envoyproxy · abeyad · May 7, 2024 · Apr 25, 2024 · Apr 25, 2024 · Apr 25, 2024
@@ -365,6 +365,11 @@ EngineBuilder& EngineBuilder::setXds(XdsBuilder xds_builder) {
 }
 #endif
 
+EngineBuilder& EngineBuilder::setUpstreamTlsSni(std::string sni) {
+  upstream_tls_sni_ = std::move(sni);
+  return *this;
+}
+
 EngineBuilder&
 EngineBuilder::enablePlatformCertificatesValidation(bool platform_certificates_validation_on) {
   platform_certificates_validation_on_ = platform_certificates_validation_on;
@@ -413,9 +418,6 @@ EngineBuilder& EngineBuilder::respectSystemProxySettings(bool value) {
 #endif
 
 std::unique_ptr<envoy::config::bootstrap::v3::Bootstrap> EngineBuilder::generateBootstrap() const {
-  // The yaml utilities have non-relevant thread asserts.
-  Thread::SkipAsserts skip;
-
   std::unique_ptr<envoy::config::bootstrap::v3::Bootstrap> bootstrap =
       std::make_unique<envoy::config::bootstrap::v3::Bootstrap>();
 
@@ -612,6 +614,9 @@ std::unique_ptr<envoy::config::bootstrap::v3::Bootstrap> EngineBuilder::generate
 
   // Basic TLS config.
   envoy::extensions::transport_sockets::tls::v3::UpstreamTlsContext tls_socket;
+  if (!upstream_tls_sni_.empty()) {
+    tls_socket.set_sni(upstream_tls_sni_);
+  }
   tls_socket.mutable_common_tls_context()->mutable_tls_params()->set_tls_maximum_protocol_version(
       envoy::extensions::transport_sockets::tls::v3::TlsParameters::TLSv1_3);
   auto* validation = tls_socket.mutable_common_tls_context()->mutable_validation_context();

@@ -161,6 +161,7 @@ class EngineBuilder {
   EngineBuilder& enableInterfaceBinding(bool interface_binding_on);
   EngineBuilder& enableDrainPostDnsRefresh(bool drain_post_dns_refresh_on);
   EngineBuilder& enforceTrustChainVerification(bool trust_chain_verification_on);
+  EngineBuilder& setUpstreamTlsSni(std::string sni);
   EngineBuilder& enablePlatformCertificatesValidation(bool platform_certificates_validation_on);
   // Sets the node.id field in the Bootstrap configuration.
   EngineBuilder& setNodeId(std::string node_id);
@@ -255,6 +256,7 @@ class EngineBuilder {
   bool enable_interface_binding_ = false;
   bool enable_drain_post_dns_refresh_ = false;
   bool enforce_trust_chain_verification_ = true;
+  std::string upstream_tls_sni_;
   bool enable_http3_ = true;
 #if !defined(__APPLE__)
   bool use_cares_ = false;

@@ -40,17 +40,6 @@ InternalEngine::InternalEngine(std::unique_ptr<EngineCallbacks> callbacks,
     : InternalEngine(std::move(callbacks), std::move(logger), std::move(event_tracker),
                      thread_priority, Thread::PosixThreadFactory::create()) {}
 
-envoy_status_t InternalEngine::run(const std::string& config, const std::string& log_level) {
-  // Start the Envoy on the dedicated thread.
-  auto options = std::make_shared<Envoy::OptionsImplBase>();
-  options->setConfigYaml(config);
-  if (!log_level.empty()) {
-    ENVOY_BUG(options->setLogLevel(log_level).ok(), "invalid log level");
-  }
-  options->setConcurrency(1);
-  return run(std::move(options));
-}
-
 envoy_stream_t InternalEngine::initStream() { return current_stream_handle_++; }
 
 envoy_status_t InternalEngine::startStream(envoy_stream_t stream,

@@ -37,11 +37,9 @@ class InternalEngine : public Logger::Loggable<Logger::Id::main> {
   ~InternalEngine();
 
   /**
-   * Run the engine with the provided configuration.
-   * @param config, the Envoy bootstrap configuration to use.
-   * @param log_level, the log level.
+   * Run the engine with the provided options.
+   * @param options, the Envoy options, including the Bootstrap configuration and log level.
    */
-  envoy_status_t run(const std::string& config, const std::string& log_level);
   envoy_status_t run(std::shared_ptr<Envoy::OptionsImplBase> options);
 
