Merge branch 'master' into cp-conn-prom-metric

Author: gszr

.github/actions/build-wasm-test-filters/action.yml

@@ -41,7 +41,7 @@ runs:
 
     - name: Install Rust Toolchain
       if: steps.restore-cache.outputs.cache-hit != 'true'
-      uses: actions-rs/toolchain@v1
+      uses: actions-rs/toolchain@16499b5e05bf2e26879000db0c1d13f7e13fa3af # v1
       with:
         profile: minimal
         toolchain: stable
@@ -51,7 +51,7 @@ runs:
 
     - name: cargo build
       if: steps.restore-cache.outputs.cache-hit != 'true'
-      uses: actions-rs/cargo@v1
+      uses: actions-rs/cargo@844f36862e911db73fe0815f00a4a2602c279505 # v1
       with:
         command: build
         # building in release mode yields smaller library sizes, so it's

.github/workflows/label-schema.yml

@@ -8,7 +8,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
     - name: Schema change label found
-      uses: rtCamp/action-slack-notify@c33737706dea87cd7784c687dadc9adf1be59990 # v2
+      uses: Kong/action-slack-notify@bd750854aaf93c5c6f69799bf813c40e7786368a # v2_node20
       continue-on-error: true
       env:
         SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK_SCHEMA_CHANGE }}

.github/workflows/release.yml

@@ -31,7 +31,7 @@ on:  # yamllint disable-line rule:truthy
 env:
   # official release repo
   DOCKER_REPOSITORY: kong/kong
-  PRERELEASE_DOCKER_REPOSITORY: kong/kong
+  PRERELEASE_DOCKER_REPOSITORY: kong/kong-dev
   FULL_RELEASE: ${{ github.event_name == 'schedule' || github.event_name == 'workflow_dispatch' || github.actor == 'dependabot[bot]'}}
 
   # only for PR
@@ -492,7 +492,7 @@ jobs:
     - name: Scan AMD64 Image digest
       id: sbom_action_amd64
       if: steps.image_manifest_metadata.outputs.amd64_sha != ''
-      uses: Kong/public-shared-actions/security-actions/scan-docker-image@28d20a1f492927f35b00b317acd78f669c45f88b # v2.7.3
+      uses: Kong/public-shared-actions/security-actions/scan-docker-image@a5b1cfac7d55d8cf9390456a1e6799425e28840d # v4.0.1
       with:
         asset_prefix: kong-${{ needs.metadata.outputs.commit-sha }}-${{ matrix.label }}-linux-amd64
         image: ${{ needs.metadata.outputs.prerelease-docker-repository }}:${{ needs.metadata.outputs.commit-sha }}-${{ matrix.label }}
@@ -501,7 +501,7 @@ jobs:
     - name: Scan ARM64 Image digest
       if: steps.image_manifest_metadata.outputs.manifest_list_exists == 'true' && steps.image_manifest_metadata.outputs.arm64_sha != ''
       id: sbom_action_arm64
-      uses: Kong/public-shared-actions/security-actions/scan-docker-image@28d20a1f492927f35b00b317acd78f669c45f88b # v2.7.3
+      uses: Kong/public-shared-actions/security-actions/scan-docker-image@a5b1cfac7d55d8cf9390456a1e6799425e28840d # v4.0.1
       with:
         asset_prefix: kong-${{ needs.metadata.outputs.commit-sha }}-${{ matrix.label }}-linux-arm64
         image: ${{ needs.metadata.outputs.prerelease-docker-repository }}:${{ needs.metadata.outputs.commit-sha }}-${{ matrix.label }}

