Merge remote-tracking branch 'upstream/main' into fix_locality_schedu…

…ler_init

Signed-off-by: Adi Suissa-Peleg <adip@google.com>

.bazelrc

@@ -226,7 +226,8 @@ build:coverage --instrumentation_filter="^//source(?!/common/quic/platform)[/:],
 build:coverage --remote_download_minimal
 build:coverage --define=tcmalloc=gperftools
 build:coverage --define=no_debug_info=1
-build:coverage --linkopt=-Wl,-s
+# `--no-relax` is required for coverage to not err with `relocation R_X86_64_REX_GOTPCRELX`
+build:coverage --linkopt=-Wl,-s,--no-relax
 build:coverage --test_env=ENVOY_IP_TEST_VERSIONS=v4only
 
 build:test-coverage --test_arg="-l trace"

.circleci/config.yml

@@ -3,6 +3,6 @@ version: 2.1
 jobs:
   build:
     docker:
-    - image: debian:bullseye-slim
+    - image: debian:bullseye-slim@sha256:d3d0d14f49b49a4dd98a436711f5646dc39e1c99203ef223d1b6620061e2c0e5
     steps:
     - run: echo "no circle on this branch"

.gitattributes

@@ -4,3 +4,6 @@
 /test/extensions/transport_sockets/tls/test_data/aes_128_key binary
 /test/extensions/transport_sockets/tls/test_data/ticket_key_* binary
 /test/**/*_corpus/* linguist-generated=true
+requirements.txt binary
+package.lock binary
+yarn.lock binary

.github/workflows/_precheck_deps.yml

@@ -55,4 +55,4 @@ jobs:
         ref: ${{ fromJSON(inputs.request).request.sha }}
         persist-credentials: false
     - name: Dependency Review
-      uses: actions/dependency-review-action@01bc87099ba56df1e897b6874784491ea6309bc4  # v3.1.4
+      uses: actions/dependency-review-action@c74b580d73376b7750d3d2a50bfb8adc2c937507  # v3.1.5

.github/workflows/_stage_verify.yml

@@ -85,5 +85,5 @@ jobs:
                 export DEBIAN_FRONTEND=noninteractive
                 sudo apt-get -qq update -y
                 sudo apt-get -qq install -y --no-install-recommends expect gettext whois
-                sudo snap install yq
+                pip install -r ./.github/workflows/verify-requirements.txt
               shell: bash

.github/workflows/codeql-daily.yml

@@ -1,3 +1,8 @@
+name: CodeQL/daily
+
+permissions:
+  contents: read
+
 on:
   schedule:
   - cron: '0 12 * * 4'
@@ -6,11 +11,13 @@ concurrency:
   group: ${{ github.head_ref-github.workflow || github.run_id }}
   cancel-in-progress: true
 
+
 jobs:
   CodeQL-Build:
 
     permissions:
       security-events: write  # for github/codeql-action/analyze to upload SARIF results
+      pull-requests: read
     strategy:
       fail-fast: false
 

.github/workflows/codeql-push.yml

@@ -1,4 +1,7 @@
-name: CodeQL
+name: CodeQL/push
+
+permissions:
+  contents: read
 
 on:
   push:
@@ -12,18 +15,18 @@ concurrency:
   group: ${{ github.head_ref-github.workflow || github.run_id }}
   cancel-in-progress: true
 
+env:
+  SEARCH_FOLDER: //source/common/...
+
+
 jobs:
   CodeQL-Build:
-
     permissions:
-      security-events: write  # for github/codeql-action/analyze to upload SARIF results
-    strategy:
-      fail-fast: false
-
-    # CodeQL runs on ubuntu-20.04
+      # for github/codeql-action/analyze to upload SARIF results
+      security-events: write
+      pull-requests: read
     runs-on: ubuntu-20.04
     if: github.repository == 'envoyproxy/envoy'
-
     steps:
     - name: Pre-cleanup
       uses: envoyproxy/toolshed/gh-actions/diskspace@6b3ddd1e42c252d68fb98973760c0ee1943c9c21  # actions-v0.2.20
@@ -36,19 +39,33 @@ jobs:
 
