extensions: strongly prefer type URL lookup (#20397)

Use type_url to look up extensions. This prevents the undesirable practice of putting invalid protobufs to avoid a type lookup or duplicating the type URL. Risk Level: medium, affects extensions with duplicated type URLs or no configuration Testing: yes Docs Changes: yes, this has been the recommendation for awhile. Release Notes: yes Runtime Guard: envoy.reloadable_features.no_extension_lookup_by_name Signed-off-by: Kuat Yessenov <kuat@google.com>
envoyproxy · Apr 7, 2022 · 8cb6862 · 8cb6862
1 parent 456e449
commit 8cb6862
Show file tree

Hide file tree

Showing 153 changed files with 779 additions and 263 deletions.
diff --git a/api/envoy/config/accesslog/v3/accesslog.proto b/api/envoy/config/accesslog/v3/accesslog.proto
@@ -30,9 +30,7 @@ message AccessLog {
 
   reserved "config";
 
-  // The name of the access log extension to instantiate.
-  // The name must match one of the compiled in loggers.
-  // See the :ref:`extensions listed in typed_config below <extension_category_envoy.access_loggers>` for the default list of available loggers.
+  // The name of the access log extension configuration.
   string name = 1;
 
   // Filter which is used to determine if the access log needs to be written.

diff --git a/api/envoy/config/cluster/v3/filter.proto b/api/envoy/config/cluster/v3/filter.proto
@@ -20,12 +20,12 @@ option (udpa.annotations.file_status).package_version_status = ACTIVE;
 message Filter {
   option (udpa.annotations.versioning).previous_message_type = "envoy.api.v2.cluster.Filter";
 
-  // The name of the filter to instantiate. The name must match a
-  // supported upstream filter. Note that Envoy's :ref:`downstream network
-  // filters <config_network_filters>` are not valid upstream filters.
+  // The name of the filter configuration.
   string name = 1 [(validate.rules).string = {min_len: 1}];
 
   // Filter specific configuration which depends on the filter being
   // instantiated. See the supported filters for further documentation.
+  // Note that Envoy's :ref:`downstream network
+  // filters <config_network_filters>` are not valid upstream filters.
   google.protobuf.Any typed_config = 2;
 }
diff --git a/api/envoy/config/listener/v3/listener_components.proto b/api/envoy/config/listener/v3/listener_components.proto
@@ -33,8 +33,7 @@ message Filter {
 
   reserved "config";
 
-  // The name of the filter to instantiate. The name must match a
-  // :ref:`supported filter <config_network_filters>`.
+  // The name of the filter configuration.
   string name = 1 [(validate.rules).string = {min_len: 1}];
 
   oneof config_type {
@@ -343,8 +342,7 @@ message ListenerFilter {
 
   reserved "config";
 
-  // The name of the filter to instantiate. The name must match a
-  // :ref:`supported filter <config_listener_filters>`.
+  // The name of the filter configuration.
   string name = 1 [(validate.rules).string = {min_len: 1}];
 
   oneof config_type {

diff --git a/...envoy/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto b/...envoy/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto
@@ -1013,9 +1013,7 @@ message HttpFilter {
 
   reserved "config";
 
-  // The name of the filter configuration. The name is used as a fallback to
-  // select an extension if the type of the configuration proto is not
-  // sufficient. It also serves as a resource name in ExtensionConfigDS.
+  // The name of the filter configuration. It also serves as a resource name in ExtensionConfigDS.
   string name = 1 [(validate.rules).string = {min_len: 1}];
 
   oneof config_type {

diff --git a/configs/envoy-demo.yaml b/configs/envoy-demo.yaml
@@ -35,6 +35,8 @@ static_resources:
                   cluster: service_envoyproxy_io
           http_filters:
           - name: envoy.filters.http.router
+            typed_config:
+              "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router
   clusters:
   - name: service_envoyproxy_io
     type: LOGICAL_DNS

diff --git a/configs/envoy-tap-config.yaml b/configs/envoy-tap-config.yaml
@@ -35,6 +35,8 @@ static_resources:
                   cluster: service_envoyproxy_io
           http_filters:
           - name: envoy.filters.http.router
+            typed_config:
+              "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router
   clusters:
   - name: service_envoyproxy_io
     type: LOGICAL_DNS

diff --git a/configs/envoy_double_proxy.template.yaml b/configs/envoy_double_proxy.template.yaml
@@ -61,6 +61,8 @@
             "@type": type.googleapis.com/envoy.extensions.filters.http.buffer.v3.Buffer
             max_request_bytes: 5242880
         - name: envoy.filters.http.router
+          typed_config:
+            "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router
         {% if tracing %}
         tracing:
           provider:

diff --git a/configs/envoy_front_proxy.template.yaml b/configs/envoy_front_proxy.template.yaml
@@ -71,6 +71,8 @@
                 envoy_grpc:
                   cluster_name: ratelimit
         - name: envoy.filters.http.router
+          typed_config:
+            "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router
         add_user_agent: true
         {% if tracing %}
         tracing:

diff --git a/configs/envoy_service_to_service.template.yaml b/configs/envoy_service_to_service.template.yaml
@@ -48,6 +48,8 @@
             "@type": type.googleapis.com/envoy.extensions.filters.http.buffer.v3.Buffer
             max_request_bytes: 5242880
         - name: envoy.filters.http.router
+          typed_config:
+            "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router
         access_log:
         - name: envoy.access_loggers.file
           filter:
@@ -165,7 +167,11 @@ static_resources:
                     envoy_grpc:
                        cluster_name: ratelimit
           - name: envoy.filters.http.grpc_http1_bridge
+            typed_config:
+              "@type": type.googleapis.com/envoy.extensions.filters.http.grpc_http1_bridge.v3.Config
           - name: envoy.filters.http.router
+            typed_config:
+              "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router
   - address:
       socket_address:
         protocol: TCP
@@ -226,7 +232,11 @@ static_resources:
                     envoy_grpc:
                        cluster_name: ratelimit
           - name: envoy.filters.http.grpc_http1_bridge
+            typed_config:
+              "@type": type.googleapis.com/envoy.extensions.filters.http.grpc_http1_bridge.v3.Config
           - name: envoy.filters.http.router
+            typed_config:
+              "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router
   {% if external_virtual_hosts|length > 0 or mongos_servers|length > 0 %}{% endif -%}
   {% for mapping in external_virtual_hosts -%}
   - name: "{{ mapping['address']}}"
@@ -265,8 +275,12 @@ static_resources:
           http_filters:
           {% if mapping['name'] in ['dynamodb_iad', 'dynamodb_legacy'] -%}
           - name: envoy.filters.http.dynamo
+            typed_config:
+              "@type": type.googleapis.com/envoy.extensions.filters.http.dynamo.v3.Dynamo
           {% endif -%}
           - name: envoy.filters.http.router
+            typed_config:
+              "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router
           access_log:
           - name: envoy.access_loggers.file
             filter:

diff --git a/configs/envoyproxy_io_proxy.yaml b/configs/envoyproxy_io_proxy.yaml
@@ -33,6 +33,8 @@ static_resources:
                   cluster: service_envoyproxy_io
           http_filters:
           - name: envoy.filters.http.router
+            typed_config:
+              "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router
   clusters:
   - name: service_envoyproxy_io
     connect_timeout: 30s

diff --git a/configs/envoyproxy_io_proxy_http3_downstream.yaml b/configs/envoyproxy_io_proxy_http3_downstream.yaml
@@ -49,6 +49,8 @@ static_resources:
           http3_protocol_options:
           http_filters:
           - name: envoy.filters.http.router
+            typed_config:
+              "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router
 
   - name: listener_udp
     address:
@@ -92,6 +94,8 @@ static_resources:
           http3_protocol_options:
           http_filters:
           - name: envoy.filters.http.router
+            typed_config:
+              "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router
   clusters:
   - name: service_envoyproxy_io
     connect_timeout: 30s

diff --git a/configs/freebind/freebind.yaml b/configs/freebind/freebind.yaml
@@ -28,6 +28,8 @@ static_resources:
                 route: {cluster: service_local}
           http_filters:
           - name: envoy.filters.http.router
+            typed_config:
+              "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router
   clusters:
   - name: service_local
     connect_timeout: 30s

diff --git a/configs/google-vrp/envoy-edge.yaml b/configs/google-vrp/envoy-edge.yaml
@@ -77,6 +77,8 @@ static_resources:
                     inline_string: "denied\n"
           http_filters:
           - name: envoy.filters.http.router
+            typed_config:
+              "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router
   clusters:
   - name: service_foo
     connect_timeout: 5s

diff --git a/configs/google-vrp/envoy-origin.yaml b/configs/google-vrp/envoy-origin.yaml
@@ -62,3 +62,5 @@ static_resources:
                     inline_string: "normal\n"
           http_filters:
           - name: envoy.filters.http.router
+            typed_config:
+              "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router
diff --git a/configs/google_com_auto_http3_upstream_proxy.yaml b/configs/google_com_auto_http3_upstream_proxy.yaml
@@ -39,6 +39,8 @@ static_resources:
               alternate_protocols_cache_options:
                 name: default_alternate_protocols_cache
           - name: envoy.filters.http.router
+            typed_config:
+              "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router
   clusters:
   - name: service_google
     connect_timeout: 30s

