Prior to OpenSSL 1.1.0, the certificate depth limit in OpenSSL omitted
the leaf but included the trust anchor. That is, if your chain was Leaf,
Intermediate, Root, any depth limit of 2 or more allowed the
certificate.
OpenSSL 1.1.0 included d9b8b89bec4480de3a10bdaf9425db371c19145b, which
was described as a cleanup change to X509_verify_cert. However, this
change the semantics of the depth limit to omit *both* the leaf and
trust anchor. So the example above was accepted also at depth limit 1.
This is also why common.proto had a comment about different semantics
between the libraries.
BoringSSL originally forked a little before 1.0.2, so it had the older
OpenSSL behavior. Now that the new behavior has been in OpenSSL upstream
for a while, BoringSSL plans to match the new behavior in
https://boringssl-review.googlesource.com/c/boringssl/+/64707/
This change makes Envoy compatible with BoringSSLs before and after that
change. When BORINGSSL_API_VERSION is new enough, we adjust the value
before passing it in, to preserve the original semantics. I'm assuming
here that Envoy would prefer to maintain its existing semantics, rather
than change the test expectation. I've also removed the comment about
backend-specific behavior difference. Supposing Envoy prefers to
maintain existing semantics, any OpenSSL port of Envoy should similarly
adjust the value on OpenSSL 1.1.0 and up.
Along the way, fix an overflow. maxVerifyDepth is a uint32_t, but the
OpenSSL API takes an int. When we exceed INT_MAX, saturate the cast.
Signed-off-by: David Benjamin <davidben@google.com>
Mirrored from https://github.com/envoyproxy/envoy @ f7ef1eeca94f714f0d48af3dd8a43757dc63d770
Commit Message: add ecds support for composite filter
Additional Description: Currrently ECDS does not support composite filter. This would help to use composite filter for use cases like WASM filters
Risk Level: Low
Testing: Updated
Docs Changes: Updated
Release Notes: Added
Signed-off-by: Rama Chavali <rama.rao@salesforce.com>
Mirrored from https://github.com/envoyproxy/envoy @ b4fba1a3cd22bfc5f60233c743e2c58c22957a90
This is the prerequisite of reverting #30438 in order to fix the ZK proxy filter "Uncaught Exception" issue.
Risk Level: Low
Testing: Unit test
Docs Changes: Revert doc changes in #31138
Release Notes: Revert release notes in #31138
Platform Specific Features: N/A
Signed-off-by: Zhewei Hu <zhu@pinterest.com>
Mirrored from https://github.com/envoyproxy/envoy @ e61e461736a28e26b6fcf0ca25d34c47ed29b0fc
* Update references to Connect RPC
This now lives at connectrpc.com.
Signed-off-by: Michael Rebello <me@michaelrebello.com>
Mirrored from https://github.com/envoyproxy/envoy @ afdc6606979bfd6cd486465d771ff2bb78468bf5
Some client requests' URLs may contain query params. gRPC upstream servers can not handle these requests, and may return error such as "unknown method". So we remove query params here.
Risk level: Low
Testing: Unit tests.
Signed-off-by: FHT <33562110+delphisfang@users.noreply.github.com>
Mirrored from https://github.com/envoyproxy/envoy @ da09811ed0fe920b4beb9223a5e160d3587a47bc
Commit Message: Reverts #29873 and #30794
Multiple concerns about the effect of a full scan on LEAST_REQUEST have been raised.
See previous discussions in #11004 and #11006.
Additional Description:
Risk Level:
Testing:
Docs Changes:
Release Notes:
Platform Specific Features:
Mirrored from https://github.com/envoyproxy/envoy @ 6acfb74c10858e8dde84050ab17a07195f7f3360
Commit Message: clear route cache when dynamic metadata is written because route matching can be done on the dynamic metadata
Risk Level: low, recently added in #30699
Testing: done
Docs Changes: none
Release Notes: none
Mirrored from https://github.com/envoyproxy/envoy @ 90929a0b8827b8132d0ae1d8790a380a9fa87c36
* internal redirects: Support passing headers from response to request
This adds a new (repeated) field in the internal redirect policy,
"response_headers_to_preserve". When set, the headers named there
will be copied from the response that triggers an internal redirect
into the request that follows.
This allows some limited information passing through the internal
redirect system.
The current system is faithful to the idea that internal redirects are
purely a latency optimization, and should behave similarly to if the
redirect had been passed to the downstream user-agent. This does
violate that idea.
