Merge remote-tracking branch 'origin/master' into PiotrSikora/wasm-cl…

…ear_route_cache

.github/workflows/stale.yml

@@ -0,0 +1,42 @@
+on:
+  workflow_dispatch:
+  schedule:
+    - cron: '0 */4 * * *'
+
+jobs:
+  prune_stale:
+    name: Prune Stale
+    runs-on: ubuntu-latest
+
+    steps:
+    - name: Prune Stale
+      uses: actions/stale@v3.0.14
+      with:
+        repo-token: ${{ secrets.GITHUB_TOKEN }}
+        # Different amounts of days for issues/PRs are not currently supported but there is a PR
+        # open for it: https://github.com/actions/stale/issues/214
+        days-before-stale: 30
+        days-before-close: 7
+        stale-issue-message: >
+          This issue has been automatically marked as stale because it has not had activity in the
+          last 30 days. It will be closed in the next 7 days unless it is tagged "help wanted" or "no stalebot" or other activity
+          occurs. Thank you for your contributions.
+        close-issue-message: >
+          This issue has been automatically closed because it has not had activity in the
+          last 37 days. If this issue is still valid, please ping a maintainer and ask them to label it as "help wanted" or "no stalebot".
+          Thank you for your contributions.
+        stale-pr-message: >
+          This pull request has been automatically marked as stale because it has not had
+          activity in the last 30 days. It will be closed in 7 days if no further activity occurs. Please
+          feel free to give a status update now, ping for review, or re-open when it's ready.
+          Thank you for your contributions!
+        close-pr-message: >
+          This pull request has been automatically closed because it has not had
+          activity in the last 37 days. Please feel free to give a status update now, ping for review, or re-open when it's ready.
+          Thank you for your contributions!
+        stale-issue-label: 'stale'
+        exempt-issue-labels: 'no stalebot,help wanted'
+        stale-pr-label: 'stale'
+        exempt-pr-labels: 'no stalebot'
+        operations-per-run: 500
+        ascending: true

DEPENDENCY_POLICY.md

@@ -69,24 +69,39 @@ Pure developer tooling and documentation builds may reference Python via standal
 
