Merge branch 'main' into mmdb-reload

Signed-off-by: Kateryna Nezdolii <kateryna.nezdolii@gmail.com>

.github/config.yml

@@ -48,11 +48,6 @@ checks:
     required: true
     on-run:
     - mobile-cc
-  mobile-compile-time-options:
-    name: Mobile/Compile time options
-    on-run:
-    - mobile-compile-time-cc
-    - mobile-compile-time-options
   mobile-coverage:
     name: Mobile/Coverage
     required: true
@@ -217,32 +212,6 @@ run:
     - test/integration/*
     - test/mocks/**/*
     - test/test_common/**/*
-  mobile-compile-time-cc:
-    paths:
-    - .bazelrc
-    - .bazelversion
-    - .github/config.yml
-    - api/**/*
-    - bazel/external/quiche.BUILD
-    - bazel/repository_locations.bzl
-    - envoy/**/*
-    - mobile/.bazelrc
-    - mobile/**/*
-    - source/**/*
-    - test/config/**/*
-    - test/integration/*
-    - test/mocks/**/*
-    - test/test_common/**/*
-  mobile-compile-time-options:
-    paths:
-    - .bazelrc
-    - .bazelversion
-    - .github/config.yml
-    - bazel/external/quiche.BUILD
-    - bazel/repository_locations.bzl
-    - mobile/.bazelrc
-    - mobile/**/*
-    - tools/code_format/check_format.py
   mobile-coverage:
     paths:
     - .bazelrc

api/bazel/api_build_system.bzl

@@ -22,6 +22,7 @@ _CC_PROTO_DESCRIPTOR_SUFFIX = "_cc_proto_descriptor"
 _CC_GRPC_SUFFIX = "_cc_grpc"
 _GO_PROTO_SUFFIX = "_go_proto"
 _GO_IMPORTPATH_PREFIX = "github.com/envoyproxy/go-control-plane/"
+_JAVA_PROTO_SUFFIX = "_java_proto"
 
 _COMMON_PROTO_DEPS = [
     "@com_google_protobuf//:any_proto",
@@ -67,7 +68,8 @@ def api_cc_py_proto_library(
         srcs = [],
         deps = [],
         linkstatic = 0,
-        has_services = 0):
+        has_services = 0,
+        java = True):
     relative_name = ":" + name
     proto_library(
         name = name,
@@ -109,6 +111,13 @@ def api_cc_py_proto_library(
         visibility = ["//visibility:public"],
     )
 
+    if java:
+        native.java_proto_library(
+            name = name + _JAVA_PROTO_SUFFIX,
+            visibility = ["//visibility:public"],
+            deps = [relative_name],
+        )
+
     # Optionally define gRPC services
     if has_services:
         # TODO: when Python services are required, add to the below stub generations.

api/bazel/repositories.bzl

@@ -16,6 +16,9 @@ def api_dependencies():
     external_http_archive(
         name = "bazel_skylib",
     )
+    external_http_archive(
+        name = "rules_jvm_external",
+    )
     external_http_archive(
         name = "com_envoyproxy_protoc_gen_validate",
         patch_args = ["-p1"],

api/bazel/repository_locations.bzl

@@ -34,6 +34,19 @@ REPOSITORY_LOCATIONS_SPEC = dict(
         license = "Apache-2.0",
         license_url = "https://github.com/bufbuild/protoc-gen-validate/blob/v{version}/LICENSE",
     ),
+    rules_jvm_external = dict(
+        project_name = "Java Rules for Bazel",
+        project_desc = "Bazel rules for Java",
+        project_url = "https://github.com/bazelbuild/rules_jvm_external",
+        version = "6.1",
+        strip_prefix = "rules_jvm_external-{version}",
+        sha256 = "08ea921df02ffe9924123b0686dc04fd0ff875710bfadb7ad42badb931b0fd50",
+        urls = ["https://github.com/bazelbuild/rules_jvm_external/releases/download/{version}/rules_jvm_external-{version}.tar.gz"],
+        release_date = "2024-04-26",
+        use_category = ["build"],
+        license = "Apache-2.0",
+        license_url = "https://github.com/bazelbuild/rules_jvm_external/blob/{version}/LICENSE",
+    ),
     com_github_cncf_xds = dict(
         project_name = "xDS API",
         project_desc = "xDS API Working Group (xDS-WG)",

api/envoy/config/cluster/v3/outlier_detection.proto

@@ -21,7 +21,7 @@ option (udpa.annotations.file_status).package_version_status = ACTIVE;
 
