Calling out that it's possible to use the value 0 to disable route timeout (as it is for idle timeout).
Signed-off-by: nmeessen <nmeessen@atlassian.com>
Mirrored from https://github.com/envoyproxy/envoy @ b9fe0b93371094827827b4932aaad09f89b14928
Omit the node identifier from subsequent discovery requests on the same stream.
Restricted to non-incremental xDS for tractability.
Risk Level: low, affects xDS protocol but guarded by an option
Testing: Unit/integration tests are updated
Docs Changes: xDS spec clarification
Release Notes: omit the node identifier from subsequent discovery requests
Fixes: #7860
Signed-off-by: Kuat Yessenov <kuat@google.com>
Mirrored from https://github.com/envoyproxy/envoy @ 8e07e8297d7d5e68cf6d6d7e49ba98d2500cdef7
This change adds protections against flooding using PRIORITY
and/or WINDOW_UPDATE frames, as well as frames with an empty
payload and no end stream flag.
Fixes CVE-2019-9511, CVE-2019-9513 and CVE-2019-9518.
Signed-off-by: Piotr Sikora <piotrsikora@google.com>
Mirrored from https://github.com/envoyproxy/envoy @ 9f16bca5044260f5ceeb49c5836b9326a75a0b49
Limit the number of outbound (these, waiting to be written into the socket)
HTTP/2 frames. When the limit is exceeded the connection is terminated.
This mitigates flood exploits where a client continually sends frames that
are not subject to flow control without reading server responses.
Fixes CVE-2019-9512, CVE-2019-9514 and CVE-2019-9515.
Signed-off-by: Yan Avlasov <yavlasov@google.com>
Mirrored from https://github.com/envoyproxy/envoy @ b93886ca040795407efc641f8b41eaf35e7bf1bb
This warms when building:
> envoy/api/v2/cluster/filter.proto:12:1: warning: Import google/protobuf/struct.proto but not used.
Signed-off-by: Michael Rebello <me@michaelrebello.com>
Mirrored from https://github.com/envoyproxy/envoy @ 7b0ce0d32a9b584626e8c16b5ae07817eade322d
Promote tracing operation field to listener level. This expands the scope of the field to support two use cases:
Tracing TCP connections: istio can send connection events to create a service communication graph. Network filters can benefit from the common knowledge about the intent of the listener/filter chain (client-side vs server-side).
Using ingress/egress designation for other telemetry. The direction of the traffic is a useful label on metrics, and it is not explicit at the moment, unless depending on tracing configuration in HTTP connection manager or naming convention. Both workarounds are not ideal.
Risk Level: low
Testing: all unit tests continue to pass
Signed-off-by: Kuat Yessenov <kuat@google.com>
Mirrored from https://github.com/envoyproxy/envoy @ ca2af9723598fab4f511b59407396cc5cff9ed94
Description: Fix missing gogo annotation. The file-level `equal_all` annotation was missing in one of the files and failed to compile in go-control-plane.
https://github.com/envoyproxy/go-control-plane/pull/201
Risk Level: Low
Testing: go-control-plane
Docs Changes: N/A
Release Notes: N/A
Signed-off-by: Shriram Rajagopalan <rshriram@tetrate.io>
Mirrored from https://github.com/envoyproxy/envoy @ bdd6788f1e01787d015eabd9902f4b565e5dea98
Due to a seg fault issue with the gogo protobuf library
[https://github.com/gogo/protobuf/issues/568], non nullable repeated
fields in a proto will cause proto.Merge(dst, src) to panic.
The nullable field setting was first added by @kyessenov when he was
re-organizing the protos. Unfortunately, people have been copy pasting it
across several areas in the Envoy proto. To keep the impact radius to a minimum,
I have updated only the fields that are currently causing the segfault
(in go-control-plane) for us.
Its also partly against proto principles. You should be able to determine if
a field is set or not. This non-nullable setting in gogo will insist on initializing
the field to default values.
Risk Level: to go control plane users
Signed-off-by: Shriram Rajagopalan <rshriram@tetrate.io>
Mirrored from https://github.com/envoyproxy/envoy @ b22d2b5cf09f779962cfedaaab24969f384cbc48
Description:
this commit bumps protoc-gen-validate to the latest version. this
should unblock `wrowe` in slack working on windows support.
after this I believe we can also take use of the new address validation
type to fix some unique error messages, but the first step is bumping it
as a side note:
- SocketState was using `.message.required` however it was not
a message type. as far as I can tell this was a bug that PGV fixed.
Risk Level: Low
Testing: Ensure that envoy successfully builds.
Docs Changes: None
Release Notes: None
Signed-off-by: Cynthia Coan <ccoan@instructure.com>
Mirrored from https://github.com/envoyproxy/envoy @ 9c00735e68148b9100473eecce2ee536c3072c6b
Currently, in load_balancer_impl.cc: recalculatePerPriorityPanic(), even if common_lb_config.healthy_panic_threshold is 0%, a load balancer enters panic mode whenever normalized_total_availability is 0%.