   /**

@@ -43,11 +43,6 @@ public void performRegistration(EnvoyConfiguration envoyConfiguration) {
     envoyEngine.performRegistration(envoyConfiguration);
   }
 
-  @Override
-  public EnvoyStatus runWithYaml(String configurationYAML, String logLevel) {
-    return envoyEngine.runWithYaml(configurationYAML, logLevel);
-  }
-
   @Override
   public EnvoyStatus runWithConfig(EnvoyConfiguration envoyConfiguration, String logLevel) {
     return envoyEngine.runWithConfig(envoyConfiguration, logLevel);

@@ -60,6 +60,7 @@ public enum TrustChainVerification {
   public final Map<String, EnvoyKeyValueStore> keyValueStores;
   public final Map<String, String> runtimeGuards;
   public final Boolean enablePlatformCertificatesValidation;
+  public final String upstreamTlsSni;
   public final String rtdsResourceName;
   public final Integer rtdsTimeoutSeconds;
   public final String xdsAddress;
@@ -134,7 +135,8 @@ public enum TrustChainVerification {
    * @param stringAccessors                               platform string accessors to register.
    * @param keyValueStores                                platform key-value store implementations.
    * @param enablePlatformCertificatesValidation          whether to use the platform verifier.
-   * @param rtdsResourceName                                 the RTDS layer name for this client.
+   * @param upstreamTlsSni                                the upstream TLS socket SNI override.
+   * @param rtdsResourceName                              the RTDS layer name for this client.
    * @param rtdsTimeoutSeconds                            the timeout for RTDS fetches.
    * @param xdsAddress                                    the address for the xDS management server.
    * @param xdsPort                                       the port for the xDS server.
@@ -170,7 +172,7 @@ public EnvoyConfiguration(
       List<EnvoyHTTPFilterFactory> httpPlatformFilterFactories,
       Map<String, EnvoyStringAccessor> stringAccessors,
       Map<String, EnvoyKeyValueStore> keyValueStores, Map<String, Boolean> runtimeGuards,
-      boolean enablePlatformCertificatesValidation, String rtdsResourceName,
+      boolean enablePlatformCertificatesValidation, String upstreamTlsSni, String rtdsResourceName,
       Integer rtdsTimeoutSeconds, String xdsAddress, Integer xdsPort,
       Map<String, String> xdsGrpcInitialMetadata, String xdsRootCerts, String nodeId,
       String nodeRegion, String nodeZone, String nodeSubZone, Struct nodeMetadata,
@@ -228,6 +230,7 @@ public EnvoyConfiguration(
       this.runtimeGuards.put(guardAndValue.getKey(), String.valueOf(guardAndValue.getValue()));
     }
     this.enablePlatformCertificatesValidation = enablePlatformCertificatesValidation;
+    this.upstreamTlsSni = upstreamTlsSni;
     this.rtdsResourceName = rtdsResourceName;
     this.rtdsTimeoutSeconds = rtdsTimeoutSeconds;
     this.xdsAddress = xdsAddress;
@@ -266,9 +269,10 @@ public long createBootstrap() {
         enableSocketTagging, enableInterfaceBinding, h2ConnectionKeepaliveIdleIntervalMilliseconds,
         h2ConnectionKeepaliveTimeoutSeconds, maxConnectionsPerHost, streamIdleTimeoutSeconds,
         perTryIdleTimeoutSeconds, appVersion, appId, enforceTrustChainVerification, filterChain,
-        enablePlatformCertificatesValidation, runtimeGuards, rtdsResourceName, rtdsTimeoutSeconds,
-        xdsAddress, xdsPort, xdsGrpcInitialMetadata, xdsRootCerts, nodeId, nodeRegion, nodeZone,
-        nodeSubZone, nodeMetadata.toByteArray(), cdsResourcesLocator, cdsTimeoutSeconds, enableCds);
+        enablePlatformCertificatesValidation, upstreamTlsSni, runtimeGuards, rtdsResourceName,
+        rtdsTimeoutSeconds, xdsAddress, xdsPort, xdsGrpcInitialMetadata, xdsRootCerts, nodeId,
+        nodeRegion, nodeZone, nodeSubZone, nodeMetadata.toByteArray(), cdsResourcesLocator,
+        cdsTimeoutSeconds, enableCds);
   }
 
   static class ConfigurationException extends RuntimeException {

@@ -32,17 +32,6 @@ public interface EnvoyEngine {
    */
   void performRegistration(EnvoyConfiguration envoyConfiguration);
 
