Envoy Update to d3110f4 (May 9, 2022)

.azure-pipelines/pipelines.yml

@@ -44,22 +44,23 @@ stages:
       parameters:
         ciTarget: $(CI_TARGET)
 
-- stage: clang_tidy
-  dependsOn: ["check"]
-  pool: "x64-large"
-  jobs:
-  - job: clang_tidy
-    displayName: "do_ci.sh"
-    strategy:
-      maxParallel: 1
-      matrix:
-        clang_tidy:
-          CI_TARGET: "clang_tidy"
-    timeoutInMinutes: 120
-    steps:
-    - template: bazel.yml
-      parameters:
-        ciTarget: $(CI_TARGET)
+# TODO(#849): Renable target when file issue is resolved.
+# - stage: clang_tidy
+#   dependsOn: ["check"]
+#   pool: "x64-large"
+#   jobs:
+#   - job: clang_tidy
+#     displayName: "do_ci.sh"
+#     strategy:
+#       maxParallel: 1
+#       matrix:
+#         clang_tidy:
+#           CI_TARGET: "clang_tidy"
+#     timeoutInMinutes: 120
+#     steps:
+#     - template: bazel.yml
+#       parameters:
+#         ciTarget: $(CI_TARGET)
 
 - stage: test_gcc
   dependsOn: ["check"]
@@ -118,7 +119,7 @@ stages:
 
 - stage: release
   dependsOn:
-  - "clang_tidy"
+  # - "clang_tidy"
   - "test_gcc"
   - "sanitizers"
   - "coverage"

.bazelrc

@@ -27,7 +27,7 @@ build --incompatible_strict_action_env
 build --host_force_python=PY3
 build --java_runtime_version=remotejdk_11
 build --tool_java_runtime_version=remotejdk_11
-#build --platform_mappings=""                                                               # unique
+build --platform_mappings=""                                                               # unique
 # silence absl logspam.
 build --copt=-DABSL_MIN_LOG_LEVEL=4
 
@@ -219,9 +219,9 @@ build:rbe-toolchain-asan --linkopt -fuse-ld=lld
 build:rbe-toolchain-asan --action_env=ENVOY_UBSAN_VPTR=1
 build:rbe-toolchain-asan --copt=-fsanitize=vptr,function
 build:rbe-toolchain-asan --linkopt=-fsanitize=vptr,function
-build:rbe-toolchain-asan --linkopt=-L/opt/llvm/lib/clang/12.0.1/lib/linux
-build:rbe-toolchain-asan --linkopt=-l:libclang_rt.ubsan_standalone-x86_64.a
-build:rbe-toolchain-asan --linkopt=-l:libclang_rt.ubsan_standalone_cxx-x86_64.a
+build:rbe-toolchain-asan --linkopt='-L/opt/llvm/lib/clang/14.0.0/lib/x86_64-unknown-linux-gnu'
+build:rbe-toolchain-asan --linkopt=-l:libclang_rt.ubsan_standalone.a
+build:rbe-toolchain-asan --linkopt=-l:libclang_rt.ubsan_standalone_cxx.a
 
 build:rbe-toolchain-msan --linkopt=-L/opt/libcxx_msan/lib
 build:rbe-toolchain-msan --linkopt=-Wl,-rpath,/opt/libcxx_msan/lib
@@ -295,7 +295,7 @@ build:remote-clang-cl --config=rbe-toolchain-clang-cl
 
 # Docker sandbox
 # NOTE: Update this from https://github.com/envoyproxy/envoy-build-tools/blob/main/toolchains/rbe_toolchains_config.bzl#L8
-build:docker-sandbox --experimental_docker_image=envoyproxy/envoy-build-ubuntu:a37d5f539f04b44e284953b4a075826ead117279
+build:docker-sandbox --experimental_docker_image=envoyproxy/envoy-build-ubuntu:6fff5a6c67db843ddabde4533e24cab6122c7011
 build:docker-sandbox --spawn_strategy=docker
 build:docker-sandbox --strategy=Javac=docker
 build:docker-sandbox --strategy=Closure=docker
@@ -329,6 +329,10 @@ build:docker-tsan --config=rbe-toolchain-tsan
 build:remote-ci --remote_cache=grpcs://remotebuildexecution.googleapis.com
 build:remote-ci --remote_executor=grpcs://remotebuildexecution.googleapis.com
 
+# Build Event Service
+build:google-bes --bes_backend=grpcs://buildeventservice.googleapis.com
+build:google-bes --bes_results_url=https://source.cloud.google.com/results/invocations/
+
 # Fuzz builds
 
