Merge remote-tracking branch 'upstream/main' into od_ext_impl

Signed-off-by: Christoph Pakulski <paker8848@gmail.com>

api/envoy/config/cluster/v3/cluster.proto

@@ -45,7 +45,7 @@ message ClusterCollection {
 }
 
 // Configuration for a single upstream cluster.
-// [#next-free-field: 57]
+// [#next-free-field: 58]
 message Cluster {
   option (udpa.annotations.versioning).previous_message_type = "envoy.api.v2.Cluster";
 
@@ -1151,6 +1151,22 @@ message Cluster {
   // from the LRS stream here.]
   core.v3.ConfigSource lrs_server = 42;
 
+  // [#not-implemented-hide:]
+  // A list of metric names from ORCA load reports to propagate to LRS.
+  //
+  // For map fields in the ORCA proto, the string will be of the form ``<map_field_name>.<map_key>``.
+  // For example, the string ``named_metrics.foo`` will mean to look for the key ``foo`` in the ORCA
+  // ``named_metrics`` field.
+  //
+  // The special map key ``*`` means to report all entries in the map (e.g., ``named_metrics.*`` means to
+  // report all entries in the ORCA named_metrics field). Note that this should be used only with trusted
+  // backends.
+  //
+  // The metric names in LRS will follow the same semantics as this field. In other words, if this field
+  // contains ``named_metrics.foo``, then the LRS load report will include the data with that same string
+  // as the key.
+  repeated string lrs_report_endpoint_metric = 57;
+
   // If track_timeout_budgets is true, the :ref:`timeout budget histograms
   // <config_cluster_manager_cluster_stats_timeout_budgets>` will be published for each
   // request. These show what percentage of a request's per try and global timeout was used. A value

api/envoy/config/core/v3/protocol.proto

@@ -125,10 +125,10 @@ message UpstreamHttpProtocolOptions {
   bool auto_sni = 1;
 
   // Automatic validate upstream presented certificate for new upstream connections based on the
-  // server name derived via one of the auto SNI mechanisms.
-  // This field is intended to be set with one of ``auto_sni`` or ``auto_sni_from_upstream`` fields.
-  // Does nothing if a filter before the http router filter sets the corresponding metadata and if server name
-  // is derived from a downstream header (when only ``auto_sni`` field is set).
+  // downstream HTTP host/authority header or any other arbitrary header when :ref:`override_auto_sni_header <envoy_v3_api_field_config.core.v3.UpstreamHttpProtocolOptions.override_auto_sni_header>`
+  // is set, as seen by the :ref:`router filter <config_http_filters_router>`.
+  // This field is intended to be set with ``auto_sni`` field.
+  // Does nothing if a filter before the http router filter sets the corresponding metadata.
   bool auto_san_validation = 2;
 
   // An optional alternative to the host/authority header to be used for setting the SNI value.
@@ -141,10 +141,6 @@ message UpstreamHttpProtocolOptions {
   // Does nothing if a filter before the http router filter sets the corresponding metadata.
   string override_auto_sni_header = 3
       [(validate.rules).string = {well_known_regex: HTTP_HEADER_NAME ignore_empty: true}];
-
-  // Alternative mechanism for derivation of the SNI value. It uses endpoint's :ref:`hostname <envoy_v3_api_field_config.endpoint.v3.Endpoint.hostname>` as the value, if ``hostname`` is set.
-  // If set, takes precedence over ``auto_sni``.
-  bool auto_sni_from_upstream = 4;
 }
 
 // Configures the alternate protocols cache which tracks alternate protocols that can be used to

api/envoy/config/endpoint/v3/load_report.proto

@@ -25,7 +25,7 @@ option (udpa.annotations.file_status).package_version_status = ACTIVE;
 // These are stats Envoy reports to the management server at a frequency defined by
 // :ref:`LoadStatsResponse.load_reporting_interval<envoy_v3_api_field_service.load_stats.v3.LoadStatsResponse.load_reporting_interval>`.
 // Stats per upstream region/zone and optionally per subzone.
-// [#next-free-field: 12]
+// [#next-free-field: 15]
 message UpstreamLocalityStats {
   option (udpa.annotations.versioning).previous_message_type =
       "envoy.api.v2.endpoint.UpstreamLocalityStats";
@@ -75,7 +75,20 @@ message UpstreamLocalityStats {
   // [#not-implemented-hide:]
   uint64 total_fail_connections = 11 [(xds.annotations.v3.field_status).work_in_progress = true];
 
