repo-sync-2024-05-06T19:41:36+0800

.aci.yml

@@ -0,0 +1,104 @@
+# OPENSOURCE-CLEANUP DELETE_FILE
+# ACI 语法文档：https://yuque.antfin-inc.com/antci/help/syntax-plugins
+
+version: "1.5"
+
+git:
+  depth: 200
+
+stages:
+#- PreRequisites
+#- EnvPrepare
+  - Build
+  - Delivery
+
+parameters:
+  BUILD_IMAGE: "reg.docker.alibaba-inc.com/nueva-stack/envoy-build-ubuntu:81a93046060dbe5620d5b3aa92632090a9ee4da6"
+  KUSCIA_ENVOY_REPO_URL: "git@code.alipay.com:secretflow/kuscia-envoy.git"
+
+only:
+  triggerType:
+    - pullRequest # 创建PR及向PR分支push代码时触发
+    - tagPush
+    - push
+  triggerBranch: # 设置触发分支
+    pushOriginalBranch: # 只有向以下分支提交push才会触发
+      - master
+      - release/*
+      - codereview/*
+  targetBranch: #只有向master分支提交pullRequest时才触发pipeline执行
+    - master
+    - release/*
+    - codereview/*
+
+agent:
+  docker:
+    image: ${BUILD_IMAGE}
+    resourceRequirements: # 2c4g20g的配置 cpu/memory/ephemeral-storage取值均为整型
+      cpu: 4 # 最大值16
+      memory: 8 # 最大值32
+      ephemeral-storage: 10 # 最大值100
+
+CMD-FLAKE8:
+  stage: PreRequisites
+  plugin: CMD
+  pluginConfig:
+    encoding: UTF-8 # 编码设置
+    excludes: # 排除哪些项不进行代码扫描
+      - "**/*_pb.go" # generated files for protocol buffer
+  checkRule:
+    - blocker = 0
+    - critical = 0
+    - major = 0
+
+variableExport:
+  stage: EnvPrepare
+  script:
+    - |
+      cd ${WORKSPACE}
+      export BUILD_DATE="$(date +'%Y%m%d-%H%M%S')"
+  variables:
+    - BUILD_DATE
+
+build-envoy:
+  stage: Build
+  plugin: ANT-BUILD
+  pluginConfig:
+    image: ${BUILD_IMAGE}
+    script:
+      - |
+        set -ex
+        # Note: git clone requires answer 'yes'
+        ssh-keyscan -t rsa gitlab.alipay-inc.com >> ~/.ssh/known_hosts
+
+        cd $ANTBUILD_WORKSPACE
+        ls -l
+        whoami && cat /proc/cpuinfo | grep process | wc -l && cat /proc/meminfo | grep MemTotal && df -h
+
+        git submodule update --init
+        ls envoy
+        # .aci.yaml 开头的 depth 配置没有生效，aci 流水线写死 depth=5，这边强制修改 depth==200
+        git config --global --add safe.directory ./
+
+        bazel build //:envoy --verbose_failures
+        mkdir -p build_apps
+        mv bazel-bin/envoy build_apps
+    afterScript:
+      - ls
+    outputs:
+      - name: "kuscia-envoy"
+        desc: "kuscia envoy package"
+        type: custom
+        paths:
+          - build_app
+  only:
+    triggerType:
+      - push
+      - tagPush
+      - pullRequest
+    triggerBranch: # 设置触发分支
+      pushOriginalBranch: # 只有向以下分支提交push才会触发
+        - master
+        - release/*
+    targetBranch: #只有向master分支提交pullRequest时才触发pipeline执行
+      - release/*

.bazelversion

@@ -1 +1 @@
-5.4.1
+6.3.2

.circleci/config.yml

@@ -8,12 +8,12 @@ version: 2.1
 executors:
   linux_x64_executor: # declares a reusable executor
     docker:
-      - image: envoyproxy/envoy-build-ubuntu:81a93046060dbe5620d5b3aa92632090a9ee4da6
+      - image: envoyproxy/envoy-build-ubuntu:0ca52447572ee105a4730da5e76fe47c9c5a7c64
     resource_class: 2xlarge
     shell: /bin/bash --login -eo pipefail
   linux_aarch64_executor:
     docker:
-      - image: envoyproxy/envoy-build-ubuntu:81a93046060dbe5620d5b3aa92632090a9ee4da6
+      - image: envoyproxy/envoy-build-ubuntu:0ca52447572ee105a4730da5e76fe47c9c5a7c64
     resource_class: arm.2xlarge
     shell: /bin/bash --login -eo pipefail
 