Other proxies, such as Nginx, have a much more flexible way of
handling internal redirects that allows a fair bit of information
passing like this. This should allow implementations to adopt Envoy
that are using this kind of information passing, with reduced needs to
rearchitect.
Fixes: #30441Fixes: #16777
Signed-off-by: Ryan Anderson <ryan.anderson@snowflake.com>
Signed-off-by: Ryan Anderson <ryan@michonline.com>
* Switching loops to references
Signed-off-by: Ryan Anderson <ryan@michonline.com>
* Clarify that downstream filters will not run
Signed-off-by: Ryan Anderson <ryan@michonline.com>
* Use a vector of LowerCaseStrings
Signed-off-by: Ryan Anderson <ryan@michonline.com>
* Format fixes
Signed-off-by: Ryan Anderson <ryan@michonline.com>
* Fully qualify 'downstream_'
Signed-off-by: Ryan Anderson <ryan@michonline.com>
* Rename from ..._to_preserve to ..._to_copy
Signed-off-by: Ryan Anderson <ryan@michonline.com>
* Reject configs that specify HTTP/2 style headers or Host
Signed-off-by: Ryan Anderson <ryan@michonline.com>
* Fight with clang-tidy by hand
Signed-off-by: Ryan Anderson <ryan@michonline.com>
* Fixup bad doc references
Signed-off-by: Ryan Anderson <ryan@michonline.com>
* punctuation
Signed-off-by: Ryan Anderson <ryan@michonline.com>
* More doc fixups
Signed-off-by: Ryan Anderson <ryan@michonline.com>
* Add a small comment about request_headers_to_copy_
Signed-off-by: Ryan Anderson <ryan@michonline.com>
* Rip out the complicated header copying/restore logic and replace
This removes the existing specialized save/restore logic in favor of
just copying every header into another map, updating the original map
with the necessary changes, and then restoring the whole thing later on.
Signed-off-by: Ryan Anderson <ryan@michonline.com>
* Use copyFrom() instead of doing it by hand
Signed-off-by: Ryan Anderson <ryan@michonline.com>
* Return a reference instead of copying
Signed-off-by: Ryan Anderson <ryan@michonline.com>
* Deauto things
Signed-off-by: Ryan Anderson <ryan@michonline.com>
* fight with clang-format
Signed-off-by: Ryan Anderson <ryan@michonline.com>
* Just use copyFrom()
Signed-off-by: Ryan Anderson <ryan@michonline.com>
---------
Signed-off-by: Ryan Anderson <ryan.anderson@snowflake.com>
Signed-off-by: Ryan Anderson <ryan@michonline.com>
Mirrored from https://github.com/envoyproxy/envoy @ 65bbace5fb0647ac6edc338c62cfc8fc69fda36e
* Implemented API and added code to handle strict routing to a host.
Signed-off-by: Christoph Pakulski <christoph@tetrate.io>
* Adjusted existing tests.
Signed-off-by: Christoph Pakulski <christoph@tetrate.io>
* Added unit and integration tests for header-based stateful session with strict mode.
Signed-off-by: Christoph Pakulski <christoph@tetrate.io>
* Added release notes.
Signed-off-by: Christoph Pakulski <christoph@tetrate.io>
* Fixed proto format.
Signed-off-by: Christoph Pakulski <christoph@tetrate.io>
* Fixed router's test.
Signed-off-by: Christoph Pakulski <christoph@tetrate.io>
* Fixed cluster manager test.
Signed-off-by: Christoph Pakulski <christoph@tetrate.io>
* Moved strict mode to stateful session API. It applies to cookie and header
based stateful sessions.
Signed-off-by: Christoph Pakulski <christoph@tetrate.io>
* refactored setUpstreamOverrideHost method.
Signed-off-by: Christoph Pakulski <christoph@tetrate.io>
* Pass parameter to setUpstreamOverrideHost as value.
Signed-off-by: Christoph Pakulski <christoph@tetrate.io>
* Formatting.
Signed-off-by: Christoph Pakulski <christoph@tetrate.io>
---------
Signed-off-by: Christoph Pakulski <christoph@tetrate.io>
Mirrored from https://github.com/envoyproxy/envoy @ 62f4a14e35b4988dc62ebb51a070875fda59e1fe
Add access log options for UDP session access log to support flushing session access log periodically, and support flushing session access log on upstream tunnel connected when using UDP tunneling.
Additional Description:
Risk Level: low
Testing: unit tests, integration tests
Docs Changes:
Release Notes:
Platform Specific Features: None
Signed-off-by: Issa Abu Kalbein <iabukalbein@microsoft.com>
Mirrored from https://github.com/envoyproxy/envoy @ 1d4981bacacf33fdc5f60cfd56bede2802770a79
ConnectMatcher is now match CONNECT-UDP requests as well. I updated
the description of ConnectMatcher accordingly.
