Commit Message: kafka: close connection when rejectable request appears
Additional Description: provides https://github.com/envoyproxy/envoy/issues/36978 by making the broker filter check the requests' API key against allow/denylists in the config - if we find a request to reject, we just close the connection. There is also a bonus: this sets up a framework for "_close connection if we don't like the request_" that we can expand upon later.
Risk Level: Low
Testing: automated (no filtering) + manual (filtering)
Docs Changes: Kafka broker .rst
Release Notes: n/a
Platform Specific Features: n/a
---------
Signed-off-by: Adam Kotwasinski <adam.kotwasinski@gmail.com>
Mirrored from https://github.com/envoyproxy/envoy @ c30d173544a6ac6646201f8766eb851c7c9e0bc6
<!--
!!!ATTENTION!!!
If you are fixing *any* crash or *any* potential security issue, *do not* open a pull request in this repo. Please report the issue via emailing envoy-security@googlegroups.com where the issue will be triaged appropriately.
Thank you in advance for helping to keep Envoy secure.
!!!ATTENTION!!!
For an explanation of how to fill out the fields, please see the relevant section in [PULL_REQUESTS.md](https://github.com/envoyproxy/envoy/blob/main/PULL_REQUESTS.md)
-->
Commit Message:
Additional Description:
Risk Level:
Testing:
Docs Changes:
Release Notes:
Platform Specific Features:
[Optional Runtime guard:]
[Optional Fixes #Issue]
[Optional Fixes commit #PR or SHA]
[Optional Deprecated:]
[Optional [API Considerations](https://github.com/envoyproxy/envoy/blob/main/api/review_checklist.md):]
---------
Signed-off-by: wbpcode <wbphub@gmail.com>
Mirrored from https://github.com/envoyproxy/envoy @ 44ad1a7db101abe2d42752c21a24913060da8e06
Looks like it broke prechecks
Signed-off-by: Alyssa Wilk <alyssar@chromium.org>
Mirrored from https://github.com/envoyproxy/envoy @ 6145b7e9cc68061aaaa1c003d6f995e3e4499269
Commit Message: generic proxy: move generic proxy from contrib into extensions
Additional Description:
The generic proxy is designed as a framework to empower developers to develop new L7 proxies for various L7 protocols.
It's been used for multiple different private protocols now in the production environments of our users. And recently, I completed the last part of the generic proxy: the filter chain support for variable-length streams.
And besides the private protocols, we use the generic proxy to implement Kafka proxying and Pulsar proxying and conditional traffic routing (part of this work has been contributed back to Envoy).
After an offline discussion with other maintainers, I am preparing to move the generic proxy to extensions now.
Risk Level: low.
Testing: n/a.
Docs Changes: n/a.
Release Notes: n/a.
Platform Specific Features: n/a.
---------
Signed-off-by: wbpcode <wbphub@live.com>
Signed-off-by: wbpcode <wbphub@gmail.com>
Co-authored-by: wbpcode <wbphub@live.com>
Mirrored from https://github.com/envoyproxy/envoy @ 0dbd4418f6a4b2c649b7c88cff4ec2bec872a9c6
* generic proxy: complete the development of HTTP1 codec
Signed-off-by: wbpcode <wbphub@live.com>
* minor update
Signed-off-by: wbpcode <wbphub@live.com>
* add TODOs
Signed-off-by: wbpcode <wbphub@live.com>
* more validation and single frame mode for HTTP
Signed-off-by: wbpcode <wbphub@live.com>
* more test and validation
Signed-off-by: wbpcode <wbphub@live.com>
* handle the 100 continue and the 1xx response
Signed-off-by: wbpcode <wbphub@live.com>
* minor update
Signed-off-by: wbpcode <wbphub@live.com>
* address comments
Signed-off-by: wbpcode <wbphub@live.com>
* address comments
Signed-off-by: wbpcode <wbphub@live.com>
---------
Signed-off-by: wbpcode <wbphub@live.com>
Mirrored from https://github.com/envoyproxy/envoy @ ffcc257e16c9046b2fec7497a6bf9293d8ada286
Additional Description: The CryptoMB private key provider only supports RSA at the moment; the patch adds ECDSA support to it.
Risk Level: Low (as contrib extension)
Testing: Unit and integration tests
Docs Changes: N/A
Release Notes: N/A
Platform Specific Features: Requires AVX512 or equivalent CPU instruction set
Signed-off-by: Xie Zhihao <zhihao.xie@intel.com>
Mirrored from https://github.com/envoyproxy/envoy @ 8dcb3165334b8d9fdec7bb9f5f0b103d97f858d3
Commit Message: proto: correct go_package of contrib
Additional Description:
This fixes up the go_package descriptor on contrib/ protos. I am not sure how the Bazel protoc stuff works, but the standard proto compiler seems to trip up on this being incorrect and generates invalid imports.
