Merge branch 'envoyproxy:main' into upstream_connection_id_support

.bazelrc

@@ -260,14 +260,14 @@ build:rbe-toolchain-clang --platforms=@envoy_build_tools//toolchains:rbe_linux_c
 build:rbe-toolchain-clang --host_platform=@envoy_build_tools//toolchains:rbe_linux_clang_platform
 build:rbe-toolchain-clang --crosstool_top=@envoy_build_tools//toolchains/configs/linux/clang/cc:toolchain
 build:rbe-toolchain-clang --extra_toolchains=@envoy_build_tools//toolchains/configs/linux/clang/config:cc-toolchain
-build:rbe-toolchain-clang --action_env=CC=clang --action_env=CXX=clang++ --action_env=PATH=/usr/sbin:/usr/bin:/sbin:/bin:/opt/llvm/bin
+build:rbe-toolchain-clang --action_env=CC=clang --action_env=CXX=clang++
 
 build:rbe-toolchain-clang-libc++ --config=rbe-toolchain
 build:rbe-toolchain-clang-libc++ --platforms=@envoy_build_tools//toolchains:rbe_linux_clang_libcxx_platform
 build:rbe-toolchain-clang-libc++ --host_platform=@envoy_build_tools//toolchains:rbe_linux_clang_libcxx_platform
 build:rbe-toolchain-clang-libc++ --crosstool_top=@envoy_build_tools//toolchains/configs/linux/clang_libcxx/cc:toolchain
 build:rbe-toolchain-clang-libc++ --extra_toolchains=@envoy_build_tools//toolchains/configs/linux/clang_libcxx/config:cc-toolchain
-build:rbe-toolchain-clang-libc++ --action_env=CC=clang --action_env=CXX=clang++ --action_env=PATH=/usr/sbin:/usr/bin:/sbin:/bin:/opt/llvm/bin
+build:rbe-toolchain-clang-libc++ --action_env=CC=clang --action_env=CXX=clang++
 build:rbe-toolchain-clang-libc++ --action_env=CXXFLAGS=-stdlib=libc++
 build:rbe-toolchain-clang-libc++ --action_env=LDFLAGS=-stdlib=libc++
 build:rbe-toolchain-clang-libc++ --define force_libcpp=enabled

.github/workflows/_publish_build.yml

@@ -6,6 +6,10 @@ permissions:
 on:
   workflow_call:
     secrets:
+      dockerhub-username:
+        required: false
+      dockerhub-password:
+        required: false
       gpg-key:
         required: true
       gpg-key-password:
@@ -113,6 +117,9 @@ jobs:
     permissions:
       contents: read
       packages: read
+    secrets:
+      dockerhub-username: ${{ secrets.dockerhub-username }}
+      dockerhub-password: ${{ secrets.dockerhub-password }}
     name: ${{ matrix.name || matrix.target }}
     needs:
     - binary

.github/workflows/_run.yml

@@ -8,6 +8,8 @@ on:
     secrets:
       app-id:
       app-key:
+      dockerhub-username:
+      dockerhub-password:
       gpg-key:
       gpg-key-password:
       rbe-key:
@@ -279,6 +281,8 @@ jobs:
         working-directory: ${{ inputs.working-directory }}
       env:
         GITHUB_TOKEN: ${{ inputs.trusted && steps.appauth.outputs.token || github.token }}
+        DOCKERHUB_USERNAME: ${{ secrets.dockerhub-username }}
+        DOCKERHUB_PASSWORD: ${{ secrets.dockerhub-password }}
         ENVOY_DOCKER_BUILD_DIR: ${{ runner.temp }}
         ENVOY_RBE: ${{ inputs.rbe == true && 1 || '' }}
         RBE_KEY: ${{ secrets.rbe-key }}
@@ -287,6 +291,10 @@ jobs:
           ${{ inputs.bazel-extra }}
           ${{ inputs.rbe == true && format('--jobs={0}', inputs.bazel-rbe-jobs) || '' }}
         BAZEL_FAKE_SCM_REVISION: ${{ github.event_name == 'pull_request' && 'e3b4a6e9570da15ac1caffdded17a8bebdc7dfc9' || '' }}
+        CI_BRANCH: >-
+          ${{ inputs.trusted
+              && format('refs/heads/{0}', fromJSON(inputs.request).request.target-branch)
+              || '' }}
         CI_SHA1: ${{ github.sha }}
         CI_TARGET_BRANCH: ${{ fromJSON(inputs.request).request.target-branch }}
         MOUNT_GPG_HOME: ${{ inputs.import-gpg && 1 || '' }}

