Merge branch 'main' into formatter/raw-cluster-name

Signed-off-by: Keith Mattix II <keithmattix@microsoft.com>

CODEOWNERS

@@ -343,6 +343,8 @@ extensions/filters/http/oauth2 @derekargueta @mattklein123
 /*/extensions/geoip_providers/maxmind @nezdolik @ravenblackx
 # Match delegate extension
 /*/extensions/filters/http/match_delegate @wbpcode @jstraceski @tyxia
+# Generic proxy and related extensions
+/*/extensions/filters/network/generic_proxy/ @wbpcode @soulxu
 
 /*/extensions/health_checkers/common @zuercher @botengyao
 

api/BUILD

@@ -81,13 +81,7 @@ proto_library(
         "//contrib/envoy/extensions/filters/http/squash/v3:pkg",
         "//contrib/envoy/extensions/filters/http/sxg/v3alpha:pkg",
         "//contrib/envoy/extensions/filters/network/client_ssl_auth/v3:pkg",
-        "//contrib/envoy/extensions/filters/network/generic_proxy/action/v3:pkg",
-        "//contrib/envoy/extensions/filters/network/generic_proxy/codecs/dubbo/v3:pkg",
-        "//contrib/envoy/extensions/filters/network/generic_proxy/codecs/http1/v3:pkg",
         "//contrib/envoy/extensions/filters/network/generic_proxy/codecs/kafka/v3:pkg",
-        "//contrib/envoy/extensions/filters/network/generic_proxy/matcher/v3:pkg",
-        "//contrib/envoy/extensions/filters/network/generic_proxy/router/v3:pkg",
-        "//contrib/envoy/extensions/filters/network/generic_proxy/v3:pkg",
         "//contrib/envoy/extensions/filters/network/golang/v3alpha:pkg",
         "//contrib/envoy/extensions/filters/network/kafka_broker/v3:pkg",
         "//contrib/envoy/extensions/filters/network/kafka_mesh/v3alpha:pkg",
@@ -230,6 +224,12 @@ proto_library(
         "//envoy/extensions/filters/network/dubbo_proxy/v3:pkg",
         "//envoy/extensions/filters/network/echo/v3:pkg",
         "//envoy/extensions/filters/network/ext_authz/v3:pkg",
+        "//envoy/extensions/filters/network/generic_proxy/action/v3:pkg",
+        "//envoy/extensions/filters/network/generic_proxy/codecs/dubbo/v3:pkg",
+        "//envoy/extensions/filters/network/generic_proxy/codecs/http1/v3:pkg",
+        "//envoy/extensions/filters/network/generic_proxy/matcher/v3:pkg",
+        "//envoy/extensions/filters/network/generic_proxy/router/v3:pkg",
+        "//envoy/extensions/filters/network/generic_proxy/v3:pkg",
         "//envoy/extensions/filters/network/http_connection_manager/v3:pkg",
         "//envoy/extensions/filters/network/local_ratelimit/v3:pkg",
         "//envoy/extensions/filters/network/mongo_proxy/v3:pkg",

api/bazel/repository_locations.bzl

@@ -144,11 +144,11 @@ REPOSITORY_LOCATIONS_SPEC = dict(
         project_name = "buf",
         project_desc = "A new way of working with Protocol Buffers.",  # Used for breaking change detection in API protobufs
         project_url = "https://buf.build",
-        version = "1.34.0",
-        sha256 = "82dcf1a5f45498b539a04d764e3cb274a13c8d94271c92508fc1624d227895ff",
+        version = "1.35.0",
+        sha256 = "a75c622b5d6fae792a0e64a04baa296681eacba7ce0c3c35d25c8b42da2f71e1",
         strip_prefix = "buf",
         urls = ["https://github.com/bufbuild/buf/releases/download/v{version}/buf-Linux-x86_64.tar.gz"],
-        release_date = "2024-06-21",
+        release_date = "2024-07-22",
         use_category = ["api"],
         license = "Apache-2.0",
         license_url = "https://github.com/bufbuild/buf/blob/v{version}/LICENSE",

