Commit Message: The documentation in the protobuf comments for stats tag extractors has been stale since 2018. This corrects the documentation to match the current behavior.
Additional Description: This documents a change that was done in Feb 2018: #2515 -- obviously we should've fixed the doc then but it was overlooked.
Risk Level: low
Testing: none
Docs Changes: this is a doc change only, to reflect current reality
Release Notes: n/a
Platform Specific Features: n/a
Signed-off-by: Joshua Marantz <jmarantz@google.com>
Mirrored from https://github.com/envoyproxy/envoy @ 076bc515b3e6fca54592174928fc7ab06763b812
Commit Message: This PR entirely removes the Lightstep tracer. Lightstep is looking forward to the OpenTelemetry tracer integration.
Additional Description: The owner of this code left Lightstep and we have no plans to maintain this code now that OpenTelemetry is ready.
Risk Level: Low
Docs Changes:
Release Notes: Remove Lightstep tracer.
Co-authored-by: alyssawilk <alyssar@google.com>
Co-authored-by: alyssawilk <alyssar@chromium.org>
Mirrored from https://github.com/envoyproxy/envoy @ eb521f42e760b9e5cb6ca544e5c87523f0592fa9
Signed-off-by: Jacek Ewertowski <jacek.ewertowski1@gmail.com>
Mirrored from https://github.com/envoyproxy/envoy @ c2dab844230197a1109e62f1d735384b67d74c9c
Next generation Intel® QAT support with Intel® Xeon® Scalable processors
will feature an Intel® QAT cryptography and compression acceleration
engine.
QAT private key provider extension will use qatlib library
(https://github.com/intel/qatlib) to accelerate RSA operations in
handshakes. The extension will look a bit like the existing cryptomb
private key provider. The use case is to move the expensive
cryptographic operations away from the CPU to the accelerator device,
leaving CPU cycles for other use.
Support for Intel® QAT is already present in the mainline Linux kernel
and in Kubernetes device plugins (to expose the device files to
containers). There are previous generations of Intel QAT® hardware
devices, but they are not supported by this extension.
Signed-off-by: Ismo Puustinen <ismo.puustinen@intel.com>
Mirrored from https://github.com/envoyproxy/envoy @ 9447ff5bfa8081fc2ddd5918b8ee9c1fd6720c7a
Adding an API field treat_missing_header_as_empty for better compatibility (both backward and to other xDS clients like gRPC) and potential to expand (not restricted to invert_match)
Risk Level: Low
Testing: Unit test
Docs Changes: inline
Release Notes: inline
Fixes #21828
Signed-off-by: Yuhao Liu <yuhaoliu@google.com>
Mirrored from https://github.com/envoyproxy/envoy @ 3e4b31b513765bcff4dba7e2e5b723cb8bd6ffca
This can be used when using the system resolver is desired. For
example, on Android.
Signed-off-by: Matt Klein <mklein@lyft.com>
Mirrored from https://github.com/envoyproxy/envoy @ 516b3f304bccf451691224c71a357f9c62840b2b
This PR contains the following changes:
* SIP Proxy extension TRA API updated to send additional SIP context (method type and from header), so TRA service can use this information for customized affinity management.
* Fix an error with decoding of SIP headers with a valid format causing Envoy proxy to crash in case of empty header fields.
Risk Level: Low
Testing: Unit tests
Docs Changes: None
Release Notes: None
Platform Specific Features: None
Signed-off-by: Jonah Murphy <jonamurp@cisco.com>
Signed-off-by: Adrian Rejas Conde <arejasco@cisco.com>
Mirrored from https://github.com/envoyproxy/envoy @ 09549da9045d9c85ffaf851b6d740de0b507708f
When rotating passwords, we need to support multiple passwords for graceful
deployment/rollout. This change adds support for multiple passwords in AUTH,
for both old auth and new ACL based one.