Signed-off-by: Jeongseok Son <jeongseok.son@gmail.com>
Mirrored from https://github.com/envoyproxy/envoy @ 7f84968b32bf33f93fb48e5fcfc3e14fbea95301
allowed_upstream_headers_to_append appends to client request, not response.
Signed-off-by: spacewander <spacewanderlzx@gmail.com>
Mirrored from https://github.com/envoyproxy/envoy @ 86e608693d62d8bec8b1e52035202f7d5ebca7b2
Introduce the ability to send attributes in the External Processing Request
---------
Signed-off-by: Jacob Bohanon <jacob.bohanon@solo.io>
Mirrored from https://github.com/envoyproxy/envoy @ 64c6d04a5fb7b08624df6223f6ef08264b9604a5
Add support for saving upstream response headers and trailers to downstream info
Risk Level: low
Testing: integration tests
Docs Changes: API
Signed-off-by: Issa Abu Kalbein <iabukalbein@microsoft.com>
Mirrored from https://github.com/envoyproxy/envoy @ 876753ad28d6601b91c25b8af59db4f4737c84a5
* rlqs: update and document failure mode behaviors
RLQS documentation updates intended to prevent memory exhaustion
caused by the number of tracked buckets.
- Changes the default behavior of unset
ExpiredAssignmentBehavior.expired_assignment_behavior_timeout from
"retain unlimited time" to "abandon immediately"
- Clarifies the retention policy for the buckets that never received
the initial assignment.
- Clarifies the implementation details for evicting buckets that
never received the initial assignment.
---------
Signed-off-by: Sergii Tkachenko <sergiitk@google.com>
Mirrored from https://github.com/envoyproxy/envoy @ 487f57ddc4a1d47828a5c8ceee91a08a879fc6dd
Make the cached grpc client eviction time configurable, and before it is fixed 50s.
Risk Level: Low
Testing:
Docs Changes:
Release Notes:
Platform Specific Features:
Signed-off-by: Boteng Yao <boteng@google.com>
Mirrored from https://github.com/envoyproxy/envoy @ 83c66e18e7a32c77cf084dc8bb797c84a3e84bec
The repo has been renamed from cncf/udpa to cncf/xds long time ago, this is just to reflect this in the bazel repo name.
Otherwise this is a noop.
Risk Level: Low
Testing: do_ci.sh
Signed-off-by: Sergii Tkachenko <sergiitk@google.com>
Mirrored from https://github.com/envoyproxy/envoy @ f66bd34bf2060e71516456354202abb8ea23ba71
Signed-off-by: Adam Kotwasinski <adam.kotwasinski@gmail.com>
Mirrored from https://github.com/envoyproxy/envoy @ 70ba63a2e676f8676ab65840066729667c0af9bb
Add the ability to ext_authz that collect specified namespaces from route metadata, and propagate them to external auth service. #30252
The instruction of what namespace to select from route metadata, and the field in CheckRequest where the metadata context from route is filled are totally separate from those metadata context from connection or request.
Risk Level: Low
Testing: Unit tests
Signed-off-by: Yujian Zhao <zhaosukima@gmail.com>
Mirrored from https://github.com/envoyproxy/envoy @ 6b78796398528e6d9d5c60c24ab1f54bdc57db8e
Signed-off-by: Adam Kotwasinski <adam.kotwasinski@gmail.com>
Mirrored from https://github.com/envoyproxy/envoy @ c2630addb1ac2984531c07317af5f9dd882b2a01
Commit Message: Allow specifying resource detectors for the OpenTelemetry tracer via a new configuration resource_detectors. The resource detector reads from the env variable OTEL_RESOURCE_ATTRIBUTES which is defined by the OTel specification. The detector returns a resource object populated with the detected attributes, which is sent as part of the OTLP request.
Additional Description: This PR adds the "foundation" for building other resource detectors in Envoy. It is based on the OTel collector implementation. Users can configure multiple resource detectors, and they work together to "merge" all the detected attributes into a single resource object, which is then part of the OTLP message exported.
Risk Level: Low
Testing: Multiple unit tests, that cover all new code/scenarios. I also did manual testing, running Envoy locally with the OTel tracer + env resource detector enabled. Resource attributes detected from my environment is successfully exported as seen in the Jaeger screenshot.
resource-detectors-env-jaeger
Docs Changes: Not sure if I should add/where. Happy to do it.
