Merge branch 'main' into yanjun-hack

Signed-off-by: Joshua Marantz <[email protected]>

.github/workflows/_precheck_deps.yml

@@ -50,7 +50,7 @@ jobs:
     if: ${{ inputs.dependency-review }}
     steps:
     - name: Checkout Repository
-      uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11  # v4.1.1
+      uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633  # v4.1.2
       with:
         ref: ${{ fromJSON(inputs.request).request.sha }}
         persist-credentials: false

.github/workflows/codeql-daily.yml

@@ -27,7 +27,7 @@ jobs:
 
     steps:
     - name: Checkout repository
-      uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11  # v4.1.1
+      uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633  # v4.1.2
 
     - name: Free disk space
       uses: envoyproxy/toolshed/gh-actions/[email protected]

.github/workflows/codeql-push.yml

@@ -32,7 +32,7 @@ jobs:
     if: github.repository == 'envoyproxy/envoy'
     steps:
     - name: Checkout repository
-      uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11  # v4.1.1
+      uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633  # v4.1.2
       with:
         fetch-depth: 2
 

.github/workflows/envoy-dependency.yml

@@ -143,7 +143,7 @@ jobs:
           path: envoy
           fetch-depth: 0
         token: ${{ steps.appauth.outputs.token }}
-    - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11  # v4.1.1
+    - uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633  # v4.1.2
       name: Checkout Envoy build tools repository
       with:
         repository: envoyproxy/envoy-build-tools
@@ -235,7 +235,7 @@ jobs:
       issues: write
     steps:
     - name: Checkout repository
-      uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11  # v4.1.1
+      uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633  # v4.1.2
     - name: Run dependency checker
       run: |
         TODAY_DATE=$(date -u -I"date")

.github/workflows/mobile-perf.yml

@@ -70,6 +70,7 @@ jobs:
             source/server/guarddog_impl.h
             source/server/watchdog_impl.h
             source/server/options_impl.cc
+            source/extensions/access_loggers/common/file_access_log_impl.h
           target: size-current
         - name: Main size
           args: >-

.github/workflows/mobile-release.yml

@@ -95,7 +95,7 @@ jobs:
         - output: envoy
         - output: envoy_xds
     steps:
-    - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11  # v4.1.1
+    - uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633  # v4.1.2
       with:
         fetch-depth: 0
     - name: Add safe directory

.github/workflows/mobile-traffic_director.yml

@@ -30,7 +30,7 @@ jobs:
     timeout-minutes: 120
     steps:
     - name: Checkout repository
-      uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11  # v4.1.1
+      uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633  # v4.1.2
     - name: Add safe directory
       run: git config --global --add safe.directory /__w/envoy/envoy
     - name: 'Run GcpTrafficDirectorIntegrationTest'

.github/workflows/pr_notifier.yml

@@ -22,7 +22,7 @@ jobs:
               || !contains(github.actor, '[bot]'))
       }}
     steps:
-    - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11  # v4.1.1
+    - uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633  # v4.1.2
     - name: Notify about PRs
       run: |
         ARGS=()

.github/workflows/scorecard.yml

@@ -21,7 +21,7 @@ jobs:
 
     steps:
     - name: "Checkout code"
-      uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11  # v4.1.1
+      uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633  # v4.1.2
       with:
         persist-credentials: false
 

api/BUILD

@@ -73,6 +73,7 @@ proto_library(
     visibility = ["//visibility:public"],
     deps = [
         "//contrib/envoy/extensions/compression/qatzip/compressor/v3alpha:pkg",
+        "//contrib/envoy/extensions/compression/qatzstd/compressor/v3alpha:pkg",
         "//contrib/envoy/extensions/filters/http/checksum/v3alpha:pkg",
         "//contrib/envoy/extensions/filters/http/dynamo/v3:pkg",
         "//contrib/envoy/extensions/filters/http/golang/v3alpha:pkg",

api/bazel/cc_proto_descriptor_library/builddefs.bzl

@@ -335,7 +335,6 @@ cc_proto_descriptor_library_aspect = aspect(
 )
 
 cc_proto_descriptor_library = rule(
-    output_to_genfiles = True,
     implementation = _cc_proto_descriptor_rule_impl,
     attrs = {
         "deps": attr.label_list(

