As discussed in Slack, these should have been under api/config/filter/network
to begin with. Added a note to the style doc to make this clear in the
future.
*Risk level*: low (rename only)
*Testing*: existing tests suffice
*Doc Changes*: n/a
*Release Notes*: updated
Signed-off-by: Stephan Zuercher <stephan@turbinelabs.io>
Mirrored from https://github.com/envoyproxy/envoy @ 1dfde38343e7dfafe2c9f211229109bb22491257
Make the YAML examples use lists for `audiences` and avoid starting
lists for non-repeating fields.
Risk Level: Low
Testing: N/A
Docs Changes: N/A
Release Notes: N/A
Signed-off-by: Tal Nordan <tal.nordan@solo.io>
Mirrored from https://github.com/envoyproxy/envoy @ c4b6aecdd1bf5fb7a05a3f2a6f58e6ec42dc1393
This is a followup to #3841, where we introduce HCM-wide stream idle timeouts. This has two effects:
1. We can now timeout immediately after stream creation, potentially before receiving request headers and routing.
2. A default timeout can be configured across all routes. This is overridable on a per-route basis.
The default and overriding semantics are explained in the docs. Also added as a bonus some docs
about how timeouts interact more generally in Envoy.
Fixes#3853.
Risk Level: Low. While there is some change to the per-route vs. HCM wide semantics for stream idle
timeouts, it's not anticipated this feature is in common use yet (it's only a couple of days since
landing), and the caveats in #3841 with the new 5 minute default timeout should already apply.
Testing: Unit/integration tests added.
Signed-off-by: Harvey Tuch <htuch@google.com>
Mirrored from https://github.com/envoyproxy/envoy @ 672083c7ba4e92fe9548252c45d84d583a95102d
Fix the description of an `RBAC` Protobuf message example, so that it
matches the changes made to the YAML code block in PR #3477.
Risk Level: Low
Testing: N/A
Docs Changes: N/A
Release Notes: N/A
Signed-off-by: Tal Nordan <tal.nordan@solo.io>
Mirrored from https://github.com/envoyproxy/envoy @ 0f68948434039eb5e2fe3610e9b315989d843296
Add an extensible resource monitor framework for monitoring resource "pressures" (usage/limit). This will be used by the overload manager to implement downstream circuit breaking (issue #373 - see design doc linked from there).
Risk Level: low (not yet used in envoy main)
Signed-off-by: Elisha Ziskind <eziskind@google.com>
Mirrored from https://github.com/envoyproxy/envoy @ 0e71582b338b97d5667be7deaff831a062a96d1f
This is the complete HTTP/1.1 implementation of #3301, new style websockets.
It should preserve existing behavior for "old style" websockets except for handling transfer-encoding requests (we all agree shouldn't happen) and responses (actually could happen and have been requested) better.
Risk Level: High (should be self contained but still lots of core code changes)
Testing: Thorough integration tests. unit tests for http1 codec
Docs Changes: added websocket FAQ
Release Notes: added
Fixes#3301 (modulo timeouts not working, which will be addressed by #3654 or #1778)
Signed-off-by: Alyssa Wilk <alyssar@chromium.org>
Mirrored from https://github.com/envoyproxy/envoy @ 95c3e1343de707edee58defbec03ba87c9e969de
I think this broke in a recent refactor.
Signed-off-by: Matt Klein <mklein@lyft.com>
Mirrored from https://github.com/envoyproxy/envoy @ 866597fcb8cc3cdd53a767d66755506036261f3c
adds the required visibility rules and delegates the rest to the generic
api_proto_library. I tested the change by doing the following without
getting errors.
./ci/run_envoy_docker.sh './ci/do_ci.sh docs'
I changed the BUILD files using the following commands.