 // See the :ref:`architecture overview <arch_overview_outlier_detection>` for
 // more information on outlier detection.
-// [#next-free-field: 25]
+// [#next-free-field: 26]
 message OutlierDetection {
   option (udpa.annotations.versioning).previous_message_type =
       "envoy.api.v2.cluster.OutlierDetection";
@@ -42,8 +42,8 @@ message OutlierDetection {
   // Defaults to 30000ms or 30s.
   google.protobuf.Duration base_ejection_time = 3 [(validate.rules).duration = {gt {}}];
 
-  // The maximum % of an upstream cluster that can be ejected due to outlier
-  // detection. Defaults to 10% but will eject at least one host regardless of the value.
+  // The maximum % of an upstream cluster that can be ejected due to outlier detection. Defaults to 10% .
+  // Will eject at least one host regardless of the value if :ref:`always_eject_one_host<envoy_v3_api_field_config.cluster.v3.OutlierDetection.always_eject_one_host>` is enabled.
   google.protobuf.UInt32Value max_ejection_percent = 4 [(validate.rules).uint32 = {lte: 100}];
 
   // The % chance that a host will be actually ejected when an outlier status
@@ -173,4 +173,8 @@ message OutlierDetection {
   // Set of host's passive monitors.
   // [#not-implemented-hide:]
   repeated core.v3.TypedExtensionConfig monitors = 24;
+
+  // If enabled, at least one host is ejected regardless of the value of :ref:`max_ejection_percent<envoy_v3_api_field_config.cluster.v3.OutlierDetection.max_ejection_percent>`.
+  // Defaults to false.
+  google.protobuf.BoolValue always_eject_one_host = 25;
 }

api/envoy/data/dns/v3/dns_table.proto

@@ -128,7 +128,15 @@ message DnsTable {
     option (udpa.annotations.versioning).previous_message_type =
         "envoy.data.dns.v2alpha.DnsTable.DnsVirtualDomain";
 
-    // A domain name for which Envoy will respond to query requests
+    // A domain name for which Envoy will respond to query requests.
+    // Wildcard records are supported on the first label only, e.g. ``*.example.com`` or ``*.subdomain.example.com``.
+    // Names such as ``*example.com``, ``subdomain.*.example.com``, ``*subdomain.example.com``, etc
+    // are not valid wildcard names and asterisk will be interpreted as a literal ``*`` character.
+    // Wildcard records match subdomains on any levels, e.g. ``*.example.com`` will match
+    // ``foo.example.com``, ``bar.foo.example.com``, ``baz.bar.foo.example.com``, etc. In case there are multiple
+    // wildcard records, the longest wildcard match will be used, e.g. if there are wildcard records for
+    // ``*.example.com`` and ``*.foo.example.com`` and the query is for ``bar.foo.example.com``, the latter will be used.
+    // Specific records will always take precedence over wildcard records.
     string name = 1 [(validate.rules).string = {min_len: 1 well_known_regex: HTTP_HEADER_NAME}];
 
     // The configuration containing the method to determine the address of this endpoint

api/envoy/extensions/filters/http/ext_proc/v3/ext_proc.proto

@@ -98,7 +98,7 @@ option (udpa.annotations.file_status).package_version_status = ACTIVE;
 // <arch_overview_advanced_filter_state_sharing>` object in a namespace matching the filter
 // name.
 //
-// [#next-free-field: 19]
+// [#next-free-field: 20]
 message ExternalProcessor {
   // Describes the route cache action to be taken when an external processor response
   // is received in response to request headers.
@@ -256,6 +256,13 @@ message ExternalProcessor {
   // Only one of ``disable_clear_route_cache`` or ``route_cache_action`` can be set.
   RouteCacheAction route_cache_action = 18
       [(udpa.annotations.field_migrate).oneof_promotion = "clear_route_cache_type"];
+
+  // Specifies the deferred closure timeout for gRPC stream that connects to external processor. Currently, the deferred stream closure
+  // is only used in :ref:`observability_mode <envoy_v3_api_field_extensions.filters.http.ext_proc.v3.ExternalProcessor.observability_mode>`.
+  // In observability mode, gRPC streams may be held open to the external processor longer than the lifetime of the regular client to
+  // backend stream lifetime. In this case, Envoy will eventually timeout the external processor stream according to this time limit.
+  // The default value is 5000 milliseconds (5 seconds) if not specified.
+  google.protobuf.Duration deferred_close_timeout = 19;
 }
 
