Add connect_pool_per_downstream_connection flag to the cluster config (disabled by default)
Add a hashKey method to Connection in order to be able to hash on the connection ID
Signed-off-by: Craig Radcliffe <craig.radcliffe@broadcom.com>
Mirrored from https://github.com/envoyproxy/envoy @ 76a1b24dd511bb5b3a38da3e84c9003ccadc64ce
Adds intermediate certificate authority revocation list documentation and tests that cover revoked, unrevoked and incomplete certificate revocation list chains.
Signed-off-by: Joshua Rutherford <joshua.rutherford@greymatter.io>
Mirrored from https://github.com/envoyproxy/envoy @ 969711e8c7f6b4cdc8fbc9f1f8d9c81a4df94adb
In the closed-source implementation of the AWS X-Ray tracer extension
there was additional span metadata that was hard-coded for the AWS App Mesh
service. This was expectedly removed from the implementation that was
upstreamed but there was a miss in adding an API to re-add this metadata
to spans.
Signed-off-by: Scott LaVigne <lavignes@amazon.com>
Mirrored from https://github.com/envoyproxy/envoy @ 64731cece4fb1c7a63251007e3f8bf319d1cb895
Risk Level: Low
Testing: N/A
Docs Changes: Included in PR
Release Notes: N/A
Signed-off-by: Mark D. Roth <roth@google.com>
Mirrored from https://github.com/envoyproxy/envoy @ c7323f25ee8395736b5b6d37a4521b29eeb84a0f
For matching values in the header that might be somewhere in the middle of the header, the present option is to use Regex in the form .Search-Pattern.. This can cause catastrophic backtracking as described in #7728
As a solution, I have introduced another header match type called contains which is based on absl::StrContains().
Risk Level: Low
Testing: Unit tests are included and manual testing was performed.
Fixes#12590
Signed-off-by: Shivanshu Goswami <shigoswami@ebay.com>
Mirrored from https://github.com/envoyproxy/envoy @ e322daaf0ca70fd3fcb1c1405830c73395510d93
This was written by Derek Argueta originally. Some more
work might be needed to make it more generic.
Risk Level: low, new filter
Testing: unit tests included
Docs Changes: filter docs added
Signed-off-by: Snow Pettersen <snowp@lyft.com>
Co-authored-by: Derek Argueta <darguetap@gmail.com>
Mirrored from https://github.com/envoyproxy/envoy @ c6bfd7f9f52468d576781a9b1fe9ea5d3f9086c9
The filter responds to the SRV requests identifying the server targets, and address records for each target.
Signed-off-by: Alvin Baptiste <alvinsb@gmail.com>
Mirrored from https://github.com/envoyproxy/envoy @ d6b9cf7fce5065062940248f254d66cf77770ee9
This adds a dynamic_metadata field to CheckResponse message, hence it can be used for any type of HTTP response (OkHttpResponse or DeniedHttpResponse).
Risk Level: Low
Testing: Updated
Docs Changes: Updated
Release Notes: Added
Fixes#12671
Signed-off-by: Dhi Aurrahman <dio@tetrate.io>
Mirrored from https://github.com/envoyproxy/envoy @ cbdd01c22b84ac5333f95f030821dfcf6db49734
Currently, the health discovery service takes a specifier with information about which endpoints to perform health checks on, which already supports information about cluster structure and locality information. However, when when forming a response holding endpoint health information, all notion of cluster or locality is dropped and endpoint information is stored in a flat list. This is problematic when there are several endpoints with the same address or port but with a different locality, cluster, or path.
This PR uses the previous proto change in Issue #12153 which added support for grouping endpoint health information by their respective cluster and locality.
Risk Level: Low
Testing: Added a unit test in test/common/upstream/hds_test, which sends a specifier to HdsDelegate with several clusters, localties, and endpoints. It then verifies that the response holds the same structure. Existing integration tests were also changed to check for the new proto structure, specifically ones that already group several endpoints by differing clusters or localities.
Signed-off-by: Drew S. Ortega <drewortega@google.com>
Mirrored from https://github.com/envoyproxy/envoy @ d16164be1bd0ec7eba2b0b0f78ae8b0f455acd50
This was added for gRPC server support, but we've decided to use resource names instead to explicitly request the listeners we want by name. This is more in-line with the new naming scheme described in the "xDS Transport Next Steps" design.