.github/workflows/envoy-publish.yml

@@ -55,6 +55,14 @@ jobs:
       contents: read
       packages: read
     secrets:
+      dockerhub-username: >-
+        ${{ fromJSON(needs.load.outputs.trusted)
+            && secrets.DOCKERHUB_USERNAME
+            || '' }}
+      dockerhub-password: >-
+        ${{ fromJSON(needs.load.outputs.trusted)
+            && secrets.DOCKERHUB_PASSWORD
+            || '' }}
       gpg-key: ${{ fromJSON(needs.load.outputs.trusted) && secrets.ENVOY_GPG_MAINTAINER_KEY || secrets.ENVOY_GPG_SNAKEOIL_KEY }}
       gpg-key-password: >-
         ${{ fromJSON(needs.load.outputs.trusted)

api/bazel/repository_locations.bzl

@@ -169,11 +169,11 @@ REPOSITORY_LOCATIONS_SPEC = dict(
         project_desc = "Common Expression Language -- specification and binary representation",
         project_url = "https://github.com/google/cel-spec",
         strip_prefix = "cel-spec-{version}",
-        sha256 = "3ee09eb69dbe77722e9dee23dc48dc2cd9f765869fcf5ffb1226587c81791a0b",
-        version = "0.15.0",
+        sha256 = "24fd9b5aa218044f2923b8bcfccbf996eb024f05d1acbe1b27aca554f2720ac6",
+        version = "0.16.1",
         urls = ["https://github.com/google/cel-spec/archive/v{version}.tar.gz"],
         use_category = ["api"],
-        release_date = "2024-03-27",
+        release_date = "2024-08-28",
     ),
     envoy_toolshed = dict(
         project_name = "envoy_toolshed",

api/envoy/extensions/filters/http/ext_proc/v3/ext_proc.proto

@@ -28,11 +28,6 @@ option (udpa.annotations.file_status).package_version_status = ACTIVE;
 
 // The External Processing filter allows an external service to act on HTTP traffic in a flexible way.
 
-// **Current Implementation Status:**
-// All options and processing modes are implemented except for the following:
-//
-// * "async mode" is not implemented.
-
 // The filter communicates with an external gRPC service called an "external processor"
 // that can do a variety of things with the request and response:
 //

bazel/external/quiche.BUILD

@@ -3898,12 +3898,14 @@ envoy_quic_cc_library(
         "quiche/quic/core/chlo_extractor.cc",
         "quiche/quic/core/quic_buffered_packet_store.cc",
         "quiche/quic/core/quic_dispatcher.cc",
+        "quiche/quic/core/quic_dispatcher_stats.cc",
         "quiche/quic/core/tls_chlo_extractor.cc",
     ],
     hdrs = [
         "quiche/quic/core/chlo_extractor.h",
         "quiche/quic/core/quic_buffered_packet_store.h",
         "quiche/quic/core/quic_dispatcher.h",
+        "quiche/quic/core/quic_dispatcher_stats.h",
         "quiche/quic/core/tls_chlo_extractor.h",
     ],
     deps = [

bazel/repository_locations.bzl

@@ -96,12 +96,12 @@ REPOSITORY_LOCATIONS_SPEC = dict(
         project_name = "envoy_examples",
         project_desc = "Envoy proxy examples",
         project_url = "https://github.com/envoyproxy/examples",
-        version = "0.0.4",
-        sha256 = "a90a00ebea98a06e521d1c80c137085b542ff5c5ed6fec23afcb1fc165cc4b62",
+        version = "0.0.5",
+        sha256 = "2660070645623edbf4136d3a47109249bd53ffd8ff99ea13159439ad0be757cc",
         strip_prefix = "examples-{version}",
         urls = ["https://github.com/envoyproxy/examples/archive/v{version}.tar.gz"],
         use_category = ["test_only"],
-        release_date = "2024-08-22",
+        release_date = "2024-09-05",
         cpe = "N/A",
         license = "Apache-2.0",
         license_url = "https://github.com/envoyproxy/examples/blob/v{version}/LICENSE",
@@ -1221,12 +1221,12 @@ REPOSITORY_LOCATIONS_SPEC = dict(
         project_name = "QUICHE",
         project_desc = "QUICHE (QUIC, HTTP/2, Etc) is Google‘s implementation of QUIC and related protocols",
         project_url = "https://github.com/google/quiche",
-        version = "36723962ef5c9f3f9f42093ff9cbe057bc7a80c4",
-        sha256 = "8735afd08104215a8487cc9f2ffff1adc16e6168dc61c4e65127a3fb23d90c54",
+        version = "8da3bbb0b08b151d410de69a6fbe73b1974a044e",
+        sha256 = "a183fe0516e601f2f4568ef68a9da462742f240be5035ef0cbd7e2ff4a40a40c",
         urls = ["https://github.com/google/quiche/archive/{version}.tar.gz"],
         strip_prefix = "quiche-{version}",
         use_category = ["controlplane", "dataplane_core"],
-        release_date = "2024-08-11",
+        release_date = "2024-09-03",
         cpe = "N/A",
         license = "BSD-3-Clause",
         license_url = "https://github.com/google/quiche/blob/{version}/LICENSE",

bazel/setup_clang.sh

@@ -5,27 +5,25 @@ set -e
 BAZELRC_FILE="${BAZELRC_FILE:-./clang.bazelrc}"
 
 LLVM_PREFIX=$1
+LLVM_CONFIG="${LLVM_PREFIX}/bin/llvm-config"
 
-if [[ ! -e "${LLVM_PREFIX}/bin/llvm-config" ]]; then
+if [[ ! -e "${LLVM_CONFIG}" ]]; then
   echo "Error: cannot find local llvm-config in ${LLVM_PREFIX}."
   exit 1
 fi
 
-PATH="$("${LLVM_PREFIX}"/bin/llvm-config --bindir):${PATH}"
-export PATH
-
-LLVM_VERSION="$(llvm-config --version)"
-LLVM_LIBDIR="$(llvm-config --libdir)"
-LLVM_TARGET="$(llvm-config --host-target)"
+LLVM_VERSION="$("${LLVM_CONFIG}" --version)"
+LLVM_LIBDIR="$("${LLVM_CONFIG}" --libdir)"
+LLVM_TARGET="$("${LLVM_CONFIG}" --host-target)"
 
 RT_LIBRARY_PATH="${LLVM_LIBDIR}/clang/${LLVM_VERSION}/lib/${LLVM_TARGET}"
 