-  /**
-   * Run the Envoy engine with the provided yaml string and log level.
-   *
-   * This does not perform registration, and performRegistration() may need to be called first.
-   *
-   * @param configurationYAML The configuration yaml with which to start Envoy.
-   * @param logLevel          The log level to use when starting Envoy.
-   * @return A status indicating if the action was successful.
-   */
-  EnvoyStatus runWithYaml(String configurationYAML, String logLevel);
-
   /**
    * Run the Envoy engine with the provided EnvoyConfiguration and log level.
    *

@@ -88,21 +88,6 @@ public void performRegistration(EnvoyConfiguration envoyConfiguration) {
     }
   }
 
-  /**
-   * Run the Envoy engine with the provided yaml string and log level.
-   *
-   * This does not perform registration, and performRegistration may need to be called first.
-   *
-   * @param configurationYAML The configuration yaml with which to start Envoy.
-   * @param logLevel          The log level to use when starting Envoy.
-   * @return A status indicating if the action was successful.
-   */
-  @Override
-  public EnvoyStatus runWithYaml(String configurationYAML, String logLevel) {
-    checkIsTerminated();
-    return runWithResolvedYAML(configurationYAML, logLevel);
-  }
-
   /**
    * Run the Envoy engine with the provided envoyConfiguration and log level.
    *
@@ -115,25 +100,13 @@ public EnvoyStatus runWithConfig(EnvoyConfiguration envoyConfiguration, String l
     checkIsTerminated();
     performRegistration(envoyConfiguration);
     int status =
-        JniLibrary.runEngine(this.engineHandle, "", envoyConfiguration.createBootstrap(), logLevel);
+        JniLibrary.runEngine(this.engineHandle, envoyConfiguration.createBootstrap(), logLevel);
     if (status == 0) {
       return EnvoyStatus.ENVOY_SUCCESS;
     }
     return EnvoyStatus.ENVOY_FAILURE;
   }
 
-  private EnvoyStatus runWithResolvedYAML(String configurationYAML, String logLevel) {
-    try {
-      int status = JniLibrary.runEngine(this.engineHandle, configurationYAML, 0, logLevel);
-      if (status == 0) {
-        return EnvoyStatus.ENVOY_SUCCESS;
-      }
-    } catch (Throwable throwable) {
-      // TODO: Need to have a way to log the exception somewhere.
-    }
-    return EnvoyStatus.ENVOY_FAILURE;
-  }
-
   /**
    * Increment a counter with the given count.
    *

@@ -160,13 +160,11 @@ protected static native long initEngine(EnvoyOnEngineRunning runningCallback, En
    * If a bootstrap pointer is passed, the engine will take ownership of the proto.
    *
    * @param engine,          the engine to run.
-   * @param config,          the configuration blob to run envoy with.
-   * @param bootstrap,       a bootstrap pointer generated by createBootstrap, or 0 to use config.
+   * @param bootstrap,       a bootstrap pointer generated by createBootstrap.
    * @param logLevel,        the logging level to run envoy with.
    * @return int, the resulting status of the operation.
    */
-  protected static native int runEngine(long engine, String config, long bootstrap,
-                                        String logLevel);
+  protected static native int runEngine(long engine, long bootstrap, String logLevel);
 
   /**
    * Terminate the engine.
@@ -277,7 +275,7 @@ public static native Object callCertificateVerificationFromNative(byte[][] certC
   public static native void callClearTestRootCertificateFromNative();
 
   /*
-   * Given a filter name, create the proto or YAML config for adding the native filter
+   * Given a filter name, create the proto config for adding the native filter
    *
    * @param filterName the name of the native filter
    * @return a filter config which can be passed back to createBootstrap
@@ -304,8 +302,9 @@ public static native long createBootstrap(
       long h2ConnectionKeepaliveTimeoutSeconds, long maxConnectionsPerHost,
       long streamIdleTimeoutSeconds, long perTryIdleTimeoutSeconds, String appVersion, String appId,
       boolean trustChainVerification, byte[][] filterChain,
-      boolean enablePlatformCertificatesValidation, byte[][] runtimeGuards, String rtdsResourceName,
-      long rtdsTimeoutSeconds, String xdsAddress, long xdsPort, byte[][] xdsGrpcInitialMetadata,
-      String xdsRootCerts, String nodeId, String nodeRegion, String nodeZone, String nodeSubZone,
-      byte[] nodeMetadata, String cdsResourcesLocator, long cdsTimeoutSeconds, boolean enableCds);
+      boolean enablePlatformCertificatesValidation, String upstreamTlsSni, byte[][] runtimeGuards,
+      String rtdsResourceName, long rtdsTimeoutSeconds, String xdsAddress, long xdsPort,
+      byte[][] xdsGrpcInitialMetadata, String xdsRootCerts, String nodeId, String nodeRegion,
+      String nodeZone, String nodeSubZone, byte[] nodeMetadata, String cdsResourcesLocator,
+      long cdsTimeoutSeconds, boolean enableCds);
 }
@@ -60,6 +60,7 @@ public class NativeCronvoyEngineBuilderImpl extends CronvoyEngineBuilderImpl {
   private final String mAppId = "unspecified";
   private TrustChainVerification mTrustChainVerification = VERIFY_TRUST_CHAIN;
   private final boolean mEnablePlatformCertificatesValidation = true;
+  private String mUpstreamTlsSni = "";
   private final String mNodeId = "";
   private final String mNodeRegion = "";
   private final String mNodeZone = "";
@@ -149,6 +150,16 @@ public NativeCronvoyEngineBuilderImpl setRuntimeGuard(String feature, boolean va
     return this;
   }
 
