auto-merge envoyproxy/envoy[main] into envoyproxy/envoy-openssl[main] #273

Signed-off-by: Kevin Baichoo <[email protected]>

Commit Message: context: use server factory context as lb context Additional Description: 1. Simplify the context. We needn't more and more factory context. 2. allow the lb to access other API like runtime when loading configuration. NOTE: This PR also changed the signature of the loadConfig() method. The message validator is removed and you can use the messageValidationVisitor() of the input factory context to validate the proto message. Risk Level: low. Testing: n/a. Docs Changes: n/a. Release Notes: n/a. --------- Signed-off-by: wangbaiping(wbpcode) <[email protected]>

…813) Signed-off-by: Greg Greenway <[email protected]>

Commit Message: Fix parameter type in JNI function Additional Description: The parameter is declared as int in https://github.com/envoyproxy/envoy/blob/main/mobile/library/java/io/envoyproxy/envoymobile/engine/JniLibrary.java#L309, implementing it with jlong will cause undefined behavior and potential crashes. Risk Level: low Testing: n/a Docs Changes: n/a Release Notes: n/a Platform Specific Features: mobile only Signed-off-by: Renjie Tang <[email protected]>

Signed-off-by: Ryan Northey <[email protected]>

Fixes #35524 Signed-off-by: Zhimeng Shi <[email protected]>

Signed-off-by: Ryan Northey <[email protected]>

Signed-off-by: dependency-envoy[bot] <148525496+dependency-envoy[bot]@users.noreply.github.com>

…n to clear the route cache (#36671) Commit Message: wasm: removed automatical route refreshment and add a foreign function to clear the route cache Additional Description: Here are the reasons to do this change: 1. It make it's impossible to only mofify the host or path or some headers but don't effect the route result. 2. Basically, refreshing route is not encouraged. Even the filters (ext_authz, jwt_authz, ext_proc, etc) who acutally need or want to clear the route cache will also provide a flag (and basically default to `false`) to control the behavior. 3. Refreshing route have big effect to the traffic and should only be done explicitly (code or configurations), we should never change it implicitly. Risk Level: low. Testing: n/a. Docs Changes: n/a. Release Notes: n/a. Platform Specific Features: n/a. --------- Signed-off-by: wangbaiping/wbpcode <[email protected]> Signed-off-by: wangbaiping(wbpcode) <[email protected]>

…(#36836) Signed-off-by: Adi Suissa-Peleg <[email protected]>

Signed-off-by: Ryan Northey <[email protected]>

…786) Commit Message: Remove unused listener FilterChain on_demand_configuration field Additional Description: API added in envoyproxy/envoy#12599 but the implementation was abandoned in envoyproxy/envoy#12310. The `FilterChain.OnDemandConfiguration` message still shows up in docs, which is confusing: https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/listener/v3/listener_components.proto.html#config-listener-v3-filterchain-ondemandconfiguration Risk Level: low Testing: none Docs Changes: none Release Notes: Removed unused `config.listener.v3.FilterChain.OnDemandConfiguration` message Platform Specific Features: none Signed-off-by: Lann Martin <[email protected]>

Commit Message: router: converting internal_only_headers from list to vector Additional Description: Converting the use of std::list to std::vector for internal_only_headers. Typically std::vector is better than std::list in many aspects, so changing the non-mutable list to vector makes more sense. Risk Level: low - refactor only Testing: N/A Docs Changes: N/A Release Notes: N/A Platform Specific Features: N/A Signed-off-by: Adi Suissa-Peleg <[email protected]>

Signed-off-by: Ryan Northey <[email protected]>

supportsIpTransparent() and supportsMptcp() results depend on the OS being run on and the configuration of that OS, so remove the expectation of a specific value from the tests so that they'll pass in all environments. Signed-off-by: Greg Greenway <[email protected]>

…nges (#36702) Commit Message: srds: remove scope from scope_name_by_hash_ in case the scope key changes Additional Description: When a SRDS resource is updated such that its scope key changes, the scope_name_by_hash_ map used to detect scope key conflicts keeps the resource around under the old hash. This may cause spurious conflicts if the resource is removed and/or a resource is added with the old key, as demonstrated in the included tests. Risk Level: low Testing: CI, also added a DeltaXDS version of the test Docs Changes: n/a Release Notes: n/a Platform Specific Features: n/a --------- Signed-off-by: Eugene Chan <[email protected]> Signed-off-by: pianiststickman <[email protected]>

Risk Level: low Testing: updated tests Docs Changes: n/a Release Notes: n/a envoyproxy/envoy-mobile#176 Signed-off-by: Alyssa Wilk <[email protected]>

add OLM scaling for max_connection_duration This allows for configuring scaling the max connection duration in response to overload. Risk Level: low Testing: integration & unit tests Docs Changes: none Release Notes: in changelog --------- Signed-off-by: antoniovleonti <[email protected]>

…(#36926) Adding a test to validate that the expected stat is incremented when the server certificate chain is too long to send to the client in the first round trip. Risk Level: Low --------- Signed-off-by: Greg Greenway <[email protected]>

…905) Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

…6906) Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

Fix #36908 Signed-off-by: dependency-envoy[bot] <148525496+dependency-envoy[bot]@users.noreply.github.com>

Fix #36909 Signed-off-by: dependency-envoy[bot] <148525496+dependency-envoy[bot]@users.noreply.github.com>

… (#36935) Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

Signed-off-by: Ryan Northey <[email protected]>

Risk Level: low Testing: updated tests Docs Changes: n/a Release Notes: n/a envoyproxy/envoy-mobile#176 Signed-off-by: Alyssa Wilk <[email protected]>

Risk Level: high Testing: adapted tests previously Docs Changes: yes Release Notes: yes --------- Signed-off-by: Alyssa Wilk <[email protected]>

…on (#36703) Commit Message: permit dynamic SRDS resources to contain inline RDS configuration Additional Description: Currently, scoped_routes specified inline into the HCM may only contain inline route_configuration, and scoped_routes that are delivered via SRDS may only contain route_configuration_name which is used to open an RDS subscription. This PR permits resources delivered via SRDS to contain inline RouteConfiguration, forgoing the RDS subscription. Risk Level: low Testing: CI & integration Docs Changes: n/a Release Notes: n/a Platform Specific Features: n/a --------- Signed-off-by: Eugene Chan <[email protected]>

Resolve #36037 Commit Message: Support dynamic cluster selection per session in UDP proxy Additional Description: More details in envoyproxy/envoy#36037 Risk Level: low Testing: integration test Docs Changes: Release Notes: Platform Specific Features: --------- Signed-off-by: Issa Abu Kalbein <[email protected]> Signed-off-by: IssaAbuKalbein <[email protected]> Co-authored-by: Issa Abu Kalbein <[email protected]>

…6809) Commit Message: This change fixes envoyproxy/envoy#28826. Some additional discussions for context can be found in proxy-wasm/proxy-wasm-cpp-host#423. The issue reported in envoyproxy/envoy#28826 happens when proxy-wasm plugin calls proxy_send_local_response during the HTTP request proessing and HTTP response processing. This happens because in attempt to mitigate a use-after-free issue (see envoyproxy/envoy#23049) we added logic to proxy-wasm that avoids calling sendLocalReply multiple times. So now when proxy-wasm plugin calls proxy_send_local_response only the first call will result in sendLocalReply, while all subsequent calls will get ignored. At the same time, when proxy-wasm plugins call proxy_send_local_response, because it's used to report an error in the plugin, proxy-wasm also stops iteration. During HTTP request processing this leads to the following chain of events: 1. During request proxy-wasm plugin calls proxy_send_local_response 2. proxy_send_local_response calls sendLocalReply, which schedules the local reply to be processed later through the filter chain 3. Request processing filter chain gets aborted and Envoy sends the previous created local reply though the filter chain 4. Proxy-wasm plugin gets called to process the response it generated and it calls proxy_send_local_response 5. proxy_send_local_response **does not** call sendLocalReply, because proxy-wasm prevents multiple calls to sendLocalReply currently 6. proxy-wasm stops iteration So in the end the filter chain iteration is stopped for the response and because proxy_send_local_respose does not actually call sendLocalReply we don't send another locally generated response either. I think we can do slightly better and close the connection in this case. This change includes the following parts: 1. Partial rollback of envoyproxy/envoy#23049 2. Tests covering this case and some other using the actual FilterManager. The most important question is why rolling back envoyproxy/envoy#23049 now is safe? The reason why it's safe, is that since introduction of prepareLocalReplyViaFilterChain in envoyproxy/envoy#24367, calling sendLocalReply multiple times is safe - that PR basically address the issue in a generic way for all the plugins, so a proxy-wasm specific fix is not needed anymore. On top of being safe, there are additional benefits to making this change: 1. We don't end up with a stuck connection in case of errors, which is slightly better 2. We remove a failure mode from proxy_send_local_response that was introduced in envoyproxy/envoy#23049 - which is good, because proxy-wasm plugins don't have a good fallback when proxy_send_local_response is failing. Finally, why replace the current mocks with a real FilterManager? Mock implementation of sendLocalReply works fine for tests that just need to assert that sendLocalReply gets called. However, in this case we rely on the fact that it's safe to call sendLocalReply multiple times and it will do the right thing and we want to assert that the connection will get closed in the end - that cannot be tested by just checking that the sendLocalReply gets called or by relying on a simplistic mock implementation of sendLocalReply. Additional Description: Risk Level: low Testing: Manually, by reproducing the case reported in envoyproxy/envoy#28826. I also added new unit tests and verified that they pass and aren't flaky: ``` bazel test --runs_per_test=1000 //test/extensions/common/wasm:all --config=docker-clang ``` Docs Changes: N/A Release Notes: N/A Platform Specific Features: N/A Fixes #28826 --------- Signed-off-by: Mikhail Krinkin <[email protected]>

Signed-off-by: Ryan Northey <[email protected]>

Risk Level: n/a (tools only) Testing: n/a Docs Changes: n/a Release Notes: n/a Signed-off-by: Alyssa Wilk <[email protected]>

Change-Id: I171afa0d240065d3f4872730fc71d70a46c03a93 Commit Message: remove listener info accessors in plugin config since they are dead code Risk Level: low Signed-off-by: Kuat Yessenov <[email protected]>

Commit Message: golang: provide method to refresh route cache Additional Description: Risk Level: Low, add new method Testing: Integration Docs Changes: Release Notes: Platform Specific Features: [Optional Runtime guard:] Fixes #36848 [Optional Fixes commit #PR or SHA] [Optional Deprecated:] [Optional [API Considerations](https://github.com/envoyproxy/envoy/blob/main/api/review_checklist.md):] --------- Signed-off-by: spacewander <[email protected]>

This PR adds the API for HTTP APIKey Auth Filter that is proposed at envoyproxy/envoy#34877 and envoyproxy/gateway#2630. Commit Message: api: HTTP APIKey Auth Filter Risk Level: Low (only API) Testing: WIP (will be done after we agree on the API) Docs Changes: WIP Release Notes: WIP Platform Specific Features: No Part of: #34877 --------- Signed-off-by: Kensei Nakada <[email protected]> Signed-off-by: wangbaiping(wbpcode) <[email protected]> Co-authored-by: wangbaiping(wbpcode) <[email protected]>

Risk Level: low Testing: updated tests Docs Changes: n/a Release Notes: n/a envoyproxy/envoy-mobile#176 Signed-off-by: Alyssa Wilk <[email protected]>

Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

…… (#36922) reinstating a false-by-default (true on android) runtime guard. Risk Level: should be a no-op for anything but android Testing: n/a Docs Changes: n/a Release Notes: n/a Signed-off-by: Alyssa Wilk <[email protected]>

Commit Message: matchers: remove unneeded ListMatcher data member Additional Description: Removed a protobuf that was kept as a data member but only used in the c'tor. Risk Level: low Testing: N/A Docs Changes: N/A Release Notes: N/A Platform Specific Features: N/A Signed-off-by: Adi Suissa-Peleg <[email protected]>

Signed-off-by: Ryan Northey <[email protected]>

An extraneous if block was introduced merging #36702 into #36703. We're checking this condition above in L282, so this block should never be executed. Commit Message: remove a redundant if block Additional Description: n/a Risk Level: low Testing: existing CI Docs Changes: n/a Release Notes: n/a Platform Specific Features: n/a Signed-off-by: Eugene Chan <[email protected]>

Signed-off-by: Adi Suissa-Peleg <[email protected]>

Currently this breaks running `bazel aquery "deps(...)"` - not sure why Signed-off-by: Ryan Northey <[email protected]>

Risk Level: medium Testing: updated tests Docs Changes: n/a Release Notes: n/a envoyproxy/envoy-mobile#176 Signed-off-by: Alyssa Wilk <[email protected]>

Fixes #12954 Signed-off-by: Rama Chavali <[email protected]>

Signed-off-by: Ryan Northey <[email protected]>

Signed-off-by: dependency-envoy[bot] <148525496+dependency-envoy[bot]@users.noreply.github.com>

