Merge branch 'master' into mpuncel/http2-hc-goaway

* master: (83 commits)
  tls: Typesafe tls slots (envoyproxy#13789)
  docs(example): Correct URL for caching example page (envoyproxy#13810)
  [fuzz] Made health check fuzz more efficient (envoyproxy#13747)
  rtds: properly scope rtds stats (envoyproxy#13764)
  http: fixing a bug with IPv6 hosts (envoyproxy#13798)
  connection: Remember transport socket read resumption requests and replay them when re-enabling read. (envoyproxy#13772)
  network: adding some accessors for ALPN work. (envoyproxy#13785)
  docs: added a step about how to handle platform specific extensions (envoyproxy#13759)
  Fix identation in ip transparency code snippet (envoyproxy#13743)
  wasm: enable WAVM's stack unwinding feature (envoyproxy#13792)
  log: set route name for direct response (envoyproxy#13683)
  Use nghttp2 as external dependsncy in protocol_constraints_lib (envoyproxy#13763)
  [Windows] Update windows dev docs (envoyproxy#13741)
  cel: patch thread safety issue (envoyproxy#13739)
  Windows: Fix ssl_socket_test (envoyproxy#13264)
  apple dns: add fake api test suite (envoyproxy#13780)
  overload: scale selected timers in response to load (envoyproxy#13475)
  examples: Add dynamic configuration (control plane) sandbox (envoyproxy#13746)
  Removed exception in getResponseStatus() (envoyproxy#13314)
  network: add timeout for transport connect (envoyproxy#13610)
  ...

Signed-off-by: Michael Puncel <[email protected]>

.azure-pipelines/cve_scan.yml

@@ -0,0 +1,22 @@
+# Pipeline for running Envoy's CVE scanner on an hourly basis.
+
+# This pipeline only uses scheduled triggers.
+trigger: none
+pr: none
+
+schedules:
+- cron: "0 * * * *"
+  displayName: Hourly CVE scan
+  branches:
+    include:
+    - master
+  always: true
+
+pool:
+  vmImage: "ubuntu-18.04"
+steps:
+  - script: ci/run_envoy_docker.sh 'ci/do_ci.sh cve_scan'
+    workingDirectory: $(Build.SourcesDirectory)
+    env:
+      ENVOY_DOCKER_BUILD_DIR: $(Build.StagingDirectory)
+    displayName: "Scan for CVEs in dependencies"

.bazelrc

@@ -62,6 +62,9 @@ build:asan --copt -D__SANITIZE_ADDRESS__
 build:asan --test_env=ASAN_OPTIONS=handle_abort=1:allow_addr2line=true:check_initialization_order=true:strict_init_order=true:detect_odr_violation=1
 build:asan --test_env=UBSAN_OPTIONS=halt_on_error=true:print_stacktrace=1
 build:asan --test_env=ASAN_SYMBOLIZER_PATH
+# ASAN needs -O1 to get reasonable performance.
+build:asan --copt -O1
+build:asan --copt -fno-optimize-sibling-calls
 
 # Clang ASAN/UBSAN
 build:clang-asan --config=asan
@@ -165,6 +168,16 @@ build:rbe-toolchain-clang-libc++ --action_env=CXXFLAGS=-stdlib=libc++
 build:rbe-toolchain-clang-libc++ --action_env=LDFLAGS=-stdlib=libc++
 build:rbe-toolchain-clang-libc++ --define force_libcpp=enabled
 
+# Do not inherit from "clang-asan" to avoid picking up flags from local clang.bazelrc.
+build:rbe-toolchain-asan --config=asan
+build:rbe-toolchain-asan --linkopt -fuse-ld=lld
+build:rbe-toolchain-asan --action_env=ENVOY_UBSAN_VPTR=1
+build:rbe-toolchain-asan --copt=-fsanitize=vptr,function
+build:rbe-toolchain-asan --linkopt=-fsanitize=vptr,function
+build:rbe-toolchain-asan --linkopt=-L/opt/llvm/lib/clang/10.0.0/lib/linux
+build:rbe-toolchain-asan --linkopt=-l:libclang_rt.ubsan_standalone-x86_64.a
+build:rbe-toolchain-asan --linkopt=-l:libclang_rt.ubsan_standalone_cxx-x86_64.a
+
 build:rbe-toolchain-msan --linkopt=-L/opt/libcxx_msan/lib
 build:rbe-toolchain-msan --linkopt=-Wl,-rpath,/opt/libcxx_msan/lib
 build:rbe-toolchain-msan --config=clang-msan
@@ -215,6 +228,10 @@ build:remote-clang-libc++ --config=rbe-toolchain-clang-libc++
 build:remote-gcc --config=remote
 build:remote-gcc --config=rbe-toolchain-gcc
 
