Merge branch 'main' of https://github.com/envoyproxy/envoy into dev-r…

…efactor-execution-context

.azure-pipelines/ci.yml

@@ -214,11 +214,10 @@ steps:
     # Any PR or CI run in envoy-presubmit uses the fake SCM hash
     if [[ "${{ variables['Build.Reason'] }}" == "PullRequest" || "${{ variables['Build.DefinitionName'] }}" == 'envoy-presubmit' ]]; then
         # sha1sum of `ENVOY_PULL_REQUEST`
-        BAZEL_FAKE_SCM_REVISION=e3b4a6e9570da15ac1caffdded17a8bebdc7dfc9
+        echo "e3b4a6e9570da15ac1caffdded17a8bebdc7dfc9" > .BAZEL_FAKE_SCM_REVISION
     fi
     echo "##vso[task.setvariable variable=BAZEL_BUILD_EXTRA_OPTIONS]${BAZEL_BUILD_EXTRA_OPTIONS}"
     echo "##vso[task.setvariable variable=BAZEL_EXTRA_TEST_OPTIONS]${BAZEL_EXTRA_TEST_OPTIONS}"
-    echo "##vso[task.setvariable variable=BAZEL_FAKE_SCM_REVISION]${BAZEL_FAKE_SCM_REVISION}"
     echo "##vso[task.setvariable variable=BAZEL_STARTUP_EXTRA_OPTIONS]${{ parameters.bazelStartupExtraOptions }}"
     echo "##vso[task.setvariable variable=CI_TARGET_BRANCH]${CI_TARGET_BRANCH}"
     echo "##vso[task.setvariable variable=ENVOY_DOCKER_BUILD_DIR]$(Build.StagingDirectory)"

.bazelrc

@@ -43,10 +43,6 @@ build:windows --action_env=PATH --host_action_env=PATH
 # Requires setting `BAZEL_VOLATILE_DIRTY` in the env.
 build --action_env=BAZEL_VOLATILE_DIRTY --host_action_env=BAZEL_VOLATILE_DIRTY
 
-# Prevent stamped caches from busting (eg in PRs)
-# Requires setting `BAZEL_FAKE_SCM_REVISION` in the env.
-build --action_env=BAZEL_FAKE_SCM_REVISION --host_action_env=BAZEL_FAKE_SCM_REVISION
-
 build --test_summary=terse
 
 build:docs-ci --action_env=DOCS_RST_CHECK=1 --host_action_env=DOCS_RST_CHECK=1
@@ -515,19 +511,27 @@ build:rbe-engflow --bes_timeout=3600s
 build:rbe-engflow --bes_upload_mode=fully_async
 build:rbe-engflow --nolegacy_important_outputs
 
-build:cache-envoy-engflow --google_default_credentials=false
+# RBE (Engflow Envoy)
+build:common-envoy-engflow --google_default_credentials=false
+build:common-envoy-engflow --credential_helper=*.engflow.com=%workspace%/bazel/engflow-bazel-credential-helper.sh
+build:common-envoy-engflow --grpc_keepalive_time=30s
+
 build:cache-envoy-engflow --remote_cache=grpcs://morganite.cluster.engflow.com
 build:cache-envoy-engflow --remote_timeout=3600s
-build:cache-envoy-engflow --credential_helper=*.engflow.com=%workspace%/bazel/engflow-bazel-credential-helper.sh
-build:cache-envoy-engflow --grpc_keepalive_time=30s
 build:bes-envoy-engflow --bes_backend=grpcs://morganite.cluster.engflow.com/
 build:bes-envoy-engflow --bes_results_url=https://morganite.cluster.engflow.com/invocation/
 build:bes-envoy-engflow --bes_timeout=3600s
 build:bes-envoy-engflow --bes_upload_mode=fully_async
-build:rbe-envoy-engflow --config=cache-envoy-engflow
-build:rbe-envoy-engflow --config=bes-envoy-engflow
+build:bes-envoy-engflow --nolegacy_important_outputs
 build:rbe-envoy-engflow --remote_executor=grpcs://morganite.cluster.engflow.com
 build:rbe-envoy-engflow --remote_default_exec_properties=container-image=docker://gcr.io/envoy-ci/envoy-build@sha256:7adc40c09508f957624c4d2e0f5aeecb73a59207ee6ded53b107eac828c091b2
+build:rbe-envoy-engflow --jobs=200
+build:rbe-envoy-engflow --define=engflow_rbe=true
+
+build:remote-envoy-engflow --config=common-envoy-engflow
+build:remote-envoy-engflow --config=cache-envoy-engflow
+build:remote-envoy-engflow --config=bes-envoy-engflow
+build:remote-envoy-engflow --config=rbe-envoy-engflow
 