+  /**
+   * Sets the upstream TLS socket's SNI override. If empty, no SNI override will be configured.
+   *
+   * @param sni The SNI to override on the upstream HTTP/3 or HTTP/2 TLS socket.
+   */
+  public NativeCronvoyEngineBuilderImpl setUpstreamTlsSni(String sni) {
+    mUpstreamTlsSni = sni;
+    return this;
+  }
+
   /**
    * Indicates to skip the TLS certificate verification.
    *
@@ -207,7 +218,7 @@ mEnableGzipDecompression, brotliEnabled(), portMigrationEnabled(), mEnableSocket
         mH2ConnectionKeepaliveTimeoutSeconds, mMaxConnectionsPerHost, mStreamIdleTimeoutSeconds,
         mPerTryIdleTimeoutSeconds, mAppVersion, mAppId, mTrustChainVerification, nativeFilterChain,
         platformFilterChain, stringAccessors, keyValueStores, mRuntimeGuards,
-        mEnablePlatformCertificatesValidation,
+        mEnablePlatformCertificatesValidation, mUpstreamTlsSni,
         /*rtdsResourceName=*/"", /*rtdsTimeoutSeconds=*/0, /*xdsAddress=*/"",
         /*xdsPort=*/0, /*xdsGrpcInitialMetadata=*/Collections.emptyMap(),
         /*xdsSslRootCerts=*/"", mNodeId, mNodeRegion, mNodeZone, mNodeSubZone,

@@ -114,26 +114,19 @@ extern "C" JNIEXPORT jlong JNICALL Java_io_envoyproxy_envoymobile_engine_JniLibr
 }
 
 extern "C" JNIEXPORT jint JNICALL Java_io_envoyproxy_envoymobile_engine_JniLibrary_runEngine(
-    JNIEnv* env, jclass, jlong engine, jstring config, jlong bootstrap_ptr, jstring log_level) {
+    JNIEnv* env, jclass, jlong engine, jlong bootstrap_ptr, jstring log_level) {
   Envoy::JNI::JniHelper jni_helper(env);
-  Envoy::JNI::StringUtfUniquePtr java_string_config = jni_helper.getStringUtfChars(config, nullptr);
   Envoy::JNI::StringUtfUniquePtr java_log_level = jni_helper.getStringUtfChars(log_level, nullptr);
   // This should be either 0 (null) or a pointer generated by createBootstrap.
   // As documented in JniLibrary.java, take ownership.
   std::unique_ptr<envoy::config::bootstrap::v3::Bootstrap> bootstrap(
       reinterpret_cast<envoy::config::bootstrap::v3::Bootstrap*>(bootstrap_ptr));
 
-  jint result;
-  if (!bootstrap) {
-    result = reinterpret_cast<Envoy::InternalEngine*>(engine)->run(java_string_config.get(),
-                                                                   java_log_level.get());
-  } else {
-    auto options = std::make_unique<Envoy::OptionsImplBase>();
-    options->setConfigProto(std::move(bootstrap));
-    ENVOY_BUG(options->setLogLevel(java_log_level.get()).ok(), "invalid log level");
-    options->setConcurrency(1);
-    result = reinterpret_cast<Envoy::InternalEngine*>(engine)->run(std::move(options));
-  }
+  auto options = std::make_unique<Envoy::OptionsImplBase>();
+  options->setConfigProto(std::move(bootstrap));
+  ENVOY_BUG(options->setLogLevel(java_log_level.get()).ok(), "invalid log level");
+  options->setConcurrency(1);
+  jint result = reinterpret_cast<Envoy::InternalEngine*>(engine)->run(std::move(options));
 
