envoy: Bump to v1.29

ENVOY_VERSION

@@ -1 +1 @@
-envoy-1.28.2
+envoy-1.29.3

Makefile.api

@@ -27,7 +27,7 @@ PROTO_DEPS = \
 	-I bazel-proxy/external/opencensus_proto \
 	-I bazel-proxy/external/opentelemetry_proto \
 	-I bazel-proxy/external/prometheus_metrics_model \
-	-I bazel-proxy/external/com_github_cncf_udpa
+	-I bazel-proxy/external/com_github_cncf_xds
 
 GO_OUT = go
 

WORKSPACE

@@ -14,8 +14,8 @@ ENVOY_REPO = "envoy"
 #
 # No other line in this file may have ENVOY_SHA followed by an equals sign!
 #
-# renovate: datasource=github-releases depName=envoyproxy/envoy digestVersion=v1.28.2
-ENVOY_SHA = "aecedd842dd24f208a40e39898ab376967fee308"
+# renovate: datasource=github-releases depName=envoyproxy/envoy digestVersion=v1.29.3
+ENVOY_SHA = "10e1e425fd84cc2cde985179655da08f68c9cb30"
 
 # // clang-format off: unexpected @bazel_tools reference, please indirect via a definition in //bazel
 load("@bazel_tools//tools/build_defs/repo:git.bzl", "git_repository")
@@ -37,6 +37,9 @@ git_repository(
         "@//patches:0003-tcp_proxy-Add-filter-state-proxy_read_before_connect.patch",
         "@//patches:0004-listener-add-socket-options.patch",
         "@//patches:0005-ci-tests-Re-issue-test-certs-33389.patch",
+        # This patch is needed to fix the build with clang for envoy 1.29+
+        # https://github.com/envoyproxy/envoy/pull/31894
+        "@//patches:0006-Patch-cel-cpp-to-not-break-build.patch",
     ],
     # // clang-format off: Envoy's format check: Only repository_locations.bzl may contains URL references
     remote = "https://github.com/envoyproxy/envoy.git",

cilium/bpf_metadata.cc

@@ -84,17 +84,17 @@ namespace {
 
 std::shared_ptr<const Cilium::PolicyHostMap>
 createHostMap(Server::Configuration::ListenerFactoryContext& context) {
-  return context.singletonManager().getTyped<const Cilium::PolicyHostMap>(
+  return context.serverFactoryContext().singletonManager().getTyped<const Cilium::PolicyHostMap>(
       SINGLETON_MANAGER_REGISTERED_NAME(cilium_host_map), [&context] {
-        auto map = std::make_shared<Cilium::PolicyHostMap>(context);
-        map->startSubscription(context);
+        auto map = std::make_shared<Cilium::PolicyHostMap>(context.serverFactoryContext());
+        map->startSubscription(context.serverFactoryContext());
         return map;
       });
 }
 
 std::shared_ptr<const Cilium::NetworkPolicyMap>
 createPolicyMap(Server::Configuration::FactoryContext& context, Cilium::CtMapSharedPtr& ct) {
-  return context.singletonManager().getTyped<const Cilium::NetworkPolicyMap>(
+  return context.serverFactoryContext().singletonManager().getTyped<const Cilium::NetworkPolicyMap>(
       SINGLETON_MANAGER_REGISTERED_NAME(cilium_network_policy), [&context, &ct] {
         auto map = std::make_shared<Cilium::NetworkPolicyMap>(context, ct);
         map->startSubscription(context);
@@ -136,13 +136,13 @@ Config::Config(const ::cilium::BpfMetadata& config,
   // configured
   std::string bpf_root = config.bpf_root();
   if (bpf_root.length() > 0) {
-    ct_maps_ = context.singletonManager().getTyped<Cilium::CtMap>(
+    ct_maps_ = context.serverFactoryContext().singletonManager().getTyped<Cilium::CtMap>(
         SINGLETON_MANAGER_REGISTERED_NAME(cilium_bpf_conntrack), [&bpf_root] {
           // Even if opening the global maps fail, local maps may still succeed
           // later.
           return std::make_shared<Cilium::CtMap>(bpf_root);
         });
-    ipcache_ = context.singletonManager().getTyped<Cilium::IPCache>(
+    ipcache_ = context.serverFactoryContext().singletonManager().getTyped<Cilium::IPCache>(
         SINGLETON_MANAGER_REGISTERED_NAME(cilium_ipcache), [&bpf_root] {
           auto ipcache = std::make_shared<Cilium::IPCache>(bpf_root);
           if (!ipcache->Open()) {

cilium/l7policy.cc

@@ -3,15 +3,12 @@
 #include <string>
 
 #include "envoy/registry/registry.h"
-#include "envoy/singleton/manager.h"
 
