sync from master

.bazelrc

@@ -20,6 +20,9 @@ build --host_javabase=@bazel_tools//tools/jdk:remote_jdk11
 build --javabase=@bazel_tools//tools/jdk:remote_jdk11
 build --enable_platform_specific_config
 
+# Allow tags to influence execution requirements
+common --experimental_allow_tags_propagation
+
 # Enable position independent code (this is the default on macOS and Windows)
 # (Workaround for https://github.com/bazelbuild/rules_foreign_cc/issues/421)
 build:linux --copt=-fPIC

.github/workflows/codeql-daily.yml

@@ -13,7 +13,7 @@ jobs:
 
     steps:
     - name: Checkout repository
-      uses: actions/checkout@5a4ac9002d0be2fb38bd78e4b4dbde5606d7042f # v2.3.4
+      uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 # v2.3.4
       with:
         # We must fetch at least the immediate parents so that if this is
         # a pull request then we can checkout the head.

.github/workflows/codeql-push.yml

@@ -15,7 +15,7 @@ jobs:
 
     steps:
     - name: Checkout repository
-      uses: actions/checkout@5a4ac9002d0be2fb38bd78e4b4dbde5606d7042f # v2.3.4
+      uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 # v2.3.4
       with:
         # We must fetch at least the immediate parents so that if this is
         # a pull request then we can checkout the head.

.github/workflows/pr_notifier.yml

@@ -10,7 +10,7 @@ jobs:
     if: github.repository_owner == 'envoyproxy'
 
     steps:
-    - uses: actions/checkout@v2
+    - uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579
     - name: Set up Python 3.8
       uses: actions/setup-python@v2
       with:

OWNERS.md

@@ -67,6 +67,8 @@ without further review.
 * Tony Allen ([tonya11en](https://github.com/tonya11en)) (tony@allen.gg)
 * Yan Avlasov ([yanavlasov](https://github.com/yanavlasov)) (yavlasov@google.com)
 * William A Rowe Jr ([wrowe](https://github.com/wrowe)) (wrowe@vmware.com)
+* Otto van der Schaaf ([oschaaf](https://github.com/oschaaf)) (oschaaf@redhat.com)
+* Tim Walsh ([twghu](https://github.com/twghu)) (walsh@redhat.com)
 
 # Emeritus maintainers
 

RELEASES.md

@@ -26,7 +26,7 @@ to execute tests on it.
 ### Security releases
 
 Critical security fixes are owned by the Envoy security team, which provides fixes for the
-`main` branch, and the latest release branch. Once those fixes are ready, the maintainers
+`main` branch. Once those fixes are ready, the maintainers
 of stable releases backport them to the remaining supported stable releases.
 
 ### Backports
@@ -55,6 +55,7 @@ stable releases and sending announcements about them. This role is rotating on a
 | 2021 Q1 | Rei Shimizu ([Shikugawa](https://github.com/Shikugawa))        |
 | 2021 Q2 | Dmitri Dolguikh ([dmitri-d](https://github.com/dmitri-d))      |
 | 2021 Q3 | Takeshi Yoneda ([mathetake](https://github.com/mathetake))     |
+| 2021 Q4 | Otto van der Schaaf ([oschaaf](https://github.com/oschaaf))    |
 
 ## Release schedule
 

api/BUILD

@@ -193,6 +193,7 @@ proto_library(
         "//envoy/extensions/filters/network/sni_cluster/v3:pkg",
         "//envoy/extensions/filters/network/sni_dynamic_forward_proxy/v3:pkg",
         "//envoy/extensions/filters/network/tcp_proxy/v3:pkg",
+        "//envoy/extensions/filters/network/thrift_proxy/filters/header_to_metadata/v3:pkg",
         "//envoy/extensions/filters/network/thrift_proxy/filters/ratelimit/v3:pkg",
         "//envoy/extensions/filters/network/thrift_proxy/router/v3:pkg",
         "//envoy/extensions/filters/network/thrift_proxy/v3:pkg",