Signed-off-by: Mark D. Roth <roth@google.com>
Mirrored from https://github.com/envoyproxy/envoy @ 05cbb309b828dc86737c51fd2c79d30e48e397a4
Add log control (list and modify log level) in admin interface for Fancy Logger, a new fine-grained logger for Envoy, and provide command line option --enable-fine-grain-logging for developers.
Additional Description: A doc of overview is provided here: source/docs/fancy_logger.md.
Risk Level: Medium
Testing: Unit tests.
Docs Changes: Added a new option --enable-fine-grain-logging and doc it.
Release Notes: Added to current.rst.
Signed-off-by: Jinhui Song <jinhuisong@google.com>
Mirrored from https://github.com/envoyproxy/envoy @ b7138814dde530b8c2957e806ea40879a4fdce32
This PR implements a new retry back off strategy that uses values from response headers like Retry-After or X-RateLimit-Reset (the headers are configurable) to decide the back off interval before retrying a request.
Signed-off-by: Martin Matusiak <numerodix@gmail.com>
Mirrored from https://github.com/envoyproxy/envoy @ bd2b989c578b2472faaff44902573e5b187f671f
Establish an extension point for actions to run based on Watch Dog Events.
Signed-off-by: Kevin Baichoo <kbaichoo@google.com>
Mirrored from https://github.com/envoyproxy/envoy @ 8c312f2c5b40b5ce7f6f68a1f9d4b0e98ef3829e
Added an node field to csds request to identify the CSDS client to the CSDS server, and removed the [#not-implemented-hide:] for the endpoint_config since it has been implemented in #11577
Risk Level: Low
Testing: N/A
Docs Changes: N/A
Release Notes: N/A
Signed-off-by: Yutong Li <yutongli@google.com>
Mirrored from https://github.com/envoyproxy/envoy @ 90a97c7ef3d67e213980db6b0ebeff284a938837
Un-Reverts 048583b, with fix for high cpu consumption.
This PR implements fault injection for Redis; specifically delay and error faults (which themselves can have delays added). I chose not to implement a separate filter after discussing with Henry; we concluded that the faults we felt were useful didn't need many levels- just a delay on top of the original fault, if any. In addition, as the Redis protocol doesn't support headers that makes it a bit different again from Envoy's http fault injection. This PR fixes the issue previously seen with redis fault injection where excessive cpu was used on connection creation.
Faults record metrics on the original request- and the delay fault adds extra latency which is included in the command latency for that request. Also, faults can apply only to certain commands.
Future work: Add several other faults, including cache misses and connection failures.
Signed-off-by: FAYiEKcbD0XFqF2QK2E4viAHg8rMm2VbjYKdjTg <nflacco@lyft.com>
Mirrored from https://github.com/envoyproxy/envoy @ e319b7c2a93783cd8bde45fa4c002ae02a4cb13f
Change the Overload Manager API to extend the overload action state with non-binary values. This will allow future overload actions to take effect in response to increasing load, instead of to the existing inactive/active binary values. This PR also adds a range field to the overload trigger config, though no actions currently trigger on the 'scaling' state.
The existing behavior is preserved by replacing all places where OverloadActionState::Active was being used with OverloadActionState::saturated(). This is a minimal re-hashing of #11697 for ##11427.
Risk Level: medium
Testing: ran unit and integration tests
Docs Changes: none
Release Notes: add "scaling" trigger for OverloadManager actions
Signed-off-by: Alex Konradi <akonradi@google.com>
Mirrored from https://github.com/envoyproxy/envoy @ 28df333572e71fc6850e82437a59e9e378d7b00b
Clarify that resource instance version can be reused across stream restarts. Also a few other small fixes and improvements.
Risk Level: Low
Testing: N/A
Docs Changes: Included in PR
Release Notes: N/A
Signed-off-by: Mark D. Roth <roth@google.com>
Mirrored from https://github.com/envoyproxy/envoy @ 2a4f7dae855ef81376a8aee6201ea19ea36ef8e2
This implements a host_rewrite_path option for rewriting the Host header based on path. See rational in the linked issue.
