Merge branch 'master' into mpuncel/http2-hc-goaway

* master: (49 commits)
  sds: allow multiple init managers share sds target (envoyproxy#14357)
  [http] Remove legacy codecs (envoyproxy#14381)
  http2: Add integration tests for METADATA and RST_STREAM frame flood mitigation for upstream servers (envoyproxy#14365)
  test: start dissolving :printers_include rule. (envoyproxy#14429)
  integration tests: re-enable set_node_on_first_message_only (envoyproxy#14270)
  formatter: add a formatter that returns a google::protobuf::Struct rather than a string (envoyproxy#14258)
  ratelimit: support returning custom response bodies for non-OK responses from the external ratelimit service (envoyproxy#14189)
  deps: update protobuf to 3.14 (envoyproxy#14253)
  stream_info: add setResponseCode and update local_reply to take a normal StreamInfo (envoyproxy#14402)
  http: alpn upstream (envoyproxy#13922)
  Moved starttls integration test to test/extensions/transport_sockets/starttls. (envoyproxy#14425)
  generic conn pool: directly use thread local cluster (envoyproxy#14423)
  wasm: add mathetake to CODEOWNERS (envoyproxy#14427)
  wasm: clear route cache when modifying HTTP request headers. (envoyproxy#14318)
  tls: disable TLS inspector injection (envoyproxy#14404)
  aggregate cluster: cleanups (envoyproxy#14411)
  Mark starttls_integration_test flaky on Windows (envoyproxy#14419)
  tcp: improved unit testing (envoyproxy#14415)
  config: making protocol config explicit (envoyproxy#14362)
  wasm: dead code (envoyproxy#14407)
  ...

Signed-off-by: Michael Puncel <mpuncel@squareup.com>

.azure-pipelines/bazel.yml

@@ -66,6 +66,8 @@ steps:
   - bash: |
       echo "disk space at end of build:"
       df -h
+      # Cleanup offending files with unicode names
+      rm -rf $(Build.StagingDirectory)/tmp/*/*/external/go_sdk/test/fixedbugs
     displayName: "Check disk space at end"
     condition: always()
 

CODEOWNERS

@@ -44,6 +44,8 @@ extensions/filters/common/original_src @snowp @klarose
 /*/extensions/transport_sockets/proxy_protocol @alyssawilk @wez470
 # common transport socket
 /*/extensions/transport_sockets/common @alyssawilk @wez470
+# starttls transport socket
+/*/extensions/transport_sockets/starttls @cpakulski @lizan
 # sni_cluster extension
 /*/extensions/filters/network/sni_cluster @rshriram @lizan
 # sni_dynamic_forward_proxy extension
@@ -85,17 +87,17 @@ extensions/filters/common/original_src @snowp @klarose
 # attribute context
 /*/extensions/filters/common/expr @kyessenov @yangminzhu @lizan
 # webassembly access logger extensions
-/*/extensions/access_loggers/wasm @PiotrSikora @lizan
+/*/extensions/access_loggers/wasm @PiotrSikora @mathetake @lizan
 # webassembly bootstrap extensions
-/*/extensions/bootstrap/wasm @PiotrSikora @lizan
+/*/extensions/bootstrap/wasm @PiotrSikora @mathetake @lizan
 # webassembly http extensions
-/*/extensions/filters/http/wasm @PiotrSikora @lizan
+/*/extensions/filters/http/wasm @PiotrSikora @mathetake @lizan
 # webassembly network extensions
-/*/extensions/filters/network/wasm @PiotrSikora @lizan
+/*/extensions/filters/network/wasm @PiotrSikora @mathetake @lizan
 # webassembly common extension
-/*/extensions/common/wasm @PiotrSikora @lizan
+/*/extensions/common/wasm @PiotrSikora @mathetake @lizan
 # webassembly runtimes
-/*/extensions/wasm_runtime/ @PiotrSikora @lizan
+/*/extensions/wasm_runtime/ @PiotrSikora @mathetake @lizan
 # common matcher
 /*/extensions/common/matcher @mattklein123 @yangminzhu
 # common crypto extension
@@ -122,7 +124,7 @@ extensions/filters/common/original_src @snowp @klarose
 /*/extensions/stat_sinks/hystrix @trabetti @jmarantz
 /*/extensions/stat_sinks/metrics_service @ramaraochavali @jmarantz
 # webassembly stat-sink extensions
-/*/extensions/stat_sinks/wasm @PiotrSikora @lizan
+/*/extensions/stat_sinks/wasm @PiotrSikora @mathetake @lizan
 /*/extensions/resource_monitors/injected_resource @eziskind @htuch
 /*/extensions/resource_monitors/common @eziskind @htuch
 /*/extensions/resource_monitors/fixed_heap @eziskind @htuch