 # Shared fuzzing configuration.

.bazelversion

@@ -1 +1 @@
-6.0.0-pre.20220414.2
+6.0.0-pre.20220421.3

MAINTAINERS.md

@@ -76,10 +76,10 @@ important maintenance task. When performing the update, follow this procedure:
 1. Run `ci/do_ci.sh test`. Sometimes the dependency update comes with changes
    that break our build. Include any changes required to Nighthawk to fix that
    in the same PR.
-1. Create a PR with a title like `Update Envoy to 9753819 (Jan 24th 2021)`,
-   describe all performed changes in the PR's description.
 1. If the PR ends up modifying any c++ files, execute `ci/do_ci.sh fix_format`
    to reformat the files and avoid a CI failure.
 1. Execute `tools/update_cli_readme_documentation.sh --mode fix` to regenerate the
    portion of our documentation that captures the CLI help output. This will
    prevent a CI failure in case any flags changed in the PR or upstream.
+1. Create a PR with a title like `Update Envoy to 9753819 (Jan 24th 2021)`,
+   describe all performed changes in the PR's description.

bazel/repositories.bzl

@@ -1,7 +1,7 @@
 load("@bazel_tools//tools/build_defs/repo:http.bzl", "http_archive")
 
-ENVOY_COMMIT = "69135f81b18b6653d80ecac34669427d3dd75306"
-ENVOY_SHA = "45b06e53ef251165690a82acee55c41b6ae34e87d58ab2f005cec3dcb72e9249"
+ENVOY_COMMIT = "d3110f49cf4b14e7aa05388ec2ddc052c402381c"
+ENVOY_SHA = "90cb3c5e8d6f3632edc7a26e6443937dfff03a7c3c13ffbc47516e93110e3518"
 
 HDR_HISTOGRAM_C_VERSION = "0.11.2"  # October 12th, 2020
 HDR_HISTOGRAM_C_SHA = "637f28b5f64de2e268131e4e34e6eef0b91cf5ff99167db447d9b2825eae6bad"

ci/run_envoy_docker.sh

@@ -15,6 +15,7 @@ read -ra ENVOY_DOCKER_OPTIONS <<< "${ENVOY_DOCKER_OPTIONS:-}"
 export HTTP_PROXY="${http_proxy:-}"
 export HTTPS_PROXY="${https_proxy:-}"
 export NO_PROXY="${no_proxy:-}"
+export GOPROXY="${go_proxy:-}"
 
 if is_windows; then
   [[ -z "${IMAGE_NAME}" ]] && IMAGE_NAME="envoyproxy/envoy-build-windows2019"
@@ -73,13 +74,15 @@ docker run --rm \
        -e HTTP_PROXY \
        -e HTTPS_PROXY \
        -e NO_PROXY \
+       -e GOPROXY \
        -e BAZEL_STARTUP_OPTIONS \
        -e BAZEL_BUILD_EXTRA_OPTIONS \
        -e BAZEL_EXTRA_TEST_OPTIONS \
        -e BAZEL_REMOTE_CACHE \
        -e ENVOY_STDLIB \
        -e BUILD_REASON \
        -e BAZEL_REMOTE_INSTANCE \
+       -e GOOGLE_BES_PROJECT_ID \
        -e GCP_SERVICE_ACCOUNT_KEY \
        -e NUM_CPUS \
        -e ENVOY_RBE \

source/client/stream_decoder.cc

@@ -183,7 +183,7 @@ void StreamDecoder::setupForTracing() {
   uuid_generator.set(*headers_copy, true);
   uuid_generator.setTraceReason(*headers_copy, Envoy::Tracing::Reason::ClientForced);
   active_span_ = http_tracer_->startSpan(config_, *headers_copy, stream_info_, tracing_decision);
-  active_span_->injectContext(*headers_copy);
+  active_span_->injectContext(*headers_copy, /*upstream=*/nullptr);
   request_headers_.reset(headers_copy.release());
   // We pass in a fake remote address; recently trace finalization mandates setting this, and will
   // segfault without it.

