In order to get file level move annotation, import has to be before options.
Signed-off-by: Lizan Zhou <lizan@tetrate.io>
Mirrored from https://github.com/envoyproxy/envoy @ 062c895f499382ae61dead16db2a7e78b9146525
Description:
Implement `allow_missing` (but not failed) mode for JWT requirement. In this mode, token is not required for JWT filter to pass. However, if a token is presented, it must be valid.
This PR also changes the `allow_missing_or_failed` (and the new `allow_missing`) to consider the provider within the container OR-list, instead of using the global one that has all providers. As a result, each `allow_xxx` will examine the interested tokens list independently. This corrects the behavior when the `allow_xxx` is used multiple times, e.g. in different ORs of an AND-of-OR requirements.
Risk Level: Medium
The PR changes the existing behavior of `allow_missing_or_failed`
Testing:
Unit tests.
Docs Changes: Added
Release Notes: Added
Signed-off-by: Diem Vu <diemvu@google.com>
Mirrored from https://github.com/envoyproxy/envoy @ 74436a6303825e0a6873222efff591ea1001cf87
Setting update_frequency to 0 causes a segfault. Prevent invalid values via validation.
Risk Level: low
Testing: added unit test
Doc Changes: updated
Release Notes: n/a
Signed-off-by: Stephan Zuercher <zuercher@gmail.com>
Mirrored from https://github.com/envoyproxy/envoy @ 3256d60fcb9710f0ffda856e72126fd957796409
The max_request_bytes field is assumed to have a value set that is
greater than zero. The code ASSERTs this and does unpleasant things
if not set. This corrects that built-in assumption. Note that this
field could be a primitive integer with a constraint, but it doesn't
seem worth that churn to fix.
Fixes https://github.com/envoyproxy/envoy/issues/7650
Signed-off-by: Matt Klein <mklein@lyft.com>
Mirrored from https://github.com/envoyproxy/envoy @ a3b15fccf1c4c8318af9493aa263abe07089bfd5
Instead of formatting options heuristically, which will erase new annotations without changing protoxform, use proto descriptor to format options, and enforce its order as well.
Risk Level: Low
Testing: CI
Docs Changes: N/A
Release Notes: N/A
Signed-off-by: Lizan Zhou <lizan@tetrate.io>
Mirrored from https://github.com/envoyproxy/envoy @ dfe687d49574ef7eb1bf84867bf571e805a2bf97
* access_log: add ability to generate JSON access logs preserving data types
Using the new typed JSON format mode, numeric values (e.g. request duration,
response codes, bytes sent, etc) are emitted as json numbers instead of as
json strings. In addition, dynamic metadata and filter state are emitted
as nested structs and lists where appropriate.
Risk Level: medium for users of json logs
Testing: unit tests
Doc Changes: included
Release Notes: included
Fixes: #8374
Signed-off-by: Stephan Zuercher <zuercher@gmail.com>
Mirrored from https://github.com/envoyproxy/envoy @ c7affbc223fae3a5dd104b8d6be4ea29af4042f6
* api: link to previous message type package in API BUILD files.
We need to include the descriptors from the previous message version in
the build. We opt to do this transitively; when you include v3 of a
package, you get the v2 via a transitive dep. This should work based on
alwayslink semantics for cc_library.
The computation of the deps is based on the previous_message_type
annotation, which will allow cross package migrations.
Part of #8082.
Risk level: Low
Testing: Disabled ip_tagging v2 descriptor hack, observed
version_integration_test. After the BUILD changes, this now passes
again.
Signed-off-by: Harvey Tuch <htuch@google.com>
Mirrored from https://github.com/envoyproxy/envoy @ 7f8fb9509d3189819dd253e25ec76e939ae106e7
Adding property use_tcp_for_dns_lookups to bootstrap and cds config, which will instruct dns resolvers to use tcp for DNS queries.
