Merge remote-tracking branch 'upstream/main' into cpp20

Change-Id: Id663fb0a88a9eb2968a86539054f7ef87aa518e6
kyessenov · Feb 29, 2024 · d07557e · d07557e
2 parents 947e3a4 + 5728604
commit d07557e
Show file tree

Hide file tree

Showing 115 changed files with 3,203 additions and 203 deletions.
diff --git a/api/envoy/extensions/tracers/opentelemetry/samplers/v3/BUILD b/api/envoy/extensions/tracers/opentelemetry/samplers/v3/BUILD
@@ -5,5 +5,8 @@ load("@envoy_api//bazel:api_build_system.bzl", "api_proto_package")
 licenses(["notice"])  # Apache 2
 
 api_proto_package(
-    deps = ["@com_github_cncf_xds//udpa/annotations:pkg"],
+    deps = [
+        "//envoy/config/core/v3:pkg",
+        "@com_github_cncf_xds//udpa/annotations:pkg",
+    ],
 )
diff --git a/api/envoy/extensions/tracers/opentelemetry/samplers/v3/dynatrace_sampler.proto b/api/envoy/extensions/tracers/opentelemetry/samplers/v3/dynatrace_sampler.proto
@@ -0,0 +1,53 @@
+syntax = "proto3";
+
+package envoy.extensions.tracers.opentelemetry.samplers.v3;
+
+import "envoy/config/core/v3/http_uri.proto";
+
+import "udpa/annotations/status.proto";
+
+option java_package = "io.envoyproxy.envoy.extensions.tracers.opentelemetry.samplers.v3";
+option java_outer_classname = "DynatraceSamplerProto";
+option java_multiple_files = true;
+option go_package = "github.com/envoyproxy/go-control-plane/envoy/extensions/tracers/opentelemetry/samplers/v3;samplersv3";
+option (udpa.annotations.file_status).package_version_status = ACTIVE;
+
+// [#protodoc-title: Dynatrace Sampler config]
+// Configuration for the Dynatrace Sampler extension.
+// [#extension: envoy.tracers.opentelemetry.samplers.dynatrace]
+
+// [#next-free-field: 6]
+message DynatraceSamplerConfig {
+  // The Dynatrace tenant.
+  //
+  // The value can be obtained from the Envoy deployment page in Dynatrace.
+  string tenant = 1;
+
+  // The id of the Dynatrace cluster id.
+  //
+  // The value can be obtained from the Envoy deployment page in Dynatrace.
+  int32 cluster_id = 2;
+
+  // The HTTP URI to fetch the sampler configuration (root spans per minute). For example:
+  //
+  // .. code-block:: yaml
+  //
+  //    http_uri:
+  //      uri: <tenant>.dev.dynatracelabs.com/api/v2/otlp/v1/traces
+  //      cluster: dynatrace
+  //      timeout: 10s
+  //
+  config.core.v3.HttpUri http_uri = 3;
+
+  // The access token to fetch the sampling configuration from the Dynatrace API
+  string token = 4;
+
+  // Default number of root spans per minute, used when the value can't be obtained from the Dynatrace API.
+  //
+  // A default value of ``1000`` is used when:
+  //
+  // - ``root_spans_per_minute`` is unset
+  // - ``root_spans_per_minute`` is set to 0
+  //
+  uint32 root_spans_per_minute = 5;
+}
diff --git a/bazel/io_opentelemetry_cpp.patch b/bazel/io_opentelemetry_cpp.patch
@@ -0,0 +1,13 @@
+# TODO: Remove once https://github.com/open-telemetry/opentelemetry-cpp/issues/2556 is merged
+
+--- a/api/include/opentelemetry/trace/span_context.h
++++ b/api/include/opentelemetry/trace/span_context.h
+@@ -30,7 +30,7 @@ class SpanContext final
+   SpanContext(bool sampled_flag, bool is_remote) noexcept
+       : trace_id_(),
+         span_id_(),
+-        trace_flags_(trace::TraceFlags((uint8_t)sampled_flag)),
++        trace_flags_(trace::TraceFlags(static_cast<uint8_t>(sampled_flag))),
+         is_remote_(is_remote),
+         trace_state_(TraceState::GetDefault())
+   {}
diff --git a/bazel/repositories.bzl b/bazel/repositories.bzl
@@ -777,7 +777,11 @@ def _io_opentracing_cpp():
     )
 
