envoyproxy · htuch · Apr 19, 2022 · Apr 10, 2022 · Apr 14, 2022 · Apr 18, 2022
diff --git a/api/envoy/extensions/filters/http/ext_proc/v3/ext_proc.proto b/api/envoy/extensions/filters/http/ext_proc/v3/ext_proc.proto
@@ -178,6 +178,7 @@ message ExtProcPerRoute {
 }
 
 // Overrides that may be set on a per-route basis
+// [#next-free-field: 6]
 message ExtProcOverrides {
   // Set a different processing mode for this route than the default.
   ProcessingMode processing_mode = 1;
@@ -195,4 +196,7 @@ message ExtProcOverrides {
   // Set different optional properties than the default setting of the
   // ``response_attributes`` field.
   repeated string response_attributes = 4;
+
+  // Set a different gRPC service for this route than the default.
+  config.core.v3.GrpcService grpc_service = 5;
 }
diff --git a/docs/root/version_history/current.rst b/docs/root/version_history/current.rst
@@ -21,6 +21,63 @@ Removed Config or Runtime
 
 New Features
 ------------
+* access_log: added new access_log command operator ``%ENVIRONMENT(X):Z%``.
+* access_log: added TCP proxy upstream and downstream byte logging. This can be accessed through the ``%DOWNSTREAM_WIRE_BYTES_SENT%``, ``%DOWNSTREAM_WIRE_BYTES_RECEIVED%``, ``%UPSTREAM_WIRE_BYTES_SENT%``, and ``%UPSTREAM_WIRE_BYTES_RECEIVED%`` access_log command operatrors.
+* access_log: make consistent access_log format fields ``%(DOWN|DIRECT_DOWN|UP)STREAM_(LOCAL|REMOTE)_*%`` to provide all combinations of local & remote addresses for upstream & downstream connections.
+* admin: :http:post:`/logging` now accepts ``/logging?paths=name1:level1,name2:level2,...`` to change multiple log levels at once.
+* cluster: added support for per host limits in :ref:`circuit breakers settings <envoy_v3_api_msg_config.cluster.v3.CircuitBreakers>`. Currently only  :ref:`max_connections <envoy_v3_api_field_config.cluster.v3.CircuitBreakers.Thresholds.max_connections>` is supported.
+* cluster: added support to restore original destination address from any desired header via setting :ref:`http_header_name <envoy_v3_api_field_config.cluster.v3.Cluster.OriginalDstLbConfig.http_header_name>`.
+* cluster: support :ref:`override host status restriction <envoy_v3_api_field_config.cluster.v3.Cluster.CommonLbConfig.override_host_status>`.
+* config: added new file based xDS configuration via :ref:`path_config_source <envoy_v3_api_field_config.core.v3.ConfigSource.path_config_source>`.
+  :ref:`watched_directory <envoy_v3_api_field_config.core.v3.PathConfigSource.watched_directory>` can
+  be used to setup an independent watch for when to reload the file path, for example when using
+  Kubernetes ConfigMaps to deliver configuration. See the linked documentation for more information.
+* config: added new :ref:`custom config validators <config_config_validation>` to dynamically verify config updates.
+* cors: add dynamic support for headers ``access-control-allow-methods`` and ``access-control-allow-headers`` in cors.
+* dns: added :ref:`dns_min_refresh_rate <envoy_v3_api_field_extensions.common.dynamic_forward_proxy.v3.DnsCacheConfig.dns_min_refresh_rate>`
+  to the DNS cache implementation to configure the minimum DNS refresh rate, regardless of returned
+  TTL. This was previously hard coded to 5s and defaults to 5s if unset.
+* ext_proc: added support for per-route :ref:`grpc_service <envoy_v3_api_field_extensions.filters.http.ext_proc.v3.ExtProcOverrides.grpc_service>`.
+* http: added random_value_specifier in :ref:`weighted_clusters <envoy_v3_api_field_config.route.v3.RouteAction.weighted_clusters>` to allow random value to be specified from configuration proto.
+* http: added request_mirror_policies to higher levels (i.e., :ref:`request_mirror_policies <envoy_v3_api_field_config.route.v3.RouteConfiguration.request_mirror_policies>` in :ref:`RouteConfiguration <envoy_v3_api_msg_config.route.v3.RouteConfiguration>` and  :ref:`request_mirror_policies <envoy_v3_api_field_config.route.v3.VirtualHost.request_mirror_policies>` in :ref:`VirtualHost <envoy_v3_api_msg_config.route.v3.VirtualHost>`) which applies to :ref:`request_mirror_policies <envoy_v3_api_field_config.route.v3.RouteAction.request_mirror_policies>` in all routes underneath without configured mirror policies.
+* http: added support for :ref:`cidr_ranges <envoy_v3_api_field_extensions.filters.network.http_connection_manager.v3.HttpConnectionManager.InternalAddressConfig.cidr_ranges>` for configuring list of CIDR ranges that are considered internal.
+* http: added support for :ref:`proxy_status_config <envoy_v3_api_field_extensions.filters.network.http_connection_manager.v3.HttpConnectionManager.proxy_status_config>` for configuring `Proxy-Status <https://datatracker.ietf.org/doc/html/draft-ietf-httpbis-proxy-status-08>`_ HTTP response header fields.
+* http: make consistent custom header format fields ``%(DOWN|DIRECT_DOWN|UP)STREAM_(LOCAL|REMOTE)_*%`` to provide all combinations of local & remote addresses for upstream & downstream connections.
