envoy: Bump envoy version to 1.37.2

.github/renovate.json5

@@ -201,11 +201,11 @@
       ],
     },
     {
-      groupName: 'envoy 1.36.x',
+      groupName: 'envoy 1.37.x',
       matchDepNames: [
         'envoyproxy/envoy',
       ],
-      allowedVersions: '<=1.36',
+      allowedVersions: '<=1.37',
       matchBaseBranches: [
         'main',
       ],

ENVOY_VERSION

@@ -1 +1 @@
-envoy-1.36.6
+envoy-1.37.2

Makefile

@@ -72,6 +72,8 @@ endif
 ifdef PKG_BUILD
   $(info Registering C++ toolchains via BAZEL_BUILD_OPTS)
   BAZEL_BUILD_OPTS += --extra_toolchains=//bazel/toolchains:all
+  # Use system LLVM instead of hermetic download to avoid libtinfo.so.5 mismatch
+  BAZEL_BUILD_OPTS += --repo_env=BAZEL_LLVM_PATH=/usr/lib/llvm-18
 
   all: cilium-envoy-starter cilium-envoy
 
@@ -107,8 +109,8 @@ BUILD_DEP_HASHES: $(BUILD_DEP_FILES)
 
 clang.bazelrc: bazel/setup_clang.sh
 	$(call install_clang)
-	bazel/setup_clang.sh $$(llvm-config --prefix)
-	echo "build --config=clang" >> $@
+	bazel/setup_clang.sh /usr/lib/llvm-18
+	echo "build --config=clang-local" >> $@
 
 .PHONY: bazel-bin/cilium-envoy
 bazel-bin/cilium-envoy: $(COMPILER_DEP) SOURCE_VERSION install-bazelisk

Makefile.dev

@@ -42,7 +42,7 @@ veryclean: force-non-root clean
 precheck: force-non-root
 	tools/check_repositories.sh
 
-FORMAT_EXCLUDED_PREFIXES = "./linux/" "./proxylib/" "./starter/"  "./vendor/" "./go/" "./envoy_build_config/"
+FORMAT_EXCLUDED_PREFIXES = "./linux/" "./proxylib/" "./starter/"  "./vendor/" "./go/" "./envoy_build_config/" "./work/" "./bin/"
 
 # The default set of sources assumes all relevant sources are dependecies of some tests!
 TIDY_SOURCES ?= $(shell bazel query 'kind("source file", deps(//tests/...))' 2>/dev/null | sed -n "s/\/\/cilium:/cilium\//p; s/\/\/tests:/tests\//p")

WORKSPACE

@@ -12,8 +12,8 @@ ENVOY_REPO = "envoy"
 #
 # No other line in this file may have ENVOY_SHA followed by an equals sign!
 #
-# renovate: datasource=github-releases depName=envoyproxy/envoy digestVersion=v1.36.6
-ENVOY_SHA = "31608367a7f5f7e4ec627f4dac396577f2322fdc"
+# renovate: datasource=github-releases depName=envoyproxy/envoy digestVersion=v1.37.2
+ENVOY_SHA = "5afe27fb338b16d5bb06b3a7198bcd581b4e3dee"
 
 # // clang-format off: unexpected @bazel_tools reference, please indirect via a definition in //bazel
 load("@bazel_tools//tools/build_defs/repo:git.bzl", "git_repository")
@@ -42,6 +42,7 @@ git_repository(
         "@//patches:0003-original_dst_cluster-Avoid-multiple-hosts-for-the-sa.patch",
         "@//patches:0004-thread_local-reset-slot-in-worker-threads-first.patch",
         "@//patches:0005-http-header-expose-attribute.patch",
+        "@//patches:0008-repo-Make-yq-dependency-optional-for-CI-config-parsi.patch",
     ],
     # // clang-format off: Envoy's format check: Only repository_locations.bzl may contains URL references
     remote = "https://github.com/envoyproxy/envoy.git",
@@ -65,14 +66,14 @@ load("@envoy//bazel:api_repositories.bzl", "envoy_api_dependencies")
 
 envoy_api_dependencies()
 
-load("@envoy//bazel:repo.bzl", "envoy_repo")
-
-envoy_repo()
-
 load("@envoy//bazel:repositories.bzl", "envoy_dependencies")
 
 envoy_dependencies()
 
