Update istio 1.20.0

aeraki-mesh · Sep 18, 2024 · 42635e0 · 42635e0
1 parent 872306f
commit 42635e0
Show file tree

Hide file tree

Showing 6 changed files with 80 additions and 107 deletions.
diff --git a/BUILD b/BUILD
@@ -15,20 +15,13 @@ envoy_cc_binary(
         "//src/application_protocols/brpc:config",
         "//src/application_protocols/trpc:config",
         "@io_istio_proxy//extensions/access_log_policy:access_log_policy_lib",
-        "@io_istio_proxy//extensions/metadata_exchange:metadata_exchange_lib",
         "@io_istio_proxy//extensions/stackdriver:stackdriver_plugin",
         "@io_istio_proxy//source/extensions/common/workload_discovery:api_lib",  # Experimental: WIP
         "@io_istio_proxy//source/extensions/filters/http/alpn:config_lib",
         "@io_istio_proxy//source/extensions/filters/http/authn:filter_lib",
-        "@io_istio_proxy//source/extensions/filters/http/connect_authority",  # Experimental: ambient
         "@io_istio_proxy//source/extensions/filters/http/istio_stats",
         "@io_istio_proxy//source/extensions/filters/http/peer_metadata:filter_lib",
-        "@io_istio_proxy//source/extensions/filters/listener/set_internal_dst_address:filter_lib",  # Experimental: ambient
-        "@io_istio_proxy//source/extensions/filters/network/forward_downstream_sni:config_lib",
-        "@io_istio_proxy//source/extensions/filters/network/istio_authn:config_lib",
         "@io_istio_proxy//source/extensions/filters/network/metadata_exchange:config_lib",
-        "@io_istio_proxy//source/extensions/filters/network/sni_verifier:config_lib",
-        "@io_istio_proxy//source/extensions/filters/network/tcp_cluster_rewrite:config_lib",
         "@envoy//source/exe:envoy_main_entry_lib",
     ],
 )
diff --git a/WORKSPACE b/WORKSPACE
@@ -21,14 +21,13 @@ load("@bazel_tools//tools/build_defs/repo:http.bzl", "http_archive")
 
 http_archive(
     name = "io_istio_proxy",
-    strip_prefix = "proxy-1.19.0",
-    sha256 = "f23b30ec772fd08b310d4fe2fc73855148a2a60b06f6fae08f26db765424ee68",
-    url = "https://github.com/istio/proxy/archive/refs/tags/1.19.0.tar.gz",
+    strip_prefix = "proxy-1.20.0",
+    sha256 = "1505346f463fd7a9a6f2b04c67f754873fcebb30783d6d121e7685139b4b7100",
+    url = "https://github.com/istio/proxy/archive/refs/tags/1.20.0.tar.gz",
 )
 
 load(
     "@io_istio_proxy//bazel:repositories.bzl",
-    "docker_dependencies",
     "istioapi_dependencies",
 )
 
@@ -42,10 +41,10 @@ bind(
 # 1. Determine SHA256 `wget https://github.com/envoyproxy/envoy/archive/$COMMIT.tar.gz && sha256sum $COMMIT.tar.gz`
 # 2. Update .bazelversion, envoy.bazelrc and .bazelrc if needed.
 #
-# Commit date: 2023-08-30
-ENVOY_SHA = "47297e26f07520d39272e5925ac1fee05f50ced3"
+# Commit date: 2024-07-02
+ENVOY_SHA = "346cc3385269016f7c36ad15a23a7b382348f7af"
 
-ENVOY_SHA256 = "e73238b75a71cd927015c2997d2734a3f1fe21da9ec24f440780506d81088b49"
+ENVOY_SHA256 = "60b7065957c9a06bad0b9edd09a812b664990a89ebdeac2095b8577895079b02"
 
 ENVOY_ORG = "envoyproxy"
 
@@ -94,61 +93,3 @@ install_deps()
 load("@envoy//bazel:dependency_imports.bzl", "envoy_dependency_imports")
 