+build:remote-asan --config=remote
+build:remote-asan --config=rbe-toolchain-clang-libc++
+build:remote-asan --config=rbe-toolchain-asan
+
 build:remote-msan --config=remote
 build:remote-msan --config=rbe-toolchain-clang-libc++
 build:remote-msan --config=rbe-toolchain-msan

.bazelversion

@@ -1 +1 @@
-3.4.1
+3.6.0

.dockerignore

@@ -0,0 +1,9 @@
+/*
+!/ci
+!/configs/google-vrp
+!/configs/*yaml
+!/linux/amd64/build_release*
+!/linux/arm64/build_release*
+!/local
+!/test/config/integration/certs
+!/windows

CODEOWNERS

@@ -37,7 +37,7 @@ extensions/filters/common/original_src @snowp @klarose
 # alts transport socket extension
 /*/extensions/transport_sockets/alts @htuch @yangminzhu
 # tls transport socket extension
-/*/extensions/transport_sockets/tls @PiotrSikora @lizan
+/*/extensions/transport_sockets/tls @PiotrSikora @lizan @asraa
 # proxy protocol socket extension
 /*/extensions/transport_sockets/proxy_protocol @alyssawilk @wez470
 # common transport socket
@@ -93,7 +93,7 @@ extensions/filters/common/original_src @snowp @klarose
 # common matcher
 /*/extensions/common/matcher @mattklein123 @yangminzhu
 # common crypto extension
-/*/extensions/common/crypto @lizan @PiotrSikora @bdecoste
+/*/extensions/common/crypto @lizan @PiotrSikora @bdecoste @asraa
 /*/extensions/common/proxy_protocol @alyssawilk @wez470
 /*/extensions/common/sqlutils @cpakulski @dio
 /*/extensions/filters/http/grpc_http1_bridge @snowp @jose
@@ -108,7 +108,7 @@ extensions/filters/common/original_src @snowp @klarose
 /*/extensions/filters/http/squash @yuval-k @alyssawilk
 /*/extensions/filters/common/ext_authz @gsagula @dio
 /*/extensions/filters/common/original_src @klarose @snowp
-/*/extensions/filters/listener/tls_inspector @piotrsikora @htuch
+/*/extensions/filters/listener/tls_inspector @piotrsikora @htuch @asraa
 /*/extensions/grpc_credentials/example @wozz @htuch
 /*/extensions/grpc_credentials/file_based_metadata @wozz @htuch
 /*/extensions/internal_redirect @alyssawilk @penguingao

CONTRIBUTING.md

@@ -69,9 +69,10 @@ versioning guidelines:
   cause a configuration load failure, unless the feature in question is
   explicitly overridden in
   [runtime](https://www.envoyproxy.io/docs/envoy/latest/configuration/operations/runtime#using-runtime-overrides-for-deprecated-features)
-  config ([example](configs/using_deprecated_config.yaml)). Finally, following the deprecation
-  of the API major version where the field was first
-  marked deprecated, the entire implementation code will be removed from the Envoy implementation.
+  config ([example](configs/using_deprecated_config.yaml)), or if
+  `envoy.features.enable_all_deprecated_features` is set to true. Finally, following the deprecation
+  of the API major version where the field was first marked deprecated, the entire implementation
+  code will be removed from the Envoy implementation.
 * This policy means that organizations deploying master should have some time to get ready for
   breaking changes at the next major API version. This is typically a window of at least 12 months
   or until the organization moves to the next major API version.

