Adds the extension point for certificate validations, and its first implementation for SPIFFE multi trust domain support in a single listener or cluster. Resolves https://github.com/envoyproxy/envoy/issues/14614 and https://github.com/envoyproxy/envoy/issues/9284.
Risk Level: low (only adding the new extension point and one implementation for it)
Testing: unit tests and integration tests.
Docs Changes:
Release Notes: tls: implement SPIFFE Certificate Validator for independent multiple trust domain support.
Signed-off-by: Takeshi Yoneda <takeshi@tetrate.io>
Mirrored from https://github.com/envoyproxy/envoy @ 50e81276fd8f109ba3a6134e790f65c1cc5bdec9
Moved the db generation into a bazel job - which will allow other tasks that also require this data to make use of it more easily/bazely
this also adds buildozer into the bazel env, so we might want to make use of that elsewhere and potentially remove buildozer from the build-image env
Touch #13229
Signed-off-by: Ryan Northey <ryan@synca.io>
Mirrored from https://github.com/envoyproxy/envoy @ a03209d5caf77b36ca4c40671ade8e328cb93fad
* Re-purpose alt_stat_name for other observability use-cases: access logging, tracing, and admin dumps through a new ClusterInfo field, `observabilityName()`.
Signed-off-by: Asra Ali <asraa@google.com>
Mirrored from https://github.com/envoyproxy/envoy @ 5551e0a3e442cca24d76eeea76e8b9dc5f894303
Support setting max requests per downstream connection. By setting max_requests_per_connection, Envoy can actively disconnect the thrift client after reaching a certain number of requests.
Due to the limitations of the thrift protocol itself, we cannot achieve a clean disconnection.
Risk Level: Normal
Testing: Added
Docs Changes: Added
Release Notes: Added
Fixes: #14560
Signed-off-by: wbpcode <comems@msn.com>
Mirrored from https://github.com/envoyproxy/envoy @ 8a2685ee7f0a8b4182574861256ba05fac5f6cd6
Support wildcard match、suffix match and prefix match for dubbo interface name. Check #14765 get more information.
Risk Level: Low
Testing: Unit Test
Fixes#14765
Signed-off-by: wbpcode <comems@msn.com>
Mirrored from https://github.com/envoyproxy/envoy @ 9c2d5360635b46cc6ce4832ac84a9c324162629f
Some of the categories etc added in #14721 were not exactly correct and/or consistent
Also there is now some duplication from where links/info have been added manually previously
This PR should address these issues
Ref #13167
Signed-off-by: Ryan Northey <ryan@synca.io>
Mirrored from https://github.com/envoyproxy/envoy @ f9301ff57f64fd49918a61f6ac305638f065ecfb
This PR is the first step towards xdstp:// dynamic context parameter support. It introduces an
interface by which per-resource type dynamic context parameters can be set on the server. In
addition, it adds support for propagating these to Node (for legacy non-xdstp:// use cases) and
triggering discovery requests on update.
Risk level: Low
Testing: Unit and integration tests added (ads_integration_test).
Part of #11264
Signed-off-by: Harvey Tuch <htuch@google.com>
Mirrored from https://github.com/envoyproxy/envoy @ 36e05482cc27b4d2b5765fdebcdb5fef16f07d84
Changed logic in config verification when max_ejection_time is not specified
and base_ejection_time is larger than max_ejection_time's default.
Signed-off-by: Christoph Pakulski <christoph@tetrate.io>
Mirrored from https://github.com/envoyproxy/envoy @ 12df7d09222af273828ed114e5254caeba65d658
Made listener manager to depends on extensions/quic_listeners/quiche:quic_transport_socket_factory_lib. The library itself doesn't depends on QUICHE, so quic listener can still be compiled out.
This is to prevent the case where a problematic config gets loaded which uses a legal transport socket config but not for quic transport socket and a new quic connection fails to get cert chain after the quic listener starts listening.