/envoy/api$ find . -type f -name BUILD | xargs sed -i -e 's/api_proto_library(/api_proto_library_internal(/g'
envoy/api$ find . -type f -name BUILD | xargs sed -i -e 's/"api_proto_library"/"api_proto_library_internal"/g'
Signed-off-by: mickey <mickeyju@google.com>
Mirrored from https://github.com/envoyproxy/envoy @ 4b871c0ab9350882271a490adcee44e613ed9807
This PR extends the current Ext_Authz filter to allow optional HTTP attributes being passed from the Authorization service down to client or, to the upstream services. I would like to get some feedback on the changes to the current gRPC async client and filter before moving to implementation of HTTP part of this extension and tests.
*issue: #2828
Risk Level: Medium
Testing: Manual, unit testing.
Docs Changes: envoyproxy/data-plane-api#563
Signed-off-by: Gabriel <gsagula@gmail.com>
Mirrored from https://github.com/envoyproxy/envoy @ 5244597e93c70b4945c03a9fc55f8924a2da6fbc
Added a health discovery service config option in bootstrap.proto.
There is skeleton code for this service in source/common/upstream/health_discovery_service.cc
and an integration test that tests connectivity between envoy running hds and a management server.
This work is for #1310.
Risk Level: Low
Signed-off-by: Lilika Markatou <lilika@google.com>
Mirrored from https://github.com/envoyproxy/envoy @ 1413d5697c9a6c5c43d7b3d23bdab23cc8c2604b
Adding the (hidden) option to configure a HTTP filter chain for any upgrade type.
Also tossing in some minor renames and status code as prep work for #3301
Risk Level: Low (refactors and adding config guarded code)
Testing: Unit tests of new code.
Docs Changes: docs inline with protos.
Release Notes: n/a
Signed-off-by: Alyssa Wilk <alyssar@chromium.org>
Mirrored from https://github.com/envoyproxy/envoy @ 474d548a5d646048d3d573577fac46079f3bf30a
ratelimit: added support for api/envoy/service/ratelimit/v2/rls.proto. Envoy can use either proto to send client requests to a ratelimit server with the use of the use_data_plane_proto boolean flag in the ratelimit configuration. Support for the legacy proto is deprecated and will be removed at the start of the 1.8.0 release cycle.
Signed-off-by: Jose Nino <jnino@lyft.com>
Mirrored from https://github.com/envoyproxy/envoy @ b0874e3ebd3bf79cec09aa4480f07da5f5630d07
Based on the requirement discussion from #2514.
Change the Jwt_authn config to support different requirement based on route match.
Risk Level: Low
Signed-off-by: Wayne Zhang <qiwzhang@google.com>
Mirrored from https://github.com/envoyproxy/envoy @ cc4845b01f71f3e12b359d1ce099a22d4fe61526
Add support for extracting dynamic metadata from requests. This can then
be used as static metadata would be used (e.g.: for subset load balancer
metadata matches, logging, etc).
Risk Level: Low
Testing: unit-test
Docs Changes: Basic docs.
Release Notes: N/A
Signed-off-by: Raul Gutierrez Segales <rgs@pinterest.com>
Mirrored from https://github.com/envoyproxy/envoy @ 827c0a548ab38d55debe00587ee27253786befad
HCM and router changes to support use of Envoy in scenarios where we don't want Envoy to be generating additional headers or manipulating XFF. This also introduces Via support.
Fixes#1030.
Risk Level: Low (opt in)
Testing: Unit and integration tests added.
Signed-off-by: Harvey Tuch <htuch@google.com>
Mirrored from https://github.com/envoyproxy/envoy @ 2f55443b68c50f88c6f7dccc3b82ec6a4b4c235d
Adds a file based grpc credentials extension. See issue #3392 for more details.
Risk Level: Low: extension for grpc credentials loaded by explicit configuration options
Testing: tests included in PR
Docs Changes: Inline docs via comments and proto docs
Release Notes: N/A
Fixes#3392
Signed-off-by: Michael Wozniak <wozz@koh.ms>
Mirrored from https://github.com/envoyproxy/envoy @ 230d2216fdd520a182dea9b5152522756853cd90
The proto field is marked as deprecated without any explanation, so this
adds a reference to the other field which should be used instead.
