diff --git a/.bazelrc b/.bazelrc index f5f0b788a4..9bae9490b9 100644 --- a/.bazelrc +++ b/.bazelrc @@ -393,9 +393,9 @@ build:remote-ci --config=ci build:remote-ci --remote_download_minimal # Note this config is used by mobile CI also. -build:ci --noshow_progress -build:ci --noshow_loading_progress -build:ci --test_output=errors +common:ci --noshow_progress +common:ci --noshow_loading_progress +common:ci --test_output=errors # Fuzz builds 
@@ -512,26 +512,28 @@ build:rbe-engflow --bes_upload_mode=fully_async build:rbe-engflow --nolegacy_important_outputs # RBE (Engflow Envoy) -build:common-envoy-engflow --google_default_credentials=false -build:common-envoy-engflow --credential_helper=*.engflow.com=%workspace%/bazel/engflow-bazel-credential-helper.sh -build:common-envoy-engflow --grpc_keepalive_time=30s - -build:cache-envoy-engflow --remote_cache=grpcs://mordenite.cluster.engflow.com -build:cache-envoy-engflow --remote_timeout=3600s -build:bes-envoy-engflow --bes_backend=grpcs://mordenite.cluster.engflow.com/ -build:bes-envoy-engflow --bes_results_url=https://mordenite.cluster.engflow.com/invocation/ -build:bes-envoy-engflow --bes_timeout=3600s -build:bes-envoy-engflow --bes_upload_mode=fully_async -build:bes-envoy-engflow --nolegacy_important_outputs -build:rbe-envoy-engflow --remote_executor=grpcs://mordenite.cluster.engflow.com -build:rbe-envoy-engflow --remote_default_exec_properties=container-image=docker://gcr.io/envoy-ci/envoy-build@sha256:7adc40c09508f957624c4d2e0f5aeecb73a59207ee6ded53b107eac828c091b2 -build:rbe-envoy-engflow --jobs=200 -build:rbe-envoy-engflow --define=engflow_rbe=true - -build:remote-envoy-engflow --config=common-envoy-engflow -build:remote-envoy-engflow --config=cache-envoy-engflow -build:remote-envoy-engflow --config=bes-envoy-engflow -build:remote-envoy-engflow --config=rbe-envoy-engflow +common:common-envoy-engflow --google_default_credentials=false +common:common-envoy-engflow --credential_helper=*.engflow.com=%workspace%/bazel/engflow-bazel-credential-helper.sh +common:common-envoy-engflow --grpc_keepalive_time=30s + +common:cache-envoy-engflow --remote_cache=grpcs://mordenite.cluster.engflow.com +common:cache-envoy-engflow --remote_timeout=3600s +common:bes-envoy-engflow --bes_backend=grpcs://mordenite.cluster.engflow.com/ +common:bes-envoy-engflow --bes_results_url=https://mordenite.cluster.engflow.com/invocation/ +common:bes-envoy-engflow --bes_timeout=3600s 
+common:bes-envoy-engflow --bes_upload_mode=fully_async +common:bes-envoy-engflow --nolegacy_important_outputs +common:rbe-envoy-engflow --remote_executor=grpcs://mordenite.cluster.engflow.com +common:rbe-envoy-engflow --remote_default_exec_properties=container-image=docker://gcr.io/envoy-ci/envoy-build@sha256:7adc40c09508f957624c4d2e0f5aeecb73a59207ee6ded53b107eac828c091b2 +common:rbe-envoy-engflow --jobs=200 +common:rbe-envoy-engflow --define=engflow_rbe=true + +common:remote-envoy-engflow --config=common-envoy-engflow +common:remote-envoy-engflow --config=cache-envoy-engflow +common:remote-envoy-engflow --config=rbe-envoy-engflow + +common:remote-cache-envoy-engflow --config=common-envoy-engflow +common:remote-cache-envoy-engflow --config=cache-envoy-engflow ############################################################################# # debug: Various Bazel debugging flags @@ -555,6 +557,7 @@ common:debug --config=debug-sandbox common:debug --config=debug-coverage common:debug --config=debug-tests +try-import %workspace%/repo.bazelrc try-import %workspace%/clang.bazelrc try-import %workspace%/user.bazelrc try-import %workspace%/local_tsan.bazelrc diff --git a/.github/workflows/_precheck_publish.yml b/.github/workflows/_precheck_publish.yml index a8b6ae02a4..ca186549d1 100644 --- a/.github/workflows/_precheck_publish.yml +++ b/.github/workflows/_precheck_publish.yml @@ -62,9 +62,7 @@ jobs: target-suffix: arm64 arch: arm64 bazel-extra: >- - --config=common-envoy-engflow - --config=cache-envoy-engflow - --config=bes-envoy-engflow + --config=remote-cache-envoy-engflow rbe: false runs-on: envoy-arm64-large timeout-minutes: 180 diff --git a/.github/workflows/_publish_build.yml b/.github/workflows/_publish_build.yml index f03d887a6f..296a3000dc 100644 --- a/.github/workflows/_publish_build.yml +++ b/.github/workflows/_publish_build.yml 
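Review bot: The new `remote-cache-envoy-engflow` group pulls in only `common-envoy-engflow` and `cache-envoy-engflow`, and `remote-envoy-engflow` loses its `--config=bes-envoy-engflow` line, yet the workflow callers in this commit replace a triple that included `bes-envoy-engflow` with the new group. If dropping the build-event upload is intended, a comment above the group such as `# Cache only: BES upload is deliberately not enabled here` would record that. If it is not intended, `common:remote-cache-envoy-engflow --config=bes-envoy-engflow` is missing. The `bes-envoy-engflow` settings stay defined but appear to have no user left in the visible hunks.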
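Review bot: `try-import %workspace%/repo.bazelrc` has no comment saying where the file comes from; unlike a checked-in rc file, it is generated in CI from a repository variable (see the _run.yml change in this commit). Suggest a line above it, `# repo.bazelrc is written by CI from vars.ENVOY_CI_BAZELRC; keep it out of version control`, and confirming that the file is ignored by git, which is not visible here. Because it is imported before clang.bazelrc and user.bazelrc, those files can still override it.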
@@ -67,9 +67,7 @@ jobs: name: Release (arm64) arch: arm64 bazel-extra: >- - --config=cache-envoy-engflow - --config=common-envoy-engflow - --config=bes-envoy-engflow + --config=remote-cache-envoy-engflow rbe: false runs-on: envoy-arm64-medium @@ -86,9 +84,7 @@ jobs: uses: ./.github/workflows/_run.yml with: bazel-extra: >- - --config=cache-envoy-engflow - --config=common-envoy-engflow - --config=bes-envoy-engflow + --config=remote-cache-envoy-engflow downloads: | release.${{ matrix.arch }}: release/${{ matrix.arch }}/bin/ target: ${{ matrix.target }} @@ -163,6 +159,11 @@ jobs: uses: ./.github/workflows/_run.yml with: target: release.signed + bazel-extra: >- + --//distribution:x64-packages=//distribution:custom/x64/packages.x64.tar.gz + --//distribution:arm64-packages=//distribution:custom/arm64/packages.arm64.tar.gz + --//distribution:x64-release=//distribution:custom/x64/bin/release.tar.zst + --//distribution:arm64-release=//distribution:custom/arm64/bin/release.tar.zst cache-build-image: ${{ fromJSON(inputs.request).request.build-image.default }} downloads: | packages.arm64: envoy/arm64/ diff --git a/.github/workflows/_publish_verify.yml b/.github/workflows/_publish_verify.yml index 2f95ee5504..aa4e8b69b5 100644 --- a/.github/workflows/_publish_verify.yml +++ b/.github/workflows/_publish_verify.yml @@ -132,7 +132,5 @@ jobs: target: verify_distro arch: arm64 bazel-extra: >- - --config=cache-envoy-engflow - --config=common-envoy-engflow - --config=bes-envoy-engflow + --config=remote-cache-envoy-engflow runs-on: envoy-arm64-small diff --git a/.github/workflows/_run.yml b/.github/workflows/_run.yml index 0eb58ff567..f5555070f1 100644 --- a/.github/workflows/_run.yml +++ b/.github/workflows/_run.yml 
@@ -286,6 +286,10 @@ jobs: BAZEL_BUILD_EXTRA_OPTIONS="--google_credentials=/build/${GCP_SERVICE_ACCOUNT_KEY_FILE} --config=remote-ci --config=rbe-google" echo "BAZEL_BUILD_EXTRA_OPTIONS=${BAZEL_BUILD_EXTRA_OPTIONS}" >> "$GITHUB_ENV" + - run: | + echo "${{ vars.ENVOY_CI_BAZELRC }}" > repo.bazelrc + if: ${{ vars.ENVOY_CI_BAZELRC }} + - uses: envoyproxy/toolshed/gh-actions/github/run@actions-v0.2.37 name: Run CI ${{ inputs.command }} ${{ inputs.target }} with: diff --git a/.github/workflows/codeql-push.yml b/.github/workflows/codeql-push.yml index 267020a223..8785a68e46 100644 --- a/.github/workflows/codeql-push.yml +++ b/.github/workflows/codeql-push.yml @@ -8,9 +8,11 @@ on: paths: - include/** - source/common/** - branches-ignore: - - dependabot/** + branches: + - main pull_request: + branches: + - main concurrency: group: ${{ github.head_ref || github.run_id }}-${{ github.workflow }} diff --git a/.github/workflows/envoy-macos.yml b/.github/workflows/envoy-macos.yml index 9859cab5aa..742949f657 100644 --- a/.github/workflows/envoy-macos.yml +++ b/.github/workflows/envoy-macos.yml @@ -67,9 +67,7 @@ jobs: _BAZEL_BUILD_EXTRA_OPTIONS=( --remote_download_toplevel --flaky_test_attempts=2 - --config=bes-envoy-engflow - --config=cache-envoy-engflow - --config=common-envoy-engflow + --config=remote-cache-envoy-engflow --config=ci) export BAZEL_BUILD_EXTRA_OPTIONS=${_BAZEL_BUILD_EXTRA_OPTIONS[*]} diff --git a/.github/workflows/pr_notifier.yml b/.github/workflows/pr_notifier.yml index 2024bee400..eb3a702462 100644 --- a/.github/workflows/pr_notifier.yml +++ b/.github/workflows/pr_notifier.yml @@ -1,5 +1,7 @@ on: pull_request: + branches: + - main workflow_dispatch: schedule: - cron: '0 5 * * 1,2,3,4,5' diff --git a/.github/workflows/request.yml b/.github/workflows/request.yml index cc37388e09..5e3b0f10ad 100644 --- a/.github/workflows/request.yml +++ b/.github/workflows/request.yml 
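Review bot: The added step in _run.yml expands `${{ vars.ENVOY_CI_BAZELRC }}` directly into the shell script text, so any double quote, backtick or `$(...)` in the variable is interpreted by the shell before the file is written, and a value containing quotes silently corrupts repo.bazelrc. Pass the value through the environment instead: add `env: ENVOY_CI_BAZELRC: ${{ vars.ENVOY_CI_BAZELRC }}` to the step and write the file with `printf '%s\n' "$ENVOY_CI_BAZELRC" > repo.bazelrc`. Since .bazelrc now try-imports this file, whoever can edit the repository variable can set Bazel flags (remote cache, credential helper) for every job routed through _run.yml, including the `release.signed` target. A comment on the step saying that would make the trust boundary explicit.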
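Review bot: With `branches: - main` on both `push` and `pull_request` in codeql-push.yml, CodeQL analysis stops running for pull requests that target any other branch, and the version bump in this commit suggests it lands on a release branch. If backports should still be scanned, list the release branch pattern as well, for example `- release/v*` (a constructed pattern; adjust to the real branch naming). Otherwise a comment stating that scanning is main-only would make the intent explicit. The removed `branches-ignore: dependabot/**` is covered by the allow-list.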
@@ -24,13 +24,6 @@ concurrency: jobs: request: - # For branches this can be pinned to a specific version if required - # NB: `uses` cannot be dynamic so it _must_ be hardcoded anywhere it is read - uses: envoyproxy/envoy/.github/workflows/_request.yml@main - if: >- - ${{ github.repository == 'envoyproxy/envoy' - || (vars.ENVOY_CI && github.event_name != 'schedule') - || (vars.ENVOY_SCHEDULED_CI && github.event_name == 'schedule') }} permissions: actions: read contents: read @@ -41,3 +34,15 @@ jobs: # these are required to start checks app-key: ${{ secrets.ENVOY_CI_APP_KEY }} app-id: ${{ secrets.ENVOY_CI_APP_ID }} + lock-app-key: ${{ secrets.ENVOY_CI_MUTEX_APP_KEY }} + lock-app-id: ${{ secrets.ENVOY_CI_MUTEX_APP_ID }} + gcs-cache-key: ${{ secrets.GCS_CACHE_WRITE_KEY }} + with: + gcs-cache-bucket: ${{ vars.ENVOY_CACHE_BUCKET }} + # For branches this can be pinned to a specific version if required + # NB: `uses` cannot be dynamic so it _must_ be hardcoded anywhere it is read + uses: envoyproxy/envoy/.github/workflows/_request.yml@main + if: >- + ${{ github.repository == 'envoyproxy/envoy' + || (vars.ENVOY_CI && github.event_name != 'schedule') + || (vars.ENVOY_SCHEDULED_CI && github.event_name == 'schedule') }} diff --git a/VERSION.txt b/VERSION.txt index 0c15197bbb..98773de2fa 100644 --- a/VERSION.txt +++ b/VERSION.txt @@ -1 +1 @@ -1.32.1-dev +1.32.3-dev diff --git a/api/bazel/repository_locations.bzl b/api/bazel/repository_locations.bzl index a7738a68bc..c24d344f2b 100644 --- a/api/bazel/repository_locations.bzl +++ b/api/bazel/repository_locations.bzl 
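Review bot: The added `lock-app-key` and `gcs-cache-key` secrets are handed to a reusable workflow referenced as `_request.yml@main`, a mutable ref, so the code that receives the cache write key can change without any change on this branch. The existing comment already allows pinning for branches; with a write-capable key now in the list, pinning `uses:` to a commit SHA (placeholder `@<commit-sha>`) on release branches is worth considering. The trigger events for this job are outside the hunk, so it cannot be told from here whether untrusted pull requests reach it.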
@@ -179,12 +179,12 @@ REPOSITORY_LOCATIONS_SPEC = dict( project_name = "envoy_toolshed", project_desc = "Tooling, libraries, runners and checkers for Envoy proxy's CI", project_url = "https://github.com/envoyproxy/toolshed", - version = "0.1.12", - sha256 = "cbd919462d3301ffcd83bcbc3763914201e08ac97d9237cd75219725760321d0", + version = "0.1.16", + sha256 = "06939757b00b318e89996ca3d4d2468ac2da1ff48a7b2cd9146b2054c3ff4769", strip_prefix = "toolshed-bazel-v{version}/bazel", urls = ["https://github.com/envoyproxy/toolshed/archive/bazel-v{version}.tar.gz"], use_category = ["build"], - release_date = "2024-09-08", + release_date = "2024-11-18", cpe = "N/A", license = "Apache-2.0", license_url = "https://github.com/envoyproxy/envoy/blob/bazel-v{version}/LICENSE", diff --git a/api/envoy/config/cluster/v3/cluster.proto b/api/envoy/config/cluster/v3/cluster.proto index 0d2d6f1918..079a1e4977 100644 --- a/api/envoy/config/cluster/v3/cluster.proto +++ b/api/envoy/config/cluster/v3/cluster.proto @@ -965,7 +965,7 @@ message Cluster { // :ref:`STRICT_DNS` // and :ref:`LOGICAL_DNS` // this setting is ignored. - google.protobuf.Duration dns_jitter = 58; + google.protobuf.Duration dns_jitter = 58 [(validate.rules).duration = {gte {}}]; // If the DNS failure refresh rate is specified and the cluster type is either // :ref:`STRICT_DNS`, diff --git a/bazel/c-ares.patch b/bazel/c-ares.patch new file mode 100644 index 0000000000..60267f1f2c --- /dev/null +++ b/bazel/c-ares.patch 
@@ -0,0 +1,20 @@ +# Patch for c-ares CVE-2024-25629 +diff --git a/src/lib/ares__read_line.c b/src/lib/ares__read_line.c +index d65ac1fcf8..018f55e8b2 100644 +--- a/src/lib/ares__read_line.c ++++ b/src/lib/ares__read_line.c +@@ -59,6 +59,14 @@ ares_status_t ares__read_line(FILE *fp, char **buf, size_t *bufsize) + return (offset != 0) ? 0 : (ferror(fp)) ? ARES_EFILE : ARES_EOF; + } + len = offset + ares_strlen(*buf + offset); ++ ++ /* Probably means there was an embedded NULL as the first character in ++ * the line, throw away line */ ++ if (len == 0) { ++ offset = 0; ++ continue; ++ } ++ + if ((*buf)[len - 1] == '\n') { + (*buf)[len - 1] = 0; + break; diff --git a/bazel/repositories.bzl b/bazel/repositories.bzl index be0a46d06a..97b1a9fa8d 100644 --- a/bazel/repositories.bzl +++ b/bazel/repositories.bzl @@ -305,6 +305,8 @@ def _com_github_c_ares_c_ares(): external_http_archive( name = "com_github_c_ares_c_ares", build_file_content = BUILD_ALL_CONTENT, + patch_args = ["-p1"], + patches = ["@envoy//bazel:c-ares.patch"], ) def _com_github_cyan4973_xxhash(): diff --git a/changelogs/1.29.10.yaml b/changelogs/1.29.10.yaml new file mode 100644 index 0000000000..5dc086dcaf --- /dev/null +++ b/changelogs/1.29.10.yaml @@ -0,0 +1,6 @@ +date: October 29, 2024 + +bug_fixes: +- area: tracing + change: | + Fixed a bug where the OpenTelemetry tracer exports the OTLP request even when no spans are present. diff --git a/changelogs/1.29.11.yaml b/changelogs/1.29.11.yaml new file mode 100644 index 0000000000..1ae719a513 --- /dev/null +++ b/changelogs/1.29.11.yaml @@ -0,0 +1,15 @@ +date: December 8, 2024 + +minor_behavior_changes: +- area: dns + change: | + Patched c-ares to address CVE-2024-25629. + +bug_fixes: +- area: access_log + change: | + Relaxed the restriction on SNI logging to allow the ``_`` character, even if + ``envoy.reloadable_features.sanitize_sni_in_access_log`` is enabled. +- area: validation/tools + change: | + Add back missing extension for ``schema_validator_tool``. 
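Review bot: The new `patches = ["@envoy//bazel:c-ares.patch"]` entry in `_com_github_c_ares_c_ares` carries no comment saying why the patch exists or when it can be dropped. Suggest a line above `patch_args`, `# Backport of the upstream fix for CVE-2024-25629; remove when c-ares is bumped to a release that contains it`. The CVE is named only inside the patch file, so a later dependency bump that makes the patch fail to apply would be confusing without this pointer at the call site.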
diff --git a/changelogs/1.30.7.yaml b/changelogs/1.30.7.yaml new file mode 100644 index 0000000000..5dc086dcaf --- /dev/null +++ b/changelogs/1.30.7.yaml @@ -0,0 +1,6 @@ +date: October 29, 2024 + +bug_fixes: +- area: tracing + change: | + Fixed a bug where the OpenTelemetry tracer exports the OTLP request even when no spans are present. diff --git a/changelogs/1.30.8.yaml b/changelogs/1.30.8.yaml new file mode 100644 index 0000000000..1a5d8e83f2 --- /dev/null +++ b/changelogs/1.30.8.yaml @@ -0,0 +1,18 @@ +date: December 8, 2024 + +minor_behavior_changes: +- area: dns + change: | + Patched c-ares to address CVE-2024-25629. + +bug_fixes: +- area: access_log + change: | + Relaxed the restriction on SNI logging to allow the ``_`` character, even if + ``envoy.reloadable_features.sanitize_sni_in_access_log`` is enabled. +- area: tracers + change: | + Avoid possible overflow when setting span attributes in Dynatrace sampler. +- area: validation/tools + change: | + Add back missing extension for ``schema_validator_tool``. diff --git a/changelogs/1.31.3.yaml b/changelogs/1.31.3.yaml new file mode 100644 index 0000000000..5dc086dcaf --- /dev/null +++ b/changelogs/1.31.3.yaml @@ -0,0 +1,6 @@ +date: October 29, 2024 + +bug_fixes: +- area: tracing + change: | + Fixed a bug where the OpenTelemetry tracer exports the OTLP request even when no spans are present. diff --git a/changelogs/1.31.4.yaml b/changelogs/1.31.4.yaml new file mode 100644 index 0000000000..1a5d8e83f2 --- /dev/null +++ b/changelogs/1.31.4.yaml 
@@ -0,0 +1,18 @@ +date: December 8, 2024 + +minor_behavior_changes: +- area: dns + change: | + Patched c-ares to address CVE-2024-25629. + +bug_fixes: +- area: access_log + change: | + Relaxed the restriction on SNI logging to allow the ``_`` character, even if + ``envoy.reloadable_features.sanitize_sni_in_access_log`` is enabled. +- area: tracers + change: | + Avoid possible overflow when setting span attributes in Dynatrace sampler. +- area: validation/tools + change: | + Add back missing extension for ``schema_validator_tool``. diff --git a/changelogs/1.32.1.yaml b/changelogs/1.32.1.yaml new file mode 100644 index 0000000000..faeca80a68 --- /dev/null +++ b/changelogs/1.32.1.yaml @@ -0,0 +1,6 @@ +date: October 29, 2024 + +bug_fixes: +- area: release + change: | + Container updates. diff --git a/changelogs/1.32.2.yaml b/changelogs/1.32.2.yaml new file mode 100644 index 0000000000..5ea31acf5a --- /dev/null +++ b/changelogs/1.32.2.yaml @@ -0,0 +1,27 @@ +date: December 8, 2024 + +minor_behavior_changes: +- area: dns + change: | + Patched c-ares to address CVE-2024-25629. + +bug_fixes: +- area: access_log + change: | + Relaxed the restriction on SNI logging to allow the ``_`` character, even if + ``envoy.reloadable_features.sanitize_sni_in_access_log`` is enabled. +- area: original_ip_detection + change: | + Reverted :ref:`custom header + ` extension to its + original behavior by disabling automatic XFF header appending that was inadvertently introduced in PR #31831. +- area: tracers + change: | + Avoid possible overflow when setting span attributes in Dynatrace sampler. +- area: validation/tools + change: | + Add back missing extension for ``schema_validator_tool``. +- area: DNS + change: | + Fixed bug where setting ``dns_jitter `` to large values caused Envoy Bug + to fire. diff --git a/ci/Dockerfile-envoy b/ci/Dockerfile-envoy index a4a5a8303b..5b9c03bb2f 100644 --- a/ci/Dockerfile-envoy +++ b/ci/Dockerfile-envoy 
@@ -59,7 +59,7 @@ COPY --chown=0:0 --chmod=755 \ # STAGE: envoy-distroless -FROM gcr.io/distroless/base-nossl-debian12:nonroot@sha256:e130c09889f3b6c05dacd52d2612c30811e04eefe3280a6659037cfdd018de6c AS envoy-distroless +FROM gcr.io/distroless/base-nossl-debian12:nonroot@sha256:2a803cc873dc1a69a33087ee10c75755367dd2c259219893504680480ad563f0 AS envoy-distroless EXPOSE 10000 ENTRYPOINT ["/usr/local/bin/envoy"] CMD ["-c", "/etc/envoy/envoy.yaml"] diff --git a/ci/do_ci.sh b/ci/do_ci.sh index d4d2e56e4d..b976a618d2 100755 --- a/ci/do_ci.sh +++ b/ci/do_ci.sh @@ -935,7 +935,9 @@ case $CI_TARGET in release.signed) echo "Signing binary packages..." setup_clang_toolchain - bazel build "${BAZEL_BUILD_OPTIONS[@]}" //distribution:signed + bazel build \ + "${BAZEL_BUILD_OPTIONS[@]}" \ + //distribution:signed cp -a bazel-bin/distribution/release.signed.tar.zst "${BUILD_DIR}/envoy/" ;; diff --git a/distribution/BUILD b/distribution/BUILD index 578f6de6f3..a222747815 100644 --- a/distribution/BUILD +++ b/distribution/BUILD 
@@ -77,55 +77,88 @@ sh_binary( ], ) +genrule( + name = "placeholder", + outs = ["PLACEHOLDER.TXT"], + cmd = """ + touch $@ + """, +) + label_flag( name = "x64-packages", - build_setting_default = "//distribution:custom/x64/packages.x64.tar.gz", + build_setting_default = ":placeholder", ) label_flag( name = "arm64-packages", - build_setting_default = "//distribution:custom/arm64/packages.arm64.tar.gz", + build_setting_default = ":placeholder", ) label_flag( name = "x64-release", - build_setting_default = "//distribution:custom/x64/bin/release.tar.zst", + build_setting_default = ":placeholder", ) label_flag( name = "arm64-release", - build_setting_default = "//distribution:custom/arm64/bin/release.tar.zst", + build_setting_default = ":placeholder", ) genrule( name = "multi_arch_debs", + srcs = [ + ":arm64-packages", + ":x64-packages", + ], outs = ["multiarch-debs.tar.gz"], # To ensure the debs tarball is not extracted and kept as a tarball, it is # placed into a 2nd archive. cmd = """ - tmpdir=$$(mktemp -d) \ - && tmpdir2=$$(mktemp -d) \ - && tar xf $(location :x64-packages) -C "$$tmpdir" \ - && tar xf $(location :arm64-packages) -C "$$tmpdir" \ - && rm "$${tmpdir}/signing.key" \ - && mv "$${tmpdir}/deb/"* "$${tmpdir}" \ - && rm -rf "$${tmpdir}/deb/" \ - && tar cf $$tmpdir2/debs.tar.gz -C "$${tmpdir}" . \ - && tar cf $@ -C "$${tmpdir2}" . 
\ + tmpdir=$$(mktemp -d) + tmpdir2=$$(mktemp -d) + NEEDS_PATH= + if [[ $$(basename $(location :x64-packages)) == "PLACEHOLDER.TXT" ]]; then + NEEDS_PATH=1 + elif [[ $$(basename $(location :arm64-packages)) == "PLACEHOLDER.TXT" ]]; then + NEEDS_PATH=1 + fi + if [[ -n $$NEEDS_PATH ]]; then + echo "You must set //distribution:x64-packages and //distribution:arm64-packages to build multiarch debs" >&2 + exit 1 + fi + tar xf $(location :x64-packages) -C "$$tmpdir" + tar xf $(location :arm64-packages) -C "$$tmpdir" + rm "$${tmpdir}/signing.key" + mv "$${tmpdir}/deb/"* "$${tmpdir}" + rm -rf "$${tmpdir}/deb/" + tar cf $$tmpdir2/debs.tar.gz -C "$${tmpdir}" . + tar cf $@ -C "$${tmpdir2}" . """, - tools = [ - ":arm64-packages", - ":x64-packages", - ], ) genrule( name = "signed", + srcs = [ + ":arm64-release", + ":multi_arch_debs", + ":x64-release", + ], outs = ["release.signed.tar.zst"], cmd = """ # Sign the packages - VERSION=%s \ - && $(location //tools/distribution:sign) \ + VERSION=%s + NEEDS_PATH= + if [[ $$(basename $(location :x64-release)) == "PLACEHOLDER.TXT" ]]; then + NEEDS_PATH=1 + elif [[ $$(basename $(location :arm64-release)) == "PLACEHOLDER.TXT" ]]; then + NEEDS_PATH=1 + fi + if [[ -n $$NEEDS_PATH ]]; then + echo "You must set //distribution:x64-release and //distribution:arm64-release for signing packages" >&2 + exit 1 + fi + $(location //tools/distribution:sign) \ "bin:$(location :multi_arch_debs)" \ "x64:$(location :x64-release)" \ "arm64:$(location :arm64-release)" \ @@ -136,10 +169,5 @@ genrule( --out $@ """ % VERSION, tags = ["no-remote"], - tools = [ - ":arm64-release", - ":multi_arch_debs", - ":x64-release", - "//tools/distribution:sign", - ], + tools = ["//tools/distribution:sign"], ) diff --git a/docs/inventories/v1.29/objects.inv b/docs/inventories/v1.29/objects.inv index d6586b52fa..97f3017999 100644 Binary files a/docs/inventories/v1.29/objects.inv and b/docs/inventories/v1.29/objects.inv differ 
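Review bot: In `multi_arch_debs` the two `mktemp -d` directories are never removed, so a failure part-way through (for instance a `tar xf` error) leaves the unpacked package contents, including `signing.key`, behind in the temp directory. Adding `trap 'rm -rf "$$tmpdir" "$$tmpdir2"' EXIT` right after the two `mktemp` lines cleans up on every exit path. With the `&&` chain replaced by separate statements, the rule also depends on the genrule shell aborting at the first failing command. A one-line comment saying so, or an explicit `set -e` at the top of `cmd`, would make that dependency visible.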
diff --git a/docs/inventories/v1.30/objects.inv b/docs/inventories/v1.30/objects.inv index f961430394..79532a36ef 100644 Binary files a/docs/inventories/v1.30/objects.inv and b/docs/inventories/v1.30/objects.inv differ diff --git a/docs/inventories/v1.31/objects.inv b/docs/inventories/v1.31/objects.inv index 8bd3786841..6481a5d392 100644 Binary files a/docs/inventories/v1.31/objects.inv and b/docs/inventories/v1.31/objects.inv differ diff --git a/docs/inventories/v1.32/objects.inv b/docs/inventories/v1.32/objects.inv new file mode 100644 index 0000000000..e153081b64 Binary files /dev/null and b/docs/inventories/v1.32/objects.inv differ diff --git a/docs/versions.yaml b/docs/versions.yaml index b77b1ede09..327c6a0fd7 100644 --- a/docs/versions.yaml +++ b/docs/versions.yaml @@ -22,6 +22,7 @@ "1.26": 1.26.8 "1.27": 1.27.7 "1.28": 1.28.7 -"1.29": 1.29.9 -"1.30": 1.30.6 -"1.31": 1.31.2 +"1.29": 1.29.11 +"1.30": 1.30.8 +"1.31": 1.31.4 +"1.32": 1.32.1 diff --git a/envoy/geoip/BUILD b/envoy/geoip/BUILD index 05d323b6a0..7f9b2462e7 100644 --- a/envoy/geoip/BUILD +++ b/envoy/geoip/BUILD @@ -1,6 +1,6 @@ load( "//bazel:envoy_build_system.bzl", - "envoy_cc_extension", + "envoy_cc_library", "envoy_package", ) @@ -11,7 +11,7 @@ envoy_package() # HTTP L7 filter that decorates request with geolocation data # Public docs: https://envoyproxy.io/docs/envoy/latest/configuration/http/http_filters/geoip_filter -envoy_cc_extension( +envoy_cc_library( name = "geoip_provider_driver_interface", hdrs = [ "geoip_provider_driver.h", diff --git a/source/common/common/utility.cc b/source/common/common/utility.cc index ab79b2cf56..a44a794807 100644 --- a/source/common/common/utility.cc +++ b/source/common/common/utility.cc 
@@ -590,7 +590,8 @@ std::string StringUtil::sanitizeInvalidHostname(const absl::string_view source) std::string ret_str = std::string(source); bool sanitized = false; for (size_t i = 0; i < ret_str.size(); ++i) { - if (absl::ascii_isalnum(ret_str[i]) || ret_str[i] == '.' || ret_str[i] == '-') { + if (absl::ascii_isalnum(ret_str[i]) || ret_str[i] == '.' || ret_str[i] == '-' || + ret_str[i] == '_') { continue; } sanitized = true; diff --git a/source/common/common/utility.h b/source/common/common/utility.h index 06a404fbd6..ccd6d8443c 100644 --- a/source/common/common/utility.h +++ b/source/common/common/utility.h @@ -492,8 +492,8 @@ class StringUtil { /** * Sanitize host name strings for logging purposes. Replace invalid hostname characters (anything - * that's not alphanumeric, hyphen, or period) with underscore. The sanitized string is not a - * valid host name. + * that's not alphanumeric, hyphen, or period) with underscore. The sanitized string + * is not a valid host name. * @param source supplies the string to sanitize. * @return sanitized string. */ diff --git a/source/extensions/clusters/logical_dns/logical_dns_cluster.cc b/source/extensions/clusters/logical_dns/logical_dns_cluster.cc index ef3d443af7..264f522c12 100644 --- a/source/extensions/clusters/logical_dns/logical_dns_cluster.cc +++ b/source/extensions/clusters/logical_dns/logical_dns_cluster.cc 
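Review bot: The doc comment for `sanitizeInvalidHostname` in utility.h is only re-wrapped here and still lists "alphanumeric, hyphen, or period" as the characters that are kept, while utility.cc in this commit also keeps `_`. Suggest updating it to `anything that's not alphanumeric, hyphen, period, or underscore`. Since `_` is also the replacement character, a sanitized name cannot be told apart from an original that contained underscores by its characters alone. The `sanitized` flag in the .cc loop suggests the function marks the result some other way, but that part is outside the hunk.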
@@ -151,7 +151,14 @@ void LogicalDnsCluster::startResolve() { final_refresh_rate = addrinfo.ttl_; } if (dns_jitter_ms_.count() != 0) { - final_refresh_rate += std::chrono::milliseconds(random_.random()) % dns_jitter_ms_; + // Note that `random_.random()` returns a uint64 while + // `dns_jitter_ms_.count()` returns a signed long that gets cast into a uint64. + // Thus, the modulo of the two will be a positive as long as + // `dns_jitter_ms_.count()` is positive. + // It is important that this be positive, otherwise `final_refresh_rate` could be + // negative causing Envoy to crash. + final_refresh_rate += + std::chrono::milliseconds(random_.random() % dns_jitter_ms_.count()); } ENVOY_LOG(debug, "DNS refresh rate reset for {}, refresh rate {} ms", dns_address_, final_refresh_rate.count()); diff --git a/source/extensions/clusters/strict_dns/strict_dns_cluster.cc b/source/extensions/clusters/strict_dns/strict_dns_cluster.cc index b379ef1e89..64641eedbc 100644 --- a/source/extensions/clusters/strict_dns/strict_dns_cluster.cc +++ b/source/extensions/clusters/strict_dns/strict_dns_cluster.cc @@ -193,8 +193,14 @@ void StrictDnsClusterImpl::ResolveTarget::startResolve() { final_refresh_rate.count() > 0); } if (parent_.dns_jitter_ms_.count() > 0) { - final_refresh_rate += - std::chrono::milliseconds(parent_.random_.random()) % parent_.dns_jitter_ms_; + // Note that `parent_.random_.random()` returns a uint64 while + // `parent_.dns_jitter_ms_.count()` returns a signed long that gets cast into a uint64. + // Thus, the modulo of the two will be a positive as long as + // `parent_dns_jitter_ms_.count()` is positive. + // It is important that this be positive, otherwise `final_refresh_rate` could be + // negative causing Envoy to crash. + final_refresh_rate += std::chrono::milliseconds(parent_.random_.random() % + parent_.dns_jitter_ms_.count()); } ENVOY_LOG(debug, "DNS refresh rate reset for {}, refresh rate {} ms", dns_address_, 
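Review bot: The guard above the new expression in `LogicalDnsCluster::startResolve` is still `if (dns_jitter_ms_.count() != 0)`, while the added comment only promises a non-negative result when the count is positive. A negative count converted to uint64 becomes a very large divisor, and the remainder can then exceed the int64 range of `std::chrono::milliseconds`. The proto rule added in this commit rejects negative values, but matching the strict DNS path with `if (dns_jitter_ms_.count() > 0) {` keeps the code safe on its own. In the strict_dns_cluster.cc hunk the comment names `parent_dns_jitter_ms_.count()`, which should read `parent_.dns_jitter_ms_.count()`. Both functions continue outside their hunks.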
diff --git a/source/extensions/http/original_ip_detection/custom_header/custom_header.cc b/source/extensions/http/original_ip_detection/custom_header/custom_header.cc index c1698bb19b..a566cf9594 100644 --- a/source/extensions/http/original_ip_detection/custom_header/custom_header.cc +++ b/source/extensions/http/original_ip_detection/custom_header/custom_header.cc @@ -26,18 +26,22 @@ CustomHeaderIPDetection::CustomHeaderIPDetection( Envoy::Http::OriginalIPDetectionResult CustomHeaderIPDetection::detect(Envoy::Http::OriginalIPDetectionParams& params) { + // NOTE: The ``XFF`` header from this extension is intentionally not appended. + // To preserve the behavior prior to #31831, ``skip_xff_append`` is explicitly set to true. + constexpr bool skip_xff_append = true; + auto hdr = params.request_headers.get(header_name_); if (hdr.empty()) { - return {nullptr, false, reject_options_, false}; + return {nullptr, false, reject_options_, skip_xff_append}; } auto header_value = hdr[0]->value().getStringView(); auto addr = Network::Utility::parseInternetAddressNoThrow(std::string(header_value)); if (addr) { - return {addr, allow_trusted_address_checks_, absl::nullopt, false}; + return {addr, allow_trusted_address_checks_, absl::nullopt, skip_xff_append}; } - return {nullptr, false, reject_options_, false}; + return {nullptr, false, reject_options_, skip_xff_append}; } } // namespace CustomHeader diff --git a/source/extensions/tracers/opentelemetry/samplers/dynatrace/sampling_controller.cc b/source/extensions/tracers/opentelemetry/samplers/dynatrace/sampling_controller.cc index e14ad0fa34..e4a7643730 100644 --- a/source/extensions/tracers/opentelemetry/samplers/dynatrace/sampling_controller.cc +++ b/source/extensions/tracers/opentelemetry/samplers/dynatrace/sampling_controller.cc 
@@ -75,7 +75,7 @@ SamplingState SamplingController::getSamplingState(const std::string& sampling_k } absl::ReaderMutexLock ss_lock{&stream_summary_mutex_}; const uint32_t exp = stream_summary_->getN() / divisor; - return SamplingState{exp}; + return SamplingState{std::min(exp, MAX_SAMPLING_EXPONENT)}; } std::string SamplingController::getSamplingKey(const absl::string_view path_query, diff --git a/test/common/formatter/substitution_formatter_test.cc b/test/common/formatter/substitution_formatter_test.cc index 9c058bdf46..3f4615bbb9 100644 --- a/test/common/formatter/substitution_formatter_test.cc +++ b/test/common/formatter/substitution_formatter_test.cc @@ -956,6 +956,15 @@ TEST(SubstitutionFormatterTest, streamInfoFormatter) { ProtoEq(ValueUtil::nullValue())); } + { + StreamInfoFormatter upstream_format("REQUESTED_SERVER_NAME"); + std::string requested_server_name = "outbound_.8080_._.example.com"; + stream_info.downstream_connection_info_provider_->setRequestedServerName(requested_server_name); + EXPECT_EQ("outbound_.8080_._.example.com", upstream_format.formatWithContext({}, stream_info)); + EXPECT_THAT(upstream_format.formatValueWithContext({}, stream_info), + ProtoEq(ValueUtil::stringValue("outbound_.8080_._.example.com"))); + } + { StreamInfoFormatter upstream_format("REQUESTED_SERVER_NAME"); std::string requested_server_name = "stub-server"; diff --git a/test/common/upstream/upstream_impl_test.cc b/test/common/upstream/upstream_impl_test.cc index fc78e4c718..97610e514c 100644 --- a/test/common/upstream/upstream_impl_test.cc +++ b/test/common/upstream/upstream_impl_test.cc @@ -1,5 +1,6 @@ #include #include +#include #include #include #include 
@@ -1490,6 +1491,30 @@ TEST_F(StrictDnsClusterImplTest, TtlAsDnsRefreshRateNoJitter) { TestUtility::makeDnsResponse({}, std::chrono::seconds(5))); } +TEST_F(StrictDnsClusterImplTest, NegativeDnsJitter) { + const std::string yaml = R"EOF( + name: name + type: STRICT_DNS + lb_policy: ROUND_ROBIN + dns_refresh_rate: 4s + dns_jitter: -1s + load_assignment: + endpoints: + - lb_endpoints: + - endpoint: + address: + socket_address: + address: localhost1 + port_value: 11001 + )EOF"; + envoy::config::cluster::v3::Cluster cluster_config = parseClusterFromV3Yaml(yaml); + Envoy::Upstream::ClusterFactoryContextImpl factory_context( + server_context_, server_context_.cluster_manager_, nullptr, ssl_context_manager_, nullptr, + false); + EXPECT_THROW_WITH_MESSAGE( + auto x = *StrictDnsClusterImpl::create(cluster_config, factory_context, dns_resolver_), + EnvoyException, "Expected positive duration: seconds: -1\n"); +} TEST_F(StrictDnsClusterImplTest, TtlAsDnsRefreshRateYesJitter) { ResolverData resolver(*dns_resolver_, server_context_.dispatcher_); 
@@ -1533,6 +1558,40 @@ TEST_F(StrictDnsClusterImplTest, TtlAsDnsRefreshRateYesJitter) { TestUtility::makeDnsResponse({"192.168.1.1", "192.168.1.2"}, std::chrono::seconds(ttl_s))); } +TEST_F(StrictDnsClusterImplTest, ExtremeJitter) { + ResolverData resolver(*dns_resolver_, server_context_.dispatcher_); + + const std::string yaml = R"EOF( + name: name + connect_timeout: 0.25s + type: STRICT_DNS + lb_policy: ROUND_ROBIN + dns_refresh_rate: 1s + dns_jitter: 1000s + respect_dns_ttl: true + load_assignment: + endpoints: + - lb_endpoints: + - endpoint: + address: + socket_address: + address: localhost1 + port_value: 11001 + )EOF"; + envoy::config::cluster::v3::Cluster cluster_config = parseClusterFromV3Yaml(yaml); + Envoy::Upstream::ClusterFactoryContextImpl factory_context( + server_context_, server_context_.cluster_manager_, nullptr, ssl_context_manager_, nullptr, + false); + auto cluster = *StrictDnsClusterImpl::create(cluster_config, factory_context, dns_resolver_); + cluster->initialize([] {}); + + EXPECT_CALL(*resolver.timer_, enableTimer(testing::Ge(std::chrono::milliseconds(1000)), _)); + ON_CALL(random_, random()).WillByDefault(Return(std::numeric_limits::min())); + resolver.dns_callback_( + Network::DnsResolver::ResolutionStatus::Completed, "", + TestUtility::makeDnsResponse({"192.168.1.1", "192.168.1.2"}, std::chrono::seconds(1))); +} + // Ensures that HTTP/2 user defined SETTINGS parameter validation is enforced on clusters. TEST_F(StrictDnsClusterImplTest, Http2UserDefinedSettingsParametersValidation) { const std::string yaml = R"EOF( diff --git a/test/extensions/access_loggers/grpc/tcp_grpc_access_log_integration_test.cc b/test/extensions/access_loggers/grpc/tcp_grpc_access_log_integration_test.cc index c8b3c06248..eb99375a4c 100644 --- a/test/extensions/access_loggers/grpc/tcp_grpc_access_log_integration_test.cc +++ b/test/extensions/access_loggers/grpc/tcp_grpc_access_log_integration_test.cc 
@@ -678,8 +678,8 @@ TEST_P(TcpGrpcAccessLogIntegrationTest, SslNotTerminated) { socket_address: address: {} connection_properties: - received_bytes: 155 - sent_bytes: 155 + received_bytes: 163 + sent_bytes: 163 )EOF", Network::Test::getLoopbackAddressString(ipVersion()), Network::Test::getLoopbackAddressString(ipVersion()), @@ -737,8 +737,8 @@ TEST_P(TcpGrpcAccessLogIntegrationTest, SslNotTerminatedWithJA3) { tls_sni_hostname: sni ja3_fingerprint: "f34cc73a821433e5f56e38868737a636" connection_properties: - received_bytes: 155 - sent_bytes: 155 + received_bytes: 163 + sent_bytes: 163 )EOF", Network::Test::getLoopbackAddressString(ipVersion()), Network::Test::getLoopbackAddressString(ipVersion()), @@ -791,9 +791,11 @@ TEST_P(TcpGrpcAccessLogIntegrationTest, SslNotTerminatedWithJA3NoSNI) { downstream_direct_remote_address: socket_address: address: {} + tls_properties: + ja3_fingerprint: "54619c7296adab310ed514d06812d95f" connection_properties: - received_bytes: 143 - sent_bytes: 143 + received_bytes: 151 + sent_bytes: 151 )EOF", Network::Test::getLoopbackAddressString(ipVersion()), Network::Test::getLoopbackAddressString(ipVersion()), diff --git a/test/extensions/clusters/logical_dns/logical_dns_cluster_test.cc b/test/extensions/clusters/logical_dns/logical_dns_cluster_test.cc index 8c4a1c68d4..be489add2a 100644 --- a/test/extensions/clusters/logical_dns/logical_dns_cluster_test.cc +++ b/test/extensions/clusters/logical_dns/logical_dns_cluster_test.cc @@ -1,4 +1,5 @@ #include +#include #include #include #include 
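Review bot: The expected `received_bytes`/`sent_bytes` literals move from 155 to 163 (143 to 151 in SslNotTerminatedWithJA3NoSNI) with nothing in the tests saying what determines them, so the next change on the client side will again mean guessing new constants. A C++ comment above each expected-log string naming the source of the number would help, for instance `// Byte counts equal the size of the client's TLS hello; update when the TLS library changes.` if that is indeed the source, which these hunks do not show. The same applies to the `bytes_processed_histogram` expectations in tls_inspector_integration_test.cc (135 to 145, 395 to 405), where the one explanatory comment, `// Value expected in RHEL-9`, is removed rather than replaced. The SslNotTerminatedWithJA3NoSNI hunk also starts expecting a `ja3_fingerprint` that was absent before; the commit description should say whether that is an intended behaviour change.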
@@ -47,9 +48,11 @@ class LogicalDnsClusterTest : public Event::TestUsingSimulatedTime, public testi ON_CALL(server_context_, api()).WillByDefault(ReturnRef(*api_)); } - void setupFromV3Yaml(const std::string& yaml) { + void setupFromV3Yaml(const std::string& yaml, bool expect_success = true) { ON_CALL(server_context_, api()).WillByDefault(ReturnRef(*api_)); - resolve_timer_ = new Event::MockTimer(&server_context_.dispatcher_); + if (expect_success) { + resolve_timer_ = new Event::MockTimer(&server_context_.dispatcher_); + } NiceMock cm; envoy::config::cluster::v3::Cluster cluster_config = parseClusterFromV3Yaml(yaml); Envoy::Upstream::ClusterFactoryContextImpl factory_context( 
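Review bot: `expect_success` is named for the caller's intent, but its only visible effect is to skip `resolve_timer_ = new Event::MockTimer(&server_context_.dispatcher_);`, leaving `resolve_timer_` at whatever value it held before. A comment on the parameter would make the reason explicit, e.g. `// When cluster creation is expected to throw, no timer is created, so no MockTimer is registered.`; this is hedged because the rest of setupFromV3Yaml lies outside the hunk. If `resolve_timer_` has no in-class initializer, a dereference after a failed setup would read an indeterminate pointer. Initialising it to `nullptr` in the fixture would make that failure deterministic.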
@@ -647,6 +650,63 @@ TEST_F(LogicalDnsClusterTest, DNSRefreshHasJitter) { TestUtility::makeDnsResponse({"127.0.0.1", "127.0.0.2"}, std::chrono::seconds(3000))); } +TEST_F(LogicalDnsClusterTest, NegativeDnsJitter) { + const std::string yaml = R"EOF( + name: name + type: LOGICAL_DNS + dns_jitter: -1s + lb_policy: ROUND_ROBIN + dns_lookup_family: V4_ONLY + load_assignment: + endpoints: + - lb_endpoints: + - endpoint: + address: + socket_address: + address: foo.bar.com + port_value: 443 + )EOF"; + EXPECT_THROW_WITH_MESSAGE(setupFromV3Yaml(yaml, false), EnvoyException, + "Expected positive duration: seconds: -1\n"); +} + +TEST_F(LogicalDnsClusterTest, ExtremeJitter) { + // When random returns large values, they were being reinterpreted as very negative values causing + // negative refresh rates. + const std::string jitter_yaml = R"EOF( + name: name + type: LOGICAL_DNS + dns_refresh_rate: 1s + dns_failure_refresh_rate: + base_interval: 7s + max_interval: 10s + connect_timeout: 0.25s + dns_jitter: 1000s + lb_policy: ROUND_ROBIN + # Since the following expectResolve() requires Network::DnsLookupFamily::V4Only we need to set + # dns_lookup_family to V4_ONLY explicitly for v2 .yaml config. + dns_lookup_family: V4_ONLY + load_assignment: + endpoints: + - lb_endpoints: + - endpoint: + address: + socket_address: + address: foo.bar.com + port_value: 443 + )EOF"; + + EXPECT_CALL(initialized_, ready()); + expectResolve(Network::DnsLookupFamily::V4Only, "foo.bar.com"); + setupFromV3Yaml(jitter_yaml); + EXPECT_CALL(membership_updated_, ready()); + EXPECT_CALL(*resolve_timer_, enableTimer(testing::Ge(std::chrono::milliseconds(4000)), _)); + ON_CALL(random_, random()).WillByDefault(Return(std::numeric_limits::min())); + dns_callback_( + Network::DnsResolver::ResolutionStatus::Completed, "", + TestUtility::makeDnsResponse({"127.0.0.1", "127.0.0.2"}, std::chrono::seconds(3000))); +} + } // namespace } // namespace Upstream } // namespace Envoy 
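Review bot: In ExtremeJitter the expectation `enableTimer(testing::Ge(std::chrono::milliseconds(4000)), _)` matches nothing in the YAML, where `dns_refresh_rate` is `1s`. The 4000 looks carried over from a neighbouring test, and the assertion presumably passes only because the stubbed jitter happens to exceed three seconds. Tying the bound to the config, and adding an upper bound if jitter is capped by `dns_jitter`, gives `testing::AllOf(testing::Ge(std::chrono::milliseconds(1000)), testing::Le(std::chrono::milliseconds(1001000)))`. The YAML comment still says "for v2 .yaml config" although the helper called is `setupFromV3Yaml`.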
diff --git a/test/extensions/filters/http/grpc_json_transcoder/BUILD b/test/extensions/filters/http/grpc_json_transcoder/BUILD index e45bb375e9..c9af479253 100644 --- a/test/extensions/filters/http/grpc_json_transcoder/BUILD +++ b/test/extensions/filters/http/grpc_json_transcoder/BUILD @@ -66,7 +66,7 @@ envoy_extension_cc_test( "//test/proto:bookstore_proto_descriptor", ], extension_names = ["envoy.filters.http.grpc_json_transcoder"], - rbe_pool = "6gig", + rbe_pool = "4core", tags = [ "cpu:3", ], diff --git a/test/extensions/filters/http/on_demand/BUILD b/test/extensions/filters/http/on_demand/BUILD index 145fc0ff8f..9c6d25f293 100644 --- a/test/extensions/filters/http/on_demand/BUILD +++ b/test/extensions/filters/http/on_demand/BUILD @@ -33,7 +33,7 @@ envoy_extension_cc_test( size = "large", srcs = ["on_demand_integration_test.cc"], extension_names = ["envoy.filters.http.on_demand"], - rbe_pool = "6gig", + rbe_pool = "4core", tags = [ "cpu:3", ], diff --git a/test/extensions/filters/http/rate_limit_quota/BUILD b/test/extensions/filters/http/rate_limit_quota/BUILD index ee9d77dce8..bcc0487087 100644 --- a/test/extensions/filters/http/rate_limit_quota/BUILD +++ b/test/extensions/filters/http/rate_limit_quota/BUILD @@ -107,7 +107,7 @@ envoy_extension_cc_test( size = "large", srcs = ["integration_test.cc"], extension_names = ["envoy.filters.http.rate_limit_quota"], - rbe_pool = "6gig", + rbe_pool = "4core", shard_count = 4, tags = [ "cpu:3", diff --git a/test/extensions/filters/http/wasm/BUILD b/test/extensions/filters/http/wasm/BUILD index 130216302e..f2be498820 100644 --- a/test/extensions/filters/http/wasm/BUILD +++ b/test/extensions/filters/http/wasm/BUILD @@ -35,7 +35,7 @@ envoy_extension_cc_test( "//test/extensions/filters/http/wasm/test_data:shared_queue_rust.wasm", ]), extension_names = ["envoy.filters.http.wasm"], - rbe_pool = "2core", + rbe_pool = "4core", shard_count = 50, tags = [ "cpu:4", 
@@ -86,7 +86,7 @@ envoy_extension_cc_test( "//test/extensions/filters/http/wasm/test_data:test_cpp.wasm", ]), extension_names = ["envoy.filters.http.wasm"], - rbe_pool = "2core", + rbe_pool = "4core", shard_count = 16, tags = ["skip_on_windows"], deps = [ diff --git a/test/extensions/filters/listener/tls_inspector/tls_inspector_integration_test.cc b/test/extensions/filters/listener/tls_inspector/tls_inspector_integration_test.cc index 48fd78ccb3..53b9be07a4 100644 --- a/test/extensions/filters/listener/tls_inspector/tls_inspector_integration_test.cc +++ b/test/extensions/filters/listener/tls_inspector/tls_inspector_integration_test.cc @@ -206,8 +206,7 @@ TEST_P(TlsInspectorIntegrationTest, JA3FingerprintIsSet) { 1); EXPECT_EQ(static_cast(TestUtility::readSampleSum(test_server_->server().dispatcher(), *bytes_processed_histogram)), - // Value expected in RHEL-9 - 135); + 145); } TEST_P(TlsInspectorIntegrationTest, RequestedBufferSizeCanGrow) { @@ -253,8 +252,7 @@ TEST_P(TlsInspectorIntegrationTest, RequestedBufferSizeCanGrow) { 1); EXPECT_EQ(static_cast(TestUtility::readSampleSum(test_server_->server().dispatcher(), *bytes_processed_histogram)), - // Value expected in RHEL-9 - 395); + 405); } INSTANTIATE_TEST_SUITE_P(IpVersions, TlsInspectorIntegrationTest, diff --git a/test/extensions/filters/network/redis_proxy/BUILD b/test/extensions/filters/network/redis_proxy/BUILD index e6846ca9a8..a26eeecb1b 100644 --- a/test/extensions/filters/network/redis_proxy/BUILD +++ b/test/extensions/filters/network/redis_proxy/BUILD @@ -18,7 +18,7 @@ envoy_extension_cc_test( name = "command_splitter_impl_test", srcs = ["command_splitter_impl_test.cc"], extension_names = ["envoy.filters.network.redis_proxy"], - rbe_pool = "2core", + rbe_pool = "4core", deps = [ ":redis_mocks", "//source/common/stats:isolated_store_lib", 
diff --git a/test/extensions/http/original_ip_detection/custom_header/custom_header_test.cc b/test/extensions/http/original_ip_detection/custom_header/custom_header_test.cc index 1ef2722a60..b26904a2e4 100644 --- a/test/extensions/http/original_ip_detection/custom_header/custom_header_test.cc +++ b/test/extensions/http/original_ip_detection/custom_header/custom_header_test.cc 
@@ -99,6 +99,46 @@ TEST_F(CustomHeaderTest, FallbacksToDefaultResponseCode) { EXPECT_EQ(reject_options.body, ""); } +TEST_F(CustomHeaderTest, SkipXFFAppendBehavior) { + // Test all scenarios to ensure XFF header is never appended + + // When header is missing + { + Envoy::Http::TestRequestHeaderMapImpl headers{{"x-other", "abc"}}; + Envoy::Http::OriginalIPDetectionParams params = {headers, nullptr}; + auto result = custom_header_extension_->detect(params); + + EXPECT_TRUE(result.skip_xff_append) << "XFF append should be skipped when header is missing"; + } + + // When header contains invalid IP + { + Envoy::Http::TestRequestHeaderMapImpl headers{{"x-real-ip", "not-a-real-ip"}}; + Envoy::Http::OriginalIPDetectionParams params = {headers, nullptr}; + auto result = custom_header_extension_->detect(params); + + EXPECT_TRUE(result.skip_xff_append) << "XFF append should be skipped for invalid IP"; + } + + // When header contains valid IPv4 + { + Envoy::Http::TestRequestHeaderMapImpl headers{{"x-real-ip", "1.2.3.4"}}; + Envoy::Http::OriginalIPDetectionParams params = {headers, nullptr}; + auto result = custom_header_extension_->detect(params); + + EXPECT_TRUE(result.skip_xff_append) << "XFF append should be skipped for valid IPv4"; + } + + // When header contains valid IPv6 + { + Envoy::Http::TestRequestHeaderMapImpl headers{{"x-real-ip", "fc00::1"}}; + Envoy::Http::OriginalIPDetectionParams params = {headers, nullptr}; + auto result = custom_header_extension_->detect(params); + + EXPECT_TRUE(result.skip_xff_append) << "XFF append should be skipped for valid IPv6"; + } +} + } // namespace CustomHeader } // namespace OriginalIPDetection } // namespace Http diff --git a/test/extensions/tracers/opentelemetry/samplers/dynatrace/sampling_controller_test.cc b/test/extensions/tracers/opentelemetry/samplers/dynatrace/sampling_controller_test.cc index f56f2c86d4..17da6ac7cb 100644 --- a/test/extensions/tracers/opentelemetry/samplers/dynatrace/sampling_controller_test.cc 
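Review bot: SkipXFFAppendBehavior checks only `result.skip_xff_append`, while its opening comment claims the XFF header "is never appended"; the header map itself is never inspected. Either reword the comment to `// detect() must set skip_xff_append whether or not the configured header is present or valid.` or add an assertion on `headers`. The same three statements are repeated four times, and a table-driven loop would keep the inputs side by side and make a new case one line. Judging by its name, the flag decides whether the peer address is recorded in X-Forwarded-For, so a short comment on why it is set even when detection fails would help readers; the extension's implementation is outside this hunk.

```cpp
TEST_F(CustomHeaderTest, SkipXFFAppendBehavior) {
  // detect() must set skip_xff_append whether or not the configured header is present or valid.
  // Cases: header absent, invalid IP, valid IPv4, valid IPv6.
  const std::vector<std::pair<std::string, std::string>> cases = {
      {"x-other", "abc"},
      {"x-real-ip", "not-a-real-ip"},
      {"x-real-ip", "1.2.3.4"},
      {"x-real-ip", "fc00::1"},
  };
  for (const auto& [name, value] : cases) {
    Envoy::Http::TestRequestHeaderMapImpl headers{{name, value}};
    Envoy::Http::OriginalIPDetectionParams params = {headers, nullptr};
    const auto result = custom_header_extension_->detect(params);
    EXPECT_TRUE(result.skip_xff_append) << "request header " << name << ": " << value;
  }
}
```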
+++ b/test/extensions/tracers/opentelemetry/samplers/dynatrace/sampling_controller_test.cc @@ -206,6 +206,13 @@ TEST(SamplingControllerTest, TestWarmup) { EXPECT_EQ(sc.getSamplingState("GET_1").getExponent(), 8); EXPECT_EQ(sc.getSamplingState("GET_6").getExponent(), 8); EXPECT_EQ(sc.getSamplingState("GET_789").getExponent(), 8); + + offerEntry(sc, "GET_7", 10000); + EXPECT_EQ(sc.getSamplingState("GET_1").getExponent(), SamplingController::MAX_SAMPLING_EXPONENT); + EXPECT_EQ(sc.getSamplingState("GET_6").getExponent(), SamplingController::MAX_SAMPLING_EXPONENT); + EXPECT_EQ(sc.getSamplingState("GET_789").getExponent(), + SamplingController::MAX_SAMPLING_EXPONENT); + EXPECT_EQ(sc.getSamplingState("GET_7").getExponent(), SamplingController::MAX_SAMPLING_EXPONENT); } // Test getting sampling state from an empty SamplingController diff --git a/test/integration/BUILD b/test/integration/BUILD index 1977ebfce3..5a0c863e81 100644 --- a/test/integration/BUILD +++ b/test/integration/BUILD @@ -59,7 +59,7 @@ envoy_cc_test( srcs = envoy_select_admin_functionality( ["ads_integration_test.cc"], ), - rbe_pool = "6gig", + rbe_pool = "4core", tags = [ "cpu:3", ], @@ -2514,7 +2514,7 @@ envoy_cc_test( "//conditions:default": ["quic_protocol_integration_test.cc"], }), data = ["//test/config/integration/certs"], - rbe_pool = "2core", + rbe_pool = "4core", shard_count = 16, tags = [ "cpu:4", diff --git a/test/tools/schema_validator/BUILD b/test/tools/schema_validator/BUILD index 8865766b45..607a118e17 100644 --- a/test/tools/schema_validator/BUILD +++ b/test/tools/schema_validator/BUILD @@ -33,6 +33,7 @@ envoy_cc_test_library( "//source/common/protobuf:utility_lib", "//source/common/stats:isolated_store_lib", "//source/common/version:version_lib", + "//source/extensions/filters/http/match_delegate:config", "//test/test_common:utility_lib", "@com_github_mirror_tclap//:tclap", "@envoy_api//envoy/config/bootstrap/v3:pkg_cc_proto", 
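Review bot: The block added to TestWarmup carries no comment on the intent behind its assertions. It asserts that a single `offerEntry(sc, "GET_7", 10000)` moves every key, including the three previously at exponent 8, to `SamplingController::MAX_SAMPLING_EXPONENT`. A comment such as `// A large burst must clamp all exponents at MAX_SAMPLING_EXPONENT rather than exceed it.` would record the intent, if that is what is being pinned; the controller's logic is not visible here. TestWarmup's body begins outside the hunk.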
diff --git a/tools/base/requirements.in b/tools/base/requirements.in index d6108945bb..9d576ad11a 100644 --- a/tools/base/requirements.in +++ b/tools/base/requirements.in @@ -27,7 +27,7 @@ frozendict>=2.3.7 gitpython gsutil icalendar -jinja2 +jinja2>=3.1.4 kafka-python-ng multidict>=6.0.2 orjson diff --git a/tools/base/requirements.txt b/tools/base/requirements.txt index eb8d9c90dc..cf541d039e 100644 --- a/tools/base/requirements.txt +++ b/tools/base/requirements.txt @@ -1,5 +1,5 @@ # -# This file is autogenerated by pip-compile with Python 3.11 +# This file is autogenerated by pip-compile with Python 3.12 # by the following command: # # pip-compile --allow-unsafe --generate-hashes requirements.in