Merge remote-tracking branch 'upstream/main' into local_ratelimit_con…

…stant_rcd

Signed-off-by: Jake Bennert <[email protected]>

OWNERS.md

@@ -78,7 +78,7 @@ without further review.
 * Otto van der Schaaf ([oschaaf](https://github.com/oschaaf)) ([email protected])
 * Tim Walsh ([twghu](https://github.com/twghu)) ([email protected])
 * Pradeep Rao ([pradeepcrao](https://github.com/pradeepcrao)) ([email protected])
-* Kateryna Nezdolii ([nezdolik](https://github.com/nezdolik)) (nezdolik@spotify.com)
+* Kateryna Nezdolii ([nezdolik](https://github.com/nezdolik)) (kateryna.nezdolii@gmail.com)
 * Boteng Yao ([botengyao](https://github.com/botengyao)) ([email protected])
 * Kevin Baichoo ([KBaichoo](https://github.com/KBaichoo)) ([email protected])
 * Tianyu Xia ([tyxia](https://github.com/tyxia)) ([email protected])

RELEASES.md

@@ -127,8 +127,6 @@ [email protected]
 [email protected] -
 include in this email a link to the latest [release page](https://github.com/envoyproxy/envoy/releases) (ending in `tag/[version]`)
 * Announce in [#envoy-dev](https://envoyproxy.slack.com/archives/C78HA81DH) and [#envoy-users](https://envoyproxy.slack.com/archives/C78M4KW76) slack channels.
-* Make sure we tweet the new release: either have Matt do it or email [email protected] and ask them to do an Envoy account
-  post.
 
 
 ## Security release schedule

SECURITY-INSIGHTS.yml

@@ -38,6 +38,8 @@ dependencies:
   third-party-packages: true
   dependencies-lists:
     - https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/security/external_deps
+  env-dependencies-policy:
+    policy-url: https://github.com/envoyproxy/envoy/blob/main/DEPENDENCY_POLICY.md
 distribution-points:
   - https://github.com/envoyproxy/envoy
 documentation:

api/bazel/repository_locations.bzl

@@ -131,11 +131,11 @@ REPOSITORY_LOCATIONS_SPEC = dict(
         project_name = "buf",
         project_desc = "A new way of working with Protocol Buffers.",  # Used for breaking change detection in API protobufs
         project_url = "https://buf.build",
-        version = "1.28.1",
-        sha256 = "870cf492d381a967d36636fdee9da44b524ea62aad163659b8dbf16a7da56987",
+        version = "1.29.0",
+        sha256 = "1033f26361e6fc30ffcfab9d4e4274ffd4af88d9c97de63d2e1721c4a07c1380",
         strip_prefix = "buf",
         urls = ["https://github.com/bufbuild/buf/releases/download/v{version}/buf-Linux-x86_64.tar.gz"],
-        release_date = "2023-11-15",
+        release_date = "2024-01-24",
         use_category = ["api"],
         license = "Apache-2.0",
         license_url = "https://github.com/bufbuild/buf/blob/v{version}/LICENSE",

api/envoy/service/ext_proc/v3/external_processor.proto

@@ -91,28 +91,22 @@ message ProcessingRequest {
     // a BodyResponse message, an ImmediateResponse message, or close the stream.
     HttpBody request_body = 4;
 
-    // A chunk of the HTTP request body. Unless ``async_mode`` is ``true``, the server must send back
+    // A chunk of the HTTP response body. Unless ``async_mode`` is ``true``, the server must send back
     // a BodyResponse message or close the stream.
     HttpBody response_body = 5;
 
     // The HTTP trailers for the request path. Unless ``async_mode`` is ``true``, the server
     // must send back a TrailerResponse message or close the stream.
     //
-    // This message is only sent if the trailers processing mode is set to ``SEND``.
-    // If there are no trailers on the original downstream request, then this message
-    // will only be sent (with empty trailers waiting to be populated) if the
-    // processing mode is set before the request headers are sent, such as
-    // in the filter configuration.
+    // This message is only sent if the trailers processing mode is set to ``SEND`` and
+    // the original downstream request has trailers.
     HttpTrailers request_trailers = 6;
 
