feat(envoy-update): update envoy to 1.36

.bazelversion

@@ -1 +1 @@
-6.3.2
+7.7.1

BUILD

@@ -37,7 +37,7 @@ envoy_cc_binary(
     deps = [
         "//extensions/access_log_policy:access_log_policy_lib",
         "//extensions/metadata_exchange:metadata_exchange_lib",
-        "//extensions/stackdriver:stackdriver_plugin",
+        # "//extensions/stackdriver:stackdriver_plugin",
         "//source/extensions/common/workload_discovery:api_lib",  # Experimental: WIP
         "//source/extensions/filters/http/alpn:config_lib",
         "//source/extensions/filters/http/authn:filter_lib",
@@ -58,7 +58,7 @@ envoy_cc_binary(
         "@envoy//contrib/golang/router/cluster_specifier/source:config",
         "@envoy//contrib/mcp_sse_stateful_session/filters/http/source:config",
         "@envoy//contrib/mcp_sse_stateful_session/http/source:config",
-        "@envoy//source/common/http/match_delegate:config",
+        "@envoy//source/extensions/filters/http/match_delegate:config",
         "@envoy//source/exe:envoy_main_entry_lib",
     ],
 )

bazel/extension_config/extensions_build_config.bzl

@@ -43,7 +43,7 @@ ENVOY_EXTENSIONS = {
     #
 
     "envoy.grpc_credentials.file_based_metadata":       "//source/extensions/grpc_credentials/file_based_metadata:config",
-    "envoy.grpc_credentials.aws_iam":                   "//source/extensions/grpc_credentials/aws_iam:config",
+    # "envoy.grpc_credentials.aws_iam" removed in Envoy 1.36
 
     #
     # WASM
@@ -219,10 +219,10 @@ ENVOY_EXTENSIONS = {
     # Tracers
     #
 
-    "envoy.tracers.dynamic_ot":                         "//source/extensions/tracers/dynamic_ot:config",
+    # "envoy.tracers.dynamic_ot" removed in Envoy 1.36
     "envoy.tracers.datadog":                            "//source/extensions/tracers/datadog:config",
     "envoy.tracers.zipkin":                             "//source/extensions/tracers/zipkin:config",
-    "envoy.tracers.opencensus":                         "//source/extensions/tracers/opencensus:config",
+    # "envoy.tracers.opencensus" removed in Envoy 1.36
     "envoy.tracers.xray":                               "//source/extensions/tracers/xray:config",
     "envoy.tracers.skywalking":                         "//source/extensions/tracers/skywalking:config",
     "envoy.tracers.opentelemetry":                      "//source/extensions/tracers/opentelemetry:config",
@@ -287,7 +287,7 @@ ENVOY_EXTENSIONS = {
     "envoy.wasm.runtime.null":                          "//source/extensions/wasm_runtime/null:config",
     "envoy.wasm.runtime.v8":                            "//source/extensions/wasm_runtime/v8:config",
     "envoy.wasm.runtime.wamr":                          "//source/extensions/wasm_runtime/wamr:config",
-    "envoy.wasm.runtime.wavm":                          "//source/extensions/wasm_runtime/wavm:config",
+    # "envoy.wasm.runtime.wavm" removed in Envoy 1.36
     "envoy.wasm.runtime.wasmtime":                      "//source/extensions/wasm_runtime/wasmtime:config",
 
     #
@@ -340,7 +340,7 @@ ENVOY_EXTENSIONS = {
     # QUIC extensions
     #
 
-    "envoy.quic.deterministic_connection_id_generator": "//source/extensions/quic/connection_id_generator:envoy_deterministic_connection_id_generator_config",
+    "envoy.quic.deterministic_connection_id_generator": "//source/extensions/quic/connection_id_generator/deterministic:envoy_deterministic_connection_id_generator_config",
     "envoy.quic.crypto_stream.server.quiche":           "//source/extensions/quic/crypto_stream:envoy_quic_default_crypto_server_stream",
     "envoy.quic.proof_source.filter_chain":             "//source/extensions/quic/proof_source:envoy_quic_default_proof_source",
 
@@ -382,7 +382,7 @@ ENVOY_EXTENSIONS = {
     # Custom matchers
     #
 
-    "envoy.matching.custom_matchers.trie_matcher":     "//source/extensions/common/matcher:trie_matcher_lib",
+    # "envoy.matching.custom_matchers.trie_matcher" removed in Envoy 1.36, use ip_range_matcher or domain_matcher instead
 
