Merge remote-tracking branch 'origin/master' into add-clang-cl-build

Signed-off-by: William A Rowe Jr <wrowe@vmware.com>

PULL_REQUESTS.md

@@ -60,7 +60,7 @@ changes may be in [docs/root](docs/root) and/or inline with the API protos. Plea
 N/A if there were no documentation changes.
 
 Any PRs with structural changes to the dataplane should also update the [Life of a
-Request](docs/root/intro/life_of_a_request.md) documentation as appropriate.
+Request](https://www.envoyproxy.io/docs/envoy/latest/intro/life_of_a_request) documentation as appropriate.
 
 ### <a name="relnotes"></a>Release notes
 

STYLE.md

@@ -19,7 +19,7 @@
 # Documentation
 
 * If you are modifying the data plane structually, please keep the [Life of a
-  Request](docs/root/intro/life_of_a_request.md) documentation up-to-date.
+  Request](https://www.envoyproxy.io/docs/envoy/latest/intro/life_of_a_request) documentation up-to-date.
 
 # Deviations from Google C++ style guidelines
 

api/envoy/config/trace/v3/zipkin.proto

@@ -46,9 +46,7 @@ message ZipkinConfig {
     GRPC = 3;
   }
 
-  // The cluster manager cluster that hosts the Zipkin collectors. Note that the
-  // Zipkin cluster must be defined in the :ref:`Bootstrap static cluster
-  // resources <envoy_api_field_config.bootstrap.v3.Bootstrap.StaticResources.clusters>`.
+  // The cluster manager cluster that hosts the Zipkin collectors.
   string collector_cluster = 1 [(validate.rules).string = {min_len: 1}];
 
   // The API endpoint of the Zipkin service where the spans will be sent. When

bazel/BUILD

@@ -285,8 +285,8 @@ config_setting(
 )
 
 config_setting(
-    name = "enable_new_codecs_in_integration_tests",
-    values = {"define": "use_new_codecs_in_integration_tests=true"},
+    name = "enable_legacy_codecs_in_integration_tests",
+    values = {"define": "use_new_codecs_in_integration_tests=false"},
 )
 
 cc_proto_library(

bazel/envoy_select.bzl

@@ -59,9 +59,9 @@ def envoy_select_wasm_wasmtime(xs):
         "//conditions:default": [],
     })
 
-# Select the given values if use legacy codecs in test is on in the current build.
+# Select the given values by default and remove if use new codecs are disabled for current build.
 def envoy_select_new_codecs_in_integration_tests(xs, repository = ""):
     return select({
-        repository + "//bazel:enable_new_codecs_in_integration_tests": xs,
-        "//conditions:default": [],
+        repository + "//bazel:enable_legacy_codecs_in_integration_tests": [],
+        "//conditions:default": xs,
     })

configs/configgen.py

@@ -139,5 +139,7 @@ def generate_config(template_path, template, output_file, **context):
                 mongos_servers=mongos_servers)
 
 shutil.copy(os.path.join(SCRIPT_DIR, 'envoyproxy_io_proxy.yaml'), OUT_DIR)
-shutil.copy(os.path.join(SCRIPT_DIR, 'encapsulate_in_connect.yaml'), OUT_DIR)
-shutil.copy(os.path.join(SCRIPT_DIR, 'terminate_connect.yaml'), OUT_DIR)
+shutil.copy(os.path.join(SCRIPT_DIR, 'encapsulate_in_http1_connect.yaml'), OUT_DIR)
+shutil.copy(os.path.join(SCRIPT_DIR, 'encapsulate_in_http2_connect.yaml'), OUT_DIR)
+shutil.copy(os.path.join(SCRIPT_DIR, 'terminate_http1_connect.yaml'), OUT_DIR)
+shutil.copy(os.path.join(SCRIPT_DIR, 'terminate_http2_connect.yaml'), OUT_DIR)