 envoy_dependency_imports()
-
-# Bazel @rules_pkg
-
-http_archive(
-    name = "rules_pkg",
-    sha256 = "aeca78988341a2ee1ba097641056d168320ecc51372ef7ff8e64b139516a4937",
-    urls = [
-        "https://github.com/bazelbuild/rules_pkg/releases/download/0.2.6-1/rules_pkg-0.2.6.tar.gz",
-        "https://mirror.bazel.build/github.com/bazelbuild/rules_pkg/releases/download/0.2.6/rules_pkg-0.2.6.tar.gz",
-    ],
-)
-
-load("@rules_pkg//:deps.bzl", "rules_pkg_dependencies")
-
-rules_pkg_dependencies()
-
-# Docker dependencies
-
-docker_dependencies()
-
-load(
-    "@io_bazel_rules_docker//repositories:repositories.bzl",
-    container_repositories = "repositories",
-)
-
-container_repositories()
-
-load("@io_bazel_rules_docker//repositories:deps.bzl", container_deps = "deps")
-
-container_deps()
-
-load(
-    "@io_bazel_rules_docker//container:container.bzl",
-    "container_pull",
-)
-
-container_pull(
-    name = "distroless_cc",
-    # Latest as of 10/21/2019. To update, remove this line, re-build, and copy the suggested digest.
-    digest = "sha256:86f16733f25964c40dcd34edf14339ddbb2287af2f7c9dfad88f0366723c00d7",
-    registry = "gcr.io",
-    repository = "distroless/cc",
-)
-
-container_pull(
-    name = "bionic",
-    # Latest as of 10/21/2019. To update, remove this line, re-build, and copy the suggested digest.
-    digest = "sha256:3e83eca7870ee14a03b8026660e71ba761e6919b6982fb920d10254688a363d4",
-    registry = "index.docker.io",
-    repository = "library/ubuntu",
-    tag = "bionic",
-)
-
-# End of docker dependencies
-
-load("//bazel:wasm.bzl", "wasm_dependencies")
-
-wasm_dependencies()
diff --git a/bazel/extension_config/extensions_build_config.bzl b/bazel/extension_config/extensions_build_config.bzl
@@ -35,6 +35,8 @@ ENVOY_EXTENSIONS = {
     "envoy.compression.gzip.decompressor":              "//source/extensions/compression/gzip/decompressor:config",
     "envoy.compression.brotli.compressor":              "//source/extensions/compression/brotli/compressor:config",
     "envoy.compression.brotli.decompressor":            "//source/extensions/compression/brotli/decompressor:config",
+    "envoy.compression.zstd.compressor":                "//source/extensions/compression/zstd/compressor:config",
+    "envoy.compression.zstd.decompressor":              "//source/extensions/compression/zstd/decompressor:config",
 
     #
     # gRPC Credentials Plugins
@@ -108,12 +110,15 @@ ENVOY_EXTENSIONS = {
     "envoy.filters.http.compressor":                    "//source/extensions/filters/http/compressor:config",
     "envoy.filters.http.cors":                          "//source/extensions/filters/http/cors:config",
     "envoy.filters.http.composite":                     "//source/extensions/filters/http/composite:config",
+    "envoy.filters.http.connect_grpc_bridge":           "//source/extensions/filters/http/connect_grpc_bridge:config",
     "envoy.filters.http.csrf":                          "//source/extensions/filters/http/csrf:config",
     "envoy.filters.http.decompressor":                  "//source/extensions/filters/http/decompressor:config",
     "envoy.filters.http.dynamic_forward_proxy":         "//source/extensions/filters/http/dynamic_forward_proxy:config",
     "envoy.filters.http.ext_authz":                     "//source/extensions/filters/http/ext_authz:config",
     "envoy.filters.http.ext_proc":                      "//source/extensions/filters/http/ext_proc:config",
     "envoy.filters.http.fault":                         "//source/extensions/filters/http/fault:config",
+    "envoy.filters.http.gcp_authn":                      "//source/extensions/filters/http/gcp_authn:config",
+    "envoy.filters.http.grpc_field_extraction":         "//source/extensions/filters/http/grpc_field_extraction:config",
     "envoy.filters.http.grpc_http1_bridge":             "//source/extensions/filters/http/grpc_http1_bridge:config",
     "envoy.filters.http.grpc_http1_reverse_bridge":     "//source/extensions/filters/http/grpc_http1_reverse_bridge:config",
     "envoy.filters.http.grpc_json_transcoder":          "//source/extensions/filters/http/grpc_json_transcoder:config",
@@ -134,6 +139,7 @@ ENVOY_EXTENSIONS = {
     "envoy.filters.http.ratelimit":                     "//source/extensions/filters/http/ratelimit:config",
     "envoy.filters.http.rbac":                          "//source/extensions/filters/http/rbac:config",
     "envoy.filters.http.router":                        "//source/extensions/filters/http/router:config",
+    "envoy.filters.http.set_filter_state":              "//source/extensions/filters/http/set_filter_state:config",
     "envoy.filters.http.set_metadata":                  "//source/extensions/filters/http/set_metadata:config",
     "envoy.filters.http.tap":                           "//source/extensions/filters/http/tap:config",
     "envoy.filters.http.wasm":                          "//source/extensions/filters/http/wasm:config",
@@ -170,6 +176,7 @@ ENVOY_EXTENSIONS = {
     "envoy.filters.network.redis_proxy":                          "//source/extensions/filters/network/redis_proxy:config",
     "envoy.filters.network.tcp_proxy":                            "//source/extensions/filters/network/tcp_proxy:config",
     "envoy.filters.network.thrift_proxy":                         "//source/extensions/filters/network/thrift_proxy:config",
+    "envoy.filters.network.set_filter_state":                     "//source/extensions/filters/network/set_filter_state:config",
     "envoy.filters.network.sni_cluster":                          "//source/extensions/filters/network/sni_cluster:config",
     "envoy.filters.network.sni_dynamic_forward_proxy":            "//source/extensions/filters/network/sni_dynamic_forward_proxy:config",
     "envoy.filters.network.wasm":                                 "//source/extensions/filters/network/wasm:config",
@@ -250,7 +257,8 @@ ENVOY_EXTENSIONS = {
     #
     # CacheFilter plugins
     #
-    "envoy.extensions.http.cache.simple":               "//source/extensions/http/cache/simple_http_cache:config",
+    "envoy.extensions.http.cache.file_system_http_cache":   "//source/extensions/http/cache/file_system_http_cache:config",
+    "envoy.extensions.http.cache.simple":                   "//source/extensions/http/cache/simple_http_cache:config",
 
