Add API for:
evict_fraction: evicting a fraction of the exceeded limits extra to reduce churn.
max_eviction_frequency: do an eviction pass before it's necessary, to ensure the stats aren't too out of date.
min_eviction_frequency: don't do an eviction pass even if limits are reached, to reduce churn.
create_cache_path: option to attempt to create the cache path if it does not exist.
Remove not-implemented-hide for:
max_cache_size_bytes
max_cache_entry_count
Clarify name for:
max_cache_entry_size_bytes -> max_individual_cache_entry_size_bytes: to avoid confusion with max_cache_size_bytes
Risk Level: None, extension is WIP and no change to existing behavior.
Testing: n/a
Docs Changes: Adds some generated docs.
Signed-off-by: Raven Black <ravenblack@dropbox.com>
Mirrored from https://github.com/envoyproxy/envoy @ eb4933645c3f5ddd47442174cce48cf59ba9e956
This commit marks the `grpc_service` of the opentelemtry configuration as optional and if the resulting field is empty, the plugin will abstain from sending the trace data to any collection service.
This means that the opentelemetry plugin will still generate and propagate trace headers, but they will no longer be sent to the collector.
Signed-off-by: Ashish Banerjee <ashish.banerjee@solo.io>
Mirrored from https://github.com/envoyproxy/envoy @ c424ab9b0165357b715866ee2906cf3fc717e4e8
* load balancer: added maglev/ring hash load balancer extension
Signed-off-by: wbpcode <wangbaiping@corp.netease.com>
* fix the possbile UH of ringhash/maglev when locality_weighted_lb_config is set or LoadBalancingPolicyConfig is used
Signed-off-by: wbpcode <wangbaiping@corp.netease.com>
* minor update
Signed-off-by: wbpcode <wangbaiping@corp.netease.com>
* remove uncessary stdout
Signed-off-by: wbpcode <wangbaiping@corp.netease.com>
* enable locality weighted lb only when he configuration is set eexplicitly
Signed-off-by: wbpcode <wangbaiping@corp.netease.com>
* fix format
Signed-off-by: wbpcode <wangbaiping@corp.netease.com>
* add more test
Signed-off-by: wbpcode <wangbaiping@corp.netease.com>
* fix windows build
Signed-off-by: wbpcode <wangbaiping@corp.netease.com>
* resolve cconflict
Signed-off-by: wbpcode <wangbaiping@corp.netease.com>
Signed-off-by: wbpcode <wangbaiping@corp.netease.com>
Mirrored from https://github.com/envoyproxy/envoy @ 5ba835d8ce9ff1d92b85a391f0138f9a69a71083
Signed-off-by: Thomas van Noort thomas.vannoort@datadoghq.com
Commit Message: ratelimit: allow metadata descriptors to be skipped
Risk Level: low
Testing: added unit tests
Docs Changes: per the protobuf definitions
Release Notes: N/A
Platform Specific Features: N/A
Additional Description:
The default behaviour was to skip calling the rate limiting service whenever the metadata key was not found and the default value was not set. This was not correctly documented (nor tested) since it mentioned that only the descriptor was skipped whereas the rate limiting service was skipped altogether.
This adds a skip_if_absent field in the same spirit as for the request headers action: if set to true it skips the descriptor but still calls the rate limiting service, otherwise it skips the rate limiting service.
Note that the deprecated dynamic metadata action does not support this field and defaults to false.
Mirrored from https://github.com/envoyproxy/envoy @ 40fb636fb3ba7d502625614ed613d4e97e140b3e
Remove max_items=2 validation rules from sds configs proto.
Add test cases to verify that multiple sds configs is allowed
and works with SNI-based cert selection.
Fixes#24824
Signed-off-by: Luyao Zhong <luyao.zhong@intel.com>
Mirrored from https://github.com/envoyproxy/envoy @ fb48a7d2d41e6237640d73d5ec39d103feb8e73e
* Clarify that on-demand CDS does not support SotW xDS
Signed-off-by: Jacek Ewertowski <jewertow@redhat.com>
Mirrored from https://github.com/envoyproxy/envoy @ cdc1c1d80b6fdf5b5c1fe33168feccb162bf5d51
While we return the connection to the pool, the idle timeout starts ticking until the connection is reused.
