This is a one-time movement of all UDPA content from envoyproxy/envoy to
cncf/udpa. The permanent home of UDPA will be
https://github.com/cncf/udpa.
Risk level: Low
Testing: Added UDPA service entry to build_test.
Signed-off-by: Harvey Tuch <htuch@google.com>
Mirrored from https://github.com/envoyproxy/envoy @ e67923fc0b60d0cdf3935fcb30af61d131301fad
Introduces a generic expression-based admission filter using https://github.com/google/cel-cpp.
This is a follow-up to discussion in https://github.com/envoyproxy/envoy/issues/6751.
The advantage of this approach is:
1. Un-opinionated about the policy structure since the only config is an expression. This is friendly towards control planes which can bear the complexity of translation, analysis, and evolution of policies.
2. Multi-language, CEL supports go, java, and c++ runtimes.
3. Inter-operability with other filters using request `metadata`. Companion filters can populate metadata about requests and resources that affect policy decisions.
4. Generic utility, it can be used for custom metric labels, access log entries, etc.
The dis-advantage of this approach is that its performance is lower than domain-optimized interpreters. On a fair example, the interpreter evaluates in around 1ms (see https://github.com/google/cel-cpp/blob/master/eval/tests/benchmark_test.cc#L591) vs ~150ns for hand-written C++ native code. There is space for improvement (especially if WASM can be used as a compilation target), but ultimately the generic expression form carries a cost.
Conditions are added to support RBAC filter for complementing the existing principal/permission model. They add support for the extended checks (e.g. time of query, resource-bound), but add no cost unless used.
Description: add expression-based admission filter
Risk Level: low
Testing:
Docs Changes:
Release Notes:
Signed-off-by: Kuat Yessenov <kuat@google.com>
Mirrored from https://github.com/envoyproxy/envoy @ f90e1b08ac5b4973c45a6529780ebdd211ff901f
Description:
Un-pin opencensus and googleapis to use master versions
Use SetName span method to set route operation names (aligning with other tracers).
Risk Level: low
Testing: Unit tests
Docs Changes: None
Release Notes: None
Signed-off-by: Kuat Yessenov <kuat@google.com>
Mirrored from https://github.com/envoyproxy/envoy @ ef054f08695b8c883c94674904ad27210aa9ba38
Description:
this commit bumps protoc-gen-validate to the latest version. this
should unblock `wrowe` in slack working on windows support.
after this I believe we can also take use of the new address validation
type to fix some unique error messages, but the first step is bumping it
as a side note:
- SocketState was using `.message.required` however it was not
a message type. as far as I can tell this was a bug that PGV fixed.
Risk Level: Low
Testing: Ensure that envoy successfully builds.
Docs Changes: None
Release Notes: None
Signed-off-by: Cynthia Coan <ccoan@instructure.com>
Mirrored from https://github.com/envoyproxy/envoy @ 9c00735e68148b9100473eecce2ee536c3072c6b
Signed-off-by: Adam Kotwasinski <adam.kotwasinski@gmail.com>
Mirrored from https://github.com/envoyproxy/envoy @ d63aa4d05c0968eb335a891c1b1218d2675beac7
They include fixes for future Bazel changes. In particular, the
repository can now build with --incompatible_depset_is_not_iterable,
which will be included in Bazel 0.27.
Description:
Risk Level: low
Testing: bazel build --nobuild ... --incompatible_depset_is_not_iterable
#6995
Signed-off-by: Laurent Le Brun <laurentlb@gmail.com>
Mirrored from https://github.com/envoyproxy/envoy @ 0739cd6c9e33d77df2c9ff30c6f43fbb0676e023
Removes golang/protobuf dependency. This is an old @sesmith177 TODO and now the version of rules_go we import has the requisite well known types (WKT). Bumping rules_go to the latest version 0.18.4 (release notes) aligns with PGV which is on 0.18.3.
Risk Level: low (I think but there are WKT changes)
Testing: bazel test //test/...
Signed-off-by: Michael Payne <michael@sooper.org>
Mirrored from https://github.com/envoyproxy/envoy @ 7bf53149d137dcb2a7b4eddb4f8c23eda23d66e5
Update buildifier from 0.22.0 to 0.25.0 (release notes), bazel-compilation-database from 0.3.2 to 0.3.3 (release notes), bazel-skylib from 0.7.0 to 0.8.0 (release notes) and change to developer provided tar download and protoc-gen-validate from 0.13.0 to 0.14.0 (release notes).