     #
     # Header Validators
@@ -419,9 +419,9 @@ ENVOY_CONTRIB_EXTENSIONS = {
     # HTTP filters
     #
 
-    "envoy.filters.http.dynamo":                                "//contrib/dynamo/filters/http/dynamo:config",
+    "envoy.filters.http.dynamo":                                "//contrib/dynamo/filters/http/source:config",
     "envoy.filters.http.golang":                                "//contrib/golang/filters/http/source:config",
-    "envoy.filters.http.squash":                                "//contrib/squash/filters/http/source:config",
+    # "envoy.filters.http.squash" removed in Envoy 1.36
     "envoy.filters.http.sxg":                                   "//contrib/sxg/filters/http/source:config",
 
     #
@@ -430,7 +430,7 @@ ENVOY_CONTRIB_EXTENSIONS = {
 
     "envoy.filters.network.client_ssl_auth":                    "//contrib/client_ssl_auth/filters/network/source:config",
     "envoy.filters.network.golang":                             "//contrib/golang/filters/network/source:config",
-    "envoy.filters.network.kafka_broker":                       "//contrib/kafka/filters/network/source:kafka_broker_config_lib",
+    "envoy.filters.network.kafka_broker":                       "//contrib/kafka/filters/network/source/broker:config_lib",
     "envoy.filters.network.kafka_mesh":                         "//contrib/kafka/filters/network/source/mesh:config_lib",
     "envoy.filters.network.mysql_proxy":                        "//contrib/mysql_proxy/filters/network/source:config",
     "envoy.filters.network.postgres_proxy":                     "//contrib/postgres_proxy/filters/network/source:config",
@@ -462,7 +462,7 @@ ENVOY_CONTRIB_EXTENSIONS = {
     # Connection Balance extensions
     #
 
-    "envoy.network.connection_balance.dlb":                     "//contrib/network/connection_balance/dlb/source:connection_balancer",
+    "envoy.network.connection_balance.dlb":                     "//contrib/dlb/source:connection_balancer",
 }
 
 
@@ -473,7 +473,7 @@ ISTIO_DISABLED_EXTENSIONS = [
 
 # on istio 1.12 we enable all contrib extension for 0 migration pain.
 ISTIO_ENABLED_CONTRIB_EXTENSIONS = [
-    "envoy.filters.http.squash",
+    # "envoy.filters.http.squash",  # Removed in Envoy 1.36
     "envoy.filters.http.sxg",
     "envoy.filters.network.kafka_broker",
     "envoy.filters.network.kafka_mesh",

envoy.bazelrc

@@ -10,6 +10,8 @@
 # Startup options cannot be selected via config.
 startup --host_jvm_args=-Xmx3g
 
+common --noenable_bzlmod
+
 fetch --color=yes
 run --color=yes
 
@@ -57,7 +59,7 @@ common --experimental_allow_tags_propagation
 # (Workaround for https://github.com/bazelbuild/rules_foreign_cc/issues/421)
 build:linux --copt=-fPIC
 build:linux --copt=-Wno-deprecated-declarations
-build:linux --cxxopt=-std=c++17 --host_cxxopt=-std=c++17
+build:linux --cxxopt=-std=c++20 --host_cxxopt=-std=c++20
 build:linux --conlyopt=-fexceptions
 build:linux --fission=dbg,opt
 build:linux --features=per_object_debug_info
@@ -117,7 +119,7 @@ build:clang-asan --linkopt --rtlib=compiler-rt
 build:clang-asan --linkopt --unwindlib=libgcc
 
 # macOS
-build:macos --cxxopt=-std=c++17 --host_cxxopt=-std=c++17
+build:macos --cxxopt=-std=c++20 --host_cxxopt=-std=c++20
 build:macos --action_env=PATH=/opt/homebrew/bin:/opt/local/bin:/usr/local/bin:/usr/bin:/bin
 build:macos --host_action_env=PATH=/opt/homebrew/bin:/opt/local/bin:/usr/local/bin:/usr/bin:/bin
 build:macos --define tcmalloc=disabled

extensions/common/BUILD

@@ -182,6 +182,9 @@ envoy_cc_library(
     ],
     repository = "@envoy",
     visibility = ["//visibility:public"],
+    deps = [
+        "@com_google_absl//absl/strings",
+    ],
 )
 
