b57ec207be86f811fb0c04752db6f85e3d7e2",
-        sha256 = "0c8c4f0f67fed967b51049f7d5e2ca7a9bd433970a29c88e272c8665328172f5",
-        release_date = "2024-04-23",
+        version = "b4127c9b8d78b77423fd25169f05b7476b6ea932",
+        sha256 = "aa5f1596bbef3f277dcf4700e4c1097b34301ae66f3b79cd731e3adfbaff2f8f",
+        release_date = "2024-09-05",
         strip_prefix = "xds-{version}",
         urls = ["https://github.com/cncf/xds/archive/{version}.tar.gz"],
         use_category = ["api"],

api/envoy/config/cluster/v3/cluster.proto

@@ -1162,14 +1162,13 @@ message Cluster {
   // from the LRS stream here.]
   core.v3.ConfigSource lrs_server = 42;
 
-  // [#not-implemented-hide:]
-  // A list of metric names from ORCA load reports to propagate to LRS.
+  // A list of metric names from :ref:`ORCA load reports <envoy_v3_api_msg_.xds.data.orca.v3.OrcaLoadReport>` to propagate to LRS.
   //
   // If not specified, then ORCA load reports will not be propagated to LRS.
   //
   // For map fields in the ORCA proto, the string will be of the form ``<map_field_name>.<map_key>``.
   // For example, the string ``named_metrics.foo`` will mean to look for the key ``foo`` in the ORCA
-  // ``named_metrics`` field.
+  // :ref:`named_metrics <envoy_v3_api_field_.xds.data.orca.v3.OrcaLoadReport.named_metrics>` field.
   //
   // The special map key ``*`` means to report all entries in the map (e.g., ``named_metrics.*`` means to
   // report all entries in the ORCA named_metrics field). Note that this should be used only with trusted

api/envoy/extensions/filters/http/ext_authz/v3/ext_authz.proto

@@ -30,7 +30,7 @@ option (udpa.annotations.file_status).package_version_status = ACTIVE;
 // External Authorization :ref:`configuration overview <config_http_filters_ext_authz>`.
 // [#extension: envoy.filters.http.ext_authz]
 
-// [#next-free-field: 29]
+// [#next-free-field: 30]
 message ExtAuthz {
   option (udpa.annotations.versioning).previous_message_type =
       "envoy.config.filter.http.ext_authz.v3.ExtAuthz";
@@ -296,6 +296,17 @@ message ExtAuthz {
   // added to StreamInfo's filter state under the namespace corresponding to the ext_authz filter
   // name.
   google.protobuf.Struct filter_metadata = 28;
+
+  // When set to true, the filter will emit per-stream stats for access logging. The filter state
+  // key will be the same as the filter name.
+  //
+  // If using Envoy GRPC, emits latency, bytes sent / received, upstream info, and upstream cluster
+  // info. If not using Envoy GRPC, emits only latency. Note that stats are ONLY added to filter
+  // state if a check request is actually made to an ext_authz service.
+  //
+  // If this is false the filter will not emit stats, but filter_metadata will still be respected if
+  // it has a value.
+  bool emit_filter_state_stats = 29;
 }
 
 // Configuration for buffering the request data.

bazel/repository_locations.bzl

@@ -948,13 +948,13 @@ REPOSITORY_LOCATIONS_SPEC = dict(
         project_name = "grpc-httpjson-transcoding",
         project_desc = "Library that supports transcoding so that HTTP/JSON can be converted to gRPC",
         project_url = "https://github.com/grpc-ecosystem/grpc-httpjson-transcoding",
-        version = "ff41eb3fc9209e6197595b54f7addfa244c0bdb6",
-        sha256 = "dea66b3d2dfc150373697e25b1327877e0b7480dc2bacfff1e3fd7aa00b12790",
+        version = "20e58e7ef9c3878ae9fc89123b9aba36d6f98a7f",
+        sha256 = "2f0ea248c59f51e5376f23590a986813b96076531ffe27a805f7a37407a81a87",
         strip_prefix = "grpc-httpjson-transcoding-{version}",
         urls = ["https://github.com/grpc-ecosystem/grpc-httpjson-transcoding/archive/{version}.tar.gz"],
         use_category = ["dataplane_ext"],
         extensions = ["envoy.filters.http.grpc_json_transcoder", "envoy.filters.http.grpc_field_extraction", "envoy.filters.http.proto_message_extraction"],
-        release_date = "2023-06-07",
+        release_date = "2024-08-30",
         cpe = "N/A",
         license = "Apache-2.0",
         license_url = "https://github.com/grpc-ecosystem/grpc-httpjson-transcoding/blob/{version}/LICENSE",

