Automator: update envoy@ in istio/proxy@master (#6402)

* Automator: update envoy@ in istio/proxy@master

* fix build

Signed-off-by: zirain <zirain2009@gmail.com>

* fix

Signed-off-by: zirain <zirain2009@gmail.com>

* fix asan

Signed-off-by: zirain <zirain2009@gmail.com>

---------

Signed-off-by: zirain <zirain2009@gmail.com>
Co-authored-by: istio-testing <istio-testing-bot@google.com>

.bazelrc

@@ -14,7 +14,10 @@ build:remote --remote_timeout=7200
 # ========================================
 
 # Enable libc++ and C++20 by default.
-build:linux --config=libc++20
+build:linux --config=clang
+
+# put /usr/local/bin before /usr/bin to avoid picking up wrong python3.6 when building envoy.tls.key_providers.cryptomb
+build:linux --action_env=PATH=/usr/lib/llvm/bin:/usr/local/bin:/bin:/usr/bin
 
 # Need for CI image to pickup docker-credential-gcloud, PATH is fixed in rbe-toolchain-* configs.
 build:remote-ci --action_env=PATH=/usr/local/google-cloud-sdk/bin:/usr/sbin:/usr/bin:/sbin:/bin:/opt/llvm/bin
@@ -52,12 +55,12 @@ build:clang --host_action_env=CXX=
 
 # CI sanitizer configuration
 #
-build:clang-asan-ci --config=clang-asan
+build:clang-asan-ci --config=asan
 build:clang-asan-ci --linkopt='-L/usr/lib/llvm/lib/x86_64-unknown-linux-gnu'
 build:clang-asan-ci --linkopt='-Wl,-rpath,/usr/lib/llvm/lib/x86_64-unknown-linux-gnu'
 build:clang-asan-ci --linkopt='-L/usr/lib/llvm/lib/clang/14.0.0/lib/x86_64-unknown-linux-gnu'
 
-build:clang-tsan-ci --config=clang-tsan
+build:clang-tsan-ci --config=tsan
 build:clang-tsan-ci --linkopt=-L/opt/libcxx_tsan/lib
 build:clang-tsan-ci --linkopt=-Wl,-rpath,/opt/libcxx_tsan/lib
 

.bazelversion

@@ -1 +1 @@
-6.5.0
+7.6.0

.devcontainer/devcontainer.json

@@ -1,6 +1,6 @@
 {
   "name": "istio build-tools",
-  "image": "gcr.io/istio-testing/build-tools:master-4759bf88d40172234fc6a0b9e11a4c5f1ea58a90",
+  "image": "gcr.io/istio-testing/build-tools-proxy:master-8e6480403f5cf4c9a4cd9d65174d01850e632e1a",
   "privileged": true,
   "remoteEnv": {
     "USE_GKE_GCLOUD_AUTH_PLUGIN": "True",

.github/dependabot.yml

@@ -0,0 +1,14 @@
+# Configures Depdendabot to PR go security updates only
+
+version: 2
+updates:
+  # Go configuration for master branch
+  - package-ecosystem: "gomod"
+    directory: "/"
+    schedule:
+      interval: "daily"
+    # Limit number of open PRs to 0 so that we only get security updates
+    # See https://docs.github.com/en/code-security/dependabot/dependabot-security-updates/configuring-dependabot-security-updates
+    open-pull-requests-limit: 0
+    labels:
+      - "release-notes-none"

Makefile.core.mk

@@ -109,29 +109,6 @@ lint: lint-copyright-banner format-go lint-go tidy-go lint-scripts gen-extension
 	@scripts/check-repository.sh
 	@scripts/check-style.sh
 
-protoc = protoc -I common-protos -I extensions
-protoc_gen_docs_plugin := --docs_out=camel_case_fields=false,warnings=true,per_file=true,mode=html_fragment_with_front_matter:$(repo_dir)/
-
-metadata_exchange_path := extensions/metadata_exchange
-metadata_exchange_protos := $(wildcard $(metadata_exchange_path)/*.proto)
-metadata_exchange_docs := $(metadata_exchange_protos:.proto=.pb.html)
-$(metadata_exchange_docs): $(metadata_exchange_protos)
-	@$(protoc) -I ./extensions $(protoc_gen_docs_plugin)$(metadata_exchange_path) $^
-
-stackdriver_path := extensions/stackdriver/config/v1alpha1
-stackdriver_protos := $(wildcard $(stackdriver_path)/*.proto)
-stackdriver_docs := $(stackdriver_protos:.proto=.pb.html)
-$(stackdriver_docs): $(stackdriver_protos)
-	@$(protoc) -I ./extensions $(protoc_gen_docs_plugin)$(stackdriver_path) $^
-
-accesslog_policy_path := extensions/access_log_policy/config/v1alpha1
-accesslog_policy_protos := $(wildcard $(accesslog_policy_path)/*.proto)
-accesslog_policy_docs := $(accesslog_policy_protos:.proto=.pb.html)
-$(accesslog_policy_docs): $(accesslog_policy_protos)
-	@$(protoc) -I ./extensions $(protoc_gen_docs_plugin)$(accesslog_policy_path) $^
-
-extensions-docs:  $(metadata_exchange_docs) $(stackdriver_docs) $(accesslog_policy_docs)
-
 test_release:
 ifeq "$(shell uname -m)" "x86_64"
 	export BAZEL_BUILD_ARGS="$(BAZEL_BUILD_ARGS)" && ./scripts/release-binary.sh

WORKSPACE

@@ -22,10 +22,10 @@ load("@bazel_tools//tools/build_defs/repo:http.bzl", "http_archive")
 # 1. Determine SHA256 `wget https://github.com/envoyproxy/envoy/archive/$COMMIT.tar.gz && sha256sum $COMMIT.tar.gz`
 # 2. Update .bazelversion, envoy.bazelrc and .bazelrc if needed.
 #
-# Commit date: 2024-10-23
-ENVOY_SHA = "6030fdb6174e75c95e290f5e974b5fa3781604ea"
+# Commit date: 2025-07-10
+ENVOY_SHA = "46bb6bc3dc41a684671fd4811eddfe82207a6d21"
 
-ENVOY_SHA256 = "e3e746e6a5c1b98452ad16b657db2915f87744dbfeea667ffc1fc7bdb53172d2"
+ENVOY_SHA256 = "e3ca4967f3cfd343cbf9983c7ec85eb1845c5d3b219e045cf008e730e9c06b61"
 
 ENVOY_ORG = "envoyproxy"
 

bazel/extension_config/extensions_build_config.bzl

@@ -44,7 +44,6 @@ ENVOY_EXTENSIONS = {
     #
 
     "envoy.grpc_credentials.file_based_metadata":       "//source/extensions/grpc_credentials/file_based_metadata:config",
-    "envoy.grpc_credentials.aws_iam":                   "//source/extensions/grpc_credentials/aws_iam:config",
 
     #
     # WASM
@@ -146,6 +145,7 @@ ENVOY_EXTENSIONS = {
     "envoy.filters.http.on_demand":                     "//source/extensions/filters/http/on_demand:config",
     "envoy.filters.http.original_src":                  "//source/extensions/filters/http/original_src:config",
     "envoy.filters.http.ratelimit":                     "//source/extensions/filters/http/ratelimit:config",
+    "envoy.filters.http.rate_limit_quota":              "//source/extensions/filters/http/rate_limit_quota:config",
     "envoy.filters.http.rbac":                          "//source/extensions/filters/http/rbac:config",
     "envoy.filters.http.router":                        "//source/extensions/filters/http/router:config",
     "envoy.filters.http.set_filter_state":              "//source/extensions/filters/http/set_filter_state:config",
@@ -202,6 +202,7 @@ ENVOY_EXTENSIONS = {
     # Resource monitors
     #
 
+    "envoy.resource_monitors.cpu_utilization":          "//source/extensions/resource_monitors/cpu_utilization:config",
     "envoy.resource_monitors.fixed_heap":               "//source/extensions/resource_monitors/fixed_heap:config",
     "envoy.resource_monitors.injected_resource":        "//source/extensions/resource_monitors/injected_resource:config",
     "envoy.resource_monitors.downstream_connections":   "//source/extensions/resource_monitors/downstream_connections:config",
@@ -356,7 +357,7 @@ ENVOY_EXTENSIONS = {
     # QUIC extensions
     #
 
-    "envoy.quic.deterministic_connection_id_generator": "//source/extensions/quic/connection_id_generator:envoy_deterministic_connection_id_generator_config",
+    "envoy.quic.deterministic_connection_id_generator": "//source/extensions/quic/connection_id_generator/deterministic:envoy_deterministic_connection_id_generator_config",
     "envoy.quic.crypto_stream.server.quiche":           "//source/extensions/quic/crypto_stream:envoy_quic_default_crypto_server_stream",
     "envoy.quic.proof_source.filter_chain":             "//source/extensions/quic/proof_source:envoy_quic_default_proof_source",
 
@@ -417,6 +418,7 @@ ENVOY_EXTENSIONS = {
     "envoy.load_balancing_policies.ring_hash":         "//source/extensions/load_balancing_policies/ring_hash:config",
     "envoy.load_balancing_policies.subset":            "//source/extensions/load_balancing_policies/subset:config",
     "envoy.load_balancing_policies.cluster_provided":  "//source/extensions/load_balancing_policies/cluster_provided:config",
+    "envoy.load_balancing_policies.override_host":     "//source/extensions/load_balancing_policies/override_host:config",
 
     #
     # HTTP Early Header Mutation

common/.commonfiles.sha

@@ -1 +1 @@
-82dc68a737b72d394c344d4fd71ff9e9ebf01852
+d46067e1a8ba3db4abe2635af5807f00ba1981e6

common/Makefile.common.mk

@@ -106,13 +106,11 @@ update-common:
 	@if [ "$(CONTRIB_OVERRIDE)" != "CONTRIBUTING.md" ]; then\
 		rm $(TMP)/common-files/files/CONTRIBUTING.md;\
 	fi
-# istio/istio.io uses the  Creative Commons Attribution 4.0 license. Don't update LICENSE with the common Apache license.
-	@LICENSE_OVERRIDE=$(shell grep -l "Creative Commons Attribution 4.0 International Public License" LICENSE)
-	@if [ "$(LICENSE_OVERRIDE)" != "LICENSE" ]; then\
-		rm $(TMP)/common-files/files/LICENSE;\
-	fi
 	@cp -a $(TMP)/common-files/files/* $(TMP)/common-files/files/.devcontainer $(TMP)/common-files/files/.gitattributes $(shell pwd)
 	@rm -fr $(TMP)/common-files
+	@if [ "$(AUTOMATOR_REPO)" == "proxy" ]; then\
+		sed -i -e 's/build-tools:/build-tools-proxy:/g' .devcontainer/devcontainer.json;\
+	fi
 	@$(or $(COMMONFILES_POSTPROCESS), true)
 
 check-clean-repo:

common/config/.golangci-format.yml

@@ -1,56 +0,0 @@
-# WARNING: DO NOT EDIT, THIS FILE IS PROBABLY A COPY
-#
-# The original version of this file is located in the https://github.com/istio/common-files repo.
-# If you're looking at this file in a different repo and want to make a change, please go to the
-# common-files repo, make the change there and check it in. Then come back to this repo and run
-# "make update-common".
-
-run:
-  # Timeout for analysis, e.g. 30s, 5m.
-  # Default: 1m
-  timeout: 20m
-  build-tags:
-  - integ
-  - integfuzz
-linters:
-  disable-all: true
-  enable:
-  - goimports
-  - gofumpt
-  - gci
-  fast: false
-linters-settings:
-  gci:
-    sections:
-      - standard # Captures all standard packages if they do not match another section.
-      - default # Contains all imports that could not be matched to another section type.
-      - prefix(istio.io/) # Groups all imports with the specified Prefix.
-  goimports:
-    # put imports beginning with prefix after 3rd-party packages;
-    # it's a comma-separated list of prefixes
-    local-prefixes: istio.io/
-issues:
-  # Which dirs to exclude: issues from them won't be reported.
-  # Can use regexp here: `generated.*`, regexp is applied on full path,
-  # including the path prefix if one is set.
-  # Default dirs are skipped independently of this option's value (see exclude-dirs-use-default).
-  # "/" will be replaced by current OS file path separator to properly work on Windows.
-  # Default: []
-  exclude-dirs:
-    - genfiles$
-    - vendor$
-  # Which files to exclude: they will be analyzed, but issues from them won't be reported.
-  # There is no need to include all autogenerated files,
-  # we confidently recognize autogenerated files.
-  # If it's not, please let us know.
-  # "/" will be replaced by current OS file path separator to properly work on Windows.
-  # Default: []
-  exclude-files:
-    - ".*\\.pb\\.go"
-    - ".*\\.gen\\.go"
-  # Maximum issues count per one linter.
-  # Set to 0 to disable.
-  # Default: 50
-  max-issues-per-linter: 0
-  # Maximum count of issues with the same text. Set to 0 to disable. Default is 3.
-  max-same-issues: 0

common/config/.golangci.yml

@@ -1,262 +1,221 @@
-# WARNING: DO NOT EDIT, THIS FILE IS PROBABLY A COPY
-#
-# The original version of this file is located in the https://github.com/istio/common-files repo.
-# If you're looking at this file in a different repo and want to make a change, please go to the
-# common-files repo, make the change there and check it in. Then come back to this repo and run
-# "make update-common".
-
+version: "2"
 run:
-  # Timeout for analysis, e.g. 30s, 5m.
-  # Default: 1m
-  timeout: 20m
   build-tags:
     - integ
     - integfuzz
 linters:
-  disable-all: true
+  default: none
   enable:
-    - errcheck
-    - exportloopref
+    - copyloopvar
     - depguard
+    - errcheck
     - gocritic
-    - gofumpt
-    - goimports
-    - revive
-    - gosimple
+    - gosec
     - govet
     - ineffassign
     - lll
     - misspell
+    - revive
     - staticcheck
-    - stylecheck
-    - typecheck
     - unconvert
     - unparam
     - unused
-    - gci
-    - gosec
-  fast: false
-linters-settings:
-  errcheck:
-    # report about not checking of errors in type assertions: `a := b.(MyStruct)`;
-    # default is false: such cases aren't reported by default.
-    check-type-assertions: false
-    # report about assignment of errors to blank identifier: `num, _ := strconv.Atoi(numStr)`;
-    # default is false: such cases aren't reported by default.
-    check-blank: false
-  govet:
-    disable:
-      # report about shadowed variables
-      - shadow
-  goimports:
-    # put imports beginning with prefix after 3rd-party packages;
-    # it's a comma-separated list of prefixes
-    local-prefixes: istio.io/
-  misspell:
-    # Correct spellings using locale preferences for US or UK.
-    # Default is to use a neutral variety of English.
-    # Setting locale to US will correct the British spelling of 'colour' to 'color'.
-    locale: US
-    ignore-words:
-      - cancelled
-  lll:
-    # max line length, lines longer will be reported. Default is 120.
-    # '\t' is counted as 1 character by default, and can be changed with the tab-width option
-    line-length: 160
-    # tab width in spaces. Default to 1.
-    tab-width: 1
-  revive:
-    ignore-generated-header: false
-    severity: "warning"
-    confidence: 0.0
+  settings:
+    depguard:
+      rules:
+        DenyGogoProtobuf:
+          files:
+            - $all
+          deny:
+            - pkg: github.com/gogo/protobuf
+              desc: gogo/protobuf is deprecated, use golang/protobuf
+    errcheck:
+      check-type-assertions: false
+      check-blank: false
+    gocritic:
+      disable-all: true
+      enabled-checks:
+        - appendCombine
+        - argOrder
+        - assignOp
+        - badCond
+        - boolExprSimplify
+        - builtinShadow
+        - captLocal
+        - caseOrder
+        - codegenComment
+        - commentedOutCode
+        - commentedOutImport
+        - defaultCaseOrder
+        - deprecatedComment
+        - docStub
+        - dupArg
+        - dupBranchBody
+        - dupCase
+        - dupSubExpr
+        - elseif
+        - emptyFallthrough
+        - equalFold
+        - flagDeref
+        - flagName
+        - hexLiteral
+        - indexAlloc
+        - initClause
+        - methodExprCall
+        - nilValReturn
+        - octalLiteral
+        - offBy1
+        - rangeExprCopy
+        - regexpMust
+        - sloppyLen
+        - stringXbytes
+        - switchTrue
+        - typeAssertChain
+        - typeSwitchVar
+        - typeUnparen
+        - underef
+        - unlambda
+        - unnecessaryBlock
+        - unslice
+        - valSwap
+        - weakCond
+    gosec:
+      includes:
+        - G401
+        - G402
+        - G404
+    govet:
+      disable:
+        - shadow
+    lll:
+      line-length: 160
+      tab-width: 1
+    misspell:
+      locale: US
+      ignore-rules:
+        - cancelled
+    revive:
+      confidence: 0
+      severity: warning
+      rules:
+        - name: blank-imports
+        - name: context-keys-type
+        - name: time-naming
+        - name: var-declaration
+        - name: unexported-return
+        - name: errorf
+        - name: context-as-argument
+        - name: dot-imports
+        - name: error-return
+        - name: error-strings
+        - name: error-naming
+        - name: increment-decrement
+        - name: var-naming
+        - name: package-comments
+        - name: range
+        - name: receiver-naming
+        - name: indent-error-flow
+        - name: superfluous-else
+        - name: modifies-parameter
+        - name: unreachable-code
+        - name: struct-tag
+        - name: constant-logical-expr
+        - name: bool-literal-in-expr
+        - name: redefines-builtin-id
+        - name: imports-blocklist
+        - name: range-val-in-closure
+        - name: range-val-address
+        - name: waitgroup-by-value
+        - name: atomic
+        - name: call-to-gc
+        - name: duplicated-imports
+        - name: string-of-int
+        - name: defer
+          arguments:
+            - - call-chain
+        - name: unconditional-recursion
+        - name: identical-branches
+    unparam:
+      check-exported: false
+  exclusions:
+    generated: lax
+    presets:
+      - comments
+      - common-false-positives
+      - legacy
+      - std-error-handling
     rules:
-      - name: blank-imports
-      - name: context-keys-type
-      - name: time-naming
-      - name: var-declaration
-      - name: unexported-return
-      - name: errorf
-      - name: context-as-argument
-      - name: dot-imports
-      - name: error-return
-      - name: error-strings
-      - name: error-naming
-      - name: increment-decrement
-      - name: var-naming
-      - name: package-comments
-      - name: range
-      - name: receiver-naming
-      - name: indent-error-flow
-      - name: superfluous-else
-      - name: modifies-parameter
-      - name: unreachable-code
-      - name: struct-tag
-      - name: constant-logical-expr
-      - name: bool-literal-in-expr
-      - name: redefines-builtin-id
-      - name: imports-blacklist
-      - name: range-val-in-closure
-      - name: range-val-address
-      - name: waitgroup-by-value
-      - name: atomic
-      - name: call-to-gc
-      - name: duplicated-imports
-      - name: string-of-int
-      - name: defer
-        arguments:
-          - - "call-chain"
-      - name: unconditional-recursion
-      - name: identical-branches
-        # the following rules can be enabled in the future
-        # - name: empty-lines
-        # - name: confusing-results
-        # - name: empty-block
-        # - name: get-return
-        # - name: confusing-naming
-        # - name: unexported-naming
-        # - name: early-return
-        # - name: unused-parameter
-        # - name: unnecessary-stmt
-        # - name: deep-exit
-        # - name: import-shadowing
-        # - name: modifies-value-receiver
-        # - name: unused-receiver
-        # - name: bare-return
-        # - name: flag-parameter
-        # - name: unhandled-error
-        # - name: if-return
-  unparam:
-    # Inspect exported functions, default is false. Set to true if no external program/library imports your code.
-    # XXX: if you enable this setting, unparam will report a lot of false-positives in text editors:
-    # if it's called for subdir of a project it can't find external interfaces. All text editor integrations
-    # with golangci-lint call it on a directory with the changed file.
-    check-exported: false
-  gci:
-    sections:
-      - standard # Captures all standard packages if they do not match another section.
-      - default # Contains all imports that could not be matched to another section type.
-      - prefix(istio.io/) # Groups all imports with the specified Prefix.
-  gocritic:
-    # Disable all checks.
-    # Default: false
-    disable-all: true
-    # Which checks should be enabled in addition to default checks. Since we don't want
-    # all of the default checks, we do the disable-all first.
-    enabled-checks:
-      - appendCombine
-      - argOrder
-      - assignOp
-      - badCond
-      - boolExprSimplify
-      - builtinShadow
-      - captLocal
-      - caseOrder
-      - codegenComment
-      - commentedOutCode
-      - commentedOutImport
-      - defaultCaseOrder
-      - deprecatedComment
-      - docStub
-      - dupArg
-      - dupBranchBody
-      - dupCase
-      - dupSubExpr
-      - elseif
-      - emptyFallthrough
-      - equalFold
-      - flagDeref
-      - flagName
-      - hexLiteral
-      - indexAlloc
-      - initClause
-      - methodExprCall
-      - nilValReturn
-      - octalLiteral
-      - offBy1
-      - rangeExprCopy
-      - regexpMust
-      - sloppyLen
-      - stringXbytes
-      - switchTrue
-      - typeAssertChain
-      - typeSwitchVar
-      - typeUnparen
-      - underef
-      - unlambda
-      - unnecessaryBlock
-      - unslice
-      - valSwap
-      - weakCond
-  depguard:
-    rules:
-      DenyGogoProtobuf:
-        files:
-          - $all
-        deny:
-          - pkg: github.com/gogo/protobuf
-            desc: "gogo/protobuf is deprecated, use golang/protobuf"
-  gosec:
-    includes:
-      - G401
-      - G402
-      - G404
+      - linters:
+          - errcheck
+          - maligned
+        path: _test\.go$|tests/|samples/
+      - path: _test\.go$
+        text: 'dot-imports: should not use dot imports'
+      - linters:
+          - staticcheck
+        text: 'SA1019: package github.com/golang/protobuf/jsonpb'
+      - linters:
+          - staticcheck
+        text: 'SA1019: "github.com/golang/protobuf/jsonpb"'
+      - linters:
+          - staticcheck
+        text: 'SA1019: grpc.Dial is deprecated: use NewClient instead'
+      - linters:
+          - staticcheck
+        text: 'SA1019: grpc.DialContext is deprecated: use NewClient instead'
+      - linters:
+          - staticcheck
+        text: 'SA1019: grpc.WithBlock is deprecated'
+      - linters:
+          - staticcheck
+        text: 'SA1019: grpc.FailOnNonTempDialError'
+      - linters:
+          - staticcheck
+        text: 'SA1019: grpc.WithReturnConnectionError'
+      - path: (.+)\.go$
+        text: composite literal uses unkeyed fields
+      # TODO: remove following rule in the future
+      - linters:
+          - staticcheck
+        text: 'QF'
+      - linters:
+          - staticcheck
+        text: 'ST1005'
+      - linters:
+          - staticcheck
+        text: 'S1007'
+    paths:
+      - .*\.pb\.go
+      - .*\.gen\.go
+      - genfiles$
+      - vendor$
+      - third_party$
+      - builtin$
+      - examples$
 issues:
-  # List of regexps of issue texts to exclude, empty list by default.
-  # But independently from this option we use default exclude patterns,
-  # it can be disabled by `exclude-use-default: false`. To list all
-  # excluded by default patterns execute `golangci-lint run --help`
-  exclude:
-    - composite literal uses unkeyed fields
-  # Which dirs to exclude: issues from them won't be reported.
-  # Can use regexp here: `generated.*`, regexp is applied on full path,
-  # including the path prefix if one is set.
-  # Default dirs are skipped independently of this option's value (see exclude-dirs-use-default).
-  # "/" will be replaced by current OS file path separator to properly work on Windows.
-  # Default: []
-  exclude-dirs:
-    - genfiles$
-    - vendor$
-  # Which files to exclude: they will be analyzed, but issues from them won't be reported.
-  # There is no need to include all autogenerated files,
-  # we confidently recognize autogenerated files.
-  # If it's not, please let us know.
-  # "/" will be replaced by current OS file path separator to properly work on Windows.
-  # Default: []
-  exclude-files:
-    - ".*\\.pb\\.go"
-    - ".*\\.gen\\.go"
-  exclude-rules:
-    # Exclude some linters from running on test files.
-    - path: _test\.go$|^tests/|^samples/
-      linters:
-        - errcheck
-        - maligned
-    - path: _test\.go$
-      text: "dot-imports: should not use dot imports"
-    # We need to use the deprecated module since the jsonpb replacement is not backwards compatible.
-    - linters: [staticcheck]
-      text: "SA1019: package github.com/golang/protobuf/jsonpb"
-    - linters: [staticcheck]
-      text: 'SA1019: "github.com/golang/protobuf/jsonpb"'
-    # This is not helpful. The new function is not very usable and the current function will not be removed
-    - linters: [staticcheck]
-      text: 'SA1019: grpc.Dial is deprecated: use NewClient instead'
-    - linters: [staticcheck]
-      text: 'SA1019: grpc.DialContext is deprecated: use NewClient instead'
-    - linters: [staticcheck]
-      text: "SA1019: grpc.WithBlock is deprecated"
-    - linters: [staticcheck]
-      text: "SA1019: grpc.FailOnNonTempDialError"
-    - linters: [staticcheck]
-      text: "SA1019: grpc.WithReturnConnectionError"
-  # Independently from option `exclude` we use default exclude patterns,
-  # it can be disabled by this option. To list all
-  # excluded by default patterns execute `golangci-lint run --help`.
-  # Default value for this option is true.
-  exclude-use-default: true
-  # Maximum issues count per one linter.
-  # Set to 0 to disable.
-  # Default: 50
   max-issues-per-linter: 0
-  # Maximum count of issues with the same text. Set to 0 to disable. Default is 3.
   max-same-issues: 0
+formatters:
+  enable:
+    - gci
+    - gofumpt
+    - goimports
+  settings:
+    gci:
+      sections:
+        - standard
+        - default
+        - prefix(istio.io/)
+    goimports:
+      local-prefixes:
+        - istio.io/
+  exclusions:
+    generated: lax
+    paths:
+      - .*\.pb\.go
+      - .*\.gen\.go
+      - genfiles$
+      - vendor$
+      - third_party$
+      - builtin$
+      - examples$

common/config/license-lint.yml

@@ -125,4 +125,21 @@ allowlisted_modules:
 
 # Simplified BSD (BSD-2-Clause): https://github.com/russross/blackfriday/blob/master/LICENSE.txt
 - github.com/russross/blackfriday
-- github.com/russross/blackfriday/v2
+- github.com/russross/blackfriday/v2
+
+# W3C Test Suite License, W3C 3-clause BSD License
+# gonum uses this for its some of its test files
+# gonum.org/v1/gonum/graph/formats/rdf/testdata/LICENSE.md
+- gonum.org/v1/gonum
+
+# BSD 3-clause: https://github.com/go-inf/inf/blob/v0.9.1/LICENSE
+- gopkg.in/inf.v0
+
+# BSD 3-clause: https://github.com/go-git/gcfg/blob/main/LICENSE
+- github.com/go-git/gcfg
+
+# Apache 2.0
+- github.com/aws/smithy-go
+
+# Simplified BSD License: https://github.com/gomarkdown/markdown/blob/master/LICENSE.txt
+- github.com/gomarkdown/markdown

common/scripts/format_go.sh

@@ -21,4 +21,4 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-golangci-lint run --fix -c ./common/config/.golangci-format.yml
+golangci-lint run --fix -c ./common/config/.golangci.yml

common/scripts/kind_provisioner.sh

@@ -32,10 +32,10 @@ set -x
 ####################################################################
 
 # DEFAULT_KIND_IMAGE is used to set the Kubernetes version for KinD unless overridden in params to setup_kind_cluster(s)
-DEFAULT_KIND_IMAGE="gcr.io/istio-testing/kind-node:v1.28.4"
+DEFAULT_KIND_IMAGE="gcr.io/istio-testing/kind-node:v1.33.1"
 
 # the default kind cluster should be ipv4 if not otherwise specified
-IP_FAMILY="${IP_FAMILY:-ipv4}"
+KIND_IP_FAMILY="${KIND_IP_FAMILY:-ipv4}"
 
 # COMMON_SCRIPTS contains the directory this file is in.
 COMMON_SCRIPTS=$(dirname "${BASH_SOURCE:-$0}")
@@ -147,7 +147,7 @@ function setup_kind_cluster_retry() {
 # 1. NAME: Name of the Kind cluster (optional)
 # 2. IMAGE: Node image used by KinD (optional)
 # 3. CONFIG: KinD cluster configuration YAML file. If not specified then DEFAULT_CLUSTER_YAML is used
-# 4. NOMETALBINSTALL: Dont install matllb if set.
+# 4. NOMETALBINSTALL: Dont install metalb if set.
 # This function returns 0 when everything goes well, or 1 otherwise
 # If Kind cluster was already created then it would be cleaned up in case of errors
 function setup_kind_cluster() {
@@ -186,16 +186,25 @@ function setup_kind_cluster() {
 
