Merge branch 'main' into fluentd-tracer

Signed-off-by: Kevin Tan <kevintan250@gmail.com>

.github/workflows/_run.yml

@@ -401,6 +401,7 @@ jobs:
           ${{ inputs.bazel-extra }}
           ${{ inputs.rbe == true && format('--jobs={0}', inputs.bazel-rbe-jobs) || '' }}
           ${{ github.event_name == 'schedule' && '--nocache_test_results' || '' }}
+          ${{ inputs.rbe == true && inputs.trusted && '--remote_execution_priority=1' || '' }}
         CI_BRANCH: >-
           ${{ inputs.trusted
               && format('refs/heads/{0}', fromJSON(inputs.request).request.target-branch)

CODEOWNERS

@@ -31,6 +31,7 @@ extensions/filters/common/original_src @klarose @mattklein123
 # external processing filter
 /*/extensions/filters/http/ext_proc @gbrail @stevenzzzz @tyxia @mattklein123 @yanavlasov @yanjunxiang-google
 /*/extensions/filters/common/mutation_rules @gbrail @tyxia @mattklein123 @yanavlasov
+/*/extensions/http/ext_proc/response_processors/save_processing_response @pradeepcrao @botengyao @yanjunxiang-google
 # jwt_authn http filter extension
 /*/extensions/filters/http/jwt_authn @taoxuy @lizan @tyxia @yanavlasov
 # grpc_field_extraction http filter extension

README.md

@@ -94,6 +94,10 @@ positively or negatively.
 
 For further details please see our complete [security release process](SECURITY.md).
 
+### ppc64le builds
+
+Builds for the ppc64le architecture or using aws-lc are not covered by the envoy security policy. The ppc64le architecture is currently best-effort and not maintained by the Envoy maintainers.
+
 ## Releases
 
 For further details please see our [release process](https://github.com/envoyproxy/envoy/blob/main/RELEASES.md).

api/BUILD

@@ -273,6 +273,7 @@ proto_library(
         "//envoy/extensions/http/custom_response/local_response_policy/v3:pkg",
         "//envoy/extensions/http/custom_response/redirect_policy/v3:pkg",
         "//envoy/extensions/http/early_header_mutation/header_mutation/v3:pkg",
+        "//envoy/extensions/http/ext_proc/response_processors/save_processing_response/v3:pkg",
         "//envoy/extensions/http/header_formatters/preserve_case/v3:pkg",
         "//envoy/extensions/http/header_validators/envoy_default/v3:pkg",
         "//envoy/extensions/http/injected_credentials/generic/v3:pkg",

api/bazel/repositories.bzl

@@ -27,15 +27,16 @@ def api_dependencies():
     external_http_archive(
         name = "com_google_googleapis",
     )
-
     external_http_archive(
         name = "com_github_cncf_xds",
     )
-
     external_http_archive(
         name = "prometheus_metrics_model",
         build_file_content = PROMETHEUSMETRICS_BUILD_CONTENT,
     )
+    external_http_archive(
+        name = "rules_buf",
+    )
     external_http_archive(
         name = "rules_proto",
     )
@@ -47,14 +48,9 @@ def api_dependencies():
         name = "opentelemetry_proto",
         build_file_content = OPENTELEMETRY_BUILD_CONTENT,
     )
-    external_http_archive(
-        name = "com_github_bufbuild_buf",
-        build_file_content = BUF_BUILD_CONTENT,
-    )
     external_http_archive(
         name = "dev_cel",
     )
-
     external_http_archive(
         name = "com_github_chrusty_protoc_gen_jsonschema",
     )
@@ -387,17 +383,3 @@ go_grpc_library(
     ],
 )
 """
-
-BUF_BUILD_CONTENT = """
-package(
-    default_visibility = ["//visibility:public"],
-)
-
-filegroup(
-    name = "buf",
-    srcs = [
-        "@com_github_bufbuild_buf//:bin/buf",
-    ],
-    tags = ["manual"], # buf is downloaded as a linux binary; tagged manual to prevent build for non-linux users
-)
-"""

