From 815727d5835599617de3792533942b702b5fffcf Mon Sep 17 00:00:00 2001 From: "github-actions[bot]" <41898282+github-actions[bot]@users.noreply.github.com> Date: Sun, 15 Dec 2024 09:53:52 +0100 Subject: [PATCH] [protobuf] Update protobuf definitions to v1.32.2 (#433) Signed-off-by: envoy-bot Co-authored-by: envoy-bot --- .../conformance/proto2/test_all_types.proto | 2 +- .../conformance/proto3/test_all_types.proto | 2 +- api/src/main/proto/cel/expr/syntax.proto | 36 ++++- .../envoy/config/cluster/v3/cluster.proto | 20 ++- .../proto/envoy/config/core/v3/protocol.proto | 34 +++- .../config/core/v3/socket_cmsg_headers.proto | 28 ++++ .../envoy/config/core/v3/socket_option.proto | 29 +++- .../config/listener/v3/quic_config.proto | 15 +- .../envoy/config/trace/v3/dynamic_ot.proto | 4 +- .../proto/envoy/config/trace/v3/xray.proto | 59 +++++++ .../http/basic_auth/v3/basic_auth.proto | 6 + .../filters/http/ext_authz/v3/ext_authz.proto | 19 ++- .../filters/http/ext_proc/v3/ext_proc.proto | 85 +++++++++- .../grpc_field_extraction/v3/config.proto | 9 +- .../filters/http/jwt_authn/v3/config.proto | 17 +- .../local_ratelimit/v3/local_rate_limit.proto | 22 ++- .../filters/http/oauth2/v3/oauth.proto | 35 ++++- .../v3/config.proto | 148 ++++++++++-------- .../generic_proxy/action/v3/action.proto | 65 ++++++++ .../generic_proxy/codecs/dubbo/v3/dubbo.proto | 20 +++ .../generic_proxy/codecs/http1/v3/http1.proto | 49 ++++++ .../generic_proxy/matcher/v3/matcher.proto | 80 ++++++++++ .../generic_proxy/router/v3/router.proto | 43 +++++ .../generic_proxy/v3/generic_proxy.proto | 67 ++++++++ .../network/generic_proxy/v3/route.proto | 105 +++++++++++++ .../v3/http_connection_manager.proto | 87 ++++++++-- .../network/redis_proxy/v3/redis_proxy.proto | 31 +++- .../filters/udp/udp_proxy/v3/udp_proxy.proto | 6 + .../original_ip_detection/xff/v3/xff.proto | 44 ++++++ .../v3/client_side_weighted_round_robin.proto | 15 +- .../network/v3/network_inputs.proto | 45 ++++++ .../input_matchers/metadata/v3/metadata.proto | 26 +++ .../v3/getaddrinfo_dns_resolver.proto | 5 + .../v3/datasource.proto | 6 - ...ixed_server_preferred_address_config.proto | 6 - .../cpu_utilization/v3/cpu_utilization.proto | 19 +++ .../v3/downstream_connections.proto | 2 +- .../v3/upstream_http_11_connect.proto | 32 ++-- .../transport_sockets/tls/v3/common.proto | 4 +- .../transport_sockets/tls/v3/tls.proto | 16 +- .../ext_proc/v3/external_processor.proto | 29 +--- .../extension/v3/config_discovery.proto | 5 +- .../envoy/service/ratelimit/v3/rls.proto | 2 + .../redis_auth/v3/redis_external_auth.proto | 47 ++++++ .../main/proto/google/api/annotations.proto | 2 +- .../google/api/expr/v1alpha1/checked.proto | 2 +- .../google/api/expr/v1alpha1/syntax.proto | 121 ++++++++++++-- api/src/main/proto/google/api/http.proto | 62 ++++---- api/src/main/proto/google/rpc/status.proto | 2 +- .../v1experimental/pprofextended.proto | 4 +- .../profiles/v1experimental/profiles.proto | 2 +- .../xds/data/orca/v3/orca_load_report.proto | 2 +- .../main/proto/xds/type/matcher/v3/cel.proto | 7 +- .../xds/type/matcher/v3/http_inputs.proto | 6 +- .../proto/xds/type/matcher/v3/matcher.proto | 3 - .../controlplane/server/EnvoyContainer.java | 2 +- tools/API_SHAS | 12 +- tools/envoy_release | 2 +- 58 files changed, 1391 insertions(+), 264 deletions(-) create mode 100644 api/src/main/proto/envoy/config/core/v3/socket_cmsg_headers.proto rename api/src/main/proto/envoy/extensions/filters/http/{proto_message_logging => proto_message_extraction}/v3/config.proto (58%) create mode 100644 api/src/main/proto/envoy/extensions/filters/network/generic_proxy/action/v3/action.proto create mode 100644 api/src/main/proto/envoy/extensions/filters/network/generic_proxy/codecs/dubbo/v3/dubbo.proto create mode 100644 api/src/main/proto/envoy/extensions/filters/network/generic_proxy/codecs/http1/v3/http1.proto create mode 100644 api/src/main/proto/envoy/extensions/filters/network/generic_proxy/matcher/v3/matcher.proto create mode 100644 api/src/main/proto/envoy/extensions/filters/network/generic_proxy/router/v3/router.proto create mode 100644 api/src/main/proto/envoy/extensions/filters/network/generic_proxy/v3/generic_proxy.proto create mode 100644 api/src/main/proto/envoy/extensions/filters/network/generic_proxy/v3/route.proto create mode 100644 api/src/main/proto/envoy/extensions/matching/input_matchers/metadata/v3/metadata.proto create mode 100644 api/src/main/proto/envoy/extensions/resource_monitors/cpu_utilization/v3/cpu_utilization.proto create mode 100644 api/src/main/proto/envoy/service/redis_auth/v3/redis_external_auth.proto diff --git a/api/src/main/proto/cel/expr/conformance/proto2/test_all_types.proto b/api/src/main/proto/cel/expr/conformance/proto2/test_all_types.proto index 737ca3ab7..56d5e99a0 100644 --- a/api/src/main/proto/cel/expr/conformance/proto2/test_all_types.proto +++ b/api/src/main/proto/cel/expr/conformance/proto2/test_all_types.proto @@ -96,7 +96,7 @@ message TestAllTypes { repeated NestedEnum repeated_nested_enum = 52; repeated string repeated_string_piece = 53 [ctype = STRING_PIECE]; repeated string repeated_cord = 54 [ctype = CORD]; - repeated NestedMessage repeated_lazy_message = 55 [lazy = true]; + repeated NestedMessage repeated_lazy_message = 55; // Repeated wellknown. repeated google.protobuf.Any repeated_any = 120; diff --git a/api/src/main/proto/cel/expr/conformance/proto3/test_all_types.proto b/api/src/main/proto/cel/expr/conformance/proto3/test_all_types.proto index c904868ab..221168f0b 100644 --- a/api/src/main/proto/cel/expr/conformance/proto3/test_all_types.proto +++ b/api/src/main/proto/cel/expr/conformance/proto3/test_all_types.proto @@ -96,7 +96,7 @@ message TestAllTypes { repeated NestedEnum repeated_nested_enum = 52; repeated string repeated_string_piece = 53 [ctype = STRING_PIECE]; repeated string repeated_cord = 54 [ctype = CORD]; - repeated NestedMessage repeated_lazy_message = 55 [lazy = true]; + repeated NestedMessage repeated_lazy_message = 55; // Repeated wellknown. repeated google.protobuf.Any repeated_any = 120; diff --git a/api/src/main/proto/cel/expr/syntax.proto b/api/src/main/proto/cel/expr/syntax.proto index ed124a743..f86184239 100644 --- a/api/src/main/proto/cel/expr/syntax.proto +++ b/api/src/main/proto/cel/expr/syntax.proto @@ -185,8 +185,8 @@ message Expr { // macro tests whether the property is set to its default. For map and struct // types, the macro tests whether the property `x` is defined on `m`. // - // Comprehension evaluation can be best visualized as the following - // pseudocode: + // Comprehensions for the standard environment macros evaluation can be best + // visualized as the following pseudocode: // // ``` // let `accu_var` = `accu_init` @@ -198,11 +198,35 @@ message Expr { // } // return `result` // ``` + // + // Comprehensions for the optional V2 macros which support map-to-map + // translation differ slightly from the standard environment macros in that + // they expose both the key or index in addition to the value for each list + // or map entry: + // + // ``` + // let `accu_var` = `accu_init` + // for (let `iter_var`, `iter_var2` in `iter_range`) { + // if (!`loop_condition`) { + // break + // } + // `accu_var` = `loop_step` + // } + // return `result` + // ``` message Comprehension { - // The name of the iteration variable. + // The name of the first iteration variable. + // When the iter_range is a list, this variable is the list element. + // When the iter_range is a map, this variable is the map entry key. string iter_var = 1; - // The range over which var iterates. + // The name of the second iteration variable, empty if not set. + // When the iter_range is a list, this variable is the integer index. + // When the iter_range is a map, this variable is the map entry value. + // This field is only set for comprehension v2 macros. + string iter_var2 = 8; + + // The range over which the comprehension iterates. Expr iter_range = 2; // The name of the variable used for accumulation of the result. @@ -211,13 +235,13 @@ message Expr { // The initial value of the accumulator. Expr accu_init = 4; - // An expression which can contain iter_var and accu_var. + // An expression which can contain iter_var, iter_var2, and accu_var. // // Returns false when the result has been computed and may be used as // a hint to short-circuit the remainder of the comprehension. Expr loop_condition = 5; - // An expression which can contain iter_var and accu_var. + // An expression which can contain iter_var, iter_var2, and accu_var. // // Computes the next value of accu_var. Expr loop_step = 6; diff --git a/api/src/main/proto/envoy/config/cluster/v3/cluster.proto b/api/src/main/proto/envoy/config/cluster/v3/cluster.proto index 5f347ade6..079a1e497 100644 --- a/api/src/main/proto/envoy/config/cluster/v3/cluster.proto +++ b/api/src/main/proto/envoy/config/cluster/v3/cluster.proto @@ -45,7 +45,7 @@ message ClusterCollection { } // Configuration for a single upstream cluster. -// [#next-free-field: 58] +// [#next-free-field: 59] message Cluster { option (udpa.annotations.versioning).previous_message_type = "envoy.api.v2.Cluster"; @@ -956,6 +956,17 @@ message Cluster { google.protobuf.Duration dns_refresh_rate = 16 [(validate.rules).duration = {gt {nanos: 1000000}}]; + // DNS jitter can be optionally specified if the cluster type is either + // :ref:`STRICT_DNS`, + // or :ref:`LOGICAL_DNS`. + // DNS jitter causes the cluster to refresh DNS entries later by a random amount of time to avoid a + // stampede of DNS requests. This value sets the upper bound (exclusive) for the random amount. + // There will be no jitter if this value is omitted. For cluster types other than + // :ref:`STRICT_DNS` + // and :ref:`LOGICAL_DNS` + // this setting is ignored. + google.protobuf.Duration dns_jitter = 58 [(validate.rules).duration = {gte {}}]; + // If the DNS failure refresh rate is specified and the cluster type is either // :ref:`STRICT_DNS`, // or :ref:`LOGICAL_DNS`, @@ -1151,12 +1162,13 @@ message Cluster { // from the LRS stream here.] core.v3.ConfigSource lrs_server = 42; - // [#not-implemented-hide:] - // A list of metric names from ORCA load reports to propagate to LRS. + // A list of metric names from :ref:`ORCA load reports ` to propagate to LRS. + // + // If not specified, then ORCA load reports will not be propagated to LRS. // // For map fields in the ORCA proto, the string will be of the form ``.``. // For example, the string ``named_metrics.foo`` will mean to look for the key ``foo`` in the ORCA - // ``named_metrics`` field. + // :ref:`named_metrics ` field. // // The special map key ``*`` means to report all entries in the map (e.g., ``named_metrics.*`` means to // report all entries in the ORCA named_metrics field). Note that this should be used only with trusted diff --git a/api/src/main/proto/envoy/config/core/v3/protocol.proto b/api/src/main/proto/envoy/config/core/v3/protocol.proto index 6dbff8c48..423ec11b8 100644 --- a/api/src/main/proto/envoy/config/core/v3/protocol.proto +++ b/api/src/main/proto/envoy/config/core/v3/protocol.proto @@ -56,7 +56,7 @@ message QuicKeepAliveSettings { } // QUIC protocol options which apply to both downstream and upstream connections. -// [#next-free-field: 9] +// [#next-free-field: 10] message QuicProtocolOptions { // Maximum number of streams that the client can negotiate per connection. 100 // if not specified. @@ -111,6 +111,10 @@ message QuicProtocolOptions { lte {seconds: 600} gte {seconds: 1} }]; + + // Maximum packet length for QUIC connections. It refers to the largest size of a QUIC packet that can be transmitted over the connection. + // If not specified, one of the `default values in QUICHE `_ is used. + google.protobuf.UInt64Value max_packet_length = 9; } message UpstreamHttpProtocolOptions { @@ -205,7 +209,7 @@ message AlternateProtocolsCacheOptions { repeated string canonical_suffixes = 5; } -// [#next-free-field: 7] +// [#next-free-field: 8] message HttpProtocolOptions { option (udpa.annotations.versioning).previous_message_type = "envoy.api.v2.core.HttpProtocolOptions"; @@ -255,11 +259,31 @@ message HttpProtocolOptions { // `. google.protobuf.Duration max_connection_duration = 3; - // The maximum number of headers. If unconfigured, the default - // maximum number of request headers allowed is 100. Requests that exceed this limit will receive - // a 431 response for HTTP/1.x and cause a stream reset for HTTP/2. + // The maximum number of headers (request headers if configured on HttpConnectionManager, + // response headers when configured on a cluster). + // If unconfigured, the default maximum number of headers allowed is 100. + // The default value for requests can be overridden by setting runtime key ``envoy.reloadable_features.max_request_headers_count``. + // The default value for responses can be overridden by setting runtime key ``envoy.reloadable_features.max_response_headers_count``. + // Downstream requests that exceed this limit will receive a 431 response for HTTP/1.x and cause a stream + // reset for HTTP/2. + // Upstream responses that exceed this limit will result in a 503 response. google.protobuf.UInt32Value max_headers_count = 2 [(validate.rules).uint32 = {gte: 1}]; + // The maximum size of response headers. + // If unconfigured, the default is 60 KiB, except for HTTP/1 response headers which have a default + // of 80KiB. + // The default value can be overridden by setting runtime key ``envoy.reloadable_features.max_response_headers_size_kb``. + // Responses that exceed this limit will result in a 503 response. + // In Envoy, this setting is only valid when configured on an upstream cluster, not on the + // :ref:`HTTP Connection Manager + // `. + // + // Note: currently some protocol codecs impose limits on the maximum size of a single header: + // HTTP/2 (when using nghttp2) limits a single header to around 100kb. + // HTTP/3 limits a single header to around 1024kb. + google.protobuf.UInt32Value max_response_headers_kb = 7 + [(validate.rules).uint32 = {lte: 8192 gt: 0}]; + // Total duration to keep alive an HTTP request/response stream. If the time limit is reached the stream will be // reset independent of any other timeouts. If not specified, this value is not set. google.protobuf.Duration max_stream_duration = 4; diff --git a/api/src/main/proto/envoy/config/core/v3/socket_cmsg_headers.proto b/api/src/main/proto/envoy/config/core/v3/socket_cmsg_headers.proto new file mode 100644 index 000000000..cc3e58e09 --- /dev/null +++ b/api/src/main/proto/envoy/config/core/v3/socket_cmsg_headers.proto @@ -0,0 +1,28 @@ +syntax = "proto3"; + +package envoy.config.core.v3; + +import "google/protobuf/wrappers.proto"; + +import "udpa/annotations/status.proto"; + +option java_package = "io.envoyproxy.envoy.config.core.v3"; +option java_outer_classname = "SocketCmsgHeadersProto"; +option java_multiple_files = true; +option go_package = "github.com/envoyproxy/go-control-plane/envoy/config/core/v3;corev3"; +option (udpa.annotations.file_status).package_version_status = ACTIVE; + +// [#protodoc-title: Socket CMSG headers] + +// Configuration for socket cmsg headers. +// See `:ref:CMSG `_ for further information. +message SocketCmsgHeaders { + // cmsg level. Default is unset. + google.protobuf.UInt32Value level = 1; + + // cmsg type. Default is unset. + google.protobuf.UInt32Value type = 2; + + // Expected size of cmsg value. Default is zero. + uint32 expected_size = 3; +} diff --git a/api/src/main/proto/envoy/config/core/v3/socket_option.proto b/api/src/main/proto/envoy/config/core/v3/socket_option.proto index 44f1ce389..ad73d72e4 100644 --- a/api/src/main/proto/envoy/config/core/v3/socket_option.proto +++ b/api/src/main/proto/envoy/config/core/v3/socket_option.proto @@ -36,7 +36,7 @@ option (udpa.annotations.file_status).package_version_status = ACTIVE; // :ref:`admin's ` socket_options etc. // // It should be noted that the name or level may have different values on different platforms. -// [#next-free-field: 7] +// [#next-free-field: 8] message SocketOption { option (udpa.annotations.versioning).previous_message_type = "envoy.api.v2.core.SocketOption"; @@ -51,6 +51,29 @@ message SocketOption { STATE_LISTENING = 2; } + // The `socket type `_ to apply the socket option to. + // Only one field should be set. If multiple fields are set, the precedence order will determine + // the selected one. If none of the fields is set, the socket option will be applied to all socket types. + // + // For example: + // If :ref:`stream ` is set, + // it takes precedence over :ref:`datagram `. + message SocketType { + // The stream socket type. + message Stream { + } + + // The datagram socket type. + message Datagram { + } + + // Apply the socket option to the stream socket type. + Stream stream = 1; + + // Apply the socket option to the datagram socket type. + Datagram datagram = 