+* http2: adds the new runtime feature ``envoy.reloadable_features.http2_use_oghttp2``, disabled by default, that guards use of a new HTTP/2 implementation.
+* http2: re-enabled the HTTP/2 wrapper API. This should be a transparent change that does not affect functionality. Any behavior changes can be reverted by setting the ``envoy.reloadable_features.http2_new_codec_wrapper`` runtime feature to false.
+* http3: add :ref:`enable_early_data <envoy_v3_api_field_extensions.transport_sockets.quic.v3.QuicDownstreamTransport.enable_early_data>` to turn on/off downstream early data support.
+* http3: downstream HTTP/3 support is now GA! Upstream HTTP/3 also GA for specific deployments. See :ref:`here <arch_overview_http3>` for details.
+* http3: supports upstream HTTP/3 retries. Automatically retry `0-RTT safe requests <https://www.rfc-editor.org/rfc/rfc7231#section-4.2.1>`_ if they are rejected because they are sent `too early <https://datatracker.ietf.org/doc/html/rfc8470#section-5.2>`_. And automatically retry 0-RTT safe requests if connect attempt fails later on and the cluster is configured with TCP fallback. And add retry on ``http3-post-connect-failure`` policy which allows retry of failed HTTP/3 requests with TCP fallback even after handshake if the cluster is configured with TCP fallback. This feature is guarded by ``envoy.reloadable_features.conn_pool_new_stream_with_early_data_and_http3``.
+* local_ratelimit: added support for sharing the rate limiter between multiple network filter chains or listeners via :ref:`share_key <envoy_v3_api_field_extensions.filters.network.local_ratelimit.v3.LocalRateLimit.share_key>`.
+* local_ratelimit: added support for X-RateLimit-* headers as defined in `draft RFC <https://tools.ietf.org/id/draft-polli-ratelimit-headers-03.html>`_.
+* matching: the matching API can now express a match tree that will always match by omitting a matcher at the top level.
+* outlier_detection: :ref:`max_ejection_time_jitter<envoy_v3_api_field_config.cluster.v3.OutlierDetection.base_ejection_time>` configuration added to allow adding a random value to the ejection time to prevent 'thundering herd' scenarios. Defaults to 0 so as to not break or change the behavior of existing deployments.
+* redis: support for hostnames returned in ``cluster_slots`` response is now available.
+* router: added a path-separated prefix matcher, to make route creation more efficient. :ref:`path_separated_prefix <envoy_v3_api_field_config.route.v3.RouteMatch.path_separated_prefix>`.
+* schema_validator_tool: added ``bootstrap`` checking to the
+  :ref:`schema validator check tool <install_tools_schema_validator_check_tool>`.
+* schema_validator_tool: added ``--fail-on-deprecated`` and ``--fail-on-wip`` to the
+  :ref:`schema validator check tool <install_tools_schema_validator_check_tool>` to allow failing
+  the check if either deprecated or work-in-progress fields are used.
+* schema_validator_tool: fixed linking of all extensions into the
+  :ref:`schema validator check tool <install_tools_schema_validator_check_tool>` so that all typed
+  configurations can be properly verified.
+* schema_validator_tool: the
+  :ref:`schema validator check tool <install_tools_schema_validator_check_tool>` will now recurse
+  into all sub messages, including Any messages, and perform full validation (deprecation,
+  work-in-progress, PGV, etc.). Previously only top-level messages were fully validated.
+* stats: histogram_buckets query parameter added to stats endpoint to change histogram output to show buckets.
+* tap: added support for buffering an arbitrary number of tapped traces before returning to the client via a new :ref:`buffered admin sink <envoy_v3_api_field_config.tap.v3.OutputSink.buffered_admin>`.
+* tcp_proxy: added support for on demand cluster. If the :ref:`on_demand <envoy_v3_api_field_extensions.filters.network.tcp_proxy.v3.TcpProxy.on_demand>` is set and the destination cluster is not present, a delta CDS request will be sent and the tcp proxy flow will be resumed after that cds response.
+* thrift: add support for connection draining. This can be enabled by setting the runtime guard ``envoy.reloadable_features.thrift_connection_draining`` to true.
+* thrift: added support for dynamic routing through aggregated discovery service.
+* tls: add support for tls key log :ref:`key_log<envoy_v3_api_field_extensions.transport_sockets.tls.v3.CommonTlsContext.key_log>`.
+* tools: the project now ships a :ref:`tools docker image <install_tools>` which contains tools
+  useful in support systems such as CI, CD, etc. The
+  :ref:`schema validator check tool <install_tools_schema_validator_check_tool>` has been added
+  to the tools image.
+* udp_proxy: added :ref:`matcher <envoy_v3_api_field_extensions.filters.udp.udp_proxy.v3.UdpProxyConfig.matcher>` to support matching and routing to different clusters.
+* udp_proxy: added support for :ref:`access_log <envoy_v3_api_field_extensions.filters.udp.udp_proxy.v3.UdpProxyConfig.access_log>`.
 