If the timeout fires, we closes the connection and let the pool knows.
Fixes#23699
Signed-off-by: kuochunghsu <kuochunghsu@pinterest.com>
Mirrored from https://github.com/envoyproxy/envoy @ 57b1c7213327ce6a505d7a8e2209db31561f85d0
Move checks for headers with underscores to UHV when it is enabled
While UHV has implemented checks for header names with underscores, the corresponding checks in codec_impl.cc was not disabled. This PR removes this check from codecs when ENVOY_ENABLE_UHV is defined, such that code in UHV is exercised.
Also added missing plumbing for the stats for header map modification done by UHV.
Signed-off-by: Yan Avlasov <yavlasov@google.com>
Mirrored from https://github.com/envoyproxy/envoy @ cdbf0703ac84d0b38edc93018735dd021ad02061
Envoy supports selecting certs by selecting filter chain based on SNI.
But it is possible that we access different services via one filter
chain, which requires SNI-based cert selection in one single filter
chain during handshake.
This change is merged by #22036 and reverted by #24475.
Signed-off-by: Luyao Zhong <luyao.zhong@intel.com>
Mirrored from https://github.com/envoyproxy/envoy @ ffa7295273834e2c777b1464896397bb05c0f68a
Envoy supports selecting certs by selecting filter chain based on SNI.
But it is possible that we access different services via one filter
chain, which requires SNI-based cert selection in one single filter
chain during handshake.
Signed-off-by: Luyao Zhong <luyao.zhong@intel.com>
Mirrored from https://github.com/envoyproxy/envoy @ 96530246347cea4a439bd1d861c530b1940b49a6
This is just an improvement to async_fetch feature of remote jwks.
* For a successful fetch, adjust its re_fetch time to be the jwks_cache_duration - 5s. This is to avoid of triggering on-demand fetching. During authentication, if jwks is not fetched, or is expired, it will trigger an on-demand fetching. If async_fetch can refetch the jwks a little bit earlier, it will avoid the on-demand fetch.
* For a failed fetch, trigger a re_fetch after 1 second. Getting jwks is important. We should keep retrying. This retrying is after [remote_jwks.retry_policy](https://github.com/envoyproxy/envoy/blob/main/api/envoy/extensions/filters/http/jwt_authn/v3/config.proto#L366).
Risk Level: Low, added more frequence refetch for a failed remote jwks uri.
Testing: unit-tested
Docs Changes: None
Release Notes: Yes
Signed-off-by: Wayne Zhang <qiwzhang@google.com>
Mirrored from https://github.com/envoyproxy/envoy @ 4e40d6ad5f98cd3c86f1398bb8990b1d88bdfe92
Risk Level: low
Testing: unittest
Docs Changes: API doc
Release Notes: new feature
Fixes#24038
Signed-off-by: He Jie Xu <hejie.xu@intel.com>
Mirrored from https://github.com/envoyproxy/envoy @ ea2cdc3a164430ee43ff216655aaaac7fada51ed
Add support for intermediate CA as trusted_ca with
X509_V_FLAG_PARTIAL_CHAIN
Signed-off-by: Luyao Zhong <luyao.zhong@intel.com>
Mirrored from https://github.com/envoyproxy/envoy @ 14015bb2a68d44e9429556e447bfa6fe84e3bb37
Add support for allowlisting request headers included in the check request to the authorization server, be it HTTP or gRPC (currently, this is supported for HTTP only). This patch deprecates the current allowed_headers config field (on the authorization_request message) and introduces a new one on the ext_authz message. To note is that the default behaviour (i.e. no config specified) differs based on the type of authorization server (this is to maintain backwards compatibility).
Signed-off-by: rulex123 <erica.manno@gmail.com>
Mirrored from https://github.com/envoyproxy/envoy @ fc49bd76e849bd056a709e9fa4064ccc66ea1660
Upstream filters specified in the router will apply if there are no filters specified in the cluster.
Risk Level: Low.
Testing: Unit and Integration testing.
