Merge branch 'dynamic_secret_rebase' into sds_dynamic_secret

JimmyCYJ · Jun 6, 2018 · 80042a0 · 80042a0
2 parents b8321bd + c585dfe
commit 80042a0
Show file tree

Hide file tree

Showing 318 changed files with 6,546 additions and 2,160 deletions.
diff --git a/.circleci/config.yml b/.circleci/config.yml
@@ -79,6 +79,10 @@ jobs:
 
            sudo service docker restart
      - run: dig go.googlesource.com A go.googlesource.com AAAA # Debug IPv6 network issues
+     - run: ifconfig
+     - run: route -A inet -A inet6
+     - run: curl -v https://go.googlesource.com
+     - run: curl -6 -v https://go.googlesource.com || true
      - run: ./ci/do_circle_ci_ipv6_tests.sh
 
    coverage:

diff --git a/.clang-format b/.clang-format
@@ -7,3 +7,9 @@ PointerAlignment: Left
 SortIncludes: false
 ...
 
+---
+Language: Proto
+ColumnLimit: 100
+SpacesInContainerLiterals: false
+AllowShortFunctionsOnASingleLine: false
+...
diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
@@ -11,6 +11,8 @@ maximize the chances of your PR being merged.
   agreement. This is to prevent your time being wasted, as well as ours. The GitHub review process
   for major features is also important so that [organizations with commit access](OWNERS.md) can
   come to agreement on design.
+* Specifically, if the goal is to add a new [extension](REPO_LAYOUT.md#sourceextensions-layout),
+  please read the [extension policy](GOVERNANCE.md#extension-addition-policy).
 * Small patches and bug fixes don't need prior communication.
 
 # Coding style

diff --git a/DEPRECATED.md b/DEPRECATED.md
@@ -21,6 +21,7 @@ A logged warning is expected for each deprecated item that is in deprecation win
 * `SAN` is replaced by `URI` in the `x-forwarded-client-cert` header.
 * The `endpoint` field in the http health check filter is deprecated in favor of the `headers`
   field where one can specify HeaderMatch objects to match on.
+* The `sni_domains` field in the filter chain match was deprecated/renamed to `server_names`.
 
 ## Version 1.6.0 (March 20, 2018)
 

diff --git a/GOVERNANCE.md b/GOVERNANCE.md
@@ -99,6 +99,12 @@ If a maintainer is no longer interested or cannot perform the maintainer duties
 should volunteer to be moved to emeritus status. In extreme cases this can also occur by a vote of
 the maintainers per the voting process below.
 
+# Extension addition policy
+
+Adding new [extensions](REPO_LAYOUT.md#sourceextensions-layout) has a dedicated policy. Please
+see [this](https://docs.google.com/document/d/1eDQQSxqx2khTXfa2vVm4vqkyRwXYkPzZCcbjxJ2_AvA) document
+for more information.
+
 # Conflict resolution and voting
 
 In general, we prefer that technical issues and maintainer membership are amicably worked out

diff --git a/OWNERS.md b/OWNERS.md
@@ -30,6 +30,8 @@ routing PRs, questions, etc. to the right place.
     (metadata, etc.), and OSX build.
 * Greg Greenway ([ggreenway](https://github.com/ggreenway)) (ggreenway@apple.com)
   * TCP proxy, TLS, logging, and core networking (listeners, connections, etc.).
+* Lizan Zhou ([lizan](https://github.com/lizan)) (zlizan@google.com)
+  * gRPC, gRPC/JSON transcoding, and core networking (transport socket abstractions).
 
 # Emeritus maintainers
 
@@ -45,8 +47,6 @@ matter expert reviews. Feel free to loop them in as needed.
   * TLS, BoringSSL, and core networking (listeners, connections, etc.).
 * Shriram Rajagopalan ([rshriram](https://github.com/rshriram)) (shriram@us.ibm.com)
   * Istio, APIs, HTTP routing, and WebSocket.
-* Lizan Zhou ([lizan](https://github.com/lizan)) (zlizan@google.com)
-  * gRPC, gRPC/JSON transcoding, and core networking (transport socket abstractions).
 * John Millikin ([jmillikin-stripe](https://github.com/jmillikin-stripe)) (jmillikin@stripe.com)
   * Bazel/build.
 * Joshua Marantz ([jmarantz](https://github.com/jmarantz)) (jmarantz@google.com)

diff --git a/README.md b/README.md
@@ -2,7 +2,11 @@
 
 [C++ L7 proxy and communication bus](https://www.envoyproxy.io/)
 
