Ambassador Megapatch on release/v1.17

CODEOWNERS

@@ -111,6 +111,7 @@ extensions/filters/common/original_src @snowp @klarose
 /*/extensions/filters/http/grpc_json_transcoder @qiwzhang @lizan
 /*/extensions/filters/http/router @alyssawilk @mattklein123 @snowp
 /*/extensions/filters/http/ext_authz @gsagula @dio
+/*/extensions/filters/http/response_map @esmet @alyssawilk
 /*/extensions/filters/http/grpc_web @fengli79 @lizan
 /*/extensions/filters/http/grpc_stats @kyessenov @lizan
 /*/extensions/filters/http/squash @yuval-k @alyssawilk

api/BUILD

@@ -201,6 +201,7 @@ proto_library(
  "//envoy/extensions/filters/http/original_src/v3:pkg",
  "//envoy/extensions/filters/http/ratelimit/v3:pkg",
  "//envoy/extensions/filters/http/rbac/v3:pkg",
+ "//envoy/extensions/filters/http/response_map/v3:pkg",
  "//envoy/extensions/filters/http/router/v3:pkg",
  "//envoy/extensions/filters/http/squash/v3:pkg",
  "//envoy/extensions/filters/http/tap/v3:pkg",

api/envoy/api/v2/core/protocol.proto

@@ -99,6 +99,14 @@ message Http1ProtocolOptions {
  message ProperCaseWords {
  }
 
+ message Custom {
+ // Custom header rewrite rules.
+ // In each rule of the map, the key is a case-insensitive header name. The value
+ // is the new header value, case-sensitive. This allows for custom header
+ // capitalization, eg: `x-my-header-key` -> `X-MY-HEADER-Key`
+ map<string, string> rules = 1;
+ }
+
  oneof header_format {
  option (validate.required) = true;
 
@@ -108,6 +116,9 @@ message Http1ProtocolOptions {
  // Note that while this results in most headers following conventional casing, certain headers
  // are not covered. For example, the "TE" header will be formatted as "Te".
  ProperCaseWords proper_case_words = 1;
+
+ // Formats the header according to custom rules.
+ Custom custom = 2;
  }
  }
 

api/envoy/api/v2/route/route_components.proto

@@ -1149,7 +1149,7 @@ message HedgePolicy {
  bool hedge_on_per_try_timeout = 3;
 }
 
-// [#next-free-field: 9]
+// [#next-free-field: 10]
 message RedirectAction {
  enum RedirectResponseCode {
  // Moved Permanently HTTP Status Code - 301.
@@ -1218,6 +1218,36 @@ message RedirectAction {
  // :ref:`RouteAction's prefix_rewrite <envoy_api_field_route.RouteAction.prefix_rewrite>`.
  string prefix_rewrite = 5
  [(validate.rules).string = {well_known_regex: HTTP_HEADER_VALUE strict: false}];
+
+ // Indicates that during forwarding, portions of the path that match the
+ // pattern should be rewritten, even allowing the substitution of capture
+ // groups from the pattern into the new path as specified by the rewrite
+ // substitution string. This is useful to allow application paths to be
+ // rewritten in a way that is aware of segments with variable content like
+ // identifiers. The router filter will place the original path as it was
+ // before the rewrite into the :ref:`x-envoy-original-path
+ // <config_http_filters_router_x-envoy-original-path>` header.
+ //
+ // Only one of :ref:`prefix_rewrite <envoy_api_field_route.RouteAction.prefix_rewrite>`
+ // or *regex_rewrite* may be specified.
+ //
+ // Examples using Google's `RE2 <https://github.com/google/re2>`_ engine:
+ //
+ // * The path pattern ``^/service/([^/]+)(/.*)$`` paired with a substitution
+ // string of ``\2/instance/\1`` would transform ``/service/foo/v1/api``
+ // into ``/v1/api/instance/foo``.
+ //
+ // * The pattern ``one`` paired with a substitution string of ``two`` would
+ // transform ``/xxx/one/yyy/one/zzz`` into ``/xxx/two/yyy/two/zzz``.
+ //
+ // * The pattern ``^(.*?)one(.*)$`` paired with a substitution string of
+ // ``\1two\2`` would replace only the first occurrence of ``one``,
+ // transforming path ``/xxx/one/yyy/one/zzz`` into ``/xxx/two/yyy/one/zzz``.
+ //
+ // * The pattern ``(?i)/xxx/`` paired with a substitution string of ``/yyy/``
+ // would do a case-insensitive match and transform path ``/aaa/XxX/bbb`` to
+ // ``/aaa/yyy/bbb``.
+ type.matcher.RegexMatchAndSubstitute regex_rewrite = 9;
  }
 