 // The MetadataOptions structure defines options for the sending and receiving of

api/envoy/extensions/filters/http/grpc_json_transcoder/v3/transcoder.proto

@@ -18,7 +18,7 @@ option (udpa.annotations.file_status).package_version_status = ACTIVE;
 // gRPC-JSON transcoder :ref:`configuration overview <config_http_filters_grpc_json_transcoder>`.
 // [#extension: envoy.filters.http.grpc_json_transcoder]
 
-// [#next-free-field: 17]
+// [#next-free-field: 18]
 // GrpcJsonTranscoder filter configuration.
 // The filter itself can be used per route / per virtual host or on the general level. The most
 // specific one is being used for a given route. If the list of services is empty - filter
@@ -88,7 +88,8 @@ message GrpcJsonTranscoder {
     // When set to true, the request will be rejected with a ``HTTP 400 Bad Request``.
     //
     // The fields
-    // :ref:`ignore_unknown_query_parameters <envoy_v3_api_field_extensions.filters.http.grpc_json_transcoder.v3.GrpcJsonTranscoder.ignore_unknown_query_parameters>`
+    // :ref:`ignore_unknown_query_parameters <envoy_v3_api_field_extensions.filters.http.grpc_json_transcoder.v3.GrpcJsonTranscoder.ignore_unknown_query_parameters>`,
+    // :ref:`capture_unknown_query_parameters <envoy_v3_api_field_extensions.filters.http.grpc_json_transcoder.v3.GrpcJsonTranscoder.capture_unknown_query_parameters>`,
     // and
     // :ref:`ignored_query_parameters <envoy_v3_api_field_extensions.filters.http.grpc_json_transcoder.v3.GrpcJsonTranscoder.ignored_query_parameters>`
     // have priority over this strict validation behavior.
@@ -288,4 +289,20 @@ message GrpcJsonTranscoder {
   //
   // If unset, the current stream buffer size is used.
   google.protobuf.UInt32Value max_response_body_size = 16 [(validate.rules).uint32 = {gt: 0}];
+
+  // If true, query parameters that cannot be mapped to a corresponding
+  // protobuf field are captured in an HttpBody extension of UnknownQueryParams.
+  bool capture_unknown_query_parameters = 17;
+}
+
+// ``UnknownQueryParams`` is added as an extension field in ``HttpBody`` if
+// ``GrpcJsonTranscoder::capture_unknown_query_parameters`` is true and unknown query
+// parameters were present in the request.
+message UnknownQueryParams {
+  message Values {
+    repeated string values = 1;
+  }
+
+  // A map from unrecognized query parameter keys, to the values associated with those keys.
+  map<string, Values> key = 1;
 }

api/envoy/extensions/filters/http/oauth2/v3/oauth.proto

@@ -74,7 +74,7 @@ message OAuth2Credentials {
 
 // OAuth config
 //
-// [#next-free-field: 17]
+// [#next-free-field: 18]
 message OAuth2Config {
   enum AuthType {
     // The ``client_id`` and ``client_secret`` will be sent in the URL encoded request body.
@@ -155,6 +155,12 @@ message OAuth2Config {
   // in a week.
   // This setting is only considered if ``use_refresh_token`` is set to true, otherwise the authorization server expiration or ``defaul_expires_in`` is used.
   google.protobuf.Duration default_refresh_token_expires_in = 15;
+
+  // If set to true, Envoy will not set a cookie for ID Token even if one is received from the Identity Provider. This may be useful in cases where the ID
+  // Token is too large for HTTP cookies (longer than 4096 characters). Enabling this option will only disable setting the cookie response header, the filter
+  // will still process incoming ID Tokens as part of the HMAC if they are there. This is to ensure compatibility while switching this setting on. Future
+  // sessions would not set the IdToken cookie header.
+  bool disable_id_token_set_cookie = 17;
 }
 
 // Filter config.

bazel/BUILD

@@ -419,11 +419,6 @@ config_setting(
     values = {"define": "static_extension_registration=disabled"},
 )
 
-config_setting(
-    name = "disable_envoy_mobile_xds",
-    values = {"define": "envoy_mobile_xds=disabled"},
-)
-
 config_setting(
     name = "disable_yaml",
     values = {"define": "envoy_yaml=disabled"},
@@ -476,6 +471,11 @@ selects.config_setting_group(
     ],
 )
 
