Merge branch 'main' into mmdb-reload

Signed-off-by: Kateryna Nezdolii <kateryna.nezdolii@gmail.com>

.github/workflows/mobile-compile_time_options.yml

@@ -56,51 +56,13 @@ jobs:
             build
             --config=mobile-remote-ci-cc-no-exceptions
             //test/performance:test_binary_size //library/cc/...
-        - name: Running C++ tests with xDS enabled
-          target: cc-tests-xds-enabled
-          args: >-
-            test
-            --config=mobile-remote-ci-cc-xds-enabled
-            //test/common/integration/...
         - name: Running C++ tests with full protos enabled
           target: cc-tests-full-protos-enabled
           args: >-
             test
             --config=mobile-remote-ci-cc-full-protos-enabled
             //test/common/... //test/cc/...
 
-  build:
-    permissions:
-      contents: read
-      packages: read
-    uses: ./.github/workflows/_run.yml
-    if: ${{ fromJSON(needs.load.outputs.request).run.mobile-compile-time-options }}
-    needs: load
-    with:
-      args: ${{ matrix.args }}
-      command: ./bazelw
-      container-command:
-      request: ${{ needs.load.outputs.request }}
-      runs-on: macos-12
-      source: ${{ matrix.source }}
-      steps-pre: ${{ matrix.steps-pre }}
-      target: ${{ matrix.target || matrix.name }}
-      trusted: ${{ fromJSON(needs.load.outputs.trusted) }}
-      timeout-minutes: 120
-      working-directory: mobile
-    strategy:
-      fail-fast: false
-      matrix:
-        include:
-        - name: swift-build
-          args: >-
-            build
-            --config=mobile-remote-ci-macos-swift
-            //library/swift:ios_framework
-          source: |
-            source ./ci/mac_ci_setup.sh
-            ./bazelw shutdown
-
   request:
     secrets:
       app-id: ${{ secrets.ENVOY_CI_APP_ID }}

.github/workflows/mobile-release.yml

@@ -72,13 +72,6 @@ jobs:
             --define=pom_version=$VERSION
             //:android_dist
           output: envoy
-        - target: xds-release
-          args: >-
-            build
-            --config=mobile-remote-release-clang-android-publish-xds
-            --define=pom_version=$VERSION
-            //:android_xds_dist
-          output: envoy_xds
 
   deploy:
     needs: release
@@ -92,7 +85,6 @@ jobs:
       matrix:
         include:
         - output: envoy
-        - output: envoy_xds
     steps:
     - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29  # v4.1.6
       with:

api/envoy/config/core/v3/grpc_service.proto

@@ -29,6 +29,7 @@ option (udpa.annotations.file_status).package_version_status = ACTIVE;
 message GrpcService {
   option (udpa.annotations.versioning).previous_message_type = "envoy.api.v2.core.GrpcService";
 
+  // [#next-free-field: 6]
   message EnvoyGrpc {
     option (udpa.annotations.versioning).previous_message_type =
         "envoy.api.v2.core.GrpcService.EnvoyGrpc";
@@ -55,6 +56,12 @@ message GrpcService {
     // This limit is applied to individual messages in the streaming response and not the total size of streaming response.
     // Defaults to 0, which means unlimited.
     google.protobuf.UInt32Value max_receive_message_length = 4;
+
+    // This provides gRPC client level control over envoy generated headers.
+    // If false, the header will be sent but it can be overridden by per stream option.
+    // If true, the header will be removed and can not be overridden by per stream option.
+    // Default to false.
+    bool skip_envoy_headers = 5;
   }
 
   // [#next-free-field: 9]

api/envoy/extensions/filters/http/composite/v3/composite.proto

@@ -2,6 +2,7 @@ syntax = "proto3";
 
 package envoy.extensions.filters.http.composite.v3;
 
+import "envoy/config/core/v3/base.proto";
 import "envoy/config/core/v3/config_source.proto";
 import "envoy/config/core/v3/extension.proto";
 
