If "issuer" in the JwtProvider config is specified, it has to match "iss" field in the JWT. But current implementation has a bug where if "iss" is empty, it is not checked.
Risk Level: Low, only impact users with empty "iss" JWT.
Testing: Unit-tested
Docs Changes: None
Release Notes: Yes
Signed-off-by: Wayne Zhang <qiwzhang@google.com>
Mirrored from https://github.com/envoyproxy/envoy @ 336fcf9b1105fcb2581a59811c0029f8899c63c2
Adding xDS routing discovery support for thrift proxy.
The routing discovery is supported only through ADS. No separate service endpoints added
for thrift routing config type url.
This PR is split from #17631
Risk Level: Low
Testing:
- Unittest
- Manual test with static routing from bootstrap config, static routing and dynamic routing from GRPC based xDS server.
Docs Changes: Comment added to the new API field.
Signed-off-by: Tamas Kovacs <tamas.2.kovacs@nokia-sbell.com>
Mirrored from https://github.com/envoyproxy/envoy @ ec7ef59ef36ccb5e2a9b20493ae23673504d75b9
TcpProxy ondemand vs http on demand
Why not a dedicated on demand filter prior to tcp_proxy?
A filter prior to tcp proxy cannot figure out the dest cluster before tcp_proxy establish the upstream connection.
In http stack, a route entry which contains the upstream cluster is offered to the potential on-demand filter before the router filter.
Why no per-route config in tcp_proxy?
TcpProxy provides single upstream cluster.
An alternative weighted_clusters can be used as tcp_proxy upstream cluster. However, it's probably too early to distinguish the
per cluster ondemand requirement within the weighted_cluster. We can always add in the future.
Risk Level: LOW
Signed-off-by: Yuchen Dai <silentdai@gmail.com>
Mirrored from https://github.com/envoyproxy/envoy @ 824032e93ef295e22086f465d4c60a3aeea4ae13
ratelimit: add support for x-ratelimit-* headers in local rate limiting
Signed-off-by: Xie Zhihao <zhihao.xie@intel.com>
Mirrored from https://github.com/envoyproxy/envoy @ 5c56e45a041a4446411a8dccb5262b12323ff9be
* Adding custom config-validation interface, extension, and a CDS validator.
Signed-off-by: Adi Suissa-Peleg <adip@google.com>
Mirrored from https://github.com/envoyproxy/envoy @ e58c890ded5c13e60eba3285c96ffefd6f7215cf
Introduce data inputs for connection matching as part of #18871
Signed-off-by: Kuat Yessenov <kuat@google.com>
Mirrored from https://github.com/envoyproxy/envoy @ a1181348a4f6df6011843a141814e28840d23eb5
* Fix comments regarding what is and isn't implemented.
* Indicate that "stat_prefix" really is implemented, because it is.
* Re-name two misnamed (but as yet unimplemented) fields in per-route
configuration.
Risk Level: Low
Testing: Existing integration and unit tests
Docs Changes:
Release Notes:
Platform Specific Features:
Signed-off-by: Gregory Brail <gregbrail@google.com>
Mirrored from https://github.com/envoyproxy/envoy @ c1f3f51156fe6c56216ec10be9e04af8f4a157b6
Replace code in mutation_utils.cc with code that calls into the new
mutation_rules library. Add the ability to keep a counter of failed
header mutations, and also add the ability for an invalid mutation
to cause the HTTP request to fail.
Signed-off-by: Gregory Brail <gregbrail@google.com>
Mirrored from https://github.com/envoyproxy/envoy @ 1bea8aea1590ffab5bb185d32232f9bf265e6b1e
Add Proxy-Status HTTP response header field
Signed-off-by: James Buckland <jbuckland@google.com>
Mirrored from https://github.com/envoyproxy/envoy @ fcf2c551465bc5fae280c8fffce6859278842d9b
Remove TLS 1.0 and 1.1 from the default server TLS versions. Users can
still explicitly opt-in to 1.0 and 1.1 using tls_minimum_protocol_version.
Signed-off-by: derekguo001 <dong.guo@intel.com>
Mirrored from https://github.com/envoyproxy/envoy @ f8baa480ec9c6cbaa7a9d5433102efb04145cfc8
This PR adds two new LB policy extension configurations, to be used in gRPC via the new load_balancing_policy field:
* round_robin: This allows configuring the built-in ROUND_ROBIN LB policy via the new extension-based API.