     #
     # Internal redirect predicates
@@ -342,6 +350,7 @@ ENVOY_EXTENSIONS = {
 
     "envoy.formatter.metadata":                         "//source/extensions/formatter/metadata:config",
     "envoy.formatter.req_without_query":                "//source/extensions/formatter/req_without_query:config",
+    "envoy.formatter.cel":                              "//source/extensions/formatter/cel:config",
 
     #
     # Key value store
@@ -385,6 +394,12 @@ ENVOY_EXTENSIONS = {
     "envoy.load_balancing_policies.maglev":            "//source/extensions/load_balancing_policies/maglev:config",
     "envoy.load_balancing_policies.ring_hash":         "//source/extensions/load_balancing_policies/ring_hash:config",
     "envoy.load_balancing_policies.subset":            "//source/extensions/load_balancing_policies/subset:config",
+    "envoy.load_balancing_policies.cluster_provided":  "//source/extensions/load_balancing_policies/cluster_provided:config",
+
+    #
+    # HTTP Early Header Mutation
+    #
+    "envoy.http.early_header_mutation.header_mutation": "//source/extensions/http/early_header_mutation/header_mutation:config",
 
     #
     # Config Subscription
@@ -446,7 +461,7 @@ ENVOY_CONTRIB_EXTENSIONS = {
     # Connection Balance extensions
     #
 
-    "envoy.network.connection_balance.dlb":                     "//contrib/network/connection_balance/dlb/source:connection_balancer",
+    "envoy.network.connection_balance.dlb":                     "//contrib/dlb/source:connection_balancer",
 }
 
 

diff --git a/bazel/repositories.bzl b/bazel/repositories.bzl
@@ -80,23 +80,6 @@ cc_proto_library(
         ":alpn_filter_config_proto_lib",
     ],
 )
-
-proto_library(
-    name = "tcp_cluster_rewrite_config_proto_lib",
-    srcs = glob(
-        ["envoy/config/filter/network/tcp_cluster_rewrite/v2alpha1/*.proto", ],
-    ),
-    visibility = ["//visibility:public"],
-)
-
-cc_proto_library(
-    name = "tcp_cluster_rewrite_config_cc_proto",
-    visibility = ["//visibility:public"],
-    deps = [
-        ":tcp_cluster_rewrite_config_proto_lib",
-    ],
-)
-
 """
     http_archive(
         name = "istioapi_git",
@@ -114,17 +97,6 @@ cc_proto_library(
             name = "alpn_filter_config_cc_proto",
             actual = "@istioapi_git//:alpn_filter_config_cc_proto",
         )
-        native.bind(
-            name = "tcp_cluster_rewrite_config_cc_proto",
-            actual = "@istioapi_git//:tcp_cluster_rewrite_config_cc_proto",
-        )
 
