<!--
!!!ATTENTION!!!
If you are fixing *any* crash or *any* potential security issue, *do
not*
open a pull request in this repo. Please report the issue via emailing
envoy-security@googlegroups.com where the issue will be triaged
appropriately.
Thank you in advance for helping to keep Envoy secure.
!!!ATTENTION!!!
For an explanation of how to fill out the fields, please see the
relevant section
in
[PULL_REQUESTS.md](https://github.com/envoyproxy/envoy/blob/main/PULL_REQUESTS.md)
-->
This PR adds the API for the HTTP APIKey Auth Filter proposed at
https://github.com/envoyproxy/envoy/issues/34877 and
https://github.com/envoyproxy/gateway/issues/2630.
Commit Message: api: HTTP APIKey Auth Filter
Risk Level: Low (only API)
Testing: WIP (will be done after we agree on the API)
Docs Changes: WIP
Release Notes: WIP
Platform Specific Features: No
Part of: #34877
---------
Signed-off-by: Kensei Nakada <handbomusic@gmail.com>
Signed-off-by: wangbaiping(wbpcode) <wangbaiping@bytedance.com>
Co-authored-by: wangbaiping(wbpcode) <wangbaiping@bytedance.com>
Mirrored from https://github.com/envoyproxy/envoy @ 72b75074a0ee089ad81f68ae011e31f14c2936fe
Commit Message: dynamic_modules: scaffolds config API & HTTP Filter
Additional Description:
This scaffolds the configuration API marked as work-in-progress, and
the skeleton HTTP filter implementation based on the configuration.
The real implementations will follow after this commit.
Risk Level: low
Testing: done
Docs Changes: n/a
Release Notes: n/a (not enabled yet)
---------
Signed-off-by: Takeshi Yoneda <t.y.mathetake@gmail.com>
Mirrored from https://github.com/envoyproxy/envoy @ 0e6450aac2d0010555c82eb1ff513cf234ab5817
Commit Message: aws_signing: support for dynamically configurable credential
Additional Description:
This adds a new API to the AWS Signing filter that allows control planes to
configure the credential providers used to sign requests.
Note that a similar configuration had already been added for the AWS Lambda filter,
and this adds a similar but more generic credential configuration API to the common
configuration. In the future, the Lambda filter can also leverage this new common
configuration.
Closes #36109
Risk Level: low
Testing: unit
Docs Changes: done
Release Notes: done
---------
Signed-off-by: Takeshi Yoneda <t.y.mathetake@gmail.com>
Mirrored from https://github.com/envoyproxy/envoy @ 871b3e91234d6e305d4ec653444f1d56b324a302
Commit Message: Add a CPU utilization resource monitor for the overload manager, i.e. it can be configured to reject requests once CPU utilization reaches a certain brownout point.
Signed-off-by: Can Cecen <ccecen@netflix.com>
Mirrored from https://github.com/envoyproxy/envoy @ 4d121628c648d2f565b4e6651484036981051763
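The brownout behaviour the commit message describes, as an added example that is not Envoy's own code: it derives CPU utilization from two `/proc/stat` samples (Linux is assumed as the source, and the two sample lines are constructed) and applies a threshold trigger of the kind the overload manager uses, plus a scaled trigger for actions that ramp rather than flip. The function and field names are this example's own, not the resource monitor's API.

```python
from typing import Tuple

# Constructed /proc/stat aggregate "cpu" lines about one second apart.
# Sample data for the example, not real measurements.
SAMPLE_T0 = "cpu  4705 150 1120 16250 520 0 30 0 0 0"
SAMPLE_T1 = "cpu  5605 160 1320 16350 530 0 40 0 0 0"


def parse_cpu_line(line: str) -> Tuple[int, int]:
    """Return (idle, total) jiffies from a /proc/stat aggregate 'cpu' line.

    Field order: user nice system idle iowait irq softirq steal guest guest_nice.
    guest/guest_nice are already folded into user/nice by the kernel, so the
    total is the sum of the first eight fields only.
    """
    fields = line.split()
    if not fields or fields[0] != "cpu":
        raise ValueError("not the aggregate cpu line")
    values = [int(f) for f in fields[1:]]
    if len(values) < 4:
        raise ValueError("too few fields")
    idle = values[3] + (values[4] if len(values) > 4 else 0)  # idle + iowait
    return idle, sum(values[:8])


def cpu_utilization(prev_line: str, curr_line: str) -> float:
    """Fraction of non-idle time between two samples, clamped to [0, 1]."""
    idle0, total0 = parse_cpu_line(prev_line)
    idle1, total1 = parse_cpu_line(curr_line)
    elapsed = total1 - total0
    if elapsed <= 0:
        raise ValueError("no elapsed jiffies between samples")
    return max(0.0, min(1.0, 1.0 - (idle1 - idle0) / elapsed))


def threshold_trigger(pressure: float, value: float) -> bool:
    """Binary trigger: the action is active once pressure reaches the threshold."""
    return pressure >= value


def scaled_trigger(pressure: float, scaling: float, saturation: float) -> float:
    """Scaled trigger: 0 below `scaling`, 1 at or above `saturation`, linear in between."""
    if not 0.0 <= scaling < saturation <= 1.0:
        raise ValueError("need 0 <= scaling < saturation <= 1")
    if pressure < scaling:
        return 0.0
    if pressure >= saturation:
        return 1.0
    return (pressure - scaling) / (saturation - scaling)


def should_reject(prev_line: str, curr_line: str, brownout: float = 0.9) -> Tuple[float, bool]:
    """Example policy: reject new requests once utilization reaches the brownout point."""
    utilization = cpu_utilization(prev_line, curr_line)
    return utilization, threshold_trigger(utilization, brownout)


if __name__ == "__main__":
    util, reject = should_reject(SAMPLE_T0, SAMPLE_T1)
    print(f"cpu utilization={util:.3f} reject_new_requests={reject}")
```

The two constructed samples give about 91% utilization, so a 0.9 brownout point sheds load while a 0.95 one does not; the scaled trigger is included because a single hard threshold tends to oscillate at the boundary, and ramping an action between two thresholds is the usual way to soften that.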
The Proto Message Extraction Filter supports extracting gRPC
requests/responses (proto messages) as `google.protobuf.Struct` and
storing results in the dynamic metadata
`envoy.filters.http.proto_message_scrubbing` for later access.
---------
Signed-off-by: dchakarwarti@google.com <dchakarwarti@google.com>
Mirrored from https://github.com/envoyproxy/envoy @ 16759b97e02131cc9c8ca64d13cf663c75dae047
resolves #35673
## PR overview
Redis proxy users may want to create advanced authentication methods.
For example, the official [Azure SDK extension for
Redis](https://github.com/Azure/Microsoft.Azure.StackExchangeRedis)
allows authenticating to a Redis server using Microsoft Entra ID
token-based authentication, by passing a token in the password argument
of the `AUTH` command periodically, based on token expiration.
This PR introduces a way to support external authentication via a gRPC
service with additional support for expiry of such authentication (e.g.
for token-based authentication).
This way we keep it extensible for **any** advanced authentication
methods users might want to develop.
### The reviewer may ask: Why not use the _ext_authz_ filter?
The cost/latency impact of using the _ext_authz_ filter is much bigger
than that of the proposed design. That's because instead of being called on
every request, the current design only calls the external dependency on
**AUTH** commands. Not only that, but we would also have to decode the
Redis protocol twice if we used a separate filter.
---
Risk Level: Medium (small optional feature added to existing filter)
Testing: ✅
- Unit Tests
- Integration Tests
- Manual Testing
![image](https://github.com/user-attachments/assets/3caab358-7c37-446d-8e12-bff9c1442948)
- Also, we are already using the signed _-dev_ build on a test AKS
cluster
Docs Changes: ✅
- Proto docs
![image](https://github.com/user-attachments/assets/1432114f-ff93-431a-90ad-1c1262989e8c)
- Updated authentication-related information on the Redis protocol page.
Release Notes: ✅
---------
Signed-off-by: Diogo Barbosa <diogobarbosa@microsoft.com>
Signed-off-by: Diogo Barbosa <pessoal.dbarbosa@gmail.com>
Mirrored from https://github.com/envoyproxy/envoy @ 67b69c9038402b88953a2ab171ae38cab5cb23ab
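To make the AUTH-only external call and the expiry semantics concrete, an added example that is not the redis proxy filter's code: a RESP command parser and a per-connection gate that consults an external authenticator only on AUTH, records the expiry it returns, and answers every other command with -NOAUTH once that expiry has passed so the client must re-authenticate. The authenticator is a plain callback standing in for the gRPC service; its request/response shape is an assumption of this example, not the filter's proto. Error strings follow Redis's own replies.

```python
import time
from typing import Callable, List, Optional, Tuple

# Assumed stand-in for the external gRPC authentication service: given the
# optional username and the password/token from AUTH, return
# (authenticated, expires_at_unix_seconds or None for "never expires").
ExternalAuth = Callable[[Optional[bytes], bytes], Tuple[bool, Optional[float]]]

NOAUTH = b"-NOAUTH Authentication required.\r\n"
WRONGPASS = b"-WRONGPASS invalid username-password pair\r\n"
AUTH_ARITY = b"-ERR wrong number of arguments for 'auth' command\r\n"


def parse_resp_command(data: bytes) -> List[bytes]:
    """Parse one client command: a RESP array of bulk strings.

    Raises ValueError on anything malformed rather than guessing, since a
    proxy that mis-parses AUTH could let a credential through unchecked.
    """
    if not data.startswith(b"*"):
        raise ValueError("expected RESP array")
    lines = data.split(b"\r\n")
    count = int(lines[0][1:])
    parts, idx = [], 1
    for _ in range(count):
        if idx + 1 >= len(lines) or not lines[idx].startswith(b"$"):
            raise ValueError("expected bulk string")
        length = int(lines[idx][1:])
        value = lines[idx + 1]
        if len(value) != length:
            raise ValueError("bulk string length mismatch")
        parts.append(value)
        idx += 2
    return parts


class RedisAuthGate:
    """Per-connection authentication state in front of the upstream Redis."""

    def __init__(self, external_auth: ExternalAuth, clock: Callable[[], float] = time.time):
        self._auth = external_auth
        self._clock = clock
        self._authenticated = False
        self._expires_at: Optional[float] = None

    def is_authenticated(self) -> bool:
        if not self._authenticated:
            return False
        if self._expires_at is not None and self._clock() >= self._expires_at:
            # Token lifetime is over: the client has to AUTH again.
            self._authenticated = False
            return False
        return True

    def handle(self, raw: bytes) -> Tuple[bytes, bool]:
        """Return (reply to send downstream, whether to forward the command upstream)."""
        parts = parse_resp_command(raw)
        if not parts:
            raise ValueError("empty command")
        if parts[0].upper() == b"AUTH":
            if len(parts) == 2:
                user, secret = None, parts[1]
            elif len(parts) == 3:
                user, secret = parts[1], parts[2]
            else:
                return AUTH_ARITY, False
            ok, expires_at = self._auth(user, secret)  # the only external call
            self._authenticated, self._expires_at = ok, expires_at
            return (b"+OK\r\n" if ok else WRONGPASS), False
        if not self.is_authenticated():
            return NOAUTH, False
        return b"", True  # no local reply; proxy the command as usual


if __name__ == "__main__":
    demo = RedisAuthGate(lambda user, secret: (secret == b"tok-abc", time.time() + 60))
    print(demo.handle(b"*2\r\n$3\r\nGET\r\n$3\r\nfoo\r\n"))
    print(demo.handle(b"*2\r\n$4\r\nAUTH\r\n$7\r\ntok-abc\r\n"))
    print(demo.handle(b"*2\r\n$3\r\nGET\r\n$3\r\nfoo\r\n"))
```

The expiry check happens on every non-AUTH command but costs only a clock comparison; the external service is reached exactly once per AUTH, which is the cost argument made against using _ext_authz_ above.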
---------
Signed-off-by: wbpcode <wbphub@gmail.com>
Mirrored from https://github.com/envoyproxy/envoy @ 44ad1a7db101abe2d42752c21a24913060da8e06
Looks like it broke prechecks
Signed-off-by: Alyssa Wilk <alyssar@chromium.org>
Mirrored from https://github.com/envoyproxy/envoy @ 6145b7e9cc68061aaaa1c003d6f995e3e4499269
Commit Message: generic proxy: move generic proxy from contrib into extensions
Additional Description:
The generic proxy is designed as a framework to empower developers
to develop new L7 proxies for various L7 protocols.
It's being used for multiple different private protocols now in our users'
production environments. And recently, I completed the last part of the
generic proxy: filter chain support for variable-length streams.
And besides the private protocols, we use the generic proxy to implement
Kafka proxying, Pulsar proxying and conditional traffic routing (part
of this work has been contributed back to Envoy).
After an offline discussion with other maintainers, I am preparing to move
the generic proxy to extensions now.
Risk Level: low.
Testing: n/a.
Docs Changes: n/a.
Release Notes: n/a.
Platform Specific Features: n/a.
---------
Signed-off-by: wbpcode <wbphub@live.com>
Signed-off-by: wbpcode <wbphub@gmail.com>
Co-authored-by: wbpcode <wbphub@live.com>
Mirrored from https://github.com/envoyproxy/envoy @ 0dbd4418f6a4b2c649b7c88cff4ec2bec872a9c6
Commit Message: Add a way to configure a quic connection debug visitor factory that will be used to attach a debug visitor to all quic connections on the listener. Adds an interface for this new type of factory.
Additional Description:
Risk Level: Low
Testing: Added new tests and modified existing tests in /test/common/quic. Also performed manual testing on a real machine and sent traffic to it using quic_client.
Docs Changes: Update envoy.config.listener.v3.quic_config.proto inline.
Release Notes: N/A
Platform Specific Features: N/A
Signed-off-by: Will Lampert <wlampert@google.com>
Mirrored from https://github.com/envoyproxy/envoy @ 0c28205942066b2b5b2ef2a344c9357f27f642c7
For Apache Thrift compatible HTTP requests and responses, this filter parses the Thrift metadata and puts it into filter dynamic metadata for use by other filters.
This is the initial proto design, which follows other filters like json_to_metadata and payload_to_metadata.
Risk Level: low
Testing: build
Docs Changes: yes
#29371
Signed-off-by: kuochunghsu <kuochunghsu@pinterest.com>
Mirrored from https://github.com/envoyproxy/envoy @ 7081e5637c2cb0ecc90f1d1949c8acf27d576979
* generic proxy: complete the development of HTTP1 codec
Signed-off-by: wbpcode <wbphub@live.com>
* minor update
Signed-off-by: wbpcode <wbphub@live.com>
* add TODOs
Signed-off-by: wbpcode <wbphub@live.com>
* more validation and single frame mode for HTTP
Signed-off-by: wbpcode <wbphub@live.com>
* more test and validation
Signed-off-by: wbpcode <wbphub@live.com>
* handle the 100 continue and the 1xx response
Signed-off-by: wbpcode <wbphub@live.com>
* minor update
Signed-off-by: wbpcode <wbphub@live.com>
* address comments
Signed-off-by: wbpcode <wbphub@live.com>
* address comments
Signed-off-by: wbpcode <wbphub@live.com>
---------
Signed-off-by: wbpcode <wbphub@live.com>
Mirrored from https://github.com/envoyproxy/envoy @ ffcc257e16c9046b2fec7497a6bf9293d8ada286
* API for defining HTTP errors, locally originated errors and database errors.
Signed-off-by: Christoph Pakulski <paker8848@gmail.com>
* Adjusted next free field.
Signed-off-by: Christoph Pakulski <paker8848@gmail.com>
* Use Any for monitor extensions.
Moved proto for errors and consecutive errors monitor to envoy/extensions.
Signed-off-by: Christoph Pakulski <paker8848@gmail.com>
* Adjusted main api's BUILD file.
Signed-off-by: Christoph Pakulski <paker8848@gmail.com>
* Renamed common to error_types.
Signed-off-by: Christoph Pakulski <paker8848@gmail.com>
* Fixed docs.
Signed-off-by: Christoph Pakulski <paker8848@gmail.com>
* Used TypedExtensionConfig instead of user-define message.
Signed-off-by: Christoph Pakulski <paker8848@gmail.com>
* Redesign ErrorBucket to avoid using oneof.
Signed-off-by: Christoph Pakulski <paker8848@gmail.com>
* Renamed error buckets.
Signed-off-by: Christoph Pakulski <paker8848@gmail.com>
---------
Signed-off-by: Christoph Pakulski <paker8848@gmail.com>
Mirrored from https://github.com/envoyproxy/envoy @ 6e71eb87e5d1c5b1853763afce64738bce13b586
Commit Message: Allow specifying resource detectors for the OpenTelemetry tracer via a new configuration resource_detectors. The resource detector reads from the env variable OTEL_RESOURCE_ATTRIBUTES which is defined by the OTel specification. The detector returns a resource object populated with the detected attributes, which is sent as part of the OTLP request.
Additional Description: This PR adds the "foundation" for building other resource detectors in Envoy. It is based on the OTel collector implementation. Users can configure multiple resource detectors, and they work together to "merge" all the detected attributes into a single resource object, which is then part of the OTLP message exported.
Risk Level: Low
Testing: Multiple unit tests that cover all new code/scenarios. I also did manual testing, running Envoy locally with the OTel tracer + env resource detector enabled. Resource attributes detected from my environment are successfully exported, as seen in the Jaeger screenshot.
(screenshot: resource-detectors-env-jaeger)
Docs Changes: Not sure if I should add/where. Happy to do it.
Release Notes: N/A
Platform Specific Features: N/A
[Optional Runtime guard:] N/A
Fixes #28929
Here is how the new config is used:
```yaml
tracing:
  provider:
    name: envoy.tracers.opentelemetry
    typed_config:
      "@type": type.googleapis.com/envoy.config.trace.v3.OpenTelemetryConfig
      grpc_service:
        envoy_grpc:
          cluster_name: opentelemetry_collector
        timeout: 0.250s
      service_name: envoy-gRPC-exporter
      resource_detectors: # --> NEW CONFIG
      - name: envoy.tracers.opentelemetry.resource_detectors.environment
        typed_config:
          "@type": type.googleapis.com/envoy.extensions.tracers.opentelemetry.resource_detectors.v3.EnvironmentResourceDetectorConfig
```
Signed-off-by: Joao Grassi <joao.grassi@dynatrace.com>
Mirrored from https://github.com/envoyproxy/envoy @ 4eaa1f866164eee5d51e46406bcb31d8dec99bdd
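An added example, not Envoy's implementation, of what the environment resource detector and the merge step do: it parses OTEL_RESOURCE_ATTRIBUTES as the OTel specification defines it (comma-separated key=value pairs, percent-decoded values, malformed pairs skipped) and merges the output of several detectors in configuration order, later detectors winning on key conflicts as in the OTel Resource merge rule. The sample variable value and the static first detector are constructed for the example.

```python
import os
from typing import Callable, Dict, List, Mapping, Optional
from urllib.parse import unquote

# Constructed sample value for OTEL_RESOURCE_ATTRIBUTES (example data, not from the commit).
SAMPLE_ENV = {
    "OTEL_RESOURCE_ATTRIBUTES": "service.namespace=shop, deployment.environment=prod,host.name=edge%2D01"
}

Attributes = Dict[str, str]
Detector = Callable[[], Attributes]


def parse_otel_resource_attributes(raw: str) -> Attributes:
    """Parse the OTEL_RESOURCE_ATTRIBUTES format: comma-separated key=value pairs.

    Values are percent-decoded (the spec borrows the W3C Baggage value syntax),
    surrounding whitespace is ignored, and pairs without an '=' or with an
    empty key are skipped so one bad entry does not disable detection.
    """
    attrs: Attributes = {}
    for pair in raw.split(","):
        if "=" not in pair:
            continue
        key, value = pair.split("=", 1)
        key = key.strip()
        if not key:
            continue
        attrs[key] = unquote(value.strip())
    return attrs


def environment_detector(env: Optional[Mapping[str, str]] = None) -> Attributes:
    """Resource detector reading OTEL_RESOURCE_ATTRIBUTES (from os.environ by default)."""
    source = os.environ if env is None else env
    return parse_otel_resource_attributes(source.get("OTEL_RESOURCE_ATTRIBUTES", ""))


def merge_resources(detected: List[Attributes]) -> Attributes:
    """Merge detector outputs in configuration order.

    Follows the OTel Resource merge rule: when both sides carry a key, the
    updating (later) resource's value is taken, even if it is empty.
    """
    merged: Attributes = {}
    for attrs in detected:
        merged.update(attrs)
    return merged


def detect_resource(detectors: List[Detector]) -> Attributes:
    """Run every configured detector and fold the results into one resource."""
    return merge_resources([detector() for detector in detectors])


def example_resource() -> Attributes:
    """Static attributes (assumed to come from the tracer config) followed by the
    environment detector, which overrides host.name."""
    static_detector: Detector = lambda: {"service.name": "envoy-gRPC-exporter", "host.name": "unknown"}
    env_detector: Detector = lambda: environment_detector(SAMPLE_ENV)
    return detect_resource([static_detector, env_detector])


if __name__ == "__main__":
    for key, value in sorted(example_resource().items()):
        print(f"{key}={value}")
```

Because later detectors override earlier ones, the order of `resource_detectors` in the config matters: anything that reads operator-controlled input such as the process environment should be placed deliberately, since it can overwrite attributes like `service.name` that downstream dashboards and alerting key on.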
Commit Message: Adds a new extension to set the filter state
Risk Level: low
Testing: done
Docs Changes: yes
Release Notes: yes
Issue: #29813
Signed-off-by: Kuat Yessenov <kuat@google.com>
Mirrored from https://github.com/envoyproxy/envoy @ 025d49f78410841e6caa26c1e42465c17f168e91
This reverts commit e95324541b0e1cbfa07b43cbf87490cff7383f27.
This change broke the compile_time_options CI job.
Signed-off-by: Greg Greenway <ggreenway@apple.com>
Mirrored from https://github.com/envoyproxy/envoy @ de85ff2a125a2c23378bd463259fbea3e05442f9
* Allow custom local address resolvers.
#27881 introduces the concept of EDS clusters with hosts that have multiple (potentially > 2) IP addresses.
The current implementation of UpstreamLocalAddressSelector limits the number of source addresses in BindConfig artificially to 2, and further requires that the addresses be of different address families.
The workaround for this (if we need to specify more than 2 source addresses or have multiple addresses from the same family) is to use a custom address resolver that resolves the bind config address to nullptr (so that it is ignored) and call bind in a customised SocketInterfaceImpl to a local source address determined by the SocketInterfaceImpl specialisation.
This PR makes it possible to define a custom local address selector, that makes it easy to work with a custom address resolver to pick the right source address based on the upstream address selected by HappyEyeballsConnectionImpl
Signed-off-by: pcrao <pcrao@google.com>
Mirrored from https://github.com/envoyproxy/envoy @ da47a54a8ccbaa384c4cb62a5f4fcd4745a72c37
Commit Message: add the proto for the new http filter GrpcFieldExtraction we are going to contribute.
Additional Description: please see the proto comments for this filter's behavior. Thanks @yanavlasov who is willing to be the sponsor.
Risk Level: NA
Testing: NA
Docs Changes: NA
Release Notes: NA
Mirrored from https://github.com/envoyproxy/envoy @ 46a05a6e79b17b64406c83930d3065a545a04cbd
Commit Message:
This commit adds CONNECT-UDP (RFC 9298) support. UdpConnPool is added to create a UDP socket for a new CONNECT-UDP request, and UDPUpstream is added to maintain the socket and other relevant data associated with UDP upstreams.
We added an integration test for the terminating CONNECT-UDP proxy, but not the forwarding proxy in this commit. We are going to add test cases to cover the forwarding proxy scenario in a subsequent commit.
Additional Description:
Risk Level: Medium, the feature can only be enabled by the new configuration added in this commit.
Testing: Integration test
Runtime guard: envoy.reloadable_features.enable_connect_udp_support
Release Notes: added support for CONNECT-UDP (RFC 9298). Can be disabled by setting runtime feature envoy.reloadable_features.enable_connect_udp_support to false.
Signed-off-by: Jeongseok Son <jeongseok.son@gmail.com>
Co-authored-by: asingh-g <abhisinghx@google.com>
Mirrored from https://github.com/envoyproxy/envoy @ b4f37553d6887447f942a1aedbc8c2dacae45537
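As an added example (not Envoy's implementation) of the wire format a terminating CONNECT-UDP proxy has to handle: the Extended CONNECT request headers for the RFC 9298 default URI template, and encoding/decoding of HTTP Datagram capsules (RFC 9297) carrying UDP payloads under context ID 0, including the skip-unknown-capsule and wait-for-more-bytes cases. The proxy authority and target are constructed values.

```python
from typing import List, Tuple
from urllib.parse import quote

DATAGRAM_CAPSULE_TYPE = 0x00   # RFC 9297: DATAGRAM capsule
UDP_PAYLOAD_CONTEXT_ID = 0     # RFC 9298: context ID 0 carries raw UDP payloads

# Constructed values for the example request.
PROXY_AUTHORITY = "proxy.example"
TARGET_HOST = "2001:db8::1"
TARGET_PORT = 53


def encode_varint(value: int) -> bytes:
    """QUIC variable-length integer (RFC 9000 section 16), used by capsule fields."""
    if not 0 <= value < (1 << 62):
        raise ValueError("varint out of range")
    if value < (1 << 6):
        return value.to_bytes(1, "big")
    if value < (1 << 14):
        return (value | 0x4000).to_bytes(2, "big")
    if value < (1 << 30):
        return (value | 0x80000000).to_bytes(4, "big")
    return (value | 0xC000000000000000).to_bytes(8, "big")


def decode_varint(buf: bytes, pos: int) -> Tuple[int, int]:
    """Return (value, new position); ValueError if the buffer is truncated."""
    if pos >= len(buf):
        raise ValueError("truncated varint")
    length = 1 << (buf[pos] >> 6)  # top two bits select 1/2/4/8 bytes
    if pos + length > len(buf):
        raise ValueError("truncated varint")
    raw = int.from_bytes(buf[pos:pos + length], "big")
    return raw & ((1 << (8 * length - 2)) - 1), pos + length


def connect_udp_headers(proxy_authority: str, target_host: str, target_port: int) -> List[Tuple[str, str]]:
    """Extended CONNECT request for the RFC 9298 default URI template
    '/.well-known/masque/udp/{target_host}/{target_port}/'.

    IPv6 literals contain ':' which cannot appear raw in that path segment,
    so the host is percent-encoded with no characters marked safe.
    """
    if not 0 < target_port < 65536:
        raise ValueError("bad port")
    path = "/.well-known/masque/udp/%s/%d/" % (quote(target_host, safe=""), target_port)
    return [
        (":method", "CONNECT"),
        (":protocol", "connect-udp"),
        (":scheme", "https"),
        (":authority", proxy_authority),
        (":path", path),
        ("capsule-protocol", "?1"),
    ]


def encode_udp_capsule(udp_payload: bytes) -> bytes:
    """Wrap one UDP payload: Type | Length | (Context ID 0 | payload)."""
    value = encode_varint(UDP_PAYLOAD_CONTEXT_ID) + udp_payload
    return encode_varint(DATAGRAM_CAPSULE_TYPE) + encode_varint(len(value)) + value


def decode_capsules(stream: bytes) -> Tuple[List[bytes], bytes]:
    """Pull complete capsules off a byte stream.

    Returns (UDP payloads, unconsumed tail). An incomplete capsule at the end
    is left in the tail for the next read; capsules of unknown type and
    datagrams with an unregistered context ID are skipped, as the RFCs require.
    """
    payloads: List[bytes] = []
    pos = 0
    while pos < len(stream):
        try:
            capsule_type, p = decode_varint(stream, pos)
            capsule_len, p = decode_varint(stream, p)
        except ValueError:
            break
        if p + capsule_len > len(stream):
            break
        value = stream[p:p + capsule_len]
        pos = p + capsule_len
        if capsule_type != DATAGRAM_CAPSULE_TYPE or not value:
            continue
        context_id, q = decode_varint(value, 0)
        if context_id != UDP_PAYLOAD_CONTEXT_ID:
            continue
        payloads.append(value[q:])
    return payloads, stream[pos:]


if __name__ == "__main__":
    print(connect_udp_headers(PROXY_AUTHORITY, TARGET_HOST, TARGET_PORT))
    print(decode_capsules(encode_udp_capsule(b"dns query bytes")))
```

A terminating proxy receives the capsule stream on the request body, unwraps each payload and sends it as a UDP datagram to the target; the length check that breaks out of the loop is what keeps a partial capsule from being misread as a short datagram when the body arrives in pieces.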
* add access log to health check
Signed-off-by: Boteng Yao <boteng@google.com>
Mirrored from https://github.com/envoyproxy/envoy @ 881bc030a8f1cdc904311de6c1cdba38ef8cc98a
Commit Message: accesslog: support CEL command in the formatter
Risk Level: low
Testing: unit
Docs Changes: none
Release Notes: yes
Mirrored from https://github.com/envoyproxy/envoy @ 8cfeabd5bd0b15b5e6ef029bf9fef4dcaa1c8254