Merge pull request #217197 from lukegb/envoy

envoy: 1.23.3 -> 1.25.1

6 files changed, 180 insertions, 75 deletions

diff --git a/pkgs/servers/http/envoy/use-system-python.patch b/pkgs/servers/http/envoy/0001-nixpkgs-use-system-Python.patch
index a2030cc75fd05..11871275f4ffc 100644
--- a/pkgs/servers/http/envoy/use-system-python.patch
+++ b/pkgs/servers/http/envoy/0001-nixpkgs-use-system-Python.patch
@@ -1,5 +1,15 @@
+From 329ad7cb56e66464e5570bbb51dea0fd56c4d9ae Mon Sep 17 00:00:00 2001
+From: Luke Granger-Brown <git@lukegb.com>
+Date: Sun, 19 Feb 2023 17:40:50 +0000
+Subject: [PATCH 1/2] nixpkgs: use system Python
+
+---
+ bazel/python_dependencies.bzl |  4 ----
+ bazel/repositories_extra.bzl  | 13 +------------
+ 2 files changed, 1 insertion(+), 16 deletions(-)
+
 diff --git a/bazel/python_dependencies.bzl b/bazel/python_dependencies.bzl
-index d9dfb14a9b..b8e92452a7 100644
+index a5c3283d0a..1c2c31ebf2 100644
 --- a/bazel/python_dependencies.bzl
 +++ b/bazel/python_dependencies.bzl
 @@ -1,10 +1,8 @@
@@ -14,7 +24,7 @@ index d9dfb14a9b..b8e92452a7 100644
          extra_pip_args = ["--require-hashes"],
      )
 @@ -12,14 +10,12 @@ def envoy_python_dependencies():
-     # These need to use `pip_install`
+     # TODO(phlax): switch to `pip_parse`
      pip_install(
          # Note: dev requirements do *not* check hashes
 -        python_interpreter_target = interpreter,
@@ -22,17 +32,17 @@ index d9dfb14a9b..b8e92452a7 100644
          requirements = "@envoy//tools/dev:requirements.txt",
      )
  
