Based on the requirement discussion from #2514.
Change the Jwt_authn config to support different requirement based on route match.
Risk Level: Low
Signed-off-by: Wayne Zhang <qiwzhang@google.com>
Mirrored from https://github.com/envoyproxy/envoy @ cc4845b01f71f3e12b359d1ce099a22d4fe61526
Add support for extracting dynamic metadata from requests. This can then
be used as static metadata would be used (e.g.: for subset load balancer
metadata matches, logging, etc).
Risk Level: Low
Testing: unit-test
Docs Changes: Basic docs.
Release Notes: N/A
Signed-off-by: Raul Gutierrez Segales <rgs@pinterest.com>
Mirrored from https://github.com/envoyproxy/envoy @ 827c0a548ab38d55debe00587ee27253786befad
Glues together code from previous PRs into a ThriftFilter that counts requests (by type) and responses (by type and result), counts protocol errors for requests and responses, and records timings of request/response pairs.
Risk Level: Low
Testing: unit and manual testing
Docs Changes: trivial documentation of thrift config
Release Notes: introduced envoy.thrift filter
Relates to: #2247
Signed-off-by: Stephan Zuercher <stephan@turbinelabs.io>
Mirrored from https://github.com/envoyproxy/envoy @ 4521e89da33ce44ebdc61b2b1da07712341d743d
This supports things like OAuth, GCE default creds, refresh tokens, etc.
Risk Level: Low
Testing: Minimal tests. grpc::Channel/CallCredentials are opaque and don't provide much in the way
of inspection from tests (CC: @vjpai).
Signed-off-by: Harvey Tuch <htuch@google.com>
Mirrored from https://github.com/envoyproxy/envoy @ 2426ec1c614399438fae6803c85d22b98b1a7038
SAN-based verification without trusted CA is insecure, since provided
values are easily spoofable.
Becasue of how the existing verification code is structured, this was
already enforced at run-time, and all certificates were rejected when
trusted CA wasn't specified, but previously it wasn't obvious why.
*Risk Level*: None
*Testing*: bazel test //test/...
*Docs Changes*: Added
*Release Notes*: n/a
Fixes#1268.
Signed-off-by: Piotr Sikora <piotrsikora@google.com>
Mirrored from https://github.com/envoyproxy/envoy @ 72db143131c1030e7c448e034a1a08980dc826f9
Add load_assignment field in Cluster
This patch introduces load_assigment field in CDS' Cluster. This is an API change only.
This is part of effort on breaking #3261 into multiple PRs.
Risk Level:
Low, since it is hidden.
Testing:
Build api and envoy-static without error
Docs Changes:
Add load_assignment in Cluster of cds.proto.
Signed-off-by: Dhi Aurrahman <dio@rockybars.com>
Mirrored from https://github.com/envoyproxy/envoy @ 79bce5fe1cd8d1ab03dc6085497fcda653320a67
HCM and router changes to support use of Envoy in scenarios where we don't want Envoy to be generating additional headers or manipulating XFF. This also introduces Via support.
Fixes#1030.
Risk Level: Low (opt in)
Testing: Unit and integration tests added.
Signed-off-by: Harvey Tuch <htuch@google.com>
Mirrored from https://github.com/envoyproxy/envoy @ 2f55443b68c50f88c6f7dccc3b82ec6a4b4c235d
Adds a file based grpc credentials extension. See issue #3392 for more details.
Risk Level: Low: extension for grpc credentials loaded by explicit configuration options
Testing: tests included in PR
Docs Changes: Inline docs via comments and proto docs
Release Notes: N/A
Fixes#3392
Signed-off-by: Michael Wozniak <wozz@koh.ms>
Mirrored from https://github.com/envoyproxy/envoy @ 230d2216fdd520a182dea9b5152522756853cd90
The proto field is marked as deprecated without any explanation, so this
adds a reference to the other field which should be used instead.
Signed-off-by: Snow Pettersen <snowp@squareup.com>
Mirrored from https://github.com/envoyproxy/envoy @ 0bcdb5d7611a79fd22f823fd707a8b6f7b5f756e
Fixes https://github.com/envoyproxy/envoy/issues/743
This is a general cleanup of all of the access logging documentation.
I have reorganized a bunch of things and hidden the various gRPC logging
fields that are not implemented yet.
I've also moved the existing tap protos into a new "output" directory. This
is the best name I could come up for cleanly separating output data that might
be stored outside of any service or configuration.
Signed-off-by: Matt Klein <mklein@lyft.com>
Mirrored from https://github.com/envoyproxy/envoy @ c15019e79c832d9f0a09468affaadabc4be3e115
No functional changes, only API update.
*Risk Level*: Low
*Testing*: bazel test //test/...
*Docs Changes*: n/a
*Release Notes*: n/a
Signed-off-by: Piotr Sikora <piotrsikora@google.com>
Mirrored from https://github.com/envoyproxy/envoy @ 4eb09f86cbfff67404591cf812a7db8d7880c413
*Risk Level*: None
*Testing*: bazel test //test/...
*Docs Changes*: n/a
*Release Notes*: n/a
Found with buildifier.
Signed-off-by: Piotr Sikora <piotrsikora@google.com>
Mirrored from https://github.com/envoyproxy/envoy @ 0e8964c83f359916ecbf9c01a03ade3c92aac479
This enables configuring Envoy to generate cookies that expire at the
end of a session instead of requiring them to have an explicit max-age.
Risk Level: Low
Testing: added unit tests and an integration test
Docs Changes: documented new behavior in API and release docs
Release Notes: router: allow cookie routing to generate session cookies.
Signed-off-by: Alex Konradi <akonradi@google.com>
Mirrored from https://github.com/envoyproxy/envoy @ 396f52de26e8864dbbefa903ff605bd52af11b3e
While there, add support for the standard hex-encoded SHA-256 hashes without colon delimiters.
Risk Level: Low
Testing: Unit tests added.
Docs Changes: Added
Release Notes: Added
Fixes#3418, #3419.
Signed-off-by: Piotr Sikora <piotrsikora@google.com>
Mirrored from https://github.com/envoyproxy/envoy @ f7e1e23379fae6045546e63584435b78ae5f30e6
* listener: add support for filter chain selection based on ALPN.
*Risk Level*: Low
*Testing*: bazel test //test/...
*Docs Changes*: Minimal
*Release Notes*: n/a
Fixes#3397.
Signed-off-by: Piotr Sikora <piotrsikora@google.com>
Mirrored from https://github.com/envoyproxy/envoy @ 12c470e666d23f1cedaea92cdae6c747d6081dfe
Add api_go_grpc rules for metrics_service, als, and trace_service.
To support those changes, also added the necessary go_proto_library
rules in the repositories.bzl definitions for prometheus_metrics_model,
and io_opencensus_trace, and augmented the go_build_test.go to
verify these changes were correct.
Signed-off-by: William Chang <mr.williamchang@gmail.com>
Mirrored from https://github.com/envoyproxy/envoy @ fb7797fd7df696cd239cc1d3792719361b62c684
The main gRPC service message is no longer draft.
Signed-off-by: Matt Klein <mklein@lyft.com>
Mirrored from https://github.com/envoyproxy/envoy @ ef4d1b1392cf9e6e124b154bc481b1452690e157
The default is actually the cluster name, not the ip
Signed-off-by: Snow Pettersen <snowp@squareup.com>
Mirrored from https://github.com/envoyproxy/envoy @ 2fa152da07db067cb0aedd1ef309759cb9424de6