Add unified matcher for network streams, as a replacement for filter chain match.
See previous discussion in #18871
Signed-off-by: Kuat Yessenov <kuat@google.com>
Mirrored from https://github.com/envoyproxy/envoy @ 7eb3a87b8757e030aedfdc4959adc509e89ac788
This change introduces a new output sink type for admin /tap requests which buffers traces internally before responding to the client.
This sink is best used to collect traces for requests that are frequently matched, or to work around system limitations such as improper support for streaming HTTP responses.
Signed-off-by: David Peet <davidpeet@tutanota.com>
Mirrored from https://github.com/envoyproxy/envoy @ 0fd80eef63bc9770186c4f4aa345ee63e464cab3
Use type_url to look up extensions. This prevents the undesirable practice of putting invalid protobufs to avoid a type lookup or duplicating the type URL.
Risk Level: medium, affects extensions with duplicated type URLs or no configuration
Testing: yes
Docs Changes: yes, this has been the recommendation for awhile.
Release Notes: yes
Runtime Guard: envoy.reloadable_features.no_extension_lookup_by_name
Signed-off-by: Kuat Yessenov <kuat@google.com>
Mirrored from https://github.com/envoyproxy/envoy @ 8cb6862fe6099cd8583a64ff037ecdeaf0e939fa
Add an extra async cluster look up. The continuation of the cluster look up is establishUpstreamConnection().
To establishConnection() is also the callback of upstream connection failure.
Additional Description:
Risk Level: LOW if odcds is disabled, the code path remains the same.
Testing: Added integration tests and existing unit test is untouched.
Docs Changes: n/a
Release Notes: inline
Signed-off-by: Yuchen Dai <silentdai@gmail.com>
Mirrored from https://github.com/envoyproxy/envoy @ 0a587f23b21ab34b28d9c53428af259b3f7b0970
Added option to limit the number of certificates parsed during verification.
Signed-off-by: Deepti Gupta <deepti_gupta2@apple.com>
Mirrored from https://github.com/envoyproxy/envoy @ b130ee612018cf099a91b3f2bc1225f70f49e48c
The new field would allow more efficient generation of routes, replacing pairs of path+prefix routes into one path_separated_prefix route
Risk Level: Low
Testing: Unit test
Docs Changes: inline
Release Notes: Added
Fixes#18148
Signed-off-by: Toma Petkov <tpetkov@vmware.com>
Mirrored from https://github.com/envoyproxy/envoy @ 8f9e11247a07cc6df0ecd62689fe290f12a9013d
This begins the deprecation process for TTwitter.
Fixes#20466.
Signed-off-by: Raul Gutierrez Segales <rgs@pinterest.com>
Mirrored from https://github.com/envoyproxy/envoy @ 9e67f1e2461e965c0269c69356d608e39c23902b
filter_metadata is already forwarded to external auth service
but typed_filter_metadata is not, this commit fixes this.
Signed-off-by: Wanli Li <wanlil@netflix.com>
Mirrored from https://github.com/envoyproxy/envoy @ 9cce4a61851069f025493726f0b6cef87489f394
When deploying a new cluster specifier plugin, it is often necessary to add it to the configuration before all clients can be updated to support it, with routing rules configured to prevent clients without support from selecting any routes referencing the plugin. This field will allow those clients to suppress the default behavior of NACKing any resource containing the unknown plugin.
Risk Level: None
Testing: None
Docs Changes: None
Release Notes: None
Platform Specific Features: None
Signed-off-by: Doug Fawley <dfawley@google.com>
Mirrored from https://github.com/envoyproxy/envoy @ 55539d34f6ad5771f17ba04a64e1c7d24aa3c055
add envoy.extensions.transport_sockets.quic.v3.QuicDownstreamTransport.enable_early_data to turn on/off early data support in EnvoyQuicServerSession.
Risk Level: low, behavior change to h3 downstream handshake is behind the new config knob.
Testing: added new integration tests
Docs Changes: N/A
Release Notes: noted about the new config knob transport_sockets.quic.v3.QuicDownstreamTransport.enable_early_data
Fixes#19943
Mirrored from https://github.com/envoyproxy/envoy @ 7be30191816ef3cbdc2ca013560d9de6a3a2d5fb
* connection: add runtime guard to disable looking up local interface name for upstream connections
Signed-off-by: Jose Nino <jnino@lyft.com>
Mirrored from https://github.com/envoyproxy/envoy @ 8cbbf66dd3f46f3525e3950152d0c8bf666cbd57
If "issuer" in the JwtProvider config is specified, it has to match "iss" field in the JWT. But current implementation has a bug where if "iss" is empty, it is not checked.
Risk Level: Low, only impact users with empty "iss" JWT.
Testing: Unit-tested
Docs Changes: None
Release Notes: Yes
Signed-off-by: Wayne Zhang <qiwzhang@google.com>
Mirrored from https://github.com/envoyproxy/envoy @ 336fcf9b1105fcb2581a59811c0029f8899c63c2
Commit Message:
Additional Description:
Risk Level: low (off by default)
Testing: unit, integration
Docs Changes: in API
Release Notes: yes
Part of #20207
Signed-off-by: Alyssa Wilk <alyssar@chromium.org>
Mirrored from https://github.com/envoyproxy/envoy @ fc96a7683601321d3655b99d900cc8b9fd406992
Adding xDS routing discovery support for thrift proxy.