 def _io_opentelemetry_api_cpp():
-    external_http_archive("io_opentelemetry_cpp")
+    external_http_archive(
+        name = "io_opentelemetry_cpp",
+        patch_args = ["-p1"],
+        patches = ["@envoy//bazel:io_opentelemetry_cpp.patch"],
+    )
     native.bind(
         name = "opentelemetry_api",
         actual = "@io_opentelemetry_cpp//api:api",

diff --git a/bazel/repository_locations.bzl b/bazel/repository_locations.bzl
@@ -565,6 +565,7 @@ REPOSITORY_LOCATIONS_SPEC = dict(
         extensions = [
             "envoy.tracers.opentelemetry",
             "envoy.tracers.opentelemetry.samplers.always_on",
+            "envoy.tracers.opentelemetry.samplers.dynatrace",
         ],
         release_date = "2024-02-17",
         cpe = "N/A",

diff --git a/changelogs/current.yaml b/changelogs/current.yaml
@@ -234,11 +234,18 @@ new_features:
     added an option to dynamically set a per downstream connection idle timeout period object under the key
     ``envoy.tcp_proxy.per_connection_idle_timeout_ms``. If this filter state value exists, it will override the idle timeout
     specified in the filter configuration and the default idle timeout.
+- area: load shed point
+  change: |
+    Added load shed point ``envoy.load_shed_points.hcm_ondata_creating_codec`` that closes connections before creating codec if
+    Envoy is under pressure, typically memory.
 - area: overload
   change: |
     added a :ref:`configuration option
     <envoy_v3_api_field_extensions.filters.network.http_connection_manager.v3.HttpConnectionManager.append_local_overload>` to add
     ``x-envoy-local-overloaded`` header when Overload Manager is triggered.
+- area: tracing
+  change: |
+    Added support to configure a Dynatrace sampler for the OpenTelemetry tracer.
 
 deprecated:
 - area: listener

diff --git a/ci/Dockerfile-envoy b/ci/Dockerfile-envoy
@@ -58,7 +58,7 @@ COPY --chown=0:0 --chmod=755 \
 
 
 # STAGE: envoy-distroless
-FROM gcr.io/distroless/base-nossl-debian12:nonroot@sha256:0e777c69ba810353b9f3f2033280bbe7d029d81fa55760f6eec817ef595aa19c AS envoy-distroless
+FROM gcr.io/distroless/base-nossl-debian12:nonroot@sha256:28dc8956c04a92ffc192d06c5da69fa747c675ee44043ba18128e747c2f539f5 AS envoy-distroless
 EXPOSE 10000
 ENTRYPOINT ["/usr/local/bin/envoy"]
 CMD ["-c", "/etc/envoy/envoy.yaml"]

diff --git a/contrib/generic_proxy/filters/network/source/BUILD b/contrib/generic_proxy/filters/network/source/BUILD
@@ -74,6 +74,7 @@ envoy_cc_library(
         "//source/common/common:matchers_lib",
         "//source/common/config:metadata_lib",
         "//source/common/config:utility_lib",
+        "//source/common/http:header_utility_lib",
         "//source/common/matcher:matcher_lib",
         "@envoy_api//contrib/envoy/extensions/filters/network/generic_proxy/action/v3:pkg_cc_proto",
         "@envoy_api//contrib/envoy/extensions/filters/network/generic_proxy/v3:pkg_cc_proto",

diff --git a/contrib/sxg/filters/http/source/BUILD b/contrib/sxg/filters/http/source/BUILD
@@ -28,6 +28,7 @@ envoy_cc_library(
         "//source/common/http:codes_lib",
         "//source/common/stats:symbol_table_lib",
         "//source/common/stats:utility_lib",
+        "//source/common/secret:secret_provider_impl_lib",
         "//source/extensions/filters/http/common:pass_through_filter_lib",
         "@envoy_api//contrib/envoy/extensions/filters/http/sxg/v3alpha:pkg_cc_proto",
         # use boringssl alias to select fips vs non-fips version.

