This is to address issue: #28243
The value_bytes proto is added by #27865.
Signed-off-by: Yanjun Xiang <yanjunxiang@google.com>
Mirrored from https://github.com/envoyproxy/envoy @ 8a2d9502638789b1d078f06f48b51918589a1f4a
The Boring SSL team is going to set `enforce_rsa_key_usage` to true very soon. If it is true, the handshake will fail if the keyUsage extension is present and incompatible with the TLS usage. However, the backend services/VMs might not be ready for this change, and it had caused an outage. I think this is also applicable to OSS Envoy customers since their certificates may not be ready as well.
Change:
- Add the config field to control `enforce_rsa_key_usage`. It is false by default now but can be changed to true (which is aligned with Boring SSL's request) later once the customers are ready.
- Set it when ClientContext's SSL object is created. This ssl object will be used later in ssl handshake.
- It is added in the `upstreamTlsContext` proto and set in `ClientContext` because this change in Boring SSL only affects Envoy->Backend (Upstream TLS) but not Client->Envoy (Downstream TLS).
- Add stats to track/report the invalid use case by leveraging SSL_was_key_usage_invalid API introduced [here](a614d46d40)
- Improve the error handling/report for `SSL_ERROR_SYSCALL`
Signed-off-by: tyxia <tyxia@google.com>
Mirrored from https://github.com/envoyproxy/envoy @ c5d578bdf109b90c1b93e888dae6cb45de6309f7
tap: Fix the protobuf to PCAP generation failure
When running 'bazel run @envoy_api//tools:tap2pcap path_0.pb path_0.pcap':
```
...
Traceback (most recent call last):
  File "..../tools/tap2pcap.runfiles/envoy_api/tools/tap2pcap.py", line 88, in <module>
    tap2pcap(sys.argv[1], sys.argv[2])
  File "..../tools/tap2pcap.runfiles/envoy_api/tools/tap2pcap.py", line 53, in tap2pcap
    wrapper.ParseFromString(f.read())
                            ^^^^^^^^
  File "<frozen codecs>", line 322, in decode
UnicodeDecodeError: 'utf-8' codec can't decode byte 0xb8 in position 1: invalid start byte
...
```
The protobuf file is in binary format; opening this file in binary mode
will help to generate the PCAP file successfully.
Signed-off-by: Haiyue Wang <haiyue.wang@intel.com>
Mirrored from https://github.com/envoyproxy/envoy @ c1cae43bed0cd91b423dafa388a370a27cb163e7
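The failure mode in the traceback above, reproduced as an added example (not code from the Envoy repository): a constructed protobuf file whose first length varint starts with 0xb8 fails UTF-8 decoding at position 1 in text mode and reads cleanly in binary mode. The sample payload, the temporary file and the helper names `read_varint`, `first_field` and `demo` are assumptions made for the illustration.

```python
import os
import tempfile


def read_varint(buf, pos):
    """Decode a protobuf base-128 varint; return (value, next_pos)."""
    value = shift = 0
    while True:
        byte = buf[pos]
        pos += 1
        value |= (byte & 0x7F) << shift
        if not byte & 0x80:
            return value, pos
        shift += 7


def first_field(buf):
    """Return (field_number, wire_type, payload_length) of the first field."""
    tag, pos = read_varint(buf, 0)
    field_number, wire_type = tag >> 3, tag & 0x07
    if wire_type != 2:  # only length-delimited fields carry a length
        return field_number, wire_type, None
    length, _ = read_varint(buf, pos)
    return field_number, wire_type, length


def demo():
    # Constructed sample: field 1, wire type 2, 184-byte payload.
    # 184 encodes as the varint b"\xb8\x01", so byte 1 of the file is 0xb8.
    sample = b"\x0a\xb8\x01" + b"\x00" * 184
    path = os.path.join(tempfile.mkdtemp(), "path_0.pb")
    with open(path, "wb") as f:
        f.write(sample)

    # Text mode: read() decodes the bytes as UTF-8 and fails on 0xb8,
    # which is a continuation byte and can never start a character.
    try:
        with open(path, "r", encoding="utf-8") as f:
            f.read()
        text_error = None
    except UnicodeDecodeError as exc:
        text_error = (exc.object[exc.start], exc.start)

    # Binary mode: the bytes come back untouched and parse as protobuf.
    with open(path, "rb") as f:
        data = f.read()
    return text_error, first_field(data)


if __name__ == "__main__":
    print(demo())
```

Any length-delimited field of 128 bytes or more produces a length varint whose first byte has the high bit set, so text-mode reads of serialized protobuf fail on almost any real capture.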
One can specify a MetadataKey with a path selector to pick up a host
from the dynamic metadata of the request or downstream. Selected
value can either be a string or a list with at least a single
element of string type. Request metadata is considered first.
Signed-off-by: Andrii Chabykin <chabster@google.com>
Mirrored from https://github.com/envoyproxy/envoy @ 10468b320421cb14d7911b4e6d139cc18780fb1a
* Turn ext_proc into API stable.
Signed-off-by: Yanjun Xiang <yanjunxiang@google.com>
Mirrored from https://github.com/envoyproxy/envoy @ 4e5031013746a0768e9a3065dbab08b70eaf3c05
Commit Message:
This commit adds CONNECT-UDP (RFC 9298) support. UdpConnPool is added to create a UDP socket for a new CONNECT-UDP request, and UDPUpstream is added to maintain the socket and other relevant data associated with UDP upstreams.
We added an integration test for the terminating CONNECT-UDP proxy, but not the forwarding proxy in this commit. We are going to add test cases to cover the forwarding proxy scenario in a subsequent commit.
Additional Description:
Risk Level: Medium, the feature can only be enabled by the new configuration added in this commit.
Testing: Integration test
Runtime guard: envoy.reloadable_features.enable_connect_udp_support
Release Notes: added support for CONNECT-UDP (RFC 9298). Can be disabled by setting runtime feature envoy.reloadable_features.enable_connect_udp_support to false.
Signed-off-by: Jeongseok Son <jeongseok.son@gmail.com>
Co-authored-by: asingh-g <abhisinghx@google.com>
Mirrored from https://github.com/envoyproxy/envoy @ b4f37553d6887447f942a1aedbc8c2dacae45537
* Fix ext_proc filter cannot send non-utf8 characters by gRPC
Signed-off-by: Yanjun Xiang <yanjunxiang@google.com>
Mirrored from https://github.com/envoyproxy/envoy @ 9c6e75062ebdd8c8382c671662fb096569d9eaa9
This computes the health of a priority level by using load balancing weight
instead of the count of healthy hosts.
Signed-off-by: Greg Greenway <ggreenway@apple.com>
Mirrored from https://github.com/envoyproxy/envoy @ 842d1b2ae9b7f73a5055f2117df6f7d086b9e40d
Commit Message:
With lots of clusters and route-tables in a cloud proxy, we are seeing tons of RAM being spent on stats while most of the stats are never inc-ed due to traffic pattern (or long tail). We are thinking that we can lazy init cluster stats() so that the RAM is only allocated when it's required.
To achieve that we need to have finer-grained stats groups, e.g. configUpdateStats() are frequently updated by config management server, while upstream_xxx are only required when there is traffic for the cluster; for this sub-group we can save RAM by lazy initing it.
Introduce a new stats utility in this PR such that the nested StatsStruct is only instantiated when any of "->" or "*xx." operator is used.
Cribbed from PR #23921
Please see that PR for how it is used.
Additional Description:
Risk Level: LOW, utility lib not used yet.
Testing: unit test and speed test.
Docs Changes:
Release Notes:
Platform Specific Features:
Signed-off-by: Xin Zhuang <stevenzzz@google.com>
Mirrored from https://github.com/envoyproxy/envoy @ 7801df6af9000ae31bdd89b080e0d797501cbd18
* Bound the number of connections that can be accepted per socket event on
listeners.
Signed-off-by: Kevin Baichoo <kbaichoo@google.com>
Mirrored from https://github.com/envoyproxy/envoy @ ef9387f7336d136c5d1525f9c75176a4ae87cb75
Adding per route match tree resolution to the extension with matcher.
Risk Level: Low
Testing: test/common/http/match_delegate/match_delegate_integration_test.cc, test/extensions/filters/http/composite/composite_filter_integration_test.cc, test/common/http/match_delegate/config_test.cc
Docs Changes: matching_api.rst
Release Notes: changelogs/current.yaml
Platform Specific Features: N/A
Signed-off-by: Joseph Straceski <jstraceski@google.com>
Mirrored from https://github.com/envoyproxy/envoy @ c6a9a24987ebaab94a529fbd1da1ab89ec480d81
A new custom matcher for generic proxy is added to simplify the route table. When simple AND semantic is used, the users needn't write complex configuration to combine different input/match.
Risk Level: low.
Testing: unit.
Signed-off-by: wbpcode <wangbaiping@corp.netease.com>
Mirrored from https://github.com/envoyproxy/envoy @ b8e112190ef14bced0509a0fb201b5ee49da46d7
add bootstrap option to set log format
Signed-off-by: ohadvano <ohadvano@gmail.com>
Mirrored from https://github.com/envoyproxy/envoy @ 08dd6fedf0c433c341e74e689194beb23540932c
Commit Message: application_logs: add bootstrap option to write logs in JSON format
Additional Description: Adds an option in bootstrap config to write application logs in JSON format, while supporting all the log-format flags as defined in the CLI --log-format option. Related to #25959 - this is the first step in the implementation for supporting custom JSON properties, while printing the application logs output in JSON format.
Risk Level: Low (all new code paths are only enabled by config option)
Testing: Unit tests
Docs Changes: API, Application logs docs
Release Notes: None
Platform Specific Features: None
Signed-off-by: ohadvano <ohadvano@gmail.com>
Signed-off-by: ohadvano <49730675+ohadvano@users.noreply.github.com>
Mirrored from https://github.com/envoyproxy/envoy @ a9ec898d6dfdb4875a5b3684a6ee84afd4bb9663
* add access log to health check
Signed-off-by: Boteng Yao <boteng@google.com>
Mirrored from https://github.com/envoyproxy/envoy @ 881bc030a8f1cdc904311de6c1cdba38ef8cc98a
I don't think these do anything here except produce this warning:
```
DEBUG: Rule 'com_github_bufbuild_buf' indicated that a canonical reproducible form can be obtained by dropping arguments ["tags"]
DEBUG: Repository com_github_bufbuild_buf instantiated at:
/Users/ksmiley/dev/envoy4/WORKSPACE:9:23: in <toplevel>
/Users/ksmiley/dev/envoy4/bazel/api_repositories.bzl:4:21: in envoy_api_dependencies
/private/var/tmp/_bazel_ksmiley/81424bb29de8eeef22a825a179047d5f/external/envoy_api/bazel/repositories.bzl:47:26: in api_dependencies
/private/var/tmp/_bazel_ksmiley/81424bb29de8eeef22a825a179047d5f/external/envoy_api/bazel/repositories.bzl:9:23: in external_http_archive
/private/var/tmp/_bazel_ksmiley/81424bb29de8eeef22a825a179047d5f/external/envoy_api/bazel/envoy_http_archive.bzl:16:17: in envoy_http_archive
```
Signed-off-by: Keith Smiley <keithbsmiley@gmail.com>
Mirrored from https://github.com/envoyproxy/envoy @ 7c4bbe1785ad41a868dec0b66f4ea06e802bce95