 #############################################################################
 # debug: Various Bazel debugging flags

.github/workflows/_precheck_deps.yml

@@ -29,7 +29,7 @@ jobs:
     uses: ./.github/workflows/_run.yml
     name: ${{ matrix.target }}
     with:
-      bazel-extra: '--config=rbe-envoy-engflow'
+      bazel-extra: '--config=remote-envoy-engflow'
       cache-build-image: ${{ fromJSON(inputs.request).request.build-image.default }}
       request: ${{ inputs.request }}
       error-match: |

.github/workflows/_publish_build.yml

@@ -59,14 +59,15 @@ jobs:
           name: Release (x64)
           arch: x64
           bazel-extra: >-
-            --config=rbe-envoy-engflow
+            --config=remote-envoy-engflow
           rbe: true
           runs-on: ubuntu-24.04
         - target: release.server_only
           name: Release (arm64)
           arch: arm64
           bazel-extra: >-
             --config=cache-envoy-engflow
+            --config=common-envoy-engflow
             --config=bes-envoy-engflow
           rbe: false
           runs-on: envoy-arm64-medium

.github/workflows/_publish_verify.yml

@@ -30,7 +30,7 @@ jobs:
     name: ${{ matrix.name || matrix.target }}
     uses: ./.github/workflows/_run.yml
     with:
-      bazel-extra: ${{ matrix.bazel-extra || '--config=rbe-envoy-engflow' }}
+      bazel-extra: ${{ matrix.bazel-extra || '--config=remote-envoy-engflow' }}
       cache-build-image: ${{ matrix.cache-build-image }}
       cache-build-image-key-suffix: ${{ matrix.arch == 'arm64' && format('-{0}', matrix.arch) || '' }}
       container-command: ${{ matrix.container-command }}
@@ -85,7 +85,7 @@ jobs:
     name: ${{ matrix.name || matrix.target }}
     uses: ./.github/workflows/_run.yml
     with:
-      bazel-extra: ${{ matrix.bazel-extra || '--config=rbe-envoy-engflow' }}
+      bazel-extra: ${{ matrix.bazel-extra || '--config=remote-envoy-engflow' }}
       cache-build-image: ${{ fromJSON(inputs.request).request.build-image.default }}
       cache-build-image-key-suffix: ${{ matrix.arch == 'arm64' && format('-{0}', matrix.arch) || '' }}
       container-command: ./ci/run_envoy_docker.sh

.github/workflows/_run.yml

@@ -250,6 +250,11 @@ jobs:
         passphrase-path: "${{ runner.temp }}/gpg-passphrase"
         configured-passphrase-path: /build/gpg-passphrase
 
+    - run: |
+        echo "e3b4a6e9570da15ac1caffdded17a8bebdc7dfc9" > .BAZEL_FAKE_SCM_REVISION
+      if: >-
+        ${{ fromJSON(inputs.request).request.pr == '' }}
+
     - uses: envoyproxy/toolshed/gh-actions/github/run@actions-v0.2.35
       name: Run CI ${{ inputs.command }} ${{ inputs.target }}
       with:
@@ -290,7 +295,6 @@ jobs:
           --config=remote-ci
           ${{ inputs.bazel-extra }}
           ${{ inputs.rbe == true && format('--jobs={0}', inputs.bazel-rbe-jobs) || '' }}
-        BAZEL_FAKE_SCM_REVISION: ${{ github.event_name == 'pull_request' && 'e3b4a6e9570da15ac1caffdded17a8bebdc7dfc9' || '' }}
         CI_BRANCH: >-
           ${{ inputs.trusted
               && format('refs/heads/{0}', fromJSON(inputs.request).request.target-branch)

.github/workflows/envoy-macos.yml

@@ -66,6 +66,7 @@ jobs:
               --flaky_test_attempts=2
               --config=bes-envoy-engflow
               --config=cache-envoy-engflow
+              --config=common-envoy-engflow
               --config=ci)
             export BAZEL_BUILD_EXTRA_OPTIONS=${_BAZEL_BUILD_EXTRA_OPTIONS[*]}
 

WORKSPACE

@@ -27,3 +27,7 @@ envoy_python_dependencies()
 load("//bazel:dependency_imports.bzl", "envoy_dependency_imports")
 
 envoy_dependency_imports()
+
+load("//bazel:dependency_imports_extra.bzl", "envoy_dependency_imports_extra")
+
+envoy_dependency_imports_extra()

api/envoy/config/core/v3/protocol.proto

@@ -56,7 +56,7 @@ message QuicKeepAliveSettings {
 }
 
 // QUIC protocol options which apply to both downstream and upstream connections.
-// [#next-free-field: 9]
+// [#next-free-field: 10]
 message QuicProtocolOptions {
   // Maximum number of streams that the client can negotiate per connection. 100
   // if not specified.
@@ -111,6 +111,10 @@ message QuicProtocolOptions {
     lte {seconds: 600}
     gte {seconds: 1}
   }];
+
+  // Maximum packet length for QUIC connections. It refers to the largest size of a QUIC packet that can be transmitted over the connection.
+  // If not specified, one of the `default values in QUICHE <https://github.com/google/quiche/blob/main/quiche/quic/core/quic_constants.h>`_ is used.
+  google.protobuf.UInt64Value max_packet_length = 9;
 }
 
 message UpstreamHttpProtocolOptions {

api/envoy/extensions/filters/http/ext_proc/v3/ext_proc.proto

@@ -94,7 +94,7 @@ option (udpa.annotations.file_status).package_version_status = ACTIVE;
 // <arch_overview_advanced_filter_state_sharing>` object in a namespace matching the filter
 // name.
 //
-// [#next-free-field: 22]
+// [#next-free-field: 23]
 message ExternalProcessor {
   // Describes the route cache action to be taken when an external processor response
   // is received in response to request headers.
@@ -284,6 +284,15 @@ message ExternalProcessor {
   //       in a single body response message, followed by the remaining body responses.
   // In all scenarios, the header-body ordering must always be maintained.
   bool send_body_without_waiting_for_header_response = 21;
+
+  // When :ref:`allow_mode_override
+  // <envoy_v3_api_field_extensions.filters.http.ext_proc.v3.ExternalProcessor.allow_mode_override>` is enabled and
+  // ``allowed_override_modes`` is configured, the filter config :ref:`processing_mode
+  // <envoy_v3_api_field_extensions.filters.http.ext_proc.v3.ExternalProcessor.processing_mode>`
+  // can only be overridden by the response message from the external processing server iff the
+  // :ref:`mode_override <envoy_v3_api_field_service.ext_proc.v3.ProcessingResponse.mode_override>` is allowed by
+  // the ``allowed_override_modes`` allow-list below.
+  repeated ProcessingMode allowed_override_modes = 22;
 }
 
 // ExtProcHttpService is used for HTTP communication between the filter and the external processing service.

api/envoy/extensions/filters/http/oauth2/v3/oauth.proto

@@ -84,7 +84,7 @@ message OAuth2Credentials {
 
 // OAuth config
 //
-// [#next-free-field: 19]
+// [#next-free-field: 21]
 message OAuth2Config {
   enum AuthType {
     // The ``client_id`` and ``client_secret`` will be sent in the URL encoded request body.
@@ -125,7 +125,7 @@ message OAuth2Config {
   bool forward_bearer_token = 7;
 
   // If set to true, preserve the existing authorization header.
-  // By default Envoy strips the existing authorization header before forwarding upstream.
+  // By default the client strips the existing authorization header before forwarding upstream.
   // Can not be set to true if forward_bearer_token is already set to true.
   // Default value is false.
   bool preserve_authorization_header = 16;
@@ -169,11 +169,23 @@ message OAuth2Config {
   // This setting is only considered if ``use_refresh_token`` is set to true, otherwise the authorization server expiration or ``default_expires_in`` is used.
   google.protobuf.Duration default_refresh_token_expires_in = 15;
 
-  // If set to true, Envoy will not set a cookie for ID Token even if one is received from the Identity Provider. This may be useful in cases where the ID
+  // If set to true, the client will not set a cookie for ID Token even if one is received from the Identity Provider. This may be useful in cases where the ID
   // Token is too large for HTTP cookies (longer than 4096 characters). Enabling this option will only disable setting the cookie response header, the filter
   // will still process incoming ID Tokens as part of the HMAC if they are there. This is to ensure compatibility while switching this setting on. Future
   // sessions would not set the IdToken cookie header.
   bool disable_id_token_set_cookie = 17;
+
+  // If set to true, the client will not set a cookie for Access Token even if one is received from the Identity Provider.
+  // Enabling this option will only disable setting the cookie response header, the filter
+  // will still process incoming Access Tokens as part of the HMAC if they are there. This is to ensure compatibility while switching this setting on. Future
+  // sessions would not set the Access Token cookie header.
+  bool disable_access_token_set_cookie = 19;
+
+  // If set to true, the client will not set a cookie for Refresh Token even if one is received from the Identity Provider.
+  // Enabling this option will only disable setting the cookie response header, the filter
+  // will still process incoming Refresh Tokens as part of the HMAC if they are there. This is to ensure compatibility while switching this setting on. Future
+  // sessions would not set the Refresh Token cookie header.
+  bool disable_refresh_token_set_cookie = 20;
 }
 
 // Filter config.

