See envoyproxy/go-control-plane#824 for more information
This PR adds the vtprotobuf protoc plugin for Go. This works on top of the existing protoc-gen-go, to add optimized marshal functions that callers can opt in to using. This is not like gogo, which was a very invasive change -- everything is layered and opt-in. See issue for benchmarks, etc.
Additionally, to avoid possible binary size increase, the entire new code is protected under a go build tag. Users will need to opt-in at build time (-tags=vtprotobuf). By default, there is no impact for users at all.
Risk Level: Low - only additional opt-in code
Testing: Manually tested in Istio codebase
Signed-off-by: John Howard <howardjohn@google.com>
Mirrored from https://github.com/envoyproxy/envoy @ 21b52ba73d8ebbb51834d529a68f55ea2ec5e614
Additional Description: The CryptoMB private key provider only supports RSA at this time; the patch adds ECDSA support to it.
Risk Level: Low (as contrib extension)
Testing: Unit and integration tests
Docs Changes: N/A
Release Notes: N/A
Platform Specific Features: Requires AVX512 or equivalent CPU instruction set
Signed-off-by: Xie Zhihao <zhihao.xie@intel.com>
Mirrored from https://github.com/envoyproxy/envoy @ 8dcb3165334b8d9fdec7bb9f5f0b103d97f858d3
* accesslog: add field to TLSProperties in data.accesslog.v3.AccessLogCommon
Signed-off-by: Li <wanxuli@ebay.com>
* Update changelogs/current.yaml
Signed-off-by: code <wangbaiping@corp.netease.com>
Signed-off-by: Li <wanxuli@ebay.com>
Signed-off-by: Li <929683467@qq.com>
* fix integration_test for issuer
Signed-off-by: Li <wanxuli@ebay.com>
Signed-off-by: Li <929683467@qq.com>
* fix missing value for issuerPeerCertificate in test case
Signed-off-by: Li <wanxuli@ebay.com>
Signed-off-by: Li <929683467@qq.com>
---------
Signed-off-by: Li <wanxuli@ebay.com>
Signed-off-by: Li <929683467@qq.com>
Co-authored-by: Li <wanxuli@ebay.com>
Co-authored-by: code <wangbaiping@corp.netease.com>
Mirrored from https://github.com/envoyproxy/envoy @ 24ffda3f4f4d6aa310a20d9e4c77887581dbfce3
Commit Message: add an option to use a generic string object for the value
Additional Description:
Risk Level: low (new oneof but a recent extension)
Testing: done
Docs Changes: none
Release Notes: none
Mirrored from https://github.com/envoyproxy/envoy @ 5e4967ee54d2904cdfad853d201d2110e49eaf95
Remove decommissioned (in v5.x) bazel attribute
Signed-off-by: Yan Avlasov <yavlasov@google.com>
Mirrored from https://github.com/envoyproxy/envoy @ 56f88a1761c7076004d5500c8aca06c4a51fc4ec
Prior to OpenSSL 1.1.0, the certificate depth limit in OpenSSL omitted
the leaf but included the trust anchor. That is, if your chain was Leaf,
Intermediate, Root, any depth limit of 2 or more allowed the
certificate.
OpenSSL 1.1.0 included d9b8b89bec4480de3a10bdaf9425db371c19145b, which
was described as a cleanup change to X509_verify_cert. However, this
changed the semantics of the depth limit to omit *both* the leaf and
trust anchor. So the example above was accepted also at depth limit 1.
This is also why common.proto had a comment about different semantics
between the libraries.
BoringSSL originally forked a little before 1.0.2, so it had the older
OpenSSL behavior. Now that the new behavior has been in OpenSSL upstream
for a while, BoringSSL plans to match the new behavior in
https://boringssl-review.googlesource.com/c/boringssl/+/64707/
This change makes Envoy compatible with BoringSSLs before and after that
change. When BORINGSSL_API_VERSION is new enough, we adjust the value
before passing it in, to preserve the original semantics. I'm assuming
here that Envoy would prefer to maintain its existing semantics, rather
than change the test expectation. I've also removed the comment about
backend-specific behavior difference. Supposing Envoy prefers to
maintain existing semantics, any OpenSSL port of Envoy should similarly
adjust the value on OpenSSL 1.1.0 and up.
Along the way, fix an overflow. maxVerifyDepth is a uint32_t, but the
OpenSSL API takes an int. When we exceed INT_MAX, saturate the cast.
Signed-off-by: David Benjamin <davidben@google.com>
Mirrored from https://github.com/envoyproxy/envoy @ f7ef1eeca94f714f0d48af3dd8a43757dc63d770
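The depth-limit change and the saturating cast described in the commit message above, worked through as an added example (not code from the commit or from Envoy). The function names and the clamping of a limit of 0 are assumptions made for illustration; the chain is modelled only by its number of intermediates.

```c
#include <limits.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Saturating conversion: the configured limit is a uint32_t, the library
 * API takes an int, so values above INT_MAX clamp instead of wrapping. */
static int saturate_to_int(uint32_t v) {
  return v > (uint32_t)INT_MAX ? INT_MAX : (int)v;
}

/* Pre-1.1.0 rule from the commit message: the leaf is not counted, the
 * trust anchor is. A chain with n intermediates costs n + 1. */
static bool accepts_old(int intermediates, int depth) {
  return intermediates + 1 <= depth;
}

/* 1.1.0+ rule: neither the leaf nor the trust anchor is counted. */
static bool accepts_new(int intermediates, int depth) {
  return intermediates <= depth;
}

/* Hypothetical adjustment (assumption, not Envoy's code): subtract one so a
 * limit written for the old rule behaves the same under the new rule.
 * A limit of 0 has no exact equivalent and is clamped to 0 here. */
static int adjust_for_new_rule(uint32_t configured) {
  int depth = saturate_to_int(configured);
  return depth > 0 ? depth - 1 : 0;
}

int main(void) {
  /* Constructed chain: Leaf, Intermediate, Root => 1 intermediate. */
  for (uint32_t limit = 1; limit <= 3; limit++) {
    printf("limit=%u old=%d new_unadjusted=%d new_adjusted=%d\n",
           (unsigned)limit, accepts_old(1, (int)limit),
           accepts_new(1, (int)limit),
           accepts_new(1, adjust_for_new_rule(limit)));
  }
  printf("UINT32_MAX -> %d\n", saturate_to_int(UINT32_MAX));
  return 0;
}
```

With a limit of 1, the unadjusted new rule accepts the Leaf, Intermediate, Root chain that the old rule rejects, which is the silent widening the adjustment prevents.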
Commit Message: add ecds support for composite filter
Additional Description: Currently ECDS does not support composite filter. This would help to use composite filter for use cases like WASM filters
Risk Level: Low
Testing: Updated
Docs Changes: Updated
Release Notes: Added
Signed-off-by: Rama Chavali <rama.rao@salesforce.com>
Mirrored from https://github.com/envoyproxy/envoy @ b4fba1a3cd22bfc5f60233c743e2c58c22957a90
This is the prerequisite of reverting #30438 in order to fix the ZK proxy filter "Uncaught Exception" issue.
Risk Level: Low
Testing: Unit test
Docs Changes: Revert doc changes in #31138
Release Notes: Revert release notes in #31138
Platform Specific Features: N/A
Signed-off-by: Zhewei Hu <zhu@pinterest.com>
Mirrored from https://github.com/envoyproxy/envoy @ e61e461736a28e26b6fcf0ca25d34c47ed29b0fc
* Update references to Connect RPC
This now lives at connectrpc.com.
Signed-off-by: Michael Rebello <me@michaelrebello.com>
Mirrored from https://github.com/envoyproxy/envoy @ afdc6606979bfd6cd486465d771ff2bb78468bf5
Some client requests' URLs may contain query params. gRPC upstream servers cannot handle these requests, and may return an error such as "unknown method". So we remove query params here.
Risk level: Low
Testing: Unit tests.
Signed-off-by: FHT <33562110+delphisfang@users.noreply.github.com>
Mirrored from https://github.com/envoyproxy/envoy @ da09811ed0fe920b4beb9223a5e160d3587a47bc
Commit Message: Reverts #29873 and #30794
Multiple concerns about the effect of a full scan on LEAST_REQUEST have been raised.
See previous discussions in #11004 and #11006.
Additional Description:
Risk Level:
Testing:
Docs Changes:
Release Notes:
Platform Specific Features:
Mirrored from https://github.com/envoyproxy/envoy @ 6acfb74c10858e8dde84050ab17a07195f7f3360
Commit Message: clear route cache when dynamic metadata is written because route matching can be done on the dynamic metadata
Risk Level: low, recently added in #30699
Testing: done
Docs Changes: none
Release Notes: none
Mirrored from https://github.com/envoyproxy/envoy @ 90929a0b8827b8132d0ae1d8790a380a9fa87c36
* internal redirects: Support passing headers from response to request
This adds a new (repeated) field in the internal redirect policy,
"response_headers_to_preserve". When set, the headers named there
will be copied from the response that triggers an internal redirect
into the request that follows.
This allows some limited information passing through the internal
redirect system.
The current system is faithful to the idea that internal redirects are
purely a latency optimization, and should behave similarly to if the
redirect had been passed to the downstream user-agent. This does
violate that idea.
Other proxies, such as Nginx, have a much more flexible way of
handling internal redirects that allows a fair bit of information
passing like this. This should allow implementations to adopt Envoy
that are using this kind of information passing, with reduced needs to
rearchitect.
Fixes: #30441
Fixes: #16777
Signed-off-by: Ryan Anderson <ryan.anderson@snowflake.com>
Signed-off-by: Ryan Anderson <ryan@michonline.com>
* Switching loops to references
Signed-off-by: Ryan Anderson <ryan@michonline.com>
* Clarify that downstream filters will not run
Signed-off-by: Ryan Anderson <ryan@michonline.com>
* Use a vector of LowerCaseStrings
Signed-off-by: Ryan Anderson <ryan@michonline.com>
* Format fixes
Signed-off-by: Ryan Anderson <ryan@michonline.com>
* Fully qualify 'downstream_'
Signed-off-by: Ryan Anderson <ryan@michonline.com>
* Rename from ..._to_preserve to ..._to_copy
Signed-off-by: Ryan Anderson <ryan@michonline.com>
* Reject configs that specify HTTP/2 style headers or Host
Signed-off-by: Ryan Anderson <ryan@michonline.com>
* Fight with clang-tidy by hand
Signed-off-by: Ryan Anderson <ryan@michonline.com>
* Fixup bad doc references
Signed-off-by: Ryan Anderson <ryan@michonline.com>
* punctuation
Signed-off-by: Ryan Anderson <ryan@michonline.com>
* More doc fixups
Signed-off-by: Ryan Anderson <ryan@michonline.com>
* Add a small comment about request_headers_to_copy_
Signed-off-by: Ryan Anderson <ryan@michonline.com>
* Rip out the complicated header copying/restore logic and replace
This removes the existing specialized save/restore logic in favor of
just copying every header into another map, updating the original map
with the necessary changes, and then restoring the whole thing later on.
Signed-off-by: Ryan Anderson <ryan@michonline.com>
* Use copyFrom() instead of doing it by hand
Signed-off-by: Ryan Anderson <ryan@michonline.com>
* Return a reference instead of copying
Signed-off-by: Ryan Anderson <ryan@michonline.com>
* Deauto things
Signed-off-by: Ryan Anderson <ryan@michonline.com>
* fight with clang-format
Signed-off-by: Ryan Anderson <ryan@michonline.com>
* Just use copyFrom()
Signed-off-by: Ryan Anderson <ryan@michonline.com>
---------
Signed-off-by: Ryan Anderson <ryan.anderson@snowflake.com>
Signed-off-by: Ryan Anderson <ryan@michonline.com>
Mirrored from https://github.com/envoyproxy/envoy @ 65bbace5fb0647ac6edc338c62cfc8fc69fda36e
* Implemented API and added code to handle strict routing to a host.
Signed-off-by: Christoph Pakulski <christoph@tetrate.io>
* Adjusted existing tests.
Signed-off-by: Christoph Pakulski <christoph@tetrate.io>
* Added unit and integration tests for header-based stateful session with strict mode.
Signed-off-by: Christoph Pakulski <christoph@tetrate.io>
* Added release notes.
Signed-off-by: Christoph Pakulski <christoph@tetrate.io>
* Fixed proto format.
Signed-off-by: Christoph Pakulski <christoph@tetrate.io>
* Fixed router's test.
Signed-off-by: Christoph Pakulski <christoph@tetrate.io>
* Fixed cluster manager test.
Signed-off-by: Christoph Pakulski <christoph@tetrate.io>
* Moved strict mode to stateful session API. It applies to cookie and header
based stateful sessions.
Signed-off-by: Christoph Pakulski <christoph@tetrate.io>
* refactored setUpstreamOverrideHost method.
Signed-off-by: Christoph Pakulski <christoph@tetrate.io>
* Pass parameter to setUpstreamOverrideHost as value.
Signed-off-by: Christoph Pakulski <christoph@tetrate.io>
* Formatting.
Signed-off-by: Christoph Pakulski <christoph@tetrate.io>
---------
Signed-off-by: Christoph Pakulski <christoph@tetrate.io>
Mirrored from https://github.com/envoyproxy/envoy @ 62f4a14e35b4988dc62ebb51a070875fda59e1fe
Commit Message: proto: correct go_package of contrib
Additional Description:
This fixes up the go_package descriptor on contrib/ protos. I am not sure how the bazel protoc stuff works, but the standard proto compiler seems to trip up on this being incorrect, and generates invalid imports
Risk Level: Low
Testing: Manual
Mirrored from https://github.com/envoyproxy/envoy @ f97242a970eb6637b2aa8bba916f589672a1d190
Add access log options for UDP session access log to support flushing session access log periodically, and support flushing session access log on upstream tunnel connected when using UDP tunneling.
Additional Description:
Risk Level: low
Testing: unit tests, integration tests
Docs Changes:
Release Notes:
Platform Specific Features: None
Signed-off-by: Issa Abu Kalbein <iabukalbein@microsoft.com>
Mirrored from https://github.com/envoyproxy/envoy @ 1d4981bacacf33fdc5f60cfd56bede2802770a79
ConnectMatcher now matches CONNECT-UDP requests as well. I updated
the description of ConnectMatcher accordingly.
Signed-off-by: Jeongseok Son <jeongseok.son@gmail.com>
Mirrored from https://github.com/envoyproxy/envoy @ 7f84968b32bf33f93fb48e5fcfc3e14fbea95301
allowed_upstream_headers_to_append appends to client request, not response.
Signed-off-by: spacewander <spacewanderlzx@gmail.com>
Mirrored from https://github.com/envoyproxy/envoy @ 86e608693d62d8bec8b1e52035202f7d5ebca7b2
Introduce the ability to send attributes in the External Processing Request
---------
Signed-off-by: Jacob Bohanon <jacob.bohanon@solo.io>
Mirrored from https://github.com/envoyproxy/envoy @ 64c6d04a5fb7b08624df6223f6ef08264b9604a5
bazel: fix incorrect version of `com_github_cncf_xds`
Signed-off-by: Sergii Tkachenko <sergiitk@google.com>
Mirrored from https://github.com/envoyproxy/envoy @ ab976b10bc527ce3549da9c36c61803490de629e
Add support for saving upstream response headers and trailers to downstream info
Risk Level: low
Testing: integration tests
Docs Changes: API
Signed-off-by: Issa Abu Kalbein <iabukalbein@microsoft.com>
Mirrored from https://github.com/envoyproxy/envoy @ 876753ad28d6601b91c25b8af59db4f4737c84a5
e9ce688...523115e
- cel: add a description to the AST (cncf/xds#61)
- Bump bazel to 4.2.2 (cncf/xds#68)
- bazel: fix "missing strict dependencies" build issue (cncf/xds#72)
- bazel version updated from `4.2.2` to `6.3.2`
- `protoc-gen-validate` dependencies updated to match Envoy's
Signed-off-by: Sergii Tkachenko <sergiitk@google.com>
Mirrored from https://github.com/envoyproxy/envoy @ b500165160ce60020ad55bf6b10c6d5cc0b5f54c