diff --git a/contrib/sxg/filters/http/source/config.cc b/contrib/sxg/filters/http/source/config.cc
@@ -57,7 +57,8 @@ Http::FilterFactoryCb FilterFactory::createFilterFactoryFromProtoTyped(
   }
 
   auto secret_reader = std::make_shared<SDSSecretReader>(
-      secret_provider_certificate, secret_provider_private_key, server_context.api());
+      std::move(secret_provider_certificate), std::move(secret_provider_private_key),
+      server_context.threadLocal(), server_context.api());
   auto config = std::make_shared<FilterConfig>(proto_config, server_context.timeSource(),
                                                secret_reader, stat_prefix, context.scope());
   return [config](Http::FilterChainFactoryCallbacks& callbacks) -> void {

diff --git a/contrib/sxg/filters/http/source/filter_config.h b/contrib/sxg/filters/http/source/filter_config.h
@@ -4,7 +4,7 @@
 #include "envoy/stats/scope.h"
 #include "envoy/stats/stats_macros.h"
 
-#include "source/common/config/datasource.h"
+#include "source/common/secret/secret_provider_impl.h"
 #include "source/extensions/filters/http/common/pass_through_filter.h"
 
 #include "contrib/envoy/extensions/filters/http/sxg/v3alpha/sxg.pb.h"
@@ -37,39 +37,18 @@ class SecretReader {
 
 class SDSSecretReader : public SecretReader {
 public:
-  SDSSecretReader(Secret::GenericSecretConfigProviderSharedPtr certificate_provider,
-                  Secret::GenericSecretConfigProviderSharedPtr private_key_provider, Api::Api& api)
-      : update_callback_client_(readAndWatchSecret(certificate_, certificate_provider, api)),
-        update_callback_token_(readAndWatchSecret(private_key_, private_key_provider, api)) {}
-
+  SDSSecretReader(Secret::GenericSecretConfigProviderSharedPtr&& certificate_provider,
+                  Secret::GenericSecretConfigProviderSharedPtr&& private_key_provider,
+                  ThreadLocal::SlotAllocator& tls, Api::Api& api)
+      : certificate_(std::move(certificate_provider), tls, api),
+        private_key_(std::move(private_key_provider), tls, api) {}
   // SecretReader
-  const std::string& certificate() const override { return certificate_; }
-  const std::string& privateKey() const override { return private_key_; }
+  const std::string& certificate() const override { return certificate_.secret(); }
+  const std::string& privateKey() const override { return private_key_.secret(); }
 
 private:
-  Envoy::Common::CallbackHandlePtr
-  readAndWatchSecret(std::string& value,
-                     Secret::GenericSecretConfigProviderSharedPtr& secret_provider, Api::Api& api) {
-    const auto* secret = secret_provider->secret();
-    if (secret != nullptr) {
-      value =
-          THROW_OR_RETURN_VALUE(Config::DataSource::read(secret->secret(), true, api), std::string);
-    }
-
-    return secret_provider->addUpdateCallback([secret_provider, &api, &value]() {
-      const auto* secret = secret_provider->secret();
-      if (secret != nullptr) {
-        value = THROW_OR_RETURN_VALUE(Config::DataSource::read(secret->secret(), true, api),
-                                      std::string);
-      }
-    });
-  }
-
-  std::string certificate_;
-  std::string private_key_;
-
-  Envoy::Common::CallbackHandlePtr update_callback_client_;
-  Envoy::Common::CallbackHandlePtr update_callback_token_;
+  Secret::ThreadLocalGenericSecretProvider certificate_;
+  Secret::ThreadLocalGenericSecretProvider private_key_;
 };
 
 class FilterConfig : public Logger::Loggable<Logger::Id::filter> {

diff --git a/contrib/sxg/filters/http/test/filter_test.cc b/contrib/sxg/filters/http/test/filter_test.cc
@@ -380,7 +380,9 @@ TEST_F(FilterTest, SdsDynamicGenericSecret) {
       config_source, "private_key", secret_context, init_manager);
   auto private_key_callback = secret_context.cluster_manager_.subscription_factory_.callbacks_;
 
