This is a followup to #13950 in which the transport API is also
fatal-by-default.
Risk level: High (this will break anyone who is still using v2 and has
not enabled CLI or runtime override)
Testing: Various tests updated as described above. New unit test added
for bootstrap to server_test and to ads_integration_test for
dynamic rejection behavior. api_version_integration_test continues to
provide the definitive cross-version transport API integration test.
Release Notes: Same as #13950.
Signed-off-by: Harvey Tuch <htuch@google.com>
Mirrored from https://github.com/envoyproxy/envoy @ 9093131e2a01d368566741943e112fa629c96725
Add functionality to configure kill header in KillRequest proto. If configured in the proto, it will override the default kill header.
Risk Level: Low, new feature.
Testing: Unit/integration tests.
Docs Changes: Added
Release Notes: Added
Issue: #13978
Signed-off-by: qqustc@gmail.com <qqin@google.com>
Mirrored from https://github.com/envoyproxy/envoy @ 1d44c27ff7d4ebdfbfd9a6acbcecf9631b107e30
As per discussion summarized in
#13555 (comment), we will not use structured
xdstp:// names/locators in the API initially. Instead, we will re-use existing string fields for
names and special case any name with a xdstp: prefix. We leave open the option of introducing
structured representation, in particular for efficiency wins, at a later point.
Risk level: Low (not in use yet)
Testing: CI
Signed-off-by: Harvey Tuch <htuch@google.com>
Mirrored from https://github.com/envoyproxy/envoy @ d1ded6b381ca92cbacb2e0683adf997239b12272
* xds: refactor and update API principles.
* Remove API_OVERVIEW.md, the content here is really stale and reflects
the v1 -> v2 migration. There is little content here of use.
* Move API principles from API_OVERVIEW.md to STYLE.md.
* Update some of the principles, in particular expressing client/server
directional neutrality and avoiding breaking changes that don't bring
major user facing wins.
* APIs should be human readable.
Signed-off-by: Harvey Tuch <htuch@google.com>
Mirrored from https://github.com/envoyproxy/envoy @ 6ca4644073da6d9930ba45d90d57d8c9b2062962
This introduces a new filter called the "external processing filter." It is intended to allow an external service to be able to operate as if it were part of the filter chain using a gRPC stream. It is intended to support a variety of use cases in which processing of HTTP requests and responses by an external service is desired.
A document that describes the filter can be found here:
https://docs.google.com/document/d/1IZqm5IUnG9gc2VqwGaN5C2TZAD9_QbsY9Vvy5vr9Zmw/edit#heading=h.3zlthggr9vvv
Signed-off-by: Gregory Brail <gregbrail@google.com>
Mirrored from https://github.com/envoyproxy/envoy @ 98d2f3b553b87c3e935f57ba15b4faf68b45d7f0
Replacing the http-protocol-specific fields in the cluster config with a new plugin
Risk Level: medium
Testing: updated tests to use the new config
Docs Changes: updated docs to use the new config
Release Notes: deprecation notes in the PR
Deprecated: all http-specific cluster config.
Signed-off-by: Alyssa Wilk <alyssar@chromium.org>
Mirrored from https://github.com/envoyproxy/envoy @ 7554d61bccf136638bdfb383c10d049dc8bd3790
Add a KillRequest HTTP filter which can crash Envoy when receiving a Kill request. It will be used to fault inject kill request to Envoy and measure the blast radius.
Risk Level: Low, new feature.
Testing: Unit/integration tests.
Docs Changes: Added
Release Notes: Added
Issue: #13978
Signed-off-by: Qin Qin <qqin@google.com>
Mirrored from https://github.com/envoyproxy/envoy @ 237b29d6399953f22a47c6e4d19df74b4fbcee8d
Fixes#13082
Support skip decoding data after metadata in the thrift message.
In payload_passthrough mode, there are some issues:
Envoy cannot detect some errors and exceptions ( e.g. a reply that contains exceptions ). It's possible to improve this by peeking beginning of the payload.
payload_passthrough controls both request and response path. It can be split into two options if we want more fine-grained control.
FilterStatus passthroughData(Buffer::Instance& data, uint64_t bytes_to_passthrough) will not prohibit custom filters to modify buffer. Now it is assumed custom filters won't do that, otherwise behavior is undefined.
