Merge branch 'main' into optref-const

Signed-off-by: Joshua Marantz <[email protected]>
jmarantz · Feb 8, 2024 · f8d86b7 · f8d86b7
2 parents 3d7d1ff + d14ce54
commit f8d86b7
Show file tree

Hide file tree

Showing 123 changed files with 1,133 additions and 443 deletions.
diff --git a/api/envoy/extensions/filters/http/aws_lambda/v3/aws_lambda.proto b/api/envoy/extensions/filters/http/aws_lambda/v3/aws_lambda.proto
@@ -42,6 +42,19 @@ message Config {
 
   // Determines the way to invoke the Lambda function.
   InvocationMode invocation_mode = 3 [(validate.rules).enum = {defined_only: true}];
+
+  // Indicates that before signing headers, the host header will be swapped with
+  // this value. If not set or empty, the original host header value
+  // will be used and no rewrite will happen.
+  //
+  // Note: this rewrite affects both signing and host header forwarding. However, this
+  // option shouldn't be used with
+  // :ref:`HCM host rewrite <envoy_v3_api_field_config.route.v3.RouteAction.host_rewrite_literal>` given that the
+  // value set here would be used for signing whereas the value set in the HCM would be used
+  // for host header forwarding which is not the desired outcome.
+  // Changing the value of the host header can result in a different route to be selected
+  // if an HTTP filter after AWS lambda re-evaluates the route (clears route cache).
+  string host_rewrite = 4;
 }
 
 // Per-route configuration for AWS Lambda. This can be useful when invoking a different Lambda function or a different

diff --git a/bazel/cel-cpp.patch b/bazel/cel-cpp.patch
@@ -1,3 +1,24 @@
+diff --git a/eval/internal/interop.cc b/eval/internal/interop.cc
+index 3acde6c..20f8ea3 100644
+--- a/eval/internal/interop.cc
++++ b/eval/internal/interop.cc
+@@ -729,13 +729,14 @@ absl::StatusOr<CelValue> ToLegacyValue(google::protobuf::Arena* arena,
+         return CelValue::CreateMessageWrapper(
+             MessageWrapperAccess::Make(message, type_info));
+       }
+-      if (ProtoStructValueToMessageWrapper) {
++      // This weak symbol is never defined in Envoy, and checking it causes linker failures on macOS
++      /*if (ProtoStructValueToMessageWrapper) {
+         auto maybe_message_wrapper = ProtoStructValueToMessageWrapper(*value);
+         if (maybe_message_wrapper.has_value()) {
+           return CelValue::CreateMessageWrapper(
+               std::move(maybe_message_wrapper).value());
+         }
+-      }
++      }*/
+       return absl::UnimplementedError(
+           "only legacy struct types and values can be used for interop");
+     }
 diff --git a/eval/public/cel_value.cc b/eval/public/cel_value.cc
 index 6aeff6d..c43864c 100644
 --- a/eval/public/cel_value.cc

diff --git a/bazel/envoy_binary.bzl b/bazel/envoy_binary.bzl
@@ -25,7 +25,8 @@ def envoy_cc_binary(
         deps = [],
         linkopts = [],
         tags = [],
-        features = []):
+        features = [],
+        linkstatic = True):
     linker_inputs = envoy_exported_symbols_input()
 
     if not linkopts:
@@ -43,7 +44,7 @@ def envoy_cc_binary(
         copts = envoy_copts(repository),
         linkopts = linkopts,
         testonly = testonly,
-        linkstatic = 1,
+        linkstatic = linkstatic,
         visibility = visibility,
         malloc = tcmalloc_external_dep(repository),
         stamp = stamp,

diff --git a/bazel/envoy_build_system.bzl b/bazel/envoy_build_system.bzl
@@ -53,6 +53,10 @@ load(
     _envoy_py_test_binary = "envoy_py_test_binary",
     _envoy_sh_test = "envoy_sh_test",
 )
+load(
+    ":envoy_internal.bzl",
+    _envoy_linkstatic = "envoy_linkstatic",
+)
 load(
     ":envoy_mobile_defines.bzl",
     _envoy_mobile_defines = "envoy_mobile_defines",
@@ -250,6 +254,7 @@ envoy_select_wasm_v8 = _envoy_select_wasm_v8
 envoy_select_wasm_wamr = _envoy_select_wasm_wamr
 envoy_select_wasm_wavm = _envoy_select_wasm_wavm
 envoy_select_wasm_wasmtime = _envoy_select_wasm_wasmtime
+envoy_select_linkstatic = _envoy_linkstatic
 