test/integration/configurations/nighthawk_https_origin_dsa.yaml

@@ -0,0 +1,58 @@
+admin:
+  access_log:
+    - name: envoy.access_loggers.file
+      typed_config:
+        '@type': type.googleapis.com/envoy.extensions.access_loggers.file.v3.FileAccessLog
+        path: $tmpdir/nighthawk-test-server-admin-access.log
+  profile_path: $tmpdir/nighthawk-test-server.prof
+  address:
+    socket_address: { address: $server_ip, port_value: 0 }
+static_resources:
+  listeners:
+    - address:
+        socket_address:
+          address: $server_ip
+          port_value: 0
+      filter_chains:
+        - filters:
+            - name: envoy.filters.network.http_connection_manager
+              typed_config:
+                "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
+                generate_request_id: false
+                codec_type: AUTO
+                stat_prefix: ingress_http
+                route_config:
+                  name: local_route
+                  virtual_hosts:
+                    - name: service
+                      domains:
+                        - "*"
+                http_filters:
+                  - name: dynamic-delay
+                  - name: test-server
+                    typed_config:
+                      "@type": type.googleapis.com/nighthawk.server.ResponseOptions
+                      response_body_size: 10
+                      v3_response_headers:
+                        - { header: { key: "x-nh", value: "1" } }
+                  - name: envoy.filters.http.router
+                    typed_config:
+                      "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router
+                      dynamic_stats: false
+          transport_socket:
+            name: tls
+            typed_config:
+              "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext
+              common_tls_context:
+                tls_certificates:    
+                  - certificate_chain:
+                      inline_string: |
+                        @inject-runfile:nighthawk/external/envoy/test/config/integration/certs/server_ecdsacert.pem
+                    private_key:
+                      inline_string: |
+                        @inject-runfile:nighthawk/external/envoy/test/config/integration/certs/server_ecdsakey.pem
+layered_runtime:
+  layers:
+  - name: static_layer
+    static_layer:
+      envoy.reloadable_features.no_extension_lookup_by_name: false

test/integration/test_integration_basics.py

@@ -367,7 +367,7 @@ def test_h3_quic_with_custom_upstream_bind_configuration(quic_test_server_fixtur
   asserts.assertCounterEqual(counters, "upstream_cx_http3_total", 1)
 
 
-def _do_tls_configuration_test(https_test_server_fixture, cli_parameter, use_h2):
+def _do_tls_configuration_test(https_test_server_fixture, cli_parameter, use_h2, ciphers):
   """Test with different ciphers.
 
   For a given choice of (--tls-context, --transport-socket) x (H1, H2),
@@ -377,6 +377,7 @@ def _do_tls_configuration_test(https_test_server_fixture, cli_parameter, use_h2)
     https_test_server_fixture: pytest.fixture that controls a test server and client
     cli_parameter: string, --tls-context or --transport-socket
     use_h2: boolean, whether to pass --h2
+    ciphers: list[string], list of ciphers to use with TLS
   """
   if cli_parameter == "--tls-context":
     json_template = "{common_tls_context:{tls_params:{cipher_suites:[\"-ALL:%s\"]}}}"
@@ -386,10 +387,7 @@ def _do_tls_configuration_test(https_test_server_fixture, cli_parameter, use_h2)
         "\"@type\":\"type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext\",",
         "common_tls_context:{tls_params:{cipher_suites:[\"-ALL:%s\"]}}}}")
 
-  for cipher in [
-      "AES128-GCM-SHA256",
-      "ECDHE-RSA-AES256-GCM-SHA384",
-  ]:
+  for cipher in ciphers:
     parsed_json, _ = https_test_server_fixture.runNighthawkClient(
         (["--protocol", "http2"] if use_h2 else []) + [
             "--duration", "10", "--termination-predicate", "benchmark.http_2xx:0", cli_parameter,
@@ -402,30 +400,82 @@ def _do_tls_configuration_test(https_test_server_fixture, cli_parameter, use_h2)
 
 @pytest.mark.parametrize('server_config',
                          ["nighthawk/test/integration/configurations/nighthawk_https_origin.yaml"])
-def test_https_h1_tls_context_configuration(https_test_server_fixture):
-  """Test that specifying tls cipher suites works with the h1 pool."""
-  _do_tls_configuration_test(https_test_server_fixture, "--tls-context", use_h2=False)
+def test_https_h1_tls_context_configuration_rsa(https_test_server_fixture):
+  """Test that specifying RSA compatible tls cipher suites works with the h1 pool."""
+  _do_tls_configuration_test(https_test_server_fixture,
+                             "--tls-context",
+                             use_h2=False,
+                             ciphers=["ECDHE-RSA-AES256-GCM-SHA384"])
 
 
 @pytest.mark.parametrize('server_config',
                          ["nighthawk/test/integration/configurations/nighthawk_https_origin.yaml"])
-def test_https_h1_transport_socket_configuration(https_test_server_fixture):
-  """Test that specifying tls cipher suites via transport socket works with the h1 pool."""
-  _do_tls_configuration_test(https_test_server_fixture, "--transport-socket", use_h2=False)
+def test_https_h1_transport_socket_configuration_rsa(https_test_server_fixture):
+  """Test that specifying RSA compatible tls cipher suites via transport socket works with the h1 pool."""
+  _do_tls_configuration_test(https_test_server_fixture,
+                             "--transport-socket",
+                             use_h2=False,
+                             ciphers=["ECDHE-RSA-AES256-GCM-SHA384"])
 