DEPENDENCY_POLICY.md

@@ -69,24 +69,39 @@ Pure developer tooling and documentation builds may reference Python via standal
 
 ## New external dependencies
 
-* Any new dependency on the Envoy data or control plane that impacts Envoy core (i.e. is not
-  specific to a single non-core extension) must be cleared with the Envoy security team, please file
-  an issue and tag
-  [@envoyproxy/security-team](https://github.com/orgs/envoyproxy/teams/security-team). While policy
-  is still [evolving](robust_to_untrusted_downstream_and_upstream), criteria that will be used in
-  evaluation include:
-  * Does the project have release versions? How often do releases happen?
-  * Does the project have a security vulnerability disclosure process and contact details?
-  * Does the project have effective governance, e.g. multiple maintainers, a governance policy?
-  * Does the project have a code review culture? Are patches reviewed by independent maintainers
-    prior to merge?
-  * Does the project enable mandatory GitHub 2FA for contributors?
-  * Does the project have evidence of high test coverage, fuzzing, static analysis (e.g. CodeQL),
-    etc.?
-
-* Dependencies for extensions that are tagged as `robust_to_untrusted_downstream` or
-  `robust_to_untrusted_downstream_and_upstream` should be sensitive to the same set of concerns
-  as the core data plane.
+Any new dependency on the Envoy data or control plane that impacts Envoy core (i.e. is not
+specific to a single non-core extension) must be cleared with the Envoy dependency shepherds and
+security team, please file an issue and tag both [dependency
+shepherds](https://github.com/orgs/envoyproxy/teams/dependency-shepherds) and
+the [@envoyproxy/security-team](https://github.com/orgs/envoyproxy/teams/security-team).
+
+The criteria below are used to evaluate new dependencies on the data, control
+and observability plane. They apply to all core dependencies and any extension
+that is robust to untrusted downstream or upstream traffic. The criteria are
+guidelines, exceptions may be granted with solid rationale. Precedent from
+existing extensions does not apply; there are extant extensions in violation of
+this policy which we will be addressing over time, they do not provide grounds
+to ignore policy criteria below.
+
+|Criteria|Requirement|Mnemonic|Weight|Rationale|
+|--------|-----------|--------|------|---------|
+|Cloud Native Computing Foundation (CNCF) [approved license](https://github.com/cncf/foundation/blob/master/allowed-third-party-license-policy.md#approved-licenses-for-allowlist)|MUST|License|High||
+|Dependencies must not substantially increase the binary size unless they are optional (i.e. confined to specific extensions)|MUST|BinarySize|High|Envoy Mobile is sensitive to binary size. We should pick dependencies that are used in core with this criteria in mind.|
+|No duplication of existing dependencies|MUST|NoDuplication|High|Avoid maintenance cost of multiple JSON parsers etc|
+|Hosted on a git repository and the archive fetch must directly reference this repository. We will NOT support intermediate artifacts built by-hand located on GCS, S3, etc.|MUST|Source|High|Flows based on manual updates are fragile (they are not tested until needed), often suffer from missing documentation and shared exercise, may fail during emergency zero day updates and have no audit trail (i.e. it's unclear how the artifact we depend upon came to be at a later date).|
+|CVE history appears reasonable, no pathological CVE arcs|MUST|SoundCVEs|High|Avoid dependencies that are CVE heavy in the same area (e.g. buffer overflow)
+|Code review (ideally PRs) before merge|MUST|Code-Review|Normal|Consistent code reviews|
+|Security vulnerability process exists, with contact details and reporting/disclosure process|MUST|SecPolicy|High|Lack of a policy implies security bugs are open zero days|
+|> 1 contributor responsible for a non-trivial number of commits|MUST|Contributors|Normal|Avoid bus factor of 1|
+|Tests run in CI|MUST|CI-Tests|Normal|Changes gated on tests|
+|High test coverage (also static/dynamic analysis, fuzzing)|SHOULD|Test-Coverage|Normal|Key dependencies must meet the same quality bar as Envoy|
+|Envoy can obtain advanced notification of vulnerabilities or of security releases|SHOULD|SecPolicy-Compat|High|Coordinated security releases possible, but most dependencies do not feature this.|
+|Do other significant projects have shared fate by using this dependency?|SHOULD|SharedFate|High|Increased likelihood of security community interest, many eyes.|
+|Releases (with release notes)|SHOULD|Releases|Normal|Discrete upgrade points, clear understanding of security implications. We have many counterexamples today (e.g. CEL, re2).|
+|Commits/releases in last 90 days|SHOULD|Active|Normal|Avoid unmaintained deps, not compulsory since some code bases are “done”|
+
+The rationale behind this policy is tracked
+[here](https://docs.google.com/document/d/1HbREo7pv7rgeIIjQn6mNpySzQE5rx2Yv9dXm5NqR2N8/edit#).
 