.requirements

@@ -4,14 +4,14 @@ OPENRESTY=1.25.3.2
 OPENRESTY_SHA256=2d564022b06e33b45f7e5cfaf1e5dc571d38d61803af9fa2754dfff353c28d9c
 LUAROCKS=3.11.1
 LUAROCKS_SHA256=c3fb3d960dffb2b2fe9de7e3cb004dc4d0b34bb3d342578af84f84325c669102
-OPENSSL=3.2.3
-OPENSSL_SHA256=52b5f1c6b8022bc5868c308c54fb77705e702d6c6f4594f99a0df216acf46239
+OPENSSL=3.4.0
+OPENSSL_SHA256=e15dda82fe2fe8139dc2ac21a36d4ca01d5313c75f99f46c4e8a27709b7294bf
 PCRE=10.44
 PCRE_SHA256=86b9cb0aa3bcb7994faa88018292bc704cdbb708e785f7c74352ff6ea7d3175b
 ADA=2.9.2
 ADA_SHA256=b2cce630590b490d79ea4f4460ba77efd5fb29c5a87a4e8cb7ebc4859bc4b564
-LIBEXPAT=2.6.2
-LIBEXPAT_SHA256=d4cf38d26e21a56654ffe4acd9cd5481164619626802328506a2869afab29ab3
+LIBEXPAT=2.6.4
+LIBEXPAT_SHA256=fd03b7172b3bd7427a3e7a812063f74754f24542429b634e0db6511b53fb2278
 
 # Note: git repositories can be loaded from local path if path is set as value
 
@@ -20,7 +20,7 @@ LUA_RESTY_LMDB=9da0e9f3313960d06e2d8e718b7ac494faa500f1 # 1.6.0
 LUA_RESTY_EVENTS=bc85295b7c23eda2dbf2b4acec35c93f77b26787 # 0.3.1
 LUA_RESTY_SIMDJSON=7e6466ce91b2bc763b45701a4f055e94b1e8143b # 1.1.0
 LUA_RESTY_WEBSOCKET=966c69c39f03029b9b42ec0f8e55aaed7d6eebc0 # 0.4.0.1
-ATC_ROUTER=ffd11db657115769bf94f0c4f915f98300bc26b6 # 1.6.2
+ATC_ROUTER=4d29e10517e2c9d1dae3966f4034b38c557e2eaa # 1.7.1
 SNAPPY=23b3286820105438c5dbb9bc22f1bb85c5812c8a # 1.2.0
 
 KONG_MANAGER=nightly

bin/busted

@@ -64,6 +64,10 @@ if not os.getenv("KONG_BUSTED_RESPAWNED") then
   -- create shared dict
   resty_flags = resty_flags .. require("spec.fixtures.shared_dict")
 
+  -- create lmdb environment
+  local lmdb_env = os.tmpname()
+  resty_flags = resty_flags .. string.format(' --main-conf "lmdb_environment_path %s;" ', lmdb_env)
+
   if resty_flags then
     table.insert(cmd, cmd_prefix_count+1, resty_flags)
   end

build/libexpat/BUILD.libexpat.bazel

@@ -39,7 +39,7 @@ configure_make(
             "libexpat.1.dylib",
         ],
         "//conditions:default": [
-            "libexpat.so.1.9.2",
+            "libexpat.so.1.10.0",
         ],
     }),
     targets = [

build/luarocks/templates/luarocks_make.sh

@@ -15,7 +15,7 @@ mkdir -p $(dirname $@)
 # alias LDOC command to true(1) command
 export LDOC=true
 
-$luarocks_exec make --no-doc 2>&1 >$@.tmp
+$luarocks_exec make --no-doc >$@.tmp 2>&1
 
 # only generate the output when the command succeeds
-mv $@.tmp $@
+mv $@.tmp $@

build/luarocks/templates/luarocks_target.sh

@@ -33,7 +33,7 @@ EOF
 export LUAROCKS_CONFIG=$ROCKS_CONFIG
 
 $host_luajit $luarocks_wrap_script \
-            luarocks $rocks_tree $install_destdir 2>&1 > $@.tmp
+            luarocks $rocks_tree $install_destdir > $@.tmp 2>&1
 
 # write the luarocks config with host configuration
 mkdir -p $rocks_tree/etc/luarocks
@@ -55,4 +55,4 @@ sed -i -e "s|$build_destdir|$install_destdir|g" $rocks_tree/bin/luarocks
 sed -i -e "s|$rocks_tree|$install_destdir|g" $rocks_tree/bin/luarocks
 
