Merge commit '1a0363c885c2dbb1e48b03847dbd706d1ba43eba' into alphashr…

…/1.14.2

.azure-pipelines/bazel.yml

@@ -10,6 +10,9 @@ steps:
       key: '"${{ parameters.ciTarget }}" | ./WORKSPACE | **/*.bzl'
       path: $(Build.StagingDirectory)/repository_cache
 
+  - bash: .azure-pipelines/cleanup.sh
+    displayName: "Removing tools from agent"
+
   - bash: |
       echo "disk space at beginning of build:"
       df -h

.azure-pipelines/cleanup.sh

@@ -0,0 +1,9 @@
+#!/bin/bash
+
+set -e
+
+# Temporary script to remove tools from Azure pipelines agent to create more disk space room.
+sudo apt-get -y update
+sudo apt-get purge -y 'ghc-*' 'zulu-*-azure-jdk' 'libllvm*' 'mysql-*' 'dotnet-*' 'cpp-*'
+
+dpkg-query -Wf '${Installed-Size}\t${Package}\n' | sort -rn

.azure-pipelines/pipelines.yml

@@ -2,6 +2,7 @@ trigger:
   branches:
     include:
       - "master"
+      - "release/v*"
   tags:
     include:
       - "v*"
@@ -92,13 +93,11 @@ jobs:
       - bash: |
           set -e
           tar zxf $(Build.StagingDirectory)/bazel.release/envoy_binary.tar.gz
-          ci/docker_build.sh
-          ci/docker_push.sh
-          ci/docker_tag.sh
+          ci/docker_ci.sh
         workingDirectory: $(Build.SourcesDirectory)
         env:
           AZP_BRANCH: $(Build.SourceBranch)
-          CIRCLE_SHA1: $(Build.SourceVersion)
+          AZP_SHA1: $(Build.SourceVersion)
           DOCKERHUB_USERNAME: $(DockerUsername)
           DOCKERHUB_PASSWORD: $(DockerPassword)
 

VERSION

@@ -1 +1 @@
-1.14.1
+1.14.2

bazel/foreign_cc/BUILD

@@ -190,8 +190,8 @@ envoy_cmake_external(
     defines = ["NGHTTP2_STATICLIB"],
     lib_source = "@com_github_nghttp2_nghttp2//:all",
     static_libraries = select({
-        "//bazel:windows_x86_64": ["nghttp2_static.lib"],
-        "//conditions:default": ["libnghttp2_static.a"],
+        "//bazel:windows_x86_64": ["nghttp2.lib"],
+        "//conditions:default": ["libnghttp2.a"],
     }),
 )
 

bazel/repository_locations.bzl

@@ -126,9 +126,9 @@ REPOSITORY_LOCATIONS = dict(
         urls = ["https://github.com/moonjit/moonjit/archive/2.2.0.tar.gz"],
     ),
     com_github_nghttp2_nghttp2 = dict(
-        sha256 = "eb9d9046495a49dd40c7ef5d6c9907b51e5a6b320ea6e2add11eb8b52c982c47",
-        strip_prefix = "nghttp2-1.40.0",
-        urls = ["https://github.com/nghttp2/nghttp2/releases/download/v1.40.0/nghttp2-1.40.0.tar.gz"],
+        sha256 = "eacc6f0f8543583ecd659faf0a3f906ed03826f1d4157b536b4b385fe47c5bb8",
+        strip_prefix = "nghttp2-1.41.0",
+        urls = ["https://github.com/nghttp2/nghttp2/releases/download/v1.41.0/nghttp2-1.41.0.tar.gz"],
     ),
     io_opentracing_cpp = dict(
         sha256 = "015c4187f7a6426a2b5196f0ccd982aa87f010cf61f507ae3ce5c90523f92301",

