While trying to send a pull request for an extension I was baffled multiple times by poor error messages and surprising behaviors. The alterations here each derive from a confusing thing that mostly also didn't get any clear "someone understood it better" signs from the dev slack channel.
First surprise, if you use option (udpa.annotations.file_status).work_in_progress = true; like the doc suggested, proto_format.sh would remove it. Suggestion from the slack channel was to use xds.annotations.v3.file_status instead, which this updates STYLE.md to reflect. (related slack thread)
Added a link to security posture and status documentation, which was otherwise hard to make sense of without foreknowledge.
Adjusted the section that suggests using work_in_progress=true or package_version_status=ACTIVE - any combination of these (with either xds or udpa version of work_in_progress) that doesn't involve package_version_status=ACTIVE causes proto_format.sh to delete the file entirely. So the only viable options appear to be just package_version_status=ACTIVE, or that and xds work_in_progress=true which is already covered in an earlier bullet point.
Clarified that without ACTIVE, proto_format.sh will delete the file (which hopefully will make it more discoverable for developers experiencing that symptom).
Added a mention of api/BUILD's v3_protos section, without which proto_format.sh will automatically remove any imports of your new proto from other protos.
Added mention of [#extension:] tag, which is also necessary, and extra detail about where [#extension-category:] has to go (it doesn't appear to work if present at the top-level). (related slack thread)
Risk Level: None, documentation only.
Testing: Verified that the old documentation doesn't work for at least one developer, and the new documentation is better. :)
Docs Changes: That's all this is.
Release Notes: n/a
Platform Specific Features: n/a
Signed-off-by: Raven Black <ravenblack@dropbox.com>
Mirrored from https://github.com/envoyproxy/envoy @ 2014cbea0f67e9513137eb6b4be3cb92ba437244
Allow configs with both typed and non typed san matchers specified to allow config servers to use the same config for Envoys across multiple versions. The match_subject_alt_names field is ignored if match_typed_subject_alt_names is set.
Signed-off-by: Pradeep Rao <pcrao@google.com>
Mirrored from https://github.com/envoyproxy/envoy @ ef08b1c3d0cf9c2af84d32529a11b3e2056e9dcb
If set, the resolver will avoid the system's heuristics to only return
IPv4 or IPv6 addresses that it considers to be "routable", instead
returning all possible IPv4 or IPv6 addresses. This setting is
ignored if the DNS lookup family is set to v4-only or v6-only.
This may be a useful setting to specify if the addresses considered
unroutable by the system's heuristics may in practice be routable.
Signed-off-by: JP Simard <jp@jpsim.com>
Mirrored from https://github.com/envoyproxy/envoy @ 60a13f30a4e425c907607fab96efee0ed2afcf22
ComparisonFilter's value now marked as required in validate to ensure valid
input to fuzz tests.
Signed-off-by: Andre Vehreschild <vehre@x41-dsec.de>
Mirrored from https://github.com/envoyproxy/envoy @ 8df3136bcc00c701bf5c30d090937e5f37585652
This adds the ability to change the GrpcService used by the ext_proc filter on a per-route basis.
Risk Level: Low. Not triggered unless configured.
Testing: New unit and integration tests added.
Docs Changes: Addition of new config field.
Signed-off-by: Michael Warres <mpw@google.com>
Mirrored from https://github.com/envoyproxy/envoy @ 0e8899c90213b39d8f4a1a083d4fd31e9c2fe8c1
Add unified matcher for network streams, as a replacement for filter chain match.
See previous discussion in #18871
Signed-off-by: Kuat Yessenov <kuat@google.com>
Mirrored from https://github.com/envoyproxy/envoy @ 7eb3a87b8757e030aedfdc4959adc509e89ac788
This change introduces a new output sink type for admin /tap requests which buffers traces internally before responding to the client.
This sink is best used to collect traces for requests that are frequently matched, or to work around system limitations such as improper support for streaming HTTP responses.
Signed-off-by: David Peet <davidpeet@tutanota.com>
Mirrored from https://github.com/envoyproxy/envoy @ 0fd80eef63bc9770186c4f4aa345ee63e464cab3
Use type_url to look up extensions. This prevents the undesirable practice of putting invalid protobufs to avoid a type lookup or duplicating the type URL.
Risk Level: medium, affects extensions with duplicated type URLs or no configuration
Testing: yes
Docs Changes: yes, this has been the recommendation for a while.
Release Notes: yes
Runtime Guard: envoy.reloadable_features.no_extension_lookup_by_name
Signed-off-by: Kuat Yessenov <kuat@google.com>
Mirrored from https://github.com/envoyproxy/envoy @ 8cb6862fe6099cd8583a64ff037ecdeaf0e939fa
Add an extra async cluster look up. The continuation of the cluster look up is establishUpstreamConnection().
To establishConnection() is also the callback of upstream connection failure.
Additional Description:
Risk Level: LOW if odcds is disabled, the code path remains the same.
Testing: Added integration tests and existing unit test is untouched.
Docs Changes: n/a
Release Notes: inline
Signed-off-by: Yuchen Dai <silentdai@gmail.com>
Mirrored from https://github.com/envoyproxy/envoy @ 0a587f23b21ab34b28d9c53428af259b3f7b0970
Added option to limit the number of certificates parsed during verification.
Signed-off-by: Deepti Gupta <deepti_gupta2@apple.com>
Mirrored from https://github.com/envoyproxy/envoy @ b130ee612018cf099a91b3f2bc1225f70f49e48c
The new field would allow more efficient generation of routes, replacing pairs of path+prefix routes with one path_separated_prefix route
Risk Level: Low
Testing: Unit test
Docs Changes: inline
Release Notes: Added
Fixes #18148
Signed-off-by: Toma Petkov <tpetkov@vmware.com>
Mirrored from https://github.com/envoyproxy/envoy @ 8f9e11247a07cc6df0ecd62689fe290f12a9013d
This begins the deprecation process for TTwitter.
Fixes #20466.
Signed-off-by: Raul Gutierrez Segales <rgs@pinterest.com>
Mirrored from https://github.com/envoyproxy/envoy @ 9e67f1e2461e965c0269c69356d608e39c23902b
filter_metadata is already forwarded to external auth service
but typed_filter_metadata is not, this commit fixes this.
Signed-off-by: Wanli Li <wanlil@netflix.com>
Mirrored from https://github.com/envoyproxy/envoy @ 9cce4a61851069f025493726f0b6cef87489f394
When deploying a new cluster specifier plugin, it is often necessary to add it to the configuration before all clients can be updated to support it, with routing rules configured to prevent clients without support from selecting any routes referencing the plugin. This field will allow those clients to suppress the default behavior of NACKing any resource containing the unknown plugin.
Risk Level: None
Testing: None
Docs Changes: None
Release Notes: None
Platform Specific Features: None
Signed-off-by: Doug Fawley <dfawley@google.com>
Mirrored from https://github.com/envoyproxy/envoy @ 55539d34f6ad5771f17ba04a64e1c7d24aa3c055
add envoy.extensions.transport_sockets.quic.v3.QuicDownstreamTransport.enable_early_data to turn on/off early data support in EnvoyQuicServerSession.
Risk Level: low, behavior change to h3 downstream handshake is behind the new config knob.
Testing: added new integration tests
Docs Changes: N/A
Release Notes: noted about the new config knob transport_sockets.quic.v3.QuicDownstreamTransport.enable_early_data
Fixes #19943
Mirrored from https://github.com/envoyproxy/envoy @ 7be30191816ef3cbdc2ca013560d9de6a3a2d5fb
* connection: add runtime guard to disable looking up local interface name for upstream connections
Signed-off-by: Jose Nino <jnino@lyft.com>
Mirrored from https://github.com/envoyproxy/envoy @ 8cbbf66dd3f46f3525e3950152d0c8bf666cbd57
If "issuer" in the JwtProvider config is specified, it has to match "iss" field in the JWT. But current implementation has a bug where if "iss" is empty, it is not checked.
Risk Level: Low, only impact users with empty "iss" JWT.
Testing: Unit-tested
Docs Changes: None
Release Notes: Yes
Signed-off-by: Wayne Zhang <qiwzhang@google.com>
Mirrored from https://github.com/envoyproxy/envoy @ 336fcf9b1105fcb2581a59811c0029f8899c63c2
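The issuer check described in the commit above, sketched as an added illustration that is not Envoy's code: the "before" form skips the comparison when the token's "iss" is empty, the "after" form compares whenever an issuer is configured. The struct and function names and the sample issuer URLs are hypothetical, and treating an empty configured issuer as "no check" is an assumption.

```cpp
#include <iostream>
#include <string>
#include <vector>

// Hypothetical stand-ins for the provider config and the parsed token.
struct ProviderConfig {
  std::string issuer;  // empty: issuer not configured (assumption)
};
struct JwtClaims {
  std::string iss;  // empty when the claim is absent or ""
};

// "Before": an empty iss bypasses the comparison, so a token that names
// no issuer is accepted by a provider that requires one.
bool issuerAcceptedBefore(const ProviderConfig& cfg, const JwtClaims& jwt) {
  if (cfg.issuer.empty() || jwt.iss.empty()) return true;
  return cfg.issuer == jwt.iss;
}

// "After": a configured issuer must always match, empty iss included.
bool issuerAcceptedAfter(const ProviderConfig& cfg, const JwtClaims& jwt) {
  if (cfg.issuer.empty()) return true;
  return cfg.issuer == jwt.iss;
}

struct Case {
  const char* name;
  ProviderConfig cfg;
  JwtClaims jwt;
};

// Runs constructed cases through both checks and returns the names of
// those whose outcome differs, i.e. the tokens affected by the fix.
std::vector<std::string> casesChangedByFix() {
  const std::vector<Case> cases = {
      {"matching iss", {"https://idp.example"}, {"https://idp.example"}},
      {"different iss", {"https://idp.example"}, {"https://other.example"}},
      {"empty iss, issuer configured", {"https://idp.example"}, {""}},
      {"empty iss, issuer not configured", {""}, {""}},
  };
  std::vector<std::string> changed;
  for (const Case& c : cases) {
    if (issuerAcceptedBefore(c.cfg, c.jwt) != issuerAcceptedAfter(c.cfg, c.jwt)) {
      changed.push_back(c.name);
    }
  }
  return changed;
}

int main() {
  for (const std::string& name : casesChangedByFix()) {
    std::cout << "outcome changed: " << name << "\n";
  }
  return 0;
}
```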
Commit Message:
Additional Description:
Risk Level: low (off by default)
Testing: unit, integration
Docs Changes: in API
Release Notes: yes
Part of #20207
Signed-off-by: Alyssa Wilk <alyssar@chromium.org>
Mirrored from https://github.com/envoyproxy/envoy @ fc96a7683601321d3655b99d900cc8b9fd406992