+load("@envoy//bazel:bazel_deps.bzl", "envoy_bazel_dependencies")
+
+envoy_bazel_dependencies()
+
 load("@envoy//bazel:repositories_extra.bzl", "envoy_dependencies_extra")
 
 envoy_dependencies_extra()
@@ -81,10 +82,66 @@ load("@envoy//bazel:python_dependencies.bzl", "envoy_python_dependencies")
 
 envoy_python_dependencies()
 
+load("@bazel_gazelle//:deps.bzl", "go_repository")
 load("@envoy//bazel:dependency_imports.bzl", "envoy_dependency_imports")
 
+go_repository(
+    name = "org_golang_x_text",
+    build_external = "external",
+    importpath = "golang.org/x/text",
+    sum = "h1:B3njUFyqtHDUI5jMn1YIr5B0IE2U0qck04r6d4KPAxE=",
+    version = "v0.33.0",
+)
+
+go_repository(
+    name = "org_golang_x_tools",
+    build_external = "external",
+    importpath = "golang.org/x/tools",
+    sum = "h1:a9b8iMweWG+S0OBnlU36rzLp20z1Rp10w+IY2czHTQc=",
+    version = "v0.41.0",
+)
+
+go_repository(
+    name = "org_golang_x_net",
+    build_external = "external",
+    importpath = "golang.org/x/net",
+    sum = "h1:eeHFmOGUTtaaPSGNmjBKpbng9MulQsJURQUAfUwY++o=",
+    version = "v0.49.0",
+)
+
+go_repository(
+    name = "org_golang_x_sys",
+    build_external = "external",
+    importpath = "golang.org/x/sys",
+    sum = "h1:omrd2nAlyT5ESRdCLYdm3+fMfNFE/+Rf4bDIQImRJeo=",
+    version = "v0.42.0",
+)
+
+go_repository(
+    name = "org_golang_x_mod",
+    build_external = "external",
+    importpath = "golang.org/x/mod",
+    sum = "h1:9F4d3PHLljb6x//jOyokMv3eX+YDeepZSEo3mFJy93c=",
+    version = "v0.32.0",
+)
+
 envoy_dependency_imports()
 
+load("@envoy//bazel:repo.bzl", "envoy_repo")
+
+envoy_repo()
+
+load("@envoy//bazel:toolchains.bzl", "envoy_toolchains")
+
+envoy_toolchains()
+
+# When BAZEL_LLVM_PATH is set, envoy_toolchains() skips creating the
+# llvm_toolchain_llvm repo, but envoy's clang-format target still depends on it.
+# Provide it only if it wasn't already created.
+load("//bazel:local_llvm.bzl", "local_llvm_repo")
+
+local_llvm_repo(name = "llvm_toolchain_llvm")
+
 load("@envoy//bazel:dependency_imports_extra.bzl", "envoy_dependency_imports_extra")
 
 envoy_dependency_imports_extra()

bazel/local_llvm.bzl

@@ -0,0 +1,38 @@
+"""Repository rule to provide llvm_toolchain_llvm when using a local LLVM toolchain.
+
+When BAZEL_LLVM_PATH is set (local toolchain mode), the toolchains_llvm
+llvm_toolchain() macro skips creating the llvm_toolchain_llvm repository.
+Envoy's tools/clang-format target still depends on @llvm_toolchain_llvm//:clang-format,
+so we need to provide it.
+"""
+
+def _local_llvm_repo_impl(repository_ctx):
+    llvm_path = repository_ctx.os.environ.get("BAZEL_LLVM_PATH", "")
+    clang_format = None
+
+    if llvm_path:
+        candidate = repository_ctx.path(llvm_path + "/bin/clang-format")
+        if candidate.exists:
+            clang_format = candidate
+
+    if not clang_format:
+        clang_format = repository_ctx.which("clang-format")
+
+    if not clang_format:
+        fail("Could not find clang-format. Set BAZEL_LLVM_PATH or ensure clang-format is on PATH.")
+
+    repository_ctx.symlink(clang_format, "bin/clang-format")
+    repository_ctx.file("BUILD.bazel", """\
+package(default_visibility = ["//visibility:public"])
+
+filegroup(
+    name = "clang-format",
+    srcs = ["bin/clang-format"],
+)
+""")
+
+local_llvm_repo = repository_rule(
+    implementation = _local_llvm_repo_impl,
+    environ = ["BAZEL_LLVM_PATH", "PATH"],
+    local = True,
+)

