Merge branch 'main' into perf-fix

Signed-off-by: Jose Nino <jnino@lyft.com>

.bazelrc

@@ -277,7 +277,7 @@ build:remote-clang-cl --config=rbe-toolchain-clang-cl
 
 # Docker sandbox
 # NOTE: Update this from https://github.com/envoyproxy/envoy-build-tools/blob/main/toolchains/rbe_toolchains_config.bzl#L8
-build:docker-sandbox --experimental_docker_image=envoyproxy/envoy-build-ubuntu:514e2f7bc36c1f0495a523b16aab9168a4aa13b6
+build:docker-sandbox --experimental_docker_image=envoyproxy/envoy-build-ubuntu:d859a503314ae611bb7ca4a7b4b4a19194e199f0
 build:docker-sandbox --spawn_strategy=docker
 build:docker-sandbox --strategy=Javac=docker
 build:docker-sandbox --strategy=Closure=docker

.devcontainer/Dockerfile

@@ -1,4 +1,4 @@
-FROM gcr.io/envoy-ci/envoy-build:514e2f7bc36c1f0495a523b16aab9168a4aa13b6
+FROM gcr.io/envoy-ci/envoy-build:d859a503314ae611bb7ca4a7b4b4a19194e199f0
 
 ARG USERNAME=vscode
 ARG USER_UID=501

.flake8

@@ -5,4 +5,4 @@
 ignore = W503,W504,E121,E126,E241,E125,E127,E129,E251,E265,E303,E306,E402,E501,E502,E711,E713,E722,E741,F523,F541,F841,N803,N806,N817,W605
 
 # TODO(phlax): exclude less
-exclude = build_docs,.git,generated,test,examples,venv
+exclude = build_docs,.git,generated,test,examples,venv,tools/dev

.github/actions/pr_notifier/requirements.txt

@@ -111,9 +111,9 @@ six==1.16.0 \
     --hash=sha256:1e61c37477a1626458e36f7b1d82aa5c9b094fa4802892072e49de9c60c4c926 \
     --hash=sha256:8abb2f1d86890a2dfb989f9a77cfcfd3e47c2a354b01111771326f8aa26e0254
     # via pynacl
-slack-sdk==3.15.1 \
-    --hash=sha256:149f11bdf1eddc446a2327acc28d77bd6d0c54a9f4b6c1433dec422f2cc1c940 \
-    --hash=sha256:8fe074124254e16172bec679421a8dd587320b3221a36a61ff9e350cbe9f9add
+slack-sdk==3.15.2 \
+    --hash=sha256:128f3bb0b5b91454a3d5f140a61f3db370a0e1b50ffe0a8d9e9ebe0e894faed7 \
+    --hash=sha256:e1fa26786169176e707676decc287fd9d3d547bbc43c0a1a4f99eb373b07da94
     # via -r requirements.in
 urllib3==1.26.6 \
     --hash=sha256:39fb8672126159acb139a7718dd10806104dec1e2f0f6c88aab05d17df10c8d4 \

.github/workflows/codeql-daily.yml

@@ -26,7 +26,7 @@ jobs:
 
     # Initializes the CodeQL tools for scanning.
     - name: Initialize CodeQL
-      uses: github/codeql-action/init@75f07e7ab2ee63cba88752d8c696324e4df67466
+      uses: github/codeql-action/init@f5d822707ee6e8fb81b04a5c0040b736da22e587
       # Override language selection by uncommenting this and choosing your languages
       with:
         languages: cpp
@@ -53,4 +53,4 @@ jobs:
         git clean -xdf
 
     - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@75f07e7ab2ee63cba88752d8c696324e4df67466
+      uses: github/codeql-action/analyze@f5d822707ee6e8fb81b04a5c0040b736da22e587

.github/workflows/codeql-push.yml

@@ -1,3 +1,5 @@
+name: CodeQL
+
 on:
   push:
     paths:
@@ -35,7 +37,7 @@ jobs:
 
     # Initializes the CodeQL tools for scanning.
     - name: Initialize CodeQL
-      uses: github/codeql-action/init@75f07e7ab2ee63cba88752d8c696324e4df67466
+      uses: github/codeql-action/init@f5d822707ee6e8fb81b04a5c0040b736da22e587
       # Override language selection by uncommenting this and choosing your languages
       with:
         languages: cpp
@@ -65,4 +67,4 @@ jobs:
 