configs/encapsulate_in_http1_connect.yaml

@@ -0,0 +1,44 @@
+# This configuration takes incoming data on port 10000 and encapsulates it in a CONNECT
+# request which is sent upstream port 10001.
+# It can be used to test TCP tunneling as described in docs/root/intro/arch_overview/http/upgrades.rst
+# and running `curl --x 127.0.0.1:10000 https://www.google.com`
+
+admin:
+  access_log_path: /tmp/admin_access.log
+  address:
+    socket_address:
+      protocol: TCP
+      address: 127.0.0.1
+      port_value: 9903
+static_resources:
+  listeners:
+  - name: listener_0
+    address:
+      socket_address:
+        protocol: TCP
+        address: 127.0.0.1
+        port_value: 10000
+    filter_chains:
+    - filters:
+      - name: tcp
+        typed_config:
+          "@type": type.googleapis.com/envoy.extensions.filters.network.tcp_proxy.v3.TcpProxy
+          stat_prefix: tcp_stats
+          cluster: "cluster_0"
+          tunneling_config:
+            hostname: host.com:443
+  clusters:
+    - name: cluster_0
+      connect_timeout: 5s
+      # This ensures HTTP/1.1 CONNECT is used for establishing the tunnel.
+      http_protocol_options:
+        {}
+      load_assignment:
+        cluster_name: cluster_0
+        endpoints:
+          - lb_endpoints:
+              - endpoint:
+                  address:
+                    socket_address:
+                      address: 127.0.0.1
+                      port_value: 10001

configs/encapsulate_in_connect.yaml → configs/encapsulate_in_http2_connect.yaml

@@ -26,10 +26,11 @@ static_resources:
           stat_prefix: tcp_stats
           cluster: "cluster_0"
           tunneling_config:
-            hostname: host.com
+            hostname: host.com:443
   clusters:
     - name: cluster_0
       connect_timeout: 5s
+      # This ensures HTTP/2 CONNECT is used for establishing the tunnel.
       http2_protocol_options:
         {}
       load_assignment:

configs/terminate_http1_connect.yaml

@@ -0,0 +1,61 @@
+# This configuration terminates a CONNECT request and sends the CONNECT payload upstream.
+# It can be used to test TCP tunneling as described in docs/root/intro/arch_overview/http/upgrades.rst
+# or used to test CONNECT directly, by running `curl -k -v -x 127.0.0.1:10001 https://www.google.com`
+admin:
+  access_log_path: /tmp/admin_access.log
+  address:
+    socket_address:
+      protocol: TCP
+      address: 127.0.0.1
+      port_value: 9902
+static_resources:
+  listeners:
+  - name: listener_0
+    address:
+      socket_address:
+        protocol: TCP
+        address: 127.0.0.1
+        port_value: 10001
+    filter_chains:
+    - filters:
+      - name: envoy.filters.network.http_connection_manager
+        typed_config:
+          "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
+          stat_prefix: ingress_http
+          route_config:
+            name: local_route
+            virtual_hosts:
+            - name: local_service
+              domains:
+                - "*"
+              routes:
+                - match:
+                    connect_matcher:
+                      {}
+                  route:
+                    cluster: service_google
+                    upgrade_configs:
+                      - upgrade_type: CONNECT
+                        connect_config:
+                          {}
+          http_filters:
+          - name: envoy.filters.http.router
+          http_protocol_options: {}
+          upgrade_configs:
+            - upgrade_type: CONNECT
+  clusters:
+  - name: service_google
+    connect_timeout: 0.25s
+    type: LOGICAL_DNS
+    # Comment out the following line to test on v6 networks
+    dns_lookup_family: V4_ONLY
+    lb_policy: ROUND_ROBIN
+    load_assignment:
+      cluster_name: service_google
+      endpoints:
+      - lb_endpoints:
+        - endpoint:
+            address:
+              socket_address:
+                address: www.google.com
+                port_value: 443

docs/root/configuration/http/http_filters/ext_authz_filter.rst

@@ -165,8 +165,7 @@ The HTTP filter outputs statistics in the *cluster.<route target cluster>.ext_au
   :widths: 1, 1, 2
 
