build: making admin optional

bazel/BUILD

@@ -306,6 +306,14 @@ config_setting(
     values = {"define": "deprecated_features=disabled"},
 )
 
+selects.config_setting_group(
+    name = "disable_hot_restart_or_admin",
+    match_any = [
+        "//bazel:disable_hot_restart",
+        "//bazel:disable_admin_functionality",
+    ],
+)
+
 bool_flag(
     name = "http3",
     build_setting_default = True,
@@ -335,6 +343,11 @@ config_setting(
     values = {"define": "admin_html=disabled"},
 )
 
+config_setting(
+    name = "disable_admin_functionality",
+    values = {"define": "admin_functionality=disabled"},
+)
+
 config_setting(
     name = "disable_hot_restart_setting",
     values = {"define": "hot_restart=disabled"},

bazel/README.md

@@ -700,6 +700,7 @@ The following optional features can be disabled on the Bazel build command-line:
 * http3/quic with --//bazel:http3=False
 * autolinking libraries with --define=library_autolink=disabled
 * admin HTML home page with `--define=admin_html=disabled`
+* admin functionality with `--define=admin_functionality=disabled`
 
 ## Enabling optional features
 

bazel/envoy_build_system.bzl

@@ -18,6 +18,7 @@ load(
 load(":envoy_pch.bzl", _envoy_pch_library = "envoy_pch_library")
 load(
     ":envoy_select.bzl",
+    _envoy_select_admin_functionality = "envoy_select_admin_functionality",
     _envoy_select_admin_html = "envoy_select_admin_html",
     _envoy_select_admin_no_html = "envoy_select_admin_no_html",
     _envoy_select_boringssl = "envoy_select_boringssl",
@@ -52,8 +53,8 @@ load(
 )
 load("@bazel_skylib//rules:common_settings.bzl", "bool_flag")
 
-def envoy_package():
-    native.package(default_visibility = ["//visibility:public"])
+def envoy_package(default_visibility = ["//visibility:public"]):
+    native.package(default_visibility = default_visibility)
 
 def envoy_extension_package(enabled_default = True, default_visibility = EXTENSION_PACKAGE_VISIBILITY):
     native.package(default_visibility = default_visibility)
@@ -216,6 +217,7 @@ def envoy_google_grpc_external_deps():
 # Select wrappers (from envoy_select.bzl)
 envoy_select_admin_html = _envoy_select_admin_html
 envoy_select_admin_no_html = _envoy_select_admin_no_html
+envoy_select_admin_functionality = _envoy_select_admin_functionality
 envoy_select_boringssl = _envoy_select_boringssl
 envoy_select_google_grpc = _envoy_select_google_grpc
 envoy_select_enable_http3 = _envoy_select_enable_http3

bazel/envoy_internal.bzl

@@ -1,6 +1,6 @@
 # DO NOT LOAD THIS FILE. Targets from this file should be considered private
 # and not used outside of the @envoy//bazel package.
-load(":envoy_select.bzl", "envoy_select_admin_html", "envoy_select_enable_http3", "envoy_select_google_grpc", "envoy_select_hot_restart")
+load(":envoy_select.bzl", "envoy_select_admin_functionality", "envoy_select_admin_html", "envoy_select_enable_http3", "envoy_select_google_grpc", "envoy_select_hot_restart")
 
 # Compute the final copts based on various options.
 def envoy_copts(repository, test = False):
@@ -123,6 +123,7 @@ def envoy_copts(repository, test = False):
                "//conditions:default": [],
            }) + envoy_select_hot_restart(["-DENVOY_HOT_RESTART"], repository) + \
            envoy_select_admin_html(["-DENVOY_ADMIN_HTML"], repository) + \
+           envoy_select_admin_functionality(["-DENVOY_ADMIN_FUNCTIONALITY"], repository) + \
            envoy_select_enable_http3(["-DENVOY_ENABLE_QUIC"], repository) + \
            _envoy_select_perf_annotation(["-DENVOY_PERF_ANNOTATION"]) + \
            _envoy_select_perfetto(["-DENVOY_PERFETTO"]) + \

bazel/envoy_select.bzl

@@ -32,6 +32,13 @@ def envoy_select_admin_html(xs, repository = ""):
         "//conditions:default": xs,
     })
 