     - name: Perform CodeQL Analysis
       if: env.BUILD_TARGETS != ''
-      uses: github/codeql-action/analyze@75f07e7ab2ee63cba88752d8c696324e4df67466
+      uses: github/codeql-action/analyze@f5d822707ee6e8fb81b04a5c0040b736da22e587

CODEOWNERS

@@ -203,6 +203,8 @@ extensions/filters/http/oauth2 @rgs1 @derekargueta @snowp
 # DNS Resolver
 /*/extensions/network/dns_resolver/cares @junr03 @yanavlasov
 /*/extensions/network/dns_resolver/apple @junr03 @yanavlasov
+# Config Validators
+/*/extensions/config/validators/minimum_clusters @adisuissa @htuch
 
 # Contrib
 /contrib/exe/ @mattklein123 @lizan

CONTRIBUTING.md

@@ -230,7 +230,9 @@ temporarily reverted by setting runtime guard ``envoy.reloadable_features.schema
 
 * Typically we try to turn around reviews within one business day.
 * See [OWNERS.md](OWNERS.md) for the current list of maintainers.
-* It is generally expected that a senior maintainer should review every PR.
+* It is generally expected that a senior maintainer should review every PR to
+  core code. Test-only or extension-only changes need only be reviewed by a
+  maintainer, or senior extension maintainer.
 * It is also generally expected that a "domain expert" for the code the PR touches should review the
   PR. This person does not necessarily need to have commit access.
 * The previous two points generally mean that every PR should have two approvals. (Exceptions can

OWNERS.md

@@ -61,6 +61,8 @@ without further review.
   * Wasm
 * Raúl Gutiérrez Segalés ([rgs1](https://github.com/rgs1)) (rgs@pinterest.com)
   * Thrift
+* Ryan Hamilton ([RyanTheOptimist](https://github.com/ryantheoptimist)) (rch@google.com)
+  * HTTP/3
 
 # Envoy security team
 
@@ -70,6 +72,9 @@ without further review.
 * William A Rowe Jr ([wrowe](https://github.com/wrowe)) (wrowe@vmware.com)
 * Otto van der Schaaf ([oschaaf](https://github.com/oschaaf)) (oschaaf@redhat.com)
 * Tim Walsh ([twghu](https://github.com/twghu)) (walsh@redhat.com)
+* Ryan Northey ([phlax](https://github.com/phlax)) (ryan@synca.io)
+* Pradeep Rao ([pradeepcrao](https://github.com/pradeepcrao)) (pcrao@google.com)
+* Ryan Hamilton ([RyanTheOptimist](https://github.com/ryantheoptimist)) (rch@google.com)
 
 In addition to the permanent Envoy security team, we have additional temporary
 contributors to envoy-setec and relevant Slack channels from:

STYLE.md

@@ -90,7 +90,7 @@
   NiceMock for mocks whose behavior is not the focus of a test.
 * [Thread
   annotations](https://github.com/abseil/abseil-cpp/blob/master/absl/base/thread_annotations.h),
-  such as `GUARDED_BY`, should be used for shared state guarded by
+  such as `ABSL_GUARDED_BY`, should be used for shared state guarded by
   locks/mutexes.
 * Functions intended to be local to a cc file should be declared in an anonymous namespace,
   rather than using the 'static' keyword. Note that the

api/BUILD

@@ -131,6 +131,7 @@ proto_library(
         "//envoy/extensions/compression/brotli/decompressor/v3:pkg",
         "//envoy/extensions/compression/gzip/compressor/v3:pkg",
         "//envoy/extensions/compression/gzip/decompressor/v3:pkg",
+        "//envoy/extensions/config/validators/minimum_clusters/v3:pkg",
         "//envoy/extensions/filters/common/dependency/v3:pkg",
         "//envoy/extensions/filters/common/fault/v3:pkg",
         "//envoy/extensions/filters/common/matcher/action/v3:pkg",

api/bazel/repositories.bzl

@@ -22,9 +22,6 @@ def api_dependencies():
     external_http_archive(
         name = "com_google_googleapis",
     )
-    external_http_archive(
-        name = "com_github_bazelbuild_buildtools",
-    )
     external_http_archive(
         name = "com_github_cncf_udpa",
     )