bazel/setup_clang.sh

@@ -20,11 +20,11 @@ LLVM_TARGET="$(llvm-config --host-target)"
 RT_LIBRARY_PATH="${LLVM_LIBDIR}/clang/${LLVM_VERSION}/lib/${LLVM_TARGET}"
 
 echo "# Generated file, do not edit. If you want to disable clang, just delete this file.
-build:clang --action_env='PATH=${PATH}' --host_action_env='PATH=${PATH}'
-build:clang --action_env='LLVM_CONFIG=${LLVM_PREFIX}/bin/llvm-config' --host_action_env='LLVM_CONFIG=${LLVM_PREFIX}/bin/llvm-config'
-build:clang --repo_env='LLVM_CONFIG=${LLVM_PREFIX}/bin/llvm-config'
-build:clang --linkopt='-L$(llvm-config --libdir)'
-build:clang --linkopt='-Wl,-rpath,$(llvm-config --libdir)'
+build:clang-local --action_env='PATH=${PATH}' --host_action_env='PATH=${PATH}'
+build:clang-local --action_env='LLVM_CONFIG=${LLVM_PREFIX}/bin/llvm-config' --host_action_env='LLVM_CONFIG=${LLVM_PREFIX}/bin/llvm-config'
+build:clang-local --repo_env='LLVM_CONFIG=${LLVM_PREFIX}/bin/llvm-config'
+build:clang-local --linkopt='-L$(llvm-config --libdir)'
+build:clang-local --linkopt='-Wl,-rpath,$(llvm-config --libdir)'
 
 build:clang-asan --linkopt='-L${RT_LIBRARY_PATH}'
 " >"${BAZELRC_FILE}"

cilium/grpc_subscription.cc

@@ -183,7 +183,8 @@ subscribe(const std::string& type_url, const LocalInfo::LocalInfo& local_info,
           Config::SubscriptionFactory::RetryInitialDelayMs,
           Config::SubscriptionFactory::RetryMaxDelayMs, random),
       /*target_xds_authority_=*/"",
-      /*eds_resources_cache_=*/nullptr // EDS cache is only used for ADS.
+      /*eds_resources_cache_=*/nullptr, // EDS cache is only used for ADS.
+      /*skip_subsequent_node_=*/api_config_source.set_node_on_first_message_only(),
   };
 
   return std::make_unique<Config::GrpcSubscriptionImpl>(

cilium/grpc_subscription.h

@@ -25,8 +25,8 @@ extern envoy::config::core::v3::ConfigSource cilium_xds_api_config;
 // GrpcMux wrapper to get access to control plane identifier
 class GrpcMuxImpl : public Config::GrpcMuxImpl {
 public:
-  GrpcMuxImpl(Config::GrpcMuxContext& grpc_mux_context, bool skip_subsequent_node)
-      : Config::GrpcMuxImpl(grpc_mux_context, skip_subsequent_node) {}
+  GrpcMuxImpl(Config::GrpcMuxContext& grpc_mux_context, bool /*skip_subsequent_node*/)
+      : Config::GrpcMuxImpl(grpc_mux_context) {}
 
   ~GrpcMuxImpl() override = default;
 

cilium/secret_watcher.cc

@@ -156,15 +156,14 @@ DownstreamTLSContext::DownstreamTLSContext(const NetworkPolicyMapImpl& parent,
     server_names_.emplace_back(config.server_names(i));
   }
   auto server_config_or_error = Extensions::TransportSockets::Tls::ServerContextConfigImpl::create(
-      context_config, parent.transportFactoryContext(), false);
+      context_config, parent.transportFactoryContext(), server_names_, false);
   // NOLINTNEXTLINE(performance-unnecessary-copy-initialization)
   THROW_IF_NOT_OK(server_config_or_error.status());
   server_config_ = std::move(server_config_or_error.value());
 
   auto create_server_context = [this]() {
     ENVOY_LOG(debug, "Server secret is updated.");
-    auto ctx_or_error =
-        manager_.createSslServerContext(scope_, *server_config_, server_names_, nullptr);
+    auto ctx_or_error = manager_.createSslServerContext(scope_, *server_config_, nullptr);
     // NOLINTNEXTLINE(performance-unnecessary-copy-initialization)
     THROW_IF_NOT_OK(ctx_or_error.status());
     auto ctx = std::move(ctx_or_error.value());