-     pip_install(
+     pip_parse(
          name = "fuzzing_pip3",
 -        python_interpreter_target = interpreter,
-         requirements = "@rules_fuzzing//fuzzing:requirements.txt",
+         requirements_lock = "@rules_fuzzing//fuzzing:requirements.txt",
          extra_pip_args = ["--require-hashes"],
      )
 diff --git a/bazel/repositories_extra.bzl b/bazel/repositories_extra.bzl
-index 885b41dec6..ac5605eb30 100644
+index 9d1b31c5d6..ac5605eb30 100644
 --- a/bazel/repositories_extra.bzl
 +++ b/bazel/repositories_extra.bzl
-@@ -1,22 +1,12 @@
+@@ -1,23 +1,12 @@
  load("@emsdk//:deps.bzl", emsdk_deps = "deps")
 -load("@rules_python//python:repositories.bzl", "python_register_toolchains")
  load("@proxy_wasm_cpp_host//bazel/cargo/wasmtime:crates.bzl", "wasmtime_fetch_remote_crates")
@@ -53,6 +63,10 @@ index 885b41dec6..ac5605eb30 100644
 -    python_register_toolchains(
 -        name = "python%s" % ("_".join(python_version.split(".")[:-1])),
 -        python_version = python_version,
+-        ignore_root_user_error = True,
 -    )
 -
      aspect_bazel_lib_dependencies()
+-- 
+2.39.1
+
diff --git a/pkgs/servers/http/envoy/0002-nixpkgs-use-system-Go.patch b/pkgs/servers/http/envoy/0002-nixpkgs-use-system-Go.patch
new file mode 100644
index 0000000000000..594d51cce9dc1
--- /dev/null
+++ b/pkgs/servers/http/envoy/0002-nixpkgs-use-system-Go.patch
@@ -0,0 +1,94 @@
+From 31d864a3b6a1a3455191e87ff680eb812f77dc3c Mon Sep 17 00:00:00 2001
+From: Luke Granger-Brown <git@lukegb.com>
+Date: Sun, 19 Feb 2023 17:43:03 +0000
+Subject: [PATCH 2/2] nixpkgs: use system Go
+
+---
+ bazel/dependency_imports.bzl   | 29 +----------------------------
+ bazel/repositories.bzl         |  3 ---
+ bazel/repository_locations.bzl |  4 ++--
+ 3 files changed, 3 insertions(+), 33 deletions(-)
+
+diff --git a/bazel/dependency_imports.bzl b/bazel/dependency_imports.bzl
+index 7dbdb0174e..e73662ed79 100644
+--- a/bazel/dependency_imports.bzl
++++ b/bazel/dependency_imports.bzl
+@@ -15,7 +15,7 @@ load("@aspect_bazel_lib//lib:repositories.bzl", "register_jq_toolchains", "regis
+ load("@com_google_cel_cpp//bazel:deps.bzl", "parser_deps")
+ 
+ # go version for rules_go
+-GO_VERSION = "1.18"
++GO_VERSION = "host"
+ 
+ JQ_VERSION = "1.6"
+ YQ_VERSION = "4.24.4"
+@@ -25,7 +25,6 @@ def envoy_dependency_imports(go_version = GO_VERSION, jq_version = JQ_VERSION, y
+     rules_foreign_cc_dependencies(register_default_tools = False, register_built_tools = False)
+     go_rules_dependencies()
+     go_register_toolchains(go_version)
+-    envoy_download_go_sdks(go_version)
+     gazelle_dependencies(go_sdk = "go_sdk")
+     apple_rules_dependencies()
+     pip_dependencies()
+@@ -134,29 +133,3 @@ def envoy_dependency_imports(go_version = GO_VERSION, jq_version = JQ_VERSION, y
+         # use_category = ["api"],
+         # source = "https://github.com/bufbuild/protoc-gen-validate/blob/v0.6.1/dependencies.bzl#L23-L28"
+     )
+-
+-def envoy_download_go_sdks(go_version):
+-    go_download_sdk(
+-        name = "go_linux_amd64",
+-        goos = "linux",
+-        goarch = "amd64",
+-        version = go_version,
+-    )
+-    go_download_sdk(
+-        name = "go_linux_arm64",
+-        goos = "linux",
+-        goarch = "arm64",
+-        version = go_version,
+-    )
+-    go_download_sdk(
+-        name = "go_darwin_amd64",
+-        goos = "darwin",
+-        goarch = "amd64",
+-        version = go_version,
+-    )
+-    go_download_sdk(
+-        name = "go_darwin_arm64",
+-        goos = "darwin",
+-        goarch = "arm64",
+-        version = go_version,
+-    )
+diff --git a/bazel/repositories.bzl b/bazel/repositories.bzl
+index fca05b6062..a2f60014cb 100644
+--- a/bazel/repositories.bzl
++++ b/bazel/repositories.bzl
+@@ -115,9 +115,6 @@ def _go_deps(skip_targets):
+     if "io_bazel_rules_go" not in skip_targets:
+         external_http_archive(
+             name = "io_bazel_rules_go",
+-            # TODO(wrowe, sunjayBhatia): remove when Windows RBE supports batch file invocation
+-            patch_args = ["-p1"],
+-            patches = ["@envoy//bazel:rules_go.patch"],
+         )
+         external_http_archive("bazel_gazelle")
+ 
+diff --git a/bazel/repository_locations.bzl b/bazel/repository_locations.bzl
+index e4e89d281a..fb62c4f8f3 100644
+--- a/bazel/repository_locations.bzl
++++ b/bazel/repository_locations.bzl
+@@ -878,8 +878,8 @@ REPOSITORY_LOCATIONS_SPEC = dict(
+         project_name = "Go rules for Bazel",
+         project_desc = "Bazel rules for the Go language",
+         project_url = "https://github.com/bazelbuild/rules_go",
+-        version = "0.36.0",
+-        sha256 = "ae013bf35bd23234d1dea46b079f1e05ba74ac0321423830119d3e787ec73483",
++        version = "0.38.1",
++        sha256 = "dd926a88a564a9246713a9c00b35315f54cbd46b31a26d5d8fb264c07045f05d",
+         urls = ["https://github.com/bazelbuild/rules_go/releases/download/v{version}/rules_go-v{version}.zip"],
+         use_category = ["build", "api"],
+         release_date = "2022-11-23",
+-- 
+2.39.1
+
diff --git a/pkgs/servers/http/envoy/bump-brotli.patch b/pkgs/servers/http/envoy/bump-brotli.patch
deleted file mode 100644
index 5656b8f260cfa..0000000000000
--- a/pkgs/servers/http/envoy/bump-brotli.patch
+++ /dev/null
@@ -1,15 +0,0 @@
-diff --git a/bazel/repository_locations.bzl b/bazel/repository_locations.bzl
-index 454c54b0ef..2ac0623cf0 100644
---- a/bazel/repository_locations.bzl
-+++ b/bazel/repository_locations.bzl
-@@ -510,8 +510,8 @@ REPOSITORY_LOCATIONS_SPEC = dict(
-         project_url = "https://brotli.org",
-         # Use the dev branch of brotli to resolve compilation issues.
-         # TODO(rojkov): Remove when brotli > 1.0.9 is released.
--        version = "0cd2e3926e95e7e2930f57ae3f4885508d462a25",
--        sha256 = "93810780e60304b51f2c9645fe313a6e4640711063ed0b860cfa60999dd256c5",
-+        version = "27dd7265403d8e8fed99a854b9c3e1db7d79525f",
-+        sha256 = "e71238b12e30233bdf25997132b29ae49639a69f33fdef3ae18a47abfc0d5e4c",
-         strip_prefix = "brotli-{version}",
-         urls = ["https://github.com/google/brotli/archive/{version}.tar.gz"],
-         use_category = ["dataplane_ext"],
diff --git a/pkgs/servers/http/envoy/default.nix b/pkgs/servers/http/envoy/default.nix
index 4a219a9cfb05a..db040f8a2080b 100644
--- a/pkgs/servers/http/envoy/default.nix
+++ b/pkgs/servers/http/envoy/default.nix
@@ -24,8 +24,8 @@ let
     # However, the version string is more useful for end-users.
     # These are contained in a attrset of their own to make it obvious that
     # people should update both.
-    version = "1.23.3";
-    rev = "4801f5881893857fbc53a4061f0b20ef4ca91a5b";
+    version = "1.25.1";
+    rev = "bae2e9d642a6a8ae6c5d3810f77f3e888f0d97da";
   };
 in
 buildBazelPackage rec {
@@ -36,13 +36,12 @@ buildBazelPackage rec {
     owner = "envoyproxy";
     repo = "envoy";
     inherit (srcVer) rev;
-    sha256 = "sha256-akAuFk+jESWWvLRCDQ0XDT1Eplutfj5uacAFQp714vM=";
+    sha256 = "sha256-qA3+bta2vXGtAYX3mg+CmSIEitk4576JQB/QLPsj9Vc=";
 