EXTENSION_POLICY.md

@@ -35,6 +35,10 @@ The following procedure will be used when proposing new extensions for inclusion
   by other contributors.
   5. Any new dependencies added for this extension must comply with
   [DEPENDENCY_POLICY.md](DEPENDENCY_POLICY.md), please follow the steps detailed there.
+  6. If an extension depends on platform specific functionality, be sure to guard it in the build
+  system. See [platform specific features](./PULL_REQUESTS.md#platform-specific-features).
+  Add the extension to the necessary `*_SKIP_TARGETS` in [bazel/repositories.bzl](bazel/repositories.bzl)
+  and tag tests to be skipped/failed on the unsupported platform.
 
 ## Removing existing extensions
 
@@ -122,3 +126,14 @@ An assessment of a robust security posture for an extension is subject to the fo
 
 The current stability and security posture of all extensions can be seen
 [here](https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/security/threat_model#core-and-extensions).
+
+## Adding Extension Points
+
+Envoy might lack the extension point necessary for an extension. In that
+case we need to install an extension point, which can be done as follows:
+
+  1. Open a GitHub issue describing the proposed extension point and use cases.
+  2. Make changes in core Envoy for the extension point.
+  3. Update [extending envoy](docs/root/extending/extending.rst) to list the new
+     extension point and add any documentation explaining the extension point.
+     At the very least this should link to the corresponding proto.

GOVERNANCE.md

@@ -87,7 +87,9 @@ or you can subscribe to the iCal feed [here](webcal://kubernetes.app.opsgenie.co
   * Remove the "Pending" tags and add dates to the top of the [release notes for this version](docs/root/version_history/current.rst).
   * Switch the [VERSION](VERSION) from a "dev" variant to a final variant. E.g., "1.6.0-dev" to
     "1.6.0".
-  * Update the [RELEASES](RELEASES.md) doc with the relevant dates.
+  * Update the [RELEASES](RELEASES.md) doc with the relevant dates. Now, or after you cut the
+    release, please also make sure there's a stable maintainer signed up for next quarter,
+    and the deadline for the next release is documented in the release schedule.
   * Get a review and merge.
 * Wait for tests to pass on [master](https://dev.azure.com/cncf/envoy/_build).
 * Create a [tagged release](https://github.com/envoyproxy/envoy/releases). The release should

RELEASES.md

@@ -46,11 +46,13 @@ schedule, initially aiming for the bi-weekly releases.
 Release managers of stable releases are responsible for approving and merging backports, tagging
 stable releases and sending announcements about them. This role is rotating on a quarterly basis.
 
-| Quarter |       Release manager        |
-|:-------:|:----------------------------:|
-| 2020 Q1 | Piotr Sikora ([PiotrSikora]) |
-| 2020 Q2 | Piotr Sikora ([PiotrSikora]) |
-| 2020 Q3 | Yuchen Dai ([lambdai])       |
+| Quarter |       Release manager                                          |
+|:-------:|:--------------------------------------------------------------:|
+| 2020 Q1 | Piotr Sikora ([PiotrSikora](https://github.com/PiotrSikora))   |
+| 2020 Q2 | Piotr Sikora ([PiotrSikora](https://github.com/PiotrSikora))   |
+| 2020 Q3 | Yuchen Dai ([lambdai](https://github.com/lambdai))             |
+| 2020 Q4 | Christoph Pakulski ([cpakulski](https://github.com/cpakulski)) |
+| 2021 Q1 | Rei Shimizu ([Shikugawa](https://github.com/Shikugawa))        |
 
 ## Release schedule
 
@@ -69,4 +71,3 @@ deadline of 3 weeks.
 
 
 [repokitteh]: https://github.com/repokitteh
-[PiotrSikora]: https://github.com/PiotrSikora

api/envoy/config/core/v3/protocol.proto

@@ -270,15 +270,17 @@ message Http2ProtocolOptions {
   // be written into the socket). Exceeding this limit triggers flood mitigation and connection is
   // terminated. The ``http2.outbound_flood`` stat tracks the number of terminated connections due
   // to flood mitigation. The default limit is 10000.
-  // [#comment:TODO: implement same limits for upstream outbound frames as well.]
+  // NOTE: flood and abuse mitigation for upstream connections is presently enabled by the
+  // `envoy.reloadable_features.upstream_http2_flood_checks` flag.
   google.protobuf.UInt32Value max_outbound_frames = 7 [(validate.rules).uint32 = {gte: 1}];
 