api/bazel/repository_locations.bzl

@@ -101,6 +101,19 @@ REPOSITORY_LOCATIONS_SPEC = dict(
         license = "Apache-2.0",
         license_url = "https://github.com/prometheus/client_model/blob/v{version}/LICENSE",
     ),
+    rules_buf = dict(
+        project_name = "Bazel rules for Buf",
+        project_desc = "Bazel rules for Buf",
+        project_url = "https://github.com/bufbuild/rules_buf",
+        version = "0.3.0",
+        sha256 = "89c6d6e6523802ee7f1210340a69fab4ee0b47554953a1ecbe359319fd3f93dc",
+        release_date = "2024-05-22",
+        strip_prefix = "rules_buf-{version}",
+        urls = ["https://github.com/bufbuild/rules_buf/archive/refs/tags/v{version}.tar.gz"],
+        use_category = ["api"],
+        license = "Apache-2.0",
+        license_url = "https://github.com/bufbuild/rules_buf/blob/{version}/LICENSE",
+    ),
     rules_proto = dict(
         project_name = "Protobuf Rules for Bazel",
         project_desc = "Protocol buffer rules for Bazel",
@@ -127,19 +140,6 @@ REPOSITORY_LOCATIONS_SPEC = dict(
         license = "Apache-2.0",
         license_url = "https://github.com/open-telemetry/opentelemetry-proto/blob/v{version}/LICENSE",
     ),
-    com_github_bufbuild_buf = dict(
-        project_name = "buf",
-        project_desc = "A new way of working with Protocol Buffers.",  # Used for breaking change detection in API protobufs
-        project_url = "https://buf.build",
-        version = "1.50.0",
-        sha256 = "80c1211dfc4844499c6ddad341bb21206579883fd33cea0a2c40c82befd70602",
-        strip_prefix = "buf",
-        urls = ["https://github.com/bufbuild/buf/releases/download/v{version}/buf-Linux-x86_64.tar.gz"],
-        release_date = "2025-01-17",
-        use_category = ["api"],
-        license = "Apache-2.0",
-        license_url = "https://github.com/bufbuild/buf/blob/v{version}/LICENSE",
-    ),
     com_github_chrusty_protoc_gen_jsonschema = dict(
         project_name = "protoc-gen-jsonschema",
         project_desc = "Protobuf to JSON-Schema compiler",

api/envoy/config/core/v3/substitution_format_string.proto

@@ -22,7 +22,12 @@ option (udpa.annotations.file_status).package_version_status = ACTIVE;
 // Optional configuration options to be used with json_format.
 message JsonFormatOptions {
   // The output JSON string properties will be sorted.
-  bool sort_properties = 1;
+  //
+  // .. note::
+  //   As the properties are always sorted, this option has no effect and is deprecated.
+  //
+  bool sort_properties = 1
+      [deprecated = true, (envoy.annotations.deprecated_at_minor_version) = "3.0"];
 }
 
 // Configuration to use multiple :ref:`command operators <config_access_log_command_operators>`
@@ -101,6 +106,12 @@ message SubstitutionFormatString {
   // * for ``text_format``, the output of the empty operator is changed from ``-`` to an
   //   empty string, so that empty values are omitted entirely.
   // * for ``json_format`` the keys with null values are omitted in the output structure.
+  //
+  // .. note::
+  //   This option does not work perfectly with ``json_format`` as keys with ``null`` values
+  //   will still be included in the output. See https://github.com/envoyproxy/envoy/issues/37941
+  //   for more details.
+  //
   bool omit_empty_values = 3;
 
   // Specify a ``content_type`` field.

api/envoy/extensions/filters/http/ext_proc/v3/ext_proc.proto

@@ -4,6 +4,7 @@ package envoy.extensions.filters.http.ext_proc.v3;
 
 import "envoy/config/common/mutation_rules/v3/mutation_rules.proto";
 import "envoy/config/core/v3/base.proto";
+import "envoy/config/core/v3/extension.proto";
 import "envoy/config/core/v3/grpc_service.proto";
 import "envoy/config/core/v3/http_service.proto";
 import "envoy/extensions/filters/http/ext_proc/v3/processing_mode.proto";
@@ -96,7 +97,7 @@ option (udpa.annotations.file_status).package_version_status = ACTIVE;
 // <arch_overview_advanced_filter_state_sharing>` object in a namespace matching the filter
 // name.
 //
-// [#next-free-field: 23]
+// [#next-free-field: 24]
 message ExternalProcessor {
   // Describes the route cache action to be taken when an external processor response
   // is received in response to request headers.
@@ -328,6 +329,11 @@ message ExternalProcessor {
   // the ``allowed_override_modes`` allow-list below.
   // Since request_header_mode is not applicable in any way, it's ignored in comparison.
   repeated ProcessingMode allowed_override_modes = 22;
+
+  // Decorator to introduce custom logic that runs after a message received from
+  // the External Processor is processed.
+  // [#extension-category: envoy.http.ext_proc.response_processors]
+  config.core.v3.TypedExtensionConfig on_processing_response = 23;
 }
 
