deps: upgrade envoy to 1.30.1 (patched)

DEPENDENCIES.md

@@ -100,6 +100,7 @@ following Free and Open Source software:
  github.com/peterbourgon/diskv v2.0.1+incompatible MIT license
  github.com/pjbgf/sha1cd v0.3.0 Apache License 2.0
  github.com/pkg/errors v0.9.1 2-clause BSD license
+ github.com/planetscale/vtprotobuf v0.6.0 3-clause BSD license
  github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 3-clause BSD license
  github.com/prometheus/client_golang v1.17.0 Apache License 2.0
  github.com/prometheus/client_model v0.5.0 Apache License 2.0
@@ -123,6 +124,7 @@ following Free and Open Source software:
  github.com/xlab/treeprint v1.2.0 MIT license
  go.opentelemetry.io/proto/otlp v1.0.0 Apache License 2.0
  go.starlark.net v0.0.0-20230525235612-a134d8f9ddca 3-clause BSD license
+ go.uber.org/goleak v1.2.1 MIT license
  go.uber.org/multierr v1.11.0 MIT license
  go.uber.org/zap v1.26.0 MIT license
  golang.org/x/crypto v0.21.0 3-clause BSD license

_cxx/envoy.mk

@@ -11,12 +11,12 @@ export ENVOY_TEST_LABEL
 
 # IF YOU MESS WITH ANY OF THESE VALUES, YOU MUST RUN `make update-base`.
 ENVOY_REPO ?= https://github.com/datawire/envoy.git
-# https://github.com/datawire/envoy/tree/rebase/release/v1.27.2
-ENVOY_COMMIT ?= 6637fd1bab315774420f3c3d97488fedb7fc710f
+# https://github.com/datawire/envoy/tree/rebase/release/v1.30.1
+ENVOY_COMMIT ?= c5eb07f628b37313fa4d3cdb14d5b3e9ed5379e9
 ENVOY_COMPILATION_MODE ?= opt
 # Increment BASE_ENVOY_RELVER on changes to `docker/base-envoy/Dockerfile`, or Envoy recipes.
 # You may reset BASE_ENVOY_RELVER when adjusting ENVOY_COMMIT.
-BASE_ENVOY_RELVER ?= 1
+BASE_ENVOY_RELVER ?= 0
 
 # Set to non-empty to enable compiling Envoy in FIPS mode.
 FIPS_MODE ?=
@@ -35,7 +35,7 @@ ENVOY_DOCKER_TAG ?= $(ENVOY_DOCKER_REPO):envoy-$(ENVOY_DOCKER_VERSION)
 # which commits are ancestors, I added `make guess-envoy-go-control-plane-commit` to do that in an
 # automated way! Still look at the commit yourself to make sure it seems sane; blindly trusting
 # machines is bad, mmkay?
-ENVOY_GO_CONTROL_PLANE_COMMIT = b501c94cb61e3235b9156629377fba229d9571d8
+ENVOY_GO_CONTROL_PLANE_COMMIT = 57c85e1829e6fe6e73fb69b8a9d9f2d3780572a5
 
 # Set ENVOY_DOCKER_REPO to the list of mirrors to check
 ENVOY_DOCKER_REPOS = docker.io/emissaryingress/base-envoy
@@ -283,4 +283,4 @@ check-envoy-version: $(OSS_HOME)/_cxx/envoy
  # them... except that gcr.io doesn't allow `manifest inspect`.
  # So just go ahead and do the `pull` :(
  $(foreach ENVOY_DOCKER_REPO,$(ENVOY_DOCKER_REPOS), docker pull $(ENVOY_DOCKER_TAG) >/dev/null$(NL))
-.PHONY: check-envoy-version
+.PHONY: check-envoy-version

api/contrib/envoy/extensions/filters/http/golang/v3alpha/golang.proto

@@ -12,7 +12,7 @@ import "validate/validate.proto";
 option java_package = "io.envoyproxy.envoy.extensions.filters.http.golang.v3alpha";
 option java_outer_classname = "GolangProto";
 option java_multiple_files = true;
-option go_package = "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/http/golang/v3alpha";
+option go_package = "github.com/envoyproxy/go-control-plane/contrib/envoy/extensions/filters/http/golang/v3alpha";
 option (udpa.annotations.file_status).package_version_status = ACTIVE;
 option (xds.annotations.v3.file_status).work_in_progress = true;
 

