This PR contains the following changes:
* SIP Proxy extension TRA API updated to send additional SIP context (method type and from header), so TRA service can use this information for customized affinity management.
* Fix an error with decoding of SIP headers with a valid format causing Envoy proxy to crash in case of empty header fields.
Risk Level: Low
Testing: Unit tests
Docs Changes: None
Release Notes: None
Platform Specific Features: None
Signed-off-by: Jonah Murphy <jonamurp@cisco.com>
Signed-off-by: Adrian Rejas Conde <arejasco@cisco.com>
Mirrored from https://github.com/envoyproxy/envoy @ 09549da9045d9c85ffaf851b6d740de0b507708f
When rotating passwords, we need to support multiple passwords for graceful
deployment/rollout. This change adds support for multiple passwords in AUTH,
for both old auth and new ACL based one.
Signed-off-by: Suresh Kumar <sureshkumar.pp@gmail.com>
Signed-off-by: Suresh Kumar <suresh.ponnusamy@freshworks.com>
Mirrored from https://github.com/envoyproxy/envoy @ 8ef5da2cee7328d24f80aa816aad0f4f22d6f1e0
Creates a transport socket for HTP/1.1 proxy support.
With the combination of the transport socket, and a filter putting the proxy stream info in place this will
redirect TCP connections to the proxy IP address
prefix TLS connections with cleartext CONECT headers to the destination host, and strip CONNECT response
change cleartext HTTP/1.1 to send fully qualified URLs
Risk Level: medium (intended as a no op but it does have data plane refactory)
Testing: new unit, integration tests
Docs Changes: n/a
Part of envoyproxy/envoy-mobile#1622
Signed-off-by: Alyssa Wilk <alyssar@chromium.org>
Mirrored from https://github.com/envoyproxy/envoy @ 095f4ca336d3d705e629b207fb2cbbc22d29db8f
This cycles proto deps and creates a descriptor file from them.
This will allow other proto plugins to call protoc with the descriptor
file and just their `direct_sources` and not all of the `transitive_sources`
Signed-off-by: Ryan Northey <ryan@synca.io>
Mirrored from https://github.com/envoyproxy/envoy @ 00aab5c9c89b16435633613e5e57374f28cd7e26
Signed-off-by: Jacek Ewertowski jacek.ewertowski1@gmail.com
Commit Message: tcp_proxy: support command operators in tunneling_config.hostname
Additional Description: This change enables dynamically setting tunneling_config.hostname with command operators.
This pull request is an alternative for auto_sni.
This change allows to configure TCP proxy as follows:
```
tunneling_config:
hostname: %REQUESTED_SERVER_NAME%:443
```
Risk Level: Low
Testing: added unit tests
Docs Changes: done
Release Notes: done
Platform Specific Features: none
Fixes#19612Fixes#21804
Mirrored from https://github.com/envoyproxy/envoy @ 764a2e9fbb06e2f27fd6775fdc0ed78313b94157
Commit Message: Adds a new flag for filter state objects that indicates the intent to share with the upstream.
Additional Description: Follow-up to #19809. There have been multiple reports of unexpected lifecycle changes for the filter state objects because they are stored in the transport socket options. This PR addresses this issue by introducing a new mark for filter state that explicitly changes the usage of filter state objects:
marked objects always participate in the connection pool hashing (generalizing and simplifying transport sockets: support passthrough state for internal connections #19435);
marked objects are copied by reference to the upstream info - this allows sharing state between downstream and upstream (and further down the chain, the internal listeners).
Risk Level: medium, revert to the original behavior prior to #19809
Testing: yes
Docs Changes: yes
Release Notes: yes
Mirrored from https://github.com/envoyproxy/envoy @ 18212bb6395af308d895f75352f82df522b038b4
Signed-off-by: Sergii Tkachenko <sergiitk@google.com>
Co-authored-by: Yan Avlasov <yavlasov@google.com>
Co-authored-by: Matt Klein <mattklein123@gmail.com>
Mirrored from https://github.com/envoyproxy/envoy @ 259d76ef89bc008db6620497c424a3ca3fe97d88
Follow-up to #21707 with a focus on back-filling more extension type URLs. Renames extensions_build_config and extensions_metadata to the names in the internal extension registry. For preserve_case, we deprecate the short name with the fully qualified name (both names are valid in the interim).
Risk Level: medium, only preserve_case name changes
Testing: regression
Docs Changes: yes
Release Notes: yes
Signed-off-by: Kuat Yessenov <kuat@google.com>
Mirrored from https://github.com/envoyproxy/envoy @ 7c04dda02a61c4866b6cc7273c776d62dd3fb127
The patch does following up jobs of #21633,
1. removes deprecated fields of regex matching in docs and examples,
2. add the missing deprecation changelog,
3. add the missing extension category and extensions.
Risk Level: Low
Testing: N/A
Docs Changes: Yes (examples)
Release Notes: Added
Platform Specific Features: N/A
Signed-off-by: Xie Zhihao <zhihao.xie@intel.com>
Mirrored from https://github.com/envoyproxy/envoy @ aa8da5554ae8bdf8c85229cc2594ec7d8dee6edb
Updated `grpc-httpjson-transcoding` repo to have this [change](grpc-ecosystem/grpc-httpjson-transcoding#70).