I guess, a user who intentionally set to healthy_panic_threshold = 0 expects to immediately return error responses if there is no available host checked by a load balancer.
(In fact, current load_balancer_impl.cc: isGlobalPanic() decide not to enter panic mode whenever healthy_panic_threshold is 0%.)
So I suggest that panic mode is disabled only when healthy_panic_threshold is 0%.
I want this change for automatic degenerating lower priority or optional back-end services.
Risk Level: Low
(It seems that setting healthy_panic_threshold == 0 is a special case originally. It won't happen unless a user intend to disable panic mode, because default value of healthy_panic_threshold is 50%.)
Testing: unit and Integration tests with ./ci/run_envoy_docker.sh './ci/do_ci.sh bazel.release'
Docs Changes: inline
Signed-off-by: mnktsts2 <mnktsts2@gmail.com>
Mirrored from https://github.com/envoyproxy/envoy @ ad9926fb29dc047d7583ab5b0217a3c379f14200
Description: Add an async data source which supports fetching data from local and remote data source. The async data provider guarantees that data is access before `init manager` is ready.
Risk Level: Low
Testing: Unit test
Docs Changes: N/A
Release Notes: Added
Fixes#7311
Signed-off-by: crazyxy <yxyan@google.com>
Mirrored from https://github.com/envoyproxy/envoy @ 42706efea87eda276cd650db99bc318319176a98
In order to better support clients such as gRPC-LB that want to access
only a single listener/cluster, provide the scope in the xDS
specification to specify explicit resource hints.
Signed-off-by: Harvey Tuch <htuch@google.com>
Mirrored from https://github.com/envoyproxy/envoy @ 7ef20d7609fb6f570a058fcf4b4e000922d7eeba
This makes it possible to configure the subset LB to match metadata
match criterias with any of the values specified in a list value on an
endpoint. This allows endpoints to have multiple values for a given
metadata key.
To accomplish this the invariants of the subset trie construction
changed: a host can now be associated with multiple subsets for a set of
subset selectors. To support this the trie construction had to change to
traverse all possible paths for each host.
Fixes#6921
Signed-off-by: Snow Pettersen <snowp@squareup.com>
Mirrored from https://github.com/envoyproxy/envoy @ 41ecbb3e4bd48b425483e7c3aae17509f2ef3a80
This fixes for ruby what
https://github.com/envoyproxy/envoy/pull/3854
fixed for C#.
Description: The existing protos yield a ruby module and class with the same name for both cluster and listener. This fixes for ruby what https://github.com/envoyproxy/envoy/pull/3854 fixed for C#.
Risk Level: Low
Testing: I successfully generated valid envoy configurations using the ruby code generated by these updated protos.
Docs Changes: N/A
Release Notes: Ruby module name overrides for data plane api proto definitions.
Signed-off-by: Justin Stallard <jstallard@gmail.com>
Mirrored from https://github.com/envoyproxy/envoy @ 47925a53e67645fa20ca60a5c3257084bd870994
This code change allows to redefine fallback policy per specific subset selector. Because of how existing LbSubsetMap trie data structure is organised (mapping subset key to values), is not possible to do lookups for fallback policy only based on subset keys (had to introduce additional trie that maps subset keys to keys and has fallback policy on leaf level). Additional LbSubsetSelectorFallbackPolicy enum required to correctly identify the case when fallback policy is not set for given selector (otherwise it would always default to NO_FALLBACK, breaking backwards compatibility, if field is not set we should use top level fallback policy instead).
Risk Level: Medium
Testing: Done
Docs Changes: Updated related docs
Release Notes: added
Fixes#5130
Signed-off-by: Kateryna Nezdolii <nezdolik@spotify.com>
Mirrored from https://github.com/envoyproxy/envoy @ 1a60b343665cf2ffb966f37bbe48fed21805df57
Delta services other than DeltaClusters were missing. Also added those services to proto_descriptors.cc. Also added some other things that proto_descriptors.cc was missing. #4991
Risk Level: low
Signed-off-by: Fred Douglas <fredlas@google.com>
Mirrored from https://github.com/envoyproxy/envoy @ 40d8b7f68c64591f11d4e62ac429af5e074ed3a7
This PR also fully deprecates the tcp_proxy v1 configuration.
This will be deleted following the standard deprecation cycle.
All new uses should use filter chain matching.
Fixes https://github.com/envoyproxy/envoy/issues/4457
Signed-off-by: Matt Klein <mklein@lyft.com>
Mirrored from https://github.com/envoyproxy/envoy @ 866d0438d12ce9d39afb35ba200b0107bf3d6de3
Certain clusters have cluster specific load balancers. This change
allows a cluster to explicitly provide one, both allowing extension
clusters to easily provide a dedicated load balancer, as well as
allowing for future cleanup of the original DST LB configuration.
