sync from master.

.bazelversion

@@ -1 +1 @@
-3.7.2
+4.1.0

.github/dependabot.yml

@@ -75,3 +75,13 @@ updates:
     directory: "/tools/testing"
     schedule:
       interval: "daily"
+
+  - package-ecosystem: "docker"
+    directory: "/ci"
+    schedule:
+      interval: daily
+
+  - package-ecosystem: "docker"
+    directory: "/.devcontainer"
+    schedule:
+      interval: daily

CODEOWNERS

@@ -183,6 +183,10 @@ extensions/filters/http/oauth2 @rgs1 @derekargueta @snowp
 /*/extensions/filters/common/ext_authz @esmet @gsagula @dio
 /*/extensions/filters/http/ext_authz @esmet @gsagula @dio
 /*/extensions/filters/network/ext_authz @esmet @gsagula @dio
+# HTTP Bandwidth Limit
+/*/extensions/filters/http/bandwidth_limit @nitgoy @mattklein123 @yanavlasov @tonya11en
 # Original IP detection
 /*/extensions/http/original_ip_detection/custom_header @rgs1 @alyssawilk @antoniovicente
 /*/extensions/http/original_ip_detection/xff @rgs1 @alyssawilk @antoniovicente
+# set_metadata extension
+/*/extensions/filters/http/set_metadata @aguinet @snowp

CONTRIBUTING.md

@@ -259,6 +259,7 @@ API can be found [here](api/STYLE.md#adding-an-extension-configuration-to-the-ap
 Other changes will likely include
 
   * Editing [source/extensions/extensions_build_config.bzl](source/extensions/extensions_build_config.bzl) to include the new extensions
+  * Editing [source/extensions/extensions_metadata.yaml](source/extensions/extensions_metadata.yaml) to include metadata for the new extensions
   * Editing [docs/root/api-v3/config/config.rst](docs/root/api-v3/config/config.rst) to add area/area
   * Adding `docs/root/api-v3/config/area/area.rst` to add a table of contents for the API docs
   * Adding `source/extensions/area/well_known_names.h` for registered plugins

DEVELOPER.md

@@ -19,6 +19,8 @@ Below is a list of additional documentation to aid the development process:
 
 - [Guide to Envoy Bazel rules (managing `BUILD` files)](https://github.com/envoyproxy/envoy/blob/main/bazel/DEVELOPER.md)
 
+- [Guide to setup development environment with Visual Studio Code](https://github.com/envoyproxy/envoy/blob/main/tools/vscode/README.md)
+
 - [Using Docker for building and testing](https://github.com/envoyproxy/envoy/tree/main/ci)
 
 - [Guide to contributing to Envoy](https://github.com/envoyproxy/envoy/blob/main/CONTRIBUTING.md)

SECURITY.md

@@ -449,22 +449,23 @@ and security team to ensure they still qualify for inclusion on the list.
 