 # Binary wrappers (from envoy_binary.bzl)
 envoy_cc_binary = _envoy_cc_binary

diff --git a/bazel/envoy_test.bzl b/bazel/envoy_test.bzl
@@ -228,6 +228,7 @@ def envoy_cc_test_binary(
         tags = [],
         deps = [],
         stamp = 0,
+        linkstatic = True,
         **kargs):
     envoy_cc_binary(
         name,
@@ -238,6 +239,7 @@ def envoy_cc_test_binary(
             "@envoy//test/test_common:test_version_linkstamp",
         ],
         stamp = stamp,
+        linkstatic = linkstatic,
         **kargs
     )
 

diff --git a/bazel/external/quiche.BUILD b/bazel/external/quiche.BUILD
@@ -2906,6 +2906,7 @@ envoy_quic_cc_library(
         ":quic_core_versions_lib",
         ":quic_platform_base",
         ":quiche_common_text_utils_lib",
+        ":quiche_common_wire_serialization",
         "@com_google_absl//absl/cleanup",
     ],
 )
@@ -2929,6 +2930,7 @@ envoy_cc_library(
         "quiche/quic/core/frames/quic_path_challenge_frame.cc",
         "quiche/quic/core/frames/quic_path_response_frame.cc",
         "quiche/quic/core/frames/quic_ping_frame.cc",
+        "quiche/quic/core/frames/quic_reset_stream_at_frame.cc",
         "quiche/quic/core/frames/quic_retire_connection_id_frame.cc",
         "quiche/quic/core/frames/quic_rst_stream_frame.cc",
         "quiche/quic/core/frames/quic_stop_sending_frame.cc",
@@ -2956,6 +2958,7 @@ envoy_cc_library(
         "quiche/quic/core/frames/quic_path_challenge_frame.h",
         "quiche/quic/core/frames/quic_path_response_frame.h",
         "quiche/quic/core/frames/quic_ping_frame.h",
+        "quiche/quic/core/frames/quic_reset_stream_at_frame.h",
         "quiche/quic/core/frames/quic_retire_connection_id_frame.h",
         "quiche/quic/core/frames/quic_rst_stream_frame.h",
         "quiche/quic/core/frames/quic_stop_sending_frame.h",
@@ -3571,15 +3574,6 @@ envoy_quic_cc_library(
     ],
 )
 
-envoy_cc_library(
-    name = "quic_core_protocol_flags_list_lib",
-    hdrs = ["quiche/quic/core/quic_protocol_flags_list.h"],
-    copts = quiche_copts,
-    repository = "@envoy",
-    tags = ["nofips"],
-    visibility = ["//visibility:public"],
-)
-
 envoy_quic_cc_library(
     name = "quic_core_qpack_blocking_manager_lib",
     srcs = ["quiche/quic/core/qpack/qpack_blocking_manager.cc"],

diff --git a/bazel/repository_locations.bzl b/bazel/repository_locations.bzl
@@ -376,12 +376,12 @@ REPOSITORY_LOCATIONS_SPEC = dict(
         project_name = "gRPC",
         project_desc = "gRPC C core library",
         project_url = "https://grpc.io",
-        version = "1.59.3",
-        sha256 = "ea281bb3489520ad4fb96ae84b45ed194a1f0b944d3e74f925f5e019d31ecd0f",
+        version = "1.59.4",
+        sha256 = "6edc67c2ad200c5b618c421f6e8c1b734a4aa3e741975e683491da03390ebf63",
         strip_prefix = "grpc-{version}",
         urls = ["https://github.com/grpc/grpc/archive/v{version}.tar.gz"],
         use_category = ["dataplane_core", "controlplane"],
-        release_date = "2023-11-17",
+        release_date = "2024-02-05",
         cpe = "cpe:2.3:a:grpc:grpc:*",
         license = "Apache-2.0",
         license_url = "https://github.com/grpc/grpc/blob/v{version}/LICENSE",
@@ -1175,12 +1175,12 @@ REPOSITORY_LOCATIONS_SPEC = dict(
         project_name = "QUICHE",
         project_desc = "QUICHE (QUIC, HTTP/2, Etc) is Google‘s implementation of QUIC and related protocols",
         project_url = "https://github.com/google/quiche",
-        version = "b5d556774fb971506e5912a357f0f8fb8ef08d12",
-        sha256 = "f600af67bfccec4a0e8b88f721371756429975b1956269ae034ce08247ae55bd",
+        version = "60a22a631bdf944e26407d32a767b4aba953bc39",
+        sha256 = "70213d0e4016ce79db9f3dfc5e94b4e707c54b69e00fae7ea2593a08e9dfd11e",
         urls = ["https://github.com/google/quiche/archive/{version}.tar.gz"],
         strip_prefix = "quiche-{version}",
         use_category = ["controlplane", "dataplane_core"],
-        release_date = "2024-02-01",
+        release_date = "2024-02-05",
         cpe = "N/A",
         license = "BSD-3-Clause",
         license_url = "https://github.com/google/quiche/blob/{version}/LICENSE",

diff --git a/changelogs/current.yaml b/changelogs/current.yaml
@@ -19,12 +19,22 @@ minor_behavior_changes:
 - area: golang
   change: |
     Change ``RegisterHttpFilterConfigFactoryAndParser`` to ``RegisterHttpFilterFactoryAndConfigParser``.
+- area: QUIC
+  change: |
+    Port migration is default turned off. QUIC client connections will no longer attempt to migrate to a new port when connections
+    is degrading. Can be manually turned on via
+    :ref:`port_migration <envoy_v3_api_field_config.core.v3.QuicProtocolOptions.num_timeouts_to_trigger_port_migration>`.
 