Risk Level: Medium
Testing:
unit test:
config
decoder
router
conn_manager
integration:
add an parameter payload_passthrough
manual:
send requests and verify responses
Signed-off-by: Tong Cai <caitong93@gmail.com>
Mirrored from https://github.com/envoyproxy/envoy @ 2aee439cd15762cecda768a481b33bd88c999086
As per the decision to move the cncf/udpa repository to cncf/xds branding.
Also updated cncf/udpa hash and updated identifier handling (moved from repeated to a flat string).
Risk level: Low (the only breaking API changes affect not-implemented-hide fields).
Testing: New unit tests for path components.
Signed-off-by: Harvey Tuch <htuch@google.com>
Mirrored from https://github.com/envoyproxy/envoy @ 8c4a3c77a7de016a118aacc4cea933951b85e589
#10526 allowed tracers to use CDS clusters. But zipkin proto doc still says bootstrap cluster is mandatory
Risk Level: Low
Testing: N/A
Signed-off-by: Rama Chavali <rama.rao@salesforce.com>
Mirrored from https://github.com/envoyproxy/envoy @ 6706d4413ad168d58267ee456428e56c9f0f78a5
When verifying Jwt clock constraint, it is recommend to use some clock skew. grpc is using 1 minute clock [skew](4645da201a/src/core/lib/security/credentials/jwt/jwt_verifier.cc (L388-L389)).
[jwt_verify_lib](https://github.com/google/jwt_verify_lib/pull/57) has been updated to add 1 minute clock skew.
In the old code, time constraint verification is done in jwt_authn filter, and jwt_verify_lib::verifyJwt() is doing time constraint verification again.
Change jwt_verify_lib to split the time constraint verification to Jwt class so it can be called separately. And call verify() without the time checking.
Risk Level: None
Testing: unit-test is done in jwt_verify_lib repo
Docs Changes: None
Release Notes: Added
Signed-off-by: Wayne Zhang <qiwzhang@google.com>
Mirrored from https://github.com/envoyproxy/envoy @ cd684e76bda80e140ab90573815f1990ec6f2a6f
Some followup docs tweaks to #13721.
Signed-off-by: Harvey Tuch <htuch@google.com>
Mirrored from https://github.com/envoyproxy/envoy @ dac6e58738d64b15ea26d1641906b68c16d55616
There are a few limitations in our existing support for symlink-based
key rotation:
We don't atomically resolve symlinks, so a single snapshot might have
inconsistent symlink resolutions for different watched files.
Watches are on parent directories, e.g. for /foo/bar/baz on /foo/bar,
which doesn't support common key rotation schemes were /foo/new/baz
is rotated via a mv -Tf /foo/new /foo/bar.
The solution is to provide a structured WatchedDirectory for Secrets to
opt into when monitoring DataSources. SDS will used WatchedDirectory
to setup the inotify watch instead of the DataSource path. On update, it will
read key/cert twice, verifying file content hash consistency.
Risk level: Low (opt-in feature)
Testing: Unit and integration tests added.
Fixes#13663Fixes#10979Fixes#13370
Signed-off-by: Harvey Tuch <htuch@google.com>
Mirrored from https://github.com/envoyproxy/envoy @ 122257ef6ade0009feafc3c9142d480260fe069f
Add a new config field for an additional timeout that will cancel
streams that take too long to send headers, and implement it in the
HTTP Connection Manager.
Signed-off-by: Alex Konradi <akonradi@google.com>
Mirrored from https://github.com/envoyproxy/envoy @ e1c138b427ff9bcdf5ebcb2639cc2d22f98ac1a8
This patch adds a new tracer to support the SkyWalking tracing mechanism and format.
Risk Level: Low, a new extension.
Testing: Unit
Docs Changes: Added
Release Notes: Added
Signed-off-by: wbpcode <comems@msn.com>
Mirrored from https://github.com/envoyproxy/envoy @ 7d0f89b1011503ecd22f28e347cf7f76cba73057
Adding support on per-route config with following goal: not to do RouteMatch twice. Currently the filter is using RouteMatch to match a request with a specific Jwt requirement. But RouteMatch is also performed at routing, so the RouteMatch is done twice.
If a Jwt requirement can be specified at the per-route config, one of RouteMatch can be eliminated.
1) Add a `requirement_map` to associate a requirement_name with a JwtRequirement in the filter config `JwtAuthentication`.
