auto-merge envoyproxy/envoy[release/v1.31] into envoyproxy/envoy-open…

…ssl[release/v1.31]

* upstream/release/v1.31:
  repo: Dev v1.31.6
  repo: Release v1.31.5
  [balsa] fix for 1xx response mixup
  happy_eyeballs: Validate that additional_address are IP addresses instead of crashing when sorting.
  http/1: fix sending overload crash when request is reset
  github/ci: Set default runner in config (#37738)
  repo: Dev v1.31.5
  repo: Release v1.31.4
  build(deps): bump distroless/base-nossl-debian12 from `174f326` to `2a803cc` in /ci (#37410)
  ci: Boost cpu for flakey on_demand integration test (#37294)
  ci: Boost cpu for flakey grpc integration test (#37223)
  ci: Boost mem for integration test (#37009)
  ci/rbe: Boost cpus for more flakey tests (#36942)
  ci/rbe: Boost cpus for some more integration tests (#36930)
  ci/rbe: Boost cpu for another integration test (#36885)
  ci/rbe: Boost cpus for more integration tests (#36837)
  ci/rbe: Boost cpu/mem for more integration tests (#36825)
  ci/rbe: Boost cpus for a couple more integration tests (#36807)
  ci/tests: Boost more worker cores for flakey integration tests (#36793)
  Patch c-ares CVE-2024-25629 (#37269)
  changelog: Add entry for `schema_validation_tool` fix (#37335)
  ci/bazel: Fix repo config (#37349)
  github/ci: Only trigger pr-notifier ci on `main` PRs (#37336)
  validator: add in removed extension (#37261)
  limit calculated sampling exponent (#37240)
  build(deps): bump distroless/base-nossl-debian12 from `aa91f01` to `174f326` in /ci (#37119)
  deps/api: Bump `envoy_toolshed` -> 0.1.16 (#37219)
  deps: Bump python -> 3.12.3 (#35334)
  headers/geoip: Fix macro (#36964)
  bazel: Make `ci` config common (#37027)
  bazel/distribution: Cleanups to fix aquery (#36977)
  ci: Add bazel client caching (#37096)
  Add release note for "Relax recent SNI restrictions" (#37000)
  Relax recent SNI restrictions (#36950)
  ci/rbe: Boost cpu for another flakey integration test
  repo: Dev v1.31.4
  repo: Release v1.31.3
  ci: Fix coverage/docs upload redirect path (#36423)
  build(deps): bump distroless/base-nossl-debian12 from `e130c09` to `aa91f01` in /ci (#36847)
  bazel/ci: Add repo customizations (#36831)
  ci/codeql: Only run on main branch (#36806)
  ci/rbe: Boost quic integration test (#36805)
  deps/release: Bump Ubuntu -> 0e5e4a5 (#36723)
  ci/tests: Revert some integration tests to `2core` (#36784)
  ci/rbe: Switch rbe pools `2core` -> `6gig` (#36761)
  ocsp/formatting: Fix format issue in generated cert (#36763)
  test/ocsp: Renew certificates (#36755)
  ci/rbe: Switch backend RBE cluster (#36730)

Signed-off-by: tedjpoole <[email protected]>

.bazelrc

@@ -403,9 +403,9 @@ build:remote-ci --config=ci
 build:remote-ci --remote_download_minimal
 
 # Note this config is used by mobile CI also.
-build:ci --noshow_progress
-build:ci --noshow_loading_progress
-build:ci --test_output=errors
+common:ci --noshow_progress
+common:ci --noshow_loading_progress
+common:ci --test_output=errors
 
 # Fuzz builds
 
@@ -522,26 +522,28 @@ build:rbe-engflow --bes_upload_mode=fully_async
 build:rbe-engflow --nolegacy_important_outputs
 