api/bazel/repository_locations.bzl

@@ -14,9 +14,9 @@ REPOSITORY_LOCATIONS_SPEC = dict(
         project_name = "protoc-gen-validate (PGV)",
         project_desc = "protoc plugin to generate polyglot message validators",
         project_url = "https://github.com/envoyproxy/protoc-gen-validate",
-        version = "0.6.2",
-        sha256 = "b02da533c77023238c556982507b9a71afc850478b637a7a13ec13f311efa5c0",
-        release_date = "2021-10-21",
+        version = "0.6.7",
+        sha256 = "4c692c62e16c168049bca2b2972b0a25222870cf53e61be30b50d761e58728bd",
+        release_date = "2022-03-04",
         strip_prefix = "protoc-gen-validate-{version}",
         urls = ["https://github.com/envoyproxy/protoc-gen-validate/archive/v{version}.tar.gz"],
         use_category = ["api"],
@@ -28,17 +28,6 @@ REPOSITORY_LOCATIONS_SPEC = dict(
             "org_golang_x_text",
         ],
     ),
-    com_github_bazelbuild_buildtools = dict(
-        project_name = "Bazel build tools",
-        project_desc = "Developer tools for working with Google's bazel buildtool.",
-        project_url = "https://github.com/bazelbuild/buildtools",
-        version = "4.2.5",
-        sha256 = "d368c47bbfc055010f118efb2962987475418737e901f7782d2a966d1dc80296",
-        release_date = "2022-01-13",
-        strip_prefix = "buildtools-{version}",
-        urls = ["https://github.com/bazelbuild/buildtools/archive/{version}.tar.gz"],
-        use_category = ["api"],
-    ),
     com_github_cncf_udpa = dict(
         project_name = "xDS API",
         project_desc = "xDS API Working Group (xDS-WG)",

api/envoy/config/cluster/v3/cluster.proto

@@ -363,12 +363,17 @@ message Cluster {
     // By tuning the parameter, is possible to achieve polynomial or exponential shape of ramp-up curve.
     //
     // During slow start window, effective weight of an endpoint would be scaled with time factor and aggression:
-    // `new_weight = weight * time_factor ^ (1 / aggression)`,
+    // `new_weight = weight * max(min_weight_percent, time_factor ^ (1 / aggression))`,
     // where `time_factor=(time_since_start_seconds / slow_start_time_seconds)`.
     //
     // As time progresses, more and more traffic would be sent to endpoint, which is in slow start window.
     // Once host exits slow start, time_factor and aggression no longer affect its weight.
     core.v3.RuntimeDouble aggression = 2;
+
+    // Configures the minimum percentage of origin weight that avoids too small new weight,
+    // which may cause endpoints in slow start mode receive no traffic in slow start window.
+    // If not specified, the default is 10%.
+    type.v3.Percent min_weight_percent = 3;
   }
 
   // Specific configuration for the RoundRobin load balancing policy.
@@ -486,7 +491,7 @@ message Cluster {
   }
 
   // Common configuration for all load balancer implementations.
-  // [#next-free-field: 8]
+  // [#next-free-field: 9]
   message CommonLbConfig {
     option (udpa.annotations.versioning).previous_message_type =
         "envoy.api.v2.Cluster.CommonLbConfig";
@@ -595,6 +600,14 @@ message Cluster {
 
     // Common Configuration for all consistent hashing load balancers (MaglevLb, RingHashLb, etc.)
     ConsistentHashingLbConfig consistent_hashing_lb_config = 7;
+
+    // This controls what hosts are considered valid when using
+    // :ref:`host overrides <arch_overview_load_balancing_override_host>`, which is used by some
+    // filters to modify the load balancing decision.
+    //
+    // If this is unset then [UNKNOWN, HEALTHY, DEGRADED] will be applied by default. If this is
+    // set with an empty set of statuses then host overrides will be ignored by the load balancing.
+    core.v3.HealthStatusSet override_host_status = 8;
   }
 
   message RefreshRate {

api/envoy/config/core/v3/config_source.proto

@@ -3,8 +3,10 @@ syntax = "proto3";
 package envoy.config.core.v3;
 
 import "envoy/config/core/v3/base.proto";
+import "envoy/config/core/v3/extension.proto";
 import "envoy/config/core/v3/grpc_service.proto";
 