Signed-off-by: Adi Suissa-Peleg <[email protected]>

…derData (#36878) Signed-off-by: Adi Suissa-Peleg <[email protected]>

Commit Message: Add cancelWrapper helper function in /common. Additional Description: In the cache filter implementation where there are multiple async streams and objects in flight any of which can be aborted from outside the filter's own flow, it's convenient and clear to have a cancel operation performed on being destroyed, rather than inferring "don't call the callback" from a `weak_ptr` (which can do the wrong thing in that onDestroy can happen before destructor, and is verbose and repetitive). Implementing these cancellation functions manually every time is also error-prone and repetitive. This introduces a reusable wrapper template to facilitate cancellable callbacks. Risk Level: None, no change to production code yet. Testing: Unit tested. Docs Changes: n/a Release Notes: n/a Platform Specific Features: n/a --------- Signed-off-by: Raven Black <[email protected]>

Commit Message: Enabling envoy test cases by adding missing options for s390x Additional Description: envoy test cases were enabled for s390x, so included the missing options Signed-off-by: Surender Yadav <[email protected]>

This PR make the tests `HTTPRequestUsingProxyTest.swift` hermetic since it's causing 403 issues when hitting external URLs, for example: - https://github.com/envoyproxy/envoy/actions/runs/11671611154/job/32500065249 - https://github.com/envoyproxy/envoy/actions/runs/11670461951/job/32494723883 This PR also fixes and enables `testHTTPSRequestUsingProxy` test that was previously disabled. Risk Level: low (tests only) Testing: unit test Docs Changes: n/a Release Notes: n/a Platform Specific Features: n/a --------- Signed-off-by: Fredy Wijaya <[email protected]>

Update QUICHE from 5621f6366 to aaf48d2e5 https://github.com/google/quiche/compare/5621f6366..aaf48d2e5 ``` $ git log 5621f6366..aaf48d2e5 --date=short --no-merges --format="%ad %al %s" 2024-11-04 asedeno MASQUE: add tap bridging support for CONNECT-ETHERNET 2024-11-04 quiche-dev Fix the issue that -Wrange-loop-construct higlighted in quiche. 2024-11-01 martinduke Send raw counts of reported ECN marks in QUIC ACK frames to the debugger. 2024-11-01 wub No public description 2024-11-01 quiche-dev Mark sec-authenticated-request-headers as a repeated header 2024-10-31 ricea Remove a stray semi-colon from quiche_protocol_flags_list.h 2024-10-31 birenroy Adds unit tests for clients handling END_STREAM after 1xx headers without final response headers. 2024-10-29 wub Add transport parameter 'discard' to QUIC and switch connection option `CHP1` and `CHP2` to use it. 2024-10-29 rch Record stats when forward progress is made on a QUIC connection after changing the flow label on PTO. 2024-10-29 vasilvv Implement QuicAlarmMultiplexer. 2024-10-28 wub Deprecate gfe2_reloadable_flag_quic_add_ssl_error_stack_to_error_detail. 2024-10-28 martinduke Parser/Framer for MoQT FETCH Stream messages. 2024-10-28 martinduke Delete Subscribe ID from MoQT Object headers ``` --------- Signed-off-by: Fredy Wijaya <[email protected]>

PR updates the location of the envoy's build folder which was moved from `envoy-build-tools` to `docker`. Signed-off-by: Emmanuel Ferdman <[email protected]>

Signed-off-by: Ryan Northey <[email protected]>

Commit Message: kafka: close connection when rejectable request appears Additional Description: provides envoyproxy/envoy#36978 by making the broker filter check the requests' API key against allow/denylists in the config - if we find a request to reject, we just close the connection. There is also a bonus: this sets up a framework for "_close connection if we don't like the request_" that we can expand upon later. Risk Level: Low Testing: automated (no filtering) + manual (filtering) Docs Changes: Kafka broker .rst Release Notes: n/a Platform Specific Features: n/a --------- Signed-off-by: Adam Kotwasinski <[email protected]>

- Remove obsolete TODO. Refactor is not needed as we will need add a new isClosed() helper fucntion which is virtual function and will be invoked multiple layers/classes. - Use isEnvoyGrpc helper in the test Signed-off-by: tyxia <[email protected]>

Fix #36843 Signed-off-by: Ryan Northey <[email protected]>

the `envoy_package` rule works against bazel's visibility system by just making everything visible - which is a bit of an anti-pattern - but it also pulls in a lot of unused/unnecessary deps when accessing tools Signed-off-by: Ryan Northey <[email protected]>

Commit Message: wasm: remove the shutdown callback in lifetime_notifier Fixes: #35882 --------- Signed-off-by: Boteng Yao <[email protected]>

Commit Message: Downstream apply back pressure to Sidestream and Upstream when downstream buffers are overrun. Risk Level: Low, whole flow control is runtime guarded Testing: Unit test; ext_proc integration test: sidestream response to downstream triggers the back pressure. Docs Changes: N/A Release Notes: N/A Platform Specific Features: N/A --------- Signed-off-by: tyxia <[email protected]>

…(#36994) Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

See istio/istio#53426. Istio has used underscores in their SNI since the beginning and it is critical to its functionality. Usage of underscores in SNI is a bit of a grey area in the RFCs, which are extremely under-specified wrt to what exactly is the allowed formats. However, the de-facto standard is to allow them, as virtually every TLS library does so (including, but not limited to, Golang, rustls, openssl, boringssl). This PR loosens the restriction to additionally allow underscores. Note the intent of the SNI restrictions was not RFC compliance, etc -- but rather to fix [log injection](GHSA-p222-xhp9-39rc) attacks (putting ANSI escapes, HTML, etc) into logs. This change does not loosen the security properties we hoped to gain with the initial patch. Signed-off-by: John Howard <[email protected]>

**Commit Message**: add `upstream.request_attempt_count` to get the number of times a request is attempted upstream **Additional Description**: Added a new attribute to extract `upstream.request_attempt_count` from the `StreamInfo()`. This could be used in CEL Matcher for access log filtering. **Risk Level**: Low **Testing:** Added Unit Tests **Docs Changes:** Added **Release Notes:** Added --------- Signed-off-by: Rohit Agrawal <[email protected]> Signed-off-by: Rohit Agrawal <[email protected]>

Part of #21595 Risk Level: low Signed-off-by: Gustavo <[email protected]>

Followup to #36938, in debug builds, enforcing the directive that callbacks and cancellations must be on the same thread. Signed-off-by: Raven Black <[email protected]>

Adds a release note for envoyproxy/envoy#36950 (comment) Signed-off-by: John Howard <[email protected]>

Signed-off-by: Ryan Northey <[email protected]>

…#37013) Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: Ryan Northey <[email protected]>

Signed-off-by: Ryan Northey <[email protected]>

Workaround for #36984 Signed-off-by: Ryan Northey <[email protected]>

Signed-off-by: spacewander <[email protected]>

…ts (#36998) Signed-off-by: Greg Greenway <[email protected]>

This also includes a gRPC dependency update. Signed-off-by: Greg Greenway <[email protected]>

With reference to PR envoyproxy/envoy#36915 by mistake added the .cc extension instead of the .h extension. So fixing the extension to (options_impl_platform_linux.h). Signed-off-by: Surender Yadav <[email protected]>

@type

…36434) # Description This change adds support for specifying an optional header to ip-tagging filter instead of the default header that it uses (`x-envoy-ip-tags`). example ``` http_filters - name: ip.tagging typed_config: "@type": type.googleapis.com/envoy.extensions.filters.http.ip_tagging.v3.IPTagging request_type: BOTH ip_tag_header: "x-slack-foo-bar" ip_tags: [] ``` # Why Currently, the ip-tagging filter always writes its output into the `x-envoy-ip-tags` header. When this filter is used for more than one purpose in the same filter chain which we do at Slack in our production environment, we do need to take care of cleaning up the header in between which has been proven a bit tricky sometimes. Leaking the values in between the filter chain is bad so we try to avoid that. We would like this to be configurable. This way we can use the optional header instead of trying the use the same header however many times the same filter is used on the same filter chain in a listener. # Risk Level this is a new feature, doesn't affect the existing functionality so guessing low but open to changing if I'm wrong. # Testing added test Docs Changes: Added, alongside release notes Co-authored-by: Ariane van der Steldt [[email protected]](mailto:[email protected]) Signed-off-by: Radha Kumari [[email protected]](mailto:[email protected]) --------- Signed-off-by: Radha Kumari <[email protected]> Signed-off-by: Radha <[email protected]> Signed-off-by: Radha <[email protected]> Signed-off-by: Ariane van der Steldt <[email protected]> Co-authored-by: Adi (Suissa) Peleg <[email protected]> Co-authored-by: Ariane van der Steldt <[email protected]>

Risk Level: low Testing: updated tests Docs Changes: n/a Release Notes: n/a envoyproxy/envoy-mobile#176 Signed-off-by: Alyssa Wilk <[email protected]>

ext_proc: refactoring onData() to make it modularized based on the comments: https://github.com/envoyproxy/envoy/pull/34942/files#r1829466794 Fixes: issue: #36970 --------- Signed-off-by: Yanjun Xiang <[email protected]>

Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

Signed-off-by: dependency-envoy[bot] <148525496+dependency-envoy[bot]@users.noreply.github.com>

For cel, envoy_toolshed, fmt, protoc-gen-jsonschema, shellcheck rules Risk Level: Low Docs Changes: add and fix license URLs of external components Signed-off-by: Michael Kaufmann <[email protected]>

…… (#36947) ## Background We recently saw a small number of DNS queries getting timed out. There is currently no option for us to [initialize c-ares](https://c-ares.org/ares_init_options.html) by passing in a custom [timeout](https://c-ares.org/ares_init_options.html#:~:text=c%2Dares%201.5.2.-,ARES_OPT_TIMEOUTMS,-int%20timeout%3B) and [tries](https://c-ares.org/ares_init_options.html#:~:text=c%2Dares%201.5.2.-,ARES_OPT_TRIES,-int%20tries%3B) config options. ## Changes In this PR, we are adding two new options in c-ares resolver for configuring custom timeouts and tries while resolving DNS queries. Custom timeouts could be configured by specifying `query_timeout_seconds` option and custom tries could be configured by specifying `query_tries` config option. **Commit Message:** dns resolver: add options to initialize c-ares with custom timeout and tries **Additional Description:** add two new options called `query_timeout_seconds` and `query_tries` for initializing c-ares with custom timeout and tries. **Risk Level:** Low **Testing:** Added Unit/Integration Tests **Docs Changes:** Added **Release Notes:** Added **Platform Specific Features:** N/A --------- Signed-off-by: Rohit Agrawal <[email protected]>

## Description Add additional unit tests to cover edge cases in DNS cache. --- **Commit Message:** dns_cache: add more unit tests **Additional Description:** Added a few more tests to cover edge scenarios in DNS cache implementation. **Risk Level:** Very Low **Testing:** Added **Docs Changes:** N/A **Release Notes:** N/A Signed-off-by: Rohit Agrawal <[email protected]>

Commit Message: Remove extraneous target source/common/common:xds_manager_lib Fairly sure that this was introduced in #36768 by mistake. I can't find any references to the target, `source/common/common/xds_manager_impl.{h,c}` don't exist. Signed-off-by: Steven Jin Xuan <[email protected]>

build file change removing an unnecessary (and disallowed) extension dependency. Risk Level: low Testing: n/a Docs Changes: n/a Release Notes: n/a Signed-off-by: Alyssa Wilk <[email protected]>

fetch doesnt work very well or in ways you would expect (may improve with bzlmod) currently this isnt used but when we add it back we will use `aquery` instead to populate the cache Signed-off-by: Ryan Northey <[email protected]>

…7018) An internal tool we have notified us that some API fields and enum-values that we use do not have comments. I've added some comments, and updated some of the ext-proc comments to make it a bit clearer. Signed-off-by: Adi Suissa-Peleg <[email protected]>

…when linking ICU tools (#37060) Commit Message: Clang and gcc are subtly different and it seems to be the cause of contrib build failures reported in envoyproxy/envoy#31807 (e.g., when using gcc to link the final binary it results in a bunch of essential for gcc C++ symbols like __gxx_personality_v0). The issue appear to be the order of the libraries when linking. gcc, when building statically linked binaries basically needs libstdc++ to be the last library or alsmot the last library in the command line. And clang does not appear to care about it much. This change provides libstdc++ library in LIBS environment variabe which will put it in the right position when building the ICU library. This works well for both clang and gcc. Additional Description: It address the issue reported in envoyproxy/envoy#31807, though by itseld this change is not enough to make gcc builds work - a few more changes are needed. Risk Level: Low Testing: built with `--config=gcc` and `--config=docker-gcc` and checked that //contrib/language/filters/http/test:language_config_test pass after the change. Docs Changes: N/A Release Notes: N/A Platform Specific Features: N/A Signed-off-by: Mikhail Krinkin <[email protected]>

…37061) Signed-off-by: dependabot[bot] <[email protected]> Signed-off-by: Ryan Northey <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

Signed-off-by: Ryan Northey <[email protected]>

Commit Message: kafka: split protocol generation into .h and .cc files Additional Description: instead of having enormous generated `requests.h` and `responses.h`, split them into header and implementation files - this will allow me to add proper static functions in the future (such as the one converting `string request_name -> int16_t api_key` for better configs) Risk Level: low Testing: unit and integration tests Docs Changes: n/a Release Notes: n/a Platform Specific Features: n/a --------- Signed-off-by: Adam Kotwasinski <[email protected]>

