Merge pull request #263 from envoyproxy/auto-merge-main

auto-merge envoyproxy/envoy[main] into envoyproxy/envoy-openssl[main]

.bazelrc

@@ -91,7 +91,7 @@ build:clang-pch --spawn_strategy=local
 build:clang-pch --define=ENVOY_CLANG_PCH=1
 
 # Use gold linker for gcc compiler.
-build:gcc --linkopt=-fuse-ld=gold
+build:gcc --linkopt=-fuse-ld=gold --host_linkopt=-fuse-ld=gold
 build:gcc --test_env=HEAPCHECK=
 build:gcc --action_env=BAZEL_COMPILER=gcc
 build:gcc --action_env=CC=gcc --action_env=CXX=g++

.github/workflows/_precheck_deps.yml

@@ -51,7 +51,7 @@ jobs:
     if: ${{ inputs.dependency-review }}
     steps:
     - name: Checkout Repository
-      uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938  # v4.2.0
+      uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871  # v4.2.1
       with:
         ref: ${{ fromJSON(inputs.request).request.sha }}
         persist-credentials: false

.github/workflows/codeql-daily.yml

@@ -27,14 +27,14 @@ jobs:
 
     steps:
     - name: Checkout repository
-      uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938  # v4.2.0
+      uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871  # v4.2.1
 
     - name: Free disk space
       uses: envoyproxy/toolshed/gh-actions/diskspace@actions-v0.2.36
 
     # Initializes the CodeQL tools for scanning.
     - name: Initialize CodeQL
-      uses: github/codeql-action/init@461ef6c76dfe95d5c364de2f431ddbd31a417628  # codeql-bundle-v3.26.9
+      uses: github/codeql-action/init@c36620d31ac7c881962c3d9dd939c40ec9434f2b  # codeql-bundle-v3.26.12
       # Override language selection by uncommenting this and choosing your languages
       with:
         languages: cpp
@@ -64,6 +64,7 @@ jobs:
            --spawn_strategy=local \
            --discard_analysis_cache \
            --nouse_action_cache \
+           --features="-layering_check" \
            --config=clang-libc++ \
            --config=ci \
            //source/common/http/...
@@ -73,4 +74,4 @@ jobs:
         git clean -xdf
 
     - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@461ef6c76dfe95d5c364de2f431ddbd31a417628  # codeql-bundle-v3.26.9
+      uses: github/codeql-action/analyze@c36620d31ac7c881962c3d9dd939c40ec9434f2b  # codeql-bundle-v3.26.12

.github/workflows/codeql-push.yml

@@ -32,7 +32,7 @@ jobs:
     if: github.repository == 'envoyproxy/envoy'
     steps:
     - name: Checkout repository
-      uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938  # v4.2.0
+      uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871  # v4.2.1
       with:
         fetch-depth: 2
 
@@ -65,7 +65,7 @@ jobs:
 
     - name: Initialize CodeQL
       if: ${{ env.BUILD_TARGETS != '' }}
-      uses: github/codeql-action/init@461ef6c76dfe95d5c364de2f431ddbd31a417628  # codeql-bundle-v3.26.9
+      uses: github/codeql-action/init@c36620d31ac7c881962c3d9dd939c40ec9434f2b  # codeql-bundle-v3.26.12
       with:
         languages: cpp
 
@@ -96,6 +96,7 @@ jobs:
            --spawn_strategy=local \
            --discard_analysis_cache \
            --nouse_action_cache \
+           --features="-layering_check" \
            --config=clang-libc++ \
            --config=ci \
            $BUILD_TARGETS
@@ -108,4 +109,4 @@ jobs:
 
     - name: Perform CodeQL Analysis
       if: ${{ env.BUILD_TARGETS != '' }}
-      uses: github/codeql-action/analyze@461ef6c76dfe95d5c364de2f431ddbd31a417628  # codeql-bundle-v3.26.9
+      uses: github/codeql-action/analyze@c36620d31ac7c881962c3d9dd939c40ec9434f2b  # codeql-bundle-v3.26.12

.github/workflows/envoy-dependency.yml

@@ -146,7 +146,7 @@ jobs:
           path: envoy
           fetch-depth: 0
         token: ${{ steps.appauth.outputs.token }}
-    - uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938  # v4.2.0
+    - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871  # v4.2.1
       name: Checkout Envoy build tools repository
       with:
         repository: envoyproxy/envoy-build-tools
@@ -238,7 +238,7 @@ jobs:
       issues: write
     steps:
     - name: Checkout repository
-      uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938  # v4.2.0
+      uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871  # v4.2.1
     - name: Run dependency checker
       run: |
         TODAY_DATE=$(date -u -I"date")

