diff --git a/api/envoy/admin/v4alpha/BUILD b/api/envoy/admin/v4alpha/BUILD index 6da5b60bad28..d64c4f6a0816 100644 --- a/api/envoy/admin/v4alpha/BUILD +++ b/api/envoy/admin/v4alpha/BUILD @@ -10,7 +10,7 @@ api_proto_package( "//envoy/annotations:pkg", "//envoy/config/bootstrap/v4alpha:pkg", "//envoy/config/core/v4alpha:pkg", - "//envoy/config/tap/v3:pkg", + "//envoy/config/tap/v4alpha:pkg", "//envoy/type/v3:pkg", "@com_github_cncf_udpa//udpa/annotations:pkg", ], diff --git a/api/envoy/admin/v4alpha/tap.proto b/api/envoy/admin/v4alpha/tap.proto index c47b308d6ee6..039dfcfeb812 100644 --- a/api/envoy/admin/v4alpha/tap.proto +++ b/api/envoy/admin/v4alpha/tap.proto @@ -2,7 +2,7 @@ syntax = "proto3"; package envoy.admin.v4alpha; -import "envoy/config/tap/v3/common.proto"; +import "envoy/config/tap/v4alpha/common.proto"; import "udpa/annotations/status.proto"; import "udpa/annotations/versioning.proto"; @@ -24,5 +24,5 @@ message TapRequest { string config_id = 1 [(validate.rules).string = {min_bytes: 1}]; // The tap configuration to load. - config.tap.v3.TapConfig tap_config = 2 [(validate.rules).message = {required: true}]; + config.tap.v4alpha.TapConfig tap_config = 2 [(validate.rules).message = {required: true}]; } diff --git a/api/envoy/config/accesslog/v4alpha/BUILD b/api/envoy/config/accesslog/v4alpha/BUILD new file mode 100644 index 000000000000..4ed75a69ea09 --- /dev/null +++ b/api/envoy/config/accesslog/v4alpha/BUILD @@ -0,0 +1,15 @@ +# DO NOT EDIT. This file is generated by tools/proto_sync.py. + +load("@envoy_api//bazel:api_build_system.bzl", "api_proto_package") + +licenses(["notice"]) # Apache 2 + +api_proto_package( + deps = [ + "//envoy/config/accesslog/v3:pkg", + "//envoy/config/core/v4alpha:pkg", + "//envoy/config/route/v4alpha:pkg", + "//envoy/type/v3:pkg", + "@com_github_cncf_udpa//udpa/annotations:pkg", + ], +) diff --git a/api/envoy/config/accesslog/v4alpha/accesslog.proto b/api/envoy/config/accesslog/v4alpha/accesslog.proto new file mode 100644 index 000000000000..56911ca19185 --- /dev/null +++ b/api/envoy/config/accesslog/v4alpha/accesslog.proto @@ -0,0 +1,298 @@ +syntax = "proto3"; + +package envoy.config.accesslog.v4alpha; + +import "envoy/config/core/v4alpha/base.proto"; +import "envoy/config/route/v4alpha/route_components.proto"; +import "envoy/type/v3/percent.proto"; + +import "google/protobuf/any.proto"; +import "google/protobuf/struct.proto"; + +import "udpa/annotations/status.proto"; +import "udpa/annotations/versioning.proto"; +import "validate/validate.proto"; + +option java_package = "io.envoyproxy.envoy.config.accesslog.v4alpha"; +option java_outer_classname = "AccesslogProto"; +option java_multiple_files = true; +option (udpa.annotations.file_status).package_version_status = NEXT_MAJOR_VERSION_CANDIDATE; + +// [#protodoc-title: Common access log types] + +message AccessLog { + option (udpa.annotations.versioning).previous_message_type = + "envoy.config.accesslog.v3.AccessLog"; + + reserved 3; + + reserved "config"; + + // The name of the access log implementation to instantiate. The name must + // match a statically registered access log. Current built-in loggers include: + // + // #. "envoy.access_loggers.file" + // #. "envoy.access_loggers.http_grpc" + // #. "envoy.access_loggers.tcp_grpc" + string name = 1; + + // Filter which is used to determine if the access log needs to be written. + AccessLogFilter filter = 2; + + // Custom configuration that depends on the access log being instantiated. Built-in + // configurations include: + // + // #. "envoy.access_loggers.file": :ref:`FileAccessLog + // ` + // #. "envoy.access_loggers.http_grpc": :ref:`HttpGrpcAccessLogConfig + // ` + // #. "envoy.access_loggers.tcp_grpc": :ref:`TcpGrpcAccessLogConfig + // ` + oneof config_type { + google.protobuf.Any typed_config = 4; + } +} + +// [#next-free-field: 12] +message AccessLogFilter { + option (udpa.annotations.versioning).previous_message_type = + "envoy.config.accesslog.v3.AccessLogFilter"; + + oneof filter_specifier { + option (validate.required) = true; + + // Status code filter. + StatusCodeFilter status_code_filter = 1; + + // Duration filter. + DurationFilter duration_filter = 2; + + // Not health check filter. + NotHealthCheckFilter not_health_check_filter = 3; + + // Traceable filter. + TraceableFilter traceable_filter = 4; + + // Runtime filter. + RuntimeFilter runtime_filter = 5; + + // And filter. + AndFilter and_filter = 6; + + // Or filter. + OrFilter or_filter = 7; + + // Header filter. + HeaderFilter header_filter = 8; + + // Response flag filter. + ResponseFlagFilter response_flag_filter = 9; + + // gRPC status filter. + GrpcStatusFilter grpc_status_filter = 10; + + // Extension filter. + ExtensionFilter extension_filter = 11; + } +} + +// Filter on an integer comparison. +message ComparisonFilter { + option (udpa.annotations.versioning).previous_message_type = + "envoy.config.accesslog.v3.ComparisonFilter"; + + enum Op { + // = + EQ = 0; + + // >= + GE = 1; + + // <= + LE = 2; + } + + // Comparison operator. + Op op = 1 [(validate.rules).enum = {defined_only: true}]; + + // Value to compare against. + core.v4alpha.RuntimeUInt32 value = 2; +} + +// Filters on HTTP response/status code. +message StatusCodeFilter { + option (udpa.annotations.versioning).previous_message_type = + "envoy.config.accesslog.v3.StatusCodeFilter"; + + // Comparison. + ComparisonFilter comparison = 1 [(validate.rules).message = {required: true}]; +} + +// Filters on total request duration in milliseconds. +message DurationFilter { + option (udpa.annotations.versioning).previous_message_type = + "envoy.config.accesslog.v3.DurationFilter"; + + // Comparison. + ComparisonFilter comparison = 1 [(validate.rules).message = {required: true}]; +} + +// Filters for requests that are not health check requests. A health check +// request is marked by the health check filter. +message NotHealthCheckFilter { + option (udpa.annotations.versioning).previous_message_type = + "envoy.config.accesslog.v3.NotHealthCheckFilter"; +} + +// Filters for requests that are traceable. See the tracing overview for more +// information on how a request becomes traceable. +message TraceableFilter { + option (udpa.annotations.versioning).previous_message_type = + "envoy.config.accesslog.v3.TraceableFilter"; +} + +// Filters for random sampling of requests. +message RuntimeFilter { + option (udpa.annotations.versioning).previous_message_type = + "envoy.config.accesslog.v3.RuntimeFilter"; + + // Runtime key to get an optional overridden numerator for use in the *percent_sampled* field. + // If found in runtime, this value will replace the default numerator. + string runtime_key = 1 [(validate.rules).string = {min_bytes: 1}]; + + // The default sampling percentage. If not specified, defaults to 0% with denominator of 100. + type.v3.FractionalPercent percent_sampled = 2; + + // By default, sampling pivots on the header + // :ref:`x-request-id` being present. If + // :ref:`x-request-id` is present, the filter will + // consistently sample across multiple hosts based on the runtime key value and the value + // extracted from :ref:`x-request-id`. If it is + // missing, or *use_independent_randomness* is set to true, the filter will randomly sample based + // on the runtime key value alone. *use_independent_randomness* can be used for logging kill + // switches within complex nested :ref:`AndFilter + // ` and :ref:`OrFilter + // ` blocks that are easier to reason about + // from a probability perspective (i.e., setting to true will cause the filter to behave like + // an independent random variable when composed within logical operator filters). + bool use_independent_randomness = 3; +} + +// Performs a logical “and” operation on the result of each filter in filters. +// Filters are evaluated sequentially and if one of them returns false, the +// filter returns false immediately. +message AndFilter { + option (udpa.annotations.versioning).previous_message_type = + "envoy.config.accesslog.v3.AndFilter"; + + repeated AccessLogFilter filters = 1 [(validate.rules).repeated = {min_items: 2}]; +} + +// Performs a logical “or” operation on the result of each individual filter. +// Filters are evaluated sequentially and if one of them returns true, the +// filter returns true immediately. +message OrFilter { + option (udpa.annotations.versioning).previous_message_type = "envoy.config.accesslog.v3.OrFilter"; + + repeated AccessLogFilter filters = 2 [(validate.rules).repeated = {min_items: 2}]; +} + +// Filters requests based on the presence or value of a request header. +message HeaderFilter { + option (udpa.annotations.versioning).previous_message_type = + "envoy.config.accesslog.v3.HeaderFilter"; + + // Only requests with a header which matches the specified HeaderMatcher will pass the filter + // check. + route.v4alpha.HeaderMatcher header = 1 [(validate.rules).message = {required: true}]; +} + +// Filters requests that received responses with an Envoy response flag set. +// A list of the response flags can be found +// in the access log formatter :ref:`documentation`. +message ResponseFlagFilter { + option (udpa.annotations.versioning).previous_message_type = + "envoy.config.accesslog.v3.ResponseFlagFilter"; + + // Only responses with the any of the flags listed in this field will be logged. + // This field is optional. If it is not specified, then any response flag will pass + // the filter check. + repeated string flags = 1 [(validate.rules).repeated = { + items { + string { + in: "LH" + in: "UH" + in: "UT" + in: "LR" + in: "UR" + in: "UF" + in: "UC" + in: "UO" + in: "NR" + in: "DI" + in: "FI" + in: "RL" + in: "UAEX" + in: "RLSE" + in: "DC" + in: "URX" + in: "SI" + in: "IH" + in: "DPE" + } + } + }]; +} + +// Filters gRPC requests based on their response status. If a gRPC status is not provided, the +// filter will infer the status from the HTTP status code. +message GrpcStatusFilter { + option (udpa.annotations.versioning).previous_message_type = + "envoy.config.accesslog.v3.GrpcStatusFilter"; + + enum Status { + OK = 0; + CANCELED = 1; + UNKNOWN = 2; + INVALID_ARGUMENT = 3; + DEADLINE_EXCEEDED = 4; + NOT_FOUND = 5; + ALREADY_EXISTS = 6; + PERMISSION_DENIED = 7; + RESOURCE_EXHAUSTED = 8; + FAILED_PRECONDITION = 9; + ABORTED = 10; + OUT_OF_RANGE = 11; + UNIMPLEMENTED = 12; + INTERNAL = 13; + UNAVAILABLE = 14; + DATA_LOSS = 15; + UNAUTHENTICATED = 16; + } + + // Logs only responses that have any one of the gRPC statuses in this field. + repeated Status statuses = 1 [(validate.rules).repeated = {items {enum {defined_only: true}}}]; + + // If included and set to true, the filter will instead block all responses with a gRPC status or + // inferred gRPC status enumerated in statuses, and allow all other responses. + bool exclude = 2; +} + +// Extension filter is statically registered at runtime. +message ExtensionFilter { + option (udpa.annotations.versioning).previous_message_type = + "envoy.config.accesslog.v3.ExtensionFilter"; + + reserved 2; + + reserved "config"; + + // The name of the filter implementation to instantiate. The name must + // match a statically registered filter. + string name = 1; + + // Custom configuration that depends on the filter being instantiated. + oneof config_type { + google.protobuf.Any typed_config = 3; + } +} diff --git a/api/envoy/config/bootstrap/v4alpha/BUILD b/api/envoy/config/bootstrap/v4alpha/BUILD index 884b942b2dac..2bb0248a4772 100644 --- a/api/envoy/config/bootstrap/v4alpha/BUILD +++ b/api/envoy/config/bootstrap/v4alpha/BUILD @@ -10,8 +10,8 @@ api_proto_package( "//envoy/config/bootstrap/v3:pkg", "//envoy/config/cluster/v4alpha:pkg", "//envoy/config/core/v4alpha:pkg", - "//envoy/config/listener/v3:pkg", - "//envoy/config/metrics/v3:pkg", + "//envoy/config/listener/v4alpha:pkg", + "//envoy/config/metrics/v4alpha:pkg", "//envoy/config/overload/v3:pkg", "//envoy/extensions/transport_sockets/tls/v4alpha:pkg", "@com_github_cncf_udpa//udpa/annotations:pkg", diff --git a/api/envoy/config/bootstrap/v4alpha/bootstrap.proto b/api/envoy/config/bootstrap/v4alpha/bootstrap.proto index 0207967b4b0f..ce6aa147fba2 100644 --- a/api/envoy/config/bootstrap/v4alpha/bootstrap.proto +++ b/api/envoy/config/bootstrap/v4alpha/bootstrap.proto @@ -8,8 +8,8 @@ import "envoy/config/core/v4alpha/base.proto"; import "envoy/config/core/v4alpha/config_source.proto"; import "envoy/config/core/v4alpha/event_service_config.proto"; import "envoy/config/core/v4alpha/socket_option.proto"; -import "envoy/config/listener/v3/listener.proto"; -import "envoy/config/metrics/v3/stats.proto"; +import "envoy/config/listener/v4alpha/listener.proto"; +import "envoy/config/metrics/v4alpha/stats.proto"; import "envoy/config/overload/v3/overload.proto"; import "envoy/extensions/transport_sockets/tls/v4alpha/secret.proto"; @@ -42,9 +42,9 @@ message Bootstrap { option (udpa.annotations.versioning).previous_message_type = "envoy.config.bootstrap.v3.Bootstrap.StaticResources"; - // Static :ref:`Listeners `. These listeners are + // Static :ref:`Listeners `. These listeners are // available regardless of LDS configuration. - repeated listener.v3.Listener listeners = 1; + repeated listener.v4alpha.Listener listeners = 1; // If a network based configuration source is specified for :ref:`cds_config // `, it's necessary @@ -65,7 +65,7 @@ message Bootstrap { reserved 4; - // All :ref:`Listeners ` are provided by a single + // All :ref:`Listeners ` are provided by a single // :ref:`LDS ` configuration source. core.v4alpha.ConfigSource lds_config = 1; @@ -110,10 +110,10 @@ message Bootstrap { string flags_path = 5; // Optional set of stats sinks. - repeated metrics.v3.StatsSink stats_sinks = 6; + repeated metrics.v4alpha.StatsSink stats_sinks = 6; // Configuration for internal processing of stats. - metrics.v3.StatsConfig stats_config = 13; + metrics.v4alpha.StatsConfig stats_config = 13; // Optional duration between flushes to configured stats sinks. For // performance reasons Envoy latches counters and only flushes counters and @@ -142,7 +142,7 @@ message Bootstrap { // Enable :ref:`stats for event dispatcher `, defaults to false. // Note that this records a value for each iteration of the event loop on every thread. This // should normally be minimal overhead, but when using - // :ref:`statsd `, it will send each observed value + // :ref:`statsd `, it will send each observed value // over the wire individually because the statsd protocol doesn't have any way to represent a // histogram summary. Be aware that this can be a very large volume of data. bool enable_dispatcher_stats = 16; @@ -160,7 +160,7 @@ message Bootstrap { // Optional proxy version which will be used to set the value of :ref:`server.version statistic // ` if specified. Envoy will not process this value, it will be sent as is to - // :ref:`stats sinks `. + // :ref:`stats sinks `. google.protobuf.UInt64Value stats_server_version_override = 19; // Always use TCP queries instead of UDP queries for DNS lookups. diff --git a/api/envoy/config/core/v4alpha/BUILD b/api/envoy/config/core/v4alpha/BUILD index aeac38ac2833..ef6414dadc09 100644 --- a/api/envoy/config/core/v4alpha/BUILD +++ b/api/envoy/config/core/v4alpha/BUILD @@ -8,7 +8,7 @@ api_proto_package( deps = [ "//envoy/annotations:pkg", "//envoy/config/core/v3:pkg", - "//envoy/type/matcher/v3:pkg", + "//envoy/type/matcher/v4alpha:pkg", "//envoy/type/v3:pkg", "@com_github_cncf_udpa//udpa/annotations:pkg", ], diff --git a/api/envoy/config/core/v4alpha/address.proto b/api/envoy/config/core/v4alpha/address.proto index a2e6070103ae..ffade4bed75b 100644 --- a/api/envoy/config/core/v4alpha/address.proto +++ b/api/envoy/config/core/v4alpha/address.proto @@ -45,7 +45,7 @@ message SocketAddress { // to the address. An empty address is not allowed. Specify ``0.0.0.0`` or ``::`` // to bind to any address. [#comment:TODO(zuercher) reinstate when implemented: // It is possible to distinguish a Listener address via the prefix/suffix matching - // in :ref:`FilterChainMatch `.] When used + // in :ref:`FilterChainMatch `.] When used // within an upstream :ref:`BindConfig `, the address // controls the source address of outbound connections. For :ref:`clusters // `, the cluster type determines whether the diff --git a/api/envoy/config/core/v4alpha/health_check.proto b/api/envoy/config/core/v4alpha/health_check.proto index 7f823da97c5e..39badc334b01 100644 --- a/api/envoy/config/core/v4alpha/health_check.proto +++ b/api/envoy/config/core/v4alpha/health_check.proto @@ -4,7 +4,7 @@ package envoy.config.core.v4alpha; import "envoy/config/core/v4alpha/base.proto"; import "envoy/config/core/v4alpha/event_service_config.proto"; -import "envoy/type/matcher/v3/string.proto"; +import "envoy/type/matcher/v4alpha/string.proto"; import "envoy/type/v3/http.proto"; import "envoy/type/v3/range.proto"; @@ -125,9 +125,9 @@ message HealthCheck { // An optional service name parameter which is used to validate the identity of // the health checked cluster using a :ref:`StringMatcher - // `. See the :ref:`architecture overview + // `. See the :ref:`architecture overview // ` for more information. - type.matcher.v3.StringMatcher service_name_matcher = 11; + type.matcher.v4alpha.StringMatcher service_name_matcher = 11; } message TcpHealthCheck { @@ -206,7 +206,7 @@ message HealthCheck { // Specifies the ALPN protocols for health check connections. This is useful if the // corresponding upstream is using ALPN-based :ref:`FilterChainMatch - // ` along with different protocols for health checks + // ` along with different protocols for health checks // versus data connections. If empty, no ALPN protocols will be set on health check connections. repeated string alpn_protocols = 1; } diff --git a/api/envoy/config/listener/v4alpha/BUILD b/api/envoy/config/listener/v4alpha/BUILD new file mode 100644 index 000000000000..1d1761a3e941 --- /dev/null +++ b/api/envoy/config/listener/v4alpha/BUILD @@ -0,0 +1,15 @@ +# DO NOT EDIT. This file is generated by tools/proto_sync.py. + +load("@envoy_api//bazel:api_build_system.bzl", "api_proto_package") + +licenses(["notice"]) # Apache 2 + +api_proto_package( + deps = [ + "//envoy/config/accesslog/v4alpha:pkg", + "//envoy/config/core/v4alpha:pkg", + "//envoy/config/listener/v3:pkg", + "//envoy/type/v3:pkg", + "@com_github_cncf_udpa//udpa/annotations:pkg", + ], +) diff --git a/api/envoy/config/listener/v4alpha/api_listener.proto b/api/envoy/config/listener/v4alpha/api_listener.proto new file mode 100644 index 000000000000..b8d076c36583 --- /dev/null +++ b/api/envoy/config/listener/v4alpha/api_listener.proto @@ -0,0 +1,32 @@ +syntax = "proto3"; + +package envoy.config.listener.v4alpha; + +import "google/protobuf/any.proto"; + +import "udpa/annotations/status.proto"; +import "udpa/annotations/versioning.proto"; + +option java_package = "io.envoyproxy.envoy.config.listener.v4alpha"; +option java_outer_classname = "ApiListenerProto"; +option java_multiple_files = true; +option (udpa.annotations.file_status).package_version_status = NEXT_MAJOR_VERSION_CANDIDATE; + +// [#protodoc-title: API listener] + +// Describes a type of API listener, which is used in non-proxy clients. The type of API +// exposed to the non-proxy application depends on the type of API listener. +message ApiListener { + option (udpa.annotations.versioning).previous_message_type = + "envoy.config.listener.v3.ApiListener"; + + // The type in this field determines the type of API listener. At present, the following + // types are supported: + // envoy.config.filter.network.http_connection_manager.v2.HttpConnectionManager (HTTP) + // [#next-major-version: In the v3 API, replace this Any field with a oneof containing the + // specific config message for each type of API listener. We could not do this in v2 because + // it would have caused circular dependencies for go protos: lds.proto depends on this file, + // and http_connection_manager.proto depends on rds.proto, which is in the same directory as + // lds.proto, so lds.proto cannot depend on this file.] + google.protobuf.Any api_listener = 1; +} diff --git a/api/envoy/config/listener/v4alpha/listener.proto b/api/envoy/config/listener/v4alpha/listener.proto new file mode 100644 index 000000000000..4438bd2974d4 --- /dev/null +++ b/api/envoy/config/listener/v4alpha/listener.proto @@ -0,0 +1,241 @@ +syntax = "proto3"; + +package envoy.config.listener.v4alpha; + +import "envoy/config/accesslog/v4alpha/accesslog.proto"; +import "envoy/config/core/v4alpha/address.proto"; +import "envoy/config/core/v4alpha/base.proto"; +import "envoy/config/core/v4alpha/socket_option.proto"; +import "envoy/config/listener/v4alpha/api_listener.proto"; +import "envoy/config/listener/v4alpha/listener_components.proto"; +import "envoy/config/listener/v4alpha/udp_listener_config.proto"; + +import "google/api/annotations.proto"; +import "google/protobuf/duration.proto"; +import "google/protobuf/wrappers.proto"; + +import "udpa/annotations/status.proto"; +import "udpa/annotations/versioning.proto"; +import "validate/validate.proto"; + +option java_package = "io.envoyproxy.envoy.config.listener.v4alpha"; +option java_outer_classname = "ListenerProto"; +option java_multiple_files = true; +option (udpa.annotations.file_status).package_version_status = NEXT_MAJOR_VERSION_CANDIDATE; + +// [#protodoc-title: Listener configuration] +// Listener :ref:`configuration overview ` + +// [#next-free-field: 23] +message Listener { + option (udpa.annotations.versioning).previous_message_type = "envoy.config.listener.v3.Listener"; + + enum DrainType { + // Drain in response to calling /healthcheck/fail admin endpoint (along with the health check + // filter), listener removal/modification, and hot restart. + DEFAULT = 0; + + // Drain in response to listener removal/modification and hot restart. This setting does not + // include /healthcheck/fail. This setting may be desirable if Envoy is hosting both ingress + // and egress listeners. + MODIFY_ONLY = 1; + } + + // [#not-implemented-hide:] + message DeprecatedV1 { + option (udpa.annotations.versioning).previous_message_type = + "envoy.config.listener.v3.Listener.DeprecatedV1"; + + // Whether the listener should bind to the port. A listener that doesn't + // bind can only receive connections redirected from other listeners that + // set use_original_dst parameter to true. Default is true. + // + // This is deprecated in v2, all Listeners will bind to their port. An + // additional filter chain must be created for every original destination + // port this listener may redirect to in v2, with the original port + // specified in the FilterChainMatch destination_port field. + // + // [#comment:TODO(PiotrSikora): Remove this once verified that we no longer need it.] + google.protobuf.BoolValue bind_to_port = 1; + } + + // Configuration for listener connection balancing. + message ConnectionBalanceConfig { + option (udpa.annotations.versioning).previous_message_type = + "envoy.config.listener.v3.Listener.ConnectionBalanceConfig"; + + // A connection balancer implementation that does exact balancing. This means that a lock is + // held during balancing so that connection counts are nearly exactly balanced between worker + // threads. This is "nearly" exact in the sense that a connection might close in parallel thus + // making the counts incorrect, but this should be rectified on the next accept. This balancer + // sacrifices accept throughput for accuracy and should be used when there are a small number of + // connections that rarely cycle (e.g., service mesh gRPC egress). + message ExactBalance { + option (udpa.annotations.versioning).previous_message_type = + "envoy.config.listener.v3.Listener.ConnectionBalanceConfig.ExactBalance"; + } + + oneof balance_type { + option (validate.required) = true; + + // If specified, the listener will use the exact connection balancer. + ExactBalance exact_balance = 1; + } + } + + reserved 14, 4; + + reserved "use_original_dst"; + + // The unique name by which this listener is known. If no name is provided, + // Envoy will allocate an internal UUID for the listener. If the listener is to be dynamically + // updated or removed via :ref:`LDS ` a unique name must be provided. + string name = 1; + + // The address that the listener should listen on. In general, the address must be unique, though + // that is governed by the bind rules of the OS. E.g., multiple listeners can listen on port 0 on + // Linux as the actual port will be allocated by the OS. + core.v4alpha.Address address = 2 [(validate.rules).message = {required: true}]; + + // A list of filter chains to consider for this listener. The + // :ref:`FilterChain ` with the most specific + // :ref:`FilterChainMatch ` criteria is used on a + // connection. + // + // Example using SNI for filter chain selection can be found in the + // :ref:`FAQ entry `. + repeated FilterChain filter_chains = 3; + + // Soft limit on size of the listener’s new connection read and write buffers. + // If unspecified, an implementation defined default is applied (1MiB). + google.protobuf.UInt32Value per_connection_buffer_limit_bytes = 5; + + // Listener metadata. + core.v4alpha.Metadata metadata = 6; + + // [#not-implemented-hide:] + DeprecatedV1 deprecated_v1 = 7; + + // The type of draining to perform at a listener-wide level. + DrainType drain_type = 8; + + // Listener filters have the opportunity to manipulate and augment the connection metadata that + // is used in connection filter chain matching, for example. These filters are run before any in + // :ref:`filter_chains `. Order matters as the + // filters are processed sequentially right after a socket has been accepted by the listener, and + // before a connection is created. + // UDP Listener filters can be specified when the protocol in the listener socket address in + // :ref:`protocol ` is :ref:`UDP + // `. + // UDP listeners currently support a single filter. + repeated ListenerFilter listener_filters = 9; + + // The timeout to wait for all listener filters to complete operation. If the timeout is reached, + // the accepted socket is closed without a connection being created unless + // `continue_on_listener_filters_timeout` is set to true. Specify 0 to disable the + // timeout. If not specified, a default timeout of 15s is used. + google.protobuf.Duration listener_filters_timeout = 15; + + // Whether a connection should be created when listener filters timeout. Default is false. + // + // .. attention:: + // + // Some listener filters, such as :ref:`Proxy Protocol filter + // `, should not be used with this option. It will cause + // unexpected behavior when a connection is created. + bool continue_on_listener_filters_timeout = 17; + + // Whether the listener should be set as a transparent socket. + // When this flag is set to true, connections can be redirected to the listener using an + // *iptables* *TPROXY* target, in which case the original source and destination addresses and + // ports are preserved on accepted connections. This flag should be used in combination with + // :ref:`an original_dst ` :ref:`listener filter + // ` to mark the connections' local addresses as + // "restored." This can be used to hand off each redirected connection to another listener + // associated with the connection's destination address. Direct connections to the socket without + // using *TPROXY* cannot be distinguished from connections redirected using *TPROXY* and are + // therefore treated as if they were redirected. + // When this flag is set to false, the listener's socket is explicitly reset as non-transparent. + // Setting this flag requires Envoy to run with the *CAP_NET_ADMIN* capability. + // When this flag is not set (default), the socket is not modified, i.e. the transparent option + // is neither set nor reset. + google.protobuf.BoolValue transparent = 10; + + // Whether the listener should set the *IP_FREEBIND* socket option. When this + // flag is set to true, listeners can be bound to an IP address that is not + // configured on the system running Envoy. When this flag is set to false, the + // option *IP_FREEBIND* is disabled on the socket. When this flag is not set + // (default), the socket is not modified, i.e. the option is neither enabled + // nor disabled. + google.protobuf.BoolValue freebind = 11; + + // Additional socket options that may not be present in Envoy source code or + // precompiled binaries. + repeated core.v4alpha.SocketOption socket_options = 13; + + // Whether the listener should accept TCP Fast Open (TFO) connections. + // When this flag is set to a value greater than 0, the option TCP_FASTOPEN is enabled on + // the socket, with a queue length of the specified size + // (see `details in RFC7413 `_). + // When this flag is set to 0, the option TCP_FASTOPEN is disabled on the socket. + // When this flag is not set (default), the socket is not modified, + // i.e. the option is neither enabled nor disabled. + // + // On Linux, the net.ipv4.tcp_fastopen kernel parameter must include flag 0x2 to enable + // TCP_FASTOPEN. + // See `ip-sysctl.txt `_. + // + // On macOS, only values of 0, 1, and unset are valid; other values may result in an error. + // To set the queue length on macOS, set the net.inet.tcp.fastopen_backlog kernel parameter. + google.protobuf.UInt32Value tcp_fast_open_queue_length = 12; + + // Specifies the intended direction of the traffic relative to the local Envoy. + core.v4alpha.TrafficDirection traffic_direction = 16; + + // If the protocol in the listener socket address in :ref:`protocol + // ` is :ref:`UDP + // `, this field specifies the actual udp + // listener to create, i.e. :ref:`udp_listener_name + // ` = "raw_udp_listener" for + // creating a packet-oriented UDP listener. If not present, treat it as "raw_udp_listener". + UdpListenerConfig udp_listener_config = 18; + + // Used to represent an API listener, which is used in non-proxy clients. The type of API + // exposed to the non-proxy application depends on the type of API listener. + // When this field is set, no other field except for :ref:`name` + // should be set. + // + // .. note:: + // + // Currently only one ApiListener can be installed; and it can only be done via bootstrap config, + // not LDS. + // + // [#next-major-version: In the v3 API, instead of this messy approach where the socket + // listener fields are directly in the top-level Listener message and the API listener types + // are in the ApiListener message, the socket listener messages should be in their own message, + // and the top-level Listener should essentially be a oneof that selects between the + // socket listener and the various types of API listener. That way, a given Listener message + // can structurally only contain the fields of the relevant type.] + ApiListener api_listener = 19; + + // The listener's connection balancer configuration, currently only applicable to TCP listeners. + // If no configuration is specified, Envoy will not attempt to balance active connections between + // worker threads. + ConnectionBalanceConfig connection_balance_config = 20; + + // When this flag is set to true, listeners set the *SO_REUSEPORT* socket option and + // create one socket for each worker thread. This makes inbound connections + // distribute among worker threads roughly evenly in cases where there are a high number + // of connections. When this flag is set to false, all worker threads share one socket. + // + // Before Linux v4.19-rc1, new TCP connections may be rejected during hot restart + // (see `3rd paragraph in 'soreuseport' commit message + // `_). + // This issue was fixed by `tcp: Avoid TCP syncookie rejected by SO_REUSEPORT socket + // `_. + bool reuse_port = 21; + + // Configuration for :ref:`access logs ` + // emitted by this listener. + repeated accesslog.v4alpha.AccessLog access_log = 22; +} diff --git a/api/envoy/config/listener/v4alpha/listener_components.proto b/api/envoy/config/listener/v4alpha/listener_components.proto new file mode 100644 index 000000000000..6900cde39016 --- /dev/null +++ b/api/envoy/config/listener/v4alpha/listener_components.proto @@ -0,0 +1,298 @@ +syntax = "proto3"; + +package envoy.config.listener.v4alpha; + +import "envoy/config/core/v4alpha/address.proto"; +import "envoy/config/core/v4alpha/base.proto"; +import "envoy/type/v3/range.proto"; + +import "google/protobuf/any.proto"; +import "google/protobuf/struct.proto"; +import "google/protobuf/wrappers.proto"; + +import "udpa/annotations/status.proto"; +import "udpa/annotations/versioning.proto"; +import "validate/validate.proto"; + +option java_package = "io.envoyproxy.envoy.config.listener.v4alpha"; +option java_outer_classname = "ListenerComponentsProto"; +option java_multiple_files = true; +option (udpa.annotations.file_status).package_version_status = NEXT_MAJOR_VERSION_CANDIDATE; + +// [#protodoc-title: Listener components] +// Listener :ref:`configuration overview ` + +message Filter { + option (udpa.annotations.versioning).previous_message_type = "envoy.config.listener.v3.Filter"; + + reserved 3, 2; + + reserved "config"; + + // The name of the filter to instantiate. The name must match a + // :ref:`supported filter `. + string name = 1 [(validate.rules).string = {min_bytes: 1}]; + + // Filter specific configuration which depends on the filter being + // instantiated. See the supported filters for further documentation. + oneof config_type { + google.protobuf.Any typed_config = 4; + } +} + +// Specifies the match criteria for selecting a specific filter chain for a +// listener. +// +// In order for a filter chain to be selected, *ALL* of its criteria must be +// fulfilled by the incoming connection, properties of which are set by the +// networking stack and/or listener filters. +// +// The following order applies: +// +// 1. Destination port. +// 2. Destination IP address. +// 3. Server name (e.g. SNI for TLS protocol), +// 4. Transport protocol. +// 5. Application protocols (e.g. ALPN for TLS protocol). +// 6. Source type (e.g. any, local or external network). +// 7. Source IP address. +// 8. Source port. +// +// For criteria that allow ranges or wildcards, the most specific value in any +// of the configured filter chains that matches the incoming connection is going +// to be used (e.g. for SNI ``www.example.com`` the most specific match would be +// ``www.example.com``, then ``*.example.com``, then ``*.com``, then any filter +// chain without ``server_names`` requirements). +// +// [#comment: Implemented rules are kept in the preference order, with deprecated fields +// listed at the end, because that's how we want to list them in the docs. +// +// [#comment:TODO(PiotrSikora): Add support for configurable precedence of the rules] +// [#next-free-field: 13] +message FilterChainMatch { + option (udpa.annotations.versioning).previous_message_type = + "envoy.config.listener.v3.FilterChainMatch"; + + enum ConnectionSourceType { + // Any connection source matches. + ANY = 0; + + // Match a connection originating from the same host. + SAME_IP_OR_LOOPBACK = 1; + + // Match a connection originating from a different host. + EXTERNAL = 2; + } + + reserved 1; + + // Optional destination port to consider when use_original_dst is set on the + // listener in determining a filter chain match. + google.protobuf.UInt32Value destination_port = 8 [(validate.rules).uint32 = {lte: 65535 gte: 1}]; + + // If non-empty, an IP address and prefix length to match addresses when the + // listener is bound to 0.0.0.0/:: or when use_original_dst is specified. + repeated core.v4alpha.CidrRange prefix_ranges = 3; + + // If non-empty, an IP address and suffix length to match addresses when the + // listener is bound to 0.0.0.0/:: or when use_original_dst is specified. + // [#not-implemented-hide:] + string address_suffix = 4; + + // [#not-implemented-hide:] + google.protobuf.UInt32Value suffix_len = 5; + + // Specifies the connection source IP match type. Can be any, local or external network. + ConnectionSourceType source_type = 12 [(validate.rules).enum = {defined_only: true}]; + + // The criteria is satisfied if the source IP address of the downstream + // connection is contained in at least one of the specified subnets. If the + // parameter is not specified or the list is empty, the source IP address is + // ignored. + repeated core.v4alpha.CidrRange source_prefix_ranges = 6; + + // The criteria is satisfied if the source port of the downstream connection + // is contained in at least one of the specified ports. If the parameter is + // not specified, the source port is ignored. + repeated uint32 source_ports = 7 + [(validate.rules).repeated = {items {uint32 {lte: 65535 gte: 1}}}]; + + // If non-empty, a list of server names (e.g. SNI for TLS protocol) to consider when determining + // a filter chain match. Those values will be compared against the server names of a new + // connection, when detected by one of the listener filters. + // + // The server name will be matched against all wildcard domains, i.e. ``www.example.com`` + // will be first matched against ``www.example.com``, then ``*.example.com``, then ``*.com``. + // + // Note that partial wildcards are not supported, and values like ``*w.example.com`` are invalid. + // + // .. attention:: + // + // See the :ref:`FAQ entry ` on how to configure SNI for more + // information. + repeated string server_names = 11; + + // If non-empty, a transport protocol to consider when determining a filter chain match. + // This value will be compared against the transport protocol of a new connection, when + // it's detected by one of the listener filters. + // + // Suggested values include: + // + // * ``raw_buffer`` - default, used when no transport protocol is detected, + // * ``tls`` - set by :ref:`envoy.filters.listener.tls_inspector ` + // when TLS protocol is detected. + string transport_protocol = 9; + + // If non-empty, a list of application protocols (e.g. ALPN for TLS protocol) to consider when + // determining a filter chain match. Those values will be compared against the application + // protocols of a new connection, when detected by one of the listener filters. + // + // Suggested values include: + // + // * ``http/1.1`` - set by :ref:`envoy.filters.listener.tls_inspector + // `, + // * ``h2`` - set by :ref:`envoy.filters.listener.tls_inspector ` + // + // .. attention:: + // + // Currently, only :ref:`TLS Inspector ` provides + // application protocol detection based on the requested + // `ALPN `_ values. + // + // However, the use of ALPN is pretty much limited to the HTTP/2 traffic on the Internet, + // and matching on values other than ``h2`` is going to lead to a lot of false negatives, + // unless all connecting clients are known to use ALPN. + repeated string application_protocols = 10; +} + +// A filter chain wraps a set of match criteria, an option TLS context, a set of filters, and +// various other parameters. +// [#next-free-field: 8] +message FilterChain { + option (udpa.annotations.versioning).previous_message_type = + "envoy.config.listener.v3.FilterChain"; + + reserved 2; + + reserved "tls_context"; + + // The criteria to use when matching a connection to this filter chain. + FilterChainMatch filter_chain_match = 1; + + // A list of individual network filters that make up the filter chain for + // connections established with the listener. Order matters as the filters are + // processed sequentially as connection events happen. Note: If the filter + // list is empty, the connection will close by default. + repeated Filter filters = 3; + + // Whether the listener should expect a PROXY protocol V1 header on new + // connections. If this option is enabled, the listener will assume that that + // remote address of the connection is the one specified in the header. Some + // load balancers including the AWS ELB support this option. If the option is + // absent or set to false, Envoy will use the physical peer address of the + // connection as the remote address. + google.protobuf.BoolValue use_proxy_proto = 4; + + // [#not-implemented-hide:] filter chain metadata. + core.v4alpha.Metadata metadata = 5; + + // Optional custom transport socket implementation to use for downstream connections. + // To setup TLS, set a transport socket with name `tls` and + // :ref:`DownstreamTlsContext ` in the `typed_config`. + // If no transport socket configuration is specified, new connections + // will be set up with plaintext. + core.v4alpha.TransportSocket transport_socket = 6; + + // [#not-implemented-hide:] The unique name (or empty) by which this filter chain is known. If no + // name is provided, Envoy will allocate an internal UUID for the filter chain. If the filter + // chain is to be dynamically updated or removed via FCDS a unique name must be provided. + string name = 7; +} + +// Listener filter chain match configuration. This is a recursive structure which allows complex +// nested match configurations to be built using various logical operators. +// +// Examples: +// +// * Matches if the destination port is 3306. +// +// .. code-block:: yaml +// +// destination_port_range: +// start: 3306 +// end: 3307 +// +// * Matches if the destination port is 3306 or 15000. +// +// .. code-block:: yaml +// +// or_match: +// rules: +// - destination_port_range: +// start: 3306 +// end: 3306 +// - destination_port_range: +// start: 15000 +// end: 15001 +// +// [#next-free-field: 6] +message ListenerFilterChainMatchPredicate { + option (udpa.annotations.versioning).previous_message_type = + "envoy.config.listener.v3.ListenerFilterChainMatchPredicate"; + + // A set of match configurations used for logical operations. + message MatchSet { + option (udpa.annotations.versioning).previous_message_type = + "envoy.config.listener.v3.ListenerFilterChainMatchPredicate.MatchSet"; + + // The list of rules that make up the set. + repeated ListenerFilterChainMatchPredicate rules = 1 + [(validate.rules).repeated = {min_items: 2}]; + } + + oneof rule { + option (validate.required) = true; + + // A set that describes a logical OR. If any member of the set matches, the match configuration + // matches. + MatchSet or_match = 1; + + // A set that describes a logical AND. If all members of the set match, the match configuration + // matches. + MatchSet and_match = 2; + + // A negation match. The match configuration will match if the negated match condition matches. + ListenerFilterChainMatchPredicate not_match = 3; + + // The match configuration will always match. + bool any_match = 4 [(validate.rules).bool = {const: true}]; + + // Match destination port. Particularly, the match evaluation must use the recovered local port if + // the owning listener filter is after :ref:`an original_dst listener filter `. + type.v3.Int32Range destination_port_range = 5; + } +} + +message ListenerFilter { + option (udpa.annotations.versioning).previous_message_type = + "envoy.config.listener.v3.ListenerFilter"; + + reserved 2; + + reserved "config"; + + // The name of the filter to instantiate. The name must match a + // :ref:`supported filter `. + string name = 1 [(validate.rules).string = {min_bytes: 1}]; + + // Filter specific configuration which depends on the filter being instantiated. + // See the supported filters for further documentation. + oneof config_type { + google.protobuf.Any typed_config = 3; + } + + // Optional match predicate used to disable the filter. The filter is enabled when this field is empty. + // See :ref:`ListenerFilterChainMatchPredicate ` + // for further examples. + ListenerFilterChainMatchPredicate filter_disabled = 4; +} diff --git a/api/envoy/config/listener/v4alpha/quic_config.proto b/api/envoy/config/listener/v4alpha/quic_config.proto new file mode 100644 index 000000000000..97866e4b6ed8 --- /dev/null +++ b/api/envoy/config/listener/v4alpha/quic_config.proto @@ -0,0 +1,35 @@ +syntax = "proto3"; + +package envoy.config.listener.v4alpha; + +import "google/protobuf/duration.proto"; +import "google/protobuf/wrappers.proto"; + +import "udpa/annotations/status.proto"; +import "udpa/annotations/versioning.proto"; + +option java_package = "io.envoyproxy.envoy.config.listener.v4alpha"; +option java_outer_classname = "QuicConfigProto"; +option java_multiple_files = true; +option (udpa.annotations.file_status).package_version_status = NEXT_MAJOR_VERSION_CANDIDATE; + +// [#protodoc-title: QUIC listener Config] + +// Configuration specific to the QUIC protocol. +// Next id: 4 +message QuicProtocolOptions { + option (udpa.annotations.versioning).previous_message_type = + "envoy.config.listener.v3.QuicProtocolOptions"; + + // Maximum number of streams that the client can negotiate per connection. 100 + // if not specified. + google.protobuf.UInt32Value max_concurrent_streams = 1; + + // Maximum number of milliseconds that connection will be alive when there is + // no network activity. 300000ms if not specified. + google.protobuf.Duration idle_timeout = 2; + + // Connection timeout in milliseconds before the crypto handshake is finished. + // 20000ms if not specified. + google.protobuf.Duration crypto_handshake_timeout = 3; +} diff --git a/api/envoy/config/listener/v4alpha/udp_listener_config.proto b/api/envoy/config/listener/v4alpha/udp_listener_config.proto new file mode 100644 index 000000000000..7e40e9529f99 --- /dev/null +++ b/api/envoy/config/listener/v4alpha/udp_listener_config.proto @@ -0,0 +1,42 @@ +syntax = "proto3"; + +package envoy.config.listener.v4alpha; + +import "google/protobuf/any.proto"; +import "google/protobuf/struct.proto"; + +import "udpa/annotations/status.proto"; +import "udpa/annotations/versioning.proto"; + +option java_package = "io.envoyproxy.envoy.config.listener.v4alpha"; +option java_outer_classname = "UdpListenerConfigProto"; +option java_multiple_files = true; +option (udpa.annotations.file_status).package_version_status = NEXT_MAJOR_VERSION_CANDIDATE; + +// [#protodoc-title: UDP Listener Config] +// Listener :ref:`configuration overview ` + +message UdpListenerConfig { + option (udpa.annotations.versioning).previous_message_type = + "envoy.config.listener.v3.UdpListenerConfig"; + + reserved 2; + + reserved "config"; + + // Used to look up UDP listener factory, matches "raw_udp_listener" or + // "quic_listener" to create a specific udp listener. + // If not specified, treat as "raw_udp_listener". + string udp_listener_name = 1; + + // Used to create a specific listener factory. To some factory, e.g. + // "raw_udp_listener", config is not needed. + oneof config_type { + google.protobuf.Any typed_config = 3; + } +} + +message ActiveRawUdpListenerConfig { + option (udpa.annotations.versioning).previous_message_type = + "envoy.config.listener.v3.ActiveRawUdpListenerConfig"; +} diff --git a/api/envoy/config/metrics/v4alpha/BUILD b/api/envoy/config/metrics/v4alpha/BUILD new file mode 100644 index 000000000000..4b70ffb4110a --- /dev/null +++ b/api/envoy/config/metrics/v4alpha/BUILD @@ -0,0 +1,14 @@ +# DO NOT EDIT. This file is generated by tools/proto_sync.py. + +load("@envoy_api//bazel:api_build_system.bzl", "api_proto_package") + +licenses(["notice"]) # Apache 2 + +api_proto_package( + deps = [ + "//envoy/config/core/v4alpha:pkg", + "//envoy/config/metrics/v3:pkg", + "//envoy/type/matcher/v4alpha:pkg", + "@com_github_cncf_udpa//udpa/annotations:pkg", + ], +) diff --git a/api/envoy/config/metrics/v4alpha/metrics_service.proto b/api/envoy/config/metrics/v4alpha/metrics_service.proto new file mode 100644 index 000000000000..e4da16c56bfd --- /dev/null +++ b/api/envoy/config/metrics/v4alpha/metrics_service.proto @@ -0,0 +1,36 @@ +syntax = "proto3"; + +package envoy.config.metrics.v4alpha; + +import "envoy/config/core/v4alpha/grpc_service.proto"; + +import "google/protobuf/wrappers.proto"; + +import "udpa/annotations/status.proto"; +import "udpa/annotations/versioning.proto"; +import "validate/validate.proto"; + +option java_package = "io.envoyproxy.envoy.config.metrics.v4alpha"; +option java_outer_classname = "MetricsServiceProto"; +option java_multiple_files = true; +option (udpa.annotations.file_status).package_version_status = NEXT_MAJOR_VERSION_CANDIDATE; + +// [#protodoc-title: Metrics service] + +// Metrics Service is configured as a built-in *envoy.stat_sinks.metrics_service* :ref:`StatsSink +// `. This opaque configuration will be used to create +// Metrics Service. +// [#extension: envoy.stat_sinks.metrics_service] +message MetricsServiceConfig { + option (udpa.annotations.versioning).previous_message_type = + "envoy.config.metrics.v3.MetricsServiceConfig"; + + // The upstream gRPC cluster that hosts the metrics service. + core.v4alpha.GrpcService grpc_service = 1 [(validate.rules).message = {required: true}]; + + // If true, counters are reported as the delta between flushing intervals. Otherwise, the current + // counter value is reported. Defaults to false. + // Eventually (https://github.com/envoyproxy/envoy/issues/10968) if this value is not set, the + // sink will take updates from the :ref:`MetricsResponse `. + google.protobuf.BoolValue report_counters_as_deltas = 2; +} diff --git a/api/envoy/config/metrics/v4alpha/stats.proto b/api/envoy/config/metrics/v4alpha/stats.proto new file mode 100644 index 000000000000..f9a4549746c6 --- /dev/null +++ b/api/envoy/config/metrics/v4alpha/stats.proto @@ -0,0 +1,361 @@ +syntax = "proto3"; + +package envoy.config.metrics.v4alpha; + +import "envoy/config/core/v4alpha/address.proto"; +import "envoy/type/matcher/v4alpha/string.proto"; + +import "google/protobuf/any.proto"; +import "google/protobuf/struct.proto"; +import "google/protobuf/wrappers.proto"; + +import "udpa/annotations/status.proto"; +import "udpa/annotations/versioning.proto"; +import "validate/validate.proto"; + +option java_package = "io.envoyproxy.envoy.config.metrics.v4alpha"; +option java_outer_classname = "StatsProto"; +option java_multiple_files = true; +option (udpa.annotations.file_status).package_version_status = NEXT_MAJOR_VERSION_CANDIDATE; + +// [#protodoc-title: Stats] +// Statistics :ref:`architecture overview `. + +// Configuration for pluggable stats sinks. +message StatsSink { + option (udpa.annotations.versioning).previous_message_type = "envoy.config.metrics.v3.StatsSink"; + + reserved 2; + + reserved "config"; + + // The name of the stats sink to instantiate. The name must match a supported + // stats sink. The built-in stats sinks are: + // + // * :ref:`envoy.stat_sinks.statsd ` + // * :ref:`envoy.stat_sinks.dog_statsd ` + // * :ref:`envoy.stat_sinks.metrics_service ` + // * :ref:`envoy.stat_sinks.hystrix ` + // + // Sinks optionally support tagged/multiple dimensional metrics. + string name = 1; + + // Stats sink specific configuration which depends on the sink being instantiated. See + // :ref:`StatsdSink ` for an example. + oneof config_type { + google.protobuf.Any typed_config = 3; + } +} + +// Statistics configuration such as tagging. +message StatsConfig { + option (udpa.annotations.versioning).previous_message_type = + "envoy.config.metrics.v3.StatsConfig"; + + // Each stat name is iteratively processed through these tag specifiers. + // When a tag is matched, the first capture group is removed from the name so + // later :ref:`TagSpecifiers ` cannot match that + // same portion of the match. + repeated TagSpecifier stats_tags = 1; + + // Use all default tag regexes specified in Envoy. These can be combined with + // custom tags specified in :ref:`stats_tags + // `. They will be processed before + // the custom tags. + // + // .. note:: + // + // If any default tags are specified twice, the config will be considered + // invalid. + // + // See :repo:`well_known_names.h ` for a list of the + // default tags in Envoy. + // + // If not provided, the value is assumed to be true. + google.protobuf.BoolValue use_all_default_tags = 2; + + // Inclusion/exclusion matcher for stat name creation. If not provided, all stats are instantiated + // as normal. Preventing the instantiation of certain families of stats can improve memory + // performance for Envoys running especially large configs. + // + // .. warning:: + // Excluding stats may affect Envoy's behavior in undocumented ways. See + // `issue #8771 `_ for more information. + // If any unexpected behavior changes are observed, please open a new issue immediately. + StatsMatcher stats_matcher = 3; +} + +// Configuration for disabling stat instantiation. +message StatsMatcher { + // The instantiation of stats is unrestricted by default. If the goal is to configure Envoy to + // instantiate all stats, there is no need to construct a StatsMatcher. + // + // However, StatsMatcher can be used to limit the creation of families of stats in order to + // conserve memory. Stats can either be disabled entirely, or they can be + // limited by either an exclusion or an inclusion list of :ref:`StringMatcher + // ` protos: + // + // * If `reject_all` is set to `true`, no stats will be instantiated. If `reject_all` is set to + // `false`, all stats will be instantiated. + // + // * If an exclusion list is supplied, any stat name matching *any* of the StringMatchers in the + // list will not instantiate. + // + // * If an inclusion list is supplied, no stats will instantiate, except those matching *any* of + // the StringMatchers in the list. + // + // + // A StringMatcher can be used to match against an exact string, a suffix / prefix, or a regex. + // **NB:** For performance reasons, it is highly recommended to use a prefix- or suffix-based + // matcher rather than a regex-based matcher. + // + // Example 1. Excluding all stats. + // + // .. code-block:: json + // + // { + // "statsMatcher": { + // "rejectAll": "true" + // } + // } + // + // Example 2. Excluding all cluster-specific stats, but not cluster-manager stats: + // + // .. code-block:: json + // + // { + // "statsMatcher": { + // "exclusionList": { + // "patterns": [ + // { + // "prefix": "cluster." + // } + // ] + // } + // } + // } + // + // Example 3. Including only manager-related stats: + // + // .. code-block:: json + // + // { + // "statsMatcher": { + // "inclusionList": { + // "patterns": [ + // { + // "prefix": "cluster_manager." + // }, + // { + // "prefix": "listener_manager." + // } + // ] + // } + // } + // } + // + + option (udpa.annotations.versioning).previous_message_type = + "envoy.config.metrics.v3.StatsMatcher"; + + oneof stats_matcher { + option (validate.required) = true; + + // If `reject_all` is true, then all stats are disabled. If `reject_all` is false, then all + // stats are enabled. + bool reject_all = 1; + + // Exclusive match. All stats are enabled except for those matching one of the supplied + // StringMatcher protos. + type.matcher.v4alpha.ListStringMatcher exclusion_list = 2; + + // Inclusive match. No stats are enabled except for those matching one of the supplied + // StringMatcher protos. + type.matcher.v4alpha.ListStringMatcher inclusion_list = 3; + } +} + +// Designates a tag name and value pair. The value may be either a fixed value +// or a regex providing the value via capture groups. The specified tag will be +// unconditionally set if a fixed value, otherwise it will only be set if one +// or more capture groups in the regex match. +message TagSpecifier { + option (udpa.annotations.versioning).previous_message_type = + "envoy.config.metrics.v3.TagSpecifier"; + + // Attaches an identifier to the tag values to identify the tag being in the + // sink. Envoy has a set of default names and regexes to extract dynamic + // portions of existing stats, which can be found in :repo:`well_known_names.h + // ` in the Envoy repository. If a :ref:`tag_name + // ` is provided in the config and + // neither :ref:`regex ` or + // :ref:`fixed_value ` were specified, + // Envoy will attempt to find that name in its set of defaults and use the accompanying regex. + // + // .. note:: + // + // It is invalid to specify the same tag name twice in a config. + string tag_name = 1; + + oneof tag_value { + // Designates a tag to strip from the tag extracted name and provide as a named + // tag value for all statistics. This will only occur if any part of the name + // matches the regex provided with one or more capture groups. + // + // The first capture group identifies the portion of the name to remove. The + // second capture group (which will normally be nested inside the first) will + // designate the value of the tag for the statistic. If no second capture + // group is provided, the first will also be used to set the value of the tag. + // All other capture groups will be ignored. + // + // Example 1. a stat name ``cluster.foo_cluster.upstream_rq_timeout`` and + // one tag specifier: + // + // .. code-block:: json + // + // { + // "tag_name": "envoy.cluster_name", + // "regex": "^cluster\.