api/bazel/repository_locations.bzl

@@ -39,9 +39,9 @@ REPOSITORY_LOCATIONS_SPEC = dict(
         project_desc = "xDS API Working Group (xDS-WG)",
         project_url = "https://github.com/cncf/xds",
         # During the UDPA -> xDS migration, we aren't working with releases.
-        version = "3a472e524827f72d1ad621c4983dd5af54c46776",
-        sha256 = "dc305e20c9fa80822322271b50aa2ffa917bf4fd3973bcec52bfc28dc32c5927",
-        release_date = "2023-11-16",
+        version = "ee0267137e252710af66562e0d54bcf8669b74b1",
+        sha256 = "0adcd7a74d5158f710612f38e5b9ec8bd4aabd2f53ff7905e0c198028ca68dfc",
+        release_date = "2024-03-12",
         strip_prefix = "xds-{version}",
         urls = ["https://github.com/cncf/xds/archive/{version}.tar.gz"],
         use_category = ["api"],
@@ -131,11 +131,11 @@ REPOSITORY_LOCATIONS_SPEC = dict(
         project_name = "buf",
         project_desc = "A new way of working with Protocol Buffers.",  # Used for breaking change detection in API protobufs
         project_url = "https://buf.build",
-        version = "1.29.0",
-        sha256 = "1033f26361e6fc30ffcfab9d4e4274ffd4af88d9c97de63d2e1721c4a07c1380",
+        version = "1.30.0",
+        sha256 = "219f48fb1bb190e0f761e35cac0821dfd9c1b0dfda80d7aaf522347755d829ab",
         strip_prefix = "buf",
         urls = ["https://github.com/bufbuild/buf/releases/download/v{version}/buf-Linux-x86_64.tar.gz"],
-        release_date = "2024-01-24",
+        release_date = "2024-03-07",
         use_category = ["api"],
         license = "Apache-2.0",
         license_url = "https://github.com/bufbuild/buf/blob/v{version}/LICENSE",

api/contrib/envoy/extensions/compression/qatzstd/compressor/v3alpha/BUILD

@@ -0,0 +1,9 @@
+# DO NOT EDIT. This file is generated by tools/proto_format/proto_sync.py.
+
+load("@envoy_api//bazel:api_build_system.bzl", "api_proto_package")
+
+licenses(["notice"])  # Apache 2
+
+api_proto_package(
+    deps = ["@com_github_cncf_xds//udpa/annotations:pkg"],
+)

api/contrib/envoy/extensions/compression/qatzstd/compressor/v3alpha/qatzstd.proto

@@ -0,0 +1,69 @@
+syntax = "proto3";
+
+package envoy.extensions.compression.qatzstd.compressor.v3alpha;
+
+import "google/protobuf/wrappers.proto";
+
+import "udpa/annotations/status.proto";
+import "validate/validate.proto";
+
+option java_package = "io.envoyproxy.envoy.extensions.compression.qatzstd.compressor.v3alpha";
+option java_outer_classname = "QatzstdProto";
+option java_multiple_files = true;
+option go_package = "github.com/envoyproxy/go-control-plane/contrib/envoy/extensions/compression/qatzstd/compressor/v3alpha";
+option (udpa.annotations.file_status).package_version_status = ACTIVE;
+
+// [#protodoc-title: Qatzstd Compressor]
+// Qatzstd :ref:`configuration overview <config_qatzstd>`.
+// [#extension: envoy.compression.qatzstd.compressor]
+
+// [#next-free-field: 8]
+message Qatzstd {
+  // Reference to http://facebook.github.io/zstd/zstd_manual.html
+  enum Strategy {
+    DEFAULT = 0;
+    FAST = 1;
+    DFAST = 2;
+    GREEDY = 3;
+    LAZY = 4;
+    LAZY2 = 5;
+    BTLAZY2 = 6;
+    BTOPT = 7;
+    BTULTRA = 8;
+    BTULTRA2 = 9;
+  }
+
+  // Set compression parameters according to pre-defined compression level table.
+  // Note that exact compression parameters are dynamically determined,
+  // depending on both compression level and source content size (when known).
+  // Value 0 means default, and default level is 3.
+  //
+  // Setting a level does not automatically set all other compression parameters
+  // to default. Setting this will however eventually dynamically impact the compression
+  // parameters which have not been manually set. The manually set
+  // ones will 'stick'.
+  google.protobuf.UInt32Value compression_level = 1 [(validate.rules).uint32 = {lte: 22 gte: 1}];
+
+  // A 32-bits checksum of content is written at end of frame. If not set, defaults to false.
+  bool enable_checksum = 2;
+
+  // The higher the value of selected strategy, the more complex it is,
+  // resulting in stronger and slower compression.
+  //
+  // Special: value 0 means "use default strategy".
+  Strategy strategy = 3 [(validate.rules).enum = {defined_only: true}];
+
+  // Value for compressor's next output buffer. If not set, defaults to 4096.
+  google.protobuf.UInt32Value chunk_size = 5 [(validate.rules).uint32 = {lte: 65536 gte: 4096}];
+
+  // Enable QAT to accelerate Zstd compression or not. If not set, defaults to false.
+  //
+  // This is useful in the case that users want to enable QAT for a period of time and disable QAT for another period of time,
+  // they don't have to change the config too much or prepare for another config that has software zstd compressor and just changing the value of this filed.
+  bool enable_qat_zstd = 6;
+
+  // Fallback to software for Qatzstd when input size is less than this value.
+  // Valid only ``enable_qat_zstd`` is ``true``. 0 means no fallback at all. If not set, defaults to 4000.
+  google.protobuf.UInt32Value qat_zstd_fallback_threshold = 7
+      [(validate.rules).uint32 = {lte: 65536 gte: 0}];
+}

