Support an inline RouteConfiguration in ScopedRouteConfiguration.
This change enables fully inlined scoped route configuration by
allowing users to specify an inline `RouteConfiguration` in the scope's
config, as opposed to requiring a `route_configuration_name` to use for
an RDS subscription.
Signed-off-by: Andres Guedez <aguedez@google.com>
Mirrored from https://github.com/envoyproxy/envoy @ cbc05d480cc24fc96bbbbd476cc31b25402d6777
Commit Message: upstream: support max connection duration for upstream connections
Risk Level: low, isolated opt-in feature
Testing: new unit tests
Docs Changes: updated protobuf definition to no longer mention that max lifetime is not implemented for upstream connections
Release Notes: upstream: support max connection duration for upstream connections
Platform Specific Features:
Fixes#15107
Signed-off-by: John Esmet <john.esmet@gmail.com>
Mirrored from https://github.com/envoyproxy/envoy @ 9a4a861a6b22959205fb70454bcdf238e3ebd4f9
Adds support for using the matching API in the route table. This wires up using the generic match as part of a virtual host, making it possible to define a match tree that results in Route actions that reuses the same routing actions currently in use by the router.
Signed-off-by: Snow Pettersen <snowp@lyft.com>
Mirrored from https://github.com/envoyproxy/envoy @ 94d00135bd9f0f7701c89c7a9220691e51068aec
Update to latest commit of xDS protos.
Signed-off-by: Mark D. Roth <roth@google.com>
Mirrored from https://github.com/envoyproxy/envoy @ ea223b1a6cd999fecf60d3cdea3ccc589e86f9a3
This PR currently only implements query string modifications when using a gRPC authorization server.
Signed-off-by: John Esmet <john.esmet@gmail.com>
Mirrored from https://github.com/envoyproxy/envoy @ c42a018d332920f3e523f1a0409b6056bd805853
This includes some more go_package annotations in the protos
Signed-off-by: Keith Smiley <keithbsmiley@gmail.com>
Mirrored from https://github.com/envoyproxy/envoy @ 17d00f7e9a75b494d8cdeac77be4647619a1a9fa
Adds a new API field for http health checks that allows specifying ranges of status codes that are considered retriable. If these status codes are received, those failures will contribute towards the configured unhealthy threshold rather that immediately considering the cluster member unhealthy as is the case today.
Signed-off-by: Weston Carlson <wez470@gmail.com>
Mirrored from https://github.com/envoyproxy/envoy @ 42f9fc3b000fbc01fa5d500cc071f477bebaa638
Framed was the only transport that supported payload passthrough. However the payload
of Header transport is the same as Framed. Therefore its possible to also use payload
passthrough with Header to Header, Framed to Header and Header to Framed. Therefore
allow those extra three combinations and add integration tests. Note that in future if Header
transforms become supported then passthroughData will need to undo any transforms.
New metrics request_passthrough and response_passthrough are added to show when payload
passthrough occurs. Note that previously response_success was always incremented when
performing payload passthrough, and that is corrected to only occur when parsing the
payload.
This will enable payload passthrough for combinations of downstream/upstream transports that did not
previously perform passthrough. If a private filter does not implement passthroughEnabled or passthroughData
correctly, has enabled payload passthrough and is using Header to Header, Framed to Header or Header to Framed
then the filter may have issues.
Risk Level: Medium
Testing: Extended existing integration tests and verified on local deployment.
Docs Changes: Updated ThriftProxy proto docs.
Release Notes: Minor behavior change.
Platform Specific Features: N/A
Signed-off-by: James Fish <jfish@pinterest.com>
Mirrored from https://github.com/envoyproxy/envoy @ 0f31648808783b1057c78ff0c90721b81d32e19c
To fix: #13965
grpc_json envoy filter adds a new field 'query_param_unescape_plus` to enable the support of converting "+" to space in query parameters.
The actual unescape code is implemented in grpc-httpjson-transcoding.
Risk Level: None
Testing: integration tests
Docs Changes: None
Release Notes: Yes
Signed-off-by: Wayne Zhang <qiwzhang@google.com>
Mirrored from https://github.com/envoyproxy/envoy @ 1ba355b5e9f00cda595d5b52e3390d473fa5ecce
Based on the dicsussion in the issue https://github.com/envoyproxy/envoy/issues/17410, this PR adds
implementation for ability to add rbac policy to filter upstream ip addresses for dynamically
resolved domains (by dynamic proxy filter).