   ok, Counter, Total responses from the filter.
-  error, Counter, Total errors (including timeouts) contacting the external service.
-  timeout, Counter, Total timeouts contacting the external service (only counted when timeout is measured when check request is created).
+  error, Counter, Total errors contacting the external service.
   denied, Counter, Total responses from the authorizations service that were to deny the traffic.
   disabled, Counter, Total requests that are allowed without calling external services due to the filter is disabled.
   failure_mode_allowed, Counter, "Total requests that were error(s) but were allowed through because

docs/root/intro/arch_overview/http/upgrades.rst

@@ -94,17 +94,32 @@ will synthesize 200 response headers, and then forward the TCP data as the HTTP
 For an example of proxying connect, please see :repo:`configs/proxy_connect.yaml <configs/proxy_connect.yaml>`
 For an example of terminating connect, please see :repo:`configs/terminate_connect.yaml <configs/terminate_connect.yaml>`
 
-Tunneling TCP over HTTP/2
-^^^^^^^^^^^^^^^^^^^^^^^^^
-Envoy also has support for transforming raw TCP into HTTP/2 CONNECT requests. This can be used to
-proxy multiplexed TCP over pre-warmed secure connections and amortize the cost of any TLS handshake.
-An example set up proxying SMTP would look something like this
+Tunneling TCP over HTTP
+^^^^^^^^^^^^^^^^^^^^^^^
+Envoy also has support for tunneling raw TCP over HTTP CONNECT requests. Find
+below some usage scenarios.
+
+HTTP/2 CONNECT can be used to proxy multiplexed TCP over pre-warmed secure connections and amortize the cost of any TLS
+handshake.
+An example set up proxying SMTP would look something like this:
 
 [SMTP Upstream] --- raw SMTP --- [L2 Envoy]  --- SMTP tunneled over HTTP/2  --- [L1 Envoy]  --- raw SMTP  --- [Client]
 
+HTTP/1.1 CONNECT can be used to have TCP client connecting to its own
+destination passing through an HTTP proxy server (e.g. corporate proxy not
+supporting HTTP/2):
+
+[HTTP Server] --- raw HTTP --- [L2 Envoy]  --- HTTP tunneled over HTTP/1.1  --- [L1 Envoy]  --- raw HTTP  --- [HTTP Client]
+
+Note that when using HTTP/1 CONNECT you will end up having a TCP connection
+between L1 and L2 Envoy for each TCP client connection, it is preferable to use
+HTTP/2 when you have the choice.
+
 Examples of such a set up can be found in the Envoy example config :repo:`directory <configs/>`
-If you run `bazel-bin/source/exe/envoy-static --config-path configs/encapsulate_in_connect.yaml --base-id 1`
-and `bazel-bin/source/exe/envoy-static --config-path  configs/terminate_connect.yaml`
-you will be running two Envoys, the first listening for TCP traffic on port 10000 and encapsulating it in an HTTP/2
-CONNECT request, and the second listening for HTTP/2 on 10001, stripping the CONNECT headers, and forwarding the
+For HTTP/1.1 run `bazel-bin/source/exe/envoy-static --config-path configs/encapsulate_in_http1_connect.yaml --base-id 1`
+and `bazel-bin/source/exe/envoy-static --config-path configs/terminate_http1_connect.yaml`.
+For HTTP/2 run `bazel-bin/source/exe/envoy-static --config-path configs/encapsulate_in_http2_connect.yaml --base-id 1`
+and `bazel-bin/source/exe/envoy-static --config-path configs/terminate_http2_connect.yaml`.
+In both cases you will be running a first Envoy listening for TCP traffic on port 10000 and encapsulating it in an HTTP
+CONNECT request, and a second one listening on 10001, stripping the CONNECT headers, and forwarding the 
 original TCP upstream, in this case to google.com.

