Commit Message: contrib: add Hyperscan regex engine
Additional Description: Hyperscan has been introduced as an input matcher earlier this year. Since the regex engine interface has been completed, the patch extent the usage of Hyperscan into a contrib regex engine.
Risk Level: Low
Testing: Unit
Docs Changes: API
Release Notes: N/A
Platform Specific Features: Requires processor with SSSE3 support (nearly any modern x86 processor)
Signed-off-by: Xie Zhihao <zhihao.xie@intel.com>
Mirrored from https://github.com/envoyproxy/envoy @ 725d0b4b3e6fb84aa7dfd1ca4d5792f2dc4558b2
This PR is the first of a series to implement pattern matching and rewrite functionality for Envoy.
These specific proto changes:
Add the foundation for two extension configs
Change the API to expose the extension configs to end users
Risk Level: Low
Signed-off-by: silverstar195 <seanmaloney@google.com>
Mirrored from https://github.com/envoyproxy/envoy @ 25654b97cdd2647c258ae459e6607f51e99c99cc
Next generation Intel® QAT support with Intel® Xeon® Scalable processors
will feature an Intel® QAT cryptography and compression acceleration
engine.
QAT private key provider extension will use qatlib library
(https://github.com/intel/qatlib) to accelerate RSA operations in
handshakes. The extension will look a bit like the existing cryptomb
private key provider. The use case is to move the expensive
cryptographic operations away from the CPU to the accelerator device,
leaving CPU cycles for other use.
Support for Intel® QAT is already present in the mainline Linux kernel
and in Kubernetes device plugins (to expose the device files to
containers). There are previous generations of Intel QAT® hardware
devices, but they are not supported by this extension.
Signed-off-by: Ismo Puustinen <ismo.puustinen@intel.com>
Mirrored from https://github.com/envoyproxy/envoy @ 9447ff5bfa8081fc2ddd5918b8ee9c1fd6720c7a
This can be used when using the system resolver is desired. For
example, on Android.
Signed-off-by: Matt Klein <mklein@lyft.com>
Mirrored from https://github.com/envoyproxy/envoy @ 516b3f304bccf451691224c71a357f9c62840b2b
Creates a transport socket for HTP/1.1 proxy support.
With the combination of the transport socket, and a filter putting the proxy stream info in place this will
redirect TCP connections to the proxy IP address
prefix TLS connections with cleartext CONECT headers to the destination host, and strip CONNECT response
change cleartext HTTP/1.1 to send fully qualified URLs
Risk Level: medium (intended as a no op but it does have data plane refactory)
Testing: new unit, integration tests
Docs Changes: n/a
Part of envoyproxy/envoy-mobile#1622
Signed-off-by: Alyssa Wilk <alyssar@chromium.org>
Mirrored from https://github.com/envoyproxy/envoy @ 095f4ca336d3d705e629b207fb2cbbc22d29db8f
Signed-off-by: Sergii Tkachenko <sergiitk@google.com>
Co-authored-by: Yan Avlasov <yavlasov@google.com>
Co-authored-by: Matt Klein <mattklein123@gmail.com>
Mirrored from https://github.com/envoyproxy/envoy @ 259d76ef89bc008db6620497c424a3ca3fe97d88
Implements a special transport socket for transferring state (metadata and filter state) over the internal connection.
This transport socket captures a subset of endpoint metadata, cluster metadata, and stream filter state in the user space socket. When an internal listener accepts a user space socket connection, it immediately merges this passthrough state into the connection stream info. Because the state can be transferred from HTTP stream to TCP stream, this transport socket also participates in the hashing decisions in the HTTP connection pools.
Commit Message: Add passhtrough state over internal connection.
Risk Level: low, new extension
Testing: WIP
Docs Changes: yes
Release Notes: yes
Platform Specific Features:
Fixes: #19274
Signed-off-by: Kuat Yessenov <kuat@google.com>
Mirrored from https://github.com/envoyproxy/envoy @ 637a92a56e2739b5f78441c337171968f18b46ee
Add support for injecting regex engine with its options on startup in a bootstrap option. These are some API, runtime and implementation changes.
* google_re2 in safe_regex will be deprecated and no longer be required. Regex::parseRegex will choose the registered regex engine to parse expressions into matchers.
* A new bootstrap option default_regex_engine will be introduced for regex engine selection.
* For compatibility, GoogleRE2 will be chosen as default regex engine if no regex engine is designated.
Signed-off-by: Xie Zhihao <zhihao.xie@intel.com>
Mirrored from https://github.com/envoyproxy/envoy @ 0a92cc86e7f8b88d5af0eb2e27b5c7ef64719e56
API for Unified Header Validators
Signed-off-by: Yan Avlasov <yavlasov@google.com>
Mirrored from https://github.com/envoyproxy/envoy @ e569ce06101932cfe3ccb710c3c60b92dd09464b
udp: Add a udp_packet_packet_writer_config option to UdpListenerConfig.