changelogs/current.yaml

@@ -196,6 +196,9 @@ removed_config_or_runtime:
 - area: dynamic forward proxy
   change: |
     Removed ``envoy.reloadable_features.normalize_host_for_preresolve_dfp_dns`` runtime flag and legacy code paths.
+- area: http
+  change: |
+    Removed the ``envoy.reloadable_features.http2_validate_authority_with_quiche`` runtime flag and its legacy code paths.
 - area: http
   change: |
     Removed ``envoy.reloadable_features.use_http3_header_normalisation`` runtime flag and legacy code paths.
@@ -289,6 +292,10 @@ new_features:
   change: |
     Added :ref:`delay_deny <envoy_v3_api_msg_extensions.filters.network.rbac.v3.RBAC>` to support deny connection after
     the configured duration.
+- area: ext_authz
+  change: |
+    Added :ref:`emit_filter_state_stats <envoy_v3_api_field_extensions.filters.http.ext_authz.v3.ExtAuthz.emit_filter_state_stats>`
+    which when true enables filter state stats for access logging.
 - area: extension_discovery_service
   change: |
     added ECDS support for :ref:`UDP session filters

docs/root/api-v3/common_messages/common_messages_xds.rst

@@ -24,3 +24,4 @@ Common messages (XDS)
   ../../xds/core/v3/resource_locator.proto
   ../../xds/core/v3/resource_name.proto
   ../../xds/type/v3/typed_struct.proto
+  ../../xds/data/orca/v3/orca_load_report.proto

envoy/grpc/async_client.h

@@ -29,6 +29,11 @@ class AsyncRequest {
    * Signals that the request should be cancelled. No further callbacks will be invoked.
    */
   virtual void cancel() PURE;
+
+  /**
+   * Returns the underlying stream info.
+   */
+  virtual const StreamInfo::StreamInfo& streamInfo() const PURE;
 };
 
 /**

envoy/thread/thread.h

@@ -55,7 +55,16 @@ using ThreadPtr = std::unique_ptr<Thread>;
 
 // Options specified during thread creation.
 struct Options {
-  std::string name_; // A name supplied for the thread. On Linux this is limited to 15 chars.
+  // A name supplied for the thread. On Linux this is limited to 15 chars.
+  std::string name_;
+  // An optional thread priority for the thread. The value will mean different things on different
+  // platforms. For example, on Linux or Android, the values can range from -20 to 19. On Apple
+  // platforms, the value can range from 1 to 100, which is used to divide by 100 to get a [0,1]
+  // value that can be used on Apple's NSThread.setThreadPriority method.
+  //
+  // If no value is set, the thread will be created with the default thread priority for the
+  // platform.
+  absl::optional<int> priority_{absl::nullopt};
 };
 
 using OptionsOptConstRef = const absl::optional<Options>&;

mobile/library/common/internal_engine.cc

@@ -95,20 +95,10 @@ envoy_status_t InternalEngine::cancelStream(envoy_stream_t stream) {
 // copy-constructible type, so it's not possible to move capture `std::unique_ptr` with
 // `std::function`.
 envoy_status_t InternalEngine::run(std::shared_ptr<Envoy::OptionsImplBase> options) {
-  main_thread_ = thread_factory_->createThread(
-      [this, options]() mutable -> void {
-        if (thread_priority_) {
-          // Set the thread priority before invoking the thread routine.
-          const int rc = setpriority(PRIO_PROCESS, thread_factory_->currentThreadId().getId(),
-                                     *thread_priority_);
-          if (rc != 0) {
-            ENVOY_LOG(debug, "failed to set thread priority: {}", Envoy::errorDetails(errno));
-          }
-        }
-
-        main(options);
-      },
-      /* options= */ absl::nullopt, /* crash_on_failure= */ false);
+  Thread::Options thread_options;
+  thread_options.priority_ = thread_priority_;
+  main_thread_ = thread_factory_->createThread([this, options]() mutable -> void { main(options); },
+                                               thread_options, /* crash_on_failure= */ false);
   return (main_thread_ != nullptr) ? ENVOY_SUCCESS : ENVOY_FAILURE;
 }
 
