From e453c6c613206da749e3ff645e2d92f534535f3e Mon Sep 17 00:00:00 2001 From: Lizan Zhou Date: Wed, 25 Aug 2021 13:47:39 -0700 Subject: [PATCH] api: stop generating v4alpha protos (#17842) Stop generating v4alpha protos, as they won't land in the foreseeable future. This fixes the go-control-plane sync, which fails to generate the contrib API correctly. Risk Level: Medium Testing: CI Docs Changes: N/A Release Notes: N/A Platform Specific Features: N/A 
Signed-off-by: Lizan Zhou --- .gitattributes | 1 - .../network/rocketmq_proxy/v4alpha/BUILD | 15 - .../v4alpha/rocketmq_proxy.proto | 38 - .../rocketmq_proxy/v4alpha/route.proto | 67 - api/envoy/admin/v4alpha/BUILD | 17 - api/envoy/admin/v4alpha/certs.proto | 86 - api/envoy/admin/v4alpha/clusters.proto | 176 -- api/envoy/admin/v4alpha/config_dump.proto | 484 ---- api/envoy/admin/v4alpha/init_dump.proto | 37 - api/envoy/admin/v4alpha/listeners.proto | 36 - api/envoy/admin/v4alpha/memory.proto | 47 - api/envoy/admin/v4alpha/metrics.proto | 32 - api/envoy/admin/v4alpha/mutex_stats.proto | 33 - api/envoy/admin/v4alpha/server_info.proto | 191 -- api/envoy/admin/v4alpha/tap.proto | 28 - api/envoy/config/accesslog/v4alpha/BUILD | 16 - .../config/accesslog/v4alpha/accesslog.proto | 326 --- api/envoy/config/bootstrap/v4alpha/BUILD | 20 - .../config/bootstrap/v4alpha/bootstrap.proto | 620 ----- api/envoy/config/cluster/v4alpha/BUILD | 16 - .../cluster/v4alpha/circuit_breaker.proto | 105 - .../config/cluster/v4alpha/cluster.proto | 1043 --------- api/envoy/config/cluster/v4alpha/filter.proto | 30 - .../cluster/v4alpha/outlier_detection.proto | 157 -- api/envoy/config/common/matcher/v4alpha/BUILD | 15 - .../common/matcher/v4alpha/matcher.proto | 269 --- api/envoy/config/core/v4alpha/BUILD | 16 - api/envoy/config/core/v4alpha/address.proto | 163 -- api/envoy/config/core/v4alpha/backoff.proto | 37 - api/envoy/config/core/v4alpha/base.proto | 456 ---- .../config/core/v4alpha/config_source.proto | 217 -- .../core/v4alpha/event_service_config.proto | 28 - api/envoy/config/core/v4alpha/extension.proto | 68 - .../core/v4alpha/grpc_method_list.proto | 33 - .../config/core/v4alpha/grpc_service.proto | 302 --- .../config/core/v4alpha/health_check.proto | 372 --- api/envoy/config/core/v4alpha/http_uri.proto | 56 - api/envoy/config/core/v4alpha/protocol.proto | 497 ---- .../config/core/v4alpha/proxy_protocol.proto | 29 - api/envoy/config/core/v4alpha/resolver.proto | 48 - 
.../config/core/v4alpha/socket_option.proto | 56 - .../v4alpha/substitution_format_string.proto | 101 - .../core/v4alpha/udp_socket_config.proto | 35 - api/envoy/config/endpoint/v4alpha/BUILD | 14 - .../config/endpoint/v4alpha/endpoint.proto | 119 - .../v4alpha/endpoint_components.proto | 195 -- .../config/endpoint/v4alpha/load_report.proto | 168 -- api/envoy/config/listener/v4alpha/BUILD | 16 - .../listener/v4alpha/api_listener.proto | 33 - .../config/listener/v4alpha/listener.proto | 317 --- .../v4alpha/listener_components.proto | 349 --- .../config/listener/v4alpha/quic_config.proto | 62 - .../v4alpha/udp_listener_config.proto | 46 - api/envoy/config/metrics/v4alpha/BUILD | 14 - .../metrics/v4alpha/metrics_service.proto | 46 - api/envoy/config/metrics/v4alpha/stats.proto | 411 ---- api/envoy/config/ratelimit/v4alpha/BUILD | 13 - api/envoy/config/ratelimit/v4alpha/rls.proto | 34 - api/envoy/config/rbac/v4alpha/BUILD | 18 - api/envoy/config/rbac/v4alpha/rbac.proto | 303 --- api/envoy/config/route/v4alpha/BUILD | 17 - api/envoy/config/route/v4alpha/route.proto | 146 -- .../route/v4alpha/route_components.proto | 1938 ---------------- .../config/route/v4alpha/scoped_route.proto | 120 - api/envoy/config/tap/v4alpha/BUILD | 15 - api/envoy/config/tap/v4alpha/common.proto | 276 --- api/envoy/config/trace/v4alpha/BUILD | 13 - .../config/trace/v4alpha/http_tracer.proto | 59 - api/envoy/config/trace/v4alpha/service.proto | 25 - api/envoy/data/dns/v4alpha/BUILD | 12 - api/envoy/data/dns/v4alpha/dns_table.proto | 159 -- .../access_loggers/file/v4alpha/BUILD | 13 - .../access_loggers/file/v4alpha/file.proto | 42 - .../access_loggers/grpc/v4alpha/BUILD | 13 - .../access_loggers/grpc/v4alpha/als.proto | 89 - .../open_telemetry/v4alpha/BUILD | 14 - .../open_telemetry/v4alpha/logs_service.proto | 47 - .../access_loggers/stream/v4alpha/BUILD | 13 - .../stream/v4alpha/stream.proto | 45 - .../dynamic_forward_proxy/v4alpha/BUILD | 13 - .../v4alpha/cluster.proto | 35 - 
.../dynamic_forward_proxy/v4alpha/BUILD | 15 - .../v4alpha/dns_cache.proto | 143 -- .../extensions/common/matching/v4alpha/BUILD | 14 - .../matching/v4alpha/extension_matcher.proto | 39 - api/envoy/extensions/common/tap/v4alpha/BUILD | 13 - .../common/tap/v4alpha/common.proto | 44 - .../filters/http/cache/v4alpha/BUILD | 14 - .../filters/http/cache/v4alpha/cache.proto | 82 - .../filters/http/compressor/v4alpha/BUILD | 13 - .../http/compressor/v4alpha/compressor.proto | 106 - .../filters/http/csrf/v4alpha/BUILD | 14 - .../filters/http/csrf/v4alpha/csrf.proto | 54 - .../http/dynamic_forward_proxy/v4alpha/BUILD | 13 - .../v4alpha/dynamic_forward_proxy.proto | 64 - .../filters/http/ext_authz/v4alpha/BUILD | 15 - .../http/ext_authz/v4alpha/ext_authz.proto | 316 --- .../filters/http/fault/v4alpha/BUILD | 15 - .../filters/http/fault/v4alpha/fault.proto | 150 -- .../filters/http/gzip/v4alpha/BUILD | 13 - .../filters/http/gzip/v4alpha/gzip.proto | 81 - .../http/header_to_metadata/v4alpha/BUILD | 13 - .../v4alpha/header_to_metadata.proto | 130 -- .../filters/http/health_check/v4alpha/BUILD | 14 - .../health_check/v4alpha/health_check.proto | 52 - .../filters/http/jwt_authn/v4alpha/BUILD | 14 - .../http/jwt_authn/v4alpha/config.proto | 674 ------ .../filters/http/oauth2/v4alpha/BUILD | 16 - .../filters/http/oauth2/v4alpha/oauth.proto | 99 - .../filters/http/ratelimit/v4alpha/BUILD | 13 - .../http/ratelimit/v4alpha/rate_limit.proto | 125 - .../filters/http/rbac/v4alpha/BUILD | 13 - .../filters/http/rbac/v4alpha/rbac.proto | 49 - .../filters/http/router/v4alpha/BUILD | 13 - .../filters/http/router/v4alpha/router.proto | 91 - .../extensions/filters/http/tap/v4alpha/BUILD | 13 - .../filters/http/tap/v4alpha/tap.proto | 28 - .../filters/network/dubbo_proxy/v4alpha/BUILD | 15 - .../dubbo_proxy/v4alpha/dubbo_proxy.proto | 70 - .../network/dubbo_proxy/v4alpha/route.proto | 129 - .../filters/network/ext_authz/v4alpha/BUILD | 14 - .../network/ext_authz/v4alpha/ext_authz.proto | 64 - 
.../http_connection_manager/v4alpha/BUILD | 19 - .../v4alpha/http_connection_manager.proto | 1018 -------- .../filters/network/ratelimit/v4alpha/BUILD | 14 - .../ratelimit/v4alpha/rate_limit.proto | 53 - .../filters/network/rbac/v4alpha/BUILD | 13 - .../filters/network/rbac/v4alpha/rbac.proto | 64 - .../sni_dynamic_forward_proxy/v4alpha/BUILD | 13 - .../v4alpha/sni_dynamic_forward_proxy.proto | 40 - .../filters/network/tcp_proxy/v4alpha/BUILD | 15 - .../network/tcp_proxy/v4alpha/tcp_proxy.proto | 154 -- .../filters/ratelimit/v4alpha/BUILD | 13 - .../ratelimit/v4alpha/rate_limit.proto | 56 - .../network/thrift_proxy/v4alpha/BUILD | 14 - .../network/thrift_proxy/v4alpha/route.proto | 186 -- .../thrift_proxy/v4alpha/thrift_proxy.proto | 140 -- .../filters/udp/dns_filter/v4alpha/BUILD | 14 - .../udp/dns_filter/v4alpha/dns_filter.proto | 84 - .../extensions/tracers/datadog/v4alpha/BUILD | 12 - .../tracers/datadog/v4alpha/datadog.proto | 27 - .../tracers/dynamic_ot/v4alpha/BUILD | 12 - .../dynamic_ot/v4alpha/dynamic_ot.proto | 33 - .../tracers/lightstep/v4alpha/BUILD | 13 - .../tracers/lightstep/v4alpha/lightstep.proto | 52 - .../tracers/opencensus/v4alpha/BUILD | 14 - .../opencensus/v4alpha/opencensus.proto | 91 - .../tracers/skywalking/v4alpha/BUILD | 13 - .../skywalking/v4alpha/skywalking.proto | 68 - .../extensions/tracers/xray/v4alpha/BUILD | 13 - .../tracers/xray/v4alpha/xray.proto | 55 - .../extensions/tracers/zipkin/v4alpha/BUILD | 13 - .../tracers/zipkin/v4alpha/zipkin.proto | 70 - .../transport_sockets/quic/v4alpha/BUILD | 13 - .../quic/v4alpha/quic_transport.proto | 35 - .../transport_sockets/starttls/v4alpha/BUILD | 14 - .../starttls/v4alpha/starttls.proto | 58 - .../transport_sockets/tap/v4alpha/BUILD | 14 - .../transport_sockets/tap/v4alpha/tap.proto | 33 - .../transport_sockets/tls/v4alpha/BUILD | 14 - .../tls/v4alpha/common.proto | 440 ---- .../tls/v4alpha/secret.proto | 58 - .../transport_sockets/tls/v4alpha/tls.proto | 285 --- 
.../v4alpha/tls_spiffe_validator_config.proto | 66 - .../extensions/upstreams/http/v4alpha/BUILD | 13 - .../http/v4alpha/http_protocol_options.proto | 164 -- api/envoy/service/accesslog/v4alpha/BUILD | 15 - api/envoy/service/accesslog/v4alpha/als.proto | 87 - api/envoy/service/auth/v4alpha/BUILD | 15 - .../auth/v4alpha/attribute_context.proto | 177 -- .../service/auth/v4alpha/external_auth.proto | 130 -- api/envoy/service/discovery/v4alpha/BUILD | 14 - api/envoy/service/discovery/v4alpha/ads.proto | 44 - .../service/discovery/v4alpha/discovery.proto | 286 --- .../service/event_reporting/v4alpha/BUILD | 14 - .../v4alpha/event_reporting_service.proto | 69 - api/envoy/service/health/v4alpha/BUILD | 16 - api/envoy/service/health/v4alpha/hds.proto | 198 -- api/envoy/service/load_stats/v4alpha/BUILD | 15 - .../service/load_stats/v4alpha/lrs.proto | 102 - api/envoy/service/metrics/v4alpha/BUILD | 15 - .../metrics/v4alpha/metrics_service.proto | 53 - api/envoy/service/status/v4alpha/BUILD | 16 - api/envoy/service/status/v4alpha/csds.proto | 185 -- api/envoy/service/tap/v4alpha/BUILD | 15 - api/envoy/service/tap/v4alpha/tap.proto | 64 - api/envoy/service/trace/v4alpha/BUILD | 15 - .../service/trace/v4alpha/trace_service.proto | 55 - api/envoy/type/matcher/v4alpha/BUILD | 13 - .../type/matcher/v4alpha/http_inputs.proto | 70 - api/envoy/type/matcher/v4alpha/metadata.proto | 105 - api/envoy/type/matcher/v4alpha/node.proto | 28 - api/envoy/type/matcher/v4alpha/number.proto | 33 - api/envoy/type/matcher/v4alpha/path.proto | 30 - api/envoy/type/matcher/v4alpha/regex.proto | 82 - api/envoy/type/matcher/v4alpha/string.proto | 78 - api/envoy/type/matcher/v4alpha/struct.proto | 91 - api/envoy/type/matcher/v4alpha/value.proto | 71 - ci/do_ci.sh | 2 + .../network/rocketmq_proxy/v4alpha/BUILD | 15 - .../v4alpha/rocketmq_proxy.proto | 38 - .../rocketmq_proxy/v4alpha/route.proto | 67 - .../envoy/admin/v4alpha/BUILD | 17 - .../envoy/admin/v4alpha/certs.proto | 86 - 
.../envoy/admin/v4alpha/clusters.proto | 176 -- .../envoy/admin/v4alpha/config_dump.proto | 484 ---- .../envoy/admin/v4alpha/init_dump.proto | 37 - .../envoy/admin/v4alpha/listeners.proto | 36 - .../envoy/admin/v4alpha/memory.proto | 47 - .../envoy/admin/v4alpha/metrics.proto | 32 - .../envoy/admin/v4alpha/mutex_stats.proto | 33 - .../envoy/admin/v4alpha/server_info.proto | 191 -- .../envoy/admin/v4alpha/tap.proto | 28 - .../envoy/config/accesslog/v4alpha/BUILD | 16 - .../config/accesslog/v4alpha/accesslog.proto | 326 --- .../envoy/config/bootstrap/v4alpha/BUILD | 22 - .../config/bootstrap/v4alpha/bootstrap.proto | 652 ------ .../envoy/config/cluster/v4alpha/BUILD | 17 - .../cluster/v4alpha/circuit_breaker.proto | 105 - .../config/cluster/v4alpha/cluster.proto | 1157 --------- .../envoy/config/cluster/v4alpha/filter.proto | 30 - .../cluster/v4alpha/outlier_detection.proto | 157 -- .../envoy/config/common/matcher/v4alpha/BUILD | 15 - .../common/matcher/v4alpha/matcher.proto | 269 --- .../envoy/config/core/v4alpha/BUILD | 16 - .../envoy/config/core/v4alpha/address.proto | 163 -- .../envoy/config/core/v4alpha/backoff.proto | 37 - .../envoy/config/core/v4alpha/base.proto | 465 ---- .../config/core/v4alpha/config_source.proto | 220 -- .../core/v4alpha/event_service_config.proto | 28 - .../envoy/config/core/v4alpha/extension.proto | 68 - .../core/v4alpha/grpc_method_list.proto | 33 - .../config/core/v4alpha/grpc_service.proto | 302 --- .../config/core/v4alpha/health_check.proto | 372 --- .../envoy/config/core/v4alpha/http_uri.proto | 56 - .../envoy/config/core/v4alpha/protocol.proto | 509 ---- .../config/core/v4alpha/proxy_protocol.proto | 29 - .../envoy/config/core/v4alpha/resolver.proto | 48 - .../config/core/v4alpha/socket_option.proto | 56 - .../v4alpha/substitution_format_string.proto | 118 - .../core/v4alpha/udp_socket_config.proto | 35 - .../envoy/config/endpoint/v4alpha/BUILD | 14 - .../config/endpoint/v4alpha/endpoint.proto | 119 - 
.../v4alpha/endpoint_components.proto | 195 -- .../config/endpoint/v4alpha/load_report.proto | 168 -- .../envoy/config/listener/v4alpha/BUILD | 17 - .../listener/v4alpha/api_listener.proto | 33 - .../config/listener/v4alpha/listener.proto | 324 --- .../v4alpha/listener_components.proto | 363 --- .../config/listener/v4alpha/quic_config.proto | 62 - .../v4alpha/udp_listener_config.proto | 46 - .../envoy/config/metrics/v4alpha/BUILD | 14 - .../metrics/v4alpha/metrics_service.proto | 46 - .../envoy/config/metrics/v4alpha/stats.proto | 411 ---- .../envoy/config/ratelimit/v4alpha/BUILD | 13 - .../envoy/config/ratelimit/v4alpha/rls.proto | 34 - .../envoy/config/rbac/v4alpha/BUILD | 19 - .../envoy/config/rbac/v4alpha/rbac.proto | 305 --- .../envoy/config/route/v4alpha/BUILD | 18 - .../envoy/config/route/v4alpha/route.proto | 146 -- .../route/v4alpha/route_components.proto | 2067 ----------------- .../config/route/v4alpha/scoped_route.proto | 120 - .../envoy/config/tap/v4alpha/BUILD | 16 - .../envoy/config/tap/v4alpha/common.proto | 281 --- .../envoy/config/trace/v4alpha/BUILD | 13 - .../config/trace/v4alpha/http_tracer.proto | 59 - .../envoy/config/trace/v4alpha/service.proto | 25 - .../envoy/data/dns/v4alpha/BUILD | 14 - .../envoy/data/dns/v4alpha/dns_table.proto | 168 -- .../access_loggers/file/v4alpha/BUILD | 14 - .../access_loggers/file/v4alpha/file.proto | 63 - .../access_loggers/grpc/v4alpha/BUILD | 13 - .../access_loggers/grpc/v4alpha/als.proto | 89 - .../open_telemetry/v4alpha/BUILD | 14 - .../open_telemetry/v4alpha/logs_service.proto | 47 - .../access_loggers/stream/v4alpha/BUILD | 13 - .../stream/v4alpha/stream.proto | 45 - .../dynamic_forward_proxy/v4alpha/BUILD | 13 - .../v4alpha/cluster.proto | 35 - .../dynamic_forward_proxy/v4alpha/BUILD | 16 - .../v4alpha/dns_cache.proto | 149 -- .../extensions/common/matching/v4alpha/BUILD | 16 - .../matching/v4alpha/extension_matcher.proto | 41 - .../envoy/extensions/common/tap/v4alpha/BUILD | 13 - 
.../common/tap/v4alpha/common.proto | 44 - .../filters/http/cache/v4alpha/BUILD | 14 - .../filters/http/cache/v4alpha/cache.proto | 82 - .../filters/http/compressor/v4alpha/BUILD | 14 - .../http/compressor/v4alpha/compressor.proto | 134 -- .../filters/http/csrf/v4alpha/BUILD | 14 - .../filters/http/csrf/v4alpha/csrf.proto | 54 - .../http/dynamic_forward_proxy/v4alpha/BUILD | 13 - .../v4alpha/dynamic_forward_proxy.proto | 64 - .../filters/http/ext_authz/v4alpha/BUILD | 15 - .../http/ext_authz/v4alpha/ext_authz.proto | 316 --- .../filters/http/fault/v4alpha/BUILD | 15 - .../filters/http/fault/v4alpha/fault.proto | 150 -- .../filters/http/gzip/v4alpha/BUILD | 13 - .../filters/http/gzip/v4alpha/gzip.proto | 81 - .../http/header_to_metadata/v4alpha/BUILD | 13 - .../v4alpha/header_to_metadata.proto | 130 -- .../filters/http/health_check/v4alpha/BUILD | 14 - .../health_check/v4alpha/health_check.proto | 52 - .../filters/http/jwt_authn/v4alpha/BUILD | 14 - .../http/jwt_authn/v4alpha/config.proto | 674 ------ .../filters/http/oauth2/v4alpha/BUILD | 16 - .../filters/http/oauth2/v4alpha/oauth.proto | 99 - .../filters/http/ratelimit/v4alpha/BUILD | 13 - .../http/ratelimit/v4alpha/rate_limit.proto | 125 - .../filters/http/rbac/v4alpha/BUILD | 13 - .../filters/http/rbac/v4alpha/rbac.proto | 49 - .../filters/http/router/v4alpha/BUILD | 13 - .../filters/http/router/v4alpha/router.proto | 91 - .../extensions/filters/http/tap/v4alpha/BUILD | 13 - .../filters/http/tap/v4alpha/tap.proto | 28 - .../filters/network/dubbo_proxy/v4alpha/BUILD | 15 - .../dubbo_proxy/v4alpha/dubbo_proxy.proto | 70 - .../network/dubbo_proxy/v4alpha/route.proto | 129 - .../filters/network/ext_authz/v4alpha/BUILD | 14 - .../network/ext_authz/v4alpha/ext_authz.proto | 64 - .../http_connection_manager/v4alpha/BUILD | 19 - .../v4alpha/http_connection_manager.proto | 1018 -------- .../filters/network/ratelimit/v4alpha/BUILD | 14 - .../ratelimit/v4alpha/rate_limit.proto | 53 - .../filters/network/rbac/v4alpha/BUILD 
| 13 - .../filters/network/rbac/v4alpha/rbac.proto | 64 - .../sni_dynamic_forward_proxy/v4alpha/BUILD | 13 - .../v4alpha/sni_dynamic_forward_proxy.proto | 40 - .../filters/network/tcp_proxy/v4alpha/BUILD | 15 - .../network/tcp_proxy/v4alpha/tcp_proxy.proto | 154 -- .../filters/ratelimit/v4alpha/BUILD | 13 - .../ratelimit/v4alpha/rate_limit.proto | 56 - .../network/thrift_proxy/v4alpha/BUILD | 14 - .../network/thrift_proxy/v4alpha/route.proto | 186 -- .../thrift_proxy/v4alpha/thrift_proxy.proto | 140 -- .../filters/udp/dns_filter/v4alpha/BUILD | 14 - .../udp/dns_filter/v4alpha/dns_filter.proto | 84 - .../extensions/tracers/datadog/v4alpha/BUILD | 12 - .../tracers/datadog/v4alpha/datadog.proto | 27 - .../tracers/dynamic_ot/v4alpha/BUILD | 12 - .../dynamic_ot/v4alpha/dynamic_ot.proto | 33 - .../tracers/lightstep/v4alpha/BUILD | 14 - .../tracers/lightstep/v4alpha/lightstep.proto | 54 - .../tracers/opencensus/v4alpha/BUILD | 15 - .../opencensus/v4alpha/opencensus.proto | 102 - .../tracers/skywalking/v4alpha/BUILD | 13 - .../skywalking/v4alpha/skywalking.proto | 68 - .../extensions/tracers/xray/v4alpha/BUILD | 13 - .../tracers/xray/v4alpha/xray.proto | 55 - .../extensions/tracers/zipkin/v4alpha/BUILD | 13 - .../tracers/zipkin/v4alpha/zipkin.proto | 73 - .../transport_sockets/quic/v4alpha/BUILD | 13 - .../quic/v4alpha/quic_transport.proto | 35 - .../transport_sockets/starttls/v4alpha/BUILD | 14 - .../starttls/v4alpha/starttls.proto | 58 - .../transport_sockets/tap/v4alpha/BUILD | 14 - .../transport_sockets/tap/v4alpha/tap.proto | 33 - .../transport_sockets/tls/v4alpha/BUILD | 15 - .../tls/v4alpha/common.proto | 440 ---- .../tls/v4alpha/secret.proto | 58 - .../transport_sockets/tls/v4alpha/tls.proto | 313 --- .../v4alpha/tls_spiffe_validator_config.proto | 66 - .../extensions/upstreams/http/v4alpha/BUILD | 13 - .../http/v4alpha/http_protocol_options.proto | 164 -- .../envoy/service/accesslog/v4alpha/BUILD | 15 - .../envoy/service/accesslog/v4alpha/als.proto | 87 - 
.../envoy/service/auth/v4alpha/BUILD | 16 - .../auth/v4alpha/attribute_context.proto | 177 -- .../service/auth/v4alpha/external_auth.proto | 134 -- .../envoy/service/discovery/v4alpha/BUILD | 14 - .../envoy/service/discovery/v4alpha/ads.proto | 44 - .../service/discovery/v4alpha/discovery.proto | 286 --- .../service/event_reporting/v4alpha/BUILD | 14 - .../v4alpha/event_reporting_service.proto | 69 - .../envoy/service/health/v4alpha/BUILD | 17 - .../envoy/service/health/v4alpha/hds.proto | 199 -- .../envoy/service/load_stats/v4alpha/BUILD | 15 - .../service/load_stats/v4alpha/lrs.proto | 102 - .../envoy/service/metrics/v4alpha/BUILD | 15 - .../metrics/v4alpha/metrics_service.proto | 53 - .../envoy/service/status/v4alpha/BUILD | 17 - .../envoy/service/status/v4alpha/csds.proto | 194 -- .../envoy/service/tap/v4alpha/BUILD | 15 - .../envoy/service/tap/v4alpha/tap.proto | 64 - .../envoy/service/trace/v4alpha/BUILD | 15 - .../service/trace/v4alpha/trace_service.proto | 55 - .../envoy/type/matcher/v4alpha/BUILD | 14 - .../type/matcher/v4alpha/http_inputs.proto | 70 - .../envoy/type/matcher/v4alpha/metadata.proto | 105 - .../envoy/type/matcher/v4alpha/node.proto | 28 - .../envoy/type/matcher/v4alpha/number.proto | 33 - .../envoy/type/matcher/v4alpha/path.proto | 30 - .../envoy/type/matcher/v4alpha/regex.proto | 89 - .../envoy/type/matcher/v4alpha/string.proto | 78 - .../envoy/type/matcher/v4alpha/struct.proto | 91 - .../envoy/type/matcher/v4alpha/value.proto | 71 - tools/type_whisperer/typedb_gen.py | 5 +- 397 files changed, 5 insertions(+), 41201 deletions(-) delete mode 100644 api/contrib/envoy/extensions/filters/network/rocketmq_proxy/v4alpha/BUILD delete mode 100644 api/contrib/envoy/extensions/filters/network/rocketmq_proxy/v4alpha/rocketmq_proxy.proto delete mode 100644 api/contrib/envoy/extensions/filters/network/rocketmq_proxy/v4alpha/route.proto delete mode 100644 api/envoy/admin/v4alpha/BUILD delete mode 100644 api/envoy/admin/v4alpha/certs.proto delete mode 
100644 api/envoy/admin/v4alpha/clusters.proto delete mode 100644 api/envoy/admin/v4alpha/config_dump.proto delete mode 100644 api/envoy/admin/v4alpha/init_dump.proto delete mode 100644 api/envoy/admin/v4alpha/listeners.proto delete mode 100644 api/envoy/admin/v4alpha/memory.proto delete mode 100644 api/envoy/admin/v4alpha/metrics.proto delete mode 100644 api/envoy/admin/v4alpha/mutex_stats.proto delete mode 100644 api/envoy/admin/v4alpha/server_info.proto delete mode 100644 api/envoy/admin/v4alpha/tap.proto delete mode 100644 api/envoy/config/accesslog/v4alpha/BUILD delete mode 100644 api/envoy/config/accesslog/v4alpha/accesslog.proto delete mode 100644 api/envoy/config/bootstrap/v4alpha/BUILD delete mode 100644 api/envoy/config/bootstrap/v4alpha/bootstrap.proto delete mode 100644 api/envoy/config/cluster/v4alpha/BUILD delete mode 100644 api/envoy/config/cluster/v4alpha/circuit_breaker.proto delete mode 100644 api/envoy/config/cluster/v4alpha/cluster.proto delete mode 100644 api/envoy/config/cluster/v4alpha/filter.proto delete mode 100644 api/envoy/config/cluster/v4alpha/outlier_detection.proto delete mode 100644 api/envoy/config/common/matcher/v4alpha/BUILD delete mode 100644 api/envoy/config/common/matcher/v4alpha/matcher.proto delete mode 100644 api/envoy/config/core/v4alpha/BUILD delete mode 100644 api/envoy/config/core/v4alpha/address.proto delete mode 100644 api/envoy/config/core/v4alpha/backoff.proto delete mode 100644 api/envoy/config/core/v4alpha/base.proto delete mode 100644 api/envoy/config/core/v4alpha/config_source.proto delete mode 100644 api/envoy/config/core/v4alpha/event_service_config.proto delete mode 100644 api/envoy/config/core/v4alpha/extension.proto delete mode 100644 api/envoy/config/core/v4alpha/grpc_method_list.proto delete mode 100644 api/envoy/config/core/v4alpha/grpc_service.proto delete mode 100644 api/envoy/config/core/v4alpha/health_check.proto delete mode 100644 api/envoy/config/core/v4alpha/http_uri.proto delete mode 100644 
api/envoy/config/core/v4alpha/protocol.proto delete mode 100644 api/envoy/config/core/v4alpha/proxy_protocol.proto delete mode 100644 api/envoy/config/core/v4alpha/resolver.proto delete mode 100644 api/envoy/config/core/v4alpha/socket_option.proto delete mode 100644 api/envoy/config/core/v4alpha/substitution_format_string.proto delete mode 100644 api/envoy/config/core/v4alpha/udp_socket_config.proto delete mode 100644 api/envoy/config/endpoint/v4alpha/BUILD delete mode 100644 api/envoy/config/endpoint/v4alpha/endpoint.proto delete mode 100644 api/envoy/config/endpoint/v4alpha/endpoint_components.proto delete mode 100644 api/envoy/config/endpoint/v4alpha/load_report.proto delete mode 100644 api/envoy/config/listener/v4alpha/BUILD delete mode 100644 api/envoy/config/listener/v4alpha/api_listener.proto delete mode 100644 api/envoy/config/listener/v4alpha/listener.proto delete mode 100644 api/envoy/config/listener/v4alpha/listener_components.proto delete mode 100644 api/envoy/config/listener/v4alpha/quic_config.proto delete mode 100644 api/envoy/config/listener/v4alpha/udp_listener_config.proto delete mode 100644 api/envoy/config/metrics/v4alpha/BUILD delete mode 100644 api/envoy/config/metrics/v4alpha/metrics_service.proto delete mode 100644 api/envoy/config/metrics/v4alpha/stats.proto delete mode 100644 api/envoy/config/ratelimit/v4alpha/BUILD delete mode 100644 api/envoy/config/ratelimit/v4alpha/rls.proto delete mode 100644 api/envoy/config/rbac/v4alpha/BUILD delete mode 100644 api/envoy/config/rbac/v4alpha/rbac.proto delete mode 100644 api/envoy/config/route/v4alpha/BUILD delete mode 100644 api/envoy/config/route/v4alpha/route.proto delete mode 100644 api/envoy/config/route/v4alpha/route_components.proto delete mode 100644 api/envoy/config/route/v4alpha/scoped_route.proto delete mode 100644 api/envoy/config/tap/v4alpha/BUILD delete mode 100644 api/envoy/config/tap/v4alpha/common.proto delete mode 100644 api/envoy/config/trace/v4alpha/BUILD delete mode 100644 
api/envoy/config/trace/v4alpha/http_tracer.proto delete mode 100644 api/envoy/config/trace/v4alpha/service.proto delete mode 100644 api/envoy/data/dns/v4alpha/BUILD delete mode 100644 api/envoy/data/dns/v4alpha/dns_table.proto delete mode 100644 api/envoy/extensions/access_loggers/file/v4alpha/BUILD delete mode 100644 api/envoy/extensions/access_loggers/file/v4alpha/file.proto delete mode 100644 api/envoy/extensions/access_loggers/grpc/v4alpha/BUILD delete mode 100644 api/envoy/extensions/access_loggers/grpc/v4alpha/als.proto delete mode 100644 api/envoy/extensions/access_loggers/open_telemetry/v4alpha/BUILD delete mode 100644 api/envoy/extensions/access_loggers/open_telemetry/v4alpha/logs_service.proto delete mode 100644 api/envoy/extensions/access_loggers/stream/v4alpha/BUILD delete mode 100644 api/envoy/extensions/access_loggers/stream/v4alpha/stream.proto delete mode 100644 api/envoy/extensions/clusters/dynamic_forward_proxy/v4alpha/BUILD delete mode 100644 api/envoy/extensions/clusters/dynamic_forward_proxy/v4alpha/cluster.proto delete mode 100644 api/envoy/extensions/common/dynamic_forward_proxy/v4alpha/BUILD delete mode 100644 api/envoy/extensions/common/dynamic_forward_proxy/v4alpha/dns_cache.proto delete mode 100644 api/envoy/extensions/common/matching/v4alpha/BUILD delete mode 100644 api/envoy/extensions/common/matching/v4alpha/extension_matcher.proto delete mode 100644 api/envoy/extensions/common/tap/v4alpha/BUILD delete mode 100644 api/envoy/extensions/common/tap/v4alpha/common.proto delete mode 100644 api/envoy/extensions/filters/http/cache/v4alpha/BUILD delete mode 100644 api/envoy/extensions/filters/http/cache/v4alpha/cache.proto delete mode 100644 api/envoy/extensions/filters/http/compressor/v4alpha/BUILD delete mode 100644 api/envoy/extensions/filters/http/compressor/v4alpha/compressor.proto delete mode 100644 api/envoy/extensions/filters/http/csrf/v4alpha/BUILD delete mode 100644 api/envoy/extensions/filters/http/csrf/v4alpha/csrf.proto delete 
mode 100644 api/envoy/extensions/filters/http/dynamic_forward_proxy/v4alpha/BUILD delete mode 100644 api/envoy/extensions/filters/http/dynamic_forward_proxy/v4alpha/dynamic_forward_proxy.proto delete mode 100644 api/envoy/extensions/filters/http/ext_authz/v4alpha/BUILD delete mode 100644 api/envoy/extensions/filters/http/ext_authz/v4alpha/ext_authz.proto delete mode 100644 api/envoy/extensions/filters/http/fault/v4alpha/BUILD delete mode 100644 api/envoy/extensions/filters/http/fault/v4alpha/fault.proto delete mode 100644 api/envoy/extensions/filters/http/gzip/v4alpha/BUILD delete mode 100644 api/envoy/extensions/filters/http/gzip/v4alpha/gzip.proto delete mode 100644 api/envoy/extensions/filters/http/header_to_metadata/v4alpha/BUILD delete mode 100644 api/envoy/extensions/filters/http/header_to_metadata/v4alpha/header_to_metadata.proto delete mode 100644 api/envoy/extensions/filters/http/health_check/v4alpha/BUILD delete mode 100644 api/envoy/extensions/filters/http/health_check/v4alpha/health_check.proto delete mode 100644 api/envoy/extensions/filters/http/jwt_authn/v4alpha/BUILD delete mode 100644 api/envoy/extensions/filters/http/jwt_authn/v4alpha/config.proto delete mode 100644 api/envoy/extensions/filters/http/oauth2/v4alpha/BUILD delete mode 100644 api/envoy/extensions/filters/http/oauth2/v4alpha/oauth.proto delete mode 100644 api/envoy/extensions/filters/http/ratelimit/v4alpha/BUILD delete mode 100644 api/envoy/extensions/filters/http/ratelimit/v4alpha/rate_limit.proto delete mode 100644 api/envoy/extensions/filters/http/rbac/v4alpha/BUILD delete mode 100644 api/envoy/extensions/filters/http/rbac/v4alpha/rbac.proto delete mode 100644 api/envoy/extensions/filters/http/router/v4alpha/BUILD delete mode 100644 api/envoy/extensions/filters/http/router/v4alpha/router.proto delete mode 100644 api/envoy/extensions/filters/http/tap/v4alpha/BUILD delete mode 100644 api/envoy/extensions/filters/http/tap/v4alpha/tap.proto delete mode 100644 
api/envoy/extensions/filters/network/dubbo_proxy/v4alpha/BUILD delete mode 100644 api/envoy/extensions/filters/network/dubbo_proxy/v4alpha/dubbo_proxy.proto delete mode 100644 api/envoy/extensions/filters/network/dubbo_proxy/v4alpha/route.proto delete mode 100644 api/envoy/extensions/filters/network/ext_authz/v4alpha/BUILD delete mode 100644 api/envoy/extensions/filters/network/ext_authz/v4alpha/ext_authz.proto delete mode 100644 api/envoy/extensions/filters/network/http_connection_manager/v4alpha/BUILD delete mode 100644 api/envoy/extensions/filters/network/http_connection_manager/v4alpha/http_connection_manager.proto delete mode 100644 api/envoy/extensions/filters/network/ratelimit/v4alpha/BUILD delete mode 100644 api/envoy/extensions/filters/network/ratelimit/v4alpha/rate_limit.proto delete mode 100644 api/envoy/extensions/filters/network/rbac/v4alpha/BUILD delete mode 100644 api/envoy/extensions/filters/network/rbac/v4alpha/rbac.proto delete mode 100644 api/envoy/extensions/filters/network/sni_dynamic_forward_proxy/v4alpha/BUILD delete mode 100644 api/envoy/extensions/filters/network/sni_dynamic_forward_proxy/v4alpha/sni_dynamic_forward_proxy.proto delete mode 100644 api/envoy/extensions/filters/network/tcp_proxy/v4alpha/BUILD delete mode 100644 api/envoy/extensions/filters/network/tcp_proxy/v4alpha/tcp_proxy.proto delete mode 100644 api/envoy/extensions/filters/network/thrift_proxy/filters/ratelimit/v4alpha/BUILD delete mode 100644 api/envoy/extensions/filters/network/thrift_proxy/filters/ratelimit/v4alpha/rate_limit.proto delete mode 100644 api/envoy/extensions/filters/network/thrift_proxy/v4alpha/BUILD delete mode 100644 api/envoy/extensions/filters/network/thrift_proxy/v4alpha/route.proto delete mode 100644 api/envoy/extensions/filters/network/thrift_proxy/v4alpha/thrift_proxy.proto delete mode 100644 api/envoy/extensions/filters/udp/dns_filter/v4alpha/BUILD delete mode 100644 api/envoy/extensions/filters/udp/dns_filter/v4alpha/dns_filter.proto delete mode 
100644 api/envoy/extensions/tracers/datadog/v4alpha/BUILD delete mode 100644 api/envoy/extensions/tracers/datadog/v4alpha/datadog.proto delete mode 100644 api/envoy/extensions/tracers/dynamic_ot/v4alpha/BUILD delete mode 100644 api/envoy/extensions/tracers/dynamic_ot/v4alpha/dynamic_ot.proto delete mode 100644 api/envoy/extensions/tracers/lightstep/v4alpha/BUILD delete mode 100644 api/envoy/extensions/tracers/lightstep/v4alpha/lightstep.proto delete mode 100644 api/envoy/extensions/tracers/opencensus/v4alpha/BUILD delete mode 100644 api/envoy/extensions/tracers/opencensus/v4alpha/opencensus.proto delete mode 100644 api/envoy/extensions/tracers/skywalking/v4alpha/BUILD delete mode 100644 api/envoy/extensions/tracers/skywalking/v4alpha/skywalking.proto delete mode 100644 api/envoy/extensions/tracers/xray/v4alpha/BUILD delete mode 100644 api/envoy/extensions/tracers/xray/v4alpha/xray.proto delete mode 100644 api/envoy/extensions/tracers/zipkin/v4alpha/BUILD delete mode 100644 api/envoy/extensions/tracers/zipkin/v4alpha/zipkin.proto delete mode 100644 api/envoy/extensions/transport_sockets/quic/v4alpha/BUILD delete mode 100644 api/envoy/extensions/transport_sockets/quic/v4alpha/quic_transport.proto delete mode 100644 api/envoy/extensions/transport_sockets/starttls/v4alpha/BUILD delete mode 100644 api/envoy/extensions/transport_sockets/starttls/v4alpha/starttls.proto delete mode 100644 api/envoy/extensions/transport_sockets/tap/v4alpha/BUILD delete mode 100644 api/envoy/extensions/transport_sockets/tap/v4alpha/tap.proto delete mode 100644 api/envoy/extensions/transport_sockets/tls/v4alpha/BUILD delete mode 100644 api/envoy/extensions/transport_sockets/tls/v4alpha/common.proto delete mode 100644 api/envoy/extensions/transport_sockets/tls/v4alpha/secret.proto delete mode 100644 api/envoy/extensions/transport_sockets/tls/v4alpha/tls.proto delete mode 100644 api/envoy/extensions/transport_sockets/tls/v4alpha/tls_spiffe_validator_config.proto delete mode 100644 
api/envoy/extensions/upstreams/http/v4alpha/BUILD delete mode 100644 api/envoy/extensions/upstreams/http/v4alpha/http_protocol_options.proto delete mode 100644 api/envoy/service/accesslog/v4alpha/BUILD delete mode 100644 api/envoy/service/accesslog/v4alpha/als.proto delete mode 100644 api/envoy/service/auth/v4alpha/BUILD delete mode 100644 api/envoy/service/auth/v4alpha/attribute_context.proto delete mode 100644 api/envoy/service/auth/v4alpha/external_auth.proto delete mode 100644 api/envoy/service/discovery/v4alpha/BUILD delete mode 100644 api/envoy/service/discovery/v4alpha/ads.proto delete mode 100644 api/envoy/service/discovery/v4alpha/discovery.proto delete mode 100644 api/envoy/service/event_reporting/v4alpha/BUILD delete mode 100644 api/envoy/service/event_reporting/v4alpha/event_reporting_service.proto delete mode 100644 api/envoy/service/health/v4alpha/BUILD delete mode 100644 api/envoy/service/health/v4alpha/hds.proto delete mode 100644 api/envoy/service/load_stats/v4alpha/BUILD delete mode 100644 api/envoy/service/load_stats/v4alpha/lrs.proto delete mode 100644 api/envoy/service/metrics/v4alpha/BUILD delete mode 100644 api/envoy/service/metrics/v4alpha/metrics_service.proto delete mode 100644 api/envoy/service/status/v4alpha/BUILD delete mode 100644 api/envoy/service/status/v4alpha/csds.proto delete mode 100644 api/envoy/service/tap/v4alpha/BUILD delete mode 100644 api/envoy/service/tap/v4alpha/tap.proto delete mode 100644 api/envoy/service/trace/v4alpha/BUILD delete mode 100644 api/envoy/service/trace/v4alpha/trace_service.proto delete mode 100644 api/envoy/type/matcher/v4alpha/BUILD delete mode 100644 api/envoy/type/matcher/v4alpha/http_inputs.proto delete mode 100644 api/envoy/type/matcher/v4alpha/metadata.proto delete mode 100644 api/envoy/type/matcher/v4alpha/node.proto delete mode 100644 api/envoy/type/matcher/v4alpha/number.proto delete mode 100644 api/envoy/type/matcher/v4alpha/path.proto delete mode 100644 
api/envoy/type/matcher/v4alpha/regex.proto delete mode 100644 api/envoy/type/matcher/v4alpha/string.proto delete mode 100644 api/envoy/type/matcher/v4alpha/struct.proto delete mode 100644 api/envoy/type/matcher/v4alpha/value.proto delete mode 100644 generated_api_shadow/contrib/envoy/extensions/filters/network/rocketmq_proxy/v4alpha/BUILD delete mode 100644 generated_api_shadow/contrib/envoy/extensions/filters/network/rocketmq_proxy/v4alpha/rocketmq_proxy.proto delete mode 100644 generated_api_shadow/contrib/envoy/extensions/filters/network/rocketmq_proxy/v4alpha/route.proto delete mode 100644 generated_api_shadow/envoy/admin/v4alpha/BUILD delete mode 100644 generated_api_shadow/envoy/admin/v4alpha/certs.proto delete mode 100644 generated_api_shadow/envoy/admin/v4alpha/clusters.proto delete mode 100644 generated_api_shadow/envoy/admin/v4alpha/config_dump.proto delete mode 100644 generated_api_shadow/envoy/admin/v4alpha/init_dump.proto delete mode 100644 generated_api_shadow/envoy/admin/v4alpha/listeners.proto delete mode 100644 generated_api_shadow/envoy/admin/v4alpha/memory.proto delete mode 100644 generated_api_shadow/envoy/admin/v4alpha/metrics.proto delete mode 100644 generated_api_shadow/envoy/admin/v4alpha/mutex_stats.proto delete mode 100644 generated_api_shadow/envoy/admin/v4alpha/server_info.proto delete mode 100644 generated_api_shadow/envoy/admin/v4alpha/tap.proto delete mode 100644 generated_api_shadow/envoy/config/accesslog/v4alpha/BUILD delete mode 100644 generated_api_shadow/envoy/config/accesslog/v4alpha/accesslog.proto delete mode 100644 generated_api_shadow/envoy/config/bootstrap/v4alpha/BUILD delete mode 100644 generated_api_shadow/envoy/config/bootstrap/v4alpha/bootstrap.proto delete mode 100644 generated_api_shadow/envoy/config/cluster/v4alpha/BUILD delete mode 100644 generated_api_shadow/envoy/config/cluster/v4alpha/circuit_breaker.proto delete mode 100644 generated_api_shadow/envoy/config/cluster/v4alpha/cluster.proto delete mode 100644 
generated_api_shadow/envoy/config/cluster/v4alpha/filter.proto delete mode 100644 generated_api_shadow/envoy/config/cluster/v4alpha/outlier_detection.proto delete mode 100644 generated_api_shadow/envoy/config/common/matcher/v4alpha/BUILD delete mode 100644 generated_api_shadow/envoy/config/common/matcher/v4alpha/matcher.proto delete mode 100644 generated_api_shadow/envoy/config/core/v4alpha/BUILD delete mode 100644 generated_api_shadow/envoy/config/core/v4alpha/address.proto delete mode 100644 generated_api_shadow/envoy/config/core/v4alpha/backoff.proto delete mode 100644 generated_api_shadow/envoy/config/core/v4alpha/base.proto delete mode 100644 generated_api_shadow/envoy/config/core/v4alpha/config_source.proto delete mode 100644 generated_api_shadow/envoy/config/core/v4alpha/event_service_config.proto delete mode 100644 generated_api_shadow/envoy/config/core/v4alpha/extension.proto delete mode 100644 generated_api_shadow/envoy/config/core/v4alpha/grpc_method_list.proto delete mode 100644 generated_api_shadow/envoy/config/core/v4alpha/grpc_service.proto delete mode 100644 generated_api_shadow/envoy/config/core/v4alpha/health_check.proto delete mode 100644 generated_api_shadow/envoy/config/core/v4alpha/http_uri.proto delete mode 100644 generated_api_shadow/envoy/config/core/v4alpha/protocol.proto delete mode 100644 generated_api_shadow/envoy/config/core/v4alpha/proxy_protocol.proto delete mode 100644 generated_api_shadow/envoy/config/core/v4alpha/resolver.proto delete mode 100644 generated_api_shadow/envoy/config/core/v4alpha/socket_option.proto delete mode 100644 generated_api_shadow/envoy/config/core/v4alpha/substitution_format_string.proto delete mode 100644 generated_api_shadow/envoy/config/core/v4alpha/udp_socket_config.proto delete mode 100644 generated_api_shadow/envoy/config/endpoint/v4alpha/BUILD delete mode 100644 generated_api_shadow/envoy/config/endpoint/v4alpha/endpoint.proto delete mode 100644 
generated_api_shadow/envoy/config/endpoint/v4alpha/endpoint_components.proto delete mode 100644 generated_api_shadow/envoy/config/endpoint/v4alpha/load_report.proto delete mode 100644 generated_api_shadow/envoy/config/listener/v4alpha/BUILD delete mode 100644 generated_api_shadow/envoy/config/listener/v4alpha/api_listener.proto delete mode 100644 generated_api_shadow/envoy/config/listener/v4alpha/listener.proto delete mode 100644 generated_api_shadow/envoy/config/listener/v4alpha/listener_components.proto delete mode 100644 generated_api_shadow/envoy/config/listener/v4alpha/quic_config.proto delete mode 100644 generated_api_shadow/envoy/config/listener/v4alpha/udp_listener_config.proto delete mode 100644 generated_api_shadow/envoy/config/metrics/v4alpha/BUILD delete mode 100644 generated_api_shadow/envoy/config/metrics/v4alpha/metrics_service.proto delete mode 100644 generated_api_shadow/envoy/config/metrics/v4alpha/stats.proto delete mode 100644 generated_api_shadow/envoy/config/ratelimit/v4alpha/BUILD delete mode 100644 generated_api_shadow/envoy/config/ratelimit/v4alpha/rls.proto delete mode 100644 generated_api_shadow/envoy/config/rbac/v4alpha/BUILD delete mode 100644 generated_api_shadow/envoy/config/rbac/v4alpha/rbac.proto delete mode 100644 generated_api_shadow/envoy/config/route/v4alpha/BUILD delete mode 100644 generated_api_shadow/envoy/config/route/v4alpha/route.proto delete mode 100644 generated_api_shadow/envoy/config/route/v4alpha/route_components.proto delete mode 100644 generated_api_shadow/envoy/config/route/v4alpha/scoped_route.proto delete mode 100644 generated_api_shadow/envoy/config/tap/v4alpha/BUILD delete mode 100644 generated_api_shadow/envoy/config/tap/v4alpha/common.proto delete mode 100644 generated_api_shadow/envoy/config/trace/v4alpha/BUILD delete mode 100644 generated_api_shadow/envoy/config/trace/v4alpha/http_tracer.proto delete mode 100644 generated_api_shadow/envoy/config/trace/v4alpha/service.proto delete mode 100644 
generated_api_shadow/envoy/data/dns/v4alpha/BUILD delete mode 100644 generated_api_shadow/envoy/data/dns/v4alpha/dns_table.proto delete mode 100644 generated_api_shadow/envoy/extensions/access_loggers/file/v4alpha/BUILD delete mode 100644 generated_api_shadow/envoy/extensions/access_loggers/file/v4alpha/file.proto delete mode 100644 generated_api_shadow/envoy/extensions/access_loggers/grpc/v4alpha/BUILD delete mode 100644 generated_api_shadow/envoy/extensions/access_loggers/grpc/v4alpha/als.proto delete mode 100644 generated_api_shadow/envoy/extensions/access_loggers/open_telemetry/v4alpha/BUILD delete mode 100644 generated_api_shadow/envoy/extensions/access_loggers/open_telemetry/v4alpha/logs_service.proto delete mode 100644 generated_api_shadow/envoy/extensions/access_loggers/stream/v4alpha/BUILD delete mode 100644 generated_api_shadow/envoy/extensions/access_loggers/stream/v4alpha/stream.proto delete mode 100644 generated_api_shadow/envoy/extensions/clusters/dynamic_forward_proxy/v4alpha/BUILD delete mode 100644 generated_api_shadow/envoy/extensions/clusters/dynamic_forward_proxy/v4alpha/cluster.proto delete mode 100644 generated_api_shadow/envoy/extensions/common/dynamic_forward_proxy/v4alpha/BUILD delete mode 100644 generated_api_shadow/envoy/extensions/common/dynamic_forward_proxy/v4alpha/dns_cache.proto delete mode 100644 generated_api_shadow/envoy/extensions/common/matching/v4alpha/BUILD delete mode 100644 generated_api_shadow/envoy/extensions/common/matching/v4alpha/extension_matcher.proto delete mode 100644 generated_api_shadow/envoy/extensions/common/tap/v4alpha/BUILD delete mode 100644 generated_api_shadow/envoy/extensions/common/tap/v4alpha/common.proto delete mode 100644 generated_api_shadow/envoy/extensions/filters/http/cache/v4alpha/BUILD delete mode 100644 generated_api_shadow/envoy/extensions/filters/http/cache/v4alpha/cache.proto delete mode 100644 generated_api_shadow/envoy/extensions/filters/http/compressor/v4alpha/BUILD delete mode 100644 
generated_api_shadow/envoy/extensions/filters/http/compressor/v4alpha/compressor.proto delete mode 100644 generated_api_shadow/envoy/extensions/filters/http/csrf/v4alpha/BUILD delete mode 100644 generated_api_shadow/envoy/extensions/filters/http/csrf/v4alpha/csrf.proto delete mode 100644 generated_api_shadow/envoy/extensions/filters/http/dynamic_forward_proxy/v4alpha/BUILD delete mode 100644 generated_api_shadow/envoy/extensions/filters/http/dynamic_forward_proxy/v4alpha/dynamic_forward_proxy.proto delete mode 100644 generated_api_shadow/envoy/extensions/filters/http/ext_authz/v4alpha/BUILD delete mode 100644 generated_api_shadow/envoy/extensions/filters/http/ext_authz/v4alpha/ext_authz.proto delete mode 100644 generated_api_shadow/envoy/extensions/filters/http/fault/v4alpha/BUILD delete mode 100644 generated_api_shadow/envoy/extensions/filters/http/fault/v4alpha/fault.proto delete mode 100644 generated_api_shadow/envoy/extensions/filters/http/gzip/v4alpha/BUILD delete mode 100644 generated_api_shadow/envoy/extensions/filters/http/gzip/v4alpha/gzip.proto delete mode 100644 generated_api_shadow/envoy/extensions/filters/http/header_to_metadata/v4alpha/BUILD delete mode 100644 generated_api_shadow/envoy/extensions/filters/http/header_to_metadata/v4alpha/header_to_metadata.proto delete mode 100644 generated_api_shadow/envoy/extensions/filters/http/health_check/v4alpha/BUILD delete mode 100644 generated_api_shadow/envoy/extensions/filters/http/health_check/v4alpha/health_check.proto delete mode 100644 generated_api_shadow/envoy/extensions/filters/http/jwt_authn/v4alpha/BUILD delete mode 100644 generated_api_shadow/envoy/extensions/filters/http/jwt_authn/v4alpha/config.proto delete mode 100644 generated_api_shadow/envoy/extensions/filters/http/oauth2/v4alpha/BUILD delete mode 100644 generated_api_shadow/envoy/extensions/filters/http/oauth2/v4alpha/oauth.proto delete mode 100644 generated_api_shadow/envoy/extensions/filters/http/ratelimit/v4alpha/BUILD delete mode 100644 
generated_api_shadow/envoy/extensions/filters/http/ratelimit/v4alpha/rate_limit.proto delete mode 100644 generated_api_shadow/envoy/extensions/filters/http/rbac/v4alpha/BUILD delete mode 100644 generated_api_shadow/envoy/extensions/filters/http/rbac/v4alpha/rbac.proto delete mode 100644 generated_api_shadow/envoy/extensions/filters/http/router/v4alpha/BUILD delete mode 100644 generated_api_shadow/envoy/extensions/filters/http/router/v4alpha/router.proto delete mode 100644 generated_api_shadow/envoy/extensions/filters/http/tap/v4alpha/BUILD delete mode 100644 generated_api_shadow/envoy/extensions/filters/http/tap/v4alpha/tap.proto delete mode 100644 generated_api_shadow/envoy/extensions/filters/network/dubbo_proxy/v4alpha/BUILD delete mode 100644 generated_api_shadow/envoy/extensions/filters/network/dubbo_proxy/v4alpha/dubbo_proxy.proto delete mode 100644 generated_api_shadow/envoy/extensions/filters/network/dubbo_proxy/v4alpha/route.proto delete mode 100644 generated_api_shadow/envoy/extensions/filters/network/ext_authz/v4alpha/BUILD delete mode 100644 generated_api_shadow/envoy/extensions/filters/network/ext_authz/v4alpha/ext_authz.proto delete mode 100644 generated_api_shadow/envoy/extensions/filters/network/http_connection_manager/v4alpha/BUILD delete mode 100644 generated_api_shadow/envoy/extensions/filters/network/http_connection_manager/v4alpha/http_connection_manager.proto delete mode 100644 generated_api_shadow/envoy/extensions/filters/network/ratelimit/v4alpha/BUILD delete mode 100644 generated_api_shadow/envoy/extensions/filters/network/ratelimit/v4alpha/rate_limit.proto delete mode 100644 generated_api_shadow/envoy/extensions/filters/network/rbac/v4alpha/BUILD delete mode 100644 generated_api_shadow/envoy/extensions/filters/network/rbac/v4alpha/rbac.proto delete mode 100644 generated_api_shadow/envoy/extensions/filters/network/sni_dynamic_forward_proxy/v4alpha/BUILD delete mode 100644 
generated_api_shadow/envoy/extensions/filters/network/sni_dynamic_forward_proxy/v4alpha/sni_dynamic_forward_proxy.proto delete mode 100644 generated_api_shadow/envoy/extensions/filters/network/tcp_proxy/v4alpha/BUILD delete mode 100644 generated_api_shadow/envoy/extensions/filters/network/tcp_proxy/v4alpha/tcp_proxy.proto delete mode 100644 generated_api_shadow/envoy/extensions/filters/network/thrift_proxy/filters/ratelimit/v4alpha/BUILD delete mode 100644 generated_api_shadow/envoy/extensions/filters/network/thrift_proxy/filters/ratelimit/v4alpha/rate_limit.proto delete mode 100644 generated_api_shadow/envoy/extensions/filters/network/thrift_proxy/v4alpha/BUILD delete mode 100644 generated_api_shadow/envoy/extensions/filters/network/thrift_proxy/v4alpha/route.proto delete mode 100644 generated_api_shadow/envoy/extensions/filters/network/thrift_proxy/v4alpha/thrift_proxy.proto delete mode 100644 generated_api_shadow/envoy/extensions/filters/udp/dns_filter/v4alpha/BUILD delete mode 100644 generated_api_shadow/envoy/extensions/filters/udp/dns_filter/v4alpha/dns_filter.proto delete mode 100644 generated_api_shadow/envoy/extensions/tracers/datadog/v4alpha/BUILD delete mode 100644 generated_api_shadow/envoy/extensions/tracers/datadog/v4alpha/datadog.proto delete mode 100644 generated_api_shadow/envoy/extensions/tracers/dynamic_ot/v4alpha/BUILD delete mode 100644 generated_api_shadow/envoy/extensions/tracers/dynamic_ot/v4alpha/dynamic_ot.proto delete mode 100644 generated_api_shadow/envoy/extensions/tracers/lightstep/v4alpha/BUILD delete mode 100644 generated_api_shadow/envoy/extensions/tracers/lightstep/v4alpha/lightstep.proto delete mode 100644 generated_api_shadow/envoy/extensions/tracers/opencensus/v4alpha/BUILD delete mode 100644 generated_api_shadow/envoy/extensions/tracers/opencensus/v4alpha/opencensus.proto delete mode 100644 generated_api_shadow/envoy/extensions/tracers/skywalking/v4alpha/BUILD delete mode 100644 
generated_api_shadow/envoy/extensions/tracers/skywalking/v4alpha/skywalking.proto delete mode 100644 generated_api_shadow/envoy/extensions/tracers/xray/v4alpha/BUILD delete mode 100644 generated_api_shadow/envoy/extensions/tracers/xray/v4alpha/xray.proto delete mode 100644 generated_api_shadow/envoy/extensions/tracers/zipkin/v4alpha/BUILD delete mode 100644 generated_api_shadow/envoy/extensions/tracers/zipkin/v4alpha/zipkin.proto delete mode 100644 generated_api_shadow/envoy/extensions/transport_sockets/quic/v4alpha/BUILD delete mode 100644 generated_api_shadow/envoy/extensions/transport_sockets/quic/v4alpha/quic_transport.proto delete mode 100644 generated_api_shadow/envoy/extensions/transport_sockets/starttls/v4alpha/BUILD delete mode 100644 generated_api_shadow/envoy/extensions/transport_sockets/starttls/v4alpha/starttls.proto delete mode 100644 generated_api_shadow/envoy/extensions/transport_sockets/tap/v4alpha/BUILD delete mode 100644 generated_api_shadow/envoy/extensions/transport_sockets/tap/v4alpha/tap.proto delete mode 100644 generated_api_shadow/envoy/extensions/transport_sockets/tls/v4alpha/BUILD delete mode 100644 generated_api_shadow/envoy/extensions/transport_sockets/tls/v4alpha/common.proto delete mode 100644 generated_api_shadow/envoy/extensions/transport_sockets/tls/v4alpha/secret.proto delete mode 100644 generated_api_shadow/envoy/extensions/transport_sockets/tls/v4alpha/tls.proto delete mode 100644 generated_api_shadow/envoy/extensions/transport_sockets/tls/v4alpha/tls_spiffe_validator_config.proto delete mode 100644 generated_api_shadow/envoy/extensions/upstreams/http/v4alpha/BUILD delete mode 100644 generated_api_shadow/envoy/extensions/upstreams/http/v4alpha/http_protocol_options.proto delete mode 100644 generated_api_shadow/envoy/service/accesslog/v4alpha/BUILD delete mode 100644 generated_api_shadow/envoy/service/accesslog/v4alpha/als.proto delete mode 100644 generated_api_shadow/envoy/service/auth/v4alpha/BUILD delete mode 100644 
generated_api_shadow/envoy/service/auth/v4alpha/attribute_context.proto delete mode 100644 generated_api_shadow/envoy/service/auth/v4alpha/external_auth.proto delete mode 100644 generated_api_shadow/envoy/service/discovery/v4alpha/BUILD delete mode 100644 generated_api_shadow/envoy/service/discovery/v4alpha/ads.proto delete mode 100644 generated_api_shadow/envoy/service/discovery/v4alpha/discovery.proto delete mode 100644 generated_api_shadow/envoy/service/event_reporting/v4alpha/BUILD delete mode 100644 generated_api_shadow/envoy/service/event_reporting/v4alpha/event_reporting_service.proto delete mode 100644 generated_api_shadow/envoy/service/health/v4alpha/BUILD delete mode 100644 generated_api_shadow/envoy/service/health/v4alpha/hds.proto delete mode 100644 generated_api_shadow/envoy/service/load_stats/v4alpha/BUILD delete mode 100644 generated_api_shadow/envoy/service/load_stats/v4alpha/lrs.proto delete mode 100644 generated_api_shadow/envoy/service/metrics/v4alpha/BUILD delete mode 100644 generated_api_shadow/envoy/service/metrics/v4alpha/metrics_service.proto delete mode 100644 generated_api_shadow/envoy/service/status/v4alpha/BUILD delete mode 100644 generated_api_shadow/envoy/service/status/v4alpha/csds.proto delete mode 100644 generated_api_shadow/envoy/service/tap/v4alpha/BUILD delete mode 100644 generated_api_shadow/envoy/service/tap/v4alpha/tap.proto delete mode 100644 generated_api_shadow/envoy/service/trace/v4alpha/BUILD delete mode 100644 generated_api_shadow/envoy/service/trace/v4alpha/trace_service.proto delete mode 100644 generated_api_shadow/envoy/type/matcher/v4alpha/BUILD delete mode 100644 generated_api_shadow/envoy/type/matcher/v4alpha/http_inputs.proto delete mode 100644 generated_api_shadow/envoy/type/matcher/v4alpha/metadata.proto delete mode 100644 generated_api_shadow/envoy/type/matcher/v4alpha/node.proto delete mode 100644 generated_api_shadow/envoy/type/matcher/v4alpha/number.proto delete mode 100644 
generated_api_shadow/envoy/type/matcher/v4alpha/path.proto delete mode 100644 generated_api_shadow/envoy/type/matcher/v4alpha/regex.proto delete mode 100644 generated_api_shadow/envoy/type/matcher/v4alpha/string.proto delete mode 100644 generated_api_shadow/envoy/type/matcher/v4alpha/struct.proto delete mode 100644 generated_api_shadow/envoy/type/matcher/v4alpha/value.proto
diff --git a/.gitattributes b/.gitattributes
index 895c1eeb76ad..aefb99531aad 100644
--- a/.gitattributes
+++ b/.gitattributes
@@ -1,5 +1,4 @@
 /docs/root/version_history/current.rst merge=union
-/api/envoy/**/v4alpha/* linguist-generated=true
 /generated_api_shadow/envoy/** linguist-generated=true
 /generated_api_shadow/bazel/** linguist-generated=true
 *.svg binary
diff --git a/api/contrib/envoy/extensions/filters/network/rocketmq_proxy/v4alpha/BUILD b/api/contrib/envoy/extensions/filters/network/rocketmq_proxy/v4alpha/BUILD deleted file mode 100644 index 06009f5f397f..000000000000 --- a/api/contrib/envoy/extensions/filters/network/rocketmq_proxy/v4alpha/BUILD +++ /dev/null @@ -1,15 +0,0 @@ -# DO NOT EDIT. This file is generated by tools/proto_format/proto_sync.py. - -load("@envoy_api//bazel:api_build_system.bzl", "api_proto_package") - -licenses(["notice"]) # Apache 2 - -api_proto_package( - deps = [ - "//envoy/config/core/v4alpha:pkg", - "//envoy/config/route/v4alpha:pkg", - "//envoy/extensions/filters/network/rocketmq_proxy/v3:pkg", - "//envoy/type/matcher/v4alpha:pkg", - "@com_github_cncf_udpa//udpa/annotations:pkg", - ], -) diff --git a/api/contrib/envoy/extensions/filters/network/rocketmq_proxy/v4alpha/rocketmq_proxy.proto b/api/contrib/envoy/extensions/filters/network/rocketmq_proxy/v4alpha/rocketmq_proxy.proto deleted file mode 100644 index 45a71da2f8dd..000000000000 --- a/api/contrib/envoy/extensions/filters/network/rocketmq_proxy/v4alpha/rocketmq_proxy.proto +++ /dev/null
@@ -1,38 +0,0 @@ -syntax = "proto3"; - -package envoy.extensions.filters.network.rocketmq_proxy.v4alpha; - -import "envoy/extensions/filters/network/rocketmq_proxy/v4alpha/route.proto"; - -import "google/protobuf/duration.proto"; - -import "udpa/annotations/status.proto"; -import "udpa/annotations/versioning.proto"; -import "validate/validate.proto"; - -option java_package = "io.envoyproxy.envoy.extensions.filters.network.rocketmq_proxy.v4alpha"; -option java_outer_classname = "RocketmqProxyProto"; -option java_multiple_files = true; -option (udpa.annotations.file_status).package_version_status = NEXT_MAJOR_VERSION_CANDIDATE; - -// [#protodoc-title: RocketMQ Proxy] -// RocketMQ Proxy :ref:`configuration overview `. -// [#extension: envoy.filters.network.rocketmq_proxy] - -message RocketmqProxy { - option (udpa.annotations.versioning).previous_message_type = - "envoy.extensions.filters.network.rocketmq_proxy.v3.RocketmqProxy"; - - // The human readable prefix to use when emitting statistics. - string stat_prefix = 1 [(validate.rules).string = {min_len: 1}]; - - // The route table for the connection manager is specified in this property. - RouteConfiguration route_config = 2; - - // The largest duration transient object expected to live, more than 10s is recommended. - google.protobuf.Duration transient_object_life_span = 3; - - // If develop_mode is enabled, this proxy plugin may work without dedicated traffic intercepting - // facility without considering backward compatibility of exiting RocketMQ client SDK. - bool develop_mode = 4; -} diff --git a/api/contrib/envoy/extensions/filters/network/rocketmq_proxy/v4alpha/route.proto b/api/contrib/envoy/extensions/filters/network/rocketmq_proxy/v4alpha/route.proto deleted file mode 100644 index 0925afef833d..000000000000 --- a/api/contrib/envoy/extensions/filters/network/rocketmq_proxy/v4alpha/route.proto +++ /dev/null 
@@ -1,67 +0,0 @@ -syntax = "proto3"; - -package envoy.extensions.filters.network.rocketmq_proxy.v4alpha; - -import "envoy/config/core/v4alpha/base.proto"; -import "envoy/config/route/v4alpha/route_components.proto"; -import "envoy/type/matcher/v4alpha/string.proto"; - -import "udpa/annotations/status.proto"; -import "udpa/annotations/versioning.proto"; -import "validate/validate.proto"; - -option java_package = "io.envoyproxy.envoy.extensions.filters.network.rocketmq_proxy.v4alpha"; -option java_outer_classname = "RouteProto"; -option java_multiple_files = true; -option (udpa.annotations.file_status).package_version_status = NEXT_MAJOR_VERSION_CANDIDATE; - -// [#protodoc-title: Rocketmq Proxy Route Configuration] -// Rocketmq Proxy :ref:`configuration overview `. - -message RouteConfiguration { - option (udpa.annotations.versioning).previous_message_type = - "envoy.extensions.filters.network.rocketmq_proxy.v3.RouteConfiguration"; - - // The name of the route configuration. - string name = 1; - - // The list of routes that will be matched, in order, against incoming requests. The first route - // that matches will be used. - repeated Route routes = 2; -} - -message Route { - option (udpa.annotations.versioning).previous_message_type = - "envoy.extensions.filters.network.rocketmq_proxy.v3.Route"; - - // Route matching parameters. - RouteMatch match = 1 [(validate.rules).message = {required: true}]; - - // Route request to some upstream cluster. - RouteAction route = 2 [(validate.rules).message = {required: true}]; -} - -message RouteMatch { - option (udpa.annotations.versioning).previous_message_type = - "envoy.extensions.filters.network.rocketmq_proxy.v3.RouteMatch"; - - // The name of the topic. - type.matcher.v4alpha.StringMatcher topic = 1 [(validate.rules).message = {required: true}]; - - // Specifies a set of headers that the route should match on. The router will check the request’s - // headers against all the specified headers in the route config. 
A match will happen if all the - // headers in the route are present in the request with the same values (or based on presence if - // the value field is not in the config). - repeated config.route.v4alpha.HeaderMatcher headers = 2; -} - -message RouteAction { - option (udpa.annotations.versioning).previous_message_type = - "envoy.extensions.filters.network.rocketmq_proxy.v3.RouteAction"; - - // Indicates the upstream cluster to which the request should be routed. - string cluster = 1 [(validate.rules).string = {min_len: 1}]; - - // Optional endpoint metadata match criteria used by the subset load balancer. - config.core.v4alpha.Metadata metadata_match = 2; -} diff --git a/api/envoy/admin/v4alpha/BUILD b/api/envoy/admin/v4alpha/BUILD deleted file mode 100644 index 74de2ca2a3d5..000000000000 --- a/api/envoy/admin/v4alpha/BUILD +++ /dev/null @@ -1,17 +0,0 @@ -# DO NOT EDIT. This file is generated by tools/proto_format/proto_sync.py. - -load("@envoy_api//bazel:api_build_system.bzl", "api_proto_package") - -licenses(["notice"]) # Apache 2 - -api_proto_package( - deps = [ - "//envoy/admin/v3:pkg", - "//envoy/config/bootstrap/v4alpha:pkg", - "//envoy/config/cluster/v4alpha:pkg", - "//envoy/config/core/v4alpha:pkg", - "//envoy/config/tap/v4alpha:pkg", - "//envoy/type/v3:pkg", - "@com_github_cncf_udpa//udpa/annotations:pkg", - ], -) diff --git a/api/envoy/admin/v4alpha/certs.proto b/api/envoy/admin/v4alpha/certs.proto deleted file mode 100644 index 0dd868f71fa6..000000000000 --- a/api/envoy/admin/v4alpha/certs.proto +++ /dev/null 
@@ -1,86 +0,0 @@ -syntax = "proto3"; - -package envoy.admin.v4alpha; - -import "google/protobuf/timestamp.proto"; - -import "udpa/annotations/status.proto"; -import "udpa/annotations/versioning.proto"; - -option java_package = "io.envoyproxy.envoy.admin.v4alpha"; -option java_outer_classname = "CertsProto"; -option java_multiple_files = true; -option (udpa.annotations.file_status).package_version_status = NEXT_MAJOR_VERSION_CANDIDATE; - -// [#protodoc-title: Certificates] - -// Proto representation of certificate details. Admin endpoint uses this wrapper for `/certs` to -// display certificate information. See :ref:`/certs ` for more -// information. -message Certificates { - option (udpa.annotations.versioning).previous_message_type = "envoy.admin.v3.Certificates"; - - // List of certificates known to an Envoy. - repeated Certificate certificates = 1; -} - -message Certificate { - option (udpa.annotations.versioning).previous_message_type = "envoy.admin.v3.Certificate"; - - // Details of CA certificate. - repeated CertificateDetails ca_cert = 1; - - // Details of Certificate Chain - repeated CertificateDetails cert_chain = 2; -} - -// [#next-free-field: 8] -message CertificateDetails { - option (udpa.annotations.versioning).previous_message_type = "envoy.admin.v3.CertificateDetails"; - - message OcspDetails { - option (udpa.annotations.versioning).previous_message_type = - "envoy.admin.v3.CertificateDetails.OcspDetails"; - - // Indicates the time from which the OCSP response is valid. - google.protobuf.Timestamp valid_from = 1; - - // Indicates the time at which the OCSP response expires. - google.protobuf.Timestamp expiration = 2; - } - - // Path of the certificate. - string path = 1; - - // Certificate Serial Number. - string serial_number = 2; - - // List of Subject Alternate names. - repeated SubjectAlternateName subject_alt_names = 3; - - // Minimum of days until expiration of certificate and it's chain. 
- uint64 days_until_expiration = 4; - - // Indicates the time from which the certificate is valid. - google.protobuf.Timestamp valid_from = 5; - - // Indicates the time at which the certificate expires. - google.protobuf.Timestamp expiration_time = 6; - - // Details related to the OCSP response associated with this certificate, if any. - OcspDetails ocsp_details = 7; -} - -message SubjectAlternateName { - option (udpa.annotations.versioning).previous_message_type = - "envoy.admin.v3.SubjectAlternateName"; - - // Subject Alternate Name. - oneof name { - string dns = 1; - - string uri = 2; - - string ip_address = 3; - } -} diff --git a/api/envoy/admin/v4alpha/clusters.proto b/api/envoy/admin/v4alpha/clusters.proto deleted file mode 100644 index 12969a28d008..000000000000 --- a/api/envoy/admin/v4alpha/clusters.proto +++ /dev/null 
@@ -1,176 +0,0 @@
-syntax = "proto3";
-
-package envoy.admin.v4alpha;
-
-import "envoy/admin/v4alpha/metrics.proto";
-import "envoy/config/cluster/v4alpha/circuit_breaker.proto";
-import "envoy/config/core/v4alpha/address.proto";
-import "envoy/config/core/v4alpha/base.proto";
-import "envoy/config/core/v4alpha/health_check.proto";
-import "envoy/type/v3/percent.proto";
-
-import "udpa/annotations/status.proto";
-import "udpa/annotations/versioning.proto";
-
-option java_package = "io.envoyproxy.envoy.admin.v4alpha";
-option java_outer_classname = "ClustersProto";
-option java_multiple_files = true;
-option (udpa.annotations.file_status).package_version_status = NEXT_MAJOR_VERSION_CANDIDATE;
-
-// [#protodoc-title: Clusters]
-
-// Admin endpoint uses this wrapper for `/clusters` to display cluster status information.
-// See :ref:`/clusters ` for more information.
-message Clusters {
- option (udpa.annotations.versioning).previous_message_type = "envoy.admin.v3.Clusters";
-
- // Mapping from cluster name to each cluster's status.
- repeated ClusterStatus cluster_statuses = 1;
-}
-
-// Details an individual cluster's current status.
-// [#next-free-field: 8]
-message ClusterStatus {
- option (udpa.annotations.versioning).previous_message_type = "envoy.admin.v3.ClusterStatus";
-
- // Name of the cluster.
- string name = 1;
-
- // Denotes whether this cluster was added via API or configured statically.
- bool added_via_api = 2;
-
- // The success rate threshold used in the last interval.
- // If
- // :ref:`outlier_detection.split_external_local_origin_errors`
- // is *false*, all errors: externally and locally generated were used to calculate the threshold.
- // If
- // :ref:`outlier_detection.split_external_local_origin_errors`
- // is *true*, only externally generated errors were used to calculate the threshold.
- // The threshold is used to eject hosts based on their success rate. See
- // :ref:`Cluster outlier detection ` documentation for details.
- //
- // Note: this field may be omitted in any of the three following cases:
- //
- // 1. There were not enough hosts with enough request volume to proceed with success rate based
- // outlier ejection.
- // 2. The threshold is computed to be < 0 because a negative value implies that there was no
- // threshold for that interval.
- // 3. Outlier detection is not enabled for this cluster.
- type.v3.Percent success_rate_ejection_threshold = 3;
-
- // Mapping from host address to the host's current status.
- repeated HostStatus host_statuses = 4;
-
- // The success rate threshold used in the last interval when only locally originated failures were
- // taken into account and externally originated errors were treated as success.
- // This field should be interpreted only when
- // :ref:`outlier_detection.split_external_local_origin_errors`
- // is *true*. The threshold is used to eject hosts based on their success rate.
- // See :ref:`Cluster outlier detection ` documentation for
- // details.
- //
- // Note: this field may be omitted in any of the three following cases:
- //
- // 1. There were not enough hosts with enough request volume to proceed with success rate based
- // outlier ejection.
- // 2. The threshold is computed to be < 0 because a negative value implies that there was no
- // threshold for that interval.
- // 3. Outlier detection is not enabled for this cluster.
- type.v3.Percent local_origin_success_rate_ejection_threshold = 5;
-
- // :ref:`Circuit breaking ` settings of the cluster.
- config.cluster.v4alpha.CircuitBreakers circuit_breakers = 6;
-
- // Observability name of the cluster.
- string observability_name = 7;
-}
-
-// Current state of a particular host.
-// [#next-free-field: 10]
-message HostStatus {
- option (udpa.annotations.versioning).previous_message_type = "envoy.admin.v3.HostStatus";
-
- // Address of this host.
- config.core.v4alpha.Address address = 1;
-
- // List of stats specific to this host.
- repeated SimpleMetric stats = 2;
-
- // The host's current health status.
- HostHealthStatus health_status = 3;
-
- // Request success rate for this host over the last calculated interval.
- // If
- // :ref:`outlier_detection.split_external_local_origin_errors`
- // is *false*, all errors: externally and locally generated were used in success rate
- // calculation. If
- // :ref:`outlier_detection.split_external_local_origin_errors`
- // is *true*, only externally generated errors were used in success rate calculation.
- // See :ref:`Cluster outlier detection ` documentation for
- // details.
- //
- // Note: the message will not be present if host did not have enough request volume to calculate
- // success rate or the cluster did not have enough hosts to run through success rate outlier
- // ejection.
- type.v3.Percent success_rate = 4;
-
- // The host's weight. If not configured, the value defaults to 1.
- uint32 weight = 5;
-
- // The hostname of the host, if applicable.
- string hostname = 6;
-
- // The host's priority. If not configured, the value defaults to 0 (highest priority).
- uint32 priority = 7;
-
- // Request success rate for this host over the last calculated
- // interval when only locally originated errors are taken into account and externally originated
- // errors were treated as success.
- // This field should be interpreted only when
- // :ref:`outlier_detection.split_external_local_origin_errors`
- // is *true*.
- // See :ref:`Cluster outlier detection ` documentation for
- // details.
- //
- // Note: the message will not be present if host did not have enough request volume to calculate
- // success rate or the cluster did not have enough hosts to run through success rate outlier
- // ejection.
- type.v3.Percent local_origin_success_rate = 8;
-
- // locality of the host.
- config.core.v4alpha.Locality locality = 9;
-}
-
-// Health status for a host.
-// [#next-free-field: 9]
-message HostHealthStatus {
- option (udpa.annotations.versioning).previous_message_type = "envoy.admin.v3.HostHealthStatus";
-
- // The host is currently failing active health checks.
- bool failed_active_health_check = 1;
-
- // The host is currently considered an outlier and has been ejected.
- bool failed_outlier_check = 2;
-
- // The host is currently being marked as degraded through active health checking.
- bool failed_active_degraded_check = 4;
-
- // The host has been removed from service discovery, but is being stabilized due to active
- // health checking.
- bool pending_dynamic_removal = 5;
-
- // The host has not yet been health checked.
- bool pending_active_hc = 6;
-
- // The host should be excluded from panic, spillover, etc. calculations because it was explicitly
- // taken out of rotation via protocol signal and is not meant to be routed to.
- bool excluded_via_immediate_hc_fail = 7;
-
- // The host failed active HC due to timeout.
- bool active_hc_timeout = 8;
-
- // Health status as reported by EDS. Note: only HEALTHY and UNHEALTHY are currently supported
- // here.
- // [#comment:TODO(mrice32): pipe through remaining EDS health status possibilities.]
- config.core.v4alpha.HealthStatus eds_health_status = 3;
-}
diff --git a/api/envoy/admin/v4alpha/config_dump.proto b/api/envoy/admin/v4alpha/config_dump.proto
deleted file mode 100644
index 2e36bc16f9b6..000000000000
--- a/api/envoy/admin/v4alpha/config_dump.proto
+++ /dev/null
@@ -1,484 +0,0 @@
-syntax = "proto3";
-
-package envoy.admin.v4alpha;
-
-import "envoy/config/bootstrap/v4alpha/bootstrap.proto";
-
-import "google/protobuf/any.proto";
-import "google/protobuf/timestamp.proto";
-
-import "udpa/annotations/status.proto";
-import "udpa/annotations/versioning.proto";
-
-option java_package = "io.envoyproxy.envoy.admin.v4alpha";
-option java_outer_classname = "ConfigDumpProto";
-option java_multiple_files = true;
-option (udpa.annotations.file_status).package_version_status = NEXT_MAJOR_VERSION_CANDIDATE;
-
-// [#protodoc-title: ConfigDump]
-
-// Resource status from the view of a xDS client, which tells the synchronization
-// status between the xDS client and the xDS server.
-enum ClientResourceStatus {
- // Resource status is not available/unknown.
- UNKNOWN = 0;
-
- // Client requested this resource but hasn't received any update from management
- // server. The client will not fail requests, but will queue them until update
- // arrives or the client times out waiting for the resource.
- REQUESTED = 1;
-
- // This resource has been requested by the client but has either not been
- // delivered by the server or was previously delivered by the server and then
- // subsequently removed from resources provided by the server. For more
- // information, please refer to the :ref:`"Knowing When a Requested Resource
- // Does Not Exist" ` section.
- DOES_NOT_EXIST = 2;
-
- // Client received this resource and replied with ACK.
- ACKED = 3;
-
- // Client received this resource and replied with NACK.
- NACKED = 4;
-}
-
-// The :ref:`/config_dump ` admin endpoint uses this wrapper
-// message to maintain and serve arbitrary configuration information from any component in Envoy.
-message ConfigDump {
- option (udpa.annotations.versioning).previous_message_type = "envoy.admin.v3.ConfigDump";
-
- // This list is serialized and dumped in its entirety at the
- // :ref:`/config_dump ` endpoint.
- //
- // The following configurations are currently supported and will be dumped in the order given
- // below:
- //
- // * *bootstrap*: :ref:`BootstrapConfigDump `
- // * *clusters*: :ref:`ClustersConfigDump `
- // * *endpoints*: :ref:`EndpointsConfigDump `
- // * *listeners*: :ref:`ListenersConfigDump `
- // * *scoped_routes*: :ref:`ScopedRoutesConfigDump `
- // * *routes*: :ref:`RoutesConfigDump `
- // * *secrets*: :ref:`SecretsConfigDump `
- //
- // EDS Configuration will only be dumped by using parameter `?include_eds`
- //
- // You can filter output with the resource and mask query parameters.
- // See :ref:`/config_dump?resource={} `,
- // :ref:`/config_dump?mask={} `,
- // or :ref:`/config_dump?resource={},mask={}
- // ` for more information.
- repeated google.protobuf.Any configs = 1;
-}
-
-message UpdateFailureState {
- option (udpa.annotations.versioning).previous_message_type = "envoy.admin.v3.UpdateFailureState";
-
- // What the component configuration would have been if the update had succeeded.
- // This field may not be populated by xDS clients due to storage overhead.
- google.protobuf.Any failed_configuration = 1;
-
- // Time of the latest failed update attempt.
- google.protobuf.Timestamp last_update_attempt = 2;
-
- // Details about the last failed update attempt.
- string details = 3;
-
- // This is the version of the rejected resource.
- // [#not-implemented-hide:]
- string version_info = 4;
-}
-
-// This message describes the bootstrap configuration that Envoy was started with. This includes
-// any CLI overrides that were merged. Bootstrap configuration information can be used to recreate
-// the static portions of an Envoy configuration by reusing the output as the bootstrap
-// configuration for another Envoy.
-message BootstrapConfigDump {
- option (udpa.annotations.versioning).previous_message_type = "envoy.admin.v3.BootstrapConfigDump";
-
- config.bootstrap.v4alpha.Bootstrap bootstrap = 1;
-
- // The timestamp when the BootstrapConfig was last updated.
- google.protobuf.Timestamp last_updated = 2;
-}
-
-// Envoy's listener manager fills this message with all currently known listeners. Listener
-// configuration information can be used to recreate an Envoy configuration by populating all
-// listeners as static listeners or by returning them in a LDS response.
-message ListenersConfigDump {
- option (udpa.annotations.versioning).previous_message_type = "envoy.admin.v3.ListenersConfigDump";
-
- // Describes a statically loaded listener.
- message StaticListener {
- option (udpa.annotations.versioning).previous_message_type =
- "envoy.admin.v3.ListenersConfigDump.StaticListener";
-
- // The listener config.
- google.protobuf.Any listener = 1;
-
- // The timestamp when the Listener was last successfully updated.
- google.protobuf.Timestamp last_updated = 2;
- }
-
- message DynamicListenerState {
- option (udpa.annotations.versioning).previous_message_type =
- "envoy.admin.v3.ListenersConfigDump.DynamicListenerState";
-
- // This is the per-resource version information. This version is currently taken from the
- // :ref:`version_info ` field at the time
- // that the listener was loaded. In the future, discrete per-listener versions may be supported
- // by the API.
- string version_info = 1;
-
- // The listener config.
- google.protobuf.Any listener = 2;
-
- // The timestamp when the Listener was last successfully updated.
- google.protobuf.Timestamp last_updated = 3;
- }
-
- // Describes a dynamically loaded listener via the LDS API.
- // [#next-free-field: 7]
- message DynamicListener {
- option (udpa.annotations.versioning).previous_message_type =
- "envoy.admin.v3.ListenersConfigDump.DynamicListener";
-
- // The name or unique id of this listener, pulled from the DynamicListenerState config.
- string name = 1;
-
- // The listener state for any active listener by this name.
- // These are listeners that are available to service data plane traffic.
- DynamicListenerState active_state = 2;
-
- // The listener state for any warming listener by this name.
- // These are listeners that are currently undergoing warming in preparation to service data
- // plane traffic. Note that if attempting to recreate an Envoy configuration from a
- // configuration dump, the warming listeners should generally be discarded.
- DynamicListenerState warming_state = 3;
-
- // The listener state for any draining listener by this name.
- // These are listeners that are currently undergoing draining in preparation to stop servicing
- // data plane traffic. Note that if attempting to recreate an Envoy configuration from a
- // configuration dump, the draining listeners should generally be discarded.
- DynamicListenerState draining_state = 4;
-
- // Set if the last update failed, cleared after the next successful update.
- // The *error_state* field contains the rejected version of this particular
- // resource along with the reason and timestamp. For successfully updated or
- // acknowledged resource, this field should be empty.
- UpdateFailureState error_state = 5;
-
- // The client status of this resource.
- // [#not-implemented-hide:]
- ClientResourceStatus client_status = 6;
- }
-
- // This is the :ref:`version_info ` in the
- // last processed LDS discovery response. If there are only static bootstrap listeners, this field
- // will be "".
- string version_info = 1;
-
- // The statically loaded listener configs.
- repeated StaticListener static_listeners = 2;
-
- // State for any warming, active, or draining listeners.
- repeated DynamicListener dynamic_listeners = 3;
-}
-
-// Envoy's cluster manager fills this message with all currently known clusters. Cluster
-// configuration information can be used to recreate an Envoy configuration by populating all
-// clusters as static clusters or by returning them in a CDS response.
-message ClustersConfigDump {
- option (udpa.annotations.versioning).previous_message_type = "envoy.admin.v3.ClustersConfigDump";
-
- // Describes a statically loaded cluster.
- message StaticCluster {
- option (udpa.annotations.versioning).previous_message_type =
- "envoy.admin.v3.ClustersConfigDump.StaticCluster";
-
- // The cluster config.
- google.protobuf.Any cluster = 1;
-
- // The timestamp when the Cluster was last updated.
- google.protobuf.Timestamp last_updated = 2;
- }
-
- // Describes a dynamically loaded cluster via the CDS API.
- // [#next-free-field: 6]
- message DynamicCluster {
- option (udpa.annotations.versioning).previous_message_type =
- "envoy.admin.v3.ClustersConfigDump.DynamicCluster";
-
- // This is the per-resource version information. This version is currently taken from the
- // :ref:`version_info ` field at the time
- // that the cluster was loaded. In the future, discrete per-cluster versions may be supported by
- // the API.
- string version_info = 1;
-
- // The cluster config.
- google.protobuf.Any cluster = 2;
-
- // The timestamp when the Cluster was last updated.
- google.protobuf.Timestamp last_updated = 3;
-
- // Set if the last update failed, cleared after the next successful update.
- // The *error_state* field contains the rejected version of this particular
- // resource along with the reason and timestamp. For successfully updated or
- // acknowledged resource, this field should be empty.
- // [#not-implemented-hide:]
- UpdateFailureState error_state = 4;
-
- // The client status of this resource.
- // [#not-implemented-hide:]
- ClientResourceStatus client_status = 5;
- }
-
- // This is the :ref:`version_info ` in the
- // last processed CDS discovery response. If there are only static bootstrap clusters, this field
- // will be "".
- string version_info = 1;
-
- // The statically loaded cluster configs.
- repeated StaticCluster static_clusters = 2;
-
- // The dynamically loaded active clusters. These are clusters that are available to service
- // data plane traffic.
- repeated DynamicCluster dynamic_active_clusters = 3;
-
- // The dynamically loaded warming clusters. These are clusters that are currently undergoing
- // warming in preparation to service data plane traffic. Note that if attempting to recreate an
- // Envoy configuration from a configuration dump, the warming clusters should generally be
- // discarded.
- repeated DynamicCluster dynamic_warming_clusters = 4;
-}
-
-// Envoy's RDS implementation fills this message with all currently loaded routes, as described by
-// their RouteConfiguration objects. Static routes that are either defined in the bootstrap configuration
-// or defined inline while configuring listeners are separated from those configured dynamically via RDS.
-// Route configuration information can be used to recreate an Envoy configuration by populating all routes
-// as static routes or by returning them in RDS responses.
-message RoutesConfigDump {
- option (udpa.annotations.versioning).previous_message_type = "envoy.admin.v3.RoutesConfigDump";
-
- message StaticRouteConfig {
- option (udpa.annotations.versioning).previous_message_type =
- "envoy.admin.v3.RoutesConfigDump.StaticRouteConfig";
-
- // The route config.
- google.protobuf.Any route_config = 1;
-
- // The timestamp when the Route was last updated.
- google.protobuf.Timestamp last_updated = 2;
- }
-
- // [#next-free-field: 6]
- message DynamicRouteConfig {
- option (udpa.annotations.versioning).previous_message_type =
- "envoy.admin.v3.RoutesConfigDump.DynamicRouteConfig";
-
- // This is the per-resource version information. This version is currently taken from the
- // :ref:`version_info ` field at the time that
- // the route configuration was loaded.
- string version_info = 1;
-
- // The route config.
- google.protobuf.Any route_config = 2;
-
- // The timestamp when the Route was last updated.
- google.protobuf.Timestamp last_updated = 3;
-
- // Set if the last update failed, cleared after the next successful update.
- // The *error_state* field contains the rejected version of this particular
- // resource along with the reason and timestamp. For successfully updated or
- // acknowledged resource, this field should be empty.
- // [#not-implemented-hide:]
- UpdateFailureState error_state = 4;
-
- // The client status of this resource.
- // [#not-implemented-hide:]
- ClientResourceStatus client_status = 5;
- }
-
- // The statically loaded route configs.
- repeated StaticRouteConfig static_route_configs = 2;
-
- // The dynamically loaded route configs.
- repeated DynamicRouteConfig dynamic_route_configs = 3;
-}
-
-// Envoy's scoped RDS implementation fills this message with all currently loaded route
-// configuration scopes (defined via ScopedRouteConfigurationsSet protos). This message lists both
-// the scopes defined inline with the higher order object (i.e., the HttpConnectionManager) and the
-// dynamically obtained scopes via the SRDS API.
-message ScopedRoutesConfigDump {
- option (udpa.annotations.versioning).previous_message_type =
- "envoy.admin.v3.ScopedRoutesConfigDump";
-
- message InlineScopedRouteConfigs {
- option (udpa.annotations.versioning).previous_message_type =
- "envoy.admin.v3.ScopedRoutesConfigDump.InlineScopedRouteConfigs";
-
- // The name assigned to the scoped route configurations.
- string name = 1;
-
- // The scoped route configurations.
- repeated google.protobuf.Any scoped_route_configs = 2;
-
- // The timestamp when the scoped route config set was last updated.
- google.protobuf.Timestamp last_updated = 3;
- }
-
- // [#next-free-field: 7]
- message DynamicScopedRouteConfigs {
- option (udpa.annotations.versioning).previous_message_type =
- "envoy.admin.v3.ScopedRoutesConfigDump.DynamicScopedRouteConfigs";
-
- // The name assigned to the scoped route configurations.
- string name = 1;
-
- // This is the per-resource version information. This version is currently taken from the
- // :ref:`version_info ` field at the time that
- // the scoped routes configuration was loaded.
- string version_info = 2;
-
- // The scoped route configurations.
- repeated google.protobuf.Any scoped_route_configs = 3;
-
- // The timestamp when the scoped route config set was last updated.
- google.protobuf.Timestamp last_updated = 4;
-
- // Set if the last update failed, cleared after the next successful update.
- // The *error_state* field contains the rejected version of this particular
- // resource along with the reason and timestamp. For successfully updated or
- // acknowledged resource, this field should be empty.
- // [#not-implemented-hide:]
- UpdateFailureState error_state = 5;
-
- // The client status of this resource.
- // [#not-implemented-hide:]
- ClientResourceStatus client_status = 6;
- }
-
- // The statically loaded scoped route configs.
- repeated InlineScopedRouteConfigs inline_scoped_route_configs = 1;
-
- // The dynamically loaded scoped route configs.
- repeated DynamicScopedRouteConfigs dynamic_scoped_route_configs = 2;
-}
-
-// Envoys SDS implementation fills this message with all secrets fetched dynamically via SDS.
-message SecretsConfigDump {
- option (udpa.annotations.versioning).previous_message_type = "envoy.admin.v3.SecretsConfigDump";
-
- // DynamicSecret contains secret information fetched via SDS.
- // [#next-free-field: 7]
- message DynamicSecret {
- option (udpa.annotations.versioning).previous_message_type =
- "envoy.admin.v3.SecretsConfigDump.DynamicSecret";
-
- // The name assigned to the secret.
- string name = 1;
-
- // This is the per-resource version information.
- string version_info = 2;
-
- // The timestamp when the secret was last updated.
- google.protobuf.Timestamp last_updated = 3;
-
- // The actual secret information.
- // Security sensitive information is redacted (replaced with "[redacted]") for
- // private keys and passwords in TLS certificates.
- google.protobuf.Any secret = 4;
-
- // Set if the last update failed, cleared after the next successful update.
- // The *error_state* field contains the rejected version of this particular
- // resource along with the reason and timestamp. For successfully updated or
- // acknowledged resource, this field should be empty.
- // [#not-implemented-hide:]
- UpdateFailureState error_state = 5;
-
- // The client status of this resource.
- // [#not-implemented-hide:]
- ClientResourceStatus client_status = 6;
- }
-
- // StaticSecret specifies statically loaded secret in bootstrap.
- message StaticSecret {
- option (udpa.annotations.versioning).previous_message_type =
- "envoy.admin.v3.SecretsConfigDump.StaticSecret";
-
- // The name assigned to the secret.
- string name = 1;
-
- // The timestamp when the secret was last updated.
- google.protobuf.Timestamp last_updated = 2;
-
- // The actual secret information.
- // Security sensitive information is redacted (replaced with "[redacted]") for
- // private keys and passwords in TLS certificates.
- google.protobuf.Any secret = 3;
- }
-
- // The statically loaded secrets.
- repeated StaticSecret static_secrets = 1;
-
- // The dynamically loaded active secrets. These are secrets that are available to service
- // clusters or listeners.
- repeated DynamicSecret dynamic_active_secrets = 2;
-
- // The dynamically loaded warming secrets. These are secrets that are currently undergoing
- // warming in preparation to service clusters or listeners.
- repeated DynamicSecret dynamic_warming_secrets = 3;
-}
-
-// Envoy's admin fill this message with all currently known endpoints. Endpoint
-// configuration information can be used to recreate an Envoy configuration by populating all
-// endpoints as static endpoints or by returning them in an EDS response.
-message EndpointsConfigDump {
- option (udpa.annotations.versioning).previous_message_type = "envoy.admin.v3.EndpointsConfigDump";
-
- message StaticEndpointConfig {
- option (udpa.annotations.versioning).previous_message_type =
- "envoy.admin.v3.EndpointsConfigDump.StaticEndpointConfig";
-
- // The endpoint config.
- google.protobuf.Any endpoint_config = 1;
-
- // [#not-implemented-hide:] The timestamp when the Endpoint was last updated.
- google.protobuf.Timestamp last_updated = 2;
- }
-
- // [#next-free-field: 6]
- message DynamicEndpointConfig {
- option (udpa.annotations.versioning).previous_message_type =
- "envoy.admin.v3.EndpointsConfigDump.DynamicEndpointConfig";
-
- // [#not-implemented-hide:] This is the per-resource version information. This version is currently taken from the
- // :ref:`version_info ` field at the time that
- // the endpoint configuration was loaded.
- string version_info = 1;
-
- // The endpoint config.
- google.protobuf.Any endpoint_config = 2;
-
- // [#not-implemented-hide:] The timestamp when the Endpoint was last updated.
- google.protobuf.Timestamp last_updated = 3;
-
- // Set if the last update failed, cleared after the next successful update.
- // The *error_state* field contains the rejected version of this particular
- // resource along with the reason and timestamp. For successfully updated or
- // acknowledged resource, this field should be empty.
- // [#not-implemented-hide:]
- UpdateFailureState error_state = 4;
-
- // The client status of this resource.
- // [#not-implemented-hide:]
- ClientResourceStatus client_status = 5;
- }
-
- // The statically loaded endpoint configs.
- repeated StaticEndpointConfig static_endpoint_configs = 2;
-
- // The dynamically loaded endpoint configs.
- repeated DynamicEndpointConfig dynamic_endpoint_configs = 3;
-}
diff --git a/api/envoy/admin/v4alpha/init_dump.proto b/api/envoy/admin/v4alpha/init_dump.proto
deleted file mode 100644
index 81c423e52024..000000000000
--- a/api/envoy/admin/v4alpha/init_dump.proto
+++ /dev/null
@@ -1,37 +0,0 @@
-syntax = "proto3";
-
-package envoy.admin.v4alpha;
-
-import "udpa/annotations/status.proto";
-import "udpa/annotations/versioning.proto";
-
-option java_package = "io.envoyproxy.envoy.admin.v4alpha";
-option java_outer_classname = "InitDumpProto";
-option java_multiple_files = true;
-option (udpa.annotations.file_status).package_version_status = NEXT_MAJOR_VERSION_CANDIDATE;
-
-// [#protodoc-title: InitDump]
-
-// Dumps of unready targets of envoy init managers. Envoy's admin fills this message with init managers,
-// which provides the information of their unready targets.
-// The :ref:`/init_dump ` will dump all unready targets information.
-message UnreadyTargetsDumps {
- option (udpa.annotations.versioning).previous_message_type = "envoy.admin.v3.UnreadyTargetsDumps";
-
- // Message of unready targets information of an init manager.
- message UnreadyTargetsDump {
- option (udpa.annotations.versioning).previous_message_type =
- "envoy.admin.v3.UnreadyTargetsDumps.UnreadyTargetsDump";
-
- // Name of the init manager. Example: "init_manager_xxx".
- string name = 1;
-
- // Names of unready targets of the init manager. Example: "target_xxx".
- repeated string target_names = 2;
- }
-
- // You can choose specific component to dump unready targets with mask query parameter.
- // See :ref:`/init_dump?mask={} ` for more information.
- // The dumps of unready targets of all init managers.
- repeated UnreadyTargetsDump unready_targets_dumps = 1;
-}
diff --git a/api/envoy/admin/v4alpha/listeners.proto b/api/envoy/admin/v4alpha/listeners.proto
deleted file mode 100644
index 89bdc4c5bbf8..000000000000
--- a/api/envoy/admin/v4alpha/listeners.proto
+++ /dev/null
@@ -1,36 +0,0 @@
-syntax = "proto3";
-
-package envoy.admin.v4alpha;
-
-import "envoy/config/core/v4alpha/address.proto";
-
-import "udpa/annotations/status.proto";
-import "udpa/annotations/versioning.proto";
-
-option java_package = "io.envoyproxy.envoy.admin.v4alpha";
-option java_outer_classname = "ListenersProto";
-option java_multiple_files = true;
-option (udpa.annotations.file_status).package_version_status = NEXT_MAJOR_VERSION_CANDIDATE;
-
-// [#protodoc-title: Listeners]
-
-// Admin endpoint uses this wrapper for `/listeners` to display listener status information.
-// See :ref:`/listeners ` for more information.
-message Listeners {
- option (udpa.annotations.versioning).previous_message_type = "envoy.admin.v3.Listeners";
-
- // List of listener statuses.
- repeated ListenerStatus listener_statuses = 1;
-}
-
-// Details an individual listener's current status.
-message ListenerStatus {
- option (udpa.annotations.versioning).previous_message_type = "envoy.admin.v3.ListenerStatus";
-
- // Name of the listener
- string name = 1;
-
- // The actual local address that the listener is listening on. If a listener was configured
- // to listen on port 0, then this address has the port that was allocated by the OS.
- config.core.v4alpha.Address local_address = 2;
-}
diff --git a/api/envoy/admin/v4alpha/memory.proto b/api/envoy/admin/v4alpha/memory.proto
deleted file mode 100644
index d2f0b57229ce..000000000000
--- a/api/envoy/admin/v4alpha/memory.proto
+++ /dev/null
@@ -1,47 +0,0 @@ -syntax = "proto3"; - -package envoy.admin.v4alpha; - -import "udpa/annotations/status.proto"; -import "udpa/annotations/versioning.proto"; - -option java_package = "io.envoyproxy.envoy.admin.v4alpha"; -option java_outer_classname = "MemoryProto"; -option java_multiple_files = true; -option (udpa.annotations.file_status).package_version_status = NEXT_MAJOR_VERSION_CANDIDATE; - -// [#protodoc-title: Memory] - -// Proto representation of the internal memory consumption of an Envoy instance. These represent -// values extracted from an internal TCMalloc instance. For more information, see the section of the -// docs entitled ["Generic Tcmalloc Status"](https://gperftools.github.io/gperftools/tcmalloc.html). -// [#next-free-field: 7] -message Memory { - option (udpa.annotations.versioning).previous_message_type = "envoy.admin.v3.Memory"; - - // The number of bytes allocated by the heap for Envoy. This is an alias for - // `generic.current_allocated_bytes`. - uint64 allocated = 1; - - // The number of bytes reserved by the heap but not necessarily allocated. This is an alias for - // `generic.heap_size`. - uint64 heap_size = 2; - - // The number of bytes in free, unmapped pages in the page heap. These bytes always count towards - // virtual memory usage, and depending on the OS, typically do not count towards physical memory - // usage. This is an alias for `tcmalloc.pageheap_unmapped_bytes`. - uint64 pageheap_unmapped = 3; - - // The number of bytes in free, mapped pages in the page heap. These bytes always count towards - // virtual memory usage, and unless the underlying memory is swapped out by the OS, they also - // count towards physical memory usage. This is an alias for `tcmalloc.pageheap_free_bytes`. - uint64 pageheap_free = 4; - - // The amount of memory used by the TCMalloc thread caches (for small objects). This is an alias - // for `tcmalloc.current_total_thread_cache_bytes`. 
- uint64 total_thread_cache = 5; - - // The number of bytes of the physical memory usage by the allocator. This is an alias for - // `generic.total_physical_bytes`. - uint64 total_physical_bytes = 6; -} diff --git a/api/envoy/admin/v4alpha/metrics.proto b/api/envoy/admin/v4alpha/metrics.proto deleted file mode 100644 index 78613320038b..000000000000 --- a/api/envoy/admin/v4alpha/metrics.proto +++ /dev/null @@ -1,32 +0,0 @@ -syntax = "proto3"; - -package envoy.admin.v4alpha; - -import "udpa/annotations/status.proto"; -import "udpa/annotations/versioning.proto"; - -option java_package = "io.envoyproxy.envoy.admin.v4alpha"; -option java_outer_classname = "MetricsProto"; -option java_multiple_files = true; -option (udpa.annotations.file_status).package_version_status = NEXT_MAJOR_VERSION_CANDIDATE; - -// [#protodoc-title: Metrics] - -// Proto representation of an Envoy Counter or Gauge value. -message SimpleMetric { - option (udpa.annotations.versioning).previous_message_type = "envoy.admin.v3.SimpleMetric"; - - enum Type { - COUNTER = 0; - GAUGE = 1; - } - - // Type of the metric represented. - Type type = 1; - - // Current metric value. - uint64 value = 2; - - // Name of the metric. - string name = 3; -} diff --git a/api/envoy/admin/v4alpha/mutex_stats.proto b/api/envoy/admin/v4alpha/mutex_stats.proto deleted file mode 100644 index 6f9fcd548cc0..000000000000 --- a/api/envoy/admin/v4alpha/mutex_stats.proto +++ /dev/null 
@@ -1,33 +0,0 @@ -syntax = "proto3"; - -package envoy.admin.v4alpha; - -import "udpa/annotations/status.proto"; -import "udpa/annotations/versioning.proto"; - -option java_package = "io.envoyproxy.envoy.admin.v4alpha"; -option java_outer_classname = "MutexStatsProto"; -option java_multiple_files = true; -option (udpa.annotations.file_status).package_version_status = NEXT_MAJOR_VERSION_CANDIDATE; - -// [#protodoc-title: MutexStats] - -// Proto representation of the statistics collected upon absl::Mutex contention, if Envoy is run -// under :option:`--enable-mutex-tracing`. For more information, see the `absl::Mutex` -// [docs](https://abseil.io/about/design/mutex#extra-features). -// -// *NB*: The wait cycles below are measured by `absl::base_internal::CycleClock`, and may not -// correspond to core clock frequency. For more information, see the `CycleClock` -// [docs](https://github.com/abseil/abseil-cpp/blob/master/absl/base/internal/cycleclock.h). -message MutexStats { - option (udpa.annotations.versioning).previous_message_type = "envoy.admin.v3.MutexStats"; - - // The number of individual mutex contentions which have occurred since startup. - uint64 num_contentions = 1; - - // The length of the current contention wait cycle. - uint64 current_wait_cycles = 2; - - // The lifetime total of all contention wait cycles. - uint64 lifetime_wait_cycles = 3; -} diff --git a/api/envoy/admin/v4alpha/server_info.proto b/api/envoy/admin/v4alpha/server_info.proto deleted file mode 100644 index 122aed413441..000000000000 --- a/api/envoy/admin/v4alpha/server_info.proto +++ /dev/null 
@@ -1,191 +0,0 @@ -syntax = "proto3"; - -package envoy.admin.v4alpha; - -import "envoy/config/core/v4alpha/base.proto"; - -import "google/protobuf/duration.proto"; - -import "udpa/annotations/status.proto"; -import "udpa/annotations/versioning.proto"; - -option java_package = "io.envoyproxy.envoy.admin.v4alpha"; -option java_outer_classname = "ServerInfoProto"; -option java_multiple_files = true; -option (udpa.annotations.file_status).package_version_status = NEXT_MAJOR_VERSION_CANDIDATE; - -// [#protodoc-title: Server State] - -// Proto representation of the value returned by /server_info, containing -// server version/server status information. -// [#next-free-field: 8] -message ServerInfo { - option (udpa.annotations.versioning).previous_message_type = "envoy.admin.v3.ServerInfo"; - - enum State { - // Server is live and serving traffic. - LIVE = 0; - - // Server is draining listeners in response to external health checks failing. - DRAINING = 1; - - // Server has not yet completed cluster manager initialization. - PRE_INITIALIZING = 2; - - // Server is running the cluster manager initialization callbacks (e.g., RDS). - INITIALIZING = 3; - } - - // Server version. - string version = 1; - - // State of the server. - State state = 2; - - // Uptime since current epoch was started. - google.protobuf.Duration uptime_current_epoch = 3; - - // Uptime since the start of the first epoch. - google.protobuf.Duration uptime_all_epochs = 4; - - // Hot restart version. - string hot_restart_version = 5; - - // Command line options the server is currently running with. - CommandLineOptions command_line_options = 6; - - // Populated node identity of this server. - config.core.v4alpha.Node node = 7; -} - -// [#next-free-field: 38] -message CommandLineOptions { - option (udpa.annotations.versioning).previous_message_type = "envoy.admin.v3.CommandLineOptions"; - - enum IpVersion { - v4 = 0; - v6 = 1; - } - - enum Mode { - // Validate configs and then serve traffic normally. 
- Serve = 0; - - // Validate configs and exit. - Validate = 1; - - // Completely load and initialize the config, and then exit without running the listener loop. - InitOnly = 2; - } - - enum DrainStrategy { - // Gradually discourage connections over the course of the drain period. - Gradual = 0; - - // Discourage all connections for the duration of the drain sequence. - Immediate = 1; - } - - reserved 12, 20, 21, 29; - - reserved "max_stats", "max_obj_name_len", "bootstrap_version"; - - // See :option:`--base-id` for details. - uint64 base_id = 1; - - // See :option:`--use-dynamic-base-id` for details. - bool use_dynamic_base_id = 31; - - // See :option:`--base-id-path` for details. - string base_id_path = 32; - - // See :option:`--concurrency` for details. - uint32 concurrency = 2; - - // See :option:`--config-path` for details. - string config_path = 3; - - // See :option:`--config-yaml` for details. - string config_yaml = 4; - - // See :option:`--allow-unknown-static-fields` for details. - bool allow_unknown_static_fields = 5; - - // See :option:`--reject-unknown-dynamic-fields` for details. - bool reject_unknown_dynamic_fields = 26; - - // See :option:`--ignore-unknown-dynamic-fields` for details. - bool ignore_unknown_dynamic_fields = 30; - - // See :option:`--admin-address-path` for details. - string admin_address_path = 6; - - // See :option:`--local-address-ip-version` for details. - IpVersion local_address_ip_version = 7; - - // See :option:`--log-level` for details. - string log_level = 8; - - // See :option:`--component-log-level` for details. - string component_log_level = 9; - - // See :option:`--log-format` for details. - string log_format = 10; - - // See :option:`--log-format-escaped` for details. - bool log_format_escaped = 27; - - // See :option:`--log-path` for details. - string log_path = 11; - - // See :option:`--service-cluster` for details. - string service_cluster = 13; - - // See :option:`--service-node` for details. 
- string service_node = 14; - - // See :option:`--service-zone` for details. - string service_zone = 15; - - // See :option:`--file-flush-interval-msec` for details. - google.protobuf.Duration file_flush_interval = 16; - - // See :option:`--drain-time-s` for details. - google.protobuf.Duration drain_time = 17; - - // See :option:`--drain-strategy` for details. - DrainStrategy drain_strategy = 33; - - // See :option:`--parent-shutdown-time-s` for details. - google.protobuf.Duration parent_shutdown_time = 18; - - // See :option:`--mode` for details. - Mode mode = 19; - - // See :option:`--disable-hot-restart` for details. - bool disable_hot_restart = 22; - - // See :option:`--enable-mutex-tracing` for details. - bool enable_mutex_tracing = 23; - - // See :option:`--restart-epoch` for details. - uint32 restart_epoch = 24; - - // See :option:`--cpuset-threads` for details. - bool cpuset_threads = 25; - - // See :option:`--disable-extensions` for details. - repeated string disabled_extensions = 28; - - // See :option:`--enable-fine-grain-logging` for details. - bool enable_fine_grain_logging = 34; - - // See :option:`--socket-path` for details. - string socket_path = 35; - - // See :option:`--socket-mode` for details. - uint32 socket_mode = 36; - - // See :option:`--enable-core-dump` for details. - bool enable_core_dump = 37; -} diff --git a/api/envoy/admin/v4alpha/tap.proto b/api/envoy/admin/v4alpha/tap.proto deleted file mode 100644 index e89259380418..000000000000 --- a/api/envoy/admin/v4alpha/tap.proto +++ /dev/null 
@@ -1,28 +0,0 @@ -syntax = "proto3"; - -package envoy.admin.v4alpha; - -import "envoy/config/tap/v4alpha/common.proto"; - -import "udpa/annotations/status.proto"; -import "udpa/annotations/versioning.proto"; -import "validate/validate.proto"; - -option java_package = "io.envoyproxy.envoy.admin.v4alpha"; -option java_outer_classname = "TapProto"; -option java_multiple_files = true; -option (udpa.annotations.file_status).package_version_status = NEXT_MAJOR_VERSION_CANDIDATE; - -// [#protodoc-title: Tap] - -// The /tap admin request body that is used to configure an active tap session. -message TapRequest { - option (udpa.annotations.versioning).previous_message_type = "envoy.admin.v3.TapRequest"; - - // The opaque configuration ID used to match the configuration to a loaded extension. - // A tap extension configures a similar opaque ID that is used to match. - string config_id = 1 [(validate.rules).string = {min_len: 1}]; - - // The tap configuration to load. - config.tap.v4alpha.TapConfig tap_config = 2 [(validate.rules).message = {required: true}]; -} diff --git a/api/envoy/config/accesslog/v4alpha/BUILD b/api/envoy/config/accesslog/v4alpha/BUILD deleted file mode 100644 index 68064d3b08d1..000000000000 --- a/api/envoy/config/accesslog/v4alpha/BUILD +++ /dev/null @@ -1,16 +0,0 @@ -# DO NOT EDIT. This file is generated by tools/proto_format/proto_sync.py. - -load("@envoy_api//bazel:api_build_system.bzl", "api_proto_package") - -licenses(["notice"]) # Apache 2 - -api_proto_package( - deps = [ - "//envoy/config/accesslog/v3:pkg", - "//envoy/config/core/v4alpha:pkg", - "//envoy/config/route/v4alpha:pkg", - "//envoy/type/matcher/v4alpha:pkg", - "//envoy/type/v3:pkg", - "@com_github_cncf_udpa//udpa/annotations:pkg", - ], -) diff --git a/api/envoy/config/accesslog/v4alpha/accesslog.proto b/api/envoy/config/accesslog/v4alpha/accesslog.proto deleted file mode 100644 index 3e0c7f53598c..000000000000 --- a/api/envoy/config/accesslog/v4alpha/accesslog.proto +++ /dev/null 
@@ -1,326 +0,0 @@ -syntax = "proto3"; - -package envoy.config.accesslog.v4alpha; - -import "envoy/config/core/v4alpha/base.proto"; -import "envoy/config/route/v4alpha/route_components.proto"; -import "envoy/type/matcher/v4alpha/metadata.proto"; -import "envoy/type/v3/percent.proto"; - -import "google/protobuf/any.proto"; -import "google/protobuf/wrappers.proto"; - -import "udpa/annotations/status.proto"; -import "udpa/annotations/versioning.proto"; -import "validate/validate.proto"; - -option java_package = "io.envoyproxy.envoy.config.accesslog.v4alpha"; -option java_outer_classname = "AccesslogProto"; -option java_multiple_files = true; -option (udpa.annotations.file_status).package_version_status = NEXT_MAJOR_VERSION_CANDIDATE; - -// [#protodoc-title: Common access log types] - -message AccessLog { - option (udpa.annotations.versioning).previous_message_type = - "envoy.config.accesslog.v3.AccessLog"; - - reserved 3; - - reserved "config"; - - // The name of the access log extension to instantiate. - // The name must match one of the compiled in loggers. - // See the :ref:`extensions listed in typed_config below ` for the default list of available loggers. - string name = 1; - - // Filter which is used to determine if the access log needs to be written. - AccessLogFilter filter = 2; - - // Custom configuration that must be set according to the access logger extension being instantiated. - // [#extension-category: envoy.access_loggers] - oneof config_type { - google.protobuf.Any typed_config = 4; - } -} - -// [#next-free-field: 13] -message AccessLogFilter { - option (udpa.annotations.versioning).previous_message_type = - "envoy.config.accesslog.v3.AccessLogFilter"; - - oneof filter_specifier { - option (validate.required) = true; - - // Status code filter. - StatusCodeFilter status_code_filter = 1; - - // Duration filter. - DurationFilter duration_filter = 2; - - // Not health check filter. 
- NotHealthCheckFilter not_health_check_filter = 3; - - // Traceable filter. - TraceableFilter traceable_filter = 4; - - // Runtime filter. - RuntimeFilter runtime_filter = 5; - - // And filter. - AndFilter and_filter = 6; - - // Or filter. - OrFilter or_filter = 7; - - // Header filter. - HeaderFilter header_filter = 8; - - // Response flag filter. - ResponseFlagFilter response_flag_filter = 9; - - // gRPC status filter. - GrpcStatusFilter grpc_status_filter = 10; - - // Extension filter. - ExtensionFilter extension_filter = 11; - - // Metadata Filter - MetadataFilter metadata_filter = 12; - } -} - -// Filter on an integer comparison. -message ComparisonFilter { - option (udpa.annotations.versioning).previous_message_type = - "envoy.config.accesslog.v3.ComparisonFilter"; - - enum Op { - // = - EQ = 0; - - // >= - GE = 1; - - // <= - LE = 2; - } - - // Comparison operator. - Op op = 1 [(validate.rules).enum = {defined_only: true}]; - - // Value to compare against. - core.v4alpha.RuntimeUInt32 value = 2; -} - -// Filters on HTTP response/status code. -message StatusCodeFilter { - option (udpa.annotations.versioning).previous_message_type = - "envoy.config.accesslog.v3.StatusCodeFilter"; - - // Comparison. - ComparisonFilter comparison = 1 [(validate.rules).message = {required: true}]; -} - -// Filters on total request duration in milliseconds. -message DurationFilter { - option (udpa.annotations.versioning).previous_message_type = - "envoy.config.accesslog.v3.DurationFilter"; - - // Comparison. - ComparisonFilter comparison = 1 [(validate.rules).message = {required: true}]; -} - -// Filters for requests that are not health check requests. A health check -// request is marked by the health check filter. -message NotHealthCheckFilter { - option (udpa.annotations.versioning).previous_message_type = - "envoy.config.accesslog.v3.NotHealthCheckFilter"; -} - -// Filters for requests that are traceable. 
See the tracing overview for more -// information on how a request becomes traceable. -message TraceableFilter { - option (udpa.annotations.versioning).previous_message_type = - "envoy.config.accesslog.v3.TraceableFilter"; -} - -// Filters for random sampling of requests. -message RuntimeFilter { - option (udpa.annotations.versioning).previous_message_type = - "envoy.config.accesslog.v3.RuntimeFilter"; - - // Runtime key to get an optional overridden numerator for use in the - // *percent_sampled* field. If found in runtime, this value will replace the - // default numerator. - string runtime_key = 1 [(validate.rules).string = {min_len: 1}]; - - // The default sampling percentage. If not specified, defaults to 0% with - // denominator of 100. - type.v3.FractionalPercent percent_sampled = 2; - - // By default, sampling pivots on the header - // :ref:`x-request-id` being - // present. If :ref:`x-request-id` - // is present, the filter will consistently sample across multiple hosts based - // on the runtime key value and the value extracted from - // :ref:`x-request-id`. If it is - // missing, or *use_independent_randomness* is set to true, the filter will - // randomly sample based on the runtime key value alone. - // *use_independent_randomness* can be used for logging kill switches within - // complex nested :ref:`AndFilter - // ` and :ref:`OrFilter - // ` blocks that are easier to - // reason about from a probability perspective (i.e., setting to true will - // cause the filter to behave like an independent random variable when - // composed within logical operator filters). - bool use_independent_randomness = 3; -} - -// Performs a logical “and” operation on the result of each filter in filters. -// Filters are evaluated sequentially and if one of them returns false, the -// filter returns false immediately. 
-message AndFilter { - option (udpa.annotations.versioning).previous_message_type = - "envoy.config.accesslog.v3.AndFilter"; - - repeated AccessLogFilter filters = 1 [(validate.rules).repeated = {min_items: 2}]; -} - -// Performs a logical “or” operation on the result of each individual filter. -// Filters are evaluated sequentially and if one of them returns true, the -// filter returns true immediately. -message OrFilter { - option (udpa.annotations.versioning).previous_message_type = "envoy.config.accesslog.v3.OrFilter"; - - repeated AccessLogFilter filters = 2 [(validate.rules).repeated = {min_items: 2}]; -} - -// Filters requests based on the presence or value of a request header. -message HeaderFilter { - option (udpa.annotations.versioning).previous_message_type = - "envoy.config.accesslog.v3.HeaderFilter"; - - // Only requests with a header which matches the specified HeaderMatcher will - // pass the filter check. - route.v4alpha.HeaderMatcher header = 1 [(validate.rules).message = {required: true}]; -} - -// Filters requests that received responses with an Envoy response flag set. -// A list of the response flags can be found -// in the access log formatter -// :ref:`documentation`. -message ResponseFlagFilter { - option (udpa.annotations.versioning).previous_message_type = - "envoy.config.accesslog.v3.ResponseFlagFilter"; - - // Only responses with the any of the flags listed in this field will be - // logged. This field is optional. If it is not specified, then any response - // flag will pass the filter check. 
- repeated string flags = 1 [(validate.rules).repeated = { - items { - string { - in: "LH" - in: "UH" - in: "UT" - in: "LR" - in: "UR" - in: "UF" - in: "UC" - in: "UO" - in: "NR" - in: "DI" - in: "FI" - in: "RL" - in: "UAEX" - in: "RLSE" - in: "DC" - in: "URX" - in: "SI" - in: "IH" - in: "DPE" - in: "UMSDR" - in: "RFCF" - in: "NFCF" - in: "DT" - in: "UPE" - in: "NC" - in: "OM" - } - } - }]; -} - -// Filters gRPC requests based on their response status. If a gRPC status is not -// provided, the filter will infer the status from the HTTP status code. -message GrpcStatusFilter { - option (udpa.annotations.versioning).previous_message_type = - "envoy.config.accesslog.v3.GrpcStatusFilter"; - - enum Status { - OK = 0; - CANCELED = 1; - UNKNOWN = 2; - INVALID_ARGUMENT = 3; - DEADLINE_EXCEEDED = 4; - NOT_FOUND = 5; - ALREADY_EXISTS = 6; - PERMISSION_DENIED = 7; - RESOURCE_EXHAUSTED = 8; - FAILED_PRECONDITION = 9; - ABORTED = 10; - OUT_OF_RANGE = 11; - UNIMPLEMENTED = 12; - INTERNAL = 13; - UNAVAILABLE = 14; - DATA_LOSS = 15; - UNAUTHENTICATED = 16; - } - - // Logs only responses that have any one of the gRPC statuses in this field. - repeated Status statuses = 1 [(validate.rules).repeated = {items {enum {defined_only: true}}}]; - - // If included and set to true, the filter will instead block all responses - // with a gRPC status or inferred gRPC status enumerated in statuses, and - // allow all other responses. - bool exclude = 2; -} - -// Filters based on matching dynamic metadata. -// If the matcher path and key correspond to an existing key in dynamic -// metadata, the request is logged only if the matcher value is equal to the -// metadata value. If the matcher path and key *do not* correspond to an -// existing key in dynamic metadata, the request is logged only if -// match_if_key_not_found is "true" or unset. 
-message MetadataFilter { - option (udpa.annotations.versioning).previous_message_type = - "envoy.config.accesslog.v3.MetadataFilter"; - - // Matcher to check metadata for specified value. For example, to match on the - // access_log_hint metadata, set the filter to "envoy.common" and the path to - // "access_log_hint", and the value to "true". - type.matcher.v4alpha.MetadataMatcher matcher = 1; - - // Default result if the key does not exist in dynamic metadata: if unset or - // true, then log; if false, then don't log. - google.protobuf.BoolValue match_if_key_not_found = 2; -} - -// Extension filter is statically registered at runtime. -message ExtensionFilter { - option (udpa.annotations.versioning).previous_message_type = - "envoy.config.accesslog.v3.ExtensionFilter"; - - reserved 2; - - reserved "config"; - - // The name of the filter implementation to instantiate. The name must - // match a statically registered filter. - string name = 1; - - // Custom configuration that depends on the filter being instantiated. - oneof config_type { - google.protobuf.Any typed_config = 3; - } -} diff --git a/api/envoy/config/bootstrap/v4alpha/BUILD b/api/envoy/config/bootstrap/v4alpha/BUILD deleted file mode 100644 index 5dc1c5c61f7d..000000000000 --- a/api/envoy/config/bootstrap/v4alpha/BUILD +++ /dev/null @@ -1,20 +0,0 @@ -# DO NOT EDIT. This file is generated by tools/proto_format/proto_sync.py. - -load("@envoy_api//bazel:api_build_system.bzl", "api_proto_package") - -licenses(["notice"]) # Apache 2 - -api_proto_package( - deps = [ - "//envoy/config/accesslog/v4alpha:pkg", - "//envoy/config/bootstrap/v3:pkg", - "//envoy/config/cluster/v4alpha:pkg", - "//envoy/config/core/v4alpha:pkg", - "//envoy/config/listener/v4alpha:pkg", - "//envoy/config/metrics/v4alpha:pkg", - "//envoy/config/overload/v3:pkg", - "//envoy/extensions/transport_sockets/tls/v4alpha:pkg", - "//envoy/type/v3:pkg", - "@com_github_cncf_udpa//udpa/annotations:pkg", - ], -) 
diff --git a/api/envoy/config/bootstrap/v4alpha/bootstrap.proto b/api/envoy/config/bootstrap/v4alpha/bootstrap.proto
deleted file mode 100644
index 5c45b8f7dbce..000000000000
--- a/api/envoy/config/bootstrap/v4alpha/bootstrap.proto
+++ /dev/null
@@ -1,620 +0,0 @@ -syntax = "proto3"; - -package envoy.config.bootstrap.v4alpha; - -import "envoy/config/accesslog/v4alpha/accesslog.proto"; -import "envoy/config/cluster/v4alpha/cluster.proto"; -import "envoy/config/core/v4alpha/address.proto"; -import "envoy/config/core/v4alpha/base.proto"; -import "envoy/config/core/v4alpha/config_source.proto"; -import "envoy/config/core/v4alpha/event_service_config.proto"; -import "envoy/config/core/v4alpha/extension.proto"; -import "envoy/config/core/v4alpha/resolver.proto"; -import "envoy/config/core/v4alpha/socket_option.proto"; -import "envoy/config/listener/v4alpha/listener.proto"; -import "envoy/config/metrics/v4alpha/stats.proto"; -import "envoy/config/overload/v3/overload.proto"; -import "envoy/extensions/transport_sockets/tls/v4alpha/secret.proto"; -import "envoy/type/v3/percent.proto"; - -import "google/protobuf/duration.proto"; -import "google/protobuf/struct.proto"; -import "google/protobuf/wrappers.proto"; - -import "udpa/annotations/security.proto"; -import "udpa/annotations/status.proto"; -import "udpa/annotations/versioning.proto"; -import "validate/validate.proto"; - -option java_package = "io.envoyproxy.envoy.config.bootstrap.v4alpha"; -option java_outer_classname = "BootstrapProto"; -option java_multiple_files = true; -option (udpa.annotations.file_status).package_version_status = NEXT_MAJOR_VERSION_CANDIDATE; - -// [#protodoc-title: Bootstrap] -// This proto is supplied via the :option:`-c` CLI flag and acts as the root -// of the Envoy v3 configuration. See the :ref:`v3 configuration overview -// ` for more detail. - -// Bootstrap :ref:`configuration overview `. -// [#next-free-field: 33] -message Bootstrap { - option (udpa.annotations.versioning).previous_message_type = - "envoy.config.bootstrap.v3.Bootstrap"; - - message StaticResources { - option (udpa.annotations.versioning).previous_message_type = - "envoy.config.bootstrap.v3.Bootstrap.StaticResources"; - - // Static :ref:`Listeners `. 
These listeners are - // available regardless of LDS configuration. - repeated listener.v4alpha.Listener listeners = 1; - - // If a network based configuration source is specified for :ref:`cds_config - // `, it's necessary - // to have some initial cluster definitions available to allow Envoy to know - // how to speak to the management server. These cluster definitions may not - // use :ref:`EDS ` (i.e. they should be static - // IP or DNS-based). - repeated cluster.v4alpha.Cluster clusters = 2; - - // These static secrets can be used by :ref:`SdsSecretConfig - // ` - repeated envoy.extensions.transport_sockets.tls.v4alpha.Secret secrets = 3; - } - - // [#next-free-field: 7] - message DynamicResources { - option (udpa.annotations.versioning).previous_message_type = - "envoy.config.bootstrap.v3.Bootstrap.DynamicResources"; - - reserved 4; - - // All :ref:`Listeners ` are provided by a single - // :ref:`LDS ` configuration source. - core.v4alpha.ConfigSource lds_config = 1; - - // xdstp:// resource locator for listener collection. - // [#not-implemented-hide:] - string lds_resources_locator = 5; - - // All post-bootstrap :ref:`Cluster ` definitions are - // provided by a single :ref:`CDS ` - // configuration source. - core.v4alpha.ConfigSource cds_config = 2; - - // xdstp:// resource locator for cluster collection. - // [#not-implemented-hide:] - string cds_resources_locator = 6; - - // A single :ref:`ADS ` source may be optionally - // specified. This must have :ref:`api_type - // ` :ref:`GRPC - // `. Only - // :ref:`ConfigSources ` that have - // the :ref:`ads ` field set will be - // streamed on the ADS channel. - core.v4alpha.ApiConfigSource ads_config = 3; - } - - reserved 10, 11, 8, 9, 20; - - reserved "runtime", "watchdog", "tracing", "use_tcp_for_dns_lookups"; - - // Node identity to present to the management server and for instance - // identification purposes (e.g. in generated headers). 
- core.v4alpha.Node node = 1; - - // A list of :ref:`Node ` field names - // that will be included in the context parameters of the effective - // xdstp:// URL that is sent in a discovery request when resource - // locators are used for LDS/CDS. Any non-string field will have its JSON - // encoding set as the context parameter value, with the exception of - // metadata, which will be flattened (see example below). The supported field - // names are: - // - "cluster" - // - "id" - // - "locality.region" - // - "locality.sub_zone" - // - "locality.zone" - // - "metadata" - // - "user_agent_build_version.metadata" - // - "user_agent_build_version.version" - // - "user_agent_name" - // - "user_agent_version" - // - // The node context parameters act as a base layer dictionary for the context - // parameters (i.e. more specific resource specific context parameters will - // override). Field names will be prefixed with “udpa.node.” when included in - // context parameters. - // - // For example, if node_context_params is ``["user_agent_name", "metadata"]``, - // the implied context parameters might be:: - // - // node.user_agent_name: "envoy" - // node.metadata.foo: "{\"bar\": \"baz\"}" - // node.metadata.some: "42" - // node.metadata.thing: "\"thing\"" - // - // [#not-implemented-hide:] - repeated string node_context_params = 26; - - // Statically specified resources. - StaticResources static_resources = 2; - - // xDS configuration sources. - DynamicResources dynamic_resources = 3; - - // Configuration for the cluster manager which owns all upstream clusters - // within the server. - ClusterManager cluster_manager = 4; - - // Health discovery service config option. - // (:ref:`core.ApiConfigSource `) - core.v4alpha.ApiConfigSource hds_config = 14; - - // Optional file system path to search for startup flag files. - string flags_path = 5; - - // Optional set of stats sinks. 
- repeated metrics.v4alpha.StatsSink stats_sinks = 6; - - // Configuration for internal processing of stats. - metrics.v4alpha.StatsConfig stats_config = 13; - - oneof stats_flush { - // Optional duration between flushes to configured stats sinks. For - // performance reasons Envoy latches counters and only flushes counters and - // gauges at a periodic interval. If not specified the default is 5000ms (5 - // seconds). Only one of `stats_flush_interval` or `stats_flush_on_admin` - // can be set. - // Duration must be at least 1ms and at most 5 min. - google.protobuf.Duration stats_flush_interval = 7 [(validate.rules).duration = { - lt {seconds: 300} - gte {nanos: 1000000} - }]; - - // Flush stats to sinks only when queried for on the admin interface. If set, - // a flush timer is not created. Only one of `stats_flush_on_admin` or - // `stats_flush_interval` can be set. - bool stats_flush_on_admin = 29 [(validate.rules).bool = {const: true}]; - } - - // Optional watchdogs configuration. - // This is used for specifying different watchdogs for the different subsystems. - // [#extension-category: envoy.guarddog_actions] - Watchdogs watchdogs = 27; - - // Configuration for the runtime configuration provider. If not - // specified, a “null” provider will be used which will result in all defaults - // being used. - LayeredRuntime layered_runtime = 17; - - // Configuration for the local administration HTTP server. - Admin admin = 12; - - // Optional overload manager configuration. - overload.v3.OverloadManager overload_manager = 15 [ - (udpa.annotations.security).configure_for_untrusted_downstream = true, - (udpa.annotations.security).configure_for_untrusted_upstream = true - ]; - - // Enable :ref:`stats for event dispatcher `, defaults to false. - // Note that this records a value for each iteration of the event loop on every thread. 
This - // should normally be minimal overhead, but when using - // :ref:`statsd `, it will send each observed value - // over the wire individually because the statsd protocol doesn't have any way to represent a - // histogram summary. Be aware that this can be a very large volume of data. - bool enable_dispatcher_stats = 16; - - // Optional string which will be used in lieu of x-envoy in prefixing headers. - // - // For example, if this string is present and set to X-Foo, then x-envoy-retry-on will be - // transformed into x-foo-retry-on etc. - // - // Note this applies to the headers Envoy will generate, the headers Envoy will sanitize, and the - // headers Envoy will trust for core code and core extensions only. Be VERY careful making - // changes to this string, especially in multi-layer Envoy deployments or deployments using - // extensions which are not upstream. - string header_prefix = 18; - - // Optional proxy version which will be used to set the value of :ref:`server.version statistic - // ` if specified. Envoy will not process this value, it will be sent as is to - // :ref:`stats sinks `. - google.protobuf.UInt64Value stats_server_version_override = 19; - - // DNS resolution configuration which includes the underlying dns resolver addresses and options. - // This may be overridden on a per-cluster basis in cds_config, when - // :ref:`dns_resolution_config ` - // is specified. - // *dns_resolution_config* will be deprecated once - // :ref:'typed_dns_resolver_config ' - // is fully supported. - core.v4alpha.DnsResolutionConfig dns_resolution_config = 30; - - // DNS resolver type configuration extension. This extension can be used to configure c-ares, apple, - // or any other DNS resolver types and the related parameters. - // For example, an object of :ref:`DnsResolutionConfig ` - // can be packed into this *typed_dns_resolver_config*. This configuration will replace the - // :ref:'dns_resolution_config ' - // configuration eventually. 
- // TODO(yanjunxiang): Investigate the deprecation plan for *dns_resolution_config*. - // During the transition period when both *dns_resolution_config* and *typed_dns_resolver_config* exists, - // this configuration is optional. - // When *typed_dns_resolver_config* is in place, Envoy will use it and ignore *dns_resolution_config*. - // When *typed_dns_resolver_config* is missing, the default behavior is in place. - // [#not-implemented-hide:] - core.v4alpha.TypedExtensionConfig typed_dns_resolver_config = 31; - - // Specifies optional bootstrap extensions to be instantiated at startup time. - // Each item contains extension specific configuration. - // [#extension-category: envoy.bootstrap] - repeated core.v4alpha.TypedExtensionConfig bootstrap_extensions = 21; - - // Specifies optional extensions instantiated at startup time and - // invoked during crash time on the request that caused the crash. - repeated FatalAction fatal_actions = 28; - - // Configuration sources that will participate in - // xdstp:// URL authority resolution. The algorithm is as - // follows: - // 1. The authority field is taken from the xdstp:// URL, call - // this *resource_authority*. - // 2. *resource_authority* is compared against the authorities in any peer - // *ConfigSource*. The peer *ConfigSource* is the configuration source - // message which would have been used unconditionally for resolution - // with opaque resource names. If there is a match with an authority, the - // peer *ConfigSource* message is used. - // 3. *resource_authority* is compared sequentially with the authorities in - // each configuration source in *config_sources*. The first *ConfigSource* - // to match wins. - // 4. As a fallback, if no configuration source matches, then - // *default_config_source* is used. - // 5. If *default_config_source* is not specified, resolution fails. 
- // [#not-implemented-hide:] - repeated core.v4alpha.ConfigSource config_sources = 22; - - // Default configuration source for xdstp:// URLs if all - // other resolution fails. - // [#not-implemented-hide:] - core.v4alpha.ConfigSource default_config_source = 23; - - // Optional overriding of default socket interface. The value must be the name of one of the - // socket interface factories initialized through a bootstrap extension - string default_socket_interface = 24; - - // Global map of CertificateProvider instances. These instances are referred to by name in the - // :ref:`CommonTlsContext.CertificateProviderInstance.instance_name - // ` - // field. - // [#not-implemented-hide:] - map certificate_provider_instances = 25; - - // Specifies a set of headers that need to be registered as inline header. This configuration - // allows users to customize the inline headers on-demand at Envoy startup without modifying - // Envoy's source code. - // - // Note that the 'set-cookie' header cannot be registered as inline header. - repeated CustomInlineHeader inline_headers = 32; -} - -// Administration interface :ref:`operations documentation -// `. -// [#next-free-field: 6] -message Admin { - option (udpa.annotations.versioning).previous_message_type = "envoy.config.bootstrap.v3.Admin"; - - reserved 1; - - reserved "access_log_path"; - - // Configuration for :ref:`access logs ` - // emitted by the administration server. - repeated accesslog.v4alpha.AccessLog access_log = 5; - - // The cpu profiler output path for the administration server. If no profile - // path is specified, the default is ‘/var/log/envoy/envoy.prof’. - string profile_path = 2; - - // The TCP address that the administration server will listen on. - // If not specified, Envoy will not start an administration server. - core.v4alpha.Address address = 3; - - // Additional socket options that may not be present in Envoy source code or - // precompiled binaries. 
- repeated core.v4alpha.SocketOption socket_options = 4; -} - -// Cluster manager :ref:`architecture overview `. -message ClusterManager { - option (udpa.annotations.versioning).previous_message_type = - "envoy.config.bootstrap.v3.ClusterManager"; - - message OutlierDetection { - option (udpa.annotations.versioning).previous_message_type = - "envoy.config.bootstrap.v3.ClusterManager.OutlierDetection"; - - // Specifies the path to the outlier event log. - string event_log_path = 1; - - // [#not-implemented-hide:] - // The gRPC service for the outlier detection event service. - // If empty, outlier detection events won't be sent to a remote endpoint. - core.v4alpha.EventServiceConfig event_service = 2; - } - - // Name of the local cluster (i.e., the cluster that owns the Envoy running - // this configuration). In order to enable :ref:`zone aware routing - // ` this option must be set. - // If *local_cluster_name* is defined then :ref:`clusters - // ` must be defined in the :ref:`Bootstrap - // static cluster resources - // `. This is unrelated to - // the :option:`--service-cluster` option which does not `affect zone aware - // routing `_. - string local_cluster_name = 1; - - // Optional global configuration for outlier detection. - OutlierDetection outlier_detection = 2; - - // Optional configuration used to bind newly established upstream connections. - // This may be overridden on a per-cluster basis by upstream_bind_config in the cds_config. - core.v4alpha.BindConfig upstream_bind_config = 3; - - // A management server endpoint to stream load stats to via - // *StreamLoadStats*. This must have :ref:`api_type - // ` :ref:`GRPC - // `. - core.v4alpha.ApiConfigSource load_stats_config = 4; -} - -// Allows you to specify different watchdog configs for different subsystems. -// This allows finer tuned policies for the watchdog. If a subsystem is omitted -// the default values for that system will be used. 
-message Watchdogs { - option (udpa.annotations.versioning).previous_message_type = - "envoy.config.bootstrap.v3.Watchdogs"; - - // Watchdog for the main thread. - Watchdog main_thread_watchdog = 1; - - // Watchdog for the worker threads. - Watchdog worker_watchdog = 2; -} - -// Envoy process watchdog configuration. When configured, this monitors for -// nonresponsive threads and kills the process after the configured thresholds. -// See the :ref:`watchdog documentation ` for more information. -// [#next-free-field: 8] -message Watchdog { - option (udpa.annotations.versioning).previous_message_type = "envoy.config.bootstrap.v3.Watchdog"; - - message WatchdogAction { - option (udpa.annotations.versioning).previous_message_type = - "envoy.config.bootstrap.v3.Watchdog.WatchdogAction"; - - // The events are fired in this order: KILL, MULTIKILL, MEGAMISS, MISS. - // Within an event type, actions execute in the order they are configured. - // For KILL/MULTIKILL there is a default PANIC that will run after the - // registered actions and kills the process if it wasn't already killed. - // It might be useful to specify several debug actions, and possibly an - // alternate FATAL action. - enum WatchdogEvent { - UNKNOWN = 0; - KILL = 1; - MULTIKILL = 2; - MEGAMISS = 3; - MISS = 4; - } - - // Extension specific configuration for the action. - core.v4alpha.TypedExtensionConfig config = 1; - - WatchdogEvent event = 2 [(validate.rules).enum = {defined_only: true}]; - } - - // Register actions that will fire on given WatchDog events. - // See *WatchDogAction* for priority of events. - repeated WatchdogAction actions = 7; - - // The duration after which Envoy counts a nonresponsive thread in the - // *watchdog_miss* statistic. If not specified the default is 200ms. - google.protobuf.Duration miss_timeout = 1; - - // The duration after which Envoy counts a nonresponsive thread in the - // *watchdog_mega_miss* statistic. If not specified the default is - // 1000ms. 
- google.protobuf.Duration megamiss_timeout = 2; - - // If a watched thread has been nonresponsive for this duration, assume a - // programming error and kill the entire Envoy process. Set to 0 to disable - // kill behavior. If not specified the default is 0 (disabled). - google.protobuf.Duration kill_timeout = 3; - - // Defines the maximum jitter used to adjust the *kill_timeout* if *kill_timeout* is - // enabled. Enabling this feature would help to reduce risk of synchronized - // watchdog kill events across proxies due to external triggers. Set to 0 to - // disable. If not specified the default is 0 (disabled). - google.protobuf.Duration max_kill_timeout_jitter = 6 [(validate.rules).duration = {gte {}}]; - - // If max(2, ceil(registered_threads * Fraction(*multikill_threshold*))) - // threads have been nonresponsive for at least this duration kill the entire - // Envoy process. Set to 0 to disable this behavior. If not specified the - // default is 0 (disabled). - google.protobuf.Duration multikill_timeout = 4; - - // Sets the threshold for *multikill_timeout* in terms of the percentage of - // nonresponsive threads required for the *multikill_timeout*. - // If not specified the default is 0. - type.v3.Percent multikill_threshold = 5; -} - -// Fatal actions to run while crashing. Actions can be safe (meaning they are -// async-signal safe) or unsafe. We run all safe actions before we run unsafe actions. -// If using an unsafe action that could get stuck or deadlock, it important to -// have an out of band system to terminate the process. -// -// The interface for the extension is ``Envoy::Server::Configuration::FatalAction``. -// *FatalAction* extensions live in the ``envoy.extensions.fatal_actions`` API -// namespace. -message FatalAction { - option (udpa.annotations.versioning).previous_message_type = - "envoy.config.bootstrap.v3.FatalAction"; - - // Extension specific configuration for the action. 
It's expected to conform - // to the ``Envoy::Server::Configuration::FatalAction`` interface. - core.v4alpha.TypedExtensionConfig config = 1; -} - -// Runtime :ref:`configuration overview ` (deprecated). -message Runtime { - option (udpa.annotations.versioning).previous_message_type = "envoy.config.bootstrap.v3.Runtime"; - - // The implementation assumes that the file system tree is accessed via a - // symbolic link. An atomic link swap is used when a new tree should be - // switched to. This parameter specifies the path to the symbolic link. Envoy - // will watch the location for changes and reload the file system tree when - // they happen. If this parameter is not set, there will be no disk based - // runtime. - string symlink_root = 1; - - // Specifies the subdirectory to load within the root directory. This is - // useful if multiple systems share the same delivery mechanism. Envoy - // configuration elements can be contained in a dedicated subdirectory. - string subdirectory = 2; - - // Specifies an optional subdirectory to load within the root directory. If - // specified and the directory exists, configuration values within this - // directory will override those found in the primary subdirectory. This is - // useful when Envoy is deployed across many different types of servers. - // Sometimes it is useful to have a per service cluster directory for runtime - // configuration. See below for exactly how the override directory is used. - string override_subdirectory = 3; - - // Static base runtime. This will be :ref:`overridden - // ` by other runtime layers, e.g. - // disk or admin. This follows the :ref:`runtime protobuf JSON representation - // encoding `. - google.protobuf.Struct base = 4; -} - -// [#next-free-field: 6] -message RuntimeLayer { - option (udpa.annotations.versioning).previous_message_type = - "envoy.config.bootstrap.v3.RuntimeLayer"; - - // :ref:`Disk runtime ` layer. 
- message DiskLayer { - option (udpa.annotations.versioning).previous_message_type = - "envoy.config.bootstrap.v3.RuntimeLayer.DiskLayer"; - - // The implementation assumes that the file system tree is accessed via a - // symbolic link. An atomic link swap is used when a new tree should be - // switched to. This parameter specifies the path to the symbolic link. - // Envoy will watch the location for changes and reload the file system tree - // when they happen. See documentation on runtime :ref:`atomicity - // ` for further details on how reloads are - // treated. - string symlink_root = 1; - - // Specifies the subdirectory to load within the root directory. This is - // useful if multiple systems share the same delivery mechanism. Envoy - // configuration elements can be contained in a dedicated subdirectory. - string subdirectory = 3; - - // :ref:`Append ` the - // service cluster to the path under symlink root. - bool append_service_cluster = 2; - } - - // :ref:`Admin console runtime ` layer. - message AdminLayer { - option (udpa.annotations.versioning).previous_message_type = - "envoy.config.bootstrap.v3.RuntimeLayer.AdminLayer"; - } - - // :ref:`Runtime Discovery Service (RTDS) ` layer. - message RtdsLayer { - option (udpa.annotations.versioning).previous_message_type = - "envoy.config.bootstrap.v3.RuntimeLayer.RtdsLayer"; - - // Resource to subscribe to at *rtds_config* for the RTDS layer. - string name = 1; - - // RTDS configuration source. - core.v4alpha.ConfigSource rtds_config = 2; - } - - // Descriptive name for the runtime layer. This is only used for the runtime - // :http:get:`/runtime` output. - string name = 1 [(validate.rules).string = {min_len: 1}]; - - oneof layer_specifier { - option (validate.required) = true; - - // :ref:`Static runtime ` layer. - // This follows the :ref:`runtime protobuf JSON representation encoding - // `. Unlike static xDS resources, this static - // layer is overridable by later layers in the runtime virtual filesystem. 
- google.protobuf.Struct static_layer = 2; - - DiskLayer disk_layer = 3; - - AdminLayer admin_layer = 4; - - RtdsLayer rtds_layer = 5; - } -} - -// Runtime :ref:`configuration overview `. -message LayeredRuntime { - option (udpa.annotations.versioning).previous_message_type = - "envoy.config.bootstrap.v3.LayeredRuntime"; - - // The :ref:`layers ` of the runtime. This is ordered - // such that later layers in the list overlay earlier entries. - repeated RuntimeLayer layers = 1; -} - -// Used to specify the header that needs to be registered as an inline header. -// -// If request or response contain multiple headers with the same name and the header -// name is registered as an inline header. Then multiple headers will be folded -// into one, and multiple header values will be concatenated by a suitable delimiter. -// The delimiter is generally a comma. -// -// For example, if 'foo' is registered as an inline header, and the headers contains -// the following two headers: -// -// .. code-block:: text -// -// foo: bar -// foo: eep -// -// Then they will eventually be folded into: -// -// .. code-block:: text -// -// foo: bar, eep -// -// Inline headers provide O(1) search performance, but each inline header imposes -// an additional memory overhead on all instances of the corresponding type of -// HeaderMap or TrailerMap. -message CustomInlineHeader { - option (udpa.annotations.versioning).previous_message_type = - "envoy.config.bootstrap.v3.CustomInlineHeader"; - - enum InlineHeaderType { - REQUEST_HEADER = 0; - REQUEST_TRAILER = 1; - RESPONSE_HEADER = 2; - RESPONSE_TRAILER = 3; - } - - // The name of the header that is expected to be set as the inline header. - string inline_header_name = 1 - [(validate.rules).string = {min_len: 1 well_known_regex: HTTP_HEADER_NAME strict: false}]; - - // The type of the header that is expected to be set as the inline header. - InlineHeaderType inline_header_type = 2 [(validate.rules).enum = {defined_only: true}]; -} 
diff --git a/api/envoy/config/cluster/v4alpha/BUILD b/api/envoy/config/cluster/v4alpha/BUILD deleted file mode 100644 index b5db8055b8d1..000000000000 --- a/api/envoy/config/cluster/v4alpha/BUILD +++ /dev/null @@ -1,16 +0,0 @@ -# DO NOT EDIT. This file is generated by tools/proto_format/proto_sync.py. - -load("@envoy_api//bazel:api_build_system.bzl", "api_proto_package") - -licenses(["notice"]) # Apache 2 - -api_proto_package( - deps = [ - "//envoy/config/cluster/v3:pkg", - "//envoy/config/core/v4alpha:pkg", - "//envoy/config/endpoint/v4alpha:pkg", - "//envoy/type/v3:pkg", - "@com_github_cncf_udpa//udpa/annotations:pkg", - "@com_github_cncf_udpa//xds/core/v3:pkg", - ], -) diff --git a/api/envoy/config/cluster/v4alpha/circuit_breaker.proto b/api/envoy/config/cluster/v4alpha/circuit_breaker.proto deleted file mode 100644 index 36aebb897780..000000000000 --- a/api/envoy/config/cluster/v4alpha/circuit_breaker.proto +++ /dev/null 
@@ -1,105 +0,0 @@ -syntax = "proto3"; - -package envoy.config.cluster.v4alpha; - -import "envoy/config/core/v4alpha/base.proto"; -import "envoy/type/v3/percent.proto"; - -import "google/protobuf/wrappers.proto"; - -import "udpa/annotations/status.proto"; -import "udpa/annotations/versioning.proto"; -import "validate/validate.proto"; - -option java_package = "io.envoyproxy.envoy.config.cluster.v4alpha"; -option java_outer_classname = "CircuitBreakerProto"; -option java_multiple_files = true; -option (udpa.annotations.file_status).package_version_status = NEXT_MAJOR_VERSION_CANDIDATE; - -// [#protodoc-title: Circuit breakers] - -// :ref:`Circuit breaking` settings can be -// specified individually for each defined priority. -message CircuitBreakers { - option (udpa.annotations.versioning).previous_message_type = - "envoy.config.cluster.v3.CircuitBreakers"; - - // A Thresholds defines CircuitBreaker settings for a - // :ref:`RoutingPriority`. - // [#next-free-field: 9] - message Thresholds { - option (udpa.annotations.versioning).previous_message_type = - "envoy.config.cluster.v3.CircuitBreakers.Thresholds"; - - message RetryBudget { - option (udpa.annotations.versioning).previous_message_type = - "envoy.config.cluster.v3.CircuitBreakers.Thresholds.RetryBudget"; - - // Specifies the limit on concurrent retries as a percentage of the sum of active requests and - // active pending requests. For example, if there are 100 active requests and the - // budget_percent is set to 25, there may be 25 active retries. - // - // This parameter is optional. Defaults to 20%. - type.v3.Percent budget_percent = 1; - - // Specifies the minimum retry concurrency allowed for the retry budget. The limit on the - // number of active retries may never go below this number. - // - // This parameter is optional. Defaults to 3. - google.protobuf.UInt32Value min_retry_concurrency = 2; - } - - // The :ref:`RoutingPriority` - // the specified CircuitBreaker settings apply to. 
- core.v4alpha.RoutingPriority priority = 1 [(validate.rules).enum = {defined_only: true}]; - - // The maximum number of connections that Envoy will make to the upstream - // cluster. If not specified, the default is 1024. - google.protobuf.UInt32Value max_connections = 2; - - // The maximum number of pending requests that Envoy will allow to the - // upstream cluster. If not specified, the default is 1024. - google.protobuf.UInt32Value max_pending_requests = 3; - - // The maximum number of parallel requests that Envoy will make to the - // upstream cluster. If not specified, the default is 1024. - google.protobuf.UInt32Value max_requests = 4; - - // The maximum number of parallel retries that Envoy will allow to the - // upstream cluster. If not specified, the default is 3. - google.protobuf.UInt32Value max_retries = 5; - - // Specifies a limit on concurrent retries in relation to the number of active requests. This - // parameter is optional. - // - // .. note:: - // - // If this field is set, the retry budget will override any configured retry circuit - // breaker. - RetryBudget retry_budget = 8; - - // If track_remaining is true, then stats will be published that expose - // the number of resources remaining until the circuit breakers open. If - // not specified, the default is false. - // - // .. note:: - // - // If a retry budget is used in lieu of the max_retries circuit breaker, - // the remaining retry resources remaining will not be tracked. - bool track_remaining = 6; - - // The maximum number of connection pools per cluster that Envoy will concurrently support at - // once. If not specified, the default is unlimited. Set this for clusters which create a - // large number of connection pools. See - // :ref:`Circuit Breaking ` for - // more details. - google.protobuf.UInt32Value max_connection_pools = 7; - } - - // If multiple :ref:`Thresholds` - // are defined with the same :ref:`RoutingPriority`, - // the first one in the list is used. 
If no Thresholds is defined for a given - // :ref:`RoutingPriority`, the default values - // are used. - repeated Thresholds thresholds = 1; -} diff --git a/api/envoy/config/cluster/v4alpha/cluster.proto b/api/envoy/config/cluster/v4alpha/cluster.proto deleted file mode 100644 index 1fabdbe707cd..000000000000 --- a/api/envoy/config/cluster/v4alpha/cluster.proto +++ /dev/null 
@@ -1,1043 +0,0 @@ -syntax = "proto3"; - -package envoy.config.cluster.v4alpha; - -import "envoy/config/cluster/v4alpha/circuit_breaker.proto"; -import "envoy/config/cluster/v4alpha/filter.proto"; -import "envoy/config/cluster/v4alpha/outlier_detection.proto"; -import "envoy/config/core/v4alpha/address.proto"; -import "envoy/config/core/v4alpha/base.proto"; -import "envoy/config/core/v4alpha/config_source.proto"; -import "envoy/config/core/v4alpha/extension.proto"; -import "envoy/config/core/v4alpha/health_check.proto"; -import "envoy/config/core/v4alpha/resolver.proto"; -import "envoy/config/endpoint/v4alpha/endpoint.proto"; -import "envoy/type/v3/percent.proto"; - -import "google/protobuf/any.proto"; -import "google/protobuf/duration.proto"; -import "google/protobuf/struct.proto"; -import "google/protobuf/wrappers.proto"; - -import "xds/core/v3/collection_entry.proto"; - -import "udpa/annotations/security.proto"; -import "udpa/annotations/status.proto"; -import "udpa/annotations/versioning.proto"; -import "validate/validate.proto"; - -option java_package = "io.envoyproxy.envoy.config.cluster.v4alpha"; -option java_outer_classname = "ClusterProto"; -option java_multiple_files = true; -option (udpa.annotations.file_status).package_version_status = NEXT_MAJOR_VERSION_CANDIDATE; - -// [#protodoc-title: Cluster configuration] - -// Cluster list collections. Entries are *Cluster* resources or references. -// [#not-implemented-hide:] -message ClusterCollection { - option (udpa.annotations.versioning).previous_message_type = - "envoy.config.cluster.v3.ClusterCollection"; - - xds.core.v3.CollectionEntry entries = 1; -} - -// Configuration for a single upstream cluster. -// [#next-free-field: 56] -message Cluster { - option (udpa.annotations.versioning).previous_message_type = "envoy.config.cluster.v3.Cluster"; - - // Refer to :ref:`service discovery type ` - // for an explanation on each type. 
- enum DiscoveryType { - // Refer to the :ref:`static discovery type` - // for an explanation. - STATIC = 0; - - // Refer to the :ref:`strict DNS discovery - // type` - // for an explanation. - STRICT_DNS = 1; - - // Refer to the :ref:`logical DNS discovery - // type` - // for an explanation. - LOGICAL_DNS = 2; - - // Refer to the :ref:`service discovery type` - // for an explanation. - EDS = 3; - - // Refer to the :ref:`original destination discovery - // type` - // for an explanation. - ORIGINAL_DST = 4; - } - - // Refer to :ref:`load balancer type ` architecture - // overview section for information on each type. - enum LbPolicy { - reserved 4; - - reserved "ORIGINAL_DST_LB"; - - // Refer to the :ref:`round robin load balancing - // policy` - // for an explanation. - ROUND_ROBIN = 0; - - // Refer to the :ref:`least request load balancing - // policy` - // for an explanation. - LEAST_REQUEST = 1; - - // Refer to the :ref:`ring hash load balancing - // policy` - // for an explanation. - RING_HASH = 2; - - // Refer to the :ref:`random load balancing - // policy` - // for an explanation. - RANDOM = 3; - - // Refer to the :ref:`Maglev load balancing policy` - // for an explanation. - MAGLEV = 5; - - // This load balancer type must be specified if the configured cluster provides a cluster - // specific load balancer. Consult the configured cluster's documentation for whether to set - // this option or not. - CLUSTER_PROVIDED = 6; - - // Use the new :ref:`load_balancing_policy - // ` field to determine the LB policy. - // [#next-major-version: In the v3 API, we should consider deprecating the lb_policy field - // and instead using the new load_balancing_policy field as the one and only mechanism for - // configuring this.] - LOAD_BALANCING_POLICY_CONFIG = 7; - } - - // When V4_ONLY is selected, the DNS resolver will only perform a lookup for - // addresses in the IPv4 family. 
If V6_ONLY is selected, the DNS resolver will - // only perform a lookup for addresses in the IPv6 family. If AUTO is - // specified, the DNS resolver will first perform a lookup for addresses in - // the IPv6 family and fallback to a lookup for addresses in the IPv4 family. - // For cluster types other than - // :ref:`STRICT_DNS` and - // :ref:`LOGICAL_DNS`, - // this setting is - // ignored. - enum DnsLookupFamily { - AUTO = 0; - V4_ONLY = 1; - V6_ONLY = 2; - } - - enum ClusterProtocolSelection { - // Cluster can only operate on one of the possible upstream protocols (HTTP1.1, HTTP2). - // If :ref:`http2_protocol_options ` are - // present, HTTP2 will be used, otherwise HTTP1.1 will be used. - USE_CONFIGURED_PROTOCOL = 0; - - // Use HTTP1.1 or HTTP2, depending on which one is used on the downstream connection. - USE_DOWNSTREAM_PROTOCOL = 1; - } - - // TransportSocketMatch specifies what transport socket config will be used - // when the match conditions are satisfied. - message TransportSocketMatch { - option (udpa.annotations.versioning).previous_message_type = - "envoy.config.cluster.v3.Cluster.TransportSocketMatch"; - - // The name of the match, used in stats generation. - string name = 1 [(validate.rules).string = {min_len: 1}]; - - // Optional endpoint metadata match criteria. - // The connection to the endpoint with metadata matching what is set in this field - // will use the transport socket configuration specified here. - // The endpoint's metadata entry in *envoy.transport_socket_match* is used to match - // against the values specified in this field. - google.protobuf.Struct match = 2; - - // The configuration of the transport socket. - // [#extension-category: envoy.transport_sockets.upstream] - core.v4alpha.TransportSocket transport_socket = 3; - } - - // Extended cluster type. 
- message CustomClusterType { - option (udpa.annotations.versioning).previous_message_type = - "envoy.config.cluster.v3.Cluster.CustomClusterType"; - - // The type of the cluster to instantiate. The name must match a supported cluster type. - string name = 1 [(validate.rules).string = {min_len: 1}]; - - // Cluster specific configuration which depends on the cluster being instantiated. - // See the supported cluster for further documentation. - // [#extension-category: envoy.clusters] - google.protobuf.Any typed_config = 2; - } - - // Only valid when discovery type is EDS. - message EdsClusterConfig { - option (udpa.annotations.versioning).previous_message_type = - "envoy.config.cluster.v3.Cluster.EdsClusterConfig"; - - // Configuration for the source of EDS updates for this Cluster. - core.v4alpha.ConfigSource eds_config = 1; - - // Optional alternative to cluster name to present to EDS. This does not - // have the same restrictions as cluster name, i.e. it may be arbitrary - // length. This may be a xdstp:// URL. - string service_name = 2; - } - - // Optionally divide the endpoints in this cluster into subsets defined by - // endpoint metadata and selected by route and weighted cluster metadata. - // [#next-free-field: 8] - message LbSubsetConfig { - option (udpa.annotations.versioning).previous_message_type = - "envoy.config.cluster.v3.Cluster.LbSubsetConfig"; - - // If NO_FALLBACK is selected, a result - // equivalent to no healthy hosts is reported. If ANY_ENDPOINT is selected, - // any cluster endpoint may be returned (subject to policy, health checks, - // etc). If DEFAULT_SUBSET is selected, load balancing is performed over the - // endpoints matching the values from the default_subset field. - enum LbSubsetFallbackPolicy { - NO_FALLBACK = 0; - ANY_ENDPOINT = 1; - DEFAULT_SUBSET = 2; - } - - // Specifications for subsets. 
- message LbSubsetSelector { - option (udpa.annotations.versioning).previous_message_type = - "envoy.config.cluster.v3.Cluster.LbSubsetConfig.LbSubsetSelector"; - - // Allows to override top level fallback policy per selector. - enum LbSubsetSelectorFallbackPolicy { - // If NOT_DEFINED top level config fallback policy is used instead. - NOT_DEFINED = 0; - - // If NO_FALLBACK is selected, a result equivalent to no healthy hosts is reported. - NO_FALLBACK = 1; - - // If ANY_ENDPOINT is selected, any cluster endpoint may be returned - // (subject to policy, health checks, etc). - ANY_ENDPOINT = 2; - - // If DEFAULT_SUBSET is selected, load balancing is performed over the - // endpoints matching the values from the default_subset field. - DEFAULT_SUBSET = 3; - - // If KEYS_SUBSET is selected, subset selector matching is performed again with metadata - // keys reduced to - // :ref:`fallback_keys_subset`. - // It allows for a fallback to a different, less specific selector if some of the keys of - // the selector are considered optional. - KEYS_SUBSET = 4; - } - - // List of keys to match with the weighted cluster metadata. - repeated string keys = 1; - - // Selects a mode of operation in which each subset has only one host. This mode uses the same rules for - // choosing a host, but updating hosts is faster, especially for large numbers of hosts. - // - // If a match is found to a host, that host will be used regardless of priority levels, unless the host is unhealthy. - // - // Currently, this mode is only supported if `subset_selectors` has only one entry, and `keys` contains - // only one entry. - // - // When this mode is enabled, configurations that contain more than one host with the same metadata value for the single key in `keys` - // will use only one of the hosts with the given key; no requests will be routed to the others. 
The cluster gauge - // :ref:`lb_subsets_single_host_per_subset_duplicate` indicates how many duplicates are - // present in the current configuration. - bool single_host_per_subset = 4; - - // The behavior used when no endpoint subset matches the selected route's - // metadata. - LbSubsetSelectorFallbackPolicy fallback_policy = 2 - [(validate.rules).enum = {defined_only: true}]; - - // Subset of - // :ref:`keys` used by - // :ref:`KEYS_SUBSET` - // fallback policy. - // It has to be a non empty list if KEYS_SUBSET fallback policy is selected. - // For any other fallback policy the parameter is not used and should not be set. - // Only values also present in - // :ref:`keys` are allowed, but - // `fallback_keys_subset` cannot be equal to `keys`. - repeated string fallback_keys_subset = 3; - } - - // The behavior used when no endpoint subset matches the selected route's - // metadata. The value defaults to - // :ref:`NO_FALLBACK`. - LbSubsetFallbackPolicy fallback_policy = 1 [(validate.rules).enum = {defined_only: true}]; - - // Specifies the default subset of endpoints used during fallback if - // fallback_policy is - // :ref:`DEFAULT_SUBSET`. - // Each field in default_subset is - // compared to the matching LbEndpoint.Metadata under the *envoy.lb* - // namespace. It is valid for no hosts to match, in which case the behavior - // is the same as a fallback_policy of - // :ref:`NO_FALLBACK`. - google.protobuf.Struct default_subset = 2; - - // For each entry, LbEndpoint.Metadata's - // *envoy.lb* namespace is traversed and a subset is created for each unique - // combination of key and value. For example: - // - // .. code-block:: json - // - // { "subset_selectors": [ - // { "keys": [ "version" ] }, - // { "keys": [ "stage", "hardware_type" ] } - // ]} - // - // A subset is matched when the metadata from the selected route and - // weighted cluster contains the same keys and values as the subset's - // metadata. The same host may appear in multiple subsets. 
- repeated LbSubsetSelector subset_selectors = 3;
-
- // If true, routing to subsets will take into account the localities and locality weights of the
- // endpoints when making the routing decision.
- //
- // There are some potential pitfalls associated with enabling this feature, as the resulting
- // traffic split after applying both a subset match and locality weights might be undesirable.
- //
- // Consider for example a situation in which you have 50/50 split across two localities X/Y
- // which have 100 hosts each without subsetting. If the subset LB results in X having only 1
- // host selected but Y having 100, then a lot more load is being dumped on the single host in X
- // than originally anticipated in the load balancing assignment delivered via EDS.
- bool locality_weight_aware = 4;
-
- // When used with locality_weight_aware, scales the weight of each locality by the ratio
- // of hosts in the subset vs hosts in the original subset. This aims to even out the load
- // going to an individual locality if said locality is disproportionately affected by the
- // subset predicate.
- bool scale_locality_weight = 5;
-
- // If true, when a fallback policy is configured and its corresponding subset fails to find
- // a host this will cause any host to be selected instead.
- //
- // This is useful when using the default subset as the fallback policy, given the default
- // subset might become empty. With this option enabled, if that happens the LB will attempt
- // to select a host from the entire cluster.
- bool panic_mode_any = 6;
-
- // If true, metadata specified for a metadata key will be matched against the corresponding
- // endpoint metadata if the endpoint metadata matches the value exactly OR it is a list value
- // and any of the elements in the list matches the criteria.
- bool list_as_any = 7;
- }
-
- // Specific configuration for the LeastRequest load balancing policy.
- message LeastRequestLbConfig {
- option (udpa.annotations.versioning).previous_message_type =
- "envoy.config.cluster.v3.Cluster.LeastRequestLbConfig";
-
- // The number of random healthy hosts from which the host with the fewest active requests will
- // be chosen. Defaults to 2 so that we perform two-choice selection if the field is not set.
- google.protobuf.UInt32Value choice_count = 1 [(validate.rules).uint32 = {gte: 2}];
-
- // The following formula is used to calculate the dynamic weights when hosts have different load
- // balancing weights:
- //
- // `weight = load_balancing_weight / (active_requests + 1)^active_request_bias`
- //
- // The larger the active request bias is, the more aggressively active requests will lower the
- // effective weight when all host weights are not equal.
- //
- // `active_request_bias` must be greater than or equal to 0.0.
- //
- // When `active_request_bias == 0.0` the Least Request Load Balancer doesn't consider the number
- // of active requests at the time it picks a host and behaves like the Round Robin Load
- // Balancer.
- //
- // When `active_request_bias > 0.0` the Least Request Load Balancer scales the load balancing
- // weight by the number of active requests at the time it does a pick.
- //
- // The value is cached for performance reasons and refreshed whenever one of the Load Balancer's
- // host sets changes, e.g., whenever there is a host membership update or a host load balancing
- // weight change.
- //
- // .. note::
- // This setting only takes effect if all host weights are not equal.
- core.v4alpha.RuntimeDouble active_request_bias = 2;
- }
-
- // Specific configuration for the :ref:`RingHash`
- // load balancing policy.
- message RingHashLbConfig {
- option (udpa.annotations.versioning).previous_message_type =
- "envoy.config.cluster.v3.Cluster.RingHashLbConfig";
-
- // The hash function used to hash hosts onto the ketama ring.
- enum HashFunction {
- // Use `xxHash `_, this is the default hash function.
- XX_HASH = 0;
-
- // Use `MurmurHash2 `_, this is compatible with
- // std:hash in GNU libstdc++ 3.4.20 or above. This is typically the case when compiled
- // on Linux and not macOS.
- MURMUR_HASH_2 = 1;
- }
-
- reserved 2;
-
- // Minimum hash ring size. The larger the ring is (that is, the more hashes there are for each
- // provided host) the better the request distribution will reflect the desired weights. Defaults
- // to 1024 entries, and limited to 8M entries. See also
- // :ref:`maximum_ring_size`.
- google.protobuf.UInt64Value minimum_ring_size = 1 [(validate.rules).uint64 = {lte: 8388608}];
-
- // The hash function used to hash hosts onto the ketama ring. The value defaults to
- // :ref:`XX_HASH`.
- HashFunction hash_function = 3 [(validate.rules).enum = {defined_only: true}];
-
- // Maximum hash ring size. Defaults to 8M entries, and limited to 8M entries, but can be lowered
- // to further constrain resource use. See also
- // :ref:`minimum_ring_size`.
- google.protobuf.UInt64Value maximum_ring_size = 4 [(validate.rules).uint64 = {lte: 8388608}];
- }
-
- // Specific configuration for the :ref:`Maglev`
- // load balancing policy.
- message MaglevLbConfig {
- option (udpa.annotations.versioning).previous_message_type =
- "envoy.config.cluster.v3.Cluster.MaglevLbConfig";
-
- // The table size for Maglev hashing. The Maglev aims for ‘minimal disruption’ rather than an absolute guarantee.
- // Minimal disruption means that when the set of upstreams changes, a connection will likely be sent to the same
- // upstream as it was before. Increasing the table size reduces the amount of disruption.
- // The table size must be prime number limited to 5000011. If it is not specified, the default is 65537.
- google.protobuf.UInt64Value table_size = 1 [(validate.rules).uint64 = {lte: 5000011}];
- }
-
- // Specific configuration for the
- // :ref:`Original Destination `
- // load balancing policy.
- message OriginalDstLbConfig {
- option (udpa.annotations.versioning).previous_message_type =
- "envoy.config.cluster.v3.Cluster.OriginalDstLbConfig";
-
- // When true, :ref:`x-envoy-original-dst-host
- // ` can be used to override destination
- // address.
- //
- // .. attention::
- //
- // This header isn't sanitized by default, so enabling this feature allows HTTP clients to
- // route traffic to arbitrary hosts and/or ports, which may have serious security
- // consequences.
- //
- // .. note::
- //
- // If the header appears multiple times only the first value is used.
- bool use_http_header = 1;
- }
-
- // Common configuration for all load balancer implementations.
- // [#next-free-field: 8]
- message CommonLbConfig {
- option (udpa.annotations.versioning).previous_message_type =
- "envoy.config.cluster.v3.Cluster.CommonLbConfig";
-
- // Configuration for :ref:`zone aware routing
- // `.
- message ZoneAwareLbConfig {
- option (udpa.annotations.versioning).previous_message_type =
- "envoy.config.cluster.v3.Cluster.CommonLbConfig.ZoneAwareLbConfig";
-
- // Configures percentage of requests that will be considered for zone aware routing
- // if zone aware routing is configured. If not specified, the default is 100%.
- // * :ref:`runtime values `.
- // * :ref:`Zone aware routing support `.
- type.v3.Percent routing_enabled = 1;
-
- // Configures minimum upstream cluster size required for zone aware routing
- // If upstream cluster size is less than specified, zone aware routing is not performed
- // even if zone aware routing is configured. If not specified, the default is 6.
- // * :ref:`runtime values `.
- // * :ref:`Zone aware routing support `.
- google.protobuf.UInt64Value min_cluster_size = 2;
-
- // If set to true, Envoy will not consider any hosts when the cluster is in :ref:`panic
- // mode`. Instead, the cluster will fail all
- // requests as if all hosts are unhealthy. This can help avoid potentially overwhelming a
- // failing service.
- bool fail_traffic_on_panic = 3;
- }
-
- // Configuration for :ref:`locality weighted load balancing
- // `
- message LocalityWeightedLbConfig {
- option (udpa.annotations.versioning).previous_message_type =
- "envoy.config.cluster.v3.Cluster.CommonLbConfig.LocalityWeightedLbConfig";
- }
-
- // Common Configuration for all consistent hashing load balancers (MaglevLb, RingHashLb, etc.)
- message ConsistentHashingLbConfig {
- option (udpa.annotations.versioning).previous_message_type =
- "envoy.config.cluster.v3.Cluster.CommonLbConfig.ConsistentHashingLbConfig";
-
- // If set to `true`, the cluster will use hostname instead of the resolved
- // address as the key to consistently hash to an upstream host. Only valid for StrictDNS clusters with hostnames which resolve to a single IP address.
- bool use_hostname_for_hashing = 1;
-
- // Configures percentage of average cluster load to bound per upstream host. For example, with a value of 150
- // no upstream host will get a load more than 1.5 times the average load of all the hosts in the cluster.
- // If not specified, the load is not bounded for any upstream host. Typical value for this parameter is between 120 and 200.
- // Minimum is 100.
- //
- // Applies to both Ring Hash and Maglev load balancers.
- //
- // This is implemented based on the method described in the paper https://arxiv.org/abs/1608.01350. For the specified
- // `hash_balance_factor`, requests to any upstream host are capped at `hash_balance_factor/100` times the average number of requests
- // across the cluster. When a request arrives for an upstream host that is currently serving at its max capacity, linear probing
- // is used to identify an eligible host. Further, the linear probe is implemented using a random jump in hosts ring/table to identify
- // the eligible host (this technique is as described in the paper https://arxiv.org/abs/1908.08762 - the random jump avoids the
- // cascading overflow effect when choosing the next host in the ring/table).
- //
- // If weights are specified on the hosts, they are respected.
- //
- // This is an O(N) algorithm, unlike other load balancers. Using a lower `hash_balance_factor` results in more hosts
- // being probed, so use a higher value if you require better performance.
- google.protobuf.UInt32Value hash_balance_factor = 2 [(validate.rules).uint32 = {gte: 100}];
- }
-
- // Configures the :ref:`healthy panic threshold `.
- // If not specified, the default is 50%.
- // To disable panic mode, set to 0%.
- //
- // .. note::
- // The specified percent will be truncated to the nearest 1%.
- type.v3.Percent healthy_panic_threshold = 1;
-
- oneof locality_config_specifier {
- ZoneAwareLbConfig zone_aware_lb_config = 2;
-
- LocalityWeightedLbConfig locality_weighted_lb_config = 3;
- }
-
- // If set, all health check/weight/metadata updates that happen within this duration will be
- // merged and delivered in one shot when the duration expires. The start of the duration is when
- // the first update happens. This is useful for big clusters, with potentially noisy deploys
- // that might trigger excessive CPU usage due to a constant stream of healthcheck state changes
- // or metadata updates. The first set of updates to be seen apply immediately (e.g.: a new
- // cluster). Please always keep in mind that the use of sandbox technologies may change this
- // behavior.
- //
- // If this is not set, we default to a merge window of 1000ms. To disable it, set the merge
- // window to 0.
- //
- // Note: merging does not apply to cluster membership changes (e.g.: adds/removes); this is
- // because merging those updates isn't currently safe. See
- // https://github.com/envoyproxy/envoy/pull/3941.
- google.protobuf.Duration update_merge_window = 4;
-
- // If set to true, Envoy will :ref:`exclude ` new hosts
- // when computing load balancing weights until they have been health checked for the first time.
- // This will have no effect unless active health checking is also configured.
- bool ignore_new_hosts_until_first_hc = 5;
-
- // If set to `true`, the cluster manager will drain all existing
- // connections to upstream hosts whenever hosts are added or removed from the cluster.
- bool close_connections_on_host_set_change = 6;
-
- // Common Configuration for all consistent hashing load balancers (MaglevLb, RingHashLb, etc.)
- ConsistentHashingLbConfig consistent_hashing_lb_config = 7;
- }
-
- message RefreshRate {
- option (udpa.annotations.versioning).previous_message_type =
- "envoy.config.cluster.v3.Cluster.RefreshRate";
-
- // Specifies the base interval between refreshes. This parameter is required and must be greater
- // than zero and less than
- // :ref:`max_interval `.
- google.protobuf.Duration base_interval = 1 [(validate.rules).duration = {
- required: true
- gt {nanos: 1000000}
- }];
-
- // Specifies the maximum interval between refreshes. This parameter is optional, but must be
- // greater than or equal to the
- // :ref:`base_interval ` if set. The default
- // is 10 times the :ref:`base_interval `.
- google.protobuf.Duration max_interval = 2 [(validate.rules).duration = {gt {nanos: 1000000}}];
- }
-
- message PreconnectPolicy {
- option (udpa.annotations.versioning).previous_message_type =
- "envoy.config.cluster.v3.Cluster.PreconnectPolicy";
-
- // Indicates how many streams (rounded up) can be anticipated per-upstream for each
- // incoming stream. This is useful for high-QPS or latency-sensitive services. Preconnecting
- // will only be done if the upstream is healthy and the cluster has traffic.
- //
- // For example if this is 2, for an incoming HTTP/1.1 stream, 2 connections will be
- // established, one for the new incoming stream, and one for a presumed follow-up stream. For
- // HTTP/2, only one connection would be established by default as one connection can
- // serve both the original and presumed follow-up stream.
- //
- // In steady state for non-multiplexed connections a value of 1.5 would mean if there were 100
- // active streams, there would be 100 connections in use, and 50 connections preconnected.
- // This might be a useful value for something like short lived single-use connections,
- // for example proxying HTTP/1.1 if keep-alive were false and each stream resulted in connection
- // termination. It would likely be overkill for long lived connections, such as TCP proxying SMTP
- // or regular HTTP/1.1 with keep-alive. For long lived traffic, a value of 1.05 would be more
- // reasonable, where for every 100 connections, 5 preconnected connections would be in the queue
- // in case of unexpected disconnects where the connection could not be reused.
- //
- // If this value is not set, or set explicitly to one, Envoy will fetch as many connections
- // as needed to serve streams in flight. This means in steady state if a connection is torn down,
- // a subsequent streams will pay an upstream-rtt latency penalty waiting for a new connection.
- //
- // This is limited somewhat arbitrarily to 3 because preconnecting too aggressively can
- // harm latency more than the preconnecting helps.
- google.protobuf.DoubleValue per_upstream_preconnect_ratio = 1
- [(validate.rules).double = {lte: 3.0 gte: 1.0}];
-
- // Indicates how many many streams (rounded up) can be anticipated across a cluster for each
- // stream, useful for low QPS services. This is currently supported for a subset of
- // deterministic non-hash-based load-balancing algorithms (weighted round robin, random).
- // Unlike *per_upstream_preconnect_ratio* this preconnects across the upstream instances in a
- // cluster, doing best effort predictions of what upstream would be picked next and
- // pre-establishing a connection.
- //
- // Preconnecting will be limited to one preconnect per configured upstream in the cluster and will
- // only be done if there are healthy upstreams and the cluster has traffic.
- //
- // For example if preconnecting is set to 2 for a round robin HTTP/2 cluster, on the first
- // incoming stream, 2 connections will be preconnected - one to the first upstream for this
- // cluster, one to the second on the assumption there will be a follow-up stream.
- //
- // If this value is not set, or set explicitly to one, Envoy will fetch as many connections
- // as needed to serve streams in flight, so during warm up and in steady state if a connection
- // is closed (and per_upstream_preconnect_ratio is not set), there will be a latency hit for
- // connection establishment.
- //
- // If both this and preconnect_ratio are set, Envoy will make sure both predicted needs are met,
- // basically preconnecting max(predictive-preconnect, per-upstream-preconnect), for each
- // upstream.
- google.protobuf.DoubleValue predictive_preconnect_ratio = 2
- [(validate.rules).double = {lte: 3.0 gte: 1.0}];
- }
-
- reserved 12, 15, 7, 11, 35, 9, 46, 29, 13, 14, 18, 45, 26, 47;
-
- reserved "hosts", "tls_context", "extension_protocol_options", "max_requests_per_connection",
- "upstream_http_protocol_options", "common_http_protocol_options", "http_protocol_options",
- "http2_protocol_options", "dns_resolvers", "use_tcp_for_dns_lookups", "protocol_selection",
- "track_timeout_budgets";
-
- // Configuration to use different transport sockets for different endpoints.
- // The entry of *envoy.transport_socket_match* in the
- // :ref:`LbEndpoint.Metadata `
- // is used to match against the transport sockets as they appear in the list. The first
- // :ref:`match ` is used.
- // For example, with the following match
- //
- // .. code-block:: yaml
- //
- // transport_socket_matches:
- // - name: "enableMTLS"
- // match:
- // acceptMTLS: true
- // transport_socket:
- // name: envoy.transport_sockets.tls
- // config: { ... } # tls socket configuration
- // - name: "defaultToPlaintext"
- // match: {}
- // transport_socket:
- // name: envoy.transport_sockets.raw_buffer
- //
- // Connections to the endpoints whose metadata value under *envoy.transport_socket_match*
- // having "acceptMTLS"/"true" key/value pair use the "enableMTLS" socket configuration.
- //
- // If a :ref:`socket match ` with empty match
- // criteria is provided, that always match any endpoint. For example, the "defaultToPlaintext"
- // socket match in case above.
- //
- // If an endpoint metadata's value under *envoy.transport_socket_match* does not match any
- // *TransportSocketMatch*, socket configuration fallbacks to use the *tls_context* or
- // *transport_socket* specified in this cluster.
- //
- // This field allows gradual and flexible transport socket configuration changes.
- //
- // The metadata of endpoints in EDS can indicate transport socket capabilities. For example,
- // an endpoint's metadata can have two key value pairs as "acceptMTLS": "true",
- // "acceptPlaintext": "true". While some other endpoints, only accepting plaintext traffic
- // has "acceptPlaintext": "true" metadata information.
- //
- // Then the xDS server can configure the CDS to a client, Envoy A, to send mutual TLS
- // traffic for endpoints with "acceptMTLS": "true", by adding a corresponding
- // *TransportSocketMatch* in this field. Other client Envoys receive CDS without
- // *transport_socket_match* set, and still send plain text traffic to the same cluster.
- //
- // This field can be used to specify custom transport socket configurations for health
- // checks by adding matching key/value pairs in a health check's
- // :ref:`transport socket match criteria ` field.
- //
- // [#comment:TODO(incfly): add a detailed architecture doc on intended usage.]
- repeated TransportSocketMatch transport_socket_matches = 43;
-
- // Supplies the name of the cluster which must be unique across all clusters.
- // The cluster name is used when emitting
- // :ref:`statistics ` if :ref:`alt_stat_name
- // ` is not provided.
- // Any ``:`` in the cluster name will be converted to ``_`` when emitting statistics.
- string name = 1 [(validate.rules).string = {min_len: 1}];
-
- // An optional alternative to the cluster name to be used for observability. This name is used
- // emitting stats for the cluster and access logging the cluster name. This will appear as
- // additional information in configuration dumps of a cluster's current status as
- // :ref:`observability_name `
- // and as an additional tag "upstream_cluster.name" while tracing. Note: access logging using
- // this field is presently enabled with runtime feature
- // `envoy.reloadable_features.use_observable_cluster_name`. Any ``:`` in the name will be
- // converted to ``_`` when emitting statistics. This should not be confused with :ref:`Router
- // Filter Header `.
- string observability_name = 28;
-
- oneof cluster_discovery_type {
- // The :ref:`service discovery type `
- // to use for resolving the cluster.
- DiscoveryType type = 2 [(validate.rules).enum = {defined_only: true}];
-
- // The custom cluster type.
- CustomClusterType cluster_type = 38;
- }
-
- // Configuration to use for EDS updates for the Cluster.
- EdsClusterConfig eds_cluster_config = 3;
-
- // The timeout for new network connections to hosts in the cluster.
- // If not set, a default value of 5s will be used.
- google.protobuf.Duration connect_timeout = 4 [(validate.rules).duration = {gt {}}];
-
- // Soft limit on size of the cluster’s connections read and write buffers. If
- // unspecified, an implementation defined default is applied (1MiB).
- google.protobuf.UInt32Value per_connection_buffer_limit_bytes = 5
- [(udpa.annotations.security).configure_for_untrusted_upstream = true];
-
- // The :ref:`load balancer type ` to use
- // when picking a host in the cluster.
- LbPolicy lb_policy = 6 [(validate.rules).enum = {defined_only: true}];
-
- // Setting this is required for specifying members of
- // :ref:`STATIC`,
- // :ref:`STRICT_DNS`
- // or :ref:`LOGICAL_DNS` clusters.
- // This field supersedes the *hosts* field in the v2 API.
- //
- // .. attention::
- //
- // Setting this allows non-EDS cluster types to contain embedded EDS equivalent
- // :ref:`endpoint assignments`.
- //
- endpoint.v4alpha.ClusterLoadAssignment load_assignment = 33;
-
- // Optional :ref:`active health checking `
- // configuration for the cluster. If no
- // configuration is specified no health checking will be done and all cluster
- // members will be considered healthy at all times.
- repeated core.v4alpha.HealthCheck health_checks = 8;
-
- // Optional :ref:`circuit breaking ` for the cluster.
- CircuitBreakers circuit_breakers = 10;
-
- // The extension_protocol_options field is used to provide extension-specific protocol options
- // for upstream connections. The key should match the extension filter name, such as
- // "envoy.filters.network.thrift_proxy". See the extension's documentation for details on
- // specific options.
- // [#next-major-version: make this a list of typed extensions.]
- map typed_extension_protocol_options = 36;
-
- // If the DNS refresh rate is specified and the cluster type is either
- // :ref:`STRICT_DNS`,
- // or :ref:`LOGICAL_DNS`,
- // this value is used as the cluster’s DNS refresh
- // rate. The value configured must be at least 1ms. If this setting is not specified, the
- // value defaults to 5000ms. For cluster types other than
- // :ref:`STRICT_DNS`
- // and :ref:`LOGICAL_DNS`
- // this setting is ignored.
- google.protobuf.Duration dns_refresh_rate = 16
- [(validate.rules).duration = {gt {nanos: 1000000}}];
-
- // If the DNS failure refresh rate is specified and the cluster type is either
- // :ref:`STRICT_DNS`,
- // or :ref:`LOGICAL_DNS`,
- // this is used as the cluster’s DNS refresh rate when requests are failing. If this setting is
- // not specified, the failure refresh rate defaults to the DNS refresh rate. For cluster types
- // other than :ref:`STRICT_DNS` and
- // :ref:`LOGICAL_DNS` this setting is
- // ignored.
- RefreshRate dns_failure_refresh_rate = 44;
-
- // Optional configuration for setting cluster's DNS refresh rate. If the value is set to true,
- // cluster's DNS refresh rate will be set to resource record's TTL which comes from DNS
- // resolution.
- bool respect_dns_ttl = 39;
-
- // The DNS IP address resolution policy. If this setting is not specified, the
- // value defaults to
- // :ref:`AUTO`.
- DnsLookupFamily dns_lookup_family = 17 [(validate.rules).enum = {defined_only: true}];
-
- // DNS resolution configuration which includes the underlying dns resolver addresses and options.
- // *dns_resolution_config* will be deprecated once
- // :ref:'typed_dns_resolver_config '
- // is fully supported.
- core.v4alpha.DnsResolutionConfig dns_resolution_config = 53;
-
- // DNS resolver type configuration extension. This extension can be used to configure c-ares, apple,
- // or any other DNS resolver types and the related parameters.
- // For example, an object of :ref:`DnsResolutionConfig `
- // can be packed into this *typed_dns_resolver_config*. This configuration will replace the
- // :ref:'dns_resolution_config '
- // configuration eventually.
- // TODO(yanjunxiang): Investigate the deprecation plan for *dns_resolution_config*.
- // During the transition period when both *dns_resolution_config* and *typed_dns_resolver_config* exists,
- // this configuration is optional.
- // When *typed_dns_resolver_config* is in place, Envoy will use it and ignore *dns_resolution_config*.
- // When *typed_dns_resolver_config* is missing, the default behavior is in place.
- // [#not-implemented-hide:]
- core.v4alpha.TypedExtensionConfig typed_dns_resolver_config = 55;
-
- // Optional configuration for having cluster readiness block on warm-up. Currently, only applicable for
- // :ref:`STRICT_DNS`,
- // or :ref:`LOGICAL_DNS`.
- // If true, cluster readiness blocks on warm-up. If false, the cluster will complete
- // initialization whether or not warm-up has completed. Defaults to true.
- google.protobuf.BoolValue wait_for_warm_on_init = 54;
-
- // If specified, outlier detection will be enabled for this upstream cluster.
- // Each of the configuration values can be overridden via
- // :ref:`runtime values `.
- OutlierDetection outlier_detection = 19;
-
- // The interval for removing stale hosts from a cluster type
- // :ref:`ORIGINAL_DST`.
- // Hosts are considered stale if they have not been used
- // as upstream destinations during this interval. New hosts are added
- // to original destination clusters on demand as new connections are
- // redirected to Envoy, causing the number of hosts in the cluster to
- // grow over time. Hosts that are not stale (they are actively used as
- // destinations) are kept in the cluster, which allows connections to
- // them remain open, saving the latency that would otherwise be spent
- // on opening new connections. If this setting is not specified, the
- // value defaults to 5000ms. For cluster types other than
- // :ref:`ORIGINAL_DST`
- // this setting is ignored.
- google.protobuf.Duration cleanup_interval = 20 [(validate.rules).duration = {gt {}}];
-
- // Optional configuration used to bind newly established upstream connections.
- // This overrides any bind_config specified in the bootstrap proto.
- // If the address and port are empty, no bind will be performed.
- core.v4alpha.BindConfig upstream_bind_config = 21;
-
- // Configuration for load balancing subsetting.
- LbSubsetConfig lb_subset_config = 22;
-
- // Optional configuration for the load balancing algorithm selected by
- // LbPolicy. Currently only
- // :ref:`RING_HASH`,
- // :ref:`MAGLEV` and
- // :ref:`LEAST_REQUEST`
- // has additional configuration options.
- // Specifying ring_hash_lb_config or maglev_lb_config or least_request_lb_config without setting the corresponding
- // LbPolicy will generate an error at runtime.
- oneof lb_config {
- // Optional configuration for the Ring Hash load balancing policy.
- RingHashLbConfig ring_hash_lb_config = 23;
-
- // Optional configuration for the Maglev load balancing policy.
- MaglevLbConfig maglev_lb_config = 52;
-
- // Optional configuration for the Original Destination load balancing policy.
- OriginalDstLbConfig original_dst_lb_config = 34;
-
- // Optional configuration for the LeastRequest load balancing policy.
- LeastRequestLbConfig least_request_lb_config = 37;
- }
-
- // Common configuration for all load balancer implementations.
- CommonLbConfig common_lb_config = 27;
-
- // Optional custom transport socket implementation to use for upstream connections.
- // To setup TLS, set a transport socket with name `envoy.transport_sockets.tls` and
- // :ref:`UpstreamTlsContexts ` in the `typed_config`.
- // If no transport socket configuration is specified, new connections
- // will be set up with plaintext.
- core.v4alpha.TransportSocket transport_socket = 24;
-
- // The Metadata field can be used to provide additional information about the
- // cluster. It can be used for stats, logging, and varying filter behavior.
- // Fields should use reverse DNS notation to denote which entity within Envoy
- // will need the information. For instance, if the metadata is intended for
- // the Router filter, the filter name should be specified as *envoy.filters.http.router*.
- core.v4alpha.Metadata metadata = 25;
-
- // Optional options for upstream connections.
- UpstreamConnectionOptions upstream_connection_options = 30;
-
- // If an upstream host becomes unhealthy (as determined by the configured health checks
- // or outlier detection), immediately close all connections to the failed host.
- //
- // .. note::
- //
- // This is currently only supported for connections created by tcp_proxy.
- //
- // .. note::
- //
- // The current implementation of this feature closes all connections immediately when
- // the unhealthy status is detected. If there are a large number of connections open
- // to an upstream host that becomes unhealthy, Envoy may spend a substantial amount of
- // time exclusively closing these connections, and not processing any other traffic.
- bool close_connections_on_host_health_failure = 31;
-
- // If set to true, Envoy will ignore the health value of a host when processing its removal
- // from service discovery. This means that if active health checking is used, Envoy will *not*
- // wait for the endpoint to go unhealthy before removing it.
- bool ignore_health_on_host_removal = 32;
-
- // An (optional) network filter chain, listed in the order the filters should be applied.
- // The chain will be applied to all outgoing connections that Envoy makes to the upstream
- // servers of this cluster.
- repeated Filter filters = 40;
-
- // New mechanism for LB policy configuration. Used only if the
- // :ref:`lb_policy` field has the value
- // :ref:`LOAD_BALANCING_POLICY_CONFIG`.
- LoadBalancingPolicy load_balancing_policy = 41;
-
- // [#not-implemented-hide:]
- // If present, tells the client where to send load reports via LRS. If not present, the
- // client will fall back to a client-side default, which may be either (a) don't send any
- // load reports or (b) send load reports for all clusters to a single default server
- // (which may be configured in the bootstrap file).
- //
- // Note that if multiple clusters point to the same LRS server, the client may choose to
- // create a separate stream for each cluster or it may choose to coalesce the data for
- // multiple clusters onto a single stream. Either way, the client must make sure to send
- // the data for any given cluster on no more than one stream.
- //
- // [#next-major-version: In the v3 API, we should consider restructuring this somehow,
- // maybe by allowing LRS to go on the ADS stream, or maybe by moving some of the negotiation
- // from the LRS stream here.]
- core.v4alpha.ConfigSource lrs_server = 42;
-
- // Optional customization and configuration of upstream connection pool, and upstream type.
- //
- // Currently this field only applies for HTTP traffic but is designed for eventual use for custom
- // TCP upstreams.
- //
- // For HTTP traffic, Envoy will generally take downstream HTTP and send it upstream as upstream
- // HTTP, using the http connection pool and the codec from `http2_protocol_options`
- //
- // For routes where CONNECT termination is configured, Envoy will take downstream CONNECT
- // requests and forward the CONNECT payload upstream over raw TCP using the tcp connection pool.
- //
- // The default pool used is the generic connection pool which creates the HTTP upstream for most
- // HTTP requests, and the TCP upstream if CONNECT termination is configured.
- //
- // If users desire custom connection pool or upstream behavior, for example terminating
- // CONNECT only if a custom filter indicates it is appropriate, the custom factories
- // can be registered and configured here.
- // [#extension-category: envoy.upstreams] - core.v4alpha.TypedExtensionConfig upstream_config = 48; - - // Configuration to track optional cluster stats. - TrackClusterStats track_cluster_stats = 49; - - // Preconnect configuration for this cluster. - PreconnectPolicy preconnect_policy = 50; - - // If `connection_pool_per_downstream_connection` is true, the cluster will use a separate - // connection pool for every downstream connection - bool connection_pool_per_downstream_connection = 51; -} - -// Extensible load balancing policy configuration. -// -// Every LB policy defined via this mechanism will be identified via a unique name using reverse -// DNS notation. If the policy needs configuration parameters, it must define a message for its -// own configuration, which will be stored in the config field. The name of the policy will tell -// clients which type of message they should expect to see in the config field. -// -// Note that there are cases where it is useful to be able to independently select LB policies -// for choosing a locality and for choosing an endpoint within that locality. For example, a -// given deployment may always use the same policy to choose the locality, but for choosing the -// endpoint within the locality, some clusters may use weighted-round-robin, while others may -// use some sort of session-based balancing. -// -// This can be accomplished via hierarchical LB policies, where the parent LB policy creates a -// child LB policy for each locality. For each request, the parent chooses the locality and then -// delegates to the child policy for that locality to choose the endpoint within the locality. -// -// To facilitate this, the config message for the top-level LB policy may include a field of -// type LoadBalancingPolicy that specifies the child policy. 
-message LoadBalancingPolicy { - option (udpa.annotations.versioning).previous_message_type = - "envoy.config.cluster.v3.LoadBalancingPolicy"; - - message Policy { - option (udpa.annotations.versioning).previous_message_type = - "envoy.config.cluster.v3.LoadBalancingPolicy.Policy"; - - reserved 2, 1, 3; - - reserved "config", "name", "typed_config"; - - core.v4alpha.TypedExtensionConfig typed_extension_config = 4; - } - - // Each client will iterate over the list in order and stop at the first policy that it - // supports. This provides a mechanism for starting to use new LB policies that are not yet - // supported by all clients. - repeated Policy policies = 1; -} - -// An extensible structure containing the address Envoy should bind to when -// establishing upstream connections. -message UpstreamBindConfig { - option (udpa.annotations.versioning).previous_message_type = - "envoy.config.cluster.v3.UpstreamBindConfig"; - - // The address Envoy should bind to when establishing upstream connections. - core.v4alpha.Address source_address = 1; -} - -message UpstreamConnectionOptions { - option (udpa.annotations.versioning).previous_message_type = - "envoy.config.cluster.v3.UpstreamConnectionOptions"; - - // If set then set SO_KEEPALIVE on the socket to enable TCP Keepalives. - core.v4alpha.TcpKeepalive tcp_keepalive = 1; -} - -message TrackClusterStats { - option (udpa.annotations.versioning).previous_message_type = - "envoy.config.cluster.v3.TrackClusterStats"; - - // If timeout_budgets is true, the :ref:`timeout budget histograms - // ` will be published for each - // request. These show what percentage of a request's per try and global timeout was used. A value - // of 0 would indicate that none of the timeout was used or that the timeout was infinite. A value - // of 100 would indicate that the request took the entirety of the timeout given to it. 
- bool timeout_budgets = 1; - - // If request_response_sizes is true, then the :ref:`histograms - // ` tracking header and body sizes - // of requests and responses will be published. - bool request_response_sizes = 2; -} diff --git a/api/envoy/config/cluster/v4alpha/filter.proto b/api/envoy/config/cluster/v4alpha/filter.proto deleted file mode 100644 index d478fd34f1c7..000000000000 --- a/api/envoy/config/cluster/v4alpha/filter.proto +++ /dev/null @@ -1,30 +0,0 @@ -syntax = "proto3"; - -package envoy.config.cluster.v4alpha; - -import "google/protobuf/any.proto"; - -import "udpa/annotations/status.proto"; -import "udpa/annotations/versioning.proto"; -import "validate/validate.proto"; - -option java_package = "io.envoyproxy.envoy.config.cluster.v4alpha"; -option java_outer_classname = "FilterProto"; -option java_multiple_files = true; -option (udpa.annotations.file_status).package_version_status = NEXT_MAJOR_VERSION_CANDIDATE; - -// [#protodoc-title: Upstream filters] -// Upstream filters apply to the connections to the upstream cluster hosts. - -message Filter { - option (udpa.annotations.versioning).previous_message_type = "envoy.config.cluster.v3.Filter"; - - // The name of the filter to instantiate. The name must match a - // supported upstream filter. Note that Envoy's :ref:`downstream network - // filters ` are not valid upstream filters. - string name = 1 [(validate.rules).string = {min_len: 1}]; - - // Filter specific configuration which depends on the filter being - // instantiated. See the supported filters for further documentation. - google.protobuf.Any typed_config = 2; -} diff --git a/api/envoy/config/cluster/v4alpha/outlier_detection.proto b/api/envoy/config/cluster/v4alpha/outlier_detection.proto deleted file mode 100644 index a64c4b42247f..000000000000 --- a/api/envoy/config/cluster/v4alpha/outlier_detection.proto +++ /dev/null 
@@ -1,157 +0,0 @@ -syntax = "proto3"; - -package envoy.config.cluster.v4alpha; - -import "google/protobuf/duration.proto"; -import "google/protobuf/wrappers.proto"; - -import "udpa/annotations/status.proto"; -import "udpa/annotations/versioning.proto"; -import "validate/validate.proto"; - -option java_package = "io.envoyproxy.envoy.config.cluster.v4alpha"; -option java_outer_classname = "OutlierDetectionProto"; -option java_multiple_files = true; -option (udpa.annotations.file_status).package_version_status = NEXT_MAJOR_VERSION_CANDIDATE; - -// [#protodoc-title: Outlier detection] - -// See the :ref:`architecture overview ` for -// more information on outlier detection. -// [#next-free-field: 22] -message OutlierDetection { - option (udpa.annotations.versioning).previous_message_type = - "envoy.config.cluster.v3.OutlierDetection"; - - // The number of consecutive 5xx responses or local origin errors that are mapped - // to 5xx error codes before a consecutive 5xx ejection - // occurs. Defaults to 5. - google.protobuf.UInt32Value consecutive_5xx = 1; - - // The time interval between ejection analysis sweeps. This can result in - // both new ejections as well as hosts being returned to service. Defaults - // to 10000ms or 10s. - google.protobuf.Duration interval = 2 [(validate.rules).duration = {gt {}}]; - - // The base time that a host is ejected for. The real time is equal to the - // base time multiplied by the number of times the host has been ejected and is - // capped by :ref:`max_ejection_time`. - // Defaults to 30000ms or 30s. - google.protobuf.Duration base_ejection_time = 3 [(validate.rules).duration = {gt {}}]; - - // The maximum % of an upstream cluster that can be ejected due to outlier - // detection. Defaults to 10% but will eject at least one host regardless of the value. 
- google.protobuf.UInt32Value max_ejection_percent = 4 [(validate.rules).uint32 = {lte: 100}]; - - // The % chance that a host will be actually ejected when an outlier status - // is detected through consecutive 5xx. This setting can be used to disable - // ejection or to ramp it up slowly. Defaults to 100. - google.protobuf.UInt32Value enforcing_consecutive_5xx = 5 [(validate.rules).uint32 = {lte: 100}]; - - // The % chance that a host will be actually ejected when an outlier status - // is detected through success rate statistics. This setting can be used to - // disable ejection or to ramp it up slowly. Defaults to 100. - google.protobuf.UInt32Value enforcing_success_rate = 6 [(validate.rules).uint32 = {lte: 100}]; - - // The number of hosts in a cluster that must have enough request volume to - // detect success rate outliers. If the number of hosts is less than this - // setting, outlier detection via success rate statistics is not performed - // for any host in the cluster. Defaults to 5. - google.protobuf.UInt32Value success_rate_minimum_hosts = 7; - - // The minimum number of total requests that must be collected in one - // interval (as defined by the interval duration above) to include this host - // in success rate based outlier detection. If the volume is lower than this - // setting, outlier detection via success rate statistics is not performed - // for that host. Defaults to 100. - google.protobuf.UInt32Value success_rate_request_volume = 8; - - // This factor is used to determine the ejection threshold for success rate - // outlier ejection. The ejection threshold is the difference between the - // mean success rate, and the product of this factor and the standard - // deviation of the mean success rate: mean - (stdev * - // success_rate_stdev_factor). This factor is divided by a thousand to get a - // double. That is, if the desired factor is 1.9, the runtime value should - // be 1900. Defaults to 1900. 
- google.protobuf.UInt32Value success_rate_stdev_factor = 9; - - // The number of consecutive gateway failures (502, 503, 504 status codes) - // before a consecutive gateway failure ejection occurs. Defaults to 5. - google.protobuf.UInt32Value consecutive_gateway_failure = 10; - - // The % chance that a host will be actually ejected when an outlier status - // is detected through consecutive gateway failures. This setting can be - // used to disable ejection or to ramp it up slowly. Defaults to 0. - google.protobuf.UInt32Value enforcing_consecutive_gateway_failure = 11 - [(validate.rules).uint32 = {lte: 100}]; - - // Determines whether to distinguish local origin failures from external errors. If set to true - // the following configuration parameters are taken into account: - // :ref:`consecutive_local_origin_failure`, - // :ref:`enforcing_consecutive_local_origin_failure` - // and - // :ref:`enforcing_local_origin_success_rate`. - // Defaults to false. - bool split_external_local_origin_errors = 12; - - // The number of consecutive locally originated failures before ejection - // occurs. Defaults to 5. Parameter takes effect only when - // :ref:`split_external_local_origin_errors` - // is set to true. - google.protobuf.UInt32Value consecutive_local_origin_failure = 13; - - // The % chance that a host will be actually ejected when an outlier status - // is detected through consecutive locally originated failures. This setting can be - // used to disable ejection or to ramp it up slowly. Defaults to 100. - // Parameter takes effect only when - // :ref:`split_external_local_origin_errors` - // is set to true. - google.protobuf.UInt32Value enforcing_consecutive_local_origin_failure = 14 - [(validate.rules).uint32 = {lte: 100}]; - - // The % chance that a host will be actually ejected when an outlier status - // is detected through success rate statistics for locally originated errors. - // This setting can be used to disable ejection or to ramp it up slowly. 
Defaults to 100. - // Parameter takes effect only when - // :ref:`split_external_local_origin_errors` - // is set to true. - google.protobuf.UInt32Value enforcing_local_origin_success_rate = 15 - [(validate.rules).uint32 = {lte: 100}]; - - // The failure percentage to use when determining failure percentage-based outlier detection. If - // the failure percentage of a given host is greater than or equal to this value, it will be - // ejected. Defaults to 85. - google.protobuf.UInt32Value failure_percentage_threshold = 16 - [(validate.rules).uint32 = {lte: 100}]; - - // The % chance that a host will be actually ejected when an outlier status is detected through - // failure percentage statistics. This setting can be used to disable ejection or to ramp it up - // slowly. Defaults to 0. - // - // [#next-major-version: setting this without setting failure_percentage_threshold should be - // invalid in v4.] - google.protobuf.UInt32Value enforcing_failure_percentage = 17 - [(validate.rules).uint32 = {lte: 100}]; - - // The % chance that a host will be actually ejected when an outlier status is detected through - // local-origin failure percentage statistics. This setting can be used to disable ejection or to - // ramp it up slowly. Defaults to 0. - google.protobuf.UInt32Value enforcing_failure_percentage_local_origin = 18 - [(validate.rules).uint32 = {lte: 100}]; - - // The minimum number of hosts in a cluster in order to perform failure percentage-based ejection. - // If the total number of hosts in the cluster is less than this value, failure percentage-based - // ejection will not be performed. Defaults to 5. - google.protobuf.UInt32Value failure_percentage_minimum_hosts = 19; - - // The minimum number of total requests that must be collected in one interval (as defined by the - // interval duration above) to perform failure percentage-based ejection for this host. 
If the - // volume is lower than this setting, failure percentage-based ejection will not be performed for - // this host. Defaults to 50. - google.protobuf.UInt32Value failure_percentage_request_volume = 20; - - // The maximum time that a host is ejected for. See :ref:`base_ejection_time` - // for more information. If not specified, the default value (300000ms or 300s) or - // :ref:`base_ejection_time` value is applied, whatever is larger. - google.protobuf.Duration max_ejection_time = 21 [(validate.rules).duration = {gt {}}]; -} diff --git a/api/envoy/config/common/matcher/v4alpha/BUILD b/api/envoy/config/common/matcher/v4alpha/BUILD deleted file mode 100644 index 8c0f8a2e08d8..000000000000 --- a/api/envoy/config/common/matcher/v4alpha/BUILD +++ /dev/null @@ -1,15 +0,0 @@ -# DO NOT EDIT. This file is generated by tools/proto_format/proto_sync.py. - -load("@envoy_api//bazel:api_build_system.bzl", "api_proto_package") - -licenses(["notice"]) # Apache 2 - -api_proto_package( - deps = [ - "//envoy/config/common/matcher/v3:pkg", - "//envoy/config/core/v4alpha:pkg", - "//envoy/config/route/v4alpha:pkg", - "//envoy/type/matcher/v4alpha:pkg", - "@com_github_cncf_udpa//udpa/annotations:pkg", - ], -) diff --git a/api/envoy/config/common/matcher/v4alpha/matcher.proto b/api/envoy/config/common/matcher/v4alpha/matcher.proto deleted file mode 100644 index 2027331b31da..000000000000 --- a/api/envoy/config/common/matcher/v4alpha/matcher.proto +++ /dev/null 
@@ -1,269 +0,0 @@ -syntax = "proto3"; - -package envoy.config.common.matcher.v4alpha; - -import "envoy/config/core/v4alpha/extension.proto"; -import "envoy/config/route/v4alpha/route_components.proto"; -import "envoy/type/matcher/v4alpha/string.proto"; - -import "udpa/annotations/status.proto"; -import "udpa/annotations/versioning.proto"; -import "validate/validate.proto"; - -option java_package = "io.envoyproxy.envoy.config.common.matcher.v4alpha"; -option java_outer_classname = "MatcherProto"; -option java_multiple_files = true; -option (udpa.annotations.file_status).package_version_status = NEXT_MAJOR_VERSION_CANDIDATE; - -// [#protodoc-title: Unified Matcher API] - -// A matcher, which may traverse a matching tree in order to result in a match action. -// During matching, the tree will be traversed until a match is found, or if no match -// is found the action specified by the most specific on_no_match will be evaluated. -// As an on_no_match might result in another matching tree being evaluated, this process -// might repeat several times until the final OnMatch (or no match) is decided. -// -// [#alpha:] -message Matcher { - option (udpa.annotations.versioning).previous_message_type = - "envoy.config.common.matcher.v3.Matcher"; - - // What to do if a match is successful. - message OnMatch { - option (udpa.annotations.versioning).previous_message_type = - "envoy.config.common.matcher.v3.Matcher.OnMatch"; - - oneof on_match { - option (validate.required) = true; - - // Nested matcher to evaluate. - // If the nested matcher does not match and does not specify - // on_no_match, then this matcher is considered not to have - // matched, even if a predicate at this level or above returned - // true. - Matcher matcher = 1; - - // Protocol-specific action to take. - core.v4alpha.TypedExtensionConfig action = 2; - } - } - - // A linear list of field matchers. - // The field matchers are evaluated in order, and the first match - // wins. 
- message MatcherList { - option (udpa.annotations.versioning).previous_message_type = - "envoy.config.common.matcher.v3.Matcher.MatcherList"; - - // Predicate to determine if a match is successful. - message Predicate { - option (udpa.annotations.versioning).previous_message_type = - "envoy.config.common.matcher.v3.Matcher.MatcherList.Predicate"; - - // Predicate for a single input field. - message SinglePredicate { - option (udpa.annotations.versioning).previous_message_type = - "envoy.config.common.matcher.v3.Matcher.MatcherList.Predicate.SinglePredicate"; - - // Protocol-specific specification of input field to match on. - // [#extension-category: envoy.matching.common_inputs] - core.v4alpha.TypedExtensionConfig input = 1 [(validate.rules).message = {required: true}]; - - oneof matcher { - option (validate.required) = true; - - // Built-in string matcher. - type.matcher.v4alpha.StringMatcher value_match = 2; - - // Extension for custom matching logic. - // [#extension-category: envoy.matching.input_matchers] - core.v4alpha.TypedExtensionConfig custom_match = 3; - } - } - - // A list of two or more matchers. Used to allow using a list within a oneof. - message PredicateList { - option (udpa.annotations.versioning).previous_message_type = - "envoy.config.common.matcher.v3.Matcher.MatcherList.Predicate.PredicateList"; - - repeated Predicate predicate = 1 [(validate.rules).repeated = {min_items: 2}]; - } - - oneof match_type { - option (validate.required) = true; - - // A single predicate to evaluate. - SinglePredicate single_predicate = 1; - - // A list of predicates to be OR-ed together. - PredicateList or_matcher = 2; - - // A list of predicates to be AND-ed together. - PredicateList and_matcher = 3; - - // The invert of a predicate - Predicate not_matcher = 4; - } - } - - // An individual matcher. 
- message FieldMatcher { - option (udpa.annotations.versioning).previous_message_type = - "envoy.config.common.matcher.v3.Matcher.MatcherList.FieldMatcher"; - - // Determines if the match succeeds. - Predicate predicate = 1 [(validate.rules).message = {required: true}]; - - // What to do if the match succeeds. - OnMatch on_match = 2 [(validate.rules).message = {required: true}]; - } - - // A list of matchers. First match wins. - repeated FieldMatcher matchers = 1 [(validate.rules).repeated = {min_items: 1}]; - } - - message MatcherTree { - option (udpa.annotations.versioning).previous_message_type = - "envoy.config.common.matcher.v3.Matcher.MatcherTree"; - - // A map of configured matchers. Used to allow using a map within a oneof. - message MatchMap { - option (udpa.annotations.versioning).previous_message_type = - "envoy.config.common.matcher.v3.Matcher.MatcherTree.MatchMap"; - - map map = 1 [(validate.rules).map = {min_pairs: 1}]; - } - - // Protocol-specific specification of input field to match on. - core.v4alpha.TypedExtensionConfig input = 1 [(validate.rules).message = {required: true}]; - - // Exact or prefix match maps in which to look up the input value. - // If the lookup succeeds, the match is considered successful, and - // the corresponding OnMatch is used. - oneof tree_type { - option (validate.required) = true; - - MatchMap exact_match_map = 2; - - // Longest matching prefix wins. - MatchMap prefix_match_map = 3; - - // Extension for custom matching logic. - core.v4alpha.TypedExtensionConfig custom_match = 4; - } - } - - oneof matcher_type { - option (validate.required) = true; - - // A linear list of matchers to evaluate. - MatcherList matcher_list = 1; - - // A match tree to evaluate. - MatcherTree matcher_tree = 2; - } - - // Optional OnMatch to use if the matcher failed. - // If specified, the OnMatch is used, and the matcher is considered - // to have matched. - // If not specified, the matcher is considered not to have matched. 
- OnMatch on_no_match = 3; -} - -// Match configuration. This is a recursive structure which allows complex nested match -// configurations to be built using various logical operators. -// [#next-free-field: 11] -message MatchPredicate { - option (udpa.annotations.versioning).previous_message_type = - "envoy.config.common.matcher.v3.MatchPredicate"; - - // A set of match configurations used for logical operations. - message MatchSet { - option (udpa.annotations.versioning).previous_message_type = - "envoy.config.common.matcher.v3.MatchPredicate.MatchSet"; - - // The list of rules that make up the set. - repeated MatchPredicate rules = 1 [(validate.rules).repeated = {min_items: 2}]; - } - - oneof rule { - option (validate.required) = true; - - // A set that describes a logical OR. If any member of the set matches, the match configuration - // matches. - MatchSet or_match = 1; - - // A set that describes a logical AND. If all members of the set match, the match configuration - // matches. - MatchSet and_match = 2; - - // A negation match. The match configuration will match if the negated match condition matches. - MatchPredicate not_match = 3; - - // The match configuration will always match. - bool any_match = 4 [(validate.rules).bool = {const: true}]; - - // HTTP request headers match configuration. - HttpHeadersMatch http_request_headers_match = 5; - - // HTTP request trailers match configuration. - HttpHeadersMatch http_request_trailers_match = 6; - - // HTTP response headers match configuration. - HttpHeadersMatch http_response_headers_match = 7; - - // HTTP response trailers match configuration. - HttpHeadersMatch http_response_trailers_match = 8; - - // HTTP request generic body match configuration. - HttpGenericBodyMatch http_request_generic_body_match = 9; - - // HTTP response generic body match configuration. - HttpGenericBodyMatch http_response_generic_body_match = 10; - } -} - -// HTTP headers match configuration. 
-message HttpHeadersMatch { - option (udpa.annotations.versioning).previous_message_type = - "envoy.config.common.matcher.v3.HttpHeadersMatch"; - - // HTTP headers to match. - repeated route.v4alpha.HeaderMatcher headers = 1; -} - -// HTTP generic body match configuration. -// List of text strings and hex strings to be located in HTTP body. -// All specified strings must be found in the HTTP body for positive match. -// The search may be limited to specified number of bytes from the body start. -// -// .. attention:: -// -// Searching for patterns in HTTP body is potentially cpu intensive. For each specified pattern, http body is scanned byte by byte to find a match. -// If multiple patterns are specified, the process is repeated for each pattern. If location of a pattern is known, ``bytes_limit`` should be specified -// to scan only part of the http body. -message HttpGenericBodyMatch { - option (udpa.annotations.versioning).previous_message_type = - "envoy.config.common.matcher.v3.HttpGenericBodyMatch"; - - message GenericTextMatch { - option (udpa.annotations.versioning).previous_message_type = - "envoy.config.common.matcher.v3.HttpGenericBodyMatch.GenericTextMatch"; - - oneof rule { - option (validate.required) = true; - - // Text string to be located in HTTP body. - string string_match = 1 [(validate.rules).string = {min_len: 1}]; - - // Sequence of bytes to be located in HTTP body. - bytes binary_match = 2 [(validate.rules).bytes = {min_len: 1}]; - } - } - - // Limits search to specified number of bytes - default zero (no limit - match entire captured buffer). - uint32 bytes_limit = 1; - - // List of patterns to match. - repeated GenericTextMatch patterns = 2 [(validate.rules).repeated = {min_items: 1}]; -} diff --git a/api/envoy/config/core/v4alpha/BUILD b/api/envoy/config/core/v4alpha/BUILD deleted file mode 100644 index c9e435fda9a9..000000000000 --- a/api/envoy/config/core/v4alpha/BUILD +++ /dev/null 
@@ -1,16 +0,0 @@
-# DO NOT EDIT. This file is generated by tools/proto_format/proto_sync.py.
-
-load("@envoy_api//bazel:api_build_system.bzl", "api_proto_package")
-
-licenses(["notice"]) # Apache 2
-
-api_proto_package(
- deps = [
- "//envoy/annotations:pkg",
- "//envoy/config/core/v3:pkg",
- "//envoy/type/matcher/v4alpha:pkg",
- "//envoy/type/v3:pkg",
- "@com_github_cncf_udpa//udpa/annotations:pkg",
- "@com_github_cncf_udpa//xds/core/v3:pkg",
- ],
-)
diff --git a/api/envoy/config/core/v4alpha/address.proto b/api/envoy/config/core/v4alpha/address.proto
deleted file mode 100644
index 63d4d4a14507..000000000000
--- a/api/envoy/config/core/v4alpha/address.proto
+++ /dev/null
@@ -1,163 +0,0 @@
-syntax = "proto3";
-
-package envoy.config.core.v4alpha;
-
-import "envoy/config/core/v4alpha/socket_option.proto";
-
-import "google/protobuf/wrappers.proto";
-
-import "udpa/annotations/status.proto";
-import "udpa/annotations/versioning.proto";
-import "validate/validate.proto";
-
-option java_package = "io.envoyproxy.envoy.config.core.v4alpha";
-option java_outer_classname = "AddressProto";
-option java_multiple_files = true;
-option (udpa.annotations.file_status).package_version_status = NEXT_MAJOR_VERSION_CANDIDATE;
-
-// [#protodoc-title: Network addresses]
-
-message Pipe {
- option (udpa.annotations.versioning).previous_message_type = "envoy.config.core.v3.Pipe";
-
- // Unix Domain Socket path. On Linux, paths starting with '@' will use the
- // abstract namespace. The starting '@' is replaced by a null byte by Envoy.
- // Paths starting with '@' will result in an error in environments other than
- // Linux.
- string path = 1 [(validate.rules).string = {min_len: 1}];
-
- // The mode for the Pipe. Not applicable for abstract sockets.
- uint32 mode = 2 [(validate.rules).uint32 = {lte: 511}];
-}
-
-// [#not-implemented-hide:] The address represents an envoy internal listener.
-// TODO(lambdai): Make this address available for listener and endpoint.
-// TODO(asraa): When address available, remove workaround from test/server/server_fuzz_test.cc:30.
-message EnvoyInternalAddress {
- option (udpa.annotations.versioning).previous_message_type =
- "envoy.config.core.v3.EnvoyInternalAddress";
-
- oneof address_name_specifier {
- option (validate.required) = true;
-
- // [#not-implemented-hide:] The :ref:`listener name ` of the destination internal listener.
- string server_listener_name = 1; - } -} - -// [#next-free-field: 7] -message SocketAddress { - option (udpa.annotations.versioning).previous_message_type = "envoy.config.core.v3.SocketAddress"; - - enum Protocol { - TCP = 0; - UDP = 1; - } - - Protocol protocol = 1 [(validate.rules).enum = {defined_only: true}]; - - // The address for this socket. :ref:`Listeners ` will bind - // to the address. An empty address is not allowed. Specify ``0.0.0.0`` or ``::`` - // to bind to any address. [#comment:TODO(zuercher) reinstate when implemented: - // It is possible to distinguish a Listener address via the prefix/suffix matching - // in :ref:`FilterChainMatch `.] When used - // within an upstream :ref:`BindConfig `, the address - // controls the source address of outbound connections. For :ref:`clusters - // `, the cluster type determines whether the - // address must be an IP (*STATIC* or *EDS* clusters) or a hostname resolved by DNS - // (*STRICT_DNS* or *LOGICAL_DNS* clusters). Address resolution can be customized - // via :ref:`resolver_name `. - string address = 2 [(validate.rules).string = {min_len: 1}]; - - oneof port_specifier { - option (validate.required) = true; - - uint32 port_value = 3 [(validate.rules).uint32 = {lte: 65535}]; - - // This is only valid if :ref:`resolver_name - // ` is specified below and the - // named resolver is capable of named port resolution. - string named_port = 4; - } - - // The name of the custom resolver. This must have been registered with Envoy. If - // this is empty, a context dependent default applies. If the address is a concrete - // IP address, no resolution will occur. If address is a hostname this - // should be set for resolution other than DNS. Specifying a custom resolver with - // *STRICT_DNS* or *LOGICAL_DNS* will generate an error at runtime. - string resolver_name = 5; - - // When binding to an IPv6 address above, this enables `IPv4 compatibility - // `_. 
Binding to ``::`` will - // allow both IPv4 and IPv6 connections, with peer IPv4 addresses mapped into - // IPv6 space as ``::FFFF:``. - bool ipv4_compat = 6; -} - -message TcpKeepalive { - option (udpa.annotations.versioning).previous_message_type = "envoy.config.core.v3.TcpKeepalive"; - - // Maximum number of keepalive probes to send without response before deciding - // the connection is dead. Default is to use the OS level configuration (unless - // overridden, Linux defaults to 9.) - google.protobuf.UInt32Value keepalive_probes = 1; - - // The number of seconds a connection needs to be idle before keep-alive probes - // start being sent. Default is to use the OS level configuration (unless - // overridden, Linux defaults to 7200s (i.e., 2 hours.) - google.protobuf.UInt32Value keepalive_time = 2; - - // The number of seconds between keep-alive probes. Default is to use the OS - // level configuration (unless overridden, Linux defaults to 75s.) - google.protobuf.UInt32Value keepalive_interval = 3; -} - -message BindConfig { - option (udpa.annotations.versioning).previous_message_type = "envoy.config.core.v3.BindConfig"; - - // The address to bind to when creating a socket. - SocketAddress source_address = 1 [(validate.rules).message = {required: true}]; - - // Whether to set the *IP_FREEBIND* option when creating the socket. When this - // flag is set to true, allows the :ref:`source_address - // ` to be an IP address - // that is not configured on the system running Envoy. When this flag is set - // to false, the option *IP_FREEBIND* is disabled on the socket. When this - // flag is not set (default), the socket is not modified, i.e. the option is - // neither enabled nor disabled. - google.protobuf.BoolValue freebind = 2; - - // Additional socket options that may not be present in Envoy source code or - // precompiled binaries. 
- repeated SocketOption socket_options = 3; -} - -// Addresses specify either a logical or physical address and port, which are -// used to tell Envoy where to bind/listen, connect to upstream and find -// management servers. -message Address { - option (udpa.annotations.versioning).previous_message_type = "envoy.config.core.v3.Address"; - - oneof address { - option (validate.required) = true; - - SocketAddress socket_address = 1; - - Pipe pipe = 2; - - // [#not-implemented-hide:] - EnvoyInternalAddress envoy_internal_address = 3; - } -} - -// CidrRange specifies an IP Address and a prefix length to construct -// the subnet mask for a `CIDR `_ range. -message CidrRange { - option (udpa.annotations.versioning).previous_message_type = "envoy.config.core.v3.CidrRange"; - - // IPv4 or IPv6 address, e.g. ``192.0.0.0`` or ``2001:db8::``. - string address_prefix = 1 [(validate.rules).string = {min_len: 1}]; - - // Length of prefix, e.g. 0, 32. Defaults to 0 when unset. - google.protobuf.UInt32Value prefix_len = 2 [(validate.rules).uint32 = {lte: 128}]; -} diff --git a/api/envoy/config/core/v4alpha/backoff.proto b/api/envoy/config/core/v4alpha/backoff.proto deleted file mode 100644 index 266d57f84e74..000000000000 --- a/api/envoy/config/core/v4alpha/backoff.proto +++ /dev/null 
@@ -1,37 +0,0 @@
-syntax = "proto3";
-
-package envoy.config.core.v4alpha;
-
-import "google/protobuf/duration.proto";
-
-import "udpa/annotations/status.proto";
-import "udpa/annotations/versioning.proto";
-import "validate/validate.proto";
-
-option java_package = "io.envoyproxy.envoy.config.core.v4alpha";
-option java_outer_classname = "BackoffProto";
-option java_multiple_files = true;
-option (udpa.annotations.file_status).package_version_status = NEXT_MAJOR_VERSION_CANDIDATE;
-
-// [#protodoc-title: Backoff Strategy]
-
-// Configuration defining a jittered exponential back off strategy.
-message BackoffStrategy {
- option (udpa.annotations.versioning).previous_message_type =
- "envoy.config.core.v3.BackoffStrategy";
-
- // The base interval to be used for the next back off computation. It should
- // be greater than zero and less than or equal to :ref:`max_interval
- // `.
- google.protobuf.Duration base_interval = 1 [(validate.rules).duration = {
- required: true
- gte {nanos: 1000000}
- }];
-
- // Specifies the maximum interval between retries. This parameter is optional,
- // but must be greater than or equal to the :ref:`base_interval
- // ` if set. The default
- // is 10 times the :ref:`base_interval
- // `.
- google.protobuf.Duration max_interval = 2 [(validate.rules).duration = {gt {}}];
-}
diff --git a/api/envoy/config/core/v4alpha/base.proto b/api/envoy/config/core/v4alpha/base.proto
deleted file mode 100644
index b9980eff49ca..000000000000
--- a/api/envoy/config/core/v4alpha/base.proto
+++ /dev/null
@@ -1,456 +0,0 @@
-syntax = "proto3";
-
-package envoy.config.core.v4alpha;
-
-import "envoy/config/core/v4alpha/backoff.proto";
-import "envoy/config/core/v4alpha/http_uri.proto";
-import "envoy/type/v3/percent.proto";
-import "envoy/type/v3/semantic_version.proto";
-
-import "google/protobuf/any.proto";
-import "google/protobuf/struct.proto";
-import "google/protobuf/wrappers.proto";
-
-import "xds/core/v3/context_params.proto";
-
-import "udpa/annotations/status.proto";
-import "udpa/annotations/versioning.proto";
-import "validate/validate.proto";
-
-option java_package = "io.envoyproxy.envoy.config.core.v4alpha";
-option java_outer_classname = "BaseProto";
-option java_multiple_files = true;
-option (udpa.annotations.file_status).package_version_status = NEXT_MAJOR_VERSION_CANDIDATE;
-
-// [#protodoc-title: Common types]
-
-// Envoy supports :ref:`upstream priority routing
-// ` both at the route and the virtual
-// cluster level. The current priority implementation uses different connection
-// pool and circuit breaking settings for each priority level. This means that
-// even for HTTP/2 requests, two physical connections will be used to an
-// upstream host. In the future Envoy will likely support true HTTP/2 priority
-// over a single upstream connection.
-enum RoutingPriority {
- DEFAULT = 0;
- HIGH = 1;
-}
-
-// HTTP request method.
-enum RequestMethod {
- METHOD_UNSPECIFIED = 0;
- GET = 1;
- HEAD = 2;
- POST = 3;
- PUT = 4;
- DELETE = 5;
- CONNECT = 6;
- OPTIONS = 7;
- TRACE = 8;
- PATCH = 9;
-}
-
-// Identifies the direction of the traffic relative to the local Envoy.
-enum TrafficDirection {
- // Default option is unspecified.
- UNSPECIFIED = 0;
-
- // The transport is used for incoming traffic.
- INBOUND = 1;
-
- // The transport is used for outgoing traffic.
- OUTBOUND = 2;
-}
-
-// Identifies location of where either Envoy runs or where upstream hosts run.
-message Locality {
- option (udpa.annotations.versioning).previous_message_type = "envoy.config.core.v3.Locality";
-
- // Region this :ref:`zone ` belongs to.
- string region = 1;
-
- // Defines the local service zone where Envoy is running. Though optional, it
- // should be set if discovery service routing is used and the discovery
- // service exposes :ref:`zone data `,
- // either in this message or via :option:`--service-zone`. The meaning of zone
- // is context dependent, e.g. `Availability Zone (AZ)
- // `_
- // on AWS, `Zone `_ on
- // GCP, etc.
- string zone = 2;
-
- // When used for locality of upstream hosts, this field further splits zone
- // into smaller chunks of sub-zones so they can be load balanced
- // independently.
- string sub_zone = 3;
-}
-
-// BuildVersion combines SemVer version of extension with free-form build information
-// (i.e. 'alpha', 'private-build') as a set of strings.
-message BuildVersion {
- option (udpa.annotations.versioning).previous_message_type = "envoy.config.core.v3.BuildVersion";
-
- // SemVer version of extension.
- type.v3.SemanticVersion version = 1;
-
- // Free-form build information.
- // Envoy defines several well known keys in the source/common/version/version.h file
- google.protobuf.Struct metadata = 2;
-}
-
-// Version and identification for an Envoy extension.
-// [#next-free-field: 6]
-message Extension {
- option (udpa.annotations.versioning).previous_message_type = "envoy.config.core.v3.Extension";
-
- // This is the name of the Envoy filter as specified in the Envoy
- // configuration, e.g. envoy.filters.http.router, com.acme.widget.
- string name = 1;
-
- // Category of the extension.
- // Extension category names use reverse DNS notation. For instance "envoy.filters.listener"
- // for Envoy's built-in listener filters or "com.acme.filters.http" for HTTP filters from
- // acme.com vendor.
- // [#comment:TODO(yanavlasov): Link to the doc with existing envoy category names.]
- string category = 2;
-
- // [#not-implemented-hide:] Type descriptor of extension configuration proto.
- // [#comment:TODO(yanavlasov): Link to the doc with existing configuration protos.]
- // [#comment:TODO(yanavlasov): Add tests when PR #9391 lands.]
- string type_descriptor = 3;
-
- // The version is a property of the extension and maintained independently
- // of other extensions and the Envoy API.
- // This field is not set when extension did not provide version information.
- BuildVersion version = 4;
-
- // Indicates that the extension is present but was disabled via dynamic configuration.
- bool disabled = 5;
-}
-
-// Identifies a specific Envoy instance. The node identifier is presented to the
-// management server, which may use this identifier to distinguish per Envoy
-// configuration for serving.
-// [#next-free-field: 13]
-message Node {
- option (udpa.annotations.versioning).previous_message_type = "envoy.config.core.v3.Node";
-
- reserved 5, 11;
-
- reserved "build_version", "listening_addresses";
-
- // An opaque node identifier for the Envoy node. This also provides the local
- // service node name. It should be set if any of the following features are
- // used: :ref:`statsd `, :ref:`CDS
- // `, and :ref:`HTTP tracing
- // `, either in this message or via
- // :option:`--service-node`.
- string id = 1;
-
- // Defines the local service cluster name where Envoy is running. Though
- // optional, it should be set if any of the following features are used:
- // :ref:`statsd `, :ref:`health check cluster
- // verification
- // `,
- // :ref:`runtime override directory `,
- // :ref:`user agent addition
- // `,
- // :ref:`HTTP global rate limiting `,
- // :ref:`CDS `, and :ref:`HTTP tracing
- // `, either in this message or via
- // :option:`--service-cluster`.
- string cluster = 2;
-
- // Opaque metadata extending the node identifier. Envoy will pass this
- // directly to the management server.
- google.protobuf.Struct metadata = 3;
-
- // Map from xDS resource type URL to dynamic context parameters. These may vary at runtime (unlike
- // other fields in this message). For example, the xDS client may have a shard identifier that
- // changes during the lifetime of the xDS client. In Envoy, this would be achieved by updating the
- // dynamic context on the Server::Instance's LocalInfo context provider. The shard ID dynamic
- // parameter then appears in this field during future discovery requests.
- map dynamic_parameters = 12;
-
- // Locality specifying where the Envoy instance is running.
- Locality locality = 4;
-
- // Free-form string that identifies the entity requesting config.
- // E.g. "envoy" or "grpc"
- string user_agent_name = 6;
-
- oneof user_agent_version_type {
- // Free-form string that identifies the version of the entity requesting config.
- // E.g. "1.12.2" or "abcd1234", or "SpecialEnvoyBuild"
- string user_agent_version = 7;
-
- // Structured version of the entity requesting config.
- BuildVersion user_agent_build_version = 8;
- }
-
- // List of extensions and their versions supported by the node.
- repeated Extension extensions = 9;
-
- // Client feature support list. These are well known features described
- // in the Envoy API repository for a given major version of an API. Client features
- // use reverse DNS naming scheme, for example `com.acme.feature`.
- // See :ref:`the list of features ` that xDS client may
- // support.
- repeated string client_features = 10;
-}
-
-// Metadata provides additional inputs to filters based on matched listeners,
-// filter chains, routes and endpoints. It is structured as a map, usually from
-// filter name (in reverse DNS format) to metadata specific to the filter. Metadata
-// key-values for a filter are merged as connection and request handling occurs,
-// with later values for the same key overriding earlier values.
-//
-// An example use of metadata is providing additional values to
-// http_connection_manager in the envoy.http_connection_manager.access_log
-// namespace.
-//
-// Another example use of metadata is to per service config info in cluster metadata, which may get
-// consumed by multiple filters.
-//
-// For load balancing, Metadata provides a means to subset cluster endpoints.
-// Endpoints have a Metadata object associated and routes contain a Metadata
-// object to match against. There are some well defined metadata used today for
-// this purpose:
-//
-// * ``{"envoy.lb": {"canary": }}`` This indicates the canary status of an
-// endpoint and is also used during header processing
-// (x-envoy-upstream-canary) and for stats purposes.
-// [#next-major-version: move to type/metadata/v2]
-message Metadata {
- option (udpa.annotations.versioning).previous_message_type = "envoy.config.core.v3.Metadata";
-
- // Key is the reverse DNS filter name, e.g. com.acme.widget. The envoy.*
- // namespace is reserved for Envoy's built-in filters.
- // If both *filter_metadata* and
- // :ref:`typed_filter_metadata `
- // fields are present in the metadata with same keys,
- // only *typed_filter_metadata* field will be parsed.
- map filter_metadata = 1;
-
- // Key is the reverse DNS filter name, e.g. com.acme.widget. The envoy.*
- // namespace is reserved for Envoy's built-in filters.
- // The value is encoded as google.protobuf.Any.
- // If both :ref:`filter_metadata `
- // and *typed_filter_metadata* fields are present in the metadata with same keys,
- // only *typed_filter_metadata* field will be parsed.
- map typed_filter_metadata = 2;
-}
-
-// Runtime derived uint32 with a default when not specified.
-message RuntimeUInt32 {
- option (udpa.annotations.versioning).previous_message_type = "envoy.config.core.v3.RuntimeUInt32";
-
- // Default value if runtime value is not available.
- uint32 default_value = 2;
-
- // Runtime key to get value for comparison.
This value is used if defined.
- string runtime_key = 3 [(validate.rules).string = {min_len: 1}];
-}
-
-// Runtime derived percentage with a default when not specified.
-message RuntimePercent {
- option (udpa.annotations.versioning).previous_message_type =
- "envoy.config.core.v3.RuntimePercent";
-
- // Default value if runtime value is not available.
- type.v3.Percent default_value = 1;
-
- // Runtime key to get value for comparison. This value is used if defined.
- string runtime_key = 2 [(validate.rules).string = {min_len: 1}];
-}
-
-// Runtime derived double with a default when not specified.
-message RuntimeDouble {
- option (udpa.annotations.versioning).previous_message_type = "envoy.config.core.v3.RuntimeDouble";
-
- // Default value if runtime value is not available.
- double default_value = 1;
-
- // Runtime key to get value for comparison. This value is used if defined.
- string runtime_key = 2 [(validate.rules).string = {min_len: 1}];
-}
-
-// Runtime derived bool with a default when not specified.
-message RuntimeFeatureFlag {
- option (udpa.annotations.versioning).previous_message_type =
- "envoy.config.core.v3.RuntimeFeatureFlag";
-
- // Default value if runtime value is not available.
- google.protobuf.BoolValue default_value = 1 [(validate.rules).message = {required: true}];
-
- // Runtime key to get value for comparison. This value is used if defined. The boolean value must
- // be represented via its
- // `canonical JSON encoding `_.
- string runtime_key = 2 [(validate.rules).string = {min_len: 1}];
-}
-
-// Header name/value pair.
-message HeaderValue {
- option (udpa.annotations.versioning).previous_message_type = "envoy.config.core.v3.HeaderValue";
-
- // Header name.
- string key = 1
- [(validate.rules).string =
- {min_len: 1 max_bytes: 16384 well_known_regex: HTTP_HEADER_NAME strict: false}];
-
- // Header value.
- //
- // The same :ref:`format specifier ` as used for
- // :ref:`HTTP access logging ` applies here, however
- // unknown header values are replaced with the empty string instead of `-`.
- string value = 2 [
- (validate.rules).string = {max_bytes: 16384 well_known_regex: HTTP_HEADER_VALUE strict: false}
- ];
-}
-
-// Header name/value pair plus option to control append behavior.
-message HeaderValueOption {
- option (udpa.annotations.versioning).previous_message_type =
- "envoy.config.core.v3.HeaderValueOption";
-
- // Header name/value pair that this option applies to.
- HeaderValue header = 1 [(validate.rules).message = {required: true}];
-
- // Should the value be appended? If true (default), the value is appended to
- // existing values. Otherwise it replaces any existing values.
- google.protobuf.BoolValue append = 2;
-}
-
-// Wrapper for a set of headers.
-message HeaderMap {
- option (udpa.annotations.versioning).previous_message_type = "envoy.config.core.v3.HeaderMap";
-
- repeated HeaderValue headers = 1;
-}
-
-// A directory that is watched for changes, e.g. by inotify on Linux. Move/rename
-// events inside this directory trigger the watch.
-message WatchedDirectory {
- option (udpa.annotations.versioning).previous_message_type =
- "envoy.config.core.v3.WatchedDirectory";
-
- // Directory path to watch.
- string path = 1 [(validate.rules).string = {min_len: 1}];
-}
-
-// Data source consisting of either a file or an inline value.
-message DataSource {
- option (udpa.annotations.versioning).previous_message_type = "envoy.config.core.v3.DataSource";
-
- oneof specifier {
- option (validate.required) = true;
-
- // Local filesystem data source.
- string filename = 1 [(validate.rules).string = {min_len: 1}];
-
- // Bytes inlined in the configuration.
- bytes inline_bytes = 2;
-
- // String inlined in the configuration.
- string inline_string = 3;
- }
-}
-
-// The message specifies the retry policy of remote data source when fetching fails.
-message RetryPolicy {
- option (udpa.annotations.versioning).previous_message_type = "envoy.config.core.v3.RetryPolicy";
-
- // Specifies parameters that control :ref:`retry backoff strategy `.
- // This parameter is optional, in which case the default base interval is 1000 milliseconds. The
- // default maximum interval is 10 times the base interval.
- BackoffStrategy retry_back_off = 1;
-
- // Specifies the allowed number of retries. This parameter is optional and
- // defaults to 1.
- google.protobuf.UInt32Value max_retries = 2;
-}
-
-// The message specifies how to fetch data from remote and how to verify it.
-message RemoteDataSource {
- option (udpa.annotations.versioning).previous_message_type =
- "envoy.config.core.v3.RemoteDataSource";
-
- // The HTTP URI to fetch the remote data.
- HttpUri http_uri = 1 [(validate.rules).message = {required: true}];
-
- // SHA256 string for verifying data.
- string sha256 = 2 [(validate.rules).string = {min_len: 1}];
-
- // Retry policy for fetching remote data.
- RetryPolicy retry_policy = 3;
-}
-
-// Async data source which support async data fetch.
-message AsyncDataSource {
- option (udpa.annotations.versioning).previous_message_type =
- "envoy.config.core.v3.AsyncDataSource";
-
- oneof specifier {
- option (validate.required) = true;
-
- // Local async data source.
- DataSource local = 1;
-
- // Remote async data source.
- RemoteDataSource remote = 2;
- }
-}
-
-// Configuration for transport socket in :ref:`listeners ` and
-// :ref:`clusters `. If the configuration is
-// empty, a default transport socket implementation and configuration will be
-// chosen based on the platform and existence of tls_context.
-message TransportSocket {
- option (udpa.annotations.versioning).previous_message_type =
- "envoy.config.core.v3.TransportSocket";
-
- reserved 2;
-
- reserved "config";
-
- // The name of the transport socket to instantiate. The name must match a supported transport
- // socket implementation.
- string name = 1 [(validate.rules).string = {min_len: 1}];
-
- // Implementation specific configuration which depends on the implementation being instantiated.
- // See the supported transport socket implementations for further documentation.
- oneof config_type {
- google.protobuf.Any typed_config = 3;
- }
-}
-
-// Runtime derived FractionalPercent with defaults for when the numerator or denominator is not
-// specified via a runtime key.
-//
-// .. note::
-//
-// Parsing of the runtime key's data is implemented such that it may be represented as a
-// :ref:`FractionalPercent ` proto represented as JSON/YAML
-// and may also be represented as an integer with the assumption that the value is an integral
-// percentage out of 100. For instance, a runtime key lookup returning the value "42" would parse
-// as a `FractionalPercent` whose numerator is 42 and denominator is HUNDRED.
-message RuntimeFractionalPercent {
- option (udpa.annotations.versioning).previous_message_type =
- "envoy.config.core.v3.RuntimeFractionalPercent";
-
- // Default value if the runtime value's for the numerator/denominator keys are not available.
- type.v3.FractionalPercent default_value = 1 [(validate.rules).message = {required: true}];
-
- // Runtime key for a YAML representation of a FractionalPercent.
- string runtime_key = 2;
-}
-
-// Identifies a specific ControlPlane instance that Envoy is connected to.
-message ControlPlane {
- option (udpa.annotations.versioning).previous_message_type = "envoy.config.core.v3.ControlPlane";
-
- // An opaque control plane identifier that uniquely identifies an instance
- // of control plane. This can be used to identify which control plane instance,
- // the Envoy is connected to.
- string identifier = 1;
-}
diff --git a/api/envoy/config/core/v4alpha/config_source.proto b/api/envoy/config/core/v4alpha/config_source.proto
deleted file mode 100644
index 54b482431501..000000000000
--- a/api/envoy/config/core/v4alpha/config_source.proto
+++ /dev/null
@@ -1,217 +0,0 @@
-syntax = "proto3";
-
-package envoy.config.core.v4alpha;
-
-import "envoy/config/core/v4alpha/grpc_service.proto";
-
-import "google/protobuf/duration.proto";
-import "google/protobuf/wrappers.proto";
-
-import "xds/core/v3/authority.proto";
-
-import "envoy/annotations/deprecation.proto";
-import "udpa/annotations/status.proto";
-import "udpa/annotations/versioning.proto";
-import "validate/validate.proto";
-
-option java_package = "io.envoyproxy.envoy.config.core.v4alpha";
-option java_outer_classname = "ConfigSourceProto";
-option java_multiple_files = true;
-option (udpa.annotations.file_status).package_version_status = NEXT_MAJOR_VERSION_CANDIDATE;
-
-// [#protodoc-title: Configuration sources]
-
-// xDS API and non-xDS services version. This is used to describe both resource and transport
-// protocol versions (in distinct configuration fields).
-enum ApiVersion {
- reserved 1;
-
- reserved "V2";
-
- // When not specified, we assume v2, to ease migration to Envoy's stable API
- // versioning. If a client does not support v2 (e.g. due to deprecation), this
- // is an invalid value.
- DEPRECATED_AND_UNAVAILABLE_DO_NOT_USE = 0
- [deprecated = true, (envoy.annotations.deprecated_at_minor_version_enum) = "3.0"];
-
- // Use xDS v3 API.
- V3 = 2;
-}
-
-// API configuration source. This identifies the API type and cluster that Envoy
-// will use to fetch an xDS API.
-// [#next-free-field: 9]
-message ApiConfigSource {
- option (udpa.annotations.versioning).previous_message_type =
- "envoy.config.core.v3.ApiConfigSource";
-
- // APIs may be fetched via either REST or gRPC.
- enum ApiType {
- // Ideally this would be 'reserved 0' but one can't reserve the default
- // value. Instead we throw an exception if this is ever used.
- DEPRECATED_AND_UNAVAILABLE_DO_NOT_USE = 0
- [deprecated = true, (envoy.annotations.disallowed_by_default_enum) = true];
-
- // REST-JSON v2 API. The `canonical JSON encoding
- // `_ for
- // the v2 protos is used.
- REST = 1;
-
- // SotW gRPC service.
- GRPC = 2;
-
- // Using the delta xDS gRPC service, i.e. DeltaDiscovery{Request,Response}
- // rather than Discovery{Request,Response}. Rather than sending Envoy the entire state
- // with every update, the xDS server only sends what has changed since the last update.
- DELTA_GRPC = 3;
-
- // SotW xDS gRPC with ADS. All resources which resolve to this configuration source will be
- // multiplexed on a single connection to an ADS endpoint.
- // [#not-implemented-hide:]
- AGGREGATED_GRPC = 5;
-
- // Delta xDS gRPC with ADS. All resources which resolve to this configuration source will be
- // multiplexed on a single connection to an ADS endpoint.
- // [#not-implemented-hide:]
- AGGREGATED_DELTA_GRPC = 6;
- }
-
- // API type (gRPC, REST, delta gRPC)
- ApiType api_type = 1 [(validate.rules).enum = {defined_only: true}];
-
- // API version for xDS transport protocol. This describes the xDS gRPC/REST
- // endpoint and version of [Delta]DiscoveryRequest/Response used on the wire.
- ApiVersion transport_api_version = 8 [(validate.rules).enum = {defined_only: true}];
-
- // Cluster names should be used only with REST. If > 1
- // cluster is defined, clusters will be cycled through if any kind of failure
- // occurs.
- //
- // .. note::
- //
- // The cluster with name ``cluster_name`` must be statically defined and its
- // type must not be ``EDS``.
- repeated string cluster_names = 2;
-
- // Multiple gRPC services be provided for GRPC. If > 1 cluster is defined,
- // services will be cycled through if any kind of failure occurs.
- repeated GrpcService grpc_services = 4;
-
- // For REST APIs, the delay between successive polls.
- google.protobuf.Duration refresh_delay = 3;
-
- // For REST APIs, the request timeout. If not set, a default value of 1s will be used.
- google.protobuf.Duration request_timeout = 5 [(validate.rules).duration = {gt {}}];
-
- // For GRPC APIs, the rate limit settings.
If present, discovery requests made by Envoy will be
- // rate limited.
- RateLimitSettings rate_limit_settings = 6;
-
- // Skip the node identifier in subsequent discovery requests for streaming gRPC config types.
- bool set_node_on_first_message_only = 7;
-}
-
-// Aggregated Discovery Service (ADS) options. This is currently empty, but when
-// set in :ref:`ConfigSource ` can be used to
-// specify that ADS is to be used.
-message AggregatedConfigSource {
- option (udpa.annotations.versioning).previous_message_type =
- "envoy.config.core.v3.AggregatedConfigSource";
-}
-
-// [#not-implemented-hide:]
-// Self-referencing config source options. This is currently empty, but when
-// set in :ref:`ConfigSource ` can be used to
-// specify that other data can be obtained from the same server.
-message SelfConfigSource {
- option (udpa.annotations.versioning).previous_message_type =
- "envoy.config.core.v3.SelfConfigSource";
-
- // API version for xDS transport protocol. This describes the xDS gRPC/REST
- // endpoint and version of [Delta]DiscoveryRequest/Response used on the wire.
- ApiVersion transport_api_version = 1 [(validate.rules).enum = {defined_only: true}];
-}
-
-// Rate Limit settings to be applied for discovery requests made by Envoy.
-message RateLimitSettings {
- option (udpa.annotations.versioning).previous_message_type =
- "envoy.config.core.v3.RateLimitSettings";
-
- // Maximum number of tokens to be used for rate limiting discovery request calls. If not set, a
- // default value of 100 will be used.
- google.protobuf.UInt32Value max_tokens = 1;
-
- // Rate at which tokens will be filled per second. If not set, a default fill rate of 10 tokens
- // per second will be used.
- google.protobuf.DoubleValue fill_rate = 2 [(validate.rules).double = {gt: 0.0}];
-}
-
-// Configuration for :ref:`listeners `, :ref:`clusters
-// `, :ref:`routes
-// `, :ref:`endpoints
-// ` etc. may either be sourced from the
-// filesystem or from an xDS API source.
Filesystem configs are watched with
-// inotify for updates.
-// [#next-free-field: 8]
-message ConfigSource {
- option (udpa.annotations.versioning).previous_message_type = "envoy.config.core.v3.ConfigSource";
-
- // Authorities that this config source may be used for. An authority specified in a xdstp:// URL
- // is resolved to a *ConfigSource* prior to configuration fetch. This field provides the
- // association between authority name and configuration source.
- // [#not-implemented-hide:]
- repeated xds.core.v3.Authority authorities = 7;
-
- oneof config_source_specifier {
- option (validate.required) = true;
-
- // Path on the filesystem to source and watch for configuration updates.
- // When sourcing configuration for :ref:`secret `,
- // the certificate and key files are also watched for updates.
- //
- // .. note::
- //
- // The path to the source must exist at config load time.
- //
- // .. note::
- //
- // Envoy will only watch the file path for *moves.* This is because in general only moves
- // are atomic. The same method of swapping files as is demonstrated in the
- // :ref:`runtime documentation ` can be used here also.
- string path = 1;
-
- // API configuration source.
- ApiConfigSource api_config_source = 2;
-
- // When set, ADS will be used to fetch resources. The ADS API configuration
- // source in the bootstrap configuration is used.
- AggregatedConfigSource ads = 3;
-
- // [#not-implemented-hide:]
- // When set, the client will access the resources from the same server it got the
- // ConfigSource from, although not necessarily from the same stream. This is similar to the
- // :ref:`ads` field, except that the client may use a
- // different stream to the same server. As a result, this field can be used for things
- // like LRS that cannot be sent on an ADS stream. It can also be used to link from (e.g.)
- // LDS to RDS on the same server without requiring the management server to know its name
- // or required credentials.
- // [#next-major-version: In xDS v3, consider replacing the ads field with this one, since
- // this field can implicitly mean to use the same stream in the case where the ConfigSource
- // is provided via ADS and the specified data can also be obtained via ADS.]
- SelfConfigSource self = 5;
- }
-
- // When this timeout is specified, Envoy will wait no longer than the specified time for first
- // config response on this xDS subscription during the :ref:`initialization process
- // `. After reaching the timeout, Envoy will move to the next
- // initialization phase, even if the first config is not delivered yet. The timer is activated
- // when the xDS API subscription starts, and is disarmed on first config update or on error. 0
- // means no timeout - Envoy will wait indefinitely for the first xDS config (unless another
- // timeout applies). The default is 15s.
- google.protobuf.Duration initial_fetch_timeout = 4;
-
- // API version for xDS resources. This implies the type URLs that the client
- // will request for resources and the resource type that the client will in
- // turn expect to be delivered.
- ApiVersion resource_api_version = 6 [(validate.rules).enum = {defined_only: true}];
-}
diff --git a/api/envoy/config/core/v4alpha/event_service_config.proto b/api/envoy/config/core/v4alpha/event_service_config.proto
deleted file mode 100644
index a0b4e5590d1d..000000000000
--- a/api/envoy/config/core/v4alpha/event_service_config.proto
+++ /dev/null
@@ -1,28 +0,0 @@
-syntax = "proto3";
-
-package envoy.config.core.v4alpha;
-
-import "envoy/config/core/v4alpha/grpc_service.proto";
-
-import "udpa/annotations/status.proto";
-import "udpa/annotations/versioning.proto";
-import "validate/validate.proto";
-
-option java_package = "io.envoyproxy.envoy.config.core.v4alpha";
-option java_outer_classname = "EventServiceConfigProto";
-option java_multiple_files = true;
-option (udpa.annotations.file_status).package_version_status = NEXT_MAJOR_VERSION_CANDIDATE;
-
-// [#not-implemented-hide:]
-// Configuration of the event reporting service endpoint.
-message EventServiceConfig {
- option (udpa.annotations.versioning).previous_message_type =
- "envoy.config.core.v3.EventServiceConfig";
-
- oneof config_source_specifier {
- option (validate.required) = true;
-
- // Specifies the gRPC service that hosts the event reporting service.
- GrpcService grpc_service = 1;
- }
-}
diff --git a/api/envoy/config/core/v4alpha/extension.proto b/api/envoy/config/core/v4alpha/extension.proto
deleted file mode 100644
index 4de107580d07..000000000000
--- a/api/envoy/config/core/v4alpha/extension.proto
+++ /dev/null
@@ -1,68 +0,0 @@
-syntax = "proto3";
-
-package envoy.config.core.v4alpha;
-
-import "envoy/config/core/v4alpha/config_source.proto";
-
-import "google/protobuf/any.proto";
-
-import "udpa/annotations/status.proto";
-import "udpa/annotations/versioning.proto";
-import "validate/validate.proto";
-
-option java_package = "io.envoyproxy.envoy.config.core.v4alpha";
-option java_outer_classname = "ExtensionProto";
-option java_multiple_files = true;
-option (udpa.annotations.file_status).package_version_status = NEXT_MAJOR_VERSION_CANDIDATE;
-
-// [#protodoc-title: Extension configuration]
-
-// Message type for extension configuration.
-// [#next-major-version: revisit all existing typed_config that doesn't use this wrapper.].
-message TypedExtensionConfig {
- option (udpa.annotations.versioning).previous_message_type =
- "envoy.config.core.v3.TypedExtensionConfig";
-
- // The name of an extension. This is not used to select the extension, instead
- // it serves the role of an opaque identifier.
- string name = 1 [(validate.rules).string = {min_len: 1}];
-
- // The typed config for the extension. The type URL will be used to identify
- // the extension. In the case that the type URL is *udpa.type.v1.TypedStruct*,
- // the inner type URL of *TypedStruct* will be utilized. See the
- // :ref:`extension configuration overview
- // ` for further details.
- google.protobuf.Any typed_config = 2 [(validate.rules).any = {required: true}];
-}
-
-// Configuration source specifier for a late-bound extension configuration. The
-// parent resource is warmed until all the initial extension configurations are
-// received, unless the flag to apply the default configuration is set.
-// Subsequent extension updates are atomic on a per-worker basis. Once an
-// extension configuration is applied to a request or a connection, it remains
-// constant for the duration of processing.
If the initial delivery of the
-// extension configuration fails, due to a timeout for example, the optional
-// default configuration is applied. Without a default configuration, the
-// extension is disabled, until an extension configuration is received. The
-// behavior of a disabled extension depends on the context. For example, a
-// filter chain with a disabled extension filter rejects all incoming streams.
-message ExtensionConfigSource {
- option (udpa.annotations.versioning).previous_message_type =
- "envoy.config.core.v3.ExtensionConfigSource";
-
- ConfigSource config_source = 1 [(validate.rules).any = {required: true}];
-
- // Optional default configuration to use as the initial configuration if
- // there is a failure to receive the initial extension configuration or if
- // `apply_default_config_without_warming` flag is set.
- google.protobuf.Any default_config = 2;
-
- // Use the default config as the initial configuration without warming and
- // waiting for the first discovery response. Requires the default configuration
- // to be supplied.
- bool apply_default_config_without_warming = 3;
-
- // A set of permitted extension type URLs. Extension configuration updates are rejected
- // if they do not match any type URL in the set.
- repeated string type_urls = 4 [(validate.rules).repeated = {min_items: 1}];
-}
diff --git a/api/envoy/config/core/v4alpha/grpc_method_list.proto b/api/envoy/config/core/v4alpha/grpc_method_list.proto
deleted file mode 100644
index 371ea32c10f3..000000000000
--- a/api/envoy/config/core/v4alpha/grpc_method_list.proto
+++ /dev/null
@@ -1,33 +0,0 @@
-syntax = "proto3";
-
-package envoy.config.core.v4alpha;
-
-import "udpa/annotations/status.proto";
-import "udpa/annotations/versioning.proto";
-import "validate/validate.proto";
-
-option java_package = "io.envoyproxy.envoy.config.core.v4alpha";
-option java_outer_classname = "GrpcMethodListProto";
-option java_multiple_files = true;
-option (udpa.annotations.file_status).package_version_status = NEXT_MAJOR_VERSION_CANDIDATE;
-
-// [#protodoc-title: gRPC method list]
-
-// A list of gRPC methods which can be used as an allowlist, for example.
-message GrpcMethodList {
- option (udpa.annotations.versioning).previous_message_type =
- "envoy.config.core.v3.GrpcMethodList";
-
- message Service {
- option (udpa.annotations.versioning).previous_message_type =
- "envoy.config.core.v3.GrpcMethodList.Service";
-
- // The name of the gRPC service.
- string name = 1 [(validate.rules).string = {min_len: 1}];
-
- // The names of the gRPC methods in this service.
- repeated string method_names = 2 [(validate.rules).repeated = {min_items: 1}];
- }
-
- repeated Service services = 1;
-}
diff --git a/api/envoy/config/core/v4alpha/grpc_service.proto b/api/envoy/config/core/v4alpha/grpc_service.proto
deleted file mode 100644
index 973983386c2e..000000000000
--- a/api/envoy/config/core/v4alpha/grpc_service.proto
+++ /dev/null
@@ -1,302 +0,0 @@ -syntax = "proto3"; - -package envoy.config.core.v4alpha; - -import "envoy/config/core/v4alpha/base.proto"; - -import "google/protobuf/any.proto"; -import "google/protobuf/duration.proto"; -import "google/protobuf/empty.proto"; -import "google/protobuf/struct.proto"; -import "google/protobuf/wrappers.proto"; - -import "udpa/annotations/sensitive.proto"; -import "udpa/annotations/status.proto"; -import "udpa/annotations/versioning.proto"; -import "validate/validate.proto"; - -option java_package = "io.envoyproxy.envoy.config.core.v4alpha"; -option java_outer_classname = "GrpcServiceProto"; -option java_multiple_files = true; -option (udpa.annotations.file_status).package_version_status = NEXT_MAJOR_VERSION_CANDIDATE; - -// [#protodoc-title: gRPC services] - -// gRPC service configuration. This is used by :ref:`ApiConfigSource -// ` and filter configurations. -// [#next-free-field: 6] -message GrpcService { - option (udpa.annotations.versioning).previous_message_type = "envoy.config.core.v3.GrpcService"; - - message EnvoyGrpc { - option (udpa.annotations.versioning).previous_message_type = - "envoy.config.core.v3.GrpcService.EnvoyGrpc"; - - // The name of the upstream gRPC cluster. SSL credentials will be supplied - // in the :ref:`Cluster ` :ref:`transport_socket - // `. - string cluster_name = 1 [(validate.rules).string = {min_len: 1}]; - - // The `:authority` header in the grpc request. If this field is not set, the authority header value will be `cluster_name`. - // Note that this authority does not override the SNI. The SNI is provided by the transport socket of the cluster. 
- string authority = 2 - [(validate.rules).string = - {min_len: 0 max_bytes: 16384 well_known_regex: HTTP_HEADER_VALUE strict: false}]; - } - - // [#next-free-field: 9] - message GoogleGrpc { - option (udpa.annotations.versioning).previous_message_type = - "envoy.config.core.v3.GrpcService.GoogleGrpc"; - - // See https://grpc.io/grpc/cpp/structgrpc_1_1_ssl_credentials_options.html. - message SslCredentials { - option (udpa.annotations.versioning).previous_message_type = - "envoy.config.core.v3.GrpcService.GoogleGrpc.SslCredentials"; - - // PEM encoded server root certificates. - DataSource root_certs = 1; - - // PEM encoded client private key. - DataSource private_key = 2 [(udpa.annotations.sensitive) = true]; - - // PEM encoded client certificate chain. - DataSource cert_chain = 3; - } - - // Local channel credentials. Only UDS is supported for now. - // See https://github.com/grpc/grpc/pull/15909. - message GoogleLocalCredentials { - option (udpa.annotations.versioning).previous_message_type = - "envoy.config.core.v3.GrpcService.GoogleGrpc.GoogleLocalCredentials"; - } - - // See https://grpc.io/docs/guides/auth.html#credential-types to understand Channel and Call - // credential types. 
- message ChannelCredentials { - option (udpa.annotations.versioning).previous_message_type = - "envoy.config.core.v3.GrpcService.GoogleGrpc.ChannelCredentials"; - - oneof credential_specifier { - option (validate.required) = true; - - SslCredentials ssl_credentials = 1; - - // https://grpc.io/grpc/cpp/namespacegrpc.html#a6beb3ac70ff94bd2ebbd89b8f21d1f61 - google.protobuf.Empty google_default = 2; - - GoogleLocalCredentials local_credentials = 3; - } - } - - // [#next-free-field: 8] - message CallCredentials { - option (udpa.annotations.versioning).previous_message_type = - "envoy.config.core.v3.GrpcService.GoogleGrpc.CallCredentials"; - - message ServiceAccountJWTAccessCredentials { - option (udpa.annotations.versioning).previous_message_type = - "envoy.config.core.v3.GrpcService.GoogleGrpc.CallCredentials." - "ServiceAccountJWTAccessCredentials"; - - string json_key = 1; - - uint64 token_lifetime_seconds = 2; - } - - message GoogleIAMCredentials { - option (udpa.annotations.versioning).previous_message_type = - "envoy.config.core.v3.GrpcService.GoogleGrpc.CallCredentials.GoogleIAMCredentials"; - - string authorization_token = 1; - - string authority_selector = 2; - } - - message MetadataCredentialsFromPlugin { - option (udpa.annotations.versioning).previous_message_type = - "envoy.config.core.v3.GrpcService.GoogleGrpc.CallCredentials." - "MetadataCredentialsFromPlugin"; - - reserved 2; - - reserved "config"; - - string name = 1; - - // [#extension-category: envoy.grpc_credentials] - oneof config_type { - google.protobuf.Any typed_config = 3; - } - } - - // Security token service configuration that allows Google gRPC to - // fetch security token from an OAuth 2.0 authorization server. - // See https://tools.ietf.org/html/draft-ietf-oauth-token-exchange-16 and - // https://github.com/grpc/grpc/pull/19587. 
- // [#next-free-field: 10] - message StsService { - option (udpa.annotations.versioning).previous_message_type = - "envoy.config.core.v3.GrpcService.GoogleGrpc.CallCredentials.StsService"; - - // URI of the token exchange service that handles token exchange requests. - // [#comment:TODO(asraa): Add URI validation when implemented. Tracked by - // https://github.com/envoyproxy/protoc-gen-validate/issues/303] - string token_exchange_service_uri = 1; - - // Location of the target service or resource where the client - // intends to use the requested security token. - string resource = 2; - - // Logical name of the target service where the client intends to - // use the requested security token. - string audience = 3; - - // The desired scope of the requested security token in the - // context of the service or resource where the token will be used. - string scope = 4; - - // Type of the requested security token. - string requested_token_type = 5; - - // The path of subject token, a security token that represents the - // identity of the party on behalf of whom the request is being made. - string subject_token_path = 6 [(validate.rules).string = {min_len: 1}]; - - // Type of the subject token. - string subject_token_type = 7 [(validate.rules).string = {min_len: 1}]; - - // The path of actor token, a security token that represents the identity - // of the acting party. The acting party is authorized to use the - // requested security token and act on behalf of the subject. - string actor_token_path = 8; - - // Type of the actor token. - string actor_token_type = 9; - } - - oneof credential_specifier { - option (validate.required) = true; - - // Access token credentials. - // https://grpc.io/grpc/cpp/namespacegrpc.html#ad3a80da696ffdaea943f0f858d7a360d. - string access_token = 1; - - // Google Compute Engine credentials. 
- // https://grpc.io/grpc/cpp/namespacegrpc.html#a6beb3ac70ff94bd2ebbd89b8f21d1f61 - google.protobuf.Empty google_compute_engine = 2; - - // Google refresh token credentials. - // https://grpc.io/grpc/cpp/namespacegrpc.html#a96901c997b91bc6513b08491e0dca37c. - string google_refresh_token = 3; - - // Service Account JWT Access credentials. - // https://grpc.io/grpc/cpp/namespacegrpc.html#a92a9f959d6102461f66ee973d8e9d3aa. - ServiceAccountJWTAccessCredentials service_account_jwt_access = 4; - - // Google IAM credentials. - // https://grpc.io/grpc/cpp/namespacegrpc.html#a9fc1fc101b41e680d47028166e76f9d0. - GoogleIAMCredentials google_iam = 5; - - // Custom authenticator credentials. - // https://grpc.io/grpc/cpp/namespacegrpc.html#a823c6a4b19ffc71fb33e90154ee2ad07. - // https://grpc.io/docs/guides/auth.html#extending-grpc-to-support-other-authentication-mechanisms. - MetadataCredentialsFromPlugin from_plugin = 6; - - // Custom security token service which implements OAuth 2.0 token exchange. - // https://tools.ietf.org/html/draft-ietf-oauth-token-exchange-16 - // See https://github.com/grpc/grpc/pull/19587. - StsService sts_service = 7; - } - } - - // Channel arguments. - message ChannelArgs { - option (udpa.annotations.versioning).previous_message_type = - "envoy.config.core.v3.GrpcService.GoogleGrpc.ChannelArgs"; - - message Value { - option (udpa.annotations.versioning).previous_message_type = - "envoy.config.core.v3.GrpcService.GoogleGrpc.ChannelArgs.Value"; - - // Pointer values are not supported, since they don't make any sense when - // delivered via the API. - oneof value_specifier { - option (validate.required) = true; - - string string_value = 1; - - int64 int_value = 2; - } - } - - // See grpc_types.h GRPC_ARG #defines for keys that work here. - map args = 1; - } - - // The target URI when using the `Google C++ gRPC client - // `_. SSL credentials will be supplied in - // :ref:`channel_credentials `. 
- string target_uri = 1 [(validate.rules).string = {min_len: 1}]; - - ChannelCredentials channel_credentials = 2; - - // A set of call credentials that can be composed with `channel credentials - // `_. - repeated CallCredentials call_credentials = 3; - - // The human readable prefix to use when emitting statistics for the gRPC - // service. - // - // .. csv-table:: - // :header: Name, Type, Description - // :widths: 1, 1, 2 - // - // streams_total, Counter, Total number of streams opened - // streams_closed_, Counter, Total streams closed with - string stat_prefix = 4 [(validate.rules).string = {min_len: 1}]; - - // The name of the Google gRPC credentials factory to use. This must have been registered with - // Envoy. If this is empty, a default credentials factory will be used that sets up channel - // credentials based on other configuration parameters. - string credentials_factory_name = 5; - - // Additional configuration for site-specific customizations of the Google - // gRPC library. - google.protobuf.Struct config = 6; - - // How many bytes each stream can buffer internally. - // If not set an implementation defined default is applied (1MiB). - google.protobuf.UInt32Value per_stream_buffer_limit_bytes = 7; - - // Custom channels args. - ChannelArgs channel_args = 8; - } - - reserved 4; - - oneof target_specifier { - option (validate.required) = true; - - // Envoy's in-built gRPC client. - // See the :ref:`gRPC services overview ` - // documentation for discussion on gRPC client selection. - EnvoyGrpc envoy_grpc = 1; - - // `Google C++ gRPC client `_ - // See the :ref:`gRPC services overview ` - // documentation for discussion on gRPC client selection. - GoogleGrpc google_grpc = 2; - } - - // The timeout for the gRPC request. This is the timeout for a specific - // request. - google.protobuf.Duration timeout = 3; - - // Additional metadata to include in streams initiated to the GrpcService. 
This can be used for - // scenarios in which additional ad hoc authorization headers (e.g. ``x-foo-bar: baz-key``) are to - // be injected. For more information, including details on header value syntax, see the - // documentation on :ref:`custom request headers - // `. - repeated HeaderValue initial_metadata = 5; -} diff --git a/api/envoy/config/core/v4alpha/health_check.proto b/api/envoy/config/core/v4alpha/health_check.proto deleted file mode 100644 index bf86f26e665e..000000000000 --- a/api/envoy/config/core/v4alpha/health_check.proto +++ /dev/null 
@@ -1,372 +0,0 @@ -syntax = "proto3"; - -package envoy.config.core.v4alpha; - -import "envoy/config/core/v4alpha/base.proto"; -import "envoy/config/core/v4alpha/event_service_config.proto"; -import "envoy/type/matcher/v4alpha/string.proto"; -import "envoy/type/v3/http.proto"; -import "envoy/type/v3/range.proto"; - -import "google/protobuf/any.proto"; -import "google/protobuf/duration.proto"; -import "google/protobuf/struct.proto"; -import "google/protobuf/wrappers.proto"; - -import "udpa/annotations/status.proto"; -import "udpa/annotations/versioning.proto"; -import "validate/validate.proto"; - -option java_package = "io.envoyproxy.envoy.config.core.v4alpha"; -option java_outer_classname = "HealthCheckProto"; -option java_multiple_files = true; -option (udpa.annotations.file_status).package_version_status = NEXT_MAJOR_VERSION_CANDIDATE; - -// [#protodoc-title: Health check] -// * Health checking :ref:`architecture overview `. -// * If health checking is configured for a cluster, additional statistics are emitted. They are -// documented :ref:`here `. - -// Endpoint health status. -enum HealthStatus { - // The health status is not known. This is interpreted by Envoy as *HEALTHY*. - UNKNOWN = 0; - - // Healthy. - HEALTHY = 1; - - // Unhealthy. - UNHEALTHY = 2; - - // Connection draining in progress. E.g., - // ``_ - // or - // ``_. - // This is interpreted by Envoy as *UNHEALTHY*. - DRAINING = 3; - - // Health check timed out. This is part of HDS and is interpreted by Envoy as - // *UNHEALTHY*. - TIMEOUT = 4; - - // Degraded. - DEGRADED = 5; -} - -// [#next-free-field: 25] -message HealthCheck { - option (udpa.annotations.versioning).previous_message_type = "envoy.config.core.v3.HealthCheck"; - - // Describes the encoding of the payload bytes in the payload. 
- message Payload { - option (udpa.annotations.versioning).previous_message_type = - "envoy.config.core.v3.HealthCheck.Payload"; - - oneof payload { - option (validate.required) = true; - - // Hex encoded payload. E.g., "000000FF". - string text = 1 [(validate.rules).string = {min_len: 1}]; - - // [#not-implemented-hide:] Binary payload. - bytes binary = 2; - } - } - - // [#next-free-field: 12] - message HttpHealthCheck { - option (udpa.annotations.versioning).previous_message_type = - "envoy.config.core.v3.HealthCheck.HttpHealthCheck"; - - reserved 5, 7; - - reserved "service_name", "use_http2"; - - // The value of the host header in the HTTP health check request. If - // left empty (default value), the name of the cluster this health check is associated - // with will be used. The host header can be customized for a specific endpoint by setting the - // :ref:`hostname ` field. - string host = 1 [(validate.rules).string = {well_known_regex: HTTP_HEADER_VALUE strict: false}]; - - // Specifies the HTTP path that will be requested during health checking. For example - // */healthcheck*. - string path = 2 - [(validate.rules).string = {min_len: 1 well_known_regex: HTTP_HEADER_VALUE strict: false}]; - - // [#not-implemented-hide:] HTTP specific payload. - Payload send = 3; - - // [#not-implemented-hide:] HTTP specific response. - Payload receive = 4; - - // Specifies a list of HTTP headers that should be added to each request that is sent to the - // health checked cluster. For more information, including details on header value syntax, see - // the documentation on :ref:`custom request headers - // `. - repeated HeaderValueOption request_headers_to_add = 6 - [(validate.rules).repeated = {max_items: 1000}]; - - // Specifies a list of HTTP headers that should be removed from each request that is sent to the - // health checked cluster. 
- repeated string request_headers_to_remove = 8 [(validate.rules).repeated = { - items {string {well_known_regex: HTTP_HEADER_NAME strict: false}} - }]; - - // Specifies a list of HTTP response statuses considered healthy. If provided, replaces default - // 200-only policy - 200 must be included explicitly as needed. Ranges follow half-open - // semantics of :ref:`Int64Range `. The start and end of each - // range are required. Only statuses in the range [100, 600) are allowed. - repeated type.v3.Int64Range expected_statuses = 9; - - // Use specified application protocol for health checks. - type.v3.CodecClientType codec_client_type = 10 [(validate.rules).enum = {defined_only: true}]; - - // An optional service name parameter which is used to validate the identity of - // the health checked cluster using a :ref:`StringMatcher - // `. See the :ref:`architecture overview - // ` for more information. - type.matcher.v4alpha.StringMatcher service_name_matcher = 11; - } - - message TcpHealthCheck { - option (udpa.annotations.versioning).previous_message_type = - "envoy.config.core.v3.HealthCheck.TcpHealthCheck"; - - // Empty payloads imply a connect-only health check. - Payload send = 1; - - // When checking the response, “fuzzy” matching is performed such that each - // binary block must be found, and in the order specified, but not - // necessarily contiguous. - repeated Payload receive = 2; - } - - message RedisHealthCheck { - option (udpa.annotations.versioning).previous_message_type = - "envoy.config.core.v3.HealthCheck.RedisHealthCheck"; - - // If set, optionally perform ``EXISTS `` instead of ``PING``. A return value - // from Redis of 0 (does not exist) is considered a passing healthcheck. A return value other - // than 0 is considered a failure. This allows the user to mark a Redis instance for maintenance - // by setting the specified key to any value and waiting for traffic to drain. 
- string key = 1; - } - - // `grpc.health.v1.Health - // `_-based - // healthcheck. See `gRPC doc `_ - // for details. - message GrpcHealthCheck { - option (udpa.annotations.versioning).previous_message_type = - "envoy.config.core.v3.HealthCheck.GrpcHealthCheck"; - - // An optional service name parameter which will be sent to gRPC service in - // `grpc.health.v1.HealthCheckRequest - // `_. - // message. See `gRPC health-checking overview - // `_ for more information. - string service_name = 1; - - // The value of the :authority header in the gRPC health check request. If - // left empty (default value), the name of the cluster this health check is associated - // with will be used. The authority header can be customized for a specific endpoint by setting - // the :ref:`hostname ` field. - string authority = 2 - [(validate.rules).string = {well_known_regex: HTTP_HEADER_VALUE strict: false}]; - } - - // Custom health check. - message CustomHealthCheck { - option (udpa.annotations.versioning).previous_message_type = - "envoy.config.core.v3.HealthCheck.CustomHealthCheck"; - - reserved 2; - - reserved "config"; - - // The registered name of the custom health checker. - string name = 1 [(validate.rules).string = {min_len: 1}]; - - // A custom health checker specific configuration which depends on the custom health checker - // being instantiated. See :api:`envoy/config/health_checker` for reference. - // [#extension-category: envoy.health_checkers] - oneof config_type { - google.protobuf.Any typed_config = 3; - } - } - - // Health checks occur over the transport socket specified for the cluster. This implies that if a - // cluster is using a TLS-enabled transport socket, the health check will also occur over TLS. - // - // This allows overriding the cluster TLS settings, just for health check connections. 
- message TlsOptions { - option (udpa.annotations.versioning).previous_message_type = - "envoy.config.core.v3.HealthCheck.TlsOptions"; - - // Specifies the ALPN protocols for health check connections. This is useful if the - // corresponding upstream is using ALPN-based :ref:`FilterChainMatch - // ` along with different protocols for health checks - // versus data connections. If empty, no ALPN protocols will be set on health check connections. - repeated string alpn_protocols = 1; - } - - reserved 10; - - // The time to wait for a health check response. If the timeout is reached the - // health check attempt will be considered a failure. - google.protobuf.Duration timeout = 1 [(validate.rules).duration = { - required: true - gt {} - }]; - - // The interval between health checks. - google.protobuf.Duration interval = 2 [(validate.rules).duration = { - required: true - gt {} - }]; - - // An optional jitter amount in milliseconds. If specified, Envoy will start health - // checking after for a random time in ms between 0 and initial_jitter. This only - // applies to the first health check. - google.protobuf.Duration initial_jitter = 20; - - // An optional jitter amount in milliseconds. If specified, during every - // interval Envoy will add interval_jitter to the wait time. - google.protobuf.Duration interval_jitter = 3; - - // An optional jitter amount as a percentage of interval_ms. If specified, - // during every interval Envoy will add interval_ms * - // interval_jitter_percent / 100 to the wait time. - // - // If interval_jitter_ms and interval_jitter_percent are both set, both of - // them will be used to increase the wait time. - uint32 interval_jitter_percent = 18; - - // The number of unhealthy health checks required before a host is marked - // unhealthy. Note that for *http* health checking if a host responds with 503 - // this threshold is ignored and the host is considered unhealthy immediately. 
- google.protobuf.UInt32Value unhealthy_threshold = 4 [(validate.rules).message = {required: true}]; - - // The number of healthy health checks required before a host is marked - // healthy. Note that during startup, only a single successful health check is - // required to mark a host healthy. - google.protobuf.UInt32Value healthy_threshold = 5 [(validate.rules).message = {required: true}]; - - // [#not-implemented-hide:] Non-serving port for health checking. - google.protobuf.UInt32Value alt_port = 6; - - // Reuse health check connection between health checks. Default is true. - google.protobuf.BoolValue reuse_connection = 7; - - oneof health_checker { - option (validate.required) = true; - - // HTTP health check. - HttpHealthCheck http_health_check = 8; - - // TCP health check. - TcpHealthCheck tcp_health_check = 9; - - // gRPC health check. - GrpcHealthCheck grpc_health_check = 11; - - // Custom health check. - CustomHealthCheck custom_health_check = 13; - } - - // The "no traffic interval" is a special health check interval that is used when a cluster has - // never had traffic routed to it. This lower interval allows cluster information to be kept up to - // date, without sending a potentially large amount of active health checking traffic for no - // reason. Once a cluster has been used for traffic routing, Envoy will shift back to using the - // standard health check interval that is defined. Note that this interval takes precedence over - // any other. - // - // The default value for "no traffic interval" is 60 seconds. - google.protobuf.Duration no_traffic_interval = 12 [(validate.rules).duration = {gt {}}]; - - // The "no traffic healthy interval" is a special health check interval that - // is used for hosts that are currently passing active health checking - // (including new hosts) when the cluster has received no traffic. 
- // - // This is useful for when we want to send frequent health checks with - // `no_traffic_interval` but then revert to lower frequency `no_traffic_healthy_interval` once - // a host in the cluster is marked as healthy. - // - // Once a cluster has been used for traffic routing, Envoy will shift back to using the - // standard health check interval that is defined. - // - // If no_traffic_healthy_interval is not set, it will default to the - // no traffic interval and send that interval regardless of health state. - google.protobuf.Duration no_traffic_healthy_interval = 24 [(validate.rules).duration = {gt {}}]; - - // The "unhealthy interval" is a health check interval that is used for hosts that are marked as - // unhealthy. As soon as the host is marked as healthy, Envoy will shift back to using the - // standard health check interval that is defined. - // - // The default value for "unhealthy interval" is the same as "interval". - google.protobuf.Duration unhealthy_interval = 14 [(validate.rules).duration = {gt {}}]; - - // The "unhealthy edge interval" is a special health check interval that is used for the first - // health check right after a host is marked as unhealthy. For subsequent health checks - // Envoy will shift back to using either "unhealthy interval" if present or the standard health - // check interval that is defined. - // - // The default value for "unhealthy edge interval" is the same as "unhealthy interval". - google.protobuf.Duration unhealthy_edge_interval = 15 [(validate.rules).duration = {gt {}}]; - - // The "healthy edge interval" is a special health check interval that is used for the first - // health check right after a host is marked as healthy. For subsequent health checks - // Envoy will shift back to using the standard health check interval that is defined. - // - // The default value for "healthy edge interval" is the same as the default interval. 
- google.protobuf.Duration healthy_edge_interval = 16 [(validate.rules).duration = {gt {}}]; - - // Specifies the path to the :ref:`health check event log `. - // If empty, no event log will be written. - string event_log_path = 17; - - // [#not-implemented-hide:] - // The gRPC service for the health check event service. - // If empty, health check events won't be sent to a remote endpoint. - EventServiceConfig event_service = 22; - - // If set to true, health check failure events will always be logged. If set to false, only the - // initial health check failure event will be logged. - // The default value is false. - bool always_log_health_check_failures = 19; - - // This allows overriding the cluster TLS settings, just for health check connections. - TlsOptions tls_options = 21; - - // Optional key/value pairs that will be used to match a transport socket from those specified in the cluster's - // :ref:`tranport socket matches `. - // For example, the following match criteria - // - // .. code-block:: yaml - // - // transport_socket_match_criteria: - // useMTLS: true - // - // Will match the following :ref:`cluster socket match ` - // - // .. code-block:: yaml - // - // transport_socket_matches: - // - name: "useMTLS" - // match: - // useMTLS: true - // transport_socket: - // name: envoy.transport_sockets.tls - // config: { ... } # tls socket configuration - // - // If this field is set, then for health checks it will supersede an entry of *envoy.transport_socket* in the - // :ref:`LbEndpoint.Metadata `. - // This allows using different transport socket capabilities for health checking versus proxying to the - // endpoint. - // - // If the key/values pairs specified do not match any - // :ref:`transport socket matches `, - // the cluster's :ref:`transport socket ` - // will be used for health check socket configuration. - google.protobuf.Struct transport_socket_match_criteria = 23; -} 
diff --git a/api/envoy/config/core/v4alpha/http_uri.proto b/api/envoy/config/core/v4alpha/http_uri.proto deleted file mode 100644 index ae1c0c9a3d4e..000000000000 --- a/api/envoy/config/core/v4alpha/http_uri.proto +++ /dev/null @@ -1,56 +0,0 @@ -syntax = "proto3"; - -package envoy.config.core.v4alpha; - -import "google/protobuf/duration.proto"; - -import "udpa/annotations/status.proto"; -import "udpa/annotations/versioning.proto"; -import "validate/validate.proto"; - -option java_package = "io.envoyproxy.envoy.config.core.v4alpha"; -option java_outer_classname = "HttpUriProto"; -option java_multiple_files = true; -option (udpa.annotations.file_status).package_version_status = NEXT_MAJOR_VERSION_CANDIDATE; - -// [#protodoc-title: HTTP Service URI ] - -// Envoy external URI descriptor -message HttpUri { - option (udpa.annotations.versioning).previous_message_type = "envoy.config.core.v3.HttpUri"; - - // The HTTP server URI. It should be a full FQDN with protocol, host and path. - // - // Example: - // - // .. code-block:: yaml - // - // uri: https://www.googleapis.com/oauth2/v1/certs - // - string uri = 1 [(validate.rules).string = {min_len: 1}]; - - // Specify how `uri` is to be fetched. Today, this requires an explicit - // cluster, but in the future we may support dynamic cluster creation or - // inline DNS resolution. See `issue - // `_. - oneof http_upstream_type { - option (validate.required) = true; - - // A cluster is created in the Envoy "cluster_manager" config - // section. This field specifies the cluster name. - // - // Example: - // - // .. code-block:: yaml - // - // cluster: jwks_cluster - // - string cluster = 2 [(validate.rules).string = {min_len: 1}]; - } - - // Sets the maximum duration in milliseconds that a response can take to arrive upon request. - google.protobuf.Duration timeout = 3 [(validate.rules).duration = { - required: true - gte {} - }]; -} 
diff --git a/api/envoy/config/core/v4alpha/protocol.proto b/api/envoy/config/core/v4alpha/protocol.proto
deleted file mode 100644
index ff3241beb139..000000000000
--- a/api/envoy/config/core/v4alpha/protocol.proto
+++ /dev/null
@@ -1,497 +0,0 @@ -syntax = "proto3"; - -package envoy.config.core.v4alpha; - -import "envoy/config/core/v4alpha/extension.proto"; -import "envoy/type/v3/percent.proto"; - -import "google/protobuf/duration.proto"; -import "google/protobuf/wrappers.proto"; - -import "udpa/annotations/status.proto"; -import "udpa/annotations/versioning.proto"; -import "validate/validate.proto"; - -option java_package = "io.envoyproxy.envoy.config.core.v4alpha"; -option java_outer_classname = "ProtocolProto"; -option java_multiple_files = true; -option (udpa.annotations.file_status).package_version_status = NEXT_MAJOR_VERSION_CANDIDATE; - -// [#protodoc-title: Protocol options] - -// [#not-implemented-hide:] -message TcpProtocolOptions { - option (udpa.annotations.versioning).previous_message_type = - "envoy.config.core.v3.TcpProtocolOptions"; -} - -// QUIC protocol options which apply to both downstream and upstream connections. -message QuicProtocolOptions { - option (udpa.annotations.versioning).previous_message_type = - "envoy.config.core.v3.QuicProtocolOptions"; - - // Maximum number of streams that the client can negotiate per connection. 100 - // if not specified. - google.protobuf.UInt32Value max_concurrent_streams = 1; - - // `Initial stream-level flow-control receive window - // `_ size. Valid values range from - // 1 to 16777216 (2^24, maximum supported by QUICHE) and defaults to 65536 (2^16). - // - // NOTE: 16384 (2^14) is the minimum window size supported in Google QUIC. If configured smaller than it, we will use 16384 instead. - // QUICHE IETF Quic implementation supports 1 bytes window. We only support increasing the default window size now, so it's also the minimum. - // - // This field also acts as a soft limit on the number of bytes Envoy will buffer per-stream in the - // QUIC stream send and receive buffers. Once the buffer reaches this pointer, watermark callbacks will fire to - // stop the flow of data to the stream buffers. 
- google.protobuf.UInt32Value initial_stream_window_size = 2 - [(validate.rules).uint32 = {lte: 16777216 gte: 1}]; - - // Similar to *initial_stream_window_size*, but for connection-level - // flow-control. Valid values rage from 1 to 25165824 (24MB, maximum supported by QUICHE) and defaults to 65536 (2^16). - // window. Currently, this has the same minimum/default as *initial_stream_window_size*. - // - // NOTE: 16384 (2^14) is the minimum window size supported in Google QUIC. We only support increasing the default - // window size now, so it's also the minimum. - google.protobuf.UInt32Value initial_connection_window_size = 3 - [(validate.rules).uint32 = {lte: 25165824 gte: 1}]; -} - -message UpstreamHttpProtocolOptions { - option (udpa.annotations.versioning).previous_message_type = - "envoy.config.core.v3.UpstreamHttpProtocolOptions"; - - // Set transport socket `SNI `_ for new - // upstream connections based on the downstream HTTP host/authority header, as seen by the - // :ref:`router filter `. - bool auto_sni = 1; - - // Automatic validate upstream presented certificate for new upstream connections based on the - // downstream HTTP host/authority header, as seen by the - // :ref:`router filter `. - // This field is intended to set with `auto_sni` field. - bool auto_san_validation = 2; -} - -// Configures the alternate protocols cache which tracks alternate protocols that can be used to -// make an HTTP connection to an origin server. See https://tools.ietf.org/html/rfc7838 for -// HTTP Alternative Services and https://datatracker.ietf.org/doc/html/draft-ietf-dnsop-svcb-https-04 -// for the "HTTPS" DNS resource record. -message AlternateProtocolsCacheOptions { - option (udpa.annotations.versioning).previous_message_type = - "envoy.config.core.v3.AlternateProtocolsCacheOptions"; - - // The name of the cache. 
Multiple named caches allow independent alternate protocols cache - // configurations to operate within a single Envoy process using different configurations. All - // alternate protocols cache options with the same name *must* be equal in all fields when - // referenced from different configuration components. Configuration will fail to load if this is - // not the case. - string name = 1 [(validate.rules).string = {min_len: 1}]; - - // The maximum number of entries that the cache will hold. If not specified defaults to 1024. - // - // .. note: - // - // The implementation is approximate and enforced independently on each worker thread, thus - // it is possible for the maximum entries in the cache to go slightly above the configured - // value depending on timing. This is similar to how other circuit breakers work. - google.protobuf.UInt32Value max_entries = 2 [(validate.rules).uint32 = {gt: 0}]; -} - -// [#next-free-field: 7] -message HttpProtocolOptions { - option (udpa.annotations.versioning).previous_message_type = - "envoy.config.core.v3.HttpProtocolOptions"; - - // Action to take when Envoy receives client request with header names containing underscore - // characters. - // Underscore character is allowed in header names by the RFC-7230 and this behavior is implemented - // as a security measure due to systems that treat '_' and '-' as interchangeable. Envoy by default allows client request headers with underscore - // characters. - enum HeadersWithUnderscoresAction { - // Allow headers with underscores. This is the default behavior. - ALLOW = 0; - - // Reject client request. HTTP/1 requests are rejected with the 400 status. HTTP/2 requests - // end with the stream reset. The "httpN.requests_rejected_with_underscores_in_headers" counter - // is incremented for each rejected request. - REJECT_REQUEST = 1; - - // Drop the header with name containing underscores. 
The header is dropped before the filter chain is - // invoked and as such filters will not see dropped headers. The - // "httpN.dropped_headers_with_underscores" is incremented for each dropped header. - DROP_HEADER = 2; - } - - // The idle timeout for connections. The idle timeout is defined as the - // period in which there are no active requests. When the - // idle timeout is reached the connection will be closed. If the connection is an HTTP/2 - // downstream connection a drain sequence will occur prior to closing the connection, see - // :ref:`drain_timeout - // `. - // Note that request based timeouts mean that HTTP/2 PINGs will not keep the connection alive. - // If not specified, this defaults to 1 hour. To disable idle timeouts explicitly set this to 0. - // - // .. warning:: - // Disabling this timeout has a highly likelihood of yielding connection leaks due to lost TCP - // FIN packets, etc. - // - // If the :ref:`overload action ` "envoy.overload_actions.reduce_timeouts" - // is configured, this timeout is scaled for downstream connections according to the value for - // :ref:`HTTP_DOWNSTREAM_CONNECTION_IDLE `. - google.protobuf.Duration idle_timeout = 1; - - // The maximum duration of a connection. The duration is defined as a period since a connection - // was established. If not set, there is no max duration. When max_connection_duration is reached - // the connection will be closed. Drain sequence will occur prior to closing the connection if - // if's applicable. See :ref:`drain_timeout - // `. - // Note: not implemented for upstream connections. - google.protobuf.Duration max_connection_duration = 3; - - // The maximum number of headers. If unconfigured, the default - // maximum number of request headers allowed is 100. Requests that exceed this limit will receive - // a 431 response for HTTP/1.x and cause a stream reset for HTTP/2. 
- google.protobuf.UInt32Value max_headers_count = 2 [(validate.rules).uint32 = {gte: 1}]; - - // Total duration to keep alive an HTTP request/response stream. If the time limit is reached the stream will be - // reset independent of any other timeouts. If not specified, this value is not set. - google.protobuf.Duration max_stream_duration = 4; - - // Action to take when a client request with a header name containing underscore characters is received. - // If this setting is not specified, the value defaults to ALLOW. - // Note: upstream responses are not affected by this setting. - HeadersWithUnderscoresAction headers_with_underscores_action = 5; - - // Optional maximum requests for both upstream and downstream connections. - // If not specified, there is no limit. - // Setting this parameter to 1 will effectively disable keep alive. - // For HTTP/2 and HTTP/3, due to concurrent stream processing, the limit is approximate. - google.protobuf.UInt32Value max_requests_per_connection = 6; -} - -// [#next-free-field: 8] -message Http1ProtocolOptions { - option (udpa.annotations.versioning).previous_message_type = - "envoy.config.core.v3.Http1ProtocolOptions"; - - // [#next-free-field: 9] - message HeaderKeyFormat { - option (udpa.annotations.versioning).previous_message_type = - "envoy.config.core.v3.Http1ProtocolOptions.HeaderKeyFormat"; - - message ProperCaseWords { - option (udpa.annotations.versioning).previous_message_type = - "envoy.config.core.v3.Http1ProtocolOptions.HeaderKeyFormat.ProperCaseWords"; - } - - oneof header_format { - option (validate.required) = true; - - // Formats the header by proper casing words: the first character and any character following - // a special character will be capitalized if it's an alpha character. For example, - // "content-type" becomes "Content-Type", and "foo$b#$are" becomes "Foo$B#$Are". - // Note that while this results in most headers following conventional casing, certain headers - // are not covered. 
For example, the "TE" header will be formatted as "Te". - ProperCaseWords proper_case_words = 1; - - // Configuration for stateful formatter extensions that allow using received headers to - // affect the output of encoding headers. E.g., preserving case during proxying. - // [#extension-category: envoy.http.stateful_header_formatters] - TypedExtensionConfig stateful_formatter = 8; - } - } - - // Handle HTTP requests with absolute URLs in the requests. These requests - // are generally sent by clients to forward/explicit proxies. This allows clients to configure - // envoy as their HTTP proxy. In Unix, for example, this is typically done by setting the - // *http_proxy* environment variable. - google.protobuf.BoolValue allow_absolute_url = 1; - - // Handle incoming HTTP/1.0 and HTTP 0.9 requests. - // This is off by default, and not fully standards compliant. There is support for pre-HTTP/1.1 - // style connect logic, dechunking, and handling lack of client host iff - // *default_host_for_http_10* is configured. - bool accept_http_10 = 2; - - // A default host for HTTP/1.0 requests. This is highly suggested if *accept_http_10* is true as - // Envoy does not otherwise support HTTP/1.0 without a Host header. - // This is a no-op if *accept_http_10* is not true. - string default_host_for_http_10 = 3; - - // Describes how the keys for response headers should be formatted. By default, all header keys - // are lower cased. - HeaderKeyFormat header_key_format = 4; - - // Enables trailers for HTTP/1. By default the HTTP/1 codec drops proxied trailers. - // - // .. attention:: - // - // Note that this only happens when Envoy is chunk encoding which occurs when: - // - The request is HTTP/1.1. - // - Is neither a HEAD only request nor a HTTP Upgrade. - // - Not a response to a HEAD request. - // - The content length header is not present. 
- bool enable_trailers = 5; - - // Allows Envoy to process requests/responses with both `Content-Length` and `Transfer-Encoding` - // headers set. By default such messages are rejected, but if option is enabled - Envoy will - // remove Content-Length header and process message. - // See `RFC7230, sec. 3.3.3 ` for details. - // - // .. attention:: - // Enabling this option might lead to request smuggling vulnerability, especially if traffic - // is proxied via multiple layers of proxies. - bool allow_chunked_length = 6; - - // Allows invalid HTTP messaging. When this option is false, then Envoy will terminate - // HTTP/1.1 connections upon receiving an invalid HTTP message. However, - // when this option is true, then Envoy will leave the HTTP/1.1 connection - // open where possible. - // If set, this overrides any HCM :ref:`stream_error_on_invalid_http_messaging - // `. - google.protobuf.BoolValue override_stream_error_on_invalid_http_message = 7; -} - -message KeepaliveSettings { - option (udpa.annotations.versioning).previous_message_type = - "envoy.config.core.v3.KeepaliveSettings"; - - // Send HTTP/2 PING frames at this period, in order to test that the connection is still alive. - // If this is zero, interval PINGs will not be sent. - google.protobuf.Duration interval = 1 [(validate.rules).duration = {gte {nanos: 1000000}}]; - - // How long to wait for a response to a keepalive PING. If a response is not received within this - // time period, the connection will be aborted. - google.protobuf.Duration timeout = 2 [(validate.rules).duration = { - required: true - gte {nanos: 1000000} - }]; - - // A random jitter amount as a percentage of interval that will be added to each interval. - // A value of zero means there will be no jitter. - // The default value is 15%. - type.v3.Percent interval_jitter = 3; - - // If the connection has been idle for this duration, send a HTTP/2 ping ahead - // of new stream creation, to quickly detect dead connections. 
- // If this is zero, this type of PING will not be sent. - // If an interval ping is outstanding, a second ping will not be sent as the - // interval ping will determine if the connection is dead. - google.protobuf.Duration connection_idle_interval = 4 - [(validate.rules).duration = {gte {nanos: 1000000}}]; -} - -// [#next-free-field: 16] -message Http2ProtocolOptions { - option (udpa.annotations.versioning).previous_message_type = - "envoy.config.core.v3.Http2ProtocolOptions"; - - // Defines a parameter to be sent in the SETTINGS frame. - // See `RFC7540, sec. 6.5.1 `_ for details. - message SettingsParameter { - option (udpa.annotations.versioning).previous_message_type = - "envoy.config.core.v3.Http2ProtocolOptions.SettingsParameter"; - - // The 16 bit parameter identifier. - google.protobuf.UInt32Value identifier = 1 [ - (validate.rules).uint32 = {lte: 65535 gte: 0}, - (validate.rules).message = {required: true} - ]; - - // The 32 bit parameter value. - google.protobuf.UInt32Value value = 2 [(validate.rules).message = {required: true}]; - } - - reserved 12; - - reserved "stream_error_on_invalid_http_messaging"; - - // `Maximum table size `_ - // (in octets) that the encoder is permitted to use for the dynamic HPACK table. Valid values - // range from 0 to 4294967295 (2^32 - 1) and defaults to 4096. 0 effectively disables header - // compression. - google.protobuf.UInt32Value hpack_table_size = 1; - - // `Maximum concurrent streams `_ - // allowed for peer on one HTTP/2 connection. Valid values range from 1 to 2147483647 (2^31 - 1) - // and defaults to 2147483647. - // - // For upstream connections, this also limits how many streams Envoy will initiate concurrently - // on a single connection. If the limit is reached, Envoy may queue requests or establish - // additional connections (as allowed per circuit breaker limits). 
- // - // This acts as an upper bound: Envoy will lower the max concurrent streams allowed on a given - // connection based on upstream settings. Config dumps will reflect the configured upper bound, - // not the per-connection negotiated limits. - google.protobuf.UInt32Value max_concurrent_streams = 2 - [(validate.rules).uint32 = {lte: 2147483647 gte: 1}]; - - // `Initial stream-level flow-control window - // `_ size. Valid values range from 65535 - // (2^16 - 1, HTTP/2 default) to 2147483647 (2^31 - 1, HTTP/2 maximum) and defaults to 268435456 - // (256 * 1024 * 1024). - // - // NOTE: 65535 is the initial window size from HTTP/2 spec. We only support increasing the default - // window size now, so it's also the minimum. - // - // This field also acts as a soft limit on the number of bytes Envoy will buffer per-stream in the - // HTTP/2 codec buffers. Once the buffer reaches this pointer, watermark callbacks will fire to - // stop the flow of data to the codec buffers. - google.protobuf.UInt32Value initial_stream_window_size = 3 - [(validate.rules).uint32 = {lte: 2147483647 gte: 65535}]; - - // Similar to *initial_stream_window_size*, but for connection-level flow-control - // window. Currently, this has the same minimum/maximum/default as *initial_stream_window_size*. - google.protobuf.UInt32Value initial_connection_window_size = 4 - [(validate.rules).uint32 = {lte: 2147483647 gte: 65535}]; - - // Allows proxying Websocket and other upgrades over H2 connect. - bool allow_connect = 5; - - // [#not-implemented-hide:] Hiding until envoy has full metadata support. - // Still under implementation. DO NOT USE. - // - // Allows metadata. See [metadata - // docs](https://github.com/envoyproxy/envoy/blob/main/source/docs/h2_metadata.md) for more - // information. - bool allow_metadata = 6; - - // Limit the number of pending outbound downstream frames of all types (frames that are waiting to - // be written into the socket). 
Exceeding this limit triggers flood mitigation and connection is - // terminated. The ``http2.outbound_flood`` stat tracks the number of terminated connections due - // to flood mitigation. The default limit is 10000. - // NOTE: flood and abuse mitigation for upstream connections is presently enabled by the - // `envoy.reloadable_features.upstream_http2_flood_checks` flag. - google.protobuf.UInt32Value max_outbound_frames = 7 [(validate.rules).uint32 = {gte: 1}]; - - // Limit the number of pending outbound downstream frames of types PING, SETTINGS and RST_STREAM, - // preventing high memory utilization when receiving continuous stream of these frames. Exceeding - // this limit triggers flood mitigation and connection is terminated. The - // ``http2.outbound_control_flood`` stat tracks the number of terminated connections due to flood - // mitigation. The default limit is 1000. - // NOTE: flood and abuse mitigation for upstream connections is presently enabled by the - // `envoy.reloadable_features.upstream_http2_flood_checks` flag. - google.protobuf.UInt32Value max_outbound_control_frames = 8 [(validate.rules).uint32 = {gte: 1}]; - - // Limit the number of consecutive inbound frames of types HEADERS, CONTINUATION and DATA with an - // empty payload and no end stream flag. Those frames have no legitimate use and are abusive, but - // might be a result of a broken HTTP/2 implementation. The `http2.inbound_empty_frames_flood`` - // stat tracks the number of connections terminated due to flood mitigation. - // Setting this to 0 will terminate connection upon receiving first frame with an empty payload - // and no end stream flag. The default limit is 1. - // NOTE: flood and abuse mitigation for upstream connections is presently enabled by the - // `envoy.reloadable_features.upstream_http2_flood_checks` flag. 
- google.protobuf.UInt32Value max_consecutive_inbound_frames_with_empty_payload = 9; - - // Limit the number of inbound PRIORITY frames allowed per each opened stream. If the number - // of PRIORITY frames received over the lifetime of connection exceeds the value calculated - // using this formula:: - // - // max_inbound_priority_frames_per_stream * (1 + opened_streams) - // - // the connection is terminated. For downstream connections the `opened_streams` is incremented when - // Envoy receives complete response headers from the upstream server. For upstream connection the - // `opened_streams` is incremented when Envoy send the HEADERS frame for a new stream. The - // ``http2.inbound_priority_frames_flood`` stat tracks - // the number of connections terminated due to flood mitigation. The default limit is 100. - // NOTE: flood and abuse mitigation for upstream connections is presently enabled by the - // `envoy.reloadable_features.upstream_http2_flood_checks` flag. - google.protobuf.UInt32Value max_inbound_priority_frames_per_stream = 10; - - // Limit the number of inbound WINDOW_UPDATE frames allowed per DATA frame sent. If the number - // of WINDOW_UPDATE frames received over the lifetime of connection exceeds the value calculated - // using this formula:: - // - // 5 + 2 * (opened_streams + - // max_inbound_window_update_frames_per_data_frame_sent * outbound_data_frames) - // - // the connection is terminated. For downstream connections the `opened_streams` is incremented when - // Envoy receives complete response headers from the upstream server. For upstream connections the - // `opened_streams` is incremented when Envoy sends the HEADERS frame for a new stream. The - // ``http2.inbound_priority_frames_flood`` stat tracks the number of connections terminated due to - // flood mitigation. The default max_inbound_window_update_frames_per_data_frame_sent value is 10. 
- // Setting this to 1 should be enough to support HTTP/2 implementations with basic flow control, - // but more complex implementations that try to estimate available bandwidth require at least 2. - // NOTE: flood and abuse mitigation for upstream connections is presently enabled by the - // `envoy.reloadable_features.upstream_http2_flood_checks` flag. - google.protobuf.UInt32Value max_inbound_window_update_frames_per_data_frame_sent = 11 - [(validate.rules).uint32 = {gte: 1}]; - - // Allows invalid HTTP messaging and headers. When this option is disabled (default), then - // the whole HTTP/2 connection is terminated upon receiving invalid HEADERS frame. However, - // when this option is enabled, only the offending stream is terminated. - // - // This overrides any HCM :ref:`stream_error_on_invalid_http_messaging - // ` - // - // See `RFC7540, sec. 8.1 `_ for details. - google.protobuf.BoolValue override_stream_error_on_invalid_http_message = 14; - - // [#not-implemented-hide:] - // Specifies SETTINGS frame parameters to be sent to the peer, with two exceptions: - // - // 1. SETTINGS_ENABLE_PUSH (0x2) is not configurable as HTTP/2 server push is not supported by - // Envoy. - // - // 2. SETTINGS_ENABLE_CONNECT_PROTOCOL (0x8) is only configurable through the named field - // 'allow_connect'. - // - // Note that custom parameters specified through this field can not also be set in the - // corresponding named parameters: - // - // .. code-block:: text - // - // ID Field Name - // ---------------- - // 0x1 hpack_table_size - // 0x3 max_concurrent_streams - // 0x4 initial_stream_window_size - // - // Collisions will trigger config validation failure on load/update. Likewise, inconsistencies - // between custom parameters with the same identifier will trigger a failure. - // - // See `IANA HTTP/2 Settings - // `_ for - // standardized identifiers. 
- repeated SettingsParameter custom_settings_parameters = 13; - - // Send HTTP/2 PING frames to verify that the connection is still healthy. If the remote peer - // does not respond within the configured timeout, the connection will be aborted. - KeepaliveSettings connection_keepalive = 15; -} - -// [#not-implemented-hide:] -message GrpcProtocolOptions { - option (udpa.annotations.versioning).previous_message_type = - "envoy.config.core.v3.GrpcProtocolOptions"; - - Http2ProtocolOptions http2_protocol_options = 1; -} - -// A message which allows using HTTP/3. -message Http3ProtocolOptions { - option (udpa.annotations.versioning).previous_message_type = - "envoy.config.core.v3.Http3ProtocolOptions"; - - QuicProtocolOptions quic_protocol_options = 1; - - // Allows invalid HTTP messaging and headers. When this option is disabled (default), then - // the whole HTTP/3 connection is terminated upon receiving invalid HEADERS frame. However, - // when this option is enabled, only the offending stream is terminated. - // - // If set, this overrides any HCM :ref:`stream_error_on_invalid_http_messaging - // `. - google.protobuf.BoolValue override_stream_error_on_invalid_http_message = 2; -} - -// A message to control transformations to the :scheme header -message SchemeHeaderTransformation { - option (udpa.annotations.versioning).previous_message_type = - "envoy.config.core.v3.SchemeHeaderTransformation"; - - oneof transformation { - // Overwrite any Scheme header with the contents of this string. - string scheme_to_overwrite = 1 [(validate.rules).string = {in: "http" in: "https"}]; - } -} diff --git a/api/envoy/config/core/v4alpha/proxy_protocol.proto b/api/envoy/config/core/v4alpha/proxy_protocol.proto deleted file mode 100644 index 1650f29d8cab..000000000000 --- a/api/envoy/config/core/v4alpha/proxy_protocol.proto +++ /dev/null 
@@ -1,29 +0,0 @@
-syntax = "proto3";
-
-package envoy.config.core.v4alpha;
-
-import "udpa/annotations/status.proto";
-import "udpa/annotations/versioning.proto";
-
-option java_package = "io.envoyproxy.envoy.config.core.v4alpha";
-option java_outer_classname = "ProxyProtocolProto";
-option java_multiple_files = true;
-option (udpa.annotations.file_status).package_version_status = NEXT_MAJOR_VERSION_CANDIDATE;
-
-// [#protodoc-title: Proxy Protocol]
-
-message ProxyProtocolConfig {
- option (udpa.annotations.versioning).previous_message_type =
- "envoy.config.core.v3.ProxyProtocolConfig";
-
- enum Version {
- // PROXY protocol version 1. Human readable format.
- V1 = 0;
-
- // PROXY protocol version 2. Binary format.
- V2 = 1;
- }
-
- // The PROXY protocol version to use. See https://www.haproxy.org/download/2.1/doc/proxy-protocol.txt for details
- Version version = 1;
-}
diff --git a/api/envoy/config/core/v4alpha/resolver.proto b/api/envoy/config/core/v4alpha/resolver.proto
deleted file mode 100644
index 4849a54161ce..000000000000
--- a/api/envoy/config/core/v4alpha/resolver.proto
+++ /dev/null
@@ -1,48 +0,0 @@
-syntax = "proto3";
-
-package envoy.config.core.v4alpha;
-
-import "envoy/config/core/v4alpha/address.proto";
-
-import "udpa/annotations/status.proto";
-import "udpa/annotations/versioning.proto";
-import "validate/validate.proto";
-
-option java_package = "io.envoyproxy.envoy.config.core.v4alpha";
-option java_outer_classname = "ResolverProto";
-option java_multiple_files = true;
-option (udpa.annotations.file_status).package_version_status = NEXT_MAJOR_VERSION_CANDIDATE;
-
-// [#protodoc-title: Resolver]
-
-// Configuration of DNS resolver option flags which control the behavior of the DNS resolver.
-message DnsResolverOptions {
- option (udpa.annotations.versioning).previous_message_type =
- "envoy.config.core.v3.DnsResolverOptions";
-
- // Use TCP for all DNS queries instead of the default protocol UDP.
- // Setting this value causes failure if the
- // ``envoy.restart_features.use_apple_api_for_dns_lookups`` runtime value is true during
- // server startup. Apple's API only uses UDP for DNS resolution.
- bool use_tcp_for_dns_lookups = 1;
-
- // Do not use the default search domains; only query hostnames as-is or as aliases.
- bool no_default_search_domain = 2;
-}
-
-// DNS resolution configuration which includes the underlying dns resolver addresses and options.
-message DnsResolutionConfig {
- option (udpa.annotations.versioning).previous_message_type =
- "envoy.config.core.v3.DnsResolutionConfig";
-
- // A list of dns resolver addresses. If specified, the DNS client library will perform resolution
- // via the underlying DNS resolvers. Otherwise, the default system resolvers
- // (e.g., /etc/resolv.conf) will be used.
- // Setting this value causes failure if the
- // ``envoy.restart_features.use_apple_api_for_dns_lookups`` runtime value is true during
- // server startup. Apple's API only allows overriding DNS resolvers via system settings.
- repeated Address resolvers = 1 [(validate.rules).repeated = {min_items: 1}];
-
- // Configuration of DNS resolver option flags which control the behavior of the DNS resolver.
- DnsResolverOptions dns_resolver_options = 2;
-}
diff --git a/api/envoy/config/core/v4alpha/socket_option.proto b/api/envoy/config/core/v4alpha/socket_option.proto
deleted file mode 100644
index 7dac394a865d..000000000000
--- a/api/envoy/config/core/v4alpha/socket_option.proto
+++ /dev/null
@@ -1,56 +0,0 @@
-syntax = "proto3";
-
-package envoy.config.core.v4alpha;
-
-import "udpa/annotations/status.proto";
-import "udpa/annotations/versioning.proto";
-import "validate/validate.proto";
-
-option java_package = "io.envoyproxy.envoy.config.core.v4alpha";
-option java_outer_classname = "SocketOptionProto";
-option java_multiple_files = true;
-option (udpa.annotations.file_status).package_version_status = NEXT_MAJOR_VERSION_CANDIDATE;
-
-// [#protodoc-title: Socket Option ]
-
-// Generic socket option message. This would be used to set socket options that
-// might not exist in upstream kernels or precompiled Envoy binaries.
-// [#next-free-field: 7]
-message SocketOption {
- option (udpa.annotations.versioning).previous_message_type = "envoy.config.core.v3.SocketOption";
-
- enum SocketState {
- // Socket options are applied after socket creation but before binding the socket to a port
- STATE_PREBIND = 0;
-
- // Socket options are applied after binding the socket to a port but before calling listen()
- STATE_BOUND = 1;
-
- // Socket options are applied after calling listen()
- STATE_LISTENING = 2;
- }
-
- // An optional name to give this socket option for debugging, etc.
- // Uniqueness is not required and no special meaning is assumed.
- string description = 1;
-
- // Corresponding to the level value passed to setsockopt, such as IPPROTO_TCP
- int64 level = 2;
-
- // The numeric name as passed to setsockopt
- int64 name = 3;
-
- oneof value {
- option (validate.required) = true;
-
- // Because many sockopts take an int value.
- int64 int_value = 4;
-
- // Otherwise it's a byte buffer.
- bytes buf_value = 5;
- }
-
- // The state in which the option will be applied. When used in BindConfig
- // STATE_PREBIND is currently the only valid value.
- SocketState state = 6 [(validate.rules).enum = {defined_only: true}];
-}
diff --git a/api/envoy/config/core/v4alpha/substitution_format_string.proto b/api/envoy/config/core/v4alpha/substitution_format_string.proto deleted file mode 100644 index 6f5037f5f177..000000000000 --- a/api/envoy/config/core/v4alpha/substitution_format_string.proto +++ /dev/null 
@@ -1,101 +0,0 @@
-syntax = "proto3";
-
-package envoy.config.core.v4alpha;
-
-import "envoy/config/core/v4alpha/base.proto";
-import "envoy/config/core/v4alpha/extension.proto";
-
-import "google/protobuf/struct.proto";
-
-import "udpa/annotations/status.proto";
-import "udpa/annotations/versioning.proto";
-import "validate/validate.proto";
-
-option java_package = "io.envoyproxy.envoy.config.core.v4alpha";
-option java_outer_classname = "SubstitutionFormatStringProto";
-option java_multiple_files = true;
-option (udpa.annotations.file_status).package_version_status = NEXT_MAJOR_VERSION_CANDIDATE;
-
-// [#protodoc-title: Substitution format string]
-
-// Configuration to use multiple :ref:`command operators `
-// to generate a new string in either plain text or JSON format.
-// [#next-free-field: 7]
-message SubstitutionFormatString {
- option (udpa.annotations.versioning).previous_message_type =
- "envoy.config.core.v3.SubstitutionFormatString";
-
- reserved 1;
-
- reserved "text_format";
-
- oneof format {
- option (validate.required) = true;
-
- // Specify a format with command operators to form a JSON string.
- // Its details is described in :ref:`format dictionary`.
- // Values are rendered as strings, numbers, or boolean values as appropriate.
- // Nested JSON objects may be produced by some command operators (e.g. FILTER_STATE or DYNAMIC_METADATA).
- // See the documentation for a specific command operator for details.
- //
- // .. validated-code-block:: yaml
- // :type-name: envoy.config.core.v3.SubstitutionFormatString
- //
- // json_format:
- // status: "%RESPONSE_CODE%"
- // message: "%LOCAL_REPLY_BODY%"
- //
- // The following JSON object would be created:
- //
- // .. code-block:: json
- //
- // {
- // "status": 500,
- // "message": "My error message"
- // }
- //
- google.protobuf.Struct json_format = 2 [(validate.rules).message = {required: true}];
-
- // Specify a format with command operators to form a text string.
- // Its details is described in :ref:`format string`.
- //
- // For example, setting ``text_format`` like below,
- //
- // .. validated-code-block:: yaml
- // :type-name: envoy.config.core.v3.SubstitutionFormatString
- //
- // text_format_source:
- // inline_string: "%LOCAL_REPLY_BODY%:%RESPONSE_CODE%:path=%REQ(:path)%\n"
- //
- // generates plain text similar to:
- //
- // .. code-block:: text
- //
- // upstream connect error:503:path=/foo
- //
- DataSource text_format_source = 5;
- }
-
- // If set to true, when command operators are evaluated to null,
- //
- // * for ``text_format``, the output of the empty operator is changed from ``-`` to an
- // empty string, so that empty values are omitted entirely.
- // * for ``json_format`` the keys with null values are omitted in the output structure.
- bool omit_empty_values = 3;
-
- // Specify a *content_type* field.
- // If this field is not set then ``text/plain`` is used for *text_format* and
- // ``application/json`` is used for *json_format*.
- //
- // .. validated-code-block:: yaml
- // :type-name: envoy.config.core.v3.SubstitutionFormatString
- //
- // content_type: "text/html; charset=UTF-8"
- //
- string content_type = 4;
-
- // Specifies a collection of Formatter plugins that can be called from the access log configuration.
- // See the formatters extensions documentation for details.
- // [#extension-category: envoy.formatter]
- repeated TypedExtensionConfig formatters = 6;
-}
diff --git a/api/envoy/config/core/v4alpha/udp_socket_config.proto b/api/envoy/config/core/v4alpha/udp_socket_config.proto
deleted file mode 100644
index 5fa6c6ec52dd..000000000000
--- a/api/envoy/config/core/v4alpha/udp_socket_config.proto
+++ /dev/null
@@ -1,35 +0,0 @@
-syntax = "proto3";
-
-package envoy.config.core.v4alpha;
-
-import "google/protobuf/wrappers.proto";
-
-import "udpa/annotations/status.proto";
-import "udpa/annotations/versioning.proto";
-import "validate/validate.proto";
-
-option java_package = "io.envoyproxy.envoy.config.core.v4alpha";
-option java_outer_classname = "UdpSocketConfigProto";
-option java_multiple_files = true;
-option (udpa.annotations.file_status).package_version_status = NEXT_MAJOR_VERSION_CANDIDATE;
-
-// [#protodoc-title: UDP socket config]
-
-// Generic UDP socket configuration.
-message UdpSocketConfig {
- option (udpa.annotations.versioning).previous_message_type =
- "envoy.config.core.v3.UdpSocketConfig";
-
- // The maximum size of received UDP datagrams. Using a larger size will cause Envoy to allocate
- // more memory per socket. Received datagrams above this size will be dropped. If not set
- // defaults to 1500 bytes.
- google.protobuf.UInt64Value max_rx_datagram_size = 1
- [(validate.rules).uint64 = {lt: 65536 gt: 0}];
-
- // Configures whether Generic Receive Offload (GRO)
- // _ is preferred when reading from the
- // UDP socket. The default is context dependent and is documented where UdpSocketConfig is used.
- // This option affects performance but not functionality. If GRO is not supported by the operating
- // system, non-GRO receive will be used.
- google.protobuf.BoolValue prefer_gro = 2;
-}
diff --git a/api/envoy/config/endpoint/v4alpha/BUILD b/api/envoy/config/endpoint/v4alpha/BUILD
deleted file mode 100644
index 79d52ad4cfbc..000000000000
--- a/api/envoy/config/endpoint/v4alpha/BUILD
+++ /dev/null
@@ -1,14 +0,0 @@ -# DO NOT EDIT. This file is generated by tools/proto_format/proto_sync.py. - -load("@envoy_api//bazel:api_build_system.bzl", "api_proto_package") - -licenses(["notice"]) # Apache 2 - -api_proto_package( - deps = [ - "//envoy/config/core/v4alpha:pkg", - "//envoy/config/endpoint/v3:pkg", - "//envoy/type/v3:pkg", - "@com_github_cncf_udpa//udpa/annotations:pkg", - ], -)
diff --git a/api/envoy/config/endpoint/v4alpha/endpoint.proto b/api/envoy/config/endpoint/v4alpha/endpoint.proto
deleted file mode 100644
index 6c87e8ffeb6d..000000000000
--- a/api/envoy/config/endpoint/v4alpha/endpoint.proto
+++ /dev/null
@@ -1,119 +0,0 @@
-syntax = "proto3";
-
-package envoy.config.endpoint.v4alpha;
-
-import "envoy/config/endpoint/v4alpha/endpoint_components.proto";
-import "envoy/type/v3/percent.proto";
-
-import "google/protobuf/duration.proto";
-import "google/protobuf/wrappers.proto";
-
-import "udpa/annotations/status.proto";
-import "udpa/annotations/versioning.proto";
-import "validate/validate.proto";
-
-option java_package = "io.envoyproxy.envoy.config.endpoint.v4alpha";
-option java_outer_classname = "EndpointProto";
-option java_multiple_files = true;
-option (udpa.annotations.file_status).package_version_status = NEXT_MAJOR_VERSION_CANDIDATE;
-
-// [#protodoc-title: Endpoint configuration]
-// Endpoint discovery :ref:`architecture overview `
-
-// Each route from RDS will map to a single cluster or traffic split across
-// clusters using weights expressed in the RDS WeightedCluster.
-//
-// With EDS, each cluster is treated independently from a LB perspective, with
-// LB taking place between the Localities within a cluster and at a finer
-// granularity between the hosts within a locality. The percentage of traffic
-// for each endpoint is determined by both its load_balancing_weight, and the
-// load_balancing_weight of its locality. First, a locality will be selected,
-// then an endpoint within that locality will be chose based on its weight.
-// [#next-free-field: 6]
-message ClusterLoadAssignment {
- option (udpa.annotations.versioning).previous_message_type =
- "envoy.config.endpoint.v3.ClusterLoadAssignment";
-
- // Load balancing policy settings.
- // [#next-free-field: 6]
- message Policy {
- option (udpa.annotations.versioning).previous_message_type =
- "envoy.config.endpoint.v3.ClusterLoadAssignment.Policy";
-
- // [#not-implemented-hide:]
- message DropOverload {
- option (udpa.annotations.versioning).previous_message_type =
- "envoy.config.endpoint.v3.ClusterLoadAssignment.Policy.DropOverload";
-
- // Identifier for the policy specifying the drop.
- string category = 1 [(validate.rules).string = {min_len: 1}];
-
- // Percentage of traffic that should be dropped for the category.
- type.v3.FractionalPercent drop_percentage = 2;
- }
-
- reserved 1, 5;
-
- reserved "disable_overprovisioning";
-
- // Action to trim the overall incoming traffic to protect the upstream
- // hosts. This action allows protection in case the hosts are unable to
- // recover from an outage, or unable to autoscale or unable to handle
- // incoming traffic volume for any reason.
- //
- // At the client each category is applied one after the other to generate
- // the 'actual' drop percentage on all outgoing traffic. For example:
- //
- // .. code-block:: json
- //
- // { "drop_overloads": [
- // { "category": "throttle", "drop_percentage": 60 }
- // { "category": "lb", "drop_percentage": 50 }
- // ]}
- //
- // The actual drop percentages applied to the traffic at the clients will be
- // "throttle"_drop = 60%
- // "lb"_drop = 20% // 50% of the remaining 'actual' load, which is 40%.
- // actual_outgoing_load = 20% // remaining after applying all categories.
- // [#not-implemented-hide:]
- repeated DropOverload drop_overloads = 2;
-
- // Priority levels and localities are considered overprovisioned with this
- // factor (in percentage). This means that we don't consider a priority
- // level or locality unhealthy until the fraction of healthy hosts
- // multiplied by the overprovisioning factor drops below 100.
- // With the default value 140(1.4), Envoy doesn't consider a priority level
- // or a locality unhealthy until their percentage of healthy hosts drops
- // below 72%. For example:
- //
- // .. code-block:: json
- //
- // { "overprovisioning_factor": 100 }
- //
- // Read more at :ref:`priority levels ` and
- // :ref:`localities `.
- google.protobuf.UInt32Value overprovisioning_factor = 3 [(validate.rules).uint32 = {gt: 0}];
-
- // The max time until which the endpoints from this assignment can be used.
- // If no new assignments are received before this time expires the endpoints
- // are considered stale and should be marked unhealthy.
- // Defaults to 0 which means endpoints never go stale.
- google.protobuf.Duration endpoint_stale_after = 4 [(validate.rules).duration = {gt {}}];
- }
-
- // Name of the cluster. This will be the :ref:`service_name
- // ` value if specified
- // in the cluster :ref:`EdsClusterConfig
- // `.
- string cluster_name = 1 [(validate.rules).string = {min_len: 1}];
-
- // List of endpoints to load balance to.
- repeated LocalityLbEndpoints endpoints = 2;
-
- // Map of named endpoints that can be referenced in LocalityLbEndpoints.
- // [#not-implemented-hide:]
- map named_endpoints = 5;
-
- // Load balancing policy settings.
- Policy policy = 4;
-}
diff --git a/api/envoy/config/endpoint/v4alpha/endpoint_components.proto b/api/envoy/config/endpoint/v4alpha/endpoint_components.proto
deleted file mode 100644
index 1529458708a9..000000000000
--- a/api/envoy/config/endpoint/v4alpha/endpoint_components.proto
+++ /dev/null
@@ -1,195 +0,0 @@
-syntax = "proto3";
-
-package envoy.config.endpoint.v4alpha;
-
-import "envoy/config/core/v4alpha/address.proto";
-import "envoy/config/core/v4alpha/base.proto";
-import "envoy/config/core/v4alpha/config_source.proto";
-import "envoy/config/core/v4alpha/health_check.proto";
-
-import "google/protobuf/wrappers.proto";
-
-import "udpa/annotations/status.proto";
-import "udpa/annotations/versioning.proto";
-import "validate/validate.proto";
-
-option java_package = "io.envoyproxy.envoy.config.endpoint.v4alpha";
-option java_outer_classname = "EndpointComponentsProto";
-option java_multiple_files = true;
-option (udpa.annotations.file_status).package_version_status = NEXT_MAJOR_VERSION_CANDIDATE;
-
-// [#protodoc-title: Endpoints]
-
-// Upstream host identifier.
-message Endpoint {
- option (udpa.annotations.versioning).previous_message_type = "envoy.config.endpoint.v3.Endpoint";
-
- // The optional health check configuration.
- message HealthCheckConfig {
- option (udpa.annotations.versioning).previous_message_type =
- "envoy.config.endpoint.v3.Endpoint.HealthCheckConfig";
-
- // Optional alternative health check port value.
- //
- // By default the health check address port of an upstream host is the same
- // as the host's serving address port. This provides an alternative health
- // check port. Setting this with a non-zero value allows an upstream host
- // to have different health check address port.
- uint32 port_value = 1 [(validate.rules).uint32 = {lte: 65535}];
-
- // By default, the host header for L7 health checks is controlled by cluster level configuration
- // (see: :ref:`host ` and
- // :ref:`authority `). Setting this
- // to a non-empty value allows overriding the cluster level configuration for a specific
- // endpoint.
- string hostname = 2;
- }
-
- // The upstream host address.
- //
- // .. attention::
- //
- // The form of host address depends on the given cluster type. For STATIC or EDS,
- // it is expected to be a direct IP address (or something resolvable by the
- // specified :ref:`resolver `
- // in the Address). For LOGICAL or STRICT DNS, it is expected to be hostname,
- // and will be resolved via DNS.
- core.v4alpha.Address address = 1;
-
- // The optional health check configuration is used as configuration for the
- // health checker to contact the health checked host.
- //
- // .. attention::
- //
- // This takes into effect only for upstream clusters with
- // :ref:`active health checking ` enabled.
- HealthCheckConfig health_check_config = 2;
-
- // The hostname associated with this endpoint. This hostname is not used for routing or address
- // resolution. If provided, it will be associated with the endpoint, and can be used for features
- // that require a hostname, like
- // :ref:`auto_host_rewrite `.
- string hostname = 3;
-}
-
-// An Endpoint that Envoy can route traffic to.
-// [#next-free-field: 6]
-message LbEndpoint {
- option (udpa.annotations.versioning).previous_message_type =
- "envoy.config.endpoint.v3.LbEndpoint";
-
- // Upstream host identifier or a named reference.
- oneof host_identifier {
- Endpoint endpoint = 1;
-
- // [#not-implemented-hide:]
- string endpoint_name = 5;
- }
-
- // Optional health status when known and supplied by EDS server.
- core.v4alpha.HealthStatus health_status = 2;
-
- // The endpoint metadata specifies values that may be used by the load
- // balancer to select endpoints in a cluster for a given request. The filter
- // name should be specified as *envoy.lb*. An example boolean key-value pair
- // is *canary*, providing the optional canary status of the upstream host.
- // This may be matched against in a route's
- // :ref:`RouteAction ` metadata_match field
- // to subset the endpoints considered in cluster load balancing.
- core.v4alpha.Metadata metadata = 3;
-
- // The optional load balancing weight of the upstream host; at least 1.
- // Envoy uses the load balancing weight in some of the built in load
- // balancers. The load balancing weight for an endpoint is divided by the sum
- // of the weights of all endpoints in the endpoint's locality to produce a
- // percentage of traffic for the endpoint. This percentage is then further
- // weighted by the endpoint's locality's load balancing weight from
- // LocalityLbEndpoints. If unspecified, each host is presumed to have equal
- // weight in a locality. The sum of the weights of all endpoints in the
- // endpoint's locality must not exceed uint32_t maximal value (4294967295).
- google.protobuf.UInt32Value load_balancing_weight = 4 [(validate.rules).uint32 = {gte: 1}];
-}
-
-// [#not-implemented-hide:]
-// A configuration for a LEDS collection.
-message LedsClusterLocalityConfig {
- option (udpa.annotations.versioning).previous_message_type =
- "envoy.config.endpoint.v3.LedsClusterLocalityConfig";
-
- // Configuration for the source of LEDS updates for a Locality.
- core.v4alpha.ConfigSource leds_config = 1;
-
- // The xDS transport protocol glob collection resource name.
- // The service is only supported in delta xDS (incremental) mode.
- string leds_collection_name = 2;
-}
-
-// A group of endpoints belonging to a Locality.
-// One can have multiple LocalityLbEndpoints for a locality, but this is
-// generally only done if the different groups need to have different load
-// balancing weights or different priorities.
-// [#next-free-field: 9]
-message LocalityLbEndpoints {
- option (udpa.annotations.versioning).previous_message_type =
- "envoy.config.endpoint.v3.LocalityLbEndpoints";
-
- // [#not-implemented-hide:]
- // A list of endpoints of a specific locality.
- message LbEndpointList {
- option (udpa.annotations.versioning).previous_message_type =
- "envoy.config.endpoint.v3.LocalityLbEndpoints.LbEndpointList";
-
- repeated LbEndpoint lb_endpoints = 1;
- }
-
- // Identifies location of where the upstream hosts run.
- core.v4alpha.Locality locality = 1;
-
- // The group of endpoints belonging to the locality specified.
- // [#comment:TODO(adisuissa): Once LEDS is implemented this field needs to be
- // deprecated and replaced by *load_balancer_endpoints*.]
- repeated LbEndpoint lb_endpoints = 2;
-
- // [#not-implemented-hide:]
- oneof lb_config {
- // The group of endpoints belonging to the locality.
- // [#comment:TODO(adisuissa): Once LEDS is implemented the *lb_endpoints* field
- // needs to be deprecated.]
- LbEndpointList load_balancer_endpoints = 7;
-
- // LEDS Configuration for the current locality.
- LedsClusterLocalityConfig leds_cluster_locality_config = 8;
- }
-
- // Optional: Per priority/region/zone/sub_zone weight; at least 1. The load
- // balancing weight for a locality is divided by the sum of the weights of all
- // localities at the same priority level to produce the effective percentage
- // of traffic for the locality. The sum of the weights of all localities at
- // the same priority level must not exceed uint32_t maximal value (4294967295).
- //
- // Locality weights are only considered when :ref:`locality weighted load
- // balancing ` is
- // configured. These weights are ignored otherwise. If no weights are
- // specified when locality weighted load balancing is enabled, the locality is
- // assigned no load.
- google.protobuf.UInt32Value load_balancing_weight = 3 [(validate.rules).uint32 = {gte: 1}];
-
- // Optional: the priority for this LocalityLbEndpoints. If unspecified this will
- // default to the highest priority (0).
- //
- // Under usual circumstances, Envoy will only select endpoints for the highest
- // priority (0). In the event all endpoints for a particular priority are
- // unavailable/unhealthy, Envoy will fail over to selecting endpoints for the
- // next highest priority group.
- //
- // Priorities should range from 0 (highest) to N (lowest) without skipping.
- uint32 priority = 5 [(validate.rules).uint32 = {lte: 128}];
-
- // Optional: Per locality proximity value which indicates how close this
- // locality is from the source locality. This value only provides ordering
- // information (lower the value, closer it is to the source locality).
- // This will be consumed by load balancing schemes that need proximity order
- // to determine where to route the requests.
- // [#not-implemented-hide:]
- google.protobuf.UInt32Value proximity = 6;
-}
diff --git a/api/envoy/config/endpoint/v4alpha/load_report.proto b/api/envoy/config/endpoint/v4alpha/load_report.proto
deleted file mode 100644
index e89fcdadda16..000000000000
--- a/api/envoy/config/endpoint/v4alpha/load_report.proto
+++ /dev/null
@@ -1,168 +0,0 @@
-syntax = "proto3";
-
-package envoy.config.endpoint.v4alpha;
-
-import "envoy/config/core/v4alpha/address.proto";
-import "envoy/config/core/v4alpha/base.proto";
-
-import "google/protobuf/duration.proto";
-import "google/protobuf/struct.proto";
-
-import "udpa/annotations/status.proto";
-import "udpa/annotations/versioning.proto";
-import "validate/validate.proto";
-
-option java_package = "io.envoyproxy.envoy.config.endpoint.v4alpha";
-option java_outer_classname = "LoadReportProto";
-option java_multiple_files = true;
-option (udpa.annotations.file_status).package_version_status = NEXT_MAJOR_VERSION_CANDIDATE;
-
-// [#protodoc-title: Load Report]
-
-// These are stats Envoy reports to the management server at a frequency defined by
-// :ref:`LoadStatsResponse.load_reporting_interval`.
-// Stats per upstream region/zone and optionally per subzone.
-// [#next-free-field: 9]
-message UpstreamLocalityStats {
- option (udpa.annotations.versioning).previous_message_type =
- "envoy.config.endpoint.v3.UpstreamLocalityStats";
-
- // Name of zone, region and optionally endpoint group these metrics were
- // collected from. Zone and region names could be empty if unknown.
- core.v4alpha.Locality locality = 1;
-
- // The total number of requests successfully completed by the endpoints in the
- // locality.
- uint64 total_successful_requests = 2;
-
- // The total number of unfinished requests
- uint64 total_requests_in_progress = 3;
-
- // The total number of requests that failed due to errors at the endpoint,
- // aggregated over all endpoints in the locality.
- uint64 total_error_requests = 4;
-
- // The total number of requests that were issued by this Envoy since
- // the last report. This information is aggregated over all the
- // upstream endpoints in the locality.
- uint64 total_issued_requests = 8;
-
- // Stats for multi-dimensional load balancing.
- repeated EndpointLoadMetricStats load_metric_stats = 5;
-
- // Endpoint granularity stats information for this locality. This information
- // is populated if the Server requests it by setting
- // :ref:`LoadStatsResponse.report_endpoint_granularity`.
- repeated UpstreamEndpointStats upstream_endpoint_stats = 7;
-
- // [#not-implemented-hide:] The priority of the endpoint group these metrics
- // were collected from.
- uint32 priority = 6;
-}
-
-// [#next-free-field: 8]
-message UpstreamEndpointStats {
- option (udpa.annotations.versioning).previous_message_type =
- "envoy.config.endpoint.v3.UpstreamEndpointStats";
-
- // Upstream host address.
- core.v4alpha.Address address = 1;
-
- // Opaque and implementation dependent metadata of the
- // endpoint. Envoy will pass this directly to the management server.
- google.protobuf.Struct metadata = 6;
-
- // The total number of requests successfully completed by the endpoints in the
- // locality. These include non-5xx responses for HTTP, where errors
- // originate at the client and the endpoint responded successfully. For gRPC,
- // the grpc-status values are those not covered by total_error_requests below.
- uint64 total_successful_requests = 2;
-
- // The total number of unfinished requests for this endpoint.
- uint64 total_requests_in_progress = 3;
-
- // The total number of requests that failed due to errors at the endpoint.
- // For HTTP these are responses with 5xx status codes and for gRPC the
- // grpc-status values:
- //
- // - DeadlineExceeded
- // - Unimplemented
- // - Internal
- // - Unavailable
- // - Unknown
- // - DataLoss
- uint64 total_error_requests = 4;
-
- // The total number of requests that were issued to this endpoint
- // since the last report. A single TCP connection, HTTP or gRPC
- // request or stream is counted as one request.
- uint64 total_issued_requests = 7;
-
- // Stats for multi-dimensional load balancing.
- repeated EndpointLoadMetricStats load_metric_stats = 5;
-}
-
-message EndpointLoadMetricStats {
- option (udpa.annotations.versioning).previous_message_type =
- "envoy.config.endpoint.v3.EndpointLoadMetricStats";
-
- // Name of the metric; may be empty.
- string metric_name = 1;
-
- // Number of calls that finished and included this metric.
- uint64 num_requests_finished_with_metric = 2;
-
- // Sum of metric values across all calls that finished with this metric for
- // load_reporting_interval.
- double total_metric_value = 3;
-}
-
-// Per cluster load stats. Envoy reports these stats a management server in a
-// :ref:`LoadStatsRequest`
-// Next ID: 7
-// [#next-free-field: 7]
-message ClusterStats {
- option (udpa.annotations.versioning).previous_message_type =
- "envoy.config.endpoint.v3.ClusterStats";
-
- message DroppedRequests {
- option (udpa.annotations.versioning).previous_message_type =
- "envoy.config.endpoint.v3.ClusterStats.DroppedRequests";
-
- // Identifier for the policy specifying the drop.
- string category = 1 [(validate.rules).string = {min_len: 1}];
-
- // Total number of deliberately dropped requests for the category.
- uint64 dropped_count = 2;
- }
-
- // The name of the cluster.
- string cluster_name = 1 [(validate.rules).string = {min_len: 1}];
-
- // The eds_cluster_config service_name of the cluster.
- // It's possible that two clusters send the same service_name to EDS,
- // in that case, the management server is supposed to do aggregation on the load reports.
- string cluster_service_name = 6;
-
- // Need at least one.
- repeated UpstreamLocalityStats upstream_locality_stats = 2
- [(validate.rules).repeated = {min_items: 1}];
-
- // Cluster-level stats such as total_successful_requests may be computed by
- // summing upstream_locality_stats. In addition, below there are additional
- // cluster-wide stats.
- //
- // The total number of dropped requests. This covers requests
- // deliberately dropped by the drop_overload policy and circuit breaking.
- uint64 total_dropped_requests = 3;
-
- // Information about deliberately dropped requests for each category specified
- // in the DropOverload policy.
- repeated DroppedRequests dropped_requests = 5;
-
- // Period over which the actual load report occurred. This will be guaranteed to include every
- // request reported. Due to system load and delays between the *LoadStatsRequest* sent from Envoy
- // and the *LoadStatsResponse* message sent from the management server, this may be longer than
- // the requested load reporting interval in the *LoadStatsResponse*.
- google.protobuf.Duration load_report_interval = 4;
-}
diff --git a/api/envoy/config/listener/v4alpha/BUILD b/api/envoy/config/listener/v4alpha/BUILD
deleted file mode 100644
index 005a92722c4e..000000000000
--- a/api/envoy/config/listener/v4alpha/BUILD
+++ /dev/null
@@ -1,16 +0,0 @@ -# DO NOT EDIT. This file is generated by tools/proto_format/proto_sync.py. - -load("@envoy_api//bazel:api_build_system.bzl", "api_proto_package") - -licenses(["notice"]) # Apache 2 - -api_proto_package( - deps = [ - "//envoy/config/accesslog/v4alpha:pkg", - "//envoy/config/core/v4alpha:pkg", - "//envoy/config/listener/v3:pkg", - "//envoy/type/v3:pkg", - "@com_github_cncf_udpa//udpa/annotations:pkg", - "@com_github_cncf_udpa//xds/core/v3:pkg", - ], -)
diff --git a/api/envoy/config/listener/v4alpha/api_listener.proto b/api/envoy/config/listener/v4alpha/api_listener.proto
deleted file mode 100644
index 518caf879ad5..000000000000
--- a/api/envoy/config/listener/v4alpha/api_listener.proto
+++ /dev/null
@@ -1,33 +0,0 @@
-syntax = "proto3";
-
-package envoy.config.listener.v4alpha;
-
-import "google/protobuf/any.proto";
-
-import "udpa/annotations/status.proto";
-import "udpa/annotations/versioning.proto";
-
-option java_package = "io.envoyproxy.envoy.config.listener.v4alpha";
-option java_outer_classname = "ApiListenerProto";
-option java_multiple_files = true;
-option (udpa.annotations.file_status).package_version_status = NEXT_MAJOR_VERSION_CANDIDATE;
-
-// [#protodoc-title: API listener]
-
-// Describes a type of API listener, which is used in non-proxy clients. The type of API
-// exposed to the non-proxy application depends on the type of API listener.
-message ApiListener {
- option (udpa.annotations.versioning).previous_message_type =
- "envoy.config.listener.v3.ApiListener";
-
- // The type in this field determines the type of API listener. At present, the following
- // types are supported:
- // envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager (HTTP)
- // envoy.extensions.filters.network.http_connection_manager.v3.EnvoyMobileHttpConnectionManager (HTTP)
- // [#next-major-version: In the v3 API, replace this Any field with a oneof containing the
- // specific config message for each type of API listener. We could not do this in v2 because
- // it would have caused circular dependencies for go protos: lds.proto depends on this file,
- // and http_connection_manager.proto depends on rds.proto, which is in the same directory as
- // lds.proto, so lds.proto cannot depend on this file.]
- google.protobuf.Any api_listener = 1;
-}
diff --git a/api/envoy/config/listener/v4alpha/listener.proto b/api/envoy/config/listener/v4alpha/listener.proto
deleted file mode 100644
index e26160cb2a4a..000000000000
--- a/api/envoy/config/listener/v4alpha/listener.proto
+++ /dev/null
@@ -1,317 +0,0 @@ -syntax = "proto3"; - -package envoy.config.listener.v4alpha; - -import "envoy/config/accesslog/v4alpha/accesslog.proto"; -import "envoy/config/core/v4alpha/address.proto"; -import "envoy/config/core/v4alpha/base.proto"; -import "envoy/config/core/v4alpha/socket_option.proto"; -import "envoy/config/listener/v4alpha/api_listener.proto"; -import "envoy/config/listener/v4alpha/listener_components.proto"; -import "envoy/config/listener/v4alpha/udp_listener_config.proto"; - -import "google/protobuf/duration.proto"; -import "google/protobuf/wrappers.proto"; - -import "xds/core/v3/collection_entry.proto"; - -import "udpa/annotations/security.proto"; -import "udpa/annotations/status.proto"; -import "udpa/annotations/versioning.proto"; -import "validate/validate.proto"; - -option java_package = "io.envoyproxy.envoy.config.listener.v4alpha"; -option java_outer_classname = "ListenerProto"; -option java_multiple_files = true; -option (udpa.annotations.file_status).package_version_status = NEXT_MAJOR_VERSION_CANDIDATE; - -// [#protodoc-title: Listener configuration] -// Listener :ref:`configuration overview ` - -// Listener list collections. Entries are *Listener* resources or references. -// [#not-implemented-hide:] -message ListenerCollection { - option (udpa.annotations.versioning).previous_message_type = - "envoy.config.listener.v3.ListenerCollection"; - - repeated xds.core.v3.CollectionEntry entries = 1; -} - -// [#next-free-field: 30] -message Listener { - option (udpa.annotations.versioning).previous_message_type = "envoy.config.listener.v3.Listener"; - - enum DrainType { - // Drain in response to calling /healthcheck/fail admin endpoint (along with the health check - // filter), listener removal/modification, and hot restart. - DEFAULT = 0; - - // Drain in response to listener removal/modification and hot restart. This setting does not - // include /healthcheck/fail. 
This setting may be desirable if Envoy is hosting both ingress - // and egress listeners. - MODIFY_ONLY = 1; - } - - // [#not-implemented-hide:] - message DeprecatedV1 { - option (udpa.annotations.versioning).previous_message_type = - "envoy.config.listener.v3.Listener.DeprecatedV1"; - - // Whether the listener should bind to the port. A listener that doesn't - // bind can only receive connections redirected from other listeners that - // set use_original_dst parameter to true. Default is true. - // - // This is deprecated. Use :ref:`Listener.bind_to_port - // ` - google.protobuf.BoolValue bind_to_port = 1; - } - - // Configuration for listener connection balancing. - message ConnectionBalanceConfig { - option (udpa.annotations.versioning).previous_message_type = - "envoy.config.listener.v3.Listener.ConnectionBalanceConfig"; - - // A connection balancer implementation that does exact balancing. This means that a lock is - // held during balancing so that connection counts are nearly exactly balanced between worker - // threads. This is "nearly" exact in the sense that a connection might close in parallel thus - // making the counts incorrect, but this should be rectified on the next accept. This balancer - // sacrifices accept throughput for accuracy and should be used when there are a small number of - // connections that rarely cycle (e.g., service mesh gRPC egress). - message ExactBalance { - option (udpa.annotations.versioning).previous_message_type = - "envoy.config.listener.v3.Listener.ConnectionBalanceConfig.ExactBalance"; - } - - oneof balance_type { - option (validate.required) = true; - - // If specified, the listener will use the exact connection balancer. - ExactBalance exact_balance = 1; - } - } - - // Configuration for envoy internal listener. All the future internal listener features should be added here. 
- // [#not-implemented-hide:] - message InternalListenerConfig { - option (udpa.annotations.versioning).previous_message_type = - "envoy.config.listener.v3.Listener.InternalListenerConfig"; - } - - reserved 14, 23, 7, 21; - - reserved "deprecated_v1", "reuse_port"; - - // The unique name by which this listener is known. If no name is provided, - // Envoy will allocate an internal UUID for the listener. If the listener is to be dynamically - // updated or removed via :ref:`LDS ` a unique name must be provided. - string name = 1; - - // The address that the listener should listen on. In general, the address must be unique, though - // that is governed by the bind rules of the OS. E.g., multiple listeners can listen on port 0 on - // Linux as the actual port will be allocated by the OS. - core.v4alpha.Address address = 2 [(validate.rules).message = {required: true}]; - - // Optional prefix to use on listener stats. If empty, the stats will be rooted at - // `listener.
.`. If non-empty, stats will be rooted at - // `listener..`. - string stat_prefix = 28; - - // A list of filter chains to consider for this listener. The - // :ref:`FilterChain ` with the most specific - // :ref:`FilterChainMatch ` criteria is used on a - // connection. - // - // Example using SNI for filter chain selection can be found in the - // :ref:`FAQ entry `. - repeated FilterChain filter_chains = 3; - - // If a connection is redirected using *iptables*, the port on which the proxy - // receives it might be different from the original destination address. When this flag is set to - // true, the listener hands off redirected connections to the listener associated with the - // original destination address. If there is no listener associated with the original destination - // address, the connection is handled by the listener that receives it. Defaults to false. - google.protobuf.BoolValue use_original_dst = 4; - - // The default filter chain if none of the filter chain matches. If no default filter chain is supplied, - // the connection will be closed. The filter chain match is ignored in this field. - FilterChain default_filter_chain = 25; - - // Soft limit on size of the listener’s new connection read and write buffers. - // If unspecified, an implementation defined default is applied (1MiB). - google.protobuf.UInt32Value per_connection_buffer_limit_bytes = 5 - [(udpa.annotations.security).configure_for_untrusted_downstream = true]; - - // Listener metadata. - core.v4alpha.Metadata metadata = 6; - - // The type of draining to perform at a listener-wide level. - DrainType drain_type = 8; - - // Listener filters have the opportunity to manipulate and augment the connection metadata that - // is used in connection filter chain matching, for example. These filters are run before any in - // :ref:`filter_chains `. 
Order matters as the - // filters are processed sequentially right after a socket has been accepted by the listener, and - // before a connection is created. - // UDP Listener filters can be specified when the protocol in the listener socket address in - // :ref:`protocol ` is :ref:`UDP - // `. - // UDP listeners currently support a single filter. - repeated ListenerFilter listener_filters = 9; - - // The timeout to wait for all listener filters to complete operation. If the timeout is reached, - // the accepted socket is closed without a connection being created unless - // `continue_on_listener_filters_timeout` is set to true. Specify 0 to disable the - // timeout. If not specified, a default timeout of 15s is used. - google.protobuf.Duration listener_filters_timeout = 15; - - // Whether a connection should be created when listener filters timeout. Default is false. - // - // .. attention:: - // - // Some listener filters, such as :ref:`Proxy Protocol filter - // `, should not be used with this option. It will cause - // unexpected behavior when a connection is created. - bool continue_on_listener_filters_timeout = 17; - - // Whether the listener should be set as a transparent socket. - // When this flag is set to true, connections can be redirected to the listener using an - // *iptables* *TPROXY* target, in which case the original source and destination addresses and - // ports are preserved on accepted connections. This flag should be used in combination with - // :ref:`an original_dst ` :ref:`listener filter - // ` to mark the connections' local addresses as - // "restored." This can be used to hand off each redirected connection to another listener - // associated with the connection's destination address. Direct connections to the socket without - // using *TPROXY* cannot be distinguished from connections redirected using *TPROXY* and are - // therefore treated as if they were redirected. 
- // When this flag is set to false, the listener's socket is explicitly reset as non-transparent. - // Setting this flag requires Envoy to run with the *CAP_NET_ADMIN* capability. - // When this flag is not set (default), the socket is not modified, i.e. the transparent option - // is neither set nor reset. - google.protobuf.BoolValue transparent = 10; - - // Whether the listener should set the *IP_FREEBIND* socket option. When this - // flag is set to true, listeners can be bound to an IP address that is not - // configured on the system running Envoy. When this flag is set to false, the - // option *IP_FREEBIND* is disabled on the socket. When this flag is not set - // (default), the socket is not modified, i.e. the option is neither enabled - // nor disabled. - google.protobuf.BoolValue freebind = 11; - - // Additional socket options that may not be present in Envoy source code or - // precompiled binaries. - repeated core.v4alpha.SocketOption socket_options = 13; - - // Whether the listener should accept TCP Fast Open (TFO) connections. - // When this flag is set to a value greater than 0, the option TCP_FASTOPEN is enabled on - // the socket, with a queue length of the specified size - // (see `details in RFC7413 `_). - // When this flag is set to 0, the option TCP_FASTOPEN is disabled on the socket. - // When this flag is not set (default), the socket is not modified, - // i.e. the option is neither enabled nor disabled. - // - // On Linux, the net.ipv4.tcp_fastopen kernel parameter must include flag 0x2 to enable - // TCP_FASTOPEN. - // See `ip-sysctl.txt `_. - // - // On macOS, only values of 0, 1, and unset are valid; other values may result in an error. - // To set the queue length on macOS, set the net.inet.tcp.fastopen_backlog kernel parameter. - google.protobuf.UInt32Value tcp_fast_open_queue_length = 12; - - // Specifies the intended direction of the traffic relative to the local Envoy. 
- // This property is required on Windows for listeners using the original destination filter, - // see :ref:`Original Destination `. - core.v4alpha.TrafficDirection traffic_direction = 16; - - // If the protocol in the listener socket address in :ref:`protocol - // ` is :ref:`UDP - // `, this field specifies UDP - // listener specific configuration. - UdpListenerConfig udp_listener_config = 18; - - // Used to represent an API listener, which is used in non-proxy clients. The type of API - // exposed to the non-proxy application depends on the type of API listener. - // When this field is set, no other field except for :ref:`name` - // should be set. - // - // .. note:: - // - // Currently only one ApiListener can be installed; and it can only be done via bootstrap config, - // not LDS. - // - // [#next-major-version: In the v3 API, instead of this messy approach where the socket - // listener fields are directly in the top-level Listener message and the API listener types - // are in the ApiListener message, the socket listener messages should be in their own message, - // and the top-level Listener should essentially be a oneof that selects between the - // socket listener and the various types of API listener. That way, a given Listener message - // can structurally only contain the fields of the relevant type.] - ApiListener api_listener = 19; - - // The listener's connection balancer configuration, currently only applicable to TCP listeners. - // If no configuration is specified, Envoy will not attempt to balance active connections between - // worker threads. - // - // In the scenario that the listener X redirects all the connections to the listeners Y1 and Y2 - // by setting :ref:`use_original_dst ` in X - // and :ref:`bind_to_port ` to false in Y1 and Y2, - // it is recommended to disable the balance config in listener X to avoid the cost of balancing, and - // enable the balance config in Y1 and Y2 to balance the connections among the workers. 
- ConnectionBalanceConfig connection_balance_config = 20; - - // When this flag is set to true, listeners set the *SO_REUSEPORT* socket option and - // create one socket for each worker thread. This makes inbound connections - // distribute among worker threads roughly evenly in cases where there are a high number - // of connections. When this flag is set to false, all worker threads share one socket. This field - // defaults to true. - // - // .. attention:: - // - // Although this field defaults to true, it has different behavior on different platforms. See - // the following text for more information. - // - // * On Linux, reuse_port is respected for both TCP and UDP listeners. It also works correctly - // with hot restart. - // * On macOS, reuse_port for TCP does not do what it does on Linux. Instead of load balancing, - // the last socket wins and receives all connections/packets. For TCP, reuse_port is force - // disabled and the user is warned. For UDP, it is enabled, but only one worker will receive - // packets. For QUIC/H3, SW routing will send packets to other workers. For "raw" UDP, only - // a single worker will currently receive packets. - // * On Windows, reuse_port for TCP has undefined behavior. It is force disabled and the user - // is warned similar to macOS. It is left enabled for UDP with undefined behavior currently. - google.protobuf.BoolValue enable_reuse_port = 29; - - // Configuration for :ref:`access logs ` - // emitted by this listener. - repeated accesslog.v4alpha.AccessLog access_log = 22; - - // The maximum length a tcp listener's pending connections queue can grow to. If no value is - // provided net.core.somaxconn will be used on Linux and 128 otherwise. - google.protobuf.UInt32Value tcp_backlog_size = 24; - - // Whether the listener should bind to the port. A listener that doesn't - // bind can only receive connections redirected from other listeners that set - // :ref:`use_original_dst ` - // to true. Default is true. 
- google.protobuf.BoolValue bind_to_port = 26; - - // The exclusive listener type and the corresponding config. - // TODO(lambdai): https://github.com/envoyproxy/envoy/issues/15372 - // Will create and add TcpListenerConfig. Will add UdpListenerConfig and ApiListener. - // [#not-implemented-hide:] - oneof listener_specifier { - // Used to represent an internal listener which does not listen on OSI L4 address but can be used by the - // :ref:`envoy cluster ` to create a user space connection to. - // The internal listener acts as a tcp listener. It supports listener filters and network filter chains. - // The internal listener require :ref:`address ` has - // field `envoy_internal_address`. - // - // There are some limitations are derived from the implementation. The known limitations include - // - // * :ref:`ConnectionBalanceConfig ` is not - // allowed because both cluster connection and listener connection must be owned by the same dispatcher. - // * :ref:`tcp_backlog_size ` - // * :ref:`freebind ` - // * :ref:`transparent ` - // [#not-implemented-hide:] - InternalListenerConfig internal_listener = 27; - } -} diff --git a/api/envoy/config/listener/v4alpha/listener_components.proto b/api/envoy/config/listener/v4alpha/listener_components.proto deleted file mode 100644 index 6fc16227542f..000000000000 --- a/api/envoy/config/listener/v4alpha/listener_components.proto +++ /dev/null 
@@ -1,349 +0,0 @@ -syntax = "proto3"; - -package envoy.config.listener.v4alpha; - -import "envoy/config/core/v4alpha/address.proto"; -import "envoy/config/core/v4alpha/base.proto"; -import "envoy/config/core/v4alpha/extension.proto"; -import "envoy/type/v3/range.proto"; - -import "google/protobuf/any.proto"; -import "google/protobuf/duration.proto"; -import "google/protobuf/wrappers.proto"; - -import "udpa/annotations/status.proto"; -import "udpa/annotations/versioning.proto"; -import "validate/validate.proto"; - -option java_package = "io.envoyproxy.envoy.config.listener.v4alpha"; -option java_outer_classname = "ListenerComponentsProto"; -option java_multiple_files = true; -option (udpa.annotations.file_status).package_version_status = NEXT_MAJOR_VERSION_CANDIDATE; - -// [#protodoc-title: Listener components] -// Listener :ref:`configuration overview ` - -// [#next-free-field: 6] -message Filter { - option (udpa.annotations.versioning).previous_message_type = "envoy.config.listener.v3.Filter"; - - reserved 3, 2; - - reserved "config"; - - // The name of the filter to instantiate. The name must match a - // :ref:`supported filter `. - string name = 1 [(validate.rules).string = {min_len: 1}]; - - oneof config_type { - // Filter specific configuration which depends on the filter being - // instantiated. See the supported filters for further documentation. - // [#extension-category: envoy.filters.network] - google.protobuf.Any typed_config = 4; - - // Configuration source specifier for an extension configuration discovery - // service. In case of a failure and without the default configuration, the - // listener closes the connections. - // [#not-implemented-hide:] - core.v4alpha.ExtensionConfigSource config_discovery = 5; - } -} - -// Specifies the match criteria for selecting a specific filter chain for a -// listener. 
-// -// In order for a filter chain to be selected, *ALL* of its criteria must be -// fulfilled by the incoming connection, properties of which are set by the -// networking stack and/or listener filters. -// -// The following order applies: -// -// 1. Destination port. -// 2. Destination IP address. -// 3. Server name (e.g. SNI for TLS protocol), -// 4. Transport protocol. -// 5. Application protocols (e.g. ALPN for TLS protocol). -// 6. Directly connected source IP address (this will only be different from the source IP address -// when using a listener filter that overrides the source address, such as the :ref:`Proxy Protocol -// listener filter `). -// 7. Source type (e.g. any, local or external network). -// 8. Source IP address. -// 9. Source port. -// -// For criteria that allow ranges or wildcards, the most specific value in any -// of the configured filter chains that matches the incoming connection is going -// to be used (e.g. for SNI ``www.example.com`` the most specific match would be -// ``www.example.com``, then ``*.example.com``, then ``*.com``, then any filter -// chain without ``server_names`` requirements). -// -// A different way to reason about the filter chain matches: -// Suppose there exists N filter chains. Prune the filter chain set using the above 8 steps. -// In each step, filter chains which most specifically matches the attributes continue to the next step. -// The listener guarantees at most 1 filter chain is left after all of the steps. -// -// Example: -// -// For destination port, filter chains specifying the destination port of incoming traffic are the -// most specific match. If none of the filter chains specifies the exact destination port, the filter -// chains which do not specify ports are the most specific match. Filter chains specifying the -// wrong port can never be the most specific match. 
-// -// [#comment: Implemented rules are kept in the preference order, with deprecated fields -// listed at the end, because that's how we want to list them in the docs. -// -// [#comment:TODO(PiotrSikora): Add support for configurable precedence of the rules] -// [#next-free-field: 14] -message FilterChainMatch { - option (udpa.annotations.versioning).previous_message_type = - "envoy.config.listener.v3.FilterChainMatch"; - - enum ConnectionSourceType { - // Any connection source matches. - ANY = 0; - - // Match a connection originating from the same host. - SAME_IP_OR_LOOPBACK = 1; - - // Match a connection originating from a different host. - EXTERNAL = 2; - } - - reserved 1; - - // Optional destination port to consider when use_original_dst is set on the - // listener in determining a filter chain match. - google.protobuf.UInt32Value destination_port = 8 [(validate.rules).uint32 = {lte: 65535 gte: 1}]; - - // If non-empty, an IP address and prefix length to match addresses when the - // listener is bound to 0.0.0.0/:: or when use_original_dst is specified. - repeated core.v4alpha.CidrRange prefix_ranges = 3; - - // If non-empty, an IP address and suffix length to match addresses when the - // listener is bound to 0.0.0.0/:: or when use_original_dst is specified. - // [#not-implemented-hide:] - string address_suffix = 4; - - // [#not-implemented-hide:] - google.protobuf.UInt32Value suffix_len = 5; - - // The criteria is satisfied if the directly connected source IP address of the downstream - // connection is contained in at least one of the specified subnets. If the parameter is not - // specified or the list is empty, the directly connected source IP address is ignored. - repeated core.v4alpha.CidrRange direct_source_prefix_ranges = 13; - - // Specifies the connection source IP match type. Can be any, local or external network. 
- ConnectionSourceType source_type = 12 [(validate.rules).enum = {defined_only: true}]; - - // The criteria is satisfied if the source IP address of the downstream - // connection is contained in at least one of the specified subnets. If the - // parameter is not specified or the list is empty, the source IP address is - // ignored. - repeated core.v4alpha.CidrRange source_prefix_ranges = 6; - - // The criteria is satisfied if the source port of the downstream connection - // is contained in at least one of the specified ports. If the parameter is - // not specified, the source port is ignored. - repeated uint32 source_ports = 7 - [(validate.rules).repeated = {items {uint32 {lte: 65535 gte: 1}}}]; - - // If non-empty, a list of server names (e.g. SNI for TLS protocol) to consider when determining - // a filter chain match. Those values will be compared against the server names of a new - // connection, when detected by one of the listener filters. - // - // The server name will be matched against all wildcard domains, i.e. ``www.example.com`` - // will be first matched against ``www.example.com``, then ``*.example.com``, then ``*.com``. - // - // Note that partial wildcards are not supported, and values like ``*w.example.com`` are invalid. - // - // .. attention:: - // - // See the :ref:`FAQ entry ` on how to configure SNI for more - // information. - repeated string server_names = 11; - - // If non-empty, a transport protocol to consider when determining a filter chain match. - // This value will be compared against the transport protocol of a new connection, when - // it's detected by one of the listener filters. - // - // Suggested values include: - // - // * ``raw_buffer`` - default, used when no transport protocol is detected, - // * ``tls`` - set by :ref:`envoy.filters.listener.tls_inspector ` - // when TLS protocol is detected. - string transport_protocol = 9; - - // If non-empty, a list of application protocols (e.g. 
ALPN for TLS protocol) to consider when - // determining a filter chain match. Those values will be compared against the application - // protocols of a new connection, when detected by one of the listener filters. - // - // Suggested values include: - // - // * ``http/1.1`` - set by :ref:`envoy.filters.listener.tls_inspector - // `, - // * ``h2`` - set by :ref:`envoy.filters.listener.tls_inspector ` - // - // .. attention:: - // - // Currently, only :ref:`TLS Inspector ` provides - // application protocol detection based on the requested - // `ALPN `_ values. - // - // However, the use of ALPN is pretty much limited to the HTTP/2 traffic on the Internet, - // and matching on values other than ``h2`` is going to lead to a lot of false negatives, - // unless all connecting clients are known to use ALPN. - repeated string application_protocols = 10; -} - -// A filter chain wraps a set of match criteria, an option TLS context, a set of filters, and -// various other parameters. -// [#next-free-field: 10] -message FilterChain { - option (udpa.annotations.versioning).previous_message_type = - "envoy.config.listener.v3.FilterChain"; - - // The configuration for on-demand filter chain. If this field is not empty in FilterChain message, - // a filter chain will be built on-demand. - // On-demand filter chains help speedup the warming up of listeners since the building and initialization of - // an on-demand filter chain will be postponed to the arrival of new connection requests that require this filter chain. - // Filter chains that are not often used can be set as on-demand. - message OnDemandConfiguration { - option (udpa.annotations.versioning).previous_message_type = - "envoy.config.listener.v3.FilterChain.OnDemandConfiguration"; - - // The timeout to wait for filter chain placeholders to complete rebuilding. - // 1. If this field is set to 0, timeout is disabled. - // 2. If not specified, a default timeout of 15s is used. 
- // Rebuilding will wait until dependencies are ready, have failed, or this timeout is reached. - // Upon failure or timeout, all connections related to this filter chain will be closed. - // Rebuilding will start again on the next new connection. - google.protobuf.Duration rebuild_timeout = 1; - } - - reserved 2, 4; - - reserved "tls_context", "use_proxy_proto"; - - // The criteria to use when matching a connection to this filter chain. - FilterChainMatch filter_chain_match = 1; - - // A list of individual network filters that make up the filter chain for - // connections established with the listener. Order matters as the filters are - // processed sequentially as connection events happen. Note: If the filter - // list is empty, the connection will close by default. - repeated Filter filters = 3; - - // [#not-implemented-hide:] filter chain metadata. - core.v4alpha.Metadata metadata = 5; - - // Optional custom transport socket implementation to use for downstream connections. - // To setup TLS, set a transport socket with name `envoy.transport_sockets.tls` and - // :ref:`DownstreamTlsContext ` in the `typed_config`. - // If no transport socket configuration is specified, new connections - // will be set up with plaintext. - // [#extension-category: envoy.transport_sockets.downstream] - core.v4alpha.TransportSocket transport_socket = 6; - - // If present and nonzero, the amount of time to allow incoming connections to complete any - // transport socket negotiations. If this expires before the transport reports connection - // establishment, the connection is summarily closed. - google.protobuf.Duration transport_socket_connect_timeout = 9; - - // [#not-implemented-hide:] The unique name (or empty) by which this filter chain is known. If no - // name is provided, Envoy will allocate an internal UUID for the filter chain. If the filter - // chain is to be dynamically updated or removed via FCDS a unique name must be provided. 
- string name = 7; - - // [#not-implemented-hide:] The configuration to specify whether the filter chain will be built on-demand. - // If this field is not empty, the filter chain will be built on-demand. - // Otherwise, the filter chain will be built normally and block listener warming. - OnDemandConfiguration on_demand_configuration = 8; -} - -// Listener filter chain match configuration. This is a recursive structure which allows complex -// nested match configurations to be built using various logical operators. -// -// Examples: -// -// * Matches if the destination port is 3306. -// -// .. code-block:: yaml -// -// destination_port_range: -// start: 3306 -// end: 3307 -// -// * Matches if the destination port is 3306 or 15000. -// -// .. code-block:: yaml -// -// or_match: -// rules: -// - destination_port_range: -// start: 3306 -// end: 3307 -// - destination_port_range: -// start: 15000 -// end: 15001 -// -// [#next-free-field: 6] -message ListenerFilterChainMatchPredicate { - option (udpa.annotations.versioning).previous_message_type = - "envoy.config.listener.v3.ListenerFilterChainMatchPredicate"; - - // A set of match configurations used for logical operations. - message MatchSet { - option (udpa.annotations.versioning).previous_message_type = - "envoy.config.listener.v3.ListenerFilterChainMatchPredicate.MatchSet"; - - // The list of rules that make up the set. - repeated ListenerFilterChainMatchPredicate rules = 1 - [(validate.rules).repeated = {min_items: 2}]; - } - - oneof rule { - option (validate.required) = true; - - // A set that describes a logical OR. If any member of the set matches, the match configuration - // matches. - MatchSet or_match = 1; - - // A set that describes a logical AND. If all members of the set match, the match configuration - // matches. - MatchSet and_match = 2; - - // A negation match. The match configuration will match if the negated match condition matches. 
- ListenerFilterChainMatchPredicate not_match = 3; - - // The match configuration will always match. - bool any_match = 4 [(validate.rules).bool = {const: true}]; - - // Match destination port. Particularly, the match evaluation must use the recovered local port if - // the owning listener filter is after :ref:`an original_dst listener filter `. - type.v3.Int32Range destination_port_range = 5; - } -} - -message ListenerFilter { - option (udpa.annotations.versioning).previous_message_type = - "envoy.config.listener.v3.ListenerFilter"; - - reserved 2; - - reserved "config"; - - // The name of the filter to instantiate. The name must match a - // :ref:`supported filter `. - string name = 1 [(validate.rules).string = {min_len: 1}]; - - oneof config_type { - // Filter specific configuration which depends on the filter being - // instantiated. See the supported filters for further documentation. - // [#extension-category: envoy.filters.listener,envoy.filters.udp_listener] - google.protobuf.Any typed_config = 3; - } - - // Optional match predicate used to disable the filter. The filter is enabled when this field is empty. - // See :ref:`ListenerFilterChainMatchPredicate ` - // for further examples. - ListenerFilterChainMatchPredicate filter_disabled = 4; -} diff --git a/api/envoy/config/listener/v4alpha/quic_config.proto b/api/envoy/config/listener/v4alpha/quic_config.proto deleted file mode 100644 index 0b6d6bd7584c..000000000000 --- a/api/envoy/config/listener/v4alpha/quic_config.proto +++ /dev/null 
@@ -1,62 +0,0 @@
-syntax = "proto3";
-
-package envoy.config.listener.v4alpha;
-
-import "envoy/config/core/v4alpha/base.proto";
-import "envoy/config/core/v4alpha/extension.proto";
-import "envoy/config/core/v4alpha/protocol.proto";
-
-import "google/protobuf/duration.proto";
-import "google/protobuf/wrappers.proto";
-
-import "udpa/annotations/status.proto";
-import "udpa/annotations/versioning.proto";
-import "validate/validate.proto";
-
-option java_package = "io.envoyproxy.envoy.config.listener.v4alpha";
-option java_outer_classname = "QuicConfigProto";
-option java_multiple_files = true;
-option (udpa.annotations.file_status).package_version_status = NEXT_MAJOR_VERSION_CANDIDATE;
-
-// [#protodoc-title: QUIC listener config]
-
-// Configuration specific to the UDP QUIC listener.
-// [#next-free-field: 8]
-message QuicProtocolOptions {
- option (udpa.annotations.versioning).previous_message_type =
- "envoy.config.listener.v3.QuicProtocolOptions";
-
- core.v4alpha.QuicProtocolOptions quic_protocol_options = 1;
-
- // Maximum number of milliseconds that connection will be alive when there is
- // no network activity. 300000ms if not specified.
- google.protobuf.Duration idle_timeout = 2;
-
- // Connection timeout in milliseconds before the crypto handshake is finished.
- // 20000ms if not specified.
- google.protobuf.Duration crypto_handshake_timeout = 3;
-
- // Runtime flag that controls whether the listener is enabled or not. If not specified, defaults
- // to enabled.
- core.v4alpha.RuntimeFeatureFlag enabled = 4;
-
- // A multiplier to number of connections which is used to determine how many packets to read per
- // event loop. A reasonable number should allow the listener to process enough payload but not
- // starve TCP and other UDP sockets and also prevent long event loop duration.
- // The default value is 32. This means if there are N QUIC connections, the total number of
- // packets to read in each read event will be 32 * N.
- // The actual number of packets to read in total by the UDP listener is also
- // bound by 6000, regardless of this field or how many connections there are.
- google.protobuf.UInt32Value packets_to_read_to_connection_count_ratio = 5
- [(validate.rules).uint32 = {gte: 1}];
-
- // Configure which implementation of `quic::QuicCryptoClientStreamBase` to be used for this listener.
- // If not specified the :ref:`QUICHE default one configured by ` will be used.
- // [#extension-category: envoy.quic.server.crypto_stream]
- core.v4alpha.TypedExtensionConfig crypto_stream_config = 6;
-
- // Configure which implementation of `quic::ProofSource` to be used for this listener.
- // If not specified the :ref:`default one configured by ` will be used.
- // [#extension-category: envoy.quic.proof_source]
- core.v4alpha.TypedExtensionConfig proof_source_config = 7;
-}
diff --git a/api/envoy/config/listener/v4alpha/udp_listener_config.proto b/api/envoy/config/listener/v4alpha/udp_listener_config.proto
deleted file mode 100644
index 3cd272de3172..000000000000
--- a/api/envoy/config/listener/v4alpha/udp_listener_config.proto
+++ /dev/null
@@ -1,46 +0,0 @@
-syntax = "proto3";
-
-package envoy.config.listener.v4alpha;
-
-import "envoy/config/core/v4alpha/udp_socket_config.proto";
-import "envoy/config/listener/v4alpha/quic_config.proto";
-
-import "udpa/annotations/status.proto";
-import "udpa/annotations/versioning.proto";
-
-option java_package = "io.envoyproxy.envoy.config.listener.v4alpha";
-option java_outer_classname = "UdpListenerConfigProto";
-option java_multiple_files = true;
-option (udpa.annotations.file_status).package_version_status = NEXT_MAJOR_VERSION_CANDIDATE;
-
-// [#protodoc-title: UDP listener config]
-// Listener :ref:`configuration overview `
-
-// [#next-free-field: 8]
-message UdpListenerConfig {
- option (udpa.annotations.versioning).previous_message_type =
- "envoy.config.listener.v3.UdpListenerConfig";
-
- reserved 1, 2, 3, 4, 6;
-
- reserved "config";
-
- // UDP socket configuration for the listener. The default for
- // :ref:`prefer_gro ` is false for
- // listener sockets. If receiving a large amount of datagrams from a small number of sources, it
- // may be worthwhile to enable this option after performance testing.
- core.v4alpha.UdpSocketConfig downstream_socket_config = 5;
-
- // Configuration for QUIC protocol. If empty, QUIC will not be enabled on this listener. Set
- // to the default object to enable QUIC without modifying any additional options.
- //
- // .. warning::
- // QUIC support is currently alpha and should be used with caution. Please
- // see :ref:`here ` for details.
- QuicProtocolOptions quic_options = 7;
-}
-
-message ActiveRawUdpListenerConfig {
- option (udpa.annotations.versioning).previous_message_type =
- "envoy.config.listener.v3.ActiveRawUdpListenerConfig";
-}
diff --git a/api/envoy/config/metrics/v4alpha/BUILD b/api/envoy/config/metrics/v4alpha/BUILD
deleted file mode 100644
index 9f8473e290ae..000000000000
--- a/api/envoy/config/metrics/v4alpha/BUILD
+++ /dev/null
@@ -1,14 +0,0 @@ -# DO NOT EDIT. This file is generated by tools/proto_format/proto_sync.py. - -load("@envoy_api//bazel:api_build_system.bzl", "api_proto_package") - -licenses(["notice"]) # Apache 2 - -api_proto_package( - deps = [ - "//envoy/config/core/v4alpha:pkg", - "//envoy/config/metrics/v3:pkg", - "//envoy/type/matcher/v4alpha:pkg", - "@com_github_cncf_udpa//udpa/annotations:pkg", - ], -) diff --git a/api/envoy/config/metrics/v4alpha/metrics_service.proto b/api/envoy/config/metrics/v4alpha/metrics_service.proto deleted file mode 100644 index fe530b34e690..000000000000 --- a/api/envoy/config/metrics/v4alpha/metrics_service.proto +++ /dev/null 
@@ -1,46 +0,0 @@
-syntax = "proto3";
-
-package envoy.config.metrics.v4alpha;
-
-import "envoy/config/core/v4alpha/config_source.proto";
-import "envoy/config/core/v4alpha/grpc_service.proto";
-
-import "google/protobuf/wrappers.proto";
-
-import "udpa/annotations/status.proto";
-import "udpa/annotations/versioning.proto";
-import "validate/validate.proto";
-
-option java_package = "io.envoyproxy.envoy.config.metrics.v4alpha";
-option java_outer_classname = "MetricsServiceProto";
-option java_multiple_files = true;
-option (udpa.annotations.file_status).package_version_status = NEXT_MAJOR_VERSION_CANDIDATE;
-
-// [#protodoc-title: Metrics service]
-
-// Metrics Service is configured as a built-in *envoy.stat_sinks.metrics_service* :ref:`StatsSink
-// `. This opaque configuration will be used to create
-// Metrics Service.
-// [#extension: envoy.stat_sinks.metrics_service]
-message MetricsServiceConfig {
- option (udpa.annotations.versioning).previous_message_type =
- "envoy.config.metrics.v3.MetricsServiceConfig";
-
- // The upstream gRPC cluster that hosts the metrics service.
- core.v4alpha.GrpcService grpc_service = 1 [(validate.rules).message = {required: true}];
-
- // API version for metric service transport protocol. This describes the metric service gRPC
- // endpoint and version of messages used on the wire.
- core.v4alpha.ApiVersion transport_api_version = 3 [(validate.rules).enum = {defined_only: true}];
-
- // If true, counters are reported as the delta between flushing intervals. Otherwise, the current
- // counter value is reported. Defaults to false.
- // Eventually (https://github.com/envoyproxy/envoy/issues/10968) if this value is not set, the
- // sink will take updates from the :ref:`MetricsResponse `.
- google.protobuf.BoolValue report_counters_as_deltas = 2;
-
- // If true, metrics will have their tags emitted as labels on the metrics objects sent to the MetricsService,
- // and the tag extracted name will be used instead of the full name, which may contain values used by the tag
- // extractor or additional tags added during stats creation.
- bool emit_tags_as_labels = 4;
-}
diff --git a/api/envoy/config/metrics/v4alpha/stats.proto b/api/envoy/config/metrics/v4alpha/stats.proto
deleted file mode 100644
index 6d8a94050d65..000000000000
--- a/api/envoy/config/metrics/v4alpha/stats.proto
+++ /dev/null
@@ -1,411 +0,0 @@ -syntax = "proto3"; - -package envoy.config.metrics.v4alpha; - -import "envoy/config/core/v4alpha/address.proto"; -import "envoy/type/matcher/v4alpha/string.proto"; - -import "google/protobuf/any.proto"; -import "google/protobuf/wrappers.proto"; - -import "udpa/annotations/status.proto"; -import "udpa/annotations/versioning.proto"; -import "validate/validate.proto"; - -option java_package = "io.envoyproxy.envoy.config.metrics.v4alpha"; -option java_outer_classname = "StatsProto"; -option java_multiple_files = true; -option (udpa.annotations.file_status).package_version_status = NEXT_MAJOR_VERSION_CANDIDATE; - -// [#protodoc-title: Stats] -// Statistics :ref:`architecture overview `. - -// Configuration for pluggable stats sinks. -message StatsSink { - option (udpa.annotations.versioning).previous_message_type = "envoy.config.metrics.v3.StatsSink"; - - reserved 2; - - reserved "config"; - - // The name of the stats sink to instantiate. The name must match a supported - // stats sink. - // See the :ref:`extensions listed in typed_config below ` for the default list of available stats sink. - // Sinks optionally support tagged/multiple dimensional metrics. - string name = 1; - - // Stats sink specific configuration which depends on the sink being instantiated. See - // :ref:`StatsdSink ` for an example. - // [#extension-category: envoy.stats_sinks] - oneof config_type { - google.protobuf.Any typed_config = 3; - } -} - -// Statistics configuration such as tagging. -message StatsConfig { - option (udpa.annotations.versioning).previous_message_type = - "envoy.config.metrics.v3.StatsConfig"; - - // Each stat name is iteratively processed through these tag specifiers. - // When a tag is matched, the first capture group is removed from the name so - // later :ref:`TagSpecifiers ` cannot match that - // same portion of the match. - repeated TagSpecifier stats_tags = 1; - - // Use all default tag regexes specified in Envoy. 
These can be combined with - // custom tags specified in :ref:`stats_tags - // `. They will be processed before - // the custom tags. - // - // .. note:: - // - // If any default tags are specified twice, the config will be considered - // invalid. - // - // See :repo:`well_known_names.h ` for a list of the - // default tags in Envoy. - // - // If not provided, the value is assumed to be true. - google.protobuf.BoolValue use_all_default_tags = 2; - - // Inclusion/exclusion matcher for stat name creation. If not provided, all stats are instantiated - // as normal. Preventing the instantiation of certain families of stats can improve memory - // performance for Envoys running especially large configs. - // - // .. warning:: - // Excluding stats may affect Envoy's behavior in undocumented ways. See - // `issue #8771 `_ for more information. - // If any unexpected behavior changes are observed, please open a new issue immediately. - StatsMatcher stats_matcher = 3; - - // Defines rules for setting the histogram buckets. Rules are evaluated in order, and the first - // match is applied. If no match is found (or if no rules are set), the following default buckets - // are used: - // - // .. code-block:: json - // - // [ - // 0.5, - // 1, - // 5, - // 10, - // 25, - // 50, - // 100, - // 250, - // 500, - // 1000, - // 2500, - // 5000, - // 10000, - // 30000, - // 60000, - // 300000, - // 600000, - // 1800000, - // 3600000 - // ] - repeated HistogramBucketSettings histogram_bucket_settings = 4; -} - -// Configuration for disabling stat instantiation. -message StatsMatcher { - // The instantiation of stats is unrestricted by default. If the goal is to configure Envoy to - // instantiate all stats, there is no need to construct a StatsMatcher. - // - // However, StatsMatcher can be used to limit the creation of families of stats in order to - // conserve memory. 
Stats can either be disabled entirely, or they can be - // limited by either an exclusion or an inclusion list of :ref:`StringMatcher - // ` protos: - // - // * If `reject_all` is set to `true`, no stats will be instantiated. If `reject_all` is set to - // `false`, all stats will be instantiated. - // - // * If an exclusion list is supplied, any stat name matching *any* of the StringMatchers in the - // list will not instantiate. - // - // * If an inclusion list is supplied, no stats will instantiate, except those matching *any* of - // the StringMatchers in the list. - // - // - // A StringMatcher can be used to match against an exact string, a suffix / prefix, or a regex. - // **NB:** For performance reasons, it is highly recommended to use a prefix- or suffix-based - // matcher rather than a regex-based matcher. - // - // Example 1. Excluding all stats. - // - // .. code-block:: json - // - // { - // "statsMatcher": { - // "rejectAll": "true" - // } - // } - // - // Example 2. Excluding all cluster-specific stats, but not cluster-manager stats: - // - // .. code-block:: json - // - // { - // "statsMatcher": { - // "exclusionList": { - // "patterns": [ - // { - // "prefix": "cluster." - // } - // ] - // } - // } - // } - // - // Example 3. Including only manager-related stats: - // - // .. code-block:: json - // - // { - // "statsMatcher": { - // "inclusionList": { - // "patterns": [ - // { - // "prefix": "cluster_manager." - // }, - // { - // "prefix": "listener_manager." - // } - // ] - // } - // } - // } - // - - option (udpa.annotations.versioning).previous_message_type = - "envoy.config.metrics.v3.StatsMatcher"; - - oneof stats_matcher { - option (validate.required) = true; - - // If `reject_all` is true, then all stats are disabled. If `reject_all` is false, then all - // stats are enabled. - bool reject_all = 1; - - // Exclusive match. All stats are enabled except for those matching one of the supplied - // StringMatcher protos. 
- type.matcher.v4alpha.ListStringMatcher exclusion_list = 2; - - // Inclusive match. No stats are enabled except for those matching one of the supplied - // StringMatcher protos. - type.matcher.v4alpha.ListStringMatcher inclusion_list = 3; - } -} - -// Designates a tag name and value pair. The value may be either a fixed value -// or a regex providing the value via capture groups. The specified tag will be -// unconditionally set if a fixed value, otherwise it will only be set if one -// or more capture groups in the regex match. -message TagSpecifier { - option (udpa.annotations.versioning).previous_message_type = - "envoy.config.metrics.v3.TagSpecifier"; - - // Attaches an identifier to the tag values to identify the tag being in the - // sink. Envoy has a set of default names and regexes to extract dynamic - // portions of existing stats, which can be found in :repo:`well_known_names.h - // ` in the Envoy repository. If a :ref:`tag_name - // ` is provided in the config and - // neither :ref:`regex ` or - // :ref:`fixed_value ` were specified, - // Envoy will attempt to find that name in its set of defaults and use the accompanying regex. - // - // .. note:: - // - // It is invalid to specify the same tag name twice in a config. - string tag_name = 1; - - oneof tag_value { - // Designates a tag to strip from the tag extracted name and provide as a named - // tag value for all statistics. This will only occur if any part of the name - // matches the regex provided with one or more capture groups. - // - // The first capture group identifies the portion of the name to remove. The - // second capture group (which will normally be nested inside the first) will - // designate the value of the tag for the statistic. If no second capture - // group is provided, the first will also be used to set the value of the tag. - // All other capture groups will be ignored. - // - // Example 1. 
a stat name ``cluster.foo_cluster.upstream_rq_timeout`` and - // one tag specifier: - // - // .. code-block:: json - // - // { - // "tag_name": "envoy.cluster_name", - // "regex": "^cluster\\.((.+?)\\.)" - // } - // - // Note that the regex will remove ``foo_cluster.`` making the tag extracted - // name ``cluster.upstream_rq_timeout`` and the tag value for - // ``envoy.cluster_name`` will be ``foo_cluster`` (note: there will be no - // ``.`` character because of the second capture group). - // - // Example 2. a stat name - // ``http.connection_manager_1.user_agent.ios.downstream_cx_total`` and two - // tag specifiers: - // - // .. code-block:: json - // - // [ - // { - // "tag_name": "envoy.http_user_agent", - // "regex": "^http(?=\\.).*?\\.user_agent\\.((.+?)\\.)\\w+?$" - // }, - // { - // "tag_name": "envoy.http_conn_manager_prefix", - // "regex": "^http\\.((.*?)\\.)" - // } - // ] - // - // The two regexes of the specifiers will be processed in the definition order. - // - // The first regex will remove ``ios.``, leaving the tag extracted name - // ``http.connection_manager_1.user_agent.downstream_cx_total``. The tag - // ``envoy.http_user_agent`` will be added with tag value ``ios``. - // - // The second regex will remove ``connection_manager_1.`` from the tag - // extracted name produced by the first regex - // ``http.connection_manager_1.user_agent.downstream_cx_total``, leaving - // ``http.user_agent.downstream_cx_total`` as the tag extracted name. The tag - // ``envoy.http_conn_manager_prefix`` will be added with the tag value - // ``connection_manager_1``. - string regex = 2 [(validate.rules).string = {max_bytes: 1024}]; - - // Specifies a fixed tag value for the ``tag_name``. - string fixed_value = 3; - } -} - -// Specifies a matcher for stats and the buckets that matching stats should use. 
-message HistogramBucketSettings { - option (udpa.annotations.versioning).previous_message_type = - "envoy.config.metrics.v3.HistogramBucketSettings"; - - // The stats that this rule applies to. The match is applied to the original stat name - // before tag-extraction, for example `cluster.exampleclustername.upstream_cx_length_ms`. - type.matcher.v4alpha.StringMatcher match = 1 [(validate.rules).message = {required: true}]; - - // Each value is the upper bound of a bucket. Each bucket must be greater than 0 and unique. - // The order of the buckets does not matter. - repeated double buckets = 2 [(validate.rules).repeated = { - min_items: 1 - unique: true - items {double {gt: 0.0}} - }]; -} - -// Stats configuration proto schema for built-in *envoy.stat_sinks.statsd* sink. This sink does not support -// tagged metrics. -// [#extension: envoy.stat_sinks.statsd] -message StatsdSink { - option (udpa.annotations.versioning).previous_message_type = "envoy.config.metrics.v3.StatsdSink"; - - oneof statsd_specifier { - option (validate.required) = true; - - // The UDP address of a running `statsd `_ - // compliant listener. If specified, statistics will be flushed to this - // address. - core.v4alpha.Address address = 1; - - // The name of a cluster that is running a TCP `statsd - // `_ compliant listener. If specified, - // Envoy will connect to this cluster to flush statistics. - string tcp_cluster_name = 2; - } - - // Optional custom prefix for StatsdSink. If - // specified, this will override the default prefix. - // For example: - // - // .. code-block:: json - // - // { - // "prefix" : "envoy-prod" - // } - // - // will change emitted stats to - // - // .. code-block:: cpp - // - // envoy-prod.test_counter:1|c - // envoy-prod.test_timer:5|ms - // - // Note that the default prefix, "envoy", will be used if a prefix is not - // specified. - // - // Stats with default prefix: - // - // .. 
code-block:: cpp - // - // envoy.test_counter:1|c - // envoy.test_timer:5|ms - string prefix = 3; -} - -// Stats configuration proto schema for built-in *envoy.stat_sinks.dog_statsd* sink. -// The sink emits stats with `DogStatsD `_ -// compatible tags. Tags are configurable via :ref:`StatsConfig -// `. -// [#extension: envoy.stat_sinks.dog_statsd] -message DogStatsdSink { - option (udpa.annotations.versioning).previous_message_type = - "envoy.config.metrics.v3.DogStatsdSink"; - - reserved 2; - - oneof dog_statsd_specifier { - option (validate.required) = true; - - // The UDP address of a running DogStatsD compliant listener. If specified, - // statistics will be flushed to this address. - core.v4alpha.Address address = 1; - } - - // Optional custom metric name prefix. See :ref:`StatsdSink's prefix field - // ` for more details. - string prefix = 3; - - // Optional max datagram size to use when sending UDP messages. By default Envoy - // will emit one metric per datagram. By specifying a max-size larger than a single - // metric, Envoy will emit multiple, new-line separated metrics. The max datagram - // size should not exceed your network's MTU. - // - // Note that this value may not be respected if smaller than a single metric. - google.protobuf.UInt64Value max_bytes_per_datagram = 4 [(validate.rules).uint64 = {gt: 0}]; -} - -// Stats configuration proto schema for built-in *envoy.stat_sinks.hystrix* sink. -// The sink emits stats in `text/event-stream -// `_ -// formatted stream for use by `Hystrix dashboard -// `_. -// -// Note that only a single HystrixSink should be configured. -// -// Streaming is started through an admin endpoint :http:get:`/hystrix_event_stream`. -// [#extension: envoy.stat_sinks.hystrix] -message HystrixSink { - option (udpa.annotations.versioning).previous_message_type = - "envoy.config.metrics.v3.HystrixSink"; - - // The number of buckets the rolling statistical window is divided into. 
- // - // Each time the sink is flushed, all relevant Envoy statistics are sampled and - // added to the rolling window (removing the oldest samples in the window - // in the process). The sink then outputs the aggregate statistics across the - // current rolling window to the event stream(s). - // - // rolling_window(ms) = stats_flush_interval(ms) * num_of_buckets - // - // More detailed explanation can be found in `Hystrix wiki - // `_. - int64 num_buckets = 1; -} diff --git a/api/envoy/config/ratelimit/v4alpha/BUILD b/api/envoy/config/ratelimit/v4alpha/BUILD deleted file mode 100644 index f335ebe20e6b..000000000000 --- a/api/envoy/config/ratelimit/v4alpha/BUILD +++ /dev/null @@ -1,13 +0,0 @@ -# DO NOT EDIT. This file is generated by tools/proto_format/proto_sync.py. - -load("@envoy_api//bazel:api_build_system.bzl", "api_proto_package") - -licenses(["notice"]) # Apache 2 - -api_proto_package( - deps = [ - "//envoy/config/core/v4alpha:pkg", - "//envoy/config/ratelimit/v3:pkg", - "@com_github_cncf_udpa//udpa/annotations:pkg", - ], -) diff --git a/api/envoy/config/ratelimit/v4alpha/rls.proto b/api/envoy/config/ratelimit/v4alpha/rls.proto deleted file mode 100644 index 7a13efd7395e..000000000000 --- a/api/envoy/config/ratelimit/v4alpha/rls.proto +++ /dev/null 
@@ -1,34 +0,0 @@
-syntax = "proto3";
-
-package envoy.config.ratelimit.v4alpha;
-
-import "envoy/config/core/v4alpha/config_source.proto";
-import "envoy/config/core/v4alpha/grpc_service.proto";
-
-import "udpa/annotations/status.proto";
-import "udpa/annotations/versioning.proto";
-import "validate/validate.proto";
-
-option java_package = "io.envoyproxy.envoy.config.ratelimit.v4alpha";
-option java_outer_classname = "RlsProto";
-option java_multiple_files = true;
-option (udpa.annotations.file_status).package_version_status = NEXT_MAJOR_VERSION_CANDIDATE;
-
-// [#protodoc-title: Rate limit service]
-
-// Rate limit :ref:`configuration overview `.
-message RateLimitServiceConfig {
- option (udpa.annotations.versioning).previous_message_type =
- "envoy.config.ratelimit.v3.RateLimitServiceConfig";
-
- reserved 1, 3;
-
- // Specifies the gRPC service that hosts the rate limit service. The client
- // will connect to this cluster when it needs to make rate limit service
- // requests.
- core.v4alpha.GrpcService grpc_service = 2 [(validate.rules).message = {required: true}];
-
- // API version for rate limit transport protocol. This describes the rate limit gRPC endpoint and
- // version of messages used on the wire.
- core.v4alpha.ApiVersion transport_api_version = 4 [(validate.rules).enum = {defined_only: true}];
-}
diff --git a/api/envoy/config/rbac/v4alpha/BUILD b/api/envoy/config/rbac/v4alpha/BUILD
deleted file mode 100644
index 090d01f3cd17..000000000000
--- a/api/envoy/config/rbac/v4alpha/BUILD
+++ /dev/null
@@ -1,18 +0,0 @@ -# DO NOT EDIT. This file is generated by tools/proto_format/proto_sync.py. - -load("@envoy_api//bazel:api_build_system.bzl", "api_proto_package") - -licenses(["notice"]) # Apache 2 - -api_proto_package( - deps = [ - "//envoy/config/core/v4alpha:pkg", - "//envoy/config/rbac/v3:pkg", - "//envoy/config/route/v4alpha:pkg", - "//envoy/type/matcher/v4alpha:pkg", - "//envoy/type/v3:pkg", - "@com_github_cncf_udpa//udpa/annotations:pkg", - "@com_google_googleapis//google/api/expr/v1alpha1:checked_proto", - "@com_google_googleapis//google/api/expr/v1alpha1:syntax_proto", - ], -) diff --git a/api/envoy/config/rbac/v4alpha/rbac.proto b/api/envoy/config/rbac/v4alpha/rbac.proto deleted file mode 100644 index 6fbd5a90f37d..000000000000 --- a/api/envoy/config/rbac/v4alpha/rbac.proto +++ /dev/null 
@@ -1,303 +0,0 @@ -syntax = "proto3"; - -package envoy.config.rbac.v4alpha; - -import "envoy/config/core/v4alpha/address.proto"; -import "envoy/config/route/v4alpha/route_components.proto"; -import "envoy/type/matcher/v4alpha/metadata.proto"; -import "envoy/type/matcher/v4alpha/path.proto"; -import "envoy/type/matcher/v4alpha/string.proto"; -import "envoy/type/v3/range.proto"; - -import "google/api/expr/v1alpha1/checked.proto"; -import "google/api/expr/v1alpha1/syntax.proto"; - -import "udpa/annotations/status.proto"; -import "udpa/annotations/versioning.proto"; -import "validate/validate.proto"; - -option java_package = "io.envoyproxy.envoy.config.rbac.v4alpha"; -option java_outer_classname = "RbacProto"; -option java_multiple_files = true; -option (udpa.annotations.file_status).package_version_status = NEXT_MAJOR_VERSION_CANDIDATE; - -// [#protodoc-title: Role Based Access Control (RBAC)] - -// Role Based Access Control (RBAC) provides service-level and method-level access control for a -// service. Requests are allowed or denied based on the `action` and whether a matching policy is -// found. For instance, if the action is ALLOW and a matching policy is found the request should be -// allowed. -// -// RBAC can also be used to make access logging decisions by communicating with access loggers -// through dynamic metadata. When the action is LOG and at least one policy matches, the -// `access_log_hint` value in the shared key namespace 'envoy.common' is set to `true` indicating -// the request should be logged. -// -// Here is an example of RBAC configuration. It has two policies: -// -// * Service account "cluster.local/ns/default/sa/admin" has full access to the service, and so -// does "cluster.local/ns/default/sa/superuser". -// -// * Any user can read ("GET") the service at paths with prefix "/products", so long as the -// destination port is either 80 or 443. -// -// .. 
code-block:: yaml -// -// action: ALLOW -// policies: -// "service-admin": -// permissions: -// - any: true -// principals: -// - authenticated: -// principal_name: -// exact: "cluster.local/ns/default/sa/admin" -// - authenticated: -// principal_name: -// exact: "cluster.local/ns/default/sa/superuser" -// "product-viewer": -// permissions: -// - and_rules: -// rules: -// - header: -// name: ":method" -// string_match: -// exact: "GET" -// - url_path: -// path: { prefix: "/products" } -// - or_rules: -// rules: -// - destination_port: 80 -// - destination_port: 443 -// principals: -// - any: true -// -message RBAC { - option (udpa.annotations.versioning).previous_message_type = "envoy.config.rbac.v3.RBAC"; - - // Should we do safe-list or block-list style access control? - enum Action { - // The policies grant access to principals. The rest are denied. This is safe-list style - // access control. This is the default type. - ALLOW = 0; - - // The policies deny access to principals. The rest are allowed. This is block-list style - // access control. - DENY = 1; - - // The policies set the `access_log_hint` dynamic metadata key based on if requests match. - // All requests are allowed. - LOG = 2; - } - - // The action to take if a policy matches. Every action either allows or denies a request, - // and can also carry out action-specific operations. - // - // Actions: - // - // * ALLOW: Allows the request if and only if there is a policy that matches - // the request. - // * DENY: Allows the request if and only if there are no policies that - // match the request. - // * LOG: Allows all requests. If at least one policy matches, the dynamic - // metadata key `access_log_hint` is set to the value `true` under the shared - // key namespace 'envoy.common'. If no policies match, it is set to `false`. - // Other actions do not modify this key. - // - Action action = 1 [(validate.rules).enum = {defined_only: true}]; - - // Maps from policy name to policy. 
A match occurs when at least one policy matches the request. - // The policies are evaluated in lexicographic order of the policy name. - map policies = 2; -} - -// Policy specifies a role and the principals that are assigned/denied the role. -// A policy matches if and only if at least one of its permissions match the -// action taking place AND at least one of its principals match the downstream -// AND the condition is true if specified. -message Policy { - option (udpa.annotations.versioning).previous_message_type = "envoy.config.rbac.v3.Policy"; - - // Required. The set of permissions that define a role. Each permission is - // matched with OR semantics. To match all actions for this policy, a single - // Permission with the `any` field set to true should be used. - repeated Permission permissions = 1 [(validate.rules).repeated = {min_items: 1}]; - - // Required. The set of principals that are assigned/denied the role based on - // “action”. Each principal is matched with OR semantics. To match all - // downstreams for this policy, a single Principal with the `any` field set to - // true should be used. - repeated Principal principals = 2 [(validate.rules).repeated = {min_items: 1}]; - - oneof expression_specifier { - // An optional symbolic expression specifying an access control - // :ref:`condition `. The condition is combined - // with the permissions and the principals as a clause with AND semantics. - // Only be used when checked_condition is not used. - google.api.expr.v1alpha1.Expr condition = 3; - - // [#not-implemented-hide:] - // An optional symbolic expression that has been successfully type checked. - // Only be used when condition is not used. - google.api.expr.v1alpha1.CheckedExpr checked_condition = 4; - } -} - -// Permission defines an action (or actions) that a principal can take. 
-// [#next-free-field: 12] -message Permission { - option (udpa.annotations.versioning).previous_message_type = "envoy.config.rbac.v3.Permission"; - - // Used in the `and_rules` and `or_rules` fields in the `rule` oneof. Depending on the context, - // each are applied with the associated behavior. - message Set { - option (udpa.annotations.versioning).previous_message_type = - "envoy.config.rbac.v3.Permission.Set"; - - repeated Permission rules = 1 [(validate.rules).repeated = {min_items: 1}]; - } - - oneof rule { - option (validate.required) = true; - - // A set of rules that all must match in order to define the action. - Set and_rules = 1; - - // A set of rules where at least one must match in order to define the action. - Set or_rules = 2; - - // When any is set, it matches any action. - bool any = 3 [(validate.rules).bool = {const: true}]; - - // A header (or pseudo-header such as :path or :method) on the incoming HTTP request. Only - // available for HTTP request. - // Note: the pseudo-header :path includes the query and fragment string. Use the `url_path` - // field if you want to match the URL path without the query and fragment string. - route.v4alpha.HeaderMatcher header = 4; - - // A URL path on the incoming HTTP request. Only available for HTTP. - type.matcher.v4alpha.PathMatcher url_path = 10; - - // A CIDR block that describes the destination IP. - core.v4alpha.CidrRange destination_ip = 5; - - // A port number that describes the destination port connecting to. - uint32 destination_port = 6 [(validate.rules).uint32 = {lte: 65535}]; - - // A port number range that describes a range of destination ports connecting to. - type.v3.Int32Range destination_port_range = 11; - - // Metadata that describes additional information about the action. - type.matcher.v4alpha.MetadataMatcher metadata = 7; - - // Negates matching the provided permission. For instance, if the value of - // `not_rule` would match, this permission would not match. 
Conversely, if - // the value of `not_rule` would not match, this permission would match. - Permission not_rule = 8; - - // The request server from the client's connection request. This is - // typically TLS SNI. - // - // .. attention:: - // - // The behavior of this field may be affected by how Envoy is configured - // as explained below. - // - // * If the :ref:`TLS Inspector ` - // filter is not added, and if a `FilterChainMatch` is not defined for - // the :ref:`server name - // `, - // a TLS connection's requested SNI server name will be treated as if it - // wasn't present. - // - // * A :ref:`listener filter ` may - // overwrite a connection's requested server name within Envoy. - // - // Please refer to :ref:`this FAQ entry ` to learn to - // setup SNI. - type.matcher.v4alpha.StringMatcher requested_server_name = 9; - } -} - -// Principal defines an identity or a group of identities for a downstream -// subject. -// [#next-free-field: 12] -message Principal { - option (udpa.annotations.versioning).previous_message_type = "envoy.config.rbac.v3.Principal"; - - // Used in the `and_ids` and `or_ids` fields in the `identifier` oneof. - // Depending on the context, each are applied with the associated behavior. - message Set { - option (udpa.annotations.versioning).previous_message_type = - "envoy.config.rbac.v3.Principal.Set"; - - repeated Principal ids = 1 [(validate.rules).repeated = {min_items: 1}]; - } - - // Authentication attributes for a downstream. - message Authenticated { - option (udpa.annotations.versioning).previous_message_type = - "envoy.config.rbac.v3.Principal.Authenticated"; - - reserved 1; - - // The name of the principal. If set, The URI SAN or DNS SAN in that order - // is used from the certificate, otherwise the subject field is used. If - // unset, it applies to any user that is authenticated. 
- type.matcher.v4alpha.StringMatcher principal_name = 2; - } - - reserved 5; - - reserved "source_ip"; - - oneof identifier { - option (validate.required) = true; - - // A set of identifiers that all must match in order to define the - // downstream. - Set and_ids = 1; - - // A set of identifiers at least one must match in order to define the - // downstream. - Set or_ids = 2; - - // When any is set, it matches any downstream. - bool any = 3 [(validate.rules).bool = {const: true}]; - - // Authenticated attributes that identify the downstream. - Authenticated authenticated = 4; - - // A CIDR block that describes the downstream remote/origin address. - // Note: This is always the physical peer even if the - // :ref:`remote_ip ` is - // inferred from for example the x-forwarder-for header, proxy protocol, - // etc. - core.v4alpha.CidrRange direct_remote_ip = 10; - - // A CIDR block that describes the downstream remote/origin address. - // Note: This may not be the physical peer and could be different from the - // :ref:`direct_remote_ip - // `. E.g, if the - // remote ip is inferred from for example the x-forwarder-for header, proxy - // protocol, etc. - core.v4alpha.CidrRange remote_ip = 11; - - // A header (or pseudo-header such as :path or :method) on the incoming HTTP - // request. Only available for HTTP request. Note: the pseudo-header :path - // includes the query and fragment string. Use the `url_path` field if you - // want to match the URL path without the query and fragment string. - route.v4alpha.HeaderMatcher header = 6; - - // A URL path on the incoming HTTP request. Only available for HTTP. - type.matcher.v4alpha.PathMatcher url_path = 9; - - // Metadata that describes additional information about the principal. - type.matcher.v4alpha.MetadataMatcher metadata = 7; - - // Negates matching the provided principal. For instance, if the value of - // `not_id` would match, this principal would not match. 
Conversely, if the - // value of `not_id` would not match, this principal would match. - Principal not_id = 8; - } -} diff --git a/api/envoy/config/route/v4alpha/BUILD b/api/envoy/config/route/v4alpha/BUILD deleted file mode 100644 index 89fa4149b879..000000000000 --- a/api/envoy/config/route/v4alpha/BUILD +++ /dev/null @@ -1,17 +0,0 @@ -# DO NOT EDIT. This file is generated by tools/proto_format/proto_sync.py. - -load("@envoy_api//bazel:api_build_system.bzl", "api_proto_package") - -licenses(["notice"]) # Apache 2 - -api_proto_package( - deps = [ - "//envoy/config/core/v4alpha:pkg", - "//envoy/config/route/v3:pkg", - "//envoy/type/matcher/v4alpha:pkg", - "//envoy/type/metadata/v3:pkg", - "//envoy/type/tracing/v3:pkg", - "//envoy/type/v3:pkg", - "@com_github_cncf_udpa//udpa/annotations:pkg", - ], -) diff --git a/api/envoy/config/route/v4alpha/route.proto b/api/envoy/config/route/v4alpha/route.proto deleted file mode 100644 index 4a1938682482..000000000000 --- a/api/envoy/config/route/v4alpha/route.proto +++ /dev/null 
@@ -1,146 +0,0 @@ -syntax = "proto3"; - -package envoy.config.route.v4alpha; - -import "envoy/config/core/v4alpha/base.proto"; -import "envoy/config/core/v4alpha/config_source.proto"; -import "envoy/config/core/v4alpha/extension.proto"; -import "envoy/config/route/v4alpha/route_components.proto"; - -import "google/protobuf/wrappers.proto"; - -import "udpa/annotations/status.proto"; -import "udpa/annotations/versioning.proto"; -import "validate/validate.proto"; - -option java_package = "io.envoyproxy.envoy.config.route.v4alpha"; -option java_outer_classname = "RouteProto"; -option java_multiple_files = true; -option (udpa.annotations.file_status).package_version_status = NEXT_MAJOR_VERSION_CANDIDATE; - -// [#protodoc-title: HTTP route configuration] -// * Routing :ref:`architecture overview ` -// * HTTP :ref:`router filter ` - -// [#next-free-field: 13] -message RouteConfiguration { - option (udpa.annotations.versioning).previous_message_type = - "envoy.config.route.v3.RouteConfiguration"; - - // The name of the route configuration. For example, it might match - // :ref:`route_config_name - // ` in - // :ref:`envoy_v3_api_msg_extensions.filters.network.http_connection_manager.v3.Rds`. - string name = 1; - - // An array of virtual hosts that make up the route table. - repeated VirtualHost virtual_hosts = 2; - - // An array of virtual hosts will be dynamically loaded via the VHDS API. - // Both *virtual_hosts* and *vhds* fields will be used when present. *virtual_hosts* can be used - // for a base routing table or for infrequently changing virtual hosts. *vhds* is used for - // on-demand discovery of virtual hosts. The contents of these two fields will be merged to - // generate a routing table for a given RouteConfiguration, with *vhds* derived configuration - // taking precedence. - Vhds vhds = 9; - - // Optionally specifies a list of HTTP headers that the connection manager - // will consider to be internal only. 
If they are found on external requests they will be cleaned - // prior to filter invocation. See :ref:`config_http_conn_man_headers_x-envoy-internal` for more - // information. - repeated string internal_only_headers = 3 [ - (validate.rules).repeated = {items {string {well_known_regex: HTTP_HEADER_NAME strict: false}}} - ]; - - // Specifies a list of HTTP headers that should be added to each response that - // the connection manager encodes. Headers specified at this level are applied - // after headers from any enclosed :ref:`envoy_v3_api_msg_config.route.v3.VirtualHost` or - // :ref:`envoy_v3_api_msg_config.route.v3.RouteAction`. For more information, including details on - // header value syntax, see the documentation on :ref:`custom request headers - // `. - repeated core.v4alpha.HeaderValueOption response_headers_to_add = 4 - [(validate.rules).repeated = {max_items: 1000}]; - - // Specifies a list of HTTP headers that should be removed from each response - // that the connection manager encodes. - repeated string response_headers_to_remove = 5 [ - (validate.rules).repeated = {items {string {well_known_regex: HTTP_HEADER_NAME strict: false}}} - ]; - - // Specifies a list of HTTP headers that should be added to each request - // routed by the HTTP connection manager. Headers specified at this level are - // applied after headers from any enclosed :ref:`envoy_v3_api_msg_config.route.v3.VirtualHost` or - // :ref:`envoy_v3_api_msg_config.route.v3.RouteAction`. For more information, including details on - // header value syntax, see the documentation on :ref:`custom request headers - // `. - repeated core.v4alpha.HeaderValueOption request_headers_to_add = 6 - [(validate.rules).repeated = {max_items: 1000}]; - - // Specifies a list of HTTP headers that should be removed from each request - // routed by the HTTP connection manager. 
- repeated string request_headers_to_remove = 8 [ - (validate.rules).repeated = {items {string {well_known_regex: HTTP_HEADER_NAME strict: false}}} - ]; - - // By default, headers that should be added/removed are evaluated from most to least specific: - // - // * route level - // * virtual host level - // * connection manager level - // - // To allow setting overrides at the route or virtual host level, this order can be reversed - // by setting this option to true. Defaults to false. - // - // [#next-major-version: In the v3 API, this will default to true.] - bool most_specific_header_mutations_wins = 10; - - // An optional boolean that specifies whether the clusters that the route - // table refers to will be validated by the cluster manager. If set to true - // and a route refers to a non-existent cluster, the route table will not - // load. If set to false and a route refers to a non-existent cluster, the - // route table will load and the router filter will return a 404 if the route - // is selected at runtime. This setting defaults to true if the route table - // is statically defined via the :ref:`route_config - // ` - // option. This setting default to false if the route table is loaded dynamically via the - // :ref:`rds - // ` - // option. Users may wish to override the default behavior in certain cases (for example when - // using CDS with a static route table). - google.protobuf.BoolValue validate_clusters = 7; - - // The maximum bytes of the response :ref:`direct response body - // ` size. If not specified the default - // is 4096. - // - // .. warning:: - // - // Envoy currently holds the content of :ref:`direct response body - // ` in memory. Be careful setting - // this to be larger than the default 4KB, since the allocated memory for direct response body - // is not subject to data plane buffering controls. 
- // - google.protobuf.UInt32Value max_direct_response_body_size_bytes = 11; - - // [#not-implemented-hide:] - // A list of plugins and their configurations which may be used by a - // :ref:`envoy_v3_api_field_config.route.v3.RouteAction.cluster_specifier_plugin` - // within the route. All *extension.name* fields in this list must be unique. - repeated ClusterSpecifierPlugin cluster_specifier_plugins = 12; -} - -// Configuration for a cluster specifier plugin. -message ClusterSpecifierPlugin { - option (udpa.annotations.versioning).previous_message_type = - "envoy.config.route.v3.ClusterSpecifierPlugin"; - - // The name of the plugin and its opaque configuration. - core.v4alpha.TypedExtensionConfig extension = 1; -} - -message Vhds { - option (udpa.annotations.versioning).previous_message_type = "envoy.config.route.v3.Vhds"; - - // Configuration source specifier for VHDS. - core.v4alpha.ConfigSource config_source = 1 [(validate.rules).message = {required: true}]; -} diff --git a/api/envoy/config/route/v4alpha/route_components.proto b/api/envoy/config/route/v4alpha/route_components.proto deleted file mode 100644 index 9c0cc8f57d35..000000000000 --- a/api/envoy/config/route/v4alpha/route_components.proto +++ /dev/null 
@@ -1,1938 +0,0 @@ -syntax = "proto3"; - -package envoy.config.route.v4alpha; - -import "envoy/config/core/v4alpha/base.proto"; -import "envoy/config/core/v4alpha/extension.proto"; -import "envoy/config/core/v4alpha/proxy_protocol.proto"; -import "envoy/type/matcher/v4alpha/regex.proto"; -import "envoy/type/matcher/v4alpha/string.proto"; -import "envoy/type/metadata/v3/metadata.proto"; -import "envoy/type/tracing/v3/custom_tag.proto"; -import "envoy/type/v3/percent.proto"; -import "envoy/type/v3/range.proto"; - -import "google/protobuf/any.proto"; -import "google/protobuf/duration.proto"; -import "google/protobuf/wrappers.proto"; - -import "udpa/annotations/status.proto"; -import "udpa/annotations/versioning.proto"; -import "validate/validate.proto"; - -option java_package = "io.envoyproxy.envoy.config.route.v4alpha"; -option java_outer_classname = "RouteComponentsProto"; -option java_multiple_files = true; -option (udpa.annotations.file_status).package_version_status = NEXT_MAJOR_VERSION_CANDIDATE; - -// [#protodoc-title: HTTP route components] -// * Routing :ref:`architecture overview ` -// * HTTP :ref:`router filter ` - -// The top level element in the routing configuration is a virtual host. Each virtual host has -// a logical name as well as a set of domains that get routed to it based on the incoming request's -// host header. This allows a single listener to service multiple top level domain path trees. Once -// a virtual host is selected based on the domain, the routes are processed in order to see which -// upstream cluster to route to or whether to perform a redirect. -// [#next-free-field: 21] -message VirtualHost { - option (udpa.annotations.versioning).previous_message_type = "envoy.config.route.v3.VirtualHost"; - - enum TlsRequirementType { - // No TLS requirement for the virtual host. - NONE = 0; - - // External requests must use TLS. If a request is external and it is not - // using TLS, a 301 redirect will be sent telling the client to use HTTPS. 
- EXTERNAL_ONLY = 1; - - // All requests must use TLS. If a request is not using TLS, a 301 redirect - // will be sent telling the client to use HTTPS. - ALL = 2; - } - - reserved 9, 12; - - reserved "per_filter_config"; - - // The logical name of the virtual host. This is used when emitting certain - // statistics but is not relevant for routing. - string name = 1 [(validate.rules).string = {min_len: 1}]; - - // A list of domains (host/authority header) that will be matched to this - // virtual host. Wildcard hosts are supported in the suffix or prefix form. - // - // Domain search order: - // 1. Exact domain names: ``www.foo.com``. - // 2. Suffix domain wildcards: ``*.foo.com`` or ``*-bar.foo.com``. - // 3. Prefix domain wildcards: ``foo.*`` or ``foo-*``. - // 4. Special wildcard ``*`` matching any domain. - // - // .. note:: - // - // The wildcard will not match the empty string. - // e.g. ``*-bar.foo.com`` will match ``baz-bar.foo.com`` but not ``-bar.foo.com``. - // The longest wildcards match first. - // Only a single virtual host in the entire route configuration can match on ``*``. A domain - // must be unique across all virtual hosts or the config will fail to load. - // - // Domains cannot contain control characters. This is validated by the well_known_regex HTTP_HEADER_VALUE. - repeated string domains = 2 [(validate.rules).repeated = { - min_items: 1 - items {string {well_known_regex: HTTP_HEADER_VALUE strict: false}} - }]; - - // The list of routes that will be matched, in order, for incoming requests. - // The first route that matches will be used. - repeated Route routes = 3; - - // Specifies the type of TLS enforcement the virtual host expects. If this option is not - // specified, there is no TLS requirement for the virtual host. - TlsRequirementType require_tls = 4 [(validate.rules).enum = {defined_only: true}]; - - // A list of virtual clusters defined for this virtual host. Virtual clusters - // are used for additional statistics gathering. 
- repeated VirtualCluster virtual_clusters = 5; - - // Specifies a set of rate limit configurations that will be applied to the - // virtual host. - repeated RateLimit rate_limits = 6; - - // Specifies a list of HTTP headers that should be added to each request - // handled by this virtual host. Headers specified at this level are applied - // after headers from enclosed :ref:`envoy_v3_api_msg_config.route.v3.Route` and before headers from the - // enclosing :ref:`envoy_v3_api_msg_config.route.v3.RouteConfiguration`. For more information, including - // details on header value syntax, see the documentation on :ref:`custom request headers - // `. - repeated core.v4alpha.HeaderValueOption request_headers_to_add = 7 - [(validate.rules).repeated = {max_items: 1000}]; - - // Specifies a list of HTTP headers that should be removed from each request - // handled by this virtual host. - repeated string request_headers_to_remove = 13 [(validate.rules).repeated = { - items {string {min_len: 1 well_known_regex: HTTP_HEADER_NAME strict: false}} - }]; - - // Specifies a list of HTTP headers that should be added to each response - // handled by this virtual host. Headers specified at this level are applied - // after headers from enclosed :ref:`envoy_v3_api_msg_config.route.v3.Route` and before headers from the - // enclosing :ref:`envoy_v3_api_msg_config.route.v3.RouteConfiguration`. For more information, including - // details on header value syntax, see the documentation on :ref:`custom request headers - // `. - repeated core.v4alpha.HeaderValueOption response_headers_to_add = 10 - [(validate.rules).repeated = {max_items: 1000}]; - - // Specifies a list of HTTP headers that should be removed from each response - // handled by this virtual host. - repeated string response_headers_to_remove = 11 [(validate.rules).repeated = { - items {string {min_len: 1 well_known_regex: HTTP_HEADER_NAME strict: false}} - }]; - - // Indicates that the virtual host has a CORS policy. 
- CorsPolicy cors = 8; - - // The per_filter_config field can be used to provide virtual host-specific - // configurations for filters. The key should match the filter name, such as - // *envoy.filters.http.buffer* for the HTTP buffer filter. Use of this field is filter - // specific; see the :ref:`HTTP filter documentation ` - // for if and how it is utilized. - // [#comment: An entry's value may be wrapped in a - // :ref:`FilterConfig` - // message to specify additional options.] - map typed_per_filter_config = 15; - - // Decides whether the :ref:`x-envoy-attempt-count - // ` header should be included - // in the upstream request. Setting this option will cause it to override any existing header - // value, so in the case of two Envoys on the request path with this option enabled, the upstream - // will see the attempt count as perceived by the second Envoy. Defaults to false. - // This header is unaffected by the - // :ref:`suppress_envoy_headers - // ` flag. - // - // [#next-major-version: rename to include_attempt_count_in_request.] - bool include_request_attempt_count = 14; - - // Decides whether the :ref:`x-envoy-attempt-count - // ` header should be included - // in the downstream response. Setting this option will cause the router to override any existing header - // value, so in the case of two Envoys on the request path with this option enabled, the downstream - // will see the attempt count as perceived by the Envoy closest upstream from itself. Defaults to false. - // This header is unaffected by the - // :ref:`suppress_envoy_headers - // ` flag. - bool include_attempt_count_in_response = 19; - - // Indicates the retry policy for all routes in this virtual host. Note that setting a - // route level entry will take precedence over this config and it'll be treated - // independently (e.g.: values are not inherited). - RetryPolicy retry_policy = 16; - - // [#not-implemented-hide:] - // Specifies the configuration for retry policy extension. 
Note that setting a route level entry - // will take precedence over this config and it'll be treated independently (e.g.: values are not - // inherited). :ref:`Retry policy ` should not be - // set if this field is used. - google.protobuf.Any retry_policy_typed_config = 20; - - // Indicates the hedge policy for all routes in this virtual host. Note that setting a - // route level entry will take precedence over this config and it'll be treated - // independently (e.g.: values are not inherited). - HedgePolicy hedge_policy = 17; - - // The maximum bytes which will be buffered for retries and shadowing. - // If set and a route-specific limit is not set, the bytes actually buffered will be the minimum - // value of this and the listener per_connection_buffer_limit_bytes. - google.protobuf.UInt32Value per_request_buffer_limit_bytes = 18; -} - -// A filter-defined action type. -message FilterAction { - option (udpa.annotations.versioning).previous_message_type = "envoy.config.route.v3.FilterAction"; - - google.protobuf.Any action = 1; -} - -// A route is both a specification of how to match a request as well as an indication of what to do -// next (e.g., redirect, forward, rewrite, etc.). -// -// .. attention:: -// -// Envoy supports routing on HTTP method via :ref:`header matching -// `. -// [#next-free-field: 19] -message Route { - option (udpa.annotations.versioning).previous_message_type = "envoy.config.route.v3.Route"; - - reserved 6, 8; - - reserved "per_filter_config"; - - // Name for the route. - string name = 14; - - // Route matching parameters. - RouteMatch match = 1 [(validate.rules).message = {required: true}]; - - oneof action { - option (validate.required) = true; - - // Route request to some upstream cluster. - RouteAction route = 2; - - // Return a redirect. - RedirectAction redirect = 3; - - // Return an arbitrary HTTP response directly, without proxying. 
- DirectResponseAction direct_response = 7; - - // [#not-implemented-hide:] - // A filter-defined action (e.g., it could dynamically generate the RouteAction). - // [#comment: TODO(samflattery): Remove cleanup in route_fuzz_test.cc when - // implemented] - FilterAction filter_action = 17; - - // [#not-implemented-hide:] - // An action used when the route will generate a response directly, - // without forwarding to an upstream host. This will be used in non-proxy - // xDS clients like the gRPC server. It could also be used in the future - // in Envoy for a filter that directly generates responses for requests. - NonForwardingAction non_forwarding_action = 18; - } - - // The Metadata field can be used to provide additional information - // about the route. It can be used for configuration, stats, and logging. - // The metadata should go under the filter namespace that will need it. - // For instance, if the metadata is intended for the Router filter, - // the filter name should be specified as *envoy.filters.http.router*. - core.v4alpha.Metadata metadata = 4; - - // Decorator for the matched route. - Decorator decorator = 5; - - // The typed_per_filter_config field can be used to provide route-specific - // configurations for filters. The key should match the filter name, such as - // *envoy.filters.http.buffer* for the HTTP buffer filter. Use of this field is filter - // specific; see the :ref:`HTTP filter documentation ` for - // if and how it is utilized. - // [#comment: An entry's value may be wrapped in a - // :ref:`FilterConfig` - // message to specify additional options.] - map typed_per_filter_config = 13; - - // Specifies a set of headers that will be added to requests matching this - // route. Headers specified at this level are applied before headers from the - // enclosing :ref:`envoy_v3_api_msg_config.route.v3.VirtualHost` and - // :ref:`envoy_v3_api_msg_config.route.v3.RouteConfiguration`. 
For more information, including details on - // header value syntax, see the documentation on :ref:`custom request headers - // `. - repeated core.v4alpha.HeaderValueOption request_headers_to_add = 9 - [(validate.rules).repeated = {max_items: 1000}]; - - // Specifies a list of HTTP headers that should be removed from each request - // matching this route. - repeated string request_headers_to_remove = 12 [(validate.rules).repeated = { - items {string {min_len: 1 well_known_regex: HTTP_HEADER_NAME strict: false}} - }]; - - // Specifies a set of headers that will be added to responses to requests - // matching this route. Headers specified at this level are applied before - // headers from the enclosing :ref:`envoy_v3_api_msg_config.route.v3.VirtualHost` and - // :ref:`envoy_v3_api_msg_config.route.v3.RouteConfiguration`. For more information, including - // details on header value syntax, see the documentation on - // :ref:`custom request headers `. - repeated core.v4alpha.HeaderValueOption response_headers_to_add = 10 - [(validate.rules).repeated = {max_items: 1000}]; - - // Specifies a list of HTTP headers that should be removed from each response - // to requests matching this route. - repeated string response_headers_to_remove = 11 [(validate.rules).repeated = { - items {string {min_len: 1 well_known_regex: HTTP_HEADER_NAME strict: false}} - }]; - - // Presence of the object defines whether the connection manager's tracing configuration - // is overridden by this route specific instance. - Tracing tracing = 15; - - // The maximum bytes which will be buffered for retries and shadowing. - // If set, the bytes actually buffered will be the minimum value of this and the - // listener per_connection_buffer_limit_bytes. 
- google.protobuf.UInt32Value per_request_buffer_limit_bytes = 16; -} - -// Compared to the :ref:`cluster ` field that specifies a -// single upstream cluster as the target of a request, the :ref:`weighted_clusters -// ` option allows for specification of -// multiple upstream clusters along with weights that indicate the percentage of -// traffic to be forwarded to each cluster. The router selects an upstream cluster based on the -// weights. -message WeightedCluster { - option (udpa.annotations.versioning).previous_message_type = - "envoy.config.route.v3.WeightedCluster"; - - // [#next-free-field: 12] - message ClusterWeight { - option (udpa.annotations.versioning).previous_message_type = - "envoy.config.route.v3.WeightedCluster.ClusterWeight"; - - reserved 7, 8; - - reserved "per_filter_config"; - - // Name of the upstream cluster. The cluster must exist in the - // :ref:`cluster manager configuration `. - string name = 1 [(validate.rules).string = {min_len: 1}]; - - // An integer between 0 and :ref:`total_weight - // `. When a request matches the route, - // the choice of an upstream cluster is determined by its weight. The sum of weights across all - // entries in the clusters array must add up to the total_weight, which defaults to 100. - google.protobuf.UInt32Value weight = 2; - - // Optional endpoint metadata match criteria used by the subset load balancer. Only endpoints in - // the upstream cluster with metadata matching what is set in this field will be considered for - // load balancing. Note that this will be merged with what's provided in - // :ref:`RouteAction.metadata_match `, with - // values here taking precedence. The filter name should be specified as *envoy.lb*. - core.v4alpha.Metadata metadata_match = 3; - - // Specifies a list of headers to be added to requests when this cluster is selected - // through the enclosing :ref:`envoy_v3_api_msg_config.route.v3.RouteAction`. 
- // Headers specified at this level are applied before headers from the enclosing - // :ref:`envoy_v3_api_msg_config.route.v3.Route`, :ref:`envoy_v3_api_msg_config.route.v3.VirtualHost`, and - // :ref:`envoy_v3_api_msg_config.route.v3.RouteConfiguration`. For more information, including details on - // header value syntax, see the documentation on :ref:`custom request headers - // `. - repeated core.v4alpha.HeaderValueOption request_headers_to_add = 4 - [(validate.rules).repeated = {max_items: 1000}]; - - // Specifies a list of HTTP headers that should be removed from each request when - // this cluster is selected through the enclosing :ref:`envoy_v3_api_msg_config.route.v3.RouteAction`. - repeated string request_headers_to_remove = 9 [(validate.rules).repeated = { - items {string {well_known_regex: HTTP_HEADER_NAME strict: false}} - }]; - - // Specifies a list of headers to be added to responses when this cluster is selected - // through the enclosing :ref:`envoy_v3_api_msg_config.route.v3.RouteAction`. - // Headers specified at this level are applied before headers from the enclosing - // :ref:`envoy_v3_api_msg_config.route.v3.Route`, :ref:`envoy_v3_api_msg_config.route.v3.VirtualHost`, and - // :ref:`envoy_v3_api_msg_config.route.v3.RouteConfiguration`. For more information, including details on - // header value syntax, see the documentation on :ref:`custom request headers - // `. - repeated core.v4alpha.HeaderValueOption response_headers_to_add = 5 - [(validate.rules).repeated = {max_items: 1000}]; - - // Specifies a list of headers to be removed from responses when this cluster is selected - // through the enclosing :ref:`envoy_v3_api_msg_config.route.v3.RouteAction`. - repeated string response_headers_to_remove = 6 [(validate.rules).repeated = { - items {string {well_known_regex: HTTP_HEADER_NAME strict: false}} - }]; - - // The per_filter_config field can be used to provide weighted cluster-specific - // configurations for filters. 
The key should match the filter name, such as - // *envoy.filters.http.buffer* for the HTTP buffer filter. Use of this field is filter - // specific; see the :ref:`HTTP filter documentation ` - // for if and how it is utilized. - // [#comment: An entry's value may be wrapped in a - // :ref:`FilterConfig` - // message to specify additional options.] - map typed_per_filter_config = 10; - - oneof host_rewrite_specifier { - // Indicates that during forwarding, the host header will be swapped with - // this value. - string host_rewrite_literal = 11 - [(validate.rules).string = {well_known_regex: HTTP_HEADER_VALUE strict: false}]; - } - } - - // Specifies one or more upstream clusters associated with the route. - repeated ClusterWeight clusters = 1 [(validate.rules).repeated = {min_items: 1}]; - - // Specifies the total weight across all clusters. The sum of all cluster weights must equal this - // value, which must be greater than 0. Defaults to 100. - google.protobuf.UInt32Value total_weight = 3 [(validate.rules).uint32 = {gte: 1}]; - - // Specifies the runtime key prefix that should be used to construct the - // runtime keys associated with each cluster. When the *runtime_key_prefix* is - // specified, the router will look for weights associated with each upstream - // cluster under the key *runtime_key_prefix* + "." + *cluster[i].name* where - // *cluster[i]* denotes an entry in the clusters array field. If the runtime - // key for the cluster does not exist, the value specified in the - // configuration file will be used as the default weight. See the :ref:`runtime documentation - // ` for how key names map to the underlying implementation. 
- string runtime_key_prefix = 2; -} - -// [#next-free-field: 13] -message RouteMatch { - option (udpa.annotations.versioning).previous_message_type = "envoy.config.route.v3.RouteMatch"; - - message GrpcRouteMatchOptions { - option (udpa.annotations.versioning).previous_message_type = - "envoy.config.route.v3.RouteMatch.GrpcRouteMatchOptions"; - } - - message TlsContextMatchOptions { - option (udpa.annotations.versioning).previous_message_type = - "envoy.config.route.v3.RouteMatch.TlsContextMatchOptions"; - - // If specified, the route will match against whether or not a certificate is presented. - // If not specified, certificate presentation status (true or false) will not be considered when route matching. - google.protobuf.BoolValue presented = 1; - - // If specified, the route will match against whether or not a certificate is validated. - // If not specified, certificate validation status (true or false) will not be considered when route matching. - google.protobuf.BoolValue validated = 2; - } - - // An extensible message for matching CONNECT requests. - message ConnectMatcher { - option (udpa.annotations.versioning).previous_message_type = - "envoy.config.route.v3.RouteMatch.ConnectMatcher"; - } - - reserved 5, 3; - - reserved "regex"; - - oneof path_specifier { - option (validate.required) = true; - - // If specified, the route is a prefix rule meaning that the prefix must - // match the beginning of the *:path* header. - string prefix = 1; - - // If specified, the route is an exact path rule meaning that the path must - // exactly match the *:path* header once the query string is removed. - string path = 2; - - // If specified, the route is a regular expression rule meaning that the - // regex must match the *:path* header once the query string is removed. The entire path - // (without the query string) must match the regex. The rule will not match if only a - // subsequence of the *:path* header matches the regex. 
- // - // [#next-major-version: In the v3 API we should redo how path specification works such - // that we utilize StringMatcher, and additionally have consistent options around whether we - // strip query strings, do a case sensitive match, etc. In the interim it will be too disruptive - // to deprecate the existing options. We should even consider whether we want to do away with - // path_specifier entirely and just rely on a set of header matchers which can already match - // on :path, etc. The issue with that is it is unclear how to generically deal with query string - // stripping. This needs more thought.] - type.matcher.v4alpha.RegexMatcher safe_regex = 10 [(validate.rules).message = {required: true}]; - - // If this is used as the matcher, the matcher will only match CONNECT requests. - // Note that this will not match HTTP/2 upgrade-style CONNECT requests - // (WebSocket and the like) as they are normalized in Envoy as HTTP/1.1 style - // upgrades. - // This is the only way to match CONNECT requests for HTTP/1.1. For HTTP/2, - // where Extended CONNECT requests may have a path, the path matchers will work if - // there is a path present. - // Note that CONNECT support is currently considered alpha in Envoy. - // [#comment: TODO(htuch): Replace the above comment with an alpha tag.] - ConnectMatcher connect_matcher = 12; - } - - // Indicates that prefix/path matching should be case sensitive. The default - // is true. Ignored for safe_regex matching. - google.protobuf.BoolValue case_sensitive = 4; - - // Indicates that the route should additionally match on a runtime key. Every time the route - // is considered for a match, it must also fall under the percentage of matches indicated by - // this field. For some fraction N/D, a random number in the range [0,D) is selected. If the - // number is <= the value of the numerator N, or if the key is not present, the default - // value, the router continues to evaluate the remaining match criteria. 
A runtime_fraction - // route configuration can be used to roll out route changes in a gradual manner without full - // code/config deploys. Refer to the :ref:`traffic shifting - // ` docs for additional documentation. - // - // .. note:: - // - // Parsing this field is implemented such that the runtime key's data may be represented - // as a FractionalPercent proto represented as JSON/YAML and may also be represented as an - // integer with the assumption that the value is an integral percentage out of 100. For - // instance, a runtime key lookup returning the value "42" would parse as a FractionalPercent - // whose numerator is 42 and denominator is HUNDRED. This preserves legacy semantics. - core.v4alpha.RuntimeFractionalPercent runtime_fraction = 9; - - // Specifies a set of headers that the route should match on. The router will - // check the request’s headers against all the specified headers in the route - // config. A match will happen if all the headers in the route are present in - // the request with the same values (or based on presence if the value field - // is not in the config). - repeated HeaderMatcher headers = 6; - - // Specifies a set of URL query parameters on which the route should - // match. The router will check the query string from the *path* header - // against all the specified query parameters. If the number of specified - // query parameters is nonzero, they all must match the *path* header's - // query string for a match to occur. - repeated QueryParameterMatcher query_parameters = 7; - - // If specified, only gRPC requests will be matched. The router will check - // that the content-type header has a application/grpc or one of the various - // application/grpc+ values. - GrpcRouteMatchOptions grpc = 8; - - // If specified, the client tls context will be matched against the defined - // match options. 
- // - // [#next-major-version: unify with RBAC] - TlsContextMatchOptions tls_context = 11; -} - -// [#next-free-field: 12] -message CorsPolicy { - option (udpa.annotations.versioning).previous_message_type = "envoy.config.route.v3.CorsPolicy"; - - reserved 1, 8, 7; - - reserved "allow_origin", "allow_origin_regex", "enabled"; - - // Specifies string patterns that match allowed origins. An origin is allowed if any of the - // string matchers match. - repeated type.matcher.v4alpha.StringMatcher allow_origin_string_match = 11; - - // Specifies the content for the *access-control-allow-methods* header. - string allow_methods = 2; - - // Specifies the content for the *access-control-allow-headers* header. - string allow_headers = 3; - - // Specifies the content for the *access-control-expose-headers* header. - string expose_headers = 4; - - // Specifies the content for the *access-control-max-age* header. - string max_age = 5; - - // Specifies whether the resource allows credentials. - google.protobuf.BoolValue allow_credentials = 6; - - oneof enabled_specifier { - // Specifies the % of requests for which the CORS filter is enabled. - // - // If neither ``enabled``, ``filter_enabled``, nor ``shadow_enabled`` are specified, the CORS - // filter will be enabled for 100% of the requests. - // - // If :ref:`runtime_key ` is - // specified, Envoy will lookup the runtime key to get the percentage of requests to filter. - core.v4alpha.RuntimeFractionalPercent filter_enabled = 9; - } - - // Specifies the % of requests for which the CORS policies will be evaluated and tracked, but not - // enforced. - // - // This field is intended to be used when ``filter_enabled`` and ``enabled`` are off. One of those - // fields have to explicitly disable the filter in order for this setting to take effect. 
- // - // If :ref:`runtime_key ` is specified, - // Envoy will lookup the runtime key to get the percentage of requests for which it will evaluate - // and track the request's *Origin* to determine if it's valid but will not enforce any policies. - core.v4alpha.RuntimeFractionalPercent shadow_enabled = 10; -} - -// [#next-free-field: 38] -message RouteAction { - option (udpa.annotations.versioning).previous_message_type = "envoy.config.route.v3.RouteAction"; - - enum ClusterNotFoundResponseCode { - // HTTP status code - 503 Service Unavailable. - SERVICE_UNAVAILABLE = 0; - - // HTTP status code - 404 Not Found. - NOT_FOUND = 1; - } - - // The router is capable of shadowing traffic from one cluster to another. The current - // implementation is "fire and forget," meaning Envoy will not wait for the shadow cluster to - // respond before returning the response from the primary cluster. All normal statistics are - // collected for the shadow cluster making this feature useful for testing. - // - // During shadowing, the host/authority header is altered such that *-shadow* is appended. This is - // useful for logging. For example, *cluster1* becomes *cluster1-shadow*. - // - // .. note:: - // - // Shadowing will not be triggered if the primary cluster does not exist. - message RequestMirrorPolicy { - option (udpa.annotations.versioning).previous_message_type = - "envoy.config.route.v3.RouteAction.RequestMirrorPolicy"; - - reserved 2; - - reserved "runtime_key"; - - // Specifies the cluster that requests will be mirrored to. The cluster must - // exist in the cluster manager configuration. - string cluster = 1 [(validate.rules).string = {min_len: 1}]; - - // If not specified, all requests to the target cluster will be mirrored. - // - // If specified, this field takes precedence over the `runtime_key` field and requests must also - // fall under the percentage of matches indicated by this field. 
- // - // For some fraction N/D, a random number in the range [0,D) is selected. If the - // number is <= the value of the numerator N, or if the key is not present, the default - // value, the request will be mirrored. - core.v4alpha.RuntimeFractionalPercent runtime_fraction = 3; - - // Determines if the trace span should be sampled. Defaults to true. - google.protobuf.BoolValue trace_sampled = 4; - } - - // Specifies the route's hashing policy if the upstream cluster uses a hashing :ref:`load balancer - // `. - // [#next-free-field: 7] - message HashPolicy { - option (udpa.annotations.versioning).previous_message_type = - "envoy.config.route.v3.RouteAction.HashPolicy"; - - message Header { - option (udpa.annotations.versioning).previous_message_type = - "envoy.config.route.v3.RouteAction.HashPolicy.Header"; - - // The name of the request header that will be used to obtain the hash - // key. If the request header is not present, no hash will be produced. - string header_name = 1 - [(validate.rules).string = {min_len: 1 well_known_regex: HTTP_HEADER_NAME strict: false}]; - - // If specified, the request header value will be rewritten and used - // to produce the hash key. - type.matcher.v4alpha.RegexMatchAndSubstitute regex_rewrite = 2; - } - - // Envoy supports two types of cookie affinity: - // - // 1. Passive. Envoy takes a cookie that's present in the cookies header and - // hashes on its value. - // - // 2. Generated. Envoy generates and sets a cookie with an expiration (TTL) - // on the first request from the client in its response to the client, - // based on the endpoint the request gets sent to. The client then - // presents this on the next and all subsequent requests. The hash of - // this is sufficient to ensure these requests get sent to the same - // endpoint. 
The cookie is generated by hashing the source and - // destination ports and addresses so that multiple independent HTTP2 - // streams on the same connection will independently receive the same - // cookie, even if they arrive at the Envoy simultaneously. - message Cookie { - option (udpa.annotations.versioning).previous_message_type = - "envoy.config.route.v3.RouteAction.HashPolicy.Cookie"; - - // The name of the cookie that will be used to obtain the hash key. If the - // cookie is not present and ttl below is not set, no hash will be - // produced. - string name = 1 [(validate.rules).string = {min_len: 1}]; - - // If specified, a cookie with the TTL will be generated if the cookie is - // not present. If the TTL is present and zero, the generated cookie will - // be a session cookie. - google.protobuf.Duration ttl = 2; - - // The name of the path for the cookie. If no path is specified here, no path - // will be set for the cookie. - string path = 3; - } - - message ConnectionProperties { - option (udpa.annotations.versioning).previous_message_type = - "envoy.config.route.v3.RouteAction.HashPolicy.ConnectionProperties"; - - // Hash on source IP address. - bool source_ip = 1; - } - - message QueryParameter { - option (udpa.annotations.versioning).previous_message_type = - "envoy.config.route.v3.RouteAction.HashPolicy.QueryParameter"; - - // The name of the URL query parameter that will be used to obtain the hash - // key. If the parameter is not present, no hash will be produced. Query - // parameter names are case-sensitive. - string name = 1 [(validate.rules).string = {min_len: 1}]; - } - - message FilterState { - option (udpa.annotations.versioning).previous_message_type = - "envoy.config.route.v3.RouteAction.HashPolicy.FilterState"; - - // The name of the Object in the per-request filterState, which is an - // Envoy::Http::Hashable object. 
If there is no data associated with the key, - // or the stored object is not Envoy::Http::Hashable, no hash will be produced. - string key = 1 [(validate.rules).string = {min_len: 1}]; - } - - oneof policy_specifier { - option (validate.required) = true; - - // Header hash policy. - Header header = 1; - - // Cookie hash policy. - Cookie cookie = 2; - - // Connection properties hash policy. - ConnectionProperties connection_properties = 3; - - // Query parameter hash policy. - QueryParameter query_parameter = 5; - - // Filter state hash policy. - FilterState filter_state = 6; - } - - // The flag that short-circuits the hash computing. This field provides a - // 'fallback' style of configuration: "if a terminal policy doesn't work, - // fallback to rest of the policy list", it saves time when the terminal - // policy works. - // - // If true, and there is already a hash computed, ignore rest of the - // list of hash polices. - // For example, if the following hash methods are configured: - // - // ========= ======== - // specifier terminal - // ========= ======== - // Header A true - // Header B false - // Header C false - // ========= ======== - // - // The generateHash process ends if policy "header A" generates a hash, as - // it's a terminal policy. - bool terminal = 4; - } - - // Allows enabling and disabling upgrades on a per-route basis. - // This overrides any enabled/disabled upgrade filter chain specified in the - // HttpConnectionManager - // :ref:`upgrade_configs - // ` - // but does not affect any custom filter chain specified there. - message UpgradeConfig { - option (udpa.annotations.versioning).previous_message_type = - "envoy.config.route.v3.RouteAction.UpgradeConfig"; - - // Configuration for sending data upstream as a raw data payload. This is used for - // CONNECT or POST requests, when forwarding request payload as raw TCP. 
- message ConnectConfig { - option (udpa.annotations.versioning).previous_message_type = - "envoy.config.route.v3.RouteAction.UpgradeConfig.ConnectConfig"; - - // If present, the proxy protocol header will be prepended to the CONNECT payload sent upstream. - core.v4alpha.ProxyProtocolConfig proxy_protocol_config = 1; - - // If set, the route will also allow forwarding POST payload as raw TCP. - bool allow_post = 2; - } - - // The case-insensitive name of this upgrade, e.g. "websocket". - // For each upgrade type present in upgrade_configs, requests with - // Upgrade: [upgrade_type] will be proxied upstream. - string upgrade_type = 1 - [(validate.rules).string = {min_len: 1 well_known_regex: HTTP_HEADER_VALUE strict: false}]; - - // Determines if upgrades are available on this route. Defaults to true. - google.protobuf.BoolValue enabled = 2; - - // Configuration for sending data upstream as a raw data payload. This is used for - // CONNECT requests, when forwarding CONNECT payload as raw TCP. - // Note that CONNECT support is currently considered alpha in Envoy. - // [#comment: TODO(htuch): Replace the above comment with an alpha tag.] - ConnectConfig connect_config = 3; - } - - message MaxStreamDuration { - option (udpa.annotations.versioning).previous_message_type = - "envoy.config.route.v3.RouteAction.MaxStreamDuration"; - - // Specifies the maximum duration allowed for streams on the route. If not specified, the value - // from the :ref:`max_stream_duration - // ` field in - // :ref:`HttpConnectionManager.common_http_protocol_options - // ` - // is used. If this field is set explicitly to zero, any - // HttpConnectionManager max_stream_duration timeout will be disabled for - // this route. - google.protobuf.Duration max_stream_duration = 1; - - // If present, and the request contains a `grpc-timeout header - // `_, use that value as the - // *max_stream_duration*, but limit the applied timeout to the maximum value specified here. 
- // If set to 0, the `grpc-timeout` header is used without modification. - google.protobuf.Duration grpc_timeout_header_max = 2; - - // If present, Envoy will adjust the timeout provided by the `grpc-timeout` header by - // subtracting the provided duration from the header. This is useful for allowing Envoy to set - // its global timeout to be less than that of the deadline imposed by the calling client, which - // makes it more likely that Envoy will handle the timeout instead of having the call canceled - // by the client. If, after applying the offset, the resulting timeout is zero or negative, - // the stream will timeout immediately. - google.protobuf.Duration grpc_timeout_header_offset = 3; - } - - reserved 12, 18, 19, 16, 22, 21, 10, 14, 23, 28, 26, 31; - - reserved "request_mirror_policy", "include_vh_rate_limits", "max_grpc_timeout", - "grpc_timeout_offset", "internal_redirect_action", "max_internal_redirects"; - - oneof cluster_specifier { - option (validate.required) = true; - - // Indicates the upstream cluster to which the request should be routed - // to. - string cluster = 1 [(validate.rules).string = {min_len: 1}]; - - // Envoy will determine the cluster to route to by reading the value of the - // HTTP header named by cluster_header from the request headers. If the - // header is not found or the referenced cluster does not exist, Envoy will - // return a 404 response. - // - // .. attention:: - // - // Internally, Envoy always uses the HTTP/2 *:authority* header to represent the HTTP/1 - // *Host* header. Thus, if attempting to match on *Host*, match on *:authority* instead. - // - // .. note:: - // - // If the header appears multiple times only the first value is used. - string cluster_header = 2 - [(validate.rules).string = {min_len: 1 well_known_regex: HTTP_HEADER_NAME strict: false}]; - - // Multiple upstream clusters can be specified for a given route. 
The - // request is routed to one of the upstream clusters based on weights - // assigned to each cluster. See - // :ref:`traffic splitting ` - // for additional documentation. - WeightedCluster weighted_clusters = 3; - - // [#not-implemented-hide:] - // Name of the cluster specifier plugin to use to determine the cluster for - // requests on this route. The plugin name must be defined in the associated - // :ref:`envoy_v3_api_field_config.route.v3.RouteConfiguration.cluster_specifier_plugins` - // in the - // :ref:`envoy_v3_api_field_config.core.v3.TypedExtensionConfig.name` field. - string cluster_specifier_plugin = 37; - } - - // The HTTP status code to use when configured cluster is not found. - // The default response code is 503 Service Unavailable. - ClusterNotFoundResponseCode cluster_not_found_response_code = 20 - [(validate.rules).enum = {defined_only: true}]; - - // Optional endpoint metadata match criteria used by the subset load balancer. Only endpoints - // in the upstream cluster with metadata matching what's set in this field will be considered - // for load balancing. If using :ref:`weighted_clusters - // `, metadata will be merged, with values - // provided there taking precedence. The filter name should be specified as *envoy.lb*. - core.v4alpha.Metadata metadata_match = 4; - - // Indicates that during forwarding, the matched prefix (or path) should be - // swapped with this value. This option allows application URLs to be rooted - // at a different path from those exposed at the reverse proxy layer. The router filter will - // place the original path before rewrite into the :ref:`x-envoy-original-path - // ` header. - // - // Only one of *prefix_rewrite* or - // :ref:`regex_rewrite ` - // may be specified. - // - // .. attention:: - // - // Pay careful attention to the use of trailing slashes in the - // :ref:`route's match ` prefix value. - // Stripping a prefix from a path requires multiple Routes to handle all cases. 
For example, - // rewriting */prefix* to */* and */prefix/etc* to */etc* cannot be done in a single - // :ref:`Route `, as shown by the below config entries: - // - // .. code-block:: yaml - // - // - match: - // prefix: "/prefix/" - // route: - // prefix_rewrite: "/" - // - match: - // prefix: "/prefix" - // route: - // prefix_rewrite: "/" - // - // Having above entries in the config, requests to */prefix* will be stripped to */*, while - // requests to */prefix/etc* will be stripped to */etc*. - string prefix_rewrite = 5 - [(validate.rules).string = {well_known_regex: HTTP_HEADER_VALUE strict: false}]; - - // Indicates that during forwarding, portions of the path that match the - // pattern should be rewritten, even allowing the substitution of capture - // groups from the pattern into the new path as specified by the rewrite - // substitution string. This is useful to allow application paths to be - // rewritten in a way that is aware of segments with variable content like - // identifiers. The router filter will place the original path as it was - // before the rewrite into the :ref:`x-envoy-original-path - // ` header. - // - // Only one of :ref:`prefix_rewrite ` - // or *regex_rewrite* may be specified. - // - // Examples using Google's `RE2 `_ engine: - // - // * The path pattern ``^/service/([^/]+)(/.*)$`` paired with a substitution - // string of ``\2/instance/\1`` would transform ``/service/foo/v1/api`` - // into ``/v1/api/instance/foo``. - // - // * The pattern ``one`` paired with a substitution string of ``two`` would - // transform ``/xxx/one/yyy/one/zzz`` into ``/xxx/two/yyy/two/zzz``. - // - // * The pattern ``^(.*?)one(.*)$`` paired with a substitution string of - // ``\1two\2`` would replace only the first occurrence of ``one``, - // transforming path ``/xxx/one/yyy/one/zzz`` into ``/xxx/two/yyy/one/zzz``. 
- // - // * The pattern ``(?i)/xxx/`` paired with a substitution string of ``/yyy/`` - // would do a case-insensitive match and transform path ``/aaa/XxX/bbb`` to - // ``/aaa/yyy/bbb``. - type.matcher.v4alpha.RegexMatchAndSubstitute regex_rewrite = 32; - - oneof host_rewrite_specifier { - // Indicates that during forwarding, the host header will be swapped with - // this value. - string host_rewrite_literal = 6 - [(validate.rules).string = {well_known_regex: HTTP_HEADER_VALUE strict: false}]; - - // Indicates that during forwarding, the host header will be swapped with - // the hostname of the upstream host chosen by the cluster manager. This - // option is applicable only when the destination cluster for a route is of - // type *strict_dns* or *logical_dns*. Setting this to true with other cluster - // types has no effect. - google.protobuf.BoolValue auto_host_rewrite = 7; - - // Indicates that during forwarding, the host header will be swapped with the content of given - // downstream or :ref:`custom ` header. - // If header value is empty, host header is left intact. - // - // .. attention:: - // - // Pay attention to the potential security implications of using this option. Provided header - // must come from trusted source. - // - // .. note:: - // - // If the header appears multiple times only the first value is used. - string host_rewrite_header = 29 - [(validate.rules).string = {well_known_regex: HTTP_HEADER_NAME strict: false}]; - - // Indicates that during forwarding, the host header will be swapped with - // the result of the regex substitution executed on path value with query and fragment removed. - // This is useful for transitioning variable content between path segment and subdomain. - // - // For example with the following config: - // - // .. 
code-block:: yaml - // - // host_rewrite_path_regex: - // pattern: - // google_re2: {} - // regex: "^/(.+)/.+$" - // substitution: \1 - // - // Would rewrite the host header to `envoyproxy.io` given the path `/envoyproxy.io/some/path`. - type.matcher.v4alpha.RegexMatchAndSubstitute host_rewrite_path_regex = 35; - } - - // Specifies the upstream timeout for the route. If not specified, the default is 15s. This - // spans between the point at which the entire downstream request (i.e. end-of-stream) has been - // processed and when the upstream response has been completely processed. A value of 0 will - // disable the route's timeout. - // - // .. note:: - // - // This timeout includes all retries. See also - // :ref:`config_http_filters_router_x-envoy-upstream-rq-timeout-ms`, - // :ref:`config_http_filters_router_x-envoy-upstream-rq-per-try-timeout-ms`, and the - // :ref:`retry overview `. - google.protobuf.Duration timeout = 8; - - // Specifies the idle timeout for the route. If not specified, there is no per-route idle timeout, - // although the connection manager wide :ref:`stream_idle_timeout - // ` - // will still apply. A value of 0 will completely disable the route's idle timeout, even if a - // connection manager stream idle timeout is configured. - // - // The idle timeout is distinct to :ref:`timeout - // `, which provides an upper bound - // on the upstream response time; :ref:`idle_timeout - // ` instead bounds the amount - // of time the request's stream may be idle. - // - // After header decoding, the idle timeout will apply on downstream and - // upstream request events. Each time an encode/decode event for headers or - // data is processed for the stream, the timer will be reset. If the timeout - // fires, the stream is terminated with a 408 Request Timeout error code if no - // upstream response header has been received, otherwise a stream reset - // occurs. 
- // - // If the :ref:`overload action ` "envoy.overload_actions.reduce_timeouts" - // is configured, this timeout is scaled according to the value for - // :ref:`HTTP_DOWNSTREAM_STREAM_IDLE `. - google.protobuf.Duration idle_timeout = 24; - - // Indicates that the route has a retry policy. Note that if this is set, - // it'll take precedence over the virtual host level retry policy entirely - // (e.g.: policies are not merged, most internal one becomes the enforced policy). - RetryPolicy retry_policy = 9; - - // [#not-implemented-hide:] - // Specifies the configuration for retry policy extension. Note that if this is set, it'll take - // precedence over the virtual host level retry policy entirely (e.g.: policies are not merged, - // most internal one becomes the enforced policy). :ref:`Retry policy ` - // should not be set if this field is used. - google.protobuf.Any retry_policy_typed_config = 33; - - // Indicates that the route has request mirroring policies. - repeated RequestMirrorPolicy request_mirror_policies = 30; - - // Optionally specifies the :ref:`routing priority `. - core.v4alpha.RoutingPriority priority = 11 [(validate.rules).enum = {defined_only: true}]; - - // Specifies a set of rate limit configurations that could be applied to the - // route. - repeated RateLimit rate_limits = 13; - - // Specifies a list of hash policies to use for ring hash load balancing. Each - // hash policy is evaluated individually and the combined result is used to - // route the request. The method of combination is deterministic such that - // identical lists of hash policies will produce the same hash. Since a hash - // policy examines specific parts of a request, it can fail to produce a hash - // (i.e. if the hashed header is not present). If (and only if) all configured - // hash policies fail to generate a hash, no hash will be produced for - // the route. In this case, the behavior is the same as if no hash policies - // were specified (i.e. 
the ring hash load balancer will choose a random - // backend). If a hash policy has the "terminal" attribute set to true, and - // there is already a hash generated, the hash is returned immediately, - // ignoring the rest of the hash policy list. - repeated HashPolicy hash_policy = 15; - - // Indicates that the route has a CORS policy. - CorsPolicy cors = 17; - - repeated UpgradeConfig upgrade_configs = 25; - - // If present, Envoy will try to follow an upstream redirect response instead of proxying the - // response back to the downstream. An upstream redirect response is defined - // by :ref:`redirect_response_codes - // `. - InternalRedirectPolicy internal_redirect_policy = 34; - - // Indicates that the route has a hedge policy. Note that if this is set, - // it'll take precedence over the virtual host level hedge policy entirely - // (e.g.: policies are not merged, most internal one becomes the enforced policy). - HedgePolicy hedge_policy = 27; - - // Specifies the maximum stream duration for this route. - MaxStreamDuration max_stream_duration = 36; -} - -// HTTP retry :ref:`architecture overview `. 
-// [#next-free-field: 12] -message RetryPolicy { - option (udpa.annotations.versioning).previous_message_type = "envoy.config.route.v3.RetryPolicy"; - - enum ResetHeaderFormat { - SECONDS = 0; - UNIX_TIMESTAMP = 1; - } - - message RetryPriority { - option (udpa.annotations.versioning).previous_message_type = - "envoy.config.route.v3.RetryPolicy.RetryPriority"; - - reserved 2; - - reserved "config"; - - string name = 1 [(validate.rules).string = {min_len: 1}]; - - // [#extension-category: envoy.retry_priorities] - oneof config_type { - google.protobuf.Any typed_config = 3; - } - } - - message RetryHostPredicate { - option (udpa.annotations.versioning).previous_message_type = - "envoy.config.route.v3.RetryPolicy.RetryHostPredicate"; - - reserved 2; - - reserved "config"; - - string name = 1 [(validate.rules).string = {min_len: 1}]; - - // [#extension-category: envoy.retry_host_predicates] - oneof config_type { - google.protobuf.Any typed_config = 3; - } - } - - message RetryBackOff { - option (udpa.annotations.versioning).previous_message_type = - "envoy.config.route.v3.RetryPolicy.RetryBackOff"; - - // Specifies the base interval between retries. This parameter is required and must be greater - // than zero. Values less than 1 ms are rounded up to 1 ms. - // See :ref:`config_http_filters_router_x-envoy-max-retries` for a discussion of Envoy's - // back-off algorithm. - google.protobuf.Duration base_interval = 1 [(validate.rules).duration = { - required: true - gt {} - }]; - - // Specifies the maximum interval between retries. This parameter is optional, but must be - // greater than or equal to the `base_interval` if set. The default is 10 times the - // `base_interval`. See :ref:`config_http_filters_router_x-envoy-max-retries` for a discussion - // of Envoy's back-off algorithm. 
- google.protobuf.Duration max_interval = 2 [(validate.rules).duration = {gt {}}]; - } - - message ResetHeader { - option (udpa.annotations.versioning).previous_message_type = - "envoy.config.route.v3.RetryPolicy.ResetHeader"; - - // The name of the reset header. - // - // .. note:: - // - // If the header appears multiple times only the first value is used. - string name = 1 - [(validate.rules).string = {min_len: 1 well_known_regex: HTTP_HEADER_NAME strict: false}]; - - // The format of the reset header. - ResetHeaderFormat format = 2 [(validate.rules).enum = {defined_only: true}]; - } - - // A retry back-off strategy that applies when the upstream server rate limits - // the request. - // - // Given this configuration: - // - // .. code-block:: yaml - // - // rate_limited_retry_back_off: - // reset_headers: - // - name: Retry-After - // format: SECONDS - // - name: X-RateLimit-Reset - // format: UNIX_TIMESTAMP - // max_interval: "300s" - // - // The following algorithm will apply: - // - // 1. If the response contains the header ``Retry-After`` its value must be on - // the form ``120`` (an integer that represents the number of seconds to - // wait before retrying). If so, this value is used as the back-off interval. - // 2. Otherwise, if the response contains the header ``X-RateLimit-Reset`` its - // value must be on the form ``1595320702`` (an integer that represents the - // point in time at which to retry, as a Unix timestamp in seconds). If so, - // the current time is subtracted from this value and the result is used as - // the back-off interval. - // 3. Otherwise, Envoy will use the default - // :ref:`exponential back-off ` - // strategy. - // - // No matter which format is used, if the resulting back-off interval exceeds - // ``max_interval`` it is discarded and the next header in ``reset_headers`` - // is tried. If a request timeout is configured for the route it will further - // limit how long the request will be allowed to run. 
- // - // To prevent many clients retrying at the same point in time jitter is added - // to the back-off interval, so the resulting interval is decided by taking: - // ``random(interval, interval * 1.5)``. - // - // .. attention:: - // - // Configuring ``rate_limited_retry_back_off`` will not by itself cause a request - // to be retried. You will still need to configure the right retry policy to match - // the responses from the upstream server. - message RateLimitedRetryBackOff { - option (udpa.annotations.versioning).previous_message_type = - "envoy.config.route.v3.RetryPolicy.RateLimitedRetryBackOff"; - - // Specifies the reset headers (like ``Retry-After`` or ``X-RateLimit-Reset``) - // to match against the response. Headers are tried in order, and matched case - // insensitive. The first header to be parsed successfully is used. If no headers - // match the default exponential back-off is used instead. - repeated ResetHeader reset_headers = 1 [(validate.rules).repeated = {min_items: 1}]; - - // Specifies the maximum back off interval that Envoy will allow. If a reset - // header contains an interval longer than this then it will be discarded and - // the next header will be tried. Defaults to 300 seconds. - google.protobuf.Duration max_interval = 2 [(validate.rules).duration = {gt {}}]; - } - - // Specifies the conditions under which retry takes place. These are the same - // conditions documented for :ref:`config_http_filters_router_x-envoy-retry-on` and - // :ref:`config_http_filters_router_x-envoy-retry-grpc-on`. - string retry_on = 1; - - // Specifies the allowed number of retries. This parameter is optional and - // defaults to 1. These are the same conditions documented for - // :ref:`config_http_filters_router_x-envoy-max-retries`. - google.protobuf.UInt32Value max_retries = 2; - - // Specifies a non-zero upstream timeout per retry attempt. This parameter is optional. 
The - // same conditions documented for - // :ref:`config_http_filters_router_x-envoy-upstream-rq-per-try-timeout-ms` apply. - // - // .. note:: - // - // If left unspecified, Envoy will use the global - // :ref:`route timeout ` for the request. - // Consequently, when using a :ref:`5xx ` based - // retry policy, a request that times out will not be retried as the total timeout budget - // would have been exhausted. - google.protobuf.Duration per_try_timeout = 3; - - // Specifies an implementation of a RetryPriority which is used to determine the - // distribution of load across priorities used for retries. Refer to - // :ref:`retry plugin configuration ` for more details. - RetryPriority retry_priority = 4; - - // Specifies a collection of RetryHostPredicates that will be consulted when selecting a host - // for retries. If any of the predicates reject the host, host selection will be reattempted. - // Refer to :ref:`retry plugin configuration ` for more - // details. - repeated RetryHostPredicate retry_host_predicate = 5; - - // The maximum number of times host selection will be reattempted before giving up, at which - // point the host that was last selected will be routed to. If unspecified, this will default to - // retrying once. - int64 host_selection_retry_max_attempts = 6; - - // HTTP status codes that should trigger a retry in addition to those specified by retry_on. - repeated uint32 retriable_status_codes = 7; - - // Specifies parameters that control exponential retry back off. This parameter is optional, in which case the - // default base interval is 25 milliseconds or, if set, the current value of the - // `upstream.base_retry_backoff_ms` runtime parameter. The default maximum interval is 10 times - // the base interval. The documentation for :ref:`config_http_filters_router_x-envoy-max-retries` - // describes Envoy's back-off algorithm. 
- RetryBackOff retry_back_off = 8; - - // Specifies parameters that control a retry back-off strategy that is used - // when the request is rate limited by the upstream server. The server may - // return a response header like ``Retry-After`` or ``X-RateLimit-Reset`` to - // provide feedback to the client on how long to wait before retrying. If - // configured, this back-off strategy will be used instead of the - // default exponential back off strategy (configured using `retry_back_off`) - // whenever a response includes the matching headers. - RateLimitedRetryBackOff rate_limited_retry_back_off = 11; - - // HTTP response headers that trigger a retry if present in the response. A retry will be - // triggered if any of the header matches match the upstream response headers. - // The field is only consulted if 'retriable-headers' retry policy is active. - repeated HeaderMatcher retriable_headers = 9; - - // HTTP headers which must be present in the request for retries to be attempted. - repeated HeaderMatcher retriable_request_headers = 10; -} - -// HTTP request hedging :ref:`architecture overview `. -message HedgePolicy { - option (udpa.annotations.versioning).previous_message_type = "envoy.config.route.v3.HedgePolicy"; - - // Specifies the number of initial requests that should be sent upstream. - // Must be at least 1. - // Defaults to 1. - // [#not-implemented-hide:] - google.protobuf.UInt32Value initial_requests = 1 [(validate.rules).uint32 = {gte: 1}]; - - // Specifies a probability that an additional upstream request should be sent - // on top of what is specified by initial_requests. - // Defaults to 0. - // [#not-implemented-hide:] - type.v3.FractionalPercent additional_request_chance = 2; - - // Indicates that a hedged request should be sent when the per-try timeout is hit. - // This means that a retry will be issued without resetting the original request, leaving multiple upstream requests in flight. 
- // The first request to complete successfully will be the one returned to the caller. - // - // * At any time, a successful response (i.e. not triggering any of the retry-on conditions) would be returned to the client. - // * Before per-try timeout, an error response (per retry-on conditions) would be retried immediately or returned ot the client - // if there are no more retries left. - // * After per-try timeout, an error response would be discarded, as a retry in the form of a hedged request is already in progress. - // - // Note: For this to have effect, you must have a :ref:`RetryPolicy ` that retries at least - // one error code and specifies a maximum number of retries. - // - // Defaults to false. - bool hedge_on_per_try_timeout = 3; -} - -// [#next-free-field: 10] -message RedirectAction { - option (udpa.annotations.versioning).previous_message_type = - "envoy.config.route.v3.RedirectAction"; - - enum RedirectResponseCode { - // Moved Permanently HTTP Status Code - 301. - MOVED_PERMANENTLY = 0; - - // Found HTTP Status Code - 302. - FOUND = 1; - - // See Other HTTP Status Code - 303. - SEE_OTHER = 2; - - // Temporary Redirect HTTP Status Code - 307. - TEMPORARY_REDIRECT = 3; - - // Permanent Redirect HTTP Status Code - 308. - PERMANENT_REDIRECT = 4; - } - - // When the scheme redirection take place, the following rules apply: - // 1. If the source URI scheme is `http` and the port is explicitly - // set to `:80`, the port will be removed after the redirection - // 2. If the source URI scheme is `https` and the port is explicitly - // set to `:443`, the port will be removed after the redirection - oneof scheme_rewrite_specifier { - // The scheme portion of the URL will be swapped with "https". - bool https_redirect = 4; - - // The scheme portion of the URL will be swapped with this value. - string scheme_redirect = 7; - } - - // The host portion of the URL will be swapped with this value. 
- string host_redirect = 1 - [(validate.rules).string = {well_known_regex: HTTP_HEADER_VALUE strict: false}]; - - // The port value of the URL will be swapped with this value. - uint32 port_redirect = 8; - - oneof path_rewrite_specifier { - // The path portion of the URL will be swapped with this value. - // Please note that query string in path_redirect will override the - // request's query string and will not be stripped. - // - // For example, let's say we have the following routes: - // - // - match: { path: "/old-path-1" } - // redirect: { path_redirect: "/new-path-1" } - // - match: { path: "/old-path-2" } - // redirect: { path_redirect: "/new-path-2", strip-query: "true" } - // - match: { path: "/old-path-3" } - // redirect: { path_redirect: "/new-path-3?foo=1", strip_query: "true" } - // - // 1. if request uri is "/old-path-1?bar=1", users will be redirected to "/new-path-1?bar=1" - // 2. if request uri is "/old-path-2?bar=1", users will be redirected to "/new-path-2" - // 3. if request uri is "/old-path-3?bar=1", users will be redirected to "/new-path-3?foo=1" - string path_redirect = 2 - [(validate.rules).string = {well_known_regex: HTTP_HEADER_VALUE strict: false}]; - - // Indicates that during redirection, the matched prefix (or path) - // should be swapped with this value. This option allows redirect URLs be dynamically created - // based on the request. - // - // .. attention:: - // - // Pay attention to the use of trailing slashes as mentioned in - // :ref:`RouteAction's prefix_rewrite `. - string prefix_rewrite = 5 - [(validate.rules).string = {well_known_regex: HTTP_HEADER_VALUE strict: false}]; - - // Indicates that during redirect, portions of the path that match the - // pattern should be rewritten, even allowing the substitution of capture - // groups from the pattern into the new path as specified by the rewrite - // substitution string. 
This is useful to allow application paths to be - // rewritten in a way that is aware of segments with variable content like - // identifiers. - // - // Examples using Google's `RE2 `_ engine: - // - // * The path pattern ``^/service/([^/]+)(/.*)$`` paired with a substitution - // string of ``\2/instance/\1`` would transform ``/service/foo/v1/api`` - // into ``/v1/api/instance/foo``. - // - // * The pattern ``one`` paired with a substitution string of ``two`` would - // transform ``/xxx/one/yyy/one/zzz`` into ``/xxx/two/yyy/two/zzz``. - // - // * The pattern ``^(.*?)one(.*)$`` paired with a substitution string of - // ``\1two\2`` would replace only the first occurrence of ``one``, - // transforming path ``/xxx/one/yyy/one/zzz`` into ``/xxx/two/yyy/one/zzz``. - // - // * The pattern ``(?i)/xxx/`` paired with a substitution string of ``/yyy/`` - // would do a case-insensitive match and transform path ``/aaa/XxX/bbb`` to - // ``/aaa/yyy/bbb``. - type.matcher.v4alpha.RegexMatchAndSubstitute regex_rewrite = 9; - } - - // The HTTP status code to use in the redirect response. The default response - // code is MOVED_PERMANENTLY (301). - RedirectResponseCode response_code = 3 [(validate.rules).enum = {defined_only: true}]; - - // Indicates that during redirection, the query portion of the URL will - // be removed. Default value is false. - bool strip_query = 6; -} - -message DirectResponseAction { - option (udpa.annotations.versioning).previous_message_type = - "envoy.config.route.v3.DirectResponseAction"; - - // Specifies the HTTP response status to be returned. - uint32 status = 1 [(validate.rules).uint32 = {lt: 600 gte: 100}]; - - // Specifies the content of the response body. If this setting is omitted, - // no body is included in the generated response. - // - // .. 
note:: - // - // Headers can be specified using *response_headers_to_add* in the enclosing - // :ref:`envoy_v3_api_msg_config.route.v3.Route`, :ref:`envoy_v3_api_msg_config.route.v3.RouteConfiguration` or - // :ref:`envoy_v3_api_msg_config.route.v3.VirtualHost`. - core.v4alpha.DataSource body = 2; -} - -// [#not-implemented-hide:] -message NonForwardingAction { - option (udpa.annotations.versioning).previous_message_type = - "envoy.config.route.v3.NonForwardingAction"; -} - -message Decorator { - option (udpa.annotations.versioning).previous_message_type = "envoy.config.route.v3.Decorator"; - - // The operation name associated with the request matched to this route. If tracing is - // enabled, this information will be used as the span name reported for this request. - // - // .. note:: - // - // For ingress (inbound) requests, or egress (outbound) responses, this value may be overridden - // by the :ref:`x-envoy-decorator-operation - // ` header. - string operation = 1 [(validate.rules).string = {min_len: 1}]; - - // Whether the decorated details should be propagated to the other party. The default is true. - google.protobuf.BoolValue propagate = 2; -} - -message Tracing { - option (udpa.annotations.versioning).previous_message_type = "envoy.config.route.v3.Tracing"; - - // Target percentage of requests managed by this HTTP connection manager that will be force - // traced if the :ref:`x-client-trace-id ` - // header is set. This field is a direct analog for the runtime variable - // 'tracing.client_sampling' in the :ref:`HTTP Connection Manager - // `. - // Default: 100% - type.v3.FractionalPercent client_sampling = 1; - - // Target percentage of requests managed by this HTTP connection manager that will be randomly - // selected for trace generation, if not requested by the client or not forced. This field is - // a direct analog for the runtime variable 'tracing.random_sampling' in the - // :ref:`HTTP Connection Manager `. 
- // Default: 100% - type.v3.FractionalPercent random_sampling = 2; - - // Target percentage of requests managed by this HTTP connection manager that will be traced - // after all other sampling checks have been applied (client-directed, force tracing, random - // sampling). This field functions as an upper limit on the total configured sampling rate. For - // instance, setting client_sampling to 100% but overall_sampling to 1% will result in only 1% - // of client requests with the appropriate headers to be force traced. This field is a direct - // analog for the runtime variable 'tracing.global_enabled' in the - // :ref:`HTTP Connection Manager `. - // Default: 100% - type.v3.FractionalPercent overall_sampling = 3; - - // A list of custom tags with unique tag name to create tags for the active span. - // It will take effect after merging with the :ref:`corresponding configuration - // ` - // configured in the HTTP connection manager. If two tags with the same name are configured - // each in the HTTP connection manager and the route level, the one configured here takes - // priority. - repeated type.tracing.v3.CustomTag custom_tags = 4; -} - -// A virtual cluster is a way of specifying a regex matching rule against -// certain important endpoints such that statistics are generated explicitly for -// the matched requests. The reason this is useful is that when doing -// prefix/path matching Envoy does not always know what the application -// considers to be an endpoint. Thus, it’s impossible for Envoy to generically -// emit per endpoint statistics. However, often systems have highly critical -// endpoints that they wish to get “perfect” statistics on. Virtual cluster -// statistics are perfect in the sense that they are emitted on the downstream -// side such that they include network level failures. -// -// Documentation for :ref:`virtual cluster statistics `. -// -// .. 
note:: -// -// Virtual clusters are a useful tool, but we do not recommend setting up a virtual cluster for -// every application endpoint. This is both not easily maintainable and as well the matching and -// statistics output are not free. -message VirtualCluster { - option (udpa.annotations.versioning).previous_message_type = - "envoy.config.route.v3.VirtualCluster"; - - reserved 1, 3; - - reserved "pattern", "method"; - - // Specifies a list of header matchers to use for matching requests. Each specified header must - // match. The pseudo-headers `:path` and `:method` can be used to match the request path and - // method, respectively. - repeated HeaderMatcher headers = 4; - - // Specifies the name of the virtual cluster. The virtual cluster name as well - // as the virtual host name are used when emitting statistics. The statistics are emitted by the - // router filter and are documented :ref:`here `. - string name = 2 [(validate.rules).string = {min_len: 1}]; -} - -// Global rate limiting :ref:`architecture overview `. -// Also applies to Local rate limiting :ref:`using descriptors `. -message RateLimit { - option (udpa.annotations.versioning).previous_message_type = "envoy.config.route.v3.RateLimit"; - - // [#next-free-field: 10] - message Action { - option (udpa.annotations.versioning).previous_message_type = - "envoy.config.route.v3.RateLimit.Action"; - - // The following descriptor entry is appended to the descriptor: - // - // .. code-block:: cpp - // - // ("source_cluster", "") - // - // is derived from the :option:`--service-cluster` option. - message SourceCluster { - option (udpa.annotations.versioning).previous_message_type = - "envoy.config.route.v3.RateLimit.Action.SourceCluster"; - } - - // The following descriptor entry is appended to the descriptor: - // - // .. 
code-block:: cpp - // - // ("destination_cluster", "") - // - // Once a request matches against a route table rule, a routed cluster is determined by one of - // the following :ref:`route table configuration ` - // settings: - // - // * :ref:`cluster ` indicates the upstream cluster - // to route to. - // * :ref:`weighted_clusters ` - // chooses a cluster randomly from a set of clusters with attributed weight. - // * :ref:`cluster_header ` indicates which - // header in the request contains the target cluster. - message DestinationCluster { - option (udpa.annotations.versioning).previous_message_type = - "envoy.config.route.v3.RateLimit.Action.DestinationCluster"; - } - - // The following descriptor entry is appended when a header contains a key that matches the - // *header_name*: - // - // .. code-block:: cpp - // - // ("", "") - message RequestHeaders { - option (udpa.annotations.versioning).previous_message_type = - "envoy.config.route.v3.RateLimit.Action.RequestHeaders"; - - // The header name to be queried from the request headers. The header’s - // value is used to populate the value of the descriptor entry for the - // descriptor_key. - string header_name = 1 - [(validate.rules).string = {min_len: 1 well_known_regex: HTTP_HEADER_NAME strict: false}]; - - // The key to use in the descriptor entry. - string descriptor_key = 2 [(validate.rules).string = {min_len: 1}]; - - // If set to true, Envoy skips the descriptor while calling rate limiting service - // when header is not present in the request. By default it skips calling the - // rate limiting service if this header is not present in the request. - bool skip_if_absent = 3; - } - - // The following descriptor entry is appended to the descriptor and is populated using the - // trusted address from :ref:`x-forwarded-for `: - // - // .. 
code-block:: cpp - // - // ("remote_address", "") - message RemoteAddress { - option (udpa.annotations.versioning).previous_message_type = - "envoy.config.route.v3.RateLimit.Action.RemoteAddress"; - } - - // The following descriptor entry is appended to the descriptor: - // - // .. code-block:: cpp - // - // ("generic_key", "") - message GenericKey { - option (udpa.annotations.versioning).previous_message_type = - "envoy.config.route.v3.RateLimit.Action.GenericKey"; - - // The value to use in the descriptor entry. - string descriptor_value = 1 [(validate.rules).string = {min_len: 1}]; - - // An optional key to use in the descriptor entry. If not set it defaults - // to 'generic_key' as the descriptor key. - string descriptor_key = 2; - } - - // The following descriptor entry is appended to the descriptor: - // - // .. code-block:: cpp - // - // ("header_match", "") - message HeaderValueMatch { - option (udpa.annotations.versioning).previous_message_type = - "envoy.config.route.v3.RateLimit.Action.HeaderValueMatch"; - - // The value to use in the descriptor entry. - string descriptor_value = 1 [(validate.rules).string = {min_len: 1}]; - - // If set to true, the action will append a descriptor entry when the - // request matches the headers. If set to false, the action will append a - // descriptor entry when the request does not match the headers. The - // default value is true. - google.protobuf.BoolValue expect_match = 2; - - // Specifies a set of headers that the rate limit action should match - // on. The action will check the request’s headers against all the - // specified headers in the config. A match will happen if all the - // headers in the config are present in the request with the same values - // (or based on presence if the value field is not in the config). 
- repeated HeaderMatcher headers = 3 [(validate.rules).repeated = {min_items: 1}]; - } - - // The following descriptor entry is appended when the - // :ref:`dynamic metadata ` contains a key value: - // - // .. code-block:: cpp - // - // ("", "") - // - // .. attention:: - // This action has been deprecated in favor of the :ref:`metadata ` action - message DynamicMetaData { - option (udpa.annotations.versioning).previous_message_type = - "envoy.config.route.v3.RateLimit.Action.DynamicMetaData"; - - // The key to use in the descriptor entry. - string descriptor_key = 1 [(validate.rules).string = {min_len: 1}]; - - // Metadata struct that defines the key and path to retrieve the string value. A match will - // only happen if the value in the dynamic metadata is of type string. - type.metadata.v3.MetadataKey metadata_key = 2 [(validate.rules).message = {required: true}]; - - // An optional value to use if *metadata_key* is empty. If not set and - // no value is present under the metadata_key then no descriptor is generated. - string default_value = 3; - } - - // The following descriptor entry is appended when the metadata contains a key value: - // - // .. code-block:: cpp - // - // ("", "") - message MetaData { - option (udpa.annotations.versioning).previous_message_type = - "envoy.config.route.v3.RateLimit.Action.MetaData"; - - enum Source { - // Query :ref:`dynamic metadata ` - DYNAMIC = 0; - - // Query :ref:`route entry metadata ` - ROUTE_ENTRY = 1; - } - - // The key to use in the descriptor entry. - string descriptor_key = 1 [(validate.rules).string = {min_len: 1}]; - - // Metadata struct that defines the key and path to retrieve the string value. A match will - // only happen if the value in the metadata is of type string. - type.metadata.v3.MetadataKey metadata_key = 2 [(validate.rules).message = {required: true}]; - - // An optional value to use if *metadata_key* is empty. 
If not set and - // no value is present under the metadata_key then no descriptor is generated. - string default_value = 3; - - // Source of metadata - Source source = 4 [(validate.rules).enum = {defined_only: true}]; - } - - reserved 7; - - reserved "dynamic_metadata"; - - oneof action_specifier { - option (validate.required) = true; - - // Rate limit on source cluster. - SourceCluster source_cluster = 1; - - // Rate limit on destination cluster. - DestinationCluster destination_cluster = 2; - - // Rate limit on request headers. - RequestHeaders request_headers = 3; - - // Rate limit on remote address. - RemoteAddress remote_address = 4; - - // Rate limit on a generic key. - GenericKey generic_key = 5; - - // Rate limit on the existence of request headers. - HeaderValueMatch header_value_match = 6; - - // Rate limit on metadata. - MetaData metadata = 8; - - // Rate limit descriptor extension. See the rate limit descriptor extensions documentation. - // [#extension-category: envoy.rate_limit_descriptors] - core.v4alpha.TypedExtensionConfig extension = 9; - } - } - - message Override { - option (udpa.annotations.versioning).previous_message_type = - "envoy.config.route.v3.RateLimit.Override"; - - // Fetches the override from the dynamic metadata. - message DynamicMetadata { - option (udpa.annotations.versioning).previous_message_type = - "envoy.config.route.v3.RateLimit.Override.DynamicMetadata"; - - // Metadata struct that defines the key and path to retrieve the struct value. - // The value must be a struct containing an integer "requests_per_unit" property - // and a "unit" property with a value parseable to :ref:`RateLimitUnit - // enum ` - type.metadata.v3.MetadataKey metadata_key = 1 [(validate.rules).message = {required: true}]; - } - - oneof override_specifier { - option (validate.required) = true; - - // Limit override from dynamic metadata. - DynamicMetadata dynamic_metadata = 1; - } - } - - // Refers to the stage set in the filter. 
The rate limit configuration only - // applies to filters with the same stage number. The default stage number is - // 0. - // - // .. note:: - // - // The filter supports a range of 0 - 10 inclusively for stage numbers. - google.protobuf.UInt32Value stage = 1 [(validate.rules).uint32 = {lte: 10}]; - - // The key to be set in runtime to disable this rate limit configuration. - string disable_key = 2; - - // A list of actions that are to be applied for this rate limit configuration. - // Order matters as the actions are processed sequentially and the descriptor - // is composed by appending descriptor entries in that sequence. If an action - // cannot append a descriptor entry, no descriptor is generated for the - // configuration. See :ref:`composing actions - // ` for additional documentation. - repeated Action actions = 3 [(validate.rules).repeated = {min_items: 1}]; - - // An optional limit override to be appended to the descriptor produced by this - // rate limit configuration. If the override value is invalid or cannot be resolved - // from metadata, no override is provided. See :ref:`rate limit override - // ` for more information. - Override limit = 4; -} - -// .. attention:: -// -// Internally, Envoy always uses the HTTP/2 *:authority* header to represent the HTTP/1 *Host* -// header. Thus, if attempting to match on *Host*, match on *:authority* instead. -// -// .. attention:: -// -// To route on HTTP method, use the special HTTP/2 *:method* header. This works for both -// HTTP/1 and HTTP/2 as Envoy normalizes headers. E.g., -// -// .. code-block:: json -// -// { -// "name": ":method", -// "exact_match": "POST" -// } -// -// .. attention:: -// In the absence of any header match specifier, match will default to :ref:`present_match -// `. i.e, a request that has the :ref:`name -// ` header will match, regardless of the header's -// value. -// -// [#next-major-version: HeaderMatcher should be refactored to use StringMatcher.] 
-// [#next-free-field: 14] -message HeaderMatcher { - option (udpa.annotations.versioning).previous_message_type = - "envoy.config.route.v3.HeaderMatcher"; - - reserved 2, 3, 5, 4, 11, 9, 10, 12; - - reserved "regex_match", "exact_match", "safe_regex_match", "prefix_match", "suffix_match", - "contains_match"; - - // Specifies the name of the header in the request. - string name = 1 - [(validate.rules).string = {min_len: 1 well_known_regex: HTTP_HEADER_NAME strict: false}]; - - // Specifies how the header match will be performed to route the request. - oneof header_match_specifier { - // If specified, header match will be performed based on range. - // The rule will match if the request header value is within this range. - // The entire request header value must represent an integer in base 10 notation: consisting of - // an optional plus or minus sign followed by a sequence of digits. The rule will not match if - // the header value does not represent an integer. Match will fail for empty values, floating - // point numbers or if only a subsequence of the header value is an integer. - // - // Examples: - // - // * For range [-10,0), route will match for header value -1, but not for 0, "somestring", 10.9, - // "-1somestring" - type.v3.Int64Range range_match = 6; - - // If specified as true, header match will be performed based on whether the header is in the - // request. If specified as false, header match will be performed based on whether the header is absent. - bool present_match = 7; - - // If specified, header match will be performed based on the string match of the header value. - type.matcher.v4alpha.StringMatcher string_match = 13; - } - - // If specified, the match result will be inverted before checking. Defaults to false. - // - // Examples: - // - // * The regex ``\d{3}`` does not match the value *1234*, so it will match when inverted. - // * The range [-10,0) will match the value -1, so it will not match when inverted. 
- bool invert_match = 8; -} - -// Query parameter matching treats the query string of a request's :path header -// as an ampersand-separated list of keys and/or key=value elements. -// [#next-free-field: 7] -message QueryParameterMatcher { - option (udpa.annotations.versioning).previous_message_type = - "envoy.config.route.v3.QueryParameterMatcher"; - - reserved 3, 4; - - reserved "value", "regex"; - - // Specifies the name of a key that must be present in the requested - // *path*'s query string. - string name = 1 [(validate.rules).string = {min_len: 1 max_bytes: 1024}]; - - oneof query_parameter_match_specifier { - // Specifies whether a query parameter value should match against a string. - type.matcher.v4alpha.StringMatcher string_match = 5 - [(validate.rules).message = {required: true}]; - - // Specifies whether a query parameter should be present. - bool present_match = 6; - } -} - -// HTTP Internal Redirect :ref:`architecture overview `. -message InternalRedirectPolicy { - option (udpa.annotations.versioning).previous_message_type = - "envoy.config.route.v3.InternalRedirectPolicy"; - - // An internal redirect is not handled, unless the number of previous internal redirects that a - // downstream request has encountered is lower than this value. - // In the case where a downstream request is bounced among multiple routes by internal redirect, - // the first route that hits this threshold, or does not set :ref:`internal_redirect_policy - // ` - // will pass the redirect back to downstream. - // - // If not specified, at most one redirect will be followed. - google.protobuf.UInt32Value max_internal_redirects = 1; - - // Defines what upstream response codes are allowed to trigger internal redirect. If unspecified, - // only 302 will be treated as internal redirect. - // Only 301, 302, 303, 307 and 308 are valid values. Any other codes will be ignored. 
- repeated uint32 redirect_response_codes = 2 [(validate.rules).repeated = {max_items: 5}]; - - // Specifies a list of predicates that are queried when an upstream response is deemed - // to trigger an internal redirect by all other criteria. Any predicate in the list can reject - // the redirect, causing the response to be proxied to downstream. - // [#extension-category: envoy.internal_redirect_predicates] - repeated core.v4alpha.TypedExtensionConfig predicates = 3; - - // Allow internal redirect to follow a target URI with a different scheme than the value of - // x-forwarded-proto. The default is false. - bool allow_cross_scheme_redirect = 4; -} - -// A simple wrapper for an HTTP filter config. This is intended to be used as a wrapper for the -// map value in -// :ref:`VirtualHost.typed_per_filter_config`, -// :ref:`Route.typed_per_filter_config`, -// or :ref:`WeightedCluster.ClusterWeight.typed_per_filter_config` -// to add additional flags to the filter. -// [#not-implemented-hide:] -message FilterConfig { - option (udpa.annotations.versioning).previous_message_type = "envoy.config.route.v3.FilterConfig"; - - // The filter config. - google.protobuf.Any config = 1; - - // If true, the filter is optional, meaning that if the client does - // not support the specified filter, it may ignore the map entry rather - // than rejecting the config. - bool is_optional = 2; -} diff --git a/api/envoy/config/route/v4alpha/scoped_route.proto b/api/envoy/config/route/v4alpha/scoped_route.proto deleted file mode 100644 index 4c640223f701..000000000000 --- a/api/envoy/config/route/v4alpha/scoped_route.proto +++ /dev/null 
@@ -1,120 +0,0 @@
-syntax = "proto3";
-
-package envoy.config.route.v4alpha;
-
-import "udpa/annotations/status.proto";
-import "udpa/annotations/versioning.proto";
-import "validate/validate.proto";
-
-option java_package = "io.envoyproxy.envoy.config.route.v4alpha";
-option java_outer_classname = "ScopedRouteProto";
-option java_multiple_files = true;
-option (udpa.annotations.file_status).package_version_status = NEXT_MAJOR_VERSION_CANDIDATE;
-
-// [#protodoc-title: HTTP scoped routing configuration]
-// * Routing :ref:`architecture overview `
-
-// Specifies a routing scope, which associates a
-// :ref:`Key` to a
-// :ref:`envoy_v3_api_msg_config.route.v3.RouteConfiguration` (identified by its resource name).
-//
-// The HTTP connection manager builds up a table consisting of these Key to
-// RouteConfiguration mappings, and looks up the RouteConfiguration to use per
-// request according to the algorithm specified in the
-// :ref:`scope_key_builder`
-// assigned to the HttpConnectionManager.
-//
-// For example, with the following configurations (in YAML):
-//
-// HttpConnectionManager config:
-//
-// .. code::
-//
-// ...
-// scoped_routes:
-// name: foo-scoped-routes
-// scope_key_builder:
-// fragments:
-// - header_value_extractor:
-// name: X-Route-Selector
-// element_separator: ,
-// element:
-// separator: =
-// key: vip
-//
-// ScopedRouteConfiguration resources (specified statically via
-// :ref:`scoped_route_configurations_list`
-// or obtained dynamically via SRDS):
-//
-// .. code::
-//
-// (1)
-// name: route-scope1
-// route_configuration_name: route-config1
-// key:
-// fragments:
-// - string_key: 172.10.10.20
-//
-// (2)
-// name: route-scope2
-// route_configuration_name: route-config2
-// key:
-// fragments:
-// - string_key: 172.20.20.30
-//
-// A request from a client such as:
-//
-// .. code::
-//
-// GET / HTTP/1.1
-// Host: foo.com
-// X-Route-Selector: vip=172.10.10.20
-//
-// would result in the routing table defined by the `route-config1`
-// RouteConfiguration being assigned to the HTTP request/stream.
-//
-message ScopedRouteConfiguration {
- option (udpa.annotations.versioning).previous_message_type =
- "envoy.config.route.v3.ScopedRouteConfiguration";
-
- // Specifies a key which is matched against the output of the
- // :ref:`scope_key_builder`
- // specified in the HttpConnectionManager. The matching is done per HTTP
- // request and is dependent on the order of the fragments contained in the
- // Key.
- message Key {
- option (udpa.annotations.versioning).previous_message_type =
- "envoy.config.route.v3.ScopedRouteConfiguration.Key";
-
- message Fragment {
- option (udpa.annotations.versioning).previous_message_type =
- "envoy.config.route.v3.ScopedRouteConfiguration.Key.Fragment";
-
- oneof type {
- option (validate.required) = true;
-
- // A string to match against.
- string string_key = 1;
- }
- }
-
- // The ordered set of fragments to match against. The order must match the
- // fragments in the corresponding
- // :ref:`scope_key_builder`.
- repeated Fragment fragments = 1 [(validate.rules).repeated = {min_items: 1}];
- }
-
- // Whether the RouteConfiguration should be loaded on demand.
- bool on_demand = 4;
-
- // The name assigned to the routing scope.
- string name = 1 [(validate.rules).string = {min_len: 1}];
-
- // The resource name to use for a :ref:`envoy_v3_api_msg_service.discovery.v3.DiscoveryRequest` to an
- // RDS server to fetch the :ref:`envoy_v3_api_msg_config.route.v3.RouteConfiguration` associated
- // with this scope.
- string route_configuration_name = 2 [(validate.rules).string = {min_len: 1}];
-
- // The key to match against.
- Key key = 3 [(validate.rules).message = {required: true}];
-}
diff --git a/api/envoy/config/tap/v4alpha/BUILD b/api/envoy/config/tap/v4alpha/BUILD deleted file mode 100644 index f226f8b207e4..000000000000 --- a/api/envoy/config/tap/v4alpha/BUILD +++ /dev/null @@ -1,15 +0,0 @@ -# DO NOT EDIT. This file is generated by tools/proto_format/proto_sync.py. - -load("@envoy_api//bazel:api_build_system.bzl", "api_proto_package") - -licenses(["notice"]) # Apache 2 - -api_proto_package( - deps = [ - "//envoy/config/common/matcher/v4alpha:pkg", - "//envoy/config/core/v4alpha:pkg", - "//envoy/config/route/v4alpha:pkg", - "//envoy/config/tap/v3:pkg", - "@com_github_cncf_udpa//udpa/annotations:pkg", - ], -) diff --git a/api/envoy/config/tap/v4alpha/common.proto b/api/envoy/config/tap/v4alpha/common.proto deleted file mode 100644 index a425329be4e9..000000000000 --- a/api/envoy/config/tap/v4alpha/common.proto +++ /dev/null 
@@ -1,276 +0,0 @@ -syntax = "proto3"; - -package envoy.config.tap.v4alpha; - -import "envoy/config/common/matcher/v4alpha/matcher.proto"; -import "envoy/config/core/v4alpha/base.proto"; -import "envoy/config/core/v4alpha/grpc_service.proto"; -import "envoy/config/route/v4alpha/route_components.proto"; - -import "google/protobuf/wrappers.proto"; - -import "udpa/annotations/status.proto"; -import "udpa/annotations/versioning.proto"; -import "validate/validate.proto"; - -option java_package = "io.envoyproxy.envoy.config.tap.v4alpha"; -option java_outer_classname = "CommonProto"; -option java_multiple_files = true; -option (udpa.annotations.file_status).package_version_status = NEXT_MAJOR_VERSION_CANDIDATE; - -// [#protodoc-title: Common tap configuration] - -// Tap configuration. -message TapConfig { - // [#comment:TODO(mattklein123): Rate limiting] - - option (udpa.annotations.versioning).previous_message_type = "envoy.config.tap.v3.TapConfig"; - - reserved 1; - - reserved "match_config"; - - // The match configuration. If the configuration matches the data source being tapped, a tap will - // occur, with the result written to the configured output. - // Exactly one of :ref:`match ` and - // :ref:`match_config ` must be set. If both - // are set, the :ref:`match ` will be used. - common.matcher.v4alpha.MatchPredicate match = 4; - - // The tap output configuration. If a match configuration matches a data source being tapped, - // a tap will occur and the data will be written to the configured output. - OutputConfig output_config = 2 [(validate.rules).message = {required: true}]; - - // [#not-implemented-hide:] Specify if Tap matching is enabled. The % of requests\connections for - // which the tap matching is enabled. When not enabled, the request\connection will not be - // recorded. - // - // .. note:: - // - // This field defaults to 100/:ref:`HUNDRED - // `. - core.v4alpha.RuntimeFractionalPercent tap_enabled = 3; -} - -// Tap match configuration. 
This is a recursive structure which allows complex nested match -// configurations to be built using various logical operators. -// [#next-free-field: 11] -message MatchPredicate { - option (udpa.annotations.versioning).previous_message_type = "envoy.config.tap.v3.MatchPredicate"; - - // A set of match configurations used for logical operations. - message MatchSet { - option (udpa.annotations.versioning).previous_message_type = - "envoy.config.tap.v3.MatchPredicate.MatchSet"; - - // The list of rules that make up the set. - repeated MatchPredicate rules = 1 [(validate.rules).repeated = {min_items: 2}]; - } - - oneof rule { - option (validate.required) = true; - - // A set that describes a logical OR. If any member of the set matches, the match configuration - // matches. - MatchSet or_match = 1; - - // A set that describes a logical AND. If all members of the set match, the match configuration - // matches. - MatchSet and_match = 2; - - // A negation match. The match configuration will match if the negated match condition matches. - MatchPredicate not_match = 3; - - // The match configuration will always match. - bool any_match = 4 [(validate.rules).bool = {const: true}]; - - // HTTP request headers match configuration. - HttpHeadersMatch http_request_headers_match = 5; - - // HTTP request trailers match configuration. - HttpHeadersMatch http_request_trailers_match = 6; - - // HTTP response headers match configuration. - HttpHeadersMatch http_response_headers_match = 7; - - // HTTP response trailers match configuration. - HttpHeadersMatch http_response_trailers_match = 8; - - // HTTP request generic body match configuration. - HttpGenericBodyMatch http_request_generic_body_match = 9; - - // HTTP response generic body match configuration. - HttpGenericBodyMatch http_response_generic_body_match = 10; - } -} - -// HTTP headers match configuration. 
-message HttpHeadersMatch { - option (udpa.annotations.versioning).previous_message_type = - "envoy.config.tap.v3.HttpHeadersMatch"; - - // HTTP headers to match. - repeated route.v4alpha.HeaderMatcher headers = 1; -} - -// HTTP generic body match configuration. -// List of text strings and hex strings to be located in HTTP body. -// All specified strings must be found in the HTTP body for positive match. -// The search may be limited to specified number of bytes from the body start. -// -// .. attention:: -// -// Searching for patterns in HTTP body is potentially cpu intensive. For each specified pattern, http body is scanned byte by byte to find a match. -// If multiple patterns are specified, the process is repeated for each pattern. If location of a pattern is known, ``bytes_limit`` should be specified -// to scan only part of the http body. -message HttpGenericBodyMatch { - option (udpa.annotations.versioning).previous_message_type = - "envoy.config.tap.v3.HttpGenericBodyMatch"; - - message GenericTextMatch { - option (udpa.annotations.versioning).previous_message_type = - "envoy.config.tap.v3.HttpGenericBodyMatch.GenericTextMatch"; - - oneof rule { - option (validate.required) = true; - - // Text string to be located in HTTP body. - string string_match = 1 [(validate.rules).string = {min_len: 1}]; - - // Sequence of bytes to be located in HTTP body. - bytes binary_match = 2 [(validate.rules).bytes = {min_len: 1}]; - } - } - - // Limits search to specified number of bytes - default zero (no limit - match entire captured buffer). - uint32 bytes_limit = 1; - - // List of patterns to match. - repeated GenericTextMatch patterns = 2 [(validate.rules).repeated = {min_items: 1}]; -} - -// Tap output configuration. -message OutputConfig { - option (udpa.annotations.versioning).previous_message_type = "envoy.config.tap.v3.OutputConfig"; - - // Output sinks for tap data. Currently a single sink is allowed in the list. 
Once multiple - // sink types are supported this constraint will be relaxed. - repeated OutputSink sinks = 1 [(validate.rules).repeated = {min_items: 1 max_items: 1}]; - - // For buffered tapping, the maximum amount of received body that will be buffered prior to - // truncation. If truncation occurs, the :ref:`truncated - // ` field will be set. If not specified, the - // default is 1KiB. - google.protobuf.UInt32Value max_buffered_rx_bytes = 2; - - // For buffered tapping, the maximum amount of transmitted body that will be buffered prior to - // truncation. If truncation occurs, the :ref:`truncated - // ` field will be set. If not specified, the - // default is 1KiB. - google.protobuf.UInt32Value max_buffered_tx_bytes = 3; - - // Indicates whether taps produce a single buffered message per tap, or multiple streamed - // messages per tap in the emitted :ref:`TraceWrapper - // ` messages. Note that streamed tapping does not - // mean that no buffering takes place. Buffering may be required if data is processed before a - // match can be determined. See the HTTP tap filter :ref:`streaming - // ` documentation for more information. - bool streaming = 4; -} - -// Tap output sink configuration. -message OutputSink { - option (udpa.annotations.versioning).previous_message_type = "envoy.config.tap.v3.OutputSink"; - - // Output format. All output is in the form of one or more :ref:`TraceWrapper - // ` messages. This enumeration indicates - // how those messages are written. Note that not all sinks support all output formats. See - // individual sink documentation for more information. - enum Format { - // Each message will be written as JSON. Any :ref:`body ` - // data will be present in the :ref:`as_bytes - // ` field. This means that body data will be - // base64 encoded as per the `proto3 JSON mappings - // `_. - JSON_BODY_AS_BYTES = 0; - - // Each message will be written as JSON. Any :ref:`body ` - // data will be present in the :ref:`as_string - // ` field. 
This means that body data will be - // string encoded as per the `proto3 JSON mappings - // `_. This format type is - // useful when it is known that that body is human readable (e.g., JSON over HTTP) and the - // user wishes to view it directly without being forced to base64 decode the body. - JSON_BODY_AS_STRING = 1; - - // Binary proto format. Note that binary proto is not self-delimiting. If a sink writes - // multiple binary messages without any length information the data stream will not be - // useful. However, for certain sinks that are self-delimiting (e.g., one message per file) - // this output format makes consumption simpler. - PROTO_BINARY = 2; - - // Messages are written as a sequence tuples, where each tuple is the message length encoded - // as a `protobuf 32-bit varint - // `_ - // followed by the binary message. The messages can be read back using the language specific - // protobuf coded stream implementation to obtain the message length and the message. - PROTO_BINARY_LENGTH_DELIMITED = 3; - - // Text proto format. - PROTO_TEXT = 4; - } - - // Sink output format. - Format format = 1 [(validate.rules).enum = {defined_only: true}]; - - oneof output_sink_type { - option (validate.required) = true; - - // Tap output will be streamed out the :http:post:`/tap` admin endpoint. - // - // .. attention:: - // - // It is only allowed to specify the streaming admin output sink if the tap is being - // configured from the :http:post:`/tap` admin endpoint. Thus, if an extension has - // been configured to receive tap configuration from some other source (e.g., static - // file, XDS, etc.) configuring the streaming admin output type will fail. - StreamingAdminSink streaming_admin = 2; - - // Tap output will be written to a file per tap sink. - FilePerTapSink file_per_tap = 3; - - // [#not-implemented-hide:] - // GrpcService to stream data to. The format argument must be PROTO_BINARY. 
- // [#comment: TODO(samflattery): remove cleanup in uber_per_filter.cc once implemented] - StreamingGrpcSink streaming_grpc = 4; - } -} - -// Streaming admin sink configuration. -message StreamingAdminSink { - option (udpa.annotations.versioning).previous_message_type = - "envoy.config.tap.v3.StreamingAdminSink"; -} - -// The file per tap sink outputs a discrete file for every tapped stream. -message FilePerTapSink { - option (udpa.annotations.versioning).previous_message_type = "envoy.config.tap.v3.FilePerTapSink"; - - // Path prefix. The output file will be of the form _.pb, where is an - // identifier distinguishing the recorded trace for stream instances (the Envoy - // connection ID, HTTP stream ID, etc.). - string path_prefix = 1 [(validate.rules).string = {min_len: 1}]; -} - -// [#not-implemented-hide:] Streaming gRPC sink configuration sends the taps to an external gRPC -// server. -message StreamingGrpcSink { - option (udpa.annotations.versioning).previous_message_type = - "envoy.config.tap.v3.StreamingGrpcSink"; - - // Opaque identifier, that will be sent back to the streaming grpc server. - string tap_id = 1; - - // The gRPC server that hosts the Tap Sink Service. - core.v4alpha.GrpcService grpc_service = 2 [(validate.rules).message = {required: true}]; -} diff --git a/api/envoy/config/trace/v4alpha/BUILD b/api/envoy/config/trace/v4alpha/BUILD deleted file mode 100644 index 1d56979cc466..000000000000 --- a/api/envoy/config/trace/v4alpha/BUILD +++ /dev/null @@ -1,13 +0,0 @@ -# DO NOT EDIT. This file is generated by tools/proto_format/proto_sync.py. - -load("@envoy_api//bazel:api_build_system.bzl", "api_proto_package") - -licenses(["notice"]) # Apache 2 - -api_proto_package( - deps = [ - "//envoy/config/core/v4alpha:pkg", - "//envoy/config/trace/v3:pkg", - "@com_github_cncf_udpa//udpa/annotations:pkg", - ], -) 
diff --git a/api/envoy/config/trace/v4alpha/http_tracer.proto b/api/envoy/config/trace/v4alpha/http_tracer.proto
deleted file mode 100644
index 33c8e73d56b9..000000000000
--- a/api/envoy/config/trace/v4alpha/http_tracer.proto
+++ /dev/null
@@ -1,59 +0,0 @@ -syntax = "proto3"; - -package envoy.config.trace.v4alpha; - -import "google/protobuf/any.proto"; - -import "udpa/annotations/status.proto"; -import "udpa/annotations/versioning.proto"; -import "validate/validate.proto"; - -option java_package = "io.envoyproxy.envoy.config.trace.v4alpha"; -option java_outer_classname = "HttpTracerProto"; -option java_multiple_files = true; -option (udpa.annotations.file_status).package_version_status = NEXT_MAJOR_VERSION_CANDIDATE; - -// [#protodoc-title: Tracing] -// Tracing :ref:`architecture overview `. - -// The tracing configuration specifies settings for an HTTP tracer provider used by Envoy. -// -// Envoy may support other tracers in the future, but right now the HTTP tracer is the only one -// supported. -// -// .. attention:: -// -// Use of this message type has been deprecated in favor of direct use of -// :ref:`Tracing.Http `. -message Tracing { - option (udpa.annotations.versioning).previous_message_type = "envoy.config.trace.v3.Tracing"; - - // Configuration for an HTTP tracer provider used by Envoy. - // - // The configuration is defined by the - // :ref:`HttpConnectionManager.Tracing ` - // :ref:`provider ` - // field. - message Http { - option (udpa.annotations.versioning).previous_message_type = - "envoy.config.trace.v3.Tracing.Http"; - - reserved 2; - - reserved "config"; - - // The name of the HTTP trace driver to instantiate. The name must match a - // supported HTTP trace driver. - // See the :ref:`extensions listed in typed_config below ` for the default list of the HTTP trace driver. - string name = 1 [(validate.rules).string = {min_len: 1}]; - - // Trace driver specific configuration which must be set according to the driver being instantiated. - // [#extension-category: envoy.tracers] - oneof config_type { - google.protobuf.Any typed_config = 3; - } - } - - // Provides configuration for the HTTP tracer. - Http http = 1; -} 
diff --git a/api/envoy/config/trace/v4alpha/service.proto b/api/envoy/config/trace/v4alpha/service.proto deleted file mode 100644 index d132b32dd79d..000000000000 --- a/api/envoy/config/trace/v4alpha/service.proto +++ /dev/null @@ -1,25 +0,0 @@ -syntax = "proto3"; - -package envoy.config.trace.v4alpha; - -import "envoy/config/core/v4alpha/grpc_service.proto"; - -import "udpa/annotations/status.proto"; -import "udpa/annotations/versioning.proto"; -import "validate/validate.proto"; - -option java_package = "io.envoyproxy.envoy.config.trace.v4alpha"; -option java_outer_classname = "ServiceProto"; -option java_multiple_files = true; -option (udpa.annotations.file_status).package_version_status = NEXT_MAJOR_VERSION_CANDIDATE; - -// [#protodoc-title: Trace Service] - -// Configuration structure. -message TraceServiceConfig { - option (udpa.annotations.versioning).previous_message_type = - "envoy.config.trace.v3.TraceServiceConfig"; - - // The upstream gRPC cluster that hosts the metrics service. - core.v4alpha.GrpcService grpc_service = 1 [(validate.rules).message = {required: true}]; -} diff --git a/api/envoy/data/dns/v4alpha/BUILD b/api/envoy/data/dns/v4alpha/BUILD deleted file mode 100644 index e32ed76cbd6f..000000000000 --- a/api/envoy/data/dns/v4alpha/BUILD +++ /dev/null @@ -1,12 +0,0 @@ -# DO NOT EDIT. This file is generated by tools/proto_format/proto_sync.py. - -load("@envoy_api//bazel:api_build_system.bzl", "api_proto_package") - -licenses(["notice"]) # Apache 2 - -api_proto_package( - deps = [ - "//envoy/data/dns/v3:pkg", - "@com_github_cncf_udpa//udpa/annotations:pkg", - ], -) diff --git a/api/envoy/data/dns/v4alpha/dns_table.proto b/api/envoy/data/dns/v4alpha/dns_table.proto deleted file mode 100644 index 4f8626edece9..000000000000 --- a/api/envoy/data/dns/v4alpha/dns_table.proto +++ /dev/null 
@@ -1,159 +0,0 @@ -syntax = "proto3"; - -package envoy.data.dns.v4alpha; - -import "google/protobuf/duration.proto"; - -import "udpa/annotations/status.proto"; -import "udpa/annotations/versioning.proto"; -import "validate/validate.proto"; - -option java_package = "io.envoyproxy.envoy.data.dns.v4alpha"; -option java_outer_classname = "DnsTableProto"; -option java_multiple_files = true; -option (udpa.annotations.file_status).package_version_status = NEXT_MAJOR_VERSION_CANDIDATE; - -// [#protodoc-title: DNS Filter Table Data] -// :ref:`DNS Filter config overview `. - -// This message contains the configuration for the DNS Filter if populated -// from the control plane -message DnsTable { - option (udpa.annotations.versioning).previous_message_type = "envoy.data.dns.v3.DnsTable"; - - // This message contains a list of IP addresses returned for a query for a known name - message AddressList { - option (udpa.annotations.versioning).previous_message_type = - "envoy.data.dns.v3.DnsTable.AddressList"; - - // This field contains a well formed IP address that is returned in the answer for a - // name query. The address field can be an IPv4 or IPv6 address. Address family - // detection is done automatically when Envoy parses the string. Since this field is - // repeated, Envoy will return as many entries from this list in the DNS response while - // keeping the response under 512 bytes - repeated string address = 1 [(validate.rules).repeated = { - min_items: 1 - items {string {min_len: 3}} - }]; - } - - // Specify the service protocol using a numeric or string value - message DnsServiceProtocol { - option (udpa.annotations.versioning).previous_message_type = - "envoy.data.dns.v3.DnsTable.DnsServiceProtocol"; - - oneof protocol_config { - option (validate.required) = true; - - // Specify the protocol number for the service. Envoy will try to resolve the number to - // the protocol name. For example, 6 will resolve to "tcp". 
Refer to: - // https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml - // for protocol names and numbers - uint32 number = 1 [(validate.rules).uint32 = {lt: 255}]; - - // Specify the protocol name for the service. - string name = 2 [(validate.rules).string = {min_len: 1 well_known_regex: HTTP_HEADER_NAME}]; - } - } - - // Specify the target for a given DNS service - // [#next-free-field: 6] - message DnsServiceTarget { - option (udpa.annotations.versioning).previous_message_type = - "envoy.data.dns.v3.DnsTable.DnsServiceTarget"; - - // Specify the name of the endpoint for the Service. The name is a hostname or a cluster - oneof endpoint_type { - option (validate.required) = true; - - // Use a resolvable hostname as the endpoint for a service. - string host_name = 1 - [(validate.rules).string = {min_len: 1 well_known_regex: HTTP_HEADER_NAME}]; - - // Use a cluster name as the endpoint for a service. - string cluster_name = 2 - [(validate.rules).string = {min_len: 1 well_known_regex: HTTP_HEADER_NAME}]; - } - - // The priority of the service record target - uint32 priority = 3 [(validate.rules).uint32 = {lt: 65536}]; - - // The weight of the service record target - uint32 weight = 4 [(validate.rules).uint32 = {lt: 65536}]; - - // The port to which the service is bound. This value is optional if the target is a - // cluster. Setting port to zero in this case makes the filter use the port value - // from the cluster host - uint32 port = 5 [(validate.rules).uint32 = {lt: 65536}]; - } - - // This message defines a service selection record returned for a service query in a domain - message DnsService { - option (udpa.annotations.versioning).previous_message_type = - "envoy.data.dns.v3.DnsTable.DnsService"; - - // The name of the service without the protocol or domain name - string service_name = 1 - [(validate.rules).string = {min_len: 1 well_known_regex: HTTP_HEADER_NAME}]; - - // The service protocol. 
This can be specified as a string or the numeric value of the protocol - DnsServiceProtocol protocol = 2; - - // The service entry time to live. This is independent from the DNS Answer record TTL - google.protobuf.Duration ttl = 3 [(validate.rules).duration = {gte {seconds: 1}}]; - - // The list of targets hosting the service - repeated DnsServiceTarget targets = 4 [(validate.rules).repeated = {min_items: 1}]; - } - - // Define a list of service records for a given service - message DnsServiceList { - option (udpa.annotations.versioning).previous_message_type = - "envoy.data.dns.v3.DnsTable.DnsServiceList"; - - repeated DnsService services = 1 [(validate.rules).repeated = {min_items: 1}]; - } - - message DnsEndpoint { - option (udpa.annotations.versioning).previous_message_type = - "envoy.data.dns.v3.DnsTable.DnsEndpoint"; - - oneof endpoint_config { - option (validate.required) = true; - - // Define a list of addresses to return for the specified endpoint - AddressList address_list = 1; - - // Define a cluster whose addresses are returned for the specified endpoint - string cluster_name = 2; - - // Define a DNS Service List for the specified endpoint - DnsServiceList service_list = 3; - } - } - - message DnsVirtualDomain { - option (udpa.annotations.versioning).previous_message_type = - "envoy.data.dns.v3.DnsTable.DnsVirtualDomain"; - - // A domain name for which Envoy will respond to query requests - string name = 1 [(validate.rules).string = {min_len: 1 well_known_regex: HTTP_HEADER_NAME}]; - - // The configuration containing the method to determine the address of this endpoint - DnsEndpoint endpoint = 2; - - // Sets the TTL in DNS answers from Envoy returned to the client. 
The default TTL is 300s - google.protobuf.Duration answer_ttl = 3 [(validate.rules).duration = {gte {seconds: 30}}]; - } - - reserved 3; - - reserved "known_suffixes"; - - // Control how many times Envoy makes an attempt to forward a query to an external DNS server - uint32 external_retry_count = 1 [(validate.rules).uint32 = {lte: 3}]; - - // Fully qualified domain names for which Envoy will respond to DNS queries. By leaving this - // list empty, Envoy will forward all queries to external resolvers - repeated DnsVirtualDomain virtual_domains = 2; -} diff --git a/api/envoy/extensions/access_loggers/file/v4alpha/BUILD b/api/envoy/extensions/access_loggers/file/v4alpha/BUILD deleted file mode 100644 index c44559b4e763..000000000000 --- a/api/envoy/extensions/access_loggers/file/v4alpha/BUILD +++ /dev/null @@ -1,13 +0,0 @@ -# DO NOT EDIT. This file is generated by tools/proto_format/proto_sync.py. - -load("@envoy_api//bazel:api_build_system.bzl", "api_proto_package") - -licenses(["notice"]) # Apache 2 - -api_proto_package( - deps = [ - "//envoy/config/core/v4alpha:pkg", - "//envoy/extensions/access_loggers/file/v3:pkg", - "@com_github_cncf_udpa//udpa/annotations:pkg", - ], -) diff --git a/api/envoy/extensions/access_loggers/file/v4alpha/file.proto b/api/envoy/extensions/access_loggers/file/v4alpha/file.proto deleted file mode 100644 index 0597b1168059..000000000000 --- a/api/envoy/extensions/access_loggers/file/v4alpha/file.proto +++ /dev/null 
@@ -1,42 +0,0 @@ -syntax = "proto3"; - -package envoy.extensions.access_loggers.file.v4alpha; - -import "envoy/config/core/v4alpha/substitution_format_string.proto"; - -import "google/protobuf/struct.proto"; - -import "udpa/annotations/status.proto"; -import "udpa/annotations/versioning.proto"; -import "validate/validate.proto"; - -option java_package = "io.envoyproxy.envoy.extensions.access_loggers.file.v4alpha"; -option java_outer_classname = "FileProto"; -option java_multiple_files = true; -option (udpa.annotations.file_status).package_version_status = NEXT_MAJOR_VERSION_CANDIDATE; - -// [#protodoc-title: File access log] -// [#extension: envoy.access_loggers.file] - -// Custom configuration for an :ref:`AccessLog ` -// that writes log entries directly to a file. Configures the built-in *envoy.access_loggers.file* -// AccessLog. -// [#next-free-field: 6] -message FileAccessLog { - option (udpa.annotations.versioning).previous_message_type = - "envoy.extensions.access_loggers.file.v3.FileAccessLog"; - - reserved 2, 3, 4; - - reserved "format", "json_format", "typed_json_format"; - - // A path to a local file to which to write the access log entries. - string path = 1 [(validate.rules).string = {min_len: 1}]; - - oneof access_log_format { - // Configuration to form access log data and format. - // If not specified, use :ref:`default format `. - config.core.v4alpha.SubstitutionFormatString log_format = 5 - [(validate.rules).message = {required: true}]; - } -} diff --git a/api/envoy/extensions/access_loggers/grpc/v4alpha/BUILD b/api/envoy/extensions/access_loggers/grpc/v4alpha/BUILD deleted file mode 100644 index 83758c9e0b82..000000000000 --- a/api/envoy/extensions/access_loggers/grpc/v4alpha/BUILD +++ /dev/null 
@@ -1,13 +0,0 @@ -# DO NOT EDIT. This file is generated by tools/proto_format/proto_sync.py. - -load("@envoy_api//bazel:api_build_system.bzl", "api_proto_package") - -licenses(["notice"]) # Apache 2 - -api_proto_package( - deps = [ - "//envoy/config/core/v4alpha:pkg", - "//envoy/extensions/access_loggers/grpc/v3:pkg", - "@com_github_cncf_udpa//udpa/annotations:pkg", - ], -) diff --git a/api/envoy/extensions/access_loggers/grpc/v4alpha/als.proto b/api/envoy/extensions/access_loggers/grpc/v4alpha/als.proto deleted file mode 100644 index 9e6fb1e48386..000000000000 --- a/api/envoy/extensions/access_loggers/grpc/v4alpha/als.proto +++ /dev/null 
@@ -1,89 +0,0 @@ -syntax = "proto3"; - -package envoy.extensions.access_loggers.grpc.v4alpha; - -import "envoy/config/core/v4alpha/config_source.proto"; -import "envoy/config/core/v4alpha/grpc_service.proto"; - -import "google/protobuf/duration.proto"; -import "google/protobuf/wrappers.proto"; - -import "udpa/annotations/status.proto"; -import "udpa/annotations/versioning.proto"; -import "validate/validate.proto"; - -option java_package = "io.envoyproxy.envoy.extensions.access_loggers.grpc.v4alpha"; -option java_outer_classname = "AlsProto"; -option java_multiple_files = true; -option (udpa.annotations.file_status).package_version_status = NEXT_MAJOR_VERSION_CANDIDATE; - -// [#protodoc-title: gRPC Access Log Service (ALS)] - -// Configuration for the built-in *envoy.access_loggers.http_grpc* -// :ref:`AccessLog `. This configuration will -// populate :ref:`StreamAccessLogsMessage.http_logs -// `. -// [#extension: envoy.access_loggers.http_grpc] -message HttpGrpcAccessLogConfig { - option (udpa.annotations.versioning).previous_message_type = - "envoy.extensions.access_loggers.grpc.v3.HttpGrpcAccessLogConfig"; - - CommonGrpcAccessLogConfig common_config = 1 [(validate.rules).message = {required: true}]; - - // Additional request headers to log in :ref:`HTTPRequestProperties.request_headers - // `. - repeated string additional_request_headers_to_log = 2; - - // Additional response headers to log in :ref:`HTTPResponseProperties.response_headers - // `. - repeated string additional_response_headers_to_log = 3; - - // Additional response trailers to log in :ref:`HTTPResponseProperties.response_trailers - // `. - repeated string additional_response_trailers_to_log = 4; -} - -// Configuration for the built-in *envoy.access_loggers.tcp_grpc* type. This configuration will -// populate *StreamAccessLogsMessage.tcp_logs*. 
-// [#extension: envoy.access_loggers.tcp_grpc] -message TcpGrpcAccessLogConfig { - option (udpa.annotations.versioning).previous_message_type = - "envoy.extensions.access_loggers.grpc.v3.TcpGrpcAccessLogConfig"; - - CommonGrpcAccessLogConfig common_config = 1 [(validate.rules).message = {required: true}]; -} - -// Common configuration for gRPC access logs. -// [#next-free-field: 7] -message CommonGrpcAccessLogConfig { - option (udpa.annotations.versioning).previous_message_type = - "envoy.extensions.access_loggers.grpc.v3.CommonGrpcAccessLogConfig"; - - // The friendly name of the access log to be returned in :ref:`StreamAccessLogsMessage.Identifier - // `. This allows the - // access log server to differentiate between different access logs coming from the same Envoy. - string log_name = 1 [(validate.rules).string = {min_len: 1}]; - - // The gRPC service for the access log service. - config.core.v4alpha.GrpcService grpc_service = 2 [(validate.rules).message = {required: true}]; - - // API version for access logs service transport protocol. This describes the access logs service - // gRPC endpoint and version of messages used on the wire. - config.core.v4alpha.ApiVersion transport_api_version = 6 - [(validate.rules).enum = {defined_only: true}]; - - // Interval for flushing access logs to the gRPC stream. Logger will flush requests every time - // this interval is elapsed, or when batch size limit is hit, whichever comes first. Defaults to - // 1 second. - google.protobuf.Duration buffer_flush_interval = 3 [(validate.rules).duration = {gt {}}]; - - // Soft size limit in bytes for access log entries buffer. Logger will buffer requests until - // this limit it hit, or every time flush interval is elapsed, whichever comes first. Setting it - // to zero effectively disables the batching. Defaults to 16384. - google.protobuf.UInt32Value buffer_size_bytes = 4; - - // Additional filter state objects to log in :ref:`filter_state_objects - // `. 
- // Logger will call `FilterState::Object::serializeAsProto` to serialize the filter state object. - repeated string filter_state_objects_to_log = 5; -} diff --git a/api/envoy/extensions/access_loggers/open_telemetry/v4alpha/BUILD b/api/envoy/extensions/access_loggers/open_telemetry/v4alpha/BUILD deleted file mode 100644 index 2c81e3b0b05c..000000000000 --- a/api/envoy/extensions/access_loggers/open_telemetry/v4alpha/BUILD +++ /dev/null @@ -1,14 +0,0 @@ -# DO NOT EDIT. This file is generated by tools/proto_format/proto_sync.py. - -load("@envoy_api//bazel:api_build_system.bzl", "api_proto_package") - -licenses(["notice"]) # Apache 2 - -api_proto_package( - deps = [ - "//envoy/extensions/access_loggers/grpc/v4alpha:pkg", - "//envoy/extensions/access_loggers/open_telemetry/v3alpha:pkg", - "@com_github_cncf_udpa//udpa/annotations:pkg", - "@opentelemetry_proto//:common", - ], -) diff --git a/api/envoy/extensions/access_loggers/open_telemetry/v4alpha/logs_service.proto b/api/envoy/extensions/access_loggers/open_telemetry/v4alpha/logs_service.proto deleted file mode 100644 index ceecd924e19d..000000000000 --- a/api/envoy/extensions/access_loggers/open_telemetry/v4alpha/logs_service.proto +++ /dev/null 
@@ -1,47 +0,0 @@ -syntax = "proto3"; - -package envoy.extensions.access_loggers.open_telemetry.v4alpha; - -import "envoy/extensions/access_loggers/grpc/v4alpha/als.proto"; - -import "opentelemetry/proto/common/v1/common.proto"; - -import "udpa/annotations/status.proto"; -import "udpa/annotations/versioning.proto"; -import "validate/validate.proto"; - -option java_package = "io.envoyproxy.envoy.extensions.access_loggers.open_telemetry.v4alpha"; -option java_outer_classname = "LogsServiceProto"; -option java_multiple_files = true; -option (udpa.annotations.file_status).work_in_progress = true; -option (udpa.annotations.file_status).package_version_status = NEXT_MAJOR_VERSION_CANDIDATE; - -// [#protodoc-title: OpenTelemetry (gRPC) Access Log] - -// Configuration for the built-in *envoy.access_loggers.open_telemetry* -// :ref:`AccessLog `. This configuration will -// populate `opentelemetry.proto.collector.v1.logs.ExportLogsServiceRequest.resource_logs `_. -// OpenTelemetry `Resource `_ -// attributes are filled with Envoy node info. In addition, the request start time is set in the -// dedicated field. -// [#extension: envoy.access_loggers.open_telemetry] -// [#comment:TODO(itamarkam): allow configuration for resource attributes.] -message OpenTelemetryAccessLogConfig { - option (udpa.annotations.versioning).previous_message_type = - "envoy.extensions.access_loggers.open_telemetry.v3alpha.OpenTelemetryAccessLogConfig"; - - // [#comment:TODO(itamarkam): add 'filter_state_objects_to_log' to logs.] - grpc.v4alpha.CommonGrpcAccessLogConfig common_config = 1 - [(validate.rules).message = {required: true}]; - - // OpenTelemetry `LogResource `_ - // fields, following `Envoy access logging formatting `_. - // - // See 'body' in the LogResource proto for more details. - // Example: ``body { string_value: "%PROTOCOL%" }``. - opentelemetry.proto.common.v1.AnyValue body = 2; - - // See 'attributes' in the LogResource proto for more details. 
- // Example: ``attributes { values { key: "user_agent" value { string_value: "%REQ(USER-AGENT)%" } } }``. - opentelemetry.proto.common.v1.KeyValueList attributes = 3; -} diff --git a/api/envoy/extensions/access_loggers/stream/v4alpha/BUILD b/api/envoy/extensions/access_loggers/stream/v4alpha/BUILD deleted file mode 100644 index 33240debccd1..000000000000 --- a/api/envoy/extensions/access_loggers/stream/v4alpha/BUILD +++ /dev/null @@ -1,13 +0,0 @@ -# DO NOT EDIT. This file is generated by tools/proto_format/proto_sync.py. - -load("@envoy_api//bazel:api_build_system.bzl", "api_proto_package") - -licenses(["notice"]) # Apache 2 - -api_proto_package( - deps = [ - "//envoy/config/core/v4alpha:pkg", - "//envoy/extensions/access_loggers/stream/v3:pkg", - "@com_github_cncf_udpa//udpa/annotations:pkg", - ], -) diff --git a/api/envoy/extensions/access_loggers/stream/v4alpha/stream.proto b/api/envoy/extensions/access_loggers/stream/v4alpha/stream.proto deleted file mode 100644 index 5be54ad4721d..000000000000 --- a/api/envoy/extensions/access_loggers/stream/v4alpha/stream.proto +++ /dev/null 
@@ -1,45 +0,0 @@ -syntax = "proto3"; - -package envoy.extensions.access_loggers.stream.v4alpha; - -import "envoy/config/core/v4alpha/substitution_format_string.proto"; - -import "udpa/annotations/status.proto"; -import "udpa/annotations/versioning.proto"; -import "validate/validate.proto"; - -option java_package = "io.envoyproxy.envoy.extensions.access_loggers.stream.v4alpha"; -option java_outer_classname = "StreamProto"; -option java_multiple_files = true; -option (udpa.annotations.file_status).package_version_status = NEXT_MAJOR_VERSION_CANDIDATE; - -// [#protodoc-title: Standard Streams Access loggers] -// [#extension: envoy.access_loggers.stream] - -// Custom configuration for an :ref:`AccessLog ` -// that writes log entries directly to the operating system's standard output. -message StdoutAccessLog { - option (udpa.annotations.versioning).previous_message_type = - "envoy.extensions.access_loggers.stream.v3.StdoutAccessLog"; - - oneof access_log_format { - // Configuration to form access log data and format. - // If not specified, use :ref:`default format `. - config.core.v4alpha.SubstitutionFormatString log_format = 1 - [(validate.rules).message = {required: true}]; - } -} - -// Custom configuration for an :ref:`AccessLog ` -// that writes log entries directly to the operating system's standard error. -message StderrAccessLog { - option (udpa.annotations.versioning).previous_message_type = - "envoy.extensions.access_loggers.stream.v3.StderrAccessLog"; - - oneof access_log_format { - // Configuration to form access log data and format. - // If not specified, use :ref:`default format `. - config.core.v4alpha.SubstitutionFormatString log_format = 1 - [(validate.rules).message = {required: true}]; - } -} diff --git a/api/envoy/extensions/clusters/dynamic_forward_proxy/v4alpha/BUILD b/api/envoy/extensions/clusters/dynamic_forward_proxy/v4alpha/BUILD deleted file mode 100644 index ca83092e39b1..000000000000 
--- a/api/envoy/extensions/clusters/dynamic_forward_proxy/v4alpha/BUILD +++ /dev/null @@ -1,13 +0,0 @@ -# DO NOT EDIT. This file is generated by tools/proto_format/proto_sync.py. - -load("@envoy_api//bazel:api_build_system.bzl", "api_proto_package") - -licenses(["notice"]) # Apache 2 - -api_proto_package( - deps = [ - "//envoy/extensions/clusters/dynamic_forward_proxy/v3:pkg", - "//envoy/extensions/common/dynamic_forward_proxy/v4alpha:pkg", - "@com_github_cncf_udpa//udpa/annotations:pkg", - ], -) diff --git a/api/envoy/extensions/clusters/dynamic_forward_proxy/v4alpha/cluster.proto b/api/envoy/extensions/clusters/dynamic_forward_proxy/v4alpha/cluster.proto deleted file mode 100644 index 1b989e0bb725..000000000000 --- a/api/envoy/extensions/clusters/dynamic_forward_proxy/v4alpha/cluster.proto +++ /dev/null 
@@ -1,35 +0,0 @@ -syntax = "proto3"; - -package envoy.extensions.clusters.dynamic_forward_proxy.v4alpha; - -import "envoy/extensions/common/dynamic_forward_proxy/v4alpha/dns_cache.proto"; - -import "udpa/annotations/status.proto"; -import "udpa/annotations/versioning.proto"; -import "validate/validate.proto"; - -option java_package = "io.envoyproxy.envoy.extensions.clusters.dynamic_forward_proxy.v4alpha"; -option java_outer_classname = "ClusterProto"; -option java_multiple_files = true; -option (udpa.annotations.file_status).package_version_status = NEXT_MAJOR_VERSION_CANDIDATE; - -// [#protodoc-title: Dynamic forward proxy cluster configuration] - -// Configuration for the dynamic forward proxy cluster. See the :ref:`architecture overview -// ` for more information. -// [#extension: envoy.clusters.dynamic_forward_proxy] -message ClusterConfig { - option (udpa.annotations.versioning).previous_message_type = - "envoy.extensions.clusters.dynamic_forward_proxy.v3.ClusterConfig"; - - // The DNS cache configuration that the cluster will attach to. Note this configuration must - // match that of associated :ref:`dynamic forward proxy HTTP filter configuration - // `. - common.dynamic_forward_proxy.v4alpha.DnsCacheConfig dns_cache_config = 1 - [(validate.rules).message = {required: true}]; - - // If true allow the cluster configuration to disable the auto_sni and auto_san_validation options - // in the :ref:`cluster's upstream_http_protocol_options - // ` - bool allow_insecure_cluster_options = 2; -} diff --git a/api/envoy/extensions/common/dynamic_forward_proxy/v4alpha/BUILD b/api/envoy/extensions/common/dynamic_forward_proxy/v4alpha/BUILD deleted file mode 100644 index 10c112114ccd..000000000000 --- a/api/envoy/extensions/common/dynamic_forward_proxy/v4alpha/BUILD +++ /dev/null 
@@ -1,15 +0,0 @@ -# DO NOT EDIT. This file is generated by tools/proto_format/proto_sync.py. - -load("@envoy_api//bazel:api_build_system.bzl", "api_proto_package") - -licenses(["notice"]) # Apache 2 - -api_proto_package( - deps = [ - "//envoy/config/cluster/v4alpha:pkg", - "//envoy/config/core/v4alpha:pkg", - "//envoy/extensions/common/dynamic_forward_proxy/v3:pkg", - "//envoy/extensions/common/key_value/v3:pkg", - "@com_github_cncf_udpa//udpa/annotations:pkg", - ], -) diff --git a/api/envoy/extensions/common/dynamic_forward_proxy/v4alpha/dns_cache.proto b/api/envoy/extensions/common/dynamic_forward_proxy/v4alpha/dns_cache.proto deleted file mode 100644 index b601a0d21c0b..000000000000 --- a/api/envoy/extensions/common/dynamic_forward_proxy/v4alpha/dns_cache.proto +++ /dev/null 
@@ -1,143 +0,0 @@ -syntax = "proto3"; - -package envoy.extensions.common.dynamic_forward_proxy.v4alpha; - -import "envoy/config/cluster/v4alpha/cluster.proto"; -import "envoy/config/core/v4alpha/address.proto"; -import "envoy/config/core/v4alpha/extension.proto"; -import "envoy/config/core/v4alpha/resolver.proto"; -import "envoy/extensions/common/key_value/v3/config.proto"; - -import "google/protobuf/duration.proto"; -import "google/protobuf/wrappers.proto"; - -import "udpa/annotations/status.proto"; -import "udpa/annotations/versioning.proto"; -import "validate/validate.proto"; - -option java_package = "io.envoyproxy.envoy.extensions.common.dynamic_forward_proxy.v4alpha"; -option java_outer_classname = "DnsCacheProto"; -option java_multiple_files = true; -option (udpa.annotations.file_status).package_version_status = NEXT_MAJOR_VERSION_CANDIDATE; - -// [#protodoc-title: Dynamic forward proxy common configuration] - -// Configuration of circuit breakers for resolver. -message DnsCacheCircuitBreakers { - option (udpa.annotations.versioning).previous_message_type = - "envoy.extensions.common.dynamic_forward_proxy.v3.DnsCacheCircuitBreakers"; - - // The maximum number of pending requests that Envoy will allow to the - // resolver. If not specified, the default is 1024. - google.protobuf.UInt32Value max_pending_requests = 1; -} - -// Configuration for the dynamic forward proxy DNS cache. See the :ref:`architecture overview -// ` for more information. -// [#next-free-field: 14] -message DnsCacheConfig { - option (udpa.annotations.versioning).previous_message_type = - "envoy.extensions.common.dynamic_forward_proxy.v3.DnsCacheConfig"; - - reserved 8; - - reserved "use_tcp_for_dns_lookups"; - - // The name of the cache. Multiple named caches allow independent dynamic forward proxy - // configurations to operate within a single Envoy process using different configurations. 
All - // configurations with the same name *must* otherwise have the same settings when referenced - // from different configuration components. Configuration will fail to load if this is not - // the case. - string name = 1 [(validate.rules).string = {min_len: 1}]; - - // The DNS lookup family to use during resolution. - // - // [#comment:TODO(mattklein123): Figure out how to support IPv4/IPv6 "happy eyeballs" mode. The - // way this might work is a new lookup family which returns both IPv4 and IPv6 addresses, and - // then configures a host to have a primary and fall back address. With this, we could very - // likely build a "happy eyeballs" connection pool which would race the primary / fall back - // address and return the one that wins. This same method could potentially also be used for - // QUIC to TCP fall back.] - config.cluster.v4alpha.Cluster.DnsLookupFamily dns_lookup_family = 2 - [(validate.rules).enum = {defined_only: true}]; - - // The DNS refresh rate for currently cached DNS hosts. If not specified defaults to 60s. - // - // .. note: - // - // The returned DNS TTL is not currently used to alter the refresh rate. This feature will be - // added in a future change. - // - // .. note: - // - // The refresh rate is rounded to the closest millisecond, and must be at least 1ms. - google.protobuf.Duration dns_refresh_rate = 3 - [(validate.rules).duration = {gte {nanos: 1000000}}]; - - // The TTL for hosts that are unused. Hosts that have not been used in the configured time - // interval will be purged. If not specified defaults to 5m. - // - // .. note: - // - // The TTL is only checked at the time of DNS refresh, as specified by *dns_refresh_rate*. This - // means that if the configured TTL is shorter than the refresh rate the host may not be removed - // immediately. - // - // .. note: - // - // The TTL has no relation to DNS TTL and is only used to control Envoy's resource usage. 
- google.protobuf.Duration host_ttl = 4 [(validate.rules).duration = {gt {}}]; - - // The maximum number of hosts that the cache will hold. If not specified defaults to 1024. - // - // .. note: - // - // The implementation is approximate and enforced independently on each worker thread, thus - // it is possible for the maximum hosts in the cache to go slightly above the configured - // value depending on timing. This is similar to how other circuit breakers work. - google.protobuf.UInt32Value max_hosts = 5 [(validate.rules).uint32 = {gt: 0}]; - - // If the DNS failure refresh rate is specified, - // this is used as the cache's DNS refresh rate when DNS requests are failing. If this setting is - // not specified, the failure refresh rate defaults to the dns_refresh_rate. - config.cluster.v4alpha.Cluster.RefreshRate dns_failure_refresh_rate = 6; - - // The config of circuit breakers for resolver. It provides a configurable threshold. - // Envoy will use dns cache circuit breakers with default settings even if this value is not set. - DnsCacheCircuitBreakers dns_cache_circuit_breaker = 7; - - // DNS resolution configuration which includes the underlying dns resolver addresses and options. - // *dns_resolution_config* will be deprecated once - // :ref:'typed_dns_resolver_config ' - // is fully supported. - config.core.v4alpha.DnsResolutionConfig dns_resolution_config = 9; - - // DNS resolver type configuration extension. This extension can be used to configure c-ares, apple, - // or any other DNS resolver types and the related parameters. - // For example, an object of :ref:`DnsResolutionConfig ` - // can be packed into this *typed_dns_resolver_config*. This configuration will replace the - // :ref:'dns_resolution_config ' - // configuration eventually. - // TODO(yanjunxiang): Investigate the deprecation plan for *dns_resolution_config*. 
- // During the transition period when both *dns_resolution_config* and *typed_dns_resolver_config* exists, - // this configuration is optional. - // When *typed_dns_resolver_config* is in place, Envoy will use it and ignore *dns_resolution_config*. - // When *typed_dns_resolver_config* is missing, the default behavior is in place. - // [#not-implemented-hide:] - config.core.v4alpha.TypedExtensionConfig typed_dns_resolver_config = 12; - - // Hostnames that should be preresolved into the cache upon creation. This might provide a - // performance improvement, in the form of cache hits, for hostnames that are going to be - // resolved during steady state and are known at config load time. - repeated config.core.v4alpha.SocketAddress preresolve_hostnames = 10; - - // The timeout used for DNS queries. This timeout is independent of any timeout and retry policy - // used by the underlying DNS implementation (e.g., c-areas and Apple DNS) which are opaque. - // Setting this timeout will ensure that queries succeed or fail within the specified time frame - // and are then retried using the standard refresh rates. Defaults to 5s if not set. - google.protobuf.Duration dns_query_timeout = 11 [(validate.rules).duration = {gt {}}]; - - // [#not-implemented-hide:] - // Configuration to flush the DNS cache to long term storage. - key_value.v3.KeyValueStoreConfig key_value_config = 13; -} diff --git a/api/envoy/extensions/common/matching/v4alpha/BUILD b/api/envoy/extensions/common/matching/v4alpha/BUILD deleted file mode 100644 index 8082008a9d98..000000000000 --- a/api/envoy/extensions/common/matching/v4alpha/BUILD +++ /dev/null 
@@ -1,14 +0,0 @@ -# DO NOT EDIT. This file is generated by tools/proto_format/proto_sync.py. - -load("@envoy_api//bazel:api_build_system.bzl", "api_proto_package") - -licenses(["notice"]) # Apache 2 - -api_proto_package( - deps = [ - "//envoy/config/core/v4alpha:pkg", - "//envoy/extensions/common/matching/v3:pkg", - "@com_github_cncf_udpa//udpa/annotations:pkg", - "@com_github_cncf_udpa//xds/type/matcher/v3:pkg", - ], -) diff --git a/api/envoy/extensions/common/matching/v4alpha/extension_matcher.proto b/api/envoy/extensions/common/matching/v4alpha/extension_matcher.proto deleted file mode 100644 index 9077facc29a4..000000000000 --- a/api/envoy/extensions/common/matching/v4alpha/extension_matcher.proto +++ /dev/null 
@@ -1,39 +0,0 @@ -syntax = "proto3"; - -package envoy.extensions.common.matching.v4alpha; - -import "envoy/config/core/v4alpha/extension.proto"; - -import "xds/type/matcher/v3/matcher.proto"; - -import "udpa/annotations/status.proto"; -import "udpa/annotations/versioning.proto"; -import "validate/validate.proto"; - -option java_package = "io.envoyproxy.envoy.extensions.common.matching.v4alpha"; -option java_outer_classname = "ExtensionMatcherProto"; -option java_multiple_files = true; -option (udpa.annotations.file_status).package_version_status = NEXT_MAJOR_VERSION_CANDIDATE; - -// [#protodoc-title: Extension Matcher] - -// Wrapper around an existing extension that provides an associated matcher. This allows -// decorating an existing extension with a matcher, which can be used to match against -// relevant protocol data. -// -// [#alpha:] -message ExtensionWithMatcher { - option (udpa.annotations.versioning).previous_message_type = - "envoy.extensions.common.matching.v3.ExtensionWithMatcher"; - - reserved 1; - - reserved "matcher"; - - // The associated matcher. - xds.type.matcher.v3.Matcher xds_matcher = 3; - - // The underlying extension config. - config.core.v4alpha.TypedExtensionConfig extension_config = 2 - [(validate.rules).message = {required: true}]; -} diff --git a/api/envoy/extensions/common/tap/v4alpha/BUILD b/api/envoy/extensions/common/tap/v4alpha/BUILD deleted file mode 100644 index 4f2cbe751624..000000000000 --- a/api/envoy/extensions/common/tap/v4alpha/BUILD +++ /dev/null @@ -1,13 +0,0 @@ -# DO NOT EDIT. This file is generated by tools/proto_format/proto_sync.py. - -load("@envoy_api//bazel:api_build_system.bzl", "api_proto_package") - -licenses(["notice"]) # Apache 2 - -api_proto_package( - deps = [ - "//envoy/config/tap/v4alpha:pkg", - "//envoy/extensions/common/tap/v3:pkg", - "@com_github_cncf_udpa//udpa/annotations:pkg", - ], -) 
diff --git a/api/envoy/extensions/common/tap/v4alpha/common.proto b/api/envoy/extensions/common/tap/v4alpha/common.proto deleted file mode 100644 index d04e033f490b..000000000000 --- a/api/envoy/extensions/common/tap/v4alpha/common.proto +++ /dev/null @@ -1,44 +0,0 @@ -syntax = "proto3"; - -package envoy.extensions.common.tap.v4alpha; - -import "envoy/config/tap/v4alpha/common.proto"; - -import "udpa/annotations/status.proto"; -import "udpa/annotations/versioning.proto"; -import "validate/validate.proto"; - -option java_package = "io.envoyproxy.envoy.extensions.common.tap.v4alpha"; -option java_outer_classname = "CommonProto"; -option java_multiple_files = true; -option (udpa.annotations.file_status).package_version_status = NEXT_MAJOR_VERSION_CANDIDATE; - -// [#protodoc-title: Common tap extension configuration] - -// Common configuration for all tap extensions. -message CommonExtensionConfig { - option (udpa.annotations.versioning).previous_message_type = - "envoy.extensions.common.tap.v3.CommonExtensionConfig"; - - oneof config_type { - option (validate.required) = true; - - // If specified, the tap filter will be configured via an admin handler. - AdminConfig admin_config = 1; - - // If specified, the tap filter will be configured via a static configuration that cannot be - // changed. - config.tap.v4alpha.TapConfig static_config = 2; - } -} - -// Configuration for the admin handler. See :ref:`here ` for -// more information. -message AdminConfig { - option (udpa.annotations.versioning).previous_message_type = - "envoy.extensions.common.tap.v3.AdminConfig"; - - // Opaque configuration ID. When requests are made to the admin handler, the passed opaque ID is - // matched to the configured filter opaque ID to determine which filter to configure. - string config_id = 1 [(validate.rules).string = {min_len: 1}]; -} 
diff --git a/api/envoy/extensions/filters/http/cache/v4alpha/BUILD b/api/envoy/extensions/filters/http/cache/v4alpha/BUILD deleted file mode 100644 index 583ecda68091..000000000000 --- a/api/envoy/extensions/filters/http/cache/v4alpha/BUILD +++ /dev/null @@ -1,14 +0,0 @@ -# DO NOT EDIT. This file is generated by tools/proto_format/proto_sync.py. - -load("@envoy_api//bazel:api_build_system.bzl", "api_proto_package") - -licenses(["notice"]) # Apache 2 - -api_proto_package( - deps = [ - "//envoy/config/route/v4alpha:pkg", - "//envoy/extensions/filters/http/cache/v3alpha:pkg", - "//envoy/type/matcher/v4alpha:pkg", - "@com_github_cncf_udpa//udpa/annotations:pkg", - ], -) diff --git a/api/envoy/extensions/filters/http/cache/v4alpha/cache.proto b/api/envoy/extensions/filters/http/cache/v4alpha/cache.proto deleted file mode 100644 index 5297a3d15ef8..000000000000 --- a/api/envoy/extensions/filters/http/cache/v4alpha/cache.proto +++ /dev/null 
@@ -1,82 +0,0 @@ -syntax = "proto3"; - -package envoy.extensions.filters.http.cache.v4alpha; - -import "envoy/config/route/v4alpha/route_components.proto"; -import "envoy/type/matcher/v4alpha/string.proto"; - -import "google/protobuf/any.proto"; - -import "udpa/annotations/status.proto"; -import "udpa/annotations/versioning.proto"; -import "validate/validate.proto"; - -option java_package = "io.envoyproxy.envoy.extensions.filters.http.cache.v4alpha"; -option java_outer_classname = "CacheProto"; -option java_multiple_files = true; -option (udpa.annotations.file_status).work_in_progress = true; -option (udpa.annotations.file_status).package_version_status = NEXT_MAJOR_VERSION_CANDIDATE; - -// [#protodoc-title: HTTP Cache Filter] - -// [#extension: envoy.filters.http.cache] -message CacheConfig { - option (udpa.annotations.versioning).previous_message_type = - "envoy.extensions.filters.http.cache.v3alpha.CacheConfig"; - - // [#not-implemented-hide:] - // Modifies cache key creation by restricting which parts of the URL are included. - message KeyCreatorParams { - option (udpa.annotations.versioning).previous_message_type = - "envoy.extensions.filters.http.cache.v3alpha.CacheConfig.KeyCreatorParams"; - - // If true, exclude the URL scheme from the cache key. Set to true if your origins always - // produce the same response for http and https requests. - bool exclude_scheme = 1; - - // If true, exclude the host from the cache key. Set to true if your origins' responses don't - // ever depend on host. - bool exclude_host = 2; - - // If *query_parameters_included* is nonempty, only query parameters matched - // by one or more of its matchers are included in the cache key. Any other - // query params will not affect cache lookup. 
- repeated config.route.v4alpha.QueryParameterMatcher query_parameters_included = 3; - - // If *query_parameters_excluded* is nonempty, query parameters matched by one - // or more of its matchers are excluded from the cache key (even if also - // matched by *query_parameters_included*), and will not affect cache lookup. - repeated config.route.v4alpha.QueryParameterMatcher query_parameters_excluded = 4; - } - - // Config specific to the cache storage implementation. - // [#extension-category: envoy.filters.http.cache] - google.protobuf.Any typed_config = 1 [(validate.rules).any = {required: true}]; - - // List of matching rules that defines allowed *Vary* headers. - // - // The *vary* response header holds a list of header names that affect the - // contents of a response, as described by - // https://httpwg.org/specs/rfc7234.html#caching.negotiated.responses. - // - // During insertion, *allowed_vary_headers* acts as a allowlist: if a - // response's *vary* header mentions any header names that aren't matched by any rules in - // *allowed_vary_headers*, that response will not be cached. - // - // During lookup, *allowed_vary_headers* controls what request headers will be - // sent to the cache storage implementation. - repeated type.matcher.v4alpha.StringMatcher allowed_vary_headers = 2; - - // [#not-implemented-hide:] - // - // - // Modifies cache key creation by restricting which parts of the URL are included. - KeyCreatorParams key_creator_params = 3; - - // [#not-implemented-hide:] - // - // - // Max body size the cache filter will insert into a cache. 0 means unlimited (though the cache - // storage implementation may have its own limit beyond which it will reject insertions). - uint32 max_body_bytes = 4; -} diff --git a/api/envoy/extensions/filters/http/compressor/v4alpha/BUILD b/api/envoy/extensions/filters/http/compressor/v4alpha/BUILD deleted file mode 100644 index 251b6da666af..000000000000 
--- a/api/envoy/extensions/filters/http/compressor/v4alpha/BUILD +++ /dev/null @@ -1,13 +0,0 @@ -# DO NOT EDIT. This file is generated by tools/proto_format/proto_sync.py. - -load("@envoy_api//bazel:api_build_system.bzl", "api_proto_package") - -licenses(["notice"]) # Apache 2 - -api_proto_package( - deps = [ - "//envoy/config/core/v4alpha:pkg", - "//envoy/extensions/filters/http/compressor/v3:pkg", - "@com_github_cncf_udpa//udpa/annotations:pkg", - ], -) diff --git a/api/envoy/extensions/filters/http/compressor/v4alpha/compressor.proto b/api/envoy/extensions/filters/http/compressor/v4alpha/compressor.proto deleted file mode 100644 index 11d7757d0980..000000000000 --- a/api/envoy/extensions/filters/http/compressor/v4alpha/compressor.proto +++ /dev/null 
@@ -1,106 +0,0 @@ -syntax = "proto3"; - -package envoy.extensions.filters.http.compressor.v4alpha; - -import "envoy/config/core/v4alpha/base.proto"; -import "envoy/config/core/v4alpha/extension.proto"; - -import "google/protobuf/wrappers.proto"; - -import "udpa/annotations/status.proto"; -import "udpa/annotations/versioning.proto"; -import "validate/validate.proto"; - -option java_package = "io.envoyproxy.envoy.extensions.filters.http.compressor.v4alpha"; -option java_outer_classname = "CompressorProto"; -option java_multiple_files = true; -option (udpa.annotations.file_status).package_version_status = NEXT_MAJOR_VERSION_CANDIDATE; - -// [#protodoc-title: Compressor] -// Compressor :ref:`configuration overview `. -// [#extension: envoy.filters.http.compressor] - -// [#next-free-field: 9] -message Compressor { - option (udpa.annotations.versioning).previous_message_type = - "envoy.extensions.filters.http.compressor.v3.Compressor"; - - message CommonDirectionConfig { - option (udpa.annotations.versioning).previous_message_type = - "envoy.extensions.filters.http.compressor.v3.Compressor.CommonDirectionConfig"; - - // Runtime flag that controls whether compression is enabled or not for the direction this - // common config is put in. If set to false, the filter will operate as a pass-through filter - // in the chosen direction. If the field is omitted, the filter will be enabled. - config.core.v4alpha.RuntimeFeatureFlag enabled = 1; - - // Minimum value of Content-Length header of request or response messages (depending on the direction - // this common config is put in), in bytes, which will trigger compression. The default value is 30. - google.protobuf.UInt32Value min_content_length = 2; - - // Set of strings that allows specifying which mime-types yield compression; e.g., - // application/json, text/html, etc. 
When this field is not defined, compression will be applied - // to the following mime-types: "application/javascript", "application/json", - // "application/xhtml+xml", "image/svg+xml", "text/css", "text/html", "text/plain", "text/xml" - // and their synonyms. - repeated string content_type = 3; - } - - // Configuration for filter behavior on the request direction. - message RequestDirectionConfig { - option (udpa.annotations.versioning).previous_message_type = - "envoy.extensions.filters.http.compressor.v3.Compressor.RequestDirectionConfig"; - - CommonDirectionConfig common_config = 1; - } - - // Configuration for filter behavior on the response direction. - message ResponseDirectionConfig { - option (udpa.annotations.versioning).previous_message_type = - "envoy.extensions.filters.http.compressor.v3.Compressor.ResponseDirectionConfig"; - - CommonDirectionConfig common_config = 1; - - // If true, disables compression when the response contains an etag header. When it is false, the - // filter will preserve weak etags and remove the ones that require strong validation. - bool disable_on_etag_header = 2; - - // If true, removes accept-encoding from the request headers before dispatching it to the upstream - // so that responses do not get compressed before reaching the filter. - // - // .. attention:: - // - // To avoid interfering with other compression filters in the same chain use this option in - // the filter closest to the upstream. - bool remove_accept_encoding_header = 3; - } - - reserved 1, 2, 3, 4, 5; - - reserved "content_length", "content_type", "disable_on_etag_header", - "remove_accept_encoding_header", "runtime_enabled"; - - // A compressor library to use for compression. Currently only - // :ref:`envoy.compression.gzip.compressor` - // is included in Envoy. 
- // [#extension-category: envoy.compression.compressor] - config.core.v4alpha.TypedExtensionConfig compressor_library = 6 - [(validate.rules).message = {required: true}]; - - // Configuration for request compression. Compression is disabled by default if left empty. - RequestDirectionConfig request_direction_config = 7; - - // Configuration for response compression. Compression is enabled by default if left empty. - // - // .. attention:: - // - // If the field is not empty then the duplicate deprecated fields of the `Compressor` message, - // such as `content_length`, `content_type`, `disable_on_etag_header`, - // `remove_accept_encoding_header` and `runtime_enabled`, are ignored. - // - // Also all the statistics related to response compression will be rooted in - // `.compressor...response.*` - // instead of - // `.compressor...*`. - ResponseDirectionConfig response_direction_config = 8; -} diff --git a/api/envoy/extensions/filters/http/csrf/v4alpha/BUILD b/api/envoy/extensions/filters/http/csrf/v4alpha/BUILD deleted file mode 100644 index d12fc7262cac..000000000000 --- a/api/envoy/extensions/filters/http/csrf/v4alpha/BUILD +++ /dev/null @@ -1,14 +0,0 @@ -# DO NOT EDIT. This file is generated by tools/proto_format/proto_sync.py. - -load("@envoy_api//bazel:api_build_system.bzl", "api_proto_package") - -licenses(["notice"]) # Apache 2 - -api_proto_package( - deps = [ - "//envoy/config/core/v4alpha:pkg", - "//envoy/extensions/filters/http/csrf/v3:pkg", - "//envoy/type/matcher/v4alpha:pkg", - "@com_github_cncf_udpa//udpa/annotations:pkg", - ], -) diff --git a/api/envoy/extensions/filters/http/csrf/v4alpha/csrf.proto b/api/envoy/extensions/filters/http/csrf/v4alpha/csrf.proto deleted file mode 100644 index 3de55da6be8c..000000000000 --- a/api/envoy/extensions/filters/http/csrf/v4alpha/csrf.proto +++ /dev/null 
@@ -1,54 +0,0 @@ -syntax = "proto3"; - -package envoy.extensions.filters.http.csrf.v4alpha; - -import "envoy/config/core/v4alpha/base.proto"; -import "envoy/type/matcher/v4alpha/string.proto"; - -import "udpa/annotations/status.proto"; -import "udpa/annotations/versioning.proto"; -import "validate/validate.proto"; - -option java_package = "io.envoyproxy.envoy.extensions.filters.http.csrf.v4alpha"; -option java_outer_classname = "CsrfProto"; -option java_multiple_files = true; -option (udpa.annotations.file_status).package_version_status = NEXT_MAJOR_VERSION_CANDIDATE; - -// [#protodoc-title: CSRF] -// Cross-Site Request Forgery :ref:`configuration overview `. -// [#extension: envoy.filters.http.csrf] - -// CSRF filter config. -message CsrfPolicy { - option (udpa.annotations.versioning).previous_message_type = - "envoy.extensions.filters.http.csrf.v3.CsrfPolicy"; - - // Specifies the % of requests for which the CSRF filter is enabled. - // - // If :ref:`runtime_key ` is specified, - // Envoy will lookup the runtime key to get the percentage of requests to filter. - // - // .. note:: - // - // This field defaults to 100/:ref:`HUNDRED - // `. - config.core.v4alpha.RuntimeFractionalPercent filter_enabled = 1 - [(validate.rules).message = {required: true}]; - - // Specifies that CSRF policies will be evaluated and tracked, but not enforced. - // - // This is intended to be used when ``filter_enabled`` is off and will be ignored otherwise. - // - // If :ref:`runtime_key ` is specified, - // Envoy will lookup the runtime key to get the percentage of requests for which it will evaluate - // and track the request's *Origin* and *Destination* to determine if it's valid, but will not - // enforce any policies. - config.core.v4alpha.RuntimeFractionalPercent shadow_enabled = 2; - - // Specifies additional source origins that will be allowed in addition to - // the destination origin. 
- // - // More information on how this can be configured via runtime can be found - // :ref:`here `. - repeated type.matcher.v4alpha.StringMatcher additional_origins = 3; -} diff --git a/api/envoy/extensions/filters/http/dynamic_forward_proxy/v4alpha/BUILD b/api/envoy/extensions/filters/http/dynamic_forward_proxy/v4alpha/BUILD deleted file mode 100644 index 8486b45d71d9..000000000000 --- a/api/envoy/extensions/filters/http/dynamic_forward_proxy/v4alpha/BUILD +++ /dev/null @@ -1,13 +0,0 @@ -# DO NOT EDIT. This file is generated by tools/proto_format/proto_sync.py. - -load("@envoy_api//bazel:api_build_system.bzl", "api_proto_package") - -licenses(["notice"]) # Apache 2 - -api_proto_package( - deps = [ - "//envoy/extensions/common/dynamic_forward_proxy/v4alpha:pkg", - "//envoy/extensions/filters/http/dynamic_forward_proxy/v3:pkg", - "@com_github_cncf_udpa//udpa/annotations:pkg", - ], -) diff --git a/api/envoy/extensions/filters/http/dynamic_forward_proxy/v4alpha/dynamic_forward_proxy.proto b/api/envoy/extensions/filters/http/dynamic_forward_proxy/v4alpha/dynamic_forward_proxy.proto deleted file mode 100644 index 0dba06106b07..000000000000 --- a/api/envoy/extensions/filters/http/dynamic_forward_proxy/v4alpha/dynamic_forward_proxy.proto +++ /dev/null 
@@ -1,64 +0,0 @@ -syntax = "proto3"; - -package envoy.extensions.filters.http.dynamic_forward_proxy.v4alpha; - -import "envoy/extensions/common/dynamic_forward_proxy/v4alpha/dns_cache.proto"; - -import "udpa/annotations/status.proto"; -import "udpa/annotations/versioning.proto"; -import "validate/validate.proto"; - -option java_package = "io.envoyproxy.envoy.extensions.filters.http.dynamic_forward_proxy.v4alpha"; -option java_outer_classname = "DynamicForwardProxyProto"; -option java_multiple_files = true; -option (udpa.annotations.file_status).package_version_status = NEXT_MAJOR_VERSION_CANDIDATE; - -// [#protodoc-title: Dynamic forward proxy] - -// Configuration for the dynamic forward proxy HTTP filter. See the :ref:`architecture overview -// ` for more information. -// [#extension: envoy.filters.http.dynamic_forward_proxy] -message FilterConfig { - option (udpa.annotations.versioning).previous_message_type = - "envoy.extensions.filters.http.dynamic_forward_proxy.v3.FilterConfig"; - - // The DNS cache configuration that the filter will attach to. Note this configuration must - // match that of associated :ref:`dynamic forward proxy cluster configuration - // `. - common.dynamic_forward_proxy.v4alpha.DnsCacheConfig dns_cache_config = 1 - [(validate.rules).message = {required: true}]; -} - -// Per route Configuration for the dynamic forward proxy HTTP filter. -message PerRouteConfig { - option (udpa.annotations.versioning).previous_message_type = - "envoy.extensions.filters.http.dynamic_forward_proxy.v3.PerRouteConfig"; - - oneof host_rewrite_specifier { - // Indicates that before DNS lookup, the host header will be swapped with - // this value. If not set or empty, the original host header value - // will be used and no rewrite will happen. - // - // Note: this rewrite affects both DNS lookup and host header forwarding. 
However, this - // option shouldn't be used with - // :ref:`HCM host rewrite ` given that the - // value set here would be used for DNS lookups whereas the value set in the HCM would be used - // for host header forwarding which is not the desired outcome. - string host_rewrite_literal = 1; - - // Indicates that before DNS lookup, the host header will be swapped with - // the value of this header. If not set or empty, the original host header - // value will be used and no rewrite will happen. - // - // Note: this rewrite affects both DNS lookup and host header forwarding. However, this - // option shouldn't be used with - // :ref:`HCM host rewrite header ` - // given that the value set here would be used for DNS lookups whereas the value set in the HCM - // would be used for host header forwarding which is not the desired outcome. - // - // .. note:: - // - // If the header appears multiple times only the first value is used. - string host_rewrite_header = 2; - } -} diff --git a/api/envoy/extensions/filters/http/ext_authz/v4alpha/BUILD b/api/envoy/extensions/filters/http/ext_authz/v4alpha/BUILD deleted file mode 100644 index 16a0c5f1b64c..000000000000 --- a/api/envoy/extensions/filters/http/ext_authz/v4alpha/BUILD +++ /dev/null @@ -1,15 +0,0 @@ -# DO NOT EDIT. This file is generated by tools/proto_format/proto_sync.py. - -load("@envoy_api//bazel:api_build_system.bzl", "api_proto_package") - -licenses(["notice"]) # Apache 2 - -api_proto_package( - deps = [ - "//envoy/config/core/v4alpha:pkg", - "//envoy/extensions/filters/http/ext_authz/v3:pkg", - "//envoy/type/matcher/v4alpha:pkg", - "//envoy/type/v3:pkg", - "@com_github_cncf_udpa//udpa/annotations:pkg", - ], -) diff --git a/api/envoy/extensions/filters/http/ext_authz/v4alpha/ext_authz.proto b/api/envoy/extensions/filters/http/ext_authz/v4alpha/ext_authz.proto deleted file mode 100644 index 35b0cbd2f547..000000000000 --- a/api/envoy/extensions/filters/http/ext_authz/v4alpha/ext_authz.proto +++ /dev/null 
@@ -1,316 +0,0 @@ -syntax = "proto3"; - -package envoy.extensions.filters.http.ext_authz.v4alpha; - -import "envoy/config/core/v4alpha/base.proto"; -import "envoy/config/core/v4alpha/config_source.proto"; -import "envoy/config/core/v4alpha/grpc_service.proto"; -import "envoy/config/core/v4alpha/http_uri.proto"; -import "envoy/type/matcher/v4alpha/metadata.proto"; -import "envoy/type/matcher/v4alpha/string.proto"; -import "envoy/type/v3/http_status.proto"; - -import "udpa/annotations/status.proto"; -import "udpa/annotations/versioning.proto"; -import "validate/validate.proto"; - -option java_package = "io.envoyproxy.envoy.extensions.filters.http.ext_authz.v4alpha"; -option java_outer_classname = "ExtAuthzProto"; -option java_multiple_files = true; -option (udpa.annotations.file_status).package_version_status = NEXT_MAJOR_VERSION_CANDIDATE; - -// [#protodoc-title: External Authorization] -// External Authorization :ref:`configuration overview `. -// [#extension: envoy.filters.http.ext_authz] - -// [#next-free-field: 16] -message ExtAuthz { - option (udpa.annotations.versioning).previous_message_type = - "envoy.extensions.filters.http.ext_authz.v3.ExtAuthz"; - - reserved 4; - - reserved "use_alpha"; - - // External authorization service configuration. - oneof services { - // gRPC service configuration (default timeout: 200ms). - config.core.v4alpha.GrpcService grpc_service = 1; - - // HTTP service configuration (default timeout: 200ms). - HttpService http_service = 3; - } - - // API version for ext_authz transport protocol. This describes the ext_authz gRPC endpoint and - // version of messages used on the wire. - config.core.v4alpha.ApiVersion transport_api_version = 12 - [(validate.rules).enum = {defined_only: true}]; - - // Changes filter's behaviour on errors: - // - // 1. 
When set to true, the filter will *accept* client request even if the communication with - // the authorization service has failed, or if the authorization service has returned a HTTP 5xx - // error. - // - // 2. When set to false, ext-authz will *reject* client requests and return a *Forbidden* - // response if the communication with the authorization service has failed, or if the - // authorization service has returned a HTTP 5xx error. - // - // Note that errors can be *always* tracked in the :ref:`stats - // `. - bool failure_mode_allow = 2; - - // Enables filter to buffer the client request body and send it within the authorization request. - // A ``x-envoy-auth-partial-body: false|true`` metadata header will be added to the authorization - // request message indicating if the body data is partial. - BufferSettings with_request_body = 5; - - // Clears route cache in order to allow the external authorization service to correctly affect - // routing decisions. Filter clears all cached routes when: - // - // 1. The field is set to *true*. - // - // 2. The status returned from the authorization service is a HTTP 200 or gRPC 0. - // - // 3. At least one *authorization response header* is added to the client request, or is used for - // altering another client request header. - // - bool clear_route_cache = 6; - - // Sets the HTTP status that is returned to the client when there is a network error between the - // filter and the authorization server. The default status is HTTP 403 Forbidden. - type.v3.HttpStatus status_on_error = 7; - - // Specifies a list of metadata namespaces whose values, if present, will be passed to the - // ext_authz service as an opaque *protobuf::Struct*. - // - // For example, if the *jwt_authn* filter is used and :ref:`payload_in_metadata - // ` is set, - // then the following will pass the jwt payload to the authorization server. - // - // .. 
code-block:: yaml - // - // metadata_context_namespaces: - // - envoy.filters.http.jwt_authn - // - repeated string metadata_context_namespaces = 8; - - // Specifies if the filter is enabled. - // - // If :ref:`runtime_key ` is specified, - // Envoy will lookup the runtime key to get the percentage of requests to filter. - // - // If this field is not specified, the filter will be enabled for all requests. - config.core.v4alpha.RuntimeFractionalPercent filter_enabled = 9; - - // Specifies if the filter is enabled with metadata matcher. - // If this field is not specified, the filter will be enabled for all requests. - type.matcher.v4alpha.MetadataMatcher filter_enabled_metadata = 14; - - // Specifies whether to deny the requests, when the filter is disabled. - // If :ref:`runtime_key ` is specified, - // Envoy will lookup the runtime key to determine whether to deny request for - // filter protected path at filter disabling. If filter is disabled in - // typed_per_filter_config for the path, requests will not be denied. - // - // If this field is not specified, all requests will be allowed when disabled. - config.core.v4alpha.RuntimeFeatureFlag deny_at_disable = 11; - - // Specifies if the peer certificate is sent to the external service. - // - // When this field is true, Envoy will include the peer X.509 certificate, if available, in the - // :ref:`certificate`. - bool include_peer_certificate = 10; - - // Optional additional prefix to use when emitting statistics. This allows to distinguish - // emitted statistics between configured *ext_authz* filters in an HTTP filter chain. For example: - // - // .. code-block:: yaml - // - // http_filters: - // - name: envoy.filters.http.ext_authz - // typed_config: - // "@type": type.googleapis.com/envoy.extensions.filters.http.ext_authz.v3.ExtAuthz - // stat_prefix: waf # This emits ext_authz.waf.ok, ext_authz.waf.denied, etc. 
- // - name: envoy.filters.http.ext_authz - // typed_config: - // "@type": type.googleapis.com/envoy.extensions.filters.http.ext_authz.v3.ExtAuthz - // stat_prefix: blocker # This emits ext_authz.blocker.ok, ext_authz.blocker.denied, etc. - // - string stat_prefix = 13; - - // Optional labels that will be passed to :ref:`labels` in - // :ref:`destination`. - // The labels will be read from :ref:`metadata` with the specified key. - string bootstrap_metadata_labels_key = 15; -} - -// Configuration for buffering the request data. -message BufferSettings { - option (udpa.annotations.versioning).previous_message_type = - "envoy.extensions.filters.http.ext_authz.v3.BufferSettings"; - - // Sets the maximum size of a message body that the filter will hold in memory. Envoy will return - // *HTTP 413* and will *not* initiate the authorization process when buffer reaches the number - // set in this field. Note that this setting will have precedence over :ref:`failure_mode_allow - // `. - uint32 max_request_bytes = 1 [(validate.rules).uint32 = {gt: 0}]; - - // When this field is true, Envoy will buffer the message until *max_request_bytes* is reached. - // The authorization request will be dispatched and no 413 HTTP error will be returned by the - // filter. - bool allow_partial_message = 2; - - // If true, the body sent to the external authorization service is set with raw bytes, it sets - // the :ref:`raw_body` - // field of HTTP request attribute context. Otherwise, :ref:` - // body` will be filled - // with UTF-8 string request body. - bool pack_as_bytes = 3; -} - -// HttpService is used for raw HTTP communication between the filter and the authorization service. -// When configured, the filter will parse the client request and use these attributes to call the -// authorization server. Depending on the response, the filter may reject or accept the client -// request. 
Note that in any of these events, metadata can be added, removed or overridden by the -// filter: -// -// *On authorization request*, a list of allowed request headers may be supplied. See -// :ref:`allowed_headers -// ` -// for details. Additional headers metadata may be added to the authorization request. See -// :ref:`headers_to_add -// ` for -// details. -// -// On authorization response status HTTP 200 OK, the filter will allow traffic to the upstream and -// additional headers metadata may be added to the original client request. See -// :ref:`allowed_upstream_headers -// ` -// for details. Additionally, the filter may add additional headers to the client's response. See -// :ref:`allowed_client_headers_on_success -// ` -// for details. -// -// On other authorization response statuses, the filter will not allow traffic. Additional headers -// metadata as well as body may be added to the client's response. See :ref:`allowed_client_headers -// ` -// for details. -// [#next-free-field: 9] -message HttpService { - option (udpa.annotations.versioning).previous_message_type = - "envoy.extensions.filters.http.ext_authz.v3.HttpService"; - - reserved 3, 4, 5, 6; - - // Sets the HTTP server URI which the authorization requests must be sent to. - config.core.v4alpha.HttpUri server_uri = 1; - - // Sets a prefix to the value of authorization request header *Path*. - string path_prefix = 2; - - // Settings used for controlling authorization request metadata. - AuthorizationRequest authorization_request = 7; - - // Settings used for controlling authorization response metadata. - AuthorizationResponse authorization_response = 8; -} - -message AuthorizationRequest { - option (udpa.annotations.versioning).previous_message_type = - "envoy.extensions.filters.http.ext_authz.v3.AuthorizationRequest"; - - // Authorization request includes the client request headers that have a correspondent match - // in the :ref:`list `. - // - // .. 
note:: - // - // In addition to the the user's supplied matchers, ``Host``, ``Method``, ``Path``, - // ``Content-Length``, and ``Authorization`` are **automatically included** to the list. - // - // .. note:: - // - // By default, ``Content-Length`` header is set to ``0`` and the request to the authorization - // service has no message body. However, the authorization request *may* include the buffered - // client request body (controlled by :ref:`with_request_body - // ` - // setting) hence the value of its ``Content-Length`` reflects the size of its payload size. - // - type.matcher.v4alpha.ListStringMatcher allowed_headers = 1; - - // Sets a list of headers that will be included to the request to authorization service. Note that - // client request of the same key will be overridden. - repeated config.core.v4alpha.HeaderValue headers_to_add = 2; -} - -message AuthorizationResponse { - option (udpa.annotations.versioning).previous_message_type = - "envoy.extensions.filters.http.ext_authz.v3.AuthorizationResponse"; - - // When this :ref:`list ` is set, authorization - // response headers that have a correspondent match will be added to the original client request. - // Note that coexistent headers will be overridden. - type.matcher.v4alpha.ListStringMatcher allowed_upstream_headers = 1; - - // When this :ref:`list ` is set, authorization - // response headers that have a correspondent match will be added to the client's response. Note - // that coexistent headers will be appended. - type.matcher.v4alpha.ListStringMatcher allowed_upstream_headers_to_append = 3; - - // When this :ref:`list `. is set, authorization - // response headers that have a correspondent match will be added to the client's response. Note - // that when this list is *not* set, all the authorization response headers, except *Authority - // (Host)* will be in the response to the client. 
When a header is included in this list, *Path*, - // *Status*, *Content-Length*, *WWWAuthenticate* and *Location* are automatically added. - type.matcher.v4alpha.ListStringMatcher allowed_client_headers = 2; - - // When this :ref:`list `. is set, authorization - // response headers that have a correspondent match will be added to the client's response when - // the authorization response itself is successful, i.e. not failed or denied. When this list is - // *not* set, no additional headers will be added to the client's response on success. - type.matcher.v4alpha.ListStringMatcher allowed_client_headers_on_success = 4; -} - -// Extra settings on a per virtualhost/route/weighted-cluster level. -message ExtAuthzPerRoute { - option (udpa.annotations.versioning).previous_message_type = - "envoy.extensions.filters.http.ext_authz.v3.ExtAuthzPerRoute"; - - oneof override { - option (validate.required) = true; - - // Disable the ext auth filter for this particular vhost or route. - // If disabled is specified in multiple per-filter-configs, the most specific one will be used. - bool disabled = 1 [(validate.rules).bool = {const: true}]; - - // Check request settings for this route. - CheckSettings check_settings = 2 [(validate.rules).message = {required: true}]; - } -} - -// Extra settings for the check request. -message CheckSettings { - option (udpa.annotations.versioning).previous_message_type = - "envoy.extensions.filters.http.ext_authz.v3.CheckSettings"; - - // Context extensions to set on the CheckRequest's - // :ref:`AttributeContext.context_extensions` - // - // You can use this to provide extra context for the external authorization server on specific - // virtual hosts/routes. For example, adding a context extension on the virtual host level can - // give the ext-authz server information on what virtual host is used without needing to parse the - // host header. 
If CheckSettings is specified in multiple per-filter-configs, they will be merged - // in order, and the result will be used. - // - // Merge semantics for this field are such that keys from more specific configs override. - // - // .. note:: - // - // These settings are only applied to a filter configured with a - // :ref:`grpc_service`. - map context_extensions = 1; - - // When set to true, disable the configured :ref:`with_request_body - // ` for a route. - bool disable_request_body_buffering = 2; -} diff --git a/api/envoy/extensions/filters/http/fault/v4alpha/BUILD b/api/envoy/extensions/filters/http/fault/v4alpha/BUILD deleted file mode 100644 index 6b7506bcbf76..000000000000 --- a/api/envoy/extensions/filters/http/fault/v4alpha/BUILD +++ /dev/null @@ -1,15 +0,0 @@ -# DO NOT EDIT. This file is generated by tools/proto_format/proto_sync.py. - -load("@envoy_api//bazel:api_build_system.bzl", "api_proto_package") - -licenses(["notice"]) # Apache 2 - -api_proto_package( - deps = [ - "//envoy/config/route/v4alpha:pkg", - "//envoy/extensions/filters/common/fault/v3:pkg", - "//envoy/extensions/filters/http/fault/v3:pkg", - "//envoy/type/v3:pkg", - "@com_github_cncf_udpa//udpa/annotations:pkg", - ], -) diff --git a/api/envoy/extensions/filters/http/fault/v4alpha/fault.proto b/api/envoy/extensions/filters/http/fault/v4alpha/fault.proto deleted file mode 100644 index da8b8b48ad3f..000000000000 --- a/api/envoy/extensions/filters/http/fault/v4alpha/fault.proto +++ /dev/null 
@@ -1,150 +0,0 @@ -syntax = "proto3"; - -package envoy.extensions.filters.http.fault.v4alpha; - -import "envoy/config/route/v4alpha/route_components.proto"; -import "envoy/extensions/filters/common/fault/v3/fault.proto"; -import "envoy/type/v3/percent.proto"; - -import "google/protobuf/wrappers.proto"; - -import "udpa/annotations/status.proto"; -import "udpa/annotations/versioning.proto"; -import "validate/validate.proto"; - -option java_package = "io.envoyproxy.envoy.extensions.filters.http.fault.v4alpha"; -option java_outer_classname = "FaultProto"; -option java_multiple_files = true; -option (udpa.annotations.file_status).package_version_status = NEXT_MAJOR_VERSION_CANDIDATE; - -// [#protodoc-title: Fault Injection] -// Fault Injection :ref:`configuration overview `. -// [#extension: envoy.filters.http.fault] - -// [#next-free-field: 6] -message FaultAbort { - option (udpa.annotations.versioning).previous_message_type = - "envoy.extensions.filters.http.fault.v3.FaultAbort"; - - // Fault aborts are controlled via an HTTP header (if applicable). See the - // :ref:`HTTP fault filter ` documentation for - // more information. - message HeaderAbort { - option (udpa.annotations.versioning).previous_message_type = - "envoy.extensions.filters.http.fault.v3.FaultAbort.HeaderAbort"; - } - - reserved 1; - - oneof error_type { - option (validate.required) = true; - - // HTTP status code to use to abort the HTTP request. - uint32 http_status = 2 [(validate.rules).uint32 = {lt: 600 gte: 200}]; - - // gRPC status code to use to abort the gRPC request. - uint32 grpc_status = 5; - - // Fault aborts are controlled via an HTTP header (if applicable). - HeaderAbort header_abort = 4; - } - - // The percentage of requests/operations/connections that will be aborted with the error code - // provided. 
- type.v3.FractionalPercent percentage = 3; -} - -// [#next-free-field: 16] -message HTTPFault { - option (udpa.annotations.versioning).previous_message_type = - "envoy.extensions.filters.http.fault.v3.HTTPFault"; - - // If specified, the filter will inject delays based on the values in the - // object. - common.fault.v3.FaultDelay delay = 1; - - // If specified, the filter will abort requests based on the values in - // the object. At least *abort* or *delay* must be specified. - FaultAbort abort = 2; - - // Specifies the name of the (destination) upstream cluster that the - // filter should match on. Fault injection will be restricted to requests - // bound to the specific upstream cluster. - string upstream_cluster = 3; - - // Specifies a set of headers that the filter should match on. The fault - // injection filter can be applied selectively to requests that match a set of - // headers specified in the fault filter config. The chances of actual fault - // injection further depend on the value of the :ref:`percentage - // ` field. - // The filter will check the request's headers against all the specified - // headers in the filter config. A match will happen if all the headers in the - // config are present in the request with the same values (or based on - // presence if the *value* field is not in the config). - repeated config.route.v4alpha.HeaderMatcher headers = 4; - - // Faults are injected for the specified list of downstream hosts. If this - // setting is not set, faults are injected for all downstream nodes. - // Downstream node name is taken from :ref:`the HTTP - // x-envoy-downstream-service-node - // ` header and compared - // against downstream_nodes list. - repeated string downstream_nodes = 5; - - // The maximum number of faults that can be active at a single time via the configured fault - // filter. 
Note that because this setting can be overridden at the route level, it's possible - // for the number of active faults to be greater than this value (if injected via a different - // route). If not specified, defaults to unlimited. This setting can be overridden via - // `runtime ` and any faults that are not injected - // due to overflow will be indicated via the `faults_overflow - // ` stat. - // - // .. attention:: - // Like other :ref:`circuit breakers ` in Envoy, this is a fuzzy - // limit. It's possible for the number of active faults to rise slightly above the configured - // amount due to the implementation details. - google.protobuf.UInt32Value max_active_faults = 6; - - // The response rate limit to be applied to the response body of the stream. When configured, - // the percentage can be overridden by the :ref:`fault.http.rate_limit.response_percent - // ` runtime key. - // - // .. attention:: - // This is a per-stream limit versus a connection level limit. This means that concurrent streams - // will each get an independent limit. - common.fault.v3.FaultRateLimit response_rate_limit = 7; - - // The runtime key to override the :ref:`default ` - // runtime. The default is: fault.http.delay.fixed_delay_percent - string delay_percent_runtime = 8; - - // The runtime key to override the :ref:`default ` - // runtime. The default is: fault.http.abort.abort_percent - string abort_percent_runtime = 9; - - // The runtime key to override the :ref:`default ` - // runtime. The default is: fault.http.delay.fixed_duration_ms - string delay_duration_runtime = 10; - - // The runtime key to override the :ref:`default ` - // runtime. The default is: fault.http.abort.http_status - string abort_http_status_runtime = 11; - - // The runtime key to override the :ref:`default ` - // runtime. The default is: fault.http.max_active_faults - string max_active_faults_runtime = 12; - - // The runtime key to override the :ref:`default ` - // runtime. 
The default is: fault.http.rate_limit.response_percent - string response_rate_limit_percent_runtime = 13; - - // The runtime key to override the :ref:`default ` - // runtime. The default is: fault.http.abort.grpc_status - string abort_grpc_status_runtime = 14; - - // To control whether stats storage is allocated dynamically for each downstream server. - // If set to true, "x-envoy-downstream-service-cluster" field of header will be ignored by this filter. - // If set to false, dynamic stats storage will be allocated for the downstream cluster name. - // Default value is false. - bool disable_downstream_cluster_stats = 15; -} diff --git a/api/envoy/extensions/filters/http/gzip/v4alpha/BUILD b/api/envoy/extensions/filters/http/gzip/v4alpha/BUILD deleted file mode 100644 index 3b9648df0929..000000000000 --- a/api/envoy/extensions/filters/http/gzip/v4alpha/BUILD +++ /dev/null @@ -1,13 +0,0 @@ -# DO NOT EDIT. This file is generated by tools/proto_format/proto_sync.py. - -load("@envoy_api//bazel:api_build_system.bzl", "api_proto_package") - -licenses(["notice"]) # Apache 2 - -api_proto_package( - deps = [ - "//envoy/extensions/filters/http/compressor/v4alpha:pkg", - "//envoy/extensions/filters/http/gzip/v3:pkg", - "@com_github_cncf_udpa//udpa/annotations:pkg", - ], -) diff --git a/api/envoy/extensions/filters/http/gzip/v4alpha/gzip.proto b/api/envoy/extensions/filters/http/gzip/v4alpha/gzip.proto deleted file mode 100644 index 8689148b4625..000000000000 --- a/api/envoy/extensions/filters/http/gzip/v4alpha/gzip.proto +++ /dev/null 
@@ -1,81 +0,0 @@ -syntax = "proto3"; - -package envoy.extensions.filters.http.gzip.v4alpha; - -import "envoy/extensions/filters/http/compressor/v4alpha/compressor.proto"; - -import "google/protobuf/wrappers.proto"; - -import "udpa/annotations/status.proto"; -import "udpa/annotations/versioning.proto"; -import "validate/validate.proto"; - -option java_package = "io.envoyproxy.envoy.extensions.filters.http.gzip.v4alpha"; -option java_outer_classname = "GzipProto"; -option java_multiple_files = true; -option (udpa.annotations.file_status).package_version_status = NEXT_MAJOR_VERSION_CANDIDATE; - -// [#protodoc-title: Gzip] - -// [#next-free-field: 12] -message Gzip { - option (udpa.annotations.versioning).previous_message_type = - "envoy.extensions.filters.http.gzip.v3.Gzip"; - - enum CompressionStrategy { - DEFAULT = 0; - FILTERED = 1; - HUFFMAN = 2; - RLE = 3; - } - - message CompressionLevel { - option (udpa.annotations.versioning).previous_message_type = - "envoy.extensions.filters.http.gzip.v3.Gzip.CompressionLevel"; - - enum Enum { - DEFAULT = 0; - BEST = 1; - SPEED = 2; - } - } - - reserved 2, 6, 7, 8; - - reserved "content_length", "content_type", "disable_on_etag_header", - "remove_accept_encoding_header"; - - // Value from 1 to 9 that controls the amount of internal memory used by zlib. Higher values - // use more memory, but are faster and produce better compression results. The default value is 5. - google.protobuf.UInt32Value memory_level = 1 [(validate.rules).uint32 = {lte: 9 gte: 1}]; - - // A value used for selecting the zlib compression level. This setting will affect speed and - // amount of compression applied to the content. "BEST" provides higher compression at the cost of - // higher latency, "SPEED" provides lower compression with minimum impact on response time. - // "DEFAULT" provides an optimal result between speed and compression. This field will be set to - // "DEFAULT" if not specified. 
- CompressionLevel.Enum compression_level = 3 [(validate.rules).enum = {defined_only: true}]; - - // A value used for selecting the zlib compression strategy which is directly related to the - // characteristics of the content. Most of the time "DEFAULT" will be the best choice, though - // there are situations which changing this parameter might produce better results. For example, - // run-length encoding (RLE) is typically used when the content is known for having sequences - // which same data occurs many consecutive times. For more information about each strategy, please - // refer to zlib manual. - CompressionStrategy compression_strategy = 4 [(validate.rules).enum = {defined_only: true}]; - - // Value from 9 to 15 that represents the base two logarithmic of the compressor's window size. - // Larger window results in better compression at the expense of memory usage. The default is 12 - // which will produce a 4096 bytes window. For more details about this parameter, please refer to - // zlib manual > deflateInit2. - google.protobuf.UInt32Value window_bits = 9 [(validate.rules).uint32 = {lte: 15 gte: 9}]; - - // Set of configuration parameters common for all compression filters. You can define - // `content_length`, `content_type` and other parameters in this field. - compressor.v4alpha.Compressor compressor = 10; - - // Value for Zlib's next output buffer. If not set, defaults to 4096. - // See https://www.zlib.net/manual.html for more details. Also see - // https://github.com/envoyproxy/envoy/issues/8448 for context on this filter's performance. - google.protobuf.UInt32Value chunk_size = 11 [(validate.rules).uint32 = {lte: 65536 gte: 4096}]; -} diff --git a/api/envoy/extensions/filters/http/header_to_metadata/v4alpha/BUILD b/api/envoy/extensions/filters/http/header_to_metadata/v4alpha/BUILD deleted file mode 100644 index 0a8d5eb27fb4..000000000000 --- a/api/envoy/extensions/filters/http/header_to_metadata/v4alpha/BUILD +++ /dev/null 
@@ -1,13 +0,0 @@ -# DO NOT EDIT. This file is generated by tools/proto_format/proto_sync.py. - -load("@envoy_api//bazel:api_build_system.bzl", "api_proto_package") - -licenses(["notice"]) # Apache 2 - -api_proto_package( - deps = [ - "//envoy/extensions/filters/http/header_to_metadata/v3:pkg", - "//envoy/type/matcher/v4alpha:pkg", - "@com_github_cncf_udpa//udpa/annotations:pkg", - ], -) diff --git a/api/envoy/extensions/filters/http/header_to_metadata/v4alpha/header_to_metadata.proto b/api/envoy/extensions/filters/http/header_to_metadata/v4alpha/header_to_metadata.proto deleted file mode 100644 index 5b06f1e78556..000000000000 --- a/api/envoy/extensions/filters/http/header_to_metadata/v4alpha/header_to_metadata.proto +++ /dev/null 
@@ -1,130 +0,0 @@ -syntax = "proto3"; - -package envoy.extensions.filters.http.header_to_metadata.v4alpha; - -import "envoy/type/matcher/v4alpha/regex.proto"; - -import "udpa/annotations/status.proto"; -import "udpa/annotations/versioning.proto"; -import "validate/validate.proto"; - -option java_package = "io.envoyproxy.envoy.extensions.filters.http.header_to_metadata.v4alpha"; -option java_outer_classname = "HeaderToMetadataProto"; -option java_multiple_files = true; -option (udpa.annotations.file_status).package_version_status = NEXT_MAJOR_VERSION_CANDIDATE; - -// [#protodoc-title: Header-To-Metadata Filter] -// -// The configuration for transforming headers into metadata. This is useful -// for matching load balancer subsets, logging, etc. -// -// Header to Metadata :ref:`configuration overview `. -// [#extension: envoy.filters.http.header_to_metadata] - -message Config { - option (udpa.annotations.versioning).previous_message_type = - "envoy.extensions.filters.http.header_to_metadata.v3.Config"; - - enum ValueType { - STRING = 0; - - NUMBER = 1; - - // The value is a serialized `protobuf.Value - // `_. - PROTOBUF_VALUE = 2; - } - - // ValueEncode defines the encoding algorithm. - enum ValueEncode { - // The value is not encoded. - NONE = 0; - - // The value is encoded in `Base64 `_. - // Note: this is mostly used for STRING and PROTOBUF_VALUE to escape the - // non-ASCII characters in the header. - BASE64 = 1; - } - - // [#next-free-field: 7] - message KeyValuePair { - option (udpa.annotations.versioning).previous_message_type = - "envoy.extensions.filters.http.header_to_metadata.v3.Config.KeyValuePair"; - - // The namespace — if this is empty, the filter's namespace will be used. - string metadata_namespace = 1; - - // The key to use within the namespace. - string key = 2 [(validate.rules).string = {min_len: 1}]; - - oneof value_type { - // The value to pair with the given key. 
- // - // When used for a - // :ref:`on_header_present ` - // case, if value is non-empty it'll be used instead of the header value. If both are empty, no metadata is added. - // - // When used for a :ref:`on_header_missing ` - // case, a non-empty value must be provided otherwise no metadata is added. - string value = 3; - - // If present, the header's value will be matched and substituted with this. If there is no match or substitution, the header value - // is used as-is. - // - // This is only used for :ref:`on_header_present `. - // - // Note: if the `value` field is non-empty this field should be empty. - type.matcher.v4alpha.RegexMatchAndSubstitute regex_value_rewrite = 6; - } - - // The value's type — defaults to string. - ValueType type = 4 [(validate.rules).enum = {defined_only: true}]; - - // How is the value encoded, default is NONE (not encoded). - // The value will be decoded accordingly before storing to metadata. - ValueEncode encode = 5; - } - - // A Rule defines what metadata to apply when a header is present or missing. - // [#next-free-field: 6] - message Rule { - option (udpa.annotations.versioning).previous_message_type = - "envoy.extensions.filters.http.header_to_metadata.v3.Config.Rule"; - - oneof header_cookie_specifier { - // Specifies that a match will be performed on the value of a header or a cookie. - // - // The header to be extracted. - string header = 1 - [(validate.rules).string = {well_known_regex: HTTP_HEADER_NAME strict: false}]; - - // The cookie to be extracted. - string cookie = 5 - [(validate.rules).string = {well_known_regex: HTTP_HEADER_NAME strict: false}]; - } - - // If the header or cookie is present, apply this metadata KeyValuePair. - // - // If the value in the KeyValuePair is non-empty, it'll be used instead - // of the header or cookie value. - KeyValuePair on_present = 2; - - // If the header or cookie is not present, apply this metadata KeyValuePair. 
- // - // The value in the KeyValuePair must be set, since it'll be used in lieu - // of the missing header or cookie value. - KeyValuePair on_missing = 3; - - // Whether or not to remove the header after a rule is applied. - // - // This prevents headers from leaking. - // This field is not supported in case of a cookie. - bool remove = 4; - } - - // The list of rules to apply to requests. - repeated Rule request_rules = 1; - - // The list of rules to apply to responses. - repeated Rule response_rules = 2; -} diff --git a/api/envoy/extensions/filters/http/health_check/v4alpha/BUILD b/api/envoy/extensions/filters/http/health_check/v4alpha/BUILD deleted file mode 100644 index 4c4dc0e45211..000000000000 --- a/api/envoy/extensions/filters/http/health_check/v4alpha/BUILD +++ /dev/null @@ -1,14 +0,0 @@ -# DO NOT EDIT. This file is generated by tools/proto_format/proto_sync.py. - -load("@envoy_api//bazel:api_build_system.bzl", "api_proto_package") - -licenses(["notice"]) # Apache 2 - -api_proto_package( - deps = [ - "//envoy/config/route/v4alpha:pkg", - "//envoy/extensions/filters/http/health_check/v3:pkg", - "//envoy/type/v3:pkg", - "@com_github_cncf_udpa//udpa/annotations:pkg", - ], -) diff --git a/api/envoy/extensions/filters/http/health_check/v4alpha/health_check.proto b/api/envoy/extensions/filters/http/health_check/v4alpha/health_check.proto deleted file mode 100644 index 3725d085dd7b..000000000000 --- a/api/envoy/extensions/filters/http/health_check/v4alpha/health_check.proto +++ /dev/null 
@@ -1,52 +0,0 @@ -syntax = "proto3"; - -package envoy.extensions.filters.http.health_check.v4alpha; - -import "envoy/config/route/v4alpha/route_components.proto"; -import "envoy/type/v3/percent.proto"; - -import "google/protobuf/duration.proto"; -import "google/protobuf/wrappers.proto"; - -import "udpa/annotations/status.proto"; -import "udpa/annotations/versioning.proto"; -import "validate/validate.proto"; - -option java_package = "io.envoyproxy.envoy.extensions.filters.http.health_check.v4alpha"; -option java_outer_classname = "HealthCheckProto"; -option java_multiple_files = true; -option (udpa.annotations.file_status).package_version_status = NEXT_MAJOR_VERSION_CANDIDATE; - -// [#protodoc-title: Health check] -// Health check :ref:`configuration overview `. -// [#extension: envoy.filters.http.health_check] - -// [#next-free-field: 6] -message HealthCheck { - option (udpa.annotations.versioning).previous_message_type = - "envoy.extensions.filters.http.health_check.v3.HealthCheck"; - - reserved 2; - - // Specifies whether the filter operates in pass through mode or not. - google.protobuf.BoolValue pass_through_mode = 1 [(validate.rules).message = {required: true}]; - - // If operating in pass through mode, the amount of time in milliseconds - // that the filter should cache the upstream response. - google.protobuf.Duration cache_time = 3; - - // If operating in non-pass-through mode, specifies a set of upstream cluster - // names and the minimum percentage of servers in each of those clusters that - // must be healthy or degraded in order for the filter to return a 200. - // - // .. note:: - // - // This value is interpreted as an integer by truncating, so 12.50% will be calculated - // as if it were 12%. - map cluster_min_healthy_percentages = 4; - - // Specifies a set of health check request headers to match on. The health check filter will - // check a request’s headers against all the specified headers. 
To specify the health check - // endpoint, set the ``:path`` header to match on. - repeated config.route.v4alpha.HeaderMatcher headers = 5; -} diff --git a/api/envoy/extensions/filters/http/jwt_authn/v4alpha/BUILD b/api/envoy/extensions/filters/http/jwt_authn/v4alpha/BUILD deleted file mode 100644 index f59226044ce7..000000000000 --- a/api/envoy/extensions/filters/http/jwt_authn/v4alpha/BUILD +++ /dev/null @@ -1,14 +0,0 @@ -# DO NOT EDIT. This file is generated by tools/proto_format/proto_sync.py. - -load("@envoy_api//bazel:api_build_system.bzl", "api_proto_package") - -licenses(["notice"]) # Apache 2 - -api_proto_package( - deps = [ - "//envoy/config/core/v4alpha:pkg", - "//envoy/config/route/v4alpha:pkg", - "//envoy/extensions/filters/http/jwt_authn/v3:pkg", - "@com_github_cncf_udpa//udpa/annotations:pkg", - ], -) diff --git a/api/envoy/extensions/filters/http/jwt_authn/v4alpha/config.proto b/api/envoy/extensions/filters/http/jwt_authn/v4alpha/config.proto deleted file mode 100644 index 57c6630c940e..000000000000 --- a/api/envoy/extensions/filters/http/jwt_authn/v4alpha/config.proto +++ /dev/null 
@@ -1,674 +0,0 @@ -syntax = "proto3"; - -package envoy.extensions.filters.http.jwt_authn.v4alpha; - -import "envoy/config/core/v4alpha/base.proto"; -import "envoy/config/core/v4alpha/http_uri.proto"; -import "envoy/config/route/v4alpha/route_components.proto"; - -import "google/protobuf/duration.proto"; -import "google/protobuf/empty.proto"; - -import "udpa/annotations/status.proto"; -import "udpa/annotations/versioning.proto"; -import "validate/validate.proto"; - -option java_package = "io.envoyproxy.envoy.extensions.filters.http.jwt_authn.v4alpha"; -option java_outer_classname = "ConfigProto"; -option java_multiple_files = true; -option (udpa.annotations.file_status).package_version_status = NEXT_MAJOR_VERSION_CANDIDATE; - -// [#protodoc-title: JWT Authentication] -// JWT Authentication :ref:`configuration overview `. -// [#extension: envoy.filters.http.jwt_authn] - -// Please see following for JWT authentication flow: -// -// * `JSON Web Token (JWT) `_ -// * `The OAuth 2.0 Authorization Framework `_ -// * `OpenID Connect `_ -// -// A JwtProvider message specifies how a JSON Web Token (JWT) can be verified. It specifies: -// -// * issuer: the principal that issues the JWT. If specified, it has to match the *iss* field in JWT. -// * allowed audiences: the ones in the token have to be listed here. -// * how to fetch public key JWKS to verify the token signature. -// * how to extract JWT token in the request. -// * how to pass successfully verified token payload. -// -// Example: -// -// .. 
code-block:: yaml -// -// issuer: https://example.com -// audiences: -// - bookstore_android.apps.googleusercontent.com -// - bookstore_web.apps.googleusercontent.com -// remote_jwks: -// http_uri: -// uri: https://example.com/.well-known/jwks.json -// cluster: example_jwks_cluster -// timeout: 1s -// cache_duration: -// seconds: 300 -// -// [#next-free-field: 13] -message JwtProvider { - option (udpa.annotations.versioning).previous_message_type = - "envoy.extensions.filters.http.jwt_authn.v3.JwtProvider"; - - // Specify the `principal `_ that issued - // the JWT, usually a URL or an email address. - // - // It is optional. If specified, it has to match the *iss* field in JWT. - // - // If a JWT has *iss* field and this field is specified, they have to match, otherwise the - // JWT *iss* field is not checked. - // - // Note: *JwtRequirement* :ref:`allow_missing ` - // and :ref:`allow_missing_or_failed ` - // are implemented differently than other *JwtRequirements*. Hence the usage of this field - // is different as follows if *allow_missing* or *allow_missing_or_failed* is used: - // - // * If a JWT has *iss* field, it needs to be specified by this field in one of *JwtProviders*. - // * If a JWT doesn't have *iss* field, one of *JwtProviders* should fill this field empty. - // * Multiple *JwtProviders* should not have same value in this field. - // - // Example: https://securetoken.google.com - // Example: 1234567-compute@developer.gserviceaccount.com - // - string issuer = 1; - - // The list of JWT `audiences `_ are - // allowed to access. A JWT containing any of these audiences will be accepted. If not specified, - // will not check audiences in the token. - // - // Example: - // - // .. code-block:: yaml - // - // audiences: - // - bookstore_android.apps.googleusercontent.com - // - bookstore_web.apps.googleusercontent.com - // - repeated string audiences = 2; - - // `JSON Web Key Set (JWKS) `_ is needed to - // validate signature of a JWT. 
This field specifies where to fetch JWKS. - oneof jwks_source_specifier { - option (validate.required) = true; - - // JWKS can be fetched from remote server via HTTP/HTTPS. This field specifies the remote HTTP - // URI and how the fetched JWKS should be cached. - // - // Example: - // - // .. code-block:: yaml - // - // remote_jwks: - // http_uri: - // uri: https://www.googleapis.com/oauth2/v1/certs - // cluster: jwt.www.googleapis.com|443 - // timeout: 1s - // cache_duration: - // seconds: 300 - // - RemoteJwks remote_jwks = 3; - - // JWKS is in local data source. It could be either in a local file or embedded in the - // inline_string. - // - // Example: local file - // - // .. code-block:: yaml - // - // local_jwks: - // filename: /etc/envoy/jwks/jwks1.txt - // - // Example: inline_string - // - // .. code-block:: yaml - // - // local_jwks: - // inline_string: ACADADADADA - // - config.core.v4alpha.DataSource local_jwks = 4; - } - - // If false, the JWT is removed in the request after a success verification. If true, the JWT is - // not removed in the request. Default value is false. - bool forward = 5; - - // Two fields below define where to extract the JWT from an HTTP request. - // - // If no explicit location is specified, the following default locations are tried in order: - // - // 1. The Authorization header using the `Bearer schema - // `_. Example:: - // - // Authorization: Bearer . - // - // 2. `access_token `_ query parameter. - // - // Multiple JWTs can be verified for a request. Each JWT has to be extracted from the locations - // its provider specified or from the default locations. - // - // Specify the HTTP headers to extract JWT token. For examples, following config: - // - // .. code-block:: yaml - // - // from_headers: - // - name: x-goog-iap-jwt-assertion - // - // can be used to extract token from header:: - // - // ``x-goog-iap-jwt-assertion: ``. - // - repeated JwtHeader from_headers = 6; - - // JWT is sent in a query parameter. 
`jwt_params` represents the query parameter names. - // - // For example, if config is: - // - // .. code-block:: yaml - // - // from_params: - // - jwt_token - // - // The JWT format in query parameter is:: - // - // /path?jwt_token= - // - repeated string from_params = 7; - - // This field specifies the header name to forward a successfully verified JWT payload to the - // backend. The forwarded data is:: - // - // base64url_encoded(jwt_payload_in_JSON) - // - // If it is not specified, the payload will not be forwarded. - string forward_payload_header = 8 - [(validate.rules).string = {well_known_regex: HTTP_HEADER_NAME strict: false}]; - - // When :ref:`forward_payload_header ` - // is specified, the base64 encoded payload will be added to the headers. - // Normally JWT based64 encode doesn't add padding. If this field is true, - // the header will be padded. - // - // This field is only relevant if :ref:`forward_payload_header ` - // is specified. - bool pad_forward_payload_header = 11; - - // If non empty, successfully verified JWT payloads will be written to StreamInfo DynamicMetadata - // in the format as: *namespace* is the jwt_authn filter name as **envoy.filters.http.jwt_authn** - // The value is the *protobuf::Struct*. The value of this field will be the key for its *fields* - // and the value is the *protobuf::Struct* converted from JWT JSON payload. - // - // For example, if payload_in_metadata is *my_payload*: - // - // .. code-block:: yaml - // - // envoy.filters.http.jwt_authn: - // my_payload: - // iss: https://example.com - // sub: test@example.com - // aud: https://example.com - // exp: 1501281058 - // - string payload_in_metadata = 9; - - // Specify the clock skew in seconds when verifying JWT time constraint, - // such as `exp`, and `nbf`. If not specified, default is 60 seconds. - uint32 clock_skew_seconds = 10; - - // Enables JWT cache, its size is specified by *jwt_cache_size*. - // Only valid JWT tokens are cached. 
- JwtCacheConfig jwt_cache_config = 12; -} - -// This message specifies JWT Cache configuration. -message JwtCacheConfig { - option (udpa.annotations.versioning).previous_message_type = - "envoy.extensions.filters.http.jwt_authn.v3.JwtCacheConfig"; - - // The unit is number of JWT tokens, default to 100. - uint32 jwt_cache_size = 1; -} - -// This message specifies how to fetch JWKS from remote and how to cache it. -message RemoteJwks { - option (udpa.annotations.versioning).previous_message_type = - "envoy.extensions.filters.http.jwt_authn.v3.RemoteJwks"; - - // The HTTP URI to fetch the JWKS. For example: - // - // .. code-block:: yaml - // - // http_uri: - // uri: https://www.googleapis.com/oauth2/v1/certs - // cluster: jwt.www.googleapis.com|443 - // timeout: 1s - // - config.core.v4alpha.HttpUri http_uri = 1; - - // Duration after which the cached JWKS should be expired. If not specified, default cache - // duration is 5 minutes. - google.protobuf.Duration cache_duration = 2; - - // Fetch Jwks asynchronously in the main thread before the listener is activated. - // Fetched Jwks can be used by all worker threads. - // - // If this feature is not enabled: - // - // * The Jwks is fetched on-demand when the requests come. During the fetching, first - // few requests are paused until the Jwks is fetched. - // * Each worker thread fetches its own Jwks since Jwks cache is per worker thread. - // - // If this feature is enabled: - // - // * Fetched Jwks is done in the main thread before the listener is activated. Its fetched - // Jwks can be used by all worker threads. Each worker thread doesn't need to fetch its own. - // * Jwks is ready when the requests come, not need to wait for the Jwks fetching. - // - JwksAsyncFetch async_fetch = 3; - - // Retry policy for fetching Jwks. optional. turned off by default. - // - // For example: - // - // .. 
code-block:: yaml - // - // retry_policy: - // retry_back_off: - // base_interval: 0.01s - // max_interval: 20s - // num_retries: 10 - // - // will yield a randomized truncated exponential backoff policy with an initial delay of 10ms - // 10 maximum attempts spaced at most 20s seconds. - // - // .. code-block:: yaml - // - // retry_policy: - // num_retries:1 - // - // uses the default :ref:`retry backoff strategy `. - // with the default base interval is 1000 milliseconds. and the default maximum interval of 10 times the base interval. - // - // if num_retries is omitted, the default is to allow only one retry. - // - // - // If enabled, the retry policy will apply to all Jwks fetching approaches, e.g. on demand or asynchronously in background. - // - // - config.core.v4alpha.RetryPolicy retry_policy = 4; -} - -// Fetch Jwks asynchronously in the main thread when the filter config is parsed. -// The listener is activated only after the Jwks is fetched. -// When the Jwks is expired in the cache, it is fetched again in the main thread. -// The fetched Jwks from the main thread can be used by all worker threads. -message JwksAsyncFetch { - option (udpa.annotations.versioning).previous_message_type = - "envoy.extensions.filters.http.jwt_authn.v3.JwksAsyncFetch"; - - // If false, the listener is activated after the initial fetch is completed. - // The initial fetch result can be either successful or failed. - // If true, it is activated without waiting for the initial fetch to complete. - // Default is false. - bool fast_listener = 1; -} - -// This message specifies a header location to extract JWT token. -message JwtHeader { - option (udpa.annotations.versioning).previous_message_type = - "envoy.extensions.filters.http.jwt_authn.v3.JwtHeader"; - - // The HTTP header name. - string name = 1 - [(validate.rules).string = {min_len: 1 well_known_regex: HTTP_HEADER_NAME strict: false}]; - - // The value prefix. 
The value format is "value_prefix" - // For example, for "Authorization: Bearer ", value_prefix="Bearer " with a space at the - // end. - string value_prefix = 2 - [(validate.rules).string = {well_known_regex: HTTP_HEADER_VALUE strict: false}]; -} - -// Specify a required provider with audiences. -message ProviderWithAudiences { - option (udpa.annotations.versioning).previous_message_type = - "envoy.extensions.filters.http.jwt_authn.v3.ProviderWithAudiences"; - - // Specify a required provider name. - string provider_name = 1; - - // This field overrides the one specified in the JwtProvider. - repeated string audiences = 2; -} - -// This message specifies a Jwt requirement. An empty message means JWT verification is not -// required. Here are some config examples: -// -// .. code-block:: yaml -// -// # Example 1: not required with an empty message -// -// # Example 2: require A -// provider_name: provider-A -// -// # Example 3: require A or B -// requires_any: -// requirements: -// - provider_name: provider-A -// - provider_name: provider-B -// -// # Example 4: require A and B -// requires_all: -// requirements: -// - provider_name: provider-A -// - provider_name: provider-B -// -// # Example 5: require A and (B or C) -// requires_all: -// requirements: -// - provider_name: provider-A -// - requires_any: -// requirements: -// - provider_name: provider-B -// - provider_name: provider-C -// -// # Example 6: require A or (B and C) -// requires_any: -// requirements: -// - provider_name: provider-A -// - requires_all: -// requirements: -// - provider_name: provider-B -// - provider_name: provider-C -// -// # Example 7: A is optional (if token from A is provided, it must be valid, but also allows -// missing token.) -// requires_any: -// requirements: -// - provider_name: provider-A -// - allow_missing: {} -// -// # Example 8: A is optional and B is required. 
-// requires_all: -// requirements: -// - requires_any: -// requirements: -// - provider_name: provider-A -// - allow_missing: {} -// - provider_name: provider-B -// -// [#next-free-field: 7] -message JwtRequirement { - option (udpa.annotations.versioning).previous_message_type = - "envoy.extensions.filters.http.jwt_authn.v3.JwtRequirement"; - - oneof requires_type { - // Specify a required provider name. - string provider_name = 1; - - // Specify a required provider with audiences. - ProviderWithAudiences provider_and_audiences = 2; - - // Specify list of JwtRequirement. Their results are OR-ed. - // If any one of them passes, the result is passed. - JwtRequirementOrList requires_any = 3; - - // Specify list of JwtRequirement. Their results are AND-ed. - // All of them must pass, if one of them fails or missing, it fails. - JwtRequirementAndList requires_all = 4; - - // The requirement is always satisfied even if JWT is missing or the JWT - // verification fails. A typical usage is: this filter is used to only verify - // JWTs and pass the verified JWT payloads to another filter, the other filter - // will make decision. In this mode, all JWT tokens will be verified. - google.protobuf.Empty allow_missing_or_failed = 5; - - // The requirement is satisfied if JWT is missing, but failed if JWT is - // presented but invalid. Similar to allow_missing_or_failed, this is used - // to only verify JWTs and pass the verified payload to another filter. The - // different is this mode will reject requests with invalid tokens. - google.protobuf.Empty allow_missing = 6; - } -} - -// This message specifies a list of RequiredProvider. -// Their results are OR-ed; if any one of them passes, the result is passed -message JwtRequirementOrList { - option (udpa.annotations.versioning).previous_message_type = - "envoy.extensions.filters.http.jwt_authn.v3.JwtRequirementOrList"; - - // Specify a list of JwtRequirement. 
- repeated JwtRequirement requirements = 1 [(validate.rules).repeated = {min_items: 2}]; -} - -// This message specifies a list of RequiredProvider. -// Their results are AND-ed; all of them must pass, if one of them fails or missing, it fails. -message JwtRequirementAndList { - option (udpa.annotations.versioning).previous_message_type = - "envoy.extensions.filters.http.jwt_authn.v3.JwtRequirementAndList"; - - // Specify a list of JwtRequirement. - repeated JwtRequirement requirements = 1 [(validate.rules).repeated = {min_items: 2}]; -} - -// This message specifies a Jwt requirement for a specific Route condition. -// Example 1: -// -// .. code-block:: yaml -// -// - match: -// prefix: /healthz -// -// In above example, "requires" field is empty for /healthz prefix match, -// it means that requests matching the path prefix don't require JWT authentication. -// -// Example 2: -// -// .. code-block:: yaml -// -// - match: -// prefix: / -// requires: { provider_name: provider-A } -// -// In above example, all requests matched the path prefix require jwt authentication -// from "provider-A". -message RequirementRule { - option (udpa.annotations.versioning).previous_message_type = - "envoy.extensions.filters.http.jwt_authn.v3.RequirementRule"; - - // The route matching parameter. Only when the match is satisfied, the "requires" field will - // apply. - // - // For example: following match will match all requests. - // - // .. code-block:: yaml - // - // match: - // prefix: / - // - config.route.v4alpha.RouteMatch match = 1 [(validate.rules).message = {required: true}]; - - // Specify a Jwt requirement. - // If not specified, Jwt verification is disabled. - oneof requirement_type { - // Specify a Jwt requirement. Please see detail comment in message JwtRequirement. - JwtRequirement requires = 2; - - // Use requirement_name to specify a Jwt requirement. - // This requirement_name MUST be specified at the - // :ref:`requirement_map ` - // in `JwtAuthentication`. 
- string requirement_name = 3 [(validate.rules).string = {min_len: 1}]; - } -} - -// This message specifies Jwt requirements based on stream_info.filterState. -// This FilterState should use `Router::StringAccessor` object to set a string value. -// Other HTTP filters can use it to specify Jwt requirements dynamically. -// -// Example: -// -// .. code-block:: yaml -// -// name: jwt_selector -// requires: -// issuer_1: -// provider_name: issuer1 -// issuer_2: -// provider_name: issuer2 -// -// If a filter set "jwt_selector" with "issuer_1" to FilterState for a request, -// jwt_authn filter will use JwtRequirement{"provider_name": "issuer1"} to verify. -message FilterStateRule { - option (udpa.annotations.versioning).previous_message_type = - "envoy.extensions.filters.http.jwt_authn.v3.FilterStateRule"; - - // The filter state name to retrieve the `Router::StringAccessor` object. - string name = 1 [(validate.rules).string = {min_len: 1}]; - - // A map of string keys to requirements. The string key is the string value - // in the FilterState with the name specified in the *name* field above. - map requires = 3; -} - -// This is the Envoy HTTP filter config for JWT authentication. -// -// For example: -// -// .. code-block:: yaml -// -// providers: -// provider1: -// issuer: issuer1 -// audiences: -// - audience1 -// - audience2 -// remote_jwks: -// http_uri: -// uri: https://example.com/.well-known/jwks.json -// cluster: example_jwks_cluster -// timeout: 1s -// provider2: -// issuer: issuer2 -// local_jwks: -// inline_string: jwks_string -// -// rules: -// # Not jwt verification is required for /health path -// - match: -// prefix: /health -// -// # Jwt verification for provider1 is required for path prefixed with "prefix" -// - match: -// prefix: /prefix -// requires: -// provider_name: provider1 -// -// # Jwt verification for either provider1 or provider2 is required for all other requests. 
-// - match: -// prefix: / -// requires: -// requires_any: -// requirements: -// - provider_name: provider1 -// - provider_name: provider2 -// -// [#next-free-field: 6] -message JwtAuthentication { - option (udpa.annotations.versioning).previous_message_type = - "envoy.extensions.filters.http.jwt_authn.v3.JwtAuthentication"; - - // Map of provider names to JwtProviders. - // - // .. code-block:: yaml - // - // providers: - // provider1: - // issuer: issuer1 - // audiences: - // - audience1 - // - audience2 - // remote_jwks: - // http_uri: - // uri: https://example.com/.well-known/jwks.json - // cluster: example_jwks_cluster - // timeout: 1s - // provider2: - // issuer: provider2 - // local_jwks: - // inline_string: jwks_string - // - map providers = 1; - - // Specifies requirements based on the route matches. The first matched requirement will be - // applied. If there are overlapped match conditions, please put the most specific match first. - // - // Examples - // - // .. code-block:: yaml - // - // rules: - // - match: - // prefix: /healthz - // - match: - // prefix: /baz - // requires: - // provider_name: provider1 - // - match: - // prefix: /foo - // requires: - // requires_any: - // requirements: - // - provider_name: provider1 - // - provider_name: provider2 - // - match: - // prefix: /bar - // requires: - // requires_all: - // requirements: - // - provider_name: provider1 - // - provider_name: provider2 - // - repeated RequirementRule rules = 2; - - // This message specifies Jwt requirements based on stream_info.filterState. - // Other HTTP filters can use it to specify Jwt requirements dynamically. - // The *rules* field above is checked first, if it could not find any matches, - // check this one. - FilterStateRule filter_state_rules = 3; - - // When set to true, bypass the `CORS preflight request - // `_ regardless of JWT - // requirements specified in the rules. 
- bool bypass_cors_preflight = 4; - - // A map of unique requirement_names to JwtRequirements. - // :ref:`requirement_name ` - // in `PerRouteConfig` uses this map to specify a JwtRequirement. - map requirement_map = 5; -} - -// Specify per-route config. -message PerRouteConfig { - option (udpa.annotations.versioning).previous_message_type = - "envoy.extensions.filters.http.jwt_authn.v3.PerRouteConfig"; - - oneof requirement_specifier { - option (validate.required) = true; - - // Disable Jwt Authentication for this route. - bool disabled = 1 [(validate.rules).bool = {const: true}]; - - // Use requirement_name to specify a JwtRequirement. - // This requirement_name MUST be specified at the - // :ref:`requirement_map ` - // in `JwtAuthentication`. If no, the requests using this route will be rejected with 403. - string requirement_name = 2 [(validate.rules).string = {min_len: 1}]; - } -} diff --git a/api/envoy/extensions/filters/http/oauth2/v4alpha/BUILD b/api/envoy/extensions/filters/http/oauth2/v4alpha/BUILD deleted file mode 100644 index f833eacd5772..000000000000 --- a/api/envoy/extensions/filters/http/oauth2/v4alpha/BUILD +++ /dev/null @@ -1,16 +0,0 @@ -# DO NOT EDIT. This file is generated by tools/proto_format/proto_sync.py. - -load("@envoy_api//bazel:api_build_system.bzl", "api_proto_package") - -licenses(["notice"]) # Apache 2 - -api_proto_package( - deps = [ - "//envoy/config/core/v4alpha:pkg", - "//envoy/config/route/v4alpha:pkg", - "//envoy/extensions/filters/http/oauth2/v3alpha:pkg", - "//envoy/extensions/transport_sockets/tls/v4alpha:pkg", - "//envoy/type/matcher/v4alpha:pkg", - "@com_github_cncf_udpa//udpa/annotations:pkg", - ], -) diff --git a/api/envoy/extensions/filters/http/oauth2/v4alpha/oauth.proto b/api/envoy/extensions/filters/http/oauth2/v4alpha/oauth.proto deleted file mode 100644 index 75002c995ccd..000000000000 --- a/api/envoy/extensions/filters/http/oauth2/v4alpha/oauth.proto +++ /dev/null 
@@ -1,99 +0,0 @@ -syntax = "proto3"; - -package envoy.extensions.filters.http.oauth2.v4alpha; - -import "envoy/config/core/v4alpha/http_uri.proto"; -import "envoy/config/route/v4alpha/route_components.proto"; -import "envoy/extensions/transport_sockets/tls/v4alpha/secret.proto"; -import "envoy/type/matcher/v4alpha/path.proto"; - -import "udpa/annotations/status.proto"; -import "udpa/annotations/versioning.proto"; -import "validate/validate.proto"; - -option java_package = "io.envoyproxy.envoy.extensions.filters.http.oauth2.v4alpha"; -option java_outer_classname = "OauthProto"; -option java_multiple_files = true; -option (udpa.annotations.file_status).work_in_progress = true; -option (udpa.annotations.file_status).package_version_status = NEXT_MAJOR_VERSION_CANDIDATE; - -// [#protodoc-title: OAuth] -// OAuth :ref:`configuration overview `. -// [#extension: envoy.filters.http.oauth2] -// - -message OAuth2Credentials { - option (udpa.annotations.versioning).previous_message_type = - "envoy.extensions.filters.http.oauth2.v3alpha.OAuth2Credentials"; - - // The client_id to be used in the authorize calls. This value will be URL encoded when sent to the OAuth server. - string client_id = 1 [(validate.rules).string = {min_len: 1}]; - - // The secret used to retrieve the access token. This value will be URL encoded when sent to the OAuth server. - transport_sockets.tls.v4alpha.SdsSecretConfig token_secret = 2 - [(validate.rules).message = {required: true}]; - - // Configures how the secret token should be created. - oneof token_formation { - option (validate.required) = true; - - // If present, the secret token will be a HMAC using the provided secret. 
- transport_sockets.tls.v4alpha.SdsSecretConfig hmac_secret = 3 - [(validate.rules).message = {required: true}]; - } -} - -// OAuth config -// -// [#next-free-field: 11] -message OAuth2Config { - option (udpa.annotations.versioning).previous_message_type = - "envoy.extensions.filters.http.oauth2.v3alpha.OAuth2Config"; - - // Endpoint on the authorization server to retrieve the access token from. - config.core.v4alpha.HttpUri token_endpoint = 1; - - // The endpoint redirect to for authorization in response to unauthorized requests. - string authorization_endpoint = 2 [(validate.rules).string = {min_len: 1}]; - - // Credentials used for OAuth. - OAuth2Credentials credentials = 3 [(validate.rules).message = {required: true}]; - - // The redirect URI passed to the authorization endpoint. Supports header formatting - // tokens. For more information, including details on header value syntax, see the - // documentation on :ref:`custom request headers `. - // - // This URI should not contain any query parameters. - string redirect_uri = 4 [(validate.rules).string = {min_len: 1}]; - - // Matching criteria used to determine whether a path appears to be the result of a redirect from the authorization server. - type.matcher.v4alpha.PathMatcher redirect_path_matcher = 5 - [(validate.rules).message = {required: true}]; - - // The path to sign a user out, clearing their credential cookies. - type.matcher.v4alpha.PathMatcher signout_path = 6 [(validate.rules).message = {required: true}]; - - // Forward the OAuth token as a Bearer to upstream web service. - bool forward_bearer_token = 7; - - // Any request that matches any of the provided matchers will be passed through without OAuth validation. - repeated config.route.v4alpha.HeaderMatcher pass_through_matcher = 8; - - // Optional list of OAuth scopes to be claimed in the authorization request. If not specified, - // defaults to "user" scope. 
- // OAuth RFC https://tools.ietf.org/html/rfc6749#section-3.3 - repeated string auth_scopes = 9; - - // Optional resource parameter for authorization request - // RFC: https://tools.ietf.org/html/rfc8707 - repeated string resources = 10; -} - -// Filter config. -message OAuth2 { - option (udpa.annotations.versioning).previous_message_type = - "envoy.extensions.filters.http.oauth2.v3alpha.OAuth2"; - - // Leave this empty to disable OAuth2 for a specific route, using per filter config. - OAuth2Config config = 1; -} diff --git a/api/envoy/extensions/filters/http/ratelimit/v4alpha/BUILD b/api/envoy/extensions/filters/http/ratelimit/v4alpha/BUILD deleted file mode 100644 index 329e11fc5017..000000000000 --- a/api/envoy/extensions/filters/http/ratelimit/v4alpha/BUILD +++ /dev/null @@ -1,13 +0,0 @@ -# DO NOT EDIT. This file is generated by tools/proto_format/proto_sync.py. - -load("@envoy_api//bazel:api_build_system.bzl", "api_proto_package") - -licenses(["notice"]) # Apache 2 - -api_proto_package( - deps = [ - "//envoy/config/ratelimit/v4alpha:pkg", - "//envoy/extensions/filters/http/ratelimit/v3:pkg", - "@com_github_cncf_udpa//udpa/annotations:pkg", - ], -) diff --git a/api/envoy/extensions/filters/http/ratelimit/v4alpha/rate_limit.proto b/api/envoy/extensions/filters/http/ratelimit/v4alpha/rate_limit.proto deleted file mode 100644 index 688be29e6aab..000000000000 --- a/api/envoy/extensions/filters/http/ratelimit/v4alpha/rate_limit.proto +++ /dev/null 
@@ -1,125 +0,0 @@ -syntax = "proto3"; - -package envoy.extensions.filters.http.ratelimit.v4alpha; - -import "envoy/config/ratelimit/v4alpha/rls.proto"; - -import "google/protobuf/duration.proto"; - -import "udpa/annotations/status.proto"; -import "udpa/annotations/versioning.proto"; -import "validate/validate.proto"; - -option java_package = "io.envoyproxy.envoy.extensions.filters.http.ratelimit.v4alpha"; -option java_outer_classname = "RateLimitProto"; -option java_multiple_files = true; -option (udpa.annotations.file_status).package_version_status = NEXT_MAJOR_VERSION_CANDIDATE; - -// [#protodoc-title: Rate limit] -// Rate limit :ref:`configuration overview `. -// [#extension: envoy.filters.http.ratelimit] - -// [#next-free-field: 10] -message RateLimit { - option (udpa.annotations.versioning).previous_message_type = - "envoy.extensions.filters.http.ratelimit.v3.RateLimit"; - - // Defines the version of the standard to use for X-RateLimit headers. - enum XRateLimitHeadersRFCVersion { - // X-RateLimit headers disabled. - OFF = 0; - - // Use `draft RFC Version 03 `_. - DRAFT_VERSION_03 = 1; - } - - // The rate limit domain to use when calling the rate limit service. - string domain = 1 [(validate.rules).string = {min_len: 1}]; - - // Specifies the rate limit configurations to be applied with the same - // stage number. If not set, the default stage number is 0. - // - // .. note:: - // - // The filter supports a range of 0 - 10 inclusively for stage numbers. - uint32 stage = 2 [(validate.rules).uint32 = {lte: 10}]; - - // The type of requests the filter should apply to. The supported - // types are *internal*, *external* or *both*. A request is considered internal if - // :ref:`x-envoy-internal` is set to true. If - // :ref:`x-envoy-internal` is not set or false, a - // request is considered external. The filter defaults to *both*, and it will apply to all request - // types. 
- string request_type = 3 - [(validate.rules).string = {in: "internal" in: "external" in: "both" in: ""}]; - - // The timeout in milliseconds for the rate limit service RPC. If not - // set, this defaults to 20ms. - google.protobuf.Duration timeout = 4; - - // The filter's behaviour in case the rate limiting service does - // not respond back. When it is set to true, Envoy will not allow traffic in case of - // communication failure between rate limiting service and the proxy. - bool failure_mode_deny = 5; - - // Specifies whether a `RESOURCE_EXHAUSTED` gRPC code must be returned instead - // of the default `UNAVAILABLE` gRPC code for a rate limited gRPC call. The - // HTTP code will be 200 for a gRPC response. - bool rate_limited_as_resource_exhausted = 6; - - // Configuration for an external rate limit service provider. If not - // specified, any calls to the rate limit service will immediately return - // success. - config.ratelimit.v4alpha.RateLimitServiceConfig rate_limit_service = 7 - [(validate.rules).message = {required: true}]; - - // Defines the standard version to use for X-RateLimit headers emitted by the filter: - // - // * ``X-RateLimit-Limit`` - indicates the request-quota associated to the - // client in the current time-window followed by the description of the - // quota policy. The values are returned by the rate limiting service in - // :ref:`current_limit` - // field. Example: `10, 10;w=1;name="per-ip", 1000;w=3600`. - // * ``X-RateLimit-Remaining`` - indicates the remaining requests in the - // current time-window. The values are returned by the rate limiting service - // in :ref:`limit_remaining` - // field. - // * ``X-RateLimit-Reset`` - indicates the number of seconds until reset of - // the current time-window. The values are returned by the rate limiting service - // in :ref:`duration_until_reset` - // field. 
- // - // In case rate limiting policy specifies more then one time window, the values - // above represent the window that is closest to reaching its limit. - // - // For more information about the headers specification see selected version of - // the `draft RFC `_. - // - // Disabled by default. - XRateLimitHeadersRFCVersion enable_x_ratelimit_headers = 8 - [(validate.rules).enum = {defined_only: true}]; - - // Disables emitting the :ref:`x-envoy-ratelimited` header - // in case of rate limiting (i.e. 429 responses). - // Having this header not present potentially makes the request retriable. - bool disable_x_envoy_ratelimited_header = 9; -} - -message RateLimitPerRoute { - option (udpa.annotations.versioning).previous_message_type = - "envoy.extensions.filters.http.ratelimit.v3.RateLimitPerRoute"; - - enum VhRateLimitsOptions { - // Use the virtual host rate limits unless the route has a rate limit policy. - OVERRIDE = 0; - - // Use the virtual host rate limits even if the route has a rate limit policy. - INCLUDE = 1; - - // Ignore the virtual host rate limits even if the route does not have a rate limit policy. - IGNORE = 2; - } - - // Specifies if the rate limit filter should include the virtual host rate limits. - VhRateLimitsOptions vh_rate_limits = 1 [(validate.rules).enum = {defined_only: true}]; -} diff --git a/api/envoy/extensions/filters/http/rbac/v4alpha/BUILD b/api/envoy/extensions/filters/http/rbac/v4alpha/BUILD deleted file mode 100644 index 02db15d5bde2..000000000000 --- a/api/envoy/extensions/filters/http/rbac/v4alpha/BUILD +++ /dev/null @@ -1,13 +0,0 @@ -# DO NOT EDIT. This file is generated by tools/proto_format/proto_sync.py. - -load("@envoy_api//bazel:api_build_system.bzl", "api_proto_package") - -licenses(["notice"]) # Apache 2 - -api_proto_package( - deps = [ - "//envoy/config/rbac/v4alpha:pkg", - "//envoy/extensions/filters/http/rbac/v3:pkg", - "@com_github_cncf_udpa//udpa/annotations:pkg", - ], -) 
diff --git a/api/envoy/extensions/filters/http/rbac/v4alpha/rbac.proto b/api/envoy/extensions/filters/http/rbac/v4alpha/rbac.proto
deleted file mode 100644
index 41040592cace..000000000000
--- a/api/envoy/extensions/filters/http/rbac/v4alpha/rbac.proto
+++ /dev/null
@@ -1,49 +0,0 @@ -syntax = "proto3"; - -package envoy.extensions.filters.http.rbac.v4alpha; - -import "envoy/config/rbac/v4alpha/rbac.proto"; - -import "udpa/annotations/status.proto"; -import "udpa/annotations/versioning.proto"; - -option java_package = "io.envoyproxy.envoy.extensions.filters.http.rbac.v4alpha"; -option java_outer_classname = "RbacProto"; -option java_multiple_files = true; -option (udpa.annotations.file_status).package_version_status = NEXT_MAJOR_VERSION_CANDIDATE; - -// [#protodoc-title: RBAC] -// Role-Based Access Control :ref:`configuration overview `. -// [#extension: envoy.filters.http.rbac] - -// RBAC filter config. -message RBAC { - option (udpa.annotations.versioning).previous_message_type = - "envoy.extensions.filters.http.rbac.v3.RBAC"; - - // Specify the RBAC rules to be applied globally. - // If absent, no enforcing RBAC policy will be applied. - // If present and empty, DENY. - config.rbac.v4alpha.RBAC rules = 1; - - // Shadow rules are not enforced by the filter (i.e., returning a 403) - // but will emit stats and logs and can be used for rule testing. - // If absent, no shadow RBAC policy will be applied. - config.rbac.v4alpha.RBAC shadow_rules = 2; - - // If specified, shadow rules will emit stats with the given prefix. - // This is useful to distinguish the stat when there are more than 1 RBAC filter configured with - // shadow rules. - string shadow_rules_stat_prefix = 3; -} - -message RBACPerRoute { - option (udpa.annotations.versioning).previous_message_type = - "envoy.extensions.filters.http.rbac.v3.RBACPerRoute"; - - reserved 1; - - // Override the global configuration of the filter with this new config. - // If absent, the global RBAC policy will be disabled for this route. - RBAC rbac = 2; -} diff --git a/api/envoy/extensions/filters/http/router/v4alpha/BUILD b/api/envoy/extensions/filters/http/router/v4alpha/BUILD deleted file mode 100644 index b22ea48735c7..000000000000 
--- a/api/envoy/extensions/filters/http/router/v4alpha/BUILD +++ /dev/null @@ -1,13 +0,0 @@ -# DO NOT EDIT. This file is generated by tools/proto_format/proto_sync.py. - -load("@envoy_api//bazel:api_build_system.bzl", "api_proto_package") - -licenses(["notice"]) # Apache 2 - -api_proto_package( - deps = [ - "//envoy/config/accesslog/v4alpha:pkg", - "//envoy/extensions/filters/http/router/v3:pkg", - "@com_github_cncf_udpa//udpa/annotations:pkg", - ], -) diff --git a/api/envoy/extensions/filters/http/router/v4alpha/router.proto b/api/envoy/extensions/filters/http/router/v4alpha/router.proto deleted file mode 100644 index 2d72bd1470c0..000000000000 --- a/api/envoy/extensions/filters/http/router/v4alpha/router.proto +++ /dev/null 
@@ -1,91 +0,0 @@ -syntax = "proto3"; - -package envoy.extensions.filters.http.router.v4alpha; - -import "envoy/config/accesslog/v4alpha/accesslog.proto"; - -import "google/protobuf/wrappers.proto"; - -import "udpa/annotations/status.proto"; -import "udpa/annotations/versioning.proto"; -import "validate/validate.proto"; - -option java_package = "io.envoyproxy.envoy.extensions.filters.http.router.v4alpha"; -option java_outer_classname = "RouterProto"; -option java_multiple_files = true; -option (udpa.annotations.file_status).package_version_status = NEXT_MAJOR_VERSION_CANDIDATE; - -// [#protodoc-title: Router] -// Router :ref:`configuration overview `. -// [#extension: envoy.filters.http.router] - -// [#next-free-field: 8] -message Router { - option (udpa.annotations.versioning).previous_message_type = - "envoy.extensions.filters.http.router.v3.Router"; - - // Whether the router generates dynamic cluster statistics. Defaults to - // true. Can be disabled in high performance scenarios. - google.protobuf.BoolValue dynamic_stats = 1; - - // Whether to start a child span for egress routed calls. This can be - // useful in scenarios where other filters (auth, ratelimit, etc.) make - // outbound calls and have child spans rooted at the same ingress - // parent. Defaults to false. - bool start_child_span = 2; - - // Configuration for HTTP upstream logs emitted by the router. Upstream logs - // are configured in the same way as access logs, but each log entry represents - // an upstream request. Presuming retries are configured, multiple upstream - // requests may be made for each downstream (inbound) request. - repeated config.accesslog.v4alpha.AccessLog upstream_log = 3; - - // Do not add any additional *x-envoy-* headers to requests or responses. This - // only affects the :ref:`router filter generated *x-envoy-* headers - // `, other Envoy filters and the HTTP - // connection manager may continue to set *x-envoy-* headers. 
- bool suppress_envoy_headers = 4; - - // Specifies a list of HTTP headers to strictly validate. Envoy will reject a - // request and respond with HTTP status 400 if the request contains an invalid - // value for any of the headers listed in this field. Strict header checking - // is only supported for the following headers: - // - // Value must be a ','-delimited list (i.e. no spaces) of supported retry - // policy values: - // - // * :ref:`config_http_filters_router_x-envoy-retry-grpc-on` - // * :ref:`config_http_filters_router_x-envoy-retry-on` - // - // Value must be an integer: - // - // * :ref:`config_http_filters_router_x-envoy-max-retries` - // * :ref:`config_http_filters_router_x-envoy-upstream-rq-timeout-ms` - // * :ref:`config_http_filters_router_x-envoy-upstream-rq-per-try-timeout-ms` - repeated string strict_check_headers = 5 [(validate.rules).repeated = { - items { - string { - in: "x-envoy-upstream-rq-timeout-ms" - in: "x-envoy-upstream-rq-per-try-timeout-ms" - in: "x-envoy-max-retries" - in: "x-envoy-retry-grpc-on" - in: "x-envoy-retry-on" - } - } - }]; - - // If not set, ingress Envoy will ignore - // :ref:`config_http_filters_router_x-envoy-expected-rq-timeout-ms` header, populated by egress - // Envoy, when deriving timeout for upstream cluster. - bool respect_expected_rq_timeout = 6; - - // If set, Envoy will avoid incrementing HTTP failure code stats - // on gRPC requests. This includes the individual status code value - // (e.g. upstream_rq_504) and group stats (e.g. upstream_rq_5xx). - // This field is useful if interested in relying only on the gRPC - // stats filter to define success and failure metrics for gRPC requests - // as not all failed gRPC requests charge HTTP status code metrics. See - // :ref:`gRPC stats filter` documentation - // for more details. - bool suppress_grpc_request_failure_code_stats = 7; -} 
diff --git a/api/envoy/extensions/filters/http/tap/v4alpha/BUILD b/api/envoy/extensions/filters/http/tap/v4alpha/BUILD deleted file mode 100644 index 7e5b65cef9b5..000000000000 --- a/api/envoy/extensions/filters/http/tap/v4alpha/BUILD +++ /dev/null @@ -1,13 +0,0 @@ -# DO NOT EDIT. This file is generated by tools/proto_format/proto_sync.py. - -load("@envoy_api//bazel:api_build_system.bzl", "api_proto_package") - -licenses(["notice"]) # Apache 2 - -api_proto_package( - deps = [ - "//envoy/extensions/common/tap/v4alpha:pkg", - "//envoy/extensions/filters/http/tap/v3:pkg", - "@com_github_cncf_udpa//udpa/annotations:pkg", - ], -) diff --git a/api/envoy/extensions/filters/http/tap/v4alpha/tap.proto b/api/envoy/extensions/filters/http/tap/v4alpha/tap.proto deleted file mode 100644 index 98798be8bfd2..000000000000 --- a/api/envoy/extensions/filters/http/tap/v4alpha/tap.proto +++ /dev/null @@ -1,28 +0,0 @@ -syntax = "proto3"; - -package envoy.extensions.filters.http.tap.v4alpha; - -import "envoy/extensions/common/tap/v4alpha/common.proto"; - -import "udpa/annotations/status.proto"; -import "udpa/annotations/versioning.proto"; -import "validate/validate.proto"; - -option java_package = "io.envoyproxy.envoy.extensions.filters.http.tap.v4alpha"; -option java_outer_classname = "TapProto"; -option java_multiple_files = true; -option (udpa.annotations.file_status).package_version_status = NEXT_MAJOR_VERSION_CANDIDATE; - -// [#protodoc-title: Tap] -// Tap :ref:`configuration overview `. -// [#extension: envoy.filters.http.tap] - -// Top level configuration for the tap filter. -message Tap { - option (udpa.annotations.versioning).previous_message_type = - "envoy.extensions.filters.http.tap.v3.Tap"; - - // Common configuration for the HTTP tap filter. - common.tap.v4alpha.CommonExtensionConfig common_config = 1 - [(validate.rules).message = {required: true}]; -} 
diff --git a/api/envoy/extensions/filters/network/dubbo_proxy/v4alpha/BUILD b/api/envoy/extensions/filters/network/dubbo_proxy/v4alpha/BUILD deleted file mode 100644 index 752598d2f625..000000000000 --- a/api/envoy/extensions/filters/network/dubbo_proxy/v4alpha/BUILD +++ /dev/null @@ -1,15 +0,0 @@ -# DO NOT EDIT. This file is generated by tools/proto_format/proto_sync.py. - -load("@envoy_api//bazel:api_build_system.bzl", "api_proto_package") - -licenses(["notice"]) # Apache 2 - -api_proto_package( - deps = [ - "//envoy/config/route/v4alpha:pkg", - "//envoy/extensions/filters/network/dubbo_proxy/v3:pkg", - "//envoy/type/matcher/v4alpha:pkg", - "//envoy/type/v3:pkg", - "@com_github_cncf_udpa//udpa/annotations:pkg", - ], -) diff --git a/api/envoy/extensions/filters/network/dubbo_proxy/v4alpha/dubbo_proxy.proto b/api/envoy/extensions/filters/network/dubbo_proxy/v4alpha/dubbo_proxy.proto deleted file mode 100644 index 30499c27f6f0..000000000000 --- a/api/envoy/extensions/filters/network/dubbo_proxy/v4alpha/dubbo_proxy.proto +++ /dev/null 
@@ -1,70 +0,0 @@ -syntax = "proto3"; - -package envoy.extensions.filters.network.dubbo_proxy.v4alpha; - -import "envoy/extensions/filters/network/dubbo_proxy/v4alpha/route.proto"; - -import "google/protobuf/any.proto"; - -import "udpa/annotations/status.proto"; -import "udpa/annotations/versioning.proto"; -import "validate/validate.proto"; - -option java_package = "io.envoyproxy.envoy.extensions.filters.network.dubbo_proxy.v4alpha"; -option java_outer_classname = "DubboProxyProto"; -option java_multiple_files = true; -option (udpa.annotations.file_status).package_version_status = NEXT_MAJOR_VERSION_CANDIDATE; - -// [#protodoc-title: Dubbo Proxy] -// Dubbo Proxy :ref:`configuration overview `. -// [#extension: envoy.filters.network.dubbo_proxy] - -// Dubbo Protocol types supported by Envoy. -enum ProtocolType { - // the default protocol. - Dubbo = 0; -} - -// Dubbo Serialization types supported by Envoy. -enum SerializationType { - // the default serialization protocol. - Hessian2 = 0; -} - -// [#next-free-field: 6] -message DubboProxy { - option (udpa.annotations.versioning).previous_message_type = - "envoy.extensions.filters.network.dubbo_proxy.v3.DubboProxy"; - - // The human readable prefix to use when emitting statistics. - string stat_prefix = 1 [(validate.rules).string = {min_len: 1}]; - - // Configure the protocol used. - ProtocolType protocol_type = 2 [(validate.rules).enum = {defined_only: true}]; - - // Configure the serialization protocol used. - SerializationType serialization_type = 3 [(validate.rules).enum = {defined_only: true}]; - - // The route table for the connection manager is static and is specified in this property. - repeated RouteConfiguration route_config = 4; - - // A list of individual Dubbo filters that make up the filter chain for requests made to the - // Dubbo proxy. Order matters as the filters are processed sequentially. 
For backwards - // compatibility, if no dubbo_filters are specified, a default Dubbo router filter - // (`envoy.filters.dubbo.router`) is used. - repeated DubboFilter dubbo_filters = 5; -} - -// DubboFilter configures a Dubbo filter. -message DubboFilter { - option (udpa.annotations.versioning).previous_message_type = - "envoy.extensions.filters.network.dubbo_proxy.v3.DubboFilter"; - - // The name of the filter to instantiate. The name must match a supported - // filter. - string name = 1 [(validate.rules).string = {min_len: 1}]; - - // Filter specific configuration which depends on the filter being - // instantiated. See the supported filters for further documentation. - google.protobuf.Any config = 2; -} diff --git a/api/envoy/extensions/filters/network/dubbo_proxy/v4alpha/route.proto b/api/envoy/extensions/filters/network/dubbo_proxy/v4alpha/route.proto deleted file mode 100644 index d6314279ed2b..000000000000 --- a/api/envoy/extensions/filters/network/dubbo_proxy/v4alpha/route.proto +++ /dev/null 
@@ -1,129 +0,0 @@ -syntax = "proto3"; - -package envoy.extensions.filters.network.dubbo_proxy.v4alpha; - -import "envoy/config/route/v4alpha/route_components.proto"; -import "envoy/type/matcher/v4alpha/string.proto"; -import "envoy/type/v3/range.proto"; - -import "udpa/annotations/status.proto"; -import "udpa/annotations/versioning.proto"; -import "validate/validate.proto"; - -option java_package = "io.envoyproxy.envoy.extensions.filters.network.dubbo_proxy.v4alpha"; -option java_outer_classname = "RouteProto"; -option java_multiple_files = true; -option (udpa.annotations.file_status).package_version_status = NEXT_MAJOR_VERSION_CANDIDATE; - -// [#protodoc-title: Dubbo Proxy Route Configuration] -// Dubbo Proxy :ref:`configuration overview `. - -// [#next-free-field: 6] -message RouteConfiguration { - option (udpa.annotations.versioning).previous_message_type = - "envoy.extensions.filters.network.dubbo_proxy.v3.RouteConfiguration"; - - // The name of the route configuration. Reserved for future use in asynchronous route discovery. - string name = 1; - - // The interface name of the service. Wildcard interface are supported in the suffix or prefix form. - // e.g. ``*.methods.add`` will match ``com.dev.methods.add``, ``com.prod.methods.add``, etc. - // ``com.dev.methods.*`` will match ``com.dev.methods.add``, ``com.dev.methods.update``, etc. - // Special wildcard ``*`` matching any interface. - // - // .. note:: - // - // The wildcard will not match the empty string. - // e.g. ``*.methods.add`` will match ``com.dev.methods.add`` but not ``.methods.add``. - string interface = 2; - - // Which group does the interface belong to. - string group = 3; - - // The version number of the interface. - string version = 4; - - // The list of routes that will be matched, in order, against incoming requests. The first route - // that matches will be used. 
- repeated Route routes = 5; -} - -message Route { - option (udpa.annotations.versioning).previous_message_type = - "envoy.extensions.filters.network.dubbo_proxy.v3.Route"; - - // Route matching parameters. - RouteMatch match = 1 [(validate.rules).message = {required: true}]; - - // Route request to some upstream cluster. - RouteAction route = 2 [(validate.rules).message = {required: true}]; -} - -message RouteMatch { - option (udpa.annotations.versioning).previous_message_type = - "envoy.extensions.filters.network.dubbo_proxy.v3.RouteMatch"; - - // Method level routing matching. - MethodMatch method = 1; - - // Specifies a set of headers that the route should match on. The router will check the request’s - // headers against all the specified headers in the route config. A match will happen if all the - // headers in the route are present in the request with the same values (or based on presence if - // the value field is not in the config). - repeated config.route.v4alpha.HeaderMatcher headers = 2; -} - -message RouteAction { - option (udpa.annotations.versioning).previous_message_type = - "envoy.extensions.filters.network.dubbo_proxy.v3.RouteAction"; - - oneof cluster_specifier { - option (validate.required) = true; - - // Indicates the upstream cluster to which the request should be routed. - string cluster = 1; - - // Multiple upstream clusters can be specified for a given route. The - // request is routed to one of the upstream clusters based on weights - // assigned to each cluster. - // Currently ClusterWeight only supports the name and weight fields. - config.route.v4alpha.WeightedCluster weighted_clusters = 2; - } -} - -message MethodMatch { - option (udpa.annotations.versioning).previous_message_type = - "envoy.extensions.filters.network.dubbo_proxy.v3.MethodMatch"; - - // The parameter matching type. 
- message ParameterMatchSpecifier { - option (udpa.annotations.versioning).previous_message_type = - "envoy.extensions.filters.network.dubbo_proxy.v3.MethodMatch.ParameterMatchSpecifier"; - - oneof parameter_match_specifier { - // If specified, header match will be performed based on the value of the header. - string exact_match = 3; - - // If specified, header match will be performed based on range. - // The rule will match if the request header value is within this range. - // The entire request header value must represent an integer in base 10 notation: consisting - // of an optional plus or minus sign followed by a sequence of digits. The rule will not match - // if the header value does not represent an integer. Match will fail for empty values, - // floating point numbers or if only a subsequence of the header value is an integer. - // - // Examples: - // - // * For range [-10,0), route will match for header value -1, but not for 0, - // "somestring", 10.9, "-1somestring" - type.v3.Int64Range range_match = 4; - } - } - - // The name of the method. - type.matcher.v4alpha.StringMatcher name = 1; - - // Method parameter definition. - // The key is the parameter index, starting from 0. - // The value is the parameter matching type. - map params_match = 2; -} diff --git a/api/envoy/extensions/filters/network/ext_authz/v4alpha/BUILD b/api/envoy/extensions/filters/network/ext_authz/v4alpha/BUILD deleted file mode 100644 index 6d146b1c64d1..000000000000 --- a/api/envoy/extensions/filters/network/ext_authz/v4alpha/BUILD +++ /dev/null @@ -1,14 +0,0 @@ -# DO NOT EDIT. This file is generated by tools/proto_format/proto_sync.py. - -load("@envoy_api//bazel:api_build_system.bzl", "api_proto_package") - -licenses(["notice"]) # Apache 2 - -api_proto_package( - deps = [ - "//envoy/config/core/v4alpha:pkg", - "//envoy/extensions/filters/network/ext_authz/v3:pkg", - "//envoy/type/matcher/v4alpha:pkg", - "@com_github_cncf_udpa//udpa/annotations:pkg", - ], -) 
diff --git a/api/envoy/extensions/filters/network/ext_authz/v4alpha/ext_authz.proto b/api/envoy/extensions/filters/network/ext_authz/v4alpha/ext_authz.proto
deleted file mode 100644
index 21f30481292f..000000000000
--- a/api/envoy/extensions/filters/network/ext_authz/v4alpha/ext_authz.proto
+++ /dev/null
@@ -1,64 +0,0 @@ -syntax = "proto3"; - -package envoy.extensions.filters.network.ext_authz.v4alpha; - -import "envoy/config/core/v4alpha/config_source.proto"; -import "envoy/config/core/v4alpha/grpc_service.proto"; -import "envoy/type/matcher/v4alpha/metadata.proto"; - -import "udpa/annotations/status.proto"; -import "udpa/annotations/versioning.proto"; -import "validate/validate.proto"; - -option java_package = "io.envoyproxy.envoy.extensions.filters.network.ext_authz.v4alpha"; -option java_outer_classname = "ExtAuthzProto"; -option java_multiple_files = true; -option (udpa.annotations.file_status).package_version_status = NEXT_MAJOR_VERSION_CANDIDATE; - -// [#protodoc-title: Network External Authorization ] -// The network layer external authorization service configuration -// :ref:`configuration overview `. -// [#extension: envoy.filters.network.ext_authz] - -// External Authorization filter calls out to an external service over the -// gRPC Authorization API defined by -// :ref:`CheckRequest `. -// A failed check will cause this filter to close the TCP connection. -// [#next-free-field: 8] -message ExtAuthz { - option (udpa.annotations.versioning).previous_message_type = - "envoy.extensions.filters.network.ext_authz.v3.ExtAuthz"; - - // The prefix to use when emitting statistics. - string stat_prefix = 1 [(validate.rules).string = {min_len: 1}]; - - // The external authorization gRPC service configuration. - // The default timeout is set to 200ms by this filter. - config.core.v4alpha.GrpcService grpc_service = 2; - - // The filter's behaviour in case the external authorization service does - // not respond back. When it is set to true, Envoy will also allow traffic in case of - // communication failure between authorization service and the proxy. - // Defaults to false. - bool failure_mode_allow = 3; - - // Specifies if the peer certificate is sent to the external service. 
- // - // When this field is true, Envoy will include the peer X.509 certificate, if available, in the - // :ref:`certificate`. - bool include_peer_certificate = 4; - - // API version for ext_authz transport protocol. This describes the ext_authz gRPC endpoint and - // version of Check{Request,Response} used on the wire. - config.core.v4alpha.ApiVersion transport_api_version = 5 - [(validate.rules).enum = {defined_only: true}]; - - // Specifies if the filter is enabled with metadata matcher. - // If this field is not specified, the filter will be enabled for all requests. - type.matcher.v4alpha.MetadataMatcher filter_enabled_metadata = 6; - - // Optional labels that will be passed to :ref:`labels` in - // :ref:`destination`. - // The labels will be read from :ref:`metadata` with the specified key. - string bootstrap_metadata_labels_key = 7; -} diff --git a/api/envoy/extensions/filters/network/http_connection_manager/v4alpha/BUILD b/api/envoy/extensions/filters/network/http_connection_manager/v4alpha/BUILD deleted file mode 100644 index 64536cdef30b..000000000000 --- a/api/envoy/extensions/filters/network/http_connection_manager/v4alpha/BUILD +++ /dev/null @@ -1,19 +0,0 @@ -# DO NOT EDIT. This file is generated by tools/proto_format/proto_sync.py. - -load("@envoy_api//bazel:api_build_system.bzl", "api_proto_package") - -licenses(["notice"]) # Apache 2 - -api_proto_package( - deps = [ - "//envoy/config/accesslog/v4alpha:pkg", - "//envoy/config/core/v4alpha:pkg", - "//envoy/config/route/v4alpha:pkg", - "//envoy/config/trace/v4alpha:pkg", - "//envoy/extensions/filters/network/http_connection_manager/v3:pkg", - "//envoy/type/http/v3:pkg", - "//envoy/type/tracing/v3:pkg", - "//envoy/type/v3:pkg", - "@com_github_cncf_udpa//udpa/annotations:pkg", - ], -) 
diff --git a/api/envoy/extensions/filters/network/http_connection_manager/v4alpha/http_connection_manager.proto b/api/envoy/extensions/filters/network/http_connection_manager/v4alpha/http_connection_manager.proto
deleted file mode 100644
index 80972e52a095..000000000000
--- a/api/envoy/extensions/filters/network/http_connection_manager/v4alpha/http_connection_manager.proto
+++ /dev/null
@@ -1,1018 +0,0 @@ -syntax = "proto3"; - -package envoy.extensions.filters.network.http_connection_manager.v4alpha; - -import "envoy/config/accesslog/v4alpha/accesslog.proto"; -import "envoy/config/core/v4alpha/base.proto"; -import "envoy/config/core/v4alpha/config_source.proto"; -import "envoy/config/core/v4alpha/extension.proto"; -import "envoy/config/core/v4alpha/protocol.proto"; -import "envoy/config/core/v4alpha/substitution_format_string.proto"; -import "envoy/config/route/v4alpha/route.proto"; -import "envoy/config/route/v4alpha/scoped_route.proto"; -import "envoy/config/trace/v4alpha/http_tracer.proto"; -import "envoy/type/http/v3/path_transformation.proto"; -import "envoy/type/tracing/v3/custom_tag.proto"; -import "envoy/type/v3/percent.proto"; - -import "google/protobuf/any.proto"; -import "google/protobuf/duration.proto"; -import "google/protobuf/wrappers.proto"; - -import "udpa/annotations/security.proto"; -import "udpa/annotations/status.proto"; -import "udpa/annotations/versioning.proto"; -import "validate/validate.proto"; - -option java_package = "io.envoyproxy.envoy.extensions.filters.network.http_connection_manager.v4alpha"; -option java_outer_classname = "HttpConnectionManagerProto"; -option java_multiple_files = true; -option (udpa.annotations.file_status).package_version_status = NEXT_MAJOR_VERSION_CANDIDATE; - -// [#protodoc-title: HTTP connection manager] -// HTTP connection manager :ref:`configuration overview `. -// [#extension: envoy.filters.network.http_connection_manager] - -// [#next-free-field: 49] -message HttpConnectionManager { - option (udpa.annotations.versioning).previous_message_type = - "envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager"; - - enum CodecType { - // For every new connection, the connection manager will determine which - // codec to use. This mode supports both ALPN for TLS listeners as well as - // protocol inference for plaintext listeners. 
If ALPN data is available, it - // is preferred, otherwise protocol inference is used. In almost all cases, - // this is the right option to choose for this setting. - AUTO = 0; - - // The connection manager will assume that the client is speaking HTTP/1.1. - HTTP1 = 1; - - // The connection manager will assume that the client is speaking HTTP/2 - // (Envoy does not require HTTP/2 to take place over TLS or to use ALPN. - // Prior knowledge is allowed). - HTTP2 = 2; - - // [#not-implemented-hide:] QUIC implementation is not production ready yet. Use this enum with - // caution to prevent accidental execution of QUIC code. I.e. `!= HTTP2` is no longer sufficient - // to distinguish HTTP1 and HTTP2 traffic. - HTTP3 = 3; - } - - enum ServerHeaderTransformation { - // Overwrite any Server header with the contents of server_name. - OVERWRITE = 0; - - // If no Server header is present, append Server server_name - // If a Server header is present, pass it through. - APPEND_IF_ABSENT = 1; - - // Pass through the value of the server header, and do not append a header - // if none is present. - PASS_THROUGH = 2; - } - - // How to handle the :ref:`config_http_conn_man_headers_x-forwarded-client-cert` (XFCC) HTTP - // header. - enum ForwardClientCertDetails { - // Do not send the XFCC header to the next hop. This is the default value. - SANITIZE = 0; - - // When the client connection is mTLS (Mutual TLS), forward the XFCC header - // in the request. - FORWARD_ONLY = 1; - - // When the client connection is mTLS, append the client certificate - // information to the request’s XFCC header and forward it. - APPEND_FORWARD = 2; - - // When the client connection is mTLS, reset the XFCC header with the client - // certificate information and send it to the next hop. - SANITIZE_SET = 3; - - // Always forward the XFCC header in the request, regardless of whether the - // client connection is mTLS. 
- ALWAYS_FORWARD_ONLY = 4; - } - - // Determines the action for request that contain %2F, %2f, %5C or %5c sequences in the URI path. - // This operation occurs before URL normalization and the merge slashes transformations if they were enabled. - enum PathWithEscapedSlashesAction { - // Default behavior specific to implementation (i.e. Envoy) of this configuration option. - // Envoy, by default, takes the KEEP_UNCHANGED action. - // NOTE: the implementation may change the default behavior at-will. - IMPLEMENTATION_SPECIFIC_DEFAULT = 0; - - // Keep escaped slashes. - KEEP_UNCHANGED = 1; - - // Reject client request with the 400 status. gRPC requests will be rejected with the INTERNAL (13) error code. - // The "httpN.downstream_rq_failed_path_normalization" counter is incremented for each rejected request. - REJECT_REQUEST = 2; - - // Unescape %2F and %5C sequences and redirect request to the new path if these sequences were present. - // Redirect occurs after path normalization and merge slashes transformations if they were configured. - // NOTE: gRPC requests will be rejected with the INTERNAL (13) error code. - // This option minimizes possibility of path confusion exploits by forcing request with unescaped slashes to - // traverse all parties: downstream client, intermediate proxies, Envoy and upstream server. - // The "httpN.downstream_rq_redirected_with_normalized_path" counter is incremented for each - // redirected request. - UNESCAPE_AND_REDIRECT = 3; - - // Unescape %2F and %5C sequences. - // Note: this option should not be enabled if intermediaries perform path based access control as - // it may lead to path confusion vulnerabilities. 
- UNESCAPE_AND_FORWARD = 4; - } - - // [#next-free-field: 10] - message Tracing { - option (udpa.annotations.versioning).previous_message_type = - "envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager.Tracing"; - - enum OperationName { - // The HTTP listener is used for ingress/incoming requests. - INGRESS = 0; - - // The HTTP listener is used for egress/outgoing requests. - EGRESS = 1; - } - - reserved 1, 2; - - reserved "operation_name", "request_headers_for_tags"; - - // Target percentage of requests managed by this HTTP connection manager that will be force - // traced if the :ref:`x-client-trace-id ` - // header is set. This field is a direct analog for the runtime variable - // 'tracing.client_sampling' in the :ref:`HTTP Connection Manager - // `. - // Default: 100% - type.v3.Percent client_sampling = 3; - - // Target percentage of requests managed by this HTTP connection manager that will be randomly - // selected for trace generation, if not requested by the client or not forced. This field is - // a direct analog for the runtime variable 'tracing.random_sampling' in the - // :ref:`HTTP Connection Manager `. - // Default: 100% - type.v3.Percent random_sampling = 4; - - // Target percentage of requests managed by this HTTP connection manager that will be traced - // after all other sampling checks have been applied (client-directed, force tracing, random - // sampling). This field functions as an upper limit on the total configured sampling rate. For - // instance, setting client_sampling to 100% but overall_sampling to 1% will result in only 1% - // of client requests with the appropriate headers to be force traced. This field is a direct - // analog for the runtime variable 'tracing.global_enabled' in the - // :ref:`HTTP Connection Manager `. - // Default: 100% - type.v3.Percent overall_sampling = 5; - - // Whether to annotate spans with additional data. If true, spans will include logs for stream - // events. 
- bool verbose = 6; - - // Maximum length of the request path to extract and include in the HttpUrl tag. Used to - // truncate lengthy request paths to meet the needs of a tracing backend. - // Default: 256 - google.protobuf.UInt32Value max_path_tag_length = 7; - - // A list of custom tags with unique tag name to create tags for the active span. - repeated type.tracing.v3.CustomTag custom_tags = 8; - - // Configuration for an external tracing provider. - // If not specified, no tracing will be performed. - // - // .. attention:: - // Please be aware that *envoy.tracers.opencensus* provider can only be configured once - // in Envoy lifetime. - // Any attempts to reconfigure it or to use different configurations for different HCM filters - // will be rejected. - // Such a constraint is inherent to OpenCensus itself. It cannot be overcome without changes - // on OpenCensus side. - config.trace.v4alpha.Tracing.Http provider = 9; - } - - message InternalAddressConfig { - option (udpa.annotations.versioning).previous_message_type = - "envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager." - "InternalAddressConfig"; - - // Whether unix socket addresses should be considered internal. - bool unix_sockets = 1; - } - - // [#next-free-field: 7] - message SetCurrentClientCertDetails { - option (udpa.annotations.versioning).previous_message_type = - "envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager." - "SetCurrentClientCertDetails"; - - reserved 2; - - // Whether to forward the subject of the client cert. Defaults to false. - google.protobuf.BoolValue subject = 1; - - // Whether to forward the entire client cert in URL encoded PEM format. This will appear in the - // XFCC header comma separated from other values with the value Cert="PEM". - // Defaults to false. - bool cert = 3; - - // Whether to forward the entire client cert chain (including the leaf cert) in URL encoded PEM - // format. 
This will appear in the XFCC header comma separated from other values with the value - // Chain="PEM". - // Defaults to false. - bool chain = 6; - - // Whether to forward the DNS type Subject Alternative Names of the client cert. - // Defaults to false. - bool dns = 4; - - // Whether to forward the URI type Subject Alternative Name of the client cert. Defaults to - // false. - bool uri = 5; - } - - // The configuration for HTTP upgrades. - // For each upgrade type desired, an UpgradeConfig must be added. - // - // .. warning:: - // - // The current implementation of upgrade headers does not handle - // multi-valued upgrade headers. Support for multi-valued headers may be - // added in the future if needed. - // - // .. warning:: - // The current implementation of upgrade headers does not work with HTTP/2 - // upstreams. - message UpgradeConfig { - option (udpa.annotations.versioning).previous_message_type = - "envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager." - "UpgradeConfig"; - - // The case-insensitive name of this upgrade, e.g. "websocket". - // For each upgrade type present in upgrade_configs, requests with - // Upgrade: [upgrade_type] - // will be proxied upstream. - string upgrade_type = 1; - - // If present, this represents the filter chain which will be created for - // this type of upgrade. If no filters are present, the filter chain for - // HTTP connections will be used for this upgrade type. - repeated HttpFilter filters = 2; - - // Determines if upgrades are enabled or disabled by default. Defaults to true. - // This can be overridden on a per-route basis with :ref:`cluster - // ` as documented in the - // :ref:`upgrade documentation `. - google.protobuf.BoolValue enabled = 3; - } - - // [#not-implemented-hide:] Transformations that apply to path headers. Transformations are applied - // before any processing of requests by HTTP filters, routing, and matching. 
Only the normalized - // path will be visible internally if a transformation is enabled. Any path rewrites that the - // router performs (e.g. :ref:`regex_rewrite - // ` or :ref:`prefix_rewrite - // `) will apply to the *:path* header - // destined for the upstream. - // - // Note: access logging and tracing will show the original *:path* header. - message PathNormalizationOptions { - option (udpa.annotations.versioning).previous_message_type = - "envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager." - "PathNormalizationOptions"; - - // [#not-implemented-hide:] Normalization applies internally before any processing of requests by - // HTTP filters, routing, and matching *and* will affect the forwarded *:path* header. Defaults - // to :ref:`NormalizePathRFC3986 - // `. When not - // specified, this value may be overridden by the runtime variable - // :ref:`http_connection_manager.normalize_path`. - // Envoy will respond with 400 to paths that are malformed (e.g. for paths that fail RFC 3986 - // normalization due to disallowed characters.) - type.http.v3.PathTransformation forwarding_transformation = 1; - - // [#not-implemented-hide:] Normalization only applies internally before any processing of - // requests by HTTP filters, routing, and matching. These will be applied after full - // transformation is applied. The *:path* header before this transformation will be restored in - // the router filter and sent upstream unless it was mutated by a filter. Defaults to no - // transformations. - // Multiple actions can be applied in the same Transformation, forming a sequential - // pipeline. The transformations will be performed in the order that they appear. Envoy will - // respond with 400 to paths that are malformed (e.g. for paths that fail RFC 3986 - // normalization due to disallowed characters.) 
- type.http.v3.PathTransformation http_filter_transformation = 2; - } - - reserved 27, 11; - - reserved "idle_timeout"; - - // Supplies the type of codec that the connection manager should use. - CodecType codec_type = 1 [(validate.rules).enum = {defined_only: true}]; - - // The human readable prefix to use when emitting statistics for the - // connection manager. See the :ref:`statistics documentation ` for - // more information. - string stat_prefix = 2 [(validate.rules).string = {min_len: 1}]; - - oneof route_specifier { - option (validate.required) = true; - - // The connection manager’s route table will be dynamically loaded via the RDS API. - Rds rds = 3; - - // The route table for the connection manager is static and is specified in this property. - config.route.v4alpha.RouteConfiguration route_config = 4; - - // A route table will be dynamically assigned to each request based on request attributes - // (e.g., the value of a header). The "routing scopes" (i.e., route tables) and "scope keys" are - // specified in this message. - ScopedRoutes scoped_routes = 31; - } - - // A list of individual HTTP filters that make up the filter chain for - // requests made to the connection manager. :ref:`Order matters ` - // as the filters are processed sequentially as request events happen. - repeated HttpFilter http_filters = 5; - - // Whether the connection manager manipulates the :ref:`config_http_conn_man_headers_user-agent` - // and :ref:`config_http_conn_man_headers_downstream-service-cluster` headers. See the linked - // documentation for more information. Defaults to false. - google.protobuf.BoolValue add_user_agent = 6; - - // Presence of the object defines whether the connection manager - // emits :ref:`tracing ` data to the :ref:`configured tracing provider - // `. - Tracing tracing = 7; - - // Additional settings for HTTP requests handled by the connection manager. These will be - // applicable to both HTTP1 and HTTP2 requests. 
- config.core.v4alpha.HttpProtocolOptions common_http_protocol_options = 35 - [(udpa.annotations.security).configure_for_untrusted_downstream = true]; - - // Additional HTTP/1 settings that are passed to the HTTP/1 codec. - config.core.v4alpha.Http1ProtocolOptions http_protocol_options = 8; - - // Additional HTTP/2 settings that are passed directly to the HTTP/2 codec. - config.core.v4alpha.Http2ProtocolOptions http2_protocol_options = 9 - [(udpa.annotations.security).configure_for_untrusted_downstream = true]; - - // Additional HTTP/3 settings that are passed directly to the HTTP/3 codec. - // [#not-implemented-hide:] - config.core.v4alpha.Http3ProtocolOptions http3_protocol_options = 44; - - // An optional override that the connection manager will write to the server - // header in responses. If not set, the default is *envoy*. - string server_name = 10 - [(validate.rules).string = {well_known_regex: HTTP_HEADER_VALUE strict: false}]; - - // Defines the action to be applied to the Server header on the response path. - // By default, Envoy will overwrite the header with the value specified in - // server_name. - ServerHeaderTransformation server_header_transformation = 34 - [(validate.rules).enum = {defined_only: true}]; - - // Allows for explicit transformation of the :scheme header on the request path. - // If not set, Envoy's default :ref:`scheme ` - // handling applies. - config.core.v4alpha.SchemeHeaderTransformation scheme_header_transformation = 48; - - // The maximum request headers size for incoming connections. - // If unconfigured, the default max request headers allowed is 60 KiB. - // Requests that exceed this limit will receive a 431 response. - google.protobuf.UInt32Value max_request_headers_kb = 29 - [(validate.rules).uint32 = {lte: 8192 gt: 0}]; - - // The stream idle timeout for connections managed by the connection manager. - // If not specified, this defaults to 5 minutes. 
The default value was selected - // so as not to interfere with any smaller configured timeouts that may have - // existed in configurations prior to the introduction of this feature, while - // introducing robustness to TCP connections that terminate without a FIN. - // - // This idle timeout applies to new streams and is overridable by the - // :ref:`route-level idle_timeout - // `. Even on a stream in - // which the override applies, prior to receipt of the initial request - // headers, the :ref:`stream_idle_timeout - // ` - // applies. Each time an encode/decode event for headers or data is processed - // for the stream, the timer will be reset. If the timeout fires, the stream - // is terminated with a 408 Request Timeout error code if no upstream response - // header has been received, otherwise a stream reset occurs. - // - // This timeout also specifies the amount of time that Envoy will wait for the peer to open enough - // window to write any remaining stream data once the entirety of stream data (local end stream is - // true) has been buffered pending available window. In other words, this timeout defends against - // a peer that does not release enough window to completely write the stream, even though all - // data has been proxied within available flow control windows. If the timeout is hit in this - // case, the :ref:`tx_flush_timeout ` counter will be - // incremented. Note that :ref:`max_stream_duration - // ` does not apply to - // this corner case. - // - // If the :ref:`overload action ` "envoy.overload_actions.reduce_timeouts" - // is configured, this timeout is scaled according to the value for - // :ref:`HTTP_DOWNSTREAM_STREAM_IDLE `. - // - // Note that it is possible to idle timeout even if the wire traffic for a stream is non-idle, due - // to the granularity of events presented to the connection manager. 
For example, while receiving - // very large request headers, it may be the case that there is traffic regularly arriving on the - // wire while the connection manage is only able to observe the end-of-headers event, hence the - // stream may still idle timeout. - // - // A value of 0 will completely disable the connection manager stream idle - // timeout, although per-route idle timeout overrides will continue to apply. - google.protobuf.Duration stream_idle_timeout = 24 - [(udpa.annotations.security).configure_for_untrusted_downstream = true]; - - // The amount of time that Envoy will wait for the entire request to be received. - // The timer is activated when the request is initiated, and is disarmed when the last byte of the - // request is sent upstream (i.e. all decoding filters have processed the request), OR when the - // response is initiated. If not specified or set to 0, this timeout is disabled. - google.protobuf.Duration request_timeout = 28 - [(udpa.annotations.security).configure_for_untrusted_downstream = true]; - - // The amount of time that Envoy will wait for the request headers to be received. The timer is - // activated when the first byte of the headers is received, and is disarmed when the last byte of - // the headers has been received. If not specified or set to 0, this timeout is disabled. - google.protobuf.Duration request_headers_timeout = 41 [ - (validate.rules).duration = {gte {}}, - (udpa.annotations.security).configure_for_untrusted_downstream = true - ]; - - // The time that Envoy will wait between sending an HTTP/2 “shutdown - // notification” (GOAWAY frame with max stream ID) and a final GOAWAY frame. - // This is used so that Envoy provides a grace period for new streams that - // race with the final GOAWAY frame. During this grace period, Envoy will - // continue to accept new streams. After the grace period, a final GOAWAY - // frame is sent and Envoy will start refusing new streams. 
Draining occurs - // both when a connection hits the idle timeout or during general server - // draining. The default grace period is 5000 milliseconds (5 seconds) if this - // option is not specified. - google.protobuf.Duration drain_timeout = 12; - - // The delayed close timeout is for downstream connections managed by the HTTP connection manager. - // It is defined as a grace period after connection close processing has been locally initiated - // during which Envoy will wait for the peer to close (i.e., a TCP FIN/RST is received by Envoy - // from the downstream connection) prior to Envoy closing the socket associated with that - // connection. - // NOTE: This timeout is enforced even when the socket associated with the downstream connection - // is pending a flush of the write buffer. However, any progress made writing data to the socket - // will restart the timer associated with this timeout. This means that the total grace period for - // a socket in this state will be - // +. - // - // Delaying Envoy's connection close and giving the peer the opportunity to initiate the close - // sequence mitigates a race condition that exists when downstream clients do not drain/process - // data in a connection's receive buffer after a remote close has been detected via a socket - // write(). This race leads to such clients failing to process the response code sent by Envoy, - // which could result in erroneous downstream processing. - // - // If the timeout triggers, Envoy will close the connection's socket. - // - // The default timeout is 1000 ms if this option is not specified. - // - // .. NOTE:: - // To be useful in avoiding the race condition described above, this timeout must be set - // to *at least* +<100ms to account for - // a reasonable "worst" case processing time for a full iteration of Envoy's event loop>. - // - // .. WARNING:: - // A value of 0 will completely disable delayed close processing. 
When disabled, the downstream - // connection's socket will be closed immediately after the write flush is completed or will - // never close if the write flush does not complete. - google.protobuf.Duration delayed_close_timeout = 26; - - // Configuration for :ref:`HTTP access logs ` - // emitted by the connection manager. - repeated config.accesslog.v4alpha.AccessLog access_log = 13; - - // If set to true, the connection manager will use the real remote address - // of the client connection when determining internal versus external origin and manipulating - // various headers. If set to false or absent, the connection manager will use the - // :ref:`config_http_conn_man_headers_x-forwarded-for` HTTP header. See the documentation for - // :ref:`config_http_conn_man_headers_x-forwarded-for`, - // :ref:`config_http_conn_man_headers_x-envoy-internal`, and - // :ref:`config_http_conn_man_headers_x-envoy-external-address` for more information. - google.protobuf.BoolValue use_remote_address = 14 - [(udpa.annotations.security).configure_for_untrusted_downstream = true]; - - // The number of additional ingress proxy hops from the right side of the - // :ref:`config_http_conn_man_headers_x-forwarded-for` HTTP header to trust when - // determining the origin client's IP address. The default is zero if this option - // is not specified. See the documentation for - // :ref:`config_http_conn_man_headers_x-forwarded-for` for more information. - uint32 xff_num_trusted_hops = 19; - - // The configuration for the original IP detection extensions. - // - // When configured the extensions will be called along with the request headers - // and information about the downstream connection, such as the directly connected address. - // Each extension will then use these parameters to decide the request's effective remote address. 
- // If an extension fails to detect the original IP address and isn't configured to reject - // the request, the HCM will try the remaining extensions until one succeeds or rejects - // the request. If the request isn't rejected nor any extension succeeds, the HCM will - // fallback to using the remote address. - // - // .. WARNING:: - // Extensions cannot be used in conjunction with :ref:`use_remote_address - // ` - // nor :ref:`xff_num_trusted_hops - // `. - // - // [#extension-category: envoy.http.original_ip_detection] - repeated config.core.v4alpha.TypedExtensionConfig original_ip_detection_extensions = 46; - - // Configures what network addresses are considered internal for stats and header sanitation - // purposes. If unspecified, only RFC1918 IP addresses will be considered internal. - // See the documentation for :ref:`config_http_conn_man_headers_x-envoy-internal` for more - // information about internal/external addresses. - InternalAddressConfig internal_address_config = 25; - - // If set, Envoy will not append the remote address to the - // :ref:`config_http_conn_man_headers_x-forwarded-for` HTTP header. This may be used in - // conjunction with HTTP filters that explicitly manipulate XFF after the HTTP connection manager - // has mutated the request headers. While :ref:`use_remote_address - // ` - // will also suppress XFF addition, it has consequences for logging and other - // Envoy uses of the remote address, so *skip_xff_append* should be used - // when only an elision of XFF addition is intended. - bool skip_xff_append = 21; - - // Via header value to append to request and response headers. If this is - // empty, no via header will be appended. - string via = 22 [(validate.rules).string = {well_known_regex: HTTP_HEADER_VALUE strict: false}]; - - // Whether the connection manager will generate the :ref:`x-request-id - // ` header if it does not exist. This defaults to - // true. 
Generating a random UUID4 is expensive so in high throughput scenarios where this feature - // is not desired it can be disabled. - google.protobuf.BoolValue generate_request_id = 15; - - // Whether the connection manager will keep the :ref:`x-request-id - // ` header if passed for a request that is edge - // (Edge request is the request from external clients to front Envoy) and not reset it, which - // is the current Envoy behaviour. This defaults to false. - bool preserve_external_request_id = 32; - - // If set, Envoy will always set :ref:`x-request-id ` header in response. - // If this is false or not set, the request ID is returned in responses only if tracing is forced using - // :ref:`x-envoy-force-trace ` header. - bool always_set_request_id_in_response = 37; - - // How to handle the :ref:`config_http_conn_man_headers_x-forwarded-client-cert` (XFCC) HTTP - // header. - ForwardClientCertDetails forward_client_cert_details = 16 - [(validate.rules).enum = {defined_only: true}]; - - // This field is valid only when :ref:`forward_client_cert_details - // ` - // is APPEND_FORWARD or SANITIZE_SET and the client connection is mTLS. It specifies the fields in - // the client certificate to be forwarded. Note that in the - // :ref:`config_http_conn_man_headers_x-forwarded-client-cert` header, *Hash* is always set, and - // *By* is always set when the client certificate presents the URI type Subject Alternative Name - // value. - SetCurrentClientCertDetails set_current_client_cert_details = 17; - - // If proxy_100_continue is true, Envoy will proxy incoming "Expect: - // 100-continue" headers upstream, and forward "100 Continue" responses - // downstream. If this is false or not set, Envoy will instead strip the - // "Expect: 100-continue" header, and send a "100 Continue" response itself. 
- bool proxy_100_continue = 18; - - // If - // :ref:`use_remote_address - // ` - // is true and represent_ipv4_remote_address_as_ipv4_mapped_ipv6 is true and the remote address is - // an IPv4 address, the address will be mapped to IPv6 before it is appended to *x-forwarded-for*. - // This is useful for testing compatibility of upstream services that parse the header value. For - // example, 50.0.0.1 is represented as ::FFFF:50.0.0.1. See `IPv4-Mapped IPv6 Addresses - // `_ for details. This will also affect the - // :ref:`config_http_conn_man_headers_x-envoy-external-address` header. See - // :ref:`http_connection_manager.represent_ipv4_remote_address_as_ipv4_mapped_ipv6 - // ` for runtime - // control. - // [#not-implemented-hide:] - bool represent_ipv4_remote_address_as_ipv4_mapped_ipv6 = 20; - - repeated UpgradeConfig upgrade_configs = 23; - - // Should paths be normalized according to RFC 3986 before any processing of - // requests by HTTP filters or routing? This affects the upstream *:path* header - // as well. For paths that fail this check, Envoy will respond with 400 to - // paths that are malformed. This defaults to false currently but will default - // true in the future. When not specified, this value may be overridden by the - // runtime variable - // :ref:`http_connection_manager.normalize_path`. - // See `Normalization and Comparison `_ - // for details of normalization. - // Note that Envoy does not perform - // `case normalization `_ - google.protobuf.BoolValue normalize_path = 30; - - // Determines if adjacent slashes in the path are merged into one before any processing of - // requests by HTTP filters or routing. This affects the upstream *:path* header as well. Without - // setting this option, incoming requests with path `//dir///file` will not match against route - // with `prefix` match set to `/dir`. Defaults to `false`. Note that slash merging is not part of - // `HTTP spec `_ and is provided for convenience. 
- bool merge_slashes = 33; - - // Action to take when request URL path contains escaped slash sequences (%2F, %2f, %5C and %5c). - // The default value can be overridden by the :ref:`http_connection_manager.path_with_escaped_slashes_action` - // runtime variable. - // The :ref:`http_connection_manager.path_with_escaped_slashes_action_sampling` runtime - // variable can be used to apply the action to a portion of all requests. - PathWithEscapedSlashesAction path_with_escaped_slashes_action = 45; - - // The configuration of the request ID extension. This includes operations such as - // generation, validation, and associated tracing operations. If empty, the - // :ref:`UuidRequestIdConfig ` - // default extension is used with default parameters. See the documentation for that extension - // for details on what it does. Customizing the configuration for the default extension can be - // achieved by configuring it explicitly here. For example, to disable trace reason packing, - // the following configuration can be used: - // - // .. validated-code-block:: yaml - // :type-name: envoy.extensions.filters.network.http_connection_manager.v3.RequestIDExtension - // - // typed_config: - // "@type": type.googleapis.com/envoy.extensions.request_id.uuid.v3.UuidRequestIdConfig - // pack_trace_reason: false - // - // [#extension-category: envoy.request_id] - RequestIDExtension request_id_extension = 36; - - // The configuration to customize local reply returned by Envoy. It can customize status code, - // body text and response content type. If not specified, status code and text body are hard - // coded in Envoy, the response content type is plain text. - LocalReplyConfig local_reply_config = 38; - - oneof strip_port_mode { - // Determines if the port part should be removed from host/authority header before any processing - // of request by HTTP filters or routing. The port would be removed only if it is equal to the :ref:`listener's` - // local port. 
This affects the upstream host header unless the method is - // CONNECT in which case if no filter adds a port the original port will be restored before headers are - // sent upstream. - // Without setting this option, incoming requests with host `example:443` will not match against - // route with :ref:`domains` match set to `example`. Defaults to `false`. Note that port removal is not part - // of `HTTP spec `_ and is provided for convenience. - // Only one of `strip_matching_host_port` or `strip_any_host_port` can be set. - bool strip_matching_host_port = 39; - - // Determines if the port part should be removed from host/authority header before any processing - // of request by HTTP filters or routing. - // This affects the upstream host header unless the method is CONNECT in - // which case if no filter adds a port the original port will be restored before headers are sent upstream. - // Without setting this option, incoming requests with host `example:443` will not match against - // route with :ref:`domains` match set to `example`. Defaults to `false`. Note that port removal is not part - // of `HTTP spec `_ and is provided for convenience. - // Only one of `strip_matching_host_port` or `strip_any_host_port` can be set. - bool strip_any_host_port = 42; - } - - // Governs Envoy's behavior when receiving invalid HTTP from downstream. - // If this option is false (default), Envoy will err on the conservative side handling HTTP - // errors, terminating both HTTP/1.1 and HTTP/2 connections when receiving an invalid request. - // If this option is set to true, Envoy will be more permissive, only resetting the invalid - // stream in the case of HTTP/2 and leaving the connection open where possible (if the entire - // request is read for HTTP/1.1) - // In general this should be true for deployments receiving trusted traffic (L2 Envoys, - // company-internal mesh) and false when receiving untrusted traffic (edge deployments). 
- // - // If different behaviors for invalid_http_message for HTTP/1 and HTTP/2 are - // desired, one should use the new HTTP/1 option :ref:`override_stream_error_on_invalid_http_message - // ` or the new HTTP/2 option - // :ref:`override_stream_error_on_invalid_http_message - // ` - // *not* the deprecated but similarly named :ref:`stream_error_on_invalid_http_messaging - // ` - google.protobuf.BoolValue stream_error_on_invalid_http_message = 40; - - // [#not-implemented-hide:] Path normalization configuration. This includes - // configurations for transformations (e.g. RFC 3986 normalization or merge - // adjacent slashes) and the policy to apply them. The policy determines - // whether transformations affect the forwarded *:path* header. RFC 3986 path - // normalization is enabled by default and the default policy is that the - // normalized header will be forwarded. See :ref:`PathNormalizationOptions - // ` - // for details. - PathNormalizationOptions path_normalization_options = 43; - - // Determines if trailing dot of the host should be removed from host/authority header before any - // processing of request by HTTP filters or routing. - // This affects the upstream host header. - // Without setting this option, incoming requests with host `example.com.` will not match against - // route with :ref:`domains` match set to `example.com`. Defaults to `false`. - // When the incoming request contains a host/authority header that includes a port number, - // setting this option will strip a trailing dot, if present, from the host section, - // leaving the port as is (e.g. host value `example.com.:443` will be updated to `example.com:443`). - bool strip_trailing_host_dot = 47; -} - -// The configuration to customize local reply returned by Envoy. 
-message LocalReplyConfig { - option (udpa.annotations.versioning).previous_message_type = - "envoy.extensions.filters.network.http_connection_manager.v3.LocalReplyConfig"; - - // Configuration of list of mappers which allows to filter and change local response. - // The mappers will be checked by the specified order until one is matched. - repeated ResponseMapper mappers = 1; - - // The configuration to form response body from the :ref:`command operators ` - // and to specify response content type as one of: plain/text or application/json. - // - // Example one: "plain/text" ``body_format``. - // - // .. validated-code-block:: yaml - // :type-name: envoy.config.core.v3.SubstitutionFormatString - // - // text_format: "%LOCAL_REPLY_BODY%:%RESPONSE_CODE%:path=%REQ(:path)%\n" - // - // The following response body in "plain/text" format will be generated for a request with - // local reply body of "upstream connection error", response_code=503 and path=/foo. - // - // .. code-block:: text - // - // upstream connect error:503:path=/foo - // - // Example two: "application/json" ``body_format``. - // - // .. validated-code-block:: yaml - // :type-name: envoy.config.core.v3.SubstitutionFormatString - // - // json_format: - // status: "%RESPONSE_CODE%" - // message: "%LOCAL_REPLY_BODY%" - // path: "%REQ(:path)%" - // - // The following response body in "application/json" format would be generated for a request with - // local reply body of "upstream connection error", response_code=503 and path=/foo. - // - // .. code-block:: json - // - // { - // "status": 503, - // "message": "upstream connection error", - // "path": "/foo" - // } - // - config.core.v4alpha.SubstitutionFormatString body_format = 2; -} - -// The configuration to filter and change local response. 
-// [#next-free-field: 6] -message ResponseMapper { - option (udpa.annotations.versioning).previous_message_type = - "envoy.extensions.filters.network.http_connection_manager.v3.ResponseMapper"; - - // Filter to determine if this mapper should apply. - config.accesslog.v4alpha.AccessLogFilter filter = 1 [(validate.rules).message = {required: true}]; - - // The new response status code if specified. - google.protobuf.UInt32Value status_code = 2 [(validate.rules).uint32 = {lt: 600 gte: 200}]; - - // The new local reply body text if specified. It will be used in the `%LOCAL_REPLY_BODY%` - // command operator in the `body_format`. - config.core.v4alpha.DataSource body = 3; - - // A per mapper `body_format` to override the :ref:`body_format `. - // It will be used when this mapper is matched. - config.core.v4alpha.SubstitutionFormatString body_format_override = 4; - - // HTTP headers to add to a local reply. This allows the response mapper to append, to add - // or to override headers of any local reply before it is sent to a downstream client. - repeated config.core.v4alpha.HeaderValueOption headers_to_add = 5 - [(validate.rules).repeated = {max_items: 1000}]; -} - -message Rds { - option (udpa.annotations.versioning).previous_message_type = - "envoy.extensions.filters.network.http_connection_manager.v3.Rds"; - - // Configuration source specifier for RDS. - config.core.v4alpha.ConfigSource config_source = 1 [(validate.rules).message = {required: true}]; - - // The name of the route configuration. This name will be passed to the RDS - // API. This allows an Envoy configuration with multiple HTTP listeners (and - // associated HTTP connection manager filters) to use different route - // configurations. - string route_config_name = 2; -} - -// This message is used to work around the limitations with 'oneof' and repeated fields. 
-message ScopedRouteConfigurationsList { - option (udpa.annotations.versioning).previous_message_type = - "envoy.extensions.filters.network.http_connection_manager.v3.ScopedRouteConfigurationsList"; - - repeated config.route.v4alpha.ScopedRouteConfiguration scoped_route_configurations = 1 - [(validate.rules).repeated = {min_items: 1}]; -} - -// [#next-free-field: 6] -message ScopedRoutes { - option (udpa.annotations.versioning).previous_message_type = - "envoy.extensions.filters.network.http_connection_manager.v3.ScopedRoutes"; - - // Specifies the mechanism for constructing "scope keys" based on HTTP request attributes. These - // keys are matched against a set of :ref:`Key` - // objects assembled from :ref:`ScopedRouteConfiguration` - // messages distributed via SRDS (the Scoped Route Discovery Service) or assigned statically via - // :ref:`scoped_route_configurations_list`. - // - // Upon receiving a request's headers, the Router will build a key using the algorithm specified - // by this message. This key will be used to look up the routing table (i.e., the - // :ref:`RouteConfiguration`) to use for the request. - message ScopeKeyBuilder { - option (udpa.annotations.versioning).previous_message_type = - "envoy.extensions.filters.network.http_connection_manager.v3.ScopedRoutes.ScopeKeyBuilder"; - - // Specifies the mechanism for constructing key fragments which are composed into scope keys. - message FragmentBuilder { - option (udpa.annotations.versioning).previous_message_type = - "envoy.extensions.filters.network.http_connection_manager.v3.ScopedRoutes." - "ScopeKeyBuilder.FragmentBuilder"; - - // Specifies how the value of a header should be extracted. - // The following example maps the structure of a header to the fields in this message. - // - // .. 
code:: - // - // <0> <1> <-- index - // X-Header: a=b;c=d - // | || | - // | || \----> - // | || - // | |\----> - // | | - // | \----> - // | - // \----> - // - // Each 'a=b' key-value pair constitutes an 'element' of the header field. - message HeaderValueExtractor { - option (udpa.annotations.versioning).previous_message_type = - "envoy.extensions.filters.network.http_connection_manager.v3.ScopedRoutes." - "ScopeKeyBuilder.FragmentBuilder.HeaderValueExtractor"; - - // Specifies a header field's key value pair to match on. - message KvElement { - option (udpa.annotations.versioning).previous_message_type = - "envoy.extensions.filters.network.http_connection_manager.v3.ScopedRoutes." - "ScopeKeyBuilder.FragmentBuilder.HeaderValueExtractor.KvElement"; - - // The separator between key and value (e.g., '=' separates 'k=v;...'). - // If an element is an empty string, the element is ignored. - // If an element contains no separator, the whole element is parsed as key and the - // fragment value is an empty string. - // If there are multiple values for a matched key, the first value is returned. - string separator = 1 [(validate.rules).string = {min_len: 1}]; - - // The key to match on. - string key = 2 [(validate.rules).string = {min_len: 1}]; - } - - // The name of the header field to extract the value from. - // - // .. note:: - // - // If the header appears multiple times only the first value is used. - string name = 1 [(validate.rules).string = {min_len: 1}]; - - // The element separator (e.g., ';' separates 'a;b;c;d'). - // Default: empty string. This causes the entirety of the header field to be extracted. - // If this field is set to an empty string and 'index' is used in the oneof below, 'index' - // must be set to 0. - string element_separator = 2; - - oneof extract_type { - // Specifies the zero based index of the element to extract. 
- // Note Envoy concatenates multiple values of the same header key into a comma separated - // string, the splitting always happens after the concatenation. - uint32 index = 3; - - // Specifies the key value pair to extract the value from. - KvElement element = 4; - } - } - - oneof type { - option (validate.required) = true; - - // Specifies how a header field's value should be extracted. - HeaderValueExtractor header_value_extractor = 1; - } - } - - // The final(built) scope key consists of the ordered union of these fragments, which are compared in order with the - // fragments of a :ref:`ScopedRouteConfiguration`. - // A missing fragment during comparison will make the key invalid, i.e., the computed key doesn't match any key. - repeated FragmentBuilder fragments = 1 [(validate.rules).repeated = {min_items: 1}]; - } - - // The name assigned to the scoped routing configuration. - string name = 1 [(validate.rules).string = {min_len: 1}]; - - // The algorithm to use for constructing a scope key for each request. - ScopeKeyBuilder scope_key_builder = 2 [(validate.rules).message = {required: true}]; - - // Configuration source specifier for RDS. - // This config source is used to subscribe to RouteConfiguration resources specified in - // ScopedRouteConfiguration messages. - config.core.v4alpha.ConfigSource rds_config_source = 3 - [(validate.rules).message = {required: true}]; - - oneof config_specifier { - option (validate.required) = true; - - // The set of routing scopes corresponding to the HCM. A scope is assigned to a request by - // matching a key constructed from the request's attributes according to the algorithm specified - // by the - // :ref:`ScopeKeyBuilder` - // in this message. - ScopedRouteConfigurationsList scoped_route_configurations_list = 4; - - // The set of routing scopes associated with the HCM will be dynamically loaded via the SRDS - // API. 
A scope is assigned to a request by matching a key constructed from the request's - // attributes according to the algorithm specified by the - // :ref:`ScopeKeyBuilder` - // in this message. - ScopedRds scoped_rds = 5; - } -} - -message ScopedRds { - option (udpa.annotations.versioning).previous_message_type = - "envoy.extensions.filters.network.http_connection_manager.v3.ScopedRds"; - - // Configuration source specifier for scoped RDS. - config.core.v4alpha.ConfigSource scoped_rds_config_source = 1 - [(validate.rules).message = {required: true}]; - - // xdstp:// resource locator for scoped RDS collection. - // [#not-implemented-hide:] - string srds_resources_locator = 2; -} - -// [#next-free-field: 7] -message HttpFilter { - option (udpa.annotations.versioning).previous_message_type = - "envoy.extensions.filters.network.http_connection_manager.v3.HttpFilter"; - - reserved 3, 2; - - reserved "config"; - - // The name of the filter configuration. The name is used as a fallback to - // select an extension if the type of the configuration proto is not - // sufficient. It also serves as a resource name in ExtensionConfigDS. - string name = 1 [(validate.rules).string = {min_len: 1}]; - - oneof config_type { - // Filter specific configuration which depends on the filter being instantiated. See the supported - // filters for further documentation. - // - // To support configuring a :ref:`match tree `, use an - // :ref:`ExtensionWithMatcher ` - // with the desired HTTP filter. - // [#extension-category: envoy.filters.http] - google.protobuf.Any typed_config = 4; - - // Configuration source specifier for an extension configuration discovery service. - // In case of a failure and without the default configuration, the HTTP listener responds with code 500. - // Extension configs delivered through this mechanism are not expected to require warming (see https://github.com/envoyproxy/envoy/issues/12061). 
- // - // To support configuring a :ref:`match tree `, use an - // :ref:`ExtensionWithMatcher ` - // with the desired HTTP filter. This works for both the default filter configuration as well - // as for filters provided via the API. - config.core.v4alpha.ExtensionConfigSource config_discovery = 5; - } - - // If true, clients that do not support this filter may ignore the - // filter but otherwise accept the config. - // Otherwise, clients that do not support this filter must reject the config. - // This is also same with typed per filter config. - bool is_optional = 6; -} - -message RequestIDExtension { - option (udpa.annotations.versioning).previous_message_type = - "envoy.extensions.filters.network.http_connection_manager.v3.RequestIDExtension"; - - // Request ID extension specific configuration. - google.protobuf.Any typed_config = 1; -} - -// [#protodoc-title: Envoy Mobile HTTP connection manager] -// HTTP connection manager for use in Envoy mobile. -// [#extension: envoy.filters.network.envoy_mobile_http_connection_manager] -message EnvoyMobileHttpConnectionManager { - option (udpa.annotations.versioning).previous_message_type = - "envoy.extensions.filters.network.http_connection_manager.v3." - "EnvoyMobileHttpConnectionManager"; - - // The configuration for the underlying HttpConnectionManager which will be - // instantiated for Envoy mobile. - HttpConnectionManager config = 1; -} diff --git a/api/envoy/extensions/filters/network/ratelimit/v4alpha/BUILD b/api/envoy/extensions/filters/network/ratelimit/v4alpha/BUILD deleted file mode 100644 index d9d0ca109526..000000000000 --- a/api/envoy/extensions/filters/network/ratelimit/v4alpha/BUILD +++ /dev/null 
@@ -1,14 +0,0 @@ -# DO NOT EDIT. This file is generated by tools/proto_format/proto_sync.py. - -load("@envoy_api//bazel:api_build_system.bzl", "api_proto_package") - -licenses(["notice"]) # Apache 2 - -api_proto_package( - deps = [ - "//envoy/config/ratelimit/v4alpha:pkg", - "//envoy/extensions/common/ratelimit/v3:pkg", - "//envoy/extensions/filters/network/ratelimit/v3:pkg", - "@com_github_cncf_udpa//udpa/annotations:pkg", - ], -) diff --git a/api/envoy/extensions/filters/network/ratelimit/v4alpha/rate_limit.proto b/api/envoy/extensions/filters/network/ratelimit/v4alpha/rate_limit.proto deleted file mode 100644 index b53cb3bcc1d0..000000000000 --- a/api/envoy/extensions/filters/network/ratelimit/v4alpha/rate_limit.proto +++ /dev/null 
@@ -1,53 +0,0 @@ -syntax = "proto3"; - -package envoy.extensions.filters.network.ratelimit.v4alpha; - -import "envoy/config/ratelimit/v4alpha/rls.proto"; -import "envoy/extensions/common/ratelimit/v3/ratelimit.proto"; - -import "google/protobuf/duration.proto"; - -import "udpa/annotations/status.proto"; -import "udpa/annotations/versioning.proto"; -import "validate/validate.proto"; - -option java_package = "io.envoyproxy.envoy.extensions.filters.network.ratelimit.v4alpha"; -option java_outer_classname = "RateLimitProto"; -option java_multiple_files = true; -option (udpa.annotations.file_status).package_version_status = NEXT_MAJOR_VERSION_CANDIDATE; - -// [#protodoc-title: Rate limit] -// Rate limit :ref:`configuration overview `. -// [#extension: envoy.filters.network.ratelimit] - -// [#next-free-field: 7] -message RateLimit { - option (udpa.annotations.versioning).previous_message_type = - "envoy.extensions.filters.network.ratelimit.v3.RateLimit"; - - // The prefix to use when emitting :ref:`statistics `. - string stat_prefix = 1 [(validate.rules).string = {min_len: 1}]; - - // The rate limit domain to use in the rate limit service request. - string domain = 2 [(validate.rules).string = {min_len: 1}]; - - // The rate limit descriptor list to use in the rate limit service request. - repeated common.ratelimit.v3.RateLimitDescriptor descriptors = 3 - [(validate.rules).repeated = {min_items: 1}]; - - // The timeout in milliseconds for the rate limit service RPC. If not - // set, this defaults to 20ms. - google.protobuf.Duration timeout = 4; - - // The filter's behaviour in case the rate limiting service does - // not respond back. When it is set to true, Envoy will not allow traffic in case of - // communication failure between rate limiting service and the proxy. - // Defaults to false. - bool failure_mode_deny = 5; - - // Configuration for an external rate limit service provider. 
If not - // specified, any calls to the rate limit service will immediately return - // success. - config.ratelimit.v4alpha.RateLimitServiceConfig rate_limit_service = 6 - [(validate.rules).message = {required: true}]; -} diff --git a/api/envoy/extensions/filters/network/rbac/v4alpha/BUILD b/api/envoy/extensions/filters/network/rbac/v4alpha/BUILD deleted file mode 100644 index 27418dd3299e..000000000000 --- a/api/envoy/extensions/filters/network/rbac/v4alpha/BUILD +++ /dev/null @@ -1,13 +0,0 @@ -# DO NOT EDIT. This file is generated by tools/proto_format/proto_sync.py. - -load("@envoy_api//bazel:api_build_system.bzl", "api_proto_package") - -licenses(["notice"]) # Apache 2 - -api_proto_package( - deps = [ - "//envoy/config/rbac/v4alpha:pkg", - "//envoy/extensions/filters/network/rbac/v3:pkg", - "@com_github_cncf_udpa//udpa/annotations:pkg", - ], -) diff --git a/api/envoy/extensions/filters/network/rbac/v4alpha/rbac.proto b/api/envoy/extensions/filters/network/rbac/v4alpha/rbac.proto deleted file mode 100644 index 3512bae2d2ab..000000000000 --- a/api/envoy/extensions/filters/network/rbac/v4alpha/rbac.proto +++ /dev/null 
@@ -1,64 +0,0 @@ -syntax = "proto3"; - -package envoy.extensions.filters.network.rbac.v4alpha; - -import "envoy/config/rbac/v4alpha/rbac.proto"; - -import "udpa/annotations/status.proto"; -import "udpa/annotations/versioning.proto"; -import "validate/validate.proto"; - -option java_package = "io.envoyproxy.envoy.extensions.filters.network.rbac.v4alpha"; -option java_outer_classname = "RbacProto"; -option java_multiple_files = true; -option (udpa.annotations.file_status).package_version_status = NEXT_MAJOR_VERSION_CANDIDATE; - -// [#protodoc-title: RBAC] -// Role-Based Access Control :ref:`configuration overview `. -// [#extension: envoy.filters.network.rbac] - -// RBAC network filter config. -// -// Header should not be used in rules/shadow_rules in RBAC network filter as -// this information is only available in :ref:`RBAC http filter `. -// [#next-free-field: 6] -message RBAC { - option (udpa.annotations.versioning).previous_message_type = - "envoy.extensions.filters.network.rbac.v3.RBAC"; - - enum EnforcementType { - // Apply RBAC policies when the first byte of data arrives on the connection. - ONE_TIME_ON_FIRST_BYTE = 0; - - // Continuously apply RBAC policies as data arrives. Use this mode when - // using RBAC with message oriented protocols such as Mongo, MySQL, Kafka, - // etc. when the protocol decoders emit dynamic metadata such as the - // resources being accessed and the operations on the resources. - CONTINUOUS = 1; - } - - // Specify the RBAC rules to be applied globally. - // If absent, no enforcing RBAC policy will be applied. - // If present and empty, DENY. - config.rbac.v4alpha.RBAC rules = 1; - - // Shadow rules are not enforced by the filter but will emit stats and logs - // and can be used for rule testing. - // If absent, no shadow RBAC policy will be applied. - config.rbac.v4alpha.RBAC shadow_rules = 2; - - // If specified, shadow rules will emit stats with the given prefix. 
- // This is useful to distinguish the stat when there are more than 1 RBAC filter configured with - // shadow rules. - string shadow_rules_stat_prefix = 5; - - // The prefix to use when emitting statistics. - string stat_prefix = 3 [(validate.rules).string = {min_len: 1}]; - - // RBAC enforcement strategy. By default RBAC will be enforced only once - // when the first byte of data arrives from the downstream. When used in - // conjunction with filters that emit dynamic metadata after decoding - // every payload (e.g., Mongo, MySQL, Kafka) set the enforcement type to - // CONTINUOUS to enforce RBAC policies on every message boundary. - EnforcementType enforcement_type = 4; -} diff --git a/api/envoy/extensions/filters/network/sni_dynamic_forward_proxy/v4alpha/BUILD b/api/envoy/extensions/filters/network/sni_dynamic_forward_proxy/v4alpha/BUILD deleted file mode 100644 index 465ea4ff2844..000000000000 --- a/api/envoy/extensions/filters/network/sni_dynamic_forward_proxy/v4alpha/BUILD +++ /dev/null @@ -1,13 +0,0 @@ -# DO NOT EDIT. This file is generated by tools/proto_format/proto_sync.py. - -load("@envoy_api//bazel:api_build_system.bzl", "api_proto_package") - -licenses(["notice"]) # Apache 2 - -api_proto_package( - deps = [ - "//envoy/extensions/common/dynamic_forward_proxy/v4alpha:pkg", - "//envoy/extensions/filters/network/sni_dynamic_forward_proxy/v3alpha:pkg", - "@com_github_cncf_udpa//udpa/annotations:pkg", - ], -) diff --git a/api/envoy/extensions/filters/network/sni_dynamic_forward_proxy/v4alpha/sni_dynamic_forward_proxy.proto b/api/envoy/extensions/filters/network/sni_dynamic_forward_proxy/v4alpha/sni_dynamic_forward_proxy.proto deleted file mode 100644 index de2947fcba9e..000000000000 --- a/api/envoy/extensions/filters/network/sni_dynamic_forward_proxy/v4alpha/sni_dynamic_forward_proxy.proto +++ /dev/null 
@@ -1,40 +0,0 @@ -syntax = "proto3"; - -package envoy.extensions.filters.network.sni_dynamic_forward_proxy.v4alpha; - -import "envoy/extensions/common/dynamic_forward_proxy/v4alpha/dns_cache.proto"; - -import "udpa/annotations/status.proto"; -import "udpa/annotations/versioning.proto"; -import "validate/validate.proto"; - -option java_package = "io.envoyproxy.envoy.extensions.filters.network.sni_dynamic_forward_proxy.v4alpha"; -option java_outer_classname = "SniDynamicForwardProxyProto"; -option java_multiple_files = true; -option (udpa.annotations.file_status).work_in_progress = true; -option (udpa.annotations.file_status).package_version_status = NEXT_MAJOR_VERSION_CANDIDATE; - -// [#protodoc-title: SNI dynamic forward proxy] - -// Configuration for the SNI-based dynamic forward proxy filter. See the -// :ref:`architecture overview ` for -// more information. Note this filter must be configured along with -// :ref:`TLS inspector listener filter ` -// to work. -// [#extension: envoy.filters.network.sni_dynamic_forward_proxy] -message FilterConfig { - option (udpa.annotations.versioning).previous_message_type = - "envoy.extensions.filters.network.sni_dynamic_forward_proxy.v3alpha.FilterConfig"; - - // The DNS cache configuration that the filter will attach to. Note this - // configuration must match that of associated :ref:`dynamic forward proxy - // cluster configuration - // `. - common.dynamic_forward_proxy.v4alpha.DnsCacheConfig dns_cache_config = 1 - [(validate.rules).message = {required: true}]; - - oneof port_specifier { - // The port number to connect to the upstream. - uint32 port_value = 2 [(validate.rules).uint32 = {lte: 65535 gt: 0}]; - } -} diff --git a/api/envoy/extensions/filters/network/tcp_proxy/v4alpha/BUILD b/api/envoy/extensions/filters/network/tcp_proxy/v4alpha/BUILD deleted file mode 100644 index 1b359dc7be52..000000000000 --- a/api/envoy/extensions/filters/network/tcp_proxy/v4alpha/BUILD +++ /dev/null 
@@ -1,15 +0,0 @@ -# DO NOT EDIT. This file is generated by tools/proto_format/proto_sync.py. - -load("@envoy_api//bazel:api_build_system.bzl", "api_proto_package") - -licenses(["notice"]) # Apache 2 - -api_proto_package( - deps = [ - "//envoy/config/accesslog/v4alpha:pkg", - "//envoy/config/core/v4alpha:pkg", - "//envoy/extensions/filters/network/tcp_proxy/v3:pkg", - "//envoy/type/v3:pkg", - "@com_github_cncf_udpa//udpa/annotations:pkg", - ], -) diff --git a/api/envoy/extensions/filters/network/tcp_proxy/v4alpha/tcp_proxy.proto b/api/envoy/extensions/filters/network/tcp_proxy/v4alpha/tcp_proxy.proto deleted file mode 100644 index 95f2c26c888c..000000000000 --- a/api/envoy/extensions/filters/network/tcp_proxy/v4alpha/tcp_proxy.proto +++ /dev/null 
@@ -1,154 +0,0 @@ -syntax = "proto3"; - -package envoy.extensions.filters.network.tcp_proxy.v4alpha; - -import "envoy/config/accesslog/v4alpha/accesslog.proto"; -import "envoy/config/core/v4alpha/base.proto"; -import "envoy/type/v3/hash_policy.proto"; - -import "google/protobuf/duration.proto"; -import "google/protobuf/wrappers.proto"; - -import "udpa/annotations/status.proto"; -import "udpa/annotations/versioning.proto"; -import "validate/validate.proto"; - -option java_package = "io.envoyproxy.envoy.extensions.filters.network.tcp_proxy.v4alpha"; -option java_outer_classname = "TcpProxyProto"; -option java_multiple_files = true; -option (udpa.annotations.file_status).package_version_status = NEXT_MAJOR_VERSION_CANDIDATE; - -// [#protodoc-title: TCP Proxy] -// TCP Proxy :ref:`configuration overview `. -// [#extension: envoy.filters.network.tcp_proxy] - -// [#next-free-field: 14] -message TcpProxy { - option (udpa.annotations.versioning).previous_message_type = - "envoy.extensions.filters.network.tcp_proxy.v3.TcpProxy"; - - // Allows for specification of multiple upstream clusters along with weights - // that indicate the percentage of traffic to be forwarded to each cluster. - // The router selects an upstream cluster based on these weights. - message WeightedCluster { - option (udpa.annotations.versioning).previous_message_type = - "envoy.extensions.filters.network.tcp_proxy.v3.TcpProxy.WeightedCluster"; - - message ClusterWeight { - option (udpa.annotations.versioning).previous_message_type = - "envoy.extensions.filters.network.tcp_proxy.v3.TcpProxy.WeightedCluster.ClusterWeight"; - - // Name of the upstream cluster. - string name = 1 [(validate.rules).string = {min_len: 1}]; - - // When a request matches the route, the choice of an upstream cluster is - // determined by its weight. The sum of weights across all entries in the - // clusters array determines the total weight. 
- uint32 weight = 2 [(validate.rules).uint32 = {gte: 1}]; - - // Optional endpoint metadata match criteria used by the subset load balancer. Only endpoints - // in the upstream cluster with metadata matching what is set in this field will be considered - // for load balancing. Note that this will be merged with what's provided in - // :ref:`TcpProxy.metadata_match - // `, with values - // here taking precedence. The filter name should be specified as *envoy.lb*. - config.core.v4alpha.Metadata metadata_match = 3; - } - - // Specifies one or more upstream clusters associated with the route. - repeated ClusterWeight clusters = 1 [(validate.rules).repeated = {min_items: 1}]; - } - - // Configuration for tunneling TCP over other transports or application layers. - // Tunneling is supported over both HTTP/1.1 and HTTP/2. Upstream protocol is - // determined by the cluster configuration. - message TunnelingConfig { - option (udpa.annotations.versioning).previous_message_type = - "envoy.extensions.filters.network.tcp_proxy.v3.TcpProxy.TunnelingConfig"; - - // The hostname to send in the synthesized CONNECT headers to the upstream proxy. - string hostname = 1 [(validate.rules).string = {min_len: 1}]; - - // Use POST method instead of CONNECT method to tunnel the TCP stream. - // The 'protocol: bytestream' header is also NOT set for HTTP/2 to comply with the spec. - // - // The upstream proxy is expected to convert POST payload as raw TCP. - bool use_post = 2; - - // Additional request headers to upstream proxy. This is mainly used to - // trigger upstream to convert POST requests back to CONNECT requests. - // - // Neither *:-prefixed* pseudo-headers nor the Host: header can be overridden. - repeated config.core.v4alpha.HeaderValueOption headers_to_add = 3 - [(validate.rules).repeated = {max_items: 1000}]; - } - - reserved 6; - - reserved "deprecated_v1"; - - // The prefix to use when emitting :ref:`statistics - // `. 
- string stat_prefix = 1 [(validate.rules).string = {min_len: 1}]; - - oneof cluster_specifier { - option (validate.required) = true; - - // The upstream cluster to connect to. - string cluster = 2; - - // Multiple upstream clusters can be specified for a given route. The - // request is routed to one of the upstream clusters based on weights - // assigned to each cluster. - WeightedCluster weighted_clusters = 10; - } - - // Optional endpoint metadata match criteria. Only endpoints in the upstream - // cluster with metadata matching that set in metadata_match will be - // considered. The filter name should be specified as *envoy.lb*. - config.core.v4alpha.Metadata metadata_match = 9; - - // The idle timeout for connections managed by the TCP proxy filter. The idle timeout - // is defined as the period in which there are no bytes sent or received on either - // the upstream or downstream connection. If not set, the default idle timeout is 1 hour. If set - // to 0s, the timeout will be disabled. - // - // .. warning:: - // Disabling this timeout has a highly likelihood of yielding connection leaks due to lost TCP - // FIN packets, etc. - google.protobuf.Duration idle_timeout = 8; - - // [#not-implemented-hide:] The idle timeout for connections managed by the TCP proxy - // filter. The idle timeout is defined as the period in which there is no - // active traffic. If not set, there is no idle timeout. When the idle timeout - // is reached the connection will be closed. The distinction between - // downstream_idle_timeout/upstream_idle_timeout provides a means to set - // timeout based on the last byte sent on the downstream/upstream connection. - google.protobuf.Duration downstream_idle_timeout = 3; - - // [#not-implemented-hide:] - google.protobuf.Duration upstream_idle_timeout = 4; - - // Configuration for :ref:`access logs ` - // emitted by the this tcp_proxy. 
- repeated config.accesslog.v4alpha.AccessLog access_log = 5; - - // The maximum number of unsuccessful connection attempts that will be made before - // giving up. If the parameter is not specified, 1 connection attempt will be made. - google.protobuf.UInt32Value max_connect_attempts = 7 [(validate.rules).uint32 = {gte: 1}]; - - // Optional configuration for TCP proxy hash policy. If hash_policy is not set, the hash-based - // load balancing algorithms will select a host randomly. Currently the number of hash policies is - // limited to 1. - repeated type.v3.HashPolicy hash_policy = 11 [(validate.rules).repeated = {max_items: 1}]; - - // If set, this configures tunneling, e.g. configuration options to tunnel TCP payload over - // HTTP CONNECT. If this message is absent, the payload will be proxied upstream as per usual. - TunnelingConfig tunneling_config = 12; - - // The maximum duration of a connection. The duration is defined as the period since a connection - // was established. If not set, there is no max duration. When max_downstream_connection_duration - // is reached the connection will be closed. Duration must be at least 1ms. - google.protobuf.Duration max_downstream_connection_duration = 13 - [(validate.rules).duration = {gte {nanos: 1000000}}]; -} diff --git a/api/envoy/extensions/filters/network/thrift_proxy/filters/ratelimit/v4alpha/BUILD b/api/envoy/extensions/filters/network/thrift_proxy/filters/ratelimit/v4alpha/BUILD deleted file mode 100644 index a58bc9ebda54..000000000000 --- a/api/envoy/extensions/filters/network/thrift_proxy/filters/ratelimit/v4alpha/BUILD +++ /dev/null 
@@ -1,13 +0,0 @@ -# DO NOT EDIT. This file is generated by tools/proto_format/proto_sync.py. - -load("@envoy_api//bazel:api_build_system.bzl", "api_proto_package") - -licenses(["notice"]) # Apache 2 - -api_proto_package( - deps = [ - "//envoy/config/ratelimit/v4alpha:pkg", - "//envoy/extensions/filters/network/thrift_proxy/filters/ratelimit/v3:pkg", - "@com_github_cncf_udpa//udpa/annotations:pkg", - ], -) diff --git a/api/envoy/extensions/filters/network/thrift_proxy/filters/ratelimit/v4alpha/rate_limit.proto b/api/envoy/extensions/filters/network/thrift_proxy/filters/ratelimit/v4alpha/rate_limit.proto deleted file mode 100644 index ed2a33290268..000000000000 --- a/api/envoy/extensions/filters/network/thrift_proxy/filters/ratelimit/v4alpha/rate_limit.proto +++ /dev/null 
@@ -1,56 +0,0 @@ -syntax = "proto3"; - -package envoy.extensions.filters.network.thrift_proxy.filters.ratelimit.v4alpha; - -import "envoy/config/ratelimit/v4alpha/rls.proto"; - -import "google/protobuf/duration.proto"; - -import "udpa/annotations/status.proto"; -import "udpa/annotations/versioning.proto"; -import "validate/validate.proto"; - -option java_package = "io.envoyproxy.envoy.extensions.filters.network.thrift_proxy.filters.ratelimit.v4alpha"; -option java_outer_classname = "RateLimitProto"; -option java_multiple_files = true; -option (udpa.annotations.file_status).package_version_status = NEXT_MAJOR_VERSION_CANDIDATE; - -// [#protodoc-title: Rate limit] -// Rate limit :ref:`configuration overview `. -// [#extension: envoy.filters.thrift.ratelimit] - -// [#next-free-field: 6] -message RateLimit { - option (udpa.annotations.versioning).previous_message_type = - "envoy.extensions.filters.network.thrift_proxy.filters.ratelimit.v3.RateLimit"; - - // The rate limit domain to use in the rate limit service request. - string domain = 1 [(validate.rules).string = {min_len: 1}]; - - // Specifies the rate limit configuration stage. Each configured rate limit filter performs a - // rate limit check using descriptors configured in the - // :ref:`envoy_v3_api_msg_extensions.filters.network.thrift_proxy.v3.RouteAction` for the request. - // Only those entries with a matching stage number are used for a given filter. If not set, the - // default stage number is 0. - // - // .. note:: - // - // The filter supports a range of 0 - 10 inclusively for stage numbers. - uint32 stage = 2 [(validate.rules).uint32 = {lte: 10}]; - - // The timeout in milliseconds for the rate limit service RPC. If not - // set, this defaults to 20ms. - google.protobuf.Duration timeout = 3; - - // The filter's behaviour in case the rate limiting service does - // not respond back. 
When it is set to true, Envoy will not allow traffic in case of - // communication failure between rate limiting service and the proxy. - // Defaults to false. - bool failure_mode_deny = 4; - - // Configuration for an external rate limit service provider. If not - // specified, any calls to the rate limit service will immediately return - // success. - config.ratelimit.v4alpha.RateLimitServiceConfig rate_limit_service = 5 - [(validate.rules).message = {required: true}]; -} diff --git a/api/envoy/extensions/filters/network/thrift_proxy/v4alpha/BUILD b/api/envoy/extensions/filters/network/thrift_proxy/v4alpha/BUILD deleted file mode 100644 index 995c04093a7d..000000000000 --- a/api/envoy/extensions/filters/network/thrift_proxy/v4alpha/BUILD +++ /dev/null @@ -1,14 +0,0 @@ -# DO NOT EDIT. This file is generated by tools/proto_format/proto_sync.py. - -load("@envoy_api//bazel:api_build_system.bzl", "api_proto_package") - -licenses(["notice"]) # Apache 2 - -api_proto_package( - deps = [ - "//envoy/config/core/v4alpha:pkg", - "//envoy/config/route/v4alpha:pkg", - "//envoy/extensions/filters/network/thrift_proxy/v3:pkg", - "@com_github_cncf_udpa//udpa/annotations:pkg", - ], -) diff --git a/api/envoy/extensions/filters/network/thrift_proxy/v4alpha/route.proto b/api/envoy/extensions/filters/network/thrift_proxy/v4alpha/route.proto deleted file mode 100644 index 48caaadf2b75..000000000000 --- a/api/envoy/extensions/filters/network/thrift_proxy/v4alpha/route.proto +++ /dev/null 
@@ -1,186 +0,0 @@ -syntax = "proto3"; - -package envoy.extensions.filters.network.thrift_proxy.v4alpha; - -import "envoy/config/core/v4alpha/base.proto"; -import "envoy/config/route/v4alpha/route_components.proto"; - -import "google/protobuf/wrappers.proto"; - -import "udpa/annotations/status.proto"; -import "udpa/annotations/versioning.proto"; -import "validate/validate.proto"; - -option java_package = "io.envoyproxy.envoy.extensions.filters.network.thrift_proxy.v4alpha"; -option java_outer_classname = "RouteProto"; -option java_multiple_files = true; -option (udpa.annotations.file_status).package_version_status = NEXT_MAJOR_VERSION_CANDIDATE; - -// [#protodoc-title: Thrift Proxy Route Configuration] -// Thrift Proxy :ref:`configuration overview `. - -message RouteConfiguration { - option (udpa.annotations.versioning).previous_message_type = - "envoy.extensions.filters.network.thrift_proxy.v3.RouteConfiguration"; - - // The name of the route configuration. Reserved for future use in asynchronous route discovery. - string name = 1; - - // The list of routes that will be matched, in order, against incoming requests. The first route - // that matches will be used. - repeated Route routes = 2; -} - -message Route { - option (udpa.annotations.versioning).previous_message_type = - "envoy.extensions.filters.network.thrift_proxy.v3.Route"; - - // Route matching parameters. - RouteMatch match = 1 [(validate.rules).message = {required: true}]; - - // Route request to some upstream cluster. - RouteAction route = 2 [(validate.rules).message = {required: true}]; -} - -message RouteMatch { - option (udpa.annotations.versioning).previous_message_type = - "envoy.extensions.filters.network.thrift_proxy.v3.RouteMatch"; - - oneof match_specifier { - option (validate.required) = true; - - // If specified, the route must exactly match the request method name. As a special case, an - // empty string matches any request method name. 
- string method_name = 1; - - // If specified, the route must have the service name as the request method name prefix. As a - // special case, an empty string matches any service name. Only relevant when service - // multiplexing. - string service_name = 2; - } - - // Inverts whatever matching is done in the :ref:`method_name - // ` or - // :ref:`service_name - // ` fields. - // Cannot be combined with wildcard matching as that would result in routes never being matched. - // - // .. note:: - // - // This does not invert matching done as part of the :ref:`headers field - // ` field. To - // invert header matching, see :ref:`invert_match - // `. - bool invert = 3; - - // Specifies a set of headers that the route should match on. The router will check the request’s - // headers against all the specified headers in the route config. A match will happen if all the - // headers in the route are present in the request with the same values (or based on presence if - // the value field is not in the config). Note that this only applies for Thrift transports and/or - // protocols that support headers. - repeated config.route.v4alpha.HeaderMatcher headers = 4; -} - -// [#next-free-field: 8] -message RouteAction { - option (udpa.annotations.versioning).previous_message_type = - "envoy.extensions.filters.network.thrift_proxy.v3.RouteAction"; - - // The router is capable of shadowing traffic from one cluster to another. The current - // implementation is "fire and forget," meaning Envoy will not wait for the shadow cluster to - // respond before returning the response from the primary cluster. All normal statistics are - // collected for the shadow cluster making this feature useful for testing. - // - // .. note:: - // - // Shadowing will not be triggered if the primary cluster does not exist. 
- message RequestMirrorPolicy { - option (udpa.annotations.versioning).previous_message_type = - "envoy.extensions.filters.network.thrift_proxy.v3.RouteAction.RequestMirrorPolicy"; - - // Specifies the cluster that requests will be mirrored to. The cluster must - // exist in the cluster manager configuration when the route configuration is loaded. - // If it disappears at runtime, the shadow request will silently be ignored. - string cluster = 1 [(validate.rules).string = {min_len: 1}]; - - // If not specified, all requests to the target cluster will be mirrored. - // - // For some fraction N/D, a random number in the range [0,D) is selected. If the - // number is <= the value of the numerator N, or if the key is not present, the default - // value, the request will be mirrored. - config.core.v4alpha.RuntimeFractionalPercent runtime_fraction = 2; - } - - oneof cluster_specifier { - option (validate.required) = true; - - // Indicates a single upstream cluster to which the request should be routed - // to. - string cluster = 1 [(validate.rules).string = {min_len: 1}]; - - // Multiple upstream clusters can be specified for a given route. The - // request is routed to one of the upstream clusters based on weights - // assigned to each cluster. - WeightedCluster weighted_clusters = 2; - - // Envoy will determine the cluster to route to by reading the value of the - // Thrift header named by cluster_header from the request headers. If the - // header is not found or the referenced cluster does not exist Envoy will - // respond with an unknown method exception or an internal error exception, - // respectively. - string cluster_header = 6 - [(validate.rules).string = {min_len: 1 well_known_regex: HTTP_HEADER_VALUE strict: false}]; - } - - // Optional endpoint metadata match criteria used by the subset load balancer. Only endpoints in - // the upstream cluster with metadata matching what is set in this field will be considered. 
- // Note that this will be merged with what's provided in :ref:`WeightedCluster.metadata_match - // `, - // with values there taking precedence. Keys and values should be provided under the "envoy.lb" - // metadata key. - config.core.v4alpha.Metadata metadata_match = 3; - - // Specifies a set of rate limit configurations that could be applied to the route. - // N.B. Thrift service or method name matching can be achieved by specifying a RequestHeaders - // action with the header name ":method-name". - repeated config.route.v4alpha.RateLimit rate_limits = 4; - - // Strip the service prefix from the method name, if there's a prefix. For - // example, the method call Service:method would end up being just method. - bool strip_service_name = 5; - - // Indicates that the route has request mirroring policies. - repeated RequestMirrorPolicy request_mirror_policies = 7; -} - -// Allows for specification of multiple upstream clusters along with weights that indicate the -// percentage of traffic to be forwarded to each cluster. The router selects an upstream cluster -// based on these weights. -message WeightedCluster { - option (udpa.annotations.versioning).previous_message_type = - "envoy.extensions.filters.network.thrift_proxy.v3.WeightedCluster"; - - message ClusterWeight { - option (udpa.annotations.versioning).previous_message_type = - "envoy.extensions.filters.network.thrift_proxy.v3.WeightedCluster.ClusterWeight"; - - // Name of the upstream cluster. - string name = 1 [(validate.rules).string = {min_len: 1}]; - - // When a request matches the route, the choice of an upstream cluster is determined by its - // weight. The sum of weights across all entries in the clusters array determines the total - // weight. - google.protobuf.UInt32Value weight = 2 [(validate.rules).uint32 = {gte: 1}]; - - // Optional endpoint metadata match criteria used by the subset load balancer. 
Only endpoints in - // the upstream cluster with metadata matching what is set in this field, combined with what's - // provided in :ref:`RouteAction's metadata_match - // `, - // will be considered. Values here will take precedence. Keys and values should be provided - // under the "envoy.lb" metadata key. - config.core.v4alpha.Metadata metadata_match = 3; - } - - // Specifies one or more upstream clusters associated with the route. - repeated ClusterWeight clusters = 1 [(validate.rules).repeated = {min_items: 1}]; -} diff --git a/api/envoy/extensions/filters/network/thrift_proxy/v4alpha/thrift_proxy.proto b/api/envoy/extensions/filters/network/thrift_proxy/v4alpha/thrift_proxy.proto deleted file mode 100644 index de399582869a..000000000000 --- a/api/envoy/extensions/filters/network/thrift_proxy/v4alpha/thrift_proxy.proto +++ /dev/null 
@@ -1,140 +0,0 @@ -syntax = "proto3"; - -package envoy.extensions.filters.network.thrift_proxy.v4alpha; - -import "envoy/extensions/filters/network/thrift_proxy/v4alpha/route.proto"; - -import "google/protobuf/any.proto"; -import "google/protobuf/wrappers.proto"; - -import "udpa/annotations/status.proto"; -import "udpa/annotations/versioning.proto"; -import "validate/validate.proto"; - -option java_package = "io.envoyproxy.envoy.extensions.filters.network.thrift_proxy.v4alpha"; -option java_outer_classname = "ThriftProxyProto"; -option java_multiple_files = true; -option (udpa.annotations.file_status).package_version_status = NEXT_MAJOR_VERSION_CANDIDATE; - -// [#protodoc-title: Thrift Proxy] -// Thrift Proxy :ref:`configuration overview `. -// [#extension: envoy.filters.network.thrift_proxy] - -// Thrift transport types supported by Envoy. -enum TransportType { - // For downstream connections, the Thrift proxy will attempt to determine which transport to use. - // For upstream connections, the Thrift proxy will use same transport as the downstream - // connection. - AUTO_TRANSPORT = 0; - - // The Thrift proxy will use the Thrift framed transport. - FRAMED = 1; - - // The Thrift proxy will use the Thrift unframed transport. - UNFRAMED = 2; - - // The Thrift proxy will assume the client is using the Thrift header transport. - HEADER = 3; -} - -// Thrift Protocol types supported by Envoy. -enum ProtocolType { - // For downstream connections, the Thrift proxy will attempt to determine which protocol to use. - // Note that the older, non-strict (or lax) binary protocol is not included in automatic protocol - // detection. For upstream connections, the Thrift proxy will use the same protocol as the - // downstream connection. - AUTO_PROTOCOL = 0; - - // The Thrift proxy will use the Thrift binary protocol. - BINARY = 1; - - // The Thrift proxy will use Thrift non-strict binary protocol. - LAX_BINARY = 2; - - // The Thrift proxy will use the Thrift compact protocol. 
- COMPACT = 3; - - // The Thrift proxy will use the Thrift "Twitter" protocol implemented by the finagle library. - TWITTER = 4; -} - -// [#next-free-field: 8] -message ThriftProxy { - option (udpa.annotations.versioning).previous_message_type = - "envoy.extensions.filters.network.thrift_proxy.v3.ThriftProxy"; - - // Supplies the type of transport that the Thrift proxy should use. Defaults to - // :ref:`AUTO_TRANSPORT`. - TransportType transport = 2 [(validate.rules).enum = {defined_only: true}]; - - // Supplies the type of protocol that the Thrift proxy should use. Defaults to - // :ref:`AUTO_PROTOCOL`. - ProtocolType protocol = 3 [(validate.rules).enum = {defined_only: true}]; - - // The human readable prefix to use when emitting statistics. - string stat_prefix = 1 [(validate.rules).string = {min_len: 1}]; - - // The route table for the connection manager is static and is specified in this property. - RouteConfiguration route_config = 4; - - // A list of individual Thrift filters that make up the filter chain for requests made to the - // Thrift proxy. Order matters as the filters are processed sequentially. For backwards - // compatibility, if no thrift_filters are specified, a default Thrift router filter - // (`envoy.filters.thrift.router`) is used. - // [#extension-category: envoy.thrift_proxy.filters] - repeated ThriftFilter thrift_filters = 5; - - // If set to true, Envoy will try to skip decode data after metadata in the Thrift message. - // This mode will only work if the upstream and downstream protocols are the same and the transport - // is the same, the transport type is framed and the protocol is not Twitter. Otherwise Envoy will - // fallback to decode the data. - bool payload_passthrough = 6; - - // Optional maximum requests for a single downstream connection. If not specified, there is no limit. - google.protobuf.UInt32Value max_requests_per_connection = 7; -} - -// ThriftFilter configures a Thrift filter. 
-message ThriftFilter { - option (udpa.annotations.versioning).previous_message_type = - "envoy.extensions.filters.network.thrift_proxy.v3.ThriftFilter"; - - reserved 2; - - reserved "config"; - - // The name of the filter to instantiate. The name must match a supported - // filter. The built-in filters are: - // - // [#comment:TODO(zuercher): Auto generate the following list] - // * :ref:`envoy.filters.thrift.router ` - // * :ref:`envoy.filters.thrift.rate_limit ` - string name = 1 [(validate.rules).string = {min_len: 1}]; - - // Filter specific configuration which depends on the filter being instantiated. See the supported - // filters for further documentation. - oneof config_type { - google.protobuf.Any typed_config = 3; - } -} - -// ThriftProtocolOptions specifies Thrift upstream protocol options. This object is used in -// in -// :ref:`typed_extension_protocol_options`, -// keyed by the name `envoy.filters.network.thrift_proxy`. -message ThriftProtocolOptions { - option (udpa.annotations.versioning).previous_message_type = - "envoy.extensions.filters.network.thrift_proxy.v3.ThriftProtocolOptions"; - - // Supplies the type of transport that the Thrift proxy should use for upstream connections. - // Selecting - // :ref:`AUTO_TRANSPORT`, - // which is the default, causes the proxy to use the same transport as the downstream connection. - TransportType transport = 1 [(validate.rules).enum = {defined_only: true}]; - - // Supplies the type of protocol that the Thrift proxy should use for upstream connections. - // Selecting - // :ref:`AUTO_PROTOCOL`, - // which is the default, causes the proxy to use the same protocol as the downstream connection. - ProtocolType protocol = 2 [(validate.rules).enum = {defined_only: true}]; -} diff --git a/api/envoy/extensions/filters/udp/dns_filter/v4alpha/BUILD b/api/envoy/extensions/filters/udp/dns_filter/v4alpha/BUILD deleted file mode 100644 index 28c2427c4a49..000000000000 
--- a/api/envoy/extensions/filters/udp/dns_filter/v4alpha/BUILD +++ /dev/null @@ -1,14 +0,0 @@ -# DO NOT EDIT. This file is generated by tools/proto_format/proto_sync.py. - -load("@envoy_api//bazel:api_build_system.bzl", "api_proto_package") - -licenses(["notice"]) # Apache 2 - -api_proto_package( - deps = [ - "//envoy/config/core/v4alpha:pkg", - "//envoy/data/dns/v4alpha:pkg", - "//envoy/extensions/filters/udp/dns_filter/v3alpha:pkg", - "@com_github_cncf_udpa//udpa/annotations:pkg", - ], -) diff --git a/api/envoy/extensions/filters/udp/dns_filter/v4alpha/dns_filter.proto b/api/envoy/extensions/filters/udp/dns_filter/v4alpha/dns_filter.proto deleted file mode 100644 index 6957e58dbb06..000000000000 --- a/api/envoy/extensions/filters/udp/dns_filter/v4alpha/dns_filter.proto +++ /dev/null 
@@ -1,84 +0,0 @@ -syntax = "proto3"; - -package envoy.extensions.filters.udp.dns_filter.v4alpha; - -import "envoy/config/core/v4alpha/base.proto"; -import "envoy/config/core/v4alpha/resolver.proto"; -import "envoy/data/dns/v4alpha/dns_table.proto"; - -import "google/protobuf/duration.proto"; - -import "udpa/annotations/status.proto"; -import "udpa/annotations/versioning.proto"; -import "validate/validate.proto"; - -option java_package = "io.envoyproxy.envoy.extensions.filters.udp.dns_filter.v4alpha"; -option java_outer_classname = "DnsFilterProto"; -option java_multiple_files = true; -option (udpa.annotations.file_status).work_in_progress = true; -option (udpa.annotations.file_status).package_version_status = NEXT_MAJOR_VERSION_CANDIDATE; - -// [#protodoc-title: DNS Filter] -// DNS Filter :ref:`configuration overview `. -// [#extension: envoy.filters.udp_listener.dns_filter] - -// Configuration for the DNS filter. -message DnsFilterConfig { - option (udpa.annotations.versioning).previous_message_type = - "envoy.extensions.filters.udp.dns_filter.v3alpha.DnsFilterConfig"; - - // This message contains the configuration for the DNS Filter operating - // in a server context. This message will contain the virtual hosts and - // associated addresses with which Envoy will respond to queries - message ServerContextConfig { - option (udpa.annotations.versioning).previous_message_type = - "envoy.extensions.filters.udp.dns_filter.v3alpha.DnsFilterConfig.ServerContextConfig"; - - oneof config_source { - option (validate.required) = true; - - // Load the configuration specified from the control plane - data.dns.v4alpha.DnsTable inline_dns_table = 1; - - // Seed the filter configuration from an external path. 
This source - // is a yaml formatted file that contains the DnsTable driving Envoy's - // responses to DNS queries - config.core.v4alpha.DataSource external_dns_table = 2; - } - } - - // This message contains the configuration for the DNS Filter operating - // in a client context. This message will contain the timeouts, retry, - // and forwarding configuration for Envoy to make DNS requests to other - // resolvers - message ClientContextConfig { - option (udpa.annotations.versioning).previous_message_type = - "envoy.extensions.filters.udp.dns_filter.v3alpha.DnsFilterConfig.ClientContextConfig"; - - // Sets the maximum time we will wait for the upstream query to complete - // We allow 5s for the upstream resolution to complete, so the minimum - // value here is 1. Note that the total latency for a failed query is the - // number of retries multiplied by the resolver_timeout. - google.protobuf.Duration resolver_timeout = 1 [(validate.rules).duration = {gte {seconds: 1}}]; - - // DNS resolution configuration which includes the underlying dns resolver addresses and options. - config.core.v4alpha.DnsResolutionConfig dns_resolution_config = 2; - - // Controls how many outstanding external lookup contexts the filter tracks. - // The context structure allows the filter to respond to every query even if the external - // resolution times out or is otherwise unsuccessful - uint64 max_pending_lookups = 3 [(validate.rules).uint64 = {gte: 1}]; - } - - // The stat prefix used when emitting DNS filter statistics - string stat_prefix = 1 [(validate.rules).string = {min_len: 1}]; - - // Server context configuration contains the data that the filter uses to respond - // to DNS requests. - ServerContextConfig server_config = 2; - - // Client context configuration controls Envoy's behavior when it must use external - // resolvers to answer a query. 
This object is optional and if omitted instructs - // the filter to resolve queries from the data in the server_config - ClientContextConfig client_config = 3; -} diff --git a/api/envoy/extensions/tracers/datadog/v4alpha/BUILD b/api/envoy/extensions/tracers/datadog/v4alpha/BUILD deleted file mode 100644 index d500cc41da1f..000000000000 --- a/api/envoy/extensions/tracers/datadog/v4alpha/BUILD +++ /dev/null @@ -1,12 +0,0 @@ -# DO NOT EDIT. This file is generated by tools/proto_format/proto_sync.py. - -load("@envoy_api//bazel:api_build_system.bzl", "api_proto_package") - -licenses(["notice"]) # Apache 2 - -api_proto_package( - deps = [ - "//envoy/config/trace/v3:pkg", - "@com_github_cncf_udpa//udpa/annotations:pkg", - ], -) diff --git a/api/envoy/extensions/tracers/datadog/v4alpha/datadog.proto b/api/envoy/extensions/tracers/datadog/v4alpha/datadog.proto deleted file mode 100644 index f41c8added21..000000000000 --- a/api/envoy/extensions/tracers/datadog/v4alpha/datadog.proto +++ /dev/null 
@@ -1,27 +0,0 @@ -syntax = "proto3"; - -package envoy.extensions.tracers.datadog.v4alpha; - -import "udpa/annotations/status.proto"; -import "udpa/annotations/versioning.proto"; -import "validate/validate.proto"; - -option java_package = "io.envoyproxy.envoy.extensions.tracers.datadog.v4alpha"; -option java_outer_classname = "DatadogProto"; -option java_multiple_files = true; -option (udpa.annotations.file_status).package_version_status = NEXT_MAJOR_VERSION_CANDIDATE; - -// [#protodoc-title: Datadog tracer] - -// Configuration for the Datadog tracer. -// [#extension: envoy.tracers.datadog] -message DatadogConfig { - option (udpa.annotations.versioning).previous_message_type = - "envoy.config.trace.v3.DatadogConfig"; - - // The cluster to use for submitting traces to the Datadog agent. - string collector_cluster = 1 [(validate.rules).string = {min_len: 1}]; - - // The name used for the service when traces are generated by envoy. - string service_name = 2 [(validate.rules).string = {min_len: 1}]; -} diff --git a/api/envoy/extensions/tracers/dynamic_ot/v4alpha/BUILD b/api/envoy/extensions/tracers/dynamic_ot/v4alpha/BUILD deleted file mode 100644 index d500cc41da1f..000000000000 --- a/api/envoy/extensions/tracers/dynamic_ot/v4alpha/BUILD +++ /dev/null @@ -1,12 +0,0 @@ -# DO NOT EDIT. This file is generated by tools/proto_format/proto_sync.py. - -load("@envoy_api//bazel:api_build_system.bzl", "api_proto_package") - -licenses(["notice"]) # Apache 2 - -api_proto_package( - deps = [ - "//envoy/config/trace/v3:pkg", - "@com_github_cncf_udpa//udpa/annotations:pkg", - ], -) diff --git a/api/envoy/extensions/tracers/dynamic_ot/v4alpha/dynamic_ot.proto b/api/envoy/extensions/tracers/dynamic_ot/v4alpha/dynamic_ot.proto deleted file mode 100644 index 21455a974d3b..000000000000 --- a/api/envoy/extensions/tracers/dynamic_ot/v4alpha/dynamic_ot.proto +++ /dev/null 
@@ -1,33 +0,0 @@ -syntax = "proto3"; - -package envoy.extensions.tracers.dynamic_ot.v4alpha; - -import "google/protobuf/struct.proto"; - -import "udpa/annotations/status.proto"; -import "udpa/annotations/versioning.proto"; -import "validate/validate.proto"; - -option java_package = "io.envoyproxy.envoy.extensions.tracers.dynamic_ot.v4alpha"; -option java_outer_classname = "DynamicOtProto"; -option java_multiple_files = true; -option (udpa.annotations.file_status).package_version_status = NEXT_MAJOR_VERSION_CANDIDATE; - -// [#protodoc-title: Dynamically loadable OpenTracing tracer] - -// DynamicOtConfig is used to dynamically load a tracer from a shared library -// that implements the `OpenTracing dynamic loading API -// `_. -// [#extension: envoy.tracers.dynamic_ot] -message DynamicOtConfig { - option (udpa.annotations.versioning).previous_message_type = - "envoy.config.trace.v3.DynamicOtConfig"; - - // Dynamic library implementing the `OpenTracing API - // `_. - string library = 1 [(validate.rules).string = {min_len: 1}]; - - // The configuration to use when creating a tracer from the given dynamic - // library. - google.protobuf.Struct config = 2; -} diff --git a/api/envoy/extensions/tracers/lightstep/v4alpha/BUILD b/api/envoy/extensions/tracers/lightstep/v4alpha/BUILD deleted file mode 100644 index 1d56979cc466..000000000000 --- a/api/envoy/extensions/tracers/lightstep/v4alpha/BUILD +++ /dev/null @@ -1,13 +0,0 @@ -# DO NOT EDIT. This file is generated by tools/proto_format/proto_sync.py. - -load("@envoy_api//bazel:api_build_system.bzl", "api_proto_package") - -licenses(["notice"]) # Apache 2 - -api_proto_package( - deps = [ - "//envoy/config/core/v4alpha:pkg", - "//envoy/config/trace/v3:pkg", - "@com_github_cncf_udpa//udpa/annotations:pkg", - ], -) diff --git a/api/envoy/extensions/tracers/lightstep/v4alpha/lightstep.proto b/api/envoy/extensions/tracers/lightstep/v4alpha/lightstep.proto deleted file mode 100644 index 11d5b2ea84a9..000000000000 
--- a/api/envoy/extensions/tracers/lightstep/v4alpha/lightstep.proto +++ /dev/null @@ -1,52 +0,0 @@ -syntax = "proto3"; - -package envoy.extensions.tracers.lightstep.v4alpha; - -import "envoy/config/core/v4alpha/base.proto"; - -import "udpa/annotations/status.proto"; -import "udpa/annotations/versioning.proto"; -import "validate/validate.proto"; - -option java_package = "io.envoyproxy.envoy.extensions.tracers.lightstep.v4alpha"; -option java_outer_classname = "LightstepProto"; -option java_multiple_files = true; -option (udpa.annotations.file_status).package_version_status = NEXT_MAJOR_VERSION_CANDIDATE; - -// [#protodoc-title: LightStep tracer] - -// Configuration for the LightStep tracer. -// [#extension: envoy.tracers.lightstep] -message LightstepConfig { - option (udpa.annotations.versioning).previous_message_type = - "envoy.config.trace.v3.LightstepConfig"; - - // Available propagation modes - enum PropagationMode { - // Propagate trace context in the single header x-ot-span-context. - ENVOY = 0; - - // Propagate trace context using LightStep's native format. - LIGHTSTEP = 1; - - // Propagate trace context using the b3 format. - B3 = 2; - - // Propagation trace context using the w3 trace-context standard. - TRACE_CONTEXT = 3; - } - - reserved 2; - - reserved "access_token_file"; - - // The cluster manager cluster that hosts the LightStep collectors. - string collector_cluster = 1 [(validate.rules).string = {min_len: 1}]; - - // Access token to the `LightStep `_ API. - config.core.v4alpha.DataSource access_token = 4; - - // Propagation modes to use by LightStep's tracer. - repeated PropagationMode propagation_modes = 3 - [(validate.rules).repeated = {items {enum {defined_only: true}}}]; -} diff --git a/api/envoy/extensions/tracers/opencensus/v4alpha/BUILD b/api/envoy/extensions/tracers/opencensus/v4alpha/BUILD deleted file mode 100644 index e43ed53877f4..000000000000 --- a/api/envoy/extensions/tracers/opencensus/v4alpha/BUILD +++ /dev/null 
@@ -1,14 +0,0 @@ -# DO NOT EDIT. This file is generated by tools/proto_format/proto_sync.py. - -load("@envoy_api//bazel:api_build_system.bzl", "api_proto_package") - -licenses(["notice"]) # Apache 2 - -api_proto_package( - deps = [ - "//envoy/config/core/v4alpha:pkg", - "//envoy/config/trace/v3:pkg", - "@com_github_cncf_udpa//udpa/annotations:pkg", - "@opencensus_proto//opencensus/proto/trace/v1:trace_config_proto", - ], -) diff --git a/api/envoy/extensions/tracers/opencensus/v4alpha/opencensus.proto b/api/envoy/extensions/tracers/opencensus/v4alpha/opencensus.proto deleted file mode 100644 index 03a5905a1bb9..000000000000 --- a/api/envoy/extensions/tracers/opencensus/v4alpha/opencensus.proto +++ /dev/null 
@@ -1,91 +0,0 @@ -syntax = "proto3"; - -package envoy.extensions.tracers.opencensus.v4alpha; - -import "envoy/config/core/v4alpha/grpc_service.proto"; - -import "opencensus/proto/trace/v1/trace_config.proto"; - -import "udpa/annotations/status.proto"; -import "udpa/annotations/versioning.proto"; - -option java_package = "io.envoyproxy.envoy.extensions.tracers.opencensus.v4alpha"; -option java_outer_classname = "OpencensusProto"; -option java_multiple_files = true; -option (udpa.annotations.file_status).package_version_status = NEXT_MAJOR_VERSION_CANDIDATE; - -// [#protodoc-title: OpenCensus tracer] - -// Configuration for the OpenCensus tracer. -// [#next-free-field: 15] -// [#extension: envoy.tracers.opencensus] -message OpenCensusConfig { - option (udpa.annotations.versioning).previous_message_type = - "envoy.config.trace.v3.OpenCensusConfig"; - - enum TraceContext { - // No-op default, no trace context is utilized. - NONE = 0; - - // W3C Trace-Context format "traceparent:" header. - TRACE_CONTEXT = 1; - - // Binary "grpc-trace-bin:" header. - GRPC_TRACE_BIN = 2; - - // "X-Cloud-Trace-Context:" header. - CLOUD_TRACE_CONTEXT = 3; - - // X-B3-* headers. - B3 = 4; - } - - reserved 7, 5, 6; - - reserved "zipkin_exporter_enabled", "zipkin_url"; - - // Configures tracing, e.g. the sampler, max number of annotations, etc. - .opencensus.proto.trace.v1.TraceConfig trace_config = 1; - - // Enables the stdout exporter if set to true. This is intended for debugging - // purposes. - bool stdout_exporter_enabled = 2; - - // Enables the Stackdriver exporter if set to true. The project_id must also - // be set. - bool stackdriver_exporter_enabled = 3; - - // The Cloud project_id to use for Stackdriver tracing. - string stackdriver_project_id = 4; - - // (optional) By default, the Stackdriver exporter will connect to production - // Stackdriver. 
If stackdriver_address is non-empty, it will instead connect - // to this address, which is in the gRPC format: - // https://github.com/grpc/grpc/blob/master/doc/naming.md - string stackdriver_address = 10; - - // (optional) The gRPC server that hosts Stackdriver tracing service. Only - // Google gRPC is supported. If :ref:`target_uri ` - // is not provided, the default production Stackdriver address will be used. - config.core.v4alpha.GrpcService stackdriver_grpc_service = 13; - - // Enables the OpenCensus Agent exporter if set to true. The ocagent_address or - // ocagent_grpc_service must also be set. - bool ocagent_exporter_enabled = 11; - - // The address of the OpenCensus Agent, if its exporter is enabled, in gRPC - // format: https://github.com/grpc/grpc/blob/master/doc/naming.md - // [#comment:TODO: deprecate this field] - string ocagent_address = 12; - - // (optional) The gRPC server hosted by the OpenCensus Agent. Only Google gRPC is supported. - // This is only used if the ocagent_address is left empty. - config.core.v4alpha.GrpcService ocagent_grpc_service = 14; - - // List of incoming trace context headers we will accept. First one found - // wins. - repeated TraceContext incoming_trace_context = 8; - - // List of outgoing trace context headers we will produce. - repeated TraceContext outgoing_trace_context = 9; -} diff --git a/api/envoy/extensions/tracers/skywalking/v4alpha/BUILD b/api/envoy/extensions/tracers/skywalking/v4alpha/BUILD deleted file mode 100644 index 1d56979cc466..000000000000 --- a/api/envoy/extensions/tracers/skywalking/v4alpha/BUILD +++ /dev/null @@ -1,13 +0,0 @@ -# DO NOT EDIT. This file is generated by tools/proto_format/proto_sync.py. - -load("@envoy_api//bazel:api_build_system.bzl", "api_proto_package") - -licenses(["notice"]) # Apache 2 - -api_proto_package( - deps = [ - "//envoy/config/core/v4alpha:pkg", - "//envoy/config/trace/v3:pkg", - "@com_github_cncf_udpa//udpa/annotations:pkg", - ], -) 
diff --git a/api/envoy/extensions/tracers/skywalking/v4alpha/skywalking.proto b/api/envoy/extensions/tracers/skywalking/v4alpha/skywalking.proto deleted file mode 100644 index 37936faa6133..000000000000 --- a/api/envoy/extensions/tracers/skywalking/v4alpha/skywalking.proto +++ /dev/null 
@@ -1,68 +0,0 @@ -syntax = "proto3"; - -package envoy.extensions.tracers.skywalking.v4alpha; - -import "envoy/config/core/v4alpha/grpc_service.proto"; - -import "google/protobuf/wrappers.proto"; - -import "udpa/annotations/sensitive.proto"; -import "udpa/annotations/status.proto"; -import "udpa/annotations/versioning.proto"; -import "validate/validate.proto"; - -option java_package = "io.envoyproxy.envoy.extensions.tracers.skywalking.v4alpha"; -option java_outer_classname = "SkywalkingProto"; -option java_multiple_files = true; -option (udpa.annotations.file_status).package_version_status = NEXT_MAJOR_VERSION_CANDIDATE; - -// [#protodoc-title: SkyWalking tracer] - -// Configuration for the SkyWalking tracer. Please note that if SkyWalking tracer is used as the -// provider of http tracer, then -// :ref:`start_child_span ` -// in the router must be set to true to get the correct topology and tracing data. Moreover, SkyWalking -// Tracer does not support SkyWalking extension header (``sw8-x``) temporarily. -// [#extension: envoy.tracers.skywalking] -message SkyWalkingConfig { - option (udpa.annotations.versioning).previous_message_type = - "envoy.config.trace.v3.SkyWalkingConfig"; - - // SkyWalking collector service. - config.core.v4alpha.GrpcService grpc_service = 1 [(validate.rules).message = {required: true}]; - - ClientConfig client_config = 2; -} - -// Client config for SkyWalking tracer. -message ClientConfig { - option (udpa.annotations.versioning).previous_message_type = "envoy.config.trace.v3.ClientConfig"; - - // Service name for SkyWalking tracer. If this field is empty, then local service cluster name - // that configured by :ref:`Bootstrap node ` - // message's :ref:`cluster ` field or command line - // option :option:`--service-cluster` will be used. If both this field and local service cluster - // name are empty, ``EnvoyProxy`` is used as the service name by default. - string service_name = 1; - - // Service instance name for SkyWalking tracer. 
If this field is empty, then local service node - // that configured by :ref:`Bootstrap node ` - // message's :ref:`id ` field or command line option - // :option:`--service-node` will be used. If both this field and local service node are empty, - // ``EnvoyProxy`` is used as the instance name by default. - string instance_name = 2; - - // Authentication token config for SkyWalking. SkyWalking can use token authentication to secure - // that monitoring application data can be trusted. In current version, Token is considered as a - // simple string. - // [#comment:TODO(wbpcode): Get backend token through the SDS API.] - oneof backend_token_specifier { - // Inline authentication token string. - string backend_token = 3 [(udpa.annotations.sensitive) = true]; - } - - // Envoy caches the segment in memory when the SkyWalking backend service is temporarily unavailable. - // This field specifies the maximum number of segments that can be cached. If not specified, the - // default is 1024. - google.protobuf.UInt32Value max_cache_size = 4; -} diff --git a/api/envoy/extensions/tracers/xray/v4alpha/BUILD b/api/envoy/extensions/tracers/xray/v4alpha/BUILD deleted file mode 100644 index 1d56979cc466..000000000000 --- a/api/envoy/extensions/tracers/xray/v4alpha/BUILD +++ /dev/null @@ -1,13 +0,0 @@ -# DO NOT EDIT. This file is generated by tools/proto_format/proto_sync.py. - -load("@envoy_api//bazel:api_build_system.bzl", "api_proto_package") - -licenses(["notice"]) # Apache 2 - -api_proto_package( - deps = [ - "//envoy/config/core/v4alpha:pkg", - "//envoy/config/trace/v3:pkg", - "@com_github_cncf_udpa//udpa/annotations:pkg", - ], -) diff --git a/api/envoy/extensions/tracers/xray/v4alpha/xray.proto b/api/envoy/extensions/tracers/xray/v4alpha/xray.proto deleted file mode 100644 index 649f294b4273..000000000000 --- a/api/envoy/extensions/tracers/xray/v4alpha/xray.proto +++ /dev/null 
@@ -1,55 +0,0 @@ -syntax = "proto3"; - -package envoy.extensions.tracers.xray.v4alpha; - -import "envoy/config/core/v4alpha/address.proto"; -import "envoy/config/core/v4alpha/base.proto"; - -import "google/protobuf/struct.proto"; - -import "udpa/annotations/status.proto"; -import "udpa/annotations/versioning.proto"; -import "validate/validate.proto"; - -option java_package = "io.envoyproxy.envoy.extensions.tracers.xray.v4alpha"; -option java_outer_classname = "XrayProto"; -option java_multiple_files = true; -option (udpa.annotations.file_status).package_version_status = NEXT_MAJOR_VERSION_CANDIDATE; - -// [#protodoc-title: AWS X-Ray Tracer Configuration] -// Configuration for AWS X-Ray tracer - -// [#extension: envoy.tracers.xray] -message XRayConfig { - option (udpa.annotations.versioning).previous_message_type = "envoy.config.trace.v3.XRayConfig"; - - message SegmentFields { - option (udpa.annotations.versioning).previous_message_type = - "envoy.config.trace.v3.XRayConfig.SegmentFields"; - - // The type of AWS resource, e.g. "AWS::AppMesh::Proxy". - string origin = 1; - - // AWS resource metadata dictionary. - // See: `X-Ray Segment Document documentation `__ - google.protobuf.Struct aws = 2; - } - - // The UDP endpoint of the X-Ray Daemon where the spans will be sent. - // If this value is not set, the default value of 127.0.0.1:2000 will be used. - config.core.v4alpha.SocketAddress daemon_endpoint = 1; - - // The name of the X-Ray segment. - string segment_name = 2 [(validate.rules).string = {min_len: 1}]; - - // The location of a local custom sampling rules JSON file. - // For an example of the sampling rules see: - // `X-Ray SDK documentation - // `_ - config.core.v4alpha.DataSource sampling_rule_manifest = 3; - - // Optional custom fields to be added to each trace segment. - // see: `X-Ray Segment Document documentation - // `__ - SegmentFields segment_fields = 4; -} 
diff --git a/api/envoy/extensions/tracers/zipkin/v4alpha/BUILD b/api/envoy/extensions/tracers/zipkin/v4alpha/BUILD deleted file mode 100644 index aefd915ae054..000000000000 --- a/api/envoy/extensions/tracers/zipkin/v4alpha/BUILD +++ /dev/null @@ -1,13 +0,0 @@ -# DO NOT EDIT. This file is generated by tools/proto_format/proto_sync.py. - -load("@envoy_api//bazel:api_build_system.bzl", "api_proto_package") - -licenses(["notice"]) # Apache 2 - -api_proto_package( - deps = [ - "//envoy/annotations:pkg", - "//envoy/config/trace/v3:pkg", - "@com_github_cncf_udpa//udpa/annotations:pkg", - ], -) diff --git a/api/envoy/extensions/tracers/zipkin/v4alpha/zipkin.proto b/api/envoy/extensions/tracers/zipkin/v4alpha/zipkin.proto deleted file mode 100644 index 93ffefc48390..000000000000 --- a/api/envoy/extensions/tracers/zipkin/v4alpha/zipkin.proto +++ /dev/null 
@@ -1,70 +0,0 @@ -syntax = "proto3"; - -package envoy.extensions.tracers.zipkin.v4alpha; - -import "google/protobuf/wrappers.proto"; - -import "envoy/annotations/deprecation.proto"; -import "udpa/annotations/status.proto"; -import "udpa/annotations/versioning.proto"; -import "validate/validate.proto"; - -option java_package = "io.envoyproxy.envoy.extensions.tracers.zipkin.v4alpha"; -option java_outer_classname = "ZipkinProto"; -option java_multiple_files = true; -option (udpa.annotations.file_status).package_version_status = NEXT_MAJOR_VERSION_CANDIDATE; - -// [#protodoc-title: Zipkin tracer] - -// Configuration for the Zipkin tracer. -// [#extension: envoy.tracers.zipkin] -// [#next-free-field: 7] -message ZipkinConfig { - option (udpa.annotations.versioning).previous_message_type = "envoy.config.trace.v3.ZipkinConfig"; - - // Available Zipkin collector endpoint versions. - enum CollectorEndpointVersion { - // Zipkin API v1, JSON over HTTP. - // [#comment: The default implementation of Zipkin client before this field is added was only v1 - // and the way user configure this was by not explicitly specifying the version. Consequently, - // before this is added, the corresponding Zipkin collector expected to receive v1 payload. - // Hence the motivation of adding HTTP_JSON_V1 as the default is to avoid a breaking change when - // user upgrading Envoy with this change. Furthermore, we also immediately deprecate this field, - // since in Zipkin realm this v1 version is considered to be not preferable anymore.] - DEPRECATED_AND_UNAVAILABLE_DO_NOT_USE = 0 - [deprecated = true, (envoy.annotations.disallowed_by_default_enum) = true]; - - // Zipkin API v2, JSON over HTTP. - HTTP_JSON = 1; - - // Zipkin API v2, protobuf over HTTP. - HTTP_PROTO = 2; - - // [#not-implemented-hide:] - GRPC = 3; - } - - // The cluster manager cluster that hosts the Zipkin collectors. 
- string collector_cluster = 1 [(validate.rules).string = {min_len: 1}]; - - // The API endpoint of the Zipkin service where the spans will be sent. When - // using a standard Zipkin installation, the API endpoint is typically - // /api/v1/spans, which is the default value. - string collector_endpoint = 2 [(validate.rules).string = {min_len: 1}]; - - // Determines whether a 128bit trace id will be used when creating a new - // trace instance. The default value is false, which will result in a 64 bit trace id being used. - bool trace_id_128bit = 3; - - // Determines whether client and server spans will share the same span context. - // The default value is true. - google.protobuf.BoolValue shared_span_context = 4; - - // Determines the selected collector endpoint version. By default, the ``HTTP_JSON_V1`` will be - // used. - CollectorEndpointVersion collector_endpoint_version = 5; - - // Optional hostname to use when sending spans to the collector_cluster. Useful for collectors - // that require a specific hostname. Defaults to :ref:`collector_cluster ` above. - string collector_hostname = 6; -} diff --git a/api/envoy/extensions/transport_sockets/quic/v4alpha/BUILD b/api/envoy/extensions/transport_sockets/quic/v4alpha/BUILD deleted file mode 100644 index 976cefd189cc..000000000000 --- a/api/envoy/extensions/transport_sockets/quic/v4alpha/BUILD +++ /dev/null @@ -1,13 +0,0 @@ -# DO NOT EDIT. This file is generated by tools/proto_format/proto_sync.py. - -load("@envoy_api//bazel:api_build_system.bzl", "api_proto_package") - -licenses(["notice"]) # Apache 2 - -api_proto_package( - deps = [ - "//envoy/extensions/transport_sockets/quic/v3:pkg", - "//envoy/extensions/transport_sockets/tls/v4alpha:pkg", - "@com_github_cncf_udpa//udpa/annotations:pkg", - ], -) diff --git a/api/envoy/extensions/transport_sockets/quic/v4alpha/quic_transport.proto b/api/envoy/extensions/transport_sockets/quic/v4alpha/quic_transport.proto deleted file mode 100644 index 9a5f096f56c7..000000000000 
--- a/api/envoy/extensions/transport_sockets/quic/v4alpha/quic_transport.proto +++ /dev/null @@ -1,35 +0,0 @@ -syntax = "proto3"; - -package envoy.extensions.transport_sockets.quic.v4alpha; - -import "envoy/extensions/transport_sockets/tls/v4alpha/tls.proto"; - -import "udpa/annotations/status.proto"; -import "udpa/annotations/versioning.proto"; -import "validate/validate.proto"; - -option java_package = "io.envoyproxy.envoy.extensions.transport_sockets.quic.v4alpha"; -option java_outer_classname = "QuicTransportProto"; -option java_multiple_files = true; -option (udpa.annotations.file_status).package_version_status = NEXT_MAJOR_VERSION_CANDIDATE; - -// [#protodoc-title: quic transport] -// [#comment:#extension: envoy.transport_sockets.quic] - -// Configuration for Downstream QUIC transport socket. This provides Google's implementation of Google QUIC and IETF QUIC to Envoy. -message QuicDownstreamTransport { - option (udpa.annotations.versioning).previous_message_type = - "envoy.extensions.transport_sockets.quic.v3.QuicDownstreamTransport"; - - tls.v4alpha.DownstreamTlsContext downstream_tls_context = 1 - [(validate.rules).message = {required: true}]; -} - -// Configuration for Upstream QUIC transport socket. This provides Google's implementation of Google QUIC and IETF QUIC to Envoy. -message QuicUpstreamTransport { - option (udpa.annotations.versioning).previous_message_type = - "envoy.extensions.transport_sockets.quic.v3.QuicUpstreamTransport"; - - tls.v4alpha.UpstreamTlsContext upstream_tls_context = 1 - [(validate.rules).message = {required: true}]; -} diff --git a/api/envoy/extensions/transport_sockets/starttls/v4alpha/BUILD b/api/envoy/extensions/transport_sockets/starttls/v4alpha/BUILD deleted file mode 100644 index b160d85ddb5b..000000000000 --- a/api/envoy/extensions/transport_sockets/starttls/v4alpha/BUILD +++ /dev/null 
@@ -1,14 +0,0 @@ -# DO NOT EDIT. This file is generated by tools/proto_format/proto_sync.py. - -load("@envoy_api//bazel:api_build_system.bzl", "api_proto_package") - -licenses(["notice"]) # Apache 2 - -api_proto_package( - deps = [ - "//envoy/extensions/transport_sockets/raw_buffer/v3:pkg", - "//envoy/extensions/transport_sockets/starttls/v3:pkg", - "//envoy/extensions/transport_sockets/tls/v4alpha:pkg", - "@com_github_cncf_udpa//udpa/annotations:pkg", - ], -) diff --git a/api/envoy/extensions/transport_sockets/starttls/v4alpha/starttls.proto b/api/envoy/extensions/transport_sockets/starttls/v4alpha/starttls.proto deleted file mode 100644 index d2a9dbeaf2ed..000000000000 --- a/api/envoy/extensions/transport_sockets/starttls/v4alpha/starttls.proto +++ /dev/null 
@@ -1,58 +0,0 @@ -syntax = "proto3"; - -package envoy.extensions.transport_sockets.starttls.v4alpha; - -import "envoy/extensions/transport_sockets/raw_buffer/v3/raw_buffer.proto"; -import "envoy/extensions/transport_sockets/tls/v4alpha/tls.proto"; - -import "udpa/annotations/status.proto"; -import "udpa/annotations/versioning.proto"; -import "validate/validate.proto"; - -option java_package = "io.envoyproxy.envoy.extensions.transport_sockets.starttls.v4alpha"; -option java_outer_classname = "StarttlsProto"; -option java_multiple_files = true; -option (udpa.annotations.file_status).package_version_status = NEXT_MAJOR_VERSION_CANDIDATE; - -// [#protodoc-title: StartTls] -// [#extension: envoy.transport_sockets.starttls] - -// StartTls transport socket addresses situations when a protocol starts in clear-text and -// negotiates an in-band switch to TLS. StartTls transport socket is protocol agnostic. In the -// case of downstream StartTls a network filter is required which understands protocol exchange -// and a state machine to signal to the StartTls transport socket when a switch to TLS is -// required. Similarly, upstream StartTls requires the owner of an upstream transport socket to -// manage the state machine necessary to properly coordinate negotiation with the upstream and -// signal to the transport socket when a switch to secure transport is required. - -// Configuration for a downstream StartTls transport socket. -// StartTls transport socket wraps two sockets: -// * raw_buffer socket which is used at the beginning of the session -// * TLS socket used when a protocol negotiates a switch to encrypted traffic. -message StartTlsConfig { - option (udpa.annotations.versioning).previous_message_type = - "envoy.extensions.transport_sockets.starttls.v3.StartTlsConfig"; - - // (optional) Configuration for clear-text socket used at the beginning of the session. - raw_buffer.v3.RawBuffer cleartext_socket_config = 1; - - // Configuration for a downstream TLS socket. 
- transport_sockets.tls.v4alpha.DownstreamTlsContext tls_socket_config = 2 - [(validate.rules).message = {required: true}]; -} - -// Configuration for an upstream StartTls transport socket. -// StartTls transport socket wraps two sockets: -// * raw_buffer socket which is used at the beginning of the session -// * TLS socket used when a protocol negotiates a switch to encrypted traffic. -message UpstreamStartTlsConfig { - option (udpa.annotations.versioning).previous_message_type = - "envoy.extensions.transport_sockets.starttls.v3.UpstreamStartTlsConfig"; - - // (optional) Configuration for clear-text socket used at the beginning of the session. - raw_buffer.v3.RawBuffer cleartext_socket_config = 1; - - // Configuration for an upstream TLS socket. - transport_sockets.tls.v4alpha.UpstreamTlsContext tls_socket_config = 2 - [(validate.rules).message = {required: true}]; -} diff --git a/api/envoy/extensions/transport_sockets/tap/v4alpha/BUILD b/api/envoy/extensions/transport_sockets/tap/v4alpha/BUILD deleted file mode 100644 index fe393f574d0d..000000000000 --- a/api/envoy/extensions/transport_sockets/tap/v4alpha/BUILD +++ /dev/null @@ -1,14 +0,0 @@ -# DO NOT EDIT. This file is generated by tools/proto_format/proto_sync.py. - -load("@envoy_api//bazel:api_build_system.bzl", "api_proto_package") - -licenses(["notice"]) # Apache 2 - -api_proto_package( - deps = [ - "//envoy/config/core/v4alpha:pkg", - "//envoy/extensions/common/tap/v4alpha:pkg", - "//envoy/extensions/transport_sockets/tap/v3:pkg", - "@com_github_cncf_udpa//udpa/annotations:pkg", - ], -) diff --git a/api/envoy/extensions/transport_sockets/tap/v4alpha/tap.proto b/api/envoy/extensions/transport_sockets/tap/v4alpha/tap.proto deleted file mode 100644 index 5e0efc403ab5..000000000000 --- a/api/envoy/extensions/transport_sockets/tap/v4alpha/tap.proto +++ /dev/null 
@@ -1,33 +0,0 @@ -syntax = "proto3"; - -package envoy.extensions.transport_sockets.tap.v4alpha; - -import "envoy/config/core/v4alpha/base.proto"; -import "envoy/extensions/common/tap/v4alpha/common.proto"; - -import "udpa/annotations/status.proto"; -import "udpa/annotations/versioning.proto"; -import "validate/validate.proto"; - -option java_package = "io.envoyproxy.envoy.extensions.transport_sockets.tap.v4alpha"; -option java_outer_classname = "TapProto"; -option java_multiple_files = true; -option (udpa.annotations.file_status).package_version_status = NEXT_MAJOR_VERSION_CANDIDATE; - -// [#protodoc-title: Tap] -// [#extension: envoy.transport_sockets.tap] - -// Configuration for tap transport socket. This wraps another transport socket, providing the -// ability to interpose and record in plain text any traffic that is surfaced to Envoy. -message Tap { - option (udpa.annotations.versioning).previous_message_type = - "envoy.extensions.transport_sockets.tap.v3.Tap"; - - // Common configuration for the tap transport socket. - common.tap.v4alpha.CommonExtensionConfig common_config = 1 - [(validate.rules).message = {required: true}]; - - // The underlying transport socket being wrapped. - config.core.v4alpha.TransportSocket transport_socket = 2 - [(validate.rules).message = {required: true}]; -} diff --git a/api/envoy/extensions/transport_sockets/tls/v4alpha/BUILD b/api/envoy/extensions/transport_sockets/tls/v4alpha/BUILD deleted file mode 100644 index 0cf3219ca2cd..000000000000 --- a/api/envoy/extensions/transport_sockets/tls/v4alpha/BUILD +++ /dev/null @@ -1,14 +0,0 @@ -# DO NOT EDIT. This file is generated by tools/proto_format/proto_sync.py. - -load("@envoy_api//bazel:api_build_system.bzl", "api_proto_package") - -licenses(["notice"]) # Apache 2 - -api_proto_package( - deps = [ - "//envoy/config/core/v4alpha:pkg", - "//envoy/extensions/transport_sockets/tls/v3:pkg", - "//envoy/type/matcher/v4alpha:pkg", - "@com_github_cncf_udpa//udpa/annotations:pkg", - ], -) 
diff --git a/api/envoy/extensions/transport_sockets/tls/v4alpha/common.proto b/api/envoy/extensions/transport_sockets/tls/v4alpha/common.proto deleted file mode 100644 index 4e4488c770f8..000000000000 --- a/api/envoy/extensions/transport_sockets/tls/v4alpha/common.proto +++ /dev/null 
@@ -1,440 +0,0 @@ -syntax = "proto3"; - -package envoy.extensions.transport_sockets.tls.v4alpha; - -import "envoy/config/core/v4alpha/base.proto"; -import "envoy/config/core/v4alpha/extension.proto"; -import "envoy/type/matcher/v4alpha/string.proto"; - -import "google/protobuf/any.proto"; -import "google/protobuf/wrappers.proto"; - -import "udpa/annotations/sensitive.proto"; -import "udpa/annotations/status.proto"; -import "udpa/annotations/versioning.proto"; -import "validate/validate.proto"; - -option java_package = "io.envoyproxy.envoy.extensions.transport_sockets.tls.v4alpha"; -option java_outer_classname = "CommonProto"; -option java_multiple_files = true; -option (udpa.annotations.file_status).package_version_status = NEXT_MAJOR_VERSION_CANDIDATE; - -// [#protodoc-title: Common TLS configuration] - -message TlsParameters { - option (udpa.annotations.versioning).previous_message_type = - "envoy.extensions.transport_sockets.tls.v3.TlsParameters"; - - enum TlsProtocol { - // Envoy will choose the optimal TLS version. - TLS_AUTO = 0; - - // TLS 1.0 - TLSv1_0 = 1; - - // TLS 1.1 - TLSv1_1 = 2; - - // TLS 1.2 - TLSv1_2 = 3; - - // TLS 1.3 - TLSv1_3 = 4; - } - - // Minimum TLS protocol version. By default, it's ``TLSv1_2`` for clients and ``TLSv1_0`` for - // servers. - TlsProtocol tls_minimum_protocol_version = 1 [(validate.rules).enum = {defined_only: true}]; - - // Maximum TLS protocol version. By default, it's ``TLSv1_2`` for clients and ``TLSv1_3`` for - // servers. - TlsProtocol tls_maximum_protocol_version = 2 [(validate.rules).enum = {defined_only: true}]; - - // If specified, the TLS listener will only support the specified `cipher list - // `_ - // when negotiating TLS 1.0-1.2 (this setting has no effect when negotiating TLS 1.3). - // - // If not specified, a default list will be used. Defaults are different for server (downstream) and - // client (upstream) TLS configurations. - // - // In non-FIPS builds, the default server cipher list is: - // - // .. 
code-block:: none - // - // [ECDHE-ECDSA-AES128-GCM-SHA256|ECDHE-ECDSA-CHACHA20-POLY1305] - // [ECDHE-RSA-AES128-GCM-SHA256|ECDHE-RSA-CHACHA20-POLY1305] - // ECDHE-ECDSA-AES128-SHA - // ECDHE-RSA-AES128-SHA - // AES128-GCM-SHA256 - // AES128-SHA - // ECDHE-ECDSA-AES256-GCM-SHA384 - // ECDHE-RSA-AES256-GCM-SHA384 - // ECDHE-ECDSA-AES256-SHA - // ECDHE-RSA-AES256-SHA - // AES256-GCM-SHA384 - // AES256-SHA - // - // In builds using :ref:`BoringSSL FIPS `, the default server cipher list is: - // - // .. code-block:: none - // - // ECDHE-ECDSA-AES128-GCM-SHA256 - // ECDHE-RSA-AES128-GCM-SHA256 - // ECDHE-ECDSA-AES128-SHA - // ECDHE-RSA-AES128-SHA - // AES128-GCM-SHA256 - // AES128-SHA - // ECDHE-ECDSA-AES256-GCM-SHA384 - // ECDHE-RSA-AES256-GCM-SHA384 - // ECDHE-ECDSA-AES256-SHA - // ECDHE-RSA-AES256-SHA - // AES256-GCM-SHA384 - // AES256-SHA - // - // In non-FIPS builds, the default client cipher list is: - // - // .. code-block:: none - // - // [ECDHE-ECDSA-AES128-GCM-SHA256|ECDHE-ECDSA-CHACHA20-POLY1305] - // [ECDHE-RSA-AES128-GCM-SHA256|ECDHE-RSA-CHACHA20-POLY1305] - // ECDHE-ECDSA-AES256-GCM-SHA384 - // ECDHE-RSA-AES256-GCM-SHA384 - // - // In builds using :ref:`BoringSSL FIPS `, the default client cipher list is: - // - // .. code-block:: none - // - // ECDHE-ECDSA-AES128-GCM-SHA256 - // ECDHE-RSA-AES128-GCM-SHA256 - // ECDHE-ECDSA-AES256-GCM-SHA384 - // ECDHE-RSA-AES256-GCM-SHA384 - repeated string cipher_suites = 3; - - // If specified, the TLS connection will only support the specified ECDH - // curves. If not specified, the default curves will be used. - // - // In non-FIPS builds, the default curves are: - // - // .. code-block:: none - // - // X25519 - // P-256 - // - // In builds using :ref:`BoringSSL FIPS `, the default curve is: - // - // .. code-block:: none - // - // P-256 - repeated string ecdh_curves = 4; -} - -// BoringSSL private key method configuration. 
The private key methods are used for external -// (potentially asynchronous) signing and decryption operations. Some use cases for private key -// methods would be TPM support and TLS acceleration. -message PrivateKeyProvider { - option (udpa.annotations.versioning).previous_message_type = - "envoy.extensions.transport_sockets.tls.v3.PrivateKeyProvider"; - - reserved 2; - - reserved "config"; - - // Private key method provider name. The name must match a - // supported private key method provider type. - string provider_name = 1 [(validate.rules).string = {min_len: 1}]; - - // Private key method provider specific configuration. - oneof config_type { - google.protobuf.Any typed_config = 3 [(udpa.annotations.sensitive) = true]; - } -} - -// [#next-free-field: 8] -message TlsCertificate { - option (udpa.annotations.versioning).previous_message_type = - "envoy.extensions.transport_sockets.tls.v3.TlsCertificate"; - - // The TLS certificate chain. - // - // If *certificate_chain* is a filesystem path, a watch will be added to the - // parent directory for any file moves to support rotation. This currently - // only applies to dynamic secrets, when the *TlsCertificate* is delivered via - // SDS. - config.core.v4alpha.DataSource certificate_chain = 1; - - // The TLS private key. - // - // If *private_key* is a filesystem path, a watch will be added to the parent - // directory for any file moves to support rotation. This currently only - // applies to dynamic secrets, when the *TlsCertificate* is delivered via SDS. - config.core.v4alpha.DataSource private_key = 2 [(udpa.annotations.sensitive) = true]; - - // If specified, updates of file-based *certificate_chain* and *private_key* - // sources will be triggered by this watch. The certificate/key pair will be - // read together and validated for atomic read consistency (i.e. no - // intervening modification occurred between cert/key read, verified by file - // hash comparisons). 
This allows explicit control over the path watched, by - // default the parent directories of the filesystem paths in - // *certificate_chain* and *private_key* are watched if this field is not - // specified. This only applies when a *TlsCertificate* is delivered by SDS - // with references to filesystem paths. See the :ref:`SDS key rotation - // ` documentation for further details. - config.core.v4alpha.WatchedDirectory watched_directory = 7; - - // BoringSSL private key method provider. This is an alternative to :ref:`private_key - // ` field. This can't be - // marked as ``oneof`` due to API compatibility reasons. Setting both :ref:`private_key - // ` and - // :ref:`private_key_provider - // ` fields will result in an - // error. - PrivateKeyProvider private_key_provider = 6; - - // The password to decrypt the TLS private key. If this field is not set, it is assumed that the - // TLS private key is not password encrypted. - config.core.v4alpha.DataSource password = 3 [(udpa.annotations.sensitive) = true]; - - // The OCSP response to be stapled with this certificate during the handshake. - // The response must be DER-encoded and may only be provided via ``filename`` or - // ``inline_bytes``. The response may pertain to only one certificate. - config.core.v4alpha.DataSource ocsp_staple = 4; - - // [#not-implemented-hide:] - repeated config.core.v4alpha.DataSource signed_certificate_timestamp = 5; -} - -message TlsSessionTicketKeys { - option (udpa.annotations.versioning).previous_message_type = - "envoy.extensions.transport_sockets.tls.v3.TlsSessionTicketKeys"; - - // Keys for encrypting and decrypting TLS session tickets. The - // first key in the array contains the key to encrypt all new sessions created by this context. - // All keys are candidates for decrypting received tickets. This allows for easy rotation of keys - // by, for example, putting the new key first, and the previous key second. 
- // - // If :ref:`session_ticket_keys ` - // is not specified, the TLS library will still support resuming sessions via tickets, but it will - // use an internally-generated and managed key, so sessions cannot be resumed across hot restarts - // or on different hosts. - // - // Each key must contain exactly 80 bytes of cryptographically-secure random data. For - // example, the output of ``openssl rand 80``. - // - // .. attention:: - // - // Using this feature has serious security considerations and risks. Improper handling of keys - // may result in loss of secrecy in connections, even if ciphers supporting perfect forward - // secrecy are used. See https://www.imperialviolet.org/2013/06/27/botchingpfs.html for some - // discussion. To minimize the risk, you must: - // - // * Keep the session ticket keys at least as secure as your TLS certificate private keys - // * Rotate session ticket keys at least daily, and preferably hourly - // * Always generate keys using a cryptographically-secure random data source - repeated config.core.v4alpha.DataSource keys = 1 - [(validate.rules).repeated = {min_items: 1}, (udpa.annotations.sensitive) = true]; -} - -// Indicates a certificate to be obtained from a named CertificateProvider plugin instance. -// The plugin instances are defined in the client's bootstrap file. -// The plugin allows certificates to be fetched/refreshed over the network asynchronously with -// respect to the TLS handshake. -// [#not-implemented-hide:] -message CertificateProviderPluginInstance { - option (udpa.annotations.versioning).previous_message_type = - "envoy.extensions.transport_sockets.tls.v3.CertificateProviderPluginInstance"; - - // Provider instance name. If not present, defaults to "default". - // - // Instance names should generally be defined not in terms of the underlying provider - // implementation (e.g., "file_watcher") but rather in terms of the function of the - // certificates (e.g., "foo_deployment_identity"). 
- string instance_name = 1; - - // Opaque name used to specify certificate instances or types. For example, "ROOTCA" to specify - // a root-certificate (validation context) or "example.com" to specify a certificate for a - // particular domain. Not all provider instances will actually use this field, so the value - // defaults to the empty string. - string certificate_name = 2; -} - -// [#next-free-field: 14] -message CertificateValidationContext { - option (udpa.annotations.versioning).previous_message_type = - "envoy.extensions.transport_sockets.tls.v3.CertificateValidationContext"; - - // Peer certificate verification mode. - enum TrustChainVerification { - // Perform default certificate verification (e.g., against CA / verification lists) - VERIFY_TRUST_CHAIN = 0; - - // Connections where the certificate fails verification will be permitted. - // For HTTP connections, the result of certificate verification can be used in route matching. ( - // see :ref:`validated ` ). - ACCEPT_UNTRUSTED = 1; - } - - reserved 4, 5; - - reserved "verify_subject_alt_name"; - - oneof ca_cert_source { - // TLS certificate data containing certificate authority certificates to use in verifying - // a presented peer certificate (e.g. server certificate for clusters or client certificate - // for listeners). If not specified and a peer certificate is presented it will not be - // verified. By default, a client certificate is optional, unless one of the additional - // options (:ref:`require_client_certificate - // `, - // :ref:`verify_certificate_spki - // `, - // :ref:`verify_certificate_hash - // `, or - // :ref:`match_subject_alt_names - // `) is also - // specified. - // - // It can optionally contain certificate revocation lists, in which case Envoy will verify - // that the presented peer certificate has not been revoked by one of the included CRLs. 
Note - // that if a CRL is provided for any certificate authority in a trust chain, a CRL must be - // provided for all certificate authorities in that chain. Failure to do so will result in - // verification failure for both revoked and unrevoked certificates from that chain. - // - // See :ref:`the TLS overview ` for a list of common - // system CA locations. - // - // If *trusted_ca* is a filesystem path, a watch will be added to the parent - // directory for any file moves to support rotation. This currently only - // applies to dynamic secrets, when the *CertificateValidationContext* is - // delivered via SDS. - // - // Only one of *trusted_ca* and *ca_certificate_provider_instance* may be specified. - // - // [#next-major-version: This field and watched_directory below should ideally be moved into a - // separate sub-message, since there's no point in specifying the latter field without this one.] - config.core.v4alpha.DataSource trusted_ca = 1; - - // Certificate provider instance for fetching TLS certificates. - // - // Only one of *trusted_ca* and *ca_certificate_provider_instance* may be specified. - // [#not-implemented-hide:] - CertificateProviderPluginInstance ca_certificate_provider_instance = 13; - } - - // If specified, updates of a file-based *trusted_ca* source will be triggered - // by this watch. This allows explicit control over the path watched, by - // default the parent directory of the filesystem path in *trusted_ca* is - // watched if this field is not specified. This only applies when a - // *CertificateValidationContext* is delivered by SDS with references to - // filesystem paths. See the :ref:`SDS key rotation ` - // documentation for further details. - config.core.v4alpha.WatchedDirectory watched_directory = 11; - - // An optional list of base64-encoded SHA-256 hashes. 
If specified, Envoy will verify that the - // SHA-256 of the DER-encoded Subject Public Key Information (SPKI) of the presented certificate - // matches one of the specified values. - // - // A base64-encoded SHA-256 of the Subject Public Key Information (SPKI) of the certificate - // can be generated with the following command: - // - // .. code-block:: bash - // - // $ openssl x509 -in path/to/client.crt -noout -pubkey - // | openssl pkey -pubin -outform DER - // | openssl dgst -sha256 -binary - // | openssl enc -base64 - // NvqYIYSbgK2vCJpQhObf77vv+bQWtc5ek5RIOwPiC9A= - // - // This is the format used in HTTP Public Key Pinning. - // - // When both: - // :ref:`verify_certificate_hash - // ` and - // :ref:`verify_certificate_spki - // ` are specified, - // a hash matching value from either of the lists will result in the certificate being accepted. - // - // .. attention:: - // - // This option is preferred over :ref:`verify_certificate_hash - // `, - // because SPKI is tied to a private key, so it doesn't change when the certificate - // is renewed using the same private key. - repeated string verify_certificate_spki = 3 - [(validate.rules).repeated = {items {string {min_len: 44 max_bytes: 44}}}]; - - // An optional list of hex-encoded SHA-256 hashes. If specified, Envoy will verify that - // the SHA-256 of the DER-encoded presented certificate matches one of the specified values. - // - // A hex-encoded SHA-256 of the certificate can be generated with the following command: - // - // .. code-block:: bash - // - // $ openssl x509 -in path/to/client.crt -outform DER | openssl dgst -sha256 | cut -d" " -f2 - // df6ff72fe9116521268f6f2dd4966f51df479883fe7037b39f75916ac3049d1a - // - // A long hex-encoded and colon-separated SHA-256 (a.k.a. "fingerprint") of the certificate - // can be generated with the following command: - // - // .. 
code-block:: bash - // - // $ openssl x509 -in path/to/client.crt -noout -fingerprint -sha256 | cut -d"=" -f2 - // DF:6F:F7:2F:E9:11:65:21:26:8F:6F:2D:D4:96:6F:51:DF:47:98:83:FE:70:37:B3:9F:75:91:6A:C3:04:9D:1A - // - // Both of those formats are acceptable. - // - // When both: - // :ref:`verify_certificate_hash - // ` and - // :ref:`verify_certificate_spki - // ` are specified, - // a hash matching value from either of the lists will result in the certificate being accepted. - repeated string verify_certificate_hash = 2 - [(validate.rules).repeated = {items {string {min_len: 64 max_bytes: 95}}}]; - - // An optional list of Subject Alternative name matchers. If specified, Envoy will verify that the - // Subject Alternative Name of the presented certificate matches one of the specified matchers. - // - // When a certificate has wildcard DNS SAN entries, to match a specific client, it should be - // configured with exact match type in the :ref:`string matcher `. - // For example if the certificate has "\*.example.com" as DNS SAN entry, to allow only "api.example.com", - // it should be configured as shown below. - // - // .. code-block:: yaml - // - // match_subject_alt_names: - // exact: "api.example.com" - // - // .. attention:: - // - // Subject Alternative Names are easily spoofable and verifying only them is insecure, - // therefore this option must be used together with :ref:`trusted_ca - // `. - repeated type.matcher.v4alpha.StringMatcher match_subject_alt_names = 9; - - // [#not-implemented-hide:] Must present signed certificate time-stamp. - google.protobuf.BoolValue require_signed_certificate_timestamp = 6; - - // An optional `certificate revocation list - // `_ - // (in PEM format). If specified, Envoy will verify that the presented peer - // certificate has not been revoked by this CRL. If this DataSource contains - // multiple CRLs, all of them will be used. 
Note that if a CRL is provided - // for any certificate authority in a trust chain, a CRL must be provided - // for all certificate authorities in that chain. Failure to do so will - // result in verification failure for both revoked and unrevoked certificates - // from that chain. - config.core.v4alpha.DataSource crl = 7; - - // If specified, Envoy will not reject expired certificates. - bool allow_expired_certificate = 8; - - // Certificate trust chain verification mode. - TrustChainVerification trust_chain_verification = 10 - [(validate.rules).enum = {defined_only: true}]; - - // The configuration of an extension specific certificate validator. - // If specified, all validation is done by the specified validator, - // and the behavior of all other validation settings is defined by the specified validator (and may be entirely ignored, unused, and unvalidated). - // Refer to the documentation for the specified validator. If you do not want a custom validation algorithm, do not set this field. - // [#extension-category: envoy.tls.cert_validator] - config.core.v4alpha.TypedExtensionConfig custom_validator_config = 12; -} diff --git a/api/envoy/extensions/transport_sockets/tls/v4alpha/secret.proto b/api/envoy/extensions/transport_sockets/tls/v4alpha/secret.proto deleted file mode 100644 index 5bb8c86b9438..000000000000 --- a/api/envoy/extensions/transport_sockets/tls/v4alpha/secret.proto +++ /dev/null 
@@ -1,58 +0,0 @@ -syntax = "proto3"; - -package envoy.extensions.transport_sockets.tls.v4alpha; - -import "envoy/config/core/v4alpha/base.proto"; -import "envoy/config/core/v4alpha/config_source.proto"; -import "envoy/extensions/transport_sockets/tls/v4alpha/common.proto"; - -import "udpa/annotations/sensitive.proto"; -import "udpa/annotations/status.proto"; -import "udpa/annotations/versioning.proto"; -import "validate/validate.proto"; - -option java_package = "io.envoyproxy.envoy.extensions.transport_sockets.tls.v4alpha"; -option java_outer_classname = "SecretProto"; -option java_multiple_files = true; -option (udpa.annotations.file_status).package_version_status = NEXT_MAJOR_VERSION_CANDIDATE; - -// [#protodoc-title: Secrets configuration] - -message GenericSecret { - option (udpa.annotations.versioning).previous_message_type = - "envoy.extensions.transport_sockets.tls.v3.GenericSecret"; - - // Secret of generic type and is available to filters. - config.core.v4alpha.DataSource secret = 1 [(udpa.annotations.sensitive) = true]; -} - -message SdsSecretConfig { - option (udpa.annotations.versioning).previous_message_type = - "envoy.extensions.transport_sockets.tls.v3.SdsSecretConfig"; - - // Name by which the secret can be uniquely referred to. When both name and config are specified, - // then secret can be fetched and/or reloaded via SDS. When only name is specified, then secret - // will be loaded from static resources. - string name = 1 [(validate.rules).string = {min_len: 1}]; - - config.core.v4alpha.ConfigSource sds_config = 2; -} - -// [#next-free-field: 6] -message Secret { - option (udpa.annotations.versioning).previous_message_type = - "envoy.extensions.transport_sockets.tls.v3.Secret"; - - // Name (FQDN, UUID, SPKI, SHA256, etc.) by which the secret can be uniquely referred to. 
- string name = 1; - - oneof type { - TlsCertificate tls_certificate = 2; - - TlsSessionTicketKeys session_ticket_keys = 3; - - CertificateValidationContext validation_context = 4; - - GenericSecret generic_secret = 5; - } -} diff --git a/api/envoy/extensions/transport_sockets/tls/v4alpha/tls.proto b/api/envoy/extensions/transport_sockets/tls/v4alpha/tls.proto deleted file mode 100644 index 0a7d92671499..000000000000 --- a/api/envoy/extensions/transport_sockets/tls/v4alpha/tls.proto +++ /dev/null 
@@ -1,285 +0,0 @@ -syntax = "proto3"; - -package envoy.extensions.transport_sockets.tls.v4alpha; - -import "envoy/config/core/v4alpha/extension.proto"; -import "envoy/extensions/transport_sockets/tls/v4alpha/common.proto"; -import "envoy/extensions/transport_sockets/tls/v4alpha/secret.proto"; - -import "google/protobuf/duration.proto"; -import "google/protobuf/wrappers.proto"; - -import "udpa/annotations/status.proto"; -import "udpa/annotations/versioning.proto"; -import "validate/validate.proto"; - -option java_package = "io.envoyproxy.envoy.extensions.transport_sockets.tls.v4alpha"; -option java_outer_classname = "TlsProto"; -option java_multiple_files = true; -option (udpa.annotations.file_status).package_version_status = NEXT_MAJOR_VERSION_CANDIDATE; - -// [#protodoc-title: TLS transport socket] -// [#extension: envoy.transport_sockets.tls] -// The TLS contexts below provide the transport socket configuration for upstream/downstream TLS. - -message UpstreamTlsContext { - option (udpa.annotations.versioning).previous_message_type = - "envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext"; - - // Common TLS context settings. - // - // .. attention:: - // - // Server certificate verification is not enabled by default. Configure - // :ref:`trusted_ca` to enable - // verification. - CommonTlsContext common_tls_context = 1; - - // SNI string to use when creating TLS backend connections. - string sni = 2 [(validate.rules).string = {max_bytes: 255}]; - - // If true, server-initiated TLS renegotiation will be allowed. - // - // .. attention:: - // - // TLS renegotiation is considered insecure and shouldn't be used unless absolutely necessary. - bool allow_renegotiation = 3; - - // Maximum number of session keys (Pre-Shared Keys for TLSv1.3+, Session IDs and Session Tickets - // for TLSv1.2 and older) to store for the purpose of session resumption. - // - // Defaults to 1, setting this to 0 disables session resumption. 
- google.protobuf.UInt32Value max_session_keys = 4; -} - -// [#next-free-field: 9] -message DownstreamTlsContext { - option (udpa.annotations.versioning).previous_message_type = - "envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext"; - - enum OcspStaplePolicy { - // OCSP responses are optional. If an OCSP response is absent - // or expired, the associated certificate will be used for - // connections without an OCSP staple. - LENIENT_STAPLING = 0; - - // OCSP responses are optional. If an OCSP response is absent, - // the associated certificate will be used without an - // OCSP staple. If a response is provided but is expired, - // the associated certificate will not be used for - // subsequent connections. If no suitable certificate is found, - // the connection is rejected. - STRICT_STAPLING = 1; - - // OCSP responses are required. Configuration will fail if - // a certificate is provided without an OCSP response. If a - // response expires, the associated certificate will not be - // used connections. If no suitable certificate is found, the - // connection is rejected. - MUST_STAPLE = 2; - } - - // Common TLS context settings. - CommonTlsContext common_tls_context = 1; - - // If specified, Envoy will reject connections without a valid client - // certificate. - google.protobuf.BoolValue require_client_certificate = 2; - - // If specified, Envoy will reject connections without a valid and matching SNI. - // [#not-implemented-hide:] - google.protobuf.BoolValue require_sni = 3; - - oneof session_ticket_keys_type { - // TLS session ticket key settings. - TlsSessionTicketKeys session_ticket_keys = 4; - - // Config for fetching TLS session ticket keys via SDS API. - SdsSecretConfig session_ticket_keys_sds_secret_config = 5; - - // Config for controlling stateless TLS session resumption: setting this to true will cause the TLS - // server to not issue TLS session tickets for the purposes of stateless TLS session resumption. 
- // If set to false, the TLS server will issue TLS session tickets and encrypt/decrypt them using - // the keys specified through either :ref:`session_ticket_keys ` - // or :ref:`session_ticket_keys_sds_secret_config `. - // If this config is set to false and no keys are explicitly configured, the TLS server will issue - // TLS session tickets and encrypt/decrypt them using an internally-generated and managed key, with the - // implication that sessions cannot be resumed across hot restarts or on different hosts. - bool disable_stateless_session_resumption = 7; - } - - // If specified, session_timeout will change maximum lifetime (in seconds) of TLS session - // Currently this value is used as a hint to `TLS session ticket lifetime (for TLSv1.2) - // ` - // only seconds could be specified (fractional seconds are going to be ignored). - google.protobuf.Duration session_timeout = 6 [(validate.rules).duration = { - lt {seconds: 4294967296} - gte {} - }]; - - // Config for whether to use certificates if they do not have - // an accompanying OCSP response or if the response expires at runtime. - // Defaults to LENIENT_STAPLING - OcspStaplePolicy ocsp_staple_policy = 8 [(validate.rules).enum = {defined_only: true}]; -} - -// TLS context shared by both client and server TLS contexts. -// [#next-free-field: 15] -message CommonTlsContext { - option (udpa.annotations.versioning).previous_message_type = - "envoy.extensions.transport_sockets.tls.v3.CommonTlsContext"; - - // Config for Certificate provider to get certificates. This provider should allow certificates to be - // fetched/refreshed over the network asynchronously with respect to the TLS handshake. - // - // DEPRECATED: This message is not currently used, but if we ever do need it, we will want to - // move it out of CommonTlsContext and into common.proto, similar to the existing - // CertificateProviderPluginInstance message. 
- // - // [#not-implemented-hide:] - message CertificateProvider { - option (udpa.annotations.versioning).previous_message_type = - "envoy.extensions.transport_sockets.tls.v3.CommonTlsContext.CertificateProvider"; - - // opaque name used to specify certificate instances or types. For example, "ROOTCA" to specify - // a root-certificate (validation context) or "TLS" to specify a new tls-certificate. - string name = 1 [(validate.rules).string = {min_len: 1}]; - - // Provider specific config. - // Note: an implementation is expected to dedup multiple instances of the same config - // to maintain a single certificate-provider instance. The sharing can happen, for - // example, among multiple clusters or between the tls_certificate and validation_context - // certificate providers of a cluster. - // This config could be supplied inline or (in future) a named xDS resource. - oneof config { - option (validate.required) = true; - - config.core.v4alpha.TypedExtensionConfig typed_config = 2; - } - } - - // Similar to CertificateProvider above, but allows the provider instances to be configured on - // the client side instead of being sent from the control plane. - // - // DEPRECATED: This message was moved outside of CommonTlsContext - // and now lives in common.proto. - // - // [#not-implemented-hide:] - message CertificateProviderInstance { - option (udpa.annotations.versioning).previous_message_type = - "envoy.extensions.transport_sockets.tls.v3.CommonTlsContext.CertificateProviderInstance"; - - // Provider instance name. This name must be defined in the client's configuration (e.g., a - // bootstrap file) to correspond to a provider instance (i.e., the same data in the typed_config - // field that would be sent in the CertificateProvider message if the config was sent by the - // control plane). If not present, defaults to "default". 
- // - // Instance names should generally be defined not in terms of the underlying provider - // implementation (e.g., "file_watcher") but rather in terms of the function of the - // certificates (e.g., "foo_deployment_identity"). - string instance_name = 1; - - // Opaque name used to specify certificate instances or types. For example, "ROOTCA" to specify - // a root-certificate (validation context) or "example.com" to specify a certificate for a - // particular domain. Not all provider instances will actually use this field, so the value - // defaults to the empty string. - string certificate_name = 2; - } - - message CombinedCertificateValidationContext { - option (udpa.annotations.versioning).previous_message_type = - "envoy.extensions.transport_sockets.tls.v3.CommonTlsContext." - "CombinedCertificateValidationContext"; - - reserved 3, 4; - - reserved "validation_context_certificate_provider", - "validation_context_certificate_provider_instance"; - - // How to validate peer certificates. - CertificateValidationContext default_validation_context = 1 - [(validate.rules).message = {required: true}]; - - // Config for fetching validation context via SDS API. Note SDS API allows certificates to be - // fetched/refreshed over the network asynchronously with respect to the TLS handshake. - SdsSecretConfig validation_context_sds_secret_config = 2 - [(validate.rules).message = {required: true}]; - } - - reserved 5, 9, 11, 10, 12; - - reserved "tls_certificate_certificate_provider", "tls_certificate_certificate_provider_instance", - "validation_context_certificate_provider", "validation_context_certificate_provider_instance"; - - // TLS protocol versions, cipher suites etc. - TlsParameters tls_params = 1; - - // :ref:`Multiple TLS certificates ` can be associated with the - // same context to allow both RSA and ECDSA certificates. - // - // Only a single TLS certificate is supported in client contexts. 
In server contexts, the first - // RSA certificate is used for clients that only support RSA and the first ECDSA certificate is - // used for clients that support ECDSA. - // - // Only one of *tls_certificates*, *tls_certificate_sds_secret_configs*, - // and *tls_certificate_provider_instance* may be used. - // [#next-major-version: These mutually exclusive fields should ideally be in a oneof, but it's - // not legal to put a repeated field in a oneof. In the next major version, we should rework - // this to avoid this problem.] - repeated TlsCertificate tls_certificates = 2; - - // Configs for fetching TLS certificates via SDS API. Note SDS API allows certificates to be - // fetched/refreshed over the network asynchronously with respect to the TLS handshake. - // - // The same number and types of certificates as :ref:`tls_certificates ` - // are valid in the the certificates fetched through this setting. - // - // Only one of *tls_certificates*, *tls_certificate_sds_secret_configs*, - // and *tls_certificate_provider_instance* may be used. - // [#next-major-version: These mutually exclusive fields should ideally be in a oneof, but it's - // not legal to put a repeated field in a oneof. In the next major version, we should rework - // this to avoid this problem.] - repeated SdsSecretConfig tls_certificate_sds_secret_configs = 6 - [(validate.rules).repeated = {max_items: 2}]; - - // Certificate provider instance for fetching TLS certs. - // - // Only one of *tls_certificates*, *tls_certificate_sds_secret_configs*, - // and *tls_certificate_provider_instance* may be used. - // [#not-implemented-hide:] - CertificateProviderPluginInstance tls_certificate_provider_instance = 14; - - oneof validation_context_type { - // How to validate peer certificates. - CertificateValidationContext validation_context = 3; - - // Config for fetching validation context via SDS API. 
Note SDS API allows certificates to be - // fetched/refreshed over the network asynchronously with respect to the TLS handshake. - SdsSecretConfig validation_context_sds_secret_config = 7; - - // Combined certificate validation context holds a default CertificateValidationContext - // and SDS config. When SDS server returns dynamic CertificateValidationContext, both dynamic - // and default CertificateValidationContext are merged into a new CertificateValidationContext - // for validation. This merge is done by Message::MergeFrom(), so dynamic - // CertificateValidationContext overwrites singular fields in default - // CertificateValidationContext, and concatenates repeated fields to default - // CertificateValidationContext, and logical OR is applied to boolean fields. - CombinedCertificateValidationContext combined_validation_context = 8; - } - - // Supplies the list of ALPN protocols that the listener should expose. In - // practice this is likely to be set to one of two values (see the - // :ref:`codec_type - // ` - // parameter in the HTTP connection manager for more information): - // - // * "h2,http/1.1" If the listener is going to support both HTTP/2 and HTTP/1.1. - // * "http/1.1" If the listener is only going to support HTTP/1.1. - // - // There is no default for this parameter. If empty, Envoy will not expose ALPN. - repeated string alpn_protocols = 4; - - // Custom TLS handshaker. If empty, defaults to native TLS handshaking - // behavior. - config.core.v4alpha.TypedExtensionConfig custom_handshaker = 13; -} diff --git a/api/envoy/extensions/transport_sockets/tls/v4alpha/tls_spiffe_validator_config.proto b/api/envoy/extensions/transport_sockets/tls/v4alpha/tls_spiffe_validator_config.proto deleted file mode 100644 index 8191318930be..000000000000 --- a/api/envoy/extensions/transport_sockets/tls/v4alpha/tls_spiffe_validator_config.proto +++ /dev/null 
@@ -1,66 +0,0 @@ -syntax = "proto3"; - -package envoy.extensions.transport_sockets.tls.v4alpha; - -import "envoy/config/core/v4alpha/base.proto"; - -import "udpa/annotations/status.proto"; -import "udpa/annotations/versioning.proto"; -import "validate/validate.proto"; - -option java_package = "io.envoyproxy.envoy.extensions.transport_sockets.tls.v4alpha"; -option java_outer_classname = "TlsSpiffeValidatorConfigProto"; -option java_multiple_files = true; -option (udpa.annotations.file_status).package_version_status = NEXT_MAJOR_VERSION_CANDIDATE; - -// [#protodoc-title: SPIFFE Certificate Validator] -// [#extension: envoy.tls.cert_validator.spiffe] - -// Configuration specific to the `SPIFFE `_ certificate validator. -// -// Example: -// -// .. validated-code-block:: yaml -// :type-name: envoy.extensions.transport_sockets.tls.v3.CertificateValidationContext -// -// custom_validator_config: -// name: envoy.tls.cert_validator.spiffe -// typed_config: -// "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.SPIFFECertValidatorConfig -// trust_domains: -// - name: foo.com -// trust_bundle: -// filename: "foo.pem" -// - name: envoy.com -// trust_bundle: -// filename: "envoy.pem" -// -// In this example, a presented peer certificate whose SAN matches `spiffe//foo.com/**` is validated against -// the "foo.pem" x.509 certificate. All the trust bundles are isolated from each other, so no trust domain can mint -// a SVID belonging to another trust domain. That means, in this example, a SVID signed by `envoy.com`'s CA with `spiffe//foo.com/**` -// SAN would be rejected since Envoy selects the trust bundle according to the presented SAN before validate the certificate. -// -// Note that SPIFFE validator inherits and uses the following options from :ref:`CertificateValidationContext `. -// -// - :ref:`allow_expired_certificate ` to allow expired certificates. -// - :ref:`match_subject_alt_names ` to match **URI** SAN of certificates. 
Unlike the default validator, SPIFFE validator only matches **URI** SAN (which equals to SVID in SPIFFE terminology) and ignore other SAN types. -// -message SPIFFECertValidatorConfig { - option (udpa.annotations.versioning).previous_message_type = - "envoy.extensions.transport_sockets.tls.v3.SPIFFECertValidatorConfig"; - - message TrustDomain { - option (udpa.annotations.versioning).previous_message_type = - "envoy.extensions.transport_sockets.tls.v3.SPIFFECertValidatorConfig.TrustDomain"; - - // Name of the trust domain, `example.com`, `foo.bar.gov` for example. - // Note that this must *not* have "spiffe://" prefix. - string name = 1 [(validate.rules).string = {min_len: 1}]; - - // Specify a data source holding x.509 trust bundle used for validating incoming SVID(s) in this trust domain. - config.core.v4alpha.DataSource trust_bundle = 2; - } - - // This field specifies trust domains used for validating incoming X.509-SVID(s). - repeated TrustDomain trust_domains = 1 [(validate.rules).repeated = {min_items: 1}]; -} diff --git a/api/envoy/extensions/upstreams/http/v4alpha/BUILD b/api/envoy/extensions/upstreams/http/v4alpha/BUILD deleted file mode 100644 index 3b00c0d6e6f2..000000000000 --- a/api/envoy/extensions/upstreams/http/v4alpha/BUILD +++ /dev/null @@ -1,13 +0,0 @@ -# DO NOT EDIT. This file is generated by tools/proto_format/proto_sync.py. - -load("@envoy_api//bazel:api_build_system.bzl", "api_proto_package") - -licenses(["notice"]) # Apache 2 - -api_proto_package( - deps = [ - "//envoy/config/core/v4alpha:pkg", - "//envoy/extensions/upstreams/http/v3:pkg", - "@com_github_cncf_udpa//udpa/annotations:pkg", - ], -) diff --git a/api/envoy/extensions/upstreams/http/v4alpha/http_protocol_options.proto b/api/envoy/extensions/upstreams/http/v4alpha/http_protocol_options.proto deleted file mode 100644 index d69966ef92d3..000000000000 --- a/api/envoy/extensions/upstreams/http/v4alpha/http_protocol_options.proto +++ /dev/null 
@@ -1,164 +0,0 @@ -syntax = "proto3"; - -package envoy.extensions.upstreams.http.v4alpha; - -import "envoy/config/core/v4alpha/protocol.proto"; - -import "udpa/annotations/status.proto"; -import "udpa/annotations/versioning.proto"; -import "validate/validate.proto"; - -option java_package = "io.envoyproxy.envoy.extensions.upstreams.http.v4alpha"; -option java_outer_classname = "HttpProtocolOptionsProto"; -option java_multiple_files = true; -option (udpa.annotations.file_status).package_version_status = NEXT_MAJOR_VERSION_CANDIDATE; - -// [#protodoc-title: HTTP Protocol Options] -// [#extension: envoy.upstreams.http.http_protocol_options] - -// HttpProtocolOptions specifies Http upstream protocol options. This object -// is used in -// :ref:`typed_extension_protocol_options`, -// keyed by the name `envoy.extensions.upstreams.http.v3.HttpProtocolOptions`. -// -// This controls what protocol(s) should be used for upstream and how said protocol(s) are configured. -// -// This replaces the prior pattern of explicit protocol configuration directly -// in the cluster. So a configuration like this, explicitly configuring the use of HTTP/2 upstream: -// -// .. code:: -// -// clusters: -// - name: some_service -// connect_timeout: 5s -// upstream_http_protocol_options: -// auto_sni: true -// common_http_protocol_options: -// idle_timeout: 1s -// http2_protocol_options: -// max_concurrent_streams: 100 -// .... [further cluster config] -// -// Would now look like this: -// -// .. code:: -// -// clusters: -// - name: some_service -// connect_timeout: 5s -// typed_extension_protocol_options: -// envoy.extensions.upstreams.http.v3.HttpProtocolOptions: -// "@type": type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions -// upstream_http_protocol_options: -// auto_sni: true -// common_http_protocol_options: -// idle_timeout: 1s -// explicit_http_config: -// http2_protocol_options: -// max_concurrent_streams: 100 -// .... 
[further cluster config] -// [#next-free-field: 6] -message HttpProtocolOptions { - option (udpa.annotations.versioning).previous_message_type = - "envoy.extensions.upstreams.http.v3.HttpProtocolOptions"; - - // If this is used, the cluster will only operate on one of the possible upstream protocols. - // Note that HTTP/2 or above should generally be used for upstream gRPC clusters. - message ExplicitHttpConfig { - option (udpa.annotations.versioning).previous_message_type = - "envoy.extensions.upstreams.http.v3.HttpProtocolOptions.ExplicitHttpConfig"; - - oneof protocol_config { - option (validate.required) = true; - - config.core.v4alpha.Http1ProtocolOptions http_protocol_options = 1; - - config.core.v4alpha.Http2ProtocolOptions http2_protocol_options = 2; - - // .. warning:: - // QUIC support is currently alpha and should be used with caution. Please - // see :ref:`here ` for details. - config.core.v4alpha.Http3ProtocolOptions http3_protocol_options = 3; - } - } - - // If this is used, the cluster can use either of the configured protocols, and - // will use whichever protocol was used by the downstream connection. - // - // If HTTP/3 is configured for downstream and not configured for upstream, - // HTTP/3 requests will fail over to HTTP/2. - message UseDownstreamHttpConfig { - option (udpa.annotations.versioning).previous_message_type = - "envoy.extensions.upstreams.http.v3.HttpProtocolOptions.UseDownstreamHttpConfig"; - - config.core.v4alpha.Http1ProtocolOptions http_protocol_options = 1; - - config.core.v4alpha.Http2ProtocolOptions http2_protocol_options = 2; - - // .. warning:: - // QUIC support is currently alpha and should be used with caution. Please - // see :ref:`here ` for details. - config.core.v4alpha.Http3ProtocolOptions http3_protocol_options = 3; - } - - // If this is used, the cluster can use either HTTP/1 or HTTP/2, and will use whichever - // protocol is negotiated by ALPN with the upstream. 
- // Clusters configured with *AutoHttpConfig* will use the highest available - // protocol; HTTP/2 if supported, otherwise HTTP/1. - // If the upstream does not support ALPN, *AutoHttpConfig* will fail over to HTTP/1. - // This can only be used with transport sockets which support ALPN. Using a - // transport socket which does not support ALPN will result in configuration - // failure. The transport layer may be configured with custom ALPN, but the default ALPN - // for the cluster (or if custom ALPN fails) will be "h2,http/1.1". - message AutoHttpConfig { - option (udpa.annotations.versioning).previous_message_type = - "envoy.extensions.upstreams.http.v3.HttpProtocolOptions.AutoHttpConfig"; - - config.core.v4alpha.Http1ProtocolOptions http_protocol_options = 1; - - config.core.v4alpha.Http2ProtocolOptions http2_protocol_options = 2; - - // Unlike HTTP/1 and HTTP/2, HTTP/3 will not be configured unless it is - // present, and (soon) only if there is an indication of server side - // support. - // See :ref:`here ` for more information on - // when HTTP/3 will be used, and when Envoy will fail over to TCP. - // - // .. warning:: - // QUIC support is currently alpha and should be used with caution. Please - // see :ref:`here ` for details. - // AutoHttpConfig config is undergoing especially rapid change and as it - // is alpha is not guaranteed to be API-stable. - config.core.v4alpha.Http3ProtocolOptions http3_protocol_options = 3; - - // [#not-implemented-hide:] - // The presence of alternate protocols cache options causes the use of the - // alternate protocols cache, which is responsible for parsing and caching - // HTTP Alt-Svc headers. This enables the use of HTTP/3 for origins that - // advertise supporting it. - // TODO(RyanTheOptimist): Make this field required when HTTP/3 is enabled. 
- config.core.v4alpha.AlternateProtocolsCacheOptions alternate_protocols_cache_options = 4; - } - - // This contains options common across HTTP/1 and HTTP/2 - config.core.v4alpha.HttpProtocolOptions common_http_protocol_options = 1; - - // This contains common protocol options which are only applied upstream. - config.core.v4alpha.UpstreamHttpProtocolOptions upstream_http_protocol_options = 2; - - // This controls the actual protocol to be used upstream. - oneof upstream_protocol_options { - option (validate.required) = true; - - // To explicitly configure either HTTP/1 or HTTP/2 (but not both!) use *explicit_http_config*. - // If the *explicit_http_config* is empty, HTTP/1.1 is used. - ExplicitHttpConfig explicit_http_config = 3; - - // This allows switching on protocol based on what protocol the downstream - // connection used. - UseDownstreamHttpConfig use_downstream_protocol_config = 4; - - // This allows switching on protocol based on ALPN - AutoHttpConfig auto_config = 5; - } -} diff --git a/api/envoy/service/accesslog/v4alpha/BUILD b/api/envoy/service/accesslog/v4alpha/BUILD deleted file mode 100644 index 94c70bc66967..000000000000 --- a/api/envoy/service/accesslog/v4alpha/BUILD +++ /dev/null @@ -1,15 +0,0 @@ -# DO NOT EDIT. This file is generated by tools/proto_format/proto_sync.py. - -load("@envoy_api//bazel:api_build_system.bzl", "api_proto_package") - -licenses(["notice"]) # Apache 2 - -api_proto_package( - has_services = True, - deps = [ - "//envoy/config/core/v4alpha:pkg", - "//envoy/data/accesslog/v3:pkg", - "//envoy/service/accesslog/v3:pkg", - "@com_github_cncf_udpa//udpa/annotations:pkg", - ], -) diff --git a/api/envoy/service/accesslog/v4alpha/als.proto b/api/envoy/service/accesslog/v4alpha/als.proto deleted file mode 100644 index ab0ba0e15213..000000000000 --- a/api/envoy/service/accesslog/v4alpha/als.proto +++ /dev/null 
@@ -1,87 +0,0 @@ -syntax = "proto3"; - -package envoy.service.accesslog.v4alpha; - -import "envoy/config/core/v4alpha/base.proto"; -import "envoy/data/accesslog/v3/accesslog.proto"; - -import "udpa/annotations/status.proto"; -import "udpa/annotations/versioning.proto"; -import "validate/validate.proto"; - -option java_package = "io.envoyproxy.envoy.service.accesslog.v4alpha"; -option java_outer_classname = "AlsProto"; -option java_multiple_files = true; -option java_generic_services = true; -option (udpa.annotations.file_status).package_version_status = NEXT_MAJOR_VERSION_CANDIDATE; - -// [#protodoc-title: gRPC Access Log Service (ALS)] - -// Service for streaming access logs from Envoy to an access log server. -service AccessLogService { - // Envoy will connect and send StreamAccessLogsMessage messages forever. It does not expect any - // response to be sent as nothing would be done in the case of failure. The server should - // disconnect if it expects Envoy to reconnect. In the future we may decide to add a different - // API for "critical" access logs in which Envoy will buffer access logs for some period of time - // until it gets an ACK so it could then retry. This API is designed for high throughput with the - // expectation that it might be lossy. - rpc StreamAccessLogs(stream StreamAccessLogsMessage) returns (StreamAccessLogsResponse) { - } -} - -// Empty response for the StreamAccessLogs API. Will never be sent. See below. -message StreamAccessLogsResponse { - option (udpa.annotations.versioning).previous_message_type = - "envoy.service.accesslog.v3.StreamAccessLogsResponse"; -} - -// Stream message for the StreamAccessLogs API. Envoy will open a stream to the server and stream -// access logs without ever expecting a response. 
-message StreamAccessLogsMessage { - option (udpa.annotations.versioning).previous_message_type = - "envoy.service.accesslog.v3.StreamAccessLogsMessage"; - - message Identifier { - option (udpa.annotations.versioning).previous_message_type = - "envoy.service.accesslog.v3.StreamAccessLogsMessage.Identifier"; - - // The node sending the access log messages over the stream. - config.core.v4alpha.Node node = 1 [(validate.rules).message = {required: true}]; - - // The friendly name of the log configured in :ref:`CommonGrpcAccessLogConfig - // `. - string log_name = 2 [(validate.rules).string = {min_len: 1}]; - } - - // Wrapper for batches of HTTP access log entries. - message HTTPAccessLogEntries { - option (udpa.annotations.versioning).previous_message_type = - "envoy.service.accesslog.v3.StreamAccessLogsMessage.HTTPAccessLogEntries"; - - repeated data.accesslog.v3.HTTPAccessLogEntry log_entry = 1 - [(validate.rules).repeated = {min_items: 1}]; - } - - // Wrapper for batches of TCP access log entries. - message TCPAccessLogEntries { - option (udpa.annotations.versioning).previous_message_type = - "envoy.service.accesslog.v3.StreamAccessLogsMessage.TCPAccessLogEntries"; - - repeated data.accesslog.v3.TCPAccessLogEntry log_entry = 1 - [(validate.rules).repeated = {min_items: 1}]; - } - - // Identifier data that will only be sent in the first message on the stream. This is effectively - // structured metadata and is a performance optimization. - Identifier identifier = 1; - - // Batches of log entries of a single type. Generally speaking, a given stream should only - // ever include one type of log entry. - oneof log_entries { - option (validate.required) = true; - - HTTPAccessLogEntries http_logs = 2; - - TCPAccessLogEntries tcp_logs = 3; - } -} diff --git a/api/envoy/service/auth/v4alpha/BUILD b/api/envoy/service/auth/v4alpha/BUILD deleted file mode 100644 index 0c2b40ee253b..000000000000 --- a/api/envoy/service/auth/v4alpha/BUILD +++ /dev/null 
@@ -1,15 +0,0 @@ -# DO NOT EDIT. This file is generated by tools/proto_format/proto_sync.py. - -load("@envoy_api//bazel:api_build_system.bzl", "api_proto_package") - -licenses(["notice"]) # Apache 2 - -api_proto_package( - has_services = True, - deps = [ - "//envoy/config/core/v4alpha:pkg", - "//envoy/service/auth/v3:pkg", - "//envoy/type/v3:pkg", - "@com_github_cncf_udpa//udpa/annotations:pkg", - ], -) diff --git a/api/envoy/service/auth/v4alpha/attribute_context.proto b/api/envoy/service/auth/v4alpha/attribute_context.proto deleted file mode 100644 index eed7a2e704ad..000000000000 --- a/api/envoy/service/auth/v4alpha/attribute_context.proto +++ /dev/null 
@@ -1,177 +0,0 @@ -syntax = "proto3"; - -package envoy.service.auth.v4alpha; - -import "envoy/config/core/v4alpha/address.proto"; -import "envoy/config/core/v4alpha/base.proto"; - -import "google/protobuf/timestamp.proto"; - -import "udpa/annotations/status.proto"; -import "udpa/annotations/versioning.proto"; - -option java_package = "io.envoyproxy.envoy.service.auth.v4alpha"; -option java_outer_classname = "AttributeContextProto"; -option java_multiple_files = true; -option (udpa.annotations.file_status).package_version_status = NEXT_MAJOR_VERSION_CANDIDATE; - -// [#protodoc-title: Attribute Context ] - -// See :ref:`network filter configuration overview ` -// and :ref:`HTTP filter configuration overview `. - -// An attribute is a piece of metadata that describes an activity on a network. -// For example, the size of an HTTP request, or the status code of an HTTP response. -// -// Each attribute has a type and a name, which is logically defined as a proto message field -// of the `AttributeContext`. The `AttributeContext` is a collection of individual attributes -// supported by Envoy authorization system. -// [#comment: The following items are left out of this proto -// Request.Auth field for jwt tokens -// Request.Api for api management -// Origin peer that originated the request -// Caching Protocol -// request_context return values to inject back into the filter chain -// peer.claims -- from X.509 extensions -// Configuration -// - field mask to send -// - which return values from request_context are copied back -// - which return values are copied into request_headers] -// [#next-free-field: 12] -message AttributeContext { - option (udpa.annotations.versioning).previous_message_type = - "envoy.service.auth.v3.AttributeContext"; - - // This message defines attributes for a node that handles a network request. - // The node can be either a service or an application that sends, forwards, - // or receives the request. 
Service peers should fill in the `service`, - // `principal`, and `labels` as appropriate. - // [#next-free-field: 6] - message Peer { - option (udpa.annotations.versioning).previous_message_type = - "envoy.service.auth.v3.AttributeContext.Peer"; - - // The address of the peer, this is typically the IP address. - // It can also be UDS path, or others. - config.core.v4alpha.Address address = 1; - - // The canonical service name of the peer. - // It should be set to :ref:`the HTTP x-envoy-downstream-service-cluster - // ` - // If a more trusted source of the service name is available through mTLS/secure naming, it - // should be used. - string service = 2; - - // The labels associated with the peer. - // These could be pod labels for Kubernetes or tags for VMs. - // The source of the labels could be an X.509 certificate or other configuration. - map labels = 3; - - // The authenticated identity of this peer. - // For example, the identity associated with the workload such as a service account. - // If an X.509 certificate is used to assert the identity this field should be sourced from - // `URI Subject Alternative Names`, `DNS Subject Alternate Names` or `Subject` in that order. - // The primary identity should be the principal. The principal format is issuer specific. - // - // Example: - // * SPIFFE format is `spiffe://trust-domain/path` - // * Google account format is `https://accounts.google.com/{userid}` - string principal = 4; - - // The X.509 certificate used to authenticate the identify of this peer. - // When present, the certificate contents are encoded in URL and PEM format. - string certificate = 5; - } - - // Represents a network request, such as an HTTP request. - message Request { - option (udpa.annotations.versioning).previous_message_type = - "envoy.service.auth.v3.AttributeContext.Request"; - - // The timestamp when the proxy receives the first byte of the request. 
- google.protobuf.Timestamp time = 1; - - // Represents an HTTP request or an HTTP-like request. - HttpRequest http = 2; - } - - // This message defines attributes for an HTTP request. - // HTTP/1.x, HTTP/2, gRPC are all considered as HTTP requests. - // [#next-free-field: 13] - message HttpRequest { - option (udpa.annotations.versioning).previous_message_type = - "envoy.service.auth.v3.AttributeContext.HttpRequest"; - - // The unique ID for a request, which can be propagated to downstream - // systems. The ID should have low probability of collision - // within a single day for a specific service. - // For HTTP requests, it should be X-Request-ID or equivalent. - string id = 1; - - // The HTTP request method, such as `GET`, `POST`. - string method = 2; - - // The HTTP request headers. If multiple headers share the same key, they - // must be merged according to the HTTP spec. All header keys must be - // lower-cased, because HTTP header keys are case-insensitive. - map headers = 3; - - // The request target, as it appears in the first line of the HTTP request. This includes - // the URL path and query-string. No decoding is performed. - string path = 4; - - // The HTTP request `Host` or 'Authority` header value. - string host = 5; - - // The HTTP URL scheme, such as `http` and `https`. - string scheme = 6; - - // This field is always empty, and exists for compatibility reasons. The HTTP URL query is - // included in `path` field. - string query = 7; - - // This field is always empty, and exists for compatibility reasons. The URL fragment is - // not submitted as part of HTTP requests; it is unknowable. - string fragment = 8; - - // The HTTP request size in bytes. If unknown, it must be -1. - int64 size = 9; - - // The network protocol used with the request, such as "HTTP/1.0", "HTTP/1.1", or "HTTP/2". - // - // See :repo:`headers.h:ProtocolStrings ` for a list of all - // possible values. - string protocol = 10; - - // The HTTP request body. 
- string body = 11; - - // The HTTP request body in bytes. This is used instead of - // :ref:`body ` when - // :ref:`pack_as_bytes ` - // is set to true. - bytes raw_body = 12; - } - - // The source of a network activity, such as starting a TCP connection. - // In a multi hop network activity, the source represents the sender of the - // last hop. - Peer source = 1; - - // The destination of a network activity, such as accepting a TCP connection. - // In a multi hop network activity, the destination represents the receiver of - // the last hop. - Peer destination = 2; - - // Represents a network request, such as an HTTP request. - Request request = 4; - - // This is analogous to http_request.headers, however these contents will not be sent to the - // upstream server. Context_extensions provide an extension mechanism for sending additional - // information to the auth server without modifying the proto definition. It maps to the - // internal opaque context in the filter chain. - map context_extensions = 10; - - // Dynamic metadata associated with the request. - config.core.v4alpha.Metadata metadata_context = 11; -} diff --git a/api/envoy/service/auth/v4alpha/external_auth.proto b/api/envoy/service/auth/v4alpha/external_auth.proto deleted file mode 100644 index f368516c302e..000000000000 --- a/api/envoy/service/auth/v4alpha/external_auth.proto +++ /dev/null 
@@ -1,130 +0,0 @@ -syntax = "proto3"; - -package envoy.service.auth.v4alpha; - -import "envoy/config/core/v4alpha/base.proto"; -import "envoy/service/auth/v4alpha/attribute_context.proto"; -import "envoy/type/v3/http_status.proto"; - -import "google/protobuf/struct.proto"; -import "google/rpc/status.proto"; - -import "udpa/annotations/status.proto"; -import "udpa/annotations/versioning.proto"; -import "validate/validate.proto"; - -option java_package = "io.envoyproxy.envoy.service.auth.v4alpha"; -option java_outer_classname = "ExternalAuthProto"; -option java_multiple_files = true; -option java_generic_services = true; -option (udpa.annotations.file_status).package_version_status = NEXT_MAJOR_VERSION_CANDIDATE; - -// [#protodoc-title: Authorization Service ] - -// The authorization service request messages used by external authorization :ref:`network filter -// ` and :ref:`HTTP filter `. - -// A generic interface for performing authorization check on incoming -// requests to a networked service. -service Authorization { - // Performs authorization check based on the attributes associated with the - // incoming request, and returns status `OK` or not `OK`. - rpc Check(CheckRequest) returns (CheckResponse) { - } -} - -message CheckRequest { - option (udpa.annotations.versioning).previous_message_type = "envoy.service.auth.v3.CheckRequest"; - - // The request attributes. - AttributeContext attributes = 1; -} - -// HTTP attributes for a denied response. -message DeniedHttpResponse { - option (udpa.annotations.versioning).previous_message_type = - "envoy.service.auth.v3.DeniedHttpResponse"; - - // This field allows the authorization service to send a HTTP response status - // code to the downstream client other than 403 (Forbidden). - type.v3.HttpStatus status = 1 [(validate.rules).message = {required: true}]; - - // This field allows the authorization service to send HTTP response headers - // to the downstream client. 
Note that the :ref:`append field in HeaderValueOption ` defaults to - // false when used in this message. - repeated config.core.v4alpha.HeaderValueOption headers = 2; - - // This field allows the authorization service to send a response body data - // to the downstream client. - string body = 3; -} - -// HTTP attributes for an OK response. -// [#next-free-field: 7] -message OkHttpResponse { - option (udpa.annotations.versioning).previous_message_type = - "envoy.service.auth.v3.OkHttpResponse"; - - reserved 3; - - reserved "dynamic_metadata"; - - // HTTP entity headers in addition to the original request headers. This allows the authorization - // service to append, to add or to override headers from the original request before - // dispatching it to the upstream. Note that the :ref:`append field in HeaderValueOption ` defaults to - // false when used in this message. By setting the `append` field to `true`, - // the filter will append the correspondent header value to the matched request header. - // By leaving `append` as false, the filter will either add a new header, or override an existing - // one if there is a match. - repeated config.core.v4alpha.HeaderValueOption headers = 2; - - // HTTP entity headers to remove from the original request before dispatching - // it to the upstream. This allows the authorization service to act on auth - // related headers (like `Authorization`), process them, and consume them. - // Under this model, the upstream will either receive the request (if it's - // authorized) or not receive it (if it's not), but will not see headers - // containing authorization credentials. - // - // Pseudo headers (such as `:authority`, `:method`, `:path` etc), as well as - // the header `Host`, may not be removed as that would make the request - // malformed. If mentioned in `headers_to_remove` these special headers will - // be ignored. 
- // - // When using the HTTP service this must instead be set by the HTTP - // authorization service as a comma separated list like so: - // ``x-envoy-auth-headers-to-remove: one-auth-header, another-auth-header``. - repeated string headers_to_remove = 5; - - // This field allows the authorization service to send HTTP response headers - // to the downstream client on success. Note that the :ref:`append field in HeaderValueOption ` - // defaults to false when used in this message. - repeated config.core.v4alpha.HeaderValueOption response_headers_to_add = 6; -} - -// Intended for gRPC and Network Authorization servers `only`. -message CheckResponse { - option (udpa.annotations.versioning).previous_message_type = - "envoy.service.auth.v3.CheckResponse"; - - // Status `OK` allows the request. Any other status indicates the request should be denied. - google.rpc.Status status = 1; - - // An message that contains HTTP response attributes. This message is - // used when the authorization service needs to send custom responses to the - // downstream client or, to modify/add request headers being dispatched to the upstream. - oneof http_response { - // Supplies http attributes for a denied response. - DeniedHttpResponse denied_response = 2; - - // Supplies http attributes for an ok response. - OkHttpResponse ok_response = 3; - } - - // Optional response metadata that will be emitted as dynamic metadata to be consumed by the next - // filter. This metadata lives in a namespace specified by the canonical name of extension filter - // that requires it: - // - // - :ref:`envoy.filters.http.ext_authz ` for HTTP filter. - // - :ref:`envoy.filters.network.ext_authz ` for network filter. - google.protobuf.Struct dynamic_metadata = 4; -} diff --git a/api/envoy/service/discovery/v4alpha/BUILD b/api/envoy/service/discovery/v4alpha/BUILD deleted file mode 100644 index 2de065dc5b39..000000000000 --- a/api/envoy/service/discovery/v4alpha/BUILD +++ /dev/null 
@@ -1,14 +0,0 @@ -# DO NOT EDIT. This file is generated by tools/proto_format/proto_sync.py. - -load("@envoy_api//bazel:api_build_system.bzl", "api_proto_package") - -licenses(["notice"]) # Apache 2 - -api_proto_package( - has_services = True, - deps = [ - "//envoy/config/core/v4alpha:pkg", - "//envoy/service/discovery/v3:pkg", - "@com_github_cncf_udpa//udpa/annotations:pkg", - ], -) diff --git a/api/envoy/service/discovery/v4alpha/ads.proto b/api/envoy/service/discovery/v4alpha/ads.proto deleted file mode 100644 index 41435811bd17..000000000000 --- a/api/envoy/service/discovery/v4alpha/ads.proto +++ /dev/null 
@@ -1,44 +0,0 @@ -syntax = "proto3"; - -package envoy.service.discovery.v4alpha; - -import "envoy/service/discovery/v4alpha/discovery.proto"; - -import "udpa/annotations/status.proto"; -import "udpa/annotations/versioning.proto"; - -option java_package = "io.envoyproxy.envoy.service.discovery.v4alpha"; -option java_outer_classname = "AdsProto"; -option java_multiple_files = true; -option java_generic_services = true; -option (udpa.annotations.file_status).package_version_status = NEXT_MAJOR_VERSION_CANDIDATE; - -// [#protodoc-title: Aggregated Discovery Service (ADS)] - -// [#not-implemented-hide:] Discovery services for endpoints, clusters, routes, -// and listeners are retained in the package `envoy.api.v2` for backwards -// compatibility with existing management servers. New development in discovery -// services should proceed in the package `envoy.service.discovery.v2`. - -// See https://github.com/lyft/envoy-api#apis for a description of the role of -// ADS and how it is intended to be used by a management server. ADS requests -// have the same structure as their singleton xDS counterparts, but can -// multiplex many resource types on a single stream. The type_url in the -// DiscoveryRequest/DiscoveryResponse provides sufficient information to recover -// the multiplexed singleton APIs at the Envoy instance and management server. -service AggregatedDiscoveryService { - // This is a gRPC-only API. - rpc StreamAggregatedResources(stream DiscoveryRequest) returns (stream DiscoveryResponse) { - } - - rpc DeltaAggregatedResources(stream DeltaDiscoveryRequest) - returns (stream DeltaDiscoveryResponse) { - } -} - -// [#not-implemented-hide:] Not configuration. Workaround c++ protobuf issue with importing -// services: https://github.com/google/protobuf/issues/4221 -message AdsDummy { - option (udpa.annotations.versioning).previous_message_type = - "envoy.service.discovery.v3.AdsDummy"; -} 
diff --git a/api/envoy/service/discovery/v4alpha/discovery.proto b/api/envoy/service/discovery/v4alpha/discovery.proto deleted file mode 100644 index bf8d48fc7a37..000000000000 --- a/api/envoy/service/discovery/v4alpha/discovery.proto +++ /dev/null 
@@ -1,286 +0,0 @@ -syntax = "proto3"; - -package envoy.service.discovery.v4alpha; - -import "envoy/config/core/v4alpha/base.proto"; - -import "google/protobuf/any.proto"; -import "google/protobuf/duration.proto"; -import "google/rpc/status.proto"; - -import "udpa/annotations/status.proto"; -import "udpa/annotations/versioning.proto"; - -option java_package = "io.envoyproxy.envoy.service.discovery.v4alpha"; -option java_outer_classname = "DiscoveryProto"; -option java_multiple_files = true; -option (udpa.annotations.file_status).package_version_status = NEXT_MAJOR_VERSION_CANDIDATE; - -// [#protodoc-title: Common discovery API components] - -// A DiscoveryRequest requests a set of versioned resources of the same type for -// a given Envoy node on some API. -// [#next-free-field: 7] -message DiscoveryRequest { - option (udpa.annotations.versioning).previous_message_type = - "envoy.service.discovery.v3.DiscoveryRequest"; - - // The version_info provided in the request messages will be the version_info - // received with the most recent successfully processed response or empty on - // the first request. It is expected that no new request is sent after a - // response is received until the Envoy instance is ready to ACK/NACK the new - // configuration. ACK/NACK takes place by returning the new API config version - // as applied or the previous API config version respectively. Each type_url - // (see below) has an independent version associated with it. - string version_info = 1; - - // The node making the request. - config.core.v4alpha.Node node = 2; - - // List of resources to subscribe to, e.g. list of cluster names or a route - // configuration name. If this is empty, all resources for the API are - // returned. LDS/CDS may have empty resource_names, which will cause all - // resources for the Envoy instance to be returned. 
The LDS and CDS responses - // will then imply a number of resources that need to be fetched via EDS/RDS, - // which will be explicitly enumerated in resource_names. - repeated string resource_names = 3; - - // Type of the resource that is being requested, e.g. - // "type.googleapis.com/envoy.api.v2.ClusterLoadAssignment". This is implicit - // in requests made via singleton xDS APIs such as CDS, LDS, etc. but is - // required for ADS. - string type_url = 4; - - // nonce corresponding to DiscoveryResponse being ACK/NACKed. See above - // discussion on version_info and the DiscoveryResponse nonce comment. This - // may be empty only if 1) this is a non-persistent-stream xDS such as HTTP, - // or 2) the client has not yet accepted an update in this xDS stream (unlike - // delta, where it is populated only for new explicit ACKs). - string response_nonce = 5; - - // This is populated when the previous :ref:`DiscoveryResponse ` - // failed to update configuration. The *message* field in *error_details* provides the Envoy - // internal exception related to the failure. It is only intended for consumption during manual - // debugging, the string provided is not guaranteed to be stable across Envoy versions. - google.rpc.Status error_detail = 6; -} - -// [#next-free-field: 7] -message DiscoveryResponse { - option (udpa.annotations.versioning).previous_message_type = - "envoy.service.discovery.v3.DiscoveryResponse"; - - // The version of the response data. - string version_info = 1; - - // The response resources. These resources are typed and depend on the API being called. - repeated google.protobuf.Any resources = 2; - - // [#not-implemented-hide:] - // Canary is used to support two Envoy command line flags: - // - // * --terminate-on-canary-transition-failure. When set, Envoy is able to - // terminate if it detects that configuration is stuck at canary. Consider - // this example sequence of updates: - // - Management server applies a canary config successfully. 
- // - Management server rolls back to a production config. - // - Envoy rejects the new production config. - // Since there is no sensible way to continue receiving configuration - // updates, Envoy will then terminate and apply production config from a - // clean slate. - // * --dry-run-canary. When set, a canary response will never be applied, only - // validated via a dry run. - bool canary = 3; - - // Type URL for resources. Identifies the xDS API when muxing over ADS. - // Must be consistent with the type_url in the 'resources' repeated Any (if non-empty). - string type_url = 4; - - // For gRPC based subscriptions, the nonce provides a way to explicitly ack a - // specific DiscoveryResponse in a following DiscoveryRequest. Additional - // messages may have been sent by Envoy to the management server for the - // previous version on the stream prior to this DiscoveryResponse, that were - // unprocessed at response send time. The nonce allows the management server - // to ignore any further DiscoveryRequests for the previous version until a - // DiscoveryRequest bearing the nonce. The nonce is optional and is not - // required for non-stream based xDS implementations. - string nonce = 5; - - // The control plane instance that sent the response. - config.core.v4alpha.ControlPlane control_plane = 6; -} - -// DeltaDiscoveryRequest and DeltaDiscoveryResponse are used in a new gRPC -// endpoint for Delta xDS. -// -// With Delta xDS, the DeltaDiscoveryResponses do not need to include a full -// snapshot of the tracked resources. Instead, DeltaDiscoveryResponses are a -// diff to the state of a xDS client. -// In Delta XDS there are per-resource versions, which allow tracking state at -// the resource granularity. -// An xDS Delta session is always in the context of a gRPC bidirectional -// stream. This allows the xDS server to keep track of the state of xDS clients -// connected to it. 
-// -// In Delta xDS the nonce field is required and used to pair -// DeltaDiscoveryResponse to a DeltaDiscoveryRequest ACK or NACK. -// Optionally, a response message level system_version_info is present for -// debugging purposes only. -// -// DeltaDiscoveryRequest plays two independent roles. Any DeltaDiscoveryRequest -// can be either or both of: [1] informing the server of what resources the -// client has gained/lost interest in (using resource_names_subscribe and -// resource_names_unsubscribe), or [2] (N)ACKing an earlier resource update from -// the server (using response_nonce, with presence of error_detail making it a NACK). -// Additionally, the first message (for a given type_url) of a reconnected gRPC stream -// has a third role: informing the server of the resources (and their versions) -// that the client already possesses, using the initial_resource_versions field. -// -// As with state-of-the-world, when multiple resource types are multiplexed (ADS), -// all requests/acknowledgments/updates are logically walled off by type_url: -// a Cluster ACK exists in a completely separate world from a prior Route NACK. -// In particular, initial_resource_versions being sent at the "start" of every -// gRPC stream actually entails a message for each type_url, each with its own -// initial_resource_versions. -// [#next-free-field: 8] -message DeltaDiscoveryRequest { - option (udpa.annotations.versioning).previous_message_type = - "envoy.service.discovery.v3.DeltaDiscoveryRequest"; - - // The node making the request. - config.core.v4alpha.Node node = 1; - - // Type of the resource that is being requested, e.g. - // "type.googleapis.com/envoy.api.v2.ClusterLoadAssignment". This does not need to be set if - // resources are only referenced via *xds_resource_subscribe* and - // *xds_resources_unsubscribe*. 
- string type_url = 2; - - // DeltaDiscoveryRequests allow the client to add or remove individual - // resources to the set of tracked resources in the context of a stream. - // All resource names in the resource_names_subscribe list are added to the - // set of tracked resources and all resource names in the resource_names_unsubscribe - // list are removed from the set of tracked resources. - // - // *Unlike* state-of-the-world xDS, an empty resource_names_subscribe or - // resource_names_unsubscribe list simply means that no resources are to be - // added or removed to the resource list. - // *Like* state-of-the-world xDS, the server must send updates for all tracked - // resources, but can also send updates for resources the client has not subscribed to. - // - // NOTE: the server must respond with all resources listed in resource_names_subscribe, - // even if it believes the client has the most recent version of them. The reason: - // the client may have dropped them, but then regained interest before it had a chance - // to send the unsubscribe message. See DeltaSubscriptionStateTest.RemoveThenAdd. - // - // These two fields can be set in any DeltaDiscoveryRequest, including ACKs - // and initial_resource_versions. - // - // A list of Resource names to add to the list of tracked resources. - repeated string resource_names_subscribe = 3; - - // A list of Resource names to remove from the list of tracked resources. - repeated string resource_names_unsubscribe = 4; - - // Informs the server of the versions of the resources the xDS client knows of, to enable the - // client to continue the same logical xDS session even in the face of gRPC stream reconnection. - // It will not be populated: [1] in the very first stream of a session, since the client will - // not yet have any resources, [2] in any message after the first in a stream (for a given - // type_url), since the server will already be correctly tracking the client's state. 
- // (In ADS, the first message *of each type_url* of a reconnected stream populates this map.) - // The map's keys are names of xDS resources known to the xDS client. - // The map's values are opaque resource versions. - map initial_resource_versions = 5; - - // When the DeltaDiscoveryRequest is a ACK or NACK message in response - // to a previous DeltaDiscoveryResponse, the response_nonce must be the - // nonce in the DeltaDiscoveryResponse. - // Otherwise (unlike in DiscoveryRequest) response_nonce must be omitted. - string response_nonce = 6; - - // This is populated when the previous :ref:`DiscoveryResponse ` - // failed to update configuration. The *message* field in *error_details* - // provides the Envoy internal exception related to the failure. - google.rpc.Status error_detail = 7; -} - -// [#next-free-field: 8] -message DeltaDiscoveryResponse { - option (udpa.annotations.versioning).previous_message_type = - "envoy.service.discovery.v3.DeltaDiscoveryResponse"; - - // The version of the response data (used for debugging). - string system_version_info = 1; - - // The response resources. These are typed resources, whose types must match - // the type_url field. - repeated Resource resources = 2; - - // field id 3 IS available! - - // Type URL for resources. Identifies the xDS API when muxing over ADS. - // Must be consistent with the type_url in the Any within 'resources' if 'resources' is non-empty. - string type_url = 4; - - // Resources names of resources that have be deleted and to be removed from the xDS Client. - // Removed resources for missing resources can be ignored. - repeated string removed_resources = 6; - - // The nonce provides a way for DeltaDiscoveryRequests to uniquely - // reference a DeltaDiscoveryResponse when (N)ACKing. The nonce is required. - string nonce = 5; - - // [#not-implemented-hide:] - // The control plane instance that sent the response. 
- config.core.v4alpha.ControlPlane control_plane = 7; -} - -// [#next-free-field: 8] -message Resource { - option (udpa.annotations.versioning).previous_message_type = - "envoy.service.discovery.v3.Resource"; - - // Cache control properties for the resource. - // [#not-implemented-hide:] - message CacheControl { - option (udpa.annotations.versioning).previous_message_type = - "envoy.service.discovery.v3.Resource.CacheControl"; - - // If true, xDS proxies may not cache this resource. - // Note that this does not apply to clients other than xDS proxies, which must cache resources - // for their own use, regardless of the value of this field. - bool do_not_cache = 1; - } - - // The resource's name, to distinguish it from others of the same type of resource. - string name = 3; - - // The aliases are a list of other names that this resource can go by. - repeated string aliases = 4; - - // The resource level version. It allows xDS to track the state of individual - // resources. - string version = 1; - - // The resource being tracked. - google.protobuf.Any resource = 2; - - // Time-to-live value for the resource. For each resource, a timer is started. The timer is - // reset each time the resource is received with a new TTL. If the resource is received with - // no TTL set, the timer is removed for the resource. Upon expiration of the timer, the - // configuration for the resource will be removed. - // - // The TTL can be refreshed or changed by sending a response that doesn't change the resource - // version. In this case the resource field does not need to be populated, which allows for - // light-weight "heartbeat" updates to keep a resource with a TTL alive. - // - // The TTL feature is meant to support configurations that should be removed in the event of - // a management server failure. 
For example, the feature may be used for fault injection - // testing where the fault injection should be terminated in the event that Envoy loses contact - // with the management server. - google.protobuf.Duration ttl = 6; - - // Cache control properties for the resource. - // [#not-implemented-hide:] - CacheControl cache_control = 7; -} diff --git a/api/envoy/service/event_reporting/v4alpha/BUILD b/api/envoy/service/event_reporting/v4alpha/BUILD deleted file mode 100644 index 7f342132a86d..000000000000 --- a/api/envoy/service/event_reporting/v4alpha/BUILD +++ /dev/null @@ -1,14 +0,0 @@ -# DO NOT EDIT. This file is generated by tools/proto_format/proto_sync.py. - -load("@envoy_api//bazel:api_build_system.bzl", "api_proto_package") - -licenses(["notice"]) # Apache 2 - -api_proto_package( - has_services = True, - deps = [ - "//envoy/config/core/v4alpha:pkg", - "//envoy/service/event_reporting/v3:pkg", - "@com_github_cncf_udpa//udpa/annotations:pkg", - ], -) diff --git a/api/envoy/service/event_reporting/v4alpha/event_reporting_service.proto b/api/envoy/service/event_reporting/v4alpha/event_reporting_service.proto deleted file mode 100644 index 6bff2a09c25b..000000000000 --- a/api/envoy/service/event_reporting/v4alpha/event_reporting_service.proto +++ /dev/null 
@@ -1,69 +0,0 @@ -syntax = "proto3"; - -package envoy.service.event_reporting.v4alpha; - -import "envoy/config/core/v4alpha/base.proto"; - -import "google/protobuf/any.proto"; - -import "udpa/annotations/status.proto"; -import "udpa/annotations/versioning.proto"; -import "validate/validate.proto"; - -option java_package = "io.envoyproxy.envoy.service.event_reporting.v4alpha"; -option java_outer_classname = "EventReportingServiceProto"; -option java_multiple_files = true; -option java_generic_services = true; -option (udpa.annotations.file_status).package_version_status = NEXT_MAJOR_VERSION_CANDIDATE; - -// [#protodoc-title: gRPC Event Reporting Service] - -// [#not-implemented-hide:] -// Service for streaming different types of events from Envoy to a server. The examples of -// such events may be health check or outlier detection events. -service EventReportingService { - // Envoy will connect and send StreamEventsRequest messages forever. - // The management server may send StreamEventsResponse to configure event stream. See below. - // This API is designed for high throughput with the expectation that it might be lossy. - rpc StreamEvents(stream StreamEventsRequest) returns (stream StreamEventsResponse) { - } -} - -// [#not-implemented-hide:] -// An events envoy sends to the management server. -message StreamEventsRequest { - option (udpa.annotations.versioning).previous_message_type = - "envoy.service.event_reporting.v3.StreamEventsRequest"; - - message Identifier { - option (udpa.annotations.versioning).previous_message_type = - "envoy.service.event_reporting.v3.StreamEventsRequest.Identifier"; - - // The node sending the event messages over the stream. - config.core.v4alpha.Node node = 1 [(validate.rules).message = {required: true}]; - } - - // Identifier data that will only be sent in the first message on the stream. This is effectively - // structured metadata and is a performance optimization. - Identifier identifier = 1; - - // Batch of events. 
When the stream is already active, it will be the events occurred - // since the last message had been sent. If the server receives unknown event type, it should - // silently ignore it. - // - // The following events are supported: - // - // * :ref:`HealthCheckEvent ` - // * :ref:`OutlierDetectionEvent ` - repeated google.protobuf.Any events = 2 [(validate.rules).repeated = {min_items: 1}]; -} - -// [#not-implemented-hide:] -// The management server may send envoy a StreamEventsResponse to tell which events the server -// is interested in. In future, with aggregated event reporting service, this message will -// contain, for example, clusters the envoy should send events for, or event types the server -// wants to process. -message StreamEventsResponse { - option (udpa.annotations.versioning).previous_message_type = - "envoy.service.event_reporting.v3.StreamEventsResponse"; -} diff --git a/api/envoy/service/health/v4alpha/BUILD b/api/envoy/service/health/v4alpha/BUILD deleted file mode 100644 index ed1ef41e9400..000000000000 --- a/api/envoy/service/health/v4alpha/BUILD +++ /dev/null @@ -1,16 +0,0 @@ -# DO NOT EDIT. This file is generated by tools/proto_format/proto_sync.py. - -load("@envoy_api//bazel:api_build_system.bzl", "api_proto_package") - -licenses(["notice"]) # Apache 2 - -api_proto_package( - has_services = True, - deps = [ - "//envoy/config/cluster/v4alpha:pkg", - "//envoy/config/core/v4alpha:pkg", - "//envoy/config/endpoint/v4alpha:pkg", - "//envoy/service/health/v3:pkg", - "@com_github_cncf_udpa//udpa/annotations:pkg", - ], -) diff --git a/api/envoy/service/health/v4alpha/hds.proto b/api/envoy/service/health/v4alpha/hds.proto deleted file mode 100644 index 3677ed3bbbfb..000000000000 --- a/api/envoy/service/health/v4alpha/hds.proto +++ /dev/null 
@@ -1,198 +0,0 @@ -syntax = "proto3"; - -package envoy.service.health.v4alpha; - -import "envoy/config/cluster/v4alpha/cluster.proto"; -import "envoy/config/core/v4alpha/base.proto"; -import "envoy/config/core/v4alpha/health_check.proto"; -import "envoy/config/endpoint/v4alpha/endpoint_components.proto"; - -import "google/api/annotations.proto"; -import "google/protobuf/duration.proto"; - -import "udpa/annotations/status.proto"; -import "udpa/annotations/versioning.proto"; - -option java_package = "io.envoyproxy.envoy.service.health.v4alpha"; -option java_outer_classname = "HdsProto"; -option java_multiple_files = true; -option java_generic_services = true; -option (udpa.annotations.file_status).package_version_status = NEXT_MAJOR_VERSION_CANDIDATE; - -// [#protodoc-title: Health Discovery Service (HDS)] - -// HDS is Health Discovery Service. It compliments Envoy’s health checking -// service by designating this Envoy to be a healthchecker for a subset of hosts -// in the cluster. The status of these health checks will be reported to the -// management server, where it can be aggregated etc and redistributed back to -// Envoy through EDS. -service HealthDiscoveryService { - // 1. Envoy starts up and if its can_healthcheck option in the static - // bootstrap config is enabled, sends HealthCheckRequest to the management - // server. It supplies its capabilities (which protocol it can health check - // with, what zone it resides in, etc.). - // 2. In response to (1), the management server designates this Envoy as a - // healthchecker to health check a subset of all upstream hosts for a given - // cluster (for example upstream Host 1 and Host 2). It streams - // HealthCheckSpecifier messages with cluster related configuration for all - // clusters this Envoy is designated to health check. Subsequent - // HealthCheckSpecifier message will be sent on changes to: - // a. Endpoints to health checks - // b. Per cluster configuration change - // 3. 
Envoy creates a health probe based on the HealthCheck config and sends - // it to endpoint(ip:port) of Host 1 and 2. Based on the HealthCheck - // configuration Envoy waits upon the arrival of the probe response and - // looks at the content of the response to decide whether the endpoint is - // healthy or not. If a response hasn't been received within the timeout - // interval, the endpoint health status is considered TIMEOUT. - // 4. Envoy reports results back in an EndpointHealthResponse message. - // Envoy streams responses as often as the interval configured by the - // management server in HealthCheckSpecifier. - // 5. The management Server collects health statuses for all endpoints in the - // cluster (for all clusters) and uses this information to construct - // EndpointDiscoveryResponse messages. - // 6. Once Envoy has a list of upstream endpoints to send traffic to, it load - // balances traffic to them without additional health checking. It may - // use inline healthcheck (i.e. consider endpoint UNHEALTHY if connection - // failed to a particular endpoint to account for health status propagation - // delay between HDS and EDS). - // By default, can_healthcheck is true. If can_healthcheck is false, Cluster - // configuration may not contain HealthCheck message. - // TODO(htuch): How is can_healthcheck communicated to CDS to ensure the above - // invariant? - // TODO(htuch): Add @amb67's diagram. - rpc StreamHealthCheck(stream HealthCheckRequestOrEndpointHealthResponse) - returns (stream HealthCheckSpecifier) { - } - - // TODO(htuch): Unlike the gRPC version, there is no stream-based binding of - // request/response. Should we add an identifier to the HealthCheckSpecifier - // to bind with the response? 
- rpc FetchHealthCheck(HealthCheckRequestOrEndpointHealthResponse) returns (HealthCheckSpecifier) { - option (google.api.http).post = "/v3/discovery:health_check"; - option (google.api.http).body = "*"; - } -} - -// Defines supported protocols etc, so the management server can assign proper -// endpoints to healthcheck. -message Capability { - option (udpa.annotations.versioning).previous_message_type = "envoy.service.health.v3.Capability"; - - // Different Envoy instances may have different capabilities (e.g. Redis) - // and/or have ports enabled for different protocols. - enum Protocol { - HTTP = 0; - TCP = 1; - REDIS = 2; - } - - repeated Protocol health_check_protocols = 1; -} - -message HealthCheckRequest { - option (udpa.annotations.versioning).previous_message_type = - "envoy.service.health.v3.HealthCheckRequest"; - - config.core.v4alpha.Node node = 1; - - Capability capability = 2; -} - -message EndpointHealth { - option (udpa.annotations.versioning).previous_message_type = - "envoy.service.health.v3.EndpointHealth"; - - config.endpoint.v4alpha.Endpoint endpoint = 1; - - config.core.v4alpha.HealthStatus health_status = 2; -} - -// Group endpoint health by locality under each cluster. -message LocalityEndpointsHealth { - option (udpa.annotations.versioning).previous_message_type = - "envoy.service.health.v3.LocalityEndpointsHealth"; - - config.core.v4alpha.Locality locality = 1; - - repeated EndpointHealth endpoints_health = 2; -} - -// The health status of endpoints in a cluster. The cluster name and locality -// should match the corresponding fields in ClusterHealthCheck message. 
-message ClusterEndpointsHealth { - option (udpa.annotations.versioning).previous_message_type = - "envoy.service.health.v3.ClusterEndpointsHealth"; - - string cluster_name = 1; - - repeated LocalityEndpointsHealth locality_endpoints_health = 2; -} - -message EndpointHealthResponse { - option (udpa.annotations.versioning).previous_message_type = - "envoy.service.health.v3.EndpointHealthResponse"; - - reserved 1; - - reserved "endpoints_health"; - - // Organize Endpoint health information by cluster. - repeated ClusterEndpointsHealth cluster_endpoints_health = 2; -} - -message HealthCheckRequestOrEndpointHealthResponse { - option (udpa.annotations.versioning).previous_message_type = - "envoy.service.health.v3.HealthCheckRequestOrEndpointHealthResponse"; - - oneof request_type { - HealthCheckRequest health_check_request = 1; - - EndpointHealthResponse endpoint_health_response = 2; - } -} - -message LocalityEndpoints { - option (udpa.annotations.versioning).previous_message_type = - "envoy.service.health.v3.LocalityEndpoints"; - - config.core.v4alpha.Locality locality = 1; - - repeated config.endpoint.v4alpha.Endpoint endpoints = 2; -} - -// The cluster name and locality is provided to Envoy for the endpoints that it -// health checks to support statistics reporting, logging and debugging by the -// Envoy instance (outside of HDS). For maximum usefulness, it should match the -// same cluster structure as that provided by EDS. -message ClusterHealthCheck { - option (udpa.annotations.versioning).previous_message_type = - "envoy.service.health.v3.ClusterHealthCheck"; - - string cluster_name = 1; - - repeated config.core.v4alpha.HealthCheck health_checks = 2; - - repeated LocalityEndpoints locality_endpoints = 3; - - // Optional map that gets filtered by :ref:`health_checks.transport_socket_match_criteria ` - // on connection when health checking. For more details, see - // :ref:`config.cluster.v3.Cluster.transport_socket_matches `. 
- repeated config.cluster.v4alpha.Cluster.TransportSocketMatch transport_socket_matches = 4; -} - -message HealthCheckSpecifier { - option (udpa.annotations.versioning).previous_message_type = - "envoy.service.health.v3.HealthCheckSpecifier"; - - repeated ClusterHealthCheck cluster_health_checks = 1; - - // The default is 1 second. - google.protobuf.Duration interval = 2; -} - -// [#not-implemented-hide:] Not configuration. Workaround c++ protobuf issue with importing -// services: https://github.com/google/protobuf/issues/4221 and protoxform to upgrade the file. -message HdsDummy { - option (udpa.annotations.versioning).previous_message_type = "envoy.service.health.v3.HdsDummy"; -} diff --git a/api/envoy/service/load_stats/v4alpha/BUILD b/api/envoy/service/load_stats/v4alpha/BUILD deleted file mode 100644 index 870673013a0e..000000000000 --- a/api/envoy/service/load_stats/v4alpha/BUILD +++ /dev/null @@ -1,15 +0,0 @@ -# DO NOT EDIT. This file is generated by tools/proto_format/proto_sync.py. - -load("@envoy_api//bazel:api_build_system.bzl", "api_proto_package") - -licenses(["notice"]) # Apache 2 - -api_proto_package( - has_services = True, - deps = [ - "//envoy/config/core/v4alpha:pkg", - "//envoy/config/endpoint/v4alpha:pkg", - "//envoy/service/load_stats/v3:pkg", - "@com_github_cncf_udpa//udpa/annotations:pkg", - ], -) diff --git a/api/envoy/service/load_stats/v4alpha/lrs.proto b/api/envoy/service/load_stats/v4alpha/lrs.proto deleted file mode 100644 index 86bbe1318633..000000000000 --- a/api/envoy/service/load_stats/v4alpha/lrs.proto +++ /dev/null 
@@ -1,102 +0,0 @@ -syntax = "proto3"; - -package envoy.service.load_stats.v4alpha; - -import "envoy/config/core/v4alpha/base.proto"; -import "envoy/config/endpoint/v4alpha/load_report.proto"; - -import "google/protobuf/duration.proto"; - -import "udpa/annotations/status.proto"; -import "udpa/annotations/versioning.proto"; - -option java_package = "io.envoyproxy.envoy.service.load_stats.v4alpha"; -option java_outer_classname = "LrsProto"; -option java_multiple_files = true; -option java_generic_services = true; -option (udpa.annotations.file_status).package_version_status = NEXT_MAJOR_VERSION_CANDIDATE; - -// [#protodoc-title: Load Reporting service (LRS)] - -// Load Reporting Service is an Envoy API to emit load reports. Envoy will initiate a bi-directional -// stream with a management server. Upon connecting, the management server can send a -// :ref:`LoadStatsResponse ` to a node it is -// interested in getting the load reports for. Envoy in this node will start sending -// :ref:`LoadStatsRequest `. This is done periodically -// based on the :ref:`load reporting interval ` -// For details, take a look at the :ref:`Load Reporting Service sandbox example `. - -service LoadReportingService { - // Advanced API to allow for multi-dimensional load balancing by remote - // server. For receiving LB assignments, the steps are: - // 1, The management server is configured with per cluster/zone/load metric - // capacity configuration. The capacity configuration definition is - // outside of the scope of this document. - // 2. Envoy issues a standard {Stream,Fetch}Endpoints request for the clusters - // to balance. - // - // Independently, Envoy will initiate a StreamLoadStats bidi stream with a - // management server: - // 1. Once a connection establishes, the management server publishes a - // LoadStatsResponse for all clusters it is interested in learning load - // stats about. - // 2. 
For each cluster, Envoy load balances incoming traffic to upstream hosts - // based on per-zone weights and/or per-instance weights (if specified) - // based on intra-zone LbPolicy. This information comes from the above - // {Stream,Fetch}Endpoints. - // 3. When upstream hosts reply, they optionally add header with ASCII representation of EndpointLoadMetricStats. - // 4. Envoy aggregates load reports over the period of time given to it in - // LoadStatsResponse.load_reporting_interval. This includes aggregation - // stats Envoy maintains by itself (total_requests, rpc_errors etc.) as - // well as load metrics from upstream hosts. - // 5. When the timer of load_reporting_interval expires, Envoy sends new - // LoadStatsRequest filled with load reports for each cluster. - // 6. The management server uses the load reports from all reported Envoys - // from around the world, computes global assignment and prepares traffic - // assignment destined for each zone Envoys are located in. Goto 2. - rpc StreamLoadStats(stream LoadStatsRequest) returns (stream LoadStatsResponse) { - } -} - -// A load report Envoy sends to the management server. -message LoadStatsRequest { - option (udpa.annotations.versioning).previous_message_type = - "envoy.service.load_stats.v3.LoadStatsRequest"; - - // Node identifier for Envoy instance. - config.core.v4alpha.Node node = 1; - - // A list of load stats to report. - repeated config.endpoint.v4alpha.ClusterStats cluster_stats = 2; -} - -// The management server sends envoy a LoadStatsResponse with all clusters it -// is interested in learning load stats about. -message LoadStatsResponse { - option (udpa.annotations.versioning).previous_message_type = - "envoy.service.load_stats.v3.LoadStatsResponse"; - - // Clusters to report stats for. - // Not populated if *send_all_clusters* is true. - repeated string clusters = 1; - - // If true, the client should send all clusters it knows about. 
- // Only clients that advertise the "envoy.lrs.supports_send_all_clusters" capability in their - // :ref:`client_features` field will honor this field. - bool send_all_clusters = 4; - - // The minimum interval of time to collect stats over. This is only a minimum for two reasons: - // - // 1. There may be some delay from when the timer fires until stats sampling occurs. - // 2. For clusters that were already feature in the previous *LoadStatsResponse*, any traffic - // that is observed in between the corresponding previous *LoadStatsRequest* and this - // *LoadStatsResponse* will also be accumulated and billed to the cluster. This avoids a period - // of inobservability that might otherwise exists between the messages. New clusters are not - // subject to this consideration. - google.protobuf.Duration load_reporting_interval = 2; - - // Set to *true* if the management server supports endpoint granularity - // report. - bool report_endpoint_granularity = 3; -} diff --git a/api/envoy/service/metrics/v4alpha/BUILD b/api/envoy/service/metrics/v4alpha/BUILD deleted file mode 100644 index 285d31cf31d4..000000000000 --- a/api/envoy/service/metrics/v4alpha/BUILD +++ /dev/null @@ -1,15 +0,0 @@ -# DO NOT EDIT. This file is generated by tools/proto_format/proto_sync.py. - -load("@envoy_api//bazel:api_build_system.bzl", "api_proto_package") - -licenses(["notice"]) # Apache 2 - -api_proto_package( - has_services = True, - deps = [ - "//envoy/config/core/v4alpha:pkg", - "//envoy/service/metrics/v3:pkg", - "@com_github_cncf_udpa//udpa/annotations:pkg", - "@prometheus_metrics_model//:client_model", - ], -) diff --git a/api/envoy/service/metrics/v4alpha/metrics_service.proto b/api/envoy/service/metrics/v4alpha/metrics_service.proto deleted file mode 100644 index 5e1412f103e9..000000000000 --- a/api/envoy/service/metrics/v4alpha/metrics_service.proto +++ /dev/null 
@@ -1,53 +0,0 @@ -syntax = "proto3"; - -package envoy.service.metrics.v4alpha; - -import "envoy/config/core/v4alpha/base.proto"; - -import "io/prometheus/client/metrics.proto"; - -import "udpa/annotations/status.proto"; -import "udpa/annotations/versioning.proto"; -import "validate/validate.proto"; - -option java_package = "io.envoyproxy.envoy.service.metrics.v4alpha"; -option java_outer_classname = "MetricsServiceProto"; -option java_multiple_files = true; -option java_generic_services = true; -option (udpa.annotations.file_status).package_version_status = NEXT_MAJOR_VERSION_CANDIDATE; - -// [#protodoc-title: Metrics service] - -// Service for streaming metrics to server that consumes the metrics data. It uses Prometheus metric -// data model as a standard to represent metrics information. -service MetricsService { - // Envoy will connect and send StreamMetricsMessage messages forever. It does not expect any - // response to be sent as nothing would be done in the case of failure. - rpc StreamMetrics(stream StreamMetricsMessage) returns (StreamMetricsResponse) { - } -} - -message StreamMetricsResponse { - option (udpa.annotations.versioning).previous_message_type = - "envoy.service.metrics.v3.StreamMetricsResponse"; -} - -message StreamMetricsMessage { - option (udpa.annotations.versioning).previous_message_type = - "envoy.service.metrics.v3.StreamMetricsMessage"; - - message Identifier { - option (udpa.annotations.versioning).previous_message_type = - "envoy.service.metrics.v3.StreamMetricsMessage.Identifier"; - - // The node sending metrics over the stream. - config.core.v4alpha.Node node = 1 [(validate.rules).message = {required: true}]; - } - - // Identifier data effectively is a structured metadata. As a performance optimization this will - // only be sent in the first message on the stream. - Identifier identifier = 1; - - // A list of metric entries - repeated io.prometheus.client.MetricFamily envoy_metrics = 2; -} 
diff --git a/api/envoy/service/status/v4alpha/BUILD b/api/envoy/service/status/v4alpha/BUILD deleted file mode 100644 index ddcf51e3b265..000000000000 --- a/api/envoy/service/status/v4alpha/BUILD +++ /dev/null @@ -1,16 +0,0 @@ -# DO NOT EDIT. This file is generated by tools/proto_format/proto_sync.py. - -load("@envoy_api//bazel:api_build_system.bzl", "api_proto_package") - -licenses(["notice"]) # Apache 2 - -api_proto_package( - has_services = True, - deps = [ - "//envoy/admin/v4alpha:pkg", - "//envoy/config/core/v4alpha:pkg", - "//envoy/service/status/v3:pkg", - "//envoy/type/matcher/v4alpha:pkg", - "@com_github_cncf_udpa//udpa/annotations:pkg", - ], -) diff --git a/api/envoy/service/status/v4alpha/csds.proto b/api/envoy/service/status/v4alpha/csds.proto deleted file mode 100644 index 9680c6feacf7..000000000000 --- a/api/envoy/service/status/v4alpha/csds.proto +++ /dev/null 
@@ -1,185 +0,0 @@ -syntax = "proto3"; - -package envoy.service.status.v4alpha; - -import "envoy/admin/v4alpha/config_dump.proto"; -import "envoy/config/core/v4alpha/base.proto"; -import "envoy/type/matcher/v4alpha/node.proto"; - -import "google/api/annotations.proto"; -import "google/protobuf/any.proto"; -import "google/protobuf/timestamp.proto"; - -import "udpa/annotations/status.proto"; -import "udpa/annotations/versioning.proto"; - -option java_package = "io.envoyproxy.envoy.service.status.v4alpha"; -option java_outer_classname = "CsdsProto"; -option java_multiple_files = true; -option java_generic_services = true; -option (udpa.annotations.file_status).package_version_status = NEXT_MAJOR_VERSION_CANDIDATE; - -// [#protodoc-title: Client Status Discovery Service (CSDS)] - -// CSDS is Client Status Discovery Service. It can be used to get the status of -// an xDS-compliant client from the management server's point of view. It can -// also be used to get the current xDS states directly from the client. -service ClientStatusDiscoveryService { - rpc StreamClientStatus(stream ClientStatusRequest) returns (stream ClientStatusResponse) { - } - - rpc FetchClientStatus(ClientStatusRequest) returns (ClientStatusResponse) { - option (google.api.http).post = "/v3/discovery:client_status"; - option (google.api.http).body = "*"; - } -} - -// Status of a config from a management server view. -enum ConfigStatus { - // Status info is not available/unknown. - UNKNOWN = 0; - - // Management server has sent the config to client and received ACK. - SYNCED = 1; - - // Config is not sent. - NOT_SENT = 2; - - // Management server has sent the config to client but hasn’t received - // ACK/NACK. - STALE = 3; - - // Management server has sent the config to client but received NACK. The - // attached config dump will be the latest config (the rejected one), since - // it is the persisted version in the management server. - ERROR = 4; -} - -// Config status from a client-side view. 
-enum ClientConfigStatus { - // Config status is not available/unknown. - CLIENT_UNKNOWN = 0; - - // Client requested the config but hasn't received any config from management - // server yet. - CLIENT_REQUESTED = 1; - - // Client received the config and replied with ACK. - CLIENT_ACKED = 2; - - // Client received the config and replied with NACK. Notably, the attached - // config dump is not the NACKed version, but the most recent accepted one. If - // no config is accepted yet, the attached config dump will be empty. - CLIENT_NACKED = 3; -} - -// Request for client status of clients identified by a list of NodeMatchers. -message ClientStatusRequest { - option (udpa.annotations.versioning).previous_message_type = - "envoy.service.status.v3.ClientStatusRequest"; - - // Management server can use these match criteria to identify clients. - // The match follows OR semantics. - repeated type.matcher.v4alpha.NodeMatcher node_matchers = 1; - - // The node making the csds request. - config.core.v4alpha.Node node = 2; -} - -// Detailed config (per xDS) with status. -// [#next-free-field: 8] -message PerXdsConfig { - option (udpa.annotations.versioning).previous_message_type = - "envoy.service.status.v3.PerXdsConfig"; - - reserved 7; - - reserved "client_status"; - - // Config status generated by management servers. Will not be present if the - // CSDS server is an xDS client. - ConfigStatus status = 1; - - oneof per_xds_config { - admin.v4alpha.ListenersConfigDump listener_config = 2; - - admin.v4alpha.ClustersConfigDump cluster_config = 3; - - admin.v4alpha.RoutesConfigDump route_config = 4; - - admin.v4alpha.ScopedRoutesConfigDump scoped_route_config = 5; - - admin.v4alpha.EndpointsConfigDump endpoint_config = 6; - } -} - -// All xds configs for a particular client. 
-message ClientConfig { - option (udpa.annotations.versioning).previous_message_type = - "envoy.service.status.v3.ClientConfig"; - - // GenericXdsConfig is used to specify the config status and the dump - // of any xDS resource identified by their type URL. It is the generalized - // version of the now deprecated ListenersConfigDump, ClustersConfigDump etc - // [#next-free-field: 10] - message GenericXdsConfig { - option (udpa.annotations.versioning).previous_message_type = - "envoy.service.status.v3.ClientConfig.GenericXdsConfig"; - - // Type_url represents the fully qualified name of xDS resource type - // like envoy.v3.Cluster, envoy.v3.ClusterLoadAssignment etc. - string type_url = 1; - - // Name of the xDS resource - string name = 2; - - // This is the :ref:`version_info ` - // in the last processed xDS discovery response. If there are only - // static bootstrap listeners, this field will be "" - string version_info = 3; - - // The xDS resource config. Actual content depends on the type - google.protobuf.Any xds_config = 4; - - // Timestamp when the xDS resource was last updated - google.protobuf.Timestamp last_updated = 5; - - // Per xDS resource config status. It is generated by management servers. - // It will not be present if the CSDS server is an xDS client. - ConfigStatus config_status = 6; - - // Per xDS resource status from the view of a xDS client - admin.v4alpha.ClientResourceStatus client_status = 7; - - // Set if the last update failed, cleared after the next successful - // update. The *error_state* field contains the rejected version of - // this particular resource along with the reason and timestamp. For - // successfully updated or acknowledged resource, this field should - // be empty. - // [#not-implemented-hide:] - admin.v4alpha.UpdateFailureState error_state = 8; - - // Is static resource is true if it is specified in the config supplied - // through the file at the startup. 
- bool is_static_resource = 9; - } - - reserved 2; - - reserved "xds_config"; - - // Node for a particular client. - config.core.v4alpha.Node node = 1; - - // Represents generic xDS config and the exact config structure depends on - // the type URL (like Cluster if it is CDS) - repeated GenericXdsConfig generic_xds_configs = 3; -} - -message ClientStatusResponse { - option (udpa.annotations.versioning).previous_message_type = - "envoy.service.status.v3.ClientStatusResponse"; - - // Client configs for the clients specified in the ClientStatusRequest. - repeated ClientConfig config = 1; -} diff --git a/api/envoy/service/tap/v4alpha/BUILD b/api/envoy/service/tap/v4alpha/BUILD deleted file mode 100644 index cb89a6907d9a..000000000000 --- a/api/envoy/service/tap/v4alpha/BUILD +++ /dev/null @@ -1,15 +0,0 @@ -# DO NOT EDIT. This file is generated by tools/proto_format/proto_sync.py. - -load("@envoy_api//bazel:api_build_system.bzl", "api_proto_package") - -licenses(["notice"]) # Apache 2 - -api_proto_package( - has_services = True, - deps = [ - "//envoy/config/core/v4alpha:pkg", - "//envoy/data/tap/v3:pkg", - "//envoy/service/tap/v3:pkg", - "@com_github_cncf_udpa//udpa/annotations:pkg", - ], -) diff --git a/api/envoy/service/tap/v4alpha/tap.proto b/api/envoy/service/tap/v4alpha/tap.proto deleted file mode 100644 index 4ef38d1bae98..000000000000 --- a/api/envoy/service/tap/v4alpha/tap.proto +++ /dev/null 
@@ -1,64 +0,0 @@ -syntax = "proto3"; - -package envoy.service.tap.v4alpha; - -import "envoy/config/core/v4alpha/base.proto"; -import "envoy/data/tap/v3/wrapper.proto"; - -import "udpa/annotations/status.proto"; -import "udpa/annotations/versioning.proto"; -import "validate/validate.proto"; - -option java_package = "io.envoyproxy.envoy.service.tap.v4alpha"; -option java_outer_classname = "TapProto"; -option java_multiple_files = true; -option java_generic_services = true; -option (udpa.annotations.file_status).package_version_status = NEXT_MAJOR_VERSION_CANDIDATE; - -// [#protodoc-title: Tap Sink Service] - -// [#not-implemented-hide:] A tap service to receive incoming taps. Envoy will call -// StreamTaps to deliver captured taps to the server -service TapSinkService { - // Envoy will connect and send StreamTapsRequest messages forever. It does not expect any - // response to be sent as nothing would be done in the case of failure. The server should - // disconnect if it expects Envoy to reconnect. - rpc StreamTaps(stream StreamTapsRequest) returns (StreamTapsResponse) { - } -} - -// [#not-implemented-hide:] Stream message for the Tap API. Envoy will open a stream to the server -// and stream taps without ever expecting a response. -message StreamTapsRequest { - option (udpa.annotations.versioning).previous_message_type = - "envoy.service.tap.v3.StreamTapsRequest"; - - message Identifier { - option (udpa.annotations.versioning).previous_message_type = - "envoy.service.tap.v3.StreamTapsRequest.Identifier"; - - // The node sending taps over the stream. - config.core.v4alpha.Node node = 1 [(validate.rules).message = {required: true}]; - - // The opaque identifier that was set in the :ref:`output config - // `. - string tap_id = 2; - } - - // Identifier data effectively is a structured metadata. As a performance optimization this will - // only be sent in the first message on the stream. - Identifier identifier = 1; - - // The trace id. 
this can be used to merge together a streaming trace. Note that the trace_id - // is not guaranteed to be spatially or temporally unique. - uint64 trace_id = 2; - - // The trace data. - data.tap.v3.TraceWrapper trace = 3; -} - -// [#not-implemented-hide:] -message StreamTapsResponse { - option (udpa.annotations.versioning).previous_message_type = - "envoy.service.tap.v3.StreamTapsResponse"; -} diff --git a/api/envoy/service/trace/v4alpha/BUILD b/api/envoy/service/trace/v4alpha/BUILD deleted file mode 100644 index df379cbe9d5d..000000000000 --- a/api/envoy/service/trace/v4alpha/BUILD +++ /dev/null @@ -1,15 +0,0 @@ -# DO NOT EDIT. This file is generated by tools/proto_format/proto_sync.py. - -load("@envoy_api//bazel:api_build_system.bzl", "api_proto_package") - -licenses(["notice"]) # Apache 2 - -api_proto_package( - has_services = True, - deps = [ - "//envoy/config/core/v4alpha:pkg", - "//envoy/service/trace/v3:pkg", - "@com_github_cncf_udpa//udpa/annotations:pkg", - "@opencensus_proto//opencensus/proto/trace/v1:trace_proto", - ], -) diff --git a/api/envoy/service/trace/v4alpha/trace_service.proto b/api/envoy/service/trace/v4alpha/trace_service.proto deleted file mode 100644 index 4cfdbbe576df..000000000000 --- a/api/envoy/service/trace/v4alpha/trace_service.proto +++ /dev/null 
@@ -1,55 +0,0 @@ -syntax = "proto3"; - -package envoy.service.trace.v4alpha; - -import "envoy/config/core/v4alpha/base.proto"; - -import "opencensus/proto/trace/v1/trace.proto"; - -import "udpa/annotations/status.proto"; -import "udpa/annotations/versioning.proto"; -import "validate/validate.proto"; - -option java_package = "io.envoyproxy.envoy.service.trace.v4alpha"; -option java_outer_classname = "TraceServiceProto"; -option java_multiple_files = true; -option java_generic_services = true; -option (udpa.annotations.file_status).package_version_status = NEXT_MAJOR_VERSION_CANDIDATE; - -// [#protodoc-title: Trace service] - -// Service for streaming traces to server that consumes the trace data. It -// uses OpenCensus data model as a standard to represent trace information. -service TraceService { - // Envoy will connect and send StreamTracesMessage messages forever. It does - // not expect any response to be sent as nothing would be done in the case - // of failure. - rpc StreamTraces(stream StreamTracesMessage) returns (StreamTracesResponse) { - } -} - -message StreamTracesResponse { - option (udpa.annotations.versioning).previous_message_type = - "envoy.service.trace.v3.StreamTracesResponse"; -} - -message StreamTracesMessage { - option (udpa.annotations.versioning).previous_message_type = - "envoy.service.trace.v3.StreamTracesMessage"; - - message Identifier { - option (udpa.annotations.versioning).previous_message_type = - "envoy.service.trace.v3.StreamTracesMessage.Identifier"; - - // The node sending the access log messages over the stream. - config.core.v4alpha.Node node = 1 [(validate.rules).message = {required: true}]; - } - - // Identifier data effectively is a structured metadata. - // As a performance optimization this will only be sent in the first message - // on the stream. - Identifier identifier = 1; - - // A list of Span entries - repeated opencensus.proto.trace.v1.Span spans = 2; -} 
diff --git a/api/envoy/type/matcher/v4alpha/BUILD b/api/envoy/type/matcher/v4alpha/BUILD deleted file mode 100644 index 0d4a45d002ce..000000000000 --- a/api/envoy/type/matcher/v4alpha/BUILD +++ /dev/null @@ -1,13 +0,0 @@ -# DO NOT EDIT. This file is generated by tools/proto_format/proto_sync.py. - -load("@envoy_api//bazel:api_build_system.bzl", "api_proto_package") - -licenses(["notice"]) # Apache 2 - -api_proto_package( - deps = [ - "//envoy/type/matcher/v3:pkg", - "//envoy/type/v3:pkg", - "@com_github_cncf_udpa//udpa/annotations:pkg", - ], -) diff --git a/api/envoy/type/matcher/v4alpha/http_inputs.proto b/api/envoy/type/matcher/v4alpha/http_inputs.proto deleted file mode 100644 index bd7758ad53fb..000000000000 --- a/api/envoy/type/matcher/v4alpha/http_inputs.proto +++ /dev/null 
@@ -1,70 +0,0 @@ -syntax = "proto3"; - -package envoy.type.matcher.v4alpha; - -import "udpa/annotations/status.proto"; -import "udpa/annotations/versioning.proto"; -import "validate/validate.proto"; - -option java_package = "io.envoyproxy.envoy.type.matcher.v4alpha"; -option java_outer_classname = "HttpInputsProto"; -option java_multiple_files = true; -option (udpa.annotations.file_status).package_version_status = NEXT_MAJOR_VERSION_CANDIDATE; - -// [#protodoc-title: Common HTTP Inputs] - -// Match input indicates that matching should be done on a specific request header. -// The resulting input string will be all headers for the given key joined by a comma, -// e.g. if the request contains two 'foo' headers with value 'bar' and 'baz', the input -// string will be 'bar,baz'. -// [#comment:TODO(snowp): Link to unified matching docs.] -message HttpRequestHeaderMatchInput { - option (udpa.annotations.versioning).previous_message_type = - "envoy.type.matcher.v3.HttpRequestHeaderMatchInput"; - - // The request header to match on. - string header_name = 1 - [(validate.rules).string = {well_known_regex: HTTP_HEADER_NAME strict: false}]; -} - -// Match input indicates that matching should be done on a specific request trailer. -// The resulting input string will be all headers for the given key joined by a comma, -// e.g. if the request contains two 'foo' headers with value 'bar' and 'baz', the input -// string will be 'bar,baz'. -// [#comment:TODO(snowp): Link to unified matching docs.] -message HttpRequestTrailerMatchInput { - option (udpa.annotations.versioning).previous_message_type = - "envoy.type.matcher.v3.HttpRequestTrailerMatchInput"; - - // The request trailer to match on. - string header_name = 1 - [(validate.rules).string = {well_known_regex: HTTP_HEADER_NAME strict: false}]; -} - -// Match input indicating that matching should be done on a specific response header. -// The resulting input string will be all headers for the given key joined by a comma, -// e.g. 
if the response contains two 'foo' headers with value 'bar' and 'baz', the input -// string will be 'bar,baz'. -// [#comment:TODO(snowp): Link to unified matching docs.] -message HttpResponseHeaderMatchInput { - option (udpa.annotations.versioning).previous_message_type = - "envoy.type.matcher.v3.HttpResponseHeaderMatchInput"; - - // The response header to match on. - string header_name = 1 - [(validate.rules).string = {well_known_regex: HTTP_HEADER_NAME strict: false}]; -} - -// Match input indicates that matching should be done on a specific response trailer. -// The resulting input string will be all headers for the given key joined by a comma, -// e.g. if the request contains two 'foo' headers with value 'bar' and 'baz', the input -// string will be 'bar,baz'. -// [#comment:TODO(snowp): Link to unified matching docs.] -message HttpResponseTrailerMatchInput { - option (udpa.annotations.versioning).previous_message_type = - "envoy.type.matcher.v3.HttpResponseTrailerMatchInput"; - - // The response trailer to match on. - string header_name = 1 - [(validate.rules).string = {well_known_regex: HTTP_HEADER_NAME strict: false}]; -} diff --git a/api/envoy/type/matcher/v4alpha/metadata.proto b/api/envoy/type/matcher/v4alpha/metadata.proto deleted file mode 100644 index e61ba2754337..000000000000 --- a/api/envoy/type/matcher/v4alpha/metadata.proto +++ /dev/null 
@@ -1,105 +0,0 @@ -syntax = "proto3"; - -package envoy.type.matcher.v4alpha; - -import "envoy/type/matcher/v4alpha/value.proto"; - -import "udpa/annotations/status.proto"; -import "udpa/annotations/versioning.proto"; -import "validate/validate.proto"; - -option java_package = "io.envoyproxy.envoy.type.matcher.v4alpha"; -option java_outer_classname = "MetadataProto"; -option java_multiple_files = true; -option (udpa.annotations.file_status).package_version_status = NEXT_MAJOR_VERSION_CANDIDATE; - -// [#protodoc-title: Metadata matcher] - -// MetadataMatcher provides a general interface to check if a given value is matched in -// :ref:`Metadata `. It uses `filter` and `path` to retrieve the value -// from the Metadata and then check if it's matched to the specified value. -// -// For example, for the following Metadata: -// -// .. code-block:: yaml -// -// filter_metadata: -// envoy.filters.http.rbac: -// fields: -// a: -// struct_value: -// fields: -// b: -// struct_value: -// fields: -// c: -// string_value: pro -// t: -// list_value: -// values: -// - string_value: m -// - string_value: n -// -// The following MetadataMatcher is matched as the path [a, b, c] will retrieve a string value "pro" -// from the Metadata which is matched to the specified prefix match. -// -// .. code-block:: yaml -// -// filter: envoy.filters.http.rbac -// path: -// - key: a -// - key: b -// - key: c -// value: -// string_match: -// prefix: pr -// -// The following MetadataMatcher is matched as the code will match one of the string values in the -// list at the path [a, t]. -// -// .. code-block:: yaml -// -// filter: envoy.filters.http.rbac -// path: -// - key: a -// - key: t -// value: -// list_match: -// one_of: -// string_match: -// exact: m -// -// An example use of MetadataMatcher is specifying additional metadata in envoy.filters.http.rbac to -// enforce access control based on dynamic metadata in a request. See :ref:`Permission -// ` and :ref:`Principal -// `. 
- -// [#next-major-version: MetadataMatcher should use StructMatcher] -message MetadataMatcher { - option (udpa.annotations.versioning).previous_message_type = - "envoy.type.matcher.v3.MetadataMatcher"; - - // Specifies the segment in a path to retrieve value from Metadata. - // Note: Currently it's not supported to retrieve a value from a list in Metadata. This means that - // if the segment key refers to a list, it has to be the last segment in a path. - message PathSegment { - option (udpa.annotations.versioning).previous_message_type = - "envoy.type.matcher.v3.MetadataMatcher.PathSegment"; - - oneof segment { - option (validate.required) = true; - - // If specified, use the key to retrieve the value in a Struct. - string key = 1 [(validate.rules).string = {min_len: 1}]; - } - } - - // The filter name to retrieve the Struct from the Metadata. - string filter = 1 [(validate.rules).string = {min_len: 1}]; - - // The path to retrieve the Value from the Struct. - repeated PathSegment path = 2 [(validate.rules).repeated = {min_items: 1}]; - - // The MetadataMatcher is matched if the value retrieved by path is matched to this value. - ValueMatcher value = 3 [(validate.rules).message = {required: true}]; -} diff --git a/api/envoy/type/matcher/v4alpha/node.proto b/api/envoy/type/matcher/v4alpha/node.proto deleted file mode 100644 index a74bf808f05a..000000000000 --- a/api/envoy/type/matcher/v4alpha/node.proto +++ /dev/null 
@@ -1,28 +0,0 @@ -syntax = "proto3"; - -package envoy.type.matcher.v4alpha; - -import "envoy/type/matcher/v4alpha/string.proto"; -import "envoy/type/matcher/v4alpha/struct.proto"; - -import "udpa/annotations/status.proto"; -import "udpa/annotations/versioning.proto"; - -option java_package = "io.envoyproxy.envoy.type.matcher.v4alpha"; -option java_outer_classname = "NodeProto"; -option java_multiple_files = true; -option (udpa.annotations.file_status).package_version_status = NEXT_MAJOR_VERSION_CANDIDATE; - -// [#protodoc-title: Node matcher] - -// Specifies the way to match a Node. -// The match follows AND semantics. -message NodeMatcher { - option (udpa.annotations.versioning).previous_message_type = "envoy.type.matcher.v3.NodeMatcher"; - - // Specifies match criteria on the node id. - StringMatcher node_id = 1; - - // Specifies match criteria on the node metadata. - repeated StructMatcher node_metadatas = 2; -} diff --git a/api/envoy/type/matcher/v4alpha/number.proto b/api/envoy/type/matcher/v4alpha/number.proto deleted file mode 100644 index b168af19ab50..000000000000 --- a/api/envoy/type/matcher/v4alpha/number.proto +++ /dev/null 
@@ -1,33 +0,0 @@ -syntax = "proto3"; - -package envoy.type.matcher.v4alpha; - -import "envoy/type/v3/range.proto"; - -import "udpa/annotations/status.proto"; -import "udpa/annotations/versioning.proto"; -import "validate/validate.proto"; - -option java_package = "io.envoyproxy.envoy.type.matcher.v4alpha"; -option java_outer_classname = "NumberProto"; -option java_multiple_files = true; -option (udpa.annotations.file_status).package_version_status = NEXT_MAJOR_VERSION_CANDIDATE; - -// [#protodoc-title: Number matcher] - -// Specifies the way to match a double value. -message DoubleMatcher { - option (udpa.annotations.versioning).previous_message_type = - "envoy.type.matcher.v3.DoubleMatcher"; - - oneof match_pattern { - option (validate.required) = true; - - // If specified, the input double value must be in the range specified here. - // Note: The range is using half-open interval semantics [start, end). - v3.DoubleRange range = 1; - - // If specified, the input double value must be equal to the value specified here. - double exact = 2; - } -} diff --git a/api/envoy/type/matcher/v4alpha/path.proto b/api/envoy/type/matcher/v4alpha/path.proto deleted file mode 100644 index 9150939bf2ee..000000000000 --- a/api/envoy/type/matcher/v4alpha/path.proto +++ /dev/null 
@@ -1,30 +0,0 @@ -syntax = "proto3"; - -package envoy.type.matcher.v4alpha; - -import "envoy/type/matcher/v4alpha/string.proto"; - -import "udpa/annotations/status.proto"; -import "udpa/annotations/versioning.proto"; -import "validate/validate.proto"; - -option java_package = "io.envoyproxy.envoy.type.matcher.v4alpha"; -option java_outer_classname = "PathProto"; -option java_multiple_files = true; -option (udpa.annotations.file_status).package_version_status = NEXT_MAJOR_VERSION_CANDIDATE; - -// [#protodoc-title: Path matcher] - -// Specifies the way to match a path on HTTP request. -message PathMatcher { - option (udpa.annotations.versioning).previous_message_type = "envoy.type.matcher.v3.PathMatcher"; - - oneof rule { - option (validate.required) = true; - - // The `path` must match the URL path portion of the :path header. The query and fragment - // string (if present) are removed in the URL path portion. - // For example, the path */data* will match the *:path* header */data#fragment?param=value*. - StringMatcher path = 1 [(validate.rules).message = {required: true}]; - } -} diff --git a/api/envoy/type/matcher/v4alpha/regex.proto b/api/envoy/type/matcher/v4alpha/regex.proto deleted file mode 100644 index 537635ec87d0..000000000000 --- a/api/envoy/type/matcher/v4alpha/regex.proto +++ /dev/null 
@@ -1,82 +0,0 @@ -syntax = "proto3"; - -package envoy.type.matcher.v4alpha; - -import "google/protobuf/wrappers.proto"; - -import "udpa/annotations/status.proto"; -import "udpa/annotations/versioning.proto"; -import "validate/validate.proto"; - -option java_package = "io.envoyproxy.envoy.type.matcher.v4alpha"; -option java_outer_classname = "RegexProto"; -option java_multiple_files = true; -option (udpa.annotations.file_status).package_version_status = NEXT_MAJOR_VERSION_CANDIDATE; - -// [#protodoc-title: Regex matcher] - -// A regex matcher designed for safety when used with untrusted input. -message RegexMatcher { - option (udpa.annotations.versioning).previous_message_type = "envoy.type.matcher.v3.RegexMatcher"; - - // Google's `RE2 `_ regex engine. The regex string must adhere to - // the documented `syntax `_. The engine is designed - // to complete execution in linear time as well as limit the amount of memory used. - // - // Envoy supports program size checking via runtime. The runtime keys `re2.max_program_size.error_level` - // and `re2.max_program_size.warn_level` can be set to integers as the maximum program size or - // complexity that a compiled regex can have before an exception is thrown or a warning is - // logged, respectively. `re2.max_program_size.error_level` defaults to 100, and - // `re2.max_program_size.warn_level` has no default if unset (will not check/log a warning). - // - // Envoy emits two stats for tracking the program size of regexes: the histogram `re2.program_size`, - // which records the program size, and the counter `re2.exceeded_warn_level`, which is incremented - // each time the program size exceeds the warn level threshold. - message GoogleRE2 { - option (udpa.annotations.versioning).previous_message_type = - "envoy.type.matcher.v3.RegexMatcher.GoogleRE2"; - - reserved 1; - - reserved "max_program_size"; - } - - oneof engine_type { - option (validate.required) = true; - - // Google's RE2 regex engine. 
- GoogleRE2 google_re2 = 1 [(validate.rules).message = {required: true}]; - } - - // The regex match string. The string must be supported by the configured engine. - string regex = 2 [(validate.rules).string = {min_len: 1}]; -} - -// Describes how to match a string and then produce a new string using a regular -// expression and a substitution string. -message RegexMatchAndSubstitute { - option (udpa.annotations.versioning).previous_message_type = - "envoy.type.matcher.v3.RegexMatchAndSubstitute"; - - // The regular expression used to find portions of a string (hereafter called - // the "subject string") that should be replaced. When a new string is - // produced during the substitution operation, the new string is initially - // the same as the subject string, but then all matches in the subject string - // are replaced by the substitution string. If replacing all matches isn't - // desired, regular expression anchors can be used to ensure a single match, - // so as to replace just one occurrence of a pattern. Capture groups can be - // used in the pattern to extract portions of the subject string, and then - // referenced in the substitution string. - RegexMatcher pattern = 1 [(validate.rules).message = {required: true}]; - - // The string that should be substituted into matching portions of the - // subject string during a substitution operation to produce a new string. - // Capture groups in the pattern can be referenced in the substitution - // string. Note, however, that the syntax for referring to capture groups is - // defined by the chosen regular expression engine. Google's `RE2 - // `_ regular expression engine uses a - // backslash followed by the capture group number to denote a numbered - // capture group. E.g., ``\1`` refers to capture group 1, and ``\2`` refers - // to capture group 2. - string substitution = 2; -} 
diff --git a/api/envoy/type/matcher/v4alpha/string.proto b/api/envoy/type/matcher/v4alpha/string.proto
deleted file mode 100644
index f9fa48cd3195..000000000000
--- a/api/envoy/type/matcher/v4alpha/string.proto
+++ /dev/null
@@ -1,78 +0,0 @@
-syntax = "proto3";
-
-package envoy.type.matcher.v4alpha;
-
-import "envoy/type/matcher/v4alpha/regex.proto";
-
-import "udpa/annotations/status.proto";
-import "udpa/annotations/versioning.proto";
-import "validate/validate.proto";
-
-option java_package = "io.envoyproxy.envoy.type.matcher.v4alpha";
-option java_outer_classname = "StringProto";
-option java_multiple_files = true;
-option (udpa.annotations.file_status).package_version_status = NEXT_MAJOR_VERSION_CANDIDATE;
-
-// [#protodoc-title: String matcher]
-
-// Specifies the way to match a string.
-// [#next-free-field: 8]
-message StringMatcher {
- option (udpa.annotations.versioning).previous_message_type =
- "envoy.type.matcher.v3.StringMatcher";
-
- reserved 4;
-
- reserved "regex";
-
- oneof match_pattern {
- option (validate.required) = true;
-
- // The input string must match exactly the string specified here.
- //
- // Examples:
- //
- // * *abc* only matches the value *abc*.
- string exact = 1;
-
- // The input string must have the prefix specified here.
- // Note: empty prefix is not allowed, please use regex instead.
- //
- // Examples:
- //
- // * *abc* matches the value *abc.xyz*
- string prefix = 2 [(validate.rules).string = {min_len: 1}];
-
- // The input string must have the suffix specified here.
- // Note: empty prefix is not allowed, please use regex instead.
- //
- // Examples:
- //
- // * *abc* matches the value *xyz.abc*
- string suffix = 3 [(validate.rules).string = {min_len: 1}];
-
- // The input string must match the regular expression specified here.
- RegexMatcher safe_regex = 5 [(validate.rules).message = {required: true}];
-
- // The input string must have the substring specified here.
- // Note: empty contains match is not allowed, please use regex instead.
- //
- // Examples:
- //
- // * *abc* matches the value *xyz.abc.def*
- string contains = 7 [(validate.rules).string = {min_len: 1}];
- }
-
- // If true, indicates the exact/prefix/suffix/contains matching should be case insensitive. This
- // has no effect for the safe_regex match.
- // For example, the matcher *data* will match both input string *Data* and *data* if set to true.
- bool ignore_case = 6;
-}
-
-// Specifies a list of ways to match a string.
-message ListStringMatcher {
- option (udpa.annotations.versioning).previous_message_type =
- "envoy.type.matcher.v3.ListStringMatcher";
-
- repeated StringMatcher patterns = 1 [(validate.rules).repeated = {min_items: 1}];
-}
diff --git a/api/envoy/type/matcher/v4alpha/struct.proto b/api/envoy/type/matcher/v4alpha/struct.proto
deleted file mode 100644
index 328ac555bd81..000000000000
--- a/api/envoy/type/matcher/v4alpha/struct.proto
+++ /dev/null
@@ -1,91 +0,0 @@ -syntax = "proto3"; - -package envoy.type.matcher.v4alpha; - -import "envoy/type/matcher/v4alpha/value.proto"; - -import "udpa/annotations/status.proto"; -import "udpa/annotations/versioning.proto"; -import "validate/validate.proto"; - -option java_package = "io.envoyproxy.envoy.type.matcher.v4alpha"; -option java_outer_classname = "StructProto"; -option java_multiple_files = true; -option (udpa.annotations.file_status).package_version_status = NEXT_MAJOR_VERSION_CANDIDATE; - -// [#protodoc-title: Struct matcher] - -// StructMatcher provides a general interface to check if a given value is matched in -// google.protobuf.Struct. It uses `path` to retrieve the value -// from the struct and then check if it's matched to the specified value. -// -// For example, for the following Struct: -// -// .. code-block:: yaml -// -// fields: -// a: -// struct_value: -// fields: -// b: -// struct_value: -// fields: -// c: -// string_value: pro -// t: -// list_value: -// values: -// - string_value: m -// - string_value: n -// -// The following MetadataMatcher is matched as the path [a, b, c] will retrieve a string value "pro" -// from the Metadata which is matched to the specified prefix match. -// -// .. code-block:: yaml -// -// path: -// - key: a -// - key: b -// - key: c -// value: -// string_match: -// prefix: pr -// -// The following StructMatcher is matched as the code will match one of the string values in the -// list at the path [a, t]. -// -// .. code-block:: yaml -// -// path: -// - key: a -// - key: t -// value: -// list_match: -// one_of: -// string_match: -// exact: m -// -// An example use of StructMatcher is to match metadata in envoy.v*.core.Node. -message StructMatcher { - option (udpa.annotations.versioning).previous_message_type = - "envoy.type.matcher.v3.StructMatcher"; - - // Specifies the segment in a path to retrieve value from Struct. 
- message PathSegment { - option (udpa.annotations.versioning).previous_message_type = - "envoy.type.matcher.v3.StructMatcher.PathSegment"; - - oneof segment { - option (validate.required) = true; - - // If specified, use the key to retrieve the value in a Struct. - string key = 1 [(validate.rules).string = {min_len: 1}]; - } - } - - // The path to retrieve the Value from the Struct. - repeated PathSegment path = 2 [(validate.rules).repeated = {min_items: 1}]; - - // The StructMatcher is matched if the value retrieved by path is matched to this value. - ValueMatcher value = 3 [(validate.rules).message = {required: true}]; -} diff --git a/api/envoy/type/matcher/v4alpha/value.proto b/api/envoy/type/matcher/v4alpha/value.proto deleted file mode 100644 index 6e509d460109..000000000000 --- a/api/envoy/type/matcher/v4alpha/value.proto +++ /dev/null 
@@ -1,71 +0,0 @@ -syntax = "proto3"; - -package envoy.type.matcher.v4alpha; - -import "envoy/type/matcher/v4alpha/number.proto"; -import "envoy/type/matcher/v4alpha/string.proto"; - -import "udpa/annotations/status.proto"; -import "udpa/annotations/versioning.proto"; -import "validate/validate.proto"; - -option java_package = "io.envoyproxy.envoy.type.matcher.v4alpha"; -option java_outer_classname = "ValueProto"; -option java_multiple_files = true; -option (udpa.annotations.file_status).package_version_status = NEXT_MAJOR_VERSION_CANDIDATE; - -// [#protodoc-title: Value matcher] - -// Specifies the way to match a ProtobufWkt::Value. Primitive values and ListValue are supported. -// StructValue is not supported and is always not matched. -// [#next-free-field: 7] -message ValueMatcher { - option (udpa.annotations.versioning).previous_message_type = "envoy.type.matcher.v3.ValueMatcher"; - - // NullMatch is an empty message to specify a null value. - message NullMatch { - option (udpa.annotations.versioning).previous_message_type = - "envoy.type.matcher.v3.ValueMatcher.NullMatch"; - } - - // Specifies how to match a value. - oneof match_pattern { - option (validate.required) = true; - - // If specified, a match occurs if and only if the target value is a NullValue. - NullMatch null_match = 1; - - // If specified, a match occurs if and only if the target value is a double value and is - // matched to this field. - DoubleMatcher double_match = 2; - - // If specified, a match occurs if and only if the target value is a string value and is - // matched to this field. - StringMatcher string_match = 3; - - // If specified, a match occurs if and only if the target value is a bool value and is equal - // to this field. - bool bool_match = 4; - - // If specified, value match will be performed based on whether the path is referring to a - // valid primitive value in the metadata. If the path is referring to a non-primitive value, - // the result is always not matched. 
- bool present_match = 5; - - // If specified, a match occurs if and only if the target value is a list value and - // is matched to this field. - ListMatcher list_match = 6; - } -} - -// Specifies the way to match a list value. -message ListMatcher { - option (udpa.annotations.versioning).previous_message_type = "envoy.type.matcher.v3.ListMatcher"; - - oneof match_pattern { - option (validate.required) = true; - - // If specified, at least one of the values in the list must match the value specified. - ValueMatcher one_of = 1; - } -} diff --git a/ci/do_ci.sh b/ci/do_ci.sh index 4f8e196fd256..73696fb0c268 100755 --- a/ci/do_ci.sh +++ b/ci/do_ci.sh @@ -366,6 +366,8 @@ elif [[ "$CI_TARGET" == "bazel.api" ]]; then export LLVM_CONFIG="${LLVM_ROOT}"/bin/llvm-config echo "Validating API structure..." "${ENVOY_SRCDIR}"/tools/api/validate_structure.py + echo "Validate Golang protobuf generation..." + "${ENVOY_SRCDIR}"/tools/api/generate_go_protobuf.py echo "Testing API and API Boosting..." bazel_with_collection test "${BAZEL_BUILD_OPTIONS[@]}" -c fastbuild @envoy_api_canonical//test/... @envoy_api_canonical//tools/... \ @envoy_api_canonical//tools:tap2pcap_test @envoy_dev//clang_tools/api_booster/... diff --git a/generated_api_shadow/contrib/envoy/extensions/filters/network/rocketmq_proxy/v4alpha/BUILD b/generated_api_shadow/contrib/envoy/extensions/filters/network/rocketmq_proxy/v4alpha/BUILD deleted file mode 100644 index 06009f5f397f..000000000000 --- a/generated_api_shadow/contrib/envoy/extensions/filters/network/rocketmq_proxy/v4alpha/BUILD +++ /dev/null 
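Review bot: The step added to the `bazel.api` branch of ci/do_ci.sh runs `tools/api/generate_go_protobuf.py` with no comment saying what it guards, and its progress message is worded differently from the `Validating API structure...` line just above it. I would add `# Fail here if the Go protobufs cannot be generated, rather than later in the go-control-plane sync.` above the call and change the message to `echo "Validating Golang protobuf generation..."`. The script's name suggests it generates output rather than only checking; if it can also write to or push a go-control-plane checkout, it is worth confirming that this CI invocation takes only the generate path, since the job may run with credentials in its environment. That cannot be determined from this hunk, and the `bazel.api` branch begins and ends outside it.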
@@ -1,15 +0,0 @@ -# DO NOT EDIT. This file is generated by tools/proto_format/proto_sync.py. - -load("@envoy_api//bazel:api_build_system.bzl", "api_proto_package") - -licenses(["notice"]) # Apache 2 - -api_proto_package( - deps = [ - "//envoy/config/core/v4alpha:pkg", - "//envoy/config/route/v4alpha:pkg", - "//envoy/extensions/filters/network/rocketmq_proxy/v3:pkg", - "//envoy/type/matcher/v4alpha:pkg", - "@com_github_cncf_udpa//udpa/annotations:pkg", - ], -) diff --git a/generated_api_shadow/contrib/envoy/extensions/filters/network/rocketmq_proxy/v4alpha/rocketmq_proxy.proto b/generated_api_shadow/contrib/envoy/extensions/filters/network/rocketmq_proxy/v4alpha/rocketmq_proxy.proto deleted file mode 100644 index 45a71da2f8dd..000000000000 --- a/generated_api_shadow/contrib/envoy/extensions/filters/network/rocketmq_proxy/v4alpha/rocketmq_proxy.proto +++ /dev/null 
@@ -1,38 +0,0 @@ -syntax = "proto3"; - -package envoy.extensions.filters.network.rocketmq_proxy.v4alpha; - -import "envoy/extensions/filters/network/rocketmq_proxy/v4alpha/route.proto"; - -import "google/protobuf/duration.proto"; - -import "udpa/annotations/status