Fixes#21200
Risk Level: Low
Testing: Existing and additional tests
Docs Changes: None
Release Notes: Added
Platform Specific Features: N/A
Signed-off-by: Ryan Hamilton <rch@google.com>
Mirrored from https://github.com/envoyproxy/envoy @ 3a7b26aa3909488a8561a232b82845b8b4cd38bb
Commit Message: make HTTP/3 upstream sends 0-RTT (early data) requests if it has cached 0-RTT credentials. Add a config knob in RouteAction to specify which request can be sent over early data, which by default are HTTP safe methods.
Risk Level: high, changes to conn pool behavior though should only take effect for h3 pool
Testing: added h3 upstream integration tests.
Docs Changes: N/A
Release Notes: changes to docs/root/version_history/current.rst
Platform Specific Features: N/A
Runtime guard: envoy.reloadable_features.http3_sends_early_data
Fixes#18715, #19542
Signed-off-by: Dan Zhang <danzh@google.com>
Signed-off-by: Dan Zhang <danzh@google.com>
Mirrored from https://github.com/envoyproxy/envoy @ 8ce13d75a982ddd347db5a333a4bb080922f7514
* Adding custom config-validation interface, extension, and a CDS validator.
Signed-off-by: Adi Suissa-Peleg <adip@google.com>
Mirrored from https://github.com/envoyproxy/envoy @ e58c890ded5c13e60eba3285c96ffefd6f7215cf
Introduce data inputs for connection matching as part of #18871
Signed-off-by: Kuat Yessenov <kuat@google.com>
Mirrored from https://github.com/envoyproxy/envoy @ a1181348a4f6df6011843a141814e28840d23eb5
Risk Level: Medium
Testing: unit test & manual testing
Docs Changes: update sip proxy docs
Release Notes:
Platform Specific Features:
Signed-off-by: Mingling Ding <mingling.ding01@gmail.com>
Co-authored-by: Felix Du <durd07@gmail.com>
Mirrored from https://github.com/envoyproxy/envoy @ 7174c148a0763f2ed5863c3ab341d4a9ce01c54b
This PR adds two new LB policy extension configurations, to be used in gRPC via the new load_balancing_policy field:
* round_robin: This allows configuring the built-in ROUND_ROBIN LB policy via the new extension-based API.
* wrr_locality: This is an extension config for a new policy that does ROUND_ROBIN-style locality picking and then delegates to a child LB policy extension to pick the endpoint within the locality. This will allow users to plugin their own custom endpoint-picking logic without having to reimplement the locality-picking logic.
This is a small step toward moving away from the legacy lb_policy enum. Completing that migration will require work in Envoy to create extension configs for all built-in LB policies and register those extensions.
Risk Level: Low
Testing: N/A
Docs Changes: Included in PR
Release Notes: N/A
Platform Specific Features: N/A
Signed-off-by: Mark D. Roth <roth@google.com>
Mirrored from https://github.com/envoyproxy/envoy @ 65a82d75c3ef1e15fbc4f301c9eacc269a1a6080
Introduce a new stateful session extension. This is a change after #17848#17290.
In #17290, we added a new cross-priority host map for fast host searching. In #17848, we extend `LoadBalancerContext` interface to provide an override host and to select the upstream host by the override host.
Finally, in this change, we expand a new API to allow users to extract the state of the session from the request and change the result of load balancing by setting the override host value.
Related doc: https://docs.google.com/document/d/1IU4b76AgOXijNa4sew1gfBfSiOMbZNiEt5Dhis8QpYg/edit?usp=sharing.
Risk Level: Medium
Testing: Added
Docs Changes: Added
Release Notes: Added
Platform-Specific Features: N/A.
Signed-off-by: wbpcode <wbphub@live.com>
Mirrored from https://github.com/envoyproxy/envoy @ fb2aad0303bbbcb0daabf6940c6ad97252995b98
This protobuf will be used initialy by the ext_proc filter to control
which headers may be changed by an external processing server.
This begins to address #14789 .
If the proto and the location are OK, I'll go on to add a common library to test a proposed header mutation against these rules and then incorporate them into the ext_proc filter.
The eventual result is that, by default, an external processor for ext_proc will be able to modify any header, but there will be controls that an administrator can use when connecting to a processor to control whether that processor is actually allowed to make all possible changes.
Risk Level: Low -- just the proto for now
Signed-off-by: Gregory Brail <gregbrail@google.com>
Mirrored from https://github.com/envoyproxy/envoy @ a3e50ecd88943536b4ce412c172a246dacb6288a
This change introduces a MetaProtocol proxy that provides a framework for layer-7 protocols. The common capabilities, including routing, tracing, metrics, logging, etc., will be built into the MetaProtocol proxy.
Signed-off-by: zhaohuabing <zhaohuabing@gmail.com>
Mirrored from https://github.com/envoyproxy/envoy @ de51441bfe1b6b5eeab8981037d66cde9ac5b0d7
This PR establishes the ability to filter access log production via CEL expressions over the set of Envoy attributes. This can simply the creation of Envoy access log filters, allowing complex tailoring.