 # RBE (Engflow Envoy)
-build:common-envoy-engflow --google_default_credentials=false
-build:common-envoy-engflow --credential_helper=*.engflow.com=%workspace%/bazel/engflow-bazel-credential-helper.sh
-build:common-envoy-engflow --grpc_keepalive_time=30s
-
-build:cache-envoy-engflow --remote_cache=grpcs://morganite.cluster.engflow.com
-build:cache-envoy-engflow --remote_timeout=3600s
-build:bes-envoy-engflow --bes_backend=grpcs://morganite.cluster.engflow.com/
-build:bes-envoy-engflow --bes_results_url=https://morganite.cluster.engflow.com/invocation/
-build:bes-envoy-engflow --bes_timeout=3600s
-build:bes-envoy-engflow --bes_upload_mode=fully_async
-build:bes-envoy-engflow --nolegacy_important_outputs
-build:rbe-envoy-engflow --remote_executor=grpcs://morganite.cluster.engflow.com
-build:rbe-envoy-engflow --remote_default_exec_properties=container-image=docker://gcr.io/envoy-ci/envoy-build@sha256:7adc40c09508f957624c4d2e0f5aeecb73a59207ee6ded53b107eac828c091b2
-build:rbe-envoy-engflow --jobs=200
-build:rbe-envoy-engflow --define=engflow_rbe=true
-
-build:remote-envoy-engflow --config=common-envoy-engflow
-build:remote-envoy-engflow --config=cache-envoy-engflow
-build:remote-envoy-engflow --config=bes-envoy-engflow
-build:remote-envoy-engflow --config=rbe-envoy-engflow
+common:common-envoy-engflow --google_default_credentials=false
+common:common-envoy-engflow --credential_helper=*.engflow.com=%workspace%/bazel/engflow-bazel-credential-helper.sh
+common:common-envoy-engflow --grpc_keepalive_time=30s
+
+common:cache-envoy-engflow --remote_cache=grpcs://mordenite.cluster.engflow.com
+common:cache-envoy-engflow --remote_timeout=3600s
+common:bes-envoy-engflow --bes_backend=grpcs://mordenite.cluster.engflow.com/
+common:bes-envoy-engflow --bes_results_url=https://mordenite.cluster.engflow.com/invocation/
+common:bes-envoy-engflow --bes_timeout=3600s
+common:bes-envoy-engflow --bes_upload_mode=fully_async
+common:bes-envoy-engflow --nolegacy_important_outputs
+common:rbe-envoy-engflow --remote_executor=grpcs://mordenite.cluster.engflow.com
+common:rbe-envoy-engflow --remote_default_exec_properties=container-image=docker://gcr.io/envoy-ci/envoy-build@sha256:7adc40c09508f957624c4d2e0f5aeecb73a59207ee6ded53b107eac828c091b2
+common:rbe-envoy-engflow --jobs=200
+common:rbe-envoy-engflow --define=engflow_rbe=true
+
+common:remote-envoy-engflow --config=common-envoy-engflow
+common:remote-envoy-engflow --config=cache-envoy-engflow
+common:remote-envoy-engflow --config=rbe-envoy-engflow
+
+common:remote-cache-envoy-engflow --config=common-envoy-engflow
+common:remote-cache-envoy-engflow --config=cache-envoy-engflow
 
 #############################################################################
 # debug: Various Bazel debugging flags
@@ -565,6 +567,7 @@ common:debug --config=debug-sandbox
 common:debug --config=debug-coverage
 common:debug --config=debug-tests
 
+try-import %workspace%/repo.bazelrc
 try-import %workspace%/clang.bazelrc
 try-import %workspace%/user.bazelrc
 try-import %workspace%/local_tsan.bazelrc

.github/config.yml

@@ -1,4 +1,4 @@
-agent-ubuntu: ubuntu-22.04
+agent-ubuntu: ubuntu-24.04
 build-image:
   # Authoritative configuration for build image/s
   repo: envoyproxy/envoy-build-ubuntu

.github/workflows/_publish_build.yml

@@ -66,8 +66,7 @@ jobs:
           name: Release (arm64)
           arch: arm64
           bazel-extra: >-
-            --config=cache-envoy-engflow
-            --config=bes-envoy-engflow
+            --config=remote-cache-envoy-engflow
           rbe: false
           runs-on: envoy-arm64-medium
 
@@ -84,8 +83,7 @@ jobs:
     uses: ./.github/workflows/_run.yml
     with:
       bazel-extra: >-
-        --config=cache-envoy-engflow
-        --config=bes-envoy-engflow
+        --config=remote-cache-envoy-engflow
       downloads: |
         release.${{ matrix.arch }}: release/${{ matrix.arch }}/bin/
       target: ${{ matrix.target }}
@@ -159,6 +157,11 @@ jobs:
     uses: ./.github/workflows/_run.yml
     with:
       target: release.signed
+      bazel-extra: >-
+        --//distribution:x64-packages=//distribution:custom/x64/packages.x64.tar.gz
+        --//distribution:arm64-packages=//distribution:custom/arm64/packages.arm64.tar.gz
+        --//distribution:x64-release=//distribution:custom/x64/bin/release.tar.zst
+        --//distribution:arm64-release=//distribution:custom/arm64/bin/release.tar.zst
       cache-build-image: ${{ fromJSON(inputs.request).request.build-image.default }}
       downloads: |
         packages.arm64: envoy/arm64/