-  // Stats for multi-dimensional load balancing.
+  // CPU utilization stats for multi-dimensional load balancing.
+  // This typically comes from endpoint metrics reported via ORCA.
+  UnnamedEndpointLoadMetricStats cpu_utilization = 12;
+
+  // Memory utilization for multi-dimensional load balancing.
+  // This typically comes from endpoint metrics reported via ORCA.
+  UnnamedEndpointLoadMetricStats mem_utilization = 13;
+
+  // Blended application-defined utilization for multi-dimensional load balancing.
+  // This typically comes from endpoint metrics reported via ORCA.
+  UnnamedEndpointLoadMetricStats application_utilization = 14;
+
+  // Named stats for multi-dimensional load balancing.
+  // These typically come from endpoint metrics reported via ORCA.
   repeated EndpointLoadMetricStats load_metric_stats = 5;
 
   // Endpoint granularity stats information for this locality. This information
@@ -145,6 +158,16 @@ message EndpointLoadMetricStats {
   double total_metric_value = 3;
 }
 
+// Same as EndpointLoadMetricStats, except without the metric_name field.
+message UnnamedEndpointLoadMetricStats {
+  // Number of calls that finished and included this metric.
+  uint64 num_requests_finished_with_metric = 1;
+
+  // Sum of metric values across all calls that finished with this metric for
+  // load_reporting_interval.
+  double total_metric_value = 2;
+}
+
 // Per cluster load stats. Envoy reports these stats a management server in a
 // :ref:`LoadStatsRequest<envoy_v3_api_msg_service.load_stats.v3.LoadStatsRequest>`
 // Next ID: 7

api/envoy/extensions/tracers/opentelemetry/resource_detectors/v3/static_config_resource_detector.proto

@@ -0,0 +1,23 @@
+syntax = "proto3";
+
+package envoy.extensions.tracers.opentelemetry.resource_detectors.v3;
+
+import "udpa/annotations/status.proto";
+
+option java_package = "io.envoyproxy.envoy.extensions.tracers.opentelemetry.resource_detectors.v3";
+option java_outer_classname = "StaticConfigResourceDetectorProto";
+option java_multiple_files = true;
+option go_package = "github.com/envoyproxy/go-control-plane/envoy/extensions/tracers/opentelemetry/resource_detectors/v3;resource_detectorsv3";
+option (udpa.annotations.file_status).package_version_status = ACTIVE;
+
+// [#protodoc-title: Static Config Resource Detector config]
+
+// Configuration for the Static Resource detector extension.
+// The resource detector uses static config for resource attribute,
+// as per the OpenTelemetry specification.
+//
+// [#extension: envoy.tracers.opentelemetry.resource_detectors.static_config]
+message StaticConfigResourceDetectorConfig {
+  // Custom Resource attributes to be included.
+  map<string, string> attributes = 1;
+}

changelogs/current.yaml

@@ -260,6 +260,9 @@ bug_fixes:
   change: |
     Fixed missing :ref:`additional addresses <envoy_v3_api_msg_config.endpoint.v3.Endpoint.AdditionalAddress>`
     for :ref:`LbEndpoint <envoy_v3_api_field_config.endpoint.v3.LbEndpoint.endpoint>` in config dump.
+- area: tracing
+  change: |
+    Added support to configure a static config resource detector for the OpenTelemetry tracer.
 - area: http
   change: |
     Fixed a bug where additional :ref:`cookie attributes <envoy_v3_api_msg_config.route.v3.RouteAction.HashPolicy.cookie>`
@@ -524,11 +527,6 @@ new_features:
     QUIC stream reset error code will be added to transport failure reason.
     This behavior can be reverted by setting the runtime flag ``envoy.reloadable_features.report_stream_reset_error_code``
     to false.
-- area: conn pool
-  change: |
-    Added :ref:`auto_sni_from_upstream <envoy_v3_api_field_config.core.v3.UpstreamHttpProtocolOptions.auto_sni_from_upstream>`
-    to use value of :ref:`hostnames <envoy_v3_api_field_config.endpoint.v3.Endpoint.hostname>` of
-    upstream cluster's endpoints as the value for SNI.
 - area: outlier detection
   change: |
     Added :ref:`extensions framework<envoy_v3_api_field_config.cluster.v3.OutlierDetection.monitors>` and implementation of

contrib/golang/filters/http/test/test_data/property/go.mod

@@ -4,7 +4,7 @@ go 1.20
 
 require (
 	github.com/envoyproxy/envoy v1.24.0
-	google.golang.org/protobuf v1.34.1
+	google.golang.org/protobuf v1.34.2
 )
 
