This is a fast follow from https://github.com/envoyproxy/envoy/pull/15388.
I realized that I made a mistake in not using a common configuration
message. There will be more configuration options such as GRO, etc. that
will be configured similarly in multiple places. I'm correcting this
mistake now since the other change just landed within the last couple of
days.
Signed-off-by: Matt Klein <mklein@lyft.com>
Mirrored from https://github.com/envoyproxy/envoy @ bd05ab7b74c2ee288aea9772a03d521cd761bd59
Release notes linked to explanatory docs not API changes, so didn't catch it was still hidden.
h/t @ggreenway for noticing.
Signed-off-by: Alyssa Wilk <alyssar@chromium.org>
Mirrored from https://github.com/envoyproxy/envoy @ 0acf24ed2580c787227dc7c31f394ac583a598ae
As of today no route found and route is found but the cluster in that route is not ready are sharing the same error detail.
However, this make big difference. The latter is likely a RDS config problem, or explicit blackhole.
The latter might be a slow CDS.
Address #15448
Signed-off-by: Yuchen Dai <silentdai@gmail.com>
Mirrored from https://github.com/envoyproxy/envoy @ a11d48368c62eb2c238d6d3087c16ffa355243d1
1) Add configuration for max packet size to UDP listeners
2) Add configuration for max packet size to UDP proxy filter
3) Fix crashing issue when a GRO receive is truncated. This
was fixed in the open because GRO recieve does not support
IP fragmentation, thus the previous size of 24000 bytes was
large enough to receive a jumbo frame size datagram. The issue
is now exposed by allowing packet size to be configured larger.
4) Reorganize code and some config around UDP listeners to streamline
the logic when the listener is a UDP listener. Also moved the UDP
batch writer configuration to a better place since it's still
effectively alpha and was marked not implemented.
Fixes https://github.com/envoyproxy/envoy/issues/15327
Signed-off-by: Matt Klein <mklein@lyft.com>
Mirrored from https://github.com/envoyproxy/envoy @ 73eec645a39343eec33b5d61bf492ba49c397cfe
Adds support for matching on HTTP request and response trailers.
Also fixes a bug around skipping filter iteration where we would not
skip encoding trailers even if the skip_filter_ flag was set.
Signed-off-by: Snow Pettersen <snowp@lyft.com>
Mirrored from https://github.com/envoyproxy/envoy @ 40964cc30d4e691df5c5f0c32a449a7b4462115a
This reverts commit 498d65b2fabceebbda9c0b993ba63c127fd16f27.
Signed-off-by: Matt Klein <mklein@lyft.com>
Mirrored from https://github.com/envoyproxy/envoy @ 3bddd1a8f8f67174d487a06c690f67b944b9e0da
This replaces prior logic where the :scheme header was consistently overwritten based on the encryption level of the upstream connection.
Risk Level: High (l7 change)
Testing: new integration tests, unit tests
Docs Changes: api docs updated
Release Notes: inline
Runtime guard: envoy.reloadable_features.preserve_downstream_scheme
Part of #14587
Signed-off-by: Alyssa Wilk <alyssar@chromium.org>
Mirrored from https://github.com/envoyproxy/envoy @ 8ac28e233538f0636b6e079f9d5569707b0ca815
This introduces a new matcher that allows matching on an input value by
computing a hash value and matching if the value % (configured value) is
greater than a configured threshold. This is useful in being able to
define match criteria that should match for a certain % of input values
in a way that is consistent between independent Envoy instances (e.g. it
does not rely on a random input).
Risk Level: Low, new extension
Testing: UTs
Docs Changes: Inline proto docs
Release Notes: n/a
Platform Specific Features: n/a
Fixes#14782
Signed-off-by: Snow Pettersen <snowp@lyft.com>
Mirrored from https://github.com/envoyproxy/envoy @ 7fe3d358f7e7e4d4c7282d50c498a7ab0e759a36
This commit adds an API on VmConfig so that users can configure env vars to be injected to Wasm VMs. Resolves#14958
Signed-off-by: Takeshi Yoneda <takeshi@tetrate.io>
Mirrored from https://github.com/envoyproxy/envoy @ 789f8a0831acac9bfe5a95f9b8c5331af43437d0
This is useful when there are more than 1 RBAC filter configured
with shadow rules to distinguish the shadow stats generated
by different filters.
Signed-off-by: Yangmin Zhu <ymzhu@google.com>
Mirrored from https://github.com/envoyproxy/envoy @ fa81296e53a040ccebf45bfc6c67044e6d0d8b62
This ensures Envoy can core dump when the dumpability bit might have
been unset (e.g.: running inside a container with fewer capabilities
than the ones Envoy itself has).
Fixes#15242.
Mirrored from https://github.com/envoyproxy/envoy @ 4f1ec4f5c863560ea2da86c5b4cdc9135cd6a5da
* Configuration for path normalization so that normalization can be configured for internal only use and/or forwarding.
