Merge remote-tracking branch 'upstream/master' into alts_frame_protector

api/envoy/api/v2/core/base.proto

@@ -133,7 +133,7 @@ enum RequestMethod {
 // Header name/value pair.
 message HeaderValue {
   // Header name.
-  string key = 1;
+  string key = 1 [(validate.rules).string.min_bytes = 1];
 
   // Header value.
   //

api/envoy/api/v2/core/health_check.proto

@@ -152,16 +152,17 @@ message HealthCheck {
     // TCP health check.
     TcpHealthCheck tcp_health_check = 9;
 
-    // Redis health check.
-    RedisHealthCheck redis_health_check = 10;
-
     // gRPC health check.
     GrpcHealthCheck grpc_health_check = 11;
 
     // Custom health check.
     CustomHealthCheck custom_health_check = 13;
   }
 
+  reserved 10; // redis_health_check is deprecated by :ref:`custom_health_check
+               // <envoy_api_field_core.HealthCheck.custom_health_check>`
+  reserved "redis_health_check";
+
   // The "no traffic interval" is a special health check interval that is used when a cluster has
   // never had traffic routed to it. This lower interval allows cluster information to be kept up to
   // date, without sending a potentially large amount of active health checking traffic for no

api/envoy/api/v2/endpoint/load_report.proto

@@ -4,6 +4,8 @@ package envoy.api.v2.endpoint;
 
 import "envoy/api/v2/core/base.proto";
 
+import "google/protobuf/duration.proto";
+
 import "validate/validate.proto";
 import "gogoproto/gogo.proto";
 
@@ -93,4 +95,10 @@ message ClusterStats {
   // The total number of dropped requests. This covers requests
   // deliberately dropped by the drop_overload policy and circuit breaking.
   uint64 total_dropped_requests = 3;
+
+  // Period over which the actual load report occurred. This will be guaranteed to include every
+  // request reported. Due to system load and delays between the *LoadStatsRequest* sent from Envoy
+  // and the *LoadStatsResponse* message sent from the management server, this may be longer than
+  // the requested load reporting interval in the *LoadStatsResponse*.
+  google.protobuf.Duration load_report_interval = 4;
 }

api/envoy/config/rbac/v2alpha/rbac.proto

@@ -16,12 +16,11 @@ option go_package = "v2alpha";
 //
 // Here is an example of RBAC configuration. It has two policies:
 //
-// * Service account "cluster.local/ns/default/sa/admin" has full access (empty permission entry
-//   means full access) to the service.
+// * Service account "cluster.local/ns/default/sa/admin" has full access to the service, and so
+//   does "cluster.local/ns/default/sa/superuser".
 //
-// * Any user (empty principal entry means any user) can read ("GET") the service at paths with
-//   prefix "/products" or suffix "/reviews" when request header "version" set to either "v1" or
-//   "v2".
+// * Any user can read ("GET") the service at paths with prefix "/products", so long as the
+//   destination port is either 80 or 443.
 //
 //  .. code-block:: yaml
 //

api/envoy/config/resource_monitor/fixed_heap/v2alpha/BUILD

@@ -0,0 +1,8 @@
+load("//bazel:api_build_system.bzl", "api_proto_library_internal")
+
+licenses(["notice"])  # Apache 2
+
+api_proto_library_internal(
+    name = "fixed_heap",
+    srcs = ["fixed_heap.proto"],
+)

api/envoy/config/resource_monitor/fixed_heap/v2alpha/fixed_heap.proto

@@ -0,0 +1,10 @@
+syntax = "proto3";
+
+package envoy.config.resource_monitor.fixed_heap.v2alpha;
+option go_package = "v2alpha";
+
+message FixedHeapConfig {
+  // Limit of the Envoy process heap size. This is used to calculate heap memory pressure which
+  // is defined as (current heap size)/max_heap_size_bytes.
+  uint64 max_heap_size_bytes = 1;
+}

api/envoy/service/load_stats/v2/lrs.proto

@@ -63,6 +63,12 @@ message LoadStatsResponse {
   // Clusters to report stats for.
   repeated string clusters = 1 [(validate.rules).repeated .min_items = 1];
 
