Risk Level: LOW
Testing: Unit and format
Fixes#10535
Signed-off-by: Abhay Narayan Katare <abhay.katare@india.nec.com>
Mirrored from https://github.com/envoyproxy/envoy @ 6321e5d95f7e435625d762ea82316b7a9f7071a4
Add OCSP stapling support with configurable stapling policy. A pre-fetched OCSP response can be configured with its corresponding certificate via the new ocsp_staple field in the TlsCertificate message. The new ocsp_staple_policy field on DownstreamTlsContext determines whether an OCSP response is required and whether to continue using the TLS certificate for new connections once its OCSP response expires. The ocsp_staple_policy defaults to LENIENT_STAPLING, which allows the operator to omit ocsp_staples from the configuration and will only use OCSP responses that are present and valid. This should therefore not break any existing configurations.
Risk Level: Medium - touches some core functionality of certificate selection but does not alter any existing behavior
Testing: added
Docs Changes: Added OCSP Stapling subsection in the SSL section of the architecture overview.
Release Notes: Added
Runtime flags:
envoy.reloadable_features.check_ocsp_policy
envoy.reloadable_features.require_ocsp_response_for_must_staple_certs
Signed-off-by: Daniel Goldstein <danielgold95@gmail.com>
Signed-off-by: Stephan Zuercher <zuercher@gmail.com>
Mirrored from https://github.com/envoyproxy/envoy @ cdd3a837056dc6935c0d8e0fb693d4de89b998e9
Description: Taking advantage of the new feature introduced in [#12035](https://github.com/envoyproxy/envoy/pull/12035), which introduced quick visibility for init managers to check unready targets, this pull request adds protobuf message for unready targets and enables admin to dump configs of unready targets. An example of config dump for listeners’ unready targets is given in this pull request.
Introduce ```InitDumpHandler``` with ```handlerInitDump``` method to help dump information of unready targets.
Add ```dumpUnreadyTargets``` function for ```init::manager```.
Risk Level: Low
Docs Changes: protodoc
Release Notes: Added
Signed-off-by: pingsun <pingsun@google.com>
Mirrored from https://github.com/envoyproxy/envoy @ 8aef76370877c66b09f7791f0577ca83aad7d608
This was added for gRPC server support, but we've decided to use resource names instead to explicitly request the listeners we want by name. This is more in-line with the new naming scheme described in the "xDS Transport Next Steps" design.
Signed-off-by: Mark D. Roth <roth@google.com>
Mirrored from https://github.com/envoyproxy/envoy @ 05cbb309b828dc86737c51fd2c79d30e48e397a4
Add log control (list and modify log level) in admin interface for Fancy Logger, a new fine-grained logger for Envoy, and provide command line option --enable-fine-grain-logging for developers.
Additional Description: A doc of overview is provided here: source/docs/fancy_logger.md.
Risk Level: Medium
Testing: Unit tests.
Docs Changes: Added a new option --enable-fine-grain-logging and doc it.
Release Notes: Added to current.rst.
Signed-off-by: Jinhui Song <jinhuisong@google.com>
Mirrored from https://github.com/envoyproxy/envoy @ b7138814dde530b8c2957e806ea40879a4fdce32
/config_dump API now supports dumping out EDS while using parameter ?include_eds
Add help method dumpEndpointConfigs() to dump out EDS in /config_dump by calling this method in the handler handlerConfigDump()
This will dump out envoy::admin::v3::EndpointsConfigDump by generating envoy::config::endpoint::v3::ClusterLoadAssignment based on data stored in server_.clusterManager().clusters()
Missing Field:
- ClusterLoadAssignment
- Policy
- endpoint_stale_after
- StaticEndpointConfig
- last_updated
- DynamicEndpointConfig
- version_info
- last_updated
Risk Level: Medium
Testing: add unit test, integration test
Docs Changes: operations_admin_interface
Release Notes: N/A
Part of fixing #3362
Signed-off-by: Yutong Li <yutongli@google.com>
Mirrored from https://github.com/envoyproxy/envoy @ 3cec62a096584894e8d1552ba915e47cffd8bf49
Add DrainStrategy enum to Options with Graceful and Immediate
Disable probabilistic drain in DrainManager if DrainStrategy == Immediate
Add integration tests
Risk Level: Low.
Testing: Integration tests, verify that the race condition from #11240 does not occur if the probabilistic drain is disabled.
Signed-off-by: Auni Ahsan <auni@google.com>
Mirrored from https://github.com/envoyproxy/envoy @ 8c7df0f08bd86bbeebaee3773b79cf6e3949fe3c
Provides a --use-dynamic-base-id flag to select an unused base-id.
Primarily useful for testing, but generally available. Adds a
--base-id-path flag where Envoy writes the base id to a file.
Converts tests to use the dynamic base id selection rather than
trying to keep all base ids unique.
Signed-off-by: Stephan Zuercher <zuercher@gmail.com>
Mirrored from https://github.com/envoyproxy/envoy @ 69f2dfcae15401f14d7cc3c829fd32ff2efc9f0c
Add EndpointsConfigDump message to support EDS in config_dump.proto
(not implemented in Envoy)
Additional Description:
Risk Level: Low
Testing: N/A
Docs Changes: N/A
Release Notes: N/A
This is the first step to solve #3362
Signed-off-by: Yutong Li <yutongli@google.com>
Mirrored from https://github.com/envoyproxy/envoy @ 192cd1341643f3a01bb27f992bbb6f0950eef867
In order to speed up eds, don't necessarily visit every proto field to count its validity as WarningValidationVisitor does. This yields a ~30% speed improvement in processing very large updates in EDS.
Risk Level: medium, new feature behind a command line flag.
Testing: Unit and bechmark tests.
Docs Changes: These are probably wrong, thus the draft-ness.
Release Notes: EDS can now ignore unknown dynamic fields, for a ~30% improvement in update processing time. Behind --ignore-unknown-dynamic-fields
Co-authored-by: Joshua Marantz <jmarantz@google.com>
Mirrored from https://github.com/envoyproxy/envoy @ 703f2fbdd4d2b11db901a74d15726bc6c017189b
Deprecates GoogleRE2.max_program_size field so that client does not need to check this.
Risk Level: Low
Testing: N/A
Docs Changes: Included in PR
Release Notes: Included in PR
Signed-off-by: Mark D. Roth <roth@google.com>
Mirrored from https://github.com/envoyproxy/envoy @ 10125161be0d0a759c3ffb02ddcdf8abc0bc6060
Adds a --boostrap_version flag that can be used to determine which API version the bootstrap should be parsed as.
Risk Level: Low
Testing: UTs
Docs Changes: Flag docs
Release Notes: n/a
Fixes#10343
Signed-off-by: Snow Pettersen <aickck@gmail.com>
Co-authored-by: Snow Pettersen <kpettersen@netflix.com>
Mirrored from https://github.com/envoyproxy/envoy @ 62777e87edc9f16af5c7920bb86f198585789a3d
This patch performs a major version freeze and bump by modifying
package_version_status, using the tooling developed in #10636.
Specifically:
v2 APIs are frozen (except for where they are the latest in their
package history and still active)
v3 APIs are transitioned to be active
Candidate v4alpha APIs are generated (not used by Envoy yet)
Fixes#10355
Risk level: medium (entire API's files are modified, visually verified
to ensure things look sane, all tests pass)
Testing: CI
Signed-off-by: Harvey Tuch <htuch@google.com>
Mirrored from https://github.com/envoyproxy/envoy @ 549164c42cae84b59154ca4c36009e408aa10b52