 envoy_cc_library(
@@ -192,8 +195,11 @@ envoy_cc_library(
     visibility = ["//visibility:public"],
     deps = [
         ":node_info_fb_cc",
+        "@envoy//envoy/common:hashable_interface",
         "@envoy//envoy/network:filter_interface",
-        "@envoy//source/exe:envoy_common_lib",
+        "@envoy//envoy/ssl:connection_interface",
+        "@envoy//envoy/stream_info:filter_state_interface",
+        "@envoy//source/common/common:minimal_logger_lib",
     ],
 )
 

scripts/release-binary.sh

@@ -83,11 +83,11 @@ if [ "${DST}" == "none" ]; then
   DST=""
 fi
 
-# Make sure the release binaries are built on x86_64 Ubuntu 16.04 (Xenial)
+# Make sure the release binaries are built on x86_64 Ubuntu 18.04 (Bionic)
 if [ "${CHECK}" -eq 1 ] ; then
   if [[ "${BAZEL_BUILD_ARGS}" != *"--config=remote-"* ]]; then
     UBUNTU_RELEASE=${UBUNTU_RELEASE:-$(lsb_release -c -s)}
-    [[ "${UBUNTU_RELEASE}" == 'xenial' ]] || { echo 'Must run on Ubuntu 16.04 (Xenial).'; exit 1; }
+    [[ "${UBUNTU_RELEASE}" == 'bionic' ]] || { echo 'Must run on Ubuntu Bionic.'; exit 1; }
   fi
   [[ "$(uname -m)" == 'x86_64' ]] || { echo 'Must run on x86_64.'; exit 1; }
 fi

source/extensions/common/BUILD

@@ -36,7 +36,9 @@ envoy_cc_library(
         ":utils_lib",
         "//src/istio/authn:context_proto_cc_proto",
         "//src/istio/utils:attribute_names_lib",
-        "@envoy//source/exe:envoy_common_lib",
+        "@envoy//envoy/http:filter_interface",
+        "@envoy//source/common/common:base64_lib",
+        "@envoy//source/common/common:minimal_logger_lib",
     ],
 )
 
@@ -52,7 +54,9 @@ envoy_cc_library(
     repository = "@envoy",
     visibility = ["//visibility:public"],
     deps = [
-        "@envoy//source/exe:envoy_common_lib",
+        "@envoy//envoy/network:connection_interface",
+        "@envoy//envoy/ssl:connection_interface",
+        "@envoy//source/common/common:minimal_logger_lib",
     ],
 )
 

source/extensions/common/authn.cc

@@ -72,7 +72,7 @@ void Authentication::SaveAuthAttributesToStruct(const istio::authn::Result& resu
   }
 }
 
-const ProtobufWkt::Struct*
+const ::google::protobuf::Struct*
 Authentication::GetResultFromMetadata(const envoy::config::core::v3::Metadata& metadata) {
   const auto& iter = metadata.filter_metadata().find(Utils::IstioFilterName::kAuthentication);
   if (iter == metadata.filter_metadata().end()) {

source/extensions/common/authn.h

@@ -32,7 +32,7 @@ class Authentication : public Logger::Loggable<Logger::Id::filter> {
   // the input metadata is the request info's dynamic metadata. Authentication
   // result, if available, is stored under authentication filter metdata.
   // Returns nullptr if there is no data for that filter.
-  static const ProtobufWkt::Struct*
+  static const ::google::protobuf::Struct*
   GetResultFromMetadata(const envoy::config::core::v3::Metadata& metadata);
 };
 

source/extensions/common/workload_discovery/api.cc

@@ -120,17 +120,19 @@ class WorkloadMetadataProviderImpl : public WorkloadMetadataProvider, public Sin
         : Config::SubscriptionBase<istio::workload::Workload>(
               parent.factory_context_.messageValidationVisitor(), "uid"),
           parent_(parent) {
-      subscription_ = parent.factory_context_.clusterManager()
+      auto subscription_or_error = parent.factory_context_.clusterManager()
                           .subscriptionFactory()
                           .subscriptionFromConfigSource(
                               parent.config_source_, Grpc::Common::typeUrl(getResourceName()),
                               *parent.scope_, *this, resource_decoder_, {});
+      THROW_IF_NOT_OK(subscription_or_error.status());
+      subscription_ = std::move(subscription_or_error.value());
     }
     void start() { subscription_->start({}); }
 