-  // The interval of time to collect stats. The default is 10 seconds.
+  // The minimum interval of time to collect stats over. This is only a minimum for two reasons:
+  // 1. There may be some delay from when the timer fires until stats sampling occurs.
+  // 2. For clusters that were already feature in the previous *LoadStatsResponse*, any traffic
+  //    that is observed in between the corresponding previous *LoadStatsRequest* and this
+  //    *LoadStatsResponse* will also be accumulated and billed to the cluster. This avoids a period
+  //    of inobservability that might otherwise exists between the messages. New clusters are not
+  //    subject to this consideration.
   google.protobuf.Duration load_reporting_interval = 2;
 }

bazel/README.md

@@ -36,6 +36,7 @@ On Ubuntu, run the following commands:
  apt-get install clang-format-5.0
  apt-get install autoconf
  apt-get install automake
+ apt-get install pkg-config
 ```
 
 On Fedora (maybe also other red hat distros), run the following:
@@ -53,6 +54,7 @@ brew install go
 brew install bazel
 brew install autoconf
 brew install automake
+brew install pkg-config
 ```
 
 Envoy compiles and passes tests with the version of clang installed by XCode 9.3.0:

ci/build_setup.sh

@@ -87,7 +87,7 @@ if [ "$1" != "-nofetch" ]; then
   fi
 
   # This is the hash on https://github.com/envoyproxy/envoy-filter-example.git we pin to.
-  (cd "${ENVOY_FILTER_EXAMPLE_SRCDIR}" && git fetch origin && git checkout -f 92307d723a1ead25c39f025a734fa091443efdbc)
+  (cd "${ENVOY_FILTER_EXAMPLE_SRCDIR}" && git fetch origin && git checkout -f 3e5b73305b961526ffcee7584251692a9a3ce4b3)
   cp -f "${ENVOY_SRCDIR}"/ci/WORKSPACE.filter.example "${ENVOY_FILTER_EXAMPLE_SRCDIR}"/WORKSPACE
 fi
 

docs/root/configuration/health_checkers/redis.rst

@@ -3,12 +3,22 @@
 Redis
 =====
 
-The Redis health checker is a custom health checker which checks Redis upstream hosts. It sends
-a Redis PING command and expect a PONG response. The upstream Redis server can respond with
-anything other than PONG to cause an immediate active health check failure. Optionally, Envoy can
-perform EXISTS on a user-specified key. If the key does not exist it is considered a passing healthcheck.
-This allows the user to mark a Redis instance for maintenance by setting the specified
-:ref:`key <envoy_api_field_config.health_checker.redis.v2.Redis.key>` to any value and waiting for
-traffic to drain.
+The Redis health checker is a custom health checker (with :code:`envoy.health_checkers.redis` as name)
+which checks Redis upstream hosts. It sends a Redis PING command and expect a PONG response. The upstream
+Redis server can respond with anything other than PONG to cause an immediate active health check failure.
+Optionally, Envoy can perform EXISTS on a user-specified key. If the key does not exist it is considered a
+passing healthcheck. This allows the user to mark a Redis instance for maintenance by setting the
+specified :ref:`key <envoy_api_field_config.health_checker.redis.v2.Redis.key>` to any value and waiting
+for traffic to drain.
+
+An example setting for :ref:`custom_health_check <envoy_api_msg_core.HealthCheck.CustomHealthCheck>` as a
+Redis health checker is shown below:
+
+.. code-block:: yaml
+
+  custom_health_check:
+    name: envoy.health_checkers.redis
+      config:
+        key: foo
 
 * :ref:`v2 API reference <envoy_api_msg_core.HealthCheck.CustomHealthCheck>`

docs/root/intro/arch_overview/redis.rst

@@ -43,8 +43,10 @@ For filter configuration details, see the Redis proxy filter
 The corresponding cluster definition should be configured with
 :ref:`ring hash load balancing <config_cluster_manager_cluster_lb_type>`.
 
-If active healthchecking is desired, the cluster should be configured with a
-:ref:`Redis healthcheck <config_cluster_manager_cluster_hc>`.
+If :ref:`active health checking <arch_overview_health_checking>` is desired, the
+cluster should be configured with a :ref:`custom health check
+<envoy_api_field_core.HealthCheck.custom_health_check>` which configured as a
+:ref:`Redis health checker <config_health_checkers_redis>`.
 
