This change introduces a MetaProtocol proxy that provides a framework for layer-7 protocols. The common capabilities, including routing, tracing, metrics, logging, etc., will be built into the MetaProtocol proxy.
Signed-off-by: zhaohuabing <zhaohuabing@gmail.com>
Mirrored from https://github.com/envoyproxy/envoy @ de51441bfe1b6b5eeab8981037d66cde9ac5b0d7
This PR establishes the ability to filter access log production via CEL expressions over the set of Envoy attributes. This can simply the creation of Envoy access log filters, allowing complex tailoring.
Risk Level: low
Testing: unit
Docs Changes: included
Release Notes: updated
Signed-off-by: Douglas Reid <douglas-reid@users.noreply.github.com>
Mirrored from https://github.com/envoyproxy/envoy @ 77ca6cc0d9aaf0892aec3e2025fe2ad7cf0c39ff
Signed-off-by: Max Kuznetsov <mkuznetsov@digitalocean.com>
Mirrored from https://github.com/envoyproxy/envoy @ 76a70b40f57bd9a75b50d4783d28dec0e0aa29ae
Risk Level: Low
Testing: new integration test
Docs Changes: made API more clear when requests count as connections :-/
Release Notes: inline
Fixes#19033
Signed-off-by: Alyssa Wilk <alyssar@chromium.org>
Mirrored from https://github.com/envoyproxy/envoy @ 2bf847854610db8bc5a44ef3046fcc8f3a23518e
If, for a request, the host/authority header is changed when the
request is proxied, set the x-forwarded-host header as:
x-forwarded-host = append(x-forwarded-host, host)
Risk Level: Low
Testing: unit test and manual testing
Docs Changes:
Added x-forwarded-host header in HTTP header manipulation
(configuration/http/http_conn_man/headers).
Under the host_rewrite options in route_components.proto
(in v3), added that when host is rewritten, the XFH header is
appended with the original value of host header if append_x_forwarded_host
option is set.
Release Notes: router: added support for x-forwarded-host header.
Platform Specific Features: N/A
Fixes#5940
Signed-off-by: Arun Olappamanna Vasudevan <arun.vasudev@nutanix.com>
Mirrored from https://github.com/envoyproxy/envoy @ 91c2e6ba81f6892e4ab132f934d9f6179a50bbc2
Remove the unnecessary file level 'not-implemented-hide' annotation. I found these annotations during the development of PR #18923 . But it seems that they should not have this annotation.
If this is a misunderstanding on my part, please close this PR.
Risk Level: Doc Only.
Testing: N/A.
Docs Changes: N/A.
Release Notes: N/A.
Signed-off-by: wbpcode <comems@msn.com>
Mirrored from https://github.com/envoyproxy/envoy @ e9203e9845611bedfabbce26ed7d72cd8a6c8c32
Add a retry mechanism to the grpc access logger. This retry mechanism currently only supports a simple retry count.
Also, at the moment, retries are only fired when the gRPC stream fails to be established, and nothing happens if the stream is successfully established once and a reset is issued.
Risk Level: Low
Testing: Unit
Signed-off-by: Shikugawa <rei@tetrate.io>
Mirrored from https://github.com/envoyproxy/envoy @ 3a5f7958afb161efd62dada8e6bbb77f96c4dd04
Fixes#1975
Adds a CLI parameter that can be repeated that acts as universal tags for all stats
Additional Description:
Risk Level: Low, additional parameter
Testing: Unit + integration + manual
Docs Changes: Provided
Release Notes: Pending
Platform Specific Features: N/A
Signed-off-by: Sotiris Nanopoulos <sonanopo@microsoft.com>
Mirrored from https://github.com/envoyproxy/envoy @ c75c1410c8682cb44c9136ce4ad01e6a58e16e8e
Commit Message: Allow cert validation by only leaf trusted CAs CRL
Additional Description: Close#18268. In the previous implementation, we don't have availability to validate certs when all trusted CAs don't have their own CRLs if any trusted CAs have that. This feature allows validating even if all trusted CAs don't have CRLs.
Risk Level: Low
Testing: Unit
Docs Changes: Required
Release Notes: Required
Signed-off-by: Shikugawa <rei@tetrate.io>
Mirrored from https://github.com/envoyproxy/envoy @ 56e8c45b1b340c4a4f8f02ec2488354c31806d59
- Add response trailers for the bandwidth limit filter delays.
- Add new metric request_enforced and response_enforced.
- Change the following metrics type from Gauge to Counter (request_incoming_size, response_incoming_size, request_allowed_size, response_allowed_size) to better calculate the network bytes per second.
This is useful when downstream want to understand how much delays that is caused by bandwidth limit filter.
Risk Level: Low
Testing: UT added.
Docs Changes: Updated.
Release Notes: Added.
