Merge remote-tracking branch 'upstream/main' into apple_pac_proxy_res…

…olver

.bazelrc

@@ -516,14 +516,14 @@ build:common-envoy-engflow --google_default_credentials=false
 build:common-envoy-engflow --credential_helper=*.engflow.com=%workspace%/bazel/engflow-bazel-credential-helper.sh
 build:common-envoy-engflow --grpc_keepalive_time=30s
 
-build:cache-envoy-engflow --remote_cache=grpcs://morganite.cluster.engflow.com
+build:cache-envoy-engflow --remote_cache=grpcs://mordenite.cluster.engflow.com
 build:cache-envoy-engflow --remote_timeout=3600s
-build:bes-envoy-engflow --bes_backend=grpcs://morganite.cluster.engflow.com/
-build:bes-envoy-engflow --bes_results_url=https://morganite.cluster.engflow.com/invocation/
+build:bes-envoy-engflow --bes_backend=grpcs://mordenite.cluster.engflow.com/
+build:bes-envoy-engflow --bes_results_url=https://mordenite.cluster.engflow.com/invocation/
 build:bes-envoy-engflow --bes_timeout=3600s
 build:bes-envoy-engflow --bes_upload_mode=fully_async
 build:bes-envoy-engflow --nolegacy_important_outputs
-build:rbe-envoy-engflow --remote_executor=grpcs://morganite.cluster.engflow.com
+build:rbe-envoy-engflow --remote_executor=grpcs://mordenite.cluster.engflow.com
 build:rbe-envoy-engflow --remote_default_exec_properties=container-image=docker://gcr.io/envoy-ci/envoy-build@sha256:7adc40c09508f957624c4d2e0f5aeecb73a59207ee6ded53b107eac828c091b2
 build:rbe-envoy-engflow --jobs=200
 build:rbe-envoy-engflow --define=engflow_rbe=true

api/BUILD

@@ -140,6 +140,7 @@ proto_library(
         "//envoy/extensions/clusters/dynamic_forward_proxy/v3:pkg",
         "//envoy/extensions/clusters/redis/v3:pkg",
         "//envoy/extensions/common/async_files/v3:pkg",
+        "//envoy/extensions/common/aws/v3:pkg",
         "//envoy/extensions/common/dynamic_forward_proxy/v3:pkg",
         "//envoy/extensions/common/matching/v3:pkg",
         "//envoy/extensions/common/ratelimit/v3:pkg",

api/envoy/config/core/v3/protocol.proto

@@ -39,19 +39,16 @@ message QuicKeepAliveSettings {
   //
   // If zero, disable keepalive probing.
   // If absent, use the QUICHE default interval to probe.
-  google.protobuf.Duration max_interval = 1 [(validate.rules).duration = {
-    lte {}
-    gte {seconds: 1}
-  }];
+  google.protobuf.Duration max_interval = 1;
 
   // The interval to send the first few keep-alive probing packets to prevent connection from hitting the idle timeout. Subsequent probes will be sent, each one with an interval exponentially longer than previous one, till it reaches :ref:`max_interval <envoy_v3_api_field_config.core.v3.QuicKeepAliveSettings.max_interval>`. And the probes afterwards will always use :ref:`max_interval <envoy_v3_api_field_config.core.v3.QuicKeepAliveSettings.max_interval>`.
   //
   // The value should be smaller than :ref:`connection idle_timeout <envoy_v3_api_field_config.listener.v3.QuicProtocolOptions.idle_timeout>` to prevent idle timeout and smaller than max_interval to take effect.
   //
-  // If absent or zero, disable keepalive probing for a server connection. For a client connection, if :ref:`max_interval <envoy_v3_api_field_config.core.v3.QuicKeepAliveSettings.max_interval>`  is also zero, do not keepalive, otherwise use max_interval or QUICHE default to probe all the time.
+  // If absent, disable keepalive probing for a server connection. For a client connection, if :ref:`max_interval <envoy_v3_api_field_config.core.v3.QuicKeepAliveSettings.max_interval>` is zero, do not keepalive, otherwise use max_interval or QUICHE default to probe all the time.
   google.protobuf.Duration initial_interval = 2 [(validate.rules).duration = {
     lte {}
-    gte {seconds: 1}
+    gte {nanos: 1000000}
   }];
 }
 

api/envoy/extensions/common/aws/v3/BUILD

@@ -0,0 +1,9 @@
+# DO NOT EDIT. This file is generated by tools/proto_format/proto_sync.py.
+
+load("@envoy_api//bazel:api_build_system.bzl", "api_proto_package")
+
+licenses(["notice"])  # Apache 2
+
+api_proto_package(
+    deps = ["@com_github_cncf_xds//udpa/annotations:pkg"],
+)