 If passive healthchecking is desired, also configure
 :ref:`outlier detection <config_cluster_manager_cluster_outlier_detection_summary>`.

docs/root/intro/version_history.rst

@@ -18,16 +18,18 @@ Version history
   <envoy_api_field_route.RouteAction.idle_timeout>`. This defaults to 5 minutes; if you have
   other timeouts (e.g. connection idle timeout, upstream response per-retry) that are longer than
   this in duration, you may want to consider setting a non-default per-stream idle timeout.
+* http: added generic :ref:`Upgrade support 
+  <envoy_api_field_config.filter.network.http_connection_manager.v2.HttpConnectionManager.upgrade_configs>`.
 * http: better handling of HEAD requests. Now sending transfer-encoding: chunked rather than content-length: 0.
 * http: response filters not applied to early error paths such as http_parser generated 400s.
-* proxy_protocol: added support for HAProxy Proxy Protocol v2 (AF_INET/AF_INET6 only).
-* http: added generic +:ref:`Upgrade support 
-  <envoy_api_field_config.filter.network.http_connection_manager.v2.HttpConnectionManager.upgrade_configs>`
+* http: :ref:`hpack_table_size <envoy_api_field_core.Http2ProtocolOptions.hpack_table_size>` now controls
+  dynamic table size of both: encoder and decoder.
 * listeners: added the ability to match :ref:`FilterChain <envoy_api_msg_listener.FilterChain>` using
   :ref:`destination_port <envoy_api_field_listener.FilterChainMatch.destination_port>` and
   :ref:`prefix_ranges <envoy_api_field_listener.FilterChainMatch.prefix_ranges>`.
 * lua: added :ref:`connection() <config_http_filters_lua_connection_wrapper>` wrapper and *ssl()* API.
 * lua: added :ref:`requestInfo() <config_http_filters_lua_request_info_wrapper>` wrapper and *protocol()* API.
+* proxy_protocol: added support for HAProxy Proxy Protocol v2 (AF_INET/AF_INET6 only).
 * ratelimit: added support for :repo:`api/envoy/service/ratelimit/v2/rls.proto`.
   Lyft's reference implementation of the `ratelimit <https://github.com/lyft/ratelimit>`_ service also supports the data-plane-api proto as of v1.1.0.
   Envoy can use either proto to send client requests to a ratelimit server with the use of the

examples/grpc-bridge/Dockerfile-python

@@ -3,7 +3,7 @@ FROM envoyproxy/envoy:latest
 RUN apt-get update
 RUN apt-get -q install -y python-dev \
     python-pip
-RUN pip install -q grpcio requests
+RUN pip install -q grpcio protobuf requests
 ADD ./client /client
 RUN chmod a+x /client/client.py
 RUN mkdir /var/log/envoy/

include/envoy/buffer/buffer.h

@@ -4,6 +4,7 @@
 #include <functional>
 #include <memory>
 #include <string>
+#include <tuple>
 
 #include "envoy/common/pure.h"
 
@@ -142,9 +143,11 @@ class Instance {
    * Read from a file descriptor directly into the buffer.
    * @param fd supplies the descriptor to read from.
    * @param max_length supplies the maximum length to read.
-   * @return the number of bytes read or -1 if there was an error.
+   * @return a tuple with the number of bytes read and the errno. If an error occurred, the
+   *   number of bytes read would indicate -1 and the errno would be non-zero. Otherwise, if
+   *   bytes were read, errno shouldn't be used.
    */
-  virtual int read(int fd, uint64_t max_length) PURE;
+  virtual std::tuple<int, int> read(int fd, uint64_t max_length) PURE;
 
   /**
    * Reserve space in the buffer.
@@ -173,9 +176,11 @@ class Instance {
   /**
    * Write the buffer out to a file descriptor.
    * @param fd supplies the descriptor to write to.
-   * @return the number of bytes written or -1 if there was an error.
+   * @return a tuple with the number of bytes written and the errno. If an error occurred, the
+   *   number of bytes written would indicate -1 and the errno would be non-zero. Otherwise, if
+   *   bytes were written, errno shouldn't be used.
    */
-  virtual int write(int fd) PURE;
+  virtual std::tuple<int, int> write(int fd) PURE;
 };
 
 typedef std::unique_ptr<Instance> InstancePtr;

include/envoy/server/BUILD

@@ -181,3 +181,20 @@ envoy_cc_library(
         "//source/common/protobuf",
     ],
 )
+
+envoy_cc_library(
+    name = "resource_monitor_interface",
+    hdrs = ["resource_monitor.h"],
+    deps = [
+        "//source/common/protobuf",
+    ],
+)
+
+envoy_cc_library(
+    name = "resource_monitor_config_interface",
+    hdrs = ["resource_monitor_config.h"],
+    deps = [
+        ":resource_monitor_interface",
+        "//include/envoy/event:dispatcher_interface",
+    ],
+)

include/envoy/server/filter_config.h

@@ -208,7 +208,7 @@ class NamedNetworkFilterConfigFactory {
                                                                 FactoryContext& context) {
     UNREFERENCED_PARAMETER(config);
     UNREFERENCED_PARAMETER(context);
-    NOT_IMPLEMENTED;
+    NOT_IMPLEMENTED_GCOVR_EXCL_LINE;
   }
 
