Add grpc_httpjson_transcoder external dependency to core

[qiwzhang]

This is for #15299 to address #7763

Title: Add grpc_httpjson_transcoder external dependency to core

Description:
grpc_httpjson_transcoding external dependency is already used by http filter extension grpc_transcoder.

In order to support url_template in RouteMatch, propose to add this dependency to core:

Following items (from check list) may have issues:

• SecPolicy: no
• CI-Tests: no
• Releases: no

[qiwzhang]

@envoyproxy/dependency-shepherds @envoyproxy/security-team

[dio]

@qiwzhang do you accept external contributions for enabling CI in that repo? :).

[qiwzhang]

Yes @dio

[qiwzhang]

Hi @nareddyt could you help to add CI test for grpc_httpjson_transcoding repo?

[nareddyt]

I still do not have admin access to the repo. I will try again.

[moderation]

Full results from OSSF Scorecard is:

scorecard --repo=https://github.com/grpc-ecosystem/grpc-httpjson-transcoding

RESULTS
-------
Active: Pass 10
Branch-Protection: Fail 0
CI-Tests: Fail 4
CII-Best-Practices: Fail 10
Code-Review: Pass 10
Contributors: Pass 10
Frozen-Deps: Fail 5
Fuzzing: Fail 10
Packaging: Fail 0
Pull-Requests: Pass 10
SAST: Fail 10
Security-Policy: Fail 0
Signed-Releases: Fail 0
Signed-Tags: Fail 0

Descriptions of categories at https://github.com/ossf/scorecard#checks. In addition to adding a security policy and CI, doing code scanning with CodeQL might be another quick win. Some of the dependencies in repositories.bzl are themselves old - protobuf 3.10.1 as an example.

[nareddyt]

@qiwzhang I was planning on updating the dep for protobuf tomorrow. I can handle CI setup as well once I have permissions.

I don't have background on the other items. @moderation which ones are hard blockers?

[moderation]

@nareddyt CI and Security Policy are both MUST for core deps - https://github.com/envoyproxy/envoy/blob/main/DEPENDENCY_POLICY.md#new-external-dependencies (and I've added links to my comment above)

[qiwzhang]

@moderation

1. CI is added
2. security policy is added.

Could you check again?

Thanks

[moderation]

scorecard is picking up your security policy. Not sure why your CI score is unchanged.

RESULTS                    
-------                    
Active: Pass 10            
Branch-Protection: Fail 0  
CI-Tests: Fail 4           
CII-Best-Practices: Fail 10
Code-Review: Pass 10       
Contributors: Pass 10      
Frozen-Deps: Fail 5        
Fuzzing: Fail 10           
Packaging: Fail 0          
Pull-Requests: Pass 10     
SAST: Fail 10              
Security-Policy: Pass 10   
Signed-Releases: Fail 0    
Signed-Tags: Fail 0        

@envoyproxy/dependency-shepherds for review

[antoniovicente]

Is it worth considering splitting the url_template code into a separate library that can be consumed by core?

Do we have benchmarks that compare the url_template implementation from grpc_httpjson_transcoder to equivalent RE2 regexps that match the same inputs?

[qiwzhang]

It is a good idea to split path_matcher code used for url_template match from grpc_httpjson_transcoder. I will explore that.

[qiwzhang]

For performance, @nareddyt has a performance test. Maybe he can add url_template perf test with the pending pr to get the number

[nareddyt]

For performance, @nareddyt has a performance test. Maybe he can add url_template perf test with the pending pr to get the number

Sure, I'll get started on that today.

[nareddyt]

@antoniovicente @qiwzhang the benchmark is added in #15493. Fairly interesting - I expected it to be slow, but not slower than the equivalent regex route matchers. I guess building the whole tree structure but not taking advantage of combining multiple routes adds a lot of overhead.

[qiwzhang]

This issue can be replaced by #15506