Commit Message: When HTTP/3 is not known to work, we should attempt both QUIC and TCP at the same time instead of giving QUIC a head start and delaying the TCP connection attempt. Additional Description: In Envoy Mobile, the HTTP/3 status will be reset upon network change. Risk Level: low (runtime guarded and the default is false) Testing: unit and integration tests Docs Changes: n/a Release Notes: n/a Platform Specific Features: quic, mobile Optional Runtime guard: `envoy.reloadable_features.quic_no_tcp_delay` (default is false) --------- Signed-off-by: Fredy Wijaya <[email protected]>

Currently all triggered CI jobs check for required caches (and prime where required) This reduces the number of vms that get booted by checking once at the beginning of a run in the request phase Signed-off-by: Ryan Northey <[email protected]>

unlike most exception PRs this includes a functional change to how Envoy handles completely invalid sockets or failed system calls. Errors should be connection-local rather than throwing to whatever might catch, so it should be a whole sale improvement and is unlikely to affect anyone whose syscalls work. Risk Level: medium Testing: updated tests Docs Changes: n/a Release Notes: n/a envoyproxy/envoy-mobile#176 Signed-off-by: Alyssa Wilk <[email protected]>

…(#37038) Angle brackets are not required after constructor and, maybe, aren't even correct, though I'm not 100% sure on what the standard says on the matter. It seems like clang is fine with this syntax, but when you try to build Envoy with gcc it complains: ``` ./contrib/postgres_proxy/filters/network/source/postgres_message.h: At global scope: ./contrib/postgres_proxy/filters/network/source/postgres_message.h:397:14: error: expected unqualified-id before ')' token 397 | Sequence<>() = default; | ^ Target //contrib/exe:envoy-static failed to build ``` Given that it's at least unusual to have angle brackets after constructor in a class template specialization let's remove them and satisfy both gcc and clang. It's one of the issue that prevent contrib build with gcc. It's not the original issue reported in envoyproxy/envoy#31807, but that issue is what started the investigation. Signed-off-by: Mikhail Krinkin <[email protected]>

This PR is for issue: envoyproxy/envoy#32090. One of the use case is, like compression by the external processing. This is to let the ext_proc server be able to buffer M request body chunks from Envoy first, processing them, then send N chunks back to Envoy in the STREAMED mode. It also let the server buffer the entire message, i.e, header, body, trailer, before sending back any response. The ext_proc MXN streaming works this way: 1) Enable the MXN streaming by configuring the body mode to be FULL_DUPLEX_STREAMED in the ext_proc filter config. 2) Config the trailer mode to be SEND in the ext_proc filter config. With above config, Envoy will send body to the ext_proc server as they arrival. The server can buffer the entire or partial of the body (M chunks) then streaming the mutated body(may need to split into N chunks), back to Envoy. --------- Signed-off-by: Yanjun Xiang <[email protected]>

Fix #37054 Signed-off-by: dependency-envoy[bot] <148525496+dependency-envoy[bot]@users.noreply.github.com> Signed-off-by: Ryan Northey <[email protected]>

Envoy would crash when the Lua garbage collector ran if `getCluster()` had been called. This was added in #36998 Signed-off-by: Greg Greenway <[email protected]>

…(#36903) These options are related, but do not have to be used together. The existing `auto_sni` and `auto_san_validation` make Envoy set upstream TLS SNI and validate SANs based on the downstream requests's `:authority` (or override header). The new `auto_host_sni` option causes Envoy to set the upstream TLS SNI to the hostname in the cluster for the host being connected to. For example, in a DNS cluster with server1.example.com and server2.example as the cluster members, connections would have SNI of server1.example.com and server2.example.com, respectively. The new `auto_sni_san_validation` option causes Envoy to validate that the peer's server certificate has a DNS SAN that matches whatever SNI value was sent (regardless of how it's configured). This is appropriate to set in many/most configurations for normally-behaving upstream servers without special certificate validation requirements. Signed-off-by: Greg Greenway <[email protected]>

## Background This PR adds a new option called `sourced_metadata` to RBAC permissions and principals which allows specifying an optional source for the metadata to be matched. Currently it only supports Dynamic Metadata and Route Metadata. More options could be added later. **Fixes:** #34913 --- **Commit Message:** rbac: add support for matching on route metadata **Additional Description:** This PR adds a new option called `sourced_metadata` to RBAC permissions and principals which allows specifying an optional source for the metadata to be matched. **Risk Level:** Low **Testing:** Added Unit & Integration Tests **Docs Changes:** Added **Release Notes:** Added --------- Signed-off-by: Rohit Agrawal <[email protected]>

On more recent Debian/Ubuntu versions, not specifying the `arch` gives a warning like this: ``` N: Skipping acquire of configured file 'main/binary-i386/Packages' as repository 'https://apt.envoyproxy.io jammy InRelease' doesn't support architecture 'i386' ``` Signed-off-by: Sebastian Lövdahl <[email protected]>

## Description This PR fixes a very small typo in the change logs for RBAC `metadata` deprecation line which is mistakenly spelled as `sourced_metadata`. --- **Commit Message:** **** **Additional Description:** Fixes a very small typo in the change logs for RBAC `metadata` deprecation line which is mistakenly spelled as `sourced_metadata`. **Risk Level:** N/A **Testing:** N/A **Docs Changes:** N/A **Release Notes:** N/A Signed-off-by: Rohit Agrawal <[email protected]>

## Description This PR add some more unit tests to improve the code coverage of RBAC matchers class. --- **Commit Message:** rbac: add unit tests for matchers to increase coverage **Additional Description:** Added some more unit tests to improve the code coverage of RBAC matchers class. **Risk Level:** Very Low **Testing:** Added Unit Tests **Docs Changes:** N/A **Release Notes:** N/A --------- Signed-off-by: Rohit Agrawal <[email protected]>

Commit Message: There were a few issues with building Envoy with VCL. The fist issue is that vppinfra library is built with LTO enabled. While there is nothing wrong with enabling LTO, it apparently triggers some bug in GCC - during linking one of the LTO passes just consumes all the memory in the system and eventually crashes without finishing ( I tried to build Envoy on a system with 256GiB of memory and it wasn't enough, so it's way past what is reasonable). To workaround the issue I updated vpp_vcl.patch to conditionally disable LTO when building using GCC. Once LTO was disabled I hit another issue - the order of libraries in linker command line does matter, at least in the world of Unix-like systems. Normally, Bazel can figure out the right order, but with VPP static libraries that are built by CMake Bazel has no information to figure out what is the proper order of those libraries. And that ultimately resulted in linking failures. I considered a few options to address the issue: 1. Use alwayslink = True - while it should be the simplest and the least surprising solution to the problem, apparently, alwayslink does not do anything for static libraries, so this option does not work 2. Maintain the right order of libraries in the BUILD file - that works, but it's unusual when order of targets in Bazel srcs and deps matters, so to avoid surprising behaviour I didn't go for that option 3. Use genrule and combine different static libraries into a single static library - it should work in theory, but I couldn't refer to the `ar` tool from genrule and abandoned this option 4. Use --start-group and --end-group linker options to tell to the linker that all VPP static libraries should be considered together as a single unit - this is the option I implemented in the end. Additional Description: This is part of the work done to fix gcc builds of Envoy tracked in envoyproxy/envoy#31807. This change by itself does not address the issue completely yet, but it moves us a bit closer. Signed-off-by: Mikhail Krinkin <[email protected]>

… (#37093) Signed-off-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

…37094) Signed-off-by: dependabot[bot] <[email protected]> Signed-off-by: Ryan Northey <[email protected]>

Added support for upstream connection establishment time points in the COMMON_DURATION access log operator. Risk Level: Low Testing: Unit Docs Changes: Added reference to new supported time points in access log docs. Release Notes: Added Platform Specific Features: No Signed-off-by: Guy Daich <[email protected]>

…pace (#37058) Risk Level: Low Signed-off-by: Michael Kaufmann <[email protected]>

…s received. (#37083)  Commit Message: [ext_proc] Ext proc half close on destroy and defer reset till trailers received. Additional Description: In Grpc, the trailers carries the grpc-status header terminates a rpc stream. Our current flow ignores the trailers by closeStream and resetStream all together, the later resetStream call would signal the remote server a CANCEL, while clean the sidestream and ignore any possible trailers that might have been sent by ext_proc server. This PR would defer the cleanup of the side stream till a trailers been received, or till a cleanup timer fires. Risk Level: medium Testing: unit tests Docs Changes: Release Notes: Platform Specific Features: --------- Signed-off-by: Xin Zhuang <[email protected]>

Risk Level: low Testing: updated tests Docs Changes: n/a Release Notes: n/a envoyproxy/envoy-mobile#176 Signed-off-by: Alyssa Wilk <[email protected]>

…37086) ## Description This PR adds two new benchmarks to evaluate the performance of route matching using the new [matcher tree](https://www.envoyproxy.io/docs/envoy/latest/xds/type/matcher/v3/matcher.proto#xds-type-matcher-v3-matcher-matchertree) functionality: 1. `bmRouteTableSizeWithMatcherTree` - Tests [exact matching](https://arc.net/l/quote/arnhgeme) using matcher tree 2. `bmRouteTableSizeWithPrefixMatcherTree` - Tests [prefix matching](https://arc.net/l/quote/kajwgisw) using matcher tree with nested routes These benchmarks follow the same pattern as existing route matching benchmarks, testing performance with varying table sizes from **1** to **2^13** routes. The prefix matcher benchmark creates a hierarchical structure with shelves containing multiple routes, similar to real-world use cases. ![Route Graph](https://github.com/user-attachments/assets/c59d6f71-c78e-4a64-840b-8898082054c1) ``` Running /build/bazel_root/base/execroot/envoy/bazel-out/k8-opt/bin/test/common/router/config_impl_speed_test Run on (32 X 3515.38 MHz CPU s) CPU Caches: L1 Data 48 KiB (x16) L1 Instruction 32 KiB (x16) L2 Unified 1280 KiB (x16) L3 Unified 55296 KiB (x1) Load Average: 4.80, 3.13, 9.79 -------------------------------------------------------------------------------------- Benchmark Time CPU Iterations -------------------------------------------------------------------------------------- bmRouteTableSizeWithPathPrefixMatch/1 536 ns 536 ns 1298506 bmRouteTableSizeWithPathPrefixMatch/2 587 ns 587 ns 1193335 bmRouteTableSizeWithPathPrefixMatch/4 691 ns 691 ns 1013703 bmRouteTableSizeWithPathPrefixMatch/8 846 ns 846 ns 827034 bmRouteTableSizeWithPathPrefixMatch/16 1231 ns 1231 ns 568054 bmRouteTableSizeWithPathPrefixMatch/32 1886 ns 1886 ns 373329 bmRouteTableSizeWithPathPrefixMatch/64 3223 ns 3223 ns 217808 bmRouteTableSizeWithPathPrefixMatch/128 5977 ns 5977 ns 117353 bmRouteTableSizeWithPathPrefixMatch/256 11384 ns 11384 ns 61955 bmRouteTableSizeWithPathPrefixMatch/512 21993 ns 21993 ns 31855 bmRouteTableSizeWithPathPrefixMatch/1024 48251 ns 48251 ns 14673 bmRouteTableSizeWithPathPrefixMatch/2048 104355 ns 104357 ns 5524 bmRouteTableSizeWithPathPrefixMatch/4096 205814 ns 205811 ns 3408 bmRouteTableSizeWithPathPrefixMatch/8192 410113 ns 410115 ns 1712 bmRouteTableSizeWithPathPrefixMatch/16384 851624 ns 851636 ns 828 bmRouteTableSizeWithExactPathMatch/1 534 ns 534 ns 1306682 bmRouteTableSizeWithExactPathMatch/2 584 ns 584 ns 1197580 bmRouteTableSizeWithExactPathMatch/4 689 ns 689 ns 1013885 bmRouteTableSizeWithExactPathMatch/8 843 ns 843 ns 828836 bmRouteTableSizeWithExactPathMatch/16 1227 ns 1227 ns 569857 bmRouteTableSizeWithExactPathMatch/32 1884 ns 1884 ns 371227 bmRouteTableSizeWithExactPathMatch/64 3261 ns 3261 ns 212785 bmRouteTableSizeWithExactPathMatch/128 6029 ns 6029 ns 115856 bmRouteTableSizeWithExactPathMatch/256 11367 ns 11367 ns 61665 bmRouteTableSizeWithExactPathMatch/512 22134 ns 22133 ns 31785 bmRouteTableSizeWithExactPathMatch/1024 46710 ns 46710 ns 14993 bmRouteTableSizeWithExactPathMatch/2048 110910 ns 110912 ns 6379 bmRouteTableSizeWithExactPathMatch/4096 212092 ns 212089 ns 3300 bmRouteTableSizeWithExactPathMatch/8192 417258 ns 417237 ns 1680 bmRouteTableSizeWithExactPathMatch/16384 869521 ns 869518 ns 814 bmRouteTableSizeWithRegexMatch/1 630 ns 630 ns 1111278 bmRouteTableSizeWithRegexMatch/2 763 ns 763 ns 922242 bmRouteTableSizeWithRegexMatch/4 1029 ns 1029 ns 678372 bmRouteTableSizeWithRegexMatch/8 1504 ns 1504 ns 466548 bmRouteTableSizeWithRegexMatch/16 2926 ns 2926 ns 241356 bmRouteTableSizeWithRegexMatch/32 5111 ns 5111 ns 136253 bmRouteTableSizeWithRegexMatch/64 9584 ns 9584 ns 72823 bmRouteTableSizeWithRegexMatch/128 19555 ns 19555 ns 35903 bmRouteTableSizeWithRegexMatch/256 38923 ns 38922 ns 17859 bmRouteTableSizeWithRegexMatch/512 105522 ns 105519 ns 6660 bmRouteTableSizeWithRegexMatch/1024 207458 ns 207455 ns 3321 bmRouteTableSizeWithRegexMatch/2048 416225 ns 416216 ns 1678 bmRouteTableSizeWithRegexMatch/4096 827044 ns 827016 ns 761 bmRouteTableSizeWithRegexMatch/8192 1704151 ns 1704030 ns 377 bmRouteTableSizeWithRegexMatch/16384 4776874 ns 4776656 ns 135 bmRouteTableSizeWithExactMatcherTree/1 737 ns 737 ns 954898 bmRouteTableSizeWithExactMatcherTree/2 732 ns 732 ns 955453 bmRouteTableSizeWithExactMatcherTree/4 737 ns 737 ns 944687 bmRouteTableSizeWithExactMatcherTree/8 733 ns 733 ns 960146 bmRouteTableSizeWithExactMatcherTree/16 753 ns 753 ns 930218 bmRouteTableSizeWithExactMatcherTree/32 747 ns 747 ns 939365 bmRouteTableSizeWithExactMatcherTree/64 754 ns 754 ns 927099 bmRouteTableSizeWithExactMatcherTree/128 742 ns 742 ns 941579 bmRouteTableSizeWithExactMatcherTree/256 738 ns 738 ns 946895 bmRouteTableSizeWithExactMatcherTree/512 751 ns 751 ns 939048 bmRouteTableSizeWithExactMatcherTree/1024 752 ns 752 ns 922761 bmRouteTableSizeWithExactMatcherTree/2048 745 ns 745 ns 938027 bmRouteTableSizeWithExactMatcherTree/4096 751 ns 751 ns 934409 bmRouteTableSizeWithExactMatcherTree/8192 756 ns 756 ns 929814 bmRouteTableSizeWithExactMatcherTree/16384 751 ns 751 ns 935359 bmRouteTableSizeWithPrefixMatcherTree/1 729 ns 729 ns 962058 bmRouteTableSizeWithPrefixMatcherTree/2 727 ns 727 ns 960017 bmRouteTableSizeWithPrefixMatcherTree/4 731 ns 731 ns 963227 bmRouteTableSizeWithPrefixMatcherTree/8 730 ns 730 ns 961697 bmRouteTableSizeWithPrefixMatcherTree/16 728 ns 728 ns 961949 bmRouteTableSizeWithPrefixMatcherTree/32 730 ns 730 ns 963114 bmRouteTableSizeWithPrefixMatcherTree/64 729 ns 729 ns 962356 bmRouteTableSizeWithPrefixMatcherTree/128 741 ns 741 ns 943679 bmRouteTableSizeWithPrefixMatcherTree/256 745 ns 745 ns 942793 bmRouteTableSizeWithPrefixMatcherTree/512 748 ns 748 ns 941176 bmRouteTableSizeWithPrefixMatcherTree/1024 747 ns 747 ns 932049 bmRouteTableSizeWithPrefixMatcherTree/2048 748 ns 748 ns 932930 bmRouteTableSizeWithPrefixMatcherTree/4096 743 ns 743 ns 937013 bmRouteTableSizeWithPrefixMatcherTree/8192 746 ns 746 ns 938400 bmRouteTableSizeWithPrefixMatcherTree/16384 756 ns 756 ns 938556 ``` --- **Commit Message:** benchmark: add route matcher benchmarks for exact and prefix match **Additional Description:** Add additional tests in the `config_impl_speed_test` for testing the performance of route table evaluation using the matcher semantics. **Risk Level:** Very Low **Testing:** Benchmarks run successfully with varying table sizes **Docs Changes:** N/A **Release Notes:** N/A --------- Signed-off-by: Rohit Agrawal <[email protected]>

