This patch adds the claim_to_headers field to the JwtProvider config to copy JWT claims to HTTP headers.
Risk Level: Low, a new feature
Testing: Added
Docs Changes: Added
Release Notes: Added
Fixes #15062
Signed-off-by: Aryan Gupta <garyan@google.com>
Mirrored from https://github.com/envoyproxy/envoy @ 287ccb9daafb3df3f42f6d83bbffd965c49cddb9
This PR is going to add an optional flag in the Endpoint.HealthCheckConfig to disable or enable active health check for it. E.g. Envoy will only use the health status from EDS for a subset of endpoints. This can support mixed/hybrid network groups.
Note, it will impact all types of clusters if a health checker is configured, e.g. EDS, strict_dns.
However, we skip the endpoint with disable flag at message level for HDS.
Risk Level: Medium
Testing: unit and integration tests
Signed-off-by: Boteng Yao <boteng@google.com>
Mirrored from https://github.com/envoyproxy/envoy @ fcfb1cd1d68f47d0fcacea693d76e1866ca2fde0
Signed-off-by: Kuat Yessenov <kuat@google.com>
Commit Message: Add another option to read principal from the filter state instead of metadata. The use case is passing the value from a network filter to an HTTP filter (RBAC), and the dynamic metadata does not support inheritance. For tunneled requests, the principal needs to be set at the tunnel connection, not the internal connection used for HTTP processing.
Risk Level: low
Testing: unit
Docs Changes: none
Release Notes: none
Mirrored from https://github.com/envoyproxy/envoy @ 91eccaf7d75161676e90adae58722c4bfa7d0c2e
This is a comments-changes-only PR.
The `ExternalProcessor` has a `mutation_rules` field, whose purpose is to let users modify otherwise-restricted headers, such as `"host"` and `":authority"`. Odds are that users who are modifying such headers are trying to influence the routing decisions that Envoy makes, such as was the case in https://github.com/envoyproxy/envoy/issues/23919.
However, setting only `"host"` or `":authority"` is not sufficient to change such routing decisions; users must also set a `clear_route_cache` field.
This PR hopes to avoid confusion about those two fields, like that in https://github.com/envoyproxy/envoy/issues/23919, by improving the comments on the `mutation_rules` field.
Signed-off-by: Robert-Jan Huijsman <22160949+rjhuijsman@users.noreply.github.com>
Mirrored from https://github.com/envoyproxy/envoy @ 43dde7800d6057406ef52dd1c0982a0028c558fa
Any Envoy users who customize their pre-built extensions will need to evaluate if they need this cluster.
Risk Level: medium
Testing: n/a
Docs Changes: n/a
Release Notes: inline
Signed-off-by: Alyssa Wilk <alyssar@chromium.org>
Mirrored from https://github.com/envoyproxy/envoy @ 1d60a116413a0422b2df50e5f6ef8b553caba53b
Some stats like `no_route` and `idle_timeout` can't be printed by session access log,
so we need proxy-level access logging to log global stats.
Additional Description:
Risk Level: Low
Fixes #23241
Signed-off-by: giantcroc <changran.wang@intel.com>
Mirrored from https://github.com/envoyproxy/envoy @ 33fce6bd1925a5c26eb41ed584de0c9422b5e4fb
This filter is configured with request_rules that will be matched against requests. A field_selector of a rule represents the head of a linked list; each node of the linked list has a name for logging and an id for matching. The field_selector is tied to a payload field when the linked list corresponds to a downward path rooted in the top level of the request message structure. on_present is triggered when the corresponding payload is present. Otherwise, on_missing is triggered.
This filter is designed to support payload passthrough. By performing payload-to-metadata, the filter can do deserialization once and pass the metadata to other filters. This means that load balancing decisions, logging and routing could all use payload information with a single parse. Also notably, performing the parsing in the payload passthrough buffer will mean deserializing once and not re-serializing, which is the most performant outcome.
Risk Level: low
Testing: unit
Docs Changes: multiple rst
Fixes #23322
Signed-off-by: kuochunghsu <kuochunghsu@pinterest.com>
Mirrored from https://github.com/envoyproxy/envoy @ cd208a5dbc281dcc27a8155a210037267c08ff6f
remove an extra dot in docs
Signed-off-by: Peter Jausovec <peter.jausovec@gmail.com>
Mirrored from https://github.com/envoyproxy/envoy @ 82667905a934826576e817a8222b0e1117b79b15
Add a dubbo codec for the generic proxy to support proxying dubbo traffic with the generic proxy. It's a simple wrapper around the common dubbo codec (`/source/extensions/common/dubbo`).
