auto-merge envoyproxy/envoy[main] into envoyproxy/envoy-openssl[main]

.github/workflows/_check_build.yml

@@ -5,9 +5,6 @@ permissions:
 
 on:
   workflow_call:
-    secrets:
-      gcp-key:
-        required: true
     inputs:
       request:
         type: string
@@ -23,15 +20,13 @@ concurrency:
 
 jobs:
   build:
-    secrets:
-      gcp-key: ${{ secrets.gcp-key }}
     permissions:
       contents: read
       packages: read
     uses: ./.github/workflows/_run.yml
     name: ${{ matrix.name ||matrix.target }}
     with:
-      # bazel-extra: '--config=remote-envoy-engflow'
+      bazel-extra: '--config=remote-envoy-engflow'
       cache-build-image: ${{ fromJSON(inputs.request).request.build-image.default }}
       concurrency-suffix: -${{ matrix.target }}
       error-match: |

.github/workflows/_check_san.yml

@@ -5,9 +5,6 @@ permissions:
 
 on:
   workflow_call:
-    secrets:
-      gcp-key:
-        required: true
     inputs:
       request:
         type: string
@@ -23,15 +20,13 @@ concurrency:
 
 jobs:
   san:
-    secrets:
-      gcp-key: ${{ secrets.gcp-key }}
     permissions:
       contents: read
       packages: read
     uses: ./.github/workflows/_run.yml
     name: ${{ matrix.target }}
     with:
-      # bazel-extra: '--config=remote-envoy-engflow'
+      bazel-extra: '--config=remote-envoy-engflow'
       cache-build-image: ${{ fromJSON(inputs.request).request.build-image.default }}
       concurrency-suffix: -${{ matrix.target }}
       request: ${{ inputs.request }}

.github/workflows/envoy-checks.yml

@@ -41,8 +41,6 @@ jobs:
       # head-sha: ${{ github.sha }}
 
   build:
-    secrets:
-      gcp-key: ${{ secrets.GCP_SERVICE_ACCOUNT_KEY }}
     permissions:
       actions: read
       contents: read
@@ -75,8 +73,6 @@ jobs:
       trusted: ${{ fromJSON(needs.load.outputs.trusted) }}
 
   san:
-    secrets:
-      gcp-key: ${{ secrets.GCP_SERVICE_ACCOUNT_KEY }}
     permissions:
       actions: read
       contents: read

RELEASES.md

@@ -66,6 +66,7 @@ actual mechanics of the release itself.
 | 2023 Q3 | Boteng Yao ([botengyao](https://github.com/botengyao))         | Kateryna Nezdolii ([nezdolik](https://github.com/nezdolik))              |
 | 2023 Q4 | Paul Merrison ([pmerrison](https://github.com/pmerrison))      | Brian Sonnenberg ([briansonnenberg](https://github.com/briansonnenberg)) |
 | 2024 Q2 | Ryan Northey ([phlax](https://github.com/phlax))               | Boteng Yao ([botengyao](https://github.com/botengyao))                   |
+| 2024 Q3 | Ryan Northey ([phlax](https://github.com/phlax))               | Boteng Yao ([botengyao](https://github.com/botengyao))                   |
 
 ## Major release schedule
 

api/BUILD

@@ -140,6 +140,7 @@ proto_library(
         "//envoy/extensions/clusters/dynamic_forward_proxy/v3:pkg",
         "//envoy/extensions/clusters/redis/v3:pkg",
         "//envoy/extensions/common/async_files/v3:pkg",
+        "//envoy/extensions/common/aws/v3:pkg",
         "//envoy/extensions/common/dynamic_forward_proxy/v3:pkg",
         "//envoy/extensions/common/matching/v3:pkg",
         "//envoy/extensions/common/ratelimit/v3:pkg",

api/envoy/extensions/common/aws/v3/BUILD

@@ -0,0 +1,9 @@
+# DO NOT EDIT. This file is generated by tools/proto_format/proto_sync.py.
+
+load("@envoy_api//bazel:api_build_system.bzl", "api_proto_package")
+
+licenses(["notice"])  # Apache 2
+
+api_proto_package(
+    deps = ["@com_github_cncf_xds//udpa/annotations:pkg"],
+)