 replace github.com/envoyproxy/envoy => ../../../../../../../

docs/root/faq/configuration/sni.rst

@@ -76,8 +76,6 @@ To derive SNI from a downstream HTTP header like, ``host`` or ``:authority``, tu
 :ref:`auto_sni <envoy_v3_api_field_config.core.v3.UpstreamHttpProtocolOptions.auto_sni>` to override the fixed SNI in
 :ref:`UpstreamTlsContext <envoy_v3_api_msg_extensions.transport_sockets.tls.v3.UpstreamTlsContext>`. A custom header other than the ``host`` or ``:authority`` can also be supplied using the optional
 :ref:`override_auto_sni_header <envoy_v3_api_field_config.core.v3.UpstreamHttpProtocolOptions.override_auto_sni_header>` field.
-Alternatively :ref:`hostnames <envoy_v3_api_field_config.endpoint.v3.Endpoint.hostname>` of cluster's endpoints can be used as the value for SNI.
-Turn on :ref:`auto_sni_from_upstream <envoy_v3_api_field_config.core.v3.UpstreamHttpProtocolOptions.auto_sni_from_upstream>` to enable this mechanism.
 If upstream will present certificates with the hostname in SAN, turn on
 :ref:`auto_san_validation <envoy_v3_api_field_config.core.v3.UpstreamHttpProtocolOptions.auto_san_validation>` too.
 It still needs a trust CA in validation context in :ref:`UpstreamTlsContext <envoy_v3_api_msg_extensions.transport_sockets.tls.v3.UpstreamTlsContext>` for trust anchor.

examples/opentelemetry/Dockerfile-opentelemetry

@@ -1,7 +1,7 @@
-FROM alpine:3.20@sha256:b89d9c93e9ed3597455c90a0b88a8bbb5cb7188438f70953fede212a0c4394e0 as otelc_curl
+FROM alpine:3.20@sha256:b89d9c93e9ed3597455c90a0b88a8bbb5cb7188438f70953fede212a0c4394e0 AS otelc_curl
 RUN apk --update add curl
 
-FROM otel/opentelemetry-collector:latest@sha256:f93f0cd9b8179ad14d36f2b421ec0a6745d4c53e93ae7b01fcb76773e0bd9fdf
+FROM otel/opentelemetry-collector:latest@sha256:56b275978745d866d4e8bcb15de9e51ef259b61210b87c387bfd336a30a69acb
 
 COPY --from=otelc_curl / /
 

examples/shared/envoy/Dockerfile

@@ -2,7 +2,7 @@ ARG ENVOY_IMAGE="${ENVOY_IMAGE:-envoyproxy/envoy}"
 ARG ENVOY_VARIANT="${ENVOY_VARIANT:-dev}"
 
 
-FROM ${ENVOY_IMAGE}:${ENVOY_VARIANT} as envoy-base
+FROM ${ENVOY_IMAGE}:${ENVOY_VARIANT} AS envoy-base
 ARG ENVOY_CONFIG=envoy.yaml
 ENV ENVOY_CONFIG="$ENVOY_CONFIG"
 ENV DEBIAN_FRONTEND=noninteractive
@@ -15,7 +15,7 @@ RUN --mount=type=cache,target=/var/cache/apt,sharing=locked \
 COPY --chmod=777 "$ENVOY_CONFIG" /etc/envoy.yaml
 CMD ["/usr/local/bin/envoy", "-c", "/etc/envoy.yaml"]
 
-FROM envoy-base as envoy-admin
+FROM envoy-base AS envoy-admin
 ARG ENVOY_ADMIN_PORT=10001
 ENV ENVOY_ADMIN_PORT="$ENVOY_ADMIN_PORT"
 HEALTHCHECK \
@@ -26,15 +26,15 @@ HEALTHCHECK \
     CMD curl -s "localhost:${ENVOY_ADMIN_PORT}/stats?filter=server.state" | grep 0 \
              && curl -s "localhost:${ENVOY_ADMIN_PORT}/stats?filter=listener_manager.workers_started" | grep 1
 
-FROM envoy-base as envoy-fault-injection
+FROM envoy-base AS envoy-fault-injection
 RUN --mount=type=cache,target=/var/cache/apt,sharing=locked \
     --mount=type=cache,target=/var/lib/apt/lists,sharing=locked \
     apt-get -qq update -y \
     && apt-get -qq install --no-install-recommends -y tree
 COPY enable_delay_fault_injection.sh disable_delay_fault_injection.sh enable_abort_fault_injection.sh disable_abort_fault_injection.sh send_request.sh /
 