@@ -54,26 +54,24 @@ jobs:
             IMG=secretflow/kuscia-envoy
             IMG_LATEST={IMG}:latest
             IMG_TAG={IMG}:{CIRCLETAG}
-            
+
             ALIYUN_IMG=secretflow-registry.cn-hangzhou.cr.aliyuncs.com/secretflow/kuscia-envoy
             ALIYUN_IMG_LATEST={ALIYUN_IMG}:latest
             ALIYUN_IMG_TAG={ALIYUN_IMG}:{CIRCLETAG}
-            
+
             #login docker
             docker login -u ${DOCKER_USERNAME} -p ${DOCKER_DEPLOY_TOKEN}
-
-            docker buildx build -t ${IMG_LATEST} --platform linux/amd64 --build-arg ARCH=amd64  -f ./build_image/dockerfile/kuscia-envoy-anolis.Dockerfile . --push
-            docker buildx build -t ${IMG_LATEST} --platform linux/arm64 --build-arg ARCH=arm64  -f ./build_image/dockerfile/kuscia-envoy-anolis.Dockerfile . --push
-            docker buildx build -t ${IMG_TAG} --platform linux/amd64 --build-arg ARCH=amd64  -f ./build_image/dockerfile/kuscia-envoy-anolis.Dockerfile . --push
-            docker buildx build -t ${IMG_TAG} --platform linux/arm64 --build-arg ARCH=arm64  -f ./build_image/dockerfile/kuscia-envoy-anolis.Dockerfile . --push           
-
+
+            docker buildx build -t ${IMG_LATEST} --platform linux/arm64,linux/amd64 -f ./build_image/dockerfile/kuscia-envoy-anolis.Dockerfile . --push
+            docker buildx build -t ${IMG_TAG} --platform linux/arm64,linux/amd64 -f ./build_image/dockerfile/kuscia-envoy-anolis.Dockerfile . --push
+
+
             # login docker - aliyun
             docker login -u ${ALIYUN_DOCKER_USERNAME} -p ${ALIYUN_DOCKER_PASSWORD} secretflow-registry.cn-hangzhou.cr.aliyuncs.com
-
-            docker buildx build -t ${ALIYUN_IMG_LATEST} --platform linux/amd64 --build-arg ARCH=amd64  -f ./build_image/dockerfile/kuscia-envoy-anolis.Dockerfile . --push
-            docker buildx build -t ${ALIYUN_IMG_LATEST} --platform linux/arm64 --build-arg ARCH=arm64  -f ./build_image/dockerfile/kuscia-envoy-anolis.Dockerfile . --push
-            docker buildx build -t ${ALIYUN_IMG_TAG} --platform linux/amd64 --build-arg ARCH=amd64  -f ./build_image/dockerfile/kuscia-envoy-anolis.Dockerfile . --push
-            docker buildx build -t ${ALIYUN_IMG_TAG} --platform linux/arm64 --build-arg ARCH=arm64  -f ./build_image/dockerfile/kuscia-envoy-anolis.Dockerfile . --push           
+            docker buildx build -t {ALIYUN_IMG_LATEST} --platform linux/amd64,linux/arm64 -f ./build_image/dockerfile/kuscia-envoy-anolis.Dockerfile . --push
+            docker buildx build -t {ALIYUN_IMG_TAG} --platform linux/amd64,linux/arm64 -f ./build_image/dockerfile/kuscia-envoy-anolis.Dockerfile . --push
+
+
 
 
 # Orchestrate jobs using workflows

.gitmodules

@@ -1,4 +1,4 @@
 [submodule "envoy"]
 	path = envoy
 	url = https://github.com/envoyproxy/envoy.git
-	branch = release/v1.20
+	branch = release/v1.29

Makefile

@@ -1,5 +1,5 @@
 SHELL := /bin/bash
-BUILD_IMAGE = envoyproxy/envoy-build-ubuntu:81a93046060dbe5620d5b3aa92632090a9ee4da6
+BUILD_IMAGE = envoyproxy/envoy-build-ubuntu:0ca52447572ee105a4730da5e76fe47c9c5a7c64
 
 # Image URL to use all building image targets
 DATETIME = $(shell date +"%Y%m%d%H%M%S")
@@ -14,7 +14,7 @@ UNAME_M_OUTPUT := $(shell uname -m)
 # To configure the ARCH variable to either arm64 or amd64 or UNAME_M_OUTPUT
 ARCH := $(if $(filter aarch64 arm64,$(UNAME_M_OUTPUT)),arm64,$(if $(filter amd64 x86_64,$(UNAME_M_OUTPUT)),amd64,$(UNAME_M_OUTPUT)))
 
