Merge branch 'main' into feat-dm-certpckr

Signed-off-by: Rohit Agrawal <rohit.agrawal@databricks.com>

Author: agrawroh

.github/config.yml

@@ -110,6 +110,7 @@ checks:
     - precheck-external
     - precheck-format
     - precheck-publish
+    - precheck-publish-config
     required: true
     # yamllint disable rule:line-length
     advice:
@@ -358,6 +359,9 @@ run:
   precheck-publish:
     paths:
     - "**/*"
+  precheck-publish-config:
+    paths:
+    - "**/*"
   release:
     paths:
     - .bazelrc

.github/workflows/_precheck_publish.yml

@@ -45,6 +45,7 @@ jobs:
         ERROR
         error:
         Error:
+      skip: ${{ matrix.skip != false && true || false }}
       steps-post: ${{ matrix.steps-post }}
       target: ${{ matrix.target }}
       target-suffix: ${{ matrix.target-suffix }}
@@ -72,6 +73,7 @@ jobs:
           bazel-cache: true
           bazel-cache-output-base: docs
           rbe: true
+          skip: ${{ ! fromJSON(inputs.request).run.precheck-publish-config }}
         - target: docs
           name: Docs
           bazel-cache: true

.github/workflows/_publish_release_container.yml

@@ -141,8 +141,17 @@ jobs:
       with:
         input-format: yaml
         filter: >-
-          {manifests: .}
+          .version as $v
+          | {manifests:
+              [.manifests[]
+               | select(
+                   (.tag | test("contrib-distroless") | not)
+                   or ($v.major > 1 or ($v.major == 1 and $v.minor >= 37)))]}
         input: |
+          version:
+            major: ${{ inputs.version-major }}
+            minor: ${{ inputs.version-minor }}
+          manifests:
           - name: ${{ inputs.dockerhub-repo }}
             tag: v${{ inputs.version-major }}.${{ inputs.version-minor }}.${{ inputs.version-patch }}
             registry: docker.io/envoyproxy

.github/workflows/_request.yml

@@ -202,6 +202,18 @@ jobs:
           docker:
             x64: ${{ steps.cache-exists-docker-x64.outputs.cache-hit || 'false' }}
             arm64: ${{ steps.cache-exists-docker-arm64.outputs.cache-hit || 'false' }}
+          target-branch: ${{ fromJSON(steps.env.outputs.data).request.target-branch }}
+        filter: |
+          .["target-branch"] as $branch
+          | if ($branch | test("^release/v[0-9]+\\.[0-9]+$")) then
+              ($branch | sub("^release/v"; "") + ".0") as $version_str
+              | ($version_str | utils::version) as $version
+              | if ($version.major < 1 or ($version.major == 1 and $version.minor <= 37)) then
+                  .bazel["docs-x64"] = "skip"
+                  | .bazel["external-x64"] = "skip"
+                else . end
+            else . end
+          | del(.["target-branch"])
 
   cache:
     permissions:

.github/workflows/request.yml

@@ -28,7 +28,31 @@ concurrency:
 
 
 jobs:
+  # Envoy (and mirror repos) have an environment setup that requires maintainer approval
+  # to use it. This CI checks if the request is from a first-time contributor, and in that
+  # case it uses the environment and requires the permission to proceed.
+  authorize:
+    if: >-
+      ${{ github.repository == 'envoyproxy/envoy'
+          || (vars.ENVOY_CI && github.event_name != 'schedule')
+          || (vars.ENVOY_SCHEDULED_CI && github.event_name == 'schedule') }}
+    runs-on: ubuntu-24.04
+    environment: >-
+      ${{ github.event_name == 'pull_request_target'
+          && github.event.pull_request.author_association != 'MEMBER'
+          && github.event.pull_request.author_association != 'COLLABORATOR'
+          && github.event.pull_request.author_association != 'CONTRIBUTOR'
+          && github.event.pull_request.author_association != 'OWNER'
+          && 'external-contributors'
+          || '' }}
+    steps:
+    - run: |
+        echo "Authorized"
+        echo "  Event: ${{ github.event_name }}"
+        echo "  Author association: ${{ github.event.pull_request.author_association }}"
+
   request:
+    needs: authorize
     permissions:
       actions: write
       contents: read