     // The HTTP trailers for the response path. Unless ``async_mode`` is ``true``, the server
     // must send back a TrailerResponse message or close the stream.
     //
-    // This message is only sent if the trailers processing mode is set to ``SEND``.
-    // If there are no trailers on the original downstream request, then this message
-    // will only be sent (with empty trailers waiting to be populated) if the
-    // processing mode is set before the request headers are sent, such as
-    // in the filter configuration.
+    // This message is only sent if the trailers processing mode is set to ``SEND`` and
+    // the original upstream response has trailers.
     HttpTrailers response_trailers = 7;
   }
 }

bazel/repository_locations.bzl

@@ -1506,11 +1506,11 @@ REPOSITORY_LOCATIONS_SPEC = dict(
         project_name = "rules_license",
         project_desc = "Bazel rules for checking open source licenses",
         project_url = "https://github.com/bazelbuild/rules_license",
-        version = "0.0.7",
-        sha256 = "4531deccb913639c30e5c7512a054d5d875698daeb75d8cf90f284375fe7c360",
+        version = "0.0.8",
+        sha256 = "241b06f3097fd186ff468832150d6cc142247dc42a32aaefb56d0099895fd229",
         urls = ["https://github.com/bazelbuild/rules_license/releases/download/{version}/rules_license-{version}.tar.gz"],
         use_category = ["build", "dataplane_core", "controlplane"],
-        release_date = "2023-06-16",
+        release_date = "2024-01-24",
         cpe = "N/A",
         license = "Apache-2.0",
         license_url = "https://github.com/bazelbuild/rules_license/blob/{version}/LICENSE",

changelogs/current.yaml

@@ -20,8 +20,18 @@ removed_config_or_runtime:
 - area: http
   change: |
     Removed ``envoy.reloadable_features.allow_absolute_url_with_mixed_scheme`` runtime flag and legacy code paths.
+- area: http1
+  change: |
+    Removed ``envoy.reloadable_features.http1_allow_codec_error_response_after_1xx_headers`` runtime flag and legacy code paths.
+- area: overload manager
+  change: |
+    removed ``envoy.reloadable_features.overload_manager_error_unknown_action`` and legacy code paths.
 
 new_features:
+- area: aws_request_signing
+  change: |
+    Update ``aws_request_signing`` filter to support use as an upstream HTTP filter. This allows successful calculation of
+    signatures after the forwarding stage has completed, particularly if the path element is modified.
 - area: grpc reverse bridge
   change: |
     Change HTTP status to 200 to respect the gRPC protocol. This may cause problems for incorrect gRPC clients expecting the filter

docs/root/configuration/http/http_filters/_include/aws-request-signing-filter-upstream.yaml

@@ -0,0 +1,63 @@
+static_resources:
+  listeners:
+  - address:
+      socket_address:
+        address: 0.0.0.0
+        port_value: 10000
+    filter_chains:
+    - filters:
+      - name: envoy.filters.network.http_connection_manager
+        typed_config:
+          '@type': type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
+          stat_prefix: ingress_http
+          http_filters:
+          - name: envoy.filters.http.router
+            typed_config:
+              '@type': type.googleapis.com/envoy.extensions.filters.http.router.v3.Router
+          route_config:
+            name: local_route
+            virtual_hosts:
+            - domains:
+              - '*'
+              name: local_service
+              routes:
+              - match: {prefix: "/"}
+                route: {cluster: default_service}
+  clusters:
+  - name: default_service
+    load_assignment:
+      cluster_name: default_service
+      endpoints:
+      - lb_endpoints:
+        - endpoint:
+            address:
+              socket_address:
+                address: 127.0.0.1
+                port_value: 10001
+    typed_extension_protocol_options:
+      envoy.extensions.upstreams.http.v3.HttpProtocolOptions:
+        "@type": type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions
+        upstream_http_protocol_options:
+          auto_sni: true
+          auto_san_validation: true
+        auto_config:
+          http2_protocol_options: {}
+        http_filters:
+          - name: envoy.filters.http.aws_request_signing
+            typed_config:
+              "@type": type.googleapis.com/envoy.extensions.filters.http.aws_request_signing.v3.AwsRequestSigning
+              service_name: vpc-lattice-svcs
+              region: '*'
+              signing_algorithm: AWS_SIGV4A
+              use_unsigned_payload: true
+              match_excluded_headers:
+              - prefix: x-envoy
+              - prefix: x-forwarded
+              - exact: x-amzn-trace-id
+          - name: envoy.filters.http.upstream_codec
+            typed_config:
+              "@type": type.googleapis.com/envoy.extensions.filters.http.upstream_codec.v3.UpstreamCodec
+    transport_socket:
+      name: envoy.transport_sockets.tls
+      typed_config:
+        "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext

docs/root/configuration/http/http_filters/aws_request_signing_filter.rst

@@ -52,7 +52,7 @@ Example filter configuration:
     :linenos:
     :caption: :download:`aws-request-signing-filter.yaml <_include/aws-request-signing-filter.yaml>`
 
-Note that this filter also supports per route configuration:
+This filter also supports per route configuration. Below is an example of route-level config overriding the config at the virtual-host level.
 