 ## New external dependencies
 
-* Any new dependency on the Envoy data or control plane that impacts Envoy core (i.e. is not
-  specific to a single non-core extension) must be cleared with the Envoy security team, please file
-  an issue and tag
-  [@envoyproxy/security-team](https://github.com/orgs/envoyproxy/teams/security-team). While policy
-  is still [evolving](robust_to_untrusted_downstream_and_upstream), criteria that will be used in
-  evaluation include:
-  * Does the project have release versions? How often do releases happen?
-  * Does the project have a security vulnerability disclosure process and contact details?
-  * Does the project have effective governance, e.g. multiple maintainers, a governance policy?
-  * Does the project have a code review culture? Are patches reviewed by independent maintainers
-    prior to merge?
-  * Does the project enable mandatory GitHub 2FA for contributors?
-  * Does the project have evidence of high test coverage, fuzzing, static analysis (e.g. CodeQL),
-    etc.?
-
-* Dependencies for extensions that are tagged as `robust_to_untrusted_downstream` or
-  `robust_to_untrusted_downstream_and_upstream` should be sensitive to the same set of concerns
-  as the core data plane.
+Any new dependency on the Envoy data or control plane that impacts Envoy core (i.e. is not
+specific to a single non-core extension) must be cleared with the Envoy dependency shepherds and
+security team, please file an issue and tag both [dependency
+shepherds](https://github.com/orgs/envoyproxy/teams/dependency-shepherds) and
+the [@envoyproxy/security-team](https://github.com/orgs/envoyproxy/teams/security-team).
+
+The criteria below are used to evaluate new dependencies on the data, control
+and observability plane. They apply to all core dependencies and any extension
+that is robust to untrusted downstream or upstream traffic. The criteria are
+guidelines, exceptions may be granted with solid rationale. Precedent from
+existing extensions does not apply; there are extant extensions in violation of
+this policy which we will be addressing over time, they do not provide grounds
+to ignore policy criteria below.
+
+|Criteria|Requirement|Mnemonic|Weight|Rationale|
+|--------|-----------|--------|------|---------|
+|Cloud Native Computing Foundation (CNCF) [approved license](https://github.com/cncf/foundation/blob/master/allowed-third-party-license-policy.md#approved-licenses-for-allowlist)|MUST|License|High||
+|Dependencies must not substantially increase the binary size unless they are optional (i.e. confined to specific extensions)|MUST|BinarySize|High|Envoy Mobile is sensitive to binary size. We should pick dependencies that are used in core with this criteria in mind.|
+|No duplication of existing dependencies|MUST|NoDuplication|High|Avoid maintenance cost of multiple JSON parsers etc|
+|Hosted on a git repository and the archive fetch must directly reference this repository. We will NOT support intermediate artifacts built by-hand located on GCS, S3, etc.|MUST|Source|High|Flows based on manual updates are fragile (they are not tested until needed), often suffer from missing documentation and shared exercise, may fail during emergency zero day updates and have no audit trail (i.e. it's unclear how the artifact we depend upon came to be at a later date).|
+|CVE history appears reasonable, no pathological CVE arcs|MUST|SoundCVEs|High|Avoid dependencies that are CVE heavy in the same area (e.g. buffer overflow)
+|Code review (ideally PRs) before merge|MUST|Code-Review|Normal|Consistent code reviews|
+|Security vulnerability process exists, with contact details and reporting/disclosure process|MUST|SecPolicy|High|Lack of a policy implies security bugs are open zero days|
+|> 1 contributor responsible for a non-trivial number of commits|MUST|Contributors|Normal|Avoid bus factor of 1|
+|Tests run in CI|MUST|CI-Tests|Normal|Changes gated on tests|
+|High test coverage (also static/dynamic analysis, fuzzing)|SHOULD|Test-Coverage|Normal|Key dependencies must meet the same quality bar as Envoy|
+|Envoy can obtain advanced notification of vulnerabilities or of security releases|SHOULD|SecPolicy-Compat|High|Coordinated security releases possible, but most dependencies do not feature this.|
+|Do other significant projects have shared fate by using this dependency?|SHOULD|SharedFate|High|Increased likelihood of security community interest, many eyes.|
+|Releases (with release notes)|SHOULD|Releases|Normal|Discrete upgrade points, clear understanding of security implications. We have many counterexamples today (e.g. CEL, re2).|
+|Commits/releases in last 90 days|SHOULD|Active|Normal|Avoid unmaintained deps, not compulsory since some code bases are “done”|
+
+The rationale behind this policy is tracked
+[here](https://docs.google.com/document/d/1HbREo7pv7rgeIIjQn6mNpySzQE5rx2Yv9dXm5NqR2N8/edit#).
 
 ## Maintaining existing dependencies
 

api/envoy/config/core/v3/protocol.proto

@@ -77,6 +77,10 @@ message HttpProtocolOptions {
   // .. warning::
   //   Disabling this timeout has a highly likelihood of yielding connection leaks due to lost TCP
   //   FIN packets, etc.
+  //
+  // If the :ref:`overload action <config_overload_manager_overload_actions>` "envoy.overload_actions.reduce_timeouts"
+  // is configured, this timeout is scaled for downstream connections according to the value for
+  // :ref:`HTTP_DOWNSTREAM_CONNECTION_IDLE <envoy_api_enum_value_config.overload.v3.ScaleTimersOverloadActionConfig.TimerType.HTTP_DOWNSTREAM_CONNECTION_IDLE>`.
   google.protobuf.Duration idle_timeout = 1;
 
   // The maximum duration of a connection. The duration is defined as a period since a connection

api/envoy/config/overload/v3/overload.proto

@@ -91,8 +91,15 @@ message ScaleTimersOverloadActionConfig {
     UNSPECIFIED = 0;
 
