diff --git a/Cargo.toml b/Cargo.toml index c492e8b15..894576463 100644 --- a/Cargo.toml +++ b/Cargo.toml @@ -16,6 +16,7 @@ members = [ "grpc-google", "grpc-protobuf", "grpc-protobuf-build", + "grpc-xds", "protoc-gen-rust-grpc", "xds-client", "tonic-xds", diff --git a/grpc-xds/Cargo.toml b/grpc-xds/Cargo.toml new file mode 100644 index 000000000..148c1bf9b --- /dev/null +++ b/grpc-xds/Cargo.toml @@ -0,0 +1,27 @@ +[package] +name = "grpc-xds" +version = "0.1.0-alpha.1" +authors = ["gRPC Authors"] +license = "MIT" +homepage = "https://grpc.io" +repository = "https://github.com/grpc/grpc-rust" +description = """ +xDS routing and load balancing for the Rust gRPC implementation. +""" +edition = "2024" +rust-version.workspace = true +# Not published yet: the build.rs codegen requires protoc (and a C++ build of +# `protoc-gen-rust-grpc`), which doesn't fit docs.rs / crates.io publishing. +publish = false + +[package.metadata.cargo_check_external_types] +allowed_external_types = [] + +[dependencies] +protobuf = "4.35.1-release" +protobuf-well-known-types = "4.35.1-release" + +[build-dependencies] +protobuf-codegen = "4.35.1-release" +protobuf-well-known-types = "4.35.1-release" +protoc-gen-rust-grpc = { version = "0.10.0", path = "../protoc-gen-rust-grpc" } diff --git a/grpc-xds/build.rs b/grpc-xds/build.rs new file mode 100644 index 000000000..6a8353d66 --- /dev/null +++ b/grpc-xds/build.rs @@ -0,0 +1,274 @@ +//! Build-time xDS codegen. +//! +//! Regenerates the protobuf message modules from the vendored protos under +//! `proto/` into `OUT_DIR`, one protoc invocation per proto package, then lays +//! out a module tree that `src/lib.rs` includes. See `src/lib.rs` for how the +//! generated root module is pulled in. +//! +//! Grouping by package is required by the protobuf-rust generator: within a +//! single invocation every file is flattened into one namespace, and top-level +//! names are only guaranteed unique *within a package*. Files in OTHER packages +//! are declared as dependencies mapped to their in-crate module +//! (`crate::generated::`), so cross-package references resolve there +//! instead of colliding. + +use std::collections::BTreeMap; +use std::path::{Path, PathBuf}; + +fn main() { + let manifest = PathBuf::from(std::env::var("CARGO_MANIFEST_DIR").unwrap()); + let out_dir = PathBuf::from(std::env::var("OUT_DIR").unwrap()); + let gen_dir = out_dir.join("generated"); + + let third_party = manifest.join("proto/third_party"); + println!("cargo:rerun-if-changed={}", third_party.display()); + + // The five vendored dependency roots double as protoc include paths. + let include_dirs: Vec = [ + "envoy", + "xds", + "protoc-gen-validate", + "googleapis", + "cel-spec", + ] + .iter() + .map(|d| third_party.join(d)) + .collect(); + + // Resolve protoc. Locally, `protoc-gen-rust-grpc` builds it and we use that; + // in CI its C++ build is skipped (`PROTOC_GEN_RUST_GRPC_NO_BUILD=1`) and a + // prebuilt protoc is provided on `$PATH`, so `find_protoc` falls back to it. + // protoc's bundled include dir provides the well-known types (imported by + // many vendored protos) plus `google/protobuf/descriptor.proto` (imported by + // the option-defining protos); it is the sibling `../include` of the binary. + let protoc = find_protoc(); + let protoc_include = protoc + .parent() + .and_then(|p| p.parent()) + .map(|p| p.join("include")) + .expect("could not derive protoc include dir"); + + // Collect every vendored proto as an include-relative import path, e.g. + // "envoy/config/route/v3/route.proto". + let mut protos: Vec = Vec::new(); + for dir in &include_dirs { + let mut found = Vec::new(); + collect_protos(dir, &mut found); + for p in found { + // Proto import paths are always forward-slash. Normalize here so + // they match protoc's input/crate-mapping expectations and our + // `/`-based package splitting on Windows, where `strip_prefix` + // yields backslashes. + let rel = p + .strip_prefix(dir) + .unwrap() + .to_string_lossy() + .replace('\\', "/"); + protos.push(rel); + } + } + // Also generate `descriptor.proto` (from protoc's bundled include) as an + // in-crate package `crate::generated::google::protobuf`. It's imported by + // the option-defining protos to DEFINE custom options; generating it + // in-crate means their reflection metadata (`__unstable`) can reference it + // here instead of a symbol that doesn't exist in the external + // well-known-types crate. protoc finds it via the bundled include path. + protos.push("google/protobuf/descriptor.proto".to_string()); + protos.sort(); + protos.dedup(); + + // Fresh output tree. + if gen_dir.exists() { + std::fs::remove_dir_all(&gen_dir).unwrap(); + } + std::fs::create_dir_all(&gen_dir).unwrap(); + + // Deps shared by every invocation: the well-known types resolve to the + // external `protobuf_well_known_types` crate. (`descriptor.proto` is not + // listed here — it's generated in-crate as its own package, so the + // per-package loop below maps it to `crate::generated::google::protobuf` + // like any other vendored proto.) + let base_deps = protobuf_well_known_types::get_dependency("protobuf_well_known_types"); + + let includes: Vec = include_dirs + .iter() + .cloned() + .chain(std::iter::once(protoc_include.clone())) + .collect(); + + // Group protos by package directory (each leaf dir is exactly one package) + // and run one invocation per package. + let mut packages: BTreeMap<&str, Vec> = BTreeMap::new(); + for file in &protos { + packages + .entry(package_dir(file)) + .or_default() + .push(file.clone()); + } + + for files in packages.values() { + let mut deps = base_deps.clone(); + for other in &protos { + if !files.contains(other) { + deps.push(protobuf_codegen::Dependency { + crate_name: package_module_path(other), + proto_import_paths: Vec::new(), + proto_files: vec![other.clone()], + }); + } + } + protobuf_codegen::CodeGen::new() + .protoc_path(&protoc) + .inputs(files.iter()) + .includes(includes.iter()) + .output_dir(&gen_dir) + .dependency(deps) + .generate_and_compile() + .unwrap_or_else(|e| { + panic!( + "xDS codegen failed for package {}: {e}", + package_dir(&files[0]) + ) + }); + } + + // protobuf_codegen rewrites `crate_mapping.txt` in the output dir each + // invocation; drop the leftover. The per-package `generated.rs` entry points + // are kept — `write_module_tree` folds each into its package `mod.rs`. + let _ = std::fs::remove_file(gen_dir.join("crate_mapping.txt")); + + write_module_tree(&gen_dir); +} + +/// Returns the package directory of an include-relative proto path, e.g. +/// `envoy/config/route/v3/route.proto` -> `envoy/config/route/v3`. +fn package_dir(proto_rel: &str) -> &str { + proto_rel + .rsplit_once('/') + .map(|(dir, _)| dir) + .unwrap_or(proto_rel) +} + +/// Maps an include-relative proto path to its package's in-crate module path, +/// e.g. `envoy/config/route/v3/route.proto` -> +/// `crate::generated::envoy::config::route::v3`. Every file in a package is +/// co-generated and flat-re-exported at this module, so a message `Foo` from any +/// file in the package is reachable as `::Foo`. +fn package_module_path(proto_rel: &str) -> String { + let path: Vec = package_dir(proto_rel).split('/').map(raw_ident).collect(); + format!("crate::generated::{}", path.join("::")) +} + +/// Wraps a path segment as a raw identifier when it is a Rust keyword. +fn raw_ident(seg: &str) -> String { + const KEYWORDS: &[&str] = &[ + "as", "break", "const", "continue", "else", "enum", "extern", "false", "fn", "for", "if", + "impl", "in", "let", "loop", "match", "mod", "move", "mut", "pub", "ref", "return", + "static", "struct", "trait", "true", "type", "unsafe", "use", "where", "while", "async", + "await", "dyn", "abstract", "become", "box", "do", "final", "macro", "override", "priv", + "typeof", "unsized", "virtual", "yield", "try", "gen", + ]; + if KEYWORDS.contains(&seg) { + format!("r#{seg}") + } else { + seg.to_string() + } +} + +/// Builds the module tree under `dir`: each package directory's protoc entry +/// point (`generated.rs`) becomes that directory's `mod.rs` (re-exporting the +/// package's messages), and every directory declares `pub mod` for each of its +/// subdirectories with an ABSOLUTE `#[path]` — the root `mod.rs` is `include!`d +/// into `src/lib.rs` from `OUT_DIR`, so relative child paths would otherwise +/// resolve against `src/` instead of the output tree. +fn write_module_tree(dir: &Path) { + const HEADER: &str = "// @generated at build time by grpc-xds/build.rs. Do not edit."; + + let mut subdirs: Vec = Vec::new(); + let mut has_entry_point = false; + for entry in std::fs::read_dir(dir).unwrap() { + let path = entry.unwrap().path(); + let name = path.file_name().unwrap().to_string_lossy().into_owned(); + if path.is_dir() { + subdirs.push(name); + write_module_tree(&path); + } else if name == "generated.rs" { + has_entry_point = true; + } + } + subdirs.sort(); + + let mut m = format!("{HEADER}\n"); + + // Fold the package's protoc entry point in as the module body: it declares + // each `.u.pb.rs` as a hidden submodule and flat-re-exports them, so + // this module holds all of the package's messages (and intra-package + // `super::…` refs resolve here). Its `#[path]`s are relative, which is fine + // because this `mod.rs` is file-loaded (only the tree root is `include!`d). + // The trailing `__unstable` reflection block is kept verbatim: its + // cross-package `::__unstable::` refs all resolve because every + // dependency is either generated in-crate (including `descriptor.proto`) or + // comes from `protobuf_well_known_types`. + if has_entry_point { + let entry = dir.join("generated.rs"); + let body = std::fs::read_to_string(&entry).unwrap(); + m.push_str(&body); + if !m.ends_with('\n') { + m.push('\n'); + } + std::fs::remove_file(&entry).unwrap(); + } + + for s in &subdirs { + let child = dir.join(s).join("mod.rs"); + m.push_str(&format!( + "#[path = {:?}]\npub mod {};\n", + child.to_string_lossy(), + raw_ident(s) + )); + } + + std::fs::write(dir.join("mod.rs"), m).unwrap(); +} + +/// Resolves the `protoc` binary. Prefers the one built by `protoc-gen-rust-grpc` +/// (local dev); when that build is skipped (`PROTOC_GEN_RUST_GRPC_NO_BUILD`, as +/// in CI), falls back to `$PROTOC` or the first `protoc` on `$PATH`. Returns the +/// full path so the sibling `../include` dir can be located. +fn find_protoc() -> PathBuf { + let built = protoc_gen_rust_grpc::protoc(); + if built.is_file() { + return built; + } + if let Some(p) = std::env::var_os("PROTOC").map(PathBuf::from) + && p.is_file() + { + return p; + } + if let Some(path) = std::env::var_os("PATH") { + for dir in std::env::split_paths(&path) { + for name in ["protoc", "protoc.exe"] { + let candidate = dir.join(name); + if candidate.is_file() { + return candidate; + } + } + } + } + panic!( + "could not find protoc: build `protoc-gen-rust-grpc`, set $PROTOC, \ + or put protoc on $PATH" + ); +} + +/// Recursively collects `*.proto` file paths under `dir` into `out`. +fn collect_protos(dir: &Path, out: &mut Vec) { + for entry in std::fs::read_dir(dir).unwrap() { + let path = entry.unwrap().path(); + if path.is_dir() { + collect_protos(&path, out); + } else if path.extension().is_some_and(|e| e == "proto") { + out.push(path); + } + } +} diff --git a/grpc-xds/proto/third_party/cel-spec/LICENSE b/grpc-xds/proto/third_party/cel-spec/LICENSE new file mode 100644 index 000000000..d64569567 --- /dev/null +++ b/grpc-xds/proto/third_party/cel-spec/LICENSE @@ -0,0 +1,202 @@ + + Apache License + Version 2.0, January 2004 + http://www.apache.org/licenses/ + + TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION + + 1. Definitions. + + "License" shall mean the terms and conditions for use, reproduction, + and distribution as defined by Sections 1 through 9 of this document. + + "Licensor" shall mean the copyright owner or entity authorized by + the copyright owner that is granting the License. + + "Legal Entity" shall mean the union of the acting entity and all + other entities that control, are controlled by, or are under common + control with that entity. For the purposes of this definition, + "control" means (i) the power, direct or indirect, to cause the + direction or management of such entity, whether by contract or + otherwise, or (ii) ownership of fifty percent (50%) or more of the + outstanding shares, or (iii) beneficial ownership of such entity. + + "You" (or "Your") shall mean an individual or Legal Entity + exercising permissions granted by this License. + + "Source" form shall mean the preferred form for making modifications, + including but not limited to software source code, documentation + source, and configuration files. + + "Object" form shall mean any form resulting from mechanical + transformation or translation of a Source form, including but + not limited to compiled object code, generated documentation, + and conversions to other media types. + + "Work" shall mean the work of authorship, whether in Source or + Object form, made available under the License, as indicated by a + copyright notice that is included in or attached to the work + (an example is provided in the Appendix below). + + "Derivative Works" shall mean any work, whether in Source or Object + form, that is based on (or derived from) the Work and for which the + editorial revisions, annotations, elaborations, or other modifications + represent, as a whole, an original work of authorship. For the purposes + of this License, Derivative Works shall not include works that remain + separable from, or merely link (or bind by name) to the interfaces of, + the Work and Derivative Works thereof. + + "Contribution" shall mean any work of authorship, including + the original version of the Work and any modifications or additions + to that Work or Derivative Works thereof, that is intentionally + submitted to Licensor for inclusion in the Work by the copyright owner + or by an individual or Legal Entity authorized to submit on behalf of + the copyright owner. For the purposes of this definition, "submitted" + means any form of electronic, verbal, or written communication sent + to the Licensor or its representatives, including but not limited to + communication on electronic mailing lists, source code control systems, + and issue tracking systems that are managed by, or on behalf of, the + Licensor for the purpose of discussing and improving the Work, but + excluding communication that is conspicuously marked or otherwise + designated in writing by the copyright owner as "Not a Contribution." + + "Contributor" shall mean Licensor and any individual or Legal Entity + on behalf of whom a Contribution has been received by Licensor and + subsequently incorporated within the Work. + + 2. Grant of Copyright License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + copyright license to reproduce, prepare Derivative Works of, + publicly display, publicly perform, sublicense, and distribute the + Work and such Derivative Works in Source or Object form. + + 3. Grant of Patent License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + (except as stated in this section) patent license to make, have made, + use, offer to sell, sell, import, and otherwise transfer the Work, + where such license applies only to those patent claims licensable + by such Contributor that are necessarily infringed by their + Contribution(s) alone or by combination of their Contribution(s) + with the Work to which such Contribution(s) was submitted. If You + institute patent litigation against any entity (including a + cross-claim or counterclaim in a lawsuit) alleging that the Work + or a Contribution incorporated within the Work constitutes direct + or contributory patent infringement, then any patent licenses + granted to You under this License for that Work shall terminate + as of the date such litigation is filed. + + 4. Redistribution. You may reproduce and distribute copies of the + Work or Derivative Works thereof in any medium, with or without + modifications, and in Source or Object form, provided that You + meet the following conditions: + + (a) You must give any other recipients of the Work or + Derivative Works a copy of this License; and + + (b) You must cause any modified files to carry prominent notices + stating that You changed the files; and + + (c) You must retain, in the Source form of any Derivative Works + that You distribute, all copyright, patent, trademark, and + attribution notices from the Source form of the Work, + excluding those notices that do not pertain to any part of + the Derivative Works; and + + (d) If the Work includes a "NOTICE" text file as part of its + distribution, then any Derivative Works that You distribute must + include a readable copy of the attribution notices contained + within such NOTICE file, excluding those notices that do not + pertain to any part of the Derivative Works, in at least one + of the following places: within a NOTICE text file distributed + as part of the Derivative Works; within the Source form or + documentation, if provided along with the Derivative Works; or, + within a display generated by the Derivative Works, if and + wherever such third-party notices normally appear. The contents + of the NOTICE file are for informational purposes only and + do not modify the License. You may add Your own attribution + notices within Derivative Works that You distribute, alongside + or as an addendum to the NOTICE text from the Work, provided + that such additional attribution notices cannot be construed + as modifying the License. + + You may add Your own copyright statement to Your modifications and + may provide additional or different license terms and conditions + for use, reproduction, or distribution of Your modifications, or + for any such Derivative Works as a whole, provided Your use, + reproduction, and distribution of the Work otherwise complies with + the conditions stated in this License. + + 5. Submission of Contributions. Unless You explicitly state otherwise, + any Contribution intentionally submitted for inclusion in the Work + by You to the Licensor shall be under the terms and conditions of + this License, without any additional terms or conditions. + Notwithstanding the above, nothing herein shall supersede or modify + the terms of any separate license agreement you may have executed + with Licensor regarding such Contributions. + + 6. Trademarks. This License does not grant permission to use the trade + names, trademarks, service marks, or product names of the Licensor, + except as required for reasonable and customary use in describing the + origin of the Work and reproducing the content of the NOTICE file. + + 7. Disclaimer of Warranty. Unless required by applicable law or + agreed to in writing, Licensor provides the Work (and each + Contributor provides its Contributions) on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or + implied, including, without limitation, any warranties or conditions + of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A + PARTICULAR PURPOSE. You are solely responsible for determining the + appropriateness of using or redistributing the Work and assume any + risks associated with Your exercise of permissions under this License. + + 8. Limitation of Liability. In no event and under no legal theory, + whether in tort (including negligence), contract, or otherwise, + unless required by applicable law (such as deliberate and grossly + negligent acts) or agreed to in writing, shall any Contributor be + liable to You for damages, including any direct, indirect, special, + incidental, or consequential damages of any character arising as a + result of this License or out of the use or inability to use the + Work (including but not limited to damages for loss of goodwill, + work stoppage, computer failure or malfunction, or any and all + other commercial damages or losses), even if such Contributor + has been advised of the possibility of such damages. + + 9. Accepting Warranty or Additional Liability. While redistributing + the Work or Derivative Works thereof, You may choose to offer, + and charge a fee for, acceptance of support, warranty, indemnity, + or other liability obligations and/or rights consistent with this + License. However, in accepting such obligations, You may act only + on Your own behalf and on Your sole responsibility, not on behalf + of any other Contributor, and only if You agree to indemnify, + defend, and hold each Contributor harmless for any liability + incurred by, or claims asserted against, such Contributor by reason + of your accepting any such warranty or additional liability. + + END OF TERMS AND CONDITIONS + + APPENDIX: How to apply the Apache License to your work. + + To apply the Apache License to your work, attach the following + boilerplate notice, with the fields enclosed by brackets "[]" + replaced with your own identifying information. (Don't include + the brackets!) The text should be enclosed in the appropriate + comment syntax for the file format. We also recommend that a + file or class name and description of purpose be included on the + same "printed page" as the copyright notice for easier + identification within third-party archives. + + Copyright [yyyy] [name of copyright owner] + + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. diff --git a/grpc-xds/proto/third_party/cel-spec/cel/expr/checked.proto b/grpc-xds/proto/third_party/cel-spec/cel/expr/checked.proto new file mode 100644 index 000000000..e327db9b2 --- /dev/null +++ b/grpc-xds/proto/third_party/cel-spec/cel/expr/checked.proto @@ -0,0 +1,344 @@ +// Copyright 2023 Google LLC +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +syntax = "proto3"; + +package cel.expr; + +import "cel/expr/syntax.proto"; +import "google/protobuf/empty.proto"; +import "google/protobuf/struct.proto"; + +option cc_enable_arenas = true; +option go_package = "cel.dev/expr"; +option java_multiple_files = true; +option java_outer_classname = "DeclProto"; +option java_package = "dev.cel.expr"; + +// Protos for representing CEL declarations and typed checked expressions. + +// A CEL expression which has been successfully type checked. +message CheckedExpr { + // A map from expression ids to resolved references. + // + // The following entries are in this table: + // + // - An Ident or Select expression is represented here if it resolves to a + // declaration. For instance, if `a.b.c` is represented by + // `select(select(id(a), b), c)`, and `a.b` resolves to a declaration, + // while `c` is a field selection, then the reference is attached to the + // nested select expression (but not to the id or or the outer select). + // In turn, if `a` resolves to a declaration and `b.c` are field selections, + // the reference is attached to the ident expression. + // - Every Call expression has an entry here, identifying the function being + // called. + // - Every CreateStruct expression for a message has an entry, identifying + // the message. + map reference_map = 2; + + // A map from expression ids to types. + // + // Every expression node which has a type different than DYN has a mapping + // here. If an expression has type DYN, it is omitted from this map to save + // space. + map type_map = 3; + + // The source info derived from input that generated the parsed `expr` and + // any optimizations made during the type-checking pass. + SourceInfo source_info = 5; + + // The expr version indicates the major / minor version number of the `expr` + // representation. + // + // The most common reason for a version change will be to indicate to the CEL + // runtimes that transformations have been performed on the expr during static + // analysis. In some cases, this will save the runtime the work of applying + // the same or similar transformations prior to evaluation. + string expr_version = 6; + + // The checked expression. Semantically equivalent to the parsed `expr`, but + // may have structural differences. + Expr expr = 4; +} + +// Represents a CEL type. +message Type { + // List type with typed elements, e.g. `list`. + message ListType { + // The element type. + Type elem_type = 1; + } + + // Map type with parameterized key and value types, e.g. `map`. + message MapType { + // The type of the key. + Type key_type = 1; + + // The type of the value. + Type value_type = 2; + } + + // Function type with result and arg types. + message FunctionType { + // Result type of the function. + Type result_type = 1; + + // Argument types of the function. + repeated Type arg_types = 2; + } + + // Application defined abstract type. + message AbstractType { + // The fully qualified name of this abstract type. + string name = 1; + + // Parameter types for this abstract type. + repeated Type parameter_types = 2; + } + + // CEL primitive types. + enum PrimitiveType { + // Unspecified type. + PRIMITIVE_TYPE_UNSPECIFIED = 0; + + // Boolean type. + BOOL = 1; + + // Int64 type. + // + // 32-bit integer values are widened to int64. + INT64 = 2; + + // Uint64 type. + // + // 32-bit unsigned integer values are widened to uint64. + UINT64 = 3; + + // Double type. + // + // 32-bit float values are widened to double values. + DOUBLE = 4; + + // String type. + STRING = 5; + + // Bytes type. + BYTES = 6; + } + + // Well-known protobuf types treated with first-class support in CEL. + enum WellKnownType { + // Unspecified type. + WELL_KNOWN_TYPE_UNSPECIFIED = 0; + + // Well-known protobuf.Any type. + // + // Any types are a polymorphic message type. During type-checking they are + // treated like `DYN` types, but at runtime they are resolved to a specific + // message type specified at evaluation time. + ANY = 1; + + // Well-known protobuf.Timestamp type, internally referenced as `timestamp`. + TIMESTAMP = 2; + + // Well-known protobuf.Duration type, internally referenced as `duration`. + DURATION = 3; + } + + // The kind of type. + oneof type_kind { + // Dynamic type. + google.protobuf.Empty dyn = 1; + + // Null value. + google.protobuf.NullValue null = 2; + + // Primitive types: `true`, `1u`, `-2.0`, `'string'`, `b'bytes'`. + PrimitiveType primitive = 3; + + // Wrapper of a primitive type, e.g. `google.protobuf.Int64Value`. + PrimitiveType wrapper = 4; + + // Well-known protobuf type such as `google.protobuf.Timestamp`. + WellKnownType well_known = 5; + + // Parameterized list with elements of `list_type`, e.g. `list`. + ListType list_type = 6; + + // Parameterized map with typed keys and values. + MapType map_type = 7; + + // Function type. + FunctionType function = 8; + + // Protocol buffer message type. + // + // The `message_type` string specifies the qualified message type name. For + // example, `google.type.PhoneNumber`. + string message_type = 9; + + // Type param type. + // + // The `type_param` string specifies the type parameter name, e.g. `list` + // would be a `list_type` whose element type was a `type_param` type + // named `E`. + string type_param = 10; + + // Type type. + // + // The `type` value specifies the target type. e.g. int is type with a + // target type of `Primitive.INT64`. + Type type = 11; + + // Error type. + // + // During type-checking if an expression is an error, its type is propagated + // as the `ERROR` type. This permits the type-checker to discover other + // errors present in the expression. + google.protobuf.Empty error = 12; + + // Abstract, application defined type. + // + // An abstract type has no accessible field names, and it can only be + // inspected via helper / member functions. + AbstractType abstract_type = 14; + } +} + +// Represents a declaration of a named value or function. +// +// A declaration is part of the contract between the expression, the agent +// evaluating that expression, and the caller requesting evaluation. +message Decl { + // Identifier declaration which specifies its type and optional `Expr` value. + // + // An identifier without a value is a declaration that must be provided at + // evaluation time. An identifier with a value should resolve to a constant, + // but may be used in conjunction with other identifiers bound at evaluation + // time. + message IdentDecl { + // Required. The type of the identifier. + Type type = 1; + + // The constant value of the identifier. If not specified, the identifier + // must be supplied at evaluation time. + Constant value = 2; + + // Documentation string for the identifier. + string doc = 3; + } + + // Function declaration specifies one or more overloads which indicate the + // function's parameter types and return type. + // + // Functions have no observable side-effects (there may be side-effects like + // logging which are not observable from CEL). + message FunctionDecl { + // An overload indicates a function's parameter types and return type, and + // may optionally include a function body described in terms of + // [Expr][cel.expr.Expr] values. + // + // Functions overloads are declared in either a function or method + // call-style. For methods, the `params[0]` is the expected type of the + // target receiver. + // + // Overloads must have non-overlapping argument types after erasure of all + // parameterized type variables (similar as type erasure in Java). + message Overload { + // Required. Globally unique overload name of the function which reflects + // the function name and argument types. + // + // This will be used by a [Reference][cel.expr.Reference] to + // indicate the `overload_id` that was resolved for the function `name`. + string overload_id = 1; + + // List of function parameter [Type][cel.expr.Type] values. + // + // Param types are disjoint after generic type parameters have been + // replaced with the type `DYN`. Since the `DYN` type is compatible with + // any other type, this means that if `A` is a type parameter, the + // function types `int` and `int` are not disjoint. Likewise, + // `map` is not disjoint from `map`. + // + // When the `result_type` of a function is a generic type param, the + // type param name also appears as the `type` of on at least one params. + repeated Type params = 2; + + // The type param names associated with the function declaration. + // + // For example, `function ex(K key, map map) : V` would yield + // the type params of `K, V`. + repeated string type_params = 3; + + // Required. The result type of the function. For example, the operator + // `string.isEmpty()` would have `result_type` of `kind: BOOL`. + Type result_type = 4; + + // Whether the function is to be used in a method call-style `x.f(...)` + // of a function call-style `f(x, ...)`. + // + // For methods, the first parameter declaration, `params[0]` is the + // expected type of the target receiver. + bool is_instance_function = 5; + + // Documentation string for the overload. + string doc = 6; + } + + // Required. List of function overloads, must contain at least one overload. + repeated Overload overloads = 1; + } + + // The fully qualified name of the declaration. + // + // Declarations are organized in containers and this represents the full path + // to the declaration in its container, as in `cel.expr.Decl`. + // + // Declarations used as + // [FunctionDecl.Overload][cel.expr.Decl.FunctionDecl.Overload] + // parameters may or may not have a name depending on whether the overload is + // function declaration or a function definition containing a result + // [Expr][cel.expr.Expr]. + string name = 1; + + // Required. The declaration kind. + oneof decl_kind { + // Identifier declaration. + IdentDecl ident = 2; + + // Function declaration. + FunctionDecl function = 3; + } +} + +// Describes a resolved reference to a declaration. +message Reference { + // The fully qualified name of the declaration. + string name = 1; + + // For references to functions, this is a list of `Overload.overload_id` + // values which match according to typing rules. + // + // If the list has more than one element, overload resolution among the + // presented candidates must happen at runtime because of dynamic types. The + // type checker attempts to narrow down this list as much as possible. + // + // Empty if this is not a reference to a + // [Decl.FunctionDecl][cel.expr.Decl.FunctionDecl]. + repeated string overload_id = 3; + + // For references to constants, this may contain the value of the + // constant if known at compile time. + Constant value = 4; +} diff --git a/grpc-xds/proto/third_party/cel-spec/cel/expr/syntax.proto b/grpc-xds/proto/third_party/cel-spec/cel/expr/syntax.proto new file mode 100644 index 000000000..ed124a743 --- /dev/null +++ b/grpc-xds/proto/third_party/cel-spec/cel/expr/syntax.proto @@ -0,0 +1,393 @@ +// Copyright 2023 Google LLC +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +syntax = "proto3"; + +package cel.expr; + +import "google/protobuf/duration.proto"; +import "google/protobuf/struct.proto"; +import "google/protobuf/timestamp.proto"; + +option cc_enable_arenas = true; +option go_package = "cel.dev/expr"; +option java_multiple_files = true; +option java_outer_classname = "SyntaxProto"; +option java_package = "dev.cel.expr"; + +// A representation of the abstract syntax of the Common Expression Language. + +// An expression together with source information as returned by the parser. +message ParsedExpr { + // The parsed expression. + Expr expr = 2; + + // The source info derived from input that generated the parsed `expr`. + SourceInfo source_info = 3; +} + +// An abstract representation of a common expression. +// +// Expressions are abstractly represented as a collection of identifiers, +// select statements, function calls, literals, and comprehensions. All +// operators with the exception of the '.' operator are modelled as function +// calls. This makes it easy to represent new operators into the existing AST. +// +// All references within expressions must resolve to a +// [Decl][cel.expr.Decl] provided at type-check for an expression to be +// valid. A reference may either be a bare identifier `name` or a qualified +// identifier `google.api.name`. References may either refer to a value or a +// function declaration. +// +// For example, the expression `google.api.name.startsWith('expr')` references +// the declaration `google.api.name` within a +// [Expr.Select][cel.expr.Expr.Select] expression, and the function +// declaration `startsWith`. +message Expr { + // An identifier expression. e.g. `request`. + message Ident { + // Required. Holds a single, unqualified identifier, possibly preceded by a + // '.'. + // + // Qualified names are represented by the + // [Expr.Select][cel.expr.Expr.Select] expression. + string name = 1; + } + + // A field selection expression. e.g. `request.auth`. + message Select { + // Required. The target of the selection expression. + // + // For example, in the select expression `request.auth`, the `request` + // portion of the expression is the `operand`. + Expr operand = 1; + + // Required. The name of the field to select. + // + // For example, in the select expression `request.auth`, the `auth` portion + // of the expression would be the `field`. + string field = 2; + + // Whether the select is to be interpreted as a field presence test. + // + // This results from the macro `has(request.auth)`. + bool test_only = 3; + } + + // A call expression, including calls to predefined functions and operators. + // + // For example, `value == 10`, `size(map_value)`. + message Call { + // The target of an method call-style expression. For example, `x` in + // `x.f()`. + Expr target = 1; + + // Required. The name of the function or method being called. + string function = 2; + + // The arguments. + repeated Expr args = 3; + } + + // A list creation expression. + // + // Lists may either be homogenous, e.g. `[1, 2, 3]`, or heterogeneous, e.g. + // `dyn([1, 'hello', 2.0])` + message CreateList { + // The elements part of the list. + repeated Expr elements = 1; + + // The indices within the elements list which are marked as optional + // elements. + // + // When an optional-typed value is present, the value it contains + // is included in the list. If the optional-typed value is absent, the list + // element is omitted from the CreateList result. + repeated int32 optional_indices = 2; + } + + // A map or message creation expression. + // + // Maps are constructed as `{'key_name': 'value'}`. Message construction is + // similar, but prefixed with a type name and composed of field ids: + // `types.MyType{field_id: 'value'}`. + message CreateStruct { + // Represents an entry. + message Entry { + // Required. An id assigned to this node by the parser which is unique + // in a given expression tree. This is used to associate type + // information and other attributes to the node. + int64 id = 1; + + // The `Entry` key kinds. + oneof key_kind { + // The field key for a message creator statement. + string field_key = 2; + + // The key expression for a map creation statement. + Expr map_key = 3; + } + + // Required. The value assigned to the key. + // + // If the optional_entry field is true, the expression must resolve to an + // optional-typed value. If the optional value is present, the key will be + // set; however, if the optional value is absent, the key will be unset. + Expr value = 4; + + // Whether the key-value pair is optional. + bool optional_entry = 5; + } + + // The type name of the message to be created, empty when creating map + // literals. + string message_name = 1; + + // The entries in the creation expression. + repeated Entry entries = 2; + } + + // A comprehension expression applied to a list or map. + // + // Comprehensions are not part of the core syntax, but enabled with macros. + // A macro matches a specific call signature within a parsed AST and replaces + // the call with an alternate AST block. Macro expansion happens at parse + // time. + // + // The following macros are supported within CEL: + // + // Aggregate type macros may be applied to all elements in a list or all keys + // in a map: + // + // * `all`, `exists`, `exists_one` - test a predicate expression against + // the inputs and return `true` if the predicate is satisfied for all, + // any, or only one value `list.all(x, x < 10)`. + // * `filter` - test a predicate expression against the inputs and return + // the subset of elements which satisfy the predicate: + // `payments.filter(p, p > 1000)`. + // * `map` - apply an expression to all elements in the input and return the + // output aggregate type: `[1, 2, 3].map(i, i * i)`. + // + // The `has(m.x)` macro tests whether the property `x` is present in struct + // `m`. The semantics of this macro depend on the type of `m`. For proto2 + // messages `has(m.x)` is defined as 'defined, but not set`. For proto3, the + // macro tests whether the property is set to its default. For map and struct + // types, the macro tests whether the property `x` is defined on `m`. + // + // Comprehension evaluation can be best visualized as the following + // pseudocode: + // + // ``` + // let `accu_var` = `accu_init` + // for (let `iter_var` in `iter_range`) { + // if (!`loop_condition`) { + // break + // } + // `accu_var` = `loop_step` + // } + // return `result` + // ``` + message Comprehension { + // The name of the iteration variable. + string iter_var = 1; + + // The range over which var iterates. + Expr iter_range = 2; + + // The name of the variable used for accumulation of the result. + string accu_var = 3; + + // The initial value of the accumulator. + Expr accu_init = 4; + + // An expression which can contain iter_var and accu_var. + // + // Returns false when the result has been computed and may be used as + // a hint to short-circuit the remainder of the comprehension. + Expr loop_condition = 5; + + // An expression which can contain iter_var and accu_var. + // + // Computes the next value of accu_var. + Expr loop_step = 6; + + // An expression which can contain accu_var. + // + // Computes the result. + Expr result = 7; + } + + // Required. An id assigned to this node by the parser which is unique in a + // given expression tree. This is used to associate type information and other + // attributes to a node in the parse tree. + int64 id = 2; + + // Required. Variants of expressions. + oneof expr_kind { + // A constant expression. + Constant const_expr = 3; + + // An identifier expression. + Ident ident_expr = 4; + + // A field selection expression, e.g. `request.auth`. + Select select_expr = 5; + + // A call expression, including calls to predefined functions and operators. + Call call_expr = 6; + + // A list creation expression. + CreateList list_expr = 7; + + // A map or message creation expression. + CreateStruct struct_expr = 8; + + // A comprehension expression. + Comprehension comprehension_expr = 9; + } +} + +// Represents a primitive literal. +// +// Named 'Constant' here for backwards compatibility. +// +// This is similar as the primitives supported in the well-known type +// `google.protobuf.Value`, but richer so it can represent CEL's full range of +// primitives. +// +// Lists and structs are not included as constants as these aggregate types may +// contain [Expr][cel.expr.Expr] elements which require evaluation and +// are thus not constant. +// +// Examples of constants include: `"hello"`, `b'bytes'`, `1u`, `4.2`, `-2`, +// `true`, `null`. +message Constant { + // Required. The valid constant kinds. + oneof constant_kind { + // null value. + google.protobuf.NullValue null_value = 1; + + // boolean value. + bool bool_value = 2; + + // int64 value. + int64 int64_value = 3; + + // uint64 value. + uint64 uint64_value = 4; + + // double value. + double double_value = 5; + + // string value. + string string_value = 6; + + // bytes value. + bytes bytes_value = 7; + + // protobuf.Duration value. + // + // Deprecated: duration is no longer considered a builtin cel type. + google.protobuf.Duration duration_value = 8 [deprecated = true]; + + // protobuf.Timestamp value. + // + // Deprecated: timestamp is no longer considered a builtin cel type. + google.protobuf.Timestamp timestamp_value = 9 [deprecated = true]; + } +} + +// Source information collected at parse time. +message SourceInfo { + // The syntax version of the source, e.g. `cel1`. + string syntax_version = 1; + + // The location name. All position information attached to an expression is + // relative to this location. + // + // The location could be a file, UI element, or similar. For example, + // `acme/app/AnvilPolicy.cel`. + string location = 2; + + // Monotonically increasing list of code point offsets where newlines + // `\n` appear. + // + // The line number of a given position is the index `i` where for a given + // `id` the `line_offsets[i] < id_positions[id] < line_offsets[i+1]`. The + // column may be derived from `id_positions[id] - line_offsets[i]`. + repeated int32 line_offsets = 3; + + // A map from the parse node id (e.g. `Expr.id`) to the code point offset + // within the source. + map positions = 4; + + // A map from the parse node id where a macro replacement was made to the + // call `Expr` that resulted in a macro expansion. + // + // For example, `has(value.field)` is a function call that is replaced by a + // `test_only` field selection in the AST. Likewise, the call + // `list.exists(e, e > 10)` translates to a comprehension expression. The key + // in the map corresponds to the expression id of the expanded macro, and the + // value is the call `Expr` that was replaced. + map macro_calls = 5; + + // A list of tags for extensions that were used while parsing or type checking + // the source expression. For example, optimizations that require special + // runtime support may be specified. + // + // These are used to check feature support between components in separate + // implementations. This can be used to either skip redundant work or + // report an error if the extension is unsupported. + repeated Extension extensions = 6; + + // An extension that was requested for the source expression. + message Extension { + // Version + message Version { + // Major version changes indicate different required support level from + // the required components. + int64 major = 1; + // Minor version changes must not change the observed behavior from + // existing implementations, but may be provided informationally. + int64 minor = 2; + } + + // CEL component specifier. + enum Component { + // Unspecified, default. + COMPONENT_UNSPECIFIED = 0; + // Parser. Converts a CEL string to an AST. + COMPONENT_PARSER = 1; + // Type checker. Checks that references in an AST are defined and types + // agree. + COMPONENT_TYPE_CHECKER = 2; + // Runtime. Evaluates a parsed and optionally checked CEL AST against a + // context. + COMPONENT_RUNTIME = 3; + } + + // Identifier for the extension. Example: constant_folding + string id = 1; + + // If set, the listed components must understand the extension for the + // expression to evaluate correctly. + // + // This field has set semantics, repeated values should be deduplicated. + repeated Component affected_components = 2; + + // Version info. May be skipped if it isn't meaningful for the extension. + // (for example constant_folding might always be v0.0). + Version version = 3; + } +} diff --git a/grpc-xds/proto/third_party/cel-spec/import.sh b/grpc-xds/proto/third_party/cel-spec/import.sh new file mode 100755 index 000000000..1042fc18d --- /dev/null +++ b/grpc-xds/proto/third_party/cel-spec/import.sh @@ -0,0 +1,20 @@ +#!/bin/bash +set -e + +# Update VERSION then execute this script. +# Imports google/cel-spec CEL expression protos into src/main/proto. +# Modeled after grpc-java's xds/third_party/cel-spec/import.sh. + +source "$(cd "$(dirname "$0")" && pwd)/../import_common.sh" + +VERSION="v0.15.0" +DOWNLOAD_URL="https://github.com/google/cel-spec/archive/refs/tags/${VERSION}.tar.gz" +DOWNLOAD_BASE_DIR="cel-spec-${VERSION#v}" +SOURCE_PROTO_BASE_DIR="${DOWNLOAD_BASE_DIR}/proto" +# Sorted alphabetically. +FILES=( +cel/expr/checked.proto +cel/expr/syntax.proto +) + +import_protos diff --git a/grpc-xds/proto/third_party/envoy/LICENSE b/grpc-xds/proto/third_party/envoy/LICENSE new file mode 100644 index 000000000..d64569567 --- /dev/null +++ b/grpc-xds/proto/third_party/envoy/LICENSE @@ -0,0 +1,202 @@ + + Apache License + Version 2.0, January 2004 + http://www.apache.org/licenses/ + + TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION + + 1. Definitions. + + "License" shall mean the terms and conditions for use, reproduction, + and distribution as defined by Sections 1 through 9 of this document. + + "Licensor" shall mean the copyright owner or entity authorized by + the copyright owner that is granting the License. + + "Legal Entity" shall mean the union of the acting entity and all + other entities that control, are controlled by, or are under common + control with that entity. For the purposes of this definition, + "control" means (i) the power, direct or indirect, to cause the + direction or management of such entity, whether by contract or + otherwise, or (ii) ownership of fifty percent (50%) or more of the + outstanding shares, or (iii) beneficial ownership of such entity. + + "You" (or "Your") shall mean an individual or Legal Entity + exercising permissions granted by this License. + + "Source" form shall mean the preferred form for making modifications, + including but not limited to software source code, documentation + source, and configuration files. + + "Object" form shall mean any form resulting from mechanical + transformation or translation of a Source form, including but + not limited to compiled object code, generated documentation, + and conversions to other media types. + + "Work" shall mean the work of authorship, whether in Source or + Object form, made available under the License, as indicated by a + copyright notice that is included in or attached to the work + (an example is provided in the Appendix below). + + "Derivative Works" shall mean any work, whether in Source or Object + form, that is based on (or derived from) the Work and for which the + editorial revisions, annotations, elaborations, or other modifications + represent, as a whole, an original work of authorship. For the purposes + of this License, Derivative Works shall not include works that remain + separable from, or merely link (or bind by name) to the interfaces of, + the Work and Derivative Works thereof. + + "Contribution" shall mean any work of authorship, including + the original version of the Work and any modifications or additions + to that Work or Derivative Works thereof, that is intentionally + submitted to Licensor for inclusion in the Work by the copyright owner + or by an individual or Legal Entity authorized to submit on behalf of + the copyright owner. For the purposes of this definition, "submitted" + means any form of electronic, verbal, or written communication sent + to the Licensor or its representatives, including but not limited to + communication on electronic mailing lists, source code control systems, + and issue tracking systems that are managed by, or on behalf of, the + Licensor for the purpose of discussing and improving the Work, but + excluding communication that is conspicuously marked or otherwise + designated in writing by the copyright owner as "Not a Contribution." + + "Contributor" shall mean Licensor and any individual or Legal Entity + on behalf of whom a Contribution has been received by Licensor and + subsequently incorporated within the Work. + + 2. Grant of Copyright License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + copyright license to reproduce, prepare Derivative Works of, + publicly display, publicly perform, sublicense, and distribute the + Work and such Derivative Works in Source or Object form. + + 3. Grant of Patent License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + (except as stated in this section) patent license to make, have made, + use, offer to sell, sell, import, and otherwise transfer the Work, + where such license applies only to those patent claims licensable + by such Contributor that are necessarily infringed by their + Contribution(s) alone or by combination of their Contribution(s) + with the Work to which such Contribution(s) was submitted. If You + institute patent litigation against any entity (including a + cross-claim or counterclaim in a lawsuit) alleging that the Work + or a Contribution incorporated within the Work constitutes direct + or contributory patent infringement, then any patent licenses + granted to You under this License for that Work shall terminate + as of the date such litigation is filed. + + 4. Redistribution. You may reproduce and distribute copies of the + Work or Derivative Works thereof in any medium, with or without + modifications, and in Source or Object form, provided that You + meet the following conditions: + + (a) You must give any other recipients of the Work or + Derivative Works a copy of this License; and + + (b) You must cause any modified files to carry prominent notices + stating that You changed the files; and + + (c) You must retain, in the Source form of any Derivative Works + that You distribute, all copyright, patent, trademark, and + attribution notices from the Source form of the Work, + excluding those notices that do not pertain to any part of + the Derivative Works; and + + (d) If the Work includes a "NOTICE" text file as part of its + distribution, then any Derivative Works that You distribute must + include a readable copy of the attribution notices contained + within such NOTICE file, excluding those notices that do not + pertain to any part of the Derivative Works, in at least one + of the following places: within a NOTICE text file distributed + as part of the Derivative Works; within the Source form or + documentation, if provided along with the Derivative Works; or, + within a display generated by the Derivative Works, if and + wherever such third-party notices normally appear. The contents + of the NOTICE file are for informational purposes only and + do not modify the License. You may add Your own attribution + notices within Derivative Works that You distribute, alongside + or as an addendum to the NOTICE text from the Work, provided + that such additional attribution notices cannot be construed + as modifying the License. + + You may add Your own copyright statement to Your modifications and + may provide additional or different license terms and conditions + for use, reproduction, or distribution of Your modifications, or + for any such Derivative Works as a whole, provided Your use, + reproduction, and distribution of the Work otherwise complies with + the conditions stated in this License. + + 5. Submission of Contributions. Unless You explicitly state otherwise, + any Contribution intentionally submitted for inclusion in the Work + by You to the Licensor shall be under the terms and conditions of + this License, without any additional terms or conditions. + Notwithstanding the above, nothing herein shall supersede or modify + the terms of any separate license agreement you may have executed + with Licensor regarding such Contributions. + + 6. Trademarks. This License does not grant permission to use the trade + names, trademarks, service marks, or product names of the Licensor, + except as required for reasonable and customary use in describing the + origin of the Work and reproducing the content of the NOTICE file. + + 7. Disclaimer of Warranty. Unless required by applicable law or + agreed to in writing, Licensor provides the Work (and each + Contributor provides its Contributions) on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or + implied, including, without limitation, any warranties or conditions + of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A + PARTICULAR PURPOSE. You are solely responsible for determining the + appropriateness of using or redistributing the Work and assume any + risks associated with Your exercise of permissions under this License. + + 8. Limitation of Liability. In no event and under no legal theory, + whether in tort (including negligence), contract, or otherwise, + unless required by applicable law (such as deliberate and grossly + negligent acts) or agreed to in writing, shall any Contributor be + liable to You for damages, including any direct, indirect, special, + incidental, or consequential damages of any character arising as a + result of this License or out of the use or inability to use the + Work (including but not limited to damages for loss of goodwill, + work stoppage, computer failure or malfunction, or any and all + other commercial damages or losses), even if such Contributor + has been advised of the possibility of such damages. + + 9. Accepting Warranty or Additional Liability. While redistributing + the Work or Derivative Works thereof, You may choose to offer, + and charge a fee for, acceptance of support, warranty, indemnity, + or other liability obligations and/or rights consistent with this + License. However, in accepting such obligations, You may act only + on Your own behalf and on Your sole responsibility, not on behalf + of any other Contributor, and only if You agree to indemnify, + defend, and hold each Contributor harmless for any liability + incurred by, or claims asserted against, such Contributor by reason + of your accepting any such warranty or additional liability. + + END OF TERMS AND CONDITIONS + + APPENDIX: How to apply the Apache License to your work. + + To apply the Apache License to your work, attach the following + boilerplate notice, with the fields enclosed by brackets "[]" + replaced with your own identifying information. (Don't include + the brackets!) The text should be enclosed in the appropriate + comment syntax for the file format. We also recommend that a + file or class name and description of purpose be included on the + same "printed page" as the copyright notice for easier + identification within third-party archives. + + Copyright [yyyy] [name of copyright owner] + + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. diff --git a/grpc-xds/proto/third_party/envoy/NOTICE b/grpc-xds/proto/third_party/envoy/NOTICE new file mode 100644 index 000000000..8604a8bbd --- /dev/null +++ b/grpc-xds/proto/third_party/envoy/NOTICE @@ -0,0 +1,4 @@ +Envoy +Copyright The Envoy Project Authors + +Licensed under Apache License 2.0. See LICENSE for terms. diff --git a/grpc-xds/proto/third_party/envoy/envoy/admin/v3/config_dump.proto b/grpc-xds/proto/third_party/envoy/envoy/admin/v3/config_dump.proto new file mode 100644 index 000000000..82dc13ebf --- /dev/null +++ b/grpc-xds/proto/third_party/envoy/envoy/admin/v3/config_dump.proto @@ -0,0 +1,135 @@ +syntax = "proto3"; + +package envoy.admin.v3; + +import "envoy/admin/v3/config_dump_shared.proto"; +import "envoy/config/bootstrap/v3/bootstrap.proto"; + +import "google/protobuf/any.proto"; +import "google/protobuf/timestamp.proto"; + +import "udpa/annotations/status.proto"; +import "udpa/annotations/versioning.proto"; + +option java_package = "io.envoyproxy.envoy.admin.v3"; +option java_outer_classname = "ConfigDumpProto"; +option java_multiple_files = true; +option go_package = "github.com/envoyproxy/go-control-plane/envoy/admin/v3;adminv3"; +option (udpa.annotations.file_status).package_version_status = ACTIVE; + +// [#protodoc-title: ConfigDump] + +// The :ref:`/config_dump ` admin endpoint uses this wrapper +// message to maintain and serve arbitrary configuration information from any component in Envoy. +message ConfigDump { + option (udpa.annotations.versioning).previous_message_type = "envoy.admin.v2alpha.ConfigDump"; + + // This list is serialized and dumped in its entirety at the + // :ref:`/config_dump ` endpoint. + // + // The following configurations are currently supported and will be dumped in the order given + // below: + // + // * ``bootstrap``: :ref:`BootstrapConfigDump ` + // * ``clusters``: :ref:`ClustersConfigDump ` + // * ``ecds_filter_http``: :ref:`EcdsConfigDump ` + // * ``ecds_filter_quic_listener``: :ref:`EcdsConfigDump ` + // * ``ecds_filter_tcp_listener``: :ref:`EcdsConfigDump ` + // * ``endpoints``: :ref:`EndpointsConfigDump ` + // * ``listeners``: :ref:`ListenersConfigDump ` + // * ``scoped_routes``: :ref:`ScopedRoutesConfigDump ` + // * ``routes``: :ref:`RoutesConfigDump ` + // * ``secrets``: :ref:`SecretsConfigDump ` + // + // EDS Configuration will only be dumped by using parameter ``?include_eds`` + // + // Currently ECDS is supported in HTTP and listener filters. Note, ECDS configuration for + // either HTTP or listener filter will only be dumped if it is actually configured. + // + // You can filter output with the resource and mask query parameters. + // See :ref:`/config_dump?resource={} `, + // :ref:`/config_dump?mask={} `, + // or :ref:`/config_dump?resource={},mask={} + // ` for more information. + repeated google.protobuf.Any configs = 1; +} + +// This message describes the bootstrap configuration that Envoy was started with. This includes +// any CLI overrides that were merged. Bootstrap configuration information can be used to recreate +// the static portions of an Envoy configuration by reusing the output as the bootstrap +// configuration for another Envoy. +message BootstrapConfigDump { + option (udpa.annotations.versioning).previous_message_type = + "envoy.admin.v2alpha.BootstrapConfigDump"; + + config.bootstrap.v3.Bootstrap bootstrap = 1; + + // The timestamp when the BootstrapConfig was last updated. + google.protobuf.Timestamp last_updated = 2; +} + +// Envoys SDS implementation fills this message with all secrets fetched dynamically via SDS. +message SecretsConfigDump { + option (udpa.annotations.versioning).previous_message_type = + "envoy.admin.v2alpha.SecretsConfigDump"; + + // DynamicSecret contains secret information fetched via SDS. + // [#next-free-field: 7] + message DynamicSecret { + option (udpa.annotations.versioning).previous_message_type = + "envoy.admin.v2alpha.SecretsConfigDump.DynamicSecret"; + + // The name assigned to the secret. + string name = 1; + + // This is the per-resource version information. + string version_info = 2; + + // The timestamp when the secret was last updated. + google.protobuf.Timestamp last_updated = 3; + + // The actual secret information. + // Security sensitive information is redacted (replaced with "[redacted]") for + // private keys and passwords in TLS certificates. + google.protobuf.Any secret = 4; + + // Set if the last update failed, cleared after the next successful update. + // The *error_state* field contains the rejected version of this particular + // resource along with the reason and timestamp. For successfully updated or + // acknowledged resource, this field should be empty. + // [#not-implemented-hide:] + UpdateFailureState error_state = 5; + + // The client status of this resource. + // [#not-implemented-hide:] + ClientResourceStatus client_status = 6; + } + + // StaticSecret specifies statically loaded secret in bootstrap. + message StaticSecret { + option (udpa.annotations.versioning).previous_message_type = + "envoy.admin.v2alpha.SecretsConfigDump.StaticSecret"; + + // The name assigned to the secret. + string name = 1; + + // The timestamp when the secret was last updated. + google.protobuf.Timestamp last_updated = 2; + + // The actual secret information. + // Security sensitive information is redacted (replaced with "[redacted]") for + // private keys and passwords in TLS certificates. + google.protobuf.Any secret = 3; + } + + // The statically loaded secrets. + repeated StaticSecret static_secrets = 1; + + // The dynamically loaded active secrets. These are secrets that are available to service + // clusters or listeners. + repeated DynamicSecret dynamic_active_secrets = 2; + + // The dynamically loaded warming secrets. These are secrets that are currently undergoing + // warming in preparation to service clusters or listeners. + repeated DynamicSecret dynamic_warming_secrets = 3; +} diff --git a/grpc-xds/proto/third_party/envoy/envoy/admin/v3/config_dump_shared.proto b/grpc-xds/proto/third_party/envoy/envoy/admin/v3/config_dump_shared.proto new file mode 100644 index 000000000..b34e004d9 --- /dev/null +++ b/grpc-xds/proto/third_party/envoy/envoy/admin/v3/config_dump_shared.proto @@ -0,0 +1,420 @@ +syntax = "proto3"; + +package envoy.admin.v3; + +import "google/protobuf/any.proto"; +import "google/protobuf/timestamp.proto"; + +import "udpa/annotations/status.proto"; +import "udpa/annotations/versioning.proto"; + +option java_package = "io.envoyproxy.envoy.admin.v3"; +option java_outer_classname = "ConfigDumpSharedProto"; +option java_multiple_files = true; +option go_package = "github.com/envoyproxy/go-control-plane/envoy/admin/v3;adminv3"; +option (udpa.annotations.file_status).package_version_status = ACTIVE; + +// [#protodoc-title: ConfigDump] + +// Resource status from the view of a xDS client, which tells the synchronization +// status between the xDS client and the xDS server. +enum ClientResourceStatus { + // Resource status is not available/unknown. + UNKNOWN = 0; + + // Client requested this resource but hasn't received any update from management + // server. The client will not fail requests, but will queue them until update + // arrives or the client times out waiting for the resource. + REQUESTED = 1; + + // This resource has been requested by the client but has either not been + // delivered by the server or was previously delivered by the server and then + // subsequently removed from resources provided by the server. For more + // information, please refer to the :ref:`"Knowing When a Requested Resource + // Does Not Exist" ` section. + DOES_NOT_EXIST = 2; + + // Client received this resource and replied with ACK. + ACKED = 3; + + // Client received this resource and replied with NACK. + NACKED = 4; + + // Client received an error from the control plane. The attached config + // dump is the most recent accepted one. If no config is accepted yet, + // the attached config dump will be empty. + RECEIVED_ERROR = 5; + + // Client timed out waiting for the resource from the control plane. + TIMEOUT = 6; +} + +message UpdateFailureState { + option (udpa.annotations.versioning).previous_message_type = + "envoy.admin.v2alpha.UpdateFailureState"; + + // What the component configuration would have been if the update had succeeded. + // This field may not be populated by xDS clients due to storage overhead. + google.protobuf.Any failed_configuration = 1; + + // Time of the latest failed update attempt. + google.protobuf.Timestamp last_update_attempt = 2; + + // Details about the last failed update attempt. + string details = 3; + + // This is the version of the rejected resource. + // [#not-implemented-hide:] + string version_info = 4; +} + +// Envoy's listener manager fills this message with all currently known listeners. Listener +// configuration information can be used to recreate an Envoy configuration by populating all +// listeners as static listeners or by returning them in a LDS response. +message ListenersConfigDump { + option (udpa.annotations.versioning).previous_message_type = + "envoy.admin.v2alpha.ListenersConfigDump"; + + // Describes a statically loaded listener. + message StaticListener { + option (udpa.annotations.versioning).previous_message_type = + "envoy.admin.v2alpha.ListenersConfigDump.StaticListener"; + + // The listener config. + google.protobuf.Any listener = 1; + + // The timestamp when the Listener was last successfully updated. + google.protobuf.Timestamp last_updated = 2; + } + + message DynamicListenerState { + option (udpa.annotations.versioning).previous_message_type = + "envoy.admin.v2alpha.ListenersConfigDump.DynamicListenerState"; + + // This is the per-resource version information. This version is currently taken from the + // :ref:`version_info ` field at the time + // that the listener was loaded. In the future, discrete per-listener versions may be supported + // by the API. + string version_info = 1; + + // The listener config. + google.protobuf.Any listener = 2; + + // The timestamp when the Listener was last successfully updated. + google.protobuf.Timestamp last_updated = 3; + } + + // Describes a dynamically loaded listener via the LDS API. + // [#next-free-field: 7] + message DynamicListener { + option (udpa.annotations.versioning).previous_message_type = + "envoy.admin.v2alpha.ListenersConfigDump.DynamicListener"; + + // The name or unique id of this listener, pulled from the DynamicListenerState config. + string name = 1; + + // The listener state for any active listener by this name. + // These are listeners that are available to service data plane traffic. + DynamicListenerState active_state = 2; + + // The listener state for any warming listener by this name. + // These are listeners that are currently undergoing warming in preparation to service data + // plane traffic. Note that if attempting to recreate an Envoy configuration from a + // configuration dump, the warming listeners should generally be discarded. + DynamicListenerState warming_state = 3; + + // The listener state for any draining listener by this name. + // These are listeners that are currently undergoing draining in preparation to stop servicing + // data plane traffic. Note that if attempting to recreate an Envoy configuration from a + // configuration dump, the draining listeners should generally be discarded. + DynamicListenerState draining_state = 4; + + // Set if the last update failed, cleared after the next successful update. + // The ``error_state`` field contains the rejected version of this particular + // resource along with the reason and timestamp. For successfully updated or + // acknowledged resource, this field should be empty. + UpdateFailureState error_state = 5; + + // The client status of this resource. + // [#not-implemented-hide:] + ClientResourceStatus client_status = 6; + } + + // This is the :ref:`version_info ` in the + // last processed LDS discovery response. If there are only static bootstrap listeners, this field + // will be "". + string version_info = 1; + + // The statically loaded listener configs. + repeated StaticListener static_listeners = 2; + + // State for any warming, active, or draining listeners. + repeated DynamicListener dynamic_listeners = 3; +} + +// Envoy's cluster manager fills this message with all currently known clusters. Cluster +// configuration information can be used to recreate an Envoy configuration by populating all +// clusters as static clusters or by returning them in a CDS response. +message ClustersConfigDump { + option (udpa.annotations.versioning).previous_message_type = + "envoy.admin.v2alpha.ClustersConfigDump"; + + // Describes a statically loaded cluster. + message StaticCluster { + option (udpa.annotations.versioning).previous_message_type = + "envoy.admin.v2alpha.ClustersConfigDump.StaticCluster"; + + // The cluster config. + google.protobuf.Any cluster = 1; + + // The timestamp when the Cluster was last updated. + google.protobuf.Timestamp last_updated = 2; + } + + // Describes a dynamically loaded cluster via the CDS API. + // [#next-free-field: 6] + message DynamicCluster { + option (udpa.annotations.versioning).previous_message_type = + "envoy.admin.v2alpha.ClustersConfigDump.DynamicCluster"; + + // This is the per-resource version information. This version is currently taken from the + // :ref:`version_info ` field at the time + // that the cluster was loaded. In the future, discrete per-cluster versions may be supported by + // the API. + string version_info = 1; + + // The cluster config. + google.protobuf.Any cluster = 2; + + // The timestamp when the Cluster was last updated. + google.protobuf.Timestamp last_updated = 3; + + // Set if the last update failed, cleared after the next successful update. + // The ``error_state`` field contains the rejected version of this particular + // resource along with the reason and timestamp. For successfully updated or + // acknowledged resource, this field should be empty. + // [#not-implemented-hide:] + UpdateFailureState error_state = 4; + + // The client status of this resource. + // [#not-implemented-hide:] + ClientResourceStatus client_status = 5; + } + + // This is the :ref:`version_info ` in the + // last processed CDS discovery response. If there are only static bootstrap clusters, this field + // will be "". + string version_info = 1; + + // The statically loaded cluster configs. + repeated StaticCluster static_clusters = 2; + + // The dynamically loaded active clusters. These are clusters that are available to service + // data plane traffic. + repeated DynamicCluster dynamic_active_clusters = 3; + + // The dynamically loaded warming clusters. These are clusters that are currently undergoing + // warming in preparation to service data plane traffic. Note that if attempting to recreate an + // Envoy configuration from a configuration dump, the warming clusters should generally be + // discarded. + repeated DynamicCluster dynamic_warming_clusters = 4; +} + +// Envoy's RDS implementation fills this message with all currently loaded routes, as described by +// their RouteConfiguration objects. Static routes that are either defined in the bootstrap configuration +// or defined inline while configuring listeners are separated from those configured dynamically via RDS. +// Route configuration information can be used to recreate an Envoy configuration by populating all routes +// as static routes or by returning them in RDS responses. +message RoutesConfigDump { + option (udpa.annotations.versioning).previous_message_type = + "envoy.admin.v2alpha.RoutesConfigDump"; + + message StaticRouteConfig { + option (udpa.annotations.versioning).previous_message_type = + "envoy.admin.v2alpha.RoutesConfigDump.StaticRouteConfig"; + + // The route config. + google.protobuf.Any route_config = 1; + + // The timestamp when the Route was last updated. + google.protobuf.Timestamp last_updated = 2; + } + + // [#next-free-field: 6] + message DynamicRouteConfig { + option (udpa.annotations.versioning).previous_message_type = + "envoy.admin.v2alpha.RoutesConfigDump.DynamicRouteConfig"; + + // This is the per-resource version information. This version is currently taken from the + // :ref:`version_info ` field at the time that + // the route configuration was loaded. + string version_info = 1; + + // The route config. + google.protobuf.Any route_config = 2; + + // The timestamp when the Route was last updated. + google.protobuf.Timestamp last_updated = 3; + + // Set if the last update failed, cleared after the next successful update. + // The ``error_state`` field contains the rejected version of this particular + // resource along with the reason and timestamp. For successfully updated or + // acknowledged resource, this field should be empty. + // [#not-implemented-hide:] + UpdateFailureState error_state = 4; + + // The client status of this resource. + // [#not-implemented-hide:] + ClientResourceStatus client_status = 5; + } + + // The statically loaded route configs. + repeated StaticRouteConfig static_route_configs = 2; + + // The dynamically loaded route configs. + repeated DynamicRouteConfig dynamic_route_configs = 3; +} + +// Envoy's scoped RDS implementation fills this message with all currently loaded route +// configuration scopes (defined via ScopedRouteConfigurationsSet protos). This message lists both +// the scopes defined inline with the higher order object (i.e., the HttpConnectionManager) and the +// dynamically obtained scopes via the SRDS API. +message ScopedRoutesConfigDump { + option (udpa.annotations.versioning).previous_message_type = + "envoy.admin.v2alpha.ScopedRoutesConfigDump"; + + message InlineScopedRouteConfigs { + option (udpa.annotations.versioning).previous_message_type = + "envoy.admin.v2alpha.ScopedRoutesConfigDump.InlineScopedRouteConfigs"; + + // The name assigned to the scoped route configurations. + string name = 1; + + // The scoped route configurations. + repeated google.protobuf.Any scoped_route_configs = 2; + + // The timestamp when the scoped route config set was last updated. + google.protobuf.Timestamp last_updated = 3; + } + + // [#next-free-field: 7] + message DynamicScopedRouteConfigs { + option (udpa.annotations.versioning).previous_message_type = + "envoy.admin.v2alpha.ScopedRoutesConfigDump.DynamicScopedRouteConfigs"; + + // The name assigned to the scoped route configurations. + string name = 1; + + // This is the per-resource version information. This version is currently taken from the + // :ref:`version_info ` field at the time that + // the scoped routes configuration was loaded. + string version_info = 2; + + // The scoped route configurations. + repeated google.protobuf.Any scoped_route_configs = 3; + + // The timestamp when the scoped route config set was last updated. + google.protobuf.Timestamp last_updated = 4; + + // Set if the last update failed, cleared after the next successful update. + // The ``error_state`` field contains the rejected version of this particular + // resource along with the reason and timestamp. For successfully updated or + // acknowledged resource, this field should be empty. + // [#not-implemented-hide:] + UpdateFailureState error_state = 5; + + // The client status of this resource. + // [#not-implemented-hide:] + ClientResourceStatus client_status = 6; + } + + // The statically loaded scoped route configs. + repeated InlineScopedRouteConfigs inline_scoped_route_configs = 1; + + // The dynamically loaded scoped route configs. + repeated DynamicScopedRouteConfigs dynamic_scoped_route_configs = 2; +} + +// Envoy's admin fill this message with all currently known endpoints. Endpoint +// configuration information can be used to recreate an Envoy configuration by populating all +// endpoints as static endpoints or by returning them in an EDS response. +message EndpointsConfigDump { + message StaticEndpointConfig { + // The endpoint config. + google.protobuf.Any endpoint_config = 1; + + // [#not-implemented-hide:] The timestamp when the Endpoint was last updated. + google.protobuf.Timestamp last_updated = 2; + } + + // [#next-free-field: 6] + message DynamicEndpointConfig { + // [#not-implemented-hide:] This is the per-resource version information. This version is currently taken from the + // :ref:`version_info ` field at the time that + // the endpoint configuration was loaded. + string version_info = 1; + + // The endpoint config. + google.protobuf.Any endpoint_config = 2; + + // [#not-implemented-hide:] The timestamp when the Endpoint was last updated. + google.protobuf.Timestamp last_updated = 3; + + // Set if the last update failed, cleared after the next successful update. + // The ``error_state`` field contains the rejected version of this particular + // resource along with the reason and timestamp. For successfully updated or + // acknowledged resource, this field should be empty. + // [#not-implemented-hide:] + UpdateFailureState error_state = 4; + + // The client status of this resource. + // [#not-implemented-hide:] + ClientResourceStatus client_status = 5; + } + + // The statically loaded endpoint configs. + repeated StaticEndpointConfig static_endpoint_configs = 2; + + // The dynamically loaded endpoint configs. + repeated DynamicEndpointConfig dynamic_endpoint_configs = 3; +} + +// Envoy's ECDS service fills this message with all currently extension +// configuration. Extension configuration information can be used to recreate +// an Envoy ECDS listener and HTTP filters as static filters or by returning +// them in ECDS response. +message EcdsConfigDump { + option (udpa.annotations.versioning).previous_message_type = "envoy.admin.v2alpha.EcdsConfigDump"; + + // [#next-free-field: 6] + message EcdsFilterConfig { + option (udpa.annotations.versioning).previous_message_type = + "envoy.admin.v2alpha.EcdsConfigDump.EcdsFilterConfig"; + + // This is the per-resource version information. This version is currently + // taken from the :ref:`version_info + // ` + // field at the time that the ECDS filter was loaded. + string version_info = 1; + + // The ECDS filter config. + google.protobuf.Any ecds_filter = 2; + + // The timestamp when the ECDS filter was last updated. + google.protobuf.Timestamp last_updated = 3; + + // Set if the last update failed, cleared after the next successful update. + // The ``error_state`` field contains the rejected version of this + // particular resource along with the reason and timestamp. For successfully + // updated or acknowledged resource, this field should be empty. + // [#not-implemented-hide:] + UpdateFailureState error_state = 4; + + // The client status of this resource. + // [#not-implemented-hide:] + ClientResourceStatus client_status = 5; + } + + // The ECDS filter configs. + repeated EcdsFilterConfig ecds_filters = 1; +} diff --git a/grpc-xds/proto/third_party/envoy/envoy/annotations/deprecation.proto b/grpc-xds/proto/third_party/envoy/envoy/annotations/deprecation.proto new file mode 100644 index 000000000..c9a96f1ae --- /dev/null +++ b/grpc-xds/proto/third_party/envoy/envoy/annotations/deprecation.proto @@ -0,0 +1,34 @@ +syntax = "proto3"; + +package envoy.annotations; +option go_package = "github.com/envoyproxy/go-control-plane/envoy/annotations"; + +import "google/protobuf/descriptor.proto"; + +// [#protodoc-title: Deprecation] +// Adds annotations for deprecated fields and enums to allow tagging proto +// fields as fatal by default and the minor version on which the field was +// deprecated. One Envoy release after deprecation, deprecated fields will be +// disallowed by default, a state which is reversible with +// :ref:`runtime overrides `. + +// Magic number in this file derived from top 28bit of SHA256 digest of +// "envoy.annotation.disallowed_by_default" and "envoy.annotation.deprecated_at_minor_version" +extend google.protobuf.FieldOptions { + bool disallowed_by_default = 189503207; + + // The API major and minor version on which the field was deprecated + // (e.g., "3.5" for major version 3 and minor version 5). + string deprecated_at_minor_version = 157299826; +} + +// Magic number in this file derived from top 28bit of SHA256 digest of +// "envoy.annotation.disallowed_by_default_enum" and +// "envoy.annotation.deprecated_at_minor_version_eum" +extend google.protobuf.EnumValueOptions { + bool disallowed_by_default_enum = 70100853; + + // The API major and minor version on which the enum value was deprecated + // (e.g., "3.5" for major version 3 and minor version 5). + string deprecated_at_minor_version_enum = 181198657; +} diff --git a/grpc-xds/proto/third_party/envoy/envoy/config/accesslog/v3/accesslog.proto b/grpc-xds/proto/third_party/envoy/envoy/config/accesslog/v3/accesslog.proto new file mode 100644 index 000000000..f273f2e69 --- /dev/null +++ b/grpc-xds/proto/third_party/envoy/envoy/config/accesslog/v3/accesslog.proto @@ -0,0 +1,355 @@ +syntax = "proto3"; + +package envoy.config.accesslog.v3; + +import "envoy/config/core/v3/base.proto"; +import "envoy/config/route/v3/route_components.proto"; +import "envoy/data/accesslog/v3/accesslog.proto"; +import "envoy/type/matcher/v3/metadata.proto"; +import "envoy/type/v3/percent.proto"; + +import "google/protobuf/any.proto"; +import "google/protobuf/wrappers.proto"; + +import "udpa/annotations/status.proto"; +import "udpa/annotations/versioning.proto"; +import "validate/validate.proto"; + +option java_package = "io.envoyproxy.envoy.config.accesslog.v3"; +option java_outer_classname = "AccesslogProto"; +option java_multiple_files = true; +option go_package = "github.com/envoyproxy/go-control-plane/envoy/config/accesslog/v3;accesslogv3"; +option (udpa.annotations.file_status).package_version_status = ACTIVE; + +// [#protodoc-title: Common access log types] + +message AccessLog { + option (udpa.annotations.versioning).previous_message_type = + "envoy.config.filter.accesslog.v2.AccessLog"; + + reserved 3; + + reserved "config"; + + // The name of the access log extension configuration. + string name = 1; + + // Filter which is used to determine if the access log needs to be written. + AccessLogFilter filter = 2; + + // Custom configuration that must be set according to the access logger extension being instantiated. + // [#extension-category: envoy.access_loggers] + oneof config_type { + google.protobuf.Any typed_config = 4; + } +} + +// [#next-free-field: 14] +message AccessLogFilter { + option (udpa.annotations.versioning).previous_message_type = + "envoy.config.filter.accesslog.v2.AccessLogFilter"; + + oneof filter_specifier { + option (validate.required) = true; + + // Status code filter. + StatusCodeFilter status_code_filter = 1; + + // Duration filter. + DurationFilter duration_filter = 2; + + // Not health check filter. + NotHealthCheckFilter not_health_check_filter = 3; + + // Traceable filter. + TraceableFilter traceable_filter = 4; + + // Runtime filter. + RuntimeFilter runtime_filter = 5; + + // And filter. + AndFilter and_filter = 6; + + // Or filter. + OrFilter or_filter = 7; + + // Header filter. + HeaderFilter header_filter = 8; + + // Response flag filter. + ResponseFlagFilter response_flag_filter = 9; + + // gRPC status filter. + GrpcStatusFilter grpc_status_filter = 10; + + // Extension filter. + // [#extension-category: envoy.access_loggers.extension_filters] + ExtensionFilter extension_filter = 11; + + // Metadata Filter + MetadataFilter metadata_filter = 12; + + // Log Type Filter + LogTypeFilter log_type_filter = 13; + } +} + +// Filter on an integer comparison. +message ComparisonFilter { + option (udpa.annotations.versioning).previous_message_type = + "envoy.config.filter.accesslog.v2.ComparisonFilter"; + + enum Op { + // = + EQ = 0; + + // >= + GE = 1; + + // <= + LE = 2; + + // != + NE = 3; + } + + // Comparison operator. + Op op = 1 [(validate.rules).enum = {defined_only: true}]; + + // Value to compare against. + core.v3.RuntimeUInt32 value = 2 [(validate.rules).message = {required: true}]; +} + +// Filters on HTTP response/status code. +message StatusCodeFilter { + option (udpa.annotations.versioning).previous_message_type = + "envoy.config.filter.accesslog.v2.StatusCodeFilter"; + + // Comparison. + ComparisonFilter comparison = 1 [(validate.rules).message = {required: true}]; +} + +// Filters based on the duration of the request or stream, in milliseconds. +// For end of stream access logs, the total duration of the stream will be used. +// For :ref:`periodic access logs`, +// the duration of the stream at the time of log recording will be used. +message DurationFilter { + option (udpa.annotations.versioning).previous_message_type = + "envoy.config.filter.accesslog.v2.DurationFilter"; + + // Comparison. + ComparisonFilter comparison = 1 [(validate.rules).message = {required: true}]; +} + +// Filters for requests that are not health check requests. A health check +// request is marked by the health check filter. +message NotHealthCheckFilter { + option (udpa.annotations.versioning).previous_message_type = + "envoy.config.filter.accesslog.v2.NotHealthCheckFilter"; +} + +// Filters for requests that are traceable. See the tracing overview for more +// information on how a request becomes traceable. +message TraceableFilter { + option (udpa.annotations.versioning).previous_message_type = + "envoy.config.filter.accesslog.v2.TraceableFilter"; +} + +// Filters requests based on runtime-configurable sampling rates. +message RuntimeFilter { + option (udpa.annotations.versioning).previous_message_type = + "envoy.config.filter.accesslog.v2.RuntimeFilter"; + + // Specifies a key used to look up a custom sampling rate from the runtime configuration. If a value is found for this + // key, it will override the default sampling rate specified in ``percent_sampled``. + string runtime_key = 1 [(validate.rules).string = {min_len: 1}]; + + // Defines the default sampling percentage when no runtime override is present. If not specified, the default is + // **0%** (with a denominator of 100). + type.v3.FractionalPercent percent_sampled = 2; + + // Controls how sampling decisions are made. + // + // - Default behavior (``false``): + // + // * Uses the :ref:`x-request-id` as a consistent sampling pivot. + // * When :ref:`x-request-id` is present, sampling will be consistent + // across multiple hosts based on both the ``runtime_key`` and + // :ref:`x-request-id`. + // * Useful for tracking related requests across a distributed system. + // + // - When set to ``true`` or :ref:`x-request-id` is missing: + // + // * Sampling decisions are made randomly based only on the ``runtime_key``. + // * Useful in complex filter configurations (like nested + // :ref:`AndFilter`/ + // :ref:`OrFilter` blocks) where independent probability + // calculations are desired. + // * Can be used to implement logging kill switches with predictable probability distributions. + // + bool use_independent_randomness = 3; +} + +// Performs a logical “and” operation on the result of each filter in filters. +// Filters are evaluated sequentially and if one of them returns false, the +// filter returns false immediately. +message AndFilter { + option (udpa.annotations.versioning).previous_message_type = + "envoy.config.filter.accesslog.v2.AndFilter"; + + repeated AccessLogFilter filters = 1 [(validate.rules).repeated = {min_items: 2}]; +} + +// Performs a logical “or” operation on the result of each individual filter. +// Filters are evaluated sequentially and if one of them returns true, the +// filter returns true immediately. +message OrFilter { + option (udpa.annotations.versioning).previous_message_type = + "envoy.config.filter.accesslog.v2.OrFilter"; + + repeated AccessLogFilter filters = 2 [(validate.rules).repeated = {min_items: 2}]; +} + +// Filters requests based on the presence or value of a request header. +message HeaderFilter { + option (udpa.annotations.versioning).previous_message_type = + "envoy.config.filter.accesslog.v2.HeaderFilter"; + + // Only requests with a header which matches the specified HeaderMatcher will + // pass the filter check. + route.v3.HeaderMatcher header = 1 [(validate.rules).message = {required: true}]; +} + +// Filters requests that received responses with an Envoy response flag set. +// A list of the response flags can be found +// in the access log formatter +// :ref:`documentation`. +message ResponseFlagFilter { + option (udpa.annotations.versioning).previous_message_type = + "envoy.config.filter.accesslog.v2.ResponseFlagFilter"; + + // Only responses with the any of the flags listed in this field will be + // logged. This field is optional. If it is not specified, then any response + // flag will pass the filter check. + repeated string flags = 1 [(validate.rules).repeated = { + items { + string { + in: "LH" + in: "UH" + in: "UT" + in: "LR" + in: "UR" + in: "UF" + in: "UC" + in: "UO" + in: "NR" + in: "DI" + in: "FI" + in: "RL" + in: "UAEX" + in: "RLSE" + in: "DC" + in: "URX" + in: "SI" + in: "IH" + in: "DPE" + in: "UMSDR" + in: "RFCF" + in: "NFCF" + in: "DT" + in: "UPE" + in: "NC" + in: "OM" + in: "DF" + in: "DO" + in: "DR" + in: "UDO" + } + } + }]; +} + +// Filters gRPC requests based on their response status. If a gRPC status is not +// provided, the filter will infer the status from the HTTP status code. +message GrpcStatusFilter { + option (udpa.annotations.versioning).previous_message_type = + "envoy.config.filter.accesslog.v2.GrpcStatusFilter"; + + enum Status { + OK = 0; + CANCELED = 1; + UNKNOWN = 2; + INVALID_ARGUMENT = 3; + DEADLINE_EXCEEDED = 4; + NOT_FOUND = 5; + ALREADY_EXISTS = 6; + PERMISSION_DENIED = 7; + RESOURCE_EXHAUSTED = 8; + FAILED_PRECONDITION = 9; + ABORTED = 10; + OUT_OF_RANGE = 11; + UNIMPLEMENTED = 12; + INTERNAL = 13; + UNAVAILABLE = 14; + DATA_LOSS = 15; + UNAUTHENTICATED = 16; + } + + // Logs only responses that have any one of the gRPC statuses in this field. + repeated Status statuses = 1 [(validate.rules).repeated = {items {enum {defined_only: true}}}]; + + // If included and set to true, the filter will instead block all responses + // with a gRPC status or inferred gRPC status enumerated in statuses, and + // allow all other responses. + bool exclude = 2; +} + +// Filters based on matching dynamic metadata. +// If the matcher path and key correspond to an existing key in dynamic +// metadata, the request is logged only if the matcher value is equal to the +// metadata value. If the matcher path and key *do not* correspond to an +// existing key in dynamic metadata, the request is logged only if +// match_if_key_not_found is "true" or unset. +message MetadataFilter { + option (udpa.annotations.versioning).previous_message_type = + "envoy.config.filter.accesslog.v2.MetadataFilter"; + + // Matcher to check metadata for specified value. For example, to match on the + // access_log_hint metadata, set the filter to "envoy.common" and the path to + // "access_log_hint", and the value to "true". + type.matcher.v3.MetadataMatcher matcher = 1; + + // Default result if the key does not exist in dynamic metadata: if unset or + // true, then log; if false, then don't log. + google.protobuf.BoolValue match_if_key_not_found = 2; +} + +// Filters based on access log type. +message LogTypeFilter { + // Logs only records which their type is one of the types defined in this field. + repeated data.accesslog.v3.AccessLogType types = 1 + [(validate.rules).repeated = {items {enum {defined_only: true}}}]; + + // If this field is set to true, the filter will instead block all records + // with a access log type in types field, and allow all other records. + bool exclude = 2; +} + +// Extension filter is statically registered at runtime. +message ExtensionFilter { + option (udpa.annotations.versioning).previous_message_type = + "envoy.config.filter.accesslog.v2.ExtensionFilter"; + + reserved 2; + + reserved "config"; + + // The name of the filter implementation to instantiate. The name must + // match a statically registered filter. + string name = 1; + + // Custom configuration that depends on the filter being instantiated. + oneof config_type { + google.protobuf.Any typed_config = 3; + } +} diff --git a/grpc-xds/proto/third_party/envoy/envoy/config/bootstrap/v3/bootstrap.proto b/grpc-xds/proto/third_party/envoy/envoy/config/bootstrap/v3/bootstrap.proto new file mode 100644 index 000000000..7b862c102 --- /dev/null +++ b/grpc-xds/proto/third_party/envoy/envoy/config/bootstrap/v3/bootstrap.proto @@ -0,0 +1,786 @@ +syntax = "proto3"; + +package envoy.config.bootstrap.v3; + +import "envoy/config/accesslog/v3/accesslog.proto"; +import "envoy/config/cluster/v3/cluster.proto"; +import "envoy/config/core/v3/address.proto"; +import "envoy/config/core/v3/base.proto"; +import "envoy/config/core/v3/config_source.proto"; +import "envoy/config/core/v3/event_service_config.proto"; +import "envoy/config/core/v3/extension.proto"; +import "envoy/config/core/v3/resolver.proto"; +import "envoy/config/core/v3/socket_option.proto"; +import "envoy/config/listener/v3/listener.proto"; +import "envoy/config/metrics/v3/stats.proto"; +import "envoy/config/overload/v3/overload.proto"; +import "envoy/config/trace/v3/http_tracer.proto"; +import "envoy/extensions/transport_sockets/tls/v3/secret.proto"; +import "envoy/type/matcher/v3/string.proto"; +import "envoy/type/v3/percent.proto"; + +import "google/protobuf/duration.proto"; +import "google/protobuf/struct.proto"; +import "google/protobuf/wrappers.proto"; + +import "envoy/annotations/deprecation.proto"; +import "udpa/annotations/migrate.proto"; +import "udpa/annotations/security.proto"; +import "udpa/annotations/status.proto"; +import "udpa/annotations/versioning.proto"; +import "validate/validate.proto"; + +option java_package = "io.envoyproxy.envoy.config.bootstrap.v3"; +option java_outer_classname = "BootstrapProto"; +option java_multiple_files = true; +option go_package = "github.com/envoyproxy/go-control-plane/envoy/config/bootstrap/v3;bootstrapv3"; +option (udpa.annotations.file_status).package_version_status = ACTIVE; + +// [#protodoc-title: Bootstrap] +// This proto is supplied via the :option:`-c` CLI flag and acts as the root +// of the Envoy v3 configuration. See the :ref:`v3 configuration overview +// ` for more detail. + +// Bootstrap :ref:`configuration overview `. +// [#next-free-field: 43] +message Bootstrap { + option (udpa.annotations.versioning).previous_message_type = + "envoy.config.bootstrap.v2.Bootstrap"; + + message StaticResources { + option (udpa.annotations.versioning).previous_message_type = + "envoy.config.bootstrap.v2.Bootstrap.StaticResources"; + + // Static :ref:`Listeners `. These listeners are + // available regardless of LDS configuration. + repeated listener.v3.Listener listeners = 1; + + // If a network based configuration source is specified for :ref:`cds_config + // `, it's necessary + // to have some initial cluster definitions available to allow Envoy to know + // how to speak to the management server. + repeated cluster.v3.Cluster clusters = 2; + + // These static secrets can be used by :ref:`SdsSecretConfig + // ` + repeated envoy.extensions.transport_sockets.tls.v3.Secret secrets = 3; + } + + // [#next-free-field: 7] + message DynamicResources { + option (udpa.annotations.versioning).previous_message_type = + "envoy.config.bootstrap.v2.Bootstrap.DynamicResources"; + + reserved 4; + + // All :ref:`Listeners ` are provided by a single + // :ref:`LDS ` configuration source. + core.v3.ConfigSource lds_config = 1; + + // ``xdstp://`` resource locator for listener collection. + // [#not-implemented-hide:] + string lds_resources_locator = 5; + + // All post-bootstrap :ref:`Cluster ` definitions are + // provided by a single :ref:`CDS ` + // configuration source. + core.v3.ConfigSource cds_config = 2; + + // ``xdstp://`` resource locator for cluster collection. + // [#not-implemented-hide:] + string cds_resources_locator = 6; + + // A single :ref:`ADS ` source may be optionally + // specified. This must have :ref:`api_type + // ` :ref:`GRPC + // `. Only + // :ref:`ConfigSources ` that have + // the :ref:`ads ` field set will be + // streamed on the ADS channel. + core.v3.ApiConfigSource ads_config = 3; + } + + message ApplicationLogConfig { + message LogFormat { + oneof log_format { + option (validate.required) = true; + + // Flush application logs in JSON format. The configured JSON struct can + // support all the format flags specified in the :option:`--log-format` + // command line options section, except for the ``%v`` and ``%_`` flags. + google.protobuf.Struct json_format = 1; + + // Flush application log in a format defined by a string. The text format + // can support all the format flags specified in the :option:`--log-format` + // command line option section. + string text_format = 2; + } + } + + // Optional field to set the application logs format. If this field is set, it will override + // the default log format. Setting both this field and :option:`--log-format` command line + // option is not allowed, and will cause a bootstrap error. + LogFormat log_format = 1; + } + + message DeferredStatOptions { + // When the flag is enabled, Envoy will lazily initialize a subset of the stats (see below). + // This will save memory and CPU cycles when creating the objects that own these stats, if those + // stats are never referenced throughout the lifetime of the process. However, it will incur additional + // memory overhead for these objects, and a small increase of CPU usage when at least one of the stats + // is updated for the first time. + // + // Groups of stats that will be lazily initialized: + // + // - Cluster traffic stats: a subgroup of the :ref:`cluster statistics ` + // that are used when requests are routed to the cluster. + bool enable_deferred_creation_stats = 1; + } + + message GrpcAsyncClientManagerConfig { + // Optional field to set the expiration time for the cached gRPC client object. + // The minimal value is ``5s`` and the default is ``50s``. + google.protobuf.Duration max_cached_entry_idle_duration = 1 + [(validate.rules).duration = {gte {seconds: 5}}]; + } + + reserved 10, 11; + + reserved "runtime"; + + // Node identity to present to the management server and for instance + // identification purposes (e.g. in generated headers). + core.v3.Node node = 1; + + // A list of :ref:`Node ` field names + // that will be included in the context parameters of the effective + // ``xdstp://`` URL that is sent in a discovery request when resource + // locators are used for LDS/CDS. Any non-string field will have its JSON + // encoding set as the context parameter value, with the exception of + // metadata, which will be flattened (see example below). The supported field + // names are: + // - ``cluster`` + // - ``id`` + // - ``locality.region`` + // - ``locality.sub_zone`` + // - ``locality.zone`` + // - ``metadata`` + // - ``user_agent_build_version.metadata`` + // - ``user_agent_build_version.version`` + // - ``user_agent_name`` + // - ``user_agent_version`` + // + // The node context parameters act as a base layer dictionary for the context + // parameters (i.e. more specific resource specific context parameters will + // override). Field names will be prefixed with ````"udpa.node."```` when included in + // context parameters. + // + // For example, if node_context_params is ``["user_agent_name", "metadata"]``, + // the implied context parameters might be:: + // + // node.user_agent_name: "envoy" + // node.metadata.foo: "{\"bar\": \"baz\"}" + // node.metadata.some: "42" + // node.metadata.thing: "\"thing\"" + // + // [#not-implemented-hide:] + repeated string node_context_params = 26; + + // Statically specified resources. + StaticResources static_resources = 2; + + // xDS configuration sources. + DynamicResources dynamic_resources = 3; + + // Configuration for the cluster manager which owns all upstream clusters + // within the server. + ClusterManager cluster_manager = 4; + + // Health discovery service config option. + // (:ref:`core.ApiConfigSource `) + core.v3.ApiConfigSource hds_config = 14; + + // Optional file system path to search for startup flag files. + string flags_path = 5; + + // Optional set of stats sinks. + repeated metrics.v3.StatsSink stats_sinks = 6; + + // Options to control behaviors of deferred creation compatible stats. + DeferredStatOptions deferred_stat_options = 39; + + // Configuration for internal processing of stats. + metrics.v3.StatsConfig stats_config = 13; + + // Optional duration between flushes to configured stats sinks. For + // performance reasons Envoy latches counters and only flushes counters and + // gauges at a periodic interval. If not specified the default is ``5000ms`` (``5`` seconds). + // Only one of ``stats_flush_interval`` or ``stats_flush_on_admin`` + // can be set. + // Duration must be at least ``1ms`` and at most ``5 min``. + google.protobuf.Duration stats_flush_interval = 7 [ + (validate.rules).duration = { + lt {seconds: 300} + gte {nanos: 1000000} + }, + (udpa.annotations.field_migrate).oneof_promotion = "stats_flush" + ]; + + oneof stats_flush { + // Flush stats to sinks only when queried for on the admin interface. If set, + // a flush timer is not created. Only one of ``stats_flush_on_admin`` or + // ``stats_flush_interval`` can be set. + bool stats_flush_on_admin = 29 [(validate.rules).bool = {const: true}]; + } + + oneof stats_eviction { + // Optional duration to perform metric eviction. At every interval, during the stats flush + // the unused metrics are removed from the worker caches and the used metrics + // are marked as unused. Must be a multiple of the ``stats_flush_interval``. + google.protobuf.Duration stats_eviction_interval = 42 + [(validate.rules).duration = {gte {nanos: 1000000}}]; + } + + // Optional watchdog configuration. + // This is for a single watchdog configuration for the entire system. + // Deprecated in favor of ``watchdogs`` which has finer granularity. + Watchdog watchdog = 8 + [deprecated = true, (envoy.annotations.deprecated_at_minor_version) = "3.0"]; + + // Optional watchdogs configuration. + // This is used for specifying different watchdogs for the different subsystems. + // [#extension-category: envoy.guarddog_actions] + Watchdogs watchdogs = 27; + + // Configuration for an external tracing provider. + // + // .. attention:: + // This field has been deprecated in favor of :ref:`HttpConnectionManager.Tracing.provider + // `. + trace.v3.Tracing tracing = 9 + [deprecated = true, (envoy.annotations.deprecated_at_minor_version) = "3.0"]; + + // Configuration for the runtime configuration provider. If not + // specified, a “null” provider will be used which will result in all defaults + // being used. + LayeredRuntime layered_runtime = 17; + + // Configuration for the local administration HTTP server. + Admin admin = 12; + + // Optional overload manager configuration. + overload.v3.OverloadManager overload_manager = 15 [ + (udpa.annotations.security).configure_for_untrusted_downstream = true, + (udpa.annotations.security).configure_for_untrusted_upstream = true + ]; + + // Enable :ref:`stats for event dispatcher `. Defaults to ``false``. + // + // .. note:: + // + // This records a value for each iteration of the event loop on every thread. This + // should normally be minimal overhead, but when using + // :ref:`statsd `, it will send each observed value + // over the wire individually because the statsd protocol doesn't have any way to represent a + // histogram summary. Be aware that this can be a very large volume of data. + bool enable_dispatcher_stats = 16; + + // Optional string which will be used in lieu of ``x-envoy`` in prefixing headers. + // + // For example, if this string is present and set to ``X-Foo``, then ``x-envoy-retry-on`` will be + // transformed into ``x-foo-retry-on`` etc. + // + // .. note:: + // + // This applies to the headers Envoy will generate, the headers Envoy will sanitize, and the + // headers Envoy will trust for core code and core extensions only. Be VERY careful making + // changes to this string, especially in multi-layer Envoy deployments or deployments using + // extensions which are not upstream. + string header_prefix = 18; + + // Optional proxy version which will be used to set the value of :ref:`server.version statistic + // ` if specified. Envoy will not process this value, it will be sent as is to + // :ref:`stats sinks `. + google.protobuf.UInt64Value stats_server_version_override = 19; + + // Always use ``TCP`` queries instead of ``UDP`` queries for DNS lookups. + // This may be overridden on a per-cluster basis in ``cds_config``, + // when :ref:`dns_resolvers ` and + // :ref:`use_tcp_for_dns_lookups ` are + // specified. + // This field is deprecated in favor of ``dns_resolution_config`` + // which aggregates all of the DNS resolver configuration in a single message. + bool use_tcp_for_dns_lookups = 20 + [deprecated = true, (envoy.annotations.deprecated_at_minor_version) = "3.0"]; + + // DNS resolution configuration which includes the underlying DNS resolver addresses and options. + // This may be overridden on a per-cluster basis in ``cds_config``, when + // :ref:`dns_resolution_config ` + // is specified. + // This field is deprecated in favor of + // :ref:`typed_dns_resolver_config `. + core.v3.DnsResolutionConfig dns_resolution_config = 30 + [deprecated = true, (envoy.annotations.deprecated_at_minor_version) = "3.0"]; + + // DNS resolver type configuration extension. This extension can be used to configure ``c-ares``, ``apple``, + // or any other DNS resolver types and the related parameters. + // For example, an object of + // :ref:`CaresDnsResolverConfig ` + // can be packed into this ``typed_dns_resolver_config``. This configuration replaces the + // :ref:`dns_resolution_config ` + // configuration. + // + // During the transition period when both ``dns_resolution_config`` and ``typed_dns_resolver_config`` exist, + // when ``typed_dns_resolver_config`` is in place, Envoy will use it and ignore ``dns_resolution_config``. + // When ``typed_dns_resolver_config`` is missing, the default behavior is in place. + // [#extension-category: envoy.network.dns_resolver] + core.v3.TypedExtensionConfig typed_dns_resolver_config = 31; + + // Specifies optional bootstrap extensions to be instantiated at startup time. + // Each item contains extension specific configuration. + // [#extension-category: envoy.bootstrap] + repeated core.v3.TypedExtensionConfig bootstrap_extensions = 21; + + // Specifies optional extensions instantiated at startup time and + // invoked during crash time on the request that caused the crash. + repeated FatalAction fatal_actions = 28; + + // Configuration sources that will participate in + // ``xdstp://`` URL authority resolution. The algorithm is as + // follows: + // + // 1. The authority field is taken from the ``xdstp://`` URL, call + // this ``resource_authority``. + // 2. ``resource_authority`` is compared against the authorities in any peer + // ``ConfigSource``. The peer ``ConfigSource`` is the configuration source + // message which would have been used unconditionally for resolution + // with opaque resource names. If there is a match with an authority, the + // peer ``ConfigSource`` message is used. + // 3. ``resource_authority`` is compared sequentially with the authorities in + // each configuration source in ``config_sources``. The first ``ConfigSource`` + // to match wins. + // 4. As a fallback, if no configuration source matches, then + // ``default_config_source`` is used. + // 5. If ``default_config_source`` is not specified, resolution fails. + // [#not-implemented-hide:] + repeated core.v3.ConfigSource config_sources = 22; + + // Default configuration source for ``xdstp://`` URLs if all + // other resolution fails. + // [#not-implemented-hide:] + core.v3.ConfigSource default_config_source = 23; + + // Optional overriding of default socket interface. The value must be the name of one of the + // socket interface factories initialized through a bootstrap extension + string default_socket_interface = 24; + + // Global map of CertificateProvider instances. These instances are referred to by name in the + // :ref:`CommonTlsContext.CertificateProviderInstance.instance_name + // ` + // field. + // [#not-implemented-hide:] + map certificate_provider_instances = 25; + + // Specifies a set of headers that need to be registered as inline header. This configuration + // allows users to customize the inline headers on-demand at Envoy startup without modifying + // Envoy's source code. + // + // .. note:: + // + // The ``set-cookie`` header cannot be registered as inline header. + repeated CustomInlineHeader inline_headers = 32; + + // Optional path to a file with performance tracing data created by ``Perfetto`` SDK in binary + // ProtoBuf format. The default value is ``envoy.pftrace``. + string perf_tracing_file_path = 33; + + // Optional overriding of default regex engine. + // If the value is not specified, ``Google RE2`` will be used by default. + // [#extension-category: envoy.regex_engines] + core.v3.TypedExtensionConfig default_regex_engine = 34; + + // Optional XdsResourcesDelegate configuration, which allows plugging custom logic into both + // fetch and load events during xDS processing. + // If a value is not specified, no ``XdsResourcesDelegate`` will be used. + // TODO(abeyad): Add public-facing documentation. + // [#not-implemented-hide:] + core.v3.TypedExtensionConfig xds_delegate_extension = 35; + + // Optional XdsConfigTracker configuration, which allows tracking xDS responses in external components, + // e.g., external tracer or monitor. It provides the process point when receive, ingest, or fail to + // process xDS resources and messages. If a value is not specified, no ``XdsConfigTracker`` will be used. + // + // .. note:: + // + // There are no in-repo extensions currently, and the :repo:`XdsConfigTracker ` + // interface should be implemented before using. + // See :repo:`xds_config_tracker_integration_test ` + // for an example usage of the interface. + core.v3.TypedExtensionConfig xds_config_tracker_extension = 36; + + // [#not-implemented-hide:] + // This controls the type of listener manager configured for Envoy. Currently + // Envoy only supports ``ListenerManager`` for this field and Envoy Mobile + // supports ``ApiListenerManager``. + core.v3.TypedExtensionConfig listener_manager = 37; + + // Optional application log configuration. + ApplicationLogConfig application_log_config = 38; + + // Optional gRPC async client manager config. + GrpcAsyncClientManagerConfig grpc_async_client_manager_config = 40; + + // Optional configuration for memory allocation manager. + // Memory releasing is only supported for `tcmalloc allocator `_. + MemoryAllocatorManager memory_allocator_manager = 41; +} + +// Administration interface :ref:`operations documentation +// `. +// [#next-free-field: 8] +message Admin { + option (udpa.annotations.versioning).previous_message_type = "envoy.config.bootstrap.v2.Admin"; + + // Configuration for :ref:`access logs ` + // emitted by the administration server. + repeated accesslog.v3.AccessLog access_log = 5; + + // The path to write the access log for the administration server. If no + // access log is desired specify ``/dev/null``. This is only required if + // :ref:`address ` is set. + // Deprecated in favor of ``access_log`` which offers more options. + string access_log_path = 1 + [deprecated = true, (envoy.annotations.deprecated_at_minor_version) = "3.0"]; + + // The CPU profiler output path for the administration server. If no profile + // path is specified, the default is ``/var/log/envoy/envoy.prof``. + string profile_path = 2; + + // The TCP address that the administration server will listen on. + // If not specified, Envoy will not start an administration server. + core.v3.Address address = 3; + + // Additional socket options that may not be present in Envoy source code or + // precompiled binaries. + repeated core.v3.SocketOption socket_options = 4; + + // Indicates whether :ref:`global_downstream_max_connections ` + // should apply to the admin interface or not. + bool ignore_global_conn_limit = 6; + + // List of admin paths that are accessible. If not specified, all admin endpoints are accessible. + // + // When specified, only paths in this list will be accessible, all others will return ``HTTP 403 Forbidden``. + // + // Example: + // + // .. code-block:: yaml + // + // allow_paths: + // - exact: /stats + // - exact: /ready + // - prefix: /healthcheck + // + repeated type.matcher.v3.StringMatcher allow_paths = 7; +} + +// Cluster manager :ref:`architecture overview `. +// [#next-free-field: 6] +message ClusterManager { + option (udpa.annotations.versioning).previous_message_type = + "envoy.config.bootstrap.v2.ClusterManager"; + + message OutlierDetection { + option (udpa.annotations.versioning).previous_message_type = + "envoy.config.bootstrap.v2.ClusterManager.OutlierDetection"; + + // Specifies the path to the outlier event log. + string event_log_path = 1; + + // [#not-implemented-hide:] + // The gRPC service for the outlier detection event service. + // If empty, outlier detection events won't be sent to a remote endpoint. + core.v3.EventServiceConfig event_service = 2; + } + + // Name of the local cluster (i.e., the cluster that owns the Envoy running + // this configuration). In order to enable :ref:`zone aware routing + // ` this option must be set. + // If ``local_cluster_name`` is defined then :ref:`clusters + // ` must be defined in the :ref:`Bootstrap + // static cluster resources + // `. This is unrelated to + // the :option:`--service-cluster` option which does not `affect zone aware + // routing `_. + string local_cluster_name = 1; + + // Optional global configuration for outlier detection. + OutlierDetection outlier_detection = 2; + + // Optional configuration used to bind newly established upstream connections. + // This may be overridden on a per-cluster basis by ``upstream_bind_config`` in the ``cds_config``. + core.v3.BindConfig upstream_bind_config = 3; + + // A management server endpoint to stream load stats to via + // ``StreamLoadStats``. This must have :ref:`api_type + // ` :ref:`GRPC + // `. + core.v3.ApiConfigSource load_stats_config = 4; + + // Whether the ClusterManager will create clusters on the worker threads + // inline during requests. This will save memory and CPU cycles in cases where + // there are lots of inactive clusters and ``> 1`` worker thread. + bool enable_deferred_cluster_creation = 5; +} + +// Allows you to specify different watchdog configs for different subsystems. +// This allows finer tuned policies for the watchdog. If a subsystem is omitted +// the default values for that system will be used. +message Watchdogs { + // Watchdog for the main thread. + Watchdog main_thread_watchdog = 1; + + // Watchdog for the worker threads. + Watchdog worker_watchdog = 2; +} + +// Envoy process watchdog configuration. When configured, this monitors for +// nonresponsive threads and kills the process after the configured thresholds. +// See the :ref:`watchdog documentation ` for more information. +// [#next-free-field: 8] +message Watchdog { + option (udpa.annotations.versioning).previous_message_type = "envoy.config.bootstrap.v2.Watchdog"; + + message WatchdogAction { + // The events are fired in this order: ``KILL``, ``MULTIKILL``, ``MEGAMISS``, ``MISS``. + // Within an event type, actions execute in the order they are configured. + // For ``KILL``/``MULTIKILL`` there is a default ``PANIC`` that will run after the + // registered actions and kills the process if it wasn't already killed. + // It might be useful to specify several debug actions, and possibly an + // alternate ``FATAL`` action. + enum WatchdogEvent { + UNKNOWN = 0; + KILL = 1; + MULTIKILL = 2; + MEGAMISS = 3; + MISS = 4; + } + + // Extension specific configuration for the action. + core.v3.TypedExtensionConfig config = 1; + + WatchdogEvent event = 2 [(validate.rules).enum = {defined_only: true}]; + } + + // Register actions that will fire on given Watchdog events. + // See ``WatchdogAction`` for priority of events. + repeated WatchdogAction actions = 7; + + // The duration after which Envoy counts a nonresponsive thread in the + // ``watchdog_miss`` statistic. If not specified the default is ``200ms``. + google.protobuf.Duration miss_timeout = 1; + + // The duration after which Envoy counts a nonresponsive thread in the + // ``watchdog_mega_miss`` statistic. If not specified the default is ``1000ms``. + google.protobuf.Duration megamiss_timeout = 2; + + // If a watched thread has been nonresponsive for this duration, assume a + // programming error and kill the entire Envoy process. Set to ``0`` to disable + // kill behavior. If not specified the default is ``0`` (disabled). + google.protobuf.Duration kill_timeout = 3; + + // Defines the maximum jitter used to adjust the ``kill_timeout`` if ``kill_timeout`` is + // enabled. Enabling this feature would help to reduce risk of synchronized + // watchdog kill events across proxies due to external triggers. Set to ``0`` to + // disable. If not specified the default is ``0`` (disabled). + google.protobuf.Duration max_kill_timeout_jitter = 6 [(validate.rules).duration = {gte {}}]; + + // If ``max(2, ceil(registered_threads * Fraction(multikill_threshold)))`` + // threads have been nonresponsive for at least this duration kill the entire + // Envoy process. Set to ``0`` to disable this behavior. If not specified the + // default is ``0`` (disabled). + google.protobuf.Duration multikill_timeout = 4; + + // Sets the threshold for ``multikill_timeout`` in terms of the percentage of + // nonresponsive threads required for the ``multikill_timeout``. + // If not specified the default is ``0``. + type.v3.Percent multikill_threshold = 5; +} + +// Fatal actions to run while crashing. Actions can be safe (meaning they are +// async-signal safe) or unsafe. We run all safe actions before we run unsafe actions. +// +// .. note:: +// +// If using an unsafe action that could get stuck or deadlock, it is important to +// have an out of band system to terminate the process. +// +// The interface for the extension is ``Envoy::Server::Configuration::FatalAction``. +// ``FatalAction`` extensions live in the ``envoy.extensions.fatal_actions`` API +// namespace. +message FatalAction { + // Extension specific configuration for the action. It's expected to conform + // to the ``Envoy::Server::Configuration::FatalAction`` interface. + core.v3.TypedExtensionConfig config = 1; +} + +// Runtime :ref:`configuration overview ` (deprecated). +message Runtime { + option (udpa.annotations.versioning).previous_message_type = "envoy.config.bootstrap.v2.Runtime"; + + // The implementation assumes that the file system tree is accessed via a + // symbolic link. An atomic link swap is used when a new tree should be + // switched to. This parameter specifies the path to the symbolic link. Envoy + // will watch the location for changes and reload the file system tree when + // they happen. If this parameter is not set, there will be no disk based + // runtime. + string symlink_root = 1; + + // Specifies the subdirectory to load within the root directory. This is + // useful if multiple systems share the same delivery mechanism. Envoy + // configuration elements can be contained in a dedicated subdirectory. + string subdirectory = 2; + + // Specifies an optional subdirectory to load within the root directory. If + // specified and the directory exists, configuration values within this + // directory will override those found in the primary subdirectory. This is + // useful when Envoy is deployed across many different types of servers. + // Sometimes it is useful to have a per service cluster directory for runtime + // configuration. See below for exactly how the override directory is used. + string override_subdirectory = 3; + + // Static base runtime. This will be :ref:`overridden + // ` by other runtime layers, e.g. + // disk or admin. This follows the :ref:`runtime protobuf JSON representation + // encoding `. + google.protobuf.Struct base = 4; +} + +// [#next-free-field: 6] +message RuntimeLayer { + option (udpa.annotations.versioning).previous_message_type = + "envoy.config.bootstrap.v2.RuntimeLayer"; + + // :ref:`Disk runtime ` layer. + message DiskLayer { + option (udpa.annotations.versioning).previous_message_type = + "envoy.config.bootstrap.v2.RuntimeLayer.DiskLayer"; + + // The implementation assumes that the file system tree is accessed via a + // symbolic link. An atomic link swap is used when a new tree should be + // switched to. This parameter specifies the path to the symbolic link. + // Envoy will watch the location for changes and reload the file system tree + // when they happen. See documentation on runtime :ref:`atomicity + // ` for further details on how reloads are + // treated. + string symlink_root = 1; + + // Specifies the subdirectory to load within the root directory. This is + // useful if multiple systems share the same delivery mechanism. Envoy + // configuration elements can be contained in a dedicated subdirectory. + string subdirectory = 3; + + // :ref:`Append ` the + // service cluster to the path under symlink root. + bool append_service_cluster = 2; + } + + // :ref:`Admin console runtime ` layer. + message AdminLayer { + option (udpa.annotations.versioning).previous_message_type = + "envoy.config.bootstrap.v2.RuntimeLayer.AdminLayer"; + } + + // :ref:`Runtime Discovery Service (RTDS) ` layer. + message RtdsLayer { + option (udpa.annotations.versioning).previous_message_type = + "envoy.config.bootstrap.v2.RuntimeLayer.RtdsLayer"; + + // Resource to subscribe to at the ``rtds_config`` for the RTDS layer. + string name = 1; + + // RTDS configuration source. + core.v3.ConfigSource rtds_config = 2; + } + + // Descriptive name for the runtime layer. This is only used for the runtime + // :http:get:`/runtime` output. + string name = 1 [(validate.rules).string = {min_len: 1}]; + + oneof layer_specifier { + option (validate.required) = true; + + // :ref:`Static runtime ` layer. + // This follows the :ref:`runtime protobuf JSON representation encoding + // `. Unlike static xDS resources, this static + // layer is overridable by later layers in the runtime virtual filesystem. + google.protobuf.Struct static_layer = 2; + + DiskLayer disk_layer = 3; + + AdminLayer admin_layer = 4; + + RtdsLayer rtds_layer = 5; + } +} + +// Runtime :ref:`configuration overview `. +message LayeredRuntime { + option (udpa.annotations.versioning).previous_message_type = + "envoy.config.bootstrap.v2.LayeredRuntime"; + + // The :ref:`layers ` of the runtime. This is ordered + // such that later layers in the list overlay earlier entries. + repeated RuntimeLayer layers = 1; +} + +// Used to specify the header that needs to be registered as an inline header. +// +// If request or response contain multiple headers with the same name and the header +// name is registered as an inline header, then multiple headers will be folded +// into one, and multiple header values will be concatenated by a suitable delimiter. +// The delimiter is generally a comma. +// +// For example, if ``foo`` is registered as an inline header, and the headers contain +// the following two headers: +// +// .. code-block:: text +// +// foo: bar +// foo: eep +// +// Then they will eventually be folded into: +// +// .. code-block:: text +// +// foo: bar, eep +// +// Inline headers provide O(1) search performance, but each inline header imposes +// an additional memory overhead on all instances of the corresponding type of +// HeaderMap or TrailerMap. +message CustomInlineHeader { + enum InlineHeaderType { + REQUEST_HEADER = 0; + REQUEST_TRAILER = 1; + RESPONSE_HEADER = 2; + RESPONSE_TRAILER = 3; + } + + // The name of the header that is expected to be set as the inline header. + string inline_header_name = 1 + [(validate.rules).string = {min_len: 1 well_known_regex: HTTP_HEADER_NAME strict: false}]; + + // The type of the header that is expected to be set as the inline header. + InlineHeaderType inline_header_type = 2 [(validate.rules).enum = {defined_only: true}]; +} + +message MemoryAllocatorManager { + // Configures tcmalloc to perform background release of free memory in amount of bytes per ``memory_release_interval`` interval. + // If equals to ``0``, no memory release will occur. Defaults to ``0``. + uint64 bytes_to_release = 1; + + // Interval in milliseconds for memory releasing. If specified, during every + // interval Envoy will try to release ``bytes_to_release`` of free memory back to operating system for reuse. + // Defaults to ``1000`` milliseconds. + google.protobuf.Duration memory_release_interval = 2; +} diff --git a/grpc-xds/proto/third_party/envoy/envoy/config/cluster/v3/circuit_breaker.proto b/grpc-xds/proto/third_party/envoy/envoy/config/cluster/v3/circuit_breaker.proto new file mode 100644 index 000000000..fe798ceb0 --- /dev/null +++ b/grpc-xds/proto/third_party/envoy/envoy/config/cluster/v3/circuit_breaker.proto @@ -0,0 +1,121 @@ +syntax = "proto3"; + +package envoy.config.cluster.v3; + +import "envoy/config/core/v3/base.proto"; +import "envoy/type/v3/percent.proto"; + +import "google/protobuf/wrappers.proto"; + +import "udpa/annotations/status.proto"; +import "udpa/annotations/versioning.proto"; +import "validate/validate.proto"; + +option java_package = "io.envoyproxy.envoy.config.cluster.v3"; +option java_outer_classname = "CircuitBreakerProto"; +option java_multiple_files = true; +option go_package = "github.com/envoyproxy/go-control-plane/envoy/config/cluster/v3;clusterv3"; +option (udpa.annotations.file_status).package_version_status = ACTIVE; + +// [#protodoc-title: Circuit breakers] + +// :ref:`Circuit breaking` settings can be +// specified individually for each defined priority. +message CircuitBreakers { + option (udpa.annotations.versioning).previous_message_type = + "envoy.api.v2.cluster.CircuitBreakers"; + + // A Thresholds defines CircuitBreaker settings for a + // :ref:`RoutingPriority`. + // [#next-free-field: 9] + message Thresholds { + option (udpa.annotations.versioning).previous_message_type = + "envoy.api.v2.cluster.CircuitBreakers.Thresholds"; + + message RetryBudget { + option (udpa.annotations.versioning).previous_message_type = + "envoy.api.v2.cluster.CircuitBreakers.Thresholds.RetryBudget"; + + // Specifies the limit on concurrent retries as a percentage of the sum of active requests and + // active pending requests. For example, if there are 100 active requests and the + // budget_percent is set to 25, there may be 25 active retries. + // + // This parameter is optional. Defaults to 20%. + type.v3.Percent budget_percent = 1; + + // Specifies the minimum retry concurrency allowed for the retry budget. The limit on the + // number of active retries may never go below this number. + // + // This parameter is optional. Defaults to 3. + google.protobuf.UInt32Value min_retry_concurrency = 2; + } + + // The :ref:`RoutingPriority` + // the specified CircuitBreaker settings apply to. + core.v3.RoutingPriority priority = 1 [(validate.rules).enum = {defined_only: true}]; + + // The maximum number of connections that Envoy will make to the upstream + // cluster. If not specified, the default is 1024. + google.protobuf.UInt32Value max_connections = 2; + + // The maximum number of pending requests that Envoy will allow to the + // upstream cluster. If not specified, the default is 1024. + // This limit is applied as a connection limit for non-HTTP traffic. + google.protobuf.UInt32Value max_pending_requests = 3; + + // The maximum number of parallel requests that Envoy will make to the + // upstream cluster. If not specified, the default is 1024. + // This limit does not apply to non-HTTP traffic. + google.protobuf.UInt32Value max_requests = 4; + + // The maximum number of parallel retries that Envoy will allow to the + // upstream cluster. If not specified, the default is 3. + google.protobuf.UInt32Value max_retries = 5; + + // Specifies a limit on concurrent retries in relation to the number of active requests. This + // parameter is optional. + // + // .. note:: + // + // If this field is set, the retry budget will override any configured retry circuit + // breaker. + RetryBudget retry_budget = 8; + + // If track_remaining is true, then stats will be published that expose + // the number of resources remaining until the circuit breakers open. If + // not specified, the default is false. + // + // .. note:: + // + // If a retry budget is used in lieu of the max_retries circuit breaker, + // the remaining retry resources remaining will not be tracked. + bool track_remaining = 6; + + // The maximum number of connection pools per cluster that Envoy will concurrently support at + // once. If not specified, the default is unlimited. Set this for clusters which create a + // large number of connection pools. See + // :ref:`Circuit Breaking ` for + // more details. + google.protobuf.UInt32Value max_connection_pools = 7; + } + + // If multiple :ref:`Thresholds` + // are defined with the same :ref:`RoutingPriority`, + // the first one in the list is used. If no Thresholds is defined for a given + // :ref:`RoutingPriority`, the default values + // are used. + repeated Thresholds thresholds = 1; + + // Optional per-host limits which apply to each individual host in a cluster. + // + // .. note:: + // currently only the :ref:`max_connections + // ` field is supported for per-host limits. + // + // If multiple per-host :ref:`Thresholds` + // are defined with the same :ref:`RoutingPriority`, + // the first one in the list is used. If no per-host Thresholds are defined for a given + // :ref:`RoutingPriority`, + // the cluster will not have per-host limits. + repeated Thresholds per_host_thresholds = 2; +} diff --git a/grpc-xds/proto/third_party/envoy/envoy/config/cluster/v3/cluster.proto b/grpc-xds/proto/third_party/envoy/envoy/config/cluster/v3/cluster.proto new file mode 100644 index 000000000..192409096 --- /dev/null +++ b/grpc-xds/proto/third_party/envoy/envoy/config/cluster/v3/cluster.proto @@ -0,0 +1,1407 @@ +syntax = "proto3"; + +package envoy.config.cluster.v3; + +import "envoy/config/cluster/v3/circuit_breaker.proto"; +import "envoy/config/cluster/v3/filter.proto"; +import "envoy/config/cluster/v3/outlier_detection.proto"; +import "envoy/config/core/v3/address.proto"; +import "envoy/config/core/v3/base.proto"; +import "envoy/config/core/v3/config_source.proto"; +import "envoy/config/core/v3/extension.proto"; +import "envoy/config/core/v3/health_check.proto"; +import "envoy/config/core/v3/protocol.proto"; +import "envoy/config/core/v3/resolver.proto"; +import "envoy/config/endpoint/v3/endpoint.proto"; +import "envoy/type/metadata/v3/metadata.proto"; +import "envoy/type/v3/percent.proto"; + +import "google/protobuf/any.proto"; +import "google/protobuf/duration.proto"; +import "google/protobuf/struct.proto"; +import "google/protobuf/wrappers.proto"; + +import "xds/core/v3/collection_entry.proto"; +import "xds/type/matcher/v3/matcher.proto"; + +import "envoy/annotations/deprecation.proto"; +import "udpa/annotations/migrate.proto"; +import "udpa/annotations/security.proto"; +import "udpa/annotations/status.proto"; +import "udpa/annotations/versioning.proto"; +import "validate/validate.proto"; + +option java_package = "io.envoyproxy.envoy.config.cluster.v3"; +option java_outer_classname = "ClusterProto"; +option java_multiple_files = true; +option go_package = "github.com/envoyproxy/go-control-plane/envoy/config/cluster/v3;clusterv3"; +option (udpa.annotations.file_status).package_version_status = ACTIVE; + +// [#protodoc-title: Cluster configuration] + +// Cluster list collections. Entries are ``Cluster`` resources or references. +// [#not-implemented-hide:] +message ClusterCollection { + xds.core.v3.CollectionEntry entries = 1; +} + +// Configuration for a single upstream cluster. +// [#next-free-field: 60] +message Cluster { + option (udpa.annotations.versioning).previous_message_type = "envoy.api.v2.Cluster"; + + // Refer to :ref:`service discovery type ` + // for an explanation on each type. + enum DiscoveryType { + // Refer to the :ref:`static discovery type` + // for an explanation. + STATIC = 0; + + // Refer to the :ref:`strict DNS discovery + // type` + // for an explanation. + STRICT_DNS = 1; + + // Refer to the :ref:`logical DNS discovery + // type` + // for an explanation. + LOGICAL_DNS = 2; + + // Refer to the :ref:`service discovery type` + // for an explanation. + EDS = 3; + + // Refer to the :ref:`original destination discovery + // type` + // for an explanation. + ORIGINAL_DST = 4; + } + + // Refer to :ref:`load balancer type ` architecture + // overview section for information on each type. + enum LbPolicy { + reserved 4; + + reserved "ORIGINAL_DST_LB"; + + // Refer to the :ref:`round robin load balancing + // policy` + // for an explanation. + ROUND_ROBIN = 0; + + // Refer to the :ref:`least request load balancing + // policy` + // for an explanation. + LEAST_REQUEST = 1; + + // Refer to the :ref:`ring hash load balancing + // policy` + // for an explanation. + RING_HASH = 2; + + // Refer to the :ref:`random load balancing + // policy` + // for an explanation. + RANDOM = 3; + + // Refer to the :ref:`Maglev load balancing policy` + // for an explanation. + MAGLEV = 5; + + // This load balancer type must be specified if the configured cluster provides a cluster + // specific load balancer. Consult the configured cluster's documentation for whether to set + // this option or not. + CLUSTER_PROVIDED = 6; + + // Use the new :ref:`load_balancing_policy + // ` field to determine the LB policy. + // This has been deprecated in favor of using the :ref:`load_balancing_policy + // ` field without + // setting any value in :ref:`lb_policy`. + LOAD_BALANCING_POLICY_CONFIG = 7; + } + + // When V4_ONLY is selected, the DNS resolver will only perform a lookup for + // addresses in the IPv4 family. If V6_ONLY is selected, the DNS resolver will + // only perform a lookup for addresses in the IPv6 family. If AUTO is + // specified, the DNS resolver will first perform a lookup for addresses in + // the IPv6 family and fallback to a lookup for addresses in the IPv4 family. + // This is semantically equivalent to a non-existent V6_PREFERRED option. + // AUTO is a legacy name that is more opaque than + // necessary and will be deprecated in favor of V6_PREFERRED in a future major version of the API. + // If V4_PREFERRED is specified, the DNS resolver will first perform a lookup for addresses in the + // IPv4 family and fallback to a lookup for addresses in the IPv6 family. i.e., the callback + // target will only get v6 addresses if there were NO v4 addresses to return. + // If ALL is specified, the DNS resolver will perform a lookup for both IPv4 and IPv6 families, + // and return all resolved addresses. When this is used, Happy Eyeballs will be enabled for + // upstream connections. Refer to :ref:`Happy Eyeballs Support ` + // for more information. + // For cluster types other than + // :ref:`STRICT_DNS` and + // :ref:`LOGICAL_DNS`, + // this setting is + // ignored. + // [#next-major-version: deprecate AUTO in favor of a V6_PREFERRED option.] + enum DnsLookupFamily { + AUTO = 0; + V4_ONLY = 1; + V6_ONLY = 2; + V4_PREFERRED = 3; + ALL = 4; + } + + enum ClusterProtocolSelection { + // Cluster can only operate on one of the possible upstream protocols (HTTP1.1, HTTP2). + // If :ref:`http2_protocol_options ` are + // present, HTTP2 will be used, otherwise HTTP1.1 will be used. + USE_CONFIGURED_PROTOCOL = 0; + + // Use HTTP1.1 or HTTP2, depending on which one is used on the downstream connection. + USE_DOWNSTREAM_PROTOCOL = 1; + } + + // TransportSocketMatch specifies what transport socket config will be used + // when the match conditions are satisfied. + message TransportSocketMatch { + option (udpa.annotations.versioning).previous_message_type = + "envoy.api.v2.Cluster.TransportSocketMatch"; + + // The name of the match, used in stats generation. + string name = 1 [(validate.rules).string = {min_len: 1}]; + + // Optional metadata match criteria. + // The connection to the endpoint with metadata matching what is set in this field + // will use the transport socket configuration specified here. + // The endpoint's metadata entry in ``envoy.transport_socket_match`` is used to match + // against the values specified in this field. + google.protobuf.Struct match = 2; + + // The configuration of the transport socket. + // [#extension-category: envoy.transport_sockets.upstream] + core.v3.TransportSocket transport_socket = 3; + } + + // Extended cluster type. + message CustomClusterType { + option (udpa.annotations.versioning).previous_message_type = + "envoy.api.v2.Cluster.CustomClusterType"; + + // The type of the cluster to instantiate. The name must match a supported cluster type. + string name = 1 [(validate.rules).string = {min_len: 1}]; + + // Cluster specific configuration which depends on the cluster being instantiated. + // See the supported cluster for further documentation. + // [#extension-category: envoy.clusters] + google.protobuf.Any typed_config = 2; + } + + // Only valid when discovery type is EDS. + message EdsClusterConfig { + option (udpa.annotations.versioning).previous_message_type = + "envoy.api.v2.Cluster.EdsClusterConfig"; + + // Configuration for the source of EDS updates for this Cluster. + core.v3.ConfigSource eds_config = 1; + + // Optional alternative to cluster name to present to EDS. This does not + // have the same restrictions as cluster name, i.e. it may be arbitrary + // length. This may be a xdstp:// URL. + string service_name = 2; + } + + // Optionally divide the endpoints in this cluster into subsets defined by + // endpoint metadata and selected by route and weighted cluster metadata. + // [#next-free-field: 9] + message LbSubsetConfig { + option (udpa.annotations.versioning).previous_message_type = + "envoy.api.v2.Cluster.LbSubsetConfig"; + + // If NO_FALLBACK is selected, a result + // equivalent to no healthy hosts is reported. If ANY_ENDPOINT is selected, + // any cluster endpoint may be returned (subject to policy, health checks, + // etc). If DEFAULT_SUBSET is selected, load balancing is performed over the + // endpoints matching the values from the default_subset field. + enum LbSubsetFallbackPolicy { + NO_FALLBACK = 0; + ANY_ENDPOINT = 1; + DEFAULT_SUBSET = 2; + } + + enum LbSubsetMetadataFallbackPolicy { + // No fallback. Route metadata will be used as-is. + METADATA_NO_FALLBACK = 0; + + // A special metadata key ``fallback_list`` will be used to provide variants of metadata to try. + // Value of ``fallback_list`` key has to be a list. Every list element has to be a struct - it will + // be merged with route metadata, overriding keys that appear in both places. + // ``fallback_list`` entries will be used in order until a host is found. + // + // ``fallback_list`` key itself is removed from metadata before subset load balancing is performed. + // + // Example: + // + // for metadata: + // + // .. code-block:: yaml + // + // version: 1.0 + // fallback_list: + // - version: 2.0 + // hardware: c64 + // - hardware: c32 + // - version: 3.0 + // + // at first, metadata: + // + // .. code-block:: json + // + // {"version": "2.0", "hardware": "c64"} + // + // will be used for load balancing. If no host is found, metadata: + // + // .. code-block:: json + // + // {"version": "1.0", "hardware": "c32"} + // + // is next to try. If it still results in no host, finally metadata: + // + // .. code-block:: json + // + // {"version": "3.0"} + // + // is used. + FALLBACK_LIST = 1; + } + + // Specifications for subsets. + message LbSubsetSelector { + option (udpa.annotations.versioning).previous_message_type = + "envoy.api.v2.Cluster.LbSubsetConfig.LbSubsetSelector"; + + // Allows to override top level fallback policy per selector. + enum LbSubsetSelectorFallbackPolicy { + // If NOT_DEFINED top level config fallback policy is used instead. + NOT_DEFINED = 0; + + // If NO_FALLBACK is selected, a result equivalent to no healthy hosts is reported. + NO_FALLBACK = 1; + + // If ANY_ENDPOINT is selected, any cluster endpoint may be returned + // (subject to policy, health checks, etc). + ANY_ENDPOINT = 2; + + // If DEFAULT_SUBSET is selected, load balancing is performed over the + // endpoints matching the values from the default_subset field. + DEFAULT_SUBSET = 3; + + // If KEYS_SUBSET is selected, subset selector matching is performed again with metadata + // keys reduced to + // :ref:`fallback_keys_subset`. + // It allows for a fallback to a different, less specific selector if some of the keys of + // the selector are considered optional. + KEYS_SUBSET = 4; + } + + // List of keys to match with the weighted cluster metadata. + repeated string keys = 1; + + // Selects a mode of operation in which each subset has only one host. This mode uses the same rules for + // choosing a host, but updating hosts is faster, especially for large numbers of hosts. + // + // If a match is found to a host, that host will be used regardless of priority levels. + // + // When this mode is enabled, configurations that contain more than one host with the same metadata value for the single key in ``keys`` + // will use only one of the hosts with the given key; no requests will be routed to the others. The cluster gauge + // :ref:`lb_subsets_single_host_per_subset_duplicate` indicates how many duplicates are + // present in the current configuration. + bool single_host_per_subset = 4; + + // The behavior used when no endpoint subset matches the selected route's + // metadata. + LbSubsetSelectorFallbackPolicy fallback_policy = 2 + [(validate.rules).enum = {defined_only: true}]; + + // Subset of + // :ref:`keys` used by + // :ref:`KEYS_SUBSET` + // fallback policy. + // It has to be a non empty list if KEYS_SUBSET fallback policy is selected. + // For any other fallback policy the parameter is not used and should not be set. + // Only values also present in + // :ref:`keys` are allowed, but + // ``fallback_keys_subset`` cannot be equal to ``keys``. + repeated string fallback_keys_subset = 3; + } + + // The behavior used when no endpoint subset matches the selected route's + // metadata. The value defaults to + // :ref:`NO_FALLBACK`. + LbSubsetFallbackPolicy fallback_policy = 1 [(validate.rules).enum = {defined_only: true}]; + + // Specifies the default subset of endpoints used during fallback if + // fallback_policy is + // :ref:`DEFAULT_SUBSET`. + // Each field in default_subset is + // compared to the matching LbEndpoint.Metadata under the ``envoy.lb`` + // namespace. It is valid for no hosts to match, in which case the behavior + // is the same as a fallback_policy of + // :ref:`NO_FALLBACK`. + google.protobuf.Struct default_subset = 2; + + // For each entry, LbEndpoint.Metadata's + // ``envoy.lb`` namespace is traversed and a subset is created for each unique + // combination of key and value. For example: + // + // .. code-block:: json + // + // { "subset_selectors": [ + // { "keys": [ "version" ] }, + // { "keys": [ "stage", "hardware_type" ] } + // ]} + // + // A subset is matched when the metadata from the selected route and + // weighted cluster contains the same keys and values as the subset's + // metadata. The same host may appear in multiple subsets. + repeated LbSubsetSelector subset_selectors = 3; + + // If true, routing to subsets will take into account the localities and locality weights of the + // endpoints when making the routing decision. + // + // There are some potential pitfalls associated with enabling this feature, as the resulting + // traffic split after applying both a subset match and locality weights might be undesirable. + // + // Consider for example a situation in which you have 50/50 split across two localities X/Y + // which have 100 hosts each without subsetting. If the subset LB results in X having only 1 + // host selected but Y having 100, then a lot more load is being dumped on the single host in X + // than originally anticipated in the load balancing assignment delivered via EDS. + bool locality_weight_aware = 4; + + // When used with locality_weight_aware, scales the weight of each locality by the ratio + // of hosts in the subset vs hosts in the original subset. This aims to even out the load + // going to an individual locality if said locality is disproportionately affected by the + // subset predicate. + bool scale_locality_weight = 5; + + // If true, when a fallback policy is configured and its corresponding subset fails to find + // a host this will cause any host to be selected instead. + // + // This is useful when using the default subset as the fallback policy, given the default + // subset might become empty. With this option enabled, if that happens the LB will attempt + // to select a host from the entire cluster. + bool panic_mode_any = 6; + + // If true, metadata specified for a metadata key will be matched against the corresponding + // endpoint metadata if the endpoint metadata matches the value exactly OR it is a list value + // and any of the elements in the list matches the criteria. + bool list_as_any = 7; + + // Fallback mechanism that allows to try different route metadata until a host is found. + // If load balancing process, including all its mechanisms (like + // :ref:`fallback_policy`) + // fails to select a host, this policy decides if and how the process is repeated using another metadata. + // + // The value defaults to + // :ref:`METADATA_NO_FALLBACK`. + LbSubsetMetadataFallbackPolicy metadata_fallback_policy = 8 + [(validate.rules).enum = {defined_only: true}]; + } + + // Configuration for :ref:`slow start mode `. + message SlowStartConfig { + // Represents the size of slow start window. + // If set, the newly created host remains in slow start mode starting from its creation time + // for the duration of slow start window. + google.protobuf.Duration slow_start_window = 1; + + // This parameter controls the speed of traffic increase over the slow start window. Defaults to 1.0, + // so that endpoint would get linearly increasing amount of traffic. + // When increasing the value for this parameter, the speed of traffic ramp-up increases non-linearly. + // The value of aggression parameter should be greater than 0.0. + // By tuning the parameter, is possible to achieve polynomial or exponential shape of ramp-up curve. + // + // During slow start window, effective weight of an endpoint would be scaled with time factor and aggression: + // ``new_weight = weight * max(min_weight_percent, time_factor ^ (1 / aggression))``, + // where ``time_factor=(time_since_start_seconds / slow_start_time_seconds)``. + // + // As time progresses, more and more traffic would be sent to endpoint, which is in slow start window. + // Once host exits slow start, time_factor and aggression no longer affect its weight. + core.v3.RuntimeDouble aggression = 2; + + // Configures the minimum percentage of origin weight that avoids too small new weight, + // which may cause endpoints in slow start mode receive no traffic in slow start window. + // If not specified, the default is 10%. + type.v3.Percent min_weight_percent = 3; + } + + // Specific configuration for the RoundRobin load balancing policy. + message RoundRobinLbConfig { + // Configuration for slow start mode. + // If this configuration is not set, slow start will not be not enabled. + SlowStartConfig slow_start_config = 1; + } + + // Specific configuration for the LeastRequest load balancing policy. + message LeastRequestLbConfig { + option (udpa.annotations.versioning).previous_message_type = + "envoy.api.v2.Cluster.LeastRequestLbConfig"; + + // The number of random healthy hosts from which the host with the fewest active requests will + // be chosen. Defaults to 2 so that we perform two-choice selection if the field is not set. + google.protobuf.UInt32Value choice_count = 1 [(validate.rules).uint32 = {gte: 2}]; + + // The following formula is used to calculate the dynamic weights when hosts have different load + // balancing weights: + // + // ``weight = load_balancing_weight / (active_requests + 1)^active_request_bias`` + // + // The larger the active request bias is, the more aggressively active requests will lower the + // effective weight when all host weights are not equal. + // + // ``active_request_bias`` must be greater than or equal to 0.0. + // + // When ``active_request_bias == 0.0`` the Least Request Load Balancer doesn't consider the number + // of active requests at the time it picks a host and behaves like the Round Robin Load + // Balancer. + // + // When ``active_request_bias > 0.0`` the Least Request Load Balancer scales the load balancing + // weight by the number of active requests at the time it does a pick. + // + // The value is cached for performance reasons and refreshed whenever one of the Load Balancer's + // host sets changes, e.g., whenever there is a host membership update or a host load balancing + // weight change. + // + // .. note:: + // This setting only takes effect if all host weights are not equal. + core.v3.RuntimeDouble active_request_bias = 2; + + // Configuration for slow start mode. + // If this configuration is not set, slow start will not be not enabled. + SlowStartConfig slow_start_config = 3; + } + + // Specific configuration for the :ref:`RingHash` + // load balancing policy. + message RingHashLbConfig { + option (udpa.annotations.versioning).previous_message_type = + "envoy.api.v2.Cluster.RingHashLbConfig"; + + // The hash function used to hash hosts onto the ketama ring. + enum HashFunction { + // Use `xxHash `_, this is the default hash function. + XX_HASH = 0; + + // Use `MurmurHash2 `_, this is compatible with + // std:hash in GNU libstdc++ 3.4.20 or above. This is typically the case when compiled + // on Linux and not macOS. + MURMUR_HASH_2 = 1; + } + + reserved 2; + + // Minimum hash ring size. The larger the ring is (that is, the more hashes there are for each + // provided host) the better the request distribution will reflect the desired weights. Defaults + // to 1024 entries, and limited to 8M entries. See also + // :ref:`maximum_ring_size`. + google.protobuf.UInt64Value minimum_ring_size = 1 [(validate.rules).uint64 = {lte: 8388608}]; + + // The hash function used to hash hosts onto the ketama ring. The value defaults to + // :ref:`XX_HASH`. + HashFunction hash_function = 3 [(validate.rules).enum = {defined_only: true}]; + + // Maximum hash ring size. Defaults to 8M entries, and limited to 8M entries, but can be lowered + // to further constrain resource use. See also + // :ref:`minimum_ring_size`. + google.protobuf.UInt64Value maximum_ring_size = 4 [(validate.rules).uint64 = {lte: 8388608}]; + } + + // Specific configuration for the :ref:`Maglev` + // load balancing policy. + message MaglevLbConfig { + // The table size for Maglev hashing. Maglev aims for "minimal disruption" rather than an absolute guarantee. + // Minimal disruption means that when the set of upstream hosts change, a connection will likely be sent to the same + // upstream as it was before. Increasing the table size reduces the amount of disruption. + // The table size must be prime number limited to 5000011. If it is not specified, the default is 65537. + google.protobuf.UInt64Value table_size = 1 [(validate.rules).uint64 = {lte: 5000011}]; + } + + // Specific configuration for the + // :ref:`Original Destination ` + // load balancing policy. + // [#extension: envoy.clusters.original_dst] + message OriginalDstLbConfig { + option (udpa.annotations.versioning).previous_message_type = + "envoy.api.v2.Cluster.OriginalDstLbConfig"; + + // When true, a HTTP header can be used to override the original dst address. The default header is + // :ref:`x-envoy-original-dst-host `. + // + // .. attention:: + // + // This header isn't sanitized by default, so enabling this feature allows HTTP clients to + // route traffic to arbitrary hosts and/or ports, which may have serious security + // consequences. + // + // .. note:: + // + // If the header appears multiple times only the first value is used. + bool use_http_header = 1; + + // The http header to override destination address if :ref:`use_http_header `. + // is set to true. If the value is empty, :ref:`x-envoy-original-dst-host ` will be used. + string http_header_name = 2; + + // The port to override for the original dst address. This port + // will take precedence over filter state and header override ports + google.protobuf.UInt32Value upstream_port_override = 3 [(validate.rules).uint32 = {lte: 65535}]; + + // The dynamic metadata key to override destination address. + // First the request metadata is considered, then the connection one. + type.metadata.v3.MetadataKey metadata_key = 4; + } + + // Common configuration for all load balancer implementations. + // [#next-free-field: 9] + message CommonLbConfig { + option (udpa.annotations.versioning).previous_message_type = + "envoy.api.v2.Cluster.CommonLbConfig"; + + // Configuration for :ref:`zone aware routing + // `. + message ZoneAwareLbConfig { + option (udpa.annotations.versioning).previous_message_type = + "envoy.api.v2.Cluster.CommonLbConfig.ZoneAwareLbConfig"; + + // Configures percentage of requests that will be considered for zone aware routing + // if zone aware routing is configured. If not specified, the default is 100%. + // * :ref:`runtime values `. + // * :ref:`Zone aware routing support `. + type.v3.Percent routing_enabled = 1; + + // Configures minimum upstream cluster size required for zone aware routing + // If upstream cluster size is less than specified, zone aware routing is not performed + // even if zone aware routing is configured. If not specified, the default is 6. + // * :ref:`runtime values `. + // * :ref:`Zone aware routing support `. + google.protobuf.UInt64Value min_cluster_size = 2; + + // If set to true, Envoy will not consider any hosts when the cluster is in :ref:`panic + // mode`. Instead, the cluster will fail all + // requests as if all hosts are unhealthy. This can help avoid potentially overwhelming a + // failing service. + bool fail_traffic_on_panic = 3; + } + + // Configuration for :ref:`locality weighted load balancing + // ` + message LocalityWeightedLbConfig { + option (udpa.annotations.versioning).previous_message_type = + "envoy.api.v2.Cluster.CommonLbConfig.LocalityWeightedLbConfig"; + } + + // Common Configuration for all consistent hashing load balancers (MaglevLb, RingHashLb, etc.) + message ConsistentHashingLbConfig { + option (udpa.annotations.versioning).previous_message_type = + "envoy.api.v2.Cluster.CommonLbConfig.ConsistentHashingLbConfig"; + + // If set to ``true``, the cluster will use hostname instead of the resolved + // address as the key to consistently hash to an upstream host. Only valid for StrictDNS clusters with hostnames which resolve to a single IP address. + bool use_hostname_for_hashing = 1; + + // Configures percentage of average cluster load to bound per upstream host. For example, with a value of 150 + // no upstream host will get a load more than 1.5 times the average load of all the hosts in the cluster. + // If not specified, the load is not bounded for any upstream host. Typical value for this parameter is between 120 and 200. + // Minimum is 100. + // + // Applies to both Ring Hash and Maglev load balancers. + // + // This is