Compare commits

...

7 Commits

Author SHA1 Message Date
update-envoy[bot] 470d9be5aa api: HTTP APIKey Auth Filter (#36709) 3 weeks ago
update-envoy[bot] 53a525a403 http: removing the default trusted address list (#36643) 4 weeks ago
update-envoy[bot] ffcb55de31 deps/api: Bump `com_github_bufbuild_buf` -> 1.46.0 (#36933) 4 weeks ago
update-envoy[bot] 7b3650c5c3 add OLM scaling for max_connection_duration (#36816) 4 weeks ago
update-envoy[bot] ca0e469afc Remove unused listener FilterChain on_demand_configuration field (#36786) 4 weeks ago
update-envoy[bot] 6fc033aea9 deps/api: Bump `envoy_toolshed` -> 0.1.13 (#36892) 4 weeks ago
update-envoy[bot] b6a95fbd30 quic: add debug visitor to export various quic stats from quiche (#36813) 4 weeks ago
  1. 2
      BUILD
  2. 12
      bazel/repository_locations.bzl
  3. 24
      envoy/config/listener/v3/listener_components.proto
  4. 6
      envoy/config/overload/v3/overload.proto
  5. 13
      envoy/extensions/filters/http/api_key_auth/v3/BUILD
  6. 54
      envoy/extensions/filters/http/api_key_auth/v3/api_key_auth.proto
  7. 2
      envoy/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto
  8. 9
      envoy/extensions/quic/connection_debug_visitor/quic_stats/v3/BUILD
  9. 24
      envoy/extensions/quic/connection_debug_visitor/quic_stats/v3/quic_stats.proto
  10. 2
      versioning/BUILD

@ -161,6 +161,7 @@ proto_library(
"//envoy/extensions/filters/http/adaptive_concurrency/v3:pkg",
"//envoy/extensions/filters/http/admission_control/v3:pkg",
"//envoy/extensions/filters/http/alternate_protocols_cache/v3:pkg",
"//envoy/extensions/filters/http/api_key_auth/v3:pkg",
"//envoy/extensions/filters/http/aws_lambda/v3:pkg",
"//envoy/extensions/filters/http/aws_request_signing/v3:pkg",
"//envoy/extensions/filters/http/bandwidth_limit/v3:pkg",
@ -305,6 +306,7 @@ proto_library(
"//envoy/extensions/outlier_detection_monitors/consecutive_errors/v3:pkg",
"//envoy/extensions/path/match/uri_template/v3:pkg",
"//envoy/extensions/path/rewrite/uri_template/v3:pkg",
"//envoy/extensions/quic/connection_debug_visitor/quic_stats/v3:pkg",
"//envoy/extensions/quic/connection_debug_visitor/v3:pkg",
"//envoy/extensions/quic/connection_id_generator/v3:pkg",
"//envoy/extensions/quic/crypto_stream/v3:pkg",

@ -144,11 +144,11 @@ REPOSITORY_LOCATIONS_SPEC = dict(
project_name = "buf",
project_desc = "A new way of working with Protocol Buffers.", # Used for breaking change detection in API protobufs
project_url = "https://buf.build",
version = "1.45.0",
sha256 = "deebd48a6bf85b073d7c7800c17b330376487e86852d4905c76a205b6fd795d4",
version = "1.46.0",
sha256 = "4250725166430f0444642b5206da9555c95bb7011fe62fca295fa71ef774a211",
strip_prefix = "buf",
urls = ["https://github.com/bufbuild/buf/releases/download/v{version}/buf-Linux-x86_64.tar.gz"],
release_date = "2024-10-08",
release_date = "2024-10-29",
use_category = ["api"],
license = "Apache-2.0",
license_url = "https://github.com/bufbuild/buf/blob/v{version}/LICENSE",
@ -179,12 +179,12 @@ REPOSITORY_LOCATIONS_SPEC = dict(
project_name = "envoy_toolshed",
project_desc = "Tooling, libraries, runners and checkers for Envoy proxy's CI",
project_url = "https://github.com/envoyproxy/toolshed",
version = "0.1.12",
sha256 = "cbd919462d3301ffcd83bcbc3763914201e08ac97d9237cd75219725760321d0",
version = "0.1.13",
sha256 = "5210866866fccb8e94f2a921c8452d7ea2ae1bf2b2b9520ab0e0cd1df36e7ad5",
strip_prefix = "toolshed-bazel-v{version}/bazel",
urls = ["https://github.com/envoyproxy/toolshed/archive/bazel-v{version}.tar.gz"],
use_category = ["build"],
release_date = "2024-09-08",
release_date = "2024-10-29",
cpe = "N/A",
license = "Apache-2.0",
license_url = "https://github.com/envoyproxy/envoy/blob/bazel-v{version}/LICENSE",