api/envoy/extensions/common/aws/v3/credential_provider.proto

@@ -0,0 +1,54 @@
+syntax = "proto3";
+
+package envoy.extensions.common.aws.v3;
+
+import "udpa/annotations/sensitive.proto";
+import "udpa/annotations/status.proto";
+import "validate/validate.proto";
+
+option java_package = "io.envoyproxy.envoy.extensions.common.aws.v3";
+option java_outer_classname = "CredentialProviderProto";
+option java_multiple_files = true;
+option go_package = "github.com/envoyproxy/go-control-plane/envoy/extensions/common/aws/v3;awsv3";
+option (udpa.annotations.file_status).package_version_status = ACTIVE;
+
+// [#protodoc-title: AWS common configuration]
+
+// Configuration for AWS credential provider. Normally, this is optional and the credentials are
+// retrieved from the environment or AWS configuration files by following the default credential
+// provider chain. This is to support cases where the credentials need to be explicitly provided
+// by the control plane.
+message AwsCredentialProvider {
+  // The option to use `AssumeRoleWithWebIdentity <https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRoleWithWebIdentity.html>`_.
+  // If inline_credential is set, this is ignored.
+  AssumeRoleWithWebIdentityCredentialProvider assume_role_with_web_identity = 1;
+
+  // The option to use an inline credential.
+  // If this is set, it takes precedence over assume_role_with_web_identity.
+  InlineCredentialProvider inline_credential = 2;
+}
+
+// Configuration to use an inline AWS credential. This is an equivalent to setting the well-known
+// environment variables ``AWS_ACCESS_KEY_ID``, ``AWS_SECRET_ACCESS_KEY``, and the optional ``AWS_SESSION_TOKEN``.
+message InlineCredentialProvider {
+  // The AWS access key ID.
+  string access_key_id = 1 [(validate.rules).string = {min_len: 1}];
+
+  // The AWS secret access key.
+  string secret_access_key = 2
+      [(validate.rules).string = {min_len: 1}, (udpa.annotations.sensitive) = true];
+
+  // The AWS session token. This is optional.
+  string session_token = 3 [(udpa.annotations.sensitive) = true];
+}
+
+// Configuration to use `AssumeRoleWithWebIdentity <https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRoleWithWebIdentity.html>`_
+// to get AWS credentials.
+message AssumeRoleWithWebIdentityCredentialProvider {
+  // The ARN of the role to assume.
+  string role_arn = 1 [(validate.rules).string = {min_len: 1}];
+
+  // The web identity token that is provided by the identity provider to assume the role.
+  string web_identity_token = 2
+      [(validate.rules).string = {min_len: 1}, (udpa.annotations.sensitive) = true];
+}

api/envoy/extensions/filters/http/aws_request_signing/v3/BUILD

@@ -6,6 +6,7 @@ licenses(["notice"])  # Apache 2
 
 api_proto_package(
     deps = [
+        "//envoy/extensions/common/aws/v3:pkg",
         "//envoy/type/matcher/v3:pkg",
         "@com_github_cncf_xds//udpa/annotations:pkg",
     ],

api/envoy/extensions/filters/http/aws_request_signing/v3/aws_request_signing.proto

@@ -2,6 +2,7 @@ syntax = "proto3";
 
 package envoy.extensions.filters.http.aws_request_signing.v3;
 
+import "envoy/extensions/common/aws/v3/credential_provider.proto";
 import "envoy/type/matcher/v3/string.proto";
 
 import "google/protobuf/duration.proto";
@@ -21,7 +22,7 @@ option (udpa.annotations.file_status).package_version_status = ACTIVE;
 // [#extension: envoy.filters.http.aws_request_signing]
 
 // Top level configuration for the AWS request signing filter.
-// [#next-free-field: 8]
+// [#next-free-field: 9]
 message AwsRequestSigning {
   option (udpa.annotations.versioning).previous_message_type =
       "envoy.config.filter.http.aws_request_signing.v2alpha.AwsRequestSigning";
@@ -107,6 +108,10 @@ message AwsRequestSigning {
   // query_string: {}
   //
   QueryString query_string = 7;
+
+  // The credential provider for signing the request. This is optional and if not set,
+  // it will be retrieved from the procedure described in :ref:`config_http_filters_aws_request_signing`.
+  common.aws.v3.AwsCredentialProvider credential_provider = 8;
 }
 
 message AwsRequestSigningPerRoute {

api/versioning/BUILD

@@ -78,6 +78,7 @@ proto_library(
         "//envoy/extensions/clusters/dynamic_forward_proxy/v3:pkg",
         "//envoy/extensions/clusters/redis/v3:pkg",
         "//envoy/extensions/common/async_files/v3:pkg",
+        "//envoy/extensions/common/aws/v3:pkg",
         "//envoy/extensions/common/dynamic_forward_proxy/v3:pkg",
         "//envoy/extensions/common/matching/v3:pkg",
         "//envoy/extensions/common/ratelimit/v3:pkg",

changelogs/current.yaml

@@ -32,6 +32,11 @@ removed_config_or_runtime:
     Removed runtime flag ``envoy.restart_features.allow_client_socket_creation_failure`` and legacy code paths.
 
 new_features:
+- area: aws_request_signing
+  change: |
+    Added an optional field :ref:`credential_provider
+    <envoy_v3_api_field_extensions.filters.http.aws_request_signing.v3.AwsRequestSigning.credential_provider>`
+    to the AWS request signing filter to explicitly specify a source for AWS credentials.
 - area: tls
   change: |
     Added support for P-384 and P-521 curves for TLS server certificates.

docs/root/api-v3/common_messages/common_messages.rst

@@ -19,6 +19,7 @@ Common messages
   ../extensions/network/socket_interface/v3/default_socket_interface.proto
   ../extensions/matching/common_inputs/environment_variable/v3/input.proto
   ../config/core/v3/extension.proto
+  ../extensions/common/aws/v3/credential_provider.proto
   ../extensions/common/matching/v3/extension_matcher.proto
   ../extensions/filters/common/dependency/v3/dependency.proto
   ../extensions/regex_engines/v3/google_re2.proto

docs/root/configuration/http/http_filters/_include/aws_credentials.rst

@@ -2,7 +2,7 @@ Credentials
 -----------
 
 The filter uses a number of different credentials providers to obtain an AWS access key ID, AWS secret access key, and AWS session token.
-It moves through the credentials providers in the order described below, stopping when one of them returns an access key ID and a
+By default, it moves through the credentials providers in the order described below, stopping when one of them returns an access key ID and a
 secret access key (the session token is optional).
 
 1. Environment variables. The environment variables ``AWS_ACCESS_KEY_ID``, ``AWS_SECRET_ACCESS_KEY``, and ``AWS_SESSION_TOKEN`` are used.
@@ -46,6 +46,9 @@ secret access key (the session token is optional).
    The static internal cluster will still be added even if initially ``envoy.reloadable_features.use_http_client_to_fetch_aws_credentials`` is
    not set so that subsequently if the reloadable feature is set to ``true`` the cluster config is available to fetch the credentials.
 
+Alternatively, each AWS filter (either AWS Request Signing or AWS Lambda) has its own optional configuration to specify the source of the credentials. For example, AWS Request Signing filter
+has :ref:`credential_provider <envoy_v3_api_field_extensions.filters.http.aws_request_signing.v3.AwsRequestSigning.credential_provider>` field.
+
 Statistics
 ----------
 

source/common/http/conn_manager_impl.h

@@ -338,7 +338,8 @@ class ConnectionManagerImpl : Logger::Loggable<Logger::Id::http>,
           : codec_saw_local_complete_(false), codec_encode_complete_(false),
             on_reset_stream_called_(false), is_zombie_stream_(false), successful_upgrade_(false),
             is_internally_destroyed_(false), is_internally_created_(false), is_tunneling_(false),
-            decorated_propagate_(true), deferred_to_next_io_iteration_(false) {}
+            decorated_propagate_(true), deferred_to_next_io_iteration_(false),
+            deferred_end_stream_(false) {}
 
       // It's possibly for the codec to see the completed response but not fully
       // encode it.

source/extensions/common/aws/BUILD

@@ -126,6 +126,7 @@ envoy_cc_library(
         "//source/common/runtime:runtime_features_lib",
         "//source/common/tracing:http_tracer_lib",
         "@com_google_absl//absl/time",
+        "@envoy_api//envoy/extensions/common/aws/v3:pkg_cc_proto",
     ],
 )