     postFetch = ''
       chmod -R +w $out
       rm $out/.bazelversion
       echo ${srcVer.rev} > $out/SOURCE_VERSION
-      sed -i 's/GO_VERSION = ".*"/GO_VERSION = "host"/g' $out/bazel/dependency_imports.bzl
     '';
   };
 
@@ -51,20 +50,15 @@ buildBazelPackage rec {
     sed -i '/javabase=/d' .bazelrc
     sed -i '/"-Werror"/d' bazel/envoy_internal.bzl
 
-    # Use system Python.
-    sed -i -e '/python_interpreter_target =/d' -e '/@python3_10/d' bazel/python_dependencies.bzl
+    cp ${./protobuf.patch} bazel/protobuf.patch
   '';
 
   patches = [
-    # fix issues with brotli and GCC 11.2.0+ (-Werror=vla-parameter)
-    ./bump-brotli.patch
-
-    # fix linux-aarch64 WAMR builds
-    # (upstream WAMR only detects aarch64 on Darwin, not Linux)
-    ./fix-aarch64-wamr.patch
-
     # use system Python, not bazel-fetched binary Python
-    ./use-system-python.patch
+    ./0001-nixpkgs-use-system-Python.patch
+
+    # use system Go, not bazel-fetched binary Go
+    ./0002-nixpkgs-use-system-Go.patch
   ];
 
   nativeBuildInputs = [
@@ -81,10 +75,13 @@ buildBazelPackage rec {
     linuxHeaders
   ];
 