-CONTAINER_NAME ?= "build-envoy"
+CONTAINER_NAME ?= "build-envoy-$(shell echo ${USER})"
 COMPILE_MODE ?=opt
 TARGET ?= "//:envoy"
 BUILD_OPTS ?="--strip=always"
@@ -28,7 +28,7 @@ define start_docker
 		git submodule update --init;\
 	fi;
 	if [[ ! -n $$(docker ps -q -f "name=^$(CONTAINER_NAME)$$") ]]; then\
-		docker run -itd --rm -v $(shell pwd):/home/admin/dev -v $(shell pwd)/cache:/root/.cache/bazel -w /home/admin/dev --name $(CONTAINER_NAME) \
+		docker run -itd --rm -v $(shell pwd)/cache:/root/.cache/bazel -v $(shell pwd):/home/admin/dev -w /home/admin/dev --name $(CONTAINER_NAME) \
 		-e GOPROXY='https://goproxy.cn,direct' --cap-add=NET_ADMIN $(BUILD_IMAGE);\
 		docker exec -it $(CONTAINER_NAME) /bin/bash -c 'git config --global --add safe.directory /home/admin/dev';\
 	fi;
@@ -72,7 +72,6 @@ clean:
 	$(call stop_docker)
 	rm -rf output
 
-
 .PHONY: image
 image: build-envoy
-	docker build -t ${IMG} --build-arg ARCH=${ARCH} -f ./build_image/dockerfile/kuscia-envoy-anolis.Dockerfile .
+	docker build -t ${IMG} -f ./build_image/dockerfile/kuscia-envoy-anolis.Dockerfile .

OWNERS

@@ -0,0 +1,3 @@
+# OPENSOURCE-CLEANUP DELETE_FILE
+reviewers: ["yuwen.lyf", "tingcheng.wtc", "xiaol.huxl", "dongwen.hdw", "changyu.ycy", "wujieqiang.wjq", "guoshilei.gsl", "caochen.cao", "yansi.zy", "jiamingyang.jmy", "wt388595"]
+threshold: 1

WORKSPACE

@@ -17,9 +17,10 @@ load("@envoy//bazel:repositories.bzl", "envoy_dependencies")
 
 envoy_dependencies()
 
+#https://github.com/envoyproxy/envoy/issues/28670
 load("@envoy//bazel:repositories_extra.bzl", "envoy_dependencies_extra")
 
-envoy_dependencies_extra()
+envoy_dependencies_extra(ignore_root_user_error = True)
 
 load("@envoy//bazel:python_dependencies.bzl", "envoy_python_dependencies")
 

build_image/dockerfile/kuscia-envoy-anolis.Dockerfile

@@ -1,12 +1,12 @@
 FROM openanolis/anolisos:8.8
 
-ARG ARCH
+ARG TARGETPLATFORM
 
 ENV TZ=Asia/Shanghai
 
 ARG ROOT_DIR="/home/kuscia"
 
-COPY ./output/linux/$ARCH $ROOT_DIR/
+COPY ./output/$TARGETPLATFORM $ROOT_DIR/
 
 WORKDIR ${ROOT_DIR}
 

internaldoc/README.md

@@ -0,0 +1,62 @@
+## 说明
+本说明文档仅限内部使用，不会带到开源仓库。
+
+## 开发环境搭建
+安装 golang
+
+```shell
+# mac
+wget https://go.dev/dl/go1.19.4.darwin-amd64.tar.gz
+sudo tar -C /usr/local -zxvf go1.19.4.darwin-amd64.tar.gz
+
+# linux
+wget https://go.dev/dl/go1.19.4.linux-amd64.tar.gz
+sudo tar -C /usr/local -zxvf go1.19.4.linux-amd64.tar.gz
+```
+
+添加环境变量
+```shell
+export GOPROXY="https://goproxy.cn,direct"
+export GO111MODULE=on
+export GOPATH="$HOME/gopath"
+export PATH="$PATH:$GOPATH/bin:/usr/local/go/bin"
+export GOPRIVATE="gitlab.alipay-inc.com"
+```
+
+bazel_tools的java依赖
+```shell
+sudo apt install default-jdk
+sudo update-alternatives --config javac
+```
+
+gazelle的安装与使用
+```shell
+# 安装
+go install github.com/bazelbuild/bazel-gazelle/cmd/gazelle@latest
+# 生成BUILD(在根目录下执行）
+gazelle -exclude envoy -exclude bazel -exclude internaldoc -build_file_name BUILD -repo_root=.
+# 生成依赖
+gazelle  update-repos -from_file=go.mod -to_macro=deps.bzl%go_dependencie
+# 部分依赖需要手动禁止编译proto
+sed  -i '/.*name = "\(io_k8s_api\|io_k8s_apimachinery\|com_github_google_gnostic\)",/a\        build_file_proto_mode = "disable_global",' deps.bzl
+```
+
+git 配置
+```shell
+git config --global user.name "xxx"
+git config --global user.email "xxx@antgroup.com"
+
+# http/https 免密码登录（首次需要密码验证）
+git config --global credential.helper store
+
+# 通过 ssh 访问 gitlab，需要加这行配置
+git config --global url."git@gitlab.alipay-inc.com:".insteadOf "http://gitlab.alipay-inc.com/"
+```
+ssh 配置
+```shell
+# 生成 ssh 公私钥
+ssh-keygen -t rsa -b 4096 -f ~/.ssh/id_rsa -N ''
+
+# 将公钥内容填至 AntCode->设置->SSH密钥
+cat ~/.ssh/id_rsa.pub
+```