Risk Level: Low
Testing: Manual
Mirrored from https://github.com/envoyproxy/envoy @ f97242a970eb6637b2aa8bba916f589672a1d190
The repo was renamed from cncf/udpa to cncf/xds a long time ago; this is just to reflect this in the Bazel repo name.
Otherwise this is a noop.
Risk Level: Low
Testing: do_ci.sh
Signed-off-by: Sergii Tkachenko <sergiitk@google.com>
Mirrored from https://github.com/envoyproxy/envoy @ f66bd34bf2060e71516456354202abb8ea23ba71
Signed-off-by: Adam Kotwasinski <adam.kotwasinski@gmail.com>
Mirrored from https://github.com/envoyproxy/envoy @ 70ba63a2e676f8676ab65840066729667c0af9bb
Signed-off-by: Adam Kotwasinski <adam.kotwasinski@gmail.com>
Mirrored from https://github.com/envoyproxy/envoy @ c2630addb1ac2984531c07317af5f9dd882b2a01
A new custom matcher for generic proxy is added to simplify the route table. When a simple AND semantic is used, users needn't write complex configuration to combine different input/match.
Risk Level: low.
Testing: unit.
Signed-off-by: wbpcode <wangbaiping@corp.netease.com>
Mirrored from https://github.com/envoyproxy/envoy @ b8e112190ef14bced0509a0fb201b5ee49da46d7
Signed-off-by: Adam Kotwasinski <adam.kotwasinski@gmail.com>
Mirrored from https://github.com/envoyproxy/envoy @ 5e83af5042ec4ff87cad9d3baf476fbd57a7d048
Generic services have been deprecated since protoc version 2.4.0 (2010). Protoc plugins that generate code may require that generic services are disabled, so that they can generate their own classes of the same name.
Risk Level: Low
Fixes #25172
Signed-off-by: Sébastien CROCQUESEL <88554524+scrocquesel@users.noreply.github.com>
Mirrored from https://github.com/envoyproxy/envoy @ baec129464bba6e3651147a0d846e8c1f4610199
Postgres filter can negotiate an upstream SSL connection with the Postgres server and enable upstream encryption.
Upon receiving the initial Postgres request, the filter buffers the received packet (without sending it) and sends to the upstream server a request to establish an SSL connection. When the server agrees, the Postgres filter enables the upstream STARTTLS transport socket and sends the previously buffered initial packet. From now on, the connection to upstream is encrypted and the filter can read the Postgres payloads in clear text.
If the server does not agree to SSL or converting the STARTTLS transport socket to secure mode fails, depending on the configuration, the filter may continue in clear text or may tear down the connection.
Risk Level: Low
Testing: unit, integration and manual tests.
Docs Changes: yes.
Release Notes: yes
Platform Specific Features: No
Fixes #19527
Signed-off-by: Christoph Pakulski <christoph@tetrate.io>
Mirrored from https://github.com/envoyproxy/envoy @ 0ce6cf5fc3b54185b068ac0b6ec2dd5e461fc3cb
Add a Dubbo codec for generic proxy to support proxying Dubbo traffic through the generic proxy. It's a simple wrapper around the common Dubbo codec (`/source/extensions/common/dubbo`).
Risk Level: n/a. new feature.
Testing: Unit.
Docs Changes: n/a.
Release Notes: Added.
Platform Specific Features: n/a.
Signed-off-by: wbpcode <wangbaiping@corp.netease.com>
Mirrored from https://github.com/envoyproxy/envoy @ ab0abb640b1e501c66762c45b164529378c6bf66
* generic proxy: make the L7 filter configurable repeatedly
Signed-off-by: wbpcode <wangbaiping@corp.netease.com>
Mirrored from https://github.com/envoyproxy/envoy @ 5a14b1a5b4b35de6dbb764fd1f5cdfb50614b095
An xDS delegate extension point was added in #22473 to enable custom behavior upon receiving and loading xDS resources. This change creates an implementation of the XdsResourcesDelegate interface that is backed by a KeyValueStore.
The intended use case is to enable persisting xDS resources and loading them on startup in Envoy Mobile, in the event that the xDS control plane is unreachable.
