Merge branch 'main' into retry_policy_ext

Signed-off-by: Xin Zhuang <stevenzzz@google.com>

.bazelrc

@@ -510,16 +510,18 @@ build:rbe-engflow --remote_timeout=3600s
 build:rbe-engflow --bes_timeout=3600s
 build:rbe-engflow --bes_upload_mode=fully_async
 
-build:rbe-envoy-engflow --google_default_credentials=false
-build:rbe-envoy-engflow --remote_cache=grpcs://morganite.cluster.engflow.com
+build:cache-envoy-engflow --google_default_credentials=false
+build:cache-envoy-engflow --remote_cache=grpcs://morganite.cluster.engflow.com
+build:cache-envoy-engflow --remote_timeout=3600s
+build:cache-envoy-engflow --credential_helper=*.engflow.com=%workspace%/bazel/engflow-bazel-credential-helper.sh
+build:cache-envoy-engflow --grpc_keepalive_time=30s
+build:bes-envoy-engflow --bes_backend=grpcs://morganite.cluster.engflow.com/
+build:bes-envoy-engflow --bes_results_url=https://morganite.cluster.engflow.com/invocation/
+build:bes-envoy-engflow --bes_timeout=3600s
+build:bes-envoy-engflow --bes_upload_mode=fully_async
+build:rbe-envoy-engflow --config=cache-envoy-engflow
+build:rbe-envoy-engflow --config=bes-envoy-engflow
 build:rbe-envoy-engflow --remote_executor=grpcs://morganite.cluster.engflow.com
-build:rbe-envoy-engflow --bes_backend=grpcs://morganite.cluster.engflow.com/
-build:rbe-envoy-engflow --bes_results_url=https://morganite.cluster.engflow.com/invocation/
-build:rbe-envoy-engflow --credential_helper=*.engflow.com=%workspace%/bazel/engflow-bazel-credential-helper.sh
-build:rbe-envoy-engflow --grpc_keepalive_time=30s
-build:rbe-envoy-engflow --remote_timeout=3600s
-build:rbe-envoy-engflow --bes_timeout=3600s
-build:rbe-envoy-engflow --bes_upload_mode=fully_async
 build:rbe-envoy-engflow --remote_default_exec_properties=container-image=docker://docker.io/envoyproxy/envoy-build-ubuntu:0ca52447572ee105a4730da5e76fe47c9c5a7c64@sha256:d736c58f06f36848e7966752cc7e01519cc1b5101a178d5c6634807e8ac3deab
 
 #############################################################################

.github/workflows/_precheck_deps.yml

@@ -55,4 +55,4 @@ jobs:
         ref: ${{ fromJSON(inputs.request).request.sha }}
         persist-credentials: false
     - name: Dependency Review
-      uses: actions/dependency-review-action@80f10bf419f34980065523f5efca7ebed17576aa  # v4.1.0
+      uses: actions/dependency-review-action@9129d7d40b8c12c1ed0f60400d00c92d437adcce  # v4.1.3

.github/workflows/envoy-macos.yml

@@ -37,8 +37,6 @@ jobs:
     permissions:
       contents: read
       packages: read
-    secrets:
-      rbe-key: ${{ secrets.GCP_SERVICE_ACCOUNT_KEY }}
     if: ${{ fromJSON(needs.load.outputs.request).run.build-macos }}
     needs:
     - load
@@ -49,6 +47,7 @@ jobs:
       container-command:
       request: ${{ needs.load.outputs.request }}
       runs-on: macos-14-xlarge
+      source: ${{ matrix.source }}
       steps-post:
       steps-pre: ${{ matrix.steps-pre }}
       target: ${{ matrix.target }}
@@ -59,19 +58,14 @@ jobs:
         include:
         - target: ci/mac_ci_steps.sh
           name: macOS
-          steps-pre: |
-            - run: ./ci/mac_ci_setup.sh
-              shell: bash
-              name: Setup macos
           source: |
-            GCP_SERVICE_ACCOUNT_KEY_PATH=$(mktemp -t gcp_service_account.XXXXXX.json)
-            bash -c "echo \"${RBE_KEY}\" | base64 --decode > \"${GCP_SERVICE_ACCOUNT_KEY_PATH}\""
+            source ./ci/mac_ci_setup.sh
             _BAZEL_BUILD_EXTRA_OPTIONS=(
               --remote_download_toplevel
               --flaky_test_attempts=2
-              --config=cache-google
-              --config=ci
-              --google_credentials=${GCP_SERVICE_ACCOUNT_KEY_PATH})
+              --config=bes-envoy-engflow
+              --config=cache-envoy-engflow
+              --config=ci)
             export BAZEL_BUILD_EXTRA_OPTIONS=${_BAZEL_BUILD_EXTRA_OPTIONS[*]}
 
   request:

.github/workflows/mobile-compile_time_options.yml

@@ -103,10 +103,7 @@ jobs:
             --config=mobile-remote-ci-macos-swift
             //library/swift:ios_framework
           source: |
-            # TODO(fredyw): A workaround since mobile/WORKSPACE requires Android SDK to be available
-            # and the GitHub Action runner image no longer includes Android SDK 30:
-            # https://github.com/actions/runner-images/issues/8952
-            ./ci/mac_ci_setup.sh --android
+            source ./ci/mac_ci_setup.sh
             ./bazelw shutdown
 
   request:

.github/workflows/mobile-ios_build.yml

@@ -44,10 +44,7 @@ jobs:
       request: ${{ needs.load.outputs.request }}
       runs-on: macos-12
       source: |
-        # TODO(fredyw): A workaround since mobile/WORKSPACE requires Android SDK to be available
-        # and the GitHub Action runner image no longer includes Android SDK 30:
-        # https://github.com/actions/runner-images/issues/8952
-        ./ci/mac_ci_setup.sh --android
+        source ./ci/mac_ci_setup.sh
         ./bazelw shutdown
       steps-post: ${{ matrix.steps-post }}
       target: ${{ matrix.target }}
@@ -86,17 +83,17 @@ jobs:
       request: ${{ needs.load.outputs.request }}
       runs-on: macos-12
       source: |
-        # TODO(fredyw): A workaround since mobile/WORKSPACE requires Android SDK to be available
-        # and the GitHub Action runner image no longer includes Android SDK 30:
-        # https://github.com/actions/runner-images/issues/8952
-        ./ci/mac_ci_setup.sh --android
+        source ./ci/mac_ci_setup.sh
         ./bazelw shutdown
       steps-post: |
         - uses: envoyproxy/toolshed/gh-actions/envoy/ios/post@680d414be3f56cbb161dfdebebece85d81c3f686  # actions-v0.2.24
           with:
             app: ${{ matrix.app }}
             args: ${{ matrix.args || '--config=mobile-remote-ci-macos-ios' }}
             expected: received headers with status ${{ matrix.expected-status }}
+          env:
+            ANDROID_NDK_HOME:
+            ANDROID_HOME:
       target: ${{ matrix.target }}
       timeout-minutes: ${{ matrix.timeout-minutes }}
       trusted: ${{ fromJSON(needs.load.outputs.trusted) }}
@@ -131,10 +128,7 @@ jobs:
       request: ${{ needs.load.outputs.request }}
       runs-on: macos-12
       source: |
-        # TODO(fredyw): A workaround since mobile/WORKSPACE requires Android SDK to be available
-        # and the GitHub Action runner image no longer includes Android SDK 30:
-        # https://github.com/actions/runner-images/issues/8952
-        ./ci/mac_ci_setup.sh --android
+        source ./ci/mac_ci_setup.sh
       steps-post: |
         - uses: envoyproxy/toolshed/gh-actions/envoy/ios/post@680d414be3f56cbb161dfdebebece85d81c3f686  # actions-v0.2.24
           with:
@@ -143,6 +137,9 @@ jobs:
             expected: >-
               ${{ matrix.expected
                   || format('received headers with status {0}', matrix.expected-status) }}
+          env:
+            ANDROID_NDK_HOME:
+            ANDROID_HOME:
       target: ${{ matrix.target }}
       timeout-minutes: 50
       trusted: ${{ fromJSON(needs.load.outputs.trusted) }}

.github/workflows/mobile-ios_tests.yml

@@ -44,10 +44,7 @@ jobs:
       request: ${{ needs.load.outputs.request }}
       runs-on: macos-12
       source: |
-        # TODO(fredyw): A workaround since mobile/WORKSPACE requires Android SDK to be available
-        # and the GitHub Action runner image no longer includes Android SDK 30:
-        # https://github.com/actions/runner-images/issues/8952
-        ./ci/mac_ci_setup.sh --android
+        source ./ci/mac_ci_setup.sh
       steps-post: ${{ matrix.steps-post }}
       target: ${{ matrix.target }}
       timeout-minutes: ${{ matrix.timeout-minutes }}