Risk Level: Low
Testing: bazel bazel test //test/...
Docs Changes: none required
Release Notes: none required
Signed-off-by: Michael Payne <michael@sooper.org>
Mirrored from https://github.com/envoyproxy/envoy @ 8b1f6eaa7aa28c14640b2ed779738a8d7be33a34
Signed-off-by: Adam Kotwasinski <adam.kotwasinski@gmail.com>
Mirrored from https://github.com/envoyproxy/envoy @ ecf1085a5b279d1244a02433f204ebba5306d40f
Dynamic link tests in ASAN to save disk space. Partially addresses #1407.
Risk Level: Low (ASAN only)
Testing: CI
Signed-off-by: Lizan Zhou <lizan@tetrate.io>
Mirrored from https://github.com/envoyproxy/envoy @ 8cca5c2992693ae143834ad0726aa630058f5910
The python script will print a machine readable output of Envoy's external dependencies
./tools/print_dependencies.py
I opt'd not to include the bazel rule this time around.
Risk Level: Low
Testing: I tested the changes by invoking the script `ci/build_container/docker_build.sh`
Signed-off-by: Dave Protasowski <dprotaso@gmail.com>
Mirrored from https://github.com/envoyproxy/envoy @ 6046405e68c8772c77f0fa74e4705f7e3c49c059
This updates the lyft/protoc-gen-validate dependency to v0.0.13 in order
to fix a bug in validating repeated enums as described in
lyft/protoc-gen-validate#139.
Signed-off-by: Venil Noronha <veniln@vmware.com>
Mirrored from https://github.com/envoyproxy/envoy @ 5aeae5969f945ba4a22279004c016431dbcf908c
Part of #2456
Signed-off-by: Emil Mikulic <g-easy@users.noreply.github.com>
Mirrored from https://github.com/envoyproxy/envoy @ 4b475977f649c3614371940a819611f7d17e3a4e
To use --distdir option of Bazel (which allows to use previously
fetched tarballs instead of downloading dependencies during
build), all dependencies should use http instead of git and need
to have sha256 sums specified.
Risk Level: low
Testing: n/a
Docs Changes: updated bazel/EXTERNAL_DEPS.md
Release Notes: n/a
Signed-off-by: Michal Rostecki <mrostecki@suse.de>
Mirrored from https://github.com/envoyproxy/envoy @ dc0d35b9ed93b4f5d2ad83f6a7e78832504aeeea
This should unblock Windows, fix the long CLI issue and also fuzz weak link problems.
Signed-off-by: Harvey Tuch <htuch@google.com>
Mirrored from https://github.com/envoyproxy/envoy @ 92971047ca0b8a97c1004e3b5196916203f9185b
In the latest iteration of
https://github.com/envoyproxy/envoy/pull/4220, it was necessary to use
PGV constraints on fuzzer inputs. To do this would require PGV
generation in envoy_build_system.bzl.
There is also quite a bit of mess in
how we were doing envoy_proto_library() today. So, this PR allows us to
throw away the custom envoy_proto_library() and benefit from leveraging
a single source of Envoy proto build truth.
Risk level: Low
Testing: bazel test //test/...
Signed-off-by: Harvey Tuch <htuch@google.com>
Mirrored from https://github.com/envoyproxy/envoy @ 28d5f4118d60f828b1453cd8ad25033f2c8e38ab
This patch prepares HTTP response when an upstream gRPC service method
uses google.api.HttpBody proto as its message output type.
Risk Level: Low
Testing: Unit
Docs Changes:
Added notes on sending arbitrary content as HTTP response by using google.api.HttpBody.
Release Notes:
Added support for encoding google.api.HttpBody when building HTTP response.
Fixes#3205
Signed-off-by: Dhi Aurrahman <dio@rockybars.com>
Mirrored from https://github.com/envoyproxy/envoy @ 0cf947f44247e83dad4274a39067e738a17b2994
adds the required visibility rules and delegates the rest to the generic
api_proto_library. I tested the change by doing the following without
getting errors.
./ci/run_envoy_docker.sh './ci/do_ci.sh docs'
I changed the BUILD files using the following commands.