  // The HTTP status code to use in the redirect response. The default response

api/envoy/config/core/v3/protocol.proto

@@ -120,6 +120,17 @@ message Http1ProtocolOptions {
  "envoy.api.v2.core.Http1ProtocolOptions.HeaderKeyFormat.ProperCaseWords";
  }
 
+ message Custom {
+ option (udpa.annotations.versioning).previous_message_type =
+ "envoy.api.v2.core.Http1ProtocolOptions.HeaderKeyFormat.Custom";
+
+ // Custom header rewrite rules.
+ // In each rule of the map, the key is a case-insensitive header name. The value
+ // is the new header value, case-sensitive. This allows for custom header
+ // capitalization, eg: `x-my-header-key` -> `X-MY-HEADER-Key`
+ map<string, string> rules = 1;
+ }
+
  oneof header_format {
  option (validate.required) = true;
 
@@ -129,6 +140,9 @@ message Http1ProtocolOptions {
  // Note that while this results in most headers following conventional casing, certain headers
  // are not covered. For example, the "TE" header will be formatted as "Te".
  ProperCaseWords proper_case_words = 1;
+
+ // Formats the header according to custom rules.
+ Custom custom = 2;
  }
  }
 

api/envoy/config/filter/network/http_connection_manager/v2/http_connection_manager.proto

@@ -32,7 +32,7 @@ option (udpa.annotations.file_status).package_version_status = FROZEN;
 // HTTP connection manager :ref:`configuration overview <config_http_conn_man>`.
 // [#extension: envoy.filters.network.http_connection_manager]
 
-// [#next-free-field: 37]
+// [#next-free-field: 40]
 message HttpConnectionManager {
  enum CodecType {
  // For every new connection, the connection manager will determine which
@@ -453,6 +453,12 @@ message HttpConnectionManager {
  // is the current Envoy behaviour. This defaults to false.
  bool preserve_external_request_id = 32;
 
+ // If set, Envoy will always set :ref:`x-request-id <config_http_conn_man_headers_x-request-id>` header in response.
+ // If this is false or not set, the request ID is returned in responses only if tracing is forced using
+ // :ref:`x-envoy-force-trace <config_http_conn_man_headers_x-envoy-force-trace>` header.
+ // XXX: Only exposed in the v3 API
+ //bool always_set_request_id_in_response = 37;
+
  // How to handle the :ref:`config_http_conn_man_headers_x-forwarded-client-cert` (XFCC) HTTP
  // header.
  ForwardClientCertDetails forward_client_cert_details = 16
@@ -521,6 +527,21 @@ message HttpConnectionManager {
  //
  // 3. Tracing decision (sampled, forced, etc) is set in 14th byte of the UUID.
  RequestIDExtension request_id_extension = 36;
+
+ // The configuration to customize local reply returned by Envoy. It can customize status code,
+ // body text and response content type. If not specified, status code and text body are hard
+ // coded in Envoy, the response content type is plain text.
+ // XXX: Only exposed in the v3 API
+ //LocalReplyConfig local_reply_config = 38;
+
+ // Determines if the port part should be removed from host/authority header before any processing
+ // of request by HTTP filters or routing. The port would be removed only if it is equal to the :ref:`listener's<envoy_api_field_config.listener.v3.Listener.address>`
+ // local port and request method is not CONNECT. This affects the upstream host header as well.
+ // Without setting this option, incoming requests with host `example:443` will not match against
+ // route with :ref:`domains<envoy_api_field_config.route.v3.VirtualHost.domains>` match set to `example`. Defaults to `false`. Note that port removal is not part
+ // of `HTTP spec <https://tools.ietf.org/html/rfc3986>`_ and is provided for convenience.
+ // XXX: Backported from the v3 API
+ bool strip_matching_host_port = 39;
 }
 
