CPLAT-9492: Update to Envoy 9b72caf (for Istio 1.28.5)#18
Closed
gavin-jeong wants to merge 13 commits intorelease/9b72caf-sendbird-customfrom
Closed
CPLAT-9492: Update to Envoy 9b72caf (for Istio 1.28.5)#18gavin-jeong wants to merge 13 commits intorelease/9b72caf-sendbird-customfrom
gavin-jeong wants to merge 13 commits intorelease/9b72caf-sendbird-customfrom
Conversation
Include code formatting improvements for consistent style in trace test files.
This commit introduces QUIC/HTTP3 keylog functionality in Envoy, enabling generation of NSS Key Log Format files for Wireshark and other debugging tools. - Keylog callback registration in OnNewSslCtx() - Implementation of EnvoyQuicProofSource::setupQuicKeylogCallback() and quicKeylogCallback() - TLS context–based keylog configuration with per–filter chain caching and thread safety - Address filtering via local/remote IP lists - Fallback to SSLKEYLOGFILE environment variable for compatibility with existing workflows - QuicKeylogBridge integration with Envoy’s existing TLS keylog infrastructure - RawBufferSocket fallback fix in QuicServerTransportSocketFactory::createDownstreamTransportSocket() - Comprehensive unit tests including edge cases Signed-off-by: Chanhun Jeong <keyolk@gmail.com>
…uction This commit combines multiple fixes for Redis cluster stability: - Fix race conditions in cluster destruction by capturing is_destroying_ flag - Add comprehensive null checks to prevent segfaults during cluster destruction - Use local shared_ptr copies to prevent race conditions - Use shared_from_this() to keep RedisDiscoverySession alive during timer callbacks - Fix use-after-free by using session-owned flag instead of parent reference These fixes ensure safe cleanup of Redis clusters and prevent crashes during cluster removal and timer callback execution.
Add TraceSampledFormatter that uses Envoy's internal tracing decision (stream_info.traceReason()) This approach works correctly at trace origin points (e.g., Istio Ingress Gateway) where no incoming traceparent header exists. Usage: %TRACE_SAMPLED% in access log format Returns: "true" if traced, "false" otherwise Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Add per-shard statistics for Redis proxy to track hot shard usage: - enable_per_shard_stats: Emits per-shard request counters - upstream_rq_total: Total requests to each shard - upstream_rq_success: Successful requests - upstream_rq_failure: Failed requests - upstream_rq_active: Active requests (gauge) - enable_per_shard_latency_stats: Emits latency histogram - upstream_rq_time: Request latency in microseconds All metrics are scoped under: cluster.<cluster_name>.shard.<host_address>.* Per-shard command-level stats are also recorded when enable_command_stats is enabled alongside the per-shard options. Note: These options may significantly increase metric cardinality in large clusters. Use with caution in production environments.
…roxy#43012) Summary Zone-aware routing reduces cross-zone network traffic and latency by preferring replicas in the same availability zone as the client. This is particularly valuable in cloud environments where cross-zone data transfer incurs additional costs. New Configuration redis_cluster.proto: ``` // Enable zone discovery via INFO command google.protobuf.BoolValue enable_zone_discovery = 7; ``` redis_proxy.proto - New ReadPolicy values: ``` - AZ_AFFINITY: Prefer same-zone replicas → any replica → primary - AZ_AFFINITY_REPLICAS_AND_PRIMARY: Prefer same-zone replicas → same-zone primary → any replica → primary ``` How It Works ``` ┌─────────────────────────────────────────────────────────┐ │ CLUSTER SLOTS Response │ └─────────────────────────────────────────────────────────┘ │ ▼ ┌─────────────────────────────────────────────────────────┐ │ Zone Discovery (if enable_zone_discovery=true) │ │ Send INFO to each node → parse availability_zone │ └─────────────────────────────────────────────────────────┘ │ ▼ ┌─────────────────────────────────────────────────────────┐ │ Create hosts with zone in locality.zone() │ │ RedisShard groups replicas by zone │ └─────────────────────────────────────────────────────────┘ │ ▼ ┌─────────────────────────────────────────────────────────┐ │ Request Routing │ │ Client zone from node.locality.zone (bootstrap) │ │ AZ_AFFINITY: local replicas → any replica → primary │ └─────────────────────────────────────────────────────────┘ ``` Limitations - Valkey only: Zone discovery relies on availability_zone field in INFO response, which is exposed by Valkey but not standard Redis. - Client zone must be configured via node.locality.zone in Envoy bootstrap config. Risk Level: Low This is an opt-in feature that requires explicit configuration (enable_zone_discovery: true and read_policy: AZ_AFFINITY). Existing deployments are unaffected. Testing - Added comprehensive unit tests for zone-aware load balancing Related Issues Closes envoyproxy#43011 --------- Signed-off-by: Doogie Min <doogie.min@sendbird.com>
Add TLS certificate compression with brotli and zlib algorithms. This reduces TLS handshake size, especially beneficial for QUIC where the ServerHello needs to fit in the initial response. The existing QUIC-only certificate compression implementation has been refactored to be shared between QUIC and TCP TLS. The QUIC wrapper now delegates to the common TLS implementation for backward compatibility. Fixes envoyproxy#42682 Signed-off-by: Doogie Min <doogie.min@sendbird.com>
Change //bazel:zlib to //bazel/foreign_cc:zlib in source/common/tls/BUILD to match the zlib target name used in Envoy v1.36.5.
Change @brotli// to @org_brotli// in source/common/tls/BUILD. In Envoy v1.36.5 the brotli repo is named org_brotli (renamed to brotli in later versions).
gavin-jeong
changed the title
gavin-jeong
changed the base branch from
release/809213a-sendbird-custom
to
release/9b72caf-sendbird-custom
Author
|
Superseded by new PR using Istio 1.28.5 envoy base (9b72caf) with tested v1.36.x-compatible patches |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
6 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
JIRA: https://sendbird.atlassian.net/browse/CPLAT-9492
Summary
Rebuild the Envoy release branch for Istio 1.28.2 using the actual upstream-merged commits, replacing our previous cherry-picked versions.
Upstream PRs now included as-merged:
f1e84f0ecdredis: Add zone-aware routing support for Redis Cluster proxy (#43012) — merged 2026-04-073d0fc82b0etls: Add certificate compression support (RFC 8879) (#42690) — merged 2026-03-07Sendbird-only patches (unchanged from previous releases):
Envoy Details
809213ab4403f02b04521567715f97ad5a1ae597(Envoy dev v1.36.5, Istio 1.28.2 base)release/809213a-sendbird-customTest Plan
Merge Order
Security checklist (Infrastructure code)