api/bazel/repository_locations.bzl

@@ -32,9 +32,9 @@ REPOSITORY_LOCATIONS_SPEC = dict(
         project_name = "Bazel build tools",
         project_desc = "Developer tools for working with Google's bazel buildtool.",
         project_url = "https://github.com/bazelbuild/buildtools",
-        version = "4.2.2",
-        sha256 = "ae34c344514e08c23e90da0e2d6cb700fcd28e80c02e23e4d5715dddcb42f7b3",
-        release_date = "2021-10-07",
+        version = "4.2.3",
+        sha256 = "614c84128ddb86aab4e1f25ba2e027d32fd5c6da302ae30685b9d7973b13da1b",
+        release_date = "2021-10-26",
         strip_prefix = "buildtools-{version}",
         urls = ["https://github.com/bazelbuild/buildtools/archive/{version}.tar.gz"],
         use_category = ["api"],

api/envoy/admin/v3/server_info.proto

@@ -58,7 +58,7 @@ message ServerInfo {
   config.core.v3.Node node = 7;
 }
 
-// [#next-free-field: 38]
+// [#next-free-field: 39]
 message CommandLineOptions {
   option (udpa.annotations.versioning).previous_message_type =
       "envoy.admin.v2alpha.CommandLineOptions";
@@ -189,4 +189,7 @@ message CommandLineOptions {
 
   // See :option:`--enable-core-dump` for details.
   bool enable_core_dump = 37;
+
+  // See :option:`--stats-tag` for details.
+  repeated string stats_tag = 38;
 }

api/envoy/config/core/v3/protocol.proto

@@ -83,15 +83,12 @@ message QuicProtocolOptions {
   google.protobuf.UInt32Value initial_connection_window_size = 3
       [(validate.rules).uint32 = {lte: 25165824 gte: 1}];
 
-  // [#not-implemented-hide:] Hiding until timeout config is supported.
   // The number of timeouts that can occur before port migration is triggered for QUIC clients.
-  // This defaults to 1. If sets to 0, port migration will not occur.
+  // This defaults to 1. If set to 0, port migration will not occur on path degrading.
   // Timeout here refers to QUIC internal path degrading timeout mechanism, such as PTO.
   // This has no effect on server sessions.
-  // Currently the value can only be 0 or 1.
-  // TODO(renjietang): Plumb through quiche to make this config able to adjust the amount of timeouts needed to trigger port migration.
   google.protobuf.UInt32Value num_timeouts_to_trigger_port_migration = 4
-      [(validate.rules).uint32 = {lte: 1 gte: 0}];
+      [(validate.rules).uint32 = {lte: 5 gte: 0}];
 
   // Probes the peer at the configured interval to solicit traffic, i.e. ACK or PATH_RESPONSE, from the peer to push back connection idle timeout.
   // If absent, use the default keepalive behavior of which a client connection sends PINGs every 15s, and a server connection doesn't do anything.
@@ -411,17 +408,13 @@ message Http2ProtocolOptions {
   // be written into the socket). Exceeding this limit triggers flood mitigation and connection is
   // terminated. The ``http2.outbound_flood`` stat tracks the number of terminated connections due
   // to flood mitigation. The default limit is 10000.
-  // NOTE: flood and abuse mitigation for upstream connections is presently enabled by the
-  // `envoy.reloadable_features.upstream_http2_flood_checks` flag.
   google.protobuf.UInt32Value max_outbound_frames = 7 [(validate.rules).uint32 = {gte: 1}];
 
   // Limit the number of pending outbound downstream frames of types PING, SETTINGS and RST_STREAM,
   // preventing high memory utilization when receiving continuous stream of these frames. Exceeding
   // this limit triggers flood mitigation and connection is terminated. The
   // ``http2.outbound_control_flood`` stat tracks the number of terminated connections due to flood
   // mitigation. The default limit is 1000.
-  // NOTE: flood and abuse mitigation for upstream connections is presently enabled by the
-  // `envoy.reloadable_features.upstream_http2_flood_checks` flag.
   google.protobuf.UInt32Value max_outbound_control_frames = 8 [(validate.rules).uint32 = {gte: 1}];
 
   // Limit the number of consecutive inbound frames of types HEADERS, CONTINUATION and DATA with an
@@ -430,8 +423,6 @@ message Http2ProtocolOptions {
   // stat tracks the number of connections terminated due to flood mitigation.
   // Setting this to 0 will terminate connection upon receiving first frame with an empty payload
   // and no end stream flag. The default limit is 1.
-  // NOTE: flood and abuse mitigation for upstream connections is presently enabled by the
-  // `envoy.reloadable_features.upstream_http2_flood_checks` flag.
   google.protobuf.UInt32Value max_consecutive_inbound_frames_with_empty_payload = 9;
 
