tls: Add certificate compression support (RFC 8879)#2
Open
bellatoris wants to merge 722 commits into main from
Signed-off-by: Doogie Min <doogie.min@sendbird.com>
Signed-off-by: Ryan Northey <ryan@synca.io>
- add a `-contrib` suffix to the version string
- test version strings for suffixes
- fix distroless contrib binary
- add a test to ensure binary in distroless contrib is really contrib
- fix distroless ci to ensure just-built image is the one tested

Fix envoyproxy#43382

Signed-off-by: Ryan Northey <ryan@synca.io>
…xy#43769) ## Description This PR adds a method to get the host health by address in the LB Dynamic Module. --- **Commit Message:** dynamic_modules: add a method to get host health by address **Additional Description:** Adds a method to get the host health by address in the LB Dynamic Module. **Risk Level:** Low **Testing:** Added Tests **Docs Changes:** Added **Release Notes:** N/A Signed-off-by: Rohit Agrawal <rohit.agrawal@databricks.com>
Commit Message: The Rust compiler doesn't guarantee that the layout of slices won't change. Add a type to encapsulate the unsafeness and assert that the transformation is safe in debug builds. Additional Description: Risk Level: low, this only adds assertions to catch future incompatibilities Testing: ran unit tests locally Docs Changes: n/a Release Notes: n/a Platform Specific Features: n/a Signed-off-by: Alex Bakon <abakon@netflix.com>
## Description This PR adds retry awareness to the LB Dynamic Modules. --- **Commit Message:** dynamic_modules: add retry awareness to lb module **Additional Description:** Added retry awareness to the LB Dynamic Modules. **Risk Level:** Low **Testing:** Added Tests **Docs Changes:** Added **Release Notes:** N/A Signed-off-by: Rohit Agrawal <rohit.agrawal@databricks.com>
…43668)

Commit Message: [file_server] Make suffix type mappings case-insensitive

Additional Description: Very small change to file_server, after realizing that we have an environment that serves both PNG and png files. It doesn't make much sense to have to define every combination of case for suffixes (maybe there's some Png or pnG), so making it case-insensitive makes sense.

One way to do that would be to accept any case and convert at init time - but that would provoke a confusing behavior if someone configured `{"png": "image/png", "PNG": "application/octet-stream"}`. We could do a deduplication validation after the fact to prevent that, but that adds a bunch of extra code for something that's trivially simple if we just enforce that it be configured in lowercase only at the proto validation level (which should be fine as a change since the filter is one day old and marked WIP).

A bonus effect of doing it this way is that protovalidate is also validating "no periods" which I previously validated in code, so that code and its test can be removed.

Risk Level: Negligible, minor change to brand new filter.
Testing: Some removed. Manually validated that the protovalidate rule is functioning as expected.
Docs Changes: n/a
Release Notes: Added previously-forgotten changelog.
Platform Specific Features: n/a

Signed-off-by: Raven Black <ravenblack@dropbox.com>
envoyproxy#43776) ## Description This PR splits up the monolith RUST SDK `lib.rs` into smaller parts by retaining --- **Commit Message:** dynamic_modules: split the RUST SDK lib.rs into smaller per-extensions **Additional Description:** **Risk Level:** Low **Testing:** CI **Docs Changes:** N/A **Release Notes:** N/A --------- Signed-off-by: Rohit Agrawal <rohit.agrawal@databricks.com>
… LB context (envoyproxy#43777) ## Description This PR adds a way to access overridden host address and the strict flag from the LB context. --- **Commit Message:** dynamic_modules: add a way to access overridden host address from the LB context **Additional Description:** Added a way to access overridden host address and the strict flag from the LB context. **Risk Level:** Low **Testing:** Added Tests **Docs Changes:** Added **Release Notes:** N/A Signed-off-by: Rohit Agrawal <rohit.agrawal@databricks.com>
…nvoyproxy#43778) ## Description This PR adds host membership update notifications for the Load Balancing Dynamic Module. --- **Commit Message:** dynamic_modules: added host membership update notifications for LB **Additional Description:** Added host membership update notifications for the Load Balancing Dynamic Module. **Risk Level:** Low **Testing:** Added Tests **Docs Changes:** Added **Release Notes:** N/A Signed-off-by: Rohit Agrawal <rohit.agrawal@databricks.com>
**Problem**

When `direct_response` uses `body_format.content_type`, the response always returns `Content-Type: text/plain`. The field was parsed from proto but never stored or applied.

**Fix**

- Added `responseContentType()` pure virtual to `DirectResponseEntry`
- Stored `content_type` from `body_format` in `RouteEntryImplBase` (explicit → JSON default → empty)
- Applied it in the `sendLocalReply` `modify_headers` lambda

**Tests added**

- `RouteConfigurationV2.DirectResponseBodyFormatContentType` — all 4 content-type cases
- `RouterTest.DirectResponseWithBodyFormatContentType` — end-to-end `text/html` header
- `RouterTest.DirectResponseWithBodyFormatNoContentType` — no override when empty

Fixes envoyproxy#43680

Signed-off-by: garima-uttam <garimauttam@ibm.com>
## Description Trying to bring back the Gemini reviews using the manual trigger. Signed-off-by: Rohit Agrawal <rohit.agrawal@databricks.com>
Commit Message: use per connection rping timer with jitter similar to HTTP2 keepalives

Additional Description: we have observed higher p90 latencies for requests from upstream to downstream when there are a high number (>10k) of active reverse connections due to the for loop for rpings which initiates rpings for all connections without yielding for the requests. Per connection rping timers help with request events not starving

Risk Level: Low
Testing: Unit tests
Docs Changes: N/A
Release Notes: N/A
Platform Specific Features:

Signed-off-by: Prasad I V <prasad.iv@databricks.com>
Co-authored-by: Prasad I V <prasad.iv@databricks.com>
…yproxy#43748)

Commit Message: dym sdk: add the config scheduler support to go sdk and cpp sdk

Additional Description: Add the config scheduler to go sdk and cpp sdk.

Risk Level:
Testing:
Docs Changes:
Release Notes:
Platform Specific Features:

Signed-off-by: wbpcode/wangbaiping <wbphub@gmail.com>
…voyproxy#43700)

Commit Message: update() took a const reference, making the std::move inside it a no-op: std::move on a const& yields a const&& which resolves to the copy constructor, so every EDS config update deep-copied the entire ClusterLoadAssignment protobuf (all endpoints, localities, addresses, metadata) into the unique_ptr.

Accept by value so callers can move their local variables in. The protobuf move constructor swaps internal pointers in O(1) regardless of message size, replacing what was a full recursive copy with two pointer swaps.

This matters on the EDS hot path for large clusters where the control plane pushes frequent endpoint updates.

Additional Description:
Risk Level:
Testing:
Docs Changes:
Release Notes:
Platform Specific Features:

Signed-off-by: William Dauchy <william.dauchy@datadoghq.com>
…oxy#43770) This deletes code that wasn't needed anymore Signed-off-by: Greg Greenway <ggreenway@apple.com>
Signed-off-by: Takeshi Yoneda <tyoneda@netflix.com>
Commit Message: This allows callers to provide a slice, which could be on the stack, instead of a Vec, which requires allocating on the heap. This is safe since the called functions weren't using the fact that they were taking ownership of the input, and were just producing a slice from the Vec internally and acting on that. Additional Description: Since the changed methods are using `unsafe` code, the usual "if it compiles, it's safe" Rust guarantees around lifetimes don't apply. That being said, all the callers were already taking containers of references, so if there is any usage beyond the lifetimes of those values happening with this change, it was present in the previous version of the code. Risk Level: low Testing: build and ran unit tests Docs Changes: n/a Release Notes: n/a Platform Specific Features: n/a Signed-off-by: Alex Bakon <abakon@netflix.com>
…xy#43798) ## Description We are missing `#[repr(transparent)]` on the metrics methods. This PR is to add it. --- **Commit Message:** dynamic_modules: refactor RUST SDK to add repr(transparent) **Additional Description:** Added missing `#[repr(transparent)]` on the metrics methods. **Risk Level:** Low **Testing:** CI **Docs Changes:** N/A **Release Notes:** N/A Signed-off-by: Rohit Agrawal <rohit.agrawal@databricks.com>
…3805) ## Description This PR adds Cluster/host stats access for the Load Balancing Dynamic Module. --- **Commit Message:** dynamic_modules: added Cluster/host stats access for lb **Additional Description:** Added Cluster/host stats access for the Load Balancing Dynamic Module. **Risk Level:** Low **Testing:** Added Tests **Docs Changes:** Added **Release Notes:** N/A Signed-off-by: Rohit Agrawal <rohit.agrawal@databricks.com>
…envoyproxy#43797) ## Description This PR adds the missing `set_dynamic_metadata_number` to the Listener Filter Dynamic Modules. --- **Commit Message:** dynamic_modules: add set_dynamic_metadata_number for listener filters **Additional Description:** Added the missing `set_dynamic_metadata_number` to the Listener Filter Dynamic Modules. **Risk Level:** Low **Testing:** Added Tests **Docs Changes:** Added **Release Notes:** N/A Signed-off-by: Rohit Agrawal <rohit.agrawal@databricks.com>
…nvoyproxy#43796) ## Description This PR adds the missing `set_dynamic_metadata_bool` to the Network Filter Dynamic Modules. --- **Commit Message:** dynamic_modules: add set_dynamic_metadata_bool for network filters **Additional Description:** Added the missing `set_dynamic_metadata_bool` to the Network Filter Dynamic Modules. **Risk Level:** Low **Testing:** Added Tests **Docs Changes:** Added **Release Notes:** N/A Signed-off-by: Rohit Agrawal <rohit.agrawal@databricks.com>
…y#43809) Signed-off-by: Takeshi Yoneda <tyoneda@netflix.com>
Commit Message: dym sdk: refactor the cpp sdk to use std

Additional Description: Rather than absl, to use std in the cpp dynamic module SDK.

Risk Level:
Testing:
Docs Changes:
Release Notes:
Platform Specific Features:

Signed-off-by: wbpcode/wangbaiping <wbphub@gmail.com>
## Description This PR adds ability to emit stats to the Dynamic Modules for LB. --- **Commit Message:** dynamic_modules: added metrics for LB module **Additional Description:** Added ability to emit stats to the Dynamic Modules for LB. **Risk Level:** Low **Testing:** Added Tests **Docs Changes:** Added **Release Notes:** Added --------- Signed-off-by: Rohit Agrawal <rohit.agrawal@databricks.com>
## Commit Message

Fix flaky router integ test usually surfaced as a segfault under asan

## Additional Description

aakugan@4af388b

Caused because the integ test makes a separate thread for the upstream connection and the sentinel frame callback has a ptr to the ServerConnectionImpl which is usually not the case for actual workflows -> only one thread. After everything is shut down on the test thread the upstream thread can have a callback which crashes.

Ref: https://github.com/envoyproxy/envoy/actions/runs/22659006942/job/65674847129#step:19:751

Signed-off-by: aakugan <aakashganapathy2@gmail.com>
Signed-off-by: tyxia <tyxia@google.com>
Signed-off-by: Ethan <ethantruong@google.com>
bellatoris added a commit that referenced this pull request Mar 12, 2026
…use-after-free fix

Code review fixes:
- Use absl::optional<string> for zone parameter (Comment #1)
- Skip locality modification when zone is nullopt (Comment #2)
- Simplify fetch_sub pattern to fetch_sub(1)==1 (Comment envoyproxy#4)
- Fix use-after-free: move zone_callbacks_.erase after all address uses
- Add :ref: link in proto doc (Comment envoyproxy#7)
- Add const qualifiers (Comments envoyproxy#8, envoyproxy#9)

Zone discovery integration tests (redis_cluster_test.cc):
- ZoneDiscoveryBasicFlow: both nodes return valid zones
- ZoneDiscoveryPartialZones: one node missing availability_zone
- ZoneDiscoveryResponseTypeMismatch: Error type instead of BulkString
- ZoneDiscoveryAllFailure: both INFO requests fail
- ZoneDiscoveryMixedSuccessAndFailure: one succeeds, one fails
- ZoneDiscoveryMakeRequestReturnsNull: makeRequest returns nullptr

LB tests (redis_cluster_lb_test.cc):
- LocalZoneAffinityZoneDiscoveryFailure: hosts without zones
- LocalZoneAffinityReplicasAndPrimaryUnhealthyLocalPrimary: unhealthy local primary fallback

Signed-off-by: Doogie Min <doogie.min@sendbird.com>
Add TLS certificate compression with brotli, zstd, and zlib algorithms. This reduces TLS handshake size, especially beneficial for QUIC where the ServerHello needs to fit in the initial response.
Key changes:
Risk Level: Low (feature disabled by default)
Testing: Unit tests, integration tests
Docs Changes: Updated ssl_stats.rst
Release Notes: Added to changelogs/current.yaml
Runtime guard: envoy.reloadable_features.tls_support_certificate_compression
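The receiver-side checks on an RFC 8879 `CompressedCertificate` message, shown as an added example that is not code from this pull request or from Envoy: the parser rejects algorithms that were not offered, bounds `uncompressed_length` before inflating, and requires the output to match the declared length exactly. Only zlib is handled because it ships with Python; `MAX_UNCOMPRESSED`, `BadCertificate` and the function names are assumptions made for the example.

```python
import struct
import zlib

# RFC 8879 CertificateCompressionAlgorithm code points.
ALG_ZLIB, ALG_BROTLI, ALG_ZSTD = 1, 2, 3
# Assumed local policy: largest Certificate message this receiver will inflate.
MAX_UNCOMPRESSED = 64 * 1024


class BadCertificate(Exception):
    """Stands in for terminating the handshake with a bad_certificate alert."""


def encode_compressed_certificate(cert_msg: bytes, algorithm: int = ALG_ZLIB) -> bytes:
    """Build the body: uint16 algorithm, uint24 uncompressed_length, opaque<1..2^24-1>."""
    if algorithm != ALG_ZLIB:
        raise ValueError("this example only encodes zlib")
    comp = zlib.compress(cert_msg)
    return (struct.pack("!H", algorithm)
            + len(cert_msg).to_bytes(3, "big")
            + len(comp).to_bytes(3, "big") + comp)


def decode_compressed_certificate(body: bytes, offered=(ALG_ZLIB,)) -> bytes:
    """Parse and inflate a CompressedCertificate body, enforcing the length checks."""
    if len(body) < 8:
        raise BadCertificate("truncated message")
    algorithm = struct.unpack("!H", body[:2])[0]
    declared = int.from_bytes(body[2:5], "big")
    comp_len = int.from_bytes(body[5:8], "big")
    comp = body[8:]
    if algorithm not in offered:
        raise BadCertificate("algorithm was not offered in compress_certificate")
    if comp_len == 0 or comp_len != len(comp):
        raise BadCertificate("compressed_certificate_message length mismatch")
    # Reject oversized claims before allocating anything.
    if declared == 0 or declared > MAX_UNCOMPRESSED:
        raise BadCertificate("uncompressed_length outside local limit")
    inflater = zlib.decompressobj()
    try:
        # Cap output at declared + 1 so a lying sender cannot force a large buffer.
        out = inflater.decompress(comp, declared + 1)
    except zlib.error as exc:
        raise BadCertificate("decompression failed") from exc
    if len(out) != declared or not inflater.eof or inflater.unused_data:
        raise BadCertificate("output does not match uncompressed_length")
    return out
```
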