Signed-off-by: gayang <gayang@microsoft.com>
Mirrored from https://github.com/envoyproxy/envoy @ 8b8ece8adb8c9282cbd9405151993fa1bc5cebee
Docs Changes: Removes an extra word
Signed-off-by: Peter Jausovec <peter.jausovec@gmail.com>
Mirrored from https://github.com/envoyproxy/envoy @ dbb1f50ef340e565c5a495a17aac0afff5d9a4f9
This should reduce the binary size, which is particularly important for Envoy Mobile. Looking at a
local opt build with debug symbols, I'm seeing a drop from ~400MB to ~380MB, so maybe 5% saving. @Reflejo indicates that optimized Envoy Mobile without symbols is observing ~20% improvement.
Related to #10943
Risk level: Low
Testing: bazel query deps to confirm no more v2 API deps.
Signed-off-by: Harvey Tuch <htuch@google.com>
Mirrored from https://github.com/envoyproxy/envoy @ 53fca618e47702f6c8dbc323db9bd39d15725457
Adds a new variant to type.v3.HashPolicy to generate a hash from an object in FilterState. This implementation mirrors what already exists for HTTP filters (see RouteAction.HashPolicy.FilterState), and is usable by network filters such as TcpProxy.
Risk Level: low
Testing: updated tests in tcp_proxy:config_test
Docs Changes: N/A
Release Notes: added an entry under tcp
Platform Specific Features: N/A
Signed-off-by: Dan Rosen <mergeconflict@google.com>
Mirrored from https://github.com/envoyproxy/envoy @ 38739c32b39da483782fa18dc5a5aa77cee677ab
- Fix the session_timeout formatting so that it links to the RFC
reference correctly.
- Make some minor grammar improvements.
- Quote the session_timeout field name
Signed-off-by: James Peach <jpeach@apache.org>
Mirrored from https://github.com/envoyproxy/envoy @ bd1ac13275246c2a9a865912682ed9904ed7a78a
This change updates Envoy to consider the load balancing configuration
set in load_balancing_policy, regardless of what is set in lb_policy.
Previously the load_balancing_policy field was only considered if lb_policy
was set to LOAD_BALANCING_POLICY_CONFIG.
Going forward the approach is to only use the load_balancing_policy field
and the extensible configuration mechanism it provides to configure
all load balancing policies, which makes lb_policy deprecated.
This change still preserves backward compatibility, allowing old clients
to continue using the lb_policy field and new ones to switch to just
considering load_balancing_policy.
Commit Message: Prefer the load_balancing_policy cluster field over lb_policy
Additional Description: This change updates Envoy to consider the load
balancing configuration set in load_balancing_policy, regardless of what
is set in lb_policy.
Risk Level: Low
Testing: New unit tests for upstream_impl.cc
Docs Changes: Documentation to follow once consensus on this
change is reached.
Release Notes: Not currently user impacting as backward compatibility
is maintained.
Platform Specific Features: None.
Signed-off-by: Terry Wilson <tmwilson@google.com>
Mirrored from https://github.com/envoyproxy/envoy @ bc641dbb9157460b346fa0d3ef387f05e5ce9881
This adds a new transport socket wrapper for collecting OS-level TCP stats and publishing them as envoy metrics, in either the cluster or listener stats namespace (depending on upstream or downstream use). This allows attributing the TCP stats to specific listeners and clusters.
Signed-off-by: Greg Greenway <ggreenway@apple.com>
Mirrored from https://github.com/envoyproxy/envoy @ b959a46661ec87bba8268a1750506695125f2b06
keepalive probing can be configured in envoy.config.core.v3.QuicProtocolOptions for upstream and downstream. If absent, use the QUICHE default behavior which sends PING frame every 15s on client side and no-op on server side.
Fixes#16751
Signed-off-by: Dan Zhang <danzh@google.com>
Mirrored from https://github.com/envoyproxy/envoy @ 30e0c701b7d285ae50e9b52f9e75195f18ea30b2
Widen the Upstream::LoadBalancer interface to add methods which allow
a load balancer to optionally observe connection lifetime events and to
select a specific connection based on those events.
Implement this behavior in the DFP LoadBalancer to reuse HTTP/2 and HTTP/3
connections when the hash key, IP address, and certificate all match, conditional
on a new allow_coalesced_connections field in the DFP config.
Risk Level: Low
Testing: Unit
Signed-off-by: Ryan Hamilton <rch@google.com>
Mirrored from https://github.com/envoyproxy/envoy @ b4047464f7e1c75d578f7b98db4d3d669dce9bd0
Add support to DataSource to read data from environment variables.
Risk Level: Low
Testing: Unit test for well-known environment variable, no environment variable, and empty environment variable.
Docs Changes: N/A
Release Notes: config: added environment_variable to the DataSource.