/envoy/api$ find . -type f -name BUILD | xargs sed -i -e 's/api_proto_library(/api_proto_library_internal(/g'
envoy/api$ find . -type f -name BUILD | xargs sed -i -e 's/"api_proto_library"/"api_proto_library_internal"/g'
Signed-off-by: mickey <mickeyju@google.com>
Mirrored from https://github.com/envoyproxy/envoy @ 4b871c0ab9350882271a490adcee44e613ed9807
* Bump protobuf dependency post 3.6.0 to 6a4fec616ec4b20f54d5fb530808b855cb664390. This
brings in the following fixes:
- https://github.com/google/protobuf/pull/4813 (fix bug when Any is directly embedded in a map)
- https://github.com/google/protobuf/pull/4812 (preserve snake/camel-case across Any)
- https://github.com/google/protobuf/pull/4811 (provide meaningful errors messages for missing fields)
* Bump PGV dependency to 345b6b478ef955ad31382955d21fb504e95f38c7. This bumps the Protobuf Go
dependency to 1.0, necessary for the above protobuf dependency bump.
Risk level: Low
Testing: Added proto conversion and validation to integration_admin_test.
Signed-off-by: Harvey Tuch <htuch@google.com>
Mirrored from https://github.com/envoyproxy/envoy @ 9bb7df6bffbf9863939a3798299892a74c16c438
Add api_go_grpc rules for metrics_service, als, and trace_service.
To support those changes, also added the necessary go_proto_library
rules in the repositories.bzl definitions for prometheus_metrics_model,
and io_opencensus_trace, and augmented the go_build_test.go to
verify these changes were correct.
Signed-off-by: William Chang <mr.williamchang@gmail.com>
Mirrored from https://github.com/envoyproxy/envoy @ fb7797fd7df696cd239cc1d3792719361b62c684
This change makes it possible to create custom Google gRPC channel credentials to be used for communication with the control plane. The current implementation only supports mutual TLS.
Risk Level: Low: optional feature, no functional change unless specifically overridden
Testing: additional unit tests.
Mirrored from https://github.com/envoyproxy/envoy @ b31452e724b024742719f16cd9adc7c8915f8c36
Signed-off-by: Daniel Hochman <danielhochman@users.noreply.github.com>
Mirrored from https://github.com/envoyproxy/envoy @ 8e95e7a7b9a737c6a9b58ef7778367f1416ba33b
Found via proto fuzzing of the server config, unbounded ring sizes can lead to resource exhaustion.
Also bumped PGV version, since even with the bound added to cds.proto, the constraint validation was
skipped due to the bug fixed in https://github.com/lyft/protoc-gen-validate/pull/73.
Risk Level: Medium (PGV bump might result in some configs that passed before failing).
Testing: server_fuzz_test regression.
Signed-off-by: Harvey Tuch <htuch@google.com>
Mirrored from https://github.com/envoyproxy/envoy @ 176e565eaec82d79ebf28d3f2bd0493f68a95180
Fixes issue #396. Once this is approved, will make Envoy side changes.
Signed-off-by: Rama rama.rao@salesforce.com
Signed-off-by: Rama <rama.rao@salesforce.com>
This brings in https://github.com/lyft/protoc-gen-validate/pull/57 which
should allow builds that depend on data-plane-api (e.g. envoy) to work when git is
configured with a proxy.
Signed-off-by: Snow Pettersen <snowp@squareup.com>
There are several main changes in this PR:
Create envoy.api.v2.core packages to break circular dependencies from xDS on to subpackages on to base protos.
Create individual packages for each filter and add independent versioning to each filter.
Add visibility constraints to prevent formation of dependency cycles.
Add gogoproto annotations to improve go code generation.
After moving xDS service definitions and top-level resource protos back to envoy.core.api.v2, cycles were created, since the second-level definitions depend on base protobuf definitions, and are in turn included from xDS; however xDS and base definitions are in the same package.
The solution is to split the base protos into another package, envoy.api.v2.core. That eliminates dependency cycles (validated using go-control-plane).
Added a few gogoproto annotations to improve golang code generation.
Signed-off-by: Kuat Yessenov <kuat@google.com>
Created new definitions in api_build_system.bzl that wrap
go_proto_library, go_grpc_library, and go_test. Changed rules in api/BUILD and
test/build/BUILD to use these new definitions. In the future these
definitions could be expanded upon for auto generation in api_proto_library.
Signed-off-by: Kyle Myerson <kmyerson@google.com>