* Add UHV config to strip URL fragment
Signed-off-by: Yan Avlasov <yavlasov@google.com>
Mirrored from https://github.com/envoyproxy/envoy @ 1fe0dd5b9e0d33e59917247552f918adc835e596
Commit 664f3fce4730544f34ae767e10150fb6be11cdc6 changed how this data
is handled, but was only intended to apply when calling grpc_service.
Fixes #27386
Signed-off-by: Greg Greenway <ggreenway@apple.com>
Mirrored from https://github.com/envoyproxy/envoy @ 6b276066f4704abbbc870ed2bb71e3225476a1a2
* Add header forwarding disallow list support for ext_proc filter.
Signed-off-by: Yanjun Xiang <yanjunxiang@google.com>
Mirrored from https://github.com/envoyproxy/envoy @ 852326772e76621cb495b38cec571d60ac8493b5
Commit Message: add the proto for the new http filter GrpcFieldExtraction we are going to contribute.
Additional Description: please see the proto comments for this filter's behavior. Thanks @yanavlasov who is willing to be the sponsor.
Risk Level: NA
Testing: NA
Docs Changes: NA
Release Notes: NA
Mirrored from https://github.com/envoyproxy/envoy @ 46a05a6e79b17b64406c83930d3065a545a04cbd
This is to address a use case when a header should be modified only when it exists and should not be added when it does not exist.
Risk Level: Low
Testing: Unit tests.
Docs Changes: Yes.
Release Notes: Yes
Platform Specific Features: No
Fixes #27907
Signed-off-by: Christoph Pakulski <christoph@tetrate.io>
Mirrored from https://github.com/envoyproxy/envoy @ d9ba9d17016296c50069584905dee1a19427d42e
This is to address issue: #28243
The value_bytes proto is added by #27865.
Signed-off-by: Yanjun Xiang <yanjunxiang@google.com>
Mirrored from https://github.com/envoyproxy/envoy @ 8a2d9502638789b1d078f06f48b51918589a1f4a
The BoringSSL team is going to set `enforce_rsa_key_usage` to true very soon. If it is true, the handshake will fail if the keyUsage extension is present and incompatible with the TLS usage. However, the backend services/VMs might not be ready for this change and it had caused an outage. I think this is also applicable to OSS Envoy customers since their certificates may not be ready as well.
Change:
- Add the config field to control `enforce_rsa_key_usage`. It is false by default now but can be changed to true (which is aligned with BoringSSL's request) later once the customers are ready.
- Set it when ClientContext's SSL object is created. This SSL object will be used later in the SSL handshake.
- It is added in the `upstreamTlsContext` proto and set in `ClientContext` because this change in BoringSSL only affects Envoy->Backend (Upstream TLS) but not Client->Envoy (Downstream TLS)
- Add stats to track/report the invalid use case by leveraging SSL_was_key_usage_invalid API introduced [here](a614d46d40)
- Improve the error handling/report for `SSL_ERROR_SYSCALL`
Signed-off-by: tyxia <tyxia@google.com>
Mirrored from https://github.com/envoyproxy/envoy @ c5d578bdf109b90c1b93e888dae6cb45de6309f7
tap: Fix the protobuf to PCAP generation failure
When running 'bazel run @envoy_api//tools:tap2pcap path_0.pb path_0.pcap':
...
Traceback (most recent call last):
  File "..../tools/tap2pcap.runfiles/envoy_api/tools/tap2pcap.py", line 88, in <module>
    tap2pcap(sys.argv[1], sys.argv[2])
  File "..../tools/tap2pcap.runfiles/envoy_api/tools/tap2pcap.py", line 53, in tap2pcap
    wrapper.ParseFromString(f.read())
                            ^^^^^^^^
  File "<frozen codecs>", line 322, in decode
UnicodeDecodeError: 'utf-8' codec can't decode byte 0xb8 in position 1: invalid start byte
...
The protobuf file is in binary format, opening this file in binary mode
will help to generate the PCAP file successfully.
Signed-off-by: Haiyue Wang <haiyue.wang@intel.com>
Mirrored from https://github.com/envoyproxy/envoy @ c1cae43bed0cd91b423dafa388a370a27cb163e7
One can specify a MetadataKey with a path selector to pick up a host
from the dynamic metadata of the request or downstream. Selected
value can either be a string or a list with at least a single
element of string type. Request metadata is considered first.
Signed-off-by: Andrii Chabykin <chabster@google.com>
Mirrored from https://github.com/envoyproxy/envoy @ 10468b320421cb14d7911b4e6d139cc18780fb1a
* Turn ext_proc into API stable.
Signed-off-by: Yanjun Xiang <yanjunxiang@google.com>
Mirrored from https://github.com/envoyproxy/envoy @ 4e5031013746a0768e9a3065dbab08b70eaf3c05
Commit Message:
This commit adds CONNECT-UDP (RFC 9298) support. UdpConnPool is added to create a UDP socket for a new CONNECT-UDP request, and UDPUpstream is added to maintain the socket and other relevant data associated with UDP upstreams.
We added an integration test for the terminating CONNECT-UDP proxy, but not the forwarding proxy in this commit. We are going to add test cases to cover the forwarding proxy scenario in a subsequent commit.
Additional Description:
Risk Level: Medium, the feature can only be enabled by the new configuration added in this commit.
Testing: Integration test
Runtime guard: envoy.reloadable_features.enable_connect_udp_support
Release Notes: added support for CONNECT-UDP (RFC 9298). Can be disabled by setting runtime feature envoy.reloadable_features.enable_connect_udp_support to false.
Signed-off-by: Jeongseok Son <jeongseok.son@gmail.com>
Co-authored-by: asingh-g <abhisinghx@google.com>
Mirrored from https://github.com/envoyproxy/envoy @ b4f37553d6887447f942a1aedbc8c2dacae45537
* Fix ext_proc filter cannot send non-utf8 character by gRPC
Signed-off-by: Yanjun Xiang <yanjunxiang@google.com>
Mirrored from https://github.com/envoyproxy/envoy @ 9c6e75062ebdd8c8382c671662fb096569d9eaa9
This computes the health of a priority level by using load balancing weight
instead of the count of healthy hosts.
Signed-off-by: Greg Greenway <ggreenway@apple.com>
Mirrored from https://github.com/envoyproxy/envoy @ 842d1b2ae9b7f73a5055f2117df6f7d086b9e40d
Commit Message:
With lots of clusters and route-tables in a cloud proxy, we are seeing tons of RAM being spent on stats while most of the stats are never inc-ed due to traffic pattern (or long tail). We are thinking that we can lazy init cluster stats() so that the RAM is only allocated when it's required.
To achieve that we need to have finer grained stats groups, e.g. configUpdateStats() are frequently updated by config management server, while upstream_xxx are only required when there is traffic for the cluster; for this sub-group we can save RAM by lazy initing it.
Introduce a new stats utility in this PR such that the nested StatsStruct is only instantiated when any of the "->" or "*xx." operators is used.
Cribbed from PR #23921
Please see that PR for how it is used.
Additional Description:
Risk Level: LOW, utility lib not used yet.
Testing: unit test and speed test.
Docs Changes:
Release Notes:
Platform Specific Features:
Signed-off-by: Xin Zhuang <stevenzzz@google.com>
Mirrored from https://github.com/envoyproxy/envoy @ 7801df6af9000ae31bdd89b080e0d797501cbd18
* Bound the number of connections that can be accepted per socket event on
listeners.
Signed-off-by: Kevin Baichoo <kbaichoo@google.com>
Mirrored from https://github.com/envoyproxy/envoy @ ef9387f7336d136c5d1525f9c75176a4ae87cb75
Adding per route match tree resolution to the extension with matcher.
Risk Level: Low
Testing: test/common/http/match_delegate/match_delegate_integration_test.cc, test/extensions/filters/http/composite/composite_filter_integration_test.cc, test/common/http/match_delegate/config_test.cc
Docs Changes: matching_api.rst
Release Notes: changelogs/current.yaml
Platform Specific Features: N/A
Signed-off-by: Joseph Straceski <jstraceski@google.com>
Mirrored from https://github.com/envoyproxy/envoy @ c6a9a24987ebaab94a529fbd1da1ab89ec480d81
A new custom matcher for generic proxy is added to simplify the route table. When simple AND semantics are used, the users needn't write complex configuration to combine different inputs/matches.
Risk Level: low.
Testing: unit.
Signed-off-by: wbpcode <wangbaiping@corp.netease.com>
Mirrored from https://github.com/envoyproxy/envoy @ b8e112190ef14bced0509a0fb201b5ee49da46d7
add bootstrap option to set log format
Signed-off-by: ohadvano <ohadvano@gmail.com>
Mirrored from https://github.com/envoyproxy/envoy @ 08dd6fedf0c433c341e74e689194beb23540932c