-echo "# Generated file, do not edit. If you want to disable clang, just delete this file.
-build:clang --action_env='PATH=${PATH}' --host_action_env='PATH=${PATH}'
-build:clang --action_env='LLVM_CONFIG=${LLVM_PREFIX}/bin/llvm-config' --host_action_env='LLVM_CONFIG=${LLVM_PREFIX}/bin/llvm-config'
-build:clang --repo_env='LLVM_CONFIG=${LLVM_PREFIX}/bin/llvm-config'
-build:clang --linkopt='-L$(llvm-config --libdir)'
-build:clang --linkopt='-Wl,-rpath,$(llvm-config --libdir)'
+cat <<EOF > "${BAZELRC_FILE}"
+# Generated file, do not edit. If you want to disable clang, just delete this file.
+build:clang --action_env=LLVM_CONFIG=${LLVM_CONFIG} --host_action_env=LLVM_CONFIG=${LLVM_CONFIG}
+build:clang --repo_env=LLVM_CONFIG=${LLVM_CONFIG}
+build:clang --linkopt=-L${LLVM_LIBDIR}
+build:clang --linkopt=-Wl,-rpath,${LLVM_LIBDIR}
 
-build:clang-asan --linkopt='-L${RT_LIBRARY_PATH}'
-" >"${BAZELRC_FILE}"
+build:clang-asan --linkopt=-L${RT_LIBRARY_PATH}
+EOF

changelogs/current.yaml

@@ -113,6 +113,12 @@ bug_fixes:
   change: |
     RBAC will now allow stat prefixes configured in per-route config to override the base config's
     stat prefix.
+- area: http3
+  change: |
+    Fixed a bug where an empty trailers block could be sent. This would occur if a filter removed
+    the last trailer - a likely occurrence with the ``grpc_web_filter``. This change makes HTTP/3 codec
+    behave the same way HTTP/2 codec does, converting an empty trailers block to no trailers.
+    This behavior can be reverted by setting the runtime guard ``envoy.reloadable_features.http3_remove_empty_trailers`` to ``false``.
 - area: http
   change: |
     Fixed a bug where an incomplete request (missing body or trailers) may be proxied to the upstream when the limit on

ci/Dockerfile-envoy

@@ -58,7 +58,7 @@ COPY --chown=0:0 --chmod=755 \
 
 
 # STAGE: envoy-distroless
-FROM gcr.io/distroless/base-nossl-debian12:nonroot@sha256:9652482d535c6e2b68823b7dbd9175eefe33edf12e86c02ab8e68fb38fd159b4 AS envoy-distroless
+FROM gcr.io/distroless/base-nossl-debian12:nonroot@sha256:fb10a979880367004a93467d9dad87eea1af67c6adda0a0060d2e785a8c1a0e6 AS envoy-distroless
 EXPOSE 10000
 ENTRYPOINT ["/usr/local/bin/envoy"]
 CMD ["-c", "/etc/envoy/envoy.yaml"]

ci/format_pre.sh

@@ -58,12 +58,6 @@ bazel "${BAZEL_STARTUP_OPTIONS[@]}" run "${BAZEL_BUILD_OPTIONS[@]}" //configs:ex
 CURRENT=spelling
 "${ENVOY_SRCDIR}/tools/spelling/check_spelling_pedantic.py" --mark check
 
-# TODO(phlax): move clang/buildifier checks to bazel rules (/aspects)
-if [[ -n "$CI_BRANCH" ]]; then
-    CURRENT=check_format_test
-    "${ENVOY_SRCDIR}/tools/code_format/check_format_test_helper.sh" --log=WARN
-fi
-
 CURRENT=check_format
 bazel "${BAZEL_STARTUP_OPTIONS[@]}" run "${BAZEL_BUILD_OPTIONS[@]}" //tools/code_format:check_format -- fix --fail_on_diff
 

docs/root/start/sandboxes/setup.rst

@@ -70,21 +70,21 @@ You can `find instructions for installing Git on various operating systems here
 
 .. _start_sandboxes_setup_envoy:
 
-Clone the Envoy repository
---------------------------
+Clone the Envoy examples repository
+-----------------------------------
 
-If you have not cloned the `Envoy repository <https://github.com/envoyproxy/envoy>`_ already,
+If you have not cloned the `Envoy examples repository <https://github.com/envoyproxy/examples>`_ already,
 clone it with:
 
 .. tabs::
 
