Commit Message: make HTTP/3 upstream sends 0-RTT (early data) requests if it has cached 0-RTT credentials. Add a config knob in RouteAction to specify which request can be sent over early data, which by default are HTTP safe methods.
Risk Level: high, changes to conn pool behavior though should only take effect for h3 pool
Testing: added h3 upstream integration tests.
Docs Changes: N/A
Release Notes: changes to docs/root/version_history/current.rst
Platform Specific Features: N/A
Runtime guard: envoy.reloadable_features.http3_sends_early_data
Fixes#18715, #19542
Signed-off-by: Dan Zhang <danzh@google.com>
Signed-off-by: Dan Zhang <danzh@google.com>
Mirrored from https://github.com/envoyproxy/envoy @ 8ce13d75a982ddd347db5a333a4bb080922f7514
* Add an option to RouteConfiguration, when enabled, ignore port contained in host header during host matching.
Signed-off-by: Xin Zhuang <stevenzzz@google.com>
Mirrored from https://github.com/envoyproxy/envoy @ 2f99e0c9f83b6c91b42d215a148ed49ce0f174fd
Note: support for logging headers (via %REQ()%) will happen in a follow-up.
Risk Level: medium
Testing: unit tests
Doc Changes: included
Release Notes: updated
Fixes#17898.
Signed-off-by: Raul Gutierrez Segales <rgs@pinterest.com>
Mirrored from https://github.com/envoyproxy/envoy @ 01a0ff52ed3a1e55b14c3bbff4daede6c61fd5fb
Allows users to opt-in to functionality to auto-detect proxy protocol if present, and skip the filter if it's not present.
Signed-off-by: Kevin Dorosh <kevin.dorosh@solo.io>
Mirrored from https://github.com/envoyproxy/envoy @ 18c59eaf1b78c5b6bbe4d6ad96009ec3ecd895e1
This adds an odcds_config field to the extension's config, and also allows the extension to be configured per-route. As it stands, it currently works only with routes using cluster-header config.
Risk Level: Medium, extending one extension in an opt-in way.
Testing: Added unit tests and integration tests.
Fixes#2500
Signed-off-by: Krzesimir Nowak <knowak@microsoft.com>
Mirrored from https://github.com/envoyproxy/envoy @ a41b254a4e8f1faf40033c50c7122aa654186f63
To avoid HOL blocking impacts on slow connections.
Signed-off-by: Matt Klein <mklein@lyft.com>
Mirrored from https://github.com/envoyproxy/envoy @ d0befbbb952c979782857bdb986bec562d9a3c2f
By default the router closes downstream connection if the current request is not routable or the upstream connection is broken. This causes oneway (or async) requests pending on wire or in kernel buffers will be also dropped even if they are routable and their target cluster is perfectly healthy.
Risk Level: low
Testing: unit test
Docs Changes: Comment added to the new API field.
Fixes#12836
Signed-off-by: Tamas Kovacs <tamas.2.kovacs@nokia-sbell.com>
Mirrored from https://github.com/envoyproxy/envoy @ 65a4fc4977c4e50e722461a1d68278d404610342
The plans for bazel to move to rules_cc have been postponed without any
communication. There's no value to us in using this right now, but it
will be trivial to re-adopt in the future if needed. But it has the
downside of using a fork of bazel's crosstool, that has to be updated
independently of bazel, which doesn't always happen as improvements are
made.
More details: https://github.com/bazelbuild/rules_cc/issues/86https://github.com/bazelbuild/bazel/issues/14150
This also required a `--host_action_env` addition to mirror the variables we
pass through to actions in general. This is required because C++ toolchain
setup which discovers linkers in the cc configuration which uses PATH directly,
but then host actions didn't use PATH because of
--incompatible_strict_action_env, so gcc couldn't discover the path of lld even
though `-fuse-ld=lld` was passed.
Fixes https://github.com/envoyproxy/envoy/issues/16608
Signed-off-by: Keith Smiley <keithbsmiley@gmail.com>
Mirrored from https://github.com/envoyproxy/envoy @ 1edd65f80bd8ded5cb2c0ebeec818784ebd76bfb
This is a continuation of #20577.