((.+?)\.)" + // } + // + // Note that the regex will remove ``foo_cluster.`` making the tag extracted + // name ``cluster.upstream_rq_timeout`` and the tag value for + // ``envoy.cluster_name`` will be ``foo_cluster`` (note: there will be no + // ``.`` character because of the second capture group). + // + // Example 2. a stat name + // ``http.connection_manager_1.user_agent.ios.downstream_cx_total`` and two + // tag specifiers: + // + // .. code-block:: json + // + // [ + // { + // "tag_name": "envoy.http_user_agent", + // "regex": "^http(?=\.).*?\.user_agent\.((.+?)\.)\w+?$" + // }, + // { + // "tag_name": "envoy.http_conn_manager_prefix", + // "regex": "^http\.((.*?)\.)" + // } + // ] + // + // The two regexes of the specifiers will be processed in the definition order. + // + // The first regex will remove ``ios.``, leaving the tag extracted name + // ``http.connection_manager_1.user_agent.downstream_cx_total``. The tag + // ``envoy.http_user_agent`` will be added with tag value ``ios``. + // + // The second regex will remove ``connection_manager_1.`` from the tag + // extracted name produced by the first regex + // ``http.connection_manager_1.user_agent.downstream_cx_total``, leaving + // ``http.user_agent.downstream_cx_total`` as the tag extracted name. The tag + // ``envoy.http_conn_manager_prefix`` will be added with the tag value + // ``connection_manager_1``. + string regex = 2 [(validate.rules).string = {max_bytes: 1024}]; + + // Specifies a fixed tag value for the ``tag_name``. + string fixed_value = 3; + } +} + +// Stats configuration proto schema for built-in *envoy.stat_sinks.statsd* sink. This sink does not support +// tagged metrics. +// [#extension: envoy.stat_sinks.statsd] +message StatsdSink { + option (udpa.annotations.versioning).previous_message_type = "envoy.config.metrics.v3.StatsdSink"; + + oneof statsd_specifier { + option (validate.required) = true; + + // The UDP address of a running `statsd `_ + // compliant listener. If specified, statistics will be flushed to this + // address. + core.v4alpha.Address address = 1; + + // The name of a cluster that is running a TCP `statsd + // `_ compliant listener. If specified, + // Envoy will connect to this cluster to flush statistics. + string tcp_cluster_name = 2; + } + + // Optional custom prefix for StatsdSink. If + // specified, this will override the default prefix. + // For example: + // + // .. code-block:: json + // + // { + // "prefix" : "envoy-prod" + // } + // + // will change emitted stats to + // + // .. code-block:: cpp + // + // envoy-prod.test_counter:1|c + // envoy-prod.test_timer:5|ms + // + // Note that the default prefix, "envoy", will be used if a prefix is not + // specified. + // + // Stats with default prefix: + // + // .. code-block:: cpp + // + // envoy.test_counter:1|c + // envoy.test_timer:5|ms + string prefix = 3; +} + +// Stats configuration proto schema for built-in *envoy.stat_sinks.dog_statsd* sink. +// The sink emits stats with `DogStatsD `_ +// compatible tags. Tags are configurable via :ref:`StatsConfig +// `. +// [#extension: envoy.stat_sinks.dog_statsd] +message DogStatsdSink { + option (udpa.annotations.versioning).previous_message_type = + "envoy.config.metrics.v3.DogStatsdSink"; + + reserved 2; + + oneof dog_statsd_specifier { + option (validate.required) = true; + + // The UDP address of a running DogStatsD compliant listener. If specified, + // statistics will be flushed to this address. + core.v4alpha.Address address = 1; + } + + // Optional custom metric name prefix. See :ref:`StatsdSink's prefix field + // ` for more details. + string prefix = 3; +} + +// Stats configuration proto schema for built-in *envoy.stat_sinks.hystrix* sink. +// The sink emits stats in `text/event-stream +// `_ +// formatted stream for use by `Hystrix dashboard +// `_. +// +// Note that only a single HystrixSink should be configured. +// +// Streaming is started through an admin endpoint :http:get:`/hystrix_event_stream`. +// [#extension: envoy.stat_sinks.hystrix] +message HystrixSink { + option (udpa.annotations.versioning).previous_message_type = + "envoy.config.metrics.v3.HystrixSink"; + + // The number of buckets the rolling statistical window is divided into. + // + // Each time the sink is flushed, all relevant Envoy statistics are sampled and + // added to the rolling window (removing the oldest samples in the window + // in the process). The sink then outputs the aggregate statistics across the + // current rolling window to the event stream(s). + // + // rolling_window(ms) = stats_flush_interval(ms) * num_of_buckets + // + // More detailed explanation can be found in `Hystrix wiki + // `_. + int64 num_buckets = 1; +} diff --git a/api/envoy/config/rbac/v4alpha/BUILD b/api/envoy/config/rbac/v4alpha/BUILD index dbfa8be4f36f..f0707bae6eae 100644 --- a/api/envoy/config/rbac/v4alpha/BUILD +++ b/api/envoy/config/rbac/v4alpha/BUILD @@ -9,7 +9,7 @@ api_proto_package( "//envoy/config/core/v4alpha:pkg", "//envoy/config/rbac/v3:pkg", "//envoy/config/route/v4alpha:pkg", - "//envoy/type/matcher/v3:pkg", + "//envoy/type/matcher/v4alpha:pkg", "@com_github_cncf_udpa//udpa/annotations:pkg", "@com_google_googleapis//google/api/expr/v1alpha1:syntax_proto", ], diff --git a/api/envoy/config/rbac/v4alpha/rbac.proto b/api/envoy/config/rbac/v4alpha/rbac.proto index 097231282f45..3ca9f7f08a72 100644 --- a/api/envoy/config/rbac/v4alpha/rbac.proto +++ b/api/envoy/config/rbac/v4alpha/rbac.proto @@ -4,9 +4,9 @@ package envoy.config.rbac.v4alpha; import "envoy/config/core/v4alpha/address.proto"; import "envoy/config/route/v4alpha/route_components.proto"; -import "envoy/type/matcher/v3/metadata.proto"; -import "envoy/type/matcher/v3/path.proto"; -import "envoy/type/matcher/v3/string.proto"; +import "envoy/type/matcher/v4alpha/metadata.proto"; +import "envoy/type/matcher/v4alpha/path.proto"; +import "envoy/type/matcher/v4alpha/string.proto"; import "google/api/expr/v1alpha1/syntax.proto"; @@ -140,7 +140,7 @@ message Permission { route.v4alpha.HeaderMatcher header = 4; // A URL path on the incoming HTTP request. Only available for HTTP. - type.matcher.v3.PathMatcher url_path = 10; + type.matcher.v4alpha.PathMatcher url_path = 10; // A CIDR block that describes the destination IP. core.v4alpha.CidrRange destination_ip = 5; @@ -149,7 +149,7 @@ message Permission { uint32 destination_port = 6 [(validate.rules).uint32 = {lte: 65535}]; // Metadata that describes additional information about the action. - type.matcher.v3.MetadataMatcher metadata = 7; + type.matcher.v4alpha.MetadataMatcher metadata = 7; // Negates matching the provided permission. For instance, if the value of `not_rule` would // match, this permission would not match. Conversely, if the value of `not_rule` would not @@ -166,7 +166,7 @@ message Permission { // // * If the :ref:`TLS Inspector ` // filter is not added, and if a `FilterChainMatch` is not defined for - // the :ref:`server name `, + // the :ref:`server name `, // a TLS connection's requested SNI server name will be treated as if it // wasn't present. // @@ -175,7 +175,7 @@ message Permission { // // Please refer to :ref:`this FAQ entry ` to learn to // setup SNI. - type.matcher.v3.StringMatcher requested_server_name = 9; + type.matcher.v4alpha.StringMatcher requested_server_name = 9; } } @@ -203,7 +203,7 @@ message Principal { // The name of the principal. If set, The URI SAN or DNS SAN in that order is used from the // certificate, otherwise the subject field is used. If unset, it applies to any user that is // authenticated. - type.matcher.v3.StringMatcher principal_name = 2; + type.matcher.v4alpha.StringMatcher principal_name = 2; } reserved 5; @@ -245,10 +245,10 @@ message Principal { route.v4alpha.HeaderMatcher header = 6; // A URL path on the incoming HTTP request. Only available for HTTP. - type.matcher.v3.PathMatcher url_path = 9; + type.matcher.v4alpha.PathMatcher url_path = 9; // Metadata that describes additional information about the principal. - type.matcher.v3.MetadataMatcher metadata = 7; + type.matcher.v4alpha.MetadataMatcher metadata = 7; // Negates matching the provided principal. For instance, if the value of `not_id` would match, // this principal would not match. Conversely, if the value of `not_id` would not match, this diff --git a/api/envoy/config/route/v4alpha/BUILD b/api/envoy/config/route/v4alpha/BUILD index 507bedd76bdf..13dd451d1b4a 100644 --- a/api/envoy/config/route/v4alpha/BUILD +++ b/api/envoy/config/route/v4alpha/BUILD @@ -9,7 +9,7 @@ api_proto_package( "//envoy/annotations:pkg", "//envoy/config/core/v4alpha:pkg", "//envoy/config/route/v3:pkg", - "//envoy/type/matcher/v3:pkg", + "//envoy/type/matcher/v4alpha:pkg", "//envoy/type/tracing/v3:pkg", "//envoy/type/v3:pkg", "@com_github_cncf_udpa//udpa/annotations:pkg", diff --git a/api/envoy/config/route/v4alpha/route_components.proto b/api/envoy/config/route/v4alpha/route_components.proto index 5fb31112b34e..6e1b1f9f5a0a 100644 --- a/api/envoy/config/route/v4alpha/route_components.proto +++ b/api/envoy/config/route/v4alpha/route_components.proto @@ -4,8 +4,8 @@ package envoy.config.route.v4alpha; import "envoy/config/core/v4alpha/base.proto"; import "envoy/config/core/v4alpha/proxy_protocol.proto"; -import "envoy/type/matcher/v3/regex.proto"; -import "envoy/type/matcher/v3/string.proto"; +import "envoy/type/matcher/v4alpha/regex.proto"; +import "envoy/type/matcher/v4alpha/string.proto"; import "envoy/type/tracing/v3/custom_tag.proto"; import "envoy/type/v3/percent.proto"; import "envoy/type/v3/range.proto"; @@ -143,7 +143,7 @@ message VirtualHost { // will see the attempt count as perceived by the second Envoy. Defaults to false. // This header is unaffected by the // :ref:`suppress_envoy_headers - // ` flag. + // ` flag. // // [#next-major-version: rename to include_attempt_count_in_request.] bool include_request_attempt_count = 14; @@ -155,7 +155,7 @@ message VirtualHost { // will see the attempt count as perceived by the Envoy closest upstream from itself. Defaults to false. // This header is unaffected by the // :ref:`suppress_envoy_headers - // ` flag. + // ` flag. bool include_attempt_count_in_response = 19; // Indicates the retry policy for all routes in this virtual host. Note that setting a @@ -428,7 +428,7 @@ message RouteMatch { // path_specifier entirely and just rely on a set of header matchers which can already match // on :path, etc. The issue with that is it is unclear how to generically deal with query string // stripping. This needs more thought.] - type.matcher.v3.RegexMatcher safe_regex = 10 [(validate.rules).message = {required: true}]; + type.matcher.v4alpha.RegexMatcher safe_regex = 10 [(validate.rules).message = {required: true}]; // [#not-implemented-hide:] // If this is used as the matcher, the matcher will only match CONNECT requests. @@ -499,7 +499,7 @@ message CorsPolicy { // Specifies string patterns that match allowed origins. An origin is allowed if any of the // string matchers match. - repeated type.matcher.v3.StringMatcher allow_origin_string_match = 11; + repeated type.matcher.v4alpha.StringMatcher allow_origin_string_match = 11; // Specifies the content for the *access-control-allow-methods* header. string allow_methods = 2; @@ -855,7 +855,7 @@ message RouteAction { // * The pattern ``(?i)/xxx/`` paired with a substitution string of ``/yyy/`` // would do a case-insensitive match and transform path ``/aaa/XxX/bbb`` to // ``/aaa/yyy/bbb``. - type.matcher.v3.RegexMatchAndSubstitute regex_rewrite = 32; + type.matcher.v4alpha.RegexMatchAndSubstitute regex_rewrite = 32; oneof host_rewrite_specifier { // Indicates that during forwarding, the host header will be swapped with @@ -1534,7 +1534,7 @@ message HeaderMatcher { // If specified, this regex string is a regular expression rule which implies the entire request // header value must match the regex. The rule will not match if only a subsequence of the // request header value matches the regex. - type.matcher.v3.RegexMatcher safe_regex_match = 11; + type.matcher.v4alpha.RegexMatcher safe_regex_match = 11; // If specified, header match will be performed based on range. // The rule will match if the request header value is within this range. @@ -1596,7 +1596,8 @@ message QueryParameterMatcher { oneof query_parameter_match_specifier { // Specifies whether a query parameter value should match against a string. - type.matcher.v3.StringMatcher string_match = 5 [(validate.rules).message = {required: true}]; + type.matcher.v4alpha.StringMatcher string_match = 5 + [(validate.rules).message = {required: true}]; // Specifies whether a query parameter should be present. bool present_match = 6; diff --git a/api/envoy/config/tap/v4alpha/BUILD b/api/envoy/config/tap/v4alpha/BUILD new file mode 100644 index 000000000000..cb06389f0186 --- /dev/null +++ b/api/envoy/config/tap/v4alpha/BUILD @@ -0,0 +1,14 @@ +# DO NOT EDIT. This file is generated by tools/proto_sync.py. + +load("@envoy_api//bazel:api_build_system.bzl", "api_proto_package") + +licenses(["notice"]) # Apache 2 + +api_proto_package( + deps = [ + "//envoy/config/core/v4alpha:pkg", + "//envoy/config/route/v4alpha:pkg", + "//envoy/config/tap/v3:pkg", + "@com_github_cncf_udpa//udpa/annotations:pkg", + ], +) diff --git a/api/envoy/config/tap/v4alpha/common.proto b/api/envoy/config/tap/v4alpha/common.proto new file mode 100644 index 000000000000..b8e8dac291f3 --- /dev/null +++ b/api/envoy/config/tap/v4alpha/common.proto @@ -0,0 +1,225 @@ +syntax = "proto3"; + +package envoy.config.tap.v4alpha; + +import "envoy/config/core/v4alpha/base.proto"; +import "envoy/config/core/v4alpha/grpc_service.proto"; +import "envoy/config/route/v4alpha/route_components.proto"; + +import "google/protobuf/wrappers.proto"; + +import "udpa/annotations/status.proto"; +import "udpa/annotations/versioning.proto"; +import "validate/validate.proto"; + +option java_package = "io.envoyproxy.envoy.config.tap.v4alpha"; +option java_outer_classname = "CommonProto"; +option java_multiple_files = true; +option (udpa.annotations.file_status).package_version_status = NEXT_MAJOR_VERSION_CANDIDATE; + +// [#protodoc-title: Common tap configuration] + +// Tap configuration. +message TapConfig { + // [#comment:TODO(mattklein123): Rate limiting] + + option (udpa.annotations.versioning).previous_message_type = "envoy.config.tap.v3.TapConfig"; + + // The match configuration. If the configuration matches the data source being tapped, a tap will + // occur, with the result written to the configured output. + MatchPredicate match_config = 1 [(validate.rules).message = {required: true}]; + + // The tap output configuration. If a match configuration matches a data source being tapped, + // a tap will occur and the data will be written to the configured output. + OutputConfig output_config = 2 [(validate.rules).message = {required: true}]; + + // [#not-implemented-hide:] Specify if Tap matching is enabled. The % of requests\connections for + // which the tap matching is enabled. When not enabled, the request\connection will not be + // recorded. + // + // .. note:: + // + // This field defaults to 100/:ref:`HUNDRED + // `. + core.v4alpha.RuntimeFractionalPercent tap_enabled = 3; +} + +// Tap match configuration. This is a recursive structure which allows complex nested match +// configurations to be built using various logical operators. +// [#next-free-field: 9] +message MatchPredicate { + option (udpa.annotations.versioning).previous_message_type = "envoy.config.tap.v3.MatchPredicate"; + + // A set of match configurations used for logical operations. + message MatchSet { + option (udpa.annotations.versioning).previous_message_type = + "envoy.config.tap.v3.MatchPredicate.MatchSet"; + + // The list of rules that make up the set. + repeated MatchPredicate rules = 1 [(validate.rules).repeated = {min_items: 2}]; + } + + oneof rule { + option (validate.required) = true; + + // A set that describes a logical OR. If any member of the set matches, the match configuration + // matches. + MatchSet or_match = 1; + + // A set that describes a logical AND. If all members of the set match, the match configuration + // matches. + MatchSet and_match = 2; + + // A negation match. The match configuration will match if the negated match condition matches. + MatchPredicate not_match = 3; + + // The match configuration will always match. + bool any_match = 4 [(validate.rules).bool = {const: true}]; + + // HTTP request headers match configuration. + HttpHeadersMatch http_request_headers_match = 5; + + // HTTP request trailers match configuration. + HttpHeadersMatch http_request_trailers_match = 6; + + // HTTP response headers match configuration. + HttpHeadersMatch http_response_headers_match = 7; + + // HTTP response trailers match configuration. + HttpHeadersMatch http_response_trailers_match = 8; + } +} + +// HTTP headers match configuration. +message HttpHeadersMatch { + option (udpa.annotations.versioning).previous_message_type = + "envoy.config.tap.v3.HttpHeadersMatch"; + + // HTTP headers to match. + repeated route.v4alpha.HeaderMatcher headers = 1; +} + +// Tap output configuration. +message OutputConfig { + option (udpa.annotations.versioning).previous_message_type = "envoy.config.tap.v3.OutputConfig"; + + // Output sinks for tap data. Currently a single sink is allowed in the list. Once multiple + // sink types are supported this constraint will be relaxed. + repeated OutputSink sinks = 1 [(validate.rules).repeated = {min_items: 1 max_items: 1}]; + + // For buffered tapping, the maximum amount of received body that will be buffered prior to + // truncation. If truncation occurs, the :ref:`truncated + // ` field will be set. If not specified, the + // default is 1KiB. + google.protobuf.UInt32Value max_buffered_rx_bytes = 2; + + // For buffered tapping, the maximum amount of transmitted body that will be buffered prior to + // truncation. If truncation occurs, the :ref:`truncated + // ` field will be set. If not specified, the + // default is 1KiB. + google.protobuf.UInt32Value max_buffered_tx_bytes = 3; + + // Indicates whether taps produce a single buffered message per tap, or multiple streamed + // messages per tap in the emitted :ref:`TraceWrapper + // ` messages. Note that streamed tapping does not + // mean that no buffering takes place. Buffering may be required if data is processed before a + // match can be determined. See the HTTP tap filter :ref:`streaming + // ` documentation for more information. + bool streaming = 4; +} + +// Tap output sink configuration. +message OutputSink { + option (udpa.annotations.versioning).previous_message_type = "envoy.config.tap.v3.OutputSink"; + + // Output format. All output is in the form of one or more :ref:`TraceWrapper + // ` messages. This enumeration indicates + // how those messages are written. Note that not all sinks support all output formats. See + // individual sink documentation for more information. + enum Format { + // Each message will be written as JSON. Any :ref:`body ` + // data will be present in the :ref:`as_bytes + // ` field. This means that body data will be + // base64 encoded as per the `proto3 JSON mappings + // `_. + JSON_BODY_AS_BYTES = 0; + + // Each message will be written as JSON. Any :ref:`body ` + // data will be present in the :ref:`as_string + // ` field. This means that body data will be + // string encoded as per the `proto3 JSON mappings + // `_. This format type is + // useful when it is known that that body is human readable (e.g., JSON over HTTP) and the + // user wishes to view it directly without being forced to base64 decode the body. + JSON_BODY_AS_STRING = 1; + + // Binary proto format. Note that binary proto is not self-delimiting. If a sink writes + // multiple binary messages without any length information the data stream will not be + // useful. However, for certain sinks that are self-delimiting (e.g., one message per file) + // this output format makes consumption simpler. + PROTO_BINARY = 2; + + // Messages are written as a sequence tuples, where each tuple is the message length encoded + // as a `protobuf 32-bit varint + // `_ + // followed by the binary message. The messages can be read back using the language specific + // protobuf coded stream implementation to obtain the message length and the message. + PROTO_BINARY_LENGTH_DELIMITED = 3; + + // Text proto format. + PROTO_TEXT = 4; + } + + // Sink output format. + Format format = 1 [(validate.rules).enum = {defined_only: true}]; + + oneof output_sink_type { + option (validate.required) = true; + + // Tap output will be streamed out the :http:post:`/tap` admin endpoint. + // + // .. attention:: + // + // It is only allowed to specify the streaming admin output sink if the tap is being + // configured from the :http:post:`/tap` admin endpoint. Thus, if an extension has + // been configured to receive tap configuration from some other source (e.g., static + // file, XDS, etc.) configuring the streaming admin output type will fail. + StreamingAdminSink streaming_admin = 2; + + // Tap output will be written to a file per tap sink. + FilePerTapSink file_per_tap = 3; + + // [#not-implemented-hide:] + // GrpcService to stream data to. The format argument must be PROTO_BINARY. + StreamingGrpcSink streaming_grpc = 4; + } +} + +// Streaming admin sink configuration. +message StreamingAdminSink { + option (udpa.annotations.versioning).previous_message_type = + "envoy.config.tap.v3.StreamingAdminSink"; +} + +// The file per tap sink outputs a discrete file for every tapped stream. +message FilePerTapSink { + option (udpa.annotations.versioning).previous_message_type = "envoy.config.tap.v3.FilePerTapSink"; + + // Path prefix. The output file will be of the form _.pb, where is an + // identifier distinguishing the recorded trace for stream instances (the Envoy + // connection ID, HTTP stream ID, etc.). + string path_prefix = 1 [(validate.rules).string = {min_bytes: 1}]; +} + +// [#not-implemented-hide:] Streaming gRPC sink configuration sends the taps to an external gRPC +// server. +message StreamingGrpcSink { + option (udpa.annotations.versioning).previous_message_type = + "envoy.config.tap.v3.StreamingGrpcSink"; + + // Opaque identifier, that will be sent back to the streaming grpc server. + string tap_id = 1; + + // The gRPC server that hosts the Tap Sink Service. + core.v4alpha.GrpcService grpc_service = 2 [(validate.rules).message = {required: true}]; +} diff --git a/api/envoy/data/dns/v4alpha/BUILD b/api/envoy/data/dns/v4alpha/BUILD new file mode 100644 index 000000000000..bc8958ceab0b --- /dev/null +++ b/api/envoy/data/dns/v4alpha/BUILD @@ -0,0 +1,13 @@ +# DO NOT EDIT. This file is generated by tools/proto_sync.py. + +load("@envoy_api//bazel:api_build_system.bzl", "api_proto_package") + +licenses(["notice"]) # Apache 2 + +api_proto_package( + deps = [ + "//envoy/data/dns/v3:pkg", + "//envoy/type/matcher/v4alpha:pkg", + "@com_github_cncf_udpa//udpa/annotations:pkg", + ], +) diff --git a/api/envoy/data/dns/v4alpha/dns_table.proto b/api/envoy/data/dns/v4alpha/dns_table.proto new file mode 100644 index 000000000000..83edc20088de --- /dev/null +++ b/api/envoy/data/dns/v4alpha/dns_table.proto @@ -0,0 +1,85 @@ +syntax = "proto3"; + +package envoy.data.dns.v4alpha; + +import "envoy/type/matcher/v4alpha/string.proto"; + +import "google/protobuf/duration.proto"; + +import "udpa/annotations/status.proto"; +import "udpa/annotations/versioning.proto"; +import "validate/validate.proto"; + +option java_package = "io.envoyproxy.envoy.data.dns.v4alpha"; +option java_outer_classname = "DnsTableProto"; +option java_multiple_files = true; +option (udpa.annotations.file_status).package_version_status = NEXT_MAJOR_VERSION_CANDIDATE; + +// [#protodoc-title: DNS Filter Table Data] +// :ref:`DNS Filter config overview `. + +// This message contains the configuration for the DNS Filter if populated +// from the control plane +message DnsTable { + option (udpa.annotations.versioning).previous_message_type = "envoy.data.dns.v3.DnsTable"; + + // This message contains a list of IP addresses returned for a query for a known name + message AddressList { + option (udpa.annotations.versioning).previous_message_type = + "envoy.data.dns.v3.DnsTable.AddressList"; + + // This field contains a well formed IP address that is returned + // in the answer for a name query. The address field can be an + // IPv4 or IPv6 address. Address family detection is done automatically + // when Envoy parses the string. Since this field is repeated, + // Envoy will return one randomly chosen entry from this list in the + // DNS response. The random index will vary per query so that we prevent + // clients pinning on a single address for a configured domain + repeated string address = 1 [(validate.rules).repeated = { + min_items: 1 + items {string {min_len: 3}} + }]; + } + + // This message type is extensible and can contain a list of addresses + // or dictate some other method for resolving the addresses for an + // endpoint + message DnsEndpoint { + option (udpa.annotations.versioning).previous_message_type = + "envoy.data.dns.v3.DnsTable.DnsEndpoint"; + + oneof endpoint_config { + option (validate.required) = true; + + AddressList address_list = 1; + } + } + + message DnsVirtualDomain { + option (udpa.annotations.versioning).previous_message_type = + "envoy.data.dns.v3.DnsTable.DnsVirtualDomain"; + + // The domain name for which Envoy will respond to query requests + string name = 1 [(validate.rules).string = {min_len: 2 well_known_regex: HTTP_HEADER_NAME}]; + + // The configuration containing the method to determine the address + // of this endpoint + DnsEndpoint endpoint = 2; + + // Sets the TTL in dns answers from Envoy returned to the client + google.protobuf.Duration answer_ttl = 3 [(validate.rules).duration = {gt {}}]; + } + + // Control how many times envoy makes an attempt to forward a query to + // an external server + uint32 external_retry_count = 1; + + // Fully qualified domain names for which Envoy will respond to queries + repeated DnsVirtualDomain virtual_domains = 2 [(validate.rules).repeated = {min_items: 1}]; + + // This field serves to help Envoy determine whether it can authoritatively + // answer a query for a name matching a suffix in this list. If the query + // name does not match a suffix in this list, Envoy will forward + // the query to an upstream DNS server + repeated type.matcher.v4alpha.StringMatcher known_suffixes = 3; +} diff --git a/api/envoy/extensions/common/tap/v4alpha/BUILD b/api/envoy/extensions/common/tap/v4alpha/BUILD index d1fe49142a8e..a6fffecd9621 100644 --- a/api/envoy/extensions/common/tap/v4alpha/BUILD +++ b/api/envoy/extensions/common/tap/v4alpha/BUILD @@ -7,7 +7,7 @@ licenses(["notice"]) # Apache 2 api_proto_package( deps = [ "//envoy/config/core/v4alpha:pkg", - "//envoy/config/tap/v3:pkg", + "//envoy/config/tap/v4alpha:pkg", "//envoy/extensions/common/tap/v3:pkg", "@com_github_cncf_udpa//udpa/annotations:pkg", ], diff --git a/api/envoy/extensions/common/tap/v4alpha/common.proto b/api/envoy/extensions/common/tap/v4alpha/common.proto index 63de14a3d6f6..f37889b90212 100644 --- a/api/envoy/extensions/common/tap/v4alpha/common.proto +++ b/api/envoy/extensions/common/tap/v4alpha/common.proto @@ -3,7 +3,7 @@ syntax = "proto3"; package envoy.extensions.common.tap.v4alpha; import "envoy/config/core/v4alpha/config_source.proto"; -import "envoy/config/tap/v3/common.proto"; +import "envoy/config/tap/v4alpha/common.proto"; import "udpa/annotations/status.proto"; import "udpa/annotations/versioning.proto"; @@ -42,7 +42,7 @@ message CommonExtensionConfig { // If specified, the tap filter will be configured via a static configuration that cannot be // changed. - config.tap.v3.TapConfig static_config = 2; + config.tap.v4alpha.TapConfig static_config = 2; // [#not-implemented-hide:] Configuration to use for TapDS updates for the filter. TapDSConfig tapds_config = 3; diff --git a/api/envoy/extensions/filters/http/cache/v4alpha/BUILD b/api/envoy/extensions/filters/http/cache/v4alpha/BUILD new file mode 100644 index 000000000000..63033acab5cf --- /dev/null +++ b/api/envoy/extensions/filters/http/cache/v4alpha/BUILD @@ -0,0 +1,14 @@ +# DO NOT EDIT. This file is generated by tools/proto_sync.py. + +load("@envoy_api//bazel:api_build_system.bzl", "api_proto_package") + +licenses(["notice"]) # Apache 2 + +api_proto_package( + deps = [ + "//envoy/config/route/v4alpha:pkg", + "//envoy/extensions/filters/http/cache/v3alpha:pkg", + "//envoy/type/matcher/v4alpha:pkg", + "@com_github_cncf_udpa//udpa/annotations:pkg", + ], +) diff --git a/api/envoy/extensions/filters/http/cache/v4alpha/cache.proto b/api/envoy/extensions/filters/http/cache/v4alpha/cache.proto new file mode 100644 index 000000000000..7cb48d4d6c26 --- /dev/null +++ b/api/envoy/extensions/filters/http/cache/v4alpha/cache.proto @@ -0,0 +1,84 @@ +syntax = "proto3"; + +package envoy.extensions.filters.http.cache.v4alpha; + +import "envoy/config/route/v4alpha/route_components.proto"; +import "envoy/type/matcher/v4alpha/string.proto"; + +import "google/protobuf/any.proto"; + +import "udpa/annotations/status.proto"; +import "udpa/annotations/versioning.proto"; +import "validate/validate.proto"; + +option java_package = "io.envoyproxy.envoy.extensions.filters.http.cache.v4alpha"; +option java_outer_classname = "CacheProto"; +option java_multiple_files = true; +option (udpa.annotations.file_status).work_in_progress = true; +option (udpa.annotations.file_status).package_version_status = NEXT_MAJOR_VERSION_CANDIDATE; + +// [#protodoc-title: HTTP Cache Filter] +// [#extension: envoy.filters.http.cache] + +message CacheConfig { + option (udpa.annotations.versioning).previous_message_type = + "envoy.extensions.filters.http.cache.v3alpha.CacheConfig"; + + // [#not-implemented-hide:] + // Modifies cache key creation by restricting which parts of the URL are included. + message KeyCreatorParams { + option (udpa.annotations.versioning).previous_message_type = + "envoy.extensions.filters.http.cache.v3alpha.CacheConfig.KeyCreatorParams"; + + // If true, exclude the URL scheme from the cache key. Set to true if your origins always + // produce the same response for http and https requests. + bool exclude_scheme = 1; + + // If true, exclude the host from the cache key. Set to true if your origins' responses don't + // ever depend on host. + bool exclude_host = 2; + + // If *query_parameters_included* is nonempty, only query parameters matched + // by one or more of its matchers are included in the cache key. Any other + // query params will not affect cache lookup. + repeated config.route.v4alpha.QueryParameterMatcher query_parameters_included = 3; + + // If *query_parameters_excluded* is nonempty, query parameters matched by one + // or more of its matchers are excluded from the cache key (even if also + // matched by *query_parameters_included*), and will not affect cache lookup. + repeated config.route.v4alpha.QueryParameterMatcher query_parameters_excluded = 4; + } + + // Config specific to the cache storage implementation. + google.protobuf.Any typed_config = 1 [(validate.rules).any = {required: true}]; + + // [#not-implemented-hide:] + // + // + // List of allowed *Vary* headers. + // + // The *vary* response header holds a list of header names that affect the + // contents of a response, as described by + // https://httpwg.org/specs/rfc7234.html#caching.negotiated.responses. + // + // During insertion, *allowed_vary_headers* acts as a whitelist: if a + // response's *vary* header mentions any header names that aren't in + // *allowed_vary_headers*, that response will not be cached. + // + // During lookup, *allowed_vary_headers* controls what request headers will be + // sent to the cache storage implementation. + repeated type.matcher.v4alpha.StringMatcher allowed_vary_headers = 2; + + // [#not-implemented-hide:] + // + // + // Modifies cache key creation by restricting which parts of the URL are included. + KeyCreatorParams key_creator_params = 3; + + // [#not-implemented-hide:] + // + // + // Max body size the cache filter will insert into a cache. 0 means unlimited (though the cache + // storage implementation may have its own limit beyond which it will reject insertions). + uint32 max_body_bytes = 4; +} diff --git a/api/envoy/extensions/filters/http/csrf/v4alpha/BUILD b/api/envoy/extensions/filters/http/csrf/v4alpha/BUILD new file mode 100644 index 000000000000..72211218ff52 --- /dev/null +++ b/api/envoy/extensions/filters/http/csrf/v4alpha/BUILD @@ -0,0 +1,14 @@ +# DO NOT EDIT. This file is generated by tools/proto_sync.py. + +load("@envoy_api//bazel:api_build_system.bzl", "api_proto_package") + +licenses(["notice"]) # Apache 2 + +api_proto_package( + deps = [ + "//envoy/config/core/v4alpha:pkg", + "//envoy/extensions/filters/http/csrf/v3:pkg", + "//envoy/type/matcher/v4alpha:pkg", + "@com_github_cncf_udpa//udpa/annotations:pkg", + ], +) diff --git a/api/envoy/extensions/filters/http/csrf/v4alpha/csrf.proto b/api/envoy/extensions/filters/http/csrf/v4alpha/csrf.proto new file mode 100644 index 000000000000..dda915a059af --- /dev/null +++ b/api/envoy/extensions/filters/http/csrf/v4alpha/csrf.proto @@ -0,0 +1,54 @@ +syntax = "proto3"; + +package envoy.extensions.filters.http.csrf.v4alpha; + +import "envoy/config/core/v4alpha/base.proto"; +import "envoy/type/matcher/v4alpha/string.proto"; + +import "udpa/annotations/status.proto"; +import "udpa/annotations/versioning.proto"; +import "validate/validate.proto"; + +option java_package = "io.envoyproxy.envoy.extensions.filters.http.csrf.v4alpha"; +option java_outer_classname = "CsrfProto"; +option java_multiple_files = true; +option (udpa.annotations.file_status).package_version_status = NEXT_MAJOR_VERSION_CANDIDATE; + +// [#protodoc-title: CSRF] +// Cross-Site Request Forgery :ref:`configuration overview `. +// [#extension: envoy.filters.http.csrf] + +// CSRF filter config. +message CsrfPolicy { + option (udpa.annotations.versioning).previous_message_type = + "envoy.extensions.filters.http.csrf.v3.CsrfPolicy"; + + // Specifies the % of requests for which the CSRF filter is enabled. + // + // If :ref:`runtime_key ` is specified, + // Envoy will lookup the runtime key to get the percentage of requests to filter. + // + // .. note:: + // + // This field defaults to 100/:ref:`HUNDRED + // `. + config.core.v4alpha.RuntimeFractionalPercent filter_enabled = 1 + [(validate.rules).message = {required: true}]; + + // Specifies that CSRF policies will be evaluated and tracked, but not enforced. + // + // This is intended to be used when ``filter_enabled`` is off and will be ignored otherwise. + // + // If :ref:`runtime_key ` is specified, + // Envoy will lookup the runtime key to get the percentage of requests for which it will evaluate + // and track the request's *Origin* and *Destination* to determine if it's valid, but will not + // enforce any policies. + config.core.v4alpha.RuntimeFractionalPercent shadow_enabled = 2; + + // Specifies additional source origins that will be allowed in addition to + // the destination origin. + // + // More information on how this can be configured via runtime can be found + // :ref:`here `. + repeated type.matcher.v4alpha.StringMatcher additional_origins = 3; +} diff --git a/api/envoy/extensions/filters/http/ext_authz/v4alpha/BUILD b/api/envoy/extensions/filters/http/ext_authz/v4alpha/BUILD new file mode 100644 index 000000000000..9a3d8a574a9b --- /dev/null +++ b/api/envoy/extensions/filters/http/ext_authz/v4alpha/BUILD @@ -0,0 +1,16 @@ +# DO NOT EDIT. This file is generated by tools/proto_sync.py. + +load("@envoy_api//bazel:api_build_system.bzl", "api_proto_package") + +licenses(["notice"]) # Apache 2 + +api_proto_package( + deps = [ + "//envoy/annotations:pkg", + "//envoy/config/core/v4alpha:pkg", + "//envoy/extensions/filters/http/ext_authz/v3:pkg", + "//envoy/type/matcher/v4alpha:pkg", + "//envoy/type/v3:pkg", + "@com_github_cncf_udpa//udpa/annotations:pkg", + ], +) diff --git a/api/envoy/extensions/filters/http/ext_authz/v4alpha/ext_authz.proto b/api/envoy/extensions/filters/http/ext_authz/v4alpha/ext_authz.proto new file mode 100644 index 000000000000..b39a2d56d00d --- /dev/null +++ b/api/envoy/extensions/filters/http/ext_authz/v4alpha/ext_authz.proto @@ -0,0 +1,245 @@ +syntax = "proto3"; + +package envoy.extensions.filters.http.ext_authz.v4alpha; + +import "envoy/config/core/v4alpha/base.proto"; +import "envoy/config/core/v4alpha/grpc_service.proto"; +import "envoy/config/core/v4alpha/http_uri.proto"; +import "envoy/type/matcher/v4alpha/string.proto"; +import "envoy/type/v3/http_status.proto"; + +import "envoy/annotations/deprecation.proto"; +import "udpa/annotations/status.proto"; +import "udpa/annotations/versioning.proto"; +import "validate/validate.proto"; + +option java_package = "io.envoyproxy.envoy.extensions.filters.http.ext_authz.v4alpha"; +option java_outer_classname = "ExtAuthzProto"; +option java_multiple_files = true; +option (udpa.annotations.file_status).package_version_status = NEXT_MAJOR_VERSION_CANDIDATE; + +// [#protodoc-title: External Authorization] +// External Authorization :ref:`configuration overview `. +// [#extension: envoy.filters.http.ext_authz] + +// [#next-free-field: 11] +message ExtAuthz { + option (udpa.annotations.versioning).previous_message_type = + "envoy.extensions.filters.http.ext_authz.v3.ExtAuthz"; + + reserved 4; + + reserved "use_alpha"; + + // External authorization service configuration. + oneof services { + // gRPC service configuration (default timeout: 200ms). + config.core.v4alpha.GrpcService grpc_service = 1; + + // HTTP service configuration (default timeout: 200ms). + HttpService http_service = 3; + } + + // Changes filter's behaviour on errors: + // + // 1. When set to true, the filter will *accept* client request even if the communication with + // the authorization service has failed, or if the authorization service has returned a HTTP 5xx + // error. + // + // 2. When set to false, ext-authz will *reject* client requests and return a *Forbidden* + // response if the communication with the authorization service has failed, or if the + // authorization service has returned a HTTP 5xx error. + // + // Note that errors can be *always* tracked in the :ref:`stats + // `. + bool failure_mode_allow = 2; + + // Enables filter to buffer the client request body and send it within the authorization request. + // A ``x-envoy-auth-partial-body: false|true`` metadata header will be added to the authorization + // request message indicating if the body data is partial. + BufferSettings with_request_body = 5; + + // Clears route cache in order to allow the external authorization service to correctly affect + // routing decisions. Filter clears all cached routes when: + // + // 1. The field is set to *true*. + // + // 2. The status returned from the authorization service is a HTTP 200 or gRPC 0. + // + // 3. At least one *authorization response header* is added to the client request, or is used for + // altering another client request header. + // + bool clear_route_cache = 6; + + // Sets the HTTP status that is returned to the client when there is a network error between the + // filter and the authorization server. The default status is HTTP 403 Forbidden. + type.v3.HttpStatus status_on_error = 7; + + // Specifies a list of metadata namespaces whose values, if present, will be passed to the + // ext_authz service as an opaque *protobuf::Struct*. + // + // For example, if the *jwt_authn* filter is used and :ref:`payload_in_metadata + // ` is set, + // then the following will pass the jwt payload to the authorization server. + // + // .. code-block:: yaml + // + // metadata_context_namespaces: + // - envoy.filters.http.jwt_authn + // + repeated string metadata_context_namespaces = 8; + + // Specifies if the filter is enabled. + // + // If :ref:`runtime_key ` is specified, + // Envoy will lookup the runtime key to get the percentage of requests to filter. + // + // If this field is not specified, the filter will be enabled for all requests. + config.core.v4alpha.RuntimeFractionalPercent filter_enabled = 9; + + // Specifies if the peer certificate is sent to the external service. + // + // When this field is true, Envoy will include the peer X.509 certificate, if available, in the + // :ref:`certificate`. + bool include_peer_certificate = 10; +} + +// Configuration for buffering the request data. +message BufferSettings { + option (udpa.annotations.versioning).previous_message_type = + "envoy.extensions.filters.http.ext_authz.v3.BufferSettings"; + + // Sets the maximum size of a message body that the filter will hold in memory. Envoy will return + // *HTTP 413* and will *not* initiate the authorization process when buffer reaches the number + // set in this field. Note that this setting will have precedence over :ref:`failure_mode_allow + // `. + uint32 max_request_bytes = 1 [(validate.rules).uint32 = {gt: 0}]; + + // When this field is true, Envoy will buffer the message until *max_request_bytes* is reached. + // The authorization request will be dispatched and no 413 HTTP error will be returned by the + // filter. + bool allow_partial_message = 2; +} + +// HttpService is used for raw HTTP communication between the filter and the authorization service. +// When configured, the filter will parse the client request and use these attributes to call the +// authorization server. Depending on the response, the filter may reject or accept the client +// request. Note that in any of these events, metadata can be added, removed or overridden by the +// filter: +// +// *On authorization request*, a list of allowed request headers may be supplied. See +// :ref:`allowed_headers +// ` +// for details. Additional headers metadata may be added to the authorization request. See +// :ref:`headers_to_add +// ` for +// details. +// +// On authorization response status HTTP 200 OK, the filter will allow traffic to the upstream and +// additional headers metadata may be added to the original client request. See +// :ref:`allowed_upstream_headers +// ` +// for details. +// +// On other authorization response statuses, the filter will not allow traffic. Additional headers +// metadata as well as body may be added to the client's response. See :ref:`allowed_client_headers +// ` +// for details. +// [#next-free-field: 9] +message HttpService { + option (udpa.annotations.versioning).previous_message_type = + "envoy.extensions.filters.http.ext_authz.v3.HttpService"; + + reserved 3, 4, 5, 6; + + // Sets the HTTP server URI which the authorization requests must be sent to. + config.core.v4alpha.HttpUri server_uri = 1; + + // Sets a prefix to the value of authorization request header *Path*. + string path_prefix = 2; + + // Settings used for controlling authorization request metadata. + AuthorizationRequest authorization_request = 7; + + // Settings used for controlling authorization response metadata. + AuthorizationResponse authorization_response = 8; +} + +message AuthorizationRequest { + option (udpa.annotations.versioning).previous_message_type = + "envoy.extensions.filters.http.ext_authz.v3.AuthorizationRequest"; + + // Authorization request will include the client request headers that have a correspondent match + // in the :ref:`list `. Note that in addition to the + // user's supplied matchers: + // + // 1. *Host*, *Method*, *Path* and *Content-Length* are automatically included to the list. + // + // 2. *Content-Length* will be set to 0 and the request to the authorization service will not have + // a message body. However, the authorization request can include the buffered client request body + // (controlled by :ref:`with_request_body + // ` setting), + // consequently the value of *Content-Length* of the authorization request reflects the size of + // its payload size. + // + type.matcher.v4alpha.ListStringMatcher allowed_headers = 1; + + // Sets a list of headers that will be included to the request to authorization service. Note that + // client request of the same key will be overridden. + repeated config.core.v4alpha.HeaderValue headers_to_add = 2; +} + +message AuthorizationResponse { + option (udpa.annotations.versioning).previous_message_type = + "envoy.extensions.filters.http.ext_authz.v3.AuthorizationResponse"; + + // When this :ref:`list ` is set, authorization + // response headers that have a correspondent match will be added to the original client request. + // Note that coexistent headers will be overridden. + type.matcher.v4alpha.ListStringMatcher allowed_upstream_headers = 1; + + // When this :ref:`list `. is set, authorization + // response headers that have a correspondent match will be added to the client's response. Note + // that when this list is *not* set, all the authorization response headers, except *Authority + // (Host)* will be in the response to the client. When a header is included in this list, *Path*, + // *Status*, *Content-Length*, *WWWAuthenticate* and *Location* are automatically added. + type.matcher.v4alpha.ListStringMatcher allowed_client_headers = 2; +} + +// Extra settings on a per virtualhost/route/weighted-cluster level. +message ExtAuthzPerRoute { + option (udpa.annotations.versioning).previous_message_type = + "envoy.extensions.filters.http.ext_authz.v3.ExtAuthzPerRoute"; + + oneof override { + option (validate.required) = true; + + // Disable the ext auth filter for this particular vhost or route. + // If disabled is specified in multiple per-filter-configs, the most specific one will be used. + bool disabled = 1 [(validate.rules).bool = {const: true}]; + + // Check request settings for this route. + CheckSettings check_settings = 2 [(validate.rules).message = {required: true}]; + } +} + +// Extra settings for the check request. You can use this to provide extra context for the +// external authorization server on specific virtual hosts \ routes. For example, adding a context +// extension on the virtual host level can give the ext-authz server information on what virtual +// host is used without needing to parse the host header. If CheckSettings is specified in multiple +// per-filter-configs, they will be merged in order, and the result will be used. +message CheckSettings { + option (udpa.annotations.versioning).previous_message_type = + "envoy.extensions.filters.http.ext_authz.v3.CheckSettings"; + + // Context extensions to set on the CheckRequest's + // :ref:`AttributeContext.context_extensions` + // + // Merge semantics for this field are such that keys from more specific configs override. + // + // .. note:: + // + // These settings are only applied to a filter configured with a + // :ref:`grpc_service`. + map context_extensions = 1; +} diff --git a/api/envoy/extensions/filters/http/fault/v4alpha/BUILD b/api/envoy/extensions/filters/http/fault/v4alpha/BUILD new file mode 100644 index 000000000000..936ee4414038 --- /dev/null +++ b/api/envoy/extensions/filters/http/fault/v4alpha/BUILD @@ -0,0 +1,15 @@ +# DO NOT EDIT. This file is generated by tools/proto_sync.py. + +load("@envoy_api//bazel:api_build_system.bzl", "api_proto_package") + +licenses(["notice"]) # Apache 2 + +api_proto_package( + deps = [ + "//envoy/config/route/v4alpha:pkg", + "//envoy/extensions/filters/common/fault/v3:pkg", + "//envoy/extensions/filters/http/fault/v3:pkg", + "//envoy/type/v3:pkg", + "@com_github_cncf_udpa//udpa/annotations:pkg", + ], +) diff --git a/api/envoy/extensions/filters/http/fault/v4alpha/fault.proto b/api/envoy/extensions/filters/http/fault/v4alpha/fault.proto new file mode 100644 index 000000000000..7dd4f48aa476 --- /dev/null +++ b/api/envoy/extensions/filters/http/fault/v4alpha/fault.proto @@ -0,0 +1,144 @@ +syntax = "proto3"; + +package envoy.extensions.filters.http.fault.v4alpha; + +import "envoy/config/route/v4alpha/route_components.proto"; +import "envoy/extensions/filters/common/fault/v3/fault.proto"; +import "envoy/type/v3/percent.proto"; + +import "google/protobuf/wrappers.proto"; + +import "udpa/annotations/status.proto"; +import "udpa/annotations/versioning.proto"; +import "validate/validate.proto"; + +option java_package = "io.envoyproxy.envoy.extensions.filters.http.fault.v4alpha"; +option java_outer_classname = "FaultProto"; +option java_multiple_files = true; +option (udpa.annotations.file_status).package_version_status = NEXT_MAJOR_VERSION_CANDIDATE; + +// [#protodoc-title: Fault Injection] +// Fault Injection :ref:`configuration overview `. +// [#extension: envoy.filters.http.fault] + +// [#next-free-field: 6] +message FaultAbort { + option (udpa.annotations.versioning).previous_message_type = + "envoy.extensions.filters.http.fault.v3.FaultAbort"; + + // Fault aborts are controlled via an HTTP header (if applicable). See the + // :ref:`HTTP fault filter ` documentation for + // more information. + message HeaderAbort { + option (udpa.annotations.versioning).previous_message_type = + "envoy.extensions.filters.http.fault.v3.FaultAbort.HeaderAbort"; + } + + reserved 1; + + oneof error_type { + option (validate.required) = true; + + // HTTP status code to use to abort the HTTP request. + uint32 http_status = 2 [(validate.rules).uint32 = {lt: 600 gte: 200}]; + + // gRPC status code to use to abort the gRPC request. + uint32 grpc_status = 5; + + // Fault aborts are controlled via an HTTP header (if applicable). + HeaderAbort header_abort = 4; + } + + // The percentage of requests/operations/connections that will be aborted with the error code + // provided. + type.v3.FractionalPercent percentage = 3; +} + +// [#next-free-field: 15] +message HTTPFault { + option (udpa.annotations.versioning).previous_message_type = + "envoy.extensions.filters.http.fault.v3.HTTPFault"; + + // If specified, the filter will inject delays based on the values in the + // object. + common.fault.v3.FaultDelay delay = 1; + + // If specified, the filter will abort requests based on the values in + // the object. At least *abort* or *delay* must be specified. + FaultAbort abort = 2; + + // Specifies the name of the (destination) upstream cluster that the + // filter should match on. Fault injection will be restricted to requests + // bound to the specific upstream cluster. + string upstream_cluster = 3; + + // Specifies a set of headers that the filter should match on. The fault + // injection filter can be applied selectively to requests that match a set of + // headers specified in the fault filter config. The chances of actual fault + // injection further depend on the value of the :ref:`percentage + // ` field. + // The filter will check the request's headers against all the specified + // headers in the filter config. A match will happen if all the headers in the + // config are present in the request with the same values (or based on + // presence if the *value* field is not in the config). + repeated config.route.v4alpha.HeaderMatcher headers = 4; + + // Faults are injected for the specified list of downstream hosts. If this + // setting is not set, faults are injected for all downstream nodes. + // Downstream node name is taken from :ref:`the HTTP + // x-envoy-downstream-service-node + // ` header and compared + // against downstream_nodes list. + repeated string downstream_nodes = 5; + + // The maximum number of faults that can be active at a single time via the configured fault + // filter. Note that because this setting can be overridden at the route level, it's possible + // for the number of active faults to be greater than this value (if injected via a different + // route). If not specified, defaults to unlimited. This setting can be overridden via + // `runtime ` and any faults that are not injected + // due to overflow will be indicated via the `faults_overflow + // ` stat. + // + // .. attention:: + // Like other :ref:`circuit breakers ` in Envoy, this is a fuzzy + // limit. It's possible for the number of active faults to rise slightly above the configured + // amount due to the implementation