Note: the regex is executed on the path with query/fragment stripped. This is analogues to what regex_rewrite option is doing.
Risk Level: Low
Testing: added unit tests
Docs Changes: document the new option in proto file
Release Notes: added to current.rst
Fixes#12430
Signed-off-by: Petr Pchelko <ppchelko@wikimedia.org>
Mirrored from https://github.com/envoyproxy/envoy @ 374dca7905fc048be74169a7655d0462606555ad
The log action will be used to set the dynamic metadata key "envoy.log", which can be used to decide whether to log a request.
Signed-off-by: davidraskin <draskin@google.com>
Mirrored from https://github.com/envoyproxy/envoy @ 89b594e09e2f4ebaac43c6b38d778a3e0dc13a3a
This is the 1st PR for #11832 that factors out the TAP filter matcher to prepare for reuse in other filters.
Signed-off-by: Yangmin Zhu <ymzhu@google.com>
Mirrored from https://github.com/envoyproxy/envoy @ 520389e677cdcd4a85df769deb40f6cdd2f4f6f8
Introduces UdpPacketWriter Interface that can be used to perform writes in Batched/PassThrough modes by using QuicGsoBatchWriter implementation from QUICHE extension.
**Additional Description:**
UDP GSO (Generic Segmentation Offload) was introduced in Linux at version 4.18. It allows batch-writing of multiple messages into a single payload and sending these messages along as a batch in a single sendmsg syscall.
Currently, Envoy performs the sending of messages using simple sendmsg implementation in pass-through mode, i.e. no support for batch writing. With this change, UdpListener can use UdpPacketWriter interface as a DefaultWriter or a GsoBatchWriter to perform pass-through or batched writes respectively.
Detailed description of the changes can be found in the design document, [here](https://docs.google.com/document/d/16ePbgkfrzQ6v-cOVMSnKDja3dUdZvX-mxT9jw29rx4g/edit?usp=sharing).
**Risk Level:** Low, not in use
**Testing:**
- Added udp_listener_impl_batched_writes_test, to verify that multiple packets of varying sizes are batched/flushed as per gso specifications while using UdpGsoBatchWriter.
- Modified existing tests, to verify that UdpDefaultWriter performs writes in pass-through mode.
- Ran all tests. All 677 tests passed successfully.
```
**Docs Changes:** None
**Release Notes:** None
**Fixes:** #11925
Signed-off-by: Yugant <yugant@google.com>
Mirrored from https://github.com/envoyproxy/envoy @ 933e267db60961e76549ae6e65ac4872cb78db4d
Followup for a new feature introduced by #12410 Apologies for not noticing that a later draft was introduced recently. I think we should start with supporting the latest available spec draft, so update version 2 to version 3. The change is technically backwards-incompatible, but the new feature was introduced one day ago, nobody could have been so fast to depend on it.
Signed-off-by: Petr Pchelko <ppchelko@wikimedia.org>
Mirrored from https://github.com/envoyproxy/envoy @ 8452f4b749674deb5f4b963d0da78797fb7b1278
Adds support for X-RateLimit-* headers described in the draft RFC. The X-RateLimit-Limit header contains the quota-policy per RFC. The descriptor name is included in the quota policy under the name key. X-RateLimit-Reset header is emitted, but it would need a followup in the ratelimit service, which I will do once this is merged.
Signed-off-by: Petr Pchelko <ppchelko@wikimedia.org>
Mirrored from https://github.com/envoyproxy/envoy @ 9f405633b63e71c623d4de81698807fca17debe9
Add authority field in envoy grpc message to override the default host name as cluster name.
Risk Level: Low
Testing:
Docs Changes:
Release Notes:
Fix#12116
Signed-off-by: Yuchen Dai <silentdai@gmail.com>
Mirrored from https://github.com/envoyproxy/envoy @ 29b49276db0812b566d143a79996848819248428
An assert failure will occur when `config.route_config.route.cluster_header` contains invalid characters for the HTTP header. Added validation for this field to avoid assert failure and a regression test case in the unit test.
```
[assert] [bazel-out/k8-fastbuild/bin/include/envoy/http/_virtual_includes/header_map_interface/envoy/http/header_map.h:54] assert failure: valid().