 def istioapi_dependencies():
     istioapi_repositories()
-
-def docker_dependencies():
-    http_archive(
-        name = "io_bazel_rules_docker",
-        sha256 = "b1e80761a8a8243d03ebca8845e9cc1ba6c82ce7c5179ce2b295cd36f7e394bf",
-        urls = ["https://github.com/bazelbuild/rules_docker/releases/download/v0.25.0/rules_docker-v0.25.0.tar.gz"],
-    )
diff --git a/envoy.bazelrc b/envoy.bazelrc
@@ -24,12 +24,19 @@ build --platform_mappings=bazel/platform_mappings
 build --copt=-DABSL_MIN_LOG_LEVEL=4
 build --define envoy_mobile_listener=enabled
 build --experimental_repository_downloader_retries=2
+build --enable_platform_specific_config
 
-# Pass PATH, CC, CXX and LLVM_CONFIG variables from the environment.
+# Pass CC, CXX and LLVM_CONFIG variables from the environment.
+# We assume they have stable values, so this won't cause action cache misses.
 build --action_env=CC --host_action_env=CC
 build --action_env=CXX --host_action_env=CXX
 build --action_env=LLVM_CONFIG --host_action_env=LLVM_CONFIG
-build --action_env=PATH --host_action_env=PATH
+# Do not pass through PATH however.
+# It tends to have machine-specific values, such as dynamically created temp folders.
+# This would make it impossible to share remote action cache hits among machines.
+# build --action_env=PATH --host_action_env=PATH
+# To make our own CI green, we do need that flag on Windows though.
+build:windows --action_env=PATH --host_action_env=PATH
 
 # Allow stamped caches to bust when local filesystem changes.
 # Requires setting `BAZEL_VOLATILE_DIRTY` in the env.
@@ -39,9 +46,10 @@ build --action_env=BAZEL_VOLATILE_DIRTY --host_action_env=BAZEL_VOLATILE_DIRTY
 # Requires setting `BAZEL_FAKE_SCM_REVISION` in the env.
 build --action_env=BAZEL_FAKE_SCM_REVISION --host_action_env=BAZEL_FAKE_SCM_REVISION
 
-build --enable_platform_specific_config
 build --test_summary=terse
 
+build:docs-ci --action_env=DOCS_RST_CHECK=1 --host_action_env=DOCS_RST_CHECK=1
+
 # TODO(keith): Remove once these 2 are the default
 build --incompatible_config_setting_private_default_visibility
 build --incompatible_enforce_config_setting_visibility
@@ -84,6 +92,14 @@ build:clang-pch --define=ENVOY_CLANG_PCH=1
 # Use gold linker for gcc compiler.
 build:gcc --linkopt=-fuse-ld=gold
 
+# Clang-tidy
+# TODO(phlax): enable this, its throwing some errors as well as finding more issues
+# build:clang-tidy --@envoy_toolshed//format/clang_tidy:executable=@envoy//tools/clang-tidy
+build:clang-tidy --@envoy_toolshed//format/clang_tidy:config=//:clang_tidy_config
+build:clang-tidy --aspects @envoy_toolshed//format/clang_tidy:clang_tidy.bzl%clang_tidy_aspect
+build:clang-tidy --output_groups=report
+build:clang-tidy --build_tag_filters=-notidy
+
 # Basic ASAN/UBSAN that works for gcc
 build:asan --action_env=ENVOY_ASAN=1
 build:asan --config=sanitizer
@@ -209,7 +225,8 @@ build:coverage --instrumentation_filter="^//source(?!/common/quic/platform)[/:],
 build:coverage --remote_download_minimal
 build:coverage --define=tcmalloc=gperftools
 build:coverage --define=no_debug_info=1
-build:coverage --linkopt=-Wl,-s
+# `--no-relax` is required for coverage to not err with `relocation R_X86_64_REX_GOTPCRELX`
+build:coverage --linkopt=-Wl,-s,--no-relax
 build:coverage --test_env=ENVOY_IP_TEST_VERSIONS=v4only
 
 build:test-coverage --test_arg="-l trace"
@@ -219,6 +236,8 @@ build:fuzz-coverage --config=plain-fuzzer
 build:fuzz-coverage --run_under=@envoy//bazel/coverage:fuzz_coverage_wrapper.sh
 build:fuzz-coverage --test_tag_filters=-nocoverage
 
+build:cache-local --remote_cache=grpc://localhost:9092
+
 # Remote execution: https://docs.bazel.build/versions/master/remote-execution.html
 build:rbe-toolchain --action_env=BAZEL_DO_NOT_DETECT_CPP_TOOLCHAIN=1
 