+import "google/protobuf/any.proto";
 import "google/protobuf/duration.proto";
 import "google/protobuf/wrappers.proto";
 
@@ -40,7 +42,7 @@ enum ApiVersion {
 
 // API configuration source. This identifies the API type and cluster that Envoy
 // will use to fetch an xDS API.
-// [#next-free-field: 9]
+// [#next-free-field: 10]
 message ApiConfigSource {
   option (udpa.annotations.versioning).previous_message_type = "envoy.api.v2.core.ApiConfigSource";
 
@@ -108,6 +110,16 @@ message ApiConfigSource {
 
   // Skip the node identifier in subsequent discovery requests for streaming gRPC config types.
   bool set_node_on_first_message_only = 7;
+
+  // A list of config validators that will be executed when a new update is
+  // received from the ApiConfigSource. Note that each validator handles a
+  // specific xDS service type, and only the validators corresponding to the
+  // type url (in `:ref: DiscoveryResponse` or `:ref: DeltaDiscoveryResponse`)
+  // will be invoked.
+  // If the validator returns false or throws an exception, the config will be rejected by
+  // the client, and a NACK will be sent.
+  // [#extension-category: envoy.config.validators]
+  repeated TypedExtensionConfig config_validators = 9;
 }
 
 // Aggregated Discovery Service (ADS) options. This is currently empty, but when
@@ -240,3 +252,32 @@ message ConfigSource {
   // turn expect to be delivered.
   ApiVersion resource_api_version = 6 [(validate.rules).enum = {defined_only: true}];
 }
+
+// Configuration source specifier for a late-bound extension configuration. The
+// parent resource is warmed until all the initial extension configurations are
+// received, unless the flag to apply the default configuration is set.
+// Subsequent extension updates are atomic on a per-worker basis. Once an
+// extension configuration is applied to a request or a connection, it remains
+// constant for the duration of processing. If the initial delivery of the
+// extension configuration fails, due to a timeout for example, the optional
+// default configuration is applied. Without a default configuration, the
+// extension is disabled, until an extension configuration is received. The
+// behavior of a disabled extension depends on the context. For example, a
+// filter chain with a disabled extension filter rejects all incoming streams.
+message ExtensionConfigSource {
+  ConfigSource config_source = 1 [(validate.rules).any = {required: true}];
+
+  // Optional default configuration to use as the initial configuration if
+  // there is a failure to receive the initial extension configuration or if
+  // `apply_default_config_without_warming` flag is set.
+  google.protobuf.Any default_config = 2;
+
+  // Use the default config as the initial configuration without warming and
+  // waiting for the first discovery response. Requires the default configuration
+  // to be supplied.
+  bool apply_default_config_without_warming = 3;
+
+  // A set of permitted extension type URLs. Extension configuration updates are rejected
+  // if they do not match any type URL in the set.
+  repeated string type_urls = 4 [(validate.rules).repeated = {min_items: 1}];
+}

api/envoy/config/core/v3/extension.proto

@@ -2,8 +2,6 @@ syntax = "proto3";
 
 package envoy.config.core.v3;
 
-import "envoy/config/core/v3/config_source.proto";
-
 import "google/protobuf/any.proto";
 
 import "udpa/annotations/status.proto";
@@ -32,32 +30,3 @@ message TypedExtensionConfig {
   // <config_overview_extension_configuration>` for further details.
   google.protobuf.Any typed_config = 2 [(validate.rules).any = {required: true}];
 }
-
-// Configuration source specifier for a late-bound extension configuration. The
-// parent resource is warmed until all the initial extension configurations are
-// received, unless the flag to apply the default configuration is set.
-// Subsequent extension updates are atomic on a per-worker basis. Once an
-// extension configuration is applied to a request or a connection, it remains
-// constant for the duration of processing. If the initial delivery of the
-// extension configuration fails, due to a timeout for example, the optional
-// default configuration is applied. Without a default configuration, the
-// extension is disabled, until an extension configuration is received. The
-// behavior of a disabled extension depends on the context. For example, a
-// filter chain with a disabled extension filter rejects all incoming streams.
-message ExtensionConfigSource {
-  ConfigSource config_source = 1 [(validate.rules).any = {required: true}];
-
-  // Optional default configuration to use as the initial configuration if
-  // there is a failure to receive the initial extension configuration or if
-  // `apply_default_config_without_warming` flag is set.
-  google.protobuf.Any default_config = 2;
-
-  // Use the default config as the initial configuration without warming and
-  // waiting for the first discovery response. Requires the default configuration
-  // to be supplied.
-  bool apply_default_config_without_warming = 3;
-
-  // A set of permitted extension type URLs. Extension configuration updates are rejected
-  // if they do not match any type URL in the set.
-  repeated string type_urls = 4 [(validate.rules).repeated = {min_items: 1}];
-}