 ### Members
 
-| E-mail                                                | Organization  | End User | Last Review |
-|-------------------------------------------------------|:-------------:|:--------:|:-----------:|
-| envoy-security-team@aspenmesh.io                      | Aspen Mesh    | No       | 12/19       |
-| aws-app-mesh-security@amazon.com                      | AWS           | No       | 12/19       |
-| security@cilium.io                                    | Cilium        | No       | 12/19       |
-| vulnerabilityreports@cloudfoundry.org                 | Cloud Foundry | No       | 12/19       |
-| secalert@datawire.io                                  | Datawire      | No       | 12/19       |
-| google-internal-envoy-security@google.com             | Google        | No       | 12/19       |
-| argoprod@us.ibm.com                                   | IBM           | No       | 12/19       |
-| istio-security-vulnerability-reports@googlegroups.com | Istio         | No       | 12/19       |
-| envoy-security@microsoft.com                          | Microsoft     | No       | 2/21        |
-| secalert@redhat.com                                   | Red Hat       | No       | 12/19       |
-| envoy-security@solo.io                                | solo.io       | No       | 12/19       |
-| envoy-security@tetrate.io                             | Tetrate       | No       | 12/19       |
-| security@vmware.com                                   | VMware        | No       | 12/19       |
-| envoy-security@pinterest.com                          | Pinterest     | Yes      | 12/19       |
-| envoy-security@dropbox.com                            | Dropbox       | Yes      | 01/20       |
-| envoy-security-predisclosure@stripe.com               | Stripe        | Yes      | 01/20       |
-| envoy-security@squareup.com                           | Square        | Yes      | 05/21       |
+| Organization  | End User | Last Review |
+|:-------------:|:--------:|:-----------:|
+| Aspen Mesh    | No       | 12/19       |
+| AWS           | No       | 12/19       |
+| Cilium        | No       | 12/19       |
+| Cloud Foundry | No       | 12/19       |
+| Datawire      | No       | 12/19       |
+| Google        | No       | 12/19       |
+| IBM           | No       | 12/19       |
+| Istio         | No       | 12/19       |
+| Microsoft     | No       | 2/21        |
+| Red Hat       | No       | 12/19       |
+| solo.io       | No       | 12/19       |
+| Tetrate       | No       | 12/19       |
+| VMware        | No       | 12/19       |
+| Pinterest     | Yes      | 12/19       |
+| Dropbox       | Yes      | 01/20       |
+| Stripe        | Yes      | 01/20       |
+| Square        | Yes      | 05/21       |
+| Apple         | Yes      | 05/21       |

api/BUILD

@@ -177,6 +177,7 @@ proto_library(
         "//envoy/extensions/filters/http/admission_control/v3alpha:pkg",
         "//envoy/extensions/filters/http/aws_lambda/v3:pkg",
         "//envoy/extensions/filters/http/aws_request_signing/v3:pkg",
+        "//envoy/extensions/filters/http/bandwidth_limit/v3alpha:pkg",
         "//envoy/extensions/filters/http/buffer/v3:pkg",
         "//envoy/extensions/filters/http/cache/v3alpha:pkg",
         "//envoy/extensions/filters/http/cdn_loop/v3alpha:pkg",
@@ -209,6 +210,7 @@ proto_library(
         "//envoy/extensions/filters/http/ratelimit/v3:pkg",
         "//envoy/extensions/filters/http/rbac/v3:pkg",
         "//envoy/extensions/filters/http/router/v3:pkg",
+        "//envoy/extensions/filters/http/set_metadata/v3:pkg",
         "//envoy/extensions/filters/http/squash/v3:pkg",
         "//envoy/extensions/filters/http/tap/v3:pkg",
         "//envoy/extensions/filters/http/wasm/v3:pkg",

api/STYLE.md

@@ -113,11 +113,11 @@ organization](#package-organization) above.
 To add an extension config to the API, the steps below should be followed:
 
 1. If this is still WiP and subject to breaking changes, use `vNalpha` instead of `vN` in steps
-   below. Refer to the [Cache filter config](envoy/extensions/filter/http/cache/v3alpha/cache.proto)
+   below. Refer to the [Cache filter config](envoy/extensions/filters/http/cache/v3alpha/cache.proto)
    as an example of `v3alpha`, and the
-   [Buffer filter config](envoy/extensions/filter/http/buffer/v3/buffer.proto) as an example of `v3`.
+   [Buffer filter config](envoy/extensions/filters/http/buffer/v3/buffer.proto) as an example of `v3`.
 1. Place the v3 extension configuration `.proto` in `api/envoy/extensions`, e.g.
-   `api/envoy/extensions/filter/http/foobar/v3/foobar.proto` together with an initial BUILD file:
+   `api/envoy/extensions/filters/http/foobar/v3/foobar.proto` together with an initial BUILD file:
    ```bazel
    load("@envoy_api//bazel:api_build_system.bzl", "api_proto_package")
 