CODEOWNERS

@@ -3,8 +3,8 @@
 #*       @envoyproxy/maintainers
 
 # ci
-/.github/ @agrawroh @phlax
-/ci/ @agrawroh @phlax
+/.github/ @agrawroh @phlax @jwendell
+/ci/ @agrawroh @phlax @jwendell
 
 # api
 /api/ @envoyproxy/api-shepherds
@@ -348,6 +348,8 @@ extensions/upstreams/tcp @ggreenway @mattklein123
 /*/extensions/filters/http/header_to_metadata @zuercher @JuniorHsu
 # Json to metadata
 /*/extensions/filters/http/json_to_metadata @cqi1217 @JuniorHsu @kbaichoo
+# SSE to metadata
+/*/extensions/filters/http/sse_to_metadata @JuniorHsu @PeterL328 @tyxia
 # zookeeper
 /*/extensions/filters/network/zookeeper_proxy @JuniorHsu @Winbobob @mattklein123
 # Custom response filter

api/BUILD

@@ -236,6 +236,7 @@ proto_library(
         "//envoy/extensions/filters/http/router/v3:pkg",
         "//envoy/extensions/filters/http/set_filter_state/v3:pkg",
         "//envoy/extensions/filters/http/set_metadata/v3:pkg",
+        "//envoy/extensions/filters/http/sse_to_metadata/v3:pkg",
         "//envoy/extensions/filters/http/stateful_session/v3:pkg",
         "//envoy/extensions/filters/http/tap/v3:pkg",
         "//envoy/extensions/filters/http/thrift_to_metadata/v3:pkg",

api/envoy/extensions/filters/http/sse_to_metadata/v3/BUILD

@@ -0,0 +1,13 @@
+# DO NOT EDIT. This file is generated by tools/proto_format/proto_sync.py.
+
+load("@envoy_api//bazel:api_build_system.bzl", "api_proto_package")
+
+licenses(["notice"])  # Apache 2
+
+api_proto_package(
+    deps = [
+        "//envoy/config/core/v3:pkg",
+        "@xds//udpa/annotations:pkg",
+        "@xds//xds/annotations/v3:pkg",
+    ],
+)