implemented based on the method described in the paper https://arxiv.org/abs/1608.01350. For the specified + // ``hash_balance_factor``, requests to any upstream host are capped at ``hash_balance_factor/100`` times the average number of requests + // across the cluster. When a request arrives for an upstream host that is currently serving at its max capacity, linear probing + // is used to identify an eligible host. Further, the linear probe is implemented using a random jump in hosts ring/table to identify + // the eligible host (this technique is as described in the paper https://arxiv.org/abs/1908.08762 - the random jump avoids the + // cascading overflow effect when choosing the next host in the ring/table). + // + // If weights are specified on the hosts, they are respected. + // + // This is an O(N) algorithm, unlike other load balancers. Using a lower ``hash_balance_factor`` results in more hosts + // being probed, so use a higher value if you require better performance. + google.protobuf.UInt32Value hash_balance_factor = 2 [(validate.rules).uint32 = {gte: 100}]; + } + + // Configures the :ref:`healthy panic threshold `. + // If not specified, the default is 50%. + // To disable panic mode, set to 0%. + // + // .. note:: + // The specified percent will be truncated to the nearest 1%. + type.v3.Percent healthy_panic_threshold = 1; + + oneof locality_config_specifier { + ZoneAwareLbConfig zone_aware_lb_config = 2; + + LocalityWeightedLbConfig locality_weighted_lb_config = 3; + } + + // If set, all health check/weight/metadata updates that happen within this duration will be + // merged and delivered in one shot when the duration expires. The start of the duration is when + // the first update happens. This is useful for big clusters, with potentially noisy deploys + // that might trigger excessive CPU usage due to a constant stream of healthcheck state changes + // or metadata updates. The first set of updates to be seen apply immediately (e.g.: a new + // cluster). Please always keep in mind that the use of sandbox technologies may change this + // behavior. + // + // If this is not set, we default to a merge window of 1000ms. To disable it, set the merge + // window to 0. + // + // .. note:: + // Merging does not apply to cluster membership changes (e.g.: adds/removes); this is + // because merging those updates isn't currently safe. See + // https://github.com/envoyproxy/envoy/pull/3941. + google.protobuf.Duration update_merge_window = 4; + + // If set to true, Envoy will :ref:`exclude ` new hosts + // when computing load balancing weights until they have been health checked for the first time. + // This will have no effect unless active health checking is also configured. + bool ignore_new_hosts_until_first_hc = 5; + + // If set to ``true``, the cluster manager will drain all existing + // connections to upstream hosts whenever hosts are added or removed from the cluster. + bool close_connections_on_host_set_change = 6; + + // Common Configuration for all consistent hashing load balancers (MaglevLb, RingHashLb, etc.) + ConsistentHashingLbConfig consistent_hashing_lb_config = 7; + + // This controls what hosts are considered valid when using + // :ref:`host overrides `, which is used by some + // filters to modify the load balancing decision. + // + // If this is unset then [UNKNOWN, HEALTHY, DEGRADED] will be applied by default. If this is + // set with an empty set of statuses then host overrides will be ignored by the load balancing. + core.v3.HealthStatusSet override_host_status = 8; + } + + message RefreshRate { + option (udpa.annotations.versioning).previous_message_type = "envoy.api.v2.Cluster.RefreshRate"; + + // Specifies the base interval between refreshes. This parameter is required and must be greater + // than zero and less than + // :ref:`max_interval `. + google.protobuf.Duration base_interval = 1 [(validate.rules).duration = { + required: true + gt {nanos: 1000000} + }]; + + // Specifies the maximum interval between refreshes. This parameter is optional, but must be + // greater than or equal to the + // :ref:`base_interval ` if set. The default + // is 10 times the :ref:`base_interval `. + google.protobuf.Duration max_interval = 2 [(validate.rules).duration = {gt {nanos: 1000000}}]; + } + + message PreconnectPolicy { + // Indicates how many streams (rounded up) can be anticipated per-upstream for each + // incoming stream. This is useful for high-QPS or latency-sensitive services. Preconnecting + // will only be done if the upstream is healthy and the cluster has traffic. + // + // For example if this is 2, for an incoming HTTP/1.1 stream, 2 connections will be + // established, one for the new incoming stream, and one for a presumed follow-up stream. For + // HTTP/2, only one connection would be established by default as one connection can + // serve both the original and presumed follow-up stream. + // + // In steady state for non-multiplexed connections a value of 1.5 would mean if there were 100 + // active streams, there would be 100 connections in use, and 50 connections preconnected. + // This might be a useful value for something like short lived single-use connections, + // for example proxying HTTP/1.1 if keep-alive were false and each stream resulted in connection + // termination. It would likely be overkill for long lived connections, such as TCP proxying SMTP + // or regular HTTP/1.1 with keep-alive. For long lived traffic, a value of 1.05 would be more + // reasonable, where for every 100 connections, 5 preconnected connections would be in the queue + // in case of unexpected disconnects where the connection could not be reused. + // + // If this value is not set, or set explicitly to one, Envoy will fetch as many connections + // as needed to serve streams in flight. This means in steady state if a connection is torn down, + // a subsequent streams will pay an upstream-rtt latency penalty waiting for a new connection. + // + // This is limited somewhat arbitrarily to 3 because preconnecting too aggressively can + // harm latency more than the preconnecting helps. + google.protobuf.DoubleValue per_upstream_preconnect_ratio = 1 + [(validate.rules).double = {lte: 3.0 gte: 1.0}]; + + // Indicates how many streams (rounded up) can be anticipated across a cluster for each + // stream, useful for low QPS services. This is currently supported for a subset of + // deterministic non-hash-based load-balancing algorithms (weighted round robin, random). + // Unlike ``per_upstream_preconnect_ratio`` this preconnects across the upstream instances in a + // cluster, doing best effort predictions of what upstream would be picked next and + // pre-establishing a connection. + // + // Preconnecting will be limited to one preconnect per configured upstream in the cluster and will + // only be done if there are healthy upstreams and the cluster has traffic. + // + // For example if preconnecting is set to 2 for a round robin HTTP/2 cluster, on the first + // incoming stream, 2 connections will be preconnected - one to the first upstream for this + // cluster, one to the second on the assumption there will be a follow-up stream. + // + // If this value is not set, or set explicitly to one, Envoy will fetch as many connections + // as needed to serve streams in flight, so during warm up and in steady state if a connection + // is closed (and per_upstream_preconnect_ratio is not set), there will be a latency hit for + // connection establishment. + // + // If both this and preconnect_ratio are set, Envoy will make sure both predicted needs are met, + // basically preconnecting max(predictive-preconnect, per-upstream-preconnect), for each + // upstream. + // + // This is limited somewhat arbitrarily to 3 because preconnecting too aggressively can + // harm latency more than the preconnecting helps. + google.protobuf.DoubleValue predictive_preconnect_ratio = 2 + [(validate.rules).double = {lte: 3.0 gte: 1.0}]; + } + + reserved 12, 15, 7, 11, 35; + + reserved "hosts", "tls_context", "extension_protocol_options"; + + // Configuration to use different transport sockets for different endpoints. The entry of + // ``envoy.transport_socket_match`` in the :ref:`LbEndpoint.Metadata + // ` is used to match against the + // transport sockets as they appear in the list. If a match is not found, the search continues in + // :ref:`LocalityLbEndpoints.Metadata + // `. The first :ref:`match + // ` is used. For example, with + // the following match + // + // .. code-block:: yaml + // + // transport_socket_matches: + // - name: "enableMTLS" + // match: + // acceptMTLS: true + // transport_socket: + // name: envoy.transport_sockets.tls + // config: { ... } # tls socket configuration + // - name: "defaultToPlaintext" + // match: {} + // transport_socket: + // name: envoy.transport_sockets.raw_buffer + // + // Connections to the endpoints whose metadata value under ``envoy.transport_socket_match`` + // having "acceptMTLS"/"true" key/value pair use the "enableMTLS" socket configuration. + // + // If a :ref:`socket match ` with empty match + // criteria is provided, that always match any endpoint. For example, the "defaultToPlaintext" + // socket match in case above. + // + // If an endpoint metadata's value under ``envoy.transport_socket_match`` does not match any + // ``TransportSocketMatch``, the locality metadata is then checked for a match. Barring any + // matches in the endpoint or locality metadata, the socket configuration fallbacks to use the + // ``tls_context`` or ``transport_socket`` specified in this cluster. + // + // This field allows gradual and flexible transport socket configuration changes. + // + // The metadata of endpoints in EDS can indicate transport socket capabilities. For example, + // an endpoint's metadata can have two key value pairs as "acceptMTLS": "true", + // "acceptPlaintext": "true". While some other endpoints, only accepting plaintext traffic + // has "acceptPlaintext": "true" metadata information. + // + // Then the xDS server can configure the CDS to a client, Envoy A, to send mutual TLS + // traffic for endpoints with "acceptMTLS": "true", by adding a corresponding + // ``TransportSocketMatch`` in this field. Other client Envoys receive CDS without + // ``transport_socket_match`` set, and still send plain text traffic to the same cluster. + // + // This field can be used to specify custom transport socket configurations for health + // checks by adding matching key/value pairs in a health check's + // :ref:`transport socket match criteria ` field. + // + // [#comment:TODO(incfly): add a detailed architecture doc on intended usage.] + repeated TransportSocketMatch transport_socket_matches = 43; + + // Optional matcher that selects a transport socket from + // :ref:`transport_socket_matches `. + // + // This matcher uses the generic xDS matcher framework to select a named transport socket + // based on various inputs available at transport socket selection time. + // + // Supported matching inputs: + // + // * ``endpoint_metadata``: Extract values from the selected endpoint's metadata. + // * ``locality_metadata``: Extract values from the endpoint's locality metadata. + // * ``transport_socket_filter_state``: Extract values from filter state that was explicitly shared from + // downstream to upstream via ``TransportSocketOptions``. This enables flexible + // downstream-connection-based matching, such as: + // + // - Network namespace matching. + // - Custom connection attributes. + // - Any data explicitly passed via filter state. + // + // .. note:: + // Filter state sharing follows the same pattern as tunneling in Envoy. Filters must explicitly + // share data by setting filter state with the appropriate sharing mode. The filter state is + // then accessible via the ``transport_socket_filter_state`` input during transport socket selection. + // + // If this field is set, it takes precedence over legacy metadata-based selection + // performed by :ref:`transport_socket_matches + // ` alone. + // If the matcher does not yield a match, Envoy uses the default transport socket + // configured for the cluster. + // + // When using this field, each entry in + // :ref:`transport_socket_matches ` + // must have a unique ``name``. The matcher outcome is expected to reference one of + // these names. + xds.type.matcher.v3.Matcher transport_socket_matcher = 59; + + // Supplies the name of the cluster which must be unique across all clusters. + // The cluster name is used when emitting + // :ref:`statistics ` if :ref:`alt_stat_name + // ` is not provided. + // Any ``:`` in the cluster name will be converted to ``_`` when emitting statistics. + string name = 1 [(validate.rules).string = {min_len: 1}]; + + // An optional alternative to the cluster name to be used for observability. This name is used + // for emitting stats for the cluster and access logging the cluster name. This will appear as + // additional information in configuration dumps of a cluster's current status as + // :ref:`observability_name ` + // and as an additional tag "upstream_cluster.name" while tracing. + // + // .. note:: + // Any ``:`` in the name will be converted to ``_`` when emitting statistics. This should not be confused with + // :ref:`Router Filter Header `. + string alt_stat_name = 28 [(udpa.annotations.field_migrate).rename = "observability_name"]; + + oneof cluster_discovery_type { + // The :ref:`service discovery type ` + // to use for resolving the cluster. + DiscoveryType type = 2 [(validate.rules).enum = {defined_only: true}]; + + // The custom cluster type. + CustomClusterType cluster_type = 38; + } + + // Configuration to use for EDS updates for the Cluster. + EdsClusterConfig eds_cluster_config = 3; + + // The timeout for new network connections to hosts in the cluster. + // If not set, a default value of 5s will be used. + google.protobuf.Duration connect_timeout = 4 [(validate.rules).duration = {gt {}}]; + + // Soft limit on size of the cluster’s connections read and write buffers. If + // unspecified, an implementation defined default is applied (1MiB). + google.protobuf.UInt32Value per_connection_buffer_limit_bytes = 5 + [(udpa.annotations.security).configure_for_untrusted_upstream = true]; + + // The :ref:`load balancer type ` to use + // when picking a host in the cluster. + LbPolicy lb_policy = 6 [(validate.rules).enum = {defined_only: true}]; + + // Setting this is required for specifying members of + // :ref:`STATIC`, + // :ref:`STRICT_DNS` + // or :ref:`LOGICAL_DNS` clusters. + // This field supersedes the ``hosts`` field in the v2 API. + // + // .. attention:: + // + // Setting this allows non-EDS cluster types to contain embedded EDS equivalent + // :ref:`endpoint assignments`. + // + endpoint.v3.ClusterLoadAssignment load_assignment = 33; + + // Optional :ref:`active health checking ` + // configuration for the cluster. If no + // configuration is specified no health checking will be done and all cluster + // members will be considered healthy at all times. + repeated core.v3.HealthCheck health_checks = 8; + + // Optional maximum requests for a single upstream connection. This parameter + // is respected by both the HTTP/1.1 and HTTP/2 connection pool + // implementations. If not specified, there is no limit. Setting this + // parameter to 1 will effectively disable keep alive. + // + // .. attention:: + // This field has been deprecated in favor of the :ref:`max_requests_per_connection ` field. + google.protobuf.UInt32Value max_requests_per_connection = 9 + [deprecated = true, (envoy.annotations.deprecated_at_minor_version) = "3.0"]; + + // Optional :ref:`circuit breaking ` for the cluster. + CircuitBreakers circuit_breakers = 10; + + // HTTP protocol options that are applied only to upstream HTTP connections. + // These options apply to all HTTP versions. + // This has been deprecated in favor of + // :ref:`upstream_http_protocol_options ` + // in the :ref:`http_protocol_options ` message. + // upstream_http_protocol_options can be set via the cluster's + // :ref:`extension_protocol_options`. + // See :ref:`upstream_http_protocol_options + // ` + // for example usage. + core.v3.UpstreamHttpProtocolOptions upstream_http_protocol_options = 46 + [deprecated = true, (envoy.annotations.deprecated_at_minor_version) = "3.0"]; + + // Additional options when handling HTTP requests upstream. These options will be applicable to + // both HTTP1 and HTTP2 requests. + // This has been deprecated in favor of + // :ref:`common_http_protocol_options ` + // in the :ref:`http_protocol_options ` message. + // common_http_protocol_options can be set via the cluster's + // :ref:`extension_protocol_options`. + // See :ref:`upstream_http_protocol_options + // ` + // for example usage. + core.v3.HttpProtocolOptions common_http_protocol_options = 29 + [deprecated = true, (envoy.annotations.deprecated_at_minor_version) = "3.0"]; + + // Additional options when handling HTTP1 requests. + // This has been deprecated in favor of http_protocol_options fields in the + // :ref:`http_protocol_options ` message. + // http_protocol_options can be set via the cluster's + // :ref:`extension_protocol_options`. + // See :ref:`upstream_http_protocol_options + // ` + // for example usage. + core.v3.Http1ProtocolOptions http_protocol_options = 13 + [deprecated = true, (envoy.annotations.deprecated_at_minor_version) = "3.0"]; + + // Even if default HTTP2 protocol options are desired, this field must be + // set so that Envoy will assume that the upstream supports HTTP/2 when + // making new HTTP connection pool connections. Currently, Envoy only + // supports prior knowledge for upstream connections. Even if TLS is used + // with ALPN, ``http2_protocol_options`` must be specified. As an aside this allows HTTP/2 + // connections to happen over plain text. + // This has been deprecated in favor of http2_protocol_options fields in the + // :ref:`http_protocol_options ` + // message. http2_protocol_options can be set via the cluster's + // :ref:`extension_protocol_options`. + // See :ref:`upstream_http_protocol_options + // ` + // for example usage. + core.v3.Http2ProtocolOptions http2_protocol_options = 14 [ + deprecated = true, + (udpa.annotations.security).configure_for_untrusted_upstream = true, + (envoy.annotations.deprecated_at_minor_version) = "3.0" + ]; + + // The extension_protocol_options field is used to provide extension-specific protocol options + // for upstream connections. The key should match the extension filter name, such as + // "envoy.filters.network.thrift_proxy". See the extension's documentation for details on + // specific options. + // [#next-major-version: make this a list of typed extensions.] + // [#extension-category: envoy.upstream_options] + map typed_extension_protocol_options = 36; + + // If the DNS refresh rate is specified and the cluster type is either + // :ref:`STRICT_DNS`, + // or :ref:`LOGICAL_DNS`, + // this value is used as the cluster’s DNS refresh + // rate. The value configured must be at least 1ms. If this setting is not specified, the + // value defaults to 5000ms. For cluster types other than + // :ref:`STRICT_DNS` + // and :ref:`LOGICAL_DNS` + // this setting is ignored. + // This field is deprecated in favor of using the :ref:`cluster_type` + // extension point and configuring it with :ref:`DnsCluster`. + // If :ref:`cluster_type` is configured with + // :ref:`DnsCluster`, this field will be ignored. + google.protobuf.Duration dns_refresh_rate = 16 [ + deprecated = true, + (validate.rules).duration = {gt {nanos: 1000000}}, + (envoy.annotations.deprecated_at_minor_version) = "3.0" + ]; + + // DNS jitter can be optionally specified if the cluster type is either + // :ref:`STRICT_DNS`, + // or :ref:`LOGICAL_DNS`. + // DNS jitter causes the cluster to refresh DNS entries later by a random amount of time to avoid a + // stampede of DNS requests. This value sets the upper bound (exclusive) for the random amount. + // There will be no jitter if this value is omitted. For cluster types other than + // :ref:`STRICT_DNS` + // and :ref:`LOGICAL_DNS` + // this setting is ignored. + // This field is deprecated in favor of using the :ref:`cluster_type` + // extension point and configuring it with :ref:`DnsCluster`. + // If :ref:`cluster_type` is configured with + // :ref:`DnsCluster`, this field will be ignored. + google.protobuf.Duration dns_jitter = 58 [ + deprecated = true, + (validate.rules).duration = {gte {}}, + (envoy.annotations.deprecated_at_minor_version) = "3.0" + ]; + + // If the DNS failure refresh rate is specified and the cluster type is either + // :ref:`STRICT_DNS`, + // or :ref:`LOGICAL_DNS`, + // this is used as the cluster’s DNS refresh rate when requests are failing. If this setting is + // not specified, the failure refresh rate defaults to the DNS refresh rate. For cluster types + // other than :ref:`STRICT_DNS` and + // :ref:`LOGICAL_DNS` this setting is + // ignored. + // This field is deprecated in favor of using the :ref:`cluster_type` + // extension point and configuring it with :ref:`DnsCluster`. + // If :ref:`cluster_type` is configured with + // :ref:`DnsCluster`, this field will be ignored. + RefreshRate dns_failure_refresh_rate = 44 + [deprecated = true, (envoy.annotations.deprecated_at_minor_version) = "3.0"]; + + // Optional configuration for setting cluster's DNS refresh rate. If the value is set to true, + // cluster's DNS refresh rate will be set to resource record's TTL which comes from DNS + // resolution. + // This field is deprecated in favor of using the :ref:`cluster_type` + // extension point and configuring it with :ref:`DnsCluster`. + // If :ref:`cluster_type` is configured with + // :ref:`DnsCluster`, this field will be ignored. + bool respect_dns_ttl = 39 + [deprecated = true, (envoy.annotations.deprecated_at_minor_version) = "3.0"]; + + // The DNS IP address resolution policy. If this setting is not specified, the + // value defaults to + // :ref:`AUTO`. + // For logical and strict dns cluster, this field is deprecated in favor of using the + // :ref:`cluster_type` + // extension point and configuring it with :ref:`DnsCluster`. + // If :ref:`cluster_type` is configured with + // :ref:`DnsCluster`, this field will be ignored. + DnsLookupFamily dns_lookup_family = 17 [(validate.rules).enum = {defined_only: true}]; + + // If DNS resolvers are specified and the cluster type is either + // :ref:`STRICT_DNS`, + // or :ref:`LOGICAL_DNS`, + // this value is used to specify the cluster’s dns resolvers. + // If this setting is not specified, the value defaults to the default + // resolver, which uses /etc/resolv.conf for configuration. For cluster types + // other than + // :ref:`STRICT_DNS` + // and :ref:`LOGICAL_DNS` + // this setting is ignored. + // This field is deprecated in favor of ``dns_resolution_config`` + // which aggregates all of the DNS resolver configuration in a single message. + repeated core.v3.Address dns_resolvers = 18 + [deprecated = true, (envoy.annotations.deprecated_at_minor_version) = "3.0"]; + + // Always use TCP queries instead of UDP queries for DNS lookups. + // This field is deprecated in favor of ``dns_resolution_config`` + // which aggregates all of the DNS resolver configuration in a single message. + bool use_tcp_for_dns_lookups = 45 + [deprecated = true, (envoy.annotations.deprecated_at_minor_version) = "3.0"]; + + // DNS resolution configuration which includes the underlying dns resolver addresses and options. + // This field is deprecated in favor of + // :ref:`typed_dns_resolver_config `. + core.v3.DnsResolutionConfig dns_resolution_config = 53 + [deprecated = true, (envoy.annotations.deprecated_at_minor_version) = "3.0"]; + + // DNS resolver type configuration extension. This extension can be used to configure c-ares, apple, + // or any other DNS resolver types and the related parameters. + // For example, an object of + // :ref:`CaresDnsResolverConfig ` + // can be packed into this ``typed_dns_resolver_config``. This configuration replaces the + // :ref:`dns_resolution_config ` + // configuration. + // During the transition period when both ``dns_resolution_config`` and ``typed_dns_resolver_config`` exists, + // when ``typed_dns_resolver_config`` is in place, Envoy will use it and ignore ``dns_resolution_config``. + // When ``typed_dns_resolver_config`` is missing, the default behavior is in place. + // Also note that this field is deprecated for logical dns and strict dns clusters and will be ignored when + // :ref:`cluster_type` is configured with + // :ref:`DnsCluster`. + // [#extension-category: envoy.network.dns_resolver] + core.v3.TypedExtensionConfig typed_dns_resolver_config = 55; + + // Optional configuration for having cluster readiness block on warm-up. Currently, only applicable for + // :ref:`STRICT_DNS`, + // or :ref:`LOGICAL_DNS`, + // or :ref:`Redis Cluster`. + // If true, cluster readiness blocks on warm-up. If false, the cluster will complete + // initialization whether or not warm-up has completed. Defaults to true. + google.protobuf.BoolValue wait_for_warm_on_init = 54; + + // If specified, outlier detection will be enabled for this upstream cluster. + // Each of the configuration values can be overridden via + // :ref:`runtime values `. + OutlierDetection outlier_detection = 19; + + // The interval for removing stale hosts from a cluster type + // :ref:`ORIGINAL_DST`. + // Hosts are considered stale if they have not been used + // as upstream destinations during this interval. New hosts are added + // to original destination clusters on demand as new connections are + // redirected to Envoy, causing the number of hosts in the cluster to + // grow over time. Hosts that are not stale (they are actively used as + // destinations) are kept in the cluster, which allows connections to + // them remain open, saving the latency that would otherwise be spent + // on opening new connections. If this setting is not specified, the + // value defaults to 5000ms. For cluster types other than + // :ref:`ORIGINAL_DST` + // this setting is ignored. + google.protobuf.Duration cleanup_interval = 20 [(validate.rules).duration = {gt {}}]; + + // Optional configuration used to bind newly established upstream connections. + // This overrides any bind_config specified in the bootstrap proto. + // If the address and port are empty, no bind will be performed. + core.v3.BindConfig upstream_bind_config = 21; + + // Configuration for load balancing subsetting. + LbSubsetConfig lb_subset_config = 22; + + // Optional configuration for the load balancing algorithm selected by + // LbPolicy. Currently only + // :ref:`RING_HASH`, + // :ref:`MAGLEV` and + // :ref:`LEAST_REQUEST` + // has additional configuration options. + // Specifying ring_hash_lb_config or maglev_lb_config or least_request_lb_config without setting the corresponding + // LbPolicy will generate an error at runtime. + oneof lb_config { + // Optional configuration for the Ring Hash load balancing policy. + RingHashLbConfig ring_hash_lb_config = 23; + + // Optional configuration for the Maglev load balancing policy. + MaglevLbConfig maglev_lb_config = 52; + + // Optional configuration for the Original Destination load balancing policy. + OriginalDstLbConfig original_dst_lb_config = 34; + + // Optional configuration for the LeastRequest load balancing policy. + LeastRequestLbConfig least_request_lb_config = 37; + + // Optional configuration for the RoundRobin load balancing policy. + RoundRobinLbConfig round_robin_lb_config = 56; + } + + // Common configuration for all load balancer implementations. + CommonLbConfig common_lb_config = 27; + + // Optional custom transport socket implementation to use for upstream connections. + // To setup TLS, set a transport socket with name ``envoy.transport_sockets.tls`` and + // :ref:`UpstreamTlsContexts ` in the ``typed_config``. + // If no transport socket configuration is specified, new connections + // will be set up with plaintext. + core.v3.TransportSocket transport_socket = 24; + + // The Metadata field can be used to provide additional information about the + // cluster. It can be used for stats, logging, and varying filter behavior. + // Fields should use reverse DNS notation to denote which entity within Envoy + // will need the information. For instance, if the metadata is intended for + // the Router filter, the filter name should be specified as ``envoy.filters.http.router``. + core.v3.Metadata metadata = 25; + + // Determines how Envoy selects the protocol used to speak to upstream hosts. + // This has been deprecated in favor of setting explicit protocol selection + // in the :ref:`http_protocol_options + // ` message. + // http_protocol_options can be set via the cluster's + // :ref:`extension_protocol_options`. + ClusterProtocolSelection protocol_selection = 26 + [deprecated = true, (envoy.annotations.deprecated_at_minor_version) = "3.0"]; + + // Optional options for upstream connections. + UpstreamConnectionOptions upstream_connection_options = 30; + + // If an upstream host becomes unhealthy (as determined by the configured health checks + // or outlier detection), immediately close all connections to the failed host. + // + // .. note:: + // + // This is currently only supported for connections created by tcp_proxy. + // + // .. note:: + // + // The current implementation of this feature closes all connections immediately when + // the unhealthy status is detected. If there are a large number of connections open + // to an upstream host that becomes unhealthy, Envoy may spend a substantial amount of + // time exclusively closing these connections, and not processing any other traffic. + bool close_connections_on_host_health_failure = 31; + + // If set to true, Envoy will ignore the health value of a host when processing its removal + // from service discovery. This means that if active health checking is used, Envoy will *not* + // wait for the endpoint to go unhealthy before removing it. + bool ignore_health_on_host_removal = 32; + + // An (optional) network filter chain, listed in the order the filters should be applied. + // The chain will be applied to all outgoing connections that Envoy makes to the upstream + // servers of this cluster. + repeated Filter filters = 40; + + // If this field is set and is supported by the client, it will supersede the value of + // :ref:`lb_policy`. + LoadBalancingPolicy load_balancing_policy = 41; + + // [#not-implemented-hide:] + // If present, tells the client where to send load reports via LRS. If not present, the + // client will fall back to a client-side default, which may be either (a) don't send any + // load reports or (b) send load reports for all clusters to a single default server + // (which may be configured in the bootstrap file). + // + // Note that if multiple clusters point to the same LRS server, the client may choose to + // create a separate stream for each cluster or it may choose to coalesce the data for + // multiple clusters onto a single stream. Either way, the client must make sure to send + // the data for any given cluster on no more than one stream. + // + // [#next-major-version: In the v3 API, we should consider restructuring this somehow, + // maybe by allowing LRS to go on the ADS stream, or maybe by moving some of the negotiation + // from the LRS stream here.] + core.v3.ConfigSource lrs_server = 42; + + // A list of metric names from :ref:`ORCA load reports ` to propagate to LRS. + // + // If not specified, then ORCA load reports will not be propagated to LRS. + // + // For map fields in the ORCA proto, the string will be of the form ``.``. + // For example, the string ``named_metrics.foo`` will mean to look for the key ``foo`` in the ORCA + // :ref:`named_metrics ` field. + // + // The special map key ``*`` means to report all entries in the map (e.g., ``named_metrics.*`` means to + // report all entries in the ORCA named_metrics field). Note that this should be used only with trusted + // backends. + // + // The metric names in LRS will follow the same semantics as this field. In other words, if this field + // contains ``named_metrics.foo``, then the LRS load report will include the data with that same string + // as the key. + repeated string lrs_report_endpoint_metrics = 57; + + // If track_timeout_budgets is true, the :ref:`timeout budget histograms + // ` will be published for each + // request. These show what percentage of a request's per try and global timeout was used. A value + // of 0 would indicate that none of the timeout was used or that the timeout was infinite. A value + // of 100 would indicate that the request took the entirety of the timeout given to it. + // + // .. attention:: + // + // This field has been deprecated in favor of ``timeout_budgets``, part of + // :ref:`track_cluster_stats `. + bool track_timeout_budgets = 47 + [deprecated = true, (envoy.annotations.deprecated_at_minor_version) = "3.0"]; + + // Optional customization and configuration of upstream connection pool, and upstream type. + // + // Currently this field only applies for HTTP traffic but is designed for eventual use for custom + // TCP upstreams. + // + // For HTTP traffic, Envoy will generally take downstream HTTP and send it upstream as upstream + // HTTP, using the http connection pool and the codec from ``http2_protocol_options`` + // + // For routes where CONNECT termination is configured, Envoy will take downstream CONNECT + // requests and forward the CONNECT payload upstream over raw TCP using the tcp connection pool. + // + // The default pool used is the generic connection pool which creates the HTTP upstream for most + // HTTP requests, and the TCP upstream if CONNECT termination is configured. + // + // If users desire custom connection pool or upstream behavior, for example terminating + // CONNECT only if a custom filter indicates it is appropriate, the custom factories + // can be registered and configured here. + // [#extension-category: envoy.upstreams] + core.v3.TypedExtensionConfig upstream_config = 48; + + // Configuration to track optional cluster stats. + TrackClusterStats track_cluster_stats = 49; + + // Preconnect configuration for this cluster. + PreconnectPolicy preconnect_policy = 50; + + // If ``connection_pool_per_downstream_connection`` is true, the cluster will use a separate + // connection pool for every downstream connection + bool connection_pool_per_downstream_connection = 51; +} + +// Extensible load balancing policy configuration. +// +// Every LB policy defined via this mechanism will be identified via a unique name using reverse +// DNS notation. If the policy needs configuration parameters, it must define a message for its +// own configuration, which will be stored in the config field. The name of the policy will tell +// clients which type of message they should expect to see in the config field. +// +// Note that there are cases where it is useful to be able to independently select LB policies +// for choosing a locality and for choosing an endpoint within that locality. For example, a +// given deployment may always use the same policy to choose the locality, but for choosing the +// endpoint within the locality, some clusters may use weighted-round-robin, while others may +// use some sort of session-based balancing. +// +// This can be accomplished via hierarchical LB policies, where the parent LB policy creates a +// child LB policy for each locality. For each request, the parent chooses the locality and then +// delegates to the child policy for that locality to choose the endpoint within the locality. +// +// To facilitate this, the config message for the top-level LB policy may include a field of +// type LoadBalancingPolicy that specifies the child policy. +message LoadBalancingPolicy { + option (udpa.annotations.versioning).previous_message_type = "envoy.api.v2.LoadBalancingPolicy"; + + message Policy { + option (udpa.annotations.versioning).previous_message_type = + "envoy.api.v2.LoadBalancingPolicy.Policy"; + + reserved 2, 1, 3; + + reserved "config", "name", "typed_config"; + + // [#extension-category: envoy.load_balancing_policies] + core.v3.TypedExtensionConfig typed_extension_config = 4; + } + + // Each client will iterate over the list in order and stop at the first policy that it + // supports. This provides a mechanism for starting to use new LB policies that are not yet + // supported by all clients. + repeated Policy policies = 1; +} + +message UpstreamConnectionOptions { + option (udpa.annotations.versioning).previous_message_type = + "envoy.api.v2.UpstreamConnectionOptions"; + + enum FirstAddressFamilyVersion { + // respect the native ranking of destination ip addresses returned from dns + // resolution + DEFAULT = 0; + + V4 = 1; + + V6 = 2; + } + + message HappyEyeballsConfig { + // Specify the IP address family to attempt connection first in happy + // eyeballs algorithm according to RFC8305#section-4. + FirstAddressFamilyVersion first_address_family_version = 1; + + // Specify the number of addresses of the first_address_family_version being + // attempted for connection before the other address family. + google.protobuf.UInt32Value first_address_family_count = 2 [(validate.rules).uint32 = {gte: 1}]; + } + + // If set then set SO_KEEPALIVE on the socket to enable TCP Keepalives. + core.v3.TcpKeepalive tcp_keepalive = 1; + + // If enabled, associates the interface name of the local address with the upstream connection. + // This can be used by extensions during processing of requests. The association mechanism is + // implementation specific. Defaults to false due to performance concerns. + bool set_local_interface_name_on_upstream_connections = 2; + + // Configurations for happy eyeballs algorithm. + // Add configs for first_address_family_version and first_address_family_count + // when sorting destination ip addresses. + HappyEyeballsConfig happy_eyeballs_config = 3; +} + +message TrackClusterStats { + // If timeout_budgets is true, the :ref:`timeout budget histograms + // ` will be published for each + // request. These show what percentage of a request's per try and global timeout was used. A value + // of 0 would indicate that none of the timeout was used or that the timeout was infinite. A value + // of 100 would indicate that the request took the entirety of the timeout given to it. + bool timeout_budgets = 1; + + // If request_response_sizes is true, then the :ref:`histograms + // ` tracking header and body sizes + // of requests and responses will be published. Additionally, number of headers in the requests and responses will be tracked. + bool request_response_sizes = 2; + + // If true, some stats will be emitted per-endpoint, similar to the stats in admin ``/clusters`` + // output. + // + // This does not currently output correct stats during a hot-restart. + // + // This is not currently implemented by all stat sinks. + // + // These stats do not honor filtering or tag extraction rules in :ref:`StatsConfig + // ` (but fixed-value tags are supported). Admin + // endpoint filtering is supported. + // + // This may not be used at the same time as + // :ref:`load_stats_config `. + bool per_endpoint_stats = 3; +} diff --git a/grpc-xds/proto/third_party/envoy/envoy/config/cluster/v3/filter.proto b/grpc-xds/proto/third_party/envoy/envoy/config/cluster/v3/filter.proto new file mode 100644 index 000000000..54611edbf --- /dev/null +++ b/grpc-xds/proto/third_party/envoy/envoy/config/cluster/v3/filter.proto @@ -0,0 +1,40 @@ +syntax = "proto3"; + +package envoy.config.cluster.v3; + +import "envoy/config/core/v3/config_source.proto"; + +import "google/protobuf/any.proto"; + +import "udpa/annotations/status.proto"; +import "udpa/annotations/versioning.proto"; +import "validate/validate.proto"; + +option java_package = "io.envoyproxy.envoy.config.cluster.v3"; +option java_outer_classname = "FilterProto"; +option java_multiple_files = true; +option go_package = "github.com/envoyproxy/go-control-plane/envoy/config/cluster/v3;clusterv3"; +option (udpa.annotations.file_status).package_version_status = ACTIVE; + +// [#protodoc-title: Upstream network filters] +// Upstream network filters apply to the connections to the upstream cluster hosts. + +message Filter { + option (udpa.annotations.versioning).previous_message_type = "envoy.api.v2.cluster.Filter"; + + // The name of the filter configuration. + string name = 1 [(validate.rules).string = {min_len: 1}]; + + // Filter specific configuration which depends on the filter being + // instantiated. See the supported filters for further documentation. + // Note that Envoy's :ref:`downstream network + // filters ` are not valid upstream network filters. + // Only one of typed_config or config_discovery can be used. + google.protobuf.Any typed_config = 2; + + // Configuration source specifier for an extension configuration discovery + // service. In case of a failure and without the default configuration, the + // listener closes the connections. + // Only one of typed_config or config_discovery can be used. + core.v3.ExtensionConfigSource config_discovery = 3; +} diff --git a/grpc-xds/proto/third_party/envoy/envoy/config/cluster/v3/outlier_detection.proto b/grpc-xds/proto/third_party/envoy/envoy/config/cluster/v3/outlier_detection.proto new file mode 100644 index 000000000..822d81da8 --- /dev/null +++ b/grpc-xds/proto/third_party/envoy/envoy/config/cluster/v3/outlier_detection.proto @@ -0,0 +1,180 @@ +syntax = "proto3"; + +package envoy.config.cluster.v3; + +import "envoy/config/core/v3/extension.proto"; + +import "google/protobuf/duration.proto"; +import "google/protobuf/wrappers.proto"; + +import "udpa/annotations/status.proto"; +import "udpa/annotations/versioning.proto"; +import "validate/validate.proto"; + +option java_package = "io.envoyproxy.envoy.config.cluster.v3"; +option java_outer_classname = "OutlierDetectionProto"; +option java_multiple_files = true; +option go_package = "github.com/envoyproxy/go-control-plane/envoy/config/cluster/v3;clusterv3"; +option (udpa.annotations.file_status).package_version_status = ACTIVE; + +// [#protodoc-title: Outlier detection] + +// See the :ref:`architecture overview ` for +// more information on outlier detection. +// [#next-free-field: 26] +message OutlierDetection { + option (udpa.annotations.versioning).previous_message_type = + "envoy.api.v2.cluster.OutlierDetection"; + + // The number of consecutive server-side error responses (for HTTP traffic, + // 5xx responses; for TCP traffic, connection failures; for Redis, failure to + // respond PONG; etc.) before a consecutive 5xx ejection occurs. Defaults to 5. + google.protobuf.UInt32Value consecutive_5xx = 1; + + // The time interval between ejection analysis sweeps. This can result in + // both new ejections as well as hosts being returned to service. Defaults + // to 10000ms or 10s. + google.protobuf.Duration interval = 2 [(validate.rules).duration = {gt {}}]; + + // The base time that a host is ejected for. The real time is equal to the + // base time multiplied by the number of times the host has been ejected and is + // capped by :ref:`max_ejection_time`. + // Defaults to 30000ms or 30s. + google.protobuf.Duration base_ejection_time = 3 [(validate.rules).duration = {gt {}}]; + + // The maximum % of an upstream cluster that can be ejected due to outlier detection. Defaults to 10% . + // Will eject at least one host regardless of the value if :ref:`always_eject_one_host` is enabled. + google.protobuf.UInt32Value max_ejection_percent = 4 [(validate.rules).uint32 = {lte: 100}]; + + // The % chance that a host will be actually ejected when an outlier status + // is detected through consecutive 5xx. This setting can be used to disable + // ejection or to ramp it up slowly. Defaults to 100. + google.protobuf.UInt32Value enforcing_consecutive_5xx = 5 [(validate.rules).uint32 = {lte: 100}]; + + // The % chance that a host will be actually ejected when an outlier status + // is detected through success rate statistics. This setting can be used to + // disable ejection or to ramp it up slowly. Defaults to 100. + google.protobuf.UInt32Value enforcing_success_rate = 6 [(validate.rules).uint32 = {lte: 100}]; + + // The number of hosts in a cluster that must have enough request volume to + // detect success rate outliers. If the number of hosts is less than this + // setting, outlier detection via success rate statistics is not performed + // for any host in the cluster. Defaults to 5. + google.protobuf.UInt32Value success_rate_minimum_hosts = 7; + + // The minimum number of total requests that must be collected in one + // interval (as defined by the interval duration above) to include this host + // in success rate based outlier detection. If the volume is lower than this + // setting, outlier detection via success rate statistics is not performed + // for that host. Defaults to 100. + google.protobuf.UInt32Value success_rate_request_volume = 8; + + // This factor is used to determine the ejection threshold for success rate + // outlier ejection. The ejection threshold is the difference between the + // mean success rate, and the product of this factor and the standard + // deviation of the mean success rate: mean - (stdev * + // success_rate_stdev_factor). This factor is divided by a thousand to get a + // double. That is, if the desired factor is 1.9, the runtime value should + // be 1900. Defaults to 1900. + google.protobuf.UInt32Value success_rate_stdev_factor = 9; + + // The number of consecutive gateway failures (502, 503, 504 status codes) + // before a consecutive gateway failure ejection occurs. Defaults to 5. + google.protobuf.UInt32Value consecutive_gateway_failure = 10; + + // The % chance that a host will be actually ejected when an outlier status + // is detected through consecutive gateway failures. This setting can be + // used to disable ejection or to ramp it up slowly. Defaults to 0. + google.protobuf.UInt32Value enforcing_consecutive_gateway_failure = 11 + [(validate.rules).uint32 = {lte: 100}]; + + // Determines whether to distinguish local origin failures from external errors. If set to true + // the following configuration parameters are taken into account: + // :ref:`consecutive_local_origin_failure`, + // :ref:`enforcing_consecutive_local_origin_failure` + // and + // :ref:`enforcing_local_origin_success_rate`. + // Defaults to false. + bool split_external_local_origin_errors = 12; + + // The number of consecutive locally originated failures before ejection + // occurs. Defaults to 5. Parameter takes effect only when + // :ref:`split_external_local_origin_errors` + // is set to true. + google.protobuf.UInt32Value consecutive_local_origin_failure = 13; + + // The % chance that a host will be actually ejected when an outlier status + // is detected through consecutive locally originated failures. This setting can be + // used to disable ejection or to ramp it up slowly. Defaults to 100. + // Parameter takes effect only when + // :ref:`split_external_local_origin_errors` + // is set to true. + google.protobuf.UInt32Value enforcing_consecutive_local_origin_failure = 14 + [(validate.rules).uint32 = {lte: 100}]; + + // The % chance that a host will be actually ejected when an outlier status + // is detected through success rate statistics for locally originated errors. + // This setting can be used to disable ejection or to ramp it up slowly. Defaults to 100. + // Parameter takes effect only when + // :ref:`split_external_local_origin_errors` + // is set to true. + google.protobuf.UInt32Value enforcing_local_origin_success_rate = 15 + [(validate.rules).uint32 = {lte: 100}]; + + // The failure percentage to use when determining failure percentage-based outlier detection. If + // the failure percentage of a given host is greater than or equal to this value, it will be + // ejected. Defaults to 85. + google.protobuf.UInt32Value failure_percentage_threshold = 16 + [(validate.rules).uint32 = {lte: 100}]; + + // The % chance that a host will be actually ejected when an outlier status is detected through + // failure percentage statistics. This setting can be used to disable ejection or to ramp it up + // slowly. Defaults to 0. + // + // [#next-major-version: setting this without setting failure_percentage_threshold should be + // invalid in v4.] + google.protobuf.UInt32Value enforcing_failure_percentage = 17 + [(validate.rules).uint32 = {lte: 100}]; + + // The % chance that a host will be actually ejected when an outlier status is detected through + // local-origin failure percentage statistics. This setting can be used to disable ejection or to + // ramp it up slowly. Defaults to 0. + google.protobuf.UInt32Value enforcing_failure_percentage_local_origin = 18 + [(validate.rules).uint32 = {lte: 100}]; + + // The minimum number of hosts in a cluster in order to perform failure percentage-based ejection. + // If the total number of hosts in the cluster is less than this value, failure percentage-based + // ejection will not be performed. Defaults to 5. + google.protobuf.UInt32Value failure_percentage_minimum_hosts = 19; + + // The minimum number of total requests that must be collected in one interval (as defined by the + // interval duration above) to perform failure percentage-based ejection for this host. If the + // volume is lower than this setting, failure percentage-based ejection will not be performed for + // this host. Defaults to 50. + google.protobuf.UInt32Value failure_percentage_request_volume = 20; + + // The maximum time that a host is ejected for. See :ref:`base_ejection_time` + // for more information. If not specified, the default value (300000ms or 300s) or + // :ref:`base_ejection_time` value is applied, whatever is larger. + google.protobuf.Duration max_ejection_time = 21 [(validate.rules).duration = {gt {}}]; + + // The maximum amount of jitter to add to the ejection time, in order to prevent + // a 'thundering herd' effect where all proxies try to reconnect to host at the same time. + // See :ref:`max_ejection_time_jitter` + // Defaults to 0s. + google.protobuf.Duration max_ejection_time_jitter = 22; + + // If active health checking is enabled and a host is ejected by outlier detection, a successful active health check + // unejects the host by default and considers it as healthy. Unejection also clears all the outlier detection counters. + // To change this default behavior set this config to ``false`` where active health checking will not uneject the host. + // Defaults to true. + google.protobuf.BoolValue successful_active_health_check_uneject_host = 23; + + // Set of host's passive monitors. + // [#not-implemented-hide:] + repeated core.v3.TypedExtensionConfig monitors = 24; + + // If enabled, at least one host is ejected regardless of the value of :ref:`max_ejection_percent`. + // Defaults to false. + google.protobuf.BoolValue always_eject_one_host = 25; +} diff --git a/grpc-xds/proto/third_party/envoy/envoy/config/common/matcher/v3/matcher.proto b/grpc-xds/proto/third_party/envoy/envoy/config/common/matcher/v3/matcher.proto new file mode 100644 index 000000000..9b189d1aa --- /dev/null +++ b/grpc-xds/proto/third_party/envoy/envoy/config/common/matcher/v3/matcher.proto @@ -0,0 +1,239 @@ +syntax = "proto3"; + +package envoy.config.common.matcher.v3; + +import "envoy/config/core/v3/extension.proto"; +import "envoy/config/route/v3/route_components.proto"; +import "envoy/type/matcher/v3/string.proto"; + +import "udpa/annotations/status.proto"; +import "validate/validate.proto"; + +option java_package = "io.envoyproxy.envoy.config.common.matcher.v3"; +option java_outer_classname = "MatcherProto"; +option java_multiple_files = true; +option go_package = "github.com/envoyproxy/go-control-plane/envoy/config/common/matcher/v3;matcherv3"; +option (udpa.annotations.file_status).package_version_status = ACTIVE; + +// [#protodoc-title: Unified Matcher API] + +// A matcher, which may traverse a matching tree in order to result in a match action. +// During matching, the tree will be traversed until a match is found, or if no match +// is found the action specified by the most specific on_no_match will be evaluated. +// As an on_no_match might result in another matching tree being evaluated, this process +// might repeat several times until the final OnMatch (or no match) is decided. +// +// .. note:: +// Please use the syntactically equivalent :ref:`matching API ` +message Matcher { + // What to do if a match is successful. + message OnMatch { + oneof on_match { + option (validate.required) = true; + + // Nested matcher to evaluate. + // If the nested matcher does not match and does not specify + // on_no_match, then this matcher is considered not to have + // matched, even if a predicate at this level or above returned + // true. + Matcher matcher = 1; + + // Protocol-specific action to take. + core.v3.TypedExtensionConfig action = 2; + } + + // If true, the action will be taken but the caller will behave as if no + // match was found. This applies both to actions directly encoded in the + // action field and to actions returned from a nested matcher tree in the + // matcher field. A subsequent matcher on_no_match action will be used + // instead. + // + // This field is not supported in all contexts in which the matcher API is + // used. If this field is set in a context in which it's not supported, + // the resource will be rejected. + bool keep_matching = 3; + } + + // A linear list of field matchers. + // The field matchers are evaluated in order, and the first match + // wins. + message MatcherList { + // Predicate to determine if a match is successful. + message Predicate { + // Predicate for a single input field. + message SinglePredicate { + // Protocol-specific specification of input field to match on. + // [#extension-category: envoy.matching.common_inputs] + core.v3.TypedExtensionConfig input = 1 [(validate.rules).message = {required: true}]; + + oneof matcher { + option (validate.required) = true; + + // Built-in string matcher. + type.matcher.v3.StringMatcher value_match = 2; + + // Extension for custom matching logic. + // [#extension-category: envoy.matching.input_matchers] + core.v3.TypedExtensionConfig custom_match = 3; + } + } + + // A list of two or more matchers. Used to allow using a list within a oneof. + message PredicateList { + repeated Predicate predicate = 1 [(validate.rules).repeated = {min_items: 2}]; + } + + oneof match_type { + option (validate.required) = true; + + // A single predicate to evaluate. + SinglePredicate single_predicate = 1; + + // A list of predicates to be OR-ed together. + PredicateList or_matcher = 2; + + // A list of predicates to be AND-ed together. + PredicateList and_matcher = 3; + + // The inverse of a predicate + Predicate not_matcher = 4; + } + } + + // An individual matcher. + message FieldMatcher { + // Determines if the match succeeds. + Predicate predicate = 1 [(validate.rules).message = {required: true}]; + + // What to do if the match succeeds. + OnMatch on_match = 2 [(validate.rules).message = {required: true}]; + } + + // A list of matchers. First match wins. + repeated FieldMatcher matchers = 1 [(validate.rules).repeated = {min_items: 1}]; + } + + message MatcherTree { + // A map of configured matchers. Used to allow using a map within a oneof. + message MatchMap { + map map = 1 [(validate.rules).map = {min_pairs: 1}]; + } + + // Protocol-specific specification of input field to match on. + core.v3.TypedExtensionConfig input = 1 [(validate.rules).message = {required: true}]; + + // Exact or prefix match maps in which to look up the input value. + // If the lookup succeeds, the match is considered successful, and + // the corresponding OnMatch is used. + oneof tree_type { + option (validate.required) = true; + + MatchMap exact_match_map = 2; + + // Longest matching prefix wins. + MatchMap prefix_match_map = 3; + + // Extension for custom matching logic. + core.v3.TypedExtensionConfig custom_match = 4; + } + } + + oneof matcher_type { + option (validate.required) = true; + + // A linear list of matchers to evaluate. + MatcherList matcher_list = 1; + + // A match tree to evaluate. + MatcherTree matcher_tree = 2; + } + + // Optional ``OnMatch`` to use if the matcher failed. + // If specified, the ``OnMatch`` is used, and the matcher is considered + // to have matched. + // If not specified, the matcher is considered not to have matched. + OnMatch on_no_match = 3; +} + +// Match configuration. This is a recursive structure which allows complex nested match +// configurations to be built using various logical operators. +// [#next-free-field: 11] +message MatchPredicate { + // A set of match configurations used for logical operations. + message MatchSet { + // The list of rules that make up the set. + repeated MatchPredicate rules = 1 [(validate.rules).repeated = {min_items: 2}]; + } + + oneof rule { + option (validate.required) = true; + + // A set that describes a logical OR. If any member of the set matches, the match configuration + // matches. + MatchSet or_match = 1; + + // A set that describes a logical AND. If all members of the set match, the match configuration + // matches. + MatchSet and_match = 2; + + // A negation match. The match configuration will match if the negated match condition matches. + MatchPredicate not_match = 3; + + // The match configuration will always match. + bool any_match = 4 [(validate.rules).bool = {const: true}]; + + // HTTP request headers match configuration. + HttpHeadersMatch http_request_headers_match = 5; + + // HTTP request trailers match configuration. + HttpHeadersMatch http_request_trailers_match = 6; + + // HTTP response headers match configuration. + HttpHeadersMatch http_response_headers_match = 7; + + // HTTP response trailers match configuration. + HttpHeadersMatch http_response_trailers_match = 8; + + // HTTP request generic body match configuration. + HttpGenericBodyMatch http_request_generic_body_match = 9; + + // HTTP response generic body match configuration. + HttpGenericBodyMatch http_response_generic_body_match = 10; + } +} + +// HTTP headers match configuration. +message HttpHeadersMatch { + // HTTP headers to match. + repeated route.v3.HeaderMatcher headers = 1; +} + +// HTTP generic body match configuration. +// List of text strings and hex strings to be located in HTTP body. +// All specified strings must be found in the HTTP body for positive match. +// The search may be limited to specified number of bytes from the body start. +// +// .. attention:: +// +// Searching for patterns in HTTP body is potentially CPU-intensive. For each specified pattern, HTTP body is scanned byte by byte to find a match. +// If multiple patterns are specified, the process is repeated for each pattern. If location of a pattern is known, ``bytes_limit`` should be specified +// to scan only part of the HTTP body. +message HttpGenericBodyMatch { + message GenericTextMatch { + oneof rule { + option (validate.required) = true; + + // Text string to be located in HTTP body. + string string_match = 1 [(validate.rules).string = {min_len: 1}]; + + // Sequence of bytes to be located in HTTP body. + bytes binary_match = 2 [(validate.rules).bytes = {min_len: 1}]; + } + } + + // Limits search to specified number of bytes - default zero (no limit - match entire captured buffer). + uint32 bytes_limit = 1; + + // List of patterns to match. + repeated GenericTextMatch patterns = 2 [(validate.rules).repeated = {min_items: 1}]; +} diff --git a/grpc-xds/proto/third_party/envoy/envoy/config/common/mutation_rules/v3/mutation_rules.proto b/grpc-xds/proto/third_party/envoy/envoy/config/common/mutation_rules/v3/mutation_rules.proto new file mode 100644 index 000000000..c015db214 --- /dev/null +++ b/grpc-xds/proto/third_party/envoy/envoy/config/common/mutation_rules/v3/mutation_rules.proto @@ -0,0 +1,113 @@ +syntax = "proto3"; + +package envoy.config.common.mutation_rules.v3; + +import "envoy/config/core/v3/base.proto"; +import "envoy/type/matcher/v3/regex.proto"; +import "envoy/type/matcher/v3/string.proto"; + +import "google/protobuf/wrappers.proto"; + +import "udpa/annotations/status.proto"; +import "validate/validate.proto"; + +option java_package = "io.envoyproxy.envoy.config.common.mutation_rules.v3"; +option java_outer_classname = "MutationRulesProto"; +option java_multiple_files = true; +option go_package = "github.com/envoyproxy/go-control-plane/envoy/config/common/mutation_rules/v3;mutation_rulesv3"; +option (udpa.annotations.file_status).package_version_status = ACTIVE; + +// [#protodoc-title: Header mutation rules] + +// The HeaderMutationRules structure specifies what headers may be +// manipulated by a processing filter. This set of rules makes it +// possible to control which modifications a filter may make. +// +// By default, an external processing server may add, modify, or remove +// any header except for an "Envoy internal" header (which is typically +// denoted by an x-envoy prefix) or specific headers that may affect +// further filter processing: +// +// * ``host`` +// * ``:authority`` +// * ``:scheme`` +// * ``:method`` +// +// Every attempt to add, change, append, or remove a header will be +// tested against the rules here. Disallowed header mutations will be +// ignored unless ``disallow_is_error`` is set to true. +// +// Attempts to remove headers are further constrained -- regardless of the +// settings, system-defined headers (that start with ``:``) and the ``host`` +// header may never be removed. +// +// In addition, a counter will be incremented whenever a mutation is +// rejected. In the ext_proc filter, that counter is named +// ``rejected_header_mutations``. +// [#next-free-field: 8] +message HeaderMutationRules { + // By default, certain headers that could affect processing of subsequent + // filters or request routing cannot be modified. These headers are + // ``host``, ``:authority``, ``:scheme``, and ``:method``. Setting this parameter + // to true allows these headers to be modified as well. + google.protobuf.BoolValue allow_all_routing = 1; + + // If true, allow modification of envoy internal headers. By default, these + // start with ``x-envoy`` but this may be overridden in the ``Bootstrap`` + // configuration using the + // :ref:`header_prefix ` + // field. Default is false. + google.protobuf.BoolValue allow_envoy = 2; + + // If true, prevent modification of any system header, defined as a header + // that starts with a ``:`` character, regardless of any other settings. + // A processing server may still override the ``:status`` of an HTTP response + // using an ``ImmediateResponse`` message. Default is false. + google.protobuf.BoolValue disallow_system = 3; + + // If true, prevent modifications of all header values, regardless of any + // other settings. A processing server may still override the ``:status`` + // of an HTTP response using an ``ImmediateResponse`` message. Default is false. + google.protobuf.BoolValue disallow_all = 4; + + // If set, specifically allow any header that matches this regular + // expression. This overrides all other settings except for + // ``disallow_expression``. + type.matcher.v3.RegexMatcher allow_expression = 5; + + // If set, specifically disallow any header that matches this regular + // expression regardless of any other settings. + type.matcher.v3.RegexMatcher disallow_expression = 6; + + // If true, and if the rules in this list cause a header mutation to be + // disallowed, then the filter using this configuration will terminate the + // request with a 500 error. In addition, regardless of the setting of this + // parameter, any attempt to set, add, or modify a disallowed header will + // cause the ``rejected_header_mutations`` counter to be incremented. + // Default is false. + google.protobuf.BoolValue disallow_is_error = 7; +} + +// The HeaderMutation structure specifies an action that may be taken on HTTP +// headers. +message HeaderMutation { + message RemoveOnMatch { + // A string matcher that will be applied to the header key. If the header key + // matches, the header will be removed. + type.matcher.v3.StringMatcher key_matcher = 1 [(validate.rules).message = {required: true}]; + } + + oneof action { + option (validate.required) = true; + + // Remove the specified header if it exists. + string remove = 1 + [(validate.rules).string = {well_known_regex: HTTP_HEADER_VALUE strict: false}]; + + // Append new header by the specified HeaderValueOption. + core.v3.HeaderValueOption append = 2; + + // Remove the header if the key matches the specified string matcher. + RemoveOnMatch remove_on_match = 3; + } +} diff --git a/grpc-xds/proto/third_party/envoy/envoy/config/core/v3/address.proto b/grpc-xds/proto/third_party/envoy/envoy/config/core/v3/address.proto new file mode 100644 index 000000000..17a68269e --- /dev/null +++ b/grpc-xds/proto/third_party/envoy/envoy/config/core/v3/address.proto @@ -0,0 +1,214 @@ +syntax = "proto3"; + +package envoy.config.core.v3; + +import "envoy/config/core/v3/extension.proto"; +import "envoy/config/core/v3/socket_option.proto"; + +import "google/protobuf/wrappers.proto"; + +import "envoy/annotations/deprecation.proto"; +import "udpa/annotations/status.proto"; +import "udpa/annotations/versioning.proto"; +import "validate/validate.proto"; + +option java_package = "io.envoyproxy.envoy.config.core.v3"; +option java_outer_classname = "AddressProto"; +option java_multiple_files = true; +option go_package = "github.com/envoyproxy/go-control-plane/envoy/config/core/v3;corev3"; +option (udpa.annotations.file_status).package_version_status = ACTIVE; + +// [#protodoc-title: Network addresses] + +message Pipe { + option (udpa.annotations.versioning).previous_message_type = "envoy.api.v2.core.Pipe"; + + // Unix Domain Socket path. On Linux, paths starting with '@' will use the + // abstract namespace. The starting '@' is replaced by a null byte by Envoy. + // Paths starting with '@' will result in an error in environments other than + // Linux. + string path = 1 [(validate.rules).string = {min_len: 1}]; + + // The mode for the Pipe. Not applicable for abstract sockets. + uint32 mode = 2 [(validate.rules).uint32 = {lte: 511}]; +} + +// The address represents an envoy internal listener. +// [#comment: TODO(asraa): When address available, remove workaround from test/server/server_fuzz_test.cc:30.] +message EnvoyInternalAddress { + oneof address_name_specifier { + option (validate.required) = true; + + // Specifies the :ref:`name ` of the + // internal listener. + string server_listener_name = 1; + } + + // Specifies an endpoint identifier to distinguish between multiple endpoints for the same internal listener in a + // single upstream pool. Only used in the upstream addresses for tracking changes to individual endpoints. This, for + // example, may be set to the final destination IP for the target internal listener. + string endpoint_id = 2; +} + +// [#next-free-field: 8] +message SocketAddress { + option (udpa.annotations.versioning).previous_message_type = "envoy.api.v2.core.SocketAddress"; + + enum Protocol { + TCP = 0; + UDP = 1; + } + + Protocol protocol = 1 [(validate.rules).enum = {defined_only: true}]; + + // The address for this socket. :ref:`Listeners ` will bind + // to the address. An empty address is not allowed. Specify ``0.0.0.0`` or ``::`` + // to bind to any address. [#comment:TODO(zuercher) reinstate when implemented: + // It is possible to distinguish a Listener address via the prefix/suffix matching + // in :ref:`FilterChainMatch `.] When used + // within an upstream :ref:`BindConfig `, the address + // controls the source address of outbound connections. For :ref:`clusters + // `, the cluster type determines whether the + // address must be an IP (``STATIC`` or ``EDS`` clusters) or a hostname resolved by DNS + // (``STRICT_DNS`` or ``LOGICAL_DNS`` clusters). Address resolution can be customized + // via :ref:`resolver_name `. + string address = 2 [(validate.rules).string = {min_len: 1}]; + + oneof port_specifier { + option (validate.required) = true; + + uint32 port_value = 3 [(validate.rules).uint32 = {lte: 65535}]; + + // This is only valid if :ref:`resolver_name + // ` is specified below and the + // named resolver is capable of named port resolution. + string named_port = 4; + } + + // The name of the custom resolver. This must have been registered with Envoy. If + // this is empty, a context dependent default applies. If the address is a concrete + // IP address, no resolution will occur. If address is a hostname this + // should be set for resolution other than DNS. Specifying a custom resolver with + // ``STRICT_DNS`` or ``LOGICAL_DNS`` will generate an error at runtime. + string resolver_name = 5; + + // When binding to an IPv6 address above, this enables `IPv4 compatibility + // `_. Binding to ``::`` will + // allow both IPv4 and IPv6 connections, with peer IPv4 addresses mapped into + // IPv6 space as ``::FFFF:``. + bool ipv4_compat = 6; + + // Filepath that specifies the Linux network namespace this socket will be created in (see ``man 7 + // network_namespaces``). If this field is set, Envoy will create the socket in the specified + // network namespace. + // + // .. note:: + // Setting this parameter requires Envoy to run with the ``CAP_NET_ADMIN`` capability. + // + // .. attention:: + // Network namespaces are only configurable on Linux. Otherwise, this field has no effect. + string network_namespace_filepath = 7; +} + +message TcpKeepalive { + option (udpa.annotations.versioning).previous_message_type = "envoy.api.v2.core.TcpKeepalive"; + + // Maximum number of keepalive probes to send without response before deciding + // the connection is dead. Default is to use the OS level configuration (unless + // overridden, Linux defaults to 9.) Setting this to ``0`` disables TCP keepalive. + google.protobuf.UInt32Value keepalive_probes = 1; + + // The number of seconds a connection needs to be idle before keep-alive probes + // start being sent. Default is to use the OS level configuration (unless + // overridden, Linux defaults to 7200s (i.e., 2 hours.) Setting this to ``0`` disables + // TCP keepalive. + google.protobuf.UInt32Value keepalive_time = 2; + + // The number of seconds between keep-alive probes. Default is to use the OS + // level configuration (unless overridden, Linux defaults to 75s.) Setting this to + // ``0`` disables TCP keepalive. + google.protobuf.UInt32Value keepalive_interval = 3; +} + +message ExtraSourceAddress { + // The additional address to bind. + SocketAddress address = 1 [(validate.rules).message = {required: true}]; + + // Additional socket options that may not be present in Envoy source code or + // precompiled binaries. If specified, this will override the + // :ref:`socket_options ` + // in the BindConfig. If specified with no + // :ref:`socket_options ` + // or an empty list of :ref:`socket_options `, + // it means no socket option will apply. + SocketOptionsOverride socket_options = 2; +} + +// [#next-free-field: 7] +message BindConfig { + option (udpa.annotations.versioning).previous_message_type = "envoy.api.v2.core.BindConfig"; + + // The address to bind to when creating a socket. + SocketAddress source_address = 1; + + // Whether to set the ``IP_FREEBIND`` option when creating the socket. When this + // flag is set to true, allows the :ref:`source_address + // ` to be an IP address + // that is not configured on the system running Envoy. When this flag is set + // to false, the option ``IP_FREEBIND`` is disabled on the socket. When this + // flag is not set (default), the socket is not modified, i.e. the option is + // neither enabled nor disabled. + google.protobuf.BoolValue freebind = 2; + + // Additional socket options that may not be present in Envoy source code or + // precompiled binaries. + repeated SocketOption socket_options = 3; + + // Extra source addresses appended to the address specified in the ``source_address`` + // field. This enables to specify multiple source addresses. + // The source address selection is determined by :ref:`local_address_selector + // `. + repeated ExtraSourceAddress extra_source_addresses = 5; + + // Deprecated by + // :ref:`extra_source_addresses ` + repeated SocketAddress additional_source_addresses = 4 + [deprecated = true, (envoy.annotations.deprecated_at_minor_version) = "3.0"]; + + // Custom local address selector to override the default (i.e. + // :ref:`DefaultLocalAddressSelector + // `). + // [#extension-category: envoy.upstream.local_address_selector] + TypedExtensionConfig local_address_selector = 6; +} + +// Addresses specify either a logical or physical address and port, which are +// used to tell Envoy where to bind/listen, connect to upstream and find +// management servers. +message Address { + option (udpa.annotations.versioning).previous_message_type = "envoy.api.v2.core.Address"; + + oneof address { + option (validate.required) = true; + + SocketAddress socket_address = 1; + + Pipe pipe = 2; + + // Specifies a user-space address handled by :ref:`internal listeners + // `. + EnvoyInternalAddress envoy_internal_address = 3; + } +} + +// CidrRange specifies an IP Address and a prefix length to construct +// the subnet mask for a `CIDR `_ range. +message CidrRange { + option (udpa.annotations.versioning).previous_message_type = "envoy.api.v2.core.CidrRange"; + + // IPv4 or IPv6 address, e.g. ``192.0.0.0`` or ``2001:db8::``. + string address_prefix = 1 [(validate.rules).string = {min_len: 1}]; + + // Length of prefix, e.g. 0, 32. Defaults to 0 when unset. + google.protobuf.UInt32Value prefix_len = 2 [(validate.rules).uint32 = {lte: 128}]; +} diff --git a/grpc-xds/proto/third_party/envoy/envoy/config/core/v3/backoff.proto b/grpc-xds/proto/third_party/envoy/envoy/config/core/v3/backoff.proto new file mode 100644 index 000000000..435b36190 --- /dev/null +++ b/grpc-xds/proto/third_party/envoy/envoy/config/core/v3/backoff.proto @@ -0,0 +1,37 @@ +syntax = "proto3"; + +package envoy.config.core.v3; + +import "google/protobuf/duration.proto"; + +import "udpa/annotations/status.proto"; +import "udpa/annotations/versioning.proto"; +import "validate/validate.proto"; + +option java_package = "io.envoyproxy.envoy.config.core.v3"; +option java_outer_classname = "BackoffProto"; +option java_multiple_files = true; +option go_package = "github.com/envoyproxy/go-control-plane/envoy/config/core/v3;corev3"; +option (udpa.annotations.file_status).package_version_status = ACTIVE; + +// [#protodoc-title: Backoff strategy] + +// Configuration defining a jittered exponential back off strategy. +message BackoffStrategy { + option (udpa.annotations.versioning).previous_message_type = "envoy.api.v2.core.BackoffStrategy"; + + // The base interval to be used for the next back off computation. It should + // be greater than zero and less than or equal to :ref:`max_interval + // `. + google.protobuf.Duration base_interval = 1 [(validate.rules).duration = { + required: true + gte {nanos: 1000000} + }]; + + // Specifies the maximum interval between retries. This parameter is optional, + // but must be greater than or equal to the :ref:`base_interval + // ` if set. The default + // is 10 times the :ref:`base_interval + // `. + google.protobuf.Duration max_interval = 2 [(validate.rules).duration = {gt {}}]; +} diff --git a/grpc-xds/proto/third_party/envoy/envoy/config/core/v3/base.proto b/grpc-xds/proto/third_party/envoy/envoy/config/core/v3/base.proto new file mode 100644 index 000000000..978f365d5 --- /dev/null +++ b/grpc-xds/proto/third_party/envoy/envoy/config/core/v3/base.proto @@ -0,0 +1,662 @@ +syntax = "proto3"; + +package envoy.config.core.v3; + +import "envoy/config/core/v3/address.proto"; +import "envoy/config/core/v3/backoff.proto"; +import "envoy/config/core/v3/http_uri.proto"; +import "envoy/type/v3/percent.proto"; +import "envoy/type/v3/semantic_version.proto"; + +import "google/protobuf/any.proto"; +import "google/protobuf/struct.proto"; +import "google/protobuf/wrappers.proto"; + +import "xds/core/v3/context_params.proto"; + +import "envoy/annotations/deprecation.proto"; +import "udpa/annotations/migrate.proto"; +import "udpa/annotations/status.proto"; +import "udpa/annotations/versioning.proto"; +import "validate/validate.proto"; + +option java_package = "io.envoyproxy.envoy.config.core.v3"; +option java_outer_classname = "BaseProto"; +option java_multiple_files = true; +option go_package = "github.com/envoyproxy/go-control-plane/envoy/config/core/v3;corev3"; +option (udpa.annotations.file_status).package_version_status = ACTIVE; + +// [#protodoc-title: Common types] + +// Envoy supports :ref:`upstream priority routing +// ` both at the route and the virtual +// cluster level. The current priority implementation uses different connection +// pool and circuit breaking settings for each priority level. This means that +// even for HTTP/2 requests, two physical connections will be used to an +// upstream host. In the future Envoy will likely support true HTTP/2 priority +// over a single upstream connection. +enum RoutingPriority { + DEFAULT = 0; + HIGH = 1; +} + +// HTTP request method. +enum RequestMethod { + METHOD_UNSPECIFIED = 0; + GET = 1; + HEAD = 2; + POST = 3; + PUT = 4; + DELETE = 5; + CONNECT = 6; + OPTIONS = 7; + TRACE = 8; + PATCH = 9; +} + +// Identifies the direction of the traffic relative to the local Envoy. +enum TrafficDirection { + // Default option is unspecified. + UNSPECIFIED = 0; + + // The transport is used for incoming traffic. + INBOUND = 1; + + // The transport is used for outgoing traffic. + OUTBOUND = 2; +} + +// Identifies location of where either Envoy runs or where upstream hosts run. +message Locality { + option (udpa.annotations.versioning).previous_message_type = "envoy.api.v2.core.Locality"; + + // Region this :ref:`zone ` belongs to. + string region = 1; + + // Defines the local service zone where Envoy is running. Though optional, it + // should be set if discovery service routing is used and the discovery + // service exposes :ref:`zone data `, + // either in this message or via :option:`--service-zone`. The meaning of zone + // is context dependent, e.g. `Availability Zone (AZ) + // `_ + // on AWS, `Zone `_ on + // GCP, etc. + string zone = 2; + + // When used for locality of upstream hosts, this field further splits zone + // into smaller chunks of sub-zones so they can be load balanced + // independently. + string sub_zone = 3; +} + +// BuildVersion combines SemVer version of extension with free-form build information +// (i.e. 'alpha', 'private-build') as a set of strings. +message BuildVersion { + option (udpa.annotations.versioning).previous_message_type = "envoy.api.v2.core.BuildVersion"; + + // SemVer version of extension. + type.v3.SemanticVersion version = 1; + + // Free-form build information. + // Envoy defines several well known keys in the source/common/version/version.h file + google.protobuf.Struct metadata = 2; +} + +// Version and identification for an Envoy extension. +// [#next-free-field: 7] +message Extension { + option (udpa.annotations.versioning).previous_message_type = "envoy.api.v2.core.Extension"; + + // This is the name of the Envoy filter as specified in the Envoy + // configuration, e.g. envoy.filters.http.router, com.acme.widget. + string name = 1; + + // Category of the extension. + // Extension category names use reverse DNS notation. For instance "envoy.filters.listener" + // for Envoy's built-in listener filters or "com.acme.filters.http" for HTTP filters from + // acme.com vendor. + // [#comment:TODO(yanavlasov): Link to the doc with existing envoy category names.] + string category = 2; + + // [#not-implemented-hide:] Type descriptor of extension configuration proto. + // [#comment:TODO(yanavlasov): Link to the doc with existing configuration protos.] + // [#comment:TODO(yanavlasov): Add tests when PR #9391 lands.] + string type_descriptor = 3 + [deprecated = true, (envoy.annotations.deprecated_at_minor_version) = "3.0"]; + + // The version is a property of the extension and maintained independently + // of other extensions and the Envoy API. + // This field is not set when extension did not provide version information. + BuildVersion version = 4; + + // Indicates that the extension is present but was disabled via dynamic configuration. + bool disabled = 5; + + // Type URLs of extension configuration protos. + repeated string type_urls = 6; +} + +// Identifies a specific Envoy instance. The node identifier is presented to the +// management server, which may use this identifier to distinguish per Envoy +// configuration for serving. +// [#next-free-field: 13] +message Node { + option (udpa.annotations.versioning).previous_message_type = "envoy.api.v2.core.Node"; + + reserved 5; + + reserved "build_version"; + + // An opaque node identifier for the Envoy node. This also provides the local + // service node name. It should be set if any of the following features are + // used: :ref:`statsd `, :ref:`CDS + // `, and :ref:`HTTP tracing + // `, either in this message or via + // :option:`--service-node`. + string id = 1; + + // Defines the local service cluster name where Envoy is running. Though + // optional, it should be set if any of the following features are used: + // :ref:`statsd `, :ref:`health check cluster + // verification + // `, + // :ref:`runtime override directory `, + // :ref:`user agent addition + // `, + // :ref:`HTTP global rate limiting `, + // :ref:`CDS `, and :ref:`HTTP tracing + // `, either in this message or via + // :option:`--service-cluster`. + string cluster = 2; + + // Opaque metadata extending the node identifier. Envoy will pass this + // directly to the management server. + google.protobuf.Struct metadata = 3; + + // Map from xDS resource type URL to dynamic context parameters. These may vary at runtime (unlike + // other fields in this message). For example, the xDS client may have a shard identifier that + // changes during the lifetime of the xDS client. In Envoy, this would be achieved by updating the + // dynamic context on the Server::Instance's LocalInfo context provider. The shard ID dynamic + // parameter then appears in this field during future discovery requests. + map dynamic_parameters = 12; + + // Locality specifying where the Envoy instance is running. + Locality locality = 4; + + // Free-form string that identifies the entity requesting config. + // E.g. "envoy" or "grpc" + string user_agent_name = 6; + + oneof user_agent_version_type { + // Free-form string that identifies the version of the entity requesting config. + // E.g. "1.12.2" or "abcd1234", or "SpecialEnvoyBuild" + string user_agent_version = 7; + + // Structured version of the entity requesting config. + BuildVersion user_agent_build_version = 8; + } + + // List of extensions and their versions supported by the node. + repeated Extension extensions = 9; + + // Client feature support list. These are well known features described + // in the Envoy API repository for a given major version of an API. Client features + // use reverse DNS naming scheme, for example ``com.acme.feature``. + // See :ref:`the list of features ` that xDS client may + // support. + repeated string client_features = 10; + + // Known listening ports on the node as a generic hint to the management server + // for filtering :ref:`listeners ` to be returned. For example, + // if there is a listener bound to port 80, the list can optionally contain the + // SocketAddress ``(0.0.0.0,80)``. The field is optional and just a hint. + repeated Address listening_addresses = 11 + [deprecated = true, (envoy.annotations.deprecated_at_minor_version) = "3.0"]; +} + +// Metadata provides additional inputs to filters based on matched listeners, +// filter chains, routes and endpoints. It is structured as a map, usually from +// filter name (in reverse DNS format) to metadata specific to the filter. Metadata +// key-values for a filter are merged as connection and request handling occurs, +// with later values for the same key overriding earlier values. +// +// An example use of metadata is providing additional values to +// http_connection_manager in the envoy.http_connection_manager.access_log +// namespace. +// +// Another example use of metadata is to per service config info in cluster metadata, which may get +// consumed by multiple filters. +// +// For load balancing, Metadata provides a means to subset cluster endpoints. +// Endpoints have a Metadata object associated and routes contain a Metadata +// object to match against. There are some well defined metadata used today for +// this purpose: +// +// * ``{"envoy.lb": {"canary": }}`` This indicates the canary status of an +// endpoint and is also used during header processing +// (x-envoy-upstream-canary) and for stats purposes. +// [#next-major-version: move to type/metadata/v2] +message Metadata { + option (udpa.annotations.versioning).previous_message_type = "envoy.api.v2.core.Metadata"; + + // Key is the reverse DNS filter name, e.g. com.acme.widget. The ``envoy.*`` + // namespace is reserved for Envoy's built-in filters. + // If both ``filter_metadata`` and + // :ref:`typed_filter_metadata ` + // fields are present in the metadata with same keys, + // only ``typed_filter_metadata`` field will be parsed. + map filter_metadata = 1 + [(validate.rules).map = {keys {string {min_len: 1}}}]; + + // Key is the reverse DNS filter name, e.g. com.acme.widget. The ``envoy.*`` + // namespace is reserved for Envoy's built-in filters. + // The value is encoded as google.protobuf.Any. + // If both :ref:`filter_metadata ` + // and ``typed_filter_metadata`` fields are present in the metadata with same keys, + // only ``typed_filter_metadata`` field will be parsed. + map typed_filter_metadata = 2 + [(validate.rules).map = {keys {string {min_len: 1}}}]; +} + +// Runtime derived uint32 with a default when not specified. +message RuntimeUInt32 { + option (udpa.annotations.versioning).previous_message_type = "envoy.api.v2.core.RuntimeUInt32"; + + // Default value if runtime value is not available. + uint32 default_value = 2; + + // Runtime key to get value for comparison. This value is used if defined. + string runtime_key = 3; +} + +// Runtime derived percentage with a default when not specified. +message RuntimePercent { + // Default value if runtime value is not available. + type.v3.Percent default_value = 1; + + // Runtime key to get value for comparison. This value is used if defined. + string runtime_key = 2; +} + +// Runtime derived double with a default when not specified. +message RuntimeDouble { + option (udpa.annotations.versioning).previous_message_type = "envoy.api.v2.core.RuntimeDouble"; + + // Default value if runtime value is not available. + double default_value = 1; + + // Runtime key to get value for comparison. This value is used if defined. + string runtime_key = 2; +} + +// Runtime derived bool with a default when not specified. +message RuntimeFeatureFlag { + option (udpa.annotations.versioning).previous_message_type = + "envoy.api.v2.core.RuntimeFeatureFlag"; + + // Default value if runtime value is not available. + google.protobuf.BoolValue default_value = 1 [(validate.rules).message = {required: true}]; + + // Runtime key to get value for comparison. This value is used if defined. The boolean value must + // be represented via its + // `canonical JSON encoding `_. + string runtime_key = 2; +} + +// Please use :ref:`KeyValuePair ` instead. +// [#not-implemented-hide:] +message KeyValue { + // The key of the key/value pair. + string key = 1 [ + deprecated = true, + (validate.rules).string = {min_len: 1 max_bytes: 16384}, + (envoy.annotations.deprecated_at_minor_version) = "3.0" + ]; + + // The value of the key/value pair. + // + // The ``bytes`` type is used. This means if JSON or YAML is used to to represent the + // configuration, the value must be base64 encoded. This is unfriendly for users in most + // use scenarios of this message. + // + bytes value = 2 [deprecated = true, (envoy.annotations.deprecated_at_minor_version) = "3.0"]; +} + +message KeyValuePair { + // The key of the key/value pair. + string key = 1 [(validate.rules).string = {min_len: 1 max_bytes: 16384}]; + + // The value of the key/value pair. + google.protobuf.Value value = 2; +} + +// Key/value pair plus option to control append behavior. This is used to specify +// key/value pairs that should be appended to a set of existing key/value pairs. +message KeyValueAppend { + // Describes the supported actions types for key/value pair append action. + enum KeyValueAppendAction { + // If the key already exists, this action will result in the following behavior: + // + // - Comma-concatenated value if multiple values are not allowed. + // - New value added to the list of values if multiple values are allowed. + // + // If the key doesn't exist then this will add pair with specified key and value. + APPEND_IF_EXISTS_OR_ADD = 0; + + // This action will add the key/value pair if it doesn't already exist. If the + // key already exists then this will be a no-op. + ADD_IF_ABSENT = 1; + + // This action will overwrite the specified value by discarding any existing + // values if the key already exists. If the key doesn't exist then this will add + // the pair with specified key and value. + OVERWRITE_IF_EXISTS_OR_ADD = 2; + + // This action will overwrite the specified value by discarding any existing + // values if the key already exists. If the key doesn't exist then this will + // be no-op. + OVERWRITE_IF_EXISTS = 3; + } + + // The single key/value pair record to be appended or overridden. This field must be set. + KeyValuePair record = 3; + + // Key/value pair entry that this option to append or overwrite. This field is deprecated + // and please use :ref:`record ` + // as replacement. + // [#not-implemented-hide:] + KeyValue entry = 1 [ + deprecated = true, + (validate.rules).message = {skip: true}, + (envoy.annotations.deprecated_at_minor_version) = "3.0" + ]; + + // Describes the action taken to append/overwrite the given value for an existing + // key or to only add this key if it's absent. + KeyValueAppendAction action = 2 [(validate.rules).enum = {defined_only: true}]; +} + +// Key/value pair to append or remove. +message KeyValueMutation { + // Key/value pair to append or overwrite. Only one of ``append`` or ``remove`` can be set or + // the configuration will be rejected. + KeyValueAppend append = 1; + + // Key to remove. Only one of ``append`` or ``remove`` can be set or the configuration will be + // rejected. + string remove = 2 [(validate.rules).string = {max_bytes: 16384}]; +} + +// Query parameter name/value pair. +message QueryParameter { + // The key of the query parameter. Case sensitive. + string key = 1 [(validate.rules).string = {min_len: 1}]; + + // The value of the query parameter. + string value = 2; +} + +// Header name/value pair. +message HeaderValue { + option (udpa.annotations.versioning).previous_message_type = "envoy.api.v2.core.HeaderValue"; + + // Header name. + string key = 1 + [(validate.rules).string = + {min_len: 1 max_bytes: 16384 well_known_regex: HTTP_HEADER_NAME strict: false}]; + + // Header value. + // + // The same :ref:`format specifier ` as used for + // :ref:`HTTP access logging ` applies here, however + // unknown header values are replaced with the empty string instead of ``-``. + // Header value is encoded as string. This does not work for non-utf8 characters. + // Only one of ``value`` or ``raw_value`` can be set. + string value = 2 [ + (validate.rules).string = {max_bytes: 16384 well_known_regex: HTTP_HEADER_VALUE strict: false}, + (udpa.annotations.field_migrate).oneof_promotion = "value_type" + ]; + + // Header value is encoded as bytes which can support non-utf8 characters. + // Only one of ``value`` or ``raw_value`` can be set. + bytes raw_value = 3 [ + (validate.rules).bytes = {min_len: 0 max_len: 16384}, + (udpa.annotations.field_migrate).oneof_promotion = "value_type" + ]; +} + +// Header name/value pair plus option to control append behavior. +message HeaderValueOption { + option (udpa.annotations.versioning).previous_message_type = + "envoy.api.v2.core.HeaderValueOption"; + + // Describes the supported actions types for header append action. + enum HeaderAppendAction { + // If the header already exists, this action will result in: + // + // - Comma-concatenated for predefined inline headers. + // - Duplicate header added in the ``HeaderMap`` for other headers. + // + // If the header doesn't exist then this will add new header with specified key and value. + APPEND_IF_EXISTS_OR_ADD = 0; + + // This action will add the header if it doesn't already exist. If the header + // already exists then this will be a no-op. + ADD_IF_ABSENT = 1; + + // This action will overwrite the specified value by discarding any existing values if + // the header already exists. If the header doesn't exist then this will add the header + // with specified key and value. + OVERWRITE_IF_EXISTS_OR_ADD = 2; + + // This action will overwrite the specified value by discarding any existing values if + // the header already exists. If the header doesn't exist then this will be no-op. + OVERWRITE_IF_EXISTS = 3; + } + + // Header name/value pair that this option applies to. + HeaderValue header = 1 [(validate.rules).message = {required: true}]; + + // Should the value be appended? If true (default), the value is appended to + // existing values. Otherwise it replaces any existing values. + // This field is deprecated and please use + // :ref:`append_action ` as replacement. + // + // .. note:: + // The :ref:`external authorization service ` and + // :ref:`external processor service ` have + // default value (``false``) for this field. + google.protobuf.BoolValue append = 2 + [deprecated = true, (envoy.annotations.deprecated_at_minor_version) = "3.0"]; + + // Describes the action taken to append/overwrite the given value for an existing header + // or to only add this header if it's absent. + // Value defaults to :ref:`APPEND_IF_EXISTS_OR_ADD + // `. + HeaderAppendAction append_action = 3 [(validate.rules).enum = {defined_only: true}]; + + // Is the header value allowed to be empty? If false (default), custom headers with empty values are dropped, + // otherwise they are added. + bool keep_empty_value = 4; +} + +// Wrapper for a set of headers. +message HeaderMap { + option (udpa.annotations.versioning).previous_message_type = "envoy.api.v2.core.HeaderMap"; + + // A list of header names and their values. + repeated HeaderValue headers = 1; +} + +// A directory that is watched for changes, e.g. by inotify on Linux. Move/rename +// events inside this directory trigger the watch. +message WatchedDirectory { + // Directory path to watch. + string path = 1 [(validate.rules).string = {min_len: 1}]; +} + +// Data source consisting of a file, an inline value, or an environment variable. +// [#next-free-field: 6] +message DataSource { + option (udpa.annotations.versioning).previous_message_type = "envoy.api.v2.core.DataSource"; + + oneof specifier { + option (validate.required) = true; + + // Local filesystem data source. + string filename = 1 [(validate.rules).string = {min_len: 1}]; + + // Bytes inlined in the configuration. + bytes inline_bytes = 2; + + // String inlined in the configuration. + string inline_string = 3; + + // Environment variable data source. + string environment_variable = 4 [(validate.rules).string = {min_len: 1}]; + } + + // Watched directory that is watched for file changes. If this is set explicitly, the file + // specified in the ``filename`` field will be reloaded when relevant file move events occur. + // + // .. note:: + // This field only makes sense when the ``filename`` field is set. + // + // .. note:: + // Envoy only updates when the file is replaced by a file move, and not when the file is + // edited in place. + // + // .. note:: + // Not all use cases of ``DataSource`` support watching directories. It depends on the + // specific usage of the ``DataSource``. See the documentation of the parent message for + // details. + WatchedDirectory watched_directory = 5; +} + +// The message specifies the retry policy of remote data source when fetching fails. +// [#next-free-field: 7] +message RetryPolicy { + option (udpa.annotations.versioning).previous_message_type = "envoy.api.v2.core.RetryPolicy"; + + // See :ref:`RetryPriority `. + message RetryPriority { + string name = 1 [(validate.rules).string = {min_len: 1}]; + + oneof config_type { + google.protobuf.Any typed_config = 2; + } + } + + // See :ref:`RetryHostPredicate `. + message RetryHostPredicate { + string name = 1 [(validate.rules).string = {min_len: 1}]; + + oneof config_type { + google.protobuf.Any typed_config = 2; + } + } + + // Specifies parameters that control :ref:`retry backoff strategy `. + // This parameter is optional, in which case the default base interval is 1000 milliseconds. The + // default maximum interval is 10 times the base interval. + BackoffStrategy retry_back_off = 1; + + // Specifies the allowed number of retries. This parameter is optional and + // defaults to 1. + google.protobuf.UInt32Value num_retries = 2 + [(udpa.annotations.field_migrate).rename = "max_retries"]; + + // For details, see :ref:`retry_on `. + string retry_on = 3; + + // For details, see :ref:`retry_priority `. + RetryPriority retry_priority = 4; + + // For details, see :ref:`RetryHostPredicate `. + repeated RetryHostPredicate retry_host_predicate = 5; + + // For details, see :ref:`host_selection_retry_max_attempts `. + int64 host_selection_retry_max_attempts = 6; +} + +// The message specifies how to fetch data from remote and how to verify it. +message RemoteDataSource { + option (udpa.annotations.versioning).previous_message_type = "envoy.api.v2.core.RemoteDataSource"; + + // The HTTP URI to fetch the remote data. + HttpUri http_uri = 1 [(validate.rules).message = {required: true}]; + + // SHA256 string for verifying data. + string sha256 = 2 [(validate.rules).string = {min_len: 1}]; + + // Retry policy for fetching remote data. + RetryPolicy retry_policy = 3; +} + +// Async data source which support async data fetch. +message AsyncDataSource { + option (udpa.annotations.versioning).previous_message_type = "envoy.api.v2.core.AsyncDataSource"; + + oneof specifier { + option (validate.required) = true; + + // Local async data source. + DataSource local = 1; + + // Remote async data source. + RemoteDataSource remote = 2; + } +} + +// Configuration for transport socket in :ref:`listeners ` and +// :ref:`clusters `. If the configuration is +// empty, a default transport socket implementation and configuration will be +// chosen based on the platform and existence of tls_context. +message TransportSocket { + option (udpa.annotations.versioning).previous_message_type = "envoy.api.v2.core.TransportSocket"; + + reserved 2; + + reserved "config"; + + // The name of the transport socket to instantiate. The name must match a supported transport + // socket implementation. + string name = 1 [(validate.rules).string = {min_len: 1}]; + + // Implementation specific configuration which depends on the implementation being instantiated. + // See the supported transport socket implementations for further documentation. + oneof config_type { + google.protobuf.Any typed_config = 3; + } +} + +// Runtime derived FractionalPercent with defaults for when the numerator or denominator is not +// specified via a runtime key. +// +// .. note:: +// +// Parsing of the runtime key's data is implemented such that it may be represented as a +// :ref:`FractionalPercent ` proto represented as JSON/YAML +// and may also be represented as an integer with the assumption that the value is an integral +// percentage out of 100. For instance, a runtime key lookup returning the value "42" would parse +// as a ``FractionalPercent`` whose numerator is 42 and denominator is HUNDRED. +message RuntimeFractionalPercent { + option (udpa.annotations.versioning).previous_message_type = + "envoy.api.v2.core.RuntimeFractionalPercent"; + + // Default value if the runtime value's for the numerator/denominator keys are not available. + type.v3.FractionalPercent default_value = 1 [(validate.rules).message = {required: true}]; + + // Runtime key for a YAML representation of a FractionalPercent. + string runtime_key = 2; +} + +// Identifies a specific ControlPlane instance that Envoy is connected to. +message ControlPlane { + option (udpa.annotations.versioning).previous_message_type = "envoy.api.v2.core.ControlPlane"; + + // An opaque control plane identifier that uniquely identifies an instance + // of control plane. This can be used to identify which control plane instance, + // the Envoy is connected to. + string identifier = 1; +} diff --git a/grpc-xds/proto/third_party/envoy/envoy/config/core/v3/cel.proto b/grpc-xds/proto/third_party/envoy/envoy/config/core/v3/cel.proto new file mode 100644 index 000000000..940a66d0b --- /dev/null +++ b/grpc-xds/proto/third_party/envoy/envoy/config/core/v3/cel.proto @@ -0,0 +1,63 @@ +syntax = "proto3"; + +package envoy.config.core.v3; + +import "udpa/annotations/status.proto"; + +option java_package = "io.envoyproxy.envoy.config.core.v3"; +option java_outer_classname = "CelProto"; +option java_multiple_files = true; +option go_package = "github.com/envoyproxy/go-control-plane/envoy/config/core/v3;corev3"; +option (udpa.annotations.file_status).package_version_status = ACTIVE; + +// [#protodoc-title: CEL Expression Configuration] + +// CEL expression evaluation configuration. +// These options control the behavior of the Common Expression Language runtime for +// individual CEL expressions. +message CelExpressionConfig { + // Enable string conversion functions for CEL expressions. When enabled, CEL expressions + // can convert values to strings using the ``string()`` function. + // + // .. attention:: + // + // This option is disabled by default to avoid unbounded memory allocation. + // CEL evaluation cost is typically bounded by the expression size, but converting + // arbitrary values (e.g., large messages, lists, or maps) to strings may allocate + // memory proportional to input data size, which can be unbounded and lead to + // memory exhaustion. + bool enable_string_conversion = 1; + + // Enable string concatenation for CEL expressions. When enabled, CEL expressions + // can concatenate strings using the ``+`` operator. + // + // .. attention:: + // + // This option is disabled by default to avoid unbounded memory allocation. + // While CEL normally bounds evaluation by expression size, enabling string + // concatenation allows building outputs whose size depends on input data, + // potentially causing large intermediate allocations and memory exhaustion. + bool enable_string_concat = 2; + + // Enable string manipulation functions for CEL expressions. When enabled, CEL + // expressions can use additional string functions: + // + // * ``replace(old, new)`` - Replaces all occurrences of ``old`` with ``new``. + // * ``split(separator)`` - Splits a string into a list of substrings. + // * ``lowerAscii()`` - Converts ASCII characters to lowercase. + // * ``upperAscii()`` - Converts ASCII characters to uppercase. + // + // .. note:: + // + // Standard CEL string functions like ``contains()``, ``startsWith()``, and + // ``endsWith()`` are always available regardless of this setting. + // + // .. attention:: + // + // This option is disabled by default to avoid unbounded memory allocation. + // Although CEL generally bounds evaluation by expression size, functions such as + // ``replace``, ``split``, ``lowerAscii()``, and ``upperAscii()`` can allocate memory + // proportional to input data size. Under adversarial inputs this can lead to + // unbounded allocations and memory exhaustion. + bool enable_string_functions = 3; +} diff --git a/grpc-xds/proto/third_party/envoy/envoy/config/core/v3/config_source.proto b/grpc-xds/proto/third_party/envoy/envoy/config/core/v3/config_source.proto new file mode 100644 index 000000000..430562aa5 --- /dev/null +++ b/grpc-xds/proto/third_party/envoy/envoy/config/core/v3/config_source.proto @@ -0,0 +1,283 @@ +syntax = "proto3"; + +package envoy.config.core.v3; + +import "envoy/config/core/v3/base.proto"; +import "envoy/config/core/v3/extension.proto"; +import "envoy/config/core/v3/grpc_service.proto"; + +import "google/protobuf/any.proto"; +import "google/protobuf/duration.proto"; +import "google/protobuf/wrappers.proto"; + +import "xds/core/v3/authority.proto"; + +import "envoy/annotations/deprecation.proto"; +import "udpa/annotations/status.proto"; +import "udpa/annotations/versioning.proto"; +import "validate/validate.proto"; + +option java_package = "io.envoyproxy.envoy.config.core.v3"; +option java_outer_classname = "ConfigSourceProto"; +option java_multiple_files = true; +option go_package = "github.com/envoyproxy/go-control-plane/envoy/config/core/v3;corev3"; +option (udpa.annotations.file_status).package_version_status = ACTIVE; + +// [#protodoc-title: Configuration sources] + +// xDS API and non-xDS services version. This is used to describe both resource and transport +// protocol versions (in distinct configuration fields). +enum ApiVersion { + // When not specified, we assume v3; it is the only supported version. + AUTO = 0; + + // Use xDS v2 API. This is no longer supported. + V2 = 1 [deprecated = true, (envoy.annotations.deprecated_at_minor_version_enum) = "3.0"]; + + // Use xDS v3 API. + V3 = 2; +} + +// API configuration source. This identifies the API type and cluster that Envoy +// will use to fetch an xDS API. +// [#next-free-field: 10] +message ApiConfigSource { + option (udpa.annotations.versioning).previous_message_type = "envoy.api.v2.core.ApiConfigSource"; + + // APIs may be fetched via either REST or gRPC. + enum ApiType { + // Ideally this would be 'reserved 0' but one can't reserve the default + // value. Instead we throw an exception if this is ever used. + DEPRECATED_AND_UNAVAILABLE_DO_NOT_USE = 0 + [deprecated = true, (envoy.annotations.disallowed_by_default_enum) = true]; + + // REST-JSON v2 API. The `canonical JSON encoding + // `_ for + // the v2 protos is used. + REST = 1; + + // SotW gRPC service. + GRPC = 2; + + // Using the delta xDS gRPC service, i.e. DeltaDiscovery{Request,Response} + // rather than Discovery{Request,Response}. Rather than sending Envoy the entire state + // with every update, the xDS server only sends what has changed since the last update. + DELTA_GRPC = 3; + + // SotW xDS gRPC with ADS. All resources which resolve to this configuration source will be + // multiplexed on a single connection to an ADS endpoint. + // [#not-implemented-hide:] + AGGREGATED_GRPC = 5; + + // Delta xDS gRPC with ADS. All resources which resolve to this configuration source will be + // multiplexed on a single connection to an ADS endpoint. + // [#not-implemented-hide:] + AGGREGATED_DELTA_GRPC = 6; + } + + // API type (gRPC, REST, delta gRPC) + ApiType api_type = 1 [(validate.rules).enum = {defined_only: true}]; + + // API version for xDS transport protocol. This describes the xDS gRPC/REST + // endpoint and version of [Delta]DiscoveryRequest/Response used on the wire. + ApiVersion transport_api_version = 8 [(validate.rules).enum = {defined_only: true}]; + + // Cluster names should be used only with REST. If > 1 + // cluster is defined, clusters will be cycled through if any kind of failure + // occurs. + // + // .. note:: + // + // The cluster with name ``cluster_name`` must be statically defined and its + // type must not be ``EDS``. + repeated string cluster_names = 2; + + // Multiple gRPC services be provided for GRPC. If > 1 cluster is defined, + // services will be cycled through if any kind of failure occurs. + repeated GrpcService grpc_services = 4; + + // For REST APIs, the delay between successive polls. + google.protobuf.Duration refresh_delay = 3; + + // For REST APIs, the request timeout. If not set, a default value of 1s will be used. + google.protobuf.Duration request_timeout = 5 [(validate.rules).duration = {gt {}}]; + + // For GRPC APIs, the rate limit settings. If present, discovery requests made by Envoy will be + // rate limited. + RateLimitSettings rate_limit_settings = 6; + + // Skip the node identifier in subsequent discovery requests for streaming gRPC config types. + bool set_node_on_first_message_only = 7; + + // A list of config validators that will be executed when a new update is + // received from the ApiConfigSource. Note that each validator handles a + // specific xDS service type, and only the validators corresponding to the + // type url (in ``:ref: DiscoveryResponse`` or ``:ref: DeltaDiscoveryResponse``) + // will be invoked. + // If the validator returns false or throws an exception, the config will be rejected by + // the client, and a NACK will be sent. + // [#extension-category: envoy.config.validators] + repeated TypedExtensionConfig config_validators = 9; +} + +// Aggregated Discovery Service (ADS) options. This is currently empty, but when +// set in :ref:`ConfigSource ` can be used to +// specify that ADS is to be used. +message AggregatedConfigSource { + option (udpa.annotations.versioning).previous_message_type = + "envoy.api.v2.core.AggregatedConfigSource"; +} + +// [#not-implemented-hide:] +// Self-referencing config source options. This is currently empty, but when +// set in :ref:`ConfigSource ` can be used to +// specify that other data can be obtained from the same server. +message SelfConfigSource { + option (udpa.annotations.versioning).previous_message_type = "envoy.api.v2.core.SelfConfigSource"; + + // API version for xDS transport protocol. This describes the xDS gRPC/REST + // endpoint and version of [Delta]DiscoveryRequest/Response used on the wire. + ApiVersion transport_api_version = 1 [(validate.rules).enum = {defined_only: true}]; +} + +// Rate Limit settings to be applied for discovery requests made by Envoy. +message RateLimitSettings { + option (udpa.annotations.versioning).previous_message_type = + "envoy.api.v2.core.RateLimitSettings"; + + // Maximum number of tokens to be used for rate limiting discovery request calls. If not set, a + // default value of 100 will be used. + google.protobuf.UInt32Value max_tokens = 1; + + // Rate at which tokens will be filled per second. If not set, a default fill rate of 10 tokens + // per second will be used. The minimal fill rate is once per year. Lower + // fill rates will be set to once per year. + google.protobuf.DoubleValue fill_rate = 2 [(validate.rules).double = {gt: 0.0}]; +} + +// Local filesystem path configuration source. +message PathConfigSource { + // Path on the filesystem to source and watch for configuration updates. + // When sourcing configuration for a :ref:`secret `, + // the certificate and key files are also watched for updates. + // + // .. note:: + // + // The path to the source must exist at config load time. + // + // .. note:: + // + // If ``watched_directory`` is *not* configured, Envoy will watch the file path for *moves*. + // This is because in general only moves are atomic. The same method of swapping files as is + // demonstrated in the :ref:`runtime documentation ` can be + // used here also. If ``watched_directory`` is configured, no watch will be placed directly on + // this path. Instead, the configured ``watched_directory`` will be used to trigger reloads of + // this path. This is required in certain deployment scenarios. See below for more information. + string path = 1 [(validate.rules).string = {min_len: 1}]; + + // If configured, this directory will be watched for *moves*. When an entry in this directory is + // moved to, the ``path`` will be reloaded. This is required in certain deployment scenarios. + // + // Specifically, if trying to load an xDS resource using a + // `Kubernetes ConfigMap `_, the + // following configuration might be used: + // 1. Store xds.yaml inside a ConfigMap. + // 2. Mount the ConfigMap to ``/config_map/xds`` + // 3. Configure path ``/config_map/xds/xds.yaml`` + // 4. Configure watched directory ``/config_map/xds`` + // + // The above configuration will ensure that Envoy watches the owning directory for moves which is + // required due to how Kubernetes manages ConfigMap symbolic links during atomic updates. + WatchedDirectory watched_directory = 2; +} + +// Configuration for :ref:`listeners `, :ref:`clusters +// `, :ref:`routes +// `, :ref:`endpoints +// ` etc. may either be sourced from the +// filesystem or from an xDS API source. Filesystem configs are watched with +// inotify for updates. +// [#next-free-field: 9] +message ConfigSource { + option (udpa.annotations.versioning).previous_message_type = "envoy.api.v2.core.ConfigSource"; + + // Authorities that this config source may be used for. An authority specified in a xdstp:// URL + // is resolved to a ``ConfigSource`` prior to configuration fetch. This field provides the + // association between authority name and configuration source. + // [#not-implemented-hide:] + repeated xds.core.v3.Authority authorities = 7; + + oneof config_source_specifier { + option (validate.required) = true; + + // Deprecated in favor of ``path_config_source``. Use that field instead. + string path = 1 [deprecated = true, (envoy.annotations.deprecated_at_minor_version) = "3.0"]; + + // Local filesystem path configuration source. + PathConfigSource path_config_source = 8; + + // API configuration source. + ApiConfigSource api_config_source = 2; + + // When set, ADS will be used to fetch resources. The ADS API configuration + // source in the bootstrap configuration is used. + AggregatedConfigSource ads = 3; + + // [#not-implemented-hide:] + // When set, the client will access the resources from the same server it got the + // ConfigSource from, although not necessarily from the same stream. This is similar to the + // :ref:`ads` field, except that the client may use a + // different stream to the same server. As a result, this field can be used for things + // like LRS that cannot be sent on an ADS stream. It can also be used to link from (e.g.) + // LDS to RDS on the same server without requiring the management server to know its name + // or required credentials. + // [#next-major-version: In xDS v3, consider replacing the ads field with this one, since + // this field can implicitly mean to use the same stream in the case where the ConfigSource + // is provided via ADS and the specified data can also be obtained via ADS.] + SelfConfigSource self = 5; + } + + // When this timeout is specified, Envoy will wait no longer than the specified time for first + // config response on this xDS subscription during the :ref:`initialization process + // `. After reaching the timeout, Envoy will move to the next + // initialization phase, even if the first config is not delivered yet. The timer is activated + // when the xDS API subscription starts, and is disarmed on first config update or on error. 0 + // means no timeout - Envoy will wait indefinitely for the first xDS config (unless another + // timeout applies). The default is 15s. + google.protobuf.Duration initial_fetch_timeout = 4; + + // API version for xDS resources. This implies the type URLs that the client + // will request for resources and the resource type that the client will in + // turn expect to be delivered. + ApiVersion resource_api_version = 6 [(validate.rules).enum = {defined_only: true}]; +} + +// Configuration source specifier for a late-bound extension configuration. The +// parent resource is warmed until all the initial extension configurations are +// received, unless the flag to apply the default configuration is set. +// Subsequent extension updates are atomic on a per-worker basis. Once an +// extension configuration is applied to a request or a connection, it remains +// constant for the duration of processing. If the initial delivery of the +// extension configuration fails, due to a timeout for example, the optional +// default configuration is applied. Without a default configuration, the +// extension is disabled, until an extension configuration is received. The +// behavior of a disabled extension depends on the context. For example, a +// filter chain with a disabled extension filter rejects all incoming streams. +message ExtensionConfigSource { + ConfigSource config_source = 1 [(validate.rules).any = {required: true}]; + + // Optional default configuration to use as the initial configuration if + // there is a failure to receive the initial extension configuration or if + // ``apply_default_config_without_warming`` flag is set. + google.protobuf.Any default_config = 2; + + // Use the default config as the initial configuration without warming and + // waiting for the first discovery response. Requires the default configuration + // to be supplied. + bool apply_default_config_without_warming = 3; + + // A set of permitted extension type URLs for the type encoded inside of the + // :ref:`TypedExtensionConfig `. Extension + // configuration updates are rejected if they do not match any type URL in the set. + repeated string type_urls = 4 [(validate.rules).repeated = {min_items: 1}]; +} diff --git a/grpc-xds/proto/third_party/envoy/envoy/config/core/v3/event_service_config.proto b/grpc-xds/proto/third_party/envoy/envoy/config/core/v3/event_service_config.proto new file mode 100644 index 000000000..68c8df407 --- /dev/null +++ b/grpc-xds/proto/third_party/envoy/envoy/config/core/v3/event_service_config.proto @@ -0,0 +1,29 @@ +syntax = "proto3"; + +package envoy.config.core.v3; + +import "envoy/config/core/v3/grpc_service.proto"; + +import "udpa/annotations/status.proto"; +import "udpa/annotations/versioning.proto"; +import "validate/validate.proto"; + +option java_package = "io.envoyproxy.envoy.config.core.v3"; +option java_outer_classname = "EventServiceConfigProto"; +option java_multiple_files = true; +option go_package = "github.com/envoyproxy/go-control-plane/envoy/config/core/v3;corev3"; +option (udpa.annotations.file_status).package_version_status = ACTIVE; + +// [#not-implemented-hide:] +// Configuration of the event reporting service endpoint. +message EventServiceConfig { + option (udpa.annotations.versioning).previous_message_type = + "envoy.api.v2.core.EventServiceConfig"; + + oneof config_source_specifier { + option (validate.required) = true; + + // Specifies the gRPC service that hosts the event reporting service. + GrpcService grpc_service = 1; + } +} diff --git a/grpc-xds/proto/third_party/envoy/envoy/config/core/v3/extension.proto b/grpc-xds/proto/third_party/envoy/envoy/config/core/v3/extension.proto new file mode 100644 index 000000000..cacc7b00c --- /dev/null +++ b/grpc-xds/proto/third_party/envoy/envoy/config/core/v3/extension.proto @@ -0,0 +1,32 @@ +syntax = "proto3"; + +package envoy.config.core.v3; + +import "google/protobuf/any.proto"; + +import "udpa/annotations/status.proto"; +import "validate/validate.proto"; + +option java_package = "io.envoyproxy.envoy.config.core.v3"; +option java_outer_classname = "ExtensionProto"; +option java_multiple_files = true; +option go_package = "github.com/envoyproxy/go-control-plane/envoy/config/core/v3;corev3"; +option (udpa.annotations.file_status).package_version_status = ACTIVE; + +// [#protodoc-title: Extension configuration] + +// Message type for extension configuration. +// [#next-major-version: revisit all existing typed_config that doesn't use this wrapper.]. +message TypedExtensionConfig { + // The name of an extension. This is not used to select the extension, instead + // it serves the role of an opaque identifier. + string name = 1 [(validate.rules).string = {min_len: 1}]; + + // The typed config for the extension. The type URL will be used to identify + // the extension. In the case that the type URL is ``xds.type.v3.TypedStruct`` + // (or, for historical reasons, ``udpa.type.v1.TypedStruct``), the inner type + // URL of ``TypedStruct`` will be utilized. See the + // :ref:`extension configuration overview + // ` for further details. + google.protobuf.Any typed_config = 2 [(validate.rules).any = {required: true}]; +} diff --git a/grpc-xds/proto/third_party/envoy/envoy/config/core/v3/grpc_service.proto b/grpc-xds/proto/third_party/envoy/envoy/config/core/v3/grpc_service.proto new file mode 100644 index 000000000..9c44006b2 --- /dev/null +++ b/grpc-xds/proto/third_party/envoy/envoy/config/core/v3/grpc_service.proto @@ -0,0 +1,355 @@ +syntax = "proto3"; + +package envoy.config.core.v3; + +import "envoy/config/core/v3/base.proto"; + +import "google/protobuf/any.proto"; +import "google/protobuf/duration.proto"; +import "google/protobuf/empty.proto"; +import "google/protobuf/struct.proto"; +import "google/protobuf/wrappers.proto"; + +import "udpa/annotations/sensitive.proto"; +import "udpa/annotations/status.proto"; +import "udpa/annotations/versioning.proto"; +import "validate/validate.proto"; + +option java_package = "io.envoyproxy.envoy.config.core.v3"; +option java_outer_classname = "GrpcServiceProto"; +option java_multiple_files = true; +option go_package = "github.com/envoyproxy/go-control-plane/envoy/config/core/v3;corev3"; +option (udpa.annotations.file_status).package_version_status = ACTIVE; + +// [#protodoc-title: gRPC services] + +// gRPC service configuration. This is used by :ref:`ApiConfigSource +// ` and filter configurations. +// [#next-free-field: 7] +message GrpcService { + option (udpa.annotations.versioning).previous_message_type = "envoy.api.v2.core.GrpcService"; + + // [#next-free-field: 6] + message EnvoyGrpc { + option (udpa.annotations.versioning).previous_message_type = + "envoy.api.v2.core.GrpcService.EnvoyGrpc"; + + // The name of the upstream gRPC cluster. SSL credentials will be supplied + // in the :ref:`Cluster ` :ref:`transport_socket + // `. + string cluster_name = 1 [(validate.rules).string = {min_len: 1}]; + + // The ``:authority`` header in the grpc request. If this field is not set, the authority header value will be ``cluster_name``. + // Note that this authority does not override the SNI. The SNI is provided by the transport socket of the cluster. + string authority = 2 + [(validate.rules).string = + {min_len: 0 max_bytes: 16384 well_known_regex: HTTP_HEADER_VALUE strict: false}]; + + // Specifies the retry backoff policy for re-establishing long‑lived xDS gRPC streams. + // + // This field is optional. If ``retry_back_off.max_interval`` is not provided, it will be set to + // ten times the configured ``retry_back_off.base_interval``. + // + // .. note:: + // + // This field is only honored for management‑plane xDS gRPC streams created from + // :ref:`ApiConfigSource ` that use + // ``envoy_grpc``. Data‑plane gRPC clients (for example external authorization or external + // processing filters) must use :ref:`GrpcService.retry_policy + // ` instead. + // + // If not set, xDS gRPC streams default to a base interval of 500ms and a maximum interval of 30s. + RetryPolicy retry_policy = 3; + + // Maximum gRPC message size that is allowed to be received. + // If a message over this limit is received, the gRPC stream is terminated with the RESOURCE_EXHAUSTED error. + // This limit is applied to individual messages in the streaming response and not the total size of streaming response. + // Defaults to 0, which means unlimited. + google.protobuf.UInt32Value max_receive_message_length = 4; + + // This provides gRPC client level control over envoy generated headers. + // If false, the header will be sent but it can be overridden by per stream option. + // If true, the header will be removed and can not be overridden by per stream option. + // Default to false. + bool skip_envoy_headers = 5; + } + + // [#next-free-field: 11] + message GoogleGrpc { + option (udpa.annotations.versioning).previous_message_type = + "envoy.api.v2.core.GrpcService.GoogleGrpc"; + + // See https://grpc.io/grpc/cpp/structgrpc_1_1_ssl_credentials_options.html. + message SslCredentials { + option (udpa.annotations.versioning).previous_message_type = + "envoy.api.v2.core.GrpcService.GoogleGrpc.SslCredentials"; + + // PEM encoded server root certificates. + DataSource root_certs = 1; + + // PEM encoded client private key. + DataSource private_key = 2 [(udpa.annotations.sensitive) = true]; + + // PEM encoded client certificate chain. + DataSource cert_chain = 3; + } + + // Local channel credentials. Only UDS is supported for now. + // See https://github.com/grpc/grpc/pull/15909. + message GoogleLocalCredentials { + option (udpa.annotations.versioning).previous_message_type = + "envoy.api.v2.core.GrpcService.GoogleGrpc.GoogleLocalCredentials"; + } + + // See https://grpc.io/docs/guides/auth.html#credential-types to understand Channel and Call + // credential types. + message ChannelCredentials { + option (udpa.annotations.versioning).previous_message_type = + "envoy.api.v2.core.GrpcService.GoogleGrpc.ChannelCredentials"; + + oneof credential_specifier { + option (validate.required) = true; + + SslCredentials ssl_credentials = 1; + + // https://grpc.io/grpc/cpp/namespacegrpc.html#a6beb3ac70ff94bd2ebbd89b8f21d1f61 + google.protobuf.Empty google_default = 2; + + GoogleLocalCredentials local_credentials = 3; + } + } + + // [#next-free-field: 8] + message CallCredentials { + option (udpa.annotations.versioning).previous_message_type = + "envoy.api.v2.core.GrpcService.GoogleGrpc.CallCredentials"; + + message ServiceAccountJWTAccessCredentials { + option (udpa.annotations.versioning).previous_message_type = + "envoy.api.v2.core.GrpcService.GoogleGrpc.CallCredentials." + "ServiceAccountJWTAccessCredentials"; + + string json_key = 1; + + uint64 token_lifetime_seconds = 2; + } + + message GoogleIAMCredentials { + option (udpa.annotations.versioning).previous_message_type = + "envoy.api.v2.core.GrpcService.GoogleGrpc.CallCredentials.GoogleIAMCredentials"; + + string authorization_token = 1; + + string authority_selector = 2; + } + + message MetadataCredentialsFromPlugin { + option (udpa.annotations.versioning).previous_message_type = + "envoy.api.v2.core.GrpcService.GoogleGrpc.CallCredentials." + "MetadataCredentialsFromPlugin"; + + reserved 2; + + reserved "config"; + + string name = 1; + + // [#extension-category: envoy.grpc_credentials] + oneof config_type { + google.protobuf.Any typed_config = 3; + } + } + + // Security token service configuration that allows Google gRPC to + // fetch security token from an OAuth 2.0 authorization server. + // See https://tools.ietf.org/html/draft-ietf-oauth-token-exchange-16 and + // https://github.com/grpc/grpc/pull/19587. + // [#next-free-field: 10] + message StsService { + option (udpa.annotations.versioning).previous_message_type = + "envoy.api.v2.core.GrpcService.GoogleGrpc.CallCredentials.StsService"; + + // URI of the token exchange service that handles token exchange requests. + // [#comment:TODO(asraa): Add URI validation when implemented. Tracked by + // https://github.com/bufbuild/protoc-gen-validate/issues/303] + string token_exchange_service_uri = 1; + + // Location of the target service or resource where the client + // intends to use the requested security token. + string resource = 2; + + // Logical name of the target service where the client intends to + // use the requested security token. + string audience = 3; + + // The desired scope of the requested security token in the + // context of the service or resource where the token will be used. + string scope = 4; + + // Type of the requested security token. + string requested_token_type = 5; + + // The path of subject token, a security token that represents the + // identity of the party on behalf of whom the request is being made. + string subject_token_path = 6 [(validate.rules).string = {min_len: 1}]; + + // Type of the subject token. + string subject_token_type = 7 [(validate.rules).string = {min_len: 1}]; + + // The path of actor token, a security token that represents the identity + // of the acting party. The acting party is authorized to use the + // requested security token and act on behalf of the subject. + string actor_token_path = 8; + + // Type of the actor token. + string actor_token_type = 9; + } + + oneof credential_specifier { + option (validate.required) = true; + + // Access token credentials. + // https://grpc.io/grpc/cpp/namespacegrpc.html#ad3a80da696ffdaea943f0f858d7a360d. + string access_token = 1; + + // Google Compute Engine credentials. + // https://grpc.io/grpc/cpp/namespacegrpc.html#a6beb3ac70ff94bd2ebbd89b8f21d1f61 + google.protobuf.Empty google_compute_engine = 2; + + // Google refresh token credentials. + // https://grpc.io/grpc/cpp/namespacegrpc.html#a96901c997b91bc6513b08491e0dca37c. + string google_refresh_token = 3; + + // Service Account JWT Access credentials. + // https://grpc.io/grpc/cpp/namespacegrpc.html#a92a9f959d6102461f66ee973d8e9d3aa. + ServiceAccountJWTAccessCredentials service_account_jwt_access = 4; + + // Google IAM credentials. + // https://grpc.io/grpc/cpp/namespacegrpc.html#a9fc1fc101b41e680d47028166e76f9d0. + GoogleIAMCredentials google_iam = 5; + + // Custom authenticator credentials. + // https://grpc.io/grpc/cpp/namespacegrpc.html#a823c6a4b19ffc71fb33e90154ee2ad07. + // https://grpc.io/docs/guides/auth.html#extending-grpc-to-support-other-authentication-mechanisms. + MetadataCredentialsFromPlugin from_plugin = 6; + + // Custom security token service which implements OAuth 2.0 token exchange. + // https://tools.ietf.org/html/draft-ietf-oauth-token-exchange-16 + // See https://github.com/grpc/grpc/pull/19587. + StsService sts_service = 7; + } + } + + // Channel arguments. + message ChannelArgs { + message Value { + // Pointer values are not supported, since they don't make any sense when + // delivered via the API. + oneof value_specifier { + option (validate.required) = true; + + string string_value = 1; + + int64 int_value = 2; + } + } + + // See grpc_types.h GRPC_ARG #defines for keys that work here. + map args = 1; + } + + // The target URI when using the `Google C++ gRPC client + // `_. + string target_uri = 1 [(validate.rules).string = {min_len: 1}]; + + // The channel credentials to use. See `channel credentials + // `_. + // Ignored if ``channel_credentials_plugin`` is set. + ChannelCredentials channel_credentials = 2; + + // A list of channel credentials plugins. + // The data plane will iterate over the list in order and stop at the first credential type + // that it supports. This provides a mechanism for starting to use new credential types that + // are not yet supported by all data planes. + // [#not-implemented-hide:] + repeated google.protobuf.Any channel_credentials_plugin = 9; + + // The call credentials to use. See `channel credentials + // `_. + // Ignored if ``call_credentials_plugin`` is set. + repeated CallCredentials call_credentials = 3; + + // A list of call credentials plugins. All supported plugins will be used. + // Unsupported plugin types will be ignored. + // [#not-implemented-hide:] + repeated google.protobuf.Any call_credentials_plugin = 10; + + // The human readable prefix to use when emitting statistics for the gRPC + // service. + // + // .. csv-table:: + // :header: Name, Type, Description + // :widths: 1, 1, 2 + // + // streams_total, Counter, Total number of streams opened + // streams_closed_, Counter, Total streams closed with + string stat_prefix = 4 [(validate.rules).string = {min_len: 1}]; + + // The name of the Google gRPC credentials factory to use. This must have been registered with + // Envoy. If this is empty, a default credentials factory will be used that sets up channel + // credentials based on other configuration parameters. + string credentials_factory_name = 5; + + // Additional configuration for site-specific customizations of the Google + // gRPC library. + google.protobuf.Struct config = 6; + + // How many bytes each stream can buffer internally. + // If not set an implementation defined default is applied (1MiB). + google.protobuf.UInt32Value per_stream_buffer_limit_bytes = 7; + + // Custom channels args. + ChannelArgs channel_args = 8; + } + + reserved 4; + + oneof target_specifier { + option (validate.required) = true; + + // Envoy's in-built gRPC client. + // See the :ref:`gRPC services overview ` + // documentation for discussion on gRPC client selection. + EnvoyGrpc envoy_grpc = 1; + + // `Google C++ gRPC client `_ + // See the :ref:`gRPC services overview ` + // documentation for discussion on gRPC client selection. + GoogleGrpc google_grpc = 2; + } + + // The timeout for the gRPC request. This is the timeout for a specific + // request. + google.protobuf.Duration timeout = 3; + + // Additional metadata to include in streams initiated to the GrpcService. This can be used for + // scenarios in which additional ad hoc authorization headers (e.g. ``x-foo-bar: baz-key``) are to + // be injected. For more information, including details on header value syntax, see the + // documentation on :ref:`custom request headers + // `. + repeated HeaderValue initial_metadata = 5; + + // Optional default retry policy for RPCs or streams initiated toward this gRPC service. + // + // If an async stream does not have a retry policy configured in its per‑stream options, this + // policy is used as the default. + // + // .. note:: + // + // This field is only applied by Envoy gRPC (``envoy_grpc``) clients. Google gRPC + // (``google_grpc``) clients currently ignore this field. + // + // If not specified, no default retry policy is applied at the client level and retries only occur + // when explicitly configured in per‑stream options. + RetryPolicy retry_policy = 6; +} diff --git a/grpc-xds/proto/third_party/envoy/envoy/config/core/v3/health_check.proto b/grpc-xds/proto/third_party/envoy/envoy/config/core/v3/health_check.proto new file mode 100644 index 000000000..a4ed6e918 --- /dev/null +++ b/grpc-xds/proto/third_party/envoy/envoy/config/core/v3/health_check.proto @@ -0,0 +1,443 @@ +syntax = "proto3"; + +package envoy.config.core.v3; + +import "envoy/config/core/v3/base.proto"; +import "envoy/config/core/v3/event_service_config.proto"; +import "envoy/config/core/v3/extension.proto"; +import "envoy/config/core/v3/proxy_protocol.proto"; +import "envoy/type/matcher/v3/string.proto"; +import "envoy/type/v3/http.proto"; +import "envoy/type/v3/range.proto"; + +import "google/protobuf/any.proto"; +import "google/protobuf/duration.proto"; +import "google/protobuf/struct.proto"; +import "google/protobuf/wrappers.proto"; + +import "envoy/annotations/deprecation.proto"; +import "udpa/annotations/status.proto"; +import "udpa/annotations/versioning.proto"; +import "validate/validate.proto"; + +option java_package = "io.envoyproxy.envoy.config.core.v3"; +option java_outer_classname = "HealthCheckProto"; +option java_multiple_files = true; +option go_package = "github.com/envoyproxy/go-control-plane/envoy/config/core/v3;corev3"; +option (udpa.annotations.file_status).package_version_status = ACTIVE; + +// [#protodoc-title: Health check] +// * Health checking :ref:`architecture overview `. +// * If health checking is configured for a cluster, additional statistics are emitted. They are +// documented :ref:`here `. + +// Endpoint health status. +enum HealthStatus { + // The health status is not known. This is interpreted by Envoy as ``HEALTHY``. + UNKNOWN = 0; + + // Healthy. + HEALTHY = 1; + + // Unhealthy. + UNHEALTHY = 2; + + // Connection draining in progress. E.g., + // ``_ + // or + // ``_. + // This is interpreted by Envoy as ``UNHEALTHY``. + DRAINING = 3; + + // Health check timed out. This is part of HDS and is interpreted by Envoy as + // ``UNHEALTHY``. + TIMEOUT = 4; + + // Degraded. + DEGRADED = 5; +} + +message HealthStatusSet { + // An order-independent set of health status. + repeated HealthStatus statuses = 1 + [(validate.rules).repeated = {items {enum {defined_only: true}}}]; +} + +// [#next-free-field: 27] +message HealthCheck { + option (udpa.annotations.versioning).previous_message_type = "envoy.api.v2.core.HealthCheck"; + + // Describes the encoding of the payload bytes in the payload. + message Payload { + option (udpa.annotations.versioning).previous_message_type = + "envoy.api.v2.core.HealthCheck.Payload"; + + oneof payload { + option (validate.required) = true; + + // Hex encoded payload. E.g., "000000FF". + string text = 1 [(validate.rules).string = {min_len: 1}]; + + // Binary payload. + bytes binary = 2; + } + } + + // [#next-free-field: 15] + message HttpHealthCheck { + option (udpa.annotations.versioning).previous_message_type = + "envoy.api.v2.core.HealthCheck.HttpHealthCheck"; + + reserved 5, 7; + + reserved "service_name", "use_http2"; + + // The value of the host header in the HTTP health check request. If + // left empty (default value), the name of the cluster this health check is associated + // with will be used. The host header can be customized for a specific endpoint by setting the + // :ref:`hostname ` field. + string host = 1 [(validate.rules).string = {well_known_regex: HTTP_HEADER_VALUE}]; + + // Specifies the HTTP path that will be requested during health checking. For example + // ``/healthcheck``. + string path = 2 [(validate.rules).string = {min_len: 1 well_known_regex: HTTP_HEADER_VALUE}]; + + // HTTP specific payload to be sent as the request body during health checking. + // If specified, the method should support a request body (POST, PUT, PATCH, etc.). + Payload send = 3; + + // Specifies a list of HTTP expected responses to match in the first ``response_buffer_size`` bytes of the response body. + // If it is set, both the expected response check and status code determine the health check. + // When checking the response, “fuzzy” matching is performed such that each payload block must be found, + // and in the order specified, but not necessarily contiguous. + // + // .. note:: + // + // It is recommended to set ``response_buffer_size`` based on the total Payload size for efficiency. + // The default buffer size is 1024 bytes when it is not set. + repeated Payload receive = 4; + + // Specifies the size of response buffer in bytes that is used to Payload match. + // The default value is 1024. Setting to 0 implies that the Payload will be matched against the entire response. + google.protobuf.UInt64Value response_buffer_size = 14 [(validate.rules).uint64 = {gte: 0}]; + + // Specifies a list of HTTP headers that should be added to each request that is sent to the + // health checked cluster. For more information, including details on header value syntax, see + // the documentation on :ref:`custom request headers + // `. + repeated HeaderValueOption request_headers_to_add = 6 + [(validate.rules).repeated = {max_items: 1000}]; + + // Specifies a list of HTTP headers that should be removed from each request that is sent to the + // health checked cluster. + repeated string request_headers_to_remove = 8 [(validate.rules).repeated = { + items {string {well_known_regex: HTTP_HEADER_NAME strict: false}} + }]; + + // Specifies a list of HTTP response statuses considered healthy. If provided, replaces default + // 200-only policy - 200 must be included explicitly as needed. Ranges follow half-open + // semantics of :ref:`Int64Range `. The start and end of each + // range are required. Only statuses in the range [100, 600) are allowed. + repeated type.v3.Int64Range expected_statuses = 9; + + // Specifies a list of HTTP response statuses considered retriable. If provided, responses in this range + // will count towards the configured :ref:`unhealthy_threshold `, + // but will not result in the host being considered immediately unhealthy. Ranges follow half-open semantics of + // :ref:`Int64Range `. The start and end of each range are required. + // Only statuses in the range [100, 600) are allowed. The :ref:`expected_statuses ` + // field takes precedence for any range overlaps with this field i.e. if status code 200 is both retriable and expected, a 200 response will + // be considered a successful health check. By default all responses not in + // :ref:`expected_statuses ` will result in + // the host being considered immediately unhealthy i.e. if status code 200 is expected and there are no configured retriable statuses, any + // non-200 response will result in the host being marked unhealthy. + repeated type.v3.Int64Range retriable_statuses = 12; + + // Use specified application protocol for health checks. + type.v3.CodecClientType codec_client_type = 10 [(validate.rules).enum = {defined_only: true}]; + + // An optional service name parameter which is used to validate the identity of + // the health checked cluster using a :ref:`StringMatcher + // `. See the :ref:`architecture overview + // ` for more information. + type.matcher.v3.StringMatcher service_name_matcher = 11; + + // HTTP Method that will be used for health checking, default is "GET". + // GET, HEAD, POST, PUT, DELETE, OPTIONS, TRACE, PATCH methods are supported. + // Request body payloads are supported for POST, PUT, PATCH, and OPTIONS methods only. + // CONNECT method is disallowed because it is not appropriate for health check request. + // If a non-200 response is expected by the method, it needs to be set in :ref:`expected_statuses `. + RequestMethod method = 13 [(validate.rules).enum = {defined_only: true not_in: 6}]; + } + + message TcpHealthCheck { + option (udpa.annotations.versioning).previous_message_type = + "envoy.api.v2.core.HealthCheck.TcpHealthCheck"; + + // Empty payloads imply a connect-only health check. + Payload send = 1; + + // When checking the response, “fuzzy” matching is performed such that each + // payload block must be found, and in the order specified, but not + // necessarily contiguous. + repeated Payload receive = 2; + + // When setting this value, it tries to attempt health check request with ProxyProtocol. + // When ``send`` is presented, they are sent after preceding ProxyProtocol header. + // Only ProxyProtocol header is sent when ``send`` is not presented. + // It allows to use both ProxyProtocol V1 and V2. In V1, it presents L3/L4. In V2, it includes + // LOCAL command and doesn't include L3/L4. + ProxyProtocolConfig proxy_protocol_config = 3; + } + + message RedisHealthCheck { + option (udpa.annotations.versioning).previous_message_type = + "envoy.api.v2.core.HealthCheck.RedisHealthCheck"; + + // If set, optionally perform ``EXISTS `` instead of ``PING``. A return value + // from Redis of 0 (does not exist) is considered a passing healthcheck. A return value other + // than 0 is considered a failure. This allows the user to mark a Redis instance for maintenance + // by setting the specified key to any value and waiting for traffic to drain. + string key = 1; + } + + // `grpc.health.v1.Health + // `_-based + // healthcheck. See `gRPC doc `_ + // for details. + message GrpcHealthCheck { + option (udpa.annotations.versioning).previous_message_type = + "envoy.api.v2.core.HealthCheck.GrpcHealthCheck"; + + // An optional service name parameter which will be sent to gRPC service in + // `grpc.health.v1.HealthCheckRequest + // `_. + // message. See `gRPC health-checking overview + // `_ for more information. + string service_name = 1; + + // The value of the :authority header in the gRPC health check request. If + // left empty (default value), the name of the cluster this health check is associated + // with will be used. The authority header can be customized for a specific endpoint by setting + // the :ref:`hostname ` field. + string authority = 2 + [(validate.rules).string = {well_known_regex: HTTP_HEADER_VALUE strict: false}]; + + // Specifies a list of key-value pairs that should be added to the metadata of each GRPC call + // that is sent to the health checked cluster. For more information, including details on header value syntax, + // see the documentation on :ref:`custom request headers + // `. + repeated HeaderValueOption initial_metadata = 3 [(validate.rules).repeated = {max_items: 1000}]; + } + + // Custom health check. + message CustomHealthCheck { + option (udpa.annotations.versioning).previous_message_type = + "envoy.api.v2.core.HealthCheck.CustomHealthCheck"; + + reserved 2; + + reserved "config"; + + // The registered name of the custom health checker. + string name = 1 [(validate.rules).string = {min_len: 1}]; + + // A custom health checker specific configuration which depends on the custom health checker + // being instantiated. See :api:`envoy/config/health_checker` for reference. + // [#extension-category: envoy.health_checkers] + oneof config_type { + google.protobuf.Any typed_config = 3; + } + } + + // Health checks occur over the transport socket specified for the cluster. This implies that if a + // cluster is using a TLS-enabled transport socket, the health check will also occur over TLS. + // + // This allows overriding the cluster TLS settings, just for health check connections. + message TlsOptions { + option (udpa.annotations.versioning).previous_message_type = + "envoy.api.v2.core.HealthCheck.TlsOptions"; + + // Specifies the ALPN protocols for health check connections. This is useful if the + // corresponding upstream is using ALPN-based :ref:`FilterChainMatch + // ` along with different protocols for health checks + // versus data connections. If empty, no ALPN protocols will be set on health check connections. + repeated string alpn_protocols = 1; + } + + reserved 10; + + // The time to wait for a health check response. If the timeout is reached the + // health check attempt will be considered a failure. + google.protobuf.Duration timeout = 1 [(validate.rules).duration = { + required: true + gt {} + }]; + + // The interval between health checks. + google.protobuf.Duration interval = 2 [(validate.rules).duration = { + required: true + gt {} + }]; + + // An optional jitter amount in milliseconds. If specified, Envoy will start health + // checking after for a random time in ms between 0 and initial_jitter. This only + // applies to the first health check. + google.protobuf.Duration initial_jitter = 20; + + // An optional jitter amount in milliseconds. If specified, during every + // interval Envoy will add interval_jitter to the wait time. + google.protobuf.Duration interval_jitter = 3; + + // An optional jitter amount as a percentage of interval_ms. If specified, + // during every interval Envoy will add ``interval_ms`` * + // ``interval_jitter_percent`` / 100 to the wait time. + // + // If interval_jitter_ms and interval_jitter_percent are both set, both of + // them will be used to increase the wait time. + uint32 interval_jitter_percent = 18; + + // The number of unhealthy health checks required before a host is marked + // unhealthy. Note that for ``http`` health checking if a host responds with a code not in + // :ref:`expected_statuses ` + // or :ref:`retriable_statuses `, + // this threshold is ignored and the host is considered immediately unhealthy. + google.protobuf.UInt32Value unhealthy_threshold = 4 [(validate.rules).message = {required: true}]; + + // The number of healthy health checks required before a host is marked + // healthy. Note that during startup, only a single successful health check is + // required to mark a host healthy. + google.protobuf.UInt32Value healthy_threshold = 5 [(validate.rules).message = {required: true}]; + + // [#not-implemented-hide:] Non-serving port for health checking. + google.protobuf.UInt32Value alt_port = 6; + + // Reuse health check connection between health checks. Default is true. + google.protobuf.BoolValue reuse_connection = 7; + + oneof health_checker { + option (validate.required) = true; + + // HTTP health check. + HttpHealthCheck http_health_check = 8; + + // TCP health check. + TcpHealthCheck tcp_health_check = 9; + + // gRPC health check. + GrpcHealthCheck grpc_health_check = 11; + + // Custom health check. + CustomHealthCheck custom_health_check = 13; + } + + // The "no traffic interval" is a special health check interval that is used when a cluster has + // never had traffic routed to it. This lower interval allows cluster information to be kept up to + // date, without sending a potentially large amount of active health checking traffic for no + // reason. Once a cluster has been used for traffic routing, Envoy will shift back to using the + // standard health check interval that is defined. Note that this interval takes precedence over + // any other. + // + // The default value for "no traffic interval" is 60 seconds. + google.protobuf.Duration no_traffic_interval = 12 [(validate.rules).duration = {gt {}}]; + + // The "no traffic healthy interval" is a special health check interval that + // is used for hosts that are currently passing active health checking + // (including new hosts) when the cluster has received no traffic. + // + // This is useful for when we want to send frequent health checks with + // ``no_traffic_interval`` but then revert to lower frequency ``no_traffic_healthy_interval`` once + // a host in the cluster is marked as healthy. + // + // Once a cluster has been used for traffic routing, Envoy will shift back to using the + // standard health check interval that is defined. + // + // If no_traffic_healthy_interval is not set, it will default to the + // no traffic interval and send that interval regardless of health state. + google.protobuf.Duration no_traffic_healthy_interval = 24 [(validate.rules).duration = {gt {}}]; + + // The "unhealthy interval" is a health check interval that is used for hosts that are marked as + // unhealthy. As soon as the host is marked as healthy, Envoy will shift back to using the + // standard health check interval that is defined. + // + // The default value for "unhealthy interval" is the same as "interval". + google.protobuf.Duration unhealthy_interval = 14 [(validate.rules).duration = {gt {}}]; + + // The "unhealthy edge interval" is a special health check interval that is used for the first + // health check right after a host is marked as unhealthy. For subsequent health checks + // Envoy will shift back to using either "unhealthy interval" if present or the standard health + // check interval that is defined. + // + // The default value for "unhealthy edge interval" is the same as "unhealthy interval". + google.protobuf.Duration unhealthy_edge_interval = 15 [(validate.rules).duration = {gt {}}]; + + // The "healthy edge interval" is a special health check interval that is used for the first + // health check right after a host is marked as healthy. For subsequent health checks + // Envoy will shift back to using the standard health check interval that is defined. + // + // The default value for "healthy edge interval" is the same as the default interval. + google.protobuf.Duration healthy_edge_interval = 16 [(validate.rules).duration = {gt {}}]; + + // Specifies the path to the :ref:`health check event log `. + // + // .. attention:: + // This field is deprecated in favor of the extension + // :ref:`event_logger ` and + // :ref:`event_log_path ` + // in the file sink extension. + string event_log_path = 17 + [deprecated = true, (envoy.annotations.deprecated_at_minor_version) = "3.0"]; + + // A list of event log sinks to process the health check event. + // [#extension-category: envoy.health_check.event_sinks] + repeated TypedExtensionConfig event_logger = 25; + + // [#not-implemented-hide:] + // The gRPC service for the health check event service. + // If empty, health check events won't be sent to a remote endpoint. + EventServiceConfig event_service = 22; + + // If set to true, health check failure events will always be logged. If set to false, only the + // initial health check failure event will be logged. + // The default value is false. + bool always_log_health_check_failures = 19; + + // If set to true, health check success events will always be logged. If set to false, only host addition event will be logged + // if it is the first successful health check, or if the healthy threshold is reached. + // The default value is false. + bool always_log_health_check_success = 26; + + // This allows overriding the cluster TLS settings, just for health check connections. + TlsOptions tls_options = 21; + + // Optional key/value pairs that will be used to match a transport socket from those specified in the cluster's + // :ref:`tranport socket matches `. + // For example, the following match criteria + // + // .. code-block:: yaml + // + // transport_socket_match_criteria: + // useMTLS: true + // + // Will match the following :ref:`cluster socket match ` + // + // .. code-block:: yaml + // + // transport_socket_matches: + // - name: "useMTLS" + // match: + // useMTLS: true + // transport_socket: + // name: envoy.transport_sockets.tls + // config: { ... } # tls socket configuration + // + // If this field is set, then for health checks it will supersede an entry of ``envoy.transport_socket`` in the + // :ref:`LbEndpoint.Metadata `. + // This allows using different transport socket capabilities for health checking versus proxying to the + // endpoint. + // + // If the key/values pairs specified do not match any + // :ref:`transport socket matches `, + // the cluster's :ref:`transport socket ` + // will be used for health check socket configuration. + google.protobuf.Struct transport_socket_match_criteria = 23; +} diff --git a/grpc-xds/proto/third_party/envoy/envoy/config/core/v3/http_service.proto b/grpc-xds/proto/third_party/envoy/envoy/config/core/v3/http_service.proto new file mode 100644 index 000000000..426994c03 --- /dev/null +++ b/grpc-xds/proto/third_party/envoy/envoy/config/core/v3/http_service.proto @@ -0,0 +1,35 @@ +syntax = "proto3"; + +package envoy.config.core.v3; + +import "envoy/config/core/v3/base.proto"; +import "envoy/config/core/v3/http_uri.proto"; + +import "udpa/annotations/status.proto"; +import "validate/validate.proto"; + +option java_package = "io.envoyproxy.envoy.config.core.v3"; +option java_outer_classname = "HttpServiceProto"; +option java_multiple_files = true; +option go_package = "github.com/envoyproxy/go-control-plane/envoy/config/core/v3;corev3"; +option (udpa.annotations.file_status).package_version_status = ACTIVE; + +// [#protodoc-title: HTTP services] + +// HTTP service configuration. +message HttpService { + // The service's HTTP URI. For example: + // + // .. code-block:: yaml + // + // http_uri: + // uri: https://www.myserviceapi.com/v1/data + // cluster: www.myserviceapi.com|443 + // + HttpUri http_uri = 1; + + // Specifies a list of HTTP headers that should be added to each request + // handled by this virtual host. + repeated HeaderValueOption request_headers_to_add = 2 + [(validate.rules).repeated = {max_items: 1000}]; +} diff --git a/grpc-xds/proto/third_party/envoy/envoy/config/core/v3/http_uri.proto b/grpc-xds/proto/third_party/envoy/envoy/config/core/v3/http_uri.proto new file mode 100644 index 000000000..bac37c0d5 --- /dev/null +++ b/grpc-xds/proto/third_party/envoy/envoy/config/core/v3/http_uri.proto @@ -0,0 +1,58 @@ +syntax = "proto3"; + +package envoy.config.core.v3; + +import "google/protobuf/duration.proto"; + +import "udpa/annotations/status.proto"; +import "udpa/annotations/versioning.proto"; +import "validate/validate.proto"; + +option java_package = "io.envoyproxy.envoy.config.core.v3"; +option java_outer_classname = "HttpUriProto"; +option java_multiple_files = true; +option go_package = "github.com/envoyproxy/go-control-plane/envoy/config/core/v3;corev3"; +option (udpa.annotations.file_status).package_version_status = ACTIVE; + +// [#protodoc-title: HTTP service URI ] + +// Envoy external URI descriptor +message HttpUri { + option (udpa.annotations.versioning).previous_message_type = "envoy.api.v2.core.HttpUri"; + + // The HTTP server URI. It should be a full FQDN with protocol, host and path. + // + // Example: + // + // .. code-block:: yaml + // + // uri: https://www.googleapis.com/oauth2/v1/certs + // + string uri = 1 [(validate.rules).string = {min_len: 1}]; + + // Specify how ``uri`` is to be fetched. Today, this requires an explicit + // cluster, but in the future we may support dynamic cluster creation or + // inline DNS resolution. See `issue + // `_. + oneof http_upstream_type { + option (validate.required) = true; + + // A cluster is created in the Envoy "cluster_manager" config + // section. This field specifies the cluster name. + // + // Example: + // + // .. code-block:: yaml + // + // cluster: jwks_cluster + // + string cluster = 2 [(validate.rules).string = {min_len: 1}]; + } + + // Sets the maximum duration in milliseconds that a response can take to arrive upon request. + google.protobuf.Duration timeout = 3 [(validate.rules).duration = { + required: true + lt {seconds: 4294967296} + gte {} + }]; +} diff --git a/grpc-xds/proto/third_party/envoy/envoy/config/core/v3/protocol.proto b/grpc-xds/proto/third_party/envoy/envoy/config/core/v3/protocol.proto new file mode 100644 index 000000000..63e189e68 --- /dev/null +++ b/grpc-xds/proto/third_party/envoy/envoy/config/core/v3/protocol.proto @@ -0,0 +1,807 @@ +syntax = "proto3"; + +package envoy.config.core.v3; + +import "envoy/config/core/v3/extension.proto"; +import "envoy/type/matcher/v3/string.proto"; +import "envoy/type/v3/percent.proto"; + +import "google/protobuf/duration.proto"; +import "google/protobuf/wrappers.proto"; + +import "xds/annotations/v3/status.proto"; + +import "envoy/annotations/deprecation.proto"; +import "udpa/annotations/status.proto"; +import "udpa/annotations/versioning.proto"; +import "validate/validate.proto"; + +option java_package = "io.envoyproxy.envoy.config.core.v3"; +option java_outer_classname = "ProtocolProto"; +option java_multiple_files = true; +option go_package = "github.com/envoyproxy/go-control-plane/envoy/config/core/v3;corev3"; +option (udpa.annotations.file_status).package_version_status = ACTIVE; + +// [#protodoc-title: Protocol options] + +// [#not-implemented-hide:] +message TcpProtocolOptions { + option (udpa.annotations.versioning).previous_message_type = + "envoy.api.v2.core.TcpProtocolOptions"; +} + +// Config for keepalive probes in a QUIC connection. +// +// .. note:: +// +// QUIC keep-alive probing packets work differently from HTTP/2 keep-alive PINGs in a sense that the probing packet +// itself doesn't timeout waiting for a probing response. QUIC has a shorter idle timeout than TCP, so it doesn't rely on such probing to discover dead connections. If the peer fails to respond, the connection will idle timeout eventually. Thus, they are configured differently from :ref:`connection_keepalive `. +message QuicKeepAliveSettings { + // The max interval for a connection to send keep-alive probing packets (with ``PING`` or ``PATH_RESPONSE``). The value should be smaller than :ref:`connection idle_timeout ` to prevent idle timeout while not less than ``1s`` to avoid throttling the connection or flooding the peer with probes. + // + // If :ref:`initial_interval ` is absent or zero, a client connection will use this value to start probing. + // + // If zero, disable keepalive probing. + // If absent, use the QUICHE default interval to probe. + google.protobuf.Duration max_interval = 1; + + // The interval to send the first few keep-alive probing packets to prevent connection from hitting the idle timeout. Subsequent probes will be sent, each one with an interval exponentially longer than previous one, till it reaches :ref:`max_interval `. And the probes afterwards will always use :ref:`max_interval `. + // + // The value should be smaller than :ref:`connection idle_timeout ` to prevent idle timeout and smaller than max_interval to take effect. + // + // If absent, disable keepalive probing for a server connection. For a client connection, if :ref:`max_interval ` is zero, do not keepalive, otherwise use max_interval or QUICHE default to probe all the time. + google.protobuf.Duration initial_interval = 2 [(validate.rules).duration = { + lte {} + gte {nanos: 1000000} + }]; +} + +// QUIC protocol options which apply to both downstream and upstream connections. +// [#next-free-field: 12] +message QuicProtocolOptions { + // Config for QUIC connection migration across network interfaces, i.e. cellular to WIFI, upon + // network change events from the platform, i.e. the current network gets + // disconnected, or upon the QUIC detecting a bad connection. After migration, the + // connection may be on a different network other than the default network + // picked by the platform. Both iOS and Android will use a default network to interact with the internet, usually prefer unmetered network (WIFI) + // over metered ones (cellular). And users can specify which network to be used as the default. A connection on non-default network is only allowed to + // serve new requests for a certain period of time before being drained, and + // meanwhile, QUIC will try to migrate to the default network if possible. + message ConnectionMigrationSettings { + // Config for options to migrate idle connections which aren't serving any requests. + message MigrateIdleConnectionSettings { + // If idle connections are allowed to be migrated, only migrate the connection + // if it hasn't been idle for longer than this idle period. Otherwise, the + // connection will be closed instead. + // Default to 30s. + google.protobuf.Duration max_idle_time_before_migration = 1 + [(validate.rules).duration = {gte {seconds: 1}}]; + } + + // Config whether and how to migrate idle connections. + // If absent, idle connections will not be migrated but be closed upon + // migration signals. + MigrateIdleConnectionSettings migrate_idle_connections = 1; + + // After migrating to a non-default network interface, the connection will + // only be allowed to stay on that network for up to this period of time before + // being drained unless it migrates to the default network or that network + // gets picked as the default by the device by then. + // Default to 128s. + google.protobuf.Duration max_time_on_non_default_network = 2 + [(validate.rules).duration = {gte {seconds: 1}}]; + } + + // Maximum number of streams that the client can negotiate per connection. ``100`` + // if not specified. + google.protobuf.UInt32Value max_concurrent_streams = 1 [(validate.rules).uint32 = {gte: 1}]; + + // `Initial stream-level flow-control receive window + // `_ size. Valid values range from + // ``1`` to ``16777216`` (``2^24``, maximum supported by QUICHE) and defaults to ``16777216`` (``16 * 1024 * 1024``). + // + // .. note:: + // + // ``16384`` (``2^14``) is the minimum window size supported in Google QUIC. If configured smaller than it, we will use + // ``16384`` instead. QUICHE IETF QUIC implementation supports ``1`` byte window. We only support increasing the default + // window size now, so it's also the minimum. + // + // This field also acts as a soft limit on the number of bytes Envoy will buffer per-stream in the + // QUIC stream send and receive buffers. Once the buffer reaches this pointer, watermark callbacks will fire to + // stop the flow of data to the stream buffers. + google.protobuf.UInt32Value initial_stream_window_size = 2 + [(validate.rules).uint32 = {lte: 16777216 gte: 1}]; + + // Similar to ``initial_stream_window_size``, but for connection-level + // flow-control. Valid values range from ``1`` to ``25165824`` (``24MB``, maximum supported by QUICHE) and defaults + // to ``25165824`` (``24 * 1024 * 1024``). + // + // .. note:: + // + // ``16384`` (``2^14``) is the minimum window size supported in Google QUIC. We only support increasing the default + // window size now, so it's also the minimum. + // + google.protobuf.UInt32Value initial_connection_window_size = 3 + [(validate.rules).uint32 = {lte: 25165824 gte: 1}]; + + // The number of timeouts that can occur before port migration is triggered for QUIC clients. + // This defaults to ``4``. If set to ``0``, port migration will not occur on path degrading. + // Timeout here refers to QUIC internal path degrading timeout mechanism, such as ``PTO``. + // This has no effect on server sessions. + google.protobuf.UInt32Value num_timeouts_to_trigger_port_migration = 4 + [(validate.rules).uint32 = {lte: 5 gte: 0}]; + + // Probes the peer at the configured interval to solicit traffic, i.e. ``ACK`` or ``PATH_RESPONSE``, from the peer to push back connection idle timeout. + // If absent, use the default keepalive behavior of which a client connection sends ``PING``s every ``15s``, and a server connection doesn't do anything. + QuicKeepAliveSettings connection_keepalive = 5; + + // A comma-separated list of strings representing QUIC connection options defined in + // `QUICHE `_ and to be sent by upstream connections. + string connection_options = 6; + + // A comma-separated list of strings representing QUIC client connection options defined in + // `QUICHE `_ and to be sent by upstream connections. + string client_connection_options = 7; + + // The duration that a QUIC connection stays idle before it closes itself. If this field is not present, QUICHE + // default ``600s`` will be applied. + // For internal corporate network, a long timeout is often fine. + // But for client facing network, ``30s`` is usually a good choice. + // Do not add an upper bound here. A long idle timeout is useful for maintaining warm connections at non-front-line proxy for low QPS services. + google.protobuf.Duration idle_network_timeout = 8 + [(validate.rules).duration = {gte {seconds: 1}}]; + + // Maximum packet length for QUIC connections. It refers to the largest size of a QUIC packet that can be transmitted over the connection. + // If not specified, one of the `default values in QUICHE `_ is used. + google.protobuf.UInt64Value max_packet_length = 9; + + // A customized UDP socket and a QUIC packet writer using the socket for + // client connections. i.e. Mobile uses its own implementation to interact + // with platform socket APIs. + // If not present, the default platform-independent socket and writer will be used. + // [#extension-category: envoy.quic.client_packet_writer] + TypedExtensionConfig client_packet_writer = 10; + + // Enable QUIC `connection migration + // ` + // to a different network interface when the current network is degrading or + // has become bad. + // In order to use a different network interface other than the platform's default one, + // a customized :ref:`client_packet_writer ` needs to be configured to + // create UDP sockets on non-default networks. + // Only takes effect when runtime key ``envoy.reloadable_features.use_migration_in_quiche`` is true. + // If absent, the feature will be disabled. + // [#not-implemented-hide:] + ConnectionMigrationSettings connection_migration = 11; +} + +message UpstreamHttpProtocolOptions { + option (udpa.annotations.versioning).previous_message_type = + "envoy.api.v2.core.UpstreamHttpProtocolOptions"; + + // Set transport socket `SNI `_ for new + // upstream connections based on the downstream HTTP host/authority header or any other arbitrary + // header when :ref:`override_auto_sni_header ` + // is set, as seen by the :ref:`router filter `. + // Does nothing if a filter before the http router filter sets the corresponding metadata. + // + // See :ref:`SNI configuration ` for details on how this + // interacts with other validation options. + bool auto_sni = 1; + + // Automatic validate upstream presented certificate for new upstream connections based on the + // downstream HTTP host/authority header or any other arbitrary header when :ref:`override_auto_sni_header ` + // is set, as seen by the :ref:`router filter `. + // This field is intended to be set with ``auto_sni`` field. + // Does nothing if a filter before the http router filter sets the corresponding metadata. + // + // See :ref:`validation configuration ` for how this interacts with + // other validation options. + bool auto_san_validation = 2; + + // An optional alternative to the host/authority header to be used for setting the SNI value. + // It should be a valid downstream HTTP header, as seen by the + // :ref:`router filter `. + // If unset, host/authority header will be used for populating the SNI. If the specified header + // is not found or the value is empty, host/authority header will be used instead. + // This field is intended to be set with ``auto_sni`` and/or ``auto_san_validation`` fields. + // If none of these fields are set then setting this would be a no-op. + // Does nothing if a filter before the http router filter sets the corresponding metadata. + string override_auto_sni_header = 3 + [(validate.rules).string = {well_known_regex: HTTP_HEADER_NAME ignore_empty: true}]; +} + +// Configures the alternate protocols cache which tracks alternate protocols that can be used to +// make an HTTP connection to an origin server. See https://tools.ietf.org/html/rfc7838 for +// HTTP Alternative Services and https://datatracker.ietf.org/doc/html/draft-ietf-dnsop-svcb-https-04 +// for the "HTTPS" DNS resource record. +// [#next-free-field: 6] +message AlternateProtocolsCacheOptions { + // Allows pre-populating the cache with HTTP/3 alternate protocols entries with a 7 day lifetime. + // This will cause Envoy to attempt HTTP/3 to those upstreams, even if the upstreams have not + // advertised HTTP/3 support. These entries will be overwritten by alt-svc + // response headers or cached values. + // As with regular cached entries, if the origin response would result in clearing an existing + // alternate protocol cache entry, pre-populated entries will also be cleared. + // Adding a cache entry with hostname=foo.com port=123 is the equivalent of getting + // response headers + // alt-svc: h3=:"123"; ma=86400" in a response to a request to foo.com:123 + message AlternateProtocolsCacheEntry { + // The host name for the alternate protocol entry. + string hostname = 1 + [(validate.rules).string = {well_known_regex: HTTP_HEADER_NAME ignore_empty: true}]; + + // The port for the alternate protocol entry. + uint32 port = 2 [(validate.rules).uint32 = {lt: 65535 gt: 0}]; + } + + // The name of the cache. Multiple named caches allow independent alternate protocols cache + // configurations to operate within a single Envoy process using different configurations. All + // alternate protocols cache options with the same name *must* be equal in all fields when + // referenced from different configuration components. Configuration will fail to load if this is + // not the case. + string name = 1 [(validate.rules).string = {min_len: 1}]; + + // The maximum number of entries that the cache will hold. If not specified defaults to ``1024``. + // + // .. note:: + // + // The implementation is approximate and enforced independently on each worker thread, thus + // it is possible for the maximum entries in the cache to go slightly above the configured + // value depending on timing. This is similar to how other circuit breakers work. + google.protobuf.UInt32Value max_entries = 2 [(validate.rules).uint32 = {gt: 0}]; + + // Allows configuring a persistent + // :ref:`key value store ` to flush + // alternate protocols entries to disk. + // This function is currently only supported if concurrency is 1 + // Cached entries will take precedence over pre-populated entries below. + TypedExtensionConfig key_value_store_config = 3; + + // Allows pre-populating the cache with entries, as described above. + repeated AlternateProtocolsCacheEntry prepopulated_entries = 4; + + // Optional list of hostnames suffixes for which Alt-Svc entries can be shared. For example, if + // this list contained the value ``.c.example.com``, then an Alt-Svc entry for ``foo.c.example.com`` + // could be shared with ``bar.c.example.com`` but would not be shared with ``baz.example.com``. On + // the other hand, if the list contained the value ``.example.com`` then all three hosts could share + // Alt-Svc entries. Each entry must start with ``.