-  SDSSecretReader secret_reader(certificate_secret_provider, private_key_secret_provider, *api);
+  NiceMock<ThreadLocal::MockInstance> tls;
+  SDSSecretReader secret_reader(std::move(certificate_secret_provider),
+                                std::move(private_key_secret_provider), tls, *api);
   EXPECT_TRUE(secret_reader.certificate().empty());
   EXPECT_TRUE(secret_reader.privateKey().empty());
 

diff --git a/docs/root/configuration/operations/overload_manager/overload_manager.rst b/docs/root/configuration/operations/overload_manager/overload_manager.rst
@@ -165,6 +165,11 @@ The following core load shed points are supported:
     - Envoy will send a ``GOAWAY`` while processing HTTP2 requests at the codec
       level which will eventually drain the HTTP/2 connection.
 
+  * - envoy.load_shed_points.hcm_ondata_creating_codec
+    - Envoy will close the connections before creating codec if Envoy is under
+      pressure, typically memory. This happens once geting data from the
+      connection.
+
 .. _config_overload_manager_reducing_timeouts:
 
 Reducing timeouts

diff --git a/envoy/network/BUILD b/envoy/network/BUILD
@@ -58,6 +58,12 @@ envoy_cc_library(
     ],
 )
 
+envoy_cc_library(
+    name = "parent_drained_callback_registrar_interface",
+    hdrs = ["parent_drained_callback_registrar.h"],
+    deps = [":address_interface"],
+)
+
 envoy_cc_library(
     name = "udp_packet_writer_handler_interface",
     hdrs = ["udp_packet_writer_handler.h"],

diff --git a/envoy/network/parent_drained_callback_registrar.h b/envoy/network/parent_drained_callback_registrar.h
@@ -0,0 +1,29 @@
+#pragma once
+
+#include "envoy/network/address.h"
+
+#include "absl/functional/any_invocable.h"
+
+namespace Envoy {
+namespace Network {
+
+/**
+ * An interface through which a UDP listen socket, especially a QUIC socket, can
+ * postpone reading during hot restart until the parent instance is drained.
+ */
+class ParentDrainedCallbackRegistrar {
+public:
+  /**
+   * @param address is the address of the listener.
+   * @param callback the function to call when the listener matching address is
+   *                 drained on the parent instance.
+   */
+  virtual void registerParentDrainedCallback(const Address::InstanceConstSharedPtr& address,
+                                             absl::AnyInvocable<void()> callback) PURE;
+
+protected:
+  virtual ~ParentDrainedCallbackRegistrar() = default;
+};
+
+} // namespace Network
+} // namespace Envoy
diff --git a/envoy/network/socket.h b/envoy/network/socket.h
@@ -542,6 +542,13 @@ class Socket {
    * @return the socket options stored earlier with addOption() and addOptions() calls, if any.
    */
   virtual const OptionsSharedPtr& options() const PURE;
+
+  /**
+   * @return a ParentDrainedCallbackRegistrar for UDP listen sockets during hot restart.
+   */
+  virtual OptRef<class ParentDrainedCallbackRegistrar> parentDrainedCallbackRegistrar() const {
+    return absl::nullopt;
+  }
 };
 
 using SocketPtr = std::unique_ptr<Socket>;

diff --git a/envoy/server/hot_restart.h b/envoy/server/hot_restart.h
@@ -62,6 +62,17 @@ class HotRestart {
   virtual void
   registerUdpForwardingListener(Network::Address::InstanceConstSharedPtr address,
                                 std::shared_ptr<Network::UdpListenerConfig> listener_config) PURE;
+
+  /**
+   * @return An interface on which registerParentDrainedCallback can be called during
+   *         creation of a listener, or nullopt if there is no parent instance.
+   *
+   *         If this is set, any UDP listener should start paused and only begin listening
+   *         when the parent instance is drained; this allows draining QUIC listeners to
+   *         catch their own packets and forward unrecognized packets to the child instance.
+   */
+  virtual OptRef<Network::ParentDrainedCallbackRegistrar> parentDrainedCallbackRegistrar() PURE;
+
   /**
    * Initialize the parent logic of our restarter. Meant to be called after initialization of a
    * new child has begun. The hot restart implementation needs to be created early to deal with

