From 827d1ab3471495753426124d6f12083db2102913 Mon Sep 17 00:00:00 2001 From: musi Date: Sat, 3 Dec 2022 18:11:07 +0800 Subject: [PATCH 1/5] feat: add xds proto --- src/main/java/io/opensergo/ConfigKind.java | 6 +- .../OpenSergoConfigKindRegistry.java | 2 + src/main/proto/envoy/annotations/BUILD | 5 + .../proto/envoy/annotations/deprecation.proto | 34 + .../proto/envoy/annotations/resource.proto | 19 + src/main/proto/envoy/config/core/v3/BUILD | 0 .../proto/envoy/config/core/v3/address.proto | 198 ++ .../proto/envoy/config/core/v3/backoff.proto | 37 + .../proto/envoy/config/core/v3/base.proto | 510 ++++ .../envoy/config/core/v3/config_source.proto | 283 ++ .../config/core/v3/event_service_config.proto | 29 + .../envoy/config/core/v3/extension.proto | 32 + .../config/core/v3/grpc_method_list.proto | 33 + .../envoy/config/core/v3/grpc_service.proto | 297 +++ .../envoy/config/core/v3/health_check.proto | 417 +++ .../proto/envoy/config/core/v3/http_uri.proto | 57 + .../proto/envoy/config/core/v3/protocol.proto | 601 +++++ .../envoy/config/core/v3/proxy_protocol.proto | 26 + .../proto/envoy/config/core/v3/resolver.proto | 36 + .../envoy/config/core/v3/socket_option.proto | 81 + .../core/v3/substitution_format_string.proto | 116 + .../config/core/v3/udp_socket_config.proto | 32 + .../proto/envoy/config/route/v3/route.proto | 165 ++ .../config/route/v3/route_components.proto | 2336 +++++++++++++++++ .../envoy/config/route/v3/scoped_route.proto | 133 + src/main/proto/envoy/type/matcher/BUILD | 13 + .../proto/envoy/type/matcher/metadata.proto | 99 + src/main/proto/envoy/type/matcher/node.proto | 26 + .../proto/envoy/type/matcher/number.proto | 30 + src/main/proto/envoy/type/matcher/path.proto | 28 + src/main/proto/envoy/type/matcher/regex.proto | 79 + .../proto/envoy/type/matcher/string.proto | 80 + .../proto/envoy/type/matcher/struct.proto | 85 + src/main/proto/envoy/type/matcher/v3/BUILD | 13 + .../envoy/type/matcher/v3/filter_state.proto | 29 + .../envoy/type/matcher/v3/http_inputs.proto | 62 + .../envoy/type/matcher/v3/metadata.proto | 108 + .../proto/envoy/type/matcher/v3/node.proto | 29 + .../proto/envoy/type/matcher/v3/number.proto | 33 + .../proto/envoy/type/matcher/v3/path.proto | 31 + .../proto/envoy/type/matcher/v3/regex.proto | 100 + .../proto/envoy/type/matcher/v3/string.proto | 78 + .../proto/envoy/type/matcher/v3/struct.proto | 91 + .../proto/envoy/type/matcher/v3/value.proto | 72 + src/main/proto/envoy/type/matcher/value.proto | 65 + src/main/proto/envoy/type/metadata/v2/BUILD | 9 + .../envoy/type/metadata/v2/metadata.proto | 100 + src/main/proto/envoy/type/metadata/v3/BUILD | 9 + .../envoy/type/metadata/v3/metadata.proto | 115 + src/main/proto/envoy/type/range.proto | 43 + src/main/proto/envoy/type/tracing/v2/BUILD | 12 + .../envoy/type/tracing/v2/custom_tag.proto | 87 + src/main/proto/envoy/type/tracing/v3/BUILD | 12 + .../envoy/type/tracing/v3/custom_tag.proto | 102 + src/main/proto/envoy/type/v3/http.proto | 20 + src/main/proto/envoy/type/v3/percent.proto | 57 + src/main/proto/envoy/type/v3/range.proto | 50 + .../envoy/type/v3/semantic_version.proto | 27 + src/main/proto/udpa/annotations/BUILD | 5 + src/main/proto/udpa/annotations/migrate.proto | 55 + .../proto/udpa/annotations/security.proto | 34 + .../proto/udpa/annotations/sensitive.proto | 20 + src/main/proto/udpa/annotations/status.proto | 40 + .../proto/udpa/annotations/versioning.proto | 23 + .../proto/xds/annotations/v3/status.proto | 59 + src/main/proto/xds/core/v3/authority.proto | 22 + .../proto/xds/core/v3/context_params.proto | 23 + src/main/proto/xds/core/v3/extension.proto | 26 + .../proto/xds/type/matcher/v3/matcher.proto | 139 + .../proto/xds/type/matcher/v3/regex.proto | 46 + .../proto/xds/type/matcher/v3/string.proto | 66 + 71 files changed, 7835 insertions(+), 2 deletions(-) create mode 100644 src/main/proto/envoy/annotations/BUILD create mode 100644 src/main/proto/envoy/annotations/deprecation.proto create mode 100644 src/main/proto/envoy/annotations/resource.proto create mode 100644 src/main/proto/envoy/config/core/v3/BUILD create mode 100644 src/main/proto/envoy/config/core/v3/address.proto create mode 100644 src/main/proto/envoy/config/core/v3/backoff.proto create mode 100644 src/main/proto/envoy/config/core/v3/base.proto create mode 100644 src/main/proto/envoy/config/core/v3/config_source.proto create mode 100644 src/main/proto/envoy/config/core/v3/event_service_config.proto create mode 100644 src/main/proto/envoy/config/core/v3/extension.proto create mode 100644 src/main/proto/envoy/config/core/v3/grpc_method_list.proto create mode 100644 src/main/proto/envoy/config/core/v3/grpc_service.proto create mode 100644 src/main/proto/envoy/config/core/v3/health_check.proto create mode 100644 src/main/proto/envoy/config/core/v3/http_uri.proto create mode 100644 src/main/proto/envoy/config/core/v3/protocol.proto create mode 100644 src/main/proto/envoy/config/core/v3/proxy_protocol.proto create mode 100644 src/main/proto/envoy/config/core/v3/resolver.proto create mode 100644 src/main/proto/envoy/config/core/v3/socket_option.proto create mode 100644 src/main/proto/envoy/config/core/v3/substitution_format_string.proto create mode 100644 src/main/proto/envoy/config/core/v3/udp_socket_config.proto create mode 100644 src/main/proto/envoy/config/route/v3/route.proto create mode 100644 src/main/proto/envoy/config/route/v3/route_components.proto create mode 100644 src/main/proto/envoy/config/route/v3/scoped_route.proto create mode 100644 src/main/proto/envoy/type/matcher/BUILD create mode 100644 src/main/proto/envoy/type/matcher/metadata.proto create mode 100644 src/main/proto/envoy/type/matcher/node.proto create mode 100644 src/main/proto/envoy/type/matcher/number.proto create mode 100644 src/main/proto/envoy/type/matcher/path.proto create mode 100644 src/main/proto/envoy/type/matcher/regex.proto create mode 100644 src/main/proto/envoy/type/matcher/string.proto create mode 100644 src/main/proto/envoy/type/matcher/struct.proto create mode 100644 src/main/proto/envoy/type/matcher/v3/BUILD create mode 100644 src/main/proto/envoy/type/matcher/v3/filter_state.proto create mode 100644 src/main/proto/envoy/type/matcher/v3/http_inputs.proto create mode 100644 src/main/proto/envoy/type/matcher/v3/metadata.proto create mode 100644 src/main/proto/envoy/type/matcher/v3/node.proto create mode 100644 src/main/proto/envoy/type/matcher/v3/number.proto create mode 100644 src/main/proto/envoy/type/matcher/v3/path.proto create mode 100644 src/main/proto/envoy/type/matcher/v3/regex.proto create mode 100644 src/main/proto/envoy/type/matcher/v3/string.proto create mode 100644 src/main/proto/envoy/type/matcher/v3/struct.proto create mode 100644 src/main/proto/envoy/type/matcher/v3/value.proto create mode 100644 src/main/proto/envoy/type/matcher/value.proto create mode 100644 src/main/proto/envoy/type/metadata/v2/BUILD create mode 100644 src/main/proto/envoy/type/metadata/v2/metadata.proto create mode 100644 src/main/proto/envoy/type/metadata/v3/BUILD create mode 100644 src/main/proto/envoy/type/metadata/v3/metadata.proto create mode 100644 src/main/proto/envoy/type/range.proto create mode 100644 src/main/proto/envoy/type/tracing/v2/BUILD create mode 100644 src/main/proto/envoy/type/tracing/v2/custom_tag.proto create mode 100644 src/main/proto/envoy/type/tracing/v3/BUILD create mode 100644 src/main/proto/envoy/type/tracing/v3/custom_tag.proto create mode 100644 src/main/proto/envoy/type/v3/http.proto create mode 100644 src/main/proto/envoy/type/v3/percent.proto create mode 100644 src/main/proto/envoy/type/v3/range.proto create mode 100644 src/main/proto/envoy/type/v3/semantic_version.proto create mode 100644 src/main/proto/udpa/annotations/BUILD create mode 100644 src/main/proto/udpa/annotations/migrate.proto create mode 100644 src/main/proto/udpa/annotations/security.proto create mode 100644 src/main/proto/udpa/annotations/sensitive.proto create mode 100644 src/main/proto/udpa/annotations/status.proto create mode 100644 src/main/proto/udpa/annotations/versioning.proto create mode 100644 src/main/proto/xds/annotations/v3/status.proto create mode 100644 src/main/proto/xds/core/v3/authority.proto create mode 100644 src/main/proto/xds/core/v3/context_params.proto create mode 100644 src/main/proto/xds/core/v3/extension.proto create mode 100644 src/main/proto/xds/type/matcher/v3/matcher.proto create mode 100644 src/main/proto/xds/type/matcher/v3/regex.proto create mode 100644 src/main/proto/xds/type/matcher/v3/string.proto diff --git a/src/main/java/io/opensergo/ConfigKind.java b/src/main/java/io/opensergo/ConfigKind.java index 72a8d01..24fd8c8 100644 --- a/src/main/java/io/opensergo/ConfigKind.java +++ b/src/main/java/io/opensergo/ConfigKind.java @@ -27,8 +27,10 @@ public enum ConfigKind { RATE_LIMIT_STRATEGY("fault-tolerance.opensergo.io/v1alpha1/RateLimitStrategy", "RateLimitStrategy"), THROTTLING_STRATEGY("fault-tolerance.opensergo.io/v1alpha1/ThrottlingStrategy", "ThrottlingStrategy"), CONCURRENCY_LIMIT_STRATEGY("fault-tolerance.opensergo.io/v1alpha1/ConcurrencyLimitStrategy", - "ConcurrencyLimitStrategy"), - CIRCUIT_BREAKER_STRATEGY("fault-tolerance.opensergo.io/v1alpha1/CircuitBreakerStrategy", "CircuitBreakerStrategy"); + "ConcurrencyLimitStrategy"), + CIRCUIT_BREAKER_STRATEGY("fault-tolerance.opensergo.io/v1alpha1/CircuitBreakerStrategy", "CircuitBreakerStrategy"), + + VIRTUAL_SERVICE_STRATEGY("networking.istio.io/v1beta1/VirtualService", "VirtualService"); private final String kindName; private final String simpleKindName; diff --git a/src/main/java/io/opensergo/OpenSergoConfigKindRegistry.java b/src/main/java/io/opensergo/OpenSergoConfigKindRegistry.java index d3bebdc..980f79d 100644 --- a/src/main/java/io/opensergo/OpenSergoConfigKindRegistry.java +++ b/src/main/java/io/opensergo/OpenSergoConfigKindRegistry.java @@ -18,6 +18,7 @@ import java.util.concurrent.ConcurrentHashMap; import java.util.concurrent.ConcurrentMap; +import io.envoyproxy.envoy.config.route.v3.RouteConfiguration; import io.opensergo.proto.fault_tolerance.v1.CircuitBreakerStrategy; import io.opensergo.proto.fault_tolerance.v1.ConcurrencyLimitStrategy; import io.opensergo.proto.fault_tolerance.v1.FaultToleranceRule; @@ -42,6 +43,7 @@ public final class OpenSergoConfigKindRegistry { registerConfigKind(ConfigKind.THROTTLING_STRATEGY, ThrottlingStrategy.class); registerConfigKind(ConfigKind.CONCURRENCY_LIMIT_STRATEGY, ConcurrencyLimitStrategy.class); registerConfigKind(ConfigKind.CIRCUIT_BREAKER_STRATEGY, CircuitBreakerStrategy.class); + registerConfigKind(ConfigKind.VIRTUAL_SERVICE_STRATEGY, RouteConfiguration.class); } public static ConfigKindMetadata getKindMetadata(ConfigKind kind) { diff --git a/src/main/proto/envoy/annotations/BUILD b/src/main/proto/envoy/annotations/BUILD new file mode 100644 index 0000000..5c06e2d --- /dev/null +++ b/src/main/proto/envoy/annotations/BUILD @@ -0,0 +1,5 @@ +load("@envoy_api//bazel:api_build_system.bzl", "api_proto_package") + +licenses(["notice"]) # Apache 2 + +api_proto_package() diff --git a/src/main/proto/envoy/annotations/deprecation.proto b/src/main/proto/envoy/annotations/deprecation.proto new file mode 100644 index 0000000..c9a96f1 --- /dev/null +++ b/src/main/proto/envoy/annotations/deprecation.proto @@ -0,0 +1,34 @@ +syntax = "proto3"; + +package envoy.annotations; +option go_package = "github.com/envoyproxy/go-control-plane/envoy/annotations"; + +import "google/protobuf/descriptor.proto"; + +// [#protodoc-title: Deprecation] +// Adds annotations for deprecated fields and enums to allow tagging proto +// fields as fatal by default and the minor version on which the field was +// deprecated. One Envoy release after deprecation, deprecated fields will be +// disallowed by default, a state which is reversible with +// :ref:`runtime overrides `. + +// Magic number in this file derived from top 28bit of SHA256 digest of +// "envoy.annotation.disallowed_by_default" and "envoy.annotation.deprecated_at_minor_version" +extend google.protobuf.FieldOptions { + bool disallowed_by_default = 189503207; + + // The API major and minor version on which the field was deprecated + // (e.g., "3.5" for major version 3 and minor version 5). + string deprecated_at_minor_version = 157299826; +} + +// Magic number in this file derived from top 28bit of SHA256 digest of +// "envoy.annotation.disallowed_by_default_enum" and +// "envoy.annotation.deprecated_at_minor_version_eum" +extend google.protobuf.EnumValueOptions { + bool disallowed_by_default_enum = 70100853; + + // The API major and minor version on which the enum value was deprecated + // (e.g., "3.5" for major version 3 and minor version 5). + string deprecated_at_minor_version_enum = 181198657; +} diff --git a/src/main/proto/envoy/annotations/resource.proto b/src/main/proto/envoy/annotations/resource.proto new file mode 100644 index 0000000..3877afc --- /dev/null +++ b/src/main/proto/envoy/annotations/resource.proto @@ -0,0 +1,19 @@ +syntax = "proto3"; + +package envoy.annotations; +option go_package = "github.com/envoyproxy/go-control-plane/envoy/annotations"; + +import "google/protobuf/descriptor.proto"; + +// [#protodoc-title: Resource] + +// Magic number in this file derived from top 28bit of SHA256 digest of "envoy.annotation.resource". +extend google.protobuf.ServiceOptions { + ResourceAnnotation resource = 265073217; +} + +message ResourceAnnotation { + // Annotation for xDS services that indicates the fully-qualified Protobuf type for the resource + // type. + string type = 1; +} diff --git a/src/main/proto/envoy/config/core/v3/BUILD b/src/main/proto/envoy/config/core/v3/BUILD new file mode 100644 index 0000000..e69de29 diff --git a/src/main/proto/envoy/config/core/v3/address.proto b/src/main/proto/envoy/config/core/v3/address.proto new file mode 100644 index 0000000..dcc7dc5 --- /dev/null +++ b/src/main/proto/envoy/config/core/v3/address.proto @@ -0,0 +1,198 @@ +syntax = "proto3"; + +package envoy.config.core.v3; + +import "envoy/config/core/v3/socket_option.proto"; + +import "google/protobuf/wrappers.proto"; + +import "envoy/annotations/deprecation.proto"; +import "udpa/annotations/status.proto"; +import "udpa/annotations/versioning.proto"; +import "validate/validate.proto"; + +option java_package = "io.envoyproxy.envoy.config.core.v3"; +option java_outer_classname = "AddressProto"; +option java_multiple_files = true; +option go_package = "github.com/envoyproxy/go-control-plane/envoy/config/core/v3;corev3"; +option (udpa.annotations.file_status).package_version_status = ACTIVE; + +// [#protodoc-title: Network addresses] + +message Pipe { + option (udpa.annotations.versioning).previous_message_type = "envoy.api.v2.core.Pipe"; + + // Unix Domain Socket path. On Linux, paths starting with '@' will use the + // abstract namespace. The starting '@' is replaced by a null byte by Envoy. + // Paths starting with '@' will result in an error in environments other than + // Linux. + string path = 1 [(validate.rules).string = {min_len: 1}]; + + // The mode for the Pipe. Not applicable for abstract sockets. + uint32 mode = 2 [(validate.rules).uint32 = {lte: 511}]; +} + +// The address represents an envoy internal listener. +// [#comment: TODO(asraa): When address available, remove workaround from test/server/server_fuzz_test.cc:30.] +message EnvoyInternalAddress { + oneof address_name_specifier { + option (validate.required) = true; + + // Specifies the :ref:`name ` of the + // internal listener. + string server_listener_name = 1; + } + + // Specifies an endpoint identifier to distinguish between multiple endpoints for the same internal listener in a + // single upstream pool. Only used in the upstream addresses for tracking changes to individual endpoints. This, for + // example, may be set to the final destination IP for the target internal listener. + string endpoint_id = 2; +} + +// [#next-free-field: 7] +message SocketAddress { + option (udpa.annotations.versioning).previous_message_type = "envoy.api.v2.core.SocketAddress"; + + enum Protocol { + TCP = 0; + UDP = 1; + } + + Protocol protocol = 1 [(validate.rules).enum = {defined_only: true}]; + + // The address for this socket. :ref:`Listeners ` will bind + // to the address. An empty address is not allowed. Specify ``0.0.0.0`` or ``::`` + // to bind to any address. [#comment:TODO(zuercher) reinstate when implemented: + // It is possible to distinguish a Listener address via the prefix/suffix matching + // in :ref:`FilterChainMatch `.] When used + // within an upstream :ref:`BindConfig `, the address + // controls the source address of outbound connections. For :ref:`clusters + // `, the cluster type determines whether the + // address must be an IP (``STATIC`` or ``EDS`` clusters) or a hostname resolved by DNS + // (``STRICT_DNS`` or ``LOGICAL_DNS`` clusters). Address resolution can be customized + // via :ref:`resolver_name `. + string address = 2 [(validate.rules).string = {min_len: 1}]; + + oneof port_specifier { + option (validate.required) = true; + + uint32 port_value = 3 [(validate.rules).uint32 = {lte: 65535}]; + + // This is only valid if :ref:`resolver_name + // ` is specified below and the + // named resolver is capable of named port resolution. + string named_port = 4; + } + + // The name of the custom resolver. This must have been registered with Envoy. If + // this is empty, a context dependent default applies. If the address is a concrete + // IP address, no resolution will occur. If address is a hostname this + // should be set for resolution other than DNS. Specifying a custom resolver with + // ``STRICT_DNS`` or ``LOGICAL_DNS`` will generate an error at runtime. + string resolver_name = 5; + + // When binding to an IPv6 address above, this enables `IPv4 compatibility + // `_. Binding to ``::`` will + // allow both IPv4 and IPv6 connections, with peer IPv4 addresses mapped into + // IPv6 space as ``::FFFF:``. + bool ipv4_compat = 6; +} + +message TcpKeepalive { + option (udpa.annotations.versioning).previous_message_type = "envoy.api.v2.core.TcpKeepalive"; + + // Maximum number of keepalive probes to send without response before deciding + // the connection is dead. Default is to use the OS level configuration (unless + // overridden, Linux defaults to 9.) + google.protobuf.UInt32Value keepalive_probes = 1; + + // The number of seconds a connection needs to be idle before keep-alive probes + // start being sent. Default is to use the OS level configuration (unless + // overridden, Linux defaults to 7200s (i.e., 2 hours.) + google.protobuf.UInt32Value keepalive_time = 2; + + // The number of seconds between keep-alive probes. Default is to use the OS + // level configuration (unless overridden, Linux defaults to 75s.) + google.protobuf.UInt32Value keepalive_interval = 3; +} + +message ExtraSourceAddress { + // The additional address to bind. + SocketAddress address = 1 [(validate.rules).message = {required: true}]; + + // Additional socket options that may not be present in Envoy source code or + // precompiled binaries. If specified, this will override the + // :ref:`socket_options ` + // in the BindConfig. If specified with no + // :ref:`socket_options ` + // or an empty list of :ref:`socket_options `, + // it means no socket option will apply. + SocketOptionsOverride socket_options = 2; +} + +// [#next-free-field: 6] +message BindConfig { + option (udpa.annotations.versioning).previous_message_type = "envoy.api.v2.core.BindConfig"; + + // The address to bind to when creating a socket. + SocketAddress source_address = 1 [(validate.rules).message = {required: true}]; + + // Whether to set the ``IP_FREEBIND`` option when creating the socket. When this + // flag is set to true, allows the :ref:`source_address + // ` to be an IP address + // that is not configured on the system running Envoy. When this flag is set + // to false, the option ``IP_FREEBIND`` is disabled on the socket. When this + // flag is not set (default), the socket is not modified, i.e. the option is + // neither enabled nor disabled. + google.protobuf.BoolValue freebind = 2; + + // Additional socket options that may not be present in Envoy source code or + // precompiled binaries. + repeated SocketOption socket_options = 3; + + // Extra source addresses appended to the address specified in the `source_address` + // field. This enables to specify multiple source addresses. Currently, only one extra + // address can be supported, and the extra address should have a different IP version + // with the address in the `source_address` field. The address which has the same IP + // version with the target host's address IP version will be used as bind address. If more + // than one extra address specified, only the first address matched IP version will be + // returned. If there is no same IP version address found, the address in the `source_address` + // will be returned. + repeated ExtraSourceAddress extra_source_addresses = 5; + + // Deprecated by + // :ref:`extra_source_addresses ` + repeated SocketAddress additional_source_addresses = 4 + [deprecated = true, (envoy.annotations.deprecated_at_minor_version) = "3.0"]; +} + +// Addresses specify either a logical or physical address and port, which are +// used to tell Envoy where to bind/listen, connect to upstream and find +// management servers. +message Address { + option (udpa.annotations.versioning).previous_message_type = "envoy.api.v2.core.Address"; + + oneof address { + option (validate.required) = true; + + SocketAddress socket_address = 1; + + Pipe pipe = 2; + + // Specifies a user-space address handled by :ref:`internal listeners + // `. + EnvoyInternalAddress envoy_internal_address = 3; + } +} + +// CidrRange specifies an IP Address and a prefix length to construct +// the subnet mask for a `CIDR `_ range. +message CidrRange { + option (udpa.annotations.versioning).previous_message_type = "envoy.api.v2.core.CidrRange"; + + // IPv4 or IPv6 address, e.g. ``192.0.0.0`` or ``2001:db8::``. + string address_prefix = 1 [(validate.rules).string = {min_len: 1}]; + + // Length of prefix, e.g. 0, 32. Defaults to 0 when unset. + google.protobuf.UInt32Value prefix_len = 2 [(validate.rules).uint32 = {lte: 128}]; +} diff --git a/src/main/proto/envoy/config/core/v3/backoff.proto b/src/main/proto/envoy/config/core/v3/backoff.proto new file mode 100644 index 0000000..435b361 --- /dev/null +++ b/src/main/proto/envoy/config/core/v3/backoff.proto @@ -0,0 +1,37 @@ +syntax = "proto3"; + +package envoy.config.core.v3; + +import "google/protobuf/duration.proto"; + +import "udpa/annotations/status.proto"; +import "udpa/annotations/versioning.proto"; +import "validate/validate.proto"; + +option java_package = "io.envoyproxy.envoy.config.core.v3"; +option java_outer_classname = "BackoffProto"; +option java_multiple_files = true; +option go_package = "github.com/envoyproxy/go-control-plane/envoy/config/core/v3;corev3"; +option (udpa.annotations.file_status).package_version_status = ACTIVE; + +// [#protodoc-title: Backoff strategy] + +// Configuration defining a jittered exponential back off strategy. +message BackoffStrategy { + option (udpa.annotations.versioning).previous_message_type = "envoy.api.v2.core.BackoffStrategy"; + + // The base interval to be used for the next back off computation. It should + // be greater than zero and less than or equal to :ref:`max_interval + // `. + google.protobuf.Duration base_interval = 1 [(validate.rules).duration = { + required: true + gte {nanos: 1000000} + }]; + + // Specifies the maximum interval between retries. This parameter is optional, + // but must be greater than or equal to the :ref:`base_interval + // ` if set. The default + // is 10 times the :ref:`base_interval + // `. + google.protobuf.Duration max_interval = 2 [(validate.rules).duration = {gt {}}]; +} diff --git a/src/main/proto/envoy/config/core/v3/base.proto b/src/main/proto/envoy/config/core/v3/base.proto new file mode 100644 index 0000000..383b3d9 --- /dev/null +++ b/src/main/proto/envoy/config/core/v3/base.proto @@ -0,0 +1,510 @@ +syntax = "proto3"; + +package envoy.config.core.v3; + +import "envoy/config/core/v3/address.proto"; +import "envoy/config/core/v3/backoff.proto"; +import "envoy/config/core/v3/http_uri.proto"; +import "envoy/type/v3/percent.proto"; +import "envoy/type/v3/semantic_version.proto"; + +import "google/protobuf/any.proto"; +import "google/protobuf/struct.proto"; +import "google/protobuf/wrappers.proto"; + +import "xds/core/v3/context_params.proto"; + +import "envoy/annotations/deprecation.proto"; +import "udpa/annotations/migrate.proto"; +import "udpa/annotations/status.proto"; +import "udpa/annotations/versioning.proto"; +import "validate/validate.proto"; + +option java_package = "io.envoyproxy.envoy.config.core.v3"; +option java_outer_classname = "BaseProto"; +option java_multiple_files = true; +option go_package = "github.com/envoyproxy/go-control-plane/envoy/config/core/v3;corev3"; +option (udpa.annotations.file_status).package_version_status = ACTIVE; + +// [#protodoc-title: Common types] + +// Envoy supports :ref:`upstream priority routing +// ` both at the route and the virtual +// cluster level. The current priority implementation uses different connection +// pool and circuit breaking settings for each priority level. This means that +// even for HTTP/2 requests, two physical connections will be used to an +// upstream host. In the future Envoy will likely support true HTTP/2 priority +// over a single upstream connection. +enum RoutingPriority { + DEFAULT = 0; + HIGH = 1; +} + +// HTTP request method. +enum RequestMethod { + METHOD_UNSPECIFIED = 0; + GET = 1; + HEAD = 2; + POST = 3; + PUT = 4; + DELETE = 5; + CONNECT = 6; + OPTIONS = 7; + TRACE = 8; + PATCH = 9; +} + +// Identifies the direction of the traffic relative to the local Envoy. +enum TrafficDirection { + // Default option is unspecified. + UNSPECIFIED = 0; + + // The transport is used for incoming traffic. + INBOUND = 1; + + // The transport is used for outgoing traffic. + OUTBOUND = 2; +} + +// Identifies location of where either Envoy runs or where upstream hosts run. +message Locality { + option (udpa.annotations.versioning).previous_message_type = "envoy.api.v2.core.Locality"; + + // Region this :ref:`zone ` belongs to. + string region = 1; + + // Defines the local service zone where Envoy is running. Though optional, it + // should be set if discovery service routing is used and the discovery + // service exposes :ref:`zone data `, + // either in this message or via :option:`--service-zone`. The meaning of zone + // is context dependent, e.g. `Availability Zone (AZ) + // `_ + // on AWS, `Zone `_ on + // GCP, etc. + string zone = 2; + + // When used for locality of upstream hosts, this field further splits zone + // into smaller chunks of sub-zones so they can be load balanced + // independently. + string sub_zone = 3; +} + +// BuildVersion combines SemVer version of extension with free-form build information +// (i.e. 'alpha', 'private-build') as a set of strings. +message BuildVersion { + option (udpa.annotations.versioning).previous_message_type = "envoy.api.v2.core.BuildVersion"; + + // SemVer version of extension. + type.v3.SemanticVersion version = 1; + + // Free-form build information. + // Envoy defines several well known keys in the source/common/version/version.h file + google.protobuf.Struct metadata = 2; +} + +// Version and identification for an Envoy extension. +// [#next-free-field: 7] +message Extension { + option (udpa.annotations.versioning).previous_message_type = "envoy.api.v2.core.Extension"; + + // This is the name of the Envoy filter as specified in the Envoy + // configuration, e.g. envoy.filters.http.router, com.acme.widget. + string name = 1; + + // Category of the extension. + // Extension category names use reverse DNS notation. For instance "envoy.filters.listener" + // for Envoy's built-in listener filters or "com.acme.filters.http" for HTTP filters from + // acme.com vendor. + // [#comment:TODO(yanavlasov): Link to the doc with existing envoy category names.] + string category = 2; + + // [#not-implemented-hide:] Type descriptor of extension configuration proto. + // [#comment:TODO(yanavlasov): Link to the doc with existing configuration protos.] + // [#comment:TODO(yanavlasov): Add tests when PR #9391 lands.] + string type_descriptor = 3 + [deprecated = true, (envoy.annotations.deprecated_at_minor_version) = "3.0"]; + + // The version is a property of the extension and maintained independently + // of other extensions and the Envoy API. + // This field is not set when extension did not provide version information. + BuildVersion version = 4; + + // Indicates that the extension is present but was disabled via dynamic configuration. + bool disabled = 5; + + // Type URLs of extension configuration protos. + repeated string type_urls = 6; +} + +// Identifies a specific Envoy instance. The node identifier is presented to the +// management server, which may use this identifier to distinguish per Envoy +// configuration for serving. +// [#next-free-field: 13] +message Node { + option (udpa.annotations.versioning).previous_message_type = "envoy.api.v2.core.Node"; + + reserved 5; + + reserved "build_version"; + + // An opaque node identifier for the Envoy node. This also provides the local + // service node name. It should be set if any of the following features are + // used: :ref:`statsd `, :ref:`CDS + // `, and :ref:`HTTP tracing + // `, either in this message or via + // :option:`--service-node`. + string id = 1; + + // Defines the local service cluster name where Envoy is running. Though + // optional, it should be set if any of the following features are used: + // :ref:`statsd `, :ref:`health check cluster + // verification + // `, + // :ref:`runtime override directory `, + // :ref:`user agent addition + // `, + // :ref:`HTTP global rate limiting `, + // :ref:`CDS `, and :ref:`HTTP tracing + // `, either in this message or via + // :option:`--service-cluster`. + string cluster = 2; + + // Opaque metadata extending the node identifier. Envoy will pass this + // directly to the management server. + google.protobuf.Struct metadata = 3; + + // Map from xDS resource type URL to dynamic context parameters. These may vary at runtime (unlike + // other fields in this message). For example, the xDS client may have a shard identifier that + // changes during the lifetime of the xDS client. In Envoy, this would be achieved by updating the + // dynamic context on the Server::Instance's LocalInfo context provider. The shard ID dynamic + // parameter then appears in this field during future discovery requests. + map dynamic_parameters = 12; + + // Locality specifying where the Envoy instance is running. + Locality locality = 4; + + // Free-form string that identifies the entity requesting config. + // E.g. "envoy" or "grpc" + string user_agent_name = 6; + + oneof user_agent_version_type { + // Free-form string that identifies the version of the entity requesting config. + // E.g. "1.12.2" or "abcd1234", or "SpecialEnvoyBuild" + string user_agent_version = 7; + + // Structured version of the entity requesting config. + BuildVersion user_agent_build_version = 8; + } + + // List of extensions and their versions supported by the node. + repeated Extension extensions = 9; + + // Client feature support list. These are well known features described + // in the Envoy API repository for a given major version of an API. Client features + // use reverse DNS naming scheme, for example ``com.acme.feature``. + // See :ref:`the list of features ` that xDS client may + // support. + repeated string client_features = 10; + + // Known listening ports on the node as a generic hint to the management server + // for filtering :ref:`listeners ` to be returned. For example, + // if there is a listener bound to port 80, the list can optionally contain the + // SocketAddress ``(0.0.0.0,80)``. The field is optional and just a hint. + repeated Address listening_addresses = 11 + [deprecated = true, (envoy.annotations.deprecated_at_minor_version) = "3.0"]; +} + +// Metadata provides additional inputs to filters based on matched listeners, +// filter chains, routes and endpoints. It is structured as a map, usually from +// filter name (in reverse DNS format) to metadata specific to the filter. Metadata +// key-values for a filter are merged as connection and request handling occurs, +// with later values for the same key overriding earlier values. +// +// An example use of metadata is providing additional values to +// http_connection_manager in the envoy.http_connection_manager.access_log +// namespace. +// +// Another example use of metadata is to per service config info in cluster metadata, which may get +// consumed by multiple filters. +// +// For load balancing, Metadata provides a means to subset cluster endpoints. +// Endpoints have a Metadata object associated and routes contain a Metadata +// object to match against. There are some well defined metadata used today for +// this purpose: +// +// * ``{"envoy.lb": {"canary": }}`` This indicates the canary status of an +// endpoint and is also used during header processing +// (x-envoy-upstream-canary) and for stats purposes. +// [#next-major-version: move to type/metadata/v2] +message Metadata { + option (udpa.annotations.versioning).previous_message_type = "envoy.api.v2.core.Metadata"; + + // Key is the reverse DNS filter name, e.g. com.acme.widget. The ``envoy.*`` + // namespace is reserved for Envoy's built-in filters. + // If both ``filter_metadata`` and + // :ref:`typed_filter_metadata ` + // fields are present in the metadata with same keys, + // only ``typed_filter_metadata`` field will be parsed. + map filter_metadata = 1; + + // Key is the reverse DNS filter name, e.g. com.acme.widget. The ``envoy.*`` + // namespace is reserved for Envoy's built-in filters. + // The value is encoded as google.protobuf.Any. + // If both :ref:`filter_metadata ` + // and ``typed_filter_metadata`` fields are present in the metadata with same keys, + // only ``typed_filter_metadata`` field will be parsed. + map typed_filter_metadata = 2; +} + +// Runtime derived uint32 with a default when not specified. +message RuntimeUInt32 { + option (udpa.annotations.versioning).previous_message_type = "envoy.api.v2.core.RuntimeUInt32"; + + // Default value if runtime value is not available. + uint32 default_value = 2; + + // Runtime key to get value for comparison. This value is used if defined. + string runtime_key = 3 [(validate.rules).string = {min_len: 1}]; +} + +// Runtime derived percentage with a default when not specified. +message RuntimePercent { + // Default value if runtime value is not available. + type.v3.Percent default_value = 1; + + // Runtime key to get value for comparison. This value is used if defined. + string runtime_key = 2 [(validate.rules).string = {min_len: 1}]; +} + +// Runtime derived double with a default when not specified. +message RuntimeDouble { + option (udpa.annotations.versioning).previous_message_type = "envoy.api.v2.core.RuntimeDouble"; + + // Default value if runtime value is not available. + double default_value = 1; + + // Runtime key to get value for comparison. This value is used if defined. + string runtime_key = 2 [(validate.rules).string = {min_len: 1}]; +} + +// Runtime derived bool with a default when not specified. +message RuntimeFeatureFlag { + option (udpa.annotations.versioning).previous_message_type = + "envoy.api.v2.core.RuntimeFeatureFlag"; + + // Default value if runtime value is not available. + google.protobuf.BoolValue default_value = 1 [(validate.rules).message = {required: true}]; + + // Runtime key to get value for comparison. This value is used if defined. The boolean value must + // be represented via its + // `canonical JSON encoding `_. + string runtime_key = 2 [(validate.rules).string = {min_len: 1}]; +} + +// Query parameter name/value pair. +message QueryParameter { + // The key of the query parameter. Case sensitive. + string key = 1 [(validate.rules).string = {min_len: 1}]; + + // The value of the query parameter. + string value = 2; +} + +// Header name/value pair. +message HeaderValue { + option (udpa.annotations.versioning).previous_message_type = "envoy.api.v2.core.HeaderValue"; + + // Header name. + string key = 1 + [(validate.rules).string = + {min_len: 1 max_bytes: 16384 well_known_regex: HTTP_HEADER_NAME strict: false}]; + + // Header value. + // + // The same :ref:`format specifier ` as used for + // :ref:`HTTP access logging ` applies here, however + // unknown header values are replaced with the empty string instead of ``-``. + string value = 2 [ + (validate.rules).string = {max_bytes: 16384 well_known_regex: HTTP_HEADER_VALUE strict: false} + ]; +} + +// Header name/value pair plus option to control append behavior. +message HeaderValueOption { + option (udpa.annotations.versioning).previous_message_type = + "envoy.api.v2.core.HeaderValueOption"; + + // Describes the supported actions types for header append action. + enum HeaderAppendAction { + // This action will append the specified value to the existing values if the header + // already exists. If the header doesn't exist then this will add the header with + // specified key and value. + APPEND_IF_EXISTS_OR_ADD = 0; + + // This action will add the header if it doesn't already exist. If the header + // already exists then this will be a no-op. + ADD_IF_ABSENT = 1; + + // This action will overwrite the specified value by discarding any existing values if + // the header already exists. If the header doesn't exist then this will add the header + // with specified key and value. + OVERWRITE_IF_EXISTS_OR_ADD = 2; + } + + // Header name/value pair that this option applies to. + HeaderValue header = 1 [(validate.rules).message = {required: true}]; + + // Should the value be appended? If true (default), the value is appended to + // existing values. Otherwise it replaces any existing values. + // This field is deprecated and please use + // :ref:`append_action ` as replacement. + // + // .. note:: + // The :ref:`external authorization service ` and + // :ref:`external processor service ` have + // default value (``false``) for this field. + google.protobuf.BoolValue append = 2 + [deprecated = true, (envoy.annotations.deprecated_at_minor_version) = "3.0"]; + + // Describes the action taken to append/overwrite the given value for an existing header + // or to only add this header if it's absent. + // Value defaults to :ref:`APPEND_IF_EXISTS_OR_ADD + // `. + HeaderAppendAction append_action = 3 [(validate.rules).enum = {defined_only: true}]; + + // Is the header value allowed to be empty? If false (default), custom headers with empty values are dropped, + // otherwise they are added. + bool keep_empty_value = 4; +} + +// Wrapper for a set of headers. +message HeaderMap { + option (udpa.annotations.versioning).previous_message_type = "envoy.api.v2.core.HeaderMap"; + + repeated HeaderValue headers = 1; +} + +// A directory that is watched for changes, e.g. by inotify on Linux. Move/rename +// events inside this directory trigger the watch. +message WatchedDirectory { + // Directory path to watch. + string path = 1 [(validate.rules).string = {min_len: 1}]; +} + +// Data source consisting of a file, an inline value, or an environment variable. +message DataSource { + option (udpa.annotations.versioning).previous_message_type = "envoy.api.v2.core.DataSource"; + + oneof specifier { + option (validate.required) = true; + + // Local filesystem data source. + string filename = 1 [(validate.rules).string = {min_len: 1}]; + + // Bytes inlined in the configuration. + bytes inline_bytes = 2; + + // String inlined in the configuration. + string inline_string = 3; + + // Environment variable data source. + string environment_variable = 4 [(validate.rules).string = {min_len: 1}]; + } +} + +// The message specifies the retry policy of remote data source when fetching fails. +message RetryPolicy { + option (udpa.annotations.versioning).previous_message_type = "envoy.api.v2.core.RetryPolicy"; + + // Specifies parameters that control :ref:`retry backoff strategy `. + // This parameter is optional, in which case the default base interval is 1000 milliseconds. The + // default maximum interval is 10 times the base interval. + BackoffStrategy retry_back_off = 1; + + // Specifies the allowed number of retries. This parameter is optional and + // defaults to 1. + google.protobuf.UInt32Value num_retries = 2 + [(udpa.annotations.field_migrate).rename = "max_retries"]; +} + +// The message specifies how to fetch data from remote and how to verify it. +message RemoteDataSource { + option (udpa.annotations.versioning).previous_message_type = "envoy.api.v2.core.RemoteDataSource"; + + // The HTTP URI to fetch the remote data. + HttpUri http_uri = 1 [(validate.rules).message = {required: true}]; + + // SHA256 string for verifying data. + string sha256 = 2 [(validate.rules).string = {min_len: 1}]; + + // Retry policy for fetching remote data. + RetryPolicy retry_policy = 3; +} + +// Async data source which support async data fetch. +message AsyncDataSource { + option (udpa.annotations.versioning).previous_message_type = "envoy.api.v2.core.AsyncDataSource"; + + oneof specifier { + option (validate.required) = true; + + // Local async data source. + DataSource local = 1; + + // Remote async data source. + RemoteDataSource remote = 2; + } +} + +// Configuration for transport socket in :ref:`listeners ` and +// :ref:`clusters `. If the configuration is +// empty, a default transport socket implementation and configuration will be +// chosen based on the platform and existence of tls_context. +message TransportSocket { + option (udpa.annotations.versioning).previous_message_type = "envoy.api.v2.core.TransportSocket"; + + reserved 2; + + reserved "config"; + + // The name of the transport socket to instantiate. The name must match a supported transport + // socket implementation. + string name = 1 [(validate.rules).string = {min_len: 1}]; + + // Implementation specific configuration which depends on the implementation being instantiated. + // See the supported transport socket implementations for further documentation. + oneof config_type { + google.protobuf.Any typed_config = 3; + } +} + +// Runtime derived FractionalPercent with defaults for when the numerator or denominator is not +// specified via a runtime key. +// +// .. note:: +// +// Parsing of the runtime key's data is implemented such that it may be represented as a +// :ref:`FractionalPercent ` proto represented as JSON/YAML +// and may also be represented as an integer with the assumption that the value is an integral +// percentage out of 100. For instance, a runtime key lookup returning the value "42" would parse +// as a ``FractionalPercent`` whose numerator is 42 and denominator is HUNDRED. +message RuntimeFractionalPercent { + option (udpa.annotations.versioning).previous_message_type = + "envoy.api.v2.core.RuntimeFractionalPercent"; + + // Default value if the runtime value's for the numerator/denominator keys are not available. + type.v3.FractionalPercent default_value = 1 [(validate.rules).message = {required: true}]; + + // Runtime key for a YAML representation of a FractionalPercent. + string runtime_key = 2; +} + +// Identifies a specific ControlPlane instance that Envoy is connected to. +message ControlPlane { + option (udpa.annotations.versioning).previous_message_type = "envoy.api.v2.core.ControlPlane"; + + // An opaque control plane identifier that uniquely identifies an instance + // of control plane. This can be used to identify which control plane instance, + // the Envoy is connected to. + string identifier = 1; +} diff --git a/src/main/proto/envoy/config/core/v3/config_source.proto b/src/main/proto/envoy/config/core/v3/config_source.proto new file mode 100644 index 0000000..c129301 --- /dev/null +++ b/src/main/proto/envoy/config/core/v3/config_source.proto @@ -0,0 +1,283 @@ +syntax = "proto3"; + +package envoy.config.core.v3; + +import "envoy/config/core/v3/base.proto"; +import "envoy/config/core/v3/extension.proto"; +import "envoy/config/core/v3/grpc_service.proto"; + +import "google/protobuf/any.proto"; +import "google/protobuf/duration.proto"; +import "google/protobuf/wrappers.proto"; + +import "xds/core/v3/authority.proto"; + +import "envoy/annotations/deprecation.proto"; +import "udpa/annotations/status.proto"; +import "udpa/annotations/versioning.proto"; +import "validate/validate.proto"; + +option java_package = "io.envoyproxy.envoy.config.core.v3"; +option java_outer_classname = "ConfigSourceProto"; +option java_multiple_files = true; +option go_package = "github.com/envoyproxy/go-control-plane/envoy/config/core/v3;corev3"; +option (udpa.annotations.file_status).package_version_status = ACTIVE; + +// [#protodoc-title: Configuration sources] + +// xDS API and non-xDS services version. This is used to describe both resource and transport +// protocol versions (in distinct configuration fields). +enum ApiVersion { + // When not specified, we assume v2, to ease migration to Envoy's stable API + // versioning. If a client does not support v2 (e.g. due to deprecation), this + // is an invalid value. + AUTO = 0 [deprecated = true, (envoy.annotations.deprecated_at_minor_version_enum) = "3.0"]; + + // Use xDS v2 API. + V2 = 1 [deprecated = true, (envoy.annotations.deprecated_at_minor_version_enum) = "3.0"]; + + // Use xDS v3 API. + V3 = 2; +} + +// API configuration source. This identifies the API type and cluster that Envoy +// will use to fetch an xDS API. +// [#next-free-field: 10] +message ApiConfigSource { + option (udpa.annotations.versioning).previous_message_type = "envoy.api.v2.core.ApiConfigSource"; + + // APIs may be fetched via either REST or gRPC. + enum ApiType { + // Ideally this would be 'reserved 0' but one can't reserve the default + // value. Instead we throw an exception if this is ever used. + DEPRECATED_AND_UNAVAILABLE_DO_NOT_USE = 0 + [deprecated = true, (envoy.annotations.disallowed_by_default_enum) = true]; + + // REST-JSON v2 API. The `canonical JSON encoding + // `_ for + // the v2 protos is used. + REST = 1; + + // SotW gRPC service. + GRPC = 2; + + // Using the delta xDS gRPC service, i.e. DeltaDiscovery{Request,Response} + // rather than Discovery{Request,Response}. Rather than sending Envoy the entire state + // with every update, the xDS server only sends what has changed since the last update. + DELTA_GRPC = 3; + + // SotW xDS gRPC with ADS. All resources which resolve to this configuration source will be + // multiplexed on a single connection to an ADS endpoint. + // [#not-implemented-hide:] + AGGREGATED_GRPC = 5; + + // Delta xDS gRPC with ADS. All resources which resolve to this configuration source will be + // multiplexed on a single connection to an ADS endpoint. + // [#not-implemented-hide:] + AGGREGATED_DELTA_GRPC = 6; + } + + // API type (gRPC, REST, delta gRPC) + ApiType api_type = 1 [(validate.rules).enum = {defined_only: true}]; + + // API version for xDS transport protocol. This describes the xDS gRPC/REST + // endpoint and version of [Delta]DiscoveryRequest/Response used on the wire. + ApiVersion transport_api_version = 8 [(validate.rules).enum = {defined_only: true}]; + + // Cluster names should be used only with REST. If > 1 + // cluster is defined, clusters will be cycled through if any kind of failure + // occurs. + // + // .. note:: + // + // The cluster with name ``cluster_name`` must be statically defined and its + // type must not be ``EDS``. + repeated string cluster_names = 2; + + // Multiple gRPC services be provided for GRPC. If > 1 cluster is defined, + // services will be cycled through if any kind of failure occurs. + repeated GrpcService grpc_services = 4; + + // For REST APIs, the delay between successive polls. + google.protobuf.Duration refresh_delay = 3; + + // For REST APIs, the request timeout. If not set, a default value of 1s will be used. + google.protobuf.Duration request_timeout = 5 [(validate.rules).duration = {gt {}}]; + + // For GRPC APIs, the rate limit settings. If present, discovery requests made by Envoy will be + // rate limited. + RateLimitSettings rate_limit_settings = 6; + + // Skip the node identifier in subsequent discovery requests for streaming gRPC config types. + bool set_node_on_first_message_only = 7; + + // A list of config validators that will be executed when a new update is + // received from the ApiConfigSource. Note that each validator handles a + // specific xDS service type, and only the validators corresponding to the + // type url (in ``:ref: DiscoveryResponse`` or ``:ref: DeltaDiscoveryResponse``) + // will be invoked. + // If the validator returns false or throws an exception, the config will be rejected by + // the client, and a NACK will be sent. + // [#extension-category: envoy.config.validators] + repeated TypedExtensionConfig config_validators = 9; +} + +// Aggregated Discovery Service (ADS) options. This is currently empty, but when +// set in :ref:`ConfigSource ` can be used to +// specify that ADS is to be used. +message AggregatedConfigSource { + option (udpa.annotations.versioning).previous_message_type = + "envoy.api.v2.core.AggregatedConfigSource"; +} + +// [#not-implemented-hide:] +// Self-referencing config source options. This is currently empty, but when +// set in :ref:`ConfigSource ` can be used to +// specify that other data can be obtained from the same server. +message SelfConfigSource { + option (udpa.annotations.versioning).previous_message_type = "envoy.api.v2.core.SelfConfigSource"; + + // API version for xDS transport protocol. This describes the xDS gRPC/REST + // endpoint and version of [Delta]DiscoveryRequest/Response used on the wire. + ApiVersion transport_api_version = 1 [(validate.rules).enum = {defined_only: true}]; +} + +// Rate Limit settings to be applied for discovery requests made by Envoy. +message RateLimitSettings { + option (udpa.annotations.versioning).previous_message_type = + "envoy.api.v2.core.RateLimitSettings"; + + // Maximum number of tokens to be used for rate limiting discovery request calls. If not set, a + // default value of 100 will be used. + google.protobuf.UInt32Value max_tokens = 1; + + // Rate at which tokens will be filled per second. If not set, a default fill rate of 10 tokens + // per second will be used. + google.protobuf.DoubleValue fill_rate = 2 [(validate.rules).double = {gt: 0.0}]; +} + +// Local filesystem path configuration source. +message PathConfigSource { + // Path on the filesystem to source and watch for configuration updates. + // When sourcing configuration for a :ref:`secret `, + // the certificate and key files are also watched for updates. + // + // .. note:: + // + // The path to the source must exist at config load time. + // + // .. note:: + // + // If ``watched_directory`` is *not* configured, Envoy will watch the file path for *moves*. + // This is because in general only moves are atomic. The same method of swapping files as is + // demonstrated in the :ref:`runtime documentation ` can be + // used here also. If ``watched_directory`` is configured, no watch will be placed directly on + // this path. Instead, the configured ``watched_directory`` will be used to trigger reloads of + // this path. This is required in certain deployment scenarios. See below for more information. + string path = 1 [(validate.rules).string = {min_len: 1}]; + + // If configured, this directory will be watched for *moves*. When an entry in this directory is + // moved to, the ``path`` will be reloaded. This is required in certain deployment scenarios. + // + // Specifically, if trying to load an xDS resource using a + // `Kubernetes ConfigMap `_, the + // following configuration might be used: + // 1. Store xds.yaml inside a ConfigMap. + // 2. Mount the ConfigMap to ``/config_map/xds`` + // 3. Configure path ``/config_map/xds/xds.yaml`` + // 4. Configure watched directory ``/config_map/xds`` + // + // The above configuration will ensure that Envoy watches the owning directory for moves which is + // required due to how Kubernetes manages ConfigMap symbolic links during atomic updates. + WatchedDirectory watched_directory = 2; +} + +// Configuration for :ref:`listeners `, :ref:`clusters +// `, :ref:`routes +// `, :ref:`endpoints +// ` etc. may either be sourced from the +// filesystem or from an xDS API source. Filesystem configs are watched with +// inotify for updates. +// [#next-free-field: 9] +message ConfigSource { + option (udpa.annotations.versioning).previous_message_type = "envoy.api.v2.core.ConfigSource"; + + // Authorities that this config source may be used for. An authority specified in a xdstp:// URL + // is resolved to a ``ConfigSource`` prior to configuration fetch. This field provides the + // association between authority name and configuration source. + // [#not-implemented-hide:] + repeated xds.core.v3.Authority authorities = 7; + + oneof config_source_specifier { + option (validate.required) = true; + + // Deprecated in favor of ``path_config_source``. Use that field instead. + string path = 1 [deprecated = true, (envoy.annotations.deprecated_at_minor_version) = "3.0"]; + + // Local filesystem path configuration source. + PathConfigSource path_config_source = 8; + + // API configuration source. + ApiConfigSource api_config_source = 2; + + // When set, ADS will be used to fetch resources. The ADS API configuration + // source in the bootstrap configuration is used. + AggregatedConfigSource ads = 3; + + // [#not-implemented-hide:] + // When set, the client will access the resources from the same server it got the + // ConfigSource from, although not necessarily from the same stream. This is similar to the + // :ref:`ads` field, except that the client may use a + // different stream to the same server. As a result, this field can be used for things + // like LRS that cannot be sent on an ADS stream. It can also be used to link from (e.g.) + // LDS to RDS on the same server without requiring the management server to know its name + // or required credentials. + // [#next-major-version: In xDS v3, consider replacing the ads field with this one, since + // this field can implicitly mean to use the same stream in the case where the ConfigSource + // is provided via ADS and the specified data can also be obtained via ADS.] + SelfConfigSource self = 5; + } + + // When this timeout is specified, Envoy will wait no longer than the specified time for first + // config response on this xDS subscription during the :ref:`initialization process + // `. After reaching the timeout, Envoy will move to the next + // initialization phase, even if the first config is not delivered yet. The timer is activated + // when the xDS API subscription starts, and is disarmed on first config update or on error. 0 + // means no timeout - Envoy will wait indefinitely for the first xDS config (unless another + // timeout applies). The default is 15s. + google.protobuf.Duration initial_fetch_timeout = 4; + + // API version for xDS resources. This implies the type URLs that the client + // will request for resources and the resource type that the client will in + // turn expect to be delivered. + ApiVersion resource_api_version = 6 [(validate.rules).enum = {defined_only: true}]; +} + +// Configuration source specifier for a late-bound extension configuration. The +// parent resource is warmed until all the initial extension configurations are +// received, unless the flag to apply the default configuration is set. +// Subsequent extension updates are atomic on a per-worker basis. Once an +// extension configuration is applied to a request or a connection, it remains +// constant for the duration of processing. If the initial delivery of the +// extension configuration fails, due to a timeout for example, the optional +// default configuration is applied. Without a default configuration, the +// extension is disabled, until an extension configuration is received. The +// behavior of a disabled extension depends on the context. For example, a +// filter chain with a disabled extension filter rejects all incoming streams. +message ExtensionConfigSource { + ConfigSource config_source = 1 [(validate.rules).any = {required: true}]; + + // Optional default configuration to use as the initial configuration if + // there is a failure to receive the initial extension configuration or if + // ``apply_default_config_without_warming`` flag is set. + google.protobuf.Any default_config = 2; + + // Use the default config as the initial configuration without warming and + // waiting for the first discovery response. Requires the default configuration + // to be supplied. + bool apply_default_config_without_warming = 3; + + // A set of permitted extension type URLs. Extension configuration updates are rejected + // if they do not match any type URL in the set. + repeated string type_urls = 4 [(validate.rules).repeated = {min_items: 1}]; +} diff --git a/src/main/proto/envoy/config/core/v3/event_service_config.proto b/src/main/proto/envoy/config/core/v3/event_service_config.proto new file mode 100644 index 0000000..68c8df4 --- /dev/null +++ b/src/main/proto/envoy/config/core/v3/event_service_config.proto @@ -0,0 +1,29 @@ +syntax = "proto3"; + +package envoy.config.core.v3; + +import "envoy/config/core/v3/grpc_service.proto"; + +import "udpa/annotations/status.proto"; +import "udpa/annotations/versioning.proto"; +import "validate/validate.proto"; + +option java_package = "io.envoyproxy.envoy.config.core.v3"; +option java_outer_classname = "EventServiceConfigProto"; +option java_multiple_files = true; +option go_package = "github.com/envoyproxy/go-control-plane/envoy/config/core/v3;corev3"; +option (udpa.annotations.file_status).package_version_status = ACTIVE; + +// [#not-implemented-hide:] +// Configuration of the event reporting service endpoint. +message EventServiceConfig { + option (udpa.annotations.versioning).previous_message_type = + "envoy.api.v2.core.EventServiceConfig"; + + oneof config_source_specifier { + option (validate.required) = true; + + // Specifies the gRPC service that hosts the event reporting service. + GrpcService grpc_service = 1; + } +} diff --git a/src/main/proto/envoy/config/core/v3/extension.proto b/src/main/proto/envoy/config/core/v3/extension.proto new file mode 100644 index 0000000..cacc7b0 --- /dev/null +++ b/src/main/proto/envoy/config/core/v3/extension.proto @@ -0,0 +1,32 @@ +syntax = "proto3"; + +package envoy.config.core.v3; + +import "google/protobuf/any.proto"; + +import "udpa/annotations/status.proto"; +import "validate/validate.proto"; + +option java_package = "io.envoyproxy.envoy.config.core.v3"; +option java_outer_classname = "ExtensionProto"; +option java_multiple_files = true; +option go_package = "github.com/envoyproxy/go-control-plane/envoy/config/core/v3;corev3"; +option (udpa.annotations.file_status).package_version_status = ACTIVE; + +// [#protodoc-title: Extension configuration] + +// Message type for extension configuration. +// [#next-major-version: revisit all existing typed_config that doesn't use this wrapper.]. +message TypedExtensionConfig { + // The name of an extension. This is not used to select the extension, instead + // it serves the role of an opaque identifier. + string name = 1 [(validate.rules).string = {min_len: 1}]; + + // The typed config for the extension. The type URL will be used to identify + // the extension. In the case that the type URL is ``xds.type.v3.TypedStruct`` + // (or, for historical reasons, ``udpa.type.v1.TypedStruct``), the inner type + // URL of ``TypedStruct`` will be utilized. See the + // :ref:`extension configuration overview + // ` for further details. + google.protobuf.Any typed_config = 2 [(validate.rules).any = {required: true}]; +} diff --git a/src/main/proto/envoy/config/core/v3/grpc_method_list.proto b/src/main/proto/envoy/config/core/v3/grpc_method_list.proto new file mode 100644 index 0000000..8242b42 --- /dev/null +++ b/src/main/proto/envoy/config/core/v3/grpc_method_list.proto @@ -0,0 +1,33 @@ +syntax = "proto3"; + +package envoy.config.core.v3; + +import "udpa/annotations/status.proto"; +import "udpa/annotations/versioning.proto"; +import "validate/validate.proto"; + +option java_package = "io.envoyproxy.envoy.config.core.v3"; +option java_outer_classname = "GrpcMethodListProto"; +option java_multiple_files = true; +option go_package = "github.com/envoyproxy/go-control-plane/envoy/config/core/v3;corev3"; +option (udpa.annotations.file_status).package_version_status = ACTIVE; + +// [#protodoc-title: gRPC method list] + +// A list of gRPC methods which can be used as an allowlist, for example. +message GrpcMethodList { + option (udpa.annotations.versioning).previous_message_type = "envoy.api.v2.core.GrpcMethodList"; + + message Service { + option (udpa.annotations.versioning).previous_message_type = + "envoy.api.v2.core.GrpcMethodList.Service"; + + // The name of the gRPC service. + string name = 1 [(validate.rules).string = {min_len: 1}]; + + // The names of the gRPC methods in this service. + repeated string method_names = 2 [(validate.rules).repeated = {min_items: 1}]; + } + + repeated Service services = 1; +} diff --git a/src/main/proto/envoy/config/core/v3/grpc_service.proto b/src/main/proto/envoy/config/core/v3/grpc_service.proto new file mode 100644 index 0000000..6027b2b --- /dev/null +++ b/src/main/proto/envoy/config/core/v3/grpc_service.proto @@ -0,0 +1,297 @@ +syntax = "proto3"; + +package envoy.config.core.v3; + +import "envoy/config/core/v3/base.proto"; + +import "google/protobuf/any.proto"; +import "google/protobuf/duration.proto"; +import "google/protobuf/empty.proto"; +import "google/protobuf/struct.proto"; +import "google/protobuf/wrappers.proto"; + +import "udpa/annotations/sensitive.proto"; +import "udpa/annotations/status.proto"; +import "udpa/annotations/versioning.proto"; +import "validate/validate.proto"; + +option java_package = "io.envoyproxy.envoy.config.core.v3"; +option java_outer_classname = "GrpcServiceProto"; +option java_multiple_files = true; +option go_package = "github.com/envoyproxy/go-control-plane/envoy/config/core/v3;corev3"; +option (udpa.annotations.file_status).package_version_status = ACTIVE; + +// [#protodoc-title: gRPC services] + +// gRPC service configuration. This is used by :ref:`ApiConfigSource +// ` and filter configurations. +// [#next-free-field: 6] +message GrpcService { + option (udpa.annotations.versioning).previous_message_type = "envoy.api.v2.core.GrpcService"; + + message EnvoyGrpc { + option (udpa.annotations.versioning).previous_message_type = + "envoy.api.v2.core.GrpcService.EnvoyGrpc"; + + // The name of the upstream gRPC cluster. SSL credentials will be supplied + // in the :ref:`Cluster ` :ref:`transport_socket + // `. + string cluster_name = 1 [(validate.rules).string = {min_len: 1}]; + + // The ``:authority`` header in the grpc request. If this field is not set, the authority header value will be ``cluster_name``. + // Note that this authority does not override the SNI. The SNI is provided by the transport socket of the cluster. + string authority = 2 + [(validate.rules).string = + {min_len: 0 max_bytes: 16384 well_known_regex: HTTP_HEADER_VALUE strict: false}]; + } + + // [#next-free-field: 9] + message GoogleGrpc { + option (udpa.annotations.versioning).previous_message_type = + "envoy.api.v2.core.GrpcService.GoogleGrpc"; + + // See https://grpc.io/grpc/cpp/structgrpc_1_1_ssl_credentials_options.html. + message SslCredentials { + option (udpa.annotations.versioning).previous_message_type = + "envoy.api.v2.core.GrpcService.GoogleGrpc.SslCredentials"; + + // PEM encoded server root certificates. + DataSource root_certs = 1; + + // PEM encoded client private key. + DataSource private_key = 2 [(udpa.annotations.sensitive) = true]; + + // PEM encoded client certificate chain. + DataSource cert_chain = 3; + } + + // Local channel credentials. Only UDS is supported for now. + // See https://github.com/grpc/grpc/pull/15909. + message GoogleLocalCredentials { + option (udpa.annotations.versioning).previous_message_type = + "envoy.api.v2.core.GrpcService.GoogleGrpc.GoogleLocalCredentials"; + } + + // See https://grpc.io/docs/guides/auth.html#credential-types to understand Channel and Call + // credential types. + message ChannelCredentials { + option (udpa.annotations.versioning).previous_message_type = + "envoy.api.v2.core.GrpcService.GoogleGrpc.ChannelCredentials"; + + oneof credential_specifier { + option (validate.required) = true; + + SslCredentials ssl_credentials = 1; + + // https://grpc.io/grpc/cpp/namespacegrpc.html#a6beb3ac70ff94bd2ebbd89b8f21d1f61 + google.protobuf.Empty google_default = 2; + + GoogleLocalCredentials local_credentials = 3; + } + } + + // [#next-free-field: 8] + message CallCredentials { + option (udpa.annotations.versioning).previous_message_type = + "envoy.api.v2.core.GrpcService.GoogleGrpc.CallCredentials"; + + message ServiceAccountJWTAccessCredentials { + option (udpa.annotations.versioning).previous_message_type = + "envoy.api.v2.core.GrpcService.GoogleGrpc.CallCredentials." + "ServiceAccountJWTAccessCredentials"; + + string json_key = 1; + + uint64 token_lifetime_seconds = 2; + } + + message GoogleIAMCredentials { + option (udpa.annotations.versioning).previous_message_type = + "envoy.api.v2.core.GrpcService.GoogleGrpc.CallCredentials.GoogleIAMCredentials"; + + string authorization_token = 1; + + string authority_selector = 2; + } + + message MetadataCredentialsFromPlugin { + option (udpa.annotations.versioning).previous_message_type = + "envoy.api.v2.core.GrpcService.GoogleGrpc.CallCredentials." + "MetadataCredentialsFromPlugin"; + + reserved 2; + + reserved "config"; + + string name = 1; + + // [#extension-category: envoy.grpc_credentials] + oneof config_type { + google.protobuf.Any typed_config = 3; + } + } + + // Security token service configuration that allows Google gRPC to + // fetch security token from an OAuth 2.0 authorization server. + // See https://tools.ietf.org/html/draft-ietf-oauth-token-exchange-16 and + // https://github.com/grpc/grpc/pull/19587. + // [#next-free-field: 10] + message StsService { + option (udpa.annotations.versioning).previous_message_type = + "envoy.api.v2.core.GrpcService.GoogleGrpc.CallCredentials.StsService"; + + // URI of the token exchange service that handles token exchange requests. + // [#comment:TODO(asraa): Add URI validation when implemented. Tracked by + // https://github.com/bufbuild/protoc-gen-validate/issues/303] + string token_exchange_service_uri = 1; + + // Location of the target service or resource where the client + // intends to use the requested security token. + string resource = 2; + + // Logical name of the target service where the client intends to + // use the requested security token. + string audience = 3; + + // The desired scope of the requested security token in the + // context of the service or resource where the token will be used. + string scope = 4; + + // Type of the requested security token. + string requested_token_type = 5; + + // The path of subject token, a security token that represents the + // identity of the party on behalf of whom the request is being made. + string subject_token_path = 6 [(validate.rules).string = {min_len: 1}]; + + // Type of the subject token. + string subject_token_type = 7 [(validate.rules).string = {min_len: 1}]; + + // The path of actor token, a security token that represents the identity + // of the acting party. The acting party is authorized to use the + // requested security token and act on behalf of the subject. + string actor_token_path = 8; + + // Type of the actor token. + string actor_token_type = 9; + } + + oneof credential_specifier { + option (validate.required) = true; + + // Access token credentials. + // https://grpc.io/grpc/cpp/namespacegrpc.html#ad3a80da696ffdaea943f0f858d7a360d. + string access_token = 1; + + // Google Compute Engine credentials. + // https://grpc.io/grpc/cpp/namespacegrpc.html#a6beb3ac70ff94bd2ebbd89b8f21d1f61 + google.protobuf.Empty google_compute_engine = 2; + + // Google refresh token credentials. + // https://grpc.io/grpc/cpp/namespacegrpc.html#a96901c997b91bc6513b08491e0dca37c. + string google_refresh_token = 3; + + // Service Account JWT Access credentials. + // https://grpc.io/grpc/cpp/namespacegrpc.html#a92a9f959d6102461f66ee973d8e9d3aa. + ServiceAccountJWTAccessCredentials service_account_jwt_access = 4; + + // Google IAM credentials. + // https://grpc.io/grpc/cpp/namespacegrpc.html#a9fc1fc101b41e680d47028166e76f9d0. + GoogleIAMCredentials google_iam = 5; + + // Custom authenticator credentials. + // https://grpc.io/grpc/cpp/namespacegrpc.html#a823c6a4b19ffc71fb33e90154ee2ad07. + // https://grpc.io/docs/guides/auth.html#extending-grpc-to-support-other-authentication-mechanisms. + MetadataCredentialsFromPlugin from_plugin = 6; + + // Custom security token service which implements OAuth 2.0 token exchange. + // https://tools.ietf.org/html/draft-ietf-oauth-token-exchange-16 + // See https://github.com/grpc/grpc/pull/19587. + StsService sts_service = 7; + } + } + + // Channel arguments. + message ChannelArgs { + message Value { + // Pointer values are not supported, since they don't make any sense when + // delivered via the API. + oneof value_specifier { + option (validate.required) = true; + + string string_value = 1; + + int64 int_value = 2; + } + } + + // See grpc_types.h GRPC_ARG #defines for keys that work here. + map args = 1; + } + + // The target URI when using the `Google C++ gRPC client + // `_. SSL credentials will be supplied in + // :ref:`channel_credentials `. + string target_uri = 1 [(validate.rules).string = {min_len: 1}]; + + ChannelCredentials channel_credentials = 2; + + // A set of call credentials that can be composed with `channel credentials + // `_. + repeated CallCredentials call_credentials = 3; + + // The human readable prefix to use when emitting statistics for the gRPC + // service. + // + // .. csv-table:: + // :header: Name, Type, Description + // :widths: 1, 1, 2 + // + // streams_total, Counter, Total number of streams opened + // streams_closed_, Counter, Total streams closed with + string stat_prefix = 4 [(validate.rules).string = {min_len: 1}]; + + // The name of the Google gRPC credentials factory to use. This must have been registered with + // Envoy. If this is empty, a default credentials factory will be used that sets up channel + // credentials based on other configuration parameters. + string credentials_factory_name = 5; + + // Additional configuration for site-specific customizations of the Google + // gRPC library. + google.protobuf.Struct config = 6; + + // How many bytes each stream can buffer internally. + // If not set an implementation defined default is applied (1MiB). + google.protobuf.UInt32Value per_stream_buffer_limit_bytes = 7; + + // Custom channels args. + ChannelArgs channel_args = 8; + } + + reserved 4; + + oneof target_specifier { + option (validate.required) = true; + + // Envoy's in-built gRPC client. + // See the :ref:`gRPC services overview ` + // documentation for discussion on gRPC client selection. + EnvoyGrpc envoy_grpc = 1; + + // `Google C++ gRPC client `_ + // See the :ref:`gRPC services overview ` + // documentation for discussion on gRPC client selection. + GoogleGrpc google_grpc = 2; + } + + // The timeout for the gRPC request. This is the timeout for a specific + // request. + google.protobuf.Duration timeout = 3; + + // Additional metadata to include in streams initiated to the GrpcService. This can be used for + // scenarios in which additional ad hoc authorization headers (e.g. ``x-foo-bar: baz-key``) are to + // be injected. For more information, including details on header value syntax, see the + // documentation on :ref:`custom request headers + // `. + repeated HeaderValue initial_metadata = 5; +} diff --git a/src/main/proto/envoy/config/core/v3/health_check.proto b/src/main/proto/envoy/config/core/v3/health_check.proto new file mode 100644 index 0000000..f4c9d85 --- /dev/null +++ b/src/main/proto/envoy/config/core/v3/health_check.proto @@ -0,0 +1,417 @@ +syntax = "proto3"; + +package envoy.config.core.v3; + +import "envoy/config/core/v3/base.proto"; +import "envoy/config/core/v3/event_service_config.proto"; +import "envoy/type/matcher/v3/string.proto"; +import "envoy/type/v3/http.proto"; +import "envoy/type/v3/range.proto"; + +import "google/protobuf/any.proto"; +import "google/protobuf/duration.proto"; +import "google/protobuf/struct.proto"; +import "google/protobuf/wrappers.proto"; + +import "udpa/annotations/status.proto"; +import "udpa/annotations/versioning.proto"; +import "validate/validate.proto"; + +option java_package = "io.envoyproxy.envoy.config.core.v3"; +option java_outer_classname = "HealthCheckProto"; +option java_multiple_files = true; +option go_package = "github.com/envoyproxy/go-control-plane/envoy/config/core/v3;corev3"; +option (udpa.annotations.file_status).package_version_status = ACTIVE; + +// [#protodoc-title: Health check] +// * Health checking :ref:`architecture overview `. +// * If health checking is configured for a cluster, additional statistics are emitted. They are +// documented :ref:`here `. + +// Endpoint health status. +enum HealthStatus { + // The health status is not known. This is interpreted by Envoy as ``HEALTHY``. + UNKNOWN = 0; + + // Healthy. + HEALTHY = 1; + + // Unhealthy. + UNHEALTHY = 2; + + // Connection draining in progress. E.g., + // ``_ + // or + // ``_. + // This is interpreted by Envoy as ``UNHEALTHY``. + DRAINING = 3; + + // Health check timed out. This is part of HDS and is interpreted by Envoy as + // ``UNHEALTHY``. + TIMEOUT = 4; + + // Degraded. + DEGRADED = 5; +} + +message HealthStatusSet { + // An order-independent set of health status. + repeated HealthStatus statuses = 1 + [(validate.rules).repeated = {items {enum {defined_only: true}}}]; +} + +// [#next-free-field: 25] +message HealthCheck { + option (udpa.annotations.versioning).previous_message_type = "envoy.api.v2.core.HealthCheck"; + + // Describes the encoding of the payload bytes in the payload. + message Payload { + option (udpa.annotations.versioning).previous_message_type = + "envoy.api.v2.core.HealthCheck.Payload"; + + oneof payload { + option (validate.required) = true; + + // Hex encoded payload. E.g., "000000FF". + string text = 1 [(validate.rules).string = {min_len: 1}]; + + // Binary payload. + bytes binary = 2; + } + } + + // [#next-free-field: 15] + message HttpHealthCheck { + option (udpa.annotations.versioning).previous_message_type = + "envoy.api.v2.core.HealthCheck.HttpHealthCheck"; + + reserved 5, 7; + + reserved "service_name", "use_http2"; + + // The value of the host header in the HTTP health check request. If + // left empty (default value), the name of the cluster this health check is associated + // with will be used. The host header can be customized for a specific endpoint by setting the + // :ref:`hostname ` field. + string host = 1 [(validate.rules).string = {well_known_regex: HTTP_HEADER_VALUE strict: false}]; + + // Specifies the HTTP path that will be requested during health checking. For example + // ``/healthcheck``. + string path = 2 + [(validate.rules).string = {min_len: 1 well_known_regex: HTTP_HEADER_VALUE strict: false}]; + + // [#not-implemented-hide:] HTTP specific payload. + Payload send = 3; + + // Specifies a list of HTTP expected responses to match in the first ``response_buffer_size`` bytes of the response body. + // If it is set, both the expected response check and status code determine the health check. + // When checking the response, “fuzzy” matching is performed such that each payload block must be found, + // and in the order specified, but not necessarily contiguous. + // + // .. note:: + // + // It is recommended to set ``response_buffer_size`` based on the total Payload size for efficiency. + // The default buffer size is 1024 bytes when it is not set. + repeated Payload receive = 4; + + // Specifies the size of response buffer in bytes that is used to Payload match. + // The default value is 1024. Setting to 0 implies that the Payload will be matched against the entire response. + google.protobuf.UInt64Value response_buffer_size = 14 [(validate.rules).uint64 = {gte: 0}]; + + // Specifies a list of HTTP headers that should be added to each request that is sent to the + // health checked cluster. For more information, including details on header value syntax, see + // the documentation on :ref:`custom request headers + // `. + repeated HeaderValueOption request_headers_to_add = 6 + [(validate.rules).repeated = {max_items: 1000}]; + + // Specifies a list of HTTP headers that should be removed from each request that is sent to the + // health checked cluster. + repeated string request_headers_to_remove = 8 [(validate.rules).repeated = { + items {string {well_known_regex: HTTP_HEADER_NAME strict: false}} + }]; + + // Specifies a list of HTTP response statuses considered healthy. If provided, replaces default + // 200-only policy - 200 must be included explicitly as needed. Ranges follow half-open + // semantics of :ref:`Int64Range `. The start and end of each + // range are required. Only statuses in the range [100, 600) are allowed. + repeated type.v3.Int64Range expected_statuses = 9; + + // Specifies a list of HTTP response statuses considered retriable. If provided, responses in this range + // will count towards the configured :ref:`unhealthy_threshold `, + // but will not result in the host being considered immediately unhealthy. Ranges follow half-open semantics of + // :ref:`Int64Range `. The start and end of each range are required. + // Only statuses in the range [100, 600) are allowed. The :ref:`expected_statuses ` + // field takes precedence for any range overlaps with this field i.e. if status code 200 is both retriable and expected, a 200 response will + // be considered a successful health check. By default all responses not in + // :ref:`expected_statuses ` will result in + // the host being considered immediately unhealthy i.e. if status code 200 is expected and there are no configured retriable statuses, any + // non-200 response will result in the host being marked unhealthy. + repeated type.v3.Int64Range retriable_statuses = 12; + + // Use specified application protocol for health checks. + type.v3.CodecClientType codec_client_type = 10 [(validate.rules).enum = {defined_only: true}]; + + // An optional service name parameter which is used to validate the identity of + // the health checked cluster using a :ref:`StringMatcher + // `. See the :ref:`architecture overview + // ` for more information. + type.matcher.v3.StringMatcher service_name_matcher = 11; + + // HTTP Method that will be used for health checking, default is "GET". + // GET, HEAD, POST, PUT, DELETE, OPTIONS, TRACE, PATCH methods are supported, but making request body is not supported. + // CONNECT method is disallowed because it is not appropriate for health check request. + // If a non-200 response is expected by the method, it needs to be set in :ref:`expected_statuses `. + RequestMethod method = 13 [(validate.rules).enum = {defined_only: true not_in: 6}]; + } + + message TcpHealthCheck { + option (udpa.annotations.versioning).previous_message_type = + "envoy.api.v2.core.HealthCheck.TcpHealthCheck"; + + // Empty payloads imply a connect-only health check. + Payload send = 1; + + // When checking the response, “fuzzy” matching is performed such that each + // payload block must be found, and in the order specified, but not + // necessarily contiguous. + repeated Payload receive = 2; + } + + message RedisHealthCheck { + option (udpa.annotations.versioning).previous_message_type = + "envoy.api.v2.core.HealthCheck.RedisHealthCheck"; + + // If set, optionally perform ``EXISTS `` instead of ``PING``. A return value + // from Redis of 0 (does not exist) is considered a passing healthcheck. A return value other + // than 0 is considered a failure. This allows the user to mark a Redis instance for maintenance + // by setting the specified key to any value and waiting for traffic to drain. + string key = 1; + } + + // `grpc.health.v1.Health + // `_-based + // healthcheck. See `gRPC doc `_ + // for details. + message GrpcHealthCheck { + option (udpa.annotations.versioning).previous_message_type = + "envoy.api.v2.core.HealthCheck.GrpcHealthCheck"; + + // An optional service name parameter which will be sent to gRPC service in + // `grpc.health.v1.HealthCheckRequest + // `_. + // message. See `gRPC health-checking overview + // `_ for more information. + string service_name = 1; + + // The value of the :authority header in the gRPC health check request. If + // left empty (default value), the name of the cluster this health check is associated + // with will be used. The authority header can be customized for a specific endpoint by setting + // the :ref:`hostname ` field. + string authority = 2 + [(validate.rules).string = {well_known_regex: HTTP_HEADER_VALUE strict: false}]; + + // Specifies a list of key-value pairs that should be added to the metadata of each GRPC call + // that is sent to the health checked cluster. For more information, including details on header value syntax, + // see the documentation on :ref:`custom request headers + // `. + repeated HeaderValueOption initial_metadata = 3 [(validate.rules).repeated = {max_items: 1000}]; + } + + // Custom health check. + message CustomHealthCheck { + option (udpa.annotations.versioning).previous_message_type = + "envoy.api.v2.core.HealthCheck.CustomHealthCheck"; + + reserved 2; + + reserved "config"; + + // The registered name of the custom health checker. + string name = 1 [(validate.rules).string = {min_len: 1}]; + + // A custom health checker specific configuration which depends on the custom health checker + // being instantiated. See :api:`envoy/config/health_checker` for reference. + // [#extension-category: envoy.health_checkers] + oneof config_type { + google.protobuf.Any typed_config = 3; + } + } + + // Health checks occur over the transport socket specified for the cluster. This implies that if a + // cluster is using a TLS-enabled transport socket, the health check will also occur over TLS. + // + // This allows overriding the cluster TLS settings, just for health check connections. + message TlsOptions { + option (udpa.annotations.versioning).previous_message_type = + "envoy.api.v2.core.HealthCheck.TlsOptions"; + + // Specifies the ALPN protocols for health check connections. This is useful if the + // corresponding upstream is using ALPN-based :ref:`FilterChainMatch + // ` along with different protocols for health checks + // versus data connections. If empty, no ALPN protocols will be set on health check connections. + repeated string alpn_protocols = 1; + } + + reserved 10; + + // The time to wait for a health check response. If the timeout is reached the + // health check attempt will be considered a failure. + google.protobuf.Duration timeout = 1 [(validate.rules).duration = { + required: true + gt {} + }]; + + // The interval between health checks. + google.protobuf.Duration interval = 2 [(validate.rules).duration = { + required: true + gt {} + }]; + + // An optional jitter amount in milliseconds. If specified, Envoy will start health + // checking after for a random time in ms between 0 and initial_jitter. This only + // applies to the first health check. + google.protobuf.Duration initial_jitter = 20; + + // An optional jitter amount in milliseconds. If specified, during every + // interval Envoy will add interval_jitter to the wait time. + google.protobuf.Duration interval_jitter = 3; + + // An optional jitter amount as a percentage of interval_ms. If specified, + // during every interval Envoy will add ``interval_ms`` * + // ``interval_jitter_percent`` / 100 to the wait time. + // + // If interval_jitter_ms and interval_jitter_percent are both set, both of + // them will be used to increase the wait time. + uint32 interval_jitter_percent = 18; + + // The number of unhealthy health checks required before a host is marked + // unhealthy. Note that for ``http`` health checking if a host responds with a code not in + // :ref:`expected_statuses ` + // or :ref:`retriable_statuses `, + // this threshold is ignored and the host is considered immediately unhealthy. + google.protobuf.UInt32Value unhealthy_threshold = 4 [(validate.rules).message = {required: true}]; + + // The number of healthy health checks required before a host is marked + // healthy. Note that during startup, only a single successful health check is + // required to mark a host healthy. + google.protobuf.UInt32Value healthy_threshold = 5 [(validate.rules).message = {required: true}]; + + // [#not-implemented-hide:] Non-serving port for health checking. + google.protobuf.UInt32Value alt_port = 6; + + // Reuse health check connection between health checks. Default is true. + google.protobuf.BoolValue reuse_connection = 7; + + oneof health_checker { + option (validate.required) = true; + + // HTTP health check. + HttpHealthCheck http_health_check = 8; + + // TCP health check. + TcpHealthCheck tcp_health_check = 9; + + // gRPC health check. + GrpcHealthCheck grpc_health_check = 11; + + // Custom health check. + CustomHealthCheck custom_health_check = 13; + } + + // The "no traffic interval" is a special health check interval that is used when a cluster has + // never had traffic routed to it. This lower interval allows cluster information to be kept up to + // date, without sending a potentially large amount of active health checking traffic for no + // reason. Once a cluster has been used for traffic routing, Envoy will shift back to using the + // standard health check interval that is defined. Note that this interval takes precedence over + // any other. + // + // The default value for "no traffic interval" is 60 seconds. + google.protobuf.Duration no_traffic_interval = 12 [(validate.rules).duration = {gt {}}]; + + // The "no traffic healthy interval" is a special health check interval that + // is used for hosts that are currently passing active health checking + // (including new hosts) when the cluster has received no traffic. + // + // This is useful for when we want to send frequent health checks with + // ``no_traffic_interval`` but then revert to lower frequency ``no_traffic_healthy_interval`` once + // a host in the cluster is marked as healthy. + // + // Once a cluster has been used for traffic routing, Envoy will shift back to using the + // standard health check interval that is defined. + // + // If no_traffic_healthy_interval is not set, it will default to the + // no traffic interval and send that interval regardless of health state. + google.protobuf.Duration no_traffic_healthy_interval = 24 [(validate.rules).duration = {gt {}}]; + + // The "unhealthy interval" is a health check interval that is used for hosts that are marked as + // unhealthy. As soon as the host is marked as healthy, Envoy will shift back to using the + // standard health check interval that is defined. + // + // The default value for "unhealthy interval" is the same as "interval". + google.protobuf.Duration unhealthy_interval = 14 [(validate.rules).duration = {gt {}}]; + + // The "unhealthy edge interval" is a special health check interval that is used for the first + // health check right after a host is marked as unhealthy. For subsequent health checks + // Envoy will shift back to using either "unhealthy interval" if present or the standard health + // check interval that is defined. + // + // The default value for "unhealthy edge interval" is the same as "unhealthy interval". + google.protobuf.Duration unhealthy_edge_interval = 15 [(validate.rules).duration = {gt {}}]; + + // The "healthy edge interval" is a special health check interval that is used for the first + // health check right after a host is marked as healthy. For subsequent health checks + // Envoy will shift back to using the standard health check interval that is defined. + // + // The default value for "healthy edge interval" is the same as the default interval. + google.protobuf.Duration healthy_edge_interval = 16 [(validate.rules).duration = {gt {}}]; + + // Specifies the path to the :ref:`health check event log `. + // If empty, no event log will be written. + string event_log_path = 17; + + // [#not-implemented-hide:] + // The gRPC service for the health check event service. + // If empty, health check events won't be sent to a remote endpoint. + EventServiceConfig event_service = 22; + + // If set to true, health check failure events will always be logged. If set to false, only the + // initial health check failure event will be logged. + // The default value is false. + bool always_log_health_check_failures = 19; + + // This allows overriding the cluster TLS settings, just for health check connections. + TlsOptions tls_options = 21; + + // Optional key/value pairs that will be used to match a transport socket from those specified in the cluster's + // :ref:`tranport socket matches `. + // For example, the following match criteria + // + // .. code-block:: yaml + // + // transport_socket_match_criteria: + // useMTLS: true + // + // Will match the following :ref:`cluster socket match ` + // + // .. code-block:: yaml + // + // transport_socket_matches: + // - name: "useMTLS" + // match: + // useMTLS: true + // transport_socket: + // name: envoy.transport_sockets.tls + // config: { ... } # tls socket configuration + // + // If this field is set, then for health checks it will supersede an entry of ``envoy.transport_socket`` in the + // :ref:`LbEndpoint.Metadata `. + // This allows using different transport socket capabilities for health checking versus proxying to the + // endpoint. + // + // If the key/values pairs specified do not match any + // :ref:`transport socket matches `, + // the cluster's :ref:`transport socket ` + // will be used for health check socket configuration. + google.protobuf.Struct transport_socket_match_criteria = 23; +} diff --git a/src/main/proto/envoy/config/core/v3/http_uri.proto b/src/main/proto/envoy/config/core/v3/http_uri.proto new file mode 100644 index 0000000..93b6309 --- /dev/null +++ b/src/main/proto/envoy/config/core/v3/http_uri.proto @@ -0,0 +1,57 @@ +syntax = "proto3"; + +package envoy.config.core.v3; + +import "google/protobuf/duration.proto"; + +import "udpa/annotations/status.proto"; +import "udpa/annotations/versioning.proto"; +import "validate/validate.proto"; + +option java_package = "io.envoyproxy.envoy.config.core.v3"; +option java_outer_classname = "HttpUriProto"; +option java_multiple_files = true; +option go_package = "github.com/envoyproxy/go-control-plane/envoy/config/core/v3;corev3"; +option (udpa.annotations.file_status).package_version_status = ACTIVE; + +// [#protodoc-title: HTTP service URI ] + +// Envoy external URI descriptor +message HttpUri { + option (udpa.annotations.versioning).previous_message_type = "envoy.api.v2.core.HttpUri"; + + // The HTTP server URI. It should be a full FQDN with protocol, host and path. + // + // Example: + // + // .. code-block:: yaml + // + // uri: https://www.googleapis.com/oauth2/v1/certs + // + string uri = 1 [(validate.rules).string = {min_len: 1}]; + + // Specify how ``uri`` is to be fetched. Today, this requires an explicit + // cluster, but in the future we may support dynamic cluster creation or + // inline DNS resolution. See `issue + // `_. + oneof http_upstream_type { + option (validate.required) = true; + + // A cluster is created in the Envoy "cluster_manager" config + // section. This field specifies the cluster name. + // + // Example: + // + // .. code-block:: yaml + // + // cluster: jwks_cluster + // + string cluster = 2 [(validate.rules).string = {min_len: 1}]; + } + + // Sets the maximum duration in milliseconds that a response can take to arrive upon request. + google.protobuf.Duration timeout = 3 [(validate.rules).duration = { + required: true + gte {} + }]; +} diff --git a/src/main/proto/envoy/config/core/v3/protocol.proto b/src/main/proto/envoy/config/core/v3/protocol.proto new file mode 100644 index 0000000..0def86b --- /dev/null +++ b/src/main/proto/envoy/config/core/v3/protocol.proto @@ -0,0 +1,601 @@ +syntax = "proto3"; + +package envoy.config.core.v3; + +import "envoy/config/core/v3/extension.proto"; +import "envoy/type/v3/percent.proto"; + +import "google/protobuf/duration.proto"; +import "google/protobuf/wrappers.proto"; + +import "xds/annotations/v3/status.proto"; + +import "envoy/annotations/deprecation.proto"; +import "udpa/annotations/status.proto"; +import "udpa/annotations/versioning.proto"; +import "validate/validate.proto"; + +option java_package = "io.envoyproxy.envoy.config.core.v3"; +option java_outer_classname = "ProtocolProto"; +option java_multiple_files = true; +option go_package = "github.com/envoyproxy/go-control-plane/envoy/config/core/v3;corev3"; +option (udpa.annotations.file_status).package_version_status = ACTIVE; + +// [#protodoc-title: Protocol options] + +// [#not-implemented-hide:] +message TcpProtocolOptions { + option (udpa.annotations.versioning).previous_message_type = + "envoy.api.v2.core.TcpProtocolOptions"; +} + +// Config for keepalive probes in a QUIC connection. +// Note that QUIC keep-alive probing packets work differently from HTTP/2 keep-alive PINGs in a sense that the probing packet +// itself doesn't timeout waiting for a probing response. Quic has a shorter idle timeout than TCP, so it doesn't rely on such probing to discover dead connections. If the peer fails to respond, the connection will idle timeout eventually. Thus, they are configured differently from :ref:`connection_keepalive `. +message QuicKeepAliveSettings { + // The max interval for a connection to send keep-alive probing packets (with PING or PATH_RESPONSE). The value should be smaller than :ref:`connection idle_timeout ` to prevent idle timeout while not less than 1s to avoid throttling the connection or flooding the peer with probes. + // + // If :ref:`initial_interval ` is absent or zero, a client connection will use this value to start probing. + // + // If zero, disable keepalive probing. + // If absent, use the QUICHE default interval to probe. + google.protobuf.Duration max_interval = 1 [(validate.rules).duration = { + lte {} + gte {seconds: 1} + }]; + + // The interval to send the first few keep-alive probing packets to prevent connection from hitting the idle timeout. Subsequent probes will be sent, each one with an interval exponentially longer than previous one, till it reaches :ref:`max_interval `. And the probes afterwards will always use :ref:`max_interval `. + // + // The value should be smaller than :ref:`connection idle_timeout ` to prevent idle timeout and smaller than max_interval to take effect. + // + // If absent or zero, disable keepalive probing for a server connection. For a client connection, if :ref:`max_interval ` is also zero, do not keepalive, otherwise use max_interval or QUICHE default to probe all the time. + google.protobuf.Duration initial_interval = 2 [(validate.rules).duration = { + lte {} + gte {seconds: 1} + }]; +} + +// QUIC protocol options which apply to both downstream and upstream connections. +// [#next-free-field: 6] +message QuicProtocolOptions { + // Maximum number of streams that the client can negotiate per connection. 