@@ -337,7 +356,7 @@ build:compile-time-options --@envoy//source/extensions/filters/http/kill_request
 
 # Docker sandbox
 # NOTE: Update this from https://github.com/envoyproxy/envoy-build-tools/blob/main/toolchains/rbe_toolchains_config.bzl#L8
-build:docker-sandbox --experimental_docker_image=envoyproxy/envoy-build-ubuntu:41c5a05d708972d703661b702a63ef5060125c33
+build:docker-sandbox --experimental_docker_image=envoyproxy/envoy-build-ubuntu:fdd65c6270a8507a18d5acd6cf19a18cb695e4fa@sha256:3c8a3ce6f90dcfb5d09dc8f79bb01404d3526d420061f9a176e0a8e91e1e573e
 build:docker-sandbox --spawn_strategy=docker
 build:docker-sandbox --strategy=Javac=docker
 build:docker-sandbox --strategy=Closure=docker
@@ -487,6 +506,20 @@ build:rbe-engflow --remote_timeout=3600s
 build:rbe-engflow --bes_timeout=3600s
 build:rbe-engflow --bes_upload_mode=fully_async
 
+build:cache-envoy-engflow --google_default_credentials=false
+build:cache-envoy-engflow --remote_cache=grpcs://morganite.cluster.engflow.com
+build:cache-envoy-engflow --remote_timeout=3600s
+build:cache-envoy-engflow --credential_helper=*.engflow.com=%workspace%/bazel/engflow-bazel-credential-helper.sh
+build:cache-envoy-engflow --grpc_keepalive_time=30s
+build:bes-envoy-engflow --bes_backend=grpcs://morganite.cluster.engflow.com/
+build:bes-envoy-engflow --bes_results_url=https://morganite.cluster.engflow.com/invocation/
+build:bes-envoy-engflow --bes_timeout=3600s
+build:bes-envoy-engflow --bes_upload_mode=fully_async
+build:rbe-envoy-engflow --config=cache-envoy-engflow
+build:rbe-envoy-engflow --config=bes-envoy-engflow
+build:rbe-envoy-engflow --remote_executor=grpcs://morganite.cluster.engflow.com
+build:rbe-envoy-engflow --remote_default_exec_properties=container-image=docker://docker.io/envoyproxy/envoy-build-ubuntu:fdd65c6270a8507a18d5acd6cf19a18cb695e4fa@sha256:3c8a3ce6f90dcfb5d09dc8f79bb01404d3526d420061f9a176e0a8e91e1e573e
+
 #############################################################################
 # debug: Various Bazel debugging flags
 #############################################################################

diff --git a/proxy.bazelrc b/proxy.bazelrc
@@ -13,6 +13,9 @@ build:remote --remote_timeout=7200
 # Istio specific Bazel build/test options.
 # ========================================
 
+# Enable libc++ and C++20 by default.
+build --config=libc++20
+
 # Need for CI image to pickup docker-credential-gcloud, PATH is fixed in rbe-toolchain-* configs.
 build:remote-ci --action_env=PATH=/usr/local/google-cloud-sdk/bin:/usr/sbin:/usr/bin:/sbin:/bin:/opt/llvm/bin
 
@@ -48,3 +51,19 @@ build --cxxopt -Wformat-security
 
 # Link pthread for flatbuffers
 build --host_linkopt=-pthread
+
+# CI sanitizer configuration
+#
+build:clang-asan-ci --config=clang-asan
+build:clang-asan-ci --action_env=ENVOY_UBSAN_VPTR=1
+build:clang-asan-ci --copt=-fsanitize=vptr,function
+build:clang-asan-ci --linkopt=-fsanitize=vptr,function
+build:clang-asan-ci --linkopt='-L/usr/lib/llvm/lib/x86_64-unknown-linux-gnu'
+build:clang-asan-ci --linkopt='-Wl,-rpath,/usr/lib/llvm/lib/x86_64-unknown-linux-gnu'
+build:clang-asan-ci --linkopt='-L/usr/lib/llvm/lib/clang/14.0.0/lib/x86_64-unknown-linux-gnu'
+build:clang-asan-ci --linkopt=-l:libclang_rt.ubsan_standalone.a
+build:clang-asan-ci --linkopt=-l:libclang_rt.ubsan_standalone_cxx.a
+
+build:clang-tsan-ci --config=clang-tsan
+build:clang-tsan-ci --linkopt=-L/opt/libcxx_tsan/lib
+build:clang-tsan-ci --linkopt=-Wl,-rpath,/opt/libcxx_tsan/lib