Add a new field sts_service into GoogleGrpc call credential options which support Envoy to exchange token. See grpc/grpc#19032 and grpc/grpc#19587.
Signed-off-by: JimmyCYJ jimmychen.0102@gmail.com
Risk Level: Low
Testing: Unit test
Signed-off-by: Jimmy Chen <jimmychen.0102@gmail.com>
Mirrored from https://github.com/envoyproxy/envoy @ 46e65a498df7c920065a769860753076f9de16e7
* access_log: add ability to generate JSON access logs preserving data types
Using the new typed JSON format mode, numeric values (e.g. request duration,
response codes, bytes sent, etc) are emitted as json numbers instead of as
json strings. In addition, dynamic metadata and filter state are emitted
as nested structs and lists where appropriate.
Risk Level: medium for users of json logs
Testing: unit tests
Doc Changes: included
Release Notes: included
Fixes: #8374
Signed-off-by: Stephan Zuercher <zuercher@gmail.com>
Mirrored from https://github.com/envoyproxy/envoy @ c7affbc223fae3a5dd104b8d6be4ea29af4042f6
Make TCP listeners supporting SO_REUSEPORT, then each worker thread will create
and listen on socket using same address and port.
Signed-off-by: lhuang8 <lhuang8@ebay.com>
Mirrored from https://github.com/envoyproxy/envoy @ 8534ac8f810de72961b9e4399e14cf24fade7a60
* api: link to previous message type package in API BUILD files.
We need to include the descriptors from the previous message version in
the build. We opt to do this transitively; when you include v3 of a
package, you get the v2 via a transitive dep. This should work based on
alwayslink semantics for cc_library.
The computation of the deps is based on the previous_message_type
annotation, which will allow cross package migrations.
Part of #8082.
Risk level: Low
Testing: Disabled ip_tagging v2 descriptor hack, observed
version_integration_test. After the BUILD changes, this now passes
again.
Signed-off-by: Harvey Tuch <htuch@google.com>
Mirrored from https://github.com/envoyproxy/envoy @ 7f8fb9509d3189819dd253e25ec76e939ae106e7
Adding property use_tcp_for_dns_lookups to bootstrap and cds config, which will instruct dns resolvers to use tcp for DNS queries.
Risk Level: Medium/Low
Fixes#7965
Signed-off-by: Kateryna Nezdolii <nezdolik@spotify.com>
Mirrored from https://github.com/envoyproxy/envoy @ b78fc4e0edc696c2395b7eafbca8cbc62cb0f325
This PR avoids having to include an API type database in the Envoy build
by introducing a message annotation option that allows Envoy to
determine earlier corresponding message types via descriptor inspection.
The ApiTypeDb is now ApiTypeOracle and utilizes these annotations.
Risk level: Low
Testing: Existing API and verison upgrade tests pass.
Signed-off-by: Harvey Tuch <htuch@google.com>
Mirrored from https://github.com/envoyproxy/envoy @ 297f7a73b3f93bccf8af73c0a555ae52bce6cecb
Another bunch of work towards
https://github.com/envoyproxy/envoy/issues/492.
The remaining work is proper wiring up of upstream cluster
management, host health, etc. and documentation. This will
be done in the next PR.
Signed-off-by: Matt Klein <mklein@lyft.com>
Mirrored from https://github.com/envoyproxy/envoy @ 647c1eeba8622bafdd6add1e7997c1f0bda31be5
Add a mechanism for a filter to define the action for a route.
Risk Level: Low
Testing: N/A
Docs Changes: Inline with proto change.
Release Notes: N/A
Fixes#8953.
Signed-off-by: Mark D. Roth <roth@google.com>
Mirrored from https://github.com/envoyproxy/envoy @ a907cff53f6ffb33d9a87b5ef50934626caa1b9e
serialize stream stats for telemetry
Risk Level: low
Testing: unit
Signed-off-by: Kuat Yessenov <kuat@google.com>
Mirrored from https://github.com/envoyproxy/envoy @ 0c5b3571c2d04f9de973012fd1b346aecb6ca5ba
This reverts commit 80aedc1c4a1aecc1616bd1563450c69d04e9568f.
Revert "config: rename NewGrpcMuxImpl -> GrpcMuxImpl (#8919)"
This reverts commit 6d505533304731fcc97041adce1f735431a703d7.
Revert "config: reinstate #8478 (unification of delta and SotW xDS), reverted by #8939 (#8974)"
This reverts commit a37522cf3f15639c8afeb7402f505044815fcf85.
Signed-off-by: Matt Klein <mklein@lyft.com>
Mirrored from https://github.com/envoyproxy/envoy @ 38adf1f02e95cf7a7078cdaa39032b62ca1e2ebf
Description: Bypass the CORS preflight request in the JWT filter
Risk Level: Low
Testing: Added unit test and integration test
Docs Changes: n/a
Release Notes: Added `jwt_authn: added to bypass the CORS preflight request.`
Fixes https://github.com/istio/istio/issues/16171
Signed-off-by: Yangmin Zhu <ymzhu@google.com>
Mirrored from https://github.com/envoyproxy/envoy @ a29a083d9c260422b314ef47ca264b6815e548ab
Introduce new fallback policy for subset load balancer's selectors: KEYS_SUBSET and related LbSubsetSelector config parameter: fallback_keys_subset.
When context metadata matches given selector on keys, but there is no matching subset and KEYS_SUBSET fallback policy is set for that selector, there will be another attempt on subset selector matching. For that consecutive attempt, the context metadata will be reduced to keys included in fallback_keys_subset.
Risk Level: low (no changes in existing features, adding a new feature that is disabled by default). But there is also a small bugfix that can affect existing behaviour.