diff --git a/configs/google_com_http3_upstream_proxy.yaml b/configs/google_com_http3_upstream_proxy.yaml
@@ -32,6 +32,8 @@ static_resources:
                   cluster: service_google
           http_filters:
           - name: envoy.filters.http.router
+            typed_config:
+              "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router
   clusters:
   - name: service_google
     connect_timeout: 30s

diff --git a/configs/original-dst-cluster/proxy_config.yaml b/configs/original-dst-cluster/proxy_config.yaml
@@ -24,9 +24,13 @@ static_resources:
                   cluster: cluster1
           http_filters:
           - name: envoy.filters.http.router
+            typed_config:
+              "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router
           codec_type: AUTO
     listener_filters:
     - name: envoy.filters.listener.original_dst
+      typed_config:
+        "@type": type.googleapis.com/envoy.extensions.filters.listener.original_dst.v3.OriginalDst
   clusters:
   - name: cluster1
     type: ORIGINAL_DST

diff --git a/configs/proxy_connect.yaml b/configs/proxy_connect.yaml
@@ -36,6 +36,8 @@ static_resources:
                   - upgrade_type: CONNECT
           http_filters:
           - name: envoy.filters.http.router
+            typed_config:
+              "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router
           http2_protocol_options:
             allow_connect: true
           upgrade_configs:

diff --git a/configs/terminate_http1_connect.yaml b/configs/terminate_http1_connect.yaml
@@ -56,6 +56,8 @@ static_resources:
                       {}
           http_filters:
           - name: envoy.filters.http.router
+            typed_config:
+              "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router
           http_protocol_options: {}
           upgrade_configs:
           - upgrade_type: CONNECT

diff --git a/configs/terminate_http2_connect.yaml b/configs/terminate_http2_connect.yaml
@@ -40,6 +40,8 @@ static_resources:
                       {}
           http_filters:
           - name: envoy.filters.http.router
+            typed_config:
+              "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router
           http2_protocol_options:
             allow_connect: true
           upgrade_configs:

diff --git a/configs/terminate_http2_post.yaml b/configs/terminate_http2_post.yaml
@@ -43,6 +43,8 @@ static_resources:
                       allow_post: true
           http_filters:
           - name: envoy.filters.http.router
+            typed_config:
+              "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router
           http2_protocol_options:
             allow_connect: true
   clusters:

diff --git a/contrib/sip_proxy/filters/network/source/BUILD b/contrib/sip_proxy/filters/network/source/BUILD
@@ -35,6 +35,7 @@ envoy_cc_contrib_extension(
         "//envoy/registry",
         "//source/common/config:utility_lib",
         "//source/extensions/filters/network/common:factory_base_lib",
+        "@envoy_api//contrib/envoy/extensions/filters/network/sip_proxy/router/v3alpha:pkg_cc_proto",
         "@envoy_api//contrib/envoy/extensions/filters/network/sip_proxy/v3alpha:pkg_cc_proto",
     ],
 )

diff --git a/contrib/sip_proxy/filters/network/source/config.cc b/contrib/sip_proxy/filters/network/source/config.cc
@@ -7,6 +7,7 @@
 
 #include "source/common/config/utility.h"
 
+#include "contrib/envoy/extensions/filters/network/sip_proxy/router/v3alpha/router.pb.h"
 #include "contrib/envoy/extensions/filters/network/sip_proxy/v3alpha/sip_proxy.pb.h"
 #include "contrib/envoy/extensions/filters/network/sip_proxy/v3alpha/sip_proxy.pb.validate.h"
 #include "contrib/sip_proxy/filters/network/source/decoder.h"
@@ -97,7 +98,9 @@ ConfigImpl::ConfigImpl(
     ENVOY_LOG(debug, "using default router filter");
 
     envoy::extensions::filters::network::sip_proxy::v3alpha::SipFilter router;
+    envoy::extensions::filters::network::sip_proxy::router::v3alpha::Router default_router;
     router.set_name(SipFilters::SipFilterNames::get().ROUTER);
+    router.mutable_typed_config()->PackFrom(default_router);
     processFilter(router);
   } else {
     for (const auto& filter : config.sip_filters()) {

diff --git a/contrib/sip_proxy/filters/network/test/config_test.cc b/contrib/sip_proxy/filters/network/test/config_test.cc
@@ -81,6 +81,8 @@ stat_prefix: sip
       cluster: A
 sip_filters:
   - name: envoy.filters.sip.router
+    typed_config:
+      "@type": type.googleapis.com/envoy.extensions.filters.network.sip_proxy.router.v3alpha.Router
 )EOF";
 
