Merge branch 'master' into integration-symtab

Signed-off-by: Joshua Marantz <jmarantz@google.com>

api/envoy/config/core/v3/config_source.proto

@@ -110,6 +110,10 @@ message AggregatedConfigSource {
 // specify that other data can be obtained from the same server.
 message SelfConfigSource {
   option (udpa.annotations.versioning).previous_message_type = "envoy.api.v2.core.SelfConfigSource";
+
+  // API version for xDS transport protocol. This describes the xDS gRPC/REST
+  // endpoint and version of [Delta]DiscoveryRequest/Response used on the wire.
+  ApiVersion transport_api_version = 1 [(validate.rules).enum = {defined_only: true}];
 }
 
 // Rate Limit settings to be applied for discovery requests made by Envoy.

api/envoy/config/filter/network/client_ssl_auth/v2/client_ssl_auth.proto

@@ -41,6 +41,6 @@ message ClientSSLAuth {
 
   // An optional list of IP address and subnet masks that should be white
   // listed for access by the filter. If no list is provided, there is no
-  // IP white list.
+  // IP allowlist.
   repeated api.v2.core.CidrRange ip_white_list = 4;
 }

api/envoy/config/route/v3/BUILD

@@ -11,6 +11,7 @@ api_proto_package(
         "//envoy/api/v2/route:pkg",
         "//envoy/config/core/v3:pkg",
         "//envoy/type/matcher/v3:pkg",
+        "//envoy/type/metadata/v3:pkg",
         "//envoy/type/tracing/v3:pkg",
         "//envoy/type/v3:pkg",
         "@com_github_cncf_udpa//udpa/annotations:pkg",

api/envoy/config/route/v3/route_components.proto

@@ -7,6 +7,7 @@ import "envoy/config/core/v3/extension.proto";
 import "envoy/config/core/v3/proxy_protocol.proto";
 import "envoy/type/matcher/v3/regex.proto";
 import "envoy/type/matcher/v3/string.proto";
+import "envoy/type/metadata/v3/metadata.proto";
 import "envoy/type/tracing/v3/custom_tag.proto";
 import "envoy/type/v3/percent.proto";
 import "envoy/type/v3/range.proto";
@@ -1342,7 +1343,7 @@ message VirtualCluster {
 message RateLimit {
   option (udpa.annotations.versioning).previous_message_type = "envoy.api.v2.route.RateLimit";
 
-  // [#next-free-field: 7]
+  // [#next-free-field: 8]
   message Action {
     option (udpa.annotations.versioning).previous_message_type =
         "envoy.api.v2.route.RateLimit.Action";
@@ -1456,6 +1457,20 @@ message RateLimit {
       repeated HeaderMatcher headers = 3 [(validate.rules).repeated = {min_items: 1}];
     }
 
+    // The following descriptor entry is appended when the dynamic metadata contains a key value:
+    //
+    // .. code-block:: cpp
+    //
+    //   ("<descriptor_key>", "<value_queried_from_metadata>")
+    message DynamicMetaData {
+      // The key to use in the descriptor entry.
+      string descriptor_key = 1 [(validate.rules).string = {min_bytes: 1}];
+
+      // Metadata struct that defines the key and path to retrieve the string value. A match will
+      // only happen if the value in the dynamic metadata is of type string.
+      type.metadata.v3.MetadataKey metadata_key = 2 [(validate.rules).message = {required: true}];
+    }
+
     oneof action_specifier {
       option (validate.required) = true;
 
@@ -1476,6 +1491,9 @@ message RateLimit {
 
       // Rate limit on the existence of request headers.
       HeaderValueMatch header_value_match = 6;
+
+      // Rate limit on dynamic metadata.
+      DynamicMetaData dynamic_metadata = 7;
     }
   }
 

api/envoy/extensions/filters/listener/proxy_protocol/v3/proxy_protocol.proto

@@ -4,6 +4,7 @@ package envoy.extensions.filters.listener.proxy_protocol.v3;
 
 import "udpa/annotations/status.proto";
 import "udpa/annotations/versioning.proto";
+import "validate/validate.proto";
 
 option java_package = "io.envoyproxy.envoy.extensions.filters.listener.proxy_protocol.v3";
 option java_outer_classname = "ProxyProtocolProto";
@@ -17,4 +18,26 @@ option (udpa.annotations.file_status).package_version_status = ACTIVE;
 message ProxyProtocol {
   option (udpa.annotations.versioning).previous_message_type =
       "envoy.config.filter.listener.proxy_protocol.v2.ProxyProtocol";
+
+  message KeyValuePair {
+    // The namespace — if this is empty, the filter's namespace will be used.
+    string metadata_namespace = 1;
+
+    // The key to use within the namespace.
+    string key = 2 [(validate.rules).string = {min_bytes: 1}];
+  }
+
+  // A Rule defines what metadata to apply when a header is present or missing.
+  message Rule {
+    // The type that triggers the rule - required
+    // TLV type is defined as uint8_t in proxy protocol. See `the spec
+    // <https://www.haproxy.org/download/2.1/doc/proxy-protocol.txt>`_ for details.
+    uint32 tlv_type = 1 [(validate.rules).uint32 = {lt: 256}];
+
+    // If the TLV type is present, apply this metadata KeyValuePair.
+    KeyValuePair on_tlv_present = 2;
+  }
+
+  // The list of rules to apply to requests.
+  repeated Rule rules = 1;
 }

api/envoy/extensions/filters/network/client_ssl_auth/v3/client_ssl_auth.proto

@@ -6,6 +6,7 @@ import "envoy/config/core/v3/address.proto";
 
 import "google/protobuf/duration.proto";
 
+import "udpa/annotations/migrate.proto";
 import "udpa/annotations/status.proto";
 import "udpa/annotations/versioning.proto";
 import "validate/validate.proto";
@@ -42,6 +43,7 @@ message ClientSSLAuth {
 
   // An optional list of IP address and subnet masks that should be white
   // listed for access by the filter. If no list is provided, there is no
-  // IP white list.
-  repeated config.core.v3.CidrRange ip_white_list = 4;
+  // IP allowlist.
+  repeated config.core.v3.CidrRange ip_white_list = 4
+      [(udpa.annotations.field_migrate).rename = "ip_allowlist"];
 }

bazel/repository_locations.bzl

@@ -161,10 +161,10 @@ DEPENDENCY_REPOSITORIES = dict(
         cpe = "N/A",
     ),
     com_github_google_libprotobuf_mutator = dict(
-        sha256 = "f6def6cdf63e29a367d46c0ad9e3e31eed89d031e22e0caac126f1e62d8b3fd0",
-        strip_prefix = "libprotobuf-mutator-3521f47a2828da9ace403e4ecc4aece1a84feb36",
-        # 2020-02-04
-        urls = ["https://github.com/google/libprotobuf-mutator/archive/3521f47a2828da9ace403e4ecc4aece1a84feb36.tar.gz"],
+        sha256 = "d51365191580c4bf5e9ff104eebcfe34f7ff5f471006d7a460c15dcb3657501c",
+        strip_prefix = "libprotobuf-mutator-7a2ed51a6b682a83e345ff49fc4cfd7ca47550db",
+        # 2020-06-25
+        urls = ["https://github.com/google/libprotobuf-mutator/archive/7a2ed51a6b682a83e345ff49fc4cfd7ca47550db.tar.gz"],
         use_category = ["test"],
     ),
     com_github_gperftools_gperftools = dict(

docs/root/configuration/listeners/listener_filters/proxy_protocol.rst

@@ -11,8 +11,8 @@ which places the original coordinates (IP, PORT) into a connection-string.
 Envoy then extracts these and uses them as the remote address.
 
 In Proxy Protocol v2 there exists the concept of extensions (TLV)
-tags that are optional. This implementation skips over these without
-using them.
+tags that are optional. If the type of the TLV is added to the filter's configuration,
+the TLV will be emitted as dynamic metadata with user-specified key.
 
 This implementation supports both version 1 and version 2, it
 automatically determines on a per-connection basis which of the two
@@ -35,4 +35,4 @@ This filter emits the following statistics:
   :header: Name, Type, Description
   :widths: 1, 1, 2
 
-  downstream_cx_proxy_proto_error, Counter, Total proxy protocol errors
+  downstream_cx_proxy_proto_error, Counter, Total proxy protocol errors

docs/root/configuration/listeners/network_filters/client_ssl_auth_filter.rst

@@ -22,7 +22,7 @@ Every configured client TLS authentication filter has statistics rooted at
   update_success, Counter, Total principal update successes
   update_failure, Counter, Total principal update failures
   auth_no_ssl, Counter, Total connections ignored due to no TLS
-  auth_ip_white_list, Counter, Total connections allowed due to the IP white list
+  auth_ip_allowlist, Counter, Total connections allowed due to the IP allowlist
   auth_digest_match, Counter, Total connections allowed due to certificate match
   auth_digest_no_match, Counter, Total connections denied due to no certificate match
   total_principals, Gauge, Total loaded principals

docs/root/version_history/current.rst

@@ -7,6 +7,8 @@ Incompatible Behavior Changes
 *Changes that are expected to cause an incompatibility if applicable; deployment changes are likely required*
 
 * build: official released binary is now built on Ubuntu 18.04, requires glibc >= 2.27.
+* client_ssl_auth: the `auth_ip_white_list` stat has been renamed to
+  :ref:`auth_ip_allowlist <config_network_filters_client_ssl_auth_stats>`.
 
 Minor Behavior Changes
 ----------------------
@@ -40,8 +42,8 @@ Bug Fixes
 * http: fixed a bug where in some cases slash was moved from path to query string when :ref:`merging of adjacent slashes<envoy_api_field_config.filter.network.http_connection_manager.v2.HttpConnectionManager.merge_slashes>` is enabled.
 * http: fixed several bugs with applying correct connection close behavior across the http connection manager, health checker, and connection pool. This behavior may be temporarily reverted by setting runtime feature `envoy.reloadable_features.fix_connection_close` to false.
 * prometheus stats: fix the sort order of output lines to comply with the standard.
-* udp: the :ref:`reuse_port <envoy_api_field_Listener.reuse_port>` listener option must now be 
-  specified for UDP listeners if concurrency is > 1. This previously crashed so is considered a 
+* udp: the :ref:`reuse_port <envoy_api_field_Listener.reuse_port>` listener option must now be
+  specified for UDP listeners if concurrency is > 1. This previously crashed so is considered a
   bug fix.
 * upstream: fixed a bug where Envoy would panic when receiving a GRPC SERVICE_UNKNOWN status on the health check.
 
@@ -99,12 +101,14 @@ New Features
   interested in; behavior is allowed based on new "envoy.lrs.supports_send_all_clusters" capability
   in :ref:`client_features<envoy_v3_api_field_config.core.v3.Node.client_features>` field.
 * lrs: updated to allow to explicitly set the API version of gRPC service endpoint and message to be used.
+* lua: added tracing to the ``httpCall()`` API.
 * metrics service: added added :ref:`API version <envoy_v3_api_field_config.metrics.v3.MetricsServiceConfig.transport_api_version>` to explicitly set the version of gRPC service endpoint and message to be used.
 * network filters: added a :ref:`postgres proxy filter <config_network_filters_postgres_proxy>`.
 * network filters: added a :ref:`rocketmq proxy filter <config_network_filters_rocketmq_proxy>`.
 * performance: stats symbol table implementation (enabled by default; to disable it, add
   `--use-fake-symbol-table 1` to the command-line arguments when starting Envoy).
 * prometheus stats: fix the sort order of output lines to comply with the standard.
+* ratelimit: add support for use of dynamic metadata :ref:`dynamic_metadata <envoy_v3_api_field_config.route.v3.RateLimit.Action.dynamic_metadata>` as a ratelimit action.
 * ratelimit: added :ref:`API version <envoy_v3_api_field_config.ratelimit.v3.RateLimitServiceConfig.transport_api_version>` to explicitly set the version of gRPC service endpoint and message to be used.
 * redis: added acl support :ref:`downstream_auth_username <envoy_v3_api_field_extensions.filters.network.redis_proxy.v3.RedisProxy.downstream_auth_username>` for downstream client ACL authentication, and :ref:`auth_username <envoy_v3_api_field_extensions.filters.network.redis_proxy.v3.RedisProtocolOptions.auth_username>` to configure authentication usernames for upstream Redis 6+ server clusters with ACL enabled.
 * regex: added support for enforcing max program size via runtime and stats to monitor program size for :ref:`Google RE2 <envoy_v3_api_field_type.matcher.v3.RegexMatcher.GoogleRE2.max_program_size>`.