The routing discovery is supported only through ADS. No separate service endpoints added
for thrift routing config type url.
This PR is split from #17631
Risk Level: Low
Testing:
- Unittest
- Manual test with static routing from bootstrap config, static routing and dynamic routing from GRPC based xDS server.
Docs Changes: Comment added to the new API field.
Signed-off-by: Tamas Kovacs <tamas.2.kovacs@nokia-sbell.com>
Mirrored from https://github.com/envoyproxy/envoy @ ec7ef59ef36ccb5e2a9b20493ae23673504d75b9
TcpProxy ondemand vs http on demand
Why not a dedicated on demand filter prior to tcp_proxy?
A filter prior to tcp proxy cannot figure out the dest cluster before tcp_proxy establish the upstream connection.
In http stack, a route entry which contains the upstream cluster is offered to the potential on-demand filter before the router filter.
Why no per-route config in tcp_proxy?
TcpProxy provides single upstream cluster.
An alternative weighted_clusters can be used as tcp_proxy upstream cluster. However, it's probably too early to distinguish the
per cluster ondemand requirement within the weighted_cluster. We can always add in the future.
Risk Level: LOW
Signed-off-by: Yuchen Dai <silentdai@gmail.com>
Mirrored from https://github.com/envoyproxy/envoy @ 824032e93ef295e22086f465d4c60a3aeea4ae13
* fix: slow start config add min_weight_percent field to avoid too big edf deadline
Signed-off-by: jiangshantao <jiangshantao-dbg@qq.com>
Mirrored from https://github.com/envoyproxy/envoy @ e3fede5b9374bca134ec546934335ab5cdeb7aef
ratelimit: add support for x-ratelimit-* headers in local rate limiting
Signed-off-by: Xie Zhihao <zhihao.xie@intel.com>
Mirrored from https://github.com/envoyproxy/envoy @ 5c56e45a041a4446411a8dccb5262b12323ff9be
Stateful session will try to parse upstream address from downstream request directly and override the result of load balancing algorithm by the LoadBalancerContext::overrideHostToSelect API.
To avoid the load balancer selecting hosts that in unexpected statuses, specifying some expected statuses are necessary.
In the previous design, we will provide expected statuses of override host by the LoadBalancerContext::overrideHostToSelect API.
And in the PR #18207, after some discussion with @htuch, we found may be cluster-level config may be more reasonable design and implementation.
Ref some more details: #18207 (comment)
So this PR try to close previous discussion in the #18207:
Refactoring LoadBalancerContext::overrideHostToSelect API to remove expected statuses for the return value.
Add new common lb config override_host_status and related implementation.
Risk Level: Mid.
Testing: N/A.
Docs Changes: N/A.
Release Notes: N/A.
Platform Specific Features: N/A.
@wbpcode
Signed-off-by: wbpcode <wbphub@live.com>
Mirrored from https://github.com/envoyproxy/envoy @ 1575185d14abc3bc508ce5a6ba45422393322551
* Adding custom config-validation interface, extension, and a CDS validator.
Signed-off-by: Adi Suissa-Peleg <adip@google.com>
Mirrored from https://github.com/envoyproxy/envoy @ e58c890ded5c13e60eba3285c96ffefd6f7215cf
- Add ability to fail on deprecated or WiP
- Add basic tests to the validator.
- PGV checks will now recurse into all sub-messages, including
Any messages, allowing for full verification of the message tree.
Signed-off-by: Matt Klein <mklein@lyft.com>
Mirrored from https://github.com/envoyproxy/envoy @ 80458835e87ba03019df319a1927ae0d17956dd3
Upstream GRPC hosts may categorize requests by request headers. This change exposes
request_headers_to_add and request_headers_to_remove options to GrpcHealthCheck in
a way similar to HttpHealthCheck.
Risk Level: Low
Testing: Performed manual test, a new unit test is added to cover the new code path.
Docs Changes: None
Release Notes: Added to "Minor Behavior Changes" section.
Signed-off-by: Wanli Li <wanlil@netflix.com>
Mirrored from https://github.com/envoyproxy/envoy @ 23ff23d0954eb9e6e4ed7ed60ec0e0d05174f6da
Introduce data inputs for connection matching as part of #18871
Signed-off-by: Kuat Yessenov <kuat@google.com>
Mirrored from https://github.com/envoyproxy/envoy @ a1181348a4f6df6011843a141814e28840d23eb5
For xDS over the file system, sometimes more control is required over
what directory/file is watched for symbolic link swaps. Specifically,
in order to deliver xDS over a Kubernetes ConfigMap, this extra
configuration is required.
Fixes https://github.com/envoyproxy/envoy/issues/10979
Signed-off-by: Matt Klein <mklein@lyft.com>
Mirrored from https://github.com/envoyproxy/envoy @ 8670309bce9a488ccfc04a87d0c4367ca59c4179