 #include "source/common/buffer/buffer_impl.h"
-#include "source/common/common/enum_to_int.h"
 #include "source/common/config/utility.h"
 #include "source/common/http/header_map_impl.h"
 #include "source/common/http/utility.h"
 #include "source/common/network/upstream_server_name.h"
-#include "source/common/network/upstream_subject_alt_names.h"
 
 #include "cilium/api/l7policy.pb.validate.h"
 #include "cilium/network_policy.h"
@@ -22,7 +19,7 @@ namespace Cilium {
 
 class ConfigFactory : public Server::Configuration::NamedHttpFilterConfigFactory {
 public:
-  Http::FilterFactoryCb
+  absl::StatusOr<Http::FilterFactoryCb>
   createFilterFactoryFromProto(const Protobuf::Message& proto_config, const std::string&,
                                Server::Configuration::FactoryContext& context) override {
     auto config = std::make_shared<Cilium::Config>(
@@ -48,8 +45,8 @@ REGISTER_FACTORY(ConfigFactory, Server::Configuration::NamedHttpFilterConfigFact
 
 Config::Config(const std::string& access_log_path, const std::string& denied_403_body,
                Server::Configuration::FactoryContext& context)
-    : time_source_(context.timeSource()), stats_{ALL_CILIUM_STATS(
-                                              POOL_COUNTER_PREFIX(context.scope(), "cilium"))},
+    : time_source_(context.serverFactoryContext().timeSource()),
+      stats_{ALL_CILIUM_STATS(POOL_COUNTER_PREFIX(context.scope(), "cilium"))},
       denied_403_body_(denied_403_body), access_log_(nullptr) {
   if (access_log_path.length()) {
     access_log_ = AccessLog::Open(access_log_path);

cilium/network_filter.cc

@@ -56,7 +56,7 @@ namespace CiliumL3 {
 
 Config::Config(const ::cilium::NetworkFilter& config,
                Server::Configuration::FactoryContext& context)
-    : time_source_(context.timeSource()), access_log_(nullptr) {
+    : time_source_(context.serverFactoryContext().timeSource()), access_log_(nullptr) {
   const auto& access_log_path = config.access_log_path();
   if (access_log_path.length()) {
     access_log_ = Cilium::AccessLog::Open(access_log_path);

cilium/network_policy.cc

@@ -1063,28 +1063,30 @@ class PolicyInstanceImpl : public PolicyInstance {
 // Common base constructor
 // This is used directly for testing with a file-based subscription
 NetworkPolicyMap::NetworkPolicyMap(Server::Configuration::FactoryContext& context)
-    : tls_map_(context.threadLocal()),
-      local_ip_str_(context.localInfo().address()->ip()->addressAsString()),
+    : tls_map_(context.serverFactoryContext().threadLocal()),
+      local_ip_str_(context.serverFactoryContext().localInfo().address()->ip()->addressAsString()),
       name_(fmt::format("cilium.policymap.{}.{}.", local_ip_str_, ++instance_id_)),
-      scope_(context.serverScope().createScope(name_)),
+      scope_(context.serverFactoryContext().serverScope().createScope(name_)),
       init_target_(fmt::format("Cilium Network Policy subscription start"),
                    [this]() { subscription_->start({}); }),
       transport_factory_context_(
           std::make_shared<Server::Configuration::TransportSocketFactoryContextImpl>(
-              context.getServerFactoryContext(),
+              context.serverFactoryContext(),
               context.getTransportSocketFactoryContext().sslContextManager(), *scope_,
-              context.getServerFactoryContext().clusterManager(),
-              context.messageValidationContext().dynamicValidationVisitor())) {
+              context.serverFactoryContext().clusterManager(),
+              context.serverFactoryContext()
+                  .messageValidationContext()
+                  .dynamicValidationVisitor())) {
   // Use listener init manager for the first initialization
   transport_factory_context_->setInitManager(context.initManager());
   context.initManager().add(init_target_);
 