.github/workflows/_publish_verify.yml

@@ -130,6 +130,5 @@ jobs:
           target: verify_distro
           arch: arm64
           bazel-extra: >-
-            --config=cache-envoy-engflow
-            --config=bes-envoy-engflow
+            --config=remote-cache-envoy-engflow
           runs-on: envoy-arm64-small

.github/workflows/codeql-push.yml

@@ -8,9 +8,11 @@ on:
     paths:
     - include/**
     - source/common/**
-    branches-ignore:
-    - dependabot/**
+    branches:
+    - main
   pull_request:
+    branches:
+    - main
 
 concurrency:
   group: ${{ github.head_ref || github.run_id }}-${{ github.workflow }}

.github/workflows/envoy-macos.yml

@@ -64,9 +64,7 @@ jobs:
             _BAZEL_BUILD_EXTRA_OPTIONS=(
               --remote_download_toplevel
               --flaky_test_attempts=2
-              --config=bes-envoy-engflow
-              --config=cache-envoy-engflow
-              --config=common-envoy-engflow
+              --config=remote-cache-envoy-engflow
               --config=ci)
             export BAZEL_BUILD_EXTRA_OPTIONS=${_BAZEL_BUILD_EXTRA_OPTIONS[*]}
 

.github/workflows/pr_notifier.yml

@@ -1,5 +1,7 @@
 on:
   pull_request:
+    branches:
+    - main
   workflow_dispatch:
   schedule:
   - cron: '0 5 * * 1,2,3,4,5'

.github/workflows/request.yml

@@ -22,18 +22,25 @@ concurrency:
 
 jobs:
   request:
-    # For branches this can be pinned to a specific version if required
-    # NB: `uses` cannot be dynamic so it _must_ be hardcoded anywhere it is read
-    uses: envoyproxy/envoy/.github/workflows/_request.yml@main
-    if: ${{ vars.ENVOY_CI || github.repository == 'envoyproxy/envoy' }}
     permissions:
       actions: read
       contents: read
-      # required for engflow/bazel caching (not yet used)
       packages: read
       # required to fetch merge commit
       pull-requests: read
     secrets:
       # these are required to start checks
       app-key: ${{ secrets.ENVOY_CI_APP_KEY }}
       app-id: ${{ secrets.ENVOY_CI_APP_ID }}
+      lock-app-key: ${{ secrets.ENVOY_CI_MUTEX_APP_KEY }}
+      lock-app-id: ${{ secrets.ENVOY_CI_MUTEX_APP_ID }}
+      gcs-cache-key: ${{ secrets.GCS_CACHE_WRITE_KEY }}
+    with:
+      gcs-cache-bucket: ${{ vars.ENVOY_CACHE_BUCKET }}
+    # For branches this can be pinned to a specific version if required
+    # NB: `uses` cannot be dynamic so it _must_ be hardcoded anywhere it is read
+    uses: envoyproxy/envoy/.github/workflows/_request.yml@main
+    if: >-
+      ${{ github.repository == 'envoyproxy/envoy'
+          || (vars.ENVOY_CI && github.event_name != 'schedule')
+          || (vars.ENVOY_SCHEDULED_CI && github.event_name == 'schedule') }}