 bug_fixes:
 # *Changes expected to improve the state of the world and are unlikely to have negative effects*
 - area: tracers
   change: |
     use unary RPC calls for OpenTelemetry trace exports, rather than client-side streaming connections.
+- area: load balancing
+  change: |
+    Added randomization in locality load-balancing initialization. This helps desynchronizing Envoys across
+    a fleet by randomizing the scheduler starting point. This can be temporarily reverted by setting runtime guard
+    ``envoy.reloadable_features.edf_lb_locality_scheduler_init_fix`` to false.
 - area: UDP and TCP tunneling
   change: |
     fixed a bug where second HTTP response headers received would cause Envoy to crash in cases where
@@ -57,6 +67,10 @@ new_features:
   change: |
     Update ``aws_request_signing`` filter to support use as an upstream HTTP filter. This allows successful calculation of
     signatures after the forwarding stage has completed, particularly if the path element is modified.
+- area: aws_lambda
+  change: |
+    Update ``aws_lambda`` filter to support use as an upstream HTTP filter. This allows successful calculation of
+    signatures after the forwarding stage has completed, particularly if the path element is modified.
 - area: grpc reverse bridge
   change: |
     Change HTTP status to 200 to respect the gRPC protocol. This may cause problems for incorrect gRPC clients expecting the filter
@@ -78,6 +92,10 @@ new_features:
   change: |
     added support for :ref:`%UPSTREAM_CONNECTION_ID% <config_access_log_format_upstream_connection_id>` for the upstream connection
     identifier.
+- area: aws_lambda
+  change: |
+    Added :ref:`host_rewrite <envoy_v3_api_field_extensions.filters.http.aws_lambda.v3.Config.host_rewrite>` config to be used
+    during signature.
 - area: ext_proc
   change: |
     added

diff --git a/contrib/generic_proxy/filters/network/source/router/router.cc b/contrib/generic_proxy/filters/network/source/router/router.cc
@@ -286,7 +286,8 @@ UpstreamRequest::UpstreamRequest(RouterFilter& parent, GenericUpstreamSharedPtr
   expects_response_ = !options.oneWayStream();
 
   // Set tracing config.
-  if (tracing_config_ = parent_.callbacks_->tracingConfig(); tracing_config_.has_value()) {
+  tracing_config_ = parent_.callbacks_->tracingConfig();
+  if (tracing_config_.has_value() && tracing_config_->spawnUpstreamSpan()) {
     span_ = parent_.callbacks_->activeSpan().spawnChild(
         tracing_config_.value().get(),
         absl::StrCat("router ", parent_.cluster_->observabilityName(), " egress"),

diff --git a/contrib/generic_proxy/filters/network/test/router/router_test.cc b/contrib/generic_proxy/filters/network/test/router/router_test.cc
@@ -251,6 +251,7 @@ class RouterFilterTest : public testing::TestWithParam<TestParameters> {
     if (with_tracing_) {
       EXPECT_CALL(mock_filter_callback_, tracingConfig())
           .WillOnce(Return(OptRef<const Tracing::Config>{tracing_config_}));
+      EXPECT_CALL(tracing_config_, spawnUpstreamSpan()).WillOnce(Return(true));
       EXPECT_CALL(active_span_, spawnChild_(_, "router observability_name egress", _))
           .WillOnce(Invoke([this](const Tracing::Config&, const std::string&, SystemTime) {
             child_span_ = new NiceMock<Tracing::MockSpan>();