100 + // if not specified. + google.protobuf.UInt32Value max_concurrent_streams = 1 [(validate.rules).uint32 = {gte: 1}]; + + // `Initial stream-level flow-control receive window + // `_ size. Valid values range from + // 1 to 16777216 (2^24, maximum supported by QUICHE) and defaults to 65536 (2^16). + // + // NOTE: 16384 (2^14) is the minimum window size supported in Google QUIC. If configured smaller than it, we will use 16384 instead. + // QUICHE IETF Quic implementation supports 1 bytes window. We only support increasing the default window size now, so it's also the minimum. + // + // This field also acts as a soft limit on the number of bytes Envoy will buffer per-stream in the + // QUIC stream send and receive buffers. Once the buffer reaches this pointer, watermark callbacks will fire to + // stop the flow of data to the stream buffers. + google.protobuf.UInt32Value initial_stream_window_size = 2 + [(validate.rules).uint32 = {lte: 16777216 gte: 1}]; + + // Similar to ``initial_stream_window_size``, but for connection-level + // flow-control. Valid values rage from 1 to 25165824 (24MB, maximum supported by QUICHE) and defaults to 65536 (2^16). + // window. Currently, this has the same minimum/default as ``initial_stream_window_size``. + // + // NOTE: 16384 (2^14) is the minimum window size supported in Google QUIC. We only support increasing the default + // window size now, so it's also the minimum. + google.protobuf.UInt32Value initial_connection_window_size = 3 + [(validate.rules).uint32 = {lte: 25165824 gte: 1}]; + + // The number of timeouts that can occur before port migration is triggered for QUIC clients. + // This defaults to 1. If set to 0, port migration will not occur on path degrading. + // Timeout here refers to QUIC internal path degrading timeout mechanism, such as PTO. + // This has no effect on server sessions. + google.protobuf.UInt32Value num_timeouts_to_trigger_port_migration = 4 + [(validate.rules).uint32 = {lte: 5 gte: 0}]; + + // Probes the peer at the configured interval to solicit traffic, i.e. ACK or PATH_RESPONSE, from the peer to push back connection idle timeout. + // If absent, use the default keepalive behavior of which a client connection sends PINGs every 15s, and a server connection doesn't do anything. + QuicKeepAliveSettings connection_keepalive = 5; +} + +message UpstreamHttpProtocolOptions { + option (udpa.annotations.versioning).previous_message_type = + "envoy.api.v2.core.UpstreamHttpProtocolOptions"; + + // Set transport socket `SNI `_ for new + // upstream connections based on the downstream HTTP host/authority header or any other arbitrary + // header when :ref:`override_auto_sni_header ` + // is set, as seen by the :ref:`router filter `. + bool auto_sni = 1; + + // Automatic validate upstream presented certificate for new upstream connections based on the + // downstream HTTP host/authority header or any other arbitrary header when :ref:`override_auto_sni_header ` + // is set, as seen by the :ref:`router filter `. + // This field is intended to be set with ``auto_sni`` field. + bool auto_san_validation = 2; + + // An optional alternative to the host/authority header to be used for setting the SNI value. + // It should be a valid downstream HTTP header, as seen by the + // :ref:`router filter `. + // If unset, host/authority header will be used for populating the SNI. If the specified header + // is not found or the value is empty, host/authority header will be used instead. + // This field is intended to be set with ``auto_sni`` and/or ``auto_san_validation`` fields. + // If none of these fields are set then setting this would be a no-op. + string override_auto_sni_header = 3 + [(validate.rules).string = {well_known_regex: HTTP_HEADER_NAME ignore_empty: true}]; +} + +// Configures the alternate protocols cache which tracks alternate protocols that can be used to +// make an HTTP connection to an origin server. See https://tools.ietf.org/html/rfc7838 for +// HTTP Alternative Services and https://datatracker.ietf.org/doc/html/draft-ietf-dnsop-svcb-https-04 +// for the "HTTPS" DNS resource record. +// [#next-free-field: 6] +message AlternateProtocolsCacheOptions { + // Allows pre-populating the cache with HTTP/3 alternate protocols entries with a 7 day lifetime. + // This will cause Envoy to attempt HTTP/3 to those upstreams, even if the upstreams have not + // advertised HTTP/3 support. These entries will be overwritten by alt-svc + // response headers or cached values. + // As with regular cached entries, if the origin response would result in clearing an existing + // alternate protocol cache entry, pre-populated entries will also be cleared. + // Adding a cache entry with hostname=foo.com port=123 is the equivalent of getting + // response headers + // alt-svc: h3=:"123"; ma=86400" in a response to a request to foo.com:123 + message AlternateProtocolsCacheEntry { + // The host name for the alternate protocol entry. + string hostname = 1 + [(validate.rules).string = {well_known_regex: HTTP_HEADER_NAME ignore_empty: true}]; + + // The port for the alternate protocol entry. + uint32 port = 2 [(validate.rules).uint32 = {lt: 65535 gt: 0}]; + } + + // The name of the cache. Multiple named caches allow independent alternate protocols cache + // configurations to operate within a single Envoy process using different configurations. All + // alternate protocols cache options with the same name *must* be equal in all fields when + // referenced from different configuration components. Configuration will fail to load if this is + // not the case. + string name = 1 [(validate.rules).string = {min_len: 1}]; + + // The maximum number of entries that the cache will hold. If not specified defaults to 1024. + // + // .. note: + // + // The implementation is approximate and enforced independently on each worker thread, thus + // it is possible for the maximum entries in the cache to go slightly above the configured + // value depending on timing. This is similar to how other circuit breakers work. + google.protobuf.UInt32Value max_entries = 2 [(validate.rules).uint32 = {gt: 0}]; + + // Allows configuring a persistent + // :ref:`key value store ` to flush + // alternate protocols entries to disk. + // This function is currently only supported if concurrency is 1 + // Cached entries will take precedence over pre-populated entries below. + TypedExtensionConfig key_value_store_config = 3; + + // Allows pre-populating the cache with entries, as described above. + repeated AlternateProtocolsCacheEntry prepopulated_entries = 4; + + // Optional list of hostnames suffixes for which Alt-Svc entries can be shared. For example, if + // this list contained the value ``.c.example.com``, then an Alt-Svc entry for ``foo.c.example.com`` + // could be shared with ``bar.c.example.com`` but would not be shared with ``baz.example.com``. On + // the other hand, if the list contained the value ``.example.com`` then all three hosts could share + // Alt-Svc entries. Each entry must start with ``.``. If a hostname matches multiple suffixes, the + // first listed suffix will be used. + // + // Since lookup in this list is O(n), it is recommended that the number of suffixes be limited. + // [#not-implemented-hide:] + repeated string canonical_suffixes = 5; +} + +// [#next-free-field: 7] +message HttpProtocolOptions { + option (udpa.annotations.versioning).previous_message_type = + "envoy.api.v2.core.HttpProtocolOptions"; + + // Action to take when Envoy receives client request with header names containing underscore + // characters. + // Underscore character is allowed in header names by the RFC-7230 and this behavior is implemented + // as a security measure due to systems that treat '_' and '-' as interchangeable. Envoy by default allows client request headers with underscore + // characters. + enum HeadersWithUnderscoresAction { + // Allow headers with underscores. This is the default behavior. + ALLOW = 0; + + // Reject client request. HTTP/1 requests are rejected with the 400 status. HTTP/2 requests + // end with the stream reset. The "httpN.requests_rejected_with_underscores_in_headers" counter + // is incremented for each rejected request. + REJECT_REQUEST = 1; + + // Drop the client header with name containing underscores. The header is dropped before the filter chain is + // invoked and as such filters will not see dropped headers. The + // "httpN.dropped_headers_with_underscores" is incremented for each dropped header. + DROP_HEADER = 2; + } + + // The idle timeout for connections. The idle timeout is defined as the + // period in which there are no active requests. When the + // idle timeout is reached the connection will be closed. If the connection is an HTTP/2 + // downstream connection a drain sequence will occur prior to closing the connection, see + // :ref:`drain_timeout + // `. + // Note that request based timeouts mean that HTTP/2 PINGs will not keep the connection alive. + // If not specified, this defaults to 1 hour. To disable idle timeouts explicitly set this to 0. + // + // .. warning:: + // Disabling this timeout has a highly likelihood of yielding connection leaks due to lost TCP + // FIN packets, etc. + // + // If the :ref:`overload action ` "envoy.overload_actions.reduce_timeouts" + // is configured, this timeout is scaled for downstream connections according to the value for + // :ref:`HTTP_DOWNSTREAM_CONNECTION_IDLE `. + google.protobuf.Duration idle_timeout = 1; + + // The maximum duration of a connection. The duration is defined as a period since a connection + // was established. If not set, there is no max duration. When max_connection_duration is reached + // and if there are no active streams, the connection will be closed. If the connection is a + // downstream connection and there are any active streams, the drain sequence will kick-in, + // and the connection will be force-closed after the drain period. See :ref:`drain_timeout + // `. + google.protobuf.Duration max_connection_duration = 3; + + // The maximum number of headers. If unconfigured, the default + // maximum number of request headers allowed is 100. Requests that exceed this limit will receive + // a 431 response for HTTP/1.x and cause a stream reset for HTTP/2. + google.protobuf.UInt32Value max_headers_count = 2 [(validate.rules).uint32 = {gte: 1}]; + + // Total duration to keep alive an HTTP request/response stream. If the time limit is reached the stream will be + // reset independent of any other timeouts. If not specified, this value is not set. + google.protobuf.Duration max_stream_duration = 4; + + // Action to take when a client request with a header name containing underscore characters is received. + // If this setting is not specified, the value defaults to ALLOW. + // Note: upstream responses are not affected by this setting. + // Note: this only affects client headers. It does not affect headers added + // by Envoy filters and does not have any impact if added to cluster config. + HeadersWithUnderscoresAction headers_with_underscores_action = 5; + + // Optional maximum requests for both upstream and downstream connections. + // If not specified, there is no limit. + // Setting this parameter to 1 will effectively disable keep alive. + // For HTTP/2 and HTTP/3, due to concurrent stream processing, the limit is approximate. + google.protobuf.UInt32Value max_requests_per_connection = 6; +} + +// [#next-free-field: 9] +message Http1ProtocolOptions { + option (udpa.annotations.versioning).previous_message_type = + "envoy.api.v2.core.Http1ProtocolOptions"; + + // [#next-free-field: 9] + message HeaderKeyFormat { + option (udpa.annotations.versioning).previous_message_type = + "envoy.api.v2.core.Http1ProtocolOptions.HeaderKeyFormat"; + + message ProperCaseWords { + option (udpa.annotations.versioning).previous_message_type = + "envoy.api.v2.core.Http1ProtocolOptions.HeaderKeyFormat.ProperCaseWords"; + } + + oneof header_format { + option (validate.required) = true; + + // Formats the header by proper casing words: the first character and any character following + // a special character will be capitalized if it's an alpha character. For example, + // "content-type" becomes "Content-Type", and "foo$b#$are" becomes "Foo$B#$Are". + // Note that while this results in most headers following conventional casing, certain headers + // are not covered. For example, the "TE" header will be formatted as "Te". + ProperCaseWords proper_case_words = 1; + + // Configuration for stateful formatter extensions that allow using received headers to + // affect the output of encoding headers. E.g., preserving case during proxying. + // [#extension-category: envoy.http.stateful_header_formatters] + TypedExtensionConfig stateful_formatter = 8; + } + } + + // Handle HTTP requests with absolute URLs in the requests. These requests + // are generally sent by clients to forward/explicit proxies. This allows clients to configure + // envoy as their HTTP proxy. In Unix, for example, this is typically done by setting the + // ``http_proxy`` environment variable. + google.protobuf.BoolValue allow_absolute_url = 1; + + // Handle incoming HTTP/1.0 and HTTP 0.9 requests. + // This is off by default, and not fully standards compliant. There is support for pre-HTTP/1.1 + // style connect logic, dechunking, and handling lack of client host iff + // ``default_host_for_http_10`` is configured. + bool accept_http_10 = 2; + + // A default host for HTTP/1.0 requests. This is highly suggested if ``accept_http_10`` is true as + // Envoy does not otherwise support HTTP/1.0 without a Host header. + // This is a no-op if ``accept_http_10`` is not true. + string default_host_for_http_10 = 3; + + // Describes how the keys for response headers should be formatted. By default, all header keys + // are lower cased. + HeaderKeyFormat header_key_format = 4; + + // Enables trailers for HTTP/1. By default the HTTP/1 codec drops proxied trailers. + // + // .. attention:: + // + // Note that this only happens when Envoy is chunk encoding which occurs when: + // - The request is HTTP/1.1. + // - Is neither a HEAD only request nor a HTTP Upgrade. + // - Not a response to a HEAD request. + // - The content length header is not present. + bool enable_trailers = 5; + + // Allows Envoy to process requests/responses with both ``Content-Length`` and ``Transfer-Encoding`` + // headers set. By default such messages are rejected, but if option is enabled - Envoy will + // remove Content-Length header and process message. + // See `RFC7230, sec. 3.3.3 `_ for details. + // + // .. attention:: + // Enabling this option might lead to request smuggling vulnerability, especially if traffic + // is proxied via multiple layers of proxies. + // [#comment:TODO: This field is ignored when the + // :ref:`header validation configuration ` + // is present.] + bool allow_chunked_length = 6; + + // Allows invalid HTTP messaging. When this option is false, then Envoy will terminate + // HTTP/1.1 connections upon receiving an invalid HTTP message. However, + // when this option is true, then Envoy will leave the HTTP/1.1 connection + // open where possible. + // If set, this overrides any HCM :ref:`stream_error_on_invalid_http_messaging + // `. + google.protobuf.BoolValue override_stream_error_on_invalid_http_message = 7; + + // Allows sending fully qualified URLs when proxying the first line of the + // response. By default, Envoy will only send the path components in the first line. + // If this is true, Envoy will create a fully qualified URI composing scheme + // (inferred if not present), host (from the host/:authority header) and path + // (from first line or :path header). + bool send_fully_qualified_url = 8; +} + +message KeepaliveSettings { + // Send HTTP/2 PING frames at this period, in order to test that the connection is still alive. + // If this is zero, interval PINGs will not be sent. + google.protobuf.Duration interval = 1 [(validate.rules).duration = {gte {nanos: 1000000}}]; + + // How long to wait for a response to a keepalive PING. If a response is not received within this + // time period, the connection will be aborted. Note that in order to prevent the influence of + // Head-of-line (HOL) blocking the timeout period is extended when *any* frame is received on + // the connection, under the assumption that if a frame is received the connection is healthy. + google.protobuf.Duration timeout = 2 [(validate.rules).duration = { + required: true + gte {nanos: 1000000} + }]; + + // A random jitter amount as a percentage of interval that will be added to each interval. + // A value of zero means there will be no jitter. + // The default value is 15%. + type.v3.Percent interval_jitter = 3; + + // If the connection has been idle for this duration, send a HTTP/2 ping ahead + // of new stream creation, to quickly detect dead connections. + // If this is zero, this type of PING will not be sent. + // If an interval ping is outstanding, a second ping will not be sent as the + // interval ping will determine if the connection is dead. + // + // The same feature for HTTP/3 is given by inheritance from QUICHE which uses :ref:`connection idle_timeout ` and the current PTO of the connection to decide whether to probe before sending a new request. + google.protobuf.Duration connection_idle_interval = 4 + [(validate.rules).duration = {gte {nanos: 1000000}}]; +} + +// [#next-free-field: 16] +message Http2ProtocolOptions { + option (udpa.annotations.versioning).previous_message_type = + "envoy.api.v2.core.Http2ProtocolOptions"; + + // Defines a parameter to be sent in the SETTINGS frame. + // See `RFC7540, sec. 6.5.1 `_ for details. + message SettingsParameter { + option (udpa.annotations.versioning).previous_message_type = + "envoy.api.v2.core.Http2ProtocolOptions.SettingsParameter"; + + // The 16 bit parameter identifier. + google.protobuf.UInt32Value identifier = 1 [ + (validate.rules).uint32 = {lte: 65535 gte: 0}, + (validate.rules).message = {required: true} + ]; + + // The 32 bit parameter value. + google.protobuf.UInt32Value value = 2 [(validate.rules).message = {required: true}]; + } + + // `Maximum table size `_ + // (in octets) that the encoder is permitted to use for the dynamic HPACK table. Valid values + // range from 0 to 4294967295 (2^32 - 1) and defaults to 4096. 0 effectively disables header + // compression. + google.protobuf.UInt32Value hpack_table_size = 1; + + // `Maximum concurrent streams `_ + // allowed for peer on one HTTP/2 connection. Valid values range from 1 to 2147483647 (2^31 - 1) + // and defaults to 2147483647. + // + // For upstream connections, this also limits how many streams Envoy will initiate concurrently + // on a single connection. If the limit is reached, Envoy may queue requests or establish + // additional connections (as allowed per circuit breaker limits). + // + // This acts as an upper bound: Envoy will lower the max concurrent streams allowed on a given + // connection based on upstream settings. Config dumps will reflect the configured upper bound, + // not the per-connection negotiated limits. + google.protobuf.UInt32Value max_concurrent_streams = 2 + [(validate.rules).uint32 = {lte: 2147483647 gte: 1}]; + + // `Initial stream-level flow-control window + // `_ size. Valid values range from 65535 + // (2^16 - 1, HTTP/2 default) to 2147483647 (2^31 - 1, HTTP/2 maximum) and defaults to 268435456 + // (256 * 1024 * 1024). + // + // NOTE: 65535 is the initial window size from HTTP/2 spec. We only support increasing the default + // window size now, so it's also the minimum. + // + // This field also acts as a soft limit on the number of bytes Envoy will buffer per-stream in the + // HTTP/2 codec buffers. Once the buffer reaches this pointer, watermark callbacks will fire to + // stop the flow of data to the codec buffers. + google.protobuf.UInt32Value initial_stream_window_size = 3 + [(validate.rules).uint32 = {lte: 2147483647 gte: 65535}]; + + // Similar to ``initial_stream_window_size``, but for connection-level flow-control + // window. Currently, this has the same minimum/maximum/default as ``initial_stream_window_size``. + google.protobuf.UInt32Value initial_connection_window_size = 4 + [(validate.rules).uint32 = {lte: 2147483647 gte: 65535}]; + + // Allows proxying Websocket and other upgrades over H2 connect. + bool allow_connect = 5; + + // [#not-implemented-hide:] Hiding until envoy has full metadata support. + // Still under implementation. DO NOT USE. + // + // Allows metadata. See [metadata + // docs](https://github.com/envoyproxy/envoy/blob/main/source/docs/h2_metadata.md) for more + // information. + bool allow_metadata = 6; + + // Limit the number of pending outbound downstream frames of all types (frames that are waiting to + // be written into the socket). Exceeding this limit triggers flood mitigation and connection is + // terminated. The ``http2.outbound_flood`` stat tracks the number of terminated connections due + // to flood mitigation. The default limit is 10000. + google.protobuf.UInt32Value max_outbound_frames = 7 [(validate.rules).uint32 = {gte: 1}]; + + // Limit the number of pending outbound downstream frames of types PING, SETTINGS and RST_STREAM, + // preventing high memory utilization when receiving continuous stream of these frames. Exceeding + // this limit triggers flood mitigation and connection is terminated. The + // ``http2.outbound_control_flood`` stat tracks the number of terminated connections due to flood + // mitigation. The default limit is 1000. + google.protobuf.UInt32Value max_outbound_control_frames = 8 [(validate.rules).uint32 = {gte: 1}]; + + // Limit the number of consecutive inbound frames of types HEADERS, CONTINUATION and DATA with an + // empty payload and no end stream flag. Those frames have no legitimate use and are abusive, but + // might be a result of a broken HTTP/2 implementation. The `http2.inbound_empty_frames_flood`` + // stat tracks the number of connections terminated due to flood mitigation. + // Setting this to 0 will terminate connection upon receiving first frame with an empty payload + // and no end stream flag. The default limit is 1. + google.protobuf.UInt32Value max_consecutive_inbound_frames_with_empty_payload = 9; + + // Limit the number of inbound PRIORITY frames allowed per each opened stream. If the number + // of PRIORITY frames received over the lifetime of connection exceeds the value calculated + // using this formula:: + // + // ``max_inbound_priority_frames_per_stream`` * (1 + ``opened_streams``) + // + // the connection is terminated. For downstream connections the ``opened_streams`` is incremented when + // Envoy receives complete response headers from the upstream server. For upstream connection the + // ``opened_streams`` is incremented when Envoy send the HEADERS frame for a new stream. The + // ``http2.inbound_priority_frames_flood`` stat tracks + // the number of connections terminated due to flood mitigation. The default limit is 100. + google.protobuf.UInt32Value max_inbound_priority_frames_per_stream = 10; + + // Limit the number of inbound WINDOW_UPDATE frames allowed per DATA frame sent. If the number + // of WINDOW_UPDATE frames received over the lifetime of connection exceeds the value calculated + // using this formula:: + // + // 5 + 2 * (``opened_streams`` + + // ``max_inbound_window_update_frames_per_data_frame_sent`` * ``outbound_data_frames``) + // + // the connection is terminated. For downstream connections the ``opened_streams`` is incremented when + // Envoy receives complete response headers from the upstream server. For upstream connections the + // ``opened_streams`` is incremented when Envoy sends the HEADERS frame for a new stream. The + // ``http2.inbound_priority_frames_flood`` stat tracks the number of connections terminated due to + // flood mitigation. The default max_inbound_window_update_frames_per_data_frame_sent value is 10. + // Setting this to 1 should be enough to support HTTP/2 implementations with basic flow control, + // but more complex implementations that try to estimate available bandwidth require at least 2. + google.protobuf.UInt32Value max_inbound_window_update_frames_per_data_frame_sent = 11 + [(validate.rules).uint32 = {gte: 1}]; + + // Allows invalid HTTP messaging and headers. When this option is disabled (default), then + // the whole HTTP/2 connection is terminated upon receiving invalid HEADERS frame. However, + // when this option is enabled, only the offending stream is terminated. + // + // This is overridden by HCM :ref:`stream_error_on_invalid_http_messaging + // ` + // iff present. + // + // This is deprecated in favor of :ref:`override_stream_error_on_invalid_http_message + // ` + // + // See `RFC7540, sec. 8.1 `_ for details. + bool stream_error_on_invalid_http_messaging = 12 + [deprecated = true, (envoy.annotations.deprecated_at_minor_version) = "3.0"]; + + // Allows invalid HTTP messaging and headers. When this option is disabled (default), then + // the whole HTTP/2 connection is terminated upon receiving invalid HEADERS frame. However, + // when this option is enabled, only the offending stream is terminated. + // + // This overrides any HCM :ref:`stream_error_on_invalid_http_messaging + // ` + // + // See `RFC7540, sec. 8.1 `_ for details. + google.protobuf.BoolValue override_stream_error_on_invalid_http_message = 14; + + // [#not-implemented-hide:] + // Specifies SETTINGS frame parameters to be sent to the peer, with two exceptions: + // + // 1. SETTINGS_ENABLE_PUSH (0x2) is not configurable as HTTP/2 server push is not supported by + // Envoy. + // + // 2. SETTINGS_ENABLE_CONNECT_PROTOCOL (0x8) is only configurable through the named field + // 'allow_connect'. + // + // Note that custom parameters specified through this field can not also be set in the + // corresponding named parameters: + // + // .. code-block:: text + // + // ID Field Name + // ---------------- + // 0x1 hpack_table_size + // 0x3 max_concurrent_streams + // 0x4 initial_stream_window_size + // + // Collisions will trigger config validation failure on load/update. Likewise, inconsistencies + // between custom parameters with the same identifier will trigger a failure. + // + // See `IANA HTTP/2 Settings + // `_ for + // standardized identifiers. + repeated SettingsParameter custom_settings_parameters = 13; + + // Send HTTP/2 PING frames to verify that the connection is still healthy. If the remote peer + // does not respond within the configured timeout, the connection will be aborted. + KeepaliveSettings connection_keepalive = 15; +} + +// [#not-implemented-hide:] +message GrpcProtocolOptions { + option (udpa.annotations.versioning).previous_message_type = + "envoy.api.v2.core.GrpcProtocolOptions"; + + Http2ProtocolOptions http2_protocol_options = 1; +} + +// A message which allows using HTTP/3. +// [#next-free-field: 6] +message Http3ProtocolOptions { + QuicProtocolOptions quic_protocol_options = 1; + + // Allows invalid HTTP messaging and headers. When this option is disabled (default), then + // the whole HTTP/3 connection is terminated upon receiving invalid HEADERS frame. However, + // when this option is enabled, only the offending stream is terminated. + // + // If set, this overrides any HCM :ref:`stream_error_on_invalid_http_messaging + // `. + google.protobuf.BoolValue override_stream_error_on_invalid_http_message = 2; + + // Allows proxying Websocket and other upgrades over HTTP/3 CONNECT using + // the header mechanisms from the `HTTP/2 extended connect RFC + // `_ + // and settings `proposed for HTTP/3 + // `_ + // Note that HTTP/3 CONNECT is not yet an RFC. + bool allow_extended_connect = 5 [(xds.annotations.v3.field_status).work_in_progress = true]; +} + +// A message to control transformations to the :scheme header +message SchemeHeaderTransformation { + oneof transformation { + // Overwrite any Scheme header with the contents of this string. + string scheme_to_overwrite = 1 [(validate.rules).string = {in: "http" in: "https"}]; + } +} diff --git a/src/main/proto/envoy/config/core/v3/proxy_protocol.proto b/src/main/proto/envoy/config/core/v3/proxy_protocol.proto new file mode 100644 index 0000000..c276ce4 --- /dev/null +++ b/src/main/proto/envoy/config/core/v3/proxy_protocol.proto @@ -0,0 +1,26 @@ +syntax = "proto3"; + +package envoy.config.core.v3; + +import "udpa/annotations/status.proto"; + +option java_package = "io.envoyproxy.envoy.config.core.v3"; +option java_outer_classname = "ProxyProtocolProto"; +option java_multiple_files = true; +option go_package = "github.com/envoyproxy/go-control-plane/envoy/config/core/v3;corev3"; +option (udpa.annotations.file_status).package_version_status = ACTIVE; + +// [#protodoc-title: Proxy protocol] + +message ProxyProtocolConfig { + enum Version { + // PROXY protocol version 1. Human readable format. + V1 = 0; + + // PROXY protocol version 2. Binary format. + V2 = 1; + } + + // The PROXY protocol version to use. See https://www.haproxy.org/download/2.1/doc/proxy-protocol.txt for details + Version version = 1; +} diff --git a/src/main/proto/envoy/config/core/v3/resolver.proto b/src/main/proto/envoy/config/core/v3/resolver.proto new file mode 100644 index 0000000..f4d103a --- /dev/null +++ b/src/main/proto/envoy/config/core/v3/resolver.proto @@ -0,0 +1,36 @@ +syntax = "proto3"; + +package envoy.config.core.v3; + +import "envoy/config/core/v3/address.proto"; + +import "udpa/annotations/status.proto"; +import "validate/validate.proto"; + +option java_package = "io.envoyproxy.envoy.config.core.v3"; +option java_outer_classname = "ResolverProto"; +option java_multiple_files = true; +option go_package = "github.com/envoyproxy/go-control-plane/envoy/config/core/v3;corev3"; +option (udpa.annotations.file_status).package_version_status = ACTIVE; + +// [#protodoc-title: Resolver] + +// Configuration of DNS resolver option flags which control the behavior of the DNS resolver. +message DnsResolverOptions { + // Use TCP for all DNS queries instead of the default protocol UDP. + bool use_tcp_for_dns_lookups = 1; + + // Do not use the default search domains; only query hostnames as-is or as aliases. + bool no_default_search_domain = 2; +} + +// DNS resolution configuration which includes the underlying dns resolver addresses and options. +message DnsResolutionConfig { + // A list of dns resolver addresses. If specified, the DNS client library will perform resolution + // via the underlying DNS resolvers. Otherwise, the default system resolvers + // (e.g., /etc/resolv.conf) will be used. + repeated Address resolvers = 1 [(validate.rules).repeated = {min_items: 1}]; + + // Configuration of DNS resolver option flags which control the behavior of the DNS resolver. + DnsResolverOptions dns_resolver_options = 2; +} diff --git a/src/main/proto/envoy/config/core/v3/socket_option.proto b/src/main/proto/envoy/config/core/v3/socket_option.proto new file mode 100644 index 0000000..44f1ce3 --- /dev/null +++ b/src/main/proto/envoy/config/core/v3/socket_option.proto @@ -0,0 +1,81 @@ +syntax = "proto3"; + +package envoy.config.core.v3; + +import "udpa/annotations/status.proto"; +import "udpa/annotations/versioning.proto"; +import "validate/validate.proto"; + +option java_package = "io.envoyproxy.envoy.config.core.v3"; +option java_outer_classname = "SocketOptionProto"; +option java_multiple_files = true; +option go_package = "github.com/envoyproxy/go-control-plane/envoy/config/core/v3;corev3"; +option (udpa.annotations.file_status).package_version_status = ACTIVE; + +// [#protodoc-title: Socket option] + +// Generic socket option message. This would be used to set socket options that +// might not exist in upstream kernels or precompiled Envoy binaries. +// +// For example: +// +// .. code-block:: json +// +// { +// "description": "support tcp keep alive", +// "state": 0, +// "level": 1, +// "name": 9, +// "int_value": 1, +// } +// +// 1 means SOL_SOCKET and 9 means SO_KEEPALIVE on Linux. +// With the above configuration, `TCP Keep-Alives `_ +// can be enabled in socket with Linux, which can be used in +// :ref:`listener's` or +// :ref:`admin's ` socket_options etc. +// +// It should be noted that the name or level may have different values on different platforms. +// [#next-free-field: 7] +message SocketOption { + option (udpa.annotations.versioning).previous_message_type = "envoy.api.v2.core.SocketOption"; + + enum SocketState { + // Socket options are applied after socket creation but before binding the socket to a port + STATE_PREBIND = 0; + + // Socket options are applied after binding the socket to a port but before calling listen() + STATE_BOUND = 1; + + // Socket options are applied after calling listen() + STATE_LISTENING = 2; + } + + // An optional name to give this socket option for debugging, etc. + // Uniqueness is not required and no special meaning is assumed. + string description = 1; + + // Corresponding to the level value passed to setsockopt, such as IPPROTO_TCP + int64 level = 2; + + // The numeric name as passed to setsockopt + int64 name = 3; + + oneof value { + option (validate.required) = true; + + // Because many sockopts take an int value. + int64 int_value = 4; + + // Otherwise it's a byte buffer. + bytes buf_value = 5; + } + + // The state in which the option will be applied. When used in BindConfig + // STATE_PREBIND is currently the only valid value. + SocketState state = 6 [(validate.rules).enum = {defined_only: true}]; +} + +message SocketOptionsOverride { + repeated SocketOption socket_options = 1; +} diff --git a/src/main/proto/envoy/config/core/v3/substitution_format_string.proto b/src/main/proto/envoy/config/core/v3/substitution_format_string.proto new file mode 100644 index 0000000..11c834a --- /dev/null +++ b/src/main/proto/envoy/config/core/v3/substitution_format_string.proto @@ -0,0 +1,116 @@ +syntax = "proto3"; + +package envoy.config.core.v3; + +import "envoy/config/core/v3/base.proto"; +import "envoy/config/core/v3/extension.proto"; + +import "google/protobuf/struct.proto"; + +import "envoy/annotations/deprecation.proto"; +import "udpa/annotations/status.proto"; +import "validate/validate.proto"; + +option java_package = "io.envoyproxy.envoy.config.core.v3"; +option java_outer_classname = "SubstitutionFormatStringProto"; +option java_multiple_files = true; +option go_package = "github.com/envoyproxy/go-control-plane/envoy/config/core/v3;corev3"; +option (udpa.annotations.file_status).package_version_status = ACTIVE; + +// [#protodoc-title: Substitution format string] + +// Configuration to use multiple :ref:`command operators ` +// to generate a new string in either plain text or JSON format. +// [#next-free-field: 7] +message SubstitutionFormatString { + oneof format { + option (validate.required) = true; + + // Specify a format with command operators to form a text string. + // Its details is described in :ref:`format string`. + // + // For example, setting ``text_format`` like below, + // + // .. validated-code-block:: yaml + // :type-name: envoy.config.core.v3.SubstitutionFormatString + // + // text_format: "%LOCAL_REPLY_BODY%:%RESPONSE_CODE%:path=%REQ(:path)%\n" + // + // generates plain text similar to: + // + // .. code-block:: text + // + // upstream connect error:503:path=/foo + // + // Deprecated in favor of :ref:`text_format_source `. To migrate text format strings, use the :ref:`inline_string ` field. + string text_format = 1 + [deprecated = true, (envoy.annotations.deprecated_at_minor_version) = "3.0"]; + + // Specify a format with command operators to form a JSON string. + // Its details is described in :ref:`format dictionary`. + // Values are rendered as strings, numbers, or boolean values as appropriate. + // Nested JSON objects may be produced by some command operators (e.g. FILTER_STATE or DYNAMIC_METADATA). + // See the documentation for a specific command operator for details. + // + // .. validated-code-block:: yaml + // :type-name: envoy.config.core.v3.SubstitutionFormatString + // + // json_format: + // status: "%RESPONSE_CODE%" + // message: "%LOCAL_REPLY_BODY%" + // + // The following JSON object would be created: + // + // .. code-block:: json + // + // { + // "status": 500, + // "message": "My error message" + // } + // + google.protobuf.Struct json_format = 2 [(validate.rules).message = {required: true}]; + + // Specify a format with command operators to form a text string. + // Its details is described in :ref:`format string`. + // + // For example, setting ``text_format`` like below, + // + // .. validated-code-block:: yaml + // :type-name: envoy.config.core.v3.SubstitutionFormatString + // + // text_format_source: + // inline_string: "%LOCAL_REPLY_BODY%:%RESPONSE_CODE%:path=%REQ(:path)%\n" + // + // generates plain text similar to: + // + // .. code-block:: text + // + // upstream connect error:503:path=/foo + // + DataSource text_format_source = 5; + } + + // If set to true, when command operators are evaluated to null, + // + // * for ``text_format``, the output of the empty operator is changed from ``-`` to an + // empty string, so that empty values are omitted entirely. + // * for ``json_format`` the keys with null values are omitted in the output structure. + bool omit_empty_values = 3; + + // Specify a ``content_type`` field. + // If this field is not set then ``text/plain`` is used for ``text_format`` and + // ``application/json`` is used for ``json_format``. + // + // .. validated-code-block:: yaml + // :type-name: envoy.config.core.v3.SubstitutionFormatString + // + // content_type: "text/html; charset=UTF-8" + // + string content_type = 4 + [(validate.rules).string = {well_known_regex: HTTP_HEADER_VALUE strict: false}]; + + // Specifies a collection of Formatter plugins that can be called from the access log configuration. + // See the formatters extensions documentation for details. + // [#extension-category: envoy.formatter] + repeated TypedExtensionConfig formatters = 6; +} diff --git a/src/main/proto/envoy/config/core/v3/udp_socket_config.proto b/src/main/proto/envoy/config/core/v3/udp_socket_config.proto new file mode 100644 index 0000000..ec9f77f --- /dev/null +++ b/src/main/proto/envoy/config/core/v3/udp_socket_config.proto @@ -0,0 +1,32 @@ +syntax = "proto3"; + +package envoy.config.core.v3; + +import "google/protobuf/wrappers.proto"; + +import "udpa/annotations/status.proto"; +import "validate/validate.proto"; + +option java_package = "io.envoyproxy.envoy.config.core.v3"; +option java_outer_classname = "UdpSocketConfigProto"; +option java_multiple_files = true; +option go_package = "github.com/envoyproxy/go-control-plane/envoy/config/core/v3;corev3"; +option (udpa.annotations.file_status).package_version_status = ACTIVE; + +// [#protodoc-title: UDP socket config] + +// Generic UDP socket configuration. +message UdpSocketConfig { + // The maximum size of received UDP datagrams. Using a larger size will cause Envoy to allocate + // more memory per socket. Received datagrams above this size will be dropped. If not set + // defaults to 1500 bytes. + google.protobuf.UInt64Value max_rx_datagram_size = 1 + [(validate.rules).uint64 = {lt: 65536 gt: 0}]; + + // Configures whether Generic Receive Offload (GRO) + // _ is preferred when reading from the + // UDP socket. The default is context dependent and is documented where UdpSocketConfig is used. + // This option affects performance but not functionality. If GRO is not supported by the operating + // system, non-GRO receive will be used. + google.protobuf.BoolValue prefer_gro = 2; +} diff --git a/src/main/proto/envoy/config/route/v3/route.proto b/src/main/proto/envoy/config/route/v3/route.proto new file mode 100644 index 0000000..d7bc854 --- /dev/null +++ b/src/main/proto/envoy/config/route/v3/route.proto @@ -0,0 +1,165 @@ +syntax = "proto3"; + +package envoy.config.route.v3; + +import "envoy/config/core/v3/base.proto"; +import "envoy/config/core/v3/config_source.proto"; +import "envoy/config/route/v3/route_components.proto"; + +import "google/protobuf/any.proto"; +import "google/protobuf/wrappers.proto"; + +import "udpa/annotations/status.proto"; +import "udpa/annotations/versioning.proto"; +import "validate/validate.proto"; + +option java_package = "io.envoyproxy.envoy.config.route.v3"; +option java_outer_classname = "RouteProto"; +option java_multiple_files = true; +option go_package = "github.com/envoyproxy/go-control-plane/envoy/config/route/v3;routev3"; +option (udpa.annotations.file_status).package_version_status = ACTIVE; + +// [#protodoc-title: HTTP route configuration] +// * Routing :ref:`architecture overview ` +// * HTTP :ref:`router filter ` + +// [#next-free-field: 17] +message RouteConfiguration { + option (udpa.annotations.versioning).previous_message_type = "envoy.api.v2.RouteConfiguration"; + + // The name of the route configuration. For example, it might match + // :ref:`route_config_name + // ` in + // :ref:`envoy_v3_api_msg_extensions.filters.network.http_connection_manager.v3.Rds`. + string name = 1; + + // An array of virtual hosts that make up the route table. + repeated VirtualHost virtual_hosts = 2; + + // An array of virtual hosts will be dynamically loaded via the VHDS API. + // Both ``virtual_hosts`` and ``vhds`` fields will be used when present. ``virtual_hosts`` can be used + // for a base routing table or for infrequently changing virtual hosts. ``vhds`` is used for + // on-demand discovery of virtual hosts. The contents of these two fields will be merged to + // generate a routing table for a given RouteConfiguration, with ``vhds`` derived configuration + // taking precedence. + Vhds vhds = 9; + + // Optionally specifies a list of HTTP headers that the connection manager + // will consider to be internal only. If they are found on external requests they will be cleaned + // prior to filter invocation. See :ref:`config_http_conn_man_headers_x-envoy-internal` for more + // information. + repeated string internal_only_headers = 3 [ + (validate.rules).repeated = {items {string {well_known_regex: HTTP_HEADER_NAME strict: false}}} + ]; + + // Specifies a list of HTTP headers that should be added to each response that + // the connection manager encodes. Headers specified at this level are applied + // after headers from any enclosed :ref:`envoy_v3_api_msg_config.route.v3.VirtualHost` or + // :ref:`envoy_v3_api_msg_config.route.v3.RouteAction`. For more information, including details on + // header value syntax, see the documentation on :ref:`custom request headers + // `. + repeated core.v3.HeaderValueOption response_headers_to_add = 4 + [(validate.rules).repeated = {max_items: 1000}]; + + // Specifies a list of HTTP headers that should be removed from each response + // that the connection manager encodes. + repeated string response_headers_to_remove = 5 [ + (validate.rules).repeated = {items {string {well_known_regex: HTTP_HEADER_NAME strict: false}}} + ]; + + // Specifies a list of HTTP headers that should be added to each request + // routed by the HTTP connection manager. Headers specified at this level are + // applied after headers from any enclosed :ref:`envoy_v3_api_msg_config.route.v3.VirtualHost` or + // :ref:`envoy_v3_api_msg_config.route.v3.RouteAction`. For more information, including details on + // header value syntax, see the documentation on :ref:`custom request headers + // `. + repeated core.v3.HeaderValueOption request_headers_to_add = 6 + [(validate.rules).repeated = {max_items: 1000}]; + + // Specifies a list of HTTP headers that should be removed from each request + // routed by the HTTP connection manager. + repeated string request_headers_to_remove = 8 [ + (validate.rules).repeated = {items {string {well_known_regex: HTTP_HEADER_NAME strict: false}}} + ]; + + // By default, headers that should be added/removed are evaluated from most to least specific: + // + // * route level + // * virtual host level + // * connection manager level + // + // To allow setting overrides at the route or virtual host level, this order can be reversed + // by setting this option to true. Defaults to false. + // + bool most_specific_header_mutations_wins = 10; + + // An optional boolean that specifies whether the clusters that the route + // table refers to will be validated by the cluster manager. If set to true + // and a route refers to a non-existent cluster, the route table will not + // load. If set to false and a route refers to a non-existent cluster, the + // route table will load and the router filter will return a 404 if the route + // is selected at runtime. This setting defaults to true if the route table + // is statically defined via the :ref:`route_config + // ` + // option. This setting default to false if the route table is loaded dynamically via the + // :ref:`rds + // ` + // option. Users may wish to override the default behavior in certain cases (for example when + // using CDS with a static route table). + google.protobuf.BoolValue validate_clusters = 7; + + // The maximum bytes of the response :ref:`direct response body + // ` size. If not specified the default + // is 4096. + // + // .. warning:: + // + // Envoy currently holds the content of :ref:`direct response body + // ` in memory. Be careful setting + // this to be larger than the default 4KB, since the allocated memory for direct response body + // is not subject to data plane buffering controls. + // + google.protobuf.UInt32Value max_direct_response_body_size_bytes = 11; + + // A list of plugins and their configurations which may be used by a + // :ref:`cluster specifier plugin name ` + // within the route. All ``extension.name`` fields in this list must be unique. + repeated ClusterSpecifierPlugin cluster_specifier_plugins = 12; + + // Specify a set of default request mirroring policies which apply to all routes under its virtual hosts. + // Note that policies are not merged, the most specific non-empty one becomes the mirror policies. + repeated RouteAction.RequestMirrorPolicy request_mirror_policies = 13; + + // By default, port in :authority header (if any) is used in host matching. + // With this option enabled, Envoy will ignore the port number in the :authority header (if any) when picking VirtualHost. + // NOTE: this option will not strip the port number (if any) contained in route config + // :ref:`envoy_v3_api_msg_config.route.v3.VirtualHost`.domains field. + bool ignore_port_in_host_matching = 14; + + // Ignore path-parameters in path-matching. + // Before RFC3986, URI were like(RFC1808): :///;?# + // Envoy by default takes ":path" as ";". + // For users who want to only match path on the "" portion, this option should be true. + bool ignore_path_parameters_in_path_matching = 15; + + // The typed_per_filter_config field can be used to provide RouteConfiguration level per filter config. + // The key should match the :ref:`filter config name + // `. + // The canonical filter name (e.g., ``envoy.filters.http.buffer`` for the HTTP buffer filter) can also + // be used for the backwards compatibility. If there is no entry referred by the filter config name, the + // entry referred by the canonical filter name will be provided to the filters as fallback. + // + // Use of this field is filter specific; + // see the :ref:`HTTP filter documentation ` for if and how it is utilized. + // [#comment: An entry's value may be wrapped in a + // :ref:`FilterConfig` + // message to specify additional options.] + map typed_per_filter_config = 16; +} + +message Vhds { + option (udpa.annotations.versioning).previous_message_type = "envoy.api.v2.Vhds"; + + // Configuration source specifier for VHDS. + core.v3.ConfigSource config_source = 1 [(validate.rules).message = {required: true}]; +} diff --git a/src/main/proto/envoy/config/route/v3/route_components.proto b/src/main/proto/envoy/config/route/v3/route_components.proto new file mode 100644 index 0000000..b0c0836 --- /dev/null +++ b/src/main/proto/envoy/config/route/v3/route_components.proto @@ -0,0 +1,2336 @@ +syntax = "proto3"; + +package envoy.config.route.v3; + +import "envoy/config/core/v3/base.proto"; +import "envoy/config/core/v3/extension.proto"; +import "envoy/config/core/v3/proxy_protocol.proto"; +import "envoy/type/matcher/v3/metadata.proto"; +import "envoy/type/matcher/v3/regex.proto"; +import "envoy/type/matcher/v3/string.proto"; +import "envoy/type/metadata/v3/metadata.proto"; +import "envoy/type/tracing/v3/custom_tag.proto"; +import "envoy/type/v3/percent.proto"; +import "envoy/type/v3/range.proto"; + +import "google/protobuf/any.proto"; +import "google/protobuf/duration.proto"; +import "google/protobuf/wrappers.proto"; + +import "xds/annotations/v3/status.proto"; +import "xds/type/matcher/v3/matcher.proto"; + +import "envoy/annotations/deprecation.proto"; +import "udpa/annotations/migrate.proto"; +import "udpa/annotations/status.proto"; +import "udpa/annotations/versioning.proto"; +import "validate/validate.proto"; + +option java_package = "io.envoyproxy.envoy.config.route.v3"; +option java_outer_classname = "RouteComponentsProto"; +option java_multiple_files = true; +option go_package = "github.com/envoyproxy/go-control-plane/envoy/config/route/v3;routev3"; +option (udpa.annotations.file_status).package_version_status = ACTIVE; + +// [#protodoc-title: HTTP route components] +// * Routing :ref:`architecture overview ` +// * HTTP :ref:`router filter ` + +// The top level element in the routing configuration is a virtual host. Each virtual host has +// a logical name as well as a set of domains that get routed to it based on the incoming request's +// host header. This allows a single listener to service multiple top level domain path trees. Once +// a virtual host is selected based on the domain, the routes are processed in order to see which +// upstream cluster to route to or whether to perform a redirect. +// [#next-free-field: 23] +message VirtualHost { + option (udpa.annotations.versioning).previous_message_type = "envoy.api.v2.route.VirtualHost"; + + enum TlsRequirementType { + // No TLS requirement for the virtual host. + NONE = 0; + + // External requests must use TLS. If a request is external and it is not + // using TLS, a 301 redirect will be sent telling the client to use HTTPS. + EXTERNAL_ONLY = 1; + + // All requests must use TLS. If a request is not using TLS, a 301 redirect + // will be sent telling the client to use HTTPS. + ALL = 2; + } + + reserved 9, 12; + + reserved "per_filter_config"; + + // The logical name of the virtual host. This is used when emitting certain + // statistics but is not relevant for routing. + string name = 1 [(validate.rules).string = {min_len: 1}]; + + // A list of domains (host/authority header) that will be matched to this + // virtual host. Wildcard hosts are supported in the suffix or prefix form. + // + // Domain search order: + // 1. Exact domain names: ``www.foo.com``. + // 2. Suffix domain wildcards: ``*.foo.com`` or ``*-bar.foo.com``. + // 3. Prefix domain wildcards: ``foo.*`` or ``foo-*``. + // 4. Special wildcard ``*`` matching any domain. + // + // .. note:: + // + // The wildcard will not match the empty string. + // e.g. ``*-bar.foo.com`` will match ``baz-bar.foo.com`` but not ``-bar.foo.com``. + // The longest wildcards match first. + // Only a single virtual host in the entire route configuration can match on ``*``. A domain + // must be unique across all virtual hosts or the config will fail to load. + // + // Domains cannot contain control characters. This is validated by the well_known_regex HTTP_HEADER_VALUE. + repeated string domains = 2 [(validate.rules).repeated = { + min_items: 1 + items {string {well_known_regex: HTTP_HEADER_VALUE strict: false}} + }]; + + // The list of routes that will be matched, in order, for incoming requests. + // The first route that matches will be used. + // Only one of this and ``matcher`` can be specified. + repeated Route routes = 3; + + // [#next-major-version: This should be included in a oneof with routes wrapped in a message.] + // The match tree to use when resolving route actions for incoming requests. Only one of this and ``routes`` + // can be specified. + xds.type.matcher.v3.Matcher matcher = 21 + [(xds.annotations.v3.field_status).work_in_progress = true]; + + // Specifies the type of TLS enforcement the virtual host expects. If this option is not + // specified, there is no TLS requirement for the virtual host. + TlsRequirementType require_tls = 4 [(validate.rules).enum = {defined_only: true}]; + + // A list of virtual clusters defined for this virtual host. Virtual clusters + // are used for additional statistics gathering. + repeated VirtualCluster virtual_clusters = 5; + + // Specifies a set of rate limit configurations that will be applied to the + // virtual host. + repeated RateLimit rate_limits = 6; + + // Specifies a list of HTTP headers that should be added to each request + // handled by this virtual host. Headers specified at this level are applied + // after headers from enclosed :ref:`envoy_v3_api_msg_config.route.v3.Route` and before headers from the + // enclosing :ref:`envoy_v3_api_msg_config.route.v3.RouteConfiguration`. For more information, including + // details on header value syntax, see the documentation on :ref:`custom request headers + // `. + repeated core.v3.HeaderValueOption request_headers_to_add = 7 + [(validate.rules).repeated = {max_items: 1000}]; + + // Specifies a list of HTTP headers that should be removed from each request + // handled by this virtual host. + repeated string request_headers_to_remove = 13 [(validate.rules).repeated = { + items {string {min_len: 1 well_known_regex: HTTP_HEADER_NAME strict: false}} + }]; + + // Specifies a list of HTTP headers that should be added to each response + // handled by this virtual host. Headers specified at this level are applied + // after headers from enclosed :ref:`envoy_v3_api_msg_config.route.v3.Route` and before headers from the + // enclosing :ref:`envoy_v3_api_msg_config.route.v3.RouteConfiguration`. For more information, including + // details on header value syntax, see the documentation on :ref:`custom request headers + // `. + repeated core.v3.HeaderValueOption response_headers_to_add = 10 + [(validate.rules).repeated = {max_items: 1000}]; + + // Specifies a list of HTTP headers that should be removed from each response + // handled by this virtual host. + repeated string response_headers_to_remove = 11 [(validate.rules).repeated = { + items {string {min_len: 1 well_known_regex: HTTP_HEADER_NAME strict: false}} + }]; + + // Indicates that the virtual host has a CORS policy. This field is ignored if related cors policy is + // found in the + // :ref:`VirtualHost.typed_per_filter_config`. + // + // .. attention:: + // + // This option has been deprecated. Please use + // :ref:`VirtualHost.typed_per_filter_config` + // to configure the CORS HTTP filter. + CorsPolicy cors = 8 [deprecated = true, (envoy.annotations.deprecated_at_minor_version) = "3.0"]; + + // The per_filter_config field can be used to provide virtual host-specific configurations for filters. + // The key should match the :ref:`filter config name + // `. + // The canonical filter name (e.g., ``envoy.filters.http.buffer`` for the HTTP buffer filter) can also + // be used for the backwards compatibility. If there is no entry referred by the filter config name, the + // entry referred by the canonical filter name will be provided to the filters as fallback. + // + // Use of this field is filter specific; + // see the :ref:`HTTP filter documentation ` for if and how it is utilized. + // [#comment: An entry's value may be wrapped in a + // :ref:`FilterConfig` + // message to specify additional options.] + map typed_per_filter_config = 15; + + // Decides whether the :ref:`x-envoy-attempt-count + // ` header should be included + // in the upstream request. Setting this option will cause it to override any existing header + // value, so in the case of two Envoys on the request path with this option enabled, the upstream + // will see the attempt count as perceived by the second Envoy. Defaults to false. + // This header is unaffected by the + // :ref:`suppress_envoy_headers + // ` flag. + // + // [#next-major-version: rename to include_attempt_count_in_request.] + bool include_request_attempt_count = 14; + + // Decides whether the :ref:`x-envoy-attempt-count + // ` header should be included + // in the downstream response. Setting this option will cause the router to override any existing header + // value, so in the case of two Envoys on the request path with this option enabled, the downstream + // will see the attempt count as perceived by the Envoy closest upstream from itself. Defaults to false. + // This header is unaffected by the + // :ref:`suppress_envoy_headers + // ` flag. + bool include_attempt_count_in_response = 19; + + // Indicates the retry policy for all routes in this virtual host. Note that setting a + // route level entry will take precedence over this config and it'll be treated + // independently (e.g.: values are not inherited). + RetryPolicy retry_policy = 16; + + // [#not-implemented-hide:] + // Specifies the configuration for retry policy extension. Note that setting a route level entry + // will take precedence over this config and it'll be treated independently (e.g.: values are not + // inherited). :ref:`Retry policy ` should not be + // set if this field is used. + google.protobuf.Any retry_policy_typed_config = 20; + + // Indicates the hedge policy for all routes in this virtual host. Note that setting a + // route level entry will take precedence over this config and it'll be treated + // independently (e.g.: values are not inherited). + HedgePolicy hedge_policy = 17; + + // The maximum bytes which will be buffered for retries and shadowing. + // If set and a route-specific limit is not set, the bytes actually buffered will be the minimum + // value of this and the listener per_connection_buffer_limit_bytes. + google.protobuf.UInt32Value per_request_buffer_limit_bytes = 18; + + // Specify a set of default request mirroring policies for every route under this virtual host. + // It takes precedence over the route config mirror policy entirely. + // That is, policies are not merged, the most specific non-empty one becomes the mirror policies. + repeated RouteAction.RequestMirrorPolicy request_mirror_policies = 22; +} + +// A filter-defined action type. +message FilterAction { + option (udpa.annotations.versioning).previous_message_type = "envoy.api.v2.route.FilterAction"; + + google.protobuf.Any action = 1; +} + +// A route is both a specification of how to match a request as well as an indication of what to do +// next (e.g., redirect, forward, rewrite, etc.). +// +// .. attention:: +// +// Envoy supports routing on HTTP method via :ref:`header matching +// `. +// [#next-free-field: 20] +message Route { + option (udpa.annotations.versioning).previous_message_type = "envoy.api.v2.route.Route"; + + reserved 6, 8; + + reserved "per_filter_config"; + + // Name for the route. + string name = 14; + + // Route matching parameters. + RouteMatch match = 1 [(validate.rules).message = {required: true}]; + + oneof action { + option (validate.required) = true; + + // Route request to some upstream cluster. + RouteAction route = 2; + + // Return a redirect. + RedirectAction redirect = 3; + + // Return an arbitrary HTTP response directly, without proxying. + DirectResponseAction direct_response = 7; + + // [#not-implemented-hide:] + // A filter-defined action (e.g., it could dynamically generate the RouteAction). + // [#comment: TODO(samflattery): Remove cleanup in route_fuzz_test.cc when + // implemented] + FilterAction filter_action = 17; + + // [#not-implemented-hide:] + // An action used when the route will generate a response directly, + // without forwarding to an upstream host. This will be used in non-proxy + // xDS clients like the gRPC server. It could also be used in the future + // in Envoy for a filter that directly generates responses for requests. + NonForwardingAction non_forwarding_action = 18; + } + + // The Metadata field can be used to provide additional information + // about the route. It can be used for configuration, stats, and logging. + // The metadata should go under the filter namespace that will need it. + // For instance, if the metadata is intended for the Router filter, + // the filter name should be specified as ``envoy.filters.http.router``. + core.v3.Metadata metadata = 4; + + // Decorator for the matched route. + Decorator decorator = 5; + + // The per_filter_config field can be used to provide route-specific configurations for filters. + // The key should match the :ref:`filter config name + // `. + // The canonical filter name (e.g., ``envoy.filters.http.buffer`` for the HTTP buffer filter) can also + // be used for the backwards compatibility. If there is no entry referred by the filter config name, the + // entry referred by the canonical filter name will be provided to the filters as fallback. + // + // Use of this field is filter specific; + // see the :ref:`HTTP filter documentation ` for if and how it is utilized. + // [#comment: An entry's value may be wrapped in a + // :ref:`FilterConfig` + // message to specify additional options.] + map typed_per_filter_config = 13; + + // Specifies a set of headers that will be added to requests matching this + // route. Headers specified at this level are applied before headers from the + // enclosing :ref:`envoy_v3_api_msg_config.route.v3.VirtualHost` and + // :ref:`envoy_v3_api_msg_config.route.v3.RouteConfiguration`. For more information, including details on + // header value syntax, see the documentation on :ref:`custom request headers + // `. + repeated core.v3.HeaderValueOption request_headers_to_add = 9 + [(validate.rules).repeated = {max_items: 1000}]; + + // Specifies a list of HTTP headers that should be removed from each request + // matching this route. + repeated string request_headers_to_remove = 12 [(validate.rules).repeated = { + items {string {min_len: 1 well_known_regex: HTTP_HEADER_NAME strict: false}} + }]; + + // Specifies a set of headers that will be added to responses to requests + // matching this route. Headers specified at this level are applied before + // headers from the enclosing :ref:`envoy_v3_api_msg_config.route.v3.VirtualHost` and + // :ref:`envoy_v3_api_msg_config.route.v3.RouteConfiguration`. For more information, including + // details on header value syntax, see the documentation on + // :ref:`custom request headers `. + repeated core.v3.HeaderValueOption response_headers_to_add = 10 + [(validate.rules).repeated = {max_items: 1000}]; + + // Specifies a list of HTTP headers that should be removed from each response + // to requests matching this route. + repeated string response_headers_to_remove = 11 [(validate.rules).repeated = { + items {string {min_len: 1 well_known_regex: HTTP_HEADER_NAME strict: false}} + }]; + + // Presence of the object defines whether the connection manager's tracing configuration + // is overridden by this route specific instance. + Tracing tracing = 15; + + // The maximum bytes which will be buffered for retries and shadowing. + // If set, the bytes actually buffered will be the minimum value of this and the + // listener per_connection_buffer_limit_bytes. + google.protobuf.UInt32Value per_request_buffer_limit_bytes = 16; + + // The human readable prefix to use when emitting statistics for this endpoint. + // The statistics are rooted at vhost..route.. + // This should be set for highly critical + // endpoints that one wishes to get “per-route” statistics on. + // If not set, endpoint statistics are not generated. + // + // The emitted statistics are the same as those documented for :ref:`virtual clusters `. + // + // .. warning:: + // + // We do not recommend setting up a stat prefix for + // every application endpoint. This is both not easily maintainable and + // statistics use a non-trivial amount of memory(approximately 1KiB per route). + string stat_prefix = 19; +} + +// Compared to the :ref:`cluster ` field that specifies a +// single upstream cluster as the target of a request, the :ref:`weighted_clusters +// ` option allows for specification of +// multiple upstream clusters along with weights that indicate the percentage of +// traffic to be forwarded to each cluster. The router selects an upstream cluster based on the +// weights. +message WeightedCluster { + option (udpa.annotations.versioning).previous_message_type = "envoy.api.v2.route.WeightedCluster"; + + // [#next-free-field: 13] + message ClusterWeight { + option (udpa.annotations.versioning).previous_message_type = + "envoy.api.v2.route.WeightedCluster.ClusterWeight"; + + reserved 7, 8; + + reserved "per_filter_config"; + + // Only one of ``name`` and ``cluster_header`` may be specified. + // [#next-major-version: Need to add back the validation rule: (validate.rules).string = {min_len: 1}] + // Name of the upstream cluster. The cluster must exist in the + // :ref:`cluster manager configuration `. + string name = 1 [(udpa.annotations.field_migrate).oneof_promotion = "cluster_specifier"]; + + // Only one of ``name`` and ``cluster_header`` may be specified. + // [#next-major-version: Need to add back the validation rule: (validate.rules).string = {min_len: 1 }] + // Envoy will determine the cluster to route to by reading the value of the + // HTTP header named by cluster_header from the request headers. If the + // header is not found or the referenced cluster does not exist, Envoy will + // return a 404 response. + // + // .. attention:: + // + // Internally, Envoy always uses the HTTP/2 ``:authority`` header to represent the HTTP/1 + // ``Host`` header. Thus, if attempting to match on ``Host``, match on ``:authority`` instead. + // + // .. note:: + // + // If the header appears multiple times only the first value is used. + string cluster_header = 12 [ + (validate.rules).string = {well_known_regex: HTTP_HEADER_NAME strict: false}, + (udpa.annotations.field_migrate).oneof_promotion = "cluster_specifier" + ]; + + // The weight of the cluster. This value is relative to the other clusters' + // weights. When a request matches the route, the choice of an upstream cluster + // is determined by its weight. The sum of weights across all + // entries in the clusters array must be greater than 0. + google.protobuf.UInt32Value weight = 2; + + // Optional endpoint metadata match criteria used by the subset load balancer. Only endpoints in + // the upstream cluster with metadata matching what is set in this field will be considered for + // load balancing. Note that this will be merged with what's provided in + // :ref:`RouteAction.metadata_match `, with + // values here taking precedence. The filter name should be specified as ``envoy.lb``. + core.v3.Metadata metadata_match = 3; + + // Specifies a list of headers to be added to requests when this cluster is selected + // through the enclosing :ref:`envoy_v3_api_msg_config.route.v3.RouteAction`. + // Headers specified at this level are applied before headers from the enclosing + // :ref:`envoy_v3_api_msg_config.route.v3.Route`, :ref:`envoy_v3_api_msg_config.route.v3.VirtualHost`, and + // :ref:`envoy_v3_api_msg_config.route.v3.RouteConfiguration`. For more information, including details on + // header value syntax, see the documentation on :ref:`custom request headers + // `. + repeated core.v3.HeaderValueOption request_headers_to_add = 4 + [(validate.rules).repeated = {max_items: 1000}]; + + // Specifies a list of HTTP headers that should be removed from each request when + // this cluster is selected through the enclosing :ref:`envoy_v3_api_msg_config.route.v3.RouteAction`. + repeated string request_headers_to_remove = 9 [(validate.rules).repeated = { + items {string {well_known_regex: HTTP_HEADER_NAME strict: false}} + }]; + + // Specifies a list of headers to be added to responses when this cluster is selected + // through the enclosing :ref:`envoy_v3_api_msg_config.route.v3.RouteAction`. + // Headers specified at this level are applied before headers from the enclosing + // :ref:`envoy_v3_api_msg_config.route.v3.Route`, :ref:`envoy_v3_api_msg_config.route.v3.VirtualHost`, and + // :ref:`envoy_v3_api_msg_config.route.v3.RouteConfiguration`. For more information, including details on + // header value syntax, see the documentation on :ref:`custom request headers + // `. + repeated core.v3.HeaderValueOption response_headers_to_add = 5 + [(validate.rules).repeated = {max_items: 1000}]; + + // Specifies a list of headers to be removed from responses when this cluster is selected + // through the enclosing :ref:`envoy_v3_api_msg_config.route.v3.RouteAction`. + repeated string response_headers_to_remove = 6 [(validate.rules).repeated = { + items {string {well_known_regex: HTTP_HEADER_NAME strict: false}} + }]; + + // The per_filter_config field can be used to provide weighted cluster-specific configurations + // for filters. + // The key should match the :ref:`filter config name + // `. + // The canonical filter name (e.g., ``envoy.filters.http.buffer`` for the HTTP buffer filter) can also + // be used for the backwards compatibility. If there is no entry referred by the filter config name, the + // entry referred by the canonical filter name will be provided to the filters as fallback. + // + // Use of this field is filter specific; + // see the :ref:`HTTP filter documentation ` for if and how it is utilized. + // [#comment: An entry's value may be wrapped in a + // :ref:`FilterConfig` + // message to specify additional options.] + map typed_per_filter_config = 10; + + oneof host_rewrite_specifier { + // Indicates that during forwarding, the host header will be swapped with + // this value. + string host_rewrite_literal = 11 + [(validate.rules).string = {well_known_regex: HTTP_HEADER_VALUE strict: false}]; + } + } + + // Specifies one or more upstream clusters associated with the route. + repeated ClusterWeight clusters = 1 [(validate.rules).repeated = {min_items: 1}]; + + // Specifies the total weight across all clusters. The sum of all cluster weights must equal this + // value, if this is greater than 0. + // This field is now deprecated, and the client will use the sum of all + // cluster weights. It is up to the management server to supply the correct weights. + google.protobuf.UInt32Value total_weight = 3 + [deprecated = true, (envoy.annotations.deprecated_at_minor_version) = "3.0"]; + + // Specifies the runtime key prefix that should be used to construct the + // runtime keys associated with each cluster. When the ``runtime_key_prefix`` is + // specified, the router will look for weights associated with each upstream + // cluster under the key ``runtime_key_prefix`` + ``.`` + ``cluster[i].name`` where + // ``cluster[i]`` denotes an entry in the clusters array field. If the runtime + // key for the cluster does not exist, the value specified in the + // configuration file will be used as the default weight. See the :ref:`runtime documentation + // ` for how key names map to the underlying implementation. + string runtime_key_prefix = 2; + + oneof random_value_specifier { + // Specifies the header name that is used to look up the random value passed in the request header. + // This is used to ensure consistent cluster picking across multiple proxy levels for weighted traffic. + // If header is not present or invalid, Envoy will fall back to use the internally generated random value. + // This header is expected to be single-valued header as we only want to have one selected value throughout + // the process for the consistency. And the value is a unsigned number between 0 and UINT64_MAX. + string header_name = 4 + [(validate.rules).string = {well_known_regex: HTTP_HEADER_NAME strict: false}]; + } +} + +// Configuration for a cluster specifier plugin. +message ClusterSpecifierPlugin { + // The name of the plugin and its opaque configuration. + core.v3.TypedExtensionConfig extension = 1 [(validate.rules).message = {required: true}]; + + // If is_optional is not set or is set to false and the plugin defined by this message is not a + // supported type, the containing resource is NACKed. If is_optional is set to true, the resource + // would not be NACKed for this reason. In this case, routes referencing this plugin's name would + // not be treated as an illegal configuration, but would result in a failure if the route is + // selected. + bool is_optional = 2; +} + +// [#next-free-field: 16] +message RouteMatch { + option (udpa.annotations.versioning).previous_message_type = "envoy.api.v2.route.RouteMatch"; + + message GrpcRouteMatchOptions { + option (udpa.annotations.versioning).previous_message_type = + "envoy.api.v2.route.RouteMatch.GrpcRouteMatchOptions"; + } + + message TlsContextMatchOptions { + option (udpa.annotations.versioning).previous_message_type = + "envoy.api.v2.route.RouteMatch.TlsContextMatchOptions"; + + // If specified, the route will match against whether or not a certificate is presented. + // If not specified, certificate presentation status (true or false) will not be considered when route matching. + google.protobuf.BoolValue presented = 1; + + // If specified, the route will match against whether or not a certificate is validated. + // If not specified, certificate validation status (true or false) will not be considered when route matching. + google.protobuf.BoolValue validated = 2; + } + + // An extensible message for matching CONNECT requests. + message ConnectMatcher { + } + + reserved 5, 3; + + reserved "regex"; + + oneof path_specifier { + option (validate.required) = true; + + // If specified, the route is a prefix rule meaning that the prefix must + // match the beginning of the ``:path`` header. + string prefix = 1; + + // If specified, the route is an exact path rule meaning that the path must + // exactly match the ``:path`` header once the query string is removed. + string path = 2; + + // If specified, the route is a regular expression rule meaning that the + // regex must match the ``:path`` header once the query string is removed. The entire path + // (without the query string) must match the regex. The rule will not match if only a + // subsequence of the ``:path`` header matches the regex. + // + // [#next-major-version: In the v3 API we should redo how path specification works such + // that we utilize StringMatcher, and additionally have consistent options around whether we + // strip query strings, do a case sensitive match, etc. In the interim it will be too disruptive + // to deprecate the existing options. We should even consider whether we want to do away with + // path_specifier entirely and just rely on a set of header matchers which can already match + // on :path, etc. The issue with that is it is unclear how to generically deal with query string + // stripping. This needs more thought.] + type.matcher.v3.RegexMatcher safe_regex = 10 [(validate.rules).message = {required: true}]; + + // If this is used as the matcher, the matcher will only match CONNECT requests. + // Note that this will not match HTTP/2 upgrade-style CONNECT requests + // (WebSocket and the like) as they are normalized in Envoy as HTTP/1.1 style + // upgrades. + // This is the only way to match CONNECT requests for HTTP/1.1. For HTTP/2, + // where Extended CONNECT requests may have a path, the path matchers will work if + // there is a path present. + // Note that CONNECT support is currently considered alpha in Envoy. + // [#comment: TODO(htuch): Replace the above comment with an alpha tag.] + ConnectMatcher connect_matcher = 12; + + // If specified, the route is a path-separated prefix rule meaning that the + // ``:path`` header (without the query string) must either exactly match the + // ``path_separated_prefix`` or have it as a prefix, followed by ``/`` + // + // For example, ``/api/dev`` would match + // ``/api/dev``, ``/api/dev/``, ``/api/dev/v1``, and ``/api/dev?param=true`` + // but would not match ``/api/developer`` + // + // Expect the value to not contain ``?