   // Limit the number of pending outbound downstream frames of types PING, SETTINGS and RST_STREAM,
   // preventing high memory utilization when receiving continuous stream of these frames. Exceeding
   // this limit triggers flood mitigation and connection is terminated. The
   // ``http2.outbound_control_flood`` stat tracks the number of terminated connections due to flood
   // mitigation. The default limit is 1000.
-  // [#comment:TODO: implement same limits for upstream outbound frames as well.]
+  // NOTE: flood and abuse mitigation for upstream connections is presently enabled by the
+  // `envoy.reloadable_features.upstream_http2_flood_checks` flag.
   google.protobuf.UInt32Value max_outbound_control_frames = 8 [(validate.rules).uint32 = {gte: 1}];
 
   // Limit the number of consecutive inbound frames of types HEADERS, CONTINUATION and DATA with an
@@ -287,7 +289,8 @@ message Http2ProtocolOptions {
   // stat tracks the number of connections terminated due to flood mitigation.
   // Setting this to 0 will terminate connection upon receiving first frame with an empty payload
   // and no end stream flag. The default limit is 1.
-  // [#comment:TODO: implement same limits for upstream inbound frames as well.]
+  // NOTE: flood and abuse mitigation for upstream connections is presently enabled by the
+  // `envoy.reloadable_features.upstream_http2_flood_checks` flag.
   google.protobuf.UInt32Value max_consecutive_inbound_frames_with_empty_payload = 9;
 
   // Limit the number of inbound PRIORITY frames allowed per each opened stream. If the number
@@ -298,7 +301,8 @@ message Http2ProtocolOptions {
   //
   // the connection is terminated. The ``http2.inbound_priority_frames_flood`` stat tracks
   // the number of connections terminated due to flood mitigation. The default limit is 100.
-  // [#comment:TODO: implement same limits for upstream inbound frames as well.]
+  // NOTE: flood and abuse mitigation for upstream connections is presently enabled by the
+  // `envoy.reloadable_features.upstream_http2_flood_checks` flag.
   google.protobuf.UInt32Value max_inbound_priority_frames_per_stream = 10;
 
   // Limit the number of inbound WINDOW_UPDATE frames allowed per DATA frame sent. If the number
@@ -312,7 +316,8 @@ message Http2ProtocolOptions {
   // the number of connections terminated due to flood mitigation. The default limit is 10.
   // Setting this to 1 should be enough to support HTTP/2 implementations with basic flow control,
   // but more complex implementations that try to estimate available bandwidth require at least 2.
-  // [#comment:TODO: implement same limits for upstream inbound frames as well.]
+  // NOTE: flood and abuse mitigation for upstream connections is presently enabled by the
+  // `envoy.reloadable_features.upstream_http2_flood_checks` flag.
   google.protobuf.UInt32Value max_inbound_window_update_frames_per_data_frame_sent = 11
       [(validate.rules).uint32 = {gte: 1}];
 

api/envoy/config/listener/v3/listener_components.proto

@@ -180,7 +180,7 @@ message FilterChainMatch {
 
 // A filter chain wraps a set of match criteria, an option TLS context, a set of filters, and
 // various other parameters.
-// [#next-free-field: 9]
+// [#next-free-field: 10]
 message FilterChain {
   option (udpa.annotations.versioning).previous_message_type = "envoy.api.v2.listener.FilterChain";
 
@@ -230,6 +230,11 @@ message FilterChain {
   // will be set up with plaintext.
   core.v3.TransportSocket transport_socket = 6;
 
+  // If present and nonzero, the amount of time to allow incoming connections to complete any
+  // transport socket negotiations. If this expires before the transport reports connection
+  // establishment, the connection is summarily closed.
+  google.protobuf.Duration transport_socket_connect_timeout = 9;
+
   // [#not-implemented-hide:] The unique name (or empty) by which this filter chain is known. If no
   // name is provided, Envoy will allocate an internal UUID for the filter chain. If the filter
   // chain is to be dynamically updated or removed via FCDS a unique name must be provided.

api/envoy/config/overload/v3/BUILD

@@ -7,6 +7,7 @@ licenses(["notice"])  # Apache 2
 api_proto_package(
     deps = [
         "//envoy/config/overload/v2alpha:pkg",
+        "//envoy/type/v3:pkg",
         "@com_github_cncf_udpa//udpa/annotations:pkg",
     ],
 )