 message Rds {

api/envoy/config/trace/v2/zipkin.proto

@@ -17,7 +17,7 @@ option (udpa.annotations.file_status).package_version_status = FROZEN;
 
 // Configuration for the Zipkin tracer.
 // [#extension: envoy.tracers.zipkin]
-// [#next-free-field: 6]
+// [#next-free-field: 7]
 message ZipkinConfig {
  // Available Zipkin collector endpoint versions.
  enum CollectorEndpointVersion {
@@ -61,4 +61,8 @@ message ZipkinConfig {
  // Determines the selected collector endpoint version. By default, the ``HTTP_JSON_V1`` will be
  // used.
  CollectorEndpointVersion collector_endpoint_version = 5;
+
+ // Optional hostname to use when sending spans to the collector_cluster. Useful for collectors
+ // that require a specific hostname. Defaults to `collector_cluster` above.
+ string collector_hostname = 6;
 }

api/envoy/extensions/filters/http/ext_authz/v3/ext_authz.proto

@@ -183,6 +183,9 @@ message BufferSettings {
 // additional headers metadata may be added to the original client request. See
 // :ref:`allowed_upstream_headers
 // <envoy_api_field_extensions.filters.http.ext_authz.v3.AuthorizationResponse.allowed_upstream_headers>`
+// for details. Additionally, the filter may add additional headers to the client's response. See
+// :ref:`allowed_client_headers_on_success
+// <envoy_api_field_extensions.filters.http.ext_authz.v3.AuthorizationResponse.allowed_client_headers_on_success>`
 // for details.
 //
 // On other authorization response statuses, the filter will not allow traffic. Additional headers
@@ -253,6 +256,12 @@ message AuthorizationResponse {
  // (Host)* will be in the response to the client. When a header is included in this list, *Path*,
  // *Status*, *Content-Length*, *WWWAuthenticate* and *Location* are automatically added.
  type.matcher.v3.ListStringMatcher allowed_client_headers = 2;
+
+ // When this :ref:`list <envoy_api_msg_type.matcher.v3.ListStringMatcher>`. is set, authorization
+ // response headers that have a correspondent match will be added to the client's response when
+ // the authorization response itself is successful, i.e. not failed or denied. When this list is
+ // *not* set, no additional headers will be added to the client's response on success.
+ type.matcher.v3.ListStringMatcher allowed_client_headers_on_success = 4;
 }
 
 // Extra settings on a per virtualhost/route/weighted-cluster level.

api/envoy/extensions/filters/http/response_map/v3/BUILD

@@ -0,0 +1,13 @@
+# DO NOT EDIT. This file is generated by tools/proto_format/proto_sync.py.
+
+load("@envoy_api//bazel:api_build_system.bzl", "api_proto_package")
+
+licenses(["notice"]) # Apache 2
+
+api_proto_package(
+ deps = [
+ "//envoy/config/accesslog/v3:pkg",
+ "//envoy/config/core/v3:pkg",
+ "@com_github_cncf_udpa//udpa/annotations:pkg",
+ ],
+)

