Merge branch 'main' into remove-warninglog-dynatrace-detector

Signed-off-by: Joao Grassi <[email protected]>

.bazelrc

@@ -84,7 +84,6 @@ build:sanitizer --linkopt -ldl
 
 # Common flags for Clang
 build:clang --action_env=BAZEL_COMPILER=clang
-build:clang --action_env=CC=clang --action_env=CXX=clang++
 build:clang --linkopt=-fuse-ld=lld
 build:clang --action_env=CC=clang --host_action_env=CC=clang
 build:clang --action_env=CXX=clang++ --host_action_env=CXX=clang++
@@ -202,6 +201,7 @@ build:libc++ --action_env=BAZEL_CXXOPTS=-stdlib=libc++
 build:libc++ --action_env=BAZEL_LINKLIBS=-l%:libc++.a:-l%:libc++abi.a
 build:libc++ --action_env=BAZEL_LINKOPTS=-lm:-pthread
 build:libc++ --define force_libcpp=enabled
+build:clang-libc++ --config=libc++
 
 build:libc++20 --config=libc++
 # gRPC has a lot of deprecated-enum-enum-conversion warning. Remove once it is addressed

VERSION.txt

@@ -1 +1 @@
-1.30.0-dev
+1.31.0-dev

bazel/external/boringssl_fips.genrule_cmd

@@ -1,6 +1,6 @@
 #!/usr/bin/env bash
 
-set -e
+set -eo pipefail
 
 export CXXFLAGS=''
 export LDFLAGS=''
@@ -21,6 +21,7 @@ fi
 # ROOT=$(dirname $(rootpath boringssl/BUILDING.md))/..
 ROOT=./external/boringssl_fips
 pushd "$ROOT"
+export HOME="$PWD"
 
 # Build tools requirements (from section 12.1 of https://csrc.nist.gov/CSRC/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp4407.pdf):
 # - Clang compiler version 12.0.0 (https://releases.llvm.org/download.html)
@@ -29,7 +30,7 @@ pushd "$ROOT"
 # - Cmake version 3.20.1 (https://cmake.org/download/)
 
 # Override $PATH for build tools, to avoid picking up anything else.
-export PATH="$(dirname `which cmake`):/usr/bin:/bin"
+export PATH="/usr/bin:/bin"
 
 # Clang
 VERSION=12.0.0
@@ -42,9 +43,9 @@ else
 fi
 
 curl -sLO https://github.com/llvm/llvm-project/releases/download/llvmorg-"$VERSION"/clang+llvm-"$VERSION"-"$PLATFORM".tar.xz
+echo "$SHA256" clang+llvm-"$VERSION"-"$PLATFORM".tar.xz | sha256sum --check
 tar xf clang+llvm-"$VERSION"-"$PLATFORM".tar.xz
 
-export HOME="$PWD"
 printf "set(CMAKE_C_COMPILER \"clang\")\nset(CMAKE_CXX_COMPILER \"clang++\")\n" > ${HOME}/toolchain
 export PATH="$PWD/clang+llvm-$VERSION-$PLATFORM/bin:$PATH"
 

bazel/repositories.bzl

@@ -37,8 +37,8 @@ WINDOWS_SKIP_TARGETS = [
 NO_HTTP3_SKIP_TARGETS = [
     "envoy.quic.crypto_stream.server.quiche",
     "envoy.quic.deterministic_connection_id_generator",
-    "envoy.quic.crypto_stream.server.quiche",
     "envoy.quic.proof_source.filter_chain",
+    "envoy.quic.server_preferred_address.fixed",
 ]
 
 # Make all contents of an external repository accessible under a filegroup.  Used for external HTTP

changelogs/summary.md

@@ -1,23 +1,24 @@
 **Summary of changes**:
 