internaldoc/start_docker.sh

@@ -0,0 +1,36 @@
+#!/bin/bash
+#
+# Copyright 2023 Ant Group Co., Ltd.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+docker_image=envoyproxy/envoy-build-ubuntu:0ca52447572ee105a4730da5e76fe47c9c5a7c64
+
+docker pull $docker_image
+bazel_cache_user_root=./.bazel-cache
+
+if [[ x$1 == 'x' ]]; then
+  docker exec -it envoyv1.29.4-build-$(whoami)  bash
+elif [[ x$1 == 'xinit' ]]; then
+  docker run -d -it --name envoyv1.29.4-build-$(whoami) \
+    --mount type=bind,source="$(pwd)",target=/home/admin/dev/ -w /home/admin/dev \
+    -e HOST_PERMS="$(id -u):$(id -g)" \
+    -e GOPROXY='https://goproxy.cn,direct' \
+    --cap-add=SYS_PTRACE --security-opt seccomp=unconfined \
+    --cap-add=NET_ADMIN \
+    $docker_image
+else
+  echo "unknown command"
+  exit 1
+fi

kuscia/api/filters/http/kuscia_crypt/v3/BUILD

@@ -6,6 +6,6 @@ licenses(["notice"])  # Apache 2
 
 api_proto_package(
     deps = [
-        "@com_github_cncf_udpa//udpa/annotations:pkg",
+        "@com_github_cncf_xds//udpa/annotations:pkg",
     ],
 )

kuscia/api/filters/http/kuscia_gress/v3/BUILD

@@ -6,7 +6,7 @@ licenses(["notice"])  # Apache 2
 
 api_proto_package(
     deps = [
-        "@com_github_cncf_udpa//udpa/annotations:pkg",
-	 "@envoy_api//envoy/type/matcher/v3:pkg",
+        "@com_github_cncf_xds//udpa/annotations:pkg",
+        "@envoy_api//envoy/type/matcher/v3:pkg",
     ],
 )

kuscia/api/filters/http/kuscia_header_decorator/v3/BUILD

@@ -6,6 +6,6 @@ licenses(["notice"])  # Apache 2
 
 api_proto_package(
     deps = [
-        "@com_github_cncf_udpa//udpa/annotations:pkg",
+        "@com_github_cncf_xds//udpa/annotations:pkg",
     ],
 )

kuscia/api/filters/http/kuscia_poller/v3/BUILD

@@ -6,6 +6,6 @@ licenses(["notice"])  # Apache 2
 
 api_proto_package(
     deps = [
-        "@com_github_cncf_udpa//udpa/annotations:pkg",
+        "@com_github_cncf_xds//udpa/annotations:pkg",
     ],
 )

kuscia/api/filters/http/kuscia_receiver/v3/BUILD

@@ -6,6 +6,6 @@ licenses(["notice"])  # Apache 2
 
 api_proto_package(
     deps = [
-        "@com_github_cncf_udpa//udpa/annotations:pkg",
+        "@com_github_cncf_xds//udpa/annotations:pkg",
     ],
 )

kuscia/api/filters/http/kuscia_token_auth/v3/BUILD

@@ -6,6 +6,6 @@ licenses(["notice"])  # Apache 2
 
 api_proto_package(
     deps = [
-        "@com_github_cncf_udpa//udpa/annotations:pkg",
+        "@com_github_cncf_xds//udpa/annotations:pkg",
     ],
 )