Remove `envoy.reloadable_features.http2_use_visitor_for_data` Risk Level: low Testing: ran unit and integration tests locally Docs Changes: Release Notes: Platform Specific Features: --------- Signed-off-by: Biren Roy <[email protected]>

Signed-off-by: Adi Suissa-Peleg <[email protected]>

This readds bazel client caching which was lost in migration It should resolve the issue of failing downloads (kafka/node) in build tests - if for some reason it doesnt initially, we can tweak to ensure it does I gave up on trying to use the github actions cache as its too size-constrained so it was never going to work - so instead it uses a GCS bucket. The connection to GCP seems a bit slower than the github cache, but the implementation is faster so overall caching seems to be faster with GCS. The time required to restore caches is easily offset by speedups in actual jobs - so adding this should be an optimization Unlike the previous system it always caches against the target branch (`main`/`release/*`) and ignores any changes in a PR It also creates one cache per arch and not tailored caches for each job which saves a lot disk space and complexity, but it also means that individual jobs use more disk space Probably what its caching can be tweaked/optimized and there are some other things we probably want to add - eg bazelisk Fix #36340 Signed-off-by: Ryan Northey <[email protected]>

…t (#37101) I'm unable to recreate this test flakiness locally. However the likely culprit is a race between closing upstream connection and sending new downstream request. If Envoy takes longer to observe closed upstream connection it can send request into upstream connection that is already closing. Risk Level: Low Testing: Unit test Docs Changes: N/A Release Notes: N/A Platform Specific Features: N/A --------- Signed-off-by: Yan Avlasov <[email protected]>

…37108) This PR adds support for configuring round-robin nameserver selection in the c-ares DNS resolver. When enabled, this will rotate through the configured nameservers for each resolution request, helping to distribute query load across multiple nameservers. The feature allows better load distribution across multiple nameservers without requiring any changes to DNS server configuration. Signed-off-by: Rohit Agrawal <[email protected]>

…rpreted as negative triggering envoy bug. (#36953) Signed-off-by: Steven Jin Xuan <[email protected]>

…74f326` in /ci (#37119) Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

…7105) Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

Risk Level: low Testing: CI Signed-off-by: Alejandro R. Sedeño <[email protected]>

…#36981) Commit Message: Check canonical suffix when checking checking QUIC brokenness Additional Description: Risk Level: low. protected by default false runtime guard Testing: unit test Docs Changes: n/a Release Notes: n/a Platform Specific Features: n/a Runtime guard: envoy_reloadable_features_use_canonical_suffix_for_quic_broken --------- Signed-off-by: Renjie Tang <[email protected]>

https://github.com/google/quiche/compare/aaf48d2e5..3c9db14bb ``` $ git log aaf48d2e5..3c9db14bb --date=short --no-merges --format="%ad %al %s" 2024-11-13 davidben Add missing dependency to quiche_test_support 2024-11-13 ricea Rename QuicTag kIFWA to kIFWa 2024-11-12 rch Remove unused TPCC QuicTag and rename the variables * kORBT -> kOBIT * kMIBS -> kMIDS to match their on-the-wire value. 2024-11-12 rch Deprecate --gfe2_reloadable_flag_quic_allow_host_in_request2. 2024-11-12 birenroy Allows a unit test to be exported as part of QUICHE. 2024-11-12 martinduke Change protection scheme for code that marks outgoing ECT. 2024-11-11 wub Change `QuicUnackedPacketMap::NotifyFramesAcked` and `QuicUnackedPacketMap::MaybeAggregateAckedStreamFrame` to take `QuicTransmissionInfo*&` as a input-output parameter. 2024-11-08 martinduke Add ECN counters to ACKs sent by the QuicBufferedPacketStore. 2024-11-07 rch Rename gfe2_restart_flag_quic_support_flow_label to gfe2_restart_flag_quic_support_flow_label2 now that QUIC flow label support seems to be complete. 2024-11-05 birenroy Adds backslash `\` to the list of characters allowed in a HTTP request path. 2024-11-05 rch Add support for sending IPv6 flow labels to QuicGsoBatchWriter 2024-11-05 birenroy Simplifies and modernizes SpdyDataIR. 2024-11-04 dschinazi Update googleurl in QUICHE bazel build ``` and update `bazel/external/quiche.BUILD` to add `quiche/quic/core/flow_label.h`. Risk Level: low Testing: ci --------- Signed-off-by: Alejandro R. Sedeño <[email protected]>

… (#37125) Pulls in a change to drop some dangling symlinks. No functional changes to the `proto_processing_lib` library itself. Risk Level: low Testing: ci Signed-off-by: Alejandro R. Sedeño <[email protected]>

Risk Level: low Testing: updated tests Docs Changes: n/a Release Notes: n/a envoyproxy/envoy-mobile#176 Signed-off-by: Alyssa Wilk <[email protected]>

Protobuf 6.30.0 will change the return types of Descriptor::name() and other methods to absl::string_view. This makes the code work both before and after such a change. Commit Message: feat: prepare for breaking change in Protobuf C++ API Additional Description: This makes the implementation compatible with a future Protobuf release where various methods return absl::string_view instead of std::string or const std::string&. Risk Level: Low Testing: unit tests Docs Changes: N/A Release Notes: N/A Platform Specific Features: N/A --------- Signed-off-by: Lev Kandel <[email protected]>

Commit Message: replace access log list to access log vector Additional Description: std::list is not good choice for the scenario where needn't 0(1) insert/remove. Risk Level: low. Testing: n/a. Docs Changes: n/a. Release Notes: n/a. --------- Signed-off-by: wangbaiping(wbpcode) <[email protected]>

…#37057) ## Description This PR optimizes the CEL expression context implementation by replacing `if-else` chains with hash maps for `O(1)` lookups and improving memory management. This would enhance the performance for header and filter state access patterns while maintaining the same functionality. This change introduces constant-time lookups using `absl::flat_hash_map` and improves the overall design through static initialization of lookup maps for better performance. ## Benchmarks ### Before ``` Run on (32 X 3364.47 MHz CPU s) CPU Caches: L1 Data 48 KiB (x16) L1 Instruction 32 KiB (x16) L2 Unified 2048 KiB (x16) L3 Unified 107520 KiB (x1) Load Average: 9.07, 16.88, 15.22 ------------------------------------------------------------------------- Benchmark Time CPU Iterations ------------------------------------------------------------------------- bmRequestAttributes/100 0.179 us 0.179 us 3943200 bmRequestAttributes/10000 0.178 us 0.178 us 3768352 bmRequestAttributes/1000000 0.179 us 0.179 us 3882288 bmResponseAttributes/100 0.187 us 0.187 us 3734635 bmResponseAttributes/10000 0.180 us 0.180 us 3778717 bmResponseAttributes/1000000 0.196 us 0.196 us 3668511 bmFilterState/1000 51.6 us 51.6 us 10000 bmFilterState/10000 692 us 692 us 1025 bmFilterState/1000000 262413 us 262406 us 3 bmFilterState/10000000 3887577 us 3887332 us 1 bmConnectionAttributes/100 0.465 us 0.465 us 1521335 bmConnectionAttributes/10000 0.467 us 0.467 us 1500911 bmConnectionAttributes/1000000 0.468 us 0.468 us 1521145 ``` ### After ``` Run on (32 X 3269.07 MHz CPU s) CPU Caches: L1 Data 48 KiB (x16) L1 Instruction 32 KiB (x16) L2 Unified 2048 KiB (x16) L3 Unified 107520 KiB (x1) Load Average: 15.79, 17.71, 15.83 ------------------------------------------------------------------------- Benchmark Time CPU Iterations ------------------------------------------------------------------------- bmRequestAttributes/100 0.166 us 0.166 us 4024447 bmRequestAttributes/10000 0.167 us 0.167 us 4027806 bmRequestAttributes/1000000 0.171 us 0.171 us 4217833 bmResponseAttributes/100 0.174 us 0.174 us 3933317 bmResponseAttributes/10000 0.169 us 0.169 us 4106892 bmResponseAttributes/1000000 0.173 us 0.173 us 4110847 bmFilterState/1000 52.1 us 52.1 us 14034 bmFilterState/10000 655 us 655 us 1078 bmFilterState/1000000 251507 us 251496 us 3 bmFilterState/10000000 3806409 us 3806192 us 1 bmConnectionAttributes/100 0.435 us 0.435 us 1613013 bmConnectionAttributes/10000 0.423 us 0.423 us 1674895 bmConnectionAttributes/1000000 0.411 us 0.411 us 1729797 ``` --- **Commit Message:** filters: optimize cel expression context with constant-time lookups **Additional Description:** This commit replaces linear if-else chains with flat_hash_maps for property lookups in the CEL expression context. It also improves memory management and provides better encapsulation of implementation details. **Risk Level:** Low - No functional changes - Only performance optimizations - Existing test coverage maintained **Testing:** - All existing tests pass - No behavioral changes **Docs Changes:** N/A - internal implementation change only **Release Notes:** N/A --------- Signed-off-by: Rohit Agrawal <[email protected]>