Additional Description:
Risk Level: low
Testing: unit test
Signed-off-by: kuochunghsu <kuochunghsu@pinterest.com>
Mirrored from https://github.com/envoyproxy/envoy @ 0be448e6d92dff8d609142a8e5492ebf03884779
While trying to send a pull request for an extension I was baffled multiple times by poor error messages and surprising behaviors. The alterations here each derive from a confusing thing that mostly also didn't get any clear "someone understood it better" signs from the dev slack channel.
First surprise, if you use option (udpa.annotations.file_status).work_in_progress = true; like the doc suggested, proto_format.sh would remove it. Suggestion from the slack channel was to use xds.annotations.v3.file_status instead, which this updates STYLE.md to reflect. (related slack thread)
Added a link to security posture and status documentation, which was otherwise hard to make sense of without foreknowledge.
Adjusted the section that suggests using work_in_progress=true or package_version_status=ACTIVE - any combination of these (with either xds or udpa version of work_in_progress) that doesn't involve package_version_status=ACTIVE causes proto_format.sh to delete the file entirely. So the only viable options appear to be just package_version_status=ACTIVE, or that and xds work_in_progress=true which is already covered in an earlier bulletpoint.
Clarified that without ACTIVE, proto_format.sh will delete the file (which hopefully will make it more discoverable for developers experiencing that symptom).
Added a mention of api/BUILD's v3_protos section, without which proto_format.sh will automatically remove any imports of your new proto from other protos.
Added mention of [#extension:] tag, which is also necessary, and extra detail about where [#extension-category:] has to go (it doesn't appear to work if present at the top-level). (related slack thread)
Risk Level: None, documentation only.
Testing: Verified that the old documentation doesn't work for at least one developer, and the new documentation is better. :)
Docs Changes: That's all this is.
Release Notes: n/a
Platform Specific Features: n/a
Signed-off-by: Raven Black <ravenblack@dropbox.com>
Mirrored from https://github.com/envoyproxy/envoy @ 2014cbea0f67e9513137eb6b4be3cb92ba437244
Allow configs with both typed and non typed san matchers specified to allow config servers to use the same config for Envoys across multiple versions. The match_subject_alt_names field is ignored if match_typed_subject_alt_names is set.
Signed-off-by: Pradeep Rao <pcrao@google.com>
Mirrored from https://github.com/envoyproxy/envoy @ ef08b1c3d0cf9c2af84d32529a11b3e2056e9dcb
If set, the resolver will avoid the system's heuristics to only return
IPv4 or IPv6 addresses that it considers to be "routable", instead
returning all possible IPv4 or IPv6 addresses. This setting is
ignored if the DNS lookup family is set to v4-only or v6-only.
This may be a useful setting to specify if the addresses considered
unroutable by the system's heuristics may in practice be routable.
Signed-off-by: JP Simard <jp@jpsim.com>
Mirrored from https://github.com/envoyproxy/envoy @ 60a13f30a4e425c907607fab96efee0ed2afcf22
ComparisonFilter's value now marked as required in validate to ensure valid
input to fuzz tests.
Signed-off-by: Andre Vehreschild <vehre@x41-dsec.de>
Mirrored from https://github.com/envoyproxy/envoy @ 8df3136bcc00c701bf5c30d090937e5f37585652
This adds the ability to change the GrpcService used by the ext_proc filter on a per-route basis.
Risk Level: Low. Not triggered unless configured.
Testing: New unit and integration tests added.
Docs Changes: Addition of new config field.
Signed-off-by: Michael Warres <mpw@google.com>
Mirrored from https://github.com/envoyproxy/envoy @ 0e8899c90213b39d8f4a1a083d4fd31e9c2fe8c1
Add unified matcher for network streams, as a replacement for filter chain match.
See previous discussion in #18871
Signed-off-by: Kuat Yessenov <kuat@google.com>
Mirrored from https://github.com/envoyproxy/envoy @ 7eb3a87b8757e030aedfdc4959adc509e89ac788
This change introduces a new output sink type for admin /tap requests which buffers traces internally before responding to the client.
This sink is best used to collect traces for requests that are frequently matched, or to work around system limitations such as improper support for streaming HTTP responses.
Signed-off-by: David Peet <davidpeet@tutanota.com>
Mirrored from https://github.com/envoyproxy/envoy @ 0fd80eef63bc9770186c4f4aa345ee63e464cab3
data-plane-api(Azure Pipelines)