``. If a hostname matches multiple suffixes, the + // first listed suffix will be used. + // + // Since lookup in this list is O(n), it is recommended that the number of suffixes be limited. + // [#not-implemented-hide:] + repeated string canonical_suffixes = 5; +} + +// [#next-free-field: 8] +message HttpProtocolOptions { + option (udpa.annotations.versioning).previous_message_type = + "envoy.api.v2.core.HttpProtocolOptions"; + + // Action to take when Envoy receives client request with header names containing underscore + // characters. + // Underscore character is allowed in header names by the RFC-7230 and this behavior is implemented + // as a security measure due to systems that treat '_' and '-' as interchangeable. Envoy by default allows client request headers with underscore + // characters. + enum HeadersWithUnderscoresAction { + // Allow headers with underscores. This is the default behavior. + ALLOW = 0; + + // Reject client request. HTTP/1 requests are rejected with ``HTTP 400`` status. HTTP/2 requests + // end with the stream reset. The ``httpN.requests_rejected_with_underscores_in_headers`` counter + // is incremented for each rejected request. + REJECT_REQUEST = 1; + + // Drop the client header with name containing underscores. The header is dropped before the filter chain is + // invoked and as such filters will not see dropped headers. The + // ``httpN.dropped_headers_with_underscores`` is incremented for each dropped header. + DROP_HEADER = 2; + } + + // The idle timeout for connections. The idle timeout is defined as the + // period in which there are no active requests. When the + // idle timeout is reached the connection will be closed. If the connection is an HTTP/2 + // downstream connection a drain sequence will occur prior to closing the connection, see + // :ref:`drain_timeout + // `. + // + // .. note:: + // + // Request based timeouts mean that HTTP/2 PINGs will not keep the connection alive. + // + // If not specified, this defaults to ``1 hour``. To disable idle timeouts explicitly set this to ``0``. + // + // .. warning:: + // Disabling this timeout has a highly likelihood of yielding connection leaks due to lost TCP + // FIN packets, etc. + // + // If the :ref:`overload action ` "envoy.overload_actions.reduce_timeouts" + // is configured, this timeout is scaled for downstream connections according to the value for + // :ref:`HTTP_DOWNSTREAM_CONNECTION_IDLE `. + google.protobuf.Duration idle_timeout = 1; + + // The maximum duration of a connection. The duration is defined as a period since a connection + // was established. If not set, there is no max duration. When max_connection_duration is reached, + // the drain sequence will kick-in. The connection will be closed after the drain timeout period + // if there are no active streams. See :ref:`drain_timeout + // `. + google.protobuf.Duration max_connection_duration = 3; + + // The maximum number of headers (request headers if configured on HttpConnectionManager, + // response headers when configured on a cluster). + // If unconfigured, the default maximum number of headers allowed is ``100``. + // The default value for requests can be overridden by setting runtime key ``envoy.reloadable_features.max_request_headers_count``. + // The default value for responses can be overridden by setting runtime key ``envoy.reloadable_features.max_response_headers_count``. + // Downstream requests that exceed this limit will receive a ``HTTP 431`` response for HTTP/1.x and cause a stream + // reset for HTTP/2. + // Upstream responses that exceed this limit will result in a ``HTTP 502`` response. + google.protobuf.UInt32Value max_headers_count = 2 [(validate.rules).uint32 = {gte: 1}]; + + // The maximum size of response headers. + // If unconfigured, the default is ``60 KiB``, except for HTTP/1 response headers which have a default + // of ``80 KiB``. + // The default value can be overridden by setting runtime key ``envoy.reloadable_features.max_response_headers_size_kb``. + // Responses that exceed this limit will result in a ``HTTP 503`` response. + // In Envoy, this setting is only valid when configured on an upstream cluster, not on the + // :ref:`HTTP Connection Manager + // `. + // + // .. note:: + // + // Currently some protocol codecs impose limits on the maximum size of a single header. + // + // * HTTP/2 (when using ``nghttp2``) limits a single header to around ``100kb``. + // * HTTP/3 limits a single header to around ``1024kb``. + // + google.protobuf.UInt32Value max_response_headers_kb = 7 + [(validate.rules).uint32 = {lte: 8192 gt: 0}]; + + // Total duration to keep alive an HTTP request/response stream. If the time limit is reached the stream will be + // reset independent of any other timeouts. If not specified, this value is not set. + google.protobuf.Duration max_stream_duration = 4; + + // Action to take when a client request with a header name containing underscore characters is received. + // If this setting is not specified, the value defaults to ``ALLOW``. + // + // .. note:: + // + // Upstream responses are not affected by this setting. + // + // .. note:: + // + // This only affects client headers. It does not affect headers added by Envoy filters and does not have any + // impact if added to cluster config. + HeadersWithUnderscoresAction headers_with_underscores_action = 5; + + // Optional maximum requests for both upstream and downstream connections. + // If not specified, there is no limit. + // Setting this parameter to ``1`` will effectively disable keep alive. + // For HTTP/2 and HTTP/3, due to concurrent stream processing, the limit is approximate. + google.protobuf.UInt32Value max_requests_per_connection = 6; +} + +// [#next-free-field: 12] +message Http1ProtocolOptions { + option (udpa.annotations.versioning).previous_message_type = + "envoy.api.v2.core.Http1ProtocolOptions"; + + // [#next-free-field: 9] + message HeaderKeyFormat { + option (udpa.annotations.versioning).previous_message_type = + "envoy.api.v2.core.Http1ProtocolOptions.HeaderKeyFormat"; + + message ProperCaseWords { + option (udpa.annotations.versioning).previous_message_type = + "envoy.api.v2.core.Http1ProtocolOptions.HeaderKeyFormat.ProperCaseWords"; + } + + oneof header_format { + option (validate.required) = true; + + // Formats the header by proper casing words: the first character and any character following + // a special character will be capitalized if it's an alpha character. For example, + // ``"content-type"`` becomes ``"Content-Type"``, and ``"foo$b#$are"`` becomes ``"Foo$B#$Are"``. + // + // .. note:: + // + // While this results in most headers following conventional casing, certain headers + // are not covered. For example, the ``"TE"`` header will be formatted as ``"Te"``. + ProperCaseWords proper_case_words = 1; + + // Configuration for stateful formatter extensions that allow using received headers to + // affect the output of encoding headers. E.g., preserving case during proxying. + // [#extension-category: envoy.http.stateful_header_formatters] + TypedExtensionConfig stateful_formatter = 8; + } + } + + // Handle HTTP requests with absolute URLs in the requests. These requests + // are generally sent by clients to forward/explicit proxies. This allows clients to configure + // envoy as their HTTP proxy. In Unix, for example, this is typically done by setting the + // ``http_proxy`` environment variable. + google.protobuf.BoolValue allow_absolute_url = 1; + + // Handle incoming HTTP/1.0 and HTTP/0.9 requests. + // This is off by default, and not fully standards compliant. There is support for pre-HTTP/1.1 + // style connect logic, dechunking, and handling lack of client host iff + // ``default_host_for_http_10`` is configured. + bool accept_http_10 = 2; + + // A default host for HTTP/1.0 requests. This is highly suggested if ``accept_http_10`` is true as + // Envoy does not otherwise support HTTP/1.0 without a Host header. + // This is a no-op if ``accept_http_10`` is not true. + string default_host_for_http_10 = 3; + + // Describes how the keys for response headers should be formatted. By default, all header keys + // are lower cased. + HeaderKeyFormat header_key_format = 4; + + // Enables trailers for HTTP/1. By default the HTTP/1 codec drops proxied trailers. + // + // .. attention:: + // + // This only happens when Envoy is chunk encoding which occurs when: + // - The request is HTTP/1.1. + // - Is neither a ``HEAD`` only request nor a HTTP Upgrade. + // - Not a response to a ``HEAD`` request. + // - The ``Content-Length`` header is not present. + bool enable_trailers = 5; + + // Allows Envoy to process requests/responses with both ``Content-Length`` and ``Transfer-Encoding`` + // headers set. By default such messages are rejected, but if option is enabled - Envoy will + // remove ``Content-Length`` header and process message. + // See `RFC7230, sec. 3.3.3 `_ for details. + // + // .. attention:: + // + // Enabling this option might lead to request smuggling vulnerability, especially if traffic + // is proxied via multiple layers of proxies. + // [#comment:TODO: This field is ignored when the + // :ref:`header validation configuration ` + // is present.] + bool allow_chunked_length = 6; + + // Allows invalid HTTP messaging. When this option is false, then Envoy will terminate + // HTTP/1.1 connections upon receiving an invalid HTTP message. However, + // when this option is true, then Envoy will leave the HTTP/1.1 connection + // open where possible. + // If set, this overrides any HCM :ref:`stream_error_on_invalid_http_messaging + // `. + google.protobuf.BoolValue override_stream_error_on_invalid_http_message = 7; + + // Allows sending fully qualified URLs when proxying the first line of the + // response. By default, Envoy will only send the path components in the first line. + // If this is true, Envoy will create a fully qualified URI composing scheme + // (inferred if not present), host (from the host/:authority header) and path + // (from first line or :path header). + bool send_fully_qualified_url = 8; + + // [#not-implemented-hide:] Hiding so that field can be removed after BalsaParser is rolled out. + // If set, force HTTP/1 parser: BalsaParser if true, http-parser if false. + // If unset, HTTP/1 parser is selected based on + // envoy.reloadable_features.http1_use_balsa_parser. + // See issue #21245. + google.protobuf.BoolValue use_balsa_parser = 9 + [deprecated = true, (envoy.annotations.deprecated_at_minor_version) = "3.0"]; + + // [#not-implemented-hide:] Hiding so that field can be removed. + // If true, and BalsaParser is used (either `use_balsa_parser` above is true, + // or `envoy.reloadable_features.http1_use_balsa_parser` is true and + // `use_balsa_parser` is unset), then every non-empty method with only valid + // characters is accepted. Otherwise, methods not on the hard-coded list are + // rejected. + // Once UHV is enabled, this field should be removed, and BalsaParser should + // allow any method. UHV validates the method, rejecting empty string or + // invalid characters, and provides :ref:`restrict_http_methods + // ` + // to reject custom methods. + bool allow_custom_methods = 10 [(xds.annotations.v3.field_status).work_in_progress = true]; + + // Ignore HTTP/1.1 upgrade values matching any of the supplied matchers. + // + // .. note:: + // + // ``h2c`` upgrades are always removed for backwards compatibility, regardless of the + // value in this setting. + repeated type.matcher.v3.StringMatcher ignore_http_11_upgrade = 11; +} + +message KeepaliveSettings { + // Send HTTP/2 PING frames at this period, in order to test that the connection is still alive. + // If this is zero, interval PINGs will not be sent. + google.protobuf.Duration interval = 1 [(validate.rules).duration = {gte {nanos: 1000000}}]; + + // How long to wait for a response to a keepalive PING. If a response is not received within this + // time period, the connection will be aborted. + // + // .. note:: + // + // In order to prevent the influence of Head-of-line (HOL) blocking the timeout period is extended when *any* frame is received on + // the connection, under the assumption that if a frame is received the connection is healthy. + google.protobuf.Duration timeout = 2 [(validate.rules).duration = { + required: true + gte {nanos: 1000000} + }]; + + // A random jitter amount as a percentage of interval that will be added to each interval. + // A value of zero means there will be no jitter. + // The default value is ``15%``. + type.v3.Percent interval_jitter = 3; + + // If the connection has been idle for this duration, send a HTTP/2 ping ahead + // of new stream creation, to quickly detect dead connections. + // If this is zero, this type of PING will not be sent. + // If an interval ping is outstanding, a second ping will not be sent as the + // interval ping will determine if the connection is dead. + // + // The same feature for HTTP/3 is given by inheritance from QUICHE which uses :ref:`connection idle_timeout ` and the current PTO of the connection to decide whether to probe before sending a new request. + google.protobuf.Duration connection_idle_interval = 4 + [(validate.rules).duration = {gte {nanos: 1000000}}]; +} + +// [#next-free-field: 19] +message Http2ProtocolOptions { + option (udpa.annotations.versioning).previous_message_type = + "envoy.api.v2.core.Http2ProtocolOptions"; + + // Defines a parameter to be sent in the SETTINGS frame. + // See `RFC7540, sec. 6.5.1 `_ for details. + message SettingsParameter { + option (udpa.annotations.versioning).previous_message_type = + "envoy.api.v2.core.Http2ProtocolOptions.SettingsParameter"; + + // The 16 bit parameter identifier. + google.protobuf.UInt32Value identifier = 1 [ + (validate.rules).uint32 = {lte: 65535 gte: 0}, + (validate.rules).message = {required: true} + ]; + + // The 32 bit parameter value. + google.protobuf.UInt32Value value = 2 [(validate.rules).message = {required: true}]; + } + + // `Maximum table size `_ + // (in octets) that the encoder is permitted to use for the dynamic HPACK table. Valid values + // range from ``0`` to ``4294967295`` (``2^32 - 1``) and defaults to ``4096``. ``0`` effectively disables header + // compression. + google.protobuf.UInt32Value hpack_table_size = 1; + + // `Maximum concurrent streams `_ + // allowed for peer on one HTTP/2 connection. Valid values range from ``1`` to ``2147483647`` (``2^31 - 1``) + // and defaults to ``1024`` for safety and should be sufficient for most use cases. + // + // For upstream connections, this also limits how many streams Envoy will initiate concurrently + // on a single connection. If the limit is reached, Envoy may queue requests or establish + // additional connections (as allowed per circuit breaker limits). + // + // This acts as an upper bound: Envoy will lower the max concurrent streams allowed on a given + // connection based on upstream settings. Config dumps will reflect the configured upper bound, + // not the per-connection negotiated limits. + google.protobuf.UInt32Value max_concurrent_streams = 2 + [(validate.rules).uint32 = {lte: 2147483647 gte: 1}]; + + // `Initial stream-level flow-control window + // `_ size. Valid values range from ``65535`` + // (``2^16 - 1``, HTTP/2 default) to ``2147483647`` (``2^31 - 1``, HTTP/2 maximum) and defaults to + // ``16MiB`` (``16 * 1024 * 1024``). + // + // .. note:: + // + // ``65535`` is the initial window size from HTTP/2 spec. We only support increasing the default window size now, + // so it's also the minimum. + // + // This field also acts as a soft limit on the number of bytes Envoy will buffer per-stream in the + // HTTP/2 codec buffers. Once the buffer reaches this pointer, watermark callbacks will fire to + // stop the flow of data to the codec buffers. + google.protobuf.UInt32Value initial_stream_window_size = 3 + [(validate.rules).uint32 = {lte: 2147483647 gte: 65535}]; + + // Similar to ``initial_stream_window_size``, but for connection-level flow-control + // window. The default is ``24MiB`` (``24 * 1024 * 1024``). + google.protobuf.UInt32Value initial_connection_window_size = 4 + [(validate.rules).uint32 = {lte: 2147483647 gte: 65535}]; + + // Allows proxying Websocket and other upgrades over H2 connect. + bool allow_connect = 5; + + // [#not-implemented-hide:] Hiding until Envoy has full metadata support. + // Still under implementation. DO NOT USE. + // + // Allows sending and receiving HTTP/2 METADATA frames. See [metadata + // docs](https://github.com/envoyproxy/envoy/blob/main/source/docs/h2_metadata.md) for more + // information. + bool allow_metadata = 6; + + // Limit the number of pending outbound downstream frames of all types (frames that are waiting to + // be written into the socket). Exceeding this limit triggers flood mitigation and connection is + // terminated. The ``http2.outbound_flood`` stat tracks the number of terminated connections due + // to flood mitigation. The default limit is ``10000``. + google.protobuf.UInt32Value max_outbound_frames = 7 [(validate.rules).uint32 = {gte: 1}]; + + // Limit the number of pending outbound downstream frames of types ``PING``, ``SETTINGS`` and ``RST_STREAM``, + // preventing high memory utilization when receiving continuous stream of these frames. Exceeding + // this limit triggers flood mitigation and connection is terminated. The + // ``http2.outbound_control_flood`` stat tracks the number of terminated connections due to flood + // mitigation. The default limit is ``1000``. + google.protobuf.UInt32Value max_outbound_control_frames = 8 [(validate.rules).uint32 = {gte: 1}]; + + // Limit the number of consecutive inbound frames of types ``HEADERS``, ``CONTINUATION`` and ``DATA`` with an + // empty payload and no end stream flag. Those frames have no legitimate use and are abusive, but + // might be a result of a broken HTTP/2 implementation. The ``http2.inbound_empty_frames_flood`` + // stat tracks the number of connections terminated due to flood mitigation. + // Setting this to ``0`` will terminate connection upon receiving first frame with an empty payload + // and no end stream flag. The default limit is ``1``. + google.protobuf.UInt32Value max_consecutive_inbound_frames_with_empty_payload = 9; + + // Limit the number of inbound ``PRIORITY`` frames allowed per each opened stream. If the number + // of ``PRIORITY`` frames received over the lifetime of connection exceeds the value calculated + // using this formula:: + // + // ``max_inbound_priority_frames_per_stream`` * (1 + ``opened_streams``) + // + // the connection is terminated. For downstream connections the ``opened_streams`` is incremented when + // Envoy receives complete response headers from the upstream server. For upstream connection the + // ``opened_streams`` is incremented when Envoy sends the ``HEADERS`` frame for a new stream. The + // ``http2.inbound_priority_frames_flood`` stat tracks + // the number of connections terminated due to flood mitigation. The default limit is ``100``. + google.protobuf.UInt32Value max_inbound_priority_frames_per_stream = 10; + + // Limit the number of inbound ``WINDOW_UPDATE`` frames allowed per ``DATA`` frame sent. If the number + // of ``WINDOW_UPDATE`` frames received over the lifetime of connection exceeds the value calculated + // using this formula:: + // + // ``5 + 2 * (opened_streams + + // max_inbound_window_update_frames_per_data_frame_sent * outbound_data_frames)`` + // + // the connection is terminated. For downstream connections the ``opened_streams`` is incremented when + // Envoy receives complete response headers from the upstream server. For upstream connections the + // ``opened_streams`` is incremented when Envoy sends the ``HEADERS`` frame for a new stream. The + // ``http2.inbound_priority_frames_flood`` stat tracks the number of connections terminated due to + // flood mitigation. The default ``max_inbound_window_update_frames_per_data_frame_sent`` value is ``10``. + // Setting this to ``1`` should be enough to support HTTP/2 implementations with basic flow control, + // but more complex implementations that try to estimate available bandwidth require at least ``2``. + google.protobuf.UInt32Value max_inbound_window_update_frames_per_data_frame_sent = 11 + [(validate.rules).uint32 = {gte: 1}]; + + // Allows invalid HTTP messaging and headers. When this option is disabled (default), then + // the whole HTTP/2 connection is terminated upon receiving invalid HEADERS frame. However, + // when this option is enabled, only the offending stream is terminated. + // + // This is overridden by HCM :ref:`stream_error_on_invalid_http_messaging + // ` + // iff present. + // + // This is deprecated in favor of :ref:`override_stream_error_on_invalid_http_message + // ` + // + // See `RFC7540, sec. 8.1 `_ for details. + bool stream_error_on_invalid_http_messaging = 12 + [deprecated = true, (envoy.annotations.deprecated_at_minor_version) = "3.0"]; + + // Allows invalid HTTP messaging and headers. When this option is disabled (default), then + // the whole HTTP/2 connection is terminated upon receiving invalid HEADERS frame. However, + // when this option is enabled, only the offending stream is terminated. + // + // This overrides any HCM :ref:`stream_error_on_invalid_http_messaging + // ` + // + // See `RFC7540, sec. 8.1 `_ for details. + google.protobuf.BoolValue override_stream_error_on_invalid_http_message = 14; + + // [#not-implemented-hide:] + // Specifies SETTINGS frame parameters to be sent to the peer, with two exceptions: + // + // 1. SETTINGS_ENABLE_PUSH (0x2) is not configurable as HTTP/2 server push is not supported by + // Envoy. + // + // 2. SETTINGS_ENABLE_CONNECT_PROTOCOL (0x8) is only configurable through the named field + // 'allow_connect'. + // + // .. note:: + // + // Custom parameters specified through this field can not also be set in the + // corresponding named parameters: + // + // .. code-block:: text + // + // ID Field Name + // ---------------- + // 0x1 hpack_table_size + // 0x3 max_concurrent_streams + // 0x4 initial_stream_window_size + // + // Collisions will trigger config validation failure on load/update. Likewise, inconsistencies + // between custom parameters with the same identifier will trigger a failure. + // + // See `IANA HTTP/2 Settings + // `_ for + // standardized identifiers. + repeated SettingsParameter custom_settings_parameters = 13; + + // Send HTTP/2 PING frames to verify that the connection is still healthy. If the remote peer + // does not respond within the configured timeout, the connection will be aborted. + KeepaliveSettings connection_keepalive = 15; + + // [#not-implemented-hide:] Hiding so that the field can be removed after oghttp2 is rolled out. + // If set, force use of a particular HTTP/2 codec: oghttp2 if true, nghttp2 if false. + // If unset, HTTP/2 codec is selected based on envoy.reloadable_features.http2_use_oghttp2. + google.protobuf.BoolValue use_oghttp2_codec = 16 + [(xds.annotations.v3.field_status).work_in_progress = true]; + + // Configure the maximum amount of metadata than can be handled per stream. Defaults to ``1 MB``. + google.protobuf.UInt64Value max_metadata_size = 17; + + // Controls whether to encode headers using huffman encoding. + // This can be useful in cases where the cpu spent encoding the headers isn't + // worth the network bandwidth saved e.g. for localhost. + // If unset, uses the data plane's default value. + google.protobuf.BoolValue enable_huffman_encoding = 18; +} + +// [#not-implemented-hide:] +message GrpcProtocolOptions { + option (udpa.annotations.versioning).previous_message_type = + "envoy.api.v2.core.GrpcProtocolOptions"; + + Http2ProtocolOptions http2_protocol_options = 1; +} + +// A message which allows using HTTP/3. +// [#next-free-field: 9] +message Http3ProtocolOptions { + QuicProtocolOptions quic_protocol_options = 1; + + // Allows invalid HTTP messaging and headers. When this option is disabled (default), then + // the whole HTTP/3 connection is terminated upon receiving invalid HEADERS frame. However, + // when this option is enabled, only the offending stream is terminated. + // + // If set, this overrides any HCM :ref:`stream_error_on_invalid_http_messaging + // `. + google.protobuf.BoolValue override_stream_error_on_invalid_http_message = 2; + + // Allows proxying Websocket and other upgrades over HTTP/3 CONNECT using + // the header mechanisms from the `HTTP/2 extended connect RFC + // `_ + // and settings `proposed for HTTP/3 + // `_ + // + // .. note:: + // + // HTTP/3 CONNECT is not yet an RFC. + bool allow_extended_connect = 5 [(xds.annotations.v3.field_status).work_in_progress = true]; + + // [#not-implemented-hide:] Hiding until Envoy has full metadata support. + // Still under implementation. DO NOT USE. + // + // Allows sending and receiving HTTP/3 METADATA frames. See [metadata + // docs](https://github.com/envoyproxy/envoy/blob/main/source/docs/h2_metadata.md) for more + // information. + bool allow_metadata = 6; + + // [#not-implemented-hide:] Hiding until Envoy has full HTTP/3 upstream support. + // Still under implementation. DO NOT USE. + // + // Disables QPACK compression related features for HTTP/3 including: + // No huffman encoding, zero dynamic table capacity and no cookie crumbling. + // This can be useful for trading off CPU vs bandwidth when an upstream HTTP/3 connection multiplexes multiple downstream connections. + bool disable_qpack = 7; + + // Disables connection level flow control for HTTP/3 streams. This is useful in situations where the streams share the same connection + // but originate from different end-clients, so that each stream can make progress independently at non-front-line proxies. + bool disable_connection_flow_control_for_streams = 8; +} + +// A message to control transformations to the :scheme header +message SchemeHeaderTransformation { + oneof transformation { + // Overwrite any Scheme header with the contents of this string. + // If set, takes precedence over ``match_upstream``. + string scheme_to_overwrite = 1 [(validate.rules).string = {in: "http" in: "https"}]; + } + + // Set the Scheme header to match the upstream transport protocol. For example, should a + // request be sent to the upstream over TLS, the scheme header will be set to ``"https"``. Should the + // request be sent over plaintext, the scheme header will be set to ``"http"``. + // If ``scheme_to_overwrite`` is set, this field is not used. + bool match_upstream = 2; +} diff --git a/grpc-xds/proto/third_party/envoy/envoy/config/core/v3/proxy_protocol.proto b/grpc-xds/proto/third_party/envoy/envoy/config/core/v3/proxy_protocol.proto new file mode 100644 index 000000000..2da5fe5fd --- /dev/null +++ b/grpc-xds/proto/third_party/envoy/envoy/config/core/v3/proxy_protocol.proto @@ -0,0 +1,114 @@ +syntax = "proto3"; + +package envoy.config.core.v3; + +import "envoy/config/core/v3/substitution_format_string.proto"; + +import "udpa/annotations/status.proto"; +import "validate/validate.proto"; + +option java_package = "io.envoyproxy.envoy.config.core.v3"; +option java_outer_classname = "ProxyProtocolProto"; +option java_multiple_files = true; +option go_package = "github.com/envoyproxy/go-control-plane/envoy/config/core/v3;corev3"; +option (udpa.annotations.file_status).package_version_status = ACTIVE; + +// [#protodoc-title: Proxy protocol] + +message ProxyProtocolPassThroughTLVs { + enum PassTLVsMatchType { + // Pass all TLVs. + INCLUDE_ALL = 0; + + // Pass specific TLVs defined in tlv_type. + INCLUDE = 1; + } + + // The strategy to pass through TLVs. Default is INCLUDE_ALL. + // If INCLUDE_ALL is set, all TLVs will be passed through no matter the tlv_type field. + PassTLVsMatchType match_type = 1; + + // The TLV types that are applied based on match_type. + // TLV type is defined as uint8_t in proxy protocol. See `the spec + // `_ for details. + repeated uint32 tlv_type = 2 [(validate.rules).repeated = {items {uint32 {lt: 256}}}]; +} + +// Represents a single Type-Length-Value (TLV) entry. +message TlvEntry { + // The type of the TLV. Must be a uint8 (0-255) as per the Proxy Protocol v2 specification. + uint32 type = 1 [(validate.rules).uint32 = {lt: 256}]; + + // The static value of the TLV. + // Only one of ``value`` or ``format_string`` may be set. + bytes value = 2; + + // Uses the :ref:`format string ` to dynamically + // populate the TLV value from stream information. This allows dynamic values + // such as metadata, filter state, or other stream properties to be included in + // the TLV. + // + // For example: + // + // .. code-block:: yaml + // + // type: 0xF0 + // format_string: + // text_format_source: + // inline_string: "%DYNAMIC_METADATA(envoy.filters.network:key)%" + // + // The formatted string will be used directly as the TLV value. + // Only one of ``value`` or ``format_string`` may be set. + SubstitutionFormatString format_string = 3; +} + +message ProxyProtocolConfig { + enum Version { + // PROXY protocol version 1. Human readable format. + V1 = 0; + + // PROXY protocol version 2. Binary format. + V2 = 1; + } + + // The PROXY protocol version to use. See https://www.haproxy.org/download/2.1/doc/proxy-protocol.txt for details + Version version = 1; + + // This config controls which TLVs can be passed to upstream if it is Proxy Protocol + // V2 header. If there is no setting for this field, no TLVs will be passed through. + ProxyProtocolPassThroughTLVs pass_through_tlvs = 2; + + // This config allows additional TLVs to be included in the upstream PROXY protocol + // V2 header. Unlike ``pass_through_tlvs``, which passes TLVs from the downstream request, + // ``added_tlvs`` provides an extension mechanism for defining new TLVs that are included + // with the upstream request. These TLVs may not be present in the downstream request and + // can be defined at either the transport socket level or the host level to provide more + // granular control over the TLVs that are included in the upstream request. + // + // Host-level TLVs are specified in the ``metadata.typed_filter_metadata`` field under the + // ``envoy.transport_sockets.proxy_protocol`` namespace. + // + // .. literalinclude:: /_configs/repo/proxy_protocol.yaml + // :language: yaml + // :lines: 49-57 + // :linenos: + // :lineno-start: 49 + // :caption: :download:`proxy_protocol.yaml ` + // + // **Precedence behavior**: + // + // - When a TLV is defined at both the host level and the transport socket level, the value + // from the host level configuration takes precedence. This allows users to define default TLVs + // at the transport socket level and override them at the host level. + // - Any TLV defined in the ``pass_through_tlvs`` field will be overridden by either the host-level + // or transport socket-level TLV. + // + // If there are multiple TLVs with the same type, only the TLVs from the highest precedence level + // will be used. + repeated TlvEntry added_tlvs = 3; +} + +message PerHostConfig { + // Enables per-host configuration for Proxy Protocol. + repeated TlvEntry added_tlvs = 1; +} diff --git a/grpc-xds/proto/third_party/envoy/envoy/config/core/v3/resolver.proto b/grpc-xds/proto/third_party/envoy/envoy/config/core/v3/resolver.proto new file mode 100644 index 000000000..f4d103ab0 --- /dev/null +++ b/grpc-xds/proto/third_party/envoy/envoy/config/core/v3/resolver.proto @@ -0,0 +1,36 @@ +syntax = "proto3"; + +package envoy.config.core.v3; + +import "envoy/config/core/v3/address.proto"; + +import "udpa/annotations/status.proto"; +import "validate/validate.proto"; + +option java_package = "io.envoyproxy.envoy.config.core.v3"; +option java_outer_classname = "ResolverProto"; +option java_multiple_files = true; +option go_package = "github.com/envoyproxy/go-control-plane/envoy/config/core/v3;corev3"; +option (udpa.annotations.file_status).package_version_status = ACTIVE; + +// [#protodoc-title: Resolver] + +// Configuration of DNS resolver option flags which control the behavior of the DNS resolver. +message DnsResolverOptions { + // Use TCP for all DNS queries instead of the default protocol UDP. + bool use_tcp_for_dns_lookups = 1; + + // Do not use the default search domains; only query hostnames as-is or as aliases. + bool no_default_search_domain = 2; +} + +// DNS resolution configuration which includes the underlying dns resolver addresses and options. +message DnsResolutionConfig { + // A list of dns resolver addresses. If specified, the DNS client library will perform resolution + // via the underlying DNS resolvers. Otherwise, the default system resolvers + // (e.g., /etc/resolv.conf) will be used. + repeated Address resolvers = 1 [(validate.rules).repeated = {min_items: 1}]; + + // Configuration of DNS resolver option flags which control the behavior of the DNS resolver. + DnsResolverOptions dns_resolver_options = 2; +} diff --git a/grpc-xds/proto/third_party/envoy/envoy/config/core/v3/socket_cmsg_headers.proto b/grpc-xds/proto/third_party/envoy/envoy/config/core/v3/socket_cmsg_headers.proto new file mode 100644 index 000000000..cc3e58e09 --- /dev/null +++ b/grpc-xds/proto/third_party/envoy/envoy/config/core/v3/socket_cmsg_headers.proto @@ -0,0 +1,28 @@ +syntax = "proto3"; + +package envoy.config.core.v3; + +import "google/protobuf/wrappers.proto"; + +import "udpa/annotations/status.proto"; + +option java_package = "io.envoyproxy.envoy.config.core.v3"; +option java_outer_classname = "SocketCmsgHeadersProto"; +option java_multiple_files = true; +option go_package = "github.com/envoyproxy/go-control-plane/envoy/config/core/v3;corev3"; +option (udpa.annotations.file_status).package_version_status = ACTIVE; + +// [#protodoc-title: Socket CMSG headers] + +// Configuration for socket cmsg headers. +// See `:ref:CMSG `_ for further information. +message SocketCmsgHeaders { + // cmsg level. Default is unset. + google.protobuf.UInt32Value level = 1; + + // cmsg type. Default is unset. + google.protobuf.UInt32Value type = 2; + + // Expected size of cmsg value. Default is zero. + uint32 expected_size = 3; +} diff --git a/grpc-xds/proto/third_party/envoy/envoy/config/core/v3/socket_option.proto b/grpc-xds/proto/third_party/envoy/envoy/config/core/v3/socket_option.proto new file mode 100644 index 000000000..ad73d72e4 --- /dev/null +++ b/grpc-xds/proto/third_party/envoy/envoy/config/core/v3/socket_option.proto @@ -0,0 +1,108 @@ +syntax = "proto3"; + +package envoy.config.core.v3; + +import "udpa/annotations/status.proto"; +import "udpa/annotations/versioning.proto"; +import "validate/validate.proto"; + +option java_package = "io.envoyproxy.envoy.config.core.v3"; +option java_outer_classname = "SocketOptionProto"; +option java_multiple_files = true; +option go_package = "github.com/envoyproxy/go-control-plane/envoy/config/core/v3;corev3"; +option (udpa.annotations.file_status).package_version_status = ACTIVE; + +// [#protodoc-title: Socket option] + +// Generic socket option message. This would be used to set socket options that +// might not exist in upstream kernels or precompiled Envoy binaries. +// +// For example: +// +// .. code-block:: json +// +// { +// "description": "support tcp keep alive", +// "state": 0, +// "level": 1, +// "name": 9, +// "int_value": 1, +// } +// +// 1 means SOL_SOCKET and 9 means SO_KEEPALIVE on Linux. +// With the above configuration, `TCP Keep-Alives `_ +// can be enabled in socket with Linux, which can be used in +// :ref:`listener's` or +// :ref:`admin's ` socket_options etc. +// +// It should be noted that the name or level may have different values on different platforms. +// [#next-free-field: 8] +message SocketOption { + option (udpa.annotations.versioning).previous_message_type = "envoy.api.v2.core.SocketOption"; + + enum SocketState { + // Socket options are applied after socket creation but before binding the socket to a port + STATE_PREBIND = 0; + + // Socket options are applied after binding the socket to a port but before calling listen() + STATE_BOUND = 1; + + // Socket options are applied after calling listen() + STATE_LISTENING = 2; + } + + // The `socket type `_ to apply the socket option to. + // Only one field should be set. If multiple fields are set, the precedence order will determine + // the selected one. If none of the fields is set, the socket option will be applied to all socket types. + // + // For example: + // If :ref:`stream ` is set, + // it takes precedence over :ref:`datagram `. + message SocketType { + // The stream socket type. + message Stream { + } + + // The datagram socket type. + message Datagram { + } + + // Apply the socket option to the stream socket type. + Stream stream = 1; + + // Apply the socket option to the datagram socket type. + Datagram datagram = 2; + } + + // An optional name to give this socket option for debugging, etc. + // Uniqueness is not required and no special meaning is assumed. + string description = 1; + + // Corresponding to the level value passed to setsockopt, such as IPPROTO_TCP + int64 level = 2; + + // The numeric name as passed to setsockopt + int64 name = 3; + + oneof value { + option (validate.required) = true; + + // Because many sockopts take an int value. + int64 int_value = 4; + + // Otherwise it's a byte buffer. + bytes buf_value = 5; + } + + // The state in which the option will be applied. When used in BindConfig + // STATE_PREBIND is currently the only valid value. + SocketState state = 6 [(validate.rules).enum = {defined_only: true}]; + + // Apply the socket option to the specified `socket type `_. + // If not specified, the socket option will be applied to all socket types. + SocketType type = 7; +} + +message SocketOptionsOverride { + repeated SocketOption socket_options = 1; +} diff --git a/grpc-xds/proto/third_party/envoy/envoy/config/core/v3/substitution_format_string.proto b/grpc-xds/proto/third_party/envoy/envoy/config/core/v3/substitution_format_string.proto new file mode 100644 index 000000000..3edbf5f5f --- /dev/null +++ b/grpc-xds/proto/third_party/envoy/envoy/config/core/v3/substitution_format_string.proto @@ -0,0 +1,136 @@ +syntax = "proto3"; + +package envoy.config.core.v3; + +import "envoy/config/core/v3/base.proto"; +import "envoy/config/core/v3/extension.proto"; + +import "google/protobuf/struct.proto"; + +import "envoy/annotations/deprecation.proto"; +import "udpa/annotations/status.proto"; +import "validate/validate.proto"; + +option java_package = "io.envoyproxy.envoy.config.core.v3"; +option java_outer_classname = "SubstitutionFormatStringProto"; +option java_multiple_files = true; +option go_package = "github.com/envoyproxy/go-control-plane/envoy/config/core/v3;corev3"; +option (udpa.annotations.file_status).package_version_status = ACTIVE; + +// [#protodoc-title: Substitution format string] + +// Optional configuration options to be used with json_format. +message JsonFormatOptions { + // The output JSON string properties will be sorted. + // + // .. note:: + // As the properties are always sorted, this option has no effect and is deprecated. + // + bool sort_properties = 1 + [deprecated = true, (envoy.annotations.deprecated_at_minor_version) = "3.0"]; +} + +// Configuration to use multiple :ref:`command operators ` +// to generate a new string in either plain text or JSON format. +// [#next-free-field: 8] +message SubstitutionFormatString { + oneof format { + option (validate.required) = true; + + // Specify a format with command operators to form a text string. + // Its details is described in :ref:`format string`. + // + // For example, setting ``text_format`` like below, + // + // .. validated-code-block:: yaml + // :type-name: envoy.config.core.v3.SubstitutionFormatString + // + // text_format: "%LOCAL_REPLY_BODY%:%RESPONSE_CODE%:path=%REQ(:path)%\n" + // + // generates plain text similar to: + // + // .. code-block:: text + // + // upstream connect error:503:path=/foo + // + // Deprecated in favor of :ref:`text_format_source `. To migrate text format strings, use the :ref:`inline_string ` field. + string text_format = 1 + [deprecated = true, (envoy.annotations.deprecated_at_minor_version) = "3.0"]; + + // Specify a format with command operators to form a JSON string. + // Its details is described in :ref:`format dictionary`. + // Values are rendered as strings, numbers, or boolean values as appropriate. + // Nested JSON objects may be produced by some command operators (e.g. FILTER_STATE or DYNAMIC_METADATA). + // See the documentation for a specific command operator for details. + // + // .. validated-code-block:: yaml + // :type-name: envoy.config.core.v3.SubstitutionFormatString + // + // json_format: + // status: "%RESPONSE_CODE%" + // message: "%LOCAL_REPLY_BODY%" + // + // The following JSON object would be created: + // + // .. code-block:: json + // + // { + // "status": 500, + // "message": "My error message" + // } + // + google.protobuf.Struct json_format = 2 [(validate.rules).message = {required: true}]; + + // Specify a format with command operators to form a text string. + // Its details is described in :ref:`format string`. + // + // For example, setting ``text_format`` like below, + // + // .. validated-code-block:: yaml + // :type-name: envoy.config.core.v3.SubstitutionFormatString + // + // text_format_source: + // inline_string: "%LOCAL_REPLY_BODY%:%RESPONSE_CODE%:path=%REQ(:path)%\n" + // + // generates plain text similar to: + // + // .. code-block:: text + // + // upstream connect error:503:path=/foo + // + DataSource text_format_source = 5; + } + + // If set to true, when command operators are evaluated to null, + // + // * for ``text_format``, the output of the empty operator is changed from ``-`` to an + // empty string, so that empty values are omitted entirely. + // * for ``json_format`` the keys with null values are omitted in the output structure. + // + // .. note:: + // This option does not work perfectly with ``json_format`` as keys with ``null`` values + // will still be included in the output. See https://github.com/envoyproxy/envoy/issues/37941 + // for more details. + // + bool omit_empty_values = 3; + + // Specify a ``content_type`` field. + // If this field is not set then ``text/plain`` is used for ``text_format`` and + // ``application/json`` is used for ``json_format``. + // + // .. validated-code-block:: yaml + // :type-name: envoy.config.core.v3.SubstitutionFormatString + // + // content_type: "text/html; charset=UTF-8" + // + string content_type = 4 + [(validate.rules).string = {well_known_regex: HTTP_HEADER_VALUE strict: false}]; + + // Specifies a collection of Formatter plugins that can be called from the access log configuration. + // See the formatters extensions documentation for details. + // [#extension-category: envoy.formatter] + repeated TypedExtensionConfig formatters = 6; + + // If json_format is used, the options will be applied to the output JSON string. + JsonFormatOptions json_format_options = 7; +} diff --git a/grpc-xds/proto/third_party/envoy/envoy/config/core/v3/udp_socket_config.proto b/grpc-xds/proto/third_party/envoy/envoy/config/core/v3/udp_socket_config.proto new file mode 100644 index 000000000..ec9f77f06 --- /dev/null +++ b/grpc-xds/proto/third_party/envoy/envoy/config/core/v3/udp_socket_config.proto @@ -0,0 +1,32 @@ +syntax = "proto3"; + +package envoy.config.core.v3; + +import "google/protobuf/wrappers.proto"; + +import "udpa/annotations/status.proto"; +import "validate/validate.proto"; + +option java_package = "io.envoyproxy.envoy.config.core.v3"; +option java_outer_classname = "UdpSocketConfigProto"; +option java_multiple_files = true; +option go_package = "github.com/envoyproxy/go-control-plane/envoy/config/core/v3;corev3"; +option (udpa.annotations.file_status).package_version_status = ACTIVE; + +// [#protodoc-title: UDP socket config] + +// Generic UDP socket configuration. +message UdpSocketConfig { + // The maximum size of received UDP datagrams. Using a larger size will cause Envoy to allocate + // more memory per socket. Received datagrams above this size will be dropped. If not set + // defaults to 1500 bytes. + google.protobuf.UInt64Value max_rx_datagram_size = 1 + [(validate.rules).uint64 = {lt: 65536 gt: 0}]; + + // Configures whether Generic Receive Offload (GRO) + // _ is preferred when reading from the + // UDP socket. The default is context dependent and is documented where UdpSocketConfig is used. + // This option affects performance but not functionality. If GRO is not supported by the operating + // system, non-GRO receive will be used. + google.protobuf.BoolValue prefer_gro = 2; +} diff --git a/grpc-xds/proto/third_party/envoy/envoy/config/endpoint/v3/endpoint.proto b/grpc-xds/proto/third_party/envoy/envoy/config/endpoint/v3/endpoint.proto new file mode 100644 index 000000000..a149f6095 --- /dev/null +++ b/grpc-xds/proto/third_party/envoy/envoy/config/endpoint/v3/endpoint.proto @@ -0,0 +1,137 @@ +syntax = "proto3"; + +package envoy.config.endpoint.v3; + +import "envoy/config/endpoint/v3/endpoint_components.proto"; +import "envoy/type/v3/percent.proto"; + +import "google/protobuf/duration.proto"; +import "google/protobuf/wrappers.proto"; + +import "udpa/annotations/status.proto"; +import "udpa/annotations/versioning.proto"; +import "validate/validate.proto"; + +option java_package = "io.envoyproxy.envoy.config.endpoint.v3"; +option java_outer_classname = "EndpointProto"; +option java_multiple_files = true; +option go_package = "github.com/envoyproxy/go-control-plane/envoy/config/endpoint/v3;endpointv3"; +option (udpa.annotations.file_status).package_version_status = ACTIVE; + +// [#protodoc-title: Endpoint configuration] +// Endpoint discovery :ref:`architecture overview ` + +// Each route from RDS will map to a single cluster or traffic split across +// clusters using weights expressed in the RDS WeightedCluster. +// +// With EDS, each cluster is treated independently from a LB perspective, with +// LB taking place between the Localities within a cluster and at a finer +// granularity between the hosts within a locality. The percentage of traffic +// for each endpoint is determined by both its load_balancing_weight, and the +// load_balancing_weight of its locality. First, a locality will be selected, +// then an endpoint within that locality will be chose based on its weight. +// [#next-free-field: 6] +message ClusterLoadAssignment { + option (udpa.annotations.versioning).previous_message_type = "envoy.api.v2.ClusterLoadAssignment"; + + // Load balancing policy settings. + // [#next-free-field: 7] + message Policy { + option (udpa.annotations.versioning).previous_message_type = + "envoy.api.v2.ClusterLoadAssignment.Policy"; + + message DropOverload { + option (udpa.annotations.versioning).previous_message_type = + "envoy.api.v2.ClusterLoadAssignment.Policy.DropOverload"; + + // Identifier for the policy specifying the drop. + string category = 1 [(validate.rules).string = {min_len: 1}]; + + // Percentage of traffic that should be dropped for the category. + type.v3.FractionalPercent drop_percentage = 2; + } + + reserved 1, 5; + + reserved "disable_overprovisioning"; + + // Action to trim the overall incoming traffic to protect the upstream + // hosts. This action allows protection in case the hosts are unable to + // recover from an outage, or unable to autoscale or unable to handle + // incoming traffic volume for any reason. + // + // At the client each category is applied one after the other to generate + // the 'actual' drop percentage on all outgoing traffic. For example: + // + // .. code-block:: json + // + // { "drop_overloads": [ + // { "category": "throttle", "drop_percentage": 60 } + // { "category": "lb", "drop_percentage": 50 } + // ]} + // + // The actual drop percentages applied to the traffic at the clients will be + // "throttle"_drop = 60% + // "lb"_drop = 20% // 50% of the remaining 'actual' load, which is 40%. + // actual_outgoing_load = 20% // remaining after applying all categories. + // + // Envoy supports only one element and will NACK if more than one element is present. + // Other xDS-capable data planes will not necessarily have this limitation. + // + // In Envoy, this ``drop_overloads`` config can be overridden by a runtime key + // "load_balancing_policy.drop_overload_limit" setting. This runtime key can be set to + // any integer number between 0 and 100. 0 means drop 0%. 100 means drop 100%. + // When both ``drop_overloads`` config and "load_balancing_policy.drop_overload_limit" + // setting are in place, the min of these two wins. + repeated DropOverload drop_overloads = 2; + + // Priority levels and localities are considered overprovisioned with this + // factor (in percentage). This means that we don't consider a priority + // level or locality unhealthy until the fraction of healthy hosts + // multiplied by the overprovisioning factor drops below 100. + // With the default value 140(1.4), Envoy doesn't consider a priority level + // or a locality unhealthy until their percentage of healthy hosts drops + // below 72%. For example: + // + // .. code-block:: json + // + // { "overprovisioning_factor": 100 } + // + // Read more at :ref:`priority levels ` and + // :ref:`localities `. + google.protobuf.UInt32Value overprovisioning_factor = 3 [(validate.rules).uint32 = {gt: 0}]; + + // The max time until which the endpoints from this assignment can be used. + // If no new assignments are received before this time expires the endpoints + // are considered stale and should be marked unhealthy. + // Defaults to 0 which means endpoints never go stale. + google.protobuf.Duration endpoint_stale_after = 4 [(validate.rules).duration = {gt {}}]; + + // If true, use the :ref:`load balancing weight + // ` of healthy and unhealthy + // hosts to determine the health of the priority level. If false, use the number of healthy and unhealthy hosts + // to determine the health of the priority level, or in other words assume each host has a weight of 1 for + // this calculation. + // + // .. note:: + // This is not currently implemented for + // :ref:`locality weighted load balancing `. + bool weighted_priority_health = 6; + } + + // Name of the cluster. This will be the :ref:`service_name + // ` value if specified + // in the cluster :ref:`EdsClusterConfig + // `. + string cluster_name = 1 [(validate.rules).string = {min_len: 1}]; + + // List of endpoints to load balance to. + repeated LocalityLbEndpoints endpoints = 2; + + // Map of named endpoints that can be referenced in LocalityLbEndpoints. + // [#not-implemented-hide:] + map named_endpoints = 5; + + // Load balancing policy settings. + Policy policy = 4; +} diff --git a/grpc-xds/proto/third_party/envoy/envoy/config/endpoint/v3/endpoint_components.proto b/grpc-xds/proto/third_party/envoy/envoy/config/endpoint/v3/endpoint_components.proto new file mode 100644 index 000000000..eacc555df --- /dev/null +++ b/grpc-xds/proto/third_party/envoy/envoy/config/endpoint/v3/endpoint_components.proto @@ -0,0 +1,229 @@ +syntax = "proto3"; + +package envoy.config.endpoint.v3; + +import "envoy/config/core/v3/address.proto"; +import "envoy/config/core/v3/base.proto"; +import "envoy/config/core/v3/config_source.proto"; +import "envoy/config/core/v3/health_check.proto"; + +import "google/protobuf/wrappers.proto"; + +import "xds/core/v3/collection_entry.proto"; + +import "envoy/annotations/deprecation.proto"; +import "udpa/annotations/status.proto"; +import "udpa/annotations/versioning.proto"; +import "validate/validate.proto"; + +option java_package = "io.envoyproxy.envoy.config.endpoint.v3"; +option java_outer_classname = "EndpointComponentsProto"; +option java_multiple_files = true; +option go_package = "github.com/envoyproxy/go-control-plane/envoy/config/endpoint/v3;endpointv3"; +option (udpa.annotations.file_status).package_version_status = ACTIVE; + +// [#protodoc-title: Endpoints] + +// Upstream host identifier. +message Endpoint { + option (udpa.annotations.versioning).previous_message_type = "envoy.api.v2.endpoint.Endpoint"; + + // The optional health check configuration. + message HealthCheckConfig { + option (udpa.annotations.versioning).previous_message_type = + "envoy.api.v2.endpoint.Endpoint.HealthCheckConfig"; + + // Optional alternative health check port value. + // + // By default the health check address port of an upstream host is the same + // as the host's serving address port. This provides an alternative health + // check port. Setting this with a non-zero value allows an upstream host + // to have different health check address port. + uint32 port_value = 1 [(validate.rules).uint32 = {lte: 65535}]; + + // By default, the host header for L7 health checks is controlled by cluster level configuration + // (see: :ref:`host ` and + // :ref:`authority `). Setting this + // to a non-empty value allows overriding the cluster level configuration for a specific + // endpoint. + string hostname = 2; + + // Optional alternative health check host address. + // + // .. attention:: + // + // The form of the health check host address is expected to be a direct IP address. + core.v3.Address address = 3; + + // Optional flag to control if perform active health check for this endpoint. + // Active health check is enabled by default if there is a health checker. + bool disable_active_health_check = 4; + } + + message AdditionalAddress { + // Additional address that is associated with the endpoint. + core.v3.Address address = 1; + } + + // The upstream host address. + // + // .. attention:: + // + // The form of host address depends on the given cluster type. For STATIC or EDS, + // it is expected to be a direct IP address (or something resolvable by the + // specified :ref:`resolver ` + // in the Address). For LOGICAL or STRICT DNS, it is expected to be hostname, + // and will be resolved via DNS. + core.v3.Address address = 1; + + // The optional health check configuration is used as configuration for the + // health checker to contact the health checked host. + // + // .. attention:: + // + // This takes into effect only for upstream clusters with + // :ref:`active health checking ` enabled. + HealthCheckConfig health_check_config = 2; + + // The hostname associated with this endpoint. This hostname is not used for routing or address + // resolution. If provided, it will be associated with the endpoint, and can be used for features + // that require a hostname, like + // :ref:`auto_host_rewrite `. + string hostname = 3; + + // An ordered list of addresses that together with ``address`` comprise the + // list of addresses for an endpoint. The address given in the ``address`` is + // prepended to this list. It is assumed that the list must already be + // sorted by preference order of the addresses. This will only be supported + // for STATIC and EDS clusters. + repeated AdditionalAddress additional_addresses = 4; +} + +// An Endpoint that Envoy can route traffic to. +// [#next-free-field: 6] +message LbEndpoint { + option (udpa.annotations.versioning).previous_message_type = "envoy.api.v2.endpoint.LbEndpoint"; + + // Upstream host identifier or a named reference. + oneof host_identifier { + Endpoint endpoint = 1; + + // [#not-implemented-hide:] + string endpoint_name = 5; + } + + // Optional health status when known and supplied by EDS server. + core.v3.HealthStatus health_status = 2; + + // The endpoint metadata specifies values that may be used by the load + // balancer to select endpoints in a cluster for a given request. The filter + // name should be specified as ``envoy.lb``. An example boolean key-value pair + // is ``canary``, providing the optional canary status of the upstream host. + // This may be matched against in a route's + // :ref:`RouteAction ` metadata_match field + // to subset the endpoints considered in cluster load balancing. + core.v3.Metadata metadata = 3; + + // The optional load balancing weight of the upstream host; at least 1. + // Envoy uses the load balancing weight in some of the built in load + // balancers. The load balancing weight for an endpoint is divided by the sum + // of the weights of all endpoints in the endpoint's locality to produce a + // percentage of traffic for the endpoint. This percentage is then further + // weighted by the endpoint's locality's load balancing weight from + // LocalityLbEndpoints. If unspecified, will be treated as 1. The sum + // of the weights of all endpoints in the endpoint's locality must not + // exceed uint32_t maximal value (4294967295). + google.protobuf.UInt32Value load_balancing_weight = 4 [(validate.rules).uint32 = {gte: 1}]; +} + +// LbEndpoint list collection. Entries are `LbEndpoint` resources or references. +// [#not-implemented-hide:] +message LbEndpointCollection { + xds.core.v3.CollectionEntry entries = 1; +} + +// A configuration for an LEDS collection. +message LedsClusterLocalityConfig { + // Configuration for the source of LEDS updates for a Locality. + core.v3.ConfigSource leds_config = 1; + + // The name of the LbEndpoint collection resource. + // + // If the name ends in ``/*``, it indicates an LbEndpoint glob collection, + // which is supported only in the xDS incremental protocol variants. + // Otherwise, it indicates an LbEndpointCollection list collection. + // + // Envoy currently supports only glob collections. + string leds_collection_name = 2; +} + +// A group of endpoints belonging to a Locality. +// One can have multiple LocalityLbEndpoints for a locality, but only if +// they have different priorities. +// [#next-free-field: 10] +message LocalityLbEndpoints { + option (udpa.annotations.versioning).previous_message_type = + "envoy.api.v2.endpoint.LocalityLbEndpoints"; + + // [#not-implemented-hide:] + // A list of endpoints of a specific locality. + message LbEndpointList { + repeated LbEndpoint lb_endpoints = 1; + } + + // Identifies location of where the upstream hosts run. + core.v3.Locality locality = 1; + + // Metadata to provide additional information about the locality endpoints in aggregate. + core.v3.Metadata metadata = 9; + + // The group of endpoints belonging to the locality specified. + // This is ignored if :ref:`leds_cluster_locality_config + // ` is set. + repeated LbEndpoint lb_endpoints = 2; + + oneof lb_config { + // [#not-implemented-hide:] + // Not implemented and deprecated. + LbEndpointList load_balancer_endpoints = 7 + [deprecated = true, (envoy.annotations.deprecated_at_minor_version) = "3.0"]; + + // LEDS Configuration for the current locality. + // If this is set, the :ref:`lb_endpoints + // ` + // field is ignored. + LedsClusterLocalityConfig leds_cluster_locality_config = 8; + } + + // Optional: Per priority/region/zone/sub_zone weight; at least 1. The load + // balancing weight for a locality is divided by the sum of the weights of all + // localities at the same priority level to produce the effective percentage + // of traffic for the locality. The sum of the weights of all localities at + // the same priority level must not exceed uint32_t maximal value (4294967295). + // + // Locality weights are only considered when :ref:`locality weighted load + // balancing ` is + // configured. These weights are ignored otherwise. If no weights are + // specified when locality weighted load balancing is enabled, the locality is + // assigned no load. + google.protobuf.UInt32Value load_balancing_weight = 3 [(validate.rules).uint32 = {gte: 1}]; + + // Optional: the priority for this LocalityLbEndpoints. If unspecified this will + // default to the highest priority (0). + // + // Under usual circumstances, Envoy will only select endpoints for the highest + // priority (0). In the event that enough endpoints for a particular priority are + // unavailable/unhealthy, Envoy will fail over to selecting endpoints for the + // next highest priority group. Read more at :ref:`priority levels `. + // + // Priorities should range from 0 (highest) to N (lowest) without skipping. + uint32 priority = 5 [(validate.rules).uint32 = {lte: 128}]; + + // Optional: Per locality proximity value which indicates how close this + // locality is from the source locality. This value only provides ordering + // information (lower the value, closer it is to the source locality). + // This will be consumed by load balancing schemes that need proximity order + // to determine where to route the requests. + // [#not-implemented-hide:] + google.protobuf.UInt32Value proximity = 6; +} diff --git a/grpc-xds/proto/third_party/envoy/envoy/config/endpoint/v3/load_report.proto b/grpc-xds/proto/third_party/envoy/envoy/config/endpoint/v3/load_report.proto new file mode 100644 index 000000000..6d12765ce --- /dev/null +++ b/grpc-xds/proto/third_party/envoy/envoy/config/endpoint/v3/load_report.proto @@ -0,0 +1,220 @@ +syntax = "proto3"; + +package envoy.config.endpoint.v3; + +import "envoy/config/core/v3/address.proto"; +import "envoy/config/core/v3/base.proto"; + +import "google/protobuf/duration.proto"; +import "google/protobuf/struct.proto"; + +import "xds/annotations/v3/status.proto"; + +import "udpa/annotations/status.proto"; +import "udpa/annotations/versioning.proto"; +import "validate/validate.proto"; + +option java_package = "io.envoyproxy.envoy.config.endpoint.v3"; +option java_outer_classname = "LoadReportProto"; +option java_multiple_files = true; +option go_package = "github.com/envoyproxy/go-control-plane/envoy/config/endpoint/v3;endpointv3"; +option (udpa.annotations.file_status).package_version_status = ACTIVE; + +// [#protodoc-title: Load Report] + +// These are stats Envoy reports to the management server at a frequency defined by +// :ref:`LoadStatsResponse.load_reporting_interval`. +// Stats per upstream region/zone and optionally per subzone. +// [#next-free-field: 15] +message UpstreamLocalityStats { + option (udpa.annotations.versioning).previous_message_type = + "envoy.api.v2.endpoint.UpstreamLocalityStats"; + + // Name of zone, region and optionally endpoint group these metrics were + // collected from. Zone and region names could be empty if unknown. + core.v3.Locality locality = 1; + + // The total number of requests successfully completed by the endpoints in the + // locality. + uint64 total_successful_requests = 2; + + // The total number of unfinished requests. A request can be an HTTP request + // or a TCP connection for a TCP connection pool. + uint64 total_requests_in_progress = 3; + + // The total number of requests that failed due to errors at the endpoint, + // aggregated over all endpoints in the locality. + uint64 total_error_requests = 4; + + // The total number of requests that were issued by this Envoy since + // the last report. This information is aggregated over all the + // upstream endpoints in the locality. A request can be an HTTP request + // or a TCP connection for a TCP connection pool. + uint64 total_issued_requests = 8; + + // The total number of connections in an established state at the time of the + // report. This field is aggregated over all the upstream endpoints in the + // locality. + // In Envoy, this information may be based on ``upstream_cx_active metric``. + // [#not-implemented-hide:] + uint64 total_active_connections = 9 [(xds.annotations.v3.field_status).work_in_progress = true]; + + // The total number of connections opened since the last report. + // This field is aggregated over all the upstream endpoints in the locality. + // In Envoy, this information may be based on ``upstream_cx_total`` metric + // compared to itself between start and end of an interval, i.e. + // ``upstream_cx_total``(now) - ``upstream_cx_total``(now - + // load_report_interval). + // [#not-implemented-hide:] + uint64 total_new_connections = 10 [(xds.annotations.v3.field_status).work_in_progress = true]; + + // The total number of connection failures since the last report. + // This field is aggregated over all the upstream endpoints in the locality. + // In Envoy, this information may be based on ``upstream_cx_connect_fail`` + // metric compared to itself between start and end of an interval, i.e. + // ``upstream_cx_connect_fail``(now) - ``upstream_cx_connect_fail``(now - + // load_report_interval). + // [#not-implemented-hide:] + uint64 total_fail_connections = 11 [(xds.annotations.v3.field_status).work_in_progress = true]; + + // CPU utilization stats for multi-dimensional load balancing. + // This typically comes from endpoint metrics reported via ORCA. + UnnamedEndpointLoadMetricStats cpu_utilization = 12; + + // Memory utilization for multi-dimensional load balancing. + // This typically comes from endpoint metrics reported via ORCA. + UnnamedEndpointLoadMetricStats mem_utilization = 13; + + // Blended application-defined utilization for multi-dimensional load balancing. + // This typically comes from endpoint metrics reported via ORCA. + UnnamedEndpointLoadMetricStats application_utilization = 14; + + // Named stats for multi-dimensional load balancing. + // These typically come from endpoint metrics reported via ORCA. + repeated EndpointLoadMetricStats load_metric_stats = 5; + + // Endpoint granularity stats information for this locality. This information + // is populated if the Server requests it by setting + // :ref:`LoadStatsResponse.report_endpoint_granularity`. + repeated UpstreamEndpointStats upstream_endpoint_stats = 7; + + // [#not-implemented-hide:] The priority of the endpoint group these metrics + // were collected from. + uint32 priority = 6; +} + +// [#next-free-field: 8] +message UpstreamEndpointStats { + option (udpa.annotations.versioning).previous_message_type = + "envoy.api.v2.endpoint.UpstreamEndpointStats"; + + // Upstream host address. + core.v3.Address address = 1; + + // Opaque and implementation dependent metadata of the + // endpoint. Envoy will pass this directly to the management server. + google.protobuf.Struct metadata = 6; + + // The total number of requests successfully completed by the endpoints in the + // locality. These include non-5xx responses for HTTP, where errors + // originate at the client and the endpoint responded successfully. For gRPC, + // the grpc-status values are those not covered by total_error_requests below. + uint64 total_successful_requests = 2; + + // The total number of unfinished requests for this endpoint. + uint64 total_requests_in_progress = 3; + + // The total number of requests that failed due to errors at the endpoint. + // For HTTP these are responses with 5xx status codes and for gRPC the + // grpc-status values: + // + // - DeadlineExceeded + // - Unimplemented + // - Internal + // - Unavailable + // - Unknown + // - DataLoss + uint64 total_error_requests = 4; + + // The total number of requests that were issued to this endpoint + // since the last report. A single TCP connection, HTTP or gRPC + // request or stream is counted as one request. + uint64 total_issued_requests = 7; + + // Stats for multi-dimensional load balancing. + repeated EndpointLoadMetricStats load_metric_stats = 5; +} + +message EndpointLoadMetricStats { + option (udpa.annotations.versioning).previous_message_type = + "envoy.api.v2.endpoint.EndpointLoadMetricStats"; + + // Name of the metric; may be empty. + string metric_name = 1; + + // Number of calls that finished and included this metric. + uint64 num_requests_finished_with_metric = 2; + + // Sum of metric values across all calls that finished with this metric for + // load_reporting_interval. + double total_metric_value = 3; +} + +// Same as EndpointLoadMetricStats, except without the metric_name field. +message UnnamedEndpointLoadMetricStats { + // Number of calls that finished and included this metric. + uint64 num_requests_finished_with_metric = 1; + + // Sum of metric values across all calls that finished with this metric for + // load_reporting_interval. + double total_metric_value = 2; +} + +// Per cluster load stats. Envoy reports these stats a management server in a +// :ref:`LoadStatsRequest` +// Next ID: 7 +// [#next-free-field: 7] +message ClusterStats { + option (udpa.annotations.versioning).previous_message_type = "envoy.api.v2.endpoint.ClusterStats"; + + message DroppedRequests { + option (udpa.annotations.versioning).previous_message_type = + "envoy.api.v2.endpoint.ClusterStats.DroppedRequests"; + + // Identifier for the policy specifying the drop. + string category = 1 [(validate.rules).string = {min_len: 1}]; + + // Total number of deliberately dropped requests for the category. + uint64 dropped_count = 2; + } + + // The name of the cluster. + string cluster_name = 1 [(validate.rules).string = {min_len: 1}]; + + // The eds_cluster_config service_name of the cluster. + // It's possible that two clusters send the same service_name to EDS, + // in that case, the management server is supposed to do aggregation on the load reports. + string cluster_service_name = 6; + + // Need at least one. + repeated UpstreamLocalityStats upstream_locality_stats = 2 + [(validate.rules).repeated = {min_items: 1}]; + + // Cluster-level stats such as total_successful_requests may be computed by + // summing upstream_locality_stats. In addition, below there are additional + // cluster-wide stats. + // + // The total number of dropped requests. This covers requests + // deliberately dropped by the drop_overload policy and circuit breaking. + uint64 total_dropped_requests = 3; + + // Information about deliberately dropped requests for each category specified + // in the DropOverload policy. + repeated DroppedRequests dropped_requests = 5; + + // Period over which the actual load report occurred. This will be guaranteed to include every + // request reported. Due to system load and delays between the ``LoadStatsRequest`` sent from Envoy + // and the ``LoadStatsResponse`` message sent from the management server, this may be longer than + // the requested load reporting interval in the ``LoadStatsResponse``. + google.protobuf.Duration load_report_interval = 4; +} diff --git a/grpc-xds/proto/third_party/envoy/envoy/config/listener/v3/api_listener.proto b/grpc-xds/proto/third_party/envoy/envoy/config/listener/v3/api_listener.proto new file mode 100644 index 000000000..a3610e656 --- /dev/null +++ b/grpc-xds/proto/third_party/envoy/envoy/config/listener/v3/api_listener.proto @@ -0,0 +1,34 @@ +syntax = "proto3"; + +package envoy.config.listener.v3; + +import "google/protobuf/any.proto"; + +import "udpa/annotations/status.proto"; +import "udpa/annotations/versioning.proto"; + +option java_package = "io.envoyproxy.envoy.config.listener.v3"; +option java_outer_classname = "ApiListenerProto"; +option java_multiple_files = true; +option go_package = "github.com/envoyproxy/go-control-plane/envoy/config/listener/v3;listenerv3"; +option (udpa.annotations.file_status).package_version_status = ACTIVE; + +// [#protodoc-title: API listener] + +// Describes a type of API listener, which is used in non-proxy clients. The type of API +// exposed to the non-proxy application depends on the type of API listener. +message ApiListener { + option (udpa.annotations.versioning).previous_message_type = + "envoy.config.listener.v2.ApiListener"; + + // The type in this field determines the type of API listener. At present, the following + // types are supported: + // envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager (HTTP) + // envoy.extensions.filters.network.http_connection_manager.v3.EnvoyMobileHttpConnectionManager (HTTP) + // [#next-major-version: In the v3 API, replace this Any field with a oneof containing the + // specific config message for each type of API listener. We could not do this in v2 because + // it would have caused circular dependencies for go protos: lds.proto depends on this file, + // and http_connection_manager.proto depends on rds.proto, which is in the same directory as + // lds.proto, so lds.proto cannot depend on this file.] + google.protobuf.Any api_listener = 1; +} diff --git a/grpc-xds/proto/third_party/envoy/envoy/config/listener/v3/listener.proto b/grpc-xds/proto/third_party/envoy/envoy/config/listener/v3/listener.proto new file mode 100644 index 000000000..54ef2cfed --- /dev/null +++ b/grpc-xds/proto/third_party/envoy/envoy/config/listener/v3/listener.proto @@ -0,0 +1,455 @@ +syntax = "proto3"; + +package envoy.config.listener.v3; + +import "envoy/config/accesslog/v3/accesslog.proto"; +import "envoy/config/core/v3/address.proto"; +import "envoy/config/core/v3/base.proto"; +import "envoy/config/core/v3/config_source.proto"; +import "envoy/config/core/v3/extension.proto"; +import "envoy/config/core/v3/socket_option.proto"; +import "envoy/config/listener/v3/api_listener.proto"; +import "envoy/config/listener/v3/listener_components.proto"; +import "envoy/config/listener/v3/udp_listener_config.proto"; + +import "google/protobuf/duration.proto"; +import "google/protobuf/wrappers.proto"; + +import "xds/core/v3/collection_entry.proto"; +import "xds/type/matcher/v3/matcher.proto"; + +import "envoy/annotations/deprecation.proto"; +import "udpa/annotations/security.proto"; +import "udpa/annotations/status.proto"; +import "udpa/annotations/versioning.proto"; +import "validate/validate.proto"; + +option java_package = "io.envoyproxy.envoy.config.listener.v3"; +option java_outer_classname = "ListenerProto"; +option java_multiple_files = true; +option go_package = "github.com/envoyproxy/go-control-plane/envoy/config/listener/v3;listenerv3"; +option (udpa.annotations.file_status).package_version_status = ACTIVE; + +// [#protodoc-title: Listener configuration] +// Listener :ref:`configuration overview ` + +// The additional address the listener is listening on. +message AdditionalAddress { + core.v3.Address address = 1; + + // Additional socket options that may not be present in Envoy source code or + // precompiled binaries. If specified, this will override the + // :ref:`socket_options ` + // in the listener. If specified with no + // :ref:`socket_options ` + // or an empty list of :ref:`socket_options `, + // it means no socket option will apply. + core.v3.SocketOptionsOverride socket_options = 2; + + // Configures TCP keepalive settings for the additional address. + // If not set, the listener :ref:`tcp_keepalive ` + // configuration is inherited. You can explicitly disable TCP keepalive for the additional address by setting any keepalive field + // (:ref:`keepalive_probes `, + // :ref:`keepalive_time `, or + // :ref:`keepalive_interval `) to ``0``. + core.v3.TcpKeepalive tcp_keepalive = 3; +} + +// Listener list collections. Entries are ``Listener`` resources or references. +// [#not-implemented-hide:] +message ListenerCollection { + repeated xds.core.v3.CollectionEntry entries = 1; +} + +// [#next-free-field: 38] +message Listener { + option (udpa.annotations.versioning).previous_message_type = "envoy.api.v2.Listener"; + + enum DrainType { + // Drain in response to calling /healthcheck/fail admin endpoint (along with the health check + // filter), listener removal/modification, and hot restart. + DEFAULT = 0; + + // Drain in response to listener removal/modification and hot restart. This setting does not + // include /healthcheck/fail. This setting may be desirable if Envoy is hosting both ingress + // and egress listeners. + MODIFY_ONLY = 1; + } + + // [#not-implemented-hide:] + message DeprecatedV1 { + option (udpa.annotations.versioning).previous_message_type = + "envoy.api.v2.Listener.DeprecatedV1"; + + // Whether the listener should bind to the port. A listener that doesn't + // bind can only receive connections redirected from other listeners that + // set use_original_dst parameter to true. Default is true. + // + // This is deprecated. Use :ref:`Listener.bind_to_port + // ` + google.protobuf.BoolValue bind_to_port = 1; + } + + // Configuration for listener connection balancing. + message ConnectionBalanceConfig { + option (udpa.annotations.versioning).previous_message_type = + "envoy.api.v2.Listener.ConnectionBalanceConfig"; + + // A connection balancer implementation that does exact balancing. This means that a lock is + // held during balancing so that connection counts are nearly exactly balanced between worker + // threads. This is "nearly" exact in the sense that a connection might close in parallel thus + // making the counts incorrect, but this should be rectified on the next accept. This balancer + // sacrifices accept throughput for accuracy and should be used when there are a small number of + // connections that rarely cycle (e.g., service mesh gRPC egress). + message ExactBalance { + option (udpa.annotations.versioning).previous_message_type = + "envoy.api.v2.Listener.ConnectionBalanceConfig.ExactBalance"; + } + + oneof balance_type { + option (validate.required) = true; + + // If specified, the listener will use the exact connection balancer. + ExactBalance exact_balance = 1; + + // The listener will use the connection balancer according to ``type_url``. If ``type_url`` is invalid, + // Envoy will not attempt to balance active connections between worker threads. + // [#extension-category: envoy.network.connection_balance] + core.v3.TypedExtensionConfig extend_balance = 2; + } + } + + // Configuration for envoy internal listener. All the future internal listener features should be added here. + message InternalListenerConfig { + } + + // Configuration for filter chains discovery. + // [#not-implemented-hide:] + message FcdsConfig { + // Optional name to present to the filter chain discovery service. This may be an arbitrary name with arbitrary + // length. If a name is not provided, the listener's name is used. Refer to :ref:`filter_chains `. + // for details on how listener name is determined if unspecified. In addition, this may be a xdstp:// URL. + string name = 1; + + // Configuration for the source of FCDS updates for this listener. + // .. note:: + // This discovery service only supports ``AGGREGATED_GRPC`` API type. + core.v3.ConfigSource config_source = 2; + } + + reserved 14, 23; + + // The unique name by which this listener is known. If no name is provided, + // Envoy will allocate an internal UUID for the listener. If the listener is to be dynamically + // updated or removed via :ref:`LDS ` a unique name must be provided. + string name = 1; + + // The address that the listener should listen on. In general, the address must be unique, though + // that is governed by the bind rules of the OS. E.g., multiple listeners can listen on port 0 on + // Linux as the actual port will be allocated by the OS. + // Required unless ``api_listener`` or ``listener_specifier`` is populated. + // + // When the address contains a network namespace filepath (via + // :ref:`network_namespace_filepath `), + // Envoy automatically populates the filter state with key ``envoy.network.network_namespace`` + // when a connection is accepted. This provides read-only access to the network namespace for + // filters, access logs, and other components. + core.v3.Address address = 2; + + // The additional addresses the listener should listen on. The addresses must be unique across all + // listeners. Multiple addresses with port 0 can be supplied. When using multiple addresses in a single listener, + // all addresses use the same protocol, and multiple internal addresses are not supported. + repeated AdditionalAddress additional_addresses = 33; + + // Optional prefix to use on listener stats. If empty, the stats will be rooted at + // ``listener.
.``. If non-empty, stats will be rooted at + // ``listener..``. + string stat_prefix = 28; + + // A list of filter chains to consider for this listener. The + // :ref:`FilterChain ` with the most specific + // :ref:`FilterChainMatch ` criteria is used on a + // connection. + // + // Example using SNI for filter chain selection can be found in the + // :ref:`FAQ entry `. + repeated FilterChain filter_chains = 3; + + // Discover filter chains configurations by external service. Dynamic discovery of filter chains is allowed + // while having statically configured filter chains, however, a filter chain name must be unique within a + // listener. If a discovered filter chain matches a name of an existing filter chain, it is discarded. + // [#not-implemented-hide:] + FcdsConfig fcds_config = 36; + + // :ref:`Matcher API ` resolving the filter chain name from the + // network properties. This matcher is used as a replacement for the filter chain match condition + // :ref:`filter_chain_match + // `. If specified, all + // :ref:`filter_chains ` must have a + // non-empty and unique :ref:`name ` field + // and not specify :ref:`filter_chain_match + // ` field. + // + // .. note:: + // + // Once matched, each connection is permanently bound to its filter chain. + // If the matcher changes but the filter chain remains the same, the + // connections bound to the filter chain are not drained. If, however, the + // filter chain is removed or structurally modified, then the drain for its + // connections is initiated. + xds.type.matcher.v3.Matcher filter_chain_matcher = 32; + + // If a connection is redirected using ``iptables``, the port on which the proxy + // receives it might be different from the original destination address. When this flag is set to + // true, the listener hands off redirected connections to the listener associated with the + // original destination address. If there is no listener associated with the original destination + // address, the connection is handled by the listener that receives it. Defaults to false. + google.protobuf.BoolValue use_original_dst = 4; + + // The default filter chain if none of the filter chain matches. If no default filter chain is supplied, + // the connection will be closed. The filter chain match is ignored in this field. + FilterChain default_filter_chain = 25; + + // Soft limit on size of the listener’s new connection read and write buffers. + // If unspecified, an implementation defined default is applied (1MiB). + google.protobuf.UInt32Value per_connection_buffer_limit_bytes = 5 + [(udpa.annotations.security).configure_for_untrusted_downstream = true]; + + // Listener metadata. + core.v3.Metadata metadata = 6; + + // [#not-implemented-hide:] + DeprecatedV1 deprecated_v1 = 7 + [deprecated = true, (envoy.annotations.deprecated_at_minor_version) = "3.0"]; + + // The type of draining to perform at a listener-wide level. + DrainType drain_type = 8; + + // Listener filters have the opportunity to manipulate and augment the connection metadata that + // is used in connection filter chain matching, for example. These filters are run before any in + // :ref:`filter_chains `. Order matters as the + // filters are processed sequentially right after a socket has been accepted by the listener, and + // before a connection is created. + // UDP Listener filters can be specified when the protocol in the listener socket address in + // :ref:`protocol ` is :ref:`UDP + // ` and no + // :ref:`quic_options ` is specified in :ref:`udp_listener_config `. + // QUIC listener filters can be specified when :ref:`quic_options + // ` is + // specified in :ref:`udp_listener_config `. + // They are processed sequentially right before connection creation. And like TCP Listener filters, they can be used to manipulate the connection metadata and socket. But the difference is that they can't be used to pause connection creation. + repeated ListenerFilter listener_filters = 9; + + // The timeout to wait for all listener filters to complete operation. If the timeout is reached, + // the accepted socket is closed without a connection being created unless + // ``continue_on_listener_filters_timeout`` is set to true. Specify 0 to disable the + // timeout. If not specified, a default timeout of 15s is used. + google.protobuf.Duration listener_filters_timeout = 15; + + // Whether a connection should be created when listener filters timeout. Default is false. + // + // .. attention:: + // + // Some listener filters, such as :ref:`Proxy Protocol filter + // `, should not be used with this option. It will cause + // unexpected behavior when a connection is created. + bool continue_on_listener_filters_timeout = 17; + + // Whether the listener should be set as a transparent socket. + // When this flag is set to true, connections can be redirected to the listener using an + // ``iptables`` ``TPROXY`` target, in which case the original source and destination addresses and + // ports are preserved on accepted connections. This flag should be used in combination with + // :ref:`an original_dst ` :ref:`listener filter + // ` to mark the connections' local addresses as + // "restored." This can be used to hand off each redirected connection to another listener + // associated with the connection's destination address. Direct connections to the socket without + // using ``TPROXY`` cannot be distinguished from connections redirected using ``TPROXY`` and are + // therefore treated as if they were redirected. + // When this flag is set to false, the listener's socket is explicitly reset as non-transparent. + // Setting this flag requires Envoy to run with the ``CAP_NET_ADMIN`` capability. + // When this flag is not set (default), the socket is not modified, i.e. the transparent option + // is neither set nor reset. + google.protobuf.BoolValue transparent = 10; + + // Whether the listener should set the ``IP_FREEBIND`` socket option. When this + // flag is set to true, listeners can be bound to an IP address that is not + // configured on the system running Envoy. When this flag is set to false, the + // option ``IP_FREEBIND`` is disabled on the socket. When this flag is not set + // (default), the socket is not modified, i.e. the option is neither enabled + // nor disabled. + google.protobuf.BoolValue freebind = 11; + + // Additional socket options that may not be present in Envoy source code or + // precompiled binaries. + // It is not allowed to update the socket options for any existing address if + // :ref:`enable_reuse_port ` + // is ``false`` to avoid the conflict when creating new sockets for the listener. + repeated core.v3.SocketOption socket_options = 13; + + // Whether the listener should accept TCP Fast Open (TFO) connections. + // When this flag is set to a value greater than 0, the option TCP_FASTOPEN is enabled on + // the socket, with a queue length of the specified size + // (see `details in RFC7413 `_). + // When this flag is set to 0, the option TCP_FASTOPEN is disabled on the socket. + // When this flag is not set (default), the socket is not modified, + // i.e. the option is neither enabled nor disabled. + // + // On Linux, the net.ipv4.tcp_fastopen kernel parameter must include flag 0x2 to enable + // TCP_FASTOPEN. + // See `ip-sysctl.txt `_. + // + // On macOS, only values of 0, 1, and unset are valid; other values may result in an error. + // To set the queue length on macOS, set the net.inet.tcp.fastopen_backlog kernel parameter. + google.protobuf.UInt32Value tcp_fast_open_queue_length = 12; + + // Specifies the intended direction of the traffic relative to the local Envoy. + // This property is required on Windows for listeners using the original destination filter, + // see :ref:`Original Destination `. + core.v3.TrafficDirection traffic_direction = 16; + + // If the protocol in the listener socket address in :ref:`protocol + // ` is :ref:`UDP + // `, this field specifies UDP + // listener specific configuration. + UdpListenerConfig udp_listener_config = 18; + + // Used to represent an API listener, which is used in non-proxy clients. The type of API + // exposed to the non-proxy application depends on the type of API listener. + // When this field is set, no other field except for :ref:`name` + // should be set. + // + // .. note:: + // + // Currently only one ApiListener can be installed; and it can only be done via bootstrap config, + // not LDS. + // + // [#next-major-version: In the v3 API, instead of this messy approach where the socket + // listener fields are directly in the top-level Listener message and the API listener types + // are in the ApiListener message, the socket listener messages should be in their own message, + // and the top-level Listener should essentially be a oneof that selects between the + // socket listener and the various types of API listener. That way, a given Listener message + // can structurally only contain the fields of the relevant type.] + ApiListener api_listener = 19; + + // The listener's connection balancer configuration, currently only applicable to TCP listeners. + // If no configuration is specified, Envoy will not attempt to balance active connections between + // worker threads. + // + // In the scenario that the listener X redirects all the connections to the listeners Y1 and Y2 + // by setting :ref:`use_original_dst ` in X + // and :ref:`bind_to_port ` to false in Y1 and Y2, + // it is recommended to disable the balance config in listener X to avoid the cost of balancing, and + // enable the balance config in Y1 and Y2 to balance the connections among the workers. + ConnectionBalanceConfig connection_balance_config = 20; + + // Deprecated. Use ``enable_reuse_port`` instead. + bool reuse_port = 21 [deprecated = true, (envoy.annotations.deprecated_at_minor_version) = "3.0"]; + + // When this flag is set to true, listeners set the ``SO_REUSEPORT`` socket option and + // create one socket for each worker thread. This makes inbound connections + // distribute among worker threads roughly evenly in cases where there are a high number + // of connections. When this flag is set to false, all worker threads share one socket. This field + // defaults to true. The change of field will be rejected during an listener update when the + // runtime flag ``envoy.reloadable_features.enable_update_listener_socket_options`` is enabled. + // Otherwise, the update of this field will be ignored quietly. + // + // .. attention:: + // + // Although this field defaults to true, it has different behavior on different platforms. See + // the following text for more information. + // + // * On Linux, reuse_port is respected for both TCP and UDP listeners. It also works correctly + // with hot restart. + // * On macOS, reuse_port for TCP does not do what it does on Linux. Instead of load balancing, + // the last socket wins and receives all connections/packets. For TCP, reuse_port is force + // disabled and the user is warned. For UDP, it is enabled, but only one worker will receive + // packets. For QUIC/H3, SW routing will send packets to other workers. For "raw" UDP, only + // a single worker will currently receive packets. + // * On Windows, reuse_port for TCP has undefined behavior. It is force disabled and the user + // is warned similar to macOS. It is left enabled for UDP with undefined behavior currently. + google.protobuf.BoolValue enable_reuse_port = 29; + + // Configuration for :ref:`access logs ` + // emitted by this listener. + repeated accesslog.v3.AccessLog access_log = 22; + + // The maximum length a tcp listener's pending connections queue can grow to. If no value is + // provided net.core.somaxconn will be used on Linux and 128 otherwise. + google.protobuf.UInt32Value tcp_backlog_size = 24; + + // The maximum number of connections to accept from the kernel per socket + // event. Envoy may decide to close these connections after accepting them + // from the kernel e.g. due to load shedding, or other policies. + // If there are more than max_connections_to_accept_per_socket_event + // connections pending accept, connections over this threshold will be + // accepted in later event loop iterations. + // If no value is provided Envoy will accept all connections pending accept + // from the kernel. + // + // .. note:: + // + // It is recommended to lower this value for better overload management and reduced per-event cost. + // Setting it to 1 is a viable option with no noticeable impact on performance. + google.protobuf.UInt32Value max_connections_to_accept_per_socket_event = 34 + [(validate.rules).uint32 = {gt: 0}]; + + // Whether the listener should bind to the port. A listener that doesn't + // bind can only receive connections redirected from other listeners that set + // :ref:`use_original_dst ` + // to true. Default is true. + google.protobuf.BoolValue bind_to_port = 26; + + // The exclusive listener type and the corresponding config. + oneof listener_specifier { + // Used to represent an internal listener which does not listen on OSI L4 address but can be used by the + // :ref:`envoy cluster ` to create a user space connection to. + // The internal listener acts as a TCP listener. It supports listener filters and network filter chains. + // Upstream clusters refer to the internal listeners by their :ref:`name + // `. :ref:`Address + // ` must not be set on the internal listeners. + // + // There are some limitations that are derived from the implementation. The known limitations include: + // + // * :ref:`ConnectionBalanceConfig ` is not + // allowed because both the cluster connection and the listener connection must be owned by the same dispatcher. + // * :ref:`tcp_backlog_size ` + // * :ref:`freebind ` + // * :ref:`transparent ` + InternalListenerConfig internal_listener = 27; + } + + // Enable MPTCP (multi-path TCP) on this listener. Clients will be allowed to establish + // MPTCP connections. Non-MPTCP clients will fall back to regular TCP. + bool enable_mptcp = 30; + + // Whether the listener should limit connections based upon the value of + // :ref:`global_downstream_max_connections `. + bool ignore_global_conn_limit = 31; + + // Whether the listener bypasses configured overload manager actions. + bool bypass_overload_manager = 35; + + // If set, TCP keepalive settings are configured for the listener address and inherited by + // additional addresses. If not set, TCP keepalive settings are not configured for the + // listener address and additional addresses by default. See :ref:`tcp_keepalive ` + // to explicitly configure TCP keepalive settings for individual additional addresses. + core.v3.TcpKeepalive tcp_keepalive = 37; +} + +// A placeholder proto so that users can explicitly configure the standard +// Listener Manager via the bootstrap's :ref:`listener_manager `. +// [#not-implemented-hide:] +message ListenerManager { +} + +// A placeholder proto so that users can explicitly configure the standard +// Validation Listener Manager via the bootstrap's :ref:`listener_manager `. +// [#not-implemented-hide:] +message ValidationListenerManager { +} + +// A placeholder proto so that users can explicitly configure the API +// Listener Manager via the bootstrap's :ref:`listener_manager `. +// [#not-implemented-hide:] +message ApiListenerManager { +} diff --git a/grpc-xds/proto/third_party/envoy/envoy/config/listener/v3/listener_components.proto b/grpc-xds/proto/third_party/envoy/envoy/config/listener/v3/listener_components.proto new file mode 100644 index 000000000..16b43568f --- /dev/null +++ b/grpc-xds/proto/third_party/envoy/envoy/config/listener/v3/listener_components.proto @@ -0,0 +1,353 @@ +syntax = "proto3"; + +package envoy.config.listener.v3; + +import "envoy/config/core/v3/address.proto"; +import "envoy/config/core/v3/base.proto"; +import "envoy/config/core/v3/config_source.proto"; +import "envoy/type/v3/range.proto"; + +import "google/protobuf/any.proto"; +import "google/protobuf/duration.proto"; +import "google/protobuf/wrappers.proto"; + +import "envoy/annotations/deprecation.proto"; +import "udpa/annotations/status.proto"; +import "udpa/annotations/versioning.proto"; +import "validate/validate.proto"; + +option java_package = "io.envoyproxy.envoy.config.listener.v3"; +option java_outer_classname = "ListenerComponentsProto"; +option java_multiple_files = true; +option go_package = "github.com/envoyproxy/go-control-plane/envoy/config/listener/v3;listenerv3"; +option (udpa.annotations.file_status).package_version_status = ACTIVE; + +// [#protodoc-title: Listener components] +// Listener :ref:`configuration overview ` + +// [#next-free-field: 6] +message Filter { + option (udpa.annotations.versioning).previous_message_type = "envoy.api.v2.listener.Filter"; + + reserved 3, 2; + + reserved "config"; + + // The name of the filter configuration. + string name = 1 [(validate.rules).string = {min_len: 1}]; + + oneof config_type { + // Filter specific configuration which depends on the filter being + // instantiated. See the supported filters for further documentation. + // [#extension-category: envoy.filters.network] + google.protobuf.Any typed_config = 4; + + // Configuration source specifier for an extension configuration discovery + // service. In case of a failure and without the default configuration, the + // listener closes the connections. + core.v3.ExtensionConfigSource config_discovery = 5; + } +} + +// Specifies the match criteria for selecting a specific filter chain for a +// listener. +// +// In order for a filter chain to be selected, *ALL* of its criteria must be +// fulfilled by the incoming connection, properties of which are set by the +// networking stack and/or listener filters. +// +// The following order applies: +// +// 1. Destination port. +// 2. Destination IP address. +// 3. Server name (e.g. SNI for TLS protocol), +// 4. Transport protocol. +// 5. Application protocols (e.g. ALPN for TLS protocol). +// 6. Directly connected source IP address (this will only be different from the source IP address +// when using a listener filter that overrides the source address, such as the :ref:`Proxy Protocol +// listener filter `). +// 7. Source type (e.g. any, local or external network). +// 8. Source IP address. +// 9. Source port. +// +// For criteria that allow ranges or wildcards, the most specific value in any +// of the configured filter chains that matches the incoming connection is going +// to be used (e.g. for SNI ``www.example.com`` the most specific match would be +// ``www.example.com``, then ``*.example.com``, then ``*.com``, then any filter +// chain without ``server_names`` requirements). +// +// A different way to reason about the filter chain matches: +// Suppose there exists N filter chains. Prune the filter chain set using the above 8 steps. +// In each step, filter chains which most specifically matches the attributes continue to the next step. +// The listener guarantees at most 1 filter chain is left after all of the steps. +// +// Example: +// +// For destination port, filter chains specifying the destination port of incoming traffic are the +// most specific match. If none of the filter chains specifies the exact destination port, the filter +// chains which do not specify ports are the most specific match. Filter chains specifying the +// wrong port can never be the most specific match. +// +// [#comment: Implemented rules are kept in the preference order, with deprecated fields +// listed at the end, because that's how we want to list them in the docs. +// +// [#comment:TODO(PiotrSikora): Add support for configurable precedence of the rules] +// [#next-free-field: 14] +message FilterChainMatch { + option (udpa.annotations.versioning).previous_message_type = + "envoy.api.v2.listener.FilterChainMatch"; + + enum ConnectionSourceType { + // Any connection source matches. + ANY = 0; + + // Match a connection originating from the same host. + SAME_IP_OR_LOOPBACK = 1; + + // Match a connection originating from a different host. + EXTERNAL = 2; + } + + reserved 1; + + // Optional destination port to consider when use_original_dst is set on the + // listener in determining a filter chain match. + google.protobuf.UInt32Value destination_port = 8 [(validate.rules).uint32 = {lte: 65535 gte: 1}]; + + // If non-empty, an IP address and prefix length to match addresses when the + // listener is bound to 0.0.0.0/:: or when use_original_dst is specified. + repeated core.v3.CidrRange prefix_ranges = 3; + + // If non-empty, an IP address and suffix length to match addresses when the + // listener is bound to 0.0.0.0/:: or when use_original_dst is specified. + // [#not-implemented-hide:] + string address_suffix = 4; + + // [#not-implemented-hide:] + google.protobuf.UInt32Value suffix_len = 5; + + // The criteria is satisfied if the directly connected source IP address of the downstream + // connection is contained in at least one of the specified subnets. If the parameter is not + // specified or the list is empty, the directly connected source IP address is ignored. + repeated core.v3.CidrRange direct_source_prefix_ranges = 13; + + // Specifies the connection source IP match type. Can be any, local or external network. + ConnectionSourceType source_type = 12 [(validate.rules).enum = {defined_only: true}]; + + // The criteria is satisfied if the source IP address of the downstream + // connection is contained in at least one of the specified subnets. If the + // parameter is not specified or the list is empty, the source IP address is + // ignored. + repeated core.v3.CidrRange source_prefix_ranges = 6; + + // The criteria is satisfied if the source port of the downstream connection + // is contained in at least one of the specified ports. If the parameter is + // not specified, the source port is ignored. + repeated uint32 source_ports = 7 + [(validate.rules).repeated = {items {uint32 {lte: 65535 gte: 1}}}]; + + // If non-empty, a list of server names (e.g. SNI for TLS protocol) to consider when determining + // a filter chain match. Those values will be compared against the server names of a new + // connection, when detected by one of the listener filters. + // + // The server name will be matched against all wildcard domains, i.e. ``www.example.com`` + // will be first matched against ``www.example.com``, then ``*.example.com``, then ``*.com``. + // + // Note that partial wildcards are not supported, and values like ``*w.example.com`` are invalid. + // The value ``*`` is also not supported, and ``server_names`` should be omitted instead. + // + // .. attention:: + // + // See the :ref:`FAQ entry ` on how to configure SNI for more + // information. + repeated string server_names = 11; + + // If non-empty, a transport protocol to consider when determining a filter chain match. + // This value will be compared against the transport protocol of a new connection, when + // it's detected by one of the listener filters. + // + // Suggested values include: + // + // * ``raw_buffer`` - default, used when no transport protocol is detected, + // * ``tls`` - set by :ref:`envoy.filters.listener.tls_inspector ` + // when TLS protocol is detected. + string transport_protocol = 9; + + // If non-empty, a list of application protocols (e.g. ALPN for TLS protocol) to consider when + // determining a filter chain match. Those values will be compared against the application + // protocols of a new connection, when detected by one of the listener filters. + // + // Suggested values include: + // + // * ``http/1.1`` - set by :ref:`envoy.filters.listener.tls_inspector + // `, + // * ``h2`` - set by :ref:`envoy.filters.listener.tls_inspector ` + // + // .. attention:: + // + // Currently, only :ref:`TLS Inspector ` provides + // application protocol detection based on the requested + // `ALPN `_ values. + // + // However, the use of ALPN is pretty much limited to the HTTP/2 traffic on the Internet, + // and matching on values other than ``h2`` is going to lead to a lot of false negatives, + // unless all connecting clients are known to use ALPN. + repeated string application_protocols = 10; +} + +// A filter chain wraps a set of match criteria, an option TLS context, a set of filters, and +// various other parameters. +// [#next-free-field: 10] +message FilterChain { + option (udpa.annotations.versioning).previous_message_type = "envoy.api.v2.listener.FilterChain"; + + reserved 2, 8; + + reserved "tls_context", "on_demand_configuration"; + + // The criteria to use when matching a connection to this filter chain. + FilterChainMatch filter_chain_match = 1; + + // A list of individual network filters that make up the filter chain for + // connections established with the listener. Order matters as the filters are + // processed sequentially as connection events happen. Note: If the filter + // list is empty, the connection will close by default. + // + // For QUIC listeners, network filters other than HTTP Connection Manager (HCM) + // can be created, but due to differences in the connection implementation compared + // to TCP, the onData() method will never be called. Therefore, network filters + // for QUIC listeners should only expect to do work at the start of a new connection + // (i.e. in onNewConnection()). HCM must be the last (or only) filter in the chain. + repeated Filter filters = 3; + + // Whether the listener should expect a PROXY protocol V1 header on new + // connections. If this option is enabled, the listener will assume that that + // remote address of the connection is the one specified in the header. Some + // load balancers including the AWS ELB support this option. If the option is + // absent or set to false, Envoy will use the physical peer address of the + // connection as the remote address. + // + // This field is deprecated. Add a + // :ref:`PROXY protocol listener filter ` + // explicitly instead. + google.protobuf.BoolValue use_proxy_proto = 4 + [deprecated = true, (envoy.annotations.deprecated_at_minor_version) = "3.0"]; + + // Filter chain metadata. + core.v3.Metadata metadata = 5; + + // Optional custom transport socket implementation to use for downstream connections. + // To setup TLS, set a transport socket with name ``envoy.transport_sockets.tls`` and + // :ref:`DownstreamTlsContext ` in the ``typed_config``. + // If no transport socket configuration is specified, new connections + // will be set up with plaintext. + // [#extension-category: envoy.transport_sockets.downstream] + core.v3.TransportSocket transport_socket = 6; + + // If present and nonzero, the amount of time to allow incoming connections to complete any + // transport socket negotiations. If this expires before the transport reports connection + // establishment, the connection is summarily closed. + google.protobuf.Duration transport_socket_connect_timeout = 9; + + // The unique name (or empty) by which this filter chain is known. + // + // .. note:: + // :ref:`filter_chain_matcher + // ` + // requires that filter chains are uniquely named within a listener. + string name = 7; +} + +// Listener filter chain match configuration. This is a recursive structure which allows complex +// nested match configurations to be built using various logical operators. +// +// Examples: +// +// * Matches if the destination port is 3306. +// +// .. code-block:: yaml +// +// destination_port_range: +// start: 3306 +// end: 3307 +// +// * Matches if the destination port is 3306 or 15000. +// +// .. code-block:: yaml +// +// or_match: +// rules: +// - destination_port_range: +// start: 3306 +// end: 3307 +// - destination_port_range: +// start: 15000 +// end: 15001 +// +// [#next-free-field: 6] +message ListenerFilterChainMatchPredicate { + option (udpa.annotations.versioning).previous_message_type = + "envoy.api.v2.listener.ListenerFilterChainMatchPredicate"; + + // A set of match configurations used for logical operations. + message MatchSet { + option (udpa.annotations.versioning).previous_message_type = + "envoy.api.v2.listener.ListenerFilterChainMatchPredicate.MatchSet"; + + // The list of rules that make up the set. + repeated ListenerFilterChainMatchPredicate rules = 1 + [(validate.rules).repeated = {min_items: 2}]; + } + + oneof rule { + option (validate.required) = true; + + // A set that describes a logical OR. If any member of the set matches, the match configuration + // matches. + MatchSet or_match = 1; + + // A set that describes a logical AND. If all members of the set match, the match configuration + // matches. + MatchSet and_match = 2; + + // A negation match. The match configuration will match if the negated match condition matches. + ListenerFilterChainMatchPredicate not_match = 3; + + // The match configuration will always match. + bool any_match = 4 [(validate.rules).bool = {const: true}]; + + // Match destination port. Particularly, the match evaluation must use the recovered local port if + // the owning listener filter is after :ref:`an original_dst listener filter `. + type.v3.Int32Range destination_port_range = 5; + } +} + +// [#next-free-field: 6] +message ListenerFilter { + option (udpa.annotations.versioning).previous_message_type = + "envoy.api.v2.listener.ListenerFilter"; + + reserved 2; + + reserved "config"; + + // The name of the filter configuration. + string name = 1 [(validate.rules).string = {min_len: 1}]; + + oneof config_type { + // Filter specific configuration which depends on the filter being + // instantiated. See the supported filters for further documentation. + // [#extension-category: envoy.filters.listener,envoy.filters.udp_listener] + google.protobuf.Any typed_config = 3; + + // Configuration source specifier for an extension configuration discovery + // service. In case of a failure and without the default configuration, the + // listener closes the connections. + core.v3.ExtensionConfigSource config_discovery = 5; + } + + // Optional match predicate used to disable the filter. The filter is enabled when this field is empty. + // See :ref:`ListenerFilterChainMatchPredicate ` + // for further examples. + ListenerFilterChainMatchPredicate filter_disabled = 4; +} diff --git a/grpc-xds/proto/third_party/envoy/envoy/config/listener/v3/quic_config.proto b/grpc-xds/proto/third_party/envoy/envoy/config/listener/v3/quic_config.proto new file mode 100644 index 000000000..c208a58f4 --- /dev/null +++ b/grpc-xds/proto/third_party/envoy/envoy/config/listener/v3/quic_config.proto @@ -0,0 +1,108 @@ +syntax = "proto3"; + +package envoy.config.listener.v3; + +import "envoy/config/core/v3/base.proto"; +import "envoy/config/core/v3/extension.proto"; +import "envoy/config/core/v3/protocol.proto"; +import "envoy/config/core/v3/socket_cmsg_headers.proto"; + +import "google/protobuf/duration.proto"; +import "google/protobuf/wrappers.proto"; + +import "xds/annotations/v3/status.proto"; + +import "udpa/annotations/status.proto"; +import "udpa/annotations/versioning.proto"; +import "validate/validate.proto"; + +option java_package = "io.envoyproxy.envoy.config.listener.v3"; +option java_outer_classname = "QuicConfigProto"; +option java_multiple_files = true; +option go_package = "github.com/envoyproxy/go-control-plane/envoy/config/listener/v3;listenerv3"; +option (udpa.annotations.file_status).package_version_status = ACTIVE; + +// [#protodoc-title: QUIC listener config] + +// Configuration specific to the UDP QUIC listener. +// [#next-free-field: 15] +message QuicProtocolOptions { + option (udpa.annotations.versioning).previous_message_type = + "envoy.api.v2.listener.QuicProtocolOptions"; + + core.v3.QuicProtocolOptions quic_protocol_options = 1; + + // Maximum number of milliseconds that connection will be alive when there is + // no network activity. + // + // If it is less than 1ms, Envoy will use 1ms. 300000ms if not specified. + google.protobuf.Duration idle_timeout = 2; + + // Connection timeout in milliseconds before the crypto handshake is finished. + // + // If it is less than 5000ms, Envoy will use 5000ms. 20000ms if not specified. + google.protobuf.Duration crypto_handshake_timeout = 3; + + // Runtime flag that controls whether the listener is enabled or not. If not specified, defaults + // to enabled. + core.v3.RuntimeFeatureFlag enabled = 4; + + // A multiplier to number of connections which is used to determine how many packets to read per + // event loop. A reasonable number should allow the listener to process enough payload but not + // starve TCP and other UDP sockets and also prevent long event loop duration. + // The default value is 32. This means if there are N QUIC connections, the total number of + // packets to read in each read event will be 32 * N. + // The actual number of packets to read in total by the UDP listener is also + // bound by 6000, regardless of this field or how many connections there are. + google.protobuf.UInt32Value packets_to_read_to_connection_count_ratio = 5 + [(validate.rules).uint32 = {gte: 1}]; + + // Configure which implementation of ``quic::QuicCryptoClientStreamBase`` to be used for this listener. + // If not specified the :ref:`QUICHE default one configured by ` will be used. + // [#extension-category: envoy.quic.server.crypto_stream] + core.v3.TypedExtensionConfig crypto_stream_config = 6; + + // Configure which implementation of ``quic::ProofSource`` to be used for this listener. + // If not specified the :ref:`default one configured by ` will be used. + // [#extension-category: envoy.quic.proof_source] + core.v3.TypedExtensionConfig proof_source_config = 7; + + // Config which implementation of ``quic::ConnectionIdGeneratorInterface`` to be used for this listener. + // If not specified the :ref:`default one configured by ` will be used. + // [#extension-category: envoy.quic.connection_id_generator] + core.v3.TypedExtensionConfig connection_id_generator_config = 8; + + // Configure the server's preferred address to advertise so that client can migrate to it. See :ref:`example ` which configures a pair of v4 and v6 preferred addresses. + // The current QUICHE implementation will advertise only one of the preferred IPv4 and IPv6 addresses based on the address family the client initially connects with. + // If not specified, Envoy will not advertise any server's preferred address. + // [#extension-category: envoy.quic.server_preferred_address] + core.v3.TypedExtensionConfig server_preferred_address_config = 9 + [(xds.annotations.v3.field_status).work_in_progress = true]; + + // Configure the server to send transport parameter `disable_active_migration `_. + // Defaults to false (do not send this transport parameter). + google.protobuf.BoolValue send_disable_active_migration = 10; + + // Configure which implementation of ``quic::QuicConnectionDebugVisitor`` to be used for this listener. + // If not specified, no debug visitor will be attached to connections. + // [#extension-category: envoy.quic.connection_debug_visitor] + core.v3.TypedExtensionConfig connection_debug_visitor_config = 11; + + // Configure a type of UDP cmsg to pass to listener filters via QuicReceivedPacket. + // Both level and type must be specified for cmsg to be saved. + // Cmsg may be truncated or omitted if expected size is not set. + // If not specified, no cmsg will be saved to QuicReceivedPacket. + repeated core.v3.SocketCmsgHeaders save_cmsg_config = 12 + [(validate.rules).repeated = {max_items: 1}]; + + // If true, the listener will reject connection-establishing packets at the + // QUIC layer by replying with an empty version negotiation packet to the + // client. + bool reject_new_connections = 13; + + // Maximum number of QUIC sessions to create per event loop. + // If not specified, the default value is 16. + // This is an equivalent of the TCP listener option + // max_connections_to_accept_per_socket_event. + google.protobuf.UInt32Value max_sessions_per_event_loop = 14 [(validate.rules).uint32 = {gt: 0}]; +} diff --git a/grpc-xds/proto/third_party/envoy/envoy/config/listener/v3/udp_listener_config.proto b/grpc-xds/proto/third_party/envoy/envoy/config/listener/v3/udp_listener_config.proto new file mode 100644 index 000000000..4e619b1f7 --- /dev/null +++ b/grpc-xds/proto/third_party/envoy/envoy/config/listener/v3/udp_listener_config.proto @@ -0,0 +1,52 @@ +syntax = "proto3"; + +package envoy.config.listener.v3; + +import "envoy/config/core/v3/extension.proto"; +import "envoy/config/core/v3/udp_socket_config.proto"; +import "envoy/config/listener/v3/quic_config.proto"; + +import "udpa/annotations/status.proto"; +import "udpa/annotations/versioning.proto"; + +option java_package = "io.envoyproxy.envoy.config.listener.v3"; +option java_outer_classname = "UdpListenerConfigProto"; +option java_multiple_files = true; +option go_package = "github.com/envoyproxy/go-control-plane/envoy/config/listener/v3;listenerv3"; +option (udpa.annotations.file_status).package_version_status = ACTIVE; + +// [#protodoc-title: UDP listener config] +// Listener :ref:`configuration overview ` + +// [#next-free-field: 9] +message UdpListenerConfig { + option (udpa.annotations.versioning).previous_message_type = + "envoy.api.v2.listener.UdpListenerConfig"; + + reserved 1, 2, 3, 4, 6; + + reserved "config"; + + // UDP socket configuration for the listener. The default for + // :ref:`prefer_gro ` is false for + // listener sockets. If receiving a large amount of datagrams from a small number of sources, it + // may be worthwhile to enable this option after performance testing. + core.v3.UdpSocketConfig downstream_socket_config = 5; + + // Configuration for QUIC protocol. If empty, QUIC will not be enabled on this listener. Set + // to the default object to enable QUIC without modifying any additional options. + QuicProtocolOptions quic_options = 7; + + // Configuration for the UDP packet writer. If empty, HTTP/3 will use GSO if available + // (:ref:`UdpDefaultWriterFactory `) + // or the default kernel sendmsg if not, + // (:ref:`UdpDefaultWriterFactory `) + // and raw UDP will use kernel sendmsg. + // [#extension-category: envoy.udp_packet_writer] + core.v3.TypedExtensionConfig udp_packet_packet_writer_config = 8; +} + +message ActiveRawUdpListenerConfig { + option (udpa.annotations.versioning).previous_message_type = + "envoy.api.v2.listener.ActiveRawUdpListenerConfig"; +} diff --git a/grpc-xds/proto/third_party/envoy/envoy/config/metrics/v3/stats.proto b/grpc-xds/proto/third_party/envoy/envoy/config/metrics/v3/stats.proto new file mode 100644 index 000000000..0fcf36c1c --- /dev/null +++ b/grpc-xds/proto/third_party/envoy/envoy/config/metrics/v3/stats.proto @@ -0,0 +1,411 @@ +syntax = "proto3"; + +package envoy.config.metrics.v3; + +import "envoy/config/core/v3/address.proto"; +import "envoy/type/matcher/v3/string.proto"; + +import "google/protobuf/any.proto"; +import "google/protobuf/wrappers.proto"; + +import "udpa/annotations/status.proto"; +import "udpa/annotations/versioning.proto"; +import "validate/validate.proto"; + +option java_package = "io.envoyproxy.envoy.config.metrics.v3"; +option java_outer_classname = "StatsProto"; +option java_multiple_files = true; +option go_package = "github.com/envoyproxy/go-control-plane/envoy/config/metrics/v3;metricsv3"; +option (udpa.annotations.file_status).package_version_status = ACTIVE; + +// [#protodoc-title: Stats] +// Statistics :ref:`architecture overview `. + +// Configuration for pluggable stats sinks. +message StatsSink { + option (udpa.annotations.versioning).previous_message_type = "envoy.config.metrics.v2.StatsSink"; + + reserved 2; + + reserved "config"; + + // The name of the stats sink to instantiate. The name must match a supported + // stats sink. + // See the :ref:`extensions listed in typed_config below ` for the default list of available stats sink. + // Sinks optionally support tagged/multiple dimensional metrics. + string name = 1; + + // Stats sink specific configuration which depends on the sink being instantiated. See + // :ref:`StatsdSink ` for an example. + // [#extension-category: envoy.stats_sinks] + oneof config_type { + google.protobuf.Any typed_config = 3; + } +} + +// Statistics configuration such as tagging. +message StatsConfig { + option (udpa.annotations.versioning).previous_message_type = + "envoy.config.metrics.v2.StatsConfig"; + + // Each stat name is independently processed through these tag specifiers. When a tag is + // matched, the first capture group is not immediately removed from the name, so later + // :ref:`TagSpecifiers ` can also match that + // same portion of the match. After all tag matching is complete, a tag-extracted version of + // the name is produced and is used in stats sinks that represent tags, such as Prometheus. + repeated TagSpecifier stats_tags = 1; + + // Use all default tag regexes specified in Envoy. These can be combined with + // custom tags specified in :ref:`stats_tags + // `. They will be processed before + // the custom tags. + // + // See :repo:`well_known_names.h ` for a list of the + // default tags in Envoy. + // + // If not provided, the value is assumed to be true. + google.protobuf.BoolValue use_all_default_tags = 2; + + // Inclusion/exclusion matcher for stat name creation. If not provided, all stats are instantiated + // as normal. Preventing the instantiation of certain families of stats can improve memory + // performance for Envoys running especially large configs. + // + // .. warning:: + // Excluding stats may affect Envoy's behavior in undocumented ways. See + // `issue #8771 `_ for more information. + // If any unexpected behavior changes are observed, please open a new issue immediately. + StatsMatcher stats_matcher = 3; + + // Defines rules for setting the histogram buckets. Rules are evaluated in order, and the first + // match is applied. If no match is found (or if no rules are set), the following default buckets + // are used: + // + // .. code-block:: json + // + // [ + // 0.5, + // 1, + // 5, + // 10, + // 25, + // 50, + // 100, + // 250, + // 500, + // 1000, + // 2500, + // 5000, + // 10000, + // 30000, + // 60000, + // 300000, + // 600000, + // 1800000, + // 3600000 + // ] + repeated HistogramBucketSettings histogram_bucket_settings = 4; +} + +// Configuration for disabling stat instantiation. +message StatsMatcher { + // The instantiation of stats is unrestricted by default. If the goal is to configure Envoy to + // instantiate all stats, there is no need to construct a StatsMatcher. + // + // However, StatsMatcher can be used to limit the creation of families of stats in order to + // conserve memory. Stats can either be disabled entirely, or they can be + // limited by either an exclusion or an inclusion list of :ref:`StringMatcher + // ` protos: + // + // * If ``reject_all`` is set to ``true``, no stats will be instantiated. If ``reject_all`` is set to + // ``false``, all stats will be instantiated. + // + // * If an exclusion list is supplied, any stat name matching *any* of the StringMatchers in the + // list will not instantiate. + // + // * If an inclusion list is supplied, no stats will instantiate, except those matching *any* of + // the StringMatchers in the list. + // + // + // A StringMatcher can be used to match against an exact string, a suffix / prefix, or a regex. + // **NB:** For performance reasons, it is highly recommended to use a prefix- or suffix-based + // matcher rather than a regex-based matcher. + // + // Example 1. Excluding all stats. + // + // .. code-block:: json + // + // { + // "statsMatcher": { + // "rejectAll": "true" + // } + // } + // + // Example 2. Excluding all cluster-specific stats, but not cluster-manager stats: + // + // .. code-block:: json + // + // { + // "statsMatcher": { + // "exclusionList": { + // "patterns": [ + // { + // "prefix": "cluster." + // } + // ] + // } + // } + // } + // + // Example 3. Including only manager-related stats: + // + // .. code-block:: json + // + // { + // "statsMatcher": { + // "inclusionList": { + // "patterns": [ + // { + // "prefix": "cluster_manager." + // }, + // { + // "prefix": "listener_manager." + // } + // ] + // } + // } + // } + // + + option (udpa.annotations.versioning).previous_message_type = + "envoy.config.metrics.v2.StatsMatcher"; + + oneof stats_matcher { + option (validate.required) = true; + + // If ``reject_all`` is true, then all stats are disabled. If ``reject_all`` is false, then all + // stats are enabled. + bool reject_all = 1; + + // Exclusive match. All stats are enabled except for those matching one of the supplied + // StringMatcher protos. + type.matcher.v3.ListStringMatcher exclusion_list = 2; + + // Inclusive match. No stats are enabled except for those matching one of the supplied + // StringMatcher protos. + type.matcher.v3.ListStringMatcher inclusion_list = 3; + } +} + +// Designates a tag name and value pair. The value may be either a fixed value +// or a regex providing the value via capture groups. The specified tag will be +// unconditionally set if a fixed value, otherwise it will only be set if one +// or more capture groups in the regex match. +message TagSpecifier { + option (udpa.annotations.versioning).previous_message_type = + "envoy.config.metrics.v2.TagSpecifier"; + + // Attaches an identifier to the tag values to identify the tag being in the + // sink. Envoy has a set of default names and regexes to extract dynamic + // portions of existing stats, which can be found in :repo:`well_known_names.h + // ` in the Envoy repository. If a :ref:`tag_name + // ` is provided in the config and + // neither :ref:`regex ` or + // :ref:`fixed_value ` were specified, + // Envoy will attempt to find that name in its set of defaults and use the accompanying regex. + // + // .. note:: + // + // A stat name may be spelled in such a way that it matches two different + // tag extractors for the same tag name. In that case, all but one of the + // tag values will be dropped. It is not specified which tag value will be + // retained. The extraction will only occur for one of the extractors, and + // only the matched extraction will be removed from the tag name. + string tag_name = 1; + + oneof tag_value { + // Designates a tag to strip from the tag extracted name and provide as a named + // tag value for all statistics. This will only occur if any part of the name + // matches the regex provided with one or more capture groups. + // + // The first capture group identifies the portion of the name to remove. The + // second capture group (which will normally be nested inside the first) will + // designate the value of the tag for the statistic. If no second capture + // group is provided, the first will also be used to set the value of the tag. + // All other capture groups will be ignored. + // + // Example 1. a stat name ``cluster.foo_cluster.upstream_rq_timeout`` and + // one tag specifier: + // + // .. code-block:: json + // + // { + // "tag_name": "envoy.cluster_name", + // "regex": "^cluster\\.((.+?)\\.)" + // } + // + // Note that the regex will remove ``foo_cluster.`` making the tag extracted + // name ``cluster.upstream_rq_timeout`` and the tag value for + // ``envoy.cluster_name`` will be ``foo_cluster`` (note: there will be no + // ``.`` character because of the second capture group). + // + // Example 2. a stat name + // ``http.connection_manager_1.user_agent.ios.downstream_cx_total`` and two + // tag specifiers: + // + // .. code-block:: json + // + // [ + // { + // "tag_name": "envoy.http_user_agent", + // "regex": "^http(?=\\.).*?\\.user_agent\\.((.+?)\\.)\\w+?$" + // }, + // { + // "tag_name": "envoy.http_conn_manager_prefix", + // "regex": "^http\\.((.*?)\\.)" + // } + // ] + // + // The two regexes of the specifiers will be processed from the elaborated + // stat name. + // + // The first regex will save ``ios.`` as the tag value for ``envoy.http_user_agent``. It will + // leave it in the name for potential matching with additional tag specifiers. After all tag + // specifiers are processed the tags will be removed from the name. + // + // The second regex will populate tag ``envoy.http_conn_manager_prefix`` with value + // ``connection_manager_1.