Signed-off-by: Paul Gallagher <pgal@google.com>
Mirrored from https://github.com/envoyproxy/envoy @ 9bb570fded9246762d087c8d2c8fe9733ad0dbff
This patch adds the claim_to_headers field to the JwtProvider config to copy jwt claims to http headers.
Risk Level: Low, a new feature
Testing: Added
Docs Changes: Added
Release Notes: Added
Fixes#15062
Signed-off-by: Aryan Gupta <garyan@google.com>
Mirrored from https://github.com/envoyproxy/envoy @ 287ccb9daafb3df3f42f6d83bbffd965c49cddb9
This is a comments-changes-only PR.
The `ExternalProcessor` has a `mutation_rules` field, whose purpose is
to let users modify otherwise-restricted headers, such as `"host"` and
`":authority"`. Odds are that users who are modifying such headers are
trying to influence the routing decisions that Envoy makes, such as was
the case in https://github.com/envoyproxy/envoy/issues/23919.
However, setting only `"host"` or `":authority"` is not sufficient to
change such routing decisions; users must also set a `clear_route_cache`
field.
This PR hopes to avoid confusion about those two fields, like that in
https://github.com/envoyproxy/envoy/issues/23919, by improving the
comments on the `mutation_rules` field.
Signed-off-by: Robert-Jan Huijsman <22160949+rjhuijsman@users.noreply.github.com>
Mirrored from https://github.com/envoyproxy/envoy @ 43dde7800d6057406ef52dd1c0982a0028c558fa
Some stats like `no_route` and `idle_timeout` can't be printed by session access log,
so we need proxy-level access logging to log global stats.
Additional Description:
Risk Level: Low
Fixes#23241
Signed-off-by: giantcroc <changran.wang@intel.com>
Mirrored from https://github.com/envoyproxy/envoy @ 33fce6bd1925a5c26eb41ed584de0c9422b5e4fb
This filter is configured with request_rules that will be matched against requests. A field_selector of a rule represents the head of a linked list, each node of the linked list has a name for logging and an id for matching. The field_selector is tied to a payload field when the linked list corresponds to a downward path which rooted in the top-level of the request message structure. on_present is triggered when corresponding the payload is present. Otherwise, on_missing is triggered.
This filter is designed to support payload passthrough. By performing payload to metadata filter can do deserialization once, and pass the metadata to other filters. This means that load balancing decisions, consumed from log and routing could all use payload information with a single parse. Also notably performing the parsing in payload passthrough buffer will mean deserialization once and not re-serializing, which is the most performant outcome.
Risk Level: low
Testing: unit
Docs Changes: multiple rst
Fixes#23322
Signed-off-by: kuochunghsu <kuochunghsu@pinterest.com>
Mirrored from https://github.com/envoyproxy/envoy @ cd208a5dbc281dcc27a8155a210037267c08ff6f
remove an extra dot in docs
Signed-off-by: Peter Jausovec <peter.jausovec@gmail.com>
Mirrored from https://github.com/envoyproxy/envoy @ 82667905a934826576e817a8222b0e1117b79b15
make QUIC connection ID generation an extension point with currently in-use EnvoyDeterministicConnectionIdGenerator as the default implementation.
Additional Description: fix some previously unused QUICHE build targets.
Risk Level: low, control plane change
Testing: added new unit tests
Docs Changes: docs/root/api-v3/config/quic/quic_extensions.rst
Release Notes: N/A
API Considerations: interface naming and documentation
Signed-off-by: Dan Zhang <danzh@google.com>
Mirrored from https://github.com/envoyproxy/envoy @ 02ebc03205cfae5b26ce890050b9d1b6e0c2d1f5
* xds: add config for random and maglev load balancer extensions
Signed-off-by: wbpcode <wangbaiping@corp.netease.com>
* update extension type to envoy.load_balancing_policies because envoy.clusters is extension type for custom cluster
Signed-off-by: wbpcode <wangbaiping@corp.netease.com>
Signed-off-by: wbpcode <wangbaiping@corp.netease.com>
Mirrored from https://github.com/envoyproxy/envoy @ e4352708f7991872159dd8db12d379d190da1e26