Merge branch 'master' into flood-disconnect-goaway

Signed-off-by: Yan Avlasov <yavlasov@google.com>
envoyproxy · Oct 8, 2020 · 1c8e9af · 1c8e9af
2 parents 4ac889c + 5b55032
commit 1c8e9af
Show file tree

Hide file tree

Showing 306 changed files with 5,509 additions and 2,515 deletions.
diff --git a/CODEOWNERS b/CODEOWNERS
@@ -140,3 +140,6 @@ extensions/upstreams/http/tcp @alyssawilk @mattklein123
 extensions/upstreams/http/default @alyssawilk @snowp @mattklein123
 # OAuth2
 extensions/filters/http/oauth2 @rgs1 @derekargueta @snowp
+# HTTP Local Rate Limit
+/*/extensions/filters/http/local_ratelimit @rgs1 @mattklein123
+/*/extensions/filters/common/local_ratelimit @mattklein123 @rgs1
diff --git a/GOVERNANCE.md b/GOVERNANCE.md
@@ -87,6 +87,7 @@ or you can subscribe to the iCal feed [here](webcal://kubernetes.app.opsgenie.co
   * Remove the "Pending" tags and add dates to the top of the [release notes for this version](docs/root/version_history/current.rst).
   * Switch the [VERSION](VERSION) from a "dev" variant to a final variant. E.g., "1.6.0-dev" to
     "1.6.0".
+  * Update the [RELEASES](RELEASES.md) doc with the relevant dates.
   * Get a review and merge.
 * Wait for tests to pass on [master](https://dev.azure.com/cncf/envoy/_build).
 * Create a [tagged release](https://github.com/envoyproxy/envoy/releases). The release should
@@ -137,10 +138,7 @@ Deprecated
 ----------
 ```
 * Run the deprecate_versions.py script (e.g. `sh tools/deprecate_version/deprecate_version.sh`)
-  to file tracking issues for code which can be removed.
-* Run the deprecate_features.py script (e.g. `sh tools/deprecate_features/deprecate_features.sh`)
-  to make the last release's deprecated features fatal-by-default. Submit the resultant PR and send
-  an email to envoy-announce.
+  to file tracking issues for runtime guarded code which can be removed.
 * Check source/common/runtime/runtime_features.cc and see if any runtime guards in
   disabled_runtime_features should be reassessed, and ping on the relevant issues.
 

diff --git a/RELEASES.md b/RELEASES.md
@@ -64,7 +64,7 @@ deadline of 3 weeks.
 | 1.13.0  | 2019/12/31 | 2020/01/20 |  +20 days  | 2021/01/20  |
 | 1.14.0  | 2020/03/31 | 2020/04/08 |   +8 days  | 2021/04/08  |
 | 1.15.0  | 2020/06/30 | 2020/07/07 |   +7 days  | 2021/07/07  |
-| 1.16.0  | 2020/09/30 |            |            |             |
+| 1.16.0  | 2020/09/30 | 2020/10/08 |   +8 days  | 2021/10/08  |
 | 1.17.0  | 2020/12/31 |            |            |             |
 
 

diff --git a/VERSION b/VERSION
@@ -1 +1 @@
-1.16.0-dev
+1.16.0
diff --git a/api/BUILD b/api/BUILD
@@ -190,6 +190,7 @@ proto_library(
         "//envoy/extensions/filters/http/health_check/v3:pkg",
         "//envoy/extensions/filters/http/ip_tagging/v3:pkg",
         "//envoy/extensions/filters/http/jwt_authn/v3:pkg",
+        "//envoy/extensions/filters/http/local_ratelimit/v3:pkg",
         "//envoy/extensions/filters/http/lua/v3:pkg",
         "//envoy/extensions/filters/http/oauth2/v3alpha:pkg",
         "//envoy/extensions/filters/http/on_demand/v3:pkg",

diff --git a/api/envoy/config/core/v3/address.proto b/api/envoy/config/core/v3/address.proto
@@ -32,6 +32,7 @@ message Pipe {
 
 // [#not-implemented-hide:] The address represents an envoy internal listener.
 // TODO(lambdai): Make this address available for listener and endpoint.