+# Selects the given values if admin functionality is enabled in the current build.
+def envoy_select_admin_functionality(xs, repository = ""):
+    return select({
+        repository + "//bazel:disable_admin_functionality": [],
+        "//conditions:default": xs,
+    })
+
 def envoy_select_admin_no_html(xs, repository = ""):
     return select({
         repository + "//bazel:disable_admin_html": xs,

ci/do_ci.sh

@@ -398,8 +398,8 @@ elif [[ "$CI_TARGET" == "bazel.compile_time_options" ]]; then
   echo "Building and testing with wasm=wamr: ${TEST_TARGETS[*]}"
   bazel_with_collection test "${BAZEL_BUILD_OPTIONS[@]}" --define wasm=wamr "${COMPILE_TIME_OPTIONS[@]}" -c dbg "${TEST_TARGETS[@]}" --test_tag_filters=-nofips --build_tests_only
 
-  echo "Building and testing with wasm=wasmtime: ${TEST_TARGETS[*]}"
-  bazel_with_collection test "${BAZEL_BUILD_OPTIONS[@]}" --define wasm=wasmtime "${COMPILE_TIME_OPTIONS[@]}" -c dbg "${TEST_TARGETS[@]}" --test_tag_filters=-nofips --build_tests_only
+  echo "Building and testing with wasm=wasmtime: and admin_functionality and admin_html disabled ${TEST_TARGETS[*]}"
+  bazel_with_collection test "${BAZEL_BUILD_OPTIONS[@]}" --define wasm=wasmtime --define admin_html=disabled --define admin_functionality=disabled "${COMPILE_TIME_OPTIONS[@]}" -c dbg "${TEST_TARGETS[@]}" --test_tag_filters=-nofips --build_tests_only
 
   echo "Building and testing with wasm=wavm: ${TEST_TARGETS[*]}"
   bazel_with_collection test "${BAZEL_BUILD_OPTIONS[@]}" --define wasm=wavm "${COMPILE_TIME_OPTIONS[@]}" -c dbg "${TEST_TARGETS[@]}" --test_tag_filters=-nofips --build_tests_only

configs/BUILD

@@ -34,14 +34,17 @@ filegroup(
             "using_deprecated_config.yaml",
             "**/*.template.yaml",
             "freebind/freebind.yaml",
+            "envoy-tap-config.yaml",
             "envoy-demo.yaml",
         ],
     ) + select({
         "//bazel:apple": ["envoy-demo.yaml"],
         "//bazel:windows_x86_64": [],
+        "//bazel:disable_admin_functionality": [],
         "//conditions:default": [
             "envoy-demo.yaml",
             "freebind/freebind.yaml",
+            "envoy-tap-config.yaml",
         ],
     }),
 )

envoy/server/admin.h

@@ -279,6 +279,11 @@ class Admin {
    */
   static RequestPtr makeStaticTextRequest(absl::string_view response_text, Http::Code code);
   static RequestPtr makeStaticTextRequest(Buffer::Instance& response_text, Http::Code code);
+
+  /**
+   * Closes the listening socket for the admin.
+   */
+  virtual void closeSocket() PURE;
 };
 
 } // namespace Server

envoy/server/factory_context.h

@@ -66,9 +66,9 @@ class FactoryContextBase {
   virtual const LocalInfo::LocalInfo& localInfo() const PURE;
 
   /**
-   * @return Server::Admin& the server's global admin HTTP endpoint.
+   * @return OptRef<Server::Admin> the global HTTP admin endpoint for the server.
    */
-  virtual Server::Admin& admin() PURE;
+  virtual OptRef<Server::Admin> admin() PURE;
 
   /**
    * @return Runtime::Loader& the singleton runtime loader for the server.

envoy/server/instance.h

@@ -47,9 +47,9 @@ class Instance {
   virtual ~Instance() = default;
 
   /**
-   * @return Admin& the global HTTP admin endpoint for the server.
+   * @return OptRef<Admin> the global HTTP admin endpoint for the server.
    */
-  virtual Admin& admin() PURE;
+  virtual OptRef<Admin> admin() PURE;
 
   /**
    * @return Api::Api& the API used by the server.

envoy/server/transport_socket_config.h

@@ -30,9 +30,9 @@ class TransportSocketFactoryContext {
   virtual ~TransportSocketFactoryContext() = default;
 
   /**
-   * @return Server::Admin& the server's admin interface.
+   * @return OptRef<Server::Admin> the global HTTP admin endpoint for the server.
    */
-  virtual Server::Admin& admin() PURE;
+  virtual OptRef<Server::Admin> admin() PURE;
 