.github/workflows/mobile-release.yml

@@ -86,7 +86,7 @@ jobs:
         include:
         - output: envoy
     steps:
-    - uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938  # v4.2.0
+    - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871  # v4.2.1
       with:
         fetch-depth: 0
     - name: Add safe directory

.github/workflows/mobile-traffic_director.yml

@@ -30,7 +30,7 @@ jobs:
     timeout-minutes: 120
     steps:
     - name: Checkout repository
-      uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938  # v4.2.0
+      uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871  # v4.2.1
     - name: Add safe directory
       run: git config --global --add safe.directory /__w/envoy/envoy
     - name: 'Run GcpTrafficDirectorIntegrationTest'

.github/workflows/pr_notifier.yml

@@ -22,7 +22,7 @@ jobs:
               || !contains(github.actor, '[bot]'))
       }}
     steps:
-    - uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938  # v4.2.0
+    - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871  # v4.2.1
     - name: Notify about PRs
       run: |
         ARGS=()

.github/workflows/scorecard.yml

@@ -21,7 +21,7 @@ jobs:
 
     steps:
     - name: "Checkout code"
-      uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938  # v4.2.0
+      uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871  # v4.2.1
       with:
         persist-credentials: false
 
@@ -33,13 +33,13 @@ jobs:
         publish_results: true
 
     - name: "Upload artifact"
-      uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874  # v4.4.0
+      uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882  # v4.4.3
       with:
         name: SARIF file
         path: results.sarif
         retention-days: 5
 
     - name: "Upload to code-scanning"
-      uses: github/codeql-action/upload-sarif@461ef6c76dfe95d5c364de2f431ddbd31a417628  # v3.26.9
+      uses: github/codeql-action/upload-sarif@c36620d31ac7c881962c3d9dd939c40ec9434f2b  # v3.26.12
       with:
         sarif_file: results.sarif

GOVERNANCE.md

@@ -1,34 +1,22 @@
 # Process for becoming a maintainer
 
-## Your organization is not yet a maintainer
+Becoming a maintainer generally means that you are going to be spending substantial time on
+Envoy for the foreseeable future. You should have domain expertise and be extremely proficient in C++.
 
-* Express interest to the senior maintainers that your organization is interested in becoming a
-  maintainer. Becoming a maintainer generally means that you are going to be spending substantial
-  time (>25%) on Envoy for the foreseeable future. You should have domain expertise and be extremely
-  proficient in C++. Ultimately your goal is to become a senior maintainer that will represent your
-  organization.
+* Express interest to the
+  [envoy-maintainers](https://groups.google.com/forum/#!forum/envoy-announce)
+  that you are interested in becoming a maintainer and, if your company does not have pre-existing maintainers,
+  that your organization is interested in and willing to sponsoring a maintainer.
 * We will expect you to start contributing increasingly complicated PRs, under the guidance
-  of the existing senior maintainers.
-* We may ask you to do some PRs from our backlog.
+  of the existing maintainers.
+* We may ask you to fix some issues from our backlog.
 * As you gain experience with the code base and our standards, we will ask you to do code reviews
   for incoming PRs (i.e., all maintainers are expected to shoulder a proportional share of
   community reviews).
-* After a period of approximately 2-3 months of working together and making sure we see eye to eye,
-  the existing senior maintainers will confer and decide whether to grant maintainer status or not.
-  We make no guarantees on the length of time this will take, but 2-3 months is the approximate
-  goal.
-
-## Your organization is currently a maintainer
-
-* First decide whether your organization really needs more people with maintainer access. Valid
-  reasons are "blast radius", a large organization that is working on multiple unrelated projects,
-  etc.
-* Contact a senior maintainer for your organization and express interest.
-* Start doing PRs and code reviews under the guidance of your senior maintainer.
-* After a period of 1-2 months the existing senior maintainers will discuss granting "standard"
-  maintainer access.
-* "Standard" maintainer access can be upgraded to "senior" maintainer access after another 1-2
-  months of work and another conference of the existing senior committers.
+* After a period of approximately 2-3 months of contributions demonstrating understanding of (at least parts of)
+  the Envoy code base, reach back out to the maintainers list asking for feedback.  At this point, you will either
+  be granted maintainer status, or be given actionable feedback on any remaining gaps between the contributions
+  demonstrated and those expected of maintainers, at which point you can close those gaps and reach back out.
 