Risk Level: n/a. new feature.
Testing: Unit.
Docs Changes: n/a.
Release Notes: Added.
Platform Specific Features: n/a.
Signed-off-by: wbpcode <wangbaiping@corp.netease.com>
Mirrored from https://github.com/envoyproxy/envoy @ ab0abb640b1e501c66762c45b164529378c6bf66
Make QUIC connection ID generation an extension point, with the currently in-use EnvoyDeterministicConnectionIdGenerator as the default implementation.
Additional Description: fix some previously unused QUICHE build targets.
Risk Level: low, control plane change
Testing: added new unit tests
Docs Changes: docs/root/api-v3/config/quic/quic_extensions.rst
Release Notes: N/A
API Considerations: interface naming and documentation
Signed-off-by: Dan Zhang <danzh@google.com>
Mirrored from https://github.com/envoyproxy/envoy @ 02ebc03205cfae5b26ce890050b9d1b6e0c2d1f5
It is observed that Envoy crashes in ASSERT() because the regex rewrite path string contains an invalid character (the null character).
We should prohibit null characters in the regex rewrite substitution string. This is well guarded in most other cases like RouteAction:prefix_rewrite, but is missing in RouteAction:regex_rewrite:substitution.
Signed-off-by: Yanjun Xiang <yanjunxiang@google.com>
Mirrored from https://github.com/envoyproxy/envoy @ 23f3ee57b012e28aea0d6e7bdd6a991edd392741
* xds: add config for random and maglev load balancer extensions
Signed-off-by: wbpcode <wangbaiping@corp.netease.com>
* update extension type to envoy.load_balancing_policies because envoy.clusters is extension type for custom cluster
Signed-off-by: wbpcode <wangbaiping@corp.netease.com>
Signed-off-by: wbpcode <wangbaiping@corp.netease.com>
Mirrored from https://github.com/envoyproxy/envoy @ e4352708f7991872159dd8db12d379d190da1e26
Added support for replacing dots of gRPC service name with underscores in the gRPC stats by
the config grpc_stats.v3.FilterConfig.replace_dots_in_grpc_service_name.
Risk Level: Low
Testing:
1) Added Unit tests in context_impl_test and config_test.
2) Compiled and tested the Envoy locally and verified via output in /stats page.
Docs Changes:
Added inline doc description in the grpc_stats config.proto.
Release Notes:
Added the note in version history
Platform Specific Features: N/A
Fixes https://github.com/envoyproxy/envoy/issues/16384
Signed-off-by: Junpeng Luo <ljpeng1001@gmail.com>
Mirrored from https://github.com/envoyproxy/envoy @ 6c4c0b1556d421e786c993061d9c304f0bc6e1d5
Since IPv4 and IPv6 have different socket option flags, when using multiple addresses the user has to specify different socket options for the IPv4 address and the IPv6 address.
For the listener, the additional address can be an IPv6 address, so it should be possible to set an IPv6 flag corresponding to the IPv4 one. Add a socket_option field for each additional address.
For the upstream, the endpoint can be IPv4 or IPv6. Currently, the user can specify the IPv4 and IPv6 local bind address in the bind config, but there is only a global socket_options that applies to both the IPv4 and IPv6 addresses. Add socket_options for each extra source address. https://envoyproxy.slack.com/archives/C78HA81DH/p1664228598624269
Risk Level: low
Testing: n/a
Docs Changes: API doc
Release Notes: n/a
Platform Specific Features: n/a
Signed-off-by: He Jie Xu <hejie.xu@intel.com>
Mirrored from https://github.com/envoyproxy/envoy @ 601cf012144a6d212879b315efa51e9cdf177878
Adds a note that the ``cipher_suites`` setting needs to be manually set if using ``tls_minimum_protocol_version`` below ``TLSv1_2``.
Signed-off-by: gsalisbury <gsalisbury@apnic.net>
Mirrored from https://github.com/envoyproxy/envoy @ 538c0bb9bc0dc960677269512560d60c564b5f26
Risk Level: low
Testing: n/a
Signed-off-by: He Jie Xu <hejie.xu@intel.com>
Mirrored from https://github.com/envoyproxy/envoy @ b1208ec4fd311d86086a99fb5f9f76d16af3a9ee
Add a "canonical suffix" list to the Alt-Svc cache so that Alt-Svc entries can be shared across origins which share the same hostname suffix.