     - name: Get build targets
       run: |
-       . .github/workflows/get_build_targets.sh
-       echo 'BUILD_TARGETS<<EOF' >> $GITHUB_ENV
-       echo $BUILD_TARGETS_LOCAL >> $GITHUB_ENV
-       echo 'EOF' >> $GITHUB_ENV
+        # TODO(phlax): Shift this to an action
+        compare_head () {
+            while IFS= read -r line; do
+                bazel query "rdeps($SEARCH_FOLDER, $line, 1)"  2> /dev/null
+            done < <(git diff --name-only HEAD FETCH_HEAD -- source/* include/*)
+        }
+        if [[ "$GIT_EVENT" == "pull_request" ]]; then
+            git fetch https://github.com/envoyproxy/envoy.git main 2> /dev/null
+            TO_OTHER=FETCH_HEAD
+        else
+            TO_OTHER=HEAD^1
+        fi
+        BUILD_TARGETS="$(compare_head "$TO_OTHER" | grep -v '\.cc\|\.h' | sort -u | head -n 3)"
+        echo 'BUILD_TARGETS<<EOF' >> $GITHUB_ENV
+        echo "$BUILD_TARGETS" >> $GITHUB_ENV
+        echo 'EOF' >> $GITHUB_ENV
+      env:
+        GIT_EVENT: ${{ github.event_name }}
 
-    # Initializes the CodeQL tools for scanning.
     - name: Initialize CodeQL
+      if: ${{ env.BUILD_TARGETS != '' }}
       uses: github/codeql-action/init@cdcdbb579706841c47f7063dda365e292e5cad7a  # codeql-bundle-v2.13.4
-      # Override language selection by uncommenting this and choosing your languages
       with:
         languages: cpp
 
     - name: Install deps
+      if: ${{ env.BUILD_TARGETS != '' }}
       shell: bash
       run: |
        sudo apt-get update --error-on=any
@@ -64,16 +81,25 @@ jobs:
        export PATH=bin/clang14/bin:$PATH
 
     - name: Build
+      if: ${{ env.BUILD_TARGETS != '' }}
       run: |
        bazel/setup_clang.sh bin/clang14
-       bazelisk shutdown
-       bazelisk build -c fastbuild --spawn_strategy=local --discard_analysis_cache --nouse_action_cache --config clang --config libc++ $BUILD_TARGETS
+       bazel shutdown
+       bazel build \
+           -c fastbuild \
+           --spawn_strategy=local \
+           --discard_analysis_cache \
+           --nouse_action_cache \
+           --config clang \
+           --config libc++ \
+           $BUILD_TARGETS
        echo -e "Built targets...\n$BUILD_TARGETS"
 
     - name: Clean Artifacts
+      if: ${{ env.BUILD_TARGETS != '' }}
       run: |
         git clean -xdf
 
     - name: Perform CodeQL Analysis
-      if: env.BUILD_TARGETS != ''
+      if: ${{ env.BUILD_TARGETS != '' }}
       uses: github/codeql-action/analyze@cdcdbb579706841c47f7063dda365e292e5cad7a  # codeql-bundle-v2.13.4

.github/workflows/envoy-sync.yml

@@ -1,5 +1,8 @@
 name: 'Sync downstream'
 
+permissions:
+  contents: read
+
 on:
   push:
     branches:

.github/workflows/verify-requirements.in

@@ -0,0 +1 @@
+yq

.github/workflows/verify-requirements.txt

@@ -0,0 +1,74 @@
+#
+# This file is autogenerated by pip-compile with Python 3.11
+# by the following command:
+#
+#    pip-compile --allow-unsafe --generate-hashes verify-requirements.in
+#
+argcomplete==3.2.1 \
+    --hash=sha256:30891d87f3c1abe091f2142613c9d33cac84a5e15404489f033b20399b691fec \
+    --hash=sha256:437f67fb9b058da5a090df505ef9be0297c4883993f3f56cb186ff087778cfb4
+    # via yq
+pyyaml==6.0.1 \
+    --hash=sha256:04ac92ad1925b2cff1db0cfebffb6ffc43457495c9b3c39d3fcae417d7125dc5 \
+    --hash=sha256:062582fca9fabdd2c8b54a3ef1c978d786e0f6b3a1510e0ac93ef59e0ddae2bc \
+    --hash=sha256:0d3304d8c0adc42be59c5f8a4d9e3d7379e6955ad754aa9d6ab7a398b59dd1df \
+    --hash=sha256:1635fd110e8d85d55237ab316b5b011de701ea0f29d07611174a1b42f1444741 \
+    --hash=sha256:184c5108a2aca3c5b3d3bf9395d50893a7ab82a38004c8f61c258d4428e80206 \
+    --hash=sha256:18aeb1bf9a78867dc38b259769503436b7c72f7a1f1f4c93ff9a17de54319b27 \
+    --hash=sha256:1d4c7e777c441b20e32f52bd377e0c409713e8bb1386e1099c2415f26e479595 \
+    --hash=sha256:1e2722cc9fbb45d9b87631ac70924c11d3a401b2d7f410cc0e3bbf249f2dca62 \
+    --hash=sha256:1fe35611261b29bd1de0070f0b2f47cb6ff71fa6595c077e42bd0c419fa27b98 \
+    --hash=sha256:28c119d996beec18c05208a8bd78cbe4007878c6dd15091efb73a30e90539696 \
+    --hash=sha256:326c013efe8048858a6d312ddd31d56e468118ad4cdeda36c719bf5bb6192290 \
+    --hash=sha256:40df9b996c2b73138957fe23a16a4f0ba614f4c0efce1e9406a184b6d07fa3a9 \
+    --hash=sha256:42f8152b8dbc4fe7d96729ec2b99c7097d656dc1213a3229ca5383f973a5ed6d \
+    --hash=sha256:49a183be227561de579b4a36efbb21b3eab9651dd81b1858589f796549873dd6 \
+    --hash=sha256:4fb147e7a67ef577a588a0e2c17b6db51dda102c71de36f8549b6816a96e1867 \
+    --hash=sha256:50550eb667afee136e9a77d6dc71ae76a44df8b3e51e41b77f6de2932bfe0f47 \
+    --hash=sha256:510c9deebc5c0225e8c96813043e62b680ba2f9c50a08d3724c7f28a747d1486 \
+    --hash=sha256:5773183b6446b2c99bb77e77595dd486303b4faab2b086e7b17bc6bef28865f6 \
+    --hash=sha256:596106435fa6ad000c2991a98fa58eeb8656ef2325d7e158344fb33864ed87e3 \
+    --hash=sha256:6965a7bc3cf88e5a1c3bd2e0b5c22f8d677dc88a455344035f03399034eb3007 \
+    --hash=sha256:69b023b2b4daa7548bcfbd4aa3da05b3a74b772db9e23b982788168117739938 \
+    --hash=sha256:6c22bec3fbe2524cde73d7ada88f6566758a8f7227bfbf93a408a9d86bcc12a0 \
+    --hash=sha256:704219a11b772aea0d8ecd7058d0082713c3562b4e271b849ad7dc4a5c90c13c \
+    --hash=sha256:7e07cbde391ba96ab58e532ff4803f79c4129397514e1413a7dc761ccd755735 \
+    --hash=sha256:81e0b275a9ecc9c0c0c07b4b90ba548307583c125f54d5b6946cfee6360c733d \
+    --hash=sha256:855fb52b0dc35af121542a76b9a84f8d1cd886ea97c84703eaa6d88e37a2ad28 \