api/envoy/admin/v3/config_dump.proto

@@ -33,6 +33,7 @@ message ConfigDump {
  // * ``bootstrap``: :ref:`BootstrapConfigDump <envoy_v3_api_msg_admin.v3.BootstrapConfigDump>`
  // * ``clusters``: :ref:`ClustersConfigDump <envoy_v3_api_msg_admin.v3.ClustersConfigDump>`
  // * ``ecds_filter_http``: :ref:`EcdsConfigDump <envoy_v3_api_msg_admin.v3.EcdsConfigDump>`
+ // * ``ecds_filter_quic_listener``: :ref:`EcdsConfigDump <envoy_v3_api_msg_admin.v3.EcdsConfigDump>`
  // * ``ecds_filter_tcp_listener``: :ref:`EcdsConfigDump <envoy_v3_api_msg_admin.v3.EcdsConfigDump>`
  // * ``endpoints``: :ref:`EndpointsConfigDump <envoy_v3_api_msg_admin.v3.EndpointsConfigDump>`
  // * ``listeners``: :ref:`ListenersConfigDump <envoy_v3_api_msg_admin.v3.ListenersConfigDump>`

api/envoy/admin/v3/server_info.proto

@@ -59,7 +59,7 @@ message ServerInfo {
  config.core.v3.Node node = 7;
 }
 
-// [#next-free-field: 39]
+// [#next-free-field: 40]
 message CommandLineOptions {
  option (udpa.annotations.versioning).previous_message_type =
  "envoy.admin.v2alpha.CommandLineOptions";
@@ -98,6 +98,9 @@ message CommandLineOptions {
  // See :option:`--use-dynamic-base-id` for details.
  bool use_dynamic_base_id = 31;
 
+ // See :option:`--skip-hot-restart-on-no-parent` for details.
+ bool skip_hot_restart_on_no_parent = 39;
+
  // See :option:`--base-id-path` for details.
  string base_id_path = 32;
 

api/envoy/config/accesslog/v3/accesslog.proto

@@ -254,6 +254,9 @@ message ResponseFlagFilter {
  in: "UPE"
  in: "NC"
  in: "OM"
+ in: "DF"
+ in: "DO"
+ in: "DR"
  }
  }
  }];

api/envoy/config/bootstrap/v3/bootstrap.proto

@@ -41,7 +41,7 @@ option (udpa.annotations.file_status).package_version_status = ACTIVE;
 // <config_overview_bootstrap>` for more detail.
 
 // Bootstrap :ref:`configuration overview <config_overview_bootstrap>`.
-// [#next-free-field: 40]
+// [#next-free-field: 41]
 message Bootstrap {
  option (udpa.annotations.versioning).previous_message_type =
  "envoy.config.bootstrap.v2.Bootstrap";
@@ -136,6 +136,13 @@ message Bootstrap {
  bool enable_deferred_creation_stats = 1;
  }
 
+ message GrpcAsyncClientManagerConfig {
+ // Optional field to set the expiration time for the cached gRPC client object.
+ // The minimal value is 5s and the default is 50s.
+ google.protobuf.Duration max_cached_entry_idle_duration = 1
+ [(validate.rules).duration = {gte {seconds: 5}}];
+ }
+
  reserved 10, 11;
 
  reserved "runtime";
@@ -401,6 +408,9 @@ message Bootstrap {
 
  // Optional application log configuration.
  ApplicationLogConfig application_log_config = 38;
+
+ // Optional gRPC async manager config.
+ GrpcAsyncClientManagerConfig grpc_async_client_manager_config = 40;
 }
 
 // Administration interface :ref:`operations documentation
@@ -438,6 +448,7 @@ message Admin {
 }
 
 // Cluster manager :ref:`architecture overview <arch_overview_cluster_manager>`.
+// [#next-free-field: 6]
 message ClusterManager {
  option (udpa.annotations.versioning).previous_message_type =
  "envoy.config.bootstrap.v2.ClusterManager";
@@ -478,6 +489,11 @@ message ClusterManager {
  // <envoy_v3_api_field_config.core.v3.ApiConfigSource.api_type>` :ref:`GRPC
  // <envoy_v3_api_enum_value_config.core.v3.ApiConfigSource.ApiType.GRPC>`.
  core.v3.ApiConfigSource load_stats_config = 4;
+
+ // Whether the ClusterManager will create clusters on the worker threads
+ // inline during requests. This will save memory and CPU cycles in cases where
+ // there are lots of inactive clusters and > 1 worker thread.
+ bool enable_deferred_cluster_creation = 5;
 }
 
 // Allows you to specify different watchdog configs for different subsystems.

