[protobuf] Update protobuf definitions to v1.32.2 (#433)

Signed-off-by: envoy-bot <envoy-bot@users.noreply.github.com>
Co-authored-by: envoy-bot <envoy-bot@users.noreply.github.com>

api/src/main/proto/cel/expr/conformance/proto2/test_all_types.proto

@@ -96,7 +96,7 @@ message TestAllTypes {
   repeated NestedEnum repeated_nested_enum = 52;
   repeated string repeated_string_piece = 53 [ctype = STRING_PIECE];
   repeated string repeated_cord = 54 [ctype = CORD];
-  repeated NestedMessage repeated_lazy_message = 55 [lazy = true];
+  repeated NestedMessage repeated_lazy_message = 55;
 
   // Repeated wellknown.
   repeated google.protobuf.Any repeated_any = 120;

api/src/main/proto/cel/expr/conformance/proto3/test_all_types.proto

@@ -96,7 +96,7 @@ message TestAllTypes {
   repeated NestedEnum repeated_nested_enum = 52;
   repeated string repeated_string_piece = 53 [ctype = STRING_PIECE];
   repeated string repeated_cord = 54 [ctype = CORD];
-  repeated NestedMessage repeated_lazy_message = 55 [lazy = true];
+  repeated NestedMessage repeated_lazy_message = 55;
 
   // Repeated wellknown.
   repeated google.protobuf.Any repeated_any = 120;

api/src/main/proto/cel/expr/syntax.proto

@@ -185,8 +185,8 @@ message Expr {
   // macro tests whether the property is set to its default. For map and struct
   // types, the macro tests whether the property `x` is defined on `m`.
   //
-  // Comprehension evaluation can be best visualized as the following
-  // pseudocode:
+  // Comprehensions for the standard environment macros evaluation can be best
+  // visualized as the following pseudocode:
   //
   // ```
   // let `accu_var` = `accu_init`
@@ -198,11 +198,35 @@ message Expr {
   // }
   // return `result`
   // ```
+  //
+  // Comprehensions for the optional V2 macros which support map-to-map
+  // translation differ slightly from the standard environment macros in that
+  // they expose both the key or index in addition to the value for each list
+  // or map entry:
+  //
+  // ```
+  // let `accu_var` = `accu_init`
+  // for (let `iter_var`, `iter_var2` in `iter_range`) {
+  //   if (!`loop_condition`) {
+  //     break
+  //   }
+  //   `accu_var` = `loop_step`
+  // }
+  // return `result`
+  // ```
   message Comprehension {
-    // The name of the iteration variable.
+    // The name of the first iteration variable.
+    // When the iter_range is a list, this variable is the list element.
+    // When the iter_range is a map, this variable is the map entry key.
     string iter_var = 1;
 
-    // The range over which var iterates.
+    // The name of the second iteration variable, empty if not set.
+    // When the iter_range is a list, this variable is the integer index.
+    // When the iter_range is a map, this variable is the map entry value.
+    // This field is only set for comprehension v2 macros.
+    string iter_var2 = 8;
+
+    // The range over which the comprehension iterates.
     Expr iter_range = 2;
 
     // The name of the variable used for accumulation of the result.
@@ -211,13 +235,13 @@ message Expr {
     // The initial value of the accumulator.
     Expr accu_init = 4;
 
-    // An expression which can contain iter_var and accu_var.
+    // An expression which can contain iter_var, iter_var2, and accu_var.
     //
     // Returns false when the result has been computed and may be used as
     // a hint to short-circuit the remainder of the comprehension.
     Expr loop_condition = 5;
 
-    // An expression which can contain iter_var and accu_var.
+    // An expression which can contain iter_var, iter_var2, and accu_var.
     //
     // Computes the next value of accu_var.
     Expr loop_step = 6;

api/src/main/proto/envoy/config/cluster/v3/cluster.proto

@@ -45,7 +45,7 @@ message ClusterCollection {
 }
 
 // Configuration for a single upstream cluster.
-// [#next-free-field: 58]
+// [#next-free-field: 59]
 message Cluster {
   option (udpa.annotations.versioning).previous_message_type = "envoy.api.v2.Cluster";
 
@@ -956,6 +956,17 @@ message Cluster {
   google.protobuf.Duration dns_refresh_rate = 16
       [(validate.rules).duration = {gt {nanos: 1000000}}];
 
+  // DNS jitter can be optionally specified if the cluster type is either
+  // :ref:`STRICT_DNS<envoy_v3_api_enum_value_config.cluster.v3.Cluster.DiscoveryType.STRICT_DNS>`,
+  // or :ref:`LOGICAL_DNS<envoy_v3_api_enum_value_config.cluster.v3.Cluster.DiscoveryType.LOGICAL_DNS>`.
+  // DNS jitter causes the cluster to refresh DNS entries later by a random amount of time to avoid a
+  // stampede of DNS requests. This value sets the upper bound (exclusive) for the random amount.
+  // There will be no jitter if this value is omitted. For cluster types other than
+  // :ref:`STRICT_DNS<envoy_v3_api_enum_value_config.cluster.v3.Cluster.DiscoveryType.STRICT_DNS>`
+  // and :ref:`LOGICAL_DNS<envoy_v3_api_enum_value_config.cluster.v3.Cluster.DiscoveryType.LOGICAL_DNS>`
+  // this setting is ignored.
+  google.protobuf.Duration dns_jitter = 58 [(validate.rules).duration = {gte {}}];
+
   // If the DNS failure refresh rate is specified and the cluster type is either
   // :ref:`STRICT_DNS<envoy_v3_api_enum_value_config.cluster.v3.Cluster.DiscoveryType.STRICT_DNS>`,
   // or :ref:`LOGICAL_DNS<envoy_v3_api_enum_value_config.cluster.v3.Cluster.DiscoveryType.LOGICAL_DNS>`,
@@ -1151,12 +1162,13 @@ message Cluster {
   // from the LRS stream here.]
   core.v3.ConfigSource lrs_server = 42;
 
-  // [#not-implemented-hide:]
-  // A list of metric names from ORCA load reports to propagate to LRS.
+  // A list of metric names from :ref:`ORCA load reports <envoy_v3_api_msg_.xds.data.orca.v3.OrcaLoadReport>` to propagate to LRS.
+  //
+  // If not specified, then ORCA load reports will not be propagated to LRS.
   //
   // For map fields in the ORCA proto, the string will be of the form ``<map_field_name>.<map_key>``.
   // For example, the string ``named_metrics.foo`` will mean to look for the key ``foo`` in the ORCA
-  // ``named_metrics`` field.
+  // :ref:`named_metrics <envoy_v3_api_field_.xds.data.orca.v3.OrcaLoadReport.named_metrics>` field.
   //
   // The special map key ``*`` means to report all entries in the map (e.g., ``named_metrics.*`` means to
   // report all entries in the ORCA named_metrics field). Note that this should be used only with trusted

api/src/main/proto/envoy/config/core/v3/protocol.proto

@@ -56,7 +56,7 @@ message QuicKeepAliveSettings {
 }
 
 // QUIC protocol options which apply to both downstream and upstream connections.
-// [#next-free-field: 9]
+// [#next-free-field: 10]
 message QuicProtocolOptions {
   // Maximum number of streams that the client can negotiate per connection. 100
   // if not specified.
@@ -111,6 +111,10 @@ message QuicProtocolOptions {
     lte {seconds: 600}
     gte {seconds: 1}
   }];
+
+  // Maximum packet length for QUIC connections. It refers to the largest size of a QUIC packet that can be transmitted over the connection.
+  // If not specified, one of the `default values in QUICHE <https://github.com/google/quiche/blob/main/quiche/quic/core/quic_constants.h>`_ is used.
+  google.protobuf.UInt64Value max_packet_length = 9;
 }
 
 message UpstreamHttpProtocolOptions {
@@ -205,7 +209,7 @@ message AlternateProtocolsCacheOptions {
   repeated string canonical_suffixes = 5;
 }
 
-// [#next-free-field: 7]
+// [#next-free-field: 8]
 message HttpProtocolOptions {
   option (udpa.annotations.versioning).previous_message_type =
       "envoy.api.v2.core.HttpProtocolOptions";
@@ -255,11 +259,31 @@ message HttpProtocolOptions {
   // <envoy_v3_api_field_extensions.filters.network.http_connection_manager.v3.HttpConnectionManager.drain_timeout>`.
   google.protobuf.Duration max_connection_duration = 3;
 
-  // The maximum number of headers. If unconfigured, the default
-  // maximum number of request headers allowed is 100. Requests that exceed this limit will receive
-  // a 431 response for HTTP/1.x and cause a stream reset for HTTP/2.
+  // The maximum number of headers (request headers if configured on HttpConnectionManager,
+  // response headers when configured on a cluster).
+  // If unconfigured, the default maximum number of headers allowed is 100.
+  // The default value for requests can be overridden by setting runtime key ``envoy.reloadable_features.max_request_headers_count``.
+  // The default value for responses can be overridden by setting runtime key ``envoy.reloadable_features.max_response_headers_count``.
+  // Downstream requests that exceed this limit will receive a 431 response for HTTP/1.x and cause a stream
+  // reset for HTTP/2.
+  // Upstream responses that exceed this limit will result in a 503 response.
   google.protobuf.UInt32Value max_headers_count = 2 [(validate.rules).uint32 = {gte: 1}];
 
+  // The maximum size of response headers.
+  // If unconfigured, the default is 60 KiB, except for HTTP/1 response headers which have a default
+  // of 80KiB.
+  // The default value can be overridden by setting runtime key ``envoy.reloadable_features.max_response_headers_size_kb``.
+  // Responses that exceed this limit will result in a 503 response.
+  // In Envoy, this setting is only valid when configured on an upstream cluster, not on the
+  // :ref:`HTTP Connection Manager
+  // <envoy_v3_api_field_extensions.filters.network.http_connection_manager.v3.HttpConnectionManager.common_http_protocol_options>`.
+  //
+  // Note: currently some protocol codecs impose limits on the maximum size of a single header:
+  //   HTTP/2 (when using nghttp2) limits a single header to around 100kb.
+  //   HTTP/3 limits a single header to around 1024kb.
+  google.protobuf.UInt32Value max_response_headers_kb = 7
+      [(validate.rules).uint32 = {lte: 8192 gt: 0}];
+
   // Total duration to keep alive an HTTP request/response stream. If the time limit is reached the stream will be
   // reset independent of any other timeouts. If not specified, this value is not set.
   google.protobuf.Duration max_stream_duration = 4;

api/src/main/proto/envoy/config/core/v3/socket_cmsg_headers.proto

@@ -0,0 +1,28 @@
+syntax = "proto3";
+
+package envoy.config.core.v3;
+
+import "google/protobuf/wrappers.proto";
+
+import "udpa/annotations/status.proto";
+
+option java_package = "io.envoyproxy.envoy.config.core.v3";
+option java_outer_classname = "SocketCmsgHeadersProto";
+option java_multiple_files = true;
+option go_package = "github.com/envoyproxy/go-control-plane/envoy/config/core/v3;corev3";
+option (udpa.annotations.file_status).package_version_status = ACTIVE;
+
+// [#protodoc-title: Socket CMSG headers]
+
+// Configuration for socket cmsg headers.
+// See `:ref:CMSG <https://man7.org/linux/man-pages/man3/cmsg.3.html>`_ for further information.
+message SocketCmsgHeaders {
+  // cmsg level. Default is unset.
+  google.protobuf.UInt32Value level = 1;
+
+  // cmsg type. Default is unset.
+  google.protobuf.UInt32Value type = 2;
+
+  // Expected size of cmsg value. Default is zero.
+  uint32 expected_size = 3;
+}

api/src/main/proto/envoy/config/core/v3/socket_option.proto

@@ -36,7 +36,7 @@ option (udpa.annotations.file_status).package_version_status = ACTIVE;
 // :ref:`admin's <envoy_v3_api_field_config.bootstrap.v3.Admin.socket_options>` socket_options etc.
 //
 // It should be noted that the name or level may have different values on different platforms.
-// [#next-free-field: 7]
+// [#next-free-field: 8]
 message SocketOption {
   option (udpa.annotations.versioning).previous_message_type = "envoy.api.v2.core.SocketOption";
 
@@ -51,6 +51,29 @@ message SocketOption {
     STATE_LISTENING = 2;
   }
 
+  // The `socket type <https://linux.die.net/man/2/socket>`_ to apply the socket option to.
+  // Only one field should be set. If multiple fields are set, the precedence order will determine
+  // the selected one. If none of the fields is set, the socket option will be applied to all socket types.
+  //
+  // For example:
+  // If :ref:`stream <envoy_v3_api_field_config.core.v3.SocketOption.SocketType.stream>` is set,
+  // it takes precedence over :ref:`datagram <envoy_v3_api_field_config.core.v3.SocketOption.SocketType.datagram>`.
+  message SocketType {
+    // The stream socket type.
+    message Stream {
+    }
+
+    // The datagram socket type.
+    message Datagram {
+    }
+
+    // Apply the socket option to the stream socket type.
+    Stream stream = 1;
+
+    // Apply the socket option to the datagram socket type.
+    Datagram datagram = 2;
+  }
+
   // An optional name to give this socket option for debugging, etc.
   // Uniqueness is not required and no special meaning is assumed.
   string description = 1;
@@ -74,6 +97,10 @@ message SocketOption {
   // The state in which the option will be applied. When used in BindConfig
   // STATE_PREBIND is currently the only valid value.
   SocketState state = 6 [(validate.rules).enum = {defined_only: true}];
+
+  // Apply the socket option to the specified `socket type <https://linux.die.net/man/2/socket>`_.
+  // If not specified, the socket option will be applied to all socket types.
+  SocketType type = 7;
 }
 
 message SocketOptionsOverride {

api/src/main/proto/envoy/config/listener/v3/quic_config.proto

@@ -5,6 +5,7 @@ package envoy.config.listener.v3;
 import "envoy/config/core/v3/base.proto";
 import "envoy/config/core/v3/extension.proto";
 import "envoy/config/core/v3/protocol.proto";
+import "envoy/config/core/v3/socket_cmsg_headers.proto";
 
 import "google/protobuf/duration.proto";
 import "google/protobuf/wrappers.proto";
@@ -24,7 +25,7 @@ option (udpa.annotations.file_status).package_version_status = ACTIVE;
 // [#protodoc-title: QUIC listener config]
 
 // Configuration specific to the UDP QUIC listener.
-// [#next-free-field: 12]
+// [#next-free-field: 14]
 message QuicProtocolOptions {
   option (udpa.annotations.versioning).previous_message_type =
       "envoy.api.v2.listener.QuicProtocolOptions";
@@ -86,4 +87,16 @@ message QuicProtocolOptions {
   // If not specified, no debug visitor will be attached to connections.
   // [#extension-category: envoy.quic.connection_debug_visitor]
   core.v3.TypedExtensionConfig connection_debug_visitor_config = 11;
+
+  // Configure a type of UDP cmsg to pass to listener filters via QuicReceivedPacket.
+  // Both level and type must be specified for cmsg to be saved.
+  // Cmsg may be truncated or omitted if expected size is not set.
+  // If not specified, no cmsg will be saved to QuicReceivedPacket.
+  repeated core.v3.SocketCmsgHeaders save_cmsg_config = 12
+      [(validate.rules).repeated = {max_items: 1}];
+
+  // If true, the listener will reject connection-establishing packets at the
+  // QUIC layer by replying with an empty version negotiation packet to the
+  // client.
+  bool reject_new_connections = 13;
 }

api/src/main/proto/envoy/config/trace/v3/dynamic_ot.proto

@@ -20,10 +20,10 @@ option (udpa.annotations.file_status).package_version_status = ACTIVE;
 
 // [#protodoc-title: Dynamically loadable OpenTracing tracer]
 
-// DynamicOtConfig is used to dynamically load a tracer from a shared library
+// DynamicOtConfig was used to dynamically load a tracer from a shared library
 // that implements the `OpenTracing dynamic loading API
 // <https://github.com/opentracing/opentracing-cpp>`_.
-// [#extension: envoy.tracers.dynamic_ot]
+// [#not-implemented-hide:]
 message DynamicOtConfig {
   option (udpa.annotations.versioning).previous_message_type =
       "envoy.config.trace.v2.DynamicOtConfig";

api/src/main/proto/envoy/config/trace/v3/xray.proto

@@ -21,6 +21,65 @@ option (udpa.annotations.file_status).package_version_status = ACTIVE;
 
 // [#protodoc-title: AWS X-Ray Tracer Configuration]
 // Configuration for AWS X-Ray tracer
+//
+// The X-Ray tracer will automatically attach :ref:`custom_tags <envoy_v3_api_field_extensions.filters.network.http_connection_manager.v3.HttpConnectionManager.Tracing.custom_tags>` as annotations to the span. (See: `Annotations <https://docs.aws.amazon.com/xray/latest/devguide/xray-concepts.html#xray-concepts-annotations>`_.)
+//
+// AWS X-Ray trace annotations are also created by the tracing subsystem automatically based on metadata provided during creation of a span.
+//
+// An example X-Ray trace span that is generated by the envoy trace subsystem is as follows:
+//
+// .. code-block:: json
+//
+//   {
+//     "Id": "1-6698980d-e829ae270ab34b69b488b098",
+//     "Duration": 0.016,
+//     "LimitExceeded": false,
+//     "Segments":
+//     [
+//       {
+//         "Id": "15d65e5ced8dfe76",
+//         "Document":
+//         {
+//           "id": "15d65e5ced8dfe76",
+//           "name": "envoy-example",
+//           "start_time": 1721276429.410355,
+//           "trace_id": "1-6698980d-e829ae270ab34b69b488b098",
+//           "end_time": 1721276429.426068,
+//           "fault": true,
+//           "http":
+//           {
+//             "request":
+//             {
+//               "url": "http://example/path",
+//               "method": "GET",
+//               "user_agent": "curl/8.5.0",
+//               "client_ip": "127.0.0.1",
+//               "x_forwarded_for": false
+//             },
+//             "response":
+//             {
+//               "status": 503,
+//               "content_length": 216
+//             }
+//           },
+//           "aws": {},
+//           "annotations":
+//           {
+//             "response_flags": "UF",
+//             "component": "proxy",
+//             "upstream_cluster": "upstream_cluster",
+//             "annotation_from_custom_tag": "example",
+//             "http.protocol": "HTTP/1.1",
+//             "request_size": "0",
+//             "downstream_cluster": "-",
+//             "direction": "ingress",
+//             "upstream_cluster.name": "upstream_cluster"
+//           }
+//         }
+//       }
+//     ]
+//   }
+//
 
 // [#extension: envoy.tracers.xray]
 message XRayConfig {

api/src/main/proto/envoy/extensions/filters/http/basic_auth/v3/basic_auth.proto

@@ -41,6 +41,12 @@ message BasicAuth {
   // If it is not specified, the username will not be forwarded.
   string forward_username_header = 2
       [(validate.rules).string = {well_known_regex: HTTP_HEADER_NAME strict: false}];
+
+  // This field specifies the request header to load the basic credential from.
+  //
+  // If it is not specified, the filter loads the credential from  the "Authorization" header.
+  string authentication_header = 3
+      [(validate.rules).string = {well_known_regex: HTTP_HEADER_NAME strict: false}];
 }
 
 // Extra settings that may be added to per-route configuration for