+    --hash=sha256:8d4e9c88387b0f5c7d5f281e55304de64cf7f9c0021a3525bd3b1c542da3b0e4 \
+    --hash=sha256:9046c58c4395dff28dd494285c82ba00b546adfc7ef001486fbf0324bc174fba \
+    --hash=sha256:9eb6caa9a297fc2c2fb8862bc5370d0303ddba53ba97e71f08023b6cd73d16a8 \
+    --hash=sha256:a0cd17c15d3bb3fa06978b4e8958dcdc6e0174ccea823003a106c7d4d7899ac5 \
+    --hash=sha256:afd7e57eddb1a54f0f1a974bc4391af8bcce0b444685d936840f125cf046d5bd \
+    --hash=sha256:b1275ad35a5d18c62a7220633c913e1b42d44b46ee12554e5fd39c70a243d6a3 \
+    --hash=sha256:b786eecbdf8499b9ca1d697215862083bd6d2a99965554781d0d8d1ad31e13a0 \
+    --hash=sha256:ba336e390cd8e4d1739f42dfe9bb83a3cc2e80f567d8805e11b46f4a943f5515 \
+    --hash=sha256:baa90d3f661d43131ca170712d903e6295d1f7a0f595074f151c0aed377c9b9c \
+    --hash=sha256:bc1bf2925a1ecd43da378f4db9e4f799775d6367bdb94671027b73b393a7c42c \
+    --hash=sha256:bd4af7373a854424dabd882decdc5579653d7868b8fb26dc7d0e99f823aa5924 \
+    --hash=sha256:bf07ee2fef7014951eeb99f56f39c9bb4af143d8aa3c21b1677805985307da34 \
+    --hash=sha256:bfdf460b1736c775f2ba9f6a92bca30bc2095067b8a9d77876d1fad6cc3b4a43 \
+    --hash=sha256:c8098ddcc2a85b61647b2590f825f3db38891662cfc2fc776415143f599bb859 \
+    --hash=sha256:d2b04aac4d386b172d5b9692e2d2da8de7bfb6c387fa4f801fbf6fb2e6ba4673 \
+    --hash=sha256:d483d2cdf104e7c9fa60c544d92981f12ad66a457afae824d146093b8c294c54 \
+    --hash=sha256:d858aa552c999bc8a8d57426ed01e40bef403cd8ccdd0fc5f6f04a00414cac2a \
+    --hash=sha256:e7d73685e87afe9f3b36c799222440d6cf362062f78be1013661b00c5c6f678b \
+    --hash=sha256:f003ed9ad21d6a4713f0a9b5a7a0a79e08dd0f221aff4525a2be4c346ee60aab \
+    --hash=sha256:f22ac1c3cac4dbc50079e965eba2c1058622631e526bd9afd45fedd49ba781fa \
+    --hash=sha256:faca3bdcf85b2fc05d06ff3fbc1f83e1391b3e724afa3feba7d13eeab355484c \
+    --hash=sha256:fca0e3a251908a499833aa292323f32437106001d436eca0e6e7833256674585 \
+    --hash=sha256:fd1592b3fdf65fff2ad0004b5e363300ef59ced41c2e6b3a99d4089fa8c5435d \
+    --hash=sha256:fd66fc5d0da6d9815ba2cebeb4205f95818ff4b79c3ebe268e75d961704af52f
+    # via yq
+tomlkit==0.12.3 \
+    --hash=sha256:75baf5012d06501f07bee5bf8e801b9f343e7aac5a92581f20f80ce632e6b5a4 \
+    --hash=sha256:b0a645a9156dc7cb5d3a1f0d4bab66db287fcb8e0430bdd4664a095ea16414ba
+    # via yq
+xmltodict==0.13.0 \
+    --hash=sha256:341595a488e3e01a85a9d8911d8912fd922ede5fecc4dce437eb4b6c8d037e56 \
+    --hash=sha256:aa89e8fd76320154a40d19a0df04a4695fb9dc5ba977cbb68ab3e4eb225e7852
+    # via yq
+yq==3.2.3 \
+    --hash=sha256:29c8fe1d36b4f64163f4d01314c6ae217539870f610216dee6025dfb5eafafb1 \
+    --hash=sha256:b50c91894dad9894d1d36ea77d5722d5495cac9482d2351e55089360a90709ae
+    # via -r verify-requirements.in

