MAISTRA-2242 Cherry-pick envoyproxy/envoy#14884

api/envoy/extensions/transport_sockets/tls/v3/common.proto

@@ -3,6 +3,7 @@ syntax = "proto3";
 package envoy.extensions.transport_sockets.tls.v3;
 
 import "envoy/config/core/v3/base.proto";
+import "envoy/config/core/v3/extension.proto";
 import "envoy/type/matcher/v3/string.proto";
 
 import "google/protobuf/any.proto";
@@ -191,7 +192,7 @@ message TlsSessionTicketKeys {
       [(validate.rules).repeated = {min_items: 1}, (udpa.annotations.sensitive) = true];
 }
 
-// [#next-free-field: 11]
+// [#next-free-field: 13]
 message CertificateValidationContext {
   option (udpa.annotations.versioning).previous_message_type =
       "envoy.api.v2.auth.CertificateValidationContext";
@@ -337,4 +338,16 @@ message CertificateValidationContext {
   // Certificate trust chain verification mode.
   TrustChainVerification trust_chain_verification = 10
       [(validate.rules).enum = {defined_only: true}];
+
+  // The configuration of an extension specific certificate validator.
+  // If specified, all validation is done by the specified validator,
+  // and the behavior of all other validation settings is defined by the specified validator (and may be entirely ignored, unused, and unvalidated).
+  // Refer to the documentation for the specified validator. If you do not want a custom validation algorithm, do not set this field.
+  // The following names are available here:
+  //
+  // .. _extension_envoy.tls.cert_validator.spiffe:
+  //
+  // **envoy.tls.cert_validator.spiffe**: `SPIFFE <https://github.com/spiffe/spiffe>`_ certificate validator.
+  // Please refer to :ref:`envoy.extensions.transport_sockets.tls.v3.SPIFFECertValidatorConfig <envoy_v3_api_msg_extensions.transport_sockets.tls.v3.SPIFFECertValidatorConfig>` for more information.
+  config.core.v3.TypedExtensionConfig custom_validator_config = 12;
 }

api/envoy/extensions/transport_sockets/tls/v3/tls_spiffe_validator_config.proto

@@ -0,0 +1,54 @@
+syntax = "proto3";
+
+package envoy.extensions.transport_sockets.tls.v3;
+
+import "envoy/config/core/v3/base.proto";
+
+import "udpa/annotations/sensitive.proto";
+import "udpa/annotations/status.proto";
+import "udpa/annotations/versioning.proto";
+import "validate/validate.proto";
+
+option java_package = "io.envoyproxy.envoy.extensions.transport_sockets.tls.v3";
+option java_outer_classname = "TlsSpiffeValidatorConfigProto";
+option java_multiple_files = true;
+option (udpa.annotations.file_status).package_version_status = ACTIVE;
+
+// [#protodoc-title: SPIFFE Certificate Validator]
+
+// Configuration specific to the SPIFFE certificate validator provided at
+// :ref:`envoy.extensions.transport_sockets.tls.v3.CertificateValidationContext.custom_validator_config<envoy_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.custom_validator_config>`.
+//
+// Example:
+//
+// .. code-block:: yaml
+//
+//  custom_validator_config:
+//    name: envoy.tls.cert_validator.spiffe
+//    typed_config:
+//      "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.SPIFFECertValidatorConfig
+//      trust_domains:
+//      - name: foo.com
+//        trust_bundle:
+//          filename: "foo.pem"
+//      - name: envoy.com
+//        trust_bundle:
+//          filename: "envoy.pem"
+//
+// In this example, a presented peer certificate whose SAN matches `spiffe//foo.com/**` is validated against
+// the "foo.pem" x.509 certificate. All the trust bundles are isolated from each other, so no trust domain can mint
+// a SVID belonging to another trust domain. That means, in this example, a SVID signed by `envoy.com`'s CA with `spiffe//foo.com/**`
+// SAN would be rejected since Envoy selects the trust bundle according to the presented SAN before validate the certificate.
+message SPIFFECertValidatorConfig {
+  message TrustDomain {
+    // Name of the trust domain, `example.com`, `foo.bar.gov` for example.
+    // Note that this must *not* have "spiffe://" prefix.
+    string name = 1 [(validate.rules).string = {min_len: 1}];
+
+    // Specify a data source holding x.509 trust bundle used for validating incoming SVID(s) in this trust domain.
+    config.core.v3.DataSource trust_bundle = 2;
+  }
+
+  // This field specifies trust domains used for validating incoming X.509-SVID(s).
+  repeated TrustDomain trust_domains = 1 [(validate.rules).repeated = {min_items: 1}];
+}