   /**
    * @return Ssl::ContextManager& the SSL context manager.

source/common/config/config_provider_impl.cc

@@ -50,9 +50,12 @@ bool ConfigSubscriptionInstance::checkAndApplyConfigUpdate(const Protobuf::Messa
   return true;
 }
 
-ConfigProviderManagerImplBase::ConfigProviderManagerImplBase(Server::Admin& admin,
+ConfigProviderManagerImplBase::ConfigProviderManagerImplBase(OptRef<Server::Admin> admin,
                                                              const std::string& config_name) {
-  config_tracker_entry_ = admin.getConfigTracker().add(
+  if (!admin.has_value()) {
+    return;
+  }
+  config_tracker_entry_ = admin->getConfigTracker().add(
       config_name,
       [this](const Matchers::StringMatcher& name_matcher) { return dumpConfigs(name_matcher); });
   // ConfigTracker keys must be unique. We are asserting that no one has stolen the key

source/common/config/config_provider_impl.h

@@ -394,7 +394,7 @@ class ConfigProviderManagerImplBase : public ConfigProviderManager, public Singl
   using ConfigSubscriptionMap =
       absl::node_hash_map<uint64_t, std::weak_ptr<ConfigSubscriptionCommonBase>>;
 
-  ConfigProviderManagerImplBase(Server::Admin& admin, const std::string& config_name);
+  ConfigProviderManagerImplBase(OptRef<Server::Admin> admin, const std::string& config_name);
 
   const ConfigSubscriptionMap& configSubscriptions() const { return config_subscriptions_; }
 

source/common/rds/common/route_config_provider_manager_impl.h

@@ -36,7 +36,7 @@ template <class Rds, class RouteConfiguration, int NameFieldNumber, class Config
 class RouteConfigProviderManagerImpl : public RouteConfigProviderManager<Rds, RouteConfiguration>,
                                        public Singleton::Instance {
 public:
-  RouteConfigProviderManagerImpl(Server::Admin& admin)
+  RouteConfigProviderManagerImpl(OptRef<Server::Admin> admin)
       : manager_(admin, absl::AsciiStrToLower(getRdsName()) + "_routes", proto_traits_) {}
 
   // RouteConfigProviderManager

source/common/rds/route_config_provider_manager.cc

@@ -5,13 +5,16 @@
 namespace Envoy {
 namespace Rds {
 
-RouteConfigProviderManager::RouteConfigProviderManager(Server::Admin& admin,
+RouteConfigProviderManager::RouteConfigProviderManager(OptRef<Server::Admin> admin,
                                                        const std::string& config_tracker_key,
                                                        ProtoTraits& proto_traits)
-    : config_tracker_entry_(admin.getConfigTracker().add(
-          config_tracker_key,
-          [this](const Matchers::StringMatcher& matcher) { return dumpRouteConfigs(matcher); })),
-      proto_traits_(proto_traits) {
+    : proto_traits_(proto_traits) {
+  if (!admin.has_value()) {
+    return;
+  }
+  config_tracker_entry_ = admin->getConfigTracker().add(
+      config_tracker_key,
+      [this](const Matchers::StringMatcher& matcher) { return dumpRouteConfigs(matcher); });
   // ConfigTracker keys must be unique. We are asserting that no one has stolen the "routes" key
   // from us, since the returned entry will be nullptr if the key already exists.
   RELEASE_ASSERT(config_tracker_entry_, "");

source/common/rds/route_config_provider_manager.h

@@ -21,7 +21,7 @@ namespace Rds {
 
 class RouteConfigProviderManager {
 public:
-  RouteConfigProviderManager(Server::Admin& admin, const std::string& config_tracker_key,
+  RouteConfigProviderManager(OptRef<Server::Admin> admin, const std::string& config_tracker_key,
                              ProtoTraits& proto_traits);
 
   void eraseStaticProvider(RouteConfigProvider* provider);

source/common/router/rds_impl.cc

@@ -219,7 +219,7 @@ void RdsRouteConfigProviderImpl::requestVirtualHostsUpdate(
   });
 }
 
-RouteConfigProviderManagerImpl::RouteConfigProviderManagerImpl(Server::Admin& admin)
+RouteConfigProviderManagerImpl::RouteConfigProviderManagerImpl(OptRef<Server::Admin> admin)
     : manager_(admin, "routes", proto_traits_) {}
 