CODEOWNERS

@@ -131,8 +131,8 @@ extensions/filters/common/original_src @klarose @mattklein123
 # webassembly stat-sink extensions
 /*/extensions/stat_sinks/wasm @mpwarres @lizan
 /*/extensions/resource_monitors/injected_resource @eziskind @htuch
-/*/extensions/resource_monitors/common @eziskind @htuch
-/*/extensions/resource_monitors/fixed_heap @eziskind @htuch
+/*/extensions/resource_monitors/common @eziskind @htuch @nezdolik
+/*/extensions/resource_monitors/fixed_heap @eziskind @htuch @nezdolik
 /*/extensions/resource_monitors/downstream_connections @nezdolik @mattklein123
 /*/extensions/retry/priority @alyssawilk @mattklein123
 /*/extensions/retry/priority/previous_priorities @alyssawilk @mattklein123
@@ -305,13 +305,13 @@ extensions/filters/http/oauth2 @derekargueta @mattklein123
 # Dubbo codec
 /*/extensions/common/dubbo @wbpcode @lizan
 # upstream load balancing policies
-/*/extensions/load_balancing_policies/common @wbpcode @tonya11en
-/*/extensions/load_balancing_policies/least_request @wbpcode @tonya11en
+/*/extensions/load_balancing_policies/common @wbpcode @tonya11en @nezdolik
+/*/extensions/load_balancing_policies/least_request @wbpcode @tonya11en @nezdolik
 /*/extensions/load_balancing_policies/random @wbpcode @tonya11en
-/*/extensions/load_balancing_policies/round_robin @wbpcode @tonya11en
-/*/extensions/load_balancing_policies/ring_hash @wbpcode @UNOWNED
-/*/extensions/load_balancing_policies/maglev @wbpcode @UNOWNED
-/*/extensions/load_balancing_policies/subset @wbpcode @zuercher
+/*/extensions/load_balancing_policies/round_robin @wbpcode @tonya11en @nezdolik
+/*/extensions/load_balancing_policies/ring_hash @wbpcode @nezdolik
+/*/extensions/load_balancing_policies/maglev @wbpcode @nezdolik
+/*/extensions/load_balancing_policies/subset @wbpcode @zuercher @nezdolik
 /*/extensions/load_balancing_policies/cluster_provided @wbpcode @zuercher
 # Early header mutation
 /*/extensions/http/early_header_mutation/header_mutation @wbpcode @UNOWNED

api/envoy/config/core/v3/base.proto

@@ -346,9 +346,12 @@ message HeaderValueOption {
 
   // Describes the supported actions types for header append action.
   enum HeaderAppendAction {
-    // This action will append the specified value to the existing values if the header
-    // already exists. If the header doesn't exist then this will add the header with
-    // specified key and value.
+    // If the header already exists, this action will result in:
+    //
+    // - Comma-concatenated for predefined inline headers.
+    // - Duplicate header added in the ``HeaderMap`` for other headers.
+    //
+    // If the header doesn't exist then this will add new header with specified key and value.
     APPEND_IF_EXISTS_OR_ADD = 0;
 
     // This action will add the header if it doesn't already exist. If the header

api/envoy/config/route/v3/route.proto

@@ -82,14 +82,11 @@ message RouteConfiguration {
     (validate.rules).repeated = {items {string {well_known_regex: HTTP_HEADER_NAME strict: false}}}
   ];
 
-  // By default, headers that should be added/removed are evaluated from most to least specific:
-  //
-  // * route level
-  // * virtual host level
-  // * connection manager level
-  //
-  // To allow setting overrides at the route or virtual host level, this order can be reversed
-  // by setting this option to true. Defaults to false.
+  // Headers mutations at all levels are evaluated, if specified. By default, the order is from most
+  // specific (i.e. route entry level) to least specific (i.e. route configuration level). Later header
+  // mutations may override earlier mutations.
+  // This order can be reversed by setting this field to true. In other words, most specific level mutation
+  // is evaluated last.
   //
   bool most_specific_header_mutations_wins = 10;