   # Create KinD cluster
   if ! (yq eval "${CONFIG}" --expression ".networking.disableDefaultCNI = ${KIND_DISABLE_CNI}" \
-    --expression ".networking.ipFamily = \"${IP_FAMILY}\"" | \
+    --expression ".networking.ipFamily = \"${KIND_IP_FAMILY}\"" | \
     kind create cluster --name="${NAME}" -v4 --retain --image "${IMAGE}" ${KIND_WAIT_FLAG:+"$KIND_WAIT_FLAG"} --config -); then
     echo "Could not setup KinD environment. Something wrong with KinD setup. Exporting logs."
     return 9
+    # kubectl config set clusters.kind-istio-testing.server https://istio-testing-control-plane:6443
   fi
+
+  if [[ -n "${DEVCONTAINER:-}" ]]; then
+    # identify our docker container id using proc and regex
+    containerid=$(grep 'resolv.conf' /proc/self/mountinfo | sed 's/.*\/docker\/containers\/\([0-9a-f]*\).*/\1/')
+    docker network connect kind "$containerid"
+    kind export kubeconfig --name="${NAME}" --internal
+  fi
+
   # Workaround kind issue causing taints to not be removed in 1.24
   kubectl taint nodes "${NAME}"-control-plane node-role.kubernetes.io/control-plane- 2>/dev/null || true
 
   # Determine what CNI to install
-  case "${KUBERNETES_CNI:-}" in 
+  case "${KUBERNETES_CNI:-}" in
 
     "calico")
       echo "Installing Calico CNI"
@@ -230,7 +239,7 @@ function setup_kind_cluster() {
   # https://github.com/coredns/coredns/issues/2494#issuecomment-457215452
   # CoreDNS should handle those domains and answer with NXDOMAIN instead of SERVFAIL
   # otherwise pods stops trying to resolve the domain.
-  if [ "${IP_FAMILY}" = "ipv6" ] || [ "${IP_FAMILY}" = "dual" ]; then
+  if [ "${KIND_IP_FAMILY}" = "ipv6" ] || [ "${KIND_IP_FAMILY}" = "dual" ]; then
     # Get the current config
     original_coredns=$(kubectl get -oyaml -n=kube-system configmap/coredns)
     echo "Original CoreDNS config:"
@@ -267,14 +276,14 @@ function cleanup_kind_clusters() {
 # setup_kind_clusters sets up a given number of kind clusters with given topology
 # as specified in cluster topology configuration file.
 # 1. IMAGE = docker image used as node by KinD
-# 2. IP_FAMILY = either ipv4 or ipv6
+# 2. KIND_IP_FAMILY = either ipv4 or ipv6 or dual
 #
 # NOTE: Please call load_cluster_topology before calling this method as it expects
 # cluster topology information to be loaded in advance
 function setup_kind_clusters() {
   IMAGE="${1:-"${DEFAULT_KIND_IMAGE}"}"
   KUBECONFIG_DIR="${ARTIFACTS:-$(mktemp -d)}/kubeconfig"
-  IP_FAMILY="${2:-ipv4}"
+  KIND_IP_FAMILY="${2:-ipv4}"
 
   check_default_cluster_yaml
 

common/scripts/lint_go.sh

@@ -21,8 +21,10 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
+GOLANGCILINT_RUN_ARGS=(--output.text.path stdout --output.junit-xml.path "${ARTIFACTS}"/junit-lint.xml)
+
 if [[ "${ARTIFACTS}" != "" ]]; then
-  golangci-lint run -v -c ./common/config/.golangci.yml --out-format colored-line-number,junit-xml:"${ARTIFACTS}"/junit-lint.xml
+  golangci-lint run -v -c ./common/config/.golangci.yml "${GOLANGCILINT_RUN_ARGS[@]}"
 else
   golangci-lint run -v -c ./common/config/.golangci.yml
 fi

common/scripts/run.sh

@@ -47,7 +47,9 @@ read -ra DOCKER_RUN_OPTIONS <<< "${DOCKER_RUN_OPTIONS:-}"
     "${DOCKER_RUN_OPTIONS[@]}" \
     --init \
     --sig-proxy=true \
+    --cap-add=SYS_ADMIN \
     ${DOCKER_SOCKET_MOUNT:--v /var/run/docker.sock:/var/run/docker.sock} \
+    -e DOCKER_HOST=${DOCKER_SOCKET_HOST:-unix:///var/run/docker.sock} \
     $CONTAINER_OPTIONS \
     --env-file <(env | grep -v ${ENV_BLOCKLIST}) \
     -e IN_BUILD_CONTAINER=1 \

common/scripts/setup_env.sh

@@ -75,7 +75,7 @@ fi
 TOOLS_REGISTRY_PROVIDER=${TOOLS_REGISTRY_PROVIDER:-gcr.io}
 PROJECT_ID=${PROJECT_ID:-istio-testing}
 if [[ "${IMAGE_VERSION:-}" == "" ]]; then
-  IMAGE_VERSION=master-4759bf88d40172234fc6a0b9e11a4c5f1ea58a90
+  IMAGE_VERSION=master-8e6480403f5cf4c9a4cd9d65174d01850e632e1a
 fi
 if [[ "${IMAGE_NAME:-}" == "" ]]; then
   IMAGE_NAME=build-tools

envoy.bazelrc

@@ -8,8 +8,11 @@
 # leave room for compiler/linker.
 # The number 3G is chosen heuristically to both support large VM and small VM with RBE.
 # Startup options cannot be selected via config.
+# TODO: Adding just to test android
 startup --host_jvm_args=-Xmx3g
 
+common --noenable_bzlmod
+
 fetch --color=yes
 run --color=yes
 
@@ -19,13 +22,20 @@ build --workspace_status_command="bash bazel/get_workspace_status"
 build --incompatible_strict_action_env
 build --java_runtime_version=remotejdk_11
 build --tool_java_runtime_version=remotejdk_11
+build --java_language_version=11
+build --tool_java_language_version=11
 build --platform_mappings=bazel/platform_mappings
 # silence absl logspam.
 build --copt=-DABSL_MIN_LOG_LEVEL=4
+# Global C++ standard and common warning suppressions
+build --cxxopt=-std=c++20 --host_cxxopt=-std=c++20
+build --copt=-Wno-deprecated-declarations
 build --define envoy_mobile_listener=enabled
 build --experimental_repository_downloader_retries=2
 build --enable_platform_specific_config
 build --incompatible_merge_fixed_and_default_shell_env
+# A workaround for slow ICU download.
+build --http_timeout_scaling=6.0
 
 # Pass CC, CXX and LLVM_CONFIG variables from the environment.
 # We assume they have stable values, so this won't cause action cache misses.
@@ -57,18 +67,16 @@ test --experimental_ui_max_stdouterr_bytes=11712829 #default 1048576
 # Allow tags to influence execution requirements
 common --experimental_allow_tags_propagation
 
+build:linux --copt=-fdebug-types-section
 # Enable position independent code (this is the default on macOS and Windows)
 # (Workaround for https://github.com/bazelbuild/rules_foreign_cc/issues/421)
-build:linux --copt=-fdebug-types-section
 build:linux --copt=-fPIC
-build:linux --copt=-Wno-deprecated-declarations
-build:linux --cxxopt=-std=c++20 --host_cxxopt=-std=c++20
 build:linux --cxxopt=-fsized-deallocation --host_cxxopt=-fsized-deallocation
 build:linux --conlyopt=-fexceptions
 build:linux --fission=dbg,opt
 build:linux --features=per_object_debug_info
 build:linux --action_env=BAZEL_LINKLIBS=-l%:libstdc++.a
-build:linux --action_env=BAZEL_LINKOPTS=-lm
+build:linux --action_env=BAZEL_LINKOPTS=-lm:-fuse-ld=gold
 
 # We already have absl in the build, define absl=1 to tell googletest to use absl for backtrace.
 build --define absl=1
@@ -80,21 +88,46 @@ build --@com_googlesource_googleurl//build_config:system_icu=0
 build:sanitizer --define tcmalloc=disabled
 build:sanitizer --linkopt -ldl
 
-# Common flags for Clang
-build:clang --action_env=BAZEL_COMPILER=clang
-build:clang --linkopt=-fuse-ld=lld
-build:clang --action_env=CC=clang --host_action_env=CC=clang
-build:clang --action_env=CXX=clang++ --host_action_env=CXX=clang++
+# Common flags for Clang (shared between all clang variants)
+build:clang-common --action_env=BAZEL_COMPILER=clang
+build:clang-common --linkopt=-fuse-ld=lld
+build:clang-common --action_env=CC=clang --host_action_env=CC=clang
+build:clang-common --action_env=CXX=clang++ --host_action_env=CXX=clang++
+build:clang-common --incompatible_enable_cc_toolchain_resolution=false
+
+# Clang with libc++ (default)
+build:clang --config=clang-common
+build:clang --config=libc++
+
+build:arm64-clang --config=clang
 
 # Flags for Clang + PCH
 build:clang-pch --spawn_strategy=local
 build:clang-pch --define=ENVOY_CLANG_PCH=1
 
+# libstdc++ - currently only used for gcc
+build:libstdc++ --@envoy//bazel:libc++=false
+build:libstdc++ --@envoy//bazel:libstdc++=true
+
 # Use gold linker for gcc compiler.
-build:gcc --linkopt=-fuse-ld=gold --host_linkopt=-fuse-ld=gold
+build:gcc --config=libstdc++
 build:gcc --test_env=HEAPCHECK=
 build:gcc --action_env=BAZEL_COMPILER=gcc
 build:gcc --action_env=CC=gcc --action_env=CXX=g++
+# This is to work around a bug in GCC that makes debug-types-section
+# option not play well with fission:
+# https://gcc.gnu.org/bugzilla/show_bug.cgi?id=110885
+build:gcc --copt=-fno-debug-types-section
+# These trigger errors in multiple places both in Envoy dependecies
+# and in Envoy code itself when using GCC.
+# And in all cases the reports appear to be clear false positives.
+build:gcc --copt=-Wno-error=restrict
+build:gcc --copt=-Wno-error=uninitialized
+build:gcc --cxxopt=-Wno-missing-requires
+build:gcc --cxxopt=-Wno-dangling-reference
+build:gcc --cxxopt=-Wno-nonnull-compare
+build:gcc --incompatible_enable_cc_toolchain_resolution=false
+build:gcc --linkopt=-fuse-ld=gold --host_linkopt=-fuse-ld=gold
 
 # Clang-tidy
 # TODO(phlax): enable this, its throwing some errors as well as finding more issues
@@ -104,44 +137,40 @@ build:clang-tidy --aspects @envoy_toolshed//format/clang_tidy:clang_tidy.bzl%cla
 build:clang-tidy --output_groups=report
 build:clang-tidy --build_tag_filters=-notidy
 
-# Basic ASAN/UBSAN that works for gcc
-build:asan --config=sanitizer
+# Basic ASAN/UBSAN that works for gcc or llvm
+build:asan-common --config=sanitizer
 # ASAN install its signal handler, disable ours so the stacktrace will be printed by ASAN
-build:asan --define signal_trace=disabled
-build:asan --define ENVOY_CONFIG_ASAN=1
-build:asan --build_tag_filters=-no_san
-build:asan --test_tag_filters=-no_san
-build:asan --copt -fsanitize=address,undefined
-build:asan --linkopt -fsanitize=address,undefined
-# vptr and function sanitizer are enabled in clang-asan if it is set up via bazel/setup_clang.sh.
-build:asan --copt -fno-sanitize=vptr,function
-build:asan --linkopt -fno-sanitize=vptr,function
-build:asan --copt -DADDRESS_SANITIZER=1
-build:asan --copt -DUNDEFINED_SANITIZER=1
-build:asan --copt -D__SANITIZE_ADDRESS__
-build:asan --test_env=ASAN_OPTIONS=handle_abort=1:allow_addr2line=true:check_initialization_order=true:strict_init_order=true:detect_odr_violation=1
-build:asan --test_env=UBSAN_OPTIONS=halt_on_error=true:print_stacktrace=1
-build:asan --test_env=ASAN_SYMBOLIZER_PATH
+build:asan-common --define signal_trace=disabled
+build:asan-common --define ENVOY_CONFIG_ASAN=1
+build:asan-common --build_tag_filters=-no_san
+build:asan-common --test_tag_filters=-no_san
+build:asan-common --copt -fsanitize=address,undefined
+build:asan-common --linkopt -fsanitize=address,undefined
+# vptr and function sanitizer are enabled in asan if it is set up via bazel/setup_clang.sh.
+build:asan-common --copt -fno-sanitize=vptr,function
+build:asan-common --linkopt -fno-sanitize=vptr,function
+build:asan-common --copt -DADDRESS_SANITIZER=1
+build:asan-common --copt -DUNDEFINED_SANITIZER=1
+build:asan-common --copt -D__SANITIZE_ADDRESS__
+build:asan-common --test_env=ASAN_OPTIONS=handle_abort=1:allow_addr2line=true:check_initialization_order=true:strict_init_order=true:detect_odr_violation=1
+build:asan-common --test_env=UBSAN_OPTIONS=halt_on_error=true:print_stacktrace=1
+build:asan-common --test_env=ASAN_SYMBOLIZER_PATH
 # ASAN needs -O1 to get reasonable performance.
-build:asan --copt -O1
-build:asan --copt -fno-optimize-sibling-calls
+build:asan-common --copt -O1
+build:asan-common --copt -fno-optimize-sibling-calls
 
-# Clang ASAN/UBSAN
-build:clang-asan-common --config=clang
-build:clang-asan-common --config=asan
-build:clang-asan-common --linkopt -fuse-ld=lld
-build:clang-asan-common --linkopt --rtlib=compiler-rt
-build:clang-asan-common --linkopt --unwindlib=libgcc
-
-build:clang-asan --config=clang-asan-common
-build:clang-asan --linkopt=-l:libclang_rt.ubsan_standalone.a
-build:clang-asan --linkopt=-l:libclang_rt.ubsan_standalone_cxx.a
-build:clang-asan --action_env=ENVOY_UBSAN_VPTR=1
-build:clang-asan --copt=-fsanitize=vptr,function
-build:clang-asan --linkopt=-fsanitize=vptr,function
+# ASAN config with clang runtime
+build:asan --config=asan-common
+build:asan --linkopt --rtlib=compiler-rt
+build:asan --linkopt --unwindlib=libgcc
+build:asan --linkopt=-l:libclang_rt.ubsan_standalone.a
+build:asan --linkopt=-l:libclang_rt.ubsan_standalone_cxx.a
+build:asan --action_env=ENVOY_UBSAN_VPTR=1
+build:asan --copt=-fsanitize=vptr,function
+build:asan --linkopt=-fsanitize=vptr,function
+build:asan --linkopt='-L/opt/llvm/lib/clang/18/lib/x86_64-unknown-linux-gnu'
 
 # macOS
-build:macos --cxxopt=-std=c++20 --host_cxxopt=-std=c++20
 build:macos --action_env=PATH=/opt/homebrew/bin:/opt/local/bin:/usr/local/bin:/usr/bin:/bin
 build:macos --host_action_env=PATH=/opt/homebrew/bin:/opt/local/bin:/usr/local/bin:/usr/bin:/bin
 build:macos --define tcmalloc=disabled
@@ -156,54 +185,47 @@ build:macos-asan --copt -DGRPC_BAZEL_BUILD
 # Dynamic link cause issues like: `dyld: malformed mach-o: load commands size (59272) > 32768`
 build:macos-asan --dynamic_mode=off
 
-# Clang TSAN
-build:clang-tsan --action_env=ENVOY_TSAN=1
-build:clang-tsan --config=sanitizer
-build:clang-tsan --define ENVOY_CONFIG_TSAN=1
-build:clang-tsan --copt -fsanitize=thread
-build:clang-tsan --linkopt -fsanitize=thread
-build:clang-tsan --linkopt -fuse-ld=lld
-build:clang-tsan --copt -DTHREAD_SANITIZER=1
-build:clang-tsan --build_tag_filters=-no_san,-no_tsan
-build:clang-tsan --test_tag_filters=-no_san,-no_tsan
+# Base TSAN config
+build:tsan --action_env=ENVOY_TSAN=1
+build:tsan --config=sanitizer
+build:tsan --define ENVOY_CONFIG_TSAN=1
+build:tsan --copt -fsanitize=thread
+build:tsan --linkopt -fsanitize=thread
+build:tsan --copt -DTHREAD_SANITIZER=1
+build:tsan --build_tag_filters=-no_san,-no_tsan
+build:tsan --test_tag_filters=-no_san,-no_tsan
 # Needed due to https://github.com/libevent/libevent/issues/777
-build:clang-tsan --copt -DEVENT__DISABLE_DEBUG_MODE
+build:tsan --copt -DEVENT__DISABLE_DEBUG_MODE
 # https://github.com/abseil/abseil-cpp/issues/760
 # https://github.com/google/sanitizers/issues/953
-build:clang-tsan --test_env="TSAN_OPTIONS=report_atomic_races=0"
-build:clang-tsan --test_timeout=120,600,1500,4800
+build:tsan --test_env="TSAN_OPTIONS=report_atomic_races=0"
+build:tsan --test_timeout=120,600,1500,4800
 
-# Clang MSAN - this is the base config for remote-msan and docker-msan. To run this config without
-# our build image, follow https://github.com/google/sanitizers/wiki/MemorySanitizerLibcxxHowTo
-# with libc++ instruction and provide corresponding `--copt` and `--linkopt` as well.
-build:clang-msan --action_env=ENVOY_MSAN=1
-build:clang-msan --config=sanitizer
-build:clang-msan --build_tag_filters=-no_san
-build:clang-msan --test_tag_filters=-no_san
-build:clang-msan --define ENVOY_CONFIG_MSAN=1
-build:clang-msan --copt -fsanitize=memory
-build:clang-msan --linkopt -fsanitize=memory
-build:clang-msan --linkopt -fuse-ld=lld
-build:clang-msan --copt -fsanitize-memory-track-origins=2
-build:clang-msan --copt -DMEMORY_SANITIZER=1
-build:clang-msan --test_env=MSAN_SYMBOLIZER_PATH
+# Base MSAN config
+build:msan --action_env=ENVOY_MSAN=1
+build:msan --config=sanitizer
+build:msan --build_tag_filters=-no_san
+build:msan --test_tag_filters=-no_san
+build:msan --define ENVOY_CONFIG_MSAN=1
+build:msan --copt -fsanitize=memory
+build:msan --linkopt -fsanitize=memory
+build:msan --copt -fsanitize-memory-track-origins=2
+build:msan --copt -DMEMORY_SANITIZER=1
+build:msan --test_env=MSAN_SYMBOLIZER_PATH
 # MSAN needs -O1 to get reasonable performance.
-build:clang-msan --copt -O1
-build:clang-msan --copt -fno-optimize-sibling-calls
+build:msan --copt -O1
+build:msan --copt -fno-optimize-sibling-calls
 
-# Clang with libc++
-build:libc++ --config=clang
 build:libc++ --action_env=CXXFLAGS=-stdlib=libc++
 build:libc++ --action_env=LDFLAGS=-stdlib=libc++
 build:libc++ --action_env=BAZEL_CXXOPTS=-stdlib=libc++
 build:libc++ --action_env=BAZEL_LINKLIBS=-l%:libc++.a:-l%:libc++abi.a
 build:libc++ --action_env=BAZEL_LINKOPTS=-lm:-pthread
 build:libc++ --define force_libcpp=enabled
-build:clang-libc++ --config=libc++
+build:libc++ --@envoy//bazel:libc++=true
+
+
 
-build:libc++20 --config=libc++
-# gRPC has a lot of deprecated-enum-enum-conversion warning. Remove once it is addressed
-build:libc++20 --copt=-Wno-error=deprecated-enum-enum-conversion
 
 # Optimize build for binary size reduction.
 build:sizeopt -c opt --copt -Os
@@ -220,7 +242,6 @@ build:coverage --action_env=GCOV=llvm-profdata
 build:coverage --copt=-DNDEBUG
 # 1.5x original timeout + 300s for trace merger in all categories
 build:coverage --test_timeout=390,750,1500,5700
-build:coverage --define=dynamic_link_tests=true
 build:coverage --define=ENVOY_CONFIG_COVERAGE=1
 build:coverage --cxxopt="-DENVOY_CONFIG_COVERAGE=1"
 build:coverage --test_env=HEAPCHECK=
@@ -239,6 +260,9 @@ build:coverage --define=no_debug_info=1
 # `--no-relax` is required for coverage to not err with `relocation R_X86_64_REX_GOTPCRELX`
 build:coverage --linkopt=-Wl,-s,--no-relax
 build:coverage --test_env=ENVOY_IP_TEST_VERSIONS=v4only
+build:coverage --define=dynamic_link_tests=false
+# Use custom report generator that also generates HTML
+build:coverage --coverage_report_generator=@envoy//tools/coverage:report_generator
 
 build:test-coverage --test_arg="-l trace"
 build:test-coverage --test_arg="--log-path /dev/null"
@@ -246,45 +270,39 @@ build:test-coverage --test_tag_filters=-nocoverage,-fuzz_target
 build:fuzz-coverage --config=plain-fuzzer
 build:fuzz-coverage --run_under=@envoy//bazel/coverage:fuzz_coverage_wrapper.sh
 build:fuzz-coverage --test_tag_filters=-nocoverage
+# Existing fuzz tests don't need a full WASM runtime and in generally we don't really want to
+# fuzz dependencies anyways. On the other hand, disabling WASM reduces the build time and
+# resources required to build and run the tests.
+build:fuzz-coverage --define=wasm=disabled
+build:fuzz-coverage --config=fuzz-coverage-config
+build:fuzz-coverage-config --//tools/coverage:config=//test:fuzz_coverage_config
 
 build:cache-local --remote_cache=grpc://localhost:9092
 
 # Remote execution: https://docs.bazel.build/versions/master/remote-execution.html
 build:rbe-toolchain --action_env=BAZEL_DO_NOT_DETECT_CPP_TOOLCHAIN=1
+build:rbe-toolchain --incompatible_enable_cc_toolchain_resolution=false
 
 build:rbe-toolchain-clang --config=rbe-toolchain
+build:rbe-toolchain-clang --config=clang
 build:rbe-toolchain-clang --platforms=@envoy//bazel/rbe/toolchains:rbe_linux_clang_platform
 build:rbe-toolchain-clang --host_platform=@envoy//bazel/rbe/toolchains:rbe_linux_clang_platform
 build:rbe-toolchain-clang --crosstool_top=@envoy//bazel/rbe/toolchains/configs/linux/clang/cc:toolchain
 build:rbe-toolchain-clang --extra_toolchains=@envoy//bazel/rbe/toolchains/configs/linux/clang/config:cc-toolchain
 build:rbe-toolchain-clang --action_env=CC=clang --action_env=CXX=clang++
 
-build:rbe-toolchain-clang-libc++ --config=rbe-toolchain
-build:rbe-toolchain-clang-libc++ --platforms=@envoy//bazel/rbe/toolchains:rbe_linux_clang_libcxx_platform
-build:rbe-toolchain-clang-libc++ --host_platform=@envoy//bazel/rbe/toolchains:rbe_linux_clang_libcxx_platform
-build:rbe-toolchain-clang-libc++ --crosstool_top=@envoy//bazel/rbe/toolchains/configs/linux/clang_libcxx/cc:toolchain
-build:rbe-toolchain-clang-libc++ --extra_toolchains=@envoy//bazel/rbe/toolchains/configs/linux/clang_libcxx/config:cc-toolchain
-build:rbe-toolchain-clang-libc++ --action_env=CC=clang --action_env=CXX=clang++
-build:rbe-toolchain-clang-libc++ --action_env=CXXFLAGS=-stdlib=libc++
-build:rbe-toolchain-clang-libc++ --action_env=LDFLAGS=-stdlib=libc++
-build:rbe-toolchain-clang-libc++ --define force_libcpp=enabled
 
-build:rbe-toolchain-asan --config=clang-asan
-build:rbe-toolchain-asan --linkopt -fuse-ld=lld
-build:rbe-toolchain-asan --action_env=ENVOY_UBSAN_VPTR=1
-build:rbe-toolchain-asan --copt=-fsanitize=vptr,function
-build:rbe-toolchain-asan --linkopt=-fsanitize=vptr,function
-build:rbe-toolchain-asan --linkopt='-L/opt/llvm/lib/clang/14.0.0/lib/x86_64-unknown-linux-gnu'
-build:rbe-toolchain-asan --linkopt=-l:libclang_rt.ubsan_standalone.a
-build:rbe-toolchain-asan --linkopt=-l:libclang_rt.ubsan_standalone_cxx.a
+build:rbe-toolchain-arm64-clang --config=rbe-toolchain
+build:rbe-toolchain-arm64-clang --config=clang
+build:rbe-toolchain-arm64-clang --platforms=@envoy//bazel/rbe/toolchains:rbe_linux_arm64_clang_platform
+build:rbe-toolchain-arm64-clang --host_platform=@envoy//bazel/rbe/toolchains:rbe_linux_arm64_clang_platform
+build:rbe-toolchain-arm64-clang --crosstool_top=@envoy//bazel/rbe/toolchains/configs/linux/clang/cc:toolchain
+build:rbe-toolchain-arm64-clang --extra_toolchains=@envoy//bazel/rbe/toolchains/configs/linux/clang/config:cc-toolchain-arm64
+build:rbe-toolchain-arm64-clang --action_env=CC=clang --action_env=CXX=clang++
 
-build:rbe-toolchain-msan --linkopt=-L/opt/libcxx_msan/lib
-build:rbe-toolchain-msan --linkopt=-Wl,-rpath,/opt/libcxx_msan/lib
-build:rbe-toolchain-msan --config=clang-msan
 
-build:rbe-toolchain-tsan --linkopt=-L/opt/libcxx_tsan/lib
-build:rbe-toolchain-tsan --linkopt=-Wl,-rpath,/opt/libcxx_tsan/lib
-build:rbe-toolchain-tsan --config=clang-tsan
+# Sanitizer configs - CI uses the *-common configs directly
+# Note: clang config comes from rbe-toolchain-clang to avoid duplication
 
 build:rbe-toolchain-gcc --config=rbe-toolchain
 build:rbe-toolchain-gcc --platforms=@envoy//bazel/rbe/toolchains:rbe_linux_gcc_platform
@@ -310,24 +328,26 @@ build:remote-windows --remote_download_toplevel
 build:remote-clang --config=remote
 build:remote-clang --config=rbe-toolchain-clang
 
-build:remote-clang-libc++ --config=remote
-build:remote-clang-libc++ --config=rbe-toolchain-clang-libc++
+
+build:remote-arm64-clang --config=remote
+build:remote-arm64-clang --config=rbe-toolchain-arm64-clang
+
 
 build:remote-gcc --config=remote
 build:remote-gcc --config=gcc
 build:remote-gcc --config=rbe-toolchain-gcc
 
 build:remote-asan --config=remote
-build:remote-asan --config=rbe-toolchain-clang-libc++
-build:remote-asan --config=rbe-toolchain-asan
+build:remote-asan --config=rbe-toolchain-clang
+build:remote-asan --config=asan
 
 build:remote-msan --config=remote
-build:remote-msan --config=rbe-toolchain-clang-libc++
-build:remote-msan --config=rbe-toolchain-msan
+build:remote-msan --config=rbe-toolchain-clang
+build:remote-msan --config=msan
 
 build:remote-tsan --config=remote
-build:remote-tsan --config=rbe-toolchain-clang-libc++
-build:remote-tsan --config=rbe-toolchain-tsan
+build:remote-tsan --config=rbe-toolchain-clang
+build:remote-tsan --config=tsan
 
 build:remote-msvc-cl --config=remote-windows
 build:remote-msvc-cl --config=msvc-cl
@@ -351,14 +371,15 @@ build:compile-time-options --define=deprecated_features=disabled
 build:compile-time-options --define=tcmalloc=gperftools
 build:compile-time-options --define=zlib=ng
 build:compile-time-options --define=uhv=enabled
-build:compile-time-options --config=libc++20
+# gRPC has a lot of deprecated-enum-enum-conversion warnings with C++20
+build:compile-time-options --copt=-Wno-error=deprecated-enum-enum-conversion
 build:compile-time-options --test_env=ENVOY_HAS_EXTRA_EXTENSIONS=true
 build:compile-time-options --@envoy//bazel:http3=False
 build:compile-time-options --@envoy//source/extensions/filters/http/kill_request:enabled
 