.github/workflows/mobile-release_validation.yml

@@ -51,10 +51,7 @@ jobs:
       request: ${{ needs.load.outputs.request }}
       runs-on: macos-12
       source: |
-        # TODO(fredyw): A workaround since mobile/WORKSPACE always requires Android SDK to be available
-        # and the GitHub Action runner image no longer includes Android SDK 30:
-        # https://github.com/actions/runner-images/issues/8952
-        ./ci/mac_ci_setup.sh --android
+        source ./ci/mac_ci_setup.sh
       # Ignore errors: Bad CRC when unzipping large files: https://bbs.archlinux.org/viewtopic.php?id=153011
       steps-post: |
         - run: |

CODEOWNERS

@@ -258,6 +258,7 @@ extensions/filters/http/oauth2 @derekargueta @mattklein123
 # proxy protocol
 /*/extensions/filters/listener/proxy_protocol @ggreenway @soulxu
 # access loggers
+/*/extensions/access_loggers/fluentd @ohadvano @wbpcode
 /*/extensions/access_loggers/grpc @wbpcode @cpakulski @giantcroc @gyohuangxin
 # stats
 /*/extensions/stat_sinks/statsd @mattklein123 @suniltheta

api/BUILD

@@ -134,6 +134,7 @@ proto_library(
         "//envoy/data/tap/v3:pkg",
         "//envoy/extensions/access_loggers/file/v3:pkg",
         "//envoy/extensions/access_loggers/filters/cel/v3:pkg",
+        "//envoy/extensions/access_loggers/fluentd/v3:pkg",
         "//envoy/extensions/access_loggers/grpc/v3:pkg",
         "//envoy/extensions/access_loggers/open_telemetry/v3:pkg",
         "//envoy/extensions/access_loggers/stream/v3:pkg",

api/bazel/repositories.bzl

@@ -62,6 +62,9 @@ def api_dependencies():
     external_http_archive(
         name = "com_github_chrusty_protoc_gen_jsonschema",
     )
+    external_http_archive(
+        name = "rules_proto_grpc",
+    )
 
     external_http_archive(
         name = "envoy_toolshed",

api/bazel/repository_locations.bzl

@@ -92,9 +92,9 @@ REPOSITORY_LOCATIONS_SPEC = dict(
         project_name = "Prometheus client model",
         project_desc = "Data model artifacts for Prometheus",
         project_url = "https://github.com/prometheus/client_model",
-        version = "0.5.0",
-        sha256 = "170873e0b91cab5da6634af1498b88876842ff3e01212e2dabf6b4e6512c948d",
-        release_date = "2023-10-03",
+        version = "0.6.0",
+        sha256 = "6f8464471e34749753e5d767b22939b98a73b2149bc551c0f017d861f8a0adeb",
+        release_date = "2024-02-16",
         strip_prefix = "client_model-{version}",
         urls = ["https://github.com/prometheus/client_model/archive/v{version}.tar.gz"],
         use_category = ["api"],
@@ -151,6 +151,17 @@ REPOSITORY_LOCATIONS_SPEC = dict(
         use_category = ["build"],
         release_date = "2023-05-30",
     ),
+    rules_proto_grpc = dict(
+        project_name = "rules_proto_grpc",
+        project_desc = "Bazel rules for building Protobuf and gRPC code and libraries from proto_library targets ",
+        project_url = "https://github.com/rules-proto-grpc/rules_proto_grpc",
+        version = "4.4.0",
+        sha256 = "928e4205f701b7798ce32f3d2171c1918b363e9a600390a25c876f075f1efc0a",
+        strip_prefix = "rules_proto_grpc-{version}",
+        urls = ["https://github.com/rules-proto-grpc/rules_proto_grpc/releases/download/{version}/rules_proto_grpc-{version}.tar.gz"],
+        use_category = ["build"],
+        release_date = "2023-05-03",
+    ),
     envoy_toolshed = dict(
         project_name = "envoy_toolshed",
         project_desc = "Tooling, libraries, runners and checkers for Envoy proxy's CI",

api/envoy/config/core/v3/base.proto

@@ -245,15 +245,17 @@ message Metadata {
   // :ref:`typed_filter_metadata <envoy_v3_api_field_config.core.v3.Metadata.typed_filter_metadata>`
   // fields are present in the metadata with same keys,
   // only ``typed_filter_metadata`` field will be parsed.
-  map<string, google.protobuf.Struct> filter_metadata = 1;
+  map<string, google.protobuf.Struct> filter_metadata = 1
+      [(validate.rules).map = {keys {string {min_len: 1}}}];
 