   return result;
 }
@@ -1109,8 +1102,9 @@ void configureBuilder(Envoy::JNI::JniHelper& jni_helper, jlong connect_timeout_s
                       jlong stream_idle_timeout_seconds, jlong per_try_idle_timeout_seconds,
                       jstring app_version, jstring app_id, jboolean trust_chain_verification,
                       jobjectArray filter_chain, jboolean enable_platform_certificates_validation,
-                      jobjectArray runtime_guards, jstring node_id, jstring node_region,
-                      jstring node_zone, jstring node_sub_zone, jbyteArray serialized_node_metadata,
+                      jstring upstream_tls_sni, jobjectArray runtime_guards, jstring node_id,
+                      jstring node_region, jstring node_zone, jstring node_sub_zone,
+                      jbyteArray serialized_node_metadata,
                       Envoy::Platform::EngineBuilder& builder) {
   builder.addConnectTimeoutSeconds((connect_timeout_seconds));
   builder.addDnsRefreshSeconds((dns_refresh_seconds));
@@ -1156,6 +1150,7 @@ void configureBuilder(Envoy::JNI::JniHelper& jni_helper, jlong connect_timeout_s
   builder.enableDrainPostDnsRefresh(enable_drain_post_dns_refresh == JNI_TRUE);
   builder.enforceTrustChainVerification(trust_chain_verification == JNI_TRUE);
   builder.enablePlatformCertificatesValidation(enable_platform_certificates_validation == JNI_TRUE);
+  builder.setUpstreamTlsSni(Envoy::JNI::javaStringToCppString(jni_helper, upstream_tls_sni));
   builder.setForceAlwaysUsev6(true);
 
   auto guards = javaObjectArrayToStringPairVector(jni_helper, runtime_guards);
@@ -1216,12 +1211,12 @@ extern "C" JNIEXPORT jlong JNICALL Java_io_envoyproxy_envoymobile_engine_JniLibr
     jlong h2_connection_keepalive_timeout_seconds, jlong max_connections_per_host,
     jlong stream_idle_timeout_seconds, jlong per_try_idle_timeout_seconds, jstring app_version,
     jstring app_id, jboolean trust_chain_verification, jobjectArray filter_chain,
-    jboolean enable_platform_certificates_validation, jobjectArray runtime_guards,
-    jstring rtds_resource_name, jlong rtds_timeout_seconds, jstring xds_address, jlong xds_port,
-    jobjectArray xds_grpc_initial_metadata, jstring xds_root_certs, jstring node_id,
-    jstring node_region, jstring node_zone, jstring node_sub_zone,
-    jbyteArray serialized_node_metadata, jstring cds_resources_locator, jlong cds_timeout_seconds,
-    jboolean enable_cds) {
+    jboolean enable_platform_certificates_validation, jstring upstream_tls_sni,
+    jobjectArray runtime_guards, jstring rtds_resource_name, jlong rtds_timeout_seconds,
+    jstring xds_address, jlong xds_port, jobjectArray xds_grpc_initial_metadata,
+    jstring xds_root_certs, jstring node_id, jstring node_region, jstring node_zone,
+    jstring node_sub_zone, jbyteArray serialized_node_metadata, jstring cds_resources_locator,
+    jlong cds_timeout_seconds, jboolean enable_cds) {
   Envoy::JNI::JniHelper jni_helper(env);
   Envoy::Platform::EngineBuilder builder;
 
@@ -1236,8 +1231,8 @@ extern "C" JNIEXPORT jlong JNICALL Java_io_envoyproxy_envoymobile_engine_JniLibr
       h2_connection_keepalive_idle_interval_milliseconds, h2_connection_keepalive_timeout_seconds,
       max_connections_per_host, stream_idle_timeout_seconds, per_try_idle_timeout_seconds,
       app_version, app_id, trust_chain_verification, filter_chain,
-      enable_platform_certificates_validation, runtime_guards, node_id, node_region, node_zone,
-      node_sub_zone, serialized_node_metadata, builder);
+      enable_platform_certificates_validation, upstream_tls_sni, runtime_guards, node_id,
+      node_region, node_zone, node_sub_zone, serialized_node_metadata, builder);
 
   std::string native_xds_address = Envoy::JNI::javaStringToCppString(jni_helper, xds_address);
   if (!native_xds_address.empty()) {