Merge branch 'envoyproxy:main' into fluentd_reconnect

ohadvano · Mar 15, 2024 · 608f750 · 608f750
2 parents d2491cd + e0b82a7
commit 608f750
Show file tree

Hide file tree

Showing 84 changed files with 803 additions and 404 deletions.
diff --git a/.github/config.yml b/.github/config.yml
@@ -150,27 +150,8 @@ checks:
     - publish
     - verify
     required: true
-  windows:
-    name: Envoy/Windows
-    required: true
-    on-run:
-    - build-windows
 
 run:
-  build-windows:
-    paths:
-    - .bazelrc
-    - .bazelversion
-    - .github/config.yml
-    - api/**/*
-    - bazel/**/*
-    - ci/**/*
-    - configs/**/*
-    - contrib/**/*
-    - envoy/**/*
-    - source/**/*
-    - test/**/*
-    - VERSION.txt
   build-macos:
     paths:
     - .bazelrc

diff --git a/.github/workflows/envoy-windows.yml b/.github/workflows/envoy-windows.yml
diff --git a/.github/workflows/mobile-perf.yml b/.github/workflows/mobile-perf.yml
@@ -70,6 +70,7 @@ jobs:
             source/server/guarddog_impl.h
             source/server/watchdog_impl.h
             source/server/options_impl.cc
+            source/extensions/access_loggers/common/file_access_log_impl.h
           target: size-current
         - name: Main size
           args: >-

diff --git a/api/envoy/config/core/v3/health_check.proto b/api/envoy/config/core/v3/health_check.proto
@@ -62,7 +62,7 @@ message HealthStatusSet {
       [(validate.rules).repeated = {items {enum {defined_only: true}}}];
 }
 
-// [#next-free-field: 26]
+// [#next-free-field: 27]
 message HealthCheck {
   option (udpa.annotations.versioning).previous_message_type = "envoy.api.v2.core.HealthCheck";
 
@@ -392,6 +392,11 @@ message HealthCheck {
   // The default value is false.
   bool always_log_health_check_failures = 19;
 
+  // If set to true, health check success events will always be logged. If set to false, only host addition event will be logged
+  // if it is the first successful health check, or if the healthy threshold is reached.
+  // The default value is false.
+  bool always_log_health_check_success = 26;
+
   // This allows overriding the cluster TLS settings, just for health check connections.
   TlsOptions tls_options = 21;
 

diff --git a/api/envoy/config/core/v3/protocol.proto b/api/envoy/config/core/v3/protocol.proto
@@ -486,10 +486,10 @@ message Http2ProtocolOptions {
   // Allows proxying Websocket and other upgrades over H2 connect.
   bool allow_connect = 5;
 
-  // [#not-implemented-hide:] Hiding until envoy has full metadata support.
+  // [#not-implemented-hide:] Hiding until Envoy has full metadata support.
   // Still under implementation. DO NOT USE.
   //
-  // Allows metadata. See [metadata
+  // Allows sending and receiving HTTP/2 METADATA frames. See [metadata
   // docs](https://github.com/envoyproxy/envoy/blob/main/source/docs/h2_metadata.md) for more
   // information.
   bool allow_metadata = 6;
@@ -618,7 +618,7 @@ message GrpcProtocolOptions {
 }
 
 // A message which allows using HTTP/3.
-// [#next-free-field: 6]
+// [#next-free-field: 7]
 message Http3ProtocolOptions {
   QuicProtocolOptions quic_protocol_options = 1;
 
@@ -637,6 +637,14 @@ message Http3ProtocolOptions {
   // <https://datatracker.ietf.org/doc/draft-ietf-httpbis-h3-websockets/>`_
   // Note that HTTP/3 CONNECT is not yet an RFC.
   bool allow_extended_connect = 5 [(xds.annotations.v3.field_status).work_in_progress = true];
+
+  // [#not-implemented-hide:] Hiding until Envoy has full metadata support.
+  // Still under implementation. DO NOT USE.
+  //
+  // Allows sending and receiving HTTP/3 METADATA frames. See [metadata
+  // docs](https://github.com/envoyproxy/envoy/blob/main/source/docs/h2_metadata.md) for more
+  // information.
+  bool allow_metadata = 6;
 }
 