 Deprecated
 ----------
@@ -33,6 +33,7 @@ envoy_cc_library(
         "@com_google_absl//absl/status",
         "@com_google_absl//absl/strings:str_format",
         "@envoy_api//envoy/config/common/mutation_rules/v3:pkg_cc_proto",
+        "@envoy_api//envoy/config/core/v3:pkg_cc_proto",
         "@envoy_api//envoy/extensions/filters/http/ext_proc/v3:pkg_cc_proto",
         "@envoy_api//envoy/service/ext_proc/v3:pkg_cc_proto",
     ],
@@ -56,6 +57,7 @@ envoy_cc_library(
     deps = [
         "//envoy/grpc:status",
         "//envoy/stream_info:stream_info_interface",
+        "@envoy_api//envoy/config/core/v3:pkg_cc_proto",
         "@envoy_api//envoy/service/ext_proc/v3:pkg_cc_proto",
     ],
 )

@@ -3,6 +3,7 @@
 #include <memory>
 
 #include "envoy/common/pure.h"
+#include "envoy/config/core/v3/grpc_service.pb.h"
 #include "envoy/grpc/status.h"
 #include "envoy/service/ext_proc/v3/external_processor.pb.h"
 #include "envoy/stream_info/stream_info.h"
@@ -36,6 +37,7 @@ class ExternalProcessorClient {
 public:
   virtual ~ExternalProcessorClient() = default;
   virtual ExternalProcessorStreamPtr start(ExternalProcessorCallbacks& callbacks,
+                                           const envoy::config::core::v3::GrpcService& grpc_service,
                                            const StreamInfo::StreamInfo& stream_info) PURE;
 };
 

@@ -7,16 +7,16 @@ namespace ExternalProcessing {
 
 static constexpr char kExternalMethod[] = "envoy.service.ext_proc.v3.ExternalProcessor.Process";
 
-ExternalProcessorClientImpl::ExternalProcessorClientImpl(
-    Grpc::AsyncClientManager& client_manager,
-    const envoy::config::core::v3::GrpcService& grpc_service, Stats::Scope& scope)
-    : client_manager_(client_manager), grpc_service_(grpc_service), scope_(scope) {}
+ExternalProcessorClientImpl::ExternalProcessorClientImpl(Grpc::AsyncClientManager& client_manager,
+                                                         Stats::Scope& scope)
+    : client_manager_(client_manager), scope_(scope) {}
 