 ## Maintainer responsibilities
 

RELEASES.md

@@ -121,7 +121,7 @@ deadline of 3 weeks.
 * Switch the repo back to "dev" mode by running `bazel run @envoy_repo//:dev`. This tool will create a commit with the
   necessary changes to continue development.
 * Create a pull request with that commit.
-* Run the deprecate_versions.py script (`bazel run //tools/deprecate_version:deprecate_version`)
+* Run the deprecate_guards.py script (`bazel run //tools/deprecate_guards:deprecate_guards`)
 * If you haven't done this before, request posting permission from admins for all the groups in the next bullet.
 * Craft a witty/uplifting email and send it to all the email aliases:
 envoy-announce@googlegroups.com

api/envoy/config/core/v3/protocol.proto

@@ -262,6 +262,8 @@ message HttpProtocolOptions {
   // The maximum number of headers (request headers if configured on HttpConnectionManager,
   // response headers when configured on a cluster).
   // If unconfigured, the default maximum number of headers allowed is 100.
+  // The default value for requests can be overridden by setting runtime key ``envoy.reloadable_features.max_request_headers_count``.
+  // The default value for responses can be overridden by setting runtime key ``envoy.reloadable_features.max_response_headers_count``.
   // Downstream requests that exceed this limit will receive a 431 response for HTTP/1.x and cause a stream
   // reset for HTTP/2.
   // Upstream responses that exceed this limit will result in a 503 response.
@@ -270,6 +272,7 @@ message HttpProtocolOptions {
   // The maximum size of response headers.
   // If unconfigured, the default is 60 KiB, except for HTTP/1 response headers which have a default
   // of 80KiB.
+  // The default value can be overridden by setting runtime key ``envoy.reloadable_features.max_response_headers_size_kb``.
   // Responses that exceed this limit will result in a 503 response.
   // In Envoy, this setting is only valid when configured on an upstream cluster, not on the
   // :ref:`HTTP Connection Manager

api/envoy/extensions/filters/http/local_ratelimit/v3/BUILD

@@ -7,6 +7,7 @@ licenses(["notice"])  # Apache 2
 api_proto_package(
     deps = [
         "//envoy/config/core/v3:pkg",
+        "//envoy/config/route/v3:pkg",
         "//envoy/extensions/common/ratelimit/v3:pkg",
         "//envoy/type/v3:pkg",
         "@com_github_cncf_xds//udpa/annotations:pkg",

api/envoy/extensions/filters/http/local_ratelimit/v3/local_rate_limit.proto

@@ -3,6 +3,7 @@ syntax = "proto3";
 package envoy.extensions.filters.http.local_ratelimit.v3;
 
 import "envoy/config/core/v3/base.proto";
+import "envoy/config/route/v3/route_components.proto";
 import "envoy/extensions/common/ratelimit/v3/ratelimit.proto";
 import "envoy/type/v3/http_status.proto";
 import "envoy/type/v3/token_bucket.proto";
@@ -22,7 +23,7 @@ option (udpa.annotations.file_status).package_version_status = ACTIVE;
 // Local Rate limit :ref:`configuration overview <config_http_filters_local_rate_limit>`.
 // [#extension: envoy.filters.http.local_ratelimit]
 
-// [#next-free-field: 17]
+// [#next-free-field: 18]
 message LocalRateLimit {
   // The human readable prefix to use when emitting stats.
   string stat_prefix = 1 [(validate.rules).string = {min_len: 1}];
@@ -147,4 +148,23 @@ message LocalRateLimit {
   // of the default ``UNAVAILABLE`` gRPC code for a rate limited gRPC call. The
   // HTTP code will be 200 for a gRPC response.
   bool rate_limited_as_resource_exhausted = 15;
+
+  // Rate limit configuration that is used to generate a list of descriptor entries based on
+  // the request context. The generated entries will be used to find one or multiple matched rate
+  // limit rule from the ``descriptors``.
+  // If this is set, then
+  // :ref:`VirtualHost.rate_limits<envoy_v3_api_field_config.route.v3.VirtualHost.rate_limits>` or
+  // :ref:`RouteAction.rate_limits<envoy_v3_api_field_config.route.v3.RouteAction.rate_limits>` fields
+  // will be ignored.
+  //
+  // .. note::
+  //   Not all configuration fields of
+  //   :ref:`rate limit config <envoy_v3_api_msg_config.route.v3.RateLimit>` is supported at here.
+  //   Following fields are not supported:
+  //
+  //   1. :ref:`rate limit stage <envoy_v3_api_field_config.route.v3.RateLimit.stage>`.
+  //   2. :ref:`dynamic metadata <envoy_v3_api_field_config.route.v3.RateLimit.Action.dynamic_metadata>`.
+  //   3. :ref:`disable_key <envoy_v3_api_field_config.route.v3.RateLimit.disable_key>`.
+  //   4. :ref:`override limit <envoy_v3_api_field_config.route.v3.RateLimit.limit>`.
+  repeated config.route.v3.RateLimit rate_limits = 17;
 }