@ -201,24 +201,9 @@ message FilterChainMatch {
message FilterChain {
option (udpa.annotations.versioning).previous_message_type = "envoy.api.v2.listener.FilterChain";
// The configuration for on-demand filter chain. If this field is not empty in FilterChain message,
// a filter chain will be built on-demand.
// On-demand filter chains help speedup the warming up of listeners since the building and initialization of
// an on-demand filter chain will be postponed to the arrival of new connection requests that require this filter chain.
// Filter chains that are not often used can be set as on-demand.
message OnDemandConfiguration {
// The timeout to wait for filter chain placeholders to complete rebuilding.
// 1. If this field is set to 0, timeout is disabled.
// 2. If not specified, a default timeout of 15s is used.
// Rebuilding will wait until dependencies are ready, have failed, or this timeout is reached.
// Upon failure or timeout, all connections related to this filter chain will be closed.
// Rebuilding will start again on the next new connection.
google.protobuf.Duration rebuild_timeout = 1;
}
reserved 2;
reserved 2, 8;
reserved "tls_context";
reserved "tls_context", "on_demand_configuration";
// The criteria to use when matching a connection to this filter chain.
FilterChainMatch filter_chain_match = 1;
@ -269,11 +254,6 @@ message FilterChain {
// <envoy_v3_api_field_config.listener.v3.Listener.filter_chain_matcher>`
// requires that filter chains are uniquely named within a listener.
string name = 7;
// [#not-implemented-hide:] The configuration to specify whether the filter chain will be built on-demand.
// If this field is not empty, the filter chain will be built on-demand.
// Otherwise, the filter chain will be built normally and block listener warming.
OnDemandConfiguration on_demand_configuration = 8;
}
// Listener filter chain match configuration. This is a recursive structure which allows complex

@ -103,6 +103,12 @@ message ScaleTimersOverloadActionConfig {
// This affects the value of
// :ref:`FilterChain.transport_socket_connect_timeout <envoy_v3_api_field_config.listener.v3.FilterChain.transport_socket_connect_timeout>`.
TRANSPORT_SOCKET_CONNECT = 3;
// Adjusts the max connection duration timer for downstream HTTP connections.
// This affects the value of
// :ref:`HttpConnectionManager.common_http_protocol_options.max_connection_duration
// <envoy_v3_api_field_config.core.v3.HttpProtocolOptions.max_connection_duration>`.
HTTP_DOWNSTREAM_CONNECTION_MAX = 4;
}
message ScaleTimer {

@ -0,0 +1,13 @@
# DO NOT EDIT. This file is generated by tools/proto_format/proto_sync.py.
load("@envoy_api//bazel:api_build_system.bzl", "api_proto_package")
licenses(["notice"]) # Apache 2
api_proto_package(
deps = [
"//envoy/config/core/v3:pkg",
"@com_github_cncf_xds//udpa/annotations:pkg",
"@com_github_cncf_xds//xds/annotations/v3:pkg",
],
)