`` or ``#`` and not to end in ``/`` + string path_separated_prefix = 14 [(validate.rules).string = {pattern: "^[^?#]+[^?#/]$"}]; + + // [#extension-category: envoy.path.match] + core.v3.TypedExtensionConfig path_match_policy = 15; + } + + // Indicates that prefix/path matching should be case sensitive. The default + // is true. Ignored for safe_regex matching. + google.protobuf.BoolValue case_sensitive = 4; + + // Indicates that the route should additionally match on a runtime key. Every time the route + // is considered for a match, it must also fall under the percentage of matches indicated by + // this field. For some fraction N/D, a random number in the range [0,D) is selected. If the + // number is <= the value of the numerator N, or if the key is not present, the default + // value, the router continues to evaluate the remaining match criteria. A runtime_fraction + // route configuration can be used to roll out route changes in a gradual manner without full + // code/config deploys. Refer to the :ref:`traffic shifting + // ` docs for additional documentation. + // + // .. note:: + // + // Parsing this field is implemented such that the runtime key's data may be represented + // as a FractionalPercent proto represented as JSON/YAML and may also be represented as an + // integer with the assumption that the value is an integral percentage out of 100. For + // instance, a runtime key lookup returning the value "42" would parse as a FractionalPercent + // whose numerator is 42 and denominator is HUNDRED. This preserves legacy semantics. + core.v3.RuntimeFractionalPercent runtime_fraction = 9; + + // Specifies a set of headers that the route should match on. The router will + // check the request’s headers against all the specified headers in the route + // config. A match will happen if all the headers in the route are present in + // the request with the same values (or based on presence if the value field + // is not in the config). + repeated HeaderMatcher headers = 6; + + // Specifies a set of URL query parameters on which the route should + // match. The router will check the query string from the ``path`` header + // against all the specified query parameters. If the number of specified + // query parameters is nonzero, they all must match the ``path`` header's + // query string for a match to occur. + // + // .. note:: + // + // If query parameters are used to pass request message fields when + // `grpc_json_transcoder `_ + // is used, the transcoded message fields maybe different. The query parameters are + // url encoded, but the message fields are not. For example, if a query + // parameter is "foo%20bar", the message field will be "foo bar". + repeated QueryParameterMatcher query_parameters = 7; + + // If specified, only gRPC requests will be matched. The router will check + // that the content-type header has a application/grpc or one of the various + // application/grpc+ values. + GrpcRouteMatchOptions grpc = 8; + + // If specified, the client tls context will be matched against the defined + // match options. + // + // [#next-major-version: unify with RBAC] + TlsContextMatchOptions tls_context = 11; + + // Specifies a set of dynamic metadata matchers on which the route should match. + // The router will check the dynamic metadata against all the specified dynamic metadata matchers. + // If the number of specified dynamic metadata matchers is nonzero, they all must match the + // dynamic metadata for a match to occur. + repeated type.matcher.v3.MetadataMatcher dynamic_metadata = 13; +} + +// Cors policy configuration. +// +// .. attention:: +// +// This message has been deprecated. Please use +// :ref:`CorsPolicy in filter extension ` +// as as alternative. +// +// [#next-free-field: 13] +message CorsPolicy { + option (udpa.annotations.versioning).previous_message_type = "envoy.api.v2.route.CorsPolicy"; + + reserved 1, 8, 7; + + reserved "allow_origin", "allow_origin_regex", "enabled"; + + // Specifies string patterns that match allowed origins. An origin is allowed if any of the + // string matchers match. + repeated type.matcher.v3.StringMatcher allow_origin_string_match = 11; + + // Specifies the content for the ``access-control-allow-methods`` header. + string allow_methods = 2; + + // Specifies the content for the ``access-control-allow-headers`` header. + string allow_headers = 3; + + // Specifies the content for the ``access-control-expose-headers`` header. + string expose_headers = 4; + + // Specifies the content for the ``access-control-max-age`` header. + string max_age = 5; + + // Specifies whether the resource allows credentials. + google.protobuf.BoolValue allow_credentials = 6; + + oneof enabled_specifier { + // Specifies the % of requests for which the CORS filter is enabled. + // + // If neither ``enabled``, ``filter_enabled``, nor ``shadow_enabled`` are specified, the CORS + // filter will be enabled for 100% of the requests. + // + // If :ref:`runtime_key ` is + // specified, Envoy will lookup the runtime key to get the percentage of requests to filter. + core.v3.RuntimeFractionalPercent filter_enabled = 9; + } + + // Specifies the % of requests for which the CORS policies will be evaluated and tracked, but not + // enforced. + // + // This field is intended to be used when ``filter_enabled`` and ``enabled`` are off. One of those + // fields have to explicitly disable the filter in order for this setting to take effect. + // + // If :ref:`runtime_key ` is specified, + // Envoy will lookup the runtime key to get the percentage of requests for which it will evaluate + // and track the request's ``Origin`` to determine if it's valid but will not enforce any policies. + core.v3.RuntimeFractionalPercent shadow_enabled = 10; + + // Specify whether allow requests whose target server's IP address is more private than that from + // which the request initiator was fetched. + // + // More details refer to https://developer.chrome.com/blog/private-network-access-preflight. + google.protobuf.BoolValue allow_private_network_access = 12; +} + +// [#next-free-field: 42] +message RouteAction { + option (udpa.annotations.versioning).previous_message_type = "envoy.api.v2.route.RouteAction"; + + enum ClusterNotFoundResponseCode { + // HTTP status code - 503 Service Unavailable. + SERVICE_UNAVAILABLE = 0; + + // HTTP status code - 404 Not Found. + NOT_FOUND = 1; + + // HTTP status code - 500 Internal Server Error. + INTERNAL_SERVER_ERROR = 2; + } + + // Configures :ref:`internal redirect ` behavior. + // [#next-major-version: remove this definition - it's defined in the InternalRedirectPolicy message.] + enum InternalRedirectAction { + option deprecated = true; + + PASS_THROUGH_INTERNAL_REDIRECT = 0; + HANDLE_INTERNAL_REDIRECT = 1; + } + + // The router is capable of shadowing traffic from one cluster to another. The current + // implementation is "fire and forget," meaning Envoy will not wait for the shadow cluster to + // respond before returning the response from the primary cluster. All normal statistics are + // collected for the shadow cluster making this feature useful for testing. + // + // During shadowing, the host/authority header is altered such that ``-shadow`` is appended. This is + // useful for logging. For example, ``cluster1`` becomes ``cluster1-shadow``. + // + // .. note:: + // + // Shadowing will not be triggered if the primary cluster does not exist. + // + // .. note:: + // + // Shadowing doesn't support Http CONNECT and upgrades. + // [#next-free-field: 6] + message RequestMirrorPolicy { + option (udpa.annotations.versioning).previous_message_type = + "envoy.api.v2.route.RouteAction.RequestMirrorPolicy"; + + reserved 2; + + reserved "runtime_key"; + + // Only one of ``cluster`` and ``cluster_header`` can be specified. + // [#next-major-version: Need to add back the validation rule: (validate.rules).string = {min_len: 1}] + // Specifies the cluster that requests will be mirrored to. The cluster must + // exist in the cluster manager configuration. + string cluster = 1 [(udpa.annotations.field_migrate).oneof_promotion = "cluster_specifier"]; + + // Only one of ``cluster`` and ``cluster_header`` can be specified. + // Envoy will determine the cluster to route to by reading the value of the + // HTTP header named by cluster_header from the request headers. Only the first value in header is used, + // and no shadow request will happen if the value is not found in headers. Envoy will not wait for + // the shadow cluster to respond before returning the response from the primary cluster. + // + // .. attention:: + // + // Internally, Envoy always uses the HTTP/2 ``:authority`` header to represent the HTTP/1 + // ``Host`` header. Thus, if attempting to match on ``Host``, match on ``:authority`` instead. + // + // .. note:: + // + // If the header appears multiple times only the first value is used. + string cluster_header = 5 [ + (validate.rules).string = {well_known_regex: HTTP_HEADER_NAME strict: false}, + (udpa.annotations.field_migrate).oneof_promotion = "cluster_specifier" + ]; + + // If not specified, all requests to the target cluster will be mirrored. + // + // If specified, this field takes precedence over the ``runtime_key`` field and requests must also + // fall under the percentage of matches indicated by this field. + // + // For some fraction N/D, a random number in the range [0,D) is selected. If the + // number is <= the value of the numerator N, or if the key is not present, the default + // value, the request will be mirrored. + core.v3.RuntimeFractionalPercent runtime_fraction = 3; + + // Determines if the trace span should be sampled. Defaults to true. + google.protobuf.BoolValue trace_sampled = 4; + } + + // Specifies the route's hashing policy if the upstream cluster uses a hashing :ref:`load balancer + // `. + // [#next-free-field: 7] + message HashPolicy { + option (udpa.annotations.versioning).previous_message_type = + "envoy.api.v2.route.RouteAction.HashPolicy"; + + message Header { + option (udpa.annotations.versioning).previous_message_type = + "envoy.api.v2.route.RouteAction.HashPolicy.Header"; + + // The name of the request header that will be used to obtain the hash + // key. If the request header is not present, no hash will be produced. + string header_name = 1 + [(validate.rules).string = {min_len: 1 well_known_regex: HTTP_HEADER_NAME strict: false}]; + + // If specified, the request header value will be rewritten and used + // to produce the hash key. + type.matcher.v3.RegexMatchAndSubstitute regex_rewrite = 2; + } + + // Envoy supports two types of cookie affinity: + // + // 1. Passive. Envoy takes a cookie that's present in the cookies header and + // hashes on its value. + // + // 2. Generated. Envoy generates and sets a cookie with an expiration (TTL) + // on the first request from the client in its response to the client, + // based on the endpoint the request gets sent to. The client then + // presents this on the next and all subsequent requests. The hash of + // this is sufficient to ensure these requests get sent to the same + // endpoint. The cookie is generated by hashing the source and + // destination ports and addresses so that multiple independent HTTP2 + // streams on the same connection will independently receive the same + // cookie, even if they arrive at the Envoy simultaneously. + message Cookie { + option (udpa.annotations.versioning).previous_message_type = + "envoy.api.v2.route.RouteAction.HashPolicy.Cookie"; + + // The name of the cookie that will be used to obtain the hash key. If the + // cookie is not present and ttl below is not set, no hash will be + // produced. + string name = 1 [(validate.rules).string = {min_len: 1}]; + + // If specified, a cookie with the TTL will be generated if the cookie is + // not present. If the TTL is present and zero, the generated cookie will + // be a session cookie. + google.protobuf.Duration ttl = 2; + + // The name of the path for the cookie. If no path is specified here, no path + // will be set for the cookie. + string path = 3; + } + + message ConnectionProperties { + option (udpa.annotations.versioning).previous_message_type = + "envoy.api.v2.route.RouteAction.HashPolicy.ConnectionProperties"; + + // Hash on source IP address. + bool source_ip = 1; + } + + message QueryParameter { + option (udpa.annotations.versioning).previous_message_type = + "envoy.api.v2.route.RouteAction.HashPolicy.QueryParameter"; + + // The name of the URL query parameter that will be used to obtain the hash + // key. If the parameter is not present, no hash will be produced. Query + // parameter names are case-sensitive. + string name = 1 [(validate.rules).string = {min_len: 1}]; + } + + message FilterState { + option (udpa.annotations.versioning).previous_message_type = + "envoy.api.v2.route.RouteAction.HashPolicy.FilterState"; + + // The name of the Object in the per-request filterState, which is an + // Envoy::Hashable object. If there is no data associated with the key, + // or the stored object is not Envoy::Hashable, no hash will be produced. + string key = 1 [(validate.rules).string = {min_len: 1}]; + } + + oneof policy_specifier { + option (validate.required) = true; + + // Header hash policy. + Header header = 1; + + // Cookie hash policy. + Cookie cookie = 2; + + // Connection properties hash policy. + ConnectionProperties connection_properties = 3; + + // Query parameter hash policy. + QueryParameter query_parameter = 5; + + // Filter state hash policy. + FilterState filter_state = 6; + } + + // The flag that short-circuits the hash computing. This field provides a + // 'fallback' style of configuration: "if a terminal policy doesn't work, + // fallback to rest of the policy list", it saves time when the terminal + // policy works. + // + // If true, and there is already a hash computed, ignore rest of the + // list of hash polices. + // For example, if the following hash methods are configured: + // + // ========= ======== + // specifier terminal + // ========= ======== + // Header A true + // Header B false + // Header C false + // ========= ======== + // + // The generateHash process ends if policy "header A" generates a hash, as + // it's a terminal policy. + bool terminal = 4; + } + + // Allows enabling and disabling upgrades on a per-route basis. + // This overrides any enabled/disabled upgrade filter chain specified in the + // HttpConnectionManager + // :ref:`upgrade_configs + // ` + // but does not affect any custom filter chain specified there. + message UpgradeConfig { + option (udpa.annotations.versioning).previous_message_type = + "envoy.api.v2.route.RouteAction.UpgradeConfig"; + + // Configuration for sending data upstream as a raw data payload. This is used for + // CONNECT or POST requests, when forwarding request payload as raw TCP. + message ConnectConfig { + // If present, the proxy protocol header will be prepended to the CONNECT payload sent upstream. + core.v3.ProxyProtocolConfig proxy_protocol_config = 1; + + // If set, the route will also allow forwarding POST payload as raw TCP. + bool allow_post = 2; + } + + // The case-insensitive name of this upgrade, e.g. "websocket". + // For each upgrade type present in upgrade_configs, requests with + // Upgrade: [upgrade_type] will be proxied upstream. + string upgrade_type = 1 + [(validate.rules).string = {min_len: 1 well_known_regex: HTTP_HEADER_VALUE strict: false}]; + + // Determines if upgrades are available on this route. Defaults to true. + google.protobuf.BoolValue enabled = 2; + + // Configuration for sending data upstream as a raw data payload. This is used for + // CONNECT requests, when forwarding CONNECT payload as raw TCP. + // Note that CONNECT support is currently considered alpha in Envoy. + // [#comment: TODO(htuch): Replace the above comment with an alpha tag.] + ConnectConfig connect_config = 3; + } + + message MaxStreamDuration { + // Specifies the maximum duration allowed for streams on the route. If not specified, the value + // from the :ref:`max_stream_duration + // ` field in + // :ref:`HttpConnectionManager.common_http_protocol_options + // ` + // is used. If this field is set explicitly to zero, any + // HttpConnectionManager max_stream_duration timeout will be disabled for + // this route. + google.protobuf.Duration max_stream_duration = 1; + + // If present, and the request contains a `grpc-timeout header + // `_, use that value as the + // ``max_stream_duration``, but limit the applied timeout to the maximum value specified here. + // If set to 0, the ``grpc-timeout`` header is used without modification. + google.protobuf.Duration grpc_timeout_header_max = 2; + + // If present, Envoy will adjust the timeout provided by the ``grpc-timeout`` header by + // subtracting the provided duration from the header. This is useful for allowing Envoy to set + // its global timeout to be less than that of the deadline imposed by the calling client, which + // makes it more likely that Envoy will handle the timeout instead of having the call canceled + // by the client. If, after applying the offset, the resulting timeout is zero or negative, + // the stream will timeout immediately. + google.protobuf.Duration grpc_timeout_header_offset = 3; + } + + reserved 12, 18, 19, 16, 22, 21, 10; + + reserved "request_mirror_policy"; + + oneof cluster_specifier { + option (validate.required) = true; + + // Indicates the upstream cluster to which the request should be routed + // to. + string cluster = 1 [(validate.rules).string = {min_len: 1}]; + + // Envoy will determine the cluster to route to by reading the value of the + // HTTP header named by cluster_header from the request headers. If the + // header is not found or the referenced cluster does not exist, Envoy will + // return a 404 response. + // + // .. attention:: + // + // Internally, Envoy always uses the HTTP/2 ``:authority`` header to represent the HTTP/1 + // ``Host`` header. Thus, if attempting to match on ``Host``, match on ``:authority`` instead. + // + // .. note:: + // + // If the header appears multiple times only the first value is used. + string cluster_header = 2 + [(validate.rules).string = {min_len: 1 well_known_regex: HTTP_HEADER_NAME strict: false}]; + + // Multiple upstream clusters can be specified for a given route. The + // request is routed to one of the upstream clusters based on weights + // assigned to each cluster. See + // :ref:`traffic splitting ` + // for additional documentation. + WeightedCluster weighted_clusters = 3; + + // Name of the cluster specifier plugin to use to determine the cluster for requests on this route. + // The cluster specifier plugin name must be defined in the associated + // :ref:`cluster specifier plugins ` + // in the :ref:`name ` field. + string cluster_specifier_plugin = 37; + + // Custom cluster specifier plugin configuration to use to determine the cluster for requests + // on this route. + ClusterSpecifierPlugin inline_cluster_specifier_plugin = 39; + } + + // The HTTP status code to use when configured cluster is not found. + // The default response code is 503 Service Unavailable. + ClusterNotFoundResponseCode cluster_not_found_response_code = 20 + [(validate.rules).enum = {defined_only: true}]; + + // Optional endpoint metadata match criteria used by the subset load balancer. Only endpoints + // in the upstream cluster with metadata matching what's set in this field will be considered + // for load balancing. If using :ref:`weighted_clusters + // `, metadata will be merged, with values + // provided there taking precedence. The filter name should be specified as ``envoy.lb``. + core.v3.Metadata metadata_match = 4; + + // Indicates that during forwarding, the matched prefix (or path) should be + // swapped with this value. This option allows application URLs to be rooted + // at a different path from those exposed at the reverse proxy layer. The router filter will + // place the original path before rewrite into the :ref:`x-envoy-original-path + // ` header. + // + // Only one of :ref:`regex_rewrite ` + // :ref:`path_rewrite_policy `, + // or :ref:`prefix_rewrite ` may be specified. + // + // .. attention:: + // + // Pay careful attention to the use of trailing slashes in the + // :ref:`route's match ` prefix value. + // Stripping a prefix from a path requires multiple Routes to handle all cases. For example, + // rewriting ``/prefix`` to ``/`` and ``/prefix/etc`` to ``/etc`` cannot be done in a single + // :ref:`Route `, as shown by the below config entries: + // + // .. code-block:: yaml + // + // - match: + // prefix: "/prefix/" + // route: + // prefix_rewrite: "/" + // - match: + // prefix: "/prefix" + // route: + // prefix_rewrite: "/" + // + // Having above entries in the config, requests to ``/prefix`` will be stripped to ``/``, while + // requests to ``/prefix/etc`` will be stripped to ``/etc``. + string prefix_rewrite = 5 + [(validate.rules).string = {well_known_regex: HTTP_HEADER_VALUE strict: false}]; + + // Indicates that during forwarding, portions of the path that match the + // pattern should be rewritten, even allowing the substitution of capture + // groups from the pattern into the new path as specified by the rewrite + // substitution string. This is useful to allow application paths to be + // rewritten in a way that is aware of segments with variable content like + // identifiers. The router filter will place the original path as it was + // before the rewrite into the :ref:`x-envoy-original-path + // ` header. + // + // Only one of :ref:`regex_rewrite `, + // :ref:`prefix_rewrite `, or + // :ref:`path_rewrite_policy `] + // may be specified. + // + // Examples using Google's `RE2 `_ engine: + // + // * The path pattern ``^/service/([^/]+)(/.*)$`` paired with a substitution + // string of ``\2/instance/\1`` would transform ``/service/foo/v1/api`` + // into ``/v1/api/instance/foo``. + // + // * The pattern ``one`` paired with a substitution string of ``two`` would + // transform ``/xxx/one/yyy/one/zzz`` into ``/xxx/two/yyy/two/zzz``. + // + // * The pattern ``^(.*?)one(.*)$`` paired with a substitution string of + // ``\1two\2`` would replace only the first occurrence of ``one``, + // transforming path ``/xxx/one/yyy/one/zzz`` into ``/xxx/two/yyy/one/zzz``. + // + // * The pattern ``(?i)/xxx/`` paired with a substitution string of ``/yyy/`` + // would do a case-insensitive match and transform path ``/aaa/XxX/bbb`` to + // ``/aaa/yyy/bbb``. + type.matcher.v3.RegexMatchAndSubstitute regex_rewrite = 32; + + // [#extension-category: envoy.path.rewrite] + core.v3.TypedExtensionConfig path_rewrite_policy = 41; + + oneof host_rewrite_specifier { + // Indicates that during forwarding, the host header will be swapped with + // this value. Using this option will append the + // :ref:`config_http_conn_man_headers_x-forwarded-host` header if + // :ref:`append_x_forwarded_host ` + // is set. + string host_rewrite_literal = 6 + [(validate.rules).string = {well_known_regex: HTTP_HEADER_VALUE strict: false}]; + + // Indicates that during forwarding, the host header will be swapped with + // the hostname of the upstream host chosen by the cluster manager. This + // option is applicable only when the destination cluster for a route is of + // type ``strict_dns`` or ``logical_dns``. Setting this to true with other cluster types + // has no effect. Using this option will append the + // :ref:`config_http_conn_man_headers_x-forwarded-host` header if + // :ref:`append_x_forwarded_host ` + // is set. + google.protobuf.BoolValue auto_host_rewrite = 7; + + // Indicates that during forwarding, the host header will be swapped with the content of given + // downstream or :ref:`custom ` header. + // If header value is empty, host header is left intact. Using this option will append the + // :ref:`config_http_conn_man_headers_x-forwarded-host` header if + // :ref:`append_x_forwarded_host ` + // is set. + // + // .. attention:: + // + // Pay attention to the potential security implications of using this option. Provided header + // must come from trusted source. + // + // .. note:: + // + // If the header appears multiple times only the first value is used. + string host_rewrite_header = 29 + [(validate.rules).string = {well_known_regex: HTTP_HEADER_NAME strict: false}]; + + // Indicates that during forwarding, the host header will be swapped with + // the result of the regex substitution executed on path value with query and fragment removed. + // This is useful for transitioning variable content between path segment and subdomain. + // Using this option will append the + // :ref:`config_http_conn_man_headers_x-forwarded-host` header if + // :ref:`append_x_forwarded_host ` + // is set. + // + // For example with the following config: + // + // .. code-block:: yaml + // + // host_rewrite_path_regex: + // pattern: + // google_re2: {} + // regex: "^/(.+)/.+$" + // substitution: \1 + // + // Would rewrite the host header to ``envoyproxy.io`` given the path ``/envoyproxy.io/some/path``. + type.matcher.v3.RegexMatchAndSubstitute host_rewrite_path_regex = 35; + } + + // If set, then a host rewrite action (one of + // :ref:`host_rewrite_literal `, + // :ref:`auto_host_rewrite `, + // :ref:`host_rewrite_header `, or + // :ref:`host_rewrite_path_regex `) + // causes the original value of the host header, if any, to be appended to the + // :ref:`config_http_conn_man_headers_x-forwarded-host` HTTP header. + bool append_x_forwarded_host = 38; + + // Specifies the upstream timeout for the route. If not specified, the default is 15s. This + // spans between the point at which the entire downstream request (i.e. end-of-stream) has been + // processed and when the upstream response has been completely processed. A value of 0 will + // disable the route's timeout. + // + // .. note:: + // + // This timeout includes all retries. See also + // :ref:`config_http_filters_router_x-envoy-upstream-rq-timeout-ms`, + // :ref:`config_http_filters_router_x-envoy-upstream-rq-per-try-timeout-ms`, and the + // :ref:`retry overview `. + google.protobuf.Duration timeout = 8; + + // Specifies the idle timeout for the route. If not specified, there is no per-route idle timeout, + // although the connection manager wide :ref:`stream_idle_timeout + // ` + // will still apply. A value of 0 will completely disable the route's idle timeout, even if a + // connection manager stream idle timeout is configured. + // + // The idle timeout is distinct to :ref:`timeout + // `, which provides an upper bound + // on the upstream response time; :ref:`idle_timeout + // ` instead bounds the amount + // of time the request's stream may be idle. + // + // After header decoding, the idle timeout will apply on downstream and + // upstream request events. Each time an encode/decode event for headers or + // data is processed for the stream, the timer will be reset. If the timeout + // fires, the stream is terminated with a 408 Request Timeout error code if no + // upstream response header has been received, otherwise a stream reset + // occurs. + // + // If the :ref:`overload action ` "envoy.overload_actions.reduce_timeouts" + // is configured, this timeout is scaled according to the value for + // :ref:`HTTP_DOWNSTREAM_STREAM_IDLE `. + google.protobuf.Duration idle_timeout = 24; + + // Specifies how to send request over TLS early data. + // If absent, allows `safe HTTP requests `_ to be sent on early data. + // [#extension-category: envoy.route.early_data_policy] + core.v3.TypedExtensionConfig early_data_policy = 40; + + // Indicates that the route has a retry policy. Note that if this is set, + // it'll take precedence over the virtual host level retry policy entirely + // (e.g.: policies are not merged, most internal one becomes the enforced policy). + RetryPolicy retry_policy = 9; + + // [#not-implemented-hide:] + // Specifies the configuration for retry policy extension. Note that if this is set, it'll take + // precedence over the virtual host level retry policy entirely (e.g.: policies are not merged, + // most internal one becomes the enforced policy). :ref:`Retry policy ` + // should not be set if this field is used. + google.protobuf.Any retry_policy_typed_config = 33; + + // Specify a set of route request mirroring policies. + // It takes precedence over the virtual host and route config mirror policy entirely. + // That is, policies are not merged, the most specific non-empty one becomes the mirror policies. + repeated RequestMirrorPolicy request_mirror_policies = 30; + + // Optionally specifies the :ref:`routing priority `. + core.v3.RoutingPriority priority = 11 [(validate.rules).enum = {defined_only: true}]; + + // Specifies a set of rate limit configurations that could be applied to the + // route. + repeated RateLimit rate_limits = 13; + + // Specifies if the rate limit filter should include the virtual host rate + // limits. By default, if the route configured rate limits, the virtual host + // :ref:`rate_limits ` are not applied to the + // request. + // + // This field is deprecated. Please use :ref:`vh_rate_limits ` + google.protobuf.BoolValue include_vh_rate_limits = 14 + [deprecated = true, (envoy.annotations.deprecated_at_minor_version) = "3.0"]; + + // Specifies a list of hash policies to use for ring hash load balancing. Each + // hash policy is evaluated individually and the combined result is used to + // route the request. The method of combination is deterministic such that + // identical lists of hash policies will produce the same hash. Since a hash + // policy examines specific parts of a request, it can fail to produce a hash + // (i.e. if the hashed header is not present). If (and only if) all configured + // hash policies fail to generate a hash, no hash will be produced for + // the route. In this case, the behavior is the same as if no hash policies + // were specified (i.e. the ring hash load balancer will choose a random + // backend). If a hash policy has the "terminal" attribute set to true, and + // there is already a hash generated, the hash is returned immediately, + // ignoring the rest of the hash policy list. + repeated HashPolicy hash_policy = 15; + + // Indicates that the route has a CORS policy. This field is ignored if related cors policy is + // found in the :ref:`Route.typed_per_filter_config` or + // :ref:`WeightedCluster.ClusterWeight.typed_per_filter_config`. + // + // .. attention:: + // + // This option has been deprecated. Please use + // :ref:`Route.typed_per_filter_config` or + // :ref:`WeightedCluster.ClusterWeight.typed_per_filter_config` + // to configure the CORS HTTP filter. + CorsPolicy cors = 17 [deprecated = true, (envoy.annotations.deprecated_at_minor_version) = "3.0"]; + + // Deprecated by :ref:`grpc_timeout_header_max ` + // If present, and the request is a gRPC request, use the + // `grpc-timeout header `_, + // or its default value (infinity) instead of + // :ref:`timeout `, but limit the applied timeout + // to the maximum value specified here. If configured as 0, the maximum allowed timeout for + // gRPC requests is infinity. If not configured at all, the ``grpc-timeout`` header is not used + // and gRPC requests time out like any other requests using + // :ref:`timeout ` or its default. + // This can be used to prevent unexpected upstream request timeouts due to potentially long + // time gaps between gRPC request and response in gRPC streaming mode. + // + // .. note:: + // + // If a timeout is specified using :ref:`config_http_filters_router_x-envoy-upstream-rq-timeout-ms`, it takes + // precedence over `grpc-timeout header `_, when + // both are present. See also + // :ref:`config_http_filters_router_x-envoy-upstream-rq-timeout-ms`, + // :ref:`config_http_filters_router_x-envoy-upstream-rq-per-try-timeout-ms`, and the + // :ref:`retry overview `. + google.protobuf.Duration max_grpc_timeout = 23 + [deprecated = true, (envoy.annotations.deprecated_at_minor_version) = "3.0"]; + + // Deprecated by :ref:`grpc_timeout_header_offset `. + // If present, Envoy will adjust the timeout provided by the ``grpc-timeout`` header by subtracting + // the provided duration from the header. This is useful in allowing Envoy to set its global + // timeout to be less than that of the deadline imposed by the calling client, which makes it more + // likely that Envoy will handle the timeout instead of having the call canceled by the client. + // The offset will only be applied if the provided grpc_timeout is greater than the offset. This + // ensures that the offset will only ever decrease the timeout and never set it to 0 (meaning + // infinity). + google.protobuf.Duration grpc_timeout_offset = 28 + [deprecated = true, (envoy.annotations.deprecated_at_minor_version) = "3.0"]; + + repeated UpgradeConfig upgrade_configs = 25; + + // If present, Envoy will try to follow an upstream redirect response instead of proxying the + // response back to the downstream. An upstream redirect response is defined + // by :ref:`redirect_response_codes + // `. + InternalRedirectPolicy internal_redirect_policy = 34; + + InternalRedirectAction internal_redirect_action = 26 + [deprecated = true, (envoy.annotations.deprecated_at_minor_version) = "3.0"]; + + // An internal redirect is handled, iff the number of previous internal redirects that a + // downstream request has encountered is lower than this value, and + // :ref:`internal_redirect_action ` + // is set to :ref:`HANDLE_INTERNAL_REDIRECT + // ` + // In the case where a downstream request is bounced among multiple routes by internal redirect, + // the first route that hits this threshold, or has + // :ref:`internal_redirect_action ` + // set to + // :ref:`PASS_THROUGH_INTERNAL_REDIRECT + // ` + // will pass the redirect back to downstream. + // + // If not specified, at most one redirect will be followed. + google.protobuf.UInt32Value max_internal_redirects = 31 + [deprecated = true, (envoy.annotations.deprecated_at_minor_version) = "3.0"]; + + // Indicates that the route has a hedge policy. Note that if this is set, + // it'll take precedence over the virtual host level hedge policy entirely + // (e.g.: policies are not merged, most internal one becomes the enforced policy). + HedgePolicy hedge_policy = 27; + + // Specifies the maximum stream duration for this route. + MaxStreamDuration max_stream_duration = 36; +} + +// HTTP retry :ref:`architecture overview `. +// [#next-free-field: 14] +message RetryPolicy { + option (udpa.annotations.versioning).previous_message_type = "envoy.api.v2.route.RetryPolicy"; + + enum ResetHeaderFormat { + SECONDS = 0; + UNIX_TIMESTAMP = 1; + } + + message RetryPriority { + option (udpa.annotations.versioning).previous_message_type = + "envoy.api.v2.route.RetryPolicy.RetryPriority"; + + reserved 2; + + reserved "config"; + + string name = 1 [(validate.rules).string = {min_len: 1}]; + + // [#extension-category: envoy.retry_priorities] + oneof config_type { + google.protobuf.Any typed_config = 3; + } + } + + message RetryHostPredicate { + option (udpa.annotations.versioning).previous_message_type = + "envoy.api.v2.route.RetryPolicy.RetryHostPredicate"; + + reserved 2; + + reserved "config"; + + string name = 1 [(validate.rules).string = {min_len: 1}]; + + // [#extension-category: envoy.retry_host_predicates] + oneof config_type { + google.protobuf.Any typed_config = 3; + } + } + + message RetryBackOff { + option (udpa.annotations.versioning).previous_message_type = + "envoy.api.v2.route.RetryPolicy.RetryBackOff"; + + // Specifies the base interval between retries. This parameter is required and must be greater + // than zero. Values less than 1 ms are rounded up to 1 ms. + // See :ref:`config_http_filters_router_x-envoy-max-retries` for a discussion of Envoy's + // back-off algorithm. + google.protobuf.Duration base_interval = 1 [(validate.rules).duration = { + required: true + gt {} + }]; + + // Specifies the maximum interval between retries. This parameter is optional, but must be + // greater than or equal to the ``base_interval`` if set. The default is 10 times the + // ``base_interval``. See :ref:`config_http_filters_router_x-envoy-max-retries` for a discussion + // of Envoy's back-off algorithm. + google.protobuf.Duration max_interval = 2 [(validate.rules).duration = {gt {}}]; + } + + message ResetHeader { + // The name of the reset header. + // + // .. note:: + // + // If the header appears multiple times only the first value is used. + string name = 1 + [(validate.rules).string = {min_len: 1 well_known_regex: HTTP_HEADER_NAME strict: false}]; + + // The format of the reset header. + ResetHeaderFormat format = 2 [(validate.rules).enum = {defined_only: true}]; + } + + // A retry back-off strategy that applies when the upstream server rate limits + // the request. + // + // Given this configuration: + // + // .. code-block:: yaml + // + // rate_limited_retry_back_off: + // reset_headers: + // - name: Retry-After + // format: SECONDS + // - name: X-RateLimit-Reset + // format: UNIX_TIMESTAMP + // max_interval: "300s" + // + // The following algorithm will apply: + // + // 1. If the response contains the header ``Retry-After`` its value must be on + // the form ``120`` (an integer that represents the number of seconds to + // wait before retrying). If so, this value is used as the back-off interval. + // 2. Otherwise, if the response contains the header ``X-RateLimit-Reset`` its + // value must be on the form ``1595320702`` (an integer that represents the + // point in time at which to retry, as a Unix timestamp in seconds). If so, + // the current time is subtracted from this value and the result is used as + // the back-off interval. + // 3. Otherwise, Envoy will use the default + // :ref:`exponential back-off ` + // strategy. + // + // No matter which format is used, if the resulting back-off interval exceeds + // ``max_interval`` it is discarded and the next header in ``reset_headers`` + // is tried. If a request timeout is configured for the route it will further + // limit how long the request will be allowed to run. + // + // To prevent many clients retrying at the same point in time jitter is added + // to the back-off interval, so the resulting interval is decided by taking: + // ``random(interval, interval * 1.5)``. + // + // .. attention:: + // + // Configuring ``rate_limited_retry_back_off`` will not by itself cause a request + // to be retried. You will still need to configure the right retry policy to match + // the responses from the upstream server. + message RateLimitedRetryBackOff { + // Specifies the reset headers (like ``Retry-After`` or ``X-RateLimit-Reset``) + // to match against the response. Headers are tried in order, and matched case + // insensitive. The first header to be parsed successfully is used. If no headers + // match the default exponential back-off is used instead. + repeated ResetHeader reset_headers = 1 [(validate.rules).repeated = {min_items: 1}]; + + // Specifies the maximum back off interval that Envoy will allow. If a reset + // header contains an interval longer than this then it will be discarded and + // the next header will be tried. Defaults to 300 seconds. + google.protobuf.Duration max_interval = 2 [(validate.rules).duration = {gt {}}]; + } + + // Specifies the conditions under which retry takes place. These are the same + // conditions documented for :ref:`config_http_filters_router_x-envoy-retry-on` and + // :ref:`config_http_filters_router_x-envoy-retry-grpc-on`. + string retry_on = 1; + + // Specifies the allowed number of retries. This parameter is optional and + // defaults to 1. These are the same conditions documented for + // :ref:`config_http_filters_router_x-envoy-max-retries`. + google.protobuf.UInt32Value num_retries = 2 + [(udpa.annotations.field_migrate).rename = "max_retries"]; + + // Specifies a non-zero upstream timeout per retry attempt (including the initial attempt). This + // parameter is optional. The same conditions documented for + // :ref:`config_http_filters_router_x-envoy-upstream-rq-per-try-timeout-ms` apply. + // + // .. note:: + // + // If left unspecified, Envoy will use the global + // :ref:`route timeout ` for the request. + // Consequently, when using a :ref:`5xx ` based + // retry policy, a request that times out will not be retried as the total timeout budget + // would have been exhausted. + google.protobuf.Duration per_try_timeout = 3; + + // Specifies an upstream idle timeout per retry attempt (including the initial attempt). This + // parameter is optional and if absent there is no per try idle timeout. The semantics of the per + // try idle timeout are similar to the + // :ref:`route idle timeout ` and + // :ref:`stream idle timeout + // ` + // both enforced by the HTTP connection manager. The difference is that this idle timeout + // is enforced by the router for each individual attempt and thus after all previous filters have + // run, as opposed to *before* all previous filters run for the other idle timeouts. This timeout + // is useful in cases in which total request timeout is bounded by a number of retries and a + // :ref:`per_try_timeout `, but + // there is a desire to ensure each try is making incremental progress. Note also that similar + // to :ref:`per_try_timeout `, + // this idle timeout does not start until after both the entire request has been received by the + // router *and* a connection pool connection has been obtained. Unlike + // :ref:`per_try_timeout `, + // the idle timer continues once the response starts streaming back to the downstream client. + // This ensures that response data continues to make progress without using one of the HTTP + // connection manager idle timeouts. + google.protobuf.Duration per_try_idle_timeout = 13; + + // Specifies an implementation of a RetryPriority which is used to determine the + // distribution of load across priorities used for retries. Refer to + // :ref:`retry plugin configuration ` for more details. + RetryPriority retry_priority = 4; + + // Specifies a collection of RetryHostPredicates that will be consulted when selecting a host + // for retries. If any of the predicates reject the host, host selection will be reattempted. + // Refer to :ref:`retry plugin configuration ` for more + // details. + repeated RetryHostPredicate retry_host_predicate = 5; + + // Retry options predicates that will be applied prior to retrying a request. These predicates + // allow customizing request behavior between retries. + // [#comment: add [#extension-category: envoy.retry_options_predicates] when there are built-in extensions] + repeated core.v3.TypedExtensionConfig retry_options_predicates = 12; + + // The maximum number of times host selection will be reattempted before giving up, at which + // point the host that was last selected will be routed to. If unspecified, this will default to + // retrying once. + int64 host_selection_retry_max_attempts = 6; + + // HTTP status codes that should trigger a retry in addition to those specified by retry_on. + repeated uint32 retriable_status_codes = 7; + + // Specifies parameters that control exponential retry back off. This parameter is optional, in which case the + // default base interval is 25 milliseconds or, if set, the current value of the + // ``upstream.base_retry_backoff_ms`` runtime parameter. The default maximum interval is 10 times + // the base interval. The documentation for :ref:`config_http_filters_router_x-envoy-max-retries` + // describes Envoy's back-off algorithm. + RetryBackOff retry_back_off = 8; + + // Specifies parameters that control a retry back-off strategy that is used + // when the request is rate limited by the upstream server. The server may + // return a response header like ``Retry-After`` or ``X-RateLimit-Reset`` to + // provide feedback to the client on how long to wait before retrying. If + // configured, this back-off strategy will be used instead of the + // default exponential back off strategy (configured using ``retry_back_off``) + // whenever a response includes the matching headers. + RateLimitedRetryBackOff rate_limited_retry_back_off = 11; + + // HTTP response headers that trigger a retry if present in the response. A retry will be + // triggered if any of the header matches match the upstream response headers. + // The field is only consulted if 'retriable-headers' retry policy is active. + repeated HeaderMatcher retriable_headers = 9; + + // HTTP headers which must be present in the request for retries to be attempted. + repeated HeaderMatcher retriable_request_headers = 10; +} + +// HTTP request hedging :ref:`architecture overview `. +message HedgePolicy { + option (udpa.annotations.versioning).previous_message_type = "envoy.api.v2.route.HedgePolicy"; + + // Specifies the number of initial requests that should be sent upstream. + // Must be at least 1. + // Defaults to 1. + // [#not-implemented-hide:] + google.protobuf.UInt32Value initial_requests = 1 [(validate.rules).uint32 = {gte: 1}]; + + // Specifies a probability that an additional upstream request should be sent + // on top of what is specified by initial_requests. + // Defaults to 0. + // [#not-implemented-hide:] + type.v3.FractionalPercent additional_request_chance = 2; + + // Indicates that a hedged request should be sent when the per-try timeout is hit. + // This means that a retry will be issued without resetting the original request, leaving multiple upstream requests in flight. + // The first request to complete successfully will be the one returned to the caller. + // + // * At any time, a successful response (i.e. not triggering any of the retry-on conditions) would be returned to the client. + // * Before per-try timeout, an error response (per retry-on conditions) would be retried immediately or returned ot the client + // if there are no more retries left. + // * After per-try timeout, an error response would be discarded, as a retry in the form of a hedged request is already in progress. + // + // Note: For this to have effect, you must have a :ref:`RetryPolicy ` that retries at least + // one error code and specifies a maximum number of retries. + // + // Defaults to false. + bool hedge_on_per_try_timeout = 3; +} + +// [#next-free-field: 10] +message RedirectAction { + option (udpa.annotations.versioning).previous_message_type = "envoy.api.v2.route.RedirectAction"; + + enum RedirectResponseCode { + // Moved Permanently HTTP Status Code - 301. + MOVED_PERMANENTLY = 0; + + // Found HTTP Status Code - 302. + FOUND = 1; + + // See Other HTTP Status Code - 303. + SEE_OTHER = 2; + + // Temporary Redirect HTTP Status Code - 307. + TEMPORARY_REDIRECT = 3; + + // Permanent Redirect HTTP Status Code - 308. + PERMANENT_REDIRECT = 4; + } + + // When the scheme redirection take place, the following rules apply: + // 1. If the source URI scheme is ``http`` and the port is explicitly + // set to ``:80``, the port will be removed after the redirection + // 2. If the source URI scheme is ``https`` and the port is explicitly + // set to ``:443``, the port will be removed after the redirection + oneof scheme_rewrite_specifier { + // The scheme portion of the URL will be swapped with "https". + bool https_redirect = 4; + + // The scheme portion of the URL will be swapped with this value. + string scheme_redirect = 7; + } + + // The host portion of the URL will be swapped with this value. + string host_redirect = 1 + [(validate.rules).string = {well_known_regex: HTTP_HEADER_VALUE strict: false}]; + + // The port value of the URL will be swapped with this value. + uint32 port_redirect = 8; + + oneof path_rewrite_specifier { + // The path portion of the URL will be swapped with this value. + // Please note that query string in path_redirect will override the + // request's query string and will not be stripped. + // + // For example, let's say we have the following routes: + // + // - match: { path: "/old-path-1" } + // redirect: { path_redirect: "/new-path-1" } + // - match: { path: "/old-path-2" } + // redirect: { path_redirect: "/new-path-2", strip-query: "true" } + // - match: { path: "/old-path-3" } + // redirect: { path_redirect: "/new-path-3?foo=1", strip_query: "true" } + // + // 1. if request uri is "/old-path-1?bar=1", users will be redirected to "/new-path-1?bar=1" + // 2. if request uri is "/old-path-2?bar=1", users will be redirected to "/new-path-2" + // 3. if request uri is "/old-path-3?bar=1", users will be redirected to "/new-path-3?foo=1" + string path_redirect = 2 + [(validate.rules).string = {well_known_regex: HTTP_HEADER_VALUE strict: false}]; + + // Indicates that during redirection, the matched prefix (or path) + // should be swapped with this value. This option allows redirect URLs be dynamically created + // based on the request. + // + // .. attention:: + // + // Pay attention to the use of trailing slashes as mentioned in + // :ref:`RouteAction's prefix_rewrite `. + string prefix_rewrite = 5 + [(validate.rules).string = {well_known_regex: HTTP_HEADER_VALUE strict: false}]; + + // Indicates that during redirect, portions of the path that match the + // pattern should be rewritten, even allowing the substitution of capture + // groups from the pattern into the new path as specified by the rewrite + // substitution string. This is useful to allow application paths to be + // rewritten in a way that is aware of segments with variable content like + // identifiers. + // + // Examples using Google's `RE2 `_ engine: + // + // * The path pattern ``^/service/([^/]+)(/.*)$`` paired with a substitution + // string of ``\2/instance/\1`` would transform ``/service/foo/v1/api`` + // into ``/v1/api/instance/foo``. + // + // * The pattern ``one`` paired with a substitution string of ``two`` would + // transform ``/xxx/one/yyy/one/zzz`` into ``/xxx/two/yyy/two/zzz``. + // + // * The pattern ``^(.*?)one(.*)$`` paired with a substitution string of + // ``\1two\2`` would replace only the first occurrence of ``one``, + // transforming path ``/xxx/one/yyy/one/zzz`` into ``/xxx/two/yyy/one/zzz``. + // + // * The pattern ``(?i)/xxx/`` paired with a substitution string of ``/yyy/`` + // would do a case-insensitive match and transform path ``/aaa/XxX/bbb`` to + // ``/aaa/yyy/bbb``. + type.matcher.v3.RegexMatchAndSubstitute regex_rewrite = 9; + } + + // The HTTP status code to use in the redirect response. The default response + // code is MOVED_PERMANENTLY (301). + RedirectResponseCode response_code = 3 [(validate.rules).enum = {defined_only: true}]; + + // Indicates that during redirection, the query portion of the URL will + // be removed. Default value is false. + bool strip_query = 6; +} + +message DirectResponseAction { + option (udpa.annotations.versioning).previous_message_type = + "envoy.api.v2.route.DirectResponseAction"; + + // Specifies the HTTP response status to be returned. + uint32 status = 1 [(validate.rules).uint32 = {lt: 600 gte: 200}]; + + // Specifies the content of the response body. If this setting is omitted, + // no body is included in the generated response. + // + // .. note:: + // + // Headers can be specified using ``response_headers_to_add`` in the enclosing + // :ref:`envoy_v3_api_msg_config.route.v3.Route`, :ref:`envoy_v3_api_msg_config.route.v3.RouteConfiguration` or + // :ref:`envoy_v3_api_msg_config.route.v3.VirtualHost`. + core.v3.DataSource body = 2; +} + +// [#not-implemented-hide:] +message NonForwardingAction { +} + +message Decorator { + option (udpa.annotations.versioning).previous_message_type = "envoy.api.v2.route.Decorator"; + + // The operation name associated with the request matched to this route. If tracing is + // enabled, this information will be used as the span name reported for this request. + // + // .. note:: + // + // For ingress (inbound) requests, or egress (outbound) responses, this value may be overridden + // by the :ref:`x-envoy-decorator-operation + // ` header. + string operation = 1 [(validate.rules).string = {min_len: 1}]; + + // Whether the decorated details should be propagated to the other party. The default is true. + google.protobuf.BoolValue propagate = 2; +} + +message Tracing { + option (udpa.annotations.versioning).previous_message_type = "envoy.api.v2.route.Tracing"; + + // Target percentage of requests managed by this HTTP connection manager that will be force + // traced if the :ref:`x-client-trace-id ` + // header is set. This field is a direct analog for the runtime variable + // 'tracing.client_sampling' in the :ref:`HTTP Connection Manager + // `. + // Default: 100% + type.v3.FractionalPercent client_sampling = 1; + + // Target percentage of requests managed by this HTTP connection manager that will be randomly + // selected for trace generation, if not requested by the client or not forced. This field is + // a direct analog for the runtime variable 'tracing.random_sampling' in the + // :ref:`HTTP Connection Manager `. + // Default: 100% + type.v3.FractionalPercent random_sampling = 2; + + // Target percentage of requests managed by this HTTP connection manager that will be traced + // after all other sampling checks have been applied (client-directed, force tracing, random + // sampling). This field functions as an upper limit on the total configured sampling rate. For + // instance, setting client_sampling to 100% but overall_sampling to 1% will result in only 1% + // of client requests with the appropriate headers to be force traced. This field is a direct + // analog for the runtime variable 'tracing.global_enabled' in the + // :ref:`HTTP Connection Manager `. + // Default: 100% + type.v3.FractionalPercent overall_sampling = 3; + + // A list of custom tags with unique tag name to create tags for the active span. + // It will take effect after merging with the :ref:`corresponding configuration + // ` + // configured in the HTTP connection manager. If two tags with the same name are configured + // each in the HTTP connection manager and the route level, the one configured here takes + // priority. + repeated type.tracing.v3.CustomTag custom_tags = 4; +} + +// A virtual cluster is a way of specifying a regex matching rule against +// certain important endpoints such that statistics are generated explicitly for +// the matched requests. The reason this is useful is that when doing +// prefix/path matching Envoy does not always know what the application +// considers to be an endpoint. Thus, it’s impossible for Envoy to generically +// emit per endpoint statistics. However, often systems have highly critical +// endpoints that they wish to get “perfect” statistics on. Virtual cluster +// statistics are perfect in the sense that they are emitted on the downstream +// side such that they include network level failures. +// +// Documentation for :ref:`virtual cluster statistics `. +// +// .. note:: +// +// Virtual clusters are a useful tool, but we do not recommend setting up a virtual cluster for +// every application endpoint. This is both not easily maintainable and as well the matching and +// statistics output are not free. +message VirtualCluster { + option (udpa.annotations.versioning).previous_message_type = "envoy.api.v2.route.VirtualCluster"; + + reserved 1, 3; + + reserved "pattern", "method"; + + // Specifies a list of header matchers to use for matching requests. Each specified header must + // match. The pseudo-headers ``:path`` and ``:method`` can be used to match the request path and + // method, respectively. + repeated HeaderMatcher headers = 4; + + // Specifies the name of the virtual cluster. The virtual cluster name as well + // as the virtual host name are used when emitting statistics. The statistics are emitted by the + // router filter and are documented :ref:`here `. + string name = 2 [(validate.rules).string = {min_len: 1}]; +} + +// Global rate limiting :ref:`architecture overview `. +// Also applies to Local rate limiting :ref:`using descriptors `. +message RateLimit { + option (udpa.annotations.versioning).previous_message_type = "envoy.api.v2.route.RateLimit"; + + // [#next-free-field: 11] + message Action { + option (udpa.annotations.versioning).previous_message_type = + "envoy.api.v2.route.RateLimit.Action"; + + // The following descriptor entry is appended to the descriptor: + // + // .. code-block:: cpp + // + // ("source_cluster", "") + // + // is derived from the :option:`--service-cluster` option. + message SourceCluster { + option (udpa.annotations.versioning).previous_message_type = + "envoy.api.v2.route.RateLimit.Action.SourceCluster"; + } + + // The following descriptor entry is appended to the descriptor: + // + // .. code-block:: cpp + // + // ("destination_cluster", "") + // + // Once a request matches against a route table rule, a routed cluster is determined by one of + // the following :ref:`route table configuration ` + // settings: + // + // * :ref:`cluster ` indicates the upstream cluster + // to route to. + // * :ref:`weighted_clusters ` + // chooses a cluster randomly from a set of clusters with attributed weight. + // * :ref:`cluster_header ` indicates which + // header in the request contains the target cluster. + message DestinationCluster { + option (udpa.annotations.versioning).previous_message_type = + "envoy.api.v2.route.RateLimit.Action.DestinationCluster"; + } + + // The following descriptor entry is appended when a header contains a key that matches the + // ``header_name``: + // + // .. code-block:: cpp + // + // ("", "") + message RequestHeaders { + option (udpa.annotations.versioning).previous_message_type = + "envoy.api.v2.route.RateLimit.Action.RequestHeaders"; + + // The header name to be queried from the request headers. The header’s + // value is used to populate the value of the descriptor entry for the + // descriptor_key. + string header_name = 1 + [(validate.rules).string = {min_len: 1 well_known_regex: HTTP_HEADER_NAME strict: false}]; + + // The key to use in the descriptor entry. + string descriptor_key = 2 [(validate.rules).string = {min_len: 1}]; + + // If set to true, Envoy skips the descriptor while calling rate limiting service + // when header is not present in the request. By default it skips calling the + // rate limiting service if this header is not present in the request. + bool skip_if_absent = 3; + } + + // The following descriptor entry is appended to the descriptor and is populated using the + // trusted address from :ref:`x-forwarded-for `: + // + // .. code-block:: cpp + // + // ("remote_address", "") + message RemoteAddress { + option (udpa.annotations.versioning).previous_message_type = + "envoy.api.v2.route.RateLimit.Action.RemoteAddress"; + } + + // The following descriptor entry is appended to the descriptor and is populated using the + // masked address from :ref:`x-forwarded-for `: + // + // .. code-block:: cpp + // + // ("masked_remote_address", "") + message MaskedRemoteAddress { + // Length of prefix mask len for IPv4 (e.g. 0, 32). + // Defaults to 32 when unset. + // For example, trusted address from x-forwarded-for is ``192.168.1.1``, + // the descriptor entry is ("masked_remote_address", "192.168.1.1/32"); + // if mask len is 24, the descriptor entry is ("masked_remote_address", "192.168.1.0/24"). + google.protobuf.UInt32Value v4_prefix_mask_len = 1 [(validate.rules).uint32 = {lte: 32}]; + + // Length of prefix mask len for IPv6 (e.g. 0, 128). + // Defaults to 128 when unset. + // For example, trusted address from x-forwarded-for is ``2001:abcd:ef01:2345:6789:abcd:ef01:234``, + // the descriptor entry is ("masked_remote_address", "2001:abcd:ef01:2345:6789:abcd:ef01:234/128"); + // if mask len is 64, the descriptor entry is ("masked_remote_address", "2001:abcd:ef01:2345::/64"). + google.protobuf.UInt32Value v6_prefix_mask_len = 2 [(validate.rules).uint32 = {lte: 128}]; + } + + // The following descriptor entry is appended to the descriptor: + // + // .. code-block:: cpp + // + // ("generic_key", "") + message GenericKey { + option (udpa.annotations.versioning).previous_message_type = + "envoy.api.v2.route.RateLimit.Action.GenericKey"; + + // The value to use in the descriptor entry. + string descriptor_value = 1 [(validate.rules).string = {min_len: 1}]; + + // An optional key to use in the descriptor entry. If not set it defaults + // to 'generic_key' as the descriptor key. + string descriptor_key = 2; + } + + // The following descriptor entry is appended to the descriptor: + // + // .. code-block:: cpp + // + // ("header_match", "") + message HeaderValueMatch { + option (udpa.annotations.versioning).previous_message_type = + "envoy.api.v2.route.RateLimit.Action.HeaderValueMatch"; + + // The key to use in the descriptor entry. Defaults to ``header_match``. + string descriptor_key = 4; + + // The value to use in the descriptor entry. + string descriptor_value = 1 [(validate.rules).string = {min_len: 1}]; + + // If set to true, the action will append a descriptor entry when the + // request matches the headers. If set to false, the action will append a + // descriptor entry when the request does not match the headers. The + // default value is true. + google.protobuf.BoolValue expect_match = 2; + + // Specifies a set of headers that the rate limit action should match + // on. The action will check the request’s headers against all the + // specified headers in the config. A match will happen if all the + // headers in the config are present in the request with the same values + // (or based on presence if the value field is not in the config). + repeated HeaderMatcher headers = 3 [(validate.rules).repeated = {min_items: 1}]; + } + + // The following descriptor entry is appended when the + // :ref:`dynamic metadata ` contains a key value: + // + // .. code-block:: cpp + // + // ("", "") + // + // .. attention:: + // This action has been deprecated in favor of the :ref:`metadata ` action + message DynamicMetaData { + // The key to use in the descriptor entry. + string descriptor_key = 1 [(validate.rules).string = {min_len: 1}]; + + // Metadata struct that defines the key and path to retrieve the string value. A match will + // only happen if the value in the dynamic metadata is of type string. + type.metadata.v3.MetadataKey metadata_key = 2 [(validate.rules).message = {required: true}]; + + // An optional value to use if ``metadata_key`` is empty. If not set and + // no value is present under the metadata_key then no descriptor is generated. + string default_value = 3; + } + + // The following descriptor entry is appended when the metadata contains a key value: + // + // .. code-block:: cpp + // + // ("", "") + message MetaData { + enum Source { + // Query :ref:`dynamic metadata ` + DYNAMIC = 0; + + // Query :ref:`route entry metadata ` + ROUTE_ENTRY = 1; + } + + // The key to use in the descriptor entry. + string descriptor_key = 1 [(validate.rules).string = {min_len: 1}]; + + // Metadata struct that defines the key and path to retrieve the string value. A match will + // only happen if the value in the metadata is of type string. + type.metadata.v3.MetadataKey metadata_key = 2 [(validate.rules).message = {required: true}]; + + // An optional value to use if ``metadata_key`` is empty. If not set and + // no value is present under the metadata_key then no descriptor is generated. + string default_value = 3; + + // Source of metadata + Source source = 4 [(validate.rules).enum = {defined_only: true}]; + } + + oneof action_specifier { + option (validate.required) = true; + + // Rate limit on source cluster. + SourceCluster source_cluster = 1; + + // Rate limit on destination cluster. + DestinationCluster destination_cluster = 2; + + // Rate limit on request headers. + RequestHeaders request_headers = 3; + + // Rate limit on remote address. + RemoteAddress remote_address = 4; + + // Rate limit on a generic key. + GenericKey generic_key = 5; + + // Rate limit on the existence of request headers. + HeaderValueMatch header_value_match = 6; + + // Rate limit on dynamic metadata. + // + // .. attention:: + // This field has been deprecated in favor of the :ref:`metadata ` field + DynamicMetaData dynamic_metadata = 7 [ + deprecated = true, + (envoy.annotations.deprecated_at_minor_version) = "3.0", + (envoy.annotations.disallowed_by_default) = true + ]; + + // Rate limit on metadata. + MetaData metadata = 8; + + // Rate limit descriptor extension. See the rate limit descriptor extensions documentation. + // + // :ref:`HTTP matching input functions ` are + // permitted as descriptor extensions. The input functions are only + // looked up if there is no rate limit descriptor extension matching + // the type URL. + // + // [#extension-category: envoy.rate_limit_descriptors] + core.v3.TypedExtensionConfig extension = 9; + + // Rate limit on masked remote address. + MaskedRemoteAddress masked_remote_address = 10; + } + } + + message Override { + // Fetches the override from the dynamic metadata. + message DynamicMetadata { + // Metadata struct that defines the key and path to retrieve the struct value. + // The value must be a struct containing an integer "requests_per_unit" property + // and a "unit" property with a value parseable to :ref:`RateLimitUnit + // enum ` + type.metadata.v3.MetadataKey metadata_key = 1 [(validate.rules).message = {required: true}]; + } + + oneof override_specifier { + option (validate.required) = true; + + // Limit override from dynamic metadata. + DynamicMetadata dynamic_metadata = 1; + } + } + + // Refers to the stage set in the filter. The rate limit configuration only + // applies to filters with the same stage number. The default stage number is + // 0. + // + // .. note:: + // + // The filter supports a range of 0 - 10 inclusively for stage numbers. + google.protobuf.UInt32Value stage = 1 [(validate.rules).uint32 = {lte: 10}]; + + // The key to be set in runtime to disable this rate limit configuration. + string disable_key = 2; + + // A list of actions that are to be applied for this rate limit configuration. + // Order matters as the actions are processed sequentially and the descriptor + // is composed by appending descriptor entries in that sequence. If an action + // cannot append a descriptor entry, no descriptor is generated for the + // configuration. See :ref:`composing actions + // ` for additional documentation. + repeated Action actions = 3 [(validate.rules).repeated = {min_items: 1}]; + + // An optional limit override to be appended to the descriptor produced by this + // rate limit configuration. If the override value is invalid or cannot be resolved + // from metadata, no override is provided. See :ref:`rate limit override + // ` for more information. + Override limit = 4; +} + +// .. attention:: +// +// Internally, Envoy always uses the HTTP/2 ``:authority`` header to represent the HTTP/1 ``Host`` +// header. Thus, if attempting to match on ``Host``, match on ``:authority`` instead. +// +// .. attention:: +// +// To route on HTTP method, use the special HTTP/2 ``:method`` header. This works for both +// HTTP/1 and HTTP/2 as Envoy normalizes headers. E.g., +// +// .. code-block:: json +// +// { +// "name": ":method", +// "exact_match": "POST" +// } +// +// .. attention:: +// In the absence of any header match specifier, match will default to :ref:`present_match +// `. i.e, a request that has the :ref:`name +// ` header will match, regardless of the header's +// value. +// +// [#next-major-version: HeaderMatcher should be refactored to use StringMatcher.] +// [#next-free-field: 15] +message HeaderMatcher { + option (udpa.annotations.versioning).previous_message_type = "envoy.api.v2.route.HeaderMatcher"; + + reserved 2, 3, 5; + + reserved "regex_match"; + + // Specifies the name of the header in the request. + string name = 1 + [(validate.rules).string = {min_len: 1 well_known_regex: HTTP_HEADER_NAME strict: false}]; + + // Specifies how the header match will be performed to route the request. + oneof header_match_specifier { + // If specified, header match will be performed based on the value of the header. + // This field is deprecated. Please use :ref:`string_match `. + string exact_match = 4 + [deprecated = true, (envoy.annotations.deprecated_at_minor_version) = "3.0"]; + + // If specified, this regex string is a regular expression rule which implies the entire request + // header value must match the regex. The rule will not match if only a subsequence of the + // request header value matches the regex. + // This field is deprecated. Please use :ref:`string_match `. + type.matcher.v3.RegexMatcher safe_regex_match = 11 + [deprecated = true, (envoy.annotations.deprecated_at_minor_version) = "3.0"]; + + // If specified, header match will be performed based on range. + // The rule will match if the request header value is within this range. + // The entire request header value must represent an integer in base 10 notation: consisting of + // an optional plus or minus sign followed by a sequence of digits. The rule will not match if + // the header value does not represent an integer. Match will fail for empty values, floating + // point numbers or if only a subsequence of the header value is an integer. + // + // Examples: + // + // * For range [-10,0), route will match for header value -1, but not for 0, ``somestring``, 10.9, + // ``-1somestring`` + type.v3.Int64Range range_match = 6; + + // If specified as true, header match will be performed based on whether the header is in the + // request. If specified as false, header match will be performed based on whether the header is absent. + bool present_match = 7; + + // If specified, header match will be performed based on the prefix of the header value. + // Note: empty prefix is not allowed, please use present_match instead. + // This field is deprecated. Please use :ref:`string_match `. + // + // Examples: + // + // * The prefix ``abcd`` matches the value ``abcdxyz``, but not for ``abcxyz``. + string prefix_match = 9 [ + deprecated = true, + (validate.rules).string = {min_len: 1}, + (envoy.annotations.deprecated_at_minor_version) = "3.0" + ]; + + // If specified, header match will be performed based on the suffix of the header value. + // Note: empty suffix is not allowed, please use present_match instead. + // This field is deprecated. Please use :ref:`string_match `. + // + // Examples: + // + // * The suffix ``abcd`` matches the value ``xyzabcd``, but not for ``xyzbcd``. + string suffix_match = 10 [ + deprecated = true, + (validate.rules).string = {min_len: 1}, + (envoy.annotations.deprecated_at_minor_version) = "3.0" + ]; + + // If specified, header match will be performed based on whether the header value contains + // the given value or not. + // Note: empty contains match is not allowed, please use present_match instead. + // This field is deprecated. Please use :ref:`string_match `. + // + // Examples: + // + // * The value ``abcd`` matches the value ``xyzabcdpqr``, but not for ``xyzbcdpqr``. + string contains_match = 12 [ + deprecated = true, + (validate.rules).string = {min_len: 1}, + (envoy.annotations.deprecated_at_minor_version) = "3.0" + ]; + + // If specified, header match will be performed based on the string match of the header value. + type.matcher.v3.StringMatcher string_match = 13; + } + + // If specified, the match result will be inverted before checking. Defaults to false. + // + // Examples: + // + // * The regex ``\d{3}`` does not match the value ``1234``, so it will match when inverted. + // * The range [-10,0) will match the value -1, so it will not match when inverted. + bool invert_match = 8; + + // If specified, for any header match rule, if the header match rule specified header + // does not exist, this header value will be treated as empty. Defaults to false. + // + // Examples: + // + // * The header match rule specified header "header1" to range match of [0, 10], + // :ref:`invert_match ` + // is set to true and :ref:`treat_missing_header_as_empty ` + // is set to true; The "header1" header is not present. The match rule will + // treat the "header1" as an empty header. The empty header does not match the range, + // so it will match when inverted. + // * The header match rule specified header "header2" to range match of [0, 10], + // :ref:`invert_match ` + // is set to true and :ref:`treat_missing_header_as_empty ` + // is set to false; The "header2" header is not present and the header + // matcher rule for "header2" will be ignored so it will not match. + // * The header match rule specified header "header3" to a string regex match + // ``^$`` which means an empty string, and + // :ref:`treat_missing_header_as_empty ` + // is set to true; The "header3" header is not present. + // The match rule will treat the "header3" header as an empty header so it will match. + // * The header match rule specified header "header4" to a string regex match + // ``^$`` which means an empty string, and + // :ref:`treat_missing_header_as_empty ` + // is set to false; The "header4" header is not present. + // The match rule for "header4" will be ignored so it will not match. + bool treat_missing_header_as_empty = 14; +} + +// Query parameter matching treats the query string of a request's :path header +// as an ampersand-separated list of keys and/or key=value elements. +// [#next-free-field: 7] +message QueryParameterMatcher { + option (udpa.annotations.versioning).previous_message_type = + "envoy.api.v2.route.QueryParameterMatcher"; + + reserved 3, 4; + + reserved "value", "regex"; + + // Specifies the name of a key that must be present in the requested + // ``path``'s query string. + string name = 1 [(validate.rules).string = {min_len: 1 max_bytes: 1024}]; + + oneof query_parameter_match_specifier { + // Specifies whether a query parameter value should match against a string. + type.matcher.v3.StringMatcher string_match = 5 [(validate.rules).message = {required: true}]; + + // Specifies whether a query parameter should be present. + bool present_match = 6; + } +} + +// HTTP Internal Redirect :ref:`architecture overview `. +message InternalRedirectPolicy { + // An internal redirect is not handled, unless the number of previous internal redirects that a + // downstream request has encountered is lower than this value. + // In the case where a downstream request is bounced among multiple routes by internal redirect, + // the first route that hits this threshold, or does not set :ref:`internal_redirect_policy + // ` + // will pass the redirect back to downstream. + // + // If not specified, at most one redirect will be followed. + google.protobuf.UInt32Value max_internal_redirects = 1; + + // Defines what upstream response codes are allowed to trigger internal redirect. If unspecified, + // only 302 will be treated as internal redirect. + // Only 301, 302, 303, 307 and 308 are valid values. Any other codes will be ignored. + repeated uint32 redirect_response_codes = 2 [(validate.rules).repeated = {max_items: 5}]; + + // Specifies a list of predicates that are queried when an upstream response is deemed + // to trigger an internal redirect by all other criteria. Any predicate in the list can reject + // the redirect, causing the response to be proxied to downstream. + // [#extension-category: envoy.internal_redirect_predicates] + repeated core.v3.TypedExtensionConfig predicates = 3; + + // Allow internal redirect to follow a target URI with a different scheme than the value of + // x-forwarded-proto. The default is false. + bool allow_cross_scheme_redirect = 4; +} + +// A simple wrapper for an HTTP filter config. This is intended to be used as a wrapper for the +// map value in +// :ref:`VirtualHost.typed_per_filter_config`, +// :ref:`Route.typed_per_filter_config`, +// or :ref:`WeightedCluster.ClusterWeight.typed_per_filter_config` +// to add additional flags to the filter. +// [#not-implemented-hide:] +message FilterConfig { + // The filter config. + google.protobuf.Any config = 1; + + // If true, the filter is optional, meaning that if the client does + // not support the specified filter, it may ignore the map entry rather + // than rejecting the config. + bool is_optional = 2; +} diff --git a/src/main/proto/envoy/config/route/v3/scoped_route.proto b/src/main/proto/envoy/config/route/v3/scoped_route.proto new file mode 100644 index 0000000..27bcd61 --- /dev/null +++ b/src/main/proto/envoy/config/route/v3/scoped_route.proto @@ -0,0 +1,133 @@ +syntax = "proto3"; + +package envoy.config.route.v3; + +import "envoy/config/route/v3/route.proto"; + +import "udpa/annotations/migrate.proto"; +import "udpa/annotations/status.proto"; +import "udpa/annotations/versioning.proto"; +import "validate/validate.proto"; + +option java_package = "io.envoyproxy.envoy.config.route.v3"; +option java_outer_classname = "ScopedRouteProto"; +option java_multiple_files = true; +option go_package = "github.com/envoyproxy/go-control-plane/envoy/config/route/v3;routev3"; +option (udpa.annotations.file_status).package_version_status = ACTIVE; + +// [#protodoc-title: HTTP scoped routing configuration] +// * Routing :ref:`architecture overview ` + +// Specifies a routing scope, which associates a +// :ref:`Key` to a +// :ref:`envoy_v3_api_msg_config.route.v3.RouteConfiguration`. +// The :ref:`envoy_v3_api_msg_config.route.v3.RouteConfiguration` can be obtained dynamically +// via RDS (:ref:`route_configuration_name`) +// or specified inline (:ref:`route_configuration`). +// +// The HTTP connection manager builds up a table consisting of these Key to +// RouteConfiguration mappings, and looks up the RouteConfiguration to use per +// request according to the algorithm specified in the +// :ref:`scope_key_builder` +// assigned to the HttpConnectionManager. +// +// For example, with the following configurations (in YAML): +// +// HttpConnectionManager config: +// +// .. code:: +// +// ... +// scoped_routes: +// name: foo-scoped-routes +// scope_key_builder: +// fragments: +// - header_value_extractor: +// name: X-Route-Selector +// element_separator: , +// element: +// separator: = +// key: vip +// +// ScopedRouteConfiguration resources (specified statically via +// :ref:`scoped_route_configurations_list` +// or obtained dynamically via SRDS): +// +// .. code:: +// +// (1) +// name: route-scope1 +// route_configuration_name: route-config1 +// key: +// fragments: +// - string_key: 172.10.10.20 +// +// (2) +// name: route-scope2 +// route_configuration_name: route-config2 +// key: +// fragments: +// - string_key: 172.20.20.30 +// +// A request from a client such as: +// +// .. code:: +// +// GET / HTTP/1.1 +// Host: foo.com +// X-Route-Selector: vip=172.10.10.20 +// +// would result in the routing table defined by the ``route-config1`` +// RouteConfiguration being assigned to the HTTP request/stream. +// +// [#next-free-field: 6] +message ScopedRouteConfiguration { + option (udpa.annotations.versioning).previous_message_type = + "envoy.api.v2.ScopedRouteConfiguration"; + + // Specifies a key which is matched against the output of the + // :ref:`scope_key_builder` + // specified in the HttpConnectionManager. The matching is done per HTTP + // request and is dependent on the order of the fragments contained in the + // Key. + message Key { + option (udpa.annotations.versioning).previous_message_type = + "envoy.api.v2.ScopedRouteConfiguration.Key"; + + message Fragment { + option (udpa.annotations.versioning).previous_message_type = + "envoy.api.v2.ScopedRouteConfiguration.Key.Fragment"; + + oneof type { + option (validate.required) = true; + + // A string to match against. + string string_key = 1; + } + } + + // The ordered set of fragments to match against. The order must match the + // fragments in the corresponding + // :ref:`scope_key_builder`. + repeated Fragment fragments = 1 [(validate.rules).repeated = {min_items: 1}]; + } + + // Whether the RouteConfiguration should be loaded on demand. + bool on_demand = 4; + + // The name assigned to the routing scope. + string name = 1 [(validate.rules).string = {min_len: 1}]; + + // The resource name to use for a :ref:`envoy_v3_api_msg_service.discovery.v3.DiscoveryRequest` to an + // RDS server to fetch the :ref:`envoy_v3_api_msg_config.route.v3.RouteConfiguration` associated + // with this scope. + string route_configuration_name = 2 + [(udpa.annotations.field_migrate).oneof_promotion = "route_config"]; + + // The :ref:`envoy_v3_api_msg_config.route.v3.RouteConfiguration` associated with the scope. + RouteConfiguration route_configuration = 5 + [(udpa.annotations.field_migrate).oneof_promotion = "route_config"]; + + // The key to match against. + Key key = 3 [(validate.rules).message = {required: true}]; +} diff --git a/src/main/proto/envoy/type/matcher/BUILD b/src/main/proto/envoy/type/matcher/BUILD new file mode 100644 index 0000000..29613b4 --- /dev/null +++ b/src/main/proto/envoy/type/matcher/BUILD @@ -0,0 +1,13 @@ +# DO NOT EDIT. This file is generated by tools/proto_format/proto_sync.py. + +load("@envoy_api//bazel:api_build_system.bzl", "api_proto_package") + +licenses(["notice"]) # Apache 2 + +api_proto_package( + deps = [ + "//envoy/annotations:pkg", + "//envoy/type:pkg", + "@com_github_cncf_udpa//udpa/annotations:pkg", + ], +) diff --git a/src/main/proto/envoy/type/matcher/metadata.proto b/src/main/proto/envoy/type/matcher/metadata.proto new file mode 100644 index 0000000..20da230 --- /dev/null +++ b/src/main/proto/envoy/type/matcher/metadata.proto @@ -0,0 +1,99 @@ +syntax = "proto3"; + +package envoy.type.matcher; + +import "envoy/type/matcher/value.proto"; + +import "udpa/annotations/status.proto"; +import "validate/validate.proto"; + +option java_package = "io.envoyproxy.envoy.type.matcher"; +option java_outer_classname = "MetadataProto"; +option java_multiple_files = true; +option go_package = "github.com/envoyproxy/go-control-plane/envoy/type/matcher"; +option (udpa.annotations.file_status).package_version_status = FROZEN; + +// [#protodoc-title: Metadata matcher] + +// MetadataMatcher provides a general interface to check if a given value is matched in +// :ref:`Metadata `. It uses `filter` and `path` to retrieve the value +// from the Metadata and then check if it's matched to the specified value. +// +// For example, for the following Metadata: +// +// .. code-block:: yaml +// +// filter_metadata: +// envoy.filters.http.rbac: +// fields: +// a: +// struct_value: +// fields: +// b: +// struct_value: +// fields: +// c: +// string_value: pro +// t: +// list_value: +// values: +// - string_value: m +// - string_value: n +// +// The following MetadataMatcher is matched as the path [a, b, c] will retrieve a string value "pro" +// from the Metadata which is matched to the specified prefix match. +// +// .. code-block:: yaml +// +// filter: envoy.filters.http.rbac +// path: +// - key: a +// - key: b +// - key: c +// value: +// string_match: +// prefix: pr +// +// The following MetadataMatcher is matched as the code will match one of the string values in the +// list at the path [a, t]. +// +// .. code-block:: yaml +// +// filter: envoy.filters.http.rbac +// path: +// - key: a +// - key: t +// value: +// list_match: +// one_of: +// string_match: +// exact: m +// +// An example use of MetadataMatcher is specifying additional metadata in envoy.filters.http.rbac to +// enforce access control based on dynamic metadata in a request. See :ref:`Permission +// ` and :ref:`Principal +// `. + +// [#next-major-version: MetadataMatcher should use StructMatcher] +message MetadataMatcher { + // Specifies the segment in a path to retrieve value from Metadata. + // Note: Currently it's not supported to retrieve a value from a list in Metadata. This means that + // if the segment key refers to a list, it has to be the last segment in a path. + message PathSegment { + oneof segment { + option (validate.required) = true; + + // If specified, use the key to retrieve the value in a Struct. + string key = 1 [(validate.rules).string = {min_len: 1}]; + } + } + + // The filter name to retrieve the Struct from the Metadata. + string filter = 1 [(validate.rules).string = {min_len: 1}]; + + // The path to retrieve the Value from the Struct. + repeated PathSegment path = 2 [(validate.rules).repeated = {min_items: 1}]; + + // The MetadataMatcher is matched if the value retrieved by path is matched to this value. + ValueMatcher value = 3 [(validate.rules).message = {required: true}]; +} diff --git a/src/main/proto/envoy/type/matcher/node.proto b/src/main/proto/envoy/type/matcher/node.proto new file mode 100644 index 0000000..5dcf1e6 --- /dev/null +++ b/src/main/proto/envoy/type/matcher/node.proto @@ -0,0 +1,26 @@ +syntax = "proto3"; + +package envoy.type.matcher; + +import "envoy/type/matcher/string.proto"; +import "envoy/type/matcher/struct.proto"; + +import "udpa/annotations/status.proto"; + +option java_package = "io.envoyproxy.envoy.type.matcher"; +option java_outer_classname = "NodeProto"; +option java_multiple_files = true; +option go_package = "github.com/envoyproxy/go-control-plane/envoy/type/matcher"; +option (udpa.annotations.file_status).package_version_status = FROZEN; + +// [#protodoc-title: Node matcher] + +// Specifies the way to match a Node. +// The match follows AND semantics. +message NodeMatcher { + // Specifies match criteria on the node id. + StringMatcher node_id = 