This change is needed for Redis Cluster as well as
#1606.
Risk Level: Low
Testing: New UTs and integration tests.
Signed-off-by: Matt Klein <mklein@lyft.com>
Mirrored from https://github.com/envoyproxy/envoy @ fcf8a5918dfd20ed4ff52652f9ffd7d1d9d34b28
Implements the hedge_on_per_try_timeout option in HedgePolicy config
which instructs the router filter to not cancel requests that hit the
per try timeout before sending a retry. This means the router must be
able to manage multiple simultaneous upstream requests and handle
deciding which response "wins" and canceling any other in flight
requests.
Fixes#5841
Signed-off-by: Michael Puncel <mpuncel@squareup.com>
Mirrored from https://github.com/envoyproxy/envoy @ 4d4748ea243e0ab0538bcb0894a64bb0da617b55
Risk Level: none, adding unused proto field
#4991
Signed-off-by: Fred Douglas <fredlas@google.com>
Mirrored from https://github.com/envoyproxy/envoy @ 154cdcb25832b01794430bc473e6675d365dd082
Changes: Fixes coverage test hang.
No change to core logic from #6692.
Signed-off-by: Karthik Reddy <rekarthik@google.com>
Mirrored from https://github.com/envoyproxy/envoy @ 27b3e48e8d754dcb956dca58888c7dbfde7ceec8
This adds an option to allow hosts to be excluded in lb calculations until they have been health checked
for the first time. This will make it possible to scale up the number of hosts quickly (ie large increase
relative to current host set size) without triggering panic mode/spillover (as long as the initial health check
is succeeds).
While these hosts are excluded from the lb calculations, they are still eligible for routing when panic
mode is triggered.
Signed-off-by: Snow Pettersen <snowp@squareup.com>
Mirrored from https://github.com/envoyproxy/envoy @ 4c80194bf82193261aa52a4ca64c4e6a461881c0
Moved all of DeltaSubscriptionImpl's existing tests to be DeltaSubscriptionState tests, since that's what they really were. Added tests that test actual DeltaSubscriptionImpl logic. Followup of #6729.
Risk Level: none, just adding tests
Testing: DeltaSubscriptionState, DeltaSubscriptionImpl
Signed-off-by: Fred Douglas <fredlas@google.com>
Mirrored from https://github.com/envoyproxy/envoy @ ae3106b3ee792f697b2098781a0e65d8d73a32ca
Description: Adding API support to report Locality proximity information as part of Locality Assignment. This does not need to be documented yet, and should be documented as part of LB algorithm implementation which will use this information.
Risk Level: LOW
Testing: None
Signed-off-by: Vishal Powar <vishalpowar@google.com>
Mirrored from https://github.com/envoyproxy/envoy @ 5e039a6581cf5fa1f7b70329afeb2e3d35b8189c
total_issued_requests field tracks the count of requests issued since
the last report. This field will be used for global load balancing
decisions.
Envoy maintains a stats counter rq_total to track total
requests made. By latching this counter when load reporting period
begins, we are able to count the total requests issued in a load
reporting interval. This information is then used to populate the field
total_issued_requests.
Risk Level: Low
Testing: //test/integration:load_stats_reporter passes.
Signed-off-by: Karthik Reddy <rekarthik@google.com>
Mirrored from https://github.com/envoyproxy/envoy @ cdddf54e8548036703ee928335a44c3b503b988b
Protos to statically and dynamically (via the Scoped Route Discovery Service) configure scoped
routing logic in Envoy.
Signed-off-by: Andres Guedez <aguedez@google.com>
Mirrored from https://github.com/envoyproxy/envoy @ 2778c3c0c1e1f18a1c7864b4e7707e9d0ca2571e
This adds support for modifying the grpc-timeout provided by the
downstream by some offset. This is useful to make sure that Envoy is
able to see timeouts before the gRPC client does, as the client will
cancel the request when the deadline has been exceeded which hides the
timeout from the outlier detector.
Signed-off-by: Snow Pettersen <snowp@squareup.com>
Mirrored from https://github.com/envoyproxy/envoy @ 03ae1ef6b9afcfda9545b3d734b54027776254f9
Default behavior remains unchanged: retries will use the runtime parameter
defaulted to 25ms as the base interval and 250ms as the maximum. Allows
routes to customize the base and maximum intervals.
Risk Level: low (no change to default behavior)
Testing: unit tests
Doc Changes: included, plus updated description of back-off algorithm
Release Notes: added
Signed-off-by: Stephan Zuercher <zuercher@gmail.com>
Mirrored from https://github.com/envoyproxy/envoy @ 5ea103ee0e88cca52f543fdd230ca9f84c518c88