 // ExtProcHttpService is used for HTTP communication between the filter and the external processing service.

api/envoy/extensions/http/ext_proc/response_processors/save_processing_response/v3/BUILD

@@ -0,0 +1,12 @@
+# DO NOT EDIT. This file is generated by tools/proto_format/proto_sync.py.
+
+load("@envoy_api//bazel:api_build_system.bzl", "api_proto_package")
+
+licenses(["notice"])  # Apache 2
+
+api_proto_package(
+    deps = [
+        "@com_github_cncf_xds//udpa/annotations:pkg",
+        "@com_github_cncf_xds//xds/annotations/v3:pkg",
+    ],
+)

api/envoy/extensions/http/ext_proc/response_processors/save_processing_response/v3/save_processing_response.proto

@@ -0,0 +1,63 @@
+syntax = "proto3";
+
+package envoy.extensions.http.ext_proc.response_processors.save_processing_response.v3;
+
+import "xds/annotations/v3/status.proto";
+
+import "udpa/annotations/status.proto";
+
+option java_package = "io.envoyproxy.envoy.extensions.http.ext_proc.response_processors.save_processing_response.v3";
+option java_outer_classname = "SaveProcessingResponseProto";
+option java_multiple_files = true;
+option go_package = "github.com/envoyproxy/go-control-plane/envoy/extensions/http/ext_proc/response_processors/save_processing_response/v3;save_processing_responsev3";
+option (udpa.annotations.file_status).package_version_status = ACTIVE;
+option (xds.annotations.v3.file_status).work_in_progress = true;
+
+// [#protodoc-title: Save Processing Response from external processor.]
+// [#extension: envoy.http.ext_proc.response_processors.save_processing_response]
+
+// Extension to save the :ref:`response
+// <envoy_v3_api_msg_service.ext_proc.v3.ProcessingResponse>` from the external processor as
+// filter state with name
+// "envoy.http.ext_proc.response_processors.save_processing_response[.:ref:`filter_state_name_suffix
+// <envoy_v3_api_field_extensions.http.ext_proc.response_processors.save_processing_response.v3.SaveProcessingResponse.filter_state_name>`].
+// This extension supports saving of request and response headers and trailers,
+// and immediate response.
+// [#next-free-field: 7]
+message SaveProcessingResponse {
+  message SaveOptions {
+    // Whether or not to save the response for the response type.
+    bool save_response = 1;
+
+    // When true, saves the response if there was an error when processing
+    // the response from the external processor.
+    bool save_on_error = 2;
+  }
+
+  // The default filter state name is
+  // "envoy.http.ext_proc.response_processors.save_processing_response".
+  // If defined, ``filter_state_name_suffix`` is appended to this.
+  // For example, setting ``filter_state_name_suffix`` to "xyz" will set the
+  // filter state name to "envoy.http.ext_proc.response_processors.save_processing_response.xyz"
+  string filter_state_name_suffix = 1;
+
+  // Save the response to filter state when :ref:`request_headers
+  // <envoy_v3_api_field_service.ext_proc.v3.ProcessingResponse.request_headers>` is set.
+  SaveOptions save_request_headers = 2;
+
+  // Save the response to filter state when :ref:`response_headers
+  // <envoy_v3_api_field_service.ext_proc.v3.ProcessingResponse.response_headers>` is set.
+  SaveOptions save_response_headers = 3;
+
+  // Save the response to filter state when :ref:`request_trailers
+  // <envoy_v3_api_field_service.ext_proc.v3.ProcessingResponse.request_trailers>` is set.
+  SaveOptions save_request_trailers = 4;
+
+  // Save the response to filter state when :ref:`response_trailers
+  // <envoy_v3_api_field_service.ext_proc.v3.ProcessingResponse.response_trailers>` is set.
+  SaveOptions save_response_trailers = 5;
+
+  // Save the response to filter state when :ref:`immediate_response
+  // <envoy_v3_api_field_service.ext_proc.v3.ProcessingResponse.immediate_response>` is set.
+  SaveOptions save_immediate_response = 6;
+}