 
-FROM envoy-base as envoy-jaeger-native
+FROM envoy-base AS envoy-jaeger-native
 #
 # for discussion on jaeger binary compatibility, and the source of the file, see here:
 #  https://github.com/envoyproxy/envoy/issues/11382#issuecomment-638012072
@@ -47,7 +47,7 @@ RUN echo "4a7d17d4724ee890490bcd6cfdedb12a02316a3d33214348d30979abd201f1ca /usr/
          && rm /tmp/checksum
 
 
-FROM envoy-base as envoy-load-balancing
+FROM envoy-base AS envoy-load-balancing
 RUN --mount=type=cache,target=/var/cache/apt,sharing=locked \
     --mount=type=cache,target=/var/lib/apt/lists,sharing=locked \
     apt-get -qq update -y \
@@ -56,40 +56,40 @@ COPY ./client.py /client.py
 EXPOSE 8001
 
 
-FROM envoy-base as envoy-double-proxy-base
+FROM envoy-base AS envoy-double-proxy-base
 COPY --chmod=777 ./certs/ca.crt /certs/cacert.pem
 
 
-FROM envoy-double-proxy-base as envoy-double-proxy-frontend
+FROM envoy-double-proxy-base AS envoy-double-proxy-frontend
 COPY  --chmod=777 ./certs/postgres-frontend.example.com.crt /certs/clientcert.pem
 COPY  --chmod=777 ./certs/example.com.key /certs/clientkey.pem
 
 
-FROM envoy-double-proxy-base as envoy-double-proxy-backend
+FROM envoy-double-proxy-base AS envoy-double-proxy-backend
 COPY --chmod=777 ./certs/postgres-backend.example.com.crt /certs/servercert.pem
 COPY --chmod=777 ./certs/example.com.key /certs/serverkey.pem
 
 
-FROM envoy-base as envoy-certs
+FROM envoy-base AS envoy-certs
 COPY --chmod=777 ./certs /certs
 
 
-FROM envoy-base as envoy-lua
+FROM envoy-base AS envoy-lua
 ADD  --chmod=777 ./lib/mylibrary.lua /lib/mylibrary.lua
 
 
-FROM envoy-base as envoy-go
+FROM envoy-base AS envoy-go
 ENV GODEBUG=cgocheck=0
 COPY --chmod=777 ./lib/simple.so /lib/simple.so
 
 
-FROM envoy-base as envoy-ext_authz
+FROM envoy-base AS envoy-ext_authz
 COPY --chmod=777 ./config /etc/envoy-config
 COPY --chmod=777 ./run_envoy.sh /run_envoy.sh
 CMD ["/bin/sh", "/run_envoy.sh"]
 
 
-FROM envoy-base as envoy-dynamic-fs
+FROM envoy-base AS envoy-dynamic-fs
 COPY --chmod=777 ./configs /var/lib/envoy
 
 

examples/shared/golang/Dockerfile

@@ -1,20 +1,20 @@
-FROM debian:bookworm-slim@sha256:f528891ab1aa484bf7233dbcc84f3c806c3e427571d75510a9d74bb5ec535b33 as os-base
+FROM debian:bookworm-slim@sha256:f528891ab1aa484bf7233dbcc84f3c806c3e427571d75510a9d74bb5ec535b33 AS os-base
 RUN rm -f /etc/apt/apt.conf.d/docker-clean \
     && echo 'Binary::apt::APT::Keep-Downloaded-Packages "true";' | tee /etc/apt/apt.conf.d/keep-cache
 
 
-FROM golang:1.22.5-bookworm@sha256:6c2780255bb7b881e904e303be0d7a079054160b2ce1efde446693c0850a39ad as golang-base
+FROM golang:1.22.5-bookworm@sha256:6c2780255bb7b881e904e303be0d7a079054160b2ce1efde446693c0850a39ad AS golang-base
 
 
-FROM golang-base as golang-control-plane-builder
+FROM golang-base AS golang-control-plane-builder
 ARG GO_RESOURCE=resource.go
 RUN git clone https://github.com/envoyproxy/go-control-plane && cd go-control-plane && git checkout b4adc3bb5fe5288bff01cd452dad418ef98c676e
 ADD "$GO_RESOURCE" /go/go-control-plane/internal/example/resource.go
 RUN cd go-control-plane && make bin/example
 WORKDIR /go/go-control-plane
 