@ -0,0 +1,54 @@
syntax = "proto3";
package envoy.extensions.filters.http.api_key_auth.v3;
import "envoy/config/core/v3/base.proto";
import "xds/annotations/v3/status.proto";
import "udpa/annotations/sensitive.proto";
import "udpa/annotations/status.proto";
option java_package = "io.envoyproxy.envoy.extensions.filters.http.api_key_auth.v3";
option java_outer_classname = "ApiKeyAuthProto";
option java_multiple_files = true;
option go_package = "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/http/api_key_auth/v3;api_key_authv3";
option (udpa.annotations.file_status).package_version_status = ACTIVE;
option (xds.annotations.v3.file_status).work_in_progress = true;
// [#protodoc-title: APIKey Auth]
// [#not-implemented-hide:]
// APIKey Auth :ref:`configuration overview <config_http_filters_api_key_auth>`.
// [#extension: envoy.filters.http.api_key_auth]
// API Key HTTP authentication.
//
// Example:
//
// .. code-block:: yaml
//
// authentication_header: "X-API-KEY"
// keys:
// inline_string: |-
// clientID1:apiKey1
// clientID2:apiKey2
//
message APIKeyAuth {
// keys used to authenticate the client.
// It should be a map of clientID to apiKey.
// The clientID serves solely for identification purposes and isn't used for authentication.
config.core.v3.DataSource keys = 1 [(udpa.annotations.sensitive) = true];
// The header name to fetch the key.
// If multiple values are present in the given header, the filter rejects the request.
// Only one of authentication_header, authentication_query, or authentication_cookie should be set.
string authentication_header = 2;
// The query parameter name to fetch the key.
// Only one of authentication_header, authentication_query, or authentication_cookie should be set.
string authentication_query = 3;
// The cookie name to fetch the key.
// Only one of authentication_header, authentication_query, or authentication_cookie should be set.
string authentication_cookie = 4;
}

@ -691,7 +691,7 @@ message HttpConnectionManager {
// information about internal/external addresses.
//
// .. warning::
// In the next release, no IP addresses will be considered trusted. If you have tooling such as probes
// As of Envoy 1.33.0 no IP addresses will be considered trusted. If you have tooling such as probes
// on your private network which need to be treated as trusted (e.g. changing arbitrary x-envoy headers)
// you will have to manually include those addresses or CIDR ranges like:
//

@ -0,0 +1,9 @@
# DO NOT EDIT. This file is generated by tools/proto_format/proto_sync.py.
load("@envoy_api//bazel:api_build_system.bzl", "api_proto_package")
licenses(["notice"]) # Apache 2
api_proto_package(
deps = ["@com_github_cncf_xds//udpa/annotations:pkg"],
)

@ -0,0 +1,24 @@
syntax = "proto3";
package envoy.extensions.quic.connection_debug_visitor.quic_stats.v3;
import "google/protobuf/duration.proto";
import "udpa/annotations/status.proto";
import "validate/validate.proto";
option java_package = "io.envoyproxy.envoy.extensions.quic.connection_debug_visitor.quic_stats.v3";
option java_outer_classname = "QuicStatsProto";
option java_multiple_files = true;
option go_package = "github.com/envoyproxy/go-control-plane/envoy/extensions/quic/connection_debug_visitor/quic_stats/v3;quic_statsv3";
option (udpa.annotations.file_status).package_version_status = ACTIVE;
// [#protodoc-title: QUIC stats config]
// [#extension: envoy.quic.connection_debug_visitor.quic_stats]
// Configuration for a QUIC debug visitor which emits stats from the underlying QUIC transport.
message Config {
// Period to update stats while the connection is open. If unset, updates only happen when the
// connection is closed. Stats are always updated one final time when the connection is closed.
google.protobuf.Duration update_period = 2 [(validate.rules).duration = {gte {nanos: 1000000}}];
}

@ -99,6 +99,7 @@ proto_library(
"//envoy/extensions/filters/http/adaptive_concurrency/v3:pkg",
"//envoy/extensions/filters/http/admission_control/v3:pkg",
"//envoy/extensions/filters/http/alternate_protocols_cache/v3:pkg",
"//envoy/extensions/filters/http/api_key_auth/v3:pkg",
"//envoy/extensions/filters/http/aws_lambda/v3:pkg",
"//envoy/extensions/filters/http/aws_request_signing/v3:pkg",
"//envoy/extensions/filters/http/bandwidth_limit/v3:pkg",
@ -243,6 +244,7 @@ proto_library(
"//envoy/extensions/outlier_detection_monitors/consecutive_errors/v3:pkg",
"//envoy/extensions/path/match/uri_template/v3:pkg",
"//envoy/extensions/path/rewrite/uri_template/v3:pkg",
"//envoy/extensions/quic/connection_debug_visitor/quic_stats/v3:pkg",
"//envoy/extensions/quic/connection_debug_visitor/v3:pkg",
"//envoy/extensions/quic/connection_id_generator/v3:pkg",
"//envoy/extensions/quic/crypto_stream/v3:pkg",

Loading…
Cancel
Save