@@ -57,4 +58,13 @@ message ExecuteFilterAction {
   // Only one of ``typed_config`` or ``dynamic_config`` can be set.
   DynamicConfig dynamic_config = 2
       [(udpa.annotations.field_migrate).oneof_promotion = "config_type"];
+
+  // Probability of the action execution. If not specified, this is 100%.
+  // This allows sampling behavior for the configured actions.
+  // For example, if
+  // :ref:`default_value <envoy_v3_api_field_config.core.v3.RuntimeFractionalPercent.default_value>`
+  // under the ``sample_percent`` is configured with 30%, a dice roll with that
+  // probability is done. The underline action will only be executed if the
+  // dice roll returns positive. Otherwise, the action is skipped.
+  config.core.v3.RuntimeFractionalPercent sample_percent = 3;
 }

api/envoy/extensions/filters/http/ext_authz/v3/ext_authz.proto

@@ -29,7 +29,7 @@ option (udpa.annotations.file_status).package_version_status = ACTIVE;
 // External Authorization :ref:`configuration overview <config_http_filters_ext_authz>`.
 // [#extension: envoy.filters.http.ext_authz]
 
-// [#next-free-field: 27]
+// [#next-free-field: 28]
 message ExtAuthz {
   option (udpa.annotations.versioning).previous_message_type =
       "envoy.config.filter.http.ext_authz.v3.ExtAuthz";
@@ -279,6 +279,17 @@ message ExtAuthz {
   // correctness checks for all header / query parameter mutations (e.g. for invalid characters).
   // This field allows the filter to reject mutations to specific headers.
   config.common.mutation_rules.v3.HeaderMutationRules decoder_header_mutation_rules = 26;
+
+  // Enable / disable ingestion of dynamic metadata from ext_authz service.
+  //
+  // If false, the filter will ignore dynamic metadata injected by the ext_authz service. If the
+  // ext_authz service tries injecting dynamic metadata, the filter will log, increment the
+  // ``ignored_dynamic_metadata`` stat, then continue handling the response.
+  //
+  // If true, the filter will ingest dynamic metadata entries as normal.
+  //
+  // If unset, defaults to true.
+  google.protobuf.BoolValue enable_dynamic_metadata_ingestion = 27;
 }
 
 // Configuration for buffering the request data.

api/envoy/extensions/filters/http/jwt_authn/v3/config.proto

@@ -191,7 +191,7 @@ message JwtProvider {
 
   // If false, the JWT is removed in the request after a success verification. If true, the JWT is
   // not removed in the request. Default value is false.
-  // caveat: only works for from_header & has no effect for JWTs extracted through from_params & from_cookies.
+  // caveat: only works for from_header/from_params & has no effect for JWTs extracted through from_cookies.
   bool forward = 5;
 
   // Two fields below define where to extract the JWT from an HTTP request.
@@ -395,7 +395,7 @@ message RemoteJwks {
   //      cluster: jwt.www.googleapis.com|443
   //      timeout: 1s
   //
-  config.core.v3.HttpUri http_uri = 1;
+  config.core.v3.HttpUri http_uri = 1 [(validate.rules).message = {required: true}];
 
   // Duration after which the cached JWKS should be expired. If not specified, default cache
   // duration is 10 minutes.