 Router::RouteConfigProviderSharedPtr RouteConfigProviderManagerImpl::createRdsRouteConfigProvider(

source/common/router/rds_impl.h

@@ -179,7 +179,7 @@ using ProtoTraitsImpl =
 class RouteConfigProviderManagerImpl : public RouteConfigProviderManager,
                                        public Singleton::Instance {
 public:
-  RouteConfigProviderManagerImpl(Server::Admin& admin);
+  RouteConfigProviderManagerImpl(OptRef<Server::Admin> admin);
 
   std::unique_ptr<envoy::admin::v3::RoutesConfigDump>
   dumpRouteConfigs(const Matchers::StringMatcher& name_matcher) const {

source/common/router/scoped_rds.h

@@ -268,7 +268,8 @@ class ScopedRdsConfigProvider : public Envoy::Config::MutableConfigProviderCommo
 class ScopedRoutesConfigProviderManager : public Envoy::Config::ConfigProviderManagerImplBase {
 public:
   ScopedRoutesConfigProviderManager(
-      Server::Admin& admin, Router::RouteConfigProviderManager& route_config_provider_manager)
+      OptRef<Server::Admin> admin,
+      Router::RouteConfigProviderManager& route_config_provider_manager)
       : Envoy::Config::ConfigProviderManagerImplBase(admin, "route_scopes"),
         route_config_provider_manager_(route_config_provider_manager) {}
 

source/common/secret/secret_manager_impl.cc

@@ -17,11 +17,15 @@
 namespace Envoy {
 namespace Secret {
 
-SecretManagerImpl::SecretManagerImpl(Server::ConfigTracker& config_tracker)
-    : config_tracker_entry_(
-          config_tracker.add("secrets", [this](const Matchers::StringMatcher& name_matcher) {
-            return dumpSecretConfigs(name_matcher);
-          })) {}
+SecretManagerImpl::SecretManagerImpl(OptRef<Server::ConfigTracker> config_tracker) {
+  if (config_tracker.has_value()) {
+    config_tracker_entry_ =
+        config_tracker->add("secrets", [this](const Matchers::StringMatcher& name_matcher) {
+          return dumpSecretConfigs(name_matcher);
+        });
+  }
+}
+
 void SecretManagerImpl::addStaticSecret(
     const envoy::extensions::transport_sockets::tls::v3::Secret& secret) {
   switch (secret.type_case()) {

source/common/secret/secret_manager_impl.h

@@ -18,7 +18,7 @@ namespace Secret {
 
 class SecretManagerImpl : public SecretManager {
 public:
-  SecretManagerImpl(Server::ConfigTracker& config_tracker);
+  SecretManagerImpl(OptRef<Server::ConfigTracker> config_tracker);
   void
   addStaticSecret(const envoy::extensions::transport_sockets::tls::v3::Secret& secret) override;
 

source/common/upstream/cluster_factory_impl.h

@@ -72,7 +72,7 @@ class ClusterFactoryContextImpl : public ClusterFactoryContext {
   AccessLog::AccessLogManager& logManager() override { return server_context_.accessLogManager(); }
   const LocalInfo::LocalInfo& localInfo() const override { return server_context_.localInfo(); }
   const Server::Options& options() override { return server_context_.options(); }
-  Server::Admin& admin() override { return server_context_.admin(); }
+  OptRef<Server::Admin> admin() override { return server_context_.admin(); }
   Api::Api& api() override { return server_context_.api(); }
   Singleton::Manager& singletonManager() override { return server_context_.singletonManager(); }
 

