Merge release-1.1 into master

WORKSPACE

@@ -34,14 +34,14 @@ bind(
 
 # When updating envoy sha manually please update the sha in istio.deps file also
 #
-# Determine SHA256 `wget https://github.com/envoyproxy/envoy/archive/COMMIT.zip && sha256sum COMMIT.zip`
-ENVOY_SHA = "2a2ad48a7d4b57512bc10a9593e852fe950b1c8d"
-ENVOY_SHA256 = "a86dd396bd3db8401d45f9d387d3177ba1eb8298520ef684c1deaf7b91a1af1d"
+# Determine SHA256 `wget https://github.com/envoyproxy/envoy/archive/COMMIT.tar.gz && sha256sum COMMIT.tar.gz`
+ENVOY_SHA = "bbf5674c2c9a901ec4e964e4dd1d845516e672b2"
+ENVOY_SHA256 = "a4e56688cd274db367a5ab905e4d02da6d271189c564ae05e87812c63790c7d6"
 
 http_archive(
     name = "envoy",
     strip_prefix = "envoy-" + ENVOY_SHA,
-    url = "https://github.com/envoyproxy/envoy/archive/" + ENVOY_SHA + ".zip",
+    url = "https://github.com/envoyproxy/envoy/archive/" + ENVOY_SHA + ".tar.gz",
     sha256 = ENVOY_SHA256,
 )
 

istio.deps

@@ -4,13 +4,13 @@
 		"name": "ISTIO_API",
 		"repoName": "api",
 		"file": "repositories.bzl",
-		"lastStableSHA": "1a7788d738d2c6b07ba22106fca19bfef3843fa1"
+		"lastStableSHA": "aec9db9d9a57faf688b4d5606fddede85d4d3855"
 	},
 	{
 		"_comment": "",
 		"name": "ENVOY_SHA",
 		"repoName": "envoyproxy/envoy",
 		"file": "WORKSPACE",
-		"lastStableSHA": "2a2ad48a7d4b57512bc10a9593e852fe950b1c8d"
+		"lastStableSHA": "bbf5674c2c9a901ec4e964e4dd1d845516e672b2"
 	}
 ]

protobuf.bzl

@@ -17,8 +17,8 @@
 load("@bazel_tools//tools/build_defs/repo:http.bzl", "http_archive")
 
 # Match SHA used by Envoy
-PROTOBUF_SHA = "fa252ec2a54acb24ddc87d48fed1ecfd458445fd"
-PROTOBUF_SHA256 = "3d610ac90f8fa16e12490088605c248b85fdaf23114ce4b3605cdf81f7823604"
+PROTOBUF_SHA = "7492b5681231c79f0265793fa57dc780ae2481d6"
+PROTOBUF_SHA256 = "46f1da3a6a6db66dd240cf95a5553198f7c6e98e6ac942fceb8a1cf03291d96e"
 
 def protobuf_repositories(load_repo=True, bind=True):
     if load_repo:

repositories.bzl

@@ -19,7 +19,7 @@ load("@bazel_tools//tools/build_defs/repo:http.bzl", "http_archive")
 GOOGLETEST = "d225acc90bc3a8c420a9bcd1f033033c1ccd7fe0"
 GOOGLETEST_SHA256 = "01508c8f47c99509130f128924f07f3a60be05d039cff571bb11d60bb11a3581"
 
-def googletest_repositories(bind=True):
+def googletest_repositories(bind = True):
     BUILD = """
 # Copyright 2017 Istio Authors. All Rights Reserved.
 #
@@ -102,7 +102,7 @@ cc_library(
 ISTIO_API = "056eb85d96f09441775d79283c149d93fcbd0982"
 ISTIO_API_SHA256 = "df491c399f0a06bb2b85f43f5328c880c8e5cb5b3ce972efbd1ce137f83ebc52"
 
-def mixerapi_repositories(bind=True):
+def mixerapi_repositories(bind = True):
     BUILD = """
 # Copyright 2018 Istio Authors. All Rights Reserved.
 #
@@ -233,9 +233,9 @@ load(":cc_gogo_protobuf.bzl", "cc_gogoproto_repositories")
 load(":x_tools_imports.bzl", "go_x_tools_imports_repositories")
 load(":googleapis.bzl", "googleapis_repositories")
 
-def  mixerapi_dependencies():
-     protobuf_repositories(load_repo=True, bind=True)
-     cc_gogoproto_repositories()
-     go_x_tools_imports_repositories()
-     googleapis_repositories()
-     mixerapi_repositories()
+def mixerapi_dependencies():
+    protobuf_repositories(load_repo = True, bind = True)
+    cc_gogoproto_repositories()
+    go_x_tools_imports_repositories()
+    googleapis_repositories()
+    mixerapi_repositories()

src/envoy/http/jwt_auth/auth_store.h

@@ -27,21 +27,24 @@ namespace Envoy {
 namespace Http {
 namespace JwtAuth {
 
+typedef std::shared_ptr<const ::istio::envoy::config::filter::http::jwt_auth::
+                            v2alpha1::JwtAuthentication>
+    JwtAuthenticationConstSharedPtr;
+
 // The JWT auth store object to store config and caches.
 // It only has pubkey_cache for now. In the future it will have token cache.
 // It is per-thread and stored in thread local.
 class JwtAuthStore : public ThreadLocal::ThreadLocalObject {
  public:
   // Load the config from envoy config.
-  JwtAuthStore(const ::istio::envoy::config::filter::http::jwt_auth::v2alpha1::
-                   JwtAuthentication& config)
-      : config_(config), pubkey_cache_(config_), token_extractor_(config_) {}
+  JwtAuthStore(JwtAuthenticationConstSharedPtr config)
+      : config_(config), pubkey_cache_(*config_), token_extractor_(*config_) {}
 