   // Limit the number of inbound PRIORITY frames allowed per each opened stream. If the number
@@ -445,8 +436,6 @@ message Http2ProtocolOptions {
   // `opened_streams` is incremented when Envoy send the HEADERS frame for a new stream. The
   // ``http2.inbound_priority_frames_flood`` stat tracks
   // the number of connections terminated due to flood mitigation. The default limit is 100.
-  // NOTE: flood and abuse mitigation for upstream connections is presently enabled by the
-  // `envoy.reloadable_features.upstream_http2_flood_checks` flag.
   google.protobuf.UInt32Value max_inbound_priority_frames_per_stream = 10;
 
   // Limit the number of inbound WINDOW_UPDATE frames allowed per DATA frame sent. If the number
@@ -463,8 +452,6 @@ message Http2ProtocolOptions {
   // flood mitigation. The default max_inbound_window_update_frames_per_data_frame_sent value is 10.
   // Setting this to 1 should be enough to support HTTP/2 implementations with basic flow control,
   // but more complex implementations that try to estimate available bandwidth require at least 2.
-  // NOTE: flood and abuse mitigation for upstream connections is presently enabled by the
-  // `envoy.reloadable_features.upstream_http2_flood_checks` flag.
   google.protobuf.UInt32Value max_inbound_window_update_frames_per_data_frame_sent = 11
       [(validate.rules).uint32 = {gte: 1}];
 

api/envoy/extensions/access_loggers/grpc/v3/als.proto

@@ -2,6 +2,7 @@ syntax = "proto3";
 
 package envoy.extensions.access_loggers.grpc.v3;
 
+import "envoy/config/core/v3/base.proto";
 import "envoy/config/core/v3/config_source.proto";
 import "envoy/config/core/v3/grpc_service.proto";
 
@@ -54,7 +55,7 @@ message TcpGrpcAccessLogConfig {
 }
 
 // Common configuration for gRPC access logs.
-// [#next-free-field: 7]
+// [#next-free-field: 8]
 message CommonGrpcAccessLogConfig {
   option (udpa.annotations.versioning).previous_message_type =
       "envoy.config.accesslog.v2.CommonGrpcAccessLogConfig";
@@ -86,4 +87,13 @@ message CommonGrpcAccessLogConfig {
   // <envoy_v3_api_field_data.accesslog.v3.AccessLogCommon.filter_state_objects>`.
   // Logger will call `FilterState::Object::serializeAsProto` to serialize the filter state object.
   repeated string filter_state_objects_to_log = 5;
+
+  // Sets the retry policy when the establishment of a gRPC stream fails.
+  // If the stream succeeds once in establishing If the stream succeeds
+  // at least once in establishing itself, no retry will be performed
+  // no matter what gRPC status is received. Note that only
+  // :ref:`num_retries <envoy_v3_api_field_config.core.v3.RetryPolicy.num_retries>`
+  // will be used in this configuration. This feature is used only when you are using
+  // :ref:`Envoy gRPC client <envoy_v3_api_field_config.core.v3.GrpcService.envoy_grpc>`.
+  config.core.v3.RetryPolicy grpc_stream_retry_policy = 7;
 }

api/envoy/extensions/filters/http/aws_request_signing/v3/BUILD

@@ -5,5 +5,8 @@ load("@envoy_api//bazel:api_build_system.bzl", "api_proto_package")
 licenses(["notice"])  # Apache 2
 
 api_proto_package(
-    deps = ["@com_github_cncf_udpa//udpa/annotations:pkg"],
+    deps = [
+        "//envoy/type/matcher/v3:pkg",
+        "@com_github_cncf_udpa//udpa/annotations:pkg",
+    ],
 )

api/envoy/extensions/filters/http/aws_request_signing/v3/aws_request_signing.proto

@@ -2,6 +2,8 @@ syntax = "proto3";
 
 package envoy.extensions.filters.http.aws_request_signing.v3;
 
+import "envoy/type/matcher/v3/string.proto";
+
 import "udpa/annotations/status.proto";
 import "udpa/annotations/versioning.proto";
 import "validate/validate.proto";
@@ -16,6 +18,7 @@ option (udpa.annotations.file_status).package_version_status = ACTIVE;
 // [#extension: envoy.filters.http.aws_request_signing]
 