 # Docker sandbox
 # NOTE: Update this from https://github.com/envoyproxy/envoy-build-tools/blob/main/toolchains/rbe_toolchains_config.bzl#L8
-build:docker-sandbox --experimental_docker_image=envoyproxy/envoy-build-ubuntu:f94a38f62220a2b017878b790b6ea98a0f6c5f9c@sha256:2dd96b6f43c08ccabd5f4747fce5854f5f96af509b32e5cf6493f136e9833649
+build:docker-sandbox --experimental_docker_image=envoyproxy/envoy-build-ubuntu:f4a881a1205e8e6db1a57162faf3df7aed88eae8@sha256:b10346fe2eee41733dbab0e02322c47a538bf3938d093a5daebad9699860b814
 build:docker-sandbox --spawn_strategy=docker
 build:docker-sandbox --strategy=Javac=docker
 build:docker-sandbox --strategy=Closure=docker
@@ -370,39 +391,37 @@ build:docker-sandbox --experimental_enable_docker_sandbox
 build:docker-clang --config=docker-sandbox
 build:docker-clang --config=rbe-toolchain-clang
 
-build:docker-clang-libc++ --config=docker-sandbox
-build:docker-clang-libc++ --config=rbe-toolchain-clang-libc++
 
 build:docker-gcc --config=docker-sandbox
+build:docker-gcc --config=gcc
 build:docker-gcc --config=rbe-toolchain-gcc
 
 build:docker-asan --config=docker-sandbox
-build:docker-asan --config=rbe-toolchain-clang-libc++
-build:docker-asan --config=rbe-toolchain-asan
+build:docker-asan --config=rbe-toolchain-clang
+build:docker-asan --config=asan
 
 build:docker-msan --config=docker-sandbox
-build:docker-msan --config=rbe-toolchain-clang-libc++
-build:docker-msan --config=rbe-toolchain-msan
+build:docker-msan --config=rbe-toolchain-clang
+build:docker-msan --config=msan
 
 build:docker-tsan --config=docker-sandbox
-build:docker-tsan --config=rbe-toolchain-clang-libc++
-build:docker-tsan --config=rbe-toolchain-tsan
+build:docker-tsan --config=rbe-toolchain-clang
+build:docker-tsan --config=tsan
 
 # CI configurations
 build:remote-ci --config=ci
 build:remote-ci --remote_download_minimal
 
 # Note this config is used by mobile CI also.
-build:ci --noshow_progress
-build:ci --noshow_loading_progress
-build:ci --test_output=errors
+common:ci --noshow_progress
+common:ci --noshow_loading_progress
+common:ci --test_output=errors
 
 # Fuzz builds
 
 # Shared fuzzing configuration.
 build:fuzzing --define=ENVOY_CONFIG_ASAN=1
 build:fuzzing --copt=-DFUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION
-build:fuzzing --config=libc++
 
 # Fuzzing without ASAN. This is useful for profiling fuzzers without any ASAN artifacts.
 build:plain-fuzzer --config=fuzzing
@@ -413,13 +432,16 @@ build:plain-fuzzer --define=FUZZING_ENGINE=libfuzzer
 build:plain-fuzzer --copt=-fsanitize=fuzzer-no-link
 build:plain-fuzzer --linkopt=-fsanitize=fuzzer-no-link
 
+# ASAN fuzzer
 build:asan-fuzzer --config=plain-fuzzer
-build:asan-fuzzer --config=clang-asan
+build:asan-fuzzer --config=asan
 build:asan-fuzzer --copt=-fno-omit-frame-pointer
 # Remove UBSAN halt_on_error to avoid crashing on protobuf errors.
 build:asan-fuzzer --test_env=UBSAN_OPTIONS=print_stacktrace=1
+build:asan-fuzzer --linkopt=-lc++
 
 build:oss-fuzz --config=fuzzing
+build:oss-fuzz --config=libc++
 build:oss-fuzz --define=FUZZING_ENGINE=oss-fuzz
 build:oss-fuzz --@rules_fuzzing//fuzzing:cc_engine_instrumentation=oss-fuzz
 build:oss-fuzz --@rules_fuzzing//fuzzing:cc_engine_sanitizer=none
@@ -505,33 +527,41 @@ build:rbe-engflow --remote_executor=grpcs://envoy.cluster.engflow.com
 build:rbe-engflow --bes_backend=grpcs://envoy.cluster.engflow.com/
 build:rbe-engflow --bes_results_url=https://envoy.cluster.engflow.com/invocation/
 build:rbe-engflow --credential_helper=*.engflow.com=%workspace%/bazel/engflow-bazel-credential-helper.sh
-build:rbe-engflow --grpc_keepalive_time=30s
+build:rbe-engflow --grpc_keepalive_time=60s
+build:rbe-engflow --grpc_keepalive_timeout=30s
 build:rbe-engflow --remote_timeout=3600s
 build:rbe-engflow --bes_timeout=3600s
 build:rbe-engflow --bes_upload_mode=fully_async
 build:rbe-engflow --nolegacy_important_outputs
 
 # RBE (Engflow Envoy)
-build:common-envoy-engflow --google_default_credentials=false
-build:common-envoy-engflow --credential_helper=*.engflow.com=%workspace%/bazel/engflow-bazel-credential-helper.sh
-build:common-envoy-engflow --grpc_keepalive_time=30s
+common:common-envoy-engflow --google_default_credentials=false
+common:common-envoy-engflow --credential_helper=*.engflow.com=%workspace%/bazel/engflow-bazel-credential-helper.sh
+common:common-envoy-engflow --grpc_keepalive_time=60s
+common:common-envoy-engflow --grpc_keepalive_timeout=30s
 
-build:cache-envoy-engflow --remote_cache=grpcs://mordenite.cluster.engflow.com
-build:cache-envoy-engflow --remote_timeout=3600s
-build:bes-envoy-engflow --bes_backend=grpcs://mordenite.cluster.engflow.com/
-build:bes-envoy-engflow --bes_results_url=https://mordenite.cluster.engflow.com/invocation/
-build:bes-envoy-engflow --bes_timeout=3600s
-build:bes-envoy-engflow --bes_upload_mode=fully_async
-build:bes-envoy-engflow --nolegacy_important_outputs
-build:rbe-envoy-engflow --remote_executor=grpcs://mordenite.cluster.engflow.com
-build:rbe-envoy-engflow --remote_default_exec_properties=container-image=docker://gcr.io/envoy-ci/envoy-build@sha256:7adc40c09508f957624c4d2e0f5aeecb73a59207ee6ded53b107eac828c091b2
-build:rbe-envoy-engflow --jobs=200
-build:rbe-envoy-engflow --define=engflow_rbe=true
+common:cache-envoy-engflow --remote_cache=grpcs://mordenite.cluster.engflow.com
+common:cache-envoy-engflow --remote_timeout=3600s
+# common:cache-envoy-engflow --remote_instance_name=llvm-18
+common:bes-envoy-engflow --bes_backend=grpcs://mordenite.cluster.engflow.com/
+common:bes-envoy-engflow --bes_results_url=https://mordenite.cluster.engflow.com/invocation/
+common:bes-envoy-engflow --bes_timeout=3600s
+common:bes-envoy-engflow --bes_upload_mode=fully_async
+common:bes-envoy-engflow --nolegacy_important_outputs
+common:rbe-envoy-engflow --remote_executor=grpcs://mordenite.cluster.engflow.com
+common:rbe-envoy-engflow --remote_default_exec_properties=container-image=docker://gcr.io/envoy-ci/envoy-build@sha256:95d7afdea0f0f8881e88fa5e581db4f50907d0745ac8d90e00357ac1a316abe5
+common:rbe-envoy-engflow --jobs=200
+common:rbe-envoy-engflow --define=engflow_rbe=true
 
-build:remote-envoy-engflow --config=common-envoy-engflow
-build:remote-envoy-engflow --config=cache-envoy-engflow
-build:remote-envoy-engflow --config=bes-envoy-engflow
-build:remote-envoy-engflow --config=rbe-envoy-engflow
+common:remote-envoy-engflow --config=common-envoy-engflow
+common:remote-envoy-engflow --config=cache-envoy-engflow
+common:remote-envoy-engflow --config=rbe-envoy-engflow
+
+common:remote-cache-envoy-engflow --config=common-envoy-engflow
+common:remote-cache-envoy-engflow --config=cache-envoy-engflow
+
+# Specifies the rustfmt.toml for all rustfmt_test targets.
+build --@rules_rust//rust/settings:rustfmt.toml=//:rustfmt.toml
 
 #############################################################################
 # debug: Various Bazel debugging flags
@@ -555,6 +585,7 @@ common:debug --config=debug-sandbox
 common:debug --config=debug-coverage
 common:debug --config=debug-tests
 
+try-import %workspace%/repo.bazelrc
 try-import %workspace%/clang.bazelrc
 try-import %workspace%/user.bazelrc
 try-import %workspace%/local_tsan.bazelrc

extensions/common/metadata_object.cc

@@ -16,6 +16,7 @@
 
 #include "envoy/registry/registry.h"
 #include "source/common/common/hash.h"
+#include "source/common/protobuf/utility.h"
 
 #include "absl/strings/str_join.h"
 
@@ -59,7 +60,52 @@ absl::optional<absl::string_view> toSuffix(WorkloadType workload_type) {
 
 } // namespace
 
-absl::optional<std::string> WorkloadMetadataObject::serializeAsString() const {
+Envoy::ProtobufTypes::MessagePtr WorkloadMetadataObject::serializeAsProto() const {
+  auto message = std::make_unique<Envoy::ProtobufWkt::Struct>();
+  const auto suffix = toSuffix(workload_type_);
+  if (suffix) {
+    (*message->mutable_fields())[WorkloadTypeToken].set_string_value(*suffix);
+  }
+  if (!workload_name_.empty()) {
+    (*message->mutable_fields())[WorkloadNameToken].set_string_value(workload_name_);
+  }
+  if (!cluster_name_.empty()) {
+    (*message->mutable_fields())[InstanceNameToken].set_string_value(instance_name_);
+  }
+  if (!cluster_name_.empty()) {
+    (*message->mutable_fields())[ClusterNameToken].set_string_value(cluster_name_);
+  }
+  if (!namespace_name_.empty()) {
+    (*message->mutable_fields())[NamespaceNameToken].set_string_value(namespace_name_);
+  }
+  if (!canonical_name_.empty()) {
+    (*message->mutable_fields())[ServiceNameToken].set_string_value(canonical_name_);
+  }
+  if (!canonical_revision_.empty()) {
+    (*message->mutable_fields())[ServiceVersionToken].set_string_value(canonical_revision_);
+  }
+  if (!app_name_.empty()) {
+    (*message->mutable_fields())[AppNameToken].set_string_value(app_name_);
+  }
+  if (!app_version_.empty()) {
+    (*message->mutable_fields())[AppVersionToken].set_string_value(app_version_);
+  }
+  if (!identity_.empty()) {
+    (*message->mutable_fields())[IdentityToken].set_string_value(identity_);
+  }
+
+  if (!labels_.empty()) {
+    auto* labels = (*message->mutable_fields())[LabelsToken].mutable_struct_value();
+    for (const auto& l : labels_) {
+      (*labels->mutable_fields())[std::string(l.first)].set_string_value(std::string(l.second));
+    }
+  }
+
+  return message;
+}
+
+std::vector<std::pair<absl::string_view, absl::string_view>>
+WorkloadMetadataObject::serializeAsPairs() const {
   std::vector<std::pair<absl::string_view, absl::string_view>> parts;
   const auto suffix = toSuffix(workload_type_);
   if (suffix) {
@@ -89,6 +135,16 @@ absl::optional<std::string> WorkloadMetadataObject::serializeAsString() const {
   if (!app_version_.empty()) {
     parts.push_back({AppVersionToken, app_version_});
   }
+  if (!labels_.empty()) {
+    for (const auto& l : labels_) {
+      parts.push_back({absl::StrCat("labels[]", l.first), absl::string_view(l.second)});
+    }
+  }
+  return parts;
+}
+
+absl::optional<std::string> WorkloadMetadataObject::serializeAsString() const {
+  const auto parts = serializeAsPairs();
   return absl::StrJoin(parts, ",", absl::PairFormatter("="));
 }
 
@@ -151,6 +207,11 @@ google::protobuf::Struct convertWorkloadMetadataToStruct(const WorkloadMetadataO
   if (!obj.app_version_.empty()) {
     (*labels->mutable_fields())[AppVersionLabel].set_string_value(obj.app_version_);
   }
+  if (!obj.getLabels().empty()) {
+    for (const auto& lbl : obj.getLabels()) {
+      (*labels->mutable_fields())[std::string(lbl.first)].set_string_value(std::string(lbl.second));
+    }
+  }
   if (const auto owner = obj.owner(); owner.has_value()) {
     (*metadata.mutable_fields())[OwnerMetadataField].set_string_value(*owner);
   }
@@ -160,8 +221,15 @@ google::protobuf::Struct convertWorkloadMetadataToStruct(const WorkloadMetadataO
 // Convert struct to a metadata object.
 std::unique_ptr<WorkloadMetadataObject>
 convertStructToWorkloadMetadata(const google::protobuf::Struct& metadata) {
+  return convertStructToWorkloadMetadata(metadata, {});
+}
+
+std::unique_ptr<WorkloadMetadataObject>
+convertStructToWorkloadMetadata(const google::protobuf::Struct& metadata,
+                                const absl::flat_hash_set<std::string>& additional_labels) {
   absl::string_view instance, namespace_name, owner, workload, cluster, canonical_name,
       canonical_revision, app_name, app_version;
+  std::vector<std::pair<std::string, std::string>> labels;
   for (const auto& it : metadata.fields()) {
     if (it.first == InstanceMetadataField) {
       instance = it.second.string_value();
@@ -183,13 +251,19 @@ convertStructToWorkloadMetadata(const google::protobuf::Struct& metadata) {
           app_name = labels_it.second.string_value();
         } else if (labels_it.first == AppVersionLabel) {
           app_version = labels_it.second.string_value();
+        } else if (!additional_labels.empty() &&
+                   additional_labels.contains(std::string(labels_it.first))) {
+          labels.push_back(
+              {std::string(labels_it.first), std::string(labels_it.second.string_value())});
         }
       }
     }
   }
-  return std::make_unique<WorkloadMetadataObject>(instance, cluster, namespace_name, workload,
-                                                  canonical_name, canonical_revision, app_name,
-                                                  app_version, parseOwner(owner, workload), "");
+  auto obj = std::make_unique<WorkloadMetadataObject>(instance, cluster, namespace_name, workload,
+                                                      canonical_name, canonical_revision, app_name,
+                                                      app_version, parseOwner(owner, workload), "");
+  obj->setLabels(labels);
+  return obj;
 }
 
 absl::optional<WorkloadMetadataObject>

extensions/common/metadata_object.h

@@ -17,7 +17,8 @@
 #include "envoy/common/hashable.h"
 #include "envoy/stream_info/filter_state.h"
 
-#include "absl/strings/str_split.h"
+#include "source/common/protobuf/protobuf.h"
+
 #include "absl/types/optional.h"
 
 #include "google/protobuf/struct.pb.h"
@@ -75,6 +76,8 @@ constexpr absl::string_view AppVersionToken = "version";
 constexpr absl::string_view WorkloadNameToken = "workload";
 constexpr absl::string_view WorkloadTypeToken = "type";
 constexpr absl::string_view InstanceNameToken = "name";
+constexpr absl::string_view LabelsToken = "labels";
+constexpr absl::string_view IdentityToken = "identity";
 
 constexpr absl::string_view InstanceMetadataField = "NAME";
 constexpr absl::string_view NamespaceMetadataField = "NAMESPACE";
@@ -98,11 +101,15 @@ public:
         workload_type_(workload_type), identity_(identity) {}
 
   absl::optional<uint64_t> hash() const override;
+  Envoy::ProtobufTypes::MessagePtr serializeAsProto() const override;
+  std::vector<std::pair<absl::string_view, absl::string_view>> serializeAsPairs() const;
   absl::optional<std::string> serializeAsString() const override;
   absl::optional<std::string> owner() const;
   bool hasFieldSupport() const override { return true; }
   using Envoy::StreamInfo::FilterState::Object::FieldType;
   FieldType getField(absl::string_view) const override;
+  void setLabels(std::vector<std::pair<std::string, std::string>> labels) { labels_ = labels; }
+  std::vector<std::pair<std::string, std::string>> getLabels() const { return labels_; }
 
   const std::string instance_name_;
   const std::string cluster_name_;
@@ -114,6 +121,7 @@ public:
   const std::string app_version_;
   const WorkloadType workload_type_;
   const std::string identity_;
+  std::vector<std::pair<std::string, std::string>> labels_;
 };
 
 // Parse string workload type.
@@ -129,6 +137,10 @@ google::protobuf::Struct convertWorkloadMetadataToStruct(const WorkloadMetadataO
 std::unique_ptr<WorkloadMetadataObject>
 convertStructToWorkloadMetadata(const google::protobuf::Struct& metadata);
 
+std::unique_ptr<WorkloadMetadataObject>
+convertStructToWorkloadMetadata(const google::protobuf::Struct& metadata,
+                                const absl::flat_hash_set<std::string>& additional_labels);
+
 // Convert endpoint metadata string to a metadata object.
 // Telemetry metadata is compressed into a semicolon separated string:
 // workload-name;namespace;canonical-service-name;canonical-service-revision;cluster-id.

extensions/common/metadata_object_test.cc

@@ -22,6 +22,7 @@
 namespace Istio {
 namespace Common {
 
+using Envoy::Protobuf::util::MessageDifferencer;
 using ::testing::NiceMock;
 
 TEST(WorkloadMetadataObjectTest, Baggage) {
@@ -60,9 +61,24 @@ void checkStructConversion(const Envoy::StreamInfo::FilterState::Object& data) {
   auto pb = convertWorkloadMetadataToStruct(obj);
   auto obj2 = convertStructToWorkloadMetadata(pb);
   EXPECT_EQ(obj2->serializeAsString(), obj.serializeAsString());
+  MessageDifferencer::Equals(*(obj2->serializeAsProto()), *(obj.serializeAsProto()));
   EXPECT_EQ(obj2->hash(), obj.hash());
 }
 
+TEST(WorkloadMetadataObjectTest, ConversionWithLabels) {
+  WorkloadMetadataObject deploy("pod-foo-1234", "my-cluster", "default", "foo", "foo-service",
+                                "v1alpha3", "", "", WorkloadType::Deployment, "");
+  deploy.setLabels({{"label1", "value1"}, {"label2", "value2"}});
+  auto pb = convertWorkloadMetadataToStruct(deploy);
+  auto obj1 = convertStructToWorkloadMetadata(pb, {"label1", "label2"});
+  EXPECT_EQ(obj1->getLabels().size(), 2);
+  auto obj2 = convertStructToWorkloadMetadata(pb, {"label1"});
+  EXPECT_EQ(obj2->getLabels().size(), 1);
+  absl::flat_hash_set<std::string> empty;
+  auto obj3 = convertStructToWorkloadMetadata(pb, empty);
+  EXPECT_EQ(obj3->getLabels().size(), 0);
+}
+
 TEST(WorkloadMetadataObjectTest, Conversion) {
   {
     const auto r = convertBaggageToWorkloadMetadata(

go.mod

@@ -1,32 +1,33 @@
 module istio.io/proxy
 
-go 1.22.0
+go 1.24
 
 require (
-	github.com/cncf/xds/go v0.0.0-20240423153145-555b57ec207b
-	github.com/envoyproxy/go-control-plane v0.13.2-0.20241016223134-a28839d97f6f
+	github.com/cncf/xds/go v0.0.0-20250326154945-ae57f3c0d45f
+	github.com/envoyproxy/go-control-plane v0.13.5-0.20250705082150-f8f2cd45490a
+	github.com/envoyproxy/go-control-plane/envoy v1.32.4
 	github.com/golang/protobuf v1.5.4
-	github.com/google/go-cmp v0.6.0
-	github.com/prometheus/client_model v0.6.0
+	github.com/google/go-cmp v0.7.0
+	github.com/prometheus/client_model v0.6.1
 	github.com/prometheus/common v0.46.0
 	go.opentelemetry.io/proto/otlp v1.1.0
 	go.starlark.net v0.0.0-20240123142251-f86470692795
-	google.golang.org/genproto/googleapis/rpc v0.0.0-20240528184218-531527333157
-	google.golang.org/grpc v1.65.0
-	google.golang.org/protobuf v1.34.2
+	google.golang.org/genproto/googleapis/rpc v0.0.0-20250528174236-200df99c418a
+	google.golang.org/grpc v1.73.0
+	google.golang.org/protobuf v1.36.6
 	gopkg.in/yaml.v2 v2.4.0
 	sigs.k8s.io/yaml v1.4.0
 )
 
 require (
-	cel.dev/expr v0.15.0 // indirect
-	github.com/census-instrumentation/opencensus-proto v0.4.1 // indirect
-	github.com/envoyproxy/protoc-gen-validate v1.1.0 // indirect
+	cel.dev/expr v0.23.0 // indirect
+	github.com/envoyproxy/go-control-plane/ratelimit v0.1.0 // indirect
+	github.com/envoyproxy/protoc-gen-validate v1.2.1 // indirect
 	github.com/grpc-ecosystem/grpc-gateway/v2 v2.19.0 // indirect
 	github.com/kr/text v0.2.0 // indirect
 	github.com/planetscale/vtprotobuf v0.6.1-0.20240319094008-0393e58bdf10 // indirect
-	golang.org/x/net v0.26.0 // indirect
-	golang.org/x/sys v0.21.0 // indirect
-	golang.org/x/text v0.16.0 // indirect
-	google.golang.org/genproto/googleapis/api v0.0.0-20240528184218-531527333157 // indirect
+	golang.org/x/net v0.40.0 // indirect
+	golang.org/x/sys v0.33.0 // indirect
+	golang.org/x/text v0.25.0 // indirect
+	google.golang.org/genproto/googleapis/api v0.0.0-20250528174236-200df99c418a // indirect
 )