   envoy::extensions::filters::network::sip_proxy::v3alpha::SipProxy config =
@@ -98,6 +100,8 @@ stat_prefix: sip
   name: local_route
 sip_filters:
   - name: envoy.filters.sip.router
+    typed_config:
+      "@type": type.googleapis.com/envoy.extensions.filters.network.sip_proxy.router.v3alpha.Router
 )EOF";
 
   envoy::extensions::filters::network::sip_proxy::v3alpha::SipProxy config =
@@ -114,6 +118,8 @@ stat_prefix: sip
 sip_filters:
   - name: no_such_filter
   - name: envoy.filters.sip.router
+    typed_config:
+      "@type": type.googleapis.com/envoy.extensions.filters.network.sip_proxy.router.v3alpha.Router
 )EOF";
 
   envoy::extensions::filters::network::sip_proxy::v3alpha::SipProxy config =
@@ -136,6 +142,8 @@ stat_prefix: ingress
       value:
         key: value
   - name: envoy.filters.sip.router
+    typed_config:
+      "@type": type.googleapis.com/envoy.extensions.filters.network.sip_proxy.router.v3alpha.Router
 settings:
   transaction_timeout: 32s
   local_services:

diff --git a/docs/root/configuration/best_practices/_include/edge.yaml b/docs/root/configuration/best_practices/_include/edge.yaml
@@ -32,6 +32,8 @@ static_resources:
         port_value: 443
     listener_filters:
     - name: "envoy.filters.listener.tls_inspector"
+      typed_config:
+        "@type": type.googleapis.com/envoy.extensions.filters.listener.tls_inspector.v3.TlsInspector
     # Uncomment if Envoy is behind a load balancer that exposes client IP address using the PROXY protocol.
     # - name: envoy.filters.listener.proxy_protocol
     #   typed_config:
@@ -69,6 +71,8 @@ static_resources:
           request_timeout: 300s  # 5 mins, must be disabled for long-lived and streaming requests
           http_filters:
           - name: envoy.filters.http.router
+            typed_config:
+              "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router
           route_config:
             virtual_hosts:
             - name: default

diff --git a/docs/root/configuration/http/http_conn_man/_include/preserve-case.yaml b/docs/root/configuration/http/http_conn_man/_include/preserve-case.yaml
@@ -18,6 +18,8 @@ static_resources:
                   "@type": type.googleapis.com/envoy.extensions.http.header_formatters.preserve_case.v3.PreserveCaseFormatterConfig
           http_filters:
           - name: envoy.filters.http.router
+            typed_config:
+              "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router
           route_config:
             virtual_hosts:
             - name: default

diff --git a/docs/root/configuration/http/http_filters/_include/bandwidth-limit-filter.yaml b/docs/root/configuration/http/http_filters/_include/bandwidth-limit-filter.yaml
@@ -34,6 +34,8 @@ static_resources:
               "@type": type.googleapis.com/envoy.extensions.filters.http.bandwidth_limit.v3.BandwidthLimit
               stat_prefix: bandwidth_limiter_default
           - name: envoy.filters.http.router
+            typed_config:
+              "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router
   clusters:
   - name: service_protected_by_bandwidth_limit
     type: STRICT_DNS

diff --git a/docs/root/configuration/http/http_filters/_include/composite.yaml b/docs/root/configuration/http/http_filters/_include/composite.yaml
@@ -70,6 +70,8 @@ static_resources:
                                     numerator: 100
                                     denominator: HUNDRED
           - name: envoy.filters.http.router
+            typed_config:
+              "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router
 
   clusters:
   - name: grpc

diff --git a/docs/root/configuration/http/http_filters/_include/grpc-reverse-bridge-filter.yaml b/docs/root/configuration/http/http_filters/_include/grpc-reverse-bridge-filter.yaml
@@ -50,6 +50,8 @@ static_resources:
               content_type: application/grpc+proto
               withhold_grpc_frames: true
           - name: envoy.filters.http.router
+            typed_config:
+              "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router
   clusters:
   - name: other
     type: LOGICAL_DNS

diff --git a/docs/root/configuration/http/http_filters/_include/grpc-transcoder-filter.yaml b/docs/root/configuration/http/http_filters/_include/grpc-transcoder-filter.yaml
@@ -36,6 +36,8 @@ static_resources:
                 always_print_enums_as_ints: false
                 preserve_proto_field_names: false
           - name: envoy.filters.http.router
+            typed_config:
+              "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router
 
   clusters:
   - name: grpc

diff --git a/docs/root/configuration/http/http_filters/_include/local-rate-limit-with-descriptors.yaml b/docs/root/configuration/http/http_filters/_include/local-rate-limit-with-descriptors.yaml
@@ -12,6 +12,8 @@ static_resources:
           stat_prefix: ingress_http
           http_filters:
           - name: envoy.filters.http.router
+            typed_config:
+              "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router
           route_config:
             name: local_route
             virtual_hosts: