Merge branch 'main' of https://github.com/envoyproxy/envoy into dev-l…

…ocal-rate-limit-api

.github/workflows/_precheck_publish.yml

@@ -56,7 +56,7 @@ jobs:
             --config=cache-envoy-engflow
             --config=bes-envoy-engflow
           rbe: false
-          runs-on: envoy-arm64-medium
+          runs-on: envoy-arm64-large
           timeout-minutes: 180
         - target: docs
           name: Docs

api/envoy/config/core/v3/protocol.proto

@@ -209,7 +209,7 @@ message AlternateProtocolsCacheOptions {
   repeated string canonical_suffixes = 5;
 }
 
-// [#next-free-field: 7]
+// [#next-free-field: 8]
 message HttpProtocolOptions {
   option (udpa.annotations.versioning).previous_message_type =
       "envoy.api.v2.core.HttpProtocolOptions";
@@ -259,11 +259,28 @@ message HttpProtocolOptions {
   // <envoy_v3_api_field_extensions.filters.network.http_connection_manager.v3.HttpConnectionManager.drain_timeout>`.
   google.protobuf.Duration max_connection_duration = 3;
 
-  // The maximum number of headers. If unconfigured, the default
-  // maximum number of request headers allowed is 100. Requests that exceed this limit will receive
-  // a 431 response for HTTP/1.x and cause a stream reset for HTTP/2.
+  // The maximum number of headers (request headers if configured on HttpConnectionManager,
+  // response headers when configured on a cluster).
+  // If unconfigured, the default maximum number of headers allowed is 100.
+  // Downstream requests that exceed this limit will receive a 431 response for HTTP/1.x and cause a stream
+  // reset for HTTP/2.
+  // Upstream responses that exceed this limit will result in a 503 response.
   google.protobuf.UInt32Value max_headers_count = 2 [(validate.rules).uint32 = {gte: 1}];
 
+  // The maximum size of response headers.
+  // If unconfigured, the default is 60 KiB, except for HTTP/1 response headers which have a default
+  // of 80KiB.
+  // Responses that exceed this limit will result in a 503 response.
+  // In Envoy, this setting is only valid when configured on an upstream cluster, not on the
+  // :ref:`HTTP Connection Manager
+  // <envoy_v3_api_field_extensions.filters.network.http_connection_manager.v3.HttpConnectionManager.common_http_protocol_options>`.
+  //
+  // Note: currently some protocol codecs impose limits on the maximum size of a single header:
+  //   HTTP/2 (when using nghttp2) limits a single header to around 100kb.
+  //   HTTP/3 limits a single header to around 1024kb.
+  google.protobuf.UInt32Value max_response_headers_kb = 7
+      [(validate.rules).uint32 = {lte: 8192 gt: 0}];
+
   // Total duration to keep alive an HTTP request/response stream. If the time limit is reached the stream will be
   // reset independent of any other timeouts. If not specified, this value is not set.
   google.protobuf.Duration max_stream_duration = 4;

api/envoy/extensions/filters/http/ext_proc/v3/ext_proc.proto

@@ -271,18 +271,20 @@ message ExternalProcessor {
   // The default value is 5000 milliseconds (5 seconds) if not specified.
   google.protobuf.Duration deferred_close_timeout = 19;
 
-  // [#not-implemented-hide:]
   // Send body to the side stream server once it arrives without waiting for the header response from that server.
   // It only works for STREAMED body processing mode. For any other body processing modes, it is ignored.
-  //
   // The server has two options upon receiving a header request:
-  // 1. Instant Response: Send the header response as soon as the header request is received.
-  // 2. Delayed Response: Wait for the body before sending any response.
-  //   If the server chooses the second option, it has two further choices:
-  //   2.1 Separate Responses: Send the header response first, followed by separate body responses.
-  //   2.2 Combined Response: Include both the header response and the first chunk of the body response
-  //       in a single body response message, followed by the remaining body responses.
+  //
+  // 1. Instant Response: send the header response as soon as the header request is received.
+  //
+  // 2. Delayed Response: wait for the body before sending any response.
+  //
   // In all scenarios, the header-body ordering must always be maintained.
+  //
+  // If enabled Envoy will ignore the
+  // :ref:`mode_override <envoy_v3_api_field_service.ext_proc.v3.ProcessingResponse.mode_override>`
+  // value that the server sends in the header response. This is because Envoy may have already
+  // sent the body to the server, prior to processing the header response.
   bool send_body_without_waiting_for_header_response = 21;
 
