Merge remote-tracking branch 'origin/main' into metadatavhost

.github/workflows/mobile-compile_time_options.yml

@@ -56,51 +56,13 @@ jobs:
             build
             --config=mobile-remote-ci-cc-no-exceptions
             //test/performance:test_binary_size //library/cc/...
-        - name: Running C++ tests with xDS enabled
-          target: cc-tests-xds-enabled
-          args: >-
-            test
-            --config=mobile-remote-ci-cc-xds-enabled
-            //test/common/integration/...
         - name: Running C++ tests with full protos enabled
           target: cc-tests-full-protos-enabled
           args: >-
             test
             --config=mobile-remote-ci-cc-full-protos-enabled
             //test/common/... //test/cc/...
 
-  build:
-    permissions:
-      contents: read
-      packages: read
-    uses: ./.github/workflows/_run.yml
-    if: ${{ fromJSON(needs.load.outputs.request).run.mobile-compile-time-options }}
-    needs: load
-    with:
-      args: ${{ matrix.args }}
-      command: ./bazelw
-      container-command:
-      request: ${{ needs.load.outputs.request }}
-      runs-on: macos-12
-      source: ${{ matrix.source }}
-      steps-pre: ${{ matrix.steps-pre }}
-      target: ${{ matrix.target || matrix.name }}
-      trusted: ${{ fromJSON(needs.load.outputs.trusted) }}
-      timeout-minutes: 120
-      working-directory: mobile
-    strategy:
-      fail-fast: false
-      matrix:
-        include:
-        - name: swift-build
-          args: >-
-            build
-            --config=mobile-remote-ci-macos-swift
-            //library/swift:ios_framework
-          source: |
-            source ./ci/mac_ci_setup.sh
-            ./bazelw shutdown
-
   request:
     secrets:
       app-id: ${{ secrets.ENVOY_CI_APP_ID }}

.github/workflows/mobile-release.yml

@@ -72,13 +72,6 @@ jobs:
             --define=pom_version=$VERSION
             //:android_dist
           output: envoy
-        - target: xds-release
-          args: >-
-            build
-            --config=mobile-remote-release-clang-android-publish-xds
-            --define=pom_version=$VERSION
-            //:android_xds_dist
-          output: envoy_xds
 
   deploy:
     needs: release
@@ -92,7 +85,6 @@ jobs:
       matrix:
         include:
         - output: envoy
-        - output: envoy_xds
     steps:
     - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29  # v4.1.6
       with:

api/envoy/extensions/quic/server_preferred_address/v3/datasource.proto

@@ -0,0 +1,53 @@
+syntax = "proto3";
+
+package envoy.extensions.quic.server_preferred_address.v3;
+
+import "envoy/config/core/v3/base.proto";
+
+import "xds/annotations/v3/status.proto";
+
+import "udpa/annotations/status.proto";
+import "validate/validate.proto";
+
+option java_package = "io.envoyproxy.envoy.extensions.quic.server_preferred_address.v3";
+option java_outer_classname = "DatasourceProto";
+option java_multiple_files = true;
+option go_package = "github.com/envoyproxy/go-control-plane/envoy/extensions/quic/server_preferred_address/v3;server_preferred_addressv3";
+option (udpa.annotations.file_status).package_version_status = ACTIVE;
+
+// [#protodoc-title: QUIC DataSource server preferred address config]
+// [#extension: envoy.quic.server_preferred_address.datasource]
+
+// Configuration for DataSourceServerPreferredAddressConfig.
+message DataSourceServerPreferredAddressConfig {
+  // [#comment:TODO(danzh2010): discuss with API shepherds before removing WiP status.]
+
+  option (xds.annotations.v3.message_status).work_in_progress = true;
+
+  // Addresses for server preferred address for a single address family (IPv4 or IPv6).
+  message AddressFamilyConfig {
+    // The server preferred address sent to clients. The data must contain an IP address string.
+    config.core.v3.DataSource address = 1 [(validate.rules).message = {required: true}];
+
+    // The server preferred address port sent to clients. The data must contain a integer port value.
+    //
+    // If this is not specified, the listener's port is used.
+    //
+    // Note: Envoy currently must receive all packets for a QUIC connection on the same port, so unless
+    // :ref:`dnat_address <envoy_v3_api_field_extensions.quic.server_preferred_address.v3.DataSourceServerPreferredAddressConfig.AddressFamilyConfig.dnat_address>`
+    // is configured, this must be left unset.
+    config.core.v3.DataSource port = 2;
+
+    // If there is a DNAT between the client and Envoy, the address that Envoy will observe
+    // server preferred address packets being sent to. If this is not specified, it is assumed
+    // there is no DNAT and the server preferred address packets will be sent to the address advertised
+    // to clients for server preferred address.
+    config.core.v3.DataSource dnat_address = 3;
+  }
+
+  // The IPv4 address to advertise to clients for Server Preferred Address.
+  AddressFamilyConfig ipv4_config = 1;
+
+  // The IPv6 address to advertise to clients for Server Preferred Address.
+  AddressFamilyConfig ipv6_config = 2;
+}