-* Envoy Mobile can now be built without C++ exceptions using the `--define=envoy_exceptions=disabled` Bazel flag.
-* Add the logical `OR` operation to value matchers.
-* Add xDS support for Envoy Mobile Android (AAR) library.
-* Add configurable HTTP status when a global rate limit service fails.
-* Opentelemetry tracer: add support for environment resource detector.
-* Added HTTP basic auth extension.
-* Add support for ext_authz to send route metadata.
-* Allow per route body buffering configuration in ext_authz.
-* Datadog: honor extracted sampling decisions to avoid dropping samples.
-* gRPC side streams: make idle connection timeout configurable.
-* Support CEL expressions in ext_proc for extraction of request or response atributes.
-* HTTP: clear hop by hop `Transfer-Encoding` header.
-* Redis: Add support for the `WATCH` and `GETDEL` commands.
-* Adds strict mode for stateful session filter, that rejects requests if destination host is not available.
-* Internal redirects: support passing headers from response to request.
-* Add implementation of the `drop_overload` Cluster API.
-* HTTP/2: discard the `Host` header when `:authority` is present.
-* grpc_http1_bridge: add `<ignore_query_params>` option.
-* Access Log: Add `EMIT_TIME` command operator.
-* ECDS now supports composite filter.
-* Enable new oghttp2 codec for HTTP/2 connections.
+* Removed the Swift/C++ interop layer in Envoy Mobile.
+* Addd retry policy to ext_proc.
+* Added HTTP downstream remote reset response flag.
+* Added support for the Fluentd access logger.
+* Introduced `MemoryAllocatorManager` to configure heap memory release rate.
+* Envoy Mobile added `CONNECT` Proxy support for iOS.
+* Redis: support echo command.
+* Envoy Mobile setting QUIC newtowrk idle timeout to 30 seconds.
+* Sending server preferred address to non-QUICHE clients.
+* Avoid concatenation of JWT duplicated headers.
+* HTTP: Keep `Transfer-Encoding` header for `trailers`.
+* Envoy Mobile setting the socket receive buffer to 1MB for QUIC.
+* Added `FULL_SCAN` support to least-request load-balancing algorithm.
+* aws_lambda and ext_proc filters can be used as an upstream filter.
+* Hosts marked as draining in and EDS update are now excluded.
+* Envoy Mobile supports log-levels.
+* Added support for URI tempate matching for RBAC.
+* Fixed load balancing initialization bug.
+* Supporting `%UPSTREAM_CONNECTION_ID%` in access logs.
+* Added request and response attributes support to ext_proc.
+* Added support sending dynamic metadata to ext_proc.
+* Re-enable the nghttp2 codec for HTTP/2 connections by default.

ci/Dockerfile-envoy

@@ -1,5 +1,5 @@
 ARG BUILD_OS=ubuntu
-ARG BUILD_TAG=22.04@sha256:77906da86b60585ce12215807090eb327e7386c8fafb5402369e421f44eff17e
+ARG BUILD_TAG=22.04@sha256:1b8d8ff4777f36f19bfe73ee4df61e3a0b789caeff29caa019539ec7c9a57f95
 ARG ENVOY_VRP_BASE_IMAGE=envoy-base
 
 

ci/build_setup.sh

@@ -35,31 +35,6 @@ echo "ENVOY_SRCDIR=${ENVOY_SRCDIR}"
 echo "ENVOY_BUILD_TARGET=${ENVOY_BUILD_TARGET}"
 echo "ENVOY_BUILD_ARCH=${ENVOY_BUILD_ARCH}"
 