diff --git a/envoy/server/overload/load_shed_point.h b/envoy/server/overload/load_shed_point.h
@@ -26,6 +26,8 @@ class LoadShedPointNameValues {
   // which will eventually drain the HTTP/2 connection.
   const std::string H2ServerGoAwayOnDispatch =
       "envoy.load_shed_points.http2_server_go_away_on_dispatch";
+
+  const std::string HcmCodecCreation = "envoy.load_shed_points.hcm_ondata_creating_codec";
 };
 
 using LoadShedPointName = ConstSingleton<LoadShedPointNameValues>;

diff --git a/source/common/access_log/access_log_impl.cc b/source/common/access_log/access_log_impl.cc
@@ -15,6 +15,7 @@
 #include "source/common/common/utility.h"
 #include "source/common/config/metadata.h"
 #include "source/common/config/utility.h"
+#include "source/common/grpc/common.h"
 #include "source/common/http/header_map_impl.h"
 #include "source/common/http/header_utility.h"
 #include "source/common/http/headers.h"

diff --git a/source/common/common/BUILD b/source/common/common/BUILD
@@ -319,6 +319,7 @@ envoy_cc_library(
         "//envoy/common:matchers_interface",
         "//source/common/common:regex_lib",
         "//source/common/config:metadata_lib",
+        "//source/common/config:utility_lib",
         "//source/common/http:path_utility_lib",
         "//source/common/protobuf",
         "@envoy_api//envoy/config/core/v3:pkg_cc_proto",

diff --git a/source/common/config/BUILD b/source/common/config/BUILD
@@ -226,15 +226,10 @@ envoy_cc_library(
         "//source/common/common:backoff_lib",
         "//source/common/common:hash_lib",
         "//source/common/common:hex_lib",
-        "//source/common/grpc:common_lib",
         "//source/common/protobuf",
         "//source/common/protobuf:utility_lib",
         "//source/common/runtime:runtime_features_lib",
         "//source/common/singleton:const_singleton",
-        "//source/common/stats:histogram_lib",
-        "//source/common/stats:stats_lib",
-        "//source/common/stats:stats_matcher_lib",
-        "//source/common/stats:tag_producer_lib",
         "//source/common/version:api_version_lib",
         "@com_github_cncf_xds//udpa/type/v1:pkg_cc_proto",
         "@com_github_cncf_xds//xds/type/v3:pkg_cc_proto",
@@ -245,6 +240,19 @@ envoy_cc_library(
     ],
 )
 
+envoy_cc_library(
+    name = "stats_utility_lib",
+    srcs = ["stats_utility.cc"],
+    hdrs = ["stats_utility.h"],
+    deps = [
+        "//source/common/stats:histogram_lib",
+        "//source/common/stats:stats_lib",
+        "//source/common/stats:stats_matcher_lib",
+        "//source/common/stats:tag_producer_lib",
+        "@envoy_api//envoy/config/bootstrap/v3:pkg_cc_proto",
+    ],
+)
+
 envoy_cc_library(
     name = "subscription_base_interface",
     hdrs = ["subscription_base.h"],

diff --git a/source/common/config/stats_utility.cc b/source/common/config/stats_utility.cc
@@ -0,0 +1,17 @@
+#include "source/common/config/stats_utility.h"
+
+#include "source/common/stats/histogram_impl.h"
+#include "source/common/stats/stats_matcher_impl.h"
+#include "source/common/stats/tag_producer_impl.h"
+
+namespace Envoy {
+namespace Config {
+
+Stats::TagProducerPtr
+StatsUtility::createTagProducer(const envoy::config::bootstrap::v3::Bootstrap& bootstrap,
+                                const Stats::TagVector& cli_tags) {
+  return std::make_unique<Stats::TagProducerImpl>(bootstrap.stats_config(), cli_tags);
+}
+
+} // namespace Config
+} // namespace Envoy