   // Key is the reverse DNS filter name, e.g. com.acme.widget. The ``envoy.*``
   // namespace is reserved for Envoy's built-in filters.
   // The value is encoded as google.protobuf.Any.
   // If both :ref:`filter_metadata <envoy_v3_api_field_config.core.v3.Metadata.filter_metadata>`
   // and ``typed_filter_metadata`` fields are present in the metadata with same keys,
   // only ``typed_filter_metadata`` field will be parsed.
-  map<string, google.protobuf.Any> typed_filter_metadata = 2;
+  map<string, google.protobuf.Any> typed_filter_metadata = 2
+      [(validate.rules).map = {keys {string {min_len: 1}}}];
 }
 
 // Runtime derived uint32 with a default when not specified.

api/envoy/config/trace/v3/dynamic_ot.proto

@@ -33,11 +33,15 @@ message DynamicOtConfig {
   string library = 1 [
     deprecated = true,
     (validate.rules).string = {min_len: 1},
-    (envoy.annotations.deprecated_at_minor_version) = "3.0"
+    (envoy.annotations.deprecated_at_minor_version) = "3.0",
+    (envoy.annotations.disallowed_by_default) = true
   ];
 
   // The configuration to use when creating a tracer from the given dynamic
   // library.
-  google.protobuf.Struct config = 2
-      [deprecated = true, (envoy.annotations.deprecated_at_minor_version) = "3.0"];
+  google.protobuf.Struct config = 2 [
+    deprecated = true,
+    (envoy.annotations.deprecated_at_minor_version) = "3.0",
+    (envoy.annotations.disallowed_by_default) = true
+  ];
 }

api/envoy/extensions/access_loggers/fluentd/v3/BUILD

@@ -0,0 +1,9 @@
+# DO NOT EDIT. This file is generated by tools/proto_format/proto_sync.py.
+
+load("@envoy_api//bazel:api_build_system.bzl", "api_proto_package")
+
+licenses(["notice"])  # Apache 2
+
+api_proto_package(
+    deps = ["@com_github_cncf_xds//udpa/annotations:pkg"],
+)

api/envoy/extensions/access_loggers/fluentd/v3/fluentd.proto

@@ -0,0 +1,70 @@
+syntax = "proto3";
+
+package envoy.extensions.access_loggers.fluentd.v3;
+
+import "google/protobuf/duration.proto";
+import "google/protobuf/struct.proto";
+import "google/protobuf/wrappers.proto";
+
+import "udpa/annotations/status.proto";
+import "validate/validate.proto";
+
+option java_package = "io.envoyproxy.envoy.extensions.access_loggers.fluentd.v3";
+option java_outer_classname = "FluentdProto";
+option java_multiple_files = true;
+option go_package = "github.com/envoyproxy/go-control-plane/envoy/extensions/access_loggers/fluentd/v3;fluentdv3";
+option (udpa.annotations.file_status).package_version_status = ACTIVE;
+
+// [#protodoc-title: Fluentd access log]
+
+// Configuration for the *envoy.access_loggers.fluentd* :ref:`AccessLog <envoy_v3_api_msg_config.accesslog.v3.AccessLog>`.
+// This access log extension will send the emitted access logs over a TCP connection to an upstream that is accepting
+// the Fluentd Forward Protocol as described in: `Fluentd Forward Protocol Specification
+// <https://github.com/fluent/fluentd/wiki/Forward-Protocol-Specification-v1>`_.
+// [#extension: envoy.access_loggers.fluentd]
+// [#next-free-field: 7]
+message FluentdAccessLogConfig {
+  // The upstream cluster to connect to for streaming the Fluentd messages.
+  string cluster = 1 [(validate.rules).string = {min_len: 1}];
+
+  // A tag is a string separated with '.' (e.g. log.type) to categorize events.
+  // See: https://github.com/fluent/fluentd/wiki/Forward-Protocol-Specification-v1#message-modes
+  string tag = 2 [(validate.rules).string = {min_len: 1}];
+
+  // The prefix to use when emitting :ref:`statistics <config_access_log_stats>`.
+  string stat_prefix = 3 [(validate.rules).string = {min_len: 1}];
+
+  // Interval for flushing access logs to the TCP stream. Logger will flush requests every time
+  // this interval is elapsed, or when batch size limit is hit, whichever comes first. Defaults to
+  // 1 second.
+  google.protobuf.Duration buffer_flush_interval = 4 [(validate.rules).duration = {gt {}}];
+
+  // Soft size limit in bytes for access log entries buffer. The logger will buffer requests until
+  // this limit it hit, or every time flush interval is elapsed, whichever comes first. When the buffer
+  // limit is hit, the logger will immediately flush the buffer contents. Setting it to zero effectively
+  // disables the batching. Defaults to 16384.
+  google.protobuf.UInt32Value buffer_size_bytes = 5;
+
+  // A struct that represents the record that is sent for each log entry.
+  // https://github.com/fluent/fluentd/wiki/Forward-Protocol-Specification-v1#entry
+  // Values are rendered as strings, numbers, or boolean values as appropriate.
+  // Nested JSON objects may be produced by some command operators (e.g. FILTER_STATE or DYNAMIC_METADATA).
+  // See :ref:`format string<config_access_log_format_strings>` documentation for a specific command operator details.
+  //
+  // .. validated-code-block:: yaml
+  //   :type-name: envoy.extensions.access_loggers.fluentd.v3.FluentdAccessLogConfig
+  //
+  //   record:
+  //     status: "%RESPONSE_CODE%"
+  //     message: "%LOCAL_REPLY_BODY%"
+  //
+  // The following msgpack record would be created:
+  //
+  // .. code-block:: json
+  //
+  //  {
+  //    "status": 500,
+  //    "message": "My error message"
+  //  }
+  google.protobuf.Struct record = 6 [(validate.rules).message = {required: true}];
+}