2; + } + // An optional name to give this socket option for debugging, etc. // Uniqueness is not required and no special meaning is assumed. string description = 1; @@ -74,6 +97,10 @@ message SocketOption { // The state in which the option will be applied. When used in BindConfig // STATE_PREBIND is currently the only valid value. SocketState state = 6 [(validate.rules).enum = {defined_only: true}]; + + // Apply the socket option to the specified `socket type `_. + // If not specified, the socket option will be applied to all socket types. + SocketType type = 7; } message SocketOptionsOverride { diff --git a/api/src/main/proto/envoy/config/listener/v3/quic_config.proto b/api/src/main/proto/envoy/config/listener/v3/quic_config.proto index 3ddebe900..6c0a5bd20 100644 --- a/api/src/main/proto/envoy/config/listener/v3/quic_config.proto +++ b/api/src/main/proto/envoy/config/listener/v3/quic_config.proto @@ -5,6 +5,7 @@ package envoy.config.listener.v3; import "envoy/config/core/v3/base.proto"; import "envoy/config/core/v3/extension.proto"; import "envoy/config/core/v3/protocol.proto"; +import "envoy/config/core/v3/socket_cmsg_headers.proto"; import "google/protobuf/duration.proto"; import "google/protobuf/wrappers.proto"; @@ -24,7 +25,7 @@ option (udpa.annotations.file_status).package_version_status = ACTIVE; // [#protodoc-title: QUIC listener config] // Configuration specific to the UDP QUIC listener. -// [#next-free-field: 12] +// [#next-free-field: 14] message QuicProtocolOptions { option (udpa.annotations.versioning).previous_message_type = "envoy.api.v2.listener.QuicProtocolOptions"; @@ -86,4 +87,16 @@ message QuicProtocolOptions { // If not specified, no debug visitor will be attached to connections. // [#extension-category: envoy.quic.connection_debug_visitor] core.v3.TypedExtensionConfig connection_debug_visitor_config = 11; + + // Configure a type of UDP cmsg to pass to listener filters via QuicReceivedPacket. + // Both level and type must be specified for cmsg to be saved. + // Cmsg may be truncated or omitted if expected size is not set. + // If not specified, no cmsg will be saved to QuicReceivedPacket. + repeated core.v3.SocketCmsgHeaders save_cmsg_config = 12 + [(validate.rules).repeated = {max_items: 1}]; + + // If true, the listener will reject connection-establishing packets at the + // QUIC layer by replying with an empty version negotiation packet to the + // client. + bool reject_new_connections = 13; } diff --git a/api/src/main/proto/envoy/config/trace/v3/dynamic_ot.proto b/api/src/main/proto/envoy/config/trace/v3/dynamic_ot.proto index d2664ef71..40fe8526a 100644 --- a/api/src/main/proto/envoy/config/trace/v3/dynamic_ot.proto +++ b/api/src/main/proto/envoy/config/trace/v3/dynamic_ot.proto @@ -20,10 +20,10 @@ option (udpa.annotations.file_status).package_version_status = ACTIVE; // [#protodoc-title: Dynamically loadable OpenTracing tracer] -// DynamicOtConfig is used to dynamically load a tracer from a shared library +// DynamicOtConfig was used to dynamically load a tracer from a shared library // that implements the `OpenTracing dynamic loading API // `_. -// [#extension: envoy.tracers.dynamic_ot] +// [#not-implemented-hide:] message DynamicOtConfig { option (udpa.annotations.versioning).previous_message_type = "envoy.config.trace.v2.DynamicOtConfig"; diff --git a/api/src/main/proto/envoy/config/trace/v3/xray.proto b/api/src/main/proto/envoy/config/trace/v3/xray.proto index 223aaaaf4..3ddd7a6ab 100644 --- a/api/src/main/proto/envoy/config/trace/v3/xray.proto +++ b/api/src/main/proto/envoy/config/trace/v3/xray.proto @@ -21,6 +21,65 @@ option (udpa.annotations.file_status).package_version_status = ACTIVE; // [#protodoc-title: AWS X-Ray Tracer Configuration] // Configuration for AWS X-Ray tracer +// +// The X-Ray tracer will automatically attach :ref:`custom_tags ` as annotations to the span. (See: `Annotations `_.) +// +// AWS X-Ray trace annotations are also created by the tracing subsystem automatically based on metadata provided during creation of a span. +// +// An example X-Ray trace span that is generated by the envoy trace subsystem is as follows: +// +// .. code-block:: json +// +// { +// "Id": "1-6698980d-e829ae270ab34b69b488b098", +// "Duration": 0.016, +// "LimitExceeded": false, +// "Segments": +// [ +// { +// "Id": "15d65e5ced8dfe76", +// "Document": +// { +// "id": "15d65e5ced8dfe76", +// "name": "envoy-example", +// "start_time": 1721276429.410355, +// "trace_id": "1-6698980d-e829ae270ab34b69b488b098", +// "end_time": 1721276429.426068, +// "fault": true, +// "http": +// { +// "request": +// { +// "url": "http://example/path", +// "method": "GET", +// "user_agent": "curl/8.5.0", +// "client_ip": "127.0.0.1", +// "x_forwarded_for": false +// }, +// "response": +// { +// "status": 503, +// "content_length": 216 +// } +// }, +// "aws": {}, +// "annotations": +// { +// "response_flags": "UF", +// "component": "proxy", +// "upstream_cluster": "upstream_cluster", +// "annotation_from_custom_tag": "example", +// "http.protocol": "HTTP/1.1", +// "request_size": "0", +// "downstream_cluster": "-", +// "direction": "ingress", +// "upstream_cluster.name": "upstream_cluster" +// } +// } +// } +// ] +// } +// // [#extension: envoy.tracers.xray] message XRayConfig { diff --git a/api/src/main/proto/envoy/extensions/filters/http/basic_auth/v3/basic_auth.proto b/api/src/main/proto/envoy/extensions/filters/http/basic_auth/v3/basic_auth.proto index 995d2c3bc..af3c442c0 100644 --- a/api/src/main/proto/envoy/extensions/filters/http/basic_auth/v3/basic_auth.proto +++ b/api/src/main/proto/envoy/extensions/filters/http/basic_auth/v3/basic_auth.proto @@ -41,6 +41,12 @@ message BasicAuth { // If it is not specified, the username will not be forwarded. string forward_username_header = 2 [(validate.rules).string = {well_known_regex: HTTP_HEADER_NAME strict: false}]; + + // This field specifies the request header to load the basic credential from. + // + // If it is not specified, the filter loads the credential from the "Authorization" header. + string authentication_header = 3 + [(validate.rules).string = {well_known_regex: HTTP_HEADER_NAME strict: false}]; } // Extra settings that may be added to per-route configuration for diff --git a/api/src/main/proto/envoy/extensions/filters/http/ext_authz/v3/ext_authz.proto b/api/src/main/proto/envoy/extensions/filters/http/ext_authz/v3/ext_authz.proto index 4b4e79ef1..17b0353c1 100644 --- a/api/src/main/proto/envoy/extensions/filters/http/ext_authz/v3/ext_authz.proto +++ b/api/src/main/proto/envoy/extensions/filters/http/ext_authz/v3/ext_authz.proto @@ -11,6 +11,7 @@ import "envoy/type/matcher/v3/metadata.proto"; import "envoy/type/matcher/v3/string.proto"; import "envoy/type/v3/http_status.proto"; +import "google/protobuf/struct.proto"; import "google/protobuf/wrappers.proto"; import "envoy/annotations/deprecation.proto"; @@ -29,7 +30,7 @@ option (udpa.annotations.file_status).package_version_status = ACTIVE; // External Authorization :ref:`configuration overview `. // [#extension: envoy.filters.http.ext_authz] -// [#next-free-field: 28] +// [#next-free-field: 30] message ExtAuthz { option (udpa.annotations.versioning).previous_message_type = "envoy.config.filter.http.ext_authz.v3.ExtAuthz"; @@ -290,6 +291,22 @@ message ExtAuthz { // // If unset, defaults to true. google.protobuf.BoolValue enable_dynamic_metadata_ingestion = 27; + + // Additional metadata to be added to the filter state for logging purposes. The metadata will be + // added to StreamInfo's filter state under the namespace corresponding to the ext_authz filter + // name. + google.protobuf.Struct filter_metadata = 28; + + // When set to true, the filter will emit per-stream stats for access logging. The filter state + // key will be the same as the filter name. + // + // If using Envoy GRPC, emits latency, bytes sent / received, upstream info, and upstream cluster + // info. If not using Envoy GRPC, emits only latency. Note that stats are ONLY added to filter + // state if a check request is actually made to an ext_authz service. + // + // If this is false the filter will not emit stats, but filter_metadata will still be respected if + // it has a value. + bool emit_filter_state_stats = 29; } // Configuration for buffering the request data. diff --git a/api/src/main/proto/envoy/extensions/filters/http/ext_proc/v3/ext_proc.proto b/api/src/main/proto/envoy/extensions/filters/http/ext_proc/v3/ext_proc.proto index aeaed7aa2..83b15731b 100644 --- a/api/src/main/proto/envoy/extensions/filters/http/ext_proc/v3/ext_proc.proto +++ b/api/src/main/proto/envoy/extensions/filters/http/ext_proc/v3/ext_proc.proto @@ -5,12 +5,15 @@ package envoy.extensions.filters.http.ext_proc.v3; import "envoy/config/common/mutation_rules/v3/mutation_rules.proto"; import "envoy/config/core/v3/base.proto"; import "envoy/config/core/v3/grpc_service.proto"; +import "envoy/config/core/v3/http_service.proto"; import "envoy/extensions/filters/http/ext_proc/v3/processing_mode.proto"; import "envoy/type/matcher/v3/string.proto"; import "google/protobuf/duration.proto"; import "google/protobuf/struct.proto"; +import "xds/annotations/v3/status.proto"; + import "udpa/annotations/migrate.proto"; import "udpa/annotations/status.proto"; import "validate/validate.proto"; @@ -27,11 +30,6 @@ option (udpa.annotations.file_status).package_version_status = ACTIVE; // The External Processing filter allows an external service to act on HTTP traffic in a flexible way. -// **Current Implementation Status:** -// All options and processing modes are implemented except for the following: -// -// * "async mode" is not implemented. - // The filter communicates with an external gRPC service called an "external processor" // that can do a variety of things with the request and response: // @@ -98,7 +96,7 @@ option (udpa.annotations.file_status).package_version_status = ACTIVE; // ` object in a namespace matching the filter // name. // -// [#next-free-field: 20] +// [#next-free-field: 23] message ExternalProcessor { // Describes the route cache action to be taken when an external processor response // is received in response to request headers. @@ -125,7 +123,49 @@ message ExternalProcessor { // Configuration for the gRPC service that the filter will communicate with. // The filter supports both the "Envoy" and "Google" gRPC clients. - config.core.v3.GrpcService grpc_service = 1 [(validate.rules).message = {required: true}]; + // Only one of ``grpc_service`` or ``http_service`` can be set. + // It is required that one of them must be set. + config.core.v3.GrpcService grpc_service = 1 + [(udpa.annotations.field_migrate).oneof_promotion = "ext_proc_service_type"]; + + // [#not-implemented-hide:] + // Configuration for the HTTP service that the filter will communicate with. + // Only one of ``http_service`` or + // :ref:`grpc_service `. + // can be set. It is required that one of them must be set. + // + // If ``http_service`` is set, the + // :ref:`processing_mode ` + // can not be configured to send any body or trailers. i.e, http_service only supports + // sending request or response headers to the side stream server. + // + // With this configuration, Envoy behavior: + // + // 1. The headers are first put in a proto message + // :ref:`ProcessingRequest `. + // + // 2. This proto message is then transcoded into a JSON text. + // + // 3. Envoy then sends a HTTP POST message with content-type as "application/json", + // and this JSON text as body to the side stream server. + // + // After the side-stream receives this HTTP request message, it is expected to do as follows: + // + // 1. It converts the body, which is a JSON string, into a ``ProcessingRequest`` + // proto message to examine and mutate the headers. + // + // 2. It then sets the mutated headers into a new proto message + // :ref:`ProcessingResponse `. + // + // 3. It converts ``ProcessingResponse`` proto message into a JSON text. + // + // 4. It then sends a HTTP response back to Envoy with status code as "200", + // content-type as "application/json" and sets the JSON text as the body. + // + ExtProcHttpService http_service = 20 [ + (udpa.annotations.field_migrate).oneof_promotion = "ext_proc_service_type", + (xds.annotations.v3.field_status).work_in_progress = true + ]; // By default, if the gRPC stream cannot be established, or if it is closed // prematurely with an error, the filter will fail. Specifically, if the @@ -263,6 +303,37 @@ message ExternalProcessor { // backend stream lifetime. In this case, Envoy will eventually timeout the external processor stream according to this time limit. // The default value is 5000 milliseconds (5 seconds) if not specified. google.protobuf.Duration deferred_close_timeout = 19; + + // Send body to the side stream server once it arrives without waiting for the header response from that server. + // It only works for STREAMED body processing mode. For any other body processing modes, it is ignored. + // The server has two options upon receiving a header request: + // + // 1. Instant Response: send the header response as soon as the header request is received. + // + // 2. Delayed Response: wait for the body before sending any response. + // + // In all scenarios, the header-body ordering must always be maintained. + // + // If enabled Envoy will ignore the + // :ref:`mode_override ` + // value that the server sends in the header response. This is because Envoy may have already + // sent the body to the server, prior to processing the header response. + bool send_body_without_waiting_for_header_response = 21; + + // When :ref:`allow_mode_override + // ` is enabled and + // ``allowed_override_modes`` is configured, the filter config :ref:`processing_mode + // ` + // can only be overridden by the response message from the external processing server iff the + // :ref:`mode_override ` is allowed by + // the ``allowed_override_modes`` allow-list below. + repeated ProcessingMode allowed_override_modes = 22; +} + +// ExtProcHttpService is used for HTTP communication between the filter and the external processing service. +message ExtProcHttpService { + // Sets the HTTP service which the external processing requests must be sent to. + config.core.v3.HttpService http_service = 1; } // The MetadataOptions structure defines options for the sending and receiving of diff --git a/api/src/main/proto/envoy/extensions/filters/http/grpc_field_extraction/v3/config.proto b/api/src/main/proto/envoy/extensions/filters/http/grpc_field_extraction/v3/config.proto index 3684f994d..6eb225980 100644 --- a/api/src/main/proto/envoy/extensions/filters/http/grpc_field_extraction/v3/config.proto +++ b/api/src/main/proto/envoy/extensions/filters/http/grpc_field_extraction/v3/config.proto @@ -52,7 +52,9 @@ option (udpa.annotations.file_status).package_version_status = ACTIVE; // // Here are config requirements // -// 1. the target field should be among the following primitive types: `string`, `uint32`, `uint64`, `int32`, `int64`, `sint32`, `sint64`, `fixed32`, `fixed64`, `sfixed32`, `sfixed64`, `float`, `double`. +// 1. the target field should be among the following primitive types: `string`, +// `uint32`, `uint64`, `int32`, `int64`, `sint32`, `sint64`, `fixed32`, +// `fixed64`, `sfixed32`, `sfixed64`, `float`, `double`, `map`. // // 2. the target field could be repeated. // @@ -61,9 +63,10 @@ option (udpa.annotations.file_status).package_version_status = ACTIVE; // Output Format // ------------- // -// 1. the extracted field names/values will be wrapped in be ``field`` -> ``values``, which will be added in the dynamic ``metadata``. +// 1. the extracted field names/values will be wrapped in be ``field`` -> ``values``, which will be added in the dynamic ``metadata``. // -// 2. if the field value is empty, a empty ```` will be set. +// 2. if the field value is empty, an empty ``Value`` will be set. // // Performance // ----------- diff --git a/api/src/main/proto/envoy/extensions/filters/http/jwt_authn/v3/config.proto b/api/src/main/proto/envoy/extensions/filters/http/jwt_authn/v3/config.proto index 41d694a01..99212f3ed 100644 --- a/api/src/main/proto/envoy/extensions/filters/http/jwt_authn/v3/config.proto +++ b/api/src/main/proto/envoy/extensions/filters/http/jwt_authn/v3/config.proto @@ -63,9 +63,9 @@ message JwtProvider { message NormalizePayload { // Each claim in this list will be interpreted as a space-delimited string // and converted to a list of strings based on the delimited values. - // Example: a token with a claim ``scopes: "email profile"`` is translated - // to dynamic metadata ``scopes: ["email", "profile"]`` if this field is - // set value ``["scopes"]``. This special handling of ``scopes`` is + // Example: a token with a claim ``scope: "email profile"`` is translated + // to dynamic metadata ``scope: ["email", "profile"]`` if this field