api/envoy/extensions/common/aws/v3/credential_provider.proto

@@ -0,0 +1,54 @@
+syntax = "proto3";
+
+package envoy.extensions.common.aws.v3;
+
+import "udpa/annotations/sensitive.proto";
+import "udpa/annotations/status.proto";
+import "validate/validate.proto";
+
+option java_package = "io.envoyproxy.envoy.extensions.common.aws.v3";
+option java_outer_classname = "CredentialProviderProto";
+option java_multiple_files = true;
+option go_package = "github.com/envoyproxy/go-control-plane/envoy/extensions/common/aws/v3;awsv3";
+option (udpa.annotations.file_status).package_version_status = ACTIVE;
+
+// [#protodoc-title: AWS common configuration]
+
+// Configuration for AWS credential provider. Normally, this is optional and the credentials are
+// retrieved from the environment or AWS configuration files by following the default credential
+// provider chain. This is to support cases where the credentials need to be explicitly provided
+// by the control plane.
+message AwsCredentialProvider {
+  // The option to use `AssumeRoleWithWebIdentity <https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRoleWithWebIdentity.html>`_.
+  // If inline_credential is set, this is ignored.
+  AssumeRoleWithWebIdentityCredentialProvider assume_role_with_web_identity = 1;
+
+  // The option to use an inline credential.
+  // If this is set, it takes precedence over assume_role_with_web_identity.
+  InlineCredentialProvider inline_credential = 2;
+}
+
+// Configuration to use an inline AWS credential. This is an equivalent to setting the well-known
+// environment variables ``AWS_ACCESS_KEY_ID``, ``AWS_SECRET_ACCESS_KEY``, and the optional ``AWS_SESSION_TOKEN``.
+message InlineCredentialProvider {
+  // The AWS access key ID.
+  string access_key_id = 1 [(validate.rules).string = {min_len: 1}];
+
+  // The AWS secret access key.
+  string secret_access_key = 2
+      [(validate.rules).string = {min_len: 1}, (udpa.annotations.sensitive) = true];
+
+  // The AWS session token. This is optional.
+  string session_token = 3 [(udpa.annotations.sensitive) = true];
+}
+
+// Configuration to use `AssumeRoleWithWebIdentity <https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRoleWithWebIdentity.html>`_
+// to get AWS credentials.
+message AssumeRoleWithWebIdentityCredentialProvider {
+  // The ARN of the role to assume.
+  string role_arn = 1 [(validate.rules).string = {min_len: 1}];
+
+  // The web identity token that is provided by the identity provider to assume the role.
+  string web_identity_token = 2
+      [(validate.rules).string = {min_len: 1}, (udpa.annotations.sensitive) = true];
+}

api/envoy/extensions/filters/http/aws_request_signing/v3/BUILD

@@ -6,6 +6,7 @@ licenses(["notice"])  # Apache 2
 
 api_proto_package(
     deps = [
+        "//envoy/extensions/common/aws/v3:pkg",
         "//envoy/type/matcher/v3:pkg",
         "@com_github_cncf_xds//udpa/annotations:pkg",
     ],

api/envoy/extensions/filters/http/aws_request_signing/v3/aws_request_signing.proto

@@ -2,6 +2,7 @@ syntax = "proto3";
 
 package envoy.extensions.filters.http.aws_request_signing.v3;
 
+import "envoy/extensions/common/aws/v3/credential_provider.proto";
 import "envoy/type/matcher/v3/string.proto";
 
 import "google/protobuf/duration.proto";
@@ -21,7 +22,7 @@ option (udpa.annotations.file_status).package_version_status = ACTIVE;
 // [#extension: envoy.filters.http.aws_request_signing]
 
 // Top level configuration for the AWS request signing filter.
-// [#next-free-field: 8]
+// [#next-free-field: 9]
 message AwsRequestSigning {
   option (udpa.annotations.versioning).previous_message_type =
       "envoy.config.filter.http.aws_request_signing.v2alpha.AwsRequestSigning";
@@ -107,6 +108,10 @@ message AwsRequestSigning {
   // query_string: {}
   //
   QueryString query_string = 7;
+
+  // The credential provider for signing the request. This is optional and if not set,
+  // it will be retrieved from the procedure described in :ref:`config_http_filters_aws_request_signing`.
+  common.aws.v3.AwsCredentialProvider credential_provider = 8;
 }
 
 message AwsRequestSigningPerRoute {

api/envoy/extensions/filters/network/tcp_proxy/v3/tcp_proxy.proto

@@ -175,9 +175,9 @@ message TcpProxy {
   // :ref:`TcpProxy.weighted_clusters <envoy_v3_api_field_extensions.filters.network.tcp_proxy.v3.TcpProxy.weighted_clusters>`.
   OnDemand on_demand = 14;
 