api/envoy/extensions/quic/server_preferred_address/v3/datasource.proto

@@ -0,0 +1,53 @@
+syntax = "proto3";
+
+package envoy.extensions.quic.server_preferred_address.v3;
+
+import "envoy/config/core/v3/base.proto";
+
+import "xds/annotations/v3/status.proto";
+
+import "udpa/annotations/status.proto";
+import "validate/validate.proto";
+
+option java_package = "io.envoyproxy.envoy.extensions.quic.server_preferred_address.v3";
+option java_outer_classname = "DatasourceProto";
+option java_multiple_files = true;
+option go_package = "github.com/envoyproxy/go-control-plane/envoy/extensions/quic/server_preferred_address/v3;server_preferred_addressv3";
+option (udpa.annotations.file_status).package_version_status = ACTIVE;
+
+// [#protodoc-title: QUIC DataSource server preferred address config]
+// [#extension: envoy.quic.server_preferred_address.datasource]
+
+// Configuration for DataSourceServerPreferredAddressConfig.
+message DataSourceServerPreferredAddressConfig {
+  // [#comment:TODO(danzh2010): discuss with API shepherds before removing WiP status.]
+
+  option (xds.annotations.v3.message_status).work_in_progress = true;
+
+  // Addresses for server preferred address for a single address family (IPv4 or IPv6).
+  message AddressFamilyConfig {
+    // The server preferred address sent to clients. The data must contain an IP address string.
+    config.core.v3.DataSource address = 1 [(validate.rules).message = {required: true}];
+
+    // The server preferred address port sent to clients. The data must contain a integer port value.
+    //
+    // If this is not specified, the listener's port is used.
+    //
+    // Note: Envoy currently must receive all packets for a QUIC connection on the same port, so unless
+    // :ref:`dnat_address <envoy_v3_api_field_extensions.quic.server_preferred_address.v3.DataSourceServerPreferredAddressConfig.AddressFamilyConfig.dnat_address>`
+    // is configured, this must be left unset.
+    config.core.v3.DataSource port = 2;
+
+    // If there is a DNAT between the client and Envoy, the address that Envoy will observe
+    // server preferred address packets being sent to. If this is not specified, it is assumed
+    // there is no DNAT and the server preferred address packets will be sent to the address advertised
+    // to clients for server preferred address.
+    config.core.v3.DataSource dnat_address = 3;
+  }
+
+  // The IPv4 address to advertise to clients for Server Preferred Address.
+  AddressFamilyConfig ipv4_config = 1;
+
+  // The IPv6 address to advertise to clients for Server Preferred Address.
+  AddressFamilyConfig ipv6_config = 2;
+}

api/envoy/extensions/quic/server_preferred_address/v3/fixed_server_preferred_address_config.proto

@@ -14,7 +14,7 @@ option java_multiple_files = true;
 option go_package = "github.com/envoyproxy/go-control-plane/envoy/extensions/quic/server_preferred_address/v3;server_preferred_addressv3";
 option (udpa.annotations.file_status).package_version_status = ACTIVE;
 
-// [#protodoc-title: QUIC server preferred address config]
+// [#protodoc-title: QUIC fixed server preferred address config]
 // [#extension: envoy.quic.server_preferred_address.fixed]
 
 // Configuration for FixedServerPreferredAddressConfig.

api/envoy/extensions/transport_sockets/tls/v3/common.proto

@@ -314,13 +314,29 @@ message SubjectAltNameMatcher {
     DNS = 2;
     URI = 3;
     IP_ADDRESS = 4;
+    OTHER_NAME = 5;
   }
 
   // Specification of type of SAN. Note that the default enum value is an invalid choice.
   SanType san_type = 1 [(validate.rules).enum = {defined_only: true not_in: 0}];
 
   // Matcher for SAN value.
+  //
+  // The string matching for OTHER_NAME SAN values depends on their ASN.1 type:
+  //
+  //          * OBJECT: Validated against its dotted numeric notation (e.g., "1.2.3.4")
+  //          * BOOLEAN: Validated against strings "true" or "false"
+  //          * INTEGER/ENUMERATED: Validated against a string containing the integer value
+  //          * NULL: Validated against an empty string
+  //          * Other types: Validated directly against the string value
   type.matcher.v3.StringMatcher matcher = 2 [(validate.rules).message = {required: true}];
+
+  // OID Value which is required if OTHER_NAME SAN type is used.
+  // For example, UPN OID is 1.3.6.1.4.1.311.20.2.3
+  // (Reference: http://oid-info.com/get/1.3.6.1.4.1.311.20.2.3).
+  //
+  // If set for SAN types other than OTHER_NAME, it will be ignored.
+  string oid = 3;
 }
 