-Envoy is hosted by the [Cloud Native Computing Foundation](https://cncf.io) (CNCF). If you are a company that wants to help shape the evolution of technologies that are container-packaged, dynamically-scheduled and microservices-oriented, consider joining the CNCF. For details about who's involved and how Envoy plays a role, read the CNCF [announcement](https://www.cncf.io/blog/2017/09/13/cncf-hosts-envoy/).
+Envoy is hosted by the [Cloud Native Computing Foundation](https://cncf.io) (CNCF). If you are a
+company that wants to help shape the evolution of technologies that are container-packaged,
+dynamically-scheduled and microservices-oriented, consider joining the CNCF. For details about who's
+involved and how Envoy plays a role, read the CNCF
+[announcement](https://www.cncf.io/blog/2017/09/13/cncf-hosts-envoy/).
 
 [![CII Best Practices](https://bestpractices.coreinfrastructure.org/projects/1266/badge)](https://bestpractices.coreinfrastructure.org/projects/1266)
 

diff --git a/api/bazel/repositories.bzl b/api/bazel/repositories.bzl
@@ -1,7 +1,7 @@
-GOOGLEAPIS_SHA = "5c6df0cd18c6a429eab739fb711c27f6e1393366" # May 14, 2017
-GOGOPROTO_SHA = "1adfc126b41513cc696b209667c8656ea7aac67c" # Feb 2, 2018
-PROMETHEUS_SHA = "6f3806018612930941127f2a7c6c453ba2c527d2" # Nov 02, 2017
-OPENCENSUS_SHA = "993c711ba22a5f08c1d4de58a3c07466995ed962" # Dec 13, 2017
+GOOGLEAPIS_SHA = "d642131a6e6582fc226caf9893cb7fe7885b3411" # May 23, 2018
+GOGOPROTO_SHA = "1adfc126b41513cc696b209667c8656ea7aac67c" # v1.0.0
+PROMETHEUS_SHA = "99fa1f4be8e564e8a6b613da7fa6f46c9edafc6c" # Nov 17, 2017
+OPENCENSUS_SHA = "ab82e5fdec8267dc2a726544b10af97675970847" # May 23, 2018
 
 PGV_GIT_SHA = "9f600c2cd2d7031fdc8e25e1c9f5ad81c8cab4fe"
 

diff --git a/api/docs/BUILD b/api/docs/BUILD
@@ -24,6 +24,8 @@ proto_library(
         "//envoy/api/v2/listener",
         "//envoy/api/v2/ratelimit",
         "//envoy/api/v2/route",
+        "//envoy/config/accesslog/v2:als",
+        "//envoy/config/accesslog/v2:file",
         "//envoy/config/bootstrap/v2:bootstrap",
         "//envoy/config/filter/accesslog/v2:accesslog",
         "//envoy/config/filter/http/buffer/v2:buffer",
@@ -34,6 +36,7 @@ proto_library(
         "//envoy/config/filter/http/ip_tagging/v2:ip_tagging",
         "//envoy/config/filter/http/lua/v2:lua",
         "//envoy/config/filter/http/rate_limit/v2:rate_limit",
+        "//envoy/config/filter/http/rbac/v2:rbac",
         "//envoy/config/filter/http/router/v2:router",
         "//envoy/config/filter/http/squash/v2:squash",
         "//envoy/config/filter/http/transcoder/v2:transcoder",
@@ -44,13 +47,17 @@ proto_library(
         "//envoy/config/filter/network/rate_limit/v2:rate_limit",
         "//envoy/config/filter/network/redis_proxy/v2:redis_proxy",
         "//envoy/config/filter/network/tcp_proxy/v2:tcp_proxy",
+        "//envoy/config/grpc_credentials/v2alpha:file_based_metadata",
         "//envoy/config/health_checker/redis/v2:redis",
         "//envoy/config/metrics/v2:metrics_service",
         "//envoy/config/metrics/v2:stats",
         "//envoy/config/ratelimit/v2:rls",
+        "//envoy/config/rbac/v2alpha:rbac",
         "//envoy/config/trace/v2:trace",
         "//envoy/config/transport_socket/capture/v2alpha:capture",
-        "//envoy/extensions/common/tap/v2alpha:capture",
+        "//envoy/data/accesslog/v2:accesslog",
+        "//envoy/data/tap/v2alpha:capture",
+        "//envoy/service/accesslog/v2:als",
         "//envoy/service/discovery/v2:ads",
         "//envoy/service/load_stats/v2:lrs",
         "//envoy/service/metrics/v2:metrics_service",