     // Adjusts the idle timer for downstream HTTP connections that takes effect when there are no active streams.
-    // This affects the value of :ref:`RouteAction.idle_timeout <envoy_v3_api_field_config.route.v3.RouteAction.idle_timeout>`.
+    // This affects the value of :ref:`HttpConnectionManager.common_http_protocol_options.idle_timeout
+    // <envoy_v3_api_field_config.core.v3.HttpProtocolOptions.idle_timeout>`
     HTTP_DOWNSTREAM_CONNECTION_IDLE = 1;
+
+    // Adjusts the idle timer for HTTP streams initiated by downstream clients.
+    // This affects the value of :ref:`RouteAction.idle_timeout <envoy_v3_api_field_config.route.v3.RouteAction.idle_timeout>` and
+    // :ref:`HttpConnectionManager.stream_idle_timeout
+    // <envoy_v3_api_field_extensions.filters.network.http_connection_manager.v3.HttpConnectionManager.stream_idle_timeout>`
+    HTTP_DOWNSTREAM_STREAM_IDLE = 2;
   }
 
   message ScaleTimer {

api/envoy/config/route/v3/route_components.proto

@@ -980,7 +980,7 @@ message RouteAction {
   //
   // If the :ref:`overload action <config_overload_manager_overload_actions>` "envoy.overload_actions.reduce_timeouts"
   // is configured, this timeout is scaled according to the value for
-  // :ref:`HTTP_DOWNSTREAM_CONNECTION_IDLE <envoy_api_enum_value_config.overload.v3.ScaleTimersOverloadActionConfig.TimerType.HTTP_DOWNSTREAM_CONNECTION_IDLE>`.
+  // :ref:`HTTP_DOWNSTREAM_STREAM_IDLE <envoy_api_enum_value_config.overload.v3.ScaleTimersOverloadActionConfig.TimerType.HTTP_DOWNSTREAM_STREAM_IDLE>`.
   google.protobuf.Duration idle_timeout = 24;
 
   // Indicates that the route has a retry policy. Note that if this is set,

api/envoy/config/trace/v3/zipkin.proto

@@ -20,7 +20,7 @@ option (udpa.annotations.file_status).package_version_status = ACTIVE;
 
 // Configuration for the Zipkin tracer.
 // [#extension: envoy.tracers.zipkin]
-// [#next-free-field: 6]
+// [#next-free-field: 7]
 message ZipkinConfig {
   option (udpa.annotations.versioning).previous_message_type = "envoy.config.trace.v2.ZipkinConfig";
 
@@ -65,4 +65,8 @@ message ZipkinConfig {
   // Determines the selected collector endpoint version. By default, the ``HTTP_JSON_V1`` will be
   // used.
   CollectorEndpointVersion collector_endpoint_version = 5;
+
+  // Optional hostname to use when sending spans to the collector_cluster. Useful for collectors
+  // that require a specific hostname. Defaults to :ref:`collector_cluster <envoy_v3_api_field_config.trace.v3.ZipkinConfig.collector_cluster>` above.
+  string collector_hostname = 6;
 }

api/envoy/extensions/filters/http/compressor/v3/compressor.proto

@@ -21,40 +21,99 @@ option (udpa.annotations.file_status).package_version_status = ACTIVE;
 // Compressor :ref:`configuration overview <config_http_filters_compressor>`.
 // [#extension: envoy.filters.http.compressor]
 
-// [#next-free-field: 7]
+// [#next-free-field: 9]
 message Compressor {
   option (udpa.annotations.versioning).previous_message_type =
       "envoy.config.filter.http.compressor.v2.Compressor";
 