 # only generate the output when the command succeeds
-mv $@.tmp $@
+mv $@.tmp $@

build/openresty/patches/lua-resty-core-0.1.28_02-balancer_set_upstream_tls.patch

@@ -0,0 +1,205 @@
+diff --git a/bundle/lua-resty-core-0.1.28/lib/ngx/balancer.lua b/bundle/lua-resty-core-0.1.28/lib/ngx/balancer.lua
+index 7d64d63..b0b7543 100644
+--- a/bundle/lua-resty-core-0.1.28/lib/ngx/balancer.lua
++++ b/bundle/lua-resty-core-0.1.28/lib/ngx/balancer.lua
+@@ -22,6 +22,7 @@ local ngx_lua_ffi_balancer_set_current_peer
+ local ngx_lua_ffi_balancer_set_more_tries
+ local ngx_lua_ffi_balancer_get_last_failure
+ local ngx_lua_ffi_balancer_set_timeouts -- used by both stream and http
++local ngx_lua_ffi_balancer_set_upstream_tls
+ 
+ 
+ if subsystem == 'http' then
+@@ -41,6 +42,8 @@ if subsystem == 'http' then
+ 
+     int ngx_http_lua_ffi_balancer_recreate_request(ngx_http_request_t *r,
+         char **err);
++    int ngx_http_lua_ffi_balancer_set_upstream_tls(ngx_http_request_t *r,
++        int on, char **err);
+     ]]
+ 
+     ngx_lua_ffi_balancer_set_current_peer =
+@@ -55,6 +58,9 @@ if subsystem == 'http' then
+     ngx_lua_ffi_balancer_set_timeouts =
+         C.ngx_http_lua_ffi_balancer_set_timeouts
+ 
++    ngx_lua_ffi_balancer_set_upstream_tls =
++        C.ngx_http_lua_ffi_balancer_set_upstream_tls
++
+ elseif subsystem == 'stream' then
+     ffi.cdef[[
+     int ngx_stream_lua_ffi_balancer_set_current_peer(
+@@ -228,6 +234,29 @@ if subsystem == 'http' then
+ 
+         return nil, "failed to recreate the upstream request"
+     end
++
++
++    function _M.set_upstream_tls(on)
++        local r = get_request()
++        if not r then
++            return error("no request found")
++        end
++
++        local rc
++
++        if on == 0 or on == false then
++            on = 0
++        else
++            on = 1
++        end
++
++        rc = ngx_lua_ffi_balancer_set_upstream_tls(r, on, errmsg);
++        if rc == FFI_OK then
++            return true
++        end
++
++        return nil, ffi_str(errmsg[0])
++    end
+ end
+ 
+ 
+diff --git a/bundle/lua-resty-core-0.1.28/lib/ngx/balancer.md b/bundle/lua-resty-core-0.1.28/lib/ngx/balancer.md
+index ef2f124..3ec8cb9 100644
+--- a/bundle/lua-resty-core-0.1.28/lib/ngx/balancer.md
++++ b/bundle/lua-resty-core-0.1.28/lib/ngx/balancer.md
+@@ -13,11 +13,12 @@ Table of Contents
+     * [stream subsystem](#stream-subsystem)
+ * [Description](#description)
+ * [Methods](#methods)
++    * [get_last_failure](#get_last_failure)
++    * [recreate_request](#recreate_request)
+     * [set_current_peer](#set_current_peer)
+     * [set_more_tries](#set_more_tries)
+-    * [get_last_failure](#get_last_failure)
+     * [set_timeouts](#set_timeouts)
+-    * [recreate_request](#recreate_request)
++    * [set_upstream_tls](#set_upstream_tls)
+ * [Community](#community)
+     * [English Mailing List](#english-mailing-list)
+     * [Chinese Mailing List](#chinese-mailing-list)
+@@ -270,6 +271,21 @@ This function was first added in the `0.1.20` version of this library.
+ 
+ [Back to TOC](#table-of-contents)
+ 
++set_upstream_tls
++------------
++**syntax:** `ok, err = balancer.set_upstream_tls(on)`
++
++**context:** *balancer_by_lua**
++
++Turn off the HTTPs or reenable the HTTPs for the upstream connection.
++
++- If `on` is `true`, then the https protocol will be used to connect to the upstream server.
++- If `on` is `false`, then the http protocol will be used to connect to the upstream server.
++
++This function was first added in the `0.1.29` version of this library.
++
++[Back to TOC](#table-of-contents)
++
+ Community
+ =========
+ 
+diff --git a/bundle/lua-resty-core-0.1.28/t/balancer.t b/bundle/lua-resty-core-0.1.28/t/balancer.t
+index 3e9fb2f..6201b47 100644
+--- a/bundle/lua-resty-core-0.1.28/t/balancer.t
++++ b/bundle/lua-resty-core-0.1.28/t/balancer.t
+@@ -882,3 +882,98 @@ connect() failed (111: Connection refused) while connecting to upstream, client:
+ --- no_error_log
+ [warn]
+ [crit]
++
++
++
++=== TEST 20: set_upstream_tls off
++--- skip_nginx: 5: < 1.7.5
++--- http_config
++    lua_package_path "$TEST_NGINX_LUA_PACKAGE_PATH";
++
++    upstream backend {
++        server 0.0.0.1;
++        balancer_by_lua_block {
++            local b = require "ngx.balancer"
++            b.set_current_peer("127.0.0.1", tonumber(ngx.var.server_port))
++            b.set_upstream_tls(false)
++        }
++        keepalive 1;
++    }
++
++    server {
++        listen $TEST_NGINX_RAND_PORT_1 ssl;
++        ssl_certificate ../../cert/test.crt;
++        ssl_certificate_key ../../cert/test.key;
++
++        server_tokens off;
++        location = /back {
++            return 200 "ok";
++        }
++    }
++--- config
++    location /t {
++        proxy_pass https://backend/back;
++        proxy_http_version 1.1;
++        proxy_set_header Connection "";
++    }
++
++    location /back {
++        echo "Hello world!";
++    }
++--- request
++    GET /t
++--- no_error_log
++[alert]
++[error]
++--- response_body
++Hello world!
++
++--- no_check_leak
++
++
++
++=== TEST 21: set_upstream_tls on
++--- skip_nginx: 5: < 1.7.5
++--- http_config
++    lua_package_path "$TEST_NGINX_LUA_PACKAGE_PATH";
++
++    upstream backend {
++        server 0.0.0.1;
++        balancer_by_lua_block {
++            local b = require "ngx.balancer"
++            b.set_current_peer("127.0.0.1", $TEST_NGINX_RAND_PORT_1)
++            b.set_upstream_tls(false)
++            b.set_upstream_tls(true)
++        }
++
++        keepalive 1;
++    }
++
++    server {
++        listen $TEST_NGINX_RAND_PORT_1 ssl;
++        ssl_certificate ../../cert/test.crt;
++        ssl_certificate_key ../../cert/test.key;
++
++        server_tokens off;
++        location = /back {
++            return 200 "ok";
++        }
++    }
++--- config
++    location /t {
++        proxy_pass https://backend/back;
++        proxy_http_version 1.1;
++        proxy_set_header Connection "";
++    }
++
++    location /back {
++        echo "Hello world!";
++    }
++--- request
++    GET /t
++--- no_error_log
++[alert]
++[error]
++--- response_body chomp
++ok
++--- no_check_leak