diff --git a/api/envoy/api/v2/BUILD b/api/envoy/api/v2/BUILD
@@ -1,4 +1,4 @@
-load("//bazel:api_build_system.bzl", "api_proto_library", "api_go_proto_library", "api_go_grpc_library")
+load("//bazel:api_build_system.bzl", "api_go_grpc_library", "api_go_proto_library", "api_proto_library")
 
 licenses(["notice"])  # Apache 2
 
@@ -11,7 +11,7 @@ package_group(
         "//envoy/admin/...",
         "//envoy/api/v2",
         "//envoy/config/...",
-        "//envoy/extensions/...",
+        "//envoy/data/...",
         "//envoy/service/...",
     ],
 )

diff --git a/api/envoy/api/v2/auth/BUILD b/api/envoy/api/v2/auth/BUILD
@@ -1,4 +1,4 @@
-load("//bazel:api_build_system.bzl", "api_proto_library", "api_go_proto_library")
+load("//bazel:api_build_system.bzl", "api_go_proto_library", "api_proto_library")
 
 licenses(["notice"])  # Apache 2
 

diff --git a/api/envoy/api/v2/auth/cert.proto b/api/envoy/api/v2/auth/cert.proto
@@ -127,25 +127,70 @@ message CertificateValidationContext {
   // system CA locations.
   core.DataSource trusted_ca = 1;
 
-  // If specified, Envoy will verify (pin) the hex-encoded SHA-256 fingerprint of
-  // the presented certificate.
+  // An optional list of base64-encoded SHA-256 hashes. If specified, Envoy will verify that the
+  // SHA-256 of the DER-encoded Subject Public Key Information (SPKI) of the presented certificate
+  // matches one of the specified values.
   //
-  // For example, ``openssl`` can produce a SHA-256 fingerprint of an x509 certificate
-  // with the following command:
+  // A base64-encoded SHA-256 of the Subject Public Key Information (SPKI) of the certificate
+  // can be generated with the following command:
   //
   // .. code-block:: bash
   //
-  //   $ openssl x509 -in path/to/client.crt -noout -fingerprint -sha256
-  repeated string verify_certificate_hash = 2;
-
-  // If specified, Envoy will verify (pin) base64-encoded SHA-256 hash of
-  // the Subject Public Key Information (SPKI) of the presented certificate.
-  // This is the same format as used in HTTP Public Key Pinning.
-  // [#not-implemented-hide:]
-  repeated string verify_spki_sha256 = 3;
-
-  // An optional list of subject alternative names. If specified, Envoy will verify that
-  // the certificate’s subject alternative name matches one of the specified values.
+  //   $ openssl x509 -in path/to/client.crt -noout -pubkey \
+  //     | openssl pkey -pubin -outform DER \
+  //     | openssl dgst -sha256 -binary \
+  //     | openssl enc -base64
+  //   NvqYIYSbgK2vCJpQhObf77vv+bQWtc5ek5RIOwPiC9A=
+  //
+  // This is the format used in HTTP Public Key Pinning.
+  //
+  // When both:
+  // :ref:`verify_certificate_hash
+  // <envoy_api_field_auth.CertificateValidationContext.verify_certificate_hash>` and
+  // :ref:`verify_certificate_spki
+  // <envoy_api_field_auth.CertificateValidationContext.verify_certificate_spki>` are specified,
+  // a hash matching value from either of the lists will result in the certificate being accepted.
+  //
+  // .. attention::
+  //
+  //   This option is preferred over :ref:`verify_certificate_hash
+  //   <envoy_api_field_auth.CertificateValidationContext.verify_certificate_hash>`,
+  //   because SPKI is tied to a private key, so it doesn't change when the certificate
+  //   is renewed using the same private key.
+  repeated string verify_certificate_spki = 3
+      [(validate.rules).repeated .items.string = {min_bytes: 44, max_bytes: 44}];
+
+  // An optional list of hex-encoded SHA-256 hashes. If specified, Envoy will verify that
+  // the SHA-256 of the DER-encoded presented certificate matches one of the specified values.
+  //
+  // A hex-encoded SHA-256 of the certificate can be generated with the following command:
+  //
+  // .. code-block:: bash
+  //
+  //   $ openssl x509 -in path/to/client.crt -outform DER | openssl dgst -sha256 | cut -d" " -f2
+  //   df6ff72fe9116521268f6f2dd4966f51df479883fe7037b39f75916ac3049d1a
+  //
+  // A long hex-encoded and colon-separated SHA-256 (a.k.a. "fingerprint") of the certificate
+  // can be generated with the following command:
+  //
+  // .. code-block:: bash
+  //
+  //   $ openssl x509 -in path/to/client.crt -noout -fingerprint -sha256 | cut -d"=" -f2
+  //   DF:6F:F7:2F:E9:11:65:21:26:8F:6F:2D:D4:96:6F:51:DF:47:98:83:FE:70:37:B3:9F:75:91:6A:C3:04:9D:1A
+  //
+  // Both of those formats are acceptable.
+  //
+  // When both:
+  // :ref:`verify_certificate_hash
+  // <envoy_api_field_auth.CertificateValidationContext.verify_certificate_hash>` and
+  // :ref:`verify_certificate_spki
+  // <envoy_api_field_auth.CertificateValidationContext.verify_certificate_spki>` are specified,
+  // a hash matching value from either of the lists will result in the certificate being accepted.
+  repeated string verify_certificate_hash = 2
+      [(validate.rules).repeated .items.string = {min_bytes: 64, max_bytes: 95}];
+
+  // An optional list of Subject Alternative Names. If specified, Envoy will verify that the
+  // Subject Alternative Name of the presented certificate matches one of the specified values.
   repeated string verify_subject_alt_name = 4;
 