``, based on the original stat name. + // + // As a final step, the matched tags are removed, leaving + // ``http.user_agent.downstream_cx_total`` as the tag extracted name. + string regex = 2 [(validate.rules).string = {max_bytes: 1024}]; + + // Specifies a fixed tag value for the ``tag_name``. + string fixed_value = 3; + } +} + +// Specifies a matcher for stats and the buckets that matching stats should use. +message HistogramBucketSettings { + // The stats that this rule applies to. The match is applied to the original stat name + // before tag-extraction, for example ``cluster.exampleclustername.upstream_cx_length_ms``. + type.matcher.v3.StringMatcher match = 1 [(validate.rules).message = {required: true}]; + + // Each value is the upper bound of a bucket. Each bucket must be greater than 0 and unique. + // The order of the buckets does not matter. + repeated double buckets = 2 [(validate.rules).repeated = { + unique: true + items {double {gt: 0.0}} + }]; + + // Initial number of bins for the ``circllhist`` thread local histogram per time series. Default value is 100. + google.protobuf.UInt32Value bins = 3 [(validate.rules).uint32 = {lte: 46082 gt: 0}]; +} + +// Stats configuration proto schema for built-in ``envoy.stat_sinks.statsd`` sink. This sink does not support +// tagged metrics. +// [#extension: envoy.stat_sinks.statsd] +message StatsdSink { + option (udpa.annotations.versioning).previous_message_type = "envoy.config.metrics.v2.StatsdSink"; + + oneof statsd_specifier { + option (validate.required) = true; + + // The UDP address of a running `statsd `_ + // compliant listener. If specified, statistics will be flushed to this + // address. + core.v3.Address address = 1; + + // The name of a cluster that is running a TCP `statsd + // `_ compliant listener. If specified, + // Envoy will connect to this cluster to flush statistics. + string tcp_cluster_name = 2; + } + + // Optional custom prefix for StatsdSink. If + // specified, this will override the default prefix. + // For example: + // + // .. code-block:: json + // + // { + // "prefix" : "envoy-prod" + // } + // + // will change emitted stats to + // + // .. code-block:: cpp + // + // envoy-prod.test_counter:1|c + // envoy-prod.test_timer:5|ms + // + // Note that the default prefix, "envoy", will be used if a prefix is not + // specified. + // + // Stats with default prefix: + // + // .. code-block:: cpp + // + // envoy.test_counter:1|c + // envoy.test_timer:5|ms + string prefix = 3; +} + +// Stats configuration proto schema for built-in ``envoy.stat_sinks.dog_statsd`` sink. +// The sink emits stats with `DogStatsD `_ +// compatible tags. Tags are configurable via :ref:`StatsConfig +// `. +// [#extension: envoy.stat_sinks.dog_statsd] +message DogStatsdSink { + option (udpa.annotations.versioning).previous_message_type = + "envoy.config.metrics.v2.DogStatsdSink"; + + reserved 2; + + oneof dog_statsd_specifier { + option (validate.required) = true; + + // The UDP address of a running DogStatsD compliant listener. If specified, + // statistics will be flushed to this address. + core.v3.Address address = 1; + } + + // Optional custom metric name prefix. See :ref:`StatsdSink's prefix field + // ` for more details. + string prefix = 3; + + // Optional max datagram size to use when sending UDP messages. By default Envoy + // will emit one metric per datagram. By specifying a max-size larger than a single + // metric, Envoy will emit multiple, new-line separated metrics. The max datagram + // size should not exceed your network's MTU. + // + // Note that this value may not be respected if smaller than a single metric. + google.protobuf.UInt64Value max_bytes_per_datagram = 4 [(validate.rules).uint64 = {gt: 0}]; +} + +// Stats configuration proto schema for built-in ``envoy.stat_sinks.hystrix`` sink. +// The sink emits stats in `text/event-stream +// `_ +// formatted stream for use by `Hystrix dashboard +// `_. +// +// Note that only a single HystrixSink should be configured. +// +// Streaming is started through an admin endpoint :http:get:`/hystrix_event_stream`. +// [#extension: envoy.stat_sinks.hystrix] +message HystrixSink { + option (udpa.annotations.versioning).previous_message_type = + "envoy.config.metrics.v2.HystrixSink"; + + // The number of buckets the rolling statistical window is divided into. + // + // Each time the sink is flushed, all relevant Envoy statistics are sampled and + // added to the rolling window (removing the oldest samples in the window + // in the process). The sink then outputs the aggregate statistics across the + // current rolling window to the event stream(s). + // + // ``rolling_window(ms)`` = ``stats_flush_interval(ms)`` * ``num_of_buckets`` + // + // More detailed explanation can be found in `Hystrix wiki + // `_. + int64 num_buckets = 1; +} diff --git a/grpc-xds/proto/third_party/envoy/envoy/config/overload/v3/overload.proto b/grpc-xds/proto/third_party/envoy/envoy/config/overload/v3/overload.proto new file mode 100644 index 000000000..b5bc2c4d8 --- /dev/null +++ b/grpc-xds/proto/third_party/envoy/envoy/config/overload/v3/overload.proto @@ -0,0 +1,227 @@ +syntax = "proto3"; + +package envoy.config.overload.v3; + +import "envoy/type/v3/percent.proto"; + +import "google/protobuf/any.proto"; +import "google/protobuf/duration.proto"; + +import "udpa/annotations/status.proto"; +import "udpa/annotations/versioning.proto"; +import "validate/validate.proto"; + +option java_package = "io.envoyproxy.envoy.config.overload.v3"; +option java_outer_classname = "OverloadProto"; +option java_multiple_files = true; +option go_package = "github.com/envoyproxy/go-control-plane/envoy/config/overload/v3;overloadv3"; +option (udpa.annotations.file_status).package_version_status = ACTIVE; + +// [#protodoc-title: Overload Manager] + +// The Overload Manager provides an extensible framework to protect Envoy instances +// from overload of various resources (memory, cpu, file descriptors, etc). +// It monitors a configurable set of resources and notifies registered listeners +// when triggers related to those resources fire. + +message ResourceMonitor { + option (udpa.annotations.versioning).previous_message_type = + "envoy.config.overload.v2alpha.ResourceMonitor"; + + reserved 2; + + reserved "config"; + + // The name of the resource monitor to instantiate. Must match a registered + // resource monitor type. + // See the :ref:`extensions listed in typed_config below ` for the default list of available resource monitor. + string name = 1 [(validate.rules).string = {min_len: 1}]; + + // Configuration for the resource monitor being instantiated. + // [#extension-category: envoy.resource_monitors] + oneof config_type { + google.protobuf.Any typed_config = 3; + } +} + +message ThresholdTrigger { + option (udpa.annotations.versioning).previous_message_type = + "envoy.config.overload.v2alpha.ThresholdTrigger"; + + // If the resource pressure is greater than or equal to this value, the trigger + // will enter saturation. + double value = 1 [(validate.rules).double = {lte: 1.0 gte: 0.0}]; +} + +message ScaledTrigger { + // If the resource pressure is greater than this value, the trigger will be in the + // :ref:`scaling ` state with value + // ``(pressure - scaling_threshold) / (saturation_threshold - scaling_threshold)``. + double scaling_threshold = 1 [(validate.rules).double = {lte: 1.0 gte: 0.0}]; + + // If the resource pressure is greater than this value, the trigger will enter saturation. + double saturation_threshold = 2 [(validate.rules).double = {lte: 1.0 gte: 0.0}]; +} + +message Trigger { + option (udpa.annotations.versioning).previous_message_type = + "envoy.config.overload.v2alpha.Trigger"; + + // The name of the resource this is a trigger for. + string name = 1 [(validate.rules).string = {min_len: 1}]; + + oneof trigger_oneof { + option (validate.required) = true; + + ThresholdTrigger threshold = 2; + + ScaledTrigger scaled = 3; + } +} + +// Typed configuration for the "envoy.overload_actions.reduce_timeouts" action. See +// :ref:`the docs ` for an example of how to configure +// the action with different timeouts and minimum values. +message ScaleTimersOverloadActionConfig { + enum TimerType { + // Unsupported value; users must explicitly specify the timer they want scaled. + UNSPECIFIED = 0; + + // Adjusts the idle timer for downstream HTTP connections that takes effect when there are no active streams. + // This affects the value of :ref:`HttpConnectionManager.common_http_protocol_options.idle_timeout + // ` + HTTP_DOWNSTREAM_CONNECTION_IDLE = 1; + + // Adjusts the idle timer for HTTP streams initiated by downstream clients. + // This affects the value of :ref:`RouteAction.idle_timeout ` and + // :ref:`HttpConnectionManager.stream_idle_timeout + // ` + HTTP_DOWNSTREAM_STREAM_IDLE = 2; + + // Adjusts the timer for how long downstream clients have to finish transport-level negotiations + // before the connection is closed. + // This affects the value of + // :ref:`FilterChain.transport_socket_connect_timeout `. + TRANSPORT_SOCKET_CONNECT = 3; + + // Adjusts the max connection duration timer for downstream HTTP connections. + // This affects the value of + // :ref:`HttpConnectionManager.common_http_protocol_options.max_connection_duration + // `. + HTTP_DOWNSTREAM_CONNECTION_MAX = 4; + + // Adjusts the timeout for the downstream codec to flush an ended stream. + // This affects the value of :ref:`RouteAction.flush_timeout + // ` and + // :ref:`HttpConnectionManager.stream_flush_timeout + // ` + HTTP_DOWNSTREAM_STREAM_FLUSH = 5; + } + + message ScaleTimer { + // The type of timer this minimum applies to. + TimerType timer = 1 [(validate.rules).enum = {defined_only: true not_in: 0}]; + + oneof overload_adjust { + option (validate.required) = true; + + // Sets the minimum duration as an absolute value. + google.protobuf.Duration min_timeout = 2; + + // Sets the minimum duration as a percentage of the maximum value. + type.v3.Percent min_scale = 3; + } + } + + // A set of timer scaling rules to be applied. + repeated ScaleTimer timer_scale_factors = 1 [(validate.rules).repeated = {min_items: 1}]; +} + +message OverloadAction { + option (udpa.annotations.versioning).previous_message_type = + "envoy.config.overload.v2alpha.OverloadAction"; + + // The name of the overload action. This is just a well-known string that + // listeners can use for registering callbacks. + // Valid known overload actions include: + // - envoy.overload_actions.stop_accepting_requests + // - envoy.overload_actions.disable_http_keepalive + // - envoy.overload_actions.stop_accepting_connections + // - envoy.overload_actions.reject_incoming_connections + // - envoy.overload_actions.shrink_heap + // - envoy.overload_actions.reduce_timeouts + // - envoy.overload_actions.reset_high_memory_stream + string name = 1 [(validate.rules).string = {min_len: 1}]; + + // A set of triggers for this action. The state of the action is the maximum + // state of all triggers, which can be scalar values between 0 and 1 or + // saturated. Listeners are notified when the overload action changes state. + // An overload manager action can only have one trigger for a given resource + // e.g. :ref:`Trigger.name + // ` must be unique + // in this list. + repeated Trigger triggers = 2 [(validate.rules).repeated = {min_items: 1}]; + + // Configuration for the action being instantiated if applicable. + google.protobuf.Any typed_config = 3; +} + +// A point within the connection or request lifecycle that provides context on +// whether to shed load at that given stage for the current entity at the +// point. +message LoadShedPoint { + // This is just a well-known string for the LoadShedPoint. + // Deployment specific LoadShedPoints e.g. within a custom extension should + // be prefixed by the company / deployment name to avoid colliding with any + // open source LoadShedPoints. + string name = 1 [(validate.rules).string = {min_len: 1}]; + + // A set of triggers for this LoadShedPoint. The LoadShedPoint will use the + // the maximum state of all triggers, which can be scalar values between 0 and + // 1 or saturated. A LoadShedPoint can only have one trigger for a given + // resource e.g. :ref:`Trigger.name + // ` must be unique in + // this list. + repeated Trigger triggers = 2 [(validate.rules).repeated = {min_items: 1}]; +} + +// Configuration for which accounts the WatermarkBuffer Factories should +// track. +message BufferFactoryConfig { + // The minimum power of two at which Envoy starts tracking an account. + // + // Envoy has 8 power of two buckets starting with the provided exponent below. + // Concretely the 1st bucket contains accounts for streams that use + // [2^minimum_account_to_track_power_of_two, + // 2^(minimum_account_to_track_power_of_two + 1)) bytes. + // With the 8th bucket tracking accounts + // >= 128 * 2^minimum_account_to_track_power_of_two. + // + // The maximum value is 56, since we're using uint64_t for bytes counting, + // and that's the last value that would use the 8 buckets. In practice, + // we don't expect the proxy to be holding 2^56 bytes. + // + // If omitted, Envoy should not do any tracking. + uint32 minimum_account_to_track_power_of_two = 1 [(validate.rules).uint32 = {lte: 56 gte: 10}]; +} + +// [#next-free-field: 6] +message OverloadManager { + option (udpa.annotations.versioning).previous_message_type = + "envoy.config.overload.v2alpha.OverloadManager"; + + // The interval for refreshing resource usage. + google.protobuf.Duration refresh_interval = 1; + + // The set of resources to monitor. + repeated ResourceMonitor resource_monitors = 2 [(validate.rules).repeated = {min_items: 1}]; + + // The set of overload actions. + repeated OverloadAction actions = 3; + + // The set of load shed points. + repeated LoadShedPoint loadshed_points = 5; + + // Configuration for buffer factory. + BufferFactoryConfig buffer_factory_config = 4; +} diff --git a/grpc-xds/proto/third_party/envoy/envoy/config/rbac/v3/rbac.proto b/grpc-xds/proto/third_party/envoy/envoy/config/rbac/v3/rbac.proto new file mode 100644 index 000000000..ef153ad17 --- /dev/null +++ b/grpc-xds/proto/third_party/envoy/envoy/config/rbac/v3/rbac.proto @@ -0,0 +1,470 @@ +syntax = "proto3"; + +package envoy.config.rbac.v3; + +import "envoy/config/core/v3/address.proto"; +import "envoy/config/core/v3/cel.proto"; +import "envoy/config/core/v3/extension.proto"; +import "envoy/config/route/v3/route_components.proto"; +import "envoy/type/matcher/v3/filter_state.proto"; +import "envoy/type/matcher/v3/metadata.proto"; +import "envoy/type/matcher/v3/path.proto"; +import "envoy/type/matcher/v3/string.proto"; +import "envoy/type/v3/range.proto"; + +import "google/api/expr/v1alpha1/checked.proto"; +import "google/api/expr/v1alpha1/syntax.proto"; + +import "envoy/annotations/deprecation.proto"; +import "udpa/annotations/migrate.proto"; +import "udpa/annotations/status.proto"; +import "udpa/annotations/versioning.proto"; +import "validate/validate.proto"; + +option java_package = "io.envoyproxy.envoy.config.rbac.v3"; +option java_outer_classname = "RbacProto"; +option java_multiple_files = true; +option go_package = "github.com/envoyproxy/go-control-plane/envoy/config/rbac/v3;rbacv3"; +option (udpa.annotations.file_status).package_version_status = ACTIVE; + +// [#protodoc-title: Role Based Access Control (RBAC)] + +enum MetadataSource { + // Query :ref:`dynamic metadata ` + DYNAMIC = 0; + + // Query :ref:`route metadata ` + ROUTE = 1; +} + +// Role Based Access Control (RBAC) provides service-level and method-level access control for a +// service. Requests are allowed or denied based on the ``action`` and whether a matching policy is +// found. For instance, if the action is ALLOW and a matching policy is found the request should be +// allowed. +// +// RBAC can also be used to make access logging decisions by communicating with access loggers +// through dynamic metadata. When the action is LOG and at least one policy matches, the +// ``access_log_hint`` value in the shared key namespace 'envoy.common' is set to ``true`` indicating +// the request should be logged. +// +// Here is an example of RBAC configuration. It has two policies: +// +// * Service account ``cluster.local/ns/default/sa/admin`` has full access to the service, and so +// does "cluster.local/ns/default/sa/superuser". +// +// * Any user can read (``GET``) the service at paths with prefix ``/products``, so long as the +// destination port is either 80 or 443. +// +// .. code-block:: yaml +// +// action: ALLOW +// policies: +// "service-admin": +// permissions: +// - any: true +// principals: +// - authenticated: +// principal_name: +// exact: "cluster.local/ns/default/sa/admin" +// - authenticated: +// principal_name: +// exact: "cluster.local/ns/default/sa/superuser" +// "product-viewer": +// permissions: +// - and_rules: +// rules: +// - header: +// name: ":method" +// string_match: +// exact: "GET" +// - url_path: +// path: { prefix: "/products" } +// - or_rules: +// rules: +// - destination_port: 80 +// - destination_port: 443 +// principals: +// - any: true +// +message RBAC { + option (udpa.annotations.versioning).previous_message_type = "envoy.config.rbac.v2.RBAC"; + + // Should we do safe-list or block-list style access control? + enum Action { + // The policies grant access to principals. The rest are denied. This is safe-list style + // access control. This is the default type. + ALLOW = 0; + + // The policies deny access to principals. The rest are allowed. This is block-list style + // access control. + DENY = 1; + + // The policies set the ``access_log_hint`` dynamic metadata key based on if requests match. + // All requests are allowed. + LOG = 2; + } + + message AuditLoggingOptions { + // Deny and allow here refer to RBAC decisions, not actions. + enum AuditCondition { + // Never audit. + NONE = 0; + + // Audit when RBAC denies the request. + ON_DENY = 1; + + // Audit when RBAC allows the request. + ON_ALLOW = 2; + + // Audit whether RBAC allows or denies the request. + ON_DENY_AND_ALLOW = 3; + } + + // [#not-implemented-hide:] + message AuditLoggerConfig { + // Typed logger configuration. + // + // [#extension-category: envoy.rbac.audit_loggers] + core.v3.TypedExtensionConfig audit_logger = 1; + + // If true, when the logger is not supported, the data plane will not NACK but simply ignore it. + bool is_optional = 2; + } + + // Condition for the audit logging to happen. + // If this condition is met, all the audit loggers configured here will be invoked. + // + // [#not-implemented-hide:] + AuditCondition audit_condition = 1 [(validate.rules).enum = {defined_only: true}]; + + // Configurations for RBAC-based authorization audit loggers. + // + // [#not-implemented-hide:] + repeated AuditLoggerConfig logger_configs = 2; + } + + // The action to take if a policy matches. Every action either allows or denies a request, + // and can also carry out action-specific operations. + // + // Actions: + // + // * ``ALLOW``: Allows the request if and only if there is a policy that matches + // the request. + // * ``DENY``: Allows the request if and only if there are no policies that + // match the request. + // * ``LOG``: Allows all requests. If at least one policy matches, the dynamic + // metadata key ``access_log_hint`` is set to the value ``true`` under the shared + // key namespace ``envoy.common``. If no policies match, it is set to ``false``. + // Other actions do not modify this key. + // + Action action = 1 [(validate.rules).enum = {defined_only: true}]; + + // Maps from policy name to policy. A match occurs when at least one policy matches the request. + // The policies are evaluated in lexicographic order of the policy name. + map policies = 2; + + // Audit logging options that include the condition for audit logging to happen + // and audit logger configurations. + // + // [#not-implemented-hide:] + AuditLoggingOptions audit_logging_options = 3; +} + +// Policy specifies a role and the principals that are assigned/denied the role. +// A policy matches if and only if at least one of its permissions match the +// action taking place AND at least one of its principals match the downstream +// AND the condition is true if specified. +// [#next-free-field: 6] +message Policy { + option (udpa.annotations.versioning).previous_message_type = "envoy.config.rbac.v2.Policy"; + + // Required. The set of permissions that define a role. Each permission is + // matched with OR semantics. To match all actions for this policy, a single + // Permission with the ``any`` field set to true should be used. + repeated Permission permissions = 1 [(validate.rules).repeated = {min_items: 1}]; + + // Required. The set of principals that are assigned/denied the role based on + // “action”. Each principal is matched with OR semantics. To match all + // downstreams for this policy, a single Principal with the ``any`` field set to + // true should be used. + repeated Principal principals = 2 [(validate.rules).repeated = {min_items: 1}]; + + // An optional symbolic expression specifying an access control + // :ref:`condition `. The condition is combined + // with the permissions and the principals as a clause with AND semantics. + // Only be used when checked_condition is not used. + google.api.expr.v1alpha1.Expr condition = 3 + [(udpa.annotations.field_migrate).oneof_promotion = "expression_specifier"]; + + // [#not-implemented-hide:] + // An optional symbolic expression that has been successfully type checked. + // Only be used when condition is not used. + google.api.expr.v1alpha1.CheckedExpr checked_condition = 4 + [(udpa.annotations.field_migrate).oneof_promotion = "expression_specifier"]; + + // CEL expression configuration that modifies the evaluation behavior of the ``condition`` field. + // If specified, string conversion, concatenation, and manipulation functions may be enabled + // for the CEL expression. See :ref:`CelExpressionConfig ` + // for more details. + core.v3.CelExpressionConfig cel_config = 5; +} + +// SourcedMetadata enables matching against metadata from different sources in the request processing +// pipeline. It extends the base MetadataMatcher functionality by allowing specification of where the +// metadata should be sourced from, rather than only matching against dynamic metadata. +// +// The matcher can be configured to look up metadata from: +// +// * Dynamic metadata: Runtime metadata added by filters during request processing +// * Route metadata: Static metadata configured on the route entry +// +message SourcedMetadata { + // Metadata matcher configuration that defines what metadata to match against. This includes the filter name, + // metadata key path, and expected value. + type.matcher.v3.MetadataMatcher metadata_matcher = 1 + [(validate.rules).message = {required: true}]; + + // Specifies which metadata source should be used for matching. If not set, + // defaults to DYNAMIC (dynamic metadata). Set to ROUTE to match against + // static metadata configured on the route entry. + MetadataSource metadata_source = 2 [(validate.rules).enum = {defined_only: true}]; +} + +// Permission defines an action (or actions) that a principal can take. +// [#next-free-field: 15] +message Permission { + option (udpa.annotations.versioning).previous_message_type = "envoy.config.rbac.v2.Permission"; + + // Used in the ``and_rules`` and ``or_rules`` fields in the ``rule`` oneof. Depending on the context, + // each are applied with the associated behavior. + message Set { + option (udpa.annotations.versioning).previous_message_type = + "envoy.config.rbac.v2.Permission.Set"; + + repeated Permission rules = 1 [(validate.rules).repeated = {min_items: 1}]; + } + + oneof rule { + option (validate.required) = true; + + // A set of rules that all must match in order to define the action. + Set and_rules = 1; + + // A set of rules where at least one must match in order to define the action. + Set or_rules = 2; + + // When any is set, it matches any action. + bool any = 3 [(validate.rules).bool = {const: true}]; + + // A header (or pseudo-header such as ``:path`` or ``:method``) on the incoming HTTP request. Only available + // for HTTP request. + // + // .. note:: + // + // The pseudo-header ``:path`` includes the query and fragment string. Use the ``url_path`` field if you + // want to match the URL path without the query and fragment string. + // + route.v3.HeaderMatcher header = 4; + + // A URL path on the incoming HTTP request. Only available for HTTP. + type.matcher.v3.PathMatcher url_path = 10; + + // A CIDR block that describes the destination IP. + core.v3.CidrRange destination_ip = 5; + + // A port number that describes the destination port connecting to. + uint32 destination_port = 6 [(validate.rules).uint32 = {lte: 65535}]; + + // A port number range that describes a range of destination ports connecting to. + type.v3.Int32Range destination_port_range = 11; + + // Metadata that describes additional information about the action. This field is deprecated; please use + // :ref:`sourced_metadata` instead. + type.matcher.v3.MetadataMatcher metadata = 7 + [deprecated = true, (envoy.annotations.deprecated_at_minor_version) = "3.0"]; + + // Negates matching the provided permission. For instance, if the value of + // ``not_rule`` would match, this permission would not match. Conversely, if + // the value of ``not_rule`` would not match, this permission would match. + Permission not_rule = 8; + + // The request server from the client's connection request. This is typically TLS SNI. + // + // .. attention:: + // + // The behavior of this field may be affected by how Envoy is configured + // as explained below. + // + // * If the :ref:`TLS Inspector ` + // filter is not added, and if a ``FilterChainMatch`` is not defined for + // the :ref:`server name + // `, + // a TLS connection's requested SNI server name will be treated as if it + // wasn't present. + // + // * A :ref:`listener filter ` may + // overwrite a connection's requested server name within Envoy. + // + // Please refer to :ref:`this FAQ entry ` to learn how to setup SNI. + type.matcher.v3.StringMatcher requested_server_name = 9; + + // Extension for configuring custom matchers for RBAC. + // [#extension-category: envoy.rbac.matchers] + core.v3.TypedExtensionConfig matcher = 12; + + // URI template path matching. + // [#extension-category: envoy.path.match] + core.v3.TypedExtensionConfig uri_template = 13; + + // Matches against metadata from either dynamic state or route configuration. Preferred over the + // ``metadata`` field as it provides more flexibility in metadata source selection. + SourcedMetadata sourced_metadata = 14; + } +} + +// Principal defines an identity or a group of identities for a downstream +// subject. +// [#next-free-field: 15] +message Principal { + option (udpa.annotations.versioning).previous_message_type = "envoy.config.rbac.v2.Principal"; + + // Used in the ``and_ids`` and ``or_ids`` fields in the ``identifier`` oneof. + // Depending on the context, each are applied with the associated behavior. + message Set { + option (udpa.annotations.versioning).previous_message_type = + "envoy.config.rbac.v2.Principal.Set"; + + repeated Principal ids = 1 [(validate.rules).repeated = {min_items: 1}]; + } + + // Authentication attributes for a downstream. + // It is recommended to NOT use this type, but instead use + // :ref:`MTlsAuthenticated `, + // configured via :ref:`custom `, + // which should be used for most use cases due to its improved security. + message Authenticated { + option (udpa.annotations.versioning).previous_message_type = + "envoy.config.rbac.v2.Principal.Authenticated"; + + reserved 1; + + // The name of the principal. If set, The URI SAN or DNS SAN in that order + // is used from the certificate, otherwise the subject field is used. If + // unset, it applies to any user that is allowed by the downstream TLS configuration. + // If :ref:`require_client_certificate ` + // is false or :ref:`trust_chain_verification ` + // is set to :ref:`ACCEPT_UNTRUSTED `, + // then no authentication is required. + type.matcher.v3.StringMatcher principal_name = 2; + } + + oneof identifier { + option (validate.required) = true; + + // A set of identifiers that all must match in order to define the downstream. + Set and_ids = 1; + + // A set of identifiers at least one must match in order to define the downstream. + Set or_ids = 2; + + // When any is set, it matches any downstream. + bool any = 3 [(validate.rules).bool = {const: true}]; + + // Authenticated attributes that identify the downstream. + // It is recommended to NOT use this field, but instead use + // :ref:`MTlsAuthenticated `, + // configured via :ref:`custom `, + // which should be used for most use cases due to its improved security. + Authenticated authenticated = 4; + + // A CIDR block that describes the downstream IP. + // This address will honor proxy protocol, but will not honor XFF. + // + // This field is deprecated; either use :ref:`remote_ip + // ` for the same + // behavior, or use + // :ref:`direct_remote_ip `. + core.v3.CidrRange source_ip = 5 + [deprecated = true, (envoy.annotations.deprecated_at_minor_version) = "3.0"]; + + // A CIDR block that describes the downstream remote/origin address. + // + // .. note:: + // + // This is always the physical peer even if the + // :ref:`remote_ip ` is inferred from the + // x-forwarder-for header, the proxy protocol, etc. + // + core.v3.CidrRange direct_remote_ip = 10; + + // A CIDR block that describes the downstream remote/origin address. + // + // .. note:: + // + // This may not be the physical peer and could be different from the :ref:`direct_remote_ip + // `. E.g, if the remote ip is inferred from + // the x-forwarder-for header, the proxy protocol, etc. + // + core.v3.CidrRange remote_ip = 11; + + // A header (or pseudo-header such as ``:path`` or ``:method``) on the incoming HTTP request. Only available + // for HTTP request. + // + // .. note:: + // + // The pseudo-header ``:path`` includes the query and fragment string. Use the ``url_path`` field if you + // want to match the URL path without the query and fragment string. + // + route.v3.HeaderMatcher header = 6; + + // A URL path on the incoming HTTP request. Only available for HTTP. + type.matcher.v3.PathMatcher url_path = 9; + + // Metadata that describes additional information about the principal. This field is deprecated; please use + // :ref:`sourced_metadata` instead. + type.matcher.v3.MetadataMatcher metadata = 7 + [deprecated = true, (envoy.annotations.deprecated_at_minor_version) = "3.0"]; + + // Identifies the principal using a filter state object. + type.matcher.v3.FilterStateMatcher filter_state = 12; + + // Negates matching the provided principal. For instance, if the value of + // ``not_id`` would match, this principal would not match. Conversely, if the + // value of ``not_id`` would not match, this principal would match. + Principal not_id = 8; + + // Matches against metadata from either dynamic state or route configuration. Preferred over the + // ``metadata`` field as it provides more flexibility in metadata source selection. + SourcedMetadata sourced_metadata = 13; + + // Extension for configuring custom principals for RBAC. + // [#extension-category: envoy.rbac.principals] + core.v3.TypedExtensionConfig custom = 14; + } +} + +// Action defines the result of allowance or denial when a request matches the matcher. +message Action { + // The name indicates the policy name. + string name = 1 [(validate.rules).string = {min_len: 1}]; + + // The action to take if the matcher matches. Every action either allows or denies a request, + // and can also carry out action-specific operations. + // + // **Actions:** + // + // * ``ALLOW``: If the request gets matched on ALLOW, it is permitted. + // * ``DENY``: If the request gets matched on DENY, it is not permitted. + // * ``LOG``: If the request gets matched on LOG, it is permitted. Besides, the + // dynamic metadata key ``access_log_hint`` under the shared key namespace + // ``envoy.common`` will be set to the value ``true``. + // * If the request cannot get matched, it will fallback to ``DENY``. + // + // **Log behavior:** + // + // If the RBAC matcher contains at least one LOG action, the dynamic + // metadata key ``access_log_hint`` will be set based on if the request + // get matched on the LOG action. + // + RBAC.Action action = 2; +} diff --git a/grpc-xds/proto/third_party/envoy/envoy/config/route/v3/route.proto b/grpc-xds/proto/third_party/envoy/envoy/config/route/v3/route.proto new file mode 100644 index 000000000..5bd909f34 --- /dev/null +++ b/grpc-xds/proto/third_party/envoy/envoy/config/route/v3/route.proto @@ -0,0 +1,172 @@ +syntax = "proto3"; + +package envoy.config.route.v3; + +import "envoy/config/core/v3/base.proto"; +import "envoy/config/core/v3/config_source.proto"; +import "envoy/config/route/v3/route_components.proto"; + +import "google/protobuf/any.proto"; +import "google/protobuf/wrappers.proto"; + +import "udpa/annotations/status.proto"; +import "udpa/annotations/versioning.proto"; +import "validate/validate.proto"; + +option java_package = "io.envoyproxy.envoy.config.route.v3"; +option java_outer_classname = "RouteProto"; +option java_multiple_files = true; +option go_package = "github.com/envoyproxy/go-control-plane/envoy/config/route/v3;routev3"; +option (udpa.annotations.file_status).package_version_status = ACTIVE; + +// [#protodoc-title: HTTP route configuration] +// * Routing :ref:`architecture overview ` +// * HTTP :ref:`router filter ` + +// [#next-free-field: 19] +message RouteConfiguration { + option (udpa.annotations.versioning).previous_message_type = "envoy.api.v2.RouteConfiguration"; + + // The name of the route configuration. For example, it might match + // :ref:`route_config_name + // ` in + // :ref:`envoy_v3_api_msg_extensions.filters.network.http_connection_manager.v3.Rds`. + string name = 1; + + // An array of virtual hosts that make up the route table. + repeated VirtualHost virtual_hosts = 2; + + // An array of virtual hosts will be dynamically loaded via the VHDS API. + // Both ``virtual_hosts`` and ``vhds`` fields will be used when present. ``virtual_hosts`` can be used + // for a base routing table or for infrequently changing virtual hosts. ``vhds`` is used for + // on-demand discovery of virtual hosts. The contents of these two fields will be merged to + // generate a routing table for a given RouteConfiguration, with ``vhds`` derived configuration + // taking precedence. + Vhds vhds = 9; + + // Optionally specifies a list of HTTP headers that the connection manager + // will consider to be internal only. If they are found on external requests they will be cleaned + // prior to filter invocation. See :ref:`config_http_conn_man_headers_x-envoy-internal` for more + // information. + repeated string internal_only_headers = 3 [ + (validate.rules).repeated = {items {string {well_known_regex: HTTP_HEADER_NAME strict: false}}} + ]; + + // Specifies a list of HTTP headers that should be added to each response that + // the connection manager encodes. Headers specified at this level are applied + // after headers from any enclosed :ref:`envoy_v3_api_msg_config.route.v3.VirtualHost` or + // :ref:`envoy_v3_api_msg_config.route.v3.RouteAction`. For more information, including details on + // header value syntax, see the documentation on :ref:`custom request headers + // `. + repeated core.v3.HeaderValueOption response_headers_to_add = 4 + [(validate.rules).repeated = {max_items: 1000}]; + + // Specifies a list of HTTP headers that should be removed from each response + // that the connection manager encodes. + repeated string response_headers_to_remove = 5 [ + (validate.rules).repeated = {items {string {well_known_regex: HTTP_HEADER_NAME strict: false}}} + ]; + + // Specifies a list of HTTP headers that should be added to each request + // routed by the HTTP connection manager. Headers specified at this level are + // applied after headers from any enclosed :ref:`envoy_v3_api_msg_config.route.v3.VirtualHost` or + // :ref:`envoy_v3_api_msg_config.route.v3.RouteAction`. For more information, including details on + // header value syntax, see the documentation on :ref:`custom request headers + // `. + repeated core.v3.HeaderValueOption request_headers_to_add = 6 + [(validate.rules).repeated = {max_items: 1000}]; + + // Specifies a list of HTTP headers that should be removed from each request + // routed by the HTTP connection manager. + repeated string request_headers_to_remove = 8 [ + (validate.rules).repeated = {items {string {well_known_regex: HTTP_HEADER_NAME strict: false}}} + ]; + + // Headers mutations at all levels are evaluated, if specified. By default, the order is from most + // specific (i.e. route entry level) to least specific (i.e. route configuration level). Later header + // mutations may override earlier mutations. + // This order can be reversed by setting this field to true. In other words, most specific level mutation + // is evaluated last. + // + bool most_specific_header_mutations_wins = 10; + + // An optional boolean that specifies whether the clusters that the route + // table refers to will be validated by the cluster manager. If set to true + // and a route refers to a non-existent cluster, the route table will not + // load. If set to false and a route refers to a non-existent cluster, the + // route table will load and the router filter will return a 404 if the route + // is selected at runtime. This setting defaults to true if the route table + // is statically defined via the :ref:`route_config + // ` + // option. This setting default to false if the route table is loaded dynamically via the + // :ref:`rds + // ` + // option. Users may wish to override the default behavior in certain cases (for example when + // using CDS with a static route table). + google.protobuf.BoolValue validate_clusters = 7; + + // The maximum bytes of the response :ref:`direct response body + // ` size. If not specified the default + // is 4096. + // + // .. warning:: + // + // Envoy currently holds the content of :ref:`direct response body + // ` in memory. Be careful setting + // this to be larger than the default 4KB, since the allocated memory for direct response body + // is not subject to data plane buffering controls. + // + google.protobuf.UInt32Value max_direct_response_body_size_bytes = 11; + + // A list of plugins and their configurations which may be used by a + // :ref:`cluster specifier plugin name ` + // within the route. All ``extension.name`` fields in this list must be unique. + repeated ClusterSpecifierPlugin cluster_specifier_plugins = 12; + + // Specify a set of default request mirroring policies which apply to all routes under its virtual hosts. + // Note that policies are not merged, the most specific non-empty one becomes the mirror policies. + repeated RouteAction.RequestMirrorPolicy request_mirror_policies = 13; + + // By default, port in :authority header (if any) is used in host matching. + // With this option enabled, Envoy will ignore the port number in the :authority header (if any) when picking VirtualHost. + // + // .. note:: + // This option will not strip the port number (if any) contained in route config + // :ref:`envoy_v3_api_msg_config.route.v3.VirtualHost`.domains field. + bool ignore_port_in_host_matching = 14; + + // Normally, virtual host matching is done using the :authority (or + // Host: in HTTP < 2) HTTP header. Setting this will instead, use a + // different HTTP header for this purpose. + string vhost_header = 18; + + // Ignore path-parameters in path-matching. + // Before RFC3986, URI were like(RFC1808): :///;?# + // Envoy by default takes ":path" as ";". + // For users who want to only match path on the "" portion, this option should be true. + bool ignore_path_parameters_in_path_matching = 15; + + // This field can be used to provide RouteConfiguration level per filter config. The key should match the + // :ref:`filter config name + // `. + // See :ref:`Http filter route specific config ` + // for details. + // [#comment: An entry's value may be wrapped in a + // :ref:`FilterConfig` + // message to specify additional options.] + map typed_per_filter_config = 16; + + // The metadata field can be used to provide additional information + // about the route configuration. It can be used for configuration, stats, and logging. + // The metadata should go under the filter namespace that will need it. + // For instance, if the metadata is intended for the Router filter, + // the filter name should be specified as ``envoy.filters.http.router``. + core.v3.Metadata metadata = 17; +} + +message Vhds { + option (udpa.annotations.versioning).previous_message_type = "envoy.api.v2.Vhds"; + + // Configuration source specifier for VHDS. + core.v3.ConfigSource config_source = 1 [(validate.rules).message = {required: true}]; +} diff --git a/grpc-xds/proto/third_party/envoy/envoy/config/route/v3/route_components.proto b/grpc-xds/proto/third_party/envoy/envoy/config/route/v3/route_components.proto new file mode 100644 index 000000000..4587ef104 --- /dev/null +++ b/grpc-xds/proto/third_party/envoy/envoy/config/route/v3/route_components.proto @@ -0,0 +1,2918 @@ +syntax = "proto3"; + +package envoy.config.route.v3; + +import "envoy/config/common/mutation_rules/v3/mutation_rules.proto"; +import "envoy/config/core/v3/base.proto"; +import "envoy/config/core/v3/extension.proto"; +import "envoy/config/core/v3/proxy_protocol.proto"; +import "envoy/config/core/v3/substitution_format_string.proto"; +import "envoy/type/matcher/v3/filter_state.proto"; +import "envoy/type/matcher/v3/metadata.proto"; +import "envoy/type/matcher/v3/regex.proto"; +import "envoy/type/matcher/v3/string.proto"; +import "envoy/type/metadata/v3/metadata.proto"; +import "envoy/type/tracing/v3/custom_tag.proto"; +import "envoy/type/v3/percent.proto"; +import "envoy/type/v3/range.proto"; + +import "google/protobuf/any.proto"; +import "google/protobuf/duration.proto"; +import "google/protobuf/wrappers.proto"; + +import "xds/type/matcher/v3/matcher.proto"; + +import "envoy/annotations/deprecation.proto"; +import "udpa/annotations/migrate.proto"; +import "udpa/annotations/status.proto"; +import "udpa/annotations/versioning.proto"; +import "validate/validate.proto"; + +option java_package = "io.envoyproxy.envoy.config.route.v3"; +option java_outer_classname = "RouteComponentsProto"; +option java_multiple_files = true; +option go_package = "github.com/envoyproxy/go-control-plane/envoy/config/route/v3;routev3"; +option (udpa.annotations.file_status).package_version_status = ACTIVE; + +// [#protodoc-title: HTTP route components] +// * Routing :ref:`architecture overview ` +// * HTTP :ref:`router filter ` + +// The top level element in the routing configuration is a virtual host. Each virtual host has +// a logical name as well as a set of domains that get routed to it based on the incoming request's +// host header. This allows a single listener to service multiple top level domain path trees. Once +// a virtual host is selected based on the domain, the routes are processed in order to see which +// upstream cluster to route to or whether to perform a redirect. +// [#next-free-field: 26] +message VirtualHost { + option (udpa.annotations.versioning).previous_message_type = "envoy.api.v2.route.VirtualHost"; + + enum TlsRequirementType { + // No TLS requirement for the virtual host. + NONE = 0; + + // External requests must use TLS. If a request is external and it is not + // using TLS, a 301 redirect will be sent telling the client to use HTTPS. + EXTERNAL_ONLY = 1; + + // All requests must use TLS. If a request is not using TLS, a 301 redirect + // will be sent telling the client to use HTTPS. + ALL = 2; + } + + reserved 9, 12; + + reserved "per_filter_config"; + + // The logical name of the virtual host. This is used when emitting certain + // statistics but is not relevant for routing. + string name = 1 [(validate.rules).string = {min_len: 1}]; + + // A list of domains (host/authority header) that will be matched to this + // virtual host. Wildcard hosts are supported in the suffix or prefix form. + // + // Domain search order: + // 1. Exact domain names: ``www.foo.com``. + // 2. Suffix domain wildcards: ``*.foo.com`` or ``*-bar.foo.com``. + // 3. Prefix domain wildcards: ``foo.*`` or ``foo-*``. + // 4. Special wildcard ``*`` matching any domain. + // + // .. note:: + // + // The wildcard will not match the empty string. + // For example, ``*-bar.foo.com`` will match ``baz-bar.foo.com`` but not ``-bar.foo.com``. + // The longest wildcards match first. + // Only a single virtual host in the entire route configuration can match on ``*``. A domain + // must be unique across all virtual hosts or the config will fail to load. + // + // Domains cannot contain control characters. This is validated by the well_known_regex HTTP_HEADER_VALUE. + repeated string domains = 2 [(validate.rules).repeated = { + min_items: 1 + items {string {well_known_regex: HTTP_HEADER_VALUE strict: false}} + }]; + + // The list of routes that will be matched, in order, for incoming requests. + // The first route that matches will be used. + // Only one of this and ``matcher`` can be specified. + repeated Route routes = 3 [(udpa.annotations.field_migrate).oneof_promotion = "route_selection"]; + + // The match tree to use when resolving route actions for incoming requests. Only one of this and ``routes`` + // can be specified. + xds.type.matcher.v3.Matcher matcher = 21 + [(udpa.annotations.field_migrate).oneof_promotion = "route_selection"]; + + // Specifies the type of TLS enforcement the virtual host expects. If this option is not + // specified, there is no TLS requirement for the virtual host. + TlsRequirementType require_tls = 4 [(validate.rules).enum = {defined_only: true}]; + + // A list of virtual clusters defined for this virtual host. Virtual clusters + // are used for additional statistics gathering. + repeated VirtualCluster virtual_clusters = 5; + + // Specifies a set of rate limit configurations that will be applied to the + // virtual host. + repeated RateLimit rate_limits = 6; + + // Specifies a list of HTTP headers that should be added to each request + // handled by this virtual host. Headers specified at this level are applied + // after headers from enclosed :ref:`envoy_v3_api_msg_config.route.v3.Route` and before headers from the + // enclosing :ref:`envoy_v3_api_msg_config.route.v3.RouteConfiguration`. For more information, including + // details on header value syntax, see the documentation on :ref:`custom request headers + // `. + repeated core.v3.HeaderValueOption request_headers_to_add = 7 + [(validate.rules).repeated = {max_items: 1000}]; + + // Specifies a list of HTTP headers that should be removed from each request + // handled by this virtual host. + repeated string request_headers_to_remove = 13 [(validate.rules).repeated = { + items {string {min_len: 1 well_known_regex: HTTP_HEADER_NAME strict: false}} + }]; + + // Specifies a list of HTTP headers that should be added to each response + // handled by this virtual host. Headers specified at this level are applied + // after headers from enclosed :ref:`envoy_v3_api_msg_config.route.v3.Route` and before headers from the + // enclosing :ref:`envoy_v3_api_msg_config.route.v3.RouteConfiguration`. For more information, including + // details on header value syntax, see the documentation on :ref:`custom request headers + // `. + repeated core.v3.HeaderValueOption response_headers_to_add = 10 + [(validate.rules).repeated = {max_items: 1000}]; + + // Specifies a list of HTTP headers that should be removed from each response + // handled by this virtual host. + repeated string response_headers_to_remove = 11 [(validate.rules).repeated = { + items {string {min_len: 1 well_known_regex: HTTP_HEADER_NAME strict: false}} + }]; + + // Indicates that the virtual host has a CORS policy. This field is ignored if related cors policy is + // found in the + // :ref:`VirtualHost.typed_per_filter_config`. + // + // .. attention:: + // + // This option has been deprecated. Please use + // :ref:`VirtualHost.typed_per_filter_config` + // to configure the CORS HTTP filter. + CorsPolicy cors = 8 [deprecated = true, (envoy.annotations.deprecated_at_minor_version) = "3.0"]; + + // This field can be used to provide virtual host level per filter config. The key should match the + // :ref:`filter config name + // `. + // See :ref:`HTTP filter route-specific config ` + // for details. + // [#comment: An entry's value may be wrapped in a + // :ref:`FilterConfig` + // message to specify additional options.] + map typed_per_filter_config = 15; + + // Decides whether the :ref:`x-envoy-attempt-count + // ` header should be included + // in the upstream request. Setting this option will cause it to override any existing header + // value, so in the case of two Envoys on the request path with this option enabled, the upstream + // will see the attempt count as perceived by the second Envoy. + // + // Defaults to ``false``. + // + // This header is unaffected by the + // :ref:`suppress_envoy_headers + // ` flag. + // + // [#next-major-version: rename to include_attempt_count_in_request.] + bool include_request_attempt_count = 14; + + // Decides whether the :ref:`x-envoy-attempt-count + // ` header should be included + // in the downstream response. Setting this option will cause the router to override any existing header + // value, so in the case of two Envoys on the request path with this option enabled, the downstream + // will see the attempt count as perceived by the Envoy closest upstream from itself. + // + // Defaults to ``false``. + // + // This header is unaffected by the + // :ref:`suppress_envoy_headers + // ` flag. + bool include_attempt_count_in_response = 19; + + // Indicates the retry policy for all routes in this virtual host. Note that setting a + // route level entry will take precedence over this config and it'll be treated + // independently (e.g., values are not inherited). + RetryPolicy retry_policy = 16; + + // [#not-implemented-hide:] + // Specifies the configuration for retry policy extension. Note that setting a route level entry + // will take precedence over this config and it'll be treated independently (e.g., values are not + // inherited). :ref:`Retry policy ` should not be + // set if this field is used. + google.protobuf.Any retry_policy_typed_config = 20; + + // Indicates the hedge policy for all routes in this virtual host. Note that setting a + // route level entry will take precedence over this config and it'll be treated + // independently (e.g., values are not inherited). + HedgePolicy hedge_policy = 17; + + // Decides whether to include the :ref:`x-envoy-is-timeout-retry ` + // request header in retries initiated by per-try timeouts. + bool include_is_timeout_retry_header = 23; + + // The maximum bytes which will be buffered for retries and shadowing. If set, the bytes actually buffered will be + // the minimum value of this and the listener ``per_connection_buffer_limit_bytes``. + // + // .. attention:: + // + // This field has been deprecated. Please use :ref:`request_body_buffer_limit + // ` instead. + // Only one of ``per_request_buffer_limit_bytes`` and ``request_body_buffer_limit`` could be set. + google.protobuf.UInt32Value per_request_buffer_limit_bytes = 18 + [deprecated = true, (envoy.annotations.deprecated_at_minor_version) = "3.0"]; + + // The maximum bytes which will be buffered for request bodies to support large request body + // buffering beyond the ``per_connection_buffer_limit_bytes``. + // + // This limit is specifically for the request body buffering and allows buffering larger payloads while maintaining + // flow control. + // + // Buffer limit precedence (from highest to lowest priority): + // + // 1. If ``request_body_buffer_limit`` is set, then ``request_body_buffer_limit`` will be used. + // 2. If :ref:`per_request_buffer_limit_bytes ` + // is set but ``request_body_buffer_limit`` is not, then ``min(per_request_buffer_limit_bytes, per_connection_buffer_limit_bytes)`` + // will be used. + // 3. If neither is set, then ``per_connection_buffer_limit_bytes`` will be used. + // + // For flow control chunk sizes, ``min(per_connection_buffer_limit_bytes, 16KB)`` will be used. + // + // Only one of :ref:`per_request_buffer_limit_bytes ` + // and ``request_body_buffer_limit`` could be set. + google.protobuf.UInt64Value request_body_buffer_limit = 25 + [(validate.rules).message = {required: false}]; + + // Specify a set of default request mirroring policies for every route under this virtual host. + // It takes precedence over the route config mirror policy entirely. + // That is, policies are not merged, the most specific non-empty one becomes the mirror policies. + repeated RouteAction.RequestMirrorPolicy request_mirror_policies = 22; + + // The metadata field can be used to provide additional information + // about the virtual host. It can be used for configuration, stats, and logging. + // The metadata should go under the filter namespace that will need it. + // For instance, if the metadata is intended for the Router filter, + // the filter name should be specified as ``envoy.filters.http.router``. + core.v3.Metadata metadata = 24; +} + +// A filter-defined action type. +message FilterAction { + option (udpa.annotations.versioning).previous_message_type = "envoy.api.v2.route.FilterAction"; + + google.protobuf.Any action = 1; +} + +// This can be used in route matcher :ref:`VirtualHost.matcher `. +// When the matcher matches, routes will be matched and run. +message RouteList { + // The list of routes that will be matched and run, in order. The first route that matches will be used. + repeated Route routes = 1; +} + +// A route is both a specification of how to match a request as well as an indication of what to do +// next (e.g., redirect, forward, rewrite, etc.). +// +// .. attention:: +// +// Envoy supports routing on HTTP method via :ref:`header matching +// `. +// [#next-free-field: 21] +message Route { + option (udpa.annotations.versioning).previous_message_type = "envoy.api.v2.route.Route"; + + reserved 6, 8; + + reserved "per_filter_config"; + + // Name for the route. + string name = 14; + + // Route matching parameters. + RouteMatch match = 1 [(validate.rules).message = {required: true}]; + + oneof action { + option (validate.required) = true; + + // Route request to some upstream cluster. + RouteAction route = 2; + + // Return a redirect. + RedirectAction redirect = 3; + + // Return an arbitrary HTTP response directly, without proxying. + DirectResponseAction direct_response = 7; + + // [#not-implemented-hide:] + // A filter-defined action (e.g., it could dynamically generate the RouteAction). + // [#comment: TODO(samflattery): Remove cleanup in route_fuzz_test.cc when + // implemented] + FilterAction filter_action = 17; + + // [#not-implemented-hide:] + // An action used when the route will generate a response directly, + // without forwarding to an upstream host. This will be used in non-proxy + // xDS clients like the gRPC server. It could also be used in the future + // in Envoy for a filter that directly generates responses for requests. + NonForwardingAction non_forwarding_action = 18; + } + + // The Metadata field can be used to provide additional information + // about the route. It can be used for configuration, stats, and logging. + // The metadata should go under the filter namespace that will need it. + // For instance, if the metadata is intended for the Router filter, + // the filter name should be specified as ``envoy.filters.http.router``. + core.v3.Metadata metadata = 4; + + // Decorator for the matched route. + Decorator decorator = 5; + + // This field can be used to provide route specific per filter config. The key should match the + // :ref:`filter config name + // `. + // See :ref:`HTTP filter route-specific config ` + // for details. + // [#comment: An entry's value may be wrapped in a + // :ref:`FilterConfig` + // message to specify additional options.] + map typed_per_filter_config = 13; + + // Specifies a set of headers that will be added to requests matching this + // route. Headers specified at this level are applied before headers from the + // enclosing :ref:`envoy_v3_api_msg_config.route.v3.VirtualHost` and + // :ref:`envoy_v3_api_msg_config.route.v3.RouteConfiguration`. For more information, including details on + // header value syntax, see the documentation on :ref:`custom request headers + // `. + repeated core.v3.HeaderValueOption request_headers_to_add = 9 + [(validate.rules).repeated = {max_items: 1000}]; + + // Specifies a list of HTTP headers that should be removed from each request + // matching this route. + repeated string request_headers_to_remove = 12 [(validate.rules).repeated = { + items {string {min_len: 1 well_known_regex: HTTP_HEADER_NAME strict: false}} + }]; + + // Specifies a set of headers that will be added to responses to requests + // matching this route. Headers specified at this level are applied before + // headers from the enclosing :ref:`envoy_v3_api_msg_config.route.v3.VirtualHost` and + // :ref:`envoy_v3_api_msg_config.route.v3.RouteConfiguration`. For more information, including + // details on header value syntax, see the documentation on + // :ref:`custom request headers `. + repeated core.v3.HeaderValueOption response_headers_to_add = 10 + [(validate.rules).repeated = {max_items: 1000}]; + + // Specifies a list of HTTP headers that should be removed from each response + // to requests matching this route. + repeated string response_headers_to_remove = 11 [(validate.rules).repeated = { + items {string {min_len: 1 well_known_regex: HTTP_HEADER_NAME strict: false}} + }]; + + // Presence of the object defines whether the connection manager's tracing configuration + // is overridden by this route specific instance. + Tracing tracing = 15; + + // The maximum bytes which will be buffered for retries and shadowing. + // If set, the bytes actually buffered will be the minimum value of this and the + // listener per_connection_buffer_limit_bytes. + // + // .. attention:: + // + // This field has been deprecated. Please use :ref:`request_body_buffer_limit + // ` instead. + // Only one of ``per_request_buffer_limit_bytes`` and ``request_body_buffer_limit`` may be set. + google.protobuf.UInt32Value per_request_buffer_limit_bytes = 16 + [deprecated = true, (envoy.annotations.deprecated_at_minor_version) = "3.0"]; + + // The human readable prefix to use when emitting statistics for this endpoint. + // The statistics are rooted at vhost..route.. + // This should be set for highly critical + // endpoints that one wishes to get “per-route” statistics on. + // If not set, endpoint statistics are not generated. + // + // The emitted statistics are the same as those documented for :ref:`virtual clusters `. + // + // .. warning:: + // + // We do not recommend setting up a stat prefix for + // every application endpoint. This is both not easily maintainable and + // statistics use a non-trivial amount of memory (approximately 1KiB per route). + string stat_prefix = 19; + + // The maximum bytes which will be buffered for request bodies to support large request body + // buffering beyond the ``per_connection_buffer_limit_bytes``. + // + // This limit is specifically for the request body buffering and allows buffering larger payloads while maintaining + // flow control. + // + // Buffer limit precedence (from highest to lowest priority): + // + // 1. If ``request_body_buffer_limit`` is set: use ``request_body_buffer_limit`` + // 2. If :ref:`per_request_buffer_limit_bytes ` + // is set but ``request_body_buffer_limit`` is not: use ``min(per_request_buffer_limit_bytes, per_connection_buffer_limit_bytes)`` + // 3. If neither is set: use ``per_connection_buffer_limit_bytes`` + // + // For flow control chunk sizes, use ``min(per_connection_buffer_limit_bytes, 16KB)``. + // + // Only one of :ref:`per_request_buffer_limit_bytes ` + // and ``request_body_buffer_limit`` may be set. + google.protobuf.UInt64Value request_body_buffer_limit = 20; +} + +// Compared to the :ref:`cluster ` field that specifies a +// single upstream cluster as the target of a request, the :ref:`weighted_clusters +// ` option allows for specification of +// multiple upstream clusters along with weights that indicate the percentage of +// traffic to be forwarded to each cluster. The router selects an upstream cluster based on the +// weights. +// [#next-free-field: 6] +message WeightedCluster { + option (udpa.annotations.versioning).previous_message_type = "envoy.api.v2.route.WeightedCluster"; + + // [#next-free-field: 13] + message ClusterWeight { + option (udpa.annotations.versioning).previous_message_type = + "envoy.api.v2.route.WeightedCluster.ClusterWeight"; + + reserved 7, 8; + + reserved "per_filter_config"; + + // Only one of ``name`` and ``cluster_header`` may be specified. + // [#next-major-version: Need to add back the validation rule: (validate.rules).string = {min_len: 1}] + // Name of the upstream cluster. The cluster must exist in the + // :ref:`cluster manager configuration `. + string name = 1 [(udpa.annotations.field_migrate).oneof_promotion = "cluster_specifier"]; + + // Only one of ``name`` and ``cluster_header`` may be specified. + // [#next-major-version: Need to add back the validation rule: (validate.rules).string = {min_len: 1 }] + // Envoy will determine the cluster to route to by reading the value of the + // HTTP header named by cluster_header from the request headers. If the + // header is not found or the referenced cluster does not exist, Envoy will + // return a 404 response. + // + // .. attention:: + // + // Internally, Envoy always uses the HTTP/2 ``:authority`` header to represent the HTTP/1 + // ``Host`` header. Thus, if attempting to match on ``Host``, match on ``:authority`` instead. + // + // .. note:: + // + // If the header appears multiple times only the first value is used. + string cluster_header = 12 [ + (validate.rules).string = {well_known_regex: HTTP_HEADER_NAME strict: false}, + (udpa.annotations.field_migrate).oneof_promotion = "cluster_specifier" + ]; + + // The weight of the cluster. This value is relative to the other clusters' + // weights. When a request matches the route, the choice of an upstream cluster + // is determined by its weight. The sum of weights across all + // entries in the clusters array must be greater than 0, and must not exceed + // uint32_t maximal value (4294967295). + google.protobuf.UInt32Value weight = 2; + + // Optional endpoint metadata match criteria used by the subset load balancer. Only endpoints in + // the upstream cluster with metadata matching what is set in this field will be considered for + // load balancing. Note that this will be merged with what's provided in + // :ref:`RouteAction.metadata_match `, with + // values here taking precedence. The filter name should be specified as ``envoy.lb``. + core.v3.Metadata metadata_match = 3; + + // Specifies a list of headers to be added to requests when this cluster is selected + // through the enclosing :ref:`envoy_v3_api_msg_config.route.v3.RouteAction`. + // Headers specified at this level are applied before headers from the enclosing + // :ref:`envoy_v3_api_msg_config.route.v3.Route`, :ref:`envoy_v3_api_msg_config.route.v3.VirtualHost`, and + // :ref:`envoy_v3_api_msg_config.route.v3.RouteConfiguration`. For more information, including details on + // header value syntax, see the documentation on :ref:`custom request headers + // `. + repeated core.v3.HeaderValueOption request_headers_to_add = 4 + [(validate.rules).repeated = {max_items: 1000}]; + + // Specifies a list of HTTP headers that should be removed from each request when + // this cluster is selected through the enclosing :ref:`envoy_v3_api_msg_config.route.v3.RouteAction`. + repeated string request_headers_to_remove = 9 [(validate.rules).repeated = { + items {string {well_known_regex: HTTP_HEADER_NAME strict: false}} + }]; + + // Specifies a list of headers to be added to responses when this cluster is selected + // through the enclosing :ref:`envoy_v3_api_msg_config.route.v3.RouteAction`. + // Headers specified at this level are applied before headers from the enclosing + // :ref:`envoy_v3_api_msg_config.route.v3.Route`, :ref:`envoy_v3_api_msg_config.route.v3.VirtualHost`, and + // :ref:`envoy_v3_api_msg_config.route.v3.RouteConfiguration`. For more information, including details on + // header value syntax, see the documentation on :ref:`custom request headers + // `. + repeated core.v3.HeaderValueOption response_headers_to_add = 5 + [(validate.rules).repeated = {max_items: 1000}]; + + // Specifies a list of headers to be removed from responses when this cluster is selected + // through the enclosing :ref:`envoy_v3_api_msg_config.route.v3.RouteAction`. + repeated string response_headers_to_remove = 6 [(validate.rules).repeated = { + items {string {well_known_regex: HTTP_HEADER_NAME strict: false}} + }]; + + // This field can be used to provide weighted cluster specific per filter config. The key should match the + // :ref:`filter config name + // `. + // See :ref:`HTTP filter route-specific config ` + // for details. + // [#comment: An entry's value may be wrapped in a + // :ref:`FilterConfig` + // message to specify additional options.] + map typed_per_filter_config = 10; + + oneof host_rewrite_specifier { + // Indicates that during forwarding, the host header will be swapped with + // this value. + string host_rewrite_literal = 11 + [(validate.rules).string = {well_known_regex: HTTP_HEADER_VALUE strict: false}]; + } + } + + // Specifies one or more upstream clusters associated with the route. + repeated ClusterWeight clusters = 1 [(validate.rules).repeated = {min_items: 1}]; + + // Specifies the total weight across all clusters. The sum of all cluster weights must equal this + // value, if this is greater than 0. + // This field is now deprecated, and the client will use the sum of all + // cluster weights. It is up to the management server to supply the correct weights. + google.protobuf.UInt32Value total_weight = 3 + [deprecated = true, (envoy.annotations.deprecated_at_minor_version) = "3.0"]; + + // Specifies the runtime key prefix that should be used to construct the + // runtime keys associated with each cluster. When the ``runtime_key_prefix`` is + // specified, the router will look for weights associated with each upstream + // cluster under the key ``runtime_key_prefix`` + ``.`` + ``cluster[i].name`` where + // ``cluster[i]`` denotes an entry in the clusters array field. If the runtime + // key for the cluster does not exist, the value specified in the + // configuration file will be used as the default weight. See the :ref:`runtime documentation + // ` for how key names map to the underlying implementation. + string runtime_key_prefix = 2; + + oneof random_value_specifier { + // Specifies the header name that is used to look up the random value passed in the request header. + // This is used to ensure consistent cluster picking across multiple proxy levels for weighted traffic. + // If header is not present or invalid, Envoy will fall back to use the internally generated random value. + // This header is expected to be single-valued header as we only want to have one selected value throughout + // the process for the consistency. And the value is a unsigned number between 0 and UINT64_MAX. + string header_name = 4 + [(validate.rules).string = {well_known_regex: HTTP_HEADER_NAME strict: false}]; + + // When set to true, the hash policies will be used to generate the random value for weighted cluster selection. + // This could ensure consistent cluster picking across multiple proxy levels for weighted traffic. + google.protobuf.BoolValue use_hash_policy = 5; + } +} + +// Configuration for a cluster specifier plugin. +message ClusterSpecifierPlugin { + // The name of the plugin and its opaque configuration. + // + // [#extension-category: envoy.router.cluster_specifier_plugin] + core.v3.TypedExtensionConfig extension = 1 [(validate.rules).message = {required: true}]; + + // If is_optional is not set or is set to false and the plugin defined by this message is not a + // supported type, the containing resource is NACKed. If is_optional is set to true, the resource + // would not be NACKed for this reason. In this case, routes referencing this plugin's name would + // not be treated as an illegal configuration, but would result in a failure if the route is + // selected. + bool is_optional = 2; +} + +// [#next-free-field: 18] +message RouteMatch { + option (udpa.annotations.versioning).previous_message_type = "envoy.api.v2.route.RouteMatch"; + + message GrpcRouteMatchOptions { + option (udpa.annotations.versioning).previous_message_type = + "envoy.api.v2.route.RouteMatch.GrpcRouteMatchOptions"; + } + + message TlsContextMatchOptions { + option (udpa.annotations.versioning).previous_message_type = + "envoy.api.v2.route.RouteMatch.TlsContextMatchOptions"; + + // If specified, the route will match against whether or not a certificate is presented. + // If not specified, certificate presentation status (true or false) will not be considered when route matching. + google.protobuf.BoolValue presented = 1; + + // If specified, the route will match against whether or not a certificate is validated. + // If not specified, certificate validation status (true or false) will not be considered when route matching. + // + // .. warning:: + // + // Client certificate validation is not currently performed upon TLS session resumption. For + // a resumed TLS session the route will match only when ``validated`` is false, regardless of + // whether the client TLS certificate is valid. + // + // The only known workaround for this issue is to disable TLS session resumption entirely, by + // setting both :ref:`disable_stateless_session_resumption ` + // and :ref:`disable_stateful_session_resumption ` on the DownstreamTlsContext. + google.protobuf.BoolValue validated = 2; + } + + // An extensible message for matching CONNECT or CONNECT-UDP requests. + message ConnectMatcher { + } + + reserved 5, 3; + + reserved "regex"; + + oneof path_specifier { + option (validate.required) = true; + + // If specified, the route is a prefix rule meaning that the prefix must + // match the beginning of the ``:path`` header. + string prefix = 1; + + // If specified, the route is an exact path rule meaning that the path must + // exactly match the ``:path`` header once the query string is removed. + string path = 2; + + // If specified, the route is a regular expression rule meaning that the + // regex must match the ``:path`` header once the query string is removed. The entire path + // (without the query string) must match the regex. The rule will not match if only a + // subsequence of the ``:path`` header matches the regex. + // + // [#next-major-version: In the v3 API we should redo how path specification works such + // that we utilize StringMatcher, and additionally have consistent options around whether we + // strip query strings, do a case-sensitive match, etc. In the interim it will be too disruptive + // to deprecate the existing options. We should even consider whether we want to do away with + // path_specifier entirely and just rely on a set of header matchers which can already match + // on :path, etc. The issue with that is it is unclear how to generically deal with query string + // stripping. This needs more thought.] + type.matcher.v3.RegexMatcher safe_regex = 10 [(validate.rules).message = {required: true}]; + + // If this is used as the matcher, the matcher will only match CONNECT or CONNECT-UDP requests. + // Note that this will not match other Extended CONNECT requests (WebSocket and the like) as + // they are normalized in Envoy as HTTP/1.1 style upgrades. + // This is the only way to match CONNECT requests for HTTP/1.1. For HTTP/2 and HTTP/3, + // where Extended CONNECT requests may have a path, the path matchers will work if + // there is a path present. + // Note that CONNECT support is currently considered alpha in Envoy. + // [#comment: TODO(htuch): Replace the above comment with an alpha tag.] + ConnectMatcher connect_matcher = 12; + + // If specified, the route is a path-separated prefix rule meaning that the + // ``:path`` header (without the query string) must either exactly match the + // ``path_separated_prefix`` or have it as a prefix, followed by ``/`` + // + // For example, ``/api/dev`` would match + // ``/api/dev``, ``/api/dev/``, ``/api/dev/v1``, and ``/api/dev?param=true`` + // but would not match ``/api/developer`` + // + // Expect the value to not contain ``?`` or ``#`` and not to end in ``/`` + string path_separated_prefix = 14 [(validate.rules).string = {pattern: "^[^?#]+[^?#/]$"}]; + + // [#extension-category: envoy.path.match] + core.v3.TypedExtensionConfig path_match_policy = 15; + } + + // Indicates that prefix/path matching should be case-sensitive. The default + // is true. Ignored for safe_regex matching. + google.protobuf.BoolValue case_sensitive = 4; + + // Indicates that the route should additionally match on a runtime key. Every time the route + // is considered for a match, it must also fall under the percentage of matches indicated by + // this field. For some fraction N/D, a random number in the range [0,D) is selected. If the + // number is <= the value of the numerator N, or if the key is not present, the default + // value, the router continues to evaluate the remaining match criteria. A runtime_fraction + // route configuration can be used to roll out route changes in a gradual manner without full + // code/config deploys. Refer to the :ref:`traffic shifting + // ` docs for additional documentation. + // + // .. note:: + // + // Parsing this field is implemented such that the runtime key's data may be represented + // as a FractionalPercent proto represented as JSON/YAML and may also be represented as an + // integer with the assumption that the value is an integral percentage out of 100. For + // instance, a runtime key lookup returning the value "42" would parse as a FractionalPercent + // whose numerator is 42 and denominator is HUNDRED. This preserves legacy semantics. + core.v3.RuntimeFractionalPercent runtime_fraction = 9; + + // Specifies a set of headers that the route should match on. The router will + // check the request’s headers against all the specified headers in the route + // config. A match will happen if all the headers in the route are present in + // the request with the same values (or based on presence if the value field + // is not in the config). + repeated HeaderMatcher headers = 6; + + // Specifies a set of URL query parameters on which the route should + // match. The router will check the query string from the ``path`` header + // against all the specified query parameters. If the number of specified + // query parameters is nonzero, they all must match the ``path`` header's + // query string for a match to occur. In the event query parameters are + // repeated, only the first value for each key will be considered. + // + // .. note:: + // + // If query parameters are used to pass request message fields when + // `grpc_json_transcoder `_ + // is used, the transcoded message fields may be different. The query parameters are + // URL-encoded, but the message fields are not. For example, if a query + // parameter is "foo%20bar", the message field will be "foo bar". + repeated QueryParameterMatcher query_parameters = 7; + + // Specifies a set of cookies on which the route should match. The router parses the ``Cookie`` + // header and evaluates the named cookie against each matcher. If the number of specified cookie + // matchers is nonzero, they all must match for the route to be selected. + repeated CookieMatcher cookies = 17; + + // If specified, only gRPC requests will be matched. The router will check + // that the ``Content-Type`` header has ``application/grpc`` or one of the various + // ``application/grpc+`` values. + GrpcRouteMatchOptions grpc = 8; + + // If specified, the client tls context will be matched against the defined + // match options. + // + // [#next-major-version: unify with RBAC] + TlsContextMatchOptions tls_context = 11; + + // Specifies a set of dynamic metadata matchers on which the route should match. + // The router will check the dynamic metadata against all the specified dynamic metadata matchers. + // If the number of specified dynamic metadata matchers is nonzero, they all must match the + // dynamic metadata for a match to occur. + repeated type.matcher.v3.MetadataMatcher dynamic_metadata = 13; + + // Specifies a set of filter state matchers on which the route should match. + // The router will check the filter state against all the specified filter state matchers. + // If the number of specified filter state matchers is nonzero, they all must match the + // filter state for a match to occur. + repeated type.matcher.v3.FilterStateMatcher filter_state = 16; +} + +// Cors policy configuration. +// +// .. attention:: +// +// This message has been deprecated. Please use +// :ref:`CorsPolicy in filter extension ` +// as as alternative. +// +// [#next-free-field: 14] +message CorsPolicy { + option (udpa.annotations.versioning).previous_message_type = "envoy.api.v2.route.CorsPolicy"; + + reserved 1, 8, 7; + + reserved "allow_origin", "allow_origin_regex", "enabled"; + + // Specifies string patterns that match allowed origins. An origin is allowed if any of the + // string matchers match. + repeated type.matcher.v3.StringMatcher allow_origin_string_match = 11; + + // Specifies the content for the ``access-control-allow-methods`` header. + string allow_methods = 2; + + // Specifies the content for the ``access-control-allow-headers`` header. + string allow_headers = 3; + + // Specifies the content for the ``access-control-expose-headers`` header. + string expose_headers = 4; + + // Specifies the content for the ``access-control-max-age`` header. + string max_age = 5; + + // Specifies whether the resource allows credentials. + google.protobuf.BoolValue allow_credentials = 6; + + oneof enabled_specifier { + // Specifies the % of requests for which the CORS filter is enabled. + // + // If neither ``enabled``, ``filter_enabled``, nor ``shadow_enabled`` are specified, the CORS + // filter will be enabled for 100% of the requests. + // + // If :ref:`runtime_key ` is + // specified, Envoy will lookup the runtime key to get the percentage of requests to filter. + core.v3.RuntimeFractionalPercent filter_enabled = 9; + } + + // Specifies the % of requests for which the CORS policies will be evaluated and tracked, but not + // enforced. + // + // This field is intended to be used when ``filter_enabled`` and ``enabled`` are off. One of those + // fields have to explicitly disable the filter in order for this setting to take effect. + // + // If :ref:`runtime_key ` is specified, + // Envoy will lookup the runtime key to get the percentage of requests for which it will evaluate + // and track the request's ``Origin`` to determine if it's valid but will not enforce any policies. + core.v3.RuntimeFractionalPercent shadow_enabled = 10; + + // Specify whether allow requests whose target server's IP address is more private than that from + // which the request initiator was fetched. + // + // More details refer to https://developer.chrome.com/blog/private-network-access-preflight. + google.protobuf.BoolValue allow_private_network_access = 12; + + // Specifies if preflight requests not matching the configured allowed origin should be forwarded + // to the upstream. Default is ``true``. + google.protobuf.BoolValue forward_not_matching_preflights = 13; +} + +// [#next-free-field: 46] +message RouteAction { + option (udpa.annotations.versioning).previous_message_type = "envoy.api.v2.route.RouteAction"; + + enum ClusterNotFoundResponseCode { + // HTTP status code - 503 Service Unavailable. + SERVICE_UNAVAILABLE = 0; + + // HTTP status code - 404 Not Found. + NOT_FOUND = 1; + + // HTTP status code - 500 Internal Server Error. + INTERNAL_SERVER_ERROR = 2; + } + + // Configures :ref:`internal redirect ` behavior. + // [#next-major-version: remove this definition - it's defined in the InternalRedirectPolicy message.] + enum InternalRedirectAction { + option deprecated = true; + + PASS_THROUGH_INTERNAL_REDIRECT = 0; + HANDLE_INTERNAL_REDIRECT = 1; + } + + // The router is capable of shadowing traffic from one cluster to another. The current + // implementation is "fire and forget," meaning Envoy will not wait for the shadow cluster to + // respond before returning the response from the primary cluster. All normal statistics are + // collected for the shadow cluster making this feature useful for testing. + // + // During shadowing, the host/authority header is altered such that ``-shadow`` is appended. This is + // useful for logging. For example, ``cluster1`` becomes ``cluster1-shadow``. This behavior can be + // disabled by setting ``disable_shadow_host_suffix_append`` to ``true``. + // + // .. note:: + // + // Shadowing will not be triggered if the primary cluster does not exist. + // + // .. note:: + // + // Shadowing doesn't support HTTP CONNECT and upgrades. + // [#next-free-field: 9] + message RequestMirrorPolicy { + option (udpa.annotations.versioning).previous_message_type = + "envoy.api.v2.route.RouteAction.RequestMirrorPolicy"; + + reserved 2; + + reserved "runtime_key"; + + // Only one of ``cluster`` and ``cluster_header`` can be specified. + // [#next-major-version: Need to add back the validation rule: (validate.rules).string = {min_len: 1}] + // Specifies the cluster that requests will be mirrored to. The cluster must + // exist in the cluster manager configuration. + string cluster = 1 [(udpa.annotations.field_migrate).oneof_promotion = "cluster_specifier"]; + + // Only one of ``cluster`` and ``cluster_header`` can be specified. + // Envoy will determine the cluster to route to by reading the value of the + // HTTP header named by cluster_header from the request headers. Only the first value in header is used, + // and no shadow request will happen if the value is not found in headers. Envoy will not wait for + // the shadow cluster to respond before returning the response from the primary cluster. + // + // .. attention:: + // + // Internally, Envoy always uses the HTTP/2 ``:authority`` header to represent the HTTP/1 + // ``Host`` header. Thus, if attempting to match on ``Host``, match on ``:authority`` instead. + // + // .. note:: + // + // If the header appears multiple times only the first value is used. + string cluster_header = 5 [ + (validate.rules).string = {well_known_regex: HTTP_HEADER_NAME strict: false}, + (udpa.annotations.field_migrate).oneof_promotion = "cluster_specifier" + ]; + + // If not specified, all requests to the target cluster will be mirrored. + // + // If specified, this field takes precedence over the ``runtime_key`` field and requests must also + // fall under the percentage of matches indicated by this field. + // + // For some fraction N/D, a random number in the range [0,D) is selected. If the + // number is <= the value of the numerator N, or if the key is not present, the default + // value, the request will be mirrored. + core.v3.RuntimeFractionalPercent runtime_fraction = 3; + + // Specifies whether the trace span for the shadow request should be sampled. If this field is not explicitly set, + // the shadow request will inherit the sampling decision of its parent span. This ensures consistency with the trace + // sampling policy of the original request and prevents oversampling, especially in scenarios where runtime sampling + // is disabled. + google.protobuf.BoolValue trace_sampled = 4; + + // Disables appending the ``-shadow`` suffix to the shadowed ``Host`` header. + // + // Defaults to ``false``. + bool disable_shadow_host_suffix_append = 6; + + // Specifies a list of header mutations that should be applied to each mirrored request. + // Header mutations are applied in the order they are specified. For more information, including + // details on header value syntax, see the documentation on :ref:`custom request headers + // `. + repeated common.mutation_rules.v3.HeaderMutation request_headers_mutations = 7 + [(validate.rules).repeated = {max_items: 1000}]; + + // Indicates that during mirroring, the host header will be swapped with this value. + // :ref:`disable_shadow_host_suffix_append + // ` + // is implicitly enabled if this field is set. + string host_rewrite_literal = 8 + [(validate.rules).string = {well_known_regex: HTTP_HEADER_VALUE strict: false}]; + } + + // Specifies the route's hashing policy if the upstream cluster uses a hashing :ref:`load balancer + // `. + // [#next-free-field: 7] + message HashPolicy { + option (udpa.annotations.versioning).previous_message_type = + "envoy.api.v2.route.RouteAction.HashPolicy"; + + message Header { + option (udpa.annotations.versioning).previous_message_type = + "envoy.api.v2.route.RouteAction.HashPolicy.Header"; + + // The name of the request header that will be used to obtain the hash + // key. If the request header is not present, no hash will be produced. + string header_name = 1 + [(validate.rules).string = {min_len: 1 well_known_regex: HTTP_HEADER_NAME strict: false}]; + + // If specified, the request header value will be rewritten and used + // to produce the hash key. + type.matcher.v3.RegexMatchAndSubstitute regex_rewrite = 2; + } + + // CookieAttribute defines an API for adding additional attributes for a HTTP cookie. + message CookieAttribute { + // The name of the cookie attribute. + string name = 1 + [(validate.rules).string = + {min_len: 1 max_bytes: 16384 well_known_regex: HTTP_HEADER_NAME strict: false}]; + + // The optional value of the cookie attribute. + string value = 2 [(validate.rules).string = + {max_bytes: 16384 well_known_regex: HTTP_HEADER_VALUE strict: false}]; + } + + // Envoy supports two types of cookie affinity: + // + // 1. Passive. Envoy takes a cookie that's present in the cookies header and + // hashes on its value. + // + // 2. Generated. Envoy generates and sets a cookie with an expiration (TTL) + // on the first request from the client in its response to the client, + // based on the endpoint the request gets sent to. The client then + // presents this on the next and all subsequent requests. The hash of + // this is sufficient to ensure these requests get sent to the same + // endpoint. The cookie is generated by hashing the source and + // destination ports and addresses so that multiple independent HTTP2 + // streams on the same connection will independently receive the same + // cookie, even if they arrive at the Envoy simultaneously. + message Cookie { + option (udpa.annotations.versioning).previous_message_type = + "envoy.api.v2.route.RouteAction.HashPolicy.Cookie"; + + // The name of the cookie that will be used to obtain the hash key. If the + // cookie is not present and ttl below is not set, no hash will be + // produced. + string name = 1 [(validate.rules).string = {min_len: 1}]; + + // If specified, a cookie with the TTL will be generated if the cookie is + // not present. If the TTL is present and zero, the generated cookie will + // be a session cookie. + google.protobuf.Duration ttl = 2; + + // The name of the path for the cookie. If no path is specified here, no path + // will be set for the cookie. + string path = 3; + + // Additional attributes for the cookie. They will be used when generating a new cookie. + repeated CookieAttribute attributes = 4; + } + + message ConnectionProperties { + option (udpa.annotations.versioning).previous_message_type = + "envoy.api.v2.route.RouteAction.HashPolicy.ConnectionProperties"; + + // Hash on source IP address. + bool source_ip = 1; + } + + message QueryParameter { + option (udpa.annotations.versioning).previous_message_type = + "envoy.api.v2.route.RouteAction.HashPolicy.QueryParameter"; + + // The name of the URL query parameter that will be used to obtain the hash + // key. If the parameter is not present, no hash will be produced. Query + // parameter names are case-sensitive. If query parameters are repeated, only + // the first value will be considered. + string name = 1 [(validate.rules).string = {min_len: 1}]; + } + + message FilterState { + option (udpa.annotations.versioning).previous_message_type = + "envoy.api.v2.route.RouteAction.HashPolicy.FilterState"; + + // The name of the Object in the per-request filterState, which is an + // Envoy::Hashable object. If there is no data associated with the key, + // or the stored object is not Envoy::Hashable, no hash will be produced. + string key = 1 [(validate.rules).string = {min_len: 1}]; + } + + oneof policy_specifier { + option (validate.required) = true; + + // Header hash policy. + Header header = 1; + + // Cookie hash policy. + Cookie cookie = 2; + + // Connection properties hash policy. + ConnectionProperties connection_properties = 3; + + // Query parameter hash policy. + QueryParameter query_parameter = 5; + + // Filter state hash policy. + FilterState filter_state = 6; + } + + // The flag that short-circuits the hash computing. This field provides a + // 'fallback' style of configuration: "if a terminal policy doesn't work, + // fallback to rest of the policy list", it saves time when the terminal + // policy works. + // + // If true, and there is already a hash computed, ignore rest of the + // list of hash polices. + // For example, if the following hash methods are configured: + // + // ========= ======== + // specifier terminal + // ========= ======== + // Header A true + // Header B false + // Header C false + // ========= ======== + // + // The generateHash process ends if policy "header A" generates a hash, as + // it's a terminal policy. + bool terminal = 4; + } + + // Allows enabling and disabling upgrades on a per-route basis. + // This overrides any enabled/disabled upgrade filter chain specified in the + // HttpConnectionManager + // :ref:`upgrade_configs + // ` + // but does not affect any custom filter chain specified there. + message UpgradeConfig { + option (udpa.annotations.versioning).previous_message_type = + "envoy.api.v2.route.RouteAction.UpgradeConfig"; + + // Configuration for sending data upstream as a raw data payload. This is used for + // CONNECT or POST requests, when forwarding request payload as raw TCP. + message ConnectConfig { + // If present, the proxy protocol header will be prepended to the CONNECT payload sent upstream. + core.v3.ProxyProtocolConfig proxy_protocol_config = 1; + + // If set, the route will also allow forwarding POST payload as raw TCP. + bool allow_post = 2; + } + + // The case-insensitive name of this upgrade, for example, "websocket". + // For each upgrade type present in upgrade_configs, requests with + // Upgrade: [upgrade_type] will be proxied upstream. + string upgrade_type = 1 + [(validate.rules).string = {min_len: 1 well_known_regex: HTTP_HEADER_VALUE strict: false}]; + + // Determines if upgrades are available on this route. + // + // Defaults to ``true``. + google.protobuf.BoolValue enabled = 2; + + // Configuration for sending data upstream as a raw data payload. This is used for + // CONNECT requests, when forwarding CONNECT payload as raw TCP. + // Note that CONNECT support is currently considered alpha in Envoy. + // [#comment: TODO(htuch): Replace the above comment with an alpha tag.] + ConnectConfig connect_config = 3; + } + + message MaxStreamDuration { + // Specifies the maximum duration allowed for streams on the route. If not specified, the value + // from the :ref:`max_stream_duration + // ` field in + // :ref:`HttpConnectionManager.common_http_protocol_options + // ` + // is used. If this field is set explicitly to zero, any + // HttpConnectionManager max_stream_duration timeout will be disabled for + // this route. + google.protobuf.Duration max_stream_duration = 1; + + // If present, and the request contains a `grpc-timeout header + // `_, use that value as the + // ``max_stream_duration``, but limit the applied timeout to the maximum value specified here. + // If set to 0, the ``grpc-timeout`` header is used without modification. + google.protobuf.Duration grpc_timeout_header_max = 2; + + // If present, Envoy will adjust the timeout provided by the ``grpc-timeout`` header by + // subtracting the provided duration from the header. This is useful for allowing Envoy to set + // its global timeout to be less than that of the deadline imposed by the calling client, which + // makes it more likely that Envoy will handle the timeout instead of having the call canceled + // by the client. If, after applying the offset, the resulting timeout is zero or negative, + // the stream will timeout immediately. + google.protobuf.Duration grpc_timeout_header_offset = 3; + } + + reserved 12, 18, 19, 16, 22, 21, 10; + + reserved "request_mirror_policy"; + + oneof cluster_specifier { + option (validate.required) = true; + + // Indicates the upstream cluster to which the request should be routed + // to. + string cluster = 1 [(validate.rules).string = {min_len: 1}]; + + // Envoy will determine the cluster to route to by reading the value of the + // HTTP header named by cluster_header from the request headers. If the + // header is not found or the referenced cluster does not exist, Envoy will + // return a 404 response. + // + // .. attention:: + // + // Internally, Envoy always uses the HTTP/2 ``:authority`` header to represent the HTTP/1 + // ``Host`` header. Thus, if attempting to match on ``Host``, match on ``:authority`` instead. + // + // .. note:: + // + // If the header appears multiple times only the first value is used. + string cluster_header = 2 + [(validate.rules).string = {min_len: 1 well_known_regex: HTTP_HEADER_NAME strict: false}]; + + // Multiple upstream clusters can be specified for a given route. The + // request is routed to one of the upstream clusters based on weights + // assigned to each cluster. See + // :ref:`traffic splitting ` + // for additional documentation. + WeightedCluster weighted_clusters = 3; + + // Name of the cluster specifier plugin to use to determine the cluster for requests on this route. + // The cluster specifier plugin name must be defined in the associated + // :ref:`cluster specifier plugins ` + // in the :ref:`name ` field. + string cluster_specifier_plugin = 37; + + // Custom cluster specifier plugin configuration to use to determine the cluster for requests + // on this route. + ClusterSpecifierPlugin inline_cluster_specifier_plugin = 39; + } + + // The HTTP status code to use when configured cluster is not found. + // The default response code is 503 Service Unavailable. + ClusterNotFoundResponseCode cluster_not_found_response_code = 20 + [(validate.rules).enum = {defined_only: true}]; + + // Optional endpoint metadata match criteria used by the subset load balancer. Only endpoints + // in the upstream cluster with metadata matching what's set in this field will be considered + // for load balancing. If using :ref:`weighted_clusters + // `, metadata will be merged, with values + // provided there taking precedence. The filter name should be specified as ``envoy.lb``. + core.v3.Metadata metadata_match = 4; + + // Indicates that during forwarding, the matched prefix (or path) should be + // swapped with this value. This option allows application URLs to be rooted + // at a different path from those exposed at the reverse proxy layer. The router filter will + // place the original path before rewrite into the :ref:`x-envoy-original-path + // ` header. + // + // Only one of :ref:`regex_rewrite `, + // :ref:`path_rewrite_policy `, + // :ref:`path_rewrite `, + // or :ref:`prefix_rewrite ` + // may be specified. + // + // .. attention:: + // + // Pay careful attention to the use of trailing slashes in the + // :ref:`route's match ` prefix value. + // Stripping a prefix from a path requires multiple Routes to handle all cases. For example, + // rewriting ``/prefix`` to ``/`` and ``/prefix/etc`` to ``/etc`` cannot be done in a single + // :ref:`Route `, as shown by the below config entries: + // + // .. code-block:: yaml + // + // - match: + // prefix: "/prefix/" + // route: + // prefix_rewrite: "/" + // - match: + // prefix: "/prefix" + // route: + // prefix_rewrite: "/" + // + // Having above entries in the config, requests to ``/prefix`` will be stripped to ``/``, while + // requests to ``/prefix/etc`` will be stripped to ``/etc``. + string prefix_rewrite = 5 + [(validate.rules).string = {well_known_regex: HTTP_HEADER_VALUE strict: false}]; + + // Indicates that during forwarding, portions of the path that match the + // pattern should be rewritten, even allowing the substitution of capture + // groups from the pattern into the new path as specified by the rewrite + // substitution string. This is useful to allow application paths to be + // rewritten in a way that is aware of segments with variable content like + // identifiers. The router filter will place the original path as it was + // before the rewrite into the :ref:`x-envoy-original-path + // ` header. + // + // Only one of :ref:`regex_rewrite `, + // :ref:`path_rewrite_policy `, + // :ref:`path_rewrite `, + // or :ref:`prefix_rewrite ` + // may be specified. + // + // Examples using Google's `RE2 `_ engine: + // + // * The path pattern ``^/service/([^/]+)(/.*)$`` paired with a substitution + // string of ``\2/instance/\1`` would transform ``/service/foo/v1/api`` + // into ``/v1/api/instance/foo``. + // + // * The pattern ``one`` paired with a substitution string of ``two`` would + // transform ``/xxx/one/yyy/one/zzz`` into ``/xxx/two/yyy/two/zzz``. + // + // * The pattern ``^(.*?)one(.*)$`` paired with a substitution string of + // ``\1two\2`` would replace only the first occurrence of ``one``, + // transforming path ``/xxx/one/yyy/one/zzz`` into ``/xxx/two/yyy/one/zzz``. + // + // * The pattern ``(?i)/xxx/`` paired with a substitution string of ``/yyy/`` + // would do a case-insensitive match and transform path ``/aaa/XxX/bbb`` to + // ``/aaa/yyy/bbb``. + type.matcher.v3.RegexMatchAndSubstitute regex_rewrite = 32; + + // [#extension-category: envoy.path.rewrite] + core.v3.TypedExtensionConfig path_rewrite_policy = 41; + + // Rewrites the whole path (without query parameters) with the given path value. + // The router filter will + // place the original path before rewrite into the :ref:`x-envoy-original-path + // ` header. + // + // Only one of :ref:`regex_rewrite `, + // :ref:`path_rewrite_policy `, + // :ref:`path_rewrite `, + // or :ref:`prefix_rewrite ` + // may be specified. + // + // The :ref:`substitution format specifier ` could be applied here. + // For example, with the following config: + // + // .. code-block:: yaml + // + // path_rewrite: "/new_path_prefix%REQ(custom-path-header-name)%" + // + // Would rewrite the path to ``/new_path_prefix/some_value`` given the header + // ``custom-path-header-name: some_value``. If the header is not present, the path will be + // rewritten to ``/new_path_prefix``. + // + // + // If the final output of the path rewrite is empty, then the update will be ignored and the + // original path will be preserved. + string path_rewrite = 45; + + // If one of the host rewrite specifiers is set and the + // :ref:`suppress_envoy_headers + // ` flag is not + // set to true, the router filter will place the original host header value before + // rewriting into the :ref:`x-envoy-original-host + // ` header. + // + // And if the + // :ref:`append_x_forwarded_host ` + // is set to true, the original host value will also be appended to the + // :ref:`config_http_conn_man_headers_x-forwarded-host` header. + // + oneof host_rewrite_specifier { + // Indicates that during forwarding, the host header will be swapped with + // this value. + string host_rewrite_literal = 6 + [(validate.rules).string = {well_known_regex: HTTP_HEADER_VALUE strict: false}]; + + // Indicates that during forwarding, the host header will be swapped with + // the hostname of the upstream host chosen by the cluster manager. This + // option is applicable only when the destination cluster for a route is of + // type ``strict_dns`` or ``logical_dns``, + // or when :ref:`hostname ` + // field is not empty. Setting this to true with other cluster types + // has no effect. + google.protobuf.BoolValue auto_host_rewrite = 7; + + // Indicates that during forwarding, the host header will be swapped with the content of given + // downstream or :ref:`custom ` header. + // If header value is empty, host header is left intact. + // + // .. attention:: + // + // Pay attention to the potential security implications of using this option. Provided header + // must come from trusted source. + // + // .. note:: + // + // If the header appears multiple times only the first value is used. + string host_rewrite_header = 29 + [(validate.rules).string = {well_known_regex: HTTP_HEADER_NAME strict: false}]; + + // Indicates that during forwarding, the host header will be swapped with + // the result of the regex substitution executed on path value with query and fragment removed. + // This is useful for transitioning variable content between path segment and subdomain. + // + // For example with the following config: + // + // .. code-block:: yaml + // + // host_rewrite_path_regex: + // pattern: + // google_re2: {} + // regex: "^/(.+)/.+$" + // substitution: \1 + // + // Would rewrite the host header to ``envoyproxy.io`` given the path ``/envoyproxy.io/some/path``. + type.matcher.v3.RegexMatchAndSubstitute host_rewrite_path_regex = 35; + + // Rewrites the host header with the value of this field. The router filter will + // place the original host header value before rewriting into the :ref:`x-envoy-original-host + // ` header. + // + // The :ref:`substitution format specifier ` could be applied here. + // For example, with the following config: + // + // .. code-block:: yaml + // + // host_rewrite: "prefix-%REQ(custom-host-header-name)%" + // + // Would rewrite the host header to ``prefix-some_value`` given the header + // ``custom-host-header-name: some_value``. If the header is not present, the host header will + // be rewritten to an value of ``prefix-``. + // + // If the final output of the host rewrite is empty, then the update will be ignored and the + // original host header will be preserved. + string host_rewrite = 44; + } + + // If set, then a host rewrite action (one of + // :ref:`host_rewrite_literal `, + // :ref:`auto_host_rewrite `, + // :ref:`host_rewrite_header `, or + // :ref:`host_rewrite_path_regex `) + // causes the original value of the host header, if any, to be appended to the + // :ref:`config_http_conn_man_headers_x-forwarded-host` HTTP header if it is different to the last value appended. + bool append_x_forwarded_host = 38; + + // Specifies the upstream timeout for the route. If not specified, the default is 15s. This + // spans between the point at which the entire downstream request (i.e. end-of-stream) has been + // processed and when the upstream response has been completely processed. A value of 0 will + // disable the route's timeout. + // + // .. note:: + // + // This timeout includes all retries. See also + // :ref:`config_http_filters_router_x-envoy-upstream-rq-timeout-ms`, + // :ref:`config_http_filters_router_x-envoy-upstream-rq-per-try-timeout-ms`, and the + // :ref:`retry overview `. + google.protobuf.Duration timeout = 8; + + // Specifies the idle timeout for the route. If not specified, there is no per-route idle timeout, + // although the connection manager wide :ref:`stream_idle_timeout + // ` + // will still apply. A value of 0 will completely disable the route's idle timeout, even if a + // connection manager stream idle timeout is configured. + // + // The idle timeout is distinct to :ref:`timeout + // `, which provides an upper bound + // on the upstream response time; :ref:`idle_timeout + // ` instead bounds the amount + // of time the request's stream may be idle. + // + // After header decoding, the idle timeout will apply on downstream and + // upstream request events. Each time an encode/decode event for headers or + // data is processed for the stream, the timer will be reset. If the timeout + // fires, the stream is terminated with a 408 Request Timeout error code if no + // upstream response header has been received, otherwise a stream reset + // occurs. + // + // If the :ref:`overload action ` "envoy.overload_actions.reduce_timeouts" + // is configured, this timeout is scaled according to the value for + // :ref:`HTTP_DOWNSTREAM_STREAM_IDLE `. + // + // This timeout may also be used in place of ``flush_timeout`` in very specific cases. See the + // documentation for ``flush_timeout`` for more details. + google.protobuf.Duration idle_timeout = 24; + + // Specifies the codec stream flush timeout for the route. + // + // If not specified, the first preference is the global :ref:`stream_flush_timeout + // `, + // but only if explicitly configured. + // + // If neither the explicit HCM-wide flush timeout nor this route-specific flush timeout is configured, + // the route's stream idle timeout is reused for this timeout. This is for + // backwards compatibility since both behaviors were historically controlled by the one timeout. + // + // If the route also does not have an idle timeout configured, the global :ref:`stream_idle_timeout + // `. used, again + // for backwards compatibility. That timeout defaults to 5 minutes. + // + // A value of 0 via any of the above paths will completely disable the timeout for a given route. + google.protobuf.Duration flush_timeout = 42; + + // Specifies how to send request over TLS early data. + // If absent, allows `safe HTTP requests `_ to be sent on early data. + // [#extension-category: envoy.route.early_data_policy] + core.v3.TypedExtensionConfig early_data_policy = 40; + + // Indicates that the route has a retry policy. Note that if this is set, + // it'll take precedence over the virtual host level retry policy entirely + // (e.g., policies are not merged, the most internal one becomes the enforced policy). + RetryPolicy retry_policy = 9; + + // [#not-implemented-hide:] + // Specifies the configuration for retry policy extension. Note that if this is set, it'll take + // precedence over the virtual host level retry policy entirely (e.g., policies are not merged, + // the most internal one becomes the enforced policy). :ref:`Retry policy ` + // should not be set if this field is used. + google.protobuf.Any retry_policy_typed_config = 33; + + // Specify a set of route request mirroring policies. + // It takes precedence over the virtual host and route config mirror policy entirely. + // That is, policies are not merged, the most specific non-empty one becomes the mirror policies. + repeated RequestMirrorPolicy request_mirror_policies = 30; + + // Optionally specifies the :ref:`routing priority `. + core.v3.RoutingPriority priority = 11 [(validate.rules).enum = {defined_only: true}]; + + // Specifies a set of rate limit configurations that could be applied to the + // route. + repeated RateLimit rate_limits = 13; + + // Specifies if the rate limit filter should include the virtual host rate + // limits. By default, if the route configured rate limits, the virtual host + // :ref:`rate_limits ` are not applied to the + // request. + // + // .. attention:: + // + // This field is deprecated. Please use :ref:`vh_rate_limits ` + google.protobuf.BoolValue include_vh_rate_limits = 14 + [deprecated = true, (envoy.annotations.deprecated_at_minor_version) = "3.0"]; + + // Specifies a list of hash policies to use for ring hash load balancing. Each + // hash policy is evaluated individually and the combined result is used to + // route the request. The method of combination is deterministic such that + // identical lists of hash policies will produce the same hash. Since a hash + // policy examines specific parts of a request, it can fail to produce a hash + // (i.e. if the hashed header is not present). If (and only if) all configured + // hash policies fail to generate a hash, no hash will be produced for + // the route. In this case, the behavior is the same as if no hash policies + // were specified (i.e. the ring hash load balancer will choose a random + // backend). If a hash policy has the "terminal" attribute set to true, and + // there is already a hash generated, the hash is returned immediately, + // ignoring the rest of the hash policy list. + repeated HashPolicy hash_policy = 15; + + // Indicates that the route has a CORS policy. This field is ignored if related cors policy is + // found in the :ref:`Route.typed_per_filter_config` or + // :ref:`WeightedCluster.ClusterWeight.typed_per_filter_config`. + // + // .. attention:: + // + // This option has been deprecated. Please use + // :ref:`Route.typed_per_filter_config` or + // :ref:`WeightedCluster.ClusterWeight.typed_per_filter_config` + // to configure the CORS HTTP filter. + CorsPolicy cors = 17 [deprecated = true, (envoy.annotations.deprecated_at_minor_version) = "3.0"]; + + // Deprecated by :ref:`grpc_timeout_header_max ` + // If present, and the request is a gRPC request, use the + // `grpc-timeout header `_, + // or its default value (infinity) instead of + // :ref:`timeout `, but limit the applied timeout + // to the maximum value specified here. If configured as 0, the maximum allowed timeout for + // gRPC requests is infinity. If not configured at all, the ``grpc-timeout`` header is not used + // and gRPC requests time out like any other requests using + // :ref:`timeout ` or its default. + // This can be used to prevent unexpected upstream request timeouts due to potentially long + // time gaps between gRPC request and response in gRPC streaming mode. + // + // .. note:: + // + // If a timeout is specified using :ref:`config_http_filters_router_x-envoy-upstream-rq-timeout-ms`, it takes + // precedence over `grpc-timeout header `_, when + // both are present. See also + // :ref:`config_http_filters_router_x-envoy-upstream-rq-timeout-ms`, + // :ref:`config_http_filters_router_x-envoy-upstream-rq-per-try-timeout-ms`, and the + // :ref:`retry overview `. + google.protobuf.Duration max_grpc_timeout = 23 + [deprecated = true, (envoy.annotations.deprecated_at_minor_version) = "3.0"]; + + // Deprecated by :ref:`grpc_timeout_header_offset `. + // If present, Envoy will adjust the timeout provided by the ``grpc-timeout`` header by subtracting + // the provided duration from the header. This is useful in allowing Envoy to set its global + // timeout to be less than that of the deadline imposed by the calling client, which makes it more + // likely that Envoy will handle the timeout instead of having the call canceled by the client. + // The offset will only be applied if the provided grpc_timeout is greater than the offset. This + // ensures that the offset will only ever decrease the timeout and never set it to 0 (meaning + // infinity). + google.protobuf.Duration grpc_timeout_offset = 28 + [deprecated = true, (envoy.annotations.deprecated_at_minor_version) = "3.0"]; + + repeated UpgradeConfig upgrade_configs = 25; + + // If present, Envoy will try to follow an upstream redirect response instead of proxying the + // response back to the downstream. An upstream redirect response is defined + // by :ref:`redirect_response_codes + // `. + InternalRedirectPolicy internal_redirect_policy = 34; + + InternalRedirectAction internal_redirect_action = 26 + [deprecated = true, (envoy.annotations.deprecated_at_minor_version) = "3.0"]; + + // An internal redirect is handled, iff the number of previous internal redirects that a + // downstream request has encountered is lower than this value, and + // :ref:`internal_redirect_action ` + // is set to :ref:`HANDLE_INTERNAL_REDIRECT + // ` + // In the case where a downstream request is bounced among multiple routes by internal redirect, + // the first route that hits this threshold, or has + // :ref:`internal_redirect_action ` + // set to + // :ref:`PASS_THROUGH_INTERNAL_REDIRECT + // ` + // will pass the redirect back to downstream. + // + // If not specified, at most one redirect will be followed. + google.protobuf.UInt32Value max_internal_redirects = 31 + [deprecated = true, (envoy.annotations.deprecated_at_minor_version) = "3.0"]; + + // Indicates that the route has a hedge policy. Note that if this is set, + // it'll take precedence over the virtual host level hedge policy entirely + // (e.g., policies are not merged, the most internal one becomes the enforced policy). + HedgePolicy hedge_policy = 27; + + // Specifies the maximum stream duration for this route. + MaxStreamDuration max_stream_duration = 36; +} + +// HTTP retry :ref:`architecture overview `. +// [#next-free-field: 14] +message RetryPolicy { + option (udpa.annotations.versioning).previous_message_type = "envoy.api.v2.route.RetryPolicy"; + + enum ResetHeaderFormat { + SECONDS = 0; + UNIX_TIMESTAMP = 1; + } + + message RetryPriority { + option (udpa.annotations.versioning).previous_message_type = + "envoy.api.v2.route.RetryPolicy.RetryPriority"; + + reserved 2; + + reserved "config"; + + string name = 1 [(validate.rules).string = {min_len: 1}]; + + // [#extension-category: envoy.retry_priorities] + oneof config_type { + google.protobuf.Any typed_config = 3; + } + } + + message RetryHostPredicate { + option (udpa.annotations.versioning).previous_message_type = + "envoy.api.v2.route.RetryPolicy.RetryHostPredicate"; + + reserved 2; + + reserved "config"; + + string name = 1 [(validate.rules).string = {min_len: 1}]; + + // [#extension-category: envoy.retry_host_predicates] + oneof config_type { + google.protobuf.Any typed_config = 3; + } + } + + message RetryBackOff { + option (udpa.annotations.versioning).previous_message_type = + "envoy.api.v2.route.RetryPolicy.RetryBackOff"; + + // Specifies the base interval between retries. This parameter is required and must be greater + // than zero. Values less than 1 ms are rounded up to 1 ms. + // See :ref:`config_http_filters_router_x-envoy-max-retries` for a discussion of Envoy's + // back-off algorithm. + google.protobuf.Duration base_interval = 1 [(validate.rules).duration = { + required: true + gt {} + }]; + + // Specifies the maximum interval between retries. This parameter is optional, but must be + // greater than or equal to the ``base_interval`` if set. The default is 10 times the + // ``base_interval``. See :ref:`config_http_filters_router_x-envoy-max-retries` for a discussion + // of Envoy's back-off algorithm. + google.protobuf.Duration max_interval = 2 [(validate.rules).duration = {gt {}}]; + } + + message ResetHeader { + // The name of the reset header. + // + // .. note:: + // + // If the header appears multiple times only the first value is used. + string name = 1 + [(validate.rules).string = {min_len: 1 well_known_regex: HTTP_HEADER_NAME strict: false}]; + + // The format of the reset header. + ResetHeaderFormat format = 2 [(validate.rules).enum = {defined_only: true}]; + } + + // A retry back-off strategy that applies when the upstream server rate limits + // the request. + // + // Given this configuration: + // + // .. code-block:: yaml + // + // rate_limited_retry_back_off: + // reset_headers: + // - name: Retry-After + // format: SECONDS + // - name: X-RateLimit-Reset + // format: UNIX_TIMESTAMP + // max_interval: "300s" + // + // The following algorithm will apply: + // + // 1. If the response contains the header ``Retry-After`` its value must be on + // the form ``120`` (an integer that represents the number of seconds to + // wait before retrying). If so, this value is used as the back-off interval. + // 2. Otherwise, if the response contains the header ``X-RateLimit-Reset`` its + // value must be on the form ``1595320702`` (an integer that represents the + // point in time at which to retry, as a Unix timestamp in seconds). If so, + // the current time is subtracted from this value and the result is used as + // the back-off interval. + // 3. Otherwise, Envoy will use the default + // :ref:`exponential back-off ` + // strategy. + // + // No matter which format is used, if the resulting back-off interval exceeds + // ``max_interval`` it is discarded and the next header in ``reset_headers`` + // is tried. If a request timeout is configured for the route it will further + // limit how long the request will be allowed to run. + // + // To prevent many clients retrying at the same point in time jitter is added + // to the back-off interval, so the resulting interval is decided by taking: + // ``random(interval, interval * 1.5)``. + // + // .. attention:: + // + // Configuring ``rate_limited_retry_back_off`` will not by itself cause a request + // to be retried. You will still need to configure the right retry policy to match + // the responses from the upstream server. + message RateLimitedRetryBackOff { + // Specifies the reset headers (like ``Retry-After`` or ``X-RateLimit-Reset``) + // to match against the response. Headers are tried in order, and matched case + // insensitive. The first header to be parsed successfully is used. If no headers + // match the default exponential back-off is used instead. + repeated ResetHeader reset_headers = 1 [(validate.rules).repeated = {min_items: 1}]; + + // Specifies the maximum back off interval that Envoy will allow. If a reset + // header contains an interval longer than this then it will be discarded and + // the next header will be tried. + // + // Defaults to 300 seconds. + google.protobuf.Duration max_interval = 2 [(validate.rules).duration = {gt {}}]; + } + + // Specifies the conditions under which retry takes place. These are the same + // conditions documented for :ref:`config_http_filters_router_x-envoy-retry-on` and + // :ref:`config_http_filters_router_x-envoy-retry-grpc-on`. + string retry_on = 1; + + // Specifies the allowed number of retries. This parameter is optional and + // defaults to 1. These are the same conditions documented for + // :ref:`config_http_filters_router_x-envoy-max-retries`. + google.protobuf.UInt32Value num_retries = 2 + [(udpa.annotations.field_migrate).rename = "max_retries"]; + + // Specifies a non-zero upstream timeout per retry attempt (including the initial attempt). This + // parameter is optional. The same conditions documented for + // :ref:`config_http_filters_router_x-envoy-upstream-rq-per-try-timeout-ms` apply. + // + // .. note:: + // + // If left unspecified, Envoy will use the global + // :ref:`route timeout ` for the request. + // Consequently, when using a :ref:`5xx ` based + // retry policy, a request that times out will not be retried as the total timeout budget + // would have been exhausted. + google.protobuf.Duration per_try_timeout = 3; + + // Specifies an upstream idle timeout per retry attempt (including the initial attempt). This + // parameter is optional and if absent there is no per-try idle timeout. The semantics of the per- + // try idle timeout are similar to the + // :ref:`route idle timeout ` and + // :ref:`stream idle timeout + // ` + // both enforced by the HTTP connection manager. The difference is that this idle timeout + // is enforced by the router for each individual attempt and thus after all previous filters have + // run, as opposed to *before* all previous filters run for the other idle timeouts. This timeout + // is useful in cases in which total request timeout is bounded by a number of retries and a + // :ref:`per_try_timeout `, but + // there is a desire to ensure each try is making incremental progress. Note also that similar + // to :ref:`per_try_timeout `, + // this idle timeout does not start until after both the entire request has been received by the + // router *and* a connection pool connection has been obtained. Unlike + // :ref:`per_try_timeout `, + // the idle timer continues once the response starts streaming back to the downstream client. + // This ensures that response data continues to make progress without using one of the HTTP + // connection manager idle timeouts. + google.protobuf.Duration per_try_idle_timeout = 13; + + // Specifies an implementation of a RetryPriority which is used to determine the + // distribution of load across priorities used for retries. Refer to + // :ref:`retry plugin configuration ` for more details. + RetryPriority retry_priority = 4; + + // Specifies a collection of RetryHostPredicates that will be consulted when selecting a host + // for retries. If any of the predicates reject the host, host selection will be reattempted. + // Refer to :ref:`retry plugin configuration ` for more + // details. + repeated RetryHostPredicate retry_host_predicate = 5; + + // Retry options predicates that will be applied prior to retrying a request. These predicates + // allow customizing request behavior between retries. + // [#comment: add [#extension-category: envoy.retry_options_predicates] when there are built-in extensions] + repeated core.v3.TypedExtensionConfig retry_options_predicates = 12; + + // The maximum number of times host selection will be reattempted before giving up, at which + // point the host that was last selected will be routed to. If unspecified, this will default to + // retrying once. + int64 host_selection_retry_max_attempts = 6; + + // HTTP status codes that should trigger a retry in addition to those specified by retry_on. + repeated uint32 retriable_status_codes = 7; + + // Specifies parameters that control exponential retry back off. This parameter is optional, in which case the + // default base interval is 25 milliseconds or, if set, the current value of the + // ``upstream.base_retry_backoff_ms`` runtime parameter. The default maximum interval is 10 times + // the base interval. The documentation for :ref:`config_http_filters_router_x-envoy-max-retries` + // describes Envoy's back-off algorithm. + RetryBackOff retry_back_off = 8; + + // Specifies parameters that control a retry back-off strategy that is used + // when the request is rate limited by the upstream server. The server may + // return a response header like ``Retry-After`` or ``X-RateLimit-Reset`` to + // provide feedback to the client on how long to wait before retrying. If + // configured, this back-off strategy will be used instead of the + // default exponential back off strategy (configured using ``retry_back_off``) + // whenever a response includes the matching headers. + RateLimitedRetryBackOff rate_limited_retry_back_off = 11; + + // HTTP response headers that trigger a retry if present in the response. A retry will be + // triggered if any of the header matches match the upstream response headers. + // The field is only consulted if 'retriable-headers' retry policy is active. + repeated HeaderMatcher retriable_headers = 9; + + // HTTP headers which must be present in the request for retries to be attempted. + repeated HeaderMatcher retriable_request_headers = 10; +} + +// HTTP request hedging :ref:`architecture overview `. +message HedgePolicy { + option (udpa.annotations.versioning).previous_message_type = "envoy.api.v2.route.HedgePolicy"; + + // Specifies the number of initial requests that should be sent upstream. + // Must be at least 1. + // + // Defaults to 1. + // [#not-implemented-hide:] + google.protobuf.UInt32Value initial_requests = 1 [(validate.rules).uint32 = {gte: 1}]; + + // Specifies a probability that an additional upstream request should be sent + // on top of what is specified by initial_requests. + // + // Defaults to 0. + // [#not-implemented-hide:] + type.v3.FractionalPercent additional_request_chance = 2; + + // Indicates that a hedged request should be sent when the per-try timeout is hit. + // This means that a retry will be issued without resetting the original request, leaving multiple upstream requests in flight. + // The first request to complete successfully will be the one returned to the caller. + // + // * At any time, a successful response (i.e. not triggering any of the retry-on conditions) would be returned to the client. + // * Before per-try timeout, an error response (per retry-on conditions) would be retried immediately or returned to the client + // if there are no more retries left. + // * After per-try timeout, an error response would be discarded, as a retry in the form of a hedged request is already in progress. + // + // .. note:: + // + // For this to have effect, you must have a :ref:`RetryPolicy ` that retries at least + // one error code and specifies a maximum number of retries. + // + // Defaults to ``false``. + bool hedge_on_per_try_timeout = 3; +} + +// [#next-free-field: 10] +message RedirectAction { + option (udpa.annotations.versioning).previous_message_type = "envoy.api.v2.route.RedirectAction"; + + enum RedirectResponseCode { + // Moved Permanently HTTP Status Code - 301. + MOVED_PERMANENTLY = 0; + + // Found HTTP Status Code - 302. + FOUND = 1; + + // See Other HTTP Status Code - 303. + SEE_OTHER = 2; + + // Temporary Redirect HTTP Status Code - 307. + TEMPORARY_REDIRECT = 3; + + // Permanent Redirect HTTP Status Code - 308. + PERMANENT_REDIRECT = 4; + } + + // When the scheme redirection take place, the following rules apply: + // 1. If the source URI scheme is ``http`` and the port is explicitly + // set to ``:80``, the port will be removed after the redirection + // 2. If the source URI scheme is ``https`` and the port is explicitly + // set to ``:443``, the port will be removed after the redirection + oneof scheme_rewrite_specifier { + // The scheme portion of the URL will be swapped with "https". + bool https_redirect = 4; + + // The scheme portion of the URL will be swapped with this value. + string scheme_redirect = 7; + } + + // The host portion of the URL will be swapped with this value. + string host_redirect = 1 + [(validate.rules).string = {well_known_regex: HTTP_HEADER_VALUE strict: false}]; + + // The port value of the URL will be swapped with this value. + uint32 port_redirect = 8; + + oneof path_rewrite_specifier { + // The path portion of the URL will be swapped with this value. + // Please note that query string in path_redirect will override the + // request's query string and will not be stripped. + // + // For example, let's say we have the following routes: + // + // - match: { path: "/old-path-1" } + // redirect: { path_redirect: "/new-path-1" } + // - match: { path: "/old-path-2" } + // redirect: { path_redirect: "/new-path-2", strip-query: "true" } + // - match: { path: "/old-path-3" } + // redirect: { path_redirect: "/new-path-3?foo=1", strip_query: "true" } + // + // 1. if request uri is "/old-path-1?bar=1", users will be redirected to "/new-path-1?bar=1" + // 2. if request uri is "/old-path-2?bar=1", users will be redirected to "/new-path-2" + // 3. if request uri is "/old-path-3?bar=1", users will be redirected to "/new-path-3?foo=1" + string path_redirect = 2 + [(validate.rules).string = {well_known_regex: HTTP_HEADER_VALUE strict: false}]; + + // Indicates that during redirection, the matched prefix (or path) + // should be swapped with this value. This option allows redirect URLs be dynamically created + // based on the request. + // + // .. attention:: + // + // Pay attention to the use of trailing slashes as mentioned in + // :ref:`RouteAction's prefix_rewrite `. + string prefix_rewrite = 5 + [(validate.rules).string = {well_known_regex: HTTP_HEADER_VALUE strict: false}]; + + // Indicates that during redirect, portions of the path that match the + // pattern should be rewritten, even allowing the substitution of capture + // groups from the pattern into the new path as specified by the rewrite + // substitution string. This is useful to allow application paths to be + // rewritten in a way that is aware of segments with variable content like + // identifiers. + // + // Examples using Google's `RE2 `_ engine: + // + // * The path pattern ``^/service/([^/]+)(/.*)$`` paired with a substitution + // string of ``\2/instance/\1`` would transform ``/service/foo/v1/api`` + // into ``/v1/api/instance/foo``. + // + // * The pattern ``one`` paired with a substitution string of ``two`` would + // transform ``/xxx/one/yyy/one/zzz`` into ``/xxx/two/yyy/two/zzz``. + // + // * The pattern ``^(.*?)one(.*)$`` paired with a substitution string of + // ``\1two\2`` would replace only the first occurrence of ``one``, + // transforming path ``/xxx/one/yyy/one/zzz`` into ``/xxx/two/yyy/one/zzz``. + // + // * The pattern ``(?i)/xxx/`` paired with a substitution string of ``/yyy/`` + // would do a case-insensitive match and transform path ``/aaa/XxX/bbb`` to + // ``/aaa/yyy/bbb``. + type.matcher.v3.RegexMatchAndSubstitute regex_rewrite = 9; + } + + // The HTTP status code to use in the redirect response. The default response + // code is MOVED_PERMANENTLY (301). + RedirectResponseCode response_code = 3 [(validate.rules).enum = {defined_only: true}]; + + // Indicates that during redirection, the query portion of the URL will + // be removed. Default value is false. + bool strip_query = 6; +} + +message DirectResponseAction { + option (udpa.annotations.versioning).previous_message_type = + "envoy.api.v2.route.DirectResponseAction"; + + // Specifies the HTTP response status to be returned. + uint32 status = 1 [(validate.rules).uint32 = {lt: 600 gte: 200}]; + + // Specifies the content of the response body. If this setting is omitted, + // no body is included in the generated response. + // + // .. note:: + // + // Headers can be specified using ``response_headers_to_add`` in the enclosing + // :ref:`envoy_v3_api_msg_config.route.v3.Route`, :ref:`envoy_v3_api_msg_config.route.v3.RouteConfiguration` or + // :ref:`envoy_v3_api_msg_config.route.v3.VirtualHost`. + core.v3.DataSource body = 2; + + // Specifies a format string for the response body. If present, the contents of + // ``body_format`` will be formatted and used as the response body, where the + // contents of ``body`` (may be empty) will be passed as the variable ``%LOCAL_REPLY_BODY%``. + // If neither are provided, no body is included in the generated response. + core.v3.SubstitutionFormatString body_format = 3; +} + +// [#not-implemented-hide:] +message NonForwardingAction { +} + +message Decorator { + option (udpa.annotations.versioning).previous_message_type = "envoy.api.v2.route.Decorator"; + + // The operation name associated with the request matched to this route. If tracing is + // enabled, this information will be used as the span name reported for this request. + // + // .. note:: + // + // For ingress (inbound) requests, or egress (outbound) responses, this value may be overridden + // by the :ref:`x-envoy-decorator-operation + // ` header. + string operation = 1 [(validate.rules).string = {min_len: 1}]; + + // Whether the decorated details should be propagated to the other party. The default is ``true``. + google.protobuf.BoolValue propagate = 2; +} + +// [#next-free-field: 7] +message Tracing { + option (udpa.annotations.versioning).previous_message_type = "envoy.api.v2.route.Tracing"; + + // Target percentage of requests managed by this HTTP connection manager that will be force + // traced if the :ref:`x-client-trace-id ` + // header is set. This field is a direct analog for the runtime variable + // 'tracing.client_enabled' in the :ref:`HTTP Connection Manager + // `. + // Default: 100% + type.v3.FractionalPercent client_sampling = 1; + + // Target percentage of requests managed by this HTTP connection manager that will be randomly + // selected for trace generation, if not requested by the client or not forced. This field is + // a direct analog for the runtime variable 'tracing.random_sampling' in the + // :ref:`HTTP Connection Manager `. + // Default: 100% + type.v3.FractionalPercent random_sampling = 2; + + // Target percentage of requests managed by this HTTP connection manager that will be traced + // after all other sampling checks have been applied (client-directed, force tracing, random + // sampling). This field functions as an upper limit on the total configured sampling rate. For + // instance, setting client_sampling to 100% but overall_sampling to 1% will result in only 1% + // of client requests with the appropriate headers to be force traced. This field is a direct + // analog for the runtime variable 'tracing.global_enabled' in the + // :ref:`HTTP Connection Manager `. + // Default: 100% + type.v3.FractionalPercent overall_sampling = 3; + + // A list of custom tags with unique tag name to create tags for the active span. + // It will take effect after merging with the :ref:`corresponding configuration + // ` + // configured in the HTTP connection manager. If two tags with the same name are configured + // each in the HTTP connection manager and the route level, the one configured here takes + // priority. + repeated type.tracing.v3.CustomTag custom_tags = 4; + + // The operation name of the span which will be used for tracing. + // + // The same :ref:`format specifier ` as used for + // :ref:`HTTP access logging ` applies here, however + // unknown specifier values are replaced with the empty string instead of ``-``. + // + // This field will take precedence over and make following settings ineffective: + // + // * :ref:`route decorator `. + // * :ref:`x-envoy-decorator-operation `. + // * :ref:`HCM tracing operation + // `. + string operation = 5; + + // The operation name of the upstream span which will be used for tracing. + // This only takes effect when ``spawn_upstream_span`` is set to true and the upstream + // span is created. + // + // The same :ref:`format specifier ` as used for + // :ref:`HTTP access logging ` applies here, however + // unknown specifier values are replaced with the empty string instead of ``-``. + // + // This field will take precedence over and make following settings ineffective: + // + // * :ref:`HCM tracing upstream operation + // ` + string upstream_operation = 6; +} + +// A virtual cluster is a way of specifying a regex matching rule against +// certain important endpoints such that statistics are generated explicitly for +// the matched requests. The reason this is useful is that when doing +// prefix/path matching Envoy does not always know what the application +// considers to be an endpoint. Thus, it’s impossible for Envoy to generically +// emit per endpoint statistics. However, often systems have highly critical +// endpoints that they wish to get “perfect” statistics on. Virtual cluster +// statistics are perfect in the sense that they are emitted on the downstream +// side such that they include network level failures. +// +// Documentation for :ref:`virtual cluster statistics `. +// +// .. note:: +// +// Virtual clusters are a useful tool, but we do not recommend setting up a virtual cluster for +// every application endpoint. This is both not easily maintainable and as well the matching and +// statistics output are not free. +message VirtualCluster { + option (udpa.annotations.versioning).previous_message_type = "envoy.api.v2.route.VirtualCluster"; + + reserved 1, 3; + + reserved "pattern", "method"; + + // Specifies a list of header matchers to use for matching requests. Each specified header must + // match. The pseudo-headers ``:path`` and ``:method`` can be used to match the request path and + // method, respectively. + repeated HeaderMatcher headers = 4; + + // Specifies the name of the virtual cluster. The virtual cluster name as well + // as the virtual host name are used when emitting statistics. The statistics are emitted by the + // router filter and are documented :ref:`here `. + string name = 2 [(validate.rules).string = {min_len: 1}]; +} + +// Global rate limiting :ref:`architecture overview `. +// Also applies to Local rate limiting :ref:`using descriptors `. +// [#next-free-field: 7] +message RateLimit { + option (udpa.annotations.versioning).previous_message_type = "envoy.api.v2.route.RateLimit"; + + // [#next-free-field: 13] + message Action { + option (udpa.annotations.versioning).previous_message_type = + "envoy.api.v2.route.RateLimit.Action"; + + // The following descriptor entry is appended to the descriptor: + // + // .. code-block:: cpp + // + // ("source_cluster", "") + // + // is derived from the :option:`--service-cluster` option. + message SourceCluster { + option (udpa.annotations.versioning).previous_message_type = + "envoy.api.v2.route.RateLimit.Action.SourceCluster"; + } + + // The following descriptor entry is appended to the descriptor: + // + // .. code-block:: cpp + // + // ("destination_cluster", "") + // + // Once a request matches against a route table rule, a routed cluster is determined by one of + // the following :ref:`route table configuration ` + // settings: + // + // * :ref:`cluster ` indicates the upstream cluster + // to route to. + // * :ref:`weighted_clusters ` + // chooses a cluster randomly from a set of clusters with attributed weight. + // * :ref:`cluster_header ` indicates which + // header in the request contains the target cluster. + message DestinationCluster { + option (udpa.annotations.versioning).previous_message_type = + "envoy.api.v2.route.RateLimit.Action.DestinationCluster"; + } + + // The following descriptor entry is appended when a header contains a key that matches the + // ``header_name``: + // + // .. code-block:: cpp + // + // ("", "") + message RequestHeaders { + option (udpa.annotations.versioning).previous_message_type = + "envoy.api.v2.route.RateLimit.Action.RequestHeaders"; + + // The header name to be queried from the request headers. The header’s + // value is used to populate the value of the descriptor entry for the + // descriptor_key. + string header_name = 1 + [(validate.rules).string = {min_len: 1 well_known_regex: HTTP_HEADER_NAME strict: false}]; + + // The key to use in the descriptor entry. + string descriptor_key = 2 [(validate.rules).string = {min_len: 1}]; + + // Controls the behavior when the specified header is not present in the request. + // + // If set to ``false`` (default): + // + // * Envoy does **NOT** call the rate limiting service for this descriptor. + // * Useful if the header is optional and you prefer to skip rate limiting when it's absent. + // + // If set to ``true``: + // + // * Envoy calls the rate limiting service but omits this descriptor if the header is missing. + // * Useful if you want Envoy to enforce rate limiting even when the header is not present. + // + bool skip_if_absent = 3; + } + + // The following descriptor entry is appended when a query parameter contains a key that matches the + // ``query_parameter_name``: + // + // .. code-block:: cpp + // + // ("", "") + message QueryParameters { + // The name of the query parameter to use for rate limiting. Value of this query parameter is used to populate + // the value of the descriptor entry for the descriptor_key. + string query_parameter_name = 1 [(validate.rules).string = {min_len: 1}]; + + // The key to use when creating the rate limit descriptor entry. This descriptor key will be used to identify the + // rate limit rule in the rate limiting service. + string descriptor_key = 2 [(validate.rules).string = {min_len: 1}]; + + // Controls the behavior when the specified query parameter is not present in the request. + // + // If set to ``false`` (default): + // + // * Envoy does **NOT** call the rate limiting service for this descriptor. + // * Useful if the query parameter is optional and you prefer to skip rate limiting when it's absent. + // + // If set to ``true``: + // + // * Envoy calls the rate limiting service but omits this descriptor if the query parameter is missing. + // * Useful if you want Envoy to enforce rate limiting even when the query parameter is not present. + // + bool skip_if_absent = 3; + } + + // The following descriptor entry is appended to the descriptor and is populated using the + // trusted address from :ref:`x-forwarded-for `: + // + // .. code-block:: cpp + // + // ("remote_address", "") + message RemoteAddress { + option (udpa.annotations.versioning).previous_message_type = + "envoy.api.v2.route.RateLimit.Action.RemoteAddress"; + } + + // The following descriptor entry is appended to the descriptor and is populated using the + // masked address from :ref:`x-forwarded-for `: + // + // .. code-block:: cpp + // + // ("masked_remote_address", "") + message MaskedRemoteAddress { + // Length of prefix mask len for IPv4 (e.g. 0, 32). + // + // Defaults to 32 when unset. + // + // For example, trusted address from x-forwarded-for is ``192.168.1.1``, + // the descriptor entry is ("masked_remote_address", "192.168.1.1/32"); + // if mask len is 24, the descriptor entry is ("masked_remote_address", "192.168.1.0/24"). + google.protobuf.UInt32Value v4_prefix_mask_len = 1 [(validate.rules).uint32 = {lte: 32}]; + + // Length of prefix mask len for IPv6 (e.g. 0, 128). + // + // Defaults to 128 when unset. + // + // For example, trusted address from x-forwarded-for is ``2001:abcd:ef01:2345:6789:abcd:ef01:234``, + // the descriptor entry is ("masked_remote_address", "2001:abcd:ef01:2345:6789:abcd:ef01:234/128"); + // if mask len is 64, the descriptor entry is ("masked_remote_address", "2001:abcd:ef01:2345::/64"). + google.protobuf.UInt32Value v6_prefix_mask_len = 2 [(validate.rules).uint32 = {lte: 128}]; + } + + // The following descriptor entry is appended to the descriptor: + // + // .. code-block:: cpp + // + // ("generic_key", "") + message GenericKey { + option (udpa.annotations.versioning).previous_message_type = + "envoy.api.v2.route.RateLimit.Action.GenericKey"; + + // Descriptor value of entry. + // + // The same :ref:`format specifier ` as used for + // :ref:`HTTP access logging ` applies here, however + // unknown specifier values are replaced with the empty string instead of ``-``. + // + // .. note:: + // + // Formatter parsing is controlled by the runtime feature flag + // ``envoy.reloadable_features.enable_formatter_for_ratelimit_action_descriptor_value`` + // (disabled by default). + // + // When enabled: The format string can contain multiple valid substitution + // fields. If multiple substitution fields are present, their results will be concatenated + // to form the final descriptor value. If it contains no substitution fields, the value + // will be used as is. If the final concatenated result is empty and ``default_value`` is set, + // the ``default_value`` will be used. If ``default_value`` is not set and the result is + // empty, this descriptor will be skipped and not included in the rate limit call. + // + // When disabled (default): The descriptor_value is used as a literal string without any formatter + // parsing or substitution. + // + // For example, ``static_value`` will be used as is since there are no substitution fields. + // ``%REQ(:method)%`` will be replaced with the HTTP method, and + // ``%REQ(:method)%%REQ(:path)%`` will be replaced with the concatenation of the HTTP method and path. + // ``%CEL(request.headers['user-id'])%`` will use CEL to extract the user ID from request headers. + // + string descriptor_value = 1 [(validate.rules).string = {min_len: 1}]; + + // An optional value to use if the final concatenated ``descriptor_value`` result is empty. + // Only applicable when formatter parsing is enabled by the runtime feature flag + // ``envoy.reloadable_features.enable_formatter_for_ratelimit_action_descriptor_value`` (disabled by default). + string default_value = 3; + + // An optional key to use in the descriptor entry. If not set it defaults + // to 'generic_key' as the descriptor key. + string descriptor_key = 2; + } + + // The following descriptor entry is appended to the descriptor: + // + // .. code-block:: cpp + // + // ("header_match", "") + // [#next-free-field: 6] + message HeaderValueMatch { + option (udpa.annotations.versioning).previous_message_type = + "envoy.api.v2.route.RateLimit.Action.HeaderValueMatch"; + + // Descriptor value of entry. + // + // The same :ref:`format specifier ` as used for + // :ref:`HTTP access logging ` applies here, however + // unknown specifier values are replaced with the empty string instead of ``-``. + // + // .. note:: + // + // Formatter parsing is controlled by the runtime feature flag + // ``envoy.reloadable_features.enable_formatter_for_ratelimit_action_descriptor_value`` + // (disabled by default). + // + // When enabled: The format string can contain multiple valid substitution + // fields. If multiple substitution fields are present, their results will be concatenated + // to form the final descriptor value. If it contains no substitution fields, the value + // will be used as is. All substitution fields will be evaluated and their results + // concatenated. If the final concatenated result is empty and ``default_value`` is set, + // the ``default_value`` will be used. If ``default_value`` is not set and the result is + // empty, this descriptor will be skipped and not included in the rate limit call. + // + // When disabled (default): The descriptor_value is used as a literal string without any formatter + // parsing or substitution. + // + // For example, ``static_value`` will be used as is since there are no substitution fields. + // ``%REQ(:method)%`` will be replaced with the HTTP method, and + // ``%REQ(:method)%%REQ(:path)%`` will be replaced with the concatenation of the HTTP method and path. + // ``%CEL(request.headers['user-id'])%`` will use CEL to extract the user ID from request headers. + // + string descriptor_value = 1 [(validate.rules).string = {min_len: 1}]; + + // An optional value to use if the final concatenated ``descriptor_value`` result is empty. + // Only applicable when formatter parsing is enabled by the runtime feature flag + // ``envoy.reloadable_features.enable_formatter_for_ratelimit_action_descriptor_value`` (disabled by default). + string default_value = 5; + + // The key to use in the descriptor entry. + // + // Defaults to ``header_match``. + string descriptor_key = 4; + + // If set to true, the action will append a descriptor entry when the + // request matches the headers. If set to false, the action will append a + // descriptor entry when the request does not match the headers. The + // default value is true. + google.protobuf.BoolValue expect_match = 2; + + // Specifies a set of headers that the rate limit action should match + // on. The action will check the request's headers against all the + // specified headers in the config. A match will happen if all the + // headers in the config are present in the request with the same values + // (or based on presence if the value field is not in the config). + repeated HeaderMatcher headers = 3 [(validate.rules).repeated = {min_items: 1}]; + } + + // The following descriptor entry is appended when the + // :ref:`dynamic metadata ` contains a key value: + // + // .. code-block:: cpp + // + // ("", "") + // + // .. attention:: + // This action has been deprecated in favor of the :ref:`metadata ` action + message DynamicMetaData { + // The key to use in the descriptor entry. + string descriptor_key = 1 [(validate.rules).string = {min_len: 1}]; + + // Metadata struct that defines the key and path to retrieve the string value. A match will + // only happen if the value in the dynamic metadata is of type string. + type.metadata.v3.MetadataKey metadata_key = 2 [(validate.rules).message = {required: true}]; + + // An optional value to use if ``metadata_key`` is empty. If not set and + // no value is present under the metadata_key then no descriptor is generated. + string default_value = 3; + } + + // The following descriptor entry is appended when the metadata contains a key value: + // + // .. code-block:: cpp + // + // ("", "") + // [#next-free-field: 6] + message MetaData { + enum Source { + // Query :ref:`dynamic metadata ` + DYNAMIC = 0; + + // Query :ref:`route entry metadata ` + ROUTE_ENTRY = 1; + } + + // The key to use in the descriptor entry. + string descriptor_key = 1 [(validate.rules).string = {min_len: 1}]; + + // Metadata struct that defines the key and path to retrieve the string value. A match will + // only happen if the value in the metadata is of type string. + type.metadata.v3.MetadataKey metadata_key = 2 [(validate.rules).message = {required: true}]; + + // An optional value to use if ``metadata_key`` is empty. If not set and + // no value is present under the metadata_key then ``skip_if_absent`` is followed to + // skip calling the rate limiting service or skip the descriptor. + string default_value = 3; + + // Source of metadata + Source source = 4 [(validate.rules).enum = {defined_only: true}]; + + // Controls the behavior when the specified ``metadata_key`` is empty and ``default_value`` is not set. + // + // If set to ``false`` (default): + // + // * Envoy does **NOT** call the rate limiting service for this descriptor. + // * Useful if the metadata is optional and you prefer to skip rate limiting when it's absent. + // + // If set to ``true``: + // + // * Envoy calls the rate limiting service but omits this descriptor if the ``metadata_key`` is empty and + // ``default_value`` is missing. + // * Useful if you want Envoy to enforce rate limiting even when the metadata is not present. + // + bool skip_if_absent = 5; + } + + // The following descriptor entry is appended to the descriptor: + // + // .. code-block:: cpp + // + // ("query_match", "") + // [#next-free-field: 6] + message QueryParameterValueMatch { + // Descriptor value of entry. + // + // The same :ref:`format specifier ` as used for + // :ref:`HTTP access logging ` applies here, however + // unknown specifier values are replaced with the empty string instead of ``-``. + // + // .. note:: + // + // Formatter parsing is controlled by the runtime feature flag + // ``envoy.reloadable_features.enable_formatter_for_ratelimit_action_descriptor_value`` + // (disabled by default). + // + // When enabled: The format string can contain multiple valid substitution + // fields. If multiple substitution fields are present, their results will be concatenated + // to form the final descriptor value. If it contains no substitution fields, the value + // will be used as is. All substitution fields will be evaluated and their results + // concatenated. If the final concatenated result is empty and ``default_value`` is set, + // the ``default_value`` will be used. If ``default_value`` is not set and the result is + // empty, this descriptor will be skipped and not included in the rate limit call. + // + // When disabled (default): The descriptor_value is used as a literal string without any formatter + // parsing or substitution. + // + // For example, ``static_value`` will be used as is since there are no substitution fields. + // ``%REQ(:method)%`` will be replaced with the HTTP method, and + // ``%REQ(:method)%%REQ(:path)%`` will be replaced with the concatenation of the HTTP method and path. + // ``%CEL(request.headers['user-id'])%`` will use CEL to extract the user ID from request headers. + // + string descriptor_value = 1 [(validate.rules).string = {min_len: 1}]; + + // An optional value to use if the final concatenated ``descriptor_value`` result is empty. + // Only applicable when formatter parsing is enabled by the runtime feature flag + // ``envoy.reloadable_features.enable_formatter_for_ratelimit_action_descriptor_value`` (disabled by default). + string default_value = 5; + + // The key to use in the descriptor entry. + // + // Defaults to ``query_match``. + string descriptor_key = 4; + + // If set to true, the action will append a descriptor entry when the + // request matches the headers. If set to false, the action will append a + // descriptor entry when the request does not match the headers. The + // default value is true. + google.protobuf.BoolValue expect_match = 2; + + // Specifies a set of query parameters that the rate limit action should match + // on. The action will check the request's query parameters against all the + // specified query parameters in the config. A match will happen if all the + // query parameters in the config are present in the request with the same values + // (or based on presence if the value field is not in the config). + repeated QueryParameterMatcher query_parameters = 3 + [(validate.rules).repeated = {min_items: 1}]; + } + + oneof action_specifier { + option (validate.required) = true; + + // Rate limit on source cluster. + SourceCluster source_cluster = 1; + + // Rate limit on destination cluster. + DestinationCluster destination_cluster = 2; + + // Rate limit on request headers. + RequestHeaders request_headers = 3; + + // Rate limit on query parameters. + QueryParameters query_parameters = 12; + + // Rate limit on remote address. + RemoteAddress remote_address = 4; + + // Rate limit on a generic key. + GenericKey generic_key = 5; + + // Rate limit on the existence of request headers. + HeaderValueMatch header_value_match = 6; + + // Rate limit on dynamic metadata. + // + // .. attention:: + // This field has been deprecated in favor of the :ref:`metadata ` field + DynamicMetaData dynamic_metadata = 7 [ + deprecated = true, + (envoy.annotations.deprecated_at_minor_version) = "3.0", + (envoy.annotations.disallowed_by_default) = true + ]; + + // Rate limit on metadata. + MetaData metadata = 8; + + // Rate limit descriptor extension. See the rate limit descriptor extensions documentation. + // + // :ref:`HTTP matching input functions ` are + // permitted as descriptor extensions. The input functions are only + // looked up if there is no rate limit descriptor extension matching + // the type URL. + // + // [#extension-category: envoy.rate_limit_descriptors] + core.v3.TypedExtensionConfig extension = 9; + + // Rate limit on masked remote address. + MaskedRemoteAddress masked_remote_address = 10; + + // Rate limit on the existence of query parameters. + QueryParameterValueMatch query_parameter_value_match = 11; + } + } + + message Override { + // Fetches the override from the dynamic metadata. + message DynamicMetadata { + // Metadata struct that defines the key and path to retrieve the struct value. + // The value must be a struct containing an integer "requests_per_unit" property + // and a "unit" property with a value parseable to :ref:`RateLimitUnit + // enum ` + type.metadata.v3.MetadataKey metadata_key = 1 [(validate.rules).message = {required: true}]; + } + + oneof override_specifier { + option (validate.required) = true; + + // Limit override from dynamic metadata. + DynamicMetadata dynamic_metadata = 1; + } + } + + message HitsAddend { + // Fixed number of hits to add to the rate limit descriptor. + // + // One of the ``number`` or ``format`` fields should be set but not both. + google.protobuf.UInt64Value number = 1 [(validate.rules).uint64 = {lte: 1000000000}]; + + // Substitution format string to extract the number of hits to add to the rate limit descriptor. + // The same :ref:`format specifier ` as used for + // :ref:`HTTP access logging ` applies here. + // + // .. note:: + // + // The format string must contains only single valid substitution field. If the format string + // not meets the requirement, the configuration will be rejected. + // + // The substitution field should generates a non-negative number or string representation of + // a non-negative number. The value of the non-negative number should be less than or equal + // to 1000000000 like the ``number`` field. If the output of the substitution field not meet + // the requirement, this will be treated as an error and the current descriptor will be ignored. + // + // For example, the ``%BYTES_RECEIVED%`` format string will be replaced with the number of bytes + // received in the request. + // + // One of the ``number`` or ``format`` fields should be set but not both. + string format = 2 [(validate.rules).string = {prefix: "%" suffix: "%" ignore_empty: true}]; + } + + // Refers to the stage set in the filter. The rate limit configuration only + // applies to filters with the same stage number. The default stage number is + // 0. + // + // .. note:: + // + // The filter supports a range of 0 - 10 inclusively for stage numbers. + // + // .. note:: + // This is not supported if the rate limit action is configured in the ``typed_per_filter_config`` like + // :ref:`VirtualHost.typed_per_filter_config` or + // :ref:`Route.typed_per_filter_config`, etc. + google.protobuf.UInt32Value stage = 1 [(validate.rules).uint32 = {lte: 10}]; + + // The key to be set in runtime to disable this rate limit configuration. + // + // .. note:: + // This is not supported if the rate limit action is configured in the ``typed_per_filter_config`` like + // :ref:`VirtualHost.typed_per_filter_config` or + // :ref:`Route.typed_per_filter_config`, etc. + string disable_key = 2; + + // A list of actions that are to be applied for this rate limit configuration. + // Order matters as the actions are processed sequentially and the descriptor + // is composed by appending descriptor entries in that sequence. If an action + // cannot append a descriptor entry, no descriptor is generated for the + // configuration. See :ref:`composing actions + // ` for additional documentation. + repeated Action actions = 3 [(validate.rules).repeated = {min_items: 1}]; + + // An optional limit override to be appended to the descriptor produced by this + // rate limit configuration. If the override value is invalid or cannot be resolved + // from metadata, no override is provided. See :ref:`rate limit override + // ` for more information. + // + // .. note:: + // This is not supported if the rate limit action is configured in the ``typed_per_filter_config`` like + // :ref:`VirtualHost.typed_per_filter_config` or + // :ref:`Route.typed_per_filter_config`, etc. + Override limit = 4; + + // An optional hits addend to be appended to the descriptor produced by this rate limit + // configuration. + // + // .. note:: + // This is only supported if the rate limit action is configured in the ``typed_per_filter_config`` like + // :ref:`VirtualHost.typed_per_filter_config` or + // :ref:`Route.typed_per_filter_config`, etc. + HitsAddend hits_addend = 5; + + // If true, the rate limit request will be applied when the stream completes. The default value is false. + // This is useful when the rate limit budget needs to reflect the response context that is not available + // on the request path. + // + // For example, let's say the upstream service calculates the usage statistics and returns them in the response body + // and we want to utilize these numbers to apply the rate limit action for the subsequent requests. + // Combined with another filter that can set the desired addend based on the response (e.g. Lua filter), + // this can be used to subtract the usage statistics from the rate limit budget. + // + // A rate limit applied on the stream completion is "fire-and-forget" by nature, and rate limit is not enforced by this config. + // In other words, the current request won't be blocked when this is true, but the budget will be updated for the subsequent + // requests based on the action with this field set to true. Users should ensure that the rate limit is enforced by the actions + // applied on the request path, i.e. the ones with this field set to false. + // + // Currently, this is only supported by the HTTP global rate filter. + bool apply_on_stream_done = 6; +} + +// .. attention:: +// +// Internally, Envoy always uses the HTTP/2 ``:authority`` header to represent the HTTP/1 ``Host`` +// header. Thus, if attempting to match on ``Host``, match on ``:authority`` instead. +// +// .. attention:: +// +// To route on HTTP method, use the special HTTP/2 ``:method`` header. This works for both +// HTTP/1 and HTTP/2 as Envoy normalizes headers. E.g., +// +// .. code-block:: json +// +// { +// "name": ":method", +// "string_match": { +// "exact": "POST" +// } +// } +// +// .. attention:: +// In the absence of any header match specifier, match will default to :ref:`present_match +// `. i.e, a request that has the :ref:`name +// ` header will match, regardless of the header's +// value. +// +// [#next-major-version: HeaderMatcher should be refactored to use StringMatcher.] +// [#next-free-field: 15] +message HeaderMatcher { + option (udpa.annotations.versioning).previous_message_type = "envoy.api.v2.route.HeaderMatcher"; + + reserved 2, 3, 5; + + reserved "regex_match"; + + // Specifies the name of the header in the request. + string name = 1 + [(validate.rules).string = {min_len: 1 well_known_regex: HTTP_HEADER_NAME strict: false}]; + + // Specifies how the header match will be performed to route the request. + oneof header_match_specifier { + // If specified, header match will be performed based on the value of the header. + // + // .. attention:: + // + // This field is deprecated. Please use :ref:`string_match `. + string exact_match = 4 + [deprecated = true, (envoy.annotations.deprecated_at_minor_version) = "3.0"]; + + // If specified, this regex string is a regular expression rule which implies the entire request + // header value must match the regex. The rule will not match if only a subsequence of the + // request header value matches the regex. + // + // .. attention:: + // + // This field is deprecated. Please use :ref:`string_match `. + type.matcher.v3.RegexMatcher safe_regex_match = 11 + [deprecated = true, (envoy.annotations.deprecated_at_minor_version) = "3.0"]; + + // If specified, header match will be performed based on range. + // The rule will match if the request header value is within this range. + // The entire request header value must represent an integer in base 10 notation: consisting of + // an optional plus or minus sign followed by a sequence of digits. The rule will not match if + // the header value does not represent an integer. Match will fail for empty values, floating + // point numbers or if only a subsequence of the header value is an integer. + // + // Examples: + // + // * For range [-10,0), route will match for header value -1, but not for 0, ``somestring``, 10.9, + // ``-1somestring`` + type.v3.Int64Range range_match = 6; + + // If specified as true, header match will be performed based on whether the header is in the + // request. If specified as false, header match will be performed based on whether the header is absent. + bool present_match = 7; + + // If specified, header match will be performed based on the prefix of the header value. + // + // .. note:: + // + // Empty prefix is not allowed. Please use ``present_match`` instead. + // + // .. attention:: + // + // This field is deprecated. Please use :ref:`string_match `. + // + // Examples: + // + // * The prefix ``abcd`` matches the value ``abcdxyz``, but not for ``abcxyz``. + string prefix_match = 9 [ + deprecated = true, + (validate.rules).string = {min_len: 1}, + (envoy.annotations.deprecated_at_minor_version) = "3.0" + ]; + + // If specified, header match will be performed based on the suffix of the header value. + // + // .. note:: + // + // Empty suffix is not allowed. Please use ``present_match`` instead. + // + // .. attention:: + // + // This field is deprecated. Please use :ref:`string_match `. + // + // Examples: + // + // * The suffix ``abcd`` matches the value ``xyzabcd``, but not for ``xyzbcd``. + string suffix_match = 10 [ + deprecated = true, + (validate.rules).string = {min_len: 1}, + (envoy.annotations.deprecated_at_minor_version) = "3.0" + ]; + + // If specified, header match will be performed based on whether the header value contains + // the given value or not. + // + // .. note:: + // + // Empty contains match is not allowed. Please use ``present_match`` instead. + // + // .. attention:: + // + // This field is deprecated. Please use :ref:`string_match `. + // + // Examples: + // + // * The value ``abcd`` matches the value ``xyzabcdpqr``, but not for ``xyzbcdpqr``. + string contains_match = 12 [ + deprecated = true, + (validate.rules).string = {min_len: 1}, + (envoy.annotations.deprecated_at_minor_version) = "3.0" + ]; + + // If specified, header match will be performed based on the string match of the header value. + type.matcher.v3.StringMatcher string_match = 13; + } + + // If specified, the match result will be inverted before checking. + // + // Defaults to ``false``. + // + // Examples: + // + // * The regex ``\d{3}`` does not match the value ``1234``, so it will match when inverted. + // * The range [-10,0) will match the value -1, so it will not match when inverted. + bool invert_match = 8; + + // If specified, for any header match rule, if the header match rule specified header + // does not exist, this header value will be treated as empty. + // + // Defaults to ``false``. + // + // Examples: + // + // * The header match rule specified header "header1" to range match of [0, 10], + // :ref:`invert_match ` + // is set to true and :ref:`treat_missing_header_as_empty ` + // is set to true; The "header1" header is not present. The match rule will + // treat the "header1" as an empty header. The empty header does not match the range, + // so it will match when inverted. + // * The header match rule specified header "header2" to range match of [0, 10], + // :ref:`invert_match ` + // is set to true and :ref:`treat_missing_header_as_empty ` + // is set to false; The "header2" header is not present and the header + // matcher rule for "header2" will be ignored so it will not match. + // * The header match rule specified header "header3" to a string regex match + // ``^$`` which means an empty string, and + // :ref:`treat_missing_header_as_empty ` + // is set to true; The "header3" header is not present. + // The match rule will treat the "header3" header as an empty header so it will match. + // * The header match rule specified header "header4" to a string regex match + // ``^$`` which means an empty string, and + // :ref:`treat_missing_header_as_empty ` + // is set to false; The "header4" header is not present. + // The match rule for "header4" will be ignored so it will not match. + bool treat_missing_header_as_empty = 14; +} + +// Query parameter matching treats the query string of a request's :path header +// as an ampersand-separated list of keys and/or key=value elements. +// [#next-free-field: 7] +message QueryParameterMatcher { + option (udpa.annotations.versioning).previous_message_type = + "envoy.api.v2.route.QueryParameterMatcher"; + + reserved 3, 4; + + reserved "value", "regex"; + + // Specifies the name of a key that must be present in the requested + // ``path``'s query string. + string name = 1 [(validate.rules).string = {min_len: 1 max_bytes: 1024}]; + + oneof query_parameter_match_specifier { + // Specifies whether a query parameter value should match against a string. + type.matcher.v3.StringMatcher string_match = 5 [(validate.rules).message = {required: true}]; + + // Specifies whether a query parameter should be present. + bool present_match = 6; + } +} + +// Cookie matching inspects individual name/value pairs parsed from the ``Cookie`` header. +message CookieMatcher { + // Specifies the cookie name to evaluate. + string name = 1 [(validate.rules).string = {min_len: 1 max_bytes: 1024}]; + + // Match the cookie value using :ref:`StringMatcher + // ` semantics. + type.matcher.v3.StringMatcher string_match = 