1; + + // Specifies match criteria on the node metadata. + repeated StructMatcher node_metadatas = 2; +} diff --git a/src/main/proto/envoy/type/matcher/number.proto b/src/main/proto/envoy/type/matcher/number.proto new file mode 100644 index 0000000..4c5b4db --- /dev/null +++ b/src/main/proto/envoy/type/matcher/number.proto @@ -0,0 +1,30 @@ +syntax = "proto3"; + +package envoy.type.matcher; + +import "envoy/type/range.proto"; + +import "udpa/annotations/status.proto"; +import "validate/validate.proto"; + +option java_package = "io.envoyproxy.envoy.type.matcher"; +option java_outer_classname = "NumberProto"; +option java_multiple_files = true; +option go_package = "github.com/envoyproxy/go-control-plane/envoy/type/matcher"; +option (udpa.annotations.file_status).package_version_status = FROZEN; + +// [#protodoc-title: Number matcher] + +// Specifies the way to match a double value. +message DoubleMatcher { + oneof match_pattern { + option (validate.required) = true; + + // If specified, the input double value must be in the range specified here. + // Note: The range is using half-open interval semantics [start, end). + DoubleRange range = 1; + + // If specified, the input double value must be equal to the value specified here. + double exact = 2; + } +} diff --git a/src/main/proto/envoy/type/matcher/path.proto b/src/main/proto/envoy/type/matcher/path.proto new file mode 100644 index 0000000..1a97bbc --- /dev/null +++ b/src/main/proto/envoy/type/matcher/path.proto @@ -0,0 +1,28 @@ +syntax = "proto3"; + +package envoy.type.matcher; + +import "envoy/type/matcher/string.proto"; + +import "udpa/annotations/status.proto"; +import "validate/validate.proto"; + +option java_package = "io.envoyproxy.envoy.type.matcher"; +option java_outer_classname = "PathProto"; +option java_multiple_files = true; +option go_package = "github.com/envoyproxy/go-control-plane/envoy/type/matcher"; +option (udpa.annotations.file_status).package_version_status = FROZEN; + +// [#protodoc-title: Path matcher] + +// Specifies the way to match a path on HTTP request. +message PathMatcher { + oneof rule { + option (validate.required) = true; + + // The `path` must match the URL path portion of the :path header. The query and fragment + // string (if present) are removed in the URL path portion. + // For example, the path */data* will match the *:path* header */data#fragment?param=value*. + StringMatcher path = 1 [(validate.rules).message = {required: true}]; + } +} diff --git a/src/main/proto/envoy/type/matcher/regex.proto b/src/main/proto/envoy/type/matcher/regex.proto new file mode 100644 index 0000000..e009a5a --- /dev/null +++ b/src/main/proto/envoy/type/matcher/regex.proto @@ -0,0 +1,79 @@ +syntax = "proto3"; + +package envoy.type.matcher; + +import "google/protobuf/wrappers.proto"; + +import "udpa/annotations/status.proto"; +import "validate/validate.proto"; + +option java_package = "io.envoyproxy.envoy.type.matcher"; +option java_outer_classname = "RegexProto"; +option java_multiple_files = true; +option go_package = "github.com/envoyproxy/go-control-plane/envoy/type/matcher"; +option (udpa.annotations.file_status).package_version_status = FROZEN; + +// [#protodoc-title: Regex matcher] + +// A regex matcher designed for safety when used with untrusted input. +message RegexMatcher { + // Google's `RE2 `_ regex engine. The regex string must adhere to + // the documented `syntax `_. The engine is designed + // to complete execution in linear time as well as limit the amount of memory used. + // + // Envoy supports program size checking via runtime. The runtime keys ``re2.max_program_size.error_level`` + // and ``re2.max_program_size.warn_level`` can be set to integers as the maximum program size or + // complexity that a compiled regex can have before an exception is thrown or a warning is + // logged, respectively. ``re2.max_program_size.error_level`` defaults to 100, and + // ``re2.max_program_size.warn_level`` has no default if unset (will not check/log a warning). + // + // Envoy emits two stats for tracking the program size of regexes: the histogram `re2.program_size`, + // which records the program size, and the counter `re2.exceeded_warn_level`, which is incremented + // each time the program size exceeds the warn level threshold. + message GoogleRE2 { + // This field controls the RE2 "program size" which is a rough estimate of how complex a + // compiled regex is to evaluate. A regex that has a program size greater than the configured + // value will fail to compile. In this case, the configured max program size can be increased + // or the regex can be simplified. If not specified, the default is 100. + // + // This field is deprecated; regexp validation should be performed on the management server + // instead of being done by each individual client. + google.protobuf.UInt32Value max_program_size = 1 [deprecated = true]; + } + + oneof engine_type { + option (validate.required) = true; + + // Google's RE2 regex engine. + GoogleRE2 google_re2 = 1 [(validate.rules).message = {required: true}]; + } + + // The regex match string. The string must be supported by the configured engine. + string regex = 2 [(validate.rules).string = {min_len: 1}]; +} + +// Describes how to match a string and then produce a new string using a regular +// expression and a substitution string. +message RegexMatchAndSubstitute { + // The regular expression used to find portions of a string (hereafter called + // the "subject string") that should be replaced. When a new string is + // produced during the substitution operation, the new string is initially + // the same as the subject string, but then all matches in the subject string + // are replaced by the substitution string. If replacing all matches isn't + // desired, regular expression anchors can be used to ensure a single match, + // so as to replace just one occurrence of a pattern. Capture groups can be + // used in the pattern to extract portions of the subject string, and then + // referenced in the substitution string. + RegexMatcher pattern = 1; + + // The string that should be substituted into matching portions of the + // subject string during a substitution operation to produce a new string. + // Capture groups in the pattern can be referenced in the substitution + // string. Note, however, that the syntax for referring to capture groups is + // defined by the chosen regular expression engine. Google's `RE2 + // `_ regular expression engine uses a + // backslash followed by the capture group number to denote a numbered + // capture group. E.g., ``\1`` refers to capture group 1, and ``\2`` refers + // to capture group 2. + string substitution = 2; +} diff --git a/src/main/proto/envoy/type/matcher/string.proto b/src/main/proto/envoy/type/matcher/string.proto new file mode 100644 index 0000000..b4571ce --- /dev/null +++ b/src/main/proto/envoy/type/matcher/string.proto @@ -0,0 +1,80 @@ +syntax = "proto3"; + +package envoy.type.matcher; + +import "envoy/type/matcher/regex.proto"; + +import "envoy/annotations/deprecation.proto"; +import "udpa/annotations/status.proto"; +import "validate/validate.proto"; + +option java_package = "io.envoyproxy.envoy.type.matcher"; +option java_outer_classname = "StringProto"; +option java_multiple_files = true; +option go_package = "github.com/envoyproxy/go-control-plane/envoy/type/matcher"; +option (udpa.annotations.file_status).package_version_status = FROZEN; + +// [#protodoc-title: String matcher] + +// Specifies the way to match a string. +// [#next-free-field: 7] +message StringMatcher { + oneof match_pattern { + option (validate.required) = true; + + // The input string must match exactly the string specified here. + // + // Examples: + // + // * *abc* only matches the value *abc*. + string exact = 1; + + // The input string must have the prefix specified here. + // Note: empty prefix is not allowed, please use regex instead. + // + // Examples: + // + // * *abc* matches the value *abc.xyz* + string prefix = 2 [(validate.rules).string = {min_len: 1}]; + + // The input string must have the suffix specified here. + // Note: empty prefix is not allowed, please use regex instead. + // + // Examples: + // + // * *abc* matches the value *xyz.abc* + string suffix = 3 [(validate.rules).string = {min_len: 1}]; + + // The input string must match the regular expression specified here. + // The regex grammar is defined `here + // `_. + // + // Examples: + // + // * The regex ``\d{3}`` matches the value *123* + // * The regex ``\d{3}`` does not match the value *1234* + // * The regex ``\d{3}`` does not match the value *123.456* + // + // .. attention:: + // This field has been deprecated in favor of `safe_regex` as it is not safe for use with + // untrusted input in all cases. + string regex = 4 [ + deprecated = true, + (validate.rules).string = {max_bytes: 1024}, + (envoy.annotations.disallowed_by_default) = true + ]; + + // The input string must match the regular expression specified here. + RegexMatcher safe_regex = 5 [(validate.rules).message = {required: true}]; + } + + // If true, indicates the exact/prefix/suffix matching should be case insensitive. This has no + // effect for the safe_regex match. + // For example, the matcher *data* will match both input string *Data* and *data* if set to true. + bool ignore_case = 6; +} + +// Specifies a list of ways to match a string. +message ListStringMatcher { + repeated StringMatcher patterns = 1 [(validate.rules).repeated = {min_items: 1}]; +} diff --git a/src/main/proto/envoy/type/matcher/struct.proto b/src/main/proto/envoy/type/matcher/struct.proto new file mode 100644 index 0000000..f08bf79 --- /dev/null +++ b/src/main/proto/envoy/type/matcher/struct.proto @@ -0,0 +1,85 @@ +syntax = "proto3"; + +package envoy.type.matcher; + +import "envoy/type/matcher/value.proto"; + +import "udpa/annotations/status.proto"; +import "validate/validate.proto"; + +option java_package = "io.envoyproxy.envoy.type.matcher"; +option java_outer_classname = "StructProto"; +option java_multiple_files = true; +option go_package = "github.com/envoyproxy/go-control-plane/envoy/type/matcher"; +option (udpa.annotations.file_status).package_version_status = FROZEN; + +// [#protodoc-title: Struct matcher] + +// StructMatcher provides a general interface to check if a given value is matched in +// google.protobuf.Struct. It uses `path` to retrieve the value +// from the struct and then check if it's matched to the specified value. +// +// For example, for the following Struct: +// +// .. code-block:: yaml +// +// fields: +// a: +// struct_value: +// fields: +// b: +// struct_value: +// fields: +// c: +// string_value: pro +// t: +// list_value: +// values: +// - string_value: m +// - string_value: n +// +// The following MetadataMatcher is matched as the path [a, b, c] will retrieve a string value "pro" +// from the Metadata which is matched to the specified prefix match. +// +// .. code-block:: yaml +// +// path: +// - key: a +// - key: b +// - key: c +// value: +// string_match: +// prefix: pr +// +// The following StructMatcher is matched as the code will match one of the string values in the +// list at the path [a, t]. +// +// .. code-block:: yaml +// +// path: +// - key: a +// - key: t +// value: +// list_match: +// one_of: +// string_match: +// exact: m +// +// An example use of StructMatcher is to match metadata in envoy.v*.core.Node. +message StructMatcher { + // Specifies the segment in a path to retrieve value from Struct. + message PathSegment { + oneof segment { + option (validate.required) = true; + + // If specified, use the key to retrieve the value in a Struct. + string key = 1 [(validate.rules).string = {min_len: 1}]; + } + } + + // The path to retrieve the Value from the Struct. + repeated PathSegment path = 2 [(validate.rules).repeated = {min_items: 1}]; + + // The StructMatcher is matched if the value retrieved by path is matched to this value. + ValueMatcher value = 3 [(validate.rules).message = {required: true}]; +} diff --git a/src/main/proto/envoy/type/matcher/v3/BUILD b/src/main/proto/envoy/type/matcher/v3/BUILD new file mode 100644 index 0000000..fb28aa0 --- /dev/null +++ b/src/main/proto/envoy/type/matcher/v3/BUILD @@ -0,0 +1,13 @@ +# DO NOT EDIT. This file is generated by tools/proto_format/proto_sync.py. + +load("@envoy_api//bazel:api_build_system.bzl", "api_proto_package") + +licenses(["notice"]) # Apache 2 + +api_proto_package( + deps = [ + "//envoy/annotations:pkg", + "//envoy/type/v3:pkg", + "@com_github_cncf_udpa//udpa/annotations:pkg", + ], +) diff --git a/src/main/proto/envoy/type/matcher/v3/filter_state.proto b/src/main/proto/envoy/type/matcher/v3/filter_state.proto new file mode 100644 index 0000000..f813178 --- /dev/null +++ b/src/main/proto/envoy/type/matcher/v3/filter_state.proto @@ -0,0 +1,29 @@ +syntax = "proto3"; + +package envoy.type.matcher.v3; + +import "envoy/type/matcher/v3/string.proto"; + +import "udpa/annotations/status.proto"; +import "validate/validate.proto"; + +option java_package = "io.envoyproxy.envoy.type.matcher.v3"; +option java_outer_classname = "FilterStateProto"; +option java_multiple_files = true; +option go_package = "github.com/envoyproxy/go-control-plane/envoy/type/matcher/v3;matcherv3"; +option (udpa.annotations.file_status).package_version_status = ACTIVE; + +// [#protodoc-title: Filter state matcher] + +// FilterStateMatcher provides a general interface for matching the filter state objects. +message FilterStateMatcher { + // The filter state key to retrieve the object. + string key = 1 [(validate.rules).string = {min_len: 1}]; + + oneof matcher { + option (validate.required) = true; + + // Matches the filter state object as a string value. + StringMatcher string_match = 2; + } +} diff --git a/src/main/proto/envoy/type/matcher/v3/http_inputs.proto b/src/main/proto/envoy/type/matcher/v3/http_inputs.proto new file mode 100644 index 0000000..27e29bf --- /dev/null +++ b/src/main/proto/envoy/type/matcher/v3/http_inputs.proto @@ -0,0 +1,62 @@ +syntax = "proto3"; + +package envoy.type.matcher.v3; + +import "udpa/annotations/status.proto"; +import "validate/validate.proto"; + +option java_package = "io.envoyproxy.envoy.type.matcher.v3"; +option java_outer_classname = "HttpInputsProto"; +option java_multiple_files = true; +option go_package = "github.com/envoyproxy/go-control-plane/envoy/type/matcher/v3;matcherv3"; +option (udpa.annotations.file_status).package_version_status = ACTIVE; + +// [#protodoc-title: Common HTTP inputs] + +// Match input indicates that matching should be done on a specific request header. +// The resulting input string will be all headers for the given key joined by a comma, +// e.g. if the request contains two 'foo' headers with value 'bar' and 'baz', the input +// string will be 'bar,baz'. +// [#comment:TODO(snowp): Link to unified matching docs.] +// [#extension: envoy.matching.inputs.request_headers] +message HttpRequestHeaderMatchInput { + // The request header to match on. + string header_name = 1 + [(validate.rules).string = {well_known_regex: HTTP_HEADER_NAME strict: false}]; +} + +// Match input indicates that matching should be done on a specific request trailer. +// The resulting input string will be all headers for the given key joined by a comma, +// e.g. if the request contains two 'foo' headers with value 'bar' and 'baz', the input +// string will be 'bar,baz'. +// [#comment:TODO(snowp): Link to unified matching docs.] +// [#extension: envoy.matching.inputs.request_trailers] +message HttpRequestTrailerMatchInput { + // The request trailer to match on. + string header_name = 1 + [(validate.rules).string = {well_known_regex: HTTP_HEADER_NAME strict: false}]; +} + +// Match input indicating that matching should be done on a specific response header. +// The resulting input string will be all headers for the given key joined by a comma, +// e.g. if the response contains two 'foo' headers with value 'bar' and 'baz', the input +// string will be 'bar,baz'. +// [#comment:TODO(snowp): Link to unified matching docs.] +// [#extension: envoy.matching.inputs.response_headers] +message HttpResponseHeaderMatchInput { + // The response header to match on. + string header_name = 1 + [(validate.rules).string = {well_known_regex: HTTP_HEADER_NAME strict: false}]; +} + +// Match input indicates that matching should be done on a specific response trailer. +// The resulting input string will be all headers for the given key joined by a comma, +// e.g. if the request contains two 'foo' headers with value 'bar' and 'baz', the input +// string will be 'bar,baz'. +// [#comment:TODO(snowp): Link to unified matching docs.] +// [#extension: envoy.matching.inputs.response_trailers] +message HttpResponseTrailerMatchInput { + // The response trailer to match on. + string header_name = 1 + [(validate.rules).string = {well_known_regex: HTTP_HEADER_NAME strict: false}]; +} diff --git a/src/main/proto/envoy/type/matcher/v3/metadata.proto b/src/main/proto/envoy/type/matcher/v3/metadata.proto new file mode 100644 index 0000000..d3316e8 --- /dev/null +++ b/src/main/proto/envoy/type/matcher/v3/metadata.proto @@ -0,0 +1,108 @@ +syntax = "proto3"; + +package envoy.type.matcher.v3; + +import "envoy/type/matcher/v3/value.proto"; + +import "udpa/annotations/status.proto"; +import "udpa/annotations/versioning.proto"; +import "validate/validate.proto"; + +option java_package = "io.envoyproxy.envoy.type.matcher.v3"; +option java_outer_classname = "MetadataProto"; +option java_multiple_files = true; +option go_package = "github.com/envoyproxy/go-control-plane/envoy/type/matcher/v3;matcherv3"; +option (udpa.annotations.file_status).package_version_status = ACTIVE; + +// [#protodoc-title: Metadata matcher] + +// MetadataMatcher provides a general interface to check if a given value is matched in +// :ref:`Metadata `. It uses `filter` and `path` to retrieve the value +// from the Metadata and then check if it's matched to the specified value. +// +// For example, for the following Metadata: +// +// .. code-block:: yaml +// +// filter_metadata: +// envoy.filters.http.rbac: +// fields: +// a: +// struct_value: +// fields: +// b: +// struct_value: +// fields: +// c: +// string_value: pro +// t: +// list_value: +// values: +// - string_value: m +// - string_value: n +// +// The following MetadataMatcher is matched as the path [a, b, c] will retrieve a string value "pro" +// from the Metadata which is matched to the specified prefix match. +// +// .. code-block:: yaml +// +// filter: envoy.filters.http.rbac +// path: +// - key: a +// - key: b +// - key: c +// value: +// string_match: +// prefix: pr +// +// The following MetadataMatcher is matched as the code will match one of the string values in the +// list at the path [a, t]. +// +// .. code-block:: yaml +// +// filter: envoy.filters.http.rbac +// path: +// - key: a +// - key: t +// value: +// list_match: +// one_of: +// string_match: +// exact: m +// +// An example use of MetadataMatcher is specifying additional metadata in envoy.filters.http.rbac to +// enforce access control based on dynamic metadata in a request. See :ref:`Permission +// ` and :ref:`Principal +// `. + +// [#next-major-version: MetadataMatcher should use StructMatcher] +message MetadataMatcher { + option (udpa.annotations.versioning).previous_message_type = "envoy.type.matcher.MetadataMatcher"; + + // Specifies the segment in a path to retrieve value from Metadata. + // Note: Currently it's not supported to retrieve a value from a list in Metadata. This means that + // if the segment key refers to a list, it has to be the last segment in a path. + message PathSegment { + option (udpa.annotations.versioning).previous_message_type = + "envoy.type.matcher.MetadataMatcher.PathSegment"; + + oneof segment { + option (validate.required) = true; + + // If specified, use the key to retrieve the value in a Struct. + string key = 1 [(validate.rules).string = {min_len: 1}]; + } + } + + // The filter name to retrieve the Struct from the Metadata. + string filter = 1 [(validate.rules).string = {min_len: 1}]; + + // The path to retrieve the Value from the Struct. + repeated PathSegment path = 2 [(validate.rules).repeated = {min_items: 1}]; + + // The MetadataMatcher is matched if the value retrieved by path is matched to this value. + ValueMatcher value = 3 [(validate.rules).message = {required: true}]; + + // If true, the match result will be inverted. + bool invert = 4; +} diff --git a/src/main/proto/envoy/type/matcher/v3/node.proto b/src/main/proto/envoy/type/matcher/v3/node.proto new file mode 100644 index 0000000..baa92fb --- /dev/null +++ b/src/main/proto/envoy/type/matcher/v3/node.proto @@ -0,0 +1,29 @@ +syntax = "proto3"; + +package envoy.type.matcher.v3; + +import "envoy/type/matcher/v3/string.proto"; +import "envoy/type/matcher/v3/struct.proto"; + +import "udpa/annotations/status.proto"; +import "udpa/annotations/versioning.proto"; + +option java_package = "io.envoyproxy.envoy.type.matcher.v3"; +option java_outer_classname = "NodeProto"; +option java_multiple_files = true; +option go_package = "github.com/envoyproxy/go-control-plane/envoy/type/matcher/v3;matcherv3"; +option (udpa.annotations.file_status).package_version_status = ACTIVE; + +// [#protodoc-title: Node matcher] + +// Specifies the way to match a Node. +// The match follows AND semantics. +message NodeMatcher { + option (udpa.annotations.versioning).previous_message_type = "envoy.type.matcher.NodeMatcher"; + + // Specifies match criteria on the node id. + StringMatcher node_id = 1; + + // Specifies match criteria on the node metadata. + repeated StructMatcher node_metadatas = 2; +} diff --git a/src/main/proto/envoy/type/matcher/v3/number.proto b/src/main/proto/envoy/type/matcher/v3/number.proto new file mode 100644 index 0000000..99681c9 --- /dev/null +++ b/src/main/proto/envoy/type/matcher/v3/number.proto @@ -0,0 +1,33 @@ +syntax = "proto3"; + +package envoy.type.matcher.v3; + +import "envoy/type/v3/range.proto"; + +import "udpa/annotations/status.proto"; +import "udpa/annotations/versioning.proto"; +import "validate/validate.proto"; + +option java_package = "io.envoyproxy.envoy.type.matcher.v3"; +option java_outer_classname = "NumberProto"; +option java_multiple_files = true; +option go_package = "github.com/envoyproxy/go-control-plane/envoy/type/matcher/v3;matcherv3"; +option (udpa.annotations.file_status).package_version_status = ACTIVE; + +// [#protodoc-title: Number matcher] + +// Specifies the way to match a double value. +message DoubleMatcher { + option (udpa.annotations.versioning).previous_message_type = "envoy.type.matcher.DoubleMatcher"; + + oneof match_pattern { + option (validate.required) = true; + + // If specified, the input double value must be in the range specified here. + // Note: The range is using half-open interval semantics [start, end). + type.v3.DoubleRange range = 1; + + // If specified, the input double value must be equal to the value specified here. + double exact = 2; + } +} diff --git a/src/main/proto/envoy/type/matcher/v3/path.proto b/src/main/proto/envoy/type/matcher/v3/path.proto new file mode 100644 index 0000000..46b758e --- /dev/null +++ b/src/main/proto/envoy/type/matcher/v3/path.proto @@ -0,0 +1,31 @@ +syntax = "proto3"; + +package envoy.type.matcher.v3; + +import "envoy/type/matcher/v3/string.proto"; + +import "udpa/annotations/status.proto"; +import "udpa/annotations/versioning.proto"; +import "validate/validate.proto"; + +option java_package = "io.envoyproxy.envoy.type.matcher.v3"; +option java_outer_classname = "PathProto"; +option java_multiple_files = true; +option go_package = "github.com/envoyproxy/go-control-plane/envoy/type/matcher/v3;matcherv3"; +option (udpa.annotations.file_status).package_version_status = ACTIVE; + +// [#protodoc-title: Path matcher] + +// Specifies the way to match a path on HTTP request. +message PathMatcher { + option (udpa.annotations.versioning).previous_message_type = "envoy.type.matcher.PathMatcher"; + + oneof rule { + option (validate.required) = true; + + // The ``path`` must match the URL path portion of the :path header. The query and fragment + // string (if present) are removed in the URL path portion. + // For example, the path ``/data`` will match the ``:path`` header ``/data#fragment?param=value``. + StringMatcher path = 1 [(validate.rules).message = {required: true}]; + } +} diff --git a/src/main/proto/envoy/type/matcher/v3/regex.proto b/src/main/proto/envoy/type/matcher/v3/regex.proto new file mode 100644 index 0000000..69cb8ba --- /dev/null +++ b/src/main/proto/envoy/type/matcher/v3/regex.proto @@ -0,0 +1,100 @@ +syntax = "proto3"; + +package envoy.type.matcher.v3; + +import "google/protobuf/wrappers.proto"; + +import "envoy/annotations/deprecation.proto"; +import "udpa/annotations/status.proto"; +import "udpa/annotations/versioning.proto"; +import "validate/validate.proto"; + +option java_package = "io.envoyproxy.envoy.type.matcher.v3"; +option java_outer_classname = "RegexProto"; +option java_multiple_files = true; +option go_package = "github.com/envoyproxy/go-control-plane/envoy/type/matcher/v3;matcherv3"; +option (udpa.annotations.file_status).package_version_status = ACTIVE; + +// [#protodoc-title: Regex matcher] + +// A regex matcher designed for safety when used with untrusted input. +message RegexMatcher { + option (udpa.annotations.versioning).previous_message_type = "envoy.type.matcher.RegexMatcher"; + + // Google's `RE2 `_ regex engine. The regex string must adhere to + // the documented `syntax `_. The engine is designed + // to complete execution in linear time as well as limit the amount of memory used. + // + // Envoy supports program size checking via runtime. The runtime keys ``re2.max_program_size.error_level`` + // and ``re2.max_program_size.warn_level`` can be set to integers as the maximum program size or + // complexity that a compiled regex can have before an exception is thrown or a warning is + // logged, respectively. ``re2.max_program_size.error_level`` defaults to 100, and + // ``re2.max_program_size.warn_level`` has no default if unset (will not check/log a warning). + // + // Envoy emits two stats for tracking the program size of regexes: the histogram ``re2.program_size``, + // which records the program size, and the counter ``re2.exceeded_warn_level``, which is incremented + // each time the program size exceeds the warn level threshold. + message GoogleRE2 { + option (udpa.annotations.versioning).previous_message_type = + "envoy.type.matcher.RegexMatcher.GoogleRE2"; + + // This field controls the RE2 "program size" which is a rough estimate of how complex a + // compiled regex is to evaluate. A regex that has a program size greater than the configured + // value will fail to compile. In this case, the configured max program size can be increased + // or the regex can be simplified. If not specified, the default is 100. + // + // This field is deprecated; regexp validation should be performed on the management server + // instead of being done by each individual client. + // + // .. note:: + // + // Although this field is deprecated, the program size will still be checked against the + // global ``re2.max_program_size.error_level`` runtime value. + // + google.protobuf.UInt32Value max_program_size = 1 + [deprecated = true, (envoy.annotations.deprecated_at_minor_version) = "3.0"]; + } + + oneof engine_type { + // Google's RE2 regex engine. + GoogleRE2 google_re2 = 1 [ + deprecated = true, + (validate.rules).message = {required: true}, + (envoy.annotations.deprecated_at_minor_version) = "3.0" + ]; + } + + // The regex match string. The string must be supported by the configured engine. The regex is matched + // against the full string, not as a partial match. + string regex = 2 [(validate.rules).string = {min_len: 1}]; +} + +// Describes how to match a string and then produce a new string using a regular +// expression and a substitution string. +message RegexMatchAndSubstitute { + option (udpa.annotations.versioning).previous_message_type = + "envoy.type.matcher.RegexMatchAndSubstitute"; + + // The regular expression used to find portions of a string (hereafter called + // the "subject string") that should be replaced. When a new string is + // produced during the substitution operation, the new string is initially + // the same as the subject string, but then all matches in the subject string + // are replaced by the substitution string. If replacing all matches isn't + // desired, regular expression anchors can be used to ensure a single match, + // so as to replace just one occurrence of a pattern. Capture groups can be + // used in the pattern to extract portions of the subject string, and then + // referenced in the substitution string. + RegexMatcher pattern = 1 [(validate.rules).message = {required: true}]; + + // The string that should be substituted into matching portions of the + // subject string during a substitution operation to produce a new string. + // Capture groups in the pattern can be referenced in the substitution + // string. Note, however, that the syntax for referring to capture groups is + // defined by the chosen regular expression engine. Google's `RE2 + // `_ regular expression engine uses a + // backslash followed by the capture group number to denote a numbered + // capture group. E.g., ``\1`` refers to capture group 1, and ``\2`` refers + // to capture group 2. + string substitution = 2 + [(validate.rules).string = {well_known_regex: HTTP_HEADER_VALUE strict: false}]; +} diff --git a/src/main/proto/envoy/type/matcher/v3/string.proto b/src/main/proto/envoy/type/matcher/v3/string.proto new file mode 100644 index 0000000..2df1bd3 --- /dev/null +++ b/src/main/proto/envoy/type/matcher/v3/string.proto @@ -0,0 +1,78 @@ +syntax = "proto3"; + +package envoy.type.matcher.v3; + +import "envoy/type/matcher/v3/regex.proto"; + +import "udpa/annotations/status.proto"; +import "udpa/annotations/versioning.proto"; +import "validate/validate.proto"; + +option java_package = "io.envoyproxy.envoy.type.matcher.v3"; +option java_outer_classname = "StringProto"; +option java_multiple_files = true; +option go_package = "github.com/envoyproxy/go-control-plane/envoy/type/matcher/v3;matcherv3"; +option (udpa.annotations.file_status).package_version_status = ACTIVE; + +// [#protodoc-title: String matcher] + +// Specifies the way to match a string. +// [#next-free-field: 8] +message StringMatcher { + option (udpa.annotations.versioning).previous_message_type = "envoy.type.matcher.StringMatcher"; + + reserved 4; + + reserved "regex"; + + oneof match_pattern { + option (validate.required) = true; + + // The input string must match exactly the string specified here. + // + // Examples: + // + // * ``abc`` only matches the value ``abc``. + string exact = 1; + + // The input string must have the prefix specified here. + // Note: empty prefix is not allowed, please use regex instead. + // + // Examples: + // + // * ``abc`` matches the value ``abc.xyz`` + string prefix = 2 [(validate.rules).string = {min_len: 1}]; + + // The input string must have the suffix specified here. + // Note: empty prefix is not allowed, please use regex instead. + // + // Examples: + // + // * ``abc`` matches the value ``xyz.abc`` + string suffix = 3 [(validate.rules).string = {min_len: 1}]; + + // The input string must match the regular expression specified here. + RegexMatcher safe_regex = 5 [(validate.rules).message = {required: true}]; + + // The input string must have the substring specified here. + // Note: empty contains match is not allowed, please use regex instead. + // + // Examples: + // + // * ``abc`` matches the value ``xyz.abc.def`` + string contains = 7 [(validate.rules).string = {min_len: 1}]; + } + + // If true, indicates the exact/prefix/suffix/contains matching should be case insensitive. This + // has no effect for the safe_regex match. + // For example, the matcher ``data`` will match both input string ``Data`` and ``data`` if set to true. + bool ignore_case = 6; +} + +// Specifies a list of ways to match a string. +message ListStringMatcher { + option (udpa.annotations.versioning).previous_message_type = + "envoy.type.matcher.ListStringMatcher"; + + repeated StringMatcher patterns = 1 [(validate.rules).repeated = {min_items: 1}]; +} diff --git a/src/main/proto/envoy/type/matcher/v3/struct.proto b/src/main/proto/envoy/type/matcher/v3/struct.proto new file mode 100644 index 0000000..1b96334 --- /dev/null +++ b/src/main/proto/envoy/type/matcher/v3/struct.proto @@ -0,0 +1,91 @@ +syntax = "proto3"; + +package envoy.type.matcher.v3; + +import "envoy/type/matcher/v3/value.proto"; + +import "udpa/annotations/status.proto"; +import "udpa/annotations/versioning.proto"; +import "validate/validate.proto"; + +option java_package = "io.envoyproxy.envoy.type.matcher.v3"; +option java_outer_classname = "StructProto"; +option java_multiple_files = true; +option go_package = "github.com/envoyproxy/go-control-plane/envoy/type/matcher/v3;matcherv3"; +option (udpa.annotations.file_status).package_version_status = ACTIVE; + +// [#protodoc-title: Struct matcher] + +// StructMatcher provides a general interface to check if a given value is matched in +// google.protobuf.Struct. It uses ``path`` to retrieve the value +// from the struct and then check if it's matched to the specified value. +// +// For example, for the following Struct: +// +// .. code-block:: yaml +// +// fields: +// a: +// struct_value: +// fields: +// b: +// struct_value: +// fields: +// c: +// string_value: pro +// t: +// list_value: +// values: +// - string_value: m +// - string_value: n +// +// The following MetadataMatcher is matched as the path [a, b, c] will retrieve a string value "pro" +// from the Metadata which is matched to the specified prefix match. +// +// .. code-block:: yaml +// +// path: +// - key: a +// - key: b +// - key: c +// value: +// string_match: +// prefix: pr +// +// The following StructMatcher is matched as the code will match one of the string values in the +// list at the path [a, t]. +// +// .. code-block:: yaml +// +// path: +// - key: a +// - key: t +// value: +// list_match: +// one_of: +// string_match: +// exact: m +// +// An example use of StructMatcher is to match metadata in envoy.v*.core.Node. +message StructMatcher { + option (udpa.annotations.versioning).previous_message_type = "envoy.type.matcher.StructMatcher"; + + // Specifies the segment in a path to retrieve value from Struct. + message PathSegment { + option (udpa.annotations.versioning).previous_message_type = + "envoy.type.matcher.StructMatcher.PathSegment"; + + oneof segment { + option (validate.required) = true; + + // If specified, use the key to retrieve the value in a Struct. + string key = 1 [(validate.rules).string = {min_len: 1}]; + } + } + + // The path to retrieve the Value from the Struct. + repeated PathSegment path = 2 [(validate.rules).repeated = {min_items: 1}]; + + // The StructMatcher is matched if the value retrieved by path is matched to this value. + ValueMatcher value = 3 [(validate.rules).message = {required: true}]; +} diff --git a/src/main/proto/envoy/type/matcher/v3/value.proto b/src/main/proto/envoy/type/matcher/v3/value.proto new file mode 100644 index 0000000..bd46acc --- /dev/null +++ b/src/main/proto/envoy/type/matcher/v3/value.proto @@ -0,0 +1,72 @@ +syntax = "proto3"; + +package envoy.type.matcher.v3; + +import "envoy/type/matcher/v3/number.proto"; +import "envoy/type/matcher/v3/string.proto"; + +import "udpa/annotations/status.proto"; +import "udpa/annotations/versioning.proto"; +import "validate/validate.proto"; + +option java_package = "io.envoyproxy.envoy.type.matcher.v3"; +option java_outer_classname = "ValueProto"; +option java_multiple_files = true; +option go_package = "github.com/envoyproxy/go-control-plane/envoy/type/matcher/v3;matcherv3"; +option (udpa.annotations.file_status).package_version_status = ACTIVE; + +// [#protodoc-title: Value matcher] + +// Specifies the way to match a ProtobufWkt::Value. Primitive values and ListValue are supported. +// StructValue is not supported and is always not matched. +// [#next-free-field: 7] +message ValueMatcher { + option (udpa.annotations.versioning).previous_message_type = "envoy.type.matcher.ValueMatcher"; + + // NullMatch is an empty message to specify a null value. + message NullMatch { + option (udpa.annotations.versioning).previous_message_type = + "envoy.type.matcher.ValueMatcher.NullMatch"; + } + + // Specifies how to match a value. + oneof match_pattern { + option (validate.required) = true; + + // If specified, a match occurs if and only if the target value is a NullValue. + NullMatch null_match = 1; + + // If specified, a match occurs if and only if the target value is a double value and is + // matched to this field. + DoubleMatcher double_match = 2; + + // If specified, a match occurs if and only if the target value is a string value and is + // matched to this field. + StringMatcher string_match = 3; + + // If specified, a match occurs if and only if the target value is a bool value and is equal + // to this field. + bool bool_match = 4; + + // If specified, value match will be performed based on whether the path is referring to a + // valid primitive value in the metadata. If the path is referring to a non-primitive value, + // the result is always not matched. + bool present_match = 5; + + // If specified, a match occurs if and only if the target value is a list value and + // is matched to this field. + ListMatcher list_match = 6; + } +} + +// Specifies the way to match a list value. +message ListMatcher { + option (udpa.annotations.versioning).previous_message_type = "envoy.type.matcher.ListMatcher"; + + oneof match_pattern { + option (validate.required) = true; + + // If specified, at least one of the values in the list must match the value specified. + ValueMatcher one_of = 1; + } +} diff --git a/src/main/proto/envoy/type/matcher/value.proto b/src/main/proto/envoy/type/matcher/value.proto new file mode 100644 index 0000000..89d341b --- /dev/null +++ b/src/main/proto/envoy/type/matcher/value.proto @@ -0,0 +1,65 @@ +syntax = "proto3"; + +package envoy.type.matcher; + +import "envoy/type/matcher/number.proto"; +import "envoy/type/matcher/string.proto"; + +import "udpa/annotations/status.proto"; +import "validate/validate.proto"; + +option java_package = "io.envoyproxy.envoy.type.matcher"; +option java_outer_classname = "ValueProto"; +option java_multiple_files = true; +option go_package = "github.com/envoyproxy/go-control-plane/envoy/type/matcher"; +option (udpa.annotations.file_status).package_version_status = FROZEN; + +// [#protodoc-title: Value matcher] + +// Specifies the way to match a ProtobufWkt::Value. Primitive values and ListValue are supported. +// StructValue is not supported and is always not matched. +// [#next-free-field: 7] +message ValueMatcher { + // NullMatch is an empty message to specify a null value. + message NullMatch { + } + + // Specifies how to match a value. + oneof match_pattern { + option (validate.required) = true; + + // If specified, a match occurs if and only if the target value is a NullValue. + NullMatch null_match = 1; + + // If specified, a match occurs if and only if the target value is a double value and is + // matched to this field. + DoubleMatcher double_match = 2; + + // If specified, a match occurs if and only if the target value is a string value and is + // matched to this field. + StringMatcher string_match = 3; + + // If specified, a match occurs if and only if the target value is a bool value and is equal + // to this field. + bool bool_match = 4; + + // If specified, value match will be performed based on whether the path is referring to a + // valid primitive value in the metadata. If the path is referring to a non-primitive value, + // the result is always not matched. + bool present_match = 5; + + // If specified, a match occurs if and only if the target value is a list value and + // is matched to this field. + ListMatcher list_match = 6; + } +} + +// Specifies the way to match a list value. +message ListMatcher { + oneof match_pattern { + option (validate.required) = true; + + // If specified, at least one of the values in the list must match the value specified. + ValueMatcher one_of = 1; + } +} diff --git a/src/main/proto/envoy/type/metadata/v2/BUILD b/src/main/proto/envoy/type/metadata/v2/BUILD new file mode 100644 index 0000000..ee92fb6 --- /dev/null +++ b/src/main/proto/envoy/type/metadata/v2/BUILD @@ -0,0 +1,9 @@ +# DO NOT EDIT. This file is generated by tools/proto_format/proto_sync.py. + +load("@envoy_api//bazel:api_build_system.bzl", "api_proto_package") + +licenses(["notice"]) # Apache 2 + +api_proto_package( + deps = ["@com_github_cncf_udpa//udpa/annotations:pkg"], +) diff --git a/src/main/proto/envoy/type/metadata/v2/metadata.proto b/src/main/proto/envoy/type/metadata/v2/metadata.proto new file mode 100644 index 0000000..75f0250 --- /dev/null +++ b/src/main/proto/envoy/type/metadata/v2/metadata.proto @@ -0,0 +1,100 @@ +syntax = "proto3"; + +package envoy.type.metadata.v2; + +import "udpa/annotations/migrate.proto"; +import "udpa/annotations/status.proto"; +import "validate/validate.proto"; + +option java_package = "io.envoyproxy.envoy.type.metadata.v2"; +option java_outer_classname = "MetadataProto"; +option java_multiple_files = true; +option go_package = "github.com/envoyproxy/go-control-plane/envoy/type/metadata/v2;metadatav2"; +option (udpa.annotations.file_migrate).move_to_package = "envoy.type.metadata.v3"; +option (udpa.annotations.file_status).package_version_status = FROZEN; + +// [#protodoc-title: Metadata] + +// MetadataKey provides a general interface using `key` and `path` to retrieve value from +// :ref:`Metadata `. +// +// For example, for the following Metadata: +// +// .. code-block:: yaml +// +// filter_metadata: +// envoy.xxx: +// prop: +// foo: bar +// xyz: +// hello: envoy +// +// The following MetadataKey will retrieve a string value "bar" from the Metadata. +// +// .. code-block:: yaml +// +// key: envoy.xxx +// path: +// - key: prop +// - key: foo +// +message MetadataKey { + // Specifies the segment in a path to retrieve value from Metadata. + // Currently it is only supported to specify the key, i.e. field name, as one segment of a path. + message PathSegment { + oneof segment { + option (validate.required) = true; + + // If specified, use the key to retrieve the value in a Struct. + string key = 1 [(validate.rules).string = {min_bytes: 1}]; + } + } + + // The key name of Metadata to retrieve the Struct from the metadata. + // Typically, it represents a builtin subsystem or custom extension. + string key = 1 [(validate.rules).string = {min_bytes: 1}]; + + // The path to retrieve the Value from the Struct. It can be a prefix or a full path, + // e.g. ``[prop, xyz]`` for a struct or ``[prop, foo]`` for a string in the example, + // which depends on the particular scenario. + // + // Note: Due to that only the key type segment is supported, the path can not specify a list + // unless the list is the last segment. + repeated PathSegment path = 2 [(validate.rules).repeated = {min_items: 1}]; +} + +// Describes what kind of metadata. +message MetadataKind { + // Represents dynamic metadata associated with the request. + message Request { + } + + // Represents metadata from :ref:`the route`. + message Route { + } + + // Represents metadata from :ref:`the upstream cluster`. + message Cluster { + } + + // Represents metadata from :ref:`the upstream + // host`. + message Host { + } + + oneof kind { + option (validate.required) = true; + + // Request kind of metadata. + Request request = 1; + + // Route kind of metadata. + Route route = 2; + + // Cluster kind of metadata. + Cluster cluster = 3; + + // Host kind of metadata. + Host host = 4; + } +} diff --git a/src/main/proto/envoy/type/metadata/v3/BUILD b/src/main/proto/envoy/type/metadata/v3/BUILD new file mode 100644 index 0000000..ee92fb6 --- /dev/null +++ b/src/main/proto/envoy/type/metadata/v3/BUILD @@ -0,0 +1,9 @@ +# DO NOT EDIT. This file is generated by tools/proto_format/proto_sync.py. + +load("@envoy_api//bazel:api_build_system.bzl", "api_proto_package") + +licenses(["notice"]) # Apache 2 + +api_proto_package( + deps = ["@com_github_cncf_udpa//udpa/annotations:pkg"], +) diff --git a/src/main/proto/envoy/type/metadata/v3/metadata.proto b/src/main/proto/envoy/type/metadata/v3/metadata.proto new file mode 100644 index 0000000..2075857 --- /dev/null +++ b/src/main/proto/envoy/type/metadata/v3/metadata.proto @@ -0,0 +1,115 @@ +syntax = "proto3"; + +package envoy.type.metadata.v3; + +import "udpa/annotations/status.proto"; +import "udpa/annotations/versioning.proto"; +import "validate/validate.proto"; + +option java_package = "io.envoyproxy.envoy.type.metadata.v3"; +option java_outer_classname = "MetadataProto"; +option java_multiple_files = true; +option go_package = "github.com/envoyproxy/go-control-plane/envoy/type/metadata/v3;metadatav3"; +option (udpa.annotations.file_status).package_version_status = ACTIVE; + +// [#protodoc-title: Metadata] + +// MetadataKey provides a general interface using ``key`` and ``path`` to retrieve value from +// :ref:`Metadata `. +// +// For example, for the following Metadata: +// +// .. code-block:: yaml +// +// filter_metadata: +// envoy.xxx: +// prop: +// foo: bar +// xyz: +// hello: envoy +// +// The following MetadataKey will retrieve a string value "bar" from the Metadata. +// +// .. code-block:: yaml +// +// key: envoy.xxx +// path: +// - key: prop +// - key: foo +// +message MetadataKey { + option (udpa.annotations.versioning).previous_message_type = "envoy.type.metadata.v2.MetadataKey"; + + // Specifies the segment in a path to retrieve value from Metadata. + // Currently it is only supported to specify the key, i.e. field name, as one segment of a path. + message PathSegment { + option (udpa.annotations.versioning).previous_message_type = + "envoy.type.metadata.v2.MetadataKey.PathSegment"; + + oneof segment { + option (validate.required) = true; + + // If specified, use the key to retrieve the value in a Struct. + string key = 1 [(validate.rules).string = {min_len: 1}]; + } + } + + // The key name of Metadata to retrieve the Struct from the metadata. + // Typically, it represents a builtin subsystem or custom extension. + string key = 1 [(validate.rules).string = {min_len: 1}]; + + // The path to retrieve the Value from the Struct. It can be a prefix or a full path, + // e.g. ``[prop, xyz]`` for a struct or ``[prop, foo]`` for a string in the example, + // which depends on the particular scenario. + // + // Note: Due to that only the key type segment is supported, the path can not specify a list + // unless the list is the last segment. + repeated PathSegment path = 2 [(validate.rules).repeated = {min_items: 1}]; +} + +// Describes what kind of metadata. +message MetadataKind { + option (udpa.annotations.versioning).previous_message_type = + "envoy.type.metadata.v2.MetadataKind"; + + // Represents dynamic metadata associated with the request. + message Request { + option (udpa.annotations.versioning).previous_message_type = + "envoy.type.metadata.v2.MetadataKind.Request"; + } + + // Represents metadata from :ref:`the route`. + message Route { + option (udpa.annotations.versioning).previous_message_type = + "envoy.type.metadata.v2.MetadataKind.Route"; + } + + // Represents metadata from :ref:`the upstream cluster`. + message Cluster { + option (udpa.annotations.versioning).previous_message_type = + "envoy.type.metadata.v2.MetadataKind.Cluster"; + } + + // Represents metadata from :ref:`the upstream + // host`. + message Host { + option (udpa.annotations.versioning).previous_message_type = + "envoy.type.metadata.v2.MetadataKind.Host"; + } + + oneof kind { + option (validate.required) = true; + + // Request kind of metadata. + Request request = 1; + + // Route kind of metadata. + Route route = 2; + + // Cluster kind of metadata. + Cluster cluster = 3; + + // Host kind of metadata. + Host host = 4; + } +} diff --git a/src/main/proto/envoy/type/range.proto b/src/main/proto/envoy/type/range.proto new file mode 100644 index 0000000..9e66e6f --- /dev/null +++ b/src/main/proto/envoy/type/range.proto @@ -0,0 +1,43 @@ +syntax = "proto3"; + +package envoy.type; + +import "udpa/annotations/status.proto"; + +option java_package = "io.envoyproxy.envoy.type"; +option java_outer_classname = "RangeProto"; +option java_multiple_files = true; +option go_package = "github.com/envoyproxy/go-control-plane/envoy/type"; +option (udpa.annotations.file_status).package_version_status = FROZEN; + +// [#protodoc-title: Range] + +// Specifies the int64 start and end of the range using half-open interval semantics [start, +// end). +message Int64Range { + // start of the range (inclusive) + int64 start = 1; + + // end of the range (exclusive) + int64 end = 2; +} + +// Specifies the int32 start and end of the range using half-open interval semantics [start, +// end). +message Int32Range { + // start of the range (inclusive) + int32 start = 1; + + // end of the range (exclusive) + int32 end = 2; +} + +// Specifies the double start and end of the range using half-open interval semantics [start, +// end). +message DoubleRange { + // start of the range (inclusive) + double start = 1; + + // end of the range (exclusive) + double end = 2; +} diff --git a/src/main/proto/envoy/type/tracing/v2/BUILD b/src/main/proto/envoy/type/tracing/v2/BUILD new file mode 100644 index 0000000..aa64935 --- /dev/null +++ b/src/main/proto/envoy/type/tracing/v2/BUILD @@ -0,0 +1,12 @@ +# DO NOT EDIT. This file is generated by tools/proto_format/proto_sync.py. + +load("@envoy_api//bazel:api_build_system.bzl", "api_proto_package") + +licenses(["notice"]) # Apache 2 + +api_proto_package( + deps = [ + "//envoy/type/metadata/v2:pkg", + "@com_github_cncf_udpa//udpa/annotations:pkg", + ], +) diff --git a/src/main/proto/envoy/type/tracing/v2/custom_tag.proto b/src/main/proto/envoy/type/tracing/v2/custom_tag.proto new file mode 100644 index 0000000..c37b662 --- /dev/null +++ b/src/main/proto/envoy/type/tracing/v2/custom_tag.proto @@ -0,0 +1,87 @@ +syntax = "proto3"; + +package envoy.type.tracing.v2; + +import "envoy/type/metadata/v2/metadata.proto"; + +import "udpa/annotations/status.proto"; +import "validate/validate.proto"; + +option java_package = "io.envoyproxy.envoy.type.tracing.v2"; +option java_outer_classname = "CustomTagProto"; +option java_multiple_files = true; +option go_package = "github.com/envoyproxy/go-control-plane/envoy/type/tracing/v2;tracingv2"; +option (udpa.annotations.file_status).package_version_status = FROZEN; + +// [#protodoc-title: Custom Tag] + +// Describes custom tags for the active span. +// [#next-free-field: 6] +message CustomTag { + // Literal type custom tag with static value for the tag value. + message Literal { + // Static literal value to populate the tag value. + string value = 1 [(validate.rules).string = {min_bytes: 1}]; + } + + // Environment type custom tag with environment name and default value. + message Environment { + // Environment variable name to obtain the value to populate the tag value. + string name = 1 [(validate.rules).string = {min_bytes: 1}]; + + // When the environment variable is not found, + // the tag value will be populated with this default value if specified, + // otherwise no tag will be populated. + string default_value = 2; + } + + // Header type custom tag with header name and default value. + message Header { + // Header name to obtain the value to populate the tag value. + string name = 1 + [(validate.rules).string = {min_bytes: 1 well_known_regex: HTTP_HEADER_NAME strict: false}]; + + // When the header does not exist, + // the tag value will be populated with this default value if specified, + // otherwise no tag will be populated. + string default_value = 2; + } + + // Metadata type custom tag using + // :ref:`MetadataKey ` to retrieve the protobuf value + // from :ref:`Metadata `, and populate the tag value with + // `the canonical JSON `_ + // representation of it. + message Metadata { + // Specify what kind of metadata to obtain tag value from. + metadata.v2.MetadataKind kind = 1; + + // Metadata key to define the path to retrieve the tag value. + metadata.v2.MetadataKey metadata_key = 2; + + // When no valid metadata is found, + // the tag value would be populated with this default value if specified, + // otherwise no tag would be populated. + string default_value = 3; + } + + // Used to populate the tag name. + string tag = 1 [(validate.rules).string = {min_bytes: 1}]; + + // Used to specify what kind of custom tag. + oneof type { + option (validate.required) = true; + + // A literal custom tag. + Literal literal = 2; + + // An environment custom tag. + Environment environment = 3; + + // A request header custom tag. + Header request_header = 4; + + // A custom tag to obtain tag value from the metadata. + Metadata metadata = 5; + } +} diff --git a/src/main/proto/envoy/type/tracing/v3/BUILD b/src/main/proto/envoy/type/tracing/v3/BUILD new file mode 100644 index 0000000..c797ae6 --- /dev/null +++ b/src/main/proto/envoy/type/tracing/v3/BUILD @@ -0,0 +1,12 @@ +# DO NOT EDIT. This file is generated by tools/proto_format/proto_sync.py. + +load("@envoy_api//bazel:api_build_system.bzl", "api_proto_package") + +licenses(["notice"]) # Apache 2 + +api_proto_package( + deps = [ + "//envoy/type/metadata/v3:pkg", + "@com_github_cncf_udpa//udpa/annotations:pkg", + ], +) diff --git a/src/main/proto/envoy/type/tracing/v3/custom_tag.proto b/src/main/proto/envoy/type/tracing/v3/custom_tag.proto new file mode 100644 index 0000000..feb57e8 --- /dev/null +++ b/src/main/proto/envoy/type/tracing/v3/custom_tag.proto @@ -0,0 +1,102 @@ +syntax = "proto3"; + +package envoy.type.tracing.v3; + +import "envoy/type/metadata/v3/metadata.proto"; + +import "udpa/annotations/status.proto"; +import "udpa/annotations/versioning.proto"; +import "validate/validate.proto"; + +option java_package = "io.envoyproxy.envoy.type.tracing.v3"; +option java_outer_classname = "CustomTagProto"; +option java_multiple_files = true; +option go_package = "github.com/envoyproxy/go-control-plane/envoy/type/tracing/v3;tracingv3"; +option (udpa.annotations.file_status).package_version_status = ACTIVE; + +// [#protodoc-title: Custom Tag] + +// Describes custom tags for the active span. +// [#next-free-field: 6] +message CustomTag { + option (udpa.annotations.versioning).previous_message_type = "envoy.type.tracing.v2.CustomTag"; + + // Literal type custom tag with static value for the tag value. + message Literal { + option (udpa.annotations.versioning).previous_message_type = + "envoy.type.tracing.v2.CustomTag.Literal"; + + // Static literal value to populate the tag value. + string value = 1 [(validate.rules).string = {min_len: 1}]; + } + + // Environment type custom tag with environment name and default value. + message Environment { + option (udpa.annotations.versioning).previous_message_type = + "envoy.type.tracing.v2.CustomTag.Environment"; + + // Environment variable name to obtain the value to populate the tag value. + string name = 1 [(validate.rules).string = {min_len: 1}]; + + // When the environment variable is not found, + // the tag value will be populated with this default value if specified, + // otherwise no tag will be populated. + string default_value = 2; + } + + // Header type custom tag with header name and default value. + message Header { + option (udpa.annotations.versioning).previous_message_type = + "envoy.type.tracing.v2.CustomTag.Header"; + + // Header name to obtain the value to populate the tag value. + string name = 1 + [(validate.rules).string = {min_len: 1 well_known_regex: HTTP_HEADER_NAME strict: false}]; + + // When the header does not exist, + // the tag value will be populated with this default value if specified, + // otherwise no tag will be populated. + string default_value = 2; + } + + // Metadata type custom tag using + // :ref:`MetadataKey ` to retrieve the protobuf value + // from :ref:`Metadata `, and populate the tag value with + // `the canonical JSON `_ + // representation of it. + message Metadata { + option (udpa.annotations.versioning).previous_message_type = + "envoy.type.tracing.v2.CustomTag.Metadata"; + + // Specify what kind of metadata to obtain tag value from. + metadata.v3.MetadataKind kind = 1; + + // Metadata key to define the path to retrieve the tag value. + metadata.v3.MetadataKey metadata_key = 2; + + // When no valid metadata is found, + // the tag value would be populated with this default value if specified, + // otherwise no tag would be populated. + string default_value = 3; + } + + // Used to populate the tag name. + string tag = 1 [(validate.rules).string = {min_len: 1}]; + + // Used to specify what kind of custom tag. + oneof type { + option (validate.required) = true; + + // A literal custom tag. + Literal literal = 2; + + // An environment custom tag. + Environment environment = 3; + + // A request header custom tag. + Header request_header = 4; + + // A custom tag to obtain tag value from the metadata. + Metadata metadata = 5; + } +} diff --git a/src/main/proto/envoy/type/v3/http.proto b/src/main/proto/envoy/type/v3/http.proto new file mode 100644 index 0000000..2018b8a --- /dev/null +++ b/src/main/proto/envoy/type/v3/http.proto @@ -0,0 +1,20 @@ +syntax = "proto3"; + +package envoy.type.v3; + +option java_package = "io.envoyproxy.envoy.type.v3"; +option java_outer_classname = "HttpProto"; +option java_multiple_files = true; + +// [#protodoc-title: HTTP] + +enum CodecClientType { + HTTP1 = 0; + + HTTP2 = 1; + + // [#not-implemented-hide:] QUIC implementation is not production ready yet. Use this enum with + // caution to prevent accidental execution of QUIC code. I.e. `!= HTTP2` is no longer sufficient + // to distinguish HTTP1 and HTTP2 traffic. + HTTP3 = 2; +} diff --git a/src/main/proto/envoy/type/v3/percent.proto b/src/main/proto/envoy/type/v3/percent.proto new file mode 100644 index 0000000..e041ecd --- /dev/null +++ b/src/main/proto/envoy/type/v3/percent.proto @@ -0,0 +1,57 @@ +syntax = "proto3"; + +package envoy.type.v3; + +import "udpa/annotations/status.proto"; +import "udpa/annotations/versioning.proto"; +import "validate/validate.proto"; + +option java_package = "io.envoyproxy.envoy.type.v3"; +option java_outer_classname = "PercentProto"; +option java_multiple_files = true; +option go_package = "github.com/envoyproxy/go-control-plane/envoy/type/v3;typev3"; +option (udpa.annotations.file_status).package_version_status = ACTIVE; + +// [#protodoc-title: Percent] + +// Identifies a percentage, in the range [0.0, 100.0]. +message Percent { + option (udpa.annotations.versioning).previous_message_type = "envoy.type.Percent"; + + double value = 1 [(validate.rules).double = {lte: 100.0 gte: 0.0}]; +} + +// A fractional percentage is used in cases in which for performance reasons performing floating +// point to integer conversions during randomness calculations is undesirable. The message includes +// both a numerator and denominator that together determine the final fractional value. +// +// * **Example**: 1/100 = 1%. +// * **Example**: 3/10000 = 0.03%. +message FractionalPercent { + option (udpa.annotations.versioning).previous_message_type = "envoy.type.FractionalPercent"; + + // Fraction percentages support several fixed denominator values. + enum DenominatorType { + // 100. + // + // **Example**: 1/100 = 1%. + HUNDRED = 0; + + // 10,000. + // + // **Example**: 1/10000 = 0.01%. + TEN_THOUSAND = 1; + + // 1,000,000. + // + // **Example**: 1/1000000 = 0.0001%. + MILLION = 2; + } + + // Specifies the numerator. Defaults to 0. + uint32 numerator = 1; + + // Specifies the denominator. If the denominator specified is less than the numerator, the final + // fractional percentage is capped at 1 (100%). + DenominatorType denominator = 2 [(validate.rules).enum = {defined_only: true}]; +} diff --git a/src/main/proto/envoy/type/v3/range.proto b/src/main/proto/envoy/type/v3/range.proto new file mode 100644 index 0000000..3b1af81 --- /dev/null +++ b/src/main/proto/envoy/type/v3/range.proto @@ -0,0 +1,50 @@ +syntax = "proto3"; + +package envoy.type.v3; + +import "udpa/annotations/status.proto"; +import "udpa/annotations/versioning.proto"; + +option java_package = "io.envoyproxy.envoy.type.v3"; +option java_outer_classname = "RangeProto"; +option java_multiple_files = true; +option go_package = "github.com/envoyproxy/go-control-plane/envoy/type/v3;typev3"; +option (udpa.annotations.file_status).package_version_status = ACTIVE; + +// [#protodoc-title: Range] + +// Specifies the int64 start and end of the range using half-open interval semantics [start, +// end). +message Int64Range { + option (udpa.annotations.versioning).previous_message_type = "envoy.type.Int64Range"; + + // start of the range (inclusive) + int64 start = 1; + + // end of the range (exclusive) + int64 end = 2; +} + +// Specifies the int32 start and end of the range using half-open interval semantics [start, +// end). +message Int32Range { + option (udpa.annotations.versioning).previous_message_type = "envoy.type.Int32Range"; + + // start of the range (inclusive) + int32 start = 1; + + // end of the range (exclusive) + int32 end = 2; +} + +// Specifies the double start and end of the range using half-open interval semantics [start, +// end). +message DoubleRange { + option (udpa.annotations.versioning).previous_message_type = "envoy.type.DoubleRange"; + + // start of the range (inclusive) + double start = 1; + + // end of the range (exclusive) + double end = 2; +} diff --git a/src/main/proto/envoy/type/v3/semantic_version.proto b/src/main/proto/envoy/type/v3/semantic_version.proto new file mode 100644 index 0000000..e032b4c --- /dev/null +++ b/src/main/proto/envoy/type/v3/semantic_version.proto @@ -0,0 +1,27 @@ +syntax = "proto3"; + +package envoy.type.v3; + +import "udpa/annotations/status.proto"; +import "udpa/annotations/versioning.proto"; + +option java_package = "io.envoyproxy.envoy.type.v3"; +option java_outer_classname = "SemanticVersionProto"; +option java_multiple_files = true; +option go_package = "github.com/envoyproxy/go-control-plane/envoy/type/v3;typev3"; +option (udpa.annotations.file_status).package_version_status = ACTIVE; + +// [#protodoc-title: Semantic version] + +// Envoy uses SemVer (https://semver.org/). Major/minor versions indicate +// expected behaviors and APIs, the patch version field is used only +// for security fixes and can be generally ignored. +message SemanticVersion { + option (udpa.annotations.versioning).previous_message_type = "envoy.type.SemanticVersion"; + + uint32 major_number = 1; + + uint32 minor_number = 2; + + uint32 patch = 3; +} diff --git a/src/main/proto/udpa/annotations/BUILD b/src/main/proto/udpa/annotations/BUILD new file mode 100644 index 0000000..1e79479 --- /dev/null +++ b/src/main/proto/udpa/annotations/BUILD @@ -0,0 +1,5 @@ +load("//bazel:api_build_system.bzl", "xds_proto_package") + +licenses(["notice"]) # Apache 2 + +xds_proto_package() diff --git a/src/main/proto/udpa/annotations/migrate.proto b/src/main/proto/udpa/annotations/migrate.proto new file mode 100644 index 0000000..5f5f389 --- /dev/null +++ b/src/main/proto/udpa/annotations/migrate.proto @@ -0,0 +1,55 @@ +// THIS FILE IS DEPRECATED +// Users should instead use the corresponding proto in the xds tree. +// No new changes will be accepted here. + +syntax = "proto3"; + +package udpa.annotations; + +import "google/protobuf/descriptor.proto"; + +option go_package = "github.com/cncf/xds/go/udpa/annotations"; + +// Magic number in this file derived from top 28bit of SHA256 digest of +// "udpa.annotation.migrate". + +extend google.protobuf.MessageOptions { + MigrateAnnotation message_migrate = 171962766; +} + +extend google.protobuf.FieldOptions { + FieldMigrateAnnotation field_migrate = 171962766; +} + +extend google.protobuf.EnumOptions { + MigrateAnnotation enum_migrate = 171962766; +} + +extend google.protobuf.EnumValueOptions { + MigrateAnnotation enum_value_migrate = 171962766; +} + +extend google.protobuf.FileOptions { + FileMigrateAnnotation file_migrate = 171962766; +} + +message MigrateAnnotation { + // Rename the message/enum/enum value in next version. + string rename = 1; +} + +message FieldMigrateAnnotation { + // Rename the field in next version. + string rename = 1; + + // Add the field to a named oneof in next version. If this already exists, the + // field will join its siblings under the oneof, otherwise a new oneof will be + // created with the given name. + string oneof_promotion = 2; +} + +message FileMigrateAnnotation { + // Move all types in the file to another package, this implies changing proto + // file path. + string move_to_package = 2; +} diff --git a/src/main/proto/udpa/annotations/security.proto b/src/main/proto/udpa/annotations/security.proto new file mode 100644 index 0000000..0ef9197 --- /dev/null +++ b/src/main/proto/udpa/annotations/security.proto @@ -0,0 +1,34 @@ +// THIS FILE IS DEPRECATED +// Users should instead use the corresponding proto in the xds tree. +// No new changes will be accepted here. + +syntax = "proto3"; + +package udpa.annotations; + +import "udpa/annotations/status.proto"; + +import "google/protobuf/descriptor.proto"; + +option go_package = "github.com/cncf/xds/go/udpa/annotations"; + +// All annotations in this file are experimental and subject to change. Their +// only consumer today is the Envoy APIs and SecuritAnnotationValidator protoc +// plugin in this repository. +option (udpa.annotations.file_status).work_in_progress = true; + +extend google.protobuf.FieldOptions { + // Magic number is the 28 most significant bits in the sha256sum of + // "udpa.annotations.security". + FieldSecurityAnnotation security = 11122993; +} + +// These annotations indicate metadata for the purpose of understanding the +// security significance of fields. +message FieldSecurityAnnotation { + // Field should be set in the presence of untrusted downstreams. + bool configure_for_untrusted_downstream = 1; + + // Field should be set in the presence of untrusted upstreams. + bool configure_for_untrusted_upstream = 2; +} diff --git a/src/main/proto/udpa/annotations/sensitive.proto b/src/main/proto/udpa/annotations/sensitive.proto new file mode 100644 index 0000000..c7d8af6 --- /dev/null +++ b/src/main/proto/udpa/annotations/sensitive.proto @@ -0,0 +1,20 @@ +// THIS FILE IS DEPRECATED +// Users should instead use the corresponding proto in the xds tree. +// No new changes will be accepted here. + +syntax = "proto3"; + +package udpa.annotations; + +import "google/protobuf/descriptor.proto"; + +option go_package = "github.com/cncf/xds/go/udpa/annotations"; + +extend google.protobuf.FieldOptions { + // Magic number is the 28 most significant bits in the sha256sum of "udpa.annotations.sensitive". + // When set to true, `sensitive` indicates that this field contains sensitive data, such as + // personally identifiable information, passwords, or private keys, and should be redacted for + // display by tools aware of this annotation. Note that that this has no effect on standard + // Protobuf functions such as `TextFormat::PrintToString`. + bool sensitive = 76569463; +} diff --git a/src/main/proto/udpa/annotations/status.proto b/src/main/proto/udpa/annotations/status.proto new file mode 100644 index 0000000..5a90bde --- /dev/null +++ b/src/main/proto/udpa/annotations/status.proto @@ -0,0 +1,40 @@ +// THIS FILE IS DEPRECATED +// Users should instead use the corresponding proto in the xds tree. +// No new changes will be accepted here. + +syntax = "proto3"; + +package udpa.annotations; + +import "google/protobuf/descriptor.proto"; + +option go_package = "github.com/cncf/xds/go/udpa/annotations"; + +// Magic number in this file derived from top 28bit of SHA256 digest of +// "udpa.annotation.status". +extend google.protobuf.FileOptions { + StatusAnnotation file_status = 222707719; +} + +enum PackageVersionStatus { + // Unknown package version status. + UNKNOWN = 0; + + // This version of the package is frozen. + FROZEN = 1; + + // This version of the package is the active development version. + ACTIVE = 2; + + // This version of the package is the candidate for the next major version. It + // is typically machine generated from the active development version. + NEXT_MAJOR_VERSION_CANDIDATE = 3; +} + +message StatusAnnotation { + // The entity is work-in-progress and subject to breaking changes. + bool work_in_progress = 1; + + // The entity belongs to a package with the given version status. + PackageVersionStatus package_version_status = 2; +} diff --git a/src/main/proto/udpa/annotations/versioning.proto b/src/main/proto/udpa/annotations/versioning.proto new file mode 100644 index 0000000..06df78d --- /dev/null +++ b/src/main/proto/udpa/annotations/versioning.proto @@ -0,0 +1,23 @@ +// THIS FILE IS DEPRECATED +// Users should instead use the corresponding proto in the xds tree. +// No new changes will be accepted here. + +syntax = "proto3"; + +package udpa.annotations; + +import "google/protobuf/descriptor.proto"; + +option go_package = "github.com/cncf/xds/go/udpa/annotations"; + +extend google.protobuf.MessageOptions { + // Magic number derived from 0x78 ('x') 0x44 ('D') 0x53 ('S') + VersioningAnnotation versioning = 7881811; +} + +message VersioningAnnotation { + // Track the previous message type. E.g. this message might be + // udpa.foo.v3alpha.Foo and it was previously udpa.bar.v2.Bar. This + // information is consumed by UDPA via proto descriptors. + string previous_message_type = 1; +} diff --git a/src/main/proto/xds/annotations/v3/status.proto b/src/main/proto/xds/annotations/v3/status.proto new file mode 100644 index 0000000..367e784 --- /dev/null +++ b/src/main/proto/xds/annotations/v3/status.proto @@ -0,0 +1,59 @@ +syntax = "proto3"; + +package xds.annotations.v3; + +import "google/protobuf/descriptor.proto"; + +option go_package = "github.com/cncf/xds/go/xds/annotations/v3"; + +// Magic number in this file derived from top 28bit of SHA256 digest of +// "xds.annotations.v3.status". +extend google.protobuf.FileOptions { + FileStatusAnnotation file_status = 226829418; +} + +extend google.protobuf.MessageOptions { + MessageStatusAnnotation message_status = 226829418; +} + +extend google.protobuf.FieldOptions { + FieldStatusAnnotation field_status = 226829418; +} + +message FileStatusAnnotation { + // The entity is work-in-progress and subject to breaking changes. + bool work_in_progress = 1; +} + +message MessageStatusAnnotation { + // The entity is work-in-progress and subject to breaking changes. + bool work_in_progress = 1; +} + +message FieldStatusAnnotation { + // The entity is work-in-progress and subject to breaking changes. + bool work_in_progress = 1; +} + +enum PackageVersionStatus { + // Unknown package version status. + UNKNOWN = 0; + + // This version of the package is frozen. + FROZEN = 1; + + // This version of the package is the active development version. + ACTIVE = 2; + + // This version of the package is the candidate for the next major version. It + // is typically machine generated from the active development version. + NEXT_MAJOR_VERSION_CANDIDATE = 3; +} + +message StatusAnnotation { + // The entity is work-in-progress and subject to breaking changes. + bool work_in_progress = 1; + + // The entity belongs to a package with the given version status. + PackageVersionStatus package_version_status = 2; +} diff --git a/src/main/proto/xds/core/v3/authority.proto b/src/main/proto/xds/core/v3/authority.proto new file mode 100644 index 0000000..d666c38 --- /dev/null +++ b/src/main/proto/xds/core/v3/authority.proto @@ -0,0 +1,22 @@ +syntax = "proto3"; + +package xds.core.v3; + +import "xds/annotations/v3/status.proto"; + +import "validate/validate.proto"; + +option java_outer_classname = "AuthorityProto"; +option java_multiple_files = true; +option java_package = "com.github.xds.core.v3"; +option go_package = "github.com/cncf/xds/go/xds/core/v3"; + +option (xds.annotations.v3.file_status).work_in_progress = true; + +// xDS authority information. +message Authority { + string name = 1 [(validate.rules).string = {min_len: 1}]; + + // .. space reserved for additional authority addressing information, e.g. for + // resource signing, items such as CA trust chain, cert pinning may be added. +} diff --git a/src/main/proto/xds/core/v3/context_params.proto b/src/main/proto/xds/core/v3/context_params.proto new file mode 100644 index 0000000..a42c7a8 --- /dev/null +++ b/src/main/proto/xds/core/v3/context_params.proto @@ -0,0 +1,23 @@ +syntax = "proto3"; + +package xds.core.v3; + +import "xds/annotations/v3/status.proto"; + +option java_outer_classname = "ContextParamsProto"; +option java_multiple_files = true; +option java_package = "com.github.xds.core.v3"; +option go_package = "github.com/cncf/xds/go/xds/core/v3"; + +option (xds.annotations.v3.file_status).work_in_progress = true; + +// Additional parameters that can be used to select resource variants. These include any +// global context parameters, per-resource type client feature capabilities and per-resource +// type functional attributes. All per-resource type attributes will be `xds.resource.