-  // Optional endpoint metadata match criteria. Only endpoints in the upstream
-  // cluster with metadata matching that set in metadata_match will be
-  // considered. The filter name should be specified as ``envoy.lb``.
+  // Optional endpoint metadata match criteria used by the subset load balancer. Only endpoints
+  // in the upstream cluster with metadata matching what is set in this field will be considered
+  // for load balancing. The filter name should be specified as ``envoy.lb``.
   config.core.v3.Metadata metadata_match = 9;
 
   // The idle timeout for connections managed by the TCP proxy filter. The idle timeout

api/versioning/BUILD

@@ -78,6 +78,7 @@ proto_library(
         "//envoy/extensions/clusters/dynamic_forward_proxy/v3:pkg",
         "//envoy/extensions/clusters/redis/v3:pkg",
         "//envoy/extensions/common/async_files/v3:pkg",
+        "//envoy/extensions/common/aws/v3:pkg",
         "//envoy/extensions/common/dynamic_forward_proxy/v3:pkg",
         "//envoy/extensions/common/matching/v3:pkg",
         "//envoy/extensions/common/ratelimit/v3:pkg",

changelogs/current.yaml

@@ -24,6 +24,9 @@ bug_fixes:
 
 removed_config_or_runtime:
 # *Normally occurs at the end of the* :ref:`deprecation period <deprecated>`
+- area: router
+  change: |
+    Removed runtime guard ``envoy_reloadable_features_send_local_reply_when_no_buffer_and_upstream_request``.
 - area: http
   change: |
     Removed runtime flag ``envoy.reloadable_features.http_route_connect_proxy_by_default`` and legacy code paths.
@@ -32,6 +35,11 @@ removed_config_or_runtime:
     Removed runtime flag ``envoy.restart_features.allow_client_socket_creation_failure`` and legacy code paths.
 
 new_features:
+- area: aws_request_signing
+  change: |
+    Added an optional field :ref:`credential_provider
+    <envoy_v3_api_field_extensions.filters.http.aws_request_signing.v3.AwsRequestSigning.credential_provider>`
+    to the AWS request signing filter to explicitly specify a source for AWS credentials.
 - area: tls
   change: |
     Added support for P-384 and P-521 curves for TLS server certificates.

ci/Dockerfile-envoy

@@ -1,6 +1,6 @@
 ARG BUILD_OS=ubuntu
 ARG BUILD_TAG=22.04
-ARG BUILD_SHA=58b87898e82351c6cf9cf5b9f3c20257bb9e2dcf33af051e12ce532d7f94e3fe
+ARG BUILD_SHA=0e5e4a57c2499249aafc3b40fcd541e9a456aab7296681a3994d631587203f97
 ARG ENVOY_VRP_BASE_IMAGE=envoy-base
 
 

ci/do_ci.sh

@@ -1026,6 +1026,7 @@ case $CI_TARGET in
         ;;
 
     refresh_compdb)
+        setup_clang_toolchain
         # Override the BAZEL_STARTUP_OPTIONS to setting different output directory.
         # So the compdb headers won't be overwritten by another bazel run.
         for i in "${!BAZEL_STARTUP_OPTIONS[@]}"; do

docs/root/api-v3/common_messages/common_messages.rst

@@ -19,6 +19,7 @@ Common messages
   ../extensions/network/socket_interface/v3/default_socket_interface.proto
   ../extensions/matching/common_inputs/environment_variable/v3/input.proto
   ../config/core/v3/extension.proto
+  ../extensions/common/aws/v3/credential_provider.proto
   ../extensions/common/matching/v3/extension_matcher.proto
   ../extensions/filters/common/dependency/v3/dependency.proto
   ../extensions/regex_engines/v3/google_re2.proto

docs/root/configuration/http/http_filters/_include/aws_credentials.rst

@@ -2,7 +2,7 @@ Credentials
 -----------
 
 The filter uses a number of different credentials providers to obtain an AWS access key ID, AWS secret access key, and AWS session token.
-It moves through the credentials providers in the order described below, stopping when one of them returns an access key ID and a
+By default, it moves through the credentials providers in the order described below, stopping when one of them returns an access key ID and a
 secret access key (the session token is optional).
 