ci/docker_ci.sh

@@ -0,0 +1,59 @@
+#!/bin/bash
+
+# Do not ever set -x here, it is a security hazard as it will place the credentials below in the
+# CI logs.
+set -e
+
+# This prefix is altered for the private security images on setec builds.
+DOCKER_IMAGE_PREFIX="${DOCKER_IMAGE_PREFIX:-envoyproxy/envoy}"
+
+# Test the docker build in all cases, but use a local tag that we will overwrite before push in the
+# cases where we do push.
+for BUILD_TYPE in "" "-alpine" "-alpine-debug"; do
+    docker build -f ci/Dockerfile-envoy"${BUILD_TYPE}" -t "${DOCKER_IMAGE_PREFIX}${BUILD_TYPE}:local" .
+done
+
+MASTER_BRANCH="refs/heads/master"
+RELEASE_BRANCH_REGEX="^refs/heads/release/v.*"
+RELEASE_TAG_REGEX="^refs/tags/v.*"
+
+# Only push images for master builds, release branch builds, and tag builds.
+if [[ "${AZP_BRANCH}" != "${MASTER_BRANCH}" ]] && \
+   ! [[ "${AZP_BRANCH}" =~ ${RELEASE_BRANCH_REGEX} ]] && \
+   ! [[ "${AZP_BRANCH}" =~ ${RELEASE_TAG_REGEX} ]]; then
+    echo 'Ignoring non-master branch or tag for docker push.'
+    exit 0
+fi
+
+# For master builds and release branch builds use the dev repo. Otherwise we assume it's a tag and
+# we push to the primary repo.
+if [[ "${AZP_BRANCH}" == "${MASTER_BRANCH}" ]] || \
+   [[ "${AZP_BRANCH}" =~ ${RELEASE_BRANCH_REGEX} ]]; then
+  IMAGE_POSTFIX="-dev"
+  IMAGE_NAME="$AZP_SHA1"
+else
+  IMAGE_POSTFIX=""
+  IMAGE_NAME="${AZP_BRANCH/refs\/tags\//}"
+fi
+
+docker login -u "$DOCKERHUB_USERNAME" -p "$DOCKERHUB_PASSWORD"
+
+for BUILD_TYPE in "" "-alpine" "-alpine-debug"; do
+    docker tag "${DOCKER_IMAGE_PREFIX}${BUILD_TYPE}:local" "${DOCKER_IMAGE_PREFIX}${BUILD_TYPE}${IMAGE_POSTFIX}:${IMAGE_NAME}"
+    docker push "${DOCKER_IMAGE_PREFIX}${BUILD_TYPE}${IMAGE_POSTFIX}:${IMAGE_NAME}"
+
+    # Only push latest on master builds.
+    if [[ "${AZP_BRANCH}" == "${MASTER_BRANCH}" ]]; then
+        docker tag "${DOCKER_IMAGE_PREFIX}${BUILD_TYPE}:local" "${DOCKER_IMAGE_PREFIX}${BUILD_TYPE}${IMAGE_POSTFIX}:latest"
+        docker push "${DOCKER_IMAGE_PREFIX}${BUILD_TYPE}${IMAGE_POSTFIX}:latest"
+    fi
+
+    # Push vX.Y-latest to tag the latest image in a release line
+    if [[ "${AZP_BRANCH}" =~ ${RELEASE_TAG_REGEX} ]]; then
+      RELEASE_LINE=$(echo "$IMAGE_NAME" | sed -E 's/(v[0-9]+\.[0-9]+)\.[0-9]+/\1-latest/')
+      docker tag "${DOCKER_IMAGE_PREFIX}${BUILD_TYPE}:local" "${DOCKER_IMAGE_PREFIX}${BUILD_TYPE}${IMAGE_POSTFIX}:${RELEASE_LINE}"
+      docker push "${DOCKER_IMAGE_PREFIX}${BUILD_TYPE}${IMAGE_POSTFIX}:${RELEASE_LINE}"
+    fi
+done
+
+

ci/mac_ci_setup.sh

@@ -38,7 +38,8 @@ fi
 # Required as bazel and a foreign bazelisk are installed in the latest macos vm image, we have
 # to unlink/overwrite them to install bazelisk
 echo "Installing bazelbuild/tap/bazelisk"
-brew install --force bazelbuild/tap/bazelisk
+brew tap bazelbuild/tap
+brew reinstall --force bazelbuild/tap/bazelisk
 if ! brew link --overwrite bazelbuild/tap/bazelisk; then
     echo "Failed to install and link bazelbuild/tap/bazelisk"
     exit 1

ci/mac_ci_steps.sh

@@ -26,10 +26,10 @@ BAZEL_BUILD_OPTIONS="--curses=no --show_task_finish --verbose_failures \
 if [[ $# -gt 0 ]]; then
   TEST_TARGETS=$*
 else
-  TEST_TARGETS=//test/...
+  TEST_TARGETS=//test/integration/...
 fi
 
-if [[ "$TEST_TARGETS" == "//test/..." ]]; then
+if [[ "$TEST_TARGETS" == "//test/..." || "$TEST_TARGETS" == "//test/integration/..." ]]; then
   bazel build ${BAZEL_BUILD_OPTIONS} //source/exe:envoy-static
 fi
 bazel test ${BAZEL_BUILD_OPTIONS} ${TEST_TARGETS}

docs/root/install/building.rst

@@ -41,13 +41,9 @@ be found in the following repositories:
 * `envoyproxy/envoy-alpine-debug <https://hub.docker.com/r/envoyproxy/envoy-alpine-debug/tags/>`_:
   Release binary with debug symbols on top of a **glibc** alpine base.
 
-In the above repositories, the *latest* tag points to the latest official release.
-
 .. note::
 
-  The above repositories used to contain the dev images described below. They remain to avoid
-  breaking existing users. New dev images are added to the repositories described in the following
-  section.
+  In the above repositories, we tag a *vX.Y-latest* image for each security/stable release line.
 
 On every master commit we additionally create a set of development Docker images. These images can
 be found in the following repositories:

docs/root/intro/version_history.rst

@@ -1,6 +1,10 @@
 Version history
 ---------------
 
+1.14.2 (June 8, 2020)
+=====================
+* http: fixed CVE-2020-11080 by rejecting HTTP/2 SETTINGS frames with too many parameters.
+
 1.14.1 (April 8, 2020)
 ======================
 * request_id_extension: fixed static initialization for noop request id extension.