bazel/BUILD

@@ -749,6 +749,11 @@ alias(
     }),
 )
 
+config_setting(
+    name = "engflow_rbe",
+    define_values = {"engflow_rbe": "true"},
+)
+
 selects.config_setting_group(
     name = "apple",
     match_any = [

bazel/dependency_imports.bzl

@@ -14,6 +14,8 @@ load("@rules_foreign_cc//foreign_cc:repositories.bzl", "rules_foreign_cc_depende
 load("@rules_fuzzing//fuzzing:repositories.bzl", "rules_fuzzing_dependencies")
 load("@rules_pkg//:deps.bzl", "rules_pkg_dependencies")
 load("@rules_proto_grpc//:repositories.bzl", "rules_proto_grpc_toolchains")
+load("@rules_rust//crate_universe:defs.bzl", "crates_repository")
+load("@rules_rust//crate_universe:repositories.bzl", "crate_universe_dependencies")
 load("@rules_rust//rust:defs.bzl", "rust_common")
 load("@rules_rust//rust:repositories.bzl", "rules_rust_dependencies", "rust_register_toolchains", "rust_repository_set")
 
@@ -51,6 +53,8 @@ def envoy_dependency_imports(go_version = GO_VERSION, jq_version = JQ_VERSION, y
             "wasm32-wasi",
         ],
     )
+    crate_universe_dependencies()
+    crates_repositories()
     shellcheck_dependencies()
     proxy_wasm_rust_sdk_dependencies()
     rules_fuzzing_dependencies(
@@ -196,3 +200,11 @@ def envoy_download_go_sdks(go_version):
         goarch = "arm64",
         version = go_version,
     )
+
+def crates_repositories():
+    crates_repository(
+        name = "dynamic_modules_rust_sdk_crate_index",
+        cargo_lockfile = "//source/extensions/dynamic_modules/sdk/rust:Cargo.lock",
+        lockfile = Label("//source/extensions/dynamic_modules/sdk/rust:Cargo.Bazel.lock"),
+        manifests = ["//source/extensions/dynamic_modules/sdk/rust:Cargo.toml"],
+    )

bazel/dependency_imports_extra.bzl

@@ -0,0 +1,5 @@
+load("@dynamic_modules_rust_sdk_crate_index//:defs.bzl", "crate_repositories")
+
+# Dependencies that rely on a first stage of envoy_dependency_imports() in dependency_imports.bzl.
+def envoy_dependency_imports_extra():
+    crate_repositories()

bazel/envoy_binary.bzl

@@ -18,6 +18,8 @@ def envoy_cc_binary(
         data = [],
         testonly = 0,
         visibility = None,
+        rbe_pool = None,
+        exec_properties = {},
         external_deps = [],
         repository = "",
         stamp = 1,
@@ -27,6 +29,10 @@ def envoy_cc_binary(
         tags = [],
         features = [],
         linkstatic = True):
+    exec_properties = exec_properties | select({
+        repository + "//bazel:engflow_rbe": {"Pool": rbe_pool} if rbe_pool else {},
+        "//conditions:default": {},
+    })
     linker_inputs = envoy_exported_symbols_input()
 
     if not linkopts:
@@ -42,6 +48,7 @@ def envoy_cc_binary(
         data = data,
         additional_linker_inputs = linker_inputs,
         copts = envoy_copts(repository),
+        exec_properties = exec_properties,
         linkopts = linkopts,
         testonly = testonly,
         linkstatic = linkstatic,

bazel/envoy_library.bzl

@@ -98,6 +98,8 @@ def envoy_cc_library(
         hdrs = [],
         copts = [],
         visibility = None,
+        rbe_pool = None,
+        exec_properties = {},
         external_deps = [],
         tcmalloc_dep = None,
         repository = "",
@@ -112,6 +114,10 @@ def envoy_cc_library(
         linkopts = []):
     if tcmalloc_dep:
         deps += tcmalloc_external_deps(repository)
+    exec_properties = exec_properties | select({
+        repository + "//bazel:engflow_rbe": {"Pool": rbe_pool} if rbe_pool else {},
+        "//conditions:default": {},
+    })
 
     # If alwayslink is not specified, allow turning it off via --define=library_autolink=disabled
     # alwayslink is defaulted on for envoy_cc_extensions to ensure the REGISTRY macros work.
@@ -132,6 +138,7 @@ def envoy_cc_library(
         textual_hdrs = textual_hdrs,
         deps = deps + [envoy_external_dep_path(dep) for dep in external_deps] +
                envoy_pch_deps(repository, "//source/common/common:common_pch"),
+        exec_properties = exec_properties,
         alwayslink = alwayslink,
         linkstatic = envoy_linkstatic(),
         strip_include_prefix = strip_include_prefix,