   private:
     // Config::SubscriptionCallbacks
-    void onConfigUpdate(const std::vector<Config::DecodedResourceRef>& resources,
+    absl::Status onConfigUpdate(const std::vector<Config::DecodedResourceRef>& resources,
                         const std::string&) override {
       AddressIndexSharedPtr index = std::make_shared<AddressIndex>();
       for (const auto& resource : resources) {
@@ -143,8 +145,9 @@ class WorkloadMetadataProviderImpl : public WorkloadMetadataProvider, public Sin
         }
       }
       parent_.reset(index);
+      return absl::OkStatus();
     }
-    void onConfigUpdate(const std::vector<Config::DecodedResourceRef>& added_resources,
+    absl::Status onConfigUpdate(const std::vector<Config::DecodedResourceRef>& added_resources,
                         const Protobuf::RepeatedPtrField<std::string>& removed_resources,
                         const std::string&) override {
       AddressIndexSharedPtr added = std::make_shared<AddressIndex>();
@@ -163,6 +166,7 @@ class WorkloadMetadataProviderImpl : public WorkloadMetadataProvider, public Sin
         removed->push_back(resource);
       }
       parent_.update(added, removed);
+      return absl::OkStatus();
     }
     void onConfigUpdateFailed(Config::ConfigUpdateFailureReason, const EnvoyException*) override {
       // Do nothing - feature is automatically disabled.
@@ -211,6 +215,10 @@ class WorkloadDiscoveryExtension : public Server::BootstrapExtension {
                                                                 factory_context_);
         });
   }
+
+  void onWorkerThreadInitialized() override {
+    // No per-worker initialization needed
+  }
 
 private:
   Server::Configuration::ServerFactoryContext& factory_context_;

source/extensions/filters/http/alpn/BUILD

@@ -47,7 +47,7 @@ envoy_cc_library(
         ":alpn_filter",
         "//source/extensions/common:filter_names_lib",
         "@envoy//envoy/registry",
-        "@envoy//source/exe:envoy_common_lib",
+        "@envoy//envoy/server:filter_config_interface",
         "@envoy//source/extensions/filters/http/common:factory_base_lib",
     ],
 )

source/extensions/filters/http/alpn/config.cc

@@ -24,10 +24,10 @@ using istio::envoy::config::filter::http::alpn::v2alpha1::FilterConfig;
 namespace Envoy {
 namespace Http {
 namespace Alpn {
-Http::FilterFactoryCb
+absl::StatusOr<Http::FilterFactoryCb>
 AlpnConfigFactory::createFilterFactoryFromProto(const Protobuf::Message& config, const std::string&,
                                                 Server::Configuration::FactoryContext& context) {
-  return createFilterFactory(dynamic_cast<const FilterConfig&>(config), context.clusterManager());
+  return createFilterFactory(dynamic_cast<const FilterConfig&>(config), context.serverFactoryContext().clusterManager());
 }
 
 ProtobufTypes::MessagePtr AlpnConfigFactory::createEmptyConfigProto() {

source/extensions/filters/http/alpn/config.h

@@ -28,7 +28,7 @@ namespace Alpn {
 class AlpnConfigFactory : public Server::Configuration::NamedHttpFilterConfigFactory {
 public:
   // Server::Configuration::NamedHttpFilterConfigFactory
-  Http::FilterFactoryCb
+  absl::StatusOr<Http::FilterFactoryCb>
   createFilterFactoryFromProto(const Protobuf::Message& config, const std::string& stat_prefix,
                                Server::Configuration::FactoryContext& context) override;
   ProtobufTypes::MessagePtr createEmptyConfigProto() override;

source/extensions/filters/http/authn/BUILD

@@ -47,7 +47,9 @@ envoy_cc_library(
         "//source/extensions/common:filter_names_lib",
         "//source/extensions/common:utils_lib",
         "//src/istio/authn:context_proto_cc_proto",
+        "@envoy//source/common/config:metadata_lib",
         "@envoy//source/common/http:headers_lib",
+        "@envoy//source/common/http:utility_lib",
         "@envoy//source/extensions/filters/http:well_known_names",
     ],
 )
@@ -69,7 +71,10 @@ envoy_cc_library(
         "//source/extensions/common:filter_names_lib",
         "//source/extensions/common:utils_lib",
         "//src/istio/authn:context_proto_cc_proto",
-        "@envoy//source/exe:envoy_common_lib",
+        "@envoy//envoy/http:filter_interface",
+        "@envoy//envoy/server:filter_config_interface",
+        "@envoy//source/common/common:minimal_logger_lib",
+        "@envoy//source/common/http:utility_lib",
     ],
 )
 