* wrr_locality: This is an extension config for a new policy that does ROUND_ROBIN-style locality picking and then delegates to a child LB policy extension to pick the endpoint within the locality. This will allow users to plugin their own custom endpoint-picking logic without having to reimplement the locality-picking logic.
This is a small step toward moving away from the legacy lb_policy enum. Completing that migration will require work in Envoy to create extension configs for all built-in LB policies and register those extensions.
Risk Level: Low
Testing: N/A
Docs Changes: Included in PR
Release Notes: N/A
Platform Specific Features: N/A
Signed-off-by: Mark D. Roth <roth@google.com>
Mirrored from https://github.com/envoyproxy/envoy @ 65a82d75c3ef1e15fbc4f301c9eacc269a1a6080
Introduce a new stateful session extension. This is a change after #17848#17290.
In #17290, we added a new cross-priority host map for fast host searching. In #17848, we extend `LoadBalancerContext` interface to provide an override host and to select the upstream host by the override host.
Finally, in this change, we expand a new API to allow users to extract the state of the session from the request and change the result of load balancing by setting the override host value.
Related doc: https://docs.google.com/document/d/1IU4b76AgOXijNa4sew1gfBfSiOMbZNiEt5Dhis8QpYg/edit?usp=sharing.
Risk Level: Medium
Testing: Added
Docs Changes: Added
Release Notes: Added
Platform-Specific Features: N/A.
Signed-off-by: wbpcode <wbphub@live.com>
Mirrored from https://github.com/envoyproxy/envoy @ fb2aad0303bbbcb0daabf6940c6ad97252995b98
This is an implementation based on the discussion in #19198.
When application/x-protobuf is used the filter will prepend the payload with the gRPC header, as defined by the wire format. Before returning the response the frame is also trimmed. This functionality is behind a configuration setting.
Risk Level: Medium
Testing: Unit tests
Docs Changes: Added
Fixes#19198
Signed-off-by: Stefan Puhlmann <stefanp@spotify.com>
Mirrored from https://github.com/envoyproxy/envoy @ 8feaee6e5801bdbe0837158e5fc499a723b1a108
This allows matching the more lenient behavior of other client-side
networking libraries such as OkHttp or URLSession, especially in cases
where the remote server is not under the client developer's control.
Risk Level: Low, defaults are unaffected, change is opt-in.
Testing: Added unit tests for existing no-transform behavior (there was none) and a new test validating the new configuration flag.
Docs Changes: Updated.
Release Notes: Added.
Signed-off-by: JP Simard <jp@jpsim.com>
Mirrored from https://github.com/envoyproxy/envoy @ 2afb9573ab1915ed57ac8d42203286b224ce95ae
* Fix whitespace typo in transcoder documentation.
The documentation for `convert_grpc_status` had two leading spaces in the text
following a code block, causing the text to be rendered as part of the code block.
* Remove whitespace from transcoder.proto.
Signed-off-by: Pras Velagapudi <psigen@gmail.com>
Mirrored from https://github.com/envoyproxy/envoy @ e9f36d2c49a3c9176340303b44ef593bd0b78c35
Commit Message: c-ares resolver: add option to use name servers as fallback.
Risk Level: low - opt in behavior
Testing: existing and additional tests
Docs Changes: added
Release Notes: added
Signed-off-by: Jose Nino <jnino@lyft.com>
Mirrored from https://github.com/envoyproxy/envoy @ b1219ef0decc22040d45fe8bf2fa86bd16ea4e3c
Mainly update the grpcJsonTranscoder to include the latest path matcher filter change for always checking custom verb no matter if it is registered or not.
Risk Level: Low
Testing: added the unit test
Docs Changes: None
Release Notes: Yes
Signed-off-by: Xuyang Tao <taoxuy@google.com>
Mirrored from https://github.com/envoyproxy/envoy @ c68cf0dddfcea6c9ccf6346ff47b518837b0ca0d
This was caused by a merge race
Signed-off-by: Keith Smiley <keithbsmiley@gmail.com>
Mirrored from https://github.com/envoyproxy/envoy @ 70a5f295da789610b9d078015f43e39c6a76d4b6
This change introduces a MetaProtocol proxy that provides a framework for layer-7 protocols. The common capabilities, including routing, tracing, metrics, logging, etc., will be built into the MetaProtocol proxy.
Signed-off-by: zhaohuabing <zhaohuabing@gmail.com>
Mirrored from https://github.com/envoyproxy/envoy @ de51441bfe1b6b5eeab8981037d66cde9ac5b0d7
This PR establishes the ability to filter access log production via CEL expressions over the set of Envoy attributes. This can simply the creation of Envoy access log filters, allowing complex tailoring.
Risk Level: low
Testing: unit
Docs Changes: included
Release Notes: updated
Signed-off-by: Douglas Reid <douglas-reid@users.noreply.github.com>
Mirrored from https://github.com/envoyproxy/envoy @ 77ca6cc0d9aaf0892aec3e2025fe2ad7cf0c39ff
Signed-off-by: Max Kuznetsov <mkuznetsov@digitalocean.com>
Mirrored from https://github.com/envoyproxy/envoy @ 76a70b40f57bd9a75b50d4783d28dec0e0aa29ae
Add a retry mechanism to the grpc access logger. This retry mechanism currently only supports a simple retry count.
Also, at the moment, retries are only fired when the gRPC stream fails to be established, and nothing happens if the stream is successfully established once and a reset is issued.
Risk Level: Low
Testing: Unit
Signed-off-by: Shikugawa <rei@tetrate.io>
Mirrored from https://github.com/envoyproxy/envoy @ 3a5f7958afb161efd62dada8e6bbb77f96c4dd04
Commit Message: Allow cert validation by only leaf trusted CAs CRL
Additional Description: Close#18268. In the previous implementation, we don't have availability to validate certs when all trusted CAs don't have their own CRLs if any trusted CAs have that. This feature allows validating even if all trusted CAs don't have CRLs.
Risk Level: Low
Testing: Unit
Docs Changes: Required
Release Notes: Required
Signed-off-by: Shikugawa <rei@tetrate.io>
Mirrored from https://github.com/envoyproxy/envoy @ 56e8c45b1b340c4a4f8f02ec2488354c31806d59
- Add response trailers for the bandwidth limit filter delays.
- Add new metric request_enforced and response_enforced.
- Change the following metrics type from Gauge to Counter (request_incoming_size, response_incoming_size, request_allowed_size, response_allowed_size) to better calculate the network bytes per second.
This is useful when downstream want to understand how much delays that is caused by bandwidth limit filter.
Risk Level: Low
Testing: UT added.
Docs Changes: Updated.
Release Notes: Added.
Signed-off-by: gayang <gayang@microsoft.com>
Mirrored from https://github.com/envoyproxy/envoy @ 8b8ece8adb8c9282cbd9405151993fa1bc5cebee
Docs Changes: Removes an extra word
Signed-off-by: Peter Jausovec <peter.jausovec@gmail.com>
Mirrored from https://github.com/envoyproxy/envoy @ dbb1f50ef340e565c5a495a17aac0afff5d9a4f9
This should reduce the binary size, which is particularly important for Envoy Mobile. Looking at a
local opt build with debug symbols, I'm seeing a drop from ~400MB to ~380MB, so maybe 5% saving. @Reflejo indicates that optimized Envoy Mobile without symbols is observing ~20% improvement.
Related to #10943
Risk level: Low
Testing: bazel query deps to confirm no more v2 API deps.
Signed-off-by: Harvey Tuch <htuch@google.com>
Mirrored from https://github.com/envoyproxy/envoy @ 53fca618e47702f6c8dbc323db9bd39d15725457
- Fix the session_timeout formatting so that it links to the RFC
reference correctly.
- Make some minor grammar improvements.
- Quote the session_timeout field name
Signed-off-by: James Peach <jpeach@apache.org>
Mirrored from https://github.com/envoyproxy/envoy @ bd1ac13275246c2a9a865912682ed9904ed7a78a
This adds a new transport socket wrapper for collecting OS-level TCP stats and publishing them as envoy metrics, in either the cluster or listener stats namespace (depending on upstream or downstream use). This allows attributing the TCP stats to specific listeners and clusters.