Signed-off-by: Suresh Kumar <sureshkumar.pp@gmail.com>
Signed-off-by: Suresh Kumar <suresh.ponnusamy@freshworks.com>
Mirrored from https://github.com/envoyproxy/envoy @ 8ef5da2cee7328d24f80aa816aad0f4f22d6f1e0
Creates a transport socket for HTTP/1.1 proxy support.
With the combination of the transport socket, and a filter putting the proxy stream info in place this will
* redirect TCP connections to the proxy IP address
* prefix TLS connections with cleartext CONNECT headers to the destination host, and strip CONNECT response
* change cleartext HTTP/1.1 to send fully qualified URLs
Risk Level: medium (intended as a no op but it does have data plane refactoring)
Testing: new unit, integration tests
Docs Changes: n/a
Part of envoyproxy/envoy-mobile#1622
Signed-off-by: Alyssa Wilk <alyssar@chromium.org>
Mirrored from https://github.com/envoyproxy/envoy @ 095f4ca336d3d705e629b207fb2cbbc22d29db8f
This cycles proto deps and creates a descriptor file from them.
This will allow other proto plugins to call protoc with the descriptor
file and just their `direct_sources` and not all of the `transitive_sources`
Signed-off-by: Ryan Northey <ryan@synca.io>
Mirrored from https://github.com/envoyproxy/envoy @ 00aab5c9c89b16435633613e5e57374f28cd7e26
Signed-off-by: Jacek Ewertowski <jacek.ewertowski1@gmail.com>
Commit Message: tcp_proxy: support command operators in tunneling_config.hostname
Additional Description: This change enables dynamically setting tunneling_config.hostname with command operators.
This pull request is an alternative for auto_sni.
This change allows configuring TCP proxy as follows:
```
tunneling_config:
  hostname: "%REQUESTED_SERVER_NAME%:443"
```
Risk Level: Low
Testing: added unit tests
Docs Changes: done
Release Notes: done
Platform Specific Features: none
Fixes #19612
Fixes #21804
Mirrored from https://github.com/envoyproxy/envoy @ 764a2e9fbb06e2f27fd6775fdc0ed78313b94157
Commit Message: Adds a new flag for filter state objects that indicates the intent to share with the upstream.
Additional Description: Follow-up to #19809. There have been multiple reports of unexpected lifecycle changes for the filter state objects because they are stored in the transport socket options. This PR addresses this issue by introducing a new mark for filter state that explicitly changes the usage of filter state objects:
* marked objects always participate in the connection pool hashing (generalizing and simplifying transport sockets: support passthrough state for internal connections #19435);
* marked objects are copied by reference to the upstream info - this allows sharing state between downstream and upstream (and further down the chain, the internal listeners).
Risk Level: medium, revert to the original behavior prior to #19809
Testing: yes
Docs Changes: yes
Release Notes: yes
Mirrored from https://github.com/envoyproxy/envoy @ 18212bb6395af308d895f75352f82df522b038b4
Signed-off-by: Sergii Tkachenko <sergiitk@google.com>
Co-authored-by: Yan Avlasov <yavlasov@google.com>
Co-authored-by: Matt Klein <mattklein123@gmail.com>
Mirrored from https://github.com/envoyproxy/envoy @ 259d76ef89bc008db6620497c424a3ca3fe97d88
Follow-up to #21707 with a focus on back-filling more extension type URLs. Renames extensions_build_config and extensions_metadata to the names in the internal extension registry. For preserve_case, we deprecate the short name with the fully qualified name (both names are valid in the interim).
Risk Level: medium, only preserve_case name changes
Testing: regression
Docs Changes: yes
Release Notes: yes
Signed-off-by: Kuat Yessenov <kuat@google.com>
Mirrored from https://github.com/envoyproxy/envoy @ 7c04dda02a61c4866b6cc7273c776d62dd3fb127
The patch does the following follow-up jobs for #21633:
1. removes deprecated fields of regex matching in docs and examples,
2. adds the missing deprecation changelog,
3. adds the missing extension category and extensions.