source/extensions/filters/http/authn/authn_utils.cc

@@ -29,8 +29,6 @@ namespace AuthN {
 namespace {
 // The JWT audience key name
 static const std::string kJwtAudienceKey = "aud";
-// The JWT issuer key name
-static const std::string kJwtIssuerKey = "iss";
 // The key name for the original claims in an exchanged token
 static const std::string kExchangedTokenOriginalPayload = "original_claims";
 

source/extensions/filters/http/authn/filter_context.cc

@@ -67,7 +67,7 @@ void FilterContext::setPrincipal(const iaapi::PrincipalBinding& binding) {
     return;
   default:
     // Should never come here.
-    ENVOY_LOG(error, "Invalid binding value {}", binding);
+    ENVOY_LOG(error, "Invalid binding value {}", static_cast<int>(binding));
     return;
   }
 }

source/extensions/filters/http/authn/http_filter.cc

@@ -78,7 +78,7 @@ FilterHeadersStatus AuthenticationFilter::decodeHeaders(RequestHeaderMap& header
   if (filter_context_ != nullptr) {
     // Save auth results in the metadata, could be used later by RBAC and/or
     // mixer filter.
-    ProtobufWkt::Struct data;
+    ::google::protobuf::Struct data;
     Utils::Authentication::SaveAuthAttributesToStruct(filter_context_->authenticationResult(),
                                                       data);
     decoder_callbacks_->streamInfo().setDynamicMetadata(Utils::IstioFilterName::kAuthentication,

source/extensions/filters/http/authn/http_filter_factory.cc

@@ -32,7 +32,7 @@ namespace iaapi = istio::authentication::v1alpha1;
 class AuthnFilterConfig : public NamedHttpFilterConfigFactory,
                           public Logger::Loggable<Logger::Id::filter> {
 public:
-  Http::FilterFactoryCb createFilterFactoryFromProto(const Protobuf::Message& proto_config,
+  absl::StatusOr<Http::FilterFactoryCb> createFilterFactoryFromProto(const Protobuf::Message& proto_config,
                                                      const std::string&, FactoryContext&) override {
     auto filter_config = dynamic_cast<const FilterConfig&>(proto_config);
     return createFilterFactory(filter_config);

source/extensions/filters/http/authn/http_filter_test.cc

@@ -172,7 +172,7 @@ TEST_F(AuthenticationFilterTest, AllPass) {
   const auto* data = Utils::Authentication::GetResultFromMetadata(stream_info.dynamicMetadata());
   ASSERT_TRUE(data);
 
-  ProtobufWkt::Struct expected_data;
+  ::google::protobuf::Struct expected_data;
   ASSERT_TRUE(Protobuf::TextFormat::ParseFromString(R"(
        fields {
          key: "source.namespace"
@@ -237,7 +237,7 @@ TEST_F(AuthenticationFilterTest, IgnoreBothPass) {
   const auto* data = Utils::Authentication::GetResultFromMetadata(stream_info.dynamicMetadata());
   ASSERT_TRUE(data);
 
-  ProtobufWkt::Struct expected_data;
+  ::google::protobuf::Struct expected_data;
   ASSERT_TRUE(Protobuf::TextFormat::ParseFromString(R"(
        fields {
          key: "source.namespace"

source/extensions/filters/http/connect_authority/filter.h

@@ -56,7 +56,7 @@ class FilterConfigFactory : public Common::FactoryBase<io::istio::http::connect_
       callbacks.addStreamFilter(filter);
     };
   }
-  Router::RouteSpecificFilterConfigConstSharedPtr
+  absl::StatusOr<Router::RouteSpecificFilterConfigConstSharedPtr>
   createRouteSpecificFilterConfigTyped(const io::istio::http::connect_authority::Config& config,
                                        Envoy::Server::Configuration::ServerFactoryContext&,
                                        ProtobufMessage::ValidationVisitor&) override {