Signed-off-by: Greg Greenway <ggreenway@apple.com>
Mirrored from https://github.com/envoyproxy/envoy @ b959a46661ec87bba8268a1750506695125f2b06
Widen the Upstream::LoadBalancer interface to add methods which allow
a load balancer to optionally observe connection lifetime events and to
select a specific connection based on those events.
Implement this behavior in the DFP LoadBalancer to reuse HTTP/2 and HTTP/3
connections when the hash key, IP address, and certificate all match, conditional
on a new allow_coalesced_connections field in the DFP config.
Risk Level: Low
Testing: Unit
Signed-off-by: Ryan Hamilton <rch@google.com>
Mirrored from https://github.com/envoyproxy/envoy @ b4047464f7e1c75d578f7b98db4d3d669dce9bd0
This patch adds cookie_names to credentials config to allow overriding
the default cookie names: `BearerToken`, `OauthHMAC`, and
`OauthExpires`.
Signed-off-by: Dhi Aurrahman <dio@rockybars.com>
Mirrored from https://github.com/envoyproxy/envoy @ 7323ddeb5011df73f5f42115cb644769d9dcab96
Changes the DNS cache to respect the advertised TTL, modulo a floor of 5s.
That part of the change is runtime guard. The part which is not, is that the backoff is done on a per-host basis not a global basis, so if one endpoint fails to resolve, it won't result in others backing off, and if one succeeds it won't result in changing backoff for failed hosts.
Risk Level: Medium
Testing: new unit tests
Docs Changes: inline
Release Notes: inline
Optional Runtime guard: envoy.reloadable_features.use_dns_ttl
Signed-off-by: Alyssa Wilk <alyssar@chromium.org>
Mirrored from https://github.com/envoyproxy/envoy @ bebd3e2c4700fb13132a34fcfa8b82b439249f3b
Support an inline RouteConfiguration in ScopedRouteConfiguration.
This change enables fully inlined scoped route configuration by
allowing users to specify an inline `RouteConfiguration` in the scope's
config, as opposed to requiring a `route_configuration_name` to use for
an RDS subscription.
Signed-off-by: Andres Guedez <aguedez@google.com>
Mirrored from https://github.com/envoyproxy/envoy @ cbc05d480cc24fc96bbbbd476cc31b25402d6777
Framed was the only transport that supported payload passthrough. However the payload
of Header transport is the same as Framed. Therefore its possible to also use payload
passthrough with Header to Header, Framed to Header and Header to Framed. Therefore
allow those extra three combinations and add integration tests. Note that in future if Header
transforms become supported then passthroughData will need to undo any transforms.
New metrics request_passthrough and response_passthrough are added to show when payload
passthrough occurs. Note that previously response_success was always incremented when
performing payload passthrough, and that is corrected to only occur when parsing the
payload.
This will enable payload passthrough for combinations of downstream/upstream transports that did not
previously perform passthrough. If a private filter does not implement passthroughEnabled or passthroughData
correctly, has enabled payload passthrough and is using Header to Header, Framed to Header or Header to Framed
then the filter may have issues.
Risk Level: Medium
Testing: Extended existing integration tests and verified on local deployment.
Docs Changes: Updated ThriftProxy proto docs.
Release Notes: Minor behavior change.
Platform Specific Features: N/A
Signed-off-by: James Fish <jfish@pinterest.com>
Mirrored from https://github.com/envoyproxy/envoy @ 0f31648808783b1057c78ff0c90721b81d32e19c
To fix: #13965
grpc_json envoy filter adds a new field 'query_param_unescape_plus` to enable the support of converting "+" to space in query parameters.
The actual unescape code is implemented in grpc-httpjson-transcoding.
Risk Level: None
Testing: integration tests
Docs Changes: None
Release Notes: Yes
Signed-off-by: Wayne Zhang <qiwzhang@google.com>
Mirrored from https://github.com/envoyproxy/envoy @ 1ba355b5e9f00cda595d5b52e3390d473fa5ecce
Based on the dicsussion in the issue https://github.com/envoyproxy/envoy/issues/17410, this PR adds
implementation for ability to add rbac policy to filter upstream ip addresses for dynamically
resolved domains (by dynamic proxy filter).
Signed-off-by: Jojy George Varghese <jojy_varghese@apple.com>
Mirrored from https://github.com/envoyproxy/envoy @ 53f95570a7e9d7fa5414a4bc145852524fa017ed
data-plane-api(Azure Pipelines)