   ENVOY_LOG(trace, "NetworkPolicyMap({}) created.", name_);
   tls_map_.set([&](Event::Dispatcher&) { return std::make_shared<ThreadLocalPolicyMap>(); });
 
-  if (context.admin().has_value()) {
+  if (context.serverFactoryContext().admin().has_value()) {
     ENVOY_LOG(debug, "Registering NetworkPolicies to config tracker");
-    config_tracker_entry_ = context.admin()->getConfigTracker().add(
+    config_tracker_entry_ = context.serverFactoryContext().admin()->getConfigTracker().add(
         "networkpolicies", [this](const Matchers::StringMatcher& name_matcher) {
           return dumpNetworkPolicyConfigs(name_matcher);
         });
@@ -1104,9 +1106,11 @@ NetworkPolicyMap::NetworkPolicyMap(Server::Configuration::FactoryContext& contex
 // pointer is formed by the caller of the constructor, hence this
 // can't be called from the constructor!
 void NetworkPolicyMap::startSubscription(Server::Configuration::FactoryContext& context) {
-  subscription_ = subscribe("type.googleapis.com/cilium.NetworkPolicy", context.localInfo(),
-                            context.clusterManager(), context.mainThreadDispatcher(),
-                            context.api().randomGenerator(), *scope_, *this,
+  subscription_ = subscribe("type.googleapis.com/cilium.NetworkPolicy",
+                            context.serverFactoryContext().localInfo(),
+                            context.serverFactoryContext().clusterManager(),
+                            context.serverFactoryContext().mainThreadDispatcher(),
+                            context.serverFactoryContext().api().randomGenerator(), *scope_, *this,
                             std::make_shared<NetworkPolicyDecoder>());
 }
 

cilium/websocket_config.cc

@@ -47,14 +47,14 @@ Config::Config(Server::Configuration::FactoryContext& context, bool client,
                const std::string& key, const std::string& version, const std::string& origin,
                const ProtobufWkt::Duration& handshake_timeout,
                const ProtobufWkt::Duration& ping_interval, bool ping_when_idle)
-    : time_source_(context.timeSource()),
-      dispatcher_(context.mainThreadDispatcher()), stats_{ALL_WEBSOCKET_STATS(POOL_COUNTER_PREFIX(
-                                                       context.scope(), "websocket"))},
-      random_(context.api().randomGenerator()), client_(client), host_(absl::AsciiStrToLower(host)),
-      path_(absl::AsciiStrToLower(path)), key_(key), version_(absl::AsciiStrToLower(version)),
-      origin_(absl::AsciiStrToLower(origin)), handshake_timeout_(std::chrono::seconds(5)),
-      ping_interval_(std::chrono::milliseconds(0)), ping_when_idle_(ping_when_idle),
-      access_log_(nullptr) {
+    : time_source_(context.serverFactoryContext().timeSource()),
+      dispatcher_(context.serverFactoryContext().mainThreadDispatcher()),
+      stats_{ALL_WEBSOCKET_STATS(POOL_COUNTER_PREFIX(context.scope(), "websocket"))},
+      random_(context.serverFactoryContext().api().randomGenerator()), client_(client),
+      host_(absl::AsciiStrToLower(host)), path_(absl::AsciiStrToLower(path)), key_(key),
+      version_(absl::AsciiStrToLower(version)), origin_(absl::AsciiStrToLower(origin)),
+      handshake_timeout_(std::chrono::seconds(5)), ping_interval_(std::chrono::milliseconds(0)),
+      ping_when_idle_(ping_when_idle), access_log_(nullptr) {
   envoy::extensions::filters::network::http_connection_manager::v3::RequestIDExtension x_rid_config;
   x_rid_config.mutable_typed_config()->PackFrom(
       envoy::extensions::request_id::uuid::v3::UuidRequestIdConfig());