2 [(validate.rules).message = {required: true}]; + + // Invert the match result. If the cookie is not present, the match result is false, so + // ``invert_match`` will cause the matcher to succeed when the cookie is absent. + bool invert_match = 3; +} + +// HTTP Internal Redirect :ref:`architecture overview `. +// [#next-free-field: 6] +message InternalRedirectPolicy { + // An internal redirect is not handled, unless the number of previous internal redirects that a + // downstream request has encountered is lower than this value. + // In the case where a downstream request is bounced among multiple routes by internal redirect, + // the first route that hits this threshold, or does not set :ref:`internal_redirect_policy + // ` + // will pass the redirect back to downstream. + // + // If not specified, at most one redirect will be followed. + google.protobuf.UInt32Value max_internal_redirects = 1; + + // Defines what upstream response codes are allowed to trigger internal redirect. If unspecified, + // only 302 will be treated as internal redirect. + // Only 301, 302, 303, 307 and 308 are valid values. Any other codes will be ignored. + repeated uint32 redirect_response_codes = 2 [(validate.rules).repeated = {max_items: 5}]; + + // Specifies a list of predicates that are queried when an upstream response is deemed + // to trigger an internal redirect by all other criteria. Any predicate in the list can reject + // the redirect, causing the response to be proxied to downstream. + // [#extension-category: envoy.internal_redirect_predicates] + repeated core.v3.TypedExtensionConfig predicates = 3; + + // Allow internal redirect to follow a target URI with a different scheme than the value of + // x-forwarded-proto. The default is ``false``. + bool allow_cross_scheme_redirect = 4; + + // Specifies a list of headers, by name, to copy from the internal redirect into the subsequent + // request. If a header is specified here but not present in the redirect, it will be cleared in + // the subsequent request. + repeated string response_headers_to_copy = 5 [(validate.rules).repeated = { + unique: true + items {string {well_known_regex: HTTP_HEADER_NAME strict: false}} + }]; +} + +// A simple wrapper for an HTTP filter config. This is intended to be used as a wrapper for the +// map value in +// :ref:`VirtualHost.typed_per_filter_config`, +// :ref:`Route.typed_per_filter_config`, +// or :ref:`WeightedCluster.ClusterWeight.typed_per_filter_config` +// to add additional flags to the filter. +message FilterConfig { + // The filter config. + google.protobuf.Any config = 1; + + // If true, the filter is optional, meaning that if the client does + // not support the specified filter, it may ignore the map entry rather + // than rejecting the config. + bool is_optional = 2; + + // If true, the filter is disabled in the route or virtual host and the ``config`` field is ignored. + // See :ref:`route based filter chain ` + // for more details. + // + // .. note:: + // + // This field will take effect when the request arrive and filter chain is created for the request. + // If initial route is selected for the request and a filter is disabled in the initial route, then + // the filter will not be added to the filter chain. + // And if the request is mutated later and re-match to another route, the disabled filter by the + // initial route will not be added back to the filter chain because the filter chain is already + // created and it is too late to change the chain. + // + bool disabled = 3; +} diff --git a/grpc-xds/proto/third_party/envoy/envoy/config/route/v3/scoped_route.proto b/grpc-xds/proto/third_party/envoy/envoy/config/route/v3/scoped_route.proto new file mode 100644 index 000000000..ff4cc689c --- /dev/null +++ b/grpc-xds/proto/third_party/envoy/envoy/config/route/v3/scoped_route.proto @@ -0,0 +1,133 @@ +syntax = "proto3"; + +package envoy.config.route.v3; + +import "envoy/config/route/v3/route.proto"; + +import "udpa/annotations/migrate.proto"; +import "udpa/annotations/status.proto"; +import "udpa/annotations/versioning.proto"; +import "validate/validate.proto"; + +option java_package = "io.envoyproxy.envoy.config.route.v3"; +option java_outer_classname = "ScopedRouteProto"; +option java_multiple_files = true; +option go_package = "github.com/envoyproxy/go-control-plane/envoy/config/route/v3;routev3"; +option (udpa.annotations.file_status).package_version_status = ACTIVE; + +// [#protodoc-title: HTTP scoped routing configuration] +// * Routing :ref:`architecture overview ` + +// Specifies a routing scope, which associates a +// :ref:`Key` to a +// :ref:`envoy_v3_api_msg_config.route.v3.RouteConfiguration`. +// The :ref:`envoy_v3_api_msg_config.route.v3.RouteConfiguration` can be obtained dynamically +// via RDS (:ref:`route_configuration_name`) +// or specified inline (:ref:`route_configuration`). +// +// The HTTP connection manager builds up a table consisting of these Key to +// RouteConfiguration mappings, and looks up the RouteConfiguration to use per +// request according to the algorithm specified in the +// :ref:`scope_key_builder` +// assigned to the HttpConnectionManager. +// +// For example, with the following configurations (in YAML): +// +// HttpConnectionManager config: +// +// .. code:: +// +// ... +// scoped_routes: +// name: foo-scoped-routes +// scope_key_builder: +// fragments: +// - header_value_extractor: +// name: X-Route-Selector +// element_separator: "," +// element: +// separator: = +// key: vip +// +// ScopedRouteConfiguration resources (specified statically via +// :ref:`scoped_route_configurations_list` +// or obtained dynamically via SRDS): +// +// .. code:: +// +// (1) +// name: route-scope1 +// route_configuration_name: route-config1 +// key: +// fragments: +// - string_key: 172.10.10.20 +// +// (2) +// name: route-scope2 +// route_configuration_name: route-config2 +// key: +// fragments: +// - string_key: 172.20.20.30 +// +// A request from a client such as: +// +// .. code:: +// +// GET / HTTP/1.1 +// Host: foo.com +// X-Route-Selector: vip=172.10.10.20 +// +// would result in the routing table defined by the ``route-config1`` +// RouteConfiguration being assigned to the HTTP request/stream. +// +// [#next-free-field: 6] +message ScopedRouteConfiguration { + option (udpa.annotations.versioning).previous_message_type = + "envoy.api.v2.ScopedRouteConfiguration"; + + // Specifies a key which is matched against the output of the + // :ref:`scope_key_builder` + // specified in the HttpConnectionManager. The matching is done per HTTP + // request and is dependent on the order of the fragments contained in the + // Key. + message Key { + option (udpa.annotations.versioning).previous_message_type = + "envoy.api.v2.ScopedRouteConfiguration.Key"; + + message Fragment { + option (udpa.annotations.versioning).previous_message_type = + "envoy.api.v2.ScopedRouteConfiguration.Key.Fragment"; + + oneof type { + option (validate.required) = true; + + // A string to match against. + string string_key = 1; + } + } + + // The ordered set of fragments to match against. The order must match the + // fragments in the corresponding + // :ref:`scope_key_builder`. + repeated Fragment fragments = 1 [(validate.rules).repeated = {min_items: 1}]; + } + + // Whether the RouteConfiguration should be loaded on demand. + bool on_demand = 4; + + // The name assigned to the routing scope. + string name = 1 [(validate.rules).string = {min_len: 1}]; + + // The resource name to use for a :ref:`envoy_v3_api_msg_service.discovery.v3.DiscoveryRequest` to an + // RDS server to fetch the :ref:`envoy_v3_api_msg_config.route.v3.RouteConfiguration` associated + // with this scope. + string route_configuration_name = 2 + [(udpa.annotations.field_migrate).oneof_promotion = "route_config"]; + + // The :ref:`envoy_v3_api_msg_config.route.v3.RouteConfiguration` associated with the scope. + RouteConfiguration route_configuration = 5 + [(udpa.annotations.field_migrate).oneof_promotion = "route_config"]; + + // The key to match against. + Key key = 3 [(validate.rules).message = {required: true}]; +} diff --git a/grpc-xds/proto/third_party/envoy/envoy/config/trace/v3/datadog.proto b/grpc-xds/proto/third_party/envoy/envoy/config/trace/v3/datadog.proto new file mode 100644 index 000000000..5359ec742 --- /dev/null +++ b/grpc-xds/proto/third_party/envoy/envoy/config/trace/v3/datadog.proto @@ -0,0 +1,50 @@ +syntax = "proto3"; + +package envoy.config.trace.v3; + +import "google/protobuf/duration.proto"; + +import "udpa/annotations/migrate.proto"; +import "udpa/annotations/status.proto"; +import "udpa/annotations/versioning.proto"; +import "validate/validate.proto"; + +option java_package = "io.envoyproxy.envoy.config.trace.v3"; +option java_outer_classname = "DatadogProto"; +option java_multiple_files = true; +option go_package = "github.com/envoyproxy/go-control-plane/envoy/config/trace/v3;tracev3"; +option (udpa.annotations.file_migrate).move_to_package = "envoy.extensions.tracers.datadog.v4alpha"; +option (udpa.annotations.file_status).package_version_status = ACTIVE; + +// [#protodoc-title: Datadog tracer] + +// Configuration for the Remote Configuration feature. +message DatadogRemoteConfig { + // Frequency at which new configuration updates are queried. + // If no value is provided, the default value is delegated to the Datadog tracing library. + google.protobuf.Duration polling_interval = 1; +} + +// Configuration for the Datadog tracer. +// [#extension: envoy.tracers.datadog] +message DatadogConfig { + option (udpa.annotations.versioning).previous_message_type = + "envoy.config.trace.v2.DatadogConfig"; + + // The cluster to use for submitting traces to the Datadog agent. + string collector_cluster = 1 [(validate.rules).string = {min_len: 1}]; + + // The name used for the service when traces are generated by envoy. + string service_name = 2 [(validate.rules).string = {min_len: 1}]; + + // Optional hostname to use when sending spans to the collector_cluster. Useful for collectors + // that require a specific hostname. Defaults to :ref:`collector_cluster ` above. + string collector_hostname = 3; + + // Enables and configures remote configuration. + // Remote Configuration allows to configure the tracer from Datadog's user interface. + // This feature can drastically increase the number of connections to the Datadog Agent. + // Each tracer regularly polls for configuration updates, and the number of tracers is the product + // of the number of listeners and worker threads. + DatadogRemoteConfig remote_config = 4; +} diff --git a/grpc-xds/proto/third_party/envoy/envoy/config/trace/v3/dynamic_ot.proto b/grpc-xds/proto/third_party/envoy/envoy/config/trace/v3/dynamic_ot.proto new file mode 100644 index 000000000..40fe8526a --- /dev/null +++ b/grpc-xds/proto/third_party/envoy/envoy/config/trace/v3/dynamic_ot.proto @@ -0,0 +1,47 @@ +syntax = "proto3"; + +package envoy.config.trace.v3; + +import "google/protobuf/struct.proto"; + +import "envoy/annotations/deprecation.proto"; +import "udpa/annotations/migrate.proto"; +import "udpa/annotations/status.proto"; +import "udpa/annotations/versioning.proto"; +import "validate/validate.proto"; + +option java_package = "io.envoyproxy.envoy.config.trace.v3"; +option java_outer_classname = "DynamicOtProto"; +option java_multiple_files = true; +option go_package = "github.com/envoyproxy/go-control-plane/envoy/config/trace/v3;tracev3"; +option (udpa.annotations.file_migrate).move_to_package = + "envoy.extensions.tracers.dynamic_ot.v4alpha"; +option (udpa.annotations.file_status).package_version_status = ACTIVE; + +// [#protodoc-title: Dynamically loadable OpenTracing tracer] + +// DynamicOtConfig was used to dynamically load a tracer from a shared library +// that implements the `OpenTracing dynamic loading API +// `_. +// [#not-implemented-hide:] +message DynamicOtConfig { + option (udpa.annotations.versioning).previous_message_type = + "envoy.config.trace.v2.DynamicOtConfig"; + + // Dynamic library implementing the `OpenTracing API + // `_. + string library = 1 [ + deprecated = true, + (validate.rules).string = {min_len: 1}, + (envoy.annotations.deprecated_at_minor_version) = "3.0", + (envoy.annotations.disallowed_by_default) = true + ]; + + // The configuration to use when creating a tracer from the given dynamic + // library. + google.protobuf.Struct config = 2 [ + deprecated = true, + (envoy.annotations.deprecated_at_minor_version) = "3.0", + (envoy.annotations.disallowed_by_default) = true + ]; +} diff --git a/grpc-xds/proto/third_party/envoy/envoy/config/trace/v3/http_tracer.proto b/grpc-xds/proto/third_party/envoy/envoy/config/trace/v3/http_tracer.proto new file mode 100644 index 000000000..8bd5151f4 --- /dev/null +++ b/grpc-xds/proto/third_party/envoy/envoy/config/trace/v3/http_tracer.proto @@ -0,0 +1,60 @@ +syntax = "proto3"; + +package envoy.config.trace.v3; + +import "google/protobuf/any.proto"; + +import "udpa/annotations/status.proto"; +import "udpa/annotations/versioning.proto"; +import "validate/validate.proto"; + +option java_package = "io.envoyproxy.envoy.config.trace.v3"; +option java_outer_classname = "HttpTracerProto"; +option java_multiple_files = true; +option go_package = "github.com/envoyproxy/go-control-plane/envoy/config/trace/v3;tracev3"; +option (udpa.annotations.file_status).package_version_status = ACTIVE; + +// [#protodoc-title: Tracing] +// Tracing :ref:`architecture overview `. + +// The tracing configuration specifies settings for an HTTP tracer provider used by Envoy. +// +// Envoy may support other tracers in the future, but right now the HTTP tracer is the only one +// supported. +// +// .. attention:: +// +// Use of this message type has been deprecated in favor of direct use of +// :ref:`Tracing.Http `. +message Tracing { + option (udpa.annotations.versioning).previous_message_type = "envoy.config.trace.v2.Tracing"; + + // Configuration for an HTTP tracer provider used by Envoy. + // + // The configuration is defined by the + // :ref:`HttpConnectionManager.Tracing ` + // :ref:`provider ` + // field. + message Http { + option (udpa.annotations.versioning).previous_message_type = + "envoy.config.trace.v2.Tracing.Http"; + + reserved 2; + + reserved "config"; + + // The name of the HTTP trace driver to instantiate. The name must match a + // supported HTTP trace driver. + // See the :ref:`extensions listed in typed_config below ` for the default list of the HTTP trace driver. + string name = 1 [(validate.rules).string = {min_len: 1}]; + + // Trace driver specific configuration which must be set according to the driver being instantiated. + // [#extension-category: envoy.tracers] + oneof config_type { + google.protobuf.Any typed_config = 3; + } + } + + // Provides configuration for the HTTP tracer. + Http http = 1; +} diff --git a/grpc-xds/proto/third_party/envoy/envoy/config/trace/v3/lightstep.proto b/grpc-xds/proto/third_party/envoy/envoy/config/trace/v3/lightstep.proto new file mode 100644 index 000000000..96dbbedd5 --- /dev/null +++ b/grpc-xds/proto/third_party/envoy/envoy/config/trace/v3/lightstep.proto @@ -0,0 +1,59 @@ +syntax = "proto3"; + +package envoy.config.trace.v3; + +import "envoy/config/core/v3/base.proto"; + +import "envoy/annotations/deprecation.proto"; +import "udpa/annotations/migrate.proto"; +import "udpa/annotations/status.proto"; +import "udpa/annotations/versioning.proto"; +import "validate/validate.proto"; + +option java_package = "io.envoyproxy.envoy.config.trace.v3"; +option java_outer_classname = "LightstepProto"; +option java_multiple_files = true; +option go_package = "github.com/envoyproxy/go-control-plane/envoy/config/trace/v3;tracev3"; +option (udpa.annotations.file_migrate).move_to_package = + "envoy.extensions.tracers.lightstep.v4alpha"; +option (udpa.annotations.file_status).package_version_status = ACTIVE; + +// [#protodoc-title: LightStep tracer] + +// Configuration for the LightStep tracer. +// [#extension: envoy.tracers.lightstep] +// [#not-implemented-hide:] +message LightstepConfig { + option (udpa.annotations.versioning).previous_message_type = + "envoy.config.trace.v2.LightstepConfig"; + + // Available propagation modes + enum PropagationMode { + // Propagate trace context in the single header x-ot-span-context. + ENVOY = 0; + + // Propagate trace context using LightStep's native format. + LIGHTSTEP = 1; + + // Propagate trace context using the b3 format. + B3 = 2; + + // Propagation trace context using the w3 trace-context standard. + TRACE_CONTEXT = 3; + } + + // The cluster manager cluster that hosts the LightStep collectors. + string collector_cluster = 1 [(validate.rules).string = {min_len: 1}]; + + // File containing the access token to the `LightStep + // `_ API. + string access_token_file = 2 + [deprecated = true, (envoy.annotations.deprecated_at_minor_version) = "3.0"]; + + // Access token to the `LightStep `_ API. + core.v3.DataSource access_token = 4; + + // Propagation modes to use by LightStep's tracer. + repeated PropagationMode propagation_modes = 3 + [(validate.rules).repeated = {items {enum {defined_only: true}}}]; +} diff --git a/grpc-xds/proto/third_party/envoy/envoy/config/trace/v3/opentelemetry.proto b/grpc-xds/proto/third_party/envoy/envoy/config/trace/v3/opentelemetry.proto new file mode 100644 index 000000000..5260d9bd6 --- /dev/null +++ b/grpc-xds/proto/third_party/envoy/envoy/config/trace/v3/opentelemetry.proto @@ -0,0 +1,67 @@ +syntax = "proto3"; + +package envoy.config.trace.v3; + +import "envoy/config/core/v3/extension.proto"; +import "envoy/config/core/v3/grpc_service.proto"; +import "envoy/config/core/v3/http_service.proto"; + +import "google/protobuf/wrappers.proto"; + +import "udpa/annotations/migrate.proto"; +import "udpa/annotations/status.proto"; + +option java_package = "io.envoyproxy.envoy.config.trace.v3"; +option java_outer_classname = "OpentelemetryProto"; +option java_multiple_files = true; +option go_package = "github.com/envoyproxy/go-control-plane/envoy/config/trace/v3;tracev3"; +option (udpa.annotations.file_status).package_version_status = ACTIVE; + +// [#protodoc-title: OpenTelemetry tracer] + +// Configuration for the OpenTelemetry tracer. +// [#extension: envoy.tracers.opentelemetry] +// [#next-free-field: 7] +message OpenTelemetryConfig { + // The upstream gRPC cluster that will receive OTLP traces. + // Note that the tracer drops traces if the server does not read data fast enough. + // This field can be left empty to disable reporting traces to the gRPC service. + // Only one of ``grpc_service``, ``http_service`` may be used. + core.v3.GrpcService grpc_service = 1 + [(udpa.annotations.field_migrate).oneof_promotion = "otlp_exporter"]; + + // The upstream HTTP cluster that will receive OTLP traces. + // This field can be left empty to disable reporting traces to the HTTP service. + // Only one of ``grpc_service``, ``http_service`` may be used. + // + // .. note:: + // + // Note: The ``request_headers_to_add`` property in the OTLP HTTP exporter service + // does not support the :ref:`format specifier ` as used for + // :ref:`HTTP access logging `. + // The values configured are added as HTTP headers on the OTLP export request + // without any formatting applied. + core.v3.HttpService http_service = 3 + [(udpa.annotations.field_migrate).oneof_promotion = "otlp_exporter"]; + + // The name for the service. This will be populated in the ResourceSpan Resource attributes. + // If it is not provided, it will default to "unknown_service:envoy". + string service_name = 2; + + // An ordered list of resource detectors + // [#extension-category: envoy.tracers.opentelemetry.resource_detectors] + repeated core.v3.TypedExtensionConfig resource_detectors = 4; + + // Specifies the sampler to be used by the OpenTelemetry tracer. + // The configured sampler implements the Sampler interface defined by the OpenTelemetry specification. + // This field can be left empty. In this case, the default Envoy sampling decision is used. + // + // See: `OpenTelemetry sampler specification `_ + // [#extension-category: envoy.tracers.opentelemetry.samplers] + core.v3.TypedExtensionConfig sampler = 5; + + // Envoy caches the span in memory when the OpenTelemetry backend service is temporarily unavailable. + // This field specifies the maximum number of spans that can be cached. If not specified, the + // default is 1024. + google.protobuf.UInt32Value max_cache_size = 6; +} diff --git a/grpc-xds/proto/third_party/envoy/envoy/config/trace/v3/service.proto b/grpc-xds/proto/third_party/envoy/envoy/config/trace/v3/service.proto new file mode 100644 index 000000000..4cb8c44c4 --- /dev/null +++ b/grpc-xds/proto/third_party/envoy/envoy/config/trace/v3/service.proto @@ -0,0 +1,26 @@ +syntax = "proto3"; + +package envoy.config.trace.v3; + +import "envoy/config/core/v3/grpc_service.proto"; + +import "udpa/annotations/status.proto"; +import "udpa/annotations/versioning.proto"; +import "validate/validate.proto"; + +option java_package = "io.envoyproxy.envoy.config.trace.v3"; +option java_outer_classname = "ServiceProto"; +option java_multiple_files = true; +option go_package = "github.com/envoyproxy/go-control-plane/envoy/config/trace/v3;tracev3"; +option (udpa.annotations.file_status).package_version_status = ACTIVE; + +// [#protodoc-title: Trace Service] + +// Configuration structure. +message TraceServiceConfig { + option (udpa.annotations.versioning).previous_message_type = + "envoy.config.trace.v2.TraceServiceConfig"; + + // The upstream gRPC cluster that hosts the metrics service. + core.v3.GrpcService grpc_service = 1 [(validate.rules).message = {required: true}]; +} diff --git a/grpc-xds/proto/third_party/envoy/envoy/config/trace/v3/zipkin.proto b/grpc-xds/proto/third_party/envoy/envoy/config/trace/v3/zipkin.proto new file mode 100644 index 000000000..2364983ef --- /dev/null +++ b/grpc-xds/proto/third_party/envoy/envoy/config/trace/v3/zipkin.proto @@ -0,0 +1,176 @@ +syntax = "proto3"; + +package envoy.config.trace.v3; + +import "envoy/config/core/v3/http_service.proto"; + +import "google/protobuf/wrappers.proto"; + +import "envoy/annotations/deprecation.proto"; +import "udpa/annotations/migrate.proto"; +import "udpa/annotations/status.proto"; +import "udpa/annotations/versioning.proto"; + +option java_package = "io.envoyproxy.envoy.config.trace.v3"; +option java_outer_classname = "ZipkinProto"; +option java_multiple_files = true; +option go_package = "github.com/envoyproxy/go-control-plane/envoy/config/trace/v3;tracev3"; +option (udpa.annotations.file_migrate).move_to_package = "envoy.extensions.tracers.zipkin.v4alpha"; +option (udpa.annotations.file_status).package_version_status = ACTIVE; + +// [#protodoc-title: Zipkin tracer] + +// Configuration for the Zipkin tracer. +// [#extension: envoy.tracers.zipkin] +// [#next-free-field: 10] +message ZipkinConfig { + option (udpa.annotations.versioning).previous_message_type = "envoy.config.trace.v2.ZipkinConfig"; + + // Available trace context options for handling different trace header formats. + enum TraceContextOption { + // Use B3 headers only (default behavior). + USE_B3 = 0; + + // Enable B3 and W3C dual header support: + // - For downstream: Extract from B3 headers first, fallback to W3C traceparent if B3 is unavailable. + // - For upstream: Inject both B3 and W3C traceparent headers. + // When this option is NOT set, only B3 headers are used for both extraction and injection. + USE_B3_WITH_W3C_PROPAGATION = 1; + } + + // Available Zipkin collector endpoint versions. + enum CollectorEndpointVersion { + // Zipkin API v1, JSON over HTTP. + // [#comment: The default implementation of Zipkin client before this field is added was only v1 + // and the way user configure this was by not explicitly specifying the version. Consequently, + // before this is added, the corresponding Zipkin collector expected to receive v1 payload. + // Hence the motivation of adding HTTP_JSON_V1 as the default is to avoid a breaking change when + // user upgrading Envoy with this change. Furthermore, we also immediately deprecate this field, + // since in Zipkin realm this v1 version is considered to be not preferable anymore.] + DEPRECATED_AND_UNAVAILABLE_DO_NOT_USE = 0 + [deprecated = true, (envoy.annotations.disallowed_by_default_enum) = true]; + + // Zipkin API v2, JSON over HTTP. + HTTP_JSON = 1; + + // Zipkin API v2, protobuf over HTTP. + HTTP_PROTO = 2; + + // [#not-implemented-hide:] + GRPC = 3; + } + + // The cluster manager cluster that hosts the Zipkin collectors. + // + // .. note:: + // This field will be deprecated in future releases in favor of + // :ref:`collector_service `. + // + // Either this field or ``collector_service`` must be specified. + string collector_cluster = 1; + + // The API endpoint of the Zipkin service where the spans will be sent. When + // using a standard Zipkin installation. + // + // .. note:: + // This field will be deprecated in future releases in favor of + // :ref:`collector_service `. + // + // Required when using ``collector_cluster``. + string collector_endpoint = 2; + + // Determines whether a 128bit trace id will be used when creating a new + // trace instance. The default value is false, which will result in a 64 bit trace id being used. + bool trace_id_128bit = 3; + + // Determines whether client and server spans will share the same span context. + // The default value is true. + google.protobuf.BoolValue shared_span_context = 4; + + // Determines the selected collector endpoint version. + CollectorEndpointVersion collector_endpoint_version = 5; + + // Optional hostname to use when sending spans to the collector_cluster. Useful for collectors + // that require a specific hostname. Defaults to :ref:`collector_cluster ` above. + // + // .. note:: + // This field will be deprecated in future releases in favor of + // :ref:`collector_service `. + string collector_hostname = 6; + + // If this is set to true, then Envoy will be treated as an independent hop in trace chain. A complete span pair will be created for a single + // request. Server span will be created for the downstream request and client span will be created for the related upstream request. + // This should be set to true in the following cases: + // + // * The Envoy Proxy is used as gateway or ingress. + // * The Envoy Proxy is used as sidecar but inbound traffic capturing or outbound traffic capturing is disabled. + // * Any case that the :ref:`start_child_span of router ` is set to true. + // + // .. attention:: + // + // If this is set to true, then the + // :ref:`start_child_span of router ` + // SHOULD be set to true also to ensure the correctness of trace chain. + // + // Both this field and ``start_child_span`` are deprecated by the + // :ref:`spawn_upstream_span `. + // Please use that ``spawn_upstream_span`` field to control the span creation. + bool split_spans_for_request = 7 + [deprecated = true, (envoy.annotations.deprecated_at_minor_version) = "3.0"]; + + // Determines which trace context format to use for trace header extraction and propagation. + // This controls both downstream request header extraction and upstream request header injection. + // Here is the spec for W3C trace headers: https://www.w3.org/TR/trace-context/ + // The default value is USE_B3 to maintain backward compatibility. + TraceContextOption trace_context_option = 8; + + // HTTP service configuration for the Zipkin collector. + // When specified, this configuration takes precedence over the legacy fields: + // collector_cluster, collector_endpoint, and collector_hostname. + // This provides a complete HTTP service configuration including cluster, URI, timeout, and headers. + // If not specified, the legacy fields above will be used for backward compatibility. + // + // Required fields when using collector_service: + // + // * ``http_uri.cluster`` - Must be specified and non-empty + // * ``http_uri.uri`` - Must be specified and non-empty + // * ``http_uri.timeout`` - Optional + // + // Full URI Support with Automatic Parsing: + // + // The ``uri`` field supports both path-only and full URI formats: + // + // .. code-block:: yaml + // + // tracing: + // provider: + // name: envoy.tracers.zipkin + // typed_config: + // "@type": type.googleapis.com/envoy.config.trace.v3.ZipkinConfig + // collector_service: + // http_uri: + // # Full URI format - hostname and path are extracted automatically + // uri: "https://zipkin-collector.example.com/api/v2/spans" + // cluster: zipkin + // timeout: 5s + // request_headers_to_add: + // - header: + // key: "X-Custom-Token" + // value: "your-custom-token" + // - header: + // key: "X-Service-ID" + // value: "your-service-id" + // + // URI Parsing Behavior: + // + // * Full URI: ``"https://zipkin-collector.example.com/api/v2/spans"`` + // + // * Hostname: ``zipkin-collector.example.com`` (sets HTTP ``Host`` header) + // * Path: ``/api/v2/spans`` (sets HTTP request path) + // + // * Path only: ``"/api/v2/spans"`` + // + // * Hostname: Uses cluster name as fallback + // * Path: ``/api/v2/spans`` + core.v3.HttpService collector_service = 9; +} diff --git a/grpc-xds/proto/third_party/envoy/envoy/data/accesslog/v3/accesslog.proto b/grpc-xds/proto/third_party/envoy/envoy/data/accesslog/v3/accesslog.proto new file mode 100644 index 000000000..da029b7da --- /dev/null +++ b/grpc-xds/proto/third_party/envoy/envoy/data/accesslog/v3/accesslog.proto @@ -0,0 +1,547 @@ +syntax = "proto3"; + +package envoy.data.accesslog.v3; + +import "envoy/config/core/v3/address.proto"; +import "envoy/config/core/v3/base.proto"; + +import "google/protobuf/any.proto"; +import "google/protobuf/duration.proto"; +import "google/protobuf/timestamp.proto"; +import "google/protobuf/wrappers.proto"; + +import "envoy/annotations/deprecation.proto"; +import "udpa/annotations/status.proto"; +import "udpa/annotations/versioning.proto"; +import "validate/validate.proto"; + +option java_package = "io.envoyproxy.envoy.data.accesslog.v3"; +option java_outer_classname = "AccesslogProto"; +option java_multiple_files = true; +option go_package = "github.com/envoyproxy/go-control-plane/envoy/data/accesslog/v3;accesslogv3"; +option (udpa.annotations.file_status).package_version_status = ACTIVE; + +// [#protodoc-title: gRPC access logs] +// Envoy access logs describe incoming interaction with Envoy over a fixed +// period of time, and typically cover a single request/response exchange, +// (e.g. HTTP), stream (e.g. over HTTP/gRPC), or proxied connection (e.g. TCP). +// Access logs contain fields defined in protocol-specific protobuf messages. +// +// Except where explicitly declared otherwise, all fields describe +// *downstream* interaction between Envoy and a connected client. +// Fields describing *upstream* interaction will explicitly include ``upstream`` +// in their name. + +enum AccessLogType { + NotSet = 0; + TcpUpstreamConnected = 1; + TcpPeriodic = 2; + TcpConnectionEnd = 3; + DownstreamStart = 4; + DownstreamPeriodic = 5; + DownstreamEnd = 6; + UpstreamPoolReady = 7; + UpstreamPeriodic = 8; + UpstreamEnd = 9; + DownstreamTunnelSuccessfullyEstablished = 10; + UdpTunnelUpstreamConnected = 11; + UdpPeriodic = 12; + UdpSessionEnd = 13; +} + +message TCPAccessLogEntry { + option (udpa.annotations.versioning).previous_message_type = + "envoy.data.accesslog.v2.TCPAccessLogEntry"; + + // Common properties shared by all Envoy access logs. + AccessLogCommon common_properties = 1; + + // Properties of the TCP connection. + ConnectionProperties connection_properties = 2; +} + +message HTTPAccessLogEntry { + option (udpa.annotations.versioning).previous_message_type = + "envoy.data.accesslog.v2.HTTPAccessLogEntry"; + + // HTTP version + enum HTTPVersion { + PROTOCOL_UNSPECIFIED = 0; + HTTP10 = 1; + HTTP11 = 2; + HTTP2 = 3; + HTTP3 = 4; + } + + // Common properties shared by all Envoy access logs. + AccessLogCommon common_properties = 1; + + HTTPVersion protocol_version = 2; + + // Description of the incoming HTTP request. + HTTPRequestProperties request = 3; + + // Description of the outgoing HTTP response. + HTTPResponseProperties response = 4; +} + +// Defines fields for a connection +message ConnectionProperties { + option (udpa.annotations.versioning).previous_message_type = + "envoy.data.accesslog.v2.ConnectionProperties"; + + // Number of bytes received from downstream. + uint64 received_bytes = 1; + + // Number of bytes sent to downstream. + uint64 sent_bytes = 2; +} + +// Defines fields that are shared by all Envoy access logs. +// [#next-free-field: 34] +message AccessLogCommon { + option (udpa.annotations.versioning).previous_message_type = + "envoy.data.accesslog.v2.AccessLogCommon"; + + // [#not-implemented-hide:] + // This field indicates the rate at which this log entry was sampled. + // Valid range is (0.0, 1.0]. + double sample_rate = 1 [(validate.rules).double = {lte: 1.0 gt: 0.0}]; + + // This field is the remote/origin address on which the request from the user was received. + // + // .. note:: + // This may not be the actual peer address. For example, it might be derived from headers like ``x-forwarded-for``, + // the proxy protocol, or similar sources. + config.core.v3.Address downstream_remote_address = 2; + + // This field is the local/destination address on which the request from the user was received. + config.core.v3.Address downstream_local_address = 3; + + // If the connection is secure, this field will contain TLS properties. + TLSProperties tls_properties = 4; + + // The time that Envoy started servicing this request. This is effectively the time that the first + // downstream byte is received. + google.protobuf.Timestamp start_time = 5; + + // Interval between the first downstream byte received and the last + // downstream byte received (i.e. time it takes to receive a request). + google.protobuf.Duration time_to_last_rx_byte = 6; + + // Interval between the first downstream byte received and the first upstream byte sent. There may + // be considerable delta between ``time_to_last_rx_byte`` and this value due to filters. + // Additionally, the same caveats apply as documented in ``time_to_last_downstream_tx_byte`` about + // not accounting for kernel socket buffer time, etc. + google.protobuf.Duration time_to_first_upstream_tx_byte = 7; + + // Interval between the first downstream byte received and the last upstream byte sent. There may + // by considerable delta between ``time_to_last_rx_byte`` and this value due to filters. + // Additionally, the same caveats apply as documented in ``time_to_last_downstream_tx_byte`` about + // not accounting for kernel socket buffer time, etc. + google.protobuf.Duration time_to_last_upstream_tx_byte = 8; + + // Interval between the first downstream byte received and the first upstream + // byte received (i.e. time it takes to start receiving a response). + google.protobuf.Duration time_to_first_upstream_rx_byte = 9; + + // Interval between the first downstream byte received and the last upstream + // byte received (i.e. time it takes to receive a complete response). + google.protobuf.Duration time_to_last_upstream_rx_byte = 10; + + // Interval between the first downstream byte received and the first downstream byte sent. + // There may be a considerable delta between the ``time_to_first_upstream_rx_byte`` and this field + // due to filters. Additionally, the same caveats apply as documented in + // ``time_to_last_downstream_tx_byte`` about not accounting for kernel socket buffer time, etc. + google.protobuf.Duration time_to_first_downstream_tx_byte = 11; + + // Interval between the first downstream byte received and the last downstream byte sent. + // Depending on protocol, buffering, windowing, filters, etc. there may be a considerable delta + // between ``time_to_last_upstream_rx_byte`` and this field. Note also that this is an approximate + // time. In the current implementation it does not include kernel socket buffer time. In the + // current implementation it also does not include send window buffering inside the HTTP/2 codec. + // In the future it is likely that work will be done to make this duration more accurate. + google.protobuf.Duration time_to_last_downstream_tx_byte = 12; + + // The upstream remote/destination address that handles this exchange. This does not include + // retries. + config.core.v3.Address upstream_remote_address = 13; + + // The upstream local/origin address that handles this exchange. This does not include retries. + config.core.v3.Address upstream_local_address = 14; + + // The upstream cluster that ``upstream_remote_address`` belongs to. + string upstream_cluster = 15; + + // Flags indicating occurrences during request/response processing. + ResponseFlags response_flags = 16; + + // All metadata encountered during request processing, including endpoint + // selection. + // + // This can be used to associate IDs attached to the various configurations + // used to process this request with the access log entry. For example, a + // route created from a higher level forwarding rule with some ID can place + // that ID in this field and cross reference later. It can also be used to + // determine if a canary endpoint was used or not. + config.core.v3.Metadata metadata = 17; + + // If upstream connection failed due to transport socket (e.g. TLS handshake), provides the + // failure reason from the transport socket. The format of this field depends on the configured + // upstream transport socket. Common TLS failures are in + // :ref:`TLS troubleshooting `. + string upstream_transport_failure_reason = 18; + + // The name of the route + string route_name = 19; + + // This field is the downstream direct remote address on which the request from the user was + // received. Note: This is always the physical peer, even if the remote address is inferred from + // for example the x-forwarder-for header, proxy protocol, etc. + config.core.v3.Address downstream_direct_remote_address = 20; + + // Map of filter state in stream info that have been configured to be logged. If the filter + // state serialized to any message other than ``google.protobuf.Any`` it will be packed into + // ``google.protobuf.Any``. + map filter_state_objects = 21; + + // A list of custom tags, which annotate logs with additional information. + // To configure this value, see the documentation for + // :ref:`custom_tags `. + map custom_tags = 22; + + // For HTTP: Total duration in milliseconds of the request from the start time to the last byte out. + // For TCP: Total duration in milliseconds of the downstream connection. + // This is the total duration of the request (i.e., when the request's ActiveStream is destroyed) + // and may be longer than ``time_to_last_downstream_tx_byte``. + google.protobuf.Duration duration = 23; + + // For HTTP: Number of times the request is attempted upstream. Note that the field is omitted when the request was never attempted upstream. + // For TCP: Number of times the connection request is attempted upstream. Note that the field is omitted when the connect request was never attempted upstream. + uint32 upstream_request_attempt_count = 24; + + // Connection termination details may provide additional information about why the connection was terminated by Envoy for L4 reasons. + string connection_termination_details = 25; + + // Optional unique id of stream (TCP connection, long-live HTTP2 stream, HTTP request) for logging and tracing. + // This could be any format string that could be used to identify one stream. + string stream_id = 26; + + // Indicates whether this log entry is the final entry (flushed after the stream completed) or an intermediate entry + // (flushed periodically during the stream). + // + // For long-lived streams (e.g., TCP connections or long-lived HTTP/2 streams), there may be multiple intermediate + // entries and only one final entry. + // + // If needed, a unique identifier (see :ref:`stream_id `) + // can be used to correlate all intermediate and final log entries for the same stream. + // + // .. attention:: + // + // This field is deprecated in favor of ``access_log_type``, which provides a clearer indication of the log entry + // type. + bool intermediate_log_entry = 27 + [deprecated = true, (envoy.annotations.deprecated_at_minor_version) = "3.0"]; + + // If downstream connection in listener failed due to transport socket (e.g. TLS handshake), provides the + // failure reason from the transport socket. The format of this field depends on the configured downstream + // transport socket. Common TLS failures are in :ref:`TLS troubleshooting `. + string downstream_transport_failure_reason = 28; + + // For HTTP: Total number of bytes sent to the downstream by the http stream. + // For TCP: Total number of bytes sent to the downstream by the :ref:`TCP Proxy `. + uint64 downstream_wire_bytes_sent = 29; + + // For HTTP: Total number of bytes received from the downstream by the http stream. Envoy over counts sizes of received HTTP/1.1 pipelined requests by adding up bytes of requests in the pipeline to the one currently being processed. + // For TCP: Total number of bytes received from the downstream by the :ref:`TCP Proxy `. + uint64 downstream_wire_bytes_received = 30; + + // For HTTP: Total number of bytes sent to the upstream by the http stream. This value accumulates during upstream retries. + // For TCP: Total number of bytes sent to the upstream by the :ref:`TCP Proxy `. + uint64 upstream_wire_bytes_sent = 31; + + // For HTTP: Total number of bytes received from the upstream by the http stream. + // For TCP: Total number of bytes sent to the upstream by the :ref:`TCP Proxy `. + uint64 upstream_wire_bytes_received = 32; + + // The type of the access log, which indicates when the log was recorded. + // See :ref:`ACCESS_LOG_TYPE ` for the available values. + // In case the access log was recorded by a flow which does not correspond to one of the supported + // values, then the default value will be ``NotSet``. + // For more information about how access log behaves and when it is being recorded, + // please refer to :ref:`access logging `. + AccessLogType access_log_type = 33; +} + +// Flags indicating occurrences during request/response processing. +// [#next-free-field: 29] +message ResponseFlags { + option (udpa.annotations.versioning).previous_message_type = + "envoy.data.accesslog.v2.ResponseFlags"; + + message Unauthorized { + option (udpa.annotations.versioning).previous_message_type = + "envoy.data.accesslog.v2.ResponseFlags.Unauthorized"; + + // Reasons why the request was unauthorized + enum Reason { + REASON_UNSPECIFIED = 0; + + // The request was denied by the external authorization service. + EXTERNAL_SERVICE = 1; + } + + Reason reason = 1; + } + + // Indicates local server healthcheck failed. + bool failed_local_healthcheck = 1; + + // Indicates there was no healthy upstream. + bool no_healthy_upstream = 2; + + // Indicates there was an upstream request timeout. + bool upstream_request_timeout = 3; + + // Indicates local codec level reset was sent on the stream. + bool local_reset = 4; + + // Indicates remote codec level reset was received on the stream. + bool upstream_remote_reset = 5; + + // Indicates there was a local reset by a connection pool due to an initial connection failure. + bool upstream_connection_failure = 6; + + // Indicates the stream was reset due to an upstream connection termination. + bool upstream_connection_termination = 7; + + // Indicates the stream was reset because of a resource overflow. + bool upstream_overflow = 8; + + // Indicates no route was found for the request. + bool no_route_found = 9; + + // Indicates that the request was delayed before proxying. + bool delay_injected = 10; + + // Indicates that the request was aborted with an injected error code. + bool fault_injected = 11; + + // Indicates that the request was rate-limited locally. + bool rate_limited = 12; + + // Indicates if the request was deemed unauthorized and the reason for it. + Unauthorized unauthorized_details = 13; + + // Indicates that the request was rejected because there was an error in rate limit service. + bool rate_limit_service_error = 14; + + // Indicates the stream was reset due to a downstream connection termination. + bool downstream_connection_termination = 15; + + // Indicates that the upstream retry limit was exceeded, resulting in a downstream error. + bool upstream_retry_limit_exceeded = 16; + + // Indicates that the stream idle timeout was hit, resulting in a downstream 408. + bool stream_idle_timeout = 17; + + // Indicates that the request was rejected because an envoy request header failed strict + // validation. + bool invalid_envoy_request_headers = 18; + + // Indicates there was an HTTP protocol error on the downstream request. + bool downstream_protocol_error = 19; + + // Indicates there was a max stream duration reached on the upstream request. + bool upstream_max_stream_duration_reached = 20; + + // Indicates the response was served from a cache filter. + bool response_from_cache_filter = 21; + + // Indicates that a filter configuration is not available. + bool no_filter_config_found = 22; + + // Indicates that the request or connection exceeded the downstream connection duration. + bool duration_timeout = 23; + + // Indicates there was an HTTP protocol error in the upstream response. + bool upstream_protocol_error = 24; + + // Indicates no cluster was found for the request. + bool no_cluster_found = 25; + + // Indicates overload manager terminated the request. + bool overload_manager = 26; + + // Indicates a DNS resolution failed. + bool dns_resolution_failure = 27; + + // Indicates a downstream remote codec level reset was received on the stream + bool downstream_remote_reset = 28; +} + +// Properties of a negotiated TLS connection. +// [#next-free-field: 8] +message TLSProperties { + option (udpa.annotations.versioning).previous_message_type = + "envoy.data.accesslog.v2.TLSProperties"; + + enum TLSVersion { + VERSION_UNSPECIFIED = 0; + TLSv1 = 1; + TLSv1_1 = 2; + TLSv1_2 = 3; + TLSv1_3 = 4; + } + + message CertificateProperties { + option (udpa.annotations.versioning).previous_message_type = + "envoy.data.accesslog.v2.TLSProperties.CertificateProperties"; + + message SubjectAltName { + option (udpa.annotations.versioning).previous_message_type = + "envoy.data.accesslog.v2.TLSProperties.CertificateProperties.SubjectAltName"; + + oneof san { + string uri = 1; + + // [#not-implemented-hide:] + string dns = 2; + } + } + + // SANs present in the certificate. + repeated SubjectAltName subject_alt_name = 1; + + // The subject field of the certificate. + string subject = 2; + + // The issuer field of the certificate. + string issuer = 3; + } + + // Version of TLS that was negotiated. + TLSVersion tls_version = 1; + + // TLS cipher suite negotiated during handshake. The value is a + // four-digit hex code defined by the IANA TLS Cipher Suite Registry + // (e.g. ``009C`` for ``TLS_RSA_WITH_AES_128_GCM_SHA256``). + // + // Here it is expressed as an integer. + google.protobuf.UInt32Value tls_cipher_suite = 2; + + // SNI hostname from handshake. + string tls_sni_hostname = 3; + + // Properties of the local certificate used to negotiate TLS. + CertificateProperties local_certificate_properties = 4; + + // Properties of the peer certificate used to negotiate TLS. + CertificateProperties peer_certificate_properties = 5; + + // The TLS session ID. + string tls_session_id = 6; + + // The ``JA3`` fingerprint when ``JA3`` fingerprinting is enabled. + string ja3_fingerprint = 7; +} + +// [#next-free-field: 16] +message HTTPRequestProperties { + option (udpa.annotations.versioning).previous_message_type = + "envoy.data.accesslog.v2.HTTPRequestProperties"; + + // The request method (RFC 7231/2616). + config.core.v3.RequestMethod request_method = 1 [(validate.rules).enum = {defined_only: true}]; + + // The scheme portion of the incoming request URI. + string scheme = 2; + + // HTTP/2 ``:authority`` or HTTP/1.1 ``Host`` header value. + string authority = 3; + + // The port of the incoming request URI + // (unused currently, as port is composed onto authority). + google.protobuf.UInt32Value port = 4; + + // The path portion from the incoming request URI. + string path = 5; + + // Value of the ``User-Agent`` request header. + string user_agent = 6; + + // Value of the ``Referer`` request header. + string referer = 7; + + // Value of the ``X-Forwarded-For`` request header. + string forwarded_for = 8; + + // Value of the ``X-Request-Id`` request header + // + // This header is used by Envoy to uniquely identify a request. + // It will be generated for all external requests and internal requests that + // do not already have a request ID. + string request_id = 9; + + // Value of the ``x-envoy-original-path`` request header. + string original_path = 10; + + // Size of the HTTP request headers in bytes. + // + // This value is captured from the OSI layer 7 perspective, i.e. it does not + // include overhead from framing or encoding at other networking layers. + uint64 request_headers_bytes = 11; + + // Size of the HTTP request body in bytes. + // + // This value is captured from the OSI layer 7 perspective, i.e. it does not + // include overhead from framing or encoding at other networking layers. + uint64 request_body_bytes = 12; + + // Map of additional headers that have been configured to be logged. + map request_headers = 13; + + // Number of header bytes sent to the upstream by the http stream, including protocol overhead. + // + // This value accumulates during upstream retries. + uint64 upstream_header_bytes_sent = 14; + + // Number of header bytes received from the downstream by the http stream, including protocol overhead. + uint64 downstream_header_bytes_received = 15; +} + +// [#next-free-field: 9] +message HTTPResponseProperties { + option (udpa.annotations.versioning).previous_message_type = + "envoy.data.accesslog.v2.HTTPResponseProperties"; + + // The HTTP response code returned by Envoy. + google.protobuf.UInt32Value response_code = 1; + + // Size of the HTTP response headers in bytes. + // + // This value is captured from the OSI layer 7 perspective, i.e. it does not + // include protocol overhead or overhead from framing or encoding at other networking layers. + uint64 response_headers_bytes = 2; + + // Size of the HTTP response body in bytes. + // + // This value is captured from the OSI layer 7 perspective, i.e. it does not + // include overhead from framing or encoding at other networking layers. + uint64 response_body_bytes = 3; + + // Map of additional headers configured to be logged. + map response_headers = 4; + + // Map of trailers configured to be logged. + map response_trailers = 5; + + // The HTTP response code details. + string response_code_details = 6; + + // Number of header bytes received from the upstream by the http stream, including protocol overhead. + uint64 upstream_header_bytes_received = 7; + + // Number of header bytes sent to the downstream by the http stream, including protocol overhead. + uint64 downstream_header_bytes_sent = 8; +} diff --git a/grpc-xds/proto/third_party/envoy/envoy/extensions/clusters/aggregate/v3/cluster.proto b/grpc-xds/proto/third_party/envoy/envoy/extensions/clusters/aggregate/v3/cluster.proto new file mode 100644 index 000000000..d23d767f7 --- /dev/null +++ b/grpc-xds/proto/third_party/envoy/envoy/extensions/clusters/aggregate/v3/cluster.proto @@ -0,0 +1,44 @@ +syntax = "proto3"; + +package envoy.extensions.clusters.aggregate.v3; + +import "envoy/config/core/v3/config_source.proto"; + +import "udpa/annotations/status.proto"; +import "udpa/annotations/versioning.proto"; +import "validate/validate.proto"; + +option java_package = "io.envoyproxy.envoy.extensions.clusters.aggregate.v3"; +option java_outer_classname = "ClusterProto"; +option java_multiple_files = true; +option go_package = "github.com/envoyproxy/go-control-plane/envoy/extensions/clusters/aggregate/v3;aggregatev3"; +option (udpa.annotations.file_status).package_version_status = ACTIVE; + +// [#protodoc-title: Aggregate cluster configuration] + +// Configuration for the aggregate cluster. See the :ref:`architecture overview +// ` for more information. +// [#extension: envoy.clusters.aggregate] +message ClusterConfig { + option (udpa.annotations.versioning).previous_message_type = + "envoy.config.cluster.aggregate.v2alpha.ClusterConfig"; + + // Load balancing clusters in aggregate cluster. Clusters are prioritized based on the order they + // appear in this list. + repeated string clusters = 1 [(validate.rules).repeated = {min_items: 1}]; +} + +// Configures an aggregate cluster whose +// :ref:`ClusterConfig ` +// is to be fetched from a separate xDS resource. +// [#extension: envoy.clusters.aggregate_resource] +// [#not-implemented-hide:] +message AggregateClusterResource { + // Configuration source specifier for the ClusterConfig resource. + // Only the aggregated protocol variants are supported; if configured + // otherwise, the cluster resource will be NACKed. + config.core.v3.ConfigSource config_source = 1 [(validate.rules).message = {required: true}]; + + // The name of the ClusterConfig resource to subscribe to. + string resource_name = 2 [(validate.rules).string = {min_len: 1}]; +} diff --git a/grpc-xds/proto/third_party/envoy/envoy/extensions/common/matching/v3/extension_matcher.proto b/grpc-xds/proto/third_party/envoy/envoy/extensions/common/matching/v3/extension_matcher.proto new file mode 100644 index 000000000..817cd27a3 --- /dev/null +++ b/grpc-xds/proto/third_party/envoy/envoy/extensions/common/matching/v3/extension_matcher.proto @@ -0,0 +1,42 @@ +syntax = "proto3"; + +package envoy.extensions.common.matching.v3; + +import "envoy/config/common/matcher/v3/matcher.proto"; +import "envoy/config/core/v3/extension.proto"; + +import "xds/type/matcher/v3/matcher.proto"; + +import "envoy/annotations/deprecation.proto"; +import "udpa/annotations/status.proto"; +import "validate/validate.proto"; + +option java_package = "io.envoyproxy.envoy.extensions.common.matching.v3"; +option java_outer_classname = "ExtensionMatcherProto"; +option java_multiple_files = true; +option go_package = "github.com/envoyproxy/go-control-plane/envoy/extensions/common/matching/v3;matchingv3"; +option (udpa.annotations.file_status).package_version_status = ACTIVE; + +// [#protodoc-title: Extension matcher] + +// Wrapper around an existing extension that provides an associated matcher. This allows +// decorating an existing extension with a matcher, which can be used to match against +// relevant protocol data. +message ExtensionWithMatcher { + // The associated matcher. This is deprecated in favor of xds_matcher. + config.common.matcher.v3.Matcher matcher = 1 + [deprecated = true, (envoy.annotations.deprecated_at_minor_version) = "3.0"]; + + // The associated matcher. + xds.type.matcher.v3.Matcher xds_matcher = 3; + + // The underlying extension config. + config.core.v3.TypedExtensionConfig extension_config = 2 + [(validate.rules).message = {required: true}]; +} + +// Extra settings on a per virtualhost/route/weighted-cluster level. +message ExtensionWithMatcherPerRoute { + // Matcher override. + xds.type.matcher.v3.Matcher xds_matcher = 1; +} diff --git a/grpc-xds/proto/third_party/envoy/envoy/extensions/filters/common/fault/v3/fault.proto b/grpc-xds/proto/third_party/envoy/envoy/extensions/filters/common/fault/v3/fault.proto new file mode 100644 index 000000000..ab24f5d23 --- /dev/null +++ b/grpc-xds/proto/third_party/envoy/envoy/extensions/filters/common/fault/v3/fault.proto @@ -0,0 +1,97 @@ +syntax = "proto3"; + +package envoy.extensions.filters.common.fault.v3; + +import "envoy/type/v3/percent.proto"; + +import "google/protobuf/duration.proto"; + +import "udpa/annotations/status.proto"; +import "udpa/annotations/versioning.proto"; +import "validate/validate.proto"; + +option java_package = "io.envoyproxy.envoy.extensions.filters.common.fault.v3"; +option java_outer_classname = "FaultProto"; +option java_multiple_files = true; +option go_package = "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/common/fault/v3;faultv3"; +option (udpa.annotations.file_status).package_version_status = ACTIVE; + +// [#protodoc-title: Common fault injection types] + +// Delay specification is used to inject latency into the +// HTTP/Mongo operation. +// [#next-free-field: 6] +message FaultDelay { + option (udpa.annotations.versioning).previous_message_type = + "envoy.config.filter.fault.v2.FaultDelay"; + + enum FaultDelayType { + // Unused and deprecated. + FIXED = 0; + } + + // Fault delays are controlled via an HTTP header (if applicable). See the + // :ref:`HTTP fault filter ` documentation for + // more information. + message HeaderDelay { + option (udpa.annotations.versioning).previous_message_type = + "envoy.config.filter.fault.v2.FaultDelay.HeaderDelay"; + } + + reserved 2, 1; + + reserved "type"; + + oneof fault_delay_secifier { + option (validate.required) = true; + + // Add a fixed delay before forwarding the operation upstream. See + // https://developers.google.com/protocol-buffers/docs/proto3#json for + // the JSON/YAML Duration mapping. For HTTP/Mongo, the specified + // delay will be injected before a new request/operation. + // This is required if type is FIXED. + google.protobuf.Duration fixed_delay = 3 [(validate.rules).duration = {gt {}}]; + + // Fault delays are controlled via an HTTP header (if applicable). + HeaderDelay header_delay = 5; + } + + // The percentage of operations/connections/requests on which the delay will be injected. + type.v3.FractionalPercent percentage = 4; +} + +// Describes a rate limit to be applied. +message FaultRateLimit { + option (udpa.annotations.versioning).previous_message_type = + "envoy.config.filter.fault.v2.FaultRateLimit"; + + // Describes a fixed/constant rate limit. + message FixedLimit { + option (udpa.annotations.versioning).previous_message_type = + "envoy.config.filter.fault.v2.FaultRateLimit.FixedLimit"; + + // The limit supplied in KiB/s. + uint64 limit_kbps = 1 [(validate.rules).uint64 = {gte: 1}]; + } + + // Rate limits are controlled via an HTTP header (if applicable). See the + // :ref:`HTTP fault filter ` documentation for + // more information. + message HeaderLimit { + option (udpa.annotations.versioning).previous_message_type = + "envoy.config.filter.fault.v2.FaultRateLimit.HeaderLimit"; + } + + oneof limit_type { + option (validate.required) = true; + + // A fixed rate limit. + FixedLimit fixed_limit = 1; + + // Rate limits are controlled via an HTTP header (if applicable). + HeaderLimit header_limit = 3; + } + + // The percentage of operations/connections/requests on which the rate limit will be injected. + type.v3.FractionalPercent percentage = 2; +} diff --git a/grpc-xds/proto/third_party/envoy/envoy/extensions/filters/http/composite/v3/composite.proto b/grpc-xds/proto/third_party/envoy/envoy/extensions/filters/http/composite/v3/composite.proto new file mode 100644 index 000000000..1ab6c5eb1 --- /dev/null +++ b/grpc-xds/proto/third_party/envoy/envoy/extensions/filters/http/composite/v3/composite.proto @@ -0,0 +1,106 @@ +syntax = "proto3"; + +package envoy.extensions.filters.http.composite.v3; + +import "envoy/config/core/v3/base.proto"; +import "envoy/config/core/v3/config_source.proto"; +import "envoy/config/core/v3/extension.proto"; + +import "udpa/annotations/migrate.proto"; +import "udpa/annotations/status.proto"; +import "validate/validate.proto"; + +option java_package = "io.envoyproxy.envoy.extensions.filters.http.composite.v3"; +option java_outer_classname = "CompositeProto"; +option java_multiple_files = true; +option go_package = "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/http/composite/v3;compositev3"; +option (udpa.annotations.file_status).package_version_status = ACTIVE; + +// [#protodoc-title: Composite] +// Composite Filter :ref:`configuration overview `. +// [#extension: envoy.filters.http.composite] + +// :ref:`Composite filter ` config. The composite filter config +// allows delegating filter handling to another filter as determined by matching on the request +// headers. This makes it possible to use different filters or filter configurations based on the +// incoming request. +// +// This is intended to be used with +// :ref:`ExtensionWithMatcher ` +// where a match tree is specified that indicates (via +// :ref:`ExecuteFilterAction `) +// which filter configuration to create and delegate to. +message Composite { + // Named filter chain definitions that can be referenced from + // :ref:`ExecuteFilterAction.filter_chain_name + // `. + // The filter chains are compiled at configuration time and can be referenced by name. + // This is useful when the same filter chain needs to be applied across many routes, + // as it avoids duplicating the filter chain configuration. + map named_filter_chains = 1; +} + +// A list of filter configurations to be called in order. Note that this can be used as the type +// inside of an ECDS :ref:`TypedExtensionConfig +// ` extension, which allows a chain of +// filters to be configured dynamically. In that case, the types of all filters in the chain must +// be present in the :ref:`ExtensionConfigSource.type_urls +// ` field. +message FilterChainConfiguration { + repeated config.core.v3.TypedExtensionConfig typed_config = 1; +} + +// Configuration for an extension configuration discovery service with name. +message DynamicConfig { + // The name of the extension configuration. It also serves as a resource name in ExtensionConfigDS. + // The resource type in the ``DiscoveryRequest`` will be :ref:`TypedExtensionConfig + // `. + string name = 1 [(validate.rules).string = {min_len: 1}]; + + // Configuration source specifier for an extension configuration discovery + // service. In case of a failure and without the default configuration, + // 500(Internal Server Error) will be returned. + config.core.v3.ExtensionConfigSource config_discovery = 2; +} + +// Composite match action (see :ref:`matching docs ` for more info on match actions). +// This specifies the filter configuration of the filter that the composite filter should delegate filter interactions to. +// [#next-free-field: 6] +message ExecuteFilterAction { + // Filter specific configuration which depends on the filter being + // instantiated. See the supported filters for further documentation. + // Only one of ``typed_config``, ``dynamic_config``, ``filter_chain``, or ``filter_chain_name`` + // can be set. + // [#extension-category: envoy.filters.http] + config.core.v3.TypedExtensionConfig typed_config = 1 + [(udpa.annotations.field_migrate).oneof_promotion = "config_type"]; + + // Dynamic configuration of filter obtained via extension configuration discovery service. + // Only one of ``typed_config``, ``dynamic_config``, ``filter_chain``, or ``filter_chain_name`` + // can be set. + DynamicConfig dynamic_config = 2 + [(udpa.annotations.field_migrate).oneof_promotion = "config_type"]; + + // An inlined list of filter configurations. The specified filters will be executed in order. + // Only one of ``typed_config``, ``dynamic_config``, ``filter_chain``, or ``filter_chain_name`` + // can be set. + FilterChainConfiguration filter_chain = 4; + + // The name of a filter chain defined in + // :ref:`Composite.named_filter_chains + // `. + // At runtime, if the named filter chain is not found in the Composite filter's configuration, + // no filter will be applied for this match (the action is silently skipped). + // Only one of ``typed_config``, ``dynamic_config``, ``filter_chain``, or ``filter_chain_name`` + // can be set. + string filter_chain_name = 5; + + // Probability of the action execution. If not specified, this is 100%. + // This allows sampling behavior for the configured actions. + // For example, if + // :ref:`default_value ` + // under the ``sample_percent`` is configured with 30%, a dice roll with that + // probability is done. The underline action will only be executed if the + // dice roll returns positive. Otherwise, the action is skipped. + config.core.v3.RuntimeFractionalPercent sample_percent = 3; +} diff --git a/grpc-xds/proto/third_party/envoy/envoy/extensions/filters/http/ext_authz/v3/ext_authz.proto b/grpc-xds/proto/third_party/envoy/envoy/extensions/filters/http/ext_authz/v3/ext_authz.proto new file mode 100644 index 000000000..7f70b7001 --- /dev/null +++ b/grpc-xds/proto/third_party/envoy/envoy/extensions/filters/http/ext_authz/v3/ext_authz.proto @@ -0,0 +1,602 @@ +syntax = "proto3"; + +package envoy.extensions.filters.http.ext_authz.v3; + +import "envoy/config/common/mutation_rules/v3/mutation_rules.proto"; +import "envoy/config/core/v3/base.proto"; +import "envoy/config/core/v3/config_source.proto"; +import "envoy/config/core/v3/grpc_service.proto"; +import "envoy/config/core/v3/http_uri.proto"; +import "envoy/type/matcher/v3/metadata.proto"; +import "envoy/type/matcher/v3/string.proto"; +import "envoy/type/v3/http_status.proto"; + +import "google/protobuf/struct.proto"; +import "google/protobuf/wrappers.proto"; + +import "envoy/annotations/deprecation.proto"; +import "udpa/annotations/sensitive.proto"; +import "udpa/annotations/status.proto"; +import "udpa/annotations/versioning.proto"; +import "validate/validate.proto"; + +option java_package = "io.envoyproxy.envoy.extensions.filters.http.ext_authz.v3"; +option java_outer_classname = "ExtAuthzProto"; +option java_multiple_files = true; +option go_package = "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/http/ext_authz/v3;ext_authzv3"; +option (udpa.annotations.file_status).package_version_status = ACTIVE; + +// [#protodoc-title: External Authorization] +// External Authorization :ref:`configuration overview `. +// [#extension: envoy.filters.http.ext_authz] + +// [#next-free-field: 32] +message ExtAuthz { + option (udpa.annotations.versioning).previous_message_type = + "envoy.config.filter.http.ext_authz.v3.ExtAuthz"; + + reserved 4; + + reserved "use_alpha"; + + // External authorization service configuration. + oneof services { + // gRPC service configuration (default timeout: 200ms). + config.core.v3.GrpcService grpc_service = 1; + + // HTTP service configuration (default timeout: 200ms). + HttpService http_service = 3; + } + + // API version for ext_authz transport protocol. This describes the ext_authz gRPC endpoint and + // version of messages used on the wire. + config.core.v3.ApiVersion transport_api_version = 12 + [(validate.rules).enum = {defined_only: true}]; + + // Changes the filter's behavior on errors: + // + // * When set to ``true``, the filter will ``accept`` the client request even if communication with + // the authorization service has failed, or if the authorization service has returned an HTTP 5xx + // error. + // + // * When set to ``false``, the filter will ``reject`` client requests and return ``Forbidden`` + // if communication with the authorization service has failed, or if the authorization service + // has returned an HTTP 5xx error. + // + // Errors can always be tracked in the :ref:`stats `. + // + // Defaults to ``false``. + bool failure_mode_allow = 2; + + // When ``failure_mode_allow`` and ``failure_mode_allow_header_add`` are both set to ``true``, + // ``x-envoy-auth-failure-mode-allowed: true`` will be added to request headers if the communication + // with the authorization service has failed, or if the authorization service has returned a + // HTTP 5xx error. + bool failure_mode_allow_header_add = 19; + + // Enables the filter to buffer the client request body and send it within the authorization request. + // The ``x-envoy-auth-partial-body: false|true`` metadata header will be added to the authorization + // request indicating whether the body data is partial. + BufferSettings with_request_body = 5; + + // Clears the route cache in order to allow the external authorization service to correctly affect + // routing decisions. The filter clears all cached routes when all of the following holds: + // + // * This field is set to ``true``. + // * The status returned from the authorization service is an HTTP 200 or gRPC 0. + // * At least one ``authorization response header`` is added to the client request, or is used to + // alter another client request header. + // + // Defaults to ``false``. + bool clear_route_cache = 6; + + // Sets the HTTP status that is returned to the client when the authorization server returns an error + // or cannot be reached. + // + // The default status is ``HTTP 403 Forbidden``. + type.v3.HttpStatus status_on_error = 7; + + // When set to ``true``, the filter will check the :ref:`ext_authz response + // ` for invalid header and + // query parameter mutations. If the response is invalid, the filter will send a local reply + // to the downstream request with status ``HTTP 500 Internal Server Error``. + // + // .. note:: + // Both ``headers_to_remove`` and ``query_parameters_to_remove`` are validated, but invalid elements in + // those fields should not affect any headers and thus will not cause the filter to send a local reply. + // + // When set to ``false``, any invalid mutations will be visible to the rest of Envoy and may cause + // unexpected behavior. + // + // If you are using ext_authz with an untrusted ext_authz server, you should set this to ``true``. + // + // Defaults to ``false``. + bool validate_mutations = 24; + + // Specifies a list of metadata namespaces whose values, if present, will be passed to the + // ext_authz service. The :ref:`filter_metadata ` + // is passed as an opaque ``protobuf::Struct``. + // + // .. note:: + // This field applies exclusively to the gRPC ext_authz service and has no effect on the HTTP service. + // + // For example, if the ``jwt_authn`` filter is used and :ref:`payload_in_metadata + // ` is set, + // then the following will pass the jwt payload to the authorization server. + // + // .. code-block:: yaml + // + // metadata_context_namespaces: + // - envoy.filters.http.jwt_authn + // + repeated string metadata_context_namespaces = 8; + + // Specifies a list of metadata namespaces whose values, if present, will be passed to the + // ext_authz service. :ref:`typed_filter_metadata ` + // is passed as a ``protobuf::Any``. + // + // .. note:: + // This field applies exclusively to the gRPC ext_authz service and has no effect on the HTTP service. + // + // This works similarly to ``metadata_context_namespaces`` but allows Envoy and the ext_authz server to share + // the protobuf message definition in order to perform safe parsing. + // + repeated string typed_metadata_context_namespaces = 16; + + // Specifies a list of route metadata namespaces whose values, if present, will be passed to the + // ext_authz service at :ref:`route_metadata_context ` in + // :ref:`CheckRequest `. + // :ref:`filter_metadata ` is passed as an opaque ``protobuf::Struct``. + repeated string route_metadata_context_namespaces = 21; + + // Specifies a list of route metadata namespaces whose values, if present, will be passed to the + // ext_authz service at :ref:`route_metadata_context ` in + // :ref:`CheckRequest `. + // :ref:`typed_filter_metadata ` is passed as a ``protobuf::Any``. + repeated string route_typed_metadata_context_namespaces = 22; + + // Specifies if the filter is enabled. + // + // If :ref:`runtime_key ` is specified, + // Envoy will lookup the runtime key to get the percentage of requests to filter. + // + // If this field is not specified, the filter will be enabled for all requests. + config.core.v3.RuntimeFractionalPercent filter_enabled = 9; + + // Specifies if the filter is enabled with metadata matcher. + // If this field is not specified, the filter will be enabled for all requests. + // + // .. note:: + // + // This field is only evaluated if the filter is instantiated. If the filter is marked with + // ``disabled: true`` in the :ref:`HttpFilter + // ` + // configuration or in per-route configuration via :ref:`ExtAuthzPerRoute + // `, + // the filter will not be instantiated and this field will have no effect. + // + // .. tip:: + // + // For dynamic filter activation based on metadata (such as metadata set by a preceding + // filter), consider using :ref:`ExtensionWithMatcher + // ` instead. This + // provides a more flexible matching framework that can evaluate conditions before filter + // instantiation. See the :ref:`ext_authz filter documentation + // ` for examples. + type.matcher.v3.MetadataMatcher filter_enabled_metadata = 14; + + // Specifies whether to deny the requests when the filter is disabled. + // If :ref:`runtime_key ` is specified, + // Envoy will lookup the runtime key to determine whether to deny requests for filter-protected paths + // when the filter is disabled. If the filter is disabled in ``typed_per_filter_config`` for the path, + // requests will not be denied. + // + // If this field is not specified, all requests will be allowed when disabled. + // + // If a request is denied due to this setting, the response code in :ref:`status_on_error + // ` will + // be returned. + config.core.v3.RuntimeFeatureFlag deny_at_disable = 11; + + // Specifies if the peer certificate is sent to the external service. + // + // When this field is ``true``, Envoy will include the peer X.509 certificate, if available, in the + // :ref:`certificate`. + bool include_peer_certificate = 10; + + // Optional additional prefix to use when emitting statistics. This allows distinguishing + // emitted statistics between configured ``ext_authz`` filters in an HTTP filter chain. For example: + // + // .. code-block:: yaml + // + // http_filters: + // - name: envoy.filters.http.ext_authz + // typed_config: + // "@type": type.googleapis.com/envoy.extensions.filters.http.ext_authz.v3.ExtAuthz + // stat_prefix: waf # This emits ext_authz.waf.ok, ext_authz.waf.denied, etc. + // - name: envoy.filters.http.ext_authz + // typed_config: + // "@type": type.googleapis.com/envoy.extensions.filters.http.ext_authz.v3.ExtAuthz + // stat_prefix: blocker # This emits ext_authz.blocker.ok, ext_authz.blocker.denied, etc. + // + string stat_prefix = 13; + + // Optional labels that will be passed to :ref:`labels` in + // :ref:`destination`. + // The labels will be read from :ref:`metadata` with the specified key. + string bootstrap_metadata_labels_key = 15; + + // Check request to authorization server will include the client request headers that have a correspondent match + // in the list. If this option isn't specified, then + // all client request headers are included in the check request to a gRPC authorization server, whereas no client request headers + // (besides the ones allowed by default - see note below) are included in the check request to an HTTP authorization server. + // This inconsistency between gRPC and HTTP servers is to maintain backwards compatibility with legacy behavior. + // + // .. note:: + // + // For requests to an HTTP authorization server: in addition to the user's supplied matchers, ``Host``, ``Method``, ``Path``, + // ``Content-Length``, and ``Authorization`` are **additionally included** in the list. + // + // .. note:: + // + // For requests to an HTTP authorization server: the value of ``Content-Length`` will be set to ``0`` and the request to the + // authorization server will not have a message body. However, the check request can include the buffered + // client request body (controlled by :ref:`with_request_body + // ` setting); + // consequently, the value of ``Content-Length`` in the authorization request reflects the size of its payload. + // + // .. note:: + // + // This can be overridden by the field ``disallowed_headers`` below. That is, if a header + // matches for both ``allowed_headers`` and ``disallowed_headers``, the header will NOT be sent. + type.matcher.v3.ListStringMatcher allowed_headers = 17; + + // If set, specifically disallow any header in this list to be forwarded to the external + // authentication server. This overrides the above ``allowed_headers`` if a header matches both. + type.matcher.v3.ListStringMatcher disallowed_headers = 25; + + // Specifies if the TLS session level details like SNI are sent to the external service. + // + // When this field is ``true``, Envoy will include the SNI name used for TLSClientHello, if available, in the + // :ref:`tls_session`. + bool include_tls_session = 18; + + // Whether to increment cluster statistics (e.g. cluster..upstream_rq_*) on authorization failure. + // Defaults to ``true``. + google.protobuf.BoolValue charge_cluster_response_stats = 20; + + // Whether to encode the raw headers (i.e., unsanitized values and unconcatenated multi-line headers) + // in the authorization request. Works with both HTTP and gRPC clients. + // + // When this is set to ``true``, header values are not sanitized. Headers with the same key will also + // not be combined into a single, comma-separated header. + // Requests to gRPC services will populate the field + // :ref:`header_map`. + // Requests to HTTP services will be constructed with the unsanitized header values and preserved + // multi-line headers with the same key. + // + // If this field is set to ``false``, header values will be sanitized, with any non-UTF-8-compliant + // bytes replaced with ``'!'``. Headers with the same key will have their values concatenated into a + // single comma-separated header value. + // Requests to gRPC services will populate the field + // :ref:`headers`. + // Requests to HTTP services will have their header values sanitized and will not preserve + // multi-line headers with the same key. + // + // It is recommended to set this to ``true`` unless you rely on the previous behavior. + // + // It is set to ``false`` by default for backwards compatibility. + bool encode_raw_headers = 23; + + // Rules for what modifications an ext_authz server may make to the request headers before + // continuing decoding or forwarding upstream. + // + // If set, enables header mutation checking against the configured rules. Note that + // :ref:`HeaderMutationRules ` + // has defaults that change ext_authz behavior. Also note that if this field is set, + // ext_authz can no longer append to ``:``-prefixed headers. + // + // If unset, header mutation rule checking is completely disabled. + // + // Regardless of what is configured here, ext_authz cannot remove ``:``-prefixed headers. + // + // This field and ``validate_mutations`` have different use cases. ``validate_mutations`` enables + // correctness checks for all header and query parameter mutations (for example, invalid characters). + // This field allows the filter to reject mutations to specific headers. + config.common.mutation_rules.v3.HeaderMutationRules decoder_header_mutation_rules = 26; + + // Enable or disable ingestion of dynamic metadata from the ext_authz service. + // + // If ``false``, the filter will ignore dynamic metadata injected by the ext_authz service. If the + // ext_authz service tries injecting dynamic metadata, the filter will log, increment the + // ``ignored_dynamic_metadata`` stat, then continue handling the response. + // + // If ``true``, the filter will ingest dynamic metadata entries as normal. + // + // If unset, defaults to ``true``. + google.protobuf.BoolValue enable_dynamic_metadata_ingestion = 27; + + // Additional metadata to be added to the filter state for logging purposes. The metadata will be + // added to StreamInfo's filter state under the namespace corresponding to the ext_authz filter + // name. + google.protobuf.Struct filter_metadata = 28; + + // When set to ``true``, the filter will emit per-stream stats for access logging. The filter state + // key will be the same as the filter name. + // + // If using Envoy gRPC, emits latency, bytes sent / received, upstream info, and upstream cluster + // info. If not using Envoy gRPC, emits only latency. + // + // .. note:: + // Stats are ONLY added to filter state if a check request is actually made to an ext_authz service. + // + // If this is ``false`` the filter will not emit stats, but filter_metadata will still be respected if + // it has a value. + // + // Field ``latency_us`` is exposed for CEL and logging when using gRPC or HTTP service. + // Fields ``bytesSent`` and ``bytesReceived`` are exposed for CEL and logging only when using gRPC service. + bool emit_filter_state_stats = 29; + + // Sets the maximum size (in bytes) of the response body that the filter will send downstream + // when a request is denied by the external authorization service. + // + // If the authorization server returns a response body larger than this configured limit, + // the body will be truncated to ``max_denied_response_body_bytes`` before being sent to the + // downstream client. + // + // If this field is not set or is set to 0, no truncation will occur, and the entire + // denied response body will be forwarded. + uint32 max_denied_response_body_bytes = 30; + + // When set to ``true``, the filter will enforce the response header map's count and size limits + // by sending a local reply when those limits are violated. + // + // When set to ``false``, the filter will ignore the response header map's limits and add / set + // all response headers as specified by the external authorization service. + // + // Recommendation: enable if the external authorization service is not trusted. Otherwise, leave + // it ``false``. + // + // Defaults to ``false``. + bool enforce_response_header_limits = 31; +} + +// Configuration for buffering the request data. +message BufferSettings { + option (udpa.annotations.versioning).previous_message_type = + "envoy.config.filter.http.ext_authz.v2.BufferSettings"; + + // Sets the maximum size of a message body that the filter will hold in memory. Envoy will return + // ``HTTP 413`` and will *not* initiate the authorization process when the buffer reaches the size + // set in this field. + // + // .. note:: + // This setting will have precedence over :ref:`failure_mode_allow + // `. + uint32 max_request_bytes = 1 [(validate.rules).uint32 = {gt: 0}]; + + // When this field is ``true``, Envoy will buffer the message until ``max_request_bytes`` is reached. + // The authorization request will be dispatched and no 413 HTTP error will be returned by the + // filter. + // + // Defaults to ``false``. + bool allow_partial_message = 2; + + // If ``true``, the body sent to the external authorization service is set as raw bytes and populates + // :ref:`raw_body` + // in the HTTP request attribute context. Otherwise, :ref:`body + // ` will be populated + // with a UTF-8 string request body. + // + // This field only affects configurations using a :ref:`grpc_service + // `. In configurations that use + // an :ref:`http_service `, this + // has no effect. + // + // Defaults to ``false``. + bool pack_as_bytes = 3; +} + +// HttpService is used for raw HTTP communication between the filter and the authorization service. +// When configured, the filter will parse the client request and use these attributes to call the +// authorization server. Depending on the response, the filter may reject or accept the client +// request. +// +// .. note:: +// In any of these events, metadata can be added, removed or overridden by the filter: +// +// On authorization request, a list of allowed request headers may be supplied. See +// :ref:`allowed_headers +// ` +// for details. Additional headers metadata may be added to the authorization request. See +// :ref:`headers_to_add +// ` for +// details. +// +// On authorization response status ``HTTP 200 OK``, the filter will allow traffic to the upstream and +// additional headers metadata may be added to the original client request. See +// :ref:`allowed_upstream_headers +// ` +// for details. Additionally, the filter may add additional headers to the client's response. See +// :ref:`allowed_client_headers_on_success +// ` +// for details. +// +// On other authorization response statuses, the filter will not allow traffic. Additional headers +// metadata as well as body may be added to the client's response. See :ref:`allowed_client_headers +// ` +// for details. +// [#next-free-field: 10] +message HttpService { + option (udpa.annotations.versioning).previous_message_type = + "envoy.config.filter.http.ext_authz.v2.HttpService"; + + reserved 3, 4, 5, 6; + + // Sets the HTTP server URI which the authorization requests must be sent to. + config.core.v3.HttpUri server_uri = 1; + + // Sets a prefix to the value of authorization request header ``Path``. + string path_prefix = 2; + + // Settings used for controlling authorization request metadata. + AuthorizationRequest authorization_request = 7; + + // Settings used for controlling authorization response metadata. + AuthorizationResponse authorization_response = 8; + + // Optional retry policy for requests to the authorization server. + // If not set, no retries will be performed. + // + // .. note:: + // When this field is set, the ``ext_authz`` filter will buffer the request body for retry purposes. + config.core.v3.RetryPolicy retry_policy = 9; +} + +message AuthorizationRequest { + option (udpa.annotations.versioning).previous_message_type = + "envoy.config.filter.http.ext_authz.v2.AuthorizationRequest"; + + // Authorization request includes the client request headers that have a corresponding match + // in the list. + // This field has been deprecated in favor of :ref:`allowed_headers + // `. + // + // .. note:: + // + // In addition to the user's supplied matchers, ``Host``, ``Method``, ``Path``, + // ``Content-Length``, and ``Authorization`` are **automatically included** in the list. + // + // .. note:: + // + // By default, the ``Content-Length`` header is set to ``0`` and the request to the authorization + // service has no message body. However, the authorization request *may* include the buffered + // client request body (controlled by :ref:`with_request_body + // ` + // setting); hence the value of its ``Content-Length`` reflects the size of its payload. + // + type.matcher.v3.ListStringMatcher allowed_headers = 1 + [deprecated = true, (envoy.annotations.deprecated_at_minor_version) = "3.0"]; + + // Sets a list of headers that will be included in the request to the authorization service. + // + // .. note:: + // Client request headers with the same key will be overridden. + repeated config.core.v3.HeaderValue headers_to_add = 2; +} + +// [#next-free-field: 6] +message AuthorizationResponse { + option (udpa.annotations.versioning).previous_message_type = + "envoy.config.filter.http.ext_authz.v2.AuthorizationResponse"; + + // When this list is set, authorization + // response headers that have a correspondent match will be added to the original client request. + // + // .. note:: + // Existing headers will be overridden. + type.matcher.v3.ListStringMatcher allowed_upstream_headers = 1; + + // When this list is set, authorization + // response headers that have a correspondent match will be added to the original client request. + // + // .. note:: + // Existing headers will be appended. + type.matcher.v3.ListStringMatcher allowed_upstream_headers_to_append = 3; + + // When this list is set, authorization + // response headers that have a correspondent match will be added to the client's response. + // When a header is included in this list, ``Path``, ``Status``, ``Content-Length``, ``WWW-Authenticate`` and + // ``Location`` are automatically added. + // + // .. note:: + // When this list is *not* set, all the authorization response headers, except + // ``Authority (Host)``, will be in the response to the client. + type.matcher.v3.ListStringMatcher allowed_client_headers = 2; + + // When this list is set, authorization + // response headers that have a correspondent match will be added to the client's response when + // the authorization response itself is successful, i.e. not failed or denied. When this list is + // *not* set, no additional headers will be added to the client's response on success. + type.matcher.v3.ListStringMatcher allowed_client_headers_on_success = 4; + + // When this list is set, authorization + // response headers that have a correspondent match will be emitted as dynamic metadata to be consumed + // by the next filter. This metadata lives in a namespace specified by the canonical name of extension filter + // that requires it: + // + // - :ref:`envoy.filters.http.ext_authz ` for HTTP filter. + // - :ref:`envoy.filters.network.ext_authz ` for network filter. + type.matcher.v3.ListStringMatcher dynamic_metadata_from_headers = 5; +} + +// Extra settings on a per virtualhost/route/weighted-cluster level. +message ExtAuthzPerRoute { + option (udpa.annotations.versioning).previous_message_type = + "envoy.config.filter.http.ext_authz.v2.ExtAuthzPerRoute"; + + oneof override { + option (validate.required) = true; + + // Disable the ext auth filter for this particular vhost or route. + // If disabled is specified in multiple per-filter-configs, the most specific one will be used. + // If the filter is disabled by default and this is set to ``false``, the filter will be enabled + // for this vhost or route. + bool disabled = 1; + + // Check request settings for this route. + CheckSettings check_settings = 2 [(validate.rules).message = {required: true}]; + } +} + +// Extra settings for the check request. +// [#next-free-field: 6] +message CheckSettings { + option (udpa.annotations.versioning).previous_message_type = + "envoy.config.filter.http.ext_authz.v2.CheckSettings"; + + // Context extensions to set on the CheckRequest's + // :ref:`AttributeContext.context_extensions` + // + // You can use this to provide extra context for the external authorization server on specific + // virtual hosts/routes. For example, adding a context extension on the virtual host level can + // give the ext-authz server information on what virtual host is used without needing to parse the + // host header. If CheckSettings is specified in multiple per-filter-configs, they will be merged + // in order, and the result will be used. + // + // Merge semantics for this field are such that keys from more specific configs override. + // + // .. note:: + // These settings are only applied to a filter configured with a + // :ref:`grpc_service`. + map context_extensions = 1 [(udpa.annotations.sensitive) = true]; + + // When set to ``true``, disable the configured :ref:`with_request_body + // ` for a specific route. + // + // Only one of ``disable_request_body_buffering`` and + // :ref:`with_request_body ` + // may be specified. + bool disable_request_body_buffering = 2; + + // Enable or override request body buffering, which is configured using the + // :ref:`with_request_body ` + // option for a specific route. + // + // Only one of ``with_request_body`` and + // :ref:`disable_request_body_buffering ` + // may be specified. + BufferSettings with_request_body = 3; + + // Override the external authorization service for this route. + // This allows different routes to use different external authorization service backends + // and service types (gRPC or HTTP). If specified, this overrides the filter-level service + // configuration regardless of the original service type. + oneof service_override { + // Override with a gRPC service configuration. + config.core.v3.GrpcService grpc_service = 4; + + // Override with an HTTP service configuration. + HttpService http_service = 5; + } +} diff --git a/grpc-xds/proto/third_party/envoy/envoy/extensions/filters/http/ext_proc/v3/ext_proc.proto b/grpc-xds/proto/third_party/envoy/envoy/extensions/filters/http/ext_proc/v3/ext_proc.proto new file mode 100644 index 000000000..b07811d52 --- /dev/null +++ b/grpc-xds/proto/third_party/envoy/envoy/extensions/filters/http/ext_proc/v3/ext_proc.proto @@ -0,0 +1,500 @@ +syntax = "proto3"; + +package envoy.extensions.filters.http.ext_proc.v3; + +import "envoy/config/common/mutation_rules/v3/mutation_rules.proto"; +import "envoy/config/core/v3/base.proto"; +import "envoy/config/core/v3/extension.proto"; +import "envoy/config/core/v3/grpc_service.proto"; +import "envoy/config/core/v3/http_service.proto"; +import "envoy/extensions/filters/http/ext_proc/v3/processing_mode.proto"; +import "envoy/type/matcher/v3/string.proto"; +import "envoy/type/v3/http_status.proto"; + +import "google/protobuf/duration.proto"; +import "google/protobuf/struct.proto"; +import "google/protobuf/wrappers.proto"; + +import "xds/annotations/v3/status.proto"; + +import "envoy/annotations/deprecation.proto"; +import "udpa/annotations/migrate.proto"; +import "udpa/annotations/status.proto"; +import "validate/validate.proto"; + +option java_package = "io.envoyproxy.envoy.extensions.filters.http.ext_proc.v3"; +option java_outer_classname = "ExtProcProto"; +option java_multiple_files = true; +option go_package = "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/http/ext_proc/v3;ext_procv3"; +option (udpa.annotations.file_status).package_version_status = ACTIVE; + +// [#protodoc-title: External Processing Filter] +// External Processing Filter +// [#extension: envoy.filters.http.ext_proc] + +// The External Processing filter allows an external service to act on HTTP traffic in a flexible way. + +// The filter communicates with an external gRPC service called an "external processor" +// that can do a variety of things with the request and response: +// +// * Access and modify the HTTP headers on the request, response, or both. +// * Access and modify the HTTP request and response bodies. +// * Access and modify the dynamic stream metadata. +// * Immediately send an HTTP response downstream and terminate other processing. +// +// The filter communicates with the server using a gRPC bidirectional stream. After the initial +// request, the external server is in control over what additional data is sent to it +// and how it should be processed. +// +// By implementing the protocol specified by the stream, the external server can choose: +// +// * Whether it receives the response message at all. +// * Whether it receives the message body at all, in separate chunks, or as a single buffer. +// * To modify request or response trailers if they already exist. +// +// The filter supports up to six different processing steps. Each is represented by +// a gRPC stream message that is sent to the external processor. For each message, the +// processor must send a matching response. +// +// * Request headers: Contains the headers from the original HTTP request. +// * Request body: If the body is present, the behavior depends on the +// body send mode. In ``BUFFERED`` or ``BUFFERED_PARTIAL`` mode, the body is sent to the external +// processor in a single message. In ``STREAMED`` or ``FULL_DUPLEX_STREAMED`` mode, the body will +// be split across multiple messages sent to the external processor. In ``GRPC`` mode, as each +// gRPC message arrives, it will be sent to the external processor (there will be exactly one +// gRPC message in each message sent to the external processor). In ``NONE`` mode, the body will +// not be sent to the external processor. +// * Request trailers: Delivered if they are present and if the trailer mode is set +// to ``SEND``. +// * Response headers: Contains the headers from the HTTP response. Keep in mind +// that if the upstream system sends them before processing the request body that +// this message may arrive before the complete body. +// * Response body: Sent according to the processing mode like the request body. +// * Response trailers: Delivered according to the processing mode like the +// request trailers. +// +// By default, the processor sends only the request and response headers messages. +// This may be changed to include any of the six steps by changing the ``processing_mode`` +// setting of the filter configuration, or by setting the ``mode_override`` of any response +// from the external processor. The latter is only enabled if ``allow_mode_override`` is +// set to true. This way, a processor may, for example, use information +// in the request header to determine whether the message body must be examined, or whether +// the data plane should simply stream it straight through. +// +// All of this together allows a server to process the filter traffic in fairly +// sophisticated ways. For example: +// +// * A server may choose to examine all or part of the HTTP message bodies depending +// on the content of the headers. +// * A server may choose to immediately reject some messages based on their HTTP +// headers (or other dynamic metadata) and more carefully examine others. +// +// The protocol itself is based on a bidirectional gRPC stream. The data plane will send the server +// :ref:`ProcessingRequest ` +// messages, and the server must reply with +// :ref:`ProcessingResponse `. +// +// Stats about each gRPC call are recorded in a :ref:`dynamic filter state +// ` object in a namespace matching the filter +// name. +// +// [#next-free-field: 26] +message ExternalProcessor { + // Describes the route cache action to be taken when an external processor response + // is received in response to request headers. + enum RouteCacheAction { + // The default behavior is to clear the route cache only when the + // :ref:`clear_route_cache ` + // field is set in an external processor response. + DEFAULT = 0; + + // Always clear the route cache irrespective of the ``clear_route_cache`` bit in + // the external processor response. + CLEAR = 1; + + // Do not clear the route cache irrespective of the ``clear_route_cache`` bit in + // the external processor response. Setting to ``RETAIN`` is equivalent to setting the + // :ref:`disable_clear_route_cache ` + // to true. + RETAIN = 2; + } + + reserved 4; + + reserved "async_mode"; + + // Configuration for the gRPC service that the filter will communicate with. + // Only one of ``grpc_service`` or ``http_service`` can be set. + // It is required that one of them must be set. + config.core.v3.GrpcService grpc_service = 1 + [(udpa.annotations.field_migrate).oneof_promotion = "ext_proc_service_type"]; + + // Configuration for the HTTP service that the filter will communicate with. + // Only one of ``http_service`` or + // :ref:`grpc_service ` + // can be set. It is required that one of them must be set. + // + // If ``http_service`` is set, the + // :ref:`processing_mode ` + // cannot be configured to send any body or trailers. i.e., ``http_service`` only supports + // sending request or response headers to the side stream server. + // + // With this configuration, the data plane behavior is: + // + // 1. The headers are first put in a proto message + // :ref:`ProcessingRequest `. + // + // 2. This proto message is then transcoded into a JSON text. + // + // 3. The data plane then sends an HTTP POST message with content-type as "application/json", + // and this JSON text as body to the side stream server. + // + // After the side-stream receives this HTTP request message, it is expected to do as follows: + // + // 1. It converts the body, which is a JSON string, into a ``ProcessingRequest`` + // proto message to examine and mutate the headers. + // + // 2. It then sets the mutated headers into a new proto message + // :ref:`ProcessingResponse `. + // + // 3. It converts the ``ProcessingResponse`` proto message into a JSON text. + // + // 4. It then sends an HTTP response back to the data plane with status code as ``"200"``, + // ``content-type`` as ``"application/json"`` and sets the JSON text as the body. + // + ExtProcHttpService http_service = 20 [ + (udpa.annotations.field_migrate).oneof_promotion = "ext_proc_service_type", + (xds.annotations.v3.field_status).work_in_progress = true + ]; + + // By default, if in the following cases: + // + // 1. The gRPC stream cannot be established. + // + // 2. The gRPC stream is closed prematurely with an error. + // + // 3. The external processing timeouts. + // + // 4. The ext_proc server sends back spurious response messages. + // + // The filter will fail and a local reply with error code + // 504(for timeout case) or 500(for all other cases), will be sent to the downstream. + // + // However, with this parameter set to true and if the above cases happen, the processing + // continues without error. + // + bool failure_mode_allow = 2; + + // Specifies default options for how HTTP headers, trailers, and bodies are + // sent. See ``ProcessingMode`` for details. + ProcessingMode processing_mode = 3; + + // The data plane provides a number of :ref:`attributes ` + // for expressive policies. Each attribute name provided in this field will be + // matched against that list and populated in the + // :ref:`ProcessingRequest.attributes ` field. + // See the :ref:`attribute documentation ` + // for the list of supported attributes and their types. + repeated string request_attributes = 5; + + // The data plane provides a number of :ref:`attributes ` + // for expressive policies. Each attribute name provided in this field will be + // matched against that list and populated in the + // :ref:`ProcessingRequest.attributes ` field. + // See the :ref:`attribute documentation ` + // for the list of supported attributes and their types. + repeated string response_attributes = 6; + + // Specifies the timeout for each individual message sent on the stream. + // Whenever the data plane sends a message on the stream that requires a + // response, it will reset this timer, and will stop processing and return + // an error (subject to the processing mode) if the timer expires before a + // matching response is received. There is no timeout when the filter is + // running in observability mode or when the body send mode is + // ``FULL_DUPLEX_STREAMED`` or ``GRPC``. Zero is a valid config which means + // the timer will be triggered immediately. If not configured, default is + // 200 milliseconds. + google.protobuf.Duration message_timeout = 7 [(validate.rules).duration = { + lte {seconds: 3600} + gte {} + }]; + + // Optional additional prefix to use when emitting statistics. This allows to distinguish + // emitted statistics between configured ``ext_proc`` filters in an HTTP filter chain. + string stat_prefix = 8; + + // Rules that determine what modifications an external processing server may + // make to message headers. If not set, all headers may be modified except + // for "host", ":authority", ":scheme", ":method", and headers that start + // with the header prefix set via + // :ref:`header_prefix ` + // (which is usually "x-envoy"). + // Note that changing headers such as "host" or ":authority" may not in itself + // change the data plane's routing decision, as routes can be cached. To also force the + // route to be recomputed, set the + // :ref:`clear_route_cache ` + // field to true in the same response. + config.common.mutation_rules.v3.HeaderMutationRules mutation_rules = 9; + + // Specify the upper bound of + // :ref:`override_message_timeout ` + // If not specified, by default it is 0, which will effectively disable the ``override_message_timeout`` API. + google.protobuf.Duration max_message_timeout = 10 [(validate.rules).duration = { + lte {seconds: 3600} + gte {} + }]; + + // Allow headers matching the ``forward_rules`` to be forwarded to the external processing server. + // If not set, all headers are forwarded to the external processing server. + HeaderForwardingRules forward_rules = 12; + + // Additional metadata to be added to the filter state for logging purposes. The metadata + // will be added to StreamInfo's filter state under the namespace corresponding to the + // ext_proc filter name. + google.protobuf.Struct filter_metadata = 13; + + // If ``allow_mode_override`` is set to true, the filter config :ref:`processing_mode + // ` + // can be overridden by the response message from the external processing server + // :ref:`mode_override `. + // If not set, ``mode_override`` API in the response message will be ignored. + // Mode override is not supported if the body send mode is ``FULL_DUPLEX_STREAMED``. + bool allow_mode_override = 14; + + // If set to true, ignore the + // :ref:`immediate_response ` + // message in an external processor response. In such case, no local reply will be sent. + // Instead, the stream to the external processor will be closed. There will be no + // more external processing for this stream from now on. + bool disable_immediate_response = 15; + + // Options related to the sending and receiving of dynamic metadata. + MetadataOptions metadata_options = 16; + + // If true, send each part of the HTTP request or response specified by ``ProcessingMode`` + // without pausing on filter chain iteration. It is "Send and Go" mode that can be used + // by external processor to observe the request's data and status. In this mode: + // + // 1. Only ``STREAMED``, ``GRPC``, and ``NONE`` body processing modes are supported; for any + // other body processing mode, the body will not be sent. + // + // 2. External processor should not send back processing response, as any responses will be ignored. + // This also means that + // :ref:`message_timeout ` + // restriction doesn't apply to this mode. + // + // 3. External processor may still close the stream to indicate that no more messages are needed. + // + // .. warning:: + // + // Flow control is a necessary mechanism to prevent the fast sender (either downstream client or upstream server) + // from overwhelming the external processor when its processing speed is slower. + // This protective measure is being explored and developed but has not been ready yet, so please use your own + // discretion when enabling this feature. + // This work is currently tracked under https://github.com/envoyproxy/envoy/issues/33319. + // + bool observability_mode = 17; + + // Prevents clearing the route-cache when the + // :ref:`clear_route_cache ` + // field is set in an external processor response. + // Only one of ``disable_clear_route_cache`` or ``route_cache_action`` can be set. + // It is recommended to set ``route_cache_action`` which supersedes ``disable_clear_route_cache``. + bool disable_clear_route_cache = 11 + [(udpa.annotations.field_migrate).oneof_promotion = "clear_route_cache_type"]; + + // Specifies the action to be taken when an external processor response is + // received in response to request headers. It is recommended to set this field rather than set + // :ref:`disable_clear_route_cache `. + // Only one of ``disable_clear_route_cache`` or ``route_cache_action`` can be set. + RouteCacheAction route_cache_action = 18 + [(udpa.annotations.field_migrate).oneof_promotion = "clear_route_cache_type"]; + + // Specifies the deferred closure timeout for gRPC stream that connects to external processor. Currently, the deferred stream closure + // is only used in :ref:`observability_mode `. + // In observability mode, gRPC streams may be held open to the external processor longer than the lifetime of the regular client to + // backend stream lifetime. In this case, the data plane will eventually timeout the external processor stream according to this time limit. + // The default value is 5000 milliseconds (5 seconds) if not specified. + google.protobuf.Duration deferred_close_timeout = 19; + + // Send body to the side stream server once it arrives without waiting for the header response from that server. + // It only works for ``STREAMED`` body processing mode. For any other body + // processing modes, it is ignored. + // The server has two options upon receiving a header request: + // + // 1. Instant Response: send the header response as soon as the header request is received. + // + // 2. Delayed Response: wait for the body before sending any response. + // + // In all scenarios, the header-body ordering must always be maintained. + // + // If enabled the data plane will ignore the + // :ref:`mode_override ` + // value that the server sends in the header response. This is because the data plane may have already + // sent the body to the server, prior to processing the header response. + bool send_body_without_waiting_for_header_response = 21; + + // When :ref:`allow_mode_override + // ` is enabled and + // ``allowed_override_modes`` is configured, the filter config :ref:`processing_mode + // ` + // can only be overridden by the response message from the external processing server iff the + // :ref:`mode_override ` is allowed by + // the ``allowed_override_modes`` allow-list below. + // Since ``request_header_mode`` is not applicable in any way, it's ignored in comparison. + repeated ProcessingMode allowed_override_modes = 22; + + // Decorator to introduce custom logic that runs after the ``ProcessingRequest`` is constructed, but + // before it is sent to the External Processor. The ``ProcessingRequest`` may be modified. + // + // .. note:: + // Processing request modifiers are currently in alpha. + // + // [#extension-category: envoy.http.ext_proc.processing_request_modifiers] + config.core.v3.TypedExtensionConfig processing_request_modifier = 25 + [(xds.annotations.v3.field_status).work_in_progress = true]; + + // Decorator to introduce custom logic that runs after a message received from + // the External Processor is processed, but before continuing filter chain iteration. + // + // .. note:: + // Response processors are currently in alpha. + // + // [#extension-category: envoy.http.ext_proc.response_processors] + config.core.v3.TypedExtensionConfig on_processing_response = 23 + [(xds.annotations.v3.field_status).work_in_progress = true]; + + // Sets the HTTP status code that is returned to the client when the external processing server returns + // an error, fails to respond, or cannot be reached. + // + // The default status is ``HTTP 500 Internal Server Error``. + type.v3.HttpStatus status_on_error = 24; +} + +// ExtProcHttpService is used for HTTP communication between the filter and the external processing service. +message ExtProcHttpService { + // Sets the HTTP service which the external processing requests must be sent to. + config.core.v3.HttpService http_service = 1; +} + +// The MetadataOptions structure defines options for the sending and receiving of +// dynamic metadata. Specifically, which namespaces to send to the server, whether +// metadata returned by the server may be written, and how that metadata may be written. +message MetadataOptions { + message MetadataNamespaces { + // Specifies a list of metadata namespaces whose values, if present, + // will be passed to the ``ext_proc`` service as an opaque ``protobuf::Struct``. + repeated string untyped = 1; + + // Specifies a list of metadata namespaces whose values, if present, + // will be passed to the ``ext_proc`` service as a ``protobuf::Any``. This allows + // envoy and the external processing server to share the protobuf message + // definition for safe parsing. + repeated string typed = 2; + } + + // Describes which typed or untyped filter dynamic metadata namespaces to forward to + // the external processing server. + MetadataNamespaces forwarding_namespaces = 1; + + // Describes which typed or untyped filter dynamic metadata namespaces to accept from + // the external processing server. Set to empty or leave unset to disallow writing + // any received dynamic metadata. Receiving of typed metadata is not supported. + MetadataNamespaces receiving_namespaces = 2; + + // Describes which cluster metadata namespaces to forward to + // the external processing server. + // .. note:: + // This is the least specific metadata. Should there be any namespace collision, + // cluster level metadata can be overridden by filter metadata. + MetadataNamespaces cluster_metadata_forwarding_namespaces = 3; +} + +// The HeaderForwardingRules structure specifies what headers are +// allowed to be forwarded to the external processing server. +// +// This works as below: +// +// 1. If neither ``allowed_headers`` nor ``disallowed_headers`` is set, all headers are forwarded. +// 2. If both ``allowed_headers`` and ``disallowed_headers`` are set, only headers in the +// ``allowed_headers`` but not in the ``disallowed_headers`` are forwarded. +// 3. If ``allowed_headers`` is set, and ``disallowed_headers`` is not set, only headers in +// the ``allowed_headers`` are forwarded. +// 4. If ``disallowed_headers`` is set, and ``allowed_headers`` is not set, all headers except +// headers in the ``disallowed_headers`` are forwarded. +message HeaderForwardingRules { + // If set, specifically allow any header in this list to be forwarded to the external + // processing server. This can be overridden by the below ``disallowed_headers``. + type.matcher.v3.ListStringMatcher allowed_headers = 1; + + // If set, specifically disallow any header in this list to be forwarded to the external + // processing server. This overrides the above ``allowed_headers`` if a header matches both. + type.matcher.v3.ListStringMatcher disallowed_headers = 2; +} + +// Extra settings that may be added to per-route configuration for a +// virtual host or cluster. +message ExtProcPerRoute { + oneof override { + option (validate.required) = true; + + // Disable the filter for this particular vhost or route. + // If disabled is specified in multiple per-filter-configs, the most specific one will be used. + bool disabled = 1 [(validate.rules).bool = {const: true}]; + + // Override aspects of the configuration for this route. A set of + // overrides in a more specific configuration will override a "disabled" + // flag set in a less-specific one. + ExtProcOverrides overrides = 2; + } +} + +// Overrides that may be set on a per-route basis +// [#next-free-field: 10] +message ExtProcOverrides { + // Set a different processing mode for this route than the default. + ProcessingMode processing_mode = 1; + + // [#not-implemented-hide:] + // Set a different asynchronous processing option than the default. + // Deprecated and not implemented. + bool async_mode = 2 [deprecated = true, (envoy.annotations.deprecated_at_minor_version) = "3.0"]; + + // [#not-implemented-hide:] + // Set different optional attributes than the default setting of the + // ``request_attributes`` field. + repeated string request_attributes = 3; + + // [#not-implemented-hide:] + // Set different optional properties than the default setting of the + // ``response_attributes`` field. + repeated string response_attributes = 4; + + // Set a different gRPC service for this route than the default. + config.core.v3.GrpcService grpc_service = 5; + + // Options related to the sending and receiving of dynamic metadata. + // Lists of forwarding and receiving namespaces will be overridden in their entirety, + // meaning the most-specific config that specifies this override will be the final + // config used. It is the prerogative of the control plane to ensure this + // most-specific config contains the correct final overrides. + MetadataOptions metadata_options = 6; + + // Additional metadata to include into streams initiated to the ``ext_proc`` gRPC + // service. This can be used for scenarios in which additional ad hoc + // authorization headers (e.g. ``x-foo-bar: baz-key``) are to be injected or + // when a route needs to partially override inherited metadata. + repeated config.core.v3.HeaderValue grpc_initial_metadata = 7; + + // If true, the filter will not fail closed if the gRPC stream is prematurely closed + // or could not be opened. This field is the per-route override of + // :ref:`failure_mode_allow `. + google.protobuf.BoolValue failure_mode_allow = 8; + + // Decorator to introduce custom logic that runs after the ``ProcessingRequest`` is constructed, but + // before it is sent to the External Processor. The ``ProcessingRequest`` may be modified. + // This is a per-route override of + // :ref:`processing_request_modifier `. + config.core.v3.TypedExtensionConfig processing_request_modifier = 9 + [(xds.annotations.v3.field_status).work_in_progress = true]; +} diff --git a/grpc-xds/proto/third_party/envoy/envoy/extensions/filters/http/ext_proc/v3/processing_mode.proto b/grpc-xds/proto/third_party/envoy/envoy/extensions/filters/http/ext_proc/v3/processing_mode.proto new file mode 100644 index 000000000..e2ec89462 --- /dev/null +++ b/grpc-xds/proto/third_party/envoy/envoy/extensions/filters/http/ext_proc/v3/processing_mode.proto @@ -0,0 +1,152 @@ +syntax = "proto3"; + +package envoy.extensions.filters.http.ext_proc.v3; + +import "udpa/annotations/status.proto"; +import "validate/validate.proto"; + +option java_package = "io.envoyproxy.envoy.extensions.filters.http.ext_proc.v3"; +option java_outer_classname = "ProcessingModeProto"; +option java_multiple_files = true; +option go_package = "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/http/ext_proc/v3;ext_procv3"; +option (udpa.annotations.file_status).package_version_status = ACTIVE; + +// [#protodoc-title: External Processing Filter] +// External Processing Filter Processing Mode +// [#extension: envoy.filters.http.ext_proc] + +// This configuration describes which parts of an HTTP request and +// response are sent to a remote server and how they are delivered. + +// [#next-free-field: 7] +message ProcessingMode { + // Control how headers and trailers are handled + enum HeaderSendMode { + // When used to configure the ext_proc filter :ref:`processing_mode + // `, + // the default HeaderSendMode depends on which part of the message is being processed. By + // default, request and response headers are sent, while trailers are skipped. + // + // When used in :ref:`mode_override + // ` or + // :ref:`allowed_override_modes + // `, + // a value of DEFAULT indicates that there is no change from the behavior that is configured for + // the filter in :ref:`processing_mode + // `. + DEFAULT = 0; + + // Send the header or trailer. + SEND = 1; + + // Do not send the header or trailer. + SKIP = 2; + } + + // Control how the request and response bodies are handled + // When body mutation by external processor is enabled, ext_proc filter will always remove + // the content length header in four cases below because content length can not be guaranteed + // to be set correctly: + // 1) STREAMED BodySendMode: header processing completes before body mutation comes back. + // 2) BUFFERED_PARTIAL BodySendMode: body is buffered and could be injected in different phases. + // 3) BUFFERED BodySendMode + SKIP HeaderSendMode: header processing (e.g., update content-length) is skipped. + // 4) FULL_DUPLEX_STREAMED BodySendMode: header processing completes before body mutation comes back. + // + // In Envoy's http1 codec implementation, removing content length will enable chunked transfer + // encoding whenever feasible. The recipient (either client or server) must be able + // to parse and decode the chunked transfer coding. + // (see `details in RFC9112 `_). + // + // In BUFFERED BodySendMode + SEND HeaderSendMode, content length header is allowed but it is + // external processor's responsibility to set the content length correctly matched to the length + // of mutated body. If they don't match, the corresponding body mutation will be rejected and + // local reply will be sent with an error message. + enum BodySendMode { + // Do not send the body at all. This is the default. + NONE = 0; + + // Stream the body to the server in pieces as they are seen. + STREAMED = 1; + + // Buffer the message body in memory and send the entire body at once. + // If the body exceeds the configured buffer limit, then the + // downstream system will receive an error. + BUFFERED = 2; + + // Buffer the message body in memory and send the entire body in one + // chunk. If the body exceeds the configured buffer limit, then the body contents + // up to the buffer limit will be sent. + BUFFERED_PARTIAL = 3; + + // The ext_proc client (the data plane) streams the body to the server in pieces as they arrive. + // + // 1) The server may choose to buffer any number chunks of data before processing them. + // After it finishes buffering, the server processes the buffered data. Then it splits the processed + // data into any number of chunks, and streams them back to the ext_proc client one by one. + // The server may continuously do so until the complete body is processed. + // The individual response chunk size is recommended to be no greater than 64K bytes, or + // :ref:`max_receive_message_length ` + // if EnvoyGrpc is used. + // + // 2) The server may also choose to buffer the entire message, including the headers (if header mode is + // ``SEND``), the entire body, and the trailers (if present), before sending back any response. + // The server response has to maintain the headers-body-trailers ordering. + // + // 3) Note that the server might also choose not to buffer data. That is, upon receiving a + // body request, it could process the data and send back a body response immediately. + // + // In this body mode: + // * The corresponding trailer mode has to be set to ``SEND``. + // * The client will send body and trailers (if present) to the server as they arrive. + // Sending the trailers (if present) is to inform the server the complete body arrives. + // In case there are no trailers, then the client will set + // :ref:`end_of_stream ` + // to true as part of the last body chunk request to notify the server that no other data is to be sent. + // * The server needs to send + // :ref:`StreamedBodyResponse ` + // to the client in the body response. + // * The client will stream the body chunks in the responses from the server to the upstream/downstream as they arrive. + + FULL_DUPLEX_STREAMED = 4; + + // [#not-implemented-hide:] + // A mode for gRPC traffic. This is similar to ``FULL_DUPLEX_STREAMED``, + // except that instead of sending raw chunks of the HTTP/2 DATA frames, + // the ext_proc client will de-frame the individual gRPC messages inside + // the HTTP/2 DATA frames, and as each message is de-framed, it will be + // sent to the ext_proc server as a :ref:`request_body + // ` + // or :ref:`response_body + // `. + // The ext_proc server will stream back individual gRPC messages in the + // :ref:`StreamedBodyResponse ` + // field, but the number of messages sent by the ext_proc server + // does not need to equal the number of messages sent by the data + // plane. This allows the ext_proc server to change the number of + // messages sent on the stream. + // In this mode, the client will send body and trailers to the server as + // they arrive. + GRPC = 5; + } + + // How to handle the request header. Default is "SEND". + // Note this field is ignored in :ref:`mode_override + // `, since mode + // overrides can only affect messages exchanged after the request header is processed. + HeaderSendMode request_header_mode = 1 [(validate.rules).enum = {defined_only: true}]; + + // How to handle the response header. Default is "SEND". + HeaderSendMode response_header_mode = 2 [(validate.rules).enum = {defined_only: true}]; + + // How to handle the request body. Default is "NONE". + BodySendMode request_body_mode = 3 [(validate.rules).enum = {defined_only: true}]; + + // How do handle the response body. Default is "NONE". + BodySendMode response_body_mode = 4 [(validate.rules).enum = {defined_only: true}]; + + // How to handle the request trailers. Default is "SKIP". + HeaderSendMode request_trailer_mode = 5 [(validate.rules).enum = {defined_only: true}]; + + // How to handle the response trailers. Default is "SKIP". + HeaderSendMode response_trailer_mode = 6 [(validate.rules).enum = {defined_only: true}]; +} diff --git a/grpc-xds/proto/third_party/envoy/envoy/extensions/filters/http/fault/v3/fault.proto b/grpc-xds/proto/third_party/envoy/envoy/extensions/filters/http/fault/v3/fault.proto new file mode 100644 index 000000000..01f056e79 --- /dev/null +++ b/grpc-xds/proto/third_party/envoy/envoy/extensions/filters/http/fault/v3/fault.proto @@ -0,0 +1,159 @@ +syntax = "proto3"; + +package envoy.extensions.filters.http.fault.v3; + +import "envoy/config/route/v3/route_components.proto"; +import "envoy/extensions/filters/common/fault/v3/fault.proto"; +import "envoy/type/v3/percent.proto"; + +import "google/protobuf/struct.proto"; +import "google/protobuf/wrappers.proto"; + +import "udpa/annotations/status.proto"; +import "udpa/annotations/versioning.proto"; +import "validate/validate.proto"; + +option java_package = "io.envoyproxy.envoy.extensions.filters.http.fault.v3"; +option java_outer_classname = "FaultProto"; +option java_multiple_files = true; +option go_package = "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/http/fault/v3;faultv3"; +option (udpa.annotations.file_status).package_version_status = ACTIVE; + +// [#protodoc-title: Fault Injection] +// Fault Injection :ref:`configuration overview `. +// [#extension: envoy.filters.http.fault] + +// [#next-free-field: 6] +message FaultAbort { + option (udpa.annotations.versioning).previous_message_type = + "envoy.config.filter.http.fault.v2.FaultAbort"; + + // Fault aborts are controlled via an HTTP header (if applicable). See the + // :ref:`HTTP fault filter ` documentation for + // more information. + message HeaderAbort { + option (udpa.annotations.versioning).previous_message_type = + "envoy.config.filter.http.fault.v2.FaultAbort.HeaderAbort"; + } + + reserved 1; + + oneof error_type { + option (validate.required) = true; + + // HTTP status code to use to abort the HTTP request. + uint32 http_status = 2 [(validate.rules).uint32 = {lt: 600 gte: 200}]; + + // gRPC status code to use to abort the gRPC request. + uint32 grpc_status = 5; + + // Fault aborts are controlled via an HTTP header (if applicable). + HeaderAbort header_abort = 4; + } + + // The percentage of requests/operations/connections that will be aborted with the error code + // provided. + type.v3.FractionalPercent percentage = 3; +} + +// [#next-free-field: 17] +message HTTPFault { + option (udpa.annotations.versioning).previous_message_type = + "envoy.config.filter.http.fault.v2.HTTPFault"; + + // If specified, the filter will inject delays based on the values in the + // object. + common.fault.v3.FaultDelay delay = 1; + + // If specified, the filter will abort requests based on the values in + // the object. At least ``abort`` or ``delay`` must be specified. + FaultAbort abort = 2; + + // Specifies the name of the (destination) upstream cluster that the + // filter should match on. Fault injection will be restricted to requests + // bound to the specific upstream cluster. + string upstream_cluster = 3; + + // Specifies a set of headers that the filter should match on. The fault + // injection filter can be applied selectively to requests that match a set of + // headers specified in the fault filter config. The chances of actual fault + // injection further depend on the value of the :ref:`percentage + // ` field. + // The filter will check the request's headers against all the specified + // headers in the filter config. A match will happen if all the headers in the + // config are present in the request with the same values (or based on + // presence if the ``value`` field is not in the config). + repeated config.route.v3.HeaderMatcher headers = 4; + + // Faults are injected for the specified list of downstream hosts. If this + // setting is not set, faults are injected for all downstream nodes. + // Downstream node name is taken from :ref:`the HTTP + // x-envoy-downstream-service-node + // ` header and compared + // against downstream_nodes list. + repeated string downstream_nodes = 5; + + // The maximum number of faults that can be active at a single time via the configured fault + // filter. Note that because this setting can be overridden at the route level, it's possible + // for the number of active faults to be greater than this value (if injected via a different + // route). If not specified, defaults to unlimited. This setting can be overridden via + // ``runtime `` and any faults that are not injected + // due to overflow will be indicated via the ``faults_overflow + // `` stat. + // + // .. attention:: + // Like other :ref:`circuit breakers ` in Envoy, this is a fuzzy + // limit. It's possible for the number of active faults to rise slightly above the configured + // amount due to the implementation details. + google.protobuf.UInt32Value max_active_faults = 6; + + // The response rate limit to be applied to the response body of the stream. When configured, + // the percentage can be overridden by the :ref:`fault.http.rate_limit.response_percent + // ` runtime key. + // + // .. attention:: + // This is a per-stream limit versus a connection level limit. This means that concurrent streams + // will each get an independent limit. + common.fault.v3.FaultRateLimit response_rate_limit = 7; + + // The runtime key to override the :ref:`default ` + // runtime. The default is: fault.http.delay.fixed_delay_percent + string delay_percent_runtime = 8; + + // The runtime key to override the :ref:`default ` + // runtime. The default is: fault.http.abort.abort_percent + string abort_percent_runtime = 9; + + // The runtime key to override the :ref:`default ` + // runtime. The default is: fault.http.delay.fixed_duration_ms + string delay_duration_runtime = 10; + + // The runtime key to override the :ref:`default ` + // runtime. The default is: fault.http.abort.http_status + string abort_http_status_runtime = 11; + + // The runtime key to override the :ref:`default ` + // runtime. The default is: fault.http.max_active_faults + string max_active_faults_runtime = 12; + + // The runtime key to override the :ref:`default ` + // runtime. The default is: fault.http.rate_limit.response_percent + string response_rate_limit_percent_runtime = 13; + + // The runtime key to override the :ref:`default ` + // runtime. The default is: fault.http.abort.grpc_status + string abort_grpc_status_runtime = 14; + + // To control whether stats storage is allocated dynamically for each downstream server. + // If set to true, "x-envoy-downstream-service-cluster" field of header will be ignored by this filter. + // If set to false, dynamic stats storage will be allocated for the downstream cluster name. + // Default value is false. + bool disable_downstream_cluster_stats = 15; + + // When an abort or delay fault is executed, the metadata struct provided here will be added to the + // request's dynamic metadata under the namespace corresponding to the name of the fault filter. + // This data can be logged as part of Access Logs using the :ref:`command operator + // ` %DYNAMIC_METADATA(NAMESPACE)%, where NAMESPACE is the name of + // the fault filter. + google.protobuf.Struct filter_metadata = 16; +} diff --git a/grpc-xds/proto/third_party/envoy/envoy/extensions/filters/http/gcp_authn/v3/gcp_authn.proto b/grpc-xds/proto/third_party/envoy/envoy/extensions/filters/http/gcp_authn/v3/gcp_authn.proto new file mode 100644 index 000000000..f4646389f --- /dev/null +++ b/grpc-xds/proto/third_party/envoy/envoy/extensions/filters/http/gcp_authn/v3/gcp_authn.proto @@ -0,0 +1,87 @@ +syntax = "proto3"; + +package envoy.extensions.filters.http.gcp_authn.v3; + +import "envoy/config/core/v3/base.proto"; +import "envoy/config/core/v3/http_uri.proto"; + +import "google/protobuf/duration.proto"; +import "google/protobuf/wrappers.proto"; + +import "envoy/annotations/deprecation.proto"; +import "udpa/annotations/status.proto"; +import "validate/validate.proto"; + +option java_package = "io.envoyproxy.envoy.extensions.filters.http.gcp_authn.v3"; +option java_outer_classname = "GcpAuthnProto"; +option java_multiple_files = true; +option go_package = "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/http/gcp_authn/v3;gcp_authnv3"; +option (udpa.annotations.file_status).package_version_status = ACTIVE; + +// [#protodoc-title: GCP authentication] +// GCP authentication :ref:`configuration overview `. +// [#extension: envoy.filters.http.gcp_authn] + +// Filter configuration. +// [#next-free-field: 7] +message GcpAuthnFilterConfig { + // The HTTP URI to fetch tokens from GCE Metadata Server(https://cloud.google.com/compute/docs/metadata/overview). + // The URL format is "http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/identity?audience=[AUDIENCE]" + // + // This field is deprecated because it does not match the API surface provided by the google auth libraries. + // Control planes should not attempt to override the metadata server URI. + // The cluster and timeout can be configured using the ``cluster`` and ``timeout`` fields instead. + // For backward compatibility, the cluster and timeout configured in this field will be used + // if the new ``cluster`` and ``timeout`` fields are not set. + config.core.v3.HttpUri http_uri = 1 + [deprecated = true, (envoy.annotations.deprecated_at_minor_version) = "3.0"]; + + // Retry policy for fetching tokens. + // Not supported by all data planes. + config.core.v3.RetryPolicy retry_policy = 2; + + // Token cache configuration. This field is optional. + TokenCacheConfig cache_config = 3; + + // Request header location to extract the token. By default (i.e. if this field is not specified), the token + // is extracted to the Authorization HTTP header, in the format "Authorization: Bearer ". + // Not supported by all data planes. + TokenHeader token_header = 4; + + // Cluster to send traffic to the GCE metadata server. Not supported + // by all data planes; a data plane may instead have its own mechanism + // for contacting the metadata server. + string cluster = 5; + + // Timeout for fetching the tokens from the GCE metadata server. + // Not supported by all data planes. + google.protobuf.Duration timeout = 6 [(validate.rules).duration = { + lt {seconds: 4294967296} + gte {} + }]; +} + +// Audience is the URL of the receiving service that performs token authentication. +// It will be provided to the filter through cluster's typed_filter_metadata. +message Audience { + string url = 1 [(validate.rules).string = {min_len: 1}]; +} + +// Token Cache configuration. +message TokenCacheConfig { + // The number of cache entries. The maximum number of entries is INT64_MAX as it is constrained by underlying cache implementation. + // Default value 0 (i.e., proto3 defaults) disables the cache by default. Other default values will enable the cache. + google.protobuf.UInt64Value cache_size = 1 [(validate.rules).uint64 = {lte: 9223372036854775807}]; +} + +message TokenHeader { + // The HTTP header's name. + string name = 1 + [(validate.rules).string = {min_len: 1 well_known_regex: HTTP_HEADER_NAME strict: false}]; + + // The header's prefix. The format is "value_prefix" + // For example, for "Authorization: Bearer ", value_prefix="Bearer " with a space at the + // end. + string value_prefix = 2 + [(validate.rules).string = {well_known_regex: HTTP_HEADER_VALUE strict: false}]; +} diff --git a/grpc-xds/proto/third_party/envoy/envoy/extensions/filters/http/rate_limit_quota/v3/rate_limit_quota.proto b/grpc-xds/proto/third_party/envoy/envoy/extensions/filters/http/rate_limit_quota/v3/rate_limit_quota.proto new file mode 100644 index 000000000..57b8bdecd --- /dev/null +++ b/grpc-xds/proto/third_party/envoy/envoy/extensions/filters/http/rate_limit_quota/v3/rate_limit_quota.proto @@ -0,0 +1,423 @@ +syntax = "proto3"; + +package envoy.extensions.filters.http.rate_limit_quota.v3; + +import "envoy/config/core/v3/base.proto"; +import "envoy/config/core/v3/extension.proto"; +import "envoy/config/core/v3/grpc_service.proto"; +import "envoy/type/v3/http_status.proto"; +import "envoy/type/v3/ratelimit_strategy.proto"; + +import "google/protobuf/duration.proto"; +import "google/protobuf/wrappers.proto"; +import "google/rpc/status.proto"; + +import "xds/annotations/v3/status.proto"; +import "xds/type/matcher/v3/matcher.proto"; + +import "udpa/annotations/status.proto"; +import "validate/validate.proto"; + +option java_package = "io.envoyproxy.envoy.extensions.filters.http.rate_limit_quota.v3"; +option java_outer_classname = "RateLimitQuotaProto"; +option java_multiple_files = true; +option go_package = "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/http/rate_limit_quota/v3;rate_limit_quotav3"; +option (udpa.annotations.file_status).package_version_status = ACTIVE; +option (xds.annotations.v3.file_status).work_in_progress = true; + +// [#protodoc-title: Rate Limit Quota] +// Rate Limit Quota :ref:`configuration overview `. +// [#extension: envoy.filters.http.rate_limit_quota] + +// Configures the Rate Limit Quota filter. +// +// Can be overridden in the per-route and per-host configurations. +// The more specific definition completely overrides the less specific definition. +// [#next-free-field: 7] +message RateLimitQuotaFilterConfig { + // Configures the gRPC Rate Limit Quota Service (RLQS) RateLimitQuotaService. + config.core.v3.GrpcService rlqs_server = 1 [(validate.rules).message = {required: true}]; + + // The application domain to use when calling the service. This enables sharing the quota + // server between different applications without fear of overlap. + // E.g., "envoy". + string domain = 2 [(validate.rules).string = {min_len: 1}]; + + // The match tree to use for grouping incoming requests into buckets. + // + // Example: + // + // .. validated-code-block:: yaml + // :type-name: xds.type.matcher.v3.Matcher + // + // matcher_list: + // matchers: + // # Assign requests with header['env'] set to 'staging' to the bucket { name: 'staging' } + // - predicate: + // single_predicate: + // input: + // typed_config: + // '@type': type.googleapis.com/envoy.type.matcher.v3.HttpRequestHeaderMatchInput + // header_name: env + // value_match: + // exact: staging + // on_match: + // action: + // typed_config: + // '@type': type.googleapis.com/envoy.extensions.filters.http.rate_limit_quota.v3.RateLimitQuotaBucketSettings + // bucket_id_builder: + // bucket_id_builder: + // name: + // string_value: staging + // + // # Assign requests with header['user_group'] set to 'admin' to the bucket { acl: 'admin_users' } + // - predicate: + // single_predicate: + // input: + // typed_config: + // '@type': type.googleapis.com/xds.type.matcher.v3.HttpAttributesCelMatchInput + // custom_match: + // typed_config: + // '@type': type.googleapis.com/xds.type.matcher.v3.CelMatcher + // expr_match: + // # Shortened for illustration purposes. Here should be parsed CEL expression: + // # request.headers['user_group'] == 'admin' + // parsed_expr: {} + // on_match: + // action: + // typed_config: + // '@type': type.googleapis.com/envoy.extensions.filters.http.rate_limit_quota.v3.RateLimitQuotaBucketSettings + // bucket_id_builder: + // bucket_id_builder: + // acl: + // string_value: admin_users + // + // # Catch-all clause for the requests not matched by any of the matchers. + // # In this example, deny all requests. + // on_no_match: + // action: + // typed_config: + // '@type': type.googleapis.com/envoy.extensions.filters.http.rate_limit_quota.v3.RateLimitQuotaBucketSettings + // no_assignment_behavior: + // fallback_rate_limit: + // blanket_rule: DENY_ALL + // + // .. attention:: + // The first matched group wins. Once the request is matched into a bucket, matcher + // evaluation ends. + // + // Use ``on_no_match`` field to assign the catch-all bucket. If a request is not matched + // into any bucket, and there's no ``on_no_match`` field configured, the request will be + // ALLOWED by default. It will NOT be reported to the RLQS server. + // + // Refer to :ref:`Unified Matcher API ` + // documentation for more information on the matcher trees. + xds.type.matcher.v3.Matcher bucket_matchers = 3 [(validate.rules).message = {required: true}]; + + // If set, this will enable -- but not necessarily enforce -- the rate limit for the given + // fraction of requests. + // + // Defaults to 100% of requests. + config.core.v3.RuntimeFractionalPercent filter_enabled = 4; + + // If set, this will enforce the rate limit decisions for the given fraction of requests. + // For requests that are not enforced the filter will still obtain the quota and include it + // in the load computation, however the request will always be allowed regardless of the outcome + // of quota application. This allows validation or testing of the rate limiting service + // infrastructure without disrupting existing traffic. + // + // Note: this only applies to the fraction of enabled requests. + // + // Defaults to 100% of requests. + config.core.v3.RuntimeFractionalPercent filter_enforced = 5; + + // Specifies a list of HTTP headers that should be added to each request that + // has been rate limited and is also forwarded upstream. This can only occur when the + // filter is enabled but not enforced. + repeated config.core.v3.HeaderValueOption request_headers_to_add_when_not_enforced = 6 + [(validate.rules).repeated = {max_items: 10}]; +} + +// Per-route and per-host configuration overrides. The more specific definition completely +// overrides the less specific definition. +message RateLimitQuotaOverride { + // The application domain to use when calling the service. This enables sharing the quota + // server between different applications without fear of overlap. + // E.g., "envoy". + // + // If empty, inherits the value from the less specific definition. + string domain = 1; + + // The match tree to use for grouping incoming requests into buckets. + // + // If set, fully overrides the bucket matchers provided on the less specific definition. + // If not set, inherits the value from the less specific definition. + // + // See usage example: :ref:`RateLimitQuotaFilterConfig.bucket_matchers + // `. + xds.type.matcher.v3.Matcher bucket_matchers = 2; +} + +// Rate Limit Quota Bucket Settings to apply on the successful ``bucket_matchers`` match. +// +// Specify this message in the :ref:`Matcher.OnMatch.action +// ` field of the +// ``bucket_matchers`` matcher tree to assign the matched requests to the Quota Bucket. +// Usage example: :ref:`RateLimitQuotaFilterConfig.bucket_matchers +// `. +// [#next-free-field: 6] +message RateLimitQuotaBucketSettings { + // Configures the behavior after the first request has been matched to the bucket, and before the + // the RLQS server returns the first quota assignment. + message NoAssignmentBehavior { + oneof no_assignment_behavior { + option (validate.required) = true; + + // Apply pre-configured rate limiting strategy until the server sends the first assignment. + type.v3.RateLimitStrategy fallback_rate_limit = 1; + } + } + + // Specifies the behavior when the bucket's assignment has expired, and cannot be refreshed for + // any reason. + message ExpiredAssignmentBehavior { + // Reuse the last known quota assignment, effectively extending it for the duration + // specified in the :ref:`expired_assignment_behavior_timeout + // ` + // field. + message ReuseLastAssignment { + } + + // Limit the time :ref:`ExpiredAssignmentBehavior + // ` + // is applied. If the server doesn't respond within this duration: + // + // 1. Selected ``ExpiredAssignmentBehavior`` is no longer applied. + // 2. The bucket is abandoned. The process of abandoning the bucket is described in the + // :ref:`AbandonAction ` + // message. + // 3. If a new request is matched into the bucket that has become abandoned, + // the data plane restarts the subscription to the bucket. The process of restarting the + // subscription is described in the :ref:`AbandonAction + // ` + // message. + // + // If not set, defaults to zero, and the bucket is abandoned immediately. + google.protobuf.Duration expired_assignment_behavior_timeout = 1 + [(validate.rules).duration = {gt {}}]; + + oneof expired_assignment_behavior { + option (validate.required) = true; + + // Apply the rate limiting strategy to all requests matched into the bucket until the RLQS + // server sends a new assignment, or the :ref:`expired_assignment_behavior_timeout + // ` + // runs out. + type.v3.RateLimitStrategy fallback_rate_limit = 2; + + // Reuse the last ``active`` assignment until the RLQS server sends a new assignment, or the + // :ref:`expired_assignment_behavior_timeout + // ` + // runs out. + ReuseLastAssignment reuse_last_assignment = 3; + } + } + + // Customize the deny response to the requests over the rate limit. + message DenyResponseSettings { + // HTTP response code to deny for HTTP requests (gRPC excluded). + // Defaults to 429 (:ref:`StatusCode.TooManyRequests`). + type.v3.HttpStatus http_status = 1; + + // HTTP response body used to deny for HTTP requests (gRPC excluded). + // If not set, an empty body is returned. + google.protobuf.BytesValue http_body = 2; + + // Configure the deny response for gRPC requests over the rate limit. + // Allows to specify the `RPC status code + // `_, + // and the error message. + // Defaults to the Status with the RPC Code ``UNAVAILABLE`` and empty message. + // + // To identify gRPC requests, Envoy checks that the ``Content-Type`` header is + // ``application/grpc``, or one of the various ``application/grpc+`` values. + // + // .. note:: + // The HTTP code for a gRPC response is always 200. + google.rpc.Status grpc_status = 3; + + // Specifies a list of HTTP headers that should be added to each response for requests that + // have been rate limited. Applies both to plain HTTP, and gRPC requests. + // The headers are added even when the rate limit quota was not enforced. + repeated config.core.v3.HeaderValueOption response_headers_to_add = 4 + [(validate.rules).repeated = {max_items: 10}]; + } + + // ``BucketIdBuilder`` makes it possible to build :ref:`BucketId + // ` with values substituted + // from the dynamic properties associated with each individual request. See usage examples in + // the docs to :ref:`bucket_id_builder + // ` + // field. + message BucketIdBuilder { + // Produces the value of the :ref:`BucketId + // ` map. + message ValueBuilder { + oneof value_specifier { + option (validate.required) = true; + + // Static string value — becomes the value in the :ref:`BucketId + // ` map as is. + string string_value = 1; + + // Dynamic value — evaluated for each request. Must produce a string output, which becomes + // the value in the :ref:`BucketId ` + // map. For example, extensions with the ``envoy.matching.http.input`` category can be used. + config.core.v3.TypedExtensionConfig custom_value = 2; + } + } + + // The map translated into the ``BucketId`` map. + // + // The ``string key`` of this map and becomes the key of ``BucketId`` map as is. + // + // The ``ValueBuilder value`` for the key can be: + // + // * static ``StringValue string_value`` — becomes the value in the ``BucketId`` map as is. + // * dynamic ``TypedExtensionConfig custom_value`` — evaluated for each request. Must produce + // a string output, which becomes the value in the the ``BucketId`` map. + // + // See usage examples in the docs to :ref:`bucket_id_builder + // ` + // field. + map bucket_id_builder = 1 [(validate.rules).map = {min_pairs: 1}]; + } + + // ``BucketId`` builder. + // + // :ref:`BucketId ` is a map from + // the string key to the string value which serves as bucket identifier common for on + // the control plane and the data plane. + // + // While ``BucketId`` is always static, ``BucketIdBuilder`` allows to populate map values + // with the dynamic properties associated with the each individual request. + // + // Example 1: static fields only + // + // ``BucketIdBuilder``: + // + // .. validated-code-block:: yaml + // :type-name: envoy.extensions.filters.http.rate_limit_quota.v3.RateLimitQuotaBucketSettings.BucketIdBuilder + // + // bucket_id_builder: + // name: + // string_value: my_bucket + // hello: + // string_value: world + // + // Produces the following ``BucketId`` for all requests: + // + // .. validated-code-block:: yaml + // :type-name: envoy.service.rate_limit_quota.v3.BucketId + // + // bucket: + // name: my_bucket + // hello: world + // + // Example 2: static and dynamic fields + // + // .. validated-code-block:: yaml + // :type-name: envoy.extensions.filters.http.rate_limit_quota.v3.RateLimitQuotaBucketSettings.BucketIdBuilder + // + // bucket_id_builder: + // name: + // string_value: my_bucket + // env: + // custom_value: + // typed_config: + // '@type': type.googleapis.com/envoy.type.matcher.v3.HttpRequestHeaderMatchInput + // header_name: environment + // + // In this example, the value of ``BucketId`` key ``env`` is substituted from the ``environment`` + // request header. + // + // This is equivalent to the following ``pseudo-code``: + // + // .. code-block:: yaml + // + // name: 'my_bucket' + // env: $header['environment'] + // + // For example, the request with the HTTP header ``env`` set to ``staging`` will produce + // the following ``BucketId``: + // + // .. validated-code-block:: yaml + // :type-name: envoy.service.rate_limit_quota.v3.BucketId + // + // bucket: + // name: my_bucket + // env: staging + // + // For the request with the HTTP header ``environment`` set to ``prod``, will produce: + // + // .. validated-code-block:: yaml + // :type-name: envoy.service.rate_limit_quota.v3.BucketId + // + // bucket: + // name: my_bucket + // env: prod + // + // .. note:: + // The order of ``BucketId`` keys do not matter. Buckets ``{ a: 'A', b: 'B' }`` and + // ``{ b: 'B', a: 'A' }`` are identical. + // + // If not set, requests will NOT be reported to the server, and will always limited + // according to :ref:`no_assignment_behavior + // ` + // configuration. + BucketIdBuilder bucket_id_builder = 1; + + // The interval at which the data plane (RLQS client) is to report quota usage for this bucket. + // + // When the first request is matched to a bucket with no assignment, the data plane is to report + // the request immediately in the :ref:`RateLimitQuotaUsageReports + // ` message. + // For the RLQS server, this signals that the data plane is now subscribed to + // the quota assignments in this bucket, and will start sending the assignment as described in + // the :ref:`RLQS documentation `. + // + // After sending the initial report, the data plane is to continue reporting the bucket usage with + // the internal specified in this field. + // + // If for any reason RLQS client doesn't receive the initial assignment for the reported bucket, + // the data plane will eventually consider the bucket abandoned and stop sending the usage + // reports. This is explained in more details at :ref:`Rate Limit Quota Service (RLQS) + // `. + // + // [#comment: 100000000 nanoseconds = 0.1 seconds] + google.protobuf.Duration reporting_interval = 2 [(validate.rules).duration = { + required: true + gt {nanos: 100000000} + }]; + + // Customize the deny response to the requests over the rate limit. + // If not set, the filter will be configured as if an empty message is set, + // and will behave according to the defaults specified in :ref:`DenyResponseSettings + // `. + DenyResponseSettings deny_response_settings = 3; + + // Configures the behavior in the "no assignment" state: after the first request has been + // matched to the bucket, and before the the RLQS server returns the first quota assignment. + // + // If not set, the default behavior is to allow all requests. + NoAssignmentBehavior no_assignment_behavior = 4; + + // Configures the behavior in the "expired assignment" state: the bucket's assignment has expired, + // and cannot be refreshed. + // + // If not set, the bucket is abandoned when its ``active`` assignment expires. + // The process of abandoning the bucket, and restarting the subscription is described in the + // :ref:`AbandonAction ` + // message. + ExpiredAssignmentBehavior expired_assignment_behavior = 5; +} diff --git a/grpc-xds/proto/third_party/envoy/envoy/extensions/filters/http/rbac/v3/rbac.proto b/grpc-xds/proto/third_party/envoy/envoy/extensions/filters/http/rbac/v3/rbac.proto new file mode 100644 index 000000000..a37efe157 --- /dev/null +++ b/grpc-xds/proto/third_party/envoy/envoy/extensions/filters/http/rbac/v3/rbac.proto @@ -0,0 +1,86 @@ +syntax = "proto3"; + +package envoy.extensions.filters.http.rbac.v3; + +import "envoy/config/rbac/v3/rbac.proto"; + +import "xds/type/matcher/v3/matcher.proto"; + +import "udpa/annotations/migrate.proto"; +import "udpa/annotations/status.proto"; +import "udpa/annotations/versioning.proto"; + +option java_package = "io.envoyproxy.envoy.extensions.filters.http.rbac.v3"; +option java_outer_classname = "RbacProto"; +option java_multiple_files = true; +option go_package = "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/http/rbac/v3;rbacv3"; +option (udpa.annotations.file_status).package_version_status = ACTIVE; + +// [#protodoc-title: RBAC] +// Role-Based Access Control :ref:`configuration overview `. +// [#extension: envoy.filters.http.rbac] + +// RBAC filter config. +// [#next-free-field: 8] +message RBAC { + option (udpa.annotations.versioning).previous_message_type = + "envoy.config.filter.http.rbac.v2.RBAC"; + + // The primary RBAC policy which will be applied globally, to all the incoming requests. + // + // * If absent, no RBAC enforcement occurs. + // * If set but empty, all requests are denied. + // + // .. note:: + // + // When both ``rules`` and ``matcher`` are configured, ``rules`` will be ignored. + // + config.rbac.v3.RBAC rules = 1 + [(udpa.annotations.field_migrate).oneof_promotion = "rules_specifier"]; + + // If specified, rules will emit stats with the given prefix. + // This is useful for distinguishing metrics when multiple RBAC filters are configured. + string rules_stat_prefix = 6; + + // Match tree for evaluating RBAC actions on incoming requests. Requests not matching any matcher will be denied. + // + // * If absent, no RBAC enforcement occurs. + // * If set but empty, all requests are denied. + // + xds.type.matcher.v3.Matcher matcher = 4 + [(udpa.annotations.field_migrate).oneof_promotion = "rules_specifier"]; + + // Shadow policy for testing RBAC rules without enforcing them. These rules generate stats and logs but do not deny + // requests. If absent, no shadow RBAC policy will be applied. + // + // .. note:: + // + // When both ``shadow_rules`` and ``shadow_matcher`` are configured, ``shadow_rules`` will be ignored. + // + config.rbac.v3.RBAC shadow_rules = 2 + [(udpa.annotations.field_migrate).oneof_promotion = "shadow_rules_specifier"]; + + // If absent, no shadow matcher will be applied. + // Match tree for testing RBAC rules through stats and logs without enforcing them. + // If absent, no shadow matching occurs. + xds.type.matcher.v3.Matcher shadow_matcher = 5 + [(udpa.annotations.field_migrate).oneof_promotion = "shadow_rules_specifier"]; + + // If specified, shadow rules will emit stats with the given prefix. + // This is useful for distinguishing metrics when multiple RBAC filters use shadow rules. + string shadow_rules_stat_prefix = 3; + + // If ``track_per_rule_stats`` is ``true``, counters will be published for each rule and shadow rule. + bool track_per_rule_stats = 7; +} + +message RBACPerRoute { + option (udpa.annotations.versioning).previous_message_type = + "envoy.config.filter.http.rbac.v2.RBACPerRoute"; + + reserved 1; + + // Per-route specific RBAC configuration that overrides the global RBAC configuration. + // If absent, RBAC policy will be disabled for this route. + RBAC rbac = 2; +} diff --git a/grpc-xds/proto/third_party/envoy/envoy/extensions/filters/http/router/v3/router.proto b/grpc-xds/proto/third_party/envoy/envoy/extensions/filters/http/router/v3/router.proto new file mode 100644 index 000000000..7da658bcb --- /dev/null +++ b/grpc-xds/proto/third_party/envoy/envoy/extensions/filters/http/router/v3/router.proto @@ -0,0 +1,143 @@ +syntax = "proto3"; + +package envoy.extensions.filters.http.router.v3; + +import "envoy/config/accesslog/v3/accesslog.proto"; +import "envoy/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto"; + +import "google/protobuf/duration.proto"; +import "google/protobuf/wrappers.proto"; + +import "envoy/annotations/deprecation.proto"; +import "udpa/annotations/status.proto"; +import "udpa/annotations/versioning.proto"; +import "validate/validate.proto"; + +option java_package = "io.envoyproxy.envoy.extensions.filters.http.router.v3"; +option java_outer_classname = "RouterProto"; +option java_multiple_files = true; +option go_package = "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/http/router/v3;routerv3"; +option (udpa.annotations.file_status).package_version_status = ACTIVE; + +// [#protodoc-title: Router] +// Router :ref:`configuration overview `. +// [#extension: envoy.filters.http.router] + +// [#next-free-field: 11] +message Router { + option (udpa.annotations.versioning).previous_message_type = + "envoy.config.filter.http.router.v2.Router"; + + message UpstreamAccessLogOptions { + // If set to true, an upstream access log will be recorded when an upstream stream is + // associated to an http request. Note: Each HTTP request received for an already established + // connection will result in an upstream access log record. This includes, for example, + // consecutive HTTP requests over the same connection or a request that is retried. + // In case a retry is applied, an upstream access log will be recorded for each retry. + bool flush_upstream_log_on_upstream_stream = 1; + + // The interval to flush the upstream access logs. By default, the router will flush an upstream + // access log on stream close, when the HTTP request is complete. If this field is set, the router + // will flush access logs periodically at the specified interval. This is especially useful in the + // case of long-lived requests, such as CONNECT and Websockets. + // The interval must be at least 1 millisecond. + google.protobuf.Duration upstream_log_flush_interval = 2 + [(validate.rules).duration = {gte {nanos: 1000000}}]; + } + + // Whether the router generates dynamic cluster statistics. Defaults to + // true. Can be disabled in high performance scenarios. + google.protobuf.BoolValue dynamic_stats = 1; + + // Whether to start a child span for egress routed calls. This can be + // useful in scenarios where other filters (auth, ratelimit, etc.) make + // outbound calls and have child spans rooted at the same ingress + // parent. Defaults to false. + // + // .. attention:: + // This field is deprecated by the + // :ref:`spawn_upstream_span `. + // Please use that ``spawn_upstream_span`` field to control the span creation. + bool start_child_span = 2 + [deprecated = true, (envoy.annotations.deprecated_at_minor_version) = "3.0"]; + + // Configuration for HTTP upstream logs emitted by the router. Upstream logs + // are configured in the same way as access logs, but each log entry represents + // an upstream request. Presuming retries are configured, multiple upstream + // requests may be made for each downstream (inbound) request. + repeated config.accesslog.v3.AccessLog upstream_log = 3; + + // Additional upstream access log options. + UpstreamAccessLogOptions upstream_log_options = 9; + + // Do not add any additional ``x-envoy-`` headers to requests or responses. This + // only affects the :ref:`router filter generated x-envoy- headers + // `, other Envoy filters and the HTTP + // connection manager may continue to set ``x-envoy-`` headers. + bool suppress_envoy_headers = 4; + + // Specifies a list of HTTP headers to strictly validate. Envoy will reject a + // request and respond with HTTP status 400 if the request contains an invalid + // value for any of the headers listed in this field. Strict header checking + // is only supported for the following headers: + // + // Value must be a ','-delimited list (i.e. no spaces) of supported retry + // policy values: + // + // * :ref:`config_http_filters_router_x-envoy-retry-grpc-on` + // * :ref:`config_http_filters_router_x-envoy-retry-on` + // + // Value must be an integer: + // + // * :ref:`config_http_filters_router_x-envoy-max-retries` + // * :ref:`config_http_filters_router_x-envoy-upstream-rq-timeout-ms` + // * :ref:`config_http_filters_router_x-envoy-upstream-rq-per-try-timeout-ms` + repeated string strict_check_headers = 5 [(validate.rules).repeated = { + items { + string { + in: "x-envoy-upstream-rq-timeout-ms" + in: "x-envoy-upstream-rq-per-try-timeout-ms" + in: "x-envoy-max-retries" + in: "x-envoy-retry-grpc-on" + in: "x-envoy-retry-on" + } + } + }]; + + // If not set, ingress Envoy will ignore + // :ref:`config_http_filters_router_x-envoy-expected-rq-timeout-ms` header, populated by egress + // Envoy, when deriving timeout for upstream cluster. + bool respect_expected_rq_timeout = 6; + + // If set, Envoy will avoid incrementing HTTP failure code stats + // on gRPC requests. This includes the individual status code value + // (e.g. upstream_rq_504) and group stats (e.g. upstream_rq_5xx). + // This field is useful if interested in relying only on the gRPC + // stats filter to define success and failure metrics for gRPC requests + // as not all failed gRPC requests charge HTTP status code metrics. See + // :ref:`gRPC stats filter` documentation + // for more details. + bool suppress_grpc_request_failure_code_stats = 7; + + // Optional HTTP filters for the upstream HTTP filter chain. + // + // .. note:: + // Upstream HTTP filters are currently in alpha. + // + // These filters will be applied for all requests that pass through the router. + // They will also be applied to shadowed requests. + // Upstream HTTP filters cannot change route or cluster. + // Upstream HTTP filters specified on the cluster will override these filters. + // + // If using upstream HTTP filters, please be aware that local errors sent by + // upstream HTTP filters will not trigger retries, and local errors sent by + // upstream HTTP filters will count as a final response if hedging is configured. + // [#extension-category: envoy.filters.http.upstream] + repeated network.http_connection_manager.v3.HttpFilter upstream_http_filters = 8; + + // If set to true, Envoy will reject ``CONNECT`` requests that send data before + // receiving a ``200`` response from the upstream. This early data behavior + // is common for latency reduction but can cause issues with some upstreams. + // Defaults to false to allow early data and be compatible with common behavior. + google.protobuf.BoolValue reject_connect_request_early_data = 10; +} diff --git a/grpc-xds/proto/third_party/envoy/envoy/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto b/grpc-xds/proto/third_party/envoy/envoy/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto new file mode 100644 index 000000000..9d8cf8bf4 --- /dev/null +++ b/grpc-xds/proto/third_party/envoy/envoy/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto @@ -0,0 +1,1357 @@ +syntax = "proto3"; + +package envoy.extensions.filters.network.http_connection_manager.v3; + +import "envoy/config/accesslog/v3/accesslog.proto"; +import "envoy/config/core/v3/address.proto"; +import "envoy/config/core/v3/base.proto"; +import "envoy/config/core/v3/config_source.proto"; +import "envoy/config/core/v3/extension.proto"; +import "envoy/config/core/v3/protocol.proto"; +import "envoy/config/core/v3/substitution_format_string.proto"; +import "envoy/config/route/v3/route.proto"; +import "envoy/config/route/v3/scoped_route.proto"; +import "envoy/config/trace/v3/http_tracer.proto"; +import "envoy/type/http/v3/path_transformation.proto"; +import "envoy/type/tracing/v3/custom_tag.proto"; +import "envoy/type/v3/percent.proto"; + +import "google/protobuf/any.proto"; +import "google/protobuf/duration.proto"; +import "google/protobuf/wrappers.proto"; + +import "xds/type/matcher/v3/matcher.proto"; + +import "envoy/annotations/deprecation.proto"; +import "udpa/annotations/migrate.proto"; +import "udpa/annotations/security.proto"; +import "udpa/annotations/status.proto"; +import "udpa/annotations/versioning.proto"; +import "validate/validate.proto"; + +option java_package = "io.envoyproxy.envoy.extensions.filters.network.http_connection_manager.v3"; +option java_outer_classname = "HttpConnectionManagerProto"; +option java_multiple_files = true; +option go_package = "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/network/http_connection_manager/v3;http_connection_managerv3"; +option (udpa.annotations.file_status).package_version_status = ACTIVE; + +// [#protodoc-title: HTTP connection manager] +// HTTP connection manager :ref:`configuration overview `. +// [#extension: envoy.filters.network.http_connection_manager] + +// [#next-free-field: 61] +message HttpConnectionManager { + option (udpa.annotations.versioning).previous_message_type = + "envoy.config.filter.network.http_connection_manager.v2.HttpConnectionManager"; + + enum CodecType { + // For every new connection, the connection manager will determine which + // codec to use. This mode supports both ALPN for TLS listeners as well as + // protocol inference for plaintext listeners. If ALPN data is available, it + // is preferred, otherwise protocol inference is used. In almost all cases, + // this is the right option to choose for this setting. + AUTO = 0; + + // The connection manager will assume that the client is speaking HTTP/1.1. + HTTP1 = 1; + + // The connection manager will assume that the client is speaking HTTP/2 + // (Envoy does not require HTTP/2 to take place over TLS or to use ALPN. + // Prior knowledge is allowed). + HTTP2 = 2; + + // The connection manager will assume that the client is speaking HTTP/3. + // This needs to be consistent with listener and transport socket config. + HTTP3 = 3; + } + + enum ServerHeaderTransformation { + // Overwrite any Server header with the contents of server_name. + OVERWRITE = 0; + + // If no Server header is present, append Server server_name + // If a Server header is present, pass it through. + APPEND_IF_ABSENT = 1; + + // Pass through the value of the server header, and do not append a header + // if none is present. + PASS_THROUGH = 2; + } + + // How to handle the :ref:`config_http_conn_man_headers_x-forwarded-client-cert` (XFCC) HTTP + // header. + enum ForwardClientCertDetails { + // Do not send the XFCC header to the next hop. This is the default value. + SANITIZE = 0; + + // When the client connection is mTLS (Mutual TLS), forward the XFCC header + // in the request. + FORWARD_ONLY = 1; + + // When the client connection is mTLS, append the client certificate + // information to the request’s XFCC header and forward it. + APPEND_FORWARD = 2; + + // When the client connection is mTLS, reset the XFCC header with the client + // certificate information and send it to the next hop. + SANITIZE_SET = 3; + + // Always forward the XFCC header in the request, regardless of whether the + // client connection is mTLS. + ALWAYS_FORWARD_ONLY = 4; + } + + // Determines the action for request that contain ``%2F``, ``%2f``, ``%5C`` or ``%5c`` sequences in the URI path. + // This operation occurs before URL normalization and the merge slashes transformations if they were enabled. + enum PathWithEscapedSlashesAction { + // Default behavior specific to implementation (i.e. Envoy) of this configuration option. + // Envoy, by default, takes the KEEP_UNCHANGED action. + // + // .. note:: + // + // The implementation may change the default behavior at-will. + IMPLEMENTATION_SPECIFIC_DEFAULT = 0; + + // Keep escaped slashes. + KEEP_UNCHANGED = 1; + + // Reject client request with the 400 status. gRPC requests will be rejected with the INTERNAL (13) error code. + // The ``httpN.downstream_rq_failed_path_normalization`` counter is incremented for each rejected request. + REJECT_REQUEST = 2; + + // Unescape ``%2F`` and ``%5C`` sequences and redirect request to the new path if these sequences were present. + // Redirect occurs after path normalization and merge slashes transformations if they were configured. + // + // .. note:: + // + // gRPC requests will be rejected with the INTERNAL (13) error code. This option minimizes possibility of path + // confusion exploits by forcing request with unescaped slashes to traverse all parties: downstream client, + // intermediate proxies, Envoy and upstream server. The ``httpN.downstream_rq_redirected_with_normalized_path`` + // counter is incremented for each redirected request. + // + UNESCAPE_AND_REDIRECT = 3; + + // Unescape ``%2F`` and ``%5C`` sequences. + // + // .. note:: + // + // This option should not be enabled if intermediaries perform path based access control as it may lead to path + // confusion vulnerabilities. + // + UNESCAPE_AND_FORWARD = 4; + } + + // [#next-free-field: 13] + message Tracing { + option (udpa.annotations.versioning).previous_message_type = + "envoy.config.filter.network.http_connection_manager.v2.HttpConnectionManager.Tracing"; + + // This OperationName makes no sense and is unnecessary in the current tracing API. + // [#not-implemented-hide:] + enum OperationName { + // The HTTP listener is used for ingress/incoming requests. + INGRESS = 0; + + // The HTTP listener is used for egress/outgoing requests. + EGRESS = 1; + } + + reserved 1, 2; + + reserved "operation_name", "request_headers_for_tags"; + + // Target percentage of requests managed by this HTTP connection manager that will be force + // traced if the :ref:`x-client-trace-id ` + // header is set. This field is a direct analog for the runtime variable + // 'tracing.client_enabled' in the :ref:`HTTP Connection Manager + // `. + // Default: 100% + type.v3.Percent client_sampling = 3; + + // Target percentage of requests managed by this HTTP connection manager that will be randomly + // selected for trace generation, if not requested by the client or not forced. This field is + // a direct analog for the runtime variable 'tracing.random_sampling' in the + // :ref:`HTTP Connection Manager `. + // Default: 100% + type.v3.Percent random_sampling = 4; + + // Target percentage of requests managed by this HTTP connection manager that will be traced + // after all other sampling checks have been applied (client-directed, force tracing, random + // sampling). This field functions as an upper limit on the total configured sampling rate. For + // instance, setting client_sampling to 100% but overall_sampling to 1% will result in only 1% + // of client requests with the appropriate headers to be force traced. This field is a direct + // analog for the runtime variable 'tracing.global_enabled' in the + // :ref:`HTTP Connection Manager `. + // Default: 100% + type.v3.Percent overall_sampling = 5; + + // Whether to annotate spans with additional data. If true, spans will include logs for stream + // events. + bool verbose = 6; + + // Maximum length of the request path to extract and include in the HttpUrl tag. Used to + // truncate lengthy request paths to meet the needs of a tracing backend. + // Default: 256 + google.protobuf.UInt32Value max_path_tag_length = 7; + + // A list of custom tags with unique tag name to create tags for the active span. + repeated type.tracing.v3.CustomTag custom_tags = 8; + + // Configuration for an external tracing provider. + // If not specified, no tracing will be performed. + config.trace.v3.Tracing.Http provider = 9; + + // Create separate tracing span for each upstream request if true. And if this flag is set to true, + // the tracing provider will assume that Envoy will be independent hop in the trace chain and may + // set span type to client or server based on this flag. + // This will deprecate the + // :ref:`start_child_span ` + // in the router. + // + // Users should set appropriate value based on their tracing provider and actual scenario: + // + // * If Envoy is used as sidecar and users want to make the sidecar and its application as only one + // hop in the trace chain, this flag should be set to false. And please also make sure the + // :ref:`start_child_span ` + // in the router is not set to true. + // * If Envoy is used as gateway or independent proxy, or users want to make the sidecar and its + // application as different hops in the trace chain, this flag should be set to true. + // * If tracing provider that has explicit requirements on span creation (like SkyWalking), + // this flag should be set to true. + // + // The default value is false for now for backward compatibility. + google.protobuf.BoolValue spawn_upstream_span = 10; + + // The operation name of the span which will be used for tracing. + // + // The same :ref:`format specifier ` as used for + // :ref:`HTTP access logging ` applies here, however + // unknown specifier values are replaced with the empty string instead of ``-``. + // + // This field will take precedence over and make following settings ineffective: + // + // * :ref:`route decorator ` and + // * :ref:`x-envoy-decorator-operation ` + // header will be ignored. + string operation = 11; + + // The operation name of the upstream span which will be used for tracing. + // This only takes effect when ``spawn_upstream_span`` is set to true and the upstream + // span is created. + // + // The same :ref:`format specifier ` as used for + // :ref:`HTTP access logging ` applies here, however + // unknown specifier values are replaced with the empty string instead of ``-``. + string upstream_operation = 12; + } + + message InternalAddressConfig { + option (udpa.annotations.versioning).previous_message_type = + "envoy.config.filter.network.http_connection_manager.v2.HttpConnectionManager." + "InternalAddressConfig"; + + // Whether unix socket addresses should be considered internal. + bool unix_sockets = 1; + + // List of CIDR ranges that are treated as internal. If unset, then RFC1918 / RFC4193 + // IP addresses will be considered internal. + repeated config.core.v3.CidrRange cidr_ranges = 2; + } + + // [#next-free-field: 7] + message SetCurrentClientCertDetails { + option (udpa.annotations.versioning).previous_message_type = + "envoy.config.filter.network.http_connection_manager.v2.HttpConnectionManager." + "SetCurrentClientCertDetails"; + + reserved 2; + + // Whether to forward the subject of the client cert. Defaults to false. + google.protobuf.BoolValue subject = 1; + + // Whether to forward the entire client cert in URL encoded PEM format. This will appear in the + // XFCC header comma separated from other values with the value Cert="PEM". + // Defaults to false. + bool cert = 3; + + // Whether to forward the entire client cert chain (including the leaf cert) in URL encoded PEM + // format. This will appear in the XFCC header comma separated from other values with the value + // Chain="PEM". + // Defaults to false. + bool chain = 6; + + // Whether to forward the DNS type Subject Alternative Names of the client cert. + // Defaults to false. + bool dns = 4; + + // Whether to forward the URI type Subject Alternative Name of the client cert. Defaults to + // false. + bool uri = 5; + } + + // The configuration for forwarding client cert details. + message ForwardClientCertConfig { + // How to handle the XFCC header. + ForwardClientCertDetails forward_client_cert_details = 1; + + // How to set the current client cert details. + SetCurrentClientCertDetails set_current_client_cert_details = 2; + } + + // The configuration for HTTP upgrades. + // For each upgrade type desired, an UpgradeConfig must be added. + // + // .. warning:: + // + // The current implementation of upgrade headers does not handle multi-valued upgrade headers. Support for + // multi-valued headers may be added in the future if needed. + // + // .. warning:: + // The current implementation of upgrade headers does not work with HTTP/2 upstreams. + // + message UpgradeConfig { + option (udpa.annotations.versioning).previous_message_type = + "envoy.config.filter.network.http_connection_manager.v2.HttpConnectionManager." + "UpgradeConfig"; + + // The case-insensitive name of this upgrade, e.g. "websocket". + // For each upgrade type present in upgrade_configs, requests with + // Upgrade: [upgrade_type] + // will be proxied upstream. + string upgrade_type = 1; + + // If present, this represents the filter chain which will be created for + // this type of upgrade. If no filters are present, the filter chain for + // HTTP connections will be used for this upgrade type. + repeated HttpFilter filters = 2; + + // Determines if upgrades are enabled or disabled by default. Defaults to true. + // This can be overridden on a per-route basis with :ref:`cluster + // ` as documented in the + // :ref:`upgrade documentation `. + google.protobuf.BoolValue enabled = 3; + } + + // [#not-implemented-hide:] Transformations that apply to path headers. Transformations are applied + // before any processing of requests by HTTP filters, routing, and matching. Only the normalized + // path will be visible internally if a transformation is enabled. Any path rewrites that the + // router performs (e.g. :ref:`regex_rewrite + // ` or :ref:`prefix_rewrite + // `) will apply to the ``:path`` header + // destined for the upstream. + // + // .. note:: + // + // Access logging and tracing will show the original ``:path`` header. + // + message PathNormalizationOptions { + // [#not-implemented-hide:] Normalization applies internally before any processing of requests by + // HTTP filters, routing, and matching *and* will affect the forwarded ``:path`` header. Defaults + // to :ref:`NormalizePathRFC3986 + // `. When not + // specified, this value may be overridden by the runtime variable + // :ref:`http_connection_manager.normalize_path`. + // Envoy will respond with 400 to paths that are malformed (e.g. for paths that fail RFC 3986 + // normalization due to disallowed characters.) + type.http.v3.PathTransformation forwarding_transformation = 1; + + // [#not-implemented-hide:] Normalization only applies internally before any processing of + // requests by HTTP filters, routing, and matching. These will be applied after full + // transformation is applied. The ``:path`` header before this transformation will be restored in + // the router filter and sent upstream unless it was mutated by a filter. Defaults to no + // transformations. + // Multiple actions can be applied in the same Transformation, forming a sequential + // pipeline. The transformations will be performed in the order that they appear. Envoy will + // respond with 400 to paths that are malformed (e.g. for paths that fail RFC 3986 + // normalization due to disallowed characters.) + type.http.v3.PathTransformation http_filter_transformation = 2; + } + + // Configures the manner in which the Proxy-Status HTTP response header is + // populated. + // + // See the [Proxy-Status + // RFC](https://datatracker.ietf.org/doc/html/draft-ietf-httpbis-proxy-status-08). + // [#comment:TODO: Update this with the non-draft URL when finalized.] + // + // The Proxy-Status header is a string of the form: + // + // "; error=; details=