    .. code-tab:: console SSH
 
-      git clone [email protected]:envoyproxy/envoy
+      git clone [email protected]:envoyproxy/examples
 
    .. code-tab:: console HTTPS
 
-      git clone https://github.com/envoyproxy/envoy.git
+      git clone https://github.com/envoyproxy/examples.git
 
 .. _start_sandboxes_setup_additional:
 

mobile/.bazelrc

@@ -245,17 +245,6 @@ test:mobile-remote-ci-android --config=mobile-test-android
 build:mobile-remote-ci-cc --config=mobile-remote-ci
 test:mobile-remote-ci-cc --action_env=LD_LIBRARY_PATH
 
-# TODO(alyssar) remove in a follow-up PR
-build:mobile-remote-ci-cc-no-exceptions --config=mobile-remote-ci-cc
-build:mobile-remote-ci-cc-no-exceptions --define envoy_exceptions=disabled
-build:mobile-remote-ci-cc-no-exceptions --copt=-fno-exceptions
-
-build:mobile-remote-ci-cc-full-protos-enabled --config=mobile-remote-ci-cc
-test:mobile-remote-ci-cc-full-protos-enabled --config=mobile-remote-ci-cc
-
-build:mobile-remote-ci-macos-kotlin --config=mobile-remote-ci-macos
-build:mobile-remote-ci-macos-kotlin --fat_apk_cpu=x86_64
-
 build:mobile-remote-ci-core --config=mobile-remote-ci
 test:mobile-remote-ci-core --action_env=LD_LIBRARY_PATH
 

mobile/library/cc/engine_builder.cc

@@ -321,6 +321,11 @@ EngineBuilder& EngineBuilder::addRuntimeGuard(std::string guard, bool value) {
   return *this;
 }
 
+EngineBuilder& EngineBuilder::addRestartRuntimeGuard(std::string guard, bool value) {
+  restart_runtime_guards_.emplace_back(std::move(guard), value);
+  return *this;
+}
+
 #if defined(__APPLE__)
 EngineBuilder& EngineBuilder::respectSystemProxySettings(bool value) {
   respect_system_proxy_settings_ = value;
@@ -818,6 +823,10 @@ std::unique_ptr<envoy::config::bootstrap::v3::Bootstrap> EngineBuilder::generate
   // needed to be merged with the default off due to unresolved test issues. Once those are fixed,
   // and the default for `allow_client_socket_creation_failure` is true, we can remove this.
   (*restart_features.mutable_fields())["allow_client_socket_creation_failure"].set_bool_value(true);
+  for (auto& guard_and_value : restart_runtime_guards_) {
+    (*restart_features.mutable_fields())[guard_and_value.first].set_bool_value(
+        guard_and_value.second);
+  }
 
   (*runtime_values.mutable_fields())["disallow_global_stats"].set_bool_value(true);
   ProtobufWkt::Struct& overload_values =

mobile/library/cc/engine_builder.h

@@ -89,6 +89,11 @@ class EngineBuilder {
   // For example if the runtime guard is `envoy.reloadable_features.use_foo`, the guard name is
   // `use_foo`.
   EngineBuilder& addRuntimeGuard(std::string guard, bool value);
+  // Adds a runtime guard for the `envoy.restart_features.<guard>`. Restart features cannot be
+  // changed after the Envoy applicable has started and initialized.
+  // For example if the runtime guard is `envoy.restart_features.use_foo`, the guard name is
+  // `use_foo`.
+  EngineBuilder& addRestartRuntimeGuard(std::string guard, bool value);
 