+config_setting(
+    name = "disable_nghttp2",
+    values = {"define": "nghttp2=disabled"},
+)
+
 config_setting(
     name = "disable_google_grpc",
     values = {"define": "google_grpc=disabled"},

bazel/envoy_build_system.bzl

@@ -35,13 +35,14 @@ load(
     _envoy_select_boringssl = "envoy_select_boringssl",
     _envoy_select_disable_exceptions = "envoy_select_disable_exceptions",
     _envoy_select_disable_logging = "envoy_select_disable_logging",
+    _envoy_select_enable_exceptions = "envoy_select_enable_exceptions",
     _envoy_select_enable_http3 = "envoy_select_enable_http3",
     _envoy_select_enable_http_datagrams = "envoy_select_enable_http_datagrams",
     _envoy_select_enable_yaml = "envoy_select_enable_yaml",
     _envoy_select_envoy_mobile_listener = "envoy_select_envoy_mobile_listener",
-    _envoy_select_envoy_mobile_xds = "envoy_select_envoy_mobile_xds",
     _envoy_select_google_grpc = "envoy_select_google_grpc",
     _envoy_select_hot_restart = "envoy_select_hot_restart",
+    _envoy_select_nghttp2 = "envoy_select_nghttp2",
     _envoy_select_signal_trace = "envoy_select_signal_trace",
     _envoy_select_static_extension_registration = "envoy_select_static_extension_registration",
     _envoy_select_wasm_cpp_tests = "envoy_select_wasm_cpp_tests",
@@ -234,14 +235,15 @@ envoy_select_admin_no_html = _envoy_select_admin_no_html
 envoy_select_admin_functionality = _envoy_select_admin_functionality
 envoy_select_static_extension_registration = _envoy_select_static_extension_registration
 envoy_select_envoy_mobile_listener = _envoy_select_envoy_mobile_listener
-envoy_select_envoy_mobile_xds = _envoy_select_envoy_mobile_xds
 envoy_select_boringssl = _envoy_select_boringssl
 envoy_select_disable_logging = _envoy_select_disable_logging
 envoy_select_google_grpc = _envoy_select_google_grpc
 envoy_select_enable_http3 = _envoy_select_enable_http3
 envoy_select_enable_yaml = _envoy_select_enable_yaml
 envoy_select_disable_exceptions = _envoy_select_disable_exceptions
+envoy_select_enable_exceptions = _envoy_select_enable_exceptions
 envoy_select_hot_restart = _envoy_select_hot_restart
+envoy_select_nghttp2 = _envoy_select_nghttp2
 envoy_select_enable_http_datagrams = _envoy_select_enable_http_datagrams
 envoy_select_signal_trace = _envoy_select_signal_trace
 envoy_select_wasm_cpp_tests = _envoy_select_wasm_cpp_tests

bazel/envoy_internal.bzl

@@ -1,6 +1,6 @@
 # DO NOT LOAD THIS FILE. Targets from this file should be considered private
 # and not used outside of the @envoy//bazel package.
-load(":envoy_select.bzl", "envoy_select_admin_html", "envoy_select_disable_exceptions", "envoy_select_disable_logging", "envoy_select_google_grpc", "envoy_select_hot_restart", "envoy_select_signal_trace", "envoy_select_static_extension_registration")
+load(":envoy_select.bzl", "envoy_select_admin_html", "envoy_select_disable_exceptions", "envoy_select_disable_logging", "envoy_select_google_grpc", "envoy_select_hot_restart", "envoy_select_nghttp2", "envoy_select_signal_trace", "envoy_select_static_extension_registration")
 
 # Compute the final copts based on various options.
 def envoy_copts(repository, test = False):
@@ -119,6 +119,7 @@ def envoy_copts(repository, test = False):
                repository + "//bazel:uhv_enabled": ["-DENVOY_ENABLE_UHV"],
                "//conditions:default": [],
            }) + envoy_select_hot_restart(["-DENVOY_HOT_RESTART"], repository) + \
+           envoy_select_nghttp2(["-DENVOY_NGHTTP2"], repository) + \
            envoy_select_disable_exceptions(["-fno-exceptions"], repository) + \
            envoy_select_admin_html(["-DENVOY_ADMIN_HTML"], repository) + \
            envoy_select_static_extension_registration(["-DENVOY_STATIC_EXTENSION_REGISTRATION"], repository) + \