go.sum

@@ -1,21 +1,29 @@
-cel.dev/expr v0.15.0 h1:O1jzfJCQBfL5BFoYktaxwIhuttaQPsVWerH9/EEKx0w=
-cel.dev/expr v0.15.0/go.mod h1:TRSuuV7DlVCE/uwv5QbAiW/v8l5O8C4eEPHeu7gf7Sg=
-github.com/census-instrumentation/opencensus-proto v0.4.1 h1:iKLQ0xPNFxR/2hzXZMrBo8f1j86j5WHzznCCQxV/b8g=
-github.com/census-instrumentation/opencensus-proto v0.4.1/go.mod h1:4T9NM4+4Vw91VeyqjLS6ao50K5bOcLKN6Q42XnYaRYw=
-github.com/cncf/xds/go v0.0.0-20240423153145-555b57ec207b h1:ga8SEFjZ60pxLcmhnThWgvH2wg8376yUJmPhEH4H3kw=
-github.com/cncf/xds/go v0.0.0-20240423153145-555b57ec207b/go.mod h1:W+zGtBO5Y1IgJhy4+A9GOqVhqLpfZi+vwmdNXUehLA8=
+cel.dev/expr v0.23.0 h1:wUb94w6OYQS4uXraxo9U+wUAs9jT47Xvl4iPgAwM2ss=
+cel.dev/expr v0.23.0/go.mod h1:hLPLo1W4QUmuYdA72RBX06QTs6MXw941piREPl3Yfiw=
+github.com/cncf/xds/go v0.0.0-20250326154945-ae57f3c0d45f h1:C5bqEmzEPLsHm9Mv73lSE9e9bKV23aB1vxOsmZrkl3k=
+github.com/cncf/xds/go v0.0.0-20250326154945-ae57f3c0d45f/go.mod h1:W+zGtBO5Y1IgJhy4+A9GOqVhqLpfZi+vwmdNXUehLA8=
 github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E=
 github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
-github.com/envoyproxy/go-control-plane v0.13.2-0.20241016223134-a28839d97f6f h1:aKex1vzOzP5rFhA/WZjr/MngS9JtSkxyW55B5lQNXTQ=
-github.com/envoyproxy/go-control-plane v0.13.2-0.20241016223134-a28839d97f6f/go.mod h1:X45hY0mufo6Fd0KW3rqsGvQMw58jvjymeCzBU3mWyHw=
-github.com/envoyproxy/protoc-gen-validate v1.1.0 h1:tntQDh69XqOCOZsDz0lVJQez/2L6Uu2PdjCQwWCJ3bM=
-github.com/envoyproxy/protoc-gen-validate v1.1.0/go.mod h1:sXRDRVmzEbkM7CVcM06s9shE/m23dg3wzjl0UWqJ2q4=
+github.com/envoyproxy/go-control-plane v0.13.5-0.20250705082150-f8f2cd45490a h1:k0yPxzI8NWvWx9TKX3ysJabi1XEkrKmutgfIe27WX7M=
+github.com/envoyproxy/go-control-plane v0.13.5-0.20250705082150-f8f2cd45490a/go.mod h1:whHrEUXbTAzBJlzd3Gz4us5zEFP1gL6o3LbfA+a/xbg=
+github.com/envoyproxy/go-control-plane/envoy v1.32.4 h1:jb83lalDRZSpPWW2Z7Mck/8kXZ5CQAFYVjQcdVIr83A=
+github.com/envoyproxy/go-control-plane/envoy v1.32.4/go.mod h1:Gzjc5k8JcJswLjAx1Zm+wSYE20UrLtt7JZMWiWQXQEw=
+github.com/envoyproxy/go-control-plane/ratelimit v0.1.0 h1:/G9QYbddjL25KvtKTv3an9lx6VBE2cnb8wp1vEGNYGI=
+github.com/envoyproxy/go-control-plane/ratelimit v0.1.0/go.mod h1:Wk+tMFAFbCXaJPzVVHnPgRKdUdwW/KdbRt94AzgRee4=
+github.com/envoyproxy/protoc-gen-validate v1.2.1 h1:DEo3O99U8j4hBFwbJfrz9VtgcDfUKS7KJ7spH3d86P8=
+github.com/envoyproxy/protoc-gen-validate v1.2.1/go.mod h1:d/C80l/jxXLdfEIhX1W2TmLfsJ31lvEjwamM4DxlWXU=
+github.com/go-logr/logr v1.4.2 h1:6pFjapn8bFcIbiKo3XT4j/BhANplGihG6tvd+8rYgrY=
+github.com/go-logr/logr v1.4.2/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY=
+github.com/go-logr/stdr v1.2.2 h1:hSWxHoqTgW2S2qGc0LTAI563KZ5YKYRhT3MFKZMbjag=
+github.com/go-logr/stdr v1.2.2/go.mod h1:mMo/vtBO5dYbehREoey6XUKy/eSumjCCveDpRre4VKE=
 github.com/golang/protobuf v1.5.4 h1:i7eJL8qZTpSEXOPTxNKhASYpMn+8e5Q6AdndVa1dWek=
 github.com/golang/protobuf v1.5.4/go.mod h1:lnTiLA8Wa4RWRcIUkrtSVa5nRhsEGBg48fD6rSs7xps=
 github.com/google/go-cmp v0.5.9/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
-github.com/google/go-cmp v0.6.0 h1:ofyhxvXcZhMsU5ulbFiLKl/XBFqE1GSq7atu8tAmTRI=
-github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
+github.com/google/go-cmp v0.7.0 h1:wk8382ETsv4JYUZwIsn6YpYiWiBsYLSJiTsyBybVuN8=
+github.com/google/go-cmp v0.7.0/go.mod h1:pXiqmnSA92OHEEa9HXL2W4E7lf9JzCmGVUdgjX3N/iU=
+github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0=
+github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
 github.com/grpc-ecosystem/grpc-gateway/v2 v2.19.0 h1:Wqo399gCIufwto+VfwCSvsnfGpF/w5E9CNxSwbpD6No=
 github.com/grpc-ecosystem/grpc-gateway/v2 v2.19.0/go.mod h1:qmOFXW2epJhM0qSnUUYpldc7gVz2KMQwJ/QYCDIa7XU=
 github.com/kr/pretty v0.3.1 h1:flRD4NNwYAUpkphVc1HcthR4KEIFJ65n8Mw5qdRn3LE=
@@ -26,34 +34,46 @@ github.com/planetscale/vtprotobuf v0.6.1-0.20240319094008-0393e58bdf10 h1:GFCKgm
 github.com/planetscale/vtprotobuf v0.6.1-0.20240319094008-0393e58bdf10/go.mod h1:t/avpk3KcrXxUnYOhZhMXJlSEyie6gQbtLq5NM3loB8=
 github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
-github.com/prometheus/client_model v0.6.0 h1:k1v3CzpSRUTrKMppY35TLwPvxHqBu0bYgxZzqGIgaos=
-github.com/prometheus/client_model v0.6.0/go.mod h1:NTQHnmxFpouOD0DpvP4XujX3CdOAGQPoaGhyTchlyt8=
+github.com/prometheus/client_model v0.6.1 h1:ZKSh/rekM+n3CeS952MLRAdFwIKqeY8b62p8ais2e9E=
+github.com/prometheus/client_model v0.6.1/go.mod h1:OrxVMOVHjw3lKMa8+x6HeMGkHMQyHDk9E3jmP2AmGiY=
 github.com/prometheus/common v0.46.0 h1:doXzt5ybi1HBKpsZOL0sSkaNHJJqkyfEWZGGqqScV0Y=
 github.com/prometheus/common v0.46.0/go.mod h1:Tp0qkxpb9Jsg54QMe+EAmqXkSV7Evdy1BTn+g2pa/hQ=
-github.com/rogpeppe/go-internal v1.10.0 h1:TMyTOH3F/DB16zRVcYyreMH6GnZZrwQVAoYjRBZyWFQ=
-github.com/rogpeppe/go-internal v1.10.0/go.mod h1:UQnix2H7Ngw/k4C5ijL5+65zddjncjaFoBhdsK/akog=
-github.com/stretchr/testify v1.9.0 h1:HtqpIVDClZ4nwg75+f6Lvsy/wHu+3BoSGCbBAcpTsTg=
-github.com/stretchr/testify v1.9.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=
+github.com/rogpeppe/go-internal v1.12.0 h1:exVL4IDcn6na9z1rAb56Vxr+CgyK3nn3O+epU5NdKM8=
+github.com/rogpeppe/go-internal v1.12.0/go.mod h1:E+RYuTGaKKdloAfM02xzb0FW3Paa99yedzYV+kq4uf4=
+github.com/stretchr/testify v1.10.0 h1:Xv5erBjTwe/5IxqUQTdXv5kgmIvbHo3QQyRwhJsOfJA=
+github.com/stretchr/testify v1.10.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=
+go.opentelemetry.io/auto/sdk v1.1.0 h1:cH53jehLUN6UFLY71z+NDOiNJqDdPRaXzTel0sJySYA=
+go.opentelemetry.io/auto/sdk v1.1.0/go.mod h1:3wSPjt5PWp2RhlCcmmOial7AvC4DQqZb7a7wCow3W8A=
+go.opentelemetry.io/otel v1.35.0 h1:xKWKPxrxB6OtMCbmMY021CqC45J+3Onta9MqjhnusiQ=
+go.opentelemetry.io/otel v1.35.0/go.mod h1:UEqy8Zp11hpkUrL73gSlELM0DupHoiq72dR+Zqel/+Y=
+go.opentelemetry.io/otel/metric v1.35.0 h1:0znxYu2SNyuMSQT4Y9WDWej0VpcsxkuklLa4/siN90M=
+go.opentelemetry.io/otel/metric v1.35.0/go.mod h1:nKVFgxBZ2fReX6IlyW28MgZojkoAkJGaE8CpgeAU3oE=
+go.opentelemetry.io/otel/sdk v1.35.0 h1:iPctf8iprVySXSKJffSS79eOjl9pvxV9ZqOWT0QejKY=
+go.opentelemetry.io/otel/sdk v1.35.0/go.mod h1:+ga1bZliga3DxJ3CQGg3updiaAJoNECOgJREo9KHGQg=
+go.opentelemetry.io/otel/sdk/metric v1.35.0 h1:1RriWBmCKgkeHEhM7a2uMjMUfP7MsOF5JpUCaEqEI9o=
+go.opentelemetry.io/otel/sdk/metric v1.35.0/go.mod h1:is6XYCUMpcKi+ZsOvfluY5YstFnhW0BidkR+gL+qN+w=
+go.opentelemetry.io/otel/trace v1.35.0 h1:dPpEfJu1sDIqruz7BHFG3c7528f6ddfSWfFDVt/xgMs=
+go.opentelemetry.io/otel/trace v1.35.0/go.mod h1:WUk7DtFp1Aw2MkvqGdwiXYDZZNvA/1J8o6xRXLrIkyc=
 go.opentelemetry.io/proto/otlp v1.1.0 h1:2Di21piLrCqJ3U3eXGCTPHE9R8Nh+0uglSnOyxikMeI=
 go.opentelemetry.io/proto/otlp v1.1.0/go.mod h1:GpBHCBWiqvVLDqmHZsoMM3C5ySeKTC7ej/RNTae6MdY=
 go.starlark.net v0.0.0-20240123142251-f86470692795 h1:LmbG8Pq7KDGkglKVn8VpZOZj6vb9b8nKEGcg9l03epM=
 go.starlark.net v0.0.0-20240123142251-f86470692795/go.mod h1:LcLNIzVOMp4oV+uusnpk+VU+SzXaJakUuBjoCSWH5dM=
 go.uber.org/goleak v1.3.0 h1:2K3zAYmnTNqV73imy9J1T3WC+gmCePx2hEGkimedGto=
 go.uber.org/goleak v1.3.0/go.mod h1:CoHD4mav9JJNrW/WLlf7HGZPjdw8EucARQHekz1X6bE=
-golang.org/x/net v0.26.0 h1:soB7SVo0PWrY4vPW/+ay0jKDNScG2X9wFeYlXIvJsOQ=
-golang.org/x/net v0.26.0/go.mod h1:5YKkiSynbBIh3p6iOc/vibscux0x38BZDkn8sCUPxHE=
-golang.org/x/sys v0.21.0 h1:rF+pYz3DAGSQAxAu1CbC7catZg4ebC4UIeIhKxBZvws=
-golang.org/x/sys v0.21.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
-golang.org/x/text v0.16.0 h1:a94ExnEXNtEwYLGJSIUxnWoxoRz/ZcCsV63ROupILh4=
-golang.org/x/text v0.16.0/go.mod h1:GhwF1Be+LQoKShO3cGOHzqOgRrGaYc9AvblQOmPVHnI=
-google.golang.org/genproto/googleapis/api v0.0.0-20240528184218-531527333157 h1:7whR9kGa5LUwFtpLm2ArCEejtnxlGeLbAyjFY8sGNFw=
-google.golang.org/genproto/googleapis/api v0.0.0-20240528184218-531527333157/go.mod h1:99sLkeliLXfdj2J75X3Ho+rrVCaJze0uwN7zDDkjPVU=
-google.golang.org/genproto/googleapis/rpc v0.0.0-20240528184218-531527333157 h1:Zy9XzmMEflZ/MAaA7vNcoebnRAld7FsPW1EeBB7V0m8=
-google.golang.org/genproto/googleapis/rpc v0.0.0-20240528184218-531527333157/go.mod h1:EfXuqaE1J41VCDicxHzUDm+8rk+7ZdXzHV0IhO/I6s0=
-google.golang.org/grpc v1.65.0 h1:bs/cUb4lp1G5iImFFd3u5ixQzweKizoZJAwBNLR42lc=
-google.golang.org/grpc v1.65.0/go.mod h1:WgYC2ypjlB0EiQi6wdKixMqukr6lBc0Vo+oOgjrM5ZQ=
-google.golang.org/protobuf v1.34.2 h1:6xV6lTsCfpGD21XK49h7MhtcApnLqkfYgPcdHftf6hg=
-google.golang.org/protobuf v1.34.2/go.mod h1:qYOHts0dSfpeUzUFpOMr/WGzszTmLH+DiWniOlNbLDw=
+golang.org/x/net v0.40.0 h1:79Xs7wF06Gbdcg4kdCCIQArK11Z1hr5POQ6+fIYHNuY=
+golang.org/x/net v0.40.0/go.mod h1:y0hY0exeL2Pku80/zKK7tpntoX23cqL3Oa6njdgRtds=
+golang.org/x/sys v0.33.0 h1:q3i8TbbEz+JRD9ywIRlyRAQbM0qF7hu24q3teo2hbuw=
+golang.org/x/sys v0.33.0/go.mod h1:BJP2sWEmIv4KK5OTEluFJCKSidICx8ciO85XgH3Ak8k=
+golang.org/x/text v0.25.0 h1:qVyWApTSYLk/drJRO5mDlNYskwQznZmkpV2c8q9zls4=
+golang.org/x/text v0.25.0/go.mod h1:WEdwpYrmk1qmdHvhkSTNPm3app7v4rsT8F2UD6+VHIA=
+google.golang.org/genproto/googleapis/api v0.0.0-20250528174236-200df99c418a h1:SGktgSolFCo75dnHJF2yMvnns6jCmHFJ0vE4Vn2JKvQ=
+google.golang.org/genproto/googleapis/api v0.0.0-20250528174236-200df99c418a/go.mod h1:a77HrdMjoeKbnd2jmgcWdaS++ZLZAEq3orIOAEIKiVw=
+google.golang.org/genproto/googleapis/rpc v0.0.0-20250528174236-200df99c418a h1:v2PbRU4K3llS09c7zodFpNePeamkAwG3mPrAery9VeE=
+google.golang.org/genproto/googleapis/rpc v0.0.0-20250528174236-200df99c418a/go.mod h1:qQ0YXyHHx3XkvlzUtpXDkS29lDSafHMZBAZDc03LQ3A=
+google.golang.org/grpc v1.73.0 h1:VIWSmpI2MegBtTuFt5/JWy2oXxtjJ/e89Z70ImfD2ok=
+google.golang.org/grpc v1.73.0/go.mod h1:50sbHOUqWoCQGI8V2HQLJM0B+LMlIUjNSZmow7EVBQc=
+google.golang.org/protobuf v1.36.6 h1:z1NpPI8ku2WgiWnf+t9wTPsn6eP1L7ksHUlkfLvd9xY=
+google.golang.org/protobuf v1.36.6/go.mod h1:jduwjTPXsFjZGTmRluh+L6NjiWu7pchiJ2/5YcXBHnY=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk=
 gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q=

scripts/release-binary.sh

@@ -134,7 +134,7 @@ do
       fi
       ;;
     "debug")
-      CONFIG_PARAMS="--config=debug"
+      CONFIG_PARAMS="-c dbg"
       BINARY_BASE_NAME="${BASE_BINARY_NAME}-debug"
       # shellcheck disable=SC2086
       BAZEL_OUT="$(bazel info ${BAZEL_BUILD_ARGS} output_path)/${ARCH_NAME}-dbg/bin"

source/extensions/common/workload_discovery/api.cc

@@ -31,6 +31,7 @@
 namespace Envoy::Extensions::Common::WorkloadDiscovery {
 namespace {
 constexpr absl::string_view DefaultNamespace = "default";
+constexpr absl::string_view DefaultServiceAccount = "default";
 constexpr absl::string_view DefaultTrustDomain = "cluster.local";
 Istio::Common::WorkloadMetadataObject convert(const istio::workload::Workload& workload) {
   auto workload_type = Istio::Common::WorkloadType::Deployment;
@@ -50,6 +51,7 @@ Istio::Common::WorkloadMetadataObject convert(const istio::workload::Workload& w
 
   absl::string_view ns = workload.namespace_();
   absl::string_view trust_domain = workload.trust_domain();
+  absl::string_view service_account = workload.service_account();
   // Trust domain may be elided if it's equal to "cluster.local"
   if (trust_domain.empty()) {
     trust_domain = DefaultTrustDomain;
@@ -58,10 +60,14 @@ Istio::Common::WorkloadMetadataObject convert(const istio::workload::Workload& w
   if (ns.empty()) {
     ns = DefaultNamespace;
   }
-  const auto identity = absl::StrCat("spiffe://", trust_domain, "/ns/", workload.namespace_(),
-                                     "/sa/", workload.service_account());
+  // The service account may be elided if it's equal to "default"
+  if (service_account.empty()) {
+    service_account = DefaultServiceAccount;
+  }
+  const auto identity =
+      absl::StrCat("spiffe://", trust_domain, "/ns/", ns, "/sa/", service_account);
   return Istio::Common::WorkloadMetadataObject(
-      workload.name(), workload.cluster_id(), workload.namespace_(), workload.workload_name(),
+      workload.name(), workload.cluster_id(), ns, workload.workload_name(),
       workload.canonical_name(), workload.canonical_revision(), workload.canonical_name(),
       workload.canonical_revision(), workload_type, identity);
 }
@@ -243,6 +249,8 @@ public:
         });
   }
 
+  void onWorkerThreadInitialized() override{};
+
 private:
   Server::Configuration::ServerFactoryContext& factory_context_;
   const istio::workload::BootstrapExtension config_;

source/extensions/filters/http/alpn/config.pb.html

@@ -1,101 +0,0 @@
----
-title: ALPN filter for overriding ALPN for upstream TLS connections.
-layout: protoc-gen-docs
-generator: protoc-gen-docs
-number_of_entries: 3
----
-<h2 id="FilterConfig">FilterConfig</h2>
-<section>
-<p>FilterConfig is the config for Istio-specific filter.</p>
-
-<table class="message-fields">
-<thead>
-<tr>
-<th>Field</th>
-<th>Type</th>
-<th>Description</th>
-<th>Required</th>
-</tr>
-</thead>
-<tbody>
-<tr id="FilterConfig-alpn_override">
-<td><code>alpn_override</code></td>
-<td><code><a href="#FilterConfig-AlpnOverride">AlpnOverride[]</a></code></td>
-<td>
-<p>Map from upstream protocol to list of ALPN</p>
-
-</td>
-<td>
-No
-</td>
-</tr>
-</tbody>
-</table>
-</section>
-<h2 id="FilterConfig-AlpnOverride">FilterConfig.AlpnOverride</h2>
-<section>
-<table class="message-fields">
-<thead>
-<tr>
-<th>Field</th>
-<th>Type</th>
-<th>Description</th>
-<th>Required</th>
-</tr>
-</thead>
-<tbody>
-<tr id="FilterConfig-AlpnOverride-upstream_protocol">
-<td><code>upstream_protocol</code></td>
-<td><code><a href="#FilterConfig-Protocol">Protocol</a></code></td>
-<td>
-<p>Upstream protocol</p>
-
-</td>
-<td>
-No
-</td>
-</tr>
-<tr id="FilterConfig-AlpnOverride-alpn_override">
-<td><code>alpn_override</code></td>
-<td><code>string[]</code></td>
-<td>
-<p>A list of ALPN that will override the ALPN for upstream TLS connections.</p>
-
-</td>
-<td>
-No
-</td>
-</tr>
-</tbody>
-</table>
-</section>
-<h2 id="FilterConfig-Protocol">FilterConfig.Protocol</h2>
-<section>
-<p>Upstream protocols</p>
-
-<table class="enum-values">
-<thead>
-<tr>
-<th>Name</th>
-<th>Description</th>
-</tr>
-</thead>
-<tbody>
-<tr id="FilterConfig-Protocol-HTTP10">
-<td><code>HTTP10</code></td>
-<td>
-</td>
-</tr>
-<tr id="FilterConfig-Protocol-HTTP11">
-<td><code>HTTP11</code></td>
-<td>
-</td>
-</tr>
-<tr id="FilterConfig-Protocol-HTTP2">
-<td><code>HTTP2</code></td>
-<td>
-</td>
-</tr>
-</tbody>
-</table>
-</section>

source/extensions/filters/http/istio_stats/config.pb.html

@@ -1,293 +0,0 @@
----
-title: Stats Config
-description: Configuration for Stats Filter.
-location: https://istio.io/docs/reference/config/proxy_extensions/stats.html
-layout: protoc-gen-docs
-generator: protoc-gen-docs
-weight: 20
-number_of_entries: 5
----
-<h2 id="MetricConfig">MetricConfig</h2>
-<section>
-<p>Metric instance configuration overrides.
-The metric value and the metric type are optional and permit changing the
-reported value for an existing metric.
-The standard metrics are optimized and reported through a &ldquo;fast-path&rdquo;.
-The customizations allow full configurability, at the cost of a &ldquo;slower&rdquo;
-path.</p>
-
-<table class="message-fields">
-<thead>
-<tr>
-<th>Field</th>
-<th>Type</th>
-<th>Description</th>
-<th>Required</th>
-</tr>
-</thead>
-<tbody>
-<tr id="MetricConfig-dimensions">
-<td><code>dimensions</code></td>
-<td><code>map&lt;string,&nbsp;string&gt;</code></td>
-<td>
-<p>(Optional) Collection of tag names and tag expressions to include in the
-metric. Conflicts are resolved by the tag name by overriding previously
-supplied values.</p>
-
-</td>
-<td>
-No
-</td>
-</tr>
-<tr id="MetricConfig-name">
-<td><code>name</code></td>
-<td><code>string</code></td>
-<td>
-<p>(Optional) Metric name to restrict the override to a metric. If not
-specified, applies to all.</p>
-
-</td>
-<td>
-No
-</td>
-</tr>
-<tr id="MetricConfig-tags_to_remove">
-<td><code>tags_to_remove</code></td>
-<td><code>string[]</code></td>
-<td>
-<p>(Optional) A list of tags to remove.</p>
-
-</td>
-<td>
-No
-</td>
-</tr>
-<tr id="MetricConfig-match">
-<td><code>match</code></td>
-<td><code>string</code></td>
-<td>
-<p>NOT IMPLEMENTED. (Optional) Conditional enabling the override.</p>
-
-</td>
-<td>
-No
-</td>
-</tr>
-<tr id="MetricConfig-drop">
-<td><code>drop</code></td>
-<td><code>bool</code></td>
-<td>
-<p>(Optional) If this is set to true, the metric(s) selected by this
-configuration will not be generated or reported.</p>
-
-</td>
-<td>
-No
-</td>
-</tr>
-</tbody>
-</table>
-</section>
-<h2 id="MetricDefinition">MetricDefinition</h2>
-<section>
-<table class="message-fields">
-<thead>
-<tr>
-<th>Field</th>
-<th>Type</th>
-<th>Description</th>
-<th>Required</th>
-</tr>
-</thead>
-<tbody>
-<tr id="MetricDefinition-name">
-<td><code>name</code></td>
-<td><code>string</code></td>
-<td>
-<p>Metric name.</p>
-
-</td>
-<td>
-No
-</td>
-</tr>
-<tr id="MetricDefinition-value">
-<td><code>value</code></td>
-<td><code>string</code></td>
-<td>
-<p>Metric value expression.</p>
-
-</td>
-<td>
-No
-</td>
-</tr>
-<tr id="MetricDefinition-type">
-<td><code>type</code></td>
-<td><code><a href="#MetricType">MetricType</a></code></td>
-<td>
-<p>Metric type.</p>
-
-</td>
-<td>
-No
-</td>
-</tr>
-</tbody>
-</table>
-</section>
-<h2 id="PluginConfig">PluginConfig</h2>
-<section>
-<table class="message-fields">
-<thead>
-<tr>
-<th>Field</th>
-<th>Type</th>
-<th>Description</th>
-<th>Required</th>
-</tr>
-</thead>
-<tbody>
-<tr id="PluginConfig-disable_host_header_fallback">
-<td><code>disable_host_header_fallback</code></td>
-<td><code>bool</code></td>
-<td>
-<p>Optional: Disable using host header as a fallback if destination service is
-not available from the controlplane. Disable the fallback if the host
-header originates outsides the mesh, like at ingress.</p>
-
-</td>
-<td>
-No
-</td>
-</tr>
-<tr id="PluginConfig-tcp_reporting_duration">
-<td><code>tcp_reporting_duration</code></td>
-<td><code><a href="https://developers.google.com/protocol-buffers/docs/reference/google.protobuf#duration">Duration</a></code></td>
-<td>
-<p>Optional. Allows configuration of the time between calls out to for TCP
-metrics reporting. The default duration is <code>5s</code>.</p>
-
-</td>
-<td>
-No
-</td>
-</tr>
-<tr id="PluginConfig-metrics">
-<td><code>metrics</code></td>
-<td><code><a href="#MetricConfig">MetricConfig[]</a></code></td>
-<td>
-<p>Metric overrides.</p>
-
-</td>
-<td>
-No
-</td>
-</tr>
-<tr id="PluginConfig-definitions">
-<td><code>definitions</code></td>
-<td><code><a href="#MetricDefinition">MetricDefinition[]</a></code></td>
-<td>
-<p>Metric definitions.</p>
-
-</td>
-<td>
-No
-</td>
-</tr>
-<tr id="PluginConfig-reporter">
-<td><code>reporter</code></td>
-<td><code><a href="#Reporter">Reporter</a></code></td>
-<td>
-<p>Proxy deployment type.</p>
-
-</td>
-<td>
-No
-</td>
-</tr>
-<tr id="PluginConfig-rotation_interval">
-<td><code>rotation_interval</code></td>
-<td><code><a href="https://developers.google.com/protocol-buffers/docs/reference/google.protobuf#duration">Duration</a></code></td>
-<td>
-<p>Metric scope rotation interval. Set to 0 to disable the metric scope rotation.
-Defaults to 0.</p>
-
-</td>
-<td>
-No
-</td>
-</tr>
-<tr id="PluginConfig-graceful_deletion_interval">
-<td><code>graceful_deletion_interval</code></td>
-<td><code><a href="https://developers.google.com/protocol-buffers/docs/reference/google.protobuf#duration">Duration</a></code></td>
-<td>
-<p>Metric expiry graceful deletion interval. No-op if the metric rotation is disabled.
-Defaults to 5m. Must be &gt;=1s.</p>
-
-</td>
-<td>
-No
-</td>
-</tr>
-</tbody>
-</table>
-</section>
-<h2 id="MetricType">MetricType</h2>
-<section>
-<table class="enum-values">
-<thead>
-<tr>
-<th>Name</th>
-<th>Description</th>
-</tr>
-</thead>
-<tbody>
-<tr id="MetricType-COUNTER">
-<td><code>COUNTER</code></td>
-<td>
-</td>
-</tr>
-<tr id="MetricType-GAUGE">
-<td><code>GAUGE</code></td>
-<td>
-</td>
-</tr>
-<tr id="MetricType-HISTOGRAM">
-<td><code>HISTOGRAM</code></td>
-<td>
-</td>
-</tr>
-</tbody>
-</table>
-</section>
-<h2 id="Reporter">Reporter</h2>
-<section>
-<p>Specifies the proxy deployment type.</p>
-
-<table class="enum-values">
-<thead>
-<tr>
-<th>Name</th>
-<th>Description</th>
-</tr>
-</thead>
-<tbody>
-<tr id="Reporter-UNSPECIFIED">
-<td><code>UNSPECIFIED</code></td>
-<td>
-<p>Default value is inferred from the listener direction, as either client or
-server sidecar.</p>
-
-</td>
-</tr>
-<tr id="Reporter-SERVER_GATEWAY">
-<td><code>SERVER_GATEWAY</code></td>
-<td>
-<p>Shared server gateway, e.g. &ldquo;waypoint&rdquo;.</p>
-
-</td>
-</tr>
-</tbody>
-</table>
-</section>

source/extensions/filters/http/istio_stats/istio_stats.cc

@@ -28,6 +28,7 @@
 #include "source/common/network/utility.h"
 #include "source/common/stream_info/utility.h"
 #include "source/extensions/filters/common/expr/context.h"
+#include "source/extensions/filters/common/expr/cel_state.h"
 #include "source/extensions/filters/common/expr/evaluator.h"
 #include "source/extensions/filters/http/common/pass_through_filter.h"
 #include "source/extensions/filters/http/grpc_stats/grpc_stats_filter.h"
@@ -122,13 +123,40 @@ bool peerInfoRead(Reporter reporter, const StreamInfo::FilterState& filter_state
          filter_state.hasDataWithName(Istio::Common::NoPeer);
 }
 
-const Istio::Common::WorkloadMetadataObject* peerInfo(Reporter reporter,
-                                                      const StreamInfo::FilterState& filter_state) {
+std::optional<Istio::Common::WorkloadMetadataObject>
+peerInfo(Reporter reporter, const StreamInfo::FilterState& filter_state) {
   const auto& filter_state_key =
       reporter == Reporter::ServerSidecar || reporter == Reporter::ServerGateway
           ? Istio::Common::DownstreamPeer
           : Istio::Common::UpstreamPeer;
-  return filter_state.getDataReadOnly<Istio::Common::WorkloadMetadataObject>(filter_state_key);
+  // This's a workaround before FilterStateObject support operation like `.labels['role']`.
+  // The workaround is to use CelState to store the peer metadata.
+  // Rebuild the WorkloadMetadataObject from the CelState.
+  const auto* cel_state =
+      filter_state.getDataReadOnly<Envoy::Extensions::Filters::Common::Expr::CelState>(
+          filter_state_key);
+  if (!cel_state) {
+    return {};
+  }
+
+  ProtobufWkt::Struct obj;
+  if (!obj.ParseFromString(absl::string_view(cel_state->value()))) {
+    return {};
+  }
+
+  Istio::Common::WorkloadMetadataObject peer_info(
+      extractString(obj, Istio::Common::InstanceNameToken),
+      extractString(obj, Istio::Common::ClusterNameToken),
+      extractString(obj, Istio::Common::NamespaceNameToken),
+      extractString(obj, Istio::Common::WorkloadNameToken),
+      extractString(obj, Istio::Common::ServiceNameToken),
+      extractString(obj, Istio::Common::ServiceVersionToken),
+      extractString(obj, Istio::Common::AppNameToken),
+      extractString(obj, Istio::Common::AppVersionToken),
+      Istio::Common::fromSuffix(extractString(obj, Istio::Common::WorkloadTypeToken)),
+      extractString(obj, Istio::Common::IdentityToken));
+
+  return peer_info;
 }
 
 // Process-wide context shared with all filter instances.
@@ -313,8 +341,6 @@ using ContextSharedPtr = std::shared_ptr<Context>;
 
 SINGLETON_MANAGER_REGISTRATION(Context)
 
-using google::api::expr::runtime::CelValue;
-
 // Instructions on dropping, creating, and overriding labels.
 // This is not the "hot path" of the metrics system and thus, fairly
 // unoptimized.
@@ -651,6 +677,13 @@ struct Config : public Logger::Loggable<Logger::Id::filter> {
           Protobuf::Arena arena;
           auto eval_status = compiled_exprs[id].first->Evaluate(*this, &arena);
           if (!eval_status.ok() || eval_status.value().IsError()) {
+            if (!eval_status.ok()) {
+              ENVOY_LOG(debug, "Failed to evaluate metric expression: {}", eval_status.status());
+            }
+            if (eval_status.value().IsError()) {
+              ENVOY_LOG(debug, "Failed to evaluate metric expression: {}",
+                        eval_status.value().ErrorOrDie()->message());
+            }
             expr_values_.push_back(std::make_pair(parent_.context_->unknown_, 0));
           } else {
             const auto string_value = Filters::Common::Expr::print(eval_status.value());
@@ -769,6 +802,7 @@ struct Config : public Logger::Loggable<Logger::Id::filter> {
 using ConfigSharedPtr = std::shared_ptr<Config>;
 
 class IstioStatsFilter : public Http::PassThroughFilter,
+                         public Logger::Loggable<Logger::Id::filter>,
                          public AccessLog::Instance,
                          public Network::ReadFilter,
                          public Network::ConnectionCallbacks {
@@ -895,6 +929,7 @@ private:
         const auto& info = decoder_callbacks_->streamInfo();
         peer_read_ = peerInfoRead(config_->reporter(), info.filterState());
         if (peer_read_ || end_stream) {
+          ENVOY_LOG(trace, "Populating peer metadata from HTTP MX.");
           populatePeerInfo(info, info.filterState());
         }
         if (is_grpc_ && (peer_read_ || end_stream)) {
@@ -933,6 +968,7 @@ private:
       peer_read_ = peerInfoRead(config_->reporter(), filter_state);
       // Report connection open once peer info is read or connection is closed.
       if (peer_read_ || end_stream) {
+        ENVOY_LOG(trace, "Populating peer metadata from TCP MX.");
         populatePeerInfo(info, filter_state);
         tags_.push_back({context_.request_protocol_, context_.tcp_});
         populateFlagsAndConnectionSecurity(info);
@@ -977,9 +1013,9 @@ private:
                         const StreamInfo::FilterState& filter_state) {
     // Compute peer info with client-side fallbacks.
     absl::optional<Istio::Common::WorkloadMetadataObject> peer;
-    const auto* object = peerInfo(config_->reporter(), filter_state);
+    auto object = peerInfo(config_->reporter(), filter_state);
     if (object) {
-      peer.emplace(*object);
+      peer.emplace(object.value());
     } else if (config_->reporter() == Reporter::ClientSidecar) {
       if (auto label_obj = extractEndpointMetadata(info); label_obj) {
         peer.emplace(label_obj.value());
@@ -1040,7 +1076,7 @@ private:
       }
     }
 