Risk Level: low
Testing: added unit test
#2557
Signed-off-by: Dan Zhang <danzh@google.com>
Mirrored from https://github.com/envoyproxy/envoy @ e29e3c0569c548e267f153ec20f4032b09f001a8
Add information about known extension categories (types) to extension documentation
Signed-off-by: Ryan Northey <ryan@synca.io>
Mirrored from https://github.com/envoyproxy/envoy @ 7adc0393221467fcae18052c1f7caf0cb6048d2e
Follow-up on #14715 to allow finer configuration of the strict http request validation behavior. As mentioned in #14972, there are some cases where rejecting unknown paths is undesirable. So we provide more configurability to fit all use cases.
Risk Level:
Low.
This is a breaking API change, but it changes the API introduces < 14 days ago in #14715. This is compliant.
All behavior change only occurs when the option is enabled.
Testing:
Integration tests
Docs Changes:
Proto config changes
Release Notes:
None. #14715 includes release notes that still apply
Signed-off-by: Teju Nareddy <nareddyt@google.com>
Co-authored-by: Yan Tang <tangyan@gmail.com>
Mirrored from https://github.com/envoyproxy/envoy @ f174fba476a921efb981e80c346faf7e6723c0c4
Support adding response headers on OK authorization checks from ext_authz
Commit Message: ext_authz: support response headers on OK authorization checks
Additional Description:
Risk Level: low (opt-in feature, does nothing by default)
Testing: Added code to existing unit tests
Docs Changes: API protos documented
Release Notes: ext_authz: added :ref:`response_headers_to_add <envoy_v3_api_field_service.auth.v3.OkHttpResponse.response_headers_to_add>` to support sending response headers to downstream clients on OK external authorization checks.
Platform Specific Features:
Fixes#7986
Signed-off-by: John Esmet <john.esmet@gmail.com>
Mirrored from https://github.com/envoyproxy/envoy @ ac9a2637336decdcc52c24add5e8fc39edebb962
Adds ability to use _starttls_ transport socket to terminate SSL at Envoy and pass unencrypted traffic upstream to Postgres server.
Additional Description:
Risk Level: Low
Testing: Added unit and integration tests.
Docs Changes: Yes.
Release Notes: Yes.
Fixes#10942
Signed-off-by: Christoph Pakulski <christoph@tetrate.io>
Co-authored-by: Fabrízio de Royes Mello <fabrizio@ongres.com>
Mirrored from https://github.com/envoyproxy/envoy @ 1aa31dd9ca07f88029101bdecca12173930cf342
This allows control planes to tell clients that a given HTTP filter is okay to ignore if it is not supported. This is useful in environments where the clients are not centrally controlled and therefore cannot be upgraded at will, where it is desirable to start using a new filter for clients that do support the new filter without breaking older clients. Unlike a client-capability-based approach, where the client tells the server which filters it supports, this avoids cache pollution and resource-name-based complexity on the server. And because the control plane can set this on a per-filter basis, this approach does not impose risk that clients will silently fail to apply filters that provide mandatory functionality (e.g., authz policies).
Risk Level: Low
Testing: N/A (actual functionality will be implemented in a subsequent PR)
Docs Changes: Included in PR
Release Notes: N/A
Platform Specific Features: N/A
Signed-off-by: Mark D. Roth <roth@google.com>
Mirrored from https://github.com/envoyproxy/envoy @ 9ed95162ce11a09a56c1743d0a6e342d9bbfd2b6
* Add v3 equivalents of v2 configs that were included in v3 due to no
transitive deprecation. This increases consistency and reduces user
confusion. We will continue to support these straggler v2 configs
beyond the v2 turndown due to the late addition of v3 counterparts,
special case code is added to utility.cc to handle this.
* There were two extensions, //envoy/config/cluster/redis and
//envoy/config/retry/previous_priorities, that for some reason were
not upgraded to use v3 config. This is now fixed and I've grepped for
other v2 in //source, none remain.
Risk level: Medium (changes to extension config types and deprecated
config handling).
Testing: Additional unit test added for utility.cc handling, upgraded
configs to v3 for other tests.
Fixes#14735Fixes#12841
Signed-off-by: Harvey Tuch <htuch@google.com>
Co-authored-by: Abhay Narayan Katare <abhay.katare@india.nec.com>
Mirrored from https://github.com/envoyproxy/envoy @ c04a75efe9d601ebcb9650f274b5adde60181f1c
Only adding explicit (hard-configured, or downstream-initiated) HTTP/3. Getting Auto for UDP/TCP is going to take substantially more work. HTTP/3 config will be rejected initially to keep this PR simple as possible.