Testing: Unit tests and manual testing using envoy with static config
Docs: added
Release Notes: added
Fixes: #8767Fixes: #8874
Signed-off-by: Marcin Falkowski <marcin.falkowski@allegro.pl>
Mirrored from https://github.com/envoyproxy/envoy @ b7bef67c256090919a4585a1a06c42f15d640a09
* Add an explicit threat model to the end user facing docs, link to this from SECURITY.md
* Switch all Envoy extensions to use a new macro `envoy_cc_extension`, mandating that extensions declare a security posture. Extensions can also optionally declare `alpha` or `wip` status.
* Tag all documentation sites with their well-known Envoy names.
* Introduce tooling to automagically populate a list of known trusted/untrusted extensions in the threat model docs.
* Generate API docs for extensions that depend on `google.protobuf.Empty`. This pattern is deprecated as per https://github.com/envoyproxy/envoy/issues/8933, but we need these for tooling support meanwhile.
This work was motivated by oss-fuzz issue https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=18370
Signed-off-by: Harvey Tuch <htuch@google.com>
Mirrored from https://github.com/envoyproxy/envoy @ 90d1094b32aa017f90cc8efcd379aeb143acabfc
Set the downstream client X.509 certificate in the source Peer AttributeContext
Risk Level: low
Testing: Tests updated and extended.
Docs Changes: New API additions are documented.
Release Notes: Added.
Fixes#8326
Signed-off-by: Steve Larkin <steve.larkin@volvocars.com>
Mirrored from https://github.com/envoyproxy/envoy @ 766f3fb8dbdafce402631c43c16fda46ed003462
This reverts commit 443bc3345b0e3db99a3df03d52f317697b99d5d7.
Signed-off-by: Matt Klein <mklein@lyft.com>
Mirrored from https://github.com/envoyproxy/envoy @ df6d3bc453167a8e9fd29662280859b4f56f0af8
This has not been implemented, so hide the API from the docs.
Signed-off-by: Snow Pettersen <snowp@squareup.com>
Mirrored from https://github.com/envoyproxy/envoy @ 8e368e4bdfa8f220c5f4cb03ca61587ae1a3d118
Updates protoc-gen-validate to a18376249eb51cdd517f67fe8703897322812e6d and
adds tests to the RBAC common filter code to prove that nested validations
work as expected.
Risk Level: low
Testing: unit test
Doc Changes: n/a
Release Notes: n/a
Fixes: #8715, #5324
Signed-off-by: Stephan Zuercher <zuercher@gmail.com>
Mirrored from https://github.com/envoyproxy/envoy @ 28ce96326e154dba0879b4fa330eb33f29581634
Currently, application logs are not sanitized of c-style escape sequences. If any filter logs a message that contains newline characters, the logs will be printed to a new line. This breaks log formats set by the --log-format option, breaking integration with log viewers.
This change adds a command line option --log-format-escaped to escape c-style escape characters in application logs before they are outputted. Enabling this flag ensures newline characters in logs are ignored, meaning that each call to ENVOY_LOG will result in at most 1 line outputted. This flag works for both Stderr and File loggers.
Risk Level: Low
Testing:
Unit tests
Fuzz test
Manual verification (see comments in PR)
Performance Impact: As long as production environments are running with the default log level, this will only slightly impact startup time (only when --log-format-escaped is set). The critical section for each request/response will not be impacted.
Docs Changes: Added docs to command line options about new flag and possible use cases, like Stackdriver Logging integration on GKE.
Release Notes: Added release notes about new flag
Fixes#8637
Signed-off-by: Teju Nareddy <nareddyt@google.com>
Mirrored from https://github.com/envoyproxy/envoy @ 20ca0ae3bdd9c2a69194203f5e1d2eca92ce2b48
Description:
Adds serialization method to filter state and use from logger if specified.
Risk Level: Low
Testing: CI
Docs Changes: Added
Release Notes: Added
Fixes#8790
Signed-off-by: Lizan Zhou <lizan@tetrate.io>
Mirrored from https://github.com/envoyproxy/envoy @ cf74f816933d1350d7c588a3b8478dd399ce3d18
Description: Tracking load status for LDS using the ConfigDump protos
Risk Level: Medium: major changes to an existing (alpha) system
Testing: new unit tests
Docs Changes: API notes inline
Release Notes: n/a
#8039
Signed-off-by: Alyssa Wilk <alyssar@chromium.org>
Mirrored from https://github.com/envoyproxy/envoy @ 0aed05aecd17576b0dd96f3e4126acd1c24a02bc
Deprecate google.protobuf.Struct config members in the following types:
envoy.api.v2.auth.PrivateKeyProvider
envoy.api.v2.listener.UdpListenerConfig
envoy.config.filter.accesslog.v2.ExtensionFilter
Risk Level: Low
Testing: Unit Test
Docs Changes: N/A
Release Notes: N/A
Fixes: #8403
Signed-off-by: Yan Avlasov <yavlasov@google.com>
Mirrored from https://github.com/envoyproxy/envoy @ d36adbb5c4aad13af21f109b86978b8478f54409
Wires up the upstream side of HTTP/1.1 header formatting and documents the header casing behavior.
Signed-off-by: Snow Pettersen <snowp@squareup.com>
Mirrored from https://github.com/envoyproxy/envoy @ 86420eb64a750fd6025cf5efc8b846c8fe63f0c9
Adds a configuration option that will convert all header keys into
Proper-Case. This is useful to allow Envoy to respond with headers
that match the casing of other systems, to ensure that the wire format
of responses is unchanged when migrating to Envoy.
Fixes#8463
Signed-off-by: Snow Pettersen <snowp@squareup.com>
Mirrored from https://github.com/envoyproxy/envoy @ 7846427d7aafb9e023c38bb6e704262f7c724c92