-    absl::string_view peer_san;
+    std::string peer_san;
     absl::string_view local_san;
     switch (config_->reporter()) {
     case Reporter::ServerSidecar:
@@ -1071,9 +1107,19 @@ private:
     case Reporter::ClientSidecar: {
       const Ssl::ConnectionInfoConstSharedPtr ssl_info =
           info.upstreamInfo() ? info.upstreamInfo()->upstreamSslConnection() : nullptr;
+      std::optional<Istio::Common::WorkloadMetadataObject> endpoint_peer;
       if (ssl_info && !ssl_info->uriSanPeerCertificate().empty()) {
         peer_san = ssl_info->uriSanPeerCertificate()[0];
       }
+      if (peer_san.empty()) {
+        auto endpoint_object = peerInfo(config_->reporter(), filter_state);
+        if (endpoint_object) {
+          endpoint_peer.emplace(endpoint_object.value());
+          peer_san = endpoint_peer->identity_;
+        }
+      }
+      // This won't work for sidecar/ingress -> ambient becuase of the CONNECT
+      // tunnel.
       if (ssl_info && !ssl_info->uriSanLocalCertificate().empty()) {
         local_san = ssl_info->uriSanLocalCertificate()[0];
       }
@@ -1121,38 +1167,51 @@ private:
       switch (config_->reporter()) {
       case Reporter::ServerGateway: {
         std::optional<Istio::Common::WorkloadMetadataObject> endpoint_peer;
-        const auto* endpoint_object = peerInfo(Reporter::ClientSidecar, filter_state);
+        auto endpoint_object = peerInfo(Reporter::ClientSidecar, filter_state);
         if (endpoint_object) {
-          endpoint_peer.emplace(*endpoint_object);
+          endpoint_peer.emplace(endpoint_object.value());
         }
         tags_.push_back(
-            {context_.destination_workload_,
-             endpoint_peer ? pool_.add(endpoint_peer->workload_name_) : context_.unknown_});
+            {context_.destination_workload_, endpoint_peer && !endpoint_peer->workload_name_.empty()
+                                                 ? pool_.add(endpoint_peer->workload_name_)
+                                                 : context_.unknown_});
         tags_.push_back({context_.destination_workload_namespace_,
                          endpoint_peer && !endpoint_peer->namespace_name_.empty()
                              ? pool_.add(endpoint_peer->namespace_name_)
                              : context_.unknown_});
-        tags_.push_back({context_.destination_principal_,
-                         endpoint_peer ? pool_.add(endpoint_peer->identity_) : context_.unknown_});
+        tags_.push_back(
+            {context_.destination_principal_, endpoint_peer && !endpoint_peer->identity_.empty()
+                                                  ? pool_.add(endpoint_peer->identity_)
+                                                  : context_.unknown_});
         // Endpoint encoding does not have app and version.
         tags_.push_back(
             {context_.destination_app_, endpoint_peer && !endpoint_peer->app_name_.empty()
                                             ? pool_.add(endpoint_peer->app_name_)
                                             : context_.unknown_});
-        tags_.push_back({context_.destination_version_, endpoint_peer
-                                                            ? pool_.add(endpoint_peer->app_version_)
-                                                            : context_.unknown_});
-        auto canonical_name =
-            endpoint_peer ? pool_.add(endpoint_peer->canonical_name_) : context_.unknown_;
-        tags_.push_back({context_.destination_service_,
-                         service_host.empty() ? canonical_name : pool_.add(service_host)});
-        tags_.push_back({context_.destination_canonical_service_, canonical_name});
         tags_.push_back(
-            {context_.destination_canonical_revision_,
-             endpoint_peer ? pool_.add(endpoint_peer->canonical_revision_) : context_.unknown_});
+            {context_.destination_version_, endpoint_peer && !endpoint_peer->app_version_.empty()
+                                                ? pool_.add(endpoint_peer->app_version_)
+                                                : context_.unknown_});
+        tags_.push_back({context_.destination_service_,
+                         service_host.empty() ? context_.unknown_ : pool_.add(service_host)});
+        tags_.push_back({context_.destination_canonical_service_,
+                         endpoint_peer && !endpoint_peer->canonical_name_.empty()
+                             ? pool_.add(endpoint_peer->canonical_name_)
+                             : context_.unknown_});
+        tags_.push_back({context_.destination_canonical_revision_,
+                         endpoint_peer && !endpoint_peer->canonical_revision_.empty()
+                             ? pool_.add(endpoint_peer->canonical_revision_)
+                             : context_.unknown_});
         tags_.push_back({context_.destination_service_name_, service_host_name.empty()
-                                                                 ? canonical_name
+                                                                 ? context_.unknown_
                                                                  : pool_.add(service_host_name)});
+        tags_.push_back({context_.destination_service_namespace_, !service_namespace.empty()
+                                                                      ? pool_.add(service_namespace)
+                                                                      : context_.unknown_});
+        tags_.push_back(
+            {context_.destination_cluster_, endpoint_peer && !endpoint_peer->cluster_name_.empty()
+                                                ? pool_.add(endpoint_peer->cluster_name_)
+                                                : context_.unknown_});
         break;
       }
       default:
@@ -1170,10 +1229,10 @@ private:
         tags_.push_back({context_.destination_service_name_, service_host_name.empty()
                                                                  ? context_.canonical_name_
                                                                  : pool_.add(service_host_name)});
+        tags_.push_back({context_.destination_service_namespace_, context_.namespace_});
+        tags_.push_back({context_.destination_cluster_, context_.cluster_name_});
         break;
       }
-      tags_.push_back({context_.destination_service_namespace_, context_.namespace_});
-      tags_.push_back({context_.destination_cluster_, context_.cluster_name_});
 
       break;
     }

source/extensions/filters/http/peer_metadata/BUILD

@@ -19,6 +19,7 @@ load(
     "@envoy//bazel:envoy_build_system.bzl",
     "envoy_cc_library",
     "envoy_cc_test",
+    "envoy_proto_library",
 )
 
 package(default_visibility = ["//visibility:public"])
@@ -40,17 +41,13 @@ envoy_cc_library(
         "@envoy//source/common/http:header_utility_lib",
         "@envoy//source/common/http:utility_lib",
         "@envoy//source/common/network:utility_lib",
+        "@envoy//source/extensions/filters/common/expr:cel_state_lib",
         "@envoy//source/extensions/filters/http/common:factory_base_lib",
         "@envoy//source/extensions/filters/http/common:pass_through_filter_lib",
     ],
 )
 
-cc_proto_library(
-    name = "config_cc_proto",
-    deps = ["config"],
-)
-
-proto_library(
+envoy_proto_library(
     name = "config",
     srcs = ["config.proto"],
 )

source/extensions/filters/http/peer_metadata/config.pb.html

@@ -1,202 +0,0 @@
----
-title: io.istio.http.peer_metadata
-layout: protoc-gen-docs
-generator: protoc-gen-docs
-number_of_entries: 6
----
-<h2 id="Config">Config</h2>
-<section>
-<p>Peer metadata provider filter. This filter encapsulates the discovery of the
-peer telemetry attributes for consumption by the telemetry filters.</p>
-
-<table class="message-fields">
-<thead>
-<tr>
-<th>Field</th>
-<th>Type</th>
-<th>Description</th>
-<th>Required</th>
-</tr>
-</thead>
-<tbody>
-<tr id="Config-downstream_discovery">
-<td><code>downstream_discovery</code></td>
-<td><code><a href="#Config-DiscoveryMethod">DiscoveryMethod[]</a></code></td>
-<td>
-<p>The order of the derivation of the downstream peer metadata, in the precedence order.
-First successful lookup wins.</p>
-
-</td>
-<td>
-No
-</td>
-</tr>
-<tr id="Config-upstream_discovery">
-<td><code>upstream_discovery</code></td>
-<td><code><a href="#Config-DiscoveryMethod">DiscoveryMethod[]</a></code></td>
-<td>
-<p>The order of the derivation of the upstream peer metadata, in the precedence order.
-First successful lookup wins.</p>
-
-</td>
-<td>
-No
-</td>
-</tr>
-<tr id="Config-downstream_propagation">
-<td><code>downstream_propagation</code></td>
-<td><code><a href="#Config-PropagationMethod">PropagationMethod[]</a></code></td>
-<td>
-<p>Downstream injection of the metadata via a response header.</p>
-
-</td>
-<td>
-No
-</td>
-</tr>
-<tr id="Config-upstream_propagation">
-<td><code>upstream_propagation</code></td>
-<td><code><a href="#Config-PropagationMethod">PropagationMethod[]</a></code></td>
-<td>
-<p>Upstream injection of the metadata via a request header.</p>
-
-</td>
-<td>
-No
-</td>
-</tr>
-<tr id="Config-shared_with_upstream">
-<td><code>shared_with_upstream</code></td>
-<td><code>bool</code></td>
-<td>
-<p>True to enable sharing with the upstream.</p>
-
-</td>
-<td>
-No
-</td>
-</tr>
-</tbody>
-</table>
-</section>
-<h2 id="Config-Baggage">Config.Baggage</h2>
-<section>
-<p>DEPRECATED.
-This method uses <code>baggage</code> header encoding.</p>
-
-</section>
-<h2 id="Config-WorkloadDiscovery">Config.WorkloadDiscovery</h2>
-<section>
-<p>This method uses the workload metadata xDS. Requires that the bootstrap extension is enabled.
-For downstream discovery, the remote address is the lookup key in xDS.
-For upstream discovery:</p>
-<ul>
-<li>
-<p>If the upstream host address is an IP, this IP is used as the lookup key;</p>
-</li>
-<li>
-<p>If the upstream host address is internal, uses the
-&ldquo;filter_metadata.tunnel.destination&rdquo; dynamic metadata value as the lookup key.</p>
-</li>
-</ul>
-
-</section>
-<h2 id="Config-IstioHeaders">Config.IstioHeaders</h2>
-<section>
-<p>This method uses Istio HTTP metadata exchange headers, e.g. <code>x-envoy-peer-metadata</code>. Removes these headers if found.</p>
-
-<table class="message-fields">
-<thead>
-<tr>
-<th>Field</th>
-<th>Type</th>
-<th>Description</th>
-<th>Required</th>
-</tr>
-</thead>
-<tbody>
-<tr id="Config-IstioHeaders-skip_external_clusters">
-<td><code>skip_external_clusters</code></td>
-<td><code>bool</code></td>
-<td>
-<p>Strip x-envoy-peer-metadata and x-envoy-peer-metadata-id headers on HTTP requests to services outside the mesh.
-Detects upstream clusters with <code>istio</code> and <code>external</code> filter metadata fields</p>
-
-</td>
-<td>
-No
-</td>
-</tr>
-</tbody>
-</table>
-</section>
-<h2 id="Config-DiscoveryMethod">Config.DiscoveryMethod</h2>
-<section>
-<p>An exhaustive list of the derivation methods.</p>
-
-<table class="message-fields">
-<thead>
-<tr>
-<th>Field</th>
-<th>Type</th>
-<th>Description</th>
-<th>Required</th>
-</tr>
-</thead>
-<tbody>
-<tr id="Config-DiscoveryMethod-baggage" class="oneof oneof-start">
-<td><code>baggage</code></td>
-<td><code><a href="#Config-Baggage">Baggage (oneof)</a></code></td>
-<td>
-</td>
-<td>
-No
-</td>
-</tr>
-<tr id="Config-DiscoveryMethod-workload_discovery" class="oneof">
-<td><code>workload_discovery</code></td>
-<td><code><a href="#Config-WorkloadDiscovery">WorkloadDiscovery (oneof)</a></code></td>
-<td>
-</td>
-<td>
-No
-</td>
-</tr>
-<tr id="Config-DiscoveryMethod-istio_headers" class="oneof">
-<td><code>istio_headers</code></td>
-<td><code><a href="#Config-IstioHeaders">IstioHeaders (oneof)</a></code></td>
-<td>
-</td>
-<td>
-No
-</td>
-</tr>
-</tbody>
-</table>
-</section>
-<h2 id="Config-PropagationMethod">Config.PropagationMethod</h2>
-<section>
-<p>An exhaustive list of the metadata propagation methods.</p>
-
-<table class="message-fields">
-<thead>
-<tr>
-<th>Field</th>
-<th>Type</th>
-<th>Description</th>
-<th>Required</th>
-</tr>
-</thead>
-<tbody>
-<tr id="Config-PropagationMethod-istio_headers" class="oneof oneof-start">
-<td><code>istio_headers</code></td>
-<td><code><a href="#Config-IstioHeaders">IstioHeaders (oneof)</a></code></td>
-<td>
-</td>
-<td>
-No
-</td>
-</tr>
-</tbody>
-</table>
-</section>

source/extensions/filters/http/peer_metadata/config.proto

@@ -75,4 +75,8 @@ message Config {
 
   // True to enable sharing with the upstream.
   bool shared_with_upstream = 5;
+
+  // Additional labels to be added to the peer metadata to help your understand the traffic.
+  // e.g. `role`, `location` etc.
+  repeated string additional_labels = 6;
 }

source/extensions/filters/http/peer_metadata/filter.cc

@@ -29,6 +29,8 @@ namespace Extensions {
 namespace HttpFilters {
 namespace PeerMetadata {
 
+using ::Envoy::Extensions::Filters::Common::Expr::CelState;
+
 class XDSMethod : public DiscoveryMethod {
 public:
   XDSMethod(bool downstream, Server::Configuration::ServerFactoryContext& factory_context)
@@ -78,11 +80,17 @@ absl::optional<PeerInfo> XDSMethod::derivePeerInfo(const StreamInfo::StreamInfo&
       }
     }
   }
+  if (!peer_address) {
+    return {};
+  }
+  ENVOY_LOG_MISC(debug, "Peer address: {}", peer_address->asString());
   return metadata_provider_->GetMetadata(peer_address);
 }
 
-MXMethod::MXMethod(bool downstream, Server::Configuration::ServerFactoryContext& factory_context)
-    : downstream_(downstream), tls_(factory_context.threadLocal()) {
+MXMethod::MXMethod(bool downstream, const absl::flat_hash_set<std::string> additional_labels,
+                   Server::Configuration::ServerFactoryContext& factory_context)
+    : downstream_(downstream), tls_(factory_context.threadLocal()),
+      additional_labels_(additional_labels) {
   tls_.set([](Event::Dispatcher&) { return std::make_shared<MXCache>(); });
 }
 
@@ -126,7 +134,7 @@ absl::optional<PeerInfo> MXMethod::lookup(absl::string_view id, absl::string_vie
   if (!metadata.ParseFromString(bytes)) {
     return {};
   }
-  const auto out = Istio::Common::convertStructToWorkloadMetadata(metadata);
+  auto out = Istio::Common::convertStructToWorkloadMetadata(metadata, additional_labels_);
   if (max_peer_cache_size_ > 0 && !id.empty()) {
     // do not let the cache grow beyond max cache size.
     if (static_cast<uint32_t>(cache.size()) > max_peer_cache_size_) {
@@ -139,15 +147,17 @@ absl::optional<PeerInfo> MXMethod::lookup(absl::string_view id, absl::string_vie
 
 MXPropagationMethod::MXPropagationMethod(
     bool downstream, Server::Configuration::ServerFactoryContext& factory_context,
+    const absl::flat_hash_set<std::string>& additional_labels,
     const io::istio::http::peer_metadata::Config_IstioHeaders& istio_headers)
     : downstream_(downstream), id_(factory_context.localInfo().node().id()),
-      value_(computeValue(factory_context)),
+      value_(computeValue(additional_labels, factory_context)),
       skip_external_clusters_(istio_headers.skip_external_clusters()) {}
 
 std::string MXPropagationMethod::computeValue(
+    const absl::flat_hash_set<std::string>& additional_labels,
     Server::Configuration::ServerFactoryContext& factory_context) const {
-  const auto obj =
-      Istio::Common::convertStructToWorkloadMetadata(factory_context.localInfo().node().metadata());
+  const auto obj = Istio::Common::convertStructToWorkloadMetadata(
+      factory_context.localInfo().node().metadata(), additional_labels);
   const google::protobuf::Struct metadata = Istio::Common::convertWorkloadMetadataToStruct(*obj);
   const std::string metadata_bytes = Istio::Common::serializeToStringDeterministic(metadata);
   return Base64::encode(metadata_bytes.data(), metadata_bytes.size());
@@ -155,10 +165,8 @@ std::string MXPropagationMethod::computeValue(
 
 void MXPropagationMethod::inject(const StreamInfo::StreamInfo& info, Http::HeaderMap& headers,
                                  Context& ctx) const {
-  if (skip_external_clusters_) {
-    if (skipMXHeaders(info)) {
-      return;
-    }
+  if (skipMXHeaders(skip_external_clusters_, info)) {
+    return;
   }
   if (!downstream_ || ctx.request_peer_id_received_) {
     headers.setReference(Headers::get().ExchangeMetadataHeaderId, id_);
@@ -171,19 +179,24 @@ void MXPropagationMethod::inject(const StreamInfo::StreamInfo& info, Http::Heade
 FilterConfig::FilterConfig(const io::istio::http::peer_metadata::Config& config,
                            Server::Configuration::FactoryContext& factory_context)
     : shared_with_upstream_(config.shared_with_upstream()),
-      downstream_discovery_(
-          buildDiscoveryMethods(config.downstream_discovery(), true, factory_context)),
-      upstream_discovery_(
-          buildDiscoveryMethods(config.upstream_discovery(), false, factory_context)),
-      downstream_propagation_(
-          buildPropagationMethods(config.downstream_propagation(), true, factory_context)),
-      upstream_propagation_(
-          buildPropagationMethods(config.upstream_propagation(), false, factory_context)) {}
+      downstream_discovery_(buildDiscoveryMethods(config.downstream_discovery(),
+                                                  buildAdditionalLabels(config.additional_labels()),
+                                                  true, factory_context)),
+      upstream_discovery_(buildDiscoveryMethods(config.upstream_discovery(),
+                                                buildAdditionalLabels(config.additional_labels()),
+                                                false, factory_context)),
+      downstream_propagation_(buildPropagationMethods(
+          config.downstream_propagation(), buildAdditionalLabels(config.additional_labels()), true,
+          factory_context)),
+      upstream_propagation_(buildPropagationMethods(
+          config.upstream_propagation(), buildAdditionalLabels(config.additional_labels()), false,
+          factory_context)) {}
 
 std::vector<DiscoveryMethodPtr> FilterConfig::buildDiscoveryMethods(
     const Protobuf::RepeatedPtrField<io::istio::http::peer_metadata::Config::DiscoveryMethod>&
         config,
-    bool downstream, Server::Configuration::FactoryContext& factory_context) const {
+    const absl::flat_hash_set<std::string>& additional_labels, bool downstream,
+    Server::Configuration::FactoryContext& factory_context) const {
   std::vector<DiscoveryMethodPtr> methods;
   methods.reserve(config.size());
   for (const auto& method : config) {
@@ -195,8 +208,8 @@ std::vector<DiscoveryMethodPtr> FilterConfig::buildDiscoveryMethods(
       break;
     case io::istio::http::peer_metadata::Config::DiscoveryMethod::MethodSpecifierCase::
         kIstioHeaders:
-      methods.push_back(
-          std::make_unique<MXMethod>(downstream, factory_context.serverFactoryContext()));
+      methods.push_back(std::make_unique<MXMethod>(downstream, additional_labels,
+                                                   factory_context.serverFactoryContext()));
       break;
     default:
       break;
@@ -208,15 +221,17 @@ std::vector<DiscoveryMethodPtr> FilterConfig::buildDiscoveryMethods(
 std::vector<PropagationMethodPtr> FilterConfig::buildPropagationMethods(
     const Protobuf::RepeatedPtrField<io::istio::http::peer_metadata::Config::PropagationMethod>&
         config,
-    bool downstream, Server::Configuration::FactoryContext& factory_context) const {
+    const absl::flat_hash_set<std::string>& additional_labels, bool downstream,
+    Server::Configuration::FactoryContext& factory_context) const {
   std::vector<PropagationMethodPtr> methods;
   methods.reserve(config.size());
   for (const auto& method : config) {
     switch (method.method_specifier_case()) {
     case io::istio::http::peer_metadata::Config::PropagationMethod::MethodSpecifierCase::
         kIstioHeaders:
-      methods.push_back(std::make_unique<MXPropagationMethod>(
-          downstream, factory_context.serverFactoryContext(), method.istio_headers()));
+      methods.push_back(
+          std::make_unique<MXPropagationMethod>(downstream, factory_context.serverFactoryContext(),
+                                                additional_labels, method.istio_headers()));
       break;
     default:
       break;
@@ -225,6 +240,15 @@ std::vector<PropagationMethodPtr> FilterConfig::buildPropagationMethods(
   return methods;
 }
 
+absl::flat_hash_set<std::string>
+FilterConfig::buildAdditionalLabels(const Protobuf::RepeatedPtrField<std::string>& labels) const {
+  absl::flat_hash_set<std::string> result;
+  for (const auto& label : labels) {
+    result.emplace(label);
+  }
+  return result;
+}
+
 void FilterConfig::discoverDownstream(StreamInfo::StreamInfo& info, Http::RequestHeaderMap& headers,
                                       Context& ctx) const {
   discover(info, true, headers, ctx);
@@ -268,8 +292,12 @@ void FilterConfig::setFilterState(StreamInfo::StreamInfo& info, bool downstream,
   const absl::string_view key =
       downstream ? Istio::Common::DownstreamPeer : Istio::Common::UpstreamPeer;
   if (!info.filterState()->hasDataWithName(key)) {
+    // Use CelState to allow operation filter_state.upstream_peer.labels['role']
+    auto pb = value.serializeAsProto();
+    auto peer_info = std::make_unique<CelState>(FilterConfig::peerInfoPrototype());
+    peer_info->setValue(absl::string_view(pb->SerializeAsString()));
     info.filterState()->setData(
-        key, std::make_shared<PeerInfo>(value), StreamInfo::FilterState::StateType::Mutable,
+        key, std::move(peer_info), StreamInfo::FilterState::StateType::Mutable,
         StreamInfo::FilterState::LifeSpan::FilterChain, sharedWithUpstream());
   } else {
     ENVOY_LOG(debug, "Duplicate peer metadata, skipping");
@@ -282,19 +310,34 @@ Http::FilterHeadersStatus Filter::decodeHeaders(Http::RequestHeaderMap& headers,
   return Http::FilterHeadersStatus::Continue;
 }
 
-bool MXPropagationMethod::skipMXHeaders(const StreamInfo::StreamInfo& info) const {
+bool MXPropagationMethod::skipMXHeaders(const bool skip_external_clusters,
+                                        const StreamInfo::StreamInfo& info) const {
+  // We skip metadata in two cases.
+  // 1. skip_external_clusters is enabled, and we detect the upstream as external.
   const auto& cluster_info = info.upstreamClusterInfo();
   if (cluster_info && cluster_info.value()) {
     const auto& cluster_name = cluster_info.value()->name();
-    if (cluster_name == "PassthroughCluster") {
+    // PassthroughCluster is always considered external
+    if (skip_external_clusters && cluster_name == "PassthroughCluster") {
       return true;
     }
     const auto& filter_metadata = cluster_info.value()->metadata().filter_metadata();
     const auto& it = filter_metadata.find("istio");
+    // Otherwise, cluster must be tagged as external
     if (it != filter_metadata.end()) {
-      const auto& skip_mx = it->second.fields().find("external");
+      if (skip_external_clusters) {
+        const auto& skip_mx = it->second.fields().find("external");
+        if (skip_mx != it->second.fields().end()) {
+          if (skip_mx->second.bool_value()) {
+            return true;
+          }
+        }
+      }
+      const auto& skip_mx = it->second.fields().find("disable_mx");
       if (skip_mx != it->second.fields().end()) {
-        return skip_mx->second.bool_value();
+        if (skip_mx->second.bool_value()) {
+          return true;
+        }
       }
     }
   }

source/extensions/filters/http/peer_metadata/filter.h

@@ -14,6 +14,7 @@
 
 #pragma once
 
+#include "source/extensions/filters/common/expr/cel_state.h"
 #include "source/extensions/filters/http/common/factory_base.h"
 #include "source/extensions/filters/http/common/pass_through_filter.h"
 #include "source/extensions/filters/http/peer_metadata/config.pb.h"
@@ -25,6 +26,9 @@ namespace Extensions {
 namespace HttpFilters {
 namespace PeerMetadata {
 
+using ::Envoy::Extensions::Filters::Common::Expr::CelStatePrototype;
+using ::Envoy::Extensions::Filters::Common::Expr::CelStateType;
+
 struct HeaderValues {
   const Http::LowerCaseString ExchangeMetadataHeader{"x-envoy-peer-metadata"};
   const Http::LowerCaseString ExchangeMetadataHeaderId{"x-envoy-peer-metadata-id"};
@@ -52,7 +56,8 @@ using DiscoveryMethodPtr = std::unique_ptr<DiscoveryMethod>;
 
 class MXMethod : public DiscoveryMethod {
 public:
-  MXMethod(bool downstream, Server::Configuration::ServerFactoryContext& factory_context);
+  MXMethod(bool downstream, const absl::flat_hash_set<std::string> additional_labels,
+           Server::Configuration::ServerFactoryContext& factory_context);
   absl::optional<PeerInfo> derivePeerInfo(const StreamInfo::StreamInfo&, Http::HeaderMap&,
                                           Context&) const override;
   void remove(Http::HeaderMap&) const override;
@@ -64,6 +69,7 @@ private:
     absl::flat_hash_map<std::string, PeerInfo> cache_;
   };
   mutable ThreadLocal::TypedSlot<MXCache> tls_;
+  const absl::flat_hash_set<std::string> additional_labels_;
   const int64_t max_peer_cache_size_{500};
 };
 
@@ -79,16 +85,18 @@ using PropagationMethodPtr = std::unique_ptr<PropagationMethod>;
 class MXPropagationMethod : public PropagationMethod {
 public:
   MXPropagationMethod(bool downstream, Server::Configuration::ServerFactoryContext& factory_context,
+                      const absl::flat_hash_set<std::string>& additional_labels,
                       const io::istio::http::peer_metadata::Config_IstioHeaders&);
   void inject(const StreamInfo::StreamInfo&, Http::HeaderMap&, Context&) const override;
 
 private:
   const bool downstream_;
-  std::string computeValue(Server::Configuration::ServerFactoryContext&) const;
+  std::string computeValue(const absl::flat_hash_set<std::string>&,
+                           Server::Configuration::ServerFactoryContext&) const;
   const std::string id_;
   const std::string value_;
   const bool skip_external_clusters_;
-  bool skipMXHeaders(const StreamInfo::StreamInfo&) const;
+  bool skipMXHeaders(const bool, const StreamInfo::StreamInfo&) const;
 };
 
 class FilterConfig : public Logger::Loggable<Logger::Id::filter> {
@@ -100,13 +108,24 @@ public:
   void injectDownstream(const StreamInfo::StreamInfo&, Http::ResponseHeaderMap&, Context&) const;
   void injectUpstream(const StreamInfo::StreamInfo&, Http::RequestHeaderMap&, Context&) const;
 