api/envoy/extensions/filters/http/rbac/v3/rbac.proto

@@ -22,7 +22,7 @@ option (udpa.annotations.file_status).package_version_status = ACTIVE;
 // [#extension: envoy.filters.http.rbac]
 
 // RBAC filter config.
-// [#next-free-field: 6]
+// [#next-free-field: 7]
 message RBAC {
   option (udpa.annotations.versioning).previous_message_type =
       "envoy.config.filter.http.rbac.v2.RBAC";
@@ -34,6 +34,11 @@ message RBAC {
   config.rbac.v3.RBAC rules = 1
       [(udpa.annotations.field_migrate).oneof_promotion = "rules_specifier"];
 
+  // If specified, rules will emit stats with the given prefix.
+  // This is useful to distinguish the stat when there are more than 1 RBAC filter configured with
+  // rules.
+  string rules_stat_prefix = 6;
+
   // The match tree to use when resolving RBAC action for incoming requests. Requests do not
   // match any matcher will be denied.
   // If absent, no enforcing RBAC matcher will be applied.

api/envoy/extensions/wasm/v3/wasm.proto

@@ -50,7 +50,7 @@ message VmConfig {
   string vm_id = 1;
 
   // The Wasm runtime type, defaults to the first available Wasm engine used at Envoy build-time.
-  // The priority to search for the available engine is: v8 -> wasmtime -> wamr -> wavm.
+  // The priority to search for the available engine is: v8 -> wasmtime -> wamr.
   // Available Wasm runtime types are registered as extensions. The following runtimes are included
   // in Envoy code base:
   //
@@ -68,11 +68,6 @@ message VmConfig {
   // **envoy.wasm.runtime.wamr**: `WAMR <https://github.com/bytecodealliance/wasm-micro-runtime/>`_-based WebAssembly runtime.
   // This runtime is not enabled in the official build.
   //
-  // .. _extension_envoy.wasm.runtime.wavm:
-  //
-  // **envoy.wasm.runtime.wavm**: `WAVM <https://wavm.github.io/>`_-based WebAssembly runtime.
-  // This runtime is not enabled in the official build.
-  //
   // .. _extension_envoy.wasm.runtime.wasmtime:
   //
   // **envoy.wasm.runtime.wasmtime**: `Wasmtime <https://wasmtime.dev/>`_-based WebAssembly runtime.

api/versioning/BUILD

@@ -10,6 +10,7 @@ proto_library(
     visibility = ["//visibility:public"],
     deps = [
         "//contrib/envoy/extensions/compression/qatzip/compressor/v3alpha:pkg",
+        "//contrib/envoy/extensions/compression/qatzstd/compressor/v3alpha:pkg",
         "//contrib/envoy/extensions/config/v3alpha:pkg",
         "//contrib/envoy/extensions/filters/http/checksum/v3alpha:pkg",
         "//contrib/envoy/extensions/filters/http/dynamo/v3:pkg",

bazel/BUILD

@@ -497,12 +497,6 @@ config_setting(
     values = {"define": "zlib=ng"},
 )
 