Risk Level: Low (unused, hidden)
Testing: new unit tests
Docs Changes: n/a
Release Notes: n/a
Part of #14829
Signed-off-by: Alyssa Wilk <alyssar@chromium.org>
Mirrored from https://github.com/envoyproxy/envoy @ d06b41c670e29de9d09f0f088e007611f3800db9
Commit Message: compression: add brotli compressor and decompressor
Additional Description: Add new brotli compression extensions in addition to gzip.
Risk Level: Low, no existing functionality is touched
Testing: uni tests, manual tests with curl.
Docs Changes: updated docs for compression and decompression HTTP filters to refer the new available encoder/decoder.
Release Notes: updated current.rst
Fixes#4429
The PR adds a new dependency on https://github.com/google/brotli. Here's the current criteria answers:
| Criteria | Answer |
|---------|---------|
| Cloud Native Computing Foundation (CNCF) approved license | MIT |
| Dependencies must not substantially increase the binary size unless they are optional | brotli's binary size built with `-c opt` is 752K |
| No duplication of existing dependencies | no other dep provides Brotli |
| Hosted on a git repository and the archive fetch must directly reference this repository. | https://github.com/google/brotli |
| CVE history appears reasonable, no pathological CVE arcs | so far 4 CVEs related to brotli have been registered |
| Code review (ideally PRs) before merge | PRs are reviewed before merge |
| Security vulnerability process exists, with contact details and reporting/disclosure process | no policy exists, submitted https://github.com/google/brotli/issues/878 |
| > 1 contributor responsible for a non-trivial number of commits | 75 contributors |
| Tests run in CI | CI set up with AppVeyor and Github actions |
| High test coverage (also static/dynamic analysis, fuzzing) | Fuzzers are run in CI |
| Envoy can obtain advanced notification of vulnerabilities or of security releases | brotli is registered in CPE |
| Do other significant projects have shared fate by using this dependency? | Google Chrome is using the library |
| Releases (with release notes) | https://github.com/google/brotli/releases |
| Commits/releases in last 90 days | last commit 9 days ago |
Signed-off-by: Dmitry Rozhkov <dmitry.rozhkov@intel.com>
Mirrored from https://github.com/envoyproxy/envoy @ 127aa55306c9e4366e10b3a6e26d01df826e2fc0
For various features or security fixes, we have used proto3 fields to
control enablement. These have often been scalar fields and default
disabled due to potential data plane breakages. When the time comes for
these to be default enabled, there is no way to do this client-side
without API breaking changes.
This change to API style encourages use of WKTs for scalars in this
situation, since they can have defaults changes on a per-xDS client
basis without any API breaking change.
Signed-off-by: Harvey Tuch <htuch@google.com>
Mirrored from https://github.com/envoyproxy/envoy @ 1942151aafceee50630572c82cc40d220ec4a63c
Fixing "warning: Import ... but not used" warnings from protoc
Risk Level: Low
Testing: manually built protos
Signed-off-by: Chris Heisterkamp <cheister@squareup.com>
Mirrored from https://github.com/envoyproxy/envoy @ 209b8f96498162834856a4330f27deafdf7e0518
This lets the configuration control which calls are made to
the external processor, and also lets the processor temporarily
change the mode for a single request.
Risk Level: Low
Testing: unit test and integration tests, with new tests added to this PR to support the feature
Docs Changes: Removed "not-implemented-hide" from the "processing_mode" configuration parameter
Signed-off-by: Gregory Brail <gregbrail@google.com>
Mirrored from https://github.com/envoyproxy/envoy @ 9976ba92afb3d2153887365260f6704b32ba9499
Commit Message: Add support proxying TCP over HTTP/2 or HTTP/1.1 POST to tcp_proxy. It's controlled by tcp_proxy filter configuration. Also add support adding additional headers to the proxy requests to coordinate with the upstream. In addition, add allo_post config to router, which allow triggering the regular TCP decaping from a POST request payload.