+  static const CelStatePrototype& peerInfoPrototype() {
+    static const CelStatePrototype* const prototype = new CelStatePrototype(
+        true, CelStateType::Protobuf, "type.googleapis.com/google.protobuf.Struct",
+        StreamInfo::FilterState::LifeSpan::FilterChain);
+    return *prototype;
+  }
+
 private:
   std::vector<DiscoveryMethodPtr> buildDiscoveryMethods(
       const Protobuf::RepeatedPtrField<io::istio::http::peer_metadata::Config::DiscoveryMethod>&,
-      bool downstream, Server::Configuration::FactoryContext&) const;
+      const absl::flat_hash_set<std::string>& additional_labels, bool downstream,
+      Server::Configuration::FactoryContext&) const;
   std::vector<PropagationMethodPtr> buildPropagationMethods(
       const Protobuf::RepeatedPtrField<io::istio::http::peer_metadata::Config::PropagationMethod>&,
-      bool downstream, Server::Configuration::FactoryContext&) const;
+      const absl::flat_hash_set<std::string>& additional_labels, bool downstream,
+      Server::Configuration::FactoryContext&) const;
+  absl::flat_hash_set<std::string>
+  buildAdditionalLabels(const Protobuf::RepeatedPtrField<std::string>&) const;
   StreamInfo::StreamSharingMayImpactPooling sharedWithUpstream() const {
     return shared_with_upstream_
                ? StreamInfo::StreamSharingMayImpactPooling::SharedWithUpstreamConnectionOnce

source/extensions/filters/http/peer_metadata/filter_test.cc

@@ -79,11 +79,23 @@ protected:
         downstream ? Istio::Common::DownstreamPeer : Istio::Common::UpstreamPeer));
   }
   void checkPeerNamespace(bool downstream, const std::string& expected) {
-    const auto* obj = stream_info_.filterState()->getDataReadOnly<WorkloadMetadataObject>(
-        downstream ? Istio::Common::DownstreamPeer : Istio::Common::UpstreamPeer);
-    ASSERT_NE(nullptr, obj);
-    EXPECT_EQ(expected, obj->namespace_name_);
+    const auto* cel_state =
+        stream_info_.filterState()
+            ->getDataReadOnly<Envoy::Extensions::Filters::Common::Expr::CelState>(
+                downstream ? Istio::Common::DownstreamPeer : Istio::Common::UpstreamPeer);
+    ProtobufWkt::Struct obj;
+    ASSERT_TRUE(obj.ParseFromString(cel_state->value().data()));
+    EXPECT_EQ(expected, extractString(obj, "namespace"));
   }
+
+  absl::string_view extractString(const ProtobufWkt::Struct& metadata, absl::string_view key) {
+    const auto& it = metadata.fields().find(key);
+    if (it == metadata.fields().end()) {
+      return {};
+    }
+    return it->second.string_value();
+  }
+
   void checkShared(bool expected) {
     EXPECT_EQ(expected,
               stream_info_.filterState()->objectsSharedWithUpstreamConnection()->size() > 0);
@@ -270,7 +282,8 @@ TEST_F(PeerMetadataTest, DownstreamFallbackSecond) {
 
 TEST(MXMethod, Cache) {
   NiceMock<Server::Configuration::MockServerFactoryContext> context;
-  MXMethod method(true, context);
+  absl::flat_hash_set<std::string> additional_labels;
+  MXMethod method(true, additional_labels, context);
   NiceMock<StreamInfo::MockStreamInfo> stream_info;
   Http::TestRequestHeaderMapImpl request_headers;
   const int32_t max = 1000;
@@ -385,6 +398,20 @@ TEST_F(PeerMetadataTest, DownstreamMXPropagation) {
   checkNoPeer(false);
 }
 
+TEST_F(PeerMetadataTest, DownstreamMXPropagationWithAdditionalLabels) {
+  initialize(R"EOF(
+    downstream_propagation:
+      - istio_headers: {}
+    additional_labels:
+      - foo
+      - bar
+  )EOF");
+  EXPECT_EQ(0, request_headers_.size());
+  EXPECT_EQ(0, response_headers_.size());
+  checkNoPeer(true);
+  checkNoPeer(false);
+}
+
 TEST_F(PeerMetadataTest, DownstreamMXDiscoveryPropagation) {
   request_headers_.setReference(Headers::get().ExchangeMetadataHeaderId, "test-pod");
   request_headers_.setReference(Headers::get().ExchangeMetadataHeader, SampleIstioHeader);

source/extensions/filters/network/metadata_exchange/BUILD

@@ -43,7 +43,6 @@ envoy_cc_library(
         "//source/extensions/common/workload_discovery:api_lib",
         "//source/extensions/filters/network/metadata_exchange/config:metadata_exchange_cc_proto",
         "@com_google_absl//absl/base:core_headers",
-        "@com_google_absl//absl/base:endian",
         "@com_google_absl//absl/strings",
         "@envoy//envoy/local_info:local_info_interface",
         "@envoy//envoy/network:connection_interface",
@@ -52,10 +51,12 @@ envoy_cc_library(
         "@envoy//envoy/stats:stats_macros",
         "@envoy//envoy/stream_info:filter_state_interface",
         "@envoy//source/common/http:utility_lib",
+        "@envoy//source/common/network:filter_state_dst_address_lib",
         "@envoy//source/common/network:utility_lib",
         "@envoy//source/common/protobuf",
         "@envoy//source/common/protobuf:utility_lib",
         "@envoy//source/common/stream_info:bool_accessor_lib",
+        "@envoy//source/extensions/filters/common/expr:cel_state_lib",
     ],
 )
 

source/extensions/filters/network/metadata_exchange/config.cc

@@ -31,9 +31,16 @@ Network::FilterFactoryCb createFilterFactoryHelper(
     Server::Configuration::ServerFactoryContext& context, FilterDirection filter_direction) {
   ASSERT(!proto_config.protocol().empty());
 
+  absl::flat_hash_set<std::string> additional_labels;
+  if (!proto_config.additional_labels().empty()) {
+    for (const auto& label : proto_config.additional_labels()) {
+      additional_labels.emplace(label);
+    }
+  }
+
   MetadataExchangeConfigSharedPtr filter_config(std::make_shared<MetadataExchangeConfig>(
       StatPrefix, proto_config.protocol(), filter_direction, proto_config.enable_discovery(),
-      context, context.scope()));
+      additional_labels, context, context.scope()));
   return [filter_config, &context](Network::FilterManager& filter_manager) -> void {
     filter_manager.addFilter(
         std::make_shared<MetadataExchangeFilter>(filter_config, context.localInfo()));

source/extensions/filters/network/metadata_exchange/config/metadata_exchange.pb.html

@@ -1,47 +0,0 @@
----
-title: envoy.tcp.metadataexchange.config
-layout: protoc-gen-docs
-generator: protoc-gen-docs
-number_of_entries: 1
----
-<h2 id="MetadataExchange">MetadataExchange</h2>
-<section>
-<p>[#protodoc-title: MetadataExchange protocol match and data transfer]
-MetadataExchange protocol match and data transfer</p>
-
-<table class="message-fields">
-<thead>
-<tr>
-<th>Field</th>
-<th>Type</th>
-<th>Description</th>
-<th>Required</th>
-</tr>
-</thead>
-<tbody>
-<tr id="MetadataExchange-protocol">
-<td><code>protocol</code></td>
-<td><code>string</code></td>
-<td>
-<p>Protocol that Alpn should support on the server.
-[#comment:TODO(GargNupur): Make it a list.]</p>
-
-</td>
-<td>
-No
-</td>
-</tr>
-<tr id="MetadataExchange-enable_discovery">
-<td><code>enable_discovery</code></td>
-<td><code>bool</code></td>
-<td>
-<p>If true, will attempt to use WDS in case the prefix peer metadata is not available.</p>
-
-</td>
-<td>
-No
-</td>
-</tr>
-</tbody>
-</table>
-</section>

source/extensions/filters/network/metadata_exchange/config/metadata_exchange.proto

@@ -31,4 +31,8 @@ message MetadataExchange {
 
   // If true, will attempt to use WDS in case the prefix peer metadata is not available.
   bool enable_discovery = 2;
+
+  // Additional labels to be added to the peer metadata to help your understand the traffic.
+  // e.g. `role`, `location` etc.
+  repeated string additional_labels = 3;
 }

source/extensions/filters/network/metadata_exchange/metadata_exchange.cc

@@ -25,12 +25,17 @@
 #include "envoy/stats/scope.h"
 #include "source/common/buffer/buffer_impl.h"
 #include "source/common/protobuf/utility.h"
+#include "source/common/network/utility.h"
+#include "source/common/network/filter_state_dst_address.h"
 #include "source/extensions/filters/network/metadata_exchange/metadata_exchange_initial_header.h"
 #include "source/common/stream_info/bool_accessor_impl.h"
 
 namespace Envoy {
 namespace Tcp {
 namespace MetadataExchange {
+
+using ::Envoy::Extensions::Filters::Common::Expr::CelState;
+
 namespace {
 
 // Sentinel key in the filter state, indicating that the peer metadata is
@@ -58,9 +63,11 @@ std::unique_ptr<Buffer::OwnedImpl> constructProxyHeaderData(const ProtobufWkt::A
 MetadataExchangeConfig::MetadataExchangeConfig(
     const std::string& stat_prefix, const std::string& protocol,
     const FilterDirection filter_direction, bool enable_discovery,
+    const absl::flat_hash_set<std::string> additional_labels,
     Server::Configuration::ServerFactoryContext& factory_context, Stats::Scope& scope)
     : scope_(scope), stat_prefix_(stat_prefix), protocol_(protocol),
-      filter_direction_(filter_direction), stats_(generateStats(stat_prefix, scope)) {
+      filter_direction_(filter_direction), stats_(generateStats(stat_prefix, scope)),
+      additional_labels_(additional_labels) {
   if (enable_discovery) {
     metadata_provider_ = Extensions::Common::WorkloadDiscovery::GetProvider(factory_context);
   }
@@ -179,9 +186,10 @@ void MetadataExchangeFilter::writeNodeMetadata() {
   if (conn_state_ != WriteMetadata) {
     return;
   }
-
+  ENVOY_LOG(trace, "Writing metadata to the connection.");
   ProtobufWkt::Struct data;
-  const auto obj = Istio::Common::convertStructToWorkloadMetadata(local_info_.node().metadata());
+  const auto obj = Istio::Common::convertStructToWorkloadMetadata(local_info_.node().metadata(),
+                                                                  config_->additional_labels_);
   *(*data.mutable_fields())[ExchangeMetadataHeader].mutable_struct_value() =
       Istio::Common::convertWorkloadMetadataToStruct(*obj);
   std::string metadata_id = getMetadataId();
@@ -255,31 +263,98 @@ void MetadataExchangeFilter::tryReadProxyData(Buffer::Instance& data) {
   ProtobufWkt::Struct value_struct = MessageUtil::anyConvert<ProtobufWkt::Struct>(proxy_data);
   auto key_metadata_it = value_struct.fields().find(ExchangeMetadataHeader);
   if (key_metadata_it != value_struct.fields().end()) {
-    updatePeer(
-        *Istio::Common::convertStructToWorkloadMetadata(key_metadata_it->second.struct_value()));
+    updatePeer(*Istio::Common::convertStructToWorkloadMetadata(
+        key_metadata_it->second.struct_value(), config_->additional_labels_));
   }
 }
 
-void MetadataExchangeFilter::updatePeer(const Istio::Common::WorkloadMetadataObject& obj) {
+void MetadataExchangeFilter::updatePeer(const Istio::Common::WorkloadMetadataObject& value) {
+  updatePeer(value, config_->filter_direction_);
+}
+
+void MetadataExchangeFilter::updatePeer(const Istio::Common::WorkloadMetadataObject& value,
+                                        FilterDirection direction) {
+  auto filter_state_key = direction == FilterDirection::Downstream ? Istio::Common::DownstreamPeer
+                                                                   : Istio::Common::UpstreamPeer;
+  auto pb = value.serializeAsProto();
+  auto peer_info = std::make_shared<CelState>(MetadataExchangeConfig::peerInfoPrototype());
+  peer_info->setValue(absl::string_view(pb->SerializeAsString()));
+
   read_callbacks_->connection().streamInfo().filterState()->setData(
-      config_->filter_direction_ == FilterDirection::Downstream ? Istio::Common::DownstreamPeer
-                                                                : Istio::Common::UpstreamPeer,
-      std::make_shared<Istio::Common::WorkloadMetadataObject>(obj),
-      StreamInfo::FilterState::StateType::Mutable, StreamInfo::FilterState::LifeSpan::Connection);
+      filter_state_key, std::move(peer_info), StreamInfo::FilterState::StateType::Mutable,
+      StreamInfo::FilterState::LifeSpan::Connection);
 }
 
 std::string MetadataExchangeFilter::getMetadataId() { return local_info_.node().id(); }
 
 void MetadataExchangeFilter::setMetadataNotFoundFilterState() {
   if (config_->metadata_provider_) {
+    Network::Address::InstanceConstSharedPtr upstream_peer;
+    const StreamInfo::StreamInfo& info = read_callbacks_->connection().streamInfo();
+    if (info.upstreamInfo()) {
+      auto upstream_host = info.upstreamInfo().value().get().upstreamHost();
+      if (upstream_host) {
+        const auto address = upstream_host->address();
+        ENVOY_LOG(debug, "Trying to check upstream host info of host {}", address->asString());
+        switch (address->type()) {
+        case Network::Address::Type::Ip:
+          upstream_peer = upstream_host->address();
+          break;
+        case Network::Address::Type::EnvoyInternal:
+          if (upstream_host->metadata()) {
+            ENVOY_LOG(debug, "Trying to check filter metadata of host {}",
+                      upstream_host->address()->asString());
+            const auto& filter_metadata = upstream_host->metadata()->filter_metadata();
+            const auto& it = filter_metadata.find("envoy.filters.listener.original_dst");
+            if (it != filter_metadata.end()) {
+              const auto& destination_it = it->second.fields().find("local");
+              if (destination_it != it->second.fields().end()) {
+                upstream_peer = Network::Utility::parseInternetAddressAndPortNoThrow(
+                    destination_it->second.string_value(), /*v6only=*/false);
+              }
+            }
+          }
+          break;
+        default:
+          break;
+        }
+      }
+    }
+    // Get our metadata differently based on the direction of the filter
+    auto downstream_peer_address = [&]() -> Network::Address::InstanceConstSharedPtr {
+      if (upstream_peer) {
+        // Query upstream peer data and save it in metadata for stats
+        const auto metadata_object = config_->metadata_provider_->GetMetadata(upstream_peer);
+        if (metadata_object) {
+          ENVOY_LOG(debug, "Metadata found for upstream peer address {}",
+                    upstream_peer->asString());
+          updatePeer(metadata_object.value(), FilterDirection::Upstream);
+        }
+      }
+
+      // Regardless, return the downstream address for downstream metadata
+      return read_callbacks_->connection().connectionInfoProvider().remoteAddress();
+    };
+
+    auto upstream_peer_address = [&]() -> Network::Address::InstanceConstSharedPtr {
+      if (upstream_peer) {
+        return upstream_peer;
+      }
+      ENVOY_LOG(debug, "Upstream peer address is null. Fall back to localAddress");
+      return read_callbacks_->connection().connectionInfoProvider().localAddress();
+    };
     const Network::Address::InstanceConstSharedPtr peer_address =
-        read_callbacks_->connection().connectionInfoProvider().remoteAddress();
+        config_->filter_direction_ == FilterDirection::Downstream ? downstream_peer_address()
+                                                                  : upstream_peer_address();
     ENVOY_LOG(debug, "Look up metadata based on peer address {}", peer_address->asString());
     const auto metadata_object = config_->metadata_provider_->GetMetadata(peer_address);
     if (metadata_object) {
+      ENVOY_LOG(trace, "Metadata found for peer address {}", peer_address->asString());
       updatePeer(metadata_object.value());
       config_->stats().metadata_added_.inc();
       return;
+    } else {
+      ENVOY_LOG(debug, "Metadata not found for peer address {}", peer_address->asString());
     }
   }
   read_callbacks_->connection().streamInfo().filterState()->setData(

source/extensions/filters/network/metadata_exchange/metadata_exchange.h

@@ -25,6 +25,7 @@
 #include "envoy/stream_info/filter_state.h"
 #include "source/common/common/stl_helpers.h"
 #include "source/common/protobuf/protobuf.h"
+#include "source/extensions/filters/common/expr/cel_state.h"
 #include "source/extensions/filters/network/metadata_exchange/config/metadata_exchange.pb.h"
 #include "source/extensions/common/workload_discovery/api.h"
 
@@ -34,6 +35,9 @@ namespace Envoy {
 namespace Tcp {
 namespace MetadataExchange {
 
+using ::Envoy::Extensions::Filters::Common::Expr::CelStatePrototype;
+using ::Envoy::Extensions::Filters::Common::Expr::CelStateType;
+
 /**
  * All MetadataExchange filter stats. @see stats_macros.h
  */
@@ -64,6 +68,7 @@ class MetadataExchangeConfig {
 public:
   MetadataExchangeConfig(const std::string& stat_prefix, const std::string& protocol,
                          const FilterDirection filter_direction, bool enable_discovery,
+                         const absl::flat_hash_set<std::string> additional_labels,
                          Server::Configuration::ServerFactoryContext& factory_context,
                          Stats::Scope& scope);
 
@@ -81,6 +86,14 @@ public:
   Extensions::Common::WorkloadDiscovery::WorkloadMetadataProviderSharedPtr metadata_provider_;
   // Stats for MetadataExchange Filter.
   MetadataExchangeStats stats_;
+  const absl::flat_hash_set<std::string> additional_labels_;
+
+  static const CelStatePrototype& peerInfoPrototype() {
+    static const CelStatePrototype* const prototype = new CelStatePrototype(
+        true, CelStateType::Protobuf, "type.googleapis.com/google.protobuf.Struct",
+        StreamInfo::FilterState::LifeSpan::Connection);
+    return *prototype;
+  }
 
 private:
   MetadataExchangeStats generateStats(const std::string& prefix, Stats::Scope& scope) {
@@ -125,6 +138,7 @@ private:
   void tryReadProxyData(Buffer::Instance& data);
 
   // Helper function to share the metadata with other filters.
+  void updatePeer(const Istio::Common::WorkloadMetadataObject& obj, FilterDirection direction);
   void updatePeer(const Istio::Common::WorkloadMetadataObject& obj);
 
   // Helper function to get metadata id.

source/extensions/filters/network/metadata_exchange/metadata_exchange_test.cc

@@ -56,9 +56,12 @@ class MetadataExchangeFilterTest : public testing::Test {
 public:
   MetadataExchangeFilterTest() { ENVOY_LOG_MISC(info, "test"); }
 
-  void initialize() {
+  void initialize() { initialize(absl::flat_hash_set<std::string>()); }
+
+  void initialize(absl::flat_hash_set<std::string> additional_labels) {
     config_ = std::make_shared<MetadataExchangeConfig>(
-        stat_prefix_, "istio2", FilterDirection::Downstream, false, context_, *scope_.rootScope());
+        stat_prefix_, "istio2", FilterDirection::Downstream, false, additional_labels, context_,
+        *scope_.rootScope());
     filter_ = std::make_unique<MetadataExchangeFilter>(config_, local_info_);
     filter_->initializeReadFilterCallbacks(read_filter_callbacks_);
     filter_->initializeWriteFilterCallbacks(write_filter_callbacks_);
@@ -117,6 +120,29 @@ TEST_F(MetadataExchangeFilterTest, MetadataExchangeFound) {
   EXPECT_EQ(1UL, config_->stats().alpn_protocol_found_.value());
 }
 
+TEST_F(MetadataExchangeFilterTest, MetadataExchangeAdditionalLabels) {
+  initialize({"role"});
+  initializeStructValues();
+
+  EXPECT_CALL(read_filter_callbacks_.connection_, nextProtocol()).WillRepeatedly(Return("istio2"));
+
+  ::Envoy::Buffer::OwnedImpl data;
+  MetadataExchangeInitialHeader initial_header;
+  Envoy::ProtobufWkt::Any productpage_any_value;
+  productpage_any_value.set_type_url("type.googleapis.com/google.protobuf.Struct");
+  *productpage_any_value.mutable_value() = productpage_value_.SerializeAsString();
+  ConstructProxyHeaderData(data, productpage_any_value, &initial_header);
+  ::Envoy::Buffer::OwnedImpl world{"world"};
+  data.add(world);
+
+  EXPECT_EQ(Envoy::Network::FilterStatus::Continue, filter_->onData(data, false));
+  EXPECT_EQ(data.toString(), "world");
+
+  EXPECT_EQ(0UL, config_->stats().initial_header_not_found_.value());
+  EXPECT_EQ(0UL, config_->stats().header_not_found_.value());
+  EXPECT_EQ(1UL, config_->stats().alpn_protocol_found_.value());
+}
+
 TEST_F(MetadataExchangeFilterTest, MetadataExchangeNotFound) {
   initialize();
 

test/envoye2e/driver/otel.go

@@ -114,6 +114,7 @@ func (v *verify) Run(p *Params) error {
 		return fmt.Errorf("timed out waiting for all metrics to match")
 	}
 }
+
 func (v *verify) Cleanup() {
 }
 

test/envoye2e/http_metadata_exchange/exchange_test.go

@@ -128,3 +128,42 @@ func TestNativeHTTPExchange(t *testing.T) {
 		t.Fatal(err)
 	}
 }
+
+func TestHTTPExchangeAdditionalLabels(t *testing.T) {
+	params := driver.NewTestParams(t, map[string]string{}, envoye2e.ProxyE2ETests)
+	params.Vars["ServerMetadata"] = params.LoadTestData("testdata/server_node_metadata.json.tmpl")
+	params.Vars["ServerHTTPFilters"] = params.LoadTestData("testdata/filters/mx_native_inbound_labels.yaml.tmpl")
+	// TCP MX should not break HTTP MX when there is no TCP prefix or TCP MX ALPN.
+	params.Vars["ServerNetworkFilters"] = params.LoadTestData("testdata/filters/server_mx_network_filter.yaml.tmpl")
+	metadata := EncodeMetadata(t, params)
+	if err := (&driver.Scenario{
+		Steps: []driver.Step{
+			&driver.XDS{},
+			&driver.Update{Node: "server", Version: "0", Listeners: []string{driver.LoadTestData("testdata/listener/server.yaml.tmpl")}},
+			&driver.Envoy{Bootstrap: params.LoadTestData("testdata/bootstrap/server.yaml.tmpl"), Concurrency: 2},
+			&driver.Sleep{Duration: 1 * time.Second},
+			&driver.Repeat{
+				// Must be high enough to exercise cache eviction.
+				N: 1000,
+				Step: &driver.HTTPCall{
+					IP:   "127.0.0.2",
+					Port: params.Ports.ServerPort,
+					Body: "hello, world!",
+					RequestHeaders: map[string]string{
+						"x-envoy-peer-metadata-id": "client{{ .N }}",
+						"x-envoy-peer-metadata":    metadata,
+					},
+					ResponseHeaders: map[string]string{
+						"x-envoy-peer-metadata-id": "server",
+						"x-envoy-peer-metadata":    driver.Any,
+					},
+				},
+			},
+			&driver.Stats{AdminPort: params.Ports.ServerAdmin, Matchers: map[string]driver.StatMatcher{
+				"envoy_server_envoy_bug_failures": &driver.ExactStat{Metric: "testdata/metric/envoy_bug_failures.yaml"},
+			}},
+		},
+	}).Run(params); err != nil {
+		t.Fatal(err)
+	}
+}

test/envoye2e/inventory.go

@@ -34,11 +34,14 @@ func init() {
 		"TestPassthroughCONNECT/h2",
 		"TestHTTPExchange",
 		"TestNativeHTTPExchange",
+		"TestHTTPExchangeAdditionalLabels",
 		"TestStats403Failure/#00",
 		"TestStatsECDS/#00",
 		"TestStatsEndpointLabels/#00",
 		"TestStatsServerWaypointProxy",
-		"TestStatsServerWaypointProxyCONNECT",
+		"TestStatsServerWaypointProxyCONNECT/full_metadata",
+		"TestStatsServerWaypointProxyCONNECT/empty_metadata",
+		"TestTCPStatsServerWaypointProxyCONNECT",
 		"TestStatsGrpc/#00",
 		"TestStatsGrpcStream/#00",
 		"TestStatsParallel/Default",
@@ -55,5 +58,8 @@ func init() {
 		"TestTCPMetadataExchangeWithConnectionTermination",
 		"TestTCPMetadataNotFoundReporting",
 		"TestStatsDestinationServiceNamespacePrecedence",
+		"TestAdditionalLabels",
+		"TestTCPMXAdditionalLabels",
+		"TestStatsClientSidecarCONNECT",
 	}...)
 }

test/envoye2e/stats_plugin/stats_test.go

@@ -602,6 +602,14 @@ canonical_revision: version-1
 uid: //v1/pod/default/ratings
 service_account: ratings
 trust_domain: cluster.global
+cluster_id: ratings-cluster
+`
+
+// A mostly empty metadata.
+// All workloads are guaranteed to have a UID and ought to have a namespace as well.
+const EmptyMetadata = `
+uid: //v1/pod/default/ratings
+namespace: default
 `
 
 const ProductPageMetadata = `
@@ -654,7 +662,94 @@ func TestStatsServerWaypointProxy(t *testing.T) {
 	}
 }
 