api/envoy/extensions/filters/http/ext_proc/v3/ext_proc.proto

@@ -3,6 +3,7 @@ syntax = "proto3";
 package envoy.extensions.filters.http.ext_proc.v3;
 
 import "envoy/config/common/mutation_rules/v3/mutation_rules.proto";
+import "envoy/config/core/v3/base.proto";
 import "envoy/config/core/v3/grpc_service.proto";
 import "envoy/extensions/filters/http/ext_proc/v3/processing_mode.proto";
 import "envoy/type/matcher/v3/string.proto";
@@ -273,7 +274,7 @@ message ExtProcPerRoute {
 }
 
 // Overrides that may be set on a per-route basis
-// [#next-free-field: 7]
+// [#next-free-field: 8]
 message ExtProcOverrides {
   // Set a different processing mode for this route than the default.
   ProcessingMode processing_mode = 1;
@@ -301,4 +302,10 @@ message ExtProcOverrides {
   // config used. It is the prerogative of the control plane to ensure this
   // most-specific config contains the correct final overrides.
   MetadataOptions metadata_options = 6;
+
+  // Additional metadata to include into streams initiated to the ext_proc gRPC
+  // service. This can be used for scenarios in which additional ad hoc
+  // authorization headers (e.g. ``x-foo-bar: baz-key``) are to be injected or
+  // when a route needs to partially override inherited metadata.
+  repeated config.core.v3.HeaderValue grpc_initial_metadata = 7;
 }

api/envoy/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto

@@ -37,7 +37,7 @@ option (udpa.annotations.file_status).package_version_status = ACTIVE;
 // HTTP connection manager :ref:`configuration overview <config_http_conn_man>`.
 // [#extension: envoy.filters.network.http_connection_manager]
 
-// [#next-free-field: 57]
+// [#next-free-field: 58]
 message HttpConnectionManager {
   option (udpa.annotations.versioning).previous_message_type =
       "envoy.config.filter.network.http_connection_manager.v2.HttpConnectionManager";
@@ -887,6 +887,10 @@ message HttpConnectionManager {
   // will be ignored if the ``x-forwarded-port`` header has been set by any trusted proxy in front of Envoy.
   bool append_x_forwarded_port = 51;
 
+  // Append the :ref:`config_http_conn_man_headers_x-envoy-local-overloaded` HTTP header in the scenario where
+  // the Overload Manager has been triggered.
+  bool append_local_overload = 57;
+
   // Whether the HCM will add ProxyProtocolFilterState to the Connection lifetime filter state. Defaults to ``true``.
   // This should be set to ``false`` in cases where Envoy's view of the downstream address may not correspond to the
   // actual client address, for example, if there's another proxy in front of the Envoy.

api/versioning/BUILD

@@ -72,6 +72,7 @@ proto_library(
         "//envoy/data/tap/v3:pkg",
         "//envoy/extensions/access_loggers/file/v3:pkg",
         "//envoy/extensions/access_loggers/filters/cel/v3:pkg",
+        "//envoy/extensions/access_loggers/fluentd/v3:pkg",
         "//envoy/extensions/access_loggers/grpc/v3:pkg",
         "//envoy/extensions/access_loggers/open_telemetry/v3:pkg",
         "//envoy/extensions/access_loggers/stream/v3:pkg",