 ## Maintaining existing dependencies
 

GOVERNANCE.md

@@ -108,7 +108,8 @@ or you can subscribe to the iCal feed [here](webcal://kubernetes.app.opsgenie.co
 * Do a new PR to setup the next version
   * Update [VERSION](VERSION) to the next development release. E.g., "1.7.0-dev". 
   * `git mv docs/root/version_history/current.rst docs/root/version_history/v1.6.0.rst`, filling in the previous
-    release version number in the filename, and add an entry for the new file in the `toctree` in 
+    release version number in the filename and delete empty sections (like Incompatible Behavior Changes, Minor Bahavior Changes, etc).
+    Add an entry for the new file in the `toctree` in
     [version_history.rst](docs/root/version_history/version_history.rst).
   * Create a new "current" version history file at the [release
   notes](docs/root/version_history/current.rst) for the following version. E.g., "1.7.0 (pending)". Use

api/API_VERSIONING.md

@@ -67,8 +67,11 @@ experience a backward compatible break on a change. Specifically:
     may be granted for scenarios in which these stricter conditions model behavior already implied
     structurally or by documentation.
 
-The exception to the above policy is for API versions tagged `vNalpha`. Within an alpha major
-version, arbitrary breaking changes are allowed.
+An exception to the above policy exists for:
+* Changes made within 14 days of the introduction of a new API field or message.
+* API versions tagged `vNalpha`. Within an alpha major version, arbitrary breaking changes are allowed.
+* Any field, message or enum with a `[#not-implemented-hide:..` comment.
+* Any proto with a `(udpa.annotations.file_status).work_in_progress` option annotation.
 
 Note that changes to default values for wrapped types, e.g. `google.protobuf.UInt32Value` are not
 governed by the above policy. Any management server requiring stability across Envoy API or