+// TODO(asraa): When address available, remove workaround from test/server/server_fuzz_test.cc:30.
 message EnvoyInternalAddress {
   oneof address_name_specifier {
     option (validate.required) = true;

diff --git a/api/envoy/config/core/v4alpha/address.proto b/api/envoy/config/core/v4alpha/address.proto
diff --git a/api/envoy/extensions/filters/http/ext_authz/v3/ext_authz.proto b/api/envoy/extensions/filters/http/ext_authz/v3/ext_authz.proto
@@ -6,6 +6,7 @@ import "envoy/config/core/v3/base.proto";
 import "envoy/config/core/v3/config_source.proto";
 import "envoy/config/core/v3/grpc_service.proto";
 import "envoy/config/core/v3/http_uri.proto";
+import "envoy/type/matcher/v3/metadata.proto";
 import "envoy/type/matcher/v3/string.proto";
 import "envoy/type/v3/http_status.proto";
 
@@ -23,7 +24,7 @@ option (udpa.annotations.file_status).package_version_status = ACTIVE;
 // External Authorization :ref:`configuration overview <config_http_filters_ext_authz>`.
 // [#extension: envoy.filters.http.ext_authz]
 
-// [#next-free-field: 14]
+// [#next-free-field: 15]
 message ExtAuthz {
   option (udpa.annotations.versioning).previous_message_type =
       "envoy.config.filter.http.ext_authz.v2.ExtAuthz";
@@ -103,6 +104,10 @@ message ExtAuthz {
   // If this field is not specified, the filter will be enabled for all requests.
   config.core.v3.RuntimeFractionalPercent filter_enabled = 9;
 
+  // Specifies if the filter is enabled with metadata matcher.
+  // If this field is not specified, the filter will be enabled for all requests.
+  type.matcher.v3.MetadataMatcher filter_enabled_metadata = 14;
+
   // Specifies whether to deny the requests, when the filter is disabled.
   // If :ref:`runtime_key <envoy_api_field_config.core.v3.RuntimeFeatureFlag.runtime_key>` is specified,
   // Envoy will lookup the runtime key to determine whether to deny request for

diff --git a/api/envoy/extensions/filters/http/ext_authz/v4alpha/ext_authz.proto b/api/envoy/extensions/filters/http/ext_authz/v4alpha/ext_authz.proto
diff --git a/api/envoy/extensions/filters/http/local_ratelimit/v3/BUILD b/api/envoy/extensions/filters/http/local_ratelimit/v3/BUILD
@@ -0,0 +1,13 @@
+# DO NOT EDIT. This file is generated by tools/proto_format/proto_sync.py.
+
+load("@envoy_api//bazel:api_build_system.bzl", "api_proto_package")
+
+licenses(["notice"])  # Apache 2
+
+api_proto_package(
+    deps = [
+        "//envoy/config/core/v3:pkg",
+        "//envoy/type/v3:pkg",
+        "@com_github_cncf_udpa//udpa/annotations:pkg",
+    ],
+)
diff --git a/api/envoy/extensions/filters/http/local_ratelimit/v3/local_rate_limit.proto b/api/envoy/extensions/filters/http/local_ratelimit/v3/local_rate_limit.proto
@@ -0,0 +1,70 @@
+syntax = "proto3";
+
+package envoy.extensions.filters.http.local_ratelimit.v3;
+
+import "envoy/config/core/v3/base.proto";
+import "envoy/type/v3/http_status.proto";
+import "envoy/type/v3/token_bucket.proto";
+
+import "udpa/annotations/status.proto";
+import "udpa/annotations/versioning.proto";
+import "validate/validate.proto";
+
+option java_package = "io.envoyproxy.envoy.extensions.filters.http.local_ratelimit.v3";
+option java_outer_classname = "LocalRateLimitProto";
+option java_multiple_files = true;
+option (udpa.annotations.file_status).package_version_status = ACTIVE;
+
+// [#protodoc-title: Local Rate limit]
+// Local Rate limit :ref:`configuration overview <config_http_filters_local_rate_limit>`.
+// [#extension: envoy.filters.http.local_ratelimit]
+
+// [#next-free-field: 7]
+message LocalRateLimit {
+  // The human readable prefix to use when emitting stats.
