diff --git a/bazel/BUILD b/bazel/BUILD
index 17319f4c35ef2..ab7a54d68e07c 100644
--- a/bazel/BUILD
+++ b/bazel/BUILD
@@ -430,6 +430,16 @@ config_setting(
 values = {"define": "wasm=disabled"},
 )
 
+# This config setting enables Universal Header Validator and disables
+# HTTP header compliance checks in codecs.
+# This setting is temporary to transition header validation into UHV without
+# impacting production builds of Envoy.
+# This setting is enabled for the bazel.compile_time_options CI target.
+config_setting(
+ name = "uhv_enabled",
+ values = {"define": "uhv=enabled"},
+)
+
 # Alias pointing to the selected version of BoringSSL:
 # - BoringSSL FIPS from @boringssl_fips//:ssl,
 # - non-FIPS BoringSSL from @boringssl//:ssl.
diff --git a/bazel/envoy_internal.bzl b/bazel/envoy_internal.bzl
index b942be424c1f4..e1767530cac50 100644
--- a/bazel/envoy_internal.bzl
+++ b/bazel/envoy_internal.bzl
@@ -118,6 +118,9 @@ def envoy_copts(repository, test = False):
 # APPLE_USE_RFC_3542 is needed to support IPV6_PKTINFO in MAC OS.
 repository + "//bazel:apple": ["-D__APPLE_USE_RFC_3542"],
 "//conditions:default": [],
+ }) + select({
+ repository + "//bazel:uhv_enabled": ["-DENVOY_ENABLE_UHV"],
+ "//conditions:default": [],
 }) + envoy_select_hot_restart(["-DENVOY_HOT_RESTART"], repository) + \
 envoy_select_enable_http3(["-DENVOY_ENABLE_QUIC"], repository) + \
 _envoy_select_perf_annotation(["-DENVOY_PERF_ANNOTATION"]) + \
diff --git a/ci/do_ci.sh b/ci/do_ci.sh
index ad6e49e9ca722..6d4066175a9bb 100755
--- a/ci/do_ci.sh
+++ b/ci/do_ci.sh
@@ -348,6 +348,7 @@ elif [[ "$CI_TARGET" == "bazel.compile_time_options" ]]; then
 "--define" "deprecated_features=disabled"
 "--define" "tcmalloc=gperftools"
 "--define" "zlib=ng"
+ "--define" "uhv=enabled"
 "--@envoy//bazel:http3=False"
 "--@envoy//source/extensions/filters/http/kill_request:enabled"
 "--test_env=ENVOY_HAS_EXTRA_EXTENSIONS=true")
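Review bot: The comment on `uhv_enabled` in bazel/BUILD says the define disables HTTP header compliance checks in the codecs, but it carries no warning against using it outside CI and no pointer for removing it. If UHV does not yet cover every check the codecs perform (not visible from this diff), a binary built with `--define uhv=enabled` would accept headers that the default build rejects, which weakens request-smuggling and header-injection defences. I would add `# WARNING: not for production use; codec header checks are compiled out and UHV coverage may be incomplete.` and `# TODO(<owner>): remove this setting once UHV is the default (<tracking issue>).` to the comment block.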
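Review bot: The new `select` branch in `envoy_copts` (bazel/envoy_internal.bzl) has no comment, unlike the `APPLE_USE_RFC_3542` entry just above it. Because `-DENVOY_ENABLE_UHV` goes in through the shared copts, every target compiled with them sees the macro, and per the bazel/BUILD comment it switches off header compliance checks in the codecs. A line inside the dict such as `# ENVOY_ENABLE_UHV: header validation moves from the codecs to UHV; see //bazel:uhv_enabled.` would tell a reader at this site what the flag changes. The body of `envoy_copts` starts and ends outside the hunk.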