Signed-off-by: Jojy George Varghese <jojy_varghese@apple.com>
Mirrored from https://github.com/envoyproxy/envoy @ 53f95570a7e9d7fa5414a4bc145852524fa017ed
Intel's IPP (Integrated Performance Primitives) crypto library has support for multi-buffer crypto operations. Briefly, multi-buffer
cryptography is implemented with AVX-512 instructions using a SIMD (single instruction, multiple data) mechanism. Up to eight RSA or ECDSA operations are gathered together into a buffer and processed at the same time, providing potentially improved performance. The AVX-512 instructions are available on recently launched 3rd generation Xeon Scalable server processors (Ice Lake server) processors.
This commit adds a private key provider to accelerate RSA and ECDSA crypto operations on recent Intel Xeon processors. Every worker thread has a queue of up-to-eight crypto operations. When the queue is full or when the timer is triggered, the queue is processed and all the pending handshakes are notified.
The potential performance benefit depends on many factors: the size of the cpuset Envoy is running on, incoming traffic pattern, encryption type (RSA or ECDSA), and key size. In my own testing I saw the biggest performance increase when long RSA keys were used on an Envoy running in a fairly limited environment serving lots of new incoming TLS requests. For more details, see this Intel whitepaper which contains some more information about the AVX-512 instructions and potential performance increase: https://www.intel.com/content/www/us/en/architecture-and-technology/crypto-acceleration-in-xeon-scalable-processors-wp.html
Additional Description:
One new dependency is introduced: Intel’s ipp-crypto library. Currently the PR is using a development version of ipp-crypto because BoringSSL support is not yet part of any release. The ipp-crypto team has indicated that BoringSSL version will be included in future ipp-crypto releases.
Basic tests are provided, and a fake library interface is included for testing on systems without the required AVX-512 instruction set.
Risk Level: Medium (TLS security feature, not enabled by default)
Testing: Unit tests
Docs Changes: API interface is documented
Release Notes: Added CryptoMB private key provider to contrib.
Platform Specific Features: Requires Intel 3rd generation Xeon Scalable server processor for the AVX-512 IFMA instruction set.
Fixes: #15871
Signed-off-by: Ismo Puustinen <ismo.puustinen@intel.com>
Co-authored-by: Greg Greenway <ggreenway@apple.com>
Mirrored from https://github.com/envoyproxy/envoy @ 2144166ca7a3f100ecae16700bc82920b2de4871
This is a first step towards https://github.com/envoyproxy/envoy/issues/17920
A single proto (kafka mesh) has been swapped from using the udpa
file_status annotation to the xds file_status annotation to avoid a
large amount of churn and a forthcoming migration of many alpha/wip
protos to non alpha/wip. The rest will be audited and swapped in
future PRs. This single one was done to make sure the doc machinary
works properly.
Signed-off-by: Matt Klein <mklein@lyft.com>
Mirrored from https://github.com/envoyproxy/envoy @ f0f17a3caa75106a9e28b99edc27dd09c1bed488
This allows for dynamic metadata when using an HTTP authorization service. Currently, it is only possible to set dynamic metadata using a gRPC authorization service.
Risk Level: low, new opt-in feature in an extension
Testing: unit tests
Docs Changes: proto definitions documented
Release Notes: ext_authz: added :ref:dynamic_metadata_from_headers <envoy_v3_api_field_extensions.filters.http.ext_authz.v3.AuthorizationResponse.dynamic_metadata_from_headers> to support emitting dynamic metadata from headers returned by an external authorization service via HTTP.
Signed-off-by: John Esmet <john.esmet@gmail.com>
Mirrored from https://github.com/envoyproxy/envoy @ 31f48ee7a3c32ed383b46c8940263af9dc9bdcd4
This PR adds some more description around max_connection_duration in the Timeout FAQs.
Commit Message: add more description for max_connection_duration in timeout faqs.
Additional Description: -
Risk Level: N/A
Testing: N/A
Docs Changes: Added some more description around max_connection_duration in the Timeout FAQs.
Release Notes: N/A
Platform Specific Features: N/A
Signed-off-by: Rohit Agrawal <rohit.agrawal@databricks.com>
Mirrored from https://github.com/envoyproxy/envoy @ 2e8efdefef86f7749aee3ca30d0752218a07ca8a
Risk Level: low
Testing: new unit tests. integration test TODO in a follow up
Docs Changes: n/a
Release Notes: will land with integration test.
Fixes#18034
Signed-off-by: Alyssa Wilk <alyssar@chromium.org>
Mirrored from https://github.com/envoyproxy/envoy @ 7f63632be6b08193550041c4069e63f557b16c5d
upstream: Make the Alt-Svc cache configuration required if HTTP/3 is enabled with AutoHttpConfig.