 .. literalinclude:: _include/aws-request-signing-filter-route-level-override.yaml
     :language: yaml
@@ -61,9 +61,7 @@ Note that this filter also supports per route configuration:
     :linenos:
     :caption: :download:`aws-request-signing-filter-route-level-override.yaml <_include/aws-request-signing-filter-route-level-override.yaml>`
 
-Above shows an example of route-level config overriding the config on the virtual-host level.
-
-An example of configuring this filter to use ``AWS_SIGV4A`` signing with a wildcarded region set, to a AWS VPC Lattice service:
+An example of configuring this filter to use ``AWS_SIGV4A`` signing with a wildcarded region set, to an Amazon VPC Lattice service:
 
 .. literalinclude:: _include/aws-request-signing-filter-sigv4a.yaml
     :language: yaml
@@ -72,6 +70,27 @@ An example of configuring this filter to use ``AWS_SIGV4A`` signing with a wildc
     :linenos:
     :caption: :download:`aws-request-signing-filter-sigv4a.yaml <_include/aws-request-signing-filter-sigv4a.yaml>`
 
+
+Configuration as an upstream HTTP filter
+----------------------------------------
+SigV4 or SigV4A request signatures are calculated using the HTTP host, URL and payload as input. Depending on the configuration, Envoy may modify one or more of
+these prior to forwarding to the Cluster subsystem, but after the signature has been calculated and inserted into the HTTP headers. Modifying fields in a SigV4 or SigV4A
+signed request will result in an invalid signature.
+
+To avoid invalid signatures, the AWS Request Signing Filter can be configured as an upstream HTTP filter. This allows signatures to be
+calculated as a final step before the HTTP request is forwarded upstream, ensuring signatures are correctly calculated over the updated
+HTTP fields.
+
+Configuring this filter as an upstream HTTP filter is done in a similar way to the downstream case, but using the :ref:`http_filters <envoy_v3_api_field_extensions.filters.network.http_connection_manager.v3.HttpConnectionManager.http_filters>`
+filter chain within the cluster configuration.
+
+.. literalinclude:: _include/aws-request-signing-filter-upstream.yaml
+    :language: yaml
+    :lines: 47-57
+    :lineno-start: 47
+    :linenos:
+    :caption: :download:`aws-request-signing-filter-upstream.yaml <_include/aws-request-signing-filter-upstream.yaml>`
+
 .. include:: _include/aws_credentials.rst
 
 Statistics

docs/root/faq/configuration/sni.rst

@@ -19,6 +19,8 @@ The following is a YAML example of the above requirement.
     socket_address: { address: 127.0.0.1, port_value: 1234 }
   listener_filters:
   - name: "envoy.filters.listener.tls_inspector"
+    typed_config:
+      "@type": type.googleapis.com/envoy.extensions.filters.listener.tls_inspector.v3.TlsInspector
   filter_chains:
   - filter_chain_match:
       server_names: ["example.com", "www.example.com"]

envoy/server/filter_config.h

@@ -117,8 +117,9 @@ class ProtocolOptionsFactory : public Config::TypedFactory {
    * @param config supplies the protobuf configuration for the filter
    * @param validation_visitor message validation visitor instance.
    * @return Upstream::ProtocolOptionsConfigConstSharedPtr the protocol options
+   * or an error message.
    */
-  virtual Upstream::ProtocolOptionsConfigConstSharedPtr
+  virtual absl::StatusOr<Upstream::ProtocolOptionsConfigConstSharedPtr>
   createProtocolOptionsConfig(const Protobuf::Message& config,
                               ProtocolOptionsFactoryContext& factory_context) {
     UNREFERENCED_PARAMETER(config);

examples/ext_authz/Dockerfile-opa

@@ -1 +1 @@
-FROM openpolicyagent/opa:0.60.0-istio@sha256:242a2dbe29b668b524daae8446fb00518ab95a46215bbc17d8b80b2d28370841
+FROM openpolicyagent/opa:0.61.0-istio@sha256:5ee86eb43bbe8a80e24d4d218a7fd568e5e5c1a782f20aa03a5643cad307034f

examples/opentelemetry/Dockerfile-opentelemetry

@@ -1,7 +1,7 @@
-FROM alpine:3.19@sha256:51b67269f354137895d43f3b3d810bfacd3945438e94dc5ac55fdac340352f48 as otelc_curl
+FROM alpine:3.19@sha256:c5b1261d6d3e43071626931fc004f70149baeba2c8ec672bd4f27761f8e1ad6b as otelc_curl
 RUN apk --update add curl
 
-FROM otel/opentelemetry-collector:latest@sha256:92f6e2efd014152bee26f8324e3a511980b512a36d8793d3fee708715caaa6c0
+FROM otel/opentelemetry-collector:latest@sha256:2cfa5eb469eaf226c1fd62e6e3d38f94a8550951f49136fef3c78f38c211415e
 
 COPY --from=otelc_curl / /