+func TestStatsClientSidecarCONNECT(t *testing.T) {
+	params := driver.NewTestParams(t, map[string]string{
+		"RequestCount":            "10",
+		"EnableDelta":             "true",
+		"EnableMetadataDiscovery": "true",
+		"StatsFilterServerConfig": driver.LoadTestJSON("testdata/stats/server_config.yaml"),
+		"StatsFilterClientConfig": driver.LoadTestJSON("testdata/stats/client_config.yaml"),
+	}, envoye2e.ProxyE2ETests)
+	params.Vars["ServerClusterName"] = "internal_outbound"
+	params.Vars["ServerInternalAddress"] = "internal_inbound"
+	params.Vars["ClientMetadata"] = params.LoadTestData("testdata/client_node_metadata.json.tmpl")
+	params.Vars["ServerMetadata"] = params.LoadTestData("testdata/server_waypoint_proxy_node_metadata.json.tmpl")
+	params.Vars["ServerHTTPFilters"] = driver.LoadTestData("testdata/filters/mx_waypoint.yaml.tmpl") + "\n" +
+		driver.LoadTestData("testdata/filters/stats_inbound.yaml.tmpl")
+	params.Vars["EnableTunnelEndpointMetadata"] = "true"
+	params.Vars["EnableOriginalDstPortOverride"] = "true"
+	params.Vars["ClientHTTPFilters"] = driver.LoadTestData("testdata/filters/mx_native_outbound.yaml.tmpl") + "\n" +
+		driver.LoadTestData("testdata/filters/stats_outbound.yaml.tmpl")
+
+	if err := (&driver.Scenario{
+		Steps: []driver.Step{
+			&driver.XDS{},
+			&driver.Update{
+				Node: "client", Version: "0",
+				Clusters: []string{
+					driver.LoadTestData("testdata/cluster/internal_outbound.yaml.tmpl"),
+					driver.LoadTestData("testdata/cluster/original_dst.yaml.tmpl"),
+				},
+				Listeners: []string{
+					driver.LoadTestData("testdata/listener/client.yaml.tmpl"),
+					driver.LoadTestData("testdata/listener/internal_outbound.yaml.tmpl"),
+				},
+				Secrets: []string{
+					driver.LoadTestData("testdata/secret/client.yaml.tmpl"),
+				},
+			},
+			&driver.Update{
+				Node: "server", Version: "0",
+				Clusters: []string{
+					driver.LoadTestData("testdata/cluster/internal_inbound.yaml.tmpl"),
+				},
+				Listeners: []string{
+					driver.LoadTestData("testdata/listener/terminate_connect.yaml.tmpl"),
+					driver.LoadTestData("testdata/listener/server.yaml.tmpl"),
+				},
+				Secrets: []string{
+					driver.LoadTestData("testdata/secret/server.yaml.tmpl"),
+				},
+			},
+			&driver.UpdateWorkloadMetadata{Workloads: []driver.WorkloadMetadata{{
+				Address:  "127.0.0.1",
+				Metadata: ProductPageMetadata,
+			}, {
+				Address:  "127.0.0.2", // We're going to pretend our server is a mesh service
+				Metadata: BackendMetadata,
+			}}},
+			&driver.Envoy{Bootstrap: params.LoadTestData("testdata/bootstrap/client.yaml.tmpl")},
+			&driver.Envoy{Bootstrap: params.LoadTestData("testdata/bootstrap/server.yaml.tmpl")},
+			&driver.Sleep{Duration: 1 * time.Second},
+			&driver.Repeat{
+				N: 10,
+				Step: &driver.HTTPCall{
+					Port:         params.Ports.ClientPort,
+					ResponseCode: 200,
+				},
+			},
+			&driver.Stats{
+				AdminPort: params.Ports.ClientAdmin,
+				Matchers: map[string]driver.StatMatcher{
+					"istio_requests_total": &driver.ExactStat{Metric: "testdata/metric/client_sidecar_connect_request_total.yaml.tmpl"},
+				},
+			},
+		},
+	}).Run(params); err != nil {
+		t.Fatal(err)
+	}
+}
+
 func TestStatsServerWaypointProxyCONNECT(t *testing.T) {
+	t.Run("full metadata", func(t *testing.T) {
+		runStatsServerWaypointProxyCONNECT(t, BackendMetadata, "testdata/metric/server_waypoint_proxy_connect_request_total.yaml.tmpl")
+	})
+	t.Run("empty metadata", func(t *testing.T) {
+		runStatsServerWaypointProxyCONNECT(t, EmptyMetadata, "testdata/metric/server_waypoint_proxy_connect_emptymeta_request_total.yaml.tmpl")
+	})
+}
+
+func runStatsServerWaypointProxyCONNECT(t *testing.T, backendMetadata string, metricResult string) {
 	params := driver.NewTestParams(t, map[string]string{
 		"RequestCount":            "10",
 		"EnableDelta":             "true",
@@ -704,7 +799,7 @@ func TestStatsServerWaypointProxyCONNECT(t *testing.T) {
 				Metadata: ProductPageMetadata,
 			}, {
 				Address:  "127.0.0.3",
-				Metadata: BackendMetadata,
+				Metadata: backendMetadata,
 			}}},
 			&driver.Envoy{Bootstrap: params.LoadTestData("testdata/bootstrap/client.yaml.tmpl")},
 			&driver.Envoy{Bootstrap: params.LoadTestData("testdata/bootstrap/server.yaml.tmpl")},
@@ -719,7 +814,80 @@ func TestStatsServerWaypointProxyCONNECT(t *testing.T) {
 			&driver.Stats{
 				AdminPort: params.Ports.ServerAdmin,
 				Matchers: map[string]driver.StatMatcher{
-					"istio_requests_total": &driver.ExactStat{Metric: "testdata/metric/server_waypoint_proxy_connect_request_total.yaml.tmpl"},
+					"istio_requests_total": &driver.ExactStat{Metric: metricResult},
+				},
+			},
+		},
+	}).Run(params); err != nil {
+		t.Fatal(err)
+	}
+}
+
+func TestTCPStatsServerWaypointProxyCONNECT(t *testing.T) {
+	params := driver.NewTestParams(t, map[string]string{
+		"EnableDelta":             "true",
+		"EnableMetadataDiscovery": "true",
+		"DisableDirectResponse":   "true",
+		"ConnectionCount":         "10",
+		"StatsFilterServerConfig": driver.LoadTestJSON("testdata/stats/server_waypoint_proxy_config.yaml"),
+	}, envoye2e.ProxyE2ETests)
+	params.Vars["ServerClusterName"] = "internal_outbound"
+	params.Vars["ServerInternalAddress"] = "internal_inbound"
+	params.Vars["ServerMetadata"] = params.LoadTestData("testdata/server_waypoint_proxy_node_metadata.json.tmpl")
+	params.Vars["ServerNetworkFilters"] = driver.LoadTestData("testdata/filters/mx_waypoint_tcp.yaml.tmpl") + "\n" +
+		driver.LoadTestData("testdata/filters/stats_inbound.yaml.tmpl")
+	params.Vars["EnableTunnelEndpointMetadata"] = "true"
+	params.Vars["EnableOriginalDstPortOverride"] = "true"
+
+	if err := (&driver.Scenario{
+		Steps: []driver.Step{
+			&driver.XDS{},
+			&driver.Update{
+				Node: "client", Version: "0",
+				Clusters: []string{
+					driver.LoadTestData("testdata/cluster/internal_outbound.yaml.tmpl"),
+					driver.LoadTestData("testdata/cluster/original_dst.yaml.tmpl"),
+				},
+				Listeners: []string{
+					driver.LoadTestData("testdata/listener/tcp_client.yaml.tmpl"),
+					driver.LoadTestData("testdata/listener/internal_outbound.yaml.tmpl"),
+				},
+				Secrets: []string{
+					driver.LoadTestData("testdata/secret/client.yaml.tmpl"),
+				},
+			},
+			&driver.Update{
+				Node: "server", Version: "0",
+				Clusters: []string{
+					driver.LoadTestData("testdata/cluster/internal_inbound.yaml.tmpl"),
+				},
+				Listeners: []string{
+					driver.LoadTestData("testdata/listener/terminate_connect.yaml.tmpl"),
+					driver.LoadTestData("testdata/listener/tcp_waypoint_server.yaml.tmpl"),
+				},
+				Secrets: []string{
+					driver.LoadTestData("testdata/secret/server.yaml.tmpl"),
+				},
+			},
+			&driver.UpdateWorkloadMetadata{Workloads: []driver.WorkloadMetadata{{
+				Address:  "127.0.0.1",
+				Metadata: ProductPageMetadata,
+			}, {
+				Address:  "127.0.0.3",
+				Metadata: BackendMetadata,
+			}}},
+			&driver.Envoy{Bootstrap: params.LoadTestData("testdata/bootstrap/client.yaml.tmpl")},
+			&driver.Envoy{Bootstrap: params.LoadTestData("testdata/bootstrap/server.yaml.tmpl")},
+			&driver.Sleep{Duration: 1 * time.Second},
+			&driver.TCPServer{Prefix: "hello"},
+			&driver.Repeat{
+				N:    10,
+				Step: &driver.TCPConnection{},
+			},
+			&driver.Stats{
+				AdminPort: params.Ports.ServerAdmin,
+				Matchers: map[string]driver.StatMatcher{
+					"istio_tcp_connections_opened_total": &driver.ExactStat{Metric: "testdata/metric/server_waypoint_proxy_connect_connections_opened_total.yaml.tmpl"},
 				},
 			},
 		},
@@ -808,3 +976,50 @@ func TestStatsDestinationServiceNamespacePrecedence(t *testing.T) {
 		t.Fatal(err)
 	}
 }
+
+func TestAdditionalLabels(t *testing.T) {
+	env.SkipTSan(t)
+	params := driver.NewTestParams(t, map[string]string{
+		"RequestCount":            "10",
+		"StatsFilterClientConfig": driver.LoadTestJSON("testdata/stats/client_additional_labels.yaml"),
+		"StatsFilterServerConfig": driver.LoadTestJSON("testdata/stats/server_additional_labels.yaml"),
+		"ResponseCodeClass":       "2xx",
+	}, envoye2e.ProxyE2ETests)
+	params.Vars["ClientMetadata"] = params.LoadTestData("testdata/client_node_metadata.json.tmpl")
+	params.Vars["ServerMetadata"] = params.LoadTestData("testdata/server_node_metadata.json.tmpl")
+	params.Vars["ServerHTTPFilters"] = driver.LoadTestData("testdata/filters/mx_native_inbound_labels.yaml.tmpl") + "\n" +
+		driver.LoadTestData("testdata/filters/stats_inbound.yaml.tmpl")
+	params.Vars["ClientHTTPFilters"] = driver.LoadTestData("testdata/filters/mx_native_outbound_labels.yaml.tmpl") + "\n" +
+		driver.LoadTestData("testdata/filters/stats_outbound.yaml.tmpl")
+	if err := (&driver.Scenario{
+		Steps: []driver.Step{
+			&driver.XDS{},
+			&driver.Update{Node: "client", Version: "0", Listeners: []string{params.LoadTestData("testdata/listener/client.yaml.tmpl")}},
+			&driver.Update{Node: "server", Version: "0", Listeners: []string{params.LoadTestData("testdata/listener/server.yaml.tmpl")}},
+			&driver.Envoy{Bootstrap: params.LoadTestData("testdata/bootstrap/server.yaml.tmpl")},
+			&driver.Envoy{Bootstrap: params.LoadTestData("testdata/bootstrap/client.yaml.tmpl")},
+			&driver.Sleep{Duration: 1 * time.Second},
+			&driver.Repeat{
+				N: 10,
+				Step: &driver.HTTPCall{
+					Port: params.Ports.ClientPort,
+					Body: "hello, world!",
+				},
+			},
+			&driver.Stats{
+				AdminPort: params.Ports.ServerAdmin,
+				Matchers: map[string]driver.StatMatcher{
+					"istio_requests_total": &driver.ExactStat{Metric: "testdata/metric/server_request_total_labels.yaml.tmpl"},
+				},
+			},
+			&driver.Stats{
+				AdminPort: params.Ports.ClientAdmin,
+				Matchers: map[string]driver.StatMatcher{
+					"istio_requests_total": &driver.ExactStat{Metric: "testdata/metric/client_request_total_labels.yaml.tmpl"},
+				},
+			},
+		},
+	}).Run(params); err != nil {
+		t.Fatal(err)
+	}
+}

test/envoye2e/tcp_metadata_exchange/tcp_metadata_exchange_test.go

@@ -66,9 +66,10 @@ func TestTCPMetadataExchange(t *testing.T) {
 						Clusters:  []string{params.LoadTestData("testdata/cluster/tcp_server.yaml.tmpl")},
 						Listeners: []string{params.LoadTestData("testdata/listener/tcp_server.yaml.tmpl")},
 					},
-					&driver.UpdateWorkloadMetadata{Workloads: []driver.WorkloadMetadata{{
-						Address: "127.0.0.1",
-						Metadata: `
+					&driver.UpdateWorkloadMetadata{Workloads: []driver.WorkloadMetadata{
+						{
+							Address: "127.0.0.1",
+							Metadata: `
 namespace: default
 workload_name: productpage-v1
 workload_type: DEPLOYMENT
@@ -76,9 +77,10 @@ canonical_name: productpage-v1
 canonical_revision: version-1
 cluster_id: client-cluster
 uid: //v1/pod/default/productpage
-`}, {
-						Address: "127.0.0.2",
-						Metadata: `
+`,
+						}, {
+							Address: "127.0.0.2",
+							Metadata: `
 namespace: default
 workload_name: ratings-v1
 workload_type: DEPLOYMENT
@@ -86,7 +88,8 @@ canonical_name: ratings
 canonical_revision: version-1
 cluster_id: server-cluster
 uid: //v1/pod/default/ratings
-`},
+`,
+						},
 					}},
 					&driver.Envoy{Bootstrap: params.LoadTestData("testdata/bootstrap/client.yaml.tmpl")},
 					&driver.Envoy{Bootstrap: params.LoadTestData("testdata/bootstrap/server.yaml.tmpl")},
@@ -117,6 +120,68 @@ uid: //v1/pod/default/ratings
 	}
 }
 
+func TestTCPMXAdditionalLabels(t *testing.T) {
+	params := driver.NewTestParams(t, map[string]string{
+		"DisableDirectResponse": "true",
+		"StatsConfig":           driver.LoadTestData("testdata/bootstrap/stats.yaml.tmpl"),
+	}, envoye2e.ProxyE2ETests)
+	mxStats := map[string]driver.StatMatcher{
+		"envoy_metadata_exchange_metadata_added": &driver.ExactStat{Metric: "testdata/metric/tcp_server_mx_stats_metadata_added.yaml.tmpl"},
+	}
+	params.Vars["AlpnProtocol"] = "mx-protocol"
+	mxStats["envoy_metadata_exchange_alpn_protocol_found"] = &driver.ExactStat{Metric: "testdata/metric/tcp_server_mx_stats_alpn_found.yaml.tmpl"}
+	params.Vars["EnableAdditionalLabels"] = "true"
+	params.Vars["ClientMetadata"] = params.LoadTestData("testdata/client_node_metadata.json.tmpl")
+	params.Vars["ServerMetadata"] = params.LoadTestData("testdata/server_node_metadata.json.tmpl")
+	params.Vars["ServerNetworkFilters"] = params.LoadTestData("testdata/filters/server_mx_network_filter.yaml.tmpl") + "\n" +
+		params.LoadTestData("testdata/filters/server_stats_network_filter.yaml.tmpl")
+	params.Vars["ClientUpstreamFilters"] = params.LoadTestData("testdata/filters/client_mx_network_filter.yaml.tmpl")
+	params.Vars["ClientNetworkFilters"] = params.LoadTestData("testdata/filters/client_stats_network_filter.yaml.tmpl")
+	params.Vars["ClientClusterTLSContext"] = params.LoadTestData("testdata/transport_socket/client.yaml.tmpl")
+	params.Vars["ServerListenerTLSContext"] = params.LoadTestData("testdata/transport_socket/server.yaml.tmpl")
+
+	if err := (&driver.Scenario{
+		Steps: []driver.Step{
+			&driver.XDS{},
+			&driver.Update{
+				Node:      "client",
+				Version:   "0",
+				Clusters:  []string{params.LoadTestData("testdata/cluster/tcp_client.yaml.tmpl")},
+				Listeners: []string{params.LoadTestData("testdata/listener/tcp_client.yaml.tmpl")},
+			},
+			&driver.Update{
+				Node:      "server",
+				Version:   "0",
+				Clusters:  []string{params.LoadTestData("testdata/cluster/tcp_server.yaml.tmpl")},
+				Listeners: []string{params.LoadTestData("testdata/listener/tcp_server.yaml.tmpl")},
+			},
+			&driver.Envoy{Bootstrap: params.LoadTestData("testdata/bootstrap/client.yaml.tmpl")},
+			&driver.Envoy{Bootstrap: params.LoadTestData("testdata/bootstrap/server.yaml.tmpl")},
+			&driver.Sleep{Duration: 1 * time.Second},
+			&driver.TCPServer{Prefix: "hello"},
+			&driver.Repeat{
+				N:    10,
+				Step: &driver.TCPConnection{},
+			},
+			&driver.Stats{AdminPort: params.Ports.ClientAdmin, Matchers: map[string]driver.StatMatcher{
+				"istio_tcp_connections_closed_total": &driver.ExactStat{Metric: "testdata/metric/tcp_client_connection_close.yaml.tmpl"},
+				"istio_tcp_connections_opened_total": &driver.ExactStat{Metric: "testdata/metric/tcp_client_connection_open.yaml.tmpl"},
+				"istio_tcp_received_bytes_total":     &driver.ExactStat{Metric: "testdata/metric/tcp_client_received_bytes.yaml.tmpl"},
+				"istio_tcp_sent_bytes_total":         &driver.ExactStat{Metric: "testdata/metric/tcp_client_sent_bytes.yaml.tmpl"},
+			}},
+			&driver.Stats{AdminPort: params.Ports.ServerAdmin, Matchers: map[string]driver.StatMatcher{
+				"istio_tcp_connections_closed_total": &driver.ExactStat{Metric: "testdata/metric/tcp_server_connection_close.yaml.tmpl"},
+				"istio_tcp_connections_opened_total": &driver.ExactStat{Metric: "testdata/metric/tcp_server_connection_open.yaml.tmpl"},
+				"istio_tcp_received_bytes_total":     &driver.ExactStat{Metric: "testdata/metric/tcp_server_received_bytes.yaml.tmpl"},
+				"istio_tcp_sent_bytes_total":         &driver.ExactStat{Metric: "testdata/metric/tcp_server_sent_bytes.yaml.tmpl"},
+			}},
+			&driver.Stats{AdminPort: params.Ports.ServerAdmin, Matchers: mxStats},
+		},
+	}).Run(params); err != nil {
+		t.Fatal(err)
+	}
+}
+
 func TestTCPMetadataExchangeNoAlpn(t *testing.T) {
 	params := driver.NewTestParams(t, map[string]string{
 		"DisableDirectResponse": "true",
@@ -234,9 +299,10 @@ func TestTCPMetadataNotFoundReporting(t *testing.T) {
 				Clusters:  []string{params.LoadTestData("testdata/cluster/tcp_client_unknown.yaml.tmpl")},
 				Listeners: []string{params.LoadTestData("testdata/listener/tcp_client.yaml.tmpl")},
 			},
-			&driver.UpdateWorkloadMetadata{Workloads: []driver.WorkloadMetadata{{
-				Address: "127.0.0.1",
-				Metadata: `
+			&driver.UpdateWorkloadMetadata{Workloads: []driver.WorkloadMetadata{
+				{
+					Address: "127.0.0.1",
+					Metadata: `
 namespace: default
 workload_name: productpage-v1
 workload_type: DEPLOYMENT
@@ -244,7 +310,8 @@ canonical_name: productpage-v1
 canonical_revision: version-1
 cluster_id: client-cluster
 uid: //v1/pod/default/productpage
-`},
+`,
+				},
 			}},
 			&driver.Envoy{Bootstrap: params.LoadTestData("testdata/bootstrap/client.yaml.tmpl")},
 			&driver.Sleep{Duration: 1 * time.Second},

testdata/certs/stackdriver.key

@@ -1,27 +0,0 @@
------BEGIN RSA PRIVATE KEY-----
-MIIEowIBAAKCAQEAte/T9swhDpn0WlUtkdcE6giqD5/ixS5PbkaNvz9a4rw1CnJ/
-MxXlNJLURPhEzlVqyWfFqAui6ibHr/fKYKqvZKhMJo7FwAXw0FXYkYm4pG6RuV1f
-RpPaMQTLfox4ojQ5hbEM65+yNiGRxTq6opbuH6oYoHGNyaOsl28GfUSwF37PbhGt
-9IaVp1tPHg+SMTJ8eFT46+NjoxizMZxPW8l1xphqhrWPv0qUbVtWRV5emTpu6iks
-yFxNu6yivNJsKqeHrZZDb0LnCFkNA4jKhM+kw6Bq0Tej4zb8AFVIgAp8RUNgvPGt
-pyUWa7dL6UNd0P+6QXy52Y5vrVZRIc5pNxjlswIDAQABAoIBAAgF3WkCs2p7a4UY
-QHwv6S2Q2D78I/niAuqv/cwzNQTOm+AsEGPmUUcyOl4YPKCEr8LV6qdwa+y7bQ7b
-dHcyz602prUEkr/XAzmMr5IrapMFtTNhZLQuDO8gcQDRnPg6KVc16YXyct9kN5Nk
-9Zn54eJPk+pvV3tO1muPH9AiWUmP4PFxnjYQTQwA9jj7s1diYqK+9cr+BpkiI5IA
-WVVAOwse6KuStb0hQM3YyoUMQ7zxepCi4cgjFeXfPWblFsQrml46Xc3LsYKh19e6
-NxfFJ1833yYUzmy34hNPH0ZARtMcx/8FU4v2LvjR544cLioI8mtqfXd43UjlBS2r
-/iBewaECgYEA5EeXPPHvdM58Vg0XZCGCZME244jTl7KAnMP9ThM8+I0Ypn6M6Ids
-HX83682b2BZfW2MfhWs7HvO9/g4qgycLrL2EM2JICtzCcOKe3FExB/jwnrTO3D54
-DzIXxU9JL1/E09Bdkte5t4hEJ2RvswPMCUejOT6Hjnf9BvocxO8/SDsCgYEAzAea
-LyJB0JDD2NPa61oe0UgShS5IhmOvO8wOUnWWNP/s6pxSWO0yF1eWAfTEZ5PuyO6M
-t5KOT9NY0/kFTg/6PDcMNqhlZXFFQArDadzJvS32+/L1DD9hqsunZ25yi30uMpa2
-9JsuKra6JtIX2bsIbGHDdL0wn4CdqwBv7qgl+OkCgYAoATfK0WcyZCE7/01TGeA9
-AfM5irfyBLEvR9VzQkHUGP3x54mQEnNq8+l75GtkQf9yB3v1qKYStYpdJGRk2Ynd
-OtUZICcZ6DgXCk/msj/SctjQJ0V9KWFm4FN0G4Hq0HCw4foUCsQcGsA+2wYMLCUs
-lyZOmNuupu5rs5cpF/hSEwKBgQCXRGem3GIpTLs3LdMYPOeuSB4bCbaRlKSd0+sm
-bbGgt8IiKyXOcoV50uEPsDZRiNc3t80yaQED4/Dur6ikOKpRLIrslysd673o/lHl
-UeFsVgDQyU+u9ermYzlJMRTRoEy5Cw64CblPx8v57jfqoIVdPZpZGc9L4mKDHr7e
-FWKZyQKBgHZCTc6SHxbWYJX8fIEc4gpQiKs60MNj8Gt+dorn0mx5RvbRw8aNwenJ
-UUk0O8HBQtJ74giSAY/iLa8LCqTIPvwTYOjahZvdSqtQhmGawebye70jJ703JLmm
-uCkUhbGCgaCjciAIYMdHToZhWX2AHgou1aZcmnktJpxx6zEZ3RWb
------END RSA PRIVATE KEY-----

testdata/certs/stackdriver.pem

@@ -1,21 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIDgzCCAmugAwIBAgIUWuIdooRJ4EbBKVPXu4RxWMjdNb0wDQYJKoZIhvcNAQEL
-BQAwUTELMAkGA1UEBhMCVVMxCzAJBgNVBAgMAkNBMSEwHwYDVQQKDBhJbnRlcm5l
-dCBXaWRnaXRzIFB0eSBMdGQxEjAQBgNVBAMMCWxvY2FsaG9zdDAeFw0yMDAyMjAw
-MDM1NTNaFw0zMDAyMTcwMDM1NTNaMFExCzAJBgNVBAYTAlVTMQswCQYDVQQIDAJD
-QTEhMB8GA1UECgwYSW50ZXJuZXQgV2lkZ2l0cyBQdHkgTHRkMRIwEAYDVQQDDAls
-b2NhbGhvc3QwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC179P2zCEO
-mfRaVS2R1wTqCKoPn+LFLk9uRo2/P1rivDUKcn8zFeU0ktRE+ETOVWrJZ8WoC6Lq
-Jsev98pgqq9kqEwmjsXABfDQVdiRibikbpG5XV9Gk9oxBMt+jHiiNDmFsQzrn7I2
-IZHFOrqilu4fqhigcY3Jo6yXbwZ9RLAXfs9uEa30hpWnW08eD5IxMnx4VPjr42Oj
-GLMxnE9byXXGmGqGtY+/SpRtW1ZFXl6ZOm7qKSzIXE27rKK80mwqp4etlkNvQucI
-WQ0DiMqEz6TDoGrRN6PjNvwAVUiACnxFQ2C88a2nJRZrt0vpQ13Q/7pBfLnZjm+t
-VlEhzmk3GOWzAgMBAAGjUzBRMB0GA1UdDgQWBBRHexBONqhsiM5OtjGMI0zNS2O9
-kDAfBgNVHSMEGDAWgBRHexBONqhsiM5OtjGMI0zNS2O9kDAPBgNVHRMBAf8EBTAD
-AQH/MA0GCSqGSIb3DQEBCwUAA4IBAQCPupx7dcgg0W92x40VsOxNs1mkVcM1pTeV
-OFykviaGwmSuNivIWilhV2Ap2DUlLa/FyR7ZIbJEKOdaREQD9p9dO03ZZTsSexKn
-9Cqkdv6J+a4AjNAyvqMKv8J6uGBiLLyDdwAInVUz5F4VcRf1BfzF8TW48wBHsZKr
-buG4AC68BJ5NdwaZ704kwq4ymNaQNMccna5tBDBumqy06uRdbw6lB9lCqDuc+DQV
-i8IdktB8ppiQmsXYNirnd5VhUykO/LknObcv3Y4rbqj+JLAWHrR4ibpdn1e+85by
-ZxVLTAnP6SvWwtvswDXLRXIAtAzK5m5Nl0MNg6KjG3U4I1yV/Ps3
------END CERTIFICATE-----

testdata/client_node_metadata.json.tmpl

@@ -10,7 +10,8 @@
     "pod-template-hash": "84975bc778",
     "version": "v1",
     "service.istio.io/canonical-name": "productpage-v1",
-    "service.istio.io/canonical-revision": "version-1"
+    "service.istio.io/canonical-revision": "version-1",
+    "role": "client"
 },
 "MESH_ID": "mesh",
 "NAME": "productpage-v1-84975bc778-pxz2w",

testdata/cluster/internal_outbound.yaml.tmpl

@@ -1,4 +1,11 @@
 name: internal_outbound
+metadata:
+  filter_metadata:
+    istio:
+      services:
+        - host: server.default.svc.cluster.local
+          name: server
+          namespace: default
 load_assignment:
   cluster_name: internal_outbound
   endpoints:
@@ -12,6 +19,8 @@ load_assignment:
         filter_metadata:
           envoy.filters.listener.original_dst:
             local: 127.0.0.2:{{ .Ports.ServerPort }}
+          istio:
+            workload: ratings-v1;default;ratings;version-1;server-cluster
 {{- end }}
 transport_socket:
   name: envoy.transport_sockets.internal_upstream

testdata/filters/client_mx_network_filter.yaml.tmpl

@@ -7,3 +7,7 @@
 {{- if eq .Vars.EnableMetadataDiscovery "true" }}
       enable_discovery: true
 {{- end }}
+{{- if eq .Vars.EnableAdditionalLabels "true" }}
+      additional_labels:
+      - role
+{{- end }}

testdata/filters/client_stats_network_filter.yaml.tmpl

@@ -18,4 +18,10 @@
     type_url: type.googleapis.com/stats.PluginConfig
     value:
       tcp_reporting_duration: 1s
+      {{- if eq .Vars.EnableAdditionalLabels "true" }}
+      metrics:
+      - name: tcp_connections_opened_total
+        dimensions:
+          role: filter_state.upstream_peer.labels['role']
+      {{- end }}
 {{ end }}

testdata/filters/mx_native_inbound_labels.yaml.tmpl

@@ -0,0 +1,11 @@
+- name: mx_inbound{{.N}}
+  typed_config:
+    "@type": type.googleapis.com/udpa.type.v1.TypedStruct
+    type_url: type.googleapis.com/io.istio.http.peer_metadata.Config
+    value:
+      downstream_discovery:
+      - istio_headers: {}
+      downstream_propagation:
+      - istio_headers: {}
+      additional_labels:
+      - role

testdata/filters/mx_native_outbound.yaml.tmpl

@@ -5,5 +5,6 @@
     value:
       upstream_discovery:
       - istio_headers: {}
+      - workload_discovery: {}
       upstream_propagation:
       - istio_headers: {}

testdata/filters/mx_native_outbound_labels.yaml.tmpl

@@ -0,0 +1,11 @@
+- name: mx_outbound{{.N}}
+  typed_config:
+    "@type": type.googleapis.com/udpa.type.v1.TypedStruct
+    type_url: type.googleapis.com/io.istio.http.peer_metadata.Config
+    value:
+      upstream_discovery:
+      - istio_headers: {}
+      upstream_propagation:
+      - istio_headers: {}
+      additional_labels:
+      - role

testdata/filters/mx_waypoint_tcp.yaml.tmpl

@@ -0,0 +1,7 @@
+- name: tc_mx_inbound{{.N}}
+  typed_config:
+    "@type": type.googleapis.com/udpa.type.v1.TypedStruct
+    type_url: type.googleapis.com/envoy.tcp.metadataexchange.config.MetadataExchange
+    value:
+      protocol: "istio-peer-exchange"
+      enable_discovery: true

testdata/filters/server_mx_network_filter.yaml.tmpl

@@ -7,3 +7,7 @@
 {{- if eq .Vars.EnableMetadataDiscovery "true" }}
       enable_discovery: true
 {{- end }}
+{{- if eq .Vars.EnableAdditionalLabels "true" }}
+      additional_labels:
+      - role
+{{- end }}

testdata/filters/server_stats_network_filter.yaml.tmpl

@@ -18,4 +18,10 @@
     type_url: type.googleapis.com/stats.PluginConfig
     value:
       tcp_reporting_duration: 1s
+    {{- if eq .Vars.EnableAdditionalLabels "true" }}
+      metrics:
+      - name: tcp_connections_opened_total
+        dimensions:
+          role: filter_state.downstream_peer.labels['role']
+    {{- end }}
 {{ end }}

testdata/filters/stackdriver_inbound.yaml.tmpl

@@ -1,20 +0,0 @@
-- name: stackdriver_inbound
-  typed_config:
-    "@type": type.googleapis.com/udpa.type.v1.TypedStruct
-    type_url: envoy.extensions.filters.http.wasm.v3.Wasm
-    value:
-      config:
-        root_id: "stackdriver_inbound"
-        vm_config:
-          {{- if .Vars.ReloadVM }}
-          vm_id: "stackdriver_inbound_{{ .Vars.Version }}"
-          {{- else }}
-          vm_id: "stackdriver_inbound"
-          {{- end }}
-          runtime: "envoy.wasm.runtime.null"
-          code:
-            local: { inline_string: "envoy.wasm.null.stackdriver" }
-        configuration:
-          "@type": "type.googleapis.com/google.protobuf.StringValue"
-          value: |
-            {"enable_audit_log": true, "metric_expiry_duration": "10s", "metrics_overrides": {"server/request_count":{"tag_overrides":{"api_version":"'v12'"}}, "server/request_bytes":{"drop": true}, "server/connection_open_count":{"tag_overrides":{"mesh_uid":"'override'", "foo":"'ignored'"}}}}

testdata/filters/stackdriver_inbound_logs_filter.yaml.tmpl

@@ -1,20 +0,0 @@
-- name: stackdriver_inbound
-  typed_config:
-    "@type": type.googleapis.com/udpa.type.v1.TypedStruct
-    type_url: envoy.extensions.filters.http.wasm.v3.Wasm
-    value:
-      config:
-        root_id: "stackdriver_inbound"
-        vm_config:
-          {{- if .Vars.ReloadVM }}
-          vm_id: "stackdriver_inbound_{{ .Vars.Version }}"
-          {{- else }}
-          vm_id: "stackdriver_inbound"
-          {{- end }}
-          runtime: "envoy.wasm.runtime.null"
-          code:
-            local: { inline_string: "envoy.wasm.null.stackdriver" }
-        configuration:
-          "@type": "type.googleapis.com/google.protobuf.StringValue"
-          value: |
-            {"access_logging_filter_expression": "request.headers['x-filter'] != 'filter'"}