When using Dynamic Forward Proxy cluster in addition to Strict DNS clusters, the UPSTREAM_HOST_NAME variable returns inconsistent value in access log: For Strict DNS cluster: We're getting the DNS name only as expected. For Dynamic Forward Proxy cluster: We're getting the DNS name with the port value. Risk Level: low Testing: unit Docs Changes: Added Release Notes: Added Platform Specific Features: N/A Fixes #37095 Signed-off-by: Issa Abu Kalbein <[email protected]> Signed-off-by: IssaAbuKalbein <[email protected]> Co-authored-by: Issa Abu Kalbein <[email protected]>

… /contrib/golang/filters/http/test/test_data/routeconfig in the contrib-golang group (#37169) Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

… /contrib/golang/filters/http/test/test_data/property in the contrib-golang group (#37167) Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

… /contrib/golang/router/cluster_specifier/test/test_data/simple in the contrib-golang group (#37165) Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

…37164) Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

… /contrib/golang/filters/http/test/test_data/access_log in the contrib-golang group (#37163) Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

… /contrib/golang/filters/http/test/test_data/echo in the contrib-golang group (#37162) Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

… /contrib/golang/filters/http/test/test_data/buffer in the contrib-golang group (#37160) Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

… /contrib/golang/filters/http/test/test_data/metric in the contrib-golang group (#37159) Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

…7133) Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

… /contrib/golang/filters/http/test/test_data/add_data in the contrib-golang group (#37161) Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

Risk Level: Low Testing: Unit test Docs Changes: N/A Release Notes: N/A Platform Specific Features: N/A Signed-off-by: Yan Avlasov <[email protected]>

This is already set on linux Signed-off-by: Greg Greenway <[email protected]>

…urable (#37175) The default is set to 10 seconds, the same value Cronet uses. Signed-off-by: Ali Beyad <[email protected]>

…ing in CEL Size extractor (#37168) ## Description We recently refactored the CEL context expression logic in [this](envoyproxy/envoy#37057) PR and as part of this refactoring the `Size` extractor's behavior got slightly changed to return the `bytes` when the `content-length` header exists but is invalid. This PR is to revert back to the original behavior of not returning anything in that case. --- **Commit Message:** filters: revert to original behavior for invalid content-length handling in CEL Size extractor **Additional Description:** This PR reverts back to the original behavior of the **Size** extractor when we have `content-length` header present but it's invalid. **Risk Level:** Low **Testing:** Added Unit Tests **Docs Changes:** N/A **Release Notes:** N/A Signed-off-by: Rohit Agrawal <[email protected]>

The `FormatterBaseImpl` class stored a string in each instance where it could've stored a bool. Risk Level: low Testing: N/A Docs Changes: N/A Release Notes: N/A Platform Specific Features: N/A Signed-off-by: Adi Suissa-Peleg <[email protected]>

Currently contrib does not build with GCC because of various false positive compiler warnings turned to errors and a GCC compiler bug. Let's first start with the bug, in GCC apparently using -gsplit-dwarf (debug fission) and -fdebug-types-section (used to optimize the size of debug inforamtion), when used together, can result in a linker failure. Refer to https://gcc.gnu.org/bugzilla/show_bug.cgi?id=110885 for the GCC bug report of this issue. When it comes to Envoy, optimized builds with GCC are affected on at least GCC 11 (used by --config=docker-gcc) and GCC 12 (and I'm pretty sure the bug isn't fixed in any newer versions either, though I didn't check each version). Given that we cannot have both debug fission and a debug types section, we decided to abandon the debug types sections and keep the fission. That being said, apparently both of those options are unmaintained in GCC which poses a question of long term viability of using those or GCC. Other changes in this commit disable GCC compiler errors for various warnings that happen when building contrib. I checked those warnings and didn't find any true positive. And additionally, for warnings that exists in both Clang and GCC, Clang warnings don't trigger, so Clang also disagrees with GCC here. Additionally missing-requires warning is new and does not exist in GCC 11, but exists in later versions of GCC, so to avoid breaking on this warning for future versions of GCC I disabled it, but also tell GCC to not complain if it sees a flag related to an unknwon diagnostic. This is the last change required to make GCC contrib builds work (you can find more context and discussions in envoyproxy/envoy#31807) Risk Level: Low Testing: building with --config=gcc and --config=docker-gcc Docs Changes: N/A Release Notes: N/A Platform Specific Features: N/A Fixes #31807 Signed-off-by: Mikhail Krinkin <[email protected]>

Modifying HeaderParser creation to pre-reserve vectors sizes. Small perf nit in the router ingestion. Risk Level: low Testing: N/A Docs Changes: N/A Release Notes: N/A Platform Specific Features: N/A Signed-off-by: Adi Suissa-Peleg <[email protected]>

If inotify fails to watch additional file descriptors the solution is usually a combination of setting max_user_instances as well as max_user_watches (from personal experience). In addition, it seems like the original message had `user` and `inotify` inverted by accident? Risk Level: low Testing: - Docs Changes: - Release Notes: - Platform Specific Features: - Signed-off-by: Martijn Swaagman <[email protected]>

Commit Message: udp_proxy: support coexistence of dynamic and static clusters Additional Description: Don't stop the session iteration in DynamicForwardProxy filter when the dynamic host isn't set or empty, as the session maybe routed to a non-dynamic cluster. This implementation of DynamicForwardProxy filter for udp aligns with the implementation for tcp. Risk Level: low Testing: unit and integration tests Docs Changes: Release Notes: Platform Specific Features: --------- Signed-off-by: Issa Abu Kalbein <[email protected]> Co-authored-by: Issa Abu Kalbein <[email protected]>

…#37189) https://clang.llvm.org/extra/clang-tidy/checks/performance/inefficient-vector-operation.html  Commit Message: Additional Description: Risk Level: Testing: Docs Changes: Release Notes: Platform Specific Features: [Optional Runtime guard:] [Optional Fixes #Issue] [Optional Fixes commit #PR or SHA] [Optional Deprecated:] [Optional [API Considerations](https://github.com/envoyproxy/envoy/blob/main/api/review_checklist.md):] Signed-off-by: Yury Kats <[email protected]>

Fix #37121 Signed-off-by: dependency-envoy[bot] <148525496+dependency-envoy[bot]@users.noreply.github.com> Co-authored-by: dependency-envoy[bot] <148525496+dependency-envoy[bot]@users.noreply.github.com>

Fix #37170 Signed-off-by: dependency-envoy[bot] <148525496+dependency-envoy[bot]@users.noreply.github.com> Co-authored-by: dependency-envoy[bot] <148525496+dependency-envoy[bot]@users.noreply.github.com>

Fix #37137 Signed-off-by: dependency-envoy[bot] <148525496+dependency-envoy[bot]@users.noreply.github.com> Co-authored-by: dependency-envoy[bot] <148525496+dependency-envoy[bot]@users.noreply.github.com>

Fix #37120 Signed-off-by: dependency-envoy[bot] <148525496+dependency-envoy[bot]@users.noreply.github.com> Co-authored-by: dependency-envoy[bot] <148525496+dependency-envoy[bot]@users.noreply.github.com>

…atus_draining (#37185) Signed-off-by: Sanchit-20 <[email protected]>

… test (#37182) quic: Use MaybeSendRstStreamFrame instead of ResetWriteSide in a quic test ResetWriteSide is deprecated and will be removed once this usage of it is removed. Risk Level: None - test only Testing: existing unit test Docs Changes: N/A Release Notes: N/A Platform Specific Features: N/A Signed-off-by: Ryan Hamilton <[email protected]>

follow up to envoyproxy/envoy#37035

Signed-off-by: dependency-envoy[bot] <148525496+dependency-envoy[bot]@users.noreply.github.com> Co-authored-by: dependency-envoy[bot] <148525496+dependency-envoy[bot]@users.noreply.github.com>

Signed-off-by: Yury Kats [email protected] Signed-off-by: Yury Kats <[email protected]>

Signed-off-by: Yury Kats <[email protected]>

… (#36920) Signed-off-by: Florent Lecoultre <[email protected]>

… and logging (#37074) This PR adds field access support for ext_authz filter state object `ExtAuthzLoggingInfo`. It exposes simple fields * latency * bytesSent * bytesReceived This enables usage of ext_authz filter state in access logs, and any filter/logger using CEL after envoyproxy/envoy#35698. Signed-off-by: JACQUES Francois <[email protected]>

Risk Level: low Testing: updated tests Docs Changes: n/a Release Notes: n/a envoyproxy/envoy-mobile#176 --------- Signed-off-by: Alyssa Wilk <[email protected]>

https://github.com/google/quiche/compare/3c9db14bb..dbc5afc11 Risk Level: Low Testing: Existing tests pass Docs Changes: N/A Release Notes: N/A Platform Specific Features: N/A --------- Signed-off-by: Ricardo Perez Perez <[email protected]>

Signed-off-by: Ryan Northey <[email protected]>

Commit Message: Currently waitForInexactRawData is harded coded to support only 4 byte data as input. It's because the only callsite passes "\r\n\r\n". Extend to support data of any length. Also slightly adjust the signature. Additional Description: Risk Level: LOW, test only Testing: bazel test test/extensions/transport_sockets/http_11_proxy/... Docs Changes: Release Notes: Platform Specific Features: [Optional Runtime guard:] [Optional Fixes #Issue] [Optional Fixes commit #PR or SHA] [Optional Deprecated:] [Optional [API Considerations](https://github.com/envoyproxy/envoy/blob/main/api/review_checklist.md):] Signed-off-by: Yuchen Dai <[email protected]>

…r in CustomHeaderIPDetection (#37194) ## Description This PR restores the original behavior prior to #31831, by explicitly setting `skip_xff_append` to `true`, as appending the `XFF` header from the custom header extension is not required. See #37171 for more details. --- **Commit Message:** original_ip_detection: revert unintended XFF header appending behavior in CustomHeaderIPDetection **Additional Description:** This PR restores the pre #31831 behavior by explicitly setting `skip_xff_append` to `true`, as appending the `XFF` header from the custom header extension is not required. **Risk Level:** Low **Testing:** Added Unit Tests **Docs Changes:** N/A **Release Notes:** Added Signed-off-by: Rohit Agrawal <[email protected]>

…he pip group (#37234) Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

…241) Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

Risk Level: low Testing: updated tests Docs Changes: n/a Release Notes: n/a envoyproxy/envoy-mobile#176 Signed-off-by: Alyssa Wilk <[email protected]>

Signed-off-by: Ryan Northey <[email protected]>

… in /tools/base (#37247) Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

Allows to differentiate filter proxy-protocol filter state create by proxy-protocol filter with the one created by HCM. Currently the proxy-protocol-filter will set a filter state metadata with the following field: - source address - destination address - tlv_vector By default if at the Http Connection Manager (HCM) they are no filter state for proxy-protocol, it will set one with the source and destination address. Currently they are no way to know from that filter state if the tlv_vector is empty because there was no entry or either because proxy-protocol v1 was used or because the HCM created the state. Signed-off-by: Florent Lecoultre <[email protected]>

Signed-off-by: dependency-envoy[bot] <148525496+dependency-envoy[bot]@users.noreply.github.com> Co-authored-by: dependency-envoy[bot] <148525496+dependency-envoy[bot]@users.noreply.github.com>

Risk Level: low Testing: updated tests Docs Changes: n/a Release Notes: n/a envoyproxy/envoy-mobile#176 Signed-off-by: Alyssa Wilk <[email protected]>

Risk Level: Low Testing: He's great at it :-) Docs Changes: inline Release Notes: n/a Signed-off-by: Alyssa Wilk <[email protected]>

Signed-off-by: Yury Kats [email protected] Signed-off-by: Yury Kats <[email protected]>

Commit Message: Currently the RLQS client & bucket cache in use by the rate_limit_quota filter is set to be per-thread. This causes each client to only have visibility into a small section of the total traffic seen by the Envoy and multiplicatively increases the number of concurrent, managed streams to the RLQS backend. This PR will merge the bucket caches to a single, shared map that is thread-safe to access and shared via TLS. Unsafe operations (namely creation of a new index in the bucket cache & setting of quota assignments from RLQS responses) are done by the main thread against a single source-of-truth, then pushed out to worker threads (again via pointer swap + TLS). Local threads will also no longer have access to their own RLQS clients + streams. Instead, management of a single, shared RLQS stream will be done on the main thread, by a global client object. That global client object will handle the asynchronous generation & sending of RLQS UsageReports, as well as the processing of incoming RLQS Responses into actionable quota assignments for the filter worker-threads to pull from the buckets cache. Additional Description: The biggest TODO after submission will be supporting the `reporting_interval` field & handling reporting on different timers if buckets are configured with different intervals. Risk Level: Medium Testing: - New unit testing of both global & local client objects - New unit testing of filter logic - Updates to existing config unit testing - New integration testing for all of the moving parts. --------- Signed-off-by: Brian Surber <[email protected]> Signed-off-by: bsurber <[email protected]>

Commit Message: Add bsurber as a codeowner for the rate_limit_quota http extension Additional Description: Risk Level: Testing: Docs Changes: Release Notes: Platform Specific Features: Signed-off-by: bsurber <[email protected]>

followup of envoyproxy/envoy#36920 Signed-off-by: Florent Lecoultre <[email protected]>

Fix #37258 Signed-off-by: publish-envoy[bot] Co-authored-by: publish-envoy[bot] <140627008+publish-envoy[bot]@users.noreply.github.com>

Signed-off-by: Ryan Northey <[email protected]>

Fix #37085 Signed-off-by: dependency-envoy[bot] <148525496+dependency-envoy[bot]@users.noreply.github.com> Co-authored-by: dependency-envoy[bot] <148525496+dependency-envoy[bot]@users.noreply.github.com>

Fixes envoyproxy/envoy#36808 --------- Signed-off-by: Alyssa Wilk <[email protected]>

…ers (#37097) If 1xx informational headers have been fully sent to the codec, and primary response headers have not yet arrived, it is safe to send a local reply through the filter chain. Risk Level: Low Testing: Integration tests Docs Changes: None Release Notes: None --------- Signed-off-by: Paul Ogilby <[email protected]>

Risk Level: low Testing: updated tests Docs Changes: n/a Release Notes: n/a envoyproxy/envoy-mobile#176 Signed-off-by: Alyssa Wilk <[email protected]>

Ensure that calculated sampling exponent stays below a certain limit Risk Level: Low Testing: Unit test, manual Docs Changes: N/A Release Notes: N/A Platform Specific Features: Fixes #37199 Signed-off-by: thomas.ebner <[email protected]>

…(#37076) Currently, we treat all remote grpc stream closes as errors, and log warnings and increment failure metrics for every instance. A remote grpc stream close with a 0 code is not a failure, but instead a graceful termination, so it should be a lower log level and should not increment failure metrics. Risk Level: Low --------- Signed-off-by: Brian Sonnenberg <[email protected]>

…s (#37253) The current SAN-matcher has a specific matching behavior when the matching general-type is DNS and the matcher-type is Exact. This PR refactors that behavior into a different class `DnsStringSanMatcher` and ensures that when the code creates a SAN-Matcher the correct class is used. Signed-off-by: Adi Suissa-Peleg <[email protected]>

Risk Level: low Testing: updated tests Docs Changes: n/a Release Notes: n/a envoyproxy/envoy-mobile#176 Signed-off-by: Alyssa Wilk <[email protected]>

…de (#37216) ## Description This PR refactors the exception throwing logic in the **ext_proc** filter to use `absl::Status` returns instead of throwing exceptions. Fixes #37046 --- **Commit Message:** ext_proc: remove exception throw in ext_proc configuration parsing code **Additional Description:** This change makes the error handling in ext_proc more consistent with other parts of the codebase by using Status returns instead of exceptions. The validation logic remains unchanged. **Risk Level:** Low **Testing:** - Added new Unit Tests around config validation - Existing unit tests modified to verify status returns - Integration tests remain unchanged as external behavior is the same **Docs Changes:** N/A **Release Notes:** N/A --------- Signed-off-by: Rohit Agrawal <[email protected]>

Signed-off-by: Greg Greenway <[email protected]>

…#37099) Commit Message: Save resolved upstream address in filter state in SNI dynamic forward proxy Additional Description: Risk Level: Low Testing: Added unit tests and am also consuming this change from filter state in a subsequent filter Docs Changes: Fixed a typo in doc and added new field to proto Release Notes: Added a description in change log Platform Specific Features: Signed-off-by: Santosh Rao <[email protected]>

…(#37069) Make `ScopedExecutionContext` no-op if `!ExecutionContext::isEnabled()`. This saves a call to `ScopeTrackedObject::trackedStream()` when execution context is disabled. Commit Message: Make ScopedExecutionContext no-op if !ExecutionContext::isEnabled(). Additional Description: Risk Level: None. Testing: Existing execution_context_test.cc. Docs Changes: N/A Release Notes: N/A Platform Specific Features: [Optional Runtime guard:] [Optional Fixes #Issue] [Optional Fixes commit #PR or SHA] [Optional Deprecated:] [Optional [API Considerations](https://github.com/envoyproxy/envoy/blob/main/api/review_checklist.md):] Signed-off-by: Bin Wu <[email protected]>

followup of envoyproxy/envoy#36920 Signed-off-by: Florent Lecoultre <[email protected]>

…276) Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

…7277) Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

…0 (#37278) Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

Risk Level: low Testing: updated tests Docs Changes: n/a Release Notes: n/a envoyproxy/envoy-mobile#176 Signed-off-by: Alyssa Wilk <[email protected]>

…y. (#37127) Signed-off-by: Misha Efimov <[email protected]>

…#37177) Commit Message: Add `ConnectionPoolSettings` in proxy_protocol upstream transport socket. It customizes the behavior of connection pool. Additional Description: Risk Level: LOW Testing: CI Docs Changes: Release Notes: Platform Specific Features: [Optional Runtime guard:] Fixes #37126 [Optional Fixes commit #PR or SHA] [Optional Deprecated:] [Optional [API Considerations](https://github.com/envoyproxy/envoy/blob/main/api/review_checklist.md):] --------- Signed-off-by: Yuchen Dai <[email protected]>

Commit Message: http: make streaming shadows on by default. Additional Description: Flips `envoy_reloadable_features_streaming_shadow` to default-true. Risk Level: low Testing: integration, unit Docs Changes: none Release Notes: none Optional Runtime guard: still `envoy_reloadable_features_streaming_shadow`. --------- Signed-off-by: Paul Ogilby <[email protected]>

Commit Message: dynamic_modules: HTTP filter config implementation Additional Description: This expands the ABI for HTTP filter configurations. Especially this adds two even hooks coupled with the life cycle of HTTP filter config handled in the main thread. The key idea is to do the direct pointer (context) passing between the boundary; This allows us to avoid maintaining IDs and global mapping state, which makes it easier to test as well as it has benefit in terms of performance. E.g. there's no need to look up "contexts" on each event hook entry. The next follow-up PR will add per-stream event hooks (filter implementation). After the event hooks are done, module->Envoy functions will be added (e.g. accessing headers, etc.) Risk Level: low Testing: done Docs Changes: n/a Release Notes: n/a Platform Specific Features: [Optional Runtime guard:] [Optional Fixes #Issue] [Optional Fixes commit #PR or SHA] [Optional Deprecated:] [Optional [API Considerations](https://github.com/envoyproxy/envoy/blob/main/api/review_checklist.md):] --------- Signed-off-by: Takeshi Yoneda <[email protected]>

…n error (#37267) Commit Message: json: replacing IS_ENVOY_BUG when a large number value is used with an error Additional Description: Followup to #36919. In #36919, there was a behavior change when the JSON library parsed a large number. Prior to #36919 Envoy would have thrown an exception which ended up rejecting the value or erroring out. After that an ENVOY_BUG was introduced, but probably shouldn't have had, as Envoy may receive a value that is large and should handle it correctly (e.g., when ingesting a config). This was detected due to fuzz bug [379811166](https://g-issues.oss-fuzz.com/issues/379811166). Risk Level: low Testing: Added fuzz test case, and updated the unit-tests. Docs Changes: N/A (no docs were updated in the original PR). Release Notes: N/A (no release notes were introduced in the original PR). Platform Specific Features: N/A Signed-off-by: Adi Suissa-Peleg <[email protected]>

Signed-off-by: Ryan Northey <[email protected]>

Risk Level: n/a (mobile only) Testing: new e2e test Docs Changes: n/a Release Notes: n/a Signed-off-by: Alyssa Wilk <[email protected]>

Risk Level: low Testing: updated tests Docs Changes: n/a Release Notes: n/a envoyproxy/envoy-mobile#176 Signed-off-by: Alyssa Wilk <[email protected]>

Commit Message: dynamic_modules: enables rustfmt.toml Additional Description: This enables the root configuration for rustfmt as a follow up on envoyproxy/envoy#37070 (comment). Only formatting is done in this commit. There's no change in its code. Risk Level: low Testing: n/a Docs Changes: n/a Release Notes: n/a Platform Specific Features: n/a [Optional Runtime guard:] [Optional Fixes #Issue] [Optional Fixes commit #PR or SHA] [Optional Deprecated:] [Optional [API Considerations](https://github.com/envoyproxy/envoy/blob/main/api/review_checklist.md):] Signed-off-by: Takeshi Yoneda <[email protected]>

Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

Risk Level: low Testing: updated tests Docs Changes: n/a Release Notes: n/a envoyproxy/envoy-mobile#176 Signed-off-by: Alyssa Wilk <[email protected]>

`run_clang_tidy.sh` has been removed from the CI in envoyproxy/envoy#29848 and not used anymore. Furthermore, it's broken on the main branch, so it's better to remove the file completely to avoid confusing new contributors. Signed-off-by: Takeshi Yoneda <[email protected]>

…onitor (#37321) In the previous implementation, we assumed that there was only a single transport type, which means the following use cases were not supported. [A, B] to [A], no network change [A] to [A, B], no network change This PR updates the network monitor code on Android to trigger network change appropriately when there are multiple transport types. IOW, the following use cases are now supported. [A, B] to [A], trigger network change [A] to [A, B], trigger network change Risk Level: low Testing: unit test Docs Changes: n/a Release Notes: n/a Platform Specific Features: mobile Signed-off-by: Fredy Wijaya <[email protected]>

Signed-off-by: Adi Suissa-Peleg <[email protected]>

Additional Description: We have uses cases where LB policies need to be able to write to request metadata when choosing or picking hosts. The metadata can be used in logging or by HTTP filters. This PR makes access to the request stream info non `const`. Risk Level: Low Testing: Unit tests Docs Changes: N/A Release Notes: N/A Platform Specific Features: N/A --------- Signed-off-by: Yan Avlasov <[email protected]>

…37323) Signed-off-by: dependabot[bot] <[email protected]> Signed-off-by: Ryan Northey <[email protected]>

…37330) Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

…37331) Signed-off-by: dependabot[bot] <[email protected]> Signed-off-by: Ryan Northey <[email protected]>

…#37333) Signed-off-by: dependabot[bot] <[email protected]> Signed-off-by: Ryan Northey <[email protected]>

Change-Id: I35f8f86bfa165d415e4fbc9f3a7c037e968cac25 Commit Message: add wasm overview Risk Level: low Testing: none Docs Changes: yes --------- Signed-off-by: Kuat Yessenov <[email protected]>

Signed-off-by: Ryan Northey <[email protected]>

Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

…(#37344) Signed-off-by: dependabot[bot] <[email protected]> Signed-off-by: Ryan Northey <[email protected]>

Signed-off-by: dependency-envoy[bot] <148525496+dependency-envoy[bot]@users.noreply.github.com> Co-authored-by: dependency-envoy[bot] <148525496+dependency-envoy[bot]@users.noreply.github.com>

Signed-off-by: Rohit Agrawal <[email protected]>

Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

## Description Adds new functionality to Lua filter flor allowing overriding the upstream host address. **Example:** ```lua function envoy_on_request(request_handle) request_handle:setUpstreamOverrideHost("192.168.21.11", true) end ``` --- **Commit Message:** adds new function to the LUA script for setting upstream host override **Additional Description:** The new `setUpstreamOverrideHost()` allows the dynamic upstream host override from Lua scripts. **Risk Level:** Low **Testing:** Added Unit + Integration tests **Docs Changes:** Added **Release Notes:** Added --------- Signed-off-by: Rohit Agrawal <[email protected]>

Commit Message: Adds logger id for dynamic_modules Additional Description: This commit adds a logger_id for the core dynamic_modules extension. * https://github.com/envoyproxy/envoy/tree/main/source/extensions/dynamic_modules * https://github.com/envoyproxy/envoy/tree/main/source/extensions/filters/http/dynamic_modules This is to mainly avoid unnecessarily requesting review from logger owners into dynamic_modules PRs just for adding one line. Risk Level: low Testing: none Docs Changes: n/a Release Notes: n/a Platform Specific Features: n/a [Optional Runtime guard:] [Optional Fixes #Issue] [Optional Fixes commit #PR or SHA] [Optional Deprecated:] [Optional [API Considerations](https://github.com/envoyproxy/envoy/blob/main/api/review_checklist.md):] --------- Signed-off-by: Takeshi Yoneda <[email protected]>

…ching API (#37158) Add more details for routing using Generic Matching API Signed-off-by: Kirtimaan <[email protected]>

c-ares is currently behind on upgrades due to incompatibility with gRPC. Patching c-ares CVE-2024-25629 to avoid scanner complaints. Signed-off-by: Yan Avlasov <[email protected]>

Signed-off-by: Ryan Northey <[email protected]>

Currently if the request stage fails or is cancelled it causes the publish wf to fail rather than just being skipped as the others do - this should fix that Signed-off-by: Ryan Northey <[email protected]>

This commit disables clang-tidy for the whole ABI header which is a pure C file. Previously, I added `// NOLINT` comment line on each place, clang-tidy is only for C++ source code, so this disables it considering the readability. This shouldn't be a problem as the header only has types and function declarations. Signed-off-by: Takeshi Yoneda <[email protected]>

Commit Message: Additional Description: Risk Level: Testing: Docs Changes: Release Notes: Platform Specific Features: [Optional Runtime guard:] [Optional Fixes #Issue] [Optional Fixes commit #PR or SHA] [Optional Deprecated:] [Optional [API Considerations](https://github.com/envoyproxy/envoy/blob/main/api/review_checklist.md):] Signed-off-by: Yury Kats <[email protected]>

Signed-off-by: Ryan Northey <[email protected]>

…348) Signed-off-by: Rohit Agrawal <[email protected]>

… (#37354) This removes the unnecessary default bazelrc configuration used in .devcontainer. This was a cause of #23239 people asked about multiple times before. Closes #23239 Signed-off-by: Takeshi Yoneda <[email protected]>

Commit Message: Additional Description: Risk Level: Testing: Docs Changes: Release Notes: Platform Specific Features: [Optional Runtime guard:] [Optional Fixes #Issue] [Optional Fixes commit #PR or SHA] [Optional Deprecated:] [Optional [API Considerations](https://github.com/envoyproxy/envoy/blob/main/api/review_checklist.md):] Signed-off-by: wangbaiping(wbpcode) <[email protected]>

* upstream/main: cors: remove unnecessary code (#37274) Removes setting `BAZEL_BUILD_EXTRA_OPTIONS` in .devcontainer/setup.sh (#37354) docs: added more info for LUA filter's setUpstreamOverrideHost() (#37348) changelog: Add entry for `schema_validation_tool` fix (#37335) ci/bazel: Fix repo config (#37349) Fix unchecked StatusOr dereference (#37337) dynamic_modules: exclude abi.h from clang-tidy (#37317) ci/publishing: Minor workflow fix (#37315) github/ci: Only trigger pr-notifier ci on `main` PRs (#37336) Patch c-ares CVE-2024-25629 (#37269) Add details and example of sublinear route matching using Generic Matching API (#37158) Adds logger id for dynamic_modules (#37296) lua: add new function to set upstream host override (#37327) build(deps): bump orjson from 3.10.11 to 3.10.12 in /tools/base (#37342) docs: added more info for stateful_session filter params (#37345) deps: Bump `envoy_examples` -> 0.0.8 (#37346) build(deps): bump envoyproxy/toolshed from actions-v0.3.10 to 0.3.11 (#37344) build(deps): bump icalendar from 6.0.1 to 6.1.0 in /tools/base (#37341) ci: Remove unused gsutil tooling (#37332) wasm: add basic docs (#37181) build(deps): bump envoyproxy/toolshed from actions-v0.3.9 to 0.3.10 (#37333) build(deps): bump envoyproxy/toolshed from actions-v0.3.8 to 0.3.9 (#37331) build(deps): bump envoyproxy/toolshed from actions-v0.3.6 to 0.3.8 (#37330) build(deps): bump envoyproxy/toolshed from actions-v0.3.5 to 0.3.6 (#37323) Grant LB policies write access to connection stream info (#37298) cors: refactor loop to if (#37257) mobile: Support for multiple transport types on the Android network monitor (#37321) Removes unused and unreferenced run_clang_tidy.sh (#37320) mobile: moving hds prod factory out of E-M build (#37291) build(deps): bump yarl from 1.17.2 to 1.18.0 in /tools/base (#37301) build(deps): bump aiohttp from 3.11.6 to 3.11.7 in /tools/base (#37303) dynamic_modules: enables rustfmt.toml (#37295) logger: remove exceptions (#37265) regex: removing exceptions (#37264) secret provider: removing exceptions (#37221) mobile: allowing for immediate pool drain on network change (#37290) ci: Boost cpu for flakey on_demand integration test (#37294) json: replacing IS_ENVOY_BUG when a large number value is used with an error (#37267) dynamic_modules: HTTP filter config implementation (#37070) http: make streaming shadows on by default (#37227) api: add ConnectionPoolSettings into ProxyProtocolUpstreamTransport (#37177) client-side-WRR-LB: Improve Client Side Weighted Round Robin lb policy. (#37127) outlier: removing exceptions (#37262) build(deps): bump actions/dependency-review-action from 4.4.0 to 4.5.0 (#37278) build(deps): bump setuptools from 75.5.0 to 75.6.0 in /tools/base (#37277) build(deps): bump github/codeql-action from 3.27.4 to 3.27.5 (#37279) build(deps): bump aiodocker from 0.23.0 to 0.24.0 in /tools/base (#37276) add docs for lua filter and change log (#37246) Make ScopedExecutionContext no-op if !ExecutionContext::isEnabled(). (#37069) SNI dynamic forward proxy: Support saving resolved upstream address (#37099) fix spelling in a comment (#37272) ext_proc: remove exception throw in ext_proc configuration parsing code (#37216) hds: not including for E-M (#37043) SAN-matcher: refactoring DNS exact SAN matcher out of regular matchers (#37253) Change handling of graceful case of LoadStatsReporting onRemoteClose (#37076) limit calculated sampling exponent (#37240) health check: remove exceptions (#37263) http: allow local replies to traverse the filter chain after 1xx headers (#37097) validator: add in removed extension (#37261) deps: Bump `com_github_gabime_spdlog` -> 1.15.0 (#37204) deps/python: Manually bump yarl to resolve dependabot issues (#37245) repo: Sync version histories (#37260) stream_info_formatter.cc format file (#37244) Update rate_limit_quota CODEOWNERS (#37255) rlqs: Shared, global RLQS client & buckets cache (#34009) perf: Optimize HedgePolicyImpl class layout (#37211) maintainers: promoting Boteng! (#37231) validation context: removing exceptions (#37220) deps: Bump `envoy_examples` -> 0.0.7 (#37248) proxy-protocol-filter: add version to filter state (#36934) build(deps): bump envoy-distribution-distrotest from 0.0.11 to 0.0.12 in /tools/base (#37247) python/tools: Update distrotest to retry apt failures (#37243) proto: moving a utility to the one call location (#36990) build(deps): bump slack-sdk from 3.33.3 to 3.33.4 in /tools/base (#37241) build(deps): bump aiohttp from 3.10.10 to 3.10.11 in /tools/base in the pip group (#37234) original_ip_detection: revert unintended XFF header appending behavior in CustomHeaderIPDetection (#37194) test: extend waitForInexactRawData (#37179) ci: Boost cpu for flakey grpc integration test (#37223) Update QUICHE from 3c9db14bb to dbc5afc11 (#37235) utility: remove exceptions for translation (#37042) ext_authz: expose fields latency, bytesSent and bytesReceived for CEL and logging (#37074) feature: make always accessible the original downstream local address (#36920) refactor: Optimize HeadersToAddEntry class layout (#37215) refactor: Optimize UpstreamCodecFilter class layout (#37213) deps/api: Bump `envoy_toolshed` -> 0.1.16 (#37219) build fix (#37149) quic: Use MaybeSendRstStreamFrame instead of ResetWriteSide in a quic test (#37182) runtime: deprecating envoy.reloadable_features.exclude_host_in_eds_status_draining (#37185) deps: Bump `aspect_bazel_lib` -> 2.9.4 (#37203) deps: Bump `build_bazel_rules_apple` -> 3.13.0 (#37202) deps/api: Bump `com_github_bufbuild_buf` -> 1.47.2 (#37206) deps/api: Bump `rules_proto` -> 7.0.2 (#37205) Resolve performance-inefficient-vector-operation clang-tidy warning (#37189) udp_proxy: support coexistence of dynamic and static clusters (#37016) doc: update inotify assertion to provide more accurate feedback (#37111) router: pre-reserve header_parser vectors by their sizes (#37130) [contrib] Disable GCC warnings and broken features (#37131) sub-formatter: store a bool instead of a string (#37141) filters: revert to original behavior for invalid content-length handling in CEL Size extractor (#37168) mobile: Make the Apple proxy settings monitor refresh interval configurable (#37175) mac: set `-Wno-deprecated-declarations` (#37148) Add CEL test using typed_filter_config (#37174) build(deps): bump google.golang.org/protobuf from 1.35.1 to 1.35.2 in /contrib/golang/filters/http/test/test_data/add_data in the contrib-golang group (#37161) build(deps): bump yapf from 0.40.2 to 0.43.0 in /tools/base (#37132) build(deps): bump setuptools from 75.4.0 to 75.5.0 in /tools/base (#37133) build(deps): bump google.golang.org/protobuf from 1.35.1 to 1.35.2 in /contrib/golang/filters/http/test/test_data/metric in the contrib-golang group (#37159) build(deps): bump google.golang.org/protobuf from 1.35.1 to 1.35.2 in /contrib/golang/filters/http/test/test_data/buffer in the contrib-golang group (#37160) build(deps): bump google.golang.org/protobuf from 1.35.1 to 1.35.2 in /contrib/golang/filters/http/test/test_data/echo in the contrib-golang group (#37162) build(deps): bump google.golang.org/protobuf from 1.35.1 to 1.35.2 in /contrib/golang/filters/http/test/test_data/access_log in the contrib-golang group (#37163) build(deps): bump google.golang.org/protobuf from 1.35.1 to 1.35.2 (#37164) build(deps): bump google.golang.org/protobuf from 1.35.1 to 1.35.2 in /contrib/golang/router/cluster_specifier/test/test_data/simple in the contrib-golang group (#37165) build(deps): bump github/codeql-action from 3.27.3 to 3.27.4 (#37166) build(deps): bump google.golang.org/protobuf from 1.34.2 to 1.35.2 in /contrib/golang/filters/http/test/test_data/property in the contrib-golang group (#37167) build(deps): bump google.golang.org/protobuf from 1.35.1 to 1.35.2 in /contrib/golang/filters/http/test/test_data/routeconfig in the contrib-golang group (#37169) access_log: add UPSTREAM_HOST_NAME_WITHOUT_PORT variable (#37114) filters: optimize cel expression context with constant-time lookups (#37057) replace access log list to access log vector (#37103) feat: prepare for breaking change in Protobuf C++ API (#37066) iouring: compiling out for E-M linux (#37035) bump proto_processing_lib to 11d825fb33f92eefcbacbd7b0db9eea8df6e8acb (#37125) Update QUICHE from aaf48d2e5 to 3c9db14bb (#37128) [quic]Check canonical suffix when checking checking QUIC brokenness (#36981) bump protobuf to 28.3 (#37113) build(deps): bump github/codeql-action from 3.27.0 to 3.27.3 (#37118) build(deps): bump gsutil from 5.30 to 5.31 in /tools/base (#36545) build(deps): bump setuptools from 75.3.0 to 75.4.0 in /tools/base (#37105) build(deps): bump distroless/base-nossl-debian12 from `aa91f01` to `174f326` in /ci (#37119) Fix a bug where DNS jitter can cause milliseconds duration to be interpreted as negative triggering envoy bug. (#36953) dns: add round-robin nameserver rotation option to c-ares resolver (#37108) Remove race between closing upstream connection and downstream request (#37101) ci: Add bazel client caching (#37096) tests: use makeOptRef to create an OptRef object (#37110) http2: removes the false path for an old runtime feature (#37067) benchmark: add route matcher benchmarks for exact and prefix match (#37086) lua cluster_specifier: fix lua reference for multiple clusters (#37100) odcds: only including if needed (#37034) ext_proc: Ext proc half close on destroy and defer reset till trailers received. (#37083) exceptions: Make THROW_OR_RETURN_VALUE work outside the "Envoy" namespace (#37058) access log: support upstream connect timing in COMMON_DURATION (#37077) build(deps): bump aio-api-bazel from 0.0.2 to 0.0.3 in /tools/base (#37094) build(deps): update envoyproxy/toolshed requirement to actions-v0.3.5 (#37093) [contrib][vcl] Fix VCL builds with GCC (#37075) rbac: add unit tests for matchers to increase coverage (#37080) changelog: fix a small typo in rbac deprecation line (#37082) Add `arch` to APT repository configuration (#37068) rbac: add support for matching on route metadata (#36957) tls: add options to validate SANs and send SNI for upstream hostname (#36903) lua cluster_specifier: fix crash in getCluster() (#37073) deps: Bump `rules_rust` -> 0.54.1 (#37056) Enhance ext_proc filter to support MXN streaming (#34942) [contrib][postgres] Remove <> after constructor in the PG proxy code (#37038) socket: removing some exceptions (#36991) ci: Shift (Docker) cache priming to request workflow (#37028) quic: Don't delay TCP attempt when HTTP/3 status is unknown (#37040) kafka: split protocol generation into .h and .cc files (#37017) bazel/ci: Add pre/post repository shas to report (#37062) ci: Rename request/checks workflow (#37033) bazel: Make `ci` config common (#37027) build(deps): bump envoyproxy/toolshed from actions-v0.3.1 to 0.3.2 (#37061) [contrib][http language filter] Change position of libstdc++ library when linking ICU tools (#37060) docs/proto: Adding comments to fields/enums that have no comments (#37018) bazel/ci: Remove old fetch setup (#37014) router: removing unused files (#37019) Remove extraneous target source/common/common:xds_manager_lib (#37041) dns_cache: add more unit tests (#37032) dns resolver: add options to initialize c-ares with custom timeout an… (#36947) docs: add and fix license URLs (#37029) deps: Bump `envoy_examples` -> 0.0.6 (#37023) build(deps): bump pygithub from 2.4.0 to 2.5.0 in /tools/base (#37022) ext_proc: refactoring onData() to make it modularized (#36999) proto: removing some exceptions (#36965) ip-tagging filter: add support for an optional ip-tag-header field (#36434) S390x - Fix typo for envoy test (#37015) boringssl: update to latest chromium stable version (#36899) lua cluster_specifier: give access to cluster connection/request counts (#36998) golang: expose add{Decoded,Encoded}Data (#36959) ci/codeql: Disable "trap" caching (#36985) ci: Boost mem for integration test (#37009) build(deps): bump envoyproxy/toolshed from actions-v0.2.38 to 0.3.1 (#37013) docs/bazel: Fix target visibility (#37008) ci/coverage: Fix duplicate flag warning (#36987) Add release note for "Relax recent SNI restrictions" (#37000) Make CancelWrapper enforce thread constraint (#36993) stats: add tag extraction rules for google_grpc client (#36673) attributes: add new attribute upstream.request_attempt_count (#36939) Relax recent SNI restrictions (#36950) build(deps): bump envoyproxy/toolshed from actions-v0.2.37 to 0.2.38 (#36994) flow_control: downstream push back sidestream (#35827) wasm: remove the shutdown callback in lifetime_notifier (#36688) tools: Remove `envoy_package` (#36948) deps: Bump `com_google_cel_cpp` -> 0.10.0 (#36940) ext_proc: clean up (#36956) kafka: close connection when rejectable request appears (#36979) github/ci: Fix workflow concurrency (#36952) bazel/distribution: Cleanups to fix aquery (#36977) docs: update envoy build location (#36986) Update QUICHE from 5621f6366 to aaf48d2e5 (#36976) mobile: Fix HTTPRequestUsingProxyTest.swift (#36980) Added envoy test missing options for s390x (#36915) Add cancelWrapper helper function in /common. (#36938) router: use template method to avoid unused memory allocations in HeaderData (#36878) xds: delta-xDS avoid copying resources (#36832) deps/api: Bump `envoy_toolshed` -> 0.1.15 (#36969) github/ci: Workaround `macos-12` brownout by boosting images (#36972) sds: relax backing cluster check to allow dynamic clusters (#36694) json: reduce exceptions (#36919) headers/geoip: Fix macro (#36964) ads-replacement: adding hook and cluster-manager support (#36768) srds: remove a redundant if block (#36944) ci: Quieten GCS artifact uploads (#36949) matchers: remove unneeded ListMatcher data member (#36902) Partial revert of "mobile: resolving how forcev6 works on mobile plat… (#36922) build(deps): bump orjson from 3.10.10 to 3.10.11 in /tools/base (#36960) address: removing some exceptions (#36754) api: HTTP APIKey Auth Filter (#36709) golang: provide method to refresh route cache (#36863) wasm: remove unused public interfaces (#36941) tools: updating oncall test triage location (#36937) ci/rbe: Boost cpus for more flakey tests (#36942) wasm: prevent stuck connections in case of multiple local replies (#36809) udp_proxy: Support dynamic cluster selection per session (#36868) srds: permit dynamic SRDS resources to contain inline RDS configuration (#36703) http: removing the default trusted address list (#36643) proto: reducing exceptions (#36872) ci/rbe: Boost cpus for some more integration tests (#36930) build(deps): bump envoy-base-utils from 0.5.6 to 0.5.7 in /tools/base (#36935) deps/api: Bump `com_github_bufbuild_buf` -> 1.46.0 (#36933) deps: Bump `build_bazel_rules_apple` -> 3.11.2 (#36932) build(deps): bump setuptools from 75.2.0 to 75.3.0 in /tools/base (#36906) build(deps): bump slack-sdk from 3.33.2 to 3.33.3 in /tools/base (#36905) tests: add integration test to quic_stats for long certificate chain (#36926) add OLM scaling for max_connection_duration (#36816) config: removing unpackToOrThrow in favor of unpackTo (#36821) srds: remove scope from scope_name_by_hash_ in case the scope key changes (#36702) test: fix os_sys_calls_test in some less common environments (#36923) tools/python: Fix macro format issue (#36916) router: converting internal_only_headers from list to vector (#36898) Remove unused listener FilterChain on_demand_configuration field (#36786) tools/python: Fix namespacing in entry_point macros (#36914) route: remove redundant loader reference in weighted cluster entries (#36836) wasm: removed automatical route refreshment and add a foreign function to clear the route cache (#36671) deps/api: Bump `envoy_toolshed` -> 0.1.13 (#36892) ci/rbe: Boost cpu for another integration test (#36901) tls: Expose well-known certificate subject fields in Lua filter (#35994) bazel/deps: Fix `rules_license` setup (#36900) [mobile]fix jni parameter type (#36896) quic: add debug visitor to export various quic stats from quiche (#36813) context: use server factory context as lb context (#36874) runtime: removed defer processing flag and legacy codepaths. (#36731) http2: protects client against stream not found (#36573) ci/rbe: Boost cpu for another integration test (#36885) build(deps): bump actions/dependency-review-action from 4.3.5 to 4.4.0 (#36883) fix typo in the code comment (#36875) Update QUICHE from 0d1ce7087 to 5621f6366 (#36869) mobile: Fix a PAC proxy error check bug (#36876) runtime: Enable UDP GRO by default (#36811) Deprecating and removing envoy.reloadable_features.edf_lb_locality_scheduler_init_fix (#36835) ci: Use repo settings for upload buckets (#36870) flow_control: Refactor setWatermark (#36738) bazel/ci: Add repo customizations (#36831) deps: Bump `bazel_features` -> 1.20.0 (#36855) deps: Bump `rules_python` -> 0.37.2 (#36854) dependabot: add missing contrib-golang group to some gomod (#36849) build(deps): bump distroless/base-nossl-debian12 from `e130c09` to `aa91f01` in /ci (#36847) ci/coverage: Fix accidental ws (#36839) oauth2: enable `use_refresh_token` by default (#36065) Update QUICHE from 408e786de to 0d1ce7087 (#36822) ci/rbe: Boost cpus for more integration tests (#36837) ci/coverage: Fix coverage flake in `source/extensions/common` (#36838) route: Downgrade advisory log message (#36797) runtime: deprecate validate_grpc_header (#36757) rbe/ci: Bump cpus for kv/store integration test (#36834) deps: Bump `build_bazel_rules_apple` -> 3.10.0 (#36833) protobuf.patch: a bunch of updates, mostly backports (#36823) coverage: loosen (#36830) ci/rbe: Boost cpu/mem for more integration tests (#36825) deps: Bump `com_github_awslabs_aws_c_auth` -> 0.8.0 (#36827) deps: Bump `aspect_bazel_lib` -> 2.9.3 (#36726) deps/api: Bump `dev_cel` -> 0.18.0 (#36826) build(deps): bump slack-sdk from 3.33.1 to 3.33.2 in /tools/base (#36824) router: clean up unnecessary field (#36814) request id: minor optimization or fix to the request id logic (#36773) deps: Bump `com_github_nghttp2_nghttp2` -> 1.64.0 (#36743) Set resource `telemetry.sdk.*` and scope `otel.scope.name|version` attributes for the OpenTelemetry tracer (#36787) Backport grpc change to fix some protoc warnings (#36795) wasm: restart wasm vm if it's failed because runtime error (#36456) deps: Bump `rules_python` -> 0.37.1 (#36817) proxy_protocol: use no-throw addresses to remove exception handling (#36815) tools/python: Remove unused loading of old py macro (#36820) tools/python: Use newer `entry_point` rule (#36803) ci/codeql: Only run on main branch (#36806) ci/rbe: Adjust keepalives for cache (envoy and mobile) (#36810) ci/rbe: Boost cpus for a couple more integration tests (#36807) tls: support IP SANs for IP versions not supported by host OS (#36770) dynamic_modules: scaffolds config API & HTTP Filter (#36448) Refactor UDP proxy to support deferred cluster selection (#36700) coverage: ratcheting (#36762) quic: remove runtime guard and code for legacy cert handling (#36772) Deprecating and removing envoy.reloadable_features.edf_lb_host_scheduler_init_fix (#36794) build(deps): bump actions/checkout from 4.2.1 to 4.2.2 (#36798) [balsa] Add runtime flag for http_inspector parser (#36672) tls: reduce memory use per connection by 712 bytes (#36767) ci/tests: Boost more worker cores for flakey integration tests (#36793) bump cel-cpp (#36661) ci/tests: Revert some integration tests to `2core` (#36784) mobile: resolving how forcev6 works on mobile platforms (#36732) build(deps): bump github/codeql-action from 3.26.13 to 3.27.0 (#36774) build(deps): bump protobuf from 5.28.2 to 5.28.3 in /tools/base (#36775) build(deps): bump orjson from 3.10.9 to 3.10.10 in /tools/base (#36776) ci/macos: Increase timeout to 120m (#36719) ci/coverage: Remove more cruft in diskspace hack (#36720) aws: async bugfix for multiple credential handlers in upstream mode (#36707) Allow empty resolver list for cares dns (#36735) runtime: removing dns_reresolve_on_eai_again (#36656) mobile: Adds proxy.pac to test PAC file URL (#36765) ci/rbe: Switch rbe pools `2core` -> `6gig` (#36761) ocsp/formatting: Fix format issue in generated cert (#36763) deps: Switch hosting server for kafka server binary download (#36748) test/ocsp: Renew certificates (#36755) upstream: removing exceptions from hostimpl (#36582) deps: Bump `rules_rust` -> 0.53.0 (#36727) deps: Bump `rules_jvm_external` -> 6.4 (#36721) build(deps): bump actions/dependency-review-action from 4.3.4 to 4.3.5 (#36740) Add support for OtherName, Email SAN substitution formatters (#36502) wasm: remove redundant xds attributes (#36619) apple_dns: Add DNS query trace (#36678) mobile: Fixes for the Apple PAC proxy resolver (#36698) mobile: change to being more aggressive about HTTP/3 retries (#36734) ci/rbe: Switch backend RBE cluster (#36730) deps/release: Bump Ubuntu -> 0e5e4a5 (#36723) Fix documentation for TcpProxy.metadata_match (#36683) build: fix compile commands generation (#36693) add test suites for classes in hash_policy.cc file (#36708) router: remove send_local_reply_when_no_buffer_and_upstream_request guard (#36620) mobile: add knob for h3 keepalive (#36646) test: Add a knob to disable admin server in IntegrationTestServer (#36684) build(deps): bump orjson from 3.10.7 to 3.10.9 in /tools/base (#36714) build(deps): bump envoy-base-utils from 0.5.5 to 0.5.6 in /tools/base (#36690) build(deps): bump cryptography from 43.0.1 to 43.0.3 in /tools/base (#36715) aws_signing: support for dynamically configurable credential (#36217) http: initializes a field of ConnectionManagerImpl::ActiveStream::State. (#36642) test: deflake an integration test (#36674) ci/rbe: Use engflow for non-coverage checks (#36687) xds-failover: fixing runtime feature flag in tests (#36659) security-release: update the q3 release record (#36689) Signed-off-by: tedjpoole <[email protected]>

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

auto-merge envoyproxy/envoy[main] into envoyproxy/envoy-openssl[main] #273

auto-merge envoyproxy/envoy[main] into envoyproxy/envoy-openssl[main] #273

Commits on Oct 29, 2024

Commits on Oct 30, 2024

Commits on Oct 31, 2024

Commits on Nov 1, 2024

Commits on Nov 2, 2024

Commits on Nov 4, 2024

Commits on Nov 5, 2024

Commits on Nov 6, 2024

Commits on Nov 7, 2024

Commits on Nov 8, 2024

Commits on Nov 9, 2024

Commits on Nov 10, 2024

Commits on Nov 11, 2024

Commits on Nov 12, 2024

Commits on Nov 13, 2024

Commits on Nov 14, 2024

Commits on Nov 15, 2024

Commits on Nov 16, 2024

Commits on Nov 17, 2024

Commits on Nov 18, 2024

Commits on Nov 19, 2024

Commits on Nov 20, 2024

Commits on Nov 21, 2024

Commits on Nov 22, 2024

Commits on Nov 23, 2024

Commits on Nov 24, 2024

Commits on Nov 25, 2024

Commits on Nov 26, 2024

auto-merge envoyproxy/envoy[main] into envoyproxy/envoy-openssl[main] #273

Are you sure you want to change the base?

auto-merge envoyproxy/envoy[main] into envoyproxy/envoy-openssl[main] #273

Commits on Oct 29, 2024

Commits on Oct 30, 2024

Commits on Oct 31, 2024

Commits on Nov 1, 2024

Commits on Nov 2, 2024

Commits on Nov 4, 2024

Commits on Nov 5, 2024

Commits on Nov 6, 2024

Commits on Nov 7, 2024

Commits on Nov 8, 2024

Commits on Nov 9, 2024

Commits on Nov 10, 2024

Commits on Nov 11, 2024

Commits on Nov 12, 2024

Commits on Nov 13, 2024

Commits on Nov 14, 2024

Commits on Nov 15, 2024

Commits on Nov 16, 2024

Commits on Nov 17, 2024

Commits on Nov 18, 2024

Commits on Nov 19, 2024

Commits on Nov 20, 2024

Commits on Nov 21, 2024

Commits on Nov 22, 2024

Commits on Nov 23, 2024

Commits on Nov 24, 2024

Commits on Nov 25, 2024

Commits on Nov 26, 2024