is + // set value ``["scope"]``. This special handling of ``scope`` is // recommended by `RFC8693 // `_. repeated string space_delimited_claims = 1; @@ -355,11 +355,12 @@ message JwtProvider { // Specify the claim name you want to copy in which HTTP header. For examples, following config: // The claim must be of type; string, int, double, bool. Array type claims are not supported // - // .. code-block:: yaml - // - // claim_to_headers: - // - name: x-jwt-claim-nested-claim - // claim: claim.nested.key + // .. literalinclude:: /_configs/repo/jwt_authn.yaml + // :language: yaml + // :lines: 44-48 + // :linenos: + // :lineno-start: 44 + // :caption: :download:`jwt_authn.yaml ` // // This header is only reserved for jwt claim; any other value will be overwritten. repeated JwtClaimToHeader claim_to_headers = 15; diff --git a/api/src/main/proto/envoy/extensions/filters/http/local_ratelimit/v3/local_rate_limit.proto b/api/src/main/proto/envoy/extensions/filters/http/local_ratelimit/v3/local_rate_limit.proto index a32475f35..82e38ed91 100644 --- a/api/src/main/proto/envoy/extensions/filters/http/local_ratelimit/v3/local_rate_limit.proto +++ b/api/src/main/proto/envoy/extensions/filters/http/local_ratelimit/v3/local_rate_limit.proto @@ -3,6 +3,7 @@ syntax = "proto3"; package envoy.extensions.filters.http.local_ratelimit.v3; import "envoy/config/core/v3/base.proto"; +import "envoy/config/route/v3/route_components.proto"; import "envoy/extensions/common/ratelimit/v3/ratelimit.proto"; import "envoy/type/v3/http_status.proto"; import "envoy/type/v3/token_bucket.proto"; @@ -22,7 +23,7 @@ option (udpa.annotations.file_status).package_version_status = ACTIVE; // Local Rate limit :ref:`configuration overview `. // [#extension: envoy.filters.http.local_ratelimit] -// [#next-free-field: 17] +// [#next-free-field: 18] message LocalRateLimit { // The human readable prefix to use when emitting stats. string stat_prefix = 1 [(validate.rules).string = {min_len: 1}]; @@ -147,4 +148,23 @@ message LocalRateLimit { // of the default ``UNAVAILABLE`` gRPC code for a rate limited gRPC call. The // HTTP code will be 200 for a gRPC response. bool rate_limited_as_resource_exhausted = 15; + + // Rate limit configuration that is used to generate a list of descriptor entries based on + // the request context. The generated entries will be used to find one or multiple matched rate + // limit rule from the ``descriptors``. + // If this is set, then + // :ref:`VirtualHost.rate_limits` or + // :ref:`RouteAction.rate_limits` fields + // will be ignored. + // + // .. note:: + // Not all configuration fields of + // :ref:`rate limit config ` is supported at here. + // Following fields are not supported: + // + // 1. :ref:`rate limit stage `. + // 2. :ref:`dynamic metadata `. + // 3. :ref:`disable_key `. + // 4. :ref:`override limit `. + repeated config.route.v3.RateLimit rate_limits = 17; } diff --git a/api/src/main/proto/envoy/extensions/filters/http/oauth2/v3/oauth.proto b/api/src/main/proto/envoy/extensions/filters/http/oauth2/v3/oauth.proto index 703e3428b..968ec1360 100644 --- a/api/src/main/proto/envoy/extensions/filters/http/oauth2/v3/oauth.proto +++ b/api/src/main/proto/envoy/extensions/filters/http/oauth2/v3/oauth.proto @@ -2,6 +2,7 @@ syntax = "proto3"; package envoy.extensions.filters.http.oauth2.v3; +import "envoy/config/core/v3/base.proto"; import "envoy/config/core/v3/http_uri.proto"; import "envoy/config/route/v3/route_components.proto"; import "envoy/extensions/transport_sockets/tls/v3/secret.proto"; @@ -24,8 +25,9 @@ option (udpa.annotations.file_status).package_version_status = ACTIVE; // [#extension: envoy.filters.http.oauth2] // +// [#next-free-field: 6] message OAuth2Credentials { - // [#next-free-field: 6] + // [#next-free-field: 7] message CookieNames { // Cookie name to hold OAuth bearer token value. When the authentication server validates the // client and returns an authorization token back to the OAuth filter, no matter what format @@ -50,6 +52,10 @@ message OAuth2Credentials { // Cookie name to hold the refresh token. Defaults to ``RefreshToken``. string refresh_token = 5 [(validate.rules).string = {well_known_regex: HTTP_HEADER_NAME ignore_empty: true}]; + + // Cookie name to hold the nonce value. Defaults to ``OauthNonce``. + string oauth_nonce = 6 + [(validate.rules).string = {well_known_regex: HTTP_HEADER_NAME ignore_empty: true}]; } // The client_id to be used in the authorize calls. This value will be URL encoded when sent to the OAuth server. @@ -70,11 +76,15 @@ message OAuth2Credentials { // The cookie names used in OAuth filters flow. CookieNames cookie_names = 4; + + // The domain to set the cookie on. If not set, the cookie will default to the host of the request, not including the subdomains. + // This is useful when token cookies need to be shared across multiple subdomains. + string cookie_domain = 5; } // OAuth config // -// [#next-free-field: 18] +// [#next-free-field: 21] message OAuth2Config { enum AuthType { // The ``client_id`` and ``client_secret`` will be sent in the URL encoded request body. @@ -88,6 +98,9 @@ message OAuth2Config { // Endpoint on the authorization server to retrieve the access token from. config.core.v3.HttpUri token_endpoint = 1; + // Specifies the retry policy for requests to the OAuth server. If not specified, then no retries will be performed. + config.core.v3.RetryPolicy retry_policy = 18; + // The endpoint redirect to for authorization in response to unauthorized requests. string authorization_endpoint = 2 [(validate.rules).string = {min_len: 1}]; @@ -112,7 +125,7 @@ message OAuth2Config { bool forward_bearer_token = 7; // If set to true, preserve the existing authorization header. - // By default Envoy strips the existing authorization header before forwarding upstream. + // By default the client strips the existing authorization header before forwarding upstream. // Can not be set to true if forward_bearer_token is already set to true. // Default value is false. bool preserve_authorization_header = 16; @@ -153,14 +166,26 @@ message OAuth2Config { // // If this value is not set, it will default to ``604800s``. In this case, the cookie with the refresh token will be expired // in a week. - // This setting is only considered if ``use_refresh_token`` is set to true, otherwise the authorization server expiration or ``defaul_expires_in`` is used. + // This setting is only considered if ``use_refresh_token`` is set to true, otherwise the authorization server expiration or ``default_expires_in`` is used. google.protobuf.Duration default_refresh_token_expires_in = 15; - // If set to true, Envoy will not set a cookie for ID Token even if one is received from the Identity Provider. This may be useful in cases where the ID + // If set to true, the client will not set a cookie for ID Token even if one is received from the Identity Provider. This may be useful in cases where the ID // Token is too large for HTTP cookies (longer than 4096 characters). Enabling this option will only disable setting the cookie response header, the filter // will still process incoming ID Tokens as part of the HMAC if they are there. This is to ensure compatibility while switching this setting on. Future // sessions would not set the IdToken cookie header. bool disable_id_token_set_cookie = 17; + + // If set to true, the client will not set a cookie for Access Token even if one is received from the Identity Provider. + // Enabling this option will only disable setting the cookie response header, the filter + // will still process incoming Access Tokens as part of the HMAC if they are there. This is to ensure compatibility while switching this setting on. Future + // sessions would not set the Access Token cookie header. + bool disable_access_token_set_cookie = 19; + + // If set to true, the client will not set a cookie for Refresh Token even if one is received from the Identity Provider. + // Enabling this option will only disable setting the cookie response header, the filter + // will still process incoming Refresh Tokens as part of the HMAC if they are there. This is to ensure compatibility while switching this setting on. Future + // sessions would not set the Refresh Token cookie header. + bool disable_refresh_token_set_cookie = 20; } // Filter config. diff --git a/api/src/main/proto/envoy/extensions/filters/http/proto_message_logging/v3/config.proto b/api/src/main/proto/envoy/extensions/filters/http/proto_message_extraction/v3/config.proto similarity index 58% rename from api/src/main/proto/envoy/extensions/filters/http/proto_message_logging/v3/config.proto rename to api/src/main/proto/envoy/extensions/filters/http/proto_message_extraction/v3/config.proto index 5b57e9c7d..dc51f9d11 100644 --- a/api/src/main/proto/envoy/extensions/filters/http/proto_message_logging/v3/config.proto +++ b/api/src/main/proto/envoy/extensions/filters/http/proto_message_extraction/v3/config.proto @@ -1,6 +1,6 @@ syntax = "proto3"; -package envoy.extensions.filters.http.proto_message_logging.v3; +package envoy.extensions.filters.http.proto_message_extraction.v3; import "envoy/config/core/v3/base.proto"; @@ -8,33 +8,39 @@ import "xds/annotations/v3/status.proto"; import "udpa/annotations/status.proto"; -option java_package = "io.envoyproxy.envoy.extensions.filters.http.proto_message_logging.v3"; +option java_package = "io.envoyproxy.envoy.extensions.filters.http.proto_message_extraction.v3"; option java_outer_classname = "ConfigProto"; option java_multiple_files = true; -option go_package = "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/http/proto_message_logging/v3;proto_message_loggingv3"; +option go_package = "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/http/proto_message_extraction/v3;proto_message_extractionv3"; option (udpa.annotations.file_status).package_version_status = ACTIVE; option (xds.annotations.v3.file_status).work_in_progress = true; -// [#not-implemented-hide:] -// [#protodoc-title: Proto Message Logging] -// Proto Message Logging :ref:`configuration overview -// `. -// [#extension: envoy.filters.http.proto_message_logging] +// [#protodoc-title: Proto Message Extraction] // -// ProtoMessageLogging filter supports logging scrubbed gRPC requests/responses(proto messages) -// as google.protobuf.Struct and storing results -// in the dynamic metadata `envoy.filters.http.proto_message_logging` for later access. +// [#extension: envoy.filters.http.proto_message_extraction] +// +// Overview +// -------- +// +// ProtoMessageExtraction filter supports extracting gRPC +// requests/responses(proto messages) into google.protobuf.Struct and storing +// results in the dynamic metadata `envoy.filters.http.proto_message_extraction` +// for later access. +// +// Assumptions +// ----------- // -// # Assumptions // This filter assumes it is only applicable for gRPC with Protobuf as payload. // -// # Process Flow +// Process Flow +// ------------ +// // On the request path, it will check // // 1. if the incoming gRPC request is configured, the filter tries to: // // a. buffer the incoming data to complete protobuf messages -// b. log individual protobuf messages according to directives +// b. extract individual protobuf messages according to directives // c. write the result into the dynamic metadata. // d. pass through the request data // @@ -45,50 +51,57 @@ option (xds.annotations.v3.file_status).work_in_progress = true; // 1. if the incoming gRPC request is configured, the filter tries to: // // a. buffer the incoming data to complete protobuf messages -// b. log individual protobuf messages according to directives +// b. extract individual protobuf messages according to directives // c. write the result into the dynamic metadata. // d. pass through the response data // // 2. otherwise, pass through the response. // -// # Config Requirements +// Config Requirements +// ------------------- + // Here are config requirements -// -// 1. the log target field should be among the following primitive types: `string`, `uint32`, `uint64`, `int32`, `int64`, `sint32`, `sint64`, `fixed32`, `fixed64`, `sfixed32`, `sfixed64`, `float`, `double`. -// + +// 1. the extracted target field should be among the following primitive types: +// `string`, `uint32`, `uint64`, `int32`, `int64`, `sint32`, `sint64`, +// `fixed32`, `fixed64`, `sfixed32`, `sfixed64`, `float`, `double`. + // 2. the target field could be repeated. -// + // 3. the intermediate type could also be repeated. -// -// # Output Format -// The logged requests and responses will be will be added in the dynamic ``metadata`` with the same layout of the message. -// + +// Output Format +// ------------- + +// The extracted requests and responses will be will be added in the dynamic +// ``metadata`` with the same layout of the message. + // For the default `FIRST_AND_LAST` mode, it will be like: + +// .. code-block:: json + // { // "requests":{ // "first":{ // "foo": "val_foo1", -// ... // } // "last":{ // "foo": "val_foo3", -// ... // } // }, // "responses":{ // "first":{ // "baz": "val_baz1", -// ... // } // "last":{ // "baz": "val_foo3", -// ... // } // } // } + +// Example for `FIRST_AND_LAST` mode +// --------------------------------- // -// -// # Example for `FIRST_AND_LAST` mode // Let's say we have the following definition for the bi-streaming request // `pkg.svc.Method`. // @@ -111,7 +124,7 @@ option (xds.annotations.v3.file_status).work_in_progress = true; // // message Msg { // string bar = 1; -// string not_logged = 2; +// string not_extracted = 2; // } // // This is the filter config in JSON. @@ -121,15 +134,15 @@ option (xds.annotations.v3.file_status).work_in_progress = true; // { // "descriptor_set":{}, // "mode": "FIRST_AND_LAST", -// "logging_by_method":{ +// "extraction_by_method":{ // "pkg.svc.Method":{ -// "request_logging_by_field":{ -// "foo":"LOG", -// "nested.doubled_nested.bar":"LOG", -// "redacted":"LOG_REDACT" +// "request_extraction_by_field":{ +// "foo":"EXTRACT", +// "nested.doubled_nested.bar":"EXTRACT", +// "redacted":"EXTRACT_REDACT" // }, -// "response_logging_by_field":{ -// "bar":"LOG", +// "response_extraction_by_field":{ +// "bar":"EXTRACT", // } // } // } @@ -142,18 +155,18 @@ option (xds.annotations.v3.file_status).work_in_progress = true; // // { // "foo": "val_foo1", -// "nested": { "double_nested": {"bar": "val_bar1", "not_logged": "val_not_logged1"}, -// "redacted": { "bar": "val_redacted_bar1"} +// "nested": { "double_nested": {"bar": "val_bar1", "not_extracted": +// "val_not_extracted1"}, "redacted": { "bar": "val_redacted_bar1"} // } // { // "foo": "val_foo2", -// "nested": { "double_nested": {"bar": "val_bar2", "not_logged": "val_not_logged2"}, -// "redacted": { "bar": "val_redacted_bar2"} +// "nested": { "double_nested": {"bar": "val_bar2", "not_extracted": +// "val_not_extracted2"}, "redacted": { "bar": "val_redacted_bar2"} // } // { // "foo": "val_foo3", -// "nested": { "double_nested": {"bar": "val_bar3", "not_logged": "val_not_logged3"}, -// "redacted": { "bar": "val_redacted_bar3"} +// "nested": { "double_nested": {"bar": "val_bar3", "not_extracted": +// "val_not_extracted3"}, "redacted": { "bar": "val_redacted_bar3"} // } // // the filter receives the following `MethodResponse` message in @@ -172,7 +185,7 @@ option (xds.annotations.v3.file_status).work_in_progress = true; // } // // The filter will write the following dynamic -// metadata(`envoy.filters.http.proto_message_logging`) in JSON. +// metadata(`envoy.filters.http.proto_message_extraction`) in JSON. // // .. code-block:: json // @@ -199,11 +212,11 @@ option (xds.annotations.v3.file_status).work_in_progress = true; // } // } -message ProtoMessageLoggingConfig { - enum LogMode { - LogMode_UNSPECIFIED = 0; +message ProtoMessageExtractionConfig { + enum ExtractMode { + ExtractMode_UNSPECIFIED = 0; - // The filter will log the first and the last message for + // The filter will extract the first and the last message for // for streaming cases, containing // client-side streaming, server-side streaming or bi-directional streaming. FIRST_AND_LAST = 1; @@ -216,40 +229,41 @@ message ProtoMessageLoggingConfig { config.core.v3.DataSource data_source = 1; // Unimplemented, the key of proto descriptor TypedMetadata. - // Among filters depending on the proto descriptor, we can have a TypedMetadata - // for proto descriptors, so that these filters can share one copy of proto - // descriptor in memory. + // Among filters depending on the proto descriptor, we can have a + // TypedMetadata for proto descriptors, so that these filters can share one + // copy of proto descriptor in memory. string proto_descriptor_typed_metadata = 2; } - LogMode mode = 3; + ExtractMode mode = 3; - // Specify the message logging info. + // Specify the message extraction info. // The key is the fully qualified gRPC method name. // ``${package}.${Service}.