2) Add per-route-config as followings:
* a requirement_name to specify a JwtRequirement. or
* `disabled` flag to bypass Jwt verification if it is true.
Risk Level: None. Added a new feature, old features are not impacted.
Testing: Added unit-tests and integration tests.
Docs Changes: Yes
Release Notes: Added
Platform Specific Features: None
Signed-off-by: Wayne Zhang <qiwzhang@google.com>
Mirrored from https://github.com/envoyproxy/envoy @ fe74d85d7d916eb975342e8298f2dc76279c1978
Adds support for per resource TTL for both Delta and SOTW xDS. This allows the server to direct Envoy to remove the resources in the case of control plane unavailability.
Signed-off-by: Snow Pettersen <snowp@lyft.com>
Co-authored-by: Bill Gallagher <bgallagher@lyft.com>
Mirrored from https://github.com/envoyproxy/envoy @ b2b3978afb25c5d2c3ca6b344071b285e8820da1
Adds a configurable timeout for the amount of time a downstream client is allowed to finish the transport-level connect before the connection is forcefully terminated. This can be used to require that a client finishes the TLS handshake in a bounded amount of time.
Signed-off-by: Alex Konradi <akonradi@google.com>
Mirrored from https://github.com/envoyproxy/envoy @ 2d0a2f67eccc741f8d093c56b1ed4ea3f1382c06
Add flag protected checks for frame flood and abuse by upstream servers
Signed-off-by: Yan Avlasov <yavlasov@google.com>
Mirrored from https://github.com/envoyproxy/envoy @ 6b0f592dd34819fe094de9c6d11695e806bdd1d2
The comment in v3 version was missing the "If specified.." clause from the v2 version of that comment
Risk Level: low
Testing: Ran ./ci/run_envoy_docker.sh './ci/do_ci.sh fix_format'
Docs Changes: comment in a proto file changed
Signed-off-by: Sanjay Pujare <sanjaypujare@google.com>
Mirrored from https://github.com/envoyproxy/envoy @ f8e453fb43d5545730ddc90e10da541154d690b6
Clarify that the server may not resend resources upon stream restart only if it has some way to know that the client is not subscribing to new resources that it wasn't previously subscribed to.
Risk Level: Low
Testing: N/A
Docs Changes: Included in PR
Clarifies text added in #12580.
Signed-off-by: Mark D. Roth <roth@google.com>
Mirrored from https://github.com/envoyproxy/envoy @ adc569c6e9b44a90d703a828ccb7162923e7368e
The use of last_updated was ambiguous (is it when an Envoy contributor
creates a PR, merges a commit, or when the dependency is released?).
We really are after the release date as a measure of how stale the
dependency is.
This patch introduces a tool, tools/dependency/release_dates.py, that
uses the GitHub API to compute release date. If a mismatch is detected, an
error is raised.
This patch also introduces a dependency validation CI job that gathers existing
scripts and the release_dates.py script into a single job.
Signed-off-by: Harvey Tuch <htuch@google.com>
Co-authored-by: Michael Payne <michael@sooper.org>
Mirrored from https://github.com/envoyproxy/envoy @ 91f2bb75a34e1068dcc91de1cafca9dad92feecb
Use abort action as a default if killing is enabled and we're on a supported platform.
Risk Level: low
Testing: unit tests
Docs Changes: Included
Release Notes: Included
See PR #13208 for context as the reason it's part of core envoy and not an extension.
Signed-off-by: Kevin Baichoo <kbaichoo@google.com>
Mirrored from https://github.com/envoyproxy/envoy @ 415af040e09a1f6993c15ffc022793d39ecf5e8e
A few changes that wrapup #12673.
* Python/Go dependencies that aren't part of the Envoy binary build
don't make sense to track in repository_locations.bzl, since they
have their own language specific metadata (e.g. requirements.txt)
or are in many cases transitively implied.
* Ensure that the full set of dependencies visible to bazel query
is now validated. This requires that we explicitly call out
transitive dependencies that are implied by direct dependencies
in repository_locations.bzl. A new annotation `implied_untracked_deps`
is used.
Fixes#12673
Risk level: Low
Testing: validate.py.
Signed-off-by: Harvey Tuch <htuch@google.com>
Mirrored from https://github.com/envoyproxy/envoy @ 499f46a24f59eeb4fc3b28e24f6b9191b009580d
The match all filter chain is chosen when no other filter chain matches
the request.