Risk Level: Low
Testing: New unit tests
Docs Changes: Update proto docs
Release Notes: Updated
Signed-off-by: Ryan Hamilton <rch@google.com>
Mirrored from https://github.com/envoyproxy/envoy @ 2b67ce314da75f304d7f65d05155bcee7c7d18e1
Commit Message: Currently, there can be multiple built-in regexes targeting the same tag name, and in fact there's at least one case where this occurs:
466e78586a/source/common/config/well_known_names.cc (L133)
466e78586a/source/common/config/well_known_names.cc (L136)
This change prevents a second tag value for a given name from being extracted, to meet Prometheus' requirements.
Having two alternate ways of generating the same tag value allows them to be expressed using two distinct regexes, which are easier to understand, and possible for the infrastructure to optimize with the prefix-map. This situation also occurs with Istio/Wasm, which for reasons that elude me, generate stats with two very different syntaxes both meaning HTTP Response Code, and adds those extractors using configuration.
An alternate approach is to add complexity to the regex processing to allow matches in an ORed regex, which is a bit confusing, and results in regexes that cannot be optimized well by our current system. There is no one prefix that can be used to reduce the set of regexes that need to be evaluated against every stat, and the long regexes with captures are hard for humans to read. See https://github.com/envoyproxy/envoy/pull/22791
The disadvantage of allowing multiple regexes to generate the same tag, is that it may create more scenarios where a stats sink like Prometheus may be given multiple tags with the same name, and it would be good to get some notion that this is OK. Currently such cases would be rejected during process startup (for CLI-based tags) or during config processing.
I opened this up for review to initiate this discussion, but want to make sure various stakeholders have a chance to weigh in. Though no protobufs were changed structurally in this PR, it's kind of an API change (with .proto comments) and should probably be approved as one.
Additional Description:
Risk Level: medium
Testing: //test/...
Docs Changes: changed comments in proto file that previously indicated dups were not allowed
Release Notes:
Platform Specific Features:
Fixes: https://github.com/envoyproxy/envoy/issues/22591
Signed-off-by: Joshua Marantz <jmarantz@google.com>
Mirrored from https://github.com/envoyproxy/envoy @ 45f062466a40216d29117320ede012d087ca1318
* generic proxy: allow the L7 filter to be configured repeatedly
Signed-off-by: wbpcode <wangbaiping@corp.netease.com>
Mirrored from https://github.com/envoyproxy/envoy @ 5a14b1a5b4b35de6dbb764fd1f5cdfb50614b095
Updating documentation to make clearer this issue: #3058
Risk Level: Low since it's just documentation?
Testing: Didn't do any -- happy to but was too lazy to set up my environment 😅
Docs Changes: Specifically for outlier detection, I was confused that 5xx mapped -- for TCP traffic -- to connection failures
Release Notes: Updated documentation on outlier detection
Fixes #3058
Signed-off-by: Steven Chu <stevenc1@gmail.com>
Signed-off-by: Steven Chu <stevenchu@squareup.com>
Mirrored from https://github.com/envoyproxy/envoy @ 118b15a6b2491d46731a27f3a6b8eed3f643fa00
An xDS delegate extension point was added in #22473 to enable custom behavior upon receiving and loading xDS resources. This change creates an implementation of the XdsResourcesDelegate interface that is backed by a KeyValueStore.
The intended use case is to enable persisting xDS resources and loading them on startup in Envoy Mobile, in the event that the xDS control plane is unreachable.
Signed-off-by: Ali Beyad <abeyad@google.com>
Risk Level: Low
Testing: Unit & Integration tests
Docs Changes: N/A (hidden experimental feature)
Release Notes: N/A
Platform Specific Features: N/A
Signed-off-by: Ali Beyad <abeyad@google.com>
Mirrored from https://github.com/envoyproxy/envoy @ f28db324be3fcb6e91eb5a89d90c08617f76a2b2
Update documentation to indicate that auto_host_rewrite works with STATIC clusters, provided that the hostname attribute of the endpoint is configured.
Signed-off-by: Klearchos Chaloulos <chaloulo@nokia.com>
Mirrored from https://github.com/envoyproxy/envoy @ 6d293a901a51f46289ef2b5491c248d93b974d81
Add support to save response headers from CONNECT tunnels in tcp_proxy.
The use case is saving "baggage" header which provides additional metadata about the upstream endpoint for telemetry purposes.
Fixes #23116
Signed-off-by: Kuat Yessenov <kuat@google.com>
Mirrored from https://github.com/envoyproxy/envoy @ caa81fa49acff4d793c96d8f61f7cc99f32b59ac