   // [#not-implemented-hide:] Must present a signed time-stamped OCSP response.
@@ -179,8 +224,13 @@ message CommonTlsContext {
   // [#not-implemented-hide:]
   repeated SdsSecretConfig tls_certificate_sds_secret_configs = 6;
 
-  // How to validate peer certificates.
-  CertificateValidationContext validation_context = 3;
+  oneof validation_context_type {
+    // How to validate peer certificates.
+    CertificateValidationContext validation_context = 3;
+
+    // [#not-implemented-hide:]
+    SdsSecretConfig validation_context_sds_secret_config = 7;
+  }
 
   // Supplies the list of ALPN protocols that the listener should expose. In
   // practice this is likely to be set to one of two values (see the
@@ -251,5 +301,6 @@ message Secret {
   oneof type {
     TlsCertificate tls_certificate = 2;
     TlsSessionTicketKeys session_ticket_keys = 3;
+    CertificateValidationContext validation_context = 4;
   }
 }
diff --git a/api/envoy/api/v2/cluster/BUILD b/api/envoy/api/v2/cluster/BUILD
@@ -1,4 +1,4 @@
-load("//bazel:api_build_system.bzl", "api_proto_library", "api_go_proto_library")
+load("//bazel:api_build_system.bzl", "api_go_proto_library", "api_proto_library")
 
 licenses(["notice"])  # Apache 2
 

diff --git a/api/envoy/api/v2/core/BUILD b/api/envoy/api/v2/core/BUILD
@@ -1,4 +1,4 @@
-load("//bazel:api_build_system.bzl", "api_proto_library", "api_go_proto_library", "api_go_grpc_library")
+load("//bazel:api_build_system.bzl", "api_go_grpc_library", "api_go_proto_library", "api_proto_library")
 
 licenses(["notice"])  # Apache 2
 

diff --git a/api/envoy/api/v2/endpoint/BUILD b/api/envoy/api/v2/endpoint/BUILD
@@ -1,4 +1,4 @@
-load("//bazel:api_build_system.bzl", "api_proto_library", "api_go_proto_library")
+load("//bazel:api_build_system.bzl", "api_go_proto_library", "api_proto_library")
 
 licenses(["notice"])  # Apache 2
 

diff --git a/api/envoy/api/v2/listener/BUILD b/api/envoy/api/v2/listener/BUILD
@@ -1,4 +1,4 @@
-load("//bazel:api_build_system.bzl", "api_proto_library", "api_go_proto_library")
+load("//bazel:api_build_system.bzl", "api_go_proto_library", "api_proto_library")
 
 licenses(["notice"])  # Apache 2
 

diff --git a/api/envoy/api/v2/listener/listener.proto b/api/envoy/api/v2/listener/listener.proto
@@ -62,24 +62,14 @@ message Filter {
 // For criterias that allow ranges or wildcards, the most specific value in any
 // of the configured filter chains that matches the incoming connection is going
 // to be used (e.g. for SNI ``www.example.com`` the most specific match would be
-// ``www.example.com``, then ``*.example.com``, then any filter chain without
-// ``sni_domains`` requirements).
+// ``www.example.com``, then ``*.example.com``, then ``*.com``, then any filter
+// chain without ``server_names`` requirements).
+//
+// [#comment: Implemented rules are kept in the preference order, with deprecated fields
+// listed at the end, because that's how we want to list them in the docs.
 //
 // [#comment:TODO(PiotrSikora): Add support for configurable precedence of the rules]
 message FilterChainMatch {
-  // If non-empty, the SNI domain names to consider. May contain a wildcard prefix for
-  // the bottom-level domain of a domain name, e.g. ``*.example.com``.
-  //
-  // Note that ``foo.example.com`` will be matched by ``foo.example.com``
-  // and ``*.example.com`` SNI domain names, but **not** by ``*foo.example.com``,
-  // ``*oo.example.com``, ``*example.com``, ``*.com`` or ``*``.
-  //
-  // .. attention::
-  //
-  //   See the :ref:`FAQ entry <faq_how_to_setup_sni>` on how to configure SNI for more
-  //   information.
-  repeated string sni_domains = 1;
-
   // If non-empty, an IP address and prefix length to match addresses when the
   // listener is bound to 0.0.0.0/:: or when use_original_dst is specified.
   // [#not-implemented-hide:]
@@ -111,6 +101,21 @@ message FilterChainMatch {
   // [#not-implemented-hide:]
   google.protobuf.UInt32Value destination_port = 8;
 