Additional Description:
grpc_json_transcoder: to support reject request if binding and body value are conflict
Risk Level: Low
Testing: unit test
Docs Changes: N/A
Release Notes: Add an option in grpc_json_transcoder to support reject request if binding and body value are conflict.
Platform Specific Features: N/A
Signed-off-by: yangshuo <yangshuo@google.com>
Mirrored from https://github.com/envoyproxy/envoy @ f40d62f6a2e11486f397c688ffc6c01a85738582
Part of #20389. Most of the formatters used in header manipulation are also present in substitution access log formatters. However, UPSTREAM_METADATA was not present in access log formatters.
Also, as noted in #17457 all xxxx_METADATA will be eventually replaced my METADATA(xxxx,...) so this PR also extends METADATA formatter.
api changes are trivial and limited to comments.
Risk Level: Low
Testing: Added unit tests.
Docs Changes: Yes.
Release Notes: Yes
Signed-off-by: Christoph Pakulski <christoph@tetrate.io>
Mirrored from https://github.com/envoyproxy/envoy @ 380a328f7e32e4d18d31cba82bac7143904e0536
initially this will only check for "unused imports" but we can expand
as other linting rules are met.
Signed-off-by: Ryan Northey <ryan@synca.io>
Mirrored from https://github.com/envoyproxy/envoy @ e9f492281f9f905b6bedcbbb334c370b36c56fb2
Implements a special transport socket for transferring state (metadata and filter state) over the internal connection.
This transport socket captures a subset of endpoint metadata, cluster metadata, and stream filter state in the user space socket. When an internal listener accepts a user space socket connection, it immediately merges this passthrough state into the connection stream info. Because the state can be transferred from HTTP stream to TCP stream, this transport socket also participates in the hashing decisions in the HTTP connection pools.
Commit Message: Add passhtrough state over internal connection.
Risk Level: low, new extension
Testing: WIP
Docs Changes: yes
Release Notes: yes
Platform Specific Features:
Fixes: #19274
Signed-off-by: Kuat Yessenov <kuat@google.com>
Mirrored from https://github.com/envoyproxy/envoy @ 637a92a56e2739b5f78441c337171968f18b46ee
Add support for injecting regex engine with its options on startup in a bootstrap option. These are some API, runtime and implementation changes.
* google_re2 in safe_regex will be deprecated and no longer be required. Regex::parseRegex will choose the registered regex engine to parse expressions into matchers.
* A new bootstrap option default_regex_engine will be introduced for regex engine selection.
* For compatibility, GoogleRE2 will be chosen as default regex engine if no regex engine is designated.
Signed-off-by: Xie Zhihao <zhihao.xie@intel.com>
Mirrored from https://github.com/envoyproxy/envoy @ 0a92cc86e7f8b88d5af0eb2e27b5c7ef64719e56
Signed-off-by: Xie Zhihao zhihao.xie@intel.com
Commit Message: rbac: add unified matcher for RBAC filters
Additional Description:
The patch add the matching API support for both RBAC network filter and HTTP filter. Users can configure rules and shadow rules in either policies or the matching API manner. There are some incompatibilities, TODOs and behavior changes compared to the policies way.
RBAC matchers are not compatible with the matching API.
URL path and CEL are not supported in the matching API. These matchers may come as custom matcher.
Metadata is not supported in the matching API. These matchers may come as inputs.
Connections and requests with no matcher matched will always be denied.
Risk Level: Medium
Testing: Unit and integration
Docs Changes: API and configuration
Release Notes: WIP
Platform Specific Features: N/A
Fixes#20623
Mirrored from https://github.com/envoyproxy/envoy @ 42cb84456d53d053eb1ae94680d07a74f4545a48
Commit Message: add stats prefix for route
Additional Description: Adds API for stats generation support per route.
Risk Level: Low
Testing:
Docs Changes:
Release Notes:
Platform Specific Features:
API for #3351
Signed-off-by: Rama Chavali <rama.rao@salesforce.com>
Mirrored from https://github.com/envoyproxy/envoy @ 7b937e8cd5796cf19d14f20abcb6be81f149c68b
Risk Level: low (and config guarded)
Testing: new unit, integration tests
Docs Changes: in with APIs
Release Notes: inline
part of envoyproxy/envoy-mobile#1622
Signed-off-by: Alyssa Wilk <alyssar@chromium.org>
Mirrored from https://github.com/envoyproxy/envoy @ 71f7f2c54b4c7c8b3c076ad22d849914c25f62e8
Make sure a config option is a valid header name.
Signed-off-by: Andre Vehreschild <vehre@x41-dsec.de>
Mirrored from https://github.com/envoyproxy/envoy @ 2db5f021551b67cb37c49ca769bf1ab659897bc9
The default value of most_specific_header_mutations_wins is false.
Signed-off-by: derekguo001 <dong.guo@intel.com>
Mirrored from https://github.com/envoyproxy/envoy @ 774bcedf31ac495f4ccb9df5d702f2be6d169079