Commit Message: jwt_authn: RemoteJwks to support RetryPolicy config #16319 ( only for background fetches failing )
Additional Description: following up on comments and code pruned from background jwks refresh mechanism from #16912
Risk Level: Low, default number of retries set to zero. truncated exponential backoff requires explicit configuration.
Testing: Only mock-based unit tests so far. Haven't been able to get it ( or the background jwks fetch option, for that matter ) built in [esp-v2](https://github.com/GoogleCloudPlatform/espv-2) so far.
Docs Changes:
Release Notes:
Platform Specific Features:
Fixes#16319
Signed-off-by: Anthony Lichnewsky <alichnewsky@users.noreply.github.com>
Mirrored from https://github.com/envoyproxy/envoy @ b62dae29a5dd06b7f689899b26974d9567a98f0e
Commit Message: upstream -- allow clusters to skip waiting on warmup for initialization
Additional Description: this reduces server startup time, but might cause initial 500s for requests made on unresolved clusters. Further work might be needed there if operators use this new config option.
Risk Level: low - new config option. Default uses legacy behavior.
Testing: added unit tests
Docs Changes: added.
Release Notes: updated
Signed-off-by: Jose Nino <jnino@lyft.com>
Mirrored from https://github.com/envoyproxy/envoy @ f2906f5ce372814b8e6f688a0e1766703d8b56f2
This is a new extension point that will allow for dynamic cluster selection.
The plugin configured by it will be responsible for returning a cluster to
Envoy through its API (to be defined). Since the cluster returned is dynamic,
a new field is added to Route to list all the clusters it may return. This
allows for proxy implementations that are not using wildcard CDS queries to
pre-fetch clusters.
This feature may ultimately replace the FilterAction mechanism, as it provides
the same functionality for known use cases, but is simpler to implement and
use.
Signed-off-by: Doug Fawley <dfawley@google.com>
Mirrored from https://github.com/envoyproxy/envoy @ 6dc4092fc161b8fcb5f25a972e4783116692d53c
Input matcher that checks that an IP{v4,v6} belongs to a list of CIDR ranges
Signed-off-by: Adrien Guinet <adrien@reblaze.com>
Mirrored from https://github.com/envoyproxy/envoy @ 6cd6a0cab68c757c785e62e0d73d881f57c97839
Risk Level: Low; the protobuf types are not changing at all.
Testing: proto_format and tests
Signed-off-by: Tyler Dixon <tdixon@buf.build>
Co-authored-by: Snow Pettersen <snowp@lyft.com>
Mirrored from https://github.com/envoyproxy/envoy @ c1bc5e78fa68b86236c8d6237e2db15ce1743459
Commit Message: this PR adds the ability to prefetch hostnames to resolve during cache construction.
Additional Description: This feature can be used as a performance improvement for setups that use dns cache, but know a priori some of the hostnames that will be used.
Risk Level: low -- adds a feature that is off by default.
Testing: new tests
Docs Changes: added documentation in the API
Release Notes: inline
Signed-off-by: Jose Nino <jnino@lyft.com>
Mirrored from https://github.com/envoyproxy/envoy @ 7b492bdff96649aee29017fcaabaf37a39407d8a
This also fixes a bug with existing keepalive, where if the interval were larger than the idle timeout, it would send new pings and never time out.
Risk Level: medium (data plane change, changes existing ping logic)
Testing: unit tests
Docs Changes: n/a
Release Notes:
Fixes#16313
Signed-off-by: Alyssa Wilk <alyssar@chromium.org>
Mirrored from https://github.com/envoyproxy/envoy @ 79343be05c9528462b51af10b49d5fffe6e173e5
Commit Message: make quic proof source and crypto streams extensions. Add config for default ones. If not specified in config, the default ones will be used.
Risk Level: low
Testing: existing tests passed
Part of #2557
Co-authored-by: Dan Zhang <danzh@google.com>
Mirrored from https://github.com/envoyproxy/envoy @ beb5a93b08bd0c48a2a7dd2f40ca13bcdb0ed40e
- update to PGV 0.6.1 (release notes)
- update API versions to corresponding PGV and gRPC versions
- Bazel build tools to 4.0.1
- Zipkin API to 1.0.0
- OpenTelemetry Proto to 0.9.0
Risk Level: Low
Testing:
bazel --nohome_rc test //test/...
bazel --nohome_rc test @envoy_api_canonical//test/... @envoy_api_canonical//tools/...
bazel --nohome_rc build @envoy_api_canonical//envoy/...
tools/dependency/release_dates.py api/bazel/repository_locations.bzl
Signed-off-by: Michael Payne <michael@sooper.org>
Mirrored from https://github.com/envoyproxy/envoy @ d5ec0351f2a5dc28fc98c1d34deb90e48cf30083
The HTTP Gzip filter has been disabled in v1.17 by default. Now we can remove it completely. Also the code common for the gzip filter and for the generic compressor filter is moved to source/extensions/filters/http/compressor.
Risk Level: Low
Testing: unit tests
Docs Changes: removed the page about the Gzip filter
Release Notes: added a note about the removal to current.rst
Signed-off-by: Dmitry Rozhkov <dmitry.rozhkov@intel.com>
Mirrored from https://github.com/envoyproxy/envoy @ dc2cddeef3ef06febe4c8f9f40b3dd98e1b273bc
alternate_protocols_cache: Create a filter for parsing Alt-Svc headers and populating the AlternateProtocolsCache.