-# TODO: consider converting WAVM VM support to an extension (https://github.com/envoyproxy/envoy/issues/12574)
-config_setting(
-    name = "wasm_wavm",
-    values = {"define": "wasm=wavm"},
-)
-
 config_setting(
     name = "wasm_v8",
     values = {"define": "wasm=v8"},

bazel/README.md

@@ -738,7 +738,6 @@ To enable a specific WebAssembly (Wasm) engine, you'll need to pass `--define wa
 * `v8` (the default included engine)
 * `wamr`
 * `wasmtime`
-* `wavm`
 
 If you're building from a custom build repository, the parameters need to prefixed with `@envoy`, for example
 `--@envoy//source/extensions/filters/http/kill_request:enabled`.

bazel/envoy_build_system.bzl

@@ -38,7 +38,6 @@ load(
     _envoy_select_wasm_v8 = "envoy_select_wasm_v8",
     _envoy_select_wasm_wamr = "envoy_select_wasm_wamr",
     _envoy_select_wasm_wasmtime = "envoy_select_wasm_wasmtime",
-    _envoy_select_wasm_wavm = "envoy_select_wasm_wavm",
 )
 load(
     ":envoy_test.bzl",
@@ -252,7 +251,6 @@ envoy_select_wasm_cpp_tests = _envoy_select_wasm_cpp_tests
 envoy_select_wasm_rust_tests = _envoy_select_wasm_rust_tests
 envoy_select_wasm_v8 = _envoy_select_wasm_v8
 envoy_select_wasm_wamr = _envoy_select_wasm_wamr
-envoy_select_wasm_wavm = _envoy_select_wasm_wavm
 envoy_select_wasm_wasmtime = _envoy_select_wasm_wasmtime
 envoy_select_linkstatic = _envoy_linkstatic
 

bazel/envoy_select.bzl

@@ -154,7 +154,6 @@ def envoy_select_wasm_v8(xs):
         "@envoy//bazel:wasm_v8": xs,
         "@envoy//bazel:wasm_wamr": [],
         "@envoy//bazel:wasm_wasmtime": [],
-        "@envoy//bazel:wasm_wavm": [],
         "@envoy//bazel:wasm_disabled": [],
         # TODO(phlax): re-enable once issues with llvm profiler are resolved
         #   (see https://github.com/envoyproxy/envoy/issues/24164)
@@ -168,7 +167,6 @@ def envoy_select_wasm_v8_bool():
         "@envoy//bazel:wasm_v8": True,
         "@envoy//bazel:wasm_wamr": False,
         "@envoy//bazel:wasm_wasmtime": False,
-        "@envoy//bazel:wasm_wavm": False,
         "@envoy//bazel:wasm_disabled": False,
         # TODO(phlax): re-enable once issues with llvm profiler are resolved
         #   (see https://github.com/envoyproxy/envoy/issues/24164)
@@ -183,13 +181,6 @@ def envoy_select_wasm_wamr(xs):
         "//conditions:default": [],
     })
 
-# Selects the given values depending on the Wasm runtimes enabled in the current build.
-def envoy_select_wasm_wavm(xs):
-    return select({
-        "@envoy//bazel:wasm_wavm": xs,
-        "//conditions:default": [],
-    })
-
 # Selects the given values depending on the Wasm runtimes enabled in the current build.
 def envoy_select_wasm_wasmtime(xs):
     return select({

bazel/external/boringssl_fips.genrule_cmd

@@ -119,7 +119,9 @@ rm -rf boringssl/build
 
 # Build BoringSSL.
 cd boringssl
-mkdir build && cd build && cmake -GNinja -DCMAKE_TOOLCHAIN_FILE=${HOME}/toolchain -DFIPS=1 -DCMAKE_BUILD_TYPE=Release ..
+# Setting -fPIC only affects the compilation of the non-module code in libcrypto.a,
+# because the FIPS module itself is already built with -fPIC.
+mkdir build && cd build && cmake -GNinja -DCMAKE_TOOLCHAIN_FILE=${HOME}/toolchain -DFIPS=1 -DCMAKE_BUILD_TYPE=Release -DCMAKE_C_FLAGS="-fPIC" -DCMAKE_CXX_FLAGS="-fPIC" ..
 ninja
 ninja run_tests
 ./crypto/crypto_test