 
 @pytest.mark.parametrize('server_config',
                          ["nighthawk/test/integration/configurations/nighthawk_https_origin.yaml"])
-def test_https_h2_tls_context_configuration(https_test_server_fixture):
-  """Test that specifying tls cipher suites works with the h2 pool."""
-  _do_tls_configuration_test(https_test_server_fixture, "--tls-context", use_h2=True)
+def test_https_h2_tls_context_configuration_rsa(https_test_server_fixture):
+  """Test that specifying RSA compatible tls cipher suites works with the h2 pool."""
+  _do_tls_configuration_test(https_test_server_fixture,
+                             "--tls-context",
+                             use_h2=True,
+                             ciphers=["ECDHE-RSA-AES256-GCM-SHA384"])
 
 
 @pytest.mark.parametrize('server_config',
                          ["nighthawk/test/integration/configurations/nighthawk_https_origin.yaml"])
-def test_https_h2_transport_socket_configuration(https_test_server_fixture):
-  """Test that specifying tls cipher suites via transport socket works with the h2 pool."""
-  _do_tls_configuration_test(https_test_server_fixture, "--transport-socket", use_h2=True)
+def test_https_h2_transport_socket_configuration_rsa(https_test_server_fixture):
+  """Test that specifying RSA compatible tls cipher suites via transport socket works with the h2 pool."""
+  _do_tls_configuration_test(https_test_server_fixture,
+                             "--transport-socket",
+                             use_h2=True,
+                             ciphers=["ECDHE-RSA-AES256-GCM-SHA384"])
+
+
+@pytest.mark.parametrize(
+    'server_config', ["nighthawk/test/integration/configurations/nighthawk_https_origin_dsa.yaml"])
+def test_https_h1_tls_context_configuration_dsa(https_test_server_fixture):
+  """Test that specifying DSA comptible tls cipher suites works with the h1 pool."""
+  _do_tls_configuration_test(https_test_server_fixture,
+                             "--tls-context",
+                             use_h2=False,
+                             ciphers=["ECDHE-ECDSA-AES256-GCM-SHA384"])
+
+
+@pytest.mark.parametrize(
+    'server_config', ["nighthawk/test/integration/configurations/nighthawk_https_origin_dsa.yaml"])
+def test_https_h1_transport_socket_configuration_dsa(https_test_server_fixture):
+  """Test that specifying DSA comptible tls cipher suites via transport socket works with the h1 pool."""
+  _do_tls_configuration_test(https_test_server_fixture,
+                             "--transport-socket",
+                             use_h2=False,
+                             ciphers=["ECDHE-ECDSA-AES256-GCM-SHA384"])
+
+
+@pytest.mark.parametrize(
+    'server_config', ["nighthawk/test/integration/configurations/nighthawk_https_origin_dsa.yaml"])
+def test_https_h2_tls_context_configuration_dsa(https_test_server_fixture):
+  """Test that specifying DSA comptible tls cipher suites works with the h2 pool."""
+  _do_tls_configuration_test(https_test_server_fixture,
+                             "--tls-context",
+                             use_h2=True,
+                             ciphers=["ECDHE-ECDSA-AES256-GCM-SHA384"])
+
+
+@pytest.mark.parametrize(
+    'server_config', ["nighthawk/test/integration/configurations/nighthawk_https_origin_dsa.yaml"])
+def test_https_h2_transport_socket_configuration_dsa(https_test_server_fixture):
+  """Test that specifying DSA comptible tls cipher suites via transport socket works with the h2 pool."""
+  _do_tls_configuration_test(https_test_server_fixture,
+                             "--transport-socket",
+                             use_h2=True,
+                             ciphers=["ECDHE-ECDSA-AES256-GCM-SHA384"])
 
 
 @pytest.mark.parametrize('server_config',

test/stream_decoder_test.cc

@@ -135,7 +135,7 @@ TEST_F(StreamDecoderTest, LatencyIsMeasured) {
                      const Envoy::Tracing::Decision) -> Envoy::Tracing::Span* {
             EXPECT_EQ(Envoy::Tracing::OperationName::Egress, config.operationName());
             auto* span = new Envoy::Tracing::MockSpan();
-            EXPECT_CALL(*span, injectContext(_));
+            EXPECT_CALL(*span, injectContext(_, _));
             EXPECT_CALL(*span, setTag(_, _)).Times(12);
             EXPECT_CALL(*span, finishSpan());
             return span;