 // [#next-free-field: 18]

bazel/external/quiche.BUILD

@@ -5519,6 +5519,7 @@ envoy_cc_library(
         ":quiche_balsa_balsa_enums_lib",
         ":quiche_balsa_header_api_lib",
         ":quiche_balsa_header_properties_lib",
+        ":quiche_balsa_http_validation_policy_lib",
         ":quiche_balsa_standard_header_map_lib",
         ":quiche_common_callbacks",
         ":quiche_common_platform_bug_tracker",

bazel/repository_locations.bzl

@@ -1191,12 +1191,12 @@ REPOSITORY_LOCATIONS_SPEC = dict(
         project_name = "QUICHE",
         project_desc = "QUICHE (QUIC, HTTP/2, Etc) is Google‘s implementation of QUIC and related protocols",
         project_url = "https://github.com/google/quiche",
-        version = "cf8d05ab435919878ca0db342e05e64620b43173",
-        sha256 = "a0b89cf43edb6e17126d536ee522127f7a71ee38d2813ba0464ed1a8c62db25f",
+        version = "ee470ff425efc46ddba7cce7c7355d0f706424b2",
+        sha256 = "c6fa6340783f0eff5db95ac0f38e1d7b465c4aa8a29c5e8cae5d2f64838be9f1",
         urls = ["https://github.com/google/quiche/archive/{version}.tar.gz"],
         strip_prefix = "quiche-{version}",
         use_category = ["controlplane", "dataplane_core"],
-        release_date = "2024-06-21",
+        release_date = "2024-07-01",
         cpe = "N/A",
         license = "BSD-3-Clause",
         license_url = "https://github.com/google/quiche/blob/{version}/LICENSE",

changelogs/current.yaml

@@ -16,6 +16,11 @@ behavior_changes:
   change: |
     Changes the default value of ``envoy.reloadable_features.http2_use_oghttp2`` to true. This changes the codec used for HTTP/2
     requests and responses. This behavior can be reverted by setting the feature to false.
+- area: http3
+  change: |
+    Added a "happy eyeballs" feature to HTTP/3 upstream, where it assuming happy eyeballs sorting results in alternating address
+    families will attempt the first v4 and v6 address before giving up on HTTP/3.  This change can be reverted by setting
+    ``envoy.reloadable_features.http3_happy_eyeballs`` to false.
 - area: http2
   change: |
     Passes HTTP/2 DATA frames through a different codec API. This behavior can be temporarily disabled by setting the runtime
@@ -32,10 +37,20 @@ behavior_changes:
     :ref:`TlvsMetadata type <envoy_v3_api_msg_data.core.v3.TlvsMetadata>`.
     This change can be temporarily disabled by setting the runtime flag
     ``envoy.reloadable_features.use_typed_metadata_in_proxy_protocol_listener`` to ``false``.
+- area: composite_filter
+  change: |
+    Adding support for
+    :ref:`sample_percent <envoy_v3_api_field_extensions.filters.http.composite.v3.ExecuteFilterAction.sample_percent>`.
+    It specifies the probability of the action execution. If not specified, it is 100%.
 - area: golang
   change: |
     Move ``Continue``, ``SendLocalReply`` and ``RecoverPanic` from ``FilterCallbackHandler`` to ``DecoderFilterCallbacks`` and
     ``EncoderFilterCallbacks``, to support full-duplex processing.
+- area: ext_proc
+  change: |
+    Added support for observability mode. If enabled, each part of the HTTP request or response specified by ProcessingMode
+    is sent without waiting for the response from the ext_proc service. It is "Send and Go" mode that can be used by external
+    processor to observe Envoy data and status.
 
 minor_behavior_changes:
 # *Changes that may cause incompatibilities for some users, but should not for most*
@@ -108,13 +123,25 @@ minor_behavior_changes:
 - area: filters
   change: |
     Set ``WWW-Authenticate`` header for 401 responses from the Basic Auth filter.
+- area: jwt_authn
+  change: |
+    jwt_authn now validates provider URIs. If the validation is too strict it can temporarily be
+    disabled by setting the runtime guard ``envoy.reloadable_features.jwt_authn_validate_uri`` to
+    false.
 - area: http
   change: |
     Removed runtime guard ``envoy.reloadable_features.refresh_rtt_after_request`` and legacy code path.
 - area: http
   change: |
     Changing HTTP/2 semi-colon prefixed headers to being sanitized by Envoy code rather than nghttp2. Should be a functional no-op but
     guarded by ``envoy.reloadable_features.sanitize_http2_headers_without_nghttp2``.
+- area: jwt_authn
+  change: |
+    Changes the behavior of the
+    :ref:`forward <envoy_v3_api_field_extensions.filters.http.jwt_authn.v3.JwtProvider.forward>`
+    config. Previously, the config only removes JWT if set in headers. With this addition, the config can also be
+    used to remove JWT set in query parameters. This behavior can be reverted by setting the runtime guard
+    ``envoy.reloadable_features.jwt_authn_remove_jwt_from_query_params`` to false.
 