+  message CommonDirectionConfig {
+    // Runtime flag that controls whether compression is enabled or not for the direction this
+    // common config is put in. If set to false, the filter will operate as a pass-through filter
+    // in the chosen direction. If the field is omitted, the filter will be enabled.
+    config.core.v3.RuntimeFeatureFlag enabled = 1;
+
+    // Minimum value of Content-Length header of request or response messages (depending on the direction
+    // this common config is put in), in bytes, which will trigger compression. The default value is 30.
+    google.protobuf.UInt32Value min_content_length = 2;
+
+    // Set of strings that allows specifying which mime-types yield compression; e.g.,
+    // application/json, text/html, etc. When this field is not defined, compression will be applied
+    // to the following mime-types: "application/javascript", "application/json",
+    // "application/xhtml+xml", "image/svg+xml", "text/css", "text/html", "text/plain", "text/xml"
+    // and their synonyms.
+    repeated string content_type = 3;
+  }
+
+  // Configuration for filter behavior on the request direction.
+  message RequestDirectionConfig {
+    CommonDirectionConfig common_config = 1;
+  }
+
+  // Configuration for filter behavior on the response direction.
+  message ResponseDirectionConfig {
+    CommonDirectionConfig common_config = 1;
+
+    // If true, disables compression when the response contains an etag header. When it is false, the
+    // filter will preserve weak etags and remove the ones that require strong validation.
+    bool disable_on_etag_header = 2;
+
+    // If true, removes accept-encoding from the request headers before dispatching it to the upstream
+    // so that responses do not get compressed before reaching the filter.
+    //
+    // .. attention::
+    //
+    //    To avoid interfering with other compression filters in the same chain use this option in
+    //    the filter closest to the upstream.
+    bool remove_accept_encoding_header = 3;
+  }
+
   // Minimum response length, in bytes, which will trigger compression. The default value is 30.
-  google.protobuf.UInt32Value content_length = 1;
+  google.protobuf.UInt32Value content_length = 1 [deprecated = true];
 
   // Set of strings that allows specifying which mime-types yield compression; e.g.,
   // application/json, text/html, etc. When this field is not defined, compression will be applied
   // to the following mime-types: "application/javascript", "application/json",
   // "application/xhtml+xml", "image/svg+xml", "text/css", "text/html", "text/plain", "text/xml"
   // and their synonyms.
-  repeated string content_type = 2;
+  repeated string content_type = 2 [deprecated = true];
 
   // If true, disables compression when the response contains an etag header. When it is false, the
   // filter will preserve weak etags and remove the ones that require strong validation.
-  bool disable_on_etag_header = 3;
+  bool disable_on_etag_header = 3 [deprecated = true];
 
   // If true, removes accept-encoding from the request headers before dispatching it to the upstream
   // so that responses do not get compressed before reaching the filter.
-  // .. attention:
+  //
+  // .. attention::
   //
   //    To avoid interfering with other compression filters in the same chain use this option in
   //    the filter closest to the upstream.
-  bool remove_accept_encoding_header = 4;
+  bool remove_accept_encoding_header = 4 [deprecated = true];
 
   // Runtime flag that controls whether the filter is enabled or not. If set to false, the
   // filter will operate as a pass-through filter. If not specified, defaults to enabled.
-  config.core.v3.RuntimeFeatureFlag runtime_enabled = 5;
+  config.core.v3.RuntimeFeatureFlag runtime_enabled = 5 [deprecated = true];
 
   // A compressor library to use for compression. Currently only
   // :ref:`envoy.compression.gzip.compressor<envoy_api_msg_extensions.compression.gzip.compressor.v3.Gzip>`
   // is included in Envoy.
   // This field is ignored if used in the context of the gzip http-filter, but is mandatory otherwise.
   config.core.v3.TypedExtensionConfig compressor_library = 6;
+
+  // Configuration for request compression. Compression is disabled by default if left empty.
+  RequestDirectionConfig request_direction_config = 7;
+
+  // Configuration for response compression. Compression is enabled by default if left empty.
+  //
+  // .. attention::
+  //
+  //    If the field is not empty then the duplicate deprecated fields of the `Compressor` message,
+  //    such as `content_length`, `content_type`, `disable_on_etag_header`,
+  //    `remove_accept_encoding_header` and `runtime_enabled`, are ignored.
+  //
+  //    Also all the statistics related to response compression will be rooted in
+  //    `<stat_prefix>.compressor.<compressor_library.name>.<compressor_library_stat_prefix>.response.*`
+  //    instead of
+  //    `<stat_prefix>.compressor.<compressor_library.name>.<compressor_library_stat_prefix>.*`.
+  ResponseDirectionConfig response_direction_config = 8;
 }