api/envoy/extensions/filters/http/response_map/v3/response_map.proto

@@ -0,0 +1,103 @@
+syntax = "proto3";
+
+package envoy.extensions.filters.http.response_map.v3;
+
+import "envoy/config/accesslog/v3/accesslog.proto";
+import "envoy/config/core/v3/base.proto";
+import "envoy/config/core/v3/substitution_format_string.proto";
+
+import "google/protobuf/struct.proto";
+import "google/protobuf/wrappers.proto";
+
+import "udpa/annotations/status.proto";
+import "udpa/annotations/versioning.proto";
+import "validate/validate.proto";
+
+option java_package = "io.envoyproxy.envoy.extensions.filters.http.response_map.v3";
+option java_outer_classname = "ResponseMapProto";
+option java_multiple_files = true;
+option (udpa.annotations.file_status).package_version_status = ACTIVE;
+
+// [#protodoc-title: ResponseMap]
+// Response map filter :ref:`configuration overview <config_http_filters_response_map>`.
+// [#extension: envoy.filters.http.response_map]
+
+// The configuration to filter and change local response.
+// [#next-free-field: 6]
+message ResponseMapper {
+ // Filter to determine if this mapper should apply.
+ config.accesslog.v3.AccessLogFilter filter = 1 [(validate.rules).message = {required: true}];
+
+ // The new response status code if specified.
+ google.protobuf.UInt32Value status_code = 2 [(validate.rules).uint32 = {lt: 600 gte: 200}];
+
+ // The new body text if specified. It will be used in the `%LOCAL_REPLY_BODY%`
+ // command operator in the `body_format`.
+ config.core.v3.DataSource body = 3;
+
+ config.core.v3.SubstitutionFormatString body_format_override = 4;
+
+ // HTTP headers to add to a local reply. This allows the response mapper to append, to add
+ // or to override headers of any local reply before it is sent to a downstream client.
+ repeated config.core.v3.HeaderValueOption headers_to_add = 5
+ [(validate.rules).repeated = {max_items: 1000}];
+}
+
+// The configuration to customize HTTP responses read by Envoy.
+message ResponseMap {
+ // Configuration of list of mappers which allows to filter and change HTTP response.
+ // The mappers will be checked by the specified order until one is matched.
+ repeated ResponseMapper mappers = 1;
+
+ // The configuration to form response body from the :ref:`command operators <config_access_log_command_operators>`
+ // and to specify response content type as one of: plain/text or application/json.
+ //
+ // Example one: plain/text body_format.
+ //
+ // .. code-block::
+ //
+ // text_format: %LOCAL_REPLY_BODY%:%RESPONSE_CODE%:path=$REQ(:path)%
+ //
+ // The following response body in `plain/text` format will be generated for a request with
+ // local reply body of "upstream connection error", response_code=503 and path=/foo.
+ //
+ // .. code-block::
+ //
+ // upstream connection error:503:path=/foo
+ //
+ // Example two: application/json body_format.
+ //
+ // .. code-block::
+ //
+ // json_format:
+ // status: %RESPONSE_CODE%
+ // message: %LOCAL_REPLY_BODY%
+ // path: $REQ(:path)%
+ //
+ // The following response body in "application/json" format would be generated for a request with
+ // local reply body of "upstream connection error", response_code=503 and path=/foo.
+ //
+ // .. code-block:: json
+ //
+ // {
+ // "status": 503,
+ // "message": "upstream connection error",
+ // "path": "/foo"
+ // }
+ //
+ config.core.v3.SubstitutionFormatString body_format = 2;
+}
+
+// Extra settings on a per virtualhost/route/weighted-cluster level.
+message ResponseMapPerRoute {
+ oneof override {
+ option (validate.required) = true;
+
+ // Disable the response map filter for this particular vhost or route.
+ // If disabled is specified in multiple per-filter-configs, the most specific one will be used.
+ bool disabled = 1 [(validate.rules).bool = {const: true}];
+
+ // Override the global configuration of the response map filter with this new config.
+ ResponseMap response_map = 2 [(validate.rules).message = {required: true}];
+ }
+}