api/envoy/config/cluster/v3/cluster.proto

@@ -1236,13 +1236,38 @@ message UpstreamConnectionOptions {
  option (udpa.annotations.versioning).previous_message_type =
  "envoy.api.v2.UpstreamConnectionOptions";
 
+ enum FirstAddressFamilyVersion {
+ // respect the native ranking of destination ip addresses returned from dns
+ // resolution
+ DEFAULT = 0;
+
+ V4 = 1;
+
+ V6 = 2;
+ }
+
+ message HappyEyeballsConfig {
+ // Specify the IP address family to attempt connection first in happy
+ // eyeballs algorithm according to RFC8305#section-4.
+ FirstAddressFamilyVersion first_address_family_version = 1;
+
+ // Specify the number of addresses of the first_address_family_version being
+ // attempted for connection before the other address family.
+ google.protobuf.UInt32Value first_address_family_count = 2 [(validate.rules).uint32 = {gte: 1}];
+ }
+
  // If set then set SO_KEEPALIVE on the socket to enable TCP Keepalives.
  core.v3.TcpKeepalive tcp_keepalive = 1;
 
  // If enabled, associates the interface name of the local address with the upstream connection.
  // This can be used by extensions during processing of requests. The association mechanism is
  // implementation specific. Defaults to false due to performance concerns.
  bool set_local_interface_name_on_upstream_connections = 2;
+
+ // Configurations for happy eyeballs algorithm.
+ // Add configs for first_address_family_version and first_address_family_count
+ // when sorting destination ip addresses.
+ HappyEyeballsConfig happy_eyeballs_config = 3;
 }
 
 message TrackClusterStats {
@@ -1257,4 +1282,19 @@ message TrackClusterStats {
  // <config_cluster_manager_cluster_stats_request_response_sizes>` tracking header and body sizes
  // of requests and responses will be published.
  bool request_response_sizes = 2;
+
+ // If true, some stats will be emitted per-endpoint, similar to the stats in admin ``/clusters``
+ // output.
+ //
+ // This does not currently output correct stats during a hot-restart.
+ //
+ // This is not currently implemented by all stat sinks.
+ //
+ // These stats do not honor filtering or tag extraction rules in :ref:`StatsConfig
+ // <envoy_v3_api_msg_config.metrics.v3.StatsConfig>` (but fixed-value tags are supported). Admin
+ // endpoint filtering is supported.
+ //
+ // This may not be used at the same time as
+ // :ref:`load_stats_config <envoy_v3_api_field_config.bootstrap.v3.ClusterManager.load_stats_config>`.
+ bool per_endpoint_stats = 3;
 }

api/envoy/config/cluster/v3/filter.proto

@@ -2,6 +2,8 @@ syntax = "proto3";
 
 package envoy.config.cluster.v3;
 
+import "envoy/config/core/v3/config_source.proto";
+
 import "google/protobuf/any.proto";
 
 import "udpa/annotations/status.proto";
@@ -14,8 +16,8 @@ option java_multiple_files = true;
 option go_package = "github.com/envoyproxy/go-control-plane/envoy/config/cluster/v3;clusterv3";
 option (udpa.annotations.file_status).package_version_status = ACTIVE;
 
-// [#protodoc-title: Upstream filters]
-// Upstream filters apply to the connections to the upstream cluster hosts.
+// [#protodoc-title: Upstream network filters]
+// Upstream network filters apply to the connections to the upstream cluster hosts.
 
 message Filter {
  option (udpa.annotations.versioning).previous_message_type = "envoy.api.v2.cluster.Filter";
@@ -26,6 +28,13 @@ message Filter {
  // Filter specific configuration which depends on the filter being
  // instantiated. See the supported filters for further documentation.
  // Note that Envoy's :ref:`downstream network
- // filters <config_network_filters>` are not valid upstream filters.
+ // filters <config_network_filters>` are not valid upstream network filters.
+ // Only one of typed_config or config_discovery can be used.
  google.protobuf.Any typed_config = 2;
+
+ // Configuration source specifier for an extension configuration discovery
+ // service. In case of a failure and without the default configuration, the
+ // listener closes the connections.
+ // Only one of typed_config or config_discovery can be used.
+ core.v3.ExtensionConfigSource config_discovery = 3;
 }

api/envoy/config/cluster/v3/outlier_detection.proto

@@ -2,6 +2,8 @@ syntax = "proto3";
 
 package envoy.config.cluster.v3;
 
+import "envoy/config/core/v3/extension.proto";
+
 import "google/protobuf/duration.proto";
 import "google/protobuf/wrappers.proto";
 
@@ -19,7 +21,7 @@ option (udpa.annotations.file_status).package_version_status = ACTIVE;
 