+  # external/com_github_grpc_grpc/src/core/ext/transport/binder/transport/binder_transport.cc:756:29: error: format not a string literal and no format arguments [-Werror=format-security]
+  hardeningDisable = [ "format" ];
+
   fetchAttrs = {
     sha256 = {
-      x86_64-linux = "sha256-UXTh5sCN7PJxNbTaG47YnW7aQBBtu101UjfsWU1CtBw=";
-      aarch64-linux = "sha256-uynV2/RWBybR2bjErDjcfoacv5vsI4GJ3SL4OF1kFOE=";
+      x86_64-linux = "sha256-H2s8sTbmKF+yRfSzLsZAT2ckFuunFwh/FMSKj+GYyPM=";
+      aarch64-linux = "sha256-R9jzy/dpdCcGgT9yq59Wo/IN/bVo6fxnVPGhLMZ9fbM=";
     }.${stdenv.system} or (throw "unsupported system ${stdenv.system}");
     dontUseCmakeConfigure = true;
     dontUseGnConfigure = true;
diff --git a/pkgs/servers/http/envoy/fix-aarch64-wamr.patch b/pkgs/servers/http/envoy/fix-aarch64-wamr.patch
deleted file mode 100644
index 4d8bc6c02adce..0000000000000
--- a/pkgs/servers/http/envoy/fix-aarch64-wamr.patch
+++ /dev/null
@@ -1,38 +0,0 @@
-diff --git a/bazel/envoy_build_system.bzl b/bazel/envoy_build_system.bzl
-index f48ebe7056..1e5cc5d663 100644
---- a/bazel/envoy_build_system.bzl
-+++ b/bazel/envoy_build_system.bzl
-@@ -102,6 +102,7 @@ def envoy_cmake(
-         pdb_name = "",
-         cmake_files_dir = "$BUILD_TMPDIR/CMakeFiles",
-         generate_crosstool_file = False,
-+        generate_args = [],
-         **kwargs):
-     cache_entries.update({"CMAKE_BUILD_TYPE": "Bazel"})
-     cache_entries_debug = dict(cache_entries)
-@@ -131,7 +132,7 @@ def envoy_cmake(
-             "@envoy//bazel:dbg_build": cache_entries_debug,
-             "//conditions:default": cache_entries,
-         }),
--        generate_args = ["-GNinja"],
-+        generate_args = ["-GNinja"] + generate_args,
-         targets = ["", "install"],
-         # TODO: Remove install target and make this work
-         install = False,
-diff --git a/bazel/foreign_cc/BUILD b/bazel/foreign_cc/BUILD
-index 4d3a281669..b4716dfe2e 100644
---- a/bazel/foreign_cc/BUILD
-+++ b/bazel/foreign_cc/BUILD
-@@ -394,6 +394,12 @@ envoy_cmake(
-         "WAMR_BUILD_LIBC_WASI": "0",
-         "WAMR_BUILD_TAIL_CALL": "1",
-     },
-+    generate_args = select({
-+        "//conditions:default": [],
-+        "@platforms//cpu:aarch64": [
-+            "-DWAMR_BUILD_TARGET=AARCH64",
-+        ],
-+    }),
-     lib_source = "@com_github_wamr//:all",
-     out_static_libs = ["libvmlib.a"],
-     tags = ["skip_on_windows"],
diff --git a/pkgs/servers/http/envoy/protobuf.patch b/pkgs/servers/http/envoy/protobuf.patch
new file mode 100644
index 0000000000000..1cc071bd861a1
--- /dev/null
+++ b/pkgs/servers/http/envoy/protobuf.patch
@@ -0,0 +1,53 @@
+diff --git a/BUILD.bazel b/BUILD.bazel
+index 0f6e41e3a..c0d2bbccf 100644
+--- a/BUILD.bazel
++++ b/BUILD.bazel
+@@ -138,7 +138,7 @@ cc_library(
+     visibility = ["//visibility:public"],
+     deps = [":protobuf_lite"] + select({
+         "//build_defs:config_msvc": [],
+-        "//conditions:default": ["@zlib//:zlib"],
++        "//conditions:default": ["//external:zlib"],
+     }),
+ )
+ 
+@@ -755,7 +820,7 @@ cc_test(
+         "@com_google_googletest//:gtest_main",
+     ] + select({
+         "//build_defs:config_msvc": [],
+-        "//conditions:default": ["@zlib//:zlib"],
++        "//conditions:default": ["//external:zlib"],
+     }),
+ )
+ 
+diff --git a/python/google/protobuf/__init__.py b/python/google/protobuf/__init__.py
+index e7555ee10..a93beb1c5 100644
+--- a/python/google/protobuf/__init__.py
++++ b/python/google/protobuf/__init__.py
+@@ -31,3 +31,10 @@
+ # Copyright 2007 Google Inc. All Rights Reserved.
+ 
+ __version__ = '4.21.12'
++
++
++if __name__ != '__main__':
++    try:
++        __import__('pkg_resources').declare_namespace(__name__)
++    except ImportError:
++        __path__ = __import__('pkgutil').extend_path(__path__, __name__)
+diff --git a/src/google/protobuf/generated_message_tctable_lite.cc b/src/google/protobuf/generated_message_tctable_lite.cc
+index 9993811dc..d80006af7 100644
+--- a/src/google/protobuf/generated_message_tctable_lite.cc
++++ b/src/google/protobuf/generated_message_tctable_lite.cc
+@@ -343,11 +343,6 @@ const char* TcParser::MiniParse(PROTOBUF_TC_PARAM_DECL) {
+ 
+ namespace {
+ 
+-// Offset returns the address `offset` bytes after `base`.
+-inline void* Offset(void* base, uint32_t offset) {
+-  return static_cast<uint8_t*>(base) + offset;
+-}
+-
+ // InvertPacked changes tag bits from the given wire type to length
+ // delimited. This is the difference expected between packed and non-packed
+ // repeated fields.