` +// prefixed and some of these are documented below: +// +// `xds.resource.listening_address`: The value is "IP:port" (e.g. "10.1.1.3:8080") which is +// the listening address of a Listener. Used in a Listener resource query. +message ContextParams { + map params = 1; +} diff --git a/src/main/proto/xds/core/v3/extension.proto b/src/main/proto/xds/core/v3/extension.proto new file mode 100644 index 0000000..dd489eb --- /dev/null +++ b/src/main/proto/xds/core/v3/extension.proto @@ -0,0 +1,26 @@ +syntax = "proto3"; + +package xds.core.v3; + +option java_outer_classname = "ExtensionProto"; +option java_multiple_files = true; +option java_package = "com.github.xds.core.v3"; +option go_package = "github.com/cncf/xds/go/xds/core/v3"; + +import "validate/validate.proto"; +import "google/protobuf/any.proto"; + +// Message type for extension configuration. +message TypedExtensionConfig { + // The name of an extension. This is not used to select the extension, instead + // it serves the role of an opaque identifier. + string name = 1 [(validate.rules).string = {min_len: 1}]; + + // The typed config for the extension. The type URL will be used to identify + // the extension. In the case that the type URL is *xds.type.v3.TypedStruct* + // (or, for historical reasons, *udpa.type.v1.TypedStruct*), the inner type + // URL of *TypedStruct* will be utilized. See the + // :ref:`extension configuration overview + // ` for further details. + google.protobuf.Any typed_config = 2 [(validate.rules).any = {required: true}]; +} diff --git a/src/main/proto/xds/type/matcher/v3/matcher.proto b/src/main/proto/xds/type/matcher/v3/matcher.proto new file mode 100644 index 0000000..4966b45 --- /dev/null +++ b/src/main/proto/xds/type/matcher/v3/matcher.proto @@ -0,0 +1,139 @@ +syntax = "proto3"; + +package xds.type.matcher.v3; + +import "xds/annotations/v3/status.proto"; +import "xds/core/v3/extension.proto"; +import "xds/type/matcher/v3/string.proto"; + +import "validate/validate.proto"; + +option java_package = "com.github.xds.type.matcher.v3"; +option java_outer_classname = "MatcherProto"; +option java_multiple_files = true; +option go_package = "github.com/cncf/xds/go/xds/type/matcher/v3"; + +// [#protodoc-title: Unified Matcher API] + +// A matcher, which may traverse a matching tree in order to result in a match action. +// During matching, the tree will be traversed until a match is found, or if no match +// is found the action specified by the most specific on_no_match will be evaluated. +// As an on_no_match might result in another matching tree being evaluated, this process +// might repeat several times until the final OnMatch (or no match) is decided. +message Matcher { + option (xds.annotations.v3.message_status).work_in_progress = true; + + // What to do if a match is successful. + message OnMatch { + oneof on_match { + option (validate.required) = true; + + // Nested matcher to evaluate. + // If the nested matcher does not match and does not specify + // on_no_match, then this matcher is considered not to have + // matched, even if a predicate at this level or above returned + // true. + Matcher matcher = 1; + + // Protocol-specific action to take. + core.v3.TypedExtensionConfig action = 2; + } + } + + // A linear list of field matchers. + // The field matchers are evaluated in order, and the first match + // wins. + message MatcherList { + // Predicate to determine if a match is successful. + message Predicate { + // Predicate for a single input field. + message SinglePredicate { + // Protocol-specific specification of input field to match on. + // [#extension-category: envoy.matching.common_inputs] + core.v3.TypedExtensionConfig input = 1 [(validate.rules).message = {required: true}]; + + oneof matcher { + option (validate.required) = true; + + // Built-in string matcher. + type.matcher.v3.StringMatcher value_match = 2; + + // Extension for custom matching logic. + // [#extension-category: envoy.matching.input_matchers] + core.v3.TypedExtensionConfig custom_match = 3; + } + } + + // A list of two or more matchers. Used to allow using a list within a oneof. + message PredicateList { + repeated Predicate predicate = 1 [(validate.rules).repeated = {min_items: 2}]; + } + + oneof match_type { + option (validate.required) = true; + + // A single predicate to evaluate. + SinglePredicate single_predicate = 1; + + // A list of predicates to be OR-ed together. + PredicateList or_matcher = 2; + + // A list of predicates to be AND-ed together. + PredicateList and_matcher = 3; + + // The invert of a predicate + Predicate not_matcher = 4; + } + } + + // An individual matcher. + message FieldMatcher { + // Determines if the match succeeds. + Predicate predicate = 1 [(validate.rules).message = {required: true}]; + + // What to do if the match succeeds. + OnMatch on_match = 2 [(validate.rules).message = {required: true}]; + } + + // A list of matchers. First match wins. + repeated FieldMatcher matchers = 1 [(validate.rules).repeated = {min_items: 1}]; + } + + message MatcherTree { + // A map of configured matchers. Used to allow using a map within a oneof. + message MatchMap { + map map = 1 [(validate.rules).map = {min_pairs: 1}]; + } + + // Protocol-specific specification of input field to match on. + core.v3.TypedExtensionConfig input = 1 [(validate.rules).message = {required: true}]; + + // Exact or prefix match maps in which to look up the input value. + // If the lookup succeeds, the match is considered successful, and + // the corresponding OnMatch is used. + oneof tree_type { + option (validate.required) = true; + + MatchMap exact_match_map = 2; + + // Longest matching prefix wins. + MatchMap prefix_match_map = 3; + + // Extension for custom matching logic. + core.v3.TypedExtensionConfig custom_match = 4; + } + } + + oneof matcher_type { + // A linear list of matchers to evaluate. + MatcherList matcher_list = 1; + + // A match tree to evaluate. + MatcherTree matcher_tree = 2; + } + + // Optional OnMatch to use if no matcher above matched (e.g., if there are no matchers specified + // above, or if none of the matches specified above succeeded). + // If no matcher above matched and this field is not populated, the match will be considered unsuccessful. + OnMatch on_no_match = 3; +} diff --git a/src/main/proto/xds/type/matcher/v3/regex.proto b/src/main/proto/xds/type/matcher/v3/regex.proto new file mode 100644 index 0000000..3ff4ca9 --- /dev/null +++ b/src/main/proto/xds/type/matcher/v3/regex.proto @@ -0,0 +1,46 @@ +syntax = "proto3"; + +package xds.type.matcher.v3; + +import "validate/validate.proto"; + +option java_package = "com.github.xds.type.matcher.v3"; +option java_outer_classname = "RegexProto"; +option java_multiple_files = true; +option go_package = "github.com/cncf/xds/go/xds/type/matcher/v3"; + +// [#protodoc-title: Regex matcher] + +// A regex matcher designed for safety when used with untrusted input. +message RegexMatcher { + // Google's `RE2 `_ regex engine. The regex + // string must adhere to the documented `syntax + // `_. The engine is designed to + // complete execution in linear time as well as limit the amount of memory + // used. + // + // Envoy supports program size checking via runtime. The runtime keys + // `re2.max_program_size.error_level` and `re2.max_program_size.warn_level` + // can be set to integers as the maximum program size or complexity that a + // compiled regex can have before an exception is thrown or a warning is + // logged, respectively. `re2.max_program_size.error_level` defaults to 100, + // and `re2.max_program_size.warn_level` has no default if unset (will not + // check/log a warning). + // + // Envoy emits two stats for tracking the program size of regexes: the + // histogram `re2.program_size`, which records the program size, and the + // counter `re2.exceeded_warn_level`, which is incremented each time the + // program size exceeds the warn level threshold. + message GoogleRE2 {} + + oneof engine_type { + option (validate.required) = true; + + // Google's RE2 regex engine. + GoogleRE2 google_re2 = 1 [ (validate.rules).message = {required : true} ]; + } + + // The regex match string. The string must be supported by the configured + // engine. + string regex = 2 [ (validate.rules).string = {min_len : 1} ]; +} diff --git a/src/main/proto/xds/type/matcher/v3/string.proto b/src/main/proto/xds/type/matcher/v3/string.proto new file mode 100644 index 0000000..fdc598e --- /dev/null +++ b/src/main/proto/xds/type/matcher/v3/string.proto @@ -0,0 +1,66 @@ +syntax = "proto3"; + +package xds.type.matcher.v3; + +import "xds/type/matcher/v3/regex.proto"; + +import "validate/validate.proto"; + +option java_package = "com.github.xds.type.matcher.v3"; +option java_outer_classname = "StringProto"; +option java_multiple_files = true; +option go_package = "github.com/cncf/xds/go/xds/type/matcher/v3"; + +// [#protodoc-title: String matcher] + +// Specifies the way to match a string. +// [#next-free-field: 8] +message StringMatcher { + oneof match_pattern { + option (validate.required) = true; + + // The input string must match exactly the string specified here. + // + // Examples: + // + // * *abc* only matches the value *abc*. + string exact = 1; + + // The input string must have the prefix specified here. + // Note: empty prefix is not allowed, please use regex instead. + // + // Examples: + // + // * *abc* matches the value *abc.xyz* + string prefix = 2 [(validate.rules).string = {min_len: 1}]; + + // The input string must have the suffix specified here. + // Note: empty prefix is not allowed, please use regex instead. + // + // Examples: + // + // * *abc* matches the value *xyz.abc* + string suffix = 3 [(validate.rules).string = {min_len: 1}]; + + // The input string must match the regular expression specified here. + RegexMatcher safe_regex = 5 [(validate.rules).message = {required: true}]; + + // The input string must have the substring specified here. + // Note: empty contains match is not allowed, please use regex instead. + // + // Examples: + // + // * *abc* matches the value *xyz.abc.def* + string contains = 7 [(validate.rules).string = {min_len: 1}]; + } + + // If true, indicates the exact/prefix/suffix matching should be case insensitive. This has no + // effect for the safe_regex match. + // For example, the matcher *data* will match both input string *Data* and *data* if set to true. + bool ignore_case = 6; +} + +// Specifies a list of ways to match a string. +message ListStringMatcher { + repeated StringMatcher patterns = 1 [(validate.rules).repeated = {min_items: 1}]; +} From d5c0b4b3de180fa4f64b77f45523c7a204b32117 Mon Sep 17 00:00:00 2001 From: musi Date: Mon, 12 Dec 2022 16:06:58 +0800 Subject: [PATCH 2/5] refactor: delete useless proto --- pom.xml | 7 + src/main/proto/envoy/annotations/BUILD | 5 - .../proto/envoy/annotations/deprecation.proto | 34 - .../proto/envoy/annotations/resource.proto | 19 - src/main/proto/envoy/config/core/v3/BUILD | 0 .../proto/envoy/config/core/v3/address.proto | 198 -- .../proto/envoy/config/core/v3/backoff.proto | 37 - .../proto/envoy/config/core/v3/base.proto | 510 ---- .../envoy/config/core/v3/config_source.proto | 283 -- .../config/core/v3/event_service_config.proto | 29 - .../envoy/config/core/v3/extension.proto | 32 - .../config/core/v3/grpc_method_list.proto | 33 - .../envoy/config/core/v3/grpc_service.proto | 297 --- .../envoy/config/core/v3/health_check.proto | 417 --- .../proto/envoy/config/core/v3/http_uri.proto | 57 - .../proto/envoy/config/core/v3/protocol.proto | 601 ----- .../envoy/config/core/v3/proxy_protocol.proto | 26 - .../proto/envoy/config/core/v3/resolver.proto | 36 - .../envoy/config/core/v3/socket_option.proto | 81 - .../core/v3/substitution_format_string.proto | 116 - .../config/core/v3/udp_socket_config.proto | 32 - .../proto/envoy/config/route/v3/route.proto | 165 -- .../config/route/v3/route_components.proto | 2336 ----------------- .../envoy/config/route/v3/scoped_route.proto | 133 - src/main/proto/envoy/type/matcher/BUILD | 13 - .../proto/envoy/type/matcher/metadata.proto | 99 - src/main/proto/envoy/type/matcher/node.proto | 26 - .../proto/envoy/type/matcher/number.proto | 30 - src/main/proto/envoy/type/matcher/path.proto | 28 - src/main/proto/envoy/type/matcher/regex.proto | 79 - .../proto/envoy/type/matcher/string.proto | 80 - .../proto/envoy/type/matcher/struct.proto | 85 - src/main/proto/envoy/type/matcher/v3/BUILD | 13 - .../envoy/type/matcher/v3/filter_state.proto | 29 - .../envoy/type/matcher/v3/http_inputs.proto | 62 - .../envoy/type/matcher/v3/metadata.proto | 108 - .../proto/envoy/type/matcher/v3/node.proto | 29 - .../proto/envoy/type/matcher/v3/number.proto | 33 - .../proto/envoy/type/matcher/v3/path.proto | 31 - .../proto/envoy/type/matcher/v3/regex.proto | 100 - .../proto/envoy/type/matcher/v3/string.proto | 78 - .../proto/envoy/type/matcher/v3/struct.proto | 91 - .../proto/envoy/type/matcher/v3/value.proto | 72 - src/main/proto/envoy/type/matcher/value.proto | 65 - src/main/proto/envoy/type/metadata/v2/BUILD | 9 - .../envoy/type/metadata/v2/metadata.proto | 100 - src/main/proto/envoy/type/metadata/v3/BUILD | 9 - .../envoy/type/metadata/v3/metadata.proto | 115 - src/main/proto/envoy/type/range.proto | 43 - src/main/proto/envoy/type/tracing/v2/BUILD | 12 - .../envoy/type/tracing/v2/custom_tag.proto | 87 - src/main/proto/envoy/type/tracing/v3/BUILD | 12 - .../envoy/type/tracing/v3/custom_tag.proto | 102 - src/main/proto/envoy/type/v3/http.proto | 20 - src/main/proto/envoy/type/v3/percent.proto | 57 - src/main/proto/envoy/type/v3/range.proto | 50 - .../envoy/type/v3/semantic_version.proto | 27 - src/main/proto/udpa/annotations/BUILD | 5 - src/main/proto/udpa/annotations/migrate.proto | 55 - .../proto/udpa/annotations/security.proto | 34 - .../proto/udpa/annotations/sensitive.proto | 20 - src/main/proto/udpa/annotations/status.proto | 40 - .../proto/udpa/annotations/versioning.proto | 23 - .../proto/xds/annotations/v3/status.proto | 59 - src/main/proto/xds/core/v3/authority.proto | 22 - .../proto/xds/core/v3/context_params.proto | 23 - src/main/proto/xds/core/v3/extension.proto | 26 - .../proto/xds/type/matcher/v3/matcher.proto | 139 - .../proto/xds/type/matcher/v3/regex.proto | 46 - .../proto/xds/type/matcher/v3/string.proto | 66 - 70 files changed, 7 insertions(+), 7829 deletions(-) delete mode 100644 src/main/proto/envoy/annotations/BUILD delete mode 100644 src/main/proto/envoy/annotations/deprecation.proto delete mode 100644 src/main/proto/envoy/annotations/resource.proto delete mode 100644 src/main/proto/envoy/config/core/v3/BUILD delete mode 100644 src/main/proto/envoy/config/core/v3/address.proto delete mode 100644 src/main/proto/envoy/config/core/v3/backoff.proto delete mode 100644 src/main/proto/envoy/config/core/v3/base.proto delete mode 100644 src/main/proto/envoy/config/core/v3/config_source.proto delete mode 100644 src/main/proto/envoy/config/core/v3/event_service_config.proto delete mode 100644 src/main/proto/envoy/config/core/v3/extension.proto delete mode 100644 src/main/proto/envoy/config/core/v3/grpc_method_list.proto delete mode 100644 src/main/proto/envoy/config/core/v3/grpc_service.proto delete mode 100644 src/main/proto/envoy/config/core/v3/health_check.proto delete mode 100644 src/main/proto/envoy/config/core/v3/http_uri.proto delete mode 100644 src/main/proto/envoy/config/core/v3/protocol.proto delete mode 100644 src/main/proto/envoy/config/core/v3/proxy_protocol.proto delete mode 100644 src/main/proto/envoy/config/core/v3/resolver.proto delete mode 100644 src/main/proto/envoy/config/core/v3/socket_option.proto delete mode 100644 src/main/proto/envoy/config/core/v3/substitution_format_string.proto delete mode 100644 src/main/proto/envoy/config/core/v3/udp_socket_config.proto delete mode 100644 src/main/proto/envoy/config/route/v3/route.proto delete mode 100644 src/main/proto/envoy/config/route/v3/route_components.proto delete mode 100644 src/main/proto/envoy/config/route/v3/scoped_route.proto delete mode 100644 src/main/proto/envoy/type/matcher/BUILD delete mode 100644 src/main/proto/envoy/type/matcher/metadata.proto delete mode 100644 src/main/proto/envoy/type/matcher/node.proto delete mode 100644 src/main/proto/envoy/type/matcher/number.proto delete mode 100644 src/main/proto/envoy/type/matcher/path.proto delete mode 100644 src/main/proto/envoy/type/matcher/regex.proto delete mode 100644 src/main/proto/envoy/type/matcher/string.proto delete mode 100644 src/main/proto/envoy/type/matcher/struct.proto delete mode 100644 src/main/proto/envoy/type/matcher/v3/BUILD delete mode 100644 src/main/proto/envoy/type/matcher/v3/filter_state.proto delete mode 100644 src/main/proto/envoy/type/matcher/v3/http_inputs.proto delete mode 100644 src/main/proto/envoy/type/matcher/v3/metadata.proto delete mode 100644 src/main/proto/envoy/type/matcher/v3/node.proto delete mode 100644 src/main/proto/envoy/type/matcher/v3/number.proto delete mode 100644 src/main/proto/envoy/type/matcher/v3/path.proto delete mode 100644 src/main/proto/envoy/type/matcher/v3/regex.proto delete mode 100644 src/main/proto/envoy/type/matcher/v3/string.proto delete mode 100644 src/main/proto/envoy/type/matcher/v3/struct.proto delete mode 100644 src/main/proto/envoy/type/matcher/v3/value.proto delete mode 100644 src/main/proto/envoy/type/matcher/value.proto delete mode 100644 src/main/proto/envoy/type/metadata/v2/BUILD delete mode 100644 src/main/proto/envoy/type/metadata/v2/metadata.proto delete mode 100644 src/main/proto/envoy/type/metadata/v3/BUILD delete mode 100644 src/main/proto/envoy/type/metadata/v3/metadata.proto delete mode 100644 src/main/proto/envoy/type/range.proto delete mode 100644 src/main/proto/envoy/type/tracing/v2/BUILD delete mode 100644 src/main/proto/envoy/type/tracing/v2/custom_tag.proto delete mode 100644 src/main/proto/envoy/type/tracing/v3/BUILD delete mode 100644 src/main/proto/envoy/type/tracing/v3/custom_tag.proto delete mode 100644 src/main/proto/envoy/type/v3/http.proto delete mode 100644 src/main/proto/envoy/type/v3/percent.proto delete mode 100644 src/main/proto/envoy/type/v3/range.proto delete mode 100644 src/main/proto/envoy/type/v3/semantic_version.proto delete mode 100644 src/main/proto/udpa/annotations/BUILD delete mode 100644 src/main/proto/udpa/annotations/migrate.proto delete mode 100644 src/main/proto/udpa/annotations/security.proto delete mode 100644 src/main/proto/udpa/annotations/sensitive.proto delete mode 100644 src/main/proto/udpa/annotations/status.proto delete mode 100644 src/main/proto/udpa/annotations/versioning.proto delete mode 100644 src/main/proto/xds/annotations/v3/status.proto delete mode 100644 src/main/proto/xds/core/v3/authority.proto delete mode 100644 src/main/proto/xds/core/v3/context_params.proto delete mode 100644 src/main/proto/xds/core/v3/extension.proto delete mode 100644 src/main/proto/xds/type/matcher/v3/matcher.proto delete mode 100644 src/main/proto/xds/type/matcher/v3/regex.proto delete mode 100644 src/main/proto/xds/type/matcher/v3/string.proto diff --git a/pom.xml b/pom.xml index 9d07e27..45eeab3 100644 --- a/pom.xml +++ b/pom.xml @@ -49,6 +49,7 @@ 1.42.1 1.7.36 1.3.2 + 0.1.32 4.12 @@ -109,6 +110,12 @@ junit test + + + io.envoyproxy.controlplane + api + ${envoy-api.version} + diff --git a/src/main/proto/envoy/annotations/BUILD b/src/main/proto/envoy/annotations/BUILD deleted file mode 100644 index 5c06e2d..0000000 --- a/src/main/proto/envoy/annotations/BUILD +++ /dev/null @@ -1,5 +0,0 @@ -load("@envoy_api//bazel:api_build_system.bzl", "api_proto_package") - -licenses(["notice"]) # Apache 2 - -api_proto_package() diff --git a/src/main/proto/envoy/annotations/deprecation.proto b/src/main/proto/envoy/annotations/deprecation.proto deleted file mode 100644 index c9a96f1..0000000 --- a/src/main/proto/envoy/annotations/deprecation.proto +++ /dev/null @@ -1,34 +0,0 @@ -syntax = "proto3"; - -package envoy.annotations; -option go_package = "github.com/envoyproxy/go-control-plane/envoy/annotations"; - -import "google/protobuf/descriptor.proto"; - -// [#protodoc-title: Deprecation] -// Adds annotations for deprecated fields and enums to allow tagging proto -// fields as fatal by default and the minor version on which the field was -// deprecated. One Envoy release after deprecation, deprecated fields will be -// disallowed by default, a state which is reversible with -// :ref:`runtime overrides `. - -// Magic number in this file derived from top 28bit of SHA256 digest of -// "envoy.annotation.disallowed_by_default" and "envoy.annotation.deprecated_at_minor_version" -extend google.protobuf.FieldOptions { - bool disallowed_by_default = 189503207; - - // The API major and minor version on which the field was deprecated - // (e.g., "3.5" for major version 3 and minor version 5). - string deprecated_at_minor_version = 157299826; -} - -// Magic number in this file derived from top 28bit of SHA256 digest of -// "envoy.annotation.disallowed_by_default_enum" and -// "envoy.annotation.deprecated_at_minor_version_eum" -extend google.protobuf.EnumValueOptions { - bool disallowed_by_default_enum = 70100853; - - // The API major and minor version on which the enum value was deprecated - // (e.g., "3.5" for major version 3 and minor version 5). - string deprecated_at_minor_version_enum = 181198657; -} diff --git a/src/main/proto/envoy/annotations/resource.proto b/src/main/proto/envoy/annotations/resource.proto deleted file mode 100644 index 3877afc..0000000 --- a/src/main/proto/envoy/annotations/resource.proto +++ /dev/null @@ -1,19 +0,0 @@ -syntax = "proto3"; - -package envoy.annotations; -option go_package = "github.com/envoyproxy/go-control-plane/envoy/annotations"; - -import "google/protobuf/descriptor.proto"; - -// [#protodoc-title: Resource] - -// Magic number in this file derived from top 28bit of SHA256 digest of "envoy.annotation.resource". -extend google.protobuf.ServiceOptions { - ResourceAnnotation resource = 265073217; -} - -message ResourceAnnotation { - // Annotation for xDS services that indicates the fully-qualified Protobuf type for the resource - // type. - string type = 1; -} diff --git a/src/main/proto/envoy/config/core/v3/BUILD b/src/main/proto/envoy/config/core/v3/BUILD deleted file mode 100644 index e69de29..0000000 diff --git a/src/main/proto/envoy/config/core/v3/address.proto b/src/main/proto/envoy/config/core/v3/address.proto deleted file mode 100644 index dcc7dc5..0000000 --- a/src/main/proto/envoy/config/core/v3/address.proto +++ /dev/null @@ -1,198 +0,0 @@ -syntax = "proto3"; - -package envoy.config.core.v3; - -import "envoy/config/core/v3/socket_option.proto"; - -import "google/protobuf/wrappers.proto"; - -import "envoy/annotations/deprecation.proto"; -import "udpa/annotations/status.proto"; -import "udpa/annotations/versioning.proto"; -import "validate/validate.proto"; - -option java_package = "io.envoyproxy.envoy.config.core.v3"; -option java_outer_classname = "AddressProto"; -option java_multiple_files = true; -option go_package = "github.com/envoyproxy/go-control-plane/envoy/config/core/v3;corev3"; -option (udpa.annotations.file_status).package_version_status = ACTIVE; - -// [#protodoc-title: Network addresses] - -message Pipe { - option (udpa.annotations.versioning).previous_message_type = "envoy.api.v2.core.Pipe"; - - // Unix Domain Socket path. On Linux, paths starting with '@' will use the - // abstract namespace. The starting '@' is replaced by a null byte by Envoy. - // Paths starting with '@' will result in an error in environments other than - // Linux. - string path = 1 [(validate.rules).string = {min_len: 1}]; - - // The mode for the Pipe. Not applicable for abstract sockets. - uint32 mode = 2 [(validate.rules).uint32 = {lte: 511}]; -} - -// The address represents an envoy internal listener. -// [#comment: TODO(asraa): When address available, remove workaround from test/server/server_fuzz_test.cc:30.] -message EnvoyInternalAddress { - oneof address_name_specifier { - option (validate.required) = true; - - // Specifies the :ref:`name ` of the - // internal listener. - string server_listener_name = 1; - } - - // Specifies an endpoint identifier to distinguish between multiple endpoints for the same internal listener in a - // single upstream pool. Only used in the upstream addresses for tracking changes to individual endpoints. This, for - // example, may be set to the final destination IP for the target internal listener. - string endpoint_id = 2; -} - -// [#next-free-field: 7] -message SocketAddress { - option (udpa.annotations.versioning).previous_message_type = "envoy.api.v2.core.SocketAddress"; - - enum Protocol { - TCP = 0; - UDP = 1; - } - - Protocol protocol = 1 [(validate.rules).enum = {defined_only: true}]; - - // The address for this socket. :ref:`Listeners ` will bind - // to the address. An empty address is not allowed. Specify ``0.0.0.0`` or ``::`` - // to bind to any address. [#comment:TODO(zuercher) reinstate when implemented: - // It is possible to distinguish a Listener address via the prefix/suffix matching - // in :ref:`FilterChainMatch `.] When used - // within an upstream :ref:`BindConfig `, the address - // controls the source address of outbound connections. For :ref:`clusters - // `, the cluster type determines whether the - // address must be an IP (``STATIC`` or ``EDS`` clusters) or a hostname resolved by DNS - // (``STRICT_DNS`` or ``LOGICAL_DNS`` clusters). Address resolution can be customized - // via :ref:`resolver_name `. - string address = 2 [(validate.rules).string = {min_len: 1}]; - - oneof port_specifier { - option (validate.required) = true; - - uint32 port_value = 3 [(validate.rules).uint32 = {lte: 65535}]; - - // This is only valid if :ref:`resolver_name - // ` is specified below and the - // named resolver is capable of named port resolution. - string named_port = 4; - } - - // The name of the custom resolver. This must have been registered with Envoy. If - // this is empty, a context dependent default applies. If the address is a concrete - // IP address, no resolution will occur. If address is a hostname this - // should be set for resolution other than DNS. Specifying a custom resolver with - // ``STRICT_DNS`` or ``LOGICAL_DNS`` will generate an error at runtime. - string resolver_name = 5; - - // When binding to an IPv6 address above, this enables `IPv4 compatibility - // `_. Binding to ``::`` will - // allow both IPv4 and IPv6 connections, with peer IPv4 addresses mapped into - // IPv6 space as ``::FFFF:``. - bool ipv4_compat = 6; -} - -message TcpKeepalive { - option (udpa.annotations.versioning).previous_message_type = "envoy.api.v2.core.TcpKeepalive"; - - // Maximum number of keepalive probes to send without response before deciding - // the connection is dead. Default is to use the OS level configuration (unless - // overridden, Linux defaults to 9.) - google.protobuf.UInt32Value keepalive_probes = 1; - - // The number of seconds a connection needs to be idle before keep-alive probes - // start being sent. Default is to use the OS level configuration (unless - // overridden, Linux defaults to 7200s (i.e., 2 hours.) - google.protobuf.UInt32Value keepalive_time = 2; - - // The number of seconds between keep-alive probes. Default is to use the OS - // level configuration (unless overridden, Linux defaults to 75s.) - google.protobuf.UInt32Value keepalive_interval = 3; -} - -message ExtraSourceAddress { - // The additional address to bind. - SocketAddress address = 1 [(validate.rules).message = {required: true}]; - - // Additional socket options that may not be present in Envoy source code or - // precompiled binaries. If specified, this will override the - // :ref:`socket_options ` - // in the BindConfig. If specified with no - // :ref:`socket_options ` - // or an empty list of :ref:`socket_options `, - // it means no socket option will apply. - SocketOptionsOverride socket_options = 2; -} - -// [#next-free-field: 6] -message BindConfig { - option (udpa.annotations.versioning).previous_message_type = "envoy.api.v2.core.BindConfig"; - - // The address to bind to when creating a socket. - SocketAddress source_address = 1 [(validate.rules).message = {required: true}]; - - // Whether to set the ``IP_FREEBIND`` option when creating the socket. When this - // flag is set to true, allows the :ref:`source_address - // ` to be an IP address - // that is not configured on the system running Envoy. When this flag is set - // to false, the option ``IP_FREEBIND`` is disabled on the socket. When this - // flag is not set (default), the socket is not modified, i.e. the option is - // neither enabled nor disabled. - google.protobuf.BoolValue freebind = 2; - - // Additional socket options that may not be present in Envoy source code or - // precompiled binaries. - repeated SocketOption socket_options = 3; - - // Extra source addresses appended to the address specified in the `source_address` - // field. This enables to specify multiple source addresses. Currently, only one extra - // address can be supported, and the extra address should have a different IP version - // with the address in the `source_address` field. The address which has the same IP - // version with the target host's address IP version will be used as bind address. If more - // than one extra address specified, only the first address matched IP version will be - // returned. If there is no same IP version address found, the address in the `source_address` - // will be returned. - repeated ExtraSourceAddress extra_source_addresses = 5; - - // Deprecated by - // :ref:`extra_source_addresses ` - repeated SocketAddress additional_source_addresses = 4 - [deprecated = true, (envoy.annotations.deprecated_at_minor_version) = "3.0"]; -} - -// Addresses specify either a logical or physical address and port, which are -// used to tell Envoy where to bind/listen, connect to upstream and find -// management servers. -message Address { - option (udpa.annotations.versioning).previous_message_type = "envoy.api.v2.core.Address"; - - oneof address { - option (validate.required) = true; - - SocketAddress socket_address = 1; - - Pipe pipe = 2; - - // Specifies a user-space address handled by :ref:`internal listeners - // `. - EnvoyInternalAddress envoy_internal_address = 3; - } -} - -// CidrRange specifies an IP Address and a prefix length to construct -// the subnet mask for a `CIDR `_ range. -message CidrRange { - option (udpa.annotations.versioning).previous_message_type = "envoy.api.v2.core.CidrRange"; - - // IPv4 or IPv6 address, e.g. ``192.0.0.0`` or ``2001:db8::``. - string address_prefix = 1 [(validate.rules).string = {min_len: 1}]; - - // Length of prefix, e.g. 0, 32. Defaults to 0 when unset. - google.protobuf.UInt32Value prefix_len = 2 [(validate.rules).uint32 = {lte: 128}]; -} diff --git a/src/main/proto/envoy/config/core/v3/backoff.proto b/src/main/proto/envoy/config/core/v3/backoff.proto deleted file mode 100644 index 435b361..0000000 --- a/src/main/proto/envoy/config/core/v3/backoff.proto +++ /dev/null @@ -1,37 +0,0 @@ -syntax = "proto3"; - -package envoy.config.core.v3; - -import "google/protobuf/duration.proto"; - -import "udpa/annotations/status.proto"; -import "udpa/annotations/versioning.proto"; -import "validate/validate.proto"; - -option java_package = "io.envoyproxy.envoy.config.core.v3"; -option java_outer_classname = "BackoffProto"; -option java_multiple_files = true; -option go_package = "github.com/envoyproxy/go-control-plane/envoy/config/core/v3;corev3"; -option (udpa.annotations.file_status).package_version_status = ACTIVE; - -// [#protodoc-title: Backoff strategy] - -// Configuration defining a jittered exponential back off strategy. -message BackoffStrategy { - option (udpa.annotations.versioning).previous_message_type = "envoy.api.v2.core.BackoffStrategy"; - - // The base interval to be used for the next back off computation. It should - // be greater than zero and less than or equal to :ref:`max_interval - // `. - google.protobuf.Duration base_interval = 1 [(validate.rules).duration = { - required: true - gte {nanos: 1000000} - }]; - - // Specifies the maximum interval between retries. This parameter is optional, - // but must be greater than or equal to the :ref:`base_interval - // ` if set. The default - // is 10 times the :ref:`base_interval - // `. - google.protobuf.Duration max_interval = 2 [(validate.rules).duration = {gt {}}]; -} diff --git a/src/main/proto/envoy/config/core/v3/base.proto b/src/main/proto/envoy/config/core/v3/base.proto deleted file mode 100644 index 383b3d9..0000000 --- a/src/main/proto/envoy/config/core/v3/base.proto +++ /dev/null @@ -1,510 +0,0 @@ -syntax = "proto3"; - -package envoy.config.core.v3; - -import "envoy/config/core/v3/address.proto"; -import "envoy/config/core/v3/backoff.proto"; -import "envoy/config/core/v3/http_uri.proto"; -import "envoy/type/v3/percent.proto"; -import "envoy/type/v3/semantic_version.proto"; - -import "google/protobuf/any.proto"; -import "google/protobuf/struct.proto"; -import "google/protobuf/wrappers.proto"; - -import "xds/core/v3/context_params.proto"; - -import "envoy/annotations/deprecation.proto"; -import "udpa/annotations/migrate.proto"; -import "udpa/annotations/status.proto"; -import "udpa/annotations/versioning.proto"; -import "validate/validate.proto"; - -option java_package = "io.envoyproxy.envoy.config.core.v3"; -option java_outer_classname = "BaseProto"; -option java_multiple_files = true; -option go_package = "github.com/envoyproxy/go-control-plane/envoy/config/core/v3;corev3"; -option (udpa.annotations.file_status).package_version_status = ACTIVE; - -// [#protodoc-title: Common types] - -// Envoy supports :ref:`upstream priority routing -// ` both at the route and the virtual -// cluster level. The current priority implementation uses different connection -// pool and circuit breaking settings for each priority level. This means that -// even for HTTP/2 requests, two physical connections will be used to an -// upstream host. In the future Envoy will likely support true HTTP/2 priority -// over a single upstream connection. -enum RoutingPriority { - DEFAULT = 0; - HIGH = 1; -} - -// HTTP request method. -enum RequestMethod { - METHOD_UNSPECIFIED = 0; - GET = 1; - HEAD = 2; - POST = 3; - PUT = 4; - DELETE = 5; - CONNECT = 6; - OPTIONS = 7; - TRACE = 8; - PATCH = 9; -} - -// Identifies the direction of the traffic relative to the local Envoy. -enum TrafficDirection { - // Default option is unspecified. - UNSPECIFIED = 0; - - // The transport is used for incoming traffic. - INBOUND = 1; - - // The transport is used for outgoing traffic. - OUTBOUND = 2; -} - -// Identifies location of where either Envoy runs or where upstream hosts run. -message Locality { - option (udpa.annotations.versioning).previous_message_type = "envoy.api.v2.core.Locality"; - - // Region this :ref:`zone ` belongs to. - string region = 1; - - // Defines the local service zone where Envoy is running. Though optional, it - // should be set if discovery service routing is used and the discovery - // service exposes :ref:`zone data `, - // either in this message or via :option:`--service-zone`. The meaning of zone - // is context dependent, e.g. `Availability Zone (AZ) - // `_ - // on AWS, `Zone `_ on - // GCP, etc. - string zone = 2; - - // When used for locality of upstream hosts, this field further splits zone - // into smaller chunks of sub-zones so they can be load balanced - // independently. - string sub_zone = 3; -} - -// BuildVersion combines SemVer version of extension with free-form build information -// (i.e. 'alpha', 'private-build') as a set of strings. -message BuildVersion { - option (udpa.annotations.versioning).previous_message_type = "envoy.api.v2.core.BuildVersion"; - - // SemVer version of extension. - type.v3.SemanticVersion version = 1; - - // Free-form build information. - // Envoy defines several well known keys in the source/common/version/version.h file - google.protobuf.Struct metadata = 2; -} - -// Version and identification for an Envoy extension. -// [#next-free-field: 7] -message Extension { - option (udpa.annotations.versioning).previous_message_type = "envoy.api.v2.core.Extension"; - - // This is the name of the Envoy filter as specified in the Envoy - // configuration, e.g. envoy.filters.http.router, com.acme.widget. - string name = 1; - - // Category of the extension. - // Extension category names use reverse DNS notation. For instance "envoy.filters.listener" - // for Envoy's built-in listener filters or "com.acme.filters.http" for HTTP filters from - // acme.com vendor. - // [#comment:TODO(yanavlasov): Link to the doc with existing envoy category names.] - string category = 2; - - // [#not-implemented-hide:] Type descriptor of extension configuration proto. - // [#comment:TODO(yanavlasov): Link to the doc with existing configuration protos.] - // [#comment:TODO(yanavlasov): Add tests when PR #9391 lands.] - string type_descriptor = 3 - [deprecated = true, (envoy.annotations.deprecated_at_minor_version) = "3.0"]; - - // The version is a property of the extension and maintained independently - // of other extensions and the Envoy API. - // This field is not set when extension did not provide version information. - BuildVersion version = 4; - - // Indicates that the extension is present but was disabled via dynamic configuration. - bool disabled = 5; - - // Type URLs of extension configuration protos. - repeated string type_urls = 6; -} - -// Identifies a specific Envoy instance. The node identifier is presented to the -// management server, which may use this identifier to distinguish per Envoy -// configuration for serving. -// [#next-free-field: 13] -message Node { - option (udpa.annotations.versioning).previous_message_type = "envoy.api.v2.core.Node"; - - reserved 5; - - reserved "build_version"; - - // An opaque node identifier for the Envoy node. This also provides the local - // service node name. It should be set if any of the following features are - // used: :ref:`statsd `, :ref:`CDS - // `, and :ref:`HTTP tracing - // `, either in this message or via - // :option:`--service-node`. - string id = 1; - - // Defines the local service cluster name where Envoy is running. Though - // optional, it should be set if any of the following features are used: - // :ref:`statsd `, :ref:`health check cluster - // verification - // `, - // :ref:`runtime override directory `, - // :ref:`user agent addition - // `, - // :ref:`HTTP global rate limiting `, - // :ref:`CDS `, and :ref:`HTTP tracing - // `, either in this message or via - // :option:`--service-cluster`. - string cluster = 2; - - // Opaque metadata extending the node identifier. Envoy will pass this - // directly to the management server. - google.protobuf.Struct metadata = 3; - - // Map from xDS resource type URL to dynamic context parameters. These may vary at runtime (unlike - // other fields in this message). For example, the xDS client may have a shard identifier that - // changes during the lifetime of the xDS client. In Envoy, this would be achieved by updating the - // dynamic context on the Server::Instance's LocalInfo context provider. The shard ID dynamic - // parameter then appears in this field during future discovery requests. - map dynamic_parameters = 12; - - // Locality specifying where the Envoy instance is running. - Locality locality = 4; - - // Free-form string that identifies the entity requesting config. - // E.g. "envoy" or "grpc" - string user_agent_name = 6; - - oneof user_agent_version_type { - // Free-form string that identifies the version of the entity requesting config. - // E.g. "1.12.2" or "abcd1234", or "SpecialEnvoyBuild" - string user_agent_version = 7; - - // Structured version of the entity requesting config. - BuildVersion user_agent_build_version = 8; - } - - // List of extensions and their versions supported by the node. - repeated Extension extensions = 9; - - // Client feature support list. These are well known features described - // in the Envoy API repository for a given major version of an API. Client features - // use reverse DNS naming scheme, for example ``com.acme.feature``. - // See :ref:`the list of features ` that xDS client may - // support. - repeated string client_features = 10; - - // Known listening ports on the node as a generic hint to the management server - // for filtering :ref:`listeners ` to be returned. For example, - // if there is a listener bound to port 80, the list can optionally contain the - // SocketAddress ``(0.0.0.0,80)``. The field is optional and just a hint. - repeated Address listening_addresses = 11 - [deprecated = true, (envoy.annotations.deprecated_at_minor_version) = "3.0"]; -} - -// Metadata provides additional inputs to filters based on matched listeners, -// filter chains, routes and endpoints. It is structured as a map, usually from -// filter name (in reverse DNS format) to metadata specific to the filter. Metadata -// key-values for a filter are merged as connection and request handling occurs, -// with later values for the same key overriding earlier values. -// -// An example use of metadata is providing additional values to -// http_connection_manager in the envoy.http_connection_manager.access_log -// namespace. -// -// Another example use of metadata is to per service config info in cluster metadata, which may get -// consumed by multiple filters. -// -// For load balancing, Metadata provides a means to subset cluster endpoints. -// Endpoints have a Metadata object associated and routes contain a Metadata -// object to match against. There are some well defined metadata used today for -// this purpose: -// -// * ``{"envoy.lb": {"canary": }}`` This indicates the canary status of an -// endpoint and is also used during header processing -// (x-envoy-upstream-canary) and for stats purposes. -// [#next-major-version: move to type/metadata/v2] -message Metadata { - option (udpa.annotations.versioning).previous_message_type = "envoy.api.v2.core.Metadata"; - - // Key is the reverse DNS filter name, e.g. com.acme.widget. The ``envoy.*`` - // namespace is reserved for Envoy's built-in filters. - // If both ``filter_metadata`` and - // :ref:`typed_filter_metadata ` - // fields are present in the metadata with same keys, - // only ``typed_filter_metadata`` field will be parsed. - map filter_metadata = 1; - - // Key is the reverse DNS filter name, e.g. com.acme.widget. The ``envoy.*`` - // namespace is reserved for Envoy's built-in filters. - // The value is encoded as google.protobuf.Any. - // If both :ref:`filter_metadata ` - // and ``typed_filter_metadata`` fields are present in the metadata with same keys, - // only ``typed_filter_metadata`` field will be parsed. - map typed_filter_metadata = 2; -} - -// Runtime derived uint32 with a default when not specified. -message RuntimeUInt32 { - option (udpa.annotations.versioning).previous_message_type = "envoy.api.v2.core.RuntimeUInt32"; - - // Default value if runtime value is not available. - uint32 default_value = 2; - - // Runtime key to get value for comparison. This value is used if defined. - string runtime_key = 3 [(validate.rules).string = {min_len: 1}]; -} - -// Runtime derived percentage with a default when not specified. -message RuntimePercent { - // Default value if runtime value is not available. - type.v3.Percent default_value = 1; - - // Runtime key to get value for comparison. This value is used if defined. - string runtime_key = 2 [(validate.rules).string = {min_len: 1}]; -} - -// Runtime derived double with a default when not specified. -message RuntimeDouble { - option (udpa.annotations.versioning).previous_message_type = "envoy.api.v2.core.RuntimeDouble"; - - // Default value if runtime value is not available. - double default_value = 1; - - // Runtime key to get value for comparison. This value is used if defined. - string runtime_key = 2 [(validate.rules).string = {min_len: 1}]; -} - -// Runtime derived bool with a default when not specified. -message RuntimeFeatureFlag { - option (udpa.annotations.versioning).previous_message_type = - "envoy.api.v2.core.RuntimeFeatureFlag"; - - // Default value if runtime value is not available. - google.protobuf.BoolValue default_value = 1 [(validate.rules).message = {required: true}]; - - // Runtime key to get value for comparison. This value is used if defined. The boolean value must - // be represented via its - // `canonical JSON encoding `_. - string runtime_key = 2 [(validate.rules).string = {min_len: 1}]; -} - -// Query parameter name/value pair. -message QueryParameter { - // The key of the query parameter. Case sensitive. - string key = 1 [(validate.rules).string = {min_len: 1}]; - - // The value of the query parameter. - string value = 2; -} - -// Header name/value pair. -message HeaderValue { - option (udpa.annotations.versioning).previous_message_type = "envoy.api.v2.core.HeaderValue"; - - // Header name. - string key = 1 - [(validate.rules).string = - {min_len: 1 max_bytes: 16384 well_known_regex: HTTP_HEADER_NAME strict: false}]; - - // Header value. - // - // The same :ref:`format specifier ` as used for - // :ref:`HTTP access logging ` applies here, however - // unknown header values are replaced with the empty string instead of ``-``. - string value = 2 [ - (validate.rules).string = {max_bytes: 16384 well_known_regex: HTTP_HEADER_VALUE strict: false} - ]; -} - -// Header name/value pair plus option to control append behavior. -message HeaderValueOption { - option (udpa.annotations.versioning).previous_message_type = - "envoy.api.v2.core.HeaderValueOption"; - - // Describes the supported actions types for header append action. - enum HeaderAppendAction { - // This action will append the specified value to the existing values if the header - // already exists. If the header doesn't exist then this will add the header with - // specified key and value. - APPEND_IF_EXISTS_OR_ADD = 0; - - // This action will add the header if it doesn't already exist. If the header - // already exists then this will be a no-op. - ADD_IF_ABSENT = 1; - - // This action will overwrite the specified value by discarding any existing values if - // the header already exists. If the header doesn't exist then this will add the header - // with specified key and value. - OVERWRITE_IF_EXISTS_OR_ADD = 2; - } - - // Header name/value pair that this option applies to. - HeaderValue header = 1 [(validate.rules).message = {required: true}]; - - // Should the value be appended? If true (default), the value is appended to - // existing values. Otherwise it replaces any existing values. - // This field is deprecated and please use - // :ref:`append_action ` as replacement. - // - // .. note:: - // The :ref:`external authorization service ` and - // :ref:`external processor service ` have - // default value (``false``) for this field. - google.protobuf.BoolValue append = 2 - [deprecated = true, (envoy.annotations.deprecated_at_minor_version) = "3.0"]; - - // Describes the action taken to append/overwrite the given value for an existing header - // or to only add this header if it's absent. - // Value defaults to :ref:`APPEND_IF_EXISTS_OR_ADD - // `. - HeaderAppendAction append_action = 3 [(validate.rules).enum = {defined_only: true}]; - - // Is the header value allowed to be empty? If false (default), custom headers with empty values are dropped, - // otherwise they are added. - bool keep_empty_value = 4; -} - -// Wrapper for a set of headers. -message HeaderMap { - option (udpa.annotations.versioning).previous_message_type = "envoy.api.v2.core.HeaderMap"; - - repeated HeaderValue headers = 1; -} - -// A directory that is watched for changes, e.g. by inotify on Linux. Move/rename -// events inside this directory trigger the watch. -message WatchedDirectory { - // Directory path to watch. - string path = 1 [(validate.rules).string = {min_len: 1}]; -} - -// Data source consisting of a file, an inline value, or an environment variable. -message DataSource { - option (udpa.annotations.versioning).previous_message_type = "envoy.api.v2.core.DataSource"; - - oneof specifier { - option (validate.required) = true; - - // Local filesystem data source. - string filename = 1 [(validate.rules).string = {min_len: 1}]; - - // Bytes inlined in the configuration. - bytes inline_bytes = 2; - - // String inlined in the configuration. - string inline_string = 3; - - // Environment variable data source. - string environment_variable = 4 [(validate.rules).string = {min_len: 1}]; - } -} - -// The message specifies the retry policy of remote data source when fetching fails. -message RetryPolicy { - option (udpa.annotations.versioning).previous_message_type = "envoy.api.v2.core.RetryPolicy"; - - // Specifies parameters that control :ref:`retry backoff strategy `. - // This parameter is optional, in which case the default base interval is 1000 milliseconds. The - // default maximum interval is 10 times the base interval. - BackoffStrategy retry_back_off = 1; - - // Specifies the allowed number of retries. This parameter is optional and - // defaults to 1. - google.protobuf.UInt32Value num_retries = 2 - [(udpa.annotations.field_migrate).rename = "max_retries"]; -} - -// The message specifies how to fetch data from remote and how to verify it. -message RemoteDataSource { - option (udpa.annotations.versioning).previous_message_type = "envoy.api.v2.core.RemoteDataSource"; - - // The HTTP URI to fetch the remote data. - HttpUri http_uri = 1 [(validate.rules).message = {required: true}]; - - // SHA256 string for verifying data. - string sha256 = 2 [(validate.rules).string = {min_len: 1}]; - - // Retry policy for fetching remote data. - RetryPolicy retry_policy = 3; -} - -// Async data source which support async data fetch. -message AsyncDataSource { - option (udpa.annotations.versioning).previous_message_type = "envoy.api.v2.core.AsyncDataSource"; - - oneof specifier { - option (validate.required) = true; - - // Local async data source. - DataSource local = 1; - - // Remote async data source. - RemoteDataSource remote = 2; - } -} - -// Configuration for transport socket in :ref:`listeners ` and -// :ref:`clusters `. If the configuration is -// empty, a default transport socket implementation and configuration will be -// chosen based on the platform and existence of tls_context. -message TransportSocket { - option (udpa.annotations.versioning).previous_message_type = "envoy.api.v2.core.TransportSocket"; - - reserved 2; - - reserved "config"; - - // The name of the transport socket to instantiate. The name must match a supported transport - // socket implementation. - string name = 1 [(validate.rules).string = {min_len: 1}]; - - // Implementation specific configuration which depends on the implementation being instantiated. - // See the supported transport socket implementations for further documentation. - oneof config_type { - google.protobuf.Any typed_config = 3; - } -} - -// Runtime derived FractionalPercent with defaults for when the numerator or denominator is not -// specified via a runtime key. -// -// .. note:: -// -// Parsing of the runtime key's data is implemented such that it may be represented as a -// :ref:`FractionalPercent ` proto represented as JSON/YAML -// and may also be represented as an integer with the assumption that the value is an integral -// percentage out of 100. For instance, a runtime key lookup returning the value "42" would parse -// as a ``FractionalPercent`` whose numerator is 42 and denominator is HUNDRED. -message RuntimeFractionalPercent { - option (udpa.annotations.versioning).previous_message_type = - "envoy.api.v2.core.RuntimeFractionalPercent"; - - // Default value if the runtime value's for the numerator/denominator keys are not available. - type.v3.FractionalPercent default_value = 1 [(validate.rules).message = {required: true}]; - - // Runtime key for a YAML representation of a FractionalPercent. - string runtime_key = 2; -} - -// Identifies a specific ControlPlane instance that Envoy is connected to. -message ControlPlane { - option (udpa.annotations.versioning).previous_message_type = "envoy.api.v2.core.ControlPlane"; - - // An opaque control plane identifier that uniquely identifies an instance - // of control plane. This can be used to identify which control plane instance, - // the Envoy is connected to. - string identifier = 1; -} diff --git a/src/main/proto/envoy/config/core/v3/config_source.proto b/src/main/proto/envoy/config/core/v3/config_source.proto deleted file mode 100644 index c129301..0000000 --- a/src/main/proto/envoy/config/core/v3/config_source.proto +++ /dev/null @@ -1,283 +0,0 @@ -syntax = "proto3"; - -package envoy.config.core.v3; - -import "envoy/config/core/v3/base.proto"; -import "envoy/config/core/v3/extension.proto"; -import "envoy/config/core/v3/grpc_service.proto"; - -import "google/protobuf/any.proto"; -import "google/protobuf/duration.proto"; -import "google/protobuf/wrappers.proto"; - -import "xds/core/v3/authority.proto"; - -import "envoy/annotations/deprecation.proto"; -import "udpa/annotations/status.proto"; -import "udpa/annotations/versioning.proto"; -import "validate/validate.proto"; - -option java_package = "io.envoyproxy.envoy.config.core.v3"; -option java_outer_classname = "ConfigSourceProto"; -option java_multiple_files = true; -option go_package = "github.com/envoyproxy/go-control-plane/envoy/config/core/v3;corev3"; -option (udpa.annotations.file_status).package_version_status = ACTIVE; - -// [#protodoc-title: Configuration sources] - -// xDS API and non-xDS services version. This is used to describe both resource and transport -// protocol versions (in distinct configuration fields). -enum ApiVersion { - // When not specified, we assume v2, to ease migration to Envoy's stable API - // versioning. If a client does not support v2 (e.g. due to deprecation), this - // is an invalid value. - AUTO = 0 [deprecated = true, (envoy.annotations.deprecated_at_minor_version_enum) = "3.0"]; - - // Use xDS v2 API. - V2 = 1 [deprecated = true, (envoy.annotations.deprecated_at_minor_version_enum) = "3.0"]; - - // Use xDS v3 API. - V3 = 2; -} - -// API configuration source. This identifies the API type and cluster that Envoy -// will use to fetch an xDS API. -// [#next-free-field: 10] -message ApiConfigSource { - option (udpa.annotations.versioning).previous_message_type = "envoy.api.v2.core.ApiConfigSource"; - - // APIs may be fetched via either REST or gRPC. - enum ApiType { - // Ideally this would be 'reserved 0' but one can't reserve the default - // value. Instead we throw an exception if this is ever used. - DEPRECATED_AND_UNAVAILABLE_DO_NOT_USE = 0 - [deprecated = true, (envoy.annotations.disallowed_by_default_enum) = true]; - - // REST-JSON v2 API. The `canonical JSON encoding - // `_ for - // the v2 protos is used. - REST = 1; - - // SotW gRPC service. - GRPC = 2; - - // Using the delta xDS gRPC service, i.e. DeltaDiscovery{Request,Response} - // rather than Discovery{Request,Response}. Rather than sending Envoy the entire state - // with every update, the xDS server only sends what has changed since the last update. - DELTA_GRPC = 3; - - // SotW xDS gRPC with ADS. All resources which resolve to this configuration source will be - // multiplexed on a single connection to an ADS endpoint. - // [#not-implemented-hide:] - AGGREGATED_GRPC = 5; - - // Delta xDS gRPC with ADS. All resources which resolve to this configuration source will be - // multiplexed on a single connection to an ADS endpoint. - // [#not-implemented-hide:] - AGGREGATED_DELTA_GRPC = 6; - } - - // API type (gRPC, REST, delta gRPC) - ApiType api_type = 1 [(validate.rules).enum = {defined_only: true}]; - - // API version for xDS transport protocol. This describes the xDS gRPC/REST - // endpoint and version of [Delta]DiscoveryRequest/Response used on the wire. - ApiVersion transport_api_version = 8 [(validate.rules).enum = {defined_only: true}]; - - // Cluster names should be used only with REST. If > 1 - // cluster is defined, clusters will be cycled through if any kind of failure - // occurs. - // - // .. note:: - // - // The cluster with name ``cluster_name`` must be statically defined and its - // type must not be ``EDS``. - repeated string cluster_names = 2; - - // Multiple gRPC services be provided for GRPC. If > 1 cluster is defined, - // services will be cycled through if any kind of failure occurs. - repeated GrpcService grpc_services = 4; - - // For REST APIs, the delay between successive polls. - google.protobuf.Duration refresh_delay = 3; - - // For REST APIs, the request timeout. If not set, a default value of 1s will be used. - google.protobuf.Duration request_timeout = 5 [(validate.rules).duration = {gt {}}]; - - // For GRPC APIs, the rate limit settings. If present, discovery requests made by Envoy will be - // rate limited. - RateLimitSettings rate_limit_settings = 6; - - // Skip the node identifier in subsequent discovery requests for streaming gRPC config types. - bool set_node_on_first_message_only = 7; - - // A list of config validators that will be executed when a new update is - // received from the ApiConfigSource. Note that each validator handles a - // specific xDS service type, and only the validators corresponding to the - // type url (in ``:ref: DiscoveryResponse`` or ``:ref: DeltaDiscoveryResponse``) - // will be invoked. - // If the validator returns false or throws an exception, the config will be rejected by - // the client, and a NACK will be sent. - // [#extension-category: envoy.config.validators] - repeated TypedExtensionConfig config_validators = 9; -} - -// Aggregated Discovery Service (ADS) options. This is currently empty, but when -// set in :ref:`ConfigSource ` can be used to -// specify that ADS is to be used. -message AggregatedConfigSource { - option (udpa.annotations.versioning).previous_message_type = - "envoy.api.v2.core.AggregatedConfigSource"; -} - -// [#not-implemented-hide:] -// Self-referencing config source options. This is currently empty, but when -// set in :ref:`ConfigSource ` can be used to -// specify that other data can be obtained from the same server. -message SelfConfigSource { - option (udpa.annotations.versioning).previous_message_type = "envoy.api.v2.core.SelfConfigSource"; - - // API version for xDS transport protocol. This describes the xDS gRPC/REST - // endpoint and version of [Delta]DiscoveryRequest/Response used on the wire. - ApiVersion transport_api_version = 1 [(validate.rules).enum = {defined_only: true}]; -} - -// Rate Limit settings to be applied for discovery requests made by Envoy. -message RateLimitSettings { - option (udpa.annotations.versioning).previous_message_type = - "envoy.api.v2.core.RateLimitSettings"; - - // Maximum number of tokens to be used for rate limiting discovery request calls. If not set, a - // default value of 100 will be used. - google.protobuf.UInt32Value max_tokens = 1; - - // Rate at which tokens will be filled per second. If not set, a default fill rate of 10 tokens - // per second will be used. - google.protobuf.DoubleValue fill_rate = 2 [(validate.rules).double = {gt: 0.0}]; -} - -// Local filesystem path configuration source. -message PathConfigSource { - // Path on the filesystem to source and watch for configuration updates. - // When sourcing configuration for a :ref:`secret `, - // the certificate and key files are also watched for updates. - // - // .. note:: - // - // The path to the source must exist at config load time. - // - // .. note:: - // - // If ``watched_directory`` is *not* configured, Envoy will watch the file path for *moves*. - // This is because in general only moves are atomic. The same method of swapping files as is - // demonstrated in the :ref:`runtime documentation ` can be - // used here also. If ``watched_directory`` is configured, no watch will be placed directly on - // this path. Instead, the configured ``watched_directory`` will be used to trigger reloads of - // this path. This is required in certain deployment scenarios. See below for more information. - string path = 1 [(validate.rules).string = {min_len: 1}]; - - // If configured, this directory will be watched for *moves*. When an entry in this directory is - // moved to, the ``path`` will be reloaded. This is required in certain deployment scenarios. - // - // Specifically, if trying to load an xDS resource using a - // `Kubernetes ConfigMap `_, the - // following configuration might be used: - // 1. Store xds.yaml inside a ConfigMap. - // 2. Mount the ConfigMap to ``/config_map/xds`` - // 3. Configure path ``/config_map/xds/xds.yaml`` - // 4. Configure watched directory ``/config_map/xds`` - // - // The above configuration will ensure that Envoy watches the owning directory for moves which is - // required due to how Kubernetes manages ConfigMap symbolic links during atomic updates. - WatchedDirectory watched_directory = 2; -} - -// Configuration for :ref:`listeners `, :ref:`clusters -// `, :ref:`routes -// `, :ref:`endpoints -// ` etc. may either be sourced from the -// filesystem or from an xDS API source. Filesystem configs are watched with -// inotify for updates. -// [#next-free-field: 9] -message ConfigSource { - option (udpa.annotations.versioning).previous_message_type = "envoy.api.v2.core.ConfigSource"; - - // Authorities that this config source may be used for. An authority specified in a xdstp:// URL - // is resolved to a ``ConfigSource`` prior to configuration fetch. This field provides the - // association between authority name and configuration source. - // [#not-implemented-hide:] - repeated xds.core.v3.Authority authorities = 7; - - oneof config_source_specifier { - option (validate.required) = true; - - // Deprecated in favor of ``path_config_source``. Use that field instead. - string path = 1 [deprecated = true, (envoy.annotations.deprecated_at_minor_version) = "3.0"]; - - // Local filesystem path configuration source. - PathConfigSource path_config_source = 8; - - // API configuration source. - ApiConfigSource api_config_source = 2; - - // When set, ADS will be used to fetch resources. The ADS API configuration - // source in the bootstrap configuration is used. - AggregatedConfigSource ads = 3; - - // [#not-implemented-hide:] - // When set, the client will access the resources from the same server it got the - // ConfigSource from, although not necessarily from the same stream. This is similar to the - // :ref:`ads` field, except that the client may use a - // different stream to the same server. As a result, this field can be used for things - // like LRS that cannot be sent on an ADS stream. It can also be used to link from (e.g.) - // LDS to RDS on the same server without requiring the management server to know its name - // or required credentials. - // [#next-major-version: In xDS v3, consider replacing the ads field with this one, since - // this field can implicitly mean to use the same stream in the case where the ConfigSource - // is provided via ADS and the specified data can also be obtained via ADS.] - SelfConfigSource self = 5; - } - - // When this timeout is specified, Envoy will wait no longer than the specified time for first - // config response on this xDS subscription during the :ref:`initialization process - // `. After reaching the timeout, Envoy will move to the next - // initialization phase, even if the first config is not delivered yet. The timer is activated - // when the xDS API subscription starts, and is disarmed on first config update or on error. 0 - // means no timeout - Envoy will wait indefinitely for the first xDS config (unless another - // timeout applies). The default is 15s. - google.protobuf.Duration initial_fetch_timeout = 4; - - // API version for xDS resources. This implies the type URLs that the client - // will request for resources and the resource type that the client will in - // turn expect to be delivered. - ApiVersion resource_api_version = 6 [(validate.rules).enum = {defined_only: true}]; -} - -// Configuration source specifier for a late-bound extension configuration. The -// parent resource is warmed until all the initial extension configurations are -// received, unless the flag to apply the default configuration is set. -// Subsequent extension updates are atomic on a per-worker basis. Once an -// extension configuration is applied to a request or a connection, it remains -// constant for the duration of processing. If the initial delivery of the -// extension configuration fails, due to a timeout for example, the optional -// default configuration is applied. Without a default configuration, the -// extension is disabled, until an extension configuration is received. The -// behavior of a disabled extension depends on the context. For example, a -// filter chain with a disabled extension filter rejects all incoming streams. -message ExtensionConfigSource { - ConfigSource config_source = 1 [(validate.rules).any = {required: true}]; - - // Optional default configuration to use as the initial configuration if - // there is a failure to receive the initial extension configuration or if - // ``apply_default_config_without_warming`` flag is set. - google.protobuf.Any default_config = 2; - - // Use the default config as the initial configuration without warming and - // waiting for the first discovery response. Requires the default configuration - // to be supplied. - bool apply_default_config_without_warming = 3; - - // A set of permitted extension type URLs. Extension configuration updates are rejected - // if they do not match any type URL in the set. - repeated string type_urls = 4 [(validate.rules).repeated = {min_items: 1}]; -} diff --git a/src/main/proto/envoy/config/core/v3/event_service_config.proto b/src/main/proto/envoy/config/core/v3/event_service_config.proto deleted file mode 100644 index 68c8df4..0000000 --- a/src/main/proto/envoy/config/core/v3/event_service_config.proto +++ /dev/null @@ -1,29 +0,0 @@ -syntax = "proto3"; - -package envoy.config.core.v3; - -import "envoy/config/core/v3/grpc_service.proto"; - -import "udpa/annotations/status.proto"; -import "udpa/annotations/versioning.proto"; -import "validate/validate.proto"; - -option java_package = "io.envoyproxy.envoy.config.core.v3"; -option java_outer_classname = "EventServiceConfigProto"; -option java_multiple_files = true; -option go_package = "github.com/envoyproxy/go-control-plane/envoy/config/core/v3;corev3"; -option (udpa.annotations.file_status).package_version_status = ACTIVE; - -// [#not-implemented-hide:] -// Configuration of the event reporting service endpoint. -message EventServiceConfig { - option (udpa.annotations.versioning).previous_message_type = - "envoy.api.v2.core.EventServiceConfig"; - - oneof config_source_specifier { - option (validate.required) = true; - - // Specifies the gRPC service that hosts the event reporting service. - GrpcService grpc_service = 1; - } -} diff --git a/src/main/proto/envoy/config/core/v3/extension.proto b/src/main/proto/envoy/config/core/v3/extension.proto deleted file mode 100644 index cacc7b0..0000000 --- a/src/main/proto/envoy/config/core/v3/extension.proto +++ /dev/null @@ -1,32 +0,0 @@ -syntax = "proto3"; - -package envoy.config.core.v3; - -import "google/protobuf/any.proto"; - -import "udpa/annotations/status.proto"; -import "validate/validate.proto"; - -option java_package = "io.envoyproxy.envoy.config.core.v3"; -option java_outer_classname = "ExtensionProto"; -option java_multiple_files = true; -option go_package = "github.com/envoyproxy/go-control-plane/envoy/config/core/v3;corev3"; -option (udpa.annotations.file_status).package_version_status = ACTIVE; - -// [#protodoc-title: Extension configuration] - -// Message type for extension configuration. -// [#next-major-version: revisit all existing typed_config that doesn't use this wrapper.]. -message TypedExtensionConfig { - // The name of an extension. This is not used to select the extension, instead - // it serves the role of an opaque identifier. - string name = 1 [(validate.rules).string = {min_len: 1}]; - - // The typed config for the extension. The type URL will be used to identify - // the extension. In the case that the type URL is ``xds.type.v3.TypedStruct`` - // (or, for historical reasons, ``udpa.type.v1.TypedStruct``), the inner type - // URL of ``TypedStruct`` will be utilized. See the - // :ref:`extension configuration overview - // ` for further details. - google.protobuf.Any typed_config = 2 [(validate.rules).any = {required: true}]; -} diff --git a/src/main/proto/envoy/config/core/v3/grpc_method_list.proto b/src/main/proto/envoy/config/core/v3/grpc_method_list.proto deleted file mode 100644 index 8242b42..0000000 --- a/src/main/proto/envoy/config/core/v3/grpc_method_list.proto +++ /dev/null @@ -1,33 +0,0 @@ -syntax = "proto3"; - -package envoy.config.core.v3; - -import "udpa/annotations/status.proto"; -import "udpa/annotations/versioning.proto"; -import "validate/validate.proto"; - -option java_package = "io.envoyproxy.envoy.config.core.v3"; -option java_outer_classname = "GrpcMethodListProto"; -option java_multiple_files = true; -option go_package = "github.com/envoyproxy/go-control-plane/envoy/config/core/v3;corev3"; -option (udpa.annotations.file_status).package_version_status = ACTIVE; - -// [#protodoc-title: gRPC method list] - -// A list of gRPC methods which can be used as an allowlist, for example. -message GrpcMethodList { - option (udpa.annotations.versioning).previous_message_type = "envoy.api.v2.core.GrpcMethodList"; - - message Service { - option (udpa.annotations.versioning).previous_message_type = - "envoy.api.v2.core.GrpcMethodList.Service"; - - // The name of the gRPC service. - string name = 1 [(validate.rules).string = {min_len: 1}]; - - // The names of the gRPC methods in this service. - repeated string method_names = 2 [(validate.rules).repeated = {min_items: 1}]; - } - - repeated Service services = 1; -} diff --git a/src/main/proto/envoy/config/core/v3/grpc_service.proto b/src/main/proto/envoy/config/core/v3/grpc_service.proto deleted file mode 100644 index 6027b2b..0000000 --- a/src/main/proto/envoy/config/core/v3/grpc_service.proto +++ /dev/null @@ -1,297 +0,0 @@ -syntax = "proto3"; - -package envoy.config.core.v3; - -import "envoy/config/core/v3/base.proto"; - -import "google/protobuf/any.proto"; -import "google/protobuf/duration.proto"; -import "google/protobuf/empty.proto"; -import "google/protobuf/struct.proto"; -import "google/protobuf/wrappers.proto"; - -import "udpa/annotations/sensitive.proto"; -import "udpa/annotations/status.proto"; -import "udpa/annotations/versioning.proto"; -import "validate/validate.proto"; - -option java_package = "io.envoyproxy.envoy.config.core.v3"; -option java_outer_classname = "GrpcServiceProto"; -option java_multiple_files = true; -option go_package = "github.com/envoyproxy/go-control-plane/envoy/config/core/v3;corev3"; -option (udpa.annotations.file_status).package_version_status = ACTIVE; - -// [#protodoc-title: gRPC services] - -// gRPC service configuration. This is used by :ref:`ApiConfigSource -// ` and filter configurations. -// [#next-free-field: 6] -message GrpcService { - option (udpa.annotations.versioning).previous_message_type = "envoy.api.v2.core.GrpcService"; - - message EnvoyGrpc { - option (udpa.annotations.versioning).previous_message_type = - "envoy.api.v2.core.GrpcService.EnvoyGrpc"; - - // The name of the upstream gRPC cluster. SSL credentials will be supplied - // in the :ref:`Cluster ` :ref:`transport_socket - // `. - string cluster_name = 1 [(validate.rules).string = {min_len: 1}]; - - // The ``:authority`` header in the grpc request. If this field is not set, the authority header value will be ``cluster_name``. - // Note that this authority does not override the SNI. The SNI is provided by the transport socket of the cluster. - string authority = 2 - [(validate.rules).string = - {min_len: 0 max_bytes: 16384 well_known_regex: HTTP_HEADER_VALUE strict: false}]; - } - - // [#next-free-field: 9] - message GoogleGrpc { - option (udpa.annotations.versioning).previous_message_type = - "envoy.api.v2.core.GrpcService.GoogleGrpc"; - - // See https://grpc.io/grpc/cpp/structgrpc_1_1_ssl_credentials_options.html. - message SslCredentials { - option (udpa.annotations.versioning).previous_message_type = - "envoy.api.v2.core.GrpcService.GoogleGrpc.SslCredentials"; - - // PEM encoded server root certificates. - DataSource root_certs = 1; - - // PEM encoded client private key. - DataSource private_key = 2 [(udpa.annotations.sensitive) = true]; - - // PEM encoded client certificate chain. - DataSource cert_chain = 3; - } - - // Local channel credentials. Only UDS is supported for now. - // See https://github.com/grpc/grpc/pull/15909. - message GoogleLocalCredentials { - option (udpa.annotations.versioning).previous_message_type = - "envoy.api.v2.core.GrpcService.GoogleGrpc.GoogleLocalCredentials"; - } - - // See https://grpc.io/docs/guides/auth.html#credential-types to understand Channel and Call - // credential types. - message ChannelCredentials { - option (udpa.annotations.versioning).previous_message_type = - "envoy.api.v2.core.GrpcService.GoogleGrpc.ChannelCredentials"; - - oneof credential_specifier { - option (validate.required) = true; - - SslCredentials ssl_credentials = 1; - - // https://grpc.io/grpc/cpp/namespacegrpc.html#a6beb3ac70ff94bd2ebbd89b8f21d1f61 - google.protobuf.Empty google_default = 2; - - GoogleLocalCredentials local_credentials = 3; - } - } - - // [#next-free-field: 8] - message CallCredentials { - option (udpa.annotations.versioning).previous_message_type = - "envoy.api.v2.core.GrpcService.GoogleGrpc.CallCredentials"; - - message ServiceAccountJWTAccessCredentials { - option (udpa.annotations.versioning).previous_message_type = - "envoy.api.v2.core.GrpcService.GoogleGrpc.CallCredentials." - "ServiceAccountJWTAccessCredentials"; - - string json_key = 1; - - uint64 token_lifetime_seconds = 2; - } - - message GoogleIAMCredentials { - option (udpa.annotations.versioning).previous_message_type = - "envoy.api.v2.core.GrpcService.GoogleGrpc.CallCredentials.GoogleIAMCredentials"; - - string authorization_token = 1; - - string authority_selector = 2; - } - - message MetadataCredentialsFromPlugin { - option (udpa.annotations.versioning).previous_message_type = - "envoy.api.v2.core.GrpcService.GoogleGrpc.CallCredentials." - "MetadataCredentialsFromPlugin"; - - reserved 2; - - reserved "config"; - - string name = 1; - - // [#extension-category: envoy.grpc_credentials] - oneof config_type { - google.protobuf.Any typed_config = 3; - } - } - - // Security token service configuration that allows Google gRPC to - // fetch security token from an OAuth 2.0 authorization server. - // See https://tools.ietf.org/html/draft-ietf-oauth-token-exchange-16 and - // https://github.com/grpc/grpc/pull/19587. - // [#next-free-field: 10] - message StsService { - option (udpa.annotations.versioning).previous_message_type = - "envoy.api.v2.core.GrpcService.GoogleGrpc.CallCredentials.StsService"; - - // URI of the token exchange service that handles token exchange requests. - // [#comment:TODO(asraa): Add URI validation when implemented. Tracked by - // https://github.com/bufbuild/protoc-gen-validate/issues/303] - string token_exchange_service_uri = 1; - - // Location of the target service or resource where the client - // intends to use the requested security token. - string resource = 2; - - // Logical name of the target service where the client intends to - // use the requested security token. - string audience = 3; - - // The desired scope of the requested security token in the - // context of the service or resource where the token will be used. - string scope = 4; - - // Type of the requested security token. - string requested_token_type = 5; - - // The path of subject token, a security token that represents the - // identity of the party on behalf of whom the request is being made. - string subject_token_path = 6 [(validate.rules).string = {min_len: 1}]; - - // Type of the subject token. - string subject_token_type = 7 [(validate.rules).string = {min_len: 1}]; - - // The path of actor token, a security token that represents the identity - // of the acting party. The acting party is authorized to use the - // requested security token and act on behalf of the subject. - string actor_token_path = 8; - - // Type of the actor token. - string actor_token_type = 9; - } - - oneof credential_specifier { - option (validate.required) = true; - - // Access token credentials. - // https://grpc.io/grpc/cpp/namespacegrpc.html#ad3a80da696ffdaea943f0f858d7a360d. - string access_token = 1; - - // Google Compute Engine credentials. - // https://grpc.io/grpc/cpp/namespacegrpc.html#a6beb3ac70ff94bd2ebbd89b8f21d1f61 - google.protobuf.Empty google_compute_engine = 2; - - // Google refresh token credentials. - // https://grpc.io/grpc/cpp/namespacegrpc.html#a96901c997b91bc6513b08491e0dca37c. - string google_refresh_token = 3; - - // Service Account JWT Access credentials. - // https://grpc.io/grpc/cpp/namespacegrpc.html#a92a9f959d6102461f66ee973d8e9d3aa. - ServiceAccountJWTAccessCredentials service_account_jwt_access = 4; - - // Google IAM credentials. - // https://grpc.io/grpc/cpp/namespacegrpc.html#a9fc1fc101b41e680d47028166e76f9d0. - GoogleIAMCredentials google_iam = 5; - - // Custom authenticator credentials. - // https://grpc.io/grpc/cpp/namespacegrpc.html#a823c6a4b19ffc71fb33e90154ee2ad07. - // https://grpc.io/docs/guides/auth.html#extending-grpc-to-support-other-authentication-mechanisms. - MetadataCredentialsFromPlugin from_plugin = 6; - - // Custom security token service which implements OAuth 2.0 token exchange. - // https://tools.ietf.org/html/draft-ietf-oauth-token-exchange-16 - // See https://github.com/grpc/grpc/pull/19587. - StsService sts_service = 7; - } - } - - // Channel arguments. - message ChannelArgs { - message Value { - // Pointer values are not supported, since they don't make any sense when - // delivered via the API. - oneof value_specifier { - option (validate.required) = true; - - string string_value = 1; - - int64 int_value = 2; - } - } - - // See grpc_types.h GRPC_ARG #defines for keys that work here. - map args = 1; - } - - // The target URI when using the `Google C++ gRPC client - // `_. SSL credentials will be supplied in - // :ref:`channel_credentials `. - string target_uri = 1 [(validate.rules).string = {min_len: 1}]; - - ChannelCredentials channel_credentials = 2; - - // A set of call credentials that can be composed with `channel credentials - // `_. - repeated CallCredentials call_credentials = 3; - - // The human readable prefix to use when emitting statistics for the gRPC - // service. - // - // .. csv-table:: - // :header: Name, Type, Description - // :widths: 1, 1, 2 - // - // streams_total, Counter, Total number of streams opened - // streams_closed_, Counter, Total streams closed with - string stat_prefix = 4 [(validate.rules).string = {min_len: 1}]; - - // The name of the Google gRPC credentials factory to use. This must have been registered with - // Envoy. If this is empty, a default credentials factory will be used that sets up channel - // credentials based on other configuration parameters. - string credentials_factory_name = 5; - - // Additional configuration for site-specific customizations of the Google - // gRPC library. - google.protobuf.Struct config = 6; - - // How many bytes each stream can buffer internally. - // If not set an implementation defined default is applied (1MiB). - google.protobuf.UInt32Value per_stream_buffer_limit_bytes = 7; - - // Custom channels args. - ChannelArgs channel_args = 8; - } - - reserved 4; - - oneof target_specifier { - option (validate.required) = true; - - // Envoy's in-built gRPC client. - // See the :ref:`gRPC services overview ` - // documentation for discussion on gRPC client selection. - EnvoyGrpc envoy_grpc = 1; - - // `Google C++ gRPC client `_ - // See the :ref:`gRPC services overview ` - // documentation for discussion on gRPC client selection. - GoogleGrpc google_grpc = 2; - } - - // The timeout for the gRPC request. This is the timeout for a specific - // request. - google.protobuf.Duration timeout = 3; - - // Additional metadata to include in streams initiated to the GrpcService. This can be used for - // scenarios in which additional ad hoc authorization headers (e.g. ``x-foo-bar: baz-key``) are to - // be injected. For more information, including details on header value syntax, see the - // documentation on :ref:`custom request headers - // `. - repeated HeaderValue initial_metadata = 5; -} diff --git a/src/main/proto/envoy/config/core/v3/health_check.proto b/src/main/proto/envoy/config/core/v3/health_check.proto deleted file mode 100644 index f4c9d85..0000000 --- a/src/main/proto/envoy/config/core/v3/health_check.proto +++ /dev/null @@ -1,417 +0,0 @@ -syntax = "proto3"; - -package envoy.config.core.v3; - -import "envoy/config/core/v3/base.proto"; -import "envoy/config/core/v3/event_service_config.proto"; -import "envoy/type/matcher/v3/string.proto"; -import "envoy/type/v3/http.proto"; -import "envoy/type/v3/range.proto"; - -import "google/protobuf/any.proto"; -import "google/protobuf/duration.proto"; -import "google/protobuf/struct.proto"; -import "google/protobuf/wrappers.proto"; - -import "udpa/annotations/status.proto"; -import "udpa/annotations/versioning.proto"; -import "validate/validate.proto"; - -option java_package = "io.envoyproxy.envoy.config.core.v3"; -option java_outer_classname = "HealthCheckProto"; -option java_multiple_files = true; -option go_package = "github.com/envoyproxy/go-control-plane/envoy/config/core/v3;corev3"; -option (udpa.annotations.file_status).package_version_status = ACTIVE; - -// [#protodoc-title: Health check] -// * Health checking :ref:`architecture overview `. -// * If health checking is configured for a cluster, additional statistics are emitted. They are -// documented :ref:`here `. - -// Endpoint health status. -enum HealthStatus { - // The health status is not known. This is interpreted by Envoy as ``HEALTHY``. - UNKNOWN = 0; - - // Healthy. - HEALTHY = 1; - - // Unhealthy. - UNHEALTHY = 2; - - // Connection draining in progress. E.g., - // ``_ - // or - // ``_. - // This is interpreted by Envoy as ``UNHEALTHY``. - DRAINING = 3; - - // Health check timed out. This is part of HDS and is interpreted by Envoy as - // ``UNHEALTHY``. - TIMEOUT = 4; - - // Degraded. - DEGRADED = 5; -} - -message HealthStatusSet { - // An order-independent set of health status. - repeated HealthStatus statuses = 1 - [(validate.rules).repeated = {items {enum {defined_only: true}}}]; -} - -// [#next-free-field: 25] -message HealthCheck { - option (udpa.annotations.versioning).previous_message_type = "envoy.api.v2.core.HealthCheck"; - - // Describes the encoding of the payload bytes in the payload. - message Payload { - option (udpa.annotations.versioning).previous_message_type = - "envoy.api.v2.core.HealthCheck.Payload"; - - oneof payload { - option (validate.required) = true; - - // Hex encoded payload. E.g., "000000FF". - string text = 1 [(validate.rules).string = {min_len: 1}]; - - // Binary payload. - bytes binary = 2; - } - } - - // [#next-free-field: 15] - message HttpHealthCheck { - option (udpa.annotations.versioning).previous_message_type = - "envoy.api.v2.core.HealthCheck.HttpHealthCheck"; - - reserved 5, 7; - - reserved "service_name", "use_http2"; - - // The value of the host header in the HTTP health check request. If - // left empty (default value), the name of the cluster this health check is associated - // with will be used. The host header can be customized for a specific endpoint by setting the - // :ref:`hostname ` field. - string host = 1 [(validate.rules).string = {well_known_regex: HTTP_HEADER_VALUE strict: false}]; - - // Specifies the HTTP path that will be requested during health checking. For example - // ``/healthcheck``. - string path = 2 - [(validate.rules).string = {min_len: 1 well_known_regex: HTTP_HEADER_VALUE strict: false}]; - - // [#not-implemented-hide:] HTTP specific payload. - Payload send = 3; - - // Specifies a list of HTTP expected responses to match in the first ``response_buffer_size`` bytes of the response body. - // If it is set, both the expected response check and status code determine the health check. - // When checking the response, “fuzzy” matching is performed such that each payload block must be found, - // and in the order specified, but not necessarily contiguous. - // - // .. note:: - // - // It is recommended to set ``response_buffer_size`` based on the total Payload size for efficiency. - // The default buffer size is 1024 bytes when it is not set. - repeated Payload receive = 4; - - // Specifies the size of response buffer in bytes that is used to Payload match. - // The default value is 1024. Setting to 0 implies that the Payload will be matched against the entire response. - google.protobuf.UInt64Value response_buffer_size = 14 [(validate.rules).uint64 = {gte: 0}]; - - // Specifies a list of HTTP headers that should be added to each request that is sent to the - // health checked cluster. For more information, including details on header value syntax, see - // the documentation on :ref:`custom request headers - // `. - repeated HeaderValueOption request_headers_to_add = 6 - [(validate.rules).repeated = {max_items: 1000}]; - - // Specifies a list of HTTP headers that should be removed from each request that is sent to the - // health checked cluster. - repeated string request_headers_to_remove = 8 [(validate.rules).repeated = { - items {string {well_known_regex: HTTP_HEADER_NAME strict: false}} - }]; - - // Specifies a list of HTTP response statuses considered healthy. If provided, replaces default - // 200-only policy - 200 must be included explicitly as needed. Ranges follow half-open - // semantics of :ref:`Int64Range `. The start and end of each - // range are required. Only statuses in the range [100, 600) are allowed. - repeated type.v3.Int64Range expected_statuses = 9; - - // Specifies a list of HTTP response statuses considered retriable. If provided, responses in this range - // will count towards the configured :ref:`unhealthy_threshold `, - // but will not result in the host being considered immediately unhealthy. Ranges follow half-open semantics of - // :ref:`Int64Range `. The start and end of each range are required. - // Only statuses in the range [100, 600) are allowed. The :ref:`expected_statuses ` - // field takes precedence for any range overlaps with this field i.e. if status code 200 is both retriable and expected, a 200 response will - // be considered a successful health check. By default all responses not in - // :ref:`expected_statuses ` will result in - // the host being considered immediately unhealthy i.e. if status code 200 is expected and there are no configured retriable statuses, any - // non-200 response will result in the host being marked unhealthy. - repeated type.v3.Int64Range retriable_statuses = 12; - - // Use specified application protocol for health checks. - type.v3.CodecClientType codec_client_type = 10 [(validate.rules).enum = {defined_only: true}]; - - // An optional service name parameter which is used to validate the identity of - // the health checked cluster using a :ref:`StringMatcher - // `. See the :ref:`architecture overview - // ` for more information. - type.matcher.v3.StringMatcher service_name_matcher = 11; - - // HTTP Method that will be used for health checking, default is "GET". - // GET, HEAD, POST, PUT, DELETE, OPTIONS, TRACE, PATCH methods are supported, but making request body is not supported. - // CONNECT method is disallowed because it is not appropriate for health check request. - // If a non-200 response is expected by the method, it needs to be set in :ref:`expected_statuses `. - RequestMethod method = 13 [(validate.rules).enum = {defined_only: true not_in: 6}]; - } - - message TcpHealthCheck { - option (udpa.annotations.versioning).previous_message_type = - "envoy.api.v2.core.HealthCheck.TcpHealthCheck"; - - // Empty payloads imply a connect-only health check. - Payload send = 1; - - // When checking the response, “fuzzy” matching is performed such that each - // payload block must be found, and in the order specified, but not - // necessarily contiguous. - repeated Payload receive = 2; - } - - message RedisHealthCheck { - option (udpa.annotations.versioning).previous_message_type = - "envoy.api.v2.core.HealthCheck.RedisHealthCheck"; - - // If set, optionally perform ``EXISTS `` instead of ``PING``. A return value - // from Redis of 0 (does not exist) is considered a passing healthcheck. A return value other - // than 0 is considered a failure. This allows the user to mark a Redis instance for maintenance - // by setting the specified key to any value and waiting for traffic to drain. - string key = 1; - } - - // `grpc.health.v1.Health - // `_-based - // healthcheck. See `gRPC doc `_ - // for details. - message GrpcHealthCheck { - option (udpa.annotations.versioning).previous_message_type = - "envoy.api.v2.core.HealthCheck.GrpcHealthCheck"; - - // An optional service name parameter which will be sent to gRPC service in - // `grpc.health.v1.HealthCheckRequest - // `_. - // message. See `gRPC health-checking overview - // `_ for more information. - string service_name = 1; - - // The value of the :authority header in the gRPC health check request. If - // left empty (default value), the name of the cluster this health check is associated - // with will be used. The authority header can be customized for a specific endpoint by setting - // the :ref:`hostname ` field. - string authority = 2 - [(validate.rules).string = {well_known_regex: HTTP_HEADER_VALUE strict: false}]; - - // Specifies a list of key-value pairs that should be added to the metadata of each GRPC call - // that is sent to the health checked cluster. For more information, including details on header value syntax, - // see the documentation on :ref:`custom request headers - // `. - repeated HeaderValueOption initial_metadata = 3 [(validate.rules).repeated = {max_items: 1000}]; - } - - // Custom health check. - message CustomHealthCheck { - option (udpa.annotations.versioning).previous_message_type = - "envoy.api.v2.core.HealthCheck.CustomHealthCheck"; - - reserved 2; - - reserved "config"; - - // The registered name of the custom health checker. - string name = 1 [(validate.rules).string = {min_len: 1}]; - - // A custom health checker specific configuration which depends on the custom health checker - // being instantiated. See :api:`envoy/config/health_checker` for reference. - // [#extension-category: envoy.health_checkers] - oneof config_type { - google.protobuf.Any typed_config = 3; - } - } - - // Health checks occur over the transport socket specified for the cluster. This implies that if a - // cluster is using a TLS-enabled transport socket, the health check will also occur over TLS. - // - // This allows overriding the cluster TLS settings, just for health check connections. - message TlsOptions { - option (udpa.annotations.versioning).previous_message_type = - "envoy.api.v2.core.HealthCheck.TlsOptions"; - - // Specifies the ALPN protocols for health check connections. This is useful if the - // corresponding upstream is using ALPN-based :ref:`FilterChainMatch - // ` along with different protocols for health checks - // versus data connections. If empty, no ALPN protocols will be set on health check connections. - repeated string alpn_protocols = 1; - } - - reserved 10; - - // The time to wait for a health check response. If the timeout is reached the - // health check attempt will be considered a failure. - google.protobuf.Duration timeout = 1 [(validate.rules).duration = { - required: true - gt {} - }]; - - // The interval between health checks. - google.protobuf.Duration interval = 2 [(validate.rules).duration = { - required: true - gt {} - }]; - - // An optional jitter amount in milliseconds. If specified, Envoy will start health - // checking after for a random time in ms between 0 and initial_jitter. This only - // applies to the first health check. - google.protobuf.Duration initial_jitter = 20; - - // An optional jitter amount in milliseconds. If specified, during every - // interval Envoy will add interval_jitter to the wait time. - google.protobuf.Duration interval_jitter = 3; - - // An optional jitter amount as a percentage of interval_ms. If specified, - // during every interval Envoy will add ``interval_ms`` * - // ``interval_jitter_percent`` / 100 to the wait time. - // - // If interval_jitter_ms and interval_jitter_percent are both set, both of - // them will be used to increase the wait time. - uint32 interval_jitter_percent = 18; - - // The number of unhealthy health checks required before a host is marked - // unhealthy. Note that for ``http`` health checking if a host responds with a code not in - // :ref:`expected_statuses ` - // or :ref:`retriable_statuses `, - // this threshold is ignored and the host is considered immediately unhealthy. - google.protobuf.UInt32Value unhealthy_threshold = 4 [(validate.rules).message = {required: true}]; - - // The number of healthy health checks required before a host is marked - // healthy. Note that during startup, only a single successful health check is - // required to mark a host healthy. - google.protobuf.UInt32Value healthy_threshold = 5 [(validate.rules).message = {required: true}]; - - // [#not-implemented-hide:] Non-serving port for health checking. - google.protobuf.UInt32Value alt_port = 6; - - // Reuse health check connection between health checks. Default is true. - google.protobuf.BoolValue reuse_connection = 7; - - oneof health_checker { - option (validate.required) = true; - - // HTTP health check. - HttpHealthCheck http_health_check = 8; - - // TCP health check. - TcpHealthCheck tcp_health_check = 9; - - // gRPC health check. - GrpcHealthCheck grpc_health_check = 11; - - // Custom health check. - CustomHealthCheck custom_health_check = 13; - } - - // The "no traffic interval" is a special health check interval that is used when a cluster has - // never had traffic routed to it. This lower interval allows cluster information to be kept up to - // date, without sending a potentially large amount of active health checking traffic for no - // reason. Once a cluster has been used for traffic routing, Envoy will shift back to using the - // standard health check interval that is defined. Note that this interval takes precedence over - // any other. - // - // The default value for "no traffic interval" is 60 seconds. - google.protobuf.Duration no_traffic_interval = 12 [(validate.rules).duration = {gt {}}]; - - // The "no traffic healthy interval" is a special health check interval that - // is used for hosts that are currently passing active health checking - // (including new hosts) when the cluster has received no traffic. - // - // This is useful for when we want to send frequent health checks with - // ``no_traffic_interval`` but then revert to lower frequency ``no_traffic_healthy_interval`` once - // a host in the cluster is marked as healthy. - // - // Once a cluster has been used for traffic routing, Envoy will shift back to using the - // standard health check interval that is defined. - // - // If no_traffic_healthy_interval is not set, it will default to the - // no traffic interval and send that interval regardless of health state. - google.protobuf.Duration no_traffic_healthy_interval = 24 [(validate.rules).duration = {gt {}}]; - - // The "unhealthy interval" is a health check interval that is used for hosts that are marked as - // unhealthy. As soon as the host is marked as healthy, Envoy will shift back to using the - // standard health check interval that is defined. - // - // The default value for "unhealthy interval" is the same as "interval". - google.protobuf.Duration unhealthy_interval = 14 [(validate.rules).duration = {gt {}}]; - - // The "unhealthy edge interval" is a special health check interval that is used for the first - // health check right after a host is marked as unhealthy. For subsequent health checks - // Envoy will shift back to using either "unhealthy interval" if present or the standard health - // check interval that is defined. - // - // The default value for "unhealthy edge interval" is the same as "unhealthy interval". - google.protobuf.Duration unhealthy_edge_interval = 15 [(validate.rules).duration = {gt {}}]; - - // The "healthy edge interval" is a special health check interval that is used for the first - // health check right after a host is marked as healthy. For subsequent health checks - // Envoy will shift back to using the standard health check interval that is defined. - // - // The default value for "healthy edge interval" is the same as the default interval. - google.protobuf.Duration healthy_edge_interval = 16 [(validate.rules).duration = {gt {}}]; - - // Specifies the path to the :ref:`health check event log `. - // If empty, no event log will be written. - string event_log_path = 17; - - // [#not-implemented-hide:] - // The gRPC service for the health check event service. - // If empty, health check events won't be sent to a remote endpoint. - EventServiceConfig event_service = 22; - - // If set to true, health check failure events will always be logged. If set to false, only the - // initial health check failure event will be logged. - // The default value is false. - bool always_log_health_check_failures = 19; - - // This allows overriding the cluster TLS settings, just for health check connections. - TlsOptions tls_options = 21; - - // Optional key/value pairs that will be used to match a transport socket from those specified in the cluster's - // :ref:`tranport socket matches `. - // For example, the following match criteria - // - // .. code-block:: yaml - // - // transport_socket_match_criteria: - // useMTLS: true - // - // Will match the following :ref:`cluster socket match ` - // - // .. code-block:: yaml - // - // transport_socket_matches: - // - name: "useMTLS" - // match: - // useMTLS: true - // transport_socket: - // name: envoy.transport_sockets.tls - // config: { ... } # tls socket configuration - // - // If this field is set, then for health checks it will supersede an entry of ``envoy.transport_socket`` in the - // :ref:`LbEndpoint.Metadata `. - // This allows using different transport socket capabilities for health checking versus proxying to the - // endpoint. - // - // If the key/values pairs specified do not match any - // :ref:`transport socket matches `, - // the cluster's :ref:`transport socket ` - // will be used for health check socket configuration. - google.protobuf.Struct transport_socket_match_criteria = 23; -} diff --git a/src/main/proto/envoy/config/core/v3/http_uri.proto b/src/main/proto/envoy/config/core/v3/http_uri.proto deleted file mode 100644 index 93b6309..0000000 --- a/src/main/proto/envoy/config/core/v3/http_uri.proto +++ /dev/null @@ -1,57 +0,0 @@ -syntax = "proto3"; - -package envoy.config.core.v3; - -import "google/protobuf/duration.proto"; - -import "udpa/annotations/status.proto"; -import "udpa/annotations/versioning.proto"; -import "validate/validate.proto"; - -option java_package = "io.envoyproxy.envoy.config.core.v3"; -option java_outer_classname = "HttpUriProto"; -option java_multiple_files = true; -option go_package = "github.com/envoyproxy/go-control-plane/envoy/config/core/v3;corev3"; -option (udpa.annotations.file_status).package_version_status = ACTIVE; - -// [#protodoc-title: HTTP service URI ] - -// Envoy external URI descriptor -message HttpUri { - option (udpa.annotations.versioning).previous_message_type = "envoy.api.v2.core.HttpUri"; - - // The HTTP server URI. It should be a full FQDN with protocol, host and path. - // - // Example: - // - // .. code-block:: yaml - // - // uri: https://www.googleapis.com/oauth2/v1/certs - // - string uri = 1 [(validate.rules).string = {min_len: 1}]; - - // Specify how ``uri`` is to be fetched. Today, this requires an explicit - // cluster, but in the future we may support dynamic cluster creation or - // inline DNS resolution. See `issue - // `_. - oneof http_upstream_type { - option (validate.required) = true; - - // A cluster is created in the Envoy "cluster_manager" config - // section. This field specifies the cluster name. - // - // Example: - // - // .. code-block:: yaml - // - // cluster: jwks_cluster - // - string cluster = 2 [(validate.rules).string = {min_len: 1}]; - } - - // Sets the maximum duration in milliseconds that a response can take to arrive upon request. - google.protobuf.Duration timeout = 3 [(validate.rules).duration = { - required: true - gte {} - }]; -} diff --git a/src/main/proto/envoy/config/core/v3/protocol.proto b/src/main/proto/envoy/config/core/v3/protocol.proto deleted file mode 100644 index 0def86b..0000000 --- a/src/main/proto/envoy/config/core/v3/protocol.proto +++ /dev/null @@ -1,601 +0,0 @@ -syntax = "proto3"; - -package envoy.config.core.v3; - -import "envoy/config/core/v3/extension.proto"; -import "envoy/type/v3/percent.proto"; - -import "google/protobuf/duration.proto"; -import "google/protobuf/wrappers.proto"; - -import "xds/annotations/v3/status.proto"; - -import "envoy/annotations/deprecation.proto"; -import "udpa/annotations/status.proto"; -import "udpa/annotations/versioning.proto"; -import "validate/validate.proto"; - -option java_package = "io.envoyproxy.envoy.config.core.v3"; -option java_outer_classname = "ProtocolProto"; -option java_multiple_files = true; -option go_package = "github.com/envoyproxy/go-control-plane/envoy/config/core/v3;corev3"; -option (udpa.annotations.file_status).package_version_status = ACTIVE; - -// [#protodoc-title: Protocol options] - -// [#not-implemented-hide:] -message TcpProtocolOptions { - option (udpa.annotations.versioning).previous_message_type = - "envoy.api.v2.core.TcpProtocolOptions"; -} - -// Config for keepalive probes in a QUIC connection. -// Note that QUIC keep-alive probing packets work differently from HTTP/2 keep-alive PINGs in a sense that the probing packet -// itself doesn't timeout waiting for a probing response. Quic has a shorter idle timeout than TCP, so it doesn't rely on such probing to discover dead connections. If the peer fails to respond, the connection will idle timeout eventually. Thus, they are configured differently from :ref:`connection_keepalive `. -message QuicKeepAliveSettings { - // The max interval for a connection to send keep-alive probing packets (with PING or PATH_RESPONSE). The value should be smaller than :ref:`connection idle_timeout ` to prevent idle timeout while not less than 1s to avoid throttling the connection or flooding the peer with probes. - // - // If :ref:`initial_interval ` is absent or zero, a client connection will use this value to start probing. - // - // If zero, disable keepalive probing. - // If absent, use the QUICHE default interval to probe. - google.protobuf.Duration max_interval = 1 [(validate.rules).duration = { - lte {} - gte {seconds: 1} - }]; - - // The interval to send the first few keep-alive probing packets to prevent connection from hitting the idle timeout. Subsequent probes will be sent, each one with an interval exponentially longer than previous one, till it reaches :ref:`max_interval `. And the probes afterwards will always use :ref:`max_interval `. - // - // The value should be smaller than :ref:`connection idle_timeout ` to prevent idle timeout and smaller than max_interval to take effect. - // - // If absent or zero, disable keepalive probing for a server connection. For a client connection, if :ref:`max_interval ` is also zero, do not keepalive, otherwise use max_interval or QUICHE default to probe all the time. - google.protobuf.Duration initial_interval = 2 [(validate.rules).duration = { - lte {} - gte {seconds: 1} - }]; -} - -// QUIC protocol options which apply to both downstream and upstream connections. -// [#next-free-field: 6] -message QuicProtocolOptions { - // Maximum number of streams that the client can negotiate per connection. 