From eff3ed3143d0b229e0ea5b2d65608c375d26afa5 Mon Sep 17 00:00:00 2001 From: botengyao Date: Fri, 18 Oct 2024 07:11:17 -0400 Subject: [PATCH 1/5] security-release: update the q3 release record (#36689) Signed-off-by: Boteng Yao --- RELEASES.md | 1 + 1 file changed, 1 insertion(+) diff --git a/RELEASES.md b/RELEASES.md index 30a0661359..08a4be9acb 100644 --- a/RELEASES.md +++ b/RELEASES.md @@ -66,6 +66,7 @@ actual mechanics of the release itself. | 2023 Q3 | Boteng Yao ([botengyao](https://github.com/botengyao)) | Kateryna Nezdolii ([nezdolik](https://github.com/nezdolik)) | | 2023 Q4 | Paul Merrison ([pmerrison](https://github.com/pmerrison)) | Brian Sonnenberg ([briansonnenberg](https://github.com/briansonnenberg)) | | 2024 Q2 | Ryan Northey ([phlax](https://github.com/phlax)) | Boteng Yao ([botengyao](https://github.com/botengyao)) | +| 2024 Q3 | Ryan Northey ([phlax](https://github.com/phlax)) | Boteng Yao ([botengyao](https://github.com/botengyao)) | ## Major release schedule From 421034071875c4bd266b6d0c16cf19a2f0846b5f Mon Sep 17 00:00:00 2001 From: "Adi (Suissa) Peleg" Date: Fri, 18 Oct 2024 11:13:53 -0400 Subject: [PATCH 2/5] xds-failover: fixing runtime feature flag in tests (#36659) Signed-off-by: Adi Suissa-Peleg --- .../config_subscription/grpc/grpc_mux_failover_test.cc | 3 +++ .../grpc/xds_failover_integration_test.cc | 6 ++++++ 2 files changed, 9 insertions(+) diff --git a/test/extensions/config_subscription/grpc/grpc_mux_failover_test.cc b/test/extensions/config_subscription/grpc/grpc_mux_failover_test.cc index dae34fd62e..49cf8f53ee 100644 --- a/test/extensions/config_subscription/grpc/grpc_mux_failover_test.cc +++ b/test/extensions/config_subscription/grpc/grpc_mux_failover_test.cc 
@@ -409,6 +409,9 @@ TEST_F(GrpcMuxFailoverTest, PrimaryOnlyAttemptsAfterPrimaryAvailable) { // will try to reconnect to the primary (and then failover), and keep // alternating between the two. TEST_F(GrpcMuxFailoverTest, AlternatingPrimaryAndFailoverAttemptsAfterFailoverAvailable) { + TestScopedRuntime scoped_runtime; + scoped_runtime.mergeValues( + {{"envoy.reloadable_features.xds_failover_to_primary_enabled", "true"}}); connectToFailover(); // Emulate a 5 times disconnects. diff --git a/test/extensions/config_subscription/grpc/xds_failover_integration_test.cc b/test/extensions/config_subscription/grpc/xds_failover_integration_test.cc index a1efe8febd..2715f5d4b3 100644 --- a/test/extensions/config_subscription/grpc/xds_failover_integration_test.cc +++ b/test/extensions/config_subscription/grpc/xds_failover_integration_test.cc @@ -575,6 +575,8 @@ TEST_P(XdsFailoverAdsIntegrationTest, NoFailoverUseAfterPrimaryResponse) { // Validate that once failover responds, and then disconnects, primary will be attempted. TEST_P(XdsFailoverAdsIntegrationTest, PrimaryUseAfterFailoverResponseAndDisconnect) { + config_helper_.addRuntimeOverride("envoy.reloadable_features.xds_failover_to_primary_enabled", + "true"); // These tests are not executed with GoogleGrpc because they are flaky due to // the large timeout values for retries. SKIP_IF_GRPC_CLIENT(Grpc::ClientType::GoogleGrpc); @@ -692,6 +694,8 @@ TEST_P(XdsFailoverAdsIntegrationTest, PrimaryUseAfterFailoverResponseAndDisconne // still doesn't respond, failover will be attempted with the correct // initial_resource_versions. TEST_P(XdsFailoverAdsIntegrationTest, FailoverUseAfterFailoverResponseAndDisconnect) { + config_helper_.addRuntimeOverride("envoy.reloadable_features.xds_failover_to_primary_enabled", + "true"); // These tests are not executed with GoogleGrpc because they are flaky due to // the large timeout values for retries. SKIP_IF_GRPC_CLIENT(Grpc::ClientType::GoogleGrpc); 
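Review bot: Nothing in AlternatingPrimaryAndFailoverAttemptsAfterFailoverAvailable says why the runtime guard is forced on, so a reader cannot tell that the alternating behaviour asserted here depends on `envoy.reloadable_features.xds_failover_to_primary_enabled`. I would add a comment above the `TestScopedRuntime` line, for example `// Returning to the primary after failover is gated by this runtime guard.` It is not visible from this hunk whether any test in the file runs with the guard set to false; if none does, that path (presumably staying on the failover source) deserves a test too, because it is what operators get when the guard is off. The test body continues outside the hunk.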
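Review bot: The same two-line `config_helper_.addRuntimeOverride(...)` call is pasted into three tests in xds_failover_integration_test.cc (the hunks at -575, -692 and -814), each time above `SKIP_IF_GRPC_CLIENT`, so the override is registered before the test decides whether to skip. This is a style point only. Moving the call below the skip and wrapping it in one fixture helper would keep the guard name in a single place, e.g. `void enableFailoverToPrimary() { config_helper_.addRuntimeOverride("envoy.reloadable_features.xds_failover_to_primary_enabled", "true"); }` (the helper name is a suggestion). The test bodies continue outside the hunks.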
@@ -814,6 +818,8 @@ TEST_P(XdsFailoverAdsIntegrationTest, FailoverUseAfterFailoverResponseAndDisconn // both are not responding. TEST_P(XdsFailoverAdsIntegrationTest, PrimaryAndFailoverAttemptsAfterFailoverResponseAndDisconnect) { + config_helper_.addRuntimeOverride("envoy.reloadable_features.xds_failover_to_primary_enabled", + "true"); // These tests are not executed with GoogleGrpc because they are flaky due to // the large timeout values for retries. SKIP_IF_GRPC_CLIENT(Grpc::ClientType::GoogleGrpc); From 5691519b9430b119c9580ad57e965ed482db68e8 Mon Sep 17 00:00:00 2001 From: phlax Date: Fri, 18 Oct 2024 17:01:02 +0100 Subject: [PATCH 3/5] ci/rbe: Use engflow for non-coverage checks (#36687) Signed-off-by: Ryan Northey --- .github/workflows/_check_build.yml | 7 +------ .github/workflows/_check_san.yml | 7 +------ .github/workflows/envoy-checks.yml | 4 ---- test/common/upstream/BUILD | 2 +- test/extensions/common/aws/BUILD | 2 ++ test/extensions/filters/common/ratelimit_config/BUILD | 1 + test/extensions/filters/http/ext_proc/BUILD | 2 +- .../client_side_weighted_round_robin/BUILD | 1 + test/integration/BUILD | 4 ++-- 9 files changed, 10 insertions(+), 20 deletions(-) diff --git a/.github/workflows/_check_build.yml b/.github/workflows/_check_build.yml index f3417b58ee..e4018b4d9d 100644 --- a/.github/workflows/_check_build.yml +++ b/.github/workflows/_check_build.yml @@ -5,9 +5,6 @@ permissions: on: workflow_call: - secrets: - gcp-key: - required: true inputs: request: type: string @@ -23,15 +20,13 @@ concurrency: jobs: build: - secrets: - gcp-key: ${{ secrets.gcp-key }} permissions: contents: read packages: read uses: ./.github/workflows/_run.yml name: ${{ matrix.name ||matrix.target }} with: - # bazel-extra: '--config=remote-envoy-engflow' + bazel-extra: '--config=remote-envoy-engflow' cache-build-image: ${{ fromJSON(inputs.request).request.build-image.default }} concurrency-suffix: -${{ matrix.target }} error-match: | 
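Review bot: In the `build` job of _check_build.yml, `bazel-extra: '--config=remote-envoy-engflow'` is now set for every invocation, and nothing in the hunk ties it to the `trusted` value that envoy-checks.yml appears to pass into these jobs. The same applies to the `san` job in the _check_san.yml hunk at -23. Dropping the `gcp-key` secret from both reusable workflows is a good reduction in secret exposure. But if pull-request runs from forks can write to the same remote cache that trusted runs read, a poisoned action result could reach trusted builds. I would confirm that the engflow config gives untrusted runs read-only or isolated cache access and record that next to the setting, e.g. `# remote cache: untrusted runs are read-only, see <link to RBE config>`.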
diff --git a/.github/workflows/_check_san.yml b/.github/workflows/_check_san.yml index c4119b0b24..58d183c6a4 100644 --- a/.github/workflows/_check_san.yml +++ b/.github/workflows/_check_san.yml @@ -5,9 +5,6 @@ permissions: on: workflow_call: - secrets: - gcp-key: - required: true inputs: request: type: string @@ -23,15 +20,13 @@ concurrency: jobs: san: - secrets: - gcp-key: ${{ secrets.gcp-key }} permissions: contents: read packages: read uses: ./.github/workflows/_run.yml name: ${{ matrix.target }} with: - # bazel-extra: '--config=remote-envoy-engflow' + bazel-extra: '--config=remote-envoy-engflow' cache-build-image: ${{ fromJSON(inputs.request).request.build-image.default }} concurrency-suffix: -${{ matrix.target }} request: ${{ inputs.request }} diff --git a/.github/workflows/envoy-checks.yml b/.github/workflows/envoy-checks.yml index 08422f5ad5..9325ab8465 100644 --- a/.github/workflows/envoy-checks.yml +++ b/.github/workflows/envoy-checks.yml @@ -41,8 +41,6 @@ jobs: # head-sha: ${{ github.sha }} build: - secrets: - gcp-key: ${{ secrets.GCP_SERVICE_ACCOUNT_KEY }} permissions: actions: read contents: read @@ -75,8 +73,6 @@ jobs: trusted: ${{ fromJSON(needs.load.outputs.trusted) }} san: - secrets: - gcp-key: ${{ secrets.GCP_SERVICE_ACCOUNT_KEY }} permissions: actions: read contents: read diff --git a/test/common/upstream/BUILD b/test/common/upstream/BUILD index a65b0d0c26..e0c8c6ed9b 100644 --- a/test/common/upstream/BUILD +++ b/test/common/upstream/BUILD @@ -87,7 +87,7 @@ envoy_cc_test( name = "cluster_manager_impl_test", size = "large", srcs = ["cluster_manager_impl_test.cc"], - rbe_pool = "2core", + rbe_pool = "4core", deps = [ ":test_cluster_manager", "//source/common/router:context_lib", diff --git a/test/extensions/common/aws/BUILD b/test/extensions/common/aws/BUILD index 21dc6d7860..57cde74571 100644 --- a/test/extensions/common/aws/BUILD +++ b/test/extensions/common/aws/BUILD 
@@ -43,6 +43,7 @@ envoy_cc_test( name = "sigv4_signer_corpus_test", srcs = ["sigv4_signer_corpus_test.cc"], data = ["@com_github_awslabs_aws_c_auth//:sigv4_tests"], + rbe_pool = "2core", deps = [ "//source/common/buffer:buffer_lib", "//source/common/http:message_lib", @@ -58,6 +59,7 @@ envoy_cc_test( name = "sigv4a_signer_corpus_test", srcs = ["sigv4a_signer_corpus_test.cc"], data = ["@com_github_awslabs_aws_c_auth//:sigv4a_tests"], + rbe_pool = "4core", deps = [ "//source/common/buffer:buffer_lib", "//source/common/http:message_lib", diff --git a/test/extensions/filters/common/ratelimit_config/BUILD b/test/extensions/filters/common/ratelimit_config/BUILD index bffabf03a6..b1bbfd13bc 100644 --- a/test/extensions/filters/common/ratelimit_config/BUILD +++ b/test/extensions/filters/common/ratelimit_config/BUILD @@ -20,6 +20,7 @@ envoy_proto_library( envoy_cc_test( name = "ratelimit_config_test", srcs = ["ratelimit_config_test.cc"], + rbe_pool = "2core", deps = [ ":ratelimit_config_test_proto_cc_proto", "//source/common/http:header_map_lib", diff --git a/test/extensions/filters/http/ext_proc/BUILD b/test/extensions/filters/http/ext_proc/BUILD index 21a1f5678a..8c4af27574 100644 --- a/test/extensions/filters/http/ext_proc/BUILD +++ b/test/extensions/filters/http/ext_proc/BUILD @@ -170,7 +170,7 @@ envoy_extension_cc_test( # TODO(jbohanon) use a test filter here instead of production filter "envoy.filters.http.set_metadata", ], - rbe_pool = "2core", + rbe_pool = "4core", shard_count = 8, tags = [ "cpu:3", diff --git a/test/extensions/load_balancing_policies/client_side_weighted_round_robin/BUILD b/test/extensions/load_balancing_policies/client_side_weighted_round_robin/BUILD index 0a6739e131..2f69fe0b90 100644 --- a/test/extensions/load_balancing_policies/client_side_weighted_round_robin/BUILD +++ b/test/extensions/load_balancing_policies/client_side_weighted_round_robin/BUILD 
@@ -15,6 +15,7 @@ envoy_extension_cc_test( name = "config_test", srcs = ["config_test.cc"], extension_names = ["envoy.load_balancing_policies.client_side_weighted_round_robin"], + rbe_pool = "2core", deps = [ "//source/extensions/load_balancing_policies/client_side_weighted_round_robin:config", "//test/mocks/server:factory_context_mocks", diff --git a/test/integration/BUILD b/test/integration/BUILD index 374b9f7b3f..840c463a42 100644 --- a/test/integration/BUILD +++ b/test/integration/BUILD @@ -1539,7 +1539,7 @@ envoy_cc_test( name = "load_stats_integration_test", size = "large", srcs = ["load_stats_integration_test.cc"], - rbe_pool = "2core", + rbe_pool = "4core", deps = [ ":http_integration_lib", "//test/config:utility_lib", @@ -2546,7 +2546,7 @@ envoy_cc_test( "//conditions:default": ["quic_http_integration_test.cc"], }), data = ["//test/config/integration/certs"], - rbe_pool = "2core", + rbe_pool = "4core", # TODO(envoyproxy/windows-dev): Diagnose failure shown only on clang-cl build, see: # https://gist.github.com/wrowe/a152cb1d12c2f751916122aed39d8517 # TODO(envoyproxy/windows-dev): Diagnose timeout, why opt build test under Windows GCP RBE From 803aea39d6fa22eadf115279085dda56e97bb37f Mon Sep 17 00:00:00 2001 From: alyssawilk Date: Fri, 18 Oct 2024 12:02:28 -0400 Subject: [PATCH 4/5] test: deflake an integration test (#36674) waitForAccessLog asserts the log you're waiting for is the last one. For periodic logging on slow machines there may end up being extra log entries so allow excess. https://github.com/envoyproxy/envoy/actions/runs/11371697784/job/31634429494 Signed-off-by: Alyssa Wilk --- test/integration/protocol_integration_test.cc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/test/integration/protocol_integration_test.cc b/test/integration/protocol_integration_test.cc index 8b4b84f843..a6119814f2 100644 --- a/test/integration/protocol_integration_test.cc +++ b/test/integration/protocol_integration_test.cc 
@@ -462,7 +462,7 @@ TEST_P(ProtocolIntegrationTest, PeriodicAccessLog) { {":method", "GET"}, {":path", "/test"}, {":scheme", "http"}, {":authority", "host.com"}}); waitForNextUpstreamRequest(); EXPECT_EQ(AccessLogType_Name(AccessLog::AccessLogType::DownstreamPeriodic), - waitForAccessLog(access_log_name_)); + waitForAccessLog(access_log_name_, 0, true)); upstream_request_->encodeHeaders(Http::TestResponseHeaderMapImpl{{":status", "200"}}, true); ASSERT_TRUE(response->waitForEndStream()); From ee6163435be32f0efd3ad068e90ea89c974991c3 Mon Sep 17 00:00:00 2001 From: birenroy Date: Fri, 18 Oct 2024 12:06:27 -0400 Subject: [PATCH 5/5] http: initializes a field of ConnectionManagerImpl::ActiveStream::State. (#36642) While debugging an issue, it became clear that this field is not properly initialized. Commit Message: Additional Description: Risk Level: Testing: Docs Changes: Release Notes: Platform Specific Features: --------- Signed-off-by: Biren Roy --- source/common/http/conn_manager_impl.h | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/source/common/http/conn_manager_impl.h b/source/common/http/conn_manager_impl.h index d4f73ccef4..ffa0aab7f6 100644 --- a/source/common/http/conn_manager_impl.h +++ b/source/common/http/conn_manager_impl.h @@ -338,7 +338,8 @@ class ConnectionManagerImpl : Logger::Loggable, : codec_saw_local_complete_(false), codec_encode_complete_(false), on_reset_stream_called_(false), is_zombie_stream_(false), successful_upgrade_(false), is_internally_destroyed_(false), is_internally_created_(false), is_tunneling_(false), - decorated_propagate_(true), deferred_to_next_io_iteration_(false) {} + decorated_propagate_(true), deferred_to_next_io_iteration_(false), + deferred_end_stream_(false) {} // It's possibly for the codec to see the completed response but not fully // encode it.
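Review bot: In PeriodicAccessLog the new call `waitForAccessLog(access_log_name_, 0, true)` passes two bare positional literals, and the reason for relaxing the assertion exists only in the commit message. I would label the arguments with inline comments that match the parameter names in the declaration (not visible in this hunk). I would also add a line above the `EXPECT_EQ`, such as `// Periodic logging can emit extra entries on slow hosts, so excess entries are allowed.` Without it, a later cleanup could restore the strict form and bring the flake back.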
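Review bot: The State constructor's initializer list remains the only place these flags receive a value, so the next flag added to the struct can be missed exactly as `deferred_end_stream_` was, leaving stream-handling decisions to depend on indeterminate memory. The member declarations are outside the hunk. If they are bit-fields and the build allows default member initializers on them (C++20), initialising at the declaration would remove this class of omission. Otherwise I would add a comment at the declarations, e.g. `// Every flag declared here must also be initialised in State().` The description's Risk Level and Testing fields are empty, so it would help to state whether a sanitizer run or a unit test now covers the read of this flag.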