Risk Level: low
Testing: unit
Docs Changes: included
Release Notes: updated
Signed-off-by: Douglas Reid <douglas-reid@users.noreply.github.com>
Mirrored from https://github.com/envoyproxy/envoy @ 77ca6cc0d9aaf0892aec3e2025fe2ad7cf0c39ff
This adds a new transport socket wrapper for collecting OS-level TCP stats and publishing them as envoy metrics, in either the cluster or listener stats namespace (depending on upstream or downstream use). This allows attributing the TCP stats to specific listeners and clusters.
Signed-off-by: Greg Greenway <ggreenway@apple.com>
Mirrored from https://github.com/envoyproxy/envoy @ b959a46661ec87bba8268a1750506695125f2b06
Based on the dicsussion in the issue https://github.com/envoyproxy/envoy/issues/17410, this PR adds
implementation for ability to add rbac policy to filter upstream ip addresses for dynamically
resolved domains (by dynamic proxy filter).
Signed-off-by: Jojy George Varghese <jojy_varghese@apple.com>
Mirrored from https://github.com/envoyproxy/envoy @ 53f95570a7e9d7fa5414a4bc145852524fa017ed
Intel's IPP (Integrated Performance Primitives) crypto library has support for multi-buffer crypto operations. Briefly, multi-buffer
cryptography is implemented with AVX-512 instructions using a SIMD (single instruction, multiple data) mechanism. Up to eight RSA or ECDSA operations are gathered together into a buffer and processed at the same time, providing potentially improved performance. The AVX-512 instructions are available on recently launched 3rd generation Xeon Scalable server processors (Ice Lake server) processors.
This commit adds a private key provider to accelerate RSA and ECDSA crypto operations on recent Intel Xeon processors. Every worker thread has a queue of up-to-eight crypto operations. When the queue is full or when the timer is triggered, the queue is processed and all the pending handshakes are notified.
The potential performance benefit depends on many factors: the size of the cpuset Envoy is running on, incoming traffic pattern, encryption type (RSA or ECDSA), and key size. In my own testing I saw the biggest performance increase when long RSA keys were used on an Envoy running in a fairly limited environment serving lots of new incoming TLS requests. For more details, see this Intel whitepaper which contains some more information about the AVX-512 instructions and potential performance increase: https://www.intel.com/content/www/us/en/architecture-and-technology/crypto-acceleration-in-xeon-scalable-processors-wp.html
Additional Description:
One new dependency is introduced: Intel’s ipp-crypto library. Currently the PR is using a development version of ipp-crypto because BoringSSL support is not yet part of any release. The ipp-crypto team has indicated that BoringSSL version will be included in future ipp-crypto releases.
Basic tests are provided, and a fake library interface is included for testing on systems without the required AVX-512 instruction set.
Risk Level: Medium (TLS security feature, not enabled by default)
Testing: Unit tests
Docs Changes: API interface is documented
Release Notes: Added CryptoMB private key provider to contrib.
Platform Specific Features: Requires Intel 3rd generation Xeon Scalable server processor for the AVX-512 IFMA instruction set.
Fixes: #15871
Signed-off-by: Ismo Puustinen <ismo.puustinen@intel.com>
Co-authored-by: Greg Greenway <ggreenway@apple.com>
Mirrored from https://github.com/envoyproxy/envoy @ 2144166ca7a3f100ecae16700bc82920b2de4871
Signed-off-by: Adam Kotwasinski <adam.kotwasinski@gmail.com>
Mirrored from https://github.com/envoyproxy/envoy @ 0c8942dd82e3991d5162c4c53ec5b2e5c1d71010
This PR addresses several issues:
1. MetadataFormatter base class takes a pointer to a function to access specific type of metadata. All other methods operating on internals of metadata structure are moved to base class. This simplified adding new types of metadata.
2. new type of access_log METADATA tag is introduced to handle all types of metadata. It is implemented as formatter extension. It handles existing tags DYNAMIC_METADATA and CLUSTER_METADATA, so two ways of accessing dynamic and cluster metadata are allowed now. Maybe we should obsolete DYNAMIC_METADATA and CLUSTER_METADATA in the future?
3. Adds handler for ROUTE metadata. See issue #3006.
Follow up to #16121
Risk Level: Low
Testing: Unit tests.
Docs Changes: Yes.
Release Notes: Yes.
Platform Specific Features: No
Signed-off-by: Christoph Pakulski <christoph@tetrate.io>
Mirrored from https://github.com/envoyproxy/envoy @ 43b597e719230c8266998394301c5d0b3c862688
Input matcher that checks that an IP{v4,v6} belongs to a list of CIDR ranges
Signed-off-by: Adrien Guinet <adrien@reblaze.com>
Mirrored from https://github.com/envoyproxy/envoy @ 6cd6a0cab68c757c785e62e0d73d881f57c97839