 ExternalProcessorStreamPtr
 ExternalProcessorClientImpl::start(ExternalProcessorCallbacks& callbacks,
+                                   const envoy::config::core::v3::GrpcService& grpc_service,
                                    const StreamInfo::StreamInfo& stream_info) {
   Grpc::AsyncClient<ProcessingRequest, ProcessingResponse> grpcClient(
-      client_manager_.getOrCreateRawAsyncClient(grpc_service_, scope_, true,
+      client_manager_.getOrCreateRawAsyncClient(grpc_service, scope_, true,
                                                 Grpc::CacheOption::AlwaysCache));
   return std::make_unique<ExternalProcessorStreamImpl>(std::move(grpcClient), callbacks,
                                                        stream_info);

@@ -23,16 +23,14 @@ using ProcessingResponsePtr = std::unique_ptr<ProcessingResponse>;
 
 class ExternalProcessorClientImpl : public ExternalProcessorClient {
 public:
-  ExternalProcessorClientImpl(Grpc::AsyncClientManager& client_manager,
-                              const envoy::config::core::v3::GrpcService& grpc_service,
-                              Stats::Scope& scope);
+  ExternalProcessorClientImpl(Grpc::AsyncClientManager& client_manager, Stats::Scope& scope);
 
   ExternalProcessorStreamPtr start(ExternalProcessorCallbacks& callbacks,
+                                   const envoy::config::core::v3::GrpcService& grpc_service,
                                    const StreamInfo::StreamInfo& stream_info) override;
 
 private:
   Grpc::AsyncClientManager& client_manager_;
-  const envoy::config::core::v3::GrpcService grpc_service_;
   Stats::Scope& scope_;
 };
 

@@ -19,10 +19,10 @@ Http::FilterFactoryCb ExternalProcessingFilterConfig::createFilterFactoryFromPro
   return [filter_config, grpc_service = proto_config.grpc_service(),
           &context](Http::FilterChainFactoryCallbacks& callbacks) {
     auto client = std::make_unique<ExternalProcessorClientImpl>(
-        context.clusterManager().grpcAsyncClientManager(), grpc_service, context.scope());
+        context.clusterManager().grpcAsyncClientManager(), context.scope());
 
-    callbacks.addStreamFilter(
-        Http::StreamFilterSharedPtr{std::make_shared<Filter>(filter_config, std::move(client))});
+    callbacks.addStreamFilter(Http::StreamFilterSharedPtr{
+        std::make_shared<Filter>(filter_config, std::move(client), grpc_service)});
   };
 }
 

@@ -61,11 +61,17 @@ FilterConfigPerRoute::FilterConfigPerRoute(const ExtProcPerRoute& config)
   if (config.has_overrides()) {
     processing_mode_ = config.overrides().processing_mode();
   }
+  if (config.overrides().has_grpc_service()) {
+    grpc_service_ = config.overrides().grpc_service();
+  }
 }
 
 void FilterConfigPerRoute::merge(const FilterConfigPerRoute& src) {
   disabled_ = src.disabled_;
   processing_mode_ = src.processing_mode_;
+  if (src.grpcService().has_value()) {
+    grpc_service_ = src.grpcService();
+  }
 }
 