 // A message to control transformations to the :scheme header

diff --git a/api/envoy/data/core/v3/health_check_event.proto b/api/envoy/data/core/v3/health_check_event.proto
@@ -35,7 +35,7 @@ enum HealthCheckerType {
   THRIFT = 4;
 }
 
-// [#next-free-field: 12]
+// [#next-free-field: 13]
 message HealthCheckEvent {
   option (udpa.annotations.versioning).previous_message_type =
       "envoy.data.core.v2alpha.HealthCheckEvent";
@@ -55,6 +55,12 @@ message HealthCheckEvent {
     // Host addition.
     HealthCheckAddHealthy add_healthy_event = 5;
 
+    // A health check was successful. Note: a host will be considered healthy either if it is
+    // the first ever health check, or if the healthy threshold is reached. This kind of event
+    // indicate that a health check was successful, but does not indicates that the host is
+    // considered healthy. A host is considered healthy if HealthCheckAddHealthy kind of event is sent.
+    HealthCheckSuccessful successful_health_check_event = 12;
+
     // Host failure.
     HealthCheckFailure health_check_failure_event = 7;
 
@@ -93,6 +99,9 @@ message HealthCheckAddHealthy {
   bool first_check = 1;
 }
 
+message HealthCheckSuccessful {
+}
+
 message HealthCheckFailure {
   option (udpa.annotations.versioning).previous_message_type =
       "envoy.data.core.v2alpha.HealthCheckFailure";

diff --git a/api/envoy/extensions/filters/http/jwt_authn/v3/config.proto b/api/envoy/extensions/filters/http/jwt_authn/v3/config.proto
@@ -54,7 +54,7 @@ option (udpa.annotations.file_status).package_version_status = ACTIVE;
 //       cache_duration:
 //         seconds: 300
 //
-// [#next-free-field: 20]
+// [#next-free-field: 22]
 message JwtProvider {
   option (udpa.annotations.versioning).previous_message_type =
       "envoy.config.filter.http.jwt_authn.v2alpha.JwtProvider";
@@ -119,6 +119,34 @@ message JwtProvider {
   //
   type.matcher.v3.StringMatcher subjects = 19;
 
+  // Requires that the credential contains an `expiration <https://tools.ietf.org/html/rfc7519#section-4.1.4>`_.
+  // For instance, this could implement JWT-SVID
+  // `expiration restrictions <https://github.com/spiffe/spiffe/blob/main/standards/JWT-SVID.md#33-expiration-time>`_.
+  // Unlike ``max_lifetime``, this only requires that expiration is present, where ``max_lifetime`` also checks the value.
+  //
+  // Example:
+  //
+  // .. code-block:: yaml
+  //
+  //     require_expiration: true
+  //
+  bool require_expiration = 20;
+
+  // Restrict the maximum remaining lifetime of a credential from the JwtProvider. Credential lifetime
+  // is the difference between the current time and the expiration of the credential. For instance,
+  // the following example will reject credentials that have a lifetime longer than 24 hours. If not set,
+  // expiration checking still occurs, but there is no limit on credential lifetime. If set, takes precedence
+  // over ``require_expiration``.
+  //
+  // Example:
+  //
+  // .. code-block:: yaml
+  //
+  //     max_lifetime:
+  //       seconds: 86400
+  //
+  google.protobuf.Duration max_lifetime = 21;
+
   // `JSON Web Key Set (JWKS) <https://tools.ietf.org/html/rfc7517#appendix-A>`_ is needed to
   // validate signature of a JWT. This field specifies where to fetch JWKS.
   oneof jwks_source_specifier {

diff --git a/bazel/external/boringssl_fips.genrule_cmd b/bazel/external/boringssl_fips.genrule_cmd
@@ -119,7 +119,9 @@ rm -rf boringssl/build
 