Signed-off-by: Yuchen Dai <silentdai@gmail.com>
Mirrored from https://github.com/envoyproxy/envoy @ e62c994fac7ba18babfe2742b5595217ae2569c4
Modifies ratelimit filter to be able to use information
from the route's filter metadata as one of its actions
Signed-off-by: András Czigány <andras.czigany@strivacity.com>
Mirrored from https://github.com/envoyproxy/envoy @ 06813b2c42721489470ec94b2bc75a9771d6e403
* dependencies: CVE scanner for repository_locations.bzl metadata.
This is a custom CVE scanner that consumes the NIST CVE database and
heuristically matches against the CPEs, versions and last update stamps
in repository_locations.bzl.
Future PRs will create a CI job that runs this on a periodic basis
(every few hours) to provide a CVE early warning system.
Example output:
Based on heuristic matching with the NIST CVE database, Envoy may be vulnerable to:
CVE ID: CVE-2019-19391
CVSS v3 score: 9.1
Severity: CRITICAL
Published date: 2019-11-29
Last modified date: 2019-12-19
Dependencies: com_github_luajit_luajit
Description: ** DISPUTED ** In LuaJIT through 2.0.5, as used in Moonjit before
2.1.2 and other products, debug.getinfo has a type confusion issue
that leads to arbitrary memory write or read operations, because
certain cases involving valid stack levels and > options are
mishandled. NOTE: The LuaJIT project owner states that the debug
libary is unsafe by definition and that this is not a vulnerability.
When LuaJIT was originally developed, the expectation was that the
entire debug library had no security guarantees and thus it made no
sense to assign CVEs. However, not all users of later LuaJIT
derivatives share this perspective.
Affected CPEs:
- cpe:2.3🅰️moonjit_project:moonjit:*
- cpe:2.3🅰️luajit:luajit:*
Risk level: Low
Testing: cve_scan_test.py unit tests, manual.
Signed-off-by: Harvey Tuch <htuch@google.com>
Mirrored from https://github.com/envoyproxy/envoy @ 7d50518ce44aacc702d252eb05eb603c69461834
Signed-off-by: András Czigány <andras.czigany@strivacity.com>
Mirrored from https://github.com/envoyproxy/envoy @ dc3460c247538b8f81d49bd7984f46d142f20ba9
- Refactor code responsible for processing repository location specs, i.e. checking for the presence of fields like last_updated and interpolation of version. The same code is now usable by both API repository_locations.bzl and bazel/repository_locations.bzl.
- Cleanup reference to repo locations in repository_locations.bzl, now using a consistent set of macros.
- Add API dependencies to dependency dashboard.
Risk level: Low
Testing: Docs build.
Part of #12673
Signed-off-by: Harvey Tuch <htuch@google.com>
Mirrored from https://github.com/envoyproxy/envoy @ 9181790e3ab21b53ec268470202986b9517c3723
Adds a no_traffic_healthy_interval for when a cluster is marked healthy
and we want to use a different interval than no_traffic_interval
Fixes https://github.com/envoyproxy/envoy/issues/13246
Risk level: Low
Testing: Unit test
Signed-off-by: Chuong Vu <chuongv@google.com>
Mirrored from https://github.com/envoyproxy/envoy @ 593be2274c3cba09873f162dd1d0c4d1fcf18641
This is a follow up to 2c60632.
This forces all callers to think about multiple header values. There may be places that we want
to support multiple values, but none of them are security critical and this change should be
functionally equivalent to what exists today.
Signed-off-by: Matt Klein <mklein@lyft.com>
Mirrored from https://github.com/envoyproxy/envoy @ 4d77fc802c3bc1c517e66c54e9c9507ed7ae8d9b
Signed-off-by: John Plevyak <jplevyak@gmail.com>
Signed-off-by: Piotr Sikora <piotrsikora@google.com>
Mirrored from https://github.com/envoyproxy/envoy @ 319a9a647f19036d831a75f68350c90e98bfc365
This patch allows to set parent context which carries the current request stream info to a gRPC async client instance.
Risk Level: Low
Testing: Added
Docs Changes: Updated
Release Notes: Added
Fixes#13345
Signed-off-by: Dhi Aurrahman <dio@tetrate.io>
Mirrored from https://github.com/envoyproxy/envoy @ e5aa69658c6182dd41b6217ec7f6c4c00cac84b4