 void Filter::setDecoderFilterCallbacks(Http::StreamDecoderFilterCallbacks& callbacks) {
@@ -82,7 +88,7 @@ Filter::StreamOpenState Filter::openStream() {
   ENVOY_BUG(!processing_complete_, "openStream should not have been called");
   if (!stream_) {
     ENVOY_LOG(debug, "Opening gRPC stream to external processor");
-    stream_ = client_->start(*this, decoder_callbacks_->streamInfo());
+    stream_ = client_->start(*this, grpc_service_, decoder_callbacks_->streamInfo());
     stats_.streams_started_.inc();
     if (processing_complete_) {
       // Stream failed while starting and either onGrpcError or onGrpcClose was already called
@@ -705,19 +711,26 @@ void Filter::mergePerRouteConfig() {
   auto&& merged_config = Http::Utility::getMergedPerFilterConfig<FilterConfigPerRoute>(
       FilterName, decoder_callbacks_->route(),
       [](FilterConfigPerRoute& dst, const FilterConfigPerRoute& src) { dst.merge(src); });
-  if (merged_config) {
-    if (merged_config->disabled()) {
-      // Rather than introduce yet another flag, use the processing mode
-      // structure to disable all the callbacks.
-      ENVOY_LOG(trace, "Disabling filter due to per-route configuration");
-      const auto all_disabled = allDisabledMode();
-      decoding_state_.setProcessingMode(all_disabled);
-      encoding_state_.setProcessingMode(all_disabled);
-    } else if (merged_config->processingMode()) {
-      ENVOY_LOG(trace, "Setting new processing mode from per-route configuration");
-      decoding_state_.setProcessingMode(*(merged_config->processingMode()));
-      encoding_state_.setProcessingMode(*(merged_config->processingMode()));
-    }
+  if (!merged_config) {
+    return;
+  }
+  if (merged_config->disabled()) {
+    // Rather than introduce yet another flag, use the processing mode
+    // structure to disable all the callbacks.
+    ENVOY_LOG(trace, "Disabling filter due to per-route configuration");
+    const auto all_disabled = allDisabledMode();
+    decoding_state_.setProcessingMode(all_disabled);
+    encoding_state_.setProcessingMode(all_disabled);
+    return;
+  }
+  if (merged_config->processingMode()) {
+    ENVOY_LOG(trace, "Setting new processing mode from per-route configuration");
+    decoding_state_.setProcessingMode(*(merged_config->processingMode()));
+    encoding_state_.setProcessingMode(*(merged_config->processingMode()));
+  }
+  if (merged_config->grpcService()) {
+    ENVOY_LOG(trace, "Setting new GrpcService from per-route configuration");
+    grpc_service_ = *merged_config->grpcService();
   }
 }
 

@@ -4,6 +4,7 @@
 #include <memory>
 #include <string>
 
+#include "envoy/config/core/v3/grpc_service.pb.h"
 #include "envoy/event/timer.h"
 #include "envoy/extensions/filters/http/ext_proc/v3/ext_proc.pb.h"
 #include "envoy/grpc/async_client.h"
@@ -90,10 +91,14 @@ class FilterConfigPerRoute : public Router::RouteSpecificFilterConfig {
   processingMode() const {
     return processing_mode_;
   }
+  const absl::optional<envoy::config::core::v3::GrpcService>& grpcService() const {
+    return grpc_service_;
+  }
 
 private:
   bool disabled_;
   absl::optional<envoy::extensions::filters::http::ext_proc::v3::ProcessingMode> processing_mode_;
+  absl::optional<envoy::config::core::v3::GrpcService> grpc_service_;
 };
 
 class Filter : public Logger::Loggable<Logger::Id::ext_proc>,
@@ -112,9 +117,10 @@ class Filter : public Logger::Loggable<Logger::Id::ext_proc>,
   };
 
 public:
-  Filter(const FilterConfigSharedPtr& config, ExternalProcessorClientPtr&& client)
+  Filter(const FilterConfigSharedPtr& config, ExternalProcessorClientPtr&& client,
+         const envoy::config::core::v3::GrpcService& grpc_service)
       : config_(config), client_(std::move(client)), stats_(config->stats()),
-        decoding_state_(*this, config->processingMode()),
+        grpc_service_(grpc_service), decoding_state_(*this, config->processingMode()),
         encoding_state_(*this, config->processingMode()) {}
 
   const FilterConfig& config() const { return *config_; }
@@ -175,6 +181,7 @@ class Filter : public Logger::Loggable<Logger::Id::ext_proc>,
   const FilterConfigSharedPtr config_;
   const ExternalProcessorClientPtr client_;
   ExtProcFilterStats stats_;
+  envoy::config::core::v3::GrpcService grpc_service_;
 
   // The state of the filter on both the encoding and decoding side.
   DecodingProcessorState decoding_state_;

@@ -39,6 +39,7 @@ envoy_extension_cc_test(
         "//test/mocks/event:event_mocks",
         "//test/mocks/server:factory_context_mocks",
         "//test/test_common:test_runtime_lib",
+        "@envoy_api//envoy/config/core/v3:pkg_cc_proto",
         "@envoy_api//envoy/service/ext_proc/v3:pkg_cc_proto",
     ],
 )
@@ -65,6 +66,7 @@ envoy_extension_cc_test(
         "//test/mocks/event:event_mocks",
         "//test/mocks/server:factory_context_mocks",
         "//test/test_common:test_runtime_lib",
+        "@envoy_api//envoy/config/core/v3:pkg_cc_proto",
     ],
 )