api/BUILD

@@ -160,11 +160,13 @@ proto_library(
         "//envoy/extensions/clusters/dynamic_forward_proxy/v3:pkg",
         "//envoy/extensions/clusters/redis/v3:pkg",
         "//envoy/extensions/common/dynamic_forward_proxy/v3:pkg",
+        "//envoy/extensions/common/matching/v3:pkg",
         "//envoy/extensions/common/ratelimit/v3:pkg",
         "//envoy/extensions/common/tap/v3:pkg",
         "//envoy/extensions/compression/gzip/compressor/v3:pkg",
         "//envoy/extensions/compression/gzip/decompressor/v3:pkg",
         "//envoy/extensions/filters/common/fault/v3:pkg",
+        "//envoy/extensions/filters/common/matcher/action/v3:pkg",
         "//envoy/extensions/filters/http/adaptive_concurrency/v3:pkg",
         "//envoy/extensions/filters/http/admission_control/v3alpha:pkg",
         "//envoy/extensions/filters/http/aws_lambda/v3:pkg",
@@ -244,6 +246,7 @@ proto_library(
         "//envoy/extensions/transport_sockets/proxy_protocol/v3:pkg",
         "//envoy/extensions/transport_sockets/quic/v3:pkg",
         "//envoy/extensions/transport_sockets/raw_buffer/v3:pkg",
+        "//envoy/extensions/transport_sockets/starttls/v3:pkg",
         "//envoy/extensions/transport_sockets/tap/v3:pkg",
         "//envoy/extensions/transport_sockets/tls/v3:pkg",
         "//envoy/extensions/upstreams/http/generic/v3:pkg",

api/bazel/api_build_system.bzl

@@ -186,14 +186,14 @@ def api_proto_package(
         proto = name,
         visibility = ["//visibility:public"],
         deps = depset([_go_proto_mapping(dep) for dep in deps] + [
-            "@com_github_golang_protobuf//ptypes:go_default_library",
-            "@com_github_golang_protobuf//ptypes/any:go_default_library",
-            "@com_github_golang_protobuf//ptypes/duration:go_default_library",
-            "@com_github_golang_protobuf//ptypes/struct:go_default_library",
-            "@com_github_golang_protobuf//ptypes/timestamp:go_default_library",
-            "@com_github_golang_protobuf//ptypes/wrappers:go_default_library",
             "@com_envoyproxy_protoc_gen_validate//validate:go_default_library",
-            "@com_google_googleapis//google/api:annotations_go_proto",
-            "@com_google_googleapis//google/rpc:status_go_proto",
+            "@com_github_golang_protobuf//ptypes:go_default_library_gen",
+            "@go_googleapis//google/api:annotations_go_proto",
+            "@go_googleapis//google/rpc:status_go_proto",
+            "@io_bazel_rules_go//proto/wkt:any_go_proto",
+            "@io_bazel_rules_go//proto/wkt:duration_go_proto",
+            "@io_bazel_rules_go//proto/wkt:struct_go_proto",
+            "@io_bazel_rules_go//proto/wkt:timestamp_go_proto",
+            "@io_bazel_rules_go//proto/wkt:wrappers_go_proto",
         ]).to_list(),
     )

api/bazel/repository_locations.bzl

@@ -14,23 +14,30 @@ REPOSITORY_LOCATIONS_SPEC = dict(
         project_name = "protoc-gen-validate (PGV)",
         project_desc = "protoc plugin to generate polyglot message validators",
         project_url = "https://github.com/envoyproxy/protoc-gen-validate",
-        version = "278964a8052f96a2f514add0298098f63fb7f47f",
-        sha256 = "e368733c9fb7f8489591ffaf269170d7658cc0cd1ee322b601512b769446d3c8",
+        version = "1bcea29601b5624234a19b3d7f0ebd9e9984f583",
+        sha256 = "2062bbe50eddf3c98490339721fb02b5b5cd78f610f163b98bbf95ba7105553f",
         strip_prefix = "protoc-gen-validate-{version}",
         urls = ["https://github.com/envoyproxy/protoc-gen-validate/archive/{version}.tar.gz"],
-        release_date = "2020-06-08",
+        release_date = "2020-11-30",
         use_category = ["api"],
+        implied_untracked_deps = [
+            "com_github_iancoleman_strcase",
+            "com_github_lyft_protoc_gen_star",
+            "com_github_spf13_afero",
+            "org_golang_google_genproto",
+            "org_golang_x_text",
+        ],
     ),
     com_github_cncf_udpa = dict(
         project_name = "xDS API",
         project_desc = "xDS API Working Group (xDS-WG)",
         project_url = "https://github.com/cncf/udpa",
         # During the UDPA -> xDS migration, we aren't working with releases.
-        version = "5459f2c994033b0afed7e4a70ac7e90c90c1ffee",
-        sha256 = "c1f5c2438cf725b5f66aa4210dbc4bb691020c5ed4f64d2bc6638b06a11482f1",
+        version = "cc1b757b3eddccaaaf0743cbb107742bb7e3ee4f",
+        sha256 = "822a007cf155855d0c08a2e753a39e222e5816b904436196244066a818a8a230",
         strip_prefix = "udpa-{version}",
         urls = ["https://github.com/cncf/udpa/archive/{version}.tar.gz"],
-        release_date = "2020-11-20",
+        release_date = "2020-12-11",
         use_category = ["api"],
     ),
     com_github_openzipkin_zipkinapi = dict(