source/common/upstream/cluster_manager_impl.cc

@@ -283,7 +283,7 @@ ClusterManagerImpl::ClusterManagerImpl(
     const envoy::config::bootstrap::v3::Bootstrap& bootstrap, ClusterManagerFactory& factory,
     Stats::Store& stats, ThreadLocal::Instance& tls, Runtime::Loader& runtime,
     const LocalInfo::LocalInfo& local_info, AccessLog::AccessLogManager& log_manager,
-    Event::Dispatcher& main_thread_dispatcher, Server::Admin& admin,
+    Event::Dispatcher& main_thread_dispatcher, OptRef<Server::Admin> admin,
     ProtobufMessage::ValidationContext& validation_context, Api::Api& api,
     Http::Context& http_context, Grpc::Context& grpc_context, Router::Context& router_context,
     const Server::Instance& server)
@@ -292,11 +292,6 @@ ClusterManagerImpl::ClusterManagerImpl(
       bind_config_(bootstrap.cluster_manager().upstream_bind_config()), local_info_(local_info),
       cm_stats_(generateStats(stats)),
       init_helper_(*this, [this](ClusterManagerCluster& cluster) { onClusterInit(cluster); }),
-      config_tracker_entry_(
-          admin.getConfigTracker().add("clusters",
-                                       [this](const Matchers::StringMatcher& name_matcher) {
-                                         return dumpClusterConfigs(name_matcher);
-                                       })),
       time_source_(main_thread_dispatcher.timeSource()), dispatcher_(main_thread_dispatcher),
       http_context_(http_context), router_context_(router_context),
       cluster_stat_names_(stats.symbolTable()),
@@ -307,6 +302,12 @@ ClusterManagerImpl::ClusterManagerImpl(
       cluster_circuit_breakers_stat_names_(stats.symbolTable()),
       cluster_request_response_size_stat_names_(stats.symbolTable()),
       cluster_timeout_budget_stat_names_(stats.symbolTable()) {
+  if (admin.has_value()) {
+    config_tracker_entry_ = admin->getConfigTracker().add(
+        "clusters", [this](const Matchers::StringMatcher& name_matcher) {
+          return dumpClusterConfigs(name_matcher);
+        });
+  }
   async_client_manager_ = std::make_unique<Grpc::AsyncClientManagerImpl>(
       *this, tls, time_source_, api, grpc_context.statNames());
   const auto& cm_config = bootstrap.cluster_manager();

source/common/upstream/cluster_manager_impl.h

@@ -53,7 +53,7 @@ class ProdClusterManagerFactory : public ClusterManagerFactory {
   using LazyCreateDnsResolver = std::function<Network::DnsResolverSharedPtr()>;
 
   ProdClusterManagerFactory(
-      Server::Configuration::ServerFactoryContext& server_context, Server::Admin& admin,
+      Server::Configuration::ServerFactoryContext& server_context, OptRef<Server::Admin> admin,
       Runtime::Loader& runtime, Stats::Store& stats, ThreadLocal::Instance& tls,
       LazyCreateDnsResolver dns_resolver_fn, Ssl::ContextManager& ssl_context_manager,
       Event::Dispatcher& main_thread_dispatcher, const LocalInfo::LocalInfo& local_info,
@@ -108,7 +108,7 @@ class ProdClusterManagerFactory : public ClusterManagerFactory {
   Http::Context& http_context_;
   Grpc::Context& grpc_context_;
   Router::Context& router_context_;
-  Server::Admin& admin_;
+  OptRef<Server::Admin> admin_;
   Stats::Store& stats_;
   ThreadLocal::Instance& tls_;
   LazyCreateDnsResolver dns_resolver_fn_;
@@ -248,7 +248,7 @@ class ClusterManagerImpl : public ClusterManager,
                      ThreadLocal::Instance& tls, Runtime::Loader& runtime,
                      const LocalInfo::LocalInfo& local_info,
                      AccessLog::AccessLogManager& log_manager,
-                     Event::Dispatcher& main_thread_dispatcher, Server::Admin& admin,
+                     Event::Dispatcher& main_thread_dispatcher, OptRef<Server::Admin> admin,
                      ProtobufMessage::ValidationContext& validation_context, Api::Api& api,
                      Http::Context& http_context, Grpc::Context& grpc_context,
                      Router::Context& router_context, const Server::Instance& server);

source/common/upstream/upstream_impl.cc

@@ -876,7 +876,7 @@ class FactoryContextImpl : public Server::Configuration::CommonFactoryContext {
   Stats::Scope& serverScope() override { return server_scope_; }
   Singleton::Manager& singletonManager() override { return singleton_manager_; }
   ThreadLocal::SlotAllocator& threadLocal() override { return tls_; }
-  Server::Admin& admin() override { return admin_; }
+  OptRef<Server::Admin> admin() override { return admin_; }
   TimeSource& timeSource() override { return api().timeSource(); }
   ProtobufMessage::ValidationContext& messageValidationContext() override {
     // TODO(davinci26): Needs an implementation for this context. Currently not used.
@@ -905,7 +905,7 @@ class FactoryContextImpl : public Server::Configuration::CommonFactoryContext {
   Api::Api& api() override { return api_; }
 
 private:
-  Server::Admin& admin_;
+  OptRef<Server::Admin> admin_;
   Stats::Scope& server_scope_;
   Stats::Scope& stats_scope_;
   Upstream::ClusterManager& cluster_manager_;