Additional Description: N/A
Risk Level: Low
Testing: Unit tests. Integration tests.
Docs Changes: Added
Release Notes: Added
Platform Specific Features: N/A
Fixes#14234
cc @alyssawilk@mattklein123
Signed-off-by: Wenlei (Frank) He <wlhe@google.com>
Mirrored from https://github.com/envoyproxy/envoy @ effa486d042cd2ac141ee48d8ed54b02b0951c73
Fields `content_length`, `content_type`, `disable_on_etag_header` and
`remove_accept_encoding_header` are valid for APIv2 Gzip filter, not for
APIv3.
Signed-off-by: Pavel Kvasnička <pavel.kvasnicka@firma.seznam.cz>
Mirrored from https://github.com/envoyproxy/envoy @ 542e996eeb78b7a4460b4ef185e85254e19b21f7
Scheme is populated for h2 and not for h1.1.
Advise accordingly in documentation.
Signed-off-by: Harry Bagdi <harrybagdi@gmail.com>
Mirrored from https://github.com/envoyproxy/envoy @ 973a25abf42d580ef375e10f6a36bbe0c1038d2c
This patch adds max_direct_response_body_size_bytes to set the maximum bytes of the direct response body size (in bytes). The config is added as a field in RouteConfiguration.
Reviving #13487 with a slightly different approach (add the config to RouteConfiguration instead of directly per direct response config entry).
Risk Level: Low, since the default behavior is preserved.
Testing: Updated to test the newly introduced config.
Docs Changes: Updated.
Release Notes: Added.
Fixes#13422
Signed-off-by: Dhi Aurrahman <dio@rockybars.com>
Mirrored from https://github.com/envoyproxy/envoy @ eeb7adc3a30456f0d4ac65e5e6c8e88e25481d2a
Clarify that NACKs should be detected via the presence of the error_details field, rather than by looking at nonce and version; the latter approach does not work for APIs other than LDS or CDS, where the client can change the set of resources it is subscribing to independently of the resource type instance version changing on the server. Also clarify semantics of nonce handling.
Signed-off-by: Mark D. Roth <roth@google.com>
Mirrored from https://github.com/envoyproxy/envoy @ 502d9cb5c7d8d9061337aec6e94c07afcc514e00
* Send x-envoy-immediate-health-check-fail on all responses that the
health check filter processes, not just non-HC responses.
* Exclude hosts from load balancing when x-envoy-immediate-health-check-fail
is received.
* Can be reverted via the envoy.reloadable_features.health_check.immediate_failure_exclude_from_cluster
feature flag.
Fixes https://github.com/envoyproxy/envoy/issues/9246
Signed-off-by: Matt Klein <mklein@lyft.com>
Mirrored from https://github.com/envoyproxy/envoy @ deed328494064bf28e09055c1cda4e3a3cdd6b67
Fix#13799. This means integration with external Apache SkyWalking SDK for C++ and destroyed redundant parts of implementations. Hired library is https://github.com/skyAPM/cpp2sky. But it is not released and some of missing parts of implementations which are necessary to achieve clean integration. Currently working private fork of that SDK here. https://github.com/Shikugawa/cpp2sky-envoy.
Additional Description:
cpp2sky dependency policy check list
### MUST
- [x] Cloud Native Computing Foundation (CNCF) approved license
- [x] Dependencies must not substantially increase the binary size unless they are optional (i.e. confined to specific extensions)
- [x] No duplication of existing dependencies
Maybe, the dependencies are described [here](https://github.com/SkyAPM/cpp2sky/blob/main/bazel/repositories.bzl)
- [x] Hosted on a git repository and the archive fetch must directly reference this repository. We will NOT support intermediate artifacts built by-hand located on GCS, S3, etc.
- [x] CVE history appears reasonable, no pathological CVE arcs
- [x] Code review (ideally PRs) before merge
- [x] Security vulnerability process exists, with contact details and reporting/disclosure process
- [x] Tests run in CI
### SHOULD
- [ ] > 1 contributor responsible for a non-trivial number of commits
- [ ] High test coverage (also static/dynamic analysis, fuzzing)
Parts which is used in Envoy have higher test coverage. But gRPC async segment reporter(which is not used in Envoy) has less test.
