Generic services are deprecated since protoc version 2.4.0 (2010). Protoc plugins that generate code may require that generic services are disabled, so that they can generate their own classes of the same name.
Risk Level: Low
Fixes #25172
Signed-off-by: Sébastien CROCQUESEL <88554524+scrocquesel@users.noreply.github.com>
Mirrored from https://github.com/envoyproxy/envoy @ baec129464bba6e3651147a0d846e8c1f4610199
Add API for:
* evict_fraction: evicting a fraction of the exceeded limits extra to reduce churn.
* max_eviction_frequency: do an eviction pass before it's necessary, to ensure the stats aren't too out of date.
* min_eviction_frequency: don't do an eviction pass even if limits are reached, to reduce churn.
* create_cache_path: option to attempt to create the cache path if it does not exist.

Remove not-implemented-hide for:
* max_cache_size_bytes
* max_cache_entry_count

Clarify name for:
* max_cache_entry_size_bytes -> max_individual_cache_entry_size_bytes: to avoid confusion with max_cache_size_bytes
Risk Level: None, extension is WIP and no change to existing behavior.
Testing: n/a
Docs Changes: Adds some generated docs.
Signed-off-by: Raven Black <ravenblack@dropbox.com>
Mirrored from https://github.com/envoyproxy/envoy @ eb4933645c3f5ddd47442174cce48cf59ba9e956
This commit marks the `grpc_service` of the opentelemetry configuration as optional and if the resulting field is empty, the plugin will abstain from sending the trace data to any collection service.
This means that the opentelemetry plugin will still generate and propagate trace headers, but they will no longer be sent to the collector.
Signed-off-by: Ashish Banerjee <ashish.banerjee@solo.io>
Mirrored from https://github.com/envoyproxy/envoy @ c424ab9b0165357b715866ee2906cf3fc717e4e8
This pulls the validation listener manager code into an extension, such that there's no hard-coded dependency on the TCP listener code. It should be a no-op for Envoy and a slight memory improvement for Envoy Mobile which does not support or use validation mode.
Risk Level: low
Testing: n/a
Docs Changes: n/a
Release Notes: n/a
Signed-off-by: Alyssa Wilk <alyssar@chromium.org>
Mirrored from https://github.com/envoyproxy/envoy @ ec9099786796da6f834a6d562d0c3939c342a5e1
* Update googleapis to 114a745 and xDS API to 46e39c7
Signed-off-by: Yan Avlasov <yavlasov@google.com>
Mirrored from https://github.com/envoyproxy/envoy @ 8319b9287e5324a4f24bfd2072493c1a208cfa83
* load balancer: added maglev/ring hash load balancer extension
Signed-off-by: wbpcode <wangbaiping@corp.netease.com>
* fix the possible UH of ringhash/maglev when locality_weighted_lb_config is set or LoadBalancingPolicyConfig is used
Signed-off-by: wbpcode <wangbaiping@corp.netease.com>
* minor update
Signed-off-by: wbpcode <wangbaiping@corp.netease.com>
* remove unnecessary stdout
Signed-off-by: wbpcode <wangbaiping@corp.netease.com>
* enable locality weighted lb only when the configuration is set explicitly
Signed-off-by: wbpcode <wangbaiping@corp.netease.com>
* fix format
Signed-off-by: wbpcode <wangbaiping@corp.netease.com>
* add more test
Signed-off-by: wbpcode <wangbaiping@corp.netease.com>
* fix windows build
Signed-off-by: wbpcode <wangbaiping@corp.netease.com>
* resolve conflict
Signed-off-by: wbpcode <wangbaiping@corp.netease.com>
Signed-off-by: wbpcode <wangbaiping@corp.netease.com>
Mirrored from https://github.com/envoyproxy/envoy @ 5ba835d8ce9ff1d92b85a391f0138f9a69a71083
Adding envoy.reloadable_features.use_api_listener to control if the regular listener manager or the api listener manager is used. Note this does not use the usual reloadable or restart flags mechanism (due to it not being loaded at the time) but instead checks for the string literal in bootstrap YAML.
Risk Level: low
Testing: new integration test
Docs Changes: n/a
Release Notes: n/a
Signed-off-by: Alyssa Wilk <alyssar@chromium.org>
Mirrored from https://github.com/envoyproxy/envoy @ a9d852b50511c1ff59a96815a38811f9853b00ed
Adds additional validation that the sum of weights of weighted clusters in a route does not exceed max uint32.
Risk Level: low - although this is a new validation, previously there was a similar validation when total_weight was used.
Testing: Added unit test
Signed-off-by: Adi Suissa-Peleg <adip@google.com>
Mirrored from https://github.com/envoyproxy/envoy @ 0a2f59240b4b005be0a9a5824c5e6c1604028d86
Signed-off-by: Thomas van Noort <thomas.vannoort@datadoghq.com>
Commit Message: ratelimit: allow metadata descriptors to be skipped
Risk Level: low
Testing: added unit tests
Docs Changes: per the protobuf definitions
Release Notes: N/A
Platform Specific Features: N/A
Additional Description:
The default behaviour was to skip calling the rate limiting service whenever the metadata key was not found and the default value was not set. This was not correctly documented (nor tested) since it mentioned that only the descriptor was skipped whereas the rate limiting service was skipped altogether.