@@ -330,7 +320,9 @@ envoy_status_t InternalEngine::recordCounterInc(absl::string_view elements, envo
       });
 }
 
-Event::ProvisionalDispatcher& InternalEngine::dispatcher() { return *dispatcher_; }
+Event::ProvisionalDispatcher& InternalEngine::dispatcher() const { return *dispatcher_; }
+
+Thread::PosixThreadFactory& InternalEngine::threadFactory() const { return *thread_factory_; }
 
 void statsAsText(const std::map<std::string, uint64_t>& all_stats,
                  const std::vector<Stats::ParentHistogramSharedPtr>& histograms,

mobile/library/common/internal_engine.h

@@ -56,7 +56,12 @@ class InternalEngine : public Logger::Loggable<Logger::Id::main> {
    * Accessor for the provisional event dispatcher.
    * @return Event::ProvisionalDispatcher&, the engine dispatcher.
    */
-  Event::ProvisionalDispatcher& dispatcher();
+  Event::ProvisionalDispatcher& dispatcher() const;
+
+  /**
+   * Accessor for the thread factory.
+   */
+  Thread::PosixThreadFactory& threadFactory() const;
 
   envoy_stream_t initStream();
 
@@ -158,6 +163,7 @@ class InternalEngine : public Logger::Loggable<Logger::Id::main> {
   Stats::Store& getStatsStore();
 
 private:
+  // Needs access to the private constructor.
   GTEST_FRIEND_CLASS(InternalEngineTest, ThreadCreationFailed);
 
   InternalEngine(std::unique_ptr<EngineCallbacks> callbacks, std::unique_ptr<EnvoyLogger> logger,

mobile/test/common/integration/client_integration_test.cc

@@ -206,13 +206,7 @@ void ClientIntegrationTest::basicTest() {
                                    std::to_string(request_data.length()));
 
   EnvoyStreamCallbacks stream_callbacks = createDefaultStreamCallbacks();
-  stream_callbacks.on_data_ = [this](const Buffer::Instance& buffer, uint64_t length,
-                                     bool end_stream, envoy_stream_intel) {
-    if (end_stream) {
-      std::string response_body(length, ' ');
-      buffer.copyOut(0, length, response_body.data());
-      EXPECT_EQ(response_body, "");
-    }
+  stream_callbacks.on_data_ = [this](const Buffer::Instance&, uint64_t, bool, envoy_stream_intel) {
     cc_.on_data_calls_++;
   };
 

mobile/test/common/internal_engine_test.cc

@@ -476,7 +476,7 @@ class ThreadPriorityInternalEngineTest : public InternalEngineTest {
     stream_callbacks.on_headers_ = [&](const Http::ResponseHeaderMap&, bool /* end_stream */,
                                        envoy_stream_intel) {
       // Gets the thread priority, so we can check that it's the same thread priority we set.
-      context.thread_priority = getpriority(PRIO_PROCESS, 0);
+      context.thread_priority = engine->threadFactory().currentThreadPriority();
     };
     stream_callbacks.on_complete_ = [&](envoy_stream_intel, envoy_final_stream_intel) {
       context.on_complete_notification.Notify();
@@ -496,15 +496,11 @@ class ThreadPriorityInternalEngineTest : public InternalEngineTest {
   }
 };
 
-// The setpriority() call fails on some Apple environments.
-// TODO(abeyad): investigate what to do for Apple.
-#ifndef __APPLE__
 TEST_F(ThreadPriorityInternalEngineTest, SetThreadPriority) {
   const int expected_thread_priority = 10;
   const int actual_thread_priority = startEngineWithPriority(expected_thread_priority);
   EXPECT_EQ(actual_thread_priority, expected_thread_priority);
 }
-#endif
 
 TEST_F(ThreadPriorityInternalEngineTest, SetOutOfRangeThreadPriority) {
   // 42 is outside the range of acceptable thread priorities.

source/common/common/BUILD

@@ -433,6 +433,7 @@ envoy_cc_posix_library(
     strip_include_prefix = "posix",
     deps = [
         ":assert_lib",
+        ":utility_lib",
         "//envoy/thread:thread_interface",
     ],
 )