Risk Level: Low
Testing: Unit and Integration
Docs Changes: N/A
Release Notes: N/A
Platform Specific Features: N/A
Signed-off-by: Ryan Hamilton <rch@google.com>
Mirrored from https://github.com/envoyproxy/envoy @ e35a790bc3619fe304a3904ef81112db0a7e7b08
WebAssembly Micro Runtime (WAMR) is a standalone WebAssembly (WASM) runtime with a small footprint. It includes a few parts as below:
The "iwasm" VM core, supporting WebAssembly interpreter, ahead of time compilation (AoT) and Just-in-Time compilation (JIT)
The application framework and the supporting API's for the WASM applications
The dynamic management of the WASM applications
Risk Level: Medium
Testing: Runtime unit testing, integration testing and manual testing
Signed-off-by: Le Yao <le.yao@intel.com>
Mirrored from https://github.com/envoyproxy/envoy @ a7fa3311ad1f847d80e139970d5325a4efcbdbc1
It is to fix: https://github.com/envoyproxy/envoy/issues/14556#issuecomment-754203164
Currently, remote Jwks is fetched on-demand, in the worker thread after the requests come. The first few requests need to pause to wait for the Jwks.
Add a new feature to fetch remote Jwks in the main thread, before the listener is activated.
Detail changes:
* Change the filter config to add async_fetch field inside RemoteJwks message
* Add a new class: JwksAsyncFetcher class to handle this new config.
* Add two new statistics counters `jwks_fetch_success` and `jwks_fetch_fail`.
Risk Level: Low since new feature is guarded by the new config.
Testing: unit-tested and integration tested
Docs Changes: None
Release Notes: Yes
Signed-off-by: Wayne Zhang <qiwzhang@google.com>
Mirrored from https://github.com/envoyproxy/envoy @ db16625415e0e5e3486854e0c993b178a80bab58
Currently, envoy ignores the value of present match. This commit adjust
envoy's behavior. When the value is True, envoy will check the header
present. When the value is False, envoy will check the header absent.
Signed-off-by: He Jie Xu <hejie.xu@intel.com>
Mirrored from https://github.com/envoyproxy/envoy @ 9a7a7ede474780c2bd8fe59e7a93e537204cfe31
the filter smoothens the flow of data in both direction up to the specified bandwidth limit.
Risk Level: Low, new filter
Testing: UTs added. Adding more UTs and integration tests.
Docs Changes: Added
Release Notes: Added
Fixes#13604
Signed-off-by: Nitin Goyal <nigoyal@microsoft.com>
Mirrored from https://github.com/envoyproxy/envoy @ a467b0ef41864459f4b4ad76fad7e1efb06b0bf8
Add an option in connection manager which allow to strip trailing host dot from Host/authority header
(e.g transforms "example.com." to "example.com").
Signed-off-by: maheshkurund <mahesh.kurund@oneconvergence.com>
Mirrored from https://github.com/envoyproxy/envoy @ 7cc10b03bcbff0367daaa8bd9b228eee9871d0e3
This is a PR for scoping token buckets in the local rate limiting flow on a per connection basis as opposed to scoping it on the entire envoy instance. More details in #15637
Currently, the HTTP local rate limiter's token bucket is shared across all workers, thus causing the rate limits to be applied per Envoy instance/process. This could potentially result in bad actors quickly exhausting limits on a given envoy instance before legitimate users have had a fair chance. We achieve this by adding an instance of the LocalRateLimit::LocalRateLimiterImpl to each connection object, if there isn't one already, via FilterState data
Risk Level: Low
Testing:
Added unit tests to local_ratelimit
Manually tested via curl'ing against a locally patched envoy instance.
One can send multiple requests on the same connection via curl using the following:
curl -vI example.com example.com
Docs Changes:
Added new toggle to local rate limit configuration to enable per connection local rate limiting
// Specifies the scope of the rate limiter's token bucket.
// If set to false, the token bucket is shared across all worker threads
// thus the rate limits are applied per Envoy process.
// If set to true, a token bucket is allocated for each connection.
// Thus the rate limits are applied per connection thereby allowing
// one to rate limit requests on a per connection basis.
// If unspecified, the default value is false.
bool local_rate_limit_per_downstream_connection
Sample configuration
typed_config:
"@type": type.googleapis.com/envoy.extensions.filters.http.local_ratelimit.v3.LocalRateLimit
stat_prefix: http_local_rate_limiter
token_bucket:
max_tokens: 10000
tokens_per_fill: 1000
fill_interval: 1s
filter_enabled:
runtime_key: local_rate_limit_enabled
default_value:
numerator: 100
denominator: HUNDRED
filter_enforced:
runtime_key: local_rate_limit_enforced
default_value:
numerator: 100
denominator: HUNDRED
response_headers_to_add:
- append: false
header:
key: x-local-rate-limit
value: 'true'
local_rate_limit_per_downstream_connection: true
Fixes#15637
Signed-off-by: Gokul Nair <gnair@twitter.com>
Mirrored from https://github.com/envoyproxy/envoy @ 151aa0ce902071c9ad07e78f5f62dc22119bab39
data-plane-api(Azure Pipelines)