Signed-off-by: Michael Kaufmann <michael.kaufmann@ergon.ch>
Mirrored from https://github.com/envoyproxy/envoy @ e83b53cf138626d0255b4aad2045fcebb47b5d6e
* Revert "api: introduce the private key provider list field (#28215)"
This reverts commit b24ea1e75aea899d5106f2a10ddc8f3ef975fe20.
Signed-off-by: He Jie Xu <hejie.xu@intel.com>
* Add fallback to PrivateKeyProvider
Signed-off-by: He Jie Xu <hejie.xu@intel.com>
---------
Signed-off-by: He Jie Xu <hejie.xu@intel.com>
Mirrored from https://github.com/envoyproxy/envoy @ 209dff813fc0bed403a11aa0abcb12342b64d7f7
* Deprecate OpenTracing
* Change security_posture to `unknown`. The OT extension is no longer covered by security process.
---------
Signed-off-by: Ryan Hamilton <rch@google.com>
Mirrored from https://github.com/envoyproxy/envoy @ 494c716cefcf98bc30773f0bd850d9a3788a1615
This is the implementation to address issue: #28698.
It's a follow-up PR to #28907.
Signed-off-by: Yanjun Xiang <yanjunxiang@google.com>
Mirrored from https://github.com/envoyproxy/envoy @ 00309b2db645d5ffba9f8e398f6fc9c21067b7c6
This is the API change to address issue: #28698
Signed-off-by: Yanjun Xiang <yanjunxiang@google.com>
Mirrored from https://github.com/envoyproxy/envoy @ 3efdbd7261b9f29bfdd5d57521c769fb8b43bdc9
Commit Message: add knobs to set QUIC connection options and client connection options
Additional Description: This allows Envoy Mobile applications to set Quiche's connection options so that more performance tuning can be done.
Risk Level: Low
Testing: Unit tests
Docs Changes: n/a
Release Notes: n/a
Platform Specific Features: Mobile only
Signed-off-by: Renjie Tang <renjietang@google.com>
Mirrored from https://github.com/envoyproxy/envoy @ 450dd5bc89d7b8994c88614333328097128caeb1
* Implement deferred clusters on worker. We initialize certain clusters on
workers inline when there's traffic for that cluster.
Signed-off-by: Kevin Baichoo <kbaichoo@google.com>
Mirrored from https://github.com/envoyproxy/envoy @ 4aaf17dce6e6c2dfde384f3e496b63363da2aac8
* Avoid sending an empty body to the ext_proc server if decodeData() is not called
Signed-off-by: Yanjun Xiang <yanjunxiang@google.com>
Mirrored from https://github.com/envoyproxy/envoy @ 5e4f35055a30f0990430664d74f6060a2a5ff20a
* Add UHV config to strip URL fragment
Signed-off-by: Yan Avlasov <yavlasov@google.com>
Mirrored from https://github.com/envoyproxy/envoy @ 1fe0dd5b9e0d33e59917247552f918adc835e596
Commit 664f3fce4730544f34ae767e10150fb6be11cdc6 changed how this data
is handled, but was only intended to apply when calling grpc_service.
Fixes #27386
Signed-off-by: Greg Greenway <ggreenway@apple.com>
Mirrored from https://github.com/envoyproxy/envoy @ 6b276066f4704abbbc870ed2bb71e3225476a1a2
* Add header forwarding disallow list support for ext_proc filter.
Signed-off-by: Yanjun Xiang <yanjunxiang@google.com>
Mirrored from https://github.com/envoyproxy/envoy @ 852326772e76621cb495b38cec571d60ac8493b5
Commit Message: add the proto for the new http filter GrpcFieldExtraction we are going to contribute.
Additional Description: please see the proto comments for this filter's behavior. Thanks @yanavlasov who is willing to be the sponsor.
Risk Level: NA
Testing: NA
Docs Changes: NA
Release Notes: NA
Mirrored from https://github.com/envoyproxy/envoy @ 46a05a6e79b17b64406c83930d3065a545a04cbd
This is to address a use case when a header should be modified only when it exists and should not be added when it does not exist.
Risk Level: Low
Testing: Unit tests.
Docs Changes: Yes.
Release Notes: Yes
Platform Specific Features: No
Fixes #27907
Signed-off-by: Christoph Pakulski <christoph@tetrate.io>
Mirrored from https://github.com/envoyproxy/envoy @ d9ba9d17016296c50069584905dee1a19427d42e
This is to address issue: #28243
The value_bytes proto is added by #27865.
Signed-off-by: Yanjun Xiang <yanjunxiang@google.com>
Mirrored from https://github.com/envoyproxy/envoy @ 8a2d9502638789b1d078f06f48b51918589a1f4a
The BoringSSL team is going to set `enforce_rsa_key_usage` to true very soon. If it is true, the handshake will fail if the keyUsage extension is present and incompatible with the TLS usage. However, the backend services/VMs might not be ready for this change, and it had caused an outage. I think this is also applicable to OSS Envoy customers, since their certificates may not be ready either.
Change:
- Add the config field to control `enforce_rsa_key_usage`. It is false by default now but can be changed to true (which is aligned with BoringSSL's request) later once the customers are ready.
- Set it when ClientContext's SSL object is created. This SSL object will be used later in the SSL handshake.
- It is added in the `upstreamTlsContext` proto and set in `ClientContext` because this change in BoringSSL only affects Envoy->Backend (Upstream TLS) but not Client->Envoy (Downstream TLS).
- Add stats to track/report the invalid use case by leveraging SSL_was_key_usage_invalid API introduced [here](a614d46d40)
- Improve the error handling/report for `SSL_ERROR_SYSCALL`
Signed-off-by: tyxia <tyxia@google.com>
Mirrored from https://github.com/envoyproxy/envoy @ c5d578bdf109b90c1b93e888dae6cb45de6309f7
tap: Fix the protobuf to PCAP generation failure
When running 'bazel run @envoy_api//tools:tap2pcap path_0.pb path_0.pcap':
    ...
    Traceback (most recent call last):
      File "..../tools/tap2pcap.runfiles/envoy_api/tools/tap2pcap.py", line 88, in <module>
        tap2pcap(sys.argv[1], sys.argv[2])
      File "..../tools/tap2pcap.runfiles/envoy_api/tools/tap2pcap.py", line 53, in tap2pcap
        wrapper.ParseFromString(f.read())
                                ^^^^^^^^
      File "<frozen codecs>", line 322, in decode
    UnicodeDecodeError: 'utf-8' codec can't decode byte 0xb8 in position 1: invalid start byte
    ...
The protobuf file is in binary format; opening this file in binary mode
will help to generate the PCAP file successfully.
Signed-off-by: Haiyue Wang <haiyue.wang@intel.com>
Mirrored from https://github.com/envoyproxy/envoy @ c1cae43bed0cd91b423dafa388a370a27cb163e7
One can specify a MetadataKey with a path selector to pick up a host
from the dynamic metadata of the request or downstream. The selected
value can either be a string or a list with at least a single
element of string type. Request metadata is considered first.
Signed-off-by: Andrii Chabykin <chabster@google.com>
Mirrored from https://github.com/envoyproxy/envoy @ 10468b320421cb14d7911b4e6d139cc18780fb1a
* Turn ext_proc into API stable.
Signed-off-by: Yanjun Xiang <yanjunxiang@google.com>
Mirrored from https://github.com/envoyproxy/envoy @ 4e5031013746a0768e9a3065dbab08b70eaf3c05