api/versioning/BUILD

@@ -211,6 +211,7 @@ proto_library(
         "//envoy/extensions/http/custom_response/local_response_policy/v3:pkg",
         "//envoy/extensions/http/custom_response/redirect_policy/v3:pkg",
         "//envoy/extensions/http/early_header_mutation/header_mutation/v3:pkg",
+        "//envoy/extensions/http/ext_proc/response_processors/save_processing_response/v3:pkg",
         "//envoy/extensions/http/header_formatters/preserve_case/v3:pkg",
         "//envoy/extensions/http/header_validators/envoy_default/v3:pkg",
         "//envoy/extensions/http/injected_credentials/generic/v3:pkg",

bazel/BUILD

@@ -310,6 +310,22 @@ selects.config_setting_group(
     ],
 )
 
+selects.config_setting_group(
+    name = "disable_http3_on_linux_ppc64le",
+    match_all = [
+        ":disable_http3",
+        ":linux_ppc64le",
+    ],
+)
+
+selects.config_setting_group(
+    name = "disable_http3_on_not_x86_ppc",
+    match_all = [
+        ":disable_http3",
+        ":not_x86_ppc",
+    ],
+)
+
 selects.config_setting_group(
     name = "disable_http3_on_windows_x86_64",
     match_all = [
@@ -352,6 +368,14 @@ selects.config_setting_group(
     ],
 )
 
+selects.config_setting_group(
+    name = "enable_http3_on_linux_ppc64le",
+    match_all = [
+        ":enable_http3",
+        ":linux_ppc64le",
+    ],
+)
+
 selects.config_setting_group(
     name = "enable_http3_on_windows_x86_64",
     match_all = [
@@ -503,6 +527,14 @@ selects.config_setting_group(
     ],
 )
 
+selects.config_setting_group(
+    name = "boringssl_fips_ppc",
+    match_all = [
+        ":boringssl_fips",
+        ":linux_ppc64le",
+    ],
+)
+
 config_setting(
     name = "zlib_ng",
     constraint_values = [
@@ -544,18 +576,21 @@ config_setting(
 # Alias pointing to the selected version of BoringSSL:
 # - BoringSSL FIPS from @boringssl_fips//:ssl,
 # - non-FIPS BoringSSL from @boringssl//:ssl.
+# - aws-lc from @aws_lc//:ssl
 alias(
     name = "boringssl",
     actual = select({
-        "//bazel:boringssl_fips": "@boringssl_fips//:ssl",
+        "//bazel:boringssl_fips_ppc": "@aws_lc//:ssl",
+        "//bazel:boringssl_fips_x86": "@boringssl_fips//:ssl",
         "//conditions:default": "@boringssl//:ssl",
     }),
 )
 
 alias(
     name = "boringcrypto",
     actual = select({
-        "//bazel:boringssl_fips": "@boringssl_fips//:crypto",
+        "//bazel:boringssl_fips_ppc": "@aws_lc//:crypto",
+        "//bazel:boringssl_fips_x86": "@boringssl_fips//:crypto",
         "//conditions:default": "@boringssl//:crypto",
     }),
 )
@@ -584,6 +619,14 @@ config_setting(
     ],
 )
 
+config_setting(
+    name = "linux_ppc64le",
+    constraint_values = [
+        "@platforms//cpu:ppc64le",
+        "@platforms//os:linux",
+    ],
+)
+
 config_setting(
     name = "linux_s390x",
     constraint_values = [
@@ -793,6 +836,22 @@ selects.config_setting_group(
     ],
 )
 
+selects.config_setting_group(
+    name = "not_x86_ppc",
+    match_any = [
+        ":darwin_arm64",
+        ":ios_arm64",
+        ":ios_arm64e",
+        ":ios_armv7",
+        ":ios_armv7s",
+        ":ios_i386",
+        ":ios_sim_arm64",
+        ":linux_aarch64",
+        ":linux_mips64",
+        ":linux_s390x",
+    ],
+)
+
 selects.config_setting_group(
     name = "not_x86",
     match_any = [
@@ -806,6 +865,7 @@ selects.config_setting_group(
         ":linux_aarch64",
         ":linux_mips64",
         ":linux_ppc",
+        ":linux_ppc64le",
         ":linux_s390x",
     ],
 )