+  string stat_prefix = 1 [(validate.rules).string = {min_len: 1}];
+
+  // This field allows for a custom HTTP response status code to the downstream client when
+  // the request has been rate limited.
+  // Defaults to 429 (TooManyRequests).
+  //
+  // .. note::
+  //   If this is set to < 400, 429 will be used instead.
+  type.v3.HttpStatus status = 2;
+
+  // The token bucket configuration to use for rate limiting requests that are processed by this
+  // filter. Each request processed by the filter consumes a single token. If the token is available,
+  // the request will be allowed. If no tokens are available, the request will receive the configured
+  // rate limit status.
+  //
+  // .. note::
+  //   It's fine for the token bucket to be unset for the global configuration since the rate limit
+  //   can be applied at a the virtual host or route level. Thus, the token bucket must be set
+  //   for the per route configuration otherwise the config will be rejected.
+  //
+  // .. note::
+  //   When using per route configuration, the bucket becomes unique to that route.
+  //
+  // .. note::
+  //   In the current implementation the token bucket's :ref:`fill_interval
+  //   <envoy_api_field_type.v3.TokenBucket.fill_interval>` must be >= 50ms to avoid too aggressive
+  //   refills.
+  type.v3.TokenBucket token_bucket = 3;
+
+  // If set, this will enable -- but not necessarily enforce -- the rate limit for the given
+  // fraction of requests.
+  // Defaults to 0% of requests for safety.
+  config.core.v3.RuntimeFractionalPercent filter_enabled = 4;
+
+  // If set, this will enforce the rate limit decisions for the given fraction of requests.
+  //
+  // Note: this only applies to the fraction of enabled requests.
+  //
+  // Defaults to 0% of requests for safety.
+  config.core.v3.RuntimeFractionalPercent filter_enforced = 5;
+
+  // Specifies a list of HTTP headers that should be added to each response for requests that
+  // have been rate limited.
+  repeated config.core.v3.HeaderValueOption response_headers_to_add = 6
+      [(validate.rules).repeated = {max_items: 10}];
+}
diff --git a/api/envoy/extensions/filters/network/ext_authz/v3/BUILD b/api/envoy/extensions/filters/network/ext_authz/v3/BUILD
@@ -8,6 +8,7 @@ api_proto_package(
     deps = [
         "//envoy/config/core/v3:pkg",
         "//envoy/config/filter/network/ext_authz/v2:pkg",
+        "//envoy/type/matcher/v3:pkg",
         "@com_github_cncf_udpa//udpa/annotations:pkg",
     ],
 )
diff --git a/api/envoy/extensions/filters/network/ext_authz/v3/ext_authz.proto b/api/envoy/extensions/filters/network/ext_authz/v3/ext_authz.proto
@@ -4,6 +4,7 @@ package envoy.extensions.filters.network.ext_authz.v3;
 
 import "envoy/config/core/v3/config_source.proto";
 import "envoy/config/core/v3/grpc_service.proto";
+import "envoy/type/matcher/v3/metadata.proto";
 
 import "udpa/annotations/status.proto";
 import "udpa/annotations/versioning.proto";
@@ -23,7 +24,7 @@ option (udpa.annotations.file_status).package_version_status = ACTIVE;
 // gRPC Authorization API defined by
 // :ref:`CheckRequest <envoy_api_msg_service.auth.v3.CheckRequest>`.
 // A failed check will cause this filter to close the TCP connection.
-// [#next-free-field: 6]
+// [#next-free-field: 7]
 message ExtAuthz {
   option (udpa.annotations.versioning).previous_message_type =
       "envoy.config.filter.network.ext_authz.v2.ExtAuthz";
@@ -51,4 +52,8 @@ message ExtAuthz {
   // version of Check{Request,Response} used on the wire.
   config.core.v3.ApiVersion transport_api_version = 5
       [(validate.rules).enum = {defined_only: true}];
+
+  // Specifies if the filter is enabled with metadata matcher.
+  // If this field is not specified, the filter will be enabled for all requests.