   /**
@@ -260,7 +260,7 @@ class NamedHttpFilterConfigFactory {
     UNREFERENCED_PARAMETER(config);
     UNREFERENCED_PARAMETER(stat_prefix);
     UNREFERENCED_PARAMETER(context);
-    NOT_IMPLEMENTED;
+    NOT_IMPLEMENTED_GCOVR_EXCL_LINE;
   }
 
   /**

include/envoy/server/resource_monitor.h

@@ -0,0 +1,52 @@
+#pragma once
+
+#include <memory>
+
+#include "envoy/common/exception.h"
+#include "envoy/common/pure.h"
+
+namespace Envoy {
+namespace Server {
+
+// Struct for reporting usage for a particular resource.
+struct ResourceUsage {
+  // Fraction of (resource usage)/(resource limit).
+  double resource_pressure_;
+};
+
+class ResourceMonitor {
+public:
+  virtual ~ResourceMonitor() {}
+
+  /**
+   * Notifies caller of updated resource usage.
+   */
+  class Callbacks {
+  public:
+    virtual ~Callbacks() {}
+
+    /**
+     * Called when the request for updated resource usage succeeds.
+     * @param usage the updated resource usage
+     */
+    virtual void onSuccess(const ResourceUsage& usage) PURE;
+
+    /**
+     * Called when the request for updated resource usage fails.
+     * @param error the exception caught when trying to get updated resource usage
+     */
+    virtual void onFailure(const EnvoyException& error) PURE;
+  };
+
+  /**
+   * Recalculate resource usage.
+   * This must be non-blocking so if RPCs need to be made they should be
+   * done asynchronously and invoke the callback when finished.
+   */
+  virtual void updateResourceUsage(Callbacks& callbacks) PURE;
+};
+
+typedef std::unique_ptr<ResourceMonitor> ResourceMonitorPtr;
+
+} // namespace Server
+} // namespace Envoy

include/envoy/server/resource_monitor_config.h

@@ -0,0 +1,53 @@
+#pragma once
+
+#include "envoy/common/pure.h"
+#include "envoy/event/dispatcher.h"
+#include "envoy/server/resource_monitor.h"
+
+#include "common/protobuf/protobuf.h"
+
+namespace Envoy {
+namespace Server {
+namespace Configuration {
+
+class ResourceMonitorFactoryContext {
+public:
+  virtual ~ResourceMonitorFactoryContext() {}
+
+  /**
+   * @return Event::Dispatcher& the main thread's dispatcher. This dispatcher should be used
+   *         for all singleton processing.
+   */
+  virtual Event::Dispatcher& dispatcher() PURE;
+};
+
+/**
+ * Implemented by each resource monitor and registered via Registry::registerFactory()
+ * or the convenience class RegistryFactory.
+ */
+class ResourceMonitorFactory {
+public:
+  virtual ~ResourceMonitorFactory() {}
+
+  /**
+   * Create a particular resource monitor implementation.
+   * @param config const ProtoBuf::Message& supplies the config for the resource monitor
+   *        implementation.
+   * @param context ResourceMonitorFactoryContext& supplies the resource monitor's context.
+   * @return ResourceMonitorPtr the resource monitor instance. Should not be nullptr.
+   * @throw EnvoyException if the implementation is unable to produce an instance with
+   *        the provided parameters.
+   */
+  virtual ResourceMonitorPtr createResourceMonitor(const Protobuf::Message& config,
+                                                   ResourceMonitorFactoryContext& context) PURE;
+
+  /**
+   * @return std::string the identifying name for a particular implementation of a resource
+   * monitor produced by the factory.
+   */
+  virtual std::string name() PURE;
+};
+
+} // namespace Configuration
+} // namespace Server
+} // namespace Envoy