" + // [#next-free-field: 7] + message ProxyStatusConfig { + // If true, the details field of the Proxy-Status header is not populated with stream_info.response_code_details. + // This value defaults to ``false``, i.e. the ``details`` field is populated by default. + bool remove_details = 1; + + // If true, the details field of the Proxy-Status header will not contain + // connection termination details. This value defaults to ``false``, i.e. the + // ``details`` field will contain connection termination details by default. + bool remove_connection_termination_details = 2; + + // If true, the details field of the Proxy-Status header will not contain an + // enumeration of the Envoy ResponseFlags. This value defaults to ``false``, + // i.e. the ``details`` field will contain a list of ResponseFlags by default. + bool remove_response_flags = 3; + + // If true, overwrites the existing Status header with the response code + // recommended by the Proxy-Status spec. + // This value defaults to ``false``, i.e. the HTTP response code is not + // overwritten. + bool set_recommended_response_code = 4; + + // The name of the proxy as it appears at the start of the Proxy-Status + // header. + // + // If neither of these values are set, this value defaults to ``server_name``, + // which itself defaults to "envoy". + oneof proxy_name { + // If ``use_node_id`` is set, Proxy-Status headers will use the Envoy's node + // ID as the name of the proxy. + bool use_node_id = 5; + + // If ``literal_proxy_name`` is set, Proxy-Status headers will use this + // value as the name of the proxy. + string literal_proxy_name = 6; + } + } + + message HcmAccessLogOptions { + // The interval to flush the above access logs. By default, the HCM will flush exactly one access log + // on stream close, when the HTTP request is complete. If this field is set, the HCM will flush access + // logs periodically at the specified interval. This is especially useful in the case of long-lived + // requests, such as CONNECT and Websockets. Final access logs can be detected via the + // ``requestComplete()`` method of ``StreamInfo`` in access log filters, or through the ``%DURATION%`` substitution + // string. + // The interval must be at least 1 millisecond. + google.protobuf.Duration access_log_flush_interval = 1 + [(validate.rules).duration = {gte {nanos: 1000000}}]; + + // If set to true, HCM will flush an access log when a new HTTP request is received, after request + // headers have been evaluated, before iterating through the HTTP filter chain. + // This log record, if enabled, does not depend on periodic log records or request completion log. + // Details related to upstream cluster, such as upstream host, will not be available for this log. + bool flush_access_log_on_new_request = 2; + + // If true, the HCM will flush an access log when a tunnel is successfully established. For example, + // this could be when an upstream has successfully returned 101 Switching Protocols, or when the proxy + // has returned 200 to a CONNECT request. + bool flush_log_on_tunnel_successfully_established = 3; + } + + reserved 27, 11; + + reserved "idle_timeout"; + + // Supplies the type of codec that the connection manager should use. + CodecType codec_type = 1 [(validate.rules).enum = {defined_only: true}]; + + // The human readable prefix to use when emitting statistics for the + // connection manager. See the :ref:`statistics documentation ` for + // more information. + string stat_prefix = 2 [(validate.rules).string = {min_len: 1}]; + + oneof route_specifier { + option (validate.required) = true; + + // The connection manager’s route table will be dynamically loaded via the RDS API. + Rds rds = 3; + + // The route table for the connection manager is static and is specified in this property. + config.route.v3.RouteConfiguration route_config = 4; + + // A route table will be dynamically assigned to each request based on request attributes + // (e.g., the value of a header). The "routing scopes" (i.e., route tables) and "scope keys" are + // specified in this message. + ScopedRoutes scoped_routes = 31; + } + + // A list of individual HTTP filters that make up the filter chain for + // requests made to the connection manager. :ref:`Order matters ` + // as the filters are processed sequentially as request events happen. + repeated HttpFilter http_filters = 5; + + // Whether the connection manager manipulates the :ref:`config_http_conn_man_headers_user-agent` + // and :ref:`config_http_conn_man_headers_downstream-service-cluster` headers. See the linked + // documentation for more information. Defaults to false. + google.protobuf.BoolValue add_user_agent = 6; + + // Presence of the object defines whether the connection manager + // emits :ref:`tracing ` data to the :ref:`configured tracing provider + // `. + Tracing tracing = 7; + + // Additional settings for HTTP requests handled by the connection manager. These will be + // applicable to both HTTP/1.1 and HTTP/2 requests. + config.core.v3.HttpProtocolOptions common_http_protocol_options = 35 + [(udpa.annotations.security).configure_for_untrusted_downstream = true]; + + // If set to ``true``, Envoy will not initiate an immediate drain timer for downstream HTTP/1 connections + // once :ref:`common_http_protocol_options.max_connection_duration + // ` is exceeded. + // Instead, Envoy will wait until the next downstream request arrives, add a ``connection: close`` header + // to the response, and then gracefully close the connection once the stream has completed. + // + // This behavior adheres to `RFC 9112, Section 9.6 `_. + // + // If set to ``false``, exceeding ``max_connection_duration`` triggers Envoy's default drain behavior for HTTP/1, + // where the connection is eventually closed after all active streams finish. + // + // This option has no effect if ``max_connection_duration`` is not configured. + // Defaults to ``false``. + bool http1_safe_max_connection_duration = 58; + + // Additional HTTP/1 settings that are passed to the HTTP/1 codec. + // [#comment:TODO: The following fields are ignored when the + // :ref:`header validation configuration ` + // is present: + // 1. :ref:`allow_chunked_length `] + config.core.v3.Http1ProtocolOptions http_protocol_options = 8; + + // Additional HTTP/2 settings that are passed directly to the HTTP/2 codec. + config.core.v3.Http2ProtocolOptions http2_protocol_options = 9 + [(udpa.annotations.security).configure_for_untrusted_downstream = true]; + + // Additional HTTP/3 settings that are passed directly to the HTTP/3 codec. + config.core.v3.Http3ProtocolOptions http3_protocol_options = 44; + + // An optional override that the connection manager will write to the server + // header in responses. If not set, the default is ``envoy``. + string server_name = 10 + [(validate.rules).string = {well_known_regex: HTTP_HEADER_VALUE strict: false}]; + + // Defines the action to be applied to the Server header on the response path. + // By default, Envoy will overwrite the header with the value specified in + // server_name. + ServerHeaderTransformation server_header_transformation = 34 + [(validate.rules).enum = {defined_only: true}]; + + // Allows for explicit transformation of the :scheme header on the request path. + // If not set, Envoy's default :ref:`scheme ` + // handling applies. + config.core.v3.SchemeHeaderTransformation scheme_header_transformation = 48; + + // The maximum request headers size for incoming connections. + // If unconfigured, the default max request headers allowed is 60 KiB. + // The default value can be overridden by setting runtime key ``envoy.reloadable_features.max_request_headers_size_kb``. + // Requests that exceed this limit will receive a 431 response. + // + // .. note:: + // + // Currently some protocol codecs impose limits on the maximum size of a single header. + // + // * HTTP/2 (when using nghttp2) limits a single header to around 100kb. + // * HTTP/3 limits a single header to around 1024kb. + // + google.protobuf.UInt32Value max_request_headers_kb = 29 + [(validate.rules).uint32 = {lte: 8192 gt: 0}]; + + // The stream idle timeout for connections managed by the connection manager. + // If not specified, this defaults to 5 minutes. The default value was selected + // so as not to interfere with any smaller configured timeouts that may have + // existed in configurations prior to the introduction of this feature, while + // introducing robustness to TCP connections that terminate without a FIN. + // + // This idle timeout applies to new streams and is overridable by the + // :ref:`route-level idle_timeout + // `. Even on a stream in + // which the override applies, prior to receipt of the initial request + // headers, the :ref:`stream_idle_timeout + // ` + // applies. Each time an encode/decode event for headers or data is processed + // for the stream, the timer will be reset. If the timeout fires, the stream + // is terminated with a 408 Request Timeout error code if no upstream response + // header has been received, otherwise a stream reset occurs. + // + // If the :ref:`overload action ` "envoy.overload_actions.reduce_timeouts" + // is configured, this timeout is scaled according to the value for + // :ref:`HTTP_DOWNSTREAM_STREAM_IDLE `. + // + // Note that it is possible to idle timeout even if the wire traffic for a stream is non-idle, due + // to the granularity of events presented to the connection manager. For example, while receiving + // very large request headers, it may be the case that there is traffic regularly arriving on the + // wire while the connection manage is only able to observe the end-of-headers event, hence the + // stream may still idle timeout. + // + // A value of 0 will completely disable the connection manager stream idle + // timeout, although per-route idle timeout overrides will continue to apply. + // + // This timeout is also used as the default value for :ref:`stream_flush_timeout + // `. + google.protobuf.Duration stream_idle_timeout = 24 + [(udpa.annotations.security).configure_for_untrusted_downstream = true]; + + // The stream flush timeout for connections managed by the connection manager. + // + // If not specified, the value of stream_idle_timeout is used. This is for backwards compatibility + // since this was the original behavior. In essence this timeout is an override for the + // stream_idle_timeout that applies specifically to the end of stream flush case. + // + // This timeout specifies the amount of time that Envoy will wait for the peer to open enough + // window to write any remaining stream data once the entirety of stream data (local end stream is + // true) has been buffered pending available window. In other words, this timeout defends against + // a peer that does not release enough window to completely write the stream, even though all + // data has been proxied within available flow control windows. If the timeout is hit in this + // case, the :ref:`tx_flush_timeout ` counter will be + // incremented. Note that :ref:`max_stream_duration + // ` does not apply to + // this corner case. + google.protobuf.Duration stream_flush_timeout = 59; + + // The amount of time that Envoy will wait for the entire request to be received. + // The timer is activated when the request is initiated, and is disarmed when the last byte of the + // request is sent upstream (i.e. all decoding filters have processed the request), OR when the + // response is initiated. If not specified or set to 0, this timeout is disabled. + google.protobuf.Duration request_timeout = 28 + [(udpa.annotations.security).configure_for_untrusted_downstream = true]; + + // The amount of time that Envoy will wait for the request headers to be received. The timer is + // activated when the first byte of the headers is received, and is disarmed when the last byte of + // the headers has been received. If not specified or set to 0, this timeout is disabled. + google.protobuf.Duration request_headers_timeout = 41 [ + (validate.rules).duration = {gte {}}, + (udpa.annotations.security).configure_for_untrusted_downstream = true + ]; + + // The time that Envoy will wait between sending an HTTP/2 “shutdown + // notification” (GOAWAY frame with max stream ID) and a final GOAWAY frame. + // This is used so that Envoy provides a grace period for new streams that + // race with the final GOAWAY frame. During this grace period, Envoy will + // continue to accept new streams. After the grace period, a final GOAWAY + // frame is sent and Envoy will start refusing new streams. Draining occurs + // either when a connection hits the idle timeout, when :ref:`max_connection_duration + // ` + // is reached, or during general server draining. The default grace period is + // 5000 milliseconds (5 seconds) if this option is not specified. + google.protobuf.Duration drain_timeout = 12; + + // The delayed close timeout is for downstream connections managed by the HTTP connection manager. + // It is defined as a grace period after connection close processing has been locally initiated + // during which Envoy will wait for the peer to close (i.e., a TCP FIN/RST is received by Envoy + // from the downstream connection) prior to Envoy closing the socket associated with that + // connection. + // + // .. note:: + // + // This timeout is enforced even when the socket associated with the downstream connection is pending a flush of + // the write buffer. However, any progress made writing data to the socket will restart the timer associated with + // this timeout. This means that the total grace period for a socket in this state will be + // +. + // + // Delaying Envoy's connection close and giving the peer the opportunity to initiate the close + // sequence mitigates a race condition that exists when downstream clients do not drain/process + // data in a connection's receive buffer after a remote close has been detected via a socket + // ``write()``. This race leads to such clients failing to process the response code sent by Envoy, + // which could result in erroneous downstream processing. + // + // If the timeout triggers, Envoy will close the connection's socket. + // + // The default timeout is 1000 ms if this option is not specified. + // + // .. note:: + // To be useful in avoiding the race condition described above, this timeout must be set + // to *at least* +<100ms to account for + // a reasonable "worst" case processing time for a full iteration of Envoy's event loop>. + // + // .. warning:: + // A value of ``0`` will completely disable delayed close processing. When disabled, the downstream + // connection's socket will be closed immediately after the write flush is completed or will + // never close if the write flush does not complete. + // + google.protobuf.Duration delayed_close_timeout = 26; + + // Configuration for :ref:`HTTP access logs ` + // emitted by the connection manager. + repeated config.accesslog.v3.AccessLog access_log = 13; + + // The interval to flush the above access logs. + // + // .. attention:: + // + // This field is deprecated in favor of + // :ref:`access_log_flush_interval + // `. + // Note that if both this field and :ref:`access_log_flush_interval + // ` + // are specified, the former (deprecated field) is ignored. + google.protobuf.Duration access_log_flush_interval = 54 [ + deprecated = true, + (validate.rules).duration = {gte {nanos: 1000000}}, + (envoy.annotations.deprecated_at_minor_version) = "3.0" + ]; + + // If set to true, HCM will flush an access log once when a new HTTP request is received, after the request + // headers have been evaluated, and before iterating through the HTTP filter chain. + // + // .. attention:: + // + // This field is deprecated in favor of + // :ref:`flush_access_log_on_new_request + // `. + // Note that if both this field and :ref:`flush_access_log_on_new_request + // ` + // are specified, the former (deprecated field) is ignored. + bool flush_access_log_on_new_request = 55 + [deprecated = true, (envoy.annotations.deprecated_at_minor_version) = "3.0"]; + + // Additional access log options for HTTP connection manager. + HcmAccessLogOptions access_log_options = 56; + + // If set to true, the connection manager will use the real remote address + // of the client connection when determining internal versus external origin and manipulating + // various headers. If set to false or absent, the connection manager will use the + // :ref:`config_http_conn_man_headers_x-forwarded-for` HTTP header. See the documentation for + // :ref:`config_http_conn_man_headers_x-forwarded-for`, + // :ref:`config_http_conn_man_headers_x-envoy-internal`, and + // :ref:`config_http_conn_man_headers_x-envoy-external-address` for more information. + google.protobuf.BoolValue use_remote_address = 14 + [(udpa.annotations.security).configure_for_untrusted_downstream = true]; + + // The number of additional ingress proxy hops from the right side of the + // :ref:`config_http_conn_man_headers_x-forwarded-for` HTTP header to trust when + // determining the origin client's IP address. The default is zero if this option + // is not specified. See the documentation for + // :ref:`config_http_conn_man_headers_x-forwarded-for` for more information. + uint32 xff_num_trusted_hops = 19; + + // Configuration for original IP detection extensions. + // + // When these extensions are configured, Envoy will invoke them with the incoming request headers and + // details about the downstream connection, including the directly connected address. Each extension uses + // this information to determine the effective remote IP address for the request. If an extension cannot + // identify the original IP address and isn't set to reject the request, Envoy will sequentially attempt + // the remaining extensions until one successfully determines the IP or explicitly rejects the request. + // If all extensions fail without rejection, Envoy defaults to using the directly connected remote address. + // + // .. warning:: + // These extensions cannot be configured simultaneously with :ref:`use_remote_address + // ` + // or :ref:`xff_num_trusted_hops + // `. + // + // [#extension-category: envoy.http.original_ip_detection] + repeated config.core.v3.TypedExtensionConfig original_ip_detection_extensions = 46; + + // The configuration for the early header mutation extensions. + // + // When configured the extensions will be called before any routing, tracing, or any filter processing. + // Each extension will be applied in the order they are configured. + // If the same header is mutated by multiple extensions, then the last extension will win. + // + // [#extension-category: envoy.http.early_header_mutation] + repeated config.core.v3.TypedExtensionConfig early_header_mutation_extensions = 52; + + // Configures what network addresses are considered internal for stats and header sanitation + // purposes. If unspecified, only RFC1918 IP addresses will be considered internal. + // See the documentation for :ref:`config_http_conn_man_headers_x-envoy-internal` for more + // information about internal/external addresses. + // + // .. warning:: + // As of Envoy 1.33.0 no IP addresses will be considered trusted. If you have tooling such as probes + // on your private network which need to be treated as trusted (e.g. changing arbitrary x-envoy headers) + // you will have to manually include those addresses or CIDR ranges like: + // + // .. validated-code-block:: yaml + // :type-name: envoy.extensions.filters.network.http_connection_manager.v3.InternalAddressConfig + // + // cidr_ranges: + // address_prefix: 10.0.0.0 + // prefix_len: 8 + // cidr_ranges: + // address_prefix: 192.168.0.0 + // prefix_len: 16 + // cidr_ranges: + // address_prefix: 172.16.0.0 + // prefix_len: 12 + // cidr_ranges: + // address_prefix: 127.0.0.1 + // prefix_len: 32 + // cidr_ranges: + // address_prefix: fd00:: + // prefix_len: 8 + // cidr_ranges: + // address_prefix: ::1 + // prefix_len: 128 + // + InternalAddressConfig internal_address_config = 25; + + // If set, Envoy will not append the remote address to the + // :ref:`config_http_conn_man_headers_x-forwarded-for` HTTP header. This may be used in + // conjunction with HTTP filters that explicitly manipulate XFF after the HTTP connection manager + // has mutated the request headers. While :ref:`use_remote_address + // ` + // will also suppress XFF addition, it has consequences for logging and other + // Envoy uses of the remote address, so ``skip_xff_append`` should be used + // when only an elision of XFF addition is intended. + bool skip_xff_append = 21; + + // Via header value to append to request and response headers. If this is + // empty, no via header will be appended. + string via = 22 [(validate.rules).string = {well_known_regex: HTTP_HEADER_VALUE strict: false}]; + + // Whether the connection manager will generate the :ref:`x-request-id + // ` header if it does not exist. This defaults to + // true. Generating a random UUID4 is expensive so in high throughput scenarios where this feature + // is not desired it can be disabled. + google.protobuf.BoolValue generate_request_id = 15; + + // Whether the connection manager will keep the :ref:`x-request-id + // ` header if passed for a request that is edge + // (Edge request is the request from external clients to front Envoy) and not reset it, which + // is the current Envoy behaviour. This defaults to false. + bool preserve_external_request_id = 32; + + // If set, Envoy will always set :ref:`x-request-id ` header in response. + // If this is false or not set, the request ID is returned in responses only if tracing is forced using + // :ref:`x-envoy-force-trace ` header. + bool always_set_request_id_in_response = 37; + + // How to handle the :ref:`config_http_conn_man_headers_x-forwarded-client-cert` (XFCC) HTTP + // header. + ForwardClientCertDetails forward_client_cert_details = 16 + [(validate.rules).enum = {defined_only: true}]; + + // This field is valid only when :ref:`forward_client_cert_details + // ` + // is APPEND_FORWARD or SANITIZE_SET and the client connection is mTLS. It specifies the fields in + // the client certificate to be forwarded. Note that in the + // :ref:`config_http_conn_man_headers_x-forwarded-client-cert` header, ``Hash`` is always set, and + // ``By`` is always set when the client certificate presents the URI type Subject Alternative Name + // value. + SetCurrentClientCertDetails set_current_client_cert_details = 17; + + // The matcher for forwarding client cert details. This allows per-request configuration + // of forward client cert behavior based on request properties. If a matcher is configured + // and matches a request, the matched action's forward client cert config will be used. + // If the matcher is not configured or doesn't match, the static + // :ref:`forward_client_cert_details + // ` + // and + // :ref:`set_current_client_cert_details + // ` + // config will be used as fallback. + // + // Example: If the x-forwarded-client-cert header contains "trusted-client", use APPEND_FORWARD, + // otherwise use SANITIZE_SET: + // + // .. code-block:: yaml + // + // forward_client_cert_matcher: + // matcher_list: + // matchers: + // - predicate: + // single_predicate: + // input: + // name: envoy.matching.inputs.request_headers + // typed_config: + // "@type": type.googleapis.com/envoy.type.matcher.v3.HttpRequestHeaderMatchInput + // header_name: "x-forwarded-client-cert" + // value_match: + // string_match: + // contains: "trusted-client" + // on_match: + // action: + // name: forward_client_cert + // typed_config: + // "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager.ForwardClientCertConfig + // forward_client_cert_details: APPEND_FORWARD + // set_current_client_cert_details: + // uri: true + // on_no_match: + // action: + // name: forward_client_cert + // typed_config: + // "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager.ForwardClientCertConfig + // forward_client_cert_details: SANITIZE_SET + // set_current_client_cert_details: + // uri: true + xds.type.matcher.v3.Matcher forward_client_cert_matcher = 60; + + // If proxy_100_continue is true, Envoy will proxy incoming "Expect: + // 100-continue" headers upstream, and forward "100 Continue" responses + // downstream. If this is false or not set, Envoy will instead strip the + // "Expect: 100-continue" header, and send a "100 Continue" response itself. + bool proxy_100_continue = 18; + + // If + // :ref:`use_remote_address + // ` + // is true and represent_ipv4_remote_address_as_ipv4_mapped_ipv6 is true and the remote address is + // an IPv4 address, the address will be mapped to IPv6 before it is appended to ``x-forwarded-for``. + // This is useful for testing compatibility of upstream services that parse the header value. For + // example, 50.0.0.1 is represented as ::FFFF:50.0.0.1. See `IPv4-Mapped IPv6 Addresses + // `_ for details. This will also affect the + // :ref:`config_http_conn_man_headers_x-envoy-external-address` header. See + // :ref:`http_connection_manager.represent_ipv4_remote_address_as_ipv4_mapped_ipv6 + // ` for runtime + // control. + // [#not-implemented-hide:] + bool represent_ipv4_remote_address_as_ipv4_mapped_ipv6 = 20; + + repeated UpgradeConfig upgrade_configs = 23; + + // Should paths be normalized according to RFC 3986 before any processing of + // requests by HTTP filters or routing? This affects the upstream ``:path`` header + // as well. For paths that fail this check, Envoy will respond with 400 to + // paths that are malformed. This defaults to false currently but will default + // true in the future. When not specified, this value may be overridden by the + // runtime variable + // :ref:`http_connection_manager.normalize_path`. + // See `Normalization and Comparison `_ + // for details of normalization. + // Note that Envoy does not perform + // `case normalization `_ + // [#comment:TODO: This field is ignored when the + // :ref:`header validation configuration ` + // is present.] + google.protobuf.BoolValue normalize_path = 30; + + // Determines if adjacent slashes in the path are merged into one before any processing of + // requests by HTTP filters or routing. This affects the upstream ``:path`` header as well. Without + // setting this option, incoming requests with path ``//dir///file`` will not match against route + // with ``prefix`` match set to ``/dir``. Defaults to ``false``. Note that slash merging is not part of + // `HTTP spec `_ and is provided for convenience. + // [#comment:TODO: This field is ignored when the + // :ref:`header validation configuration ` + // is present.] + bool merge_slashes = 33; + + // Action to take when request URL path contains escaped slash sequences (%2F, %2f, %5C and %5c). + // The default value can be overridden by the :ref:`http_connection_manager.path_with_escaped_slashes_action` + // runtime variable. + // The :ref:`http_connection_manager.path_with_escaped_slashes_action_sampling` runtime + // variable can be used to apply the action to a portion of all requests. + // [#comment:TODO: This field is ignored when the + // :ref:`header validation configuration ` + // is present.] + PathWithEscapedSlashesAction path_with_escaped_slashes_action = 45; + + // The configuration of the request ID extension. This includes operations such as + // generation, validation, and associated tracing operations. If empty, the + // :ref:`UuidRequestIdConfig ` + // default extension is used with default parameters. See the documentation for that extension + // for details on what it does. Customizing the configuration for the default extension can be + // achieved by configuring it explicitly here. For example, to disable trace reason packing, + // the following configuration can be used: + // + // .. validated-code-block:: yaml + // :type-name: envoy.extensions.filters.network.http_connection_manager.v3.RequestIDExtension + // + // typed_config: + // "@type": type.googleapis.com/envoy.extensions.request_id.uuid.v3.UuidRequestIdConfig + // pack_trace_reason: false + // + // [#extension-category: envoy.request_id] + RequestIDExtension request_id_extension = 36; + + // The configuration to customize local reply returned by Envoy. It can customize status code, + // body text and response content type. If not specified, status code and text body are hard + // coded in Envoy, the response content type is plain text. + LocalReplyConfig local_reply_config = 38; + + // Determines if the port part should be removed from host/authority header before any processing + // of request by HTTP filters or routing. The port would be removed only if it is equal to the :ref:`listener's` + // local port. This affects the upstream host header unless the method is + // CONNECT in which case if no filter adds a port the original port will be restored before headers are + // sent upstream. + // Without setting this option, incoming requests with host ``example:443`` will not match against + // route with :ref:`domains` match set to ``example``. Defaults to ``false``. Note that port removal is not part + // of `HTTP spec `_ and is provided for convenience. + // Only one of ``strip_matching_host_port`` or ``strip_any_host_port`` can be set. + bool strip_matching_host_port = 39 + [(udpa.annotations.field_migrate).oneof_promotion = "strip_port_mode"]; + + oneof strip_port_mode { + // Determines if the port part should be removed from host/authority header before any processing + // of request by HTTP filters or routing. + // This affects the upstream host header unless the method is CONNECT in + // which case if no filter adds a port the original port will be restored before headers are sent upstream. + // Without setting this option, incoming requests with host ``example:443`` will not match against + // route with :ref:`domains` match set to ``example``. Defaults to ``false``. Note that port removal is not part + // of `HTTP spec `_ and is provided for convenience. + // Only one of ``strip_matching_host_port`` or ``strip_any_host_port`` can be set. + bool strip_any_host_port = 42; + } + + // Governs Envoy's behavior when receiving invalid HTTP from downstream. + // If this option is false (default), Envoy will err on the conservative side handling HTTP + // errors, terminating both HTTP/1.1 and HTTP/2 connections when receiving an invalid request. + // If this option is set to true, Envoy will be more permissive, only resetting the invalid + // stream in the case of HTTP/2 and leaving the connection open where possible (if the entire + // request is read for HTTP/1.1) + // In general this should be true for deployments receiving trusted traffic (L2 Envoys, + // company-internal mesh) and false when receiving untrusted traffic (edge deployments). + // + // If different behaviors for invalid_http_message for HTTP/1 and HTTP/2 are + // desired, one should use the new HTTP/1 option :ref:`override_stream_error_on_invalid_http_message + // ` or the new HTTP/2 option + // :ref:`override_stream_error_on_invalid_http_message + // ` + // ``not`` the deprecated but similarly named :ref:`stream_error_on_invalid_http_messaging + // ` + google.protobuf.BoolValue stream_error_on_invalid_http_message = 40; + + // [#not-implemented-hide:] Path normalization configuration. This includes + // configurations for transformations (e.g. RFC 3986 normalization or merge + // adjacent slashes) and the policy to apply them. The policy determines + // whether transformations affect the forwarded ``:path`` header. RFC 3986 path + // normalization is enabled by default and the default policy is that the + // normalized header will be forwarded. See :ref:`PathNormalizationOptions + // ` + // for details. + PathNormalizationOptions path_normalization_options = 43; + + // Determines if trailing dot of the host should be removed from host/authority header before any + // processing of request by HTTP filters or routing. + // This affects the upstream host header. + // Without setting this option, incoming requests with host ``example.com.`` will not match against + // route with :ref:`domains` match set to ``example.com``. Defaults to ``false``. + // When the incoming request contains a host/authority header that includes a port number, + // setting this option will strip a trailing dot, if present, from the host section, + // leaving the port as is (e.g. host value ``example.com.:443`` will be updated to ``example.com:443``). + bool strip_trailing_host_dot = 47; + + // Proxy-Status HTTP response header configuration. + // If this config is set, the Proxy-Status HTTP response header field is + // populated. By default, it is not. + ProxyStatusConfig proxy_status_config = 49; + + // Configuration options for Header Validation (UHV). + // UHV is an extensible mechanism for checking validity of HTTP requests as well as providing + // normalization for request attributes, such as URI path. + // If the typed_header_validation_config is present it overrides the following options: + // ``normalize_path``, ``merge_slashes``, ``path_with_escaped_slashes_action`` + // ``http_protocol_options.allow_chunked_length``, ``common_http_protocol_options.headers_with_underscores_action``. + // + // The default UHV checks the following: + // + // #. HTTP/1 header map validity according to `RFC 7230 section 3.2`_ + // #. Syntax of HTTP/1 request target URI and response status + // #. HTTP/2 header map validity according to `RFC 7540 section 8.1.2`_ + // #. Syntax of HTTP/3 pseudo headers + // #. Syntax of ``Content-Length`` and ``Transfer-Encoding`` + // #. Validation of HTTP/1 requests with both ``Content-Length`` and ``Transfer-Encoding`` headers + // #. Normalization of the URI path according to `Normalization and Comparison `_ + // without `case normalization `_ + // + // [#not-implemented-hide:] + // [#extension-category: envoy.http.header_validators] + config.core.v3.TypedExtensionConfig typed_header_validation_config = 50; + + // Append the ``x-forwarded-port`` header with the port value client used to connect to Envoy. It + // will be ignored if the ``x-forwarded-port`` header has been set by any trusted proxy in front of Envoy. + bool append_x_forwarded_port = 51; + + // Append the :ref:`config_http_conn_man_headers_x-envoy-local-overloaded` HTTP header in the scenario where + // the Overload Manager has been triggered. + bool append_local_overload = 57; + + // Whether the HCM will add ProxyProtocolFilterState to the Connection lifetime filter state. Defaults to ``true``. + // This should be set to ``false`` in cases where Envoy's view of the downstream address may not correspond to the + // actual client address, for example, if there's another proxy in front of the Envoy. + google.protobuf.BoolValue add_proxy_protocol_connection_state = 53; +} + +// The configuration to customize local reply returned by Envoy. +message LocalReplyConfig { + // Configuration of list of mappers which allows to filter and change local response. + // The mappers will be checked by the specified order until one is matched. + repeated ResponseMapper mappers = 1; + + // The configuration to form response body from the :ref:`command operators ` + // and to specify response content type as one of: plain/text or application/json. + // + // Example one: "plain/text" ``body_format``. + // + // .. validated-code-block:: yaml + // :type-name: envoy.config.core.v3.SubstitutionFormatString + // + // text_format: "%LOCAL_REPLY_BODY%:%RESPONSE_CODE%:path=%REQ(:path)%\n" + // + // The following response body in "plain/text" format will be generated for a request with + // local reply body of "upstream connection error", response_code=503 and path=/foo. + // + // .. code-block:: text + // + // upstream connect error:503:path=/foo + // + // Example two: "application/json" ``body_format``. + // + // .. validated-code-block:: yaml + // :type-name: envoy.config.core.v3.SubstitutionFormatString + // + // json_format: + // status: "%RESPONSE_CODE%" + // message: "%LOCAL_REPLY_BODY%" + // path: "%REQ(:path)%" + // + // The following response body in "application/json" format would be generated for a request with + // local reply body of "upstream connection error", response_code=503 and path=/foo. + // + // .. code-block:: json + // + // { + // "status": 503, + // "message": "upstream connection error", + // "path": "/foo" + // } + // + config.core.v3.SubstitutionFormatString body_format = 2; +} + +// The configuration to filter and change local response. +// [#next-free-field: 6] +message ResponseMapper { + // Filter to determine if this mapper should apply. + config.accesslog.v3.AccessLogFilter filter = 1 [(validate.rules).message = {required: true}]; + + // The new response status code if specified. + google.protobuf.UInt32Value status_code = 2 [(validate.rules).uint32 = {lt: 600 gte: 200}]; + + // The new local reply body text if specified. It will be used in the ``%LOCAL_REPLY_BODY%`` + // command operator in the ``body_format``. + config.core.v3.DataSource body = 3; + + // A per mapper ``body_format`` to override the :ref:`body_format `. + // It will be used when this mapper is matched. + config.core.v3.SubstitutionFormatString body_format_override = 4; + + // HTTP headers to add to a local reply. This allows the response mapper to append, to add + // or to override headers of any local reply before it is sent to a downstream client. + repeated config.core.v3.HeaderValueOption headers_to_add = 5 + [(validate.rules).repeated = {max_items: 1000}]; +} + +message Rds { + option (udpa.annotations.versioning).previous_message_type = + "envoy.config.filter.network.http_connection_manager.v2.Rds"; + + // Configuration source specifier for RDS. + config.core.v3.ConfigSource config_source = 1; + + // The name of the route configuration. This name will be passed to the RDS + // API. This allows an Envoy configuration with multiple HTTP listeners (and + // associated HTTP connection manager filters) to use different route + // configurations. + string route_config_name = 2; +} + +// This message is used to work around the limitations with 'oneof' and repeated fields. +message ScopedRouteConfigurationsList { + option (udpa.annotations.versioning).previous_message_type = + "envoy.config.filter.network.http_connection_manager.v2.ScopedRouteConfigurationsList"; + + repeated config.route.v3.ScopedRouteConfiguration scoped_route_configurations = 1 + [(validate.rules).repeated = {min_items: 1}]; +} + +// [#next-free-field: 6] +message ScopedRoutes { + option (udpa.annotations.versioning).previous_message_type = + "envoy.config.filter.network.http_connection_manager.v2.ScopedRoutes"; + + // Specifies the mechanism for constructing "scope keys" based on HTTP request attributes. These + // keys are matched against a set of :ref:`Key` + // objects assembled from :ref:`ScopedRouteConfiguration` + // messages distributed via SRDS (the Scoped Route Discovery Service) or assigned statically via + // :ref:`scoped_route_configurations_list`. + // + // Upon receiving a request's headers, the Router will build a key using the algorithm specified + // by this message. This key will be used to look up the routing table (i.e., the + // :ref:`RouteConfiguration`) to use for the request. + message ScopeKeyBuilder { + option (udpa.annotations.versioning).previous_message_type = + "envoy.config.filter.network.http_connection_manager.v2.ScopedRoutes.ScopeKeyBuilder"; + + // Specifies the mechanism for constructing key fragments which are composed into scope keys. + message FragmentBuilder { + option (udpa.annotations.versioning).previous_message_type = + "envoy.config.filter.network.http_connection_manager.v2.ScopedRoutes.ScopeKeyBuilder." + "FragmentBuilder"; + + // Specifies how the value of a header should be extracted. + // The following example maps the structure of a header to the fields in this message. + // + // .. code:: + // + // <0> <1> <-- index + // X-Header: a=b;c=d + // | || | + // | || \----> + // | || + // | |\----> + // | | + // | \----> + // | + // \----> + // + // Each 'a=b' key-value pair constitutes an 'element' of the header field. + message HeaderValueExtractor { + option (udpa.annotations.versioning).previous_message_type = + "envoy.config.filter.network.http_connection_manager.v2.ScopedRoutes.ScopeKeyBuilder." + "FragmentBuilder.HeaderValueExtractor"; + + // Specifies a header field's key value pair to match on. + message KvElement { + option (udpa.annotations.versioning).previous_message_type = + "envoy.config.filter.network.http_connection_manager.v2.ScopedRoutes.ScopeKeyBuilder." + "FragmentBuilder.HeaderValueExtractor.KvElement"; + + // The separator between key and value (e.g., '=' separates 'k=v;...'). + // If an element is an empty string, the element is ignored. + // If an element contains no separator, the whole element is parsed as key and the + // fragment value is an empty string. + // If there are multiple values for a matched key, the first value is returned. + string separator = 1 [(validate.rules).string = {min_len: 1}]; + + // The key to match on. + string key = 2 [(validate.rules).string = {min_len: 1}]; + } + + // The name of the header field to extract the value from. + // + // .. note:: + // + // If the header appears multiple times only the first value is used. + string name = 1 [ + (validate.rules).string = {min_len: 1 well_known_regex: HTTP_HEADER_NAME strict: false} + ]; + + // The element separator (e.g., ';' separates 'a;b;c;d'). + // Default: empty string. This causes the entirety of the header field to be extracted. + // If this field is set to an empty string and 'index' is used in the oneof below, 'index' + // must be set to 0. + string element_separator = 2; + + oneof extract_type { + // Specifies the zero based index of the element to extract. + // Note Envoy concatenates multiple values of the same header key into a comma separated + // string, the splitting always happens after the concatenation. + uint32 index = 3; + + // Specifies the key value pair to extract the value from. + KvElement element = 4; + } + } + + oneof type { + option (validate.required) = true; + + // Specifies how a header field's value should be extracted. + HeaderValueExtractor header_value_extractor = 1; + } + } + + // The final(built) scope key consists of the ordered union of these fragments, which are compared in order with the + // fragments of a :ref:`ScopedRouteConfiguration`. + // A missing fragment during comparison will make the key invalid, i.e., the computed key doesn't match any key. + repeated FragmentBuilder fragments = 1 [(validate.rules).repeated = {min_items: 1}]; + } + + // The name assigned to the scoped routing configuration. + string name = 1 [(validate.rules).string = {min_len: 1}]; + + // The algorithm to use for constructing a scope key for each request. + ScopeKeyBuilder scope_key_builder = 2 [(validate.rules).message = {required: true}]; + + // Configuration source specifier for RDS. + // This config source is used to subscribe to RouteConfiguration resources specified in + // ScopedRouteConfiguration messages. + config.core.v3.ConfigSource rds_config_source = 3; + + oneof config_specifier { + option (validate.required) = true; + + // The set of routing scopes corresponding to the HCM. A scope is assigned to a request by + // matching a key constructed from the request's attributes according to the algorithm specified + // by the + // :ref:`ScopeKeyBuilder` + // in this message. + ScopedRouteConfigurationsList scoped_route_configurations_list = 4; + + // The set of routing scopes associated with the HCM will be dynamically loaded via the SRDS + // API. A scope is assigned to a request by matching a key constructed from the request's + // attributes according to the algorithm specified by the + // :ref:`ScopeKeyBuilder` + // in this message. + ScopedRds scoped_rds = 5; + } +} + +message ScopedRds { + option (udpa.annotations.versioning).previous_message_type = + "envoy.config.filter.network.http_connection_manager.v2.ScopedRds"; + + // Configuration source specifier for scoped RDS. + config.core.v3.ConfigSource scoped_rds_config_source = 1 + [(validate.rules).message = {required: true}]; + + // xdstp:// resource locator for scoped RDS collection. + // [#not-implemented-hide:] + string srds_resources_locator = 2; +} + +// [#next-free-field: 8] +message HttpFilter { + option (udpa.annotations.versioning).previous_message_type = + "envoy.config.filter.network.http_connection_manager.v2.HttpFilter"; + + reserved 3, 2; + + reserved "config"; + + // The name of the filter configuration. It also serves as a resource name in ExtensionConfigDS. + string name = 1 [(validate.rules).string = {min_len: 1}]; + + oneof config_type { + // Filter specific configuration which depends on the filter being instantiated. See the supported + // filters for further documentation. + // + // To support configuring a :ref:`match tree `, use an + // :ref:`ExtensionWithMatcher ` + // with the desired HTTP filter. + // [#extension-category: envoy.filters.http] + google.protobuf.Any typed_config = 4; + + // Configuration source specifier for an extension configuration discovery service. + // In case of a failure and without the default configuration, the HTTP listener responds with code 500. + // Extension configs delivered through this mechanism are not expected to require warming (see https://github.com/envoyproxy/envoy/issues/12061). + // + // To support configuring a :ref:`match tree `, use an + // :ref:`ExtensionWithMatcher ` + // with the desired HTTP filter. This works for both the default filter configuration as well + // as for filters provided via the API. + config.core.v3.ExtensionConfigSource config_discovery = 5; + } + + // If true, clients that do not support this filter may ignore the + // filter but otherwise accept the config. + // Otherwise, clients that do not support this filter must reject the config. + bool is_optional = 6; + + // If true, the filter is disabled by default and must be explicitly enabled by setting + // per filter configuration in the route configuration. + // See :ref:`route based filter chain ` + // for more details. + // + // Terminal filters (e.g. ``envoy.filters.http.router``) cannot be marked as disabled. + bool disabled = 7; +} + +message RequestIDExtension { + option (udpa.annotations.versioning).previous_message_type = + "envoy.config.filter.network.http_connection_manager.v2.RequestIDExtension"; + + // Request ID extension specific configuration. + google.protobuf.Any typed_config = 1; +} + +// [#protodoc-title: Envoy Mobile HTTP connection manager] +// HTTP connection manager for use in Envoy mobile. +// [#extension: envoy.filters.network.envoy_mobile_http_connection_manager] +message EnvoyMobileHttpConnectionManager { + // The configuration for the underlying HttpConnectionManager which will be + // instantiated for Envoy mobile. + HttpConnectionManager config = 1; +} diff --git a/grpc-xds/proto/third_party/envoy/envoy/extensions/grpc_service/call_credentials/access_token/v3/access_token_credentials.proto b/grpc-xds/proto/third_party/envoy/envoy/extensions/grpc_service/call_credentials/access_token/v3/access_token_credentials.proto new file mode 100644 index 000000000..45ee3839e --- /dev/null +++ b/grpc-xds/proto/third_party/envoy/envoy/extensions/grpc_service/call_credentials/access_token/v3/access_token_credentials.proto @@ -0,0 +1,19 @@ +syntax = "proto3"; + +package envoy.extensions.grpc_service.call_credentials.access_token.v3; + +import "udpa/annotations/status.proto"; + +option java_package = "io.envoyproxy.envoy.extensions.grpc_service.call_credentials.access_token.v3"; +option java_outer_classname = "AccessTokenCredentialsProto"; +option java_multiple_files = true; +option go_package = "github.com/envoyproxy/go-control-plane/envoy/extensions/grpc_service/call_credentials/access_token/v3;access_tokenv3"; +option (udpa.annotations.file_status).package_version_status = ACTIVE; + +// [#protodoc-title: gRPC Access Token Credentials] + +// [#not-implemented-hide:] +message AccessTokenCredentials { + // The access token. + string token = 1; +} diff --git a/grpc-xds/proto/third_party/envoy/envoy/extensions/grpc_service/channel_credentials/google_default/v3/google_default_credentials.proto b/grpc-xds/proto/third_party/envoy/envoy/extensions/grpc_service/channel_credentials/google_default/v3/google_default_credentials.proto new file mode 100644 index 000000000..77c3af41f --- /dev/null +++ b/grpc-xds/proto/third_party/envoy/envoy/extensions/grpc_service/channel_credentials/google_default/v3/google_default_credentials.proto @@ -0,0 +1,17 @@ +syntax = "proto3"; + +package envoy.extensions.grpc_service.channel_credentials.google_default.v3; + +import "udpa/annotations/status.proto"; + +option java_package = "io.envoyproxy.envoy.extensions.grpc_service.channel_credentials.google_default.v3"; +option java_outer_classname = "GoogleDefaultCredentialsProto"; +option java_multiple_files = true; +option go_package = "github.com/envoyproxy/go-control-plane/envoy/extensions/grpc_service/channel_credentials/google_default/v3;google_defaultv3"; +option (udpa.annotations.file_status).package_version_status = ACTIVE; + +// [#protodoc-title: gRPC Google Default Credentials] + +// [#not-implemented-hide:] +message GoogleDefaultCredentials { +} diff --git a/grpc-xds/proto/third_party/envoy/envoy/extensions/grpc_service/channel_credentials/insecure/v3/insecure_credentials.proto b/grpc-xds/proto/third_party/envoy/envoy/extensions/grpc_service/channel_credentials/insecure/v3/insecure_credentials.proto new file mode 100644 index 000000000..70d58451e --- /dev/null +++ b/grpc-xds/proto/third_party/envoy/envoy/extensions/grpc_service/channel_credentials/insecure/v3/insecure_credentials.proto @@ -0,0 +1,17 @@ +syntax = "proto3"; + +package envoy.extensions.grpc_service.channel_credentials.insecure.v3; + +import "udpa/annotations/status.proto"; + +option java_package = "io.envoyproxy.envoy.extensions.grpc_service.channel_credentials.insecure.v3"; +option java_outer_classname = "InsecureCredentialsProto"; +option java_multiple_files = true; +option go_package = "github.com/envoyproxy/go-control-plane/envoy/extensions/grpc_service/channel_credentials/insecure/v3;insecurev3"; +option (udpa.annotations.file_status).package_version_status = ACTIVE; + +// [#protodoc-title: gRPC Insecure Credentials] + +// [#not-implemented-hide:] +message InsecureCredentials { +} diff --git a/grpc-xds/proto/third_party/envoy/envoy/extensions/grpc_service/channel_credentials/local/v3/local_credentials.proto b/grpc-xds/proto/third_party/envoy/envoy/extensions/grpc_service/channel_credentials/local/v3/local_credentials.proto new file mode 100644 index 000000000..00514a0e8 --- /dev/null +++ b/grpc-xds/proto/third_party/envoy/envoy/extensions/grpc_service/channel_credentials/local/v3/local_credentials.proto @@ -0,0 +1,17 @@ +syntax = "proto3"; + +package envoy.extensions.grpc_service.channel_credentials.local.v3; + +import "udpa/annotations/status.proto"; + +option java_package = "io.envoyproxy.envoy.extensions.grpc_service.channel_credentials.local.v3"; +option java_outer_classname = "LocalCredentialsProto"; +option java_multiple_files = true; +option go_package = "github.com/envoyproxy/go-control-plane/envoy/extensions/grpc_service/channel_credentials/local/v3;localv3"; +option (udpa.annotations.file_status).package_version_status = ACTIVE; + +// [#protodoc-title: gRPC Local Credentials] + +// [#not-implemented-hide:] +message LocalCredentials { +} diff --git a/grpc-xds/proto/third_party/envoy/envoy/extensions/grpc_service/channel_credentials/tls/v3/tls_credentials.proto b/grpc-xds/proto/third_party/envoy/envoy/extensions/grpc_service/channel_credentials/tls/v3/tls_credentials.proto new file mode 100644 index 000000000..f64c16bb6 --- /dev/null +++ b/grpc-xds/proto/third_party/envoy/envoy/extensions/grpc_service/channel_credentials/tls/v3/tls_credentials.proto @@ -0,0 +1,27 @@ +syntax = "proto3"; + +package envoy.extensions.grpc_service.channel_credentials.tls.v3; + +import "envoy/extensions/transport_sockets/tls/v3/tls.proto"; + +import "udpa/annotations/status.proto"; + +option java_package = "io.envoyproxy.envoy.extensions.grpc_service.channel_credentials.tls.v3"; +option java_outer_classname = "TlsCredentialsProto"; +option java_multiple_files = true; +option go_package = "github.com/envoyproxy/go-control-plane/envoy/extensions/grpc_service/channel_credentials/tls/v3;tlsv3"; +option (udpa.annotations.file_status).package_version_status = ACTIVE; + +// [#protodoc-title: gRPC TLS Credentials] + +// [#not-implemented-hide:] +message TlsCredentials { + // The certificate provider instance for the root cert. Must be set. + transport_sockets.tls.v3.CommonTlsContext.CertificateProviderInstance root_certificate_provider = + 1; + + // The certificate provider instance for the identity cert. Optional; + // if unset, no identity certificate will be sent to the server. + transport_sockets.tls.v3.CommonTlsContext.CertificateProviderInstance + identity_certificate_provider = 2; +} diff --git a/grpc-xds/proto/third_party/envoy/envoy/extensions/grpc_service/channel_credentials/xds/v3/xds_credentials.proto b/grpc-xds/proto/third_party/envoy/envoy/extensions/grpc_service/channel_credentials/xds/v3/xds_credentials.proto new file mode 100644 index 000000000..ba8d471dd --- /dev/null +++ b/grpc-xds/proto/third_party/envoy/envoy/extensions/grpc_service/channel_credentials/xds/v3/xds_credentials.proto @@ -0,0 +1,21 @@ +syntax = "proto3"; + +package envoy.extensions.grpc_service.channel_credentials.xds.v3; + +import "google/protobuf/any.proto"; + +import "udpa/annotations/status.proto"; + +option java_package = "io.envoyproxy.envoy.extensions.grpc_service.channel_credentials.xds.v3"; +option java_outer_classname = "XdsCredentialsProto"; +option java_multiple_files = true; +option go_package = "github.com/envoyproxy/go-control-plane/envoy/extensions/grpc_service/channel_credentials/xds/v3;xdsv3"; +option (udpa.annotations.file_status).package_version_status = ACTIVE; + +// [#protodoc-title: gRPC xDS Credentials] + +// [#not-implemented-hide:] +message XdsCredentials { + // Fallback credentials. Required. + google.protobuf.Any fallback_credentials = 1; +} diff --git a/grpc-xds/proto/third_party/envoy/envoy/extensions/load_balancing_policies/client_side_weighted_round_robin/v3/client_side_weighted_round_robin.proto b/grpc-xds/proto/third_party/envoy/envoy/extensions/load_balancing_policies/client_side_weighted_round_robin/v3/client_side_weighted_round_robin.proto new file mode 100644 index 000000000..c55d30b89 --- /dev/null +++ b/grpc-xds/proto/third_party/envoy/envoy/extensions/load_balancing_policies/client_side_weighted_round_robin/v3/client_side_weighted_round_robin.proto @@ -0,0 +1,91 @@ +syntax = "proto3"; + +package envoy.extensions.load_balancing_policies.client_side_weighted_round_robin.v3; + +import "envoy/extensions/load_balancing_policies/common/v3/common.proto"; + +import "google/protobuf/duration.proto"; +import "google/protobuf/wrappers.proto"; + +import "udpa/annotations/status.proto"; +import "validate/validate.proto"; + +option java_package = "io.envoyproxy.envoy.extensions.load_balancing_policies.client_side_weighted_round_robin.v3"; +option java_outer_classname = "ClientSideWeightedRoundRobinProto"; +option java_multiple_files = true; +option go_package = "github.com/envoyproxy/go-control-plane/envoy/extensions/load_balancing_policies/client_side_weighted_round_robin/v3;client_side_weighted_round_robinv3"; +option (udpa.annotations.file_status).package_version_status = ACTIVE; + +// [#protodoc-title: Client-Side Weighted Round Robin Load Balancing Policy] +// [#extension: envoy.load_balancing_policies.client_side_weighted_round_robin] + +// Configuration for the client_side_weighted_round_robin LB policy. +// +// This policy differs from the built-in ROUND_ROBIN policy in terms of +// how the endpoint weights are determined. In the ROUND_ROBIN policy, +// the endpoint weights are sent by the control plane via EDS. However, +// in this policy, the endpoint weights are instead determined via qps (queries +// per second), eps (errors per second), and utilization metrics sent by the +// endpoint using the Open Request Cost Aggregation (ORCA) protocol. Utilization +// is determined by using the ORCA application_utilization field, if set, or +// else falling back to the cpu_utilization field. All queries count toward qps, +// regardless of result. Only failed queries count toward eps. A config +// parameter error_utilization_penalty controls the penalty to adjust endpoint +// weights using eps and qps. The weight of a given endpoint is computed as: +// ``qps / (utilization + eps/qps * error_utilization_penalty)``. +// +// Note that Envoy will forward the ORCA response headers/trailers from the upstream +// cluster to the downstream client. This means that if the downstream client is also +// configured to use ``client_side_weighted_round_robin`` it will load balance against +// Envoy based on upstream weights. This can happen when Envoy is used as a reverse proxy. +// To avoid this issue you can configure the :ref:`header_mutation filter ` to remove +// the ORCA payload from the response headers/trailers. +// +// See the :ref:`load balancing architecture +// overview` for more information. +// +// [#next-free-field: 9] +message ClientSideWeightedRoundRobin { + // Whether to enable out-of-band utilization reporting collection from + // the endpoints. By default, per-request utilization reporting is used. + google.protobuf.BoolValue enable_oob_load_report = 1; + + // Load reporting interval to request from the server. Note that the + // server may not provide reports as frequently as the client requests. + // Used only when enable_oob_load_report is true. Default is 10 seconds. + google.protobuf.Duration oob_reporting_period = 2; + + // A given endpoint must report load metrics continuously for at least + // this long before the endpoint weight will be used. This avoids + // churn when the set of endpoint addresses changes. Takes effect + // both immediately after we establish a connection to an endpoint and + // after weight_expiration_period has caused us to stop using the most + // recent load metrics. Default is 10 seconds. + google.protobuf.Duration blackout_period = 3; + + // If a given endpoint has not reported load metrics in this long, + // then we stop using the reported weight. This ensures that we do + // not continue to use very stale weights. Once we stop using a stale + // value, if we later start seeing fresh reports again, the + // blackout_period applies. Defaults to 3 minutes. + google.protobuf.Duration weight_expiration_period = 4; + + // How often endpoint weights are recalculated. Values less than 100ms are + // capped at 100ms. Default is 1 second. + google.protobuf.Duration weight_update_period = 5; + + // The multiplier used to adjust endpoint weights with the error rate + // calculated as eps/qps. Configuration is rejected if this value is negative. + // Default is 1.0. + google.protobuf.FloatValue error_utilization_penalty = 6 [(validate.rules).float = {gte: 0.0}]; + + // By default, endpoint weight is computed based on the :ref:`application_utilization ` field reported by the endpoint. + // If that field is not set, then utilization will instead be computed by taking the max of the values of the metrics specified here. + // For map fields in the ORCA proto, the string will be of the form ``.``. For example, the string ``named_metrics.foo`` will mean to look for the key ``foo`` in the ORCA :ref:`named_metrics ` field. + // If none of the specified metrics are present in the load report, then :ref:`cpu_utilization ` is used instead. + repeated string metric_names_for_computing_utilization = 7; + + // Configuration for slow start mode. + // If this configuration is not set, slow start will not be not enabled. + common.v3.SlowStartConfig slow_start_config = 8; +} diff --git a/grpc-xds/proto/third_party/envoy/envoy/extensions/load_balancing_policies/common/v3/common.proto b/grpc-xds/proto/third_party/envoy/envoy/extensions/load_balancing_policies/common/v3/common.proto new file mode 100644 index 000000000..22faf11b9 --- /dev/null +++ b/grpc-xds/proto/third_party/envoy/envoy/extensions/load_balancing_policies/common/v3/common.proto @@ -0,0 +1,161 @@ +syntax = "proto3"; + +package envoy.extensions.load_balancing_policies.common.v3; + +import "envoy/config/core/v3/base.proto"; +import "envoy/config/route/v3/route_components.proto"; +import "envoy/type/v3/percent.proto"; + +import "google/protobuf/duration.proto"; +import "google/protobuf/wrappers.proto"; + +import "envoy/annotations/deprecation.proto"; +import "udpa/annotations/status.proto"; +import "validate/validate.proto"; + +option java_package = "io.envoyproxy.envoy.extensions.load_balancing_policies.common.v3"; +option java_outer_classname = "CommonProto"; +option java_multiple_files = true; +option go_package = "github.com/envoyproxy/go-control-plane/envoy/extensions/load_balancing_policies/common/v3;commonv3"; +option (udpa.annotations.file_status).package_version_status = ACTIVE; + +// [#protodoc-title: Common configuration for two or more load balancing policy extensions] + +message LocalityLbConfig { + // Configuration for :ref:`zone aware routing + // `. + // [#next-free-field: 7] + message ZoneAwareLbConfig { + // Basis for computing per-locality percentages in zone-aware routing. + enum LocalityBasis { + // Use the number of healthy hosts in each locality. + HEALTHY_HOSTS_NUM = 0; + + // Use the weights of healthy hosts in each locality. + HEALTHY_HOSTS_WEIGHT = 1; + } + + // Configures Envoy to always route requests to the local zone regardless of the + // upstream zone structure. In Envoy's default configuration, traffic is distributed proportionally + // across all upstream hosts while trying to maximize local routing when possible. The approach + // with force_local_zone aims to be more predictable and if there are upstream hosts in the local + // zone, they will receive all traffic. + // * :ref:`runtime values `. + // * :ref:`Zone aware routing support `. + message ForceLocalZone { + // Configures the minimum number of upstream hosts in the local zone required when force_local_zone + // is enabled. If the number of upstream hosts in the local zone is less than the specified value, + // Envoy will fall back to the default proportional-based distribution across localities. + // If not specified, the default is 1. + // * :ref:`runtime values `. + // * :ref:`Zone aware routing support `. + google.protobuf.UInt32Value min_size = 1; + } + + // Configures percentage of requests that will be considered for zone aware routing + // if zone aware routing is configured. If not specified, the default is 100%. + // * :ref:`runtime values `. + // * :ref:`Zone aware routing support `. + type.v3.Percent routing_enabled = 1; + + // Configures minimum upstream cluster size required for zone aware routing + // If upstream cluster size is less than specified, zone aware routing is not performed + // even if zone aware routing is configured. If not specified, the default is 6. + // * :ref:`runtime values `. + // * :ref:`Zone aware routing support `. + google.protobuf.UInt64Value min_cluster_size = 2; + + // If set to true, Envoy will not consider any hosts when the cluster is in :ref:`panic + // mode`. Instead, the cluster will fail all + // requests as if all hosts are unhealthy. This can help avoid potentially overwhelming a + // failing service. + bool fail_traffic_on_panic = 3; + + // If set to true, Envoy will force LocalityDirect routing if a local locality exists. + bool force_locality_direct_routing = 4 + [deprecated = true, (envoy.annotations.deprecated_at_minor_version) = "3.0"]; + + ForceLocalZone force_local_zone = 5; + + // Determines how locality percentages are computed: + // - HEALTHY_HOSTS_NUM: proportional to the count of healthy hosts. + // - HEALTHY_HOSTS_WEIGHT: proportional to the weights of healthy hosts. + // Default value is HEALTHY_HOSTS_NUM if unset. + LocalityBasis locality_basis = 6; + } + + // Configuration for :ref:`locality weighted load balancing + // ` + message LocalityWeightedLbConfig { + } + + oneof locality_config_specifier { + option (validate.required) = true; + + // Configuration for local zone aware load balancing. + ZoneAwareLbConfig zone_aware_lb_config = 1; + + // Enable locality weighted load balancing. + LocalityWeightedLbConfig locality_weighted_lb_config = 2; + } +} + +// Configuration for :ref:`slow start mode `. +message SlowStartConfig { + // Represents the size of slow start window. + // If set, the newly created host remains in slow start mode starting from its creation time + // for the duration of slow start window. + google.protobuf.Duration slow_start_window = 1; + + // This parameter controls the speed of traffic increase over the slow start window. Defaults to 1.0, + // so that endpoint would get linearly increasing amount of traffic. + // When increasing the value for this parameter, the speed of traffic ramp-up increases non-linearly. + // The value of aggression parameter should be greater than 0.0. + // By tuning the parameter, is possible to achieve polynomial or exponential shape of ramp-up curve. + // + // During slow start window, effective weight of an endpoint would be scaled with time factor and aggression: + // ``new_weight = weight * max(min_weight_percent, time_factor ^ (1 / aggression))``, + // where ``time_factor=(time_since_start_seconds / slow_start_time_seconds)``. + // + // As time progresses, more and more traffic would be sent to endpoint, which is in slow start window. + // Once host exits slow start, time_factor and aggression no longer affect its weight. + config.core.v3.RuntimeDouble aggression = 2; + + // Configures the minimum percentage of origin weight that avoids too small new weight, + // which may cause endpoints in slow start mode receive no traffic in slow start window. + // If not specified, the default is 10%. + type.v3.Percent min_weight_percent = 3; +} + +// Common Configuration for all consistent hashing load balancers (MaglevLb, RingHashLb, etc.) +message ConsistentHashingLbConfig { + // If set to ``true``, the cluster will use hostname instead of the resolved + // address as the key to consistently hash to an upstream host. Only valid for StrictDNS clusters with hostnames which resolve to a single IP address. + bool use_hostname_for_hashing = 1; + + // Configures percentage of average cluster load to bound per upstream host. For example, with a value of 150 + // no upstream host will get a load more than 1.5 times the average load of all the hosts in the cluster. + // If not specified, the load is not bounded for any upstream host. Typical value for this parameter is between 120 and 200. + // Minimum is 100. + // + // Applies to both Ring Hash and Maglev load balancers. + // + // This is implemented based on the method described in the paper https://arxiv.org/abs/1608.01350. For the specified + // ``hash_balance_factor``, requests to any upstream host are capped at ``hash_balance_factor/100`` times the average number of requests + // across the cluster. When a request arrives for an upstream host that is currently serving at its max capacity, linear probing + // is used to identify an eligible host. Further, the linear probe is implemented using a random jump in hosts ring/table to identify + // the eligible host (this technique is as described in the paper https://arxiv.org/abs/1908.08762 - the random jump avoids the + // cascading overflow effect when choosing the next host in the ring/table). + // + // If weights are specified on the hosts, they are respected. + // + // This is an O(N) algorithm, unlike other load balancers. Using a lower ``hash_balance_factor`` results in more hosts + // being probed, so use a higher value if you require better performance. + google.protobuf.UInt32Value hash_balance_factor = 2 [(validate.rules).uint32 = {gte: 100}]; + + // Specifies a list of hash policies to use for ring hash load balancing. If ``hash_policy`` is + // set, then + // :ref:`route level hash policy ` + // will be ignored. + repeated config.route.v3.RouteAction.HashPolicy hash_policy = 3; +} diff --git a/grpc-xds/proto/third_party/envoy/envoy/extensions/load_balancing_policies/least_request/v3/least_request.proto b/grpc-xds/proto/third_party/envoy/envoy/extensions/load_balancing_policies/least_request/v3/least_request.proto new file mode 100644 index 000000000..095f60752 --- /dev/null +++ b/grpc-xds/proto/third_party/envoy/envoy/extensions/load_balancing_policies/least_request/v3/least_request.proto @@ -0,0 +1,97 @@ +syntax = "proto3"; + +package envoy.extensions.load_balancing_policies.least_request.v3; + +import "envoy/config/core/v3/base.proto"; +import "envoy/extensions/load_balancing_policies/common/v3/common.proto"; + +import "google/protobuf/wrappers.proto"; + +import "envoy/annotations/deprecation.proto"; +import "udpa/annotations/status.proto"; +import "validate/validate.proto"; + +option java_package = "io.envoyproxy.envoy.extensions.load_balancing_policies.least_request.v3"; +option java_outer_classname = "LeastRequestProto"; +option java_multiple_files = true; +option go_package = "github.com/envoyproxy/go-control-plane/envoy/extensions/load_balancing_policies/least_request/v3;least_requestv3"; +option (udpa.annotations.file_status).package_version_status = ACTIVE; + +// [#protodoc-title: Least Request Load Balancing Policy] +// [#extension: envoy.load_balancing_policies.least_request] + +// This configuration allows the built-in LEAST_REQUEST LB policy to be configured via the LB policy +// extension point. See the :ref:`load balancing architecture overview +// ` for more information. +// [#next-free-field: 7] +message LeastRequest { + // Available methods for selecting the host set from which to return the host with the + // fewest active requests. + enum SelectionMethod { + // Return host with fewest requests from a set of ``choice_count`` randomly selected hosts. + // Best selection method for most scenarios. + N_CHOICES = 0; + + // Return host with fewest requests from all hosts. + // Useful in some niche use cases involving low request rates and one of: + // (example 1) low request limits on workloads, or (example 2) few hosts. + // + // Example 1: Consider a workload type that can only accept one connection at a time. + // If such workloads are deployed across many hosts, only a small percentage of those + // workloads have zero connections at any given time, and the rate of new connections is low, + // the ``FULL_SCAN`` method is more likely to select a suitable host than ``N_CHOICES``. + // + // Example 2: Consider a workload type that is only deployed on 2 hosts. With default settings, + // the ``N_CHOICES`` method will return the host with more active requests 25% of the time. + // If the request rate is sufficiently low, the behavior of always selecting the host with least + // requests as of the last metrics refresh may be preferable. + FULL_SCAN = 1; + } + + // The number of random healthy hosts from which the host with the fewest active requests will + // be chosen. Defaults to 2 so that we perform two-choice selection if the field is not set. + // Only applies to the ``N_CHOICES`` selection method. + google.protobuf.UInt32Value choice_count = 1 [(validate.rules).uint32 = {gte: 2}]; + + // The following formula is used to calculate the dynamic weights when hosts have different load + // balancing weights: + // + // ``weight = load_balancing_weight / (active_requests + 1)^active_request_bias`` + // + // The larger the active request bias is, the more aggressively active requests will lower the + // effective weight when all host weights are not equal. + // + // ``active_request_bias`` must be greater than or equal to 0.0. + // + // When ``active_request_bias == 0.0`` the Least Request Load Balancer doesn't consider the number + // of active requests at the time it picks a host and behaves like the Round Robin Load + // Balancer. + // + // When ``active_request_bias > 0.0`` the Least Request Load Balancer scales the load balancing + // weight by the number of active requests at the time it does a pick. + // + // The value is cached for performance reasons and refreshed whenever one of the Load Balancer's + // host sets changes, e.g., whenever there is a host membership update or a host load balancing + // weight change. + // + // .. note:: + // This setting only takes effect if all host weights are not equal. + config.core.v3.RuntimeDouble active_request_bias = 2; + + // Configuration for slow start mode. + // If this configuration is not set, slow start will not be not enabled. + common.v3.SlowStartConfig slow_start_config = 3; + + // Configuration for local zone aware load balancing or locality weighted load balancing. + common.v3.LocalityLbConfig locality_lb_config = 4; + + // [#not-implemented-hide:] + // Unused. Replaced by the `selection_method` enum for better extensibility. + google.protobuf.BoolValue enable_full_scan = 5 + [deprecated = true, (envoy.annotations.deprecated_at_minor_version) = "3.0"]; + + // Method for selecting the host set from which to return the host with the fewest active requests. + // + // Defaults to ``N_CHOICES``. + SelectionMethod selection_method = 6 [(validate.rules).enum = {defined_only: true}]; +} diff --git a/grpc-xds/proto/third_party/envoy/envoy/extensions/load_balancing_policies/pick_first/v3/pick_first.proto b/grpc-xds/proto/third_party/envoy/envoy/extensions/load_balancing_policies/pick_first/v3/pick_first.proto new file mode 100644 index 000000000..2a7db058e --- /dev/null +++ b/grpc-xds/proto/third_party/envoy/envoy/extensions/load_balancing_policies/pick_first/v3/pick_first.proto @@ -0,0 +1,22 @@ +syntax = "proto3"; + +package envoy.extensions.load_balancing_policies.pick_first.v3; + +import "udpa/annotations/status.proto"; + +option java_package = "io.envoyproxy.envoy.extensions.load_balancing_policies.pick_first.v3"; +option java_outer_classname = "PickFirstProto"; +option java_multiple_files = true; +option go_package = "github.com/envoyproxy/go-control-plane/envoy/extensions/load_balancing_policies/pick_first/v3;pick_firstv3"; +option (udpa.annotations.file_status).package_version_status = ACTIVE; + +// [#protodoc-title: Pick First Load Balancing Policy] +// [#not-implemented-hide:] + +// This configuration allows the built-in PICK_FIRST LB policy to be configured +// via the LB policy extension point. +message PickFirst { + // If set to true, instructs the LB policy to shuffle the list of addresses + // received from the name resolver before attempting to connect to them. + bool shuffle_address_list = 1; +} diff --git a/grpc-xds/proto/third_party/envoy/envoy/extensions/load_balancing_policies/ring_hash/v3/ring_hash.proto b/grpc-xds/proto/third_party/envoy/envoy/extensions/load_balancing_policies/ring_hash/v3/ring_hash.proto new file mode 100644 index 000000000..f154be55a --- /dev/null +++ b/grpc-xds/proto/third_party/envoy/envoy/extensions/load_balancing_policies/ring_hash/v3/ring_hash.proto @@ -0,0 +1,97 @@ +syntax = "proto3"; + +package envoy.extensions.load_balancing_policies.ring_hash.v3; + +import "envoy/extensions/load_balancing_policies/common/v3/common.proto"; + +import "google/protobuf/wrappers.proto"; + +import "envoy/annotations/deprecation.proto"; +import "udpa/annotations/status.proto"; +import "validate/validate.proto"; + +option java_package = "io.envoyproxy.envoy.extensions.load_balancing_policies.ring_hash.v3"; +option java_outer_classname = "RingHashProto"; +option java_multiple_files = true; +option go_package = "github.com/envoyproxy/go-control-plane/envoy/extensions/load_balancing_policies/ring_hash/v3;ring_hashv3"; +option (udpa.annotations.file_status).package_version_status = ACTIVE; + +// [#protodoc-title: Ring Hash Load Balancing Policy] +// [#extension: envoy.load_balancing_policies.ring_hash] + +// This configuration allows the built-in RING_HASH LB policy to be configured via the LB policy +// extension point. See the :ref:`load balancing architecture overview +// ` for more information. +// [#next-free-field: 8] +message RingHash { + // The hash function used to hash hosts onto the ketama ring. + enum HashFunction { + // Currently defaults to XX_HASH. + DEFAULT_HASH = 0; + + // Use `xxHash `_. + XX_HASH = 1; + + // Use `MurmurHash2 `_, this is compatible with + // std:hash in GNU libstdc++ 3.4.20 or above. This is typically the case when compiled + // on Linux and not macOS. + MURMUR_HASH_2 = 2; + } + + // The hash function used to hash hosts onto the ketama ring. The value defaults to + // :ref:`XX_HASH`. + HashFunction hash_function = 1 [(validate.rules).enum = {defined_only: true}]; + + // Minimum hash ring size. The larger the ring is (that is, the more hashes there are for each + // provided host) the better the request distribution will reflect the desired weights. Defaults + // to 1024 entries, and limited to 8M entries. See also + // :ref:`maximum_ring_size`. + google.protobuf.UInt64Value minimum_ring_size = 2 + [(validate.rules).uint64 = {lte: 8388608 gte: 1}]; + + // Maximum hash ring size. Defaults to 8M entries, and limited to 8M entries, but can be lowered + // to further constrain resource use. See also + // :ref:`minimum_ring_size`. + google.protobuf.UInt64Value maximum_ring_size = 3 [(validate.rules).uint64 = {lte: 8388608}]; + + // If set to ``true``, the cluster will use hostname instead of the resolved + // address as the key to consistently hash to an upstream host. Only valid for StrictDNS clusters with hostnames which resolve to a single IP address. + // + // .. note:: + // This is deprecated and please use :ref:`consistent_hashing_lb_config + // ` instead. + bool use_hostname_for_hashing = 4 + [deprecated = true, (envoy.annotations.deprecated_at_minor_version) = "3.0"]; + + // Configures percentage of average cluster load to bound per upstream host. For example, with a value of 150 + // no upstream host will get a load more than 1.5 times the average load of all the hosts in the cluster. + // If not specified, the load is not bounded for any upstream host. Typical value for this parameter is between 120 and 200. + // Minimum is 100. + // + // This is implemented based on the method described in the paper https://arxiv.org/abs/1608.01350. For the specified + // ``hash_balance_factor``, requests to any upstream host are capped at ``hash_balance_factor/100`` times the average number of requests + // across the cluster. When a request arrives for an upstream host that is currently serving at its max capacity, linear probing + // is used to identify an eligible host. Further, the linear probe is implemented using a random jump in hosts ring/table to identify + // the eligible host (this technique is as described in the paper https://arxiv.org/abs/1908.08762 - the random jump avoids the + // cascading overflow effect when choosing the next host in the ring/table). + // + // If weights are specified on the hosts, they are respected. + // + // This is an O(N) algorithm, unlike other load balancers. Using a lower ``hash_balance_factor`` results in more hosts + // being probed, so use a higher value if you require better performance. + // + // .. note:: + // This is deprecated and please use :ref:`consistent_hashing_lb_config + // ` instead. + google.protobuf.UInt32Value hash_balance_factor = 5 [ + deprecated = true, + (validate.rules).uint32 = {gte: 100}, + (envoy.annotations.deprecated_at_minor_version) = "3.0" + ]; + + // Common configuration for hashing-based load balancing policies. + common.v3.ConsistentHashingLbConfig consistent_hashing_lb_config = 6; + + // Enable locality weighted load balancing for ring hash lb explicitly. + common.v3.LocalityLbConfig.LocalityWeightedLbConfig locality_weighted_lb_config = 7; +} diff --git a/grpc-xds/proto/third_party/envoy/envoy/extensions/load_balancing_policies/round_robin/v3/round_robin.proto b/grpc-xds/proto/third_party/envoy/envoy/extensions/load_balancing_policies/round_robin/v3/round_robin.proto new file mode 100644 index 000000000..63fe49e9b --- /dev/null +++ b/grpc-xds/proto/third_party/envoy/envoy/extensions/load_balancing_policies/round_robin/v3/round_robin.proto @@ -0,0 +1,28 @@ +syntax = "proto3"; + +package envoy.extensions.load_balancing_policies.round_robin.v3; + +import "envoy/extensions/load_balancing_policies/common/v3/common.proto"; + +import "udpa/annotations/status.proto"; + +option java_package = "io.envoyproxy.envoy.extensions.load_balancing_policies.round_robin.v3"; +option java_outer_classname = "RoundRobinProto"; +option java_multiple_files = true; +option go_package = "github.com/envoyproxy/go-control-plane/envoy/extensions/load_balancing_policies/round_robin/v3;round_robinv3"; +option (udpa.annotations.file_status).package_version_status = ACTIVE; + +// [#protodoc-title: Round Robin Load Balancing Policy] +// [#extension: envoy.load_balancing_policies.round_robin] + +// This configuration allows the built-in ROUND_ROBIN LB policy to be configured via the LB policy +// extension point. See the :ref:`load balancing architecture overview +// ` for more information. +message RoundRobin { + // Configuration for slow start mode. + // If this configuration is not set, slow start will not be not enabled. + common.v3.SlowStartConfig slow_start_config = 1; + + // Configuration for local zone aware load balancing or locality weighted load balancing. + common.v3.LocalityLbConfig locality_lb_config = 2; +} diff --git a/grpc-xds/proto/third_party/envoy/envoy/extensions/load_balancing_policies/wrr_locality/v3/wrr_locality.proto b/grpc-xds/proto/third_party/envoy/envoy/extensions/load_balancing_policies/wrr_locality/v3/wrr_locality.proto new file mode 100644 index 000000000..e2e4ade82 --- /dev/null +++ b/grpc-xds/proto/third_party/envoy/envoy/extensions/load_balancing_policies/wrr_locality/v3/wrr_locality.proto @@ -0,0 +1,25 @@ +syntax = "proto3"; + +package envoy.extensions.load_balancing_policies.wrr_locality.v3; + +import "envoy/config/cluster/v3/cluster.proto"; + +import "udpa/annotations/status.proto"; +import "validate/validate.proto"; + +option java_package = "io.envoyproxy.envoy.extensions.load_balancing_policies.wrr_locality.v3"; +option java_outer_classname = "WrrLocalityProto"; +option java_multiple_files = true; +option go_package = "github.com/envoyproxy/go-control-plane/envoy/extensions/load_balancing_policies/wrr_locality/v3;wrr_localityv3"; +option (udpa.annotations.file_status).package_version_status = ACTIVE; + +// [#protodoc-title: Weighted Round Robin Locality-Picking Load Balancing Policy] +// [#extension: envoy.load_balancing_policies.wrr_locality] + +// Configuration for the wrr_locality LB policy. See the :ref:`load balancing architecture overview +// ` for more information. +message WrrLocality { + // The child LB policy to create for endpoint-picking within the chosen locality. + config.cluster.v3.LoadBalancingPolicy endpoint_picking_policy = 1 + [(validate.rules).message = {required: true}]; +} diff --git a/grpc-xds/proto/third_party/envoy/envoy/extensions/transport_sockets/http_11_proxy/v3/upstream_http_11_connect.proto b/grpc-xds/proto/third_party/envoy/envoy/extensions/transport_sockets/http_11_proxy/v3/upstream_http_11_connect.proto new file mode 100644 index 000000000..2c9b5333f --- /dev/null +++ b/grpc-xds/proto/third_party/envoy/envoy/extensions/transport_sockets/http_11_proxy/v3/upstream_http_11_connect.proto @@ -0,0 +1,38 @@ +syntax = "proto3"; + +package envoy.extensions.transport_sockets.http_11_proxy.v3; + +import "envoy/config/core/v3/base.proto"; + +import "udpa/annotations/status.proto"; + +option java_package = "io.envoyproxy.envoy.extensions.transport_sockets.http_11_proxy.v3"; +option java_outer_classname = "UpstreamHttp11ConnectProto"; +option java_multiple_files = true; +option go_package = "github.com/envoyproxy/go-control-plane/envoy/extensions/transport_sockets/http_11_proxy/v3;http_11_proxyv3"; +option (udpa.annotations.file_status).package_version_status = ACTIVE; + +// [#protodoc-title: Upstream HTTP/1.1 Proxy] +// [#extension: envoy.transport_sockets.http_11_proxy] + +// HTTP/1.1 proxy transport socket establishes an upstream connection to a proxy address +// instead of the target host's address. This behavior is triggered when the transport +// socket is configured and proxy information is provided. +// +// Behavior when proxying: +// ======================= +// When an upstream connection is established, instead of connecting directly to the endpoint +// address, the client will connect to the specified proxy address, send an HTTP/1.1 ``CONNECT`` request +// indicating the endpoint address, and process the response. If the response has HTTP status 200, +// the connection will be passed down to the underlying transport socket. +// +// Configuring proxy information: +// ============================== +// Set ``typed_filter_metadata`` in :ref:`LbEndpoint.Metadata ` or :ref:`LocalityLbEndpoints.Metadata `. +// using the key ``envoy.http11_proxy_transport_socket.proxy_address`` and the +// proxy address in ``config::core::v3::Address`` format. +// +message Http11ProxyUpstreamTransport { + // The underlying transport socket being wrapped. Defaults to plaintext (raw_buffer) if unset. + config.core.v3.TransportSocket transport_socket = 1; +} diff --git a/grpc-xds/proto/third_party/envoy/envoy/extensions/transport_sockets/tls/v3/cert.proto b/grpc-xds/proto/third_party/envoy/envoy/extensions/transport_sockets/tls/v3/cert.proto new file mode 100644 index 000000000..8a5f8962b --- /dev/null +++ b/grpc-xds/proto/third_party/envoy/envoy/extensions/transport_sockets/tls/v3/cert.proto @@ -0,0 +1,12 @@ +syntax = "proto3"; + +package envoy.extensions.transport_sockets.tls.v3; + +import public "envoy/extensions/transport_sockets/tls/v3/common.proto"; +import public "envoy/extensions/transport_sockets/tls/v3/secret.proto"; +import public "envoy/extensions/transport_sockets/tls/v3/tls.proto"; + +option java_package = "io.envoyproxy.envoy.extensions.transport_sockets.tls.v3"; +option java_outer_classname = "CertProto"; +option java_multiple_files = true; +option go_package = "github.com/envoyproxy/go-control-plane/envoy/extensions/transport_sockets/tls/v3;tlsv3"; diff --git a/grpc-xds/proto/third_party/envoy/envoy/extensions/transport_sockets/tls/v3/common.proto b/grpc-xds/proto/third_party/envoy/envoy/extensions/transport_sockets/tls/v3/common.proto new file mode 100644 index 000000000..9bc5fb5d0 --- /dev/null +++ b/grpc-xds/proto/third_party/envoy/envoy/extensions/transport_sockets/tls/v3/common.proto @@ -0,0 +1,597 @@ +syntax = "proto3"; + +package envoy.extensions.transport_sockets.tls.v3; + +import "envoy/config/core/v3/base.proto"; +import "envoy/config/core/v3/extension.proto"; +import "envoy/type/matcher/v3/string.proto"; + +import "google/protobuf/any.proto"; +import "google/protobuf/wrappers.proto"; + +import "envoy/annotations/deprecation.proto"; +import "udpa/annotations/migrate.proto"; +import "udpa/annotations/sensitive.proto"; +import "udpa/annotations/status.proto"; +import "udpa/annotations/versioning.proto"; +import "validate/validate.proto"; + +option java_package = "io.envoyproxy.envoy.extensions.transport_sockets.tls.v3"; +option java_outer_classname = "CommonProto"; +option java_multiple_files = true; +option go_package = "github.com/envoyproxy/go-control-plane/envoy/extensions/transport_sockets/tls/v3;tlsv3"; +option (udpa.annotations.file_status).package_version_status = ACTIVE; + +// [#protodoc-title: Common TLS configuration] + +// [#next-free-field: 7] +message TlsParameters { + option (udpa.annotations.versioning).previous_message_type = "envoy.api.v2.auth.TlsParameters"; + + enum TlsProtocol { + // Envoy will choose the optimal TLS version. + TLS_AUTO = 0; + + // TLS 1.0 + TLSv1_0 = 1; + + // TLS 1.1 + TLSv1_1 = 2; + + // TLS 1.2 + TLSv1_2 = 3; + + // TLS 1.3 + TLSv1_3 = 4; + } + + enum CompliancePolicy { + // FIPS_202205 configures a TLS connection to use: + // + // * TLS 1.2 or 1.3 + // * For TLS 1.2, only ECDHE_[RSA|ECDSA]_WITH_AES_*_GCM_SHA*. + // * For TLS 1.3, only AES-GCM + // * P-256 or P-384 for key agreement. + // * For server signatures, only ``PKCS#1/PSS`` with ``SHA256/384/512``, or ECDSA + // with P-256 or P-384. + // + // .. attention:: + // + // Please refer to `BoringSSL policies `_ + // for details. + FIPS_202205 = 0; + } + + // Minimum TLS protocol version. By default, it's ``TLSv1_2`` for both clients and servers. + // + // TLS protocol versions below TLSv1_2 require setting compatible ciphers with the + // ``cipher_suites`` setting as the default ciphers no longer include compatible ciphers. + // + // .. attention:: + // + // Using TLS protocol versions below TLSv1_2 has serious security considerations and risks. + TlsProtocol tls_minimum_protocol_version = 1 [(validate.rules).enum = {defined_only: true}]; + + // Maximum TLS protocol version. By default, it's ``TLSv1_2`` for clients and ``TLSv1_3`` for + // servers. + TlsProtocol tls_maximum_protocol_version = 2 [(validate.rules).enum = {defined_only: true}]; + + // If specified, the TLS listener will only support the specified `cipher list + // `_ + // when negotiating TLS 1.0-1.2 (this setting has no effect when negotiating TLS 1.3). + // + // If not specified, a default list will be used. Defaults are different for server (downstream) and + // client (upstream) TLS configurations. + // Defaults will change over time in response to security considerations; If you care, configure + // it instead of using the default. + // + // In non-FIPS builds, the default server cipher list is: + // + // .. code-block:: none + // + // [ECDHE-ECDSA-AES128-GCM-SHA256|ECDHE-ECDSA-CHACHA20-POLY1305] + // [ECDHE-RSA-AES128-GCM-SHA256|ECDHE-RSA-CHACHA20-POLY1305] + // ECDHE-ECDSA-AES256-GCM-SHA384 + // ECDHE-RSA-AES256-GCM-SHA384 + // + // In builds using :ref:`BoringSSL FIPS `, the default server cipher list is: + // + // .. code-block:: none + // + // ECDHE-ECDSA-AES128-GCM-SHA256 + // ECDHE-RSA-AES128-GCM-SHA256 + // ECDHE-ECDSA-AES256-GCM-SHA384 + // ECDHE-RSA-AES256-GCM-SHA384 + // + // In non-FIPS builds, the default client cipher list is: + // + // .. code-block:: none + // + // [ECDHE-ECDSA-AES128-GCM-SHA256|ECDHE-ECDSA-CHACHA20-POLY1305] + // [ECDHE-RSA-AES128-GCM-SHA256|ECDHE-RSA-CHACHA20-POLY1305] + // ECDHE-ECDSA-AES256-GCM-SHA384 + // ECDHE-RSA-AES256-GCM-SHA384 + // + // In builds using :ref:`BoringSSL FIPS `, the default client cipher list is: + // + // .. code-block:: none + // + // ECDHE-ECDSA-AES128-GCM-SHA256 + // ECDHE-RSA-AES128-GCM-SHA256 + // ECDHE-ECDSA-AES256-GCM-SHA384 + // ECDHE-RSA-AES256-GCM-SHA384 + repeated string cipher_suites = 3; + + // If specified, the TLS connection will only support the specified ECDH + // curves. If not specified, the default curves will be used. + // + // In non-FIPS builds, the default curves are: + // + // .. code-block:: none + // + // X25519 + // P-256 + // + // In builds using :ref:`BoringSSL FIPS `, the default curve is: + // + // .. code-block:: none + // + // P-256 + repeated string ecdh_curves = 4; + + // If specified, the TLS connection will only support the specified signature algorithms. + // The list is ordered by preference. + // If not specified, the default signature algorithms defined by BoringSSL will be used. + // + // Default signature algorithms selected by BoringSSL (may be out of date): + // + // .. code-block:: none + // + // ecdsa_secp256r1_sha256 + // rsa_pss_rsae_sha256 + // rsa_pkcs1_sha256 + // ecdsa_secp384r1_sha384 + // rsa_pss_rsae_sha384 + // rsa_pkcs1_sha384 + // rsa_pss_rsae_sha512 + // rsa_pkcs1_sha512 + // rsa_pkcs1_sha1 + // + // Signature algorithms supported by BoringSSL (may be out of date): + // + // .. code-block:: none + // + // rsa_pkcs1_sha256 + // rsa_pkcs1_sha384 + // rsa_pkcs1_sha512 + // ecdsa_secp256r1_sha256 + // ecdsa_secp384r1_sha384 + // ecdsa_secp521r1_sha512 + // rsa_pss_rsae_sha256 + // rsa_pss_rsae_sha384 + // rsa_pss_rsae_sha512 + // ed25519 + // rsa_pkcs1_sha1 + // ecdsa_sha1 + repeated string signature_algorithms = 5; + + // Compliance policies configure various aspects of the TLS based on the given policy. + // The policies are applied last during configuration and may override the other TLS + // parameters, or any previous policy. + repeated CompliancePolicy compliance_policies = 6 [(validate.rules).repeated = {max_items: 1}]; +} + +// BoringSSL private key method configuration. The private key methods are used for external +// (potentially asynchronous) signing and decryption operations. Some use cases for private key +// methods would be TPM support and TLS acceleration. +message PrivateKeyProvider { + option (udpa.annotations.versioning).previous_message_type = + "envoy.api.v2.auth.PrivateKeyProvider"; + + reserved 2; + + reserved "config"; + + // Private key method provider name. The name must match a + // supported private key method provider type. + string provider_name = 1 [(validate.rules).string = {min_len: 1}]; + + // Private key method provider specific configuration. + oneof config_type { + google.protobuf.Any typed_config = 3 [(udpa.annotations.sensitive) = true]; + } + + // If the private key provider isn't available (eg. the required hardware capability doesn't existed), + // Envoy will fallback to the BoringSSL default implementation when the ``fallback`` is true. + // The default value is ``false``. + bool fallback = 4; +} + +// [#next-free-field: 9] +message TlsCertificate { + option (udpa.annotations.versioning).previous_message_type = "envoy.api.v2.auth.TlsCertificate"; + + // The TLS certificate chain. + // + // If ``certificate_chain`` is a filesystem path, a watch will be added to the + // parent directory for any file moves to support rotation. This currently + // only applies to dynamic secrets, when the ``TlsCertificate`` is delivered via + // SDS. + config.core.v3.DataSource certificate_chain = 1; + + // The TLS private key. + // + // If ``private_key`` is a filesystem path, a watch will be added to the parent + // directory for any file moves to support rotation. This currently only + // applies to dynamic secrets, when the ``TlsCertificate`` is delivered via SDS. + config.core.v3.DataSource private_key = 2 [(udpa.annotations.sensitive) = true]; + + // ``Pkcs12`` data containing TLS certificate, chain, and private key. + // + // If ``pkcs12`` is a filesystem path, the file will be read, but no watch will + // be added to the parent directory, since ``pkcs12`` isn't used by SDS. + // This field is mutually exclusive with ``certificate_chain``, ``private_key`` and ``private_key_provider``. + // This can't be marked as ``oneof`` due to API compatibility reasons. Setting + // both :ref:`private_key `, + // :ref:`certificate_chain `, + // or :ref:`private_key_provider ` + // and :ref:`pkcs12 ` + // fields will result in an error. Use :ref:`password + // ` + // to specify the password to unprotect the ``PKCS12`` data, if necessary. + config.core.v3.DataSource pkcs12 = 8 [(udpa.annotations.sensitive) = true]; + + // If specified, updates of file-based ``certificate_chain`` and ``private_key`` + // sources will be triggered by this watch. The certificate/key pair will be + // read together and validated for atomic read consistency (i.e. no + // intervening modification occurred between cert/key read, verified by file + // hash comparisons). This allows explicit control over the path watched, by + // default the parent directories of the filesystem paths in + // ``certificate_chain`` and ``private_key`` are watched if this field is not + // specified. This only applies when a ``TlsCertificate`` is delivered by SDS + // with references to filesystem paths. See the :ref:`SDS key rotation + // ` documentation for further details. + config.core.v3.WatchedDirectory watched_directory = 7; + + // BoringSSL private key method provider. This is an alternative to :ref:`private_key + // ` field. + // When both :ref:`private_key ` and + // :ref:`private_key_provider ` fields are set, + // ``private_key_provider`` takes precedence. + // If ``private_key_provider`` is unavailable and :ref:`fallback + // ` + // is enabled, ``private_key`` will be used. + PrivateKeyProvider private_key_provider = 6; + + // The password to decrypt the TLS private key. If this field is not set, it is assumed that the + // TLS private key is not password encrypted. + config.core.v3.DataSource password = 3 [(udpa.annotations.sensitive) = true]; + + // The OCSP response to be stapled with this certificate during the handshake. + // The response must be DER-encoded and may only be provided via ``filename`` or + // ``inline_bytes``. The response may pertain to only one certificate. + config.core.v3.DataSource ocsp_staple = 4; + + // [#not-implemented-hide:] + repeated config.core.v3.DataSource signed_certificate_timestamp = 5; +} + +message TlsSessionTicketKeys { + option (udpa.annotations.versioning).previous_message_type = + "envoy.api.v2.auth.TlsSessionTicketKeys"; + + // Keys for encrypting and decrypting TLS session tickets. The + // first key in the array contains the key to encrypt all new sessions created by this context. + // All keys are candidates for decrypting received tickets. This allows for easy rotation of keys + // by, for example, putting the new key first, and the previous key second. + // + // If :ref:`session_ticket_keys ` + // is not specified, the TLS library will still support resuming sessions via tickets, but it will + // use an internally-generated and managed key, so sessions cannot be resumed across hot restarts + // or on different hosts. + // + // Each key must contain exactly 80 bytes of cryptographically-secure random data. For + // example, the output of ``openssl rand 80``. + // + // .. attention:: + // + // Using this feature has serious security considerations and risks. Improper handling of keys + // may result in loss of secrecy in connections, even if ciphers supporting perfect forward + // secrecy are used. See https://www.imperialviolet.org/2013/06/27/botchingpfs.html for some + // discussion. To minimize the risk, you must: + // + // * Keep the session ticket keys at least as secure as your TLS certificate private keys + // * Rotate session ticket keys at least daily, and preferably hourly + // * Always generate keys using a cryptographically-secure random data source + repeated config.core.v3.DataSource keys = 1 + [(validate.rules).repeated = {min_items: 1}, (udpa.annotations.sensitive) = true]; +} + +// Indicates a certificate to be obtained from a named CertificateProvider plugin instance. +// The plugin instances are defined in the client's bootstrap file. +// The plugin allows certificates to be fetched/refreshed over the network asynchronously with +// respect to the TLS handshake. +// [#not-implemented-hide:] +message CertificateProviderPluginInstance { + // Provider instance name. + // + // Instance names should generally be defined not in terms of the underlying provider + // implementation (e.g., "file_watcher") but rather in terms of the function of the + // certificates (e.g., "foo_deployment_identity"). + string instance_name = 1 [(validate.rules).string = {min_len: 1}]; + + // Opaque name used to specify certificate instances or types. For example, "ROOTCA" to specify + // a root-certificate (validation context) or "example.com" to specify a certificate for a + // particular domain. Not all provider instances will actually use this field, so the value + // defaults to the empty string. + string certificate_name = 2; +} + +// Matcher for subject alternative names, to match both type and value of the SAN. +message SubjectAltNameMatcher { + // Indicates the choice of GeneralName as defined in section 4.2.1.5 of RFC 5280 to match + // against. + enum SanType { + SAN_TYPE_UNSPECIFIED = 0; + EMAIL = 1; + DNS = 2; + URI = 3; + IP_ADDRESS = 4; + OTHER_NAME = 5; + } + + // Specification of type of SAN. Note that the default enum value is an invalid choice. + SanType san_type = 1 [(validate.rules).enum = {defined_only: true not_in: 0}]; + + // Matcher for SAN value. + // + // If the :ref:`san_type ` + // is :ref:`DNS ` + // and the matcher type is :ref:`exact `, DNS wildcards are evaluated + // according to the rules in https://www.rfc-editor.org/rfc/rfc6125#section-6.4.3. + // For example, ``*.example.com`` would match ``test.example.com`` but not ``example.com`` and not + // ``a.b.example.com``. + // + // The string matching for OTHER_NAME SAN values depends on their ASN.1 type: + // + // * OBJECT: Validated against its dotted numeric notation (e.g., "1.2.3.4") + // * BOOLEAN: Validated against strings "true" or "false" + // * INTEGER/ENUMERATED: Validated against a string containing the integer value + // * NULL: Validated against an empty string + // * Other types: Validated directly against the string value + type.matcher.v3.StringMatcher matcher = 2 [(validate.rules).message = {required: true}]; + + // OID Value which is required if OTHER_NAME SAN type is used. + // For example, UPN OID is 1.3.6.1.4.1.311.20.2.3 + // (Reference: http://oid-info.com/get/1.3.6.1.4.1.311.20.2.3). + // + // If set for SAN types other than OTHER_NAME, it will be ignored. + string oid = 3; +} + +// [#next-free-field: 18] +message CertificateValidationContext { + option (udpa.annotations.versioning).previous_message_type = + "envoy.api.v2.auth.CertificateValidationContext"; + + // Peer certificate verification mode. + enum TrustChainVerification { + // Perform default certificate verification (e.g., against CA / verification lists) + VERIFY_TRUST_CHAIN = 0; + + // Connections where the certificate fails verification will be permitted. + // For HTTP connections, the result of certificate verification can be used in route matching. ( + // see :ref:`validated ` ). + ACCEPT_UNTRUSTED = 1; + } + + message SystemRootCerts { + } + + reserved 4, 5; + + reserved "verify_subject_alt_name"; + + // TLS certificate data containing certificate authority certificates to use in verifying + // a presented peer certificate (e.g. server certificate for clusters or client certificate + // for listeners). If not specified and a peer certificate is presented it will not be + // verified. By default, a client certificate is optional, unless one of the additional + // options (:ref:`require_client_certificate + // `, + // :ref:`verify_certificate_spki + // `, + // :ref:`verify_certificate_hash + // `, or + // :ref:`match_typed_subject_alt_names + // `) is also + // specified. + // + // It can optionally contain certificate revocation lists, in which case Envoy will verify + // that the presented peer certificate has not been revoked by one of the included CRLs. Note + // that if a CRL is provided for any certificate authority in a trust chain, a CRL must be + // provided for all certificate authorities in that chain. Failure to do so will result in + // verification failure for both revoked and unrevoked certificates from that chain. + // The behavior of requiring all certificates to contain CRLs can be altered by + // setting :ref:`only_verify_leaf_cert_crl ` + // true. If set to true, only the final certificate in the chain undergoes CRL verification. + // + // See :ref:`the TLS overview ` for a list of common + // system CA locations. + // + // If ``trusted_ca`` is a filesystem path, a watch will be added to the parent + // directory for any file moves to support rotation. This currently only + // applies to dynamic secrets, when the ``CertificateValidationContext`` is + // delivered via SDS. + // + // X509_V_FLAG_PARTIAL_CHAIN is set by default, so non-root/intermediate ca certificate in ``trusted_ca`` + // can be treated as trust anchor as well. It allows verification with building valid partial chain instead + // of a full chain. + // + // If ``ca_certificate_provider_instance`` is set, it takes precedence over ``trusted_ca``. + config.core.v3.DataSource trusted_ca = 1 + [(udpa.annotations.field_migrate).oneof_promotion = "ca_cert_source"]; + + // Certificate provider instance for fetching TLS certificates. + // + // If set, takes precedence over ``trusted_ca``. + // [#not-implemented-hide:] + CertificateProviderPluginInstance ca_certificate_provider_instance = 13 + [(udpa.annotations.field_migrate).oneof_promotion = "ca_cert_source"]; + + // Use system root certs for validation. + // If present, system root certs are used only if neither of the ``trusted_ca`` + // or ``ca_certificate_provider_instance`` fields are set. + // [#not-implemented-hide:] + SystemRootCerts system_root_certs = 17; + + // If specified, updates of a file-based ``trusted_ca`` source will be triggered + // by this watch. This allows explicit control over the path watched, by + // default the parent directory of the filesystem path in ``trusted_ca`` is + // watched if this field is not specified. This only applies when a + // ``CertificateValidationContext`` is delivered by SDS with references to + // filesystem paths. See the :ref:`SDS key rotation ` + // documentation for further details. + config.core.v3.WatchedDirectory watched_directory = 11; + + // An optional list of base64-encoded SHA-256 hashes. If specified, Envoy will verify that the + // SHA-256 of the DER-encoded Subject Public Key Information (SPKI) of the presented certificate + // matches one of the specified values. + // + // A base64-encoded SHA-256 of the Subject Public Key Information (SPKI) of the certificate + // can be generated with the following command: + // + // .. code-block:: bash + // + // $ openssl x509 -in path/to/client.crt -noout -pubkey + // | openssl pkey -pubin -outform DER + // | openssl dgst -sha256 -binary + // | openssl enc -base64 + // NvqYIYSbgK2vCJpQhObf77vv+bQWtc5ek5RIOwPiC9A= + // + // This is the format used in HTTP Public Key Pinning. + // + // When both: + // :ref:`verify_certificate_hash + // ` and + // :ref:`verify_certificate_spki + // ` are specified, + // a hash matching value from either of the lists will result in the certificate being accepted. + // + // .. attention:: + // + // This option is preferred over :ref:`verify_certificate_hash + // `, + // because SPKI is tied to a private key, so it doesn't change when the certificate + // is renewed using the same private key. + repeated string verify_certificate_spki = 3 + [(validate.rules).repeated = {items {string {min_len: 44 max_bytes: 44}}}]; + + // An optional list of hex-encoded SHA-256 hashes. If specified, Envoy will verify that + // the SHA-256 of the DER-encoded presented certificate matches one of the specified values. + // + // A hex-encoded SHA-256 of the certificate can be generated with the following command: + // + // .. code-block:: bash + // + // $ openssl x509 -in path/to/client.crt -outform DER | openssl dgst -sha256 | cut -d" " -f2 + // df6ff72fe9116521268f6f2dd4966f51df479883fe7037b39f75916ac3049d1a + // + // A long hex-encoded and colon-separated SHA-256 (a.k.a. "fingerprint") of the certificate + // can be generated with the following command: + // + // .. code-block:: bash + // + // $ openssl x509 -in path/to/client.crt -noout -fingerprint -sha256 | cut -d"=" -f2 + // DF:6F:F7:2F:E9:11:65:21:26:8F:6F:2D:D4:96:6F:51:DF:47:98:83:FE:70:37:B3:9F:75:91:6A:C3:04:9D:1A + // + // Both of those formats are acceptable. + // + // When both: + // :ref:`verify_certificate_hash + // ` and + // :ref:`verify_certificate_spki + // ` are specified, + // a hash matching value from either of the lists will result in the certificate being accepted. + repeated string verify_certificate_hash = 2 + [(validate.rules).repeated = {items {string {min_len: 64 max_bytes: 95}}}]; + + // An optional list of Subject Alternative name matchers. If specified, Envoy will verify that the + // Subject Alternative Name of the presented certificate matches one of the specified matchers. + // The matching uses "any" semantics, that is to say, the SAN is verified if at least one matcher is + // matched. + // + // When a certificate has wildcard DNS SAN entries, to match a specific client, it should be + // configured with exact match type in the :ref:`string matcher `. + // For example if the certificate has "\*.example.com" as DNS SAN entry, to allow only "api.example.com", + // it should be configured as shown below. + // + // .. code-block:: yaml + // + // match_typed_subject_alt_names: + // - san_type: DNS + // matcher: + // exact: "api.example.com" + // + // .. attention:: + // + // Subject Alternative Names are easily spoofable and verifying only them is insecure, + // therefore this option must be used together with :ref:`trusted_ca + // `. + repeated SubjectAltNameMatcher match_typed_subject_alt_names = 15; + + // This field is deprecated in favor of + // :ref:`match_typed_subject_alt_names + // `. + // Note that if both this field and :ref:`match_typed_subject_alt_names + // ` + // are specified, the former (deprecated field) is ignored. + repeated type.matcher.v3.StringMatcher match_subject_alt_names = 9 + [deprecated = true, (envoy.annotations.deprecated_at_minor_version) = "3.0"]; + + // [#not-implemented-hide:] Must present signed certificate time-stamp. + google.protobuf.BoolValue require_signed_certificate_timestamp = 6; + + // An optional `certificate revocation list + // `_ + // (in PEM format). If specified, Envoy will verify that the presented peer + // certificate has not been revoked by this CRL. If this DataSource contains + // multiple CRLs, all of them will be used. Note that if a CRL is provided + // for any certificate authority in a trust chain, a CRL must be provided + // for all certificate authorities in that chain. Failure to do so will + // result in verification failure for both revoked and unrevoked certificates + // from that chain. This default behavior can be altered by setting + // :ref:`only_verify_leaf_cert_crl ` to + // true. + // + // If ``crl`` is a filesystem path, a watch will be added to the parent + // directory for any file moves to support rotation. This currently only + // applies to dynamic secrets, when the ``CertificateValidationContext`` is + // delivered via SDS. + config.core.v3.DataSource crl = 7; + + // If specified, Envoy will not reject expired certificates. + bool allow_expired_certificate = 8; + + // Certificate trust chain verification mode. + TrustChainVerification trust_chain_verification = 10 + [(validate.rules).enum = {defined_only: true}]; + + // The configuration of an extension specific certificate validator. + // If specified, all validation is done by the specified validator, + // and the behavior of all other validation settings is defined by the specified validator (and may be entirely ignored, unused, and unvalidated). + // Refer to the documentation for the specified validator. If you do not want a custom validation algorithm, do not set this field. + // [#extension-category: envoy.tls.cert_validator] + config.core.v3.TypedExtensionConfig custom_validator_config = 12; + + // If this option is set to true, only the certificate at the end of the + // certificate chain will be subject to validation by :ref:`CRL `. + bool only_verify_leaf_cert_crl = 14; + + // Defines maximum depth of a certificate chain accepted in verification, the default limit is 100, though this can be system-dependent. + // This number does not include the leaf but includes the trust anchor, so a depth of 1 allows the leaf and one CA certificate. If a trusted issuer + // appears in the chain, but in a depth larger than configured, the certificate validation will fail. + // This matches the semantics of ``SSL_CTX_set_verify_depth`` in OpenSSL 1.0.x and older versions of BoringSSL. It differs from ``SSL_CTX_set_verify_depth`` + // in OpenSSL 1.1.x and newer versions of BoringSSL in that the trust anchor is included. + // Trusted issues are specified by setting :ref:`trusted_ca ` + google.protobuf.UInt32Value max_verify_depth = 16 [(validate.rules).uint32 = {lte: 100}]; +} diff --git a/grpc-xds/proto/third_party/envoy/envoy/extensions/transport_sockets/tls/v3/secret.proto b/grpc-xds/proto/third_party/envoy/envoy/extensions/transport_sockets/tls/v3/secret.proto new file mode 100644 index 000000000..94660e2da --- /dev/null +++ b/grpc-xds/proto/third_party/envoy/envoy/extensions/transport_sockets/tls/v3/secret.proto @@ -0,0 +1,61 @@ +syntax = "proto3"; + +package envoy.extensions.transport_sockets.tls.v3; + +import "envoy/config/core/v3/base.proto"; +import "envoy/config/core/v3/config_source.proto"; +import "envoy/extensions/transport_sockets/tls/v3/common.proto"; + +import "udpa/annotations/sensitive.proto"; +import "udpa/annotations/status.proto"; +import "udpa/annotations/versioning.proto"; +import "validate/validate.proto"; + +option java_package = "io.envoyproxy.envoy.extensions.transport_sockets.tls.v3"; +option java_outer_classname = "SecretProto"; +option java_multiple_files = true; +option go_package = "github.com/envoyproxy/go-control-plane/envoy/extensions/transport_sockets/tls/v3;tlsv3"; +option (udpa.annotations.file_status).package_version_status = ACTIVE; + +// [#protodoc-title: Secrets configuration] + +message GenericSecret { + option (udpa.annotations.versioning).previous_message_type = "envoy.api.v2.auth.GenericSecret"; + + // Secret of generic type and is available to filters. It is expected + // that only only one of secret and secrets is set. + config.core.v3.DataSource secret = 1 [(udpa.annotations.sensitive) = true]; + + // For cases where multiple associated secrets need to be distributed together. It is expected + // that only only one of secret and secrets is set. + map secrets = 2 [(udpa.annotations.sensitive) = true]; +} + +message SdsSecretConfig { + option (udpa.annotations.versioning).previous_message_type = "envoy.api.v2.auth.SdsSecretConfig"; + + // Name by which the secret can be uniquely referred to. When both name and config are specified, + // then secret can be fetched and/or reloaded via SDS. When only name is specified, then secret + // will be loaded from static resources. + string name = 1 [(validate.rules).string = {min_len: 1}]; + + config.core.v3.ConfigSource sds_config = 2; +} + +// [#next-free-field: 6] +message Secret { + option (udpa.annotations.versioning).previous_message_type = "envoy.api.v2.auth.Secret"; + + // Name (FQDN, UUID, SPKI, SHA256, etc.) by which the secret can be uniquely referred to. + string name = 1; + + oneof type { + TlsCertificate tls_certificate = 2; + + TlsSessionTicketKeys session_ticket_keys = 3; + + CertificateValidationContext validation_context = 4; + + GenericSecret generic_secret = 5; + } +} diff --git a/grpc-xds/proto/third_party/envoy/envoy/extensions/transport_sockets/tls/v3/tls.proto b/grpc-xds/proto/third_party/envoy/envoy/extensions/transport_sockets/tls/v3/tls.proto new file mode 100644 index 000000000..d656c66b5 --- /dev/null +++ b/grpc-xds/proto/third_party/envoy/envoy/extensions/transport_sockets/tls/v3/tls.proto @@ -0,0 +1,366 @@ +syntax = "proto3"; + +package envoy.extensions.transport_sockets.tls.v3; + +import "envoy/config/core/v3/address.proto"; +import "envoy/config/core/v3/extension.proto"; +import "envoy/extensions/transport_sockets/tls/v3/common.proto"; +import "envoy/extensions/transport_sockets/tls/v3/secret.proto"; + +import "google/protobuf/duration.proto"; +import "google/protobuf/wrappers.proto"; + +import "envoy/annotations/deprecation.proto"; +import "udpa/annotations/status.proto"; +import "udpa/annotations/versioning.proto"; +import "validate/validate.proto"; + +option java_package = "io.envoyproxy.envoy.extensions.transport_sockets.tls.v3"; +option java_outer_classname = "TlsProto"; +option java_multiple_files = true; +option go_package = "github.com/envoyproxy/go-control-plane/envoy/extensions/transport_sockets/tls/v3;tlsv3"; +option (udpa.annotations.file_status).package_version_status = ACTIVE; + +// [#protodoc-title: TLS transport socket] +// [#extension: envoy.transport_sockets.tls] +// The TLS contexts below provide the transport socket configuration for upstream/downstream TLS. + +// [#next-free-field: 8] +message UpstreamTlsContext { + option (udpa.annotations.versioning).previous_message_type = + "envoy.api.v2.auth.UpstreamTlsContext"; + + // Common TLS context settings. + // + // .. attention:: + // + // Server certificate verification is not enabled by default. To enable verification, configure + // :ref:`trusted_ca`. + CommonTlsContext common_tls_context = 1; + + // SNI string to use when creating TLS backend connections. + string sni = 2 [(validate.rules).string = {max_bytes: 255}]; + + // If true, replaces the SNI for the connection with the hostname of the upstream host, if + // the hostname is known due to either a DNS cluster type or the + // :ref:`hostname ` is set on + // the host. + // + // See :ref:`SNI configuration ` for details on how this + // interacts with other validation options. + bool auto_host_sni = 6; + + // If true, replaces any Subject Alternative Name (SAN) validations with a validation for a DNS SAN matching + // the SNI value sent. The validation uses the actual requested SNI, regardless of how the SNI is configured. + // + // For common cases where an SNI value is present and the server certificate should include a corresponding SAN, + // this option ensures the SAN is properly validated. + // + // See the :ref:`validation configuration ` for how this interacts with + // other validation options. + bool auto_sni_san_validation = 7; + + // If true, server-initiated TLS renegotiation will be allowed. + // + // .. attention:: + // + // TLS renegotiation is considered insecure and shouldn't be used unless absolutely necessary. + bool allow_renegotiation = 3; + + // Maximum number of session keys (Pre-Shared Keys for TLSv1.3+, Session IDs and Session Tickets + // for TLSv1.2 and older) to be stored for session resumption. + // + // Defaults to 1, setting this to 0 disables session resumption. + google.protobuf.UInt32Value max_session_keys = 4; + + // Controls enforcement of the ``keyUsage`` extension in peer certificates. If set to ``true``, the handshake will fail if + // the ``keyUsage`` is incompatible with TLS usage. + // + // .. note:: + // The default value is ``false`` (i.e., enforcement off). It is expected to change to ``true`` in a future release. + // + // The ``ssl.was_key_usage_invalid`` in :ref:`listener metrics ` metric will be incremented + // for configurations that would fail if this option were enabled. + google.protobuf.BoolValue enforce_rsa_key_usage = 5; +} + +// [#next-free-field: 12] +message DownstreamTlsContext { + option (udpa.annotations.versioning).previous_message_type = + "envoy.api.v2.auth.DownstreamTlsContext"; + + enum OcspStaplePolicy { + // OCSP responses are optional. If absent or expired, the certificate is used without stapling. + LENIENT_STAPLING = 0; + + // OCSP responses are optional. If absent, the certificate is used without stapling. If present but expired, + // the certificate is not used for subsequent connections. Connections are rejected if no suitable certificate + // is found. + STRICT_STAPLING = 1; + + // OCSP responses are required. Connections fail if a certificate lacks a valid OCSP response. Expired responses + // prevent certificate use in new connections, and connections are rejected if no suitable certificate is available. + MUST_STAPLE = 2; + } + + // Common TLS context settings. + CommonTlsContext common_tls_context = 1; + + // If specified, Envoy will reject connections without a valid client + // certificate. + google.protobuf.BoolValue require_client_certificate = 2; + + // If specified, Envoy will reject connections without a valid and matching SNI. + // [#not-implemented-hide:] + google.protobuf.BoolValue require_sni = 3; + + oneof session_ticket_keys_type { + // TLS session ticket key settings. + TlsSessionTicketKeys session_ticket_keys = 4; + + // Config for fetching TLS session ticket keys via SDS API. + SdsSecretConfig session_ticket_keys_sds_secret_config = 5; + + // Config for controlling stateless TLS session resumption: setting this to true will cause the TLS + // server to not issue TLS session tickets for the purposes of stateless TLS session resumption. + // If set to false, the TLS server will issue TLS session tickets and encrypt/decrypt them using + // the keys specified through either :ref:`session_ticket_keys ` + // or :ref:`session_ticket_keys_sds_secret_config `. + // If this config is set to false and no keys are explicitly configured, the TLS server will issue + // TLS session tickets and encrypt/decrypt them using an internally-generated and managed key, with the + // implication that sessions cannot be resumed across hot restarts or on different hosts. + bool disable_stateless_session_resumption = 7; + } + + // If ``true``, the TLS server will not maintain a session cache of TLS sessions. + // + // .. note:: + // This applies only to TLSv1.2 and earlier. + // + bool disable_stateful_session_resumption = 10; + + // Maximum lifetime of TLS sessions. If specified, ``session_timeout`` will change the maximum lifetime + // of the TLS session. + // + // This serves as a hint for the `TLS session ticket lifetime (for TLSv1.2) `_. + // Only whole seconds are considered; fractional seconds are ignored. + google.protobuf.Duration session_timeout = 6 [(validate.rules).duration = { + lt {seconds: 4294967296} + gte {} + }]; + + // Configuration for handling certificates without an OCSP response or with expired responses. + // + // Defaults to ``LENIENT_STAPLING`` + OcspStaplePolicy ocsp_staple_policy = 8 [(validate.rules).enum = {defined_only: true}]; + + // Multiple certificates are allowed in Downstream transport socket to serve different SNI. + // This option controls the behavior when no matching certificate is found for the received SNI value, + // or no SNI value was sent. If enabled, all certificates will be evaluated for a match for non-SNI criteria + // such as key type and OCSP settings. If disabled, the first provided certificate will be used. + // Defaults to ``false``. See more details in :ref:`Multiple TLS certificates `. + google.protobuf.BoolValue full_scan_certs_on_sni_mismatch = 9; + + // If ``true``, the downstream client's preferred cipher is used during the handshake. If ``false``, Envoy + // uses its preferred cipher. + // + // .. note:: + // This has no effect when using TLSv1_3. + // + bool prefer_client_ciphers = 11; +} + +// TLS key log configuration. +// The key log file format is "format used by NSS for its SSLKEYLOGFILE debugging output" (text taken from openssl man page) +message TlsKeyLog { + // Path to save the TLS key log. + string path = 1 [(validate.rules).string = {min_len: 1}]; + + // Local IP address ranges to filter connections for TLS key logging. If not set, matches any local IP address. + repeated config.core.v3.CidrRange local_address_range = 2; + + // Remote IP address ranges to filter connections for TLS key logging. If not set, matches any remote IP address. + repeated config.core.v3.CidrRange remote_address_range = 3; +} + +// TLS context shared by both client and server TLS contexts. +// [#next-free-field: 17] +message CommonTlsContext { + option (udpa.annotations.versioning).previous_message_type = "envoy.api.v2.auth.CommonTlsContext"; + + // Config for the Certificate Provider to fetch certificates. Certificates are fetched/refreshed asynchronously over + // the network relative to the TLS handshake. + // + // DEPRECATED: This message is not currently used, but if we ever do need it, we will want to + // move it out of CommonTlsContext and into common.proto, similar to the existing + // CertificateProviderPluginInstance message. + // + // [#not-implemented-hide:] + message CertificateProvider { + // opaque name used to specify certificate instances or types. For example, "ROOTCA" to specify + // a root-certificate (validation context) or "TLS" to specify a new tls-certificate. + string name = 1 [(validate.rules).string = {min_len: 1}]; + + // Provider specific config. + // Note: an implementation is expected to dedup multiple instances of the same config + // to maintain a single certificate-provider instance. The sharing can happen, for + // example, among multiple clusters or between the tls_certificate and validation_context + // certificate providers of a cluster. + // This config could be supplied inline or (in future) a named xDS resource. + oneof config { + option (validate.required) = true; + + config.core.v3.TypedExtensionConfig typed_config = 2; + } + } + + // Similar to CertificateProvider above, but allows the provider instances to be configured on + // the client side instead of being sent from the control plane. + // + // DEPRECATED: This message was moved outside of CommonTlsContext + // and now lives in common.proto. + // + // [#not-implemented-hide:] + message CertificateProviderInstance { + // Provider instance name. This name must be defined in the client's configuration (e.g., a + // bootstrap file) to correspond to a provider instance (i.e., the same data in the typed_config + // field that would be sent in the CertificateProvider message if the config was sent by the + // control plane). If not present, defaults to "default". + // + // Instance names should generally be defined not in terms of the underlying provider + // implementation (e.g., "file_watcher") but rather in terms of the function of the + // certificates (e.g., "foo_deployment_identity"). + string instance_name = 1; + + // Opaque name used to specify certificate instances or types. For example, "ROOTCA" to specify + // a root-certificate (validation context) or "example.com" to specify a certificate for a + // particular domain. Not all provider instances will actually use this field, so the value + // defaults to the empty string. + string certificate_name = 2; + } + + message CombinedCertificateValidationContext { + option (udpa.annotations.versioning).previous_message_type = + "envoy.api.v2.auth.CommonTlsContext.CombinedCertificateValidationContext"; + + // How to validate peer certificates. + CertificateValidationContext default_validation_context = 1 + [(validate.rules).message = {required: true}]; + + // Config for fetching validation context via SDS API. Note SDS API allows certificates to be + // fetched/refreshed over the network asynchronously with respect to the TLS handshake. + SdsSecretConfig validation_context_sds_secret_config = 2 + [(validate.rules).message = {required: true}]; + + // Certificate provider for fetching CA certs. This will populate the + // ``default_validation_context.trusted_ca`` field. + // [#not-implemented-hide:] + CertificateProvider validation_context_certificate_provider = 3 + [deprecated = true, (envoy.annotations.deprecated_at_minor_version) = "3.0"]; + + // Certificate provider instance for fetching CA certs. This will populate the + // ``default_validation_context.trusted_ca`` field. + // [#not-implemented-hide:] + CertificateProviderInstance validation_context_certificate_provider_instance = 4 + [deprecated = true, (envoy.annotations.deprecated_at_minor_version) = "3.0"]; + } + + reserved 5; + + // TLS protocol versions, cipher suites etc. + TlsParameters tls_params = 1; + + // Only a single TLS certificate is supported in client contexts. In server contexts, + // :ref:`Multiple TLS certificates ` can be associated with the + // same context to allow both RSA and ECDSA certificates and support SNI-based selection. + // + // If ``tls_certificate_provider_instance`` is set, this field is ignored. + // If this field is set, ``tls_certificate_sds_secret_configs`` is ignored. + repeated TlsCertificate tls_certificates = 2; + + // Configs for fetching TLS certificates via SDS API. Note SDS API allows certificates to be + // fetched/refreshed over the network asynchronously with respect to the TLS handshake. + // + // The same number and types of certificates as :ref:`tls_certificates ` + // are valid in the certificates fetched through this setting. + // + // If ``tls_certificates`` or ``tls_certificate_provider_instance`` are set, this field + // is ignored. + repeated SdsSecretConfig tls_certificate_sds_secret_configs = 6; + + // Certificate provider instance for fetching TLS certs. + // + // If this field is set, ``tls_certificates`` and ``tls_certificate_provider_instance`` + // are ignored. + // [#not-implemented-hide:] + CertificateProviderPluginInstance tls_certificate_provider_instance = 14; + + // Custom TLS certificate selector. + // + // Select TLS certificate based on TLS client hello. + // If empty, defaults to native TLS certificate selection behavior: + // DNS SANs or Subject Common Name in TLS certificates is extracted as server name pattern to match SNI. + // [#extension-category: envoy.tls.certificate_selectors] + config.core.v3.TypedExtensionConfig custom_tls_certificate_selector = 16; + + // Certificate provider for fetching TLS certificates. + // [#not-implemented-hide:] + CertificateProvider tls_certificate_certificate_provider = 9 + [deprecated = true, (envoy.annotations.deprecated_at_minor_version) = "3.0"]; + + // Certificate provider instance for fetching TLS certificates. + // [#not-implemented-hide:] + CertificateProviderInstance tls_certificate_certificate_provider_instance = 11 + [deprecated = true, (envoy.annotations.deprecated_at_minor_version) = "3.0"]; + + oneof validation_context_type { + // How to validate peer certificates. + CertificateValidationContext validation_context = 3; + + // Config for fetching validation context via SDS API. Note SDS API allows certificates to be + // fetched/refreshed over the network asynchronously with respect to the TLS handshake. + SdsSecretConfig validation_context_sds_secret_config = 7; + + // Combines the default ``CertificateValidationContext`` with the SDS-provided dynamic context for certificate + // validation. + // + // When the SDS server returns a dynamic ``CertificateValidationContext``, it is merged + // with the default context using ``Message::MergeFrom()``. The merging rules are as follows: + // + // * **Singular Fields:** Dynamic fields override the default singular fields. + // * **Repeated Fields:** Dynamic repeated fields are concatenated with the default repeated fields. + // * **Boolean Fields:** Boolean fields are combined using a logical OR operation. + // + // The resulting ``CertificateValidationContext`` is used to perform certificate validation. + CombinedCertificateValidationContext combined_validation_context = 8; + + // Certificate provider for fetching validation context. + // [#not-implemented-hide:] + CertificateProvider validation_context_certificate_provider = 10 + [deprecated = true, (envoy.annotations.deprecated_at_minor_version) = "3.0"]; + + // Certificate provider instance for fetching validation context. + // [#not-implemented-hide:] + CertificateProviderInstance validation_context_certificate_provider_instance = 12 + [deprecated = true, (envoy.annotations.deprecated_at_minor_version) = "3.0"]; + } + + // Supplies the list of ALPN protocols that the listener should expose. In + // practice this is likely to be set to one of two values (see the + // :ref:`codec_type + // ` + // parameter in the HTTP connection manager for more information): + // + // * "h2,http/1.1" If the listener is going to support both HTTP/2 and HTTP/1.1. + // * "http/1.1" If the listener is only going to support HTTP/1.1. + // + // There is no default for this parameter. If empty, Envoy will not expose ALPN. + repeated string alpn_protocols = 4; + + // Custom TLS handshaker. If empty, defaults to native TLS handshaking + // behavior. + config.core.v3.TypedExtensionConfig custom_handshaker = 13; + + // TLS key log configuration + TlsKeyLog key_log = 15; +} diff --git a/grpc-xds/proto/third_party/envoy/envoy/service/auth/v3/attribute_context.proto b/grpc-xds/proto/third_party/envoy/envoy/service/auth/v3/attribute_context.proto new file mode 100644 index 000000000..2c4fbb4b7 --- /dev/null +++ b/grpc-xds/proto/third_party/envoy/envoy/service/auth/v3/attribute_context.proto @@ -0,0 +1,222 @@ +syntax = "proto3"; + +package envoy.service.auth.v3; + +import "envoy/config/core/v3/address.proto"; +import "envoy/config/core/v3/base.proto"; + +import "google/protobuf/timestamp.proto"; + +import "udpa/annotations/migrate.proto"; +import "udpa/annotations/status.proto"; +import "udpa/annotations/versioning.proto"; + +option java_package = "io.envoyproxy.envoy.service.auth.v3"; +option java_outer_classname = "AttributeContextProto"; +option java_multiple_files = true; +option go_package = "github.com/envoyproxy/go-control-plane/envoy/service/auth/v3;authv3"; +option (udpa.annotations.file_status).package_version_status = ACTIVE; + +// [#protodoc-title: Attribute context] + +// See :ref:`network filter configuration overview ` +// and :ref:`HTTP filter configuration overview `. + +// An attribute is a piece of metadata that describes an activity on a network. +// For example, the size of an HTTP request, or the status code of an HTTP response. +// +// Each attribute has a type and a name, which is logically defined as a proto message field +// of the ``AttributeContext``. The ``AttributeContext`` is a collection of individual attributes +// supported by Envoy authorization system. +// [#comment: The following items are left out of this proto +// Request.Auth field for JWTs +// Request.Api for api management +// Origin peer that originated the request +// Caching Protocol +// request_context return values to inject back into the filter chain +// peer.claims -- from X.509 extensions +// Configuration +// - field mask to send +// - which return values from request_context are copied back +// - which return values are copied into request_headers] +// [#next-free-field: 14] +message AttributeContext { + option (udpa.annotations.versioning).previous_message_type = + "envoy.service.auth.v2.AttributeContext"; + + // This message defines attributes for a node that handles a network request. + // The node can be either a service or an application that sends, forwards, + // or receives the request. Service peers should fill in the ``service``, + // ``principal``, and ``labels`` as appropriate. + // [#next-free-field: 6] + message Peer { + option (udpa.annotations.versioning).previous_message_type = + "envoy.service.auth.v2.AttributeContext.Peer"; + + // The address of the peer, this is typically the IP address. + // It can also be UDS path, or others. + config.core.v3.Address address = 1; + + // The canonical service name of the peer. + // It should be set to :ref:`the HTTP x-envoy-downstream-service-cluster + // ` + // If a more trusted source of the service name is available through mTLS/secure naming, it + // should be used. + string service = 2; + + // The labels associated with the peer. + // These could be pod labels for Kubernetes or tags for VMs. + // The source of the labels could be an X.509 certificate or other configuration. + map labels = 3; + + // The authenticated identity of this peer. + // For example, the identity associated with the workload such as a service account. + // If an X.509 certificate is used to assert the identity this field should be sourced from + // ``URI Subject Alternative Names``, ``DNS Subject Alternate Names`` or ``Subject`` in that order. + // The primary identity should be the principal. The principal format is issuer specific. + // + // Examples: + // + // - SPIFFE format is ``spiffe://trust-domain/path``. + // - Google account format is ``https://accounts.google.com/{userid}``. + string principal = 4; + + // The X.509 certificate used to authenticate the identify of this peer. + // When present, the certificate contents are encoded in URL and PEM format. + string certificate = 5; + } + + // Represents a network request, such as an HTTP request. + message Request { + option (udpa.annotations.versioning).previous_message_type = + "envoy.service.auth.v2.AttributeContext.Request"; + + // The timestamp when the proxy receives the first byte of the request. + google.protobuf.Timestamp time = 1; + + // Represents an HTTP request or an HTTP-like request. + HttpRequest http = 2; + } + + // This message defines attributes for an HTTP request. + // HTTP/1.x, HTTP/2, gRPC are all considered as HTTP requests. + // [#next-free-field: 14] + message HttpRequest { + option (udpa.annotations.versioning).previous_message_type = + "envoy.service.auth.v2.AttributeContext.HttpRequest"; + + // The unique ID for a request, which can be propagated to downstream + // systems. The ID should have low probability of collision + // within a single day for a specific service. + // For HTTP requests, it should be X-Request-ID or equivalent. + string id = 1; + + // The HTTP request method, such as ``GET``, ``POST``. + string method = 2; + + // The HTTP request headers. If multiple headers share the same key, they + // must be merged according to the HTTP spec. All header keys must be + // lower-cased, because HTTP header keys are case-insensitive. + // Header value is encoded as UTF-8 string. Non-UTF-8 characters will be replaced by "!". + // This field will not be set if + // :ref:`encode_raw_headers ` + // is set to true. + map headers = 3 + [(udpa.annotations.field_migrate).oneof_promotion = "headers_type"]; + + // A list of the raw HTTP request headers. This is used instead of + // :ref:`headers ` when + // :ref:`encode_raw_headers ` + // is set to true. + // + // Note that this is not actually a map type. ``header_map`` contains a single repeated field + // ``headers``. + // + // Here, only the ``key`` and ``raw_value`` fields will be populated for each HeaderValue, and + // that is only when + // :ref:`encode_raw_headers ` + // is set to true. + // + // Also, unlike the + // :ref:`headers ` + // field, headers with the same key are not combined into a single comma separated header. + config.core.v3.HeaderMap header_map = 13 + [(udpa.annotations.field_migrate).oneof_promotion = "headers_type"]; + + // The request target, as it appears in the first line of the HTTP request. This includes + // the URL path and query-string. No decoding is performed. + string path = 4; + + // The HTTP request ``Host`` or ``:authority`` header value. + string host = 5; + + // The HTTP URL scheme, such as ``http`` and ``https``. + string scheme = 6; + + // This field is always empty, and exists for compatibility reasons. The HTTP URL query is + // included in ``path`` field. + string query = 7; + + // This field is always empty, and exists for compatibility reasons. The URL fragment is + // not submitted as part of HTTP requests; it is unknowable. + string fragment = 8; + + // The HTTP request size in bytes. If unknown, it must be -1. + int64 size = 9; + + // The network protocol used with the request, such as "HTTP/1.0", "HTTP/1.1", or "HTTP/2". + // + // See :repo:`headers.h:ProtocolStrings ` for a list of all + // possible values. + string protocol = 10; + + // The HTTP request body. + string body = 11; + + // The HTTP request body in bytes. This is used instead of + // :ref:`body ` when + // :ref:`pack_as_bytes ` + // is set to true. + bytes raw_body = 12; + } + + // This message defines attributes for the underlying TLS session. + message TLSSession { + // SNI used for TLS session. + string sni = 1; + } + + // The source of a network activity, such as starting a TCP connection. + // In a multi hop network activity, the source represents the sender of the + // last hop. + Peer source = 1; + + // The destination of a network activity, such as accepting a TCP connection. + // In a multi hop network activity, the destination represents the receiver of + // the last hop. + Peer destination = 2; + + // Represents a network request, such as an HTTP request. + Request request = 4; + + // This is analogous to http_request.headers, however these contents will not be sent to the + // upstream server. Context_extensions provide an extension mechanism for sending additional + // information to the auth server without modifying the proto definition. It maps to the + // internal opaque context in the filter chain. + map context_extensions = 10; + + // Dynamic metadata associated with the request. + config.core.v3.Metadata metadata_context = 11; + + // Metadata associated with the selected route. + config.core.v3.Metadata route_metadata_context = 13; + + // TLS session details of the underlying connection. + // This is not populated by default and will be populated only if the ext_authz filter has + // been specifically configured to include this information. + // For HTTP ext_authz, that requires :ref:`include_tls_session ` + // to be set to true. + // For network ext_authz, that requires :ref:`include_tls_session ` + // to be set to true. + TLSSession tls_session = 12; +} diff --git a/grpc-xds/proto/third_party/envoy/envoy/service/auth/v3/external_auth.proto b/grpc-xds/proto/third_party/envoy/envoy/service/auth/v3/external_auth.proto new file mode 100644 index 000000000..520a4ff4f --- /dev/null +++ b/grpc-xds/proto/third_party/envoy/envoy/service/auth/v3/external_auth.proto @@ -0,0 +1,157 @@ +syntax = "proto3"; + +package envoy.service.auth.v3; + +import "envoy/config/core/v3/base.proto"; +import "envoy/service/auth/v3/attribute_context.proto"; +import "envoy/type/v3/http_status.proto"; + +import "google/protobuf/struct.proto"; +import "google/rpc/status.proto"; + +import "envoy/annotations/deprecation.proto"; +import "udpa/annotations/status.proto"; +import "udpa/annotations/versioning.proto"; + +option java_package = "io.envoyproxy.envoy.service.auth.v3"; +option java_outer_classname = "ExternalAuthProto"; +option java_multiple_files = true; +option go_package = "github.com/envoyproxy/go-control-plane/envoy/service/auth/v3;authv3"; +option (udpa.annotations.file_status).package_version_status = ACTIVE; + +// [#protodoc-title: Authorization service] + +// The authorization service request messages used by external authorization :ref:`network filter +// ` and :ref:`HTTP filter `. + +// A generic interface for performing authorization check on incoming +// requests to a networked service. +service Authorization { + // Performs authorization check based on the attributes associated with the + // incoming request, and returns status `OK` or not `OK`. + rpc Check(CheckRequest) returns (CheckResponse) { + } +} + +message CheckRequest { + option (udpa.annotations.versioning).previous_message_type = "envoy.service.auth.v2.CheckRequest"; + + // The request attributes. + AttributeContext attributes = 1; +} + +// HTTP attributes for a denied response. +message DeniedHttpResponse { + option (udpa.annotations.versioning).previous_message_type = + "envoy.service.auth.v2.DeniedHttpResponse"; + + // This field allows the authorization service to send an HTTP response status code to the + // downstream client. If not set, Envoy sends ``403 Forbidden`` HTTP status code by default. + type.v3.HttpStatus status = 1; + + // This field allows the authorization service to send HTTP response headers + // to the downstream client. Note that the :ref:`append field in HeaderValueOption ` defaults to + // false when used in this message. + repeated config.core.v3.HeaderValueOption headers = 2; + + // This field allows the authorization service to send a response body data + // to the downstream client. + string body = 3; +} + +// HTTP attributes for an OK response. +// [#next-free-field: 9] +message OkHttpResponse { + option (udpa.annotations.versioning).previous_message_type = + "envoy.service.auth.v2.OkHttpResponse"; + + // HTTP entity headers in addition to the original request headers. This allows the authorization + // service to append, to add or to override headers from the original request before + // dispatching it to the upstream. Note that the :ref:`append field in HeaderValueOption ` defaults to + // false when used in this message. By setting the ``append`` field to ``true``, + // the filter will append the correspondent header value to the matched request header. + // By leaving ``append`` as false, the filter will either add a new header, or override an existing + // one if there is a match. + repeated config.core.v3.HeaderValueOption headers = 2; + + // HTTP entity headers to remove from the original request before dispatching + // it to the upstream. This allows the authorization service to act on auth + // related headers (like ``Authorization``), process them, and consume them. + // Under this model, the upstream will either receive the request (if it's + // authorized) or not receive it (if it's not), but will not see headers + // containing authorization credentials. + // + // Pseudo headers (such as ``:authority``, ``:method``, ``:path`` etc), as well as + // the header ``Host``, may not be removed as that would make the request + // malformed. If mentioned in ``headers_to_remove`` these special headers will + // be ignored. + // + // When using the HTTP service this must instead be set by the HTTP + // authorization service as a comma separated list like so: + // ``x-envoy-auth-headers-to-remove: one-auth-header, another-auth-header``. + repeated string headers_to_remove = 5; + + // This field has been deprecated in favor of :ref:`CheckResponse.dynamic_metadata + // `. Until it is removed, + // setting this field overrides :ref:`CheckResponse.dynamic_metadata + // `. + google.protobuf.Struct dynamic_metadata = 3 + [deprecated = true, (envoy.annotations.deprecated_at_minor_version) = "3.0"]; + + // This field allows the authorization service to send HTTP response headers + // to the downstream client on success. Note that the :ref:`append field in HeaderValueOption ` + // defaults to false when used in this message. + repeated config.core.v3.HeaderValueOption response_headers_to_add = 6; + + // This field allows the authorization service to set (and overwrite) query + // string parameters on the original request before it is sent upstream. + repeated config.core.v3.QueryParameter query_parameters_to_set = 7; + + // This field allows the authorization service to specify which query parameters + // should be removed from the original request before it is sent upstream. Each + // element in this list is a case-sensitive query parameter name to be removed. + repeated string query_parameters_to_remove = 8; +} + +// Intended for gRPC and Network Authorization servers ``only``. +// [#next-free-field: 6] +message CheckResponse { + option (udpa.annotations.versioning).previous_message_type = + "envoy.service.auth.v2.CheckResponse"; + + // Status ``OK`` allows the request. Any other status indicates the request should be denied, and + // for HTTP filter, if not overridden by :ref:`denied HTTP response status ` + // Envoy sends ``403 Forbidden`` HTTP status code by default. + google.rpc.Status status = 1; + + // An message that contains HTTP response attributes. This message is + // used when the authorization service needs to send custom responses to the + // downstream client or, to modify/add request headers being dispatched to the upstream. + oneof http_response { + // Supplies http attributes for a denied response. + DeniedHttpResponse denied_response = 2; + + // Supplies http attributes for an ok response. + OkHttpResponse ok_response = 3; + + // Supplies http attributes for an error response. This is used when the authorization + // service encounters an internal error and wants to return custom headers and body to the + // downstream client. When ``error_response`` is set, the ext_authz filter increments the + // ``ext_authz_error`` stat and respects the :ref:`failure_mode_allow + // ` + // configuration. The HTTP status code, headers, and body are taken from the + // :ref:`DeniedHttpResponse ` message. + // If the status field is not set, Envoy sends the status code configured via + // :ref:`status_on_error `, + // which defaults to ``403 Forbidden``. + DeniedHttpResponse error_response = 5; + } + + // Optional response metadata that will be emitted as dynamic metadata to be consumed by the next + // filter. This metadata lives in a namespace specified by the canonical name of extension filter + // that requires it: + // + // - :ref:`envoy.filters.http.ext_authz ` for HTTP filter. + // - :ref:`envoy.filters.network.ext_authz ` for network filter. + google.protobuf.Struct dynamic_metadata = 4; +} diff --git a/grpc-xds/proto/third_party/envoy/envoy/service/discovery/v3/ads.proto b/grpc-xds/proto/third_party/envoy/envoy/service/discovery/v3/ads.proto new file mode 100644 index 000000000..50f2af4fe --- /dev/null +++ b/grpc-xds/proto/third_party/envoy/envoy/service/discovery/v3/ads.proto @@ -0,0 +1,44 @@ +syntax = "proto3"; + +package envoy.service.discovery.v3; + +import "envoy/service/discovery/v3/discovery.proto"; + +import "udpa/annotations/status.proto"; +import "udpa/annotations/versioning.proto"; + +option java_package = "io.envoyproxy.envoy.service.discovery.v3"; +option java_outer_classname = "AdsProto"; +option java_multiple_files = true; +option go_package = "github.com/envoyproxy/go-control-plane/envoy/service/discovery/v3;discoveryv3"; +option (udpa.annotations.file_status).package_version_status = ACTIVE; + +// [#protodoc-title: Aggregated Discovery Service (ADS)] + +// Discovery services for endpoints, clusters, routes, +// and listeners are retained in the package `envoy.api.v2` for backwards +// compatibility with existing management servers. New development in discovery +// services should proceed in the package `envoy.service.discovery.v2`. + +// See https://github.com/envoyproxy/envoy-api#apis for a description of the role of +// ADS and how it is intended to be used by a management server. ADS requests +// have the same structure as their singleton xDS counterparts, but can +// multiplex many resource types on a single stream. The type_url in the +// DiscoveryRequest/DiscoveryResponse provides sufficient information to recover +// the multiplexed singleton APIs at the Envoy instance and management server. +service AggregatedDiscoveryService { + // This is a gRPC-only API. + rpc StreamAggregatedResources(stream DiscoveryRequest) returns (stream DiscoveryResponse) { + } + + rpc DeltaAggregatedResources(stream DeltaDiscoveryRequest) + returns (stream DeltaDiscoveryResponse) { + } +} + +// [#not-implemented-hide:] Not configuration. Workaround c++ protobuf issue with importing +// services: https://github.com/google/protobuf/issues/4221 +message AdsDummy { + option (udpa.annotations.versioning).previous_message_type = + "envoy.service.discovery.v2.AdsDummy"; +} diff --git a/grpc-xds/proto/third_party/envoy/envoy/service/discovery/v3/discovery.proto b/grpc-xds/proto/third_party/envoy/envoy/service/discovery/v3/discovery.proto new file mode 100644 index 000000000..e1ce827a4 --- /dev/null +++ b/grpc-xds/proto/third_party/envoy/envoy/service/discovery/v3/discovery.proto @@ -0,0 +1,443 @@ +syntax = "proto3"; + +package envoy.service.discovery.v3; + +import "envoy/config/core/v3/base.proto"; + +import "google/protobuf/any.proto"; +import "google/protobuf/duration.proto"; +import "google/rpc/status.proto"; + +import "udpa/annotations/status.proto"; +import "udpa/annotations/versioning.proto"; +import "validate/validate.proto"; + +option java_package = "io.envoyproxy.envoy.service.discovery.v3"; +option java_outer_classname = "DiscoveryProto"; +option java_multiple_files = true; +option go_package = "github.com/envoyproxy/go-control-plane/envoy/service/discovery/v3;discoveryv3"; +option (udpa.annotations.file_status).package_version_status = ACTIVE; + +// [#protodoc-title: Common discovery API components] + +// Specifies a resource to be subscribed to. +message ResourceLocator { + // The resource name to subscribe to. + string name = 1; + + // A set of dynamic parameters used to match against the dynamic parameter + // constraints on the resource. This allows clients to select between + // multiple variants of the same resource. + map dynamic_parameters = 2; +} + +// Specifies a concrete resource name. +message ResourceName { + // The name of the resource. + string name = 1; + + // Dynamic parameter constraints associated with this resource. To be used by client-side caches + // (including xDS proxies) when matching subscribed resource locators. + DynamicParameterConstraints dynamic_parameter_constraints = 2; +} + +// [#not-implemented-hide:] +// An error associated with a specific resource name, returned to the +// client by the server. +message ResourceError { + // The name of the resource. + ResourceName resource_name = 1; + + // The error reported for the resource. + google.rpc.Status error_detail = 2; +} + +// A DiscoveryRequest requests a set of versioned resources of the same type for +// a given Envoy node on some API. +// [#next-free-field: 8] +message DiscoveryRequest { + option (udpa.annotations.versioning).previous_message_type = "envoy.api.v2.DiscoveryRequest"; + + // The ``version_info`` provided in the request messages will be the ``version_info`` + // received with the most recent successfully processed response or empty on + // the first request. It is expected that no new request is sent after a + // response is received until the Envoy instance is ready to ACK/NACK the new + // configuration. ACK/NACK takes place by returning the new API config version + // as applied or the previous API config version respectively. Each ``type_url`` + // (see below) has an independent version associated with it. + string version_info = 1; + + // The node making the request. + config.core.v3.Node node = 2; + + // List of resources to subscribe to, e.g. list of cluster names or a route + // configuration name. If this is empty, all resources for the API are + // returned. LDS/CDS may have empty ``resource_names``, which will cause all + // resources for the Envoy instance to be returned. The LDS and CDS responses + // will then imply a number of resources that need to be fetched via EDS/RDS, + // which will be explicitly enumerated in ``resource_names``. + repeated string resource_names = 3; + + // [#not-implemented-hide:] + // Alternative to ``resource_names`` field that allows specifying dynamic + // parameters along with each resource name. Clients that populate this + // field must be able to handle responses from the server where resources + // are wrapped in a Resource message. + // + // .. note:: + // It is legal for a request to have some resources listed + // in ``resource_names`` and others in ``resource_locators``. + // + repeated ResourceLocator resource_locators = 7; + + // Type of the resource that is being requested, e.g. + // ``type.googleapis.com/envoy.api.v2.ClusterLoadAssignment``. This is implicit + // in requests made via singleton xDS APIs such as CDS, LDS, etc. but is + // required for ADS. + string type_url = 4; + + // nonce corresponding to ``DiscoveryResponse`` being ACK/NACKed. See above + // discussion on ``version_info`` and the ``DiscoveryResponse`` nonce comment. This + // may be empty only if: + // + // * This is a non-persistent-stream xDS such as HTTP, or + // * The client has not yet accepted an update in this xDS stream (unlike + // delta, where it is populated only for new explicit ACKs). + // + string response_nonce = 5; + + // This is populated when the previous :ref:`DiscoveryResponse ` + // failed to update configuration. The ``message`` field in ``error_details`` provides the Envoy + // internal exception related to the failure. It is only intended for consumption during manual + // debugging, the string provided is not guaranteed to be stable across Envoy versions. + google.rpc.Status error_detail = 6; +} + +// [#next-free-field: 8] +message DiscoveryResponse { + option (udpa.annotations.versioning).previous_message_type = "envoy.api.v2.DiscoveryResponse"; + + // The version of the response data. + string version_info = 1; + + // The response resources. These resources are typed and depend on the API being called. + repeated google.protobuf.Any resources = 2; + + // [#not-implemented-hide:] + // Canary is used to support two Envoy command line flags: + // + // * ``--terminate-on-canary-transition-failure``. When set, Envoy is able to + // terminate if it detects that configuration is stuck at canary. Consider + // this example sequence of updates: + // + // * Management server applies a canary config successfully. + // * Management server rolls back to a production config. + // * Envoy rejects the new production config. + // + // Since there is no sensible way to continue receiving configuration + // updates, Envoy will then terminate and apply production config from a + // clean slate. + // + // * ``--dry-run-canary``. When set, a canary response will never be applied, only + // validated via a dry run. + // + bool canary = 3; + + // Type URL for resources. Identifies the xDS API when muxing over ADS. + // Must be consistent with the ``type_url`` in the 'resources' repeated Any (if non-empty). + string type_url = 4; + + // For gRPC based subscriptions, the nonce provides a way to explicitly ack a + // specific ``DiscoveryResponse`` in a following ``DiscoveryRequest``. Additional + // messages may have been sent by Envoy to the management server for the + // previous version on the stream prior to this ``DiscoveryResponse``, that were + // unprocessed at response send time. The nonce allows the management server + // to ignore any further ``DiscoveryRequests`` for the previous version until a + // ``DiscoveryRequest`` bearing the nonce. The nonce is optional and is not + // required for non-stream based xDS implementations. + string nonce = 5; + + // The control plane instance that sent the response. + config.core.v3.ControlPlane control_plane = 6; + + // [#not-implemented-hide:] + // Errors associated with specific resources. Clients are expected to + // remember the most recent error for a given resource across responses; + // the error condition is not considered to be cleared until a response is + // received that contains the resource in the 'resources' field. + repeated ResourceError resource_errors = 7; +} + +// DeltaDiscoveryRequest and DeltaDiscoveryResponse are used in a new gRPC +// endpoint for Delta xDS. +// +// With Delta xDS, the DeltaDiscoveryResponses do not need to include a full +// snapshot of the tracked resources. Instead, DeltaDiscoveryResponses are a +// diff to the state of a xDS client. +// In Delta XDS there are per-resource versions, which allow tracking state at +// the resource granularity. +// An xDS Delta session is always in the context of a gRPC bidirectional +// stream. This allows the xDS server to keep track of the state of xDS clients +// connected to it. +// +// In Delta xDS the nonce field is required and used to pair +// ``DeltaDiscoveryResponse`` to a ``DeltaDiscoveryRequest`` ACK or NACK. +// Optionally, a response message level ``system_version_info`` is present for +// debugging purposes only. +// +// ``DeltaDiscoveryRequest`` plays two independent roles. Any ``DeltaDiscoveryRequest`` +// can be either or both of: +// +// * Informing the server of what resources the client has gained/lost interest in +// (using ``resource_names_subscribe`` and ``resource_names_unsubscribe``), or +// * (N)ACKing an earlier resource update from the server (using ``response_nonce``, +// with presence of ``error_detail`` making it a NACK). +// +// Additionally, the first message (for a given ``type_url``) of a reconnected gRPC stream +// has a third role: informing the server of the resources (and their versions) +// that the client already possesses, using the ``initial_resource_versions`` field. +// +// As with state-of-the-world, when multiple resource types are multiplexed (ADS), +// all requests/acknowledgments/updates are logically walled off by ``type_url``: +// a Cluster ACK exists in a completely separate world from a prior Route NACK. +// In particular, ``initial_resource_versions`` being sent at the "start" of every +// gRPC stream actually entails a message for each ``type_url``, each with its own +// ``initial_resource_versions``. +// [#next-free-field: 10] +message DeltaDiscoveryRequest { + option (udpa.annotations.versioning).previous_message_type = "envoy.api.v2.DeltaDiscoveryRequest"; + + // The node making the request. + config.core.v3.Node node = 1; + + // Type of the resource that is being requested, e.g. + // ``type.googleapis.com/envoy.api.v2.ClusterLoadAssignment``. This does not need to be set if + // resources are only referenced via ``xds_resource_subscribe`` and + // ``xds_resources_unsubscribe``. + string type_url = 2; + + // DeltaDiscoveryRequests allow the client to add or remove individual + // resources to the set of tracked resources in the context of a stream. + // All resource names in the ``resource_names_subscribe`` list are added to the + // set of tracked resources and all resource names in the ``resource_names_unsubscribe`` + // list are removed from the set of tracked resources. + // + // *Unlike* state-of-the-world xDS, an empty ``resource_names_subscribe`` or + // ``resource_names_unsubscribe`` list simply means that no resources are to be + // added or removed to the resource list. + // *Like* state-of-the-world xDS, the server must send updates for all tracked + // resources, but can also send updates for resources the client has not subscribed to. + // + // .. note:: + // The server must respond with all resources listed in ``resource_names_subscribe``, + // even if it believes the client has the most recent version of them. The reason: + // the client may have dropped them, but then regained interest before it had a chance + // to send the unsubscribe message. See DeltaSubscriptionStateTest.RemoveThenAdd. + // + // These two fields can be set in any ``DeltaDiscoveryRequest``, including ACKs + // and ``initial_resource_versions``. + // + // A list of Resource names to add to the list of tracked resources. + repeated string resource_names_subscribe = 3; + + // A list of Resource names to remove from the list of tracked resources. + repeated string resource_names_unsubscribe = 4; + + // [#not-implemented-hide:] + // Alternative to ``resource_names_subscribe`` field that allows specifying dynamic parameters + // along with each resource name. + // + // .. note:: + // It is legal for a request to have some resources listed + // in ``resource_names_subscribe`` and others in ``resource_locators_subscribe``. + // + repeated ResourceLocator resource_locators_subscribe = 8; + + // [#not-implemented-hide:] + // Alternative to ``resource_names_unsubscribe`` field that allows specifying dynamic parameters + // along with each resource name. + // + // .. note:: + // It is legal for a request to have some resources listed + // in ``resource_names_unsubscribe`` and others in ``resource_locators_unsubscribe``. + // + repeated ResourceLocator resource_locators_unsubscribe = 9; + + // Informs the server of the versions of the resources the xDS client knows of, to enable the + // client to continue the same logical xDS session even in the face of gRPC stream reconnection. + // It will not be populated: + // + // * In the very first stream of a session, since the client will not yet have any resources. + // * In any message after the first in a stream (for a given ``type_url``), since the server will + // already be correctly tracking the client's state. + // + // (In ADS, the first message ``of each type_url`` of a reconnected stream populates this map.) + // The map's keys are names of xDS resources known to the xDS client. + // The map's values are opaque resource versions. + map initial_resource_versions = 5; + + // When the ``DeltaDiscoveryRequest`` is a ACK or NACK message in response + // to a previous ``DeltaDiscoveryResponse``, the ``response_nonce`` must be the + // nonce in the ``DeltaDiscoveryResponse``. + // Otherwise (unlike in ``DiscoveryRequest``) ``response_nonce`` must be omitted. + string response_nonce = 6; + + // This is populated when the previous :ref:`DiscoveryResponse ` + // failed to update configuration. The ``message`` field in ``error_details`` + // provides the Envoy internal exception related to the failure. + google.rpc.Status error_detail = 7; +} + +// [#next-free-field: 10] +message DeltaDiscoveryResponse { + option (udpa.annotations.versioning).previous_message_type = + "envoy.api.v2.DeltaDiscoveryResponse"; + + // The version of the response data (used for debugging). + string system_version_info = 1; + + // The response resources. These are typed resources, whose types must match + // the ``type_url`` field. + repeated Resource resources = 2; + + // field id 3 IS available! + + // Type URL for resources. Identifies the xDS API when muxing over ADS. + // Must be consistent with the ``type_url`` in the Any within 'resources' if 'resources' is non-empty. + string type_url = 4; + + // Resource names of resources that have been deleted and to be removed from the xDS Client. + // Removed resources for missing resources can be ignored. + repeated string removed_resources = 6; + + // Alternative to ``removed_resources`` that allows specifying which variant of + // a resource is being removed. This variant must be used for any resource + // for which dynamic parameter constraints were sent to the client. + repeated ResourceName removed_resource_names = 8; + + // The nonce provides a way for ``DeltaDiscoveryRequests`` to uniquely + // reference a ``DeltaDiscoveryResponse`` when (N)ACKing. The nonce is required. + string nonce = 5; + + // [#not-implemented-hide:] + // The control plane instance that sent the response. + config.core.v3.ControlPlane control_plane = 7; + + // [#not-implemented-hide:] + // Errors associated with specific resources. + // + // .. note:: + // A resource in this field with a status of NOT_FOUND should be treated the same as + // a resource listed in the ``removed_resources`` or ``removed_resource_names`` fields. + // + repeated ResourceError resource_errors = 9; +} + +// A set of dynamic parameter constraints associated with a variant of an individual xDS resource. +// These constraints determine whether the resource matches a subscription based on the set of +// dynamic parameters in the subscription, as specified in the +// :ref:`ResourceLocator.dynamic_parameters ` +// field. This allows xDS implementations (clients, servers, and caching proxies) to determine +// which variant of a resource is appropriate for a given client. +message DynamicParameterConstraints { + // A single constraint for a given key. + message SingleConstraint { + message Exists { + } + + // The key to match against. + string key = 1; + + oneof constraint_type { + option (validate.required) = true; + + // Matches this exact value. + string value = 2; + + // Key is present (matches any value except for the key being absent). + // This allows setting a default constraint for clients that do + // not send a key at all, while there may be other clients that need + // special configuration based on that key. + Exists exists = 3; + } + } + + message ConstraintList { + repeated DynamicParameterConstraints constraints = 1; + } + + oneof type { + // A single constraint to evaluate. + SingleConstraint constraint = 1; + + // A list of constraints that match if any one constraint in the list + // matches. + ConstraintList or_constraints = 2; + + // A list of constraints that must all match. + ConstraintList and_constraints = 3; + + // The inverse (NOT) of a set of constraints. + DynamicParameterConstraints not_constraints = 4; + } +} + +// [#next-free-field: 10] +message Resource { + option (udpa.annotations.versioning).previous_message_type = "envoy.api.v2.Resource"; + + // Cache control properties for the resource. + // [#not-implemented-hide:] + message CacheControl { + // If true, xDS proxies may not cache this resource. + // + // .. note:: + // This does not apply to clients other than xDS proxies, which must cache resources + // for their own use, regardless of the value of this field. + // + bool do_not_cache = 1; + } + + // The resource's name, to distinguish it from others of the same type of resource. + // Only one of ``name`` or ``resource_name`` may be set. + string name = 3; + + // Alternative to the ``name`` field, to be used when the server supports + // multiple variants of the named resource that are differentiated by + // dynamic parameter constraints. + // Only one of ``name`` or ``resource_name`` may be set. + ResourceName resource_name = 8; + + // The aliases are a list of other names that this resource can go by. + repeated string aliases = 4; + + // The resource level version. It allows xDS to track the state of individual + // resources. + string version = 1; + + // The resource being tracked. + google.protobuf.Any resource = 2; + + // Time-to-live value for the resource. For each resource, a timer is started. The timer is + // reset each time the resource is received with a new TTL. If the resource is received with + // no TTL set, the timer is removed for the resource. Upon expiration of the timer, the + // configuration for the resource will be removed. + // + // The TTL can be refreshed or changed by sending a response that doesn't change the resource + // version. In this case the ``resource`` field does not need to be populated, which allows for + // light-weight "heartbeat" updates to keep a resource with a TTL alive. + // + // The TTL feature is meant to support configurations that should be removed in the event of + // a management server failure. For example, the feature may be used for fault injection + // testing where the fault injection should be terminated in the event that Envoy loses contact + // with the management server. + google.protobuf.Duration ttl = 6; + + // Cache control properties for the resource. + // [#not-implemented-hide:] + CacheControl cache_control = 7; + + // The Metadata field can be used to provide additional information for the resource. + // E.g. the trace data for debugging. + config.core.v3.Metadata metadata = 9; +} diff --git a/grpc-xds/proto/third_party/envoy/envoy/service/ext_proc/v3/external_processor.proto b/grpc-xds/proto/third_party/envoy/envoy/service/ext_proc/v3/external_processor.proto new file mode 100644 index 000000000..1c033c08d --- /dev/null +++ b/grpc-xds/proto/third_party/envoy/envoy/service/ext_proc/v3/external_processor.proto @@ -0,0 +1,533 @@ +syntax = "proto3"; + +package envoy.service.ext_proc.v3; + +import "envoy/config/core/v3/base.proto"; +import "envoy/extensions/filters/http/ext_proc/v3/processing_mode.proto"; +import "envoy/type/v3/http_status.proto"; + +import "google/protobuf/duration.proto"; +import "google/protobuf/struct.proto"; + +import "xds/annotations/v3/status.proto"; + +import "envoy/annotations/deprecation.proto"; +import "udpa/annotations/status.proto"; +import "validate/validate.proto"; + +option java_package = "io.envoyproxy.envoy.service.ext_proc.v3"; +option java_outer_classname = "ExternalProcessorProto"; +option java_multiple_files = true; +option go_package = "github.com/envoyproxy/go-control-plane/envoy/service/ext_proc/v3;ext_procv3"; +option (udpa.annotations.file_status).package_version_status = ACTIVE; + +// [#protodoc-title: External processing service] + +// A service that can access and modify HTTP requests and responses +// as part of a filter chain. +// The overall external processing protocol works like this: +// +// 1. The data plane sends to the service information about the HTTP request. +// 2. The service sends back a ProcessingResponse message that directs +// the data plane to either stop processing, continue without it, or send +// it the next chunk of the message body. +// 3. If so requested, the data plane sends the server the message body in +// chunks, or the entire body at once. In either case, the server may send +// back a ProcessingResponse for each message it receives, or wait for +// a certain amount of body chunks received before streaming back the +// ProcessingResponse messages. +// 4. If so requested, the data plane sends the server the HTTP trailers, +// and the server sends back a ProcessingResponse. +// 5. At this point, request processing is done, and we pick up again +// at step 1 when the data plane receives a response from the upstream +// server. +// 6. At any point above, if the server closes the gRPC stream cleanly, +// then the data plane proceeds without consulting the server. +// 7. At any point above, if the server closes the gRPC stream with an error, +// then the data plane returns a 500 error to the client, unless the filter +// was configured to ignore errors. +// +// In other words, the process is a request/response conversation, but +// using a gRPC stream to make it easier for the server to +// maintain state. +service ExternalProcessor { + // This begins the bidirectional stream that the data plane will use to + // give the server control over what the filter does. The actual + // protocol is described by the ProcessingRequest and ProcessingResponse + // messages below. + rpc Process(stream ProcessingRequest) returns (stream ProcessingResponse) { + } +} + +// This message specifies the filter protocol configurations which will be sent to the ext_proc +// server in a :ref:`ProcessingRequest `. +// If the server does not support these protocol configurations, it may choose to close the gRPC stream. +// If the server supports these protocol configurations, it should respond based on the API specifications. +message ProtocolConfiguration { + // Specify the filter configuration :ref:`request_body_mode + // ` + envoy.extensions.filters.http.ext_proc.v3.ProcessingMode.BodySendMode request_body_mode = 1 + [(validate.rules).enum = {defined_only: true}]; + + // Specify the filter configuration :ref:`response_body_mode + // ` + envoy.extensions.filters.http.ext_proc.v3.ProcessingMode.BodySendMode response_body_mode = 2 + [(validate.rules).enum = {defined_only: true}]; + + // Specify the filter configuration :ref:`send_body_without_waiting_for_header_response + // ` + // If the client is waiting for a header response from the server, setting ``true`` means the client will send body to the server + // as they arrive. Setting ``false`` means the client will buffer the arrived data and not send it to the server immediately. + bool send_body_without_waiting_for_header_response = 3; +} + +// This represents the different types of messages that the data plane can send +// to an external processing server. +// [#next-free-field: 12] +message ProcessingRequest { + reserved 1; + + reserved "async_mode"; + + // Each request message will include one of the following sub-messages. Which + // ones are set for a particular HTTP request/response depend on the + // processing mode. + oneof request { + option (validate.required) = true; + + // Information about the HTTP request headers, as well as peer info and additional + // properties. Unless ``observability_mode`` is ``true``, the server must send back a + // HeaderResponse message, an ImmediateResponse message, or close the stream. + HttpHeaders request_headers = 2; + + // Information about the HTTP response headers, as well as peer info and additional + // properties. Unless ``observability_mode`` is ``true``, the server must send back a + // HeaderResponse message or close the stream. + HttpHeaders response_headers = 3; + + // A chunk of the HTTP request body. Unless ``observability_mode`` is true, the server must send back + // a BodyResponse message, an ImmediateResponse message, or close the stream. + HttpBody request_body = 4; + + // A chunk of the HTTP response body. Unless ``observability_mode`` is ``true``, the server must send back + // a BodyResponse message or close the stream. + HttpBody response_body = 5; + + // The HTTP trailers for the request path. Unless ``observability_mode`` is ``true``, the server + // must send back a TrailerResponse message or close the stream. + // + // This message is only sent if the trailers processing mode is set to ``SEND`` and + // the original downstream request has trailers. + HttpTrailers request_trailers = 6; + + // The HTTP trailers for the response path. Unless ``observability_mode`` is ``true``, the server + // must send back a TrailerResponse message or close the stream. + // + // This message is only sent if the trailers processing mode is set to ``SEND`` and + // the original upstream response has trailers. + HttpTrailers response_trailers = 7; + } + + // Dynamic metadata associated with the request. + config.core.v3.Metadata metadata_context = 8; + + // The values of properties selected by the ``request_attributes`` + // or ``response_attributes`` list in the configuration. Each entry + // in the list is populated from the standard + // :ref:`attributes ` supported in the data plane. + map attributes = 9; + + // Specify whether the filter that sent this request is running in :ref:`observability_mode + // ` + // and defaults to false. + // + // * A value of ``false`` indicates that the server must respond + // to this message by either sending back a matching ProcessingResponse message, + // or by closing the stream. + // * A value of ``true`` indicates that the server should not respond to this message, as any + // responses will be ignored. However, it may still close the stream to indicate that no more messages + // are needed. + // + bool observability_mode = 10; + + // Specify the filter protocol configurations to be sent to the server. + // ``protocol_config`` is only encoded in the first ``ProcessingRequest`` message from the client to the server. + ProtocolConfiguration protocol_config = 11; +} + +// This represents the different types of messages the server may send back to the data plane +// when the ``observability_mode`` field in the received ProcessingRequest is set to false. +// +// * If the corresponding ``BodySendMode`` in the +// :ref:`processing_mode ` +// is not set to ``FULL_DUPLEX_STREAMED``, then for every received ProcessingRequest, +// the server must send back exactly one ProcessingResponse message. +// * If it is set to ``FULL_DUPLEX_STREAMED``, the server must follow the API defined +// for this mode to send the ProcessingResponse messages. +// [#next-free-field: 13] +message ProcessingResponse { + // The response type that is sent by the server. + oneof response { + option (validate.required) = true; + + // The server must send back this message in response to a message with the + // ``request_headers`` field set. + HeadersResponse request_headers = 1; + + // The server must send back this message in response to a message with the + // ``response_headers`` field set. + HeadersResponse response_headers = 2; + + // The server must send back this message in response to a message with + // the ``request_body`` field set. + BodyResponse request_body = 3; + + // The server must send back this message in response to a message with + // the ``response_body`` field set. + BodyResponse response_body = 4; + + // The server must send back this message in response to a message with + // the ``request_trailers`` field set. + TrailersResponse request_trailers = 5; + + // The server must send back this message in response to a message with + // the ``response_trailers`` field set. + TrailersResponse response_trailers = 6; + + // If specified, attempt to create a locally generated response, send it + // downstream, and stop processing additional filters and ignore any + // additional messages received from the remote server for this request or + // response. If a response has already started -- for example, if this + // message is sent response to a ``response_body`` message -- then + // this will either ship the reply directly to the downstream codec, + // or reset the stream. + ImmediateResponse immediate_response = 7; + + // The server sends back this message to initiate or continue local response streaming. + // The server must initiate local response streaming with the ``headers_response`` in response to a ProcessingRequest + // with the ``request_headers`` only. + // The server may follow up with multiple messages containing ``body_response``. The server must indicate + // end of stream by setting ``end_of_stream`` to ``true`` in the ``headers_response`` + // or ``body_response`` message or by sending a ``trailers_response`` message. + // The client may send a ``request_body`` or ``request_trailers`` to the server depending on configuration. + // The streaming local response can only be sent when the ``request_header_mode`` in the filter + // :ref:`processing_mode ` + // is set to ``SEND``. The ext_proc server should not send StreamedImmediateResponse if it did not observe request headers, + // as it will result in the race with the upstream server response and reset of the client request. + // Presently only the FULL_DUPLEX_STREAMED or NONE body modes are supported. + StreamedImmediateResponse streamed_immediate_response = 11; + } + + // Optional metadata that will be emitted as dynamic metadata to be consumed by + // following filters. This metadata will be placed in the namespace(s) specified by the top-level + // field name(s) of the struct. + google.protobuf.Struct dynamic_metadata = 8; + + // Override how parts of the HTTP request and response are processed + // for the duration of this particular request/response only. Servers + // may use this to intelligently control how requests are processed + // based on the headers and other metadata that they see. + // This field is only applicable when servers responding to the header requests. + // If it is set in the response to the body or trailer requests, it will be ignored by the data plane. + // It is also ignored by the data plane when the ext_proc filter config + // :ref:`allow_mode_override + // ` + // is set to false, or + // :ref:`send_body_without_waiting_for_header_response + // ` + // is set to true. + envoy.extensions.filters.http.ext_proc.v3.ProcessingMode mode_override = 9; + + // [#not-implemented-hide:] + // Used only in ``FULL_DUPLEX_STREAMED`` and ``GRPC`` body send modes. + // Instructs the data plane to stop sending body data and to send a + // half-close on the ext_proc stream. The ext_proc server should then echo + // back all subsequent body contents as-is until it sees the client's + // half-close, at which point the ext_proc server can terminate the stream + // with an OK status. This provides a safe way for the ext_proc server + // to indicate that it does not need to see the rest of the stream; + // without this, the ext_proc server could not terminate the stream + // early, because it would wind up dropping any body contents that the + // client had already sent before it saw the ext_proc stream termination. + bool request_drain = 12; + + // When ext_proc server receives a request message, in case it needs more + // time to process the message, it sends back a ProcessingResponse message + // with a new timeout value. When the data plane receives this response + // message, it ignores other fields in the response, just stop the original + // timer, which has the timeout value specified in + // :ref:`message_timeout + // ` + // and start a new timer with this ``override_message_timeout`` value and keep the + // data plane ext_proc filter state machine intact. + // Has to be >= 1ms and <= + // :ref:`max_message_timeout ` + // Such message can be sent at most once in a particular data plane ext_proc filter processing state. + // To enable this API, one has to set ``max_message_timeout`` to a number >= 1ms. + google.protobuf.Duration override_message_timeout = 10; +} + +// The following are messages that are sent to the server. + +// This message is sent to the external server when the HTTP request and responses +// are first received. +message HttpHeaders { + // The HTTP request headers. All header keys will be + // lower-cased, because HTTP header keys are case-insensitive. + // The header value is encoded in the + // :ref:`raw_value ` field. + config.core.v3.HeaderMap headers = 1; + + // [#not-implemented-hide:] + // This field is deprecated and not implemented. Attributes will be sent in + // the top-level :ref:`attributes attributes = 2 + [deprecated = true, (envoy.annotations.deprecated_at_minor_version) = "3.0"]; + + // If ``true``, then there is no message body associated with this + // request or response. + bool end_of_stream = 3; +} + +// This message is sent to the external server when the HTTP request and +// response bodies are received. +message HttpBody { + // The contents of the body in the HTTP request/response. Note that in + // streaming mode multiple ``HttpBody`` messages may be sent. + // + // In ``GRPC`` body send mode, a separate ``HttpBody`` message will be + // sent for each message in the gRPC stream. + bytes body = 1; + + // If ``true``, this will be the last ``HttpBody`` message that will be sent and no + // trailers will be sent for the current request/response. + bool end_of_stream = 2; + + // This field is used in ``GRPC`` body send mode when ``end_of_stream`` is + // true and ``body`` is empty. Those values would normally indicate an + // empty message on the stream with the end-of-stream bit set. + // However, if the half-close happens after the last message on the + // stream was already sent, then this field will be true to indicate an + // end-of-stream with *no* message (as opposed to an empty message). + bool end_of_stream_without_message = 3; + + // This field is used in ``GRPC`` body send mode to indicate whether + // the message is compressed. This will never be set to true by gRPC + // but may be set to true by a proxy like Envoy. + bool grpc_message_compressed = 4; +} + +// This message is sent to the external server when the HTTP request and +// response trailers are received. +message HttpTrailers { + // The header value is encoded in the + // :ref:`raw_value ` field. + config.core.v3.HeaderMap trailers = 1; +} + +// The following are messages that may be sent back by the server. + +// This message is sent by the external server to the data plane after ``HttpHeaders`` was +// sent to it. +message HeadersResponse { + // Details the modifications (if any) to be made by the data plane to the current + // request/response. + CommonResponse response = 1; +} + +// This message is sent by the external server to the data plane after ``HttpBody`` was +// sent to it. +message BodyResponse { + // Details the modifications (if any) to be made by the data plane to the current + // request/response. + CommonResponse response = 1; +} + +// This message is sent by the external server to the data plane after ``HttpTrailers`` was +// sent to it. +message TrailersResponse { + // Details the modifications (if any) to be made by the data plane to the current + // request/response trailers. + HeaderMutation header_mutation = 1; +} + +// This message is sent by the external server to the data plane after ``HttpHeaders`` +// to initiate local response streaming. The server may follow up with multiple messages containing ``body_response``. +// The server must indicate end of stream by setting ``end_of_stream`` to ``true`` in the ``headers_response`` +// or ``body_response`` message or by sending a ``trailers_response`` message. +message StreamedImmediateResponse { + oneof response { + // Response headers to be sent downstream. The ":status" header must be set. + HttpHeaders headers_response = 1; + + // Response body to be sent downstream. + StreamedBodyResponse body_response = 2; + + // Response trailers to be sent downstream. + config.core.v3.HeaderMap trailers_response = 3; + } +} + +// This message contains common fields between header and body responses. +// [#next-free-field: 6] +message CommonResponse { + // The status of the response. + enum ResponseStatus { + // Apply the mutation instructions in this message to the + // request or response, and then continue processing the filter + // stream as normal. This is the default. + CONTINUE = 0; + + // Apply the specified header mutation, replace the body with the body + // specified in the body mutation (if present), and do not send any + // further messages for this request or response even if the processing + // mode is configured to do so. + // + // When used in response to a request_headers or response_headers message, + // this status makes it possible to either completely replace the body + // while discarding the original body, or to add a body to a message that + // formerly did not have one. + // + // In other words, this response makes it possible to turn an HTTP GET + // into a POST, PUT, or PATCH. + // + // Not supported if the body send mode is ``GRPC``. + CONTINUE_AND_REPLACE = 1; + } + + // If set, provide additional direction on how the data plane should + // handle the rest of the HTTP filter chain. + ResponseStatus status = 1 [(validate.rules).enum = {defined_only: true}]; + + // Instructions on how to manipulate the headers. When responding to an + // HttpBody request, header mutations will only take effect if + // the current processing mode for the body is BUFFERED. + HeaderMutation header_mutation = 2; + + // Replace the body of the last message sent to the remote server on this + // stream. If responding to an HttpBody request, simply replace or clear + // the body chunk that was sent with that request. Body mutations may take + // effect in response either to ``header`` or ``body`` messages. When it is + // in response to ``header`` messages, it only take effect if the + // :ref:`status ` + // is set to CONTINUE_AND_REPLACE. + BodyMutation body_mutation = 3; + + // [#not-implemented-hide:] + // Add new trailers to the message. This may be used when responding to either a + // HttpHeaders or HttpBody message, but only if this message is returned + // along with the CONTINUE_AND_REPLACE status. + // The header value is encoded in the + // :ref:`raw_value ` field. + config.core.v3.HeaderMap trailers = 4; + + // Clear the route cache for the current client request. This is necessary + // if the remote server modified headers that are used to calculate the route. + // This field is ignored in the response direction. This field is also ignored + // if the data plane ext_proc filter is in the upstream filter chain. + bool clear_route_cache = 5; +} + +// This message causes the filter to attempt to create a locally +// generated response, send it downstream, stop processing +// additional filters, and ignore any additional messages received +// from the remote server for this request or response. If a response +// has already started, then this will either ship the reply directly +// to the downstream codec, or reset the stream. +// [#next-free-field: 6] +message ImmediateResponse { + // The response code to return. + type.v3.HttpStatus status = 1 [(validate.rules).message = {required: true}]; + + // Apply changes to the default headers, which will include content-type. + HeaderMutation headers = 2; + + // The message body to return with the response which is sent using the + // text/plain content type, or encoded in the grpc-message header. + bytes body = 3; + + // If set, then include a gRPC status trailer. + GrpcStatus grpc_status = 4; + + // A string detailing why this local reply was sent, which may be included + // in log and debug output (e.g. this populates the %RESPONSE_CODE_DETAILS% + // command operator field for use in access logging). + string details = 5; +} + +// This message specifies a gRPC status for an ImmediateResponse message. +message GrpcStatus { + // The actual gRPC status. + uint32 status = 1; +} + +// Change HTTP headers or trailers by appending, replacing, or removing +// headers. +message HeaderMutation { + // Add or replace HTTP headers. Attempts to set the value of + // any ``x-envoy`` header, and attempts to set the ``:method``, + // ``:authority``, ``:scheme``, or ``host`` headers will be ignored. + // The header value is encoded in the + // :ref:`raw_value ` field. + repeated config.core.v3.HeaderValueOption set_headers = 1; + + // Remove these HTTP headers. Attempts to remove system headers -- + // any header starting with ``:``, plus ``host`` -- will be ignored. + repeated string remove_headers = 2; +} + +// The body response message corresponding to ``FULL_DUPLEX_STREAMED`` or ``GRPC`` body modes. +message StreamedBodyResponse { + // In ``FULL_DUPLEX_STREAMED`` body send mode, contains the body response chunk that will be + // passed to the upstream/downstream by the data plane. In ``GRPC`` body send mode, contains + // a serialized gRPC message to be passed to the upstream/downstream by the data plane. + bytes body = 1; + + // The server sets this flag to true if it has received a body request with + // :ref:`end_of_stream ` set to true, + // and this is the last chunk of body responses. + // Note that in ``GRPC`` body send mode, this allows the ext_proc + // server to tell the data plane to send a half close after a client + // message, which will result in discarding any other messages sent by + // the client application. + bool end_of_stream = 2; + + // This field is used in ``GRPC`` body send mode when ``end_of_stream`` is + // true and ``body`` is empty. Those values would normally indicate an + // empty message on the stream with the end-of-stream bit set. + // However, if the half-close happens after the last message on the + // stream was already sent, then this field will be true to indicate an + // end-of-stream with *no* message (as opposed to an empty message). + bool end_of_stream_without_message = 3; + + // This field is used in ``GRPC`` body send mode to indicate whether + // the message is compressed. This will never be set to true by gRPC + // but may be set to true by a proxy like Envoy. + bool grpc_message_compressed = 4; +} + +// This message specifies the body mutation the server sends to the data plane. +message BodyMutation { + // The type of mutation for the body. + oneof mutation { + // The entire body to replace. + // Should only be used when the corresponding ``BodySendMode`` in the + // :ref:`processing_mode ` + // is not set to ``FULL_DUPLEX_STREAMED`` or ``GRPC``. + bytes body = 1; + + // Clear the corresponding body chunk. + // Should only be used when the corresponding ``BodySendMode`` in the + // :ref:`processing_mode ` + // is not set to ``FULL_DUPLEX_STREAMED`` or ``GRPC``. + // Clear the corresponding body chunk. + bool clear_body = 2; + + // Must be used when the corresponding ``BodySendMode`` in the + // :ref:`processing_mode ` + // is set to ``FULL_DUPLEX_STREAMED`` or ``GRPC``. + StreamedBodyResponse streamed_response = 3 + [(xds.annotations.v3.field_status).work_in_progress = true]; + } +} diff --git a/grpc-xds/proto/third_party/envoy/envoy/service/load_stats/v3/lrs.proto b/grpc-xds/proto/third_party/envoy/envoy/service/load_stats/v3/lrs.proto new file mode 100644 index 000000000..37410628c --- /dev/null +++ b/grpc-xds/proto/third_party/envoy/envoy/service/load_stats/v3/lrs.proto @@ -0,0 +1,102 @@ +syntax = "proto3"; + +package envoy.service.load_stats.v3; + +import "envoy/config/core/v3/base.proto"; +import "envoy/config/endpoint/v3/load_report.proto"; + +import "google/protobuf/duration.proto"; + +import "udpa/annotations/status.proto"; +import "udpa/annotations/versioning.proto"; + +option java_package = "io.envoyproxy.envoy.service.load_stats.v3"; +option java_outer_classname = "LrsProto"; +option java_multiple_files = true; +option go_package = "github.com/envoyproxy/go-control-plane/envoy/service/load_stats/v3;load_statsv3"; +option (udpa.annotations.file_status).package_version_status = ACTIVE; + +// [#protodoc-title: Load reporting service (LRS)] + +// Load Reporting Service is an Envoy API to emit load reports. Envoy will initiate a bi-directional +// stream with a management server. Upon connecting, the management server can send a +// :ref:`LoadStatsResponse ` to a node it is +// interested in getting the load reports for. Envoy in this node will start sending +// :ref:`LoadStatsRequest `. This is done periodically +// based on the :ref:`load reporting interval ` +// For details, take a look at the :ref:`Load Reporting Service sandbox example `. + +service LoadReportingService { + // Advanced API to allow for multi-dimensional load balancing by remote + // server. For receiving LB assignments, the steps are: + // 1, The management server is configured with per cluster/zone/load metric + // capacity configuration. The capacity configuration definition is + // outside of the scope of this document. + // 2. Envoy issues a standard {Stream,Fetch}Endpoints request for the clusters + // to balance. + // + // Independently, Envoy will initiate a StreamLoadStats bidi stream with a + // management server: + // 1. Once a connection establishes, the management server publishes a + // LoadStatsResponse for all clusters it is interested in learning load + // stats about. + // 2. For each cluster, Envoy load balances incoming traffic to upstream hosts + // based on per-zone weights and/or per-instance weights (if specified) + // based on intra-zone LbPolicy. This information comes from the above + // {Stream,Fetch}Endpoints. + // 3. When upstream hosts reply, they optionally add header with ASCII representation of EndpointLoadMetricStats. + // 4. Envoy aggregates load reports over the period of time given to it in + // LoadStatsResponse.load_reporting_interval. This includes aggregation + // stats Envoy maintains by itself (total_requests, rpc_errors etc.) as + // well as load metrics from upstream hosts. + // 5. When the timer of load_reporting_interval expires, Envoy sends new + // LoadStatsRequest filled with load reports for each cluster. + // 6. The management server uses the load reports from all reported Envoys + // from around the world, computes global assignment and prepares traffic + // assignment destined for each zone Envoys are located in. Goto 2. + rpc StreamLoadStats(stream LoadStatsRequest) returns (stream LoadStatsResponse) { + } +} + +// A load report Envoy sends to the management server. +message LoadStatsRequest { + option (udpa.annotations.versioning).previous_message_type = + "envoy.service.load_stats.v2.LoadStatsRequest"; + + // Node identifier for Envoy instance. + config.core.v3.Node node = 1; + + // A list of load stats to report. + repeated config.endpoint.v3.ClusterStats cluster_stats = 2; +} + +// The management server sends envoy a LoadStatsResponse with all clusters it +// is interested in learning load stats about. +message LoadStatsResponse { + option (udpa.annotations.versioning).previous_message_type = + "envoy.service.load_stats.v2.LoadStatsResponse"; + + // Clusters to report stats for. + // Not populated if ``send_all_clusters`` is true. + repeated string clusters = 1; + + // If true, the client should send all clusters it knows about. + // Only clients that advertise the "envoy.lrs.supports_send_all_clusters" capability in their + // :ref:`client_features` field will honor this field. + bool send_all_clusters = 4; + + // The minimum interval of time to collect stats over. This is only a minimum for two reasons: + // + // 1. There may be some delay from when the timer fires until stats sampling occurs. + // 2. For clusters that were already feature in the previous ``LoadStatsResponse``, any traffic + // that is observed in between the corresponding previous ``LoadStatsRequest`` and this + // ``LoadStatsResponse`` will also be accumulated and billed to the cluster. This avoids a period + // of inobservability that might otherwise exists between the messages. New clusters are not + // subject to this consideration. + google.protobuf.Duration load_reporting_interval = 2; + + // Set to ``true`` if the management server supports endpoint granularity + // report. + bool report_endpoint_granularity = 3; +} diff --git a/grpc-xds/proto/third_party/envoy/envoy/service/rate_limit_quota/v3/rlqs.proto b/grpc-xds/proto/third_party/envoy/envoy/service/rate_limit_quota/v3/rlqs.proto new file mode 100644 index 000000000..b8fa2cd89 --- /dev/null +++ b/grpc-xds/proto/third_party/envoy/envoy/service/rate_limit_quota/v3/rlqs.proto @@ -0,0 +1,258 @@ +syntax = "proto3"; + +package envoy.service.rate_limit_quota.v3; + +import "envoy/type/v3/ratelimit_strategy.proto"; + +import "google/protobuf/duration.proto"; + +import "xds/annotations/v3/status.proto"; + +import "udpa/annotations/status.proto"; +import "validate/validate.proto"; + +option java_package = "io.envoyproxy.envoy.service.rate_limit_quota.v3"; +option java_outer_classname = "RlqsProto"; +option java_multiple_files = true; +option go_package = "github.com/envoyproxy/go-control-plane/envoy/service/rate_limit_quota/v3;rate_limit_quotav3"; +option (udpa.annotations.file_status).package_version_status = ACTIVE; +option (xds.annotations.v3.file_status).work_in_progress = true; + +// [#protodoc-title: Rate Limit Quota Service (RLQS)] + +// The Rate Limit Quota Service (RLQS) is a Envoy global rate limiting service that allows to +// delegate rate limit decisions to a remote service. The service will aggregate the usage reports +// from multiple data plane instances, and distribute Rate Limit Assignments to each instance +// based on its business logic. The logic is outside of the scope of the protocol API. +// +// The protocol is designed as a streaming-first API. It utilizes watch-like subscription model. +// The data plane groups requests into Quota Buckets as directed by the filter config, +// and periodically reports them to the RLQS server along with the Bucket identifier, :ref:`BucketId +// `. Once RLQS server has collected enough +// reports to make a decision, it'll send back the assignment with the rate limiting instructions. +// +// The first report sent by the data plane is interpreted by the RLQS server as a "watch" request, +// indicating that the data plane instance is interested in receiving further updates for the +// ``BucketId``. From then on, RLQS server may push assignments to this instance at will, even if +// the instance is not sending usage reports. It's the responsibility of the RLQS server +// to determine when the data plane instance didn't send ``BucketId`` reports for too long, +// and to respond with the :ref:`AbandonAction +// `, +// indicating that the server has now stopped sending quota assignments for the ``BucketId`` bucket, +// and the data plane instance should :ref:`abandon +// ` +// it. +// +// If for any reason the RLQS client doesn't receive the initial assignment for the reported bucket, +// in order to prevent memory exhaustion, the data plane will limit the time such bucket +// is retained. The exact time to wait for the initial assignment is chosen by the filter, +// and may vary based on the implementation. +// Once the duration ends, the data plane will stop reporting bucket usage, reject any enqueued +// requests, and purge the bucket from the memory. Subsequent requests matched into the bucket +// will re-initialize the bucket in the "no assignment" state, restarting the reports. +// +// Refer to Rate Limit Quota :ref:`configuration overview ` +// for further details. + +// Defines the Rate Limit Quota Service (RLQS). +service RateLimitQuotaService { + // Main communication channel: the data plane sends usage reports to the RLQS server, + // and the server asynchronously responding with the assignments. + rpc StreamRateLimitQuotas(stream RateLimitQuotaUsageReports) + returns (stream RateLimitQuotaResponse) { + } +} + +message RateLimitQuotaUsageReports { + // The usage report for a bucket. + // + // .. note:: + // Note that the first report sent for a ``BucketId`` indicates to the RLQS server that + // the RLQS client is subscribing for the future assignments for this ``BucketId``. + message BucketQuotaUsage { + // ``BucketId`` for which request quota usage is reported. + BucketId bucket_id = 1 [(validate.rules).message = {required: true}]; + + // Time elapsed since the last report. + google.protobuf.Duration time_elapsed = 2 [(validate.rules).duration = { + required: true + gt {} + }]; + + // Requests the data plane has allowed through. + uint64 num_requests_allowed = 3; + + // Requests throttled. + uint64 num_requests_denied = 4; + } + + // All quota requests must specify the domain. This enables sharing the quota + // server between different applications without fear of overlap. + // E.g., "envoy". + // + // Should only be provided in the first report, all subsequent messages on the same + // stream are considered to be in the same domain. In case the domain needs to be + // changes, close the stream, and reopen a new one with the different domain. + string domain = 1 [(validate.rules).string = {min_len: 1}]; + + // A list of quota usage reports. The list is processed by the RLQS server in the same order + // it's provided by the client. + repeated BucketQuotaUsage bucket_quota_usages = 2 [(validate.rules).repeated = {min_items: 1}]; +} + +message RateLimitQuotaResponse { + // Commands the data plane to apply one of the actions to the bucket with the + // :ref:`bucket_id `. + message BucketAction { + // Quota assignment for the bucket. Configures the rate limiting strategy and the duration + // for the given :ref:`bucket_id + // `. + // + // **Applying the first assignment to the bucket** + // + // Once the data plane receives the ``QuotaAssignmentAction``, it must send the current usage + // report for the bucket, and start rate limiting requests matched into the bucket + // using the strategy configured in the :ref:`rate_limit_strategy + // ` + // field. The assignment becomes bucket's ``active`` assignment. + // + // **Expiring the assignment** + // + // The duration of the assignment defined in the :ref:`assignment_time_to_live + // ` + // field. When the duration runs off, the assignment is ``expired``, and no longer ``active``. + // The data plane should stop applying the rate limiting strategy to the bucket, and transition + // the bucket to the "expired assignment" state. This activates the behavior configured in the + // :ref:`expired_assignment_behavior ` + // field. + // + // **Replacing the assignment** + // + // * If the rate limiting strategy is different from bucket's ``active`` assignment, or + // the current bucket assignment is ``expired``, the data plane must immediately + // end the current assignment, report the bucket usage, and apply the new assignment. + // The new assignment becomes bucket's ``active`` assignment. + // * If the rate limiting strategy is the same as the bucket's ``active`` (not ``expired``) + // assignment, the data plane should extend the duration of the ``active`` assignment + // for the duration of the new assignment provided in the :ref:`assignment_time_to_live + // ` + // field. The ``active`` assignment is considered unchanged. + message QuotaAssignmentAction { + // A duration after which the assignment is be considered ``expired``. The process of the + // expiration is described :ref:`above + // `. + // + // * If unset, the assignment has no expiration date. + // * If set to ``0``, the assignment expires immediately, forcing the client into the + // :ref:`"expired assignment" + // ` + // state. This may be used by the RLQS server in cases when it needs clients to proactively + // fall back to the pre-configured :ref:`ExpiredAssignmentBehavior + // `, + // f.e. before the server going into restart. + // + // .. attention:: + // Note that :ref:`expiring + // ` + // the assignment is not the same as :ref:`abandoning + // ` + // the assignment. While expiring the assignment just transitions the bucket to + // the "expired assignment" state; abandoning the assignment completely erases + // the bucket from the data plane memory, and stops the usage reports. + google.protobuf.Duration assignment_time_to_live = 2 [(validate.rules).duration = {gte {}}]; + + // Configures the local rate limiter for the request matched to the bucket. + // If not set, allow all requests. + type.v3.RateLimitStrategy rate_limit_strategy = 3; + } + + // Abandon action for the bucket. Indicates that the RLQS server will no longer be + // sending updates for the given :ref:`bucket_id + // `. + // + // If no requests are reported for a bucket, after some time the server considers the bucket + // inactive. The server stops tracking the bucket, and instructs the the data plane to abandon + // the bucket via this message. + // + // **Abandoning the assignment** + // + // The data plane is to erase the bucket (including its usage data) from the memory. + // It should stop tracking the bucket, and stop reporting its usage. This effectively resets + // the data plane to the state prior to matching the first request into the bucket. + // + // **Restarting the subscription** + // + // If a new request is matched into a bucket previously abandoned, the data plane must behave + // as if it has never tracked the bucket, and it's the first request matched into it: + // + // 1. The process of :ref:`subscription and reporting + // ` + // starts from the beginning. + // + // 2. The bucket transitions to the :ref:`"no assignment" + // ` + // state. + // + // 3. Once the new assignment is received, it's applied per + // "Applying the first assignment to the bucket" section of the :ref:`QuotaAssignmentAction + // `. + message AbandonAction { + } + + // ``BucketId`` for which request the action is applied. + BucketId bucket_id = 1 [(validate.rules).message = {required: true}]; + + oneof bucket_action { + option (validate.required) = true; + + // Apply the quota assignment to the bucket. + // + // Commands the data plane to apply a rate limiting strategy to the bucket. + // The process of applying and expiring the rate limiting strategy is detailed in the + // :ref:`QuotaAssignmentAction + // ` + // message. + QuotaAssignmentAction quota_assignment_action = 2; + + // Abandon the bucket. + // + // Commands the data plane to abandon the bucket. + // The process of abandoning the bucket is described in the :ref:`AbandonAction + // ` + // message. + AbandonAction abandon_action = 3; + } + } + + // An ordered list of actions to be applied to the buckets. The actions are applied in the + // given order, from top to bottom. + repeated BucketAction bucket_action = 1 [(validate.rules).repeated = {min_items: 1}]; +} + +// The identifier for the bucket. Used to match the bucket between the control plane (RLQS server), +// and the data plane (RLQS client), f.e.: +// +// * the data plane sends a usage report for requests matched into the bucket with ``BucketId`` +// to the control plane +// * the control plane sends an assignment for the bucket with ``BucketId`` to the data plane +// Bucket ID. +// +// Example: +// +// .. validated-code-block:: yaml +// :type-name: envoy.service.rate_limit_quota.v3.BucketId +// +// bucket: +// name: my_bucket +// env: staging +// +// .. note:: +// The order of ``BucketId`` keys do not matter. Buckets ``{ a: 'A', b: 'B' }`` and +// ``{ b: 'B', a: 'A' }`` are identical. +message BucketId { + map bucket = 1 [(validate.rules).map = { + min_pairs: 1 + keys {string {min_len: 1}} + values {string {min_len: 1}} + }]; +} diff --git a/grpc-xds/proto/third_party/envoy/envoy/service/status/v3/csds.proto b/grpc-xds/proto/third_party/envoy/envoy/service/status/v3/csds.proto new file mode 100644 index 000000000..de62fbf9b --- /dev/null +++ b/grpc-xds/proto/third_party/envoy/envoy/service/status/v3/csds.proto @@ -0,0 +1,206 @@ +syntax = "proto3"; + +package envoy.service.status.v3; + +import "envoy/admin/v3/config_dump_shared.proto"; +import "envoy/config/core/v3/base.proto"; +import "envoy/type/matcher/v3/node.proto"; + +import "google/api/annotations.proto"; +import "google/protobuf/any.proto"; +import "google/protobuf/timestamp.proto"; + +import "envoy/annotations/deprecation.proto"; +import "udpa/annotations/status.proto"; +import "udpa/annotations/versioning.proto"; + +option java_package = "io.envoyproxy.envoy.service.status.v3"; +option java_outer_classname = "CsdsProto"; +option java_multiple_files = true; +option go_package = "github.com/envoyproxy/go-control-plane/envoy/service/status/v3;statusv3"; +option (udpa.annotations.file_status).package_version_status = ACTIVE; + +// [#protodoc-title: Client status discovery service (CSDS)] + +// CSDS is Client Status Discovery Service. It can be used to get the status of +// an xDS-compliant client from the management server's point of view. It can +// also be used to get the current xDS states directly from the client. +service ClientStatusDiscoveryService { + rpc StreamClientStatus(stream ClientStatusRequest) returns (stream ClientStatusResponse) { + } + + rpc FetchClientStatus(ClientStatusRequest) returns (ClientStatusResponse) { + option (google.api.http).post = "/v3/discovery:client_status"; + option (google.api.http).body = "*"; + } +} + +// Status of a config from a management server view. +enum ConfigStatus { + // Status info is not available/unknown. + UNKNOWN = 0; + + // Management server has sent the config to client and received ACK. + SYNCED = 1; + + // Config is not sent. + NOT_SENT = 2; + + // Management server has sent the config to client but hasn’t received + // ACK/NACK. + STALE = 3; + + // Management server has sent the config to client but received NACK. The + // attached config dump will be the latest config (the rejected one), since + // it is the persisted version in the management server. + ERROR = 4; +} + +// Config status from a client-side view. +enum ClientConfigStatus { + // Config status is not available/unknown. + CLIENT_UNKNOWN = 0; + + // Client requested the config but hasn't received any config from management + // server yet. + CLIENT_REQUESTED = 1; + + // Client received the config and replied with ACK. + CLIENT_ACKED = 2; + + // Client received the config and replied with NACK. Notably, the attached + // config dump is not the NACKed version, but the most recent accepted one. If + // no config is accepted yet, the attached config dump will be empty. + CLIENT_NACKED = 3; + + // Client received an error from the control plane. The attached config + // dump is the most recent accepted one. If no config is accepted yet, + // the attached config dump will be empty. + CLIENT_RECEIVED_ERROR = 4; +} + +// Request for client status of clients identified by a list of NodeMatchers. +message ClientStatusRequest { + option (udpa.annotations.versioning).previous_message_type = + "envoy.service.status.v2.ClientStatusRequest"; + + // Management server can use these match criteria to identify clients. + // The match follows OR semantics. + repeated type.matcher.v3.NodeMatcher node_matchers = 1; + + // The node making the csds request. + config.core.v3.Node node = 2; + + // If true, the server will not include the resource contents in the response + // (i.e., the generic_xds_configs.xds_config field will not be populated). + // [#not-implemented-hide:] + bool exclude_resource_contents = 3; +} + +// Detailed config (per xDS) with status. +// [#next-free-field: 8] +message PerXdsConfig { + option (udpa.annotations.versioning).previous_message_type = + "envoy.service.status.v2.PerXdsConfig"; + + // Config status generated by management servers. Will not be present if the + // CSDS server is an xDS client. + ConfigStatus status = 1; + + // Client config status is populated by xDS clients. Will not be present if + // the CSDS server is an xDS server. No matter what the client config status + // is, xDS clients should always dump the most recent accepted xDS config. + // + // .. attention:: + // This field is deprecated. Use :ref:`ClientResourceStatus + // ` for per-resource + // config status instead. + ClientConfigStatus client_status = 7 + [deprecated = true, (envoy.annotations.deprecated_at_minor_version) = "3.0"]; + + oneof per_xds_config { + admin.v3.ListenersConfigDump listener_config = 2; + + admin.v3.ClustersConfigDump cluster_config = 3; + + admin.v3.RoutesConfigDump route_config = 4; + + admin.v3.ScopedRoutesConfigDump scoped_route_config = 5; + + admin.v3.EndpointsConfigDump endpoint_config = 6; + } +} + +// All xds configs for a particular client. +message ClientConfig { + option (udpa.annotations.versioning).previous_message_type = + "envoy.service.status.v2.ClientConfig"; + + // GenericXdsConfig is used to specify the config status and the dump + // of any xDS resource identified by their type URL. It is the generalized + // version of the now deprecated ListenersConfigDump, ClustersConfigDump etc + // [#next-free-field: 10] + message GenericXdsConfig { + // Type_url represents the fully qualified name of xDS resource type + // like envoy.v3.Cluster, envoy.v3.ClusterLoadAssignment etc. + string type_url = 1; + + // Name of the xDS resource + string name = 2; + + // This is the :ref:`version_info ` + // in the last processed xDS discovery response. If there are only + // static bootstrap listeners, this field will be "" + string version_info = 3; + + // The xDS resource config. Actual content depends on the type + google.protobuf.Any xds_config = 4; + + // Timestamp when the xDS resource was last updated + google.protobuf.Timestamp last_updated = 5; + + // Per xDS resource config status. It is generated by management servers. + // It will not be present if the CSDS server is an xDS client. + ConfigStatus config_status = 6; + + // Per xDS resource status from the view of a xDS client + admin.v3.ClientResourceStatus client_status = 7; + + // Set if the last update failed, cleared after the next successful + // update. The *error_state* field contains the rejected version of + // this particular resource along with the reason and timestamp. For + // successfully updated or acknowledged resource, this field should + // be empty. + // [#not-implemented-hide:] + admin.v3.UpdateFailureState error_state = 8; + + // Is static resource is true if it is specified in the config supplied + // through the file at the startup. + bool is_static_resource = 9; + } + + // Node for a particular client. + config.core.v3.Node node = 1; + + // This field is deprecated in favor of generic_xds_configs which is + // much simpler and uniform in structure. + repeated PerXdsConfig xds_config = 2 + [deprecated = true, (envoy.annotations.deprecated_at_minor_version) = "3.0"]; + + // Represents generic xDS config and the exact config structure depends on + // the type URL (like Cluster if it is CDS) + repeated GenericXdsConfig generic_xds_configs = 3; + + // For xDS clients, the scope in which the data is used. + // For example, gRPC indicates the data plane target or that the data is + // associated with gRPC server(s). + string client_scope = 4; +} + +message ClientStatusResponse { + option (udpa.annotations.versioning).previous_message_type = + "envoy.service.status.v2.ClientStatusResponse"; + + // Client configs for the clients specified in the ClientStatusRequest. + repeated ClientConfig config = 1; +} diff --git a/grpc-xds/proto/third_party/envoy/envoy/type/http/v3/path_transformation.proto b/grpc-xds/proto/third_party/envoy/envoy/type/http/v3/path_transformation.proto new file mode 100644 index 000000000..2e974ca38 --- /dev/null +++ b/grpc-xds/proto/third_party/envoy/envoy/type/http/v3/path_transformation.proto @@ -0,0 +1,58 @@ +syntax = "proto3"; + +package envoy.type.http.v3; + +import "udpa/annotations/status.proto"; +import "validate/validate.proto"; + +option java_package = "io.envoyproxy.envoy.type.http.v3"; +option java_outer_classname = "PathTransformationProto"; +option java_multiple_files = true; +option go_package = "github.com/envoyproxy/go-control-plane/envoy/type/http/v3;httpv3"; +option (udpa.annotations.file_status).package_version_status = ACTIVE; + +// [#protodoc-title: Path Transformations API] + +// PathTransformation defines an API to apply a sequence of operations that can be used to alter +// text before it is used for matching or routing. Multiple actions can be applied in the same +// Transformation, forming a sequential pipeline. The transformations will be performed in the order +// that they appear. +// +// This API is a work in progress. + +message PathTransformation { + // A type of operation to alter text. + message Operation { + // Should text be normalized according to RFC 3986? This typically is used for path headers + // before any processing of requests by HTTP filters or routing. This applies percent-encoded + // normalization and path segment normalization. Fails on characters disallowed in URLs + // (e.g. NULLs). See `Normalization and Comparison + // `_ for details of normalization. Note that + // this options does not perform `case normalization + // `_ + message NormalizePathRFC3986 { + } + + // Determines if adjacent slashes are merged into one. A common use case is for a request path + // header. Using this option in ``:ref: PathNormalizationOptions + // `` + // will allow incoming requests with path ``//dir///file`` to match against route with ``prefix`` + // match set to ``/dir``. When using for header transformations, note that slash merging is not + // part of `HTTP spec `_ and is provided for convenience. + message MergeSlashes { + } + + oneof operation_specifier { + option (validate.required) = true; + + // Enable path normalization per RFC 3986. + NormalizePathRFC3986 normalize_path_rfc_3986 = 2; + + // Enable merging adjacent slashes. + MergeSlashes merge_slashes = 3; + } + } + + // A list of operations to apply. Transformations will be performed in the order that they appear. + repeated Operation operations = 1; +} diff --git a/grpc-xds/proto/third_party/envoy/envoy/type/matcher/v3/address.proto b/grpc-xds/proto/third_party/envoy/envoy/type/matcher/v3/address.proto new file mode 100644 index 000000000..8a03a5320 --- /dev/null +++ b/grpc-xds/proto/third_party/envoy/envoy/type/matcher/v3/address.proto @@ -0,0 +1,22 @@ +syntax = "proto3"; + +package envoy.type.matcher.v3; + +import "xds/core/v3/cidr.proto"; + +import "udpa/annotations/status.proto"; + +option java_package = "io.envoyproxy.envoy.type.matcher.v3"; +option java_outer_classname = "AddressProto"; +option java_multiple_files = true; +option go_package = "github.com/envoyproxy/go-control-plane/envoy/type/matcher/v3;matcherv3"; +option (udpa.annotations.file_status).package_version_status = ACTIVE; + +// [#protodoc-title: Address Matcher] + +// Match an IP against a repeated CIDR range. This matcher is intended to be +// used in other matchers, for example in the filter state matcher to match a +// filter state object as an IP. +message AddressMatcher { + repeated xds.core.v3.CidrRange ranges = 1; +} diff --git a/grpc-xds/proto/third_party/envoy/envoy/type/matcher/v3/filter_state.proto b/grpc-xds/proto/third_party/envoy/envoy/type/matcher/v3/filter_state.proto new file mode 100644 index 000000000..8c38a515a --- /dev/null +++ b/grpc-xds/proto/third_party/envoy/envoy/type/matcher/v3/filter_state.proto @@ -0,0 +1,33 @@ +syntax = "proto3"; + +package envoy.type.matcher.v3; + +import "envoy/type/matcher/v3/address.proto"; +import "envoy/type/matcher/v3/string.proto"; + +import "udpa/annotations/status.proto"; +import "validate/validate.proto"; + +option java_package = "io.envoyproxy.envoy.type.matcher.v3"; +option java_outer_classname = "FilterStateProto"; +option java_multiple_files = true; +option go_package = "github.com/envoyproxy/go-control-plane/envoy/type/matcher/v3;matcherv3"; +option (udpa.annotations.file_status).package_version_status = ACTIVE; + +// [#protodoc-title: Filter state matcher] + +// FilterStateMatcher provides a general interface for matching the filter state objects. +message FilterStateMatcher { + // The filter state key to retrieve the object. + string key = 1 [(validate.rules).string = {min_len: 1}]; + + oneof matcher { + option (validate.required) = true; + + // Matches the filter state object as a string value. + StringMatcher string_match = 2; + + // Matches the filter state object as a ip Instance. + AddressMatcher address_match = 3; + } +} diff --git a/grpc-xds/proto/third_party/envoy/envoy/type/matcher/v3/http_inputs.proto b/grpc-xds/proto/third_party/envoy/envoy/type/matcher/v3/http_inputs.proto new file mode 100644 index 000000000..c90199eb6 --- /dev/null +++ b/grpc-xds/proto/third_party/envoy/envoy/type/matcher/v3/http_inputs.proto @@ -0,0 +1,71 @@ +syntax = "proto3"; + +package envoy.type.matcher.v3; + +import "udpa/annotations/status.proto"; +import "validate/validate.proto"; + +option java_package = "io.envoyproxy.envoy.type.matcher.v3"; +option java_outer_classname = "HttpInputsProto"; +option java_multiple_files = true; +option go_package = "github.com/envoyproxy/go-control-plane/envoy/type/matcher/v3;matcherv3"; +option (udpa.annotations.file_status).package_version_status = ACTIVE; + +// [#protodoc-title: Common HTTP inputs] + +// Match input indicates that matching should be done on a specific request header. +// The resulting input string will be all headers for the given key joined by a comma, +// e.g. if the request contains two 'foo' headers with value 'bar' and 'baz', the input +// string will be 'bar,baz'. +// [#comment:TODO(snowp): Link to unified matching docs.] +// [#extension: envoy.matching.inputs.request_headers] +message HttpRequestHeaderMatchInput { + // The request header to match on. + string header_name = 1 + [(validate.rules).string = {well_known_regex: HTTP_HEADER_NAME strict: false}]; +} + +// Match input indicates that matching should be done on a specific request trailer. +// The resulting input string will be all headers for the given key joined by a comma, +// e.g. if the request contains two 'foo' headers with value 'bar' and 'baz', the input +// string will be 'bar,baz'. +// [#comment:TODO(snowp): Link to unified matching docs.] +// [#extension: envoy.matching.inputs.request_trailers] +message HttpRequestTrailerMatchInput { + // The request trailer to match on. + string header_name = 1 + [(validate.rules).string = {well_known_regex: HTTP_HEADER_NAME strict: false}]; +} + +// Match input indicating that matching should be done on a specific response header. +// The resulting input string will be all headers for the given key joined by a comma, +// e.g. if the response contains two 'foo' headers with value 'bar' and 'baz', the input +// string will be 'bar,baz'. +// [#comment:TODO(snowp): Link to unified matching docs.] +// [#extension: envoy.matching.inputs.response_headers] +message HttpResponseHeaderMatchInput { + // The response header to match on. + string header_name = 1 + [(validate.rules).string = {well_known_regex: HTTP_HEADER_NAME strict: false}]; +} + +// Match input indicates that matching should be done on a specific response trailer. +// The resulting input string will be all headers for the given key joined by a comma, +// e.g. if the request contains two 'foo' headers with value 'bar' and 'baz', the input +// string will be 'bar,baz'. +// [#comment:TODO(snowp): Link to unified matching docs.] +// [#extension: envoy.matching.inputs.response_trailers] +message HttpResponseTrailerMatchInput { + // The response trailer to match on. + string header_name = 1 + [(validate.rules).string = {well_known_regex: HTTP_HEADER_NAME strict: false}]; +} + +// Match input indicates that matching should be done on a specific query parameter. +// The resulting input string will be the first query parameter for the value +// 'query_param'. +// [#extension: envoy.matching.inputs.query_params] +message HttpRequestQueryParamMatchInput { + // The query parameter to match on. + string query_param = 1 [(validate.rules).string = {min_len: 1}]; +} diff --git a/grpc-xds/proto/third_party/envoy/envoy/type/matcher/v3/metadata.proto b/grpc-xds/proto/third_party/envoy/envoy/type/matcher/v3/metadata.proto new file mode 100644 index 000000000..30abde97c --- /dev/null +++ b/grpc-xds/proto/third_party/envoy/envoy/type/matcher/v3/metadata.proto @@ -0,0 +1,110 @@ +syntax = "proto3"; + +package envoy.type.matcher.v3; + +import "envoy/type/matcher/v3/value.proto"; + +import "udpa/annotations/status.proto"; +import "udpa/annotations/versioning.proto"; +import "validate/validate.proto"; + +option java_package = "io.envoyproxy.envoy.type.matcher.v3"; +option java_outer_classname = "MetadataProto"; +option java_multiple_files = true; +option go_package = "github.com/envoyproxy/go-control-plane/envoy/type/matcher/v3;matcherv3"; +option (udpa.annotations.file_status).package_version_status = ACTIVE; + +// [#protodoc-title: Metadata matcher] + +// ``MetadataMatcher`` provides a general interface to check if a given value is matched in +// :ref:`Metadata `. It uses ``filter`` and ``path`` to retrieve the value +// from the ``Metadata`` and then check if it's matched to the specified value. +// +// For example, for the following ``Metadata``: +// +// .. code-block:: yaml +// +// filter_metadata: +// envoy.filters.http.rbac: +// fields: +// a: +// struct_value: +// fields: +// b: +// struct_value: +// fields: +// c: +// string_value: pro +// t: +// list_value: +// values: +// - string_value: m +// - string_value: n +// +// The following ``MetadataMatcher`` is matched as the path ``[a, b, c]`` will retrieve a string value ``pro`` +// from the ``Metadata`` which is matched to the specified prefix match. +// +// .. code-block:: yaml +// +// filter: envoy.filters.http.rbac +// path: +// - key: a +// - key: b +// - key: c +// value: +// string_match: +// prefix: pr +// +// The following ``MetadataMatcher`` is matched as the code will match one of the string values in the +// list at the path [a, t]. +// +// .. code-block:: yaml +// +// filter: envoy.filters.http.rbac +// path: +// - key: a +// - key: t +// value: +// list_match: +// one_of: +// string_match: +// exact: m +// +// An example use of ``MetadataMatcher`` is specifying additional metadata in ``envoy.filters.http.rbac`` to +// enforce access control based on dynamic metadata in a request. See :ref:`Permission +// ` and :ref:`Principal +// `. + +// [#next-major-version: MetadataMatcher should use StructMatcher] +message MetadataMatcher { + option (udpa.annotations.versioning).previous_message_type = "envoy.type.matcher.MetadataMatcher"; + + // Specifies the segment in a path to retrieve value from ``Metadata``. + // + // .. note:: + // Currently it's not supported to retrieve a value from a list in ``Metadata``. This means that + // if the segment key refers to a list, it has to be the last segment in a path. + message PathSegment { + option (udpa.annotations.versioning).previous_message_type = + "envoy.type.matcher.MetadataMatcher.PathSegment"; + + oneof segment { + option (validate.required) = true; + + // If specified, use the key to retrieve the value in a ``Struct``. + string key = 1 [(validate.rules).string = {min_len: 1}]; + } + } + + // The filter name to retrieve the ``Struct`` from the ``Metadata``. + string filter = 1 [(validate.rules).string = {min_len: 1}]; + + // The path to retrieve the ``Value`` from the ``Struct``. + repeated PathSegment path = 2 [(validate.rules).repeated = {min_items: 1}]; + + // The ``MetadataMatcher`` is matched if the value retrieved by path is matched to this value. + ValueMatcher value = 3 [(validate.rules).message = {required: true}]; + + // If true, the match result will be inverted. + bool invert = 4; +} diff --git a/grpc-xds/proto/third_party/envoy/envoy/type/matcher/v3/node.proto b/grpc-xds/proto/third_party/envoy/envoy/type/matcher/v3/node.proto new file mode 100644 index 000000000..baa92fb60 --- /dev/null +++ b/grpc-xds/proto/third_party/envoy/envoy/type/matcher/v3/node.proto @@ -0,0 +1,29 @@ +syntax = "proto3"; + +package envoy.type.matcher.v3; + +import "envoy/type/matcher/v3/string.proto"; +import "envoy/type/matcher/v3/struct.proto"; + +import "udpa/annotations/status.proto"; +import "udpa/annotations/versioning.proto"; + +option java_package = "io.envoyproxy.envoy.type.matcher.v3"; +option java_outer_classname = "NodeProto"; +option java_multiple_files = true; +option go_package = "github.com/envoyproxy/go-control-plane/envoy/type/matcher/v3;matcherv3"; +option (udpa.annotations.file_status).package_version_status = ACTIVE; + +// [#protodoc-title: Node matcher] + +// Specifies the way to match a Node. +// The match follows AND semantics. +message NodeMatcher { + option (udpa.annotations.versioning).previous_message_type = "envoy.type.matcher.NodeMatcher"; + + // Specifies match criteria on the node id. + StringMatcher node_id = 1; + + // Specifies match criteria on the node metadata. + repeated StructMatcher node_metadatas = 2; +} diff --git a/grpc-xds/proto/third_party/envoy/envoy/type/matcher/v3/number.proto b/grpc-xds/proto/third_party/envoy/envoy/type/matcher/v3/number.proto new file mode 100644 index 000000000..99681c989 --- /dev/null +++ b/grpc-xds/proto/third_party/envoy/envoy/type/matcher/v3/number.proto @@ -0,0 +1,33 @@ +syntax = "proto3"; + +package envoy.type.matcher.v3; + +import "envoy/type/v3/range.proto"; + +import "udpa/annotations/status.proto"; +import "udpa/annotations/versioning.proto"; +import "validate/validate.proto"; + +option java_package = "io.envoyproxy.envoy.type.matcher.v3"; +option java_outer_classname = "NumberProto"; +option java_multiple_files = true; +option go_package = "github.com/envoyproxy/go-control-plane/envoy/type/matcher/v3;matcherv3"; +option (udpa.annotations.file_status).package_version_status = ACTIVE; + +// [#protodoc-title: Number matcher] + +// Specifies the way to match a double value. +message DoubleMatcher { + option (udpa.annotations.versioning).previous_message_type = "envoy.type.matcher.DoubleMatcher"; + + oneof match_pattern { + option (validate.required) = true; + + // If specified, the input double value must be in the range specified here. + // Note: The range is using half-open interval semantics [start, end). + type.v3.DoubleRange range = 1; + + // If specified, the input double value must be equal to the value specified here. + double exact = 2; + } +} diff --git a/grpc-xds/proto/third_party/envoy/envoy/type/matcher/v3/path.proto b/grpc-xds/proto/third_party/envoy/envoy/type/matcher/v3/path.proto new file mode 100644 index 000000000..46b758e22 --- /dev/null +++ b/grpc-xds/proto/third_party/envoy/envoy/type/matcher/v3/path.proto @@ -0,0 +1,31 @@ +syntax = "proto3"; + +package envoy.type.matcher.v3; + +import "envoy/type/matcher/v3/string.proto"; + +import "udpa/annotations/status.proto"; +import "udpa/annotations/versioning.proto"; +import "validate/validate.proto"; + +option java_package = "io.envoyproxy.envoy.type.matcher.v3"; +option java_outer_classname = "PathProto"; +option java_multiple_files = true; +option go_package = "github.com/envoyproxy/go-control-plane/envoy/type/matcher/v3;matcherv3"; +option (udpa.annotations.file_status).package_version_status = ACTIVE; + +// [#protodoc-title: Path matcher] + +// Specifies the way to match a path on HTTP request. +message PathMatcher { + option (udpa.annotations.versioning).previous_message_type = "envoy.type.matcher.PathMatcher"; + + oneof rule { + option (validate.required) = true; + + // The ``path`` must match the URL path portion of the :path header. The query and fragment + // string (if present) are removed in the URL path portion. + // For example, the path ``/data`` will match the ``:path`` header ``/data#fragment?param=value``. + StringMatcher path = 1 [(validate.rules).message = {required: true}]; + } +} diff --git a/grpc-xds/proto/third_party/envoy/envoy/type/matcher/v3/regex.proto b/grpc-xds/proto/third_party/envoy/envoy/type/matcher/v3/regex.proto new file mode 100644 index 000000000..10b3970ff --- /dev/null +++ b/grpc-xds/proto/third_party/envoy/envoy/type/matcher/v3/regex.proto @@ -0,0 +1,97 @@ +syntax = "proto3"; + +package envoy.type.matcher.v3; + +import "google/protobuf/wrappers.proto"; + +import "envoy/annotations/deprecation.proto"; +import "udpa/annotations/status.proto"; +import "udpa/annotations/versioning.proto"; +import "validate/validate.proto"; + +option java_package = "io.envoyproxy.envoy.type.matcher.v3"; +option java_outer_classname = "RegexProto"; +option java_multiple_files = true; +option go_package = "github.com/envoyproxy/go-control-plane/envoy/type/matcher/v3;matcherv3"; +option (udpa.annotations.file_status).package_version_status = ACTIVE; + +// [#protodoc-title: Regex matcher] + +// A regex matcher designed for safety when used with untrusted input. +message RegexMatcher { + option (udpa.annotations.versioning).previous_message_type = "envoy.type.matcher.RegexMatcher"; + + // Google's `RE2 `_ regex engine. The regex string must adhere to + // the documented `syntax `_. The engine is designed + // to complete execution in linear time as well as limit the amount of memory used. + // + // Envoy supports program size checking via runtime. The runtime keys ``re2.max_program_size.error_level`` + // and ``re2.max_program_size.warn_level`` can be set to integers as the maximum program size or + // complexity that a compiled regex can have before an exception is thrown or a warning is + // logged, respectively. ``re2.max_program_size.error_level`` defaults to 100, and + // ``re2.max_program_size.warn_level`` has no default if unset (will not check/log a warning). + // + // Envoy emits two stats for tracking the program size of regexes: the histogram ``re2.program_size``, + // which records the program size, and the counter ``re2.exceeded_warn_level``, which is incremented + // each time the program size exceeds the warn level threshold. + message GoogleRE2 { + option (udpa.annotations.versioning).previous_message_type = + "envoy.type.matcher.RegexMatcher.GoogleRE2"; + + // This field controls the RE2 "program size" which is a rough estimate of how complex a + // compiled regex is to evaluate. A regex that has a program size greater than the configured + // value will fail to compile. In this case, the configured max program size can be increased + // or the regex can be simplified. If not specified, the default is 100. + // + // This field is deprecated; regexp validation should be performed on the management server + // instead of being done by each individual client. + // + // .. note:: + // + // Although this field is deprecated, the program size will still be checked against the + // global ``re2.max_program_size.error_level`` runtime value. + // + google.protobuf.UInt32Value max_program_size = 1 + [deprecated = true, (envoy.annotations.deprecated_at_minor_version) = "3.0"]; + } + + oneof engine_type { + // Google's RE2 regex engine. + GoogleRE2 google_re2 = 1 + [deprecated = true, (envoy.annotations.deprecated_at_minor_version) = "3.0"]; + } + + // The regex match string. The string must be supported by the configured engine. The regex is matched + // against the full string, not as a partial match. + string regex = 2 [(validate.rules).string = {min_len: 1}]; +} + +// Describes how to match a string and then produce a new string using a regular +// expression and a substitution string. +message RegexMatchAndSubstitute { + option (udpa.annotations.versioning).previous_message_type = + "envoy.type.matcher.RegexMatchAndSubstitute"; + + // The regular expression used to find portions of a string (hereafter called + // the "subject string") that should be replaced. When a new string is + // produced during the substitution operation, the new string is initially + // the same as the subject string, but then all matches in the subject string + // are replaced by the substitution string. If replacing all matches isn't + // desired, regular expression anchors can be used to ensure a single match, + // so as to replace just one occurrence of a pattern. Capture groups can be + // used in the pattern to extract portions of the subject string, and then + // referenced in the substitution string. + RegexMatcher pattern = 1 [(validate.rules).message = {required: true}]; + + // The string that should be substituted into matching portions of the + // subject string during a substitution operation to produce a new string. + // Capture groups in the pattern can be referenced in the substitution + // string. Note, however, that the syntax for referring to capture groups is + // defined by the chosen regular expression engine. Google's `RE2 + // `_ regular expression engine uses a + // backslash followed by the capture group number to denote a numbered + // capture group. E.g., ``\1`` refers to capture group 1, and ``\2`` refers + // to capture group 2. + string substitution = 2 + [(validate.rules).string = {well_known_regex: HTTP_HEADER_VALUE strict: false}]; +} diff --git a/grpc-xds/proto/third_party/envoy/envoy/type/matcher/v3/string.proto b/grpc-xds/proto/third_party/envoy/envoy/type/matcher/v3/string.proto new file mode 100644 index 000000000..56d39565c --- /dev/null +++ b/grpc-xds/proto/third_party/envoy/envoy/type/matcher/v3/string.proto @@ -0,0 +1,94 @@ +syntax = "proto3"; + +package envoy.type.matcher.v3; + +import "envoy/type/matcher/v3/regex.proto"; + +import "xds/core/v3/extension.proto"; + +import "udpa/annotations/status.proto"; +import "udpa/annotations/versioning.proto"; +import "validate/validate.proto"; + +option java_package = "io.envoyproxy.envoy.type.matcher.v3"; +option java_outer_classname = "StringProto"; +option java_multiple_files = true; +option go_package = "github.com/envoyproxy/go-control-plane/envoy/type/matcher/v3;matcherv3"; +option (udpa.annotations.file_status).package_version_status = ACTIVE; + +// [#protodoc-title: String matcher] + +// Specifies the way to match a string. +// [#next-free-field: 9] +message StringMatcher { + option (udpa.annotations.versioning).previous_message_type = "envoy.type.matcher.StringMatcher"; + + reserved 4; + + reserved "regex"; + + oneof match_pattern { + option (validate.required) = true; + + // The input string must match exactly the string specified here. + // + // Examples: + // + // * ``abc`` only matches the value ``abc``. + string exact = 1; + + // The input string must have the prefix specified here. + // + // .. note:: + // + // Empty prefix match is not allowed, please use ``safe_regex`` instead. + // + // Examples: + // + // * ``abc`` matches the value ``abc.xyz`` + string prefix = 2 [(validate.rules).string = {min_len: 1}]; + + // The input string must have the suffix specified here. + // + // .. note:: + // + // Empty suffix match is not allowed, please use ``safe_regex`` instead. + // + // Examples: + // + // * ``abc`` matches the value ``xyz.abc`` + string suffix = 3 [(validate.rules).string = {min_len: 1}]; + + // The input string must match the regular expression specified here. + RegexMatcher safe_regex = 5 [(validate.rules).message = {required: true}]; + + // The input string must have the substring specified here. + // + // .. note:: + // + // Empty contains match is not allowed, please use ``safe_regex`` instead. + // + // Examples: + // + // * ``abc`` matches the value ``xyz.abc.def`` + string contains = 7 [(validate.rules).string = {min_len: 1}]; + + // Use an extension as the matcher type. + // [#extension-category: envoy.string_matcher] + xds.core.v3.TypedExtensionConfig custom = 8; + } + + // If ``true``, indicates the exact/prefix/suffix/contains matching should be case insensitive. This + // has no effect for the ``safe_regex`` match. + // For example, the matcher ``data`` will match both input string ``Data`` and ``data`` if this option + // is set to ``true``. + bool ignore_case = 6; +} + +// Specifies a list of ways to match a string. +message ListStringMatcher { + option (udpa.annotations.versioning).previous_message_type = + "envoy.type.matcher.ListStringMatcher"; + + repeated StringMatcher patterns = 1 [(validate.rules).repeated = {min_items: 1}]; +} diff --git a/grpc-xds/proto/third_party/envoy/envoy/type/matcher/v3/struct.proto b/grpc-xds/proto/third_party/envoy/envoy/type/matcher/v3/struct.proto new file mode 100644 index 000000000..1b963343b --- /dev/null +++ b/grpc-xds/proto/third_party/envoy/envoy/type/matcher/v3/struct.proto @@ -0,0 +1,91 @@ +syntax = "proto3"; + +package envoy.type.matcher.v3; + +import "envoy/type/matcher/v3/value.proto"; + +import "udpa/annotations/status.proto"; +import "udpa/annotations/versioning.proto"; +import "validate/validate.proto"; + +option java_package = "io.envoyproxy.envoy.type.matcher.v3"; +option java_outer_classname = "StructProto"; +option java_multiple_files = true; +option go_package = "github.com/envoyproxy/go-control-plane/envoy/type/matcher/v3;matcherv3"; +option (udpa.annotations.file_status).package_version_status = ACTIVE; + +// [#protodoc-title: Struct matcher] + +// StructMatcher provides a general interface to check if a given value is matched in +// google.protobuf.Struct. It uses ``path`` to retrieve the value +// from the struct and then check if it's matched to the specified value. +// +// For example, for the following Struct: +// +// .. code-block:: yaml +// +// fields: +// a: +// struct_value: +// fields: +// b: +// struct_value: +// fields: +// c: +// string_value: pro +// t: +// list_value: +// values: +// - string_value: m +// - string_value: n +// +// The following MetadataMatcher is matched as the path [a, b, c] will retrieve a string value "pro" +// from the Metadata which is matched to the specified prefix match. +// +// .. code-block:: yaml +// +// path: +// - key: a +// - key: b +// - key: c +// value: +// string_match: +// prefix: pr +// +// The following StructMatcher is matched as the code will match one of the string values in the +// list at the path [a, t]. +// +// .. code-block:: yaml +// +// path: +// - key: a +// - key: t +// value: +// list_match: +// one_of: +// string_match: +// exact: m +// +// An example use of StructMatcher is to match metadata in envoy.v*.core.Node. +message StructMatcher { + option (udpa.annotations.versioning).previous_message_type = "envoy.type.matcher.StructMatcher"; + + // Specifies the segment in a path to retrieve value from Struct. + message PathSegment { + option (udpa.annotations.versioning).previous_message_type = + "envoy.type.matcher.StructMatcher.PathSegment"; + + oneof segment { + option (validate.required) = true; + + // If specified, use the key to retrieve the value in a Struct. + string key = 1 [(validate.rules).string = {min_len: 1}]; + } + } + + // The path to retrieve the Value from the Struct. + repeated PathSegment path = 2 [(validate.rules).repeated = {min_items: 1}]; + + // The StructMatcher is matched if the value retrieved by path is matched to this value. + ValueMatcher value = 3 [(validate.rules).message = {required: true}]; +} diff --git a/grpc-xds/proto/third_party/envoy/envoy/type/matcher/v3/value.proto b/grpc-xds/proto/third_party/envoy/envoy/type/matcher/v3/value.proto new file mode 100644 index 000000000..8d65c457c --- /dev/null +++ b/grpc-xds/proto/third_party/envoy/envoy/type/matcher/v3/value.proto @@ -0,0 +1,80 @@ +syntax = "proto3"; + +package envoy.type.matcher.v3; + +import "envoy/type/matcher/v3/number.proto"; +import "envoy/type/matcher/v3/string.proto"; + +import "udpa/annotations/status.proto"; +import "udpa/annotations/versioning.proto"; +import "validate/validate.proto"; + +option java_package = "io.envoyproxy.envoy.type.matcher.v3"; +option java_outer_classname = "ValueProto"; +option java_multiple_files = true; +option go_package = "github.com/envoyproxy/go-control-plane/envoy/type/matcher/v3;matcherv3"; +option (udpa.annotations.file_status).package_version_status = ACTIVE; + +// [#protodoc-title: Value matcher] + +// Specifies the way to match a Protobuf::Value. Primitive values and ListValue are supported. +// StructValue is not supported and is always not matched. +// [#next-free-field: 8] +message ValueMatcher { + option (udpa.annotations.versioning).previous_message_type = "envoy.type.matcher.ValueMatcher"; + + // NullMatch is an empty message to specify a null value. + message NullMatch { + option (udpa.annotations.versioning).previous_message_type = + "envoy.type.matcher.ValueMatcher.NullMatch"; + } + + // Specifies how to match a value. + oneof match_pattern { + option (validate.required) = true; + + // If specified, a match occurs if and only if the target value is a NullValue. + NullMatch null_match = 1; + + // If specified, a match occurs if and only if the target value is a double value and is + // matched to this field. + DoubleMatcher double_match = 2; + + // If specified, a match occurs if and only if the target value is a string value and is + // matched to this field. + StringMatcher string_match = 3; + + // If specified, a match occurs if and only if the target value is a bool value and is equal + // to this field. + bool bool_match = 4; + + // If specified, value match will be performed based on whether the path is referring to a + // valid primitive value in the metadata. If the path is referring to a non-primitive value, + // the result is always not matched. + bool present_match = 5; + + // If specified, a match occurs if and only if the target value is a list value and + // is matched to this field. + ListMatcher list_match = 6; + + // If specified, a match occurs if and only if any of the alternatives in the match accept the value. + OrMatcher or_match = 7; + } +} + +// Specifies the way to match a list value. +message ListMatcher { + option (udpa.annotations.versioning).previous_message_type = "envoy.type.matcher.ListMatcher"; + + oneof match_pattern { + option (validate.required) = true; + + // If specified, at least one of the values in the list must match the value specified. + ValueMatcher one_of = 1; + } +} + +// Specifies a list of alternatives for the match. +message OrMatcher { + repeated ValueMatcher value_matchers = 1 [(validate.rules).repeated = {min_items: 2}]; +} diff --git a/grpc-xds/proto/third_party/envoy/envoy/type/metadata/v3/metadata.proto b/grpc-xds/proto/third_party/envoy/envoy/type/metadata/v3/metadata.proto new file mode 100644 index 000000000..d131635bf --- /dev/null +++ b/grpc-xds/proto/third_party/envoy/envoy/type/metadata/v3/metadata.proto @@ -0,0 +1,117 @@ +syntax = "proto3"; + +package envoy.type.metadata.v3; + +import "udpa/annotations/status.proto"; +import "udpa/annotations/versioning.proto"; +import "validate/validate.proto"; + +option java_package = "io.envoyproxy.envoy.type.metadata.v3"; +option java_outer_classname = "MetadataProto"; +option java_multiple_files = true; +option go_package = "github.com/envoyproxy/go-control-plane/envoy/type/metadata/v3;metadatav3"; +option (udpa.annotations.file_status).package_version_status = ACTIVE; + +// [#protodoc-title: Metadata] + +// MetadataKey provides a way to retrieve values from +// :ref:`Metadata ` using a ``key`` and a ``path``. +// +// For example, consider the following Metadata: +// +// .. code-block:: yaml +// +// filter_metadata: +// envoy.xxx: +// prop: +// foo: bar +// xyz: +// hello: envoy +// +// The following MetadataKey would retrieve the string value "bar" from the Metadata: +// +// .. code-block:: yaml +// +// key: envoy.xxx +// path: +// - key: prop +// - key: foo +// +message MetadataKey { + option (udpa.annotations.versioning).previous_message_type = "envoy.type.metadata.v2.MetadataKey"; + + // Specifies a segment in a path for retrieving values from Metadata. + // Currently, only key-based segments (field names) are supported. + message PathSegment { + option (udpa.annotations.versioning).previous_message_type = + "envoy.type.metadata.v2.MetadataKey.PathSegment"; + + oneof segment { + option (validate.required) = true; + + // If specified, use this key to retrieve the value in a Struct. + string key = 1 [(validate.rules).string = {min_len: 1}]; + } + } + + // The key name of the Metadata from which to retrieve the Struct. + // This typically represents a builtin subsystem or custom extension. + string key = 1 [(validate.rules).string = {min_len: 1}]; + + // The path used to retrieve a specific Value from the Struct. + // This can be either a prefix or a full path, depending on the use case. + // For example, ``[prop, xyz]`` would retrieve a struct or ``[prop, foo]`` would retrieve a string + // in the example above. + // + // .. note:: + // Since only key-type segments are supported, a path cannot specify a list + // unless the list is the last segment. + repeated PathSegment path = 2 [(validate.rules).repeated = {min_items: 1}]; +} + +// Describes different types of metadata sources. +message MetadataKind { + option (udpa.annotations.versioning).previous_message_type = + "envoy.type.metadata.v2.MetadataKind"; + + // Represents dynamic metadata associated with the request. + message Request { + option (udpa.annotations.versioning).previous_message_type = + "envoy.type.metadata.v2.MetadataKind.Request"; + } + + // Represents metadata from :ref:`the route`. + message Route { + option (udpa.annotations.versioning).previous_message_type = + "envoy.type.metadata.v2.MetadataKind.Route"; + } + + // Represents metadata from :ref:`the upstream cluster`. + message Cluster { + option (udpa.annotations.versioning).previous_message_type = + "envoy.type.metadata.v2.MetadataKind.Cluster"; + } + + // Represents metadata from :ref:`the upstream + // host`. + message Host { + option (udpa.annotations.versioning).previous_message_type = + "envoy.type.metadata.v2.MetadataKind.Host"; + } + + oneof kind { + option (validate.required) = true; + + // Request kind of metadata. + Request request = 1; + + // Route kind of metadata. + Route route = 2; + + // Cluster kind of metadata. + Cluster cluster = 3; + + // Host kind of metadata. + Host host = 4; + } +} diff --git a/grpc-xds/proto/third_party/envoy/envoy/type/tracing/v3/custom_tag.proto b/grpc-xds/proto/third_party/envoy/envoy/type/tracing/v3/custom_tag.proto new file mode 100644 index 000000000..cdb42a435 --- /dev/null +++ b/grpc-xds/proto/third_party/envoy/envoy/type/tracing/v3/custom_tag.proto @@ -0,0 +1,109 @@ +syntax = "proto3"; + +package envoy.type.tracing.v3; + +import "envoy/type/metadata/v3/metadata.proto"; + +import "udpa/annotations/status.proto"; +import "udpa/annotations/versioning.proto"; +import "validate/validate.proto"; + +option java_package = "io.envoyproxy.envoy.type.tracing.v3"; +option java_outer_classname = "CustomTagProto"; +option java_multiple_files = true; +option go_package = "github.com/envoyproxy/go-control-plane/envoy/type/tracing/v3;tracingv3"; +option (udpa.annotations.file_status).package_version_status = ACTIVE; + +// [#protodoc-title: Custom Tag] + +// Describes custom tags for the active span. +// [#next-free-field: 7] +message CustomTag { + option (udpa.annotations.versioning).previous_message_type = "envoy.type.tracing.v2.CustomTag"; + + // Literal type custom tag with static value for the tag value. + message Literal { + option (udpa.annotations.versioning).previous_message_type = + "envoy.type.tracing.v2.CustomTag.Literal"; + + // Static literal value to populate the tag value. + string value = 1 [(validate.rules).string = {min_len: 1}]; + } + + // Environment type custom tag with environment name and default value. + message Environment { + option (udpa.annotations.versioning).previous_message_type = + "envoy.type.tracing.v2.CustomTag.Environment"; + + // Environment variable name to obtain the value to populate the tag value. + string name = 1 [(validate.rules).string = {min_len: 1}]; + + // When the environment variable is not found, + // the tag value will be populated with this default value if specified, + // otherwise no tag will be populated. + string default_value = 2; + } + + // Header type custom tag with header name and default value. + message Header { + option (udpa.annotations.versioning).previous_message_type = + "envoy.type.tracing.v2.CustomTag.Header"; + + // Header name to obtain the value to populate the tag value. + string name = 1 + [(validate.rules).string = {min_len: 1 well_known_regex: HTTP_HEADER_NAME strict: false}]; + + // When the header does not exist, + // the tag value will be populated with this default value if specified, + // otherwise no tag will be populated. + string default_value = 2; + } + + // Metadata type custom tag using + // :ref:`MetadataKey ` to retrieve the protobuf value + // from :ref:`Metadata `, and populate the tag value with + // `the canonical JSON `_ + // representation of it. + message Metadata { + option (udpa.annotations.versioning).previous_message_type = + "envoy.type.tracing.v2.CustomTag.Metadata"; + + // Specify what kind of metadata to obtain tag value from. + metadata.v3.MetadataKind kind = 1; + + // Metadata key to define the path to retrieve the tag value. + metadata.v3.MetadataKey metadata_key = 2; + + // When no valid metadata is found, + // the tag value would be populated with this default value if specified, + // otherwise no tag would be populated. + string default_value = 3; + } + + // Used to populate the tag name. + string tag = 1 [(validate.rules).string = {min_len: 1}]; + + // Used to specify what kind of custom tag. + oneof type { + option (validate.required) = true; + + // A literal custom tag. + Literal literal = 2; + + // An environment custom tag. + Environment environment = 3; + + // A request header custom tag. + Header request_header = 4; + + // A custom tag to obtain tag value from the metadata. + Metadata metadata = 5; + + // Custom tag value. + // + // The same :ref:`format specifier ` as used for + // :ref:`HTTP access logging ` applies here, however + // unknown specifier values are replaced with the empty string instead of ``-``. + string value = 6; + } +} diff --git a/grpc-xds/proto/third_party/envoy/envoy/type/v3/http.proto b/grpc-xds/proto/third_party/envoy/envoy/type/v3/http.proto new file mode 100644 index 000000000..a1a5a04fc --- /dev/null +++ b/grpc-xds/proto/third_party/envoy/envoy/type/v3/http.proto @@ -0,0 +1,24 @@ +syntax = "proto3"; + +package envoy.type.v3; + +import "udpa/annotations/status.proto"; + +option java_package = "io.envoyproxy.envoy.type.v3"; +option java_outer_classname = "HttpProto"; +option java_multiple_files = true; +option go_package = "github.com/envoyproxy/go-control-plane/envoy/type/v3;typev3"; +option (udpa.annotations.file_status).package_version_status = ACTIVE; + +// [#protodoc-title: HTTP] + +enum CodecClientType { + HTTP1 = 0; + + HTTP2 = 1; + + // [#not-implemented-hide:] QUIC implementation is not production ready yet. Use this enum with + // caution to prevent accidental execution of QUIC code. I.e. `!= HTTP2` is no longer sufficient + // to distinguish HTTP1 and HTTP2 traffic. + HTTP3 = 2; +} diff --git a/grpc-xds/proto/third_party/envoy/envoy/type/v3/http_status.proto b/grpc-xds/proto/third_party/envoy/envoy/type/v3/http_status.proto new file mode 100644 index 000000000..40d697bee --- /dev/null +++ b/grpc-xds/proto/third_party/envoy/envoy/type/v3/http_status.proto @@ -0,0 +1,199 @@ +syntax = "proto3"; + +package envoy.type.v3; + +import "udpa/annotations/status.proto"; +import "udpa/annotations/versioning.proto"; +import "validate/validate.proto"; + +option java_package = "io.envoyproxy.envoy.type.v3"; +option java_outer_classname = "HttpStatusProto"; +option java_multiple_files = true; +option go_package = "github.com/envoyproxy/go-control-plane/envoy/type/v3;typev3"; +option (udpa.annotations.file_status).package_version_status = ACTIVE; + +// [#protodoc-title: HTTP status codes] + +// HTTP response codes supported in Envoy. +// For more details: https://www.iana.org/assignments/http-status-codes/http-status-codes.xhtml +enum StatusCode { + // Empty - This code not part of the HTTP status code specification, but it is needed for proto + // `enum` type. + Empty = 0; + + // Continue - ``100`` status code. + Continue = 100; + + // OK - ``200`` status code. + OK = 200; + + // Created - ``201`` status code. + Created = 201; + + // Accepted - ``202`` status code. + Accepted = 202; + + // NonAuthoritativeInformation - ``203`` status code. + NonAuthoritativeInformation = 203; + + // NoContent - ``204`` status code. + NoContent = 204; + + // ResetContent - ``205`` status code. + ResetContent = 205; + + // PartialContent - ``206`` status code. + PartialContent = 206; + + // MultiStatus - ``207`` status code. + MultiStatus = 207; + + // AlreadyReported - ``208`` status code. + AlreadyReported = 208; + + // IMUsed - ``226`` status code. + IMUsed = 226; + + // MultipleChoices - ``300`` status code. + MultipleChoices = 300; + + // MovedPermanently - ``301`` status code. + MovedPermanently = 301; + + // Found - ``302`` status code. + Found = 302; + + // SeeOther - ``303`` status code. + SeeOther = 303; + + // NotModified - ``304`` status code. + NotModified = 304; + + // UseProxy - ``305`` status code. + UseProxy = 305; + + // TemporaryRedirect - ``307`` status code. + TemporaryRedirect = 307; + + // PermanentRedirect - ``308`` status code. + PermanentRedirect = 308; + + // BadRequest - ``400`` status code. + BadRequest = 400; + + // Unauthorized - ``401`` status code. + Unauthorized = 401; + + // PaymentRequired - ``402`` status code. + PaymentRequired = 402; + + // Forbidden - ``403`` status code. + Forbidden = 403; + + // NotFound - ``404`` status code. + NotFound = 404; + + // MethodNotAllowed - ``405`` status code. + MethodNotAllowed = 405; + + // NotAcceptable - ``406`` status code. + NotAcceptable = 406; + + // ProxyAuthenticationRequired - ``407`` status code. + ProxyAuthenticationRequired = 407; + + // RequestTimeout - ``408`` status code. + RequestTimeout = 408; + + // Conflict - ``409`` status code. + Conflict = 409; + + // Gone - ``410`` status code. + Gone = 410; + + // LengthRequired - ``411`` status code. + LengthRequired = 411; + + // PreconditionFailed - ``412`` status code. + PreconditionFailed = 412; + + // PayloadTooLarge - ``413`` status code. + PayloadTooLarge = 413; + + // URITooLong - ``414`` status code. + URITooLong = 414; + + // UnsupportedMediaType - ``415`` status code. + UnsupportedMediaType = 415; + + // RangeNotSatisfiable - ``416`` status code. + RangeNotSatisfiable = 416; + + // ExpectationFailed - ``417`` status code. + ExpectationFailed = 417; + + // MisdirectedRequest - ``421`` status code. + MisdirectedRequest = 421; + + // UnprocessableEntity - ``422`` status code. + UnprocessableEntity = 422; + + // Locked - ``423`` status code. + Locked = 423; + + // FailedDependency - ``424`` status code. + FailedDependency = 424; + + // UpgradeRequired - ``426`` status code. + UpgradeRequired = 426; + + // PreconditionRequired - ``428`` status code. + PreconditionRequired = 428; + + // TooManyRequests - ``429`` status code. + TooManyRequests = 429; + + // RequestHeaderFieldsTooLarge - ``431`` status code. + RequestHeaderFieldsTooLarge = 431; + + // InternalServerError - ``500`` status code. + InternalServerError = 500; + + // NotImplemented - ``501`` status code. + NotImplemented = 501; + + // BadGateway - ``502`` status code. + BadGateway = 502; + + // ServiceUnavailable - ``503`` status code. + ServiceUnavailable = 503; + + // GatewayTimeout - ``504`` status code. + GatewayTimeout = 504; + + // HTTPVersionNotSupported - ``505`` status code. + HTTPVersionNotSupported = 505; + + // VariantAlsoNegotiates - ``506`` status code. + VariantAlsoNegotiates = 506; + + // InsufficientStorage - ``507`` status code. + InsufficientStorage = 507; + + // LoopDetected - ``508`` status code. + LoopDetected = 508; + + // NotExtended - ``510`` status code. + NotExtended = 510; + + // NetworkAuthenticationRequired - ``511`` status code. + NetworkAuthenticationRequired = 511; +} + +// HTTP status. +message HttpStatus { + option (udpa.annotations.versioning).previous_message_type = "envoy.type.HttpStatus"; + + // Supplies HTTP response code. + StatusCode code = 1 [(validate.rules).enum = {defined_only: true not_in: 0}]; +} diff --git a/grpc-xds/proto/third_party/envoy/envoy/type/v3/percent.proto b/grpc-xds/proto/third_party/envoy/envoy/type/v3/percent.proto new file mode 100644 index 000000000..e041ecddc --- /dev/null +++ b/grpc-xds/proto/third_party/envoy/envoy/type/v3/percent.proto @@ -0,0 +1,57 @@ +syntax = "proto3"; + +package envoy.type.v3; + +import "udpa/annotations/status.proto"; +import "udpa/annotations/versioning.proto"; +import "validate/validate.proto"; + +option java_package = "io.envoyproxy.envoy.type.v3"; +option java_outer_classname = "PercentProto"; +option java_multiple_files = true; +option go_package = "github.com/envoyproxy/go-control-plane/envoy/type/v3;typev3"; +option (udpa.annotations.file_status).package_version_status = ACTIVE; + +// [#protodoc-title: Percent] + +// Identifies a percentage, in the range [0.0, 100.0]. +message Percent { + option (udpa.annotations.versioning).previous_message_type = "envoy.type.Percent"; + + double value = 1 [(validate.rules).double = {lte: 100.0 gte: 0.0}]; +} + +// A fractional percentage is used in cases in which for performance reasons performing floating +// point to integer conversions during randomness calculations is undesirable. The message includes +// both a numerator and denominator that together determine the final fractional value. +// +// * **Example**: 1/100 = 1%. +// * **Example**: 3/10000 = 0.03%. +message FractionalPercent { + option (udpa.annotations.versioning).previous_message_type = "envoy.type.FractionalPercent"; + + // Fraction percentages support several fixed denominator values. + enum DenominatorType { + // 100. + // + // **Example**: 1/100 = 1%. + HUNDRED = 0; + + // 10,000. + // + // **Example**: 1/10000 = 0.01%. + TEN_THOUSAND = 1; + + // 1,000,000. + // + // **Example**: 1/1000000 = 0.0001%. + MILLION = 2; + } + + // Specifies the numerator. Defaults to 0. + uint32 numerator = 1; + + // Specifies the denominator. If the denominator specified is less than the numerator, the final + // fractional percentage is capped at 1 (100%). + DenominatorType denominator = 2 [(validate.rules).enum = {defined_only: true}]; +} diff --git a/grpc-xds/proto/third_party/envoy/envoy/type/v3/range.proto b/grpc-xds/proto/third_party/envoy/envoy/type/v3/range.proto new file mode 100644 index 000000000..3b1af8148 --- /dev/null +++ b/grpc-xds/proto/third_party/envoy/envoy/type/v3/range.proto @@ -0,0 +1,50 @@ +syntax = "proto3"; + +package envoy.type.v3; + +import "udpa/annotations/status.proto"; +import "udpa/annotations/versioning.proto"; + +option java_package = "io.envoyproxy.envoy.type.v3"; +option java_outer_classname = "RangeProto"; +option java_multiple_files = true; +option go_package = "github.com/envoyproxy/go-control-plane/envoy/type/v3;typev3"; +option (udpa.annotations.file_status).package_version_status = ACTIVE; + +// [#protodoc-title: Range] + +// Specifies the int64 start and end of the range using half-open interval semantics [start, +// end). +message Int64Range { + option (udpa.annotations.versioning).previous_message_type = "envoy.type.Int64Range"; + + // start of the range (inclusive) + int64 start = 1; + + // end of the range (exclusive) + int64 end = 2; +} + +// Specifies the int32 start and end of the range using half-open interval semantics [start, +// end). +message Int32Range { + option (udpa.annotations.versioning).previous_message_type = "envoy.type.Int32Range"; + + // start of the range (inclusive) + int32 start = 1; + + // end of the range (exclusive) + int32 end = 2; +} + +// Specifies the double start and end of the range using half-open interval semantics [start, +// end). +message DoubleRange { + option (udpa.annotations.versioning).previous_message_type = "envoy.type.DoubleRange"; + + // start of the range (inclusive) + double start = 1; + + // end of the range (exclusive) + double end = 2; +} diff --git a/grpc-xds/proto/third_party/envoy/envoy/type/v3/ratelimit_strategy.proto b/grpc-xds/proto/third_party/envoy/envoy/type/v3/ratelimit_strategy.proto new file mode 100644 index 000000000..a86da55b8 --- /dev/null +++ b/grpc-xds/proto/third_party/envoy/envoy/type/v3/ratelimit_strategy.proto @@ -0,0 +1,79 @@ +syntax = "proto3"; + +package envoy.type.v3; + +import "envoy/type/v3/ratelimit_unit.proto"; +import "envoy/type/v3/token_bucket.proto"; + +import "xds/annotations/v3/status.proto"; + +import "udpa/annotations/status.proto"; +import "validate/validate.proto"; + +option java_package = "io.envoyproxy.envoy.type.v3"; +option java_outer_classname = "RatelimitStrategyProto"; +option java_multiple_files = true; +option go_package = "github.com/envoyproxy/go-control-plane/envoy/type/v3;typev3"; +option (udpa.annotations.file_status).package_version_status = ACTIVE; +option (xds.annotations.v3.file_status).work_in_progress = true; + +// [#protodoc-title: Rate Limit Strategies] + +message RateLimitStrategy { + // Choose between allow all and deny all. + enum BlanketRule { + ALLOW_ALL = 0; + DENY_ALL = 1; + } + + // Best-effort limit of the number of requests per time unit. + // + // Allows to specify the desired requests per second (RPS, QPS), requests per minute (QPM, RPM), + // etc., without specifying a rate limiting algorithm implementation. + // + // ``RequestsPerTimeUnit`` strategy does not demand any specific rate limiting algorithm to be + // used (in contrast to the :ref:`TokenBucket `, + // for example). It implies that the implementation details of rate limiting algorithm are + // irrelevant as long as the configured number of "requests per time unit" is achieved. + // + // Note that the ``TokenBucket`` is still a valid implementation of the ``RequestsPerTimeUnit`` + // strategy, and may be chosen to enforce the rate limit. However, there's no guarantee it will be + // the ``TokenBucket`` in particular, and not the Leaky Bucket, the Sliding Window, or any other + // rate limiting algorithm that fulfills the requirements. + message RequestsPerTimeUnit { + // The desired number of requests per :ref:`time_unit + // ` to allow. + // If set to ``0``, deny all (equivalent to ``BlanketRule.DENY_ALL``). + // + // .. note:: + // Note that the algorithm implementation determines the course of action for the requests + // over the limit. As long as the ``requests_per_time_unit`` converges on the desired value, + // it's allowed to treat this field as a soft-limit: allow bursts, redistribute the allowance + // over time, etc. + // + uint64 requests_per_time_unit = 1; + + // The unit of time. Ignored when :ref:`requests_per_time_unit + // ` + // is ``0`` (deny all). + RateLimitUnit time_unit = 2 [(validate.rules).enum = {defined_only: true}]; + } + + oneof strategy { + option (validate.required) = true; + + // Allow or Deny the requests. + // If unset, allow all. + BlanketRule blanket_rule = 1 [(validate.rules).enum = {defined_only: true}]; + + // Best-effort limit of the number of requests per time unit, f.e. requests per second. + // Does not prescribe any specific rate limiting algorithm, see :ref:`RequestsPerTimeUnit + // ` for details. + RequestsPerTimeUnit requests_per_time_unit = 2; + + // Limit the requests by consuming tokens from the Token Bucket. + // Allow the same number of requests as the number of tokens available in + // the token bucket. + TokenBucket token_bucket = 3; + } +} diff --git a/grpc-xds/proto/third_party/envoy/envoy/type/v3/ratelimit_unit.proto b/grpc-xds/proto/third_party/envoy/envoy/type/v3/ratelimit_unit.proto new file mode 100644 index 000000000..1a9649792 --- /dev/null +++ b/grpc-xds/proto/third_party/envoy/envoy/type/v3/ratelimit_unit.proto @@ -0,0 +1,37 @@ +syntax = "proto3"; + +package envoy.type.v3; + +import "udpa/annotations/status.proto"; + +option java_package = "io.envoyproxy.envoy.type.v3"; +option java_outer_classname = "RatelimitUnitProto"; +option java_multiple_files = true; +option go_package = "github.com/envoyproxy/go-control-plane/envoy/type/v3;typev3"; +option (udpa.annotations.file_status).package_version_status = ACTIVE; + +// [#protodoc-title: Ratelimit Time Unit] + +// Identifies the unit of of time for rate limit. +enum RateLimitUnit { + // The time unit is not known. + UNKNOWN = 0; + + // The time unit representing a second. + SECOND = 1; + + // The time unit representing a minute. + MINUTE = 2; + + // The time unit representing an hour. + HOUR = 3; + + // The time unit representing a day. + DAY = 4; + + // The time unit representing a month. + MONTH = 5; + + // The time unit representing a year. + YEAR = 6; +} diff --git a/grpc-xds/proto/third_party/envoy/envoy/type/v3/semantic_version.proto b/grpc-xds/proto/third_party/envoy/envoy/type/v3/semantic_version.proto new file mode 100644 index 000000000..e032b4cd2 --- /dev/null +++ b/grpc-xds/proto/third_party/envoy/envoy/type/v3/semantic_version.proto @@ -0,0 +1,27 @@ +syntax = "proto3"; + +package envoy.type.v3; + +import "udpa/annotations/status.proto"; +import "udpa/annotations/versioning.proto"; + +option java_package = "io.envoyproxy.envoy.type.v3"; +option java_outer_classname = "SemanticVersionProto"; +option java_multiple_files = true; +option go_package = "github.com/envoyproxy/go-control-plane/envoy/type/v3;typev3"; +option (udpa.annotations.file_status).package_version_status = ACTIVE; + +// [#protodoc-title: Semantic version] + +// Envoy uses SemVer (https://semver.org/). Major/minor versions indicate +// expected behaviors and APIs, the patch version field is used only +// for security fixes and can be generally ignored. +message SemanticVersion { + option (udpa.annotations.versioning).previous_message_type = "envoy.type.SemanticVersion"; + + uint32 major_number = 1; + + uint32 minor_number = 2; + + uint32 patch = 3; +} diff --git a/grpc-xds/proto/third_party/envoy/envoy/type/v3/token_bucket.proto b/grpc-xds/proto/third_party/envoy/envoy/type/v3/token_bucket.proto new file mode 100644 index 000000000..157a271ef --- /dev/null +++ b/grpc-xds/proto/third_party/envoy/envoy/type/v3/token_bucket.proto @@ -0,0 +1,39 @@ +syntax = "proto3"; + +package envoy.type.v3; + +import "google/protobuf/duration.proto"; +import "google/protobuf/wrappers.proto"; + +import "udpa/annotations/status.proto"; +import "udpa/annotations/versioning.proto"; +import "validate/validate.proto"; + +option java_package = "io.envoyproxy.envoy.type.v3"; +option java_outer_classname = "TokenBucketProto"; +option java_multiple_files = true; +option go_package = "github.com/envoyproxy/go-control-plane/envoy/type/v3;typev3"; +option (udpa.annotations.file_status).package_version_status = ACTIVE; + +// [#protodoc-title: Token bucket] + +// Configures a token bucket, typically used for rate limiting. +message TokenBucket { + option (udpa.annotations.versioning).previous_message_type = "envoy.type.TokenBucket"; + + // The maximum tokens that the bucket can hold. This is also the number of tokens that the bucket + // initially contains. + uint32 max_tokens = 1 [(validate.rules).uint32 = {gt: 0}]; + + // The number of tokens added to the bucket during each fill interval. If not specified, defaults + // to a single token. + google.protobuf.UInt32Value tokens_per_fill = 2 [(validate.rules).uint32 = {gt: 0}]; + + // The fill interval that tokens are added to the bucket. During each fill interval + // ``tokens_per_fill`` are added to the bucket. The bucket will never contain more than + // ``max_tokens`` tokens. + google.protobuf.Duration fill_interval = 3 [(validate.rules).duration = { + required: true + gt {} + }]; +} diff --git a/grpc-xds/proto/third_party/envoy/import.sh b/grpc-xds/proto/third_party/envoy/import.sh new file mode 100755 index 000000000..251ab70b4 --- /dev/null +++ b/grpc-xds/proto/third_party/envoy/import.sh @@ -0,0 +1,131 @@ +#!