api/envoy/config/core/v3/health_check.proto

@@ -54,6 +54,12 @@ enum HealthStatus {
   DEGRADED = 5;
 }
 
+message HealthStatusSet {
+  // An order-independent set of health status.
+  repeated HealthStatus statuses = 1
+      [(validate.rules).repeated = {items {enum {defined_only: true}}}];
+}
+
 // [#next-free-field: 25]
 message HealthCheck {
   option (udpa.annotations.versioning).previous_message_type = "envoy.api.v2.core.HealthCheck";
@@ -186,6 +192,12 @@ message HealthCheck {
     // the :ref:`hostname <envoy_v3_api_field_config.endpoint.v3.Endpoint.HealthCheckConfig.hostname>` field.
     string authority = 2
         [(validate.rules).string = {well_known_regex: HTTP_HEADER_VALUE strict: false}];
+
+    // Specifies a list of key-value pairs that should be added to the metadata of each GRPC call
+    // that is sent to the health checked cluster. For more information, including details on header value syntax,
+    // see the documentation on :ref:`custom request headers
+    // <config_http_conn_man_headers_custom_request_headers>`.
+    repeated HeaderValueOption initial_metadata = 3 [(validate.rules).repeated = {max_items: 1000}];
   }
 
   // Custom health check.

api/envoy/config/listener/v3/listener_components.proto

@@ -4,7 +4,7 @@ package envoy.config.listener.v3;
 
 import "envoy/config/core/v3/address.proto";
 import "envoy/config/core/v3/base.proto";
-import "envoy/config/core/v3/extension.proto";
+import "envoy/config/core/v3/config_source.proto";
 import "envoy/type/v3/range.proto";
 
 import "google/protobuf/any.proto";

api/envoy/extensions/common/ratelimit/v3/ratelimit.proto

@@ -17,6 +17,23 @@ option (udpa.annotations.file_status).package_version_status = ACTIVE;
 
 // [#protodoc-title: Common rate limit components]
 
+// Defines the version of the standard to use for X-RateLimit headers.
+enum XRateLimitHeadersRFCVersion {
+  // X-RateLimit headers disabled.
+  OFF = 0;
+
+  // Use `draft RFC Version 03 <https://tools.ietf.org/id/draft-polli-ratelimit-headers-03.html>`_ where 3 headers will be added:
+  //
+  // * ``X-RateLimit-Limit`` - indicates the request-quota associated to the
+  //   client in the current time-window followed by the description of the
+  //   quota policy. The value is returned by the maximum tokens of the token bucket.
+  // * ``X-RateLimit-Remaining`` - indicates the remaining requests in the
+  //   current time-window. The value is returned by the remaining tokens in the token bucket.
+  // * ``X-RateLimit-Reset`` - indicates the number of seconds until reset of
+  //   the current time-window. The value is returned by the remaining fill interval of the token bucket.
+  DRAFT_VERSION_03 = 1;
+}
+
 // A RateLimitDescriptor is a list of hierarchical entries that are used by the service to
 // determine the final rate limit key and overall allowed limit. Here are some examples of how
 // they might be used for the domain "envoy".

api/envoy/extensions/config/validators/minimum_clusters/v3/BUILD

@@ -0,0 +1,9 @@
+# DO NOT EDIT. This file is generated by tools/proto_format/proto_sync.py.
+
+load("@envoy_api//bazel:api_build_system.bzl", "api_proto_package")
+
+licenses(["notice"])  # Apache 2
+
+api_proto_package(
+    deps = ["@com_github_cncf_udpa//udpa/annotations:pkg"],
+)