100 - // if not specified. - google.protobuf.UInt32Value max_concurrent_streams = 1 [(validate.rules).uint32 = {gte: 1}]; - - // `Initial stream-level flow-control receive window - // `_ size. Valid values range from - // 1 to 16777216 (2^24, maximum supported by QUICHE) and defaults to 65536 (2^16). - // - // NOTE: 16384 (2^14) is the minimum window size supported in Google QUIC. If configured smaller than it, we will use 16384 instead. - // QUICHE IETF Quic implementation supports 1 bytes window. We only support increasing the default window size now, so it's also the minimum. - // - // This field also acts as a soft limit on the number of bytes Envoy will buffer per-stream in the - // QUIC stream send and receive buffers. Once the buffer reaches this pointer, watermark callbacks will fire to - // stop the flow of data to the stream buffers. - google.protobuf.UInt32Value initial_stream_window_size = 2 - [(validate.rules).uint32 = {lte: 16777216 gte: 1}]; - - // Similar to ``initial_stream_window_size``, but for connection-level - // flow-control. Valid values rage from 1 to 25165824 (24MB, maximum supported by QUICHE) and defaults to 65536 (2^16). - // window. Currently, this has the same minimum/default as ``initial_stream_window_size``. - // - // NOTE: 16384 (2^14) is the minimum window size supported in Google QUIC. We only support increasing the default - // window size now, so it's also the minimum. - google.protobuf.UInt32Value initial_connection_window_size = 3 - [(validate.rules).uint32 = {lte: 25165824 gte: 1}]; - - // The number of timeouts that can occur before port migration is triggered for QUIC clients. - // This defaults to 1. If set to 0, port migration will not occur on path degrading. - // Timeout here refers to QUIC internal path degrading timeout mechanism, such as PTO. - // This has no effect on server sessions. - google.protobuf.UInt32Value num_timeouts_to_trigger_port_migration = 4 - [(validate.rules).uint32 = {lte: 5 gte: 0}]; - - // Probes the peer at the configured interval to solicit traffic, i.e. ACK or PATH_RESPONSE, from the peer to push back connection idle timeout. - // If absent, use the default keepalive behavior of which a client connection sends PINGs every 15s, and a server connection doesn't do anything. - QuicKeepAliveSettings connection_keepalive = 5; -} - -message UpstreamHttpProtocolOptions { - option (udpa.annotations.versioning).previous_message_type = - "envoy.api.v2.core.UpstreamHttpProtocolOptions"; - - // Set transport socket `SNI `_ for new - // upstream connections based on the downstream HTTP host/authority header or any other arbitrary - // header when :ref:`override_auto_sni_header ` - // is set, as seen by the :ref:`router filter `. - bool auto_sni = 1; - - // Automatic validate upstream presented certificate for new upstream connections based on the - // downstream HTTP host/authority header or any other arbitrary header when :ref:`override_auto_sni_header ` - // is set, as seen by the :ref:`router filter `. - // This field is intended to be set with ``auto_sni`` field. - bool auto_san_validation = 2; - - // An optional alternative to the host/authority header to be used for setting the SNI value. - // It should be a valid downstream HTTP header, as seen by the - // :ref:`router filter `. - // If unset, host/authority header will be used for populating the SNI. If the specified header - // is not found or the value is empty, host/authority header will be used instead. - // This field is intended to be set with ``auto_sni`` and/or ``auto_san_validation`` fields. - // If none of these fields are set then setting this would be a no-op. - string override_auto_sni_header = 3 - [(validate.rules).string = {well_known_regex: HTTP_HEADER_NAME ignore_empty: true}]; -} - -// Configures the alternate protocols cache which tracks alternate protocols that can be used to -// make an HTTP connection to an origin server. See https://tools.ietf.org/html/rfc7838 for -// HTTP Alternative Services and https://datatracker.ietf.org/doc/html/draft-ietf-dnsop-svcb-https-04 -// for the "HTTPS" DNS resource record. -// [#next-free-field: 6] -message AlternateProtocolsCacheOptions { - // Allows pre-populating the cache with HTTP/3 alternate protocols entries with a 7 day lifetime. - // This will cause Envoy to attempt HTTP/3 to those upstreams, even if the upstreams have not - // advertised HTTP/3 support. These entries will be overwritten by alt-svc - // response headers or cached values. - // As with regular cached entries, if the origin response would result in clearing an existing - // alternate protocol cache entry, pre-populated entries will also be cleared. - // Adding a cache entry with hostname=foo.com port=123 is the equivalent of getting - // response headers - // alt-svc: h3=:"123"; ma=86400" in a response to a request to foo.com:123 - message AlternateProtocolsCacheEntry { - // The host name for the alternate protocol entry. - string hostname = 1 - [(validate.rules).string = {well_known_regex: HTTP_HEADER_NAME ignore_empty: true}]; - - // The port for the alternate protocol entry. - uint32 port = 2 [(validate.rules).uint32 = {lt: 65535 gt: 0}]; - } - - // The name of the cache. Multiple named caches allow independent alternate protocols cache - // configurations to operate within a single Envoy process using different configurations. All - // alternate protocols cache options with the same name *must* be equal in all fields when - // referenced from different configuration components. Configuration will fail to load if this is - // not the case. - string name = 1 [(validate.rules).string = {min_len: 1}]; - - // The maximum number of entries that the cache will hold. If not specified defaults to 1024. - // - // .. note: - // - // The implementation is approximate and enforced independently on each worker thread, thus - // it is possible for the maximum entries in the cache to go slightly above the configured - // value depending on timing. This is similar to how other circuit breakers work. - google.protobuf.UInt32Value max_entries = 2 [(validate.rules).uint32 = {gt: 0}]; - - // Allows configuring a persistent - // :ref:`key value store ` to flush - // alternate protocols entries to disk. - // This function is currently only supported if concurrency is 1 - // Cached entries will take precedence over pre-populated entries below. - TypedExtensionConfig key_value_store_config = 3; - - // Allows pre-populating the cache with entries, as described above. - repeated AlternateProtocolsCacheEntry prepopulated_entries = 4; - - // Optional list of hostnames suffixes for which Alt-Svc entries can be shared. For example, if - // this list contained the value ``.c.example.com``, then an Alt-Svc entry for ``foo.c.example.com`` - // could be shared with ``bar.c.example.com`` but would not be shared with ``baz.example.com``. On - // the other hand, if the list contained the value ``.example.com`` then all three hosts could share - // Alt-Svc entries. Each entry must start with ``.``. If a hostname matches multiple suffixes, the - // first listed suffix will be used. - // - // Since lookup in this list is O(n), it is recommended that the number of suffixes be limited. - // [#not-implemented-hide:] - repeated string canonical_suffixes = 5; -} - -// [#next-free-field: 7] -message HttpProtocolOptions { - option (udpa.annotations.versioning).previous_message_type = - "envoy.api.v2.core.HttpProtocolOptions"; - - // Action to take when Envoy receives client request with header names containing underscore - // characters. - // Underscore character is allowed in header names by the RFC-7230 and this behavior is implemented - // as a security measure due to systems that treat '_' and '-' as interchangeable. Envoy by default allows client request headers with underscore - // characters. - enum HeadersWithUnderscoresAction { - // Allow headers with underscores. This is the default behavior. - ALLOW = 0; - - // Reject client request. HTTP/1 requests are rejected with the 400 status. HTTP/2 requests - // end with the stream reset. The "httpN.requests_rejected_with_underscores_in_headers" counter - // is incremented for each rejected request. - REJECT_REQUEST = 1; - - // Drop the client header with name containing underscores. The header is dropped before the filter chain is - // invoked and as such filters will not see dropped headers. The - // "httpN.dropped_headers_with_underscores" is incremented for each dropped header. - DROP_HEADER = 2; - } - - // The idle timeout for connections. The idle timeout is defined as the - // period in which there are no active requests. When the - // idle timeout is reached the connection will be closed. If the connection is an HTTP/2 - // downstream connection a drain sequence will occur prior to closing the connection, see - // :ref:`drain_timeout - // `. - // Note that request based timeouts mean that HTTP/2 PINGs will not keep the connection alive. - // If not specified, this defaults to 1 hour. To disable idle timeouts explicitly set this to 0. - // - // .. warning:: - // Disabling this timeout has a highly likelihood of yielding connection leaks due to lost TCP - // FIN packets, etc. - // - // If the :ref:`overload action ` "envoy.overload_actions.reduce_timeouts" - // is configured, this timeout is scaled for downstream connections according to the value for - // :ref:`HTTP_DOWNSTREAM_CONNECTION_IDLE `. - google.protobuf.Duration idle_timeout = 1; - - // The maximum duration of a connection. The duration is defined as a period since a connection - // was established. If not set, there is no max duration. When max_connection_duration is reached - // and if there are no active streams, the connection will be closed. If the connection is a - // downstream connection and there are any active streams, the drain sequence will kick-in, - // and the connection will be force-closed after the drain period. See :ref:`drain_timeout - // `. - google.protobuf.Duration max_connection_duration = 3; - - // The maximum number of headers. If unconfigured, the default - // maximum number of request headers allowed is 100. Requests that exceed this limit will receive - // a 431 response for HTTP/1.x and cause a stream reset for HTTP/2. - google.protobuf.UInt32Value max_headers_count = 2 [(validate.rules).uint32 = {gte: 1}]; - - // Total duration to keep alive an HTTP request/response stream. If the time limit is reached the stream will be - // reset independent of any other timeouts. If not specified, this value is not set. - google.protobuf.Duration max_stream_duration = 4; - - // Action to take when a client request with a header name containing underscore characters is received. - // If this setting is not specified, the value defaults to ALLOW. - // Note: upstream responses are not affected by this setting. - // Note: this only affects client headers. It does not affect headers added - // by Envoy filters and does not have any impact if added to cluster config. - HeadersWithUnderscoresAction headers_with_underscores_action = 5; - - // Optional maximum requests for both upstream and downstream connections. - // If not specified, there is no limit. - // Setting this parameter to 1 will effectively disable keep alive. - // For HTTP/2 and HTTP/3, due to concurrent stream processing, the limit is approximate. - google.protobuf.UInt32Value max_requests_per_connection = 6; -} - -// [#next-free-field: 9] -message Http1ProtocolOptions { - option (udpa.annotations.versioning).previous_message_type = - "envoy.api.v2.core.Http1ProtocolOptions"; - - // [#next-free-field: 9] - message HeaderKeyFormat { - option (udpa.annotations.versioning).previous_message_type = - "envoy.api.v2.core.Http1ProtocolOptions.HeaderKeyFormat"; - - message ProperCaseWords { - option (udpa.annotations.versioning).previous_message_type = - "envoy.api.v2.core.Http1ProtocolOptions.HeaderKeyFormat.ProperCaseWords"; - } - - oneof header_format { - option (validate.required) = true; - - // Formats the header by proper casing words: the first character and any character following - // a special character will be capitalized if it's an alpha character. For example, - // "content-type" becomes "Content-Type", and "foo$b#$are" becomes "Foo$B#$Are". - // Note that while this results in most headers following conventional casing, certain headers - // are not covered. For example, the "TE" header will be formatted as "Te". - ProperCaseWords proper_case_words = 1; - - // Configuration for stateful formatter extensions that allow using received headers to - // affect the output of encoding headers. E.g., preserving case during proxying. - // [#extension-category: envoy.http.stateful_header_formatters] - TypedExtensionConfig stateful_formatter = 8; - } - } - - // Handle HTTP requests with absolute URLs in the requests. These requests - // are generally sent by clients to forward/explicit proxies. This allows clients to configure - // envoy as their HTTP proxy. In Unix, for example, this is typically done by setting the - // ``http_proxy`` environment variable. - google.protobuf.BoolValue allow_absolute_url = 1; - - // Handle incoming HTTP/1.0 and HTTP 0.9 requests. - // This is off by default, and not fully standards compliant. There is support for pre-HTTP/1.1 - // style connect logic, dechunking, and handling lack of client host iff - // ``default_host_for_http_10`` is configured. - bool accept_http_10 = 2; - - // A default host for HTTP/1.0 requests. This is highly suggested if ``accept_http_10`` is true as - // Envoy does not otherwise support HTTP/1.0 without a Host header. - // This is a no-op if ``accept_http_10`` is not true. - string default_host_for_http_10 = 3; - - // Describes how the keys for response headers should be formatted. By default, all header keys - // are lower cased. - HeaderKeyFormat header_key_format = 4; - - // Enables trailers for HTTP/1. By default the HTTP/1 codec drops proxied trailers. - // - // .. attention:: - // - // Note that this only happens when Envoy is chunk encoding which occurs when: - // - The request is HTTP/1.1. - // - Is neither a HEAD only request nor a HTTP Upgrade. - // - Not a response to a HEAD request. - // - The content length header is not present. - bool enable_trailers = 5; - - // Allows Envoy to process requests/responses with both ``Content-Length`` and ``Transfer-Encoding`` - // headers set. By default such messages are rejected, but if option is enabled - Envoy will - // remove Content-Length header and process message. - // See `RFC7230, sec. 3.3.3 `_ for details. - // - // .. attention:: - // Enabling this option might lead to request smuggling vulnerability, especially if traffic - // is proxied via multiple layers of proxies. - // [#comment:TODO: This field is ignored when the - // :ref:`header validation configuration ` - // is present.] - bool allow_chunked_length = 6; - - // Allows invalid HTTP messaging. When this option is false, then Envoy will terminate - // HTTP/1.1 connections upon receiving an invalid HTTP message. However, - // when this option is true, then Envoy will leave the HTTP/1.1 connection - // open where possible. - // If set, this overrides any HCM :ref:`stream_error_on_invalid_http_messaging - // `. - google.protobuf.BoolValue override_stream_error_on_invalid_http_message = 7; - - // Allows sending fully qualified URLs when proxying the first line of the - // response. By default, Envoy will only send the path components in the first line. - // If this is true, Envoy will create a fully qualified URI composing scheme - // (inferred if not present), host (from the host/:authority header) and path - // (from first line or :path header). - bool send_fully_qualified_url = 8; -} - -message KeepaliveSettings { - // Send HTTP/2 PING frames at this period, in order to test that the connection is still alive. - // If this is zero, interval PINGs will not be sent. - google.protobuf.Duration interval = 1 [(validate.rules).duration = {gte {nanos: 1000000}}]; - - // How long to wait for a response to a keepalive PING. If a response is not received within this - // time period, the connection will be aborted. Note that in order to prevent the influence of - // Head-of-line (HOL) blocking the timeout period is extended when *any* frame is received on - // the connection, under the assumption that if a frame is received the connection is healthy. - google.protobuf.Duration timeout = 2 [(validate.rules).duration = { - required: true - gte {nanos: 1000000} - }]; - - // A random jitter amount as a percentage of interval that will be added to each interval. - // A value of zero means there will be no jitter. - // The default value is 15%. - type.v3.Percent interval_jitter = 3; - - // If the connection has been idle for this duration, send a HTTP/2 ping ahead - // of new stream creation, to quickly detect dead connections. - // If this is zero, this type of PING will not be sent. - // If an interval ping is outstanding, a second ping will not be sent as the - // interval ping will determine if the connection is dead. - // - // The same feature for HTTP/3 is given by inheritance from QUICHE which uses :ref:`connection idle_timeout ` and the current PTO of the connection to decide whether to probe before sending a new request. - google.protobuf.Duration connection_idle_interval = 4 - [(validate.rules).duration = {gte {nanos: 1000000}}]; -} - -// [#next-free-field: 16] -message Http2ProtocolOptions { - option (udpa.annotations.versioning).previous_message_type = - "envoy.api.v2.core.Http2ProtocolOptions"; - - // Defines a parameter to be sent in the SETTINGS frame. - // See `RFC7540, sec. 6.5.1 `_ for details. - message SettingsParameter { - option (udpa.annotations.versioning).previous_message_type = - "envoy.api.v2.core.Http2ProtocolOptions.SettingsParameter"; - - // The 16 bit parameter identifier. - google.protobuf.UInt32Value identifier = 1 [ - (validate.rules).uint32 = {lte: 65535 gte: 0}, - (validate.rules).message = {required: true} - ]; - - // The 32 bit parameter value. - google.protobuf.UInt32Value value = 2 [(validate.rules).message = {required: true}]; - } - - // `Maximum table size `_ - // (in octets) that the encoder is permitted to use for the dynamic HPACK table. Valid values - // range from 0 to 4294967295 (2^32 - 1) and defaults to 4096. 0 effectively disables header - // compression. - google.protobuf.UInt32Value hpack_table_size = 1; - - // `Maximum concurrent streams `_ - // allowed for peer on one HTTP/2 connection. Valid values range from 1 to 2147483647 (2^31 - 1) - // and defaults to 2147483647. - // - // For upstream connections, this also limits how many streams Envoy will initiate concurrently - // on a single connection. If the limit is reached, Envoy may queue requests or establish - // additional connections (as allowed per circuit breaker limits). - // - // This acts as an upper bound: Envoy will lower the max concurrent streams allowed on a given - // connection based on upstream settings. Config dumps will reflect the configured upper bound, - // not the per-connection negotiated limits. - google.protobuf.UInt32Value max_concurrent_streams = 2 - [(validate.rules).uint32 = {lte: 2147483647 gte: 1}]; - - // `Initial stream-level flow-control window - // `_ size. Valid values range from 65535 - // (2^16 - 1, HTTP/2 default) to 2147483647 (2^31 - 1, HTTP/2 maximum) and defaults to 268435456 - // (256 * 1024 * 1024). - // - // NOTE: 65535 is the initial window size from HTTP/2 spec. We only support increasing the default - // window size now, so it's also the minimum. - // - // This field also acts as a soft limit on the number of bytes Envoy will buffer per-stream in the - // HTTP/2 codec buffers. Once the buffer reaches this pointer, watermark callbacks will fire to - // stop the flow of data to the codec buffers. - google.protobuf.UInt32Value initial_stream_window_size = 3 - [(validate.rules).uint32 = {lte: 2147483647 gte: 65535}]; - - // Similar to ``initial_stream_window_size``, but for connection-level flow-control - // window. Currently, this has the same minimum/maximum/default as ``initial_stream_window_size``. - google.protobuf.UInt32Value initial_connection_window_size = 4 - [(validate.rules).uint32 = {lte: 2147483647 gte: 65535}]; - - // Allows proxying Websocket and other upgrades over H2 connect. - bool allow_connect = 5; - - // [#not-implemented-hide:] Hiding until envoy has full metadata support. - // Still under implementation. DO NOT USE. - // - // Allows metadata. See [metadata - // docs](https://github.com/envoyproxy/envoy/blob/main/source/docs/h2_metadata.md) for more - // information. - bool allow_metadata = 6; - - // Limit the number of pending outbound downstream frames of all types (frames that are waiting to - // be written into the socket). Exceeding this limit triggers flood mitigation and connection is - // terminated. The ``http2.outbound_flood`` stat tracks the number of terminated connections due - // to flood mitigation. The default limit is 10000. - google.protobuf.UInt32Value max_outbound_frames = 7 [(validate.rules).uint32 = {gte: 1}]; - - // Limit the number of pending outbound downstream frames of types PING, SETTINGS and RST_STREAM, - // preventing high memory utilization when receiving continuous stream of these frames. Exceeding - // this limit triggers flood mitigation and connection is terminated. The - // ``http2.outbound_control_flood`` stat tracks the number of terminated connections due to flood - // mitigation. The default limit is 1000. - google.protobuf.UInt32Value max_outbound_control_frames = 8 [(validate.rules).uint32 = {gte: 1}]; - - // Limit the number of consecutive inbound frames of types HEADERS, CONTINUATION and DATA with an - // empty payload and no end stream flag. Those frames have no legitimate use and are abusive, but - // might be a result of a broken HTTP/2 implementation. The `http2.inbound_empty_frames_flood`` - // stat tracks the number of connections terminated due to flood mitigation. - // Setting this to 0 will terminate connection upon receiving first frame with an empty payload - // and no end stream flag. The default limit is 1. - google.protobuf.UInt32Value max_consecutive_inbound_frames_with_empty_payload = 9; - - // Limit the number of inbound PRIORITY frames allowed per each opened stream. If the number - // of PRIORITY frames received over the lifetime of connection exceeds the value calculated - // using this formula:: - // - // ``max_inbound_priority_frames_per_stream`` * (1 + ``opened_streams``) - // - // the connection is terminated. For downstream connections the ``opened_streams`` is incremented when - // Envoy receives complete response headers from the upstream server. For upstream connection the - // ``opened_streams`` is incremented when Envoy send the HEADERS frame for a new stream. The - // ``http2.inbound_priority_frames_flood`` stat tracks - // the number of connections terminated due to flood mitigation. The default limit is 100. - google.protobuf.UInt32Value max_inbound_priority_frames_per_stream = 10; - - // Limit the number of inbound WINDOW_UPDATE frames allowed per DATA frame sent. If the number - // of WINDOW_UPDATE frames received over the lifetime of connection exceeds the value calculated - // using this formula:: - // - // 5 + 2 * (``opened_streams`` + - // ``max_inbound_window_update_frames_per_data_frame_sent`` * ``outbound_data_frames``) - // - // the connection is terminated. For downstream connections the ``opened_streams`` is incremented when - // Envoy receives complete response headers from the upstream server. For upstream connections the - // ``opened_streams`` is incremented when Envoy sends the HEADERS frame for a new stream. The - // ``http2.inbound_priority_frames_flood`` stat tracks the number of connections terminated due to - // flood mitigation. The default max_inbound_window_update_frames_per_data_frame_sent value is 10. - // Setting this to 1 should be enough to support HTTP/2 implementations with basic flow control, - // but more complex implementations that try to estimate available bandwidth require at least 2. - google.protobuf.UInt32Value max_inbound_window_update_frames_per_data_frame_sent = 11 - [(validate.rules).uint32 = {gte: 1}]; - - // Allows invalid HTTP messaging and headers. When this option is disabled (default), then - // the whole HTTP/2 connection is terminated upon receiving invalid HEADERS frame. However, - // when this option is enabled, only the offending stream is terminated. - // - // This is overridden by HCM :ref:`stream_error_on_invalid_http_messaging - // ` - // iff present. - // - // This is deprecated in favor of :ref:`override_stream_error_on_invalid_http_message - // ` - // - // See `RFC7540, sec. 8.1 `_ for details. - bool stream_error_on_invalid_http_messaging = 12 - [deprecated = true, (envoy.annotations.deprecated_at_minor_version) = "3.0"]; - - // Allows invalid HTTP messaging and headers. When this option is disabled (default), then - // the whole HTTP/2 connection is terminated upon receiving invalid HEADERS frame. However, - // when this option is enabled, only the offending stream is terminated. - // - // This overrides any HCM :ref:`stream_error_on_invalid_http_messaging - // ` - // - // See `RFC7540, sec. 8.1 `_ for details. - google.protobuf.BoolValue override_stream_error_on_invalid_http_message = 14; - - // [#not-implemented-hide:] - // Specifies SETTINGS frame parameters to be sent to the peer, with two exceptions: - // - // 1. SETTINGS_ENABLE_PUSH (0x2) is not configurable as HTTP/2 server push is not supported by - // Envoy. - // - // 2. SETTINGS_ENABLE_CONNECT_PROTOCOL (0x8) is only configurable through the named field - // 'allow_connect'. - // - // Note that custom parameters specified through this field can not also be set in the - // corresponding named parameters: - // - // .. code-block:: text - // - // ID Field Name - // ---------------- - // 0x1 hpack_table_size - // 0x3 max_concurrent_streams - // 0x4 initial_stream_window_size - // - // Collisions will trigger config validation failure on load/update. Likewise, inconsistencies - // between custom parameters with the same identifier will trigger a failure. - // - // See `IANA HTTP/2 Settings - // `_ for - // standardized identifiers. - repeated SettingsParameter custom_settings_parameters = 13; - - // Send HTTP/2 PING frames to verify that the connection is still healthy. If the remote peer - // does not respond within the configured timeout, the connection will be aborted. - KeepaliveSettings connection_keepalive = 15; -} - -// [#not-implemented-hide:] -message GrpcProtocolOptions { - option (udpa.annotations.versioning).previous_message_type = - "envoy.api.v2.core.GrpcProtocolOptions"; - - Http2ProtocolOptions http2_protocol_options = 1; -} - -// A message which allows using HTTP/3. -// [#next-free-field: 6] -message Http3ProtocolOptions { - QuicProtocolOptions quic_protocol_options = 1; - - // Allows invalid HTTP messaging and headers. When this option is disabled (default), then - // the whole HTTP/3 connection is terminated upon receiving invalid HEADERS frame. However, - // when this option is enabled, only the offending stream is terminated. - // - // If set, this overrides any HCM :ref:`stream_error_on_invalid_http_messaging - // `. - google.protobuf.BoolValue override_stream_error_on_invalid_http_message = 2; - - // Allows proxying Websocket and other upgrades over HTTP/3 CONNECT using - // the header mechanisms from the `HTTP/2 extended connect RFC - // `_ - // and settings `proposed for HTTP/3 - // `_ - // Note that HTTP/3 CONNECT is not yet an RFC. - bool allow_extended_connect = 5 [(xds.annotations.v3.field_status).work_in_progress = true]; -} - -// A message to control transformations to the :scheme header -message SchemeHeaderTransformation { - oneof transformation { - // Overwrite any Scheme header with the contents of this string. - string scheme_to_overwrite = 1 [(validate.rules).string = {in: "http" in: "https"}]; - } -} diff --git a/src/main/proto/envoy/config/core/v3/proxy_protocol.proto b/src/main/proto/envoy/config/core/v3/proxy_protocol.proto deleted file mode 100644 index c276ce4..0000000 --- a/src/main/proto/envoy/config/core/v3/proxy_protocol.proto +++ /dev/null @@ -1,26 +0,0 @@ -syntax = "proto3"; - -package envoy.config.core.v3; - -import "udpa/annotations/status.proto"; - -option java_package = "io.envoyproxy.envoy.config.core.v3"; -option java_outer_classname = "ProxyProtocolProto"; -option java_multiple_files = true; -option go_package = "github.com/envoyproxy/go-control-plane/envoy/config/core/v3;corev3"; -option (udpa.annotations.file_status).package_version_status = ACTIVE; - -// [#protodoc-title: Proxy protocol] - -message ProxyProtocolConfig { - enum Version { - // PROXY protocol version 1. Human readable format. - V1 = 0; - - // PROXY protocol version 2. Binary format. - V2 = 1; - } - - // The PROXY protocol version to use. See https://www.haproxy.org/download/2.1/doc/proxy-protocol.txt for details - Version version = 1; -} diff --git a/src/main/proto/envoy/config/core/v3/resolver.proto b/src/main/proto/envoy/config/core/v3/resolver.proto deleted file mode 100644 index f4d103a..0000000 --- a/src/main/proto/envoy/config/core/v3/resolver.proto +++ /dev/null @@ -1,36 +0,0 @@ -syntax = "proto3"; - -package envoy.config.core.v3; - -import "envoy/config/core/v3/address.proto"; - -import "udpa/annotations/status.proto"; -import "validate/validate.proto"; - -option java_package = "io.envoyproxy.envoy.config.core.v3"; -option java_outer_classname = "ResolverProto"; -option java_multiple_files = true; -option go_package = "github.com/envoyproxy/go-control-plane/envoy/config/core/v3;corev3"; -option (udpa.annotations.file_status).package_version_status = ACTIVE; - -// [#protodoc-title: Resolver] - -// Configuration of DNS resolver option flags which control the behavior of the DNS resolver. -message DnsResolverOptions { - // Use TCP for all DNS queries instead of the default protocol UDP. - bool use_tcp_for_dns_lookups = 1; - - // Do not use the default search domains; only query hostnames as-is or as aliases. - bool no_default_search_domain = 2; -} - -// DNS resolution configuration which includes the underlying dns resolver addresses and options. -message DnsResolutionConfig { - // A list of dns resolver addresses. If specified, the DNS client library will perform resolution - // via the underlying DNS resolvers. Otherwise, the default system resolvers - // (e.g., /etc/resolv.conf) will be used. - repeated Address resolvers = 1 [(validate.rules).repeated = {min_items: 1}]; - - // Configuration of DNS resolver option flags which control the behavior of the DNS resolver. - DnsResolverOptions dns_resolver_options = 2; -} diff --git a/src/main/proto/envoy/config/core/v3/socket_option.proto b/src/main/proto/envoy/config/core/v3/socket_option.proto deleted file mode 100644 index 44f1ce3..0000000 --- a/src/main/proto/envoy/config/core/v3/socket_option.proto +++ /dev/null @@ -1,81 +0,0 @@ -syntax = "proto3"; - -package envoy.config.core.v3; - -import "udpa/annotations/status.proto"; -import "udpa/annotations/versioning.proto"; -import "validate/validate.proto"; - -option java_package = "io.envoyproxy.envoy.config.core.v3"; -option java_outer_classname = "SocketOptionProto"; -option java_multiple_files = true; -option go_package = "github.com/envoyproxy/go-control-plane/envoy/config/core/v3;corev3"; -option (udpa.annotations.file_status).package_version_status = ACTIVE; - -// [#protodoc-title: Socket option] - -// Generic socket option message. This would be used to set socket options that -// might not exist in upstream kernels or precompiled Envoy binaries. -// -// For example: -// -// .. code-block:: json -// -// { -// "description": "support tcp keep alive", -// "state": 0, -// "level": 1, -// "name": 9, -// "int_value": 1, -// } -// -// 1 means SOL_SOCKET and 9 means SO_KEEPALIVE on Linux. -// With the above configuration, `TCP Keep-Alives `_ -// can be enabled in socket with Linux, which can be used in -// :ref:`listener's` or -// :ref:`admin's ` socket_options etc. -// -// It should be noted that the name or level may have different values on different platforms. -// [#next-free-field: 7] -message SocketOption { - option (udpa.annotations.versioning).previous_message_type = "envoy.api.v2.core.SocketOption"; - - enum SocketState { - // Socket options are applied after socket creation but before binding the socket to a port - STATE_PREBIND = 0; - - // Socket options are applied after binding the socket to a port but before calling listen() - STATE_BOUND = 1; - - // Socket options are applied after calling listen() - STATE_LISTENING = 2; - } - - // An optional name to give this socket option for debugging, etc. - // Uniqueness is not required and no special meaning is assumed. - string description = 1; - - // Corresponding to the level value passed to setsockopt, such as IPPROTO_TCP - int64 level = 2; - - // The numeric name as passed to setsockopt - int64 name = 3; - - oneof value { - option (validate.required) = true; - - // Because many sockopts take an int value. - int64 int_value = 4; - - // Otherwise it's a byte buffer. - bytes buf_value = 5; - } - - // The state in which the option will be applied. When used in BindConfig - // STATE_PREBIND is currently the only valid value. - SocketState state = 6 [(validate.rules).enum = {defined_only: true}]; -} - -message SocketOptionsOverride { - repeated SocketOption socket_options = 1; -} diff --git a/src/main/proto/envoy/config/core/v3/substitution_format_string.proto b/src/main/proto/envoy/config/core/v3/substitution_format_string.proto deleted file mode 100644 index 11c834a..0000000 --- a/src/main/proto/envoy/config/core/v3/substitution_format_string.proto +++ /dev/null @@ -1,116 +0,0 @@ -syntax = "proto3"; - -package envoy.config.core.v3; - -import "envoy/config/core/v3/base.proto"; -import "envoy/config/core/v3/extension.proto"; - -import "google/protobuf/struct.proto"; - -import "envoy/annotations/deprecation.proto"; -import "udpa/annotations/status.proto"; -import "validate/validate.proto"; - -option java_package = "io.envoyproxy.envoy.config.core.v3"; -option java_outer_classname = "SubstitutionFormatStringProto"; -option java_multiple_files = true; -option go_package = "github.com/envoyproxy/go-control-plane/envoy/config/core/v3;corev3"; -option (udpa.annotations.file_status).package_version_status = ACTIVE; - -// [#protodoc-title: Substitution format string] - -// Configuration to use multiple :ref:`command operators ` -// to generate a new string in either plain text or JSON format. -// [#next-free-field: 7] -message SubstitutionFormatString { - oneof format { - option (validate.required) = true; - - // Specify a format with command operators to form a text string. - // Its details is described in :ref:`format string`. - // - // For example, setting ``text_format`` like below, - // - // .. validated-code-block:: yaml - // :type-name: envoy.config.core.v3.SubstitutionFormatString - // - // text_format: "%LOCAL_REPLY_BODY%:%RESPONSE_CODE%:path=%REQ(:path)%\n" - // - // generates plain text similar to: - // - // .. code-block:: text - // - // upstream connect error:503:path=/foo - // - // Deprecated in favor of :ref:`text_format_source `. To migrate text format strings, use the :ref:`inline_string ` field. - string text_format = 1 - [deprecated = true, (envoy.annotations.deprecated_at_minor_version) = "3.0"]; - - // Specify a format with command operators to form a JSON string. - // Its details is described in :ref:`format dictionary`. - // Values are rendered as strings, numbers, or boolean values as appropriate. - // Nested JSON objects may be produced by some command operators (e.g. FILTER_STATE or DYNAMIC_METADATA). - // See the documentation for a specific command operator for details. - // - // .. validated-code-block:: yaml - // :type-name: envoy.config.core.v3.SubstitutionFormatString - // - // json_format: - // status: "%RESPONSE_CODE%" - // message: "%LOCAL_REPLY_BODY%" - // - // The following JSON object would be created: - // - // .. code-block:: json - // - // { - // "status": 500, - // "message": "My error message" - // } - // - google.protobuf.Struct json_format = 2 [(validate.rules).message = {required: true}]; - - // Specify a format with command operators to form a text string. - // Its details is described in :ref:`format string`. - // - // For example, setting ``text_format`` like below, - // - // .. validated-code-block:: yaml - // :type-name: envoy.config.core.v3.SubstitutionFormatString - // - // text_format_source: - // inline_string: "%LOCAL_REPLY_BODY%:%RESPONSE_CODE%:path=%REQ(:path)%\n" - // - // generates plain text similar to: - // - // .. code-block:: text - // - // upstream connect error:503:path=/foo - // - DataSource text_format_source = 5; - } - - // If set to true, when command operators are evaluated to null, - // - // * for ``text_format``, the output of the empty operator is changed from ``-`` to an - // empty string, so that empty values are omitted entirely. - // * for ``json_format`` the keys with null values are omitted in the output structure. - bool omit_empty_values = 3; - - // Specify a ``content_type`` field. - // If this field is not set then ``text/plain`` is used for ``text_format`` and - // ``application/json`` is used for ``json_format``. - // - // .. validated-code-block:: yaml - // :type-name: envoy.config.core.v3.SubstitutionFormatString - // - // content_type: "text/html; charset=UTF-8" - // - string content_type = 4 - [(validate.rules).string = {well_known_regex: HTTP_HEADER_VALUE strict: false}]; - - // Specifies a collection of Formatter plugins that can be called from the access log configuration. - // See the formatters extensions documentation for details. - // [#extension-category: envoy.formatter] - repeated TypedExtensionConfig formatters = 6; -} diff --git a/src/main/proto/envoy/config/core/v3/udp_socket_config.proto b/src/main/proto/envoy/config/core/v3/udp_socket_config.proto deleted file mode 100644 index ec9f77f..0000000 --- a/src/main/proto/envoy/config/core/v3/udp_socket_config.proto +++ /dev/null @@ -1,32 +0,0 @@ -syntax = "proto3"; - -package envoy.config.core.v3; - -import "google/protobuf/wrappers.proto"; - -import "udpa/annotations/status.proto"; -import "validate/validate.proto"; - -option java_package = "io.envoyproxy.envoy.config.core.v3"; -option java_outer_classname = "UdpSocketConfigProto"; -option java_multiple_files = true; -option go_package = "github.com/envoyproxy/go-control-plane/envoy/config/core/v3;corev3"; -option (udpa.annotations.file_status).package_version_status = ACTIVE; - -// [#protodoc-title: UDP socket config] - -// Generic UDP socket configuration. -message UdpSocketConfig { - // The maximum size of received UDP datagrams. Using a larger size will cause Envoy to allocate - // more memory per socket. Received datagrams above this size will be dropped. If not set - // defaults to 1500 bytes. - google.protobuf.UInt64Value max_rx_datagram_size = 1 - [(validate.rules).uint64 = {lt: 65536 gt: 0}]; - - // Configures whether Generic Receive Offload (GRO) - // _ is preferred when reading from the - // UDP socket. The default is context dependent and is documented where UdpSocketConfig is used. - // This option affects performance but not functionality. If GRO is not supported by the operating - // system, non-GRO receive will be used. - google.protobuf.BoolValue prefer_gro = 2; -} diff --git a/src/main/proto/envoy/config/route/v3/route.proto b/src/main/proto/envoy/config/route/v3/route.proto deleted file mode 100644 index d7bc854..0000000 --- a/src/main/proto/envoy/config/route/v3/route.proto +++ /dev/null @@ -1,165 +0,0 @@ -syntax = "proto3"; - -package envoy.config.route.v3; - -import "envoy/config/core/v3/base.proto"; -import "envoy/config/core/v3/config_source.proto"; -import "envoy/config/route/v3/route_components.proto"; - -import "google/protobuf/any.proto"; -import "google/protobuf/wrappers.proto"; - -import "udpa/annotations/status.proto"; -import "udpa/annotations/versioning.proto"; -import "validate/validate.proto"; - -option java_package = "io.envoyproxy.envoy.config.route.v3"; -option java_outer_classname = "RouteProto"; -option java_multiple_files = true; -option go_package = "github.com/envoyproxy/go-control-plane/envoy/config/route/v3;routev3"; -option (udpa.annotations.file_status).package_version_status = ACTIVE; - -// [#protodoc-title: HTTP route configuration] -// * Routing :ref:`architecture overview ` -// * HTTP :ref:`router filter ` - -// [#next-free-field: 17] -message RouteConfiguration { - option (udpa.annotations.versioning).previous_message_type = "envoy.api.v2.RouteConfiguration"; - - // The name of the route configuration. For example, it might match - // :ref:`route_config_name - // ` in - // :ref:`envoy_v3_api_msg_extensions.filters.network.http_connection_manager.v3.Rds`. - string name = 1; - - // An array of virtual hosts that make up the route table. - repeated VirtualHost virtual_hosts = 2; - - // An array of virtual hosts will be dynamically loaded via the VHDS API. - // Both ``virtual_hosts`` and ``vhds`` fields will be used when present. ``virtual_hosts`` can be used - // for a base routing table or for infrequently changing virtual hosts. ``vhds`` is used for - // on-demand discovery of virtual hosts. The contents of these two fields will be merged to - // generate a routing table for a given RouteConfiguration, with ``vhds`` derived configuration - // taking precedence. - Vhds vhds = 9; - - // Optionally specifies a list of HTTP headers that the connection manager - // will consider to be internal only. If they are found on external requests they will be cleaned - // prior to filter invocation. See :ref:`config_http_conn_man_headers_x-envoy-internal` for more - // information. - repeated string internal_only_headers = 3 [ - (validate.rules).repeated = {items {string {well_known_regex: HTTP_HEADER_NAME strict: false}}} - ]; - - // Specifies a list of HTTP headers that should be added to each response that - // the connection manager encodes. Headers specified at this level are applied - // after headers from any enclosed :ref:`envoy_v3_api_msg_config.route.v3.VirtualHost` or - // :ref:`envoy_v3_api_msg_config.route.v3.RouteAction`. For more information, including details on - // header value syntax, see the documentation on :ref:`custom request headers - // `. - repeated core.v3.HeaderValueOption response_headers_to_add = 4 - [(validate.rules).repeated = {max_items: 1000}]; - - // Specifies a list of HTTP headers that should be removed from each response - // that the connection manager encodes. - repeated string response_headers_to_remove = 5 [ - (validate.rules).repeated = {items {string {well_known_regex: HTTP_HEADER_NAME strict: false}}} - ]; - - // Specifies a list of HTTP headers that should be added to each request - // routed by the HTTP connection manager. Headers specified at this level are - // applied after headers from any enclosed :ref:`envoy_v3_api_msg_config.route.v3.VirtualHost` or - // :ref:`envoy_v3_api_msg_config.route.v3.RouteAction`. For more information, including details on - // header value syntax, see the documentation on :ref:`custom request headers - // `. - repeated core.v3.HeaderValueOption request_headers_to_add = 6 - [(validate.rules).repeated = {max_items: 1000}]; - - // Specifies a list of HTTP headers that should be removed from each request - // routed by the HTTP connection manager. - repeated string request_headers_to_remove = 8 [ - (validate.rules).repeated = {items {string {well_known_regex: HTTP_HEADER_NAME strict: false}}} - ]; - - // By default, headers that should be added/removed are evaluated from most to least specific: - // - // * route level - // * virtual host level - // * connection manager level - // - // To allow setting overrides at the route or virtual host level, this order can be reversed - // by setting this option to true. Defaults to false. - // - bool most_specific_header_mutations_wins = 10; - - // An optional boolean that specifies whether the clusters that the route - // table refers to will be validated by the cluster manager. If set to true - // and a route refers to a non-existent cluster, the route table will not - // load. If set to false and a route refers to a non-existent cluster, the - // route table will load and the router filter will return a 404 if the route - // is selected at runtime. This setting defaults to true if the route table - // is statically defined via the :ref:`route_config - // ` - // option. This setting default to false if the route table is loaded dynamically via the - // :ref:`rds - // ` - // option. Users may wish to override the default behavior in certain cases (for example when - // using CDS with a static route table). - google.protobuf.BoolValue validate_clusters = 7; - - // The maximum bytes of the response :ref:`direct response body - // ` size. If not specified the default - // is 4096. - // - // .. warning:: - // - // Envoy currently holds the content of :ref:`direct response body - // ` in memory. Be careful setting - // this to be larger than the default 4KB, since the allocated memory for direct response body - // is not subject to data plane buffering controls. - // - google.protobuf.UInt32Value max_direct_response_body_size_bytes = 11; - - // A list of plugins and their configurations which may be used by a - // :ref:`cluster specifier plugin name ` - // within the route. All ``extension.name`` fields in this list must be unique. - repeated ClusterSpecifierPlugin cluster_specifier_plugins = 12; - - // Specify a set of default request mirroring policies which apply to all routes under its virtual hosts. - // Note that policies are not merged, the most specific non-empty one becomes the mirror policies. - repeated RouteAction.RequestMirrorPolicy request_mirror_policies = 13; - - // By default, port in :authority header (if any) is used in host matching. - // With this option enabled, Envoy will ignore the port number in the :authority header (if any) when picking VirtualHost. - // NOTE: this option will not strip the port number (if any) contained in route config - // :ref:`envoy_v3_api_msg_config.route.v3.VirtualHost`.domains field. - bool ignore_port_in_host_matching = 14; - - // Ignore path-parameters in path-matching. - // Before RFC3986, URI were like(RFC1808): :///;?# - // Envoy by default takes ":path" as ";". - // For users who want to only match path on the "" portion, this option should be true. - bool ignore_path_parameters_in_path_matching = 15; - - // The typed_per_filter_config field can be used to provide RouteConfiguration level per filter config. - // The key should match the :ref:`filter config name - // `. - // The canonical filter name (e.g., ``envoy.filters.http.buffer`` for the HTTP buffer filter) can also - // be used for the backwards compatibility. If there is no entry referred by the filter config name, the - // entry referred by the canonical filter name will be provided to the filters as fallback. - // - // Use of this field is filter specific; - // see the :ref:`HTTP filter documentation ` for if and how it is utilized. - // [#comment: An entry's value may be wrapped in a - // :ref:`FilterConfig` - // message to specify additional options.] - map typed_per_filter_config = 16; -} - -message Vhds { - option (udpa.annotations.versioning).previous_message_type = "envoy.api.v2.Vhds"; - - // Configuration source specifier for VHDS. - core.v3.ConfigSource config_source = 1 [(validate.rules).message = {required: true}]; -} diff --git a/src/main/proto/envoy/config/route/v3/route_components.proto b/src/main/proto/envoy/config/route/v3/route_components.proto deleted file mode 100644 index b0c0836..0000000 --- a/src/main/proto/envoy/config/route/v3/route_components.proto +++ /dev/null @@ -1,2336 +0,0 @@ -syntax = "proto3"; - -package envoy.config.route.v3; - -import "envoy/config/core/v3/base.proto"; -import "envoy/config/core/v3/extension.proto"; -import "envoy/config/core/v3/proxy_protocol.proto"; -import "envoy/type/matcher/v3/metadata.proto"; -import "envoy/type/matcher/v3/regex.proto"; -import "envoy/type/matcher/v3/string.proto"; -import "envoy/type/metadata/v3/metadata.proto"; -import "envoy/type/tracing/v3/custom_tag.proto"; -import "envoy/type/v3/percent.proto"; -import "envoy/type/v3/range.proto"; - -import "google/protobuf/any.proto"; -import "google/protobuf/duration.proto"; -import "google/protobuf/wrappers.proto"; - -import "xds/annotations/v3/status.proto"; -import "xds/type/matcher/v3/matcher.proto"; - -import "envoy/annotations/deprecation.proto"; -import "udpa/annotations/migrate.proto"; -import "udpa/annotations/status.proto"; -import "udpa/annotations/versioning.proto"; -import "validate/validate.proto"; - -option java_package = "io.envoyproxy.envoy.config.route.v3"; -option java_outer_classname = "RouteComponentsProto"; -option java_multiple_files = true; -option go_package = "github.com/envoyproxy/go-control-plane/envoy/config/route/v3;routev3"; -option (udpa.annotations.file_status).package_version_status = ACTIVE; - -// [#protodoc-title: HTTP route components] -// * Routing :ref:`architecture overview ` -// * HTTP :ref:`router filter ` - -// The top level element in the routing configuration is a virtual host. Each virtual host has -// a logical name as well as a set of domains that get routed to it based on the incoming request's -// host header. This allows a single listener to service multiple top level domain path trees. Once -// a virtual host is selected based on the domain, the routes are processed in order to see which -// upstream cluster to route to or whether to perform a redirect. -// [#next-free-field: 23] -message VirtualHost { - option (udpa.annotations.versioning).previous_message_type = "envoy.api.v2.route.VirtualHost"; - - enum TlsRequirementType { - // No TLS requirement for the virtual host. - NONE = 0; - - // External requests must use TLS. If a request is external and it is not - // using TLS, a 301 redirect will be sent telling the client to use HTTPS. - EXTERNAL_ONLY = 1; - - // All requests must use TLS. If a request is not using TLS, a 301 redirect - // will be sent telling the client to use HTTPS. - ALL = 2; - } - - reserved 9, 12; - - reserved "per_filter_config"; - - // The logical name of the virtual host. This is used when emitting certain - // statistics but is not relevant for routing. - string name = 1 [(validate.rules).string = {min_len: 1}]; - - // A list of domains (host/authority header) that will be matched to this - // virtual host. Wildcard hosts are supported in the suffix or prefix form. - // - // Domain search order: - // 1. Exact domain names: ``www.foo.com``. - // 2. Suffix domain wildcards: ``*.foo.com`` or ``*-bar.foo.com``. - // 3. Prefix domain wildcards: ``foo.*`` or ``foo-*``. - // 4. Special wildcard ``*`` matching any domain. - // - // .. note:: - // - // The wildcard will not match the empty string. - // e.g. ``*-bar.foo.com`` will match ``baz-bar.foo.com`` but not ``-bar.foo.com``. - // The longest wildcards match first. - // Only a single virtual host in the entire route configuration can match on ``*``. A domain - // must be unique across all virtual hosts or the config will fail to load. - // - // Domains cannot contain control characters. This is validated by the well_known_regex HTTP_HEADER_VALUE. - repeated string domains = 2 [(validate.rules).repeated = { - min_items: 1 - items {string {well_known_regex: HTTP_HEADER_VALUE strict: false}} - }]; - - // The list of routes that will be matched, in order, for incoming requests. - // The first route that matches will be used. - // Only one of this and ``matcher`` can be specified. - repeated Route routes = 3; - - // [#next-major-version: This should be included in a oneof with routes wrapped in a message.] - // The match tree to use when resolving route actions for incoming requests. Only one of this and ``routes`` - // can be specified. - xds.type.matcher.v3.Matcher matcher = 21 - [(xds.annotations.v3.field_status).work_in_progress = true]; - - // Specifies the type of TLS enforcement the virtual host expects. If this option is not - // specified, there is no TLS requirement for the virtual host. - TlsRequirementType require_tls = 4 [(validate.rules).enum = {defined_only: true}]; - - // A list of virtual clusters defined for this virtual host. Virtual clusters - // are used for additional statistics gathering. - repeated VirtualCluster virtual_clusters = 5; - - // Specifies a set of rate limit configurations that will be applied to the - // virtual host. - repeated RateLimit rate_limits = 6; - - // Specifies a list of HTTP headers that should be added to each request - // handled by this virtual host. Headers specified at this level are applied - // after headers from enclosed :ref:`envoy_v3_api_msg_config.route.v3.Route` and before headers from the - // enclosing :ref:`envoy_v3_api_msg_config.route.v3.RouteConfiguration`. For more information, including - // details on header value syntax, see the documentation on :ref:`custom request headers - // `. - repeated core.v3.HeaderValueOption request_headers_to_add = 7 - [(validate.rules).repeated = {max_items: 1000}]; - - // Specifies a list of HTTP headers that should be removed from each request - // handled by this virtual host. - repeated string request_headers_to_remove = 13 [(validate.rules).repeated = { - items {string {min_len: 1 well_known_regex: HTTP_HEADER_NAME strict: false}} - }]; - - // Specifies a list of HTTP headers that should be added to each response - // handled by this virtual host. Headers specified at this level are applied - // after headers from enclosed :ref:`envoy_v3_api_msg_config.route.v3.Route` and before headers from the - // enclosing :ref:`envoy_v3_api_msg_config.route.v3.RouteConfiguration`. For more information, including - // details on header value syntax, see the documentation on :ref:`custom request headers - // `. - repeated core.v3.HeaderValueOption response_headers_to_add = 10 - [(validate.rules).repeated = {max_items: 1000}]; - - // Specifies a list of HTTP headers that should be removed from each response - // handled by this virtual host. - repeated string response_headers_to_remove = 11 [(validate.rules).repeated = { - items {string {min_len: 1 well_known_regex: HTTP_HEADER_NAME strict: false}} - }]; - - // Indicates that the virtual host has a CORS policy. This field is ignored if related cors policy is - // found in the - // :ref:`VirtualHost.typed_per_filter_config`. - // - // .. attention:: - // - // This option has been deprecated. Please use - // :ref:`VirtualHost.typed_per_filter_config` - // to configure the CORS HTTP filter. - CorsPolicy cors = 8 [deprecated = true, (envoy.annotations.deprecated_at_minor_version) = "3.0"]; - - // The per_filter_config field can be used to provide virtual host-specific configurations for filters. - // The key should match the :ref:`filter config name - // `. - // The canonical filter name (e.g., ``envoy.filters.http.buffer`` for the HTTP buffer filter) can also - // be used for the backwards compatibility. If there is no entry referred by the filter config name, the - // entry referred by the canonical filter name will be provided to the filters as fallback. - // - // Use of this field is filter specific; - // see the :ref:`HTTP filter documentation ` for if and how it is utilized. - // [#comment: An entry's value may be wrapped in a - // :ref:`FilterConfig` - // message to specify additional options.] - map typed_per_filter_config = 15; - - // Decides whether the :ref:`x-envoy-attempt-count - // ` header should be included - // in the upstream request. Setting this option will cause it to override any existing header - // value, so in the case of two Envoys on the request path with this option enabled, the upstream - // will see the attempt count as perceived by the second Envoy. Defaults to false. - // This header is unaffected by the - // :ref:`suppress_envoy_headers - // ` flag. - // - // [#next-major-version: rename to include_attempt_count_in_request.] - bool include_request_attempt_count = 14; - - // Decides whether the :ref:`x-envoy-attempt-count - // ` header should be included - // in the downstream response. Setting this option will cause the router to override any existing header - // value, so in the case of two Envoys on the request path with this option enabled, the downstream - // will see the attempt count as perceived by the Envoy closest upstream from itself. Defaults to false. - // This header is unaffected by the - // :ref:`suppress_envoy_headers - // ` flag. - bool include_attempt_count_in_response = 19; - - // Indicates the retry policy for all routes in this virtual host. Note that setting a - // route level entry will take precedence over this config and it'll be treated - // independently (e.g.: values are not inherited). - RetryPolicy retry_policy = 16; - - // [#not-implemented-hide:] - // Specifies the configuration for retry policy extension. Note that setting a route level entry - // will take precedence over this config and it'll be treated independently (e.g.: values are not - // inherited). :ref:`Retry policy ` should not be - // set if this field is used. - google.protobuf.Any retry_policy_typed_config = 20; - - // Indicates the hedge policy for all routes in this virtual host. Note that setting a - // route level entry will take precedence over this config and it'll be treated - // independently (e.g.: values are not inherited). - HedgePolicy hedge_policy = 17; - - // The maximum bytes which will be buffered for retries and shadowing. - // If set and a route-specific limit is not set, the bytes actually buffered will be the minimum - // value of this and the listener per_connection_buffer_limit_bytes. - google.protobuf.UInt32Value per_request_buffer_limit_bytes = 18; - - // Specify a set of default request mirroring policies for every route under this virtual host. - // It takes precedence over the route config mirror policy entirely. - // That is, policies are not merged, the most specific non-empty one becomes the mirror policies. - repeated RouteAction.RequestMirrorPolicy request_mirror_policies = 22; -} - -// A filter-defined action type. -message FilterAction { - option (udpa.annotations.versioning).previous_message_type = "envoy.api.v2.route.FilterAction"; - - google.protobuf.Any action = 1; -} - -// A route is both a specification of how to match a request as well as an indication of what to do -// next (e.g., redirect, forward, rewrite, etc.). -// -// .. attention:: -// -// Envoy supports routing on HTTP method via :ref:`header matching -// `. -// [#next-free-field: 20] -message Route { - option (udpa.annotations.versioning).previous_message_type = "envoy.api.v2.route.Route"; - - reserved 6, 8; - - reserved "per_filter_config"; - - // Name for the route. - string name = 14; - - // Route matching parameters. - RouteMatch match = 1 [(validate.rules).message = {required: true}]; - - oneof action { - option (validate.required) = true; - - // Route request to some upstream cluster. - RouteAction route = 2; - - // Return a redirect. - RedirectAction redirect = 3; - - // Return an arbitrary HTTP response directly, without proxying. - DirectResponseAction direct_response = 7; - - // [#not-implemented-hide:] - // A filter-defined action (e.g., it could dynamically generate the RouteAction). - // [#comment: TODO(samflattery): Remove cleanup in route_fuzz_test.cc when - // implemented] - FilterAction filter_action = 17; - - // [#not-implemented-hide:] - // An action used when the route will generate a response directly, - // without forwarding to an upstream host. This will be used in non-proxy - // xDS clients like the gRPC server. It could also be used in the future - // in Envoy for a filter that directly generates responses for requests. - NonForwardingAction non_forwarding_action = 18; - } - - // The Metadata field can be used to provide additional information - // about the route. It can be used for configuration, stats, and logging. - // The metadata should go under the filter namespace that will need it. - // For instance, if the metadata is intended for the Router filter, - // the filter name should be specified as ``envoy.filters.http.router``. - core.v3.Metadata metadata = 4; - - // Decorator for the matched route. - Decorator decorator = 5; - - // The per_filter_config field can be used to provide route-specific configurations for filters. - // The key should match the :ref:`filter config name - // `. - // The canonical filter name (e.g., ``envoy.filters.http.buffer`` for the HTTP buffer filter) can also - // be used for the backwards compatibility. If there is no entry referred by the filter config name, the - // entry referred by the canonical filter name will be provided to the filters as fallback. - // - // Use of this field is filter specific; - // see the :ref:`HTTP filter documentation ` for if and how it is utilized. - // [#comment: An entry's value may be wrapped in a - // :ref:`FilterConfig` - // message to specify additional options.] - map typed_per_filter_config = 13; - - // Specifies a set of headers that will be added to requests matching this - // route. Headers specified at this level are applied before headers from the - // enclosing :ref:`envoy_v3_api_msg_config.route.v3.VirtualHost` and - // :ref:`envoy_v3_api_msg_config.route.v3.RouteConfiguration`. For more information, including details on - // header value syntax, see the documentation on :ref:`custom request headers - // `. - repeated core.v3.HeaderValueOption request_headers_to_add = 9 - [(validate.rules).repeated = {max_items: 1000}]; - - // Specifies a list of HTTP headers that should be removed from each request - // matching this route. - repeated string request_headers_to_remove = 12 [(validate.rules).repeated = { - items {string {min_len: 1 well_known_regex: HTTP_HEADER_NAME strict: false}} - }]; - - // Specifies a set of headers that will be added to responses to requests - // matching this route. Headers specified at this level are applied before - // headers from the enclosing :ref:`envoy_v3_api_msg_config.route.v3.VirtualHost` and - // :ref:`envoy_v3_api_msg_config.route.v3.RouteConfiguration`. For more information, including - // details on header value syntax, see the documentation on - // :ref:`custom request headers `. - repeated core.v3.HeaderValueOption response_headers_to_add = 10 - [(validate.rules).repeated = {max_items: 1000}]; - - // Specifies a list of HTTP headers that should be removed from each response - // to requests matching this route. - repeated string response_headers_to_remove = 11 [(validate.rules).repeated = { - items {string {min_len: 1 well_known_regex: HTTP_HEADER_NAME strict: false}} - }]; - - // Presence of the object defines whether the connection manager's tracing configuration - // is overridden by this route specific instance. - Tracing tracing = 15; - - // The maximum bytes which will be buffered for retries and shadowing. - // If set, the bytes actually buffered will be the minimum value of this and the - // listener per_connection_buffer_limit_bytes. - google.protobuf.UInt32Value per_request_buffer_limit_bytes = 16; - - // The human readable prefix to use when emitting statistics for this endpoint. - // The statistics are rooted at vhost..route.. - // This should be set for highly critical - // endpoints that one wishes to get “per-route” statistics on. - // If not set, endpoint statistics are not generated. - // - // The emitted statistics are the same as those documented for :ref:`virtual clusters `. - // - // .. warning:: - // - // We do not recommend setting up a stat prefix for - // every application endpoint. This is both not easily maintainable and - // statistics use a non-trivial amount of memory(approximately 1KiB per route). - string stat_prefix = 19; -} - -// Compared to the :ref:`cluster ` field that specifies a -// single upstream cluster as the target of a request, the :ref:`weighted_clusters -// ` option allows for specification of -// multiple upstream clusters along with weights that indicate the percentage of -// traffic to be forwarded to each cluster. The router selects an upstream cluster based on the -// weights. -message WeightedCluster { - option (udpa.annotations.versioning).previous_message_type = "envoy.api.v2.route.WeightedCluster"; - - // [#next-free-field: 13] - message ClusterWeight { - option (udpa.annotations.versioning).previous_message_type = - "envoy.api.v2.route.WeightedCluster.ClusterWeight"; - - reserved 7, 8; - - reserved "per_filter_config"; - - // Only one of ``name`` and ``cluster_header`` may be specified. - // [#next-major-version: Need to add back the validation rule: (validate.rules).string = {min_len: 1}] - // Name of the upstream cluster. The cluster must exist in the - // :ref:`cluster manager configuration `. - string name = 1 [(udpa.annotations.field_migrate).oneof_promotion = "cluster_specifier"]; - - // Only one of ``name`` and ``cluster_header`` may be specified. - // [#next-major-version: Need to add back the validation rule: (validate.rules).string = {min_len: 1 }] - // Envoy will determine the cluster to route to by reading the value of the - // HTTP header named by cluster_header from the request headers. If the - // header is not found or the referenced cluster does not exist, Envoy will - // return a 404 response. - // - // .. attention:: - // - // Internally, Envoy always uses the HTTP/2 ``:authority`` header to represent the HTTP/1 - // ``Host`` header. Thus, if attempting to match on ``Host``, match on ``:authority`` instead. - // - // .. note:: - // - // If the header appears multiple times only the first value is used. - string cluster_header = 12 [ - (validate.rules).string = {well_known_regex: HTTP_HEADER_NAME strict: false}, - (udpa.annotations.field_migrate).oneof_promotion = "cluster_specifier" - ]; - - // The weight of the cluster. This value is relative to the other clusters' - // weights. When a request matches the route, the choice of an upstream cluster - // is determined by its weight. The sum of weights across all - // entries in the clusters array must be greater than 0. - google.protobuf.UInt32Value weight = 2; - - // Optional endpoint metadata match criteria used by the subset load balancer. Only endpoints in - // the upstream cluster with metadata matching what is set in this field will be considered for - // load balancing. Note that this will be merged with what's provided in - // :ref:`RouteAction.metadata_match `, with - // values here taking precedence. The filter name should be specified as ``envoy.lb``. - core.v3.Metadata metadata_match = 3; - - // Specifies a list of headers to be added to requests when this cluster is selected - // through the enclosing :ref:`envoy_v3_api_msg_config.route.v3.RouteAction`. - // Headers specified at this level are applied before headers from the enclosing - // :ref:`envoy_v3_api_msg_config.route.v3.Route`, :ref:`envoy_v3_api_msg_config.route.v3.VirtualHost`, and - // :ref:`envoy_v3_api_msg_config.route.v3.RouteConfiguration`. For more information, including details on - // header value syntax, see the documentation on :ref:`custom request headers - // `. - repeated core.v3.HeaderValueOption request_headers_to_add = 4 - [(validate.rules).repeated = {max_items: 1000}]; - - // Specifies a list of HTTP headers that should be removed from each request when - // this cluster is selected through the enclosing :ref:`envoy_v3_api_msg_config.route.v3.RouteAction`. - repeated string request_headers_to_remove = 9 [(validate.rules).repeated = { - items {string {well_known_regex: HTTP_HEADER_NAME strict: false}} - }]; - - // Specifies a list of headers to be added to responses when this cluster is selected - // through the enclosing :ref:`envoy_v3_api_msg_config.route.v3.RouteAction`. - // Headers specified at this level are applied before headers from the enclosing - // :ref:`envoy_v3_api_msg_config.route.v3.Route`, :ref:`envoy_v3_api_msg_config.route.v3.VirtualHost`, and - // :ref:`envoy_v3_api_msg_config.route.v3.RouteConfiguration`. For more information, including details on - // header value syntax, see the documentation on :ref:`custom request headers - // `. - repeated core.v3.HeaderValueOption response_headers_to_add = 5 - [(validate.rules).repeated = {max_items: 1000}]; - - // Specifies a list of headers to be removed from responses when this cluster is selected - // through the enclosing :ref:`envoy_v3_api_msg_config.route.v3.RouteAction`. - repeated string response_headers_to_remove = 6 [(validate.rules).repeated = { - items {string {well_known_regex: HTTP_HEADER_NAME strict: false}} - }]; - - // The per_filter_config field can be used to provide weighted cluster-specific configurations - // for filters. - // The key should match the :ref:`filter config name - // `. - // The canonical filter name (e.g., ``envoy.filters.http.buffer`` for the HTTP buffer filter) can also - // be used for the backwards compatibility. If there is no entry referred by the filter config name, the - // entry referred by the canonical filter name will be provided to the filters as fallback. - // - // Use of this field is filter specific; - // see the :ref:`HTTP filter documentation ` for if and how it is utilized. - // [#comment: An entry's value may be wrapped in a - // :ref:`FilterConfig` - // message to specify additional options.] - map typed_per_filter_config = 10; - - oneof host_rewrite_specifier { - // Indicates that during forwarding, the host header will be swapped with - // this value. - string host_rewrite_literal = 11 - [(validate.rules).string = {well_known_regex: HTTP_HEADER_VALUE strict: false}]; - } - } - - // Specifies one or more upstream clusters associated with the route. - repeated ClusterWeight clusters = 1 [(validate.rules).repeated = {min_items: 1}]; - - // Specifies the total weight across all clusters. The sum of all cluster weights must equal this - // value, if this is greater than 0. - // This field is now deprecated, and the client will use the sum of all - // cluster weights. It is up to the management server to supply the correct weights. - google.protobuf.UInt32Value total_weight = 3 - [deprecated = true, (envoy.annotations.deprecated_at_minor_version) = "3.0"]; - - // Specifies the runtime key prefix that should be used to construct the - // runtime keys associated with each cluster. When the ``runtime_key_prefix`` is - // specified, the router will look for weights associated with each upstream - // cluster under the key ``runtime_key_prefix`` + ``.`` + ``cluster[i].name`` where - // ``cluster[i]`` denotes an entry in the clusters array field. If the runtime - // key for the cluster does not exist, the value specified in the - // configuration file will be used as the default weight. See the :ref:`runtime documentation - // ` for how key names map to the underlying implementation. - string runtime_key_prefix = 2; - - oneof random_value_specifier { - // Specifies the header name that is used to look up the random value passed in the request header. - // This is used to ensure consistent cluster picking across multiple proxy levels for weighted traffic. - // If header is not present or invalid, Envoy will fall back to use the internally generated random value. - // This header is expected to be single-valued header as we only want to have one selected value throughout - // the process for the consistency. And the value is a unsigned number between 0 and UINT64_MAX. - string header_name = 4 - [(validate.rules).string = {well_known_regex: HTTP_HEADER_NAME strict: false}]; - } -} - -// Configuration for a cluster specifier plugin. -message ClusterSpecifierPlugin { - // The name of the plugin and its opaque configuration. - core.v3.TypedExtensionConfig extension = 1 [(validate.rules).message = {required: true}]; - - // If is_optional is not set or is set to false and the plugin defined by this message is not a - // supported type, the containing resource is NACKed. If is_optional is set to true, the resource - // would not be NACKed for this reason. In this case, routes referencing this plugin's name would - // not be treated as an illegal configuration, but would result in a failure if the route is - // selected. - bool is_optional = 2; -} - -// [#next-free-field: 16] -message RouteMatch { - option (udpa.annotations.versioning).previous_message_type = "envoy.api.v2.route.RouteMatch"; - - message GrpcRouteMatchOptions { - option (udpa.annotations.versioning).previous_message_type = - "envoy.api.v2.route.RouteMatch.GrpcRouteMatchOptions"; - } - - message TlsContextMatchOptions { - option (udpa.annotations.versioning).previous_message_type = - "envoy.api.v2.route.RouteMatch.TlsContextMatchOptions"; - - // If specified, the route will match against whether or not a certificate is presented. - // If not specified, certificate presentation status (true or false) will not be considered when route matching. - google.protobuf.BoolValue presented = 1; - - // If specified, the route will match against whether or not a certificate is validated. - // If not specified, certificate validation status (true or false) will not be considered when route matching. - google.protobuf.BoolValue validated = 2; - } - - // An extensible message for matching CONNECT requests. - message ConnectMatcher { - } - - reserved 5, 3; - - reserved "regex"; - - oneof path_specifier { - option (validate.required) = true; - - // If specified, the route is a prefix rule meaning that the prefix must - // match the beginning of the ``:path`` header. - string prefix = 1; - - // If specified, the route is an exact path rule meaning that the path must - // exactly match the ``:path`` header once the query string is removed. - string path = 2; - - // If specified, the route is a regular expression rule meaning that the - // regex must match the ``:path`` header once the query string is removed. The entire path - // (without the query string) must match the regex. The rule will not match if only a - // subsequence of the ``:path`` header matches the regex. - // - // [#next-major-version: In the v3 API we should redo how path specification works such - // that we utilize StringMatcher, and additionally have consistent options around whether we - // strip query strings, do a case sensitive match, etc. In the interim it will be too disruptive - // to deprecate the existing options. We should even consider whether we want to do away with - // path_specifier entirely and just rely on a set of header matchers which can already match - // on :path, etc. The issue with that is it is unclear how to generically deal with query string - // stripping. This needs more thought.] - type.matcher.v3.RegexMatcher safe_regex = 10 [(validate.rules).message = {required: true}]; - - // If this is used as the matcher, the matcher will only match CONNECT requests. - // Note that this will not match HTTP/2 upgrade-style CONNECT requests - // (WebSocket and the like) as they are normalized in Envoy as HTTP/1.1 style - // upgrades. - // This is the only way to match CONNECT requests for HTTP/1.1. For HTTP/2, - // where Extended CONNECT requests may have a path, the path matchers will work if - // there is a path present. - // Note that CONNECT support is currently considered alpha in Envoy. - // [#comment: TODO(htuch): Replace the above comment with an alpha tag.] - ConnectMatcher connect_matcher = 12; - - // If specified, the route is a path-separated prefix rule meaning that the - // ``:path`` header (without the query string) must either exactly match the - // ``path_separated_prefix`` or have it as a prefix, followed by ``/`` - // - // For example, ``/api/dev`` would match - // ``/api/dev``, ``/api/dev/``, ``/api/dev/v1``, and ``/api/dev?param=true`` - // but would not match ``/api/developer`` - // - // Expect the value to not contain ``?`` or ``#`` and not to end in ``/`` - string path_separated_prefix = 14 [(validate.rules).string = {pattern: "^[^?#]+[^?