bazel/envoy_library.bzl

@@ -62,6 +62,37 @@ EXTENSION_SECURITY_POSTURES = [
     "data_plane_agnostic",
 ]
 
+# Extension categories as defined by factories
+EXTENSION_CATEGORIES = [
+    "envoy.access_loggers",
+    "envoy.bootstrap",
+    "envoy.clusters",
+    "envoy.compression.compressor",
+    "envoy.compression.decompressor",
+    "envoy.filters.http",
+    "envoy.filters.listener",
+    "envoy.filters.network",
+    "envoy.filters.udp_listener",
+    "envoy.grpc_credentials",
+    "envoy.guarddog_actions",
+    "envoy.health_checkers",
+    "envoy.internal_redirect_predicates",
+    "envoy.io_socket",
+    "envoy.rate_limit_descriptors",
+    "envoy.resource_monitors",
+    "envoy.retry_host_predicates",
+    "envoy.retry_priorities",
+    "envoy.stats_sinks",
+    "envoy.thrift_proxy.filters",
+    "envoy.tracers",
+    "envoy.transport_sockets.downstream",
+    "envoy.transport_sockets.upstream",
+    "envoy.tls.cert_validator",
+    "envoy.upstreams",
+    "envoy.wasm.runtime",
+    "DELIBERATELY_OMITTED",
+]
+
 EXTENSION_STATUS_VALUES = [
     # This extension is stable and is expected to be production usable.
     "stable",

docs/root/version_history/current.rst

@@ -108,5 +108,34 @@ New Features
 * xds: added support for resource TTLs. A TTL is specified on the :ref:`Resource <envoy_api_msg_Resource>`. For SotW, a :ref:`Resource <envoy_api_msg_Resource>` can be embedded
   in the list of resources to specify the TTL.
 