details. + google.protobuf.UInt32Value max_active_faults = 6; + + // The response rate limit to be applied to the response body of the stream. When configured, + // the percentage can be overridden by the :ref:`fault.http.rate_limit.response_percent + // ` runtime key. + // + // .. attention:: + // This is a per-stream limit versus a connection level limit. This means that concurrent streams + // will each get an independent limit. + common.fault.v3.FaultRateLimit response_rate_limit = 7; + + // The runtime key to override the :ref:`default ` + // runtime. The default is: fault.http.delay.fixed_delay_percent + string delay_percent_runtime = 8; + + // The runtime key to override the :ref:`default ` + // runtime. The default is: fault.http.abort.abort_percent + string abort_percent_runtime = 9; + + // The runtime key to override the :ref:`default ` + // runtime. The default is: fault.http.delay.fixed_duration_ms + string delay_duration_runtime = 10; + + // The runtime key to override the :ref:`default ` + // runtime. The default is: fault.http.abort.http_status + string abort_http_status_runtime = 11; + + // The runtime key to override the :ref:`default ` + // runtime. The default is: fault.http.max_active_faults + string max_active_faults_runtime = 12; + + // The runtime key to override the :ref:`default ` + // runtime. The default is: fault.http.rate_limit.response_percent + string response_rate_limit_percent_runtime = 13; + + // The runtime key to override the :ref:`default ` + // runtime. The default is: fault.http.abort.grpc_status + string abort_grpc_status_runtime = 14; +} diff --git a/api/envoy/extensions/filters/http/health_check/v4alpha/BUILD b/api/envoy/extensions/filters/http/health_check/v4alpha/BUILD new file mode 100644 index 000000000000..97b6ad2feb2d --- /dev/null +++ b/api/envoy/extensions/filters/http/health_check/v4alpha/BUILD @@ -0,0 +1,14 @@ +# DO NOT EDIT. This file is generated by tools/proto_sync.py. + +load("@envoy_api//bazel:api_build_system.bzl", "api_proto_package") + +licenses(["notice"]) # Apache 2 + +api_proto_package( + deps = [ + "//envoy/config/route/v4alpha:pkg", + "//envoy/extensions/filters/http/health_check/v3:pkg", + "//envoy/type/v3:pkg", + "@com_github_cncf_udpa//udpa/annotations:pkg", + ], +) diff --git a/api/envoy/extensions/filters/http/health_check/v4alpha/health_check.proto b/api/envoy/extensions/filters/http/health_check/v4alpha/health_check.proto new file mode 100644 index 000000000000..f530363e2380 --- /dev/null +++ b/api/envoy/extensions/filters/http/health_check/v4alpha/health_check.proto @@ -0,0 +1,47 @@ +syntax = "proto3"; + +package envoy.extensions.filters.http.health_check.v4alpha; + +import "envoy/config/route/v4alpha/route_components.proto"; +import "envoy/type/v3/percent.proto"; + +import "google/protobuf/duration.proto"; +import "google/protobuf/wrappers.proto"; + +import "udpa/annotations/status.proto"; +import "udpa/annotations/versioning.proto"; +import "validate/validate.proto"; + +option java_package = "io.envoyproxy.envoy.extensions.filters.http.health_check.v4alpha"; +option java_outer_classname = "HealthCheckProto"; +option java_multiple_files = true; +option (udpa.annotations.file_status).package_version_status = NEXT_MAJOR_VERSION_CANDIDATE; + +// [#protodoc-title: Health check] +// Health check :ref:`configuration overview `. +// [#extension: envoy.filters.http.health_check] + +// [#next-free-field: 6] +message HealthCheck { + option (udpa.annotations.versioning).previous_message_type = + "envoy.extensions.filters.http.health_check.v3.HealthCheck"; + + reserved 2; + + // Specifies whether the filter operates in pass through mode or not. + google.protobuf.BoolValue pass_through_mode = 1 [(validate.rules).message = {required: true}]; + + // If operating in pass through mode, the amount of time in milliseconds + // that the filter should cache the upstream response. + google.protobuf.Duration cache_time = 3; + + // If operating in non-pass-through mode, specifies a set of upstream cluster + // names and the minimum percentage of servers in each of those clusters that + // must be healthy or degraded in order for the filter to return a 200. + map cluster_min_healthy_percentages = 4; + + // Specifies a set of health check request headers to match on. The health check filter will + // check a request’s headers against all the specified headers. To specify the health check + // endpoint, set the ``:path`` header to match on. + repeated config.route.v4alpha.HeaderMatcher headers = 5; +} diff --git a/api/envoy/extensions/filters/http/jwt_authn/v4alpha/BUILD b/api/envoy/extensions/filters/http/jwt_authn/v4alpha/BUILD new file mode 100644 index 000000000000..a9f9b8bc44c3 --- /dev/null +++ b/api/envoy/extensions/filters/http/jwt_authn/v4alpha/BUILD @@ -0,0 +1,14 @@ +# DO NOT EDIT. This file is generated by tools/proto_sync.py. + +load("@envoy_api//bazel:api_build_system.bzl", "api_proto_package") + +licenses(["notice"]) # Apache 2 + +api_proto_package( + deps = [ + "//envoy/config/core/v4alpha:pkg", + "//envoy/config/route/v4alpha:pkg", + "//envoy/extensions/filters/http/jwt_authn/v3:pkg", + "@com_github_cncf_udpa//udpa/annotations:pkg", + ], +) diff --git a/api/envoy/extensions/filters/http/jwt_authn/v4alpha/config.proto b/api/envoy/extensions/filters/http/jwt_authn/v4alpha/config.proto new file mode 100644 index 000000000000..302cf7253dde --- /dev/null +++ b/api/envoy/extensions/filters/http/jwt_authn/v4alpha/config.proto @@ -0,0 +1,531 @@ +syntax = "proto3"; + +package envoy.extensions.filters.http.jwt_authn.v4alpha; + +import "envoy/config/core/v4alpha/base.proto"; +import "envoy/config/core/v4alpha/http_uri.proto"; +import "envoy/config/route/v4alpha/route_components.proto"; + +import "google/protobuf/duration.proto"; +import "google/protobuf/empty.proto"; + +import "udpa/annotations/status.proto"; +import "udpa/annotations/versioning.proto"; +import "validate/validate.proto"; + +option java_package = "io.envoyproxy.envoy.extensions.filters.http.jwt_authn.v4alpha"; +option java_outer_classname = "ConfigProto"; +option java_multiple_files = true; +option (udpa.annotations.file_status).package_version_status = NEXT_MAJOR_VERSION_CANDIDATE; + +// [#protodoc-title: JWT Authentication] +// JWT Authentication :ref:`configuration overview `. +// [#extension: envoy.filters.http.jwt_authn] + +// Please see following for JWT authentication flow: +// +// * `JSON Web Token (JWT) `_ +// * `The OAuth 2.0 Authorization Framework `_ +// * `OpenID Connect `_ +// +// A JwtProvider message specifies how a JSON Web Token (JWT) can be verified. It specifies: +// +// * issuer: the principal that issues the JWT. It has to match the one from the token. +// * allowed audiences: the ones in the token have to be listed here. +// * how to fetch public key JWKS to verify the token signature. +// * how to extract JWT token in the request. +// * how to pass successfully verified token payload. +// +// Example: +// +// .. code-block:: yaml +// +// issuer: https://example.com +// audiences: +// - bookstore_android.apps.googleusercontent.com +// - bookstore_web.apps.googleusercontent.com +// remote_jwks: +// http_uri: +// uri: https://example.com/.well-known/jwks.json +// cluster: example_jwks_cluster +// cache_duration: +// seconds: 300 +// +// [#next-free-field: 10] +message JwtProvider { + option (udpa.annotations.versioning).previous_message_type = + "envoy.extensions.filters.http.jwt_authn.v3.JwtProvider"; + + // Specify the `principal `_ that issued + // the JWT, usually a URL or an email address. + // + // Example: https://securetoken.google.com + // Example: 1234567-compute@developer.gserviceaccount.com + // + string issuer = 1 [(validate.rules).string = {min_bytes: 1}]; + + // The list of JWT `audiences `_ are + // allowed to access. A JWT containing any of these audiences will be accepted. If not specified, + // will not check audiences in the token. + // + // Example: + // + // .. code-block:: yaml + // + // audiences: + // - bookstore_android.apps.googleusercontent.com + // - bookstore_web.apps.googleusercontent.com + // + repeated string audiences = 2; + + // `JSON Web Key Set (JWKS) `_ is needed to + // validate signature of a JWT. This field specifies where to fetch JWKS. + oneof jwks_source_specifier { + option (validate.required) = true; + + // JWKS can be fetched from remote server via HTTP/HTTPS. This field specifies the remote HTTP + // URI and how the fetched JWKS should be cached. + // + // Example: + // + // .. code-block:: yaml + // + // remote_jwks: + // http_uri: + // uri: https://www.googleapis.com/oauth2/v1/certs + // cluster: jwt.www.googleapis.com|443 + // cache_duration: + // seconds: 300 + // + RemoteJwks remote_jwks = 3; + + // JWKS is in local data source. It could be either in a local file or embedded in the + // inline_string. + // + // Example: local file + // + // .. code-block:: yaml + // + // local_jwks: + // filename: /etc/envoy/jwks/jwks1.txt + // + // Example: inline_string + // + // .. code-block:: yaml + // + // local_jwks: + // inline_string: ACADADADADA + // + config.core.v4alpha.DataSource local_jwks = 4; + } + + // If false, the JWT is removed in the request after a success verification. If true, the JWT is + // not removed in the request. Default value is false. + bool forward = 5; + + // Two fields below define where to extract the JWT from an HTTP request. + // + // If no explicit location is specified, the following default locations are tried in order: + // + // 1. The Authorization header using the `Bearer schema + // `_. Example:: + // + // Authorization: Bearer . + // + // 2. `access_token `_ query parameter. + // + // Multiple JWTs can be verified for a request. Each JWT has to be extracted from the locations + // its provider specified or from the default locations. + // + // Specify the HTTP headers to extract JWT token. For examples, following config: + // + // .. code-block:: yaml + // + // from_headers: + // - name: x-goog-iap-jwt-assertion + // + // can be used to extract token from header:: + // + // ``x-goog-iap-jwt-assertion: ``. + // + repeated JwtHeader from_headers = 6; + + // JWT is sent in a query parameter. `jwt_params` represents the query parameter names. + // + // For example, if config is: + // + // .. code-block:: yaml + // + // from_params: + // - jwt_token + // + // The JWT format in query parameter is:: + // + // /path?jwt_token= + // + repeated string from_params = 7; + + // This field specifies the header name to forward a successfully verified JWT payload to the + // backend. The forwarded data is:: + // + // base64url_encoded(jwt_payload_in_JSON) + // + // If it is not specified, the payload will not be forwarded. + string forward_payload_header = 8 + [(validate.rules).string = {well_known_regex: HTTP_HEADER_NAME strict: false}]; + + // If non empty, successfully verified JWT payloads will be written to StreamInfo DynamicMetadata + // in the format as: *namespace* is the jwt_authn filter name as **envoy.filters.http.jwt_authn** + // The value is the *protobuf::Struct*. The value of this field will be the key for its *fields* + // and the value is the *protobuf::Struct* converted from JWT JSON payload. + // + // For example, if payload_in_metadata is *my_payload*: + // + // .. code-block:: yaml + // + // envoy.filters.http.jwt_authn: + // my_payload: + // iss: https://example.com + // sub: test@example.com + // aud: https://example.com + // exp: 1501281058 + // + string payload_in_metadata = 9; +} + +// This message specifies how to fetch JWKS from remote and how to cache it. +message RemoteJwks { + option (udpa.annotations.versioning).previous_message_type = + "envoy.extensions.filters.http.jwt_authn.v3.RemoteJwks"; + + // The HTTP URI to fetch the JWKS. For example: + // + // .. code-block:: yaml + // + // http_uri: + // uri: https://www.googleapis.com/oauth2/v1/certs + // cluster: jwt.www.googleapis.com|443 + // + config.core.v4alpha.HttpUri http_uri = 1; + + // Duration after which the cached JWKS should be expired. If not specified, default cache + // duration is 5 minutes. + google.protobuf.Duration cache_duration = 2; +} + +// This message specifies a header location to extract JWT token. +message JwtHeader { + option (udpa.annotations.versioning).previous_message_type = + "envoy.extensions.filters.http.jwt_authn.v3.JwtHeader"; + + // The HTTP header name. + string name = 1 + [(validate.rules).string = {min_bytes: 1 well_known_regex: HTTP_HEADER_NAME strict: false}]; + + // The value prefix. The value format is "value_prefix" + // For example, for "Authorization: Bearer ", value_prefix="Bearer " with a space at the + // end. + string value_prefix = 2 + [(validate.rules).string = {well_known_regex: HTTP_HEADER_VALUE strict: false}]; +} + +// Specify a required provider with audiences. +message ProviderWithAudiences { + option (udpa.annotations.versioning).previous_message_type = + "envoy.extensions.filters.http.jwt_authn.v3.ProviderWithAudiences"; + + // Specify a required provider name. + string provider_name = 1; + + // This field overrides the one specified in the JwtProvider. + repeated string audiences = 2; +} + +// This message specifies a Jwt requirement. An empty message means JWT verification is not +// required. Here are some config examples: +// +// .. code-block:: yaml +// +// # Example 1: not required with an empty message +// +// # Example 2: require A +// provider_name: provider-A +// +// # Example 3: require A or B +// requires_any: +// requirements: +// - provider_name: provider-A +// - provider_name: provider-B +// +// # Example 4: require A and B +// requires_all: +// requirements: +// - provider_name: provider-A +// - provider_name: provider-B +// +// # Example 5: require A and (B or C) +// requires_all: +// requirements: +// - provider_name: provider-A +// - requires_any: +// requirements: +// - provider_name: provider-B +// - provider_name: provider-C +// +// # Example 6: require A or (B and C) +// requires_any: +// requirements: +// - provider_name: provider-A +// - requires_all: +// requirements: +// - provider_name: provider-B +// - provider_name: provider-C +// +// # Example 7: A is optional (if token from A is provided, it must be valid, but also allows +// missing token.) +// requires_any: +// requirements: +// - provider_name: provider-A +// - allow_missing: {} +// +// # Example 8: A is optional and B is required. +// requires_all: +// requirements: +// - requires_any: +// requirements: +// - provider_name: provider-A +// - allow_missing: {} +// - provider_name: provider-B +// +// [#next-free-field: 7] +message JwtRequirement { + option (udpa.annotations.versioning).previous_message_type = + "envoy.extensions.filters.http.jwt_authn.v3.JwtRequirement"; + + oneof requires_type { + // Specify a required provider name. + string provider_name = 1; + + // Specify a required provider with audiences. + ProviderWithAudiences provider_and_audiences = 2; + + // Specify list of JwtRequirement. Their results are OR-ed. + // If any one of them passes, the result is passed. + JwtRequirementOrList requires_any = 3; + + // Specify list of JwtRequirement. Their results are AND-ed. + // All of them must pass, if one of them fails or missing, it fails. + JwtRequirementAndList requires_all = 4; + + // The requirement is always satisfied even if JWT is missing or the JWT + // verification fails. A typical usage is: this filter is used to only verify + // JWTs and pass the verified JWT payloads to another filter, the other filter + // will make decision. In this mode, all JWT tokens will be verified. + google.protobuf.Empty allow_missing_or_failed = 5; + + // The requirement is satisfied if JWT is missing, but failed if JWT is + // presented but invalid. Similar to allow_missing_or_failed, this is used + // to only verify JWTs and pass the verified payload to another filter. The + // different is this mode will reject requests with invalid tokens. + google.protobuf.Empty allow_missing = 6; + } +} + +// This message specifies a list of RequiredProvider. +// Their results are OR-ed; if any one of them passes, the result is passed +message JwtRequirementOrList { + option (udpa.annotations.versioning).previous_message_type = + "envoy.extensions.filters.http.jwt_authn.v3.JwtRequirementOrList"; + + // Specify a list of JwtRequirement. + repeated JwtRequirement requirements = 1 [(validate.rules).repeated = {min_items: 2}]; +} + +// This message specifies a list of RequiredProvider. +// Their results are AND-ed; all of them must pass, if one of them fails or missing, it fails. +message JwtRequirementAndList { + option (udpa.annotations.versioning).previous_message_type = + "envoy.extensions.filters.http.jwt_authn.v3.JwtRequirementAndList"; + + // Specify a list of JwtRequirement. + repeated JwtRequirement requirements = 1 [(validate.rules).repeated = {min_items: 2}]; +} + +// This message specifies a Jwt requirement for a specific Route condition. +// Example 1: +// +// .. code-block:: yaml +// +// - match: +// prefix: /healthz +// +// In above example, "requires" field is empty for /healthz prefix match, +// it means that requests matching the path prefix don't require JWT authentication. +// +// Example 2: +// +// .. code-block:: yaml +// +// - match: +// prefix: / +// requires: { provider_name: provider-A } +// +// In above example, all requests matched the path prefix require jwt authentication +// from "provider-A". +message RequirementRule { + option (udpa.annotations.versioning).previous_message_type = + "envoy.extensions.filters.http.jwt_authn.v3.RequirementRule"; + + // The route matching parameter. Only when the match is satisfied, the "requires" field will + // apply. + // + // For example: following match will match all requests. + // + // .. code-block:: yaml + // + // match: + // prefix: / + // + config.route.v4alpha.RouteMatch match = 1 [(validate.rules).message = {required: true}]; + + // Specify a Jwt Requirement. Please detail comment in message JwtRequirement. + JwtRequirement requires = 2; +} + +// This message specifies Jwt requirements based on stream_info.filterState. +// This FilterState should use `Router::StringAccessor` object to set a string value. +// Other HTTP filters can use it to specify Jwt requirements dynamically. +// +// Example: +// +// .. code-block:: yaml +// +// name: jwt_selector +// requires: +// issuer_1: +// provider_name: issuer1 +// issuer_2: +// provider_name: issuer2 +// +// If a filter set "jwt_selector" with "issuer_1" to FilterState for a request, +// jwt_authn filter will use JwtRequirement{"provider_name": "issuer1"} to verify. +message FilterStateRule { + option (udpa.annotations.versioning).previous_message_type = + "envoy.extensions.filters.http.jwt_authn.v3.FilterStateRule"; + + // The filter state name to retrieve the `Router::StringAccessor` object. + string name = 1 [(validate.rules).string = {min_bytes: 1}]; + + // A map of string keys to requirements. The string key is the string value + // in the FilterState with the name specified in the *name* field above. + map requires = 3; +} + +// This is the Envoy HTTP filter config for JWT authentication. +// +// For example: +// +// .. code-block:: yaml +// +// providers: +// provider1: +// issuer: issuer1 +// audiences: +// - audience1 +// - audience2 +// remote_jwks: +// http_uri: +// uri: https://example.com/.well-known/jwks.json +// cluster: example_jwks_cluster +// provider2: +// issuer: issuer2 +// local_jwks: +// inline_string: jwks_string +// +// rules: +// # Not jwt verification is required for /health path +// - match: +// prefix: /health +// +// # Jwt verification for provider1 is required for path prefixed with "prefix" +// - match: +// prefix: /prefix +// requires: +// provider_name: provider1 +// +// # Jwt verification for either provider1 or provider2 is required for all other requests. +// - match: +// prefix: / +// requires: +// requires_any: +// requirements: +// - provider_name: provider1 +// - provider_name: provider2 +// +message JwtAuthentication { + option (udpa.annotations.versioning).previous_message_type = + "envoy.extensions.filters.http.jwt_authn.v3.JwtAuthentication"; + + // Map of provider names to JwtProviders. + // + // .. code-block:: yaml + // + // providers: + // provider1: + // issuer: issuer1 + // audiences: + // - audience1 + // - audience2 + // remote_jwks: + // http_uri: + // uri: https://example.com/.well-known/jwks.json + // cluster: example_jwks_cluster + // provider2: + // issuer: provider2 + // local_jwks: + // inline_string: jwks_string + // + map providers = 1; + + // Specifies requirements based on the route matches. The first matched requirement will be + // applied. If there are overlapped match conditions, please put the most specific match first. + // + // Examples + // + // .. code-block:: yaml + // + // rules: + // - match: + // prefix: /healthz + // - match: + // prefix: /baz + // requires: + // provider_name: provider1 + // - match: + // prefix: /foo + // requires: + // requires_any: + // requirements: + // - provider_name: provider1 + // - provider_name: provider2 + // - match: + // prefix: /bar + // requires: + // requires_all: + // requirements: + // - provider_name: provider1 + // - provider_name: provider2 + // + repeated RequirementRule rules = 2; + + // This message specifies Jwt requirements based on stream_info.filterState. + // Other HTTP filters can use it to specify Jwt requirements dynamically. + // The *rules* field above is checked first, if it could not find any matches, + // check this one. + FilterStateRule filter_state_rules = 3; + + // When set to true, bypass the `CORS preflight request + // `_ regardless of JWT + // requirements specified in the rules. + bool bypass_cors_preflight = 4; +} diff --git a/api/envoy/extensions/filters/http/router/v4alpha/BUILD b/api/envoy/extensions/filters/http/router/v4alpha/BUILD new file mode 100644 index 000000000000..df329be54230 --- /dev/null +++ b/api/envoy/extensions/filters/http/router/v4alpha/BUILD @@ -0,0 +1,13 @@ +# DO NOT EDIT. This file is generated by tools/proto_sync.py. + +load("@envoy_api//bazel:api_build_system.bzl", "api_proto_package") + +licenses(["notice"]) # Apache 2 + +api_proto_package( + deps = [ + "//envoy/config/accesslog/v4alpha:pkg", + "//envoy/extensions/filters/http/router/v3:pkg", + "@com_github_cncf_udpa//udpa/annotations:pkg", + ], +) diff --git a/api/envoy/extensions/filters/http/router/v4alpha/router.proto b/api/envoy/extensions/filters/http/router/v4alpha/router.proto new file mode 100644 index 000000000000..d0baaab84a39 --- /dev/null +++ b/api/envoy/extensions/filters/http/router/v4alpha/router.proto @@ -0,0 +1,81 @@ +syntax = "proto3"; + +package envoy.extensions.filters.http.router.v4alpha; + +import "envoy/config/accesslog/v4alpha/accesslog.proto"; + +import "google/protobuf/wrappers.proto"; + +import "udpa/annotations/status.proto"; +import "udpa/annotations/versioning.proto"; +import "validate/validate.proto"; + +option java_package = "io.envoyproxy.envoy.extensions.filters.http.router.v4alpha"; +option java_outer_classname = "RouterProto"; +option java_multiple_files = true; +option (udpa.annotations.file_status).package_version_status = NEXT_MAJOR_VERSION_CANDIDATE; + +// [#protodoc-title: Router] +// Router :ref:`configuration overview `. +// [#extension: envoy.filters.http.router] + +// [#next-free-field: 7] +message Router { + option (udpa.annotations.versioning).previous_message_type = + "envoy.extensions.filters.http.router.v3.Router"; + + // Whether the router generates dynamic cluster statistics. Defaults to + // true. Can be disabled in high performance scenarios. + google.protobuf.BoolValue dynamic_stats = 1; + + // Whether to start a child span for egress routed calls. This can be + // useful in scenarios where other filters (auth, ratelimit, etc.) make + // outbound calls and have child spans rooted at the same ingress + // parent. Defaults to false. + bool start_child_span = 2; + + // Configuration for HTTP upstream logs emitted by the router. Upstream logs + // are configured in the same way as access logs, but each log entry represents + // an upstream request. Presuming retries are configured, multiple upstream + // requests may be made for each downstream (inbound) request. + repeated config.accesslog.v4alpha.AccessLog upstream_log = 3; + + // Do not add any additional *x-envoy-* headers to requests or responses. This + // only affects the :ref:`router filter generated *x-envoy-* headers + // `, other Envoy filters and the HTTP + // connection manager may continue to set *x-envoy-* headers. + bool suppress_envoy_headers = 4; + + // Specifies a list of HTTP headers to strictly validate. Envoy will reject a + // request and respond with HTTP status 400 if the request contains an invalid + // value for any of the headers listed in this field. Strict header checking + // is only supported for the following headers: + // + // Value must be a ','-delimited list (i.e. no spaces) of supported retry + // policy values: + // + // * :ref:`config_http_filters_router_x-envoy-retry-grpc-on` + // * :ref:`config_http_filters_router_x-envoy-retry-on` + // + // Value must be an integer: + // + // * :ref:`config_http_filters_router_x-envoy-max-retries` + // * :ref:`config_http_filters_router_x-envoy-upstream-rq-timeout-ms` + // * :ref:`config_http_filters_router_x-envoy-upstream-rq-per-try-timeout-ms` + repeated string strict_check_headers = 5 [(validate.rules).repeated = { + items { + string { + in: "x-envoy-upstream-rq-timeout-ms" + in: "x-envoy-upstream-rq-per-try-timeout-ms" + in: "x-envoy-max-retries" + in: "x-envoy-retry-grpc-on" + in: "x-envoy-retry-on" + } + } + }]; + + // If not set, ingress Envoy will ignore + // :ref:`config_http_filters_router_x-envoy-expected-rq-timeout-ms` header, populated by egress + // Envoy, when deriving timeout for upstream cluster. + bool respect_expected_rq_timeout = 6; +} diff --git a/api/envoy/extensions/filters/network/dubbo_proxy/v4alpha/BUILD b/api/envoy/extensions/filters/network/dubbo_proxy/v4alpha/BUILD new file mode 100644 index 000000000000..663eb0d52d25 --- /dev/null +++ b/api/envoy/extensions/filters/network/dubbo_proxy/v4alpha/BUILD @@ -0,0 +1,15 @@ +# DO NOT EDIT. This file is generated by tools/proto_sync.py. + +load("@envoy_api//bazel:api_build_system.bzl", "api_proto_package") + +licenses(["notice"]) # Apache 2 + +api_proto_package( + deps = [ + "//envoy/config/route/v4alpha:pkg", + "//envoy/extensions/filters/network/dubbo_proxy/v3:pkg", + "//envoy/type/matcher/v4alpha:pkg", + "//envoy/type/v3:pkg", + "@com_github_cncf_udpa//udpa/annotations:pkg", + ], +) diff --git a/api/envoy/extensions/filters/network/dubbo_proxy/v4alpha/dubbo_proxy.proto b/api/envoy/extensions/filters/network/dubbo_proxy/v4alpha/dubbo_proxy.proto new file mode 100644 index 000000000000..4894c7693fd7 --- /dev/null +++ b/api/envoy/extensions/filters/network/dubbo_proxy/v4alpha/dubbo_proxy.proto @@ -0,0 +1,70 @@ +syntax = "proto3"; + +package envoy.extensions.filters.network.dubbo_proxy.v4alpha; + +import "envoy/extensions/filters/network/dubbo_proxy/v4alpha/route.proto"; + +import "google/protobuf/any.proto"; + +import "udpa/annotations/status.proto"; +import "udpa/annotations/versioning.proto"; +import "validate/validate.proto"; + +option java_package = "io.envoyproxy.envoy.extensions.filters.network.dubbo_proxy.v4alpha"; +option java_outer_classname = "DubboProxyProto"; +option java_multiple_files = true; +option (udpa.annotations.file_status).package_version_status = NEXT_MAJOR_VERSION_CANDIDATE; + +// [#protodoc-title: Dubbo Proxy] +// Dubbo Proxy :ref:`configuration overview `. +// [#extension: envoy.filters.network.dubbo_proxy] + +// Dubbo Protocol types supported by Envoy. +enum ProtocolType { + // the default protocol. + Dubbo = 0; +} + +// Dubbo Serialization types supported by Envoy. +enum SerializationType { + // the default serialization protocol. + Hessian2 = 0; +} + +// [#next-free-field: 6] +message DubboProxy { + option (udpa.annotations.versioning).previous_message_type = + "envoy.extensions.filters.network.dubbo_proxy.v3.DubboProxy"; + + // The human readable prefix to use when emitting statistics. + string stat_prefix = 1 [(validate.rules).string = {min_bytes: 1}]; + + // Configure the protocol used. + ProtocolType protocol_type = 2 [(validate.rules).enum = {defined_only: true}]; + + // Configure the serialization protocol used. + SerializationType serialization_type = 3 [(validate.rules).enum = {defined_only: true}]; + + // The route table for the connection manager is static and is specified in this property. + repeated RouteConfiguration route_config = 4; + + // A list of individual Dubbo filters that make up the filter chain for requests made to the + // Dubbo proxy. Order matters as the filters are processed sequentially. For backwards + // compatibility, if no dubbo_filters are specified, a default Dubbo router filter + // (`envoy.filters.dubbo.router`) is used. + repeated DubboFilter dubbo_filters = 5; +} + +// DubboFilter configures a Dubbo filter. +message DubboFilter { + option (udpa.annotations.versioning).previous_message_type = + "envoy.extensions.filters.network.dubbo_proxy.v3.DubboFilter"; + + // The name of the filter to instantiate. The name must match a supported + // filter. + string name = 1 [(validate.rules).string = {min_bytes: 1}]; + + // Filter specific configuration which depends on the filter being + // instantiated. See the supported filters for further documentation. + google.protobuf.Any config = 2; +} diff --git a/api/envoy/extensions/filters/network/dubbo_proxy/v4alpha/route.proto b/api/envoy/extensions/filters/network/dubbo_proxy/v4alpha/route.proto new file mode 100644 index 000000000000..c2ff03b33fb1 --- /dev/null +++ b/api/envoy/extensions/filters/network/dubbo_proxy/v4alpha/route.proto @@ -0,0 +1,121 @@ +syntax = "proto3"; + +package envoy.extensions.filters.network.dubbo_proxy.v4alpha; + +import "envoy/config/route/v4alpha/route_components.proto"; +import "envoy/type/matcher/v4alpha/string.proto"; +import "envoy/type/v3/range.proto"; + +import "udpa/annotations/status.proto"; +import "udpa/annotations/versioning.proto"; +import "validate/validate.proto"; + +option java_package = "io.envoyproxy.envoy.extensions.filters.network.dubbo_proxy.v4alpha"; +option java_outer_classname = "RouteProto"; +option java_multiple_files = true; +option (udpa.annotations.file_status).package_version_status = NEXT_MAJOR_VERSION_CANDIDATE; + +// [#protodoc-title: Dubbo Proxy Route Configuration] +// Dubbo Proxy :ref:`configuration overview `. + +// [#next-free-field: 6] +message RouteConfiguration { + option (udpa.annotations.versioning).previous_message_type = + "envoy.extensions.filters.network.dubbo_proxy.v3.RouteConfiguration"; + + // The name of the route configuration. Reserved for future use in asynchronous route discovery. + string name = 1; + + // The interface name of the service. + string interface = 2; + + // Which group does the interface belong to. + string group = 3; + + // The version number of the interface. + string version = 4; + + // The list of routes that will be matched, in order, against incoming requests. The first route + // that matches will be used. + repeated Route routes = 5; +} + +message Route { + option (udpa.annotations.versioning).previous_message_type = + "envoy.extensions.filters.network.dubbo_proxy.v3.Route"; + + // Route matching parameters. + RouteMatch match = 1 [(validate.rules).message = {required: true}]; + + // Route request to some upstream cluster. + RouteAction route = 2 [(validate.rules).message = {required: true}]; +} + +message RouteMatch { + option (udpa.annotations.versioning).previous_message_type = + "envoy.extensions.filters.network.dubbo_proxy.v3.RouteMatch"; + + // Method level routing matching. + MethodMatch method = 1; + + // Specifies a set of headers that the route should match on. The router will check the request’s + // headers against all the specified headers in the route config. A match will happen if all the + // headers in the route are present in the request with the same values (or based on presence if + // the value field is not in the config). + repeated config.route.v4alpha.HeaderMatcher headers = 2; +} + +message RouteAction { + option (udpa.annotations.versioning).previous_message_type = + "envoy.extensions.filters.network.dubbo_proxy.v3.RouteAction"; + + oneof cluster_specifier { + option (validate.required) = true; + + // Indicates the upstream cluster to which the request should be routed. + string cluster = 1; + + // Multiple upstream clusters can be specified for a given route. The + // request is routed to one of the upstream clusters based on weights + // assigned to each cluster. + // Currently ClusterWeight only supports the name and weight fields. + config.route.v4alpha.WeightedCluster weighted_clusters = 2; + } +} + +message MethodMatch { + option (udpa.annotations.versioning).previous_message_type = + "envoy.extensions.filters.network.dubbo_proxy.v3.MethodMatch"; + + // The parameter matching type. + message ParameterMatchSpecifier { + option (udpa.annotations.versioning).previous_message_type = + "envoy.extensions.filters.network.dubbo_proxy.v3.MethodMatch.ParameterMatchSpecifier"; + + oneof parameter_match_specifier { + // If specified, header match will be performed based on the value of the header. + string exact_match = 3; + + // If specified, header match will be performed based on range. + // The rule will match if the request header value is within this range. + // The entire request header value must represent an integer in base 10 notation: consisting + // of an optional plus or minus sign followed by a sequence of digits. The rule will not match + // if the header value does not represent an integer. Match will fail for empty values, + // floating point numbers or if only a subsequence of the header value is an integer. + // + // Examples: + // + // * For range [-10,0), route will match for header value -1, but not for 0, + // "somestring", 10.9, "-1somestring" + type.v3.Int64Range range_match = 4; + } + } + + // The name of the method. + type.matcher.v4alpha.StringMatcher name = 1; + + // Method parameter definition. + // The key is the parameter index, starting from 0. + // The value is the parameter matching type. + map params_match = 2; +} diff --git a/api/envoy/extensions/filters/network/http_connection_manager/v4alpha/BUILD b/api/envoy/extensions/filters/network/http_connection_manager/v4alpha/BUILD index 792ccf7ab677..57c9eebb5b19 100644 --- a/api/envoy/extensions/filters/network/http_connection_manager/v4alpha/BUILD +++ b/api/envoy/extensions/filters/network/http_connection_manager/v4alpha/BUILD @@ -7,7 +7,7 @@ licenses(["notice"]) # Apache 2 api_proto_package( deps = [ "//envoy/annotations:pkg", - "//envoy/config/accesslog/v3:pkg", + "//envoy/config/accesslog/v4alpha:pkg", "//envoy/config/core/v4alpha:pkg", "//envoy/config/route/v4alpha:pkg", "//envoy/config/trace/v4alpha:pkg", diff --git a/api/envoy/extensions/filters/network/http_connection_manager/v4alpha/http_connection_manager.proto b/api/envoy/extensions/filters/network/http_connection_manager/v4alpha/http_connection_manager.proto index 5eaefe16037e..03a15d832732 100644 --- a/api/envoy/extensions/filters/network/http_connection_manager/v4alpha/http_connection_manager.proto +++ b/api/envoy/extensions/filters/network/http_connection_manager/v4alpha/http_connection_manager.proto @@ -2,7 +2,7 @@ syntax = "proto3"; package envoy.extensions.filters.network.http_connection_manager.v4alpha; -import "envoy/config/accesslog/v3/accesslog.proto"; +import "envoy/config/accesslog/v4alpha/accesslog.proto"; import "envoy/config/core/v4alpha/config_source.proto"; import "envoy/config/core/v4alpha/protocol.proto"; import "envoy/config/route/v4alpha/route.proto"; @@ -383,7 +383,7 @@ message HttpConnectionManager { // Configuration for :ref:`HTTP access logs ` // emitted by the connection manager. - repeated config.accesslog.v3.AccessLog access_log = 13; + repeated config.accesslog.v4alpha.AccessLog access_log = 13; // If set to true, the connection manager will use the real remote address // of the client connection when determining internal versus external origin and manipulating diff --git a/api/envoy/extensions/filters/network/rocketmq_proxy/v4alpha/BUILD b/api/envoy/extensions/filters/network/rocketmq_proxy/v4alpha/BUILD new file mode 100644 index 000000000000..d8d88f7f3bb4 --- /dev/null +++ b/api/envoy/extensions/filters/network/rocketmq_proxy/v4alpha/BUILD @@ -0,0 +1,15 @@ +# DO NOT EDIT. This file is generated by tools/proto_sync.py. + +load("@envoy_api//bazel:api_build_system.bzl", "api_proto_package") + +licenses(["notice"]) # Apache 2 + +api_proto_package( + deps = [ + "//envoy/config/core/v4alpha:pkg", + "//envoy/config/route/v4alpha:pkg", + "//envoy/extensions/filters/network/rocketmq_proxy/v3:pkg", + "//envoy/type/matcher/v4alpha:pkg", + "@com_github_cncf_udpa//udpa/annotations:pkg", + ], +) diff --git a/api/envoy/extensions/filters/network/rocketmq_proxy/v4alpha/rocketmq_proxy.proto b/api/envoy/extensions/filters/network/rocketmq_proxy/v4alpha/rocketmq_proxy.proto new file mode 100644 index 000000000000..a765734e66db --- /dev/null +++ b/api/envoy/extensions/filters/network/rocketmq_proxy/v4alpha/rocketmq_proxy.proto @@ -0,0 +1,39 @@ +syntax = "proto3"; + +package envoy.extensions.filters.network.rocketmq_proxy.v4alpha; + +import "envoy/extensions/filters/network/rocketmq_proxy/v4alpha/route.proto"; + +import "google/protobuf/any.proto"; +import "google/protobuf/duration.proto"; + +import "udpa/annotations/status.proto"; +import "udpa/annotations/versioning.proto"; +import "validate/validate.proto"; + +option java_package = "io.envoyproxy.envoy.extensions.filters.network.rocketmq_proxy.v4alpha"; +option java_outer_classname = "RocketmqProxyProto"; +option java_multiple_files = true; +option (udpa.annotations.file_status).package_version_status = NEXT_MAJOR_VERSION_CANDIDATE; + +// [#protodoc-title: RocketMQ Proxy] +// RocketMQ Proxy :ref:`configuration overview `. +// [#extension: envoy.filters.network.rocketmq_proxy] + +message RocketmqProxy { + option (udpa.annotations.versioning).previous_message_type = + "envoy.extensions.filters.network.rocketmq_proxy.v3.RocketmqProxy"; + + // The human readable prefix to use when emitting statistics. + string stat_prefix = 1 [(validate.rules).string = {min_bytes: 1}]; + + // The route table for the connection manager is specified in this property. + RouteConfiguration route_config = 2; + + // The largest duration transient object expected to live, more than 10s is recommended. + google.protobuf.Duration transient_object_life_span = 3; + + // If develop_mode is enabled, this proxy plugin may work without dedicated traffic intercepting + // facility without considering backward compatibility of exiting RocketMQ client SDK. + bool develop_mode = 4; +} diff --git a/api/envoy/extensions/filters/network/rocketmq_proxy/v4alpha/route.proto b/api/envoy/extensions/filters/network/rocketmq_proxy/v4alpha/route.proto new file mode 100644 index 000000000000..995e8bcb05e3 --- /dev/null +++ b/api/envoy/extensions/filters/network/rocketmq_proxy/v4alpha/route.proto @@ -0,0 +1,67 @@ +syntax = "proto3"; + +package envoy.extensions.filters.network.rocketmq_proxy.v4alpha; + +import "envoy/config/core/v4alpha/base.proto"; +import "envoy/config/route/v4alpha/route_components.proto"; +import "envoy/type/matcher/v4alpha/string.proto"; + +import "udpa/annotations/status.proto"; +import "udpa/annotations/versioning.proto"; +import "validate/validate.proto"; + +option java_package = "io.envoyproxy.envoy.extensions.filters.network.rocketmq_proxy.v4alpha"; +option java_outer_classname = "RouteProto"; +option java_multiple_files = true; +option (udpa.annotations.file_status).package_version_status = NEXT_MAJOR_VERSION_CANDIDATE; + +// [#protodoc-title: Rocketmq Proxy Route Configuration] +// Rocketmq Proxy :ref:`configuration overview `. + +message RouteConfiguration { + option (udpa.annotations.versioning).previous_message_type = + "envoy.extensions.filters.network.rocketmq_proxy.v3.RouteConfiguration"; + + // The name of the route configuration. + string name = 1; + + // The list of routes that will be matched, in order, against incoming requests. The first route + // that matches will be used. + repeated Route routes = 2; +} + +message Route { + option (udpa.annotations.versioning).previous_message_type = + "envoy.extensions.filters.network.rocketmq_proxy.v3.Route"; + + // Route matching parameters. + RouteMatch match = 1 [(validate.rules).message = {required: true}]; + + // Route request to some upstream cluster. + RouteAction route = 2 [(validate.rules).message = {required: true}]; +} + +message RouteMatch { + option (udpa.annotations.versioning).previous_message_type = + "envoy.extensions.filters.network.rocketmq_proxy.v3.RouteMatch"; + + // The name of the topic. + type.matcher.v4alpha.StringMatcher topic = 1 [(validate.rules).message = {required: true}]; + + // Specifies a set of headers that the route should match on. The router will check the request’s + // headers against all the specified headers in the route config. A match will happen if all the + // headers in the route are present in the request with the same values (or based on presence if + // the value field is not in the config). + repeated config.route.v4alpha.HeaderMatcher headers = 2; +} + +message RouteAction { + option (udpa.annotations.versioning).previous_message_type = + "envoy.extensions.filters.network.rocketmq_proxy.v3.RouteAction"; + + // Indicates the upstream cluster to which the request should be routed. + string cluster = 1 [(validate.rules).string = {min_bytes: 1}]; + + // Optional endpoint metadata match criteria used by the subset load balancer. + config.core.v4alpha.Metadata metadata_match = 2; +} diff --git a/api/envoy/extensions/filters/network/tcp_proxy/v4alpha/BUILD b/api/envoy/extensions/filters/network/tcp_proxy/v4alpha/BUILD new file mode 100644 index 000000000000..3825be9a8afc --- /dev/null +++ b/api/envoy/extensions/filters/network/tcp_proxy/v4alpha/BUILD @@ -0,0 +1,15 @@ +# DO NOT EDIT. This file is generated by tools/proto_sync.py. + +load("@envoy_api//bazel:api_build_system.bzl", "api_proto_package") + +licenses(["notice"]) # Apache 2 + +api_proto_package( + deps = [ + "//envoy/config/accesslog/v4alpha:pkg", + "//envoy/config/core/v4alpha:pkg", + "//envoy/extensions/filters/network/tcp_proxy/v3:pkg", + "//envoy/type/v3:pkg", + "@com_github_cncf_udpa//udpa/annotations:pkg", + ], +) diff --git a/api/envoy/extensions/filters/network/tcp_proxy/v4alpha/tcp_proxy.proto b/api/envoy/extensions/filters/network/tcp_proxy/v4alpha/tcp_proxy.proto new file mode 100644 index 000000000000..1857f2abcd4e --- /dev/null +++ b/api/envoy/extensions/filters/network/tcp_proxy/v4alpha/tcp_proxy.proto @@ -0,0 +1,137 @@ +syntax = "proto3"; + +package envoy.extensions.filters.network.tcp_proxy.v4alpha; + +import "envoy/config/accesslog/v4alpha/accesslog.proto"; +import "envoy/config/core/v4alpha/base.proto"; +import "envoy/type/v3/hash_policy.proto"; + +import "google/protobuf/duration.proto"; +import "google/protobuf/wrappers.proto"; + +import "udpa/annotations/status.proto"; +import "udpa/annotations/versioning.proto"; +import "validate/validate.proto"; + +option java_package = "io.envoyproxy.envoy.extensions.filters.network.tcp_proxy.v4alpha"; +option java_outer_classname = "TcpProxyProto"; +option java_multiple_files = true; +option (udpa.annotations.file_status).package_version_status = NEXT_MAJOR_VERSION_CANDIDATE; + +// [#protodoc-title: TCP Proxy] +// TCP Proxy :ref:`configuration overview `. +// [#extension: envoy.filters.network.tcp_proxy] + +// [#next-free-field: 13] +message TcpProxy { + option (udpa.annotations.versioning).previous_message_type = + "envoy.extensions.filters.network.tcp_proxy.v3.TcpProxy"; + + // Allows for specification of multiple upstream clusters along with weights + // that indicate the percentage of traffic to be forwarded to each cluster. + // The router selects an upstream cluster based on these weights. + message WeightedCluster { + option (udpa.annotations.versioning).previous_message_type = + "envoy.extensions.filters.network.tcp_proxy.v3.TcpProxy.WeightedCluster"; + + message ClusterWeight { + option (udpa.annotations.versioning).previous_message_type = + "envoy.extensions.filters.network.tcp_proxy.v3.TcpProxy.WeightedCluster.ClusterWeight"; + + // Name of the upstream cluster. + string name = 1 [(validate.rules).string = {min_bytes: 1}]; + + // When a request matches the route, the choice of an upstream cluster is + // determined by its weight. The sum of weights across all entries in the + // clusters array determines the total weight. + uint32 weight = 2 [(validate.rules).uint32 = {gte: 1}]; + + // Optional endpoint metadata match criteria used by the subset load balancer. Only endpoints + // in the upstream cluster with metadata matching what is set in this field will be considered + // for load balancing. Note that this will be merged with what's provided in + // :ref:`TcpProxy.metadata_match + // `, with values + // here taking precedence. The filter name should be specified as *envoy.lb*. + config.core.v4alpha.Metadata metadata_match = 3; + } + + // Specifies one or more upstream clusters associated with the route. + repeated ClusterWeight clusters = 1 [(validate.rules).repeated = {min_items: 1}]; + } + + // Configuration for tunneling TCP over other transports or application layers. + // Currently, only HTTP/2 is supported. When other options exist, HTTP/2 will + // remain the default. + message TunnelingConfig { + option (udpa.annotations.versioning).previous_message_type = + "envoy.extensions.filters.network.tcp_proxy.v3.TcpProxy.TunnelingConfig"; + + // The hostname to send in the synthesized CONNECT headers to the upstream proxy. + string hostname = 1 [(validate.rules).string = {min_bytes: 1}]; + } + + reserved 6; + + reserved "deprecated_v1"; + + // The prefix to use when emitting :ref:`statistics + // `. + string stat_prefix = 1 [(validate.rules).string = {min_bytes: 1}]; + + oneof cluster_specifier { + option (validate.required) = true; + + // The upstream cluster to connect to. + string cluster = 2; + + // Multiple upstream clusters can be specified for a given route. The + // request is routed to one of the upstream clusters based on weights + // assigned to each cluster. + WeightedCluster weighted_clusters = 10; + } + + // Optional endpoint metadata match criteria. Only endpoints in the upstream + // cluster with metadata matching that set in metadata_match will be + // considered. The filter name should be specified as *envoy.lb*. + config.core.v4alpha.Metadata metadata_match = 9; + + // The idle timeout for connections managed by the TCP proxy filter. The idle timeout + // is defined as the period in which there are no bytes sent or received on either + // the upstream or downstream connection. If not set, the default idle timeout is 1 hour. If set + // to 0s, the timeout will be disabled. + // + // .. warning:: + // Disabling this timeout has a highly likelihood of yielding connection leaks due to lost TCP + // FIN packets, etc. + google.protobuf.Duration idle_timeout = 8; + + // [#not-implemented-hide:] The idle timeout for connections managed by the TCP proxy + // filter. The idle timeout is defined as the period in which there is no + // active traffic. If not set, there is no idle timeout. When the idle timeout + // is reached the connection will be closed. The distinction between + // downstream_idle_timeout/upstream_idle_timeout provides a means to set + // timeout based on the last byte sent on the downstream/upstream connection. + google.protobuf.Duration downstream_idle_timeout = 3; + + // [#not-implemented-hide:] + google.protobuf.Duration upstream_idle_timeout = 4; + + // Configuration for :ref:`access logs ` + // emitted by the this tcp_proxy. + repeated config.accesslog.v4alpha.AccessLog access_log = 5; + + // The maximum number of unsuccessful connection attempts that will be made before + // giving up. If the parameter is not specified, 1 connection attempt will be made. + google.protobuf.UInt32Value max_connect_attempts = 7 [(validate.rules).uint32 = {gte: 1}]; + + // Optional configuration for TCP proxy hash policy. If hash_policy is not set, the hash-based + // load balancing algorithms will select a host randomly. Currently the number of hash policies is + // limited to 1. + repeated type.v3.HashPolicy hash_policy = 11 [(validate.rules).repeated = {max_items: 1}]; + + // [#not-implemented-hide:] feature in progress + // If set, this configures tunneling, e.g. configuration options to tunnel multiple TCP + // payloads over a shared HTTP/2 tunnel. If this message is absent, the payload + // will be proxied upstream as per usual. + TunnelingConfig tunneling_config = 12; +} diff --git a/api/envoy/extensions/filters/network/thrift_proxy/v4alpha/BUILD b/api/envoy/extensions/filters/network/thrift_proxy/v4alpha/BUILD new file mode 100644 index 000000000000..9ec74c0a9b83 --- /dev/null +++ b/api/envoy/extensions/filters/network/thrift_proxy/v4alpha/BUILD @@ -0,0 +1,14 @@ +# DO NOT EDIT. This file is generated by tools/proto_sync.py. + +load("@envoy_api//bazel:api_build_system.bzl", "api_proto_package") + +licenses(["notice"]) # Apache 2 + +api_proto_package( + deps = [ + "//envoy/config/core/v4alpha:pkg", + "//envoy/config/route/v4alpha:pkg", + "//envoy/extensions/filters/network/thrift_proxy/v3:pkg", + "@com_github_cncf_udpa//udpa/annotations:pkg", + ], +) diff --git a/api/envoy/extensions/filters/network/thrift_proxy/v4alpha/route.proto b/api/envoy/extensions/filters/network/thrift_proxy/v4alpha/route.proto new file mode 100644 index 000000000000..9b847d645a65 --- /dev/null +++ b/api/envoy/extensions/filters/network/thrift_proxy/v4alpha/route.proto @@ -0,0 +1,157 @@ +syntax = "proto3"; + +package envoy.extensions.filters.network.thrift_proxy.v4alpha; + +import "envoy/config/core/v4alpha/base.proto"; +import "envoy/config/route/v4alpha/route_components.proto"; + +import "google/protobuf/wrappers.proto"; + +import "udpa/annotations/status.proto"; +import "udpa/annotations/versioning.proto"; +import "validate/validate.proto"; + +option java_package = "io.envoyproxy.envoy.extensions.filters.network.thrift_proxy.v4alpha"; +option java_outer_classname = "RouteProto"; +option java_multiple_files = true; +option (udpa.annotations.file_status).package_version_status = NEXT_MAJOR_VERSION_CANDIDATE; + +// [#protodoc-title: Thrift Proxy Route Configuration] +// Thrift Proxy :ref:`configuration overview `. + +message RouteConfiguration { + option (udpa.annotations.versioning).previous_message_type = + "envoy.extensions.filters.network.thrift_proxy.v3.RouteConfiguration"; + + // The name of the route configuration. Reserved for future use in asynchronous route discovery. + string name = 1; + + // The list of routes that will be matched, in order, against incoming requests. The first route + // that matches will be used. + repeated Route routes = 2; +} + +message Route { + option (udpa.annotations.versioning).previous_message_type = + "envoy.extensions.filters.network.thrift_proxy.v3.Route"; + + // Route matching parameters. + RouteMatch match = 1 [(validate.rules).message = {required: true}]; + + // Route request to some upstream cluster. + RouteAction route = 2 [(validate.rules).message = {required: true}]; +} + +message RouteMatch { + option (udpa.annotations.versioning).previous_message_type = + "envoy.extensions.filters.network.thrift_proxy.v3.RouteMatch"; + + oneof match_specifier { + option (validate.required) = true; + + // If specified, the route must exactly match the request method name. As a special case, an + // empty string matches any request method name. + string method_name = 1; + + // If specified, the route must have the service name as the request method name prefix. As a + // special case, an empty string matches any service name. Only relevant when service + // multiplexing. + string service_name = 2; + } + + // Inverts whatever matching is done in the :ref:`method_name + // ` or + // :ref:`service_name + // ` fields. + // Cannot be combined with wildcard matching as that would result in routes never being matched. + // + // .. note:: + // + // This does not invert matching done as part of the :ref:`headers field + // ` field. To + // invert header matching, see :ref:`invert_match + // `. + bool invert = 3; + + // Specifies a set of headers that the route should match on. The router will check the request’s + // headers against all the specified headers in the route config. A match will happen if all the + // headers in the route are present in the request with the same values (or based on presence if + // the value field is not in the config). Note that this only applies for Thrift transports and/or + // protocols that support headers. + repeated config.route.v4alpha.HeaderMatcher headers = 4; +} + +// [#next-free-field: 7] +message RouteAction { + option (udpa.annotations.versioning).previous_message_type = + "envoy.extensions.filters.network.thrift_proxy.v3.RouteAction"; + + oneof cluster_specifier { + option (validate.required) = true; + + // Indicates a single upstream cluster to which the request should be routed + // to. + string cluster = 1 [(validate.rules).string = {min_bytes: 1}]; + + // Multiple upstream clusters can be specified for a given route. The + // request is routed to one of the upstream clusters based on weights + // assigned to each cluster. + WeightedCluster weighted_clusters = 2; + + // Envoy will determine the cluster to route to by reading the value of the + // Thrift header named by cluster_header from the request headers. If the + // header is not found or the referenced cluster does not exist Envoy will + // respond with an unknown method exception or an internal error exception, + // respectively. + string cluster_header = 6 [(validate.rules).string = {min_bytes: 1}]; + } + + // Optional endpoint metadata match criteria used by the subset load balancer. Only endpoints in + // the upstream cluster with metadata matching what is set in this field will be considered. + // Note that this will be merged with what's provided in :ref:`WeightedCluster.metadata_match + // `, + // with values there taking precedence. Keys and values should be provided under the "envoy.lb" + // metadata key. + config.core.v4alpha.Metadata metadata_match = 3; + + // Specifies a set of rate limit configurations that could be applied to the route. + // N.B. Thrift service or method name matching can be achieved by specifying a RequestHeaders + // action with the header name ":method-name". + repeated config.route.v4alpha.RateLimit rate_limits = 4; + + // Strip the service prefix from the method name, if there's a prefix. For + // example, the method call Service:method would end up being just method. + bool strip_service_name = 5; +} + +// Allows for specification of multiple upstream clusters along with weights that indicate the +// percentage of traffic to be forwarded to each cluster. The router selects an upstream cluster +// based on these weights. +message WeightedCluster { + option (udpa.annotations.versioning).previous_message_type = + "envoy.extensions.filters.network.thrift_proxy.v3.WeightedCluster"; + + message ClusterWeight { + option (udpa.annotations.versioning).previous_message_type = + "envoy.extensions.filters.network.thrift_proxy.v3.WeightedCluster.ClusterWeight"; + + // Name of the upstream cluster. + string name = 1 [(validate.rules).string = {min_bytes: 1}]; + + // When a request matches the route, the choice of an upstream cluster is determined by its + // weight. The sum of weights across all entries in the clusters array determines the total + // weight. + google.protobuf.UInt32Value weight = 2 [(validate.rules).uint32 = {gte: 1}]; + + // Optional endpoint metadata match criteria used by the subset load balancer. Only endpoints in + // the upstream cluster with metadata matching what is set in this field, combined with what's + // provided in :ref:`RouteAction's metadata_match + // `, + // will be considered. Values here will take precedence. Keys and values should be provided + // under the "envoy.lb" metadata key. + config.core.v4alpha.Metadata metadata_match = 3; + } + + // Specifies one or more upstream clusters associated with the route. + repeated ClusterWeight clusters = 1 [(validate.rules).repeated = {min_items: 1}]; +} diff --git a/api/envoy/extensions/filters/network/thrift_proxy/v4alpha/thrift_proxy.proto b/api/envoy/extensions/filters/network/thrift_proxy/v4alpha/thrift_proxy.proto new file mode 100644 index 000000000000..6bf055da3ce6 --- /dev/null +++ b/api/envoy/extensions/filters/network/thrift_proxy/v4alpha/thrift_proxy.proto @@ -0,0 +1,130 @@ +syntax = "proto3"; + +package envoy.extensions.filters.network.thrift_proxy.v4alpha; + +import "envoy/extensions/filters/network/thrift_proxy/v4alpha/route.proto"; + +import "google/protobuf/any.proto"; +import "google/protobuf/struct.proto"; + +import "udpa/annotations/status.proto"; +import "udpa/annotations/versioning.proto"; +import "validate/validate.proto"; + +option java_package = "io.envoyproxy.envoy.extensions.filters.network.thrift_proxy.v4alpha"; +option java_outer_classname = "ThriftProxyProto"; +option java_multiple_files = true; +option (udpa.annotations.file_status).package_version_status = NEXT_MAJOR_VERSION_CANDIDATE; + +// [#protodoc-title: Thrift Proxy] +// Thrift Proxy :ref:`configuration overview `. +// [#extension: envoy.filters.network.thrift_proxy] + +// Thrift transport types supported by Envoy. +enum TransportType { + // For downstream connections, the Thrift proxy will attempt to determine which transport to use. + // For upstream connections, the Thrift proxy will use same transport as the downstream + // connection. + AUTO_TRANSPORT = 0; + + // The Thrift proxy will use the Thrift framed transport. + FRAMED = 1; + + // The Thrift proxy will use the Thrift unframed transport. + UNFRAMED = 2; + + // The Thrift proxy will assume the client is using the Thrift header transport. + HEADER = 3; +} + +// Thrift Protocol types supported by Envoy. +enum ProtocolType { + // For downstream connections, the Thrift proxy will attempt to determine which protocol to use. + // Note that the older, non-strict (or lax) binary protocol is not included in automatic protocol + // detection. For upstream connections, the Thrift proxy will use the same protocol as the + // downstream connection. + AUTO_PROTOCOL = 0; + + // The Thrift proxy will use the Thrift binary protocol. + BINARY = 1; + + // The Thrift proxy will use Thrift non-strict binary protocol. + LAX_BINARY = 2; + + // The Thrift proxy will use the Thrift compact protocol. + COMPACT = 3; + + // The Thrift proxy will use the Thrift "Twitter" protocol implemented by the finagle library. + TWITTER = 4; +} + +// [#next-free-field: 6] +message ThriftProxy { + option (udpa.annotations.versioning).previous_message_type = + "envoy.extensions.filters.network.thrift_proxy.v3.ThriftProxy"; + + // Supplies the type of transport that the Thrift proxy should use. Defaults to + // :ref:`AUTO_TRANSPORT`. + TransportType transport = 2 [(validate.rules).enum = {defined_only: true}]; + + // Supplies the type of protocol that the Thrift proxy should use. Defaults to + // :ref:`AUTO_PROTOCOL`. + ProtocolType protocol = 3 [(validate.rules).enum = {defined_only: true}]; + + // The human readable prefix to use when emitting statistics. + string stat_prefix = 1 [(validate.rules).string = {min_bytes: 1}]; + + // The route table for the connection manager is static and is specified in this property. + RouteConfiguration route_config = 4; + + // A list of individual Thrift filters that make up the filter chain for requests made to the + // Thrift proxy. Order matters as the filters are processed sequentially. For backwards + // compatibility, if no thrift_filters are specified, a default Thrift router filter + // (`envoy.filters.thrift.router`) is used. + repeated ThriftFilter thrift_filters = 5; +} + +// ThriftFilter configures a Thrift filter. +message ThriftFilter { + option (udpa.annotations.versioning).previous_message_type = + "envoy.extensions.filters.network.thrift_proxy.v3.ThriftFilter"; + + reserved 2; + + reserved "config"; + + // The name of the filter to instantiate. The name must match a supported + // filter. The built-in filters are: + // + // [#comment:TODO(zuercher): Auto generate the following list] + // * :ref:`envoy.filters.thrift.router ` + // * :ref:`envoy.filters.thrift.rate_limit ` + string name = 1 [(validate.rules).string = {min_bytes: 1}]; + + // Filter specific configuration which depends on the filter being instantiated. See the supported + // filters for further documentation. + oneof config_type { + google.protobuf.Any typed_config = 3; + } +} + +// ThriftProtocolOptions specifies Thrift upstream protocol options. This object is used in +// in +// :ref:`typed_extension_protocol_options`, +// keyed by the name `envoy.filters.network.thrift_proxy`. +message ThriftProtocolOptions { + option (udpa.annotations.versioning).previous_message_type = + "envoy.extensions.filters.network.thrift_proxy.v3.ThriftProtocolOptions"; + + // Supplies the type of transport that the Thrift proxy should use for upstream connections. + // Selecting + // :ref:`AUTO_TRANSPORT`, + // which is the default, causes the proxy to use the same transport as the downstream connection. + TransportType transport = 1 [(validate.rules).enum = {defined_only: true}]; + + // Supplies the type of protocol that the Thrift proxy should use for upstream connections. + // Selecting + // :ref:`AUTO_PROTOCOL`, + // which is the default, causes the proxy to use the same protocol as the downstream connection. + ProtocolType protocol = 2 [(validate.rules).enum = {defined_only: true}]; +} diff --git a/api/envoy/extensions/filters/udp/dns_filter/v4alpha/BUILD b/api/envoy/extensions/filters/udp/dns_filter/v4alpha/BUILD new file mode 100644 index 000000000000..f869cf5ac123 --- /dev/null +++ b/api/envoy/extensions/filters/udp/dns_filter/v4alpha/BUILD @@ -0,0 +1,14 @@ +# DO NOT EDIT. This file is generated by tools/proto_sync.py. + +load("@envoy_api//bazel:api_build_system.bzl", "api_proto_package") + +licenses(["notice"]) # Apache 2 + +api_proto_package( + deps = [ + "//envoy/config/core/v4alpha:pkg", + "//envoy/data/dns/v4alpha:pkg", + "//envoy/extensions/filters/udp/dns_filter/v3alpha:pkg", + "@com_github_cncf_udpa//udpa/annotations:pkg", + ], +) diff --git a/api/envoy/extensions/filters/udp/dns_filter/v4alpha/dns_filter.proto b/api/envoy/extensions/filters/udp/dns_filter/v4alpha/dns_filter.proto new file mode 100644 index 000000000000..be78ebf40c18 --- /dev/null +++ b/api/envoy/extensions/filters/udp/dns_filter/v4alpha/dns_filter.proto @@ -0,0 +1,80 @@ +syntax = "proto3"; + +package envoy.extensions.filters.udp.dns_filter.v4alpha; + +import "envoy/config/core/v4alpha/base.proto"; +import "envoy/data/dns/v4alpha/dns_table.proto"; + +import "google/protobuf/duration.proto"; + +import "udpa/annotations/status.proto"; +import "udpa/annotations/versioning.proto"; +import "validate/validate.proto"; + +option java_package = "io.envoyproxy.envoy.extensions.filters.udp.dns_filter.v4alpha"; +option java_outer_classname = "DnsFilterProto"; +option java_multiple_files = true; +option (udpa.annotations.file_status).work_in_progress = true; +option (udpa.annotations.file_status).package_version_status = NEXT_MAJOR_VERSION_CANDIDATE; + +// [#protodoc-title: DNS Filter] +// DNS Filter :ref:`configuration overview `. +// [#extension: envoy.filters.udp_listener.dns_filter] + +// Configuration for the DNS filter. +message DnsFilterConfig { + option (udpa.annotations.versioning).previous_message_type = + "envoy.extensions.filters.udp.dns_filter.v3alpha.DnsFilterConfig"; + + // This message contains the configuration for the DNS Filter operating + // in a server context. This message will contain the virtual hosts and + // associated addresses with which Envoy will respond to queries + message ServerContextConfig { + option (udpa.annotations.versioning).previous_message_type = + "envoy.extensions.filters.udp.dns_filter.v3alpha.DnsFilterConfig.ServerContextConfig"; + + oneof config_source { + option (validate.required) = true; + + // Load the configuration specified from the control plane + data.dns.v4alpha.DnsTable inline_dns_table = 1; + + // Seed the filter configuration from an external path. This source + // is a yaml formatted file that contains the DnsTable driving Envoy's + // responses to DNS queries + config.core.v4alpha.DataSource external_dns_table = 2; + } + } + + // This message contains the configuration for the DNS Filter operating + // in a client context. This message will contain the timeouts, retry, + // and forwarding configuration for Envoy to make DNS requests to other + // resolvers + message ClientContextConfig { + option (udpa.annotations.versioning).previous_message_type = + "envoy.extensions.filters.udp.dns_filter.v3alpha.DnsFilterConfig.ClientContextConfig"; + + // Sets the maximum time we will wait for the upstream query to complete + // We allow 5s for the upstream resolution to complete, so the minimum + // value here is 5 + google.protobuf.Duration resolver_timeout = 1 [(validate.rules).duration = {gte {seconds: 5}}]; + + // A list of DNS servers to which we can forward queries + repeated string upstream_resolvers = 2 [(validate.rules).repeated = { + min_items: 1 + items {string {min_len: 3}} + }]; + } + + // The stat prefix used when emitting DNS filter statistics + string stat_prefix = 1 [(validate.rules).string = {min_len: 1}]; + + // Server context configuration contains the data that the filter uses to respond + // to DNS requests. + ServerContextConfig server_config = 2; + + // Client context configuration controls Envoy's behavior when it must use external + // resolvers to answer a query. This object is optional and if omitted instructs + // the filter to resolve queries from the data in the server_config + ClientContextConfig client_config = 3; +} diff --git a/api/envoy/extensions/transport_sockets/tls/v4alpha/BUILD b/api/envoy/extensions/transport_sockets/tls/v4alpha/BUILD index e56544584bfe..d294b69de40c 100644 --- a/api/envoy/extensions/transport_sockets/tls/v4alpha/BUILD +++ b/api/envoy/extensions/transport_sockets/tls/v4alpha/BUILD @@ -8,7 +8,7 @@ api_proto_package( deps = [ "//envoy/config/core/v4alpha:pkg", "//envoy/extensions/transport_sockets/tls/v3:pkg", - "//envoy/type/matcher/v3:pkg", + "//envoy/type/matcher/v4alpha:pkg", "@com_github_cncf_udpa//udpa/annotations:pkg", ], ) diff --git a/api/envoy/extensions/transport_sockets/tls/v4alpha/common.proto b/api/envoy/extensions/transport_sockets/tls/v4alpha/common.proto index 9028e380d092..f81442f4dbcd 100644 --- a/api/envoy/extensions/transport_sockets/tls/v4alpha/common.proto +++ b/api/envoy/extensions/transport_sockets/tls/v4alpha/common.proto @@ -3,7 +3,7 @@ syntax = "proto3"; package envoy.extensions.transport_sockets.tls.v4alpha; import "envoy/config/core/v4alpha/base.proto"; -import "envoy/type/matcher/v3/string.proto"; +import "envoy/type/matcher/v4alpha/string.proto"; import "google/protobuf/any.proto"; import "google/protobuf/struct.proto"; @@ -298,7 +298,7 @@ message CertificateValidationContext { // Subject Alternative Name of the presented certificate matches one of the specified matches. // // When a certificate has wildcard DNS SAN entries, to match a specific client, it should be - // configured with exact match type in the :ref:`string matcher `. + // configured with exact match type in the :ref:`string matcher `. // For example if the certificate has "\*.example.com" as DNS SAN entry, to allow only "api.example.com", // it should be configured as shown below. // @@ -312,7 +312,7 @@ message CertificateValidationContext { // Subject Alternative Names are easily spoofable and verifying only them is insecure, // therefore this option must be used together with :ref:`trusted_ca // `. - repeated type.matcher.v3.StringMatcher match_subject_alt_names = 9; + repeated type.matcher.v4alpha.StringMatcher match_subject_alt_names = 9; // [#not-implemented-hide:] Must present a signed time-stamped OCSP response. google.protobuf.BoolValue require_ocsp_staple = 5; diff --git a/api/envoy/service/health/v4alpha/BUILD b/api/envoy/service/health/v4alpha/BUILD new file mode 100644 index 000000000000..b7b2a13bd495 --- /dev/null +++ b/api/envoy/service/health/v4alpha/BUILD @@ -0,0 +1,15 @@ +# DO NOT EDIT. This file is generated by tools/proto_sync.py. + +load("@envoy_api//bazel:api_build_system.bzl", "api_proto_package") + +licenses(["notice"]) # Apache 2 + +api_proto_package( + has_services = True, + deps = [ + "//envoy/config/core/v4alpha:pkg", + "//envoy/config/endpoint/v3:pkg", + "//envoy/service/health/v3:pkg", + "@com_github_cncf_udpa//udpa/annotations:pkg", + ], +) diff --git a/api/envoy/service/health/v4alpha/hds.proto b/api/envoy/service/health/v4alpha/hds.proto new file mode 100644 index 000000000000..826d5eeb0301 --- /dev/null +++ b/api/envoy/service/health/v4alpha/hds.proto @@ -0,0 +1,160 @@ +syntax = "proto3"; + +package envoy.service.health.v4alpha; + +import "envoy/config/core/v4alpha/base.proto"; +import "envoy/config/core/v4alpha/health_check.proto"; +import "envoy/config/endpoint/v3/endpoint_components.proto"; + +import "google/api/annotations.proto"; +import "google/protobuf/duration.proto"; + +import "udpa/annotations/status.proto"; +import "udpa/annotations/versioning.proto"; + +option java_package = "io.envoyproxy.envoy.service.health.v4alpha"; +option java_outer_classname = "HdsProto"; +option java_multiple_files = true; +option java_generic_services = true; +option (udpa.annotations.file_status).package_version_status = NEXT_MAJOR_VERSION_CANDIDATE; + +// [#protodoc-title: Health Discovery Service (HDS)] + +// HDS is Health Discovery Service. It compliments Envoy’s health checking +// service by designating this Envoy to be a healthchecker for a subset of hosts +// in the cluster. The status of these health checks will be reported to the +// management server, where it can be aggregated etc and redistributed back to +// Envoy through EDS. +service HealthDiscoveryService { + // 1. Envoy starts up and if its can_healthcheck option in the static + // bootstrap config is enabled, sends HealthCheckRequest to the management + // server. It supplies its capabilities (which protocol it can health check + // with, what zone it resides in, etc.). + // 2. In response to (1), the management server designates this Envoy as a + // healthchecker to health check a subset of all upstream hosts for a given + // cluster (for example upstream Host 1 and Host 2). It streams + // HealthCheckSpecifier messages with cluster related configuration for all + // clusters this Envoy is designated to health check. Subsequent + // HealthCheckSpecifier message will be sent on changes to: + // a. Endpoints to health checks + // b. Per cluster configuration change + // 3. Envoy creates a health probe based on the HealthCheck config and sends + // it to endpoint(ip:port) of Host 1 and 2. Based on the HealthCheck + // configuration Envoy waits upon the arrival of the probe response and + // looks at the content of the response to decide whether the endpoint is + // healthy or not. If a response hasn't been received within the timeout + // interval, the endpoint health status is considered TIMEOUT. + // 4. Envoy reports results back in an EndpointHealthResponse message. + // Envoy streams responses as often as the interval configured by the + // management server in HealthCheckSpecifier. + // 5. The management Server collects health statuses for all endpoints in the + // cluster (for all clusters) and uses this information to construct + // EndpointDiscoveryResponse messages. + // 6. Once Envoy has a list of upstream endpoints to send traffic to, it load + // balances traffic to them without additional health checking. It may + // use inline healthcheck (i.e. consider endpoint UNHEALTHY if connection + // failed to a particular endpoint to account for health status propagation + // delay between HDS and EDS). + // By default, can_healthcheck is true. If can_healthcheck is false, Cluster + // configuration may not contain HealthCheck message. + // TODO(htuch): How is can_healthcheck communicated to CDS to ensure the above + // invariant? + // TODO(htuch): Add @amb67's diagram. + rpc StreamHealthCheck(stream HealthCheckRequestOrEndpointHealthResponse) + returns (stream HealthCheckSpecifier) { + } + + // TODO(htuch): Unlike the gRPC version, there is no stream-based binding of + // request/response. Should we add an identifier to the HealthCheckSpecifier + // to bind with the response? + rpc FetchHealthCheck(HealthCheckRequestOrEndpointHealthResponse) returns (HealthCheckSpecifier) { + option (google.api.http).post = "/v3/discovery:health_check"; + option (google.api.http).body = "*"; + } +} + +// Defines supported protocols etc, so the management server can assign proper +// endpoints to healthcheck. +message Capability { + option (udpa.annotations.versioning).previous_message_type = "envoy.service.health.v3.Capability"; + + // Different Envoy instances may have different capabilities (e.g. Redis) + // and/or have ports enabled for different protocols. + enum Protocol { + HTTP = 0; + TCP = 1; + REDIS = 2; + } + + repeated Protocol health_check_protocols = 1; +} + +message HealthCheckRequest { + option (udpa.annotations.versioning).previous_message_type = + "envoy.service.health.v3.HealthCheckRequest"; + + config.core.v4alpha.Node node = 1; + + Capability capability = 2; +} + +message EndpointHealth { + option (udpa.annotations.versioning).previous_message_type = + "envoy.service.health.v3.EndpointHealth"; + + config.endpoint.v3.Endpoint endpoint = 1; + + config.core.v4alpha.HealthStatus health_status = 2; +} + +message EndpointHealthResponse { + option (udpa.annotations.versioning).previous_message_type = + "envoy.service.health.v3.EndpointHealthResponse"; + + repeated EndpointHealth endpoints_health = 1; +} + +message HealthCheckRequestOrEndpointHealthResponse { + option (udpa.annotations.versioning).previous_message_type = + "envoy.service.health.v3.HealthCheckRequestOrEndpointHealthResponse"; + + oneof request_type { + HealthCheckRequest health_check_request = 1; + + EndpointHealthResponse endpoint_health_response = 2; + } +} + +message LocalityEndpoints { + option (udpa.annotations.versioning).previous_message_type = + "envoy.service.health.v3.LocalityEndpoints"; + + config.core.v4alpha.Locality locality = 1; + + repeated config.endpoint.v3.Endpoint endpoints = 2; +} + +// The cluster name and locality is provided to Envoy for the endpoints that it +// health checks to support statistics reporting, logging and debugging by the +// Envoy instance (outside of HDS). For maximum usefulness, it should match the +// same cluster structure as that provided by EDS. +message ClusterHealthCheck { + option (udpa.annotations.versioning).previous_message_type = + "envoy.service.health.v3.ClusterHealthCheck"; + + string cluster_name = 1; + + repeated config.core.v4alpha.HealthCheck health_checks = 2; + + repeated LocalityEndpoints locality_endpoints = 3; +} + +message HealthCheckSpecifier { + option (udpa.annotations.versioning).previous_message_type = + "envoy.service.health.v3.HealthCheckSpecifier"; + + repeated ClusterHealthCheck cluster_health_checks = 1; + + // The default is 1 second. + google.protobuf.Duration interval = 2; +} diff --git a/api/envoy/service/status/v4alpha/BUILD b/api/envoy/service/status/v4alpha/BUILD new file mode 100644 index 000000000000..fb238648fbca --- /dev/null +++ b/api/envoy/service/status/v4alpha/BUILD @@ -0,0 +1,16 @@ +# DO NOT EDIT. This file is generated by tools/proto_sync.py. + +load("@envoy_api//bazel:api_build_system.bzl", "api_proto_package") + +licenses(["notice"]) # Apache 2 + +api_proto_package( + has_services = True, + deps = [ + "//envoy/admin/v4alpha:pkg", + "//envoy/config/core/v4alpha:pkg", + "//envoy/service/status/v3:pkg", + "//envoy/type/matcher/v4alpha:pkg", + "@com_github_cncf_udpa//udpa/annotations:pkg", + ], +) diff --git a/api/envoy/service/status/v4alpha/csds.proto b/api/envoy/service/status/v4alpha/csds.proto new file mode 100644 index 000000000000..f6f5fa654d70 --- /dev/null +++ b/api/envoy/service/status/v4alpha/csds.proto @@ -0,0 +1,102 @@ +syntax = "proto3"; + +package envoy.service.status.v4alpha; + +import "envoy/admin/v4alpha/config_dump.proto"; +import "envoy/config/core/v4alpha/base.proto"; +import "envoy/type/matcher/v4alpha/node.proto"; + +import "google/api/annotations.proto"; +import "google/protobuf/struct.proto"; + +import "udpa/annotations/status.proto"; +import "udpa/annotations/versioning.proto"; + +option java_package = "io.envoyproxy.envoy.service.status.v4alpha"; +option java_outer_classname = "CsdsProto"; +option java_multiple_files = true; +option java_generic_services = true; +option (udpa.annotations.file_status).package_version_status = NEXT_MAJOR_VERSION_CANDIDATE; + +// [#protodoc-title: Client Status Discovery Service (CSDS)] + +// CSDS is Client Status Discovery Service. It can be used to get the status of +// an xDS-compliant client from the management server's point of view. In the +// future, it can potentially be used as an interface to get the current +// state directly from the client. +service ClientStatusDiscoveryService { + rpc StreamClientStatus(stream ClientStatusRequest) returns (stream ClientStatusResponse) { + } + + rpc FetchClientStatus(ClientStatusRequest) returns (ClientStatusResponse) { + option (google.api.http).post = "/v3/discovery:client_status"; + option (google.api.http).body = "*"; + } +} + +// Status of a config. +enum ConfigStatus { + // Status info is not available/unknown. + UNKNOWN = 0; + + // Management server has sent the config to client and received ACK. + SYNCED = 1; + + // Config is not sent. + NOT_SENT = 2; + + // Management server has sent the config to client but hasn’t received + // ACK/NACK. + STALE = 3; + + // Management server has sent the config to client but received NACK. + ERROR = 4; +} + +// Request for client status of clients identified by a list of NodeMatchers. +message ClientStatusRequest { + option (udpa.annotations.versioning).previous_message_type = + "envoy.service.status.v3.ClientStatusRequest"; + + // Management server can use these match criteria to identify clients. + // The match follows OR semantics. + repeated type.matcher.v4alpha.NodeMatcher node_matchers = 1; +} + +// Detailed config (per xDS) with status. +// [#next-free-field: 6] +message PerXdsConfig { + option (udpa.annotations.versioning).previous_message_type = + "envoy.service.status.v3.PerXdsConfig"; + + ConfigStatus status = 1; + + oneof per_xds_config { + admin.v4alpha.ListenersConfigDump listener_config = 2; + + admin.v4alpha.ClustersConfigDump cluster_config = 3; + + admin.v4alpha.RoutesConfigDump route_config = 4; + + admin.v4alpha.ScopedRoutesConfigDump scoped_route_config = 5; + } +} + +// All xds configs for a particular client. +message ClientConfig { + option (udpa.annotations.versioning).previous_message_type = + "envoy.service.status.v3.ClientConfig"; + + // Node for a particular client. + config.core.v4alpha.Node node = 1; + + repeated PerXdsConfig xds_config = 2; +} + +message ClientStatusResponse { + option (udpa.annotations.versioning).previous_message_type = + "envoy.service.status.v3.ClientStatusResponse"; + + // Client configs for the clients specified in the ClientStatusRequest. + repeated ClientConfig config = 1; +} diff --git a/api/envoy/service/tap/v4alpha/BUILD b/api/envoy/service/tap/v4alpha/BUILD new file mode 100644 index 000000000000..5f75886cd068 --- /dev/null +++ b/api/envoy/service/tap/v4alpha/BUILD @@ -0,0 +1,17 @@ +# DO NOT EDIT. This file is generated by tools/proto_sync.py. + +load("@envoy_api//bazel:api_build_system.bzl", "api_proto_package") + +licenses(["notice"]) # Apache 2 + +api_proto_package( + has_services = True, + deps = [ + "//envoy/config/core/v4alpha:pkg", + "//envoy/config/tap/v4alpha:pkg", + "//envoy/data/tap/v3:pkg", + "//envoy/service/discovery/v3:pkg", + "//envoy/service/tap/v3:pkg", + "@com_github_cncf_udpa//udpa/annotations:pkg", + ], +) diff --git a/api/envoy/service/tap/v4alpha/tap.proto b/api/envoy/service/tap/v4alpha/tap.proto new file mode 100644 index 000000000000..a1654d18bebb --- /dev/null +++ b/api/envoy/service/tap/v4alpha/tap.proto @@ -0,0 +1,64 @@ +syntax = "proto3"; + +package envoy.service.tap.v4alpha; + +import "envoy/config/core/v4alpha/base.proto"; +import "envoy/data/tap/v3/wrapper.proto"; + +import "udpa/annotations/status.proto"; +import "udpa/annotations/versioning.proto"; +import "validate/validate.proto"; + +option java_package = "io.envoyproxy.envoy.service.tap.v4alpha"; +option java_outer_classname = "TapProto"; +option java_multiple_files = true; +option java_generic_services = true; +option (udpa.annotations.file_status).package_version_status = NEXT_MAJOR_VERSION_CANDIDATE; + +// [#protodoc-title: Tap Sink Service] + +// [#not-implemented-hide:] A tap service to receive incoming taps. Envoy will call +// StreamTaps to deliver captured taps to the server +service TapSinkService { + // Envoy will connect and send StreamTapsRequest messages forever. It does not expect any + // response to be sent as nothing would be done in the case of failure. The server should + // disconnect if it expects Envoy to reconnect. + rpc StreamTaps(stream StreamTapsRequest) returns (StreamTapsResponse) { + } +} + +// [#not-implemented-hide:] Stream message for the Tap API. Envoy will open a stream to the server +// and stream taps without ever expecting a response. +message StreamTapsRequest { + option (udpa.annotations.versioning).previous_message_type = + "envoy.service.tap.v3.StreamTapsRequest"; + + message Identifier { + option (udpa.annotations.versioning).previous_message_type = + "envoy.service.tap.v3.StreamTapsRequest.Identifier"; + + // The node sending taps over the stream. + config.core.v4alpha.Node node = 1 [(validate.rules).message = {required: true}]; + + // The opaque identifier that was set in the :ref:`output config + // `. + string tap_id = 2; + } + + // Identifier data effectively is a structured metadata. As a performance optimization this will + // only be sent in the first message on the stream. + Identifier identifier = 1; + + // The trace id. this can be used to merge together a streaming trace. Note that the trace_id + // is not guaranteed to be spatially or temporally unique. + uint64 trace_id = 2; + + // The trace data. + data.tap.v3.TraceWrapper trace = 3; +} + +// [#not-implemented-hide:] +message StreamTapsResponse { + option (udpa.annotations.versioning).previous_message_type = + "envoy.service.tap.v3.StreamTapsResponse"; +} diff --git a/api/envoy/service/tap/v4alpha/tapds.proto b/api/envoy/service/tap/v4alpha/tapds.proto new file mode 100644 index 000000000000..855fde8c8e63 --- /dev/null +++ b/api/envoy/service/tap/v4alpha/tapds.proto @@ -0,0 +1,48 @@ +syntax = "proto3"; + +package envoy.service.tap.v4alpha; + +import "envoy/config/tap/v4alpha/common.proto"; +import "envoy/service/discovery/v3/discovery.proto"; + +import "google/api/annotations.proto"; + +import "udpa/annotations/status.proto"; +import "udpa/annotations/versioning.proto"; +import "validate/validate.proto"; + +option java_package = "io.envoyproxy.envoy.service.tap.v4alpha"; +option java_outer_classname = "TapdsProto"; +option java_multiple_files = true; +option java_generic_services = true; +option (udpa.annotations.file_status).package_version_status = NEXT_MAJOR_VERSION_CANDIDATE; + +// [#protodoc-title: Tap discovery service] + +// [#not-implemented-hide:] Tap discovery service. +service TapDiscoveryService { + rpc StreamTapConfigs(stream discovery.v3.DiscoveryRequest) + returns (stream discovery.v3.DiscoveryResponse) { + } + + rpc DeltaTapConfigs(stream discovery.v3.DeltaDiscoveryRequest) + returns (stream discovery.v3.DeltaDiscoveryResponse) { + } + + rpc FetchTapConfigs(discovery.v3.DiscoveryRequest) returns (discovery.v3.DiscoveryResponse) { + option (google.api.http).post = "/v3/discovery:tap_configs"; + option (google.api.http).body = "*"; + } +} + +// [#not-implemented-hide:] A tap resource is essentially a tap configuration with a name +// The filter TapDS config references this name. +message TapResource { + option (udpa.annotations.versioning).previous_message_type = "envoy.service.tap.v3.TapResource"; + + // The name of the tap configuration. + string name = 1 [(validate.rules).string = {min_bytes: 1}]; + + // Tap config to apply + config.tap.v4alpha.TapConfig config = 2; +} diff --git a/api/envoy/type/matcher/regex.proto b/api/envoy/type/matcher/regex.proto index 78b4a2c1d61e..9e41637ab70c 100644 --- a/api/envoy/type/matcher/regex.proto +++ b/api/envoy/type/matcher/regex.proto @@ -24,7 +24,10 @@ message RegexMatcher { // compiled regex is to evaluate. A regex that has a program size greater than the configured // value will fail to compile. In this case, the configured max program size can be increased // or the regex can be simplified. If not specified, the default is 100. - google.protobuf.UInt32Value max_program_size = 1; + // + // This field is deprecated; regexp validation should be performed on the management server + // instead of being done by each individual client. + google.protobuf.UInt32Value max_program_size = 1 [deprecated = true]; } oneof engine_type { diff --git a/api/envoy/type/matcher/v3/regex.proto b/api/envoy/type/matcher/v3/regex.proto index 393274794abf..e318cb5457d9 100644 --- a/api/envoy/type/matcher/v3/regex.proto +++ b/api/envoy/type/matcher/v3/regex.proto @@ -30,7 +30,10 @@ message RegexMatcher { // compiled regex is to evaluate. A regex that has a program size greater than the configured // value will fail to compile. In this case, the configured max program size can be increased // or the regex can be simplified. If not specified, the default is 100. - google.protobuf.UInt32Value max_program_size = 1; + // + // This field is deprecated; regexp validation should be performed on the management server + // instead of being done by each individual client. + google.protobuf.UInt32Value max_program_size = 1 [deprecated = true]; } oneof engine_type { diff --git a/api/envoy/type/matcher/v4alpha/BUILD b/api/envoy/type/matcher/v4alpha/BUILD new file mode 100644 index 000000000000..e63f52b2baa5 --- /dev/null +++ b/api/envoy/type/matcher/v4alpha/BUILD @@ -0,0 +1,14 @@ +# DO NOT EDIT. This file is generated by tools/proto_sync.py. + +load("@envoy_api//bazel:api_build_system.bzl", "api_proto_package") + +licenses(["notice"]) # Apache 2 + +api_proto_package( + deps = [ + "//envoy/annotations:pkg", + "//envoy/type/matcher/v3:pkg", + "//envoy/type/v3:pkg", + "@com_github_cncf_udpa//udpa/annotations:pkg", + ], +) diff --git a/api/envoy/type/matcher/v4alpha/metadata.proto b/api/envoy/type/matcher/v4alpha/metadata.proto new file mode 100644 index 000000000000..8abe14e7b667 --- /dev/null +++ b/api/envoy/type/matcher/v4alpha/metadata.proto @@ -0,0 +1,105 @@ +syntax = "proto3"; + +package envoy.type.matcher.v4alpha; + +import "envoy/type/matcher/v4alpha/value.proto"; + +import "udpa/annotations/status.proto"; +import "udpa/annotations/versioning.proto"; +import "validate/validate.proto"; + +option java_package = "io.envoyproxy.envoy.type.matcher.v4alpha"; +option java_outer_classname = "MetadataProto"; +option java_multiple_files = true; +option (udpa.annotations.file_status).package_version_status = NEXT_MAJOR_VERSION_CANDIDATE; + +// [#protodoc-title: Metadata matcher] + +// MetadataMatcher provides a general interface to check if a given value is matched in +// :ref:`Metadata `. It uses `filter` and `path` to retrieve the value +// from the Metadata and then check if it's matched to the specified value. +// +// For example, for the following Metadata: +// +// .. code-block:: yaml +// +// filter_metadata: +// envoy.filters.http.rbac: +// fields: +// a: +// struct_value: +// fields: +// b: +// struct_value: +// fields: +// c: +// string_value: pro +// t: +// list_value: +// values: +// - string_value: m +// - string_value: n +// +// The following MetadataMatcher is matched as the path [a, b, c] will retrieve a string value "pro" +// from the Metadata which is matched to the specified prefix match. +// +// .. code-block:: yaml +// +// filter: envoy.filters.http.rbac +// path: +// - key: a +// - key: b +// - key: c +// value: +// string_match: +// prefix: pr +// +// The following MetadataMatcher is matched as the code will match one of the string values in the +// list at the path [a, t]. +// +// .. code-block:: yaml +// +// filter: envoy.filters.http.rbac +// path: +// - key: a +// - key: t +// value: +// list_match: +// one_of: +// string_match: +// exact: m +// +// An example use of MetadataMatcher is specifying additional metadata in envoy.filters.http.rbac to +// enforce access control based on dynamic metadata in a request. See :ref:`Permission +// ` and :ref:`Principal +// `. + +// [#next-major-version: MetadataMatcher should use StructMatcher] +message MetadataMatcher { + option (udpa.annotations.versioning).previous_message_type = + "envoy.type.matcher.v3.MetadataMatcher"; + + // Specifies the segment in a path to retrieve value from Metadata. + // Note: Currently it's not supported to retrieve a value from a list in Metadata. This means that + // if the segment key refers to a list, it has to be the last segment in a path. + message PathSegment { + option (udpa.annotations.versioning).previous_message_type = + "envoy.type.matcher.v3.MetadataMatcher.PathSegment"; + + oneof segment { + option (validate.required) = true; + + // If specified, use the key to retrieve the value in a Struct. + string key = 1 [(validate.rules).string = {min_bytes: 1}]; + } + } + + // The filter name to retrieve the Struct from the Metadata. + string filter = 1 [(validate.rules).string = {min_bytes: 1}]; + + // The path to retrieve the Value from the Struct. + repeated PathSegment path = 2 [(validate.rules).repeated = {min_items: 1}]; + + // The MetadataMatcher is matched if the value retrieved by path is matched to this value. + ValueMatcher value = 3 [(validate.rules).message = {required: true}]; +} diff --git a/api/envoy/type/matcher/v4alpha/node.proto b/api/envoy/type/matcher/v4alpha/node.proto new file mode 100644 index 000000000000..a74bf808f05a --- /dev/null +++ b/api/envoy/type/matcher/v4alpha/node.proto @@ -0,0 +1,28 @@ +syntax = "proto3"; + +package envoy.type.matcher.v4alpha; + +import "envoy/type/matcher/v4alpha/string.proto"; +import "envoy/type/matcher/v4alpha/struct.proto"; + +import "udpa/annotations/status.proto"; +import "udpa/annotations/versioning.proto"; + +option java_package = "io.envoyproxy.envoy.type.matcher.v4alpha"; +option java_outer_classname = "NodeProto"; +option java_multiple_files = true; +option (udpa.annotations.file_status).package_version_status = NEXT_MAJOR_VERSION_CANDIDATE; + +// [#protodoc-title: Node matcher] + +// Specifies the way to match a Node. +// The match follows AND semantics. +message NodeMatcher { + option (udpa.annotations.versioning).previous_message_type = "envoy.type.matcher.v3.NodeMatcher"; + + // Specifies match criteria on the node id. + StringMatcher node_id = 1; + + // Specifies match criteria on the node metadata. + repeated StructMatcher node_metadatas = 2; +} diff --git a/api/envoy/type/matcher/v4alpha/number.proto b/api/envoy/type/matcher/v4alpha/number.proto new file mode 100644 index 000000000000..b168af19ab50 --- /dev/null +++ b/api/envoy/type/matcher/v4alpha/number.proto @@ -0,0 +1,33 @@ +syntax = "proto3"; + +package envoy.type.matcher.v4alpha; + +import "envoy/type/v3/range.proto"; + +import "udpa/annotations/status.proto"; +import "udpa/annotations/versioning.proto"; +import "validate/validate.proto"; + +option java_package = "io.envoyproxy.envoy.type.matcher.v4alpha"; +option java_outer_classname = "NumberProto"; +option java_multiple_files = true; +option (udpa.annotations.file_status).package_version_status = NEXT_MAJOR_VERSION_CANDIDATE; + +// [#protodoc-title: Number matcher] + +// Specifies the way to match a double value. +message DoubleMatcher { + option (udpa.annotations.versioning).previous_message_type = + "envoy.type.matcher.v3.DoubleMatcher"; + + oneof match_pattern { + option (validate.required) = true; + + // If specified, the input double value must be in the range specified here. + // Note: The range is using half-open interval semantics [start, end). + v3.DoubleRange range = 1; + + // If specified, the input double value must be equal to the value specified here. + double exact = 2; + } +} diff --git a/api/envoy/type/matcher/v4alpha/path.proto b/api/envoy/type/matcher/v4alpha/path.proto new file mode 100644 index 000000000000..9150939bf2ee --- /dev/null +++ b/api/envoy/type/matcher/v4alpha/path.proto @@ -0,0 +1,30 @@ +syntax = "proto3"; + +package envoy.type.matcher.v4alpha; + +import "envoy/type/matcher/v4alpha/string.proto"; + +import "udpa/annotations/status.proto"; +import "udpa/annotations/versioning.proto"; +import "validate/validate.proto"; + +option java_package = "io.envoyproxy.envoy.type.matcher.v4alpha"; +option java_outer_classname = "PathProto"; +option java_multiple_files = true; +option (udpa.annotations.file_status).package_version_status = NEXT_MAJOR_VERSION_CANDIDATE; + +// [#protodoc-title: Path matcher] + +// Specifies the way to match a path on HTTP request. +message PathMatcher { + option (udpa.annotations.versioning).previous_message_type = "envoy.type.matcher.v3.PathMatcher"; + + oneof rule { + option (validate.required) = true; + + // The `path` must match the URL path portion of the :path header. The query and fragment + // string (if present) are removed in the URL path portion. + // For example, the path */data* will match the *:path* header */data#fragment?param=value*. + StringMatcher path = 1 [(validate.rules).message = {required: true}]; + } +} diff --git a/api/envoy/type/matcher/v4alpha/regex.proto b/api/envoy/type/matcher/v4alpha/regex.proto new file mode 100644 index 000000000000..f94a85e778e4 --- /dev/null +++ b/api/envoy/type/matcher/v4alpha/regex.proto @@ -0,0 +1,72 @@ +syntax = "proto3"; + +package envoy.type.matcher.v4alpha; + +import "google/protobuf/wrappers.proto"; + +import "udpa/annotations/status.proto"; +import "udpa/annotations/versioning.proto"; +import "validate/validate.proto"; + +option java_package = "io.envoyproxy.envoy.type.matcher.v4alpha"; +option java_outer_classname = "RegexProto"; +option java_multiple_files = true; +option (udpa.annotations.file_status).package_version_status = NEXT_MAJOR_VERSION_CANDIDATE; + +// [#protodoc-title: Regex matcher] + +// A regex matcher designed for safety when used with untrusted input. +message RegexMatcher { + option (udpa.annotations.versioning).previous_message_type = "envoy.type.matcher.v3.RegexMatcher"; + + // Google's `RE2 `_ regex engine. The regex string must adhere to + // the documented `syntax `_. The engine is designed + // to complete execution in linear time as well as limit the amount of memory used. + message GoogleRE2 { + option (udpa.annotations.versioning).previous_message_type = + "envoy.type.matcher.v3.RegexMatcher.GoogleRE2"; + + reserved 1; + + reserved "max_program_size"; + } + + oneof engine_type { + option (validate.required) = true; + + // Google's RE2 regex engine. + GoogleRE2 google_re2 = 1 [(validate.rules).message = {required: true}]; + } + + // The regex match string. The string must be supported by the configured engine. + string regex = 2 [(validate.rules).string = {min_bytes: 1}]; +} + +// Describes how to match a string and then produce a new string using a regular +// expression and a substitution string. +message RegexMatchAndSubstitute { + option (udpa.annotations.versioning).previous_message_type = + "envoy.type.matcher.v3.RegexMatchAndSubstitute"; + + // The regular expression used to find portions of a string (hereafter called + // the "subject string") that should be replaced. When a new string is + // produced during the substitution operation, the new string is initially + // the same as the subject string, but then all matches in the subject string + // are replaced by the substitution string. If replacing all matches isn't + // desired, regular expression anchors can be used to ensure a single match, + // so as to replace just one occurrence of a pattern. Capture groups can be + // used in the pattern to extract portions of the subject string, and then + // referenced in the substitution string. + RegexMatcher pattern = 1; + + // The string that should be substituted into matching portions of the + // subject string during a substitution operation to produce a new string. + // Capture groups in the pattern can be referenced in the substitution + // string. Note, however, that the syntax for referring to capture groups is + // defined by the chosen regular expression engine. Google's `RE2 + // `_ regular expression engine uses a + // backslash followed by the capture group number to denote a numbered + // capture group. E.g., ``\1`` refers to capture group 1, and ``\2`` refers + // to capture group 2. + string substitution = 2; +} diff --git a/api/envoy/type/matcher/v4alpha/string.proto b/api/envoy/type/matcher/v4alpha/string.proto new file mode 100644 index 000000000000..8ce0b12f9e2a --- /dev/null +++ b/api/envoy/type/matcher/v4alpha/string.proto @@ -0,0 +1,71 @@ +syntax = "proto3"; + +package envoy.type.matcher.v4alpha; + +import "envoy/type/matcher/v4alpha/regex.proto"; + +import "envoy/annotations/deprecation.proto"; +import "udpa/annotations/status.proto"; +import "udpa/annotations/versioning.proto"; +import "validate/validate.proto"; + +option java_package = "io.envoyproxy.envoy.type.matcher.v4alpha"; +option java_outer_classname = "StringProto"; +option java_multiple_files = true; +option (udpa.annotations.file_status).package_version_status = NEXT_MAJOR_VERSION_CANDIDATE; + +// [#protodoc-title: String matcher] + +// Specifies the way to match a string. +// [#next-free-field: 7] +message StringMatcher { + option (udpa.annotations.versioning).previous_message_type = + "envoy.type.matcher.v3.StringMatcher"; + + reserved 4; + + reserved "regex"; + + oneof match_pattern { + option (validate.required) = true; + + // The input string must match exactly the string specified here. + // + // Examples: + // + // * *abc* only matches the value *abc*. + string exact = 1; + + // The input string must have the prefix specified here. + // Note: empty prefix is not allowed, please use regex instead. + // + // Examples: + // + // * *abc* matches the value *abc.xyz* + string prefix = 2 [(validate.rules).string = {min_bytes: 1}]; + + // The input string must have the suffix specified here. + // Note: empty prefix is not allowed, please use regex instead. + // + // Examples: + // + // * *abc* matches the value *xyz.abc* + string suffix = 3 [(validate.rules).string = {min_bytes: 1}]; + + // The input string must match the regular expression specified here. + RegexMatcher safe_regex = 5 [(validate.rules).message = {required: true}]; + } + + // If true, indicates the exact/prefix/suffix matching should be case insensitive. This has no + // effect for the safe_regex match. + // For example, the matcher *data* will match both input string *Data* and *data* if set to true. + bool ignore_case = 6; +} + +// Specifies a list of ways to match a string. +message ListStringMatcher { + option (udpa.annotations.versioning).previous_message_type = + "envoy.type.matcher.v3.ListStringMatcher"; + + repeated StringMatcher patterns = 1 [(validate.rules).repeated = {min_items: 1}]; +} diff --git a/api/envoy/type/matcher/v4alpha/struct.proto b/api/envoy/type/matcher/v4alpha/struct.proto new file mode 100644 index 000000000000..643cc5a47570 --- /dev/null +++ b/api/envoy/type/matcher/v4alpha/struct.proto @@ -0,0 +1,91 @@ +syntax = "proto3"; + +package envoy.type.matcher.v4alpha; + +import "envoy/type/matcher/v4alpha/value.proto"; + +import "udpa/annotations/status.proto"; +import "udpa/annotations/versioning.proto"; +import "validate/validate.proto"; + +option java_package = "io.envoyproxy.envoy.type.matcher.v4alpha"; +option java_outer_classname = "StructProto"; +option java_multiple_files = true; +option (udpa.annotations.file_status).package_version_status = NEXT_MAJOR_VERSION_CANDIDATE; + +// [#protodoc-title: Struct matcher] + +// StructMatcher provides a general interface to check if a given value is matched in +// google.protobuf.Struct. It uses `path` to retrieve the value +// from the struct and then check if it's matched to the specified value. +// +// For example, for the following Struct: +// +// .. code-block:: yaml +// +// fields: +// a: +// struct_value: +// fields: +// b: +// struct_value: +// fields: +// c: +// string_value: pro +// t: +// list_value: +// values: +// - string_value: m +// - string_value: n +// +// The following MetadataMatcher is matched as the path [a, b, c] will retrieve a string value "pro" +// from the Metadata which is matched to the specified prefix match. +// +// .. code-block:: yaml +// +// path: +// - key: a +// - key: b +// - key: c +// value: +// string_match: +// prefix: pr +// +// The following StructMatcher is matched as the code will match one of the string values in the +// list at the path [a, t]. +// +// .. code-block:: yaml +// +// path: +// - key: a +// - key: t +// value: +// list_match: +// one_of: +// string_match: +// exact: m +// +// An example use of StructMatcher is to match metadata in envoy.v*.core.Node. +message StructMatcher { + option (udpa.annotations.versioning).previous_message_type = + "envoy.type.matcher.v3.StructMatcher"; + + // Specifies the segment in a path to retrieve value from Struct. + message PathSegment { + option (udpa.annotations.versioning).previous_message_type = + "envoy.type.matcher.v3.StructMatcher.PathSegment"; + + oneof segment { + option (validate.required) = true; + + // If specified, use the key to retrieve the value in a Struct. + string key = 1 [(validate.rules).string = {min_bytes: 1}]; + } + } + + // The path to retrieve the Value from the Struct. + repeated PathSegment path = 2 [(validate.rules).repeated = {min_items: 1}]; + + // The StructMatcher is matched if the value retrieved by path is matched to this value. + ValueMatcher value = 3 [(validate.rules).message = {required: true}]; +} diff --git a/api/envoy/type/matcher/v4alpha/value.proto b/api/envoy/type/matcher/v4alpha/value.proto new file mode 100644 index 000000000000..6e509d460109 --- /dev/null +++ b/api/envoy/type/matcher/v4alpha/value.proto @@ -0,0 +1,71 @@ +syntax = "proto3"; + +package envoy.type.matcher.v4alpha; + +import "envoy/type/matcher/v4alpha/number.proto"; +import "envoy/type/matcher/v4alpha/string.proto"; + +import "udpa/annotations/status.proto"; +import "udpa/annotations/versioning.proto"; +import "validate/validate.proto"; + +option java_package = "io.envoyproxy.envoy.type.matcher.v4alpha"; +option java_outer_classname = "ValueProto"; +option java_multiple_files = true; +option (udpa.annotations.file_status).package_version_status = NEXT_MAJOR_VERSION_CANDIDATE; + +// [#protodoc-title: Value matcher] + +// Specifies the way to match a ProtobufWkt::Value. Primitive values and ListValue are supported. +// StructValue is not supported and is always not matched. +// [#next-free-field: 7] +message ValueMatcher { + option (udpa.annotations.versioning).previous_message_type = "envoy.type.matcher.v3.ValueMatcher"; + + // NullMatch is an empty message to specify a null value. + message NullMatch { + option (udpa.annotations.versioning).previous_message_type = + "envoy.type.matcher.v3.ValueMatcher.NullMatch"; + } + + // Specifies how to match a value. + oneof match_pattern { + option (validate.required) = true; + + // If specified, a match occurs if and only if the target value is a NullValue. + NullMatch null_match = 1; + + // If specified, a match occurs if and only if the target value is a double value and is + // matched to this field. + DoubleMatcher double_match = 2; + + // If specified, a match occurs if and only if the target value is a string value and is + // matched to this field. + StringMatcher string_match = 3; + + // If specified, a match occurs if and only if the target value is a bool value and is equal + // to this field. + bool bool_match = 4; + + // If specified, value match will be performed based on whether the path is referring to a + // valid primitive value in the metadata. If the path is referring to a non-primitive value, + // the result is always not matched. + bool present_match = 5; + + // If specified, a match occurs if and only if the target value is a list value and + // is matched to this field. + ListMatcher list_match = 6; + } +} + +// Specifies the way to match a list value. +message ListMatcher { + option (udpa.annotations.versioning).previous_message_type = "envoy.type.matcher.v3.ListMatcher"; + + oneof match_pattern { + option (validate.required) = true; + + // If specified, at least one of the values in the list must match the value specified. + ValueMatcher one_of = 1; + } +} diff --git a/docs/root/version_history/current.rst b/docs/root/version_history/current.rst index d2fd148d8a5a..d84e96c048db 100644 --- a/docs/root/version_history/current.rst +++ b/docs/root/version_history/current.rst @@ -47,3 +47,6 @@ Deprecated * Tracing provider configuration as part of :ref:`bootstrap config ` has been deprecated in favor of configuration as part of :ref:`HTTP connection manager `. +* The * :ref:`GoogleRE2.max_program_size` + field is now deprecated. Management servers are expected to validate regexp program sizes + instead of expecting the client to do it. diff --git a/generated_api_shadow/envoy/admin/v4alpha/BUILD b/generated_api_shadow/envoy/admin/v4alpha/BUILD index 6da5b60bad28..d64c4f6a0816 100644 --- a/generated_api_shadow/envoy/admin/v4alpha/BUILD +++ b/generated_api_shadow/envoy/admin/v4alpha/BUILD @@ -10,7 +10,7 @@ api_proto_package( "//envoy/annotations:pkg", "//envoy/config/bootstrap/v4alpha:pkg", "//envoy/config/core/v4alpha:pkg", - "//envoy/config/tap/v3:pkg", + "//envoy/config/tap/v4alpha:pkg", "//envoy/type/v3:pkg", "@com_github_cncf_udpa//udpa/annotations:pkg", ], diff --git a/generated_api_shadow/envoy/admin/v4alpha/tap.proto b/generated_api_shadow/envoy/admin/v4alpha/tap.proto index c47b308d6ee6..039dfcfeb812 100644 --- a/generated_api_shadow/envoy/admin/v4alpha/tap.proto +++ b/generated_api_shadow/envoy/admin/v4alpha/tap.proto @@ -2,7 +2,7 @@ syntax = "proto3"; package envoy.admin.v4alpha; -import "envoy/config/tap/v3/common.proto"; +import "envoy/config/tap/v4alpha/common.proto"; import "udpa/annotations/status.proto"; import "udpa/annotations/versioning.proto"; @@ -24,5 +24,5 @@ message TapRequest { string config_id = 1 [(validate.rules).string = {min_bytes: 1}]; // The tap configuration to load. - config.tap.v3.TapConfig tap_config = 2 [(validate.rules).message = {required: true}]; + config.tap.v4alpha.TapConfig tap_config = 2 [(validate.rules).message = {required: true}]; } diff --git a/generated_api_shadow/envoy/config/accesslog/v4alpha/BUILD b/generated_api_shadow/envoy/config/accesslog/v4alpha/BUILD new file mode 100644 index 000000000000..4ed75a69ea09 --- /dev/null +++ b/generated_api_shadow/envoy/config/accesslog/v4alpha/BUILD @@ -0,0 +1,15 @@ +# DO NOT EDIT. This file is generated by tools/proto_sync.py. + +load("@envoy_api//bazel:api_build_system.bzl", "api_proto_package") + +licenses(["notice"]) # Apache 2 + +api_proto_package( + deps = [ + "//envoy/config/accesslog/v3:pkg", + "//envoy/config/core/v4alpha:pkg", + "//envoy/config/route/v4alpha:pkg", + "//envoy/type/v3:pkg", + "@com_github_cncf_udpa//udpa/annotations:pkg", + ], +) diff --git a/generated_api_shadow/envoy/config/accesslog/v4alpha/accesslog.proto b/generated_api_shadow/envoy/config/accesslog/v4alpha/accesslog.proto new file mode 100644 index 000000000000..56911ca19185 --- /dev/null +++ b/generated_api_shadow/envoy/config/accesslog/v4alpha/accesslog.proto @@ -0,0 +1,298 @@ +syntax = "proto3"; + +package envoy.config.accesslog.v4alpha; + +import "envoy/config/core/v4alpha/base.proto"; +import "envoy/config/route/v4alpha/route_components.proto"; +import "envoy/type/v3/percent.proto"; + +import "google/protobuf/any.proto"; +import "google/protobuf/struct.proto"; + +import "udpa/annotations/status.proto"; +import "udpa/annotations/versioning.proto"; +import "validate/validate.proto"; + +option java_package = "io.envoyproxy.envoy.config.accesslog.v4alpha"; +option java_outer_classname = "AccesslogProto"; +option java_multiple_files = true; +option (udpa.annotations.file_status).package_version_status = NEXT_MAJOR_VERSION_CANDIDATE; + +// [#protodoc-title: Common access log types] + +message AccessLog { + option (udpa.annotations.versioning).previous_message_type = + "envoy.config.accesslog.v3.AccessLog"; + + reserved 3; + + reserved "config"; + + // The name of the access log implementation to instantiate. The name must + // match a statically registered access log. Current built-in loggers include: + // + // #. "envoy.access_loggers.file" + // #. "envoy.access_loggers.http_grpc" + // #. "envoy.access_loggers.tcp_grpc" + string name = 1; + + // Filter which is used to determine if the access log needs to be written. + AccessLogFilter filter = 2; + + // Custom configuration that depends on the access log being instantiated. Built-in + // configurations include: + // + // #. "envoy.access_loggers.file": :ref:`FileAccessLog + // ` + // #. "envoy.access_loggers.http_grpc": :ref:`HttpGrpcAccessLogConfig + // ` + // #. "envoy.access_loggers.tcp_grpc": :ref:`TcpGrpcAccessLogConfig + // ` + oneof config_type { + google.protobuf.Any typed_config = 4; + } +} + +// [#next-free-field: 12] +message AccessLogFilter { + option (udpa.annotations.versioning).previous_message_type = + "envoy.config.accesslog.v3.AccessLogFilter"; + + oneof filter_specifier { + option (validate.required) = true; + + // Status code filter. + StatusCodeFilter status_code_filter = 1; + + // Duration filter. + DurationFilter duration_filter = 2; + + // Not health check filter. + NotHealthCheckFilter not_health_check_filter = 3; + + // Traceable filter. + TraceableFilter traceable_filter = 4; + + // Runtime filter. + RuntimeFilter runtime_filter = 5; + + // And filter. + AndFilter and_filter = 6; + + // Or filter. + OrFilter or_filter = 7; + + // Header filter. + HeaderFilter header_filter = 8; + + // Response flag filter. + ResponseFlagFilter response_flag_filter = 9; + + // gRPC status filter. + GrpcStatusFilter grpc_status_filter = 10; + + // Extension filter. + ExtensionFilter extension_filter = 11; + } +} + +// Filter on an integer comparison. +message ComparisonFilter { + option (udpa.annotations.versioning).previous_message_type = + "envoy.config.accesslog.v3.ComparisonFilter"; + + enum Op { + // = + EQ = 0; + + // >= + GE = 1; + + // <= + LE = 2; + } + + // Comparison operator. + Op op = 1 [(validate.rules).enum = {defined_only: true}]; + + // Value to compare against. + core.v4alpha.RuntimeUInt32 value = 2; +} + +// Filters on HTTP response/status code. +message StatusCodeFilter { + option (udpa.annotations.versioning).previous_message_type = + "envoy.config.accesslog.v3.StatusCodeFilter"; + + // Comparison. + ComparisonFilter comparison = 1 [(validate.rules).message = {required: true}]; +} + +// Filters on total request duration in milliseconds. +message DurationFilter { + option (udpa.annotations.versioning).previous_message_type = + "envoy.config.accesslog.v3.DurationFilter"; + + // Comparison. + ComparisonFilter comparison = 1 [(validate.rules).message = {required: true}]; +} + +// Filters for requests that are not health check requests. A health check +// request is marked by the health check filter. +message NotHealthCheckFilter { + option (udpa.annotations.versioning).previous_message_type = + "envoy.config.accesslog.v3.NotHealthCheckFilter"; +} + +// Filters for requests that are traceable. See the tracing overview for more +// information on how a request becomes traceable. +message TraceableFilter { + option (udpa.annotations.versioning).previous_message_type = + "envoy.config.accesslog.v3.TraceableFilter"; +} + +// Filters for random sampling of requests. +message RuntimeFilter { + option (udpa.annotations.versioning).previous_message_type = + "envoy.config.accesslog.v3.RuntimeFilter"; + + // Runtime key to get an optional overridden numerator for use in the *percent_sampled* field. + // If found in runtime, this value will replace the default numerator. + string runtime_key = 1 [(validate.rules).string = {min_bytes: 1}]; + + // The default sampling percentage. If not specified, defaults to 0% with denominator of 100. + type.v3.FractionalPercent percent_sampled = 2; + + // By default, sampling pivots on the header + // :ref:`x-request-id` being present. If + // :ref:`x-request-id` is present, the filter will + // consistently sample across multiple hosts based on the runtime key value and the value + // extracted from :ref:`x-request-id`. If it is + // missing, or *use_independent_randomness* is set to true, the filter will randomly sample based + // on the runtime key value alone. *use_independent_randomness* can be used for logging kill + // switches within complex nested :ref:`AndFilter + // ` and :ref:`OrFilter + // ` blocks that are easier to reason about + // from a probability perspective (i.e., setting to true will cause the filter to behave like + // an independent random variable when composed within logical operator filters). + bool use_independent_randomness = 3; +} + +// Performs a logical “and” operation on the result of each filter in filters. +// Filters are evaluated sequentially and if one of them returns false, the +// filter returns false immediately. +message AndFilter { + option (udpa.annotations.versioning).previous_message_type = + "envoy.config.accesslog.v3.AndFilter"; + + repeated AccessLogFilter filters = 1 [(validate.rules).repeated = {min_items: 2}]; +} + +// Performs a logical “or” operation on the result of each individual filter. +// Filters are evaluated sequentially and if one of them returns true, the +// filter returns true immediately. +message OrFilter { + option (udpa.annotations.versioning).previous_message_type = "envoy.config.accesslog.v3.OrFilter"; + + repeated AccessLogFilter filters = 2 [(validate.rules).repeated = {min_items: 2}]; +} + +// Filters requests based on the presence or value of a request header. +message HeaderFilter { + option (udpa.annotations.versioning).previous_message_type = + "envoy.config.accesslog.v3.HeaderFilter"; + + // Only requests with a header which matches the specified HeaderMatcher will pass the filter + // check. + route.v4alpha.HeaderMatcher header = 1 [(validate.rules).message = {required: true}]; +} + +// Filters requests that received responses with an Envoy response flag set. +// A list of the response flags can be found +// in the access log formatter :ref:`documentation`. +message ResponseFlagFilter { + option (udpa.annotations.versioning).previous_message_type = + "envoy.config.accesslog.v3.ResponseFlagFilter"; + + // Only responses with the any of the flags listed in this field will be logged. + // This field is optional. If it is not specified, then any response flag will pass + // the filter check. + repeated string flags = 1 [(validate.rules).repeated = { + items { + string { + in: "LH" + in: "UH" + in: "UT" + in: "LR" + in: "UR" + in: "UF" + in: "UC" + in: "UO" + in: "NR" + in: "DI" + in: "FI" + in: "RL" + in: "UAEX" + in: "RLSE" + in: "DC" + in: "URX" + in: "SI" + in: "IH" + in: "DPE" + } + } + }]; +} + +// Filters gRPC requests based on their response status. If a gRPC status is not provided, the +// filter will infer the status from the HTTP status code. +message GrpcStatusFilter { + option (udpa.annotations.versioning).previous_message_type = + "envoy.config.accesslog.v3.GrpcStatusFilter"; + + enum Status { + OK = 0; + CANCELED = 1; + UNKNOWN = 2; + INVALID_ARGUMENT = 3; + DEADLINE_EXCEEDED = 4; + NOT_FOUND = 5; + ALREADY_EXISTS = 6; + PERMISSION_DENIED = 7; + RESOURCE_EXHAUSTED = 8; + FAILED_PRECONDITION = 9; + ABORTED = 10; + OUT_OF_RANGE = 11; + UNIMPLEMENTED = 12; + INTERNAL = 13; + UNAVAILABLE = 14; + DATA_LOSS = 15; + UNAUTHENTICATED = 16; + } + + // Logs only responses that have any one of the gRPC statuses in this field. + repeated Status statuses = 1 [(validate.rules).repeated = {items {enum {defined_only: true}}}]; + + // If included and set to true, the filter will instead block all responses with a gRPC status or + // inferred gRPC status enumerated in statuses, and allow all other responses. + bool exclude = 2; +} + +// Extension filter is statically registered at runtime. +message ExtensionFilter { + option (udpa.annotations.versioning).previous_message_type = + "envoy.config.accesslog.v3.ExtensionFilter"; + + reserved 2; + + reserved "config"; + + // The name of the filter implementation to instantiate. The name must + // match a statically registered filter. + string name = 1; + + // Custom configuration that depends on the filter being instantiated. + oneof config_type { + google.protobuf.Any typed_config = 3; + } +} diff --git a/generated_api_shadow/envoy/config/bootstrap/v4alpha/BUILD b/generated_api_shadow/envoy/config/bootstrap/v4alpha/BUILD index 005603632b4c..eb87a71ad68e 100644 --- a/generated_api_shadow/envoy/config/bootstrap/v4alpha/BUILD +++ b/generated_api_shadow/envoy/config/bootstrap/v4alpha/BUILD @@ -10,8 +10,8 @@ api_proto_package( "//envoy/config/bootstrap/v3:pkg", "//envoy/config/cluster/v4alpha:pkg", "//envoy/config/core/v4alpha:pkg", - "//envoy/config/listener/v3:pkg", - "//envoy/config/metrics/v3:pkg", + "//envoy/config/listener/v4alpha:pkg", + "//envoy/config/metrics/v4alpha:pkg", "//envoy/config/overload/v3:pkg", "//envoy/config/trace/v4alpha:pkg", "//envoy/extensions/transport_sockets/tls/v4alpha:pkg", diff --git a/generated_api_shadow/envoy/config/bootstrap/v4alpha/bootstrap.proto b/generated_api_shadow/envoy/config/bootstrap/v4alpha/bootstrap.proto index b9086b771981..cd05d6f4e46d 100644 --- a/generated_api_shadow/envoy/config/bootstrap/v4alpha/bootstrap.proto +++ b/generated_api_shadow/envoy/config/bootstrap/v4alpha/bootstrap.proto @@ -8,8 +8,8 @@ import "envoy/config/core/v4alpha/base.proto"; import "envoy/config/core/v4alpha/config_source.proto"; import "envoy/config/core/v4alpha/event_service_config.proto"; import "envoy/config/core/v4alpha/socket_option.proto"; -import "envoy/config/listener/v3/listener.proto"; -import "envoy/config/metrics/v3/stats.proto"; +import "envoy/config/listener/v4alpha/listener.proto"; +import "envoy/config/metrics/v4alpha/stats.proto"; import "envoy/config/overload/v3/overload.proto"; import "envoy/config/trace/v4alpha/http_tracer.proto"; import "envoy/extensions/transport_sockets/tls/v4alpha/secret.proto"; @@ -43,9 +43,9 @@ message Bootstrap { option (udpa.annotations.versioning).previous_message_type = "envoy.config.bootstrap.v3.Bootstrap.StaticResources"; - // Static :ref:`Listeners `. These listeners are + // Static :ref:`Listeners `. These listeners are // available regardless of LDS configuration. - repeated listener.v3.Listener listeners = 1; + repeated listener.v4alpha.Listener listeners = 1; // If a network based configuration source is specified for :ref:`cds_config // `, it's necessary @@ -66,7 +66,7 @@ message Bootstrap { reserved 4; - // All :ref:`Listeners ` are provided by a single + // All :ref:`Listeners ` are provided by a single // :ref:`LDS ` configuration source. core.v4alpha.ConfigSource lds_config = 1; @@ -111,10 +111,10 @@ message Bootstrap { string flags_path = 5; // Optional set of stats sinks. - repeated metrics.v3.StatsSink stats_sinks = 6; + repeated metrics.v4alpha.StatsSink stats_sinks = 6; // Configuration for internal processing of stats. - metrics.v3.StatsConfig stats_config = 13; + metrics.v4alpha.StatsConfig stats_config = 13; // Optional duration between flushes to configured stats sinks. For // performance reasons Envoy latches counters and only flushes counters and @@ -150,7 +150,7 @@ message Bootstrap { // Enable :ref:`stats for event dispatcher `, defaults to false. // Note that this records a value for each iteration of the event loop on every thread. This // should normally be minimal overhead, but when using - // :ref:`statsd `, it will send each observed value + // :ref:`statsd `, it will send each observed value // over the wire individually because the statsd protocol doesn't have any way to represent a // histogram summary. Be aware that this can be a very large volume of data. bool enable_dispatcher_stats = 16; @@ -168,7 +168,7 @@ message Bootstrap { // Optional proxy version which will be used to set the value of :ref:`server.version statistic // ` if specified. Envoy will not process this value, it will be sent as is to - // :ref:`stats sinks `. + // :ref:`stats sinks `. google.protobuf.UInt64Value stats_server_version_override = 19; // Always use TCP queries instead of UDP queries for DNS lookups. diff --git a/generated_api_shadow/envoy/config/core/v4alpha/BUILD b/generated_api_shadow/envoy/config/core/v4alpha/BUILD index aeac38ac2833..ef6414dadc09 100644 --- a/generated_api_shadow/envoy/config/core/v4alpha/BUILD +++ b/generated_api_shadow/envoy/config/core/v4alpha/BUILD @@ -8,7 +8,7 @@ api_proto_package( deps = [ "//envoy/annotations:pkg", "//envoy/config/core/v3:pkg", - "//envoy/type/matcher/v3:pkg", + "//envoy/type/matcher/v4alpha:pkg", "//envoy/type/v3:pkg", "@com_github_cncf_udpa//udpa/annotations:pkg", ], diff --git a/generated_api_shadow/envoy/config/core/v4alpha/address.proto b/generated_api_shadow/envoy/config/core/v4alpha/address.proto index a2e6070103ae..ffade4bed75b 100644 --- a/generated_api_shadow/envoy/config/core/v4alpha/address.proto +++ b/generated_api_shadow/envoy/config/core/v4alpha/address.proto @@ -45,7 +45,7 @@ message SocketAddress { // to the address. An empty address is not allowed. Specify ``0.0.0.0`` or ``::`` // to bind to any address. [#comment:TODO(zuercher) reinstate when implemented: // It is possible to distinguish a Listener address via the prefix/suffix matching - // in :ref:`FilterChainMatch `.] When used + // in :ref:`FilterChainMatch `.] When used // within an upstream :ref:`BindConfig `, the address // controls the source address of outbound connections. For :ref:`clusters // `, the cluster type determines whether the diff --git a/generated_api_shadow/envoy/config/core/v4alpha/health_check.proto b/generated_api_shadow/envoy/config/core/v4alpha/health_check.proto index 7f823da97c5e..39badc334b01 100644 --- a/generated_api_shadow/envoy/config/core/v4alpha/health_check.proto +++ b/generated_api_shadow/envoy/config/core/v4alpha/health_check.proto @@ -4,7 +4,7 @@ package envoy.config.core.v4alpha; import "envoy/config/core/v4alpha/base.proto"; import "envoy/config/core/v4alpha/event_service_config.proto"; -import "envoy/type/matcher/v3/string.proto"; +import "envoy/type/matcher/v4alpha/string.proto"; import "envoy/type/v3/http.proto"; import "envoy/type/v3/range.proto"; @@ -125,9 +125,9 @@ message HealthCheck { // An optional service name parameter which is used to validate the identity of // the health checked cluster using a :ref:`StringMatcher - // `. See the :ref:`architecture overview + // `. See the :ref:`architecture overview // ` for more information. - type.matcher.v3.StringMatcher service_name_matcher = 11; + type.matcher.v4alpha.StringMatcher service_name_matcher = 11; } message TcpHealthCheck { @@ -206,7 +206,7 @@ message HealthCheck { // Specifies the ALPN protocols for health check connections. This is useful if the // corresponding upstream is using ALPN-based :ref:`FilterChainMatch - // ` along with different protocols for health checks + // ` along with different protocols for health checks // versus data connections. If empty, no ALPN protocols will be set on health check connections. repeated string alpn_protocols = 1; } diff --git a/generated_api_shadow/envoy/config/listener/v4alpha/BUILD b/generated_api_shadow/envoy/config/listener/v4alpha/BUILD new file mode 100644 index 000000000000..1d1761a3e941 --- /dev/null +++ b/generated_api_shadow/envoy/config/listener/v4alpha/BUILD @@ -0,0 +1,15 @@ +# DO NOT EDIT. This file is generated by tools/proto_sync.py. + +load("@envoy_api//bazel:api_build_system.bzl", "api_proto_package") + +licenses(["notice"]) # Apache 2 + +api_proto_package( + deps = [ + "//envoy/config/accesslog/v4alpha:pkg", + "//envoy/config/core/v4alpha:pkg", + "//envoy/config/listener/v3:pkg", + "//envoy/type/v3:pkg", + "@com_github_cncf_udpa//udpa/annotations:pkg", + ], +) diff --git a/generated_api_shadow/envoy/config/listener/v4alpha/api_listener.proto b/generated_api_shadow/envoy/config/listener/v4alpha/api_listener.proto new file mode 100644 index 000000000000..b8d076c36583 --- /dev/null +++ b/generated_api_shadow/envoy/config/listener/v4alpha/api_listener.proto @@ -0,0 +1,32 @@ +syntax = "proto3"; + +package envoy.config.listener.v4alpha; + +import "google/protobuf/any.proto"; + +import "udpa/annotations/status.proto"; +import "udpa/annotations/versioning.proto"; + +option java_package = "io.envoyproxy.envoy.config.listener.v4alpha"; +option java_outer_classname = "ApiListenerProto"; +option java_multiple_files = true; +option (udpa.annotations.file_status).package_version_status = NEXT_MAJOR_VERSION_CANDIDATE; + +// [#protodoc-title: API listener] + +// Describes a type of API listener, which is used in non-proxy clients. The type of API +// exposed to the non-proxy application depends on the type of API listener. +message ApiListener { + option (udpa.annotations.versioning).previous_message_type = + "envoy.config.listener.v3.ApiListener"; + + // The type in this field determines the type of API listener. At present, the following + // types are supported: + // envoy.config.filter.network.http_connection_manager.v2.HttpConnectionManager (HTTP) + // [#next-major-version: In the v3 API, replace this Any field with a oneof containing the + // specific config message for each type of API listener. We could not do this in v2 because + // it would have caused circular dependencies for go protos: lds.proto depends on this file, + // and http_connection_manager.proto depends on rds.proto, which is in the same directory as + // lds.proto, so lds.proto cannot depend on this file.] + google.protobuf.Any api_listener = 1; +} diff --git a/generated_api_shadow/envoy/config/listener/v4alpha/listener.proto b/generated_api_shadow/envoy/config/listener/v4alpha/listener.proto new file mode 100644 index 000000000000..4438bd2974d4 --- /dev/null +++ b/generated_api_shadow/envoy/config/listener/v4alpha/listener.proto @@ -0,0 +1,241 @@ +syntax = "proto3"; + +package envoy.config.listener.v4alpha; + +import "envoy/config/accesslog/v4alpha/accesslog.proto"; +import "envoy/config/core/v4alpha/address.proto"; +import "envoy/config/core/v4alpha/base.proto"; +import "envoy/config/core/v4alpha/socket_option.proto"; +import "envoy/config/listener/v4alpha/api_listener.proto"; +import "envoy/config/listener/v4alpha/listener_components.proto"; +import "envoy/config/listener/v4alpha/udp_listener_config.proto"; + +import "google/api/annotations.proto"; +import "google/protobuf/duration.proto"; +import "google/protobuf/wrappers.proto"; + +import "udpa/annotations/status.proto"; +import "udpa/annotations/versioning.proto"; +import "validate/validate.proto"; + +option java_package = "io.envoyproxy.envoy.config.listener.v4alpha"; +option java_outer_classname = "ListenerProto"; +option java_multiple_files = true; +option (udpa.annotations.file_status).package_version_status = NEXT_MAJOR_VERSION_CANDIDATE; + +// [#protodoc-title: Listener configuration] +// Listener :ref:`configuration overview ` + +// [#next-free-field: 23] +message Listener { + option (udpa.annotations.versioning).previous_message_type = "envoy.config.listener.v3.Listener"; + + enum DrainType { + // Drain in response to calling /healthcheck/fail admin endpoint (along with the health check + // filter), listener removal/modification, and hot restart. + DEFAULT = 0; + + // Drain in response to listener removal/modification and hot restart. This setting does not + // include /healthcheck/fail. This setting may be desirable if Envoy is hosting both ingress + // and egress listeners. + MODIFY_ONLY = 1; + } + + // [#not-implemented-hide:] + message DeprecatedV1 { + option (udpa.annotations.versioning).previous_message_type = + "envoy.config.listener.v3.Listener.DeprecatedV1"; + + // Whether the listener should bind to the port. A listener that doesn't + // bind can only receive connections redirected from other listeners that + // set use_original_dst parameter to true. Default is true. + // + // This is deprecated in v2, all Listeners will bind to their port. An + // additional filter chain must be created for every original destination + // port this listener may redirect to in v2, with the original port + // specified in the FilterChainMatch destination_port field. + // + // [#comment:TODO(PiotrSikora): Remove this once verified that we no longer need it.] + google.protobuf.BoolValue bind_to_port = 1; + } + + // Configuration for listener connection balancing. + message ConnectionBalanceConfig { + option (udpa.annotations.versioning).previous_message_type = + "envoy.config.listener.v3.Listener.ConnectionBalanceConfig"; + + // A connection balancer implementation that does exact balancing. This means that a lock is + // held during balancing so that connection counts are nearly exactly balanced between worker + // threads. This is "nearly" exact in the sense that a connection might close in parallel thus + // making the counts incorrect, but this should be rectified on the next accept. This balancer + // sacrifices accept throughput for accuracy and should be used when there are a small number of + // connections that rarely cycle (e.g., service mesh gRPC egress). + message ExactBalance { + option (udpa.annotations.versioning).previous_message_type = + "envoy.config.listener.v3.Listener.ConnectionBalanceConfig.ExactBalance"; + } + + oneof balance_type { + option (validate.required) = true; + + // If specified, the listener will use the exact connection balancer. + ExactBalance exact_balance = 1; + } + } + + reserved 14, 4; + + reserved "use_original_dst"; + + // The unique name by which this listener is known. If no name is provided, + // Envoy will allocate an internal UUID for the listener. If the listener is to be dynamically + // updated or removed via :ref:`LDS ` a unique name must be provided. + string name = 1; + + // The address that the listener should listen on. In general, the address must be unique, though + // that is governed by the bind rules of the OS. E.g., multiple listeners can listen on port 0 on + // Linux as the actual port will be allocated by the OS. + core.v4alpha.Address address = 2 [(validate.rules).message = {required: true}]; + + // A list of filter chains to consider for this listener. The + // :ref:`FilterChain ` with the most specific + // :ref:`FilterChainMatch ` criteria is used on a + // connection. + // + // Example using SNI for filter chain selection can be found in the + // :ref:`FAQ entry `. + repeated FilterChain filter_chains = 3; + + // Soft limit on size of the listener’s new connection read and write buffers. + // If unspecified, an implementation defined default is applied (1MiB). + google.protobuf.UInt32Value per_connection_buffer_limit_bytes = 5; + + // Listener metadata. + core.v4alpha.Metadata metadata = 6; + + // [#not-implemented-hide:] + DeprecatedV1 deprecated_v1 = 7; + + // The type of draining to perform at a listener-wide level. + DrainType drain_type = 8; + + // Listener filters have the opportunity to manipulate and augment the connection metadata that + // is used in connection filter chain matching, for example. These filters are run before any in + // :ref:`filter_chains `. Order matters as the + // filters are processed sequentially right after a socket has been accepted by the listener, and + // before a connection is created. + // UDP Listener filters can be specified when the protocol in the listener socket address in + // :ref:`protocol ` is :ref:`UDP + // `. + // UDP listeners currently support a single filter. + repeated ListenerFilter listener_filters = 9; + + // The timeout to wait for all listener filters to complete operation. If the timeout is reached, + // the accepted socket is closed without a connection being created unless + // `continue_on_listener_filters_timeout` is set to true. Specify 0 to disable the + // timeout. If not specified, a default timeout of 15s is used. + google.protobuf.Duration listener_filters_timeout = 15; + + // Whether a connection should be created when listener filters timeout. Default is false. + // + // .. attention:: + // + // Some listener filters, such as :ref:`Proxy Protocol filter + // `, should not be used with this option. It will cause + // unexpected behavior when a connection is created. + bool continue_on_listener_filters_timeout = 17; + + // Whether the listener should be set as a transparent socket. + // When this flag is set to true, connections can be redirected to the listener using an + // *iptables* *TPROXY* target, in which case the original source and destination addresses and + // ports are preserved on accepted connections. This flag should be used in combination with + // :ref:`an original_dst ` :ref:`listener filter + // ` to mark the connections' local addresses as + // "restored." This can be used to hand off each redirected connection to another listener + // associated with the connection's destination address. Direct connections to the socket without + // using *TPROXY* cannot be distinguished from connections redirected using *TPROXY* and are + // therefore treated as if they were redirected. + // When this flag is set to false, the listener's socket is explicitly reset as non-transparent. + // Setting this flag requires Envoy to run with the *CAP_NET_ADMIN* capability. + // When this flag is not set (default), the socket is not modified, i.e. the transparent option + // is neither set nor reset. + google.protobuf.BoolValue transparent = 10; + + // Whether the listener should set the *IP_FREEBIND* socket option. When this + // flag is set to true, listeners can be bound to an IP address that is not + // configured on the system running Envoy. When this flag is set to false, the + // option *IP_FREEBIND* is disabled on the socket. When this flag is not set + // (default), the socket is not modified, i.e. the option is neither enabled + // nor disabled. + google.protobuf.BoolValue freebind = 11; + + // Additional socket options that may not be present in Envoy source code or + // precompiled binaries. + repeated core.v4alpha.SocketOption socket_options = 13; + + // Whether the listener should accept TCP Fast Open (TFO) connections. + // When this flag is set to a value greater than 0, the option TCP_FASTOPEN is enabled on + // the socket, with a queue length of the specified size + // (see `details in RFC7413 `_). + // When this flag is set to 0, the option TCP_FASTOPEN is disabled on the socket. + // When this flag is not set (default), the socket is not modified, + // i.e. the option is neither enabled nor disabled. + // + // On Linux, the net.ipv4.tcp_fastopen kernel parameter must include flag 0x2 to enable + // TCP_FASTOPEN. + // See `ip-sysctl.txt `_. + // + // On macOS, only values of 0, 1, and unset are valid; other values may result in an error. + // To set the queue length on macOS, set the net.inet.tcp.fastopen_backlog kernel parameter. + google.protobuf.UInt32Value tcp_fast_open_queue_length = 12; + + // Specifies the intended direction of the traffic relative to the local Envoy. + core.v4alpha.TrafficDirection traffic_direction = 16; + + // If the protocol in the listener socket address in :ref:`protocol + // ` is :ref:`UDP + // `, this field specifies the actual udp + // listener to create, i.e. :ref:`udp_listener_name + // ` = "raw_udp_listener" for + // creating a packet-oriented UDP listener. If not present, treat it as "raw_udp_listener". + UdpListenerConfig udp_listener_config = 18; + + // Used to represent an API listener, which is used in non-proxy clients. The type of API + // exposed to the non-proxy application depends on the type of API listener. + // When this field is set, no other field except for :ref:`name` + // should be set. + // + // .. note:: + // + // Currently only one ApiListener can be installed; and it can only be done via bootstrap config, + // not LDS. + // + // [#next-major-version: In the v3 API, instead of this messy approach where the socket + // listener fields are directly in the top-level Listener message and the API listener types + // are in the ApiListener message, the socket listener messages should be in their own message, + // and the top-level Listener should essentially be a oneof that selects between the + // socket listener and the various types of API listener. That way, a given Listener message + // can structurally only contain the fields of the relevant type.] + ApiListener api_listener = 19; + + // The listener's connection balancer configuration, currently only applicable to TCP listeners. + // If no configuration is specified, Envoy will not attempt to balance active connections between + // worker threads. + ConnectionBalanceConfig connection_balance_config = 20; + + // When this flag is set to true, listeners set the *SO_REUSEPORT* socket option and + // create one socket for each worker thread. This makes inbound connections + // distribute among worker threads roughly evenly in cases where there are a high number + // of connections. When this flag is set to false, all worker threads share one socket. + // + // Before Linux v4.19-rc1, new TCP connections may be rejected during hot restart + // (see `3rd paragraph in 'soreuseport' commit message + // `_). + // This issue was fixed by `tcp: Avoid TCP syncookie rejected by SO_REUSEPORT socket + // `_. + bool reuse_port = 21; + + // Configuration for :ref:`access logs ` + // emitted by this listener. + repeated accesslog.v4alpha.AccessLog access_log = 22; +} diff --git a/generated_api_shadow/envoy/config/listener/v4alpha/listener_components.proto b/generated_api_shadow/envoy/config/listener/v4alpha/listener_components.proto new file mode 100644 index 000000000000..6900cde39016 --- /dev/null +++ b/generated_api_shadow/envoy/config/listener/v4alpha/listener_components.proto @@ -0,0 +1,298 @@ +syntax = "proto3"; + +package envoy.config.listener.v4alpha; + +import "envoy/config/core/v4alpha/address.proto"; +import "envoy/config/core/v4alpha/base.proto"; +import "envoy/type/v3/range.proto"; + +import "google/protobuf/any.proto"; +import "google/protobuf/struct.proto"; +import "google/protobuf/wrappers.proto"; + +import "udpa/annotations/status.proto"; +import "udpa/annotations/versioning.proto"; +import "validate/validate.proto"; + +option java_package = "io.envoyproxy.envoy.config.listener.v4alpha"; +option java_outer_classname = "ListenerComponentsProto"; +option java_multiple_files = true; +option (udpa.annotations.file_status).package_version_status = NEXT_MAJOR_VERSION_CANDIDATE; + +// [#protodoc-title: Listener components] +// Listener :ref:`configuration overview ` + +message Filter { + option (udpa.annotations.versioning).previous_message_type = "envoy.config.listener.v3.Filter"; + + reserved 3, 2; + + reserved "config"; + + // The name of the filter to instantiate. The name must match a + // :ref:`supported filter `. + string name = 1 [(validate.rules).string = {min_bytes: 1}]; + + // Filter specific configuration which depends on the filter being + // instantiated. See the supported filters for further documentation. + oneof config_type { + google.protobuf.Any typed_config = 4; + } +} + +// Specifies the match criteria for selecting a specific filter chain for a +// listener. +// +// In order for a filter chain to be selected, *ALL* of its criteria must be +// fulfilled by the incoming connection, properties of which are set by the +// networking stack and/or listener filters. +// +// The following order applies: +// +// 1. Destination port. +// 2. Destination IP address. +// 3. Server name (e.g. SNI for TLS protocol), +// 4. Transport protocol. +// 5. Application protocols (e.g. ALPN for TLS protocol). +// 6. Source type (e.g. any, local or external network). +// 7. Source IP address. +// 8. Source port. +// +// For criteria that allow ranges or wildcards, the most specific value in any +// of the configured filter chains that matches the incoming connection is going +// to be used (e.g. for SNI ``www.example.com`` the most specific match would be +// ``www.example.com``, then ``*.example.com``, then ``*.com``, then any filter +// chain without ``server_names`` requirements). +// +// [#comment: Implemented rules are kept in the preference order, with deprecated fields +// listed at the end, because that's how we want to list them in the docs. +// +// [#comment:TODO(PiotrSikora): Add support for configurable precedence of the rules] +// [#next-free-field: 13] +message FilterChainMatch { + option (udpa.annotations.versioning).previous_message_type = + "envoy.config.listener.v3.FilterChainMatch"; + + enum ConnectionSourceType { + // Any connection source matches. + ANY = 0; + + // Match a connection originating from the same host. + SAME_IP_OR_LOOPBACK = 1; + + // Match a connection originating from a different host. + EXTERNAL = 2; + } + + reserved 1; + + // Optional destination port to consider when use_original_dst is set on the + // listener in determining a filter chain match. + google.protobuf.UInt32Value destination_port = 8 [(validate.rules).uint32 = {lte: 65535 gte: 1}]; + + // If non-empty, an IP address and prefix length to match addresses when the + // listener is bound to 0.0.0.0/:: or when use_original_dst is specified. + repeated core.v4alpha.CidrRange prefix_ranges = 3; + + // If non-empty, an IP address and suffix length to match addresses when the + // listener is bound to 0.0.0.0/:: or when use_original_dst is specified. + // [#not-implemented-hide:] + string address_suffix = 4; + + // [#not-implemented-hide:] + google.protobuf.UInt32Value suffix_len = 5; + + // Specifies the connection source IP match type. Can be any, local or external network. + ConnectionSourceType source_type = 12 [(validate.rules).enum = {defined_only: true}]; + + // The criteria is satisfied if the source IP address of the downstream + // connection is contained in at least one of the specified subnets. If the + // parameter is not specified or the list is empty, the source IP address is + // ignored. + repeated core.v4alpha.CidrRange source_prefix_ranges = 6; + + // The criteria is satisfied if the source port of the downstream connection + // is contained in at least one of the specified ports. If the parameter is + // not specified, the source port is ignored. + repeated uint32 source_ports = 7 + [(validate.rules).repeated = {items {uint32 {lte: 65535 gte: 1}}}]; + + // If non-empty, a list of server names (e.g. SNI for TLS protocol) to consider when determining + // a filter chain match. Those values will be compared against the server names of a new + // connection, when detected by one of the listener filters. + // + // The server name will be matched against all wildcard domains, i.e. ``www.example.com`` + // will be first matched against ``www.example.com``, then ``*.example.com``, then ``*.com``. + // + // Note that partial wildcards are not supported, and values like ``*w.example.com`` are invalid. + // + // .. attention:: + // + // See the :ref:`FAQ entry ` on how to configure SNI for more + // information. + repeated string server_names = 11; + + // If non-empty, a transport protocol to consider when determining a filter chain match. + // This value will be compared against the transport protocol of a new connection, when + // it's detected by one of the listener filters. + // + // Suggested values include: + // + // * ``raw_buffer`` - default, used when no transport protocol is detected, + // * ``tls`` - set by :ref:`envoy.filters.listener.tls_inspector ` + // when TLS protocol is detected. + string transport_protocol = 9; + + // If non-empty, a list of application protocols (e.g. ALPN for TLS protocol) to consider when + // determining a filter chain match. Those values will be compared against the application + // protocols of a new connection, when detected by one of the listener filters. + // + // Suggested values include: + // + // * ``http/1.1`` - set by :ref:`envoy.filters.listener.tls_inspector + // `, + // * ``h2`` - set by :ref:`envoy.filters.listener.tls_inspector ` + // + // .. attention:: + // + // Currently, only :ref:`TLS Inspector ` provides + // application protocol detection based on the requested + // `ALPN `_ values. + // + // However, the use of ALPN is pretty much limited to the HTTP/2 traffic on the Internet, + // and matching on values other than ``h2`` is going to lead to a lot of false negatives, + // unless all connecting clients are known to use ALPN. + repeated string application_protocols = 10; +} + +// A filter chain wraps a set of match criteria, an option TLS context, a set of filters, and +// various other parameters. +// [#next-free-field: 8] +message FilterChain { + option (udpa.annotations.versioning).previous_message_type = + "envoy.config.listener.v3.FilterChain"; + + reserved 2; + + reserved "tls_context"; + + // The criteria to use when matching a connection to this filter chain. + FilterChainMatch filter_chain_match = 1; + + // A list of individual network filters that make up the filter chain for + // connections established with the listener. Order matters as the filters are + // processed sequentially as connection events happen. Note: If the filter + // list is empty, the connection will close by default. + repeated Filter filters = 3; + + // Whether the listener should expect a PROXY protocol V1 header on new + // connections. If this option is enabled, the listener will assume that that + // remote address of the connection is the one specified in the header. Some + // load balancers including the AWS ELB support this option. If the option is + // absent or set to false, Envoy will use the physical peer address of the + // connection as the remote address. + google.protobuf.BoolValue use_proxy_proto = 4; + + // [#not-implemented-hide:] filter chain metadata. + core.v4alpha.Metadata metadata = 5; + + // Optional custom transport socket implementation to use for downstream connections. + // To setup TLS, set a transport socket with name `tls` and + // :ref:`DownstreamTlsContext ` in the `typed_config`. + // If no transport socket configuration is specified, new connections + // will be set up with plaintext. + core.v4alpha.TransportSocket transport_socket = 6; + + // [#not-implemented-hide:] The unique name (or empty) by which this filter chain is known. If no + // name is provided, Envoy will allocate an internal UUID for the filter chain. If the filter + // chain is to be dynamically updated or removed via FCDS a unique name must be provided. + string name = 7; +} + +// Listener filter chain match configuration. This is a recursive structure which allows complex +// nested match configurations to be built using various logical operators. +// +// Examples: +// +// * Matches if the destination port is 3306. +// +// .. code-block:: yaml +// +// destination_port_range: +// start: 3306 +// end: 3307 +// +// * Matches if the destination port is 3306 or 15000. +// +// .. code-block:: yaml +// +// or_match: +// rules: +// - destination_port_range: +// start: 3306 +// end: 3306 +// - destination_port_range: +// start: 15000 +// end: 15001 +// +// [#next-free-field: 6] +message ListenerFilterChainMatchPredicate { + option (udpa.annotations.versioning).previous_message_type = + "envoy.config.listener.v3.ListenerFilterChainMatchPredicate"; + + // A set of match configurations used for logical operations. + message MatchSet { + option (udpa.annotations.versioning).previous_message_type = + "envoy.config.listener.v3.ListenerFilterChainMatchPredicate.MatchSet"; + + // The list of rules that make up the set. + repeated ListenerFilterChainMatchPredicate rules = 1 + [(validate.rules).repeated = {min_items: 2}]; + } + + oneof rule { + option (validate.required) = true; + + // A set that describes a logical OR. If any member of the set matches, the match configuration + // matches. + MatchSet or_match = 1; + + // A set that describes a logical AND. If all members of the set match, the match configuration + // matches. + MatchSet and_match = 2; + + // A negation match. The match configuration will match if the negated match condition matches. + ListenerFilterChainMatchPredicate not_match = 3; + + // The match configuration will always match. + bool any_match = 4 [(validate.rules).bool = {const: true}]; + + // Match destination port. Particularly, the match evaluation must use the recovered local port if + // the owning listener filter is after :ref:`an original_dst listener filter `. + type.v3.Int32Range destination_port_range = 5; + } +} + +message ListenerFilter { + option (udpa.annotations.versioning).previous_message_type = + "envoy.config.listener.v3.ListenerFilter"; + + reserved 2; + + reserved "config"; + + // The name of the filter to instantiate. The name must match a + // :ref:`supported filter `. + string name = 1 [(validate.rules).string = {min_bytes: 1}]; + + // Filter specific configuration which depends on the filter being instantiated. + // See the supported filters for further documentation. + oneof config_type { + google.protobuf.Any typed_config = 3; + } + + // Optional match predicate used to disable the filter. The filter is enabled when this field is empty. + // See :ref:`ListenerFilterChainMatchPredicate ` + // for further examples. + ListenerFilterChainMatchPredicate filter_disabled = 4; +} diff --git a/generated_api_shadow/envoy/config/listener/v4alpha/quic_config.proto b/generated_api_shadow/envoy/config/listener/v4alpha/quic_config.proto new file mode 100644 index 000000000000..97866e4b6ed8 --- /dev/null +++ b/generated_api_shadow/envoy/config/listener/v4alpha/quic_config.proto @@ -0,0 +1,35 @@ +syntax = "proto3"; + +package envoy.config.listener.v4alpha; + +import "google/protobuf/duration.proto"; +import "google/protobuf/wrappers.proto"; + +import "udpa/annotations/status.proto"; +import "udpa/annotations/versioning.proto"; + +option java_package = "io.envoyproxy.envoy.config.listener.v4alpha"; +option java_outer_classname = "QuicConfigProto"; +option java_multiple_files = true; +option (udpa.annotations.file_status).package_version_status = NEXT_MAJOR_VERSION_CANDIDATE; + +// [#protodoc-title: QUIC listener Config] + +// Configuration specific to the QUIC protocol. +// Next id: 4 +message QuicProtocolOptions { + option (udpa.annotations.versioning).previous_message_type = + "envoy.config.listener.v3.QuicProtocolOptions"; + + // Maximum number of streams that the client can negotiate per connection. 100 + // if not specified. + google.protobuf.UInt32Value max_concurrent_streams = 1; + + // Maximum number of milliseconds that connection will be alive when there is + // no network activity. 300000ms if not specified. + google.protobuf.Duration idle_timeout = 2; + + // Connection timeout in milliseconds before the crypto handshake is finished. + // 20000ms if not specified. + google.protobuf.Duration crypto_handshake_timeout = 3; +} diff --git a/generated_api_shadow/envoy/config/listener/v4alpha/udp_listener_config.proto b/generated_api_shadow/envoy/config/listener/v4alpha/udp_listener_config.proto new file mode 100644 index 000000000000..7e40e9529f99 --- /dev/null +++ b/generated_api_shadow/envoy/config/listener/v4alpha/udp_listener_config.proto @@ -0,0 +1,42 @@ +syntax = "proto3"; + +package envoy.config.listener.v4alpha; + +import "google/protobuf/any.proto"; +import "google/protobuf/struct.proto"; + +import "udpa/annotations/status.proto"; +import "udpa/annotations/versioning.proto"; + +option java_package = "io.envoyproxy.envoy.config.listener.v4alpha"; +option java_outer_classname = "UdpListenerConfigProto"; +option java_multiple_files = true; +option (udpa.annotations.file_status).package_version_status = NEXT_MAJOR_VERSION_CANDIDATE; + +// [#protodoc-title: UDP Listener Config] +// Listener :ref:`configuration overview ` + +message UdpListenerConfig { + option (udpa.annotations.versioning).previous_message_type = + "envoy.config.listener.v3.UdpListenerConfig"; + + reserved 2; + + reserved "config"; + + // Used to look up UDP listener factory, matches "raw_udp_listener" or + // "quic_listener" to create a specific udp listener. + // If not specified, treat as "raw_udp_listener". + string udp_listener_name = 1; + + // Used to create a specific listener factory. To some factory, e.g. + // "raw_udp_listener", config is not needed. + oneof config_type { + google.protobuf.Any typed_config = 3; + } +} + +message ActiveRawUdpListenerConfig { + option (udpa.annotations.versioning).previous_message_type = + "envoy.config.listener.v3.ActiveRawUdpListenerConfig"; +} diff --git a/generated_api_shadow/envoy/config/metrics/v4alpha/BUILD b/generated_api_shadow/envoy/config/metrics/v4alpha/BUILD new file mode 100644 index 000000000000..4b70ffb4110a --- /dev/null +++ b/generated_api_shadow/envoy/config/metrics/v4alpha/BUILD @@ -0,0 +1,14 @@ +# DO NOT EDIT. This file is generated by tools/proto_sync.py. + +load("@envoy_api//bazel:api_build_system.bzl", "api_proto_package") + +licenses(["notice"]) # Apache 2 + +api_proto_package( + deps = [ + "//envoy/config/core/v4alpha:pkg", + "//envoy/config/metrics/v3:pkg", + "//envoy/type/matcher/v4alpha:pkg", + "@com_github_cncf_udpa//udpa/annotations:pkg", + ], +) diff --git a/generated_api_shadow/envoy/config/metrics/v4alpha/metrics_service.proto b/generated_api_shadow/envoy/config/metrics/v4alpha/metrics_service.proto new file mode 100644 index 000000000000..e4da16c56bfd --- /dev/null +++ b/generated_api_shadow/envoy/config/metrics/v4alpha/metrics_service.proto @@ -0,0 +1,36 @@ +syntax = "proto3"; + +package envoy.config.metrics.v4alpha; + +import "envoy/config/core/v4alpha/grpc_service.proto"; + +import "google/protobuf/wrappers.proto"; + +import "udpa/annotations/status.proto"; +import "udpa/annotations/versioning.proto"; +import "validate/validate.proto"; + +option java_package = "io.envoyproxy.envoy.config.metrics.v4alpha"; +option java_outer_classname = "MetricsServiceProto"; +option java_multiple_files = true; +option (udpa.annotations.file_status).package_version_status = NEXT_MAJOR_VERSION_CANDIDATE; + +// [#protodoc-title: Metrics service] + +// Metrics Service is configured as a built-in *envoy.stat_sinks.metrics_service* :ref:`StatsSink +// `. This opaque configuration will be used to create +// Metrics Service. +// [#extension: envoy.stat_sinks.metrics_service] +message MetricsServiceConfig { + option (udpa.annotations.versioning).previous_message_type = + "envoy.config.metrics.v3.MetricsServiceConfig"; + + // The upstream gRPC cluster that hosts the metrics service. + core.v4alpha.GrpcService grpc_service = 1 [(validate.rules).message = {required: true}]; + + // If true, counters are reported as the delta between flushing intervals. Otherwise, the current + // counter value is reported. Defaults to false. + // Eventually (https://github.com/envoyproxy/envoy/issues/10968) if this value is not set, the + // sink will take updates from the :ref:`MetricsResponse `. + google.protobuf.BoolValue report_counters_as_deltas = 2; +} diff --git a/generated_api_shadow/envoy/config/metrics/v4alpha/stats.proto b/generated_api_shadow/envoy/config/metrics/v4alpha/stats.proto new file mode 100644 index 000000000000..f9a4549746c6 --- /dev/null +++ b/generated_api_shadow/envoy/config/metrics/v4alpha/stats.proto @@ -0,0 +1,361 @@ +syntax = "proto3"; + +package envoy.config.metrics.v4alpha; + +import "envoy/config/core/v4alpha/address.proto"; +import "envoy/type/matcher/v4alpha/string.proto"; + +import "google/protobuf/any.proto"; +import "google/protobuf/struct.proto"; +import "google/protobuf/wrappers.proto"; + +import "udpa/annotations/status.proto"; +import "udpa/annotations/versioning.proto"; +import "validate/validate.proto"; + +option java_package = "io.envoyproxy.envoy.config.metrics.v4alpha"; +option java_outer_classname = "StatsProto"; +option java_multiple_files = true; +option (udpa.annotations.file_status).package_version_status = NEXT_MAJOR_VERSION_CANDIDATE; + +// [#protodoc-title: Stats] +// Statistics :ref:`architecture overview `. + +// Configuration for pluggable stats sinks. +message StatsSink { + option (udpa.annotations.versioning).previous_message_type = "envoy.config.metrics.v3.StatsSink"; + + reserved 2; + + reserved "config"; + + // The name of the stats sink to instantiate. The name must match a supported + // stats sink. The built-in stats sinks are: + // + // * :ref:`envoy.stat_sinks.statsd ` + // * :ref:`envoy.stat_sinks.dog_statsd ` + // * :ref:`envoy.stat_sinks.metrics_service ` + // * :ref:`envoy.stat_sinks.hystrix ` + // + // Sinks optionally support tagged/multiple dimensional metrics. + string name = 1; + + // Stats sink specific configuration which depends on the sink being instantiated. See + // :ref:`StatsdSink ` for an example. + oneof config_type { + google.protobuf.Any typed_config = 3; + } +} + +// Statistics configuration such as tagging. +message StatsConfig { + option (udpa.annotations.versioning).previous_message_type = + "envoy.config.metrics.v3.StatsConfig"; + + // Each stat name is iteratively processed through these tag specifiers. + // When a tag is matched, the first capture group is removed from the name so + // later :ref:`TagSpecifiers ` cannot match that + // same portion of the match. + repeated TagSpecifier stats_tags = 1; + + // Use all default tag regexes specified in Envoy. These can be combined with + // custom tags specified in :ref:`stats_tags + // `. They will be processed before + // the custom tags. + // + // .. note:: + // + // If any default tags are specified twice, the config will be considered + // invalid. + // + // See :repo:`well_known_names.h ` for a list of the + // default tags in Envoy. + // + // If not provided, the value is assumed to be true. + google.protobuf.BoolValue use_all_default_tags = 2; + + // Inclusion/exclusion matcher for stat name creation. If not provided, all stats are instantiated + // as normal. Preventing the instantiation of certain families of stats can improve memory + // performance for Envoys running especially large configs. + // + // .. warning:: + // Excluding stats may affect Envoy's behavior in undocumented ways. See + // `issue #8771 `_ for more information. + // If any unexpected behavior changes are observed, please open a new issue immediately. + StatsMatcher stats_matcher = 3; +} + +// Configuration for disabling stat instantiation. +message StatsMatcher { + // The instantiation of stats is unrestricted by default. If the goal is to configure Envoy to + // instantiate all stats, there is no need to construct a StatsMatcher. + // + // However, StatsMatcher can be used to limit the creation of families of stats in order to + // conserve memory. Stats can either be disabled entirely, or they can be + // limited by either an exclusion or an inclusion list of :ref:`StringMatcher + // ` protos: + // + // * If `reject_all` is set to `true`, no stats will be instantiated. If `reject_all` is set to + // `false`, all stats will be instantiated. + // + // * If an exclusion list is supplied, any stat name matching *any* of the StringMatchers in the + // list will not instantiate. + // + // * If an inclusion list is supplied, no stats will instantiate, except those matching *any* of + // the StringMatchers in the list. + // + // + // A StringMatcher can be used to match against an exact string, a suffix / prefix, or a regex. + // **NB:** For performance reasons, it is highly recommended to use a prefix- or suffix-based + // matcher rather than a regex-based matcher. + // + // Example 1. Excluding all stats. + // + // .. code-block:: json + // + // { + // "statsMatcher": { + // "rejectAll": "true" + // } + // } + // + // Example 2. Excluding all cluster-specific stats, but not cluster-manager stats: + // + // .. code-block:: json + // + // { + // "statsMatcher": { + // "exclusionList": { + // "patterns": [ + // { + // "prefix": "cluster." + // } + // ] + // } + // } + // } + // + // Example 3. Including only manager-related stats: + // + // .. code-block:: json + // + // { + // "statsMatcher": { + // "inclusionList": { + // "patterns": [ + // { + // "prefix": "cluster_manager." + // }, + // { + // "prefix": "listener_manager." + // } + // ] + // } + // } + // } + // + + option (udpa.annotations.versioning).previous_message_type = + "envoy.config.metrics.v3.StatsMatcher"; + + oneof stats_matcher { + option (validate.required) = true; + + // If `reject_all` is true, then all stats are disabled. If `reject_all` is false, then all + // stats are enabled. + bool reject_all = 1; + + // Exclusive match. All stats are enabled except for those matching one of the supplied + // StringMatcher protos. + type.matcher.v4alpha.ListStringMatcher exclusion_list = 2; + + // Inclusive match. No stats are enabled except for those matching one of the supplied + // StringMatcher protos. + type.matcher.v4alpha.ListStringMatcher inclusion_list = 3; + } +} + +// Designates a tag name and value pair. The value may be either a fixed value +// or a regex providing the value via capture groups. The specified tag will be +// unconditionally set if a fixed value, otherwise it will only be set if one +// or more capture groups in the regex match. +message TagSpecifier { + option (udpa.annotations.versioning).previous_message_type = + "envoy.config.metrics.v3.TagSpecifier"; + + // Attaches an identifier to the tag values to identify the tag being in the + // sink. Envoy has a set of default names and regexes to extract dynamic + // portions of existing stats, which can be found in :repo:`well_known_names.h + // ` in the Envoy repository. If a :ref:`tag_name + // ` is provided in the config and + // neither :ref:`regex ` or + // :ref:`fixed_value ` were specified, + // Envoy will attempt to find that name in its set of defaults and use the accompanying regex. + // + // .. note:: + // + // It is invalid to specify the same tag name twice in a config. + string tag_name = 1; + + oneof tag_value { + // Designates a tag to strip from the tag extracted name and provide as a named + // tag value for all statistics. This will only occur if any part of the name + // matches the regex provided with one or more capture groups. + // + // The first capture group identifies the portion of the name to remove. The + // second capture group (which will normally be nested inside the first) will + // designate the value of the tag for the statistic. If no second capture + // group is provided, the first will also be used to set the value of the tag. + // All other capture groups will be ignored. + // + // Example 1. a stat name ``cluster.foo_cluster.upstream_rq_timeout`` and + // one tag specifier: + // + // .. code-block:: json + // + // { + // "tag_name": "envoy.cluster_name", + // "regex": "^cluster\.((.+?)\.)" + // } + // + // Note that the regex will remove ``foo_cluster.`` making the tag extracted + // name ``cluster.upstream_rq_timeout`` and the tag value for + // ``envoy.cluster_name`` will be ``foo_cluster`` (note: there will be no + // ``.`` character because of the second capture group). + // + // Example 2. a stat name + // ``http.connection_manager_1.user_agent.ios.downstream_cx_total`` and two + // tag specifiers: + // + // .. code-block:: json + // + // [ + // { + // "tag_name": "envoy.http_user_agent", + // "regex": "^http(?=\.).*?\.user_agent\.((.+?)\.)\w+?$" + // }, + // { + // "tag_name": "envoy.http_conn_manager_prefix", + // "regex": "^http\.((.*?)\.)" + // } + // ] + // + // The two regexes of the specifiers will be processed in the definition order. + // + // The first regex will remove ``ios.``, leaving the tag extracted name + // ``http.connection_manager_1.user_agent.downstream_cx_total``. The tag + // ``envoy.http_user_agent`` will be added with tag value ``ios``. + // + // The second regex will remove ``connection_manager_1.`` from the tag + // extracted name produced by the first regex + // ``http.connection_manager_1.user_agent.downstream_cx_total``, leaving + // ``http.user_agent.downstream_cx_total`` as the tag extracted name. The tag + // ``envoy.http_conn_manager_prefix`` will be added with the tag value + // ``connection_manager_1``. + string regex = 2 [(validate.rules).string = {max_bytes: 1024}]; + + // Specifies a fixed tag value for the ``tag_name``. + string fixed_value = 3; + } +} + +// Stats configuration proto schema for built-in *envoy.stat_sinks.statsd* sink. This sink does not support +// tagged metrics. +// [#extension: envoy.stat_sinks.statsd] +message StatsdSink { + option (udpa.annotations.versioning).previous_message_type = "envoy.config.metrics.v3.StatsdSink"; + + oneof statsd_specifier { + option (validate.required) = true; + + // The UDP address of a running `statsd `_ + // compliant listener. If specified, statistics will be flushed to this + // address. + core.v4alpha.Address address = 1; + + // The name of a cluster that is running a TCP `statsd + // `_ compliant listener. If specified, + // Envoy will connect to this cluster to flush statistics. + string tcp_cluster_name = 2; + } + + // Optional custom prefix for StatsdSink. If + // specified, this will override the default prefix. + // For example: + // + // .. code-block:: json + // + // { + // "prefix" : "envoy-prod" + // } + // + // will change emitted stats to + // + // .. code-block:: cpp + // + // envoy-prod.test_counter:1|c + // envoy-prod.test_timer:5|ms + // + // Note that the default prefix, "envoy", will be used if a prefix is not + // specified. + // + // Stats with default prefix: + // + // .. code-block:: cpp + // + // envoy.test_counter:1|c + // envoy.test_timer:5|ms + string prefix = 3; +} + +// Stats configuration proto schema for built-in *envoy.stat_sinks.dog_statsd* sink. +// The sink emits stats with `DogStatsD `_ +// compatible tags. Tags are configurable via :ref:`StatsConfig +// `. +// [#extension: envoy.stat_sinks.dog_statsd] +message DogStatsdSink { + option (udpa.annotations.versioning).previous_message_type = + "envoy.config.metrics.v3.DogStatsdSink"; + + reserved 2; + + oneof dog_statsd_specifier { + option (validate.required) = true; + + // The UDP address of a running DogStatsD compliant listener. If specified, + // statistics will be flushed to this address. + core.v4alpha.Address address = 1; + } + + // Optional custom metric name prefix. See :ref:`StatsdSink's prefix field + // ` for more details. + string prefix = 3; +} + +// Stats configuration proto schema for built-in *envoy.stat_sinks.hystrix* sink. +// The sink emits stats in `text/event-stream +// `_ +// formatted stream for use by `Hystrix dashboard +// `_. +// +// Note that only a single HystrixSink should be configured. +// +// Streaming is started through an admin endpoint :http:get:`/hystrix_event_stream`. +// [#extension: envoy.stat_sinks.hystrix] +message HystrixSink { + option (udpa.annotations.versioning).previous_message_type = + "envoy.config.metrics.v3.HystrixSink"; + + // The number of buckets the rolling statistical window is divided into. + // + // Each time the sink is flushed, all relevant Envoy statistics are sampled and + // added to the rolling window (removing the oldest samples in the window + // in the process). The sink then outputs the aggregate statistics across the + // current rolling window to the event stream(s). + // + // rolling_window(ms) = stats_flush_interval(ms) * num_of_buckets + // + // More detailed explanation can be found in `Hystrix wiki + // `_. + int64 num_buckets = 1; +} diff --git a/generated_api_shadow/envoy/config/rbac/v4alpha/BUILD b/generated_api_shadow/envoy/config/rbac/v4alpha/BUILD index dbfa8be4f36f..f0707bae6eae 100644 --- a/generated_api_shadow/envoy/config/rbac/v4alpha/BUILD +++ b/generated_api_shadow/envoy/config/rbac/v4alpha/BUILD @@ -9,7 +9,7 @@ api_proto_package( "//envoy/config/core/v4alpha:pkg", "//envoy/config/rbac/v3:pkg", "//envoy/config/route/v4alpha:pkg", - "//envoy/type/matcher/v3:pkg", + "//envoy/type/matcher/v4alpha:pkg", "@com_github_cncf_udpa//udpa/annotations:pkg", "@com_google_googleapis//google/api/expr/v1alpha1:syntax_proto", ], diff --git a/generated_api_shadow/envoy/config/rbac/v4alpha/rbac.proto b/generated_api_shadow/envoy/config/rbac/v4alpha/rbac.proto index cdbeb5bf2eef..8bab830607b6 100644 --- a/generated_api_shadow/envoy/config/rbac/v4alpha/rbac.proto +++ b/generated_api_shadow/envoy/config/rbac/v4alpha/rbac.proto @@ -4,9 +4,9 @@ package envoy.config.rbac.v4alpha; import "envoy/config/core/v4alpha/address.proto"; import "envoy/config/route/v4alpha/route_components.proto"; -import "envoy/type/matcher/v3/metadata.proto"; -import "envoy/type/matcher/v3/path.proto"; -import "envoy/type/matcher/v3/string.proto"; +import "envoy/type/matcher/v4alpha/metadata.proto"; +import "envoy/type/matcher/v4alpha/path.proto"; +import "envoy/type/matcher/v4alpha/string.proto"; import "google/api/expr/v1alpha1/syntax.proto"; @@ -140,7 +140,7 @@ message Permission { route.v4alpha.HeaderMatcher header = 4; // A URL path on the incoming HTTP request. Only available for HTTP. - type.matcher.v3.PathMatcher url_path = 10; + type.matcher.v4alpha.PathMatcher url_path = 10; // A CIDR block that describes the destination IP. core.v4alpha.CidrRange destination_ip = 5; @@ -149,7 +149,7 @@ message Permission { uint32 destination_port = 6 [(validate.rules).uint32 = {lte: 65535}]; // Metadata that describes additional information about the action. - type.matcher.v3.MetadataMatcher metadata = 7; + type.matcher.v4alpha.MetadataMatcher metadata = 7; // Negates matching the provided permission. For instance, if the value of `not_rule` would // match, this permission would not match. Conversely, if the value of `not_rule` would not @@ -166,7 +166,7 @@ message Permission { // // * If the :ref:`TLS Inspector ` // filter is not added, and if a `FilterChainMatch` is not defined for - // the :ref:`server name `, + // the :ref:`server name `, // a TLS connection's requested SNI server name will be treated as if it // wasn't present. // @@ -175,7 +175,7 @@ message Permission { // // Please refer to :ref:`this FAQ entry ` to learn to // setup SNI. - type.matcher.v3.StringMatcher requested_server_name = 9; + type.matcher.v4alpha.StringMatcher requested_server_name = 9; } } @@ -203,7 +203,7 @@ message Principal { // The name of the principal. If set, The URI SAN or DNS SAN in that order is used from the // certificate, otherwise the subject field is used. If unset, it applies to any user that is // authenticated. - type.matcher.v3.StringMatcher principal_name = 2; + type.matcher.v4alpha.StringMatcher principal_name = 2; } oneof identifier { @@ -245,10 +245,10 @@ message Principal { route.v4alpha.HeaderMatcher header = 6; // A URL path on the incoming HTTP request. Only available for HTTP. - type.matcher.v3.PathMatcher url_path = 9; + type.matcher.v4alpha.PathMatcher url_path = 9; // Metadata that describes additional information about the principal. - type.matcher.v3.MetadataMatcher metadata = 7; + type.matcher.v4alpha.MetadataMatcher metadata = 7; // Negates matching the provided principal. For instance, if the value of `not_id` would match, // this principal would not match. Conversely, if the value of `not_id` would not match, this diff --git a/generated_api_shadow/envoy/config/route/v4alpha/BUILD b/generated_api_shadow/envoy/config/route/v4alpha/BUILD index 507bedd76bdf..13dd451d1b4a 100644 --- a/generated_api_shadow/envoy/config/route/v4alpha/BUILD +++ b/generated_api_shadow/envoy/config/route/v4alpha/BUILD @@ -9,7 +9,7 @@ api_proto_package( "//envoy/annotations:pkg", "//envoy/config/core/v4alpha:pkg", "//envoy/config/route/v3:pkg", - "//envoy/type/matcher/v3:pkg", + "//envoy/type/matcher/v4alpha:pkg", "//envoy/type/tracing/v3:pkg", "//envoy/type/v3:pkg", "@com_github_cncf_udpa//udpa/annotations:pkg", diff --git a/generated_api_shadow/envoy/config/route/v4alpha/route_components.proto b/generated_api_shadow/envoy/config/route/v4alpha/route_components.proto index 5fb31112b34e..6e1b1f9f5a0a 100644 --- a/generated_api_shadow/envoy/config/route/v4alpha/route_components.proto +++ b/generated_api_shadow/envoy/config/route/v4alpha/route_components.proto @@ -4,8 +4,8 @@ package envoy.config.route.v4alpha; import "envoy/config/core/v4alpha/base.proto"; import "envoy/config/core/v4alpha/proxy_protocol.proto"; -import "envoy/type/matcher/v3/regex.proto"; -import "envoy/type/matcher/v3/string.proto"; +import "envoy/type/matcher/v4alpha/regex.proto"; +import "envoy/type/matcher/v4alpha/string.proto"; import "envoy/type/tracing/v3/custom_tag.proto"; import "envoy/type/v3/percent.proto"; import "envoy/type/v3/range.proto"; @@ -143,7 +143,7 @@ message VirtualHost { // will see the attempt count as perceived by the second Envoy. Defaults to false. // This header is unaffected by the // :ref:`suppress_envoy_headers - // ` flag. + // ` flag. // // [#next-major-version: rename to include_attempt_count_in_request.] bool include_request_attempt_count = 14; @@ -155,7 +155,7 @@ message VirtualHost { // will see the attempt count as perceived by the Envoy closest upstream from itself. Defaults to false. // This header is unaffected by the // :ref:`suppress_envoy_headers - // ` flag. + // ` flag. bool include_attempt_count_in_response = 19; // Indicates the retry policy for all routes in this virtual host. Note that setting a @@ -428,7 +428,7 @@ message RouteMatch { // path_specifier entirely and just rely on a set of header matchers which can already match // on :path, etc. The issue with that is it is unclear how to generically deal with query string // stripping. This needs more thought.] - type.matcher.v3.RegexMatcher safe_regex = 10 [(validate.rules).message = {required: true}]; + type.matcher.v4alpha.RegexMatcher safe_regex = 10 [(validate.rules).message = {required: true}]; // [#not-implemented-hide:] // If this is used as the matcher, the matcher will only match CONNECT requests. @@ -499,7 +499,7 @@ message CorsPolicy { // Specifies string patterns that match allowed origins. An origin is allowed if any of the // string matchers match. - repeated type.matcher.v3.StringMatcher allow_origin_string_match = 11; + repeated type.matcher.v4alpha.StringMatcher allow_origin_string_match = 11; // Specifies the content for the *access-control-allow-methods* header. string allow_methods = 2; @@ -855,7 +855,7 @@ message RouteAction { // * The pattern ``(?i)/xxx/`` paired with a substitution string of ``/yyy/`` // would do a case-insensitive match and transform path ``/aaa/XxX/bbb`` to // ``/aaa/yyy/bbb``. - type.matcher.v3.RegexMatchAndSubstitute regex_rewrite = 32; + type.matcher.v4alpha.RegexMatchAndSubstitute regex_rewrite = 32; oneof host_rewrite_specifier { // Indicates that during forwarding, the host header will be swapped with @@ -1534,7 +1534,7 @@ message HeaderMatcher { // If specified, this regex string is a regular expression rule which implies the entire request // header value must match the regex. The rule will not match if only a subsequence of the // request header value matches the regex. - type.matcher.v3.RegexMatcher safe_regex_match = 11; + type.matcher.v4alpha.RegexMatcher safe_regex_match = 11; // If specified, header match will be performed based on range. // The rule will match if the request header value is within this range. @@ -1596,7 +1596,8 @@ message QueryParameterMatcher { oneof query_parameter_match_specifier { // Specifies whether a query parameter value should match against a string. - type.matcher.v3.StringMatcher string_match = 5 [(validate.rules).message = {required: true}]; + type.matcher.v4alpha.StringMatcher string_match = 5 + [(validate.rules).message = {required: true}]; // Specifies whether a query parameter should be present. bool present_match = 6; diff --git a/generated_api_shadow/envoy/config/tap/v4alpha/BUILD b/generated_api_shadow/envoy/config/tap/v4alpha/BUILD new file mode 100644 index 000000000000..cb06389f0186 --- /dev/null +++ b/generated_api_shadow/envoy/config/tap/v4alpha/BUILD @@ -0,0 +1,14 @@ +# DO NOT EDIT. This file is generated by tools/proto_sync.py. + +load("@envoy_api//bazel:api_build_system.bzl", "api_proto_package") + +licenses(["notice"]) # Apache 2 + +api_proto_package( + deps = [ + "//envoy/config/core/v4alpha:pkg", + "//envoy/config/route/v4alpha:pkg", + "//envoy/config/tap/v3:pkg", + "@com_github_cncf_udpa//udpa/annotations:pkg", + ], +) diff --git a/generated_api_shadow/envoy/config/tap/v4alpha/common.proto b/generated_api_shadow/envoy/config/tap/v4alpha/common.proto new file mode 100644 index 000000000000..b8e8dac291f3 --- /dev/null +++ b/generated_api_shadow/envoy/config/tap/v4alpha/common.proto @@ -0,0 +1,225 @@ +syntax = "proto3"; + +package envoy.config.tap.v4alpha; + +import "envoy/config/core/v4alpha/base.proto"; +import "envoy/config/core/v4alpha/grpc_service.proto"; +import "envoy/config/route/v4alpha/route_components.proto"; + +import "google/protobuf/wrappers.proto"; + +import "udpa/annotations/status.proto"; +import "udpa/annotations/versioning.proto"; +import "validate/validate.proto"; + +option java_package = "io.envoyproxy.envoy.config.tap.v4alpha"; +option java_outer_classname = "CommonProto"; +option java_multiple_files = true; +option (udpa.annotations.file_status).package_version_status = NEXT_MAJOR_VERSION_CANDIDATE; + +// [#protodoc-title: Common tap configuration] + +// Tap configuration. +message TapConfig { + // [#comment:TODO(mattklein123): Rate limiting] + + option (udpa.annotations.versioning).previous_message_type = "envoy.config.tap.v3.TapConfig"; + + // The match configuration. If the configuration matches the data source being tapped, a tap will + // occur, with the result written to the configured output. + MatchPredicate match_config = 1 [(validate.rules).message = {required: true}]; + + // The tap output configuration. If a match configuration matches a data source being tapped, + // a tap will occur and the data will be written to the configured output. + OutputConfig output_config = 2 [(validate.rules).message = {required: true}]; + + // [#not-implemented-hide:] Specify if Tap matching is enabled. The % of requests\connections for + // which the tap matching is enabled. When not enabled, the request\connection will not be + // recorded. + // + // .. note:: + // + // This field defaults to 100/:ref:`HUNDRED + // `. + core.v4alpha.RuntimeFractionalPercent tap_enabled = 3; +} + +// Tap match configuration. This is a recursive structure which allows complex nested match +// configurations to be built using various logical operators. +// [#next-free-field: 9] +message MatchPredicate { + option (udpa.annotations.versioning).previous_message_type = "envoy.config.tap.v3.MatchPredicate"; + + // A set of match configurations used for logical operations. + message MatchSet { + option (udpa.annotations.versioning).previous_message_type = + "envoy.config.tap.v3.MatchPredicate.MatchSet"; + + // The list of rules that make up the set. + repeated MatchPredicate rules = 1 [(validate.rules).repeated = {min_items: 2}]; + } + + oneof rule { + option (validate.required) = true; + + // A set that describes a logical OR. If any member of the set matches, the match configuration + // matches. + MatchSet or_match = 1; + + // A set that describes a logical AND. If all members of the set match, the match configuration + // matches. + MatchSet and_match = 2; + + // A negation match. The match configuration will match if the negated match condition matches. + MatchPredicate not_match = 3; + + // The match configuration will always match. + bool any_match = 4 [(validate.rules).bool = {const: true}]; + + // HTTP request headers match configuration. + HttpHeadersMatch http_request_headers_match = 5; + + // HTTP request trailers match configuration. + HttpHeadersMatch http_request_trailers_match = 6; + + // HTTP response headers match configuration. + HttpHeadersMatch http_response_headers_match = 7; + + // HTTP response trailers match configuration. + HttpHeadersMatch http_response_trailers_match = 8; + } +} + +// HTTP headers match configuration. +message HttpHeadersMatch { + option (udpa.annotations.versioning).previous_message_type = + "envoy.config.tap.v3.HttpHeadersMatch"; + + // HTTP headers to match. + repeated route.v4alpha.HeaderMatcher headers = 1; +} + +// Tap output configuration. +message OutputConfig { + option (udpa.annotations.versioning).previous_message_type = "envoy.config.tap.v3.OutputConfig"; + + // Output sinks for tap data. Currently a single sink is allowed in the list. Once multiple + // sink types are supported this constraint will be relaxed. + repeated OutputSink sinks = 1 [(validate.rules).repeated = {min_items: 1 max_items: 1}]; + + // For buffered tapping, the maximum amount of received body that will be buffered prior to + // truncation. If truncation occurs, the :ref:`truncated + // ` field will be set. If not specified, the + // default is 1KiB. + google.protobuf.UInt32Value max_buffered_rx_bytes = 2; + + // For buffered tapping, the maximum amount of transmitted body that will be buffered prior to + // truncation. If truncation occurs, the :ref:`truncated + // ` field will be set. If not specified, the + // default is 1KiB. + google.protobuf.UInt32Value max_buffered_tx_bytes = 3; + + // Indicates whether taps produce a single buffered message per tap, or multiple streamed + // messages per tap in the emitted :ref:`TraceWrapper + // ` messages. Note that streamed tapping does not + // mean that no buffering takes place. Buffering may be required if data is processed before a + // match can be determined. See the HTTP tap filter :ref:`streaming + // ` documentation for more information. + bool streaming = 4; +} + +// Tap output sink configuration. +message OutputSink { + option (udpa.annotations.versioning).previous_message_type = "envoy.config.tap.v3.OutputSink"; + + // Output format. All output is in the form of one or more :ref:`TraceWrapper + // ` messages. This enumeration indicates + // how those messages are written. Note that not all sinks support all output formats. See + // individual sink documentation for more information. + enum Format { + // Each message will be written as JSON. Any :ref:`body ` + // data will be present in the :ref:`as_bytes + // ` field. This means that body data will be + // base64 encoded as per the `proto3 JSON mappings + // `_. + JSON_BODY_AS_BYTES = 0; + + // Each message will be written as JSON. Any :ref:`body ` + // data will be present in the :ref:`as_string + // ` field. This means that body data will be + // string encoded as per the `proto3 JSON mappings + // `_. This format type is + // useful when it is known that that body is human readable (e.g., JSON over HTTP) and the + // user wishes to view it directly without being forced to base64 decode the body. + JSON_BODY_AS_STRING = 1; + + // Binary proto format. Note that binary proto is not self-delimiting. If a sink writes + // multiple binary messages without any length information the data stream will not be + // useful. However, for certain sinks that are self-delimiting (e.g., one message per file) + // this output format makes consumption simpler. + PROTO_BINARY = 2; + + // Messages are written as a sequence tuples, where each tuple is the message length encoded + // as a `protobuf 32-bit varint + // `_ + // followed by the binary message. The messages can be read back using the language specific + // protobuf coded stream implementation to obtain the message length and the message. + PROTO_BINARY_LENGTH_DELIMITED = 3; + + // Text proto format. + PROTO_TEXT = 4; + } + + // Sink output format. + Format format = 1 [(validate.rules).enum = {defined_only: true}]; + + oneof output_sink_type { + option (validate.required) = true; + + // Tap output will be streamed out the :http:post:`/tap` admin endpoint. + // + // .. attention:: + // + // It is only allowed to specify the streaming admin output sink if the tap is being + // configured from the :http:post:`/tap` admin endpoint. Thus, if an extension has + // been configured to receive tap configuration from some other source (e.g., static + // file, XDS, etc.) configuring the streaming admin output type will fail. + StreamingAdminSink streaming_admin = 2; + + // Tap output will be written to a file per tap sink. + FilePerTapSink file_per_tap = 3; + + // [#not-implemented-hide:] + // GrpcService to stream data to. The format argument must be PROTO_BINARY. + StreamingGrpcSink streaming_grpc = 4; + } +} + +// Streaming admin sink configuration. +message StreamingAdminSink { + option (udpa.annotations.versioning).previous_message_type = + "envoy.config.tap.v3.StreamingAdminSink"; +} + +// The file per tap sink outputs a discrete file for every tapped stream. +message FilePerTapSink { + option (udpa.annotations.versioning).previous_message_type = "envoy.config.tap.v3.FilePerTapSink"; + + // Path prefix. The output file will be of the form _.pb, where is an + // identifier distinguishing the recorded trace for stream instances (the Envoy + // connection ID, HTTP stream ID, etc.). + string path_prefix = 1 [(validate.rules).string = {min_bytes: 1}]; +} + +// [#not-implemented-hide:] Streaming gRPC sink configuration sends the taps to an external gRPC +// server. +message StreamingGrpcSink { + option (udpa.annotations.versioning).previous_message_type = + "envoy.config.tap.v3.StreamingGrpcSink"; + + // Opaque identifier, that will be sent back to the streaming grpc server. + string tap_id = 1; + + // The gRPC server that hosts the Tap Sink Service. + core.v4alpha.GrpcService grpc_service = 2 [(validate.rules).message = {required: true}]; +} diff --git a/generated_api_shadow/envoy/data/dns/v4alpha/BUILD b/generated_api_shadow/envoy/data/dns/v4alpha/BUILD new file mode 100644 index 000000000000..bc8958ceab0b --- /dev/null +++ b/generated_api_shadow/envoy/data/dns/v4alpha/BUILD @@ -0,0 +1,13 @@ +# DO NOT EDIT. This file is generated by tools/proto_sync.py. + +load("@envoy_api//bazel:api_build_system.bzl", "api_proto_package") + +licenses(["notice"]) # Apache 2 + +api_proto_package( + deps = [ + "//envoy/data/dns/v3:pkg", + "//envoy/type/matcher/v4alpha:pkg", + "@com_github_cncf_udpa//udpa/annotations:pkg", + ], +) diff --git a/generated_api_shadow/envoy/data/dns/v4alpha/dns_table.proto b/generated_api_shadow/envoy/data/dns/v4alpha/dns_table.proto new file mode 100644 index 000000000000..83edc20088de --- /dev/null +++ b/generated_api_shadow/envoy/data/dns/v4alpha/dns_table.proto @@ -0,0 +1,85 @@ +syntax = "proto3"; + +package envoy.data.dns.v4alpha; + +import "envoy/type/matcher/v4alpha/string.proto"; + +import "google/protobuf/duration.proto"; + +import "udpa/annotations/status.proto"; +import "udpa/annotations/versioning.proto"; +import "validate/validate.proto"; + +option java_package = "io.envoyproxy.envoy.data.dns.v4alpha"; +option java_outer_classname = "DnsTableProto"; +option java_multiple_files = true; +option (udpa.annotations.file_status).package_version_status = NEXT_MAJOR_VERSION_CANDIDATE; + +// [#protodoc-title: DNS Filter Table Data] +// :ref:`DNS Filter config overview `. + +// This message contains the configuration for the DNS Filter if populated +// from the control plane +message DnsTable { + option (udpa.annotations.versioning).previous_message_type = "envoy.data.dns.v3.DnsTable"; + + // This message contains a list of IP addresses returned for a query for a known name + message AddressList { + option (udpa.annotations.versioning).previous_message_type = + "envoy.data.dns.v3.DnsTable.AddressList"; + + // This field contains a well formed IP address that is returned + // in the answer for a name query. The address field can be an + // IPv4 or IPv6 address. Address family detection is done automatically + // when Envoy parses the string. Since this field is repeated, + // Envoy will return one randomly chosen entry from this list in the + // DNS response. The random index will vary per query so that we prevent + // clients pinning on a single address for a configured domain + repeated string address = 1 [(validate.rules).repeated = { + min_items: 1 + items {string {min_len: 3}} + }]; + } + + // This message type is extensible and can contain a list of addresses + // or dictate some other method for resolving the addresses for an + // endpoint + message DnsEndpoint { + option (udpa.annotations.versioning).previous_message_type = + "envoy.data.dns.v3.DnsTable.DnsEndpoint"; + + oneof endpoint_config { + option (validate.required) = true; + + AddressList address_list = 1; + } + } + + message DnsVirtualDomain { + option (udpa.annotations.versioning).previous_message_type = + "envoy.data.dns.v3.DnsTable.DnsVirtualDomain"; + + // The domain name for which Envoy will respond to query requests + string name = 1 [(validate.rules).string = {min_len: 2 well_known_regex: HTTP_HEADER_NAME}]; + + // The configuration containing the method to determine the address + // of this endpoint + DnsEndpoint endpoint = 2; + + // Sets the TTL in dns answers from Envoy returned to the client + google.protobuf.Duration answer_ttl = 3 [(validate.rules).duration = {gt {}}]; + } + + // Control how many times envoy makes an attempt to forward a query to + // an external server + uint32 external_retry_count = 1; + + // Fully qualified domain names for which Envoy will respond to queries + repeated DnsVirtualDomain virtual_domains = 2 [(validate.rules).repeated = {min_items: 1}]; + + // This field serves to help Envoy determine whether it can authoritatively + // answer a query for a name matching a suffix in this list. If the query + // name does not match a suffix in this list, Envoy will forward + // the query to an upstream DNS server + repeated type.matcher.v4alpha.StringMatcher known_suffixes = 3; +} diff --git a/generated_api_shadow/envoy/extensions/common/tap/v4alpha/BUILD b/generated_api_shadow/envoy/extensions/common/tap/v4alpha/BUILD index d1fe49142a8e..a6fffecd9621 100644 --- a/generated_api_shadow/envoy/extensions/common/tap/v4alpha/BUILD +++ b/generated_api_shadow/envoy/extensions/common/tap/v4alpha/BUILD @@ -7,7 +7,7 @@ licenses(["notice"]) # Apache 2 api_proto_package( deps = [ "//envoy/config/core/v4alpha:pkg", - "//envoy/config/tap/v3:pkg", + "//envoy/config/tap/v4alpha:pkg", "//envoy/extensions/common/tap/v3:pkg", "@com_github_cncf_udpa//udpa/annotations:pkg", ], diff --git a/generated_api_shadow/envoy/extensions/common/tap/v4alpha/common.proto b/generated_api_shadow/envoy/extensions/common/tap/v4alpha/common.proto index 63de14a3d6f6..f37889b90212 100644 --- a/generated_api_shadow/envoy/extensions/common/tap/v4alpha/common.proto +++ b/generated_api_shadow/envoy/extensions/common/tap/v4alpha/common.proto @@ -3,7 +3,7 @@ syntax = "proto3"; package envoy.extensions.common.tap.v4alpha; import "envoy/config/core/v4alpha/config_source.proto"; -import "envoy/config/tap/v3/common.proto"; +import "envoy/config/tap/v4alpha/common.proto"; import "udpa/annotations/status.proto"; import "udpa/annotations/versioning.proto"; @@ -42,7 +42,7 @@ message CommonExtensionConfig { // If specified, the tap filter will be configured via a static configuration that cannot be // changed. - config.tap.v3.TapConfig static_config = 2; + config.tap.v4alpha.TapConfig static_config = 2; // [#not-implemented-hide:] Configuration to use for TapDS updates for the filter. TapDSConfig tapds_config = 3; diff --git a/generated_api_shadow/envoy/extensions/filters/http/cache/v4alpha/BUILD b/generated_api_shadow/envoy/extensions/filters/http/cache/v4alpha/BUILD new file mode 100644 index 000000000000..63033acab5cf --- /dev/null +++ b/generated_api_shadow/envoy/extensions/filters/http/cache/v4alpha/BUILD @@ -0,0 +1,14 @@ +# DO NOT EDIT. This file is generated by tools/proto_sync.py. + +load("@envoy_api//bazel:api_build_system.bzl", "api_proto_package") + +licenses(["notice"]) # Apache 2 + +api_proto_package( + deps = [ + "//envoy/config/route/v4alpha:pkg", + "//envoy/extensions/filters/http/cache/v3alpha:pkg", + "//envoy/type/matcher/v4alpha:pkg", + "@com_github_cncf_udpa//udpa/annotations:pkg", + ], +) diff --git a/generated_api_shadow/envoy/extensions/filters/http/cache/v4alpha/cache.proto b/generated_api_shadow/envoy/extensions/filters/http/cache/v4alpha/cache.proto new file mode 100644 index 000000000000..7cb48d4d6c26 --- /dev/null +++ b/generated_api_shadow/envoy/extensions/filters/http/cache/v4alpha/cache.proto @@ -0,0 +1,84 @@ +syntax = "proto3"; + +package envoy.extensions.filters.http.cache.v4alpha; + +import "envoy/config/route/v4alpha/route_components.proto"; +import "envoy/type/matcher/v4alpha/string.proto"; + +import "google/protobuf/any.proto"; + +import "udpa/annotations/status.proto"; +import "udpa/annotations/versioning.proto"; +import "validate/validate.proto"; + +option java_package = "io.envoyproxy.envoy.extensions.filters.http.cache.v4alpha"; +option java_outer_classname = "CacheProto"; +option java_multiple_files = true; +option (udpa.annotations.file_status).work_in_progress = true; +option (udpa.annotations.file_status).package_version_status = NEXT_MAJOR_VERSION_CANDIDATE; + +// [#protodoc-title: HTTP Cache Filter] +// [#extension: envoy.filters.http.cache] + +message CacheConfig { + option (udpa.annotations.versioning).previous_message_type = + "envoy.extensions.filters.http.cache.v3alpha.CacheConfig"; + + // [#not-implemented-hide:] + // Modifies cache key creation by restricting which parts of the URL are included. + message KeyCreatorParams { + option (udpa.annotations.versioning).previous_message_type = + "envoy.extensions.filters.http.cache.v3alpha.CacheConfig.KeyCreatorParams"; + + // If true, exclude the URL scheme from the cache key. Set to true if your origins always + // produce the same response for http and https requests. + bool exclude_scheme = 1; + + // If true, exclude the host from the cache key. Set to true if your origins' responses don't + // ever depend on host. + bool exclude_host = 2; + + // If *query_parameters_included* is nonempty, only query parameters matched + // by one or more of its matchers are included in the cache key. Any other + // query params will not affect cache lookup. + repeated config.route.v4alpha.QueryParameterMatcher query_parameters_included = 3; + + // If *query_parameters_excluded* is nonempty, query parameters matched by one + // or more of its matchers are excluded from the cache key (even if also + // matched by *query_parameters_included*), and will not affect cache lookup. + repeated config.route.v4alpha.QueryParameterMatcher query_parameters_excluded = 4; + } + + // Config specific to the cache storage implementation. + google.protobuf.Any typed_config = 1 [(validate.rules).any = {required: true}]; + + // [#not-implemented-hide:] + // + // + // List of allowed *Vary* headers. + // + // The *vary* response header holds a list of header names that affect the + // contents of a response, as described by + // https://httpwg.org/specs/rfc7234.html#caching.negotiated.responses. + // + // During insertion, *allowed_vary_headers* acts as a whitelist: if a + // response's *vary* header mentions any header names that aren't in + // *allowed_vary_headers*, that response will not be cached. + // + // During lookup, *allowed_vary_headers* controls what request headers will be + // sent to the cache storage implementation. + repeated type.matcher.v4alpha.StringMatcher allowed_vary_headers = 2; + + // [#not-implemented-hide:] + // + // + // Modifies cache key creation by restricting which parts of the URL are included. + KeyCreatorParams key_creator_params = 3; + + // [#not-implemented-hide:] + // + // + // Max body size the cache filter will insert into a cache. 0 means unlimited (though the cache + // storage implementation may have its own limit beyond which it will reject insertions). + uint32 max_body_bytes = 4; +} diff --git a/generated_api_shadow/envoy/extensions/filters/http/csrf/v4alpha/BUILD b/generated_api_shadow/envoy/extensions/filters/http/csrf/v4alpha/BUILD new file mode 100644 index 000000000000..72211218ff52 --- /dev/null +++ b/generated_api_shadow/envoy/extensions/filters/http/csrf/v4alpha/BUILD @@ -0,0 +1,14 @@ +# DO NOT EDIT. This file is generated by tools/proto_sync.py. + +load("@envoy_api//bazel:api_build_system.bzl", "api_proto_package") + +licenses(["notice"]) # Apache 2 + +api_proto_package( + deps = [ + "//envoy/config/core/v4alpha:pkg", + "//envoy/extensions/filters/http/csrf/v3:pkg", + "//envoy/type/matcher/v4alpha:pkg", + "@com_github_cncf_udpa//udpa/annotations:pkg", + ], +) diff --git a/generated_api_shadow/envoy/extensions/filters/http/csrf/v4alpha/csrf.proto b/generated_api_shadow/envoy/extensions/filters/http/csrf/v4alpha/csrf.proto new file mode 100644 index 000000000000..dda915a059af --- /dev/null +++ b/generated_api_shadow/envoy/extensions/filters/http/csrf/v4alpha/csrf.proto @@ -0,0 +1,54 @@ +syntax = "proto3"; + +package envoy.extensions.filters.http.csrf.v4alpha; + +import "envoy/config/core/v4alpha/base.proto"; +import "envoy/type/matcher/v4alpha/string.proto"; + +import "udpa/annotations/status.proto"; +import "udpa/annotations/versioning.proto"; +import "validate/validate.proto"; + +option java_package = "io.envoyproxy.envoy.extensions.filters.http.csrf.v4alpha"; +option java_outer_classname = "CsrfProto"; +option java_multiple_files = true; +option (udpa.annotations.file_status).package_version_status = NEXT_MAJOR_VERSION_CANDIDATE; + +// [#protodoc-title: CSRF] +// Cross-Site Request Forgery :ref:`configuration overview `. +// [#extension: envoy.filters.http.csrf] + +// CSRF filter config. +message CsrfPolicy { + option (udpa.annotations.versioning).previous_message_type = + "envoy.extensions.filters.http.csrf.v3.CsrfPolicy"; + + // Specifies the % of requests for which the CSRF filter is enabled. + // + // If :ref:`runtime_key ` is specified, + // Envoy will lookup the runtime key to get the percentage of requests to filter. + // + // .. note:: + // + // This field defaults to 100/:ref:`HUNDRED + // `. + config.core.v4alpha.RuntimeFractionalPercent filter_enabled = 1 + [(validate.rules).message = {required: true}]; + + // Specifies that CSRF policies will be evaluated and tracked, but not enforced. + // + // This is intended to be used when ``filter_enabled`` is off and will be ignored otherwise. + // + // If :ref:`runtime_key ` is specified, + // Envoy will lookup the runtime key to get the percentage of requests for which it will evaluate + // and track the request's *Origin* and *Destination* to determine if it's valid, but will not + // enforce any policies. + config.core.v4alpha.RuntimeFractionalPercent shadow_enabled = 2; + + // Specifies additional source origins that will be allowed in addition to + // the destination origin. + // + // More information on how this can be configured via runtime can be found + // :ref:`here `. + repeated type.matcher.v4alpha.StringMatcher additional_origins = 3; +} diff --git a/generated_api_shadow/envoy/extensions/filters/http/ext_authz/v4alpha/BUILD b/generated_api_shadow/envoy/extensions/filters/http/ext_authz/v4alpha/BUILD new file mode 100644 index 000000000000..9a3d8a574a9b --- /dev/null +++ b/generated_api_shadow/envoy/extensions/filters/http/ext_authz/v4alpha/BUILD @@ -0,0 +1,16 @@ +# DO NOT EDIT. This file is generated by tools/proto_sync.py. + +load("@envoy_api//bazel:api_build_system.bzl", "api_proto_package") + +licenses(["notice"]) # Apache 2 + +api_proto_package( + deps = [ + "//envoy/annotations:pkg", + "//envoy/config/core/v4alpha:pkg", + "//envoy/extensions/filters/http/ext_authz/v3:pkg", + "//envoy/type/matcher/v4alpha:pkg", + "//envoy/type/v3:pkg", + "@com_github_cncf_udpa//udpa/annotations:pkg", + ], +) diff --git a/generated_api_shadow/envoy/extensions/filters/http/ext_authz/v4alpha/ext_authz.proto b/generated_api_shadow/envoy/extensions/filters/http/ext_authz/v4alpha/ext_authz.proto new file mode 100644 index 000000000000..b39a2d56d00d --- /dev/null +++ b/generated_api_shadow/envoy/extensions/filters/http/ext_authz/v4alpha/ext_authz.proto @@ -0,0 +1,245 @@ +syntax = "proto3"; + +package envoy.extensions.filters.http.ext_authz.v4alpha; + +import "envoy/config/core/v4alpha/base.proto"; +import "envoy/config/core/v4alpha/grpc_service.proto"; +import "envoy/config/core/v4alpha/http_uri.proto"; +import "envoy/type/matcher/v4alpha/string.proto"; +import "envoy/type/v3/http_status.proto"; + +import "envoy/annotations/deprecation.proto"; +import "udpa/annotations/status.proto"; +import "udpa/annotations/versioning.proto"; +import "validate/validate.proto"; + +option java_package = "io.envoyproxy.envoy.extensions.filters.http.ext_authz.v4alpha"; +option java_outer_classname = "ExtAuthzProto"; +option java_multiple_files = true; +option (udpa.annotations.file_status).package_version_status = NEXT_MAJOR_VERSION_CANDIDATE; + +// [#protodoc-title: External Authorization] +// External Authorization :ref:`configuration overview `. +// [#extension: envoy.filters.http.ext_authz] + +// [#next-free-field: 11] +message ExtAuthz { + option (udpa.annotations.versioning).previous_message_type = + "envoy.extensions.filters.http.ext_authz.v3.ExtAuthz"; + + reserved 4; + + reserved "use_alpha"; + + // External authorization service configuration. + oneof services { + // gRPC service configuration (default timeout: 200ms). + config.core.v4alpha.GrpcService grpc_service = 1; + + // HTTP service configuration (default timeout: 200ms). + HttpService http_service = 3; + } + + // Changes filter's behaviour on errors: + // + // 1. When set to true, the filter will *accept* client request even if the communication with + // the authorization service has failed, or if the authorization service has returned a HTTP 5xx + // error. + // + // 2. When set to false, ext-authz will *reject* client requests and return a *Forbidden* + // response if the communication with the authorization service has failed, or if the + // authorization service has returned a HTTP 5xx error. + // + // Note that errors can be *always* tracked in the :ref:`stats + // `. + bool failure_mode_allow = 2; + + // Enables filter to buffer the client request body and send it within the authorization request. + // A ``x-envoy-auth-partial-body: false|true`` metadata header will be added to the authorization + // request message indicating if the body data is partial. + BufferSettings with_request_body = 5; + + // Clears route cache in order to allow the external authorization service to correctly affect + // routing decisions. Filter clears all cached routes when: + // + // 1. The field is set to *true*. + // + // 2. The status returned from the authorization service is a HTTP 200 or gRPC 0. + // + // 3. At least one *authorization response header* is added to the client request, or is used for + // altering another client request header. + // + bool clear_route_cache = 6; + + // Sets the HTTP status that is returned to the client when there is a network error between the + // filter and the authorization server. The default status is HTTP 403 Forbidden. + type.v3.HttpStatus status_on_error = 7; + + // Specifies a list of metadata namespaces whose values, if present, will be passed to the + // ext_authz service as an opaque *protobuf::Struct*. + // + // For example, if the *jwt_authn* filter is used and :ref:`payload_in_metadata + // ` is set, + // then the following will pass the jwt payload to the authorization server. + // + // .. code-block:: yaml + // + // metadata_context_namespaces: + // - envoy.filters.http.jwt_authn + // + repeated string metadata_context_namespaces = 8; + + // Specifies if the filter is enabled. + // + // If :ref:`runtime_key ` is specified, + // Envoy will lookup the runtime key to get the percentage of requests to filter. + // + // If this field is not specified, the filter will be enabled for all requests. + config.core.v4alpha.RuntimeFractionalPercent filter_enabled = 9; + + // Specifies if the peer certificate is sent to the external service. + // + // When this field is true, Envoy will include the peer X.509 certificate, if available, in the + // :ref:`certificate`. + bool include_peer_certificate = 10; +} + +// Configuration for buffering the request data. +message BufferSettings { + option (udpa.annotations.versioning).previous_message_type = + "envoy.extensions.filters.http.ext_authz.v3.BufferSettings"; + + // Sets the maximum size of a message body that the filter will hold in memory. Envoy will return + // *HTTP 413* and will *not* initiate the authorization process when buffer reaches the number + // set in this field. Note that this setting will have precedence over :ref:`failure_mode_allow + // `. + uint32 max_request_bytes = 1 [(validate.rules).uint32 = {gt: 0}]; + + // When this field is true, Envoy will buffer the message until *max_request_bytes* is reached. + // The authorization request will be dispatched and no 413 HTTP error will be returned by the + // filter. + bool allow_partial_message = 2; +} + +// HttpService is used for raw HTTP communication between the filter and the authorization service. +// When configured, the filter will parse the client request and use these attributes to call the +// authorization server. Depending on the response, the filter may reject or accept the client +// request. Note that in any of these events, metadata can be added, removed or overridden by the +// filter: +// +// *On authorization request*, a list of allowed request headers may be supplied. See +// :ref:`allowed_headers +// ` +// for details. Additional headers metadata may be added to the authorization request. See +// :ref:`headers_to_add +// ` for +// details. +// +// On authorization response status HTTP 200 OK, the filter will allow traffic to the upstream and +// additional headers metadata may be added to the original client request. See +// :ref:`allowed_upstream_headers +// ` +// for details. +// +// On other authorization response statuses, the filter will not allow traffic. Additional headers +// metadata as well as body may be added to the client's response. See :ref:`allowed_client_headers +// ` +// for details. +// [#next-free-field: 9] +message HttpService { + option (udpa.annotations.versioning).previous_message_type = + "envoy.extensions.filters.http.ext_authz.v3.HttpService"; + + reserved 3, 4, 5, 6; + + // Sets the HTTP server URI which the authorization requests must be sent to. + config.core.v4alpha.HttpUri server_uri = 1; + + // Sets a prefix to the value of authorization request header *Path*. + string path_prefix = 2; + + // Settings used for controlling authorization request metadata. + AuthorizationRequest authorization_request = 7; + + // Settings used for controlling authorization response metadata. + AuthorizationResponse authorization_response = 8; +} + +message AuthorizationRequest { + option (udpa.annotations.versioning).previous_message_type = + "envoy.extensions.filters.http.ext_authz.v3.AuthorizationRequest"; + + // Authorization request will include the client request headers that have a correspondent match + // in the :ref:`list `. Note that in addition to the + // user's supplied matchers: + // + // 1. *Host*, *Method*, *Path* and *Content-Length* are automatically included to the list. + // + // 2. *Content-Length* will be set to 0 and the request to the authorization service will not have + // a message body. However, the authorization request can include the buffered client request body + // (controlled by :ref:`with_request_body + // ` setting), + // consequently the value of *Content-Length* of the authorization request reflects the size of + // its payload size. + // + type.matcher.v4alpha.ListStringMatcher allowed_headers = 1; + + // Sets a list of headers that will be included to the request to authorization service. Note that + // client request of the same key will be overridden. + repeated config.core.v4alpha.HeaderValue headers_to_add = 2; +} + +message AuthorizationResponse { + option (udpa.annotations.versioning).previous_message_type = + "envoy.extensions.filters.http.ext_authz.v3.AuthorizationResponse"; + + // When this :ref:`list ` is set, authorization + // response headers that have a correspondent match will be added to the original client request. + // Note that coexistent headers will be overridden. + type.matcher.v4alpha.ListStringMatcher allowed_upstream_headers = 1; + + // When this :ref:`list `. is set, authorization + // response headers that have a correspondent match will be added to the client's response. Note + // that when this list is *not* set, all the authorization response headers, except *Authority + // (Host)* will be in the response to the client. When a header is included in this list, *Path*, + // *Status*, *Content-Length*, *WWWAuthenticate* and *Location* are automatically added. + type.matcher.v4alpha.ListStringMatcher allowed_client_headers = 2; +} + +// Extra settings on a per virtualhost/route/weighted-cluster level. +message ExtAuthzPerRoute { + option (udpa.annotations.versioning).previous_message_type = + "envoy.extensions.filters.http.ext_authz.v3.ExtAuthzPerRoute"; + + oneof override { + option (validate.required) = true; + + // Disable the ext auth filter for this particular vhost or route. + // If disabled is specified in multiple per-filter-configs, the most specific one will be used. + bool disabled = 1 [(validate.rules).bool = {const: true}]; + + // Check request settings for this route. + CheckSettings check_settings = 2 [(validate.rules).message = {required: true}]; + } +} + +// Extra settings for the check request. You can use this to provide extra context for the +// external authorization server on specific virtual hosts \ routes. For example, adding a context +// extension on the virtual host level can give the ext-authz server information on what virtual +// host is used without needing to parse the host header. If CheckSettings is specified in multiple +// per-filter-configs, they will be merged in order, and the result will be used. +message CheckSettings { + option (udpa.annotations.versioning).previous_message_type = + "envoy.extensions.filters.http.ext_authz.v3.CheckSettings"; + + // Context extensions to set on the CheckRequest's + // :ref:`AttributeContext.context_extensions` + // + // Merge semantics for this field are such that keys from more specific configs override. + // + // .. note:: + // + // These settings are only applied to a filter configured with a + // :ref:`grpc_service`. + map context_extensions = 1; +} diff --git a/generated_api_shadow/envoy/extensions/filters/http/fault/v4alpha/BUILD b/generated_api_shadow/envoy/extensions/filters/http/fault/v4alpha/BUILD new file mode 100644 index 000000000000..936ee4414038 --- /dev/null +++ b/generated_api_shadow/envoy/extensions/filters/http/fault/v4alpha/BUILD @@ -0,0 +1,15 @@ +# DO NOT EDIT. This file is generated by tools/proto_sync.py. + +load("@envoy_api//bazel:api_build_system.bzl", "api_proto_package") + +licenses(["notice"]) # Apache 2 + +api_proto_package( + deps = [ + "//envoy/config/route/v4alpha:pkg", + "//envoy/extensions/filters/common/fault/v3:pkg", + "//envoy/extensions/filters/http/fault/v3:pkg", + "//envoy/type/v3:pkg", + "@com_github_cncf_udpa//udpa/annotations:pkg", + ], +) diff --git a/generated_api_shadow/envoy/extensions/filters/http/fault/v4alpha/fault.proto b/generated_api_shadow/envoy/extensions/filters/http/fault/v4alpha/fault.proto new file mode 100644 index 000000000000..7dd4f48aa476 --- /dev/null +++ b/generated_api_shadow/envoy/extensions/filters/http/fault/v4alpha/fault.proto @@ -0,0 +1,144 @@ +syntax = "proto3"; + +package envoy.extensions.filters.http.fault.v4alpha; + +import "envoy/config/route/v4alpha/route_components.proto"; +import "envoy/extensions/filters/common/fault/v3/fault.proto"; +import "envoy/type/v3/percent.proto"; + +import "google/protobuf/wrappers.proto"; + +import "udpa/annotations/status.proto"; +import "udpa/annotations/versioning.proto"; +import "validate/validate.proto"; + +option java_package = "io.envoyproxy.envoy.extensions.filters.http.fault.v4alpha"; +option java_outer_classname = "FaultProto"; +option java_multiple_files = true; +option (udpa.annotations.file_status).package_version_status = NEXT_MAJOR_VERSION_CANDIDATE; + +// [#protodoc-title: Fault Injection] +// Fault Injection :ref:`configuration overview `. +// [#extension: envoy.filters.http.fault] + +// [#next-free-field: 6] +message FaultAbort { + option (udpa.annotations.versioning).previous_message_type = + "envoy.extensions.filters.http.fault.v3.FaultAbort"; + + // Fault aborts are controlled via an HTTP header (if applicable). See the + // :ref:`HTTP fault filter ` documentation for + // more information. + message HeaderAbort { + option (udpa.annotations.versioning).previous_message_type = + "envoy.extensions.filters.http.fault.v3.FaultAbort.HeaderAbort"; + } + + reserved 1; + + oneof error_type { + option (validate.required) = true; + + // HTTP status code to use to abort the HTTP request. + uint32 http_status = 2 [(validate.rules).uint32 = {lt: 600 gte: 200}]; + + // gRPC status code to use to abort the gRPC request. + uint32 grpc_status = 5; + + // Fault aborts are controlled via an HTTP header (if applicable). + HeaderAbort header_abort = 4; + } + + // The percentage of requests/operations/connections that will be aborted with the error code + // provided. + type.v3.FractionalPercent percentage = 3; +} + +// [#next-free-field: 15] +message HTTPFault { + option (udpa.annotations.versioning).previous_message_type = + "envoy.extensions.filters.http.fault.v3.HTTPFault"; + + // If specified, the filter will inject delays based on the values in the + // object. + common.fault.v3.FaultDelay delay = 1; + + // If specified, the filter will abort requests based on the values in + // the object. At least *abort* or *delay* must be specified. + FaultAbort abort = 2; + + // Specifies the name of the (destination) upstream cluster that the + // filter should match on. Fault injection will be restricted to requests + // bound to the specific upstream cluster. + string upstream_cluster = 3; + + // Specifies a set of headers that the filter should match on. The fault + // injection filter can be applied selectively to requests that match a set of + // headers specified in the fault filter config. The chances of actual fault + // injection further depend on the value of the :ref:`percentage + // ` field. + // The filter will check the request's headers against all the specified + // headers in the filter config. A match will happen if all the headers in the + // config are present in the request with the same values (or based on + // presence if the *value* field is not in the config). + repeated config.route.v4alpha.HeaderMatcher headers = 4; + + // Faults are injected for the specified list of downstream hosts. If this + // setting is not set, faults are injected for all downstream nodes. + // Downstream node name is taken from :ref:`the HTTP + // x-envoy-downstream-service-node + // ` header and compared + // against downstream_nodes list. + repeated string downstream_nodes = 5; + + // The maximum number of faults that can be active at a single time via the configured fault + // filter. Note that because this setting can be overridden at the route level, it's possible + // for the number of active faults to be greater than this value (if injected via a different + // route). If not specified, defaults to unlimited. This setting can be overridden via + // `runtime ` and any faults that are not injected + // due to overflow will be indicated via the `faults_overflow + // ` stat. + // + // .. attention:: + // Like other :ref:`circuit breakers ` in Envoy, this is a fuzzy + // limit. It's possible for the number of active faults to rise slightly above the configured + // amount due to the implementation details. + google.protobuf.UInt32Value max_active_faults = 6; + + // The response rate limit to be applied to the response body of the stream. When configured, + // the percentage can be overridden by the :ref:`fault.http.rate_limit.response_percent + // ` runtime key. + // + // .. attention:: + // This is a per-stream limit versus a connection level limit. This means that concurrent streams + // will each get an independent limit. + common.fault.v3.FaultRateLimit response_rate_limit = 7; + + // The runtime key to override the :ref:`default ` + // runtime. The default is: fault.http.delay.fixed_delay_percent + string delay_percent_runtime = 8; + + // The runtime key to override the :ref:`default ` + // runtime. The default is: fault.http.abort.abort_percent + string abort_percent_runtime = 9; + + // The runtime key to override the :ref:`default ` + // runtime. The default is: fault.http.delay.fixed_duration_ms + string delay_duration_runtime = 10; + + // The runtime key to override the :ref:`default ` + // runtime. The default is: fault.http.abort.http_status + string abort_http_status_runtime = 11; + + // The runtime key to override the :ref:`default ` + // runtime. The default is: fault.http.max_active_faults + string max_active_faults_runtime = 12; + + // The runtime key to override the :ref:`default ` + // runtime. The default is: fault.http.rate_limit.response_percent + string response_rate_limit_percent_runtime = 13; + + // The runtime key to override the :ref:`default ` + // runtime. The default is: fault.http.abort.grpc_status + string abort_grpc_status_runtime = 14; +} diff --git a/generated_api_shadow/envoy/extensions/filters/http/health_check/v4alpha/BUILD b/generated_api_shadow/envoy/extensions/filters/http/health_check/v4alpha/BUILD new file mode 100644 index 000000000000..97b6ad2feb2d --- /dev/null +++ b/generated_api_shadow/envoy/extensions/filters/http/health_check/v4alpha/BUILD @@ -0,0 +1,14 @@ +# DO NOT EDIT. This file is generated by tools/proto_sync.py. + +load("@envoy_api//bazel:api_build_system.bzl", "api_proto_package") + +licenses(["notice"]) # Apache 2 + +api_proto_package( + deps = [ + "//envoy/config/route/v4alpha:pkg", + "//envoy/extensions/filters/http/health_check/v3:pkg", + "//envoy/type/v3:pkg", + "@com_github_cncf_udpa//udpa/annotations:pkg", + ], +) diff --git a/generated_api_shadow/envoy/extensions/filters/http/health_check/v4alpha/health_check.proto b/generated_api_shadow/envoy/extensions/filters/http/health_check/v4alpha/health_check.proto new file mode 100644 index 000000000000..f530363e2380 --- /dev/null +++ b/generated_api_shadow/envoy/extensions/filters/http/health_check/v4alpha/health_check.proto @@ -0,0 +1,47 @@ +syntax = "proto3"; + +package envoy.extensions.filters.http.health_check.v4alpha; + +import "envoy/config/route/v4alpha/route_components.proto"; +import "envoy/type/v3/percent.proto"; + +import "google/protobuf/duration.proto"; +import "google/protobuf/wrappers.proto"; + +import "udpa/annotations/status.proto"; +import "udpa/annotations/versioning.proto"; +import "validate/validate.proto"; + +option java_package = "io.envoyproxy.envoy.extensions.filters.http.health_check.v4alpha"; +option java_outer_classname = "HealthCheckProto"; +option java_multiple_files = true; +option (udpa.annotations.file_status).package_version_status = NEXT_MAJOR_VERSION_CANDIDATE; + +// [#protodoc-title: Health check] +// Health check :ref:`configuration overview `. +// [#extension: envoy.filters.http.health_check] + +// [#next-free-field: 6] +message HealthCheck { + option (udpa.annotations.versioning).previous_message_type = + "envoy.extensions.filters.http.health_check.v3.HealthCheck"; + + reserved 2; + + // Specifies whether the filter operates in pass through mode or not. + google.protobuf.BoolValue pass_through_mode = 1 [(validate.rules).message = {required: true}]; + + // If operating in pass through mode, the amount of time in milliseconds + // that the filter should cache the upstream response. + google.protobuf.Duration cache_time = 3; + + // If operating in non-pass-through mode, specifies a set of upstream cluster + // names and the minimum percentage of servers in each of those clusters that + // must be healthy or degraded in order for the filter to return a 200. + map cluster_min_healthy_percentages = 4; + + // Specifies a set of health check request headers to match on. The health check filter will + // check a request’s headers against all the specified headers. To specify the health check + // endpoint, set the ``:path`` header to match on. + repeated config.route.v4alpha.HeaderMatcher headers = 5; +} diff --git a/generated_api_shadow/envoy/extensions/filters/http/jwt_authn/v4alpha/BUILD b/generated_api_shadow/envoy/extensions/filters/http/jwt_authn/v4alpha/BUILD new file mode 100644 index 000000000000..a9f9b8bc44c3 --- /dev/null +++ b/generated_api_shadow/envoy/extensions/filters/http/jwt_authn/v4alpha/BUILD @@ -0,0 +1,14 @@ +# DO NOT EDIT. This file is generated by tools/proto_sync.py. + +load("@envoy_api//bazel:api_build_system.bzl", "api_proto_package") + +licenses(["notice"]) # Apache 2 + +api_proto_package( + deps = [ + "//envoy/config/core/v4alpha:pkg", + "//envoy/config/route/v4alpha:pkg", + "//envoy/extensions/filters/http/jwt_authn/v3:pkg", + "@com_github_cncf_udpa//udpa/annotations:pkg", + ], +) diff --git a/generated_api_shadow/envoy/extensions/filters/http/jwt_authn/v4alpha/config.proto b/generated_api_shadow/envoy/extensions/filters/http/jwt_authn/v4alpha/config.proto new file mode 100644 index 000000000000..302cf7253dde --- /dev/null +++ b/generated_api_shadow/envoy/extensions/filters/http/jwt_authn/v4alpha/config.proto @@ -0,0 +1,531 @@ +syntax = "proto3"; + +package envoy.extensions.filters.http.jwt_authn.v4alpha; + +import "envoy/config/core/v4alpha/base.proto"; +import "envoy/config/core/v4alpha/http_uri.proto"; +import "envoy/config/route/v4alpha/route_components.proto"; + +import "google/protobuf/duration.proto"; +import "google/protobuf/empty.proto"; + +import "udpa/annotations/status.proto"; +import "udpa/annotations/versioning.proto"; +import "validate/validate.proto"; + +option java_package = "io.envoyproxy.envoy.extensions.filters.http.jwt_authn.v4alpha"; +option java_outer_classname = "ConfigProto"; +option java_multiple_files = true; +option (udpa.annotations.file_status).package_version_status = NEXT_MAJOR_VERSION_CANDIDATE; + +// [#protodoc-title: JWT Authentication] +// JWT Authentication :ref:`configuration overview `. +// [#extension: envoy.filters.http.jwt_authn] + +// Please see following for JWT authentication flow: +// +// * `JSON Web Token (JWT) `_ +// * `The OAuth 2.0 Authorization Framework `_ +// * `OpenID Connect `_ +// +// A JwtProvider message specifies how a JSON Web Token (JWT) can be verified. It specifies: +// +// * issuer: the principal that issues the JWT. It has to match the one from the token. +// * allowed audiences: the ones in the token have to be listed here. +// * how to fetch public key JWKS to verify the token signature. +// * how to extract JWT token in the request. +// * how to pass successfully verified token payload. +// +// Example: +// +// .. code-block:: yaml +// +// issuer: https://example.com +// audiences: +// - bookstore_android.apps.googleusercontent.com +// - bookstore_web.apps.googleusercontent.com +// remote_jwks: +// http_uri: +// uri: https://example.com/.well-known/jwks.json +// cluster: example_jwks_cluster +// cache_duration: +// seconds: 300 +// +// [#next-free-field: 10] +message JwtProvider { + option (udpa.annotations.versioning).previous_message_type = + "envoy.extensions.filters.http.jwt_authn.v3.JwtProvider"; + + // Specify the `principal `_ that issued + // the JWT, usually a URL or an email address. + // + // Example: https://securetoken.google.com + // Example: 1234567-compute@developer.gserviceaccount.com + // + string issuer = 1 [(validate.rules).string = {min_bytes: 1}]; + + // The list of JWT `audiences `_ are + // allowed to access. A JWT containing any of these audiences will be accepted. If not specified, + // will not check audiences in the token. + // + // Example: + // + // .. code-block:: yaml + // + // audiences: + // - bookstore_android.apps.googleusercontent.com + // - bookstore_web.apps.googleusercontent.com + // + repeated string audiences = 2; + + // `JSON Web Key Set (JWKS) `_ is needed to + // validate signature of a JWT. This field specifies where to fetch JWKS. + oneof jwks_source_specifier { + option (validate.required) = true; + + // JWKS can be fetched from remote server via HTTP/HTTPS. This field specifies the remote HTTP + // URI and how the fetched JWKS should be cached. + // + // Example: + // + // .. code-block:: yaml + // + // remote_jwks: + // http_uri: + // uri: https://www.googleapis.com/oauth2/v1/certs + // cluster: jwt.www.googleapis.com|443 + // cache_duration: + // seconds: 300 + // + RemoteJwks remote_jwks = 3; + + // JWKS is in local data source. It could be either in a local file or embedded in the + // inline_string. + // + // Example: local file + // + // .. code-block:: yaml + // + // local_jwks: + // filename: /etc/envoy/jwks/jwks1.txt + // + // Example: inline_string + // + // .. code-block:: yaml + // + // local_jwks: + // inline_string: ACADADADADA + // + config.core.v4alpha.DataSource local_jwks = 4; + } + + // If false, the JWT is removed in the request after a success verification. If true, the JWT is + // not removed in the request. Default value is false. + bool forward = 5; + + // Two fields below define where to extract the JWT from an HTTP request. + // + // If no explicit location is specified, the following default locations are tried in order: + // + // 1. The Authorization header using the `Bearer schema + // `_. Example:: + // + // Authorization: Bearer . + // + // 2. `access_token `_ query parameter. + // + // Multiple JWTs can be verified for a request. Each JWT has to be extracted from the locations + // its provider specified or from the default locations. + // + // Specify the HTTP headers to extract JWT token. For examples, following config: + // + // .. code-block:: yaml + // + // from_headers: + // - name: x-goog-iap-jwt-assertion + // + // can be used to extract token from header:: + // + // ``x-goog-iap-jwt-assertion: ``. + // + repeated JwtHeader from_headers = 6; + + // JWT is sent in a query parameter. `jwt_params` represents the query parameter names. + // + // For example, if config is: + // + // .. code-block:: yaml + // + // from_params: + // - jwt_token + // + // The JWT format in query parameter is:: + // + // /path?jwt_token= + // + repeated string from_params = 7; + + // This field specifies the header name to forward a successfully verified JWT payload to the + // backend. The forwarded data is:: + // + // base64url_encoded(jwt_payload_in_JSON) + // + // If it is not specified, the payload will not be forwarded. + string forward_payload_header = 8 + [(validate.rules).string = {well_known_regex: HTTP_HEADER_NAME strict: false}]; + + // If non empty, successfully verified JWT payloads will be written to StreamInfo DynamicMetadata + // in the format as: *namespace* is the jwt_authn filter name as **envoy.filters.http.jwt_authn** + // The value is the *protobuf::Struct*. The value of this field will be the key for its *fields* + // and the value is the *protobuf::Struct* converted from JWT JSON payload. + // + // For example, if payload_in_metadata is *my_payload*: + // + // .. code-block:: yaml + // + // envoy.filters.http.jwt_authn: + // my_payload: + // iss: https://example.com + // sub: test@example.com + // aud: https://example.com + // exp: 1501281058 + // + string payload_in_metadata = 9; +} + +// This message specifies how to fetch JWKS from remote and how to cache it. +message RemoteJwks { + option (udpa.annotations.versioning).previous_message_type = + "envoy.extensions.filters.http.jwt_authn.v3.RemoteJwks"; + + // The HTTP URI to fetch the JWKS. For example: + // + // .. code-block:: yaml + // + // http_uri: + // uri: https://www.googleapis.com/oauth2/v1/certs + // cluster: jwt.www.googleapis.com|443 + // + config.core.v4alpha.HttpUri http_uri = 1; + + // Duration after which the cached JWKS should be expired. If not specified, default cache + // duration is 5 minutes. + google.protobuf.Duration cache_duration = 2; +} + +// This message specifies a header location to extract JWT token. +message JwtHeader { + option (udpa.annotations.versioning).previous_message_type = + "envoy.extensions.filters.http.jwt_authn.v3.JwtHeader"; + + // The HTTP header name. + string name = 1 + [(validate.rules).string = {min_bytes: 1 well_known_regex: HTTP_HEADER_NAME strict: false}]; + + // The value prefix. The value format is "value_prefix" + // For example, for "Authorization: Bearer ", value_prefix="Bearer " with a space at the + // end. + string value_prefix = 2 + [(validate.rules).string = {well_known_regex: HTTP_HEADER_VALUE strict: false}]; +} + +// Specify a required provider with audiences. +message ProviderWithAudiences { + option (udpa.annotations.versioning).previous_message_type = + "envoy.extensions.filters.http.jwt_authn.v3.ProviderWithAudiences"; + + // Specify a required provider name. + string provider_name = 1; + + // This field overrides the one specified in the JwtProvider. + repeated string audiences = 2; +} + +// This message specifies a Jwt requirement. An empty message means JWT verification is not +// required. Here are some config examples: +// +// .. code-block:: yaml +// +// # Example 1: not required with an empty message +// +// # Example 2: require A +// provider_name: provider-A +// +// # Example 3: require A or B +// requires_any: +// requirements: +// - provider_name: provider-A +// - provider_name: provider-B +// +// # Example 4: require A and B +// requires_all: +// requirements: +// - provider_name: provider-A +// - provider_name: provider-B +// +// # Example 5: require A and (B or C) +// requires_all: +// requirements: +// - provider_name: provider-A +// - requires_any: +// requirements: +// - provider_name: provider-B +// - provider_name: provider-C +// +// # Example 6: require A or (B and C) +// requires_any: +// requirements: +// - provider_name: provider-A +// - requires_all: +// requirements: +// - provider_name: provider-B +// - provider_name: provider-C +// +// # Example 7: A is optional (if token from A is provided, it must be valid, but also allows +// missing token.) +// requires_any: +// requirements: +// - provider_name: provider-A +// - allow_missing: {} +// +// # Example 8: A is optional and B is required. +// requires_all: +// requirements: +// - requires_any: +// requirements: +// - provider_name: provider-A +// - allow_missing: {} +// - provider_name: provider-B +// +// [#next-free-field: 7] +message JwtRequirement { + option (udpa.annotations.versioning).previous_message_type = + "envoy.extensions.filters.http.jwt_authn.v3.JwtRequirement"; + + oneof requires_type { + // Specify a required provider name. + string provider_name = 1; + + // Specify a required provider with audiences. + ProviderWithAudiences provider_and_audiences = 2; + + // Specify list of JwtRequirement. Their results are OR-ed. + // If any one of them passes, the result is passed. + JwtRequirementOrList requires_any = 3; + + // Specify list of JwtRequirement. Their results are AND-ed. + // All of them must pass, if one of them fails or missing, it fails. + JwtRequirementAndList requires_all = 4; + + // The requirement is always satisfied even if JWT is missing or the JWT + // verification fails. A typical usage is: this filter is used to only verify + // JWTs and pass the verified JWT payloads to another filter, the other filter + // will make decision. In this mode, all JWT tokens will be verified. + google.protobuf.Empty allow_missing_or_failed = 5; + + // The requirement is satisfied if JWT is missing, but failed if JWT is + // presented but invalid. Similar to allow_missing_or_failed, this is used + // to only verify JWTs and pass the verified payload to another filter. The + // different is this mode will reject requests with invalid tokens. + google.protobuf.Empty allow_missing = 6; + } +} + +// This message specifies a list of RequiredProvider. +// Their results are OR-ed; if any one of them passes, the result is passed +message JwtRequirementOrList { + option (udpa.annotations.versioning).previous_message_type = + "envoy.extensions.filters.http.jwt_authn.v3.JwtRequirementOrList"; + + // Specify a list of JwtRequirement. + repeated JwtRequirement requirements = 1 [(validate.rules).repeated = {min_items: 2}]; +} + +// This message specifies a list of RequiredProvider. +// Their results are AND-ed; all of them must pass, if one of them fails or missing, it fails. +message JwtRequirementAndList { + option (udpa.annotations.versioning).previous_message_type = + "envoy.extensions.filters.http.jwt_authn.v3.JwtRequirementAndList"; + + // Specify a list of JwtRequirement. + repeated JwtRequirement requirements = 1 [(validate.rules).repeated = {min_items: 2}]; +} + +// This message specifies a Jwt requirement for a specific Route condition. +// Example 1: +// +// .. code-block:: yaml +// +// - match: +// prefix: /healthz +// +// In above example, "requires" field is empty for /healthz prefix match, +// it means that requests matching the path prefix don't require JWT authentication. +// +// Example 2: +// +// .. code-block:: yaml +// +// - match: +// prefix: / +// requires: { provider_name: provider-A } +// +// In above example, all requests matched the path prefix require jwt authentication +// from "provider-A". +message RequirementRule { + option (udpa.annotations.versioning).previous_message_type = + "envoy.extensions.filters.http.jwt_authn.v3.RequirementRule"; + + // The route matching parameter. Only when the match is satisfied, the "requires" field will + // apply. + // + // For example: following match will match all requests. + // + // .. code-block:: yaml + // + // match: + // prefix: / + // + config.route.v4alpha.RouteMatch match = 1 [(validate.rules).message = {required: true}]; + + // Specify a Jwt Requirement. Please detail comment in message JwtRequirement. + JwtRequirement requires = 2; +} + +// This message specifies Jwt requirements based on stream_info.filterState. +// This FilterState should use `Router::StringAccessor` object to set a string value. +// Other HTTP filters can use it to specify Jwt requirements dynamically. +// +// Example: +// +// .. code-block:: yaml +// +// name: jwt_selector +// requires: +// issuer_1: +// provider_name: issuer1 +// issuer_2: +// provider_name: issuer2 +// +// If a filter set "jwt_selector" with "issuer_1" to FilterState for a request, +// jwt_authn filter will use JwtRequirement{"provider_name": "issuer1"} to verify. +message FilterStateRule { + option (udpa.annotations.versioning).previous_message_type = + "envoy.extensions.filters.http.jwt_authn.v3.FilterStateRule"; + + // The filter state name to retrieve the `Router::StringAccessor` object. + string name = 1 [(validate.rules).string = {min_bytes: 1}]; + + // A map of string keys to requirements. The string key is the string value + // in the FilterState with the name specified in the *name* field above. + map requires = 3; +} + +// This is the Envoy HTTP filter config for JWT authentication. +// +// For example: +// +// .. code-block:: yaml +// +// providers: +// provider1: +// issuer: issuer1 +// audiences: +// - audience1 +// - audience2 +// remote_jwks: +// http_uri: +// uri: https://example.com/.well-known/jwks.json +// cluster: example_jwks_cluster +// provider2: +// issuer: issuer2 +// local_jwks: +// inline_string: jwks_string +// +// rules: +// # Not jwt verification is required for /health path +// - match: +// prefix: /health +// +// # Jwt verification for provider1 is required for path prefixed with "prefix" +// - match: +// prefix: /prefix +// requires: +// provider_name: provider1 +// +// # Jwt verification for either provider1 or provider2 is required for all other requests. +// - match: +// prefix: / +// requires: +// requires_any: +// requirements: +// - provider_name: provider1 +// - provider_name: provider2 +// +message JwtAuthentication { + option (udpa.annotations.versioning).previous_message_type = + "envoy.extensions.filters.http.jwt_authn.v3.JwtAuthentication"; + + // Map of provider names to JwtProviders. + // + // .. code-block:: yaml + // + // providers: + // provider1: + // issuer: issuer1 + // audiences: + // - audience1 + // - audience2 + // remote_jwks: + // http_uri: + // uri: https://example.com/.well-known/jwks.json + // cluster: example_jwks_cluster + // provider2: + // issuer: provider2 + // local_jwks: + // inline_string: jwks_string + // + map providers = 1; + + // Specifies requirements based on the route matches. The first matched requirement will be + // applied. If there are overlapped match conditions, please put the most specific match first. + // + // Examples + // + // .. code-block:: yaml + // + // rules: + // - match: + // prefix: /healthz + // - match: + // prefix: /baz + // requires: + // provider_name: provider1 + // - match: + // prefix: /foo + // requires: + // requires_any: + // requirements: + // - provider_name: provider1 + // - provider_name: provider2 + // - match: + // prefix: /bar + // requires: + // requires_all: + // requirements: + // - provider_name: provider1 + // - provider_name: provider2 + // + repeated RequirementRule rules = 2; + + // This message specifies Jwt requirements based on stream_info.filterState. + // Other HTTP filters can use it to specify Jwt requirements dynamically. + // The *rules* field above is checked first, if it could not find any matches, + // check this one. + FilterStateRule filter_state_rules = 3; + + // When set to true, bypass the `CORS preflight request + // `_ regardless of JWT + // requirements specified in the rules. + bool bypass_cors_preflight = 4; +} diff --git a/generated_api_shadow/envoy/extensions/filters/http/router/v4alpha/BUILD b/generated_api_shadow/envoy/extensions/filters/http/router/v4alpha/BUILD new file mode 100644 index 000000000000..df329be54230 --- /dev/null +++ b/generated_api_shadow/envoy/extensions/filters/http/router/v4alpha/BUILD @@ -0,0 +1,13 @@ +# DO NOT EDIT. This file is generated by tools/proto_sync.py. + +load("@envoy_api//bazel:api_build_system.bzl", "api_proto_package") + +licenses(["notice"]) # Apache 2 + +api_proto_package( + deps = [ + "//envoy/config/accesslog/v4alpha:pkg", + "//envoy/extensions/filters/http/router/v3:pkg", + "@com_github_cncf_udpa//udpa/annotations:pkg", + ], +) diff --git a/generated_api_shadow/envoy/extensions/filters/http/router/v4alpha/router.proto b/generated_api_shadow/envoy/extensions/filters/http/router/v4alpha/router.proto new file mode 100644 index 000000000000..d0baaab84a39 --- /dev/null +++ b/generated_api_shadow/envoy/extensions/filters/http/router/v4alpha/router.proto @@ -0,0 +1,81 @@ +syntax = "proto3"; + +package envoy.extensions.filters.http.router.v4alpha; + +import "envoy/config/accesslog/v4alpha/accesslog.proto"; + +import "google/protobuf/wrappers.proto"; + +import "udpa/annotations/status.proto"; +import "udpa/annotations/versioning.proto"; +import "validate/validate.proto"; + +option java_package = "io.envoyproxy.envoy.extensions.filters.http.router.v4alpha"; +option java_outer_classname = "RouterProto"; +option java_multiple_files = true; +option (udpa.annotations.file_status).package_version_status = NEXT_MAJOR_VERSION_CANDIDATE; + +// [#protodoc-title: Router] +// Router :ref:`configuration overview `. +// [#extension: envoy.filters.http.router] + +// [#next-free-field: 7] +message Router { + option (udpa.annotations.versioning).previous_message_type = + "envoy.extensions.filters.http.router.v3.Router"; + + // Whether the router generates dynamic cluster statistics. Defaults to + // true. Can be disabled in high performance scenarios. + google.protobuf.BoolValue dynamic_stats = 1; + + // Whether to start a child span for egress routed calls. This can be + // useful in scenarios where other filters (auth, ratelimit, etc.) make + // outbound calls and have child spans rooted at the same ingress + // parent. Defaults to false. + bool start_child_span = 2; + + // Configuration for HTTP upstream logs emitted by the router. Upstream logs + // are configured in the same way as access logs, but each log entry represents + // an upstream request. Presuming retries are configured, multiple upstream + // requests may be made for each downstream (inbound) request. + repeated config.accesslog.v4alpha.AccessLog upstream_log = 3; + + // Do not add any additional *x-envoy-* headers to requests or responses. This + // only affects the :ref:`router filter generated *x-envoy-* headers + // `, other Envoy filters and the HTTP + // connection manager may continue to set *x-envoy-* headers. + bool suppress_envoy_headers = 4; + + // Specifies a list of HTTP headers to strictly validate. Envoy will reject a + // request and respond with HTTP status 400 if the request contains an invalid + // value for any of the headers listed in this field. Strict header checking + // is only supported for the following headers: + // + // Value must be a ','-delimited list (i.e. no spaces) of supported retry + // policy values: + // + // * :ref:`config_http_filters_router_x-envoy-retry-grpc-on` + // * :ref:`config_http_filters_router_x-envoy-retry-on` + // + // Value must be an integer: + // + // * :ref:`config_http_filters_router_x-envoy-max-retries` + // * :ref:`config_http_filters_router_x-envoy-upstream-rq-timeout-ms` + // * :ref:`config_http_filters_router_x-envoy-upstream-rq-per-try-timeout-ms` + repeated string strict_check_headers = 5 [(validate.rules).repeated = { + items { + string { + in: "x-envoy-upstream-rq-timeout-ms" + in: "x-envoy-upstream-rq-per-try-timeout-ms" + in: "x-envoy-max-retries" + in: "x-envoy-retry-grpc-on" + in: "x-envoy-retry-on" + } + } + }]; + + // If not set, ingress Envoy will ignore + // :ref:`config_http_filters_router_x-envoy-expected-rq-timeout-ms` header, populated by egress + // Envoy, when deriving timeout for upstream cluster. + bool respect_expected_rq_timeout = 6; +} diff --git a/generated_api_shadow/envoy/extensions/filters/network/dubbo_proxy/v4alpha/BUILD b/generated_api_shadow/envoy/extensions/filters/network/dubbo_proxy/v4alpha/BUILD new file mode 100644 index 000000000000..663eb0d52d25 --- /dev/null +++ b/generated_api_shadow/envoy/extensions/filters/network/dubbo_proxy/v4alpha/BUILD @@ -0,0 +1,15 @@ +# DO NOT EDIT. This file is generated by tools/proto_sync.py. + +load("@envoy_api//bazel:api_build_system.bzl", "api_proto_package") + +licenses(["notice"]) # Apache 2 + +api_proto_package( + deps = [ + "//envoy/config/route/v4alpha:pkg", + "//envoy/extensions/filters/network/dubbo_proxy/v3:pkg", + "//envoy/type/matcher/v4alpha:pkg", + "//envoy/type/v3:pkg", + "@com_github_cncf_udpa//udpa/annotations:pkg", + ], +) diff --git a/generated_api_shadow/envoy/extensions/filters/network/dubbo_proxy/v4alpha/dubbo_proxy.proto b/generated_api_shadow/envoy/extensions/filters/network/dubbo_proxy/v4alpha/dubbo_proxy.proto new file mode 100644 index 000000000000..4894c7693fd7 --- /dev/null +++ b/generated_api_shadow/envoy/extensions/filters/network/dubbo_proxy/v4alpha/dubbo_proxy.proto @@ -0,0 +1,70 @@ +syntax = "proto3"; + +package envoy.extensions.filters.network.dubbo_proxy.v4alpha; + +import "envoy/extensions/filters/network/dubbo_proxy/v4alpha/route.proto"; + +import "google/protobuf/any.proto"; + +import "udpa/annotations/status.proto"; +import "udpa/annotations/versioning.proto"; +import "validate/validate.proto"; + +option java_package = "io.envoyproxy.envoy.extensions.filters.network.dubbo_proxy.v4alpha"; +option java_outer_classname = "DubboProxyProto"; +option java_multiple_files = true; +option (udpa.annotations.file_status).package_version_status = NEXT_MAJOR_VERSION_CANDIDATE; + +// [#protodoc-title: Dubbo Proxy] +// Dubbo Proxy :ref:`configuration overview `. +// [#extension: envoy.filters.network.dubbo_proxy] + +// Dubbo Protocol types supported by Envoy. +enum ProtocolType { + // the default protocol. + Dubbo = 0; +} + +// Dubbo Serialization types supported by Envoy. +enum SerializationType { + // the default serialization protocol. + Hessian2 = 0; +} + +// [#next-free-field: 6] +message DubboProxy { + option (udpa.annotations.versioning).previous_message_type = + "envoy.extensions.filters.network.dubbo_proxy.v3.DubboProxy"; + + // The human readable prefix to use when emitting statistics. + string stat_prefix = 1 [(validate.rules).string = {min_bytes: 1}]; + + // Configure the protocol used. + ProtocolType protocol_type = 2 [(validate.rules).enum = {defined_only: true}]; + + // Configure the serialization protocol used. + SerializationType serialization_type = 3 [(validate.rules).enum = {defined_only: true}]; + + // The route table for the connection manager is static and is specified in this property. + repeated RouteConfiguration route_config = 4; + + // A list of individual Dubbo filters that make up the filter chain for requests made to the + // Dubbo proxy. Order matters as the filters are processed sequentially. For backwards + // compatibility, if no dubbo_filters are specified, a default Dubbo router filter + // (`envoy.filters.dubbo.router`) is used. + repeated DubboFilter dubbo_filters = 5; +} + +// DubboFilter configures a Dubbo filter. +message DubboFilter { + option (udpa.annotations.versioning).previous_message_type = + "envoy.extensions.filters.network.dubbo_proxy.v3.DubboFilter"; + + // The name of the filter to instantiate. The name must match a supported + // filter. + string name = 1 [(validate.rules).string = {min_bytes: 1}]; + + // Filter specific configuration which depends on the filter being + // instantiated. See the supported filters for further documentation. + google.protobuf.Any config = 2; +} diff --git a/generated_api_shadow/envoy/extensions/filters/network/dubbo_proxy/v4alpha/route.proto b/generated_api_shadow/envoy/extensions/filters/network/dubbo_proxy/v4alpha/route.proto new file mode 100644 index 000000000000..c2ff03b33fb1 --- /dev/null +++ b/generated_api_shadow/envoy/extensions/filters/network/dubbo_proxy/v4alpha/route.proto @@ -0,0 +1,121 @@ +syntax = "proto3"; + +package envoy.extensions.filters.network.dubbo_proxy.v4alpha; + +import "envoy/config/route/v4alpha/route_components.proto"; +import "envoy/type/matcher/v4alpha/string.proto"; +import "envoy/type/v3/range.proto"; + +import "udpa/annotations/status.proto"; +import "udpa/annotations/versioning.proto"; +import "validate/validate.proto"; + +option java_package = "io.envoyproxy.envoy.extensions.filters.network.dubbo_proxy.v4alpha"; +option java_outer_classname = "RouteProto"; +option java_multiple_files = true; +option (udpa.annotations.file_status).package_version_status = NEXT_MAJOR_VERSION_CANDIDATE; + +// [#protodoc-title: Dubbo Proxy Route Configuration] +// Dubbo Proxy :ref:`configuration overview `. + +// [#next-free-field: 6] +message RouteConfiguration { + option (udpa.annotations.versioning).previous_message_type = + "envoy.extensions.filters.network.dubbo_proxy.v3.RouteConfiguration"; + + // The name of the route configuration. Reserved for future use in asynchronous route discovery. + string name = 1; + + // The interface name of the service. + string interface = 2; + + // Which group does the interface belong to. + string group = 3; + + // The version number of the interface. + string version = 4; + + // The list of routes that will be matched, in order, against incoming requests. The first route + // that matches will be used. + repeated Route routes = 5; +} + +message Route { + option (udpa.annotations.versioning).previous_message_type = + "envoy.extensions.filters.network.dubbo_proxy.v3.Route"; + + // Route matching parameters. + RouteMatch match = 1 [(validate.rules).message = {required: true}]; + + // Route request to some upstream cluster. + RouteAction route = 2 [(validate.rules).message = {required: true}]; +} + +message RouteMatch { + option (udpa.annotations.versioning).previous_message_type = + "envoy.extensions.filters.network.dubbo_proxy.v3.RouteMatch"; + + // Method level routing matching. + MethodMatch method = 1; + + // Specifies a set of headers that the route should match on. The router will check the request’s + // headers against all the specified headers in the route config. A match will happen if all the + // headers in the route are present in the request with the same values (or based on presence if + // the value field is not in the config). + repeated config.route.v4alpha.HeaderMatcher headers = 2; +} + +message RouteAction { + option (udpa.annotations.versioning).previous_message_type = + "envoy.extensions.filters.network.dubbo_proxy.v3.RouteAction"; + + oneof cluster_specifier { + option (validate.required) = true; + + // Indicates the upstream cluster to which the request should be routed. + string cluster = 1; + + // Multiple upstream clusters can be specified for a given route. The + // request is routed to one of the upstream clusters based on weights + // assigned to each cluster. + // Currently ClusterWeight only supports the name and weight fields. + config.route.v4alpha.WeightedCluster weighted_clusters = 2; + } +} + +message MethodMatch { + option (udpa.annotations.versioning).previous_message_type = + "envoy.extensions.filters.network.dubbo_proxy.v3.MethodMatch"; + + // The parameter matching type. + message ParameterMatchSpecifier { + option (udpa.annotations.versioning).previous_message_type = + "envoy.extensions.filters.network.dubbo_proxy.v3.MethodMatch.ParameterMatchSpecifier"; + + oneof parameter_match_specifier { + // If specified, header match will be performed based on the value of the header. + string exact_match = 3; + + // If specified, header match will be performed based on range. + // The rule will match if the request header value is within this range. + // The entire request header value must represent an integer in base 10 notation: consisting + // of an optional plus or minus sign followed by a sequence of digits. The rule will not match + // if the header value does not represent an integer. Match will fail for empty values, + // floating point numbers or if only a subsequence of the header value is an integer. + // + // Examples: + // + // * For range [-10,0), route will match for header value -1, but not for 0, + // "somestring", 10.9, "-1somestring" + type.v3.Int64Range range_match = 4; + } + } + + // The name of the method. + type.matcher.v4alpha.StringMatcher name = 1; + + // Method parameter definition. + // The key is the parameter index, starting from 0. + // The value is the parameter matching type. + map params_match = 2; +} diff --git a/generated_api_shadow/envoy/extensions/filters/network/http_connection_manager/v4alpha/BUILD b/generated_api_shadow/envoy/extensions/filters/network/http_connection_manager/v4alpha/BUILD index 792ccf7ab677..57c9eebb5b19 100644 --- a/generated_api_shadow/envoy/extensions/filters/network/http_connection_manager/v4alpha/BUILD +++ b/generated_api_shadow/envoy/extensions/filters/network/http_connection_manager/v4alpha/BUILD @@ -7,7 +7,7 @@ licenses(["notice"]) # Apache 2 api_proto_package( deps = [ "//envoy/annotations:pkg", - "//envoy/config/accesslog/v3:pkg", + "//envoy/config/accesslog/v4alpha:pkg", "//envoy/config/core/v4alpha:pkg", "//envoy/config/route/v4alpha:pkg", "//envoy/config/trace/v4alpha:pkg", diff --git a/generated_api_shadow/envoy/extensions/filters/network/http_connection_manager/v4alpha/http_connection_manager.proto b/generated_api_shadow/envoy/extensions/filters/network/http_connection_manager/v4alpha/http_connection_manager.proto index 5eaefe16037e..03a15d832732 100644 --- a/generated_api_shadow/envoy/extensions/filters/network/http_connection_manager/v4alpha/http_connection_manager.proto +++ b/generated_api_shadow/envoy/extensions/filters/network/http_connection_manager/v4alpha/http_connection_manager.proto @@ -2,7 +2,7 @@ syntax = "proto3"; package envoy.extensions.filters.network.http_connection_manager.v4alpha; -import "envoy/config/accesslog/v3/accesslog.proto"; +import "envoy/config/accesslog/v4alpha/accesslog.proto"; import "envoy/config/core/v4alpha/config_source.proto"; import "envoy/config/core/v4alpha/protocol.proto"; import "envoy/config/route/v4alpha/route.proto"; @@ -383,7 +383,7 @@ message HttpConnectionManager { // Configuration for :ref:`HTTP access logs ` // emitted by the connection manager. - repeated config.accesslog.v3.AccessLog access_log = 13; + repeated config.accesslog.v4alpha.AccessLog access_log = 13; // If set to true, the connection manager will use the real remote address // of the client connection when determining internal versus external origin and manipulating diff --git a/generated_api_shadow/envoy/extensions/filters/network/rocketmq_proxy/v4alpha/BUILD b/generated_api_shadow/envoy/extensions/filters/network/rocketmq_proxy/v4alpha/BUILD new file mode 100644 index 000000000000..d8d88f7f3bb4 --- /dev/null +++ b/generated_api_shadow/envoy/extensions/filters/network/rocketmq_proxy/v4alpha/BUILD @@ -0,0 +1,15 @@ +# DO NOT EDIT. This file is generated by tools/proto_sync.py. + +load("@envoy_api//bazel:api_build_system.bzl", "api_proto_package") + +licenses(["notice"]) # Apache 2 + +api_proto_package( + deps = [ + "//envoy/config/core/v4alpha:pkg", + "//envoy/config/route/v4alpha:pkg", + "//envoy/extensions/filters/network/rocketmq_proxy/v3:pkg", + "//envoy/type/matcher/v4alpha:pkg", + "@com_github_cncf_udpa//udpa/annotations:pkg", + ], +) diff --git a/generated_api_shadow/envoy/extensions/filters/network/rocketmq_proxy/v4alpha/rocketmq_proxy.proto b/generated_api_shadow/envoy/extensions/filters/network/rocketmq_proxy/v4alpha/rocketmq_proxy.proto new file mode 100644 index 000000000000..a765734e66db --- /dev/null +++ b/generated_api_shadow/envoy/extensions/filters/network/rocketmq_proxy/v4alpha/rocketmq_proxy.proto @@ -0,0 +1,39 @@ +syntax = "proto3"; + +package envoy.extensions.filters.network.rocketmq_proxy.v4alpha; + +import "envoy/extensions/filters/network/rocketmq_proxy/v4alpha/route.proto"; + +import "google/protobuf/any.proto"; +import "google/protobuf/duration.proto"; + +import "udpa/annotations/status.proto"; +import "udpa/annotations/versioning.proto"; +import "validate/validate.proto"; + +option java_package = "io.envoyproxy.envoy.extensions.filters.network.rocketmq_proxy.v4alpha"; +option java_outer_classname = "RocketmqProxyProto"; +option java_multiple_files = true; +option (udpa.annotations.file_status).package_version_status = NEXT_MAJOR_VERSION_CANDIDATE; + +// [#protodoc-title: RocketMQ Proxy] +// RocketMQ Proxy :ref:`configuration overview `. +// [#extension: envoy.filters.network.rocketmq_proxy] + +message RocketmqProxy { + option (udpa.annotations.versioning).previous_message_type = + "envoy.extensions.filters.network.rocketmq_proxy.v3.RocketmqProxy"; + + // The human readable prefix to use when emitting statistics. + string stat_prefix = 1 [(validate.rules).string = {min_bytes: 1}]; + + // The route table for the connection manager is specified in this property. + RouteConfiguration route_config = 2; + + // The largest duration transient object expected to live, more than 10s is recommended. + google.protobuf.Duration transient_object_life_span = 3; + + // If develop_mode is enabled, this proxy plugin may work without dedicated traffic intercepting + // facility without considering backward compatibility of exiting RocketMQ client SDK. + bool develop_mode = 4; +} diff --git a/generated_api_shadow/envoy/extensions/filters/network/rocketmq_proxy/v4alpha/route.proto b/generated_api_shadow/envoy/extensions/filters/network/rocketmq_proxy/v4alpha/route.proto new file mode 100644 index 000000000000..995e8bcb05e3 --- /dev/null +++ b/generated_api_shadow/envoy/extensions/filters/network/rocketmq_proxy/v4alpha/route.proto @@ -0,0 +1,67 @@ +syntax = "proto3"; + +package envoy.extensions.filters.network.rocketmq_proxy.v4alpha; + +import "envoy/config/core/v4alpha/base.proto"; +import "envoy/config/route/v4alpha/route_components.proto"; +import "envoy/type/matcher/v4alpha/string.proto"; + +import "udpa/annotations/status.proto"; +import "udpa/annotations/versioning.proto"; +import "validate/validate.proto"; + +option java_package = "io.envoyproxy.envoy.extensions.filters.network.rocketmq_proxy.v4alpha"; +option java_outer_classname = "RouteProto"; +option java_multiple_files = true; +option (udpa.annotations.file_status).package_version_status = NEXT_MAJOR_VERSION_CANDIDATE; + +// [#protodoc-title: Rocketmq Proxy Route Configuration] +// Rocketmq Proxy :ref:`configuration overview `. + +message RouteConfiguration { + option (udpa.annotations.versioning).previous_message_type = + "envoy.extensions.filters.network.rocketmq_proxy.v3.RouteConfiguration"; + + // The name of the route configuration. + string name = 1; + + // The list of routes that will be matched, in order, against incoming requests. The first route + // that matches will be used. + repeated Route routes = 2; +} + +message Route { + option (udpa.annotations.versioning).previous_message_type = + "envoy.extensions.filters.network.rocketmq_proxy.v3.Route"; + + // Route matching parameters. + RouteMatch match = 1 [(validate.rules).message = {required: true}]; + + // Route request to some upstream cluster. + RouteAction route = 2 [(validate.rules).message = {required: true}]; +} + +message RouteMatch { + option (udpa.annotations.versioning).previous_message_type = + "envoy.extensions.filters.network.rocketmq_proxy.v3.RouteMatch"; + + // The name of the topic. + type.matcher.v4alpha.StringMatcher topic = 1 [(validate.rules).message = {required: true}]; + + // Specifies a set of headers that the route should match on. The router will check the request’s + // headers against all the specified headers in the route config. A match will happen if all the + // headers in the route are present in the request with the same values (or based on presence if + // the value field is not in the config). + repeated config.route.v4alpha.HeaderMatcher headers = 2; +} + +message RouteAction { + option (udpa.annotations.versioning).previous_message_type = + "envoy.extensions.filters.network.rocketmq_proxy.v3.RouteAction"; + + // Indicates the upstream cluster to which the request should be routed. + string cluster = 1 [(validate.rules).string = {min_bytes: 1}]; + + // Optional endpoint metadata match criteria used by the subset load balancer. + config.core.v4alpha.Metadata metadata_match = 2; +} diff --git a/generated_api_shadow/envoy/extensions/filters/network/tcp_proxy/v4alpha/BUILD b/generated_api_shadow/envoy/extensions/filters/network/tcp_proxy/v4alpha/BUILD new file mode 100644 index 000000000000..3825be9a8afc --- /dev/null +++ b/generated_api_shadow/envoy/extensions/filters/network/tcp_proxy/v4alpha/BUILD @@ -0,0 +1,15 @@ +# DO NOT EDIT. This file is generated by tools/proto_sync.py. + +load("@envoy_api//bazel:api_build_system.bzl", "api_proto_package") + +licenses(["notice"]) # Apache 2 + +api_proto_package( + deps = [ + "//envoy/config/accesslog/v4alpha:pkg", + "//envoy/config/core/v4alpha:pkg", + "//envoy/extensions/filters/network/tcp_proxy/v3:pkg", + "//envoy/type/v3:pkg", + "@com_github_cncf_udpa//udpa/annotations:pkg", + ], +) diff --git a/generated_api_shadow/envoy/extensions/filters/network/tcp_proxy/v4alpha/tcp_proxy.proto b/generated_api_shadow/envoy/extensions/filters/network/tcp_proxy/v4alpha/tcp_proxy.proto new file mode 100644 index 000000000000..1857f2abcd4e --- /dev/null +++ b/generated_api_shadow/envoy/extensions/filters/network/tcp_proxy/v4alpha/tcp_proxy.proto @@ -0,0 +1,137 @@ +syntax = "proto3"; + +package envoy.extensions.filters.network.tcp_proxy.v4alpha; + +import "envoy/config/accesslog/v4alpha/accesslog.proto"; +import "envoy/config/core/v4alpha/base.proto"; +import "envoy/type/v3/hash_policy.proto"; + +import "google/protobuf/duration.proto"; +import "google/protobuf/wrappers.proto"; + +import "udpa/annotations/status.proto"; +import "udpa/annotations/versioning.proto"; +import "validate/validate.proto"; + +option java_package = "io.envoyproxy.envoy.extensions.filters.network.tcp_proxy.v4alpha"; +option java_outer_classname = "TcpProxyProto"; +option java_multiple_files = true; +option (udpa.annotations.file_status).package_version_status = NEXT_MAJOR_VERSION_CANDIDATE; + +// [#protodoc-title: TCP Proxy] +// TCP Proxy :ref:`configuration overview `. +// [#extension: envoy.filters.network.tcp_proxy] + +// [#next-free-field: 13] +message TcpProxy { + option (udpa.annotations.versioning).previous_message_type = + "envoy.extensions.filters.network.tcp_proxy.v3.TcpProxy"; + + // Allows for specification of multiple upstream clusters along with weights + // that indicate the percentage of traffic to be forwarded to each cluster. + // The router selects an upstream cluster based on these weights. + message WeightedCluster { + option (udpa.annotations.versioning).previous_message_type = + "envoy.extensions.filters.network.tcp_proxy.v3.TcpProxy.WeightedCluster"; + + message ClusterWeight { + option (udpa.annotations.versioning).previous_message_type = + "envoy.extensions.filters.network.tcp_proxy.v3.TcpProxy.WeightedCluster.ClusterWeight"; + + // Name of the upstream cluster. + string name = 1 [(validate.rules).string = {min_bytes: 1}]; + + // When a request matches the route, the choice of an upstream cluster is + // determined by its weight. The sum of weights across all entries in the + // clusters array determines the total weight. + uint32 weight = 2 [(validate.rules).uint32 = {gte: 1}]; + + // Optional endpoint metadata match criteria used by the subset load balancer. Only endpoints + // in the upstream cluster with metadata matching what is set in this field will be considered + // for load balancing. Note that this will be merged with what's provided in + // :ref:`TcpProxy.metadata_match + // `, with values + // here taking precedence. The filter name should be specified as *envoy.lb*. + config.core.v4alpha.Metadata metadata_match = 3; + } + + // Specifies one or more upstream clusters associated with the route. + repeated ClusterWeight clusters = 1 [(validate.rules).repeated = {min_items: 1}]; + } + + // Configuration for tunneling TCP over other transports or application layers. + // Currently, only HTTP/2 is supported. When other options exist, HTTP/2 will + // remain the default. + message TunnelingConfig { + option (udpa.annotations.versioning).previous_message_type = + "envoy.extensions.filters.network.tcp_proxy.v3.TcpProxy.TunnelingConfig"; + + // The hostname to send in the synthesized CONNECT headers to the upstream proxy. + string hostname = 1 [(validate.rules).string = {min_bytes: 1}]; + } + + reserved 6; + + reserved "deprecated_v1"; + + // The prefix to use when emitting :ref:`statistics + // `. + string stat_prefix = 1 [(validate.rules).string = {min_bytes: 1}]; + + oneof cluster_specifier { + option (validate.required) = true; + + // The upstream cluster to connect to. + string cluster = 2; + + // Multiple upstream clusters can be specified for a given route. The + // request is routed to one of the upstream clusters based on weights + // assigned to each cluster. + WeightedCluster weighted_clusters = 10; + } + + // Optional endpoint metadata match criteria. Only endpoints in the upstream + // cluster with metadata matching that set in metadata_match will be + // considered. The filter name should be specified as *envoy.lb*. + config.core.v4alpha.Metadata metadata_match = 9; + + // The idle timeout for connections managed by the TCP proxy filter. The idle timeout + // is defined as the period in which there are no bytes sent or received on either + // the upstream or downstream connection. If not set, the default idle timeout is 1 hour. If set + // to 0s, the timeout will be disabled. + // + // .. warning:: + // Disabling this timeout has a highly likelihood of yielding connection leaks due to lost TCP + // FIN packets, etc. + google.protobuf.Duration idle_timeout = 8; + + // [#not-implemented-hide:] The idle timeout for connections managed by the TCP proxy + // filter. The idle timeout is defined as the period in which there is no + // active traffic. If not set, there is no idle timeout. When the idle timeout + // is reached the connection will be closed. The distinction between + // downstream_idle_timeout/upstream_idle_timeout provides a means to set + // timeout based on the last byte sent on the downstream/upstream connection. + google.protobuf.Duration downstream_idle_timeout = 3; + + // [#not-implemented-hide:] + google.protobuf.Duration upstream_idle_timeout = 4; + + // Configuration for :ref:`access logs ` + // emitted by the this tcp_proxy. + repeated config.accesslog.v4alpha.AccessLog access_log = 5; + + // The maximum number of unsuccessful connection attempts that will be made before + // giving up. If the parameter is not specified, 1 connection attempt will be made. + google.protobuf.UInt32Value max_connect_attempts = 7 [(validate.rules).uint32 = {gte: 1}]; + + // Optional configuration for TCP proxy hash policy. If hash_policy is not set, the hash-based + // load balancing algorithms will select a host randomly. Currently the number of hash policies is + // limited to 1. + repeated type.v3.HashPolicy hash_policy = 11 [(validate.rules).repeated = {max_items: 1}]; + + // [#not-implemented-hide:] feature in progress + // If set, this configures tunneling, e.g. configuration options to tunnel multiple TCP + // payloads over a shared HTTP/2 tunnel. If this message is absent, the payload + // will be proxied upstream as per usual. + TunnelingConfig tunneling_config = 12; +} diff --git a/generated_api_shadow/envoy/extensions/filters/network/thrift_proxy/v4alpha/BUILD b/generated_api_shadow/envoy/extensions/filters/network/thrift_proxy/v4alpha/BUILD new file mode 100644 index 000000000000..9ec74c0a9b83 --- /dev/null +++ b/generated_api_shadow/envoy/extensions/filters/network/thrift_proxy/v4alpha/BUILD @@ -0,0 +1,14 @@ +# DO NOT EDIT. This file is generated by tools/proto_sync.py. + +load("@envoy_api//bazel:api_build_system.bzl", "api_proto_package") + +licenses(["notice"]) # Apache 2 + +api_proto_package( + deps = [ + "//envoy/config/core/v4alpha:pkg", + "//envoy/config/route/v4alpha:pkg", + "//envoy/extensions/filters/network/thrift_proxy/v3:pkg", + "@com_github_cncf_udpa//udpa/annotations:pkg", + ], +) diff --git a/generated_api_shadow/envoy/extensions/filters/network/thrift_proxy/v4alpha/route.proto b/generated_api_shadow/envoy/extensions/filters/network/thrift_proxy/v4alpha/route.proto new file mode 100644 index 000000000000..9b847d645a65 --- /dev/null +++ b/generated_api_shadow/envoy/extensions/filters/network/thrift_proxy/v4alpha/route.proto @@ -0,0 +1,157 @@ +syntax = "proto3"; + +package envoy.extensions.filters.network.thrift_proxy.v4alpha; + +import "envoy/config/core/v4alpha/base.proto"; +import "envoy/config/route/v4alpha/route_components.proto"; + +import "google/protobuf/wrappers.proto"; + +import "udpa/annotations/status.proto"; +import "udpa/annotations/versioning.proto"; +import "validate/validate.proto"; + +option java_package = "io.envoyproxy.envoy.extensions.filters.network.thrift_proxy.v4alpha"; +option java_outer_classname = "RouteProto"; +option java_multiple_files = true; +option (udpa.annotations.file_status).package_version_status = NEXT_MAJOR_VERSION_CANDIDATE; + +// [#protodoc-title: Thrift Proxy Route Configuration] +// Thrift Proxy :ref:`configuration overview `. + +message RouteConfiguration { + option (udpa.annotations.versioning).previous_message_type = + "envoy.extensions.filters.network.thrift_proxy.v3.RouteConfiguration"; + + // The name of the route configuration. Reserved for future use in asynchronous route discovery. + string name = 1; + + // The list of routes that will be matched, in order, against incoming requests. The first route + // that matches will be used. + repeated Route routes = 2; +} + +message Route { + option (udpa.annotations.versioning).previous_message_type = + "envoy.extensions.filters.network.thrift_proxy.v3.Route"; + + // Route matching parameters. + RouteMatch match = 1 [(validate.rules).message = {required: true}]; + + // Route request to some upstream cluster. + RouteAction route = 2 [(validate.rules).message = {required: true}]; +} + +message RouteMatch { + option (udpa.annotations.versioning).previous_message_type = + "envoy.extensions.filters.network.thrift_proxy.v3.RouteMatch"; + + oneof match_specifier { + option (validate.required) = true; + + // If specified, the route must exactly match the request method name. As a special case, an + // empty string matches any request method name. + string method_name = 1; + + // If specified, the route must have the service name as the request method name prefix. As a + // special case, an empty string matches any service name. Only relevant when service + // multiplexing. + string service_name = 2; + } + + // Inverts whatever matching is done in the :ref:`method_name + // ` or + // :ref:`service_name + // ` fields. + // Cannot be combined with wildcard matching as that would result in routes never being matched. + // + // .. note:: + // + // This does not invert matching done as part of the :ref:`headers field + // ` field. To + // invert header matching, see :ref:`invert_match + // `. + bool invert = 3; + + // Specifies a set of headers that the route should match on. The router will check the request’s + // headers against all the specified headers in the route config. A match will happen if all the + // headers in the route are present in the request with the same values (or based on presence if + // the value field is not in the config). Note that this only applies for Thrift transports and/or + // protocols that support headers. + repeated config.route.v4alpha.HeaderMatcher headers = 4; +} + +// [#next-free-field: 7] +message RouteAction { + option (udpa.annotations.versioning).previous_message_type = + "envoy.extensions.filters.network.thrift_proxy.v3.RouteAction"; + + oneof cluster_specifier { + option (validate.required) = true; + + // Indicates a single upstream cluster to which the request should be routed + // to. + string cluster = 1 [(validate.rules).string = {min_bytes: 1}]; + + // Multiple upstream clusters can be specified for a given route. The + // request is routed to one of the upstream clusters based on weights + // assigned to each cluster. + WeightedCluster weighted_clusters = 2; + + // Envoy will determine the cluster to route to by reading the value of the + // Thrift header named by cluster_header from the request headers. If the + // header is not found or the referenced cluster does not exist Envoy will + // respond with an unknown method exception or an internal error exception, + // respectively. + string cluster_header = 6 [(validate.rules).string = {min_bytes: 1}]; + } + + // Optional endpoint metadata match criteria used by the subset load balancer. Only endpoints in + // the upstream cluster with metadata matching what is set in this field will be considered. + // Note that this will be merged with what's provided in :ref:`WeightedCluster.metadata_match + // `, + // with values there taking precedence. Keys and values should be provided under the "envoy.lb" + // metadata key. + config.core.v4alpha.Metadata metadata_match = 3; + + // Specifies a set of rate limit configurations that could be applied to the route. + // N.B. Thrift service or method name matching can be achieved by specifying a RequestHeaders + // action with the header name ":method-name". + repeated config.route.v4alpha.RateLimit rate_limits = 4; + + // Strip the service prefix from the method name, if there's a prefix. For + // example, the method call Service:method would end up being just method. + bool strip_service_name = 5; +} + +// Allows for specification of multiple upstream clusters along with weights that indicate the +// percentage of traffic to be forwarded to each cluster. The router selects an upstream cluster +// based on these weights. +message WeightedCluster { + option (udpa.annotations.versioning).previous_message_type = + "envoy.extensions.filters.network.thrift_proxy.v3.WeightedCluster"; + + message ClusterWeight { + option (udpa.annotations.versioning).previous_message_type = + "envoy.extensions.filters.network.thrift_proxy.v3.WeightedCluster.ClusterWeight"; + + // Name of the upstream cluster. + string name = 1 [(validate.rules).string = {min_bytes: 1}]; + + // When a request matches the route, the choice of an upstream cluster is determined by its + // weight. The sum of weights across all entries in the clusters array determines the total + // weight. + google.protobuf.UInt32Value weight = 2 [(validate.rules).uint32 = {gte: 1}]; + + // Optional endpoint metadata match criteria used by the subset load balancer. Only endpoints in + // the upstream cluster with metadata matching what is set in this field, combined with what's + // provided in :ref:`RouteAction's metadata_match + // `, + // will be considered. Values here will take precedence. Keys and values should be provided + // under the "envoy.lb" metadata key. + config.core.v4alpha.Metadata metadata_match = 3; + } + + // Specifies one or more upstream clusters associated with the route. + repeated ClusterWeight clusters = 1 [(validate.rules).repeated = {min_items: 1}]; +} diff --git a/generated_api_shadow/envoy/extensions/filters/network/thrift_proxy/v4alpha/thrift_proxy.proto b/generated_api_shadow/envoy/extensions/filters/network/thrift_proxy/v4alpha/thrift_proxy.proto new file mode 100644 index 000000000000..6bf055da3ce6 --- /dev/null +++ b/generated_api_shadow/envoy/extensions/filters/network/thrift_proxy/v4alpha/thrift_proxy.proto @@ -0,0 +1,130 @@ +syntax = "proto3"; + +package envoy.extensions.filters.network.thrift_proxy.v4alpha; + +import "envoy/extensions/filters/network/thrift_proxy/v4alpha/route.proto"; + +import "google/protobuf/any.proto"; +import "google/protobuf/struct.proto"; + +import "udpa/annotations/status.proto"; +import "udpa/annotations/versioning.proto"; +import "validate/validate.proto"; + +option java_package = "io.envoyproxy.envoy.extensions.filters.network.thrift_proxy.v4alpha"; +option java_outer_classname = "ThriftProxyProto"; +option java_multiple_files = true; +option (udpa.annotations.file_status).package_version_status = NEXT_MAJOR_VERSION_CANDIDATE; + +// [#protodoc-title: Thrift Proxy] +// Thrift Proxy :ref:`configuration overview `. +// [#extension: envoy.filters.network.thrift_proxy] + +// Thrift transport types supported by Envoy. +enum TransportType { + // For downstream connections, the Thrift proxy will attempt to determine which transport to use. + // For upstream connections, the Thrift proxy will use same transport as the downstream + // connection. + AUTO_TRANSPORT = 0; + + // The Thrift proxy will use the Thrift framed transport. + FRAMED = 1; + + // The Thrift proxy will use the Thrift unframed transport. + UNFRAMED = 2; + + // The Thrift proxy will assume the client is using the Thrift header transport. + HEADER = 3; +} + +// Thrift Protocol types supported by Envoy. +enum ProtocolType { + // For downstream connections, the Thrift proxy will attempt to determine which protocol to use. + // Note that the older, non-strict (or lax) binary protocol is not included in automatic protocol + // detection. For upstream connections, the Thrift proxy will use the same protocol as the + // downstream connection. + AUTO_PROTOCOL = 0; + + // The Thrift proxy will use the Thrift binary protocol. + BINARY = 1; + + // The Thrift proxy will use Thrift non-strict binary protocol. + LAX_BINARY = 2; + + // The Thrift proxy will use the Thrift compact protocol. + COMPACT = 3; + + // The Thrift proxy will use the Thrift "Twitter" protocol implemented by the finagle library. + TWITTER = 4; +} + +// [#next-free-field: 6] +message ThriftProxy { + option (udpa.annotations.versioning).previous_message_type = + "envoy.extensions.filters.network.thrift_proxy.v3.ThriftProxy"; + + // Supplies the type of transport that the Thrift proxy should use. Defaults to + // :ref:`AUTO_TRANSPORT`. + TransportType transport = 2 [(validate.rules).enum = {defined_only: true}]; + + // Supplies the type of protocol that the Thrift proxy should use. Defaults to + // :ref:`AUTO_PROTOCOL`. + ProtocolType protocol = 3 [(validate.rules).enum = {defined_only: true}]; + + // The human readable prefix to use when emitting statistics. + string stat_prefix = 1 [(validate.rules).string = {min_bytes: 1}]; + + // The route table for the connection manager is static and is specified in this property. + RouteConfiguration route_config = 4; + + // A list of individual Thrift filters that make up the filter chain for requests made to the + // Thrift proxy. Order matters as the filters are processed sequentially. For backwards + // compatibility, if no thrift_filters are specified, a default Thrift router filter + // (`envoy.filters.thrift.router`) is used. + repeated ThriftFilter thrift_filters = 5; +} + +// ThriftFilter configures a Thrift filter. +message ThriftFilter { + option (udpa.annotations.versioning).previous_message_type = + "envoy.extensions.filters.network.thrift_proxy.v3.ThriftFilter"; + + reserved 2; + + reserved "config"; + + // The name of the filter to instantiate. The name must match a supported + // filter. The built-in filters are: + // + // [#comment:TODO(zuercher): Auto generate the following list] + // * :ref:`envoy.filters.thrift.router ` + // * :ref:`envoy.filters.thrift.rate_limit ` + string name = 1 [(validate.rules).string = {min_bytes: 1}]; + + // Filter specific configuration which depends on the filter being instantiated. See the supported + // filters for further documentation. + oneof config_type { + google.protobuf.Any typed_config = 3; + } +} + +// ThriftProtocolOptions specifies Thrift upstream protocol options. This object is used in +// in +// :ref:`typed_extension_protocol_options`, +// keyed by the name `envoy.filters.network.thrift_proxy`. +message ThriftProtocolOptions { + option (udpa.annotations.versioning).previous_message_type = + "envoy.extensions.filters.network.thrift_proxy.v3.ThriftProtocolOptions"; + + // Supplies the type of transport that the Thrift proxy should use for upstream connections. + // Selecting + // :ref:`AUTO_TRANSPORT`, + // which is the default, causes the proxy to use the same transport as the downstream connection. + TransportType transport = 1 [(validate.rules).enum = {defined_only: true}]; + + // Supplies the type of protocol that the Thrift proxy should use for upstream connections. + // Selecting + // :ref:`AUTO_PROTOCOL`, + // which is the default, causes the proxy to use the same protocol as the downstream connection. + ProtocolType protocol = 2 [(validate.rules).enum = {defined_only: true}]; +} diff --git a/generated_api_shadow/envoy/extensions/filters/udp/dns_filter/v4alpha/BUILD b/generated_api_shadow/envoy/extensions/filters/udp/dns_filter/v4alpha/BUILD new file mode 100644 index 000000000000..f869cf5ac123 --- /dev/null +++ b/generated_api_shadow/envoy/extensions/filters/udp/dns_filter/v4alpha/BUILD @@ -0,0 +1,14 @@ +# DO NOT EDIT. This file is generated by tools/proto_sync.py. + +load("@envoy_api//bazel:api_build_system.bzl", "api_proto_package") + +licenses(["notice"]) # Apache 2 + +api_proto_package( + deps = [ + "//envoy/config/core/v4alpha:pkg", + "//envoy/data/dns/v4alpha:pkg", + "//envoy/extensions/filters/udp/dns_filter/v3alpha:pkg", + "@com_github_cncf_udpa//udpa/annotations:pkg", + ], +) diff --git a/generated_api_shadow/envoy/extensions/filters/udp/dns_filter/v4alpha/dns_filter.proto b/generated_api_shadow/envoy/extensions/filters/udp/dns_filter/v4alpha/dns_filter.proto new file mode 100644 index 000000000000..be78ebf40c18 --- /dev/null +++ b/generated_api_shadow/envoy/extensions/filters/udp/dns_filter/v4alpha/dns_filter.proto @@ -0,0 +1,80 @@ +syntax = "proto3"; + +package envoy.extensions.filters.udp.dns_filter.v4alpha; + +import "envoy/config/core/v4alpha/base.proto"; +import "envoy/data/dns/v4alpha/dns_table.proto"; + +import "google/protobuf/duration.proto"; + +import "udpa/annotations/status.proto"; +import "udpa/annotations/versioning.proto"; +import "validate/validate.proto"; + +option java_package = "io.envoyproxy.envoy.extensions.filters.udp.dns_filter.v4alpha"; +option java_outer_classname = "DnsFilterProto"; +option java_multiple_files = true; +option (udpa.annotations.file_status).work_in_progress = true; +option (udpa.annotations.file_status).package_version_status = NEXT_MAJOR_VERSION_CANDIDATE; + +// [#protodoc-title: DNS Filter] +// DNS Filter :ref:`configuration overview `. +// [#extension: envoy.filters.udp_listener.dns_filter] + +// Configuration for the DNS filter. +message DnsFilterConfig { + option (udpa.annotations.versioning).previous_message_type = + "envoy.extensions.filters.udp.dns_filter.v3alpha.DnsFilterConfig"; + + // This message contains the configuration for the DNS Filter operating + // in a server context. This message will contain the virtual hosts and + // associated addresses with which Envoy will respond to queries + message ServerContextConfig { + option (udpa.annotations.versioning).previous_message_type = + "envoy.extensions.filters.udp.dns_filter.v3alpha.DnsFilterConfig.ServerContextConfig"; + + oneof config_source { + option (validate.required) = true; + + // Load the configuration specified from the control plane + data.dns.v4alpha.DnsTable inline_dns_table = 1; + + // Seed the filter configuration from an external path. This source + // is a yaml formatted file that contains the DnsTable driving Envoy's + // responses to DNS queries + config.core.v4alpha.DataSource external_dns_table = 2; + } + } + + // This message contains the configuration for the DNS Filter operating + // in a client context. This message will contain the timeouts, retry, + // and forwarding configuration for Envoy to make DNS requests to other + // resolvers + message ClientContextConfig { + option (udpa.annotations.versioning).previous_message_type = + "envoy.extensions.filters.udp.dns_filter.v3alpha.DnsFilterConfig.ClientContextConfig"; + + // Sets the maximum time we will wait for the upstream query to complete + // We allow 5s for the upstream resolution to complete, so the minimum + // value here is 5 + google.protobuf.Duration resolver_timeout = 1 [(validate.rules).duration = {gte {seconds: 5}}]; + + // A list of DNS servers to which we can forward queries + repeated string upstream_resolvers = 2 [(validate.rules).repeated = { + min_items: 1 + items {string {min_len: 3}} + }]; + } + + // The stat prefix used when emitting DNS filter statistics + string stat_prefix = 1 [(validate.rules).string = {min_len: 1}]; + + // Server context configuration contains the data that the filter uses to respond + // to DNS requests. + ServerContextConfig server_config = 2; + + // Client context configuration controls Envoy's behavior when it must use external + // resolvers to answer a query. This object is optional and if omitted instructs + // the filter to resolve queries from the data in the server_config + ClientContextConfig client_config = 3; +} diff --git a/generated_api_shadow/envoy/extensions/transport_sockets/tls/v4alpha/BUILD b/generated_api_shadow/envoy/extensions/transport_sockets/tls/v4alpha/BUILD index e56544584bfe..d294b69de40c 100644 --- a/generated_api_shadow/envoy/extensions/transport_sockets/tls/v4alpha/BUILD +++ b/generated_api_shadow/envoy/extensions/transport_sockets/tls/v4alpha/BUILD @@ -8,7 +8,7 @@ api_proto_package( deps = [ "//envoy/config/core/v4alpha:pkg", "//envoy/extensions/transport_sockets/tls/v3:pkg", - "//envoy/type/matcher/v3:pkg", + "//envoy/type/matcher/v4alpha:pkg", "@com_github_cncf_udpa//udpa/annotations:pkg", ], ) diff --git a/generated_api_shadow/envoy/extensions/transport_sockets/tls/v4alpha/common.proto b/generated_api_shadow/envoy/extensions/transport_sockets/tls/v4alpha/common.proto index 9028e380d092..f81442f4dbcd 100644 --- a/generated_api_shadow/envoy/extensions/transport_sockets/tls/v4alpha/common.proto +++ b/generated_api_shadow/envoy/extensions/transport_sockets/tls/v4alpha/common.proto @@ -3,7 +3,7 @@ syntax = "proto3"; package envoy.extensions.transport_sockets.tls.v4alpha; import "envoy/config/core/v4alpha/base.proto"; -import "envoy/type/matcher/v3/string.proto"; +import "envoy/type/matcher/v4alpha/string.proto"; import "google/protobuf/any.proto"; import "google/protobuf/struct.proto"; @@ -298,7 +298,7 @@ message CertificateValidationContext { // Subject Alternative Name of the presented certificate matches one of the specified matches. // // When a certificate has wildcard DNS SAN entries, to match a specific client, it should be - // configured with exact match type in the :ref:`string matcher `. + // configured with exact match type in the :ref:`string matcher `. // For example if the certificate has "\*.example.com" as DNS SAN entry, to allow only "api.example.com", // it should be configured as shown below. // @@ -312,7 +312,7 @@ message CertificateValidationContext { // Subject Alternative Names are easily spoofable and verifying only them is insecure, // therefore this option must be used together with :ref:`trusted_ca // `. - repeated type.matcher.v3.StringMatcher match_subject_alt_names = 9; + repeated type.matcher.v4alpha.StringMatcher match_subject_alt_names = 9; // [#not-implemented-hide:] Must present a signed time-stamped OCSP response. google.protobuf.BoolValue require_ocsp_staple = 5; diff --git a/generated_api_shadow/envoy/service/health/v4alpha/BUILD b/generated_api_shadow/envoy/service/health/v4alpha/BUILD new file mode 100644 index 000000000000..b7b2a13bd495 --- /dev/null +++ b/generated_api_shadow/envoy/service/health/v4alpha/BUILD @@ -0,0 +1,15 @@ +# DO NOT EDIT. This file is generated by tools/proto_sync.py. + +load("@envoy_api//bazel:api_build_system.bzl", "api_proto_package") + +licenses(["notice"]) # Apache 2 + +api_proto_package( + has_services = True, + deps = [ + "//envoy/config/core/v4alpha:pkg", + "//envoy/config/endpoint/v3:pkg", + "//envoy/service/health/v3:pkg", + "@com_github_cncf_udpa//udpa/annotations:pkg", + ], +) diff --git a/generated_api_shadow/envoy/service/health/v4alpha/hds.proto b/generated_api_shadow/envoy/service/health/v4alpha/hds.proto new file mode 100644 index 000000000000..826d5eeb0301 --- /dev/null +++ b/generated_api_shadow/envoy/service/health/v4alpha/hds.proto @@ -0,0 +1,160 @@ +syntax = "proto3"; + +package envoy.service.health.v4alpha; + +import "envoy/config/core/v4alpha/base.proto"; +import "envoy/config/core/v4alpha/health_check.proto"; +import "envoy/config/endpoint/v3/endpoint_components.proto"; + +import "google/api/annotations.proto"; +import "google/protobuf/duration.proto"; + +import "udpa/annotations/status.proto"; +import "udpa/annotations/versioning.proto"; + +option java_package = "io.envoyproxy.envoy.service.health.v4alpha"; +option java_outer_classname = "HdsProto"; +option java_multiple_files = true; +option java_generic_services = true; +option (udpa.annotations.file_status).package_version_status = NEXT_MAJOR_VERSION_CANDIDATE; + +// [#protodoc-title: Health Discovery Service (HDS)] + +// HDS is Health Discovery Service. It compliments Envoy’s health checking +// service by designating this Envoy to be a healthchecker for a subset of hosts +// in the cluster. The status of these health checks will be reported to the +// management server, where it can be aggregated etc and redistributed back to +// Envoy through EDS. +service HealthDiscoveryService { + // 1. Envoy starts up and if its can_healthcheck option in the static + // bootstrap config is enabled, sends HealthCheckRequest to the management + // server. It supplies its capabilities (which protocol it can health check + // with, what zone it resides in, etc.). + // 2. In response to (1), the management server designates this Envoy as a + // healthchecker to health check a subset of all upstream hosts for a given + // cluster (for example upstream Host 1 and Host 2). It streams + // HealthCheckSpecifier messages with cluster related configuration for all + // clusters this Envoy is designated to health check. Subsequent + // HealthCheckSpecifier message will be sent on changes to: + // a. Endpoints to health checks + // b. Per cluster configuration change + // 3. Envoy creates a health probe based on the HealthCheck config and sends + // it to endpoint(ip:port) of Host 1 and 2. Based on the HealthCheck + // configuration Envoy waits upon the arrival of the probe response and + // looks at the content of the response to decide whether the endpoint is + // healthy or not. If a response hasn't been received within the timeout + // interval, the endpoint health status is considered TIMEOUT. + // 4. Envoy reports results back in an EndpointHealthResponse message. + // Envoy streams responses as often as the interval configured by the + // management server in HealthCheckSpecifier. + // 5. The management Server collects health statuses for all endpoints in the + // cluster (for all clusters) and uses this information to construct + // EndpointDiscoveryResponse messages. + // 6. Once Envoy has a list of upstream endpoints to send traffic to, it load + // balances traffic to them without additional health checking. It may + // use inline healthcheck (i.e. consider endpoint UNHEALTHY if connection + // failed to a particular endpoint to account for health status propagation + // delay between HDS and EDS). + // By default, can_healthcheck is true. If can_healthcheck is false, Cluster + // configuration may not contain HealthCheck message. + // TODO(htuch): How is can_healthcheck communicated to CDS to ensure the above + // invariant? + // TODO(htuch): Add @amb67's diagram. + rpc StreamHealthCheck(stream HealthCheckRequestOrEndpointHealthResponse) + returns (stream HealthCheckSpecifier) { + } + + // TODO(htuch): Unlike the gRPC version, there is no stream-based binding of + // request/response. Should we add an identifier to the HealthCheckSpecifier + // to bind with the response? + rpc FetchHealthCheck(HealthCheckRequestOrEndpointHealthResponse) returns (HealthCheckSpecifier) { + option (google.api.http).post = "/v3/discovery:health_check"; + option (google.api.http).body = "*"; + } +} + +// Defines supported protocols etc, so the management server can assign proper +// endpoints to healthcheck. +message Capability { + option (udpa.annotations.versioning).previous_message_type = "envoy.service.health.v3.Capability"; + + // Different Envoy instances may have different capabilities (e.g. Redis) + // and/or have ports enabled for different protocols. + enum Protocol { + HTTP = 0; + TCP = 1; + REDIS = 2; + } + + repeated Protocol health_check_protocols = 1; +} + +message HealthCheckRequest { + option (udpa.annotations.versioning).previous_message_type = + "envoy.service.health.v3.HealthCheckRequest"; + + config.core.v4alpha.Node node = 1; + + Capability capability = 2; +} + +message EndpointHealth { + option (udpa.annotations.versioning).previous_message_type = + "envoy.service.health.v3.EndpointHealth"; + + config.endpoint.v3.Endpoint endpoint = 1; + + config.core.v4alpha.HealthStatus health_status = 2; +} + +message EndpointHealthResponse { + option (udpa.annotations.versioning).previous_message_type = + "envoy.service.health.v3.EndpointHealthResponse"; + + repeated EndpointHealth endpoints_health = 1; +} + +message HealthCheckRequestOrEndpointHealthResponse { + option (udpa.annotations.versioning).previous_message_type = + "envoy.service.health.v3.HealthCheckRequestOrEndpointHealthResponse"; + + oneof request_type { + HealthCheckRequest health_check_request = 1; + + EndpointHealthResponse endpoint_health_response = 2; + } +} + +message LocalityEndpoints { + option (udpa.annotations.versioning).previous_message_type = + "envoy.service.health.v3.LocalityEndpoints"; + + config.core.v4alpha.Locality locality = 1; + + repeated config.endpoint.v3.Endpoint endpoints = 2; +} + +// The cluster name and locality is provided to Envoy for the endpoints that it +// health checks to support statistics reporting, logging and debugging by the +// Envoy instance (outside of HDS). For maximum usefulness, it should match the +// same cluster structure as that provided by EDS. +message ClusterHealthCheck { + option (udpa.annotations.versioning).previous_message_type = + "envoy.service.health.v3.ClusterHealthCheck"; + + string cluster_name = 1; + + repeated config.core.v4alpha.HealthCheck health_checks = 2; + + repeated LocalityEndpoints locality_endpoints = 3; +} + +message HealthCheckSpecifier { + option (udpa.annotations.versioning).previous_message_type = + "envoy.service.health.v3.HealthCheckSpecifier"; + + repeated ClusterHealthCheck cluster_health_checks = 1; + + // The default is 1 second. + google.protobuf.Duration interval = 2; +} diff --git a/generated_api_shadow/envoy/service/status/v4alpha/BUILD b/generated_api_shadow/envoy/service/status/v4alpha/BUILD new file mode 100644 index 000000000000..fb238648fbca --- /dev/null +++ b/generated_api_shadow/envoy/service/status/v4alpha/BUILD @@ -0,0 +1,16 @@ +# DO NOT EDIT. This file is generated by tools/proto_sync.py. + +load("@envoy_api//bazel:api_build_system.bzl", "api_proto_package") + +licenses(["notice"]) # Apache 2 + +api_proto_package( + has_services = True, + deps = [ + "//envoy/admin/v4alpha:pkg", + "//envoy/config/core/v4alpha:pkg", + "//envoy/service/status/v3:pkg", + "//envoy/type/matcher/v4alpha:pkg", + "@com_github_cncf_udpa//udpa/annotations:pkg", + ], +) diff --git a/generated_api_shadow/envoy/service/status/v4alpha/csds.proto b/generated_api_shadow/envoy/service/status/v4alpha/csds.proto new file mode 100644 index 000000000000..f6f5fa654d70 --- /dev/null +++ b/generated_api_shadow/envoy/service/status/v4alpha/csds.proto @@ -0,0 +1,102 @@ +syntax = "proto3"; + +package envoy.service.status.v4alpha; + +import "envoy/admin/v4alpha/config_dump.proto"; +import "envoy/config/core/v4alpha/base.proto"; +import "envoy/type/matcher/v4alpha/node.proto"; + +import "google/api/annotations.proto"; +import "google/protobuf/struct.proto"; + +import "udpa/annotations/status.proto"; +import "udpa/annotations/versioning.proto"; + +option java_package = "io.envoyproxy.envoy.service.status.v4alpha"; +option java_outer_classname = "CsdsProto"; +option java_multiple_files = true; +option java_generic_services = true; +option (udpa.annotations.file_status).package_version_status = NEXT_MAJOR_VERSION_CANDIDATE; + +// [#protodoc-title: Client Status Discovery Service (CSDS)] + +// CSDS is Client Status Discovery Service. It can be used to get the status of +// an xDS-compliant client from the management server's point of view. In the +// future, it can potentially be used as an interface to get the current +// state directly from the client. +service ClientStatusDiscoveryService { + rpc StreamClientStatus(stream ClientStatusRequest) returns (stream ClientStatusResponse) { + } + + rpc FetchClientStatus(ClientStatusRequest) returns (ClientStatusResponse) { + option (google.api.http).post = "/v3/discovery:client_status"; + option (google.api.http).body = "*"; + } +} + +// Status of a config. +enum ConfigStatus { + // Status info is not available/unknown. + UNKNOWN = 0; + + // Management server has sent the config to client and received ACK. + SYNCED = 1; + + // Config is not sent. + NOT_SENT = 2; + + // Management server has sent the config to client but hasn’t received + // ACK/NACK. + STALE = 3; + + // Management server has sent the config to client but received NACK. + ERROR = 4; +} + +// Request for client status of clients identified by a list of NodeMatchers. +message ClientStatusRequest { + option (udpa.annotations.versioning).previous_message_type = + "envoy.service.status.v3.ClientStatusRequest"; + + // Management server can use these match criteria to identify clients. + // The match follows OR semantics. + repeated type.matcher.v4alpha.NodeMatcher node_matchers = 1; +} + +// Detailed config (per xDS) with status. +// [#next-free-field: 6] +message PerXdsConfig { + option (udpa.annotations.versioning).previous_message_type = + "envoy.service.status.v3.PerXdsConfig"; + + ConfigStatus status = 1; + + oneof per_xds_config { + admin.v4alpha.ListenersConfigDump listener_config = 2; + + admin.v4alpha.ClustersConfigDump cluster_config = 3; + + admin.v4alpha.RoutesConfigDump route_config = 4; + + admin.v4alpha.ScopedRoutesConfigDump scoped_route_config = 5; + } +} + +// All xds configs for a particular client. +message ClientConfig { + option (udpa.annotations.versioning).previous_message_type = + "envoy.service.status.v3.ClientConfig"; + + // Node for a particular client. + config.core.v4alpha.Node node = 1; + + repeated PerXdsConfig xds_config = 2; +} + +message ClientStatusResponse { + option (udpa.annotations.versioning).previous_message_type = + "envoy.service.status.v3.ClientStatusResponse"; + + // Client configs for the clients specified in the ClientStatusRequest. + repeated ClientConfig config = 1; +} diff --git a/generated_api_shadow/envoy/service/tap/v4alpha/BUILD b/generated_api_shadow/envoy/service/tap/v4alpha/BUILD new file mode 100644 index 000000000000..5f75886cd068 --- /dev/null +++ b/generated_api_shadow/envoy/service/tap/v4alpha/BUILD @@ -0,0 +1,17 @@ +# DO NOT EDIT. This file is generated by tools/proto_sync.py. + +load("@envoy_api//bazel:api_build_system.bzl", "api_proto_package") + +licenses(["notice"]) # Apache 2 + +api_proto_package( + has_services = True, + deps = [ + "//envoy/config/core/v4alpha:pkg", + "//envoy/config/tap/v4alpha:pkg", + "//envoy/data/tap/v3:pkg", + "//envoy/service/discovery/v3:pkg", + "//envoy/service/tap/v3:pkg", + "@com_github_cncf_udpa//udpa/annotations:pkg", + ], +) diff --git a/generated_api_shadow/envoy/service/tap/v4alpha/tap.proto b/generated_api_shadow/envoy/service/tap/v4alpha/tap.proto new file mode 100644 index 000000000000..a1654d18bebb --- /dev/null +++ b/generated_api_shadow/envoy/service/tap/v4alpha/tap.proto @@ -0,0 +1,64 @@ +syntax = "proto3"; + +package envoy.service.tap.v4alpha; + +import "envoy/config/core/v4alpha/base.proto"; +import "envoy/data/tap/v3/wrapper.proto"; + +import "udpa/annotations/status.proto"; +import "udpa/annotations/versioning.proto"; +import "validate/validate.proto"; + +option java_package = "io.envoyproxy.envoy.service.tap.v4alpha"; +option java_outer_classname = "TapProto"; +option java_multiple_files = true; +option java_generic_services = true; +option (udpa.annotations.file_status).package_version_status = NEXT_MAJOR_VERSION_CANDIDATE; + +// [#protodoc-title: Tap Sink Service] + +// [#not-implemented-hide:] A tap service to receive incoming taps. Envoy will call +// StreamTaps to deliver captured taps to the server +service TapSinkService { + // Envoy will connect and send StreamTapsRequest messages forever. It does not expect any + // response to be sent as nothing would be done in the case of failure. The server should + // disconnect if it expects Envoy to reconnect. + rpc StreamTaps(stream StreamTapsRequest) returns (StreamTapsResponse) { + } +} + +// [#not-implemented-hide:] Stream message for the Tap API. Envoy will open a stream to the server +// and stream taps without ever expecting a response. +message StreamTapsRequest { + option (udpa.annotations.versioning).previous_message_type = + "envoy.service.tap.v3.StreamTapsRequest"; + + message Identifier { + option (udpa.annotations.versioning).previous_message_type = + "envoy.service.tap.v3.StreamTapsRequest.Identifier"; + + // The node sending taps over the stream. + config.core.v4alpha.Node node = 1 [(validate.rules).message = {required: true}]; + + // The opaque identifier that was set in the :ref:`output config + // `. + string tap_id = 2; + } + + // Identifier data effectively is a structured metadata. As a performance optimization this will + // only be sent in the first message on the stream. + Identifier identifier = 1; + + // The trace id. this can be used to merge together a streaming trace. Note that the trace_id + // is not guaranteed to be spatially or temporally unique. + uint64 trace_id = 2; + + // The trace data. + data.tap.v3.TraceWrapper trace = 3; +} + +// [#not-implemented-hide:] +message StreamTapsResponse { + option (udpa.annotations.versioning).previous_message_type = + "envoy.service.tap.v3.StreamTapsResponse"; +} diff --git a/generated_api_shadow/envoy/service/tap/v4alpha/tapds.proto b/generated_api_shadow/envoy/service/tap/v4alpha/tapds.proto new file mode 100644 index 000000000000..855fde8c8e63 --- /dev/null +++ b/generated_api_shadow/envoy/service/tap/v4alpha/tapds.proto @@ -0,0 +1,48 @@ +syntax = "proto3"; + +package envoy.service.tap.v4alpha; + +import "envoy/config/tap/v4alpha/common.proto"; +import "envoy/service/discovery/v3/discovery.proto"; + +import "google/api/annotations.proto"; + +import "udpa/annotations/status.proto"; +import "udpa/annotations/versioning.proto"; +import "validate/validate.proto"; + +option java_package = "io.envoyproxy.envoy.service.tap.v4alpha"; +option java_outer_classname = "TapdsProto"; +option java_multiple_files = true; +option java_generic_services = true; +option (udpa.annotations.file_status).package_version_status = NEXT_MAJOR_VERSION_CANDIDATE; + +// [#protodoc-title: Tap discovery service] + +// [#not-implemented-hide:] Tap discovery service. +service TapDiscoveryService { + rpc StreamTapConfigs(stream discovery.v3.DiscoveryRequest) + returns (stream discovery.v3.DiscoveryResponse) { + } + + rpc DeltaTapConfigs(stream discovery.v3.DeltaDiscoveryRequest) + returns (stream discovery.v3.DeltaDiscoveryResponse) { + } + + rpc FetchTapConfigs(discovery.v3.DiscoveryRequest) returns (discovery.v3.DiscoveryResponse) { + option (google.api.http).post = "/v3/discovery:tap_configs"; + option (google.api.http).body = "*"; + } +} + +// [#not-implemented-hide:] A tap resource is essentially a tap configuration with a name +// The filter TapDS config references this name. +message TapResource { + option (udpa.annotations.versioning).previous_message_type = "envoy.service.tap.v3.TapResource"; + + // The name of the tap configuration. + string name = 1 [(validate.rules).string = {min_bytes: 1}]; + + // Tap config to apply + config.tap.v4alpha.TapConfig config = 2; +} diff --git a/generated_api_shadow/envoy/type/matcher/regex.proto b/generated_api_shadow/envoy/type/matcher/regex.proto index 78b4a2c1d61e..9e41637ab70c 100644 --- a/generated_api_shadow/envoy/type/matcher/regex.proto +++ b/generated_api_shadow/envoy/type/matcher/regex.proto @@ -24,7 +24,10 @@ message RegexMatcher { // compiled regex is to evaluate. A regex that has a program size greater than the configured // value will fail to compile. In this case, the configured max program size can be increased // or the regex can be simplified. If not specified, the default is 100. - google.protobuf.UInt32Value max_program_size = 1; + // + // This field is deprecated; regexp validation should be performed on the management server + // instead of being done by each individual client. + google.protobuf.UInt32Value max_program_size = 1 [deprecated = true]; } oneof engine_type { diff --git a/generated_api_shadow/envoy/type/matcher/v3/regex.proto b/generated_api_shadow/envoy/type/matcher/v3/regex.proto index 1b10df3ff1ba..5de7fd9baf54 100644 --- a/generated_api_shadow/envoy/type/matcher/v3/regex.proto +++ b/generated_api_shadow/envoy/type/matcher/v3/regex.proto @@ -30,7 +30,10 @@ message RegexMatcher { // compiled regex is to evaluate. A regex that has a program size greater than the configured // value will fail to compile. In this case, the configured max program size can be increased // or the regex can be simplified. If not specified, the default is 100. - google.protobuf.UInt32Value max_program_size = 1; + // + // This field is deprecated; regexp validation should be performed on the management server + // instead of being done by each individual client. + google.protobuf.UInt32Value max_program_size = 1 [deprecated = true]; } // Google's RE2 regex engine. diff --git a/generated_api_shadow/envoy/type/matcher/v4alpha/BUILD b/generated_api_shadow/envoy/type/matcher/v4alpha/BUILD new file mode 100644 index 000000000000..e63f52b2baa5 --- /dev/null +++ b/generated_api_shadow/envoy/type/matcher/v4alpha/BUILD @@ -0,0 +1,14 @@ +# DO NOT EDIT. This file is generated by tools/proto_sync.py. + +load("@envoy_api//bazel:api_build_system.bzl", "api_proto_package") + +licenses(["notice"]) # Apache 2 + +api_proto_package( + deps = [ + "//envoy/annotations:pkg", + "//envoy/type/matcher/v3:pkg", + "//envoy/type/v3:pkg", + "@com_github_cncf_udpa//udpa/annotations:pkg", + ], +) diff --git a/generated_api_shadow/envoy/type/matcher/v4alpha/metadata.proto b/generated_api_shadow/envoy/type/matcher/v4alpha/metadata.proto new file mode 100644 index 000000000000..8abe14e7b667 --- /dev/null +++ b/generated_api_shadow/envoy/type/matcher/v4alpha/metadata.proto @@ -0,0 +1,105 @@ +syntax = "proto3"; + +package envoy.type.matcher.v4alpha; + +import "envoy/type/matcher/v4alpha/value.proto"; + +import "udpa/annotations/status.proto"; +import "udpa/annotations/versioning.proto"; +import "validate/validate.proto"; + +option java_package = "io.envoyproxy.envoy.type.matcher.v4alpha"; +option java_outer_classname = "MetadataProto"; +option java_multiple_files = true; +option (udpa.annotations.file_status).package_version_status = NEXT_MAJOR_VERSION_CANDIDATE; + +// [#protodoc-title: Metadata matcher] + +// MetadataMatcher provides a general interface to check if a given value is matched in +// :ref:`Metadata `. It uses `filter` and `path` to retrieve the value +// from the Metadata and then check if it's matched to the specified value. +// +// For example, for the following Metadata: +// +// .. code-block:: yaml +// +// filter_metadata: +// envoy.filters.http.rbac: +// fields: +// a: +// struct_value: +// fields: +// b: +// struct_value: +// fields: +// c: +// string_value: pro +// t: +// list_value: +// values: +// - string_value: m +// - string_value: n +// +// The following MetadataMatcher is matched as the path [a, b, c] will retrieve a string value "pro" +// from the Metadata which is matched to the specified prefix match. +// +// .. code-block:: yaml +// +// filter: envoy.filters.http.rbac +// path: +// - key: a +// - key: b +// - key: c +// value: +// string_match: +// prefix: pr +// +// The following MetadataMatcher is matched as the code will match one of the string values in the +// list at the path [a, t]. +// +// .. code-block:: yaml +// +// filter: envoy.filters.http.rbac +// path: +// - key: a +// - key: t +// value: +// list_match: +// one_of: +// string_match: +// exact: m +// +// An example use of MetadataMatcher is specifying additional metadata in envoy.filters.http.rbac to +// enforce access control based on dynamic metadata in a request. See :ref:`Permission +// ` and :ref:`Principal +// `. + +// [#next-major-version: MetadataMatcher should use StructMatcher] +message MetadataMatcher { + option (udpa.annotations.versioning).previous_message_type = + "envoy.type.matcher.v3.MetadataMatcher"; + + // Specifies the segment in a path to retrieve value from Metadata. + // Note: Currently it's not supported to retrieve a value from a list in Metadata. This means that + // if the segment key refers to a list, it has to be the last segment in a path. + message PathSegment { + option (udpa.annotations.versioning).previous_message_type = + "envoy.type.matcher.v3.MetadataMatcher.PathSegment"; + + oneof segment { + option (validate.required) = true; + + // If specified, use the key to retrieve the value in a Struct. + string key = 1 [(validate.rules).string = {min_bytes: 1}]; + } + } + + // The filter name to retrieve the Struct from the Metadata. + string filter = 1 [(validate.rules).string = {min_bytes: 1}]; + + // The path to retrieve the Value from the Struct. + repeated PathSegment path = 2 [(validate.rules).repeated = {min_items: 1}]; + + // The MetadataMatcher is matched if the value retrieved by path is matched to this value. + ValueMatcher value = 3 [(validate.rules).message = {required: true}]; +} diff --git a/generated_api_shadow/envoy/type/matcher/v4alpha/node.proto b/generated_api_shadow/envoy/type/matcher/v4alpha/node.proto new file mode 100644 index 000000000000..a74bf808f05a --- /dev/null +++ b/generated_api_shadow/envoy/type/matcher/v4alpha/node.proto @@ -0,0 +1,28 @@ +syntax = "proto3"; + +package envoy.type.matcher.v4alpha; + +import "envoy/type/matcher/v4alpha/string.proto"; +import "envoy/type/matcher/v4alpha/struct.proto"; + +import "udpa/annotations/status.proto"; +import "udpa/annotations/versioning.proto"; + +option java_package = "io.envoyproxy.envoy.type.matcher.v4alpha"; +option java_outer_classname = "NodeProto"; +option java_multiple_files = true; +option (udpa.annotations.file_status).package_version_status = NEXT_MAJOR_VERSION_CANDIDATE; + +// [#protodoc-title: Node matcher] + +// Specifies the way to match a Node. +// The match follows AND semantics. +message NodeMatcher { + option (udpa.annotations.versioning).previous_message_type = "envoy.type.matcher.v3.NodeMatcher"; + + // Specifies match criteria on the node id. + StringMatcher node_id = 1; + + // Specifies match criteria on the node metadata. + repeated StructMatcher node_metadatas = 2; +} diff --git a/generated_api_shadow/envoy/type/matcher/v4alpha/number.proto b/generated_api_shadow/envoy/type/matcher/v4alpha/number.proto new file mode 100644 index 000000000000..b168af19ab50 --- /dev/null +++ b/generated_api_shadow/envoy/type/matcher/v4alpha/number.proto @@ -0,0 +1,33 @@ +syntax = "proto3"; + +package envoy.type.matcher.v4alpha; + +import "envoy/type/v3/range.proto"; + +import "udpa/annotations/status.proto"; +import "udpa/annotations/versioning.proto"; +import "validate/validate.proto"; + +option java_package = "io.envoyproxy.envoy.type.matcher.v4alpha"; +option java_outer_classname = "NumberProto"; +option java_multiple_files = true; +option (udpa.annotations.file_status).package_version_status = NEXT_MAJOR_VERSION_CANDIDATE; + +// [#protodoc-title: Number matcher] + +// Specifies the way to match a double value. +message DoubleMatcher { + option (udpa.annotations.versioning).previous_message_type = + "envoy.type.matcher.v3.DoubleMatcher"; + + oneof match_pattern { + option (validate.required) = true; + + // If specified, the input double value must be in the range specified here. + // Note: The range is using half-open interval semantics [start, end). + v3.DoubleRange range = 1; + + // If specified, the input double value must be equal to the value specified here. + double exact = 2; + } +} diff --git a/generated_api_shadow/envoy/type/matcher/v4alpha/path.proto b/generated_api_shadow/envoy/type/matcher/v4alpha/path.proto new file mode 100644 index 000000000000..9150939bf2ee --- /dev/null +++ b/generated_api_shadow/envoy/type/matcher/v4alpha/path.proto @@ -0,0 +1,30 @@ +syntax = "proto3"; + +package envoy.type.matcher.v4alpha; + +import "envoy/type/matcher/v4alpha/string.proto"; + +import "udpa/annotations/status.proto"; +import "udpa/annotations/versioning.proto"; +import "validate/validate.proto"; + +option java_package = "io.envoyproxy.envoy.type.matcher.v4alpha"; +option java_outer_classname = "PathProto"; +option java_multiple_files = true; +option (udpa.annotations.file_status).package_version_status = NEXT_MAJOR_VERSION_CANDIDATE; + +// [#protodoc-title: Path matcher] + +// Specifies the way to match a path on HTTP request. +message PathMatcher { + option (udpa.annotations.versioning).previous_message_type = "envoy.type.matcher.v3.PathMatcher"; + + oneof rule { + option (validate.required) = true; + + // The `path` must match the URL path portion of the :path header. The query and fragment + // string (if present) are removed in the URL path portion. + // For example, the path */data* will match the *:path* header */data#fragment?param=value*. + StringMatcher path = 1 [(validate.rules).message = {required: true}]; + } +} diff --git a/generated_api_shadow/envoy/type/matcher/v4alpha/regex.proto b/generated_api_shadow/envoy/type/matcher/v4alpha/regex.proto new file mode 100644 index 000000000000..ed038ec3abb4 --- /dev/null +++ b/generated_api_shadow/envoy/type/matcher/v4alpha/regex.proto @@ -0,0 +1,77 @@ +syntax = "proto3"; + +package envoy.type.matcher.v4alpha; + +import "google/protobuf/wrappers.proto"; + +import "udpa/annotations/status.proto"; +import "udpa/annotations/versioning.proto"; +import "validate/validate.proto"; + +option java_package = "io.envoyproxy.envoy.type.matcher.v4alpha"; +option java_outer_classname = "RegexProto"; +option java_multiple_files = true; +option (udpa.annotations.file_status).package_version_status = NEXT_MAJOR_VERSION_CANDIDATE; + +// [#protodoc-title: Regex matcher] + +// A regex matcher designed for safety when used with untrusted input. +message RegexMatcher { + option (udpa.annotations.versioning).previous_message_type = "envoy.type.matcher.v3.RegexMatcher"; + + // Google's `RE2 `_ regex engine. The regex string must adhere to + // the documented `syntax `_. The engine is designed + // to complete execution in linear time as well as limit the amount of memory used. + message GoogleRE2 { + option (udpa.annotations.versioning).previous_message_type = + "envoy.type.matcher.v3.RegexMatcher.GoogleRE2"; + + // This field controls the RE2 "program size" which is a rough estimate of how complex a + // compiled regex is to evaluate. A regex that has a program size greater than the configured + // value will fail to compile. In this case, the configured max program size can be increased + // or the regex can be simplified. If not specified, the default is 100. + // + // This field is deprecated; regexp validation should be performed on the management server + // instead of being done by each individual client. + google.protobuf.UInt32Value hidden_envoy_deprecated_max_program_size = 1 [deprecated = true]; + } + + oneof engine_type { + option (validate.required) = true; + + // Google's RE2 regex engine. + GoogleRE2 google_re2 = 1 [(validate.rules).message = {required: true}]; + } + + // The regex match string. The string must be supported by the configured engine. + string regex = 2 [(validate.rules).string = {min_bytes: 1}]; +} + +// Describes how to match a string and then produce a new string using a regular +// expression and a substitution string. +message RegexMatchAndSubstitute { + option (udpa.annotations.versioning).previous_message_type = + "envoy.type.matcher.v3.RegexMatchAndSubstitute"; + + // The regular expression used to find portions of a string (hereafter called + // the "subject string") that should be replaced. When a new string is + // produced during the substitution operation, the new string is initially + // the same as the subject string, but then all matches in the subject string + // are replaced by the substitution string. If replacing all matches isn't + // desired, regular expression anchors can be used to ensure a single match, + // so as to replace just one occurrence of a pattern. Capture groups can be + // used in the pattern to extract portions of the subject string, and then + // referenced in the substitution string. + RegexMatcher pattern = 1; + + // The string that should be substituted into matching portions of the + // subject string during a substitution operation to produce a new string. + // Capture groups in the pattern can be referenced in the substitution + // string. Note, however, that the syntax for referring to capture groups is + // defined by the chosen regular expression engine. Google's `RE2 + // `_ regular expression engine uses a + // backslash followed by the capture group number to denote a numbered + // capture group. E.g., ``\1`` refers to capture group 1, and ``\2`` refers + // to capture group 2. + string substitution = 2; +} diff --git a/generated_api_shadow/envoy/type/matcher/v4alpha/string.proto b/generated_api_shadow/envoy/type/matcher/v4alpha/string.proto new file mode 100644 index 000000000000..8ce0b12f9e2a --- /dev/null +++ b/generated_api_shadow/envoy/type/matcher/v4alpha/string.proto @@ -0,0 +1,71 @@ +syntax = "proto3"; + +package envoy.type.matcher.v4alpha; + +import "envoy/type/matcher/v4alpha/regex.proto"; + +import "envoy/annotations/deprecation.proto"; +import "udpa/annotations/status.proto"; +import "udpa/annotations/versioning.proto"; +import "validate/validate.proto"; + +option java_package = "io.envoyproxy.envoy.type.matcher.v4alpha"; +option java_outer_classname = "StringProto"; +option java_multiple_files = true; +option (udpa.annotations.file_status).package_version_status = NEXT_MAJOR_VERSION_CANDIDATE; + +// [#protodoc-title: String matcher] + +// Specifies the way to match a string. +// [#next-free-field: 7] +message StringMatcher { + option (udpa.annotations.versioning).previous_message_type = + "envoy.type.matcher.v3.StringMatcher"; + + reserved 4; + + reserved "regex"; + + oneof match_pattern { + option (validate.required) = true; + + // The input string must match exactly the string specified here. + // + // Examples: + // + // * *abc* only matches the value *abc*. + string exact = 1; + + // The input string must have the prefix specified here. + // Note: empty prefix is not allowed, please use regex instead. + // + // Examples: + // + // * *abc* matches the value *abc.xyz* + string prefix = 2 [(validate.rules).string = {min_bytes: 1}]; + + // The input string must have the suffix specified here. + // Note: empty prefix is not allowed, please use regex instead. + // + // Examples: + // + // * *abc* matches the value *xyz.abc* + string suffix = 3 [(validate.rules).string = {min_bytes: 1}]; + + // The input string must match the regular expression specified here. + RegexMatcher safe_regex = 5 [(validate.rules).message = {required: true}]; + } + + // If true, indicates the exact/prefix/suffix matching should be case insensitive. This has no + // effect for the safe_regex match. + // For example, the matcher *data* will match both input string *Data* and *data* if set to true. + bool ignore_case = 6; +} + +// Specifies a list of ways to match a string. +message ListStringMatcher { + option (udpa.annotations.versioning).previous_message_type = + "envoy.type.matcher.v3.ListStringMatcher"; + + repeated StringMatcher patterns = 1 [(validate.rules).repeated = {min_items: 1}]; +} diff --git a/generated_api_shadow/envoy/type/matcher/v4alpha/struct.proto b/generated_api_shadow/envoy/type/matcher/v4alpha/struct.proto new file mode 100644 index 000000000000..643cc5a47570 --- /dev/null +++ b/generated_api_shadow/envoy/type/matcher/v4alpha/struct.proto @@ -0,0 +1,91 @@ +syntax = "proto3"; + +package envoy.type.matcher.v4alpha; + +import "envoy/type/matcher/v4alpha/value.proto"; + +import "udpa/annotations/status.proto"; +import "udpa/annotations/versioning.proto"; +import "validate/validate.proto"; + +option java_package = "io.envoyproxy.envoy.type.matcher.v4alpha"; +option java_outer_classname = "StructProto"; +option java_multiple_files = true; +option (udpa.annotations.file_status).package_version_status = NEXT_MAJOR_VERSION_CANDIDATE; + +// [#protodoc-title: Struct matcher] + +// StructMatcher provides a general interface to check if a given value is matched in +// google.protobuf.Struct. It uses `path` to retrieve the value +// from the struct and then check if it's matched to the specified value. +// +// For example, for the following Struct: +// +// .. code-block:: yaml +// +// fields: +// a: +// struct_value: +// fields: +// b: +// struct_value: +// fields: +// c: +// string_value: pro +// t: +// list_value: +// values: +// - string_value: m +// - string_value: n +// +// The following MetadataMatcher is matched as the path [a, b, c] will retrieve a string value "pro" +// from the Metadata which is matched to the specified prefix match. +// +// .. code-block:: yaml +// +// path: +// - key: a +// - key: b +// - key: c +// value: +// string_match: +// prefix: pr +// +// The following StructMatcher is matched as the code will match one of the string values in the +// list at the path [a, t]. +// +// .. code-block:: yaml +// +// path: +// - key: a +// - key: t +// value: +// list_match: +// one_of: +// string_match: +// exact: m +// +// An example use of StructMatcher is to match metadata in envoy.v*.core.Node. +message StructMatcher { + option (udpa.annotations.versioning).previous_message_type = + "envoy.type.matcher.v3.StructMatcher"; + + // Specifies the segment in a path to retrieve value from Struct. + message PathSegment { + option (udpa.annotations.versioning).previous_message_type = + "envoy.type.matcher.v3.StructMatcher.PathSegment"; + + oneof segment { + option (validate.required) = true; + + // If specified, use the key to retrieve the value in a Struct. + string key = 1 [(validate.rules).string = {min_bytes: 1}]; + } + } + + // The path to retrieve the Value from the Struct. + repeated PathSegment path = 2 [(validate.rules).repeated = {min_items: 1}]; + + // The StructMatcher is matched if the value retrieved by path is matched to this value. + ValueMatcher value = 3 [(validate.rules).message = {required: true}]; +} diff --git a/generated_api_shadow/envoy/type/matcher/v4alpha/value.proto b/generated_api_shadow/envoy/type/matcher/v4alpha/value.proto new file mode 100644 index 000000000000..6e509d460109 --- /dev/null +++ b/generated_api_shadow/envoy/type/matcher/v4alpha/value.proto @@ -0,0 +1,71 @@ +syntax = "proto3"; + +package envoy.type.matcher.v4alpha; + +import "envoy/type/matcher/v4alpha/number.proto"; +import "envoy/type/matcher/v4alpha/string.proto"; + +import "udpa/annotations/status.proto"; +import "udpa/annotations/versioning.proto"; +import "validate/validate.proto"; + +option java_package = "io.envoyproxy.envoy.type.matcher.v4alpha"; +option java_outer_classname = "ValueProto"; +option java_multiple_files = true; +option (udpa.annotations.file_status).package_version_status = NEXT_MAJOR_VERSION_CANDIDATE; + +// [#protodoc-title: Value matcher] + +// Specifies the way to match a ProtobufWkt::Value. Primitive values and ListValue are supported. +// StructValue is not supported and is always not matched. +// [#next-free-field: 7] +message ValueMatcher { + option (udpa.annotations.versioning).previous_message_type = "envoy.type.matcher.v3.ValueMatcher"; + + // NullMatch is an empty message to specify a null value. + message NullMatch { + option (udpa.annotations.versioning).previous_message_type = + "envoy.type.matcher.v3.ValueMatcher.NullMatch"; + } + + // Specifies how to match a value. + oneof match_pattern { + option (validate.required) = true; + + // If specified, a match occurs if and only if the target value is a NullValue. + NullMatch null_match = 1; + + // If specified, a match occurs if and only if the target value is a double value and is + // matched to this field. + DoubleMatcher double_match = 2; + + // If specified, a match occurs if and only if the target value is a string value and is + // matched to this field. + StringMatcher string_match = 3; + + // If specified, a match occurs if and only if the target value is a bool value and is equal + // to this field. + bool bool_match = 4; + + // If specified, value match will be performed based on whether the path is referring to a + // valid primitive value in the metadata. If the path is referring to a non-primitive value, + // the result is always not matched. + bool present_match = 5; + + // If specified, a match occurs if and only if the target value is a list value and + // is matched to this field. + ListMatcher list_match = 6; + } +} + +// Specifies the way to match a list value. +message ListMatcher { + option (udpa.annotations.versioning).previous_message_type = "envoy.type.matcher.v3.ListMatcher"; + + oneof match_pattern { + option (validate.required) = true; + + // If specified, at least one of the values in the list must match the value specified. + ValueMatcher one_of = 1; + } +} diff --git a/tools/api_boost/testdata/deprecate.cc.gold b/tools/api_boost/testdata/deprecate.cc.gold index bee1dacfe56e..0158efa26d9a 100644 --- a/tools/api_boost/testdata/deprecate.cc.gold +++ b/tools/api_boost/testdata/deprecate.cc.gold @@ -1,11 +1,11 @@ #include "envoy/config/cluster/v4alpha/cluster.pb.h" #include "envoy/config/route/v4alpha/route_components.pb.h" -#include "envoy/type/matcher/v3/string.pb.h" +#include "envoy/type/matcher/v4alpha/string.pb.h" void test() { envoy::config::route::v4alpha::VirtualHost vhost; vhost.hidden_envoy_deprecated_per_filter_config(); vhost.mutable_hidden_envoy_deprecated_per_filter_config(); - static_cast(envoy::type::matcher::v3::StringMatcher::MatchPatternCase::kHiddenEnvoyDeprecatedRegex); + static_cast(envoy::type::matcher::v4alpha::StringMatcher::MatchPatternCase::kHiddenEnvoyDeprecatedRegex); static_cast(envoy::config::cluster::v4alpha::Cluster::hidden_envoy_deprecated_ORIGINAL_DST_LB); }