api/envoy/extensions/quic/server_preferred_address/v3/fixed_server_preferred_address_config.proto

@@ -14,7 +14,7 @@ option java_multiple_files = true;
 option go_package = "github.com/envoyproxy/go-control-plane/envoy/extensions/quic/server_preferred_address/v3;server_preferred_addressv3";
 option (udpa.annotations.file_status).package_version_status = ACTIVE;
 
-// [#protodoc-title: QUIC server preferred address config]
+// [#protodoc-title: QUIC fixed server preferred address config]
 // [#extension: envoy.quic.server_preferred_address.fixed]
 
 // Configuration for FixedServerPreferredAddressConfig.

changelogs/current.yaml

@@ -434,9 +434,14 @@ new_features:
     Added :ref:`strip_failure_response
     <envoy_v3_api_field_extensions.filters.http.jwt_authn.v3.JwtAuthentication.strip_failure_response>`
     to allow stripping the failure response details from the JWT authentication filter.
-- area: access_log
+- area: formatter
   change: |
     added formatters for :ref:`METADATA(VIRTUAL_HOST)<envoy_v3_api_msg_extensions.formatter.metadata.v3.Metadata>`.
+- area: quic
+  change: |
+    Added :ref:`DataSourceServerPreferredAddressConfig
+    <envoy_v3_api_msg_extensions.quic.server_preferred_address.v3.DataSourceServerPreferredAddressConfig>` for cases when
+    the control plane does not know the correct configuration for the server preferred address.
 - area: tls
   change: |
     added support to match against ``OtherName`` SAN Type under :ref:`match_typed_subject_alt_names

envoy/ssl/context.h

@@ -5,6 +5,7 @@
 
 #include "envoy/admin/v3/certs.pb.h"
 #include "envoy/common/pure.h"
+#include "envoy/common/time.h"
 
 #include "absl/types/optional.h"
 
@@ -50,5 +51,44 @@ using ClientContextSharedPtr = std::shared_ptr<ClientContext>;
 class ServerContext : public virtual Context {};
 using ServerContextSharedPtr = std::shared_ptr<ServerContext>;
 
+class OcspResponseWrapper {
+public:
+  virtual ~OcspResponseWrapper() = default;
+  /**
+   * @returns the seconds until this OCSP response expires.
+   */
+  virtual uint64_t secondsUntilExpiration() const PURE;
+
+  /**
+   * @return The beginning of the validity window for this response.
+   */
+  virtual Envoy::SystemTime getThisUpdate() const PURE;
+
+  /**
+   * The time at which this response is considered to expire. If
+   * the underlying response does not have a value, then the current
+   * time is returned.
+   *
+   * @return The end of the validity window for this response.
+   */
+  virtual Envoy::SystemTime getNextUpdate() const PURE;
+
+  /**
+   * Determines whether the OCSP response can no longer be considered valid.
+   * This can be true if the nextUpdate field of the response has passed
+   * or is not present, indicating that there is always more updated information
+   * available.
+   *
+   * @returns bool if the OCSP response is expired.
+   */
+  virtual bool isExpired() PURE;
+
+  /**
+   * @return std::vector<uint8_t>& a reference to the underlying bytestring representation
+   * of the OCSP response
+   */
+  virtual const std::vector<uint8_t>& rawBytes() const PURE;
+};
+
 } // namespace Ssl
 } // namespace Envoy

mobile/.bazelrc

@@ -265,6 +265,7 @@ test:mobile-remote-ci-cc-full-protos-enabled --define=envoy_full_protos=enabled
 build:mobile-remote-ci-macos-kotlin --config=mobile-remote-ci-macos
 build:mobile-remote-ci-macos-kotlin --fat_apk_cpu=x86_64
 
+# TODO(alyssar) remove in a follow-up PR
 build:mobile-remote-ci-macos-swift --config=mobile-remote-ci-macos
 build:mobile-remote-ci-macos-swift --config=mobile-test-ios
 build:mobile-remote-ci-macos-swift --@envoy//bazel:http3=False

mobile/library/cc/engine_builder.cc

@@ -41,94 +41,6 @@
 namespace Envoy {
 namespace Platform {
 
-#ifdef ENVOY_MOBILE_XDS
-XdsBuilder::XdsBuilder(std::string xds_server_address, const uint32_t xds_server_port)
-    : xds_server_address_(std::move(xds_server_address)), xds_server_port_(xds_server_port) {}
-
-XdsBuilder& XdsBuilder::addInitialStreamHeader(std::string header, std::string value) {
-  envoy::config::core::v3::HeaderValue header_value;
-  header_value.set_key(std::move(header));
-  header_value.set_value(std::move(value));
-  xds_initial_grpc_metadata_.emplace_back(std::move(header_value));
-  return *this;
-}
-
-XdsBuilder& XdsBuilder::setSslRootCerts(std::string root_certs) {
-  ssl_root_certs_ = std::move(root_certs);
-  return *this;
-}
-
-XdsBuilder& XdsBuilder::addRuntimeDiscoveryService(std::string resource_name,
-                                                   const int timeout_in_seconds) {
-  rtds_resource_name_ = std::move(resource_name);
-  rtds_timeout_in_seconds_ = timeout_in_seconds > 0 ? timeout_in_seconds : DefaultXdsTimeout;
-  return *this;
-}
-
-XdsBuilder& XdsBuilder::addClusterDiscoveryService(std::string cds_resources_locator,
-                                                   const int timeout_in_seconds) {
-  enable_cds_ = true;
-  cds_resources_locator_ = std::move(cds_resources_locator);
-  cds_timeout_in_seconds_ = timeout_in_seconds > 0 ? timeout_in_seconds : DefaultXdsTimeout;
-  return *this;
-}
-
-void XdsBuilder::build(envoy::config::bootstrap::v3::Bootstrap& bootstrap) const {
-  auto* ads_config = bootstrap.mutable_dynamic_resources()->mutable_ads_config();
-  ads_config->set_transport_api_version(envoy::config::core::v3::ApiVersion::V3);
-  ads_config->set_set_node_on_first_message_only(true);
-  ads_config->set_api_type(envoy::config::core::v3::ApiConfigSource::GRPC);
-
-  auto& grpc_service = *ads_config->add_grpc_services();
-  grpc_service.mutable_envoy_grpc()->set_cluster_name("base");
-  grpc_service.mutable_envoy_grpc()->set_authority(
-      absl::StrCat(xds_server_address_, ":", xds_server_port_));
-
-  if (!xds_initial_grpc_metadata_.empty()) {
-    grpc_service.mutable_initial_metadata()->Assign(xds_initial_grpc_metadata_.begin(),
-                                                    xds_initial_grpc_metadata_.end());
-  }
-
-  if (!rtds_resource_name_.empty()) {
-    auto* layered_runtime = bootstrap.mutable_layered_runtime();
-    auto* layer = layered_runtime->add_layers();
-    layer->set_name("rtds_layer");
-    auto* rtds_layer = layer->mutable_rtds_layer();
-    rtds_layer->set_name(rtds_resource_name_);
-    auto* rtds_config = rtds_layer->mutable_rtds_config();
-    rtds_config->mutable_ads();
-    rtds_config->set_resource_api_version(envoy::config::core::v3::ApiVersion::V3);
-    rtds_config->mutable_initial_fetch_timeout()->set_seconds(rtds_timeout_in_seconds_);
-  }
-
-  if (enable_cds_) {
-    auto* cds_config = bootstrap.mutable_dynamic_resources()->mutable_cds_config();
-    if (cds_resources_locator_.empty()) {
-      cds_config->mutable_ads();
-    } else {
-      bootstrap.mutable_dynamic_resources()->set_cds_resources_locator(cds_resources_locator_);
-      cds_config->mutable_api_config_source()->set_api_type(
-          envoy::config::core::v3::ApiConfigSource::AGGREGATED_GRPC);
-      cds_config->mutable_api_config_source()->set_transport_api_version(
-          envoy::config::core::v3::ApiVersion::V3);
-    }
-    cds_config->mutable_initial_fetch_timeout()->set_seconds(cds_timeout_in_seconds_);
-    cds_config->set_resource_api_version(envoy::config::core::v3::ApiVersion::V3);
-    bootstrap.add_node_context_params("cluster");
-    // Stat prefixes that we use in tests.
-    auto* list =
-        bootstrap.mutable_stats_config()->mutable_stats_matcher()->mutable_inclusion_list();
-    list->add_patterns()->set_exact("cluster_manager.active_clusters");
-    list->add_patterns()->set_exact("cluster_manager.cluster_added");
-    list->add_patterns()->set_exact("cluster_manager.cluster_updated");
-    list->add_patterns()->set_exact("cluster_manager.cluster_removed");
-    // Allow SDS related stats.
-    list->add_patterns()->mutable_safe_regex()->set_regex("sds\\..*");
-    list->add_patterns()->mutable_safe_regex()->set_regex(".*\\.ssl_context_update_by_sds");
-  }
-}
-#endif
-
 EngineBuilder::EngineBuilder() : callbacks_(std::make_unique<EngineCallbacks>()) {
 #ifndef ENVOY_ENABLE_QUIC
   enable_http3_ = false;
@@ -340,33 +252,6 @@ EngineBuilder& EngineBuilder::enforceTrustChainVerification(bool trust_chain_ver
   return *this;
 }
 
-EngineBuilder& EngineBuilder::setNodeId(std::string node_id) {
-  node_id_ = std::move(node_id);
-  return *this;
-}
-
-EngineBuilder& EngineBuilder::setNodeLocality(std::string region, std::string zone,
-                                              std::string sub_zone) {
-  node_locality_ = {std::move(region), std::move(zone), std::move(sub_zone)};
-  return *this;
-}
-
-EngineBuilder& EngineBuilder::setNodeMetadata(ProtobufWkt::Struct node_metadata) {
-  node_metadata_ = std::move(node_metadata);
-  return *this;
-}
-
-#ifdef ENVOY_MOBILE_XDS
-EngineBuilder& EngineBuilder::setXds(XdsBuilder xds_builder) {
-  xds_builder_ = std::move(xds_builder);
-  // Add the XdsBuilder's xDS server hostname and port to the list of DNS addresses to preresolve in
-  // the `base` DFP cluster.
-  dns_preresolve_hostnames_.push_back(
-      {xds_builder_->xds_server_address_ /* host */, xds_builder_->xds_server_port_ /* port */});
-  return *this;
-}
-#endif
-
 EngineBuilder& EngineBuilder::setUpstreamTlsSni(std::string sni) {
   upstream_tls_sni_ = std::move(sni);
   return *this;
@@ -638,11 +523,6 @@ std::unique_ptr<envoy::config::bootstrap::v3::Bootstrap> EngineBuilder::generate
     validation->mutable_custom_validator_config()->mutable_typed_config()->PackFrom(validator);
   } else {
     std::string certs;
-#ifdef ENVOY_MOBILE_XDS
-    if (xds_builder_ && !xds_builder_->ssl_root_certs_.empty()) {
-      certs = xds_builder_->ssl_root_certs_;
-    }
-#endif
 
     if (certs.empty()) {
       // The xDS builder doesn't supply root certs, so we'll use the certs packed with Envoy Mobile,
@@ -857,16 +737,8 @@ std::unique_ptr<envoy::config::bootstrap::v3::Bootstrap> EngineBuilder::generate
 
   // Set up node
   auto* node = bootstrap->mutable_node();
-  node->set_id(node_id_.empty() ? "envoy-mobile" : node_id_);
+  node->set_id("envoy-mobile");
   node->set_cluster("envoy-mobile");
-  if (node_locality_ && !node_locality_->region.empty()) {
-    node->mutable_locality()->set_region(node_locality_->region);
-    node->mutable_locality()->set_zone(node_locality_->zone);
-    node->mutable_locality()->set_sub_zone(node_locality_->sub_zone);
-  }
-  if (node_metadata_.has_value()) {
-    *node->mutable_metadata() = *node_metadata_;
-  }
   ProtobufWkt::Struct& metadata = *node->mutable_metadata();
   (*metadata.mutable_fields())["app_id"].set_string_value(app_id_);
   (*metadata.mutable_fields())["app_version"].set_string_value(app_version_);
@@ -905,11 +777,6 @@ std::unique_ptr<envoy::config::bootstrap::v3::Bootstrap> EngineBuilder::generate
       *dns_cache_config->mutable_typed_dns_resolver_config());
 
   bootstrap->mutable_dynamic_resources();
-#ifdef ENVOY_MOBILE_XDS
-  if (xds_builder_) {
-    xds_builder_->build(*bootstrap);
-  }
-#endif
 
   envoy::config::listener::v3::ApiListenerManager api;
   auto* listener_manager = bootstrap->mutable_listener_manager();