   // These functions don't affect the Bootstrap configuration but instead perform registrations.
   EngineBuilder& addKeyValueStore(std::string name, KeyValueStoreSharedPtr key_value_store);
@@ -183,6 +188,7 @@ class EngineBuilder {
   std::vector<std::pair<std::string /* host */, uint32_t /* port */>> dns_preresolve_hostnames_;
 
   std::vector<std::pair<std::string, bool>> runtime_guards_;
+  std::vector<std::pair<std::string, bool>> restart_runtime_guards_;
   absl::flat_hash_map<std::string, StringAccessorSharedPtr> string_accessors_;
   bool use_gro_if_available_ = false;
 

mobile/library/common/internal_engine.cc

@@ -281,10 +281,14 @@ envoy_status_t InternalEngine::resetConnectivityState() {
   return dispatcher_->post([&]() -> void { connectivity_manager_->resetConnectivityState(); });
 }
 
-envoy_status_t InternalEngine::setPreferredNetwork(NetworkType network) {
-  return dispatcher_->post([&, network]() -> void {
-    envoy_netconf_t configuration_key =
-        Network::ConnectivityManagerImpl::setPreferredNetwork(network);
+void InternalEngine::onDefaultNetworkAvailable() {
+  ENVOY_LOG_MISC(trace, "Calling the default network available callback");
+}
+
+void InternalEngine::onDefaultNetworkChanged(NetworkType network) {
+  ENVOY_LOG_MISC(trace, "Calling the default network changed callback");
+  dispatcher_->post([&, network]() -> void {
+    envoy_netconf_t configuration = Network::ConnectivityManagerImpl::setPreferredNetwork(network);
     if (Runtime::runtimeFeatureEnabled(
             "envoy.reloadable_features.dns_cache_set_ip_version_to_remove")) {
       // The IP version to remove flag must be set first before refreshing the DNS cache so that
@@ -305,10 +309,15 @@ envoy_status_t InternalEngine::setPreferredNetwork(NetworkType network) {
           [](Http::HttpServerPropertiesCache& cache) { cache.resetBrokenness(); };
       cache_manager.forEachThreadLocalCache(clear_brokenness);
     }
-    connectivity_manager_->refreshDns(configuration_key, true);
+    connectivity_manager_->refreshDns(configuration, true);
   });
 }
 
+void InternalEngine::onDefaultNetworkUnavailable() {
+  ENVOY_LOG_MISC(trace, "Calling the default network unavailable callback");
+  dispatcher_->post([&]() -> void { connectivity_manager_->dnsCache()->stop(); });
+}
+
 envoy_status_t InternalEngine::recordCounterInc(absl::string_view elements, envoy_stats_tags tags,
                                                 uint64_t count) {
   return dispatcher_->post(

mobile/library/common/internal_engine.h

@@ -106,9 +106,15 @@ class InternalEngine : public Logger::Loggable<Logger::Id::main> {
   // to networkConnectivityManager after doing a dispatcher post (thread context switch)
   envoy_status_t setProxySettings(const char* host, const uint16_t port);
   envoy_status_t resetConnectivityState();
+
+  /**
+   * This function is called when the default network is available. This function is currently
+   * no-op.
+   */
+  void onDefaultNetworkAvailable();
+
   /**
-   * This function does the following on a network change event (such as switching from WiFI to
-   * cellular, WIFi A to WiFI B, etc.).
+   * This function does the following when the default network configuration was changed.
    *
    * - Sets the preferred network.
    * - Check for IPv6 connectivity. If there is no IPv6 no connectivity, it will call
@@ -117,7 +123,15 @@ class InternalEngine : public Logger::Loggable<Logger::Id::main> {
    * - Force refresh the hosts in the DNS cache (will take `setIpVersionToRemove` into account).
    * - Optionally (if configured) clear HTTP/3 broken status.
    */
-  envoy_status_t setPreferredNetwork(NetworkType network);
+  void onDefaultNetworkChanged(NetworkType network);
+
+  /**
+   * This functions does the following when the default network is unavailable.
+   *
+   * - Cancel the DNS pending queries.
+   * - Stop the DNS timeout and refresh timers.
+   */
+  void onDefaultNetworkUnavailable();
 
   /**
    * Increment a counter with a given string of elements and by the given count.