 bug_fixes:
 # *Changes expected to improve the state of the world and are unlikely to have negative effects*
@@ -199,10 +226,22 @@ bug_fixes:
     Validate http service path_prefix
     :ref:`path_prefix <envoy_v3_api_field_extensions.filters.http.ext_authz.v3.HttpService.path_prefix>`,
     Validate http service path_prefix configuration must start with ``/``.
+- area: local_ratelimit
+  change: |
+    Fixed a bug where the local rate limit filter would crash when the
+    :ref:`enable_x_ratelimit_headers <envoy_v3_api_msg_extensions.filters.http.ratelimit.v3.RateLimit>`
+    is set to ``DRAFT_VERSION_03`` and a send local reply is triggered before the rate limit filter is executed.
 - area: admin
   change: |
     Fixed missing :ref:`additional addresses <envoy_v3_api_msg_config.endpoint.v3.Endpoint.AdditionalAddress>`
     for :ref:`LbEndpoint <envoy_v3_api_field_config.endpoint.v3.LbEndpoint.endpoint>` in config dump.
+- area: http
+  change: |
+    Fixed a bug where additional :ref:`cookie attributes <envoy_v3_api_msg_config.route.v3.RouteAction.HashPolicy.cookie>`
+    are not sent properly to clients.
+- area: datadog
+  change: |
+    Bumped the version of datadog to resolve a crashing bug in earlier versions of the library.
 
 removed_config_or_runtime:
 # *Normally occurs at the end of the* :ref:`deprecation period <deprecated>`
@@ -379,6 +418,12 @@ new_features:
   change: |
     Added :ref:`bypass_overload_manager <envoy_v3_api_field_config.listener.v3.Listener.bypass_overload_manager>`
     to bypass the overload manager for a listener. When set to true, the listener will not be subject to overload protection.
+- area: ext_authz
+  change: |
+    Added
+    :ref:`enable_dynamic_metadata_ingestion
+    <envoy_v3_api_field_extensions.filters.http.ext_authz.v3.ExtAuthz.enable_dynamic_metadata_ingestion>`,
+    which allows ext_authz to be configured to ignore dynamic metadata in ext_authz responses.
 - area: rbac
   change: |
     The RBAC filter will now log the enforced rule to the dynamic metadata field
@@ -389,6 +434,17 @@ new_features:
     Added :ref:`strip_failure_response
     <envoy_v3_api_field_extensions.filters.http.jwt_authn.v3.JwtAuthentication.strip_failure_response>`
     to allow stripping the failure response details from the JWT authentication filter.
+- area: quic
+  change: |
+    Added :ref:`DataSourceServerPreferredAddressConfig
+    <envoy_v3_api_msg_extensions.quic.server_preferred_address.v3.DataSourceServerPreferredAddressConfig>` for cases when
+    the control plane does not know the correct configuration for the server preferred address.
+- area: tls
+  change: |
+    added support to match against ``OtherName`` SAN Type under :ref:`match_typed_subject_alt_names
+    <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.match_typed_subject_alt_names>`.
+    An additional field ``oid`` is added to :ref:`SubjectAltNameMatcher
+    <envoy_v3_api_msg_extensions.transport_sockets.tls.v3.SubjectAltNameMatcher>` to support this change.
 - area: geoip
   change: |
     Added ``envoy.reloadable_features.mmdb_files_reload_enabled`` runtime flag that enables reload of mmdb files by default.