-function setup_clang_toolchain() {
-  if [[ -n "$CLANG_TOOLCHAIN_SETUP" ]]; then
-    return
-  fi
-  export CLANG_TOOLCHAIN_SETUP=1
-  ENVOY_STDLIB="${ENVOY_STDLIB:-libc++}"
-  if [[ -z "${ENVOY_RBE}" ]]; then
-    if [[ "${ENVOY_STDLIB}" == "libc++" ]]; then
-      BAZEL_BUILD_OPTIONS+=("--config=libc++")
-    else
-      BAZEL_BUILD_OPTIONS+=("--config=clang")
-    fi
-  else
-    if [[ "${ENVOY_STDLIB}" == "libc++" ]]; then
-      BAZEL_BUILD_OPTIONS+=("--config=remote-clang-libc++")
-    else
-      BAZEL_BUILD_OPTIONS+=("--config=remote-clang")
-    fi
-  fi
-
-  BAZEL_BUILD_OPTION_LIST="${BAZEL_BUILD_OPTIONS[*]}"
-  export BAZEL_BUILD_OPTION_LIST
-  echo "clang toolchain with ${ENVOY_STDLIB} configured"
-}
-
 if [[ -z "${BUILD_DIR}" ]]; then
     echo "BUILD_DIR not set - defaulting to ~/.cache/envoy-bazel" >&2
     BUILD_DIR="${HOME}/.cache/envoy-bazel"

ci/do_ci.sh

@@ -75,7 +75,6 @@ retry () {
     done
 }
 
-
 if [[ "${ENVOY_BUILD_ARCH}" == "x86_64" ]]; then
   BUILD_ARCH_DIR="/linux/amd64"
 elif [[ "${ENVOY_BUILD_ARCH}" == "aarch64" ]]; then
@@ -85,6 +84,23 @@ else
   BUILD_ARCH_DIR="/linux/${ENVOY_BUILD_ARCH}"
 fi
 
+setup_clang_toolchain() {
+    CONFIG_PARTS=()
+    if [[ -n "${ENVOY_RBE}" ]]; then
+        CONFIG_PARTS+=("remote")
+    fi
+    CONFIG_PARTS+=("clang")
+    ENVOY_STDLIB="${ENVOY_STDLIB:-libc++}"
+    if [[ "${ENVOY_STDLIB}" == "libc++" ]]; then
+        CONFIG_PARTS+=("libc++")
+    fi
+    CONFIG="$(IFS=- ; echo "${CONFIG_PARTS[*]}")"
+    BAZEL_BUILD_OPTIONS+=("--config=${CONFIG}")
+    BAZEL_BUILD_OPTION_LIST="${BAZEL_BUILD_OPTIONS[*]}"
+    export BAZEL_BUILD_OPTION_LIST
+    echo "clang toolchain with ${ENVOY_STDLIB} configured: ${CONFIG}"
+}
+
 function collect_build_profile() {
     local output_base
     declare -g build_profile_count=${build_profile_count:-1}
@@ -257,6 +273,7 @@ case $CI_TARGET in
         # which is built with libstdc++. Using libstdc++ for whole of the API CI job to avoid unnecessary rebuild.
         ENVOY_STDLIB="libstdc++"
         setup_clang_toolchain
+        export CLANG_TOOLCHAIN_SETUP=1
         export LLVM_CONFIG="${LLVM_ROOT}"/bin/llvm-config
         echo "Run protoxform test"
         bazel run "${BAZEL_BUILD_OPTIONS[@]}" \
@@ -282,7 +299,9 @@ case $CI_TARGET in
         ;&
 
     api.go)
-        setup_clang_toolchain
+        if [[ -z "$CLANG_TOOLCHAIN_SETUP" ]]; then
+            setup_clang_toolchain
+        fi
         GO_IMPORT_BASE="github.com/envoyproxy/go-control-plane"
         GO_TARGETS=(@envoy_api//...)
         read -r -a GO_PROTOS <<< "$(bazel query "${BAZEL_GLOBAL_OPTIONS[@]}" "kind('go_proto_library', ${GO_TARGETS[*]})" | tr '\n' ' ')"
@@ -775,7 +794,6 @@ case $CI_TARGET in
         ;;
 
     msan)
-        ENVOY_STDLIB=libc++
         setup_clang_toolchain
         # rbe-toolchain-msan must comes as first to win library link order.
         BAZEL_BUILD_OPTIONS=(