+* access log: added the :ref:`formatters <envoy_v3_api_field_config.core.v3.SubstitutionFormatString.formatters>` extension point for custom formatters (command operators).
+* access log: support command operator: %FILTER_CHAIN_NAME% for the downstream tcp and http request.
+* access log: support command operator: %REQUEST_HEADERS_BYTES%, %RESPONSE_HEADERS_BYTES%, and %RESPONSE_TRAILERS_BYTES%.
+* compression: add brotli :ref:`compressor <envoy_v3_api_msg_extensions.compression.brotli.compressor.v3.Brotli>` and :ref:`decompressor <envoy_v3_api_msg_extensions.compression.brotli.decompressor.v3.Brotli>`.
+* config: add `envoy.features.fail_on_any_deprecated_feature` runtime key, which matches the behaviour of compile-time flag `ENVOY_DISABLE_DEPRECATED_FEATURES`, i.e. use of deprecated fields will cause a crash.
+* config: the ``Node`` :ref:`dynamic context parameters <envoy_v3_api_field_config.core.v3.Node.dynamic_parameters>` are populated in discovery requests when set on the server instance.
+* dispatcher: supports a stack of `Envoy::ScopeTrackedObject` instead of a single tracked object. This will allow Envoy to dump more debug information on crash.
+* ext_authz: added :ref:`response_headers_to_add <envoy_v3_api_field_service.auth.v3.OkHttpResponse.response_headers_to_add>` to support sending response headers to downstream clients on OK authorization checks via gRPC.
+* ext_authz: added :ref:`allowed_client_headers_on_success <envoy_v3_api_field_extensions.filters.http.ext_authz.v3.AuthorizationResponse.allowed_client_headers_on_success>` to support sending response headers to downstream clients on OK external authorization checks via HTTP.
+* grpc_json_transcoder: added :ref:`request_validation_options <envoy_v3_api_field_extensions.filters.http.grpc_json_transcoder.v3.GrpcJsonTranscoder.request_validation_options>` to reject invalid requests early.
+* grpc_json_transcoder: filter can now be configured on per-route/per-vhost level as well. Leaving empty list of services in the filter configuration disables transcoding on the specific route.
+* http: added support for `Envoy::ScopeTrackedObject` for HTTP/1 and HTTP/2 dispatching. Crashes while inside the dispatching loop should dump debug information.
+* http: added support for :ref:`preconnecting <envoy_v3_api_msg_config.cluster.v3.Cluster.PreconnectPolicy>`. Preconnecting is off by default, but recommended for clusters serving latency-sensitive traffic, especially if using HTTP/1.1.
+* http: added new runtime config `envoy.reloadable_features.check_unsupported_typed_per_filter_config`, the default value is true. When the value is true, envoy will reject virtual host-specific typed per filter config when the filter doesn't support it.
+* http: change frame flood and abuse checks to the upstream HTTP/2 codec to ON by default. It can be disabled by setting the `envoy.reloadable_features.upstream_http2_flood_checks` runtime key to false.
+* json: introduced new JSON parser (https://github.com/nlohmann/json) to replace RapidJSON. The new parser is disabled by default. To test the new RapidJSON parser, enable the runtime feature `envoy.reloadable_features.remove_legacy_json`.
+* log: added a new custom flag ``%j`` to the log pattern to print the actual message to log as JSON escaped string.
+* original_dst: added support for :ref:`Original Destination <config_listener_filters_original_dst>` on Windows. This enables the use of Envoy as a sidecar proxy on Windows.
+* overload: add support for scaling :ref:`transport connection timeouts<envoy_v3_api_enum_value_config.overload.v3.ScaleTimersOverloadActionConfig.TimerType.TRANSPORT_SOCKET_CONNECT>`. This can be used to reduce the TLS handshake timeout in response to overload.
+* postgres: added ability to :ref:`terminate SSL<envoy_v3_api_field_extensions.filters.network.postgres_proxy.v3alpha.PostgresProxy.terminate_ssl>`.
+* route config: added :ref:`allow_post field <envoy_v3_api_field_config.route.v3.RouteAction.UpgradeConfig.ConnectConfig.allow_post>` for allowing POST payload as raw TCP.
+* route config: added :ref:`max_direct_response_body_size_bytes <envoy_v3_api_field_config.route.v3.RouteConfiguration.max_direct_response_body_size_bytes>` to set maximum :ref:`direct response body <envoy_v3_api_field_config.route.v3.DirectResponseAction.body>` size in bytes. If not specified the default remains 4096 bytes.
+* server: added *fips_mode* to :ref:`server compilation settings <server_compilation_settings_statistics>` related statistic.
+* tcp_proxy: add support for converting raw TCP streams into HTTP/1.1 CONNECT requests. See :ref:`upgrade documentation <tunneling-tcp-over-http>` for details.
+* tcp_proxy: added a :ref:`use_post field <envoy_v3_api_field_extensions.filters.network.tcp_proxy.v3.TcpProxy.TunnelingConfig.use_post>` for using HTTP POST to proxy TCP streams.
+* tcp_proxy: added a :ref:`headers_to_add field <envoy_v3_api_field_extensions.filters.network.tcp_proxy.v3.TcpProxy.TunnelingConfig.headers_to_add>` for setting additional headers to the HTTP requests for TCP proxing.
+* thrift_proxy: added a :ref:`max_requests_per_connection field <envoy_v3_api_field_extensions.filters.network.thrift_proxy.v3.ThriftProxy.max_requests_per_connection>` for setting maximum requests for per downstream connection.
+* tls peer certificate validation: added :ref:`SPIFFE validator <envoy_v3_api_msg_extensions.transport_sockets.tls.v3.SPIFFECertValidatorConfig>` for supporting isolated multiple trust bundles in a single listener or cluster.
+
 Deprecated
 ----------