Based on the requirement discussion from #2514.
Change the Jwt_authn config to support different requirement based on route match.
Risk Level: Low
Signed-off-by: Wayne Zhang <qiwzhang@google.com>
Mirrored from https://github.com/envoyproxy/envoy @ cc4845b01f71f3e12b359d1ce099a22d4fe61526
Add support for extracting dynamic metadata from requests. This can then
be used as static metadata would be used (e.g.: for subset load balancer
metadata matches, logging, etc).
Risk Level: Low
Testing: unit-test
Docs Changes: Basic docs.
Release Notes: N/A
Signed-off-by: Raul Gutierrez Segales <rgs@pinterest.com>
Mirrored from https://github.com/envoyproxy/envoy @ 827c0a548ab38d55debe00587ee27253786befad
HCM and router changes to support use of Envoy in scenarios where we don't want Envoy to be generating additional headers or manipulating XFF. This also introduces Via support.
Fixes#1030.
Risk Level: Low (opt in)
Testing: Unit and integration tests added.
Signed-off-by: Harvey Tuch <htuch@google.com>
Mirrored from https://github.com/envoyproxy/envoy @ 2f55443b68c50f88c6f7dccc3b82ec6a4b4c235d
Adds a file based grpc credentials extension. See issue #3392 for more details.
Risk Level: Low: extension for grpc credentials loaded by explicit configuration options
Testing: tests included in PR
Docs Changes: Inline docs via comments and proto docs
Release Notes: N/A
Fixes#3392
Signed-off-by: Michael Wozniak <wozz@koh.ms>
Mirrored from https://github.com/envoyproxy/envoy @ 230d2216fdd520a182dea9b5152522756853cd90
The proto field is marked as deprecated without any explanation, so this
adds a reference to the other field which should be used instead.
Signed-off-by: Snow Pettersen <snowp@squareup.com>
Mirrored from https://github.com/envoyproxy/envoy @ 0bcdb5d7611a79fd22f823fd707a8b6f7b5f756e
Fixes https://github.com/envoyproxy/envoy/issues/743
This is a general cleanup of all of the access logging documentation.
I have reorganized a bunch of things and hidden the various gRPC logging
fields that are not implemented yet.
I've also moved the existing tap protos into a new "output" directory. This
is the best name I could come up for cleanly separating output data that might
be stored outside of any service or configuration.
Signed-off-by: Matt Klein <mklein@lyft.com>
Mirrored from https://github.com/envoyproxy/envoy @ c15019e79c832d9f0a09468affaadabc4be3e115
*Risk Level*: None
*Testing*: bazel test //test/...
*Docs Changes*: n/a
*Release Notes*: n/a
Found with buildifier.
Signed-off-by: Piotr Sikora <piotrsikora@google.com>
Mirrored from https://github.com/envoyproxy/envoy @ 0e8964c83f359916ecbf9c01a03ade3c92aac479
This change does several things:
1) Clarifies how we handle xDS version_info in responses and sets us up
for both top-level/transactional versions as well as per-resource
versions in the future.
2) Moves the config_dump admin endpoint to the v2alpha namespace so that
we can iterate on it in the future.
3) Fills out the config dump proto for the remaining resource types.
These are not implemented but are here to force a discussion about
how we want to handle versions moving forward.
4) Fixes RDS static config dump to actually work and add better tests.
5) Wire up version for the RDS config dump on a per-resource basis.
Once we agree on the general version semantics I will be following up
with dump capability of the remaining resource types.
Part of https://github.com/envoyproxy/envoy/issues/2421
Part of https://github.com/envoyproxy/envoy/issues/2172
Fixes https://github.com/envoyproxy/envoy/issues/3141
Signed-off-by: Matt Klein <mklein@lyft.com>
Mirrored from https://github.com/envoyproxy/envoy @ ada758739907628b50079b9adfccf5481ec9fc5f
* tap/fuzz: transport socket extension for traffic capture.
This PR introduces a transport socket extension that wraps a given transport socket, interposes on its
plain text traffic and records it into a proto trace file on the filesystem. This can be used for a
number of purposes:
1. As a corpus for fuzzing the data plane.
2. Converted to PCAP using a soon-to-be-written utility, allowing existing tools such as Wireshark
to be used to decode L4/L7 protocol history in the trace. Essentially this lets us take advantage
of the PCAP ecosystem.
Relates to #1413 and #508.
Risk Level: Low (opt-in).
Testing: New SSL integration tests, demonstrating plain text intercept.
Signed-off-by: Harvey Tuch <htuch@google.com>
Mirrored from https://github.com/envoyproxy/envoy @ 6c7a91733469f76381487f9ca78bdece6825c8c9
Added protos to support Role Based Access Control in Envoy.
Also removed existing auth.proto because the new RBAC proto is a replacement of it.
Ealier discussions at
envoyproxy/data-plane-api#586.
Signed-off-by: Limin Wang <liminwang@google.com>
Mirrored from https://github.com/envoyproxy/envoy @ 13de384ab34428af99c53201f6b3c95991b7ae10
Implements the header matching mechanism that was added to the API in #3097 .
Risk Level: Low
Testing: Unit tests were added for the new configuration options.
Docs Changes: #3097.
Release Notes: added release note.
Signed-off-by: Matt Rice <mattrice@google.com>
Mirrored from https://github.com/envoyproxy/envoy @ 132b36cdae221dd602ebd920a1025167c3a7753a
define a access log filter to filter requests based on the
value of a specified header.
This is the initial data plane api change for the issue envoyproxy/envoy#2544.
Signed-off-by: Kevin Chan <kchan@evernote.com>
This PR includes the necessary modifications in support of envoyproxy/envoy#2828.
Added additional configuration to ext_authz.proto so that the filter is able to call an HTTP/1.1 authorization service.
In external_auth.proto, added a nested message to CheckResponse that allows the authorization service to pass additional HTTP response attributes back to the authz filter.
Signed-off-by: Gabriel <gsagula@gmail.com>
These are required to generate xDS responses from a Go binary. If they
don't exist, implementations are required to vendor the data-plane-api
with this change applied.
Signed-off-by: John Millikin <jmillikin@stripe.com>
This is a follow-up PR of #325.
I mistook to add an unnecessary field here. What actually we need is just making dog_statsd_specifier oneof field, not adding tcp_cluster_name field.
We can safely drop this field because users has ended up with
initializing errors if they had specified this field.
[critical][main] source/server/server.cc:71] error initializing configuration '/envoy.yaml': Address must be a socket or pipe
This field has
never been used in envoy repo: 7d03b231c7/source/server/config/stats/dog_statsd.cc (L19-L23)
Signed-off-by: Taiki Ono <taiki-ono@cookpad.com>
* tcp proxy: add metadata_match to tcp proxy config
This should allow the tcp proxy to target a specific subset of endpoints
in a cluster by matching on the metadata, similar to what is currently
possible in the http_connection_manager filter.
See https://github.com/envoyproxy/envoy/issues/2696
Signed-off-by: Snow Pettersen <snowp@squareup.com>
V1 configuration does not support ip tagging. This pr cleans references to IP Tagging in V1 configs.
Signed-off-by: Constance Caramanolis <ccaramanolis@lyft.com>