```
Risk Level: Low
Testing: Added a regression test case
Fixes#12361
Signed-off-by: jianwen <jianwendong@google.com>
Mirrored from https://github.com/envoyproxy/envoy @ 71e9049eb3b22bd53d1651b8a435ed3b4142ee9f
Adding a filter for access logs that will decide whether to log based on dynamic metadata.
Signed-off-by: davidraskin <draskin@google.com>
Mirrored from https://github.com/envoyproxy/envoy @ d7c7e9a79eed80afa56a0b05cf6adf0516750d14
Description: Upstream Wasm proto files from envoy-wasm.
Risk Level: Low
Testing: Unit tests in envoy-wasm, integration tests in istio/proxy.
Docs Changes: N/A
Release Notes: N/A
Signed-off-by: John Plevyak <jplevyak@gmail.com>
Mirrored from https://github.com/envoyproxy/envoy @ 26eaa2e85cee69e5c32ab6bf4c5ae3d338fa462f
header-to-metadata filter supports adding a header's value to a metadata key which is later used for subset load balancing.
This PR adds support for extracting a specific cookie value before it's added as metadata.
Signed-off-by: Radha Kumari <rkumari@slack-corp.com>
Mirrored from https://github.com/envoyproxy/envoy @ 4dfa844f56d637b6ec26f415f65035707cdf01c8
Create metadata similar to MySQL based on SQL query sent by Postgres client. The metadata may be used by other filters like RBAC.
Risk Level: Low.
Testing: Added unit tests.
Docs Changes: Yes - updated Postgres section.
Release Notes: Yes.
Fixes#11065
Signed-off-by: Christoph Pakulski <christoph@tetrate.io>
Mirrored from https://github.com/envoyproxy/envoy @ 7287fad48f49cae45ce897643622fbf989c3c6c8
Implementing per-upstream prefetching, useful for high QPS or latency-sensitive services.
Risk Level: low (off by default)
Testing: new unit tests, integration test
Docs Changes: n/a
Release Notes: not yet
Signed-off-by: Alyssa Wilk <alyssar@chromium.org>
Mirrored from https://github.com/envoyproxy/envoy @ f6e90f2966887b25a8b6d5dd7f13ffb32865d66b
This is a docs only change, mostly on how to refer to LuaPerRoute info.
Signed-off-by: Dhi Aurrahman <dio@tetrate.io>
Mirrored from https://github.com/envoyproxy/envoy @ 3dedf1693f45239c670c5ba7598db44ff2e32c2f
This ensures that the configuration is valid.
Note that this adds stricter validation to an existing proto field, but the field was only added 5 days ago, so only someone running HEAD, using this new config, with invalid/non-sensical config should be affected.
Signed-off-by: Greg Greenway <ggreenway@apple.com>
Mirrored from https://github.com/envoyproxy/envoy @ 61c2816f704d11f66a507b76abc8f01c1816fe57
Commit Message: Add proxy proto transport socket
Additional Description: This is the part 1 PR described in #10682. It adds the transports socket / unit tests, a transport socket options struct for the proxy proto header, and does a refactor to make the listener filter use the common proxy proto constants (potentially want to move these now since the proxy proto config api type is not in extensions?)
Risk Level: Small
Testing: Unit
Docs Changes: None
Release Notes: None
Part Of: #1031
Signed-off-by: Weston Carlson <wez470@gmail.com>
Co-authored-by: Lizan Zhou <lizan@tetrate.io>
Mirrored from https://github.com/envoyproxy/envoy @ 8972b478e6c9f1e7342e3dbfb57b35317c0cc009
* added generic freamework for testing filters.
This is a fuzzer for testing network-layer(L3/L4) filters.
Now Envoy has 20 network-layer filters which will deal with raw bytes from untrusted networks and thus they are security-critical to some extent. The idea of this is to write a fuzzer which can be applied to different kinds of network filters(potentially cover all the filters), and when new filters are added to Envoy, we won't need to write dedicated fuzzers one by one to give them fuzz coverage.
Signed-off-by: jianwen <jianwendong@google.com>
Mirrored from https://github.com/envoyproxy/envoy @ ce26fe19e0f8cd033e16aa3a9145281b0d03b748