 
-FROM os-base as golang-control-plane
+FROM os-base AS golang-control-plane
 ENV DEBIAN_FRONTEND=noninteractive
 RUN --mount=type=cache,target=/var/cache/apt,sharing=locked \
     --mount=type=cache,target=/var/lib/apt/lists,sharing=locked \
@@ -23,23 +23,23 @@ RUN --mount=type=cache,target=/var/cache/apt,sharing=locked \
 COPY --from=golang-control-plane-builder /go/go-control-plane/bin/example /usr/local/bin/example
 
 
-FROM golang-base as golang-base-builder
+FROM golang-base AS golang-base-builder
 ARG GO_APP=.
 ARG GO_APP_NAME=grpc-service
 RUN echo "COPY $GO_APP -> ${GO_APP_NAME} ..."
 COPY "$GO_APP" /app
 
 
-FROM golang-base-builder as golang-grpc-auth-builder
+FROM golang-base-builder AS golang-grpc-auth-builder
 RUN make -C "/app/${GO_APP_NAME}"
 
 
-FROM os-base as golang-grpc-auth
+FROM os-base AS golang-grpc-auth
 COPY --from=golang-grpc-auth-builder /app/grpc-service/server /app/server
 CMD ["/app/server", "-users", "/etc/users.json"]
 
 
-FROM golang-base as golang-grpc-server-builder
+FROM golang-base AS golang-grpc-server-builder
 WORKDIR /build
 # Resolve and build Go dependencies as Docker cache
 COPY go.mod /build/go.mod
@@ -55,14 +55,14 @@ ENV CGO_ENABLED=0
 RUN go build -o server
 
 
-FROM os-base as golang-grpc-server
+FROM os-base AS golang-grpc-server
 WORKDIR /root/
 # Copy the linux amd64 binary
 COPY --from=golang-grpc-server-builder /build/server /bin/
 ENTRYPOINT /bin/server
 
 
-FROM golang-base as golang-lrs-builder
+FROM golang-base AS golang-lrs-builder
 COPY ./server /go/src/github.com/envoyproxy/envoy/example/load-reporting-service/server
 COPY *.go /go/src/github.com/envoyproxy/envoy/example/load-reporting-service/
 COPY go.sum /go/src/github.com/envoyproxy/envoy/example/load-reporting-service
@@ -72,6 +72,6 @@ RUN go mod download \
     && go install /go/src/github.com/envoyproxy/envoy/example/load-reporting-service
 
 
-FROM os-base as golang-lrs
+FROM os-base AS golang-lrs
 COPY --from=golang-lrs-builder /go/bin/load-reporting-service /usr/local/bin/load-reporting-service
 CMD ["load-reporting-service"]

examples/shared/jaeger/Dockerfile

@@ -1,4 +1,4 @@
-FROM jaegertracing/all-in-one@sha256:af17a39bf9e720f623a940df4a0ab079f360ed1a312f207d4b842186e1459637
+FROM jaegertracing/all-in-one@sha256:5734f22d8aacb7cd2998f9a62d409c1bf789dc33524d65766b8c897d658a1d04
 HEALTHCHECK \
     --interval=1s \
     --timeout=1s \

examples/shared/node/Dockerfile

@@ -1,7 +1,7 @@
-FROM node:22.4-bookworm-slim@sha256:14e3e539464a5a77bb5fd8f613cbd54d1842a900e7f4ce06f47e42f6a89a83e4 as node-base
+FROM node:22.4-bookworm-slim@sha256:14e3e539464a5a77bb5fd8f613cbd54d1842a900e7f4ce06f47e42f6a89a83e4 AS node-base
 
 
-FROM node-base as node-http-auth
+FROM node-base AS node-http-auth
 ARG NODE_APP=.
 ARG NODE_APP_NAME=http-service/server
 # Add an env to save ARG
@@ -11,7 +11,7 @@ COPY "$NODE_APP" /app
 CMD node $NODE_APP_PATH
 
 
-FROM node-base as yarn
+FROM node-base AS yarn
 ARG SERVICE_PORT=3000
 ENV DEBIAN_FRONTEND=noninteractive \
     SERVICE_PORT=$SERVICE_PORT
@@ -31,5 +31,5 @@ HEALTHCHECK \
     CMD nc -zv localhost "$SERVICE_PORT"
 
 
-FROM yarn as yarn-routed
+FROM yarn AS yarn-routed
 COPY --chmod=755 ./scripts/build-routed.sh /usr/local/bin/build.sh