diff --git a/docs/root/configuration/http/http_filters/_include/aws-lambda-filter-upstream.yaml b/docs/root/configuration/http/http_filters/_include/aws-lambda-filter-upstream.yaml
@@ -0,0 +1,57 @@
+static_resources:
+  listeners:
+  - address:
+      socket_address:
+        address: 0.0.0.0
+        port_value: 10000
+    filter_chains:
+    - filters:
+      - name: envoy.filters.network.http_connection_manager
+        typed_config:
+          '@type': type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
+          stat_prefix: ingress_http
+          http_filters:
+          - name: envoy.filters.http.router
+            typed_config:
+              '@type': type.googleapis.com/envoy.extensions.filters.http.router.v3.Router
+          route_config:
+            name: local_route
+            virtual_hosts:
+            - domains:
+              - '*'
+              name: local_service
+              routes:
+              - match: {prefix: "/"}
+                route: {cluster: default_service}
+  clusters:
+  - name: default_service
+    load_assignment:
+      cluster_name: default_service
+      endpoints:
+      - lb_endpoints:
+        - endpoint:
+            address:
+              socket_address:
+                address: 127.0.0.1
+                port_value: 10001
+    typed_extension_protocol_options:
+      envoy.extensions.upstreams.http.v3.HttpProtocolOptions:
+        "@type": type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions
+        upstream_http_protocol_options:
+          auto_sni: true
+          auto_san_validation: true
+        auto_config:
+          http2_protocol_options: {}
+        http_filters:
+          - name: envoy.filters.http.aws_lambda
+            typed_config:
+              "@type": type.googleapis.com/envoy.extensions.filters.http.aws_lambda.v3.Config
+              arn: "arn:aws:lambda:us-west-2:987654321:function:hello_envoy"
+              payload_passthrough: false
+          - name: envoy.filters.http.upstream_codec
+            typed_config:
+              "@type": type.googleapis.com/envoy.extensions.filters.http.upstream_codec.v3.UpstreamCodec
+    transport_socket:
+      name: envoy.transport_sockets.tls
+      typed_config:
+        "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext
diff --git a/docs/root/configuration/http/http_filters/aws_lambda_filter.rst b/docs/root/configuration/http/http_filters/aws_lambda_filter.rst
@@ -94,6 +94,7 @@ If you use the per-filter configuration, the target cluster *must* have the foll
         com.amazonaws.lambda:
           egress_gateway: true
 
+If you use the upstream filter configuration, this metadata is not required.
 
 Below are some examples that show how the filter can be used in different deployment scenarios.
 
@@ -185,6 +186,25 @@ An example with the Lambda metadata applied to a weighted-cluster:
         "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext
         sni: "*.amazonaws.com"
 
+Configuration as an upstream HTTP filter
+----------------------------------------
+SigV4 or SigV4A request signatures are calculated using the HTTP host, URL and payload as input. Depending on the configuration, Envoy may modify one or more of
+these prior to forwarding to the Cluster subsystem, but after the signature has been calculated and inserted into the HTTP headers. Modifying fields in a SigV4 or SigV4A
+signed request will result in an invalid signature.
+
+To avoid invalid signatures, the AWS Request Signing Filter can be configured as an upstream HTTP filter. This allows signatures to be
+calculated as a final step before the HTTP request is forwarded upstream, ensuring signatures are correctly calculated over the updated
+HTTP fields.
+
+Configuring this filter as an upstream HTTP filter is done in a similar way to the downstream case, but using the :ref:`http_filters <envoy_v3_api_field_extensions.filters.network.http_connection_manager.v3.HttpConnectionManager.http_filters>`
+filter chain within the cluster configuration.
+
+.. literalinclude:: _include/aws-lambda-filter-upstream.yaml
+    :language: yaml
+    :lines: 26-50
+    :lineno-start: 26
+    :linenos:
+    :caption: :download:`aws-lambda-filter-upstream.yaml <_include/aws-lambda-filter-upstream.yaml>`
 
 .. include:: _include/aws_credentials.rst
 

diff --git a/envoy/common/io/io_uring.h b/envoy/common/io/io_uring.h
@@ -450,23 +450,27 @@ class IoUringWorker : public ThreadLocal::ThreadLocalObject {
 };
 
 /**
- * Abstract factory for IoUring wrappers.
+ * Abstract factory for IoUringWorker wrappers.
  */
-class IoUringFactory {
+class IoUringWorkerFactory {
 public:
-  virtual ~IoUringFactory() = default;
+  virtual ~IoUringWorkerFactory() = default;
 
   /**
-   * Returns an instance of IoUring and creates it if needed for the current
-   * thread.
+   * Returns the current thread's IoUringWorker. If the thread have not registered a IoUringWorker,
+   * an absl::nullopt will be returned.
    */
-  virtual IoUring& getOrCreate() const PURE;
+  virtual OptRef<IoUringWorker> getIoUringWorker() PURE;
 
   /**
-   * Initializes a factory upon server readiness. For example this method can be
-   * used to set TLS.
+   * Initializes a IoUringWorkerFactory upon server readiness. The method is used to set the TLS.
    */
-  virtual void onServerInitialized() PURE;
+  virtual void onWorkerThreadInitialized() PURE;
+
+  /**
+   * Indicates whether the current thread has been registered for a IoUringWorker.
+   */
+  virtual bool currentThreadRegistered() PURE;
 };
 
 } // namespace Io