VERSION.txt

@@ -1 +1 @@
-1.31.3-dev
+1.31.6-dev

api/bazel/repository_locations.bzl

@@ -190,12 +190,12 @@ REPOSITORY_LOCATIONS_SPEC = dict(
         project_name = "envoy_toolshed",
         project_desc = "Tooling, libraries, runners and checkers for Envoy proxy's CI",
         project_url = "https://github.com/envoyproxy/toolshed",
-        version = "0.1.3",
-        sha256 = "ee6d0b08ae3d9659f5fc34d752578af195147b153f8ca68eb4f8530aceb764d9",
+        version = "0.1.16",
+        sha256 = "06939757b00b318e89996ca3d4d2468ac2da1ff48a7b2cd9146b2054c3ff4769",
         strip_prefix = "toolshed-bazel-v{version}/bazel",
         urls = ["https://github.com/envoyproxy/toolshed/archive/bazel-v{version}.tar.gz"],
         use_category = ["build"],
-        release_date = "2024-04-16",
+        release_date = "2024-11-18",
         cpe = "N/A",
         license = "Apache-2.0",
         license_url = "https://github.com/envoyproxy/envoy/blob/bazel-v{version}/LICENSE",

bazel/foreign_cc/cares.patch

@@ -56,3 +56,22 @@ index ca597db7ad..2f8e4de30d 100644
      if (err < 0) {
        ares__close_socket(channel, s);
        return ARES_ECONNREFUSED;
+diff --git a/src/lib/ares__read_line.c b/src/lib/ares__read_line.c
+index 38beda6f..9fbdc5e6 100644
+--- a/src/lib/ares__read_line.c
++++ b/src/lib/ares__read_line.c
+@@ -60,6 +60,14 @@ int ares__read_line(FILE *fp, char **buf, size_t *bufsize)
+       if (!fgets(*buf + offset, bytestoread, fp))
+         return (offset != 0) ? 0 : (ferror(fp)) ? ARES_EFILE : ARES_EOF;
+       len = offset + strlen(*buf + offset);
++
++      /* Probably means there was an embedded NULL as the first character in
++       * the line, throw away line */
++      if (len == 0) {
++        offset = 0;
++        continue;
++      }
++
+       if ((*buf)[len - 1] == '\n')
+         {
+           (*buf)[len - 1] = 0;

bazel/python_dependencies.bzl

@@ -1,6 +1,6 @@
 load("@com_google_protobuf//bazel:system_python.bzl", "system_python")
 load("@envoy_toolshed//:packages.bzl", "load_packages")
-load("@python3_11//:defs.bzl", "interpreter")
+load("@python3_12//:defs.bzl", "interpreter")
 load("@rules_python//python:pip.bzl", "pip_parse")
 
 def envoy_python_dependencies():

bazel/repositories.bzl

@@ -1464,13 +1464,6 @@ filegroup(
         build_file_content = BUILD_ALL_CONTENT,
     )
 
-    # This archive provides Kafka client in Python, so we can use it to interact with Kafka server
-    # during integration tests.
-    external_http_archive(
-        name = "kafka_python_client",
-        build_file_content = BUILD_ALL_CONTENT,
-    )
-
 def _com_github_fdio_vpp_vcl():
     external_http_archive(
         name = "com_github_fdio_vpp_vcl",

bazel/repositories_extra.bzl

@@ -9,7 +9,7 @@ def _python_minor_version(python_version):
     return "_".join(python_version.split(".")[:-1])
 
 # Python version for `rules_python`
-PYTHON_VERSION = "3.11.9"
+PYTHON_VERSION = "3.12.3"
 PYTHON_MINOR_VERSION = _python_minor_version(PYTHON_VERSION)
 
 # Envoy deps that rely on a first stage of dependency loading in envoy_dependencies().

bazel/repository_locations.bzl

@@ -1380,19 +1380,6 @@ REPOSITORY_LOCATIONS_SPEC = dict(
         release_date = "2023-07-21",
         use_category = ["test_only"],
     ),
-    kafka_python_client = dict(
-        project_name = "Kafka (Python client)",
-        project_desc = "Open-source distributed event streaming platform",
-        project_url = "https://kafka.apache.org",
-        version = "2.0.2",
-        sha256 = "5dcf87c559e7aee4f18d621a02e247db3e3552ee4589ca611d51eef87b37efed",
-        strip_prefix = "kafka-python-{version}",
-        urls = ["https://github.com/dpkp/kafka-python/archive/{version}.tar.gz"],
-        release_date = "2020-09-30",
-        use_category = ["test_only"],
-        license = "Apache-2.0",
-        license_url = "https://github.com/dpkp/kafka-python/blob/{version}/LICENSE",
-    ),
     proxy_wasm_cpp_sdk = dict(
         project_name = "WebAssembly for Proxies (C++ SDK)",
         project_desc = "WebAssembly for Proxies (C++ SDK)",

changelogs/1.29.10.yaml

@@ -0,0 +1,6 @@
+date: October 29, 2024
+
+bug_fixes:
+- area: tracing
+  change: |
+    Fixed a bug where the OpenTelemetry tracer exports the OTLP request even when no spans are present.