 # Build BoringSSL.
 cd boringssl
-mkdir build && cd build && cmake -GNinja -DCMAKE_TOOLCHAIN_FILE=${HOME}/toolchain -DFIPS=1 -DCMAKE_BUILD_TYPE=Release ..
+# Setting -fPIC only affects the compilation of the non-module code in libcrypto.a,
+# because the FIPS module itself is already built with -fPIC.
+mkdir build && cd build && cmake -GNinja -DCMAKE_TOOLCHAIN_FILE=${HOME}/toolchain -DFIPS=1 -DCMAKE_BUILD_TYPE=Release -DCMAKE_C_FLAGS="-fPIC" -DCMAKE_CXX_FLAGS="-fPIC" ..
 ninja
 ninja run_tests
 ./crypto/crypto_test

diff --git a/bazel/foreign_cc/vpp_vcl.patch b/bazel/foreign_cc/vpp_vcl.patch
@@ -1,8 +1,8 @@
 diff --git src/CMakeLists.txt src/CMakeLists.txt
-index fb4463e33..de1ef8990 100644
+index 68d0a4fe6..958918ef1 100644
 --- src/CMakeLists.txt
 +++ src/CMakeLists.txt
-@@ -31,12 +31,8 @@ include(cmake/ccache.cmake)
+@@ -50,13 +50,8 @@ include(cmake/ccache.cmake)
  ##############################################################################
  # VPP Version
  ##############################################################################
@@ -12,12 +12,12 @@ index fb4463e33..de1ef8990 100644
 -  OUTPUT_VARIABLE VPP_VERSION
 -  OUTPUT_STRIP_TRAILING_WHITESPACE
 -)
-+
-+set(VPP_VERSION 23.06-release)
- string(REPLACE "-" ";" VPP_LIB_VERSION ${VPP_VERSION})
- list(GET VPP_LIB_VERSION 0 VPP_LIB_VERSION)
-
-@@ -215,8 +211,7 @@ elseif("${CMAKE_SYSTEM_NAME}" STREQUAL "Linux")
+
++set(VPP_VERSION 24.03-dev)
+ if (VPP_PLATFORM)
+   set(VPP_VERSION ${VPP_VERSION}-${VPP_PLATFORM_NAME})
+ endif()
+@@ -277,8 +272,7 @@ elseif(${CMAKE_SYSTEM_NAME} MATCHES "Linux|FreeBSD")
    find_package(OpenSSL)
    set(SUBDIRS
      vppinfra svm vlib vlibmemory vlibapi vnet vpp vat vat2 vcl vpp-api
@@ -47,11 +47,11 @@ index 45b3944eb..b1dcc56e1 100644
 @@ -24,7 +24,7 @@ macro(add_vpp_library lib)
    set_target_properties(${lo} PROPERTIES POSITION_INDEPENDENT_CODE ON)
    target_compile_options(${lo} PUBLIC ${VPP_DEFAULT_MARCH_FLAGS})
- 
+
 -  add_library(${lib} SHARED)
 +  add_library(${lib} STATIC)
    target_sources(${lib} PRIVATE $<TARGET_OBJECTS:${lo}>)
- 
+
    if(VPP_LIB_VERSION)
 diff --git src/tools/vppapigen/CMakeLists.txt src/tools/vppapigen/CMakeLists.txt
 index 04ebed548..bfabc3a67 100644
@@ -60,7 +60,7 @@ index 04ebed548..bfabc3a67 100644
 @@ -11,22 +11,6 @@
  # See the License for the specific language governing permissions and
  # limitations under the License.
- 
+
 -find_package(
 -  Python3
 -  REQUIRED
@@ -97,15 +97,15 @@ index 2b0ce9999..f28a17302 100755
 +
  import ply.lex as lex
  import ply.yacc as yacc
- 
+
 diff --git src/vcl/CMakeLists.txt src/vcl/CMakeLists.txt
 index 610b422d1..c5e6f8ca8 100644
 --- src/vcl/CMakeLists.txt
 +++ src/vcl/CMakeLists.txt
 @@ -35,6 +35,8 @@ if (LDP_HAS_GNU_SOURCE)
    add_compile_definitions(HAVE_GNU_SOURCE)
  endif(LDP_HAS_GNU_SOURCE)
- 
+
 +file(COPY vppcom.h DESTINATION ${CMAKE_LIBRARY_OUTPUT_DIRECTORY})
 +
  add_vpp_library(vcl_ldpreload