build/openresty/patches/nginx-1.25.3_09-refresh-uri-when-proxy-pass-balancer-recreate.patch

@@ -0,0 +1,27 @@
+diff --git a/bundle/nginx-1.25.3/src/http/modules/ngx_http_proxy_module.c b/bundle/nginx-1.25.3/src/http/modules/ngx_http_proxy_module.c
+index 4eb6931..9d38e6b 100644
+--- a/bundle/nginx-1.25.3/src/http/modules/ngx_http_proxy_module.c
++++ b/bundle/nginx-1.25.3/src/http/modules/ngx_http_proxy_module.c
+@@ -1277,6 +1277,22 @@ ngx_http_proxy_create_request(ngx_http_request_t *r)
+ 
+     ctx = ngx_http_get_module_ctx(r, ngx_http_proxy_module);
+ 
++    // make sure we refresh the proxy upstream uri in balancer retry scenarios
++    if (r->upstream_states && r->upstream_states->nelts > 0) {
++        if (plcf->proxy_lengths == NULL) {
++            ctx->vars = plcf->vars;
++            u->schema = plcf->vars.schema;
++    #if (NGX_HTTP_SSL)
++            u->ssl = plcf->ssl;
++    #endif
++
++        } else {
++            if (ngx_http_proxy_eval(r, ctx, plcf) != NGX_OK) {
++                return NGX_HTTP_INTERNAL_SERVER_ERROR;
++            }
++        }
++    }
++
+     if (method.len == 4
+         && ngx_strncasecmp(method.data, (u_char *) "HEAD", 4) == 0)
+     {