testdata/filters/stackdriver_network_inbound.yaml.tmpl

@@ -1,20 +0,0 @@
-- name: envoy.filters.network.wasm
-  typed_config:
-    "@type": type.googleapis.com/udpa.type.v1.TypedStruct
-    type_url: envoy.extensions.filters.network.wasm.v3.Wasm
-    value:
-      config:
-        root_id: "stackdriver_inbound"
-        vm_config:
-          {{- if .Vars.ReloadVM }}
-          vm_id: "stackdriver_inbound_{{ .Vars.Version }}"
-          {{- else }}
-          vm_id: "stackdriver_inbound"
-          {{- end }}
-          runtime: "envoy.wasm.runtime.null"
-          code:
-            local: { inline_string: "envoy.wasm.null.stackdriver" }
-        configuration:
-          "@type": "type.googleapis.com/google.protobuf.StringValue"
-          value: |
-            {"metrics_overrides": {"server/request_bytes":{"drop": true}, "server/connection_open_count":{"tag_overrides":{"mesh_uid":"'override'"}}}}

testdata/filters/stackdriver_network_outbound.yaml.tmpl

@@ -1,20 +0,0 @@
-- name: envoy.filters.network.wasm
-  typed_config:
-    "@type": type.googleapis.com/udpa.type.v1.TypedStruct
-    type_url: envoy.extensions.filters.network.wasm.v3.Wasm
-    value:
-      config:
-        root_id: "stackdriver_outbound"
-        vm_config:
-          {{- if .Vars.ReloadVM }}
-          vm_id: "stackdriver_outbound_{{ .Vars.Version }}"
-          {{- else }}
-          vm_id: "stackdriver_outbound"
-          {{- end }}
-          runtime: "envoy.wasm.runtime.null"
-          code:
-            local: { inline_string: "envoy.wasm.null.stackdriver" }
-        configuration:
-          "@type": "type.googleapis.com/google.protobuf.StringValue"
-          value: |
-            {"access_logging": "FULL", "metrics_overrides": {"client/request_bytes":{"drop": true}, "client/request_count":{"tag_overrides":{"request_operation":"'override'"}}}}

testdata/filters/stackdriver_outbound.yaml.tmpl

@@ -1,26 +0,0 @@
-- name: stackdriver_outbound
-  typed_config:
-    "@type": type.googleapis.com/udpa.type.v1.TypedStruct
-    type_url: envoy.extensions.filters.http.wasm.v3.Wasm
-    value:
-      config:
-        root_id: "stackdriver_outbound"
-        vm_config:
-          {{- if .Vars.ReloadVM }}
-          vm_id: "stackdriver_outbound_{{ .Vars.Version }}"
-          {{- else }}
-          vm_id: "stackdriver_outbound"
-          {{- end }}
-          runtime: "envoy.wasm.runtime.null"
-          code:
-            local: { inline_string: "envoy.wasm.null.stackdriver" }
-        configuration:
-          "@type": "type.googleapis.com/google.protobuf.StringValue"
-          value: |
-            {{- if .Vars.JustSendErrorClientLog }}
-            {"access_logging": "ERRORS_ONLY", "enable_audit_log": true, "metrics_overrides": {"client/request_bytes":{"drop": true}, "client/request_count":{"tag_overrides":{"request_operation":"'override'"}}}}
-            {{- else if .Vars.StackdriverFilterCustomClientConfig }}
-            {{ .Vars.StackdriverFilterCustomClientConfig | fill }}
-            {{- else }}
-            {"access_logging": "FULL", "enable_audit_log": true, "metrics_overrides": {"client/request_bytes":{"drop": true}, "client/request_count":{"tag_overrides":{"request_operation":"'override'"}}}}
-            {{- end }}

testdata/filters/stackdriver_outbound_logs_filter.yaml.tmpl

@@ -1,20 +0,0 @@
-- name: stackdriver_outbound
-  typed_config:
-    "@type": type.googleapis.com/udpa.type.v1.TypedStruct
-    type_url: envoy.extensions.filters.http.wasm.v3.Wasm
-    value:
-      config:
-        root_id: "stackdriver_outbound"
-        vm_config:
-          {{- if .Vars.ReloadVM }}
-          vm_id: "stackdriver_outbound_{{ .Vars.Version }}"
-          {{- else }}
-          vm_id: "stackdriver_outbound"
-          {{- end }}
-          runtime: "envoy.wasm.runtime.null"
-          code:
-            local: { inline_string: "envoy.wasm.null.stackdriver" }
-        configuration:
-          "@type": "type.googleapis.com/google.protobuf.StringValue"
-          value: |
-            {"access_logging": "FULL", "access_logging_filter_expression": "request.headers['x-filter'] != 'filter'"}

testdata/listener/tcp_client.yaml.tmpl

@@ -20,4 +20,8 @@ filter_chains:
       type_url: envoy.extensions.filters.network.tcp_proxy.v3.TcpProxy
       value:
         stat_prefix: outbound_tcp
+        {{- if .Vars.ServerClusterName }}
+        cluster: {{ .Vars.ServerClusterName}}
+        {{- else }}
         cluster: outbound|9080|tcp|server.default.svc.cluster.local
+        {{- end }}

testdata/listener/tcp_waypoint_server.yaml.tmpl

@@ -0,0 +1,29 @@
+{{- if ne .Vars.ServerListeners "" }}
+{{ .Vars.ServerListeners }}
+{{- else }}
+{{- if ne .Vars.ServerInternalAddress "" }}
+name: {{ .Vars.ServerInternalAddress }}
+{{- else }}
+name: server
+{{- end }}
+traffic_direction: INBOUND
+{{- if ne .Vars.ServerInternalAddress "" }}
+internal_listener: {}
+{{- else }}
+address:
+  socket_address:
+    address: 127.0.0.2
+    port_value: {{ .Ports.ServerPort }}
+{{- end }}
+filter_chains:
+- filters:
+{{ .Vars.ServerNetworkFilters | fill | indent 2 }}
+  - name: tcp_proxy
+    typed_config:
+      "@type": type.googleapis.com/udpa.type.v1.TypedStruct
+      type_url: envoy.extensions.filters.network.tcp_proxy.v3.TcpProxy
+      value:
+        stat_prefix: server_inbound_tcp
+        cluster: server-inbound-cluster
+{{ .Vars.ServerListenerTLSContext | indent 2 }}
+{{- end }}

testdata/metric/client_request_total_labels.yaml.tmpl

@@ -0,0 +1,62 @@
+name: istio_requests_total
+type: COUNTER
+metric:
+- counter:
+    value: {{ .Vars.RequestCount }}
+  label:
+  - name: reporter
+    value: source
+  - name: source_workload
+    value: productpage-v1
+  - name: source_canonical_service
+    value: productpage-v1
+  - name: source_canonical_revision
+    value: version-1
+  - name: source_workload_namespace
+    value: default
+  - name: source_principal
+    value: unknown
+  - name: source_app
+    value: productpage
+  - name: source_version
+    value: v1
+  - name: source_cluster
+    value: client-cluster
+  - name: destination_workload
+    value: ratings-v1
+  - name: destination_workload_namespace
+    value: default
+  - name: destination_principal
+    value: unknown
+  - name: destination_app
+    value: ratings
+  - name: destination_version
+    value: v1
+  - name: destination_service
+    value: server.default.svc.cluster.local
+  - name: destination_canonical_service
+    value: ratings
+  - name: destination_canonical_revision
+    value: version-1
+  - name: destination_service_name
+    value: server
+  - name: destination_service_namespace
+    value: default
+  - name: destination_cluster
+    value: server-cluster
+  - name: request_protocol
+    {{- if .Vars.GrpcResponseStatus }}
+    value: grpc
+    {{- else }}
+    value: http
+    {{- end }}
+  - name: response_code
+    value: "200"
+  - name: grpc_response_status
+    value: "{{ .Vars.GrpcResponseStatus }}"
+  - name: response_flags
+    value: "-"
+  - name: connection_security_policy
+    value: unknown
+  - name: role
+    value: server

testdata/metric/client_sidecar_connect_request_total.yaml.tmpl

@@ -0,0 +1,60 @@
+name: istio_requests_total
+type: COUNTER
+metric:
+- counter:
+    value: {{ .Vars.RequestCount }}
+  label:
+  - name: reporter
+    value: source
+  - name: source_workload
+    value: productpage-v1
+  - name: source_canonical_service
+    value: productpage-v1
+  - name: source_canonical_revision
+    value: version-1
+  - name: source_workload_namespace
+    value: default
+  - name: source_principal
+    value: unknown
+  - name: source_app
+    value: productpage
+  - name: source_version
+    value: v1
+  - name: source_cluster
+    value: client-cluster
+  - name: destination_workload
+    value: ratings-v1
+  - name: destination_workload_namespace
+    value: default
+  - name: destination_principal
+    value: spiffe://cluster.global/ns/default/sa/ratings
+  - name: destination_app
+    value: ratings
+  - name: destination_version
+    value: version-1
+  - name: destination_service
+    value: server.default.svc.cluster.local
+  - name: destination_canonical_service
+    value: ratings
+  - name: destination_canonical_revision
+    value: version-1
+  - name: destination_service_name
+    value: server
+  - name: destination_service_namespace
+    value: default
+  - name: destination_cluster
+    value: ratings-cluster
+  - name: request_protocol
+    {{- if .Vars.GrpcResponseStatus }}
+    value: grpc
+    {{- else }}
+    value: http
+    {{- end }}
+  - name: response_code
+    value: "200"
+  - name: grpc_response_status
+    value: "{{ .Vars.GrpcResponseStatus }}"
+  - name: response_flags
+    value: "-"
+  - name: connection_security_policy
+    value: unknown # Because we can't verify the source principal (dumb reason)

testdata/metric/server_request_total_labels.yaml.tmpl

@@ -0,0 +1,62 @@
+name: istio_requests_total
+type: COUNTER
+metric:
+- counter:
+    value: {{ .Vars.RequestCount }}
+  label:
+  - name: reporter
+    value: destination
+  - name: source_workload
+    value: productpage-v1
+  - name: source_canonical_service
+    value: productpage-v1
+  - name: source_canonical_revision
+    value: version-1
+  - name: source_workload_namespace
+    value: default
+  - name: source_principal
+    value: unknown
+  - name: source_app
+    value: productpage
+  - name: source_version
+    value: v1
+  - name: source_cluster
+    value: client-cluster
+  - name: destination_workload
+    value: ratings-v1
+  - name: destination_workload_namespace
+    value: default
+  - name: destination_principal
+    value: unknown
+  - name: destination_app
+    value: ratings
+  - name: destination_version
+    value: v1
+  - name: destination_service
+    value: server.default.svc.cluster.local
+  - name: destination_canonical_service
+    value: ratings
+  - name: destination_canonical_revision
+    value: version-1
+  - name: destination_service_name
+    value: server
+  - name: destination_service_namespace
+    value: default
+  - name: destination_cluster
+    value: server-cluster
+  - name: request_protocol
+    {{- if .Vars.GrpcResponseStatus }}
+    value: grpc
+    {{- else }}
+    value: http
+    {{- end }}
+  - name: response_code
+    value: "200"
+  - name: grpc_response_status
+    value: "{{ .Vars.GrpcResponseStatus }}"
+  - name: response_flags
+    value: "-"
+  - name: connection_security_policy
+    value: none
+  - name: role
+    value: client

testdata/metric/server_waypoint_proxy_connect_connections_opened_total.yaml.tmpl

@@ -0,0 +1,52 @@
+name: istio_tcp_connections_opened_total
+type: COUNTER
+metric:
+- counter:
+    value: 10
+  label:
+  - name: reporter
+    value: waypoint
+  - name: source_workload
+    value: productpage-v1
+  - name: source_canonical_service
+    value: unknown
+  - name: source_canonical_revision
+    value: latest
+  - name: source_workload_namespace
+    value: default
+  - name: source_principal
+    value: spiffe://cluster.local/ns/default/sa/client
+  - name: source_app
+    value: unknown
+  - name: source_version
+    value: unknown
+  - name: source_cluster
+    value: unknown
+  - name: destination_workload
+    value: ratings-v1
+  - name: destination_workload_namespace
+    value: default
+  - name: destination_principal
+    value: spiffe://cluster.global/ns/default/sa/ratings
+  - name: destination_app
+    value: ratings
+  - name: destination_version
+    value: version-1
+  - name: destination_service
+    value: server.default.svc.cluster.local
+  - name: destination_canonical_service
+    value: ratings
+  - name: destination_canonical_revision
+    value: version-1
+  - name: destination_service_name
+    value: server
+  - name: destination_service_namespace
+    value: default
+  - name: destination_cluster
+    value: ratings-cluster
+  - name: request_protocol
+    value: tcp
+  - name: response_flags
+    value: "-"
+  - name: connection_security_policy
+    value: mutual_tls

testdata/metric/server_waypoint_proxy_connect_emptymeta_request_total.yaml.tmpl

@@ -0,0 +1,60 @@
+name: istio_requests_total
+type: COUNTER
+metric:
+- counter:
+    value: {{ .Vars.RequestCount }}
+  label:
+  - name: reporter
+    value: waypoint
+  - name: source_workload
+    value: productpage-v1
+  - name: source_canonical_service
+    value: unknown
+  - name: source_canonical_revision
+    value: latest
+  - name: source_workload_namespace
+    value: default
+  - name: source_principal
+    value: spiffe://cluster.local/ns/default/sa/client
+  - name: source_app
+    value: unknown
+  - name: source_version
+    value: unknown
+  - name: source_cluster
+    value: unknown
+  - name: destination_workload
+    value: unknown
+  - name: destination_workload_namespace
+    value: default
+  - name: destination_principal
+    value: spiffe://cluster.local/ns/default/sa/default
+  - name: destination_app
+    value: unknown
+  - name: destination_version
+    value: unknown
+  - name: destination_service
+    value: server.default.svc.cluster.local
+  - name: destination_canonical_service
+    value: unknown
+  - name: destination_canonical_revision
+    value: unknown
+  - name: destination_service_name
+    value: server
+  - name: destination_service_namespace
+    value: default
+  - name: destination_cluster
+    value: unknown
+  - name: request_protocol
+    {{- if .Vars.GrpcResponseStatus }}
+    value: grpc
+    {{- else }}
+    value: http
+    {{- end }}
+  - name: response_code
+    value: "200"
+  - name: grpc_response_status
+    value: "{{ .Vars.GrpcResponseStatus }}"
+  - name: response_flags
+    value: "-"
+  - name: connection_security_policy
+    value: mutual_tls

testdata/metric/server_waypoint_proxy_connect_request_total.yaml.tmpl

@@ -43,7 +43,7 @@ metric:
   - name: destination_service_namespace
     value: default
   - name: destination_cluster
-    value: server-cluster
+    value: ratings-cluster
   - name: request_protocol
     {{- if .Vars.GrpcResponseStatus }}
     value: grpc

testdata/metric/server_waypoint_proxy_request_total.yaml.tmpl

@@ -43,7 +43,7 @@ metric:
   - name: destination_service_namespace
     value: default
   - name: destination_cluster
-    value: server-cluster
+    value: ratings-cluster
   - name: request_protocol
     {{- if .Vars.GrpcResponseStatus }}
     value: grpc

testdata/metric/stackdriver_callout_metric.yaml.tmpl

@@ -1,8 +0,0 @@
-name: type_logging_success_true_envoy_export_call
-type: COUNTER
-metric:
-- counter:
-    value: 1
-  label:
-  - name: wasm_filter
-    value: stackdriver_filter

testdata/metric/stackdriver_gateway_callout_metric.yaml.tmpl

@@ -1,8 +0,0 @@
-name: type_logging_success_true_envoy_export_call
-type: COUNTER
-metric:
-- counter:
-    value: 2
-  label:
-  - name: wasm_filter
-    value: stackdriver_filter

testdata/metric/tcp_client_connection_open.yaml.tmpl

@@ -55,3 +55,7 @@ metric:
     value: "-"
   - name: connection_security_policy
     value: unknown
+{{- if eq .Vars.EnableAdditionalLabels "true" }}
+  - name: role
+    value: unknown
+{{- end }}

testdata/metric/tcp_server_connection_open.yaml.tmpl

@@ -57,3 +57,7 @@ metric:
     value: "-"
   - name: connection_security_policy
     value: mutual_tls
+{{- if eq .Vars.EnableAdditionalLabels "true" }}
+  - name: role
+    value: client
+{{- end }}

testdata/server_node_metadata.json.tmpl

@@ -10,7 +10,8 @@
     "pod-template-hash": "84975bc778",
     "version": "v1",
     "service.istio.io/canonical-name": "ratings",
-    "service.istio.io/canonical-revision": "version-1"
+    "service.istio.io/canonical-revision": "version-1",
+    "role": "server"
 },
 "MESH_ID": "proj-123",
 "NAME": "ratings-v1-84975bc778-pxz2w",

testdata/stats/client_additional_labels.yaml

@@ -0,0 +1,4 @@
+metrics:
+  - name: requests_total
+    dimensions:
+      role: filter_state.upstream_peer.labels['role']

testdata/stats/server_additional_labels.yaml

@@ -0,0 +1,4 @@
+metrics:
+  - name: requests_total
+    dimensions:
+      role: filter_state.downstream_peer.labels['role']

testdata/testdata.gen.go

@@ -12,6 +12,7 @@
 // listener/tcp_client.yaml.tmpl
 // listener/tcp_passthrough.yaml.tmpl
 // listener/tcp_server.yaml.tmpl
+// listener/tcp_waypoint_server.yaml.tmpl
 // listener/terminate_connect.yaml.tmpl
 package testdata
 
@@ -746,7 +747,11 @@ filter_chains:
       type_url: envoy.extensions.filters.network.tcp_proxy.v3.TcpProxy
       value:
         stat_prefix: outbound_tcp
+        {{- if .Vars.ServerClusterName }}
+        cluster: {{ .Vars.ServerClusterName}}
+        {{- else }}
         cluster: outbound|9080|tcp|server.default.svc.cluster.local
+        {{- end }}
 `)
 
 func listenerTcp_clientYamlTmplBytes() ([]byte, error) {
@@ -847,6 +852,52 @@ func listenerTcp_serverYamlTmpl() (*asset, error) {
 	return a, nil
 }
 
+var _listenerTcp_waypoint_serverYamlTmpl = []byte(`{{- if ne .Vars.ServerListeners "" }}
+{{ .Vars.ServerListeners }}
+{{- else }}
+{{- if ne .Vars.ServerInternalAddress "" }}
+name: {{ .Vars.ServerInternalAddress }}
+{{- else }}
+name: server
+{{- end }}
+traffic_direction: INBOUND
+{{- if ne .Vars.ServerInternalAddress "" }}
+internal_listener: {}
+{{- else }}
+address:
+  socket_address:
+    address: 127.0.0.2
+    port_value: {{ .Ports.ServerPort }}
+{{- end }}
+filter_chains:
+- filters:
+{{ .Vars.ServerNetworkFilters | fill | indent 2 }}
+  - name: tcp_proxy
+    typed_config:
+      "@type": type.googleapis.com/udpa.type.v1.TypedStruct
+      type_url: envoy.extensions.filters.network.tcp_proxy.v3.TcpProxy
+      value:
+        stat_prefix: server_inbound_tcp
+        cluster: server-inbound-cluster
+{{ .Vars.ServerListenerTLSContext | indent 2 }}
+{{- end }}
+`)
+
+func listenerTcp_waypoint_serverYamlTmplBytes() ([]byte, error) {
+	return _listenerTcp_waypoint_serverYamlTmpl, nil
+}
+
+func listenerTcp_waypoint_serverYamlTmpl() (*asset, error) {
+	bytes, err := listenerTcp_waypoint_serverYamlTmplBytes()
+	if err != nil {
+		return nil, err
+	}
+
+	info := bindataFileInfo{name: "listener/tcp_waypoint_server.yaml.tmpl", size: 0, mode: os.FileMode(0), modTime: time.Unix(0, 0)}
+	a := &asset{bytes: bytes, info: info}
+	return a, nil
+}
+
 var _listenerTerminate_connectYamlTmpl = []byte(`name: terminate_connect
 address:
   socket_address:
@@ -1051,6 +1102,7 @@ var _bindata = map[string]func() (*asset, error){
 	"listener/tcp_client.yaml.tmpl":                          listenerTcp_clientYamlTmpl,
 	"listener/tcp_passthrough.yaml.tmpl":                     listenerTcp_passthroughYamlTmpl,
 	"listener/tcp_server.yaml.tmpl":                          listenerTcp_serverYamlTmpl,
+	"listener/tcp_waypoint_server.yaml.tmpl":                 listenerTcp_waypoint_serverYamlTmpl,
 	"listener/terminate_connect.yaml.tmpl":                   listenerTerminate_connectYamlTmpl,
 }
 
@@ -1103,14 +1155,15 @@ var _bintree = &bintree{nil, map[string]*bintree{
 		"stats.yaml.tmpl":                              &bintree{bootstrapStatsYamlTmpl, map[string]*bintree{}},
 	}},
 	"listener": &bintree{nil, map[string]*bintree{
-		"client.yaml.tmpl":             &bintree{listenerClientYamlTmpl, map[string]*bintree{}},
-		"client_passthrough.yaml.tmpl": &bintree{listenerClient_passthroughYamlTmpl, map[string]*bintree{}},
-		"internal_outbound.yaml.tmpl":  &bintree{listenerInternal_outboundYamlTmpl, map[string]*bintree{}},
-		"server.yaml.tmpl":             &bintree{listenerServerYamlTmpl, map[string]*bintree{}},
-		"tcp_client.yaml.tmpl":         &bintree{listenerTcp_clientYamlTmpl, map[string]*bintree{}},
-		"tcp_passthrough.yaml.tmpl":    &bintree{listenerTcp_passthroughYamlTmpl, map[string]*bintree{}},
-		"tcp_server.yaml.tmpl":         &bintree{listenerTcp_serverYamlTmpl, map[string]*bintree{}},
-		"terminate_connect.yaml.tmpl":  &bintree{listenerTerminate_connectYamlTmpl, map[string]*bintree{}},
+		"client.yaml.tmpl":              &bintree{listenerClientYamlTmpl, map[string]*bintree{}},
+		"client_passthrough.yaml.tmpl":  &bintree{listenerClient_passthroughYamlTmpl, map[string]*bintree{}},
+		"internal_outbound.yaml.tmpl":   &bintree{listenerInternal_outboundYamlTmpl, map[string]*bintree{}},
+		"server.yaml.tmpl":              &bintree{listenerServerYamlTmpl, map[string]*bintree{}},
+		"tcp_client.yaml.tmpl":          &bintree{listenerTcp_clientYamlTmpl, map[string]*bintree{}},
+		"tcp_passthrough.yaml.tmpl":     &bintree{listenerTcp_passthroughYamlTmpl, map[string]*bintree{}},
+		"tcp_server.yaml.tmpl":          &bintree{listenerTcp_serverYamlTmpl, map[string]*bintree{}},
+		"tcp_waypoint_server.yaml.tmpl": &bintree{listenerTcp_waypoint_serverYamlTmpl, map[string]*bintree{}},
+		"terminate_connect.yaml.tmpl":   &bintree{listenerTerminate_connectYamlTmpl, map[string]*bintree{}},
 	}},
 }}
 

tools/gen_compilation_database.py

@@ -0,0 +1,146 @@
+#!/usr/bin/env python3
+# Copyright Istio Authors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#    http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+import argparse
+import json
+import os
+import shlex
+import subprocess
+from pathlib import Path
+
+
+# This method is equivalent to https://github.com/grailbio/bazel-compilation-database/blob/master/generate.py
+def generate_compilation_database(args):
+    # We need to download all remote outputs for generated source code. This option lives here to override those
+    # specified in bazelrc.
+    bazel_startup_options = shlex.split(os.environ.get("BAZEL_STARTUP_OPTION_LIST", ""))
+    bazel_options = shlex.split(os.environ.get("BAZEL_BUILD_OPTION_LIST", "")) + [
+        "--config=compdb",
+        "--remote_download_outputs=all",
+    ]
+
+    source_dir_targets = args.bazel_targets
+
+    subprocess.check_call(["bazel", *bazel_startup_options, "build"] + bazel_options + [
+        "--aspects=@bazel_compdb//:aspects.bzl%compilation_database_aspect",
+        "--output_groups=compdb_files,header_files"
+    ] + source_dir_targets)
+
+    execroot = subprocess.check_output(
+        ["bazel", *bazel_startup_options, "info", *bazel_options,
+         "execution_root"]).decode().strip()
+
+    db_entries = []
+    for db in Path(execroot).glob('**/*.compile_commands.json'):
+        db_entries.extend(json.loads(db.read_text()))
+
+    def replace_execroot_marker(db_entry):
+        if 'directory' in db_entry and db_entry['directory'] == '__EXEC_ROOT__':
+            db_entry['directory'] = execroot
+        if 'command' in db_entry:
+            db_entry['command'] = (
+                db_entry['command'].replace('-isysroot __BAZEL_XCODE_SDKROOT__', ''))
+        return db_entry
+
+    return list(map(replace_execroot_marker, db_entries))
+
+
+def is_header(filename):
+    for ext in (".h", ".hh", ".hpp", ".hxx"):
+        if filename.endswith(ext):
+            return True
+    return False
+
+
+def is_compile_target(target, args):
+    filename = target["file"]
+    if is_header(filename):
+        if args.include_all:
+            return True
+        if not args.include_headers:
+            return False
+
+    if filename.startswith("bazel-out/"):
+        if args.include_all:
+            return True
+        if not args.include_genfiles:
+            return False
+
+    if filename.startswith("external/"):
+        if args.include_all:
+            return True
+        if not args.include_external:
+            return False
+
+    return True
+
+
+def modify_compile_command(target, args):
+    cc, options = target["command"].split(" ", 1)
+
+    # Workaround for bazel added C++11 options, those doesn't affect build itself but
+    # clang-tidy will misinterpret them.
+    options = options.replace("-std=c++0x ", "")
+    options = options.replace("-std=c++11 ", "")
+
+    if args.vscode:
+        # Visual Studio Code doesn't seem to like "-iquote". Replace it with
+        # old-style "-I".
+        options = options.replace("-iquote ", "-I ")
+
+    if args.system_clang:
+        if cc.find("clang"):
+            cc = "clang++"
+
+    if is_header(target["file"]):
+        options += " -Wno-pragma-once-outside-header -Wno-unused-const-variable"
+        options += " -Wno-unused-function"
+        # By treating external/envoy* as C++ files we are able to use this script from subrepos that
+        # depend on Envoy targets.
+        if not target["file"].startswith("external/") or target["file"].startswith(
+                "external/envoy"):
+            # *.h file is treated as C header by default while our headers files are all C++20.
+            options = "-x c++ -std=c++20 -fexceptions " + options
+
+    target["command"] = " ".join([cc, options])
+    return target
+
+
+def fix_compilation_database(args, db):
+    db = [modify_compile_command(target, args) for target in db if is_compile_target(target, args)]
+
+    with open("compile_commands.json", "w") as db_file:
+        json.dump(db, db_file, indent=2)
+
+
+if __name__ == "__main__":
+    parser = argparse.ArgumentParser(description='Generate JSON compilation database')
+    parser.add_argument('--include_external', action='store_true')
+    parser.add_argument('--include_genfiles', action='store_true')
+    parser.add_argument('--include_headers', action='store_true')
+    parser.add_argument('--vscode', action='store_true')
+    parser.add_argument('--include_all', action='store_true')
+    parser.add_argument(
+        '--system-clang',
+        action='store_true',
+        help=
+        'Use `clang++` instead of the bazel wrapper for commands. This may help if `clangd` cannot find/run the tools.'
+    )
+    parser.add_argument(
+        'bazel_targets', nargs='*', default=[
+            "//source/...",
+        ])
+    args = parser.parse_args()
+    fix_compilation_database(args, generate_compilation_database(args))

tools/vscode/refresh_compdb.sh

@@ -0,0 +1,23 @@
+#!/usr/bin/env bash
+# Copyright Istio Authors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#    http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+opts=(--vscode)
+
+# Setting TEST_TMPDIR here so the compdb headers won't be overwritten by another bazel run
+TEST_TMPDIR=${BUILD_DIR:-/tmp}/envoy-compdb tools/gen_compilation_database.py \
+    "${opts[@]}"
+
+# Kill clangd to reload the compilation database
+pkill clangd || :