docs/root/version_history/current.rst

@@ -36,6 +36,7 @@ Bug Fixes
 * http: reject requests with missing required headers after filter chain processing.
 * http: sending CONNECT_ERROR for HTTP/2 where appropriate during CONNECT requests.
 * proxy_proto: fixed a bug where the wrong downstream address got sent to upstream connections.
+* proxy_proto: fixed a bug where network filters would not have the correct downstreamRemoteAddress() when accessed from the StreamInfo. This could result in incorrect enforcement of RBAC rules in the RBAC network filter (but not in the RBAC HTTP filter), or incorrect access log addresses from tcp_proxy.
 * tls: fix detection of the upstream connection close event.
 * tls: fix read resumption after triggering buffer high-watermark and all remaining request/response bytes are stored in the SSL connection's internal buffers.
 * udp: fixed issue in which receiving truncated UDP datagrams would cause Envoy to crash.

include/envoy/event/BUILD

@@ -41,10 +41,17 @@ envoy_cc_library(
     hdrs = ["file_event.h"],
 )
 
+envoy_cc_library(
+    name = "scaled_timer_minimum",
+    hdrs = ["scaled_timer_minimum.h"],
+    deps = [],
+)
+
 envoy_cc_library(
     name = "scaled_range_timer_manager_interface",
     hdrs = ["scaled_range_timer_manager.h"],
     deps = [
+        ":scaled_timer_minimum",
         ":timer_interface",
     ],
 )

include/envoy/event/scaled_range_timer_manager.h

@@ -1,60 +1,12 @@
 #pragma once
 
 #include "envoy/common/pure.h"
+#include "envoy/event/scaled_timer_minimum.h"
 #include "envoy/event/timer.h"
 
-#include "absl/types/variant.h"
-
 namespace Envoy {
 namespace Event {
 
-/**
- * Describes a minimum timer value that is equal to a scale factor applied to the maximum.
- */
-struct ScaledMinimum {
-  explicit ScaledMinimum(double scale_factor) : scale_factor_(scale_factor) {}
-  const double scale_factor_;
-};
-
-/**
- * Describes a minimum timer value that is an absolute duration.
- */
-struct AbsoluteMinimum {
-  explicit AbsoluteMinimum(std::chrono::milliseconds value) : value_(value) {}
-  const std::chrono::milliseconds value_;
-};
-
-/**
- * Class that describes how to compute a minimum timeout given a maximum timeout value. It wraps
- * ScaledMinimum and AbsoluteMinimum and provides a single computeMinimum() method.
- */
-class ScaledTimerMinimum : private absl::variant<ScaledMinimum, AbsoluteMinimum> {
-public:
-  // Use base class constructor.
-  using absl::variant<ScaledMinimum, AbsoluteMinimum>::variant;
-
-  // Computes the minimum value for a given maximum timeout. If this object was constructed with a
-  // - ScaledMinimum value:
-  //     the return value is the scale factor applied to the provided maximum.
-  // - AbsoluteMinimum:
-  //     the return value is that minimum, and the provided maximum is ignored.
-  std::chrono::milliseconds computeMinimum(std::chrono::milliseconds maximum) const {
-    struct Visitor {
-      explicit Visitor(std::chrono::milliseconds value) : value_(value) {}
-      std::chrono::milliseconds operator()(ScaledMinimum scale_factor) {
-        return std::chrono::duration_cast<std::chrono::milliseconds>(scale_factor.scale_factor_ *
-                                                                     value_);
-      }
-      std::chrono::milliseconds operator()(AbsoluteMinimum absolute_value) {
-        return absolute_value.value_;
-      }
-      const std::chrono::milliseconds value_;
-    };
-    return absl::visit<Visitor, const absl::variant<ScaledMinimum, AbsoluteMinimum>&>(
-        Visitor(maximum), *this);
-  }
-};
-
 /**
  * Class for creating Timer objects that can be adjusted towards either the minimum or maximum
  * of their range by the owner of the manager object. Users of this class can call createTimer() to