   // When :ref:`allow_mode_override

api/envoy/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto

@@ -494,6 +494,10 @@ message HttpConnectionManager {
   // The maximum request headers size for incoming connections.
   // If unconfigured, the default max request headers allowed is 60 KiB.
   // Requests that exceed this limit will receive a 431 response.
+  //
+  // Note: currently some protocol codecs impose limits on the maximum size of a single header:
+  //   HTTP/2 (when using nghttp2) limits a single header to around 100kb.
+  //   HTTP/3 limits a single header to around 1024kb.
   google.protobuf.UInt32Value max_request_headers_kb = 29
       [(validate.rules).uint32 = {lte: 8192 gt: 0}];
 

api/envoy/service/ext_proc/v3/external_processor.proto

@@ -180,7 +180,10 @@ message ProcessingResponse {
   // It is also ignored by Envoy when the ext_proc filter config
   // :ref:`allow_mode_override
   // <envoy_v3_api_field_extensions.filters.http.ext_proc.v3.ExternalProcessor.allow_mode_override>`
-  // is set to false.
+  // is set to false, or
+  // :ref:`send_body_without_waiting_for_header_response
+  // <envoy_v3_api_field_extensions.filters.http.ext_proc.v3.ExternalProcessor.send_body_without_waiting_for_header_response>`
+  // is set to true.
   envoy.extensions.filters.http.ext_proc.v3.ProcessingMode mode_override = 9;
 
   // When ext_proc server receives a request message, in case it needs more
@@ -285,9 +288,6 @@ message CommonResponse {
   // Instructions on how to manipulate the headers. When responding to an
   // HttpBody request, header mutations will only take effect if
   // the current processing mode for the body is BUFFERED.
-  // [#comment:TODO(yanjunxiang-google) rephrase last sentence once send_body_without_waiting_for_header_response is not hidden:
-  // the current processing mode for the body is: 1) BUFFERED; 2) or STREAMED and
-  // the :ref:`send_body_without_waiting_for_header_response <envoy_v3_api_field_extensions.filters.http.ext_proc.v3.ExternalProcessor.send_body_without_waiting_for_header_response>` is enabled.]
   HeaderMutation header_mutation = 2;
 
   // Replace the body of the last message sent to the remote server on this

bazel/BUILD

@@ -517,6 +517,11 @@ config_setting(
     values = {"define": "perf_annotation=enabled"},
 )
 
+config_setting(
+    name = "enable_execution_context",
+    values = {"define": "execution_context=enabled"},
+)
+
 config_setting(
     name = "enable_perf_tracing",
     values = {"define": "perf_tracing=enabled"},

bazel/envoy_internal.bzl

@@ -125,6 +125,7 @@ def envoy_copts(repository, test = False):
            envoy_select_static_extension_registration(["-DENVOY_STATIC_EXTENSION_REGISTRATION"], repository) + \
            envoy_select_disable_logging(["-DENVOY_DISABLE_LOGGING"], repository) + \
            _envoy_select_perf_annotation(["-DENVOY_PERF_ANNOTATION"]) + \
+           _envoy_select_execution_context() + \
            _envoy_select_perfetto(["-DENVOY_PERFETTO"]) + \
            envoy_select_google_grpc(["-DENVOY_GOOGLE_GRPC"], repository) + \
            envoy_select_signal_trace(["-DENVOY_HANDLE_SIGNALS"], repository) + \
@@ -190,6 +191,12 @@ def _envoy_select_perf_annotation(xs):
         "//conditions:default": [],
     })
 
+def _envoy_select_execution_context():
+    return select({
+        "@envoy//bazel:enable_execution_context": ["-DENVOY_ENABLE_EXECUTION_CONTEXT"],
+        "//conditions:default": [],
+    })
+
 def _envoy_select_perfetto(xs):
     return select({
         "@envoy//bazel:enable_perf_tracing": xs,

changelogs/current.yaml

@@ -54,6 +54,10 @@ behavior_changes:
     <envoy_v3_api_field_extensions.filters.network.http_connection_manager.v3.HttpConnectionManager.access_log>`.
     This change can be disabled by setting the runtime guard flag
     ``envoy.reloadable_features.filter_access_loggers_first`` to ``false``.
+- area: monitoring
+  change: |
+    Removed runtime feature flag ``envoy.restart_features.enable_execution_context``. The execution context feature
+    now could be enabled only by setting compile option ``--define=execution_context=enabled``.
 
