Adding runtime key to protect drop overload feature.
The runtime key "load_balancing_policy.drop_overload_limit" can be configured with an integer 0 to 100. 0 means 0%. 100 means 100%. So, when there is an EDS update with drop_overloads configuration, if this runtime key is enabled, Envoy will pick up the smaller one between these two to perform the drops.
---------
Signed-off-by: Yanjun Xiang <yanjunxiang@google.com>
Mirrored from https://github.com/envoyproxy/envoy @ ef8a34d89f85f434e6df562c742b63a359d0ceb4
* inplace change the ImmediateResponse::body type from string to bytes
per discussion this should be a safe swap for c++ Envoy
Signed-off-by: Xin Zhuang <stevenzzz@google.com>
* add a unit test for non-utf8 body in external immediate response
Signed-off-by: Xin Zhuang <stevenzzz@google.com>
---------
Signed-off-by: Xin Zhuang <stevenzzz@google.com>
Mirrored from https://github.com/envoyproxy/envoy @ ab4b6f70b283905d5fcb5ddb0b0be34562873b51
This adds additional stats for `rules` and `shadow_rules` in the HTTP-based RBAC filter.
Fixes #32129
---------
Signed-off-by: Henry Wang <henry.wang@datadoghq.com>
Mirrored from https://github.com/envoyproxy/envoy @ 5eccc35176a77633c98bd96baa64d15bd3c5fe2f
---------
Signed-off-by: Raven Black <ravenblack@dropbox.com>
Mirrored from https://github.com/envoyproxy/envoy @ f5bca686eb043e099bd96a8049a38048c402cd36
* mismatch content type should set on_error metadata in json_to_metadata filter
Signed-off-by: kuochunghsu <kuochunghsu@pinterest.com>
Mirrored from https://github.com/envoyproxy/envoy @ 6aea06a3e9ba5ee7f5537cf0f70a72bdbb35ab72
Signed-off-by: Adam Anderson <6754028+AdamEAnderson@users.noreply.github.com>
Mirrored from https://github.com/envoyproxy/envoy @ 9a575d82a4186c8cf37ff3d7f0a7002dce412d7d
CORS: Generate local response for preflights with not matching origin.
Signed-off-by: Christoph Pakulski <christoph@tetrate.io>
Mirrored from https://github.com/envoyproxy/envoy @ 5f58f9ac917e82fdfadb771b8de3bb466d9e53ee
There is a case when somebody is uploading a file with "content type: multipart/form-data; boundary=------------------------75b5d728d1539bb5"; since the header value will change every time, we cannot write a config to allow it in the previous proto. Then we need a regex match to allow it.
Risk Level: low
Testing: unit test
Signed-off-by: Cai Qi <cqi@pinterest.com>
Mirrored from https://github.com/envoyproxy/envoy @ 667e96312130ac2bcbb7c1c598f4d63746d6f0c4
This is akin to shadow_rules_stat_prefix but for non-shadowing rules.
Since only shadow rules emit dynamic metadata, this prefix only applies
to metrics.
---------
Signed-off-by: Thomas van Noort <thomas.vannoort@datadoghq.com>
Mirrored from https://github.com/envoyproxy/envoy @ 7fec609a507371d7176c61aa4623f445543f294f
Resolves #32119. This allows the option to always log successful health checks. On the first successful health check, only ``logAddHealthy`` is called. On consecutive successful health checks, ``logSuccessfulHealthCheck`` is called.
Risk Level: low (config guarded)
Testing: unit tests
Docs Changes: API docs
Release Notes: added
Platform Specific Features: none
Signed-off-by: ohadvano <ohadvano@gmail.com>
Mirrored from https://github.com/envoyproxy/envoy @ 975d4107061ea92a62e99490c9474ace17d9609a
Adds new max_lifetime config field to restrict token lifetime accepted from a JwtProvider.
Risk Level: Low
Testing: Unit testing
Docs Changes: Added subjects description inline in proto.
Release Notes: Attached
Optional [API Considerations](https://github.com/envoyproxy/envoy/blob/main/api/review_checklist.md): Feature is opt in, without specifying the config, there's no behavior change.
Fixes #31455
Signed-off-by: Matthew Jones <mattjo@squareup.com>
Mirrored from https://github.com/envoyproxy/envoy @ 63cf70129f06e53f0915e7cefc4ead637784a183
http3: Add support for HTTP/3 METADATA
Adds a new allow_metadata option to Http3ProtocolOptions.
Risk Level: Low, protected by new config option
Testing: New integration tests
Docs Changes: N/A
Release Notes: Updated
Signed-off-by: Ryan Hamilton <rch@google.com>
Mirrored from https://github.com/envoyproxy/envoy @ 640f016a2e99ab44e97dec71b60afec91404dadd
Adds new `subjects` config field to restrict subjects accepted from a `JwtProvider` partially implementing #31455
Risk Level: Low
Testing: Unit testing
Docs Changes: Added `subjects` description inline in proto.
Release Notes: Attached
Optional [API Considerations](https://github.com/envoyproxy/envoy/blob/main/api/review_checklist.md): Feature is opt in, without specifying the config, there's no behavior change.
Signed-off-by: Matthew Jones <mattjo@squareup.com>
Mirrored from https://github.com/envoyproxy/envoy @ 08231e383fc3fb1c3bb207774d8295995759552a
* add dr response flag
Signed-off-by: Boteng Yao <boteng@google.com>
* add tests
Signed-off-by: Boteng Yao <boteng@google.com>
* fix assertion
Signed-off-by: Boteng Yao <boteng@google.com>
* fix format
Signed-off-by: Boteng Yao <boteng@google.com>
* fix proto
Signed-off-by: Boteng Yao <boteng@google.com>
* fix test
Signed-off-by: Boteng Yao <boteng@google.com>
* fix test
Signed-off-by: Boteng Yao <boteng@google.com>
* add change logs
Signed-off-by: Boteng Yao <boteng@google.com>
---------
Signed-off-by: Boteng Yao <boteng@google.com>
Mirrored from https://github.com/envoyproxy/envoy @ 0cb0b01b7f44399085e511085e51e8222132982e
Added new parameter `ajax_request_matcher` to optionally not allow OAuth2 authorization redirect when all tokens are expired. Such redirect usually redirects the user to a login page (in authorization code flow) and this behavior is not desired in Ajax requests.
Signed-off-by: Samuel Valis <samuel.valis@innovatrics.com>
Mirrored from https://github.com/envoyproxy/envoy @ 8318716d9aedfc6277cd605a41b606a86f3feb52