+  // If non-empty, a list of server names (e.g. SNI for TLS protocol) to consider when determining
+  // a filter chain match. Those values will be compared against the server names of a new
+  // connection, when detected by one of the listener filters.
+  //
+  // The server name will be matched against all wildcard domains, i.e. ``www.example.com``
+  // will be first matched against ``www.example.com``, then ``*.example.com``, then ``*.com``.
+  //
+  // Note that partial wildcards are not supported, and values like ``*w.example.com`` are invalid.
+  //
+  // .. attention::
+  //
+  //   See the :ref:`FAQ entry <faq_how_to_setup_sni>` on how to configure SNI for more
+  //   information.
+  repeated string server_names = 11;
+
   // If non-empty, a transport protocol to consider when determining a filter chain match.
   // This value will be compared against the transport protocol of a new connection, when
   // it's detected by one of the listener filters.
@@ -122,13 +127,14 @@ message FilterChainMatch {
   //   when TLS protocol is detected.
   string transport_protocol = 9;
 
-  // If non-empty, a list of application protocols to consider when determining a filter chain
-  // match. Those values will be compared against the application protocols of a new connection,
-  // when detected by one of the listener filters.
+  // If non-empty, a list of application protocols (e.g. ALPN for TLS protocol) to consider when
+  // determining a filter chain match. Those values will be compared against the application
+  // protocols of a new connection, when detected by one of the listener filters.
   //
   // Suggested values include:
   //
-  // * ``http/1.1`` - set by :ref:`envoy.listener.tls_inspector <config_listener_filters_tls_inspector>`,
+  // * ``http/1.1`` - set by :ref:`envoy.listener.tls_inspector
+  //   <config_listener_filters_tls_inspector>`,
   // * ``h2`` - set by :ref:`envoy.listener.tls_inspector <config_listener_filters_tls_inspector>`
   //
   // .. attention::
@@ -141,6 +147,21 @@ message FilterChainMatch {
   //   and matching on values other than ``h2`` is going to lead to a lot of false negatives,
   //   unless all connecting clients are known to use ALPN.
   repeated string application_protocols = 10;
+
+  // If non-empty, a list of server names (e.g. SNI for TLS protocol) to consider when determining
+  // a filter chain match. Those values will be compared against the server names of a new
+  // connection, when detected by one of the listener filters.
+  //
+  // The server name will be matched against all wildcard domains, i.e. ``www.example.com``
+  // will be first matched against ``www.example.com``, then ``*.example.com``, then ``*.com``.
+  //
+  // Note that partial wildcards are not supported, and values like ``*w.example.com`` are invalid.
+  //
+  // .. attention::
+  //
+  //   Deprecated. Use :ref:`server_names <envoy_api_field_listener.FilterChainMatch.server_names>`
+  //   instead.
+  repeated string sni_domains = 1 [deprecated = true];
 }
 
 // A filter chain wraps a set of match criteria, an option TLS context, a set of filters, and

diff --git a/api/envoy/api/v2/ratelimit/BUILD b/api/envoy/api/v2/ratelimit/BUILD
@@ -1,4 +1,4 @@
-load("//bazel:api_build_system.bzl", "api_proto_library", "api_go_proto_library")
+load("//bazel:api_build_system.bzl", "api_go_proto_library", "api_proto_library")
 
 licenses(["notice"])  # Apache 2
 

diff --git a/api/envoy/api/v2/route/BUILD b/api/envoy/api/v2/route/BUILD
@@ -1,4 +1,4 @@
-load("//bazel:api_build_system.bzl", "api_proto_library", "api_go_proto_library")
+load("//bazel:api_build_system.bzl", "api_go_proto_library", "api_proto_library")
 
 licenses(["notice"])  # Apache 2