diff --git a/BUILD b/BUILD index 0d3a4c12..13333180 100644 --- a/BUILD +++ b/BUILD @@ -15,20 +15,13 @@ envoy_cc_binary( "//src/application_protocols/brpc:config", "//src/application_protocols/trpc:config", "@io_istio_proxy//extensions/access_log_policy:access_log_policy_lib", - "@io_istio_proxy//extensions/metadata_exchange:metadata_exchange_lib", "@io_istio_proxy//extensions/stackdriver:stackdriver_plugin", "@io_istio_proxy//source/extensions/common/workload_discovery:api_lib", # Experimental: WIP "@io_istio_proxy//source/extensions/filters/http/alpn:config_lib", "@io_istio_proxy//source/extensions/filters/http/authn:filter_lib", - "@io_istio_proxy//source/extensions/filters/http/connect_authority", # Experimental: ambient "@io_istio_proxy//source/extensions/filters/http/istio_stats", "@io_istio_proxy//source/extensions/filters/http/peer_metadata:filter_lib", - "@io_istio_proxy//source/extensions/filters/listener/set_internal_dst_address:filter_lib", # Experimental: ambient - "@io_istio_proxy//source/extensions/filters/network/forward_downstream_sni:config_lib", - "@io_istio_proxy//source/extensions/filters/network/istio_authn:config_lib", "@io_istio_proxy//source/extensions/filters/network/metadata_exchange:config_lib", - "@io_istio_proxy//source/extensions/filters/network/sni_verifier:config_lib", - "@io_istio_proxy//source/extensions/filters/network/tcp_cluster_rewrite:config_lib", "@envoy//source/exe:envoy_main_entry_lib", ], ) diff --git a/WORKSPACE b/WORKSPACE index ab45f2ff..2db33459 100644 --- a/WORKSPACE +++ b/WORKSPACE @@ -21,14 +21,13 @@ load("@bazel_tools//tools/build_defs/repo:http.bzl", "http_archive") http_archive( name = "io_istio_proxy", - strip_prefix = "proxy-1.19.0", - sha256 = "f23b30ec772fd08b310d4fe2fc73855148a2a60b06f6fae08f26db765424ee68", - url = "https://github.com/istio/proxy/archive/refs/tags/1.19.0.tar.gz", + strip_prefix = "proxy-1.20.0", + sha256 = "1505346f463fd7a9a6f2b04c67f754873fcebb30783d6d121e7685139b4b7100", + url = "https://github.com/istio/proxy/archive/refs/tags/1.20.0.tar.gz", ) load( "@io_istio_proxy//bazel:repositories.bzl", - "docker_dependencies", "istioapi_dependencies", ) @@ -42,10 +41,10 @@ bind( # 1. Determine SHA256 `wget https://github.com/envoyproxy/envoy/archive/$COMMIT.tar.gz && sha256sum $COMMIT.tar.gz` # 2. Update .bazelversion, envoy.bazelrc and .bazelrc if needed. # -# Commit date: 2023-08-30 -ENVOY_SHA = "47297e26f07520d39272e5925ac1fee05f50ced3" +# Commit date: 2024-07-02 +ENVOY_SHA = "346cc3385269016f7c36ad15a23a7b382348f7af" -ENVOY_SHA256 = "e73238b75a71cd927015c2997d2734a3f1fe21da9ec24f440780506d81088b49" +ENVOY_SHA256 = "60b7065957c9a06bad0b9edd09a812b664990a89ebdeac2095b8577895079b02" ENVOY_ORG = "envoyproxy" @@ -94,61 +93,3 @@ install_deps() load("@envoy//bazel:dependency_imports.bzl", "envoy_dependency_imports") envoy_dependency_imports() - -# Bazel @rules_pkg - -http_archive( - name = "rules_pkg", - sha256 = "aeca78988341a2ee1ba097641056d168320ecc51372ef7ff8e64b139516a4937", - urls = [ - "https://github.com/bazelbuild/rules_pkg/releases/download/0.2.6-1/rules_pkg-0.2.6.tar.gz", - "https://mirror.bazel.build/github.com/bazelbuild/rules_pkg/releases/download/0.2.6/rules_pkg-0.2.6.tar.gz", - ], -) - -load("@rules_pkg//:deps.bzl", "rules_pkg_dependencies") - -rules_pkg_dependencies() - -# Docker dependencies - -docker_dependencies() - -load( - "@io_bazel_rules_docker//repositories:repositories.bzl", - container_repositories = "repositories", -) - -container_repositories() - -load("@io_bazel_rules_docker//repositories:deps.bzl", container_deps = "deps") - -container_deps() - -load( - "@io_bazel_rules_docker//container:container.bzl", - "container_pull", -) - -container_pull( - name = "distroless_cc", - # Latest as of 10/21/2019. To update, remove this line, re-build, and copy the suggested digest. - digest = "sha256:86f16733f25964c40dcd34edf14339ddbb2287af2f7c9dfad88f0366723c00d7", - registry = "gcr.io", - repository = "distroless/cc", -) - -container_pull( - name = "bionic", - # Latest as of 10/21/2019. To update, remove this line, re-build, and copy the suggested digest. - digest = "sha256:3e83eca7870ee14a03b8026660e71ba761e6919b6982fb920d10254688a363d4", - registry = "index.docker.io", - repository = "library/ubuntu", - tag = "bionic", -) - -# End of docker dependencies - -load("//bazel:wasm.bzl", "wasm_dependencies") - -wasm_dependencies() diff --git a/bazel/extension_config/extensions_build_config.bzl b/bazel/extension_config/extensions_build_config.bzl index bf53f37a..b121532a 100644 --- a/bazel/extension_config/extensions_build_config.bzl +++ b/bazel/extension_config/extensions_build_config.bzl @@ -35,6 +35,8 @@ ENVOY_EXTENSIONS = { "envoy.compression.gzip.decompressor": "//source/extensions/compression/gzip/decompressor:config", "envoy.compression.brotli.compressor": "//source/extensions/compression/brotli/compressor:config", "envoy.compression.brotli.decompressor": "//source/extensions/compression/brotli/decompressor:config", + "envoy.compression.zstd.compressor": "//source/extensions/compression/zstd/compressor:config", + "envoy.compression.zstd.decompressor": "//source/extensions/compression/zstd/decompressor:config", # # gRPC Credentials Plugins @@ -108,12 +110,15 @@ ENVOY_EXTENSIONS = { "envoy.filters.http.compressor": "//source/extensions/filters/http/compressor:config", "envoy.filters.http.cors": "//source/extensions/filters/http/cors:config", "envoy.filters.http.composite": "//source/extensions/filters/http/composite:config", + "envoy.filters.http.connect_grpc_bridge": "//source/extensions/filters/http/connect_grpc_bridge:config", "envoy.filters.http.csrf": "//source/extensions/filters/http/csrf:config", "envoy.filters.http.decompressor": "//source/extensions/filters/http/decompressor:config", "envoy.filters.http.dynamic_forward_proxy": "//source/extensions/filters/http/dynamic_forward_proxy:config", "envoy.filters.http.ext_authz": "//source/extensions/filters/http/ext_authz:config", "envoy.filters.http.ext_proc": "//source/extensions/filters/http/ext_proc:config", "envoy.filters.http.fault": "//source/extensions/filters/http/fault:config", + "envoy.filters.http.gcp_authn": "//source/extensions/filters/http/gcp_authn:config", + "envoy.filters.http.grpc_field_extraction": "//source/extensions/filters/http/grpc_field_extraction:config", "envoy.filters.http.grpc_http1_bridge": "//source/extensions/filters/http/grpc_http1_bridge:config", "envoy.filters.http.grpc_http1_reverse_bridge": "//source/extensions/filters/http/grpc_http1_reverse_bridge:config", "envoy.filters.http.grpc_json_transcoder": "//source/extensions/filters/http/grpc_json_transcoder:config", @@ -134,6 +139,7 @@ ENVOY_EXTENSIONS = { "envoy.filters.http.ratelimit": "//source/extensions/filters/http/ratelimit:config", "envoy.filters.http.rbac": "//source/extensions/filters/http/rbac:config", "envoy.filters.http.router": "//source/extensions/filters/http/router:config", + "envoy.filters.http.set_filter_state": "//source/extensions/filters/http/set_filter_state:config", "envoy.filters.http.set_metadata": "//source/extensions/filters/http/set_metadata:config", "envoy.filters.http.tap": "//source/extensions/filters/http/tap:config", "envoy.filters.http.wasm": "//source/extensions/filters/http/wasm:config", @@ -170,6 +176,7 @@ ENVOY_EXTENSIONS = { "envoy.filters.network.redis_proxy": "//source/extensions/filters/network/redis_proxy:config", "envoy.filters.network.tcp_proxy": "//source/extensions/filters/network/tcp_proxy:config", "envoy.filters.network.thrift_proxy": "//source/extensions/filters/network/thrift_proxy:config", + "envoy.filters.network.set_filter_state": "//source/extensions/filters/network/set_filter_state:config", "envoy.filters.network.sni_cluster": "//source/extensions/filters/network/sni_cluster:config", "envoy.filters.network.sni_dynamic_forward_proxy": "//source/extensions/filters/network/sni_dynamic_forward_proxy:config", "envoy.filters.network.wasm": "//source/extensions/filters/network/wasm:config", @@ -250,7 +257,8 @@ ENVOY_EXTENSIONS = { # # CacheFilter plugins # - "envoy.extensions.http.cache.simple": "//source/extensions/http/cache/simple_http_cache:config", + "envoy.extensions.http.cache.file_system_http_cache": "//source/extensions/http/cache/file_system_http_cache:config", + "envoy.extensions.http.cache.simple": "//source/extensions/http/cache/simple_http_cache:config", # # Internal redirect predicates @@ -342,6 +350,7 @@ ENVOY_EXTENSIONS = { "envoy.formatter.metadata": "//source/extensions/formatter/metadata:config", "envoy.formatter.req_without_query": "//source/extensions/formatter/req_without_query:config", + "envoy.formatter.cel": "//source/extensions/formatter/cel:config", # # Key value store @@ -385,6 +394,12 @@ ENVOY_EXTENSIONS = { "envoy.load_balancing_policies.maglev": "//source/extensions/load_balancing_policies/maglev:config", "envoy.load_balancing_policies.ring_hash": "//source/extensions/load_balancing_policies/ring_hash:config", "envoy.load_balancing_policies.subset": "//source/extensions/load_balancing_policies/subset:config", + "envoy.load_balancing_policies.cluster_provided": "//source/extensions/load_balancing_policies/cluster_provided:config", + + # + # HTTP Early Header Mutation + # + "envoy.http.early_header_mutation.header_mutation": "//source/extensions/http/early_header_mutation/header_mutation:config", # # Config Subscription @@ -446,7 +461,7 @@ ENVOY_CONTRIB_EXTENSIONS = { # Connection Balance extensions # - "envoy.network.connection_balance.dlb": "//contrib/network/connection_balance/dlb/source:connection_balancer", + "envoy.network.connection_balance.dlb": "//contrib/dlb/source:connection_balancer", } diff --git a/bazel/repositories.bzl b/bazel/repositories.bzl index 0870f7f2..dabea155 100644 --- a/bazel/repositories.bzl +++ b/bazel/repositories.bzl @@ -80,23 +80,6 @@ cc_proto_library( ":alpn_filter_config_proto_lib", ], ) - -proto_library( - name = "tcp_cluster_rewrite_config_proto_lib", - srcs = glob( - ["envoy/config/filter/network/tcp_cluster_rewrite/v2alpha1/*.proto", ], - ), - visibility = ["//visibility:public"], -) - -cc_proto_library( - name = "tcp_cluster_rewrite_config_cc_proto", - visibility = ["//visibility:public"], - deps = [ - ":tcp_cluster_rewrite_config_proto_lib", - ], -) - """ http_archive( name = "istioapi_git", @@ -114,17 +97,6 @@ cc_proto_library( name = "alpn_filter_config_cc_proto", actual = "@istioapi_git//:alpn_filter_config_cc_proto", ) - native.bind( - name = "tcp_cluster_rewrite_config_cc_proto", - actual = "@istioapi_git//:tcp_cluster_rewrite_config_cc_proto", - ) def istioapi_dependencies(): istioapi_repositories() - -def docker_dependencies(): - http_archive( - name = "io_bazel_rules_docker", - sha256 = "b1e80761a8a8243d03ebca8845e9cc1ba6c82ce7c5179ce2b295cd36f7e394bf", - urls = ["https://github.com/bazelbuild/rules_docker/releases/download/v0.25.0/rules_docker-v0.25.0.tar.gz"], - ) diff --git a/envoy.bazelrc b/envoy.bazelrc index efeb63cc..b8c12ef7 100644 --- a/envoy.bazelrc +++ b/envoy.bazelrc @@ -24,12 +24,19 @@ build --platform_mappings=bazel/platform_mappings build --copt=-DABSL_MIN_LOG_LEVEL=4 build --define envoy_mobile_listener=enabled build --experimental_repository_downloader_retries=2 +build --enable_platform_specific_config -# Pass PATH, CC, CXX and LLVM_CONFIG variables from the environment. +# Pass CC, CXX and LLVM_CONFIG variables from the environment. +# We assume they have stable values, so this won't cause action cache misses. build --action_env=CC --host_action_env=CC build --action_env=CXX --host_action_env=CXX build --action_env=LLVM_CONFIG --host_action_env=LLVM_CONFIG -build --action_env=PATH --host_action_env=PATH +# Do not pass through PATH however. +# It tends to have machine-specific values, such as dynamically created temp folders. +# This would make it impossible to share remote action cache hits among machines. +# build --action_env=PATH --host_action_env=PATH +# To make our own CI green, we do need that flag on Windows though. +build:windows --action_env=PATH --host_action_env=PATH # Allow stamped caches to bust when local filesystem changes. # Requires setting `BAZEL_VOLATILE_DIRTY` in the env. @@ -39,9 +46,10 @@ build --action_env=BAZEL_VOLATILE_DIRTY --host_action_env=BAZEL_VOLATILE_DIRTY # Requires setting `BAZEL_FAKE_SCM_REVISION` in the env. build --action_env=BAZEL_FAKE_SCM_REVISION --host_action_env=BAZEL_FAKE_SCM_REVISION -build --enable_platform_specific_config build --test_summary=terse +build:docs-ci --action_env=DOCS_RST_CHECK=1 --host_action_env=DOCS_RST_CHECK=1 + # TODO(keith): Remove once these 2 are the default build --incompatible_config_setting_private_default_visibility build --incompatible_enforce_config_setting_visibility @@ -84,6 +92,14 @@ build:clang-pch --define=ENVOY_CLANG_PCH=1 # Use gold linker for gcc compiler. build:gcc --linkopt=-fuse-ld=gold +# Clang-tidy +# TODO(phlax): enable this, its throwing some errors as well as finding more issues +# build:clang-tidy --@envoy_toolshed//format/clang_tidy:executable=@envoy//tools/clang-tidy +build:clang-tidy --@envoy_toolshed//format/clang_tidy:config=//:clang_tidy_config +build:clang-tidy --aspects @envoy_toolshed//format/clang_tidy:clang_tidy.bzl%clang_tidy_aspect +build:clang-tidy --output_groups=report +build:clang-tidy --build_tag_filters=-notidy + # Basic ASAN/UBSAN that works for gcc build:asan --action_env=ENVOY_ASAN=1 build:asan --config=sanitizer @@ -209,7 +225,8 @@ build:coverage --instrumentation_filter="^//source(?!/common/quic/platform)[/:], build:coverage --remote_download_minimal build:coverage --define=tcmalloc=gperftools build:coverage --define=no_debug_info=1 -build:coverage --linkopt=-Wl,-s +# `--no-relax` is required for coverage to not err with `relocation R_X86_64_REX_GOTPCRELX` +build:coverage --linkopt=-Wl,-s,--no-relax build:coverage --test_env=ENVOY_IP_TEST_VERSIONS=v4only build:test-coverage --test_arg="-l trace" @@ -219,6 +236,8 @@ build:fuzz-coverage --config=plain-fuzzer build:fuzz-coverage --run_under=@envoy//bazel/coverage:fuzz_coverage_wrapper.sh build:fuzz-coverage --test_tag_filters=-nocoverage +build:cache-local --remote_cache=grpc://localhost:9092 + # Remote execution: https://docs.bazel.build/versions/master/remote-execution.html build:rbe-toolchain --action_env=BAZEL_DO_NOT_DETECT_CPP_TOOLCHAIN=1 @@ -337,7 +356,7 @@ build:compile-time-options --@envoy//source/extensions/filters/http/kill_request # Docker sandbox # NOTE: Update this from https://github.com/envoyproxy/envoy-build-tools/blob/main/toolchains/rbe_toolchains_config.bzl#L8 -build:docker-sandbox --experimental_docker_image=envoyproxy/envoy-build-ubuntu:41c5a05d708972d703661b702a63ef5060125c33 +build:docker-sandbox --experimental_docker_image=envoyproxy/envoy-build-ubuntu:fdd65c6270a8507a18d5acd6cf19a18cb695e4fa@sha256:3c8a3ce6f90dcfb5d09dc8f79bb01404d3526d420061f9a176e0a8e91e1e573e build:docker-sandbox --spawn_strategy=docker build:docker-sandbox --strategy=Javac=docker build:docker-sandbox --strategy=Closure=docker @@ -487,6 +506,20 @@ build:rbe-engflow --remote_timeout=3600s build:rbe-engflow --bes_timeout=3600s build:rbe-engflow --bes_upload_mode=fully_async +build:cache-envoy-engflow --google_default_credentials=false +build:cache-envoy-engflow --remote_cache=grpcs://morganite.cluster.engflow.com +build:cache-envoy-engflow --remote_timeout=3600s +build:cache-envoy-engflow --credential_helper=*.engflow.com=%workspace%/bazel/engflow-bazel-credential-helper.sh +build:cache-envoy-engflow --grpc_keepalive_time=30s +build:bes-envoy-engflow --bes_backend=grpcs://morganite.cluster.engflow.com/ +build:bes-envoy-engflow --bes_results_url=https://morganite.cluster.engflow.com/invocation/ +build:bes-envoy-engflow --bes_timeout=3600s +build:bes-envoy-engflow --bes_upload_mode=fully_async +build:rbe-envoy-engflow --config=cache-envoy-engflow +build:rbe-envoy-engflow --config=bes-envoy-engflow +build:rbe-envoy-engflow --remote_executor=grpcs://morganite.cluster.engflow.com +build:rbe-envoy-engflow --remote_default_exec_properties=container-image=docker://docker.io/envoyproxy/envoy-build-ubuntu:fdd65c6270a8507a18d5acd6cf19a18cb695e4fa@sha256:3c8a3ce6f90dcfb5d09dc8f79bb01404d3526d420061f9a176e0a8e91e1e573e + ############################################################################# # debug: Various Bazel debugging flags ############################################################################# diff --git a/proxy.bazelrc b/proxy.bazelrc index 210fd1d3..549cecdd 100644 --- a/proxy.bazelrc +++ b/proxy.bazelrc @@ -13,6 +13,9 @@ build:remote --remote_timeout=7200 # Istio specific Bazel build/test options. # ======================================== +# Enable libc++ and C++20 by default. +build --config=libc++20 + # Need for CI image to pickup docker-credential-gcloud, PATH is fixed in rbe-toolchain-* configs. build:remote-ci --action_env=PATH=/usr/local/google-cloud-sdk/bin:/usr/sbin:/usr/bin:/sbin:/bin:/opt/llvm/bin @@ -48,3 +51,19 @@ build --cxxopt -Wformat-security # Link pthread for flatbuffers build --host_linkopt=-pthread + +# CI sanitizer configuration +# +build:clang-asan-ci --config=clang-asan +build:clang-asan-ci --action_env=ENVOY_UBSAN_VPTR=1 +build:clang-asan-ci --copt=-fsanitize=vptr,function +build:clang-asan-ci --linkopt=-fsanitize=vptr,function +build:clang-asan-ci --linkopt='-L/usr/lib/llvm/lib/x86_64-unknown-linux-gnu' +build:clang-asan-ci --linkopt='-Wl,-rpath,/usr/lib/llvm/lib/x86_64-unknown-linux-gnu' +build:clang-asan-ci --linkopt='-L/usr/lib/llvm/lib/clang/14.0.0/lib/x86_64-unknown-linux-gnu' +build:clang-asan-ci --linkopt=-l:libclang_rt.ubsan_standalone.a +build:clang-asan-ci --linkopt=-l:libclang_rt.ubsan_standalone_cxx.a + +build:clang-tsan-ci --config=clang-tsan +build:clang-tsan-ci --linkopt=-L/opt/libcxx_tsan/lib +build:clang-tsan-ci --linkopt=-Wl,-rpath,/opt/libcxx_tsan/lib