Signed-off-by: Ali Beyad <abeyad@google.com>
Risk Level: Low
Testing: Unit & Integration tests
Docs Changes: N/A (hidden experimental feature)
Release Notes: N/A
Platform Specific Features: N/A
Signed-off-by: Ali Beyad <abeyad@google.com>
Mirrored from https://github.com/envoyproxy/envoy @ f28db324be3fcb6e91eb5a89d90c08617f76a2b2
* initial draft for the meta protocol proxy
Signed-off-by: wbpcode <comems@msn.com>
* minor update
Signed-off-by: wbpcode <comems@msn.com>
* add match implemented
Signed-off-by: wbpcode <comems@msn.com>
* add some simple test
Signed-off-by: wbpcode <wbphub@live.com>
* add more test for route matcher
Signed-off-by: wbpcode <wbphub@live.com>
* partial commit
Signed-off-by: wbpcode <wbphub@live.com>
* complete basic unit test
Signed-off-by: wbpcode <comems@msn.com>
* fix format
Signed-off-by: wbpcode <comems@msn.com>
* fix error after merge
Signed-off-by: wbpcode <wbphub@live.com>
* add some more test
Signed-off-by: wbpcode <wbphub@live.com>
* minor fix
Signed-off-by: wbpcode <wangbaiping@corp.netease.com>
* fix test
Signed-off-by: wbpcode <wangbaiping@corp.netease.com>
* just make it run
Signed-off-by: wbpcode <wangbaiping@corp.netease.com>
* just make it run
Signed-off-by: wbpcode <wangbaiping@corp.netease.com>
* first integration test
Signed-off-by: wbpcode <wangbaiping@corp.netease.com>
* complete almost all the tests and fix docs and format
Signed-off-by: wbpcode <wangbaiping@corp.netease.com>
* fix proto format
Signed-off-by: wbpcode <wangbaiping@corp.netease.com>
* minor update
Signed-off-by: wbpcode <wangbaiping@corp.netease.com>
* add cleanup
Signed-off-by: wbpcode <wangbaiping@corp.netease.com>
* update for clang tidy and type error
Signed-off-by: wbpcode <wangbaiping@corp.netease.com>
* lower coverage threshold
Signed-off-by: wbpcode <wangbaiping@corp.netease.com>
* fix unexpected include
Signed-off-by: wbpcode <wangbaiping@corp.netease.com>
* fix Windows build
Signed-off-by: wbpcode <wangbaiping@corp.netease.com>
* rename to generic proxy to avoid name conflict
Signed-off-by: wbpcode <wangbaiping@corp.netease.com>
* fix docs
Signed-off-by: wbpcode <wangbaiping@corp.netease.com>
* remove unnecessary readme
Signed-off-by: wbpcode <wangbaiping@corp.netease.com>
* update comments and name of matcher
Signed-off-by: wbpcode <wangbaiping@corp.netease.com>
* fix format
Signed-off-by: wbpcode <wangbaiping@corp.netease.com>
* add name method
Signed-off-by: wbpcode <wangbaiping@corp.netease.com>
* move everything to contrib
Signed-off-by: wbpcode <wangbaiping@corp.netease.com>
* simple release note
Signed-off-by: wbpcode <wangbaiping@corp.netease.com>
* fix format
Signed-off-by: wbpcode <wangbaiping@corp.netease.com>
Signed-off-by: wbpcode <comems@msn.com>
Signed-off-by: wbpcode <wbphub@live.com>
Signed-off-by: wbpcode <wangbaiping@corp.netease.com>
Mirrored from https://github.com/envoyproxy/envoy @ 51c0d6f47c98087c7e3288205cbf8edf50ae0196
Commit Message: contrib: add Hyperscan regex engine
Additional Description: Hyperscan was introduced as an input matcher earlier this year. Since the regex engine interface has been completed, the patch extends the usage of Hyperscan into a contrib regex engine.
Risk Level: Low
Testing: Unit
Docs Changes: API
Release Notes: N/A
Platform Specific Features: Requires processor with SSSE3 support (nearly any modern x86 processor)
Signed-off-by: Xie Zhihao <zhihao.xie@intel.com>
Mirrored from https://github.com/envoyproxy/envoy @ 725d0b4b3e6fb84aa7dfd1ca4d5792f2dc4558b2
Next generation Intel® QAT support with Intel® Xeon® Scalable processors will feature an Intel® QAT cryptography and compression acceleration engine.
The QAT private key provider extension will use the qatlib library (https://github.com/intel/qatlib) to accelerate RSA operations in handshakes. The extension will look a bit like the existing CryptoMB private key provider. The use case is to move the expensive cryptographic operations away from the CPU to the accelerator device, leaving CPU cycles for other use.
Support for Intel® QAT is already present in the mainline Linux kernel and in Kubernetes device plugins (to expose the device files to containers). There are previous generations of Intel® QAT hardware devices, but they are not supported by this extension.
Signed-off-by: Ismo Puustinen <ismo.puustinen@intel.com>
Mirrored from https://github.com/envoyproxy/envoy @ 9447ff5bfa8081fc2ddd5918b8ee9c1fd6720c7a
This PR contains the following changes:
* SIP Proxy extension TRA API updated to send additional SIP context (method type and From header), so the TRA service can use this information for customized affinity management.
* Fix an error in decoding SIP headers with a valid format that caused the Envoy proxy to crash in the case of empty header fields.
Risk Level: Low
Testing: Unit tests
Docs Changes: None
Release Notes: None
Platform Specific Features: None
Signed-off-by: Jonah Murphy <jonamurp@cisco.com>
Signed-off-by: Adrian Rejas Conde <arejasco@cisco.com>
Mirrored from https://github.com/envoyproxy/envoy @ 09549da9045d9c85ffaf851b6d740de0b507708f