Switch to using a data source for a more usable API
Risk Level: low (just recently merged the API)
Signed-off-by: Kuat Yessenov <kuat@google.com>
Mirrored from https://github.com/envoyproxy/envoy @ abb575aec73b505bddddcb96c5e858088f331bac
The first half of proxying TCP over HTTP/1, sending the TCP over an HTTP connection.
Risk Level: Low (new code config guarded, minor TCP proxy refactors)
Testing: new integration tests, unit tests
Docs Changes: n/a (will land docs when the other half makes it usable)
Release Notes: n/a
Part of #1630
Signed-off-by: Alyssa Wilk <alyssar@chromium.org>
Mirrored from https://github.com/envoyproxy/envoy @ 213d09d200d8bc7504f19ab3945cbb6342483d48
This enables "non-strict" header validations, that match the ones in place with Envoy's ASSERT(valid()) code. The default strict: true checks checked for RFC-compliance, which may break previously valid configs.
Part of #10318
Signed-off-by: Asra Ali <asraa@google.com>
Mirrored from https://github.com/envoyproxy/envoy @ 97a76d991766d96df2e84a1f2e33b69cae844471
The partial implementation of #10254. Adding a support for http header responsible for injecting faults - aborting requests with x-envoy-fault-abort-request HTTP header set.
Risk Level: low, new feature.
Testing: Added
Docs Changes: Added
Release Notes: Added
Signed-off-by: Rafal Augustyniak <raugustyniak@lyft.com>
Mirrored from https://github.com/envoyproxy/envoy @ 55971b23978b961da71c80b49ddede4c88f24eab
This filter transform HTTP requests to AWS Lambda invocations.
The filter supports pass-through only. Meaning, the request body
is passed to Lambda as is. Note: Lambda requires the request to be in
JSON format.
In a later iteration, we'll wrap the headers the body in a JSON string
before passing it to Lambda.
The filter requires the ARN of the Lambda function and supports
per-filter-config. When the per-filter configuration is used, the target
cluster must be tagged with specific metadata. This indicates to the
filter whether to process the request or to skip it.
Lambda supports two invocation modes:
- Synchronous (Request-Response)
- Asynchronous (Event)
This initial version of the filter supports the synchronous mode only.
In a later iteration I'll add support for the asynchronous (Event-based)
version.
Signed-off-by: Marco Magdy <mmagdy@gmail.com>
Mirrored from https://github.com/envoyproxy/envoy @ 807401004d500899e9aa4c78fce007cf83b538cd
There were a few things missing to make this filter work with S3:
* empty body requests (e.g.: GET) still need a sha256 content header
(the empty string hash)
* requests for s3 shouldn't sign all headers (especially because some
of them might change, e.g.: x-forwarded-for)
* when proxying requests to s3, HCM's host rewrite won't work so
support it as a filter config option
* ditto for prefix rewrite
Signed-off-by: Raul Gutierrez Segales <rgs@pinterest.com>
Mirrored from https://github.com/envoyproxy/envoy @ 28f33a776960dd717d4b57da73b0dbce7dbb3e85
Add a new hash method based on Hashable object in FilterState.
Risk Level: LOW (new method)
Testing: unit tests
Docs Changes: N/A
Release Notes: N/A
Fixes#9701
Signed-off-by: Xin Zhuang <stevenzzz@google.com>
Mirrored from https://github.com/envoyproxy/envoy @ cfa91de1a284a8be848cfbd5844a89157baf64d2
Implement a retry policy for remote data sources.
Risk Level: Low
Testing: Unit test
Docs Changes: N/A
Release Notes: added
Fixes: #9438
Signed-off-by: Yan Xue <yxyan@google.com>
Mirrored from https://github.com/envoyproxy/envoy @ bd7c97858556c2851589d7fb73a25e99b8687df3
Modifies the well-known-names of the built-in listener filters
to use the same names as the extension build system.
Risk Level: low, previous name is still accepted
Testing: existing tests + deprecated tests for old names
Docs Changes: updated names
Release Notes: updated
Deprecated: old names are logged as deprecated
Signed-off-by: Stephan Zuercher <zuercher@gmail.com>
Mirrored from https://github.com/envoyproxy/envoy @ 6c2137468c25d167dbbe4719b0ecaf343bfb4233
Ignores RST code blocks, double-backtick literals, and links.
Ignores single-, double- or asterisk-quoted words containing
letters, numbers, hyphens and periods. Single- and double-quoted
words may contain asterisks as well. Ignores code-like expressions
in single backticks (e.g. `namespace::template<T>`). Ignores
tuple-like expressions. Better smart quote handling. Prefix and
suffixes can be stored in the word list but are handled specially.
Risk Level: low, build only
Testing: unit tests
Docs Changes: cleanup
Release Notes: n/a
Signed-off-by: Stephan Zuercher <zuercher@gmail.com>
Mirrored from https://github.com/envoyproxy/envoy @ 56cfb638edd241887338816eecda12fc66f57e9e
Modifies the jwt_authn docs to make it clear that the JWT payload
forwarded to the backend service is encoded with base64url and not
regular base64.