Signed-off-by: Asra Ali <asraa@google.com>
Mirrored from https://github.com/envoyproxy/envoy @ 236107df5d15381ccf5040c0cb0f163ece9627a2
1) Promote the default UUID request_id implementation to
an actual extension that is required in the build and wire
up all documentation.
2) Add a configuration option to the extension that allows trace
reason packing to be disabled (the default continues to be for it
to be enabled to match existing behavior).
3) Update all documentation for the new behavior.
4) Substantial cleanup of these code paths for clarity and robustness.
Fixes https://github.com/envoyproxy/envoy/issues/11532
Signed-off-by: Matt Klein <mklein@lyft.com>
Mirrored from https://github.com/envoyproxy/envoy @ 07c4c17be61c77d87d2c108b0775f2e606a7ae12
Only the BUFFERED body mode is supported in this commit.
In addition, clean up the close stream handling code so that
we only close the stream in the onDestroy callback.
Signed-off-by: Gregory Brail <gregbrail@google.com>
Mirrored from https://github.com/envoyproxy/envoy @ 667d99539971130e882d7e86085f4dc9f146857b
This allows us to more easily test response crashes.
Risk Level: low (this is a test-only filter AFAIK)
Testing: unit test, integration test
Docs Changes: Included
Release Notes: Included
Platform Specific Features: N/A
Related Issue #14249
Signed-off-by: Kevin Baichoo <kbaichoo@google.com>
Mirrored from https://github.com/envoyproxy/envoy @ 53dc7afdf139b921157155188eaf90188bf78205
Adds the extension point for certificate validations, and its first implementation for SPIFFE multi trust domain support in a single listener or cluster. Resolves https://github.com/envoyproxy/envoy/issues/14614 and https://github.com/envoyproxy/envoy/issues/9284.
Risk Level: low (only adding the new extension point and one implementation for it)
Testing: unit tests and integration tests.
Docs Changes:
Release Notes: tls: implement SPIFFE Certificate Validator for independent multiple trust domain support.
Signed-off-by: Takeshi Yoneda <takeshi@tetrate.io>
Mirrored from https://github.com/envoyproxy/envoy @ 50e81276fd8f109ba3a6134e790f65c1cc5bdec9
Moved the db generation into a bazel job - which will allow other tasks that also require this data to make use of it more easily/bazely
this also adds buildozer into the bazel env, so we might want to make use of that elsewhere and potentially remove buildozer from the build-image env
Touch #13229
Signed-off-by: Ryan Northey <ryan@synca.io>
Mirrored from https://github.com/envoyproxy/envoy @ a03209d5caf77b36ca4c40671ade8e328cb93fad
* Re-purpose alt_stat_name for other observability use-cases: access logging, tracing, and admin dumps through a new ClusterInfo field, `observabilityName()`.
Signed-off-by: Asra Ali <asraa@google.com>
Mirrored from https://github.com/envoyproxy/envoy @ 5551e0a3e442cca24d76eeea76e8b9dc5f894303
Support setting max requests per downstream connection. By setting max_requests_per_connection, Envoy can actively disconnect the thrift client after reaching a certain number of requests.
Due to the limitations of the thrift protocol itself, we cannot achieve a clean disconnection.
Risk Level: Normal
Testing: Added
Docs Changes: Added
Release Notes: Added
Fixes: #14560
Signed-off-by: wbpcode <comems@msn.com>
Mirrored from https://github.com/envoyproxy/envoy @ 8a2685ee7f0a8b4182574861256ba05fac5f6cd6
Support wildcard match、suffix match and prefix match for dubbo interface name. Check #14765 get more information.
Risk Level: Low
Testing: Unit Test
Fixes#14765
Signed-off-by: wbpcode <comems@msn.com>
Mirrored from https://github.com/envoyproxy/envoy @ 9c2d5360635b46cc6ce4832ac84a9c324162629f
Some of the categories etc added in #14721 were not exactly correct and/or consistent
Also there is now some duplication from where links/info have been added manually previously
This PR should address these issues
Ref #13167
Signed-off-by: Ryan Northey <ryan@synca.io>
Mirrored from https://github.com/envoyproxy/envoy @ f9301ff57f64fd49918a61f6ac305638f065ecfb
This PR is the first step towards xdstp:// dynamic context parameter support. It introduces an
interface by which per-resource type dynamic context parameters can be set on the server. In
addition, it adds support for propagating these to Node (for legacy non-xdstp:// use cases) and
triggering discovery requests on update.
Risk level: Low
Testing: Unit and integration tests added (ads_integration_test).
Part of #11264
Signed-off-by: Harvey Tuch <htuch@google.com>
Mirrored from https://github.com/envoyproxy/envoy @ 36e05482cc27b4d2b5765fdebcdb5fef16f07d84
Changed logic in config verification when max_ejection_time is not specified
and base_ejection_time is larger than max_ejection_time's default.