 1. Environment variables. The environment variables ``AWS_ACCESS_KEY_ID``, ``AWS_SECRET_ACCESS_KEY``, and ``AWS_SESSION_TOKEN`` are used.
@@ -46,6 +46,9 @@ secret access key (the session token is optional).
    The static internal cluster will still be added even if initially ``envoy.reloadable_features.use_http_client_to_fetch_aws_credentials`` is
    not set so that subsequently if the reloadable feature is set to ``true`` the cluster config is available to fetch the credentials.
 
+Alternatively, each AWS filter (either AWS Request Signing or AWS Lambda) has its own optional configuration to specify the source of the credentials. For example, AWS Request Signing filter
+has :ref:`credential_provider <envoy_v3_api_field_extensions.filters.http.aws_request_signing.v3.AwsRequestSigning.credential_provider>` field.
+
 Statistics
 ----------
 

mobile/library/cc/engine_builder.cc

@@ -273,6 +273,12 @@ EngineBuilder::setQuicConnectionIdleTimeoutSeconds(int quic_connection_idle_time
   return *this;
 }
 
+EngineBuilder&
+EngineBuilder::setKeepAliveInitialIntervalMilliseconds(int keepalive_initial_interval_ms) {
+  keepalive_initial_interval_ms_ = keepalive_initial_interval_ms;
+  return *this;
+}
+
 EngineBuilder&
 EngineBuilder::enablePlatformCertificatesValidation(bool platform_certificates_validation_on) {
   platform_certificates_validation_on_ = platform_certificates_validation_on;
@@ -759,6 +765,14 @@ std::unique_ptr<envoy::config::bootstrap::v3::Bootstrap> EngineBuilder::generate
         ->mutable_idle_network_timeout()
         ->set_seconds(quic_connection_idle_timeout_seconds_);
 
+    auto* quic_protocol_options = alpn_options.mutable_auto_config()
+                                      ->mutable_http3_protocol_options()
+                                      ->mutable_quic_protocol_options();
+    if (keepalive_initial_interval_ms_ > 0) {
+      quic_protocol_options->mutable_connection_keepalive()->mutable_initial_interval()->set_nanos(
+          keepalive_initial_interval_ms_ * 1000 * 1000);
+    }
+
     base_cluster->mutable_transport_socket()->mutable_typed_config()->PackFrom(h3_proxy_socket);
     (*base_cluster->mutable_typed_extension_protocol_options())
         ["envoy.extensions.upstreams.http.v3.HttpProtocolOptions"]

mobile/library/cc/engine_builder.h

@@ -108,6 +108,9 @@ class EngineBuilder {
   // Sets the QUIC connection idle timeout in seconds.
   EngineBuilder& setQuicConnectionIdleTimeoutSeconds(int quic_connection_idle_timeout_seconds);
 
+  // Sets the QUIC connection keepalive initial interval in nanoseconds
+  EngineBuilder& setKeepAliveInitialIntervalMilliseconds(int keepalive_initial_interval_ms);
+
 #if defined(__APPLE__)
   // Right now, this API is only used by Apple (iOS) to register the Apple proxy resolver API for
   // use in reading and using the system proxy settings.
@@ -210,6 +213,8 @@ class EngineBuilder {
   const uint32_t initial_stream_window_size_ = 6 * 1024 * 1024;      // 6MB
   const uint32_t initial_connection_window_size_ = 15 * 1024 * 1024; // 15MB
   int quic_connection_idle_timeout_seconds_ = 30;
+
+  int keepalive_initial_interval_ms_ = 0;
 };
 
 using EngineBuilderSharedPtr = std::shared_ptr<EngineBuilder>;

mobile/library/java/io/envoyproxy/envoymobile/engine/EnvoyConfiguration.java

@@ -64,6 +64,7 @@ public enum TrustChainVerification {
   public final Map<String, String> runtimeGuards;
   public final boolean enablePlatformCertificatesValidation;
   public final String upstreamTlsSni;
+  public final int h3ConnectionKeepaliveInitialIntervalMilliseconds;
 