This adds a skip_if_absent field in the same spirit as for the request headers action: if set to true it skips the descriptor but still calls the rate limiting service, otherwise it skips the rate limiting service.
Note that the deprecated dynamic metadata action does not support this field and defaults to false.
Mirrored from https://github.com/envoyproxy/envoy @ 40fb636fb3ba7d502625614ed613d4e97e140b3e
Remove max_items=2 validation rules from sds configs proto.
Add test cases to verify that multiple sds configs are allowed
and works with SNI-based cert selection.
Fixes #24824
Signed-off-by: Luyao Zhong <luyao.zhong@intel.com>
Mirrored from https://github.com/envoyproxy/envoy @ fb48a7d2d41e6237640d73d5ec39d103feb8e73e
* Clarify that on-demand CDS does not support SotW xDS
Signed-off-by: Jacek Ewertowski <jewertow@redhat.com>
Mirrored from https://github.com/envoyproxy/envoy @ cdc1c1d80b6fdf5b5c1fe33168feccb162bf5d51
While we return the connection to the pool, the idle timeout starts ticking until the connection is reused.
If the timeout fires, we close the connection and let the pool know.
Fixes #23699
Signed-off-by: kuochunghsu <kuochunghsu@pinterest.com>
Mirrored from https://github.com/envoyproxy/envoy @ 57b1c7213327ce6a505d7a8e2209db31561f85d0
Move checks for headers with underscores to UHV when it is enabled
While UHV has implemented checks for header names with underscores, the corresponding checks in codec_impl.cc were not disabled. This PR removes this check from codecs when ENVOY_ENABLE_UHV is defined, such that code in UHV is exercised.
Also added missing plumbing for the stats for header map modification done by UHV.
Signed-off-by: Yan Avlasov <yavlasov@google.com>
Mirrored from https://github.com/envoyproxy/envoy @ cdbf0703ac84d0b38edc93018735dd021ad02061
Signed-off-by: Ryan Northey <ryan@synca.io>
Signed-off-by: Ryan Northey <ryan@synca.io>
Mirrored from https://github.com/envoyproxy/envoy @ cce99bf8b006b16b1be212c18cc0a267e72fe7da
Envoy supports selecting certs by selecting filter chain based on SNI.
But it is possible that we access different services via one filter
chain, which requires SNI-based cert selection in one single filter
chain during handshake.
This change is merged by #22036 and reverted by #24475.
Signed-off-by: Luyao Zhong <luyao.zhong@intel.com>
Mirrored from https://github.com/envoyproxy/envoy @ ffa7295273834e2c777b1464896397bb05c0f68a
Postgres filter can negotiate upstream SSL connection with Postgres server and enable upstream encryption.
Upon receiving the initial postgres request, the filter buffers the received packet (without sending it) and sends to the upstream server a request to establish SSL connection. When the server agrees, the postgres filter enables upstream STARTTLS transport socket and sends the previously buffered initial packet. From now on, the connection to upstream is encrypted and the filter can read the postgres payloads in clear-text.
If the server does not agree to SSL or converting STARTTLS transport socket to secure mode fails, depending on the configuration, the filter may continue in clear-text or may tear down the connection.
Risk Level: Low
Testing: unit, integration and manual tests.
Docs Changes: yes.
Release Notes: yes
Platform Specific Features: No
Fixes #19527
Signed-off-by: Christoph Pakulski <christoph@tetrate.io>
Mirrored from https://github.com/envoyproxy/envoy @ 0ce6cf5fc3b54185b068ac0b6ec2dd5e461fc3cb
* "Adding back ECDS config dump support. (#23902)" which is reverted by (#24354)
This reverts commit c5d61600db75c3effe25fa1a5e096d8a7936663a.
* Fixing test coverage issue due to an early return and a couple of comment lines.
Signed-off-by: Yanjun Xiang <yanjunxiang@google.com>
Mirrored from https://github.com/envoyproxy/envoy @ df2f00a7e2e5b841d1032ca4c2607b5e939c47bf
This reverts commit 3752119b94ae4a5ff337364f585f54305406dc7f.
Mirrored from https://github.com/envoyproxy/envoy @ c5d61600db75c3effe25fa1a5e096d8a7936663a
This allows setting socket options without specifying an address to
bind for upstream connections.
Signed-off-by: Greg Greenway <ggreenway@apple.com>
Mirrored from https://github.com/envoyproxy/envoy @ 7010984aeffe27aea0e6cbf452ef7c20139c6a43
Envoy supports selecting certs by selecting filter chain based on SNI.
But it is possible that we access different services via one filter
chain, which requires SNI-based cert selection in one single filter
chain during handshake.
Signed-off-by: Luyao Zhong <luyao.zhong@intel.com>
Mirrored from https://github.com/envoyproxy/envoy @ 96530246347cea4a439bd1d861c530b1940b49a6
Sometimes when an application doesn't bind to localhost and the machine uses iptables for traffic redirection, HDS might need to override the source address for iptables to redirect traffic to the application instead of getting into the loop.
Risk Level: Low
Testing: small unit test configuration, upstream cluster tests binding functionality, manual testing
Docs Changes: API docs
Release Notes:
Platform Specific Features: no
Signed-off-by: Łukasz Dziedziak <lukidzi@gmail.com>
Mirrored from https://github.com/envoyproxy/envoy @ 74bef6aac36a45a2b8f1812dcd3e31c7eb46db3e