Risk Level: Low
Testing: Unit tests
Docs Changes: N/A
Release Notes: N/A
Platform Specific Features: N/A
Signed-off-by: Ryan Hamilton <rch@google.com>
Mirrored from https://github.com/envoyproxy/envoy @ 19102ffc814204d2d2f98747afa3af3a84a4024c
This patch adds header_to_metadata field to JwtProvider config to allow
setting the extracted header of a successfully verified JWT to dynamic
metadata.
Signed-off-by: Dhi Aurrahman <dio@rockybars.com>
Mirrored from https://github.com/envoyproxy/envoy @ 25622ce26532ad42d93a383d48b6c86d9e28d3d2
Removal of params or cookies after authentication is not implemented as of today.
authenticator.cc calls the removeJwt(...) if forward is set to false (default)
and this leads to an assertion failures caused by NOT_IMPLEMENTED_GCOVR_EXCL_LINE.
Changed removeJwt(...) for JwtCookieLocation to be empty, added test coverage
and updated proto doc to call-out this caveat.
Signed-off-by: Shubham Patil <theshubhamp@gmail.com>
Mirrored from https://github.com/envoyproxy/envoy @ 5591dbc0f6d663641241f1919dc6135668c1da75
http: Unhide the AlternateProtocolCache configuration
and move some docs from http3_upstream.md to connection_pooling.rst
Risk Level: N/A - Docs only
Testing: N/A - Docs only
Docs Changes: Unhide the AlternateProtocolCache configuration and move some docs from http3_upstream.md to connection_pooling.rst
Release Notes: Added
Platform Specific Features: N/A
Signed-off-by: Ryan Hamilton <rch@google.com>
Mirrored from https://github.com/envoyproxy/envoy @ d7fdbbc567b5e3175240c1fa9827255275c53c36
This was built for Envoy Mobile, but will allow generic modification
of router behavior between retries. Currently it only supports modifying
upstream socket options (to in practice impact interface binding), but
in the future is likely to be extended to modify timeouts, retry back
off times, request headers, etc.
Signed-off-by: Matt Klein <mklein@lyft.com>
Mirrored from https://github.com/envoyproxy/envoy @ 5b1015cffbf6e02a7ccec9c12a6b7f246f8f3d30
Allows ensuring continual progress of individual request attempts.
Signed-off-by: Matt Klein <mklein@lyft.com>
Mirrored from https://github.com/envoyproxy/envoy @ b500a0a655809f518ed30a05ceb7262a02dbc537
Adds a new optional param called override_auto_sni_header which can be used to populate the upstream SNI value from an arbitrary header other than Host/Authority.
Signed-off-by: Rohit Agrawal <rohit.agrawal@databricks.com>
Mirrored from https://github.com/envoyproxy/envoy @ 5c146696351be2bac731abd501333fbac824d919
This includes validation for upgrade connects per Ryan's offline advice.
n.b. this should be a no-op for HTTP (where there is no mechanism to send both) and HTTP/2 (where nghttp2 validates) so not currently calling out in release notes.
Risk Level: low
Testing: new integration tests
Docs Changes: inline
Release Notes: n/a (quic alpha)
co-author: @DavidSchinazi
Signed-off-by: Alyssa Wilk <alyssar@chromium.org>
Mirrored from https://github.com/envoyproxy/envoy @ 2d934e1e618714bab0ae7f2dcfd6a0531212dd6c
Before this, when a gRPC server sends out DeniedResponse as a check
response for a request but without setting the
HttpResponse.DeniedResponse.Status, HTTP ext_authz filter translates
that as "0" (empty/unknown HTTP status code). This patch makes sure we
reply with a valid 403 Forbidden HTTP status code (the current default
status code for denied response).
Signed-off-by: Dhi Aurrahman <dio@rockybars.com>
Mirrored from https://github.com/envoyproxy/envoy @ e3af0943fff8444660a797cce6a78fd956e3c2cf
Signed-off-by: Adam Kotwasinski <adam.kotwasinski@gmail.com>
Mirrored from https://github.com/envoyproxy/envoy @ 0c8942dd82e3991d5162c4c53ec5b2e5c1d71010
Today "disabled" and the processing mode are the two things supported
because that is what is currently supported in ext_proc.
Signed-off-by: Gregory Brail <gregbrail@google.com>
Mirrored from https://github.com/envoyproxy/envoy @ 01ea37b280d980c25bb9e2c8069d62e4aef37961
Field 2 in the `DnsFilterConfig` message was released in Envoy 1.18,
and repurposed in Envoy 1.19. Renumber the field, while leaving a
compatibility field so that control planes can gracefully migrate to a
subsequent 1.19 release.
This fixes#17921.
Signed-off-by: James Peach <jpeach@apache.org>
Mirrored from https://github.com/envoyproxy/envoy @ ff9704e502184c4415d38351795f0d5d11627fcd