add OLM scaling for max_connection_duration
This allows for configuring scaling the max connection duration in
response to overload.
Risk Level: low
Testing: integration & unit tests
Docs Changes: none
Release Notes: in changelog
---------
Signed-off-by: antoniovleonti <leonti@google.com>
Mirrored from https://github.com/envoyproxy/envoy @ ae4391145fb38487a3206e7b77c402d928857e7b
Commit Message: add a config knob to Java, Kotlin and C++ engines to set
initial interval of QUIC keepalive probing.
Additional Description: also adjust the validation rule of
`initial_interval` to be larger than 1ms instead of 1s and fix
contradicting documentation.
Risk Level: low, interface change
Testing: unit test
Docs Changes: N/A
Release Notes: N/A
Platform Specific Features: N/A
---------
Signed-off-by: Dan Zhang <danzh@google.com>
Co-authored-by: Dan Zhang <danzh@google.com>
Mirrored from https://github.com/envoyproxy/envoy @ fe8bc08a2201567833b0245526018f5480cd8cb1
Commit Message: remove WIP annotation. unified matcher has been used in
production for quite a while
Signed-off-by: tyxia <tyxia@google.com>
Mirrored from https://github.com/envoyproxy/envoy @ d049362557545b054e1a883231e64944ed0a8819
Also, update docs and tests for similar runtime overrides that already
existed
This is a followup to #36231
Risk Level: Low
Testing: New tests, plus more tests for existing untested code
Docs Changes: Updated proto docs, including adding docs for existing
feature
Release Notes: updated
Signed-off-by: Greg Greenway <ggreenway@apple.com>
Mirrored from https://github.com/envoyproxy/envoy @ 1173629e531abf758f011c2da15da739f72881c6
Commit Message:
When Envoy operates as a CONNECT-UDP forwarding proxy, it was resetting
the upstream stream because it received HTTP Datagrams before receiving
the SETTINGS frame. A new enum has been added in QUICHE to distinguish
this case, so I added handling logic for this and made Envoy drop the
datagrams instead of resetting the stream.
Also, Envoy was dropping Datagrams because the default maximum packet
length for QUIC connections in QUICHE is not large enough for tunneling
use cases such as CONNECT-UDP. I added a new QUIC protocol option called
`max_packet_length` to allow users to adjust the maximum packet length
for upstream QUIC connections to fix this issue.
Additional Description:
Risk Level: Low, this change is only relevant if CONNECT-UDP is enabled
with the forwarding mode.
Testing: Added more unit tests.
Docs Changes: Added the `max_packet_length` QUIC protocol option and its
explanation.
Release Notes: Added notes about fixing the CONNECT-UDP forwarding mode
and adding the new QUIC protocol option.
Platform Specific Features: N/A
[Optional Fixes #Issue]: #34836
---------
Signed-off-by: Jeongseok Son <jeongseok.son@gmail.com>
Mirrored from https://github.com/envoyproxy/envoy @ 0e7fdf5f23e3147a998c24a0cf8e3192797e80c5
Commit Message: Implementing reject_new_connections QUIC listener
option.
Additional Description: The goal is to implement a mechanism to
configure the bootstrap to reject H3 traffic as early as possible in the
QUIC layer. This is done by replying to the client with an empty QUIC
version negotiation packet to leverage the incompatible version
negotiation logic from RFC 9368. This feature is off by default.
Risk Level: Low
Testing: UTs
Docs Changes: N/A
Release Notes: added new_features/quic note
---------
Signed-off-by: Ricardo Perez <ripere@google.com>
Mirrored from https://github.com/envoyproxy/envoy @ 88543c9c37f389ff6d2650bb7aae211563ab0485
Commit Message:
Followup changes for `OrcaLoadReport` handling in `Router::Filter`.
- Use ENVOY_STREAM_LOG in `Router::Filter::maybeProcessOrcaLoadReport`.
- Add Integration test for custom metrics.
- Update CNCF version to bring in `OrcaLoadReport` proto changes.
- Add references to `OrcaLoadReport` proto.
Risk Level: low
Docs Changes:
Release Notes:
#34777
---------
Signed-off-by: Misha Efimov <mef@google.com>
Mirrored from https://github.com/envoyproxy/envoy @ 4ba73c869963cbf1d1afe8f4a4f568783fb1c750
Commit Message: Allow specified UDP cmsg to be saved to
QuicReceivedPacket
Additional Description: This can be accessed via
QuicListenerFilter::onFirstPacketReceived.
Risk Level: Low
Testing: Integration test
Docs Changes: N/A
Release Notes: added
---------
Signed-off-by: Paul Sohn <paulsohn@google.com>
Mirrored from https://github.com/envoyproxy/envoy @ bd5bec9abb537b3d462ed4e74bb5ea4bf1844655
Resolves #35641. Adding DNS jitter to resolvers makes it so that envoy
doesn't stampede the DNS server when it has multiple entries with the
same expiration.
Testing is still WIP. I am open to any suggestions.
Commit Message: dns: add jitter to strict dns
Additional Description:
Risk Level: low
Testing: unit tests
Docs Changes:
Release Notes:
For the :ref:`strict DNS <arch_overview_service_discovery_types_strict_dns>` and :ref:`logical DNS <arch_overview_service_discovery_types_logical_dns>` cluster types, the new :ref:`dns_jitter <envoy_v3_api_field_config.cluster.v3.Cluster.dns_jitter>` field, if provided, will cause the cluster to refresh DNS entries later by a random amount of time so as to avoid stampedes of DNS requests. This field sets the upper bound (exclusive) for the random amount.
Platform Specific Features:
---------
Signed-off-by: Steven Jin Xuan <sjinxuan@microsoft.com>
Signed-off-by: Steven Jin <stevenjin8@gmail.com>
Co-authored-by: Adi (Suissa) Peleg <adip@google.com>
Mirrored from https://github.com/envoyproxy/envoy @ 20e27887d29d735e1cc47cbb9af1cfe9baac4b4d
Commit Message: Add a socket `type` field in the `SocketOption` proto
Additional Description: The `socket_option_impl.cc` implementation
already has a logic to apply the socket option based on the socket type.
This change is simply exposing the socket type filter in the
`SocketOption` proto.
Risk Level: low
Testing: unit tests
Docs Changes: updated
Release Notes: updated
Platform Specific Features: n/a
---------
Signed-off-by: Fredy Wijaya <fredyw@google.com>
Mirrored from https://github.com/envoyproxy/envoy @ 1d9910e57d9b767b6a5653f746b760bbb8c8f145
This reverts commit 6db316f25dc70b439c028beeaac31e6f33d3b2aa.
Signed-off-by: Ryan Northey <ryan@synca.io>
Mirrored from https://github.com/envoyproxy/envoy @ d84f707f8cc03d41a9f6bbffaf1b4f0105e7432b
Commit Message: conn pool: use hostnames of endpoints as SNI values
Additional Description: optional support for usage of upstream cluster
endpoints' hostnames as SNI values
Risk Level: Low
Testing: integration
Docs Changes: added information about new mechanism of SNI derivation
Release Notes:
b8e8a4537e/changelogs/current.yaml (L377)
Platform Specific Features: N/A
Fixes #15839
---------
Signed-off-by: Dmitriy Ilin <dmitry.m.ilyin@gmail.com>
Mirrored from https://github.com/envoyproxy/envoy @ 6db316f25dc70b439c028beeaac31e6f33d3b2aa
Commit Message: tracer(datadog): improve remote configuration usability
Additional Description: Remote Configuration has been introduced in
https://github.com/envoyproxy/envoy/pull/33294.
It was enabled by default with the only way to configure the feature
being an environment variable. This commit disables the feature by
default and adds new fields to enable and configure it from Envoy's
configuration.
Here's a snippet for enabling remote configuration with a 10s polling
interval:
```yaml
...
tracing:
  provider:
    name: envoy.tracers.datadog
    typed_config:
      "@type": type.googleapis.com/envoy.config.trace.v3.DatadogConfig
      collector_cluster: datadog_agent
      service_name: envoy-demo
      remote_config:
        enabled: true
        polling_interval: "10s"
...
```
Changes:
- Add configuration options for remote configuration.
- Disable remote configuration by default.
Risk Level: Low.
Testing: unit test and manual testing.
Docs Changes: NA.
Release Notes: Updated.
Platform Specific Features: NA.
---------
Signed-off-by: Damien Mehala <damien.mehala@datadoghq.com>
Mirrored from https://github.com/envoyproxy/envoy @ bea314b7623ca29bd3f8b99756476177afd687eb
Commit Message: Add UNIQUE_ID substitution string in the access log.
Additional Description: Envoy access log today doesn't have the concept
of a unique log id which is guaranteed to always be present when
emitting an access log record. This will ensure every access log record
that uses %UNIQUE_ID% in its schema gets a UUID.
Risk Level: Low
Testing: Unit test has been added to ensure the UNIQUE_ID provides
unique value for every invocation of parse. Local testing has also been
performed to ensure the UNIQUE_ID is emitted from all filter levels
(example - listener filter access log, http connection manager access
log, tcp_proxy access log) for good and bad requests (which are
malformed and expected to fail at http parser level).
Docs Changes: Updated Access log documentation to provide the new
UNIQUE_ID support.
Release Notes: N/A
Platform Specific Features: N/A
---------
Signed-off-by: Chaitra Reddy Vontela <cvontela@microsoft.com>
Co-authored-by: Chaitra Reddy Vontela <cvontela@microsoft.com>
Mirrored from https://github.com/envoyproxy/envoy @ 6cb0b30d6be9302025e09248a4327bac7a7e8cf1
Add a config option to allow ejecting one host regardless of max_ejection_percentage
Risk Level: low
Testing: added test
Docs Changes: updated proto comment
Release Notes: todo
Fixes #34666
Signed-off-by: Pawan Bishnoi <pawanbishnoi@outlook.com>
Signed-off-by: Pawan Kumar <pawanbishnoi@outlook.com>
Mirrored from https://github.com/envoyproxy/envoy @ 36531d9a1852bec3df8eb171600fd4b2479159cf
This PR provides gRPC client level control over Envoy generated headers. It currently controls x-envoy-internal and x-forwarded-for (can be expanded if needed).
If false, the header will be added. But it can be overridden by setting setSendInternal or setSendXff to false in
Http::AsyncClient::StreamOptions, as per stream control.
If true, the header will be removed and can not be overridden by the per stream option.
This logic is designed in this way because:
- Preserve backwards compatible behavior:
  - Both headers are still sent by default.
  - If any existing users remove them with StreamOptions, headers are still removed.
- Still provide the per stream override control:
  - Override here implicitly means setting to false, as their default value in AsyncClient::StreamOptions is true.
  - Thus, per stream override is still available, just in one direction: disable on a per stream basis.
- The only thing is that now the user can not set StreamOptions to true if they are disabled in config. But it should be fine because:
  - For existing users, no one should set them to true in StreamOptions as they already default to true.
  - For future users, per stream control can still be achieved as stated above.
Signed-off-by: Tianyu Xia <tyxia@google.com>
Mirrored from https://github.com/envoyproxy/envoy @ 9ce333ba1c46cde9e1a7af5bef99aceea1a80d77
This patch adds a metadata field to the [LocalityLbEndpoints](https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/endpoint/v3/endpoint_components.proto#config-endpoint-v3-localitylbendpoints) configuration. The new field can be used to perform transport socket matching for all endpoints in a locality:
```yaml
load_assignment:
  cluster_name: example_cluster
  endpoints:
  - metadata: # <----- This is new.
      filter_metadata:
        envoy.transport_socket_match:
          network.id: vpc-1
    lb_endpoints:
    - endpoint:
        address:
          socket_address:
            address: 10.1.1.1
            port_value: 11337
    - endpoint:
        address:
          socket_address:
            address: 10.1.1.2
            port_value: 11337
```
Notice the ability to add metadata alongside the collection of endpoints. The transport socket matcher will still check the `envoy.transport_socket_match` metadata for an endpoint, but now if there is no match it will look at that field in its locality's metadata. This essentially allows one to set a transport socket match for groups of endpoints with a single metadata field, which can significantly improve scalability for deployments with many endpoints as shown in https://github.com/envoyproxy/envoy/issues/34530.
Signed-off-by: Tony Allen <txallen@google.com>
Mirrored from https://github.com/envoyproxy/envoy @ f0201e54683875efeecf09df7328ad374be52d2c
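The precedence described in the commit above (endpoint metadata first, then the locality's metadata, then the cluster default), modelled as an added Python example that is not Envoy's own code. The match names `vpc1_mtls`/`vpc2_mtls`, the third endpoint `10.1.1.3` with its own endpoint-level label, and the `resolve*` helpers are constructed here; the match list only mirrors the shape of `Cluster.transport_socket_matches`.

```python
"""Added example (not Envoy code): model of transport socket matching with
locality-level envoy.transport_socket_match metadata as a fallback."""
from typing import Optional

TSM_FILTER = "envoy.transport_socket_match"

# Constructed cluster-level matches (name + label set), checked in order.
TRANSPORT_SOCKET_MATCHES = [
    {"name": "vpc1_mtls", "match": {"network.id": "vpc-1"}},
    {"name": "vpc2_mtls", "match": {"network.id": "vpc-2"}},
]

# The LocalityLbEndpoints from the snippet above, as a dict, plus one
# constructed endpoint (10.1.1.3) carrying its own endpoint-level label.
LOCALITY = {
    "metadata": {"filter_metadata": {TSM_FILTER: {"network.id": "vpc-1"}}},
    "lb_endpoints": [
        {"endpoint": {"address": {"socket_address": {"address": "10.1.1.1", "port_value": 11337}}}},
        {"endpoint": {"address": {"socket_address": {"address": "10.1.1.2", "port_value": 11337}}}},
        {"endpoint": {"address": {"socket_address": {"address": "10.1.1.3", "port_value": 11337}}},
         "metadata": {"filter_metadata": {TSM_FILTER: {"network.id": "vpc-2"}}}},
    ],
}


def tsm_labels(holder: dict) -> Optional[dict]:
    """Labels under envoy.transport_socket_match in an endpoint's or
    locality's metadata, or None when that filter metadata is absent."""
    return holder.get("metadata", {}).get("filter_metadata", {}).get(TSM_FILTER)


def first_match(labels: Optional[dict], matches: list) -> Optional[str]:
    """Name of the first match whose every label is present with the same
    value in `labels`; None when nothing matches or labels are absent."""
    if labels is None:
        return None
    for m in matches:
        if all(labels.get(k) == v for k, v in m["match"].items()):
            return m["name"]
    return None


def resolve(lb_endpoint: dict, locality: dict, matches: list) -> str:
    """Endpoint metadata first, then locality metadata (the new field),
    then the cluster's default transport socket."""
    return (first_match(tsm_labels(lb_endpoint), matches)
            or first_match(tsm_labels(locality), matches)
            or "default")


def resolve_all(locality: dict, matches: list) -> dict:
    """Map each endpoint address to the transport socket name it resolves to."""
    out = {}
    for ep in locality["lb_endpoints"]:
        addr = ep["endpoint"]["address"]["socket_address"]["address"]
        out[addr] = resolve(ep, locality, matches)
    return out


if __name__ == "__main__":
    print(resolve_all(LOCALITY, TRANSPORT_SOCKET_MATCHES))
```

The two endpoints from the snippet inherit `vpc1_mtls` from the locality without any per-endpoint metadata, while the constructed third endpoint's own label still wins.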
* api: Add total_{active,new,error}_connections to UpstreamLocalityStats
They are marked with `[#not-implemented-hide:]` and `work_in_progress`.
Implementation will be added later.
Signed-off-by: Aleksander Mistewicz <amistewicz@google.com>
* Update api/envoy/config/endpoint/v3/load_report.proto
Co-authored-by: htuch <htuch@users.noreply.github.com>
Signed-off-by: AwesomePatrol <AwesomePatrol@users.noreply.github.com>
* Rename total_error_connections to total_fail_connections
Signed-off-by: Aleksander Mistewicz <amistewicz@google.com>
* Add mention of metrics to docstring
Signed-off-by: Aleksander Mistewicz <amistewicz@google.com>
* Mention Envoy when pointing out relation to metrics
Put metric names in `` (as in other parts of the file)
Signed-off-by: Aleksander Mistewicz <amistewicz@google.com>
---------
Signed-off-by: Aleksander Mistewicz <amistewicz@google.com>
Signed-off-by: AwesomePatrol <AwesomePatrol@users.noreply.github.com>
Co-authored-by: htuch <htuch@users.noreply.github.com>
Mirrored from https://github.com/envoyproxy/envoy @ d2a20a02b6664c531e51cce04cc4283cb554ed4c
It seems that until now we still have no common key/value API that can be applied to string-map-like structures. This PR adds one.
Then we can use this API for query mutation and cookie mutation. It could also be used by non-HTTP headers (like dubbo attachment) or any string-map-like structures.
Risk Level: low. API only.
Testing: n/a.
Signed-off-by: wbpcode <wbphub@live.com>
Mirrored from https://github.com/envoyproxy/envoy @ 3a0c2a4ffb5e199eed0be1738ff8e6590dcf94c6
Commit Message: Add the ability to bypass overload manager for listeners
Additional Description: This flag can be used to disable overload manager on specific listeners where, for instance, we don't want to stop accepting requests. In my company, we implemented a CPU Utilization resource monitor that helps us drop requests when we hit a certain utilization percentage, but there are certain listeners that receive administrative traffic that we don't want overload manager to touch. Another use case is, we want to only throttle ingress traffic but not egress traffic going via Envoy. Another contributor authored #29781, but it has been marked as stale.
Risk Level: Low
Testing: Unit tests & Integration tests added
Docs Changes: No
Release Notes: Add bypass_overload_manager flag to Listener in order to prevent overload manager from taking actions on the traffic going through the said listener.
Platform Specific Features:
Signed-off-by: Fernando Cainelli <fernando.cainelli-external@getyourguide.com>
Signed-off-by: Can Cecen <ccecen@netflix.com>
Mirrored from https://github.com/envoyproxy/envoy @ ea982dc8dd1afc2d4cacbcbb484cf00bc48dab93
resource_api_version has also been removed from all tests and
examples, as it isn't used for anything.
Signed-off-by: Greg Greenway <ggreenway@apple.com>
Mirrored from https://github.com/envoyproxy/envoy @ 505a8603f7997ef7a8ddd81fcba382caa2be5867
Commit Message: Add a way to configure a quic connection debug visitor factory that will be used to attach a debug visitor to all quic connections on the listener. Adds an interface for this new type of factory.
Additional Description:
Risk Level: Low
Testing: Added new tests and modified existing tests in /test/common/quic. Also performed manual testing on a real machine and sent traffic to it using quic_client.
Docs Changes: Update envoy.config.listener.v3.quic_config.proto inline.
Release Notes: N/A
Platform Specific Features: N/A
Signed-off-by: Will Lampert <wlampert@google.com>
Mirrored from https://github.com/envoyproxy/envoy @ 0c28205942066b2b5b2ef2a344c9357f27f642c7
Expose config option for tcmalloc [memory background release rate](bf4db7e4c8/tcmalloc/malloc_extension.h (L637C15-L637C39), that eases tuning of tcmalloc in Envoy. Gperf tcmalloc is not yet supported in this change, as gperf tcmalloc memory release does not function the same way as tcmalloc does and introduced test flakiness.
Commit Message:
Additional Description:
Risk Level:
Testing: Unit tests
Docs Changes: API docs
Release Notes:
Platform Specific Features:
Signed-off-by: Kateryna Nezdolii <kateryna.nezdolii@gmail.com>
Signed-off-by: Kateryna Nezdolii <kateryna.nezdolii@docker.com>
Co-authored-by: Matt Klein <mattklein123@gmail.com>
Mirrored from https://github.com/envoyproxy/envoy @ 02dc6af0bd66af3105bb47919ee67102b6611feb
This PR provides a common data source provider to support file watching.
For users who don't need file watching or don't use the file data source, if the provider is used, they only need to pay 8 additional bytes and one additional if check (holds_alternative) compared to using DataSource::read() directly.
For users who want to use file watching, an additional file watcher and TLS slot (ThreadLocalStorage) are necessary. This is more expensive but reasonable.
Risk Level: low.
Testing: unit.
Docs Changes: n/a.
Release Notes: n/a.
Platform Specific Features: n/a.
Signed-off-by: wbpcode <wbphub@live.com>
Signed-off-by: code <wangbaiping@corp.netease.com>
Mirrored from https://github.com/envoyproxy/envoy @ 838bc86a0fe46801320eef13cc599bc80bd88d10
* healthcheck: support TCP health check with ProxyProtocol
Signed-off-by: Rei Shimizu <shimizu.rei@linecorp.com>
Mirrored from https://github.com/envoyproxy/envoy @ a3ecbf09d08f457349126faaf64ce5005658637d
Adding runtime key to protect drop overload feature.
The runtime key "load_balancing_policy.drop_overload_limit" can be configured with an integer from 0 to 100. 0 means 0%. 100 means 100%. So, when there is an EDS update with drop_overloads configuration, if this runtime key is enabled, Envoy will pick the smaller one of these two to perform the drops.
---------
Signed-off-by: Yanjun Xiang <yanjunxiang@google.com>
Mirrored from https://github.com/envoyproxy/envoy @ ef8a34d89f85f434e6df562c742b63a359d0ceb4
CORS: Generate local response for preflights with non-matching origin.
Signed-off-by: Christoph Pakulski <christoph@tetrate.io>
Mirrored from https://github.com/envoyproxy/envoy @ 5f58f9ac917e82fdfadb771b8de3bb466d9e53ee
Resolves #32119. This adds the option to always log successful health checks. On the first successful health check, only ``logAddHealthy`` is called. On consecutive successful health checks, ``logSuccessfulHealthCheck`` is called.
Risk Level: low (config guarded)
Testing: unit tests
Docs Changes: API docs
Release Notes: added
Platform Specific Features: none
Signed-off-by: ohadvano <ohadvano@gmail.com>
Mirrored from https://github.com/envoyproxy/envoy @ 975d4107061ea92a62e99490c9474ace17d9609a
http3: Add support for HTTP/3 METADATA
Adds a new allow_metadata option to Http3ProtocolOptions.
Risk Level: Low, protected by new config option
Testing: New integration tests
Docs Changes: N/A
Release Notes: Updated
Signed-off-by: Ryan Hamilton <rch@google.com>
Mirrored from https://github.com/envoyproxy/envoy @ 640f016a2e99ab44e97dec71b60afec91404dadd
* add dr response flag
Signed-off-by: Boteng Yao <boteng@google.com>
* add tests
Signed-off-by: Boteng Yao <boteng@google.com>
* fix assertion
Signed-off-by: Boteng Yao <boteng@google.com>
* fix format
Signed-off-by: Boteng Yao <boteng@google.com>
* fix proto
Signed-off-by: Boteng Yao <boteng@google.com>
* fix test
Signed-off-by: Boteng Yao <boteng@google.com>
* fix test
Signed-off-by: Boteng Yao <boteng@google.com>
* add change logs
Signed-off-by: Boteng Yao <boteng@google.com>
---------
Signed-off-by: Boteng Yao <boteng@google.com>
Mirrored from https://github.com/envoyproxy/envoy @ 0cb0b01b7f44399085e511085e51e8222132982e