Risk Level: Medium/Low
Fixes #7965
Signed-off-by: Kateryna Nezdolii <nezdolik@spotify.com>
Mirrored from https://github.com/envoyproxy/envoy @ b78fc4e0edc696c2395b7eafbca8cbc62cb0f325
This PR avoids having to include an API type database in the Envoy build
by introducing a message annotation option that allows Envoy to
determine earlier corresponding message types via descriptor inspection.
The ApiTypeDb is now ApiTypeOracle and utilizes these annotations.
Risk level: Low
Testing: Existing API and version upgrade tests pass.
Signed-off-by: Harvey Tuch <htuch@google.com>
Mirrored from https://github.com/envoyproxy/envoy @ 297f7a73b3f93bccf8af73c0a555ae52bce6cecb
Another bunch of work towards
https://github.com/envoyproxy/envoy/issues/492.
The remaining work is proper wiring up of upstream cluster
management, host health, etc. and documentation. This will
be done in the next PR.
Signed-off-by: Matt Klein <mklein@lyft.com>
Mirrored from https://github.com/envoyproxy/envoy @ 647c1eeba8622bafdd6add1e7997c1f0bda31be5
serialize stream stats for telemetry
Risk Level: low
Testing: unit
Signed-off-by: Kuat Yessenov <kuat@google.com>
Mirrored from https://github.com/envoyproxy/envoy @ 0c5b3571c2d04f9de973012fd1b346aecb6ca5ba
Description: Bypass the CORS preflight request in the JWT filter
Risk Level: Low
Testing: Added unit test and integration test
Docs Changes: n/a
Release Notes: Added `jwt_authn: added to bypass the CORS preflight request.`
Fixes https://github.com/istio/istio/issues/16171
Signed-off-by: Yangmin Zhu <ymzhu@google.com>
Mirrored from https://github.com/envoyproxy/envoy @ a29a083d9c260422b314ef47ca264b6815e548ab
* Add an explicit threat model to the end user facing docs, link to this from SECURITY.md
* Switch all Envoy extensions to use a new macro `envoy_cc_extension`, mandating that extensions declare a security posture. Extensions can also optionally declare `alpha` or `wip` status.
* Tag all documentation sites with their well-known Envoy names.
* Introduce tooling to automagically populate a list of known trusted/untrusted extensions in the threat model docs.
* Generate API docs for extensions that depend on `google.protobuf.Empty`. This pattern is deprecated as per https://github.com/envoyproxy/envoy/issues/8933, but we need these for tooling support meanwhile.
This work was motivated by oss-fuzz issue https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=18370
Signed-off-by: Harvey Tuch <htuch@google.com>
Mirrored from https://github.com/envoyproxy/envoy @ 90d1094b32aa017f90cc8efcd379aeb143acabfc
Set the downstream client X.509 certificate in the source Peer AttributeContext
Risk Level: low
Testing: Tests updated and extended.
Docs Changes: New API additions are documented.
Release Notes: Added.
Fixes #8326
Signed-off-by: Steve Larkin <steve.larkin@volvocars.com>
Mirrored from https://github.com/envoyproxy/envoy @ 766f3fb8dbdafce402631c43c16fda46ed003462
Description:
Adds serialization method to filter state and use from logger if specified.
Risk Level: Low
Testing: CI
Docs Changes: Added
Release Notes: Added
Fixes #8790
Signed-off-by: Lizan Zhou <lizan@tetrate.io>
Mirrored from https://github.com/envoyproxy/envoy @ cf74f816933d1350d7c588a3b8478dd399ce3d18
Deprecate google.protobuf.Struct config members in the following types:
envoy.api.v2.auth.PrivateKeyProvider
envoy.api.v2.listener.UdpListenerConfig
envoy.config.filter.accesslog.v2.ExtensionFilter
Risk Level: Low
Testing: Unit Test
Docs Changes: N/A
Release Notes: N/A
Fixes: #8403
Signed-off-by: Yan Avlasov <yavlasov@google.com>
Mirrored from https://github.com/envoyproxy/envoy @ d36adbb5c4aad13af21f109b86978b8478f54409
Fix PGV location references and TODOs. Remove some unused imports.
