Postgres filter can negotiate upstream SSL connection with Postgres server and enable upstream encryption.
Upon receiving the initial postgres request, the filter buffers the received packet (without sending it) and sends to the upstream server a request to establish SSL connection. When the server agrees, the postgres filter enables upstream STARTTLS transport socket and sends the previously buffered initial packet. From now on, the connection to upstream is encrypted and the filter can read the postgres payloads in clear-text.
If the server does not agree to SSL, or converting the STARTTLS transport socket to secure mode fails, then depending on the configuration the filter may continue in clear-text or may tear down the connection.
Risk Level: Low
Testing: unit, integration and manual tests.
Docs Changes: yes.
Release Notes: yes
Platform Specific Features: No
Fixes #19527
Signed-off-by: Christoph Pakulski <christoph@tetrate.io>
Mirrored from https://github.com/envoyproxy/envoy @ 0ce6cf5fc3b54185b068ac0b6ec2dd5e461fc3cb
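The buffer-then-negotiate sequence described above, modelled as an added Python illustration (not Envoy's filter code): the client's startup packet is held back, an SSLRequest goes upstream first, and the single-byte answer plus the configured policy decide whether the buffered packet is flushed over TLS, over clear-text, or not at all. The `FakeUpstream` class and the policy names `"require"`/`"allow"` are constructed stand-ins for the upstream socket and for the two configured behaviours the message mentions.

```python
import struct

# PostgreSQL SSLRequest: int32 length (8) followed by the magic code 80877103
# (1234 in the high 16 bits, 5679 in the low 16 bits). The server answers with
# a single byte: 'S' to proceed with TLS, 'N' to refuse.
SSL_REQUEST = struct.pack("!ii", 8, 80877103)


class FakeUpstream:
    """Constructed stand-in for the upstream Postgres server / transport socket."""

    def __init__(self, answer: bytes, tls_ok: bool = True):
        self.answer = answer          # b"S" or b"N", the server's SSLRequest reply
        self.tls_ok = tls_ok          # whether switching the socket to TLS succeeds
        self.plain = []               # bytes received before TLS was enabled
        self.encrypted = []           # bytes received after TLS was enabled
        self.tls = False

    def send(self, data: bytes) -> None:
        (self.encrypted if self.tls else self.plain).append(data)

    def recv(self, n: int) -> bytes:
        return self.answer[:n]

    def start_tls(self) -> bool:
        # Models converting the STARTTLS transport socket to secure mode.
        self.tls = self.tls_ok
        return self.tls_ok


def negotiate_upstream(initial_packet: bytes, upstream: FakeUpstream, policy: str) -> bool:
    """Buffer the client's startup packet, ask upstream for SSL, then forward it.

    policy is a constructed name: "require" tears the connection down when upstream
    SSL cannot be established, "allow" falls back to clear-text instead.
    Returns True when the startup packet went out over an encrypted transport.
    """
    upstream.send(SSL_REQUEST)           # sent instead of the buffered startup packet
    reply = upstream.recv(1)
    secured = reply == b"S" and upstream.start_tls()
    if not secured and policy == "require":
        raise ConnectionError("upstream refused SSL; tearing down connection")
    upstream.send(initial_packet)        # flushed only after the decision is made
    return secured
```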
* Adding back ECDS config dump support. (#23902)" which is reverted by (#24354)
This reverts commit c5d61600db75c3effe25fa1a5e096d8a7936663a.
* Fixing test coverage issue due to an early return and a couple of comment lines.
Signed-off-by: Yanjun Xiang <yanjunxiang@google.com>
Mirrored from https://github.com/envoyproxy/envoy @ df2f00a7e2e5b841d1032ca4c2607b5e939c47bf
This reverts commit 3752119b94ae4a5ff337364f585f54305406dc7f.
Mirrored from https://github.com/envoyproxy/envoy @ c5d61600db75c3effe25fa1a5e096d8a7936663a
This allows setting socket options without specifying an address to
bind for upstream connections.
Signed-off-by: Greg Greenway <ggreenway@apple.com>
Mirrored from https://github.com/envoyproxy/envoy @ 7010984aeffe27aea0e6cbf452ef7c20139c6a43
Envoy supports selecting certs by selecting filter chain based on SNI.
But it is possible that we access different services via one filter
chain, which requires SNI-based cert selection in one single filter
chain during handshake.
Signed-off-by: Luyao Zhong <luyao.zhong@intel.com>
Mirrored from https://github.com/envoyproxy/envoy @ 96530246347cea4a439bd1d861c530b1940b49a6
Sometimes when an application doesn't bind to localhost and the machine uses iptables for traffic redirection, HDS might need to override the source address for iptables to redirect traffic to the application instead of getting into the loop.
Risk Level: Low
Testing: small unit test configuration, upstream cluster tests binding functionality, manual testing
Docs Changes: API docs
Release Notes:
Platform Specific Features: no
Signed-off-by: Łukasz Dziedziak <lukidzi@gmail.com>
Mirrored from https://github.com/envoyproxy/envoy @ 74bef6aac36a45a2b8f1812dcd3e31c7eb46db3e
This is just an improvement to async_fetch feature of remote jwks.
* For a successful fetch, adjust its re_fetch time to be the jwks_cache_duration - 5s. This is to avoid triggering on-demand fetching. During authentication, if the jwks is not fetched, or is expired, it will trigger an on-demand fetch. If async_fetch can refetch the jwks a little bit earlier, it will avoid the on-demand fetch.
* For a failed fetch, trigger a re_fetch after 1 second. Getting jwks is important. We should keep retrying. This retrying is after [remote_jwks.retry_policy](https://github.com/envoyproxy/envoy/blob/main/api/envoy/extensions/filters/http/jwt_authn/v3/config.proto#L366).
Risk Level: Low, added more frequent refetches for a failed remote jwks uri.
Testing: unit-tested
Docs Changes: None
Release Notes: Yes
Signed-off-by: Wayne Zhang <qiwzhang@google.com>
Mirrored from https://github.com/envoyproxy/envoy @ 4e40d6ad5f98cd3c86f1398bb8990b1d88bdfe92
Risk Level: low
Testing: unittest
Docs Changes: API doc
Release Notes: new feature
Fixes #24038
Signed-off-by: He Jie Xu <hejie.xu@intel.com>
Mirrored from https://github.com/envoyproxy/envoy @ ea2cdc3a164430ee43ff216655aaaac7fada51ed
Add support for intermediate CA as trusted_ca with
X509_V_FLAG_PARTIAL_CHAIN
Signed-off-by: Luyao Zhong <luyao.zhong@intel.com>
Mirrored from https://github.com/envoyproxy/envoy @ 14015bb2a68d44e9429556e447bfa6fe84e3bb37
Add support for allowlisting request headers included in the check request to the authorization server, be it HTTP or gRPC (currently, this is supported for HTTP only). This patch deprecates the current allowed_headers config field (on the authorization_request message) and introduces a new one on the ext_authz message. To note is that the default behaviour (i.e. no config specified) differs based on the type of authorization server (this is to maintain backwards compatibility).
Signed-off-by: rulex123 <erica.manno@gmail.com>
Mirrored from https://github.com/envoyproxy/envoy @ fc49bd76e849bd056a709e9fa4064ccc66ea1660
Upstream filters specified in the router will apply if there are no filters specified in the cluster.
Risk Level: Low.
Testing: Unit and Integration testing.
Signed-off-by: Paul Gallagher <pgal@google.com>
Mirrored from https://github.com/envoyproxy/envoy @ 9bb570fded9246762d087c8d2c8fe9733ad0dbff
This patch adds the claim_to_headers field to the JwtProvider config to copy jwt claims to http headers.
Risk Level: Low, a new feature
Testing: Added
Docs Changes: Added
Release Notes: Added
Fixes #15062
Signed-off-by: Aryan Gupta <garyan@google.com>
Mirrored from https://github.com/envoyproxy/envoy @ 287ccb9daafb3df3f42f6d83bbffd965c49cddb9
This PR is going to add an optional flag in the Endpoint.HealthCheckConfig to disable or enable active health check for it. E.g. Envoy will only use the health status from EDS for a subset of endpoints. This can support mixed/hybrid network groups.
Note, it will impact all types of clusters if a health checker is configured, e.g. EDS, strict_dns.
However, we skip the endpoint with the disable flag at message level for HDS.
Risk Level: Medium
Testing: unit and integration tests
Signed-off-by: Boteng Yao <boteng@google.com>
Mirrored from https://github.com/envoyproxy/envoy @ fcfb1cd1d68f47d0fcacea693d76e1866ca2fde0
Signed-off-by: Kuat Yessenov <kuat@google.com>
Commit Message: Add another option to read principal from the filter state instead of metadata. The use case is passing the value from a network filter to an HTTP filter (RBAC), and the dynamic metadata does not support inheritance. For tunneled requests, the principal needs to be set at the tunnel connection, not the internal connection used for HTTP processing.
Risk Level: low
Testing: unit
Docs Changes: none
Release Notes: none
Mirrored from https://github.com/envoyproxy/envoy @ 91eccaf7d75161676e90adae58722c4bfa7d0c2e
This is a comments-changes-only PR.
The `ExternalProcessor` has a `mutation_rules` field, whose purpose is
to let users modify otherwise-restricted headers, such as `"host"` and
`":authority"`. Odds are that users who are modifying such headers are
trying to influence the routing decisions that Envoy makes, such as was
the case in https://github.com/envoyproxy/envoy/issues/23919.
However, setting only `"host"` or `":authority"` is not sufficient to
change such routing decisions; users must also set a `clear_route_cache`
field.
This PR hopes to avoid confusion about those two fields, like that in
https://github.com/envoyproxy/envoy/issues/23919, by improving the
comments on the `mutation_rules` field.
Signed-off-by: Robert-Jan Huijsman <22160949+rjhuijsman@users.noreply.github.com>
Mirrored from https://github.com/envoyproxy/envoy @ 43dde7800d6057406ef52dd1c0982a0028c558fa
Any Envoy users who customize their pre-built extensions will need to evaluate if they need this cluster.
Risk Level: medium
Testing: n/a
Docs Changes: n/a
Release Notes: inline
Signed-off-by: Alyssa Wilk <alyssar@chromium.org>
Mirrored from https://github.com/envoyproxy/envoy @ 1d60a116413a0422b2df50e5f6ef8b553caba53b
Some stats like `no_route` and `idle_timeout` can't be printed by session access log,
so we need proxy-level access logging to log global stats.
Additional Description:
Risk Level: Low
Fixes #23241
Signed-off-by: giantcroc <changran.wang@intel.com>
Mirrored from https://github.com/envoyproxy/envoy @ 33fce6bd1925a5c26eb41ed584de0c9422b5e4fb
This filter is configured with request_rules that will be matched against requests. A field_selector of a rule represents the head of a linked list; each node of the linked list has a name for logging and an id for matching. The field_selector is tied to a payload field when the linked list corresponds to a downward path rooted in the top level of the request message structure. on_present is triggered when the corresponding payload is present. Otherwise, on_missing is triggered.
This filter is designed to support payload passthrough. By performing payload-to-metadata, the filter can do deserialization once and pass the metadata to other filters. This means that load balancing decisions, log consumption and routing could all use payload information with a single parse. Also notably, performing the parsing in the payload passthrough buffer will mean deserializing once and not re-serializing, which is the most performant outcome.
Risk Level: low
Testing: unit
Docs Changes: multiple rst
Fixes #23322
Signed-off-by: kuochunghsu <kuochunghsu@pinterest.com>
Mirrored from https://github.com/envoyproxy/envoy @ cd208a5dbc281dcc27a8155a210037267c08ff6f