   /**
    * Create a new instance of the configuration.
@@ -131,6 +132,8 @@ public enum TrustChainVerification {
    * @param upstreamTlsSni                                the upstream TLS socket SNI override.
    * @param caresFallbackResolvers                        A list of host port pair that's used as
    *     c-ares's fallback resolvers.
+   * @param h3ConnectionKeepaliveInitialIntervalMilliseconds the initial keepalive ping timeout for
+   * HTTP/3.
    */
   public EnvoyConfiguration(
       int connectTimeoutSeconds, int dnsRefreshSeconds, int dnsFailureRefreshSecondsBase,
@@ -150,7 +153,8 @@ public EnvoyConfiguration(
       Map<String, EnvoyStringAccessor> stringAccessors,
       Map<String, EnvoyKeyValueStore> keyValueStores, Map<String, Boolean> runtimeGuards,
       boolean enablePlatformCertificatesValidation, String upstreamTlsSni,
-      List<Pair<String, Integer>> caresFallbackResolvers) {
+      List<Pair<String, Integer>> caresFallbackResolvers,
+      int h3ConnectionKeepaliveInitialIntervalMilliseconds) {
     JniLibrary.load();
     this.connectTimeoutSeconds = connectTimeoutSeconds;
     this.dnsRefreshSeconds = dnsRefreshSeconds;
@@ -213,6 +217,8 @@ public EnvoyConfiguration(
     }
     this.enablePlatformCertificatesValidation = enablePlatformCertificatesValidation;
     this.upstreamTlsSni = upstreamTlsSni;
+    this.h3ConnectionKeepaliveInitialIntervalMilliseconds =
+        h3ConnectionKeepaliveInitialIntervalMilliseconds;
   }
 
   public long createBootstrap() {
@@ -239,7 +245,7 @@ public long createBootstrap() {
         enableInterfaceBinding, h2ConnectionKeepaliveIdleIntervalMilliseconds,
         h2ConnectionKeepaliveTimeoutSeconds, maxConnectionsPerHost, streamIdleTimeoutSeconds,
         perTryIdleTimeoutSeconds, appVersion, appId, enforceTrustChainVerification, filterChain,
-        enablePlatformCertificatesValidation, upstreamTlsSni, runtimeGuards,
-        caresFallbackResolvers);
+        enablePlatformCertificatesValidation, upstreamTlsSni, runtimeGuards, caresFallbackResolvers,
+        h3ConnectionKeepaliveInitialIntervalMilliseconds);
   }
 }

mobile/library/java/io/envoyproxy/envoymobile/engine/JniLibrary.java

@@ -313,7 +313,7 @@ public static native long createBootstrap(
       long streamIdleTimeoutSeconds, long perTryIdleTimeoutSeconds, String appVersion, String appId,
       boolean trustChainVerification, byte[][] filterChain,
       boolean enablePlatformCertificatesValidation, String upstreamTlsSni, byte[][] runtimeGuards,
-      byte[][] cares_fallback_resolvers);
+      byte[][] cares_fallback_resolvers, long h3ConnectionKeepaliveInitialIntervalMilliseconds);
 
   /**
    * Initializes c-ares.

mobile/library/java/org/chromium/net/impl/NativeCronvoyEngineBuilderImpl.java

@@ -69,6 +69,7 @@ public class NativeCronvoyEngineBuilderImpl extends CronvoyEngineBuilderImpl {
   private TrustChainVerification mTrustChainVerification = VERIFY_TRUST_CHAIN;
   private final boolean mEnablePlatformCertificatesValidation = true;
   private String mUpstreamTlsSni = "";
+  private int mH3ConnectionKeepaliveInitialIntervalMilliseconds = 0;
 
   private final Map<String, Boolean> mRuntimeGuards = new HashMap<>();
 
@@ -234,6 +235,12 @@ public NativeCronvoyEngineBuilderImpl setUpstreamTlsSni(String sni) {
     return this;
   }
 
+  public NativeCronvoyEngineBuilderImpl
+  setH3ConnectionKeepaliveInitialIntervalMilliseconds(int interval) {
+    mH3ConnectionKeepaliveInitialIntervalMilliseconds = interval;
+    return this;
+  }
+
   public NativeCronvoyEngineBuilderImpl setConnectTimeoutSeconds(int connectTimeout) {
     mConnectTimeoutSeconds = connectTimeout;
     return this;
@@ -302,6 +309,6 @@ mUseGro, quicConnectionOptions(), quicClientConnectionOptions(), quicHints(),
         mMaxConnectionsPerHost, mStreamIdleTimeoutSeconds, mPerTryIdleTimeoutSeconds, mAppVersion,
         mAppId, mTrustChainVerification, nativeFilterChain, platformFilterChain, stringAccessors,
         keyValueStores, mRuntimeGuards, mEnablePlatformCertificatesValidation, mUpstreamTlsSni,
-        mCaresFallbackResolvers);
+        mCaresFallbackResolvers, mH3ConnectionKeepaliveInitialIntervalMilliseconds);
   }
 }