${Method}``, like // ``endpoints.examples.bookstore.BookStore.GetShelf`` // - // The value is the message logging information for individual gRPC methods. - map logging_by_method = 4; + // The value is the message extraction information for individual gRPC + // methods. + map extraction_by_method = 4; } // This message can be used to support per route config approach later even // though the Istio doesn't support that so far. -message MethodLogging { - enum LogDirective { - LogDirective_UNSPECIFIED = 0; +message MethodExtraction { + enum ExtractDirective { + ExtractDirective_UNSPECIFIED = 0; - // The value of this field will be logged. - LOG = 1; + // The value of this field will be extracted. + EXTRACT = 1; // It should be only annotated on Message type fields so if the field isn't - // empty, an empty Struct will be logged. - LOG_REDACT = 2; + // empty, an empty Struct will be extracted. + EXTRACT_REDACT = 2; } - // The mapping of field path to its LogDirective for request messages - map request_logging_by_field = 2; + // The mapping of field path to its ExtractDirective for request messages + map request_extraction_by_field = 2; - // The mapping of field path to its LogDirective for response messages - map response_logging_by_field = 3; + // The mapping of field path to its ExtractDirective for response messages + map response_extraction_by_field = 3; } diff --git a/api/src/main/proto/envoy/extensions/filters/network/generic_proxy/action/v3/action.proto b/api/src/main/proto/envoy/extensions/filters/network/generic_proxy/action/v3/action.proto new file mode 100644 index 000000000..3e1b7a790 --- /dev/null +++ b/api/src/main/proto/envoy/extensions/filters/network/generic_proxy/action/v3/action.proto @@ -0,0 +1,65 @@ +syntax = "proto3"; + +package envoy.extensions.filters.network.generic_proxy.action.v3; + +import "envoy/config/core/v3/base.proto"; +import "envoy/config/route/v3/route_components.proto"; + +import "google/protobuf/any.proto"; +import "google/protobuf/duration.proto"; + +import "xds/annotations/v3/status.proto"; + +import "udpa/annotations/status.proto"; +import "validate/validate.proto"; + +option java_package = "io.envoyproxy.envoy.extensions.filters.network.generic_proxy.action.v3"; +option java_outer_classname = "ActionProto"; +option java_multiple_files = true; +option go_package = "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/network/generic_proxy/action/v3;actionv3"; +option (udpa.annotations.file_status).package_version_status = ACTIVE; +option (xds.annotations.v3.file_status).work_in_progress = true; + +// [#protodoc-title: Generic Proxy Route Action Configuration] + +// Configuration for the route match action. +// [#next-free-field: 8] +message RouteAction { + // The name of the route action. This should be unique across all route actions. + string name = 5; + + oneof cluster_specifier { + option (validate.required) = true; + + // Indicates the upstream cluster to which the request should be routed. + string cluster = 1; + + // [#not-implemented-hide:] + // Multiple upstream clusters can be specified for a given route. The request is routed to one + // of the upstream clusters based on weights assigned to each cluster. + // Currently ClusterWeight only supports the name and weight fields. + config.route.v3.WeightedCluster weighted_clusters = 2; + } + + // Route metadata. + config.core.v3.Metadata metadata = 3; + + // Route level config for L7 generic filters. The key should be the related :ref:`extension name + // ` in the :ref:`generic filters + // `. + map per_filter_config = 4; + + // Specifies the upstream timeout for the route. If not specified, the default is 15s. This + // spans between the point at which the entire downstream request (i.e. end-of-stream) has been + // processed and when the upstream response has been completely processed. A value of 0 will + // disable the route's timeout. + google.protobuf.Duration timeout = 6; + + // Specifies the retry policy for the route. If not specified, then no retries will be performed. + // + // .. note:: + // Only simplest retry policy is supported and only ``num_retries`` field is used for generic + // proxy. The default value for ``num_retries`` is 1 means that the request will be tried once + // and no additional retries will be performed. + config.core.v3.RetryPolicy retry_policy = 7; +} diff --git a/api/src/main/proto/envoy/extensions/filters/network/generic_proxy/codecs/dubbo/v3/dubbo.proto b/api/src/main/proto/envoy/extensions/filters/network/generic_proxy/codecs/dubbo/v3/dubbo.proto new file mode 100644 index 000000000..d5b6782e6 --- /dev/null +++ b/api/src/main/proto/envoy/extensions/filters/network/generic_proxy/codecs/dubbo/v3/dubbo.proto @@ -0,0 +1,20 @@ +syntax = "proto3"; + +package envoy.extensions.filters.network.generic_proxy.codecs.dubbo.v3; + +import "xds/annotations/v3/status.proto"; + +import "udpa/annotations/status.proto"; + +option java_package = "io.envoyproxy.envoy.extensions.filters.network.generic_proxy.codecs.dubbo.v3"; +option java_outer_classname = "DubboProto"; +option java_multiple_files = true; +option go_package = "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/network/generic_proxy/codecs/dubbo/v3;dubbov3"; +option (udpa.annotations.file_status).package_version_status = ACTIVE; +option (xds.annotations.v3.file_status).work_in_progress = true; + +// [#protodoc-title: Dubbo codec configuration for Generic Proxy] +// [#extension: envoy.generic_proxy.codecs.dubbo] + +message DubboCodecConfig { +} diff --git a/api/src/main/proto/envoy/extensions/filters/network/generic_proxy/codecs/http1/v3/http1.proto b/api/src/main/proto/envoy/extensions/filters/network/generic_proxy/codecs/http1/v3/http1.proto new file mode 100644 index 000000000..2a57db608 --- /dev/null +++ b/api/src/main/proto/envoy/extensions/filters/network/generic_proxy/codecs/http1/v3/http1.proto @@ -0,0 +1,49 @@ +syntax = "proto3"; + +package envoy.extensions.filters.network.generic_proxy.codecs.http1.v3; + +import "google/protobuf/wrappers.proto"; + +import "xds/annotations/v3/status.proto"; + +import "udpa/annotations/status.proto"; + +option java_package = "io.envoyproxy.envoy.extensions.filters.network.generic_proxy.codecs.http1.v3"; +option java_outer_classname = "Http1Proto"; +option java_multiple_files = true; +option go_package = "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/network/generic_proxy/codecs/http1/v3;http1v3"; +option (udpa.annotations.file_status).package_version_status = ACTIVE; +option (xds.annotations.v3.file_status).work_in_progress = true; + +// [#protodoc-title: HTTP1 codec configuration for Generic Proxy] +// [#extension: envoy.generic_proxy.codecs.http1] + +// Configuration for HTTP codec. This HTTP1 codec is used to parse and serialize HTTP1 messages +// for the generic proxy filter. +// Any decoding error will result in the generic proxy closing the connection. +// +// .. note:: +// This codec only supports HTTP1.1 messages and does not support HTTP1.0 messages. And it limits +// part of the HTTP1.1 features, such as upgrade, connect, etc. +// This codec is mainly designed for the features evaluation of the generic proxy filter. Please +// be cautious when using it in production. +message Http1CodecConfig { + // If true, the codec will parse and serialize HTTP1 messages in a single frame per message. + // + // A frame is a minimal unit of data that can be processed by the generic proxy. If false, the + // codec will parse and serialize HTTP1 messages in a streaming way. In this case, the codec + // will output multiple frames for a single HTTP1 message to the generic proxy. + // If true, the codec will buffer the entire HTTP1 message body before sending it to the generic + // proxy. This may have better performance in small message scenarios and is more friendly to + // handle the HTTP1 message body. This also may result in higher memory usage and latency if + // the message body is large. + // + // Default is true. + google.protobuf.BoolValue single_frame_mode = 1; + + // The maximum size of the HTTP1 message body in bytes. If not set, 8*1024*1024 (8MB) is used. + // This only makes sense when single_frame_mode is true. + // If the HTTP1 message body size exceeds this value, this will result in a decoding error + // and the generic proxy will close the connection. + google.protobuf.UInt32Value max_buffer_size = 2; +} diff --git a/api/src/main/proto/envoy/extensions/filters/network/generic_proxy/matcher/v3/matcher.proto b/api/src/main/proto/envoy/extensions/filters/network/generic_proxy/matcher/v3/matcher.proto new file mode 100644 index 000000000..13990866e --- /dev/null +++ b/api/src/main/proto/envoy/extensions/filters/network/generic_proxy/matcher/v3/matcher.proto @@ -0,0 +1,80 @@ +syntax = "proto3"; + +package envoy.extensions.filters.network.generic_proxy.matcher.v3; + +import "envoy/type/matcher/v3/string.proto"; + +import "xds/annotations/v3/status.proto"; + +import "udpa/annotations/status.proto"; +import "validate/validate.proto"; + +option java_package = "io.envoyproxy.envoy.extensions.filters.network.generic_proxy.matcher.v3"; +option java_outer_classname = "MatcherProto"; +option java_multiple_files = true; +option go_package = "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/network/generic_proxy/matcher/v3;matcherv3"; +option (udpa.annotations.file_status).package_version_status = ACTIVE; +option (xds.annotations.v3.file_status).work_in_progress = true; + +// [#protodoc-title: Generic Proxy Route Matcher Configuration] + +// Used to match request service of the downstream request. Only applicable if a service provided +// by the application protocol. +// This is deprecated and should be replaced by HostMatchInput. This is kept for backward compatibility. +message ServiceMatchInput { +} + +// Used to match request host of the generic downstream request. Only applicable if a host provided +// by the application protocol. +// This is same with the ServiceMatchInput and this should be preferred over ServiceMatchInput. +message HostMatchInput { +} + +// Used to match request path of the generic downstream request. Only applicable if a path provided +// by the application protocol. +message PathMatchInput { +} + +// Used to match request method of the generic downstream request. Only applicable if a method provided +// by the application protocol. +message MethodMatchInput { +} + +// Used to match an arbitrary property of the generic downstream request. +// These properties are populated by the codecs of application protocols. +message PropertyMatchInput { + // The property name to match on. + string property_name = 1 [(validate.rules).string = {min_len: 1}]; +} + +// Used to match an whole generic downstream request. +message RequestMatchInput { +} + +// Used to match an arbitrary key-value pair for headers, trailers or properties. +message KeyValueMatchEntry { + // The key name to match on. + string name = 1 [(validate.rules).string = {min_len: 1}]; + + // The key value pattern. + type.matcher.v3.StringMatcher string_match = 2 [(validate.rules).message = {required: true}]; +} + +// Custom matcher to match on the generic downstream request. This is used to match +// multiple fields of the downstream request and avoid complex combinations of +// HostMatchInput, PathMatchInput, MethodMatchInput and PropertyMatchInput. +message RequestMatcher { + // Optional host pattern to match on. If not specified, any host will match. + type.matcher.v3.StringMatcher host = 1; + + // Optional path pattern to match on. If not specified, any path will match. + type.matcher.v3.StringMatcher path = 2; + + // Optional method pattern to match on. If not specified, any method will match. + type.matcher.v3.StringMatcher method = 3; + + // Optional arbitrary properties to match on. If not specified, any properties + // will match. The key is the property name and the value is the property value + // to match on. + repeated KeyValueMatchEntry properties = 4; +} diff --git a/api/src/main/proto/envoy/extensions/filters/network/generic_proxy/router/v3/router.proto b/api/src/main/proto/envoy/extensions/filters/network/generic_proxy/router/v3/router.proto new file mode 100644 index 000000000..67f14fecf --- /dev/null +++ b/api/src/main/proto/envoy/extensions/filters/network/generic_proxy/router/v3/router.proto @@ -0,0 +1,43 @@ +syntax = "proto3"; + +package envoy.extensions.filters.network.generic_proxy.router.v3; + +import "xds/annotations/v3/status.proto"; + +import "udpa/annotations/status.proto"; + +option java_package = "io.envoyproxy.envoy.extensions.filters.network.generic_proxy.router.v3"; +option java_outer_classname = "RouterProto"; +option java_multiple_files = true; +option go_package = "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/network/generic_proxy/router/v3;routerv3"; +option (udpa.annotations.file_status).package_version_status = ACTIVE; +option (xds.annotations.v3.file_status).work_in_progress = true; + +// [#protodoc-title: Router for generic proxy] +// [#extension: envoy.filters.generic.router] + +message Router { + // Set to true if the upstream connection should be bound to the downstream connection, false + // otherwise. + // + // By default, one random upstream connection will be selected from the upstream connection pool + // and used for every request. And after the request is finished, the upstream connection will be + // released back to the upstream connection pool. + // + // If this option is true, the upstream connection will be bound to the downstream connection and + // have same lifetime as the downstream connection. The same upstream connection will be used for + // all requests from the same downstream connection. + // + // And if this options is true, one of the following requirements must be met: + // + // 1. The request must be handled one by one. That is, the next request can not be sent to the + // upstream until the previous request is finished. + // 2. Unique request id must be provided for each request and response. The request id must be + // unique for each request and response pair in same connection pair. And the request id must + // be the same for the corresponding request and response. + // + // This could be useful for some protocols that require the same upstream connection to be used + // for all requests from the same downstream connection. For example, the protocol using stateful + // connection. + bool bind_upstream_connection = 1; +} diff --git a/api/src/main/proto/envoy/extensions/filters/network/generic_proxy/v3/generic_proxy.proto b/api/src/main/proto/envoy/extensions/filters/network/generic_proxy/v3/generic_proxy.proto new file mode 100644 index 000000000..9ae256047 --- /dev/null +++ b/api/src/main/proto/envoy/extensions/filters/network/generic_proxy/v3/generic_proxy.proto @@ -0,0 +1,67 @@ +syntax = "proto3"; + +package envoy.extensions.filters.network.generic_proxy.v3; + +import "envoy/config/accesslog/v3/accesslog.proto"; +import "envoy/config/core/v3/config_source.proto"; +import "envoy/config/core/v3/extension.proto"; +import "envoy/extensions/filters/network/generic_proxy/v3/route.proto"; +import "envoy/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto"; + +import "xds/annotations/v3/status.proto"; + +import "udpa/annotations/status.proto"; +import "validate/validate.proto"; + +option java_package = "io.envoyproxy.envoy.extensions.filters.network.generic_proxy.v3"; +option java_outer_classname = "GenericProxyProto"; +option java_multiple_files = true; +option go_package = "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/network/generic_proxy/v3;generic_proxyv3"; +option (udpa.annotations.file_status).package_version_status = ACTIVE; +option (xds.annotations.v3.file_status).work_in_progress = true; + +// [#protodoc-title: Generic Proxy] +// Generic proxy. +// [#extension: envoy.filters.network.generic_proxy] + +// [#next-free-field: 8] +message GenericProxy { + // The human readable prefix to use when emitting statistics. + string stat_prefix = 1 [(validate.rules).string = {min_len: 1}]; + + // The codec which encodes and decodes the application protocol. + // [#extension-category: envoy.generic_proxy.codecs] + config.core.v3.TypedExtensionConfig codec_config = 2 + [(validate.rules).message = {required: true}]; + + oneof route_specifier { + option (validate.required) = true; + + // The generic proxies route table will be dynamically loaded via the meta RDS API. + GenericRds generic_rds = 3; + + // The route table for the generic proxy is static and is specified in this property. + RouteConfiguration route_config = 4; + } + + // A list of individual Layer-7 filters that make up the filter chain for requests made to the + // proxy. Order matters as the filters are processed sequentially as request events + // happen. + // [#extension-category: envoy.generic_proxy.filters] + repeated config.core.v3.TypedExtensionConfig filters = 5; + + // Tracing configuration for the generic proxy. + http_connection_manager.v3.HttpConnectionManager.Tracing tracing = 6; + + // Configuration for :ref:`access logs ` emitted by generic proxy. + repeated config.accesslog.v3.AccessLog access_log = 7; +} + +message GenericRds { + // Configuration source specifier for RDS. + config.core.v3.ConfigSource config_source = 1 [(validate.rules).message = {required: true}]; + + // The name of the route configuration. This name will be passed to the RDS API. This allows an + // Envoy configuration with multiple generic proxies to use different route configurations. + string route_config_name = 2 [(validate.rules).string = {min_len: 1}]; +} diff --git a/api/src/main/proto/envoy/extensions/filters/network/generic_proxy/v3/route.proto b/api/src/main/proto/envoy/extensions/filters/network/generic_proxy/v3/route.proto new file mode 100644 index 000000000..c29826618 --- /dev/null +++ b/api/src/main/proto/envoy/extensions/filters/network/generic_proxy/v3/route.proto @@ -0,0 +1,105 @@ +syntax = "proto3"; + +package envoy.extensions.filters.network.generic_proxy.v3; + +import "xds/annotations/v3/status.proto"; +import "xds/type/matcher/v3/matcher.proto"; + +import "udpa/annotations/status.proto"; +import "validate/validate.proto"; + +option java_package = "io.envoyproxy.envoy.extensions.filters.network.generic_proxy.v3"; +option java_outer_classname = "RouteProto"; +option java_multiple_files = true; +option go_package = "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/network/generic_proxy/v3;generic_proxyv3"; +option (udpa.annotations.file_status).package_version_status = ACTIVE; +option (xds.annotations.v3.file_status).work_in_progress = true; + +// [#protodoc-title: Generic Proxy Route Configuration] + +message VirtualHost { + // The name of the virtual host. + string name = 1 [(validate.rules).string = {min_len: 1}]; + + // A list of hosts that will be matched to this virtual host. Wildcard hosts are supported in + // the suffix or prefix form. + // + // Host search order: + // 1. Exact names: ``www.foo.com``. + // 2. Suffix wildcards: ``*.foo.com`` or ``*-bar.foo.com``. + // 3. Prefix wildcards: ``foo.*`` or ``foo-*``. + // 4. Special wildcard ``*`` matching any host and will be the default virtual host. + // + // .. note:: + // + // The wildcard will not match the empty string. + // e.g. ``*-bar.foo.com`` will match ``baz-bar.foo.com`` but not ``-bar.foo.com``. + // The longest wildcards match first. + // Only a single virtual host in the entire route configuration can match on ``*``. A domain + // must be unique across all virtual hosts or the config will fail to load. + repeated string hosts = 2 [(validate.rules).repeated = {min_items: 1}]; + + // The match tree to use when resolving route actions for incoming requests. + xds.type.matcher.v3.Matcher routes = 3 [(validate.rules).message = {required: true}]; +} + +// The generic proxy makes use of the xDS matching API for routing configurations. +// +// In the below example, we combine a top level tree matcher with a linear matcher to match +// the incoming requests, and send the matching requests to v1 of the upstream service. +// +// .. code-block:: yaml +// +// name: example +// routes: +// matcher_tree: +// input: +// name: request-service +// typed_config: +// "@type": type.googleapis.com/envoy.extensions.filters.network.generic_proxy.matcher.v3.ServiceMatchInput +// exact_match_map: +// map: +// service_name_0: +// matcher: +// matcher_list: +// matchers: +// - predicate: +// and_matcher: +// predicate: +// - single_predicate: +// input: +// name: request-properties +// typed_config: +// "@type": type.googleapis.com/envoy.extensions.filters.network.generic_proxy.matcher.v3.PropertyMatchInput +// property_name: version +// value_match: +// exact: v1 +// - single_predicate: +// input: +// name: request-properties +// typed_config: +// "@type": type.googleapis.com/envoy.extensions.filters.network.generic_proxy.matcher.v3.PropertyMatchInput +// property_name: user +// value_match: +// exact: john +// on_match: +// action: +// name: route +// typed_config: +// "@type": type.googleapis.com/envoy.extensions.filters.network.generic_proxy.action.v3.routeAction +// cluster: cluster_0 +message RouteConfiguration { + // The name of the route configuration. For example, it might match route_config_name in + // envoy.extensions.filters.network.generic_proxy.v3.Rds. + string name = 1 [(validate.rules).string = {min_len: 1}]; + + // The match tree to use when resolving route actions for incoming requests. + // If no any virtual host is configured in the ``virtual_hosts`` field or no special wildcard + // virtual host is configured, the ``routes`` field will be used as the default route table. + // If both the wildcard virtual host and ``routes`` are configured, the configuration will fail + // to load. + xds.type.matcher.v3.Matcher routes = 2; + + // An array of virtual hosts that make up the route table. + repeated VirtualHost virtual_hosts = 3; +} diff --git a/api/src/main/proto/envoy/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto b/api/src/main/proto/envoy/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto index f4d0c7859..3b49f1329 100644 --- a/api/src/main/proto/envoy/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto +++ b/api/src/main/proto/envoy/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto @@ -37,7 +37,7 @@ option (udpa.annotations.file_status).package_version_status = ACTIVE; // HTTP connection manager :ref:`configuration overview `. // [#extension: envoy.filters.network.http_connection_manager] -// [#next-free-field: 58] +// [#next-free-field: 59] message HttpConnectionManager { option (udpa.annotations.versioning).previous_message_type = "envoy.config.filter.network.http_connection_manager.v2.HttpConnectionManager"; @@ -58,9 +58,8 @@ message HttpConnectionManager { // Prior knowledge is allowed). HTTP2 = 2; - // [#not-implemented-hide:] QUIC implementation is not production ready yet. Use this enum with - // caution to prevent accidental execution of QUIC code. I.e. `!= HTTP2` is no longer sufficient - // to distinguish HTTP1 and HTTP2 traffic. + // The connection manager will assume that the client is speaking HTTP/3. + // This needs to be consistent with listener and transport socket config. HTTP3 = 3; } @@ -447,6 +446,21 @@ message HttpConnectionManager { config.core.v3.HttpProtocolOptions common_http_protocol_options = 35 [(udpa.annotations.security).configure_for_untrusted_downstream = true]; + // If set to true, Envoy will not start a drain timer for downstream HTTP1 connections after + // :ref:`common_http_protocol_options.max_connection_duration + // ` passes. + // Instead, Envoy will wait for the next downstream request, add connection:close to the response + // headers, then close the connection after the stream ends. + // + // This behavior is compliant with `RFC 9112 section 9.6 `_ + // + // If set to false, ``max_connection_duration`` will cause Envoy to enter the normal drain + // sequence for HTTP1 with Envoy eventually closing the connection (once there are no active + // streams). + // + // Has no effect if ``max_connection_duration`` is unset. Defaults to false. + bool http1_safe_max_connection_duration = 58; + // Additional HTTP/1 settings that are passed to the HTTP/1 codec. // [#comment:TODO: The following fields are ignored when the // :ref:`header validation configuration ` @@ -459,7 +473,6 @@ message HttpConnectionManager { [(udpa.annotations.security).configure_for_untrusted_downstream = true]; // Additional HTTP/3 settings that are passed directly to the HTTP/3 codec. - // [#not-implemented-hide:] config.core.v3.Http3ProtocolOptions http3_protocol_options = 44; // An optional override that the connection manager will write to the server @@ -480,7 +493,12 @@ message HttpConnectionManager { // The maximum request headers size for incoming connections. // If unconfigured, the default max request headers allowed is 60 KiB. + // The default value can be overridden by setting runtime key ``envoy.reloadable_features.max_request_headers_size_kb``. // Requests that exceed this limit will receive a 431 response. + // + // Note: currently some protocol codecs impose limits on the maximum size of a single header: + // HTTP/2 (when using nghttp2) limits a single header to around 100kb. + // HTTP/3 limits a single header to around 1024kb. google.protobuf.UInt32Value max_request_headers_kb = 29 [(validate.rules).uint32 = {lte: 8192 gt: 0}]; @@ -589,26 +607,33 @@ message HttpConnectionManager { // emitted by the connection manager. repeated config.accesslog.v3.AccessLog access_log = 13; + // The interval to flush the above access logs. + // // .. attention:: - // This field is deprecated in favor of - // :ref:`access_log_flush_interval - // `. - // Note that if both this field and :ref:`access_log_flush_interval - // ` - // are specified, the former (deprecated field) is ignored. + // + // This field is deprecated in favor of + // :ref:`access_log_flush_interval + // `. + // Note that if both this field and :ref:`access_log_flush_interval + // ` + // are specified, the former (deprecated field) is ignored. google.protobuf.Duration access_log_flush_interval = 54 [ deprecated = true, (validate.rules).duration = {gte {nanos: 1000000}}, (envoy.annotations.deprecated_at_minor_version) = "3.0" ]; + // If set to true, HCM will flush an access log once when a new HTTP request is received, after the request + // headers have been evaluated, and before iterating through the HTTP filter chain. + // // .. attention:: - // This field is deprecated in favor of - // :ref:`flush_access_log_on_new_request - // `. - // Note that if both this field and :ref:`flush_access_log_on_new_request - // ` - // are specified, the former (deprecated field) is ignored. + // + // This field is deprecated in favor of + // :ref:`flush_access_log_on_new_request + // `. + // Note that if both this field and :ref:`flush_access_log_on_new_request + // ` + // are specified, the former (deprecated field) is ignored. bool flush_access_log_on_new_request = 55 [deprecated = true, (envoy.annotations.deprecated_at_minor_version) = "3.0"]; @@ -664,6 +689,34 @@ message HttpConnectionManager { // purposes. If unspecified, only RFC1918 IP addresses will be considered internal. // See the documentation for :ref:`config_http_conn_man_headers_x-envoy-internal` for more // information about internal/external addresses. + // + // .. warning:: + // In the next release, no IP addresses will be considered trusted. If you have tooling such as probes + // on your private network which need to be treated as trusted (e.g. changing arbitrary x-envoy headers) + // you will have to manually include those addresses or CIDR ranges like: + // + // .. validated-code-block:: yaml + // :type-name: envoy.extensions.filters.network.http_connection_manager.v3.InternalAddressConfig + // + // cidr_ranges: + // address_prefix: 10.0.0.0 + // prefix_len: 8 + // cidr_ranges: + // address_prefix: 192.168.0.0 + // prefix_len: 16 + // cidr_ranges: + // address_prefix: 172.16.0.0 + // prefix_len: 12 + // cidr_ranges: + // address_prefix: 127.0.0.1 + // prefix_len: 32 + // cidr_ranges: + // address_prefix: fd00:: + // prefix_len: 8 + // cidr_ranges: + // address_prefix: ::1 + // prefix_len: 128 + // InternalAddressConfig internal_address_config = 25; // If set, Envoy will not append the remote address to the diff --git a/api/src/main/proto/envoy/extensions/filters/network/redis_proxy/v3/redis_proxy.proto b/api/src/main/proto/envoy/extensions/filters/network/redis_proxy/v3/redis_proxy.proto index 28e351fb0..19ab3b453 100644 --- a/api/src/main/proto/envoy/extensions/filters/network/redis_proxy/v3/redis_proxy.proto +++ b/api/src/main/proto/envoy/extensions/filters/network/redis_proxy/v3/redis_proxy.proto @@ -3,6 +3,7 @@ syntax = "proto3"; package envoy.extensions.filters.network.redis_proxy.v3; import "envoy/config/core/v3/base.proto"; +import "envoy/config/core/v3/grpc_service.proto"; import "envoy/extensions/common/dynamic_forward_proxy/v3/dns_cache.proto"; import "google/protobuf/duration.proto"; @@ -25,7 +26,7 @@ option (udpa.annotations.file_status).package_version_status = ACTIVE; // Redis Proxy :ref:`configuration overview `. // [#extension: envoy.filters.network.redis_proxy] -// [#next-free-field: 10] +// [#next-free-field: 11] message RedisProxy { option (udpa.annotations.versioning).previous_message_type = "envoy.config.filter.network.redis_proxy.v2.RedisProxy"; @@ -353,6 +354,15 @@ message RedisProxy { // client. If an AUTH command is received when the password is not set, then an "ERR Client sent // AUTH, but no ACL is set" error will be returned. config.core.v3.DataSource downstream_auth_username = 7 [(udpa.annotations.sensitive) = true]; + + // External authentication configuration. If set, instead of validating username and password against ``downstream_auth_username`` and ``downstream_auth_password``, + // the filter will call an external gRPC service to authenticate the client. + // A typical usage of this feature is for situations where the password is a one-time token that needs to be validated against a remote service, like a sidecar. + // Expiration is also supported, which will disable any further commands from the client after the expiration time, unless a new AUTH command is received and the external auth service returns a new expiration time. + // If the external auth service returns an error, authentication is considered failed. + // If this setting is set together with ``downstream_auth_username`` and ``downstream_auth_password``, the external auth service will be source of truth, but those fields will still be used for downstream authentication to the cluster. + // The API is defined by :ref:`RedisProxyExternalAuthRequest `. + RedisExternalAuthProvider external_auth_provider = 10; } // RedisProtocolOptions specifies Redis upstream protocol options. This object is used in @@ -370,3 +380,22 @@ message RedisProtocolOptions { // ``_ in the server's configuration file. config.core.v3.DataSource auth_username = 2 [(udpa.annotations.sensitive) = true]; } + +// RedisExternalAuthProvider specifies a gRPC service that can be used to authenticate Redis clients. +// This service will be called every time an AUTH command is received from a client. +// If the service returns an error, authentication is considered failed. +// If the service returns a success, the client is considered authenticated. +// The service can also return an expiration timestamp, which will be used to disable any further +// commands from the client after it passes, unless a new AUTH command is received and the +// external auth service returns a new expiration timestamp. +message RedisExternalAuthProvider { + // External auth gRPC service configuration. + // It will be called every time an AUTH command is received from a client. + config.core.v3.GrpcService grpc_service = 1; + + // If set to true, the filter will expect an expiration timestamp in the response from the external + // auth service. This timestamp will be used to disable any further commands from the client after + // the expiration time, unless a new AUTH command is received and the external auth service returns + // a new expiration timestamp. + bool enable_auth_expiration = 2; +} diff --git a/api/src/main/proto/envoy/extensions/filters/udp/udp_proxy/v3/udp_proxy.proto b/api/src/main/proto/envoy/extensions/filters/udp/udp_proxy/v3/udp_proxy.proto index 1d07668ac..ba08915e6 100644 --- a/api/src/main/proto/envoy/extensions/filters/udp/udp_proxy/v3/udp_proxy.proto +++ b/api/src/main/proto/envoy/extensions/filters/udp/udp_proxy/v3/udp_proxy.proto @@ -4,6 +4,7 @@ package envoy.extensions.filters.udp.udp_proxy.v3; import "envoy/config/accesslog/v3/accesslog.proto"; import "envoy/config/core/v3/base.proto"; +import "envoy/config/core/v3/config_source.proto"; import "envoy/config/core/v3/udp_socket_config.proto"; import "google/protobuf/any.proto"; @@ -61,6 +62,11 @@ message UdpProxyConfig { // Filter specific configuration which depends on the filter being // instantiated. See the supported filters for further documentation. google.protobuf.Any typed_config = 2; + + // Configuration source specifier for an extension configuration discovery + // service. In case of a failure and without the default configuration, the + // UDP session will be removed. + config.core.v3.ExtensionConfigSource config_discovery = 3; } } diff --git a/api/src/main/proto/envoy/extensions/http/original_ip_detection/xff/v3/xff.proto b/api/src/main/proto/envoy/extensions/http/original_ip_detection/xff/v3/xff.proto index b09b6f311..d1dd5f098 100644 --- a/api/src/main/proto/envoy/extensions/http/original_ip_detection/xff/v3/xff.proto +++ b/api/src/main/proto/envoy/extensions/http/original_ip_detection/xff/v3/xff.proto @@ -2,6 +2,10 @@ syntax = "proto3"; package envoy.extensions.http.original_ip_detection.xff.v3; +import "envoy/config/core/v3/address.proto"; + +import "google/protobuf/wrappers.proto"; + import "udpa/annotations/status.proto"; option java_package = "io.envoyproxy.envoy.extensions.http.original_ip_detection.xff.v3"; @@ -22,5 +26,45 @@ message XffConfig { // determining the origin client's IP address. The default is zero if this option // is not specified. See the documentation for // :ref:`config_http_conn_man_headers_x-forwarded-for` for more information. + // + // Only one of ``xff_num_trusted_hops`` and ``xff_trusted_cidrs`` can be set. uint32 xff_num_trusted_hops = 1; + + // The `CIDR `_ ranges to trust when + // evaluating the remote IP address to determine the original client's IP address. + // This is used instead of + // :ref:`use_remote_address `. + // When the remote IP address matches a trusted CIDR and the + // :ref:`config_http_conn_man_headers_x-forwarded-for` header was sent, each entry + // in the ``x-forwarded-for`` header is evaluated from right to left and the first + // public non-trusted address is used as the original client address. If all + // addresses in ``x-forwarded-for`` are within the trusted list, the first (leftmost) + // entry is used. + // + // This is typically used when requests are proxied by a + // `CDN `_. + // + // Only one of ``xff_num_trusted_hops`` and ``xff_trusted_cidrs`` can be set. + XffTrustedCidrs xff_trusted_cidrs = 2; + + // If set, Envoy will not append the remote address to the + // :ref:`config_http_conn_man_headers_x-forwarded-for` HTTP header. + // + // .. attention:: + // + // For proper proxy behaviour it is not recommended to set this option. + // For backwards compatibility, if this option is unset it defaults to true. + // + // This only applies when :ref:`use_remote_address + // ` + // is false, otherwise :ref:`skip_xff_append + // ` + // applies. + google.protobuf.BoolValue skip_xff_append = 3; +} + +message XffTrustedCidrs { + // The list of `CIDRs `_ from which remote + // connections are considered trusted. + repeated config.core.v3.CidrRange cidrs = 1; } diff --git a/api/src/main/proto/envoy/extensions/load_balancing_policies/client_side_weighted_round_robin/v3/client_side_weighted_round_robin.proto b/api/src/main/proto/envoy/extensions/load_balancing_policies/client_side_weighted_round_robin/v3/client_side_weighted_round_robin.proto index c70360a09..9520f6dbd 100644 --- a/api/src/main/proto/envoy/extensions/load_balancing_policies/client_side_weighted_round_robin/v3/client_side_weighted_round_robin.proto +++ b/api/src/main/proto/envoy/extensions/load_balancing_policies/client_side_weighted_round_robin/v3/client_side_weighted_round_robin.proto @@ -15,7 +15,7 @@ option go_package = "github.com/envoyproxy/go-control-plane/envoy/extensions/loa option (udpa.annotations.file_status).package_version_status = ACTIVE; // [#protodoc-title: Client-Side Weighted Round Robin Load Balancing Policy] -// [#not-implemented-hide:] +// [#extension: envoy.load_balancing_policies.client_side_weighted_round_robin] // Configuration for the client_side_weighted_round_robin LB policy. // @@ -30,11 +30,12 @@ option (udpa.annotations.file_status).package_version_status = ACTIVE; // regardless of result. Only failed queries count toward eps. A config // parameter error_utilization_penalty controls the penalty to adjust endpoint // weights using eps and qps. The weight of a given endpoint is computed as: -// qps / (utilization + eps/qps * error_utilization_penalty) +// ``qps / (utilization + eps/qps * error_utilization_penalty)``. // -// See the :ref:`load balancing architecture overview` for more information. +// See the :ref:`load balancing architecture +// overview` for more information. // -// [#next-free-field: 7] +// [#next-free-field: 8] message ClientSideWeightedRoundRobin { // Whether to enable out-of-band utilization reporting collection from // the endpoints. By default, per-request utilization reporting is used. @@ -68,4 +69,10 @@ message ClientSideWeightedRoundRobin { // calculated as eps/qps. Configuration is rejected if this value is negative. // Default is 1.0. google.protobuf.FloatValue error_utilization_penalty = 6 [(validate.rules).float = {gte: 0.0}]; + + // By default, endpoint weight is computed based on the :ref:`application_utilization ` field reported by the endpoint. + // If that field is not set, then utilization will instead be computed by taking the max of the values of the metrics specified here. + // For map fields in the ORCA proto, the string will be of the form ``.``. For example, the string ``named_metrics.foo`` will mean to look for the key ``foo`` in the ORCA :ref:`named_metrics ` field. + // If none of the specified metrics are present in the load report, then :ref:`cpu_utilization ` is used instead. + repeated string metric_names_for_computing_utilization = 7; } diff --git a/api/src/main/proto/envoy/extensions/matching/common_inputs/network/v3/network_inputs.proto b/api/src/main/proto/envoy/extensions/matching/common_inputs/network/v3/network_inputs.proto index 59756bc0c..bea415a71 100644 --- a/api/src/main/proto/envoy/extensions/matching/common_inputs/network/v3/network_inputs.proto +++ b/api/src/main/proto/envoy/extensions/matching/common_inputs/network/v3/network_inputs.proto @@ -103,3 +103,48 @@ message ApplicationProtocolInput { message FilterStateInput { string key = 1 [(validate.rules).string = {min_len: 1}]; } + +// Input that matches dynamic metadata by key. +// DynamicMetadataInput provides a general interface using ``filter`` and ``path`` to retrieve value from +// :ref:`Metadata `. +// +// For example, for the following Metadata: +// +// .. code-block:: yaml +// +// filter_metadata: +// envoy.xxx: +// prop: +// foo: bar +// xyz: +// hello: envoy +// +// The following DynamicMetadataInput will retrieve a string value "bar" from the Metadata. +// +// .. code-block:: yaml +// +// filter: envoy.xxx +// path: +// - key: prop +// - key: foo +// +// [#extension: envoy.matching.inputs.dynamic_metadata] +message DynamicMetadataInput { + // Specifies the segment in a path to retrieve value from Metadata. + // Note: Currently it's not supported to retrieve a value from a list in Metadata. This means that + // if the segment key refers to a list, it has to be the last segment in a path. + message PathSegment { + oneof segment { + option (validate.required) = true; + + // If specified, use the key to retrieve the value in a Struct. + string key = 1 [(validate.rules).string = {min_len: 1}]; + } + } + + // The filter name to retrieve the Struct from the Metadata. + string filter = 1 [(validate.rules).string = {min_len: 1}]; + + // The path to retrieve the Value from the Struct. + repeated PathSegment path = 2 [(validate.rules).repeated = {min_items: 1}]; +} diff --git a/api/src/main/proto/envoy/extensions/matching/input_matchers/metadata/v3/metadata.proto b/api/src/main/proto/envoy/extensions/matching/input_matchers/metadata/v3/metadata.proto new file mode 100644 index 000000000..19d74fb41 --- /dev/null +++ b/api/src/main/proto/envoy/extensions/matching/input_matchers/metadata/v3/metadata.proto @@ -0,0 +1,26 @@ +syntax = "proto3"; + +package envoy.extensions.matching.input_matchers.metadata.v3; + +import "envoy/type/matcher/v3/value.proto"; + +import "udpa/annotations/status.proto"; +import "validate/validate.proto"; + +option java_package = "io.envoyproxy.envoy.extensions.matching.input_matchers.metadata.v3"; +option java_outer_classname = "MetadataProto"; +option java_multiple_files = true; +option go_package = "github.com/envoyproxy/go-control-plane/envoy/extensions/matching/input_matchers/metadata/v3;metadatav3"; +option (udpa.annotations.file_status).package_version_status = ACTIVE; + +// [#protodoc-title: metadata matcher] +// [#extension: envoy.matching.matchers.metadata_matcher] + +// Metadata matcher for metadata from http matching input data. +message Metadata { + // The Metadata is matched if the value retrieved by metadata matching input is matched to this value. + type.matcher.v3.ValueMatcher value = 1 [(validate.rules).message = {required: true}]; + + // If true, the match result will be inverted. + bool invert = 4; +} diff --git a/api/src/main/proto/envoy/extensions/network/dns_resolver/getaddrinfo/v3/getaddrinfo_dns_resolver.proto b/api/src/main/proto/envoy/extensions/network/dns_resolver/getaddrinfo/v3/getaddrinfo_dns_resolver.proto index 0ffde4bee..522888a4c 100644 --- a/api/src/main/proto/envoy/extensions/network/dns_resolver/getaddrinfo/v3/getaddrinfo_dns_resolver.proto +++ b/api/src/main/proto/envoy/extensions/network/dns_resolver/getaddrinfo/v3/getaddrinfo_dns_resolver.proto @@ -2,6 +2,8 @@ syntax = "proto3"; package envoy.extensions.network.dns_resolver.getaddrinfo.v3; +import "google/protobuf/wrappers.proto"; + import "udpa/annotations/status.proto"; option java_package = "io.envoyproxy.envoy.extensions.network.dns_resolver.getaddrinfo.v3"; @@ -27,4 +29,7 @@ option (udpa.annotations.file_status).package_version_status = ACTIVE; // Resolutions currently use a hard coded TTL of 60s because the getaddrinfo() API does not // provide the actual TTL. Configuration for this can be added in the future if needed. message GetAddrInfoDnsResolverConfig { + // Specifies the number of retries before the resolver gives up. If not specified, the resolver will + // retry indefinitely until it succeeds or the DNS query times out. + google.protobuf.UInt32Value num_retries = 1; } diff --git a/api/src/main/proto/envoy/extensions/quic/server_preferred_address/v3/datasource.proto b/api/src/main/proto/envoy/extensions/quic/server_preferred_address/v3/datasource.proto index 6baf39850..5bea48663 100644 --- a/api/src/main/proto/envoy/extensions/quic/server_preferred_address/v3/datasource.proto +++ b/api/src/main/proto/envoy/extensions/quic/server_preferred_address/v3/datasource.proto @@ -4,8 +4,6 @@ package envoy.extensions.quic.server_preferred_address.v3; import "envoy/config/core/v3/base.proto"; -import "xds/annotations/v3/status.proto"; - import "udpa/annotations/status.proto"; import "validate/validate.proto"; @@ -20,10 +18,6 @@ option (udpa.annotations.file_status).package_version_status = ACTIVE; // Configuration for DataSourceServerPreferredAddressConfig. message DataSourceServerPreferredAddressConfig { - // [#comment:TODO(danzh2010): discuss with API shepherds before removing WiP status.] - - option (xds.annotations.v3.message_status).work_in_progress = true; - // Addresses for server preferred address for a single address family (IPv4 or IPv6). message AddressFamilyConfig { // The server preferred address sent to clients. The data must contain an IP address string. diff --git a/api/src/main/proto/envoy/extensions/quic/server_preferred_address/v3/fixed_server_preferred_address_config.proto b/api/src/main/proto/envoy/extensions/quic/server_preferred_address/v3/fixed_server_preferred_address_config.proto index 20ec9a2a3..43072fd50 100644 --- a/api/src/main/proto/envoy/extensions/quic/server_preferred_address/v3/fixed_server_preferred_address_config.proto +++ b/api/src/main/proto/envoy/extensions/quic/server_preferred_address/v3/fixed_server_preferred_address_config.proto @@ -4,8 +4,6 @@ package envoy.extensions.quic.server_preferred_address.v3; import "envoy/config/core/v3/address.proto"; -import "xds/annotations/v3/status.proto"; - import "udpa/annotations/status.proto"; option java_package = "io.envoyproxy.envoy.extensions.quic.server_preferred_address.v3"; @@ -19,10 +17,6 @@ option (udpa.annotations.file_status).package_version_status = ACTIVE; // Configuration for FixedServerPreferredAddressConfig. message FixedServerPreferredAddressConfig { - // [#comment:TODO(danzh2010): discuss with API shepherds before removing WiP status.] - - option (xds.annotations.v3.message_status).work_in_progress = true; - // Addresses for server preferred address for a single address family (IPv4 or IPv6). message AddressFamilyConfig { // The server preferred address sent to clients. diff --git a/api/src/main/proto/envoy/extensions/resource_monitors/cpu_utilization/v3/cpu_utilization.proto b/api/src/main/proto/envoy/extensions/resource_monitors/cpu_utilization/v3/cpu_utilization.proto new file mode 100644 index 000000000..a8362e7b8 --- /dev/null +++ b/api/src/main/proto/envoy/extensions/resource_monitors/cpu_utilization/v3/cpu_utilization.proto @@ -0,0 +1,19 @@ +syntax = "proto3"; + +package envoy.extensions.resource_monitors.cpu_utilization.v3; + +import "udpa/annotations/status.proto"; + +option java_package = "io.envoyproxy.envoy.extensions.resource_monitors.cpu_utilization.v3"; +option java_outer_classname = "CpuUtilizationProto"; +option java_multiple_files = true; +option go_package = "github.com/envoyproxy/go-control-plane/envoy/extensions/resource_monitors/cpu_utilization/v3;cpu_utilizationv3"; +option (udpa.annotations.file_status).package_version_status = ACTIVE; + +// [#protodoc-title: CPU utilization] +// [#extension: envoy.resource_monitors.cpu_utilization] + +// The CPU utilization resource monitor reports the Envoy process the CPU Utilization of the entire host. +// Today, this only works on Linux and is calculated using the stats in the /proc/stat file. +message CpuUtilizationConfig { +} diff --git a/api/src/main/proto/envoy/extensions/resource_monitors/downstream_connections/v3/downstream_connections.proto b/api/src/main/proto/envoy/extensions/resource_monitors/downstream_connections/v3/downstream_connections.proto index 5028fdf38..b65b01ae4 100644 --- a/api/src/main/proto/envoy/extensions/resource_monitors/downstream_connections/v3/downstream_connections.proto +++ b/api/src/main/proto/envoy/extensions/resource_monitors/downstream_connections/v3/downstream_connections.proto @@ -12,7 +12,7 @@ option go_package = "github.com/envoyproxy/go-control-plane/envoy/extensions/res option (udpa.annotations.file_status).package_version_status = ACTIVE; // [#protodoc-title: Downstream connections] -// [#extension: envoy.resource_monitors.downstream_connections] +// [#extension: envoy.resource_monitors.global_downstream_max_connections] // The downstream connections resource monitor tracks the global number of open downstream connections. message DownstreamConnectionsConfig { diff --git a/api/src/main/proto/envoy/extensions/transport_sockets/http_11_proxy/v3/upstream_http_11_connect.proto b/api/src/main/proto/envoy/extensions/transport_sockets/http_11_proxy/v3/upstream_http_11_connect.proto index 99c2e4510..2c9b5333f 100644 --- a/api/src/main/proto/envoy/extensions/transport_sockets/http_11_proxy/v3/upstream_http_11_connect.proto +++ b/api/src/main/proto/envoy/extensions/transport_sockets/http_11_proxy/v3/upstream_http_11_connect.proto @@ -5,7 +5,6 @@ package envoy.extensions.transport_sockets.http_11_proxy.v3; import "envoy/config/core/v3/base.proto"; import "udpa/annotations/status.proto"; -import "validate/validate.proto"; option java_package = "io.envoyproxy.envoy.extensions.transport_sockets.http_11_proxy.v3"; option java_outer_classname = "UpstreamHttp11ConnectProto"; @@ -16,21 +15,24 @@ option (udpa.annotations.file_status).package_version_status = ACTIVE; // [#protodoc-title: Upstream HTTP/1.1 Proxy] // [#extension: envoy.transport_sockets.http_11_proxy] -// Configuration for HTTP/1.1 proxy transport sockets. -// This is intended for use in Envoy Mobile, though may eventually be extended -// for upstream Envoy use. -// If this transport socket is configured, and an intermediate filter adds the -// stream info necessary for proxying to the stream info (as the test filter -// does :repo:`here `) then +// HTTP/1.1 proxy transport socket establishes an upstream connection to a proxy address +// instead of the target host's address. This behavior is triggered when the transport +// socket is configured and proxy information is provided. // -// * Upstream connections will be directed to the specified proxy address rather -// than the host's address -// * Upstream TLS connections will have a raw HTTP/1.1 CONNECT header prefaced -// to the payload, and 200 response stripped (if less than 200 bytes) -// * Plaintext HTTP/1.1 connections will be sent with a fully qualified URL. +// Behavior when proxying: +// ======================= +// When an upstream connection is established, instead of connecting directly to the endpoint +// address, the client will connect to the specified proxy address, send an HTTP/1.1 ``CONNECT`` request +// indicating the endpoint address, and process the response. If the response has HTTP status 200, +// the connection will be passed down to the underlying transport socket. +// +// Configuring proxy information: +// ============================== +// Set ``typed_filter_metadata`` in :ref:`LbEndpoint.Metadata ` or :ref:`LocalityLbEndpoints.Metadata `. +// using the key ``envoy.http11_proxy_transport_socket.proxy_address`` and the +// proxy address in ``config::core::v3::Address`` format. // -// This transport socket is not compatible with HTTP/3, plaintext HTTP/2, or raw TCP. message Http11ProxyUpstreamTransport { - // The underlying transport socket being wrapped. - config.core.v3.TransportSocket transport_socket = 1 [(validate.rules).message = {required: true}]; + // The underlying transport socket being wrapped. Defaults to plaintext (raw_buffer) if unset. + config.core.v3.TransportSocket transport_socket = 1; } diff --git a/api/src/main/proto/envoy/extensions/transport_sockets/tls/v3/common.proto b/api/src/main/proto/envoy/extensions/transport_sockets/tls/v3/common.proto index c1a3f5b33..46d86b658 100644 --- a/api/src/main/proto/envoy/extensions/transport_sockets/tls/v3/common.proto +++ b/api/src/main/proto/envoy/extensions/transport_sockets/tls/v3/common.proto @@ -290,12 +290,12 @@ message TlsSessionTicketKeys { // respect to the TLS handshake. // [#not-implemented-hide:] message CertificateProviderPluginInstance { - // Provider instance name. If not present, defaults to "default". + // Provider instance name. // // Instance names should generally be defined not in terms of the underlying provider // implementation (e.g., "file_watcher") but rather in terms of the function of the // certificates (e.g., "foo_deployment_identity"). - string instance_name = 1; + string instance_name = 1 [(validate.rules).string = {min_len: 1}]; // Opaque name used to specify certificate instances or types. For example, "ROOTCA" to specify // a root-certificate (validation context) or "example.com" to specify a certificate for a diff --git a/api/src/main/proto/envoy/extensions/transport_sockets/tls/v3/tls.proto b/api/src/main/proto/envoy/extensions/transport_sockets/tls/v3/tls.proto index 9d465c973..c305ff74f 100644 --- a/api/src/main/proto/envoy/extensions/transport_sockets/tls/v3/tls.proto +++ b/api/src/main/proto/envoy/extensions/transport_sockets/tls/v3/tls.proto @@ -63,7 +63,7 @@ message UpstreamTlsContext { google.protobuf.BoolValue enforce_rsa_key_usage = 5; } -// [#next-free-field: 11] +// [#next-free-field: 12] message DownstreamTlsContext { option (udpa.annotations.versioning).previous_message_type = "envoy.api.v2.auth.DownstreamTlsContext"; @@ -140,6 +140,11 @@ message DownstreamTlsContext { // If the client provides SNI but no such cert matched, it will decide to full scan certificates or not based on this config. // Defaults to false. See more details in :ref:`Multiple TLS certificates `. google.protobuf.BoolValue full_scan_certs_on_sni_mismatch = 9; + + // By default, Envoy as a server uses its preferred cipher during the handshake. + // Setting this to true would allow the downstream client's preferred cipher to be used instead. + // Has no effect when using TLSv1_3. + bool prefer_client_ciphers = 11; } // TLS key log configuration. @@ -158,7 +163,7 @@ message TlsKeyLog { } // TLS context shared by both client and server TLS contexts. -// [#next-free-field: 16] +// [#next-free-field: 17] message CommonTlsContext { option (udpa.annotations.versioning).previous_message_type = "envoy.api.v2.auth.CommonTlsContext"; @@ -269,6 +274,13 @@ message CommonTlsContext { // [#not-implemented-hide:] CertificateProviderPluginInstance tls_certificate_provider_instance = 14; + // Custom TLS certificate selector. + // + // Select TLS certificate based on TLS client hello. + // If empty, defaults to native TLS certificate selection behavior: + // DNS SANs or Subject Common Name in TLS certificates is extracted as server name pattern to match SNI. + config.core.v3.TypedExtensionConfig custom_tls_certificate_selector = 16; + // Certificate provider for fetching TLS certificates. // [#not-implemented-hide:] CertificateProvider tls_certificate_certificate_provider = 9 diff --git a/api/src/main/proto/envoy/service/ext_proc/v3/external_processor.proto b/api/src/main/proto/envoy/service/ext_proc/v3/external_processor.proto index e1d698ff7..6ae58c3c7 100644 --- a/api/src/main/proto/envoy/service/ext_proc/v3/external_processor.proto +++ b/api/src/main/proto/envoy/service/ext_proc/v3/external_processor.proto @@ -180,7 +180,10 @@ message ProcessingResponse { // It is also ignored by Envoy when the ext_proc filter config // :ref:`allow_mode_override // ` - // is set to false. + // is set to false, or + // :ref:`send_body_without_waiting_for_header_response + // ` + // is set to true. envoy.extensions.filters.http.ext_proc.v3.ProcessingMode mode_override = 9; // When ext_proc server receives a request message, in case it needs more @@ -206,12 +209,8 @@ message ProcessingResponse { message HttpHeaders { // The HTTP request headers. All header keys will be // lower-cased, because HTTP header keys are case-insensitive. - // The ``headers`` encoding is based on the runtime guard - // envoy_reloadable_features_send_header_raw_value setting. - // When it is true, the header value is encoded in the + // The header value is encoded in the // :ref:`raw_value ` field. - // When it is false, the header value is encoded in the - // :ref:`value ` field. config.core.v3.HeaderMap headers = 1; // [#not-implemented-hide:] @@ -235,12 +234,8 @@ message HttpBody { // This message contains the trailers. message HttpTrailers { - // The ``trailers`` encoding is based on the runtime guard - // envoy_reloadable_features_send_header_raw_value setting. - // When it is true, the header value is encoded in the + // The header value is encoded in the // :ref:`raw_value ` field. - // When it is false, the header value is encoded in the - // :ref:`value ` field. config.core.v3.HeaderMap trailers = 1; } @@ -308,12 +303,8 @@ message CommonResponse { // Add new trailers to the message. This may be used when responding to either a // HttpHeaders or HttpBody message, but only if this message is returned // along with the CONTINUE_AND_REPLACE status. - // The ``trailers`` encoding is based on the runtime guard - // envoy_reloadable_features_send_header_raw_value setting. - // When it is true, the header value is encoded in the + // The header value is encoded in the // :ref:`raw_value ` field. - // When it is false, the header value is encoded in the - // :ref:`value ` field. config.core.v3.HeaderMap trailers = 4; // Clear the route cache for the current client request. This is necessary @@ -362,12 +353,8 @@ message HeaderMutation { // Add or replace HTTP headers. Attempts to set the value of // any ``x-envoy`` header, and attempts to set the ``:method``, // ``:authority``, ``:scheme``, or ``host`` headers will be ignored. - // The ``set_headers`` encoding is based on the runtime guard - // envoy_reloadable_features_send_header_raw_value setting. - // When it is true, the header value is encoded in the + // The header value is encoded in the // :ref:`raw_value ` field. - // When it is false, the header value is encoded in the - // :ref:`value ` field. repeated config.core.v3.HeaderValueOption set_headers = 1; // Remove these HTTP headers. Attempts to remove system headers -- diff --git a/api/src/main/proto/envoy/service/extension/v3/config_discovery.proto b/api/src/main/proto/envoy/service/extension/v3/config_discovery.proto index 2230c8df7..8948555c7 100644 --- a/api/src/main/proto/envoy/service/extension/v3/config_discovery.proto +++ b/api/src/main/proto/envoy/service/extension/v3/config_discovery.proto @@ -18,13 +18,14 @@ option (udpa.annotations.file_status).package_version_status = ACTIVE; // [#protodoc-title: Extension config discovery service (ECDS)] // A service that supports dynamic configuration updates for a specific filter. -// Currently, ECDS is supported for network filters, HTTP filters and Listener filters. +// Currently, ECDS is supported for network filters, HTTP filters, UDP session filters and Listener filters. // Please check :ref:`Extension Config Discovery Service (ECDS) API `. // The overall extension config discovery service works as follows: // // 1. A filter (:ref:`Downstream Network `, // :ref:`Upstream Network `, -// :ref:`Listener ` +// :ref:`Listener `, +// :ref:`UDP Session `, // or :ref:`HTTP `) // contains a :ref:`config_discovery ` configuration. This configuration // includes a :ref:`config_source `, diff --git a/api/src/main/proto/envoy/service/ratelimit/v3/rls.proto b/api/src/main/proto/envoy/service/ratelimit/v3/rls.proto index 7375aceb5..d69a323d8 100644 --- a/api/src/main/proto/envoy/service/ratelimit/v3/rls.proto +++ b/api/src/main/proto/envoy/service/ratelimit/v3/rls.proto @@ -49,6 +49,8 @@ message RateLimitRequest { // Rate limit requests can optionally specify the number of hits a request adds to the matched // limit. If the value is not set in the message, a request increases the matched limit by 1. + // This value can be overridden by setting filter state value ``envoy.ratelimit.hits_addend`` + // to the desired number. Invalid number (< 0) or number will be ignored. uint32 hits_addend = 3; } diff --git a/api/src/main/proto/envoy/service/redis_auth/v3/redis_external_auth.proto b/api/src/main/proto/envoy/service/redis_auth/v3/redis_external_auth.proto new file mode 100644 index 000000000..52bc3bc03 --- /dev/null +++ b/api/src/main/proto/envoy/service/redis_auth/v3/redis_external_auth.proto @@ -0,0 +1,47 @@ +syntax = "proto3"; + +package envoy.service.redis_auth.v3; + +import "google/protobuf/timestamp.proto"; +import "google/rpc/status.proto"; + +import "udpa/annotations/status.proto"; + +option java_package = "io.envoyproxy.envoy.service.redis_auth.v3"; +option java_outer_classname = "RedisExternalAuthProto"; +option java_multiple_files = true; +option go_package = "github.com/envoyproxy/go-control-plane/envoy/service/redis_auth/v3;redis_authv3"; +option (udpa.annotations.file_status).package_version_status = ACTIVE; + +// [#protodoc-title: Redis external authentication service] + +// The messages used by the redis_proxy filter when performing external authentication. + +// A generic interface for performing external password authentication on incoming AUTH commands. +service RedisProxyExternalAuth { + // Performs authentication check based on the data sent with the AUTH request. + // Returns either an OK status or an error status. + rpc Authenticate(RedisProxyExternalAuthRequest) returns (RedisProxyExternalAuthResponse) { + } +} + +message RedisProxyExternalAuthRequest { + // Username, if applicable. Otherwise, empty. + string username = 1; + + // Password sent with the AUTH command. + string password = 2; +} + +message RedisProxyExternalAuthResponse { + // Status of the authentication check. + google.rpc.Status status = 1; + + // Optional expiration time for the authentication. + // If set, the authentication will be valid until this time. + // If not set, the authentication will be valid indefinitely. + google.protobuf.Timestamp expiration = 2; + + // Optional message to be sent back to the client. + string message = 3; +} diff --git a/api/src/main/proto/google/api/annotations.proto b/api/src/main/proto/google/api/annotations.proto index efdab3db6..84c48164a 100644 --- a/api/src/main/proto/google/api/annotations.proto +++ b/api/src/main/proto/google/api/annotations.proto @@ -1,4 +1,4 @@ -// Copyright 2015 Google LLC +// Copyright 2024 Google LLC // // Licensed under the Apache License, Version 2.0 (the "License"); // you may not use this file except in compliance with the License. diff --git a/api/src/main/proto/google/api/expr/v1alpha1/checked.proto b/api/src/main/proto/google/api/expr/v1alpha1/checked.proto index 930dc4f00..c68493485 100644 --- a/api/src/main/proto/google/api/expr/v1alpha1/checked.proto +++ b/api/src/main/proto/google/api/expr/v1alpha1/checked.proto @@ -1,4 +1,4 @@ -// Copyright 2022 Google LLC +// Copyright 2024 Google LLC // // Licensed under the Apache License, Version 2.0 (the "License"); // you may not use this file except in compliance with the License. diff --git a/api/src/main/proto/google/api/expr/v1alpha1/syntax.proto b/api/src/main/proto/google/api/expr/v1alpha1/syntax.proto index 8219ba689..7b6668db1 100644 --- a/api/src/main/proto/google/api/expr/v1alpha1/syntax.proto +++ b/api/src/main/proto/google/api/expr/v1alpha1/syntax.proto @@ -1,4 +1,4 @@ -// Copyright 2022 Google LLC +// Copyright 2024 Google LLC // // Licensed under the Apache License, Version 2.0 (the "License"); // you may not use this file except in compliance with the License. @@ -44,21 +44,24 @@ message ParsedExpr { // operators with the exception of the '.' operator are modelled as function // calls. This makes it easy to represent new operators into the existing AST. // -// All references within expressions must resolve to a [Decl][google.api.expr.v1alpha1.Decl] provided at -// type-check for an expression to be valid. A reference may either be a bare -// identifier `name` or a qualified identifier `google.api.name`. References -// may either refer to a value or a function declaration. +// All references within expressions must resolve to a +// [Decl][google.api.expr.v1alpha1.Decl] provided at type-check for an +// expression to be valid. A reference may either be a bare identifier `name` or +// a qualified identifier `google.api.name`. References may either refer to a +// value or a function declaration. // // For example, the expression `google.api.name.startsWith('expr')` references -// the declaration `google.api.name` within a [Expr.Select][google.api.expr.v1alpha1.Expr.Select] expression, and -// the function declaration `startsWith`. +// the declaration `google.api.name` within a +// [Expr.Select][google.api.expr.v1alpha1.Expr.Select] expression, and the +// function declaration `startsWith`. message Expr { // An identifier expression. e.g. `request`. message Ident { // Required. Holds a single, unqualified identifier, possibly preceded by a // '.'. // - // Qualified names are represented by the [Expr.Select][google.api.expr.v1alpha1.Expr.Select] expression. + // Qualified names are represented by the + // [Expr.Select][google.api.expr.v1alpha1.Expr.Select] expression. string name = 1; } @@ -181,11 +184,49 @@ message Expr { // messages `has(m.x)` is defined as 'defined, but not set`. For proto3, the // macro tests whether the property is set to its default. For map and struct // types, the macro tests whether the property `x` is defined on `m`. + // + // Comprehensions for the standard environment macros evaluation can be best + // visualized as the following pseudocode: + // + // ``` + // let `accu_var` = `accu_init` + // for (let `iter_var` in `iter_range`) { + // if (!`loop_condition`) { + // break + // } + // `accu_var` = `loop_step` + // } + // return `result` + // ``` + // + // Comprehensions for the optional V2 macros which support map-to-map + // translation differ slightly from the standard environment macros in that + // they expose both the key or index in addition to the value for each list + // or map entry: + // + // ``` + // let `accu_var` = `accu_init` + // for (let `iter_var`, `iter_var2` in `iter_range`) { + // if (!`loop_condition`) { + // break + // } + // `accu_var` = `loop_step` + // } + // return `result` + // ``` message Comprehension { - // The name of the iteration variable. + // The name of the first iteration variable. + // When the iter_range is a list, this variable is the list element. + // When the iter_range is a map, this variable is the map entry key. string iter_var = 1; - // The range over which var iterates. + // The name of the second iteration variable, empty if not set. + // When the iter_range is a list, this variable is the integer index. + // When the iter_range is a map, this variable is the map entry value. + // This field is only set for comprehension v2 macros. + string iter_var2 = 8; + + // The range over which the comprehension iterates. Expr iter_range = 2; // The name of the variable used for accumulation of the result. @@ -194,13 +235,13 @@ message Expr { // The initial value of the accumulator. Expr accu_init = 4; - // An expression which can contain iter_var and accu_var. + // An expression which can contain iter_var, iter_var2, and accu_var. // // Returns false when the result has been computed and may be used as // a hint to short-circuit the remainder of the comprehension. Expr loop_condition = 5; - // An expression which can contain iter_var and accu_var. + // An expression which can contain iter_var, iter_var2, and accu_var. // // Computes the next value of accu_var. Expr loop_step = 6; @@ -250,7 +291,8 @@ message Expr { // primitives. // // Lists and structs are not included as constants as these aggregate types may -// contain [Expr][google.api.expr.v1alpha1.Expr] elements which require evaluation and are thus not constant. +// contain [Expr][google.api.expr.v1alpha1.Expr] elements which require +// evaluation and are thus not constant. // // Examples of literals include: `"hello"`, `b'bytes'`, `1u`, `4.2`, `-2`, // `true`, `null`. @@ -292,6 +334,50 @@ message Constant { // Source information collected at parse time. message SourceInfo { + // An extension that was requested for the source expression. + message Extension { + // Version + message Version { + // Major version changes indicate different required support level from + // the required components. + int64 major = 1; + + // Minor version changes must not change the observed behavior from + // existing implementations, but may be provided informationally. + int64 minor = 2; + } + + // CEL component specifier. + enum Component { + // Unspecified, default. + COMPONENT_UNSPECIFIED = 0; + + // Parser. Converts a CEL string to an AST. + COMPONENT_PARSER = 1; + + // Type checker. Checks that references in an AST are defined and types + // agree. + COMPONENT_TYPE_CHECKER = 2; + + // Runtime. Evaluates a parsed and optionally checked CEL AST against a + // context. + COMPONENT_RUNTIME = 3; + } + + // Identifier for the extension. Example: constant_folding + string id = 1; + + // If set, the listed components must understand the extension for the + // expression to evaluate correctly. + // + // This field has set semantics, repeated values should be deduplicated. + repeated Component affected_components = 2; + + // Version info. May be skipped if it isn't meaningful for the extension. + // (for example constant_folding might always be v0.0). + Version version = 3; + } + // The syntax version of the source, e.g. `cel1`. string syntax_version = 1; @@ -323,6 +409,15 @@ message SourceInfo { // in the map corresponds to the expression id of the expanded macro, and the // value is the call `Expr` that was replaced. map macro_calls = 5; + + // A list of tags for extensions that were used while parsing or type checking + // the source expression. For example, optimizations that require special + // runtime support may be specified. + // + // These are used to check feature support between components in separate + // implementations. This can be used to either skip redundant work or + // report an error if the extension is unsupported. + repeated Extension extensions = 6; } // A specific position in source. diff --git a/api/src/main/proto/google/api/http.proto b/api/src/main/proto/google/api/http.proto index 113fa936a..e3270371d 100644 --- a/api/src/main/proto/google/api/http.proto +++ b/api/src/main/proto/google/api/http.proto @@ -1,4 +1,4 @@ -// Copyright 2015 Google LLC +// Copyright 2024 Google LLC // // Licensed under the Apache License, Version 2.0 (the "License"); // you may not use this file except in compliance with the License. @@ -41,7 +41,7 @@ message Http { bool fully_decode_reserved_expansion = 2; } -// # gRPC Transcoding +// gRPC Transcoding // // gRPC Transcoding is a feature for mapping between a gRPC method and one or // more HTTP REST endpoints. It allows developers to build a single API service @@ -82,9 +82,8 @@ message Http { // // This enables an HTTP REST to gRPC mapping as below: // -// HTTP | gRPC -// -----|----- -// `GET /v1/messages/123456` | `GetMessage(name: "messages/123456")` +// - HTTP: `GET /v1/messages/123456` +// - gRPC: `GetMessage(name: "messages/123456")` // // Any fields in the request message which are not bound by the path template // automatically become HTTP query parameters if there is no HTTP request body. @@ -108,11 +107,9 @@ message Http { // // This enables a HTTP JSON to RPC mapping as below: // -// HTTP | gRPC -// -----|----- -// `GET /v1/messages/123456?revision=2&sub.subfield=foo` | -// `GetMessage(message_id: "123456" revision: 2 sub: SubMessage(subfield: -// "foo"))` +// - HTTP: `GET /v1/messages/123456?revision=2&sub.subfield=foo` +// - gRPC: `GetMessage(message_id: "123456" revision: 2 sub: +// SubMessage(subfield: "foo"))` // // Note that fields which are mapped to URL query parameters must have a // primitive type or a repeated primitive type or a non-repeated message type. @@ -142,10 +139,8 @@ message Http { // representation of the JSON in the request body is determined by // protos JSON encoding: // -// HTTP | gRPC -// -----|----- -// `PATCH /v1/messages/123456 { "text": "Hi!" }` | `UpdateMessage(message_id: -// "123456" message { text: "Hi!" })` +// - HTTP: `PATCH /v1/messages/123456 { "text": "Hi!" }` +// - gRPC: `UpdateMessage(message_id: "123456" message { text: "Hi!" })` // // The special name `*` can be used in the body mapping to define that // every field not bound by the path template should be mapped to the @@ -168,10 +163,8 @@ message Http { // // The following HTTP JSON to RPC mapping is enabled: // -// HTTP | gRPC -// -----|----- -// `PATCH /v1/messages/123456 { "text": "Hi!" }` | `UpdateMessage(message_id: -// "123456" text: "Hi!")` +// - HTTP: `PATCH /v1/messages/123456 { "text": "Hi!" }` +// - gRPC: `UpdateMessage(message_id: "123456" text: "Hi!")` // // Note that when using `*` in the body mapping, it is not possible to // have HTTP parameters, as all fields not bound by the path end in @@ -199,29 +192,32 @@ message Http { // // This enables the following two alternative HTTP JSON to RPC mappings: // -// HTTP | gRPC -// -----|----- -// `GET /v1/messages/123456` | `GetMessage(message_id: "123456")` -// `GET /v1/users/me/messages/123456` | `GetMessage(user_id: "me" message_id: -// "123456")` +// - HTTP: `GET /v1/messages/123456` +// - gRPC: `GetMessage(message_id: "123456")` // -// ## Rules for HTTP mapping +// - HTTP: `GET /v1/users/me/messages/123456` +// - gRPC: `GetMessage(user_id: "me" message_id: "123456")` +// +// Rules for HTTP mapping // // 1. Leaf request fields (recursive expansion nested messages in the request // message) are classified into three categories: // - Fields referred by the path template. They are passed via the URL path. -// - Fields referred by the [HttpRule.body][google.api.HttpRule.body]. They are passed via the HTTP +// - Fields referred by the [HttpRule.body][google.api.HttpRule.body]. They +// are passed via the HTTP // request body. // - All other fields are passed via the URL query parameters, and the // parameter name is the field path in the request message. A repeated // field can be represented as multiple query parameters under the same // name. -// 2. If [HttpRule.body][google.api.HttpRule.body] is "*", there is no URL query parameter, all fields +// 2. If [HttpRule.body][google.api.HttpRule.body] is "*", there is no URL +// query parameter, all fields // are passed via URL path and HTTP request body. -// 3. If [HttpRule.body][google.api.HttpRule.body] is omitted, there is no HTTP request body, all +// 3. If [HttpRule.body][google.api.HttpRule.body] is omitted, there is no HTTP +// request body, all // fields are passed via URL path and URL query parameters. // -// ### Path template syntax +// Path template syntax // // Template = "/" Segments [ Verb ] ; // Segments = Segment { "/" Segment } ; @@ -260,7 +256,7 @@ message Http { // Document](https://developers.google.com/discovery/v1/reference/apis) as // `{+var}`. // -// ## Using gRPC API Service Configuration +// Using gRPC API Service Configuration // // gRPC API Service Configuration (service config) is a configuration language // for configuring a gRPC service to become a user-facing product. The @@ -275,15 +271,14 @@ message Http { // specified in the service config will override any matching transcoding // configuration in the proto. // -// Example: +// The following example selects a gRPC method and applies an `HttpRule` to it: // // http: // rules: -// # Selects a gRPC method and applies HttpRule to it. // - selector: example.v1.Messaging.GetMessage // get: /v1/messages/{message_id}/{sub.subfield} // -// ## Special notes +// Special notes // // When gRPC Transcoding is used to map a gRPC to JSON REST endpoints, the // proto to JSON conversion must follow the [proto3 @@ -313,7 +308,8 @@ message Http { message HttpRule { // Selects a method to which this rule applies. // - // Refer to [selector][google.api.DocumentationRule.selector] for syntax details. + // Refer to [selector][google.api.DocumentationRule.selector] for syntax + // details. string selector = 1; // Determines the URL pattern is matched by this rules. This pattern can be diff --git a/api/src/main/proto/google/rpc/status.proto b/api/src/main/proto/google/rpc/status.proto index 923e16938..90b70ddf9 100644 --- a/api/src/main/proto/google/rpc/status.proto +++ b/api/src/main/proto/google/rpc/status.proto @@ -1,4 +1,4 @@ -// Copyright 2022 Google LLC +// Copyright 2024 Google LLC // // Licensed under the Apache License, Version 2.0 (the "License"); // you may not use this file except in compliance with the License. diff --git a/api/src/main/proto/opentelemetry/proto/profiles/v1experimental/pprofextended.proto b/api/src/main/proto/opentelemetry/proto/profiles/v1experimental/pprofextended.proto index bd3008355..b5b5b88fc 100644 --- a/api/src/main/proto/opentelemetry/proto/profiles/v1experimental/pprofextended.proto +++ b/api/src/main/proto/opentelemetry/proto/profiles/v1experimental/pprofextended.proto @@ -59,6 +59,8 @@ package opentelemetry.proto.profiles.v1experimental; import "opentelemetry/proto/common/v1/common.proto"; option csharp_namespace = "OpenTelemetry.Proto.Profiles.V1Experimental"; +option java_multiple_files = true; +option java_package = "io.opentelemetry.proto.profiles.v1experimental"; option go_package = "go.opentelemetry.io/proto/otlp/profiles/v1experimental"; // Represents a complete profile, including sample types, samples, @@ -203,7 +205,7 @@ enum AggregationTemporality { 11. A request is received, the system measures 1 request. 12. The 1 second collection cycle ends. A metric is exported for the number of requests received over the interval of time t_1 to - t_0+1 with a value of 1. + t_1+1 with a value of 1. Note: Even though, when reporting changes since last report time, using CUMULATIVE is valid, it is not recommended. */ diff --git a/api/src/main/proto/opentelemetry/proto/profiles/v1experimental/profiles.proto b/api/src/main/proto/opentelemetry/proto/profiles/v1experimental/profiles.proto index bbc2b2931..84b0108f8 100644 --- a/api/src/main/proto/opentelemetry/proto/profiles/v1experimental/profiles.proto +++ b/api/src/main/proto/opentelemetry/proto/profiles/v1experimental/profiles.proto @@ -55,7 +55,7 @@ option go_package = "go.opentelemetry.io/proto/otlp/profiles/v1experimental"; // ┌──────────────────┐ // │ Profile │ // └──────────────────┘ -// │ 1-n +// │ n-1 // │ 1-n ┌───────────────────────────────────────┐ // ▼ │ ▽ // ┌──────────────────┐ 1-n ┌──────────────┐ ┌──────────┐ diff --git a/api/src/main/proto/xds/data/orca/v3/orca_load_report.proto b/api/src/main/proto/xds/data/orca/v3/orca_load_report.proto index 53da75f78..1b0847585 100644 --- a/api/src/main/proto/xds/data/orca/v3/orca_load_report.proto +++ b/api/src/main/proto/xds/data/orca/v3/orca_load_report.proto @@ -10,7 +10,7 @@ option go_package = "github.com/cncf/xds/go/xds/data/orca/v3"; import "validate/validate.proto"; // See section `ORCA load report format` of the design document in -// :ref:`https://github.com/envoyproxy/envoy/issues/6614`. +// https://github.com/envoyproxy/envoy/issues/6614. message OrcaLoadReport { // CPU utilization expressed as a fraction of available CPU resources. This diff --git a/api/src/main/proto/xds/type/matcher/v3/cel.proto b/api/src/main/proto/xds/type/matcher/v3/cel.proto index b1ad1faa2..a9a4e01ab 100644 --- a/api/src/main/proto/xds/type/matcher/v3/cel.proto +++ b/api/src/main/proto/xds/type/matcher/v3/cel.proto @@ -2,9 +2,7 @@ syntax = "proto3"; package xds.type.matcher.v3; -import "xds/annotations/v3/status.proto"; import "xds/type/v3/cel.proto"; - import "validate/validate.proto"; option java_package = "com.github.xds.type.matcher.v3"; @@ -12,8 +10,6 @@ option java_outer_classname = "CelProto"; option java_multiple_files = true; option go_package = "github.com/cncf/xds/go/xds/type/matcher/v3"; -option (xds.annotations.v3.file_status).work_in_progress = true; - // [#protodoc-title: Common Expression Language (CEL) matchers] // Performs a match by evaluating a `Common Expression Language @@ -30,8 +26,7 @@ option (xds.annotations.v3.file_status).work_in_progress = true; // Refer to :ref:`Unified Matcher API ` documentation // for usage details. // -// [#comment:TODO(sergiitk): Link HttpAttributesMatchInput + usage example.] -// [#comment:TODO(sergiitk): When implemented, add the extension tag.] +// [#comment: envoy.matching.matchers.cel_matcher] message CelMatcher { // Either parsed or checked representation of the CEL program. type.v3.CelExpression expr_match = 1 [(validate.rules).message = {required: true}]; diff --git a/api/src/main/proto/xds/type/matcher/v3/http_inputs.proto b/api/src/main/proto/xds/type/matcher/v3/http_inputs.proto index 0dd80cd6f..5709d6450 100644 --- a/api/src/main/proto/xds/type/matcher/v3/http_inputs.proto +++ b/api/src/main/proto/xds/type/matcher/v3/http_inputs.proto @@ -2,15 +2,11 @@ syntax = "proto3"; package xds.type.matcher.v3; -import "xds/annotations/v3/status.proto"; - option java_package = "com.github.xds.type.matcher.v3"; option java_outer_classname = "HttpInputsProto"; option java_multiple_files = true; option go_package = "github.com/cncf/xds/go/xds/type/matcher/v3"; -option (xds.annotations.v3.file_status).work_in_progress = true; - // [#protodoc-title: Common HTTP Inputs] // Specifies that matching should be performed on the set of :ref:`HTTP attributes @@ -22,6 +18,6 @@ option (xds.annotations.v3.file_status).work_in_progress = true; // Refer to :ref:`Unified Matcher API ` documentation // for usage details. // -// [#comment:TODO(sergiitk): When implemented, add the extension tag.] +// [#comment: envoy.matching.inputs.cel_data_input] message HttpAttributesCelMatchInput { } diff --git a/api/src/main/proto/xds/type/matcher/v3/matcher.proto b/api/src/main/proto/xds/type/matcher/v3/matcher.proto index 4966b456b..da7c1f91d 100644 --- a/api/src/main/proto/xds/type/matcher/v3/matcher.proto +++ b/api/src/main/proto/xds/type/matcher/v3/matcher.proto @@ -2,7 +2,6 @@ syntax = "proto3"; package xds.type.matcher.v3; -import "xds/annotations/v3/status.proto"; import "xds/core/v3/extension.proto"; import "xds/type/matcher/v3/string.proto"; @@ -21,8 +20,6 @@ option go_package = "github.com/cncf/xds/go/xds/type/matcher/v3"; // As an on_no_match might result in another matching tree being evaluated, this process // might repeat several times until the final OnMatch (or no match) is decided. message Matcher { - option (xds.annotations.v3.message_status).work_in_progress = true; - // What to do if a match is successful. message OnMatch { oneof on_match { diff --git a/server/src/test/java/io/envoyproxy/controlplane/server/EnvoyContainer.java b/server/src/test/java/io/envoyproxy/controlplane/server/EnvoyContainer.java index 2e74c4d47..0e23a4763 100644 --- a/server/src/test/java/io/envoyproxy/controlplane/server/EnvoyContainer.java +++ b/server/src/test/java/io/envoyproxy/controlplane/server/EnvoyContainer.java @@ -24,7 +24,7 @@ class EnvoyContainer extends GenericContainer { EnvoyContainer(String config, Supplier controlPlanePortSupplier) { // this version is changed automatically by /tools/update-sha.sh:57 // if you change it make sure to reflect changes there - super("envoyproxy/envoy:v1.31.0"); + super("envoyproxy/envoy:v1.32.2"); this.config = config; this.controlPlanePortSupplier = controlPlanePortSupplier; } diff --git a/tools/API_SHAS b/tools/API_SHAS index faea668e8..3a4147eca 100644 --- a/tools/API_SHAS +++ b/tools/API_SHAS @@ -1,13 +1,13 @@ # Update the versions here and run update-api.sh # envoy (source: SHA from https://github.com/envoyproxy/envoy) -ENVOY_SHA="7b8baff1758f0a584dcc3cb657b5032000bcb3d7" +ENVOY_SHA="a0504e87c5a246cb097b37049b1e4dc7706c2a90" -# dependencies (source: https://github.com/envoyproxy/envoy/blob/7b8baff1758f0a584dcc3cb657b5032000bcb3d7/api/bazel/repository_locations.bzl) -GOOGLEAPIS_SHA="114a745b2841a044e98cdbb19358ed29fcf4a5f1" # 2023-01-10 +# dependencies (source: https://github.com/envoyproxy/envoy/blob/a0504e87c5a246cb097b37049b1e4dc7706c2a90/api/bazel/repository_locations.bzl) +GOOGLEAPIS_SHA="fd52b5754b2b268bc3a22a10f29844f206abb327" # 2024-09-16 PGV_VERSION="1.0.4" # 2024-01-17 PROMETHEUS_SHA="0.6.1" # 2024-04-03 OPENCENSUS_VERSION="0.4.1" # 2022-09-23 -OPENTELEMETRY_VERSION="1.3.1" # 2024-05-07 -CEL_VERSION="0.15.0" # 2024-03-27 -XDS_SHA="555b57ec207be86f811fb0c04752db6f85e3d7e2" # 2024-04-23 +OPENTELEMETRY_VERSION="1.3.2" # 2024-06-28 +CEL_VERSION="0.16.2" # 2024-09-18 +XDS_SHA="b4127c9b8d78b77423fd25169f05b7476b6ea932" # 2024-09-05 diff --git a/tools/envoy_release b/tools/envoy_release index d3aa76971..fcc75c453 100644 --- a/tools/envoy_release +++ b/tools/envoy_release @@ -1 +1 @@ -v1.31.0 +v1.32.2