Risk Level: Low
Testing: N/A
Docs Changes: Yes (examples)
Release Notes: Added
Platform Specific Features: N/A
Signed-off-by: Xie Zhihao <zhihao.xie@intel.com>
Mirrored from https://github.com/envoyproxy/envoy @ aa8da5554ae8bdf8c85229cc2594ec7d8dee6edb
Updated `grpc-httpjson-transcoding` repo to have this [change](grpc-ecosystem/grpc-httpjson-transcoding#70).
Additional Description:
grpc_json_transcoder: support rejecting requests if binding and body values conflict
Risk Level: Low
Testing: unit test
Docs Changes: N/A
Release Notes: Add an option in grpc_json_transcoder to support rejecting requests if binding and body values conflict.
Platform Specific Features: N/A
Signed-off-by: yangshuo <yangshuo@google.com>
Mirrored from https://github.com/envoyproxy/envoy @ f40d62f6a2e11486f397c688ffc6c01a85738582
Part of #20389. Most of the formatters used in header manipulation are also present in substitution access log formatters. However, UPSTREAM_METADATA was not present in access log formatters.
Also, as noted in #17457, all xxxx_METADATA will eventually be replaced by METADATA(xxxx,...), so this PR also extends the METADATA formatter.
API changes are trivial and limited to comments.
Risk Level: Low
Testing: Added unit tests.
Docs Changes: Yes.
Release Notes: Yes
Signed-off-by: Christoph Pakulski <christoph@tetrate.io>
Mirrored from https://github.com/envoyproxy/envoy @ 380a328f7e32e4d18d31cba82bac7143904e0536
Initially this will only check for "unused imports" but we can expand
as other linting rules are met.
Signed-off-by: Ryan Northey <ryan@synca.io>
Mirrored from https://github.com/envoyproxy/envoy @ e9f492281f9f905b6bedcbbb334c370b36c56fb2
Implements a special transport socket for transferring state (metadata and filter state) over the internal connection.
This transport socket captures a subset of endpoint metadata, cluster metadata, and stream filter state in the user space socket. When an internal listener accepts a user space socket connection, it immediately merges this passthrough state into the connection stream info. Because the state can be transferred from HTTP stream to TCP stream, this transport socket also participates in the hashing decisions in the HTTP connection pools.
Commit Message: Add passthrough state over internal connection.
Risk Level: low, new extension
Testing: WIP
Docs Changes: yes
Release Notes: yes
Platform Specific Features:
Fixes: #19274
Signed-off-by: Kuat Yessenov <kuat@google.com>
Mirrored from https://github.com/envoyproxy/envoy @ 637a92a56e2739b5f78441c337171968f18b46ee
Add support for injecting regex engine with its options on startup in a bootstrap option. These are some API, runtime and implementation changes.
* google_re2 in safe_regex will be deprecated and no longer be required. Regex::parseRegex will choose the registered regex engine to parse expressions into matchers.
* A new bootstrap option default_regex_engine will be introduced for regex engine selection.
* For compatibility, GoogleRE2 will be chosen as default regex engine if no regex engine is designated.
Signed-off-by: Xie Zhihao <zhihao.xie@intel.com>
Mirrored from https://github.com/envoyproxy/envoy @ 0a92cc86e7f8b88d5af0eb2e27b5c7ef64719e56
Signed-off-by: Xie Zhihao <zhihao.xie@intel.com>
Commit Message: rbac: add unified matcher for RBAC filters
Additional Description:
The patch adds the matching API support for both RBAC network filter and HTTP filter. Users can configure rules and shadow rules in either policies or the matching API manner. There are some incompatibilities, TODOs and behavior changes compared to the policies way.
* RBAC matchers are not compatible with the matching API.
* URL path and CEL are not supported in the matching API. These matchers may come as custom matchers.
* Metadata is not supported in the matching API. These matchers may come as inputs.
* Connections and requests with no matcher matched will always be denied.
Risk Level: Medium
Testing: Unit and integration
Docs Changes: API and configuration
Release Notes: WIP
Platform Specific Features: N/A
Fixes #20623
Mirrored from https://github.com/envoyproxy/envoy @ 42cb84456d53d053eb1ae94680d07a74f4545a48