changelogs/1.29.11.yaml

@@ -0,0 +1,15 @@
+date: December 8, 2024
+
+minor_behavior_changes:
+- area: dns
+  change: |
+    Patched c-ares to address CVE-2024-25629.
+
+bug_fixes:
+- area: access_log
+  change: |
+    Relaxed the restriction on SNI logging to allow the ``_`` character, even if
+    ``envoy.reloadable_features.sanitize_sni_in_access_log`` is enabled.
+- area: validation/tools
+  change: |
+    Add back missing extension for ``schema_validator_tool``.

changelogs/1.29.12.yaml

@@ -0,0 +1,6 @@
+date: December 18, 2024
+
+bug_fixes:
+- area: http/1
+  change: |
+    Fixes sending overload crashes when HTTP/1 request is reset.

changelogs/1.30.7.yaml

@@ -0,0 +1,6 @@
+date: October 29, 2024
+
+bug_fixes:
+- area: tracing
+  change: |
+    Fixed a bug where the OpenTelemetry tracer exports the OTLP request even when no spans are present.

changelogs/1.30.8.yaml

@@ -0,0 +1,18 @@
+date: December 8, 2024
+
+minor_behavior_changes:
+- area: dns
+  change: |
+    Patched c-ares to address CVE-2024-25629.
+
+bug_fixes:
+- area: access_log
+  change: |
+    Relaxed the restriction on SNI logging to allow the ``_`` character, even if
+    ``envoy.reloadable_features.sanitize_sni_in_access_log`` is enabled.
+- area: tracers
+  change: |
+    Avoid possible overflow when setting span attributes in Dynatrace sampler.
+- area: validation/tools
+  change: |
+    Add back missing extension for ``schema_validator_tool``.

changelogs/1.30.9.yaml

@@ -0,0 +1,9 @@
+date: December 18, 2024
+
+bug_fixes:
+- area: http/1
+  change: |
+    Fixes sending overload crashes when HTTP/1 request is reset.
+- area: happy_eyeballs
+  change: |
+    Validate that ``additional_address`` are IP addresses instead of crashing when sorting.

changelogs/1.31.3.yaml

@@ -0,0 +1,6 @@
+date: October 29, 2024
+
+bug_fixes:
+- area: tracing
+  change: |
+    Fixed a bug where the OpenTelemetry tracer exports the OTLP request even when no spans are present.

changelogs/1.31.4.yaml

@@ -0,0 +1,18 @@
+date: December 8, 2024
+
+minor_behavior_changes:
+- area: dns
+  change: |
+    Patched c-ares to address CVE-2024-25629.
+
+bug_fixes:
+- area: access_log
+  change: |
+    Relaxed the restriction on SNI logging to allow the ``_`` character, even if
+    ``envoy.reloadable_features.sanitize_sni_in_access_log`` is enabled.
+- area: tracers
+  change: |
+    Avoid possible overflow when setting span attributes in Dynatrace sampler.
+- area: validation/tools
+  change: |
+    Add back missing extension for ``schema_validator_tool``.

changelogs/1.31.5.yaml

@@ -0,0 +1,13 @@
+date: December 18, 2024
+
+bug_fixes:
+- area: http/1
+  change: |
+    Fixes sending overload crashes when HTTP/1 request is reset.
+- area: happy_eyeballs
+  change: |
+    Validate that ``additional_address`` are IP addresses instead of crashing when sorting.
+- area: balsa
+  change: |
+    Fix incorrect handling of non-101 1xx responses. This fix can be temporarily reverted by setting runtime guard
+    ``envoy.reloadable_features.wait_for_first_byte_before_balsa_msg_done`` to false.

changelogs/current.yaml

@@ -8,9 +8,6 @@ minor_behavior_changes:
 
 bug_fixes:
 # *Changes expected to improve the state of the world and are unlikely to have negative effects*
-- area: tracing
-  change: |
-    Fixed a bug where the OpenTelemetry tracer exports the OTLP request even when no spans are present.
 
 removed_config_or_runtime:
 # *Normally occurs at the end of the* :ref:`deprecation period <deprecated>`