 minor_behavior_changes:
 # *Changes that may cause incompatibilities for some users, but should not for most*
@@ -77,6 +81,10 @@ minor_behavior_changes:
   change: |
     When Lua script executes httpCall, backpressure is exercised when receiving body from downstream client. This behavior can be reverted
     by setting the runtime guard ``envoy.reloadable_features.lua_flow_control_while_http_call`` to false.
+- area: ext_proc
+  change: |
+    Added support for :ref:`send_body_without_waiting_for_header_response
+    <envoy_v3_api_field_extensions.filters.http.ext_proc.v3.ExternalProcessor.send_body_without_waiting_for_header_response>`.
 - area: http
   change: |
     Modified the authority header value validator to allow the same characters as oghttp2
@@ -292,6 +300,10 @@ new_features:
   change: |
     Added full feature absl::FormatTime() support to the DateFormatter. This allows the timepoint formatters (like
     ``%START_TIME%``) to use ``%E#S``, ``%E*S``, ``%E#f`` and ``%E*f`` to format the subsecond part of the timepoint.
+- area: http
+  change: |
+    Added configuration setting for the :ref:`maximum size of response headers
+    <envoy_v3_api_field_config.core.v3.HttpProtocolOptions.max_response_headers_kb>` in responses.
 - area: http_11_proxy
   change: |
     Added the option to configure the transport socket via locality or endpoint metadata.

docs/root/intro/arch_overview/advanced/attributes.rst

@@ -93,6 +93,7 @@ Response attributes are only available after the request completes.
    response.trailers, "map<string, string>", All response trailers indexed by the lower-cased trailer name
    response.size, int, Size of the response body
    response.total_size, int, Total size of the response including the approximate uncompressed size of the headers and the trailers
+   response.backend_latency, duration, Duration between the first byte sent to and the last byte received from the upstream backend
 
 Connection attributes
 ---------------------

envoy/common/BUILD

@@ -124,15 +124,19 @@ envoy_cc_library(
 envoy_cc_library(
     name = "execution_context",
     hdrs = ["execution_context.h"],
-    deps = [":pure_lib"],
+    deps = [
+        ":pure_lib",
+        ":scope_tracker_interface",
+    ],
 )
 
 envoy_cc_library(
     name = "scope_tracker_interface",
     hdrs = ["scope_tracker.h"],
     deps = [
-        ":execution_context",
+        ":optref_lib",
         ":pure_lib",
+        "//envoy/stream_info:stream_info_interface",
     ],
 )
 

envoy/common/execution_context.h

@@ -3,22 +3,25 @@
 #include <cstddef>
 
 #include "envoy/common/pure.h"
+#include "envoy/common/scope_tracker.h"
+#include "envoy/stream_info/stream_info.h"
 
 #include "source/common/common/non_copyable.h"
 
 namespace Envoy {
 
+#ifdef ENVOY_ENABLE_EXECUTION_CONTEXT
+
+static constexpr absl::string_view kConnectionExecutionContextFilterStateName =
+    "envoy.network.connection_execution_context";
+
 class ScopedExecutionContext;
 
 // ExecutionContext can be inherited by subclasses to represent arbitrary information associated
 // with the execution of a piece of code. activate/deactivate are called when the said execution
 // starts/ends. For an example usage, please see
 // https://github.com/envoyproxy/envoy/issues/32012.
-class ExecutionContext : NonCopyable {
-public:
-  ExecutionContext() = default;
-  virtual ~ExecutionContext() = default;
-
+class ExecutionContext : public StreamInfo::FilterState::Object, NonCopyable {
 protected:
   // Called when the current thread starts to run code on behalf of the owner of this object.
   // protected because it should only be called by ScopedExecutionContext.
@@ -43,7 +46,8 @@ class ExecutionContext : NonCopyable {
 class ScopedExecutionContext : NonCopyable {
 public:
   ScopedExecutionContext() : ScopedExecutionContext(nullptr) {}
-  ScopedExecutionContext(ExecutionContext* context) : context_(context) {
+  ScopedExecutionContext(const ScopeTrackedObject* object)
+      : context_(object != nullptr ? getExecutionContext(object->trackedStream()) : nullptr) {
     if (context_ != nullptr) {
       context_->activate();
     }
@@ -62,7 +66,18 @@ class ScopedExecutionContext : NonCopyable {
   bool isNull() const { return context_ == nullptr; }
 
 private:
+  ExecutionContext* getExecutionContext(OptRef<const StreamInfo::StreamInfo> info) {
+    if (!info.has_value()) {
+      return nullptr;
+    }
+    const auto* const_context = info->filterState().getDataReadOnly<ExecutionContext>(
+        kConnectionExecutionContextFilterStateName);
+    return const_cast<ExecutionContext*>(const_context);
+  }
+
   ExecutionContext* context_;
 };
 
+#endif
+
 } // namespace Envoy

envoy/common/scope_tracker.h

@@ -2,16 +2,17 @@
 
 #include <ostream>
 
-#include "envoy/common/execution_context.h"
+#include "envoy/common/optref.h"
 #include "envoy/common/pure.h"
+#include "envoy/stream_info/stream_info.h"
 
 namespace Envoy {
 
 /*
  * An interface for tracking the scope of work. Implementors of this interface
  * can be registered to the dispatcher when they're active on the stack. If a
- * fatal error occurs while they were active, the dumpState method will be
- * called.
+ * fatal error occurs while they were active, the dumpState() method will be
+ * called to output the active state.
  *
  * Currently this is only used for the L4 network connection and L7 stream.
  */
@@ -20,9 +21,11 @@ class ScopeTrackedObject {
   virtual ~ScopeTrackedObject() = default;
 