Signed-off-by: Christoph Pakulski <christoph@tetrate.io>
Mirrored from https://github.com/envoyproxy/envoy @ 12df7d09222af273828ed114e5254caeba65d658
Made listener manager to depends on extensions/quic_listeners/quiche:quic_transport_socket_factory_lib. The library itself doesn't depends on QUICHE, so quic listener can still be compiled out.
This is to prevent the case where a problematic config gets loaded which uses a legal transport socket config but not for quic transport socket and a new quic connection fails to get cert chain after the quic listener starts listening.
Risk Level: low
Testing: added unit test
#2557
Signed-off-by: Dan Zhang <danzh@google.com>
Mirrored from https://github.com/envoyproxy/envoy @ e29e3c0569c548e267f153ec20f4032b09f001a8
Add information about known extension categories (types) to extension documentation
Signed-off-by: Ryan Northey <ryan@synca.io>
Mirrored from https://github.com/envoyproxy/envoy @ 7adc0393221467fcae18052c1f7caf0cb6048d2e
Follow-up on #14715 to allow finer configuration of the strict http request validation behavior. As mentioned in #14972, there are some cases where rejecting unknown paths is undesirable. So we provide more configurability to fit all use cases.
Risk Level:
Low.
This is a breaking API change, but it changes the API introduces < 14 days ago in #14715. This is compliant.
All behavior change only occurs when the option is enabled.
Testing:
Integration tests
Docs Changes:
Proto config changes
Release Notes:
None. #14715 includes release notes that still apply
Signed-off-by: Teju Nareddy <nareddyt@google.com>
Co-authored-by: Yan Tang <tangyan@gmail.com>
Mirrored from https://github.com/envoyproxy/envoy @ f174fba476a921efb981e80c346faf7e6723c0c4
Support adding response headers on OK authorization checks from ext_authz
Commit Message: ext_authz: support response headers on OK authorization checks
Additional Description:
Risk Level: low (opt-in feature, does nothing by default)
Testing: Added code to existing unit tests
Docs Changes: API protos documented
Release Notes: ext_authz: added :ref:`response_headers_to_add <envoy_v3_api_field_service.auth.v3.OkHttpResponse.response_headers_to_add>` to support sending response headers to downstream clients on OK external authorization checks.
Platform Specific Features:
Fixes#7986
Signed-off-by: John Esmet <john.esmet@gmail.com>
Mirrored from https://github.com/envoyproxy/envoy @ ac9a2637336decdcc52c24add5e8fc39edebb962
Adds ability to use _starttls_ transport socket to terminate SSL at Envoy and pass unencrypted traffic upstream to Postgres server.
Additional Description:
Risk Level: Low
Testing: Added unit and integration tests.
Docs Changes: Yes.
Release Notes: Yes.
Fixes#10942
Signed-off-by: Christoph Pakulski <christoph@tetrate.io>
Co-authored-by: Fabrízio de Royes Mello <fabrizio@ongres.com>
Mirrored from https://github.com/envoyproxy/envoy @ 1aa31dd9ca07f88029101bdecca12173930cf342
This allows control planes to tell clients that a given HTTP filter is okay to ignore if it is not supported. This is useful in environments where the clients are not centrally controlled and therefore cannot be upgraded at will, where it is desirable to start using a new filter for clients that do support the new filter without breaking older clients. Unlike a client-capability-based approach, where the client tells the server which filters it supports, this avoids cache pollution and resource-name-based complexity on the server. And because the control plane can set this on a per-filter basis, this approach does not impose risk that clients will silently fail to apply filters that provide mandatory functionality (e.g., authz policies).
Risk Level: Low
Testing: N/A (actual functionality will be implemented in a subsequent PR)
Docs Changes: Included in PR
Release Notes: N/A
Platform Specific Features: N/A
Signed-off-by: Mark D. Roth <roth@google.com>
Mirrored from https://github.com/envoyproxy/envoy @ 9ed95162ce11a09a56c1743d0a6e342d9bbfd2b6
* Add v3 equivalents of v2 configs that were included in v3 due to no
transitive deprecation. This increases consistency and reduces user
confusion. We will continue to support these straggler v2 configs
beyond the v2 turndown due to the late addition of v3 counterparts,
special case code is added to utility.cc to handle this.
* There were two extensions, //envoy/config/cluster/redis and
//envoy/config/retry/previous_priorities, that for some reason were
not upgraded to use v3 config. This is now fixed and I've grepped for
other v2 in //source, none remain.
Risk level: Medium (changes to extension config types and deprecated
config handling).
Testing: Additional unit test added for utility.cc handling, upgraded
configs to v3 for other tests.
Fixes#14735Fixes#12841
Signed-off-by: Harvey Tuch <htuch@google.com>
Co-authored-by: Abhay Narayan Katare <abhay.katare@india.nec.com>
Mirrored from https://github.com/envoyproxy/envoy @ c04a75efe9d601ebcb9650f274b5adde60181f1c
data-plane-api(Azure Pipelines)