+  type.matcher.v3.MetadataMatcher filter_enabled_metadata = 6;
 }
diff --git a/api/envoy/extensions/filters/network/ext_authz/v4alpha/BUILD b/api/envoy/extensions/filters/network/ext_authz/v4alpha/BUILD
diff --git a/api/envoy/extensions/filters/network/ext_authz/v4alpha/ext_authz.proto b/api/envoy/extensions/filters/network/ext_authz/v4alpha/ext_authz.proto
diff --git a/api/envoy/extensions/transport_sockets/proxy_protocol/v3/upstream_proxy_protocol.proto b/api/envoy/extensions/transport_sockets/proxy_protocol/v3/upstream_proxy_protocol.proto
@@ -6,7 +6,6 @@ import "envoy/config/core/v3/base.proto";
 import "envoy/config/core/v3/proxy_protocol.proto";
 
 import "udpa/annotations/status.proto";
-import "udpa/annotations/versioning.proto";
 import "validate/validate.proto";
 
 option java_package = "io.envoyproxy.envoy.extensions.transport_sockets.proxy_protocol.v3";
@@ -16,9 +15,10 @@ option (udpa.annotations.file_status).package_version_status = ACTIVE;
 
 // [#protodoc-title: Upstream Proxy Protocol]
 // [#extension: envoy.transport_sockets.upstream_proxy_protocol]
-// [#not-implemented-hide:]
+
 // Configuration for PROXY protocol socket
 message ProxyProtocolUpstreamTransport {
+  // The PROXY protocol settings
   config.core.v3.ProxyProtocolConfig config = 1;
 
   // The underlying transport socket being wrapped.

diff --git a/api/envoy/extensions/upstreams/http/generic/v3/generic_connection_pool.proto b/api/envoy/extensions/upstreams/http/generic/v3/generic_connection_pool.proto
@@ -5,7 +5,7 @@ package envoy.extensions.upstreams.http.generic.v3;
 import "udpa/annotations/status.proto";
 
 option java_package = "io.envoyproxy.envoy.extensions.upstreams.http.generic.v3";
-option java_outer_classname = "GenericConnectionPoolProto";
+option java_outer_classname = "GenericConnectionPoolProtoOuterClass";
 option java_multiple_files = true;
 option (udpa.annotations.file_status).package_version_status = ACTIVE;
 

diff --git a/api/envoy/extensions/upstreams/http/http/v3/http_connection_pool.proto b/api/envoy/extensions/upstreams/http/http/v3/http_connection_pool.proto
@@ -5,7 +5,7 @@ package envoy.extensions.upstreams.http.http.v3;
 import "udpa/annotations/status.proto";
 
 option java_package = "io.envoyproxy.envoy.extensions.upstreams.http.http.v3";
-option java_outer_classname = "HttpConnectionPoolProto";
+option java_outer_classname = "HttpConnectionPoolProtoOuterClass";
 option java_multiple_files = true;
 option (udpa.annotations.file_status).package_version_status = ACTIVE;
 

diff --git a/api/envoy/extensions/upstreams/http/tcp/v3/tcp_connection_pool.proto b/api/envoy/extensions/upstreams/http/tcp/v3/tcp_connection_pool.proto
@@ -5,7 +5,7 @@ package envoy.extensions.upstreams.http.tcp.v3;
 import "udpa/annotations/status.proto";
 
 option java_package = "io.envoyproxy.envoy.extensions.upstreams.http.tcp.v3";
-option java_outer_classname = "TcpConnectionPoolProto";
+option java_outer_classname = "TcpConnectionPoolProtoOuterClass";
 option java_multiple_files = true;
 option (udpa.annotations.file_status).package_version_status = ACTIVE;
 

diff --git a/api/versioning/BUILD b/api/versioning/BUILD
@@ -73,6 +73,7 @@ proto_library(
         "//envoy/extensions/filters/http/health_check/v3:pkg",
         "//envoy/extensions/filters/http/ip_tagging/v3:pkg",
         "//envoy/extensions/filters/http/jwt_authn/v3:pkg",
+        "//envoy/extensions/filters/http/local_ratelimit/v3:pkg",
         "//envoy/extensions/filters/http/lua/v3:pkg",
         "//envoy/extensions/filters/http/oauth2/v3alpha:pkg",
         "//envoy/extensions/filters/http/on_demand/v3:pkg",