   /**
-   * If the tracked object has a ExecutionContext, returns it. Returns nullptr otherwise.
+   * Return the tracked stream info that related to the scope tracked object (L4
+   * network connection or L7 stream).
+   * @return optional reference to stream info of stream (L4 connection or L7 stream).
    */
-  virtual ExecutionContext* executionContext() const { return nullptr; }
+  virtual OptRef<const StreamInfo::StreamInfo> trackedStream() const { return {}; }
 
   /**
    * Dump debug state of the object in question to the provided ostream.

envoy/network/BUILD

@@ -25,6 +25,7 @@ envoy_cc_library(
         ":filter_interface",
         ":listen_socket_interface",
         "//envoy/buffer:buffer_interface",
+        "//envoy/common:scope_tracker_interface",
         "//envoy/event:deferred_deletable",
         "//envoy/ssl:connection_interface",
         "//envoy/stream_info:stream_info_interface",
@@ -174,7 +175,6 @@ envoy_cc_library(
     deps = [
         ":io_handle_interface",
         ":socket_interface",
-        "//envoy/common:scope_tracker_interface",
         "@envoy_api//envoy/config/core/v3:pkg_cc_proto",
     ],
 )

envoy/network/listen_socket.h

@@ -7,7 +7,6 @@
 
 #include "envoy/common/exception.h"
 #include "envoy/common/pure.h"
-#include "envoy/common/scope_tracker.h"
 #include "envoy/config/core/v3/base.pb.h"
 #include "envoy/network/address.h"
 #include "envoy/network/io_handle.h"
@@ -26,7 +25,7 @@ namespace Network {
  * TODO(jrajahalme): Hide internals (e.g., fd) from listener filters by providing callbacks filters
  * may need (set/getsockopt(), peek(), recv(), etc.)
  */
-class ConnectionSocket : public virtual Socket, public virtual ScopeTrackedObject {
+class ConnectionSocket : public virtual Socket {
 public:
   /**
    * Set detected transport protocol (e.g. RAW_BUFFER, TLS).
@@ -83,6 +82,16 @@ class ConnectionSocket : public virtual Socket, public virtual ScopeTrackedObjec
    * return value is cwnd(in packets) times the connection's MSS.
    */
   virtual absl::optional<uint64_t> congestionWindowInBytes() const PURE;
+
+  /**
+   * Dump debug state of the object in question to the provided ostream.
+   *
+   * This is called on Envoy fatal errors, so should do minimal memory allocation.
+   *
+   * @param os the ostream to output to.
+   * @param indent_level how far to indent, for pretty-printed classes and subclasses.
+   */
+  virtual void dumpState(std::ostream& os, int indent_level = 0) const PURE;
 };
 
 using ConnectionSocketPtr = std::unique_ptr<ConnectionSocket>;

envoy/upstream/upstream.h

@@ -1068,6 +1068,11 @@ class ClusterInfo : public Http::FilterChainFactory {
    */
   virtual uint32_t maxResponseHeadersCount() const PURE;
 
+  /**
+   * @return uint32_t the maximum total size of response headers in KB.
+   */
+  virtual absl::optional<uint16_t> maxResponseHeadersKb() const PURE;
+
   /**
    * @return the human readable name of the cluster.
    */

source/common/common/scope_tracker.h

@@ -18,9 +18,7 @@ namespace Envoy {
 class ScopeTrackerScopeState {
 public:
   ScopeTrackerScopeState(const ScopeTrackedObject* object, Event::ScopeTracker& tracker)
-      : registered_object_(object),
-        scoped_execution_context_(executionContextEnabled() ? object->executionContext() : nullptr),
-        tracker_(tracker) {
+      : registered_object_(object), tracker_(tracker) {
     tracker_.pushTrackedObject(registered_object_);
   }
 
@@ -36,14 +34,13 @@ class ScopeTrackerScopeState {
 
 private:
   friend class ScopeTrackerScopeStateTest;
-  static bool& executionContextEnabled() {
-    static bool enabled =
-        Runtime::runtimeFeatureEnabled("envoy.restart_features.enable_execution_context");
-    return enabled;
-  }
+
   const ScopeTrackedObject* registered_object_;
-  ScopedExecutionContext scoped_execution_context_;
   Event::ScopeTracker& tracker_;
+
+#ifdef ENVOY_ENABLE_EXECUTION_CONTEXT
+  ScopedExecutionContext scoped_execution_context_{registered_object_};
+#endif
 };
 
 } // namespace Envoy