Release Notes: N/A
Platform Specific Features: N/A
[Optional Runtime guard:] N/A
[Optional Fixes#28929]
Here is how the new config is used:
tracing:
provider:
name: envoy.tracers.opentelemetry
typed_config:
"@type": type.googleapis.com/envoy.config.trace.v3.OpenTelemetryConfig
grpc_service:
envoy_grpc:
cluster_name: opentelemetry_collector
timeout: 0.250s
service_name: envoy-gRPC-exporter
resource_detectors: # --> NEW CONFIG
- name: envoy.tracers.opentelemetry.resource_detectors.environment
typed_config:
"@type": type.googleapis.com/envoy.extensions.tracers.opentelemetry.resource_detectors.v3.EnvironmentResourceDetectorConfig
Signed-off-by: Joao Grassi <joao.grassi@dynatrace.com>
Mirrored from https://github.com/envoyproxy/envoy @ 4eaa1f866164eee5d51e46406bcb31d8dec99bdd
API to address gaps with the downstream Istio filter to finish upstreaming.
Issue: #29681
Signed-off-by: Kuat Yessenov <kuat@google.com>
Mirrored from https://github.com/envoyproxy/envoy @ e9366f2b34be537b1b30ed17a4fd75b4715b5990
* Add new idea for selecting hosts among those not selected yet.
Signed-off-by: Leonardo da Mata <ldamata@spotify.com>
* Change how we choose full table scan
Signed-off-by: Leonardo da Mata <ldamata@spotify.com>
* Remove cout
Signed-off-by: Leonardo da Mata <ldamata@spotify.com>
* Fix Tests for load_balancer_impl_test
Signed-off-by: Leonardo da Mata <ldamata@spotify.com>
* Fix format and make sure full scan happens only when selected or the number of choices is larger than the size.
Signed-off-by: Leonardo da Mata <ldamata@spotify.com>
* Enable new option on extesions api only
Signed-off-by: Leonardo da Mata <ldamata@spotify.com>
* Fix Integration tests.
Signed-off-by: Leonardo da Mata <ldamata@spotify.com>
* Add release notes for full scan in least request LB.
Signed-off-by: Leonardo da Mata <ldamata@spotify.com>
* Fix ref for release note.
Signed-off-by: Leonardo da Mata <ldamata@spotify.com>
* Fix release notes
Signed-off-by: Leonardo da Mata <ldamata@spotify.com>
* Update release note
Signed-off-by: Leonardo da Mata <ldamata@spotify.com>
---------
Signed-off-by: Leonardo da Mata <ldamata@spotify.com>
Signed-off-by: Leonardo da Mata <barroca@gmail.com>
Co-authored-by: Leonardo da Mata <ldamata@spotify.com>
Mirrored from https://github.com/envoyproxy/envoy @ 3ea2bc40590c1a48f26e8297ae55d7a6d08083e9
* http api: new disable flag to disable a filter in the filter chain by default
Signed-off-by: wbpcode <wangbaiping@corp.netease.com>
* complete development
Signed-off-by: wbpcode <wangbaiping@corp.netease.com>
* more tests to verify the new feature
Signed-off-by: wbpcode <wangbaiping@corp.netease.com>
* add release note
Signed-off-by: wbpcode <wangbaiping@corp.netease.com>
* fix link
Signed-off-by: wbpcode <wangbaiping@corp.netease.com>
* fix test
Signed-off-by: wbpcode <wangbaiping@corp.netease.com>
* Update api/envoy/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto
Co-authored-by: Matt Klein <mattklein123@gmail.com>
Signed-off-by: code <wangbaiping@corp.netease.com>
* Update changelogs/current.yaml
Co-authored-by: Matt Klein <mattklein123@gmail.com>
Signed-off-by: code <wangbaiping@corp.netease.com>
* Update source/common/http/filter_chain_helper.h
Co-authored-by: Matt Klein <mattklein123@gmail.com>
Signed-off-by: code <wangbaiping@corp.netease.com>
* fix spelling error
Signed-off-by: wbpcode <wangbaiping@corp.netease.com>
* fix ci
Signed-off-by: wbpcode <wangbaiping@corp.netease.com>
---------
Signed-off-by: wbpcode <wangbaiping@corp.netease.com>
Signed-off-by: code <wangbaiping@corp.netease.com>
Co-authored-by: Matt Klein <mattklein123@gmail.com>
Mirrored from https://github.com/envoyproxy/envoy @ 9be3183433f30e9a726add174c80fd32cf6b7202
update-envoy[bot]