api/envoy/config/core/v3/resolver.proto

@@ -0,0 +1,24 @@
+syntax = "proto3";
+
+package envoy.config.core.v3;
+
+import "envoy/config/core/v3/address.proto";
+
+import "udpa/annotations/status.proto";
+import "validate/validate.proto";
+
+option java_package = "io.envoyproxy.envoy.config.core.v3";
+option java_outer_classname = "ResolverProto";
+option java_multiple_files = true;
+option (udpa.annotations.file_status).package_version_status = ACTIVE;
+
+// [#protodoc-title: Resolver]
+
+// DNS resolver configuration which includes the underlying dns resolver addresses and options.
+message DnsResolver {
+  // A list of dns resolver addresses
+  // Setting this value causes failure if the
+  // ``envoy.restart_features.use_apple_api_for_dns_lookups`` runtime value is true during
+  // server startup. Apple's API only allows overriding DNS resolvers via system settings.
+  repeated Address resolvers = 1 [(validate.rules).repeated = {min_items: 1}];
+}

api/envoy/config/listener/v3/quic_config.proto

@@ -6,9 +6,11 @@ import "envoy/config/core/v3/base.proto";
 import "envoy/config/core/v3/protocol.proto";
 
 import "google/protobuf/duration.proto";
+import "google/protobuf/wrappers.proto";
 
 import "udpa/annotations/status.proto";
 import "udpa/annotations/versioning.proto";
+import "validate/validate.proto";
 
 option java_package = "io.envoyproxy.envoy.config.listener.v3";
 option java_outer_classname = "QuicConfigProto";
@@ -18,6 +20,7 @@ option (udpa.annotations.file_status).package_version_status = ACTIVE;
 // [#protodoc-title: QUIC listener config]
 
 // Configuration specific to the UDP QUIC listener.
+// [#next-free-field: 6]
 message QuicProtocolOptions {
   option (udpa.annotations.versioning).previous_message_type =
       "envoy.api.v2.listener.QuicProtocolOptions";
@@ -35,4 +38,14 @@ message QuicProtocolOptions {
   // Runtime flag that controls whether the listener is enabled or not. If not specified, defaults
   // to enabled.
   core.v3.RuntimeFeatureFlag enabled = 4;
+
+  // A multiplier to number of connections which is used to determine how many packets to read per
+  // event loop. A reasonable number should allow the listener to process enough payload but not
+  // starve TCP and other UDP sockets and also prevent long event loop duration.
+  // The default value is 32. This means if there are N QUIC connections, the total number of
+  // packets to read in each read event will be 32 * N.
+  // The actual number of packets to read in total by the UDP listener is also
+  // bound by 6000, regardless of this field or how many connections there are.
+  google.protobuf.UInt32Value packets_to_read_to_connection_count_ratio = 5
+      [(validate.rules).uint32 = {gte: 1}];
 }

api/envoy/config/route/v3/route_components.proto

@@ -1885,8 +1885,8 @@ message HeaderMatcher {
     //   "-1somestring"
     type.v3.Int64Range range_match = 6;
 
-    // If specified, header match will be performed based on whether the header is in the
-    // request.
+    // If specified as true, header match will be performed based on whether the header is in the
+    // request. If specified as false, header match will be performed based on whether the header is absent.
     bool present_match = 7;
 
     // If specified, header match will be performed based on the prefix of the header value.

api/envoy/extensions/common/dynamic_forward_proxy/v3/BUILD

@@ -8,6 +8,7 @@ api_proto_package(
     deps = [
         "//envoy/config/cluster/v3:pkg",
         "//envoy/config/common/dynamic_forward_proxy/v2alpha:pkg",
+        "//envoy/config/core/v3:pkg",
         "@com_github_cncf_udpa//udpa/annotations:pkg",
     ],
 )

api/envoy/extensions/common/dynamic_forward_proxy/v3/dns_cache.proto

@@ -3,6 +3,7 @@ syntax = "proto3";
 package envoy.extensions.common.dynamic_forward_proxy.v3;
 
 import "envoy/config/cluster/v3/cluster.proto";
+import "envoy/config/core/v3/resolver.proto";
 
 import "google/protobuf/duration.proto";
 import "google/protobuf/wrappers.proto";
@@ -27,7 +28,7 @@ message DnsCacheCircuitBreakers {
 