api/envoy/extensions/filters/http/sse_to_metadata/v3/sse_to_metadata.proto

@@ -0,0 +1,67 @@
+syntax = "proto3";
+
+package envoy.extensions.filters.http.sse_to_metadata.v3;
+
+import "envoy/config/core/v3/extension.proto";
+
+import "google/protobuf/wrappers.proto";
+
+import "xds/annotations/v3/status.proto";
+
+import "udpa/annotations/status.proto";
+import "validate/validate.proto";
+
+option java_package = "io.envoyproxy.envoy.extensions.filters.http.sse_to_metadata.v3";
+option java_outer_classname = "SseToMetadataProto";
+option java_multiple_files = true;
+option go_package = "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/http/sse_to_metadata/v3;sse_to_metadatav3";
+option (udpa.annotations.file_status).package_version_status = ACTIVE;
+option (xds.annotations.v3.file_status).work_in_progress = true;
+
+// [#protodoc-title: SSE-To-Metadata Filter]
+//
+// The SSE-To-Metadata filter extracts values from Server-Sent Events (SSE) HTTP response bodies
+// and writes them to dynamic metadata. This is useful for LLM token usage tracking,
+// logging, and other observability use cases.
+//
+// The filter specifically handles SSE format (text/event-stream) and uses pluggable content
+// parsers to extract values from the SSE data fields. The content parser is a typed extension
+// that can be configured to handle different content types (JSON, plaintext, XML, etc.).
+//
+// The filter only processes responses with Content-Type "text/event-stream"
+// (the standard SSE content type). Content-Type parameters such as charset are ignored.
+//
+// See SSE-To-Metadata :ref:`configuration overview <config_http_filters_sse_to_metadata>` for more details.
+// [#extension: envoy.filters.http.sse_to_metadata]
+
+message SseToMetadata {
+  // Rules for processing SSE streams and extracting metadata.
+  //
+  // The filter parses the SSE protocol (events delimited by blank lines), then delegates
+  // to a content parser to parse event content and extract metadata. The content parser
+  // determines which values to extract and how to write them to metadata.
+  message ProcessingRules {
+    // Content parser configuration for parsing event content and extracting metadata.
+    //
+    // The content parser specifies:
+    // - How to parse the event data (e.g., JSON, XML, plaintext)
+    // - Which values to extract from the parsed content (e.g., JSON paths like usage.total_tokens)
+    // - How to map extracted values to metadata (namespace, key, type conversions)
+    // - When to write metadata (on_present, on_missing, on_error actions)
+    // [#extension-category: envoy.content_parsers]
+    config.core.v3.TypedExtensionConfig content_parser = 1
+        [(validate.rules).message = {required: true}];
+
+    // Maximum size in bytes for a single SSE event before it's considered invalid
+    // and discarded. This protects against unbounded memory growth from malicious
+    // or malformed streams that never send event delimiters (blank lines).
+    //
+    // Default is 8192 bytes (8KB), which is sufficient for most legitimate events.
+    // Set to 0 to disable the limit (not recommended for production).
+    // Maximum allowed value is 10485760 bytes (10MB).
+    google.protobuf.UInt32Value max_event_size = 2 [(validate.rules).uint32 = {lte: 10485760}];
+  }
+
+  // Rules for processing SSE response streams.
+  ProcessingRules response_rules = 1 [(validate.rules).message = {required: true}];
+}

api/envoy/extensions/geoip_providers/common/v3/common.proto

@@ -19,7 +19,7 @@ option (udpa.annotations.file_status).package_version_status = ACTIVE;
 message CommonGeoipProviderConfig {
   // The set of geolocation headers to add to request. If any of the configured headers is present
   // in the incoming request, it will be overridden by the :ref:`HTTP GeoIP filter <config_http_filters_geoip>`.
-  // [#next-free-field: 13]
+  // [#next-free-field: 14]
   //
   // .. attention::
   //   This field is deprecated in favor of :ref:`geo_field_keys
@@ -39,9 +39,15 @@ message CommonGeoipProviderConfig {
         [(validate.rules).string = {well_known_regex: HTTP_HEADER_NAME ignore_empty: true}];
 
     // If set, the header will be used to populate the ASN associated with the IP address.
+    // Note: If both ISP and ASN databases are configured, only the ASN database is used for lookup.
     string asn = 4
         [(validate.rules).string = {well_known_regex: HTTP_HEADER_NAME ignore_empty: true}];
 
+    // If set, the header will be used to populate the autonomous system organization associated with the IP address.
+    // Note: If both ISP and ASN databases are configured, only the ASN database is used for lookup.
+    string asn_org = 13
+        [(validate.rules).string = {well_known_regex: HTTP_HEADER_NAME ignore_empty: true}];
+
     // This field is deprecated; use ``anon`` instead.
     string is_anon = 5 [
       deprecated = true,
@@ -92,7 +98,7 @@ message CommonGeoipProviderConfig {
   // - The :ref:`Network GeoIP filter <config_network_filters_geoip>` stores results in the
   //   connection's filter state under the well-known key ``envoy.geoip``.
   //
-  // [#next-free-field: 12]
+  // [#next-free-field: 13]
   message GeolocationFieldKeys {
     // If set, the key will be used to populate the country ISO code associated with the IP address.
     string country = 1;
@@ -107,6 +113,9 @@ message CommonGeoipProviderConfig {
     // If set, the key will be used to populate the ASN associated with the IP address.
     string asn = 4;
 
+    // If set, the key will be used to populate the autonomous system organization associated with the IP address.
+    string asn_org = 12;
+
     // If set, the IP address will be checked if it belongs to any type of anonymization network
     // (e.g., VPN, public proxy). The result will be stored with this key. Value will be set to
     // either ``true`` or ``false`` depending on the check result.