api/envoy/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto

@@ -493,6 +493,7 @@ message HttpConnectionManager {
 
   // The maximum request headers size for incoming connections.
   // If unconfigured, the default max request headers allowed is 60 KiB.
+  // The default value can be overridden by setting runtime key ``envoy.reloadable_features.max_request_headers_size_kb``.
   // Requests that exceed this limit will receive a 431 response.
   //
   // Note: currently some protocol codecs impose limits on the maximum size of a single header:

api/envoy/extensions/transport_sockets/http_11_proxy/v3/upstream_http_11_connect.proto

@@ -5,7 +5,6 @@ package envoy.extensions.transport_sockets.http_11_proxy.v3;
 import "envoy/config/core/v3/base.proto";
 
 import "udpa/annotations/status.proto";
-import "validate/validate.proto";
 
 option java_package = "io.envoyproxy.envoy.extensions.transport_sockets.http_11_proxy.v3";
 option java_outer_classname = "UpstreamHttp11ConnectProto";
@@ -34,6 +33,6 @@ option (udpa.annotations.file_status).package_version_status = ACTIVE;
 // proxy address in ``config::core::v3::Address`` format.
 //
 message Http11ProxyUpstreamTransport {
-  // The underlying transport socket being wrapped.
-  config.core.v3.TransportSocket transport_socket = 1 [(validate.rules).message = {required: true}];
+  // The underlying transport socket being wrapped. Defaults to plaintext (raw_buffer) if unset.
+  config.core.v3.TransportSocket transport_socket = 1;
 }

api/envoy/extensions/transport_sockets/tls/v3/common.proto

@@ -290,12 +290,12 @@ message TlsSessionTicketKeys {
 // respect to the TLS handshake.
 // [#not-implemented-hide:]
 message CertificateProviderPluginInstance {
-  // Provider instance name. If not present, defaults to "default".
+  // Provider instance name.
   //
   // Instance names should generally be defined not in terms of the underlying provider
   // implementation (e.g., "file_watcher") but rather in terms of the function of the
   // certificates (e.g., "foo_deployment_identity").
-  string instance_name = 1;
+  string instance_name = 1 [(validate.rules).string = {min_len: 1}];
 
   // Opaque name used to specify certificate instances or types. For example, "ROOTCA" to specify
   // a root-certificate (validation context) or "example.com" to specify a certificate for a

bazel/cel-cpp.patch

@@ -1,3 +1,15 @@
+diff --git a/base/attribute.h b/base/attribute.h
+index 9462c180..d6dcce83 100644
+--- a/base/attribute.h
++++ b/base/attribute.h
+@@ -23,6 +23,7 @@
+ #include <vector>
+
+ #include "absl/status/statusor.h"
++#include "absl/strings/str_cat.h"
+ #include "absl/strings/string_view.h"
+ #include "absl/types/optional.h"
+ #include "absl/types/span.h"
 diff --git a/base/memory.h b/base/memory.h
 index 3552e19..0fbe618 100644
 --- a/base/memory.h

bazel/external/aws-c-auth.BUILD

@@ -0,0 +1,19 @@
+licenses(["notice"])  # Apache 2
+
+# Test data for test/extensions/common/aws/sigv4_signer_corpus_test
+filegroup(
+    name = "sigv4_tests",
+    srcs = glob(
+        ["tests/aws-signing-test-suite/v4/**"],
+    ),
+    visibility = ["//visibility:public"],
+)
+
+# Test data for test/extensions/common/aws/sigv4a_signer_corpus_test
+filegroup(
+    name = "sigv4a_tests",
+    srcs = glob(
+        ["tests/aws-signing-test-suite/v4a/**"],
+    ),
+    visibility = ["//visibility:public"],
+)