#/]$"}]; - - // [#extension-category: envoy.path.match] - core.v3.TypedExtensionConfig path_match_policy = 15; - } - - // Indicates that prefix/path matching should be case sensitive. The default - // is true. Ignored for safe_regex matching. - google.protobuf.BoolValue case_sensitive = 4; - - // Indicates that the route should additionally match on a runtime key. Every time the route - // is considered for a match, it must also fall under the percentage of matches indicated by - // this field. For some fraction N/D, a random number in the range [0,D) is selected. If the - // number is <= the value of the numerator N, or if the key is not present, the default - // value, the router continues to evaluate the remaining match criteria. A runtime_fraction - // route configuration can be used to roll out route changes in a gradual manner without full - // code/config deploys. Refer to the :ref:`traffic shifting - // ` docs for additional documentation. - // - // .. note:: - // - // Parsing this field is implemented such that the runtime key's data may be represented - // as a FractionalPercent proto represented as JSON/YAML and may also be represented as an - // integer with the assumption that the value is an integral percentage out of 100. For - // instance, a runtime key lookup returning the value "42" would parse as a FractionalPercent - // whose numerator is 42 and denominator is HUNDRED. This preserves legacy semantics. - core.v3.RuntimeFractionalPercent runtime_fraction = 9; - - // Specifies a set of headers that the route should match on. The router will - // check the request’s headers against all the specified headers in the route - // config. A match will happen if all the headers in the route are present in - // the request with the same values (or based on presence if the value field - // is not in the config). - repeated HeaderMatcher headers = 6; - - // Specifies a set of URL query parameters on which the route should - // match. The router will check the query string from the ``path`` header - // against all the specified query parameters. If the number of specified - // query parameters is nonzero, they all must match the ``path`` header's - // query string for a match to occur. - // - // .. note:: - // - // If query parameters are used to pass request message fields when - // `grpc_json_transcoder `_ - // is used, the transcoded message fields maybe different. The query parameters are - // url encoded, but the message fields are not. For example, if a query - // parameter is "foo%20bar", the message field will be "foo bar". - repeated QueryParameterMatcher query_parameters = 7; - - // If specified, only gRPC requests will be matched. The router will check - // that the content-type header has a application/grpc or one of the various - // application/grpc+ values. - GrpcRouteMatchOptions grpc = 8; - - // If specified, the client tls context will be matched against the defined - // match options. - // - // [#next-major-version: unify with RBAC] - TlsContextMatchOptions tls_context = 11; - - // Specifies a set of dynamic metadata matchers on which the route should match. - // The router will check the dynamic metadata against all the specified dynamic metadata matchers. - // If the number of specified dynamic metadata matchers is nonzero, they all must match the - // dynamic metadata for a match to occur. - repeated type.matcher.v3.MetadataMatcher dynamic_metadata = 13; -} - -// Cors policy configuration. -// -// .. attention:: -// -// This message has been deprecated. Please use -// :ref:`CorsPolicy in filter extension ` -// as as alternative. -// -// [#next-free-field: 13] -message CorsPolicy { - option (udpa.annotations.versioning).previous_message_type = "envoy.api.v2.route.CorsPolicy"; - - reserved 1, 8, 7; - - reserved "allow_origin", "allow_origin_regex", "enabled"; - - // Specifies string patterns that match allowed origins. An origin is allowed if any of the - // string matchers match. - repeated type.matcher.v3.StringMatcher allow_origin_string_match = 11; - - // Specifies the content for the ``access-control-allow-methods`` header. - string allow_methods = 2; - - // Specifies the content for the ``access-control-allow-headers`` header. - string allow_headers = 3; - - // Specifies the content for the ``access-control-expose-headers`` header. - string expose_headers = 4; - - // Specifies the content for the ``access-control-max-age`` header. - string max_age = 5; - - // Specifies whether the resource allows credentials. - google.protobuf.BoolValue allow_credentials = 6; - - oneof enabled_specifier { - // Specifies the % of requests for which the CORS filter is enabled. - // - // If neither ``enabled``, ``filter_enabled``, nor ``shadow_enabled`` are specified, the CORS - // filter will be enabled for 100% of the requests. - // - // If :ref:`runtime_key ` is - // specified, Envoy will lookup the runtime key to get the percentage of requests to filter. - core.v3.RuntimeFractionalPercent filter_enabled = 9; - } - - // Specifies the % of requests for which the CORS policies will be evaluated and tracked, but not - // enforced. - // - // This field is intended to be used when ``filter_enabled`` and ``enabled`` are off. One of those - // fields have to explicitly disable the filter in order for this setting to take effect. - // - // If :ref:`runtime_key ` is specified, - // Envoy will lookup the runtime key to get the percentage of requests for which it will evaluate - // and track the request's ``Origin`` to determine if it's valid but will not enforce any policies. - core.v3.RuntimeFractionalPercent shadow_enabled = 10; - - // Specify whether allow requests whose target server's IP address is more private than that from - // which the request initiator was fetched. - // - // More details refer to https://developer.chrome.com/blog/private-network-access-preflight. - google.protobuf.BoolValue allow_private_network_access = 12; -} - -// [#next-free-field: 42] -message RouteAction { - option (udpa.annotations.versioning).previous_message_type = "envoy.api.v2.route.RouteAction"; - - enum ClusterNotFoundResponseCode { - // HTTP status code - 503 Service Unavailable. - SERVICE_UNAVAILABLE = 0; - - // HTTP status code - 404 Not Found. - NOT_FOUND = 1; - - // HTTP status code - 500 Internal Server Error. - INTERNAL_SERVER_ERROR = 2; - } - - // Configures :ref:`internal redirect ` behavior. - // [#next-major-version: remove this definition - it's defined in the InternalRedirectPolicy message.] - enum InternalRedirectAction { - option deprecated = true; - - PASS_THROUGH_INTERNAL_REDIRECT = 0; - HANDLE_INTERNAL_REDIRECT = 1; - } - - // The router is capable of shadowing traffic from one cluster to another. The current - // implementation is "fire and forget," meaning Envoy will not wait for the shadow cluster to - // respond before returning the response from the primary cluster. All normal statistics are - // collected for the shadow cluster making this feature useful for testing. - // - // During shadowing, the host/authority header is altered such that ``-shadow`` is appended. This is - // useful for logging. For example, ``cluster1`` becomes ``cluster1-shadow``. - // - // .. note:: - // - // Shadowing will not be triggered if the primary cluster does not exist. - // - // .. note:: - // - // Shadowing doesn't support Http CONNECT and upgrades. - // [#next-free-field: 6] - message RequestMirrorPolicy { - option (udpa.annotations.versioning).previous_message_type = - "envoy.api.v2.route.RouteAction.RequestMirrorPolicy"; - - reserved 2; - - reserved "runtime_key"; - - // Only one of ``cluster`` and ``cluster_header`` can be specified. - // [#next-major-version: Need to add back the validation rule: (validate.rules).string = {min_len: 1}] - // Specifies the cluster that requests will be mirrored to. The cluster must - // exist in the cluster manager configuration. - string cluster = 1 [(udpa.annotations.field_migrate).oneof_promotion = "cluster_specifier"]; - - // Only one of ``cluster`` and ``cluster_header`` can be specified. - // Envoy will determine the cluster to route to by reading the value of the - // HTTP header named by cluster_header from the request headers. Only the first value in header is used, - // and no shadow request will happen if the value is not found in headers. Envoy will not wait for - // the shadow cluster to respond before returning the response from the primary cluster. - // - // .. attention:: - // - // Internally, Envoy always uses the HTTP/2 ``:authority`` header to represent the HTTP/1 - // ``Host`` header. Thus, if attempting to match on ``Host``, match on ``:authority`` instead. - // - // .. note:: - // - // If the header appears multiple times only the first value is used. - string cluster_header = 5 [ - (validate.rules).string = {well_known_regex: HTTP_HEADER_NAME strict: false}, - (udpa.annotations.field_migrate).oneof_promotion = "cluster_specifier" - ]; - - // If not specified, all requests to the target cluster will be mirrored. - // - // If specified, this field takes precedence over the ``runtime_key`` field and requests must also - // fall under the percentage of matches indicated by this field. - // - // For some fraction N/D, a random number in the range [0,D) is selected. If the - // number is <= the value of the numerator N, or if the key is not present, the default - // value, the request will be mirrored. - core.v3.RuntimeFractionalPercent runtime_fraction = 3; - - // Determines if the trace span should be sampled. Defaults to true. - google.protobuf.BoolValue trace_sampled = 4; - } - - // Specifies the route's hashing policy if the upstream cluster uses a hashing :ref:`load balancer - // `. - // [#next-free-field: 7] - message HashPolicy { - option (udpa.annotations.versioning).previous_message_type = - "envoy.api.v2.route.RouteAction.HashPolicy"; - - message Header { - option (udpa.annotations.versioning).previous_message_type = - "envoy.api.v2.route.RouteAction.HashPolicy.Header"; - - // The name of the request header that will be used to obtain the hash - // key. If the request header is not present, no hash will be produced. - string header_name = 1 - [(validate.rules).string = {min_len: 1 well_known_regex: HTTP_HEADER_NAME strict: false}]; - - // If specified, the request header value will be rewritten and used - // to produce the hash key. - type.matcher.v3.RegexMatchAndSubstitute regex_rewrite = 2; - } - - // Envoy supports two types of cookie affinity: - // - // 1. Passive. Envoy takes a cookie that's present in the cookies header and - // hashes on its value. - // - // 2. Generated. Envoy generates and sets a cookie with an expiration (TTL) - // on the first request from the client in its response to the client, - // based on the endpoint the request gets sent to. The client then - // presents this on the next and all subsequent requests. The hash of - // this is sufficient to ensure these requests get sent to the same - // endpoint. The cookie is generated by hashing the source and - // destination ports and addresses so that multiple independent HTTP2 - // streams on the same connection will independently receive the same - // cookie, even if they arrive at the Envoy simultaneously. - message Cookie { - option (udpa.annotations.versioning).previous_message_type = - "envoy.api.v2.route.RouteAction.HashPolicy.Cookie"; - - // The name of the cookie that will be used to obtain the hash key. If the - // cookie is not present and ttl below is not set, no hash will be - // produced. - string name = 1 [(validate.rules).string = {min_len: 1}]; - - // If specified, a cookie with the TTL will be generated if the cookie is - // not present. If the TTL is present and zero, the generated cookie will - // be a session cookie. - google.protobuf.Duration ttl = 2; - - // The name of the path for the cookie. If no path is specified here, no path - // will be set for the cookie. - string path = 3; - } - - message ConnectionProperties { - option (udpa.annotations.versioning).previous_message_type = - "envoy.api.v2.route.RouteAction.HashPolicy.ConnectionProperties"; - - // Hash on source IP address. - bool source_ip = 1; - } - - message QueryParameter { - option (udpa.annotations.versioning).previous_message_type = - "envoy.api.v2.route.RouteAction.HashPolicy.QueryParameter"; - - // The name of the URL query parameter that will be used to obtain the hash - // key. If the parameter is not present, no hash will be produced. Query - // parameter names are case-sensitive. - string name = 1 [(validate.rules).string = {min_len: 1}]; - } - - message FilterState { - option (udpa.annotations.versioning).previous_message_type = - "envoy.api.v2.route.RouteAction.HashPolicy.FilterState"; - - // The name of the Object in the per-request filterState, which is an - // Envoy::Hashable object. If there is no data associated with the key, - // or the stored object is not Envoy::Hashable, no hash will be produced. - string key = 1 [(validate.rules).string = {min_len: 1}]; - } - - oneof policy_specifier { - option (validate.required) = true; - - // Header hash policy. - Header header = 1; - - // Cookie hash policy. - Cookie cookie = 2; - - // Connection properties hash policy. - ConnectionProperties connection_properties = 3; - - // Query parameter hash policy. - QueryParameter query_parameter = 5; - - // Filter state hash policy. - FilterState filter_state = 6; - } - - // The flag that short-circuits the hash computing. This field provides a - // 'fallback' style of configuration: "if a terminal policy doesn't work, - // fallback to rest of the policy list", it saves time when the terminal - // policy works. - // - // If true, and there is already a hash computed, ignore rest of the - // list of hash polices. - // For example, if the following hash methods are configured: - // - // ========= ======== - // specifier terminal - // ========= ======== - // Header A true - // Header B false - // Header C false - // ========= ======== - // - // The generateHash process ends if policy "header A" generates a hash, as - // it's a terminal policy. - bool terminal = 4; - } - - // Allows enabling and disabling upgrades on a per-route basis. - // This overrides any enabled/disabled upgrade filter chain specified in the - // HttpConnectionManager - // :ref:`upgrade_configs - // ` - // but does not affect any custom filter chain specified there. - message UpgradeConfig { - option (udpa.annotations.versioning).previous_message_type = - "envoy.api.v2.route.RouteAction.UpgradeConfig"; - - // Configuration for sending data upstream as a raw data payload. This is used for - // CONNECT or POST requests, when forwarding request payload as raw TCP. - message ConnectConfig { - // If present, the proxy protocol header will be prepended to the CONNECT payload sent upstream. - core.v3.ProxyProtocolConfig proxy_protocol_config = 1; - - // If set, the route will also allow forwarding POST payload as raw TCP. - bool allow_post = 2; - } - - // The case-insensitive name of this upgrade, e.g. "websocket". - // For each upgrade type present in upgrade_configs, requests with - // Upgrade: [upgrade_type] will be proxied upstream. - string upgrade_type = 1 - [(validate.rules).string = {min_len: 1 well_known_regex: HTTP_HEADER_VALUE strict: false}]; - - // Determines if upgrades are available on this route. Defaults to true. - google.protobuf.BoolValue enabled = 2; - - // Configuration for sending data upstream as a raw data payload. This is used for - // CONNECT requests, when forwarding CONNECT payload as raw TCP. - // Note that CONNECT support is currently considered alpha in Envoy. - // [#comment: TODO(htuch): Replace the above comment with an alpha tag.] - ConnectConfig connect_config = 3; - } - - message MaxStreamDuration { - // Specifies the maximum duration allowed for streams on the route. If not specified, the value - // from the :ref:`max_stream_duration - // ` field in - // :ref:`HttpConnectionManager.common_http_protocol_options - // ` - // is used. If this field is set explicitly to zero, any - // HttpConnectionManager max_stream_duration timeout will be disabled for - // this route. - google.protobuf.Duration max_stream_duration = 1; - - // If present, and the request contains a `grpc-timeout header - // `_, use that value as the - // ``max_stream_duration``, but limit the applied timeout to the maximum value specified here. - // If set to 0, the ``grpc-timeout`` header is used without modification. - google.protobuf.Duration grpc_timeout_header_max = 2; - - // If present, Envoy will adjust the timeout provided by the ``grpc-timeout`` header by - // subtracting the provided duration from the header. This is useful for allowing Envoy to set - // its global timeout to be less than that of the deadline imposed by the calling client, which - // makes it more likely that Envoy will handle the timeout instead of having the call canceled - // by the client. If, after applying the offset, the resulting timeout is zero or negative, - // the stream will timeout immediately. - google.protobuf.Duration grpc_timeout_header_offset = 3; - } - - reserved 12, 18, 19, 16, 22, 21, 10; - - reserved "request_mirror_policy"; - - oneof cluster_specifier { - option (validate.required) = true; - - // Indicates the upstream cluster to which the request should be routed - // to. - string cluster = 1 [(validate.rules).string = {min_len: 1}]; - - // Envoy will determine the cluster to route to by reading the value of the - // HTTP header named by cluster_header from the request headers. If the - // header is not found or the referenced cluster does not exist, Envoy will - // return a 404 response. - // - // .. attention:: - // - // Internally, Envoy always uses the HTTP/2 ``:authority`` header to represent the HTTP/1 - // ``Host`` header. Thus, if attempting to match on ``Host``, match on ``:authority`` instead. - // - // .. note:: - // - // If the header appears multiple times only the first value is used. - string cluster_header = 2 - [(validate.rules).string = {min_len: 1 well_known_regex: HTTP_HEADER_NAME strict: false}]; - - // Multiple upstream clusters can be specified for a given route. The - // request is routed to one of the upstream clusters based on weights - // assigned to each cluster. See - // :ref:`traffic splitting ` - // for additional documentation. - WeightedCluster weighted_clusters = 3; - - // Name of the cluster specifier plugin to use to determine the cluster for requests on this route. - // The cluster specifier plugin name must be defined in the associated - // :ref:`cluster specifier plugins ` - // in the :ref:`name ` field. - string cluster_specifier_plugin = 37; - - // Custom cluster specifier plugin configuration to use to determine the cluster for requests - // on this route. - ClusterSpecifierPlugin inline_cluster_specifier_plugin = 39; - } - - // The HTTP status code to use when configured cluster is not found. - // The default response code is 503 Service Unavailable. - ClusterNotFoundResponseCode cluster_not_found_response_code = 20 - [(validate.rules).enum = {defined_only: true}]; - - // Optional endpoint metadata match criteria used by the subset load balancer. Only endpoints - // in the upstream cluster with metadata matching what's set in this field will be considered - // for load balancing. If using :ref:`weighted_clusters - // `, metadata will be merged, with values - // provided there taking precedence. The filter name should be specified as ``envoy.lb``. - core.v3.Metadata metadata_match = 4; - - // Indicates that during forwarding, the matched prefix (or path) should be - // swapped with this value. This option allows application URLs to be rooted - // at a different path from those exposed at the reverse proxy layer. The router filter will - // place the original path before rewrite into the :ref:`x-envoy-original-path - // ` header. - // - // Only one of :ref:`regex_rewrite ` - // :ref:`path_rewrite_policy `, - // or :ref:`prefix_rewrite ` may be specified. - // - // .. attention:: - // - // Pay careful attention to the use of trailing slashes in the - // :ref:`route's match ` prefix value. - // Stripping a prefix from a path requires multiple Routes to handle all cases. For example, - // rewriting ``/prefix`` to ``/`` and ``/prefix/etc`` to ``/etc`` cannot be done in a single - // :ref:`Route `, as shown by the below config entries: - // - // .. code-block:: yaml - // - // - match: - // prefix: "/prefix/" - // route: - // prefix_rewrite: "/" - // - match: - // prefix: "/prefix" - // route: - // prefix_rewrite: "/" - // - // Having above entries in the config, requests to ``/prefix`` will be stripped to ``/``, while - // requests to ``/prefix/etc`` will be stripped to ``/etc``. - string prefix_rewrite = 5 - [(validate.rules).string = {well_known_regex: HTTP_HEADER_VALUE strict: false}]; - - // Indicates that during forwarding, portions of the path that match the - // pattern should be rewritten, even allowing the substitution of capture - // groups from the pattern into the new path as specified by the rewrite - // substitution string. This is useful to allow application paths to be - // rewritten in a way that is aware of segments with variable content like - // identifiers. The router filter will place the original path as it was - // before the rewrite into the :ref:`x-envoy-original-path - // ` header. - // - // Only one of :ref:`regex_rewrite `, - // :ref:`prefix_rewrite `, or - // :ref:`path_rewrite_policy `] - // may be specified. - // - // Examples using Google's `RE2 `_ engine: - // - // * The path pattern ``^/service/([^/]+)(/.*)$`` paired with a substitution - // string of ``\2/instance/\1`` would transform ``/service/foo/v1/api`` - // into ``/v1/api/instance/foo``. - // - // * The pattern ``one`` paired with a substitution string of ``two`` would - // transform ``/xxx/one/yyy/one/zzz`` into ``/xxx/two/yyy/two/zzz``. - // - // * The pattern ``^(.*?)one(.*)$`` paired with a substitution string of - // ``\1two\2`` would replace only the first occurrence of ``one``, - // transforming path ``/xxx/one/yyy/one/zzz`` into ``/xxx/two/yyy/one/zzz``. - // - // * The pattern ``(?i)/xxx/`` paired with a substitution string of ``/yyy/`` - // would do a case-insensitive match and transform path ``/aaa/XxX/bbb`` to - // ``/aaa/yyy/bbb``. - type.matcher.v3.RegexMatchAndSubstitute regex_rewrite = 32; - - // [#extension-category: envoy.path.rewrite] - core.v3.TypedExtensionConfig path_rewrite_policy = 41; - - oneof host_rewrite_specifier { - // Indicates that during forwarding, the host header will be swapped with - // this value. Using this option will append the - // :ref:`config_http_conn_man_headers_x-forwarded-host` header if - // :ref:`append_x_forwarded_host ` - // is set. - string host_rewrite_literal = 6 - [(validate.rules).string = {well_known_regex: HTTP_HEADER_VALUE strict: false}]; - - // Indicates that during forwarding, the host header will be swapped with - // the hostname of the upstream host chosen by the cluster manager. This - // option is applicable only when the destination cluster for a route is of - // type ``strict_dns`` or ``logical_dns``. Setting this to true with other cluster types - // has no effect. Using this option will append the - // :ref:`config_http_conn_man_headers_x-forwarded-host` header if - // :ref:`append_x_forwarded_host ` - // is set. - google.protobuf.BoolValue auto_host_rewrite = 7; - - // Indicates that during forwarding, the host header will be swapped with the content of given - // downstream or :ref:`custom ` header. - // If header value is empty, host header is left intact. Using this option will append the - // :ref:`config_http_conn_man_headers_x-forwarded-host` header if - // :ref:`append_x_forwarded_host ` - // is set. - // - // .. attention:: - // - // Pay attention to the potential security implications of using this option. Provided header - // must come from trusted source. - // - // .. note:: - // - // If the header appears multiple times only the first value is used. - string host_rewrite_header = 29 - [(validate.rules).string = {well_known_regex: HTTP_HEADER_NAME strict: false}]; - - // Indicates that during forwarding, the host header will be swapped with - // the result of the regex substitution executed on path value with query and fragment removed. - // This is useful for transitioning variable content between path segment and subdomain. - // Using this option will append the - // :ref:`config_http_conn_man_headers_x-forwarded-host` header if - // :ref:`append_x_forwarded_host ` - // is set. - // - // For example with the following config: - // - // .. code-block:: yaml - // - // host_rewrite_path_regex: - // pattern: - // google_re2: {} - // regex: "^/(.+)/.+$" - // substitution: \1 - // - // Would rewrite the host header to ``envoyproxy.io`` given the path ``/envoyproxy.io/some/path``. - type.matcher.v3.RegexMatchAndSubstitute host_rewrite_path_regex = 35; - } - - // If set, then a host rewrite action (one of - // :ref:`host_rewrite_literal `, - // :ref:`auto_host_rewrite `, - // :ref:`host_rewrite_header `, or - // :ref:`host_rewrite_path_regex `) - // causes the original value of the host header, if any, to be appended to the - // :ref:`config_http_conn_man_headers_x-forwarded-host` HTTP header. - bool append_x_forwarded_host = 38; - - // Specifies the upstream timeout for the route. If not specified, the default is 15s. This - // spans between the point at which the entire downstream request (i.e. end-of-stream) has been - // processed and when the upstream response has been completely processed. A value of 0 will - // disable the route's timeout. - // - // .. note:: - // - // This timeout includes all retries. See also - // :ref:`config_http_filters_router_x-envoy-upstream-rq-timeout-ms`, - // :ref:`config_http_filters_router_x-envoy-upstream-rq-per-try-timeout-ms`, and the - // :ref:`retry overview `. - google.protobuf.Duration timeout = 8; - - // Specifies the idle timeout for the route. If not specified, there is no per-route idle timeout, - // although the connection manager wide :ref:`stream_idle_timeout - // ` - // will still apply. A value of 0 will completely disable the route's idle timeout, even if a - // connection manager stream idle timeout is configured. - // - // The idle timeout is distinct to :ref:`timeout - // `, which provides an upper bound - // on the upstream response time; :ref:`idle_timeout - // ` instead bounds the amount - // of time the request's stream may be idle. - // - // After header decoding, the idle timeout will apply on downstream and - // upstream request events. Each time an encode/decode event for headers or - // data is processed for the stream, the timer will be reset. If the timeout - // fires, the stream is terminated with a 408 Request Timeout error code if no - // upstream response header has been received, otherwise a stream reset - // occurs. - // - // If the :ref:`overload action ` "envoy.overload_actions.reduce_timeouts" - // is configured, this timeout is scaled according to the value for - // :ref:`HTTP_DOWNSTREAM_STREAM_IDLE `. - google.protobuf.Duration idle_timeout = 24; - - // Specifies how to send request over TLS early data. - // If absent, allows `safe HTTP requests `_ to be sent on early data. - // [#extension-category: envoy.route.early_data_policy] - core.v3.TypedExtensionConfig early_data_policy = 40; - - // Indicates that the route has a retry policy. Note that if this is set, - // it'll take precedence over the virtual host level retry policy entirely - // (e.g.: policies are not merged, most internal one becomes the enforced policy). - RetryPolicy retry_policy = 9; - - // [#not-implemented-hide:] - // Specifies the configuration for retry policy extension. Note that if this is set, it'll take - // precedence over the virtual host level retry policy entirely (e.g.: policies are not merged, - // most internal one becomes the enforced policy). :ref:`Retry policy ` - // should not be set if this field is used. - google.protobuf.Any retry_policy_typed_config = 33; - - // Specify a set of route request mirroring policies. - // It takes precedence over the virtual host and route config mirror policy entirely. - // That is, policies are not merged, the most specific non-empty one becomes the mirror policies. - repeated RequestMirrorPolicy request_mirror_policies = 30; - - // Optionally specifies the :ref:`routing priority `. - core.v3.RoutingPriority priority = 11 [(validate.rules).enum = {defined_only: true}]; - - // Specifies a set of rate limit configurations that could be applied to the - // route. - repeated RateLimit rate_limits = 13; - - // Specifies if the rate limit filter should include the virtual host rate - // limits. By default, if the route configured rate limits, the virtual host - // :ref:`rate_limits ` are not applied to the - // request. - // - // This field is deprecated. Please use :ref:`vh_rate_limits ` - google.protobuf.BoolValue include_vh_rate_limits = 14 - [deprecated = true, (envoy.annotations.deprecated_at_minor_version) = "3.0"]; - - // Specifies a list of hash policies to use for ring hash load balancing. Each - // hash policy is evaluated individually and the combined result is used to - // route the request. The method of combination is deterministic such that - // identical lists of hash policies will produce the same hash. Since a hash - // policy examines specific parts of a request, it can fail to produce a hash - // (i.e. if the hashed header is not present). If (and only if) all configured - // hash policies fail to generate a hash, no hash will be produced for - // the route. In this case, the behavior is the same as if no hash policies - // were specified (i.e. the ring hash load balancer will choose a random - // backend). If a hash policy has the "terminal" attribute set to true, and - // there is already a hash generated, the hash is returned immediately, - // ignoring the rest of the hash policy list. - repeated HashPolicy hash_policy = 15; - - // Indicates that the route has a CORS policy. This field is ignored if related cors policy is - // found in the :ref:`Route.typed_per_filter_config` or - // :ref:`WeightedCluster.ClusterWeight.typed_per_filter_config`. - // - // .. attention:: - // - // This option has been deprecated. Please use - // :ref:`Route.typed_per_filter_config` or - // :ref:`WeightedCluster.ClusterWeight.typed_per_filter_config` - // to configure the CORS HTTP filter. - CorsPolicy cors = 17 [deprecated = true, (envoy.annotations.deprecated_at_minor_version) = "3.0"]; - - // Deprecated by :ref:`grpc_timeout_header_max ` - // If present, and the request is a gRPC request, use the - // `grpc-timeout header `_, - // or its default value (infinity) instead of - // :ref:`timeout `, but limit the applied timeout - // to the maximum value specified here. If configured as 0, the maximum allowed timeout for - // gRPC requests is infinity. If not configured at all, the ``grpc-timeout`` header is not used - // and gRPC requests time out like any other requests using - // :ref:`timeout ` or its default. - // This can be used to prevent unexpected upstream request timeouts due to potentially long - // time gaps between gRPC request and response in gRPC streaming mode. - // - // .. note:: - // - // If a timeout is specified using :ref:`config_http_filters_router_x-envoy-upstream-rq-timeout-ms`, it takes - // precedence over `grpc-timeout header `_, when - // both are present. See also - // :ref:`config_http_filters_router_x-envoy-upstream-rq-timeout-ms`, - // :ref:`config_http_filters_router_x-envoy-upstream-rq-per-try-timeout-ms`, and the - // :ref:`retry overview `. - google.protobuf.Duration max_grpc_timeout = 23 - [deprecated = true, (envoy.annotations.deprecated_at_minor_version) = "3.0"]; - - // Deprecated by :ref:`grpc_timeout_header_offset `. - // If present, Envoy will adjust the timeout provided by the ``grpc-timeout`` header by subtracting - // the provided duration from the header. This is useful in allowing Envoy to set its global - // timeout to be less than that of the deadline imposed by the calling client, which makes it more - // likely that Envoy will handle the timeout instead of having the call canceled by the client. - // The offset will only be applied if the provided grpc_timeout is greater than the offset. This - // ensures that the offset will only ever decrease the timeout and never set it to 0 (meaning - // infinity). - google.protobuf.Duration grpc_timeout_offset = 28 - [deprecated = true, (envoy.annotations.deprecated_at_minor_version) = "3.0"]; - - repeated UpgradeConfig upgrade_configs = 25; - - // If present, Envoy will try to follow an upstream redirect response instead of proxying the - // response back to the downstream. An upstream redirect response is defined - // by :ref:`redirect_response_codes - // `. - InternalRedirectPolicy internal_redirect_policy = 34; - - InternalRedirectAction internal_redirect_action = 26 - [deprecated = true, (envoy.annotations.deprecated_at_minor_version) = "3.0"]; - - // An internal redirect is handled, iff the number of previous internal redirects that a - // downstream request has encountered is lower than this value, and - // :ref:`internal_redirect_action ` - // is set to :ref:`HANDLE_INTERNAL_REDIRECT - // ` - // In the case where a downstream request is bounced among multiple routes by internal redirect, - // the first route that hits this threshold, or has - // :ref:`internal_redirect_action ` - // set to - // :ref:`PASS_THROUGH_INTERNAL_REDIRECT - // ` - // will pass the redirect back to downstream. - // - // If not specified, at most one redirect will be followed. - google.protobuf.UInt32Value max_internal_redirects = 31 - [deprecated = true, (envoy.annotations.deprecated_at_minor_version) = "3.0"]; - - // Indicates that the route has a hedge policy. Note that if this is set, - // it'll take precedence over the virtual host level hedge policy entirely - // (e.g.: policies are not merged, most internal one becomes the enforced policy). - HedgePolicy hedge_policy = 27; - - // Specifies the maximum stream duration for this route. - MaxStreamDuration max_stream_duration = 36; -} - -// HTTP retry :ref:`architecture overview `. -// [#next-free-field: 14] -message RetryPolicy { - option (udpa.annotations.versioning).previous_message_type = "envoy.api.v2.route.RetryPolicy"; - - enum ResetHeaderFormat { - SECONDS = 0; - UNIX_TIMESTAMP = 1; - } - - message RetryPriority { - option (udpa.annotations.versioning).previous_message_type = - "envoy.api.v2.route.RetryPolicy.RetryPriority"; - - reserved 2; - - reserved "config"; - - string name = 1 [(validate.rules).string = {min_len: 1}]; - - // [#extension-category: envoy.retry_priorities] - oneof config_type { - google.protobuf.Any typed_config = 3; - } - } - - message RetryHostPredicate { - option (udpa.annotations.versioning).previous_message_type = - "envoy.api.v2.route.RetryPolicy.RetryHostPredicate"; - - reserved 2; - - reserved "config"; - - string name = 1 [(validate.rules).string = {min_len: 1}]; - - // [#extension-category: envoy.retry_host_predicates] - oneof config_type { - google.protobuf.Any typed_config = 3; - } - } - - message RetryBackOff { - option (udpa.annotations.versioning).previous_message_type = - "envoy.api.v2.route.RetryPolicy.RetryBackOff"; - - // Specifies the base interval between retries. This parameter is required and must be greater - // than zero. Values less than 1 ms are rounded up to 1 ms. - // See :ref:`config_http_filters_router_x-envoy-max-retries` for a discussion of Envoy's - // back-off algorithm. - google.protobuf.Duration base_interval = 1 [(validate.rules).duration = { - required: true - gt {} - }]; - - // Specifies the maximum interval between retries. This parameter is optional, but must be - // greater than or equal to the ``base_interval`` if set. The default is 10 times the - // ``base_interval``. See :ref:`config_http_filters_router_x-envoy-max-retries` for a discussion - // of Envoy's back-off algorithm. - google.protobuf.Duration max_interval = 2 [(validate.rules).duration = {gt {}}]; - } - - message ResetHeader { - // The name of the reset header. - // - // .. note:: - // - // If the header appears multiple times only the first value is used. - string name = 1 - [(validate.rules).string = {min_len: 1 well_known_regex: HTTP_HEADER_NAME strict: false}]; - - // The format of the reset header. - ResetHeaderFormat format = 2 [(validate.rules).enum = {defined_only: true}]; - } - - // A retry back-off strategy that applies when the upstream server rate limits - // the request. - // - // Given this configuration: - // - // .. code-block:: yaml - // - // rate_limited_retry_back_off: - // reset_headers: - // - name: Retry-After - // format: SECONDS - // - name: X-RateLimit-Reset - // format: UNIX_TIMESTAMP - // max_interval: "300s" - // - // The following algorithm will apply: - // - // 1. If the response contains the header ``Retry-After`` its value must be on - // the form ``120`` (an integer that represents the number of seconds to - // wait before retrying). If so, this value is used as the back-off interval. - // 2. Otherwise, if the response contains the header ``X-RateLimit-Reset`` its - // value must be on the form ``1595320702`` (an integer that represents the - // point in time at which to retry, as a Unix timestamp in seconds). If so, - // the current time is subtracted from this value and the result is used as - // the back-off interval. - // 3. Otherwise, Envoy will use the default - // :ref:`exponential back-off ` - // strategy. - // - // No matter which format is used, if the resulting back-off interval exceeds - // ``max_interval`` it is discarded and the next header in ``reset_headers`` - // is tried. If a request timeout is configured for the route it will further - // limit how long the request will be allowed to run. - // - // To prevent many clients retrying at the same point in time jitter is added - // to the back-off interval, so the resulting interval is decided by taking: - // ``random(interval, interval * 1.5)``. - // - // .. attention:: - // - // Configuring ``rate_limited_retry_back_off`` will not by itself cause a request - // to be retried. You will still need to configure the right retry policy to match - // the responses from the upstream server. - message RateLimitedRetryBackOff { - // Specifies the reset headers (like ``Retry-After`` or ``X-RateLimit-Reset``) - // to match against the response. Headers are tried in order, and matched case - // insensitive. The first header to be parsed successfully is used. If no headers - // match the default exponential back-off is used instead. - repeated ResetHeader reset_headers = 1 [(validate.rules).repeated = {min_items: 1}]; - - // Specifies the maximum back off interval that Envoy will allow. If a reset - // header contains an interval longer than this then it will be discarded and - // the next header will be tried. Defaults to 300 seconds. - google.protobuf.Duration max_interval = 2 [(validate.rules).duration = {gt {}}]; - } - - // Specifies the conditions under which retry takes place. These are the same - // conditions documented for :ref:`config_http_filters_router_x-envoy-retry-on` and - // :ref:`config_http_filters_router_x-envoy-retry-grpc-on`. - string retry_on = 1; - - // Specifies the allowed number of retries. This parameter is optional and - // defaults to 1. These are the same conditions documented for - // :ref:`config_http_filters_router_x-envoy-max-retries`. - google.protobuf.UInt32Value num_retries = 2 - [(udpa.annotations.field_migrate).rename = "max_retries"]; - - // Specifies a non-zero upstream timeout per retry attempt (including the initial attempt). This - // parameter is optional. The same conditions documented for - // :ref:`config_http_filters_router_x-envoy-upstream-rq-per-try-timeout-ms` apply. - // - // .. note:: - // - // If left unspecified, Envoy will use the global - // :ref:`route timeout ` for the request. - // Consequently, when using a :ref:`5xx ` based - // retry policy, a request that times out will not be retried as the total timeout budget - // would have been exhausted. - google.protobuf.Duration per_try_timeout = 3; - - // Specifies an upstream idle timeout per retry attempt (including the initial attempt). This - // parameter is optional and if absent there is no per try idle timeout. The semantics of the per - // try idle timeout are similar to the - // :ref:`route idle timeout ` and - // :ref:`stream idle timeout - // ` - // both enforced by the HTTP connection manager. The difference is that this idle timeout - // is enforced by the router for each individual attempt and thus after all previous filters have - // run, as opposed to *before* all previous filters run for the other idle timeouts. This timeout - // is useful in cases in which total request timeout is bounded by a number of retries and a - // :ref:`per_try_timeout `, but - // there is a desire to ensure each try is making incremental progress. Note also that similar - // to :ref:`per_try_timeout `, - // this idle timeout does not start until after both the entire request has been received by the - // router *and* a connection pool connection has been obtained. Unlike - // :ref:`per_try_timeout `, - // the idle timer continues once the response starts streaming back to the downstream client. - // This ensures that response data continues to make progress without using one of the HTTP - // connection manager idle timeouts. - google.protobuf.Duration per_try_idle_timeout = 13; - - // Specifies an implementation of a RetryPriority which is used to determine the - // distribution of load across priorities used for retries. Refer to - // :ref:`retry plugin configuration ` for more details. - RetryPriority retry_priority = 4; - - // Specifies a collection of RetryHostPredicates that will be consulted when selecting a host - // for retries. If any of the predicates reject the host, host selection will be reattempted. - // Refer to :ref:`retry plugin configuration ` for more - // details. - repeated RetryHostPredicate retry_host_predicate = 5; - - // Retry options predicates that will be applied prior to retrying a request. These predicates - // allow customizing request behavior between retries. - // [#comment: add [#extension-category: envoy.retry_options_predicates] when there are built-in extensions] - repeated core.v3.TypedExtensionConfig retry_options_predicates = 12; - - // The maximum number of times host selection will be reattempted before giving up, at which - // point the host that was last selected will be routed to. If unspecified, this will default to - // retrying once. - int64 host_selection_retry_max_attempts = 6; - - // HTTP status codes that should trigger a retry in addition to those specified by retry_on. - repeated uint32 retriable_status_codes = 7; - - // Specifies parameters that control exponential retry back off. This parameter is optional, in which case the - // default base interval is 25 milliseconds or, if set, the current value of the - // ``upstream.base_retry_backoff_ms`` runtime parameter. The default maximum interval is 10 times - // the base interval. The documentation for :ref:`config_http_filters_router_x-envoy-max-retries` - // describes Envoy's back-off algorithm. - RetryBackOff retry_back_off = 8; - - // Specifies parameters that control a retry back-off strategy that is used - // when the request is rate limited by the upstream server. The server may - // return a response header like ``Retry-After`` or ``X-RateLimit-Reset`` to - // provide feedback to the client on how long to wait before retrying. If - // configured, this back-off strategy will be used instead of the - // default exponential back off strategy (configured using ``retry_back_off``) - // whenever a response includes the matching headers. - RateLimitedRetryBackOff rate_limited_retry_back_off = 11; - - // HTTP response headers that trigger a retry if present in the response. A retry will be - // triggered if any of the header matches match the upstream response headers. - // The field is only consulted if 'retriable-headers' retry policy is active. - repeated HeaderMatcher retriable_headers = 9; - - // HTTP headers which must be present in the request for retries to be attempted. - repeated HeaderMatcher retriable_request_headers = 10; -} - -// HTTP request hedging :ref:`architecture overview `. -message HedgePolicy { - option (udpa.annotations.versioning).previous_message_type = "envoy.api.v2.route.HedgePolicy"; - - // Specifies the number of initial requests that should be sent upstream. - // Must be at least 1. - // Defaults to 1. - // [#not-implemented-hide:] - google.protobuf.UInt32Value initial_requests = 1 [(validate.rules).uint32 = {gte: 1}]; - - // Specifies a probability that an additional upstream request should be sent - // on top of what is specified by initial_requests. - // Defaults to 0. - // [#not-implemented-hide:] - type.v3.FractionalPercent additional_request_chance = 2; - - // Indicates that a hedged request should be sent when the per-try timeout is hit. - // This means that a retry will be issued without resetting the original request, leaving multiple upstream requests in flight. - // The first request to complete successfully will be the one returned to the caller. - // - // * At any time, a successful response (i.e. not triggering any of the retry-on conditions) would be returned to the client. - // * Before per-try timeout, an error response (per retry-on conditions) would be retried immediately or returned ot the client - // if there are no more retries left. - // * After per-try timeout, an error response would be discarded, as a retry in the form of a hedged request is already in progress. - // - // Note: For this to have effect, you must have a :ref:`RetryPolicy ` that retries at least - // one error code and specifies a maximum number of retries. - // - // Defaults to false. - bool hedge_on_per_try_timeout = 3; -} - -// [#next-free-field: 10] -message RedirectAction { - option (udpa.annotations.versioning).previous_message_type = "envoy.api.v2.route.RedirectAction"; - - enum RedirectResponseCode { - // Moved Permanently HTTP Status Code - 301. - MOVED_PERMANENTLY = 0; - - // Found HTTP Status Code - 302. - FOUND = 1; - - // See Other HTTP Status Code - 303. - SEE_OTHER = 2; - - // Temporary Redirect HTTP Status Code - 307. - TEMPORARY_REDIRECT = 3; - - // Permanent Redirect HTTP Status Code - 308. - PERMANENT_REDIRECT = 4; - } - - // When the scheme redirection take place, the following rules apply: - // 1. If the source URI scheme is ``http`` and the port is explicitly - // set to ``:80``, the port will be removed after the redirection - // 2. If the source URI scheme is ``https`` and the port is explicitly - // set to ``:443``, the port will be removed after the redirection - oneof scheme_rewrite_specifier { - // The scheme portion of the URL will be swapped with "https". - bool https_redirect = 4; - - // The scheme portion of the URL will be swapped with this value. - string scheme_redirect = 7; - } - - // The host portion of the URL will be swapped with this value. - string host_redirect = 1 - [(validate.rules).string = {well_known_regex: HTTP_HEADER_VALUE strict: false}]; - - // The port value of the URL will be swapped with this value. - uint32 port_redirect = 8; - - oneof path_rewrite_specifier { - // The path portion of the URL will be swapped with this value. - // Please note that query string in path_redirect will override the - // request's query string and will not be stripped. - // - // For example, let's say we have the following routes: - // - // - match: { path: "/old-path-1" } - // redirect: { path_redirect: "/new-path-1" } - // - match: { path: "/old-path-2" } - // redirect: { path_redirect: "/new-path-2", strip-query: "true" } - // - match: { path: "/old-path-3" } - // redirect: { path_redirect: "/new-path-3?foo=1", strip_query: "true" } - // - // 1. if request uri is "/old-path-1?bar=1", users will be redirected to "/new-path-1?bar=1" - // 2. if request uri is "/old-path-2?bar=1", users will be redirected to "/new-path-2" - // 3. if request uri is "/old-path-3?bar=1", users will be redirected to "/new-path-3?foo=1" - string path_redirect = 2 - [(validate.rules).string = {well_known_regex: HTTP_HEADER_VALUE strict: false}]; - - // Indicates that during redirection, the matched prefix (or path) - // should be swapped with this value. This option allows redirect URLs be dynamically created - // based on the request. - // - // .. attention:: - // - // Pay attention to the use of trailing slashes as mentioned in - // :ref:`RouteAction's prefix_rewrite `. - string prefix_rewrite = 5 - [(validate.rules).string = {well_known_regex: HTTP_HEADER_VALUE strict: false}]; - - // Indicates that during redirect, portions of the path that match the - // pattern should be rewritten, even allowing the substitution of capture - // groups from the pattern into the new path as specified by the rewrite - // substitution string. This is useful to allow application paths to be - // rewritten in a way that is aware of segments with variable content like - // identifiers. - // - // Examples using Google's `RE2 `_ engine: - // - // * The path pattern ``^/service/([^/]+)(/.*)$`` paired with a substitution - // string of ``\2/instance/\1`` would transform ``/service/foo/v1/api`` - // into ``/v1/api/instance/foo``. - // - // * The pattern ``one`` paired with a substitution string of ``two`` would - // transform ``/xxx/one/yyy/one/zzz`` into ``/xxx/two/yyy/two/zzz``. - // - // * The pattern ``^(.*?)one(.*)$`` paired with a substitution string of - // ``\1two\2`` would replace only the first occurrence of ``one``, - // transforming path ``/xxx/one/yyy/one/zzz`` into ``/xxx/two/yyy/one/zzz``. - // - // * The pattern ``(?i)/xxx/`` paired with a substitution string of ``/yyy/`` - // would do a case-insensitive match and transform path ``/aaa/XxX/bbb`` to - // ``/aaa/yyy/bbb``. - type.matcher.v3.RegexMatchAndSubstitute regex_rewrite = 9; - } - - // The HTTP status code to use in the redirect response. The default response - // code is MOVED_PERMANENTLY (301). - RedirectResponseCode response_code = 3 [(validate.rules).enum = {defined_only: true}]; - - // Indicates that during redirection, the query portion of the URL will - // be removed. Default value is false. - bool strip_query = 6; -} - -message DirectResponseAction { - option (udpa.annotations.versioning).previous_message_type = - "envoy.api.v2.route.DirectResponseAction"; - - // Specifies the HTTP response status to be returned. - uint32 status = 1 [(validate.rules).uint32 = {lt: 600 gte: 200}]; - - // Specifies the content of the response body. If this setting is omitted, - // no body is included in the generated response. - // - // .. note:: - // - // Headers can be specified using ``response_headers_to_add`` in the enclosing - // :ref:`envoy_v3_api_msg_config.route.v3.Route`, :ref:`envoy_v3_api_msg_config.route.v3.RouteConfiguration` or - // :ref:`envoy_v3_api_msg_config.route.v3.VirtualHost`. - core.v3.DataSource body = 2; -} - -// [#not-implemented-hide:] -message NonForwardingAction { -} - -message Decorator { - option (udpa.annotations.versioning).previous_message_type = "envoy.api.v2.route.Decorator"; - - // The operation name associated with the request matched to this route. If tracing is - // enabled, this information will be used as the span name reported for this request. - // - // .. note:: - // - // For ingress (inbound) requests, or egress (outbound) responses, this value may be overridden - // by the :ref:`x-envoy-decorator-operation - // ` header. - string operation = 1 [(validate.rules).string = {min_len: 1}]; - - // Whether the decorated details should be propagated to the other party. The default is true. - google.protobuf.BoolValue propagate = 2; -} - -message Tracing { - option (udpa.annotations.versioning).previous_message_type = "envoy.api.v2.route.Tracing"; - - // Target percentage of requests managed by this HTTP connection manager that will be force - // traced if the :ref:`x-client-trace-id ` - // header is set. This field is a direct analog for the runtime variable - // 'tracing.client_sampling' in the :ref:`HTTP Connection Manager - // `. - // Default: 100% - type.v3.FractionalPercent client_sampling = 1; - - // Target percentage of requests managed by this HTTP connection manager that will be randomly - // selected for trace generation, if not requested by the client or not forced. This field is - // a direct analog for the runtime variable 'tracing.random_sampling' in the - // :ref:`HTTP Connection Manager `. - // Default: 100% - type.v3.FractionalPercent random_sampling = 2; - - // Target percentage of requests managed by this HTTP connection manager that will be traced - // after all other sampling checks have been applied (client-directed, force tracing, random - // sampling). This field functions as an upper limit on the total configured sampling rate. For - // instance, setting client_sampling to 100% but overall_sampling to 1% will result in only 1% - // of client requests with the appropriate headers to be force traced. This field is a direct - // analog for the runtime variable 'tracing.global_enabled' in the - // :ref:`HTTP Connection Manager `. - // Default: 100% - type.v3.FractionalPercent overall_sampling = 3; - - // A list of custom tags with unique tag name to create tags for the active span. - // It will take effect after merging with the :ref:`corresponding configuration - // ` - // configured in the HTTP connection manager. If two tags with the same name are configured - // each in the HTTP connection manager and the route level, the one configured here takes - // priority. - repeated type.tracing.v3.CustomTag custom_tags = 4; -} - -// A virtual cluster is a way of specifying a regex matching rule against -// certain important endpoints such that statistics are generated explicitly for -// the matched requests. The reason this is useful is that when doing -// prefix/path matching Envoy does not always know what the application -// considers to be an endpoint. Thus, it’s impossible for Envoy to generically -// emit per endpoint statistics. However, often systems have highly critical -// endpoints that they wish to get “perfect” statistics on. Virtual cluster -// statistics are perfect in the sense that they are emitted on the downstream -// side such that they include network level failures. -// -// Documentation for :ref:`virtual cluster statistics `. -// -// .. note:: -// -// Virtual clusters are a useful tool, but we do not recommend setting up a virtual cluster for -// every application endpoint. This is both not easily maintainable and as well the matching and -// statistics output are not free. -message VirtualCluster { - option (udpa.annotations.versioning).previous_message_type = "envoy.api.v2.route.VirtualCluster"; - - reserved 1, 3; - - reserved "pattern", "method"; - - // Specifies a list of header matchers to use for matching requests. Each specified header must - // match. The pseudo-headers ``:path`` and ``:method`` can be used to match the request path and - // method, respectively. - repeated HeaderMatcher headers = 4; - - // Specifies the name of the virtual cluster. The virtual cluster name as well - // as the virtual host name are used when emitting statistics. The statistics are emitted by the - // router filter and are documented :ref:`here `. - string name = 2 [(validate.rules).string = {min_len: 1}]; -} - -// Global rate limiting :ref:`architecture overview `. -// Also applies to Local rate limiting :ref:`using descriptors `. -message RateLimit { - option (udpa.annotations.versioning).previous_message_type = "envoy.api.v2.route.RateLimit"; - - // [#next-free-field: 11] - message Action { - option (udpa.annotations.versioning).previous_message_type = - "envoy.api.v2.route.RateLimit.Action"; - - // The following descriptor entry is appended to the descriptor: - // - // .. code-block:: cpp - // - // ("source_cluster", "") - // - // is derived from the :option:`--service-cluster` option. - message SourceCluster { - option (udpa.annotations.versioning).previous_message_type = - "envoy.api.v2.route.RateLimit.Action.SourceCluster"; - } - - // The following descriptor entry is appended to the descriptor: - // - // .. code-block:: cpp - // - // ("destination_cluster", "") - // - // Once a request matches against a route table rule, a routed cluster is determined by one of - // the following :ref:`route table configuration ` - // settings: - // - // * :ref:`cluster ` indicates the upstream cluster - // to route to. - // * :ref:`weighted_clusters ` - // chooses a cluster randomly from a set of clusters with attributed weight. - // * :ref:`cluster_header ` indicates which - // header in the request contains the target cluster. - message DestinationCluster { - option (udpa.annotations.versioning).previous_message_type = - "envoy.api.v2.route.RateLimit.Action.DestinationCluster"; - } - - // The following descriptor entry is appended when a header contains a key that matches the - // ``header_name``: - // - // .. code-block:: cpp - // - // ("", "") - message RequestHeaders { - option (udpa.annotations.versioning).previous_message_type = - "envoy.api.v2.route.RateLimit.Action.RequestHeaders"; - - // The header name to be queried from the request headers. The header’s - // value is used to populate the value of the descriptor entry for the - // descriptor_key. - string header_name = 1 - [(validate.rules).string = {min_len: 1 well_known_regex: HTTP_HEADER_NAME strict: false}]; - - // The key to use in the descriptor entry. - string descriptor_key = 2 [(validate.rules).string = {min_len: 1}]; - - // If set to true, Envoy skips the descriptor while calling rate limiting service - // when header is not present in the request. By default it skips calling the - // rate limiting service if this header is not present in the request. - bool skip_if_absent = 3; - } - - // The following descriptor entry is appended to the descriptor and is populated using the - // trusted address from :ref:`x-forwarded-for `: - // - // .. code-block:: cpp - // - // ("remote_address", "") - message RemoteAddress { - option (udpa.annotations.versioning).previous_message_type = - "envoy.api.v2.route.RateLimit.Action.RemoteAddress"; - } - - // The following descriptor entry is appended to the descriptor and is populated using the - // masked address from :ref:`x-forwarded-for `: - // - // .. code-block:: cpp - // - // ("masked_remote_address", "") - message MaskedRemoteAddress { - // Length of prefix mask len for IPv4 (e.g. 0, 32). - // Defaults to 32 when unset. - // For example, trusted address from x-forwarded-for is ``192.168.1.1``, - // the descriptor entry is ("masked_remote_address", "192.168.1.1/32"); - // if mask len is 24, the descriptor entry is ("masked_remote_address", "192.168.1.0/24"). - google.protobuf.UInt32Value v4_prefix_mask_len = 1 [(validate.rules).uint32 = {lte: 32}]; - - // Length of prefix mask len for IPv6 (e.g. 0, 128). - // Defaults to 128 when unset. - // For example, trusted address from x-forwarded-for is ``2001:abcd:ef01:2345:6789:abcd:ef01:234``, - // the descriptor entry is ("masked_remote_address", "2001:abcd:ef01:2345:6789:abcd:ef01:234/128"); - // if mask len is 64, the descriptor entry is ("masked_remote_address", "2001:abcd:ef01:2345::/64"). - google.protobuf.UInt32Value v6_prefix_mask_len = 2 [(validate.rules).uint32 = {lte: 128}]; - } - - // The following descriptor entry is appended to the descriptor: - // - // .. code-block:: cpp - // - // ("generic_key", "") - message GenericKey { - option (udpa.annotations.versioning).previous_message_type = - "envoy.api.v2.route.RateLimit.Action.GenericKey"; - - // The value to use in the descriptor entry. - string descriptor_value = 1 [(validate.rules).string = {min_len: 1}]; - - // An optional key to use in the descriptor entry. If not set it defaults - // to 'generic_key' as the descriptor key. - string descriptor_key = 2; - } - - // The following descriptor entry is appended to the descriptor: - // - // .. code-block:: cpp - // - // ("header_match", "") - message HeaderValueMatch { - option (udpa.annotations.versioning).previous_message_type = - "envoy.api.v2.route.RateLimit.Action.HeaderValueMatch"; - - // The key to use in the descriptor entry. Defaults to ``header_match``. - string descriptor_key = 4; - - // The value to use in the descriptor entry. - string descriptor_value = 1 [(validate.rules).string = {min_len: 1}]; - - // If set to true, the action will append a descriptor entry when the - // request matches the headers. If set to false, the action will append a - // descriptor entry when the request does not match the headers. The - // default value is true. - google.protobuf.BoolValue expect_match = 2; - - // Specifies a set of headers that the rate limit action should match - // on. The action will check the request’s headers against all the - // specified headers in the config. A match will happen if all the - // headers in the config are present in the request with the same values - // (or based on presence if the value field is not in the config). - repeated HeaderMatcher headers = 3 [(validate.rules).repeated = {min_items: 1}]; - } - - // The following descriptor entry is appended when the - // :ref:`dynamic metadata ` contains a key value: - // - // .. code-block:: cpp - // - // ("", "") - // - // .. attention:: - // This action has been deprecated in favor of the :ref:`metadata ` action - message DynamicMetaData { - // The key to use in the descriptor entry. - string descriptor_key = 1 [(validate.rules).string = {min_len: 1}]; - - // Metadata struct that defines the key and path to retrieve the string value. A match will - // only happen if the value in the dynamic metadata is of type string. - type.metadata.v3.MetadataKey metadata_key = 2 [(validate.rules).message = {required: true}]; - - // An optional value to use if ``metadata_key`` is empty. If not set and - // no value is present under the metadata_key then no descriptor is generated. - string default_value = 3; - } - - // The following descriptor entry is appended when the metadata contains a key value: - // - // .. code-block:: cpp - // - // ("", "") - message MetaData { - enum Source { - // Query :ref:`dynamic metadata ` - DYNAMIC = 0; - - // Query :ref:`route entry metadata ` - ROUTE_ENTRY = 1; - } - - // The key to use in the descriptor entry. - string descriptor_key = 1 [(validate.rules).string = {min_len: 1}]; - - // Metadata struct that defines the key and path to retrieve the string value. A match will - // only happen if the value in the metadata is of type string. - type.metadata.v3.MetadataKey metadata_key = 2 [(validate.rules).message = {required: true}]; - - // An optional value to use if ``metadata_key`` is empty. If not set and - // no value is present under the metadata_key then no descriptor is generated. - string default_value = 3; - - // Source of metadata - Source source = 4 [(validate.rules).enum = {defined_only: true}]; - } - - oneof action_specifier { - option (validate.required) = true; - - // Rate limit on source cluster. - SourceCluster source_cluster = 1; - - // Rate limit on destination cluster. - DestinationCluster destination_cluster = 2; - - // Rate limit on request headers. - RequestHeaders request_headers = 3; - - // Rate limit on remote address. - RemoteAddress remote_address = 4; - - // Rate limit on a generic key. - GenericKey generic_key = 5; - - // Rate limit on the existence of request headers. - HeaderValueMatch header_value_match = 6; - - // Rate limit on dynamic metadata. - // - // .. attention:: - // This field has been deprecated in favor of the :ref:`metadata ` field - DynamicMetaData dynamic_metadata = 7 [ - deprecated = true, - (envoy.annotations.deprecated_at_minor_version) = "3.0", - (envoy.annotations.disallowed_by_default) = true - ]; - - // Rate limit on metadata. - MetaData metadata = 8; - - // Rate limit descriptor extension. See the rate limit descriptor extensions documentation. - // - // :ref:`HTTP matching input functions ` are - // permitted as descriptor extensions. The input functions are only - // looked up if there is no rate limit descriptor extension matching - // the type URL. - // - // [#extension-category: envoy.rate_limit_descriptors] - core.v3.TypedExtensionConfig extension = 9; - - // Rate limit on masked remote address. - MaskedRemoteAddress masked_remote_address = 10; - } - } - - message Override { - // Fetches the override from the dynamic metadata. - message DynamicMetadata { - // Metadata struct that defines the key and path to retrieve the struct value. - // The value must be a struct containing an integer "requests_per_unit" property - // and a "unit" property with a value parseable to :ref:`RateLimitUnit - // enum ` - type.metadata.v3.MetadataKey metadata_key = 1 [(validate.rules).message = {required: true}]; - } - - oneof override_specifier { - option (validate.required) = true; - - // Limit override from dynamic metadata. - DynamicMetadata dynamic_metadata = 1; - } - } - - // Refers to the stage set in the filter. The rate limit configuration only - // applies to filters with the same stage number. The default stage number is - // 0. - // - // .. note:: - // - // The filter supports a range of 0 - 10 inclusively for stage numbers. - google.protobuf.UInt32Value stage = 1 [(validate.rules).uint32 = {lte: 10}]; - - // The key to be set in runtime to disable this rate limit configuration. - string disable_key = 2; - - // A list of actions that are to be applied for this rate limit configuration. - // Order matters as the actions are processed sequentially and the descriptor - // is composed by appending descriptor entries in that sequence. If an action - // cannot append a descriptor entry, no descriptor is generated for the - // configuration. See :ref:`composing actions - // ` for additional documentation. - repeated Action actions = 3 [(validate.rules).repeated = {min_items: 1}]; - - // An optional limit override to be appended to the descriptor produced by this - // rate limit configuration. If the override value is invalid or cannot be resolved - // from metadata, no override is provided. See :ref:`rate limit override - // ` for more information. - Override limit = 4; -} - -// .. attention:: -// -// Internally, Envoy always uses the HTTP/2 ``:authority`` header to represent the HTTP/1 ``Host`` -// header. Thus, if attempting to match on ``Host``, match on ``:authority`` instead. -// -// .. attention:: -// -// To route on HTTP method, use the special HTTP/2 ``:method`` header. This works for both -// HTTP/1 and HTTP/2 as Envoy normalizes headers. E.g., -// -// .. code-block:: json -// -// { -// "name": ":method", -// "exact_match": "POST" -// } -// -// .. attention:: -// In the absence of any header match specifier, match will default to :ref:`present_match -// `. i.e, a request that has the :ref:`name -// ` header will match, regardless of the header's -// value. -// -// [#next-major-version: HeaderMatcher should be refactored to use StringMatcher.] -// [#next-free-field: 15] -message HeaderMatcher { - option (udpa.annotations.versioning).previous_message_type = "envoy.api.v2.route.HeaderMatcher"; - - reserved 2, 3, 5; - - reserved "regex_match"; - - // Specifies the name of the header in the request. - string name = 1 - [(validate.rules).string = {min_len: 1 well_known_regex: HTTP_HEADER_NAME strict: false}]; - - // Specifies how the header match will be performed to route the request. - oneof header_match_specifier { - // If specified, header match will be performed based on the value of the header. - // This field is deprecated. Please use :ref:`string_match `. - string exact_match = 4 - [deprecated = true, (envoy.annotations.deprecated_at_minor_version) = "3.0"]; - - // If specified, this regex string is a regular expression rule which implies the entire request - // header value must match the regex. The rule will not match if only a subsequence of the - // request header value matches the regex. - // This field is deprecated. Please use :ref:`string_match `. - type.matcher.v3.RegexMatcher safe_regex_match = 11 - [deprecated = true, (envoy.annotations.deprecated_at_minor_version) = "3.0"]; - - // If specified, header match will be performed based on range. - // The rule will match if the request header value is within this range. - // The entire request header value must represent an integer in base 10 notation: consisting of - // an optional plus or minus sign followed by a sequence of digits. The rule will not match if - // the header value does not represent an integer. Match will fail for empty values, floating - // point numbers or if only a subsequence of the header value is an integer. - // - // Examples: - // - // * For range [-10,0), route will match for header value -1, but not for 0, ``somestring``, 10.9, - // ``-1somestring`` - type.v3.Int64Range range_match = 6; - - // If specified as true, header match will be performed based on whether the header is in the - // request. If specified as false, header match will be performed based on whether the header is absent. - bool present_match = 7; - - // If specified, header match will be performed based on the prefix of the header value. - // Note: empty prefix is not allowed, please use present_match instead. - // This field is deprecated. Please use :ref:`string_match `. - // - // Examples: - // - // * The prefix ``abcd`` matches the value ``abcdxyz``, but not for ``abcxyz``. - string prefix_match = 9 [ - deprecated = true, - (validate.rules).string = {min_len: 1}, - (envoy.annotations.deprecated_at_minor_version) = "3.0" - ]; - - // If specified, header match will be performed based on the suffix of the header value. - // Note: empty suffix is not allowed, please use present_match instead. - // This field is deprecated. Please use :ref:`string_match `. - // - // Examples: - // - // * The suffix ``abcd`` matches the value ``xyzabcd``, but not for ``xyzbcd``. - string suffix_match = 10 [ - deprecated = true, - (validate.rules).string = {min_len: 1}, - (envoy.annotations.deprecated_at_minor_version) = "3.0" - ]; - - // If specified, header match will be performed based on whether the header value contains - // the given value or not. - // Note: empty contains match is not allowed, please use present_match instead. - // This field is deprecated. Please use :ref:`string_match `. - // - // Examples: - // - // * The value ``abcd`` matches the value ``xyzabcdpqr``, but not for ``xyzbcdpqr``. - string contains_match = 12 [ - deprecated = true, - (validate.rules).string = {min_len: 1}, - (envoy.annotations.deprecated_at_minor_version) = "3.0" - ]; - - // If specified, header match will be performed based on the string match of the header value. - type.matcher.v3.StringMatcher string_match = 13; - } - - // If specified, the match result will be inverted before checking. Defaults to false. - // - // Examples: - // - // * The regex ``\d{3}`` does not match the value ``1234``, so it will match when inverted. - // * The range [-10,0) will match the value -1, so it will not match when inverted. - bool invert_match = 8; - - // If specified, for any header match rule, if the header match rule specified header - // does not exist, this header value will be treated as empty. Defaults to false. - // - // Examples: - // - // * The header match rule specified header "header1" to range match of [0, 10], - // :ref:`invert_match ` - // is set to true and :ref:`treat_missing_header_as_empty ` - // is set to true; The "header1" header is not present. The match rule will - // treat the "header1" as an empty header. The empty header does not match the range, - // so it will match when inverted. - // * The header match rule specified header "header2" to range match of [0, 10], - // :ref:`invert_match ` - // is set to true and :ref:`treat_missing_header_as_empty ` - // is set to false; The "header2" header is not present and the header - // matcher rule for "header2" will be ignored so it will not match. - // * The header match rule specified header "header3" to a string regex match - // ``^$`` which means an empty string, and - // :ref:`treat_missing_header_as_empty ` - // is set to true; The "header3" header is not present. - // The match rule will treat the "header3" header as an empty header so it will match. - // * The header match rule specified header "header4" to a string regex match - // ``^$`` which means an empty string, and - // :ref:`treat_missing_header_as_empty ` - // is set to false; The "header4" header is not present. - // The match rule for "header4" will be ignored so it will not match. - bool treat_missing_header_as_empty = 14; -} - -// Query parameter matching treats the query string of a request's :path header -// as an ampersand-separated list of keys and/or key=value elements. -// [#next-free-field: 7] -message QueryParameterMatcher { - option (udpa.annotations.versioning).previous_message_type = - "envoy.api.v2.route.QueryParameterMatcher"; - - reserved 3, 4; - - reserved "value", "regex"; - - // Specifies the name of a key that must be present in the requested - // ``path``'s query string. - string name = 1 [(validate.rules).string = {min_len: 1 max_bytes: 1024}]; - - oneof query_parameter_match_specifier { - // Specifies whether a query parameter value should match against a string. - type.matcher.v3.StringMatcher string_match = 5 [(validate.rules).message = {required: true}]; - - // Specifies whether a query parameter should be present. - bool present_match = 6; - } -} - -// HTTP Internal Redirect :ref:`architecture overview `. -message InternalRedirectPolicy { - // An internal redirect is not handled, unless the number of previous internal redirects that a - // downstream request has encountered is lower than this value. - // In the case where a downstream request is bounced among multiple routes by internal redirect, - // the first route that hits this threshold, or does not set :ref:`internal_redirect_policy - // ` - // will pass the redirect back to downstream. - // - // If not specified, at most one redirect will be followed. - google.protobuf.UInt32Value max_internal_redirects = 1; - - // Defines what upstream response codes are allowed to trigger internal redirect. If unspecified, - // only 302 will be treated as internal redirect. - // Only 301, 302, 303, 307 and 308 are valid values. Any other codes will be ignored. - repeated uint32 redirect_response_codes = 2 [(validate.rules).repeated = {max_items: 5}]; - - // Specifies a list of predicates that are queried when an upstream response is deemed - // to trigger an internal redirect by all other criteria. Any predicate in the list can reject - // the redirect, causing the response to be proxied to downstream. - // [#extension-category: envoy.internal_redirect_predicates] - repeated core.v3.TypedExtensionConfig predicates = 3; - - // Allow internal redirect to follow a target URI with a different scheme than the value of - // x-forwarded-proto. The default is false. - bool allow_cross_scheme_redirect = 4; -} - -// A simple wrapper for an HTTP filter config. This is intended to be used as a wrapper for the -// map value in -// :ref:`VirtualHost.typed_per_filter_config`, -// :ref:`Route.typed_per_filter_config`, -// or :ref:`WeightedCluster.ClusterWeight.typed_per_filter_config` -// to add additional flags to the filter. -// [#not-implemented-hide:] -message FilterConfig { - // The filter config. - google.protobuf.Any config = 1; - - // If true, the filter is optional, meaning that if the client does - // not support the specified filter, it may ignore the map entry rather - // than rejecting the config. - bool is_optional = 2; -} diff --git a/src/main/proto/envoy/config/route/v3/scoped_route.proto b/src/main/proto/envoy/config/route/v3/scoped_route.proto deleted file mode 100644 index 27bcd61..0000000 --- a/src/main/proto/envoy/config/route/v3/scoped_route.proto +++ /dev/null @@ -1,133 +0,0 @@ -syntax = "proto3"; - -package envoy.config.route.v3; - -import "envoy/config/route/v3/route.proto"; - -import "udpa/annotations/migrate.proto"; -import "udpa/annotations/status.proto"; -import "udpa/annotations/versioning.proto"; -import "validate/validate.proto"; - -option java_package = "io.envoyproxy.envoy.config.route.v3"; -option java_outer_classname = "ScopedRouteProto"; -option java_multiple_files = true; -option go_package = "github.com/envoyproxy/go-control-plane/envoy/config/route/v3;routev3"; -option (udpa.annotations.file_status).package_version_status = ACTIVE; - -// [#protodoc-title: HTTP scoped routing configuration] -// * Routing :ref:`architecture overview ` - -// Specifies a routing scope, which associates a -// :ref:`Key` to a -// :ref:`envoy_v3_api_msg_config.route.v3.RouteConfiguration`. -// The :ref:`envoy_v3_api_msg_config.route.v3.RouteConfiguration` can be obtained dynamically -// via RDS (:ref:`route_configuration_name`) -// or specified inline (:ref:`route_configuration`). -// -// The HTTP connection manager builds up a table consisting of these Key to -// RouteConfiguration mappings, and looks up the RouteConfiguration to use per -// request according to the algorithm specified in the -// :ref:`scope_key_builder` -// assigned to the HttpConnectionManager. -// -// For example, with the following configurations (in YAML): -// -// HttpConnectionManager config: -// -// .. code:: -// -// ... -// scoped_routes: -// name: foo-scoped-routes -// scope_key_builder: -// fragments: -// - header_value_extractor: -// name: X-Route-Selector -// element_separator: , -// element: -// separator: = -// key: vip -// -// ScopedRouteConfiguration resources (specified statically via -// :ref:`scoped_route_configurations_list` -// or obtained dynamically via SRDS): -// -// .. code:: -// -// (1) -// name: route-scope1 -// route_configuration_name: route-config1 -// key: -// fragments: -// - string_key: 172.10.10.20 -// -// (2) -// name: route-scope2 -// route_configuration_name: route-config2 -// key: -// fragments: -// - string_key: 172.20.20.30 -// -// A request from a client such as: -// -// .. code:: -// -// GET / HTTP/1.1 -// Host: foo.com -// X-Route-Selector: vip=172.10.10.20 -// -// would result in the routing table defined by the ``route-config1`` -// RouteConfiguration being assigned to the HTTP request/stream. -// -// [#next-free-field: 6] -message ScopedRouteConfiguration { - option (udpa.annotations.versioning).previous_message_type = - "envoy.api.v2.ScopedRouteConfiguration"; - - // Specifies a key which is matched against the output of the - // :ref:`scope_key_builder` - // specified in the HttpConnectionManager. The matching is done per HTTP - // request and is dependent on the order of the fragments contained in the - // Key. - message Key { - option (udpa.annotations.versioning).previous_message_type = - "envoy.api.v2.ScopedRouteConfiguration.Key"; - - message Fragment { - option (udpa.annotations.versioning).previous_message_type = - "envoy.api.v2.ScopedRouteConfiguration.Key.Fragment"; - - oneof type { - option (validate.required) = true; - - // A string to match against. - string string_key = 1; - } - } - - // The ordered set of fragments to match against. The order must match the - // fragments in the corresponding - // :ref:`scope_key_builder`. - repeated Fragment fragments = 1 [(validate.rules).repeated = {min_items: 1}]; - } - - // Whether the RouteConfiguration should be loaded on demand. - bool on_demand = 4; - - // The name assigned to the routing scope. - string name = 1 [(validate.rules).string = {min_len: 1}]; - - // The resource name to use for a :ref:`envoy_v3_api_msg_service.discovery.v3.DiscoveryRequest` to an - // RDS server to fetch the :ref:`envoy_v3_api_msg_config.route.v3.RouteConfiguration` associated - // with this scope. - string route_configuration_name = 2 - [(udpa.annotations.field_migrate).oneof_promotion = "route_config"]; - - // The :ref:`envoy_v3_api_msg_config.route.v3.RouteConfiguration` associated with the scope. - RouteConfiguration route_configuration = 5 - [(udpa.annotations.field_migrate).oneof_promotion = "route_config"]; - - // The key to match against. - Key key = 3 [(validate.rules).message = {required: true}]; -} diff --git a/src/main/proto/envoy/type/matcher/BUILD b/src/main/proto/envoy/type/matcher/BUILD deleted file mode 100644 index 29613b4..0000000 --- a/src/main/proto/envoy/type/matcher/BUILD +++ /dev/null @@ -1,13 +0,0 @@ -# DO NOT EDIT. This file is generated by tools/proto_format/proto_sync.py. - -load("@envoy_api//bazel:api_build_system.bzl", "api_proto_package") - -licenses(["notice"]) # Apache 2 - -api_proto_package( - deps = [ - "//envoy/annotations:pkg", - "//envoy/type:pkg", - "@com_github_cncf_udpa//udpa/annotations:pkg", - ], -) diff --git a/src/main/proto/envoy/type/matcher/metadata.proto b/src/main/proto/envoy/type/matcher/metadata.proto deleted file mode 100644 index 20da230..0000000 --- a/src/main/proto/envoy/type/matcher/metadata.proto +++ /dev/null @@ -1,99 +0,0 @@ -syntax = "proto3"; - -package envoy.type.matcher; - -import "envoy/type/matcher/value.proto"; - -import "udpa/annotations/status.proto"; -import "validate/validate.proto"; - -option java_package = "io.envoyproxy.envoy.type.matcher"; -option java_outer_classname = "MetadataProto"; -option java_multiple_files = true; -option go_package = "github.com/envoyproxy/go-control-plane/envoy/type/matcher"; -option (udpa.annotations.file_status).package_version_status = FROZEN; - -// [#protodoc-title: Metadata matcher] - -// MetadataMatcher provides a general interface to check if a given value is matched in -// :ref:`Metadata `. It uses `filter` and `path` to retrieve the value -// from the Metadata and then check if it's matched to the specified value. -// -// For example, for the following Metadata: -// -// .. code-block:: yaml -// -// filter_metadata: -// envoy.filters.http.rbac: -// fields: -// a: -// struct_value: -// fields: -// b: -// struct_value: -// fields: -// c: -// string_value: pro -// t: -// list_value: -// values: -// - string_value: m -// - string_value: n -// -// The following MetadataMatcher is matched as the path [a, b, c] will retrieve a string value "pro" -// from the Metadata which is matched to the specified prefix match. -// -// .. code-block:: yaml -// -// filter: envoy.filters.http.rbac -// path: -// - key: a -// - key: b -// - key: c -// value: -// string_match: -// prefix: pr -// -// The following MetadataMatcher is matched as the code will match one of the string values in the -// list at the path [a, t]. -// -// .. code-block:: yaml -// -// filter: envoy.filters.http.rbac -// path: -// - key: a -// - key: t -// value: -// list_match: -// one_of: -// string_match: -// exact: m -// -// An example use of MetadataMatcher is specifying additional metadata in envoy.filters.http.rbac to -// enforce access control based on dynamic metadata in a request. See :ref:`Permission -// ` and :ref:`Principal -// `. - -// [#next-major-version: MetadataMatcher should use StructMatcher] -message MetadataMatcher { - // Specifies the segment in a path to retrieve value from Metadata. - // Note: Currently it's not supported to retrieve a value from a list in Metadata. This means that - // if the segment key refers to a list, it has to be the last segment in a path. - message PathSegment { - oneof segment { - option (validate.required) = true; - - // If specified, use the key to retrieve the value in a Struct. - string key = 1 [(validate.rules).string = {min_len: 1}]; - } - } - - // The filter name to retrieve the Struct from the Metadata. - string filter = 1 [(validate.rules).string = {min_len: 1}]; - - // The path to retrieve the Value from the Struct. - repeated PathSegment path = 2 [(validate.rules).repeated = {min_items: 1}]; - - // The MetadataMatcher is matched if the value retrieved by path is matched to this value. - ValueMatcher value = 3 [(validate.rules).message = {required: true}]; -} diff --git a/src/main/proto/envoy/type/matcher/node.proto b/src/main/proto/envoy/type/matcher/node.proto deleted file mode 100644 index 5dcf1e6..0000000 --- a/src/main/proto/envoy/type/matcher/node.proto +++ /dev/null @@ -1,26 +0,0 @@ -syntax = "proto3"; - -package envoy.type.matcher; - -import "envoy/type/matcher/string.proto"; -import "envoy/type/matcher/struct.proto"; - -import "udpa/annotations/status.proto"; - -option java_package = "io.envoyproxy.envoy.type.matcher"; -option java_outer_classname = "NodeProto"; -option java_multiple_files = true; -option go_package = "github.com/envoyproxy/go-control-plane/envoy/type/matcher"; -option (udpa.annotations.file_status).package_version_status = FROZEN; - -// [#protodoc-title: Node matcher] - -// Specifies the way to match a Node. -// The match follows AND semantics. -message NodeMatcher { - // Specifies match criteria on the node id. - StringMatcher node_id = 1; - - // Specifies match criteria on the node metadata. - repeated StructMatcher node_metadatas = 2; -} diff --git a/src/main/proto/envoy/type/matcher/number.proto b/src/main/proto/envoy/type/matcher/number.proto deleted file mode 100644 index 4c5b4db..0000000 --- a/src/main/proto/envoy/type/matcher/number.proto +++ /dev/null @@ -1,30 +0,0 @@ -syntax = "proto3"; - -package envoy.type.matcher; - -import "envoy/type/range.proto"; - -import "udpa/annotations/status.proto"; -import "validate/validate.proto"; - -option java_package = "io.envoyproxy.envoy.type.matcher"; -option java_outer_classname = "NumberProto"; -option java_multiple_files = true; -option go_package = "github.com/envoyproxy/go-control-plane/envoy/type/matcher"; -option (udpa.annotations.file_status).package_version_status = FROZEN; - -// [#protodoc-title: Number matcher] - -// Specifies the way to match a double value. -message DoubleMatcher { - oneof match_pattern { - option (validate.required) = true; - - // If specified, the input double value must be in the range specified here. - // Note: The range is using half-open interval semantics [start, end). - DoubleRange range = 1; - - // If specified, the input double value must be equal to the value specified here. - double exact = 2; - } -} diff --git a/src/main/proto/envoy/type/matcher/path.proto b/src/main/proto/envoy/type/matcher/path.proto deleted file mode 100644 index 1a97bbc..0000000 --- a/src/main/proto/envoy/type/matcher/path.proto +++ /dev/null @@ -1,28 +0,0 @@ -syntax = "proto3"; - -package envoy.type.matcher; - -import "envoy/type/matcher/string.proto"; - -import "udpa/annotations/status.proto"; -import "validate/validate.proto"; - -option java_package = "io.envoyproxy.envoy.type.matcher"; -option java_outer_classname = "PathProto"; -option java_multiple_files = true; -option go_package = "github.com/envoyproxy/go-control-plane/envoy/type/matcher"; -option (udpa.annotations.file_status).package_version_status = FROZEN; - -// [#protodoc-title: Path matcher] - -// Specifies the way to match a path on HTTP request. -message PathMatcher { - oneof rule { - option (validate.required) = true; - - // The `path` must match the URL path portion of the :path header. The query and fragment - // string (if present) are removed in the URL path portion. - // For example, the path */data* will match the *:path* header */data#fragment?param=value*. - StringMatcher path = 1 [(validate.rules).message = {required: true}]; - } -} diff --git a/src/main/proto/envoy/type/matcher/regex.proto b/src/main/proto/envoy/type/matcher/regex.proto deleted file mode 100644 index e009a5a..0000000 --- a/src/main/proto/envoy/type/matcher/regex.proto +++ /dev/null @@ -1,79 +0,0 @@ -syntax = "proto3"; - -package envoy.type.matcher; - -import "google/protobuf/wrappers.proto"; - -import "udpa/annotations/status.proto"; -import "validate/validate.proto"; - -option java_package = "io.envoyproxy.envoy.type.matcher"; -option java_outer_classname = "RegexProto"; -option java_multiple_files = true; -option go_package = "github.com/envoyproxy/go-control-plane/envoy/type/matcher"; -option (udpa.annotations.file_status).package_version_status = FROZEN; - -// [#protodoc-title: Regex matcher] - -// A regex matcher designed for safety when used with untrusted input. -message RegexMatcher { - // Google's `RE2 `_ regex engine. The regex string must adhere to - // the documented `syntax `_. The engine is designed - // to complete execution in linear time as well as limit the amount of memory used. - // - // Envoy supports program size checking via runtime. The runtime keys ``re2.max_program_size.error_level`` - // and ``re2.max_program_size.warn_level`` can be set to integers as the maximum program size or - // complexity that a compiled regex can have before an exception is thrown or a warning is - // logged, respectively. ``re2.max_program_size.error_level`` defaults to 100, and - // ``re2.max_program_size.warn_level`` has no default if unset (will not check/log a warning). - // - // Envoy emits two stats for tracking the program size of regexes: the histogram `re2.program_size`, - // which records the program size, and the counter `re2.exceeded_warn_level`, which is incremented - // each time the program size exceeds the warn level threshold. - message GoogleRE2 { - // This field controls the RE2 "program size" which is a rough estimate of how complex a - // compiled regex is to evaluate. A regex that has a program size greater than the configured - // value will fail to compile. In this case, the configured max program size can be increased - // or the regex can be simplified. If not specified, the default is 100. - // - // This field is deprecated; regexp validation should be performed on the management server - // instead of being done by each individual client. - google.protobuf.UInt32Value max_program_size = 1 [deprecated = true]; - } - - oneof engine_type { - option (validate.required) = true; - - // Google's RE2 regex engine. - GoogleRE2 google_re2 = 1 [(validate.rules).message = {required: true}]; - } - - // The regex match string. The string must be supported by the configured engine. - string regex = 2 [(validate.rules).string = {min_len: 1}]; -} - -// Describes how to match a string and then produce a new string using a regular -// expression and a substitution string. -message RegexMatchAndSubstitute { - // The regular expression used to find portions of a string (hereafter called - // the "subject string") that should be replaced. When a new string is - // produced during the substitution operation, the new string is initially - // the same as the subject string, but then all matches in the subject string - // are replaced by the substitution string. If replacing all matches isn't - // desired, regular expression anchors can be used to ensure a single match, - // so as to replace just one occurrence of a pattern. Capture groups can be - // used in the pattern to extract portions of the subject string, and then - // referenced in the substitution string. - RegexMatcher pattern = 1; - - // The string that should be substituted into matching portions of the - // subject string during a substitution operation to produce a new string. - // Capture groups in the pattern can be referenced in the substitution - // string. Note, however, that the syntax for referring to capture groups is - // defined by the chosen regular expression engine. Google's `RE2 - // `_ regular expression engine uses a - // backslash followed by the capture group number to denote a numbered - // capture group. E.g., ``\1`` refers to capture group 1, and ``\2`` refers - // to capture group 2. - string substitution = 2; -} diff --git a/src/main/proto/envoy/type/matcher/string.proto b/src/main/proto/envoy/type/matcher/string.proto deleted file mode 100644 index b4571ce..0000000 --- a/src/main/proto/envoy/type/matcher/string.proto +++ /dev/null @@ -1,80 +0,0 @@ -syntax = "proto3"; - -package envoy.type.matcher; - -import "envoy/type/matcher/regex.proto"; - -import "envoy/annotations/deprecation.proto"; -import "udpa/annotations/status.proto"; -import "validate/validate.proto"; - -option java_package = "io.envoyproxy.envoy.type.matcher"; -option java_outer_classname = "StringProto"; -option java_multiple_files = true; -option go_package = "github.com/envoyproxy/go-control-plane/envoy/type/matcher"; -option (udpa.annotations.file_status).package_version_status = FROZEN; - -// [#protodoc-title: String matcher] - -// Specifies the way to match a string. -// [#next-free-field: 7] -message StringMatcher { - oneof match_pattern { - option (validate.required) = true; - - // The input string must match exactly the string specified here. - // - // Examples: - // - // * *abc* only matches the value *abc*. - string exact = 1; - - // The input string must have the prefix specified here. - // Note: empty prefix is not allowed, please use regex instead. - // - // Examples: - // - // * *abc* matches the value *abc.xyz* - string prefix = 2 [(validate.rules).string = {min_len: 1}]; - - // The input string must have the suffix specified here. - // Note: empty prefix is not allowed, please use regex instead. - // - // Examples: - // - // * *abc* matches the value *xyz.abc* - string suffix = 3 [(validate.rules).string = {min_len: 1}]; - - // The input string must match the regular expression specified here. - // The regex grammar is defined `here - // `_. - // - // Examples: - // - // * The regex ``\d{3}`` matches the value *123* - // * The regex ``\d{3}`` does not match the value *1234* - // * The regex ``\d{3}`` does not match the value *123.456* - // - // .. attention:: - // This field has been deprecated in favor of `safe_regex` as it is not safe for use with - // untrusted input in all cases. - string regex = 4 [ - deprecated = true, - (validate.rules).string = {max_bytes: 1024}, - (envoy.annotations.disallowed_by_default) = true - ]; - - // The input string must match the regular expression specified here. - RegexMatcher safe_regex = 5 [(validate.rules).message = {required: true}]; - } - - // If true, indicates the exact/prefix/suffix matching should be case insensitive. This has no - // effect for the safe_regex match. - // For example, the matcher *data* will match both input string *Data* and *data* if set to true. - bool ignore_case = 6; -} - -// Specifies a list of ways to match a string. -message ListStringMatcher { - repeated StringMatcher patterns = 1 [(validate.rules).repeated = {min_items: 1}]; -} diff --git a/src/main/proto/envoy/type/matcher/struct.proto b/src/main/proto/envoy/type/matcher/struct.proto deleted file mode 100644 index f08bf79..0000000 --- a/src/main/proto/envoy/type/matcher/struct.proto +++ /dev/null @@ -1,85 +0,0 @@ -syntax = "proto3"; - -package envoy.type.matcher; - -import "envoy/type/matcher/value.proto"; - -import "udpa/annotations/status.proto"; -import "validate/validate.proto"; - -option java_package = "io.envoyproxy.envoy.type.matcher"; -option java_outer_classname = "StructProto"; -option java_multiple_files = true; -option go_package = "github.com/envoyproxy/go-control-plane/envoy/type/matcher"; -option (udpa.annotations.file_status).package_version_status = FROZEN; - -// [#protodoc-title: Struct matcher] - -// StructMatcher provides a general interface to check if a given value is matched in -// google.protobuf.Struct. It uses `path` to retrieve the value -// from the struct and then check if it's matched to the specified value. -// -// For example, for the following Struct: -// -// .. code-block:: yaml -// -// fields: -// a: -// struct_value: -// fields: -// b: -// struct_value: -// fields: -// c: -// string_value: pro -// t: -// list_value: -// values: -// - string_value: m -// - string_value: n -// -// The following MetadataMatcher is matched as the path [a, b, c] will retrieve a string value "pro" -// from the Metadata which is matched to the specified prefix match. -// -// .. code-block:: yaml -// -// path: -// - key: a -// - key: b -// - key: c -// value: -// string_match: -// prefix: pr -// -// The following StructMatcher is matched as the code will match one of the string values in the -// list at the path [a, t]. -// -// .. code-block:: yaml -// -// path: -// - key: a -// - key: t -// value: -// list_match: -// one_of: -// string_match: -// exact: m -// -// An example use of StructMatcher is to match metadata in envoy.v*.core.Node. -message StructMatcher { - // Specifies the segment in a path to retrieve value from Struct. - message PathSegment { - oneof segment { - option (validate.required) = true; - - // If specified, use the key to retrieve the value in a Struct. - string key = 1 [(validate.rules).string = {min_len: 1}]; - } - } - - // The path to retrieve the Value from the Struct. - repeated PathSegment path = 2 [(validate.rules).repeated = {min_items: 1}]; - - // The StructMatcher is matched if the value retrieved by path is matched to this value. - ValueMatcher value = 3 [(validate.rules).message = {required: true}]; -} diff --git a/src/main/proto/envoy/type/matcher/v3/BUILD b/src/main/proto/envoy/type/matcher/v3/BUILD deleted file mode 100644 index fb28aa0..0000000 --- a/src/main/proto/envoy/type/matcher/v3/BUILD +++ /dev/null @@ -1,13 +0,0 @@ -# DO NOT EDIT. This file is generated by tools/proto_format/proto_sync.py. - -load("@envoy_api//bazel:api_build_system.bzl", "api_proto_package") - -licenses(["notice"]) # Apache 2 - -api_proto_package( - deps = [ - "//envoy/annotations:pkg", - "//envoy/type/v3:pkg", - "@com_github_cncf_udpa//udpa/annotations:pkg", - ], -) diff --git a/src/main/proto/envoy/type/matcher/v3/filter_state.proto b/src/main/proto/envoy/type/matcher/v3/filter_state.proto deleted file mode 100644 index f813178..0000000 --- a/src/main/proto/envoy/type/matcher/v3/filter_state.proto +++ /dev/null @@ -1,29 +0,0 @@ -syntax = "proto3"; - -package envoy.type.matcher.v3; - -import "envoy/type/matcher/v3/string.proto"; - -import "udpa/annotations/status.proto"; -import "validate/validate.proto"; - -option java_package = "io.envoyproxy.envoy.type.matcher.v3"; -option java_outer_classname = "FilterStateProto"; -option java_multiple_files = true; -option go_package = "github.com/envoyproxy/go-control-plane/envoy/type/matcher/v3;matcherv3"; -option (udpa.annotations.file_status).package_version_status = ACTIVE; - -// [#protodoc-title: Filter state matcher] - -// FilterStateMatcher provides a general interface for matching the filter state objects. -message FilterStateMatcher { - // The filter state key to retrieve the object. - string key = 1 [(validate.rules).string = {min_len: 1}]; - - oneof matcher { - option (validate.required) = true; - - // Matches the filter state object as a string value. - StringMatcher string_match = 2; - } -} diff --git a/src/main/proto/envoy/type/matcher/v3/http_inputs.proto b/src/main/proto/envoy/type/matcher/v3/http_inputs.proto deleted file mode 100644 index 27e29bf..0000000 --- a/src/main/proto/envoy/type/matcher/v3/http_inputs.proto +++ /dev/null @@ -1,62 +0,0 @@ -syntax = "proto3"; - -package envoy.type.matcher.v3; - -import "udpa/annotations/status.proto"; -import "validate/validate.proto"; - -option java_package = "io.envoyproxy.envoy.type.matcher.v3"; -option java_outer_classname = "HttpInputsProto"; -option java_multiple_files = true; -option go_package = "github.com/envoyproxy/go-control-plane/envoy/type/matcher/v3;matcherv3"; -option (udpa.annotations.file_status).package_version_status = ACTIVE; - -// [#protodoc-title: Common HTTP inputs] - -// Match input indicates that matching should be done on a specific request header. -// The resulting input string will be all headers for the given key joined by a comma, -// e.g. if the request contains two 'foo' headers with value 'bar' and 'baz', the input -// string will be 'bar,baz'. -// [#comment:TODO(snowp): Link to unified matching docs.] -// [#extension: envoy.matching.inputs.request_headers] -message HttpRequestHeaderMatchInput { - // The request header to match on. - string header_name = 1 - [(validate.rules).string = {well_known_regex: HTTP_HEADER_NAME strict: false}]; -} - -// Match input indicates that matching should be done on a specific request trailer. -// The resulting input string will be all headers for the given key joined by a comma, -// e.g. if the request contains two 'foo' headers with value 'bar' and 'baz', the input -// string will be 'bar,baz'. -// [#comment:TODO(snowp): Link to unified matching docs.] -// [#extension: envoy.matching.inputs.request_trailers] -message HttpRequestTrailerMatchInput { - // The request trailer to match on. - string header_name = 1 - [(validate.rules).string = {well_known_regex: HTTP_HEADER_NAME strict: false}]; -} - -// Match input indicating that matching should be done on a specific response header. -// The resulting input string will be all headers for the given key joined by a comma, -// e.g. if the response contains two 'foo' headers with value 'bar' and 'baz', the input -// string will be 'bar,baz'. -// [#comment:TODO(snowp): Link to unified matching docs.] -// [#extension: envoy.matching.inputs.response_headers] -message HttpResponseHeaderMatchInput { - // The response header to match on. - string header_name = 1 - [(validate.rules).string = {well_known_regex: HTTP_HEADER_NAME strict: false}]; -} - -// Match input indicates that matching should be done on a specific response trailer. -// The resulting input string will be all headers for the given key joined by a comma, -// e.g. if the request contains two 'foo' headers with value 'bar' and 'baz', the input -// string will be 'bar,baz'. -// [#comment:TODO(snowp): Link to unified matching docs.] -// [#extension: envoy.matching.inputs.response_trailers] -message HttpResponseTrailerMatchInput { - // The response trailer to match on. - string header_name = 1 - [(validate.rules).string = {well_known_regex: HTTP_HEADER_NAME strict: false}]; -} diff --git a/src/main/proto/envoy/type/matcher/v3/metadata.proto b/src/main/proto/envoy/type/matcher/v3/metadata.proto deleted file mode 100644 index d3316e8..0000000 --- a/src/main/proto/envoy/type/matcher/v3/metadata.proto +++ /dev/null @@ -1,108 +0,0 @@ -syntax = "proto3"; - -package envoy.type.matcher.v3; - -import "envoy/type/matcher/v3/value.proto"; - -import "udpa/annotations/status.proto"; -import "udpa/annotations/versioning.proto"; -import "validate/validate.proto"; - -option java_package = "io.envoyproxy.envoy.type.matcher.v3"; -option java_outer_classname = "MetadataProto"; -option java_multiple_files = true; -option go_package = "github.com/envoyproxy/go-control-plane/envoy/type/matcher/v3;matcherv3"; -option (udpa.annotations.file_status).package_version_status = ACTIVE; - -// [#protodoc-title: Metadata matcher] - -// MetadataMatcher provides a general interface to check if a given value is matched in -// :ref:`Metadata `. It uses `filter` and `path` to retrieve the value -// from the Metadata and then check if it's matched to the specified value. -// -// For example, for the following Metadata: -// -// .. code-block:: yaml -// -// filter_metadata: -// envoy.filters.http.rbac: -// fields: -// a: -// struct_value: -// fields: -// b: -// struct_value: -// fields: -// c: -// string_value: pro -// t: -// list_value: -// values: -// - string_value: m -// - string_value: n -// -// The following MetadataMatcher is matched as the path [a, b, c] will retrieve a string value "pro" -// from the Metadata which is matched to the specified prefix match. -// -// .. code-block:: yaml -// -// filter: envoy.filters.http.rbac -// path: -// - key: a -// - key: b -// - key: c -// value: -// string_match: -// prefix: pr -// -// The following MetadataMatcher is matched as the code will match one of the string values in the -// list at the path [a, t]. -// -// .. code-block:: yaml -// -// filter: envoy.filters.http.rbac -// path: -// - key: a -// - key: t -// value: -// list_match: -// one_of: -// string_match: -// exact: m -// -// An example use of MetadataMatcher is specifying additional metadata in envoy.filters.http.rbac to -// enforce access control based on dynamic metadata in a request. See :ref:`Permission -// ` and :ref:`Principal -// `. - -// [#next-major-version: MetadataMatcher should use StructMatcher] -message MetadataMatcher { - option (udpa.annotations.versioning).previous_message_type = "envoy.type.matcher.MetadataMatcher"; - - // Specifies the segment in a path to retrieve value from Metadata. - // Note: Currently it's not supported to retrieve a value from a list in Metadata. This means that - // if the segment key refers to a list, it has to be the last segment in a path. - message PathSegment { - option (udpa.annotations.versioning).previous_message_type = - "envoy.type.matcher.MetadataMatcher.PathSegment"; - - oneof segment { - option (validate.required) = true; - - // If specified, use the key to retrieve the value in a Struct. - string key = 1 [(validate.rules).string = {min_len: 1}]; - } - } - - // The filter name to retrieve the Struct from the Metadata. - string filter = 1 [(validate.rules).string = {min_len: 1}]; - - // The path to retrieve the Value from the Struct. - repeated PathSegment path = 2 [(validate.rules).repeated = {min_items: 1}]; - - // The MetadataMatcher is matched if the value retrieved by path is matched to this value. - ValueMatcher value = 3 [(validate.rules).message = {required: true}]; - - // If true, the match result will be inverted. - bool invert = 4; -} diff --git a/src/main/proto/envoy/type/matcher/v3/node.proto b/src/main/proto/envoy/type/matcher/v3/node.proto deleted file mode 100644 index baa92fb..0000000 --- a/src/main/proto/envoy/type/matcher/v3/node.proto +++ /dev/null @@ -1,29 +0,0 @@ -syntax = "proto3"; - -package envoy.type.matcher.v3; - -import "envoy/type/matcher/v3/string.proto"; -import "envoy/type/matcher/v3/struct.proto"; - -import "udpa/annotations/status.proto"; -import "udpa/annotations/versioning.proto"; - -option java_package = "io.envoyproxy.envoy.type.matcher.v3"; -option java_outer_classname = "NodeProto"; -option java_multiple_files = true; -option go_package = "github.com/envoyproxy/go-control-plane/envoy/type/matcher/v3;matcherv3"; -option (udpa.annotations.file_status).package_version_status = ACTIVE; - -// [#protodoc-title: Node matcher] - -// Specifies the way to match a Node. -// The match follows AND semantics. -message NodeMatcher { - option (udpa.annotations.versioning).previous_message_type = "envoy.type.matcher.NodeMatcher"; - - // Specifies match criteria on the node id. - StringMatcher node_id = 1; - - // Specifies match criteria on the node metadata. - repeated StructMatcher node_metadatas = 2; -} diff --git a/src/main/proto/envoy/type/matcher/v3/number.proto b/src/main/proto/envoy/type/matcher/v3/number.proto deleted file mode 100644 index 99681c9..0000000 --- a/src/main/proto/envoy/type/matcher/v3/number.proto +++ /dev/null @@ -1,33 +0,0 @@ -syntax = "proto3"; - -package envoy.type.matcher.v3; - -import "envoy/type/v3/range.proto"; - -import "udpa/annotations/status.proto"; -import "udpa/annotations/versioning.proto"; -import "validate/validate.proto"; - -option java_package = "io.envoyproxy.envoy.type.matcher.v3"; -option java_outer_classname = "NumberProto"; -option java_multiple_files = true; -option go_package = "github.com/envoyproxy/go-control-plane/envoy/type/matcher/v3;matcherv3"; -option (udpa.annotations.file_status).package_version_status = ACTIVE; - -// [#protodoc-title: Number matcher] - -// Specifies the way to match a double value. -message DoubleMatcher { - option (udpa.annotations.versioning).previous_message_type = "envoy.type.matcher.DoubleMatcher"; - - oneof match_pattern { - option (validate.required) = true; - - // If specified, the input double value must be in the range specified here. - // Note: The range is using half-open interval semantics [start, end). - type.v3.DoubleRange range = 1; - - // If specified, the input double value must be equal to the value specified here. - double exact = 2; - } -} diff --git a/src/main/proto/envoy/type/matcher/v3/path.proto b/src/main/proto/envoy/type/matcher/v3/path.proto deleted file mode 100644 index 46b758e..0000000 --- a/src/main/proto/envoy/type/matcher/v3/path.proto +++ /dev/null @@ -1,31 +0,0 @@ -syntax = "proto3"; - -package envoy.type.matcher.v3; - -import "envoy/type/matcher/v3/string.proto"; - -import "udpa/annotations/status.proto"; -import "udpa/annotations/versioning.proto"; -import "validate/validate.proto"; - -option java_package = "io.envoyproxy.envoy.type.matcher.v3"; -option java_outer_classname = "PathProto"; -option java_multiple_files = true; -option go_package = "github.com/envoyproxy/go-control-plane/envoy/type/matcher/v3;matcherv3"; -option (udpa.annotations.file_status).package_version_status = ACTIVE; - -// [#protodoc-title: Path matcher] - -// Specifies the way to match a path on HTTP request. -message PathMatcher { - option (udpa.annotations.versioning).previous_message_type = "envoy.type.matcher.PathMatcher"; - - oneof rule { - option (validate.required) = true; - - // The ``path`` must match the URL path portion of the :path header. The query and fragment - // string (if present) are removed in the URL path portion. - // For example, the path ``/data`` will match the ``:path`` header ``/data#fragment?param=value``. - StringMatcher path = 1 [(validate.rules).message = {required: true}]; - } -} diff --git a/src/main/proto/envoy/type/matcher/v3/regex.proto b/src/main/proto/envoy/type/matcher/v3/regex.proto deleted file mode 100644 index 69cb8ba..0000000 --- a/src/main/proto/envoy/type/matcher/v3/regex.proto +++ /dev/null @@ -1,100 +0,0 @@ -syntax = "proto3"; - -package envoy.type.matcher.v3; - -import "google/protobuf/wrappers.proto"; - -import "envoy/annotations/deprecation.proto"; -import "udpa/annotations/status.proto"; -import "udpa/annotations/versioning.proto"; -import "validate/validate.proto"; - -option java_package = "io.envoyproxy.envoy.type.matcher.v3"; -option java_outer_classname = "RegexProto"; -option java_multiple_files = true; -option go_package = "github.com/envoyproxy/go-control-plane/envoy/type/matcher/v3;matcherv3"; -option (udpa.annotations.file_status).package_version_status = ACTIVE; - -// [#protodoc-title: Regex matcher] - -// A regex matcher designed for safety when used with untrusted input. -message RegexMatcher { - option (udpa.annotations.versioning).previous_message_type = "envoy.type.matcher.RegexMatcher"; - - // Google's `RE2 `_ regex engine. The regex string must adhere to - // the documented `syntax `_. The engine is designed - // to complete execution in linear time as well as limit the amount of memory used. - // - // Envoy supports program size checking via runtime. The runtime keys ``re2.max_program_size.error_level`` - // and ``re2.max_program_size.warn_level`` can be set to integers as the maximum program size or - // complexity that a compiled regex can have before an exception is thrown or a warning is - // logged, respectively. ``re2.max_program_size.error_level`` defaults to 100, and - // ``re2.max_program_size.warn_level`` has no default if unset (will not check/log a warning). - // - // Envoy emits two stats for tracking the program size of regexes: the histogram ``re2.program_size``, - // which records the program size, and the counter ``re2.exceeded_warn_level``, which is incremented - // each time the program size exceeds the warn level threshold. - message GoogleRE2 { - option (udpa.annotations.versioning).previous_message_type = - "envoy.type.matcher.RegexMatcher.GoogleRE2"; - - // This field controls the RE2 "program size" which is a rough estimate of how complex a - // compiled regex is to evaluate. A regex that has a program size greater than the configured - // value will fail to compile. In this case, the configured max program size can be increased - // or the regex can be simplified. If not specified, the default is 100. - // - // This field is deprecated; regexp validation should be performed on the management server - // instead of being done by each individual client. - // - // .. note:: - // - // Although this field is deprecated, the program size will still be checked against the - // global ``re2.max_program_size.error_level`` runtime value. - // - google.protobuf.UInt32Value max_program_size = 1 - [deprecated = true, (envoy.annotations.deprecated_at_minor_version) = "3.0"]; - } - - oneof engine_type { - // Google's RE2 regex engine. - GoogleRE2 google_re2 = 1 [ - deprecated = true, - (validate.rules).message = {required: true}, - (envoy.annotations.deprecated_at_minor_version) = "3.0" - ]; - } - - // The regex match string. The string must be supported by the configured engine. The regex is matched - // against the full string, not as a partial match. - string regex = 2 [(validate.rules).string = {min_len: 1}]; -} - -// Describes how to match a string and then produce a new string using a regular -// expression and a substitution string. -message RegexMatchAndSubstitute { - option (udpa.annotations.versioning).previous_message_type = - "envoy.type.matcher.RegexMatchAndSubstitute"; - - // The regular expression used to find portions of a string (hereafter called - // the "subject string") that should be replaced. When a new string is - // produced during the substitution operation, the new string is initially - // the same as the subject string, but then all matches in the subject string - // are replaced by the substitution string. If replacing all matches isn't - // desired, regular expression anchors can be used to ensure a single match, - // so as to replace just one occurrence of a pattern. Capture groups can be - // used in the pattern to extract portions of the subject string, and then - // referenced in the substitution string. - RegexMatcher pattern = 1 [(validate.rules).message = {required: true}]; - - // The string that should be substituted into matching portions of the - // subject string during a substitution operation to produce a new string. - // Capture groups in the pattern can be referenced in the substitution - // string. Note, however, that the syntax for referring to capture groups is - // defined by the chosen regular expression engine. Google's `RE2 - // `_ regular expression engine uses a - // backslash followed by the capture group number to denote a numbered - // capture group. E.g., ``\1`` refers to capture group 1, and ``\2`` refers - // to capture group 2. - string substitution = 2 - [(validate.rules).string = {well_known_regex: HTTP_HEADER_VALUE strict: false}]; -} diff --git a/src/main/proto/envoy/type/matcher/v3/string.proto b/src/main/proto/envoy/type/matcher/v3/string.proto deleted file mode 100644 index 2df1bd3..0000000 --- a/src/main/proto/envoy/type/matcher/v3/string.proto +++ /dev/null @@ -1,78 +0,0 @@ -syntax = "proto3"; - -package envoy.type.matcher.v3; - -import "envoy/type/matcher/v3/regex.proto"; - -import "udpa/annotations/status.proto"; -import "udpa/annotations/versioning.proto"; -import "validate/validate.proto"; - -option java_package = "io.envoyproxy.envoy.type.matcher.v3"; -option java_outer_classname = "StringProto"; -option java_multiple_files = true; -option go_package = "github.com/envoyproxy/go-control-plane/envoy/type/matcher/v3;matcherv3"; -option (udpa.annotations.file_status).package_version_status = ACTIVE; - -// [#protodoc-title: String matcher] - -// Specifies the way to match a string. -// [#next-free-field: 8] -message StringMatcher { - option (udpa.annotations.versioning).previous_message_type = "envoy.type.matcher.StringMatcher"; - - reserved 4; - - reserved "regex"; - - oneof match_pattern { - option (validate.required) = true; - - // The input string must match exactly the string specified here. - // - // Examples: - // - // * ``abc`` only matches the value ``abc``. - string exact = 1; - - // The input string must have the prefix specified here. - // Note: empty prefix is not allowed, please use regex instead. - // - // Examples: - // - // * ``abc`` matches the value ``abc.xyz`` - string prefix = 2 [(validate.rules).string = {min_len: 1}]; - - // The input string must have the suffix specified here. - // Note: empty prefix is not allowed, please use regex instead. - // - // Examples: - // - // * ``abc`` matches the value ``xyz.abc`` - string suffix = 3 [(validate.rules).string = {min_len: 1}]; - - // The input string must match the regular expression specified here. - RegexMatcher safe_regex = 5 [(validate.rules).message = {required: true}]; - - // The input string must have the substring specified here. - // Note: empty contains match is not allowed, please use regex instead. - // - // Examples: - // - // * ``abc`` matches the value ``xyz.abc.def`` - string contains = 7 [(validate.rules).string = {min_len: 1}]; - } - - // If true, indicates the exact/prefix/suffix/contains matching should be case insensitive. This - // has no effect for the safe_regex match. - // For example, the matcher ``data`` will match both input string ``Data`` and ``data`` if set to true. - bool ignore_case = 6; -} - -// Specifies a list of ways to match a string. -message ListStringMatcher { - option (udpa.annotations.versioning).previous_message_type = - "envoy.type.matcher.ListStringMatcher"; - - repeated StringMatcher patterns = 1 [(validate.rules).repeated = {min_items: 1}]; -} diff --git a/src/main/proto/envoy/type/matcher/v3/struct.proto b/src/main/proto/envoy/type/matcher/v3/struct.proto deleted file mode 100644 index 1b96334..0000000 --- a/src/main/proto/envoy/type/matcher/v3/struct.proto +++ /dev/null @@ -1,91 +0,0 @@ -syntax = "proto3"; - -package envoy.type.matcher.v3; - -import "envoy/type/matcher/v3/value.proto"; - -import "udpa/annotations/status.proto"; -import "udpa/annotations/versioning.proto"; -import "validate/validate.proto"; - -option java_package = "io.envoyproxy.envoy.type.matcher.v3"; -option java_outer_classname = "StructProto"; -option java_multiple_files = true; -option go_package = "github.com/envoyproxy/go-control-plane/envoy/type/matcher/v3;matcherv3"; -option (udpa.annotations.file_status).package_version_status = ACTIVE; - -// [#protodoc-title: Struct matcher] - -// StructMatcher provides a general interface to check if a given value is matched in -// google.protobuf.Struct. It uses ``path`` to retrieve the value -// from the struct and then check if it's matched to the specified value. -// -// For example, for the following Struct: -// -// .. code-block:: yaml -// -// fields: -// a: -// struct_value: -// fields: -// b: -// struct_value: -// fields: -// c: -// string_value: pro -// t: -// list_value: -// values: -// - string_value: m -// - string_value: n -// -// The following MetadataMatcher is matched as the path [a, b, c] will retrieve a string value "pro" -// from the Metadata which is matched to the specified prefix match. -// -// .. code-block:: yaml -// -// path: -// - key: a -// - key: b -// - key: c -// value: -// string_match: -// prefix: pr -// -// The following StructMatcher is matched as the code will match one of the string values in the -// list at the path [a, t]. -// -// .. code-block:: yaml -// -// path: -// - key: a -// - key: t -// value: -// list_match: -// one_of: -// string_match: -// exact: m -// -// An example use of StructMatcher is to match metadata in envoy.v*.core.Node. -message StructMatcher { - option (udpa.annotations.versioning).previous_message_type = "envoy.type.matcher.StructMatcher"; - - // Specifies the segment in a path to retrieve value from Struct. - message PathSegment { - option (udpa.annotations.versioning).previous_message_type = - "envoy.type.matcher.StructMatcher.PathSegment"; - - oneof segment { - option (validate.required) = true; - - // If specified, use the key to retrieve the value in a Struct. - string key = 1 [(validate.rules).string = {min_len: 1}]; - } - } - - // The path to retrieve the Value from the Struct. - repeated PathSegment path = 2 [(validate.rules).repeated = {min_items: 1}]; - - // The StructMatcher is matched if the value retrieved by path is matched to this value. - ValueMatcher value = 3 [(validate.rules).message = {required: true}]; -} diff --git a/src/main/proto/envoy/type/matcher/v3/value.proto b/src/main/proto/envoy/type/matcher/v3/value.proto deleted file mode 100644 index bd46acc..0000000 --- a/src/main/proto/envoy/type/matcher/v3/value.proto +++ /dev/null @@ -1,72 +0,0 @@ -syntax = "proto3"; - -package envoy.type.matcher.v3; - -import "envoy/type/matcher/v3/number.proto"; -import "envoy/type/matcher/v3/string.proto"; - -import "udpa/annotations/status.proto"; -import "udpa/annotations/versioning.proto"; -import "validate/validate.proto"; - -option java_package = "io.envoyproxy.envoy.type.matcher.v3"; -option java_outer_classname = "ValueProto"; -option java_multiple_files = true; -option go_package = "github.com/envoyproxy/go-control-plane/envoy/type/matcher/v3;matcherv3"; -option (udpa.annotations.file_status).package_version_status = ACTIVE; - -// [#protodoc-title: Value matcher] - -// Specifies the way to match a ProtobufWkt::Value. Primitive values and ListValue are supported. -// StructValue is not supported and is always not matched. -// [#next-free-field: 7] -message ValueMatcher { - option (udpa.annotations.versioning).previous_message_type = "envoy.type.matcher.ValueMatcher"; - - // NullMatch is an empty message to specify a null value. - message NullMatch { - option (udpa.annotations.versioning).previous_message_type = - "envoy.type.matcher.ValueMatcher.NullMatch"; - } - - // Specifies how to match a value. - oneof match_pattern { - option (validate.required) = true; - - // If specified, a match occurs if and only if the target value is a NullValue. - NullMatch null_match = 1; - - // If specified, a match occurs if and only if the target value is a double value and is - // matched to this field. - DoubleMatcher double_match = 2; - - // If specified, a match occurs if and only if the target value is a string value and is - // matched to this field. - StringMatcher string_match = 3; - - // If specified, a match occurs if and only if the target value is a bool value and is equal - // to this field. - bool bool_match = 4; - - // If specified, value match will be performed based on whether the path is referring to a - // valid primitive value in the metadata. If the path is referring to a non-primitive value, - // the result is always not matched. - bool present_match = 5; - - // If specified, a match occurs if and only if the target value is a list value and - // is matched to this field. - ListMatcher list_match = 6; - } -} - -// Specifies the way to match a list value. -message ListMatcher { - option (udpa.annotations.versioning).previous_message_type = "envoy.type.matcher.ListMatcher"; - - oneof match_pattern { - option (validate.required) = true; - - // If specified, at least one of the values in the list must match the value specified. - ValueMatcher one_of = 1; - } -} diff --git a/src/main/proto/envoy/type/matcher/value.proto b/src/main/proto/envoy/type/matcher/value.proto deleted file mode 100644 index 89d341b..0000000 --- a/src/main/proto/envoy/type/matcher/value.proto +++ /dev/null @@ -1,65 +0,0 @@ -syntax = "proto3"; - -package envoy.type.matcher; - -import "envoy/type/matcher/number.proto"; -import "envoy/type/matcher/string.proto"; - -import "udpa/annotations/status.proto"; -import "validate/validate.proto"; - -option java_package = "io.envoyproxy.envoy.type.matcher"; -option java_outer_classname = "ValueProto"; -option java_multiple_files = true; -option go_package = "github.com/envoyproxy/go-control-plane/envoy/type/matcher"; -option (udpa.annotations.file_status).package_version_status = FROZEN; - -// [#protodoc-title: Value matcher] - -// Specifies the way to match a ProtobufWkt::Value. Primitive values and ListValue are supported. -// StructValue is not supported and is always not matched. -// [#next-free-field: 7] -message ValueMatcher { - // NullMatch is an empty message to specify a null value. - message NullMatch { - } - - // Specifies how to match a value. - oneof match_pattern { - option (validate.required) = true; - - // If specified, a match occurs if and only if the target value is a NullValue. - NullMatch null_match = 1; - - // If specified, a match occurs if and only if the target value is a double value and is - // matched to this field. - DoubleMatcher double_match = 2; - - // If specified, a match occurs if and only if the target value is a string value and is - // matched to this field. - StringMatcher string_match = 3; - - // If specified, a match occurs if and only if the target value is a bool value and is equal - // to this field. - bool bool_match = 4; - - // If specified, value match will be performed based on whether the path is referring to a - // valid primitive value in the metadata. If the path is referring to a non-primitive value, - // the result is always not matched. - bool present_match = 5; - - // If specified, a match occurs if and only if the target value is a list value and - // is matched to this field. - ListMatcher list_match = 6; - } -} - -// Specifies the way to match a list value. -message ListMatcher { - oneof match_pattern { - option (validate.required) = true; - - // If specified, at least one of the values in the list must match the value specified. - ValueMatcher one_of = 1; - } -} diff --git a/src/main/proto/envoy/type/metadata/v2/BUILD b/src/main/proto/envoy/type/metadata/v2/BUILD deleted file mode 100644 index ee92fb6..0000000 --- a/src/main/proto/envoy/type/metadata/v2/BUILD +++ /dev/null @@ -1,9 +0,0 @@ -# DO NOT EDIT. This file is generated by tools/proto_format/proto_sync.py. - -load("@envoy_api//bazel:api_build_system.bzl", "api_proto_package") - -licenses(["notice"]) # Apache 2 - -api_proto_package( - deps = ["@com_github_cncf_udpa//udpa/annotations:pkg"], -) diff --git a/src/main/proto/envoy/type/metadata/v2/metadata.proto b/src/main/proto/envoy/type/metadata/v2/metadata.proto deleted file mode 100644 index 75f0250..0000000 --- a/src/main/proto/envoy/type/metadata/v2/metadata.proto +++ /dev/null @@ -1,100 +0,0 @@ -syntax = "proto3"; - -package envoy.type.metadata.v2; - -import "udpa/annotations/migrate.proto"; -import "udpa/annotations/status.proto"; -import "validate/validate.proto"; - -option java_package = "io.envoyproxy.envoy.type.metadata.v2"; -option java_outer_classname = "MetadataProto"; -option java_multiple_files = true; -option go_package = "github.com/envoyproxy/go-control-plane/envoy/type/metadata/v2;metadatav2"; -option (udpa.annotations.file_migrate).move_to_package = "envoy.type.metadata.v3"; -option (udpa.annotations.file_status).package_version_status = FROZEN; - -// [#protodoc-title: Metadata] - -// MetadataKey provides a general interface using `key` and `path` to retrieve value from -// :ref:`Metadata `. -// -// For example, for the following Metadata: -// -// .. code-block:: yaml -// -// filter_metadata: -// envoy.xxx: -// prop: -// foo: bar -// xyz: -// hello: envoy -// -// The following MetadataKey will retrieve a string value "bar" from the Metadata. -// -// .. code-block:: yaml -// -// key: envoy.xxx -// path: -// - key: prop -// - key: foo -// -message MetadataKey { - // Specifies the segment in a path to retrieve value from Metadata. - // Currently it is only supported to specify the key, i.e. field name, as one segment of a path. - message PathSegment { - oneof segment { - option (validate.required) = true; - - // If specified, use the key to retrieve the value in a Struct. - string key = 1 [(validate.rules).string = {min_bytes: 1}]; - } - } - - // The key name of Metadata to retrieve the Struct from the metadata. - // Typically, it represents a builtin subsystem or custom extension. - string key = 1 [(validate.rules).string = {min_bytes: 1}]; - - // The path to retrieve the Value from the Struct. It can be a prefix or a full path, - // e.g. ``[prop, xyz]`` for a struct or ``[prop, foo]`` for a string in the example, - // which depends on the particular scenario. - // - // Note: Due to that only the key type segment is supported, the path can not specify a list - // unless the list is the last segment. - repeated PathSegment path = 2 [(validate.rules).repeated = {min_items: 1}]; -} - -// Describes what kind of metadata. -message MetadataKind { - // Represents dynamic metadata associated with the request. - message Request { - } - - // Represents metadata from :ref:`the route`. - message Route { - } - - // Represents metadata from :ref:`the upstream cluster`. - message Cluster { - } - - // Represents metadata from :ref:`the upstream - // host`. - message Host { - } - - oneof kind { - option (validate.required) = true; - - // Request kind of metadata. - Request request = 1; - - // Route kind of metadata. - Route route = 2; - - // Cluster kind of metadata. - Cluster cluster = 3; - - // Host kind of metadata. - Host host = 4; - } -} diff --git a/src/main/proto/envoy/type/metadata/v3/BUILD b/src/main/proto/envoy/type/metadata/v3/BUILD deleted file mode 100644 index ee92fb6..0000000 --- a/src/main/proto/envoy/type/metadata/v3/BUILD +++ /dev/null @@ -1,9 +0,0 @@ -# DO NOT EDIT. This file is generated by tools/proto_format/proto_sync.py. - -load("@envoy_api//bazel:api_build_system.bzl", "api_proto_package") - -licenses(["notice"]) # Apache 2 - -api_proto_package( - deps = ["@com_github_cncf_udpa//udpa/annotations:pkg"], -) diff --git a/src/main/proto/envoy/type/metadata/v3/metadata.proto b/src/main/proto/envoy/type/metadata/v3/metadata.proto deleted file mode 100644 index 2075857..0000000 --- a/src/main/proto/envoy/type/metadata/v3/metadata.proto +++ /dev/null @@ -1,115 +0,0 @@ -syntax = "proto3"; - -package envoy.type.metadata.v3; - -import "udpa/annotations/status.proto"; -import "udpa/annotations/versioning.proto"; -import "validate/validate.proto"; - -option java_package = "io.envoyproxy.envoy.type.metadata.v3"; -option java_outer_classname = "MetadataProto"; -option java_multiple_files = true; -option go_package = "github.com/envoyproxy/go-control-plane/envoy/type/metadata/v3;metadatav3"; -option (udpa.annotations.file_status).package_version_status = ACTIVE; - -// [#protodoc-title: Metadata] - -// MetadataKey provides a general interface using ``key`` and ``path`` to retrieve value from -// :ref:`Metadata `. -// -// For example, for the following Metadata: -// -// .. code-block:: yaml -// -// filter_metadata: -// envoy.xxx: -// prop: -// foo: bar -// xyz: -// hello: envoy -// -// The following MetadataKey will retrieve a string value "bar" from the Metadata. -// -// .. code-block:: yaml -// -// key: envoy.xxx -// path: -// - key: prop -// - key: foo -// -message MetadataKey { - option (udpa.annotations.versioning).previous_message_type = "envoy.type.metadata.v2.MetadataKey"; - - // Specifies the segment in a path to retrieve value from Metadata. - // Currently it is only supported to specify the key, i.e. field name, as one segment of a path. - message PathSegment { - option (udpa.annotations.versioning).previous_message_type = - "envoy.type.metadata.v2.MetadataKey.PathSegment"; - - oneof segment { - option (validate.required) = true; - - // If specified, use the key to retrieve the value in a Struct. - string key = 1 [(validate.rules).string = {min_len: 1}]; - } - } - - // The key name of Metadata to retrieve the Struct from the metadata. - // Typically, it represents a builtin subsystem or custom extension. - string key = 1 [(validate.rules).string = {min_len: 1}]; - - // The path to retrieve the Value from the Struct. It can be a prefix or a full path, - // e.g. ``[prop, xyz]`` for a struct or ``[prop, foo]`` for a string in the example, - // which depends on the particular scenario. - // - // Note: Due to that only the key type segment is supported, the path can not specify a list - // unless the list is the last segment. - repeated PathSegment path = 2 [(validate.rules).repeated = {min_items: 1}]; -} - -// Describes what kind of metadata. -message MetadataKind { - option (udpa.annotations.versioning).previous_message_type = - "envoy.type.metadata.v2.MetadataKind"; - - // Represents dynamic metadata associated with the request. - message Request { - option (udpa.annotations.versioning).previous_message_type = - "envoy.type.metadata.v2.MetadataKind.Request"; - } - - // Represents metadata from :ref:`the route`. - message Route { - option (udpa.annotations.versioning).previous_message_type = - "envoy.type.metadata.v2.MetadataKind.Route"; - } - - // Represents metadata from :ref:`the upstream cluster`. - message Cluster { - option (udpa.annotations.versioning).previous_message_type = - "envoy.type.metadata.v2.MetadataKind.Cluster"; - } - - // Represents metadata from :ref:`the upstream - // host`. - message Host { - option (udpa.annotations.versioning).previous_message_type = - "envoy.type.metadata.v2.MetadataKind.Host"; - } - - oneof kind { - option (validate.required) = true; - - // Request kind of metadata. - Request request = 1; - - // Route kind of metadata. - Route route = 2; - - // Cluster kind of metadata. - Cluster cluster = 3; - - // Host kind of metadata. - Host host = 4; - } -} diff --git a/src/main/proto/envoy/type/range.proto b/src/main/proto/envoy/type/range.proto deleted file mode 100644 index 9e66e6f..0000000 --- a/src/main/proto/envoy/type/range.proto +++ /dev/null @@ -1,43 +0,0 @@ -syntax = "proto3"; - -package envoy.type; - -import "udpa/annotations/status.proto"; - -option java_package = "io.envoyproxy.envoy.type"; -option java_outer_classname = "RangeProto"; -option java_multiple_files = true; -option go_package = "github.com/envoyproxy/go-control-plane/envoy/type"; -option (udpa.annotations.file_status).package_version_status = FROZEN; - -// [#protodoc-title: Range] - -// Specifies the int64 start and end of the range using half-open interval semantics [start, -// end). -message Int64Range { - // start of the range (inclusive) - int64 start = 1; - - // end of the range (exclusive) - int64 end = 2; -} - -// Specifies the int32 start and end of the range using half-open interval semantics [start, -// end). -message Int32Range { - // start of the range (inclusive) - int32 start = 1; - - // end of the range (exclusive) - int32 end = 2; -} - -// Specifies the double start and end of the range using half-open interval semantics [start, -// end). -message DoubleRange { - // start of the range (inclusive) - double start = 1; - - // end of the range (exclusive) - double end = 2; -} diff --git a/src/main/proto/envoy/type/tracing/v2/BUILD b/src/main/proto/envoy/type/tracing/v2/BUILD deleted file mode 100644 index aa64935..0000000 --- a/src/main/proto/envoy/type/tracing/v2/BUILD +++ /dev/null @@ -1,12 +0,0 @@ -# DO NOT EDIT. This file is generated by tools/proto_format/proto_sync.py. - -load("@envoy_api//bazel:api_build_system.bzl", "api_proto_package") - -licenses(["notice"]) # Apache 2 - -api_proto_package( - deps = [ - "//envoy/type/metadata/v2:pkg", - "@com_github_cncf_udpa//udpa/annotations:pkg", - ], -) diff --git a/src/main/proto/envoy/type/tracing/v2/custom_tag.proto b/src/main/proto/envoy/type/tracing/v2/custom_tag.proto deleted file mode 100644 index c37b662..0000000 --- a/src/main/proto/envoy/type/tracing/v2/custom_tag.proto +++ /dev/null @@ -1,87 +0,0 @@ -syntax = "proto3"; - -package envoy.type.tracing.v2; - -import "envoy/type/metadata/v2/metadata.proto"; - -import "udpa/annotations/status.proto"; -import "validate/validate.proto"; - -option java_package = "io.envoyproxy.envoy.type.tracing.v2"; -option java_outer_classname = "CustomTagProto"; -option java_multiple_files = true; -option go_package = "github.com/envoyproxy/go-control-plane/envoy/type/tracing/v2;tracingv2"; -option (udpa.annotations.file_status).package_version_status = FROZEN; - -// [#protodoc-title: Custom Tag] - -// Describes custom tags for the active span. -// [#next-free-field: 6] -message CustomTag { - // Literal type custom tag with static value for the tag value. - message Literal { - // Static literal value to populate the tag value. - string value = 1 [(validate.rules).string = {min_bytes: 1}]; - } - - // Environment type custom tag with environment name and default value. - message Environment { - // Environment variable name to obtain the value to populate the tag value. - string name = 1 [(validate.rules).string = {min_bytes: 1}]; - - // When the environment variable is not found, - // the tag value will be populated with this default value if specified, - // otherwise no tag will be populated. - string default_value = 2; - } - - // Header type custom tag with header name and default value. - message Header { - // Header name to obtain the value to populate the tag value. - string name = 1 - [(validate.rules).string = {min_bytes: 1 well_known_regex: HTTP_HEADER_NAME strict: false}]; - - // When the header does not exist, - // the tag value will be populated with this default value if specified, - // otherwise no tag will be populated. - string default_value = 2; - } - - // Metadata type custom tag using - // :ref:`MetadataKey ` to retrieve the protobuf value - // from :ref:`Metadata `, and populate the tag value with - // `the canonical JSON `_ - // representation of it. - message Metadata { - // Specify what kind of metadata to obtain tag value from. - metadata.v2.MetadataKind kind = 1; - - // Metadata key to define the path to retrieve the tag value. - metadata.v2.MetadataKey metadata_key = 2; - - // When no valid metadata is found, - // the tag value would be populated with this default value if specified, - // otherwise no tag would be populated. - string default_value = 3; - } - - // Used to populate the tag name. - string tag = 1 [(validate.rules).string = {min_bytes: 1}]; - - // Used to specify what kind of custom tag. - oneof type { - option (validate.required) = true; - - // A literal custom tag. - Literal literal = 2; - - // An environment custom tag. - Environment environment = 3; - - // A request header custom tag. - Header request_header = 4; - - // A custom tag to obtain tag value from the metadata. - Metadata metadata = 5; - } -} diff --git a/src/main/proto/envoy/type/tracing/v3/BUILD b/src/main/proto/envoy/type/tracing/v3/BUILD deleted file mode 100644 index c797ae6..0000000 --- a/src/main/proto/envoy/type/tracing/v3/BUILD +++ /dev/null @@ -1,12 +0,0 @@ -# DO NOT EDIT. This file is generated by tools/proto_format/proto_sync.py. - -load("@envoy_api//bazel:api_build_system.bzl", "api_proto_package") - -licenses(["notice"]) # Apache 2 - -api_proto_package( - deps = [ - "//envoy/type/metadata/v3:pkg", - "@com_github_cncf_udpa//udpa/annotations:pkg", - ], -) diff --git a/src/main/proto/envoy/type/tracing/v3/custom_tag.proto b/src/main/proto/envoy/type/tracing/v3/custom_tag.proto deleted file mode 100644 index feb57e8..0000000 --- a/src/main/proto/envoy/type/tracing/v3/custom_tag.proto +++ /dev/null @@ -1,102 +0,0 @@ -syntax = "proto3"; - -package envoy.type.tracing.v3; - -import "envoy/type/metadata/v3/metadata.proto"; - -import "udpa/annotations/status.proto"; -import "udpa/annotations/versioning.proto"; -import "validate/validate.proto"; - -option java_package = "io.envoyproxy.envoy.type.tracing.v3"; -option java_outer_classname = "CustomTagProto"; -option java_multiple_files = true; -option go_package = "github.com/envoyproxy/go-control-plane/envoy/type/tracing/v3;tracingv3"; -option (udpa.annotations.file_status).package_version_status = ACTIVE; - -// [#protodoc-title: Custom Tag] - -// Describes custom tags for the active span. -// [#next-free-field: 6] -message CustomTag { - option (udpa.annotations.versioning).previous_message_type = "envoy.type.tracing.v2.CustomTag"; - - // Literal type custom tag with static value for the tag value. - message Literal { - option (udpa.annotations.versioning).previous_message_type = - "envoy.type.tracing.v2.CustomTag.Literal"; - - // Static literal value to populate the tag value. - string value = 1 [(validate.rules).string = {min_len: 1}]; - } - - // Environment type custom tag with environment name and default value. - message Environment { - option (udpa.annotations.versioning).previous_message_type = - "envoy.type.tracing.v2.CustomTag.Environment"; - - // Environment variable name to obtain the value to populate the tag value. - string name = 1 [(validate.rules).string = {min_len: 1}]; - - // When the environment variable is not found, - // the tag value will be populated with this default value if specified, - // otherwise no tag will be populated. - string default_value = 2; - } - - // Header type custom tag with header name and default value. - message Header { - option (udpa.annotations.versioning).previous_message_type = - "envoy.type.tracing.v2.CustomTag.Header"; - - // Header name to obtain the value to populate the tag value. - string name = 1 - [(validate.rules).string = {min_len: 1 well_known_regex: HTTP_HEADER_NAME strict: false}]; - - // When the header does not exist, - // the tag value will be populated with this default value if specified, - // otherwise no tag will be populated. - string default_value = 2; - } - - // Metadata type custom tag using - // :ref:`MetadataKey ` to retrieve the protobuf value - // from :ref:`Metadata `, and populate the tag value with - // `the canonical JSON `_ - // representation of it. - message Metadata { - option (udpa.annotations.versioning).previous_message_type = - "envoy.type.tracing.v2.CustomTag.Metadata"; - - // Specify what kind of metadata to obtain tag value from. - metadata.v3.MetadataKind kind = 1; - - // Metadata key to define the path to retrieve the tag value. - metadata.v3.MetadataKey metadata_key = 2; - - // When no valid metadata is found, - // the tag value would be populated with this default value if specified, - // otherwise no tag would be populated. - string default_value = 3; - } - - // Used to populate the tag name. - string tag = 1 [(validate.rules).string = {min_len: 1}]; - - // Used to specify what kind of custom tag. - oneof type { - option (validate.required) = true; - - // A literal custom tag. - Literal literal = 2; - - // An environment custom tag. - Environment environment = 3; - - // A request header custom tag. - Header request_header = 4; - - // A custom tag to obtain tag value from the metadata. - Metadata metadata = 5; - } -} diff --git a/src/main/proto/envoy/type/v3/http.proto b/src/main/proto/envoy/type/v3/http.proto deleted file mode 100644 index 2018b8a..0000000 --- a/src/main/proto/envoy/type/v3/http.proto +++ /dev/null @@ -1,20 +0,0 @@ -syntax = "proto3"; - -package envoy.type.v3; - -option java_package = "io.envoyproxy.envoy.type.v3"; -option java_outer_classname = "HttpProto"; -option java_multiple_files = true; - -// [#protodoc-title: HTTP] - -enum CodecClientType { - HTTP1 = 0; - - HTTP2 = 1; - - // [#not-implemented-hide:] QUIC implementation is not production ready yet. Use this enum with - // caution to prevent accidental execution of QUIC code. I.e. `!= HTTP2` is no longer sufficient - // to distinguish HTTP1 and HTTP2 traffic. - HTTP3 = 2; -} diff --git a/src/main/proto/envoy/type/v3/percent.proto b/src/main/proto/envoy/type/v3/percent.proto deleted file mode 100644 index e041ecd..0000000 --- a/src/main/proto/envoy/type/v3/percent.proto +++ /dev/null @@ -1,57 +0,0 @@ -syntax = "proto3"; - -package envoy.type.v3; - -import "udpa/annotations/status.proto"; -import "udpa/annotations/versioning.proto"; -import "validate/validate.proto"; - -option java_package = "io.envoyproxy.envoy.type.v3"; -option java_outer_classname = "PercentProto"; -option java_multiple_files = true; -option go_package = "github.com/envoyproxy/go-control-plane/envoy/type/v3;typev3"; -option (udpa.annotations.file_status).package_version_status = ACTIVE; - -// [#protodoc-title: Percent] - -// Identifies a percentage, in the range [0.0, 100.0]. -message Percent { - option (udpa.annotations.versioning).previous_message_type = "envoy.type.Percent"; - - double value = 1 [(validate.rules).double = {lte: 100.0 gte: 0.0}]; -} - -// A fractional percentage is used in cases in which for performance reasons performing floating -// point to integer conversions during randomness calculations is undesirable. The message includes -// both a numerator and denominator that together determine the final fractional value. -// -// * **Example**: 1/100 = 1%. -// * **Example**: 3/10000 = 0.03%. -message FractionalPercent { - option (udpa.annotations.versioning).previous_message_type = "envoy.type.FractionalPercent"; - - // Fraction percentages support several fixed denominator values. - enum DenominatorType { - // 100. - // - // **Example**: 1/100 = 1%. - HUNDRED = 0; - - // 10,000. - // - // **Example**: 1/10000 = 0.01%. - TEN_THOUSAND = 1; - - // 1,000,000. - // - // **Example**: 1/1000000 = 0.0001%. - MILLION = 2; - } - - // Specifies the numerator. Defaults to 0. - uint32 numerator = 1; - - // Specifies the denominator. If the denominator specified is less than the numerator, the final - // fractional percentage is capped at 1 (100%). - DenominatorType denominator = 2 [(validate.rules).enum = {defined_only: true}]; -} diff --git a/src/main/proto/envoy/type/v3/range.proto b/src/main/proto/envoy/type/v3/range.proto deleted file mode 100644 index 3b1af81..0000000 --- a/src/main/proto/envoy/type/v3/range.proto +++ /dev/null @@ -1,50 +0,0 @@ -syntax = "proto3"; - -package envoy.type.v3; - -import "udpa/annotations/status.proto"; -import "udpa/annotations/versioning.proto"; - -option java_package = "io.envoyproxy.envoy.type.v3"; -option java_outer_classname = "RangeProto"; -option java_multiple_files = true; -option go_package = "github.com/envoyproxy/go-control-plane/envoy/type/v3;typev3"; -option (udpa.annotations.file_status).package_version_status = ACTIVE; - -// [#protodoc-title: Range] - -// Specifies the int64 start and end of the range using half-open interval semantics [start, -// end). -message Int64Range { - option (udpa.annotations.versioning).previous_message_type = "envoy.type.Int64Range"; - - // start of the range (inclusive) - int64 start = 1; - - // end of the range (exclusive) - int64 end = 2; -} - -// Specifies the int32 start and end of the range using half-open interval semantics [start, -// end). -message Int32Range { - option (udpa.annotations.versioning).previous_message_type = "envoy.type.Int32Range"; - - // start of the range (inclusive) - int32 start = 1; - - // end of the range (exclusive) - int32 end = 2; -} - -// Specifies the double start and end of the range using half-open interval semantics [start, -// end). -message DoubleRange { - option (udpa.annotations.versioning).previous_message_type = "envoy.type.DoubleRange"; - - // start of the range (inclusive) - double start = 1; - - // end of the range (exclusive) - double end = 2; -} diff --git a/src/main/proto/envoy/type/v3/semantic_version.proto b/src/main/proto/envoy/type/v3/semantic_version.proto deleted file mode 100644 index e032b4c..0000000 --- a/src/main/proto/envoy/type/v3/semantic_version.proto +++ /dev/null @@ -1,27 +0,0 @@ -syntax = "proto3"; - -package envoy.type.v3; - -import "udpa/annotations/status.proto"; -import "udpa/annotations/versioning.proto"; - -option java_package = "io.envoyproxy.envoy.type.v3"; -option java_outer_classname = "SemanticVersionProto"; -option java_multiple_files = true; -option go_package = "github.com/envoyproxy/go-control-plane/envoy/type/v3;typev3"; -option (udpa.annotations.file_status).package_version_status = ACTIVE; - -// [#protodoc-title: Semantic version] - -// Envoy uses SemVer (https://semver.org/). Major/minor versions indicate -// expected behaviors and APIs, the patch version field is used only -// for security fixes and can be generally ignored. -message SemanticVersion { - option (udpa.annotations.versioning).previous_message_type = "envoy.type.SemanticVersion"; - - uint32 major_number = 1; - - uint32 minor_number = 2; - - uint32 patch = 3; -} diff --git a/src/main/proto/udpa/annotations/BUILD b/src/main/proto/udpa/annotations/BUILD deleted file mode 100644 index 1e79479..0000000 --- a/src/main/proto/udpa/annotations/BUILD +++ /dev/null @@ -1,5 +0,0 @@ -load("//bazel:api_build_system.bzl", "xds_proto_package") - -licenses(["notice"]) # Apache 2 - -xds_proto_package() diff --git a/src/main/proto/udpa/annotations/migrate.proto b/src/main/proto/udpa/annotations/migrate.proto deleted file mode 100644 index 5f5f389..0000000 --- a/src/main/proto/udpa/annotations/migrate.proto +++ /dev/null @@ -1,55 +0,0 @@ -// THIS FILE IS DEPRECATED -// Users should instead use the corresponding proto in the xds tree. -// No new changes will be accepted here. - -syntax = "proto3"; - -package udpa.annotations; - -import "google/protobuf/descriptor.proto"; - -option go_package = "github.com/cncf/xds/go/udpa/annotations"; - -// Magic number in this file derived from top 28bit of SHA256 digest of -// "udpa.annotation.migrate". - -extend google.protobuf.MessageOptions { - MigrateAnnotation message_migrate = 171962766; -} - -extend google.protobuf.FieldOptions { - FieldMigrateAnnotation field_migrate = 171962766; -} - -extend google.protobuf.EnumOptions { - MigrateAnnotation enum_migrate = 171962766; -} - -extend google.protobuf.EnumValueOptions { - MigrateAnnotation enum_value_migrate = 171962766; -} - -extend google.protobuf.FileOptions { - FileMigrateAnnotation file_migrate = 171962766; -} - -message MigrateAnnotation { - // Rename the message/enum/enum value in next version. - string rename = 1; -} - -message FieldMigrateAnnotation { - // Rename the field in next version. - string rename = 1; - - // Add the field to a named oneof in next version. If this already exists, the - // field will join its siblings under the oneof, otherwise a new oneof will be - // created with the given name. - string oneof_promotion = 2; -} - -message FileMigrateAnnotation { - // Move all types in the file to another package, this implies changing proto - // file path. - string move_to_package = 2; -} diff --git a/src/main/proto/udpa/annotations/security.proto b/src/main/proto/udpa/annotations/security.proto deleted file mode 100644 index 0ef9197..0000000 --- a/src/main/proto/udpa/annotations/security.proto +++ /dev/null @@ -1,34 +0,0 @@ -// THIS FILE IS DEPRECATED -// Users should instead use the corresponding proto in the xds tree. -// No new changes will be accepted here. - -syntax = "proto3"; - -package udpa.annotations; - -import "udpa/annotations/status.proto"; - -import "google/protobuf/descriptor.proto"; - -option go_package = "github.com/cncf/xds/go/udpa/annotations"; - -// All annotations in this file are experimental and subject to change. Their -// only consumer today is the Envoy APIs and SecuritAnnotationValidator protoc -// plugin in this repository. -option (udpa.annotations.file_status).work_in_progress = true; - -extend google.protobuf.FieldOptions { - // Magic number is the 28 most significant bits in the sha256sum of - // "udpa.annotations.security". - FieldSecurityAnnotation security = 11122993; -} - -// These annotations indicate metadata for the purpose of understanding the -// security significance of fields. -message FieldSecurityAnnotation { - // Field should be set in the presence of untrusted downstreams. - bool configure_for_untrusted_downstream = 1; - - // Field should be set in the presence of untrusted upstreams. - bool configure_for_untrusted_upstream = 2; -} diff --git a/src/main/proto/udpa/annotations/sensitive.proto b/src/main/proto/udpa/annotations/sensitive.proto deleted file mode 100644 index c7d8af6..0000000 --- a/src/main/proto/udpa/annotations/sensitive.proto +++ /dev/null @@ -1,20 +0,0 @@ -// THIS FILE IS DEPRECATED -// Users should instead use the corresponding proto in the xds tree. -// No new changes will be accepted here. - -syntax = "proto3"; - -package udpa.annotations; - -import "google/protobuf/descriptor.proto"; - -option go_package = "github.com/cncf/xds/go/udpa/annotations"; - -extend google.protobuf.FieldOptions { - // Magic number is the 28 most significant bits in the sha256sum of "udpa.annotations.sensitive". - // When set to true, `sensitive` indicates that this field contains sensitive data, such as - // personally identifiable information, passwords, or private keys, and should be redacted for - // display by tools aware of this annotation. Note that that this has no effect on standard - // Protobuf functions such as `TextFormat::PrintToString`. - bool sensitive = 76569463; -} diff --git a/src/main/proto/udpa/annotations/status.proto b/src/main/proto/udpa/annotations/status.proto deleted file mode 100644 index 5a90bde..0000000 --- a/src/main/proto/udpa/annotations/status.proto +++ /dev/null @@ -1,40 +0,0 @@ -// THIS FILE IS DEPRECATED -// Users should instead use the corresponding proto in the xds tree. -// No new changes will be accepted here. - -syntax = "proto3"; - -package udpa.annotations; - -import "google/protobuf/descriptor.proto"; - -option go_package = "github.com/cncf/xds/go/udpa/annotations"; - -// Magic number in this file derived from top 28bit of SHA256 digest of -// "udpa.annotation.status". -extend google.protobuf.FileOptions { - StatusAnnotation file_status = 222707719; -} - -enum PackageVersionStatus { - // Unknown package version status. - UNKNOWN = 0; - - // This version of the package is frozen. - FROZEN = 1; - - // This version of the package is the active development version. - ACTIVE = 2; - - // This version of the package is the candidate for the next major version. It - // is typically machine generated from the active development version. - NEXT_MAJOR_VERSION_CANDIDATE = 3; -} - -message StatusAnnotation { - // The entity is work-in-progress and subject to breaking changes. - bool work_in_progress = 1; - - // The entity belongs to a package with the given version status. - PackageVersionStatus package_version_status = 2; -} diff --git a/src/main/proto/udpa/annotations/versioning.proto b/src/main/proto/udpa/annotations/versioning.proto deleted file mode 100644 index 06df78d..0000000 --- a/src/main/proto/udpa/annotations/versioning.proto +++ /dev/null @@ -1,23 +0,0 @@ -// THIS FILE IS DEPRECATED -// Users should instead use the corresponding proto in the xds tree. -// No new changes will be accepted here. - -syntax = "proto3"; - -package udpa.annotations; - -import "google/protobuf/descriptor.proto"; - -option go_package = "github.com/cncf/xds/go/udpa/annotations"; - -extend google.protobuf.MessageOptions { - // Magic number derived from 0x78 ('x') 0x44 ('D') 0x53 ('S') - VersioningAnnotation versioning = 7881811; -} - -message VersioningAnnotation { - // Track the previous message type. E.g. this message might be - // udpa.foo.v3alpha.Foo and it was previously udpa.bar.v2.Bar. This - // information is consumed by UDPA via proto descriptors. - string previous_message_type = 1; -} diff --git a/src/main/proto/xds/annotations/v3/status.proto b/src/main/proto/xds/annotations/v3/status.proto deleted file mode 100644 index 367e784..0000000 --- a/src/main/proto/xds/annotations/v3/status.proto +++ /dev/null @@ -1,59 +0,0 @@ -syntax = "proto3"; - -package xds.annotations.v3; - -import "google/protobuf/descriptor.proto"; - -option go_package = "github.com/cncf/xds/go/xds/annotations/v3"; - -// Magic number in this file derived from top 28bit of SHA256 digest of -// "xds.annotations.v3.status". -extend google.protobuf.FileOptions { - FileStatusAnnotation file_status = 226829418; -} - -extend google.protobuf.MessageOptions { - MessageStatusAnnotation message_status = 226829418; -} - -extend google.protobuf.FieldOptions { - FieldStatusAnnotation field_status = 226829418; -} - -message FileStatusAnnotation { - // The entity is work-in-progress and subject to breaking changes. - bool work_in_progress = 1; -} - -message MessageStatusAnnotation { - // The entity is work-in-progress and subject to breaking changes. - bool work_in_progress = 1; -} - -message FieldStatusAnnotation { - // The entity is work-in-progress and subject to breaking changes. - bool work_in_progress = 1; -} - -enum PackageVersionStatus { - // Unknown package version status. - UNKNOWN = 0; - - // This version of the package is frozen. - FROZEN = 1; - - // This version of the package is the active development version. - ACTIVE = 2; - - // This version of the package is the candidate for the next major version. It - // is typically machine generated from the active development version. - NEXT_MAJOR_VERSION_CANDIDATE = 3; -} - -message StatusAnnotation { - // The entity is work-in-progress and subject to breaking changes. - bool work_in_progress = 1; - - // The entity belongs to a package with the given version status. - PackageVersionStatus package_version_status = 2; -} diff --git a/src/main/proto/xds/core/v3/authority.proto b/src/main/proto/xds/core/v3/authority.proto deleted file mode 100644 index d666c38..0000000 --- a/src/main/proto/xds/core/v3/authority.proto +++ /dev/null @@ -1,22 +0,0 @@ -syntax = "proto3"; - -package xds.core.v3; - -import "xds/annotations/v3/status.proto"; - -import "validate/validate.proto"; - -option java_outer_classname = "AuthorityProto"; -option java_multiple_files = true; -option java_package = "com.github.xds.core.v3"; -option go_package = "github.com/cncf/xds/go/xds/core/v3"; - -option (xds.annotations.v3.file_status).work_in_progress = true; - -// xDS authority information. -message Authority { - string name = 1 [(validate.rules).string = {min_len: 1}]; - - // .. space reserved for additional authority addressing information, e.g. for - // resource signing, items such as CA trust chain, cert pinning may be added. -} diff --git a/src/main/proto/xds/core/v3/context_params.proto b/src/main/proto/xds/core/v3/context_params.proto deleted file mode 100644 index a42c7a8..0000000 --- a/src/main/proto/xds/core/v3/context_params.proto +++ /dev/null @@ -1,23 +0,0 @@ -syntax = "proto3"; - -package xds.core.v3; - -import "xds/annotations/v3/status.proto"; - -option java_outer_classname = "ContextParamsProto"; -option java_multiple_files = true; -option java_package = "com.github.xds.core.v3"; -option go_package = "github.com/cncf/xds/go/xds/core/v3"; - -option (xds.annotations.v3.file_status).work_in_progress = true; - -// Additional parameters that can be used to select resource variants. These include any -// global context parameters, per-resource type client feature capabilities and per-resource -// type functional attributes. All per-resource type attributes will be `xds.resource.` -// prefixed and some of these are documented below: -// -// `xds.resource.listening_address`: The value is "IP:port" (e.g. "10.1.1.3:8080") which is -// the listening address of a Listener. Used in a Listener resource query. -message ContextParams { - map params = 1; -} diff --git a/src/main/proto/xds/core/v3/extension.proto b/src/main/proto/xds/core/v3/extension.proto deleted file mode 100644 index dd489eb..0000000 --- a/src/main/proto/xds/core/v3/extension.proto +++ /dev/null @@ -1,26 +0,0 @@ -syntax = "proto3"; - -package xds.core.v3; - -option java_outer_classname = "ExtensionProto"; -option java_multiple_files = true; -option java_package = "com.github.xds.core.v3"; -option go_package = "github.com/cncf/xds/go/xds/core/v3"; - -import "validate/validate.proto"; -import "google/protobuf/any.proto"; - -// Message type for extension configuration. -message TypedExtensionConfig { - // The name of an extension. This is not used to select the extension, instead - // it serves the role of an opaque identifier. - string name = 1 [(validate.rules).string = {min_len: 1}]; - - // The typed config for the extension. The type URL will be used to identify - // the extension. In the case that the type URL is *xds.type.v3.TypedStruct* - // (or, for historical reasons, *udpa.type.v1.TypedStruct*), the inner type - // URL of *TypedStruct* will be utilized. See the - // :ref:`extension configuration overview - // ` for further details. - google.protobuf.Any typed_config = 2 [(validate.rules).any = {required: true}]; -} diff --git a/src/main/proto/xds/type/matcher/v3/matcher.proto b/src/main/proto/xds/type/matcher/v3/matcher.proto deleted file mode 100644 index 4966b45..0000000 --- a/src/main/proto/xds/type/matcher/v3/matcher.proto +++ /dev/null @@ -1,139 +0,0 @@ -syntax = "proto3"; - -package xds.type.matcher.v3; - -import "xds/annotations/v3/status.proto"; -import "xds/core/v3/extension.proto"; -import "xds/type/matcher/v3/string.proto"; - -import "validate/validate.proto"; - -option java_package = "com.github.xds.type.matcher.v3"; -option java_outer_classname = "MatcherProto"; -option java_multiple_files = true; -option go_package = "github.com/cncf/xds/go/xds/type/matcher/v3"; - -// [#protodoc-title: Unified Matcher API] - -// A matcher, which may traverse a matching tree in order to result in a match action. -// During matching, the tree will be traversed until a match is found, or if no match -// is found the action specified by the most specific on_no_match will be evaluated. -// As an on_no_match might result in another matching tree being evaluated, this process -// might repeat several times until the final OnMatch (or no match) is decided. -message Matcher { - option (xds.annotations.v3.message_status).work_in_progress = true; - - // What to do if a match is successful. - message OnMatch { - oneof on_match { - option (validate.required) = true; - - // Nested matcher to evaluate. - // If the nested matcher does not match and does not specify - // on_no_match, then this matcher is considered not to have - // matched, even if a predicate at this level or above returned - // true. - Matcher matcher = 1; - - // Protocol-specific action to take. - core.v3.TypedExtensionConfig action = 2; - } - } - - // A linear list of field matchers. - // The field matchers are evaluated in order, and the first match - // wins. - message MatcherList { - // Predicate to determine if a match is successful. - message Predicate { - // Predicate for a single input field. - message SinglePredicate { - // Protocol-specific specification of input field to match on. - // [#extension-category: envoy.matching.common_inputs] - core.v3.TypedExtensionConfig input = 1 [(validate.rules).message = {required: true}]; - - oneof matcher { - option (validate.required) = true; - - // Built-in string matcher. - type.matcher.v3.StringMatcher value_match = 2; - - // Extension for custom matching logic. - // [#extension-category: envoy.matching.input_matchers] - core.v3.TypedExtensionConfig custom_match = 3; - } - } - - // A list of two or more matchers. Used to allow using a list within a oneof. - message PredicateList { - repeated Predicate predicate = 1 [(validate.rules).repeated = {min_items: 2}]; - } - - oneof match_type { - option (validate.required) = true; - - // A single predicate to evaluate. - SinglePredicate single_predicate = 1; - - // A list of predicates to be OR-ed together. - PredicateList or_matcher = 2; - - // A list of predicates to be AND-ed together. - PredicateList and_matcher = 3; - - // The invert of a predicate - Predicate not_matcher = 4; - } - } - - // An individual matcher. - message FieldMatcher { - // Determines if the match succeeds. - Predicate predicate = 1 [(validate.rules).message = {required: true}]; - - // What to do if the match succeeds. - OnMatch on_match = 2 [(validate.rules).message = {required: true}]; - } - - // A list of matchers. First match wins. - repeated FieldMatcher matchers = 1 [(validate.rules).repeated = {min_items: 1}]; - } - - message MatcherTree { - // A map of configured matchers. Used to allow using a map within a oneof. - message MatchMap { - map map = 1 [(validate.rules).map = {min_pairs: 1}]; - } - - // Protocol-specific specification of input field to match on. - core.v3.TypedExtensionConfig input = 1 [(validate.rules).message = {required: true}]; - - // Exact or prefix match maps in which to look up the input value. - // If the lookup succeeds, the match is considered successful, and - // the corresponding OnMatch is used. - oneof tree_type { - option (validate.required) = true; - - MatchMap exact_match_map = 2; - - // Longest matching prefix wins. - MatchMap prefix_match_map = 3; - - // Extension for custom matching logic. - core.v3.TypedExtensionConfig custom_match = 4; - } - } - - oneof matcher_type { - // A linear list of matchers to evaluate. - MatcherList matcher_list = 1; - - // A match tree to evaluate. - MatcherTree matcher_tree = 2; - } - - // Optional OnMatch to use if no matcher above matched (e.g., if there are no matchers specified - // above, or if none of the matches specified above succeeded). - // If no matcher above matched and this field is not populated, the match will be considered unsuccessful. - OnMatch on_no_match = 3; -} diff --git a/src/main/proto/xds/type/matcher/v3/regex.proto b/src/main/proto/xds/type/matcher/v3/regex.proto deleted file mode 100644 index 3ff4ca9..0000000 --- a/src/main/proto/xds/type/matcher/v3/regex.proto +++ /dev/null @@ -1,46 +0,0 @@ -syntax = "proto3"; - -package xds.type.matcher.v3; - -import "validate/validate.proto"; - -option java_package = "com.github.xds.type.matcher.v3"; -option java_outer_classname = "RegexProto"; -option java_multiple_files = true; -option go_package = "github.com/cncf/xds/go/xds/type/matcher/v3"; - -// [#protodoc-title: Regex matcher] - -// A regex matcher designed for safety when used with untrusted input. -message RegexMatcher { - // Google's `RE2 `_ regex engine. The regex - // string must adhere to the documented `syntax - // `_. The engine is designed to - // complete execution in linear time as well as limit the amount of memory - // used. - // - // Envoy supports program size checking via runtime. The runtime keys - // `re2.max_program_size.error_level` and `re2.max_program_size.warn_level` - // can be set to integers as the maximum program size or complexity that a - // compiled regex can have before an exception is thrown or a warning is - // logged, respectively. `re2.max_program_size.error_level` defaults to 100, - // and `re2.max_program_size.warn_level` has no default if unset (will not - // check/log a warning). - // - // Envoy emits two stats for tracking the program size of regexes: the - // histogram `re2.program_size`, which records the program size, and the - // counter `re2.exceeded_warn_level`, which is incremented each time the - // program size exceeds the warn level threshold. - message GoogleRE2 {} - - oneof engine_type { - option (validate.required) = true; - - // Google's RE2 regex engine. - GoogleRE2 google_re2 = 1 [ (validate.rules).message = {required : true} ]; - } - - // The regex match string. The string must be supported by the configured - // engine. - string regex = 2 [ (validate.rules).string = {min_len : 1} ]; -} diff --git a/src/main/proto/xds/type/matcher/v3/string.proto b/src/main/proto/xds/type/matcher/v3/string.proto deleted file mode 100644 index fdc598e..0000000 --- a/src/main/proto/xds/type/matcher/v3/string.proto +++ /dev/null @@ -1,66 +0,0 @@ -syntax = "proto3"; - -package xds.type.matcher.v3; - -import "xds/type/matcher/v3/regex.proto"; - -import "validate/validate.proto"; - -option java_package = "com.github.xds.type.matcher.v3"; -option java_outer_classname = "StringProto"; -option java_multiple_files = true; -option go_package = "github.com/cncf/xds/go/xds/type/matcher/v3"; - -// [#protodoc-title: String matcher] - -// Specifies the way to match a string. -// [#next-free-field: 8] -message StringMatcher { - oneof match_pattern { - option (validate.required) = true; - - // The input string must match exactly the string specified here. - // - // Examples: - // - // * *abc* only matches the value *abc*. - string exact = 1; - - // The input string must have the prefix specified here. - // Note: empty prefix is not allowed, please use regex instead. - // - // Examples: - // - // * *abc* matches the value *abc.xyz* - string prefix = 2 [(validate.rules).string = {min_len: 1}]; - - // The input string must have the suffix specified here. - // Note: empty prefix is not allowed, please use regex instead. - // - // Examples: - // - // * *abc* matches the value *xyz.abc* - string suffix = 3 [(validate.rules).string = {min_len: 1}]; - - // The input string must match the regular expression specified here. - RegexMatcher safe_regex = 5 [(validate.rules).message = {required: true}]; - - // The input string must have the substring specified here. - // Note: empty contains match is not allowed, please use regex instead. - // - // Examples: - // - // * *abc* matches the value *xyz.abc.def* - string contains = 7 [(validate.rules).string = {min_len: 1}]; - } - - // If true, indicates the exact/prefix/suffix matching should be case insensitive. This has no - // effect for the safe_regex match. - // For example, the matcher *data* will match both input string *Data* and *data* if set to true. - bool ignore_case = 6; -} - -// Specifies a list of ways to match a string. -message ListStringMatcher { - repeated StringMatcher patterns = 1 [(validate.rules).repeated = {min_items: 1}]; -} From 172126cecf77a3ded2cc80928c7b1c7707f6641d Mon Sep 17 00:00:00 2001 From: musi Date: Tue, 13 Dec 2022 11:45:34 +0800 Subject: [PATCH 3/5] refactor: rename virtualservice to traffic router --- src/main/java/io/opensergo/ConfigKind.java | 2 +- src/main/java/io/opensergo/OpenSergoConfigKindRegistry.java | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/src/main/java/io/opensergo/ConfigKind.java b/src/main/java/io/opensergo/ConfigKind.java index 24fd8c8..80330ed 100644 --- a/src/main/java/io/opensergo/ConfigKind.java +++ b/src/main/java/io/opensergo/ConfigKind.java @@ -30,7 +30,7 @@ public enum ConfigKind { "ConcurrencyLimitStrategy"), CIRCUIT_BREAKER_STRATEGY("fault-tolerance.opensergo.io/v1alpha1/CircuitBreakerStrategy", "CircuitBreakerStrategy"), - VIRTUAL_SERVICE_STRATEGY("networking.istio.io/v1beta1/VirtualService", "VirtualService"); + TRAFFIC_ROUTER_STRATEGY("traffic.opensergo.io/v1alpha1/TrafficRouter", "TrafficRouter"); private final String kindName; private final String simpleKindName; diff --git a/src/main/java/io/opensergo/OpenSergoConfigKindRegistry.java b/src/main/java/io/opensergo/OpenSergoConfigKindRegistry.java index 980f79d..3707b1c 100644 --- a/src/main/java/io/opensergo/OpenSergoConfigKindRegistry.java +++ b/src/main/java/io/opensergo/OpenSergoConfigKindRegistry.java @@ -43,7 +43,7 @@ public final class OpenSergoConfigKindRegistry { registerConfigKind(ConfigKind.THROTTLING_STRATEGY, ThrottlingStrategy.class); registerConfigKind(ConfigKind.CONCURRENCY_LIMIT_STRATEGY, ConcurrencyLimitStrategy.class); registerConfigKind(ConfigKind.CIRCUIT_BREAKER_STRATEGY, CircuitBreakerStrategy.class); - registerConfigKind(ConfigKind.VIRTUAL_SERVICE_STRATEGY, RouteConfiguration.class); + registerConfigKind(ConfigKind.TRAFFIC_ROUTER_STRATEGY, RouteConfiguration.class); } public static ConfigKindMetadata getKindMetadata(ConfigKind kind) { From 98da3186ffec977331b6acb64137736d49e93d01 Mon Sep 17 00:00:00 2001 From: musi Date: Mon, 16 Jan 2023 19:02:39 +0800 Subject: [PATCH 4/5] feat: add VirtualWorkload kind --- src/main/java/io/opensergo/ConfigKind.java | 4 +++- src/main/java/io/opensergo/OpenSergoConfigKindRegistry.java | 1 + 2 files changed, 4 insertions(+), 1 deletion(-) diff --git a/src/main/java/io/opensergo/ConfigKind.java b/src/main/java/io/opensergo/ConfigKind.java index 80330ed..abd8a10 100644 --- a/src/main/java/io/opensergo/ConfigKind.java +++ b/src/main/java/io/opensergo/ConfigKind.java @@ -30,7 +30,9 @@ public enum ConfigKind { "ConcurrencyLimitStrategy"), CIRCUIT_BREAKER_STRATEGY("fault-tolerance.opensergo.io/v1alpha1/CircuitBreakerStrategy", "CircuitBreakerStrategy"), - TRAFFIC_ROUTER_STRATEGY("traffic.opensergo.io/v1alpha1/TrafficRouter", "TrafficRouter"); + TRAFFIC_ROUTER_STRATEGY("traffic.opensergo.io/v1alpha1/TrafficRouter", "TrafficRouter"), + + VIRTUAL_WORKLOAD_STRATEGY("traffic.opensergo.io/v1alpha1/VirtualWorkload", "VirtualWorkload"); private final String kindName; private final String simpleKindName; diff --git a/src/main/java/io/opensergo/OpenSergoConfigKindRegistry.java b/src/main/java/io/opensergo/OpenSergoConfigKindRegistry.java index 3707b1c..2ea2308 100644 --- a/src/main/java/io/opensergo/OpenSergoConfigKindRegistry.java +++ b/src/main/java/io/opensergo/OpenSergoConfigKindRegistry.java @@ -44,6 +44,7 @@ public final class OpenSergoConfigKindRegistry { registerConfigKind(ConfigKind.CONCURRENCY_LIMIT_STRATEGY, ConcurrencyLimitStrategy.class); registerConfigKind(ConfigKind.CIRCUIT_BREAKER_STRATEGY, CircuitBreakerStrategy.class); registerConfigKind(ConfigKind.TRAFFIC_ROUTER_STRATEGY, RouteConfiguration.class); + registerConfigKind(ConfigKind.VIRTUAL_WORKLOAD_STRATEGY, RouteConfiguration.class); } public static ConfigKindMetadata getKindMetadata(ConfigKind kind) { From 0318388eba1dbdb705ff00201c046af02e464398 Mon Sep 17 00:00:00 2001 From: musi Date: Thu, 19 Jan 2023 22:12:21 +0800 Subject: [PATCH 5/5] feat: change return type in VirtualWorkload --- src/main/java/io/opensergo/OpenSergoConfigKindRegistry.java | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/src/main/java/io/opensergo/OpenSergoConfigKindRegistry.java b/src/main/java/io/opensergo/OpenSergoConfigKindRegistry.java index 713a738..e7ac8ac 100644 --- a/src/main/java/io/opensergo/OpenSergoConfigKindRegistry.java +++ b/src/main/java/io/opensergo/OpenSergoConfigKindRegistry.java @@ -19,6 +19,7 @@ import java.util.concurrent.ConcurrentMap; import io.envoyproxy.envoy.config.route.v3.RouteConfiguration; +import io.envoyproxy.envoy.service.discovery.v3.DiscoveryResponse; import io.opensergo.proto.fault_tolerance.v1.CircuitBreakerStrategy; import io.opensergo.proto.fault_tolerance.v1.ConcurrencyLimitStrategy; import io.opensergo.proto.fault_tolerance.v1.FaultToleranceRule; @@ -48,7 +49,7 @@ public final class OpenSergoConfigKindRegistry { // domain: traffic // NOTE: here we've reused a few parts of xDS proto (e.g. route proto) registerConfigKind(ConfigKind.TRAFFIC_ROUTER_STRATEGY, RouteConfiguration.class); - registerConfigKind(ConfigKind.VIRTUAL_WORKLOAD_STRATEGY, RouteConfiguration.class); + registerConfigKind(ConfigKind.VIRTUAL_WORKLOAD_STRATEGY, DiscoveryResponse.class); } public static ConfigKindMetadata getKindMetadata(ConfigKind kind) {