Risk Level: Low (locations in comments and simple TODOs as outlined by @htuch)
Testing: bazel build @envoy_api//envoy/..., bazel test //test/...
Signed-off-by: Michael Payne <michael@sooper.org>
Mirrored from https://github.com/envoyproxy/envoy @ 68ca6746d168c6cea26d21479ef50b2be9aaa25d
A skeleton tracer to incrementally add support for AWS X-Ray
Risk Level: Low
Testing: unit tests for functionality in util - the rest of files have no business logic to test yet
Signed-off-by: Marco Magdy <mmagdy@gmail.com>
Mirrored from https://github.com/envoyproxy/envoy @ f68368f1a497d8f9254a714c2694cee88477438d
Modifies the pedantic spell checker to better handle camel-case words.
Each part of the word is now treated as a separate error in both the check
and fix modes.
Disables run-together mode for aspell, which allowed typos such as
"mananger" (man + anger). Fixes the resulting spelling errors.
Miscellaneous other fixes:
* Provides an option to replace a word without adding the word to the
dictionary (in case aspell's suggestions do not contain the correct
replacement).
* Fixes a bug in the script when no suggestions are returned by aspell.
* Checks the dictionary and added words for invalid characters that cause
aspell errors at dictionary load time.
* Sets the mark flag when in CI runs so that misspelled words are indicated.
* Culls words from the dictionary that are no longer in the codebase, or are
otherwise not needed.
Risk Level: low (comments only)
Testing: n/a
Doc Changes: n/a
Release Notes: n/a
Fixes: #8481
Signed-off-by: Stephan Zuercher <zuercher@gmail.com>
Mirrored from https://github.com/envoyproxy/envoy @ de70fe54cdba6b022b3971379afa535f402f2ffe
Signed-off-by: Manuel Jurado <manuel.jurado@socialpoint.es>
Mirrored from https://github.com/envoyproxy/envoy @ e0e94c5a52ee692468fd2b802a0430dd5b35854f
This reverts commit 596cd4894c8ecd536c1da1dddecaae3531f269ea.
Signed-off-by: Matt Klein <mklein@lyft.com>
Mirrored from https://github.com/envoyproxy/envoy @ 8c4afa6fee5e104c7b195657a3c22e23f062eb11
Modifies the pedantic spell checker to better handle camel-case words.
Each part of the word is now treated as a separate error in both the check
and fix modes.
Disables run-together mode for aspell, which allowed typos such as
"mananger" (man + anger). Fixes the resulting spelling errors.
Miscellaneous other fixes:
* Provides an option to replace a word without adding the word to the
dictionary (in case aspell's suggestions do not contain the correct
replacement).
* Fixes a bug in the script when no suggestions are returned by aspell.
* Checks the dictionary and added words for invalid characters that cause
aspell errors at dictionary load time.
* Sets the mark flag when in CI runs so that misspelled words are indicated.
* Culls words from the dictionary that are no longer in the codebase, or are
otherwise not needed.
Risk Level: low (comments only)
Testing: n/a
Doc Changes: n/a
Release Notes: n/a
Fixes: #8481
Signed-off-by: Stephan Zuercher <zuercher@gmail.com>
Mirrored from https://github.com/envoyproxy/envoy @ 596cd4894c8ecd536c1da1dddecaae3531f269ea
Generate or format next free field annotation via protoxform.
Risk Level: low
Testing: N/A
Docs Changes: N/A
Release Notes: N/A
Fixes #8429
Signed-off-by: Yi Tang <ssnailtang@gmail.com>
Mirrored from https://github.com/envoyproxy/envoy @ 986173ed516dcc1c3dea7db90659ed993d0aad75