ci/verify_examples.sh

@@ -17,6 +17,8 @@ FLAKY_SANDBOXES=(
     local_ratelimit
     # https://github.com/envoyproxy/envoy/issues/31333
     locality-load-balancing
+    # https://github.com/envoyproxy/envoy/issues/33533
+    lua-cluster-specifier
     # https://github.com/envoyproxy/envoy/issues/28541
     wasm-cc
     # https://github.com/envoyproxy/envoy/issues/28546

contrib/generic_proxy/filters/network/source/router/router.cc

@@ -502,7 +502,13 @@ void UpstreamRequest::onUpstreamSuccess(Upstream::HostDescriptionConstSharedPtr
 
   if (span_ != nullptr) {
     TraceContextBridge trace_context{*parent_.request_stream_};
-    span_->injectContext(trace_context, upstream_info_->upstream_host_);
+    Tracing::UpstreamContext upstream_context(
+        upstream_info_->upstream_host_.get(),       // host_
+        &upstream_info_->upstream_host_->cluster(), // cluster_
+        Tracing::ServiceType::Unknown,              // service_type_
+        false                                       // async_client_span_
+    );
+    span_->injectContext(trace_context, upstream_context);
   }
 
   sendRequestStartToUpstream();

envoy/tracing/trace_driver.h

@@ -14,6 +14,47 @@ namespace Tracing {
 class Span;
 using SpanPtr = std::unique_ptr<Span>;
 
+/**
+ * The upstream sevice type.
+ */
+enum class ServiceType {
+  // Service type is unknown.
+  Unknown,
+  // Service is treated as HTTP.
+  Http,
+  // Service is treated as GoogleGrpc.
+  GoogleGrpc,
+  // Service is treated as EnvoyGrpc.
+  EnvoyGrpc
+};
+
+/**
+ * Contains upstream context information essential for the injectContext process.
+ *
+ * @param host Optional reference to the upstream host description.
+ * @param cluster Optional reference to the upstream cluster information.
+ * @param service_type The type of service the upstream context relates to.
+ * @param async_client_span Indicates if the injectContext originates from an asynchronous
+ * client.
+ */
+struct UpstreamContext {
+  UpstreamContext(const Upstream::HostDescription* host = nullptr,
+                  const Upstream::ClusterInfo* cluster = nullptr,
+                  const ServiceType service_type = ServiceType::Unknown,
+                  const bool async_client_span = false)
+      : host_(makeOptRefFromPtr(host)), cluster_(makeOptRefFromPtr(cluster)),
+        service_type_(service_type), async_client_span_(async_client_span) {}
+
+  OptRef<const Upstream::HostDescription> host_;
+  OptRef<const Upstream::ClusterInfo> cluster_;
+  const ServiceType service_type_;
+
+  // TODO(botengyao): further distinction for the shared upstream code path can be
+  // added if needed. Setting this flag to true only means it is called from async
+  // client at current stage.
+  const bool async_client_span_;
+};
+
 /**
  * Basic abstraction for span.
  */
@@ -51,10 +92,9 @@ class Span {
    * Mutate the provided headers with the context necessary to propagate this
    * (implementation-specific) trace.
    * @param request_headers the headers to which propagation context will be added
-   * @param upstream connecting host description
+   * @param upstream upstream context info
    */
-  virtual void injectContext(TraceContext& trace_conext,
-                             const Upstream::HostDescriptionConstSharedPtr& upstream) PURE;
+  virtual void injectContext(TraceContext& trace_conext, const UpstreamContext& upstream) PURE;
 
   /**
    * Create and start a child Span, with this Span as its parent in the trace.

examples/mysql/Dockerfile-mysql

@@ -1 +1 @@
-FROM mysql:8.3.0@sha256:0f2e15fb8b47db2518b1428239ed3e3fe6a6693401b2cf19552063562cfc2fc4
+FROM mysql:8.3.0@sha256:203a051f50657d045108fa38a438a109101500d42b7ac4c03d399fcce43c4f2f