api/envoy/config/filter/http/ext_authz/v2/ext_authz.proto

@@ -40,11 +40,12 @@ message ExtAuthz {
   //
   //  1. When set to true, the filter will *accept* client request even if the communication with
   //  the authorization service has failed, or if the authorization service has returned a HTTP 5xx
-  //  error.
+  //  error. In case with GRPC authorization service, only PermissionDenied (7) and Unauthenticated (16)
+  //  status codes will *reject* client requests. And other GRPC statuses will *accept* client requests.
   //
   //  2. When set to false, ext-authz will *reject* client requests and return a *Forbidden*
   //  response if the communication with the authorization service has failed, or if the
-  //  authorization service has returned a HTTP 5xx error.
+  //  authorization service has returned a HTTP 5xx error or any non-Ok GRPC status.
   //
   // Note that errors can be *always* tracked in the :ref:`stats
   // <config_http_filters_ext_authz_stats>`.

api/envoy/extensions/filters/http/ext_authz/v3/ext_authz.proto

@@ -11,6 +11,7 @@ import "envoy/type/matcher/v3/metadata.proto";
 import "envoy/type/matcher/v3/string.proto";
 import "envoy/type/v3/http_status.proto";
 
+import "google/protobuf/struct.proto";
 import "google/protobuf/wrappers.proto";
 
 import "envoy/annotations/deprecation.proto";
@@ -29,7 +30,7 @@ option (udpa.annotations.file_status).package_version_status = ACTIVE;
 // External Authorization :ref:`configuration overview <config_http_filters_ext_authz>`.
 // [#extension: envoy.filters.http.ext_authz]
 
-// [#next-free-field: 28]
+// [#next-free-field: 29]
 message ExtAuthz {
   option (udpa.annotations.versioning).previous_message_type =
       "envoy.config.filter.http.ext_authz.v3.ExtAuthz";
@@ -56,11 +57,12 @@ message ExtAuthz {
   //
   //  1. When set to true, the filter will ``accept`` client request even if the communication with
   //  the authorization service has failed, or if the authorization service has returned a HTTP 5xx
-  //  error.
+  //  error. In case with GRPC authorization service, only PermissionDenied (7) and Unauthenticated (16)
+  //  status codes will ``reject`` client requests. And other GRPC statuses will ``accept`` client requests.
   //
   //  2. When set to false, ext-authz will ``reject`` client requests and return a ``Forbidden``
   //  response if the communication with the authorization service has failed, or if the
-  //  authorization service has returned a HTTP 5xx error.
+  //  authorization service has returned a HTTP 5xx error or any non-Ok GRPC status.
   //
   // Note that errors can be ``always`` tracked in the :ref:`stats
   // <config_http_filters_ext_authz_stats>`.
@@ -290,6 +292,11 @@ message ExtAuthz {
   //
   // If unset, defaults to true.
   google.protobuf.BoolValue enable_dynamic_metadata_ingestion = 27;
+
+  // Additional metadata to be added to the filter state for logging purposes. The metadata will be
+  // added to StreamInfo's filter state under the namespace corresponding to the ext_authz filter
+  // name.
+  google.protobuf.Struct filter_metadata = 28;
 }
 
 // Configuration for buffering the request data.

api/contrib/envoy/extensions/filters/network/generic_proxy/action/v3/action.proto → api/envoy/extensions/filters/network/generic_proxy/action/v3/action.proto

@@ -16,7 +16,7 @@ import "validate/validate.proto";
 option java_package = "io.envoyproxy.envoy.extensions.filters.network.generic_proxy.action.v3";
 option java_outer_classname = "ActionProto";
 option java_multiple_files = true;
-option go_package = "github.com/envoyproxy/go-control-plane/contrib/envoy/extensions/filters/network/generic_proxy/action/v3;actionv3";
+option go_package = "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/network/generic_proxy/action/v3;actionv3";
 option (udpa.annotations.file_status).package_version_status = ACTIVE;
 option (xds.annotations.v3.file_status).work_in_progress = true;
 

api/contrib/envoy/extensions/filters/network/generic_proxy/codecs/dubbo/v3/dubbo.proto → api/envoy/extensions/filters/network/generic_proxy/codecs/dubbo/v3/dubbo.proto

@@ -9,7 +9,7 @@ import "udpa/annotations/status.proto";
 option java_package = "io.envoyproxy.envoy.extensions.filters.network.generic_proxy.codecs.dubbo.v3";
 option java_outer_classname = "DubboProto";
 option java_multiple_files = true;
-option go_package = "github.com/envoyproxy/go-control-plane/contrib/envoy/extensions/filters/network/generic_proxy/codecs/dubbo/v3;dubbov3";
+option go_package = "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/network/generic_proxy/codecs/dubbo/v3;dubbov3";
 option (udpa.annotations.file_status).package_version_status = ACTIVE;
 option (xds.annotations.v3.file_status).work_in_progress = true;
 

api/contrib/envoy/extensions/filters/network/generic_proxy/codecs/http1/v3/http1.proto → api/envoy/extensions/filters/network/generic_proxy/codecs/http1/v3/http1.proto

@@ -11,7 +11,7 @@ import "udpa/annotations/status.proto";
 option java_package = "io.envoyproxy.envoy.extensions.filters.network.generic_proxy.codecs.http1.v3";
 option java_outer_classname = "Http1Proto";
 option java_multiple_files = true;
-option go_package = "github.com/envoyproxy/go-control-plane/contrib/envoy/extensions/filters/network/generic_proxy/codecs/http1/v3;http1v3";
+option go_package = "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/network/generic_proxy/codecs/http1/v3;http1v3";
 option (udpa.annotations.file_status).package_version_status = ACTIVE;
 option (xds.annotations.v3.file_status).work_in_progress = true;
 

api/contrib/envoy/extensions/filters/network/generic_proxy/matcher/v3/matcher.proto → api/envoy/extensions/filters/network/generic_proxy/matcher/v3/matcher.proto

@@ -12,7 +12,7 @@ import "validate/validate.proto";
 option java_package = "io.envoyproxy.envoy.extensions.filters.network.generic_proxy.matcher.v3";
 option java_outer_classname = "MatcherProto";
 option java_multiple_files = true;
-option go_package = "github.com/envoyproxy/go-control-plane/contrib/envoy/extensions/filters/network/generic_proxy/matcher/v3;matcherv3";
+option go_package = "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/network/generic_proxy/matcher/v3;matcherv3";
 option (udpa.annotations.file_status).package_version_status = ACTIVE;
 option (xds.annotations.v3.file_status).work_in_progress = true;
 

api/contrib/envoy/extensions/filters/network/generic_proxy/router/v3/router.proto → api/envoy/extensions/filters/network/generic_proxy/router/v3/router.proto

@@ -9,7 +9,7 @@ import "udpa/annotations/status.proto";
 option java_package = "io.envoyproxy.envoy.extensions.filters.network.generic_proxy.router.v3";
 option java_outer_classname = "RouterProto";
 option java_multiple_files = true;
-option go_package = "github.com/envoyproxy/go-control-plane/contrib/envoy/extensions/filters/network/generic_proxy/router/v3;routerv3";
+option go_package = "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/network/generic_proxy/router/v3;routerv3";
 option (udpa.annotations.file_status).package_version_status = ACTIVE;
 option (xds.annotations.v3.file_status).work_in_progress = true;
 

api/contrib/envoy/extensions/filters/network/generic_proxy/v3/generic_proxy.proto → api/envoy/extensions/filters/network/generic_proxy/v3/generic_proxy.proto

@@ -2,10 +2,10 @@ syntax = "proto3";
 
 package envoy.extensions.filters.network.generic_proxy.v3;
 
-import "contrib/envoy/extensions/filters/network/generic_proxy/v3/route.proto";
 import "envoy/config/accesslog/v3/accesslog.proto";
 import "envoy/config/core/v3/config_source.proto";
 import "envoy/config/core/v3/extension.proto";
+import "envoy/extensions/filters/network/generic_proxy/v3/route.proto";
 import "envoy/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto";
 
 import "xds/annotations/v3/status.proto";
@@ -16,7 +16,7 @@ import "validate/validate.proto";
 option java_package = "io.envoyproxy.envoy.extensions.filters.network.generic_proxy.v3";
 option java_outer_classname = "GenericProxyProto";
 option java_multiple_files = true;
-option go_package = "github.com/envoyproxy/go-control-plane/contrib/envoy/extensions/filters/network/generic_proxy/v3;generic_proxyv3";
+option go_package = "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/network/generic_proxy/v3;generic_proxyv3";
 option (udpa.annotations.file_status).package_version_status = ACTIVE;
 option (xds.annotations.v3.file_status).work_in_progress = true;
 

api/contrib/envoy/extensions/filters/network/generic_proxy/v3/route.proto → api/envoy/extensions/filters/network/generic_proxy/v3/route.proto

@@ -11,7 +11,7 @@ import "validate/validate.proto";
 option java_package = "io.envoyproxy.envoy.extensions.filters.network.generic_proxy.v3";
 option java_outer_classname = "RouteProto";
 option java_multiple_files = true;
-option go_package = "github.com/envoyproxy/go-control-plane/contrib/envoy/extensions/filters/network/generic_proxy/v3;generic_proxyv3";
+option go_package = "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/network/generic_proxy/v3;generic_proxyv3";
 option (udpa.annotations.file_status).package_version_status = ACTIVE;
 option (xds.annotations.v3.file_status).work_in_progress = true;
 

api/envoy/extensions/transport_sockets/tls/v3/tls.proto

@@ -63,7 +63,7 @@ message UpstreamTlsContext {
   google.protobuf.BoolValue enforce_rsa_key_usage = 5;
 }
 
-// [#next-free-field: 11]
+// [#next-free-field: 12]
 message DownstreamTlsContext {
   option (udpa.annotations.versioning).previous_message_type =
       "envoy.api.v2.auth.DownstreamTlsContext";
@@ -140,6 +140,11 @@ message DownstreamTlsContext {
   // If the client provides SNI but no such cert matched, it will decide to full scan certificates or not based on this config.
   // Defaults to false. See more details in :ref:`Multiple TLS certificates <arch_overview_ssl_cert_select>`.
   google.protobuf.BoolValue full_scan_certs_on_sni_mismatch = 9;
+
+  // By default, Envoy as a server uses its preferred cipher during the handshake.
+  // Setting this to true would allow the downstream client's preferred cipher to be used instead.
+  // Has no effect when using TLSv1_3.
+  bool prefer_client_ciphers = 11;
 }
 
 // TLS key log configuration.

api/envoy/service/ext_proc/v3/external_processor.proto

@@ -206,12 +206,8 @@ message ProcessingResponse {
 message HttpHeaders {
   // The HTTP request headers. All header keys will be
   // lower-cased, because HTTP header keys are case-insensitive.
-  // The ``headers`` encoding is based on the runtime guard
-  // envoy_reloadable_features_send_header_raw_value setting.
-  // When it is true, the header value is encoded in the
+  // The header value is encoded in the
   // :ref:`raw_value <envoy_v3_api_field_config.core.v3.HeaderValue.raw_value>` field.
-  // When it is false, the header value is encoded in the
-  // :ref:`value <envoy_v3_api_field_config.core.v3.HeaderValue.value>` field.
   config.core.v3.HeaderMap headers = 1;
 
   // [#not-implemented-hide:]
@@ -235,12 +231,8 @@ message HttpBody {
 
 // This message contains the trailers.
 message HttpTrailers {
-  // The ``trailers`` encoding is based on the runtime guard
-  // envoy_reloadable_features_send_header_raw_value setting.
-  // When it is true, the header value is encoded in the
+  // The header value is encoded in the
   // :ref:`raw_value <envoy_v3_api_field_config.core.v3.HeaderValue.raw_value>` field.
-  // When it is false, the header value is encoded in the
-  // :ref:`value <envoy_v3_api_field_config.core.v3.HeaderValue.value>` field.
   config.core.v3.HeaderMap trailers = 1;
 }
 
