* Allow custom local address resolvers.
#27881 introduces the concept of EDS clusters with hosts that have multiple (potentially > 2) IP addresses.
The current implementation of UpstreamLocalAddressSelector limits the number of source addresses in BindConfig artificially to 2, and further requires that the addresses be of different address families.
The workaround for this (if we need to specify more than 2 source addresses or have multiple addresses from the same family) is to use a custom address resolver that resolves the bind config address to nullptr (and therefore ignores it) and calls bind in a customised SocketInterfaceImpl to a local source address determined by the SocketInterfaceImpl specialisation.
This PR makes it possible to define a custom local address selector that makes it easy to work with a custom address resolver to pick the right source address based on the upstream address selected by HappyEyeballsConnectionImpl.
Signed-off-by: pcrao <pcrao@google.com>
Mirrored from https://github.com/envoyproxy/envoy @ da47a54a8ccbaa384c4cb62a5f4fcd4745a72c37
Current fill_rate must be above 0.0 (PGV constraint).
However, a low double value can cause an infinite value when computing 1/fill_rate and its cast to uint64_t fails.
This PR changes the minimal fill_rate to be once-per-year, and if a lower value is given, it is overridden and set to once-per-year.
Alternatives considered: changing the PGV value to 3.1709792e-8 (once-per-year).
Risk Level: Low - minor change in behavior
Testing: Added fuzz test case
Docs Changes: Updated API comments
Release Notes: Added.
Platform Specific Features: N/A
Fixes fuzz bug 60974
Signed-off-by: Adi Suissa-Peleg <adip@google.com>
Mirrored from https://github.com/envoyproxy/envoy @ ffddd03ece01d9a542037bbf275e81a714fd6b8c
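As an added illustration (not part of the commit or of Envoy's code), the clamp this message describes, in Python: a very small or sub-normal fill_rate makes 1/fill_rate infinite or larger than a uint64_t can hold, and clamping to once-per-year keeps the interval representable. The function names and the 365-day year used for the constant are assumptions.

```python
import math

# Once-per-year fill rate in tokens per second; the lower bound introduced by
# the commit (assumes a 365-day year, giving ~3.1709792e-8).
SECONDS_PER_YEAR = 365 * 24 * 60 * 60
MIN_FILL_RATE = 1.0 / SECONDS_PER_YEAR
UINT64_MAX = 2**64 - 1


def fill_interval_seconds_unclamped(fill_rate: float):
    """Old behaviour: compute 1/fill_rate and cast it to uint64_t.

    Returns the interval as an int, or None when the cast is impossible
    because the reciprocal is infinite or exceeds the uint64_t range
    (in C++ that cast is undefined behaviour, which is the fuzz finding).
    """
    if fill_rate <= 0.0:
        raise ValueError("fill_rate must be > 0.0 (PGV constraint)")
    try:
        interval = 1.0 / fill_rate
    except OverflowError:
        return None
    if math.isinf(interval) or interval > UINT64_MAX:
        return None
    return int(interval)


def clamp_fill_rate(fill_rate: float) -> float:
    """New behaviour: values below once-per-year are overridden to once-per-year."""
    if fill_rate <= 0.0:
        raise ValueError("fill_rate must be > 0.0 (PGV constraint)")
    return max(fill_rate, MIN_FILL_RATE)


def fill_interval_seconds(fill_rate: float):
    """Clamp first, so the reciprocal always fits in a uint64_t."""
    return fill_interval_seconds_unclamped(clamp_fill_rate(fill_rate))


if __name__ == "__main__":
    for rate in (0.5, 1e-20, 5e-324):
        print(rate, fill_interval_seconds_unclamped(rate), fill_interval_seconds(rate))
```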
Adds a config option to set a stat prefix for all stats flushed by the otlp stats sink. Resolves #28962.
Risk Level: low
Testing: Unit tests, integration tests
Docs Changes: API docs
Signed-off-by: ohadvano <ohadvano@gmail.com>
Mirrored from https://github.com/envoyproxy/envoy @ a19966b92bc3afcdd68ebeffe53c4b6848733e79
Signed-off-by: Michael Kaufmann <michael.kaufmann@ergon.ch>
Mirrored from https://github.com/envoyproxy/envoy @ e83b53cf138626d0255b4aad2045fcebb47b5d6e
* Revert "api: introduce the private key provider list field (#28215)"
This reverts commit b24ea1e75aea899d5106f2a10ddc8f3ef975fe20.
Signed-off-by: He Jie Xu <hejie.xu@intel.com>
* Add fallback to PrivateKeyProvider
Signed-off-by: He Jie Xu <hejie.xu@intel.com>
---------
Signed-off-by: He Jie Xu <hejie.xu@intel.com>
Mirrored from https://github.com/envoyproxy/envoy @ 209dff813fc0bed403a11aa0abcb12342b64d7f7
* Deprecate OpenTracing
* Change security_posture to `unknown`. The OT extension is no longer covered by security process.
---------
Signed-off-by: Ryan Hamilton <rch@google.com>
Mirrored from https://github.com/envoyproxy/envoy @ 494c716cefcf98bc30773f0bd850d9a3788a1615
This is the implementation to address issue #28698.
It's a follow-up PR to #28907.
Signed-off-by: Yanjun Xiang <yanjunxiang@google.com>
Mirrored from https://github.com/envoyproxy/envoy @ 00309b2db645d5ffba9f8e398f6fc9c21067b7c6
This is the API change to address issue #28698.
Signed-off-by: Yanjun Xiang <yanjunxiang@google.com>
Mirrored from https://github.com/envoyproxy/envoy @ 3efdbd7261b9f29bfdd5d57521c769fb8b43bdc9
Commit Message: add knobs to set QUIC connection options and client connection options
Additional Description: This allows Envoy Mobile applications to set Quiche's connection options so that more performance tuning can be done.
Risk Level: Low
Testing: Unit tests
Docs Changes: n/a
Release Notes: n/a
Platform Specific Features: Mobile only
Signed-off-by: Renjie Tang <renjietang@google.com>
Mirrored from https://github.com/envoyproxy/envoy @ 450dd5bc89d7b8994c88614333328097128caeb1
* Implement deferred clusters on workers. We initialize certain clusters on
workers inline when there's traffic for that cluster.
Signed-off-by: Kevin Baichoo <kbaichoo@google.com>
Mirrored from https://github.com/envoyproxy/envoy @ 4aaf17dce6e6c2dfde384f3e496b63363da2aac8
* Avoid sending an empty body to the ext_proc server if decodeData() is not called
Signed-off-by: Yanjun Xiang <yanjunxiang@google.com>
Mirrored from https://github.com/envoyproxy/envoy @ 5e4f35055a30f0990430664d74f6060a2a5ff20a
* Add UHV config to strip URL fragment
Signed-off-by: Yan Avlasov <yavlasov@google.com>
Mirrored from https://github.com/envoyproxy/envoy @ 1fe0dd5b9e0d33e59917247552f918adc835e596
Commit 664f3fce4730544f34ae767e10150fb6be11cdc6 changed how this data
is handled, but was only intended to apply when calling grpc_service.
Fixes #27386
Signed-off-by: Greg Greenway <ggreenway@apple.com>
Mirrored from https://github.com/envoyproxy/envoy @ 6b276066f4704abbbc870ed2bb71e3225476a1a2
* Add header forwarding disallow list support for ext_proc filter.
Signed-off-by: Yanjun Xiang <yanjunxiang@google.com>
Mirrored from https://github.com/envoyproxy/envoy @ 852326772e76621cb495b38cec571d60ac8493b5
Commit Message: add the proto for the new HTTP filter GrpcFieldExtraction we are going to contribute.
Additional Description: please see the proto comments for this filter's behavior. Thanks @yanavlasov, who is willing to be the sponsor.
Risk Level: N/A
Testing: N/A
Docs Changes: N/A
Release Notes: N/A
Mirrored from https://github.com/envoyproxy/envoy @ 46a05a6e79b17b64406c83930d3065a545a04cbd
This is to address a use case when a header should be modified only when it exists and should not be added when it does not exist.
Risk Level: Low
Testing: Unit tests.
Docs Changes: Yes.
Release Notes: Yes
Platform Specific Features: No
Fixes #27907
Signed-off-by: Christoph Pakulski <christoph@tetrate.io>
Mirrored from https://github.com/envoyproxy/envoy @ d9ba9d17016296c50069584905dee1a19427d42e
This is to address issue #28243.
The value_bytes proto is added by #27865.
Signed-off-by: Yanjun Xiang <yanjunxiang@google.com>
Mirrored from https://github.com/envoyproxy/envoy @ 8a2d9502638789b1d078f06f48b51918589a1f4a
The Boring SSL team is going to set `enforce_rsa_key_usage` to true very soon. If it is true, the handshake will fail if the keyUsage extension is present and incompatible with the TLS usage. However, the backend services/VMs might not be ready for this change, and it has caused an outage. I think this is also applicable to OSS Envoy customers, since their certificates may not be ready as well.
Change:
- Add the config field to control `enforce_rsa_key_usage`. It is false by default now but can be changed to true (which is aligned with Boring SSL's request) later once the customers are ready.
- Set it when the ClientContext's SSL object is created. This SSL object will be used later in the SSL handshake.
- It is added in the `upstreamTlsContext` proto and set in `ClientContext` because this change in Boring SSL only affects Envoy -> Backend (Upstream TLS) but not Client -> Envoy (Downstream TLS).
- Add stats to track/report the invalid use case by leveraging the SSL_was_key_usage_invalid API introduced [here](a614d46d40).
- Improve the error handling/report for `SSL_ERROR_SYSCALL`
Signed-off-by: tyxia <tyxia@google.com>
Mirrored from https://github.com/envoyproxy/envoy @ c5d578bdf109b90c1b93e888dae6cb45de6309f7