/bin/bash +set -e + +# Update VERSION then execute this script. +# Imports envoyproxy/envoy xDS API protos into src/main/proto. +# Modeled after grpc-java's xds/third_party/envoy/import.sh. + +source "$(cd "$(dirname "$0")" && pwd)/../import_common.sh" + +# import VERSION from the google internal go/envoy-import-status +VERSION=a0b3df32ba54c92a08d3636a9a36013cb920e471 +DOWNLOAD_URL="https://github.com/envoyproxy/envoy/archive/${VERSION}.tar.gz" +DOWNLOAD_BASE_DIR="envoy-${VERSION}" +SOURCE_PROTO_BASE_DIR="${DOWNLOAD_BASE_DIR}/api" +# Sorted alphabetically. +FILES=( +envoy/admin/v3/config_dump.proto +envoy/admin/v3/config_dump_shared.proto +envoy/annotations/deprecation.proto +envoy/config/accesslog/v3/accesslog.proto +envoy/config/bootstrap/v3/bootstrap.proto +envoy/config/cluster/v3/circuit_breaker.proto +envoy/config/cluster/v3/cluster.proto +envoy/config/cluster/v3/filter.proto +envoy/config/cluster/v3/outlier_detection.proto +envoy/config/common/mutation_rules/v3/mutation_rules.proto +envoy/config/core/v3/address.proto +envoy/config/core/v3/backoff.proto +envoy/config/core/v3/base.proto +envoy/config/core/v3/cel.proto +envoy/config/core/v3/config_source.proto +envoy/config/core/v3/event_service_config.proto +envoy/config/core/v3/extension.proto +envoy/config/core/v3/grpc_service.proto +envoy/config/core/v3/health_check.proto +envoy/config/core/v3/http_service.proto +envoy/config/core/v3/http_uri.proto +envoy/config/core/v3/protocol.proto +envoy/config/core/v3/proxy_protocol.proto +envoy/config/core/v3/resolver.proto +envoy/config/core/v3/socket_cmsg_headers.proto +envoy/config/core/v3/socket_option.proto +envoy/config/core/v3/substitution_format_string.proto +envoy/config/core/v3/udp_socket_config.proto +envoy/config/endpoint/v3/endpoint.proto +envoy/config/endpoint/v3/endpoint_components.proto +envoy/config/endpoint/v3/load_report.proto +envoy/config/listener/v3/api_listener.proto +envoy/config/listener/v3/listener.proto +envoy/config/listener/v3/listener_components.proto +envoy/config/listener/v3/quic_config.proto +envoy/config/listener/v3/udp_listener_config.proto +envoy/config/metrics/v3/stats.proto +envoy/config/overload/v3/overload.proto +envoy/config/rbac/v3/rbac.proto +envoy/config/route/v3/route.proto +envoy/config/route/v3/route_components.proto +envoy/config/route/v3/scoped_route.proto +envoy/config/trace/v3/datadog.proto +envoy/config/trace/v3/dynamic_ot.proto +envoy/config/trace/v3/http_tracer.proto +envoy/config/trace/v3/lightstep.proto +envoy/config/trace/v3/opentelemetry.proto +envoy/config/trace/v3/service.proto +envoy/config/trace/v3/zipkin.proto +envoy/data/accesslog/v3/accesslog.proto +envoy/extensions/clusters/aggregate/v3/cluster.proto +envoy/extensions/filters/common/fault/v3/fault.proto +envoy/extensions/filters/http/ext_authz/v3/ext_authz.proto +envoy/extensions/filters/http/ext_proc/v3/ext_proc.proto +envoy/extensions/filters/http/ext_proc/v3/processing_mode.proto +envoy/extensions/common/matching/v3/extension_matcher.proto +envoy/extensions/filters/http/fault/v3/fault.proto +envoy/extensions/filters/http/composite/v3/composite.proto +envoy/extensions/filters/http/rate_limit_quota/v3/rate_limit_quota.proto +envoy/extensions/filters/http/gcp_authn/v3/gcp_authn.proto +envoy/extensions/filters/http/rbac/v3/rbac.proto +envoy/extensions/filters/http/router/v3/router.proto +envoy/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto +envoy/extensions/grpc_service/call_credentials/access_token/v3/access_token_credentials.proto +envoy/extensions/grpc_service/channel_credentials/google_default/v3/google_default_credentials.proto +envoy/extensions/grpc_service/channel_credentials/insecure/v3/insecure_credentials.proto +envoy/extensions/grpc_service/channel_credentials/local/v3/local_credentials.proto +envoy/extensions/grpc_service/channel_credentials/tls/v3/tls_credentials.proto +envoy/extensions/grpc_service/channel_credentials/xds/v3/xds_credentials.proto +envoy/extensions/load_balancing_policies/client_side_weighted_round_robin/v3/client_side_weighted_round_robin.proto +envoy/extensions/load_balancing_policies/common/v3/common.proto +envoy/extensions/load_balancing_policies/least_request/v3/least_request.proto +envoy/extensions/load_balancing_policies/pick_first/v3/pick_first.proto +envoy/extensions/load_balancing_policies/ring_hash/v3/ring_hash.proto +envoy/extensions/load_balancing_policies/round_robin/v3/round_robin.proto +envoy/extensions/load_balancing_policies/wrr_locality/v3/wrr_locality.proto +envoy/extensions/transport_sockets/http_11_proxy/v3/upstream_http_11_connect.proto +envoy/extensions/transport_sockets/tls/v3/cert.proto +envoy/extensions/transport_sockets/tls/v3/common.proto +envoy/extensions/transport_sockets/tls/v3/secret.proto +envoy/extensions/transport_sockets/tls/v3/tls.proto +envoy/service/auth/v3/attribute_context.proto +envoy/service/auth/v3/external_auth.proto +envoy/service/discovery/v3/ads.proto +envoy/service/discovery/v3/discovery.proto +envoy/service/ext_proc/v3/external_processor.proto +envoy/service/load_stats/v3/lrs.proto +envoy/service/rate_limit_quota/v3/rlqs.proto +envoy/service/status/v3/csds.proto +envoy/type/http/v3/path_transformation.proto +envoy/type/matcher/v3/address.proto +envoy/type/matcher/v3/filter_state.proto +envoy/type/matcher/v3/http_inputs.proto +envoy/type/matcher/v3/metadata.proto +envoy/type/matcher/v3/node.proto +envoy/config/common/matcher/v3/matcher.proto +envoy/type/matcher/v3/number.proto +envoy/type/matcher/v3/path.proto +envoy/type/matcher/v3/regex.proto +envoy/type/matcher/v3/string.proto +envoy/type/matcher/v3/struct.proto +envoy/type/matcher/v3/value.proto +envoy/type/metadata/v3/metadata.proto +envoy/type/tracing/v3/custom_tag.proto +envoy/type/v3/http.proto +envoy/type/v3/http_status.proto +envoy/type/v3/percent.proto +envoy/type/v3/range.proto +envoy/type/v3/ratelimit_strategy.proto +envoy/type/v3/ratelimit_unit.proto +envoy/type/v3/semantic_version.proto +envoy/type/v3/token_bucket.proto +) + +import_protos diff --git a/grpc-xds/proto/third_party/googleapis/LICENSE b/grpc-xds/proto/third_party/googleapis/LICENSE new file mode 100644 index 000000000..261eeb9e9 --- /dev/null +++ b/grpc-xds/proto/third_party/googleapis/LICENSE @@ -0,0 +1,201 @@ + Apache License + Version 2.0, January 2004 + http://www.apache.org/licenses/ + + TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION + + 1. Definitions. + + "License" shall mean the terms and conditions for use, reproduction, + and distribution as defined by Sections 1 through 9 of this document. + + "Licensor" shall mean the copyright owner or entity authorized by + the copyright owner that is granting the License. + + "Legal Entity" shall mean the union of the acting entity and all + other entities that control, are controlled by, or are under common + control with that entity. For the purposes of this definition, + "control" means (i) the power, direct or indirect, to cause the + direction or management of such entity, whether by contract or + otherwise, or (ii) ownership of fifty percent (50%) or more of the + outstanding shares, or (iii) beneficial ownership of such entity. + + "You" (or "Your") shall mean an individual or Legal Entity + exercising permissions granted by this License. + + "Source" form shall mean the preferred form for making modifications, + including but not limited to software source code, documentation + source, and configuration files. + + "Object" form shall mean any form resulting from mechanical + transformation or translation of a Source form, including but + not limited to compiled object code, generated documentation, + and conversions to other media types. + + "Work" shall mean the work of authorship, whether in Source or + Object form, made available under the License, as indicated by a + copyright notice that is included in or attached to the work + (an example is provided in the Appendix below). + + "Derivative Works" shall mean any work, whether in Source or Object + form, that is based on (or derived from) the Work and for which the + editorial revisions, annotations, elaborations, or other modifications + represent, as a whole, an original work of authorship. For the purposes + of this License, Derivative Works shall not include works that remain + separable from, or merely link (or bind by name) to the interfaces of, + the Work and Derivative Works thereof. + + "Contribution" shall mean any work of authorship, including + the original version of the Work and any modifications or additions + to that Work or Derivative Works thereof, that is intentionally + submitted to Licensor for inclusion in the Work by the copyright owner + or by an individual or Legal Entity authorized to submit on behalf of + the copyright owner. For the purposes of this definition, "submitted" + means any form of electronic, verbal, or written communication sent + to the Licensor or its representatives, including but not limited to + communication on electronic mailing lists, source code control systems, + and issue tracking systems that are managed by, or on behalf of, the + Licensor for the purpose of discussing and improving the Work, but + excluding communication that is conspicuously marked or otherwise + designated in writing by the copyright owner as "Not a Contribution." + + "Contributor" shall mean Licensor and any individual or Legal Entity + on behalf of whom a Contribution has been received by Licensor and + subsequently incorporated within the Work. + + 2. Grant of Copyright License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + copyright license to reproduce, prepare Derivative Works of, + publicly display, publicly perform, sublicense, and distribute the + Work and such Derivative Works in Source or Object form. + + 3. Grant of Patent License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + (except as stated in this section) patent license to make, have made, + use, offer to sell, sell, import, and otherwise transfer the Work, + where such license applies only to those patent claims licensable + by such Contributor that are necessarily infringed by their + Contribution(s) alone or by combination of their Contribution(s) + with the Work to which such Contribution(s) was submitted. If You + institute patent litigation against any entity (including a + cross-claim or counterclaim in a lawsuit) alleging that the Work + or a Contribution incorporated within the Work constitutes direct + or contributory patent infringement, then any patent licenses + granted to You under this License for that Work shall terminate + as of the date such litigation is filed. + + 4. Redistribution. You may reproduce and distribute copies of the + Work or Derivative Works thereof in any medium, with or without + modifications, and in Source or Object form, provided that You + meet the following conditions: + + (a) You must give any other recipients of the Work or + Derivative Works a copy of this License; and + + (b) You must cause any modified files to carry prominent notices + stating that You changed the files; and + + (c) You must retain, in the Source form of any Derivative Works + that You distribute, all copyright, patent, trademark, and + attribution notices from the Source form of the Work, + excluding those notices that do not pertain to any part of + the Derivative Works; and + + (d) If the Work includes a "NOTICE" text file as part of its + distribution, then any Derivative Works that You distribute must + include a readable copy of the attribution notices contained + within such NOTICE file, excluding those notices that do not + pertain to any part of the Derivative Works, in at least one + of the following places: within a NOTICE text file distributed + as part of the Derivative Works; within the Source form or + documentation, if provided along with the Derivative Works; or, + within a display generated by the Derivative Works, if and + wherever such third-party notices normally appear. The contents + of the NOTICE file are for informational purposes only and + do not modify the License. You may add Your own attribution + notices within Derivative Works that You distribute, alongside + or as an addendum to the NOTICE text from the Work, provided + that such additional attribution notices cannot be construed + as modifying the License. + + You may add Your own copyright statement to Your modifications and + may provide additional or different license terms and conditions + for use, reproduction, or distribution of Your modifications, or + for any such Derivative Works as a whole, provided Your use, + reproduction, and distribution of the Work otherwise complies with + the conditions stated in this License. + + 5. Submission of Contributions. Unless You explicitly state otherwise, + any Contribution intentionally submitted for inclusion in the Work + by You to the Licensor shall be under the terms and conditions of + this License, without any additional terms or conditions. + Notwithstanding the above, nothing herein shall supersede or modify + the terms of any separate license agreement you may have executed + with Licensor regarding such Contributions. + + 6. Trademarks. This License does not grant permission to use the trade + names, trademarks, service marks, or product names of the Licensor, + except as required for reasonable and customary use in describing the + origin of the Work and reproducing the content of the NOTICE file. + + 7. Disclaimer of Warranty. Unless required by applicable law or + agreed to in writing, Licensor provides the Work (and each + Contributor provides its Contributions) on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or + implied, including, without limitation, any warranties or conditions + of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A + PARTICULAR PURPOSE. You are solely responsible for determining the + appropriateness of using or redistributing the Work and assume any + risks associated with Your exercise of permissions under this License. + + 8. Limitation of Liability. In no event and under no legal theory, + whether in tort (including negligence), contract, or otherwise, + unless required by applicable law (such as deliberate and grossly + negligent acts) or agreed to in writing, shall any Contributor be + liable to You for damages, including any direct, indirect, special, + incidental, or consequential damages of any character arising as a + result of this License or out of the use or inability to use the + Work (including but not limited to damages for loss of goodwill, + work stoppage, computer failure or malfunction, or any and all + other commercial damages or losses), even if such Contributor + has been advised of the possibility of such damages. + + 9. Accepting Warranty or Additional Liability. While redistributing + the Work or Derivative Works thereof, You may choose to offer, + and charge a fee for, acceptance of support, warranty, indemnity, + or other liability obligations and/or rights consistent with this + License. However, in accepting such obligations, You may act only + on Your own behalf and on Your sole responsibility, not on behalf + of any other Contributor, and only if You agree to indemnify, + defend, and hold each Contributor harmless for any liability + incurred by, or claims asserted against, such Contributor by reason + of your accepting any such warranty or additional liability. + + END OF TERMS AND CONDITIONS + + APPENDIX: How to apply the Apache License to your work. + + To apply the Apache License to your work, attach the following + boilerplate notice, with the fields enclosed by brackets "[]" + replaced with your own identifying information. (Don't include + the brackets!) The text should be enclosed in the appropriate + comment syntax for the file format. We also recommend that a + file or class name and description of purpose be included on the + same "printed page" as the copyright notice for easier + identification within third-party archives. + + Copyright [yyyy] [name of copyright owner] + + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. diff --git a/grpc-xds/proto/third_party/googleapis/google/api/annotations.proto b/grpc-xds/proto/third_party/googleapis/google/api/annotations.proto new file mode 100644 index 000000000..efdab3db6 --- /dev/null +++ b/grpc-xds/proto/third_party/googleapis/google/api/annotations.proto @@ -0,0 +1,31 @@ +// Copyright 2015 Google LLC +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +syntax = "proto3"; + +package google.api; + +import "google/api/http.proto"; +import "google/protobuf/descriptor.proto"; + +option go_package = "google.golang.org/genproto/googleapis/api/annotations;annotations"; +option java_multiple_files = true; +option java_outer_classname = "AnnotationsProto"; +option java_package = "com.google.api"; +option objc_class_prefix = "GAPI"; + +extend google.protobuf.MethodOptions { + // See `HttpRule`. + HttpRule http = 72295728; +} diff --git a/grpc-xds/proto/third_party/googleapis/google/api/expr/v1alpha1/checked.proto b/grpc-xds/proto/third_party/googleapis/google/api/expr/v1alpha1/checked.proto new file mode 100644 index 000000000..930dc4f00 --- /dev/null +++ b/grpc-xds/proto/third_party/googleapis/google/api/expr/v1alpha1/checked.proto @@ -0,0 +1,343 @@ +// Copyright 2022 Google LLC +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +syntax = "proto3"; + +package google.api.expr.v1alpha1; + +import "google/api/expr/v1alpha1/syntax.proto"; +import "google/protobuf/empty.proto"; +import "google/protobuf/struct.proto"; + +option cc_enable_arenas = true; +option go_package = "google.golang.org/genproto/googleapis/api/expr/v1alpha1;expr"; +option java_multiple_files = true; +option java_outer_classname = "DeclProto"; +option java_package = "com.google.api.expr.v1alpha1"; + +// Protos for representing CEL declarations and typed checked expressions. + +// A CEL expression which has been successfully type checked. +message CheckedExpr { + // A map from expression ids to resolved references. + // + // The following entries are in this table: + // + // - An Ident or Select expression is represented here if it resolves to a + // declaration. For instance, if `a.b.c` is represented by + // `select(select(id(a), b), c)`, and `a.b` resolves to a declaration, + // while `c` is a field selection, then the reference is attached to the + // nested select expression (but not to the id or or the outer select). + // In turn, if `a` resolves to a declaration and `b.c` are field selections, + // the reference is attached to the ident expression. + // - Every Call expression has an entry here, identifying the function being + // called. + // - Every CreateStruct expression for a message has an entry, identifying + // the message. + map reference_map = 2; + + // A map from expression ids to types. + // + // Every expression node which has a type different than DYN has a mapping + // here. If an expression has type DYN, it is omitted from this map to save + // space. + map type_map = 3; + + // The source info derived from input that generated the parsed `expr` and + // any optimizations made during the type-checking pass. + SourceInfo source_info = 5; + + // The expr version indicates the major / minor version number of the `expr` + // representation. + // + // The most common reason for a version change will be to indicate to the CEL + // runtimes that transformations have been performed on the expr during static + // analysis. In some cases, this will save the runtime the work of applying + // the same or similar transformations prior to evaluation. + string expr_version = 6; + + // The checked expression. Semantically equivalent to the parsed `expr`, but + // may have structural differences. + Expr expr = 4; +} + +// Represents a CEL type. +message Type { + // List type with typed elements, e.g. `list`. + message ListType { + // The element type. + Type elem_type = 1; + } + + // Map type with parameterized key and value types, e.g. `map`. + message MapType { + // The type of the key. + Type key_type = 1; + + // The type of the value. + Type value_type = 2; + } + + // Function type with result and arg types. + message FunctionType { + // Result type of the function. + Type result_type = 1; + + // Argument types of the function. + repeated Type arg_types = 2; + } + + // Application defined abstract type. + message AbstractType { + // The fully qualified name of this abstract type. + string name = 1; + + // Parameter types for this abstract type. + repeated Type parameter_types = 2; + } + + // CEL primitive types. + enum PrimitiveType { + // Unspecified type. + PRIMITIVE_TYPE_UNSPECIFIED = 0; + + // Boolean type. + BOOL = 1; + + // Int64 type. + // + // Proto-based integer values are widened to int64. + INT64 = 2; + + // Uint64 type. + // + // Proto-based unsigned integer values are widened to uint64. + UINT64 = 3; + + // Double type. + // + // Proto-based float values are widened to double values. + DOUBLE = 4; + + // String type. + STRING = 5; + + // Bytes type. + BYTES = 6; + } + + // Well-known protobuf types treated with first-class support in CEL. + enum WellKnownType { + // Unspecified type. + WELL_KNOWN_TYPE_UNSPECIFIED = 0; + + // Well-known protobuf.Any type. + // + // Any types are a polymorphic message type. During type-checking they are + // treated like `DYN` types, but at runtime they are resolved to a specific + // message type specified at evaluation time. + ANY = 1; + + // Well-known protobuf.Timestamp type, internally referenced as `timestamp`. + TIMESTAMP = 2; + + // Well-known protobuf.Duration type, internally referenced as `duration`. + DURATION = 3; + } + + // The kind of type. + oneof type_kind { + // Dynamic type. + google.protobuf.Empty dyn = 1; + + // Null value. + google.protobuf.NullValue null = 2; + + // Primitive types: `true`, `1u`, `-2.0`, `'string'`, `b'bytes'`. + PrimitiveType primitive = 3; + + // Wrapper of a primitive type, e.g. `google.protobuf.Int64Value`. + PrimitiveType wrapper = 4; + + // Well-known protobuf type such as `google.protobuf.Timestamp`. + WellKnownType well_known = 5; + + // Parameterized list with elements of `list_type`, e.g. `list`. + ListType list_type = 6; + + // Parameterized map with typed keys and values. + MapType map_type = 7; + + // Function type. + FunctionType function = 8; + + // Protocol buffer message type. + // + // The `message_type` string specifies the qualified message type name. For + // example, `google.plus.Profile`. + string message_type = 9; + + // Type param type. + // + // The `type_param` string specifies the type parameter name, e.g. `list` + // would be a `list_type` whose element type was a `type_param` type + // named `E`. + string type_param = 10; + + // Type type. + // + // The `type` value specifies the target type. e.g. int is type with a + // target type of `Primitive.INT`. + Type type = 11; + + // Error type. + // + // During type-checking if an expression is an error, its type is propagated + // as the `ERROR` type. This permits the type-checker to discover other + // errors present in the expression. + google.protobuf.Empty error = 12; + + // Abstract, application defined type. + AbstractType abstract_type = 14; + } +} + +// Represents a declaration of a named value or function. +// +// A declaration is part of the contract between the expression, the agent +// evaluating that expression, and the caller requesting evaluation. +message Decl { + // Identifier declaration which specifies its type and optional `Expr` value. + // + // An identifier without a value is a declaration that must be provided at + // evaluation time. An identifier with a value should resolve to a constant, + // but may be used in conjunction with other identifiers bound at evaluation + // time. + message IdentDecl { + // Required. The type of the identifier. + Type type = 1; + + // The constant value of the identifier. If not specified, the identifier + // must be supplied at evaluation time. + Constant value = 2; + + // Documentation string for the identifier. + string doc = 3; + } + + // Function declaration specifies one or more overloads which indicate the + // function's parameter types and return type. + // + // Functions have no observable side-effects (there may be side-effects like + // logging which are not observable from CEL). + message FunctionDecl { + // An overload indicates a function's parameter types and return type, and + // may optionally include a function body described in terms of + // [Expr][google.api.expr.v1alpha1.Expr] values. + // + // Functions overloads are declared in either a function or method + // call-style. For methods, the `params[0]` is the expected type of the + // target receiver. + // + // Overloads must have non-overlapping argument types after erasure of all + // parameterized type variables (similar as type erasure in Java). + message Overload { + // Required. Globally unique overload name of the function which reflects + // the function name and argument types. + // + // This will be used by a [Reference][google.api.expr.v1alpha1.Reference] + // to indicate the `overload_id` that was resolved for the function + // `name`. + string overload_id = 1; + + // List of function parameter [Type][google.api.expr.v1alpha1.Type] + // values. + // + // Param types are disjoint after generic type parameters have been + // replaced with the type `DYN`. Since the `DYN` type is compatible with + // any other type, this means that if `A` is a type parameter, the + // function types `int` and `int` are not disjoint. Likewise, + // `map` is not disjoint from `map`. + // + // When the `result_type` of a function is a generic type param, the + // type param name also appears as the `type` of on at least one params. + repeated Type params = 2; + + // The type param names associated with the function declaration. + // + // For example, `function ex(K key, map map) : V` would yield + // the type params of `K, V`. + repeated string type_params = 3; + + // Required. The result type of the function. For example, the operator + // `string.isEmpty()` would have `result_type` of `kind: BOOL`. + Type result_type = 4; + + // Whether the function is to be used in a method call-style `x.f(...)` + // or a function call-style `f(x, ...)`. + // + // For methods, the first parameter declaration, `params[0]` is the + // expected type of the target receiver. + bool is_instance_function = 5; + + // Documentation string for the overload. + string doc = 6; + } + + // Required. List of function overloads, must contain at least one overload. + repeated Overload overloads = 1; + } + + // The fully qualified name of the declaration. + // + // Declarations are organized in containers and this represents the full path + // to the declaration in its container, as in `google.api.expr.Decl`. + // + // Declarations used as + // [FunctionDecl.Overload][google.api.expr.v1alpha1.Decl.FunctionDecl.Overload] + // parameters may or may not have a name depending on whether the overload is + // function declaration or a function definition containing a result + // [Expr][google.api.expr.v1alpha1.Expr]. + string name = 1; + + // Required. The declaration kind. + oneof decl_kind { + // Identifier declaration. + IdentDecl ident = 2; + + // Function declaration. + FunctionDecl function = 3; + } +} + +// Describes a resolved reference to a declaration. +message Reference { + // The fully qualified name of the declaration. + string name = 1; + + // For references to functions, this is a list of `Overload.overload_id` + // values which match according to typing rules. + // + // If the list has more than one element, overload resolution among the + // presented candidates must happen at runtime because of dynamic types. The + // type checker attempts to narrow down this list as much as possible. + // + // Empty if this is not a reference to a + // [Decl.FunctionDecl][google.api.expr.v1alpha1.Decl.FunctionDecl]. + repeated string overload_id = 3; + + // For references to constants, this may contain the value of the + // constant if known at compile time. + Constant value = 4; +} diff --git a/grpc-xds/proto/third_party/googleapis/google/api/expr/v1alpha1/syntax.proto b/grpc-xds/proto/third_party/googleapis/google/api/expr/v1alpha1/syntax.proto new file mode 100644 index 000000000..8219ba689 --- /dev/null +++ b/grpc-xds/proto/third_party/googleapis/google/api/expr/v1alpha1/syntax.proto @@ -0,0 +1,343 @@ +// Copyright 2022 Google LLC +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +syntax = "proto3"; + +package google.api.expr.v1alpha1; + +import "google/protobuf/duration.proto"; +import "google/protobuf/struct.proto"; +import "google/protobuf/timestamp.proto"; + +option cc_enable_arenas = true; +option go_package = "google.golang.org/genproto/googleapis/api/expr/v1alpha1;expr"; +option java_multiple_files = true; +option java_outer_classname = "SyntaxProto"; +option java_package = "com.google.api.expr.v1alpha1"; + +// A representation of the abstract syntax of the Common Expression Language. + +// An expression together with source information as returned by the parser. +message ParsedExpr { + // The parsed expression. + Expr expr = 2; + + // The source info derived from input that generated the parsed `expr`. + SourceInfo source_info = 3; +} + +// An abstract representation of a common expression. +// +// Expressions are abstractly represented as a collection of identifiers, +// select statements, function calls, literals, and comprehensions. All +// operators with the exception of the '.' operator are modelled as function +// calls. This makes it easy to represent new operators into the existing AST. +// +// All references within expressions must resolve to a [Decl][google.api.expr.v1alpha1.Decl] provided at +// type-check for an expression to be valid. A reference may either be a bare +// identifier `name` or a qualified identifier `google.api.name`. References +// may either refer to a value or a function declaration. +// +// For example, the expression `google.api.name.startsWith('expr')` references +// the declaration `google.api.name` within a [Expr.Select][google.api.expr.v1alpha1.Expr.Select] expression, and +// the function declaration `startsWith`. +message Expr { + // An identifier expression. e.g. `request`. + message Ident { + // Required. Holds a single, unqualified identifier, possibly preceded by a + // '.'. + // + // Qualified names are represented by the [Expr.Select][google.api.expr.v1alpha1.Expr.Select] expression. + string name = 1; + } + + // A field selection expression. e.g. `request.auth`. + message Select { + // Required. The target of the selection expression. + // + // For example, in the select expression `request.auth`, the `request` + // portion of the expression is the `operand`. + Expr operand = 1; + + // Required. The name of the field to select. + // + // For example, in the select expression `request.auth`, the `auth` portion + // of the expression would be the `field`. + string field = 2; + + // Whether the select is to be interpreted as a field presence test. + // + // This results from the macro `has(request.auth)`. + bool test_only = 3; + } + + // A call expression, including calls to predefined functions and operators. + // + // For example, `value == 10`, `size(map_value)`. + message Call { + // The target of an method call-style expression. For example, `x` in + // `x.f()`. + Expr target = 1; + + // Required. The name of the function or method being called. + string function = 2; + + // The arguments. + repeated Expr args = 3; + } + + // A list creation expression. + // + // Lists may either be homogenous, e.g. `[1, 2, 3]`, or heterogeneous, e.g. + // `dyn([1, 'hello', 2.0])` + message CreateList { + // The elements part of the list. + repeated Expr elements = 1; + + // The indices within the elements list which are marked as optional + // elements. + // + // When an optional-typed value is present, the value it contains + // is included in the list. If the optional-typed value is absent, the list + // element is omitted from the CreateList result. + repeated int32 optional_indices = 2; + } + + // A map or message creation expression. + // + // Maps are constructed as `{'key_name': 'value'}`. Message construction is + // similar, but prefixed with a type name and composed of field ids: + // `types.MyType{field_id: 'value'}`. + message CreateStruct { + // Represents an entry. + message Entry { + // Required. An id assigned to this node by the parser which is unique + // in a given expression tree. This is used to associate type + // information and other attributes to the node. + int64 id = 1; + + // The `Entry` key kinds. + oneof key_kind { + // The field key for a message creator statement. + string field_key = 2; + + // The key expression for a map creation statement. + Expr map_key = 3; + } + + // Required. The value assigned to the key. + // + // If the optional_entry field is true, the expression must resolve to an + // optional-typed value. If the optional value is present, the key will be + // set; however, if the optional value is absent, the key will be unset. + Expr value = 4; + + // Whether the key-value pair is optional. + bool optional_entry = 5; + } + + // The type name of the message to be created, empty when creating map + // literals. + string message_name = 1; + + // The entries in the creation expression. + repeated Entry entries = 2; + } + + // A comprehension expression applied to a list or map. + // + // Comprehensions are not part of the core syntax, but enabled with macros. + // A macro matches a specific call signature within a parsed AST and replaces + // the call with an alternate AST block. Macro expansion happens at parse + // time. + // + // The following macros are supported within CEL: + // + // Aggregate type macros may be applied to all elements in a list or all keys + // in a map: + // + // * `all`, `exists`, `exists_one` - test a predicate expression against + // the inputs and return `true` if the predicate is satisfied for all, + // any, or only one value `list.all(x, x < 10)`. + // * `filter` - test a predicate expression against the inputs and return + // the subset of elements which satisfy the predicate: + // `payments.filter(p, p > 1000)`. + // * `map` - apply an expression to all elements in the input and return the + // output aggregate type: `[1, 2, 3].map(i, i * i)`. + // + // The `has(m.x)` macro tests whether the property `x` is present in struct + // `m`. The semantics of this macro depend on the type of `m`. For proto2 + // messages `has(m.x)` is defined as 'defined, but not set`. For proto3, the + // macro tests whether the property is set to its default. For map and struct + // types, the macro tests whether the property `x` is defined on `m`. + message Comprehension { + // The name of the iteration variable. + string iter_var = 1; + + // The range over which var iterates. + Expr iter_range = 2; + + // The name of the variable used for accumulation of the result. + string accu_var = 3; + + // The initial value of the accumulator. + Expr accu_init = 4; + + // An expression which can contain iter_var and accu_var. + // + // Returns false when the result has been computed and may be used as + // a hint to short-circuit the remainder of the comprehension. + Expr loop_condition = 5; + + // An expression which can contain iter_var and accu_var. + // + // Computes the next value of accu_var. + Expr loop_step = 6; + + // An expression which can contain accu_var. + // + // Computes the result. + Expr result = 7; + } + + // Required. An id assigned to this node by the parser which is unique in a + // given expression tree. This is used to associate type information and other + // attributes to a node in the parse tree. + int64 id = 2; + + // Required. Variants of expressions. + oneof expr_kind { + // A literal expression. + Constant const_expr = 3; + + // An identifier expression. + Ident ident_expr = 4; + + // A field selection expression, e.g. `request.auth`. + Select select_expr = 5; + + // A call expression, including calls to predefined functions and operators. + Call call_expr = 6; + + // A list creation expression. + CreateList list_expr = 7; + + // A map or message creation expression. + CreateStruct struct_expr = 8; + + // A comprehension expression. + Comprehension comprehension_expr = 9; + } +} + +// Represents a primitive literal. +// +// Named 'Constant' here for backwards compatibility. +// +// This is similar as the primitives supported in the well-known type +// `google.protobuf.Value`, but richer so it can represent CEL's full range of +// primitives. +// +// Lists and structs are not included as constants as these aggregate types may +// contain [Expr][google.api.expr.v1alpha1.Expr] elements which require evaluation and are thus not constant. +// +// Examples of literals include: `"hello"`, `b'bytes'`, `1u`, `4.2`, `-2`, +// `true`, `null`. +message Constant { + // Required. The valid constant kinds. + oneof constant_kind { + // null value. + google.protobuf.NullValue null_value = 1; + + // boolean value. + bool bool_value = 2; + + // int64 value. + int64 int64_value = 3; + + // uint64 value. + uint64 uint64_value = 4; + + // double value. + double double_value = 5; + + // string value. + string string_value = 6; + + // bytes value. + bytes bytes_value = 7; + + // protobuf.Duration value. + // + // Deprecated: duration is no longer considered a builtin cel type. + google.protobuf.Duration duration_value = 8 [deprecated = true]; + + // protobuf.Timestamp value. + // + // Deprecated: timestamp is no longer considered a builtin cel type. + google.protobuf.Timestamp timestamp_value = 9 [deprecated = true]; + } +} + +// Source information collected at parse time. +message SourceInfo { + // The syntax version of the source, e.g. `cel1`. + string syntax_version = 1; + + // The location name. All position information attached to an expression is + // relative to this location. + // + // The location could be a file, UI element, or similar. For example, + // `acme/app/AnvilPolicy.cel`. + string location = 2; + + // Monotonically increasing list of code point offsets where newlines + // `\n` appear. + // + // The line number of a given position is the index `i` where for a given + // `id` the `line_offsets[i] < id_positions[id] < line_offsets[i+1]`. The + // column may be derivd from `id_positions[id] - line_offsets[i]`. + repeated int32 line_offsets = 3; + + // A map from the parse node id (e.g. `Expr.id`) to the code point offset + // within the source. + map positions = 4; + + // A map from the parse node id where a macro replacement was made to the + // call `Expr` that resulted in a macro expansion. + // + // For example, `has(value.field)` is a function call that is replaced by a + // `test_only` field selection in the AST. Likewise, the call + // `list.exists(e, e > 10)` translates to a comprehension expression. The key + // in the map corresponds to the expression id of the expanded macro, and the + // value is the call `Expr` that was replaced. + map macro_calls = 5; +} + +// A specific position in source. +message SourcePosition { + // The soucre location name (e.g. file name). + string location = 1; + + // The UTF-8 code unit offset. + int32 offset = 2; + + // The 1-based index of the starting line in the source text + // where the issue occurs, or 0 if unknown. + int32 line = 3; + + // The 0-based index of the starting position within the line of source text + // where the issue occurs. Only meaningful if line is nonzero. + int32 column = 4; +} diff --git a/grpc-xds/proto/third_party/googleapis/google/api/http.proto b/grpc-xds/proto/third_party/googleapis/google/api/http.proto new file mode 100644 index 000000000..113fa936a --- /dev/null +++ b/grpc-xds/proto/third_party/googleapis/google/api/http.proto @@ -0,0 +1,375 @@ +// Copyright 2015 Google LLC +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +syntax = "proto3"; + +package google.api; + +option cc_enable_arenas = true; +option go_package = "google.golang.org/genproto/googleapis/api/annotations;annotations"; +option java_multiple_files = true; +option java_outer_classname = "HttpProto"; +option java_package = "com.google.api"; +option objc_class_prefix = "GAPI"; + +// Defines the HTTP configuration for an API service. It contains a list of +// [HttpRule][google.api.HttpRule], each specifying the mapping of an RPC method +// to one or more HTTP REST API methods. +message Http { + // A list of HTTP configuration rules that apply to individual API methods. + // + // **NOTE:** All service configuration rules follow "last one wins" order. + repeated HttpRule rules = 1; + + // When set to true, URL path parameters will be fully URI-decoded except in + // cases of single segment matches in reserved expansion, where "%2F" will be + // left encoded. + // + // The default behavior is to not decode RFC 6570 reserved characters in multi + // segment matches. + bool fully_decode_reserved_expansion = 2; +} + +// # gRPC Transcoding +// +// gRPC Transcoding is a feature for mapping between a gRPC method and one or +// more HTTP REST endpoints. It allows developers to build a single API service +// that supports both gRPC APIs and REST APIs. Many systems, including [Google +// APIs](https://github.com/googleapis/googleapis), +// [Cloud Endpoints](https://cloud.google.com/endpoints), [gRPC +// Gateway](https://github.com/grpc-ecosystem/grpc-gateway), +// and [Envoy](https://github.com/envoyproxy/envoy) proxy support this feature +// and use it for large scale production services. +// +// `HttpRule` defines the schema of the gRPC/REST mapping. The mapping specifies +// how different portions of the gRPC request message are mapped to the URL +// path, URL query parameters, and HTTP request body. It also controls how the +// gRPC response message is mapped to the HTTP response body. `HttpRule` is +// typically specified as an `google.api.http` annotation on the gRPC method. +// +// Each mapping specifies a URL path template and an HTTP method. The path +// template may refer to one or more fields in the gRPC request message, as long +// as each field is a non-repeated field with a primitive (non-message) type. +// The path template controls how fields of the request message are mapped to +// the URL path. +// +// Example: +// +// service Messaging { +// rpc GetMessage(GetMessageRequest) returns (Message) { +// option (google.api.http) = { +// get: "/v1/{name=messages/*}" +// }; +// } +// } +// message GetMessageRequest { +// string name = 1; // Mapped to URL path. +// } +// message Message { +// string text = 1; // The resource content. +// } +// +// This enables an HTTP REST to gRPC mapping as below: +// +// HTTP | gRPC +// -----|----- +// `GET /v1/messages/123456` | `GetMessage(name: "messages/123456")` +// +// Any fields in the request message which are not bound by the path template +// automatically become HTTP query parameters if there is no HTTP request body. +// For example: +// +// service Messaging { +// rpc GetMessage(GetMessageRequest) returns (Message) { +// option (google.api.http) = { +// get:"/v1/messages/{message_id}" +// }; +// } +// } +// message GetMessageRequest { +// message SubMessage { +// string subfield = 1; +// } +// string message_id = 1; // Mapped to URL path. +// int64 revision = 2; // Mapped to URL query parameter `revision`. +// SubMessage sub = 3; // Mapped to URL query parameter `sub.subfield`. +// } +// +// This enables a HTTP JSON to RPC mapping as below: +// +// HTTP | gRPC +// -----|----- +// `GET /v1/messages/123456?revision=2&sub.subfield=foo` | +// `GetMessage(message_id: "123456" revision: 2 sub: SubMessage(subfield: +// "foo"))` +// +// Note that fields which are mapped to URL query parameters must have a +// primitive type or a repeated primitive type or a non-repeated message type. +// In the case of a repeated type, the parameter can be repeated in the URL +// as `...?param=A¶m=B`. In the case of a message type, each field of the +// message is mapped to a separate parameter, such as +// `...?foo.a=A&foo.b=B&foo.c=C`. +// +// For HTTP methods that allow a request body, the `body` field +// specifies the mapping. Consider a REST update method on the +// message resource collection: +// +// service Messaging { +// rpc UpdateMessage(UpdateMessageRequest) returns (Message) { +// option (google.api.http) = { +// patch: "/v1/messages/{message_id}" +// body: "message" +// }; +// } +// } +// message UpdateMessageRequest { +// string message_id = 1; // mapped to the URL +// Message message = 2; // mapped to the body +// } +// +// The following HTTP JSON to RPC mapping is enabled, where the +// representation of the JSON in the request body is determined by +// protos JSON encoding: +// +// HTTP | gRPC +// -----|----- +// `PATCH /v1/messages/123456 { "text": "Hi!" }` | `UpdateMessage(message_id: +// "123456" message { text: "Hi!" })` +// +// The special name `*` can be used in the body mapping to define that +// every field not bound by the path template should be mapped to the +// request body. This enables the following alternative definition of +// the update method: +// +// service Messaging { +// rpc UpdateMessage(Message) returns (Message) { +// option (google.api.http) = { +// patch: "/v1/messages/{message_id}" +// body: "*" +// }; +// } +// } +// message Message { +// string message_id = 1; +// string text = 2; +// } +// +// +// The following HTTP JSON to RPC mapping is enabled: +// +// HTTP | gRPC +// -----|----- +// `PATCH /v1/messages/123456 { "text": "Hi!" }` | `UpdateMessage(message_id: +// "123456" text: "Hi!")` +// +// Note that when using `*` in the body mapping, it is not possible to +// have HTTP parameters, as all fields not bound by the path end in +// the body. This makes this option more rarely used in practice when +// defining REST APIs. The common usage of `*` is in custom methods +// which don't use the URL at all for transferring data. +// +// It is possible to define multiple HTTP methods for one RPC by using +// the `additional_bindings` option. Example: +// +// service Messaging { +// rpc GetMessage(GetMessageRequest) returns (Message) { +// option (google.api.http) = { +// get: "/v1/messages/{message_id}" +// additional_bindings { +// get: "/v1/users/{user_id}/messages/{message_id}" +// } +// }; +// } +// } +// message GetMessageRequest { +// string message_id = 1; +// string user_id = 2; +// } +// +// This enables the following two alternative HTTP JSON to RPC mappings: +// +// HTTP | gRPC +// -----|----- +// `GET /v1/messages/123456` | `GetMessage(message_id: "123456")` +// `GET /v1/users/me/messages/123456` | `GetMessage(user_id: "me" message_id: +// "123456")` +// +// ## Rules for HTTP mapping +// +// 1. Leaf request fields (recursive expansion nested messages in the request +// message) are classified into three categories: +// - Fields referred by the path template. They are passed via the URL path. +// - Fields referred by the [HttpRule.body][google.api.HttpRule.body]. They are passed via the HTTP +// request body. +// - All other fields are passed via the URL query parameters, and the +// parameter name is the field path in the request message. A repeated +// field can be represented as multiple query parameters under the same +// name. +// 2. If [HttpRule.body][google.api.HttpRule.body] is "*", there is no URL query parameter, all fields +// are passed via URL path and HTTP request body. +// 3. If [HttpRule.body][google.api.HttpRule.body] is omitted, there is no HTTP request body, all +// fields are passed via URL path and URL query parameters. +// +// ### Path template syntax +// +// Template = "/" Segments [ Verb ] ; +// Segments = Segment { "/" Segment } ; +// Segment = "*" | "**" | LITERAL | Variable ; +// Variable = "{" FieldPath [ "=" Segments ] "}" ; +// FieldPath = IDENT { "." IDENT } ; +// Verb = ":" LITERAL ; +// +// The syntax `*` matches a single URL path segment. The syntax `**` matches +// zero or more URL path segments, which must be the last part of the URL path +// except the `Verb`. +// +// The syntax `Variable` matches part of the URL path as specified by its +// template. A variable template must not contain other variables. If a variable +// matches a single path segment, its template may be omitted, e.g. `{var}` +// is equivalent to `{var=*}`. +// +// The syntax `LITERAL` matches literal text in the URL path. If the `LITERAL` +// contains any reserved character, such characters should be percent-encoded +// before the matching. +// +// If a variable contains exactly one path segment, such as `"{var}"` or +// `"{var=*}"`, when such a variable is expanded into a URL path on the client +// side, all characters except `[-_.~0-9a-zA-Z]` are percent-encoded. The +// server side does the reverse decoding. Such variables show up in the +// [Discovery +// Document](https://developers.google.com/discovery/v1/reference/apis) as +// `{var}`. +// +// If a variable contains multiple path segments, such as `"{var=foo/*}"` +// or `"{var=**}"`, when such a variable is expanded into a URL path on the +// client side, all characters except `[-_.~/0-9a-zA-Z]` are percent-encoded. +// The server side does the reverse decoding, except "%2F" and "%2f" are left +// unchanged. Such variables show up in the +// [Discovery +// Document](https://developers.google.com/discovery/v1/reference/apis) as +// `{+var}`. +// +// ## Using gRPC API Service Configuration +// +// gRPC API Service Configuration (service config) is a configuration language +// for configuring a gRPC service to become a user-facing product. The +// service config is simply the YAML representation of the `google.api.Service` +// proto message. +// +// As an alternative to annotating your proto file, you can configure gRPC +// transcoding in your service config YAML files. You do this by specifying a +// `HttpRule` that maps the gRPC method to a REST endpoint, achieving the same +// effect as the proto annotation. This can be particularly useful if you +// have a proto that is reused in multiple services. Note that any transcoding +// specified in the service config will override any matching transcoding +// configuration in the proto. +// +// Example: +// +// http: +// rules: +// # Selects a gRPC method and applies HttpRule to it. +// - selector: example.v1.Messaging.GetMessage +// get: /v1/messages/{message_id}/{sub.subfield} +// +// ## Special notes +// +// When gRPC Transcoding is used to map a gRPC to JSON REST endpoints, the +// proto to JSON conversion must follow the [proto3 +// specification](https://developers.google.com/protocol-buffers/docs/proto3#json). +// +// While the single segment variable follows the semantics of +// [RFC 6570](https://tools.ietf.org/html/rfc6570) Section 3.2.2 Simple String +// Expansion, the multi segment variable **does not** follow RFC 6570 Section +// 3.2.3 Reserved Expansion. The reason is that the Reserved Expansion +// does not expand special characters like `?` and `#`, which would lead +// to invalid URLs. As the result, gRPC Transcoding uses a custom encoding +// for multi segment variables. +// +// The path variables **must not** refer to any repeated or mapped field, +// because client libraries are not capable of handling such variable expansion. +// +// The path variables **must not** capture the leading "/" character. The reason +// is that the most common use case "{var}" does not capture the leading "/" +// character. For consistency, all path variables must share the same behavior. +// +// Repeated message fields must not be mapped to URL query parameters, because +// no client library can support such complicated mapping. +// +// If an API needs to use a JSON array for request or response body, it can map +// the request or response body to a repeated field. However, some gRPC +// Transcoding implementations may not support this feature. +message HttpRule { + // Selects a method to which this rule applies. + // + // Refer to [selector][google.api.DocumentationRule.selector] for syntax details. + string selector = 1; + + // Determines the URL pattern is matched by this rules. This pattern can be + // used with any of the {get|put|post|delete|patch} methods. A custom method + // can be defined using the 'custom' field. + oneof pattern { + // Maps to HTTP GET. Used for listing and getting information about + // resources. + string get = 2; + + // Maps to HTTP PUT. Used for replacing a resource. + string put = 3; + + // Maps to HTTP POST. Used for creating a resource or performing an action. + string post = 4; + + // Maps to HTTP DELETE. Used for deleting a resource. + string delete = 5; + + // Maps to HTTP PATCH. Used for updating a resource. + string patch = 6; + + // The custom pattern is used for specifying an HTTP method that is not + // included in the `pattern` field, such as HEAD, or "*" to leave the + // HTTP method unspecified for this rule. The wild-card rule is useful + // for services that provide content to Web (HTML) clients. + CustomHttpPattern custom = 8; + } + + // The name of the request field whose value is mapped to the HTTP request + // body, or `*` for mapping all request fields not captured by the path + // pattern to the HTTP body, or omitted for not having any HTTP request body. + // + // NOTE: the referred field must be present at the top-level of the request + // message type. + string body = 7; + + // Optional. The name of the response field whose value is mapped to the HTTP + // response body. When omitted, the entire response message will be used + // as the HTTP response body. + // + // NOTE: The referred field must be present at the top-level of the response + // message type. + string response_body = 12; + + // Additional HTTP bindings for the selector. Nested bindings must + // not contain an `additional_bindings` field themselves (that is, + // the nesting may only be one level deep). + repeated HttpRule additional_bindings = 11; +} + +// A custom pattern is used for defining custom HTTP verb. +message CustomHttpPattern { + // The name of this custom HTTP verb. + string kind = 1; + + // The path matched by this custom verb. + string path = 2; +} diff --git a/grpc-xds/proto/third_party/googleapis/google/rpc/status.proto b/grpc-xds/proto/third_party/googleapis/google/rpc/status.proto new file mode 100644 index 000000000..923e16938 --- /dev/null +++ b/grpc-xds/proto/third_party/googleapis/google/rpc/status.proto @@ -0,0 +1,49 @@ +// Copyright 2022 Google LLC +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +syntax = "proto3"; + +package google.rpc; + +import "google/protobuf/any.proto"; + +option cc_enable_arenas = true; +option go_package = "google.golang.org/genproto/googleapis/rpc/status;status"; +option java_multiple_files = true; +option java_outer_classname = "StatusProto"; +option java_package = "com.google.rpc"; +option objc_class_prefix = "RPC"; + +// The `Status` type defines a logical error model that is suitable for +// different programming environments, including REST APIs and RPC APIs. It is +// used by [gRPC](https://github.com/grpc). Each `Status` message contains +// three pieces of data: error code, error message, and error details. +// +// You can find out more about this error model and how to work with it in the +// [API Design Guide](https://cloud.google.com/apis/design/errors). +message Status { + // The status code, which should be an enum value of + // [google.rpc.Code][google.rpc.Code]. + int32 code = 1; + + // A developer-facing error message, which should be in English. Any + // user-facing error message should be localized and sent in the + // [google.rpc.Status.details][google.rpc.Status.details] field, or localized + // by the client. + string message = 2; + + // A list of messages that carry the error details. There is a common set of + // message types for APIs to use. + repeated google.protobuf.Any details = 3; +} diff --git a/grpc-xds/proto/third_party/googleapis/import.sh b/grpc-xds/proto/third_party/googleapis/import.sh new file mode 100755 index 000000000..a4b5b4fad --- /dev/null +++ b/grpc-xds/proto/third_party/googleapis/import.sh @@ -0,0 +1,26 @@ +#!/bin/bash +set -e + +# Update VERSION then execute this script. +# Imports googleapis protos into src/main/proto. +# Modeled after grpc-java's xds/third_party/googleapis/import.sh. + +source "$(cd "$(dirname "$0")" && pwd)/../import_common.sh" + +VERSION=114a745b2841a044e98cdbb19358ed29fcf4a5f1 +DOWNLOAD_URL="https://github.com/googleapis/googleapis/archive/${VERSION}.tar.gz" +DOWNLOAD_BASE_DIR="googleapis-${VERSION}" +SOURCE_PROTO_BASE_DIR="${DOWNLOAD_BASE_DIR}" +# Sorted alphabetically. +# annotations.proto/http.proto/status.proto are not needed by grpc-java (it +# resolves them from external Bazel/Maven deps), but we vendor them so protoc +# can resolve every non-well-known import from the committed tree. +FILES=( +google/api/annotations.proto +google/api/expr/v1alpha1/checked.proto +google/api/expr/v1alpha1/syntax.proto +google/api/http.proto +google/rpc/status.proto +) + +import_protos diff --git a/grpc-xds/proto/third_party/import.sh b/grpc-xds/proto/third_party/import.sh new file mode 100755 index 000000000..9f7c09a72 --- /dev/null +++ b/grpc-xds/proto/third_party/import.sh @@ -0,0 +1,21 @@ +#!/bin/bash +set -e + +# Re-imports every vendored xDS proto dependency by running each +# subdirectory's import.sh. +# +# Each dependency is pinned to a specific upstream version (kept in sync with +# grpc-java's xds/third_party import scripts) so the whole set forms a +# coherent, mutually-compatible snapshot. To bump a single dependency, edit +# its VERSION in the corresponding /import.sh and run that script +# directly instead. + +cd "$(dirname "$0")" + +for script in */import.sh; do + name="$(dirname "${script}")" + echo "==> Importing ${name}" + ./"${script}" +done + +echo "All xDS protos imported." diff --git a/grpc-xds/proto/third_party/import_common.sh b/grpc-xds/proto/third_party/import_common.sh new file mode 100644 index 000000000..62ee470b2 --- /dev/null +++ b/grpc-xds/proto/third_party/import_common.sh @@ -0,0 +1,56 @@ +#!/bin/bash +# Shared helper for the per-directory xDS proto import scripts. +# +# Each third_party//import.sh sources this file, sets the variables +# below, and then calls import_protos: +# +# VERSION upstream revision (tag or commit) — informational +# DOWNLOAD_URL tarball URL for the pinned upstream revision +# DOWNLOAD_BASE_DIR top-level directory inside the extracted tarball +# SOURCE_PROTO_BASE_DIR path within the tarball that roots the proto tree +# FILES array of proto paths to copy, relative to the root +# +# The destination directory is inferred from the calling script's location and +# protos are written directly under . Re-importing first removes any +# previously-imported files (all *.proto, plus LICENSE and NOTICE) so stale files +# never linger. LICENSE is always copied; NOTICE only when the upstream ships one. + +import_protos() { + local dest_dir + dest_dir="$(cd "$(dirname "${BASH_SOURCE[1]}")" && pwd)" + + pushd "${dest_dir}" > /dev/null + + # put the repo in a tmp directory + local tmpdir + tmpdir="$(mktemp -d)" + trap 'rm -rf "${tmpdir}"' RETURN + + curl -Ls "${DOWNLOAD_URL}" | tar xz -C "${tmpdir}" + + # Remove previously-imported files so stale protos never linger, then prune + # any package directories left empty. + find . -name '*.proto' -delete + find . -type d -empty -delete + rm -f LICENSE NOTICE + + cp -p "${tmpdir}/${DOWNLOAD_BASE_DIR}/LICENSE" LICENSE + if [[ -f "${tmpdir}/${DOWNLOAD_BASE_DIR}/NOTICE" ]]; then + cp -p "${tmpdir}/${DOWNLOAD_BASE_DIR}/NOTICE" NOTICE + fi + + # copy proto files to project directory + local total=${#FILES[@]} copied=0 file + for file in "${FILES[@]}"; do + mkdir -p "$(dirname "${file}")" + cp -p "${tmpdir}/${SOURCE_PROTO_BASE_DIR}/${file}" "${file}" && (( ++copied )) + done + + popd > /dev/null + + echo "Imported ${copied} files." + if (( copied != total )); then + echo "Failed importing $(( total - copied )) files." 1>&2 + return 1 + fi +} diff --git a/grpc-xds/proto/third_party/protoc-gen-validate/LICENSE b/grpc-xds/proto/third_party/protoc-gen-validate/LICENSE new file mode 100644 index 000000000..d64569567 --- /dev/null +++ b/grpc-xds/proto/third_party/protoc-gen-validate/LICENSE @@ -0,0 +1,202 @@ + + Apache License + Version 2.0, January 2004 + http://www.apache.org/licenses/ + + TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION + + 1. Definitions. + + "License" shall mean the terms and conditions for use, reproduction, + and distribution as defined by Sections 1 through 9 of this document. + + "Licensor" shall mean the copyright owner or entity authorized by + the copyright owner that is granting the License. + + "Legal Entity" shall mean the union of the acting entity and all + other entities that control, are controlled by, or are under common + control with that entity. For the purposes of this definition, + "control" means (i) the power, direct or indirect, to cause the + direction or management of such entity, whether by contract or + otherwise, or (ii) ownership of fifty percent (50%) or more of the + outstanding shares, or (iii) beneficial ownership of such entity. + + "You" (or "Your") shall mean an individual or Legal Entity + exercising permissions granted by this License. + + "Source" form shall mean the preferred form for making modifications, + including but not limited to software source code, documentation + source, and configuration files. + + "Object" form shall mean any form resulting from mechanical + transformation or translation of a Source form, including but + not limited to compiled object code, generated documentation, + and conversions to other media types. + + "Work" shall mean the work of authorship, whether in Source or + Object form, made available under the License, as indicated by a + copyright notice that is included in or attached to the work + (an example is provided in the Appendix below). + + "Derivative Works" shall mean any work, whether in Source or Object + form, that is based on (or derived from) the Work and for which the + editorial revisions, annotations, elaborations, or other modifications + represent, as a whole, an original work of authorship. For the purposes + of this License, Derivative Works shall not include works that remain + separable from, or merely link (or bind by name) to the interfaces of, + the Work and Derivative Works thereof. + + "Contribution" shall mean any work of authorship, including + the original version of the Work and any modifications or additions + to that Work or Derivative Works thereof, that is intentionally + submitted to Licensor for inclusion in the Work by the copyright owner + or by an individual or Legal Entity authorized to submit on behalf of + the copyright owner. For the purposes of this definition, "submitted" + means any form of electronic, verbal, or written communication sent + to the Licensor or its representatives, including but not limited to + communication on electronic mailing lists, source code control systems, + and issue tracking systems that are managed by, or on behalf of, the + Licensor for the purpose of discussing and improving the Work, but + excluding communication that is conspicuously marked or otherwise + designated in writing by the copyright owner as "Not a Contribution." + + "Contributor" shall mean Licensor and any individual or Legal Entity + on behalf of whom a Contribution has been received by Licensor and + subsequently incorporated within the Work. + + 2. Grant of Copyright License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + copyright license to reproduce, prepare Derivative Works of, + publicly display, publicly perform, sublicense, and distribute the + Work and such Derivative Works in Source or Object form. + + 3. Grant of Patent License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + (except as stated in this section) patent license to make, have made, + use, offer to sell, sell, import, and otherwise transfer the Work, + where such license applies only to those patent claims licensable + by such Contributor that are necessarily infringed by their + Contribution(s) alone or by combination of their Contribution(s) + with the Work to which such Contribution(s) was submitted. If You + institute patent litigation against any entity (including a + cross-claim or counterclaim in a lawsuit) alleging that the Work + or a Contribution incorporated within the Work constitutes direct + or contributory patent infringement, then any patent licenses + granted to You under this License for that Work shall terminate + as of the date such litigation is filed. + + 4. Redistribution. You may reproduce and distribute copies of the + Work or Derivative Works thereof in any medium, with or without + modifications, and in Source or Object form, provided that You + meet the following conditions: + + (a) You must give any other recipients of the Work or + Derivative Works a copy of this License; and + + (b) You must cause any modified files to carry prominent notices + stating that You changed the files; and + + (c) You must retain, in the Source form of any Derivative Works + that You distribute, all copyright, patent, trademark, and + attribution notices from the Source form of the Work, + excluding those notices that do not pertain to any part of + the Derivative Works; and + + (d) If the Work includes a "NOTICE" text file as part of its + distribution, then any Derivative Works that You distribute must + include a readable copy of the attribution notices contained + within such NOTICE file, excluding those notices that do not + pertain to any part of the Derivative Works, in at least one + of the following places: within a NOTICE text file distributed + as part of the Derivative Works; within the Source form or + documentation, if provided along with the Derivative Works; or, + within a display generated by the Derivative Works, if and + wherever such third-party notices normally appear. The contents + of the NOTICE file are for informational purposes only and + do not modify the License. You may add Your own attribution + notices within Derivative Works that You distribute, alongside + or as an addendum to the NOTICE text from the Work, provided + that such additional attribution notices cannot be construed + as modifying the License. + + You may add Your own copyright statement to Your modifications and + may provide additional or different license terms and conditions + for use, reproduction, or distribution of Your modifications, or + for any such Derivative Works as a whole, provided Your use, + reproduction, and distribution of the Work otherwise complies with + the conditions stated in this License. + + 5. Submission of Contributions. Unless You explicitly state otherwise, + any Contribution intentionally submitted for inclusion in the Work + by You to the Licensor shall be under the terms and conditions of + this License, without any additional terms or conditions. + Notwithstanding the above, nothing herein shall supersede or modify + the terms of any separate license agreement you may have executed + with Licensor regarding such Contributions. + + 6. Trademarks. This License does not grant permission to use the trade + names, trademarks, service marks, or product names of the Licensor, + except as required for reasonable and customary use in describing the + origin of the Work and reproducing the content of the NOTICE file. + + 7. Disclaimer of Warranty. Unless required by applicable law or + agreed to in writing, Licensor provides the Work (and each + Contributor provides its Contributions) on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or + implied, including, without limitation, any warranties or conditions + of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A + PARTICULAR PURPOSE. You are solely responsible for determining the + appropriateness of using or redistributing the Work and assume any + risks associated with Your exercise of permissions under this License. + + 8. Limitation of Liability. In no event and under no legal theory, + whether in tort (including negligence), contract, or otherwise, + unless required by applicable law (such as deliberate and grossly + negligent acts) or agreed to in writing, shall any Contributor be + liable to You for damages, including any direct, indirect, special, + incidental, or consequential damages of any character arising as a + result of this License or out of the use or inability to use the + Work (including but not limited to damages for loss of goodwill, + work stoppage, computer failure or malfunction, or any and all + other commercial damages or losses), even if such Contributor + has been advised of the possibility of such damages. + + 9. Accepting Warranty or Additional Liability. While redistributing + the Work or Derivative Works thereof, You may choose to offer, + and charge a fee for, acceptance of support, warranty, indemnity, + or other liability obligations and/or rights consistent with this + License. However, in accepting such obligations, You may act only + on Your own behalf and on Your sole responsibility, not on behalf + of any other Contributor, and only if You agree to indemnify, + defend, and hold each Contributor harmless for any liability + incurred by, or claims asserted against, such Contributor by reason + of your accepting any such warranty or additional liability. + + END OF TERMS AND CONDITIONS + + APPENDIX: How to apply the Apache License to your work. + + To apply the Apache License to your work, attach the following + boilerplate notice, with the fields enclosed by brackets "[]" + replaced with your own identifying information. (Don't include + the brackets!) The text should be enclosed in the appropriate + comment syntax for the file format. We also recommend that a + file or class name and description of purpose be included on the + same "printed page" as the copyright notice for easier + identification within third-party archives. + + Copyright [yyyy] [name of copyright owner] + + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. diff --git a/grpc-xds/proto/third_party/protoc-gen-validate/NOTICE b/grpc-xds/proto/third_party/protoc-gen-validate/NOTICE new file mode 100644 index 000000000..60884a059 --- /dev/null +++ b/grpc-xds/proto/third_party/protoc-gen-validate/NOTICE @@ -0,0 +1,4 @@ +protoc-gen-validate +Copyright 2019 Envoy Project Authors + +Licensed under Apache License 2.0. See LICENSE for terms. diff --git a/grpc-xds/proto/third_party/protoc-gen-validate/import.sh b/grpc-xds/proto/third_party/protoc-gen-validate/import.sh new file mode 100755 index 000000000..8b5e37676 --- /dev/null +++ b/grpc-xds/proto/third_party/protoc-gen-validate/import.sh @@ -0,0 +1,20 @@ +#!/bin/bash +set -e + +# Update VERSION then execute this script. +# Imports envoyproxy/protoc-gen-validate protos into src/main/proto. +# Modeled after grpc-java's xds/third_party/protoc-gen-validate/import.sh. + +source "$(cd "$(dirname "$0")" && pwd)/../import_common.sh" + +# import VERSION from one of the google internal CLs +VERSION=dfcdc5ea103dda467963fb7079e4df28debcfd28 +DOWNLOAD_URL="https://github.com/envoyproxy/protoc-gen-validate/archive/${VERSION}.tar.gz" +DOWNLOAD_BASE_DIR="protoc-gen-validate-${VERSION}" +SOURCE_PROTO_BASE_DIR="${DOWNLOAD_BASE_DIR}" +# Sorted alphabetically. +FILES=( +validate/validate.proto +) + +import_protos diff --git a/grpc-xds/proto/third_party/protoc-gen-validate/validate/validate.proto b/grpc-xds/proto/third_party/protoc-gen-validate/validate/validate.proto new file mode 100644 index 000000000..705d382aa --- /dev/null +++ b/grpc-xds/proto/third_party/protoc-gen-validate/validate/validate.proto @@ -0,0 +1,862 @@ +syntax = "proto2"; +package validate; + +option go_package = "github.com/envoyproxy/protoc-gen-validate/validate"; +option java_package = "io.envoyproxy.pgv.validate"; + +import "google/protobuf/descriptor.proto"; +import "google/protobuf/duration.proto"; +import "google/protobuf/timestamp.proto"; + +// Validation rules applied at the message level +extend google.protobuf.MessageOptions { + // Disabled nullifies any validation rules for this message, including any + // message fields associated with it that do support validation. + optional bool disabled = 1071; + // Ignore skips generation of validation methods for this message. + optional bool ignored = 1072; +} + +// Validation rules applied at the oneof level +extend google.protobuf.OneofOptions { + // Required ensures that exactly one the field options in a oneof is set; + // validation fails if no fields in the oneof are set. + optional bool required = 1071; +} + +// Validation rules applied at the field level +extend google.protobuf.FieldOptions { + // Rules specify the validations to be performed on this field. By default, + // no validation is performed against a field. + optional FieldRules rules = 1071; +} + +// FieldRules encapsulates the rules for each type of field. Depending on the +// field, the correct set should be used to ensure proper validations. +message FieldRules { + optional MessageRules message = 17; + oneof type { + // Scalar Field Types + FloatRules float = 1; + DoubleRules double = 2; + Int32Rules int32 = 3; + Int64Rules int64 = 4; + UInt32Rules uint32 = 5; + UInt64Rules uint64 = 6; + SInt32Rules sint32 = 7; + SInt64Rules sint64 = 8; + Fixed32Rules fixed32 = 9; + Fixed64Rules fixed64 = 10; + SFixed32Rules sfixed32 = 11; + SFixed64Rules sfixed64 = 12; + BoolRules bool = 13; + StringRules string = 14; + BytesRules bytes = 15; + + // Complex Field Types + EnumRules enum = 16; + RepeatedRules repeated = 18; + MapRules map = 19; + + // Well-Known Field Types + AnyRules any = 20; + DurationRules duration = 21; + TimestampRules timestamp = 22; + } +} + +// FloatRules describes the constraints applied to `float` values +message FloatRules { + // Const specifies that this field must be exactly the specified value + optional float const = 1; + + // Lt specifies that this field must be less than the specified value, + // exclusive + optional float lt = 2; + + // Lte specifies that this field must be less than or equal to the + // specified value, inclusive + optional float lte = 3; + + // Gt specifies that this field must be greater than the specified value, + // exclusive. If the value of Gt is larger than a specified Lt or Lte, the + // range is reversed. + optional float gt = 4; + + // Gte specifies that this field must be greater than or equal to the + // specified value, inclusive. If the value of Gte is larger than a + // specified Lt or Lte, the range is reversed. + optional float gte = 5; + + // In specifies that this field must be equal to one of the specified + // values + repeated float in = 6; + + // NotIn specifies that this field cannot be equal to one of the specified + // values + repeated float not_in = 7; + + // IgnoreEmpty specifies that the validation rules of this field should be + // evaluated only if the field is not empty + optional bool ignore_empty = 8; +} + +// DoubleRules describes the constraints applied to `double` values +message DoubleRules { + // Const specifies that this field must be exactly the specified value + optional double const = 1; + + // Lt specifies that this field must be less than the specified value, + // exclusive + optional double lt = 2; + + // Lte specifies that this field must be less than or equal to the + // specified value, inclusive + optional double lte = 3; + + // Gt specifies that this field must be greater than the specified value, + // exclusive. If the value of Gt is larger than a specified Lt or Lte, the + // range is reversed. + optional double gt = 4; + + // Gte specifies that this field must be greater than or equal to the + // specified value, inclusive. If the value of Gte is larger than a + // specified Lt or Lte, the range is reversed. + optional double gte = 5; + + // In specifies that this field must be equal to one of the specified + // values + repeated double in = 6; + + // NotIn specifies that this field cannot be equal to one of the specified + // values + repeated double not_in = 7; + + // IgnoreEmpty specifies that the validation rules of this field should be + // evaluated only if the field is not empty + optional bool ignore_empty = 8; +} + +// Int32Rules describes the constraints applied to `int32` values +message Int32Rules { + // Const specifies that this field must be exactly the specified value + optional int32 const = 1; + + // Lt specifies that this field must be less than the specified value, + // exclusive + optional int32 lt = 2; + + // Lte specifies that this field must be less than or equal to the + // specified value, inclusive + optional int32 lte = 3; + + // Gt specifies that this field must be greater than the specified value, + // exclusive. If the value of Gt is larger than a specified Lt or Lte, the + // range is reversed. + optional int32 gt = 4; + + // Gte specifies that this field must be greater than or equal to the + // specified value, inclusive. If the value of Gte is larger than a + // specified Lt or Lte, the range is reversed. + optional int32 gte = 5; + + // In specifies that this field must be equal to one of the specified + // values + repeated int32 in = 6; + + // NotIn specifies that this field cannot be equal to one of the specified + // values + repeated int32 not_in = 7; + + // IgnoreEmpty specifies that the validation rules of this field should be + // evaluated only if the field is not empty + optional bool ignore_empty = 8; +} + +// Int64Rules describes the constraints applied to `int64` values +message Int64Rules { + // Const specifies that this field must be exactly the specified value + optional int64 const = 1; + + // Lt specifies that this field must be less than the specified value, + // exclusive + optional int64 lt = 2; + + // Lte specifies that this field must be less than or equal to the + // specified value, inclusive + optional int64 lte = 3; + + // Gt specifies that this field must be greater than the specified value, + // exclusive. If the value of Gt is larger than a specified Lt or Lte, the + // range is reversed. + optional int64 gt = 4; + + // Gte specifies that this field must be greater than or equal to the + // specified value, inclusive. If the value of Gte is larger than a + // specified Lt or Lte, the range is reversed. + optional int64 gte = 5; + + // In specifies that this field must be equal to one of the specified + // values + repeated int64 in = 6; + + // NotIn specifies that this field cannot be equal to one of the specified + // values + repeated int64 not_in = 7; + + // IgnoreEmpty specifies that the validation rules of this field should be + // evaluated only if the field is not empty + optional bool ignore_empty = 8; +} + +// UInt32Rules describes the constraints applied to `uint32` values +message UInt32Rules { + // Const specifies that this field must be exactly the specified value + optional uint32 const = 1; + + // Lt specifies that this field must be less than the specified value, + // exclusive + optional uint32 lt = 2; + + // Lte specifies that this field must be less than or equal to the + // specified value, inclusive + optional uint32 lte = 3; + + // Gt specifies that this field must be greater than the specified value, + // exclusive. If the value of Gt is larger than a specified Lt or Lte, the + // range is reversed. + optional uint32 gt = 4; + + // Gte specifies that this field must be greater than or equal to the + // specified value, inclusive. If the value of Gte is larger than a + // specified Lt or Lte, the range is reversed. + optional uint32 gte = 5; + + // In specifies that this field must be equal to one of the specified + // values + repeated uint32 in = 6; + + // NotIn specifies that this field cannot be equal to one of the specified + // values + repeated uint32 not_in = 7; + + // IgnoreEmpty specifies that the validation rules of this field should be + // evaluated only if the field is not empty + optional bool ignore_empty = 8; +} + +// UInt64Rules describes the constraints applied to `uint64` values +message UInt64Rules { + // Const specifies that this field must be exactly the specified value + optional uint64 const = 1; + + // Lt specifies that this field must be less than the specified value, + // exclusive + optional uint64 lt = 2; + + // Lte specifies that this field must be less than or equal to the + // specified value, inclusive + optional uint64 lte = 3; + + // Gt specifies that this field must be greater than the specified value, + // exclusive. If the value of Gt is larger than a specified Lt or Lte, the + // range is reversed. + optional uint64 gt = 4; + + // Gte specifies that this field must be greater than or equal to the + // specified value, inclusive. If the value of Gte is larger than a + // specified Lt or Lte, the range is reversed. + optional uint64 gte = 5; + + // In specifies that this field must be equal to one of the specified + // values + repeated uint64 in = 6; + + // NotIn specifies that this field cannot be equal to one of the specified + // values + repeated uint64 not_in = 7; + + // IgnoreEmpty specifies that the validation rules of this field should be + // evaluated only if the field is not empty + optional bool ignore_empty = 8; +} + +// SInt32Rules describes the constraints applied to `sint32` values +message SInt32Rules { + // Const specifies that this field must be exactly the specified value + optional sint32 const = 1; + + // Lt specifies that this field must be less than the specified value, + // exclusive + optional sint32 lt = 2; + + // Lte specifies that this field must be less than or equal to the + // specified value, inclusive + optional sint32 lte = 3; + + // Gt specifies that this field must be greater than the specified value, + // exclusive. If the value of Gt is larger than a specified Lt or Lte, the + // range is reversed. + optional sint32 gt = 4; + + // Gte specifies that this field must be greater than or equal to the + // specified value, inclusive. If the value of Gte is larger than a + // specified Lt or Lte, the range is reversed. + optional sint32 gte = 5; + + // In specifies that this field must be equal to one of the specified + // values + repeated sint32 in = 6; + + // NotIn specifies that this field cannot be equal to one of the specified + // values + repeated sint32 not_in = 7; + + // IgnoreEmpty specifies that the validation rules of this field should be + // evaluated only if the field is not empty + optional bool ignore_empty = 8; +} + +// SInt64Rules describes the constraints applied to `sint64` values +message SInt64Rules { + // Const specifies that this field must be exactly the specified value + optional sint64 const = 1; + + // Lt specifies that this field must be less than the specified value, + // exclusive + optional sint64 lt = 2; + + // Lte specifies that this field must be less than or equal to the + // specified value, inclusive + optional sint64 lte = 3; + + // Gt specifies that this field must be greater than the specified value, + // exclusive. If the value of Gt is larger than a specified Lt or Lte, the + // range is reversed. + optional sint64 gt = 4; + + // Gte specifies that this field must be greater than or equal to the + // specified value, inclusive. If the value of Gte is larger than a + // specified Lt or Lte, the range is reversed. + optional sint64 gte = 5; + + // In specifies that this field must be equal to one of the specified + // values + repeated sint64 in = 6; + + // NotIn specifies that this field cannot be equal to one of the specified + // values + repeated sint64 not_in = 7; + + // IgnoreEmpty specifies that the validation rules of this field should be + // evaluated only if the field is not empty + optional bool ignore_empty = 8; +} + +// Fixed32Rules describes the constraints applied to `fixed32` values +message Fixed32Rules { + // Const specifies that this field must be exactly the specified value + optional fixed32 const = 1; + + // Lt specifies that this field must be less than the specified value, + // exclusive + optional fixed32 lt = 2; + + // Lte specifies that this field must be less than or equal to the + // specified value, inclusive + optional fixed32 lte = 3; + + // Gt specifies that this field must be greater than the specified value, + // exclusive. If the value of Gt is larger than a specified Lt or Lte, the + // range is reversed. + optional fixed32 gt = 4; + + // Gte specifies that this field must be greater than or equal to the + // specified value, inclusive. If the value of Gte is larger than a + // specified Lt or Lte, the range is reversed. + optional fixed32 gte = 5; + + // In specifies that this field must be equal to one of the specified + // values + repeated fixed32 in = 6; + + // NotIn specifies that this field cannot be equal to one of the specified + // values + repeated fixed32 not_in = 7; + + // IgnoreEmpty specifies that the validation rules of this field should be + // evaluated only if the field is not empty + optional bool ignore_empty = 8; +} + +// Fixed64Rules describes the constraints applied to `fixed64` values +message Fixed64Rules { + // Const specifies that this field must be exactly the specified value + optional fixed64 const = 1; + + // Lt specifies that this field must be less than the specified value, + // exclusive + optional fixed64 lt = 2; + + // Lte specifies that this field must be less than or equal to the + // specified value, inclusive + optional fixed64 lte = 3; + + // Gt specifies that this field must be greater than the specified value, + // exclusive. If the value of Gt is larger than a specified Lt or Lte, the + // range is reversed. + optional fixed64 gt = 4; + + // Gte specifies that this field must be greater than or equal to the + // specified value, inclusive. If the value of Gte is larger than a + // specified Lt or Lte, the range is reversed. + optional fixed64 gte = 5; + + // In specifies that this field must be equal to one of the specified + // values + repeated fixed64 in = 6; + + // NotIn specifies that this field cannot be equal to one of the specified + // values + repeated fixed64 not_in = 7; + + // IgnoreEmpty specifies that the validation rules of this field should be + // evaluated only if the field is not empty + optional bool ignore_empty = 8; +} + +// SFixed32Rules describes the constraints applied to `sfixed32` values +message SFixed32Rules { + // Const specifies that this field must be exactly the specified value + optional sfixed32 const = 1; + + // Lt specifies that this field must be less than the specified value, + // exclusive + optional sfixed32 lt = 2; + + // Lte specifies that this field must be less than or equal to the + // specified value, inclusive + optional sfixed32 lte = 3; + + // Gt specifies that this field must be greater than the specified value, + // exclusive. If the value of Gt is larger than a specified Lt or Lte, the + // range is reversed. + optional sfixed32 gt = 4; + + // Gte specifies that this field must be greater than or equal to the + // specified value, inclusive. If the value of Gte is larger than a + // specified Lt or Lte, the range is reversed. + optional sfixed32 gte = 5; + + // In specifies that this field must be equal to one of the specified + // values + repeated sfixed32 in = 6; + + // NotIn specifies that this field cannot be equal to one of the specified + // values + repeated sfixed32 not_in = 7; + + // IgnoreEmpty specifies that the validation rules of this field should be + // evaluated only if the field is not empty + optional bool ignore_empty = 8; +} + +// SFixed64Rules describes the constraints applied to `sfixed64` values +message SFixed64Rules { + // Const specifies that this field must be exactly the specified value + optional sfixed64 const = 1; + + // Lt specifies that this field must be less than the specified value, + // exclusive + optional sfixed64 lt = 2; + + // Lte specifies that this field must be less than or equal to the + // specified value, inclusive + optional sfixed64 lte = 3; + + // Gt specifies that this field must be greater than the specified value, + // exclusive. If the value of Gt is larger than a specified Lt or Lte, the + // range is reversed. + optional sfixed64 gt = 4; + + // Gte specifies that this field must be greater than or equal to the + // specified value, inclusive. If the value of Gte is larger than a + // specified Lt or Lte, the range is reversed. + optional sfixed64 gte = 5; + + // In specifies that this field must be equal to one of the specified + // values + repeated sfixed64 in = 6; + + // NotIn specifies that this field cannot be equal to one of the specified + // values + repeated sfixed64 not_in = 7; + + // IgnoreEmpty specifies that the validation rules of this field should be + // evaluated only if the field is not empty + optional bool ignore_empty = 8; +} + +// BoolRules describes the constraints applied to `bool` values +message BoolRules { + // Const specifies that this field must be exactly the specified value + optional bool const = 1; +} + +// StringRules describe the constraints applied to `string` values +message StringRules { + // Const specifies that this field must be exactly the specified value + optional string const = 1; + + // Len specifies that this field must be the specified number of + // characters (Unicode code points). Note that the number of + // characters may differ from the number of bytes in the string. + optional uint64 len = 19; + + // MinLen specifies that this field must be the specified number of + // characters (Unicode code points) at a minimum. Note that the number of + // characters may differ from the number of bytes in the string. + optional uint64 min_len = 2; + + // MaxLen specifies that this field must be the specified number of + // characters (Unicode code points) at a maximum. Note that the number of + // characters may differ from the number of bytes in the string. + optional uint64 max_len = 3; + + // LenBytes specifies that this field must be the specified number of bytes + optional uint64 len_bytes = 20; + + // MinBytes specifies that this field must be the specified number of bytes + // at a minimum + optional uint64 min_bytes = 4; + + // MaxBytes specifies that this field must be the specified number of bytes + // at a maximum + optional uint64 max_bytes = 5; + + // Pattern specifes that this field must match against the specified + // regular expression (RE2 syntax). The included expression should elide + // any delimiters. + optional string pattern = 6; + + // Prefix specifies that this field must have the specified substring at + // the beginning of the string. + optional string prefix = 7; + + // Suffix specifies that this field must have the specified substring at + // the end of the string. + optional string suffix = 8; + + // Contains specifies that this field must have the specified substring + // anywhere in the string. + optional string contains = 9; + + // NotContains specifies that this field cannot have the specified substring + // anywhere in the string. + optional string not_contains = 23; + + // In specifies that this field must be equal to one of the specified + // values + repeated string in = 10; + + // NotIn specifies that this field cannot be equal to one of the specified + // values + repeated string not_in = 11; + + // WellKnown rules provide advanced constraints against common string + // patterns + oneof well_known { + // Email specifies that the field must be a valid email address as + // defined by RFC 5322 + bool email = 12; + + // Hostname specifies that the field must be a valid hostname as + // defined by RFC 1034. This constraint does not support + // internationalized domain names (IDNs). + bool hostname = 13; + + // Ip specifies that the field must be a valid IP (v4 or v6) address. + // Valid IPv6 addresses should not include surrounding square brackets. + bool ip = 14; + + // Ipv4 specifies that the field must be a valid IPv4 address. + bool ipv4 = 15; + + // Ipv6 specifies that the field must be a valid IPv6 address. Valid + // IPv6 addresses should not include surrounding square brackets. + bool ipv6 = 16; + + // Uri specifies that the field must be a valid, absolute URI as defined + // by RFC 3986 + bool uri = 17; + + // UriRef specifies that the field must be a valid URI as defined by RFC + // 3986 and may be relative or absolute. + bool uri_ref = 18; + + // Address specifies that the field must be either a valid hostname as + // defined by RFC 1034 (which does not support internationalized domain + // names or IDNs), or it can be a valid IP (v4 or v6). + bool address = 21; + + // Uuid specifies that the field must be a valid UUID as defined by + // RFC 4122 + bool uuid = 22; + + // WellKnownRegex specifies a common well known pattern defined as a regex. + KnownRegex well_known_regex = 24; + } + + // This applies to regexes HTTP_HEADER_NAME and HTTP_HEADER_VALUE to enable + // strict header validation. + // By default, this is true, and HTTP header validations are RFC-compliant. + // Setting to false will enable a looser validations that only disallows + // \r\n\0 characters, which can be used to bypass header matching rules. + optional bool strict = 25 [default = true]; + + // IgnoreEmpty specifies that the validation rules of this field should be + // evaluated only if the field is not empty + optional bool ignore_empty = 26; +} + +// WellKnownRegex contain some well-known patterns. +enum KnownRegex { + UNKNOWN = 0; + + // HTTP header name as defined by RFC 7230. + HTTP_HEADER_NAME = 1; + + // HTTP header value as defined by RFC 7230. + HTTP_HEADER_VALUE = 2; +} + +// BytesRules describe the constraints applied to `bytes` values +message BytesRules { + // Const specifies that this field must be exactly the specified value + optional bytes const = 1; + + // Len specifies that this field must be the specified number of bytes + optional uint64 len = 13; + + // MinLen specifies that this field must be the specified number of bytes + // at a minimum + optional uint64 min_len = 2; + + // MaxLen specifies that this field must be the specified number of bytes + // at a maximum + optional uint64 max_len = 3; + + // Pattern specifes that this field must match against the specified + // regular expression (RE2 syntax). The included expression should elide + // any delimiters. + optional string pattern = 4; + + // Prefix specifies that this field must have the specified bytes at the + // beginning of the string. + optional bytes prefix = 5; + + // Suffix specifies that this field must have the specified bytes at the + // end of the string. + optional bytes suffix = 6; + + // Contains specifies that this field must have the specified bytes + // anywhere in the string. + optional bytes contains = 7; + + // In specifies that this field must be equal to one of the specified + // values + repeated bytes in = 8; + + // NotIn specifies that this field cannot be equal to one of the specified + // values + repeated bytes not_in = 9; + + // WellKnown rules provide advanced constraints against common byte + // patterns + oneof well_known { + // Ip specifies that the field must be a valid IP (v4 or v6) address in + // byte format + bool ip = 10; + + // Ipv4 specifies that the field must be a valid IPv4 address in byte + // format + bool ipv4 = 11; + + // Ipv6 specifies that the field must be a valid IPv6 address in byte + // format + bool ipv6 = 12; + } + + // IgnoreEmpty specifies that the validation rules of this field should be + // evaluated only if the field is not empty + optional bool ignore_empty = 14; +} + +// EnumRules describe the constraints applied to enum values +message EnumRules { + // Const specifies that this field must be exactly the specified value + optional int32 const = 1; + + // DefinedOnly specifies that this field must be only one of the defined + // values for this enum, failing on any undefined value. + optional bool defined_only = 2; + + // In specifies that this field must be equal to one of the specified + // values + repeated int32 in = 3; + + // NotIn specifies that this field cannot be equal to one of the specified + // values + repeated int32 not_in = 4; +} + +// MessageRules describe the constraints applied to embedded message values. +// For message-type fields, validation is performed recursively. +message MessageRules { + // Skip specifies that the validation rules of this field should not be + // evaluated + optional bool skip = 1; + + // Required specifies that this field must be set + optional bool required = 2; +} + +// RepeatedRules describe the constraints applied to `repeated` values +message RepeatedRules { + // MinItems specifies that this field must have the specified number of + // items at a minimum + optional uint64 min_items = 1; + + // MaxItems specifies that this field must have the specified number of + // items at a maximum + optional uint64 max_items = 2; + + // Unique specifies that all elements in this field must be unique. This + // contraint is only applicable to scalar and enum types (messages are not + // supported). + optional bool unique = 3; + + // Items specifies the contraints to be applied to each item in the field. + // Repeated message fields will still execute validation against each item + // unless skip is specified here. + optional FieldRules items = 4; + + // IgnoreEmpty specifies that the validation rules of this field should be + // evaluated only if the field is not empty + optional bool ignore_empty = 5; +} + +// MapRules describe the constraints applied to `map` values +message MapRules { + // MinPairs specifies that this field must have the specified number of + // KVs at a minimum + optional uint64 min_pairs = 1; + + // MaxPairs specifies that this field must have the specified number of + // KVs at a maximum + optional uint64 max_pairs = 2; + + // NoSparse specifies values in this field cannot be unset. This only + // applies to map's with message value types. + optional bool no_sparse = 3; + + // Keys specifies the constraints to be applied to each key in the field. + optional FieldRules keys = 4; + + // Values specifies the constraints to be applied to the value of each key + // in the field. Message values will still have their validations evaluated + // unless skip is specified here. + optional FieldRules values = 5; + + // IgnoreEmpty specifies that the validation rules of this field should be + // evaluated only if the field is not empty + optional bool ignore_empty = 6; +} + +// AnyRules describe constraints applied exclusively to the +// `google.protobuf.Any` well-known type +message AnyRules { + // Required specifies that this field must be set + optional bool required = 1; + + // In specifies that this field's `type_url` must be equal to one of the + // specified values. + repeated string in = 2; + + // NotIn specifies that this field's `type_url` must not be equal to any of + // the specified values. + repeated string not_in = 3; +} + +// DurationRules describe the constraints applied exclusively to the +// `google.protobuf.Duration` well-known type +message DurationRules { + // Required specifies that this field must be set + optional bool required = 1; + + // Const specifies that this field must be exactly the specified value + optional google.protobuf.Duration const = 2; + + // Lt specifies that this field must be less than the specified value, + // exclusive + optional google.protobuf.Duration lt = 3; + + // Lt specifies that this field must be less than the specified value, + // inclusive + optional google.protobuf.Duration lte = 4; + + // Gt specifies that this field must be greater than the specified value, + // exclusive + optional google.protobuf.Duration gt = 5; + + // Gte specifies that this field must be greater than the specified value, + // inclusive + optional google.protobuf.Duration gte = 6; + + // In specifies that this field must be equal to one of the specified + // values + repeated google.protobuf.Duration in = 7; + + // NotIn specifies that this field cannot be equal to one of the specified + // values + repeated google.protobuf.Duration not_in = 8; +} + +// TimestampRules describe the constraints applied exclusively to the +// `google.protobuf.Timestamp` well-known type +message TimestampRules { + // Required specifies that this field must be set + optional bool required = 1; + + // Const specifies that this field must be exactly the specified value + optional google.protobuf.Timestamp const = 2; + + // Lt specifies that this field must be less than the specified value, + // exclusive + optional google.protobuf.Timestamp lt = 3; + + // Lte specifies that this field must be less than the specified value, + // inclusive + optional google.protobuf.Timestamp lte = 4; + + // Gt specifies that this field must be greater than the specified value, + // exclusive + optional google.protobuf.Timestamp gt = 5; + + // Gte specifies that this field must be greater than the specified value, + // inclusive + optional google.protobuf.Timestamp gte = 6; + + // LtNow specifies that this must be less than the current time. LtNow + // can only be used with the Within rule. + optional bool lt_now = 7; + + // GtNow specifies that this must be greater than the current time. GtNow + // can only be used with the Within rule. + optional bool gt_now = 8; + + // Within specifies that this field must be within this duration of the + // current time. This constraint can be used alone or with the LtNow and + // GtNow rules. + optional google.protobuf.Duration within = 9; +} diff --git a/grpc-xds/proto/third_party/xds/LICENSE b/grpc-xds/proto/third_party/xds/LICENSE new file mode 100644 index 000000000..261eeb9e9 --- /dev/null +++ b/grpc-xds/proto/third_party/xds/LICENSE @@ -0,0 +1,201 @@ + Apache License + Version 2.0, January 2004 + http://www.apache.org/licenses/ + + TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION + + 1. Definitions. + + "License" shall mean the terms and conditions for use, reproduction, + and distribution as defined by Sections 1 through 9 of this document. + + "Licensor" shall mean the copyright owner or entity authorized by + the copyright owner that is granting the License. + + "Legal Entity" shall mean the union of the acting entity and all + other entities that control, are controlled by, or are under common + control with that entity. For the purposes of this definition, + "control" means (i) the power, direct or indirect, to cause the + direction or management of such entity, whether by contract or + otherwise, or (ii) ownership of fifty percent (50%) or more of the + outstanding shares, or (iii) beneficial ownership of such entity. + + "You" (or "Your") shall mean an individual or Legal Entity + exercising permissions granted by this License. + + "Source" form shall mean the preferred form for making modifications, + including but not limited to software source code, documentation + source, and configuration files. + + "Object" form shall mean any form resulting from mechanical + transformation or translation of a Source form, including but + not limited to compiled object code, generated documentation, + and conversions to other media types. + + "Work" shall mean the work of authorship, whether in Source or + Object form, made available under the License, as indicated by a + copyright notice that is included in or attached to the work + (an example is provided in the Appendix below). + + "Derivative Works" shall mean any work, whether in Source or Object + form, that is based on (or derived from) the Work and for which the + editorial revisions, annotations, elaborations, or other modifications + represent, as a whole, an original work of authorship. For the purposes + of this License, Derivative Works shall not include works that remain + separable from, or merely link (or bind by name) to the interfaces of, + the Work and Derivative Works thereof. + + "Contribution" shall mean any work of authorship, including + the original version of the Work and any modifications or additions + to that Work or Derivative Works thereof, that is intentionally + submitted to Licensor for inclusion in the Work by the copyright owner + or by an individual or Legal Entity authorized to submit on behalf of + the copyright owner. For the purposes of this definition, "submitted" + means any form of electronic, verbal, or written communication sent + to the Licensor or its representatives, including but not limited to + communication on electronic mailing lists, source code control systems, + and issue tracking systems that are managed by, or on behalf of, the + Licensor for the purpose of discussing and improving the Work, but + excluding communication that is conspicuously marked or otherwise + designated in writing by the copyright owner as "Not a Contribution." + + "Contributor" shall mean Licensor and any individual or Legal Entity + on behalf of whom a Contribution has been received by Licensor and + subsequently incorporated within the Work. + + 2. Grant of Copyright License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + copyright license to reproduce, prepare Derivative Works of, + publicly display, publicly perform, sublicense, and distribute the + Work and such Derivative Works in Source or Object form. + + 3. Grant of Patent License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + (except as stated in this section) patent license to make, have made, + use, offer to sell, sell, import, and otherwise transfer the Work, + where such license applies only to those patent claims licensable + by such Contributor that are necessarily infringed by their + Contribution(s) alone or by combination of their Contribution(s) + with the Work to which such Contribution(s) was submitted. If You + institute patent litigation against any entity (including a + cross-claim or counterclaim in a lawsuit) alleging that the Work + or a Contribution incorporated within the Work constitutes direct + or contributory patent infringement, then any patent licenses + granted to You under this License for that Work shall terminate + as of the date such litigation is filed. + + 4. Redistribution. You may reproduce and distribute copies of the + Work or Derivative Works thereof in any medium, with or without + modifications, and in Source or Object form, provided that You + meet the following conditions: + + (a) You must give any other recipients of the Work or + Derivative Works a copy of this License; and + + (b) You must cause any modified files to carry prominent notices + stating that You changed the files; and + + (c) You must retain, in the Source form of any Derivative Works + that You distribute, all copyright, patent, trademark, and + attribution notices from the Source form of the Work, + excluding those notices that do not pertain to any part of + the Derivative Works; and + + (d) If the Work includes a "NOTICE" text file as part of its + distribution, then any Derivative Works that You distribute must + include a readable copy of the attribution notices contained + within such NOTICE file, excluding those notices that do not + pertain to any part of the Derivative Works, in at least one + of the following places: within a NOTICE text file distributed + as part of the Derivative Works; within the Source form or + documentation, if provided along with the Derivative Works; or, + within a display generated by the Derivative Works, if and + wherever such third-party notices normally appear. The contents + of the NOTICE file are for informational purposes only and + do not modify the License. You may add Your own attribution + notices within Derivative Works that You distribute, alongside + or as an addendum to the NOTICE text from the Work, provided + that such additional attribution notices cannot be construed + as modifying the License. + + You may add Your own copyright statement to Your modifications and + may provide additional or different license terms and conditions + for use, reproduction, or distribution of Your modifications, or + for any such Derivative Works as a whole, provided Your use, + reproduction, and distribution of the Work otherwise complies with + the conditions stated in this License. + + 5. Submission of Contributions. Unless You explicitly state otherwise, + any Contribution intentionally submitted for inclusion in the Work + by You to the Licensor shall be under the terms and conditions of + this License, without any additional terms or conditions. + Notwithstanding the above, nothing herein shall supersede or modify + the terms of any separate license agreement you may have executed + with Licensor regarding such Contributions. + + 6. Trademarks. This License does not grant permission to use the trade + names, trademarks, service marks, or product names of the Licensor, + except as required for reasonable and customary use in describing the + origin of the Work and reproducing the content of the NOTICE file. + + 7. Disclaimer of Warranty. Unless required by applicable law or + agreed to in writing, Licensor provides the Work (and each + Contributor provides its Contributions) on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or + implied, including, without limitation, any warranties or conditions + of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A + PARTICULAR PURPOSE. You are solely responsible for determining the + appropriateness of using or redistributing the Work and assume any + risks associated with Your exercise of permissions under this License. + + 8. Limitation of Liability. In no event and under no legal theory, + whether in tort (including negligence), contract, or otherwise, + unless required by applicable law (such as deliberate and grossly + negligent acts) or agreed to in writing, shall any Contributor be + liable to You for damages, including any direct, indirect, special, + incidental, or consequential damages of any character arising as a + result of this License or out of the use or inability to use the + Work (including but not limited to damages for loss of goodwill, + work stoppage, computer failure or malfunction, or any and all + other commercial damages or losses), even if such Contributor + has been advised of the possibility of such damages. + + 9. Accepting Warranty or Additional Liability. While redistributing + the Work or Derivative Works thereof, You may choose to offer, + and charge a fee for, acceptance of support, warranty, indemnity, + or other liability obligations and/or rights consistent with this + License. However, in accepting such obligations, You may act only + on Your own behalf and on Your sole responsibility, not on behalf + of any other Contributor, and only if You agree to indemnify, + defend, and hold each Contributor harmless for any liability + incurred by, or claims asserted against, such Contributor by reason + of your accepting any such warranty or additional liability. + + END OF TERMS AND CONDITIONS + + APPENDIX: How to apply the Apache License to your work. + + To apply the Apache License to your work, attach the following + boilerplate notice, with the fields enclosed by brackets "[]" + replaced with your own identifying information. (Don't include + the brackets!) The text should be enclosed in the appropriate + comment syntax for the file format. We also recommend that a + file or class name and description of purpose be included on the + same "printed page" as the copyright notice for easier + identification within third-party archives. + + Copyright [yyyy] [name of copyright owner] + + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. diff --git a/grpc-xds/proto/third_party/xds/import.sh b/grpc-xds/proto/third_party/xds/import.sh new file mode 100755 index 000000000..cc4f1347d --- /dev/null +++ b/grpc-xds/proto/third_party/xds/import.sh @@ -0,0 +1,46 @@ +#!/bin/bash +set -e + +# Update VERSION then execute this script. +# Imports cncf/xds protos into src/main/proto. +# Modeled after grpc-java's xds/third_party/xds/import.sh. + +source "$(cd "$(dirname "$0")" && pwd)/../import_common.sh" + +# import VERSION from one of the google internal CLs +VERSION=2ac532fd44436293585084f8d94c6bdb17835af0 +DOWNLOAD_URL="https://github.com/cncf/xds/archive/${VERSION}.tar.gz" +DOWNLOAD_BASE_DIR="xds-${VERSION}" +SOURCE_PROTO_BASE_DIR="${DOWNLOAD_BASE_DIR}" +# Sorted alphabetically. +FILES=( +udpa/annotations/migrate.proto +udpa/annotations/security.proto +udpa/annotations/sensitive.proto +udpa/annotations/status.proto +udpa/annotations/versioning.proto +udpa/type/v1/typed_struct.proto +xds/annotations/v3/migrate.proto +xds/annotations/v3/security.proto +xds/annotations/v3/sensitive.proto +xds/annotations/v3/status.proto +xds/annotations/v3/versioning.proto +xds/core/v3/authority.proto +xds/core/v3/collection_entry.proto +xds/core/v3/context_params.proto +xds/core/v3/cidr.proto +xds/core/v3/extension.proto +xds/core/v3/resource_locator.proto +xds/core/v3/resource_name.proto +xds/data/orca/v3/orca_load_report.proto +xds/service/orca/v3/orca.proto +xds/type/matcher/v3/cel.proto +xds/type/matcher/v3/matcher.proto +xds/type/matcher/v3/regex.proto +xds/type/matcher/v3/string.proto +xds/type/v3/cel.proto +xds/type/matcher/v3/http_inputs.proto +xds/type/v3/typed_struct.proto +) + +import_protos diff --git a/grpc-xds/proto/third_party/xds/udpa/annotations/migrate.proto b/grpc-xds/proto/third_party/xds/udpa/annotations/migrate.proto new file mode 100644 index 000000000..5f5f389b7 --- /dev/null +++ b/grpc-xds/proto/third_party/xds/udpa/annotations/migrate.proto @@ -0,0 +1,55 @@ +// THIS FILE IS DEPRECATED +// Users should instead use the corresponding proto in the xds tree. +// No new changes will be accepted here. + +syntax = "proto3"; + +package udpa.annotations; + +import "google/protobuf/descriptor.proto"; + +option go_package = "github.com/cncf/xds/go/udpa/annotations"; + +// Magic number in this file derived from top 28bit of SHA256 digest of +// "udpa.annotation.migrate". + +extend google.protobuf.MessageOptions { + MigrateAnnotation message_migrate = 171962766; +} + +extend google.protobuf.FieldOptions { + FieldMigrateAnnotation field_migrate = 171962766; +} + +extend google.protobuf.EnumOptions { + MigrateAnnotation enum_migrate = 171962766; +} + +extend google.protobuf.EnumValueOptions { + MigrateAnnotation enum_value_migrate = 171962766; +} + +extend google.protobuf.FileOptions { + FileMigrateAnnotation file_migrate = 171962766; +} + +message MigrateAnnotation { + // Rename the message/enum/enum value in next version. + string rename = 1; +} + +message FieldMigrateAnnotation { + // Rename the field in next version. + string rename = 1; + + // Add the field to a named oneof in next version. If this already exists, the + // field will join its siblings under the oneof, otherwise a new oneof will be + // created with the given name. + string oneof_promotion = 2; +} + +message FileMigrateAnnotation { + // Move all types in the file to another package, this implies changing proto + // file path. + string move_to_package = 2; +} diff --git a/grpc-xds/proto/third_party/xds/udpa/annotations/security.proto b/grpc-xds/proto/third_party/xds/udpa/annotations/security.proto new file mode 100644 index 000000000..0ef919716 --- /dev/null +++ b/grpc-xds/proto/third_party/xds/udpa/annotations/security.proto @@ -0,0 +1,34 @@ +// THIS FILE IS DEPRECATED +// Users should instead use the corresponding proto in the xds tree. +// No new changes will be accepted here. + +syntax = "proto3"; + +package udpa.annotations; + +import "udpa/annotations/status.proto"; + +import "google/protobuf/descriptor.proto"; + +option go_package = "github.com/cncf/xds/go/udpa/annotations"; + +// All annotations in this file are experimental and subject to change. Their +// only consumer today is the Envoy APIs and SecuritAnnotationValidator protoc +// plugin in this repository. +option (udpa.annotations.file_status).work_in_progress = true; + +extend google.protobuf.FieldOptions { + // Magic number is the 28 most significant bits in the sha256sum of + // "udpa.annotations.security". + FieldSecurityAnnotation security = 11122993; +} + +// These annotations indicate metadata for the purpose of understanding the +// security significance of fields. +message FieldSecurityAnnotation { + // Field should be set in the presence of untrusted downstreams. + bool configure_for_untrusted_downstream = 1; + + // Field should be set in the presence of untrusted upstreams. + bool configure_for_untrusted_upstream = 2; +} diff --git a/grpc-xds/proto/third_party/xds/udpa/annotations/sensitive.proto b/grpc-xds/proto/third_party/xds/udpa/annotations/sensitive.proto new file mode 100644 index 000000000..c7d8af608 --- /dev/null +++ b/grpc-xds/proto/third_party/xds/udpa/annotations/sensitive.proto @@ -0,0 +1,20 @@ +// THIS FILE IS DEPRECATED +// Users should instead use the corresponding proto in the xds tree. +// No new changes will be accepted here. + +syntax = "proto3"; + +package udpa.annotations; + +import "google/protobuf/descriptor.proto"; + +option go_package = "github.com/cncf/xds/go/udpa/annotations"; + +extend google.protobuf.FieldOptions { + // Magic number is the 28 most significant bits in the sha256sum of "udpa.annotations.sensitive". + // When set to true, `sensitive` indicates that this field contains sensitive data, such as + // personally identifiable information, passwords, or private keys, and should be redacted for + // display by tools aware of this annotation. Note that that this has no effect on standard + // Protobuf functions such as `TextFormat::PrintToString`. + bool sensitive = 76569463; +} diff --git a/grpc-xds/proto/third_party/xds/udpa/annotations/status.proto b/grpc-xds/proto/third_party/xds/udpa/annotations/status.proto new file mode 100644 index 000000000..5a90bde29 --- /dev/null +++ b/grpc-xds/proto/third_party/xds/udpa/annotations/status.proto @@ -0,0 +1,40 @@ +// THIS FILE IS DEPRECATED +// Users should instead use the corresponding proto in the xds tree. +// No new changes will be accepted here. + +syntax = "proto3"; + +package udpa.annotations; + +import "google/protobuf/descriptor.proto"; + +option go_package = "github.com/cncf/xds/go/udpa/annotations"; + +// Magic number in this file derived from top 28bit of SHA256 digest of +// "udpa.annotation.status". +extend google.protobuf.FileOptions { + StatusAnnotation file_status = 222707719; +} + +enum PackageVersionStatus { + // Unknown package version status. + UNKNOWN = 0; + + // This version of the package is frozen. + FROZEN = 1; + + // This version of the package is the active development version. + ACTIVE = 2; + + // This version of the package is the candidate for the next major version. It + // is typically machine generated from the active development version. + NEXT_MAJOR_VERSION_CANDIDATE = 3; +} + +message StatusAnnotation { + // The entity is work-in-progress and subject to breaking changes. + bool work_in_progress = 1; + + // The entity belongs to a package with the given version status. + PackageVersionStatus package_version_status = 2; +} diff --git a/grpc-xds/proto/third_party/xds/udpa/annotations/versioning.proto b/grpc-xds/proto/third_party/xds/udpa/annotations/versioning.proto new file mode 100644 index 000000000..06df78d81 --- /dev/null +++ b/grpc-xds/proto/third_party/xds/udpa/annotations/versioning.proto @@ -0,0 +1,23 @@ +// THIS FILE IS DEPRECATED +// Users should instead use the corresponding proto in the xds tree. +// No new changes will be accepted here. + +syntax = "proto3"; + +package udpa.annotations; + +import "google/protobuf/descriptor.proto"; + +option go_package = "github.com/cncf/xds/go/udpa/annotations"; + +extend google.protobuf.MessageOptions { + // Magic number derived from 0x78 ('x') 0x44 ('D') 0x53 ('S') + VersioningAnnotation versioning = 7881811; +} + +message VersioningAnnotation { + // Track the previous message type. E.g. this message might be + // udpa.foo.v3alpha.Foo and it was previously udpa.bar.v2.Bar. This + // information is consumed by UDPA via proto descriptors. + string previous_message_type = 1; +} diff --git a/grpc-xds/proto/third_party/xds/udpa/type/v1/typed_struct.proto b/grpc-xds/proto/third_party/xds/udpa/type/v1/typed_struct.proto new file mode 100644 index 000000000..10eaef1a6 --- /dev/null +++ b/grpc-xds/proto/third_party/xds/udpa/type/v1/typed_struct.proto @@ -0,0 +1,46 @@ +// THIS FILE IS DEPRECATED +// Users should instead use the corresponding proto in the xds tree. +// No new changes will be accepted here. + +syntax = "proto3"; + +package udpa.type.v1; + +option java_outer_classname = "TypedStructProto"; +option java_multiple_files = true; +option java_package = "com.github.udpa.udpa.type.v1"; +option go_package = "github.com/cncf/xds/go/udpa/type/v1"; + +import "google/protobuf/struct.proto"; + +// A TypedStruct contains an arbitrary JSON serialized protocol buffer message with a URL that +// describes the type of the serialized message. This is very similar to google.protobuf.Any, +// instead of having protocol buffer binary, this employs google.protobuf.Struct as value. +// +// This message is intended to be embedded inside Any, so it shouldn't be directly referred +// from other UDPA messages. +// +// When packing an opaque extension config, packing the expected type into Any is preferred +// wherever possible for its efficiency. TypedStruct should be used only if a proto descriptor +// is not available, for example if: +// - A control plane sends opaque message that is originally from external source in human readable +// format such as JSON or YAML. +// - The control plane doesn't have the knowledge of the protocol buffer schema hence it cannot +// serialize the message in protocol buffer binary format. +// - The DPLB doesn't have have the knowledge of the protocol buffer schema its plugin or extension +// uses. This has to be indicated in the DPLB capability negotiation. +// +// When a DPLB receives a TypedStruct in Any, it should: +// - Check if the type_url of the TypedStruct matches the type the extension expects. +// - Convert value to the type described in type_url and perform validation. +// TODO(lizan): Figure out how TypeStruct should be used with DPLB extensions that doesn't link +// protobuf descriptor with DPLB itself, (e.g. gRPC LB Plugin, Envoy WASM extensions). +message TypedStruct { + // A URL that uniquely identifies the type of the serialize protocol buffer message. + // This has same semantics and format described in google.protobuf.Any: + // https://github.com/protocolbuffers/protobuf/blob/master/src/google/protobuf/any.proto + string type_url = 1; + + // A JSON representation of the above specified type. + google.protobuf.Struct value = 2; +} diff --git a/grpc-xds/proto/third_party/xds/xds/annotations/v3/migrate.proto b/grpc-xds/proto/third_party/xds/xds/annotations/v3/migrate.proto new file mode 100644 index 000000000..13859274c --- /dev/null +++ b/grpc-xds/proto/third_party/xds/xds/annotations/v3/migrate.proto @@ -0,0 +1,46 @@ +syntax = "proto3"; + +package xds.annotations.v3; + +import "google/protobuf/descriptor.proto"; + +option go_package = "github.com/cncf/xds/go/xds/annotations/v3"; + +// Magic number in this file derived from top 28bit of SHA256 digest of +// "xds.annotation.v3.migrate". +extend google.protobuf.MessageOptions { + MigrateAnnotation message_migrate = 112948430; +} +extend google.protobuf.FieldOptions { + FieldMigrateAnnotation field_migrate = 112948430; +} +extend google.protobuf.EnumOptions { + MigrateAnnotation enum_migrate = 112948430; +} +extend google.protobuf.EnumValueOptions { + MigrateAnnotation enum_value_migrate = 112948430; +} +extend google.protobuf.FileOptions { + FileMigrateAnnotation file_migrate = 112948430; +} + +message MigrateAnnotation { + // Rename the message/enum/enum value in next version. + string rename = 1; +} + +message FieldMigrateAnnotation { + // Rename the field in next version. + string rename = 1; + + // Add the field to a named oneof in next version. If this already exists, the + // field will join its siblings under the oneof, otherwise a new oneof will be + // created with the given name. + string oneof_promotion = 2; +} + +message FileMigrateAnnotation { + // Move all types in the file to another package, this implies changing proto + // file path. + string move_to_package = 2; +} diff --git a/grpc-xds/proto/third_party/xds/xds/annotations/v3/security.proto b/grpc-xds/proto/third_party/xds/xds/annotations/v3/security.proto new file mode 100644 index 000000000..f1f9f40da --- /dev/null +++ b/grpc-xds/proto/third_party/xds/xds/annotations/v3/security.proto @@ -0,0 +1,30 @@ +syntax = "proto3"; + +package xds.annotations.v3; + +import "xds/annotations/v3/status.proto"; + +import "google/protobuf/descriptor.proto"; + +option go_package = "github.com/cncf/xds/go/xds/annotations/v3"; + +// All annotations in this file are experimental and subject to change. Their +// only consumer today is the Envoy APIs and SecuritAnnotationValidator protoc +// plugin in this repository. +option (xds.annotations.v3.file_status).work_in_progress = true; + +extend google.protobuf.FieldOptions { + // Magic number is the 28 most significant bits in the sha256sum of + // "xds.annotations.v3.security". + FieldSecurityAnnotation security = 99044135; +} + +// These annotations indicate metadata for the purpose of understanding the +// security significance of fields. +message FieldSecurityAnnotation { + // Field should be set in the presence of untrusted downstreams. + bool configure_for_untrusted_downstream = 1; + + // Field should be set in the presence of untrusted upstreams. + bool configure_for_untrusted_upstream = 2; +} diff --git a/grpc-xds/proto/third_party/xds/xds/annotations/v3/sensitive.proto b/grpc-xds/proto/third_party/xds/xds/annotations/v3/sensitive.proto new file mode 100644 index 000000000..e2cc0b792 --- /dev/null +++ b/grpc-xds/proto/third_party/xds/xds/annotations/v3/sensitive.proto @@ -0,0 +1,16 @@ +syntax = "proto3"; + +package xds.annotations.v3; + +import "google/protobuf/descriptor.proto"; + +option go_package = "github.com/cncf/xds/go/xds/annotations/v3"; + +extend google.protobuf.FieldOptions { + // Magic number is the 28 most significant bits in the sha256sum of "xds.annotations.v3.sensitive". + // When set to true, `sensitive` indicates that this field contains sensitive data, such as + // personally identifiable information, passwords, or private keys, and should be redacted for + // display by tools aware of this annotation. Note that that this has no effect on standard + // Protobuf functions such as `TextFormat::PrintToString`. + bool sensitive = 61008053; +} diff --git a/grpc-xds/proto/third_party/xds/xds/annotations/v3/status.proto b/grpc-xds/proto/third_party/xds/xds/annotations/v3/status.proto new file mode 100644 index 000000000..367e784f6 --- /dev/null +++ b/grpc-xds/proto/third_party/xds/xds/annotations/v3/status.proto @@ -0,0 +1,59 @@ +syntax = "proto3"; + +package xds.annotations.v3; + +import "google/protobuf/descriptor.proto"; + +option go_package = "github.com/cncf/xds/go/xds/annotations/v3"; + +// Magic number in this file derived from top 28bit of SHA256 digest of +// "xds.annotations.v3.status". +extend google.protobuf.FileOptions { + FileStatusAnnotation file_status = 226829418; +} + +extend google.protobuf.MessageOptions { + MessageStatusAnnotation message_status = 226829418; +} + +extend google.protobuf.FieldOptions { + FieldStatusAnnotation field_status = 226829418; +} + +message FileStatusAnnotation { + // The entity is work-in-progress and subject to breaking changes. + bool work_in_progress = 1; +} + +message MessageStatusAnnotation { + // The entity is work-in-progress and subject to breaking changes. + bool work_in_progress = 1; +} + +message FieldStatusAnnotation { + // The entity is work-in-progress and subject to breaking changes. + bool work_in_progress = 1; +} + +enum PackageVersionStatus { + // Unknown package version status. + UNKNOWN = 0; + + // This version of the package is frozen. + FROZEN = 1; + + // This version of the package is the active development version. + ACTIVE = 2; + + // This version of the package is the candidate for the next major version. It + // is typically machine generated from the active development version. + NEXT_MAJOR_VERSION_CANDIDATE = 3; +} + +message StatusAnnotation { + // The entity is work-in-progress and subject to breaking changes. + bool work_in_progress = 1; + + // The entity belongs to a package with the given version status. + PackageVersionStatus package_version_status = 2; +} diff --git a/grpc-xds/proto/third_party/xds/xds/annotations/v3/versioning.proto b/grpc-xds/proto/third_party/xds/xds/annotations/v3/versioning.proto new file mode 100644 index 000000000..b6440f194 --- /dev/null +++ b/grpc-xds/proto/third_party/xds/xds/annotations/v3/versioning.proto @@ -0,0 +1,20 @@ +syntax = "proto3"; + +package xds.annotations.v3; + +import "google/protobuf/descriptor.proto"; + +option go_package = "github.com/cncf/xds/go/xds/annotations/v3"; + +extend google.protobuf.MessageOptions { + // Magic number is the 28 most significant bits in the sha256sum of + // "xds.annotations.v3.versioning". + VersioningAnnotation versioning = 92389011; +} + +message VersioningAnnotation { + // Track the previous message type. E.g. this message might be + // xds.foo.v3alpha.Foo and it was previously xds.bar.v2.Bar. This + // information is consumed by UDPA via proto descriptors. + string previous_message_type = 1; +} diff --git a/grpc-xds/proto/third_party/xds/xds/core/v3/authority.proto b/grpc-xds/proto/third_party/xds/xds/core/v3/authority.proto new file mode 100644 index 000000000..d666c38ea --- /dev/null +++ b/grpc-xds/proto/third_party/xds/xds/core/v3/authority.proto @@ -0,0 +1,22 @@ +syntax = "proto3"; + +package xds.core.v3; + +import "xds/annotations/v3/status.proto"; + +import "validate/validate.proto"; + +option java_outer_classname = "AuthorityProto"; +option java_multiple_files = true; +option java_package = "com.github.xds.core.v3"; +option go_package = "github.com/cncf/xds/go/xds/core/v3"; + +option (xds.annotations.v3.file_status).work_in_progress = true; + +// xDS authority information. +message Authority { + string name = 1 [(validate.rules).string = {min_len: 1}]; + + // .. space reserved for additional authority addressing information, e.g. for + // resource signing, items such as CA trust chain, cert pinning may be added. +} diff --git a/grpc-xds/proto/third_party/xds/xds/core/v3/cidr.proto b/grpc-xds/proto/third_party/xds/xds/core/v3/cidr.proto new file mode 100644 index 000000000..c40dab2f2 --- /dev/null +++ b/grpc-xds/proto/third_party/xds/xds/core/v3/cidr.proto @@ -0,0 +1,25 @@ +syntax = "proto3"; + +package xds.core.v3; + +import "xds/annotations/v3/status.proto"; +import "google/protobuf/wrappers.proto"; + +import "validate/validate.proto"; + +option java_outer_classname = "CidrRangeProto"; +option java_multiple_files = true; +option java_package = "com.github.xds.core.v3"; +option go_package = "github.com/cncf/xds/go/xds/core/v3"; + +option (xds.annotations.v3.file_status).work_in_progress = true; + +// CidrRange specifies an IP Address and a prefix length to construct +// the subnet mask for a `CIDR `_ range. +message CidrRange { + // IPv4 or IPv6 address, e.g. ``192.0.0.0`` or ``2001:db8::``. + string address_prefix = 1 [(validate.rules).string = {min_len: 1}]; + + // Length of prefix, e.g. 0, 32. Defaults to 0 when unset. + google.protobuf.UInt32Value prefix_len = 2 [(validate.rules).uint32 = {lte: 128}]; +} diff --git a/grpc-xds/proto/third_party/xds/xds/core/v3/collection_entry.proto b/grpc-xds/proto/third_party/xds/xds/core/v3/collection_entry.proto new file mode 100644 index 000000000..c844d614e --- /dev/null +++ b/grpc-xds/proto/third_party/xds/xds/core/v3/collection_entry.proto @@ -0,0 +1,55 @@ +syntax = "proto3"; + +package xds.core.v3; + +import "google/protobuf/any.proto"; + +import "xds/annotations/v3/status.proto"; +import "xds/core/v3/resource_locator.proto"; + +import "validate/validate.proto"; + +option java_outer_classname = "CollectionEntryProto"; +option java_multiple_files = true; +option java_package = "com.github.xds.core.v3"; +option go_package = "github.com/cncf/xds/go/xds/core/v3"; + +option (xds.annotations.v3.file_status).work_in_progress = true; + +// xDS collection resource wrapper. This encapsulates a xDS resource when +// appearing inside a list collection resource. List collection resources are +// regular Resource messages of type: +// +// .. code-block:: proto +// +// message Collection { +// repeated CollectionEntry resources = 1; +// } +// +message CollectionEntry { + // Inlined resource entry. + message InlineEntry { + // Optional name to describe the inlined resource. Resource names must match + // ``[a-zA-Z0-9_-\./]+`` (TODO(htuch): turn this into a PGV constraint once + // finalized, probably should be a RFC3986 pchar). This name allows + // reference via the #entry directive in ResourceLocator. + string name = 1 [(validate.rules).string.pattern = "^[0-9a-zA-Z_\\-\\.~:]+$"]; + + // The resource's logical version. It is illegal to have the same named xDS + // resource name at a given version with different resource payloads. + string version = 2; + + // The resource payload, including type URL. + google.protobuf.Any resource = 3; + } + + oneof resource_specifier { + option (validate.required) = true; + + // A resource locator describing how the member resource is to be located. + ResourceLocator locator = 1; + + // The resource is inlined in the list collection. + InlineEntry inline_entry = 2; + } +} diff --git a/grpc-xds/proto/third_party/xds/xds/core/v3/context_params.proto b/grpc-xds/proto/third_party/xds/xds/core/v3/context_params.proto new file mode 100644 index 000000000..a42c7a859 --- /dev/null +++ b/grpc-xds/proto/third_party/xds/xds/core/v3/context_params.proto @@ -0,0 +1,23 @@ +syntax = "proto3"; + +package xds.core.v3; + +import "xds/annotations/v3/status.proto"; + +option java_outer_classname = "ContextParamsProto"; +option java_multiple_files = true; +option java_package = "com.github.xds.core.v3"; +option go_package = "github.com/cncf/xds/go/xds/core/v3"; + +option (xds.annotations.v3.file_status).work_in_progress = true; + +// Additional parameters that can be used to select resource variants. These include any +// global context parameters, per-resource type client feature capabilities and per-resource +// type functional attributes. All per-resource type attributes will be `xds.resource.` +// prefixed and some of these are documented below: +// +// `xds.resource.listening_address`: The value is "IP:port" (e.g. "10.1.1.3:8080") which is +// the listening address of a Listener. Used in a Listener resource query. +message ContextParams { + map params = 1; +} diff --git a/grpc-xds/proto/third_party/xds/xds/core/v3/extension.proto b/grpc-xds/proto/third_party/xds/xds/core/v3/extension.proto new file mode 100644 index 000000000..dd489eb99 --- /dev/null +++ b/grpc-xds/proto/third_party/xds/xds/core/v3/extension.proto @@ -0,0 +1,26 @@ +syntax = "proto3"; + +package xds.core.v3; + +option java_outer_classname = "ExtensionProto"; +option java_multiple_files = true; +option java_package = "com.github.xds.core.v3"; +option go_package = "github.com/cncf/xds/go/xds/core/v3"; + +import "validate/validate.proto"; +import "google/protobuf/any.proto"; + +// Message type for extension configuration. +message TypedExtensionConfig { + // The name of an extension. This is not used to select the extension, instead + // it serves the role of an opaque identifier. + string name = 1 [(validate.rules).string = {min_len: 1}]; + + // The typed config for the extension. The type URL will be used to identify + // the extension. In the case that the type URL is *xds.type.v3.TypedStruct* + // (or, for historical reasons, *udpa.type.v1.TypedStruct*), the inner type + // URL of *TypedStruct* will be utilized. See the + // :ref:`extension configuration overview + // ` for further details. + google.protobuf.Any typed_config = 2 [(validate.rules).any = {required: true}]; +} diff --git a/grpc-xds/proto/third_party/xds/xds/core/v3/resource_locator.proto b/grpc-xds/proto/third_party/xds/xds/core/v3/resource_locator.proto new file mode 100644 index 000000000..9b40d52fc --- /dev/null +++ b/grpc-xds/proto/third_party/xds/xds/core/v3/resource_locator.proto @@ -0,0 +1,118 @@ +syntax = "proto3"; + +package xds.core.v3; + +import "xds/annotations/v3/status.proto"; +import "xds/core/v3/context_params.proto"; + +import "validate/validate.proto"; + +option java_outer_classname = "ResourceLocatorProto"; +option java_multiple_files = true; +option java_package = "com.github.xds.core.v3"; +option go_package = "github.com/cncf/xds/go/xds/core/v3"; + +option (xds.annotations.v3.file_status).work_in_progress = true; + +// xDS resource locators identify a xDS resource name and instruct the +// data-plane load balancer on how the resource may be located. +// +// Resource locators have a canonical xdstp:// URI representation: +// +// xdstp://{authority}/{type_url}/{id}?{context_params}{#directive,*} +// +// where context_params take the form of URI query parameters. +// +// Resource locators have a similar canonical http:// URI representation: +// +// http://{authority}/{type_url}/{id}?{context_params}{#directive,*} +// +// Resource locators also have a simplified file:// URI representation: +// +// file:///{id}{#directive,*} +// +message ResourceLocator { + enum Scheme { + XDSTP = 0; + HTTP = 1; + FILE = 2; + } + + // URI scheme. + Scheme scheme = 1 [(validate.rules).enum = {defined_only: true}]; + + // Opaque identifier for the resource. Any '/' will not be escaped during URI + // encoding and will form part of the URI path. This may end + // with ‘*’ for glob collection references. + string id = 2; + + // Logical authority for resource (not necessarily transport network address). + // Authorities are opaque in the xDS API, data-plane load balancers will map + // them to concrete network transports such as an xDS management server, e.g. + // via envoy.config.core.v3.ConfigSource. + string authority = 3; + + // Fully qualified resource type (as in type URL without types.googleapis.com/ + // prefix). + string resource_type = 4 [(validate.rules).string = {min_len: 1}]; + + oneof context_param_specifier { + // Additional parameters that can be used to select resource variants. + // Matches must be exact, i.e. all context parameters must match exactly and + // there must be no additional context parameters set on the matched + // resource. + ContextParams exact_context = 5; + + // .. space reserved for future potential matchers, e.g. CEL expressions. + } + + // Directives provide information to data-plane load balancers on how xDS + // resource names are to be interpreted and potentially further resolved. For + // example, they may provide alternative resource locators for when primary + // resolution fails. Directives are not part of resource names and do not + // appear in a xDS transport discovery request. + // + // When encoding to URIs, directives take the form: + // + // = + // + // For example, we can have alt=xdstp://foo/bar or entry=some%20thing. Each + // directive value type may have its own string encoding, in the case of + // ResourceLocator there is a recursive URI encoding. + // + // Percent encoding applies to the URI encoding of the directive value. + // Multiple directives are comma-separated, so the reserved characters that + // require percent encoding in a directive value are [',', '#', '[', ']', + // '%']. These are the RFC3986 fragment reserved characters with the addition + // of the xDS scheme specific ','. See + // https://tools.ietf.org/html/rfc3986#page-49 for further details on URI ABNF + // and reserved characters. + message Directive { + oneof directive { + option (validate.required) = true; + + // An alternative resource locator for fallback if the resource is + // unavailable. For example, take the resource locator: + // + // xdstp://foo/some-type/some-route-table#alt=xdstp://bar/some-type/another-route-table + // + // If the data-plane load balancer is unable to reach `foo` to fetch the + // resource, it will fallback to `bar`. Alternative resources do not need + // to have equivalent content, but they should be functional substitutes. + ResourceLocator alt = 1; + + // List collections support inlining of resources via the entry field in + // Resource. These inlined Resource objects may have an optional name + // field specified. When specified, the entry directive allows + // ResourceLocator to directly reference these inlined resources, e.g. + // xdstp://.../foo#entry=bar. + string entry = 2 [(validate.rules).string = {min_len: 1, pattern: "^[0-9a-zA-Z_\\-\\./~:]+$"}]; + } + } + + // A list of directives that appear in the xDS resource locator #fragment. + // + // When encoding to URI form, directives are percent encoded with comma + // separation. + repeated Directive directives = 6; +} diff --git a/grpc-xds/proto/third_party/xds/xds/core/v3/resource_name.proto b/grpc-xds/proto/third_party/xds/xds/core/v3/resource_name.proto new file mode 100644 index 000000000..0f3d99740 --- /dev/null +++ b/grpc-xds/proto/third_party/xds/xds/core/v3/resource_name.proto @@ -0,0 +1,42 @@ +syntax = "proto3"; + +package xds.core.v3; + +import "xds/annotations/v3/status.proto"; +import "xds/core/v3/context_params.proto"; + +import "validate/validate.proto"; + +option java_outer_classname = "ResourceNameProto"; +option java_multiple_files = true; +option java_package = "com.github.xds.core.v3"; +option go_package = "github.com/cncf/xds/go/xds/core/v3"; + +option (xds.annotations.v3.file_status).work_in_progress = true; + +// xDS resource name. This has a canonical xdstp:// URI representation: +// +// xdstp://{authority}/{type_url}/{id}?{context_params} +// +// where context_params take the form of URI query parameters. +// +// A xDS resource name fully identifies a network resource for transport +// purposes. xDS resource names in this form appear only in discovery +// request/response messages used with the xDS transport. +message ResourceName { + // Opaque identifier for the resource. Any '/' will not be escaped during URI + // encoding and will form part of the URI path. + string id = 1; + + // Logical authority for resource (not necessarily transport network address). + // Authorities are opaque in the xDS API, data-plane load balancers will map + // them to concrete network transports such as an xDS management server. + string authority = 2; + + // Fully qualified resource type (as in type URL without types.googleapis.com/ + // prefix). + string resource_type = 3 [(validate.rules).string = {min_len: 1}]; + + // Additional parameters that can be used to select resource variants. + ContextParams context = 4; +} diff --git a/grpc-xds/proto/third_party/xds/xds/data/orca/v3/orca_load_report.proto b/grpc-xds/proto/third_party/xds/xds/data/orca/v3/orca_load_report.proto new file mode 100644 index 000000000..1b0847585 --- /dev/null +++ b/grpc-xds/proto/third_party/xds/xds/data/orca/v3/orca_load_report.proto @@ -0,0 +1,58 @@ +syntax = "proto3"; + +package xds.data.orca.v3; + +option java_outer_classname = "OrcaLoadReportProto"; +option java_multiple_files = true; +option java_package = "com.github.xds.data.orca.v3"; +option go_package = "github.com/cncf/xds/go/xds/data/orca/v3"; + +import "validate/validate.proto"; + +// See section `ORCA load report format` of the design document in +// https://github.com/envoyproxy/envoy/issues/6614. + +message OrcaLoadReport { + // CPU utilization expressed as a fraction of available CPU resources. This + // should be derived from the latest sample or measurement. The value may be + // larger than 1.0 when the usage exceeds the reporter dependent notion of + // soft limits. + double cpu_utilization = 1 [(validate.rules).double.gte = 0]; + + // Memory utilization expressed as a fraction of available memory + // resources. This should be derived from the latest sample or measurement. + double mem_utilization = 2 [(validate.rules).double.gte = 0, (validate.rules).double.lte = 1]; + + // Total RPS being served by an endpoint. This should cover all services that an endpoint is + // responsible for. + // Deprecated -- use ``rps_fractional`` field instead. + uint64 rps = 3 [deprecated = true]; + + // Application specific requests costs. Each value is an absolute cost (e.g. 3487 bytes of + // storage) associated with the request. + map request_cost = 4; + + // Resource utilization values. Each value is expressed as a fraction of total resources + // available, derived from the latest sample or measurement. + map utilization = 5 + [(validate.rules).map.values.double.gte = 0, (validate.rules).map.values.double.lte = 1]; + + // Total RPS being served by an endpoint. This should cover all services that an endpoint is + // responsible for. + double rps_fractional = 6 [(validate.rules).double.gte = 0]; + + // Total EPS (errors/second) being served by an endpoint. This should cover + // all services that an endpoint is responsible for. + double eps = 7 [(validate.rules).double.gte = 0]; + + // Application specific opaque metrics. + map named_metrics = 8; + + // Application specific utilization expressed as a fraction of available + // resources. For example, an application may report the max of CPU and memory + // utilization for better load balancing if it is both CPU and memory bound. + // This should be derived from the latest sample or measurement. + // The value may be larger than 1.0 when the usage exceeds the reporter + // dependent notion of soft limits. + double application_utilization = 9 [(validate.rules).double.gte = 0]; +} diff --git a/grpc-xds/proto/third_party/xds/xds/service/orca/v3/orca.proto b/grpc-xds/proto/third_party/xds/xds/service/orca/v3/orca.proto new file mode 100644 index 000000000..03126cdca --- /dev/null +++ b/grpc-xds/proto/third_party/xds/xds/service/orca/v3/orca.proto @@ -0,0 +1,36 @@ +syntax = "proto3"; + +package xds.service.orca.v3; + +option java_outer_classname = "OrcaProto"; +option java_multiple_files = true; +option java_package = "com.github.xds.service.orca.v3"; +option go_package = "github.com/cncf/xds/go/xds/service/orca/v3"; + +import "xds/data/orca/v3/orca_load_report.proto"; + +import "google/protobuf/duration.proto"; + +// See section `Out-of-band (OOB) reporting` of the design document in +// :ref:`https://github.com/envoyproxy/envoy/issues/6614`. + +// Out-of-band (OOB) load reporting service for the additional load reporting +// agent that does not sit in the request path. Reports are periodically sampled +// with sufficient frequency to provide temporal association with requests. +// OOB reporting compensates the limitation of in-band reporting in revealing +// costs for backends that do not provide a steady stream of telemetry such as +// long running stream operations and zero QPS services. This is a server +// streaming service, client needs to terminate current RPC and initiate +// a new call to change backend reporting frequency. +service OpenRcaService { + rpc StreamCoreMetrics(OrcaLoadReportRequest) returns (stream xds.data.orca.v3.OrcaLoadReport); +} + +message OrcaLoadReportRequest { + // Interval for generating Open RCA core metric responses. + google.protobuf.Duration report_interval = 1; + // Request costs to collect. If this is empty, all known requests costs tracked by + // the load reporting agent will be returned. This provides an opportunity for + // the client to selectively obtain a subset of tracked costs. + repeated string request_cost_names = 2; +} diff --git a/grpc-xds/proto/third_party/xds/xds/type/matcher/v3/cel.proto b/grpc-xds/proto/third_party/xds/xds/type/matcher/v3/cel.proto new file mode 100644 index 000000000..a45af9534 --- /dev/null +++ b/grpc-xds/proto/third_party/xds/xds/type/matcher/v3/cel.proto @@ -0,0 +1,37 @@ +syntax = "proto3"; + +package xds.type.matcher.v3; + +import "xds/type/v3/cel.proto"; +import "validate/validate.proto"; + +option java_package = "com.github.xds.type.matcher.v3"; +option java_outer_classname = "CelProto"; +option java_multiple_files = true; +option go_package = "github.com/cncf/xds/go/xds/type/matcher/v3"; + +// [#protodoc-title: Common Expression Language (CEL) matchers] + +// Performs a match by evaluating a `Common Expression Language +// `_ (CEL) expression against the standardized set of +// :ref:`HTTP attributes ` specified via ``HttpAttributesCelMatchInput``. +// +// .. attention:: +// +// The match is ``true``, iff the result of the evaluation is a bool AND true. +// In all other cases, the match is ``false``, including but not limited to: non-bool types, +// ``false``, ``null``, ``int(1)``, etc. +// In case CEL expression raises an error, the result of the evaluation is interpreted "no match". +// +// Refer to :ref:`Unified Matcher API ` documentation +// for usage details. +// +// [#comment: envoy.matching.matchers.cel_matcher] +message CelMatcher { + // Either parsed or checked representation of the CEL program. + type.v3.CelExpression expr_match = 1 [(validate.rules).message = {required: true}]; + + // Free-form description of the CEL AST, e.g. the original expression text, to be + // used for debugging assistance. + string description = 2; +} diff --git a/grpc-xds/proto/third_party/xds/xds/type/matcher/v3/http_inputs.proto b/grpc-xds/proto/third_party/xds/xds/type/matcher/v3/http_inputs.proto new file mode 100644 index 000000000..5709d6450 --- /dev/null +++ b/grpc-xds/proto/third_party/xds/xds/type/matcher/v3/http_inputs.proto @@ -0,0 +1,23 @@ +syntax = "proto3"; + +package xds.type.matcher.v3; + +option java_package = "com.github.xds.type.matcher.v3"; +option java_outer_classname = "HttpInputsProto"; +option java_multiple_files = true; +option go_package = "github.com/cncf/xds/go/xds/type/matcher/v3"; + +// [#protodoc-title: Common HTTP Inputs] + +// Specifies that matching should be performed on the set of :ref:`HTTP attributes +// `. +// +// The attributes will be exposed via `Common Expression Language +// `_ runtime to associated CEL matcher. +// +// Refer to :ref:`Unified Matcher API ` documentation +// for usage details. +// +// [#comment: envoy.matching.inputs.cel_data_input] +message HttpAttributesCelMatchInput { +} diff --git a/grpc-xds/proto/third_party/xds/xds/type/matcher/v3/matcher.proto b/grpc-xds/proto/third_party/xds/xds/type/matcher/v3/matcher.proto new file mode 100644 index 000000000..cc03ff6e9 --- /dev/null +++ b/grpc-xds/proto/third_party/xds/xds/type/matcher/v3/matcher.proto @@ -0,0 +1,144 @@ +syntax = "proto3"; + +package xds.type.matcher.v3; + +import "xds/core/v3/extension.proto"; +import "xds/type/matcher/v3/string.proto"; + +import "validate/validate.proto"; + +option java_package = "com.github.xds.type.matcher.v3"; +option java_outer_classname = "MatcherProto"; +option java_multiple_files = true; +option go_package = "github.com/cncf/xds/go/xds/type/matcher/v3"; + +// [#protodoc-title: Unified Matcher API] + +// A matcher, which may traverse a matching tree in order to result in a match action. +// During matching, the tree will be traversed until a match is found, or if no match +// is found the action specified by the most specific on_no_match will be evaluated. +// As an on_no_match might result in another matching tree being evaluated, this process +// might repeat several times until the final OnMatch (or no match) is decided. +message Matcher { + // What to do if a match is successful. + message OnMatch { + oneof on_match { + option (validate.required) = true; + + // Nested matcher to evaluate. + // If the nested matcher does not match and does not specify + // on_no_match, then this matcher is considered not to have + // matched, even if a predicate at this level or above returned + // true. + Matcher matcher = 1; + + // Protocol-specific action to take. + core.v3.TypedExtensionConfig action = 2; + } + + // If true and the Matcher matches, the action will be taken but the caller + // will behave as if the Matcher did not match. A subsequent matcher or + // on_no_match action will be used instead. + // This field is not supported in all contexts in which the matcher API is + // used. If this field is set in a context in which it's not supported, + // the resource will be rejected. + bool keep_matching = 3; + } + + // A linear list of field matchers. + // The field matchers are evaluated in order, and the first match + // wins. + message MatcherList { + // Predicate to determine if a match is successful. + message Predicate { + // Predicate for a single input field. + message SinglePredicate { + // Protocol-specific specification of input field to match on. + // [#extension-category: envoy.matching.common_inputs] + core.v3.TypedExtensionConfig input = 1 [(validate.rules).message = {required: true}]; + + oneof matcher { + option (validate.required) = true; + + // Built-in string matcher. + type.matcher.v3.StringMatcher value_match = 2; + + // Extension for custom matching logic. + // [#extension-category: envoy.matching.input_matchers] + core.v3.TypedExtensionConfig custom_match = 3; + } + } + + // A list of two or more matchers. Used to allow using a list within a oneof. + message PredicateList { + repeated Predicate predicate = 1 [(validate.rules).repeated = {min_items: 2}]; + } + + oneof match_type { + option (validate.required) = true; + + // A single predicate to evaluate. + SinglePredicate single_predicate = 1; + + // A list of predicates to be OR-ed together. + PredicateList or_matcher = 2; + + // A list of predicates to be AND-ed together. + PredicateList and_matcher = 3; + + // The invert of a predicate + Predicate not_matcher = 4; + } + } + + // An individual matcher. + message FieldMatcher { + // Determines if the match succeeds. + Predicate predicate = 1 [(validate.rules).message = {required: true}]; + + // What to do if the match succeeds. + OnMatch on_match = 2 [(validate.rules).message = {required: true}]; + } + + // A list of matchers. First match wins. + repeated FieldMatcher matchers = 1 [(validate.rules).repeated = {min_items: 1}]; + } + + message MatcherTree { + // A map of configured matchers. Used to allow using a map within a oneof. + message MatchMap { + map map = 1 [(validate.rules).map = {min_pairs: 1}]; + } + + // Protocol-specific specification of input field to match on. + core.v3.TypedExtensionConfig input = 1 [(validate.rules).message = {required: true}]; + + // Exact or prefix match maps in which to look up the input value. + // If the lookup succeeds, the match is considered successful, and + // the corresponding OnMatch is used. + oneof tree_type { + option (validate.required) = true; + + MatchMap exact_match_map = 2; + + // Longest matching prefix wins. + MatchMap prefix_match_map = 3; + + // Extension for custom matching logic. + core.v3.TypedExtensionConfig custom_match = 4; + } + } + + oneof matcher_type { + // A linear list of matchers to evaluate. + MatcherList matcher_list = 1; + + // A match tree to evaluate. + MatcherTree matcher_tree = 2; + } + + // Optional OnMatch to use if no matcher above matched (e.g., if there are no matchers specified + // above, or if none of the matches specified above succeeded). + // If no matcher above matched and this field is not populated, the match will be considered unsuccessful. + OnMatch on_no_match = 3; +} diff --git a/grpc-xds/proto/third_party/xds/xds/type/matcher/v3/regex.proto b/grpc-xds/proto/third_party/xds/xds/type/matcher/v3/regex.proto new file mode 100644 index 000000000..3ff4ca95c --- /dev/null +++ b/grpc-xds/proto/third_party/xds/xds/type/matcher/v3/regex.proto @@ -0,0 +1,46 @@ +syntax = "proto3"; + +package xds.type.matcher.v3; + +import "validate/validate.proto"; + +option java_package = "com.github.xds.type.matcher.v3"; +option java_outer_classname = "RegexProto"; +option java_multiple_files = true; +option go_package = "github.com/cncf/xds/go/xds/type/matcher/v3"; + +// [#protodoc-title: Regex matcher] + +// A regex matcher designed for safety when used with untrusted input. +message RegexMatcher { + // Google's `RE2 `_ regex engine. The regex + // string must adhere to the documented `syntax + // `_. The engine is designed to + // complete execution in linear time as well as limit the amount of memory + // used. + // + // Envoy supports program size checking via runtime. The runtime keys + // `re2.max_program_size.error_level` and `re2.max_program_size.warn_level` + // can be set to integers as the maximum program size or complexity that a + // compiled regex can have before an exception is thrown or a warning is + // logged, respectively. `re2.max_program_size.error_level` defaults to 100, + // and `re2.max_program_size.warn_level` has no default if unset (will not + // check/log a warning). + // + // Envoy emits two stats for tracking the program size of regexes: the + // histogram `re2.program_size`, which records the program size, and the + // counter `re2.exceeded_warn_level`, which is incremented each time the + // program size exceeds the warn level threshold. + message GoogleRE2 {} + + oneof engine_type { + option (validate.required) = true; + + // Google's RE2 regex engine. + GoogleRE2 google_re2 = 1 [ (validate.rules).message = {required : true} ]; + } + + // The regex match string. The string must be supported by the configured + // engine. + string regex = 2 [ (validate.rules).string = {min_len : 1} ]; +} diff --git a/grpc-xds/proto/third_party/xds/xds/type/matcher/v3/string.proto b/grpc-xds/proto/third_party/xds/xds/type/matcher/v3/string.proto new file mode 100644 index 000000000..e58cb413e --- /dev/null +++ b/grpc-xds/proto/third_party/xds/xds/type/matcher/v3/string.proto @@ -0,0 +1,71 @@ +syntax = "proto3"; + +package xds.type.matcher.v3; + +import "xds/core/v3/extension.proto"; +import "xds/type/matcher/v3/regex.proto"; + +import "validate/validate.proto"; + +option java_package = "com.github.xds.type.matcher.v3"; +option java_outer_classname = "StringProto"; +option java_multiple_files = true; +option go_package = "github.com/cncf/xds/go/xds/type/matcher/v3"; + +// [#protodoc-title: String matcher] + +// Specifies the way to match a string. +// [#next-free-field: 9] +message StringMatcher { + oneof match_pattern { + option (validate.required) = true; + + // The input string must match exactly the string specified here. + // + // Examples: + // + // * *abc* only matches the value *abc*. + string exact = 1; + + // The input string must have the prefix specified here. + // Note: empty prefix is not allowed, please use regex instead. + // + // Examples: + // + // * *abc* matches the value *abc.xyz* + string prefix = 2 [(validate.rules).string = {min_len: 1}]; + + // The input string must have the suffix specified here. + // Note: empty prefix is not allowed, please use regex instead. + // + // Examples: + // + // * *abc* matches the value *xyz.abc* + string suffix = 3 [(validate.rules).string = {min_len: 1}]; + + // The input string must match the regular expression specified here. + RegexMatcher safe_regex = 5 [(validate.rules).message = {required: true}]; + + // The input string must have the substring specified here. + // Note: empty contains match is not allowed, please use regex instead. + // + // Examples: + // + // * *abc* matches the value *xyz.abc.def* + string contains = 7 [(validate.rules).string = {min_len: 1}]; + + // Use an extension as the matcher type. + // [#extension-category: envoy.string_matcher] + xds.core.v3.TypedExtensionConfig custom = 8; + } + + // If true, indicates the exact/prefix/suffix matching should be case insensitive. This has no + // effect for the safe_regex match. + // For example, the matcher *data* will match both input string *Data* and *data* if set to true. + bool ignore_case = 6; +} + +// Specifies a list of ways to match a string. +message ListStringMatcher { + repeated StringMatcher patterns = 1 [(validate.rules).repeated = {min_items: 1}]; +} diff --git a/grpc-xds/proto/third_party/xds/xds/type/v3/cel.proto b/grpc-xds/proto/third_party/xds/xds/type/v3/cel.proto new file mode 100644 index 000000000..043990401 --- /dev/null +++ b/grpc-xds/proto/third_party/xds/xds/type/v3/cel.proto @@ -0,0 +1,77 @@ +syntax = "proto3"; + +package xds.type.v3; + +import "google/api/expr/v1alpha1/checked.proto"; +import "google/api/expr/v1alpha1/syntax.proto"; +import "cel/expr/checked.proto"; +import "cel/expr/syntax.proto"; +import "google/protobuf/wrappers.proto"; + +import "xds/annotations/v3/status.proto"; + +import "validate/validate.proto"; + +option java_package = "com.github.xds.type.v3"; +option java_outer_classname = "CelProto"; +option java_multiple_files = true; +option go_package = "github.com/cncf/xds/go/xds/type/v3"; + +option (xds.annotations.v3.file_status).work_in_progress = true; + +// [#protodoc-title: Common Expression Language (CEL)] + +// Either parsed or checked representation of the `Common Expression Language +// `_ (CEL) program. +message CelExpression { + oneof expr_specifier { + // Parsed expression in abstract syntax tree (AST) form. + // + // Deprecated -- use ``cel_expr_parsed`` field instead. + // If ``cel_expr_parsed`` or ``cel_expr_checked`` is set, this field is not used. + google.api.expr.v1alpha1.ParsedExpr parsed_expr = 1 [deprecated = true]; + + // Parsed expression in abstract syntax tree (AST) form that has been successfully type checked. + // + // Deprecated -- use ``cel_expr_checked`` field instead. + // If ``cel_expr_parsed`` or ``cel_expr_checked`` is set, this field is not used. + google.api.expr.v1alpha1.CheckedExpr checked_expr = 2 [deprecated = true]; + } + + // Parsed expression in abstract syntax tree (AST) form. + // + // If ``cel_expr_checked`` is set, this field is not used. + cel.expr.ParsedExpr cel_expr_parsed = 3; + + // Parsed expression in abstract syntax tree (AST) form that has been successfully type checked. + // + // If set, takes precedence over ``cel_expr_parsed``. + cel.expr.CheckedExpr cel_expr_checked = 4; + + // Unparsed expression in string form. For example, ``request.headers['x-env'] == 'prod'`` will + // get ``x-env`` header value and compare it with ``prod``. + // Check the `Common Expression Language `_ for more details. + // + // If set, takes precedence over ``cel_expr_parsed`` and ``cel_expr_checked``. + string cel_expr_string = 5; +} + +// Extracts a string by evaluating a `Common Expression Language +// `_ (CEL) expression against the standardized set of +// :ref:`HTTP attributes `. +// +// .. attention:: +// +// Besides CEL evaluation raising an error explicitly, CEL program returning a type other than +// the ``string``, or not returning anything, are considered an error as well. +// +// [#comment:TODO(sergiitk): When implemented, add the extension tag.] +message CelExtractString { + // The CEL expression used to extract a string from the CEL environment. + // the "subject string") that should be replaced. + CelExpression expr_extract = 1 [(validate.rules).message = {required: true}]; + + // If CEL expression evaluates to an error, this value is be returned to the caller. + // If not set, the error is propagated to the caller. + google.protobuf.StringValue default_value = 2; +} diff --git a/grpc-xds/proto/third_party/xds/xds/type/v3/typed_struct.proto b/grpc-xds/proto/third_party/xds/xds/type/v3/typed_struct.proto new file mode 100644 index 000000000..40d0a8dac --- /dev/null +++ b/grpc-xds/proto/third_party/xds/xds/type/v3/typed_struct.proto @@ -0,0 +1,44 @@ +syntax = "proto3"; + +package xds.type.v3; + +option java_outer_classname = "TypedStructProto"; +option java_multiple_files = true; +option java_package = "com.github.xds.type.v3"; +option go_package = "github.com/cncf/xds/go/xds/type/v3"; + +import "google/protobuf/struct.proto"; + +// A TypedStruct contains an arbitrary JSON serialized protocol buffer message with a URL that +// describes the type of the serialized message. This is very similar to google.protobuf.Any, +// instead of having protocol buffer binary, this employs google.protobuf.Struct as value. +// +// This message is intended to be embedded inside Any, so it shouldn't be directly referred +// from other UDPA messages. +// +// When packing an opaque extension config, packing the expected type into Any is preferred +// wherever possible for its efficiency. TypedStruct should be used only if a proto descriptor +// is not available, for example if: +// +// - A control plane sends opaque message that is originally from external source in human readable +// format such as JSON or YAML. +// - The control plane doesn't have the knowledge of the protocol buffer schema hence it cannot +// serialize the message in protocol buffer binary format. +// - The DPLB doesn't have have the knowledge of the protocol buffer schema its plugin or extension +// uses. This has to be indicated in the DPLB capability negotiation. +// +// When a DPLB receives a TypedStruct in Any, it should: +// - Check if the type_url of the TypedStruct matches the type the extension expects. +// - Convert value to the type described in type_url and perform validation. +// +// TODO(lizan): Figure out how TypeStruct should be used with DPLB extensions that doesn't link +// protobuf descriptor with DPLB itself, (e.g. gRPC LB Plugin, Envoy WASM extensions). +message TypedStruct { + // A URL that uniquely identifies the type of the serialize protocol buffer message. + // This has same semantics and format described in google.protobuf.Any: + // https://github.com/protocolbuffers/protobuf/blob/master/src/google/protobuf/any.proto + string type_url = 1; + + // A JSON representation of the above specified type. + google.protobuf.Struct value = 2; +} diff --git a/grpc-xds/src/lib.rs b/grpc-xds/src/lib.rs new file mode 100644 index 000000000..eb609ccd2 --- /dev/null +++ b/grpc-xds/src/lib.rs @@ -0,0 +1,72 @@ +//! grpc-xds implements xDS support for Rust gRPC. + +/// Module `generated` contains the generated Protobuf messages for xDS, +/// mirroring the vendored proto package tree. The messages are an implementation detail +/// consumed only within grpc-xds. The blanket `allow` covers machine-generated code; +/// the tree is built into `OUT_DIR` by `build.rs` and its root `mod.rs` is included here. +#[allow( + missing_docs, + missing_debug_implementations, + unreachable_pub, + non_camel_case_types, + non_snake_case, + non_upper_case_globals, + unused, + clippy::all +)] +pub(crate) mod generated { + include!(concat!(env!("OUT_DIR"), "/generated/mod.rs")); +} + +#[cfg(test)] +mod tests { + //! Sanity checks that the generated xDS modules are importable and usable + //! for a sampling of the core discovery resources (LDS/RDS/CDS/EDS): + //! construct a message, then round-trip it through the protobuf wire format. + //! + //! This lives as an in-crate unit test rather than a doctest because the + //! `generated` module is `pub(crate)` — doctests compile as an external + //! crate and can only reach the public API. + + use crate::generated::envoy::config::{ + cluster::v3::Cluster, endpoint::v3::ClusterLoadAssignment, listener::v3::Listener, + route::v3::RouteConfiguration, + }; + + /// Encodes then decodes a message. `serialize` / `parse` are methods of the + /// `protobuf::Message` trait (in scope via the `M: protobuf::Message` bound). + fn round_trip(msg: &M) -> M { + M::parse(&msg.serialize().expect("serialize")).expect("parse") + } + + #[test] + fn lds_listener_round_trip() { + let mut listener = Listener::new(); + listener.set_name("grpc-listener"); + assert_eq!(round_trip(&listener).name().as_bytes(), b"grpc-listener"); + } + + #[test] + fn rds_route_configuration_round_trip() { + let mut route_config = RouteConfiguration::new(); + route_config.set_name("grpc-routes"); + assert_eq!(round_trip(&route_config).name().as_bytes(), b"grpc-routes"); + } + + #[test] + fn cds_cluster_round_trip() { + let mut cluster = Cluster::new(); + cluster.set_name("grpc-cluster"); + assert_eq!(round_trip(&cluster).name().as_bytes(), b"grpc-cluster"); + } + + #[test] + fn eds_cluster_load_assignment_round_trip() { + let mut endpoints = ClusterLoadAssignment::new(); + endpoints.set_cluster_name("grpc-cluster"); + assert_eq!( + round_trip(&endpoints).cluster_name().as_bytes(), + b"grpc-cluster" + ); + } +}