 // Configuration for the dynamic forward proxy DNS cache. See the :ref:`architecture overview
 // <arch_overview_http_dynamic_forward_proxy>` for more information.
-// [#next-free-field: 9]
+// [#next-free-field: 10]
 message DnsCacheConfig {
   option (udpa.annotations.versioning).previous_message_type =
       "envoy.config.common.dynamic_forward_proxy.v2alpha.DnsCacheConfig";
@@ -101,4 +102,9 @@ message DnsCacheConfig {
   // ``envoy.restart_features.use_apple_api_for_dns_lookups`` runtime value is true during
   // server startup. Apple' API only uses UDP for DNS resolution.
   bool use_tcp_for_dns_lookups = 8;
+
+  // DNS resolver configuration
+  // If specified, DNS cache will perform resolution via the underlying DNS resolvers.
+  // Otherwise, the default system resolvers (e.g., /etc/resolv.conf) will be used.
+  config.core.v3.DnsResolver dns_resolver = 9;
 }

api/envoy/extensions/filters/http/bandwidth_limit/v3alpha/BUILD

@@ -0,0 +1,12 @@
+# DO NOT EDIT. This file is generated by tools/proto_format/proto_sync.py.
+
+load("@envoy_api//bazel:api_build_system.bzl", "api_proto_package")
+
+licenses(["notice"])  # Apache 2
+
+api_proto_package(
+    deps = [
+        "//envoy/config/core/v3:pkg",
+        "@com_github_cncf_udpa//udpa/annotations:pkg",
+    ],
+)

api/envoy/extensions/filters/http/bandwidth_limit/v3alpha/bandwidth_limit.proto

@@ -0,0 +1,70 @@
+syntax = "proto3";
+
+package envoy.extensions.filters.http.bandwidth_limit.v3alpha;
+
+import "envoy/config/core/v3/base.proto";
+
+import "google/protobuf/duration.proto";
+import "google/protobuf/wrappers.proto";
+
+import "udpa/annotations/status.proto";
+import "validate/validate.proto";
+
+option java_package = "io.envoyproxy.envoy.extensions.filters.http.bandwidth_limit.v3alpha";
+option java_outer_classname = "BandwidthLimitProto";
+option java_multiple_files = true;
+option (udpa.annotations.file_status).work_in_progress = true;
+option (udpa.annotations.file_status).package_version_status = ACTIVE;
+
+// [#protodoc-title: Bandwidth limit]
+// Bandwidth limit :ref:`configuration overview <config_http_filters_bandwidth_limit>`.
+// [#extension: envoy.filters.http.bandwidth_limit]
+
+// [#next-free-field: 6]
+message BandwidthLimit {
+  // Defines the mode for the bandwidth limit filter.
+  // Values represent bitmask.
+  enum EnableMode {
+    // Filter is disabled.
+    DISABLED = 0;
+
+    // Filter enabled only for incoming traffic.
+    REQUEST = 1;
+
+    // Filter enabled only for outgoing traffic.
+    RESPONSE = 2;
+
+    // Filter enabled for both incoming and outgoing traffic.
+    REQUEST_AND_RESPONSE = 3;
+  }
+
+  // The human readable prefix to use when emitting stats.
+  string stat_prefix = 1 [(validate.rules).string = {min_len: 1}];
+
+  // The enable mode for the bandwidth limit filter.
+  // Default is Disabled.
+  EnableMode enable_mode = 2 [(validate.rules).enum = {defined_only: true}];
+
+  // The limit supplied in KiB/s.
+  //
+  // .. note::
+  //   It's fine for the limit to be unset for the global configuration since the bandwidth limit
+  //   can be applied at a the virtual host or route level. Thus, the limit must be set for the
+  //   per route configuration otherwise the config will be rejected.
+  //
+  // .. note::
+  //   When using per route configuration, the limit becomes unique to that route.
+  //
+  google.protobuf.UInt64Value limit_kbps = 3 [(validate.rules).uint64 = {gte: 1}];
+
+  // Optional Fill interval in milliseconds for the token refills. Defaults to 50ms.
+  // It must be at least 20ms to avoid too aggressive refills.
+  google.protobuf.Duration fill_interval = 4 [(validate.rules).duration = {
+    lte {seconds: 1}
+    gte {nanos: 20000000}
+  }];
+
+  // Runtime flag that controls whether the filter is enabled or not. If not specified, defaults
+  // to enabled.
+  config.core.v3.RuntimeFeatureFlag runtime_enabled = 5;
+}