Platform Specific Features: N/A
Fixes#18277
Signed-off-by: Anthony Rossi <anrossi@microsoft.com>
Mirrored from https://github.com/envoyproxy/envoy @ 5d4a457615cf19294dc077b1f7123c480ffdaa94
This patch adds cookie_names to credentials config to allow overriding
the default cookie names: `BearerToken`, `OauthHMAC`, and
`OauthExpires`.
Signed-off-by: Dhi Aurrahman <dio@rockybars.com>
Mirrored from https://github.com/envoyproxy/envoy @ 7323ddeb5011df73f5f42115cb644769d9dcab96
Changes the DNS cache to respect the advertised TTL, modulo a floor of 5s.
That part of the change is runtime guard. The part which is not, is that the backoff is done on a per-host basis not a global basis, so if one endpoint fails to resolve, it won't result in others backing off, and if one succeeds it won't result in changing backoff for failed hosts.
Risk Level: Medium
Testing: new unit tests
Docs Changes: inline
Release Notes: inline
Optional Runtime guard: envoy.reloadable_features.use_dns_ttl
Signed-off-by: Alyssa Wilk <alyssar@chromium.org>
Mirrored from https://github.com/envoyproxy/envoy @ bebd3e2c4700fb13132a34fcfa8b82b439249f3b
Support an inline RouteConfiguration in ScopedRouteConfiguration.
This change enables fully inlined scoped route configuration by
allowing users to specify an inline `RouteConfiguration` in the scope's
config, as opposed to requiring a `route_configuration_name` to use for
an RDS subscription.
Signed-off-by: Andres Guedez <aguedez@google.com>
Mirrored from https://github.com/envoyproxy/envoy @ cbc05d480cc24fc96bbbbd476cc31b25402d6777
Commit Message: upstream: support max connection duration for upstream connections
Risk Level: low, isolated opt-in feature
Testing: new unit tests
Docs Changes: updated protobuf definition to no longer mention that max lifetime is not implemented for upstream connections
Release Notes: upstream: support max connection duration for upstream connections
Platform Specific Features:
Fixes#15107
Signed-off-by: John Esmet <john.esmet@gmail.com>
Mirrored from https://github.com/envoyproxy/envoy @ 9a4a861a6b22959205fb70454bcdf238e3ebd4f9
Adds support for using the matching API in the route table. This wires up using the generic match as part of a virtual host, making it possible to define a match tree that results in Route actions that reuses the same routing actions currently in use by the router.
Signed-off-by: Snow Pettersen <snowp@lyft.com>
Mirrored from https://github.com/envoyproxy/envoy @ 94d00135bd9f0f7701c89c7a9220691e51068aec
This PR currently only implements query string modifications when using a gRPC authorization server.
Signed-off-by: John Esmet <john.esmet@gmail.com>
Mirrored from https://github.com/envoyproxy/envoy @ c42a018d332920f3e523f1a0409b6056bd805853
Adds a new API field for http health checks that allows specifying ranges of status codes that are considered retriable. If these status codes are received, those failures will contribute towards the configured unhealthy threshold rather that immediately considering the cluster member unhealthy as is the case today.
Signed-off-by: Weston Carlson <wez470@gmail.com>
Mirrored from https://github.com/envoyproxy/envoy @ 42f9fc3b000fbc01fa5d500cc071f477bebaa638
Framed was the only transport that supported payload passthrough. However the payload
of Header transport is the same as Framed. Therefore its possible to also use payload
passthrough with Header to Header, Framed to Header and Header to Framed. Therefore
allow those extra three combinations and add integration tests. Note that in future if Header
transforms become supported then passthroughData will need to undo any transforms.
New metrics request_passthrough and response_passthrough are added to show when payload
passthrough occurs. Note that previously response_success was always incremented when
performing payload passthrough, and that is corrected to only occur when parsing the
payload.
This will enable payload passthrough for combinations of downstream/upstream transports that did not
previously perform passthrough. If a private filter does not implement passthroughEnabled or passthroughData
correctly, has enabled payload passthrough and is using Header to Header, Framed to Header or Header to Framed
then the filter may have issues.
Risk Level: Medium
Testing: Extended existing integration tests and verified on local deployment.
Docs Changes: Updated ThriftProxy proto docs.
Release Notes: Minor behavior change.
Platform Specific Features: N/A
Signed-off-by: James Fish <jfish@pinterest.com>
Mirrored from https://github.com/envoyproxy/envoy @ 0f31648808783b1057c78ff0c90721b81d32e19c
To fix: #13965
grpc_json envoy filter adds a new field 'query_param_unescape_plus` to enable the support of converting "+" to space in query parameters.
The actual unescape code is implemented in grpc-httpjson-transcoding.
Risk Level: None
Testing: integration tests
Docs Changes: None
Release Notes: Yes
Signed-off-by: Wayne Zhang <qiwzhang@google.com>
Mirrored from https://github.com/envoyproxy/envoy @ 1ba355b5e9f00cda595d5b52e3390d473fa5ecce
data-plane-api(Azure Pipelines)