 // See the :ref:`architecture overview <arch_overview_outlier_detection>` for
 // more information on outlier detection.
-// [#next-free-field: 23]
+// [#next-free-field: 25]
 message OutlierDetection {
  option (udpa.annotations.versioning).previous_message_type =
  "envoy.api.v2.cluster.OutlierDetection";
@@ -161,4 +163,14 @@ message OutlierDetection {
  // See :ref:`max_ejection_time_jitter<envoy_v3_api_field_config.cluster.v3.OutlierDetection.base_ejection_time>`
  // Defaults to 0s.
  google.protobuf.Duration max_ejection_time_jitter = 22;
+
+ // If active health checking is enabled and a host is ejected by outlier detection, a successful active health check
+ // unejects the host by default and considers it as healthy. Unejection also clears all the outlier detection counters.
+ // To change this default behavior set this config to ``false`` where active health checking will not uneject the host.
+ // Defaults to true.
+ google.protobuf.BoolValue successful_active_health_check_uneject_host = 23;
+
+ // Set of host's passive monitors.
+ // [#not-implemented-hide:]
+ repeated core.v3.TypedExtensionConfig monitors = 24;
 }

api/envoy/config/common/matcher/v3/matcher.proto

@@ -6,8 +6,6 @@ import "envoy/config/core/v3/extension.proto";
 import "envoy/config/route/v3/route_components.proto";
 import "envoy/type/matcher/v3/string.proto";
 
-import "xds/annotations/v3/status.proto";
-
 import "udpa/annotations/status.proto";
 import "validate/validate.proto";
 
@@ -24,9 +22,10 @@ option (udpa.annotations.file_status).package_version_status = ACTIVE;
 // is found the action specified by the most specific on_no_match will be evaluated.
 // As an on_no_match might result in another matching tree being evaluated, this process
 // might repeat several times until the final OnMatch (or no match) is decided.
+//
+// .. note::
+// Please use the syntactically equivalent :ref:`matching API <envoy_v3_api_msg_.xds.type.matcher.v3.Matcher>`
 message Matcher {
- option (xds.annotations.v3.message_status).work_in_progress = true;
-
  // What to do if a match is successful.
  message OnMatch {
  oneof on_match {

api/envoy/config/core/v3/address.proto

@@ -2,6 +2,7 @@ syntax = "proto3";
 
 package envoy.config.core.v3;
 
+import "envoy/config/core/v3/extension.proto";
 import "envoy/config/core/v3/socket_option.proto";
 
 import "google/protobuf/wrappers.proto";
@@ -130,7 +131,7 @@ message ExtraSourceAddress {
  SocketOptionsOverride socket_options = 2;
 }
 
-// [#next-free-field: 6]
+// [#next-free-field: 7]
 message BindConfig {
  option (udpa.annotations.versioning).previous_message_type = "envoy.api.v2.core.BindConfig";
 
@@ -150,20 +151,22 @@ message BindConfig {
  // precompiled binaries.
  repeated SocketOption socket_options = 3;
 
- // Extra source addresses appended to the address specified in the `source_address`
- // field. This enables to specify multiple source addresses. Currently, only one extra
- // address can be supported, and the extra address should have a different IP version
- // with the address in the `source_address` field. The address which has the same IP
- // version with the target host's address IP version will be used as bind address. If more
- // than one extra address specified, only the first address matched IP version will be
- // returned. If there is no same IP version address found, the address in the `source_address`
- // will be returned.
+ // Extra source addresses appended to the address specified in the ``source_address``
+ // field. This enables to specify multiple source addresses.
+ // The source address selection is determined by :ref:`local_address_selector
+ // <envoy_v3_api_field_config.core.v3.BindConfig.local_address_selector>`.
  repeated ExtraSourceAddress extra_source_addresses = 5;
 
  // Deprecated by
  // :ref:`extra_source_addresses <envoy_v3_api_field_config.core.v3.BindConfig.extra_source_addresses>`
  repeated SocketAddress additional_source_addresses = 4
  [deprecated = true, (envoy.annotations.deprecated_at_minor_version) = "3.0"];
+
+ // Custom local address selector to override the default (i.e.
+ // :ref:`DefaultLocalAddressSelector
+ // <envoy_v3_api_msg_config.upstream.local_address_selector.v3.DefaultLocalAddressSelector>`).
+ // [#extension-category: envoy.upstream.local_address_selector]
+ TypedExtensionConfig local_address_selector = 6;
 }
 
 // Addresses specify either a logical or physical address and port, which are