api/envoy/config/bootstrap/v3/bootstrap.proto

@@ -38,7 +38,7 @@ option (udpa.annotations.file_status).package_version_status = ACTIVE;
 // <config_overview_bootstrap>` for more detail.
 
 // Bootstrap :ref:`configuration overview <config_overview_bootstrap>`.
-// [#next-free-field: 29]
+// [#next-free-field: 30]
 message Bootstrap {
   option (udpa.annotations.versioning).previous_message_type =
       "envoy.config.bootstrap.v2.Bootstrap";
@@ -166,12 +166,23 @@ message Bootstrap {
   // Optional duration between flushes to configured stats sinks. For
   // performance reasons Envoy latches counters and only flushes counters and
   // gauges at a periodic interval. If not specified the default is 5000ms (5
-  // seconds).
+  // seconds). Only one of `stats_flush_interval` or `stats_flush_on_admin`
+  // can be set.
   // Duration must be at least 1ms and at most 5 min.
-  google.protobuf.Duration stats_flush_interval = 7 [(validate.rules).duration = {
-    lt {seconds: 300}
-    gte {nanos: 1000000}
-  }];
+  google.protobuf.Duration stats_flush_interval = 7 [
+    (validate.rules).duration = {
+      lt {seconds: 300}
+      gte {nanos: 1000000}
+    },
+    (udpa.annotations.field_migrate).oneof_promotion = "stats_flush"
+  ];
+
+  oneof stats_flush {
+    // Flush stats to sinks only when queried for on the admin interface. If set,
+    // a flush timer is not created. Only one of `stats_flush_on_admin` or
+    // `stats_flush_interval` can be set.
+    bool stats_flush_on_admin = 29 [(validate.rules).bool = {const: true}];
+  }
 
   // Optional watchdog configuration.
   // This is for a single watchdog configuration for the entire system.

api/envoy/config/common/matcher/v3/matcher.proto

@@ -25,7 +25,6 @@ option (udpa.annotations.file_status).package_version_status = ACTIVE;
 // might repeat several times until the final OnMatch (or no match) is decided.
 //
 // This API is a work in progress.
-// [#not-implemented-hide:]
 message Matcher {
   // What to do if a match is successful.
   message OnMatch {

api/envoy/config/core/v3/protocol.proto

@@ -77,6 +77,10 @@ message HttpProtocolOptions {
   // .. warning::
   //   Disabling this timeout has a highly likelihood of yielding connection leaks due to lost TCP
   //   FIN packets, etc.
+  //
+  // If the :ref:`overload action <config_overload_manager_overload_actions>` "envoy.overload_actions.reduce_timeouts"
+  // is configured, this timeout is scaled for downstream connections according to the value for
+  // :ref:`HTTP_DOWNSTREAM_CONNECTION_IDLE <envoy_api_enum_value_config.overload.v3.ScaleTimersOverloadActionConfig.TimerType.HTTP_DOWNSTREAM_CONNECTION_IDLE>`.
   google.protobuf.Duration idle_timeout = 1;
 
   // The maximum duration of a connection. The duration is defined as a period since a connection