- [ ] Envoy can obtain advanced notification of vulnerabilities or of security releases
- [ ] Do other significant projects have shared fate by using this dependency?
- [x] Releases (with release notes)
- [x] Commits/releases in last 90 days
Risk Level: Mid
Testing: Unit/Integration
Docs Changes:
Release Notes:
Platform Specific Features:
Signed-off-by: Shikugawa <rei@tetrate.io>
Mirrored from https://github.com/envoyproxy/envoy @ 032a8e75928304e011833babea2ca231f32866dd
part of #12841
Signed-off-by: Abhay Narayan Katare <abhay.katare@india.nec.com>
Mirrored from https://github.com/envoyproxy/envoy @ f1638fbed36a1416d3b44783eedfb7ef6fb39f17
When a downstream request's headers do not follow the transcoding specification:
Current behavior: The filter blindly passes the request through to the upstream. This works well when the request is already a gRPC request, but is not ideal if the :path is malformed.
New behavior: For cases where the :path is malformed, the filter will reject the request instead of passing it through. This includes paths that are not registered for transcoding and unknown query parameter variable bindings. gRPC requests are still passed through.
Risk Level: Low. Backwards compatible, new behavior is guarded by option. I cannot think of a case where a client would prefer the old behavior, but let's be safe with breaking changes.
Testing: Integration tests
Platform Specific Features: No
Ref: GoogleCloudPlatform/esp-v2#459
Signed-off-by: Teju Nareddy <nareddyt@google.com>
Mirrored from https://github.com/envoyproxy/envoy @ 6ce641fff03ea137e201cfb6e5f52e513551f2df
Add support for scaling the transport socket connect timeout with load.
Risk Level: low
Testing: added tests and ran affected tests
Docs Changes: none
Release Notes: none
Platform Specific Features: none
Fixes: #11426
Signed-off-by: Alex Konradi <akonradi@google.com>
Mirrored from https://github.com/envoyproxy/envoy @ 88140146696fe09cebad628321020528a7e9ecd0
* fix kill request API validation for header
Signed-off-by: Asra Ali <asraa@google.com>
Mirrored from https://github.com/envoyproxy/envoy @ 90534ebdaeb05306b3c4ebcfd3b20d8c5c364529
Implement header processing on the response path by sending the
response_headers message to the processor and handling the result.
Also update the docs in the .proto file.
Signed-off-by: Gregory Brail <gregbrail@google.com>
Mirrored from https://github.com/envoyproxy/envoy @ 9753819331d1547c4b8294546a6461a3777958f5
New optional parameter 'auth_scopes' added to the filter. The default value is 'user' (if not provided) to avoid breaking changes to users updating to the latest version.
Signed-off-by: andreyprezotto <andreypp@gmail.com>
Co-authored-by: Nitin Goyal <nitingoyal.dev@gmail.com>
Mirrored from https://github.com/envoyproxy/envoy @ 23a97fbb237b51f10c19c8c228f74faf7ec65370
Introduces the FilterDependency proto. This isn't quite an extension, but it's a common proto to be used by all filter extensions.
Risk Level: Low (proto addition only)
#14470
Signed-off-by: Auni Ahsan <auni@google.com>
Mirrored from https://github.com/envoyproxy/envoy @ 2da224f88afe5ec84ba802bd932f73ed13308a92
Store the NACKed resource in each resources
Risk Level: None
Fixes: #14431
Signed-off-by: Lidi Zheng <lidiz@google.com>
Mirrored from https://github.com/envoyproxy/envoy @ 44b5cb7ed795c38f7d6ad09f351c1716611bc632
* API review checklist
Signed-off-by: Mark D. Roth <roth@google.com>
Mirrored from https://github.com/envoyproxy/envoy @ b501569e116a3d17e93dd19f16b076ee513f90ea
part of #12841
Signed-off-by: Abhay Narayan Katare <abhay.katare@india.nec.com>
Mirrored from https://github.com/envoyproxy/envoy @ 77d7cecb7e68cb41b2f5f7c2aa7f4294c88089ce
data-plane-api(Azure Pipelines)