   // Get the Config.
   const ::istio::envoy::config::filter::http::jwt_auth::v2alpha1::
       JwtAuthentication&
       config() const {
-    return config_;
+    return *config_;
   }
 
   // Get the pubkey cache.
@@ -52,8 +55,7 @@ class JwtAuthStore : public ThreadLocal::ThreadLocalObject {
 
  private:
   // Store the config.
-  const ::istio::envoy::config::filter::http::jwt_auth::v2alpha1::
-      JwtAuthentication& config_;
+  JwtAuthenticationConstSharedPtr config_;
   // The public key cache, indexed by issuer.
   PubkeyCache pubkey_cache_;
   // The object to extract token.
@@ -66,22 +68,24 @@ class JwtAuthStoreFactory : public Logger::Loggable<Logger::Id::config> {
   JwtAuthStoreFactory(const ::istio::envoy::config::filter::http::jwt_auth::
                           v2alpha1::JwtAuthentication& config,
                       Server::Configuration::FactoryContext& context)
-      : config_(config), tls_(context.threadLocal().allocateSlot()) {
-    tls_->set(
-        [this](Event::Dispatcher&) -> ThreadLocal::ThreadLocalObjectSharedPtr {
-          return std::make_shared<JwtAuthStore>(config_);
-        });
+      : config_(std::make_shared<const ::istio::envoy::config::filter::http::
+                                     jwt_auth::v2alpha1::JwtAuthentication>(
+            config)),
+        tls_(context.threadLocal().allocateSlot()) {
+    tls_->set([config = this->config_](Event::Dispatcher&)
+                  -> ThreadLocal::ThreadLocalObjectSharedPtr {
+      return std::make_shared<JwtAuthStore>(config);
+    });
     ENVOY_LOG(debug, "Loaded JwtAuthConfig: {}",
-              MessageUtil::getJsonStringFromMessage(config_, true));
+              MessageUtil::getJsonStringFromMessage(*config_, true));
   }
 
   // Get per-thread auth store object.
   JwtAuthStore& store() { return tls_->getTyped<JwtAuthStore>(); }
 
  private:
   // The auth config.
-  ::istio::envoy::config::filter::http::jwt_auth::v2alpha1::JwtAuthentication
-      config_;
+  JwtAuthenticationConstSharedPtr config_;
   // Thread local slot to store per-thread auth store
   ThreadLocal::SlotPtr tls_;
 };

src/envoy/http/jwt_auth/integration_test/envoy.conf

@@ -1,65 +1,85 @@
 {
-  "listeners": [
-    {
-      "address": "tcp://{{ ip_loopback_address }}:0",
-      "bind_to_port": true,
-      "filters": [
-        {
-          "type": "read",
-          "name": "http_connection_manager",
-          "config": {
-            "codec_type": "auto",
-            "stat_prefix": "ingress_http",
-            "route_config": {
-              "virtual_hosts": [
-                {
-                  "name": "backend",
-                  "domains": ["*"],
-                  "routes": [
+  "admin": {
+    "access_log_path": "/dev/null",
+    "address": {
+      "socket_address": {
+        "address": "{{ ntop_ip_loopback_address }}",
+        "port_value": 0
+      }
+    }
+  },
+  "static_resources": {
+    "listeners": [
+      {
+        "address": {
+          "socket_address": {
+            "address": "{{ ntop_ip_loopback_address }}",
+            "port_value": 0
+          }
+        },
+        "bind_to_port": true,
+        "filter_chains": [
+          {
+            "filters": [
+              {
+                "type": "read",
+                "name": "envoy.http_connection_manager",
+                "config": {
+                  "codec_type": "auto",
+                  "stat_prefix": "ingress_http",
+                  "route_config": {
+                    "virtual_hosts": [
+                      {
+                        "routes": [
+                          {
+                            "match": {
+                              "prefix": "/"
+                            },
+                            "route": {
+                              "cluster": "service1"
+                            }
+                          }
+                        ]
+                      }
+                    ]
+                  },
+                  "access_log": [
+                    {
+                      "name": "envoy.file_access_log",
+                      "config": {
+                        "path": "/dev/null"
+                      }
+                    }
+                  ],
+                  "http_filters": [
                     {
-                      "prefix": "/",
-                      "cluster": "service1"
+                      "name": "jwt-auth",
+                      "config": {}
+                    },
+                    {
+                      "name": "envoy.router",
+                      "config": {}
                     }
                   ]
                 }
-              ]
-            },
-            "access_log": [
-              {
-                "path": "/dev/stdout"
-              }
-            ],
-            "filters": [
-              {
-                "type": "decoder",
-                "name": "jwt-auth",
-                "config": {}
-              },
-              {
-                "type": "decoder",
-                "name": "router",
-                "config": {}
               }
             ]
           }
-        }
-      ]
-    }
-  ],
-  "admin": {
-    "access_log_path": "/dev/stdout",
-    "address": "tcp://{{ ip_loopback_address }}:0"
-  },
-  "cluster_manager": {
+        ]
+      }
+    ],
     "clusters": [
       {
         "name": "service1",
-        "connect_timeout_ms": 5000,
+        "connect_timeout": "5s",
         "type": "static",
-        "lb_type": "round_robin",
+        "lb_policy": "round_robin",
         "hosts": [
           {
-            "url": "tcp://{{ ip_loopback_address }}:{{ upstream_0 }}"
+            "socket_address": {
+              "address": "{{ ntop_ip_loopback_address }}",
+              "port_value": "{{ upstream_0 }}"
+            }
           }
         ]
       }