Signed-off-by: Joshua Welsh <Jawshua@users.noreply.github.com>
Mirrored from https://github.com/envoyproxy/envoy @ 609458bbd178100f956ee8587c1092abfb9a99f2
Modifies the well-known-names of the built-in http filters
to use the same names as the extension build system.
Handles transition of per-filter-configs.
Risk Level: low, previous name is still accepted
Testing: existing tests + deprecated tests for old names
Docs Changes: updated names
Release Notes: updated
Deprecated: old names are logged as deprecated
Signed-off-by: Stephan Zuercher <zuercher@gmail.com>
Mirrored from https://github.com/envoyproxy/envoy @ c5c1e5bb6570f81f30dd48d8b379392c84e81fe0
Support path rewriting using regular expressions and optionally capture groups. This PR is like #8462, but using the safe regular expression support.
Risk Level: Medium, since it slightly modifies the existing `prefix_rewrite` code.
Testing: Unit tests are added to `test/common/router/config_impl_test.cc`, runnable with `bazel test //test/common/router:config_impl_test`
Docs Changes: Any doc that references `prefix_rewrite` has been changed to reference `regex_rewrite` as well, if appropriate.
Release Notes: A bullet is added to `docs/root/intro/version_history.rst` mentioning the new support.
Signed-off-by: James Hennessy <jph@us.ibm.com>
Mirrored from https://github.com/envoyproxy/envoy @ 10d40f51e3e223153d9e9286b2b784b3c2e111b8
This is the new style for indicating a file is WiP and subject to
breaking changes. Rather than rely on alpha major versions, which are
coarse grained and introduce migration difficulties for operators, we
use a file-level annotation.
Risk level: Low
Testing: API/docs build, manual inspection of docs.
Fixes#9769.
Signed-off-by: Lizan Zhou <lizan@tetrate.io>
Co-authored-by: htuch <htuch@users.noreply.github.com>
Mirrored from https://github.com/envoyproxy/envoy @ 423fe76d5572bb4f1505391ccaaacf39b2bf2c85
Modifies the well-known-names of the built-in network filters
to use the same names as the extension build system.
Risk Level: low, previous name is still accepted
Testing: existing tests + deprecated tests for old names
Docs Changes: updated names
Release Notes: updated
Deprecated: old names are logged as deprecated
Signed-off-by: Stephan Zuercher <zuercher@gmail.com>
Mirrored from https://github.com/envoyproxy/envoy @ c0ab3a4374144728c1e193fc2d43951ed36ccdb7
Description: Add a new PathMatcher that strips the query and/or fragment string from the ":path" header before matching, use it in route, JWT and RBAC.
Risk Level: Low
Testing: Added unit tests and integration tests
Docs Changes: Updated types.rst for PathMatcher
Release Notes: Updated version_history.rst for RBAC API change
Signed-off-by: Yangmin Zhu <ymzhu@google.com>
Mirrored from https://github.com/envoyproxy/envoy @ 7ea52d5e2b0bccbd3263a805e38778fa132b715d
Modifies the well-known-names of the built-in stat sinks and
tracers to use the same name as the extension build system.
Risk Level: low, previous name is still accepted
Testing: existing tests + deprecated tests for old names
Docs Changes: updated names
Release Notes: updated
Deprecated: old names are logged as deprecated
Signed-off-by: Stephan Zuercher <zuercher@gmail.com>
Mirrored from https://github.com/envoyproxy/envoy @ b09184f8e9e17839f555f78ad8dbbcc57e3709db
Modifies the well-known-names of the built-in access loggers to
use the same name as the extension build system.
Risk Level: low, previous name is still accepted
Testing: existing tests
Docs Changes: updated names
Release Notes: updated
Deprecated: old names are logged as deprecated
Signed-off-by: Stephan Zuercher <zuercher@gmail.com>
Mirrored from https://github.com/envoyproxy/envoy @ 9cc7a5caf2961947d6c5eea18a1afbbbc13af82b
Description:
This PR adds support of generic secret type in secret manager. The goal is to enable filters to access generic secret.
Risk Level: Medium
Testing: Unit test, Integration test
Docs Changes: Changed
Release Notes: Changed
Signed-off-by: bennettdong <xiangfeid@gmail.com>
Mirrored from https://github.com/envoyproxy/envoy @ f64ade1d90d9209982008391f337ed76e7aca3d2
This new alpha filter injects authentication headers for requests
directed at AWS services that require authentication.
Note:
Requests over plain HTTP aren't handled yet, since the message body
needs to be signed.
Fixes#9708
Signed-off-by: Raul Gutierrez Segales <rgs@pinterest.com>
Mirrored from https://github.com/envoyproxy/envoy @ ee2306673b79215641be02893cb4d8b2b256c466
In ext_authz HTTP implementation, when user set content-length as one of
the allowed headers patterns as part of request authorization, we should
skip setting it since it is already configured at initialization and the
value depends on the request_size.
Signed-off-by: Dhi Aurrahman <dio@tetrate.io>
Mirrored from https://github.com/envoyproxy/envoy @ aaf67bba8c0fd245dbdd41b7c9eef6639ecbfa0d