Signed-off-by: Snow Pettersen <snowp@squareup.com>
Mirrored from https://github.com/envoyproxy/envoy @ 0bcdb5d7611a79fd22f823fd707a8b6f7b5f756e
Fixes https://github.com/envoyproxy/envoy/issues/743
This is a general cleanup of all of the access logging documentation.
I have reorganized a bunch of things and hidden the various gRPC logging
fields that are not implemented yet.
I've also moved the existing tap protos into a new "output" directory. This
is the best name I could come up for cleanly separating output data that might
be stored outside of any service or configuration.
Signed-off-by: Matt Klein <mklein@lyft.com>
Mirrored from https://github.com/envoyproxy/envoy @ c15019e79c832d9f0a09468affaadabc4be3e115
*Risk Level*: None
*Testing*: bazel test //test/...
*Docs Changes*: n/a
*Release Notes*: n/a
Found with buildifier.
Signed-off-by: Piotr Sikora <piotrsikora@google.com>
Mirrored from https://github.com/envoyproxy/envoy @ 0e8964c83f359916ecbf9c01a03ade3c92aac479
This change does several things:
1) Clarifies how we handle xDS version_info in responses and sets us up
for both top-level/transactional versions as well as per-resource
versions in the future.
2) Moves the config_dump admin endpoint to the v2alpha namespace so that
we can iterate on it in the future.
3) Fills out the config dump proto for the remaining resource types.
These are not implemented but are here to force a discussion about
how we want to handle versions moving forward.
4) Fixes RDS static config dump to actually work and add better tests.
5) Wire up version for the RDS config dump on a per-resource basis.
Once we agree on the general version semantics I will be following up
with dump capability of the remaining resource types.
Part of https://github.com/envoyproxy/envoy/issues/2421
Part of https://github.com/envoyproxy/envoy/issues/2172
Fixes https://github.com/envoyproxy/envoy/issues/3141
Signed-off-by: Matt Klein <mklein@lyft.com>
Mirrored from https://github.com/envoyproxy/envoy @ ada758739907628b50079b9adfccf5481ec9fc5f
* tap/fuzz: transport socket extension for traffic capture.
This PR introduces a transport socket extension that wraps a given transport socket, interposes on its
plain text traffic and records it into a proto trace file on the filesystem. This can be used for a
number of purposes:
1. As a corpus for fuzzing the data plane.
2. Converted to PCAP using a soon-to-be-written utility, allowing existing tools such as Wireshark
to be used to decode L4/L7 protocol history in the trace. Essentially this lets us take advantage
of the PCAP ecosystem.
Relates to #1413 and #508.
Risk Level: Low (opt-in).
Testing: New SSL integration tests, demonstrating plain text intercept.
Signed-off-by: Harvey Tuch <htuch@google.com>
Mirrored from https://github.com/envoyproxy/envoy @ 6c7a91733469f76381487f9ca78bdece6825c8c9
Added protos to support Role Based Access Control in Envoy.
Also removed existing auth.proto because the new RBAC proto is a replacement of it.
Ealier discussions at
envoyproxy/data-plane-api#586.
Signed-off-by: Limin Wang <liminwang@google.com>
Mirrored from https://github.com/envoyproxy/envoy @ 13de384ab34428af99c53201f6b3c95991b7ae10
Implements the header matching mechanism that was added to the API in #3097 .
Risk Level: Low
Testing: Unit tests were added for the new configuration options.
Docs Changes: #3097.
Release Notes: added release note.
Signed-off-by: Matt Rice <mattrice@google.com>
Mirrored from https://github.com/envoyproxy/envoy @ 132b36cdae221dd602ebd920a1025167c3a7753a
data-plane-api(CircleCI)