Add SXG filter extension

[cpapazian]

Commit Message: Add SXG filter extension
Additional Description: Filter to transform response to Signed HTTP Exchange (SXG) package using libsxg (https://github.com/google/libsxg). See: https://wicg.github.io/webpackage/draft-yasskin-httpbis-origin-signed-exchanges-impl.html
Risk Level: low, new filter
Testing: unit tests included, filter is based off version running in production for 4 months
Docs Changes: filter docs added
Release Notes: release notes included

Discussed previously in #9763

[repokitteh-read-only]

Hi @cpapazian, welcome and thank you for your contribution.

We will try to review your Pull Request as quickly as possible.

In the meantime, please take a look at the contribution guidelines if you have not done so already.

🐱

Caused by: #17215 was opened by cpapazian.

see: more, trace.

[repokitteh-read-only]

CC @envoyproxy/api-shepherds: Your approval is needed for changes made to api/envoy/.
envoyproxy/api-shepherds assignee is @markdroth
CC @envoyproxy/api-watchers: FYI only for changes made to api/envoy/.
CC @envoyproxy/dependency-shepherds: Your approval is needed for changes made to (bazel/.*repos.*\.bzl)|(bazel/dependency_imports\.bzl)|(api/bazel/.*\.bzl)|(.*/requirements\.txt)|(.*\.patch).

🐱

Caused by: #17215 was opened by cpapazian.

see: more, trace.

[cpapazian]

@rgs1 @twifkak

[moderation]

Introduces a new dependency - https://github.com/envoyproxy/envoy/blob/main/DEPENDENCY_POLICY.md#new-external-dependencies. OSSF Scorecard results:

scorecard --repo=https://github.com/google/libsxg
RESULTS
Active: Pass 10
Automatic-Dependency-Update: Fail 3
Binary-Artifacts: Pass 10
Branch-Protection: Fail 0
CI-Tests: Pass 9
CII-Best-Practices: Fail 10
Code-Review: Pass 10
Contributors: Pass 10
Frozen-Deps: Fail 10
Fuzzing: Fail 10
Packaging: Fail 10
Pull-Requests: Pass 9
SAST: Fail 10
Security-Policy: Fail 5
Signed-Releases: Fail 10
Signed-Tags: Fail 10
Token-Permissions: Fail 10
Vulnerabilities: Pass 10

[lizan]

Anyone from @envoyproxy/maintainers to sponsor?

[cpapazian]

@twifkak is it possible to get libsxg to build with cmake 3.10? the arm build is running cmake 3.10.2 currently, and fails:

-- Detecting CXX compile features - done
CMake Error at CMakeLists.txt:67 (cmake_minimum_required):
  CMake 3.13 or higher is required.  You are running version 3.10.2

https://dev.azure.com/cncf/envoy/_build/results?buildId=81398&view=logs&j=767be981-567e-57d8-68c3-2140ede0a0bd&t=1fb0b72f-6293-562d-a4d1-bb649223eaca&l=15025

running with the previous commit of libsxg (before we added the 3.13 requirement) we see:

CMake Error at CMakeLists.txt:161 (install):
  install TARGETS given no ARCHIVE DESTINATION for static library target
  "sxg_static".

https://dev.azure.com/cncf/envoy/_build/results?buildId=81199&view=logs&j=767be981-567e-57d8-68c3-2140ede0a0bd&t=1fb0b72f-6293-562d-a4d1-bb649223eaca&l=420

not really sure what to make of this. would be curious your thoughts ...

[twifkak]

@cpapazian Yep, I'll send a PR to update the minimum requirement to 3.1 (earliest I could test easily on my x86_64 laptop via https://cmake.org/files/) when RUN_TEST is off.

It looks like the subsequent error can be fixed by adding the flags -DCMAKE_INSTALL_LIBDIR=lib -DCMAKE_INSTALL_BINDIR=bin. I guess those became the default in some cmake 3.11+ version? Anyway, I'll just include those flags in the README of the same PR.

[twifkak]

@cpapazian Merged google/libsxg#95 which hopefully fixes this (with tests to prevent regression).

[cpapazian]

@yanavlasov I think this is ready for review. Let me know if there's anything else you need from me first. Thanks!

cc @rgs1

[cpapazian]

per @rgs1, we now have a contrib directory (#17595). I can move this extension there, if that makes sense. let me know which you prefer, @yanavlasov

[junr03]

@yanavlasov friendly ping on this.

[cpapazian]

@yanavlasov - per offline conversation with @rgs1, i went ahead and moved this over to contrib.

[rgs1]

@mattklein123 does this sound like a reasonable candidate for contrib/? We were initially targeting it as a regular filter, but contrib/ would be great for us so we can share the code with other parties and then possibly graduate out of contrib... Thanks!

[mattklein123]

@mattklein123 does this sound like a reasonable candidate for contrib/? We were initially targeting it as a regular filter, but contrib/ would be great for us so we can share the code with other parties and then possibly graduate out of contrib... Thanks!

Sure! Is this ready to review? I can take a look and merge if so.

[cpapazian]

Sure! Is this ready to review? I can take a look and merge if so.

Yeah, I think we're ready. @rgs1 has already taken a pass at review.

Only question we had is what to do with the libsxg dependency now that the filter has moved to contrib. It wasn't obvious to me how to dis-entangle all of the external repo stuff in the builds, and I'm not sure we even want to.

Thanks!

[mattklein123]

Thanks I'm fine with this going in for contrib for now, with a few small doc comments.

Regarding the build dependencies being in core, in a perfect world we would figure out how to have them live with the contrib extension itself but I don't think we have a good pattern for that so I'm OK with this for now, especially since bazel will only build the dependency if it's actually used.

/wait

[mattklein123]

note this is available in contrib builds only with a ref link to the contrib docs.

[mattklein123]

Can you note this is in contrib builds only with a ref link to the contrib docs. If the squash filter docs don't have that can you fix that also? (I know I automated the other docs but I think for these manual docs it is probably missing.)

[mattklein123]

Thanks!