 // Top level configuration for the AWS request signing filter.
+// [#next-free-field: 6]
 message AwsRequestSigning {
   option (udpa.annotations.versioning).previous_message_type =
       "envoy.config.filter.http.aws_request_signing.v2alpha.AwsRequestSigning";
@@ -48,4 +51,15 @@ message AwsRequestSigning {
   // to calculate the payload hash. Not all services support this option. See the `S3
   // <https://docs.aws.amazon.com/AmazonS3/latest/API/sig-v4-header-based-auth.html>`_ policy for details.
   bool use_unsigned_payload = 4;
+
+  // A list of request header string matchers that will be excluded from signing. The excluded header can be matched by
+  // any patterns defined in the StringMatcher proto (e.g. exact string, prefix, regex, etc).
+  //
+  // Example:
+  // match_excluded_headers:
+  // - prefix: x-envoy
+  // - exact: foo
+  // - exact: bar
+  // When applied, all headers that start with "x-envoy" and headers "foo" and "bar" will not be signed.
+  repeated type.matcher.v3.StringMatcher match_excluded_headers = 5;
 }

api/envoy/extensions/filters/http/bandwidth_limit/v3/bandwidth_limit.proto

@@ -19,7 +19,7 @@ option (udpa.annotations.file_status).package_version_status = ACTIVE;
 // Bandwidth limit :ref:`configuration overview <config_http_filters_bandwidth_limit>`.
 // [#extension: envoy.filters.http.bandwidth_limit]
 
-// [#next-free-field: 6]
+// [#next-free-field: 8]
 message BandwidthLimit {
   // Defines the mode for the bandwidth limit filter.
   // Values represent bitmask.
@@ -66,4 +66,19 @@ message BandwidthLimit {
   // Runtime flag that controls whether the filter is enabled or not. If not specified, defaults
   // to enabled.
   config.core.v3.RuntimeFeatureFlag runtime_enabled = 5;
+
+  // Enable response trailers.
+  //
+  // .. note::
+  //
+  //   * If set true, the response trailers *bandwidth-request-delay-ms* and *bandwidth-response-delay-ms* will be added, prefixed by *response_trailer_prefix*.
+  //   * bandwidth-request-delay-ms: delay time in milliseconds it took for the request stream transfer.
+  //   * bandwidth-response-delay-ms: delay time in milliseconds it took for the response stream transfer.
+  //   * If :ref:`enable_mode <envoy_v3_api_field_extensions.filters.http.bandwidth_limit.v3.BandwidthLimit.enable_mode>` is DISABLED or REQUEST, the trailers will not be set.
+  //   * If both the request and response delay time is 0, the trailers will not be set.
+  //
+  bool enable_response_trailers = 6;
+
+  // Optional The prefix for the response trailers.
+  string response_trailer_prefix = 7;
 }

api/envoy/extensions/filters/listener/tls_inspector/v3/tls_inspector.proto

@@ -2,6 +2,8 @@ syntax = "proto3";
 
 package envoy.extensions.filters.listener.tls_inspector.v3;
 
+import "google/protobuf/wrappers.proto";
+
 import "udpa/annotations/status.proto";
 import "udpa/annotations/versioning.proto";
 
@@ -17,4 +19,7 @@ option (udpa.annotations.file_status).package_version_status = ACTIVE;
 message TlsInspector {
   option (udpa.annotations.versioning).previous_message_type =
       "envoy.config.filter.listener.tls_inspector.v2.TlsInspector";
+
+  // Populate `JA3` fingerprint hash using data from the TLS Client Hello packet. Default is false.
+  google.protobuf.BoolValue enable_ja3_fingerprinting = 1;
 }

api/envoy/extensions/filters/network/thrift_proxy/filters/header_to_metadata/v3/BUILD

@@ -0,0 +1,12 @@
+# DO NOT EDIT. This file is generated by tools/proto_format/proto_sync.py.
+
+load("@envoy_api//bazel:api_build_system.bzl", "api_proto_package")
+
+licenses(["notice"])  # Apache 2
+
+api_proto_package(
+    deps = [
+        "//envoy/type/matcher/v3:pkg",
+        "@com_github_cncf_udpa//udpa/annotations:pkg",
+    ],
+)