@@ -308,12 +300,8 @@ message CommonResponse {
   // Add new trailers to the message. This may be used when responding to either a
   // HttpHeaders or HttpBody message, but only if this message is returned
   // along with the CONTINUE_AND_REPLACE status.
-  // The ``trailers`` encoding is based on the runtime guard
-  // envoy_reloadable_features_send_header_raw_value setting.
-  // When it is true, the header value is encoded in the
+  // The header value is encoded in the
   // :ref:`raw_value <envoy_v3_api_field_config.core.v3.HeaderValue.raw_value>` field.
-  // When it is false, the header value is encoded in the
-  // :ref:`value <envoy_v3_api_field_config.core.v3.HeaderValue.value>` field.
   config.core.v3.HeaderMap trailers = 4;
 
   // Clear the route cache for the current client request. This is necessary
@@ -362,12 +350,8 @@ message HeaderMutation {
   // Add or replace HTTP headers. Attempts to set the value of
   // any ``x-envoy`` header, and attempts to set the ``:method``,
   // ``:authority``, ``:scheme``, or ``host`` headers will be ignored.
-  // The ``set_headers`` encoding is based on the runtime guard
-  // envoy_reloadable_features_send_header_raw_value setting.
-  // When it is true, the header value is encoded in the
+  // The header value is encoded in the
   // :ref:`raw_value <envoy_v3_api_field_config.core.v3.HeaderValue.raw_value>` field.
-  // When it is false, the header value is encoded in the
-  // :ref:`value <envoy_v3_api_field_config.core.v3.HeaderValue.value>` field.
   repeated config.core.v3.HeaderValueOption set_headers = 1;
 
   // Remove these HTTP headers. Attempts to remove system headers --

api/versioning/BUILD

@@ -19,13 +19,7 @@ proto_library(
         "//contrib/envoy/extensions/filters/http/squash/v3:pkg",
         "//contrib/envoy/extensions/filters/http/sxg/v3alpha:pkg",
         "//contrib/envoy/extensions/filters/network/client_ssl_auth/v3:pkg",
-        "//contrib/envoy/extensions/filters/network/generic_proxy/action/v3:pkg",
-        "//contrib/envoy/extensions/filters/network/generic_proxy/codecs/dubbo/v3:pkg",
-        "//contrib/envoy/extensions/filters/network/generic_proxy/codecs/http1/v3:pkg",
         "//contrib/envoy/extensions/filters/network/generic_proxy/codecs/kafka/v3:pkg",
-        "//contrib/envoy/extensions/filters/network/generic_proxy/matcher/v3:pkg",
-        "//contrib/envoy/extensions/filters/network/generic_proxy/router/v3:pkg",
-        "//contrib/envoy/extensions/filters/network/generic_proxy/v3:pkg",
         "//contrib/envoy/extensions/filters/network/golang/v3alpha:pkg",
         "//contrib/envoy/extensions/filters/network/kafka_broker/v3:pkg",
         "//contrib/envoy/extensions/filters/network/kafka_mesh/v3alpha:pkg",
@@ -168,6 +162,12 @@ proto_library(
         "//envoy/extensions/filters/network/dubbo_proxy/v3:pkg",
         "//envoy/extensions/filters/network/echo/v3:pkg",
         "//envoy/extensions/filters/network/ext_authz/v3:pkg",
+        "//envoy/extensions/filters/network/generic_proxy/action/v3:pkg",
+        "//envoy/extensions/filters/network/generic_proxy/codecs/dubbo/v3:pkg",
+        "//envoy/extensions/filters/network/generic_proxy/codecs/http1/v3:pkg",
+        "//envoy/extensions/filters/network/generic_proxy/matcher/v3:pkg",
+        "//envoy/extensions/filters/network/generic_proxy/router/v3:pkg",
+        "//envoy/extensions/filters/network/generic_proxy/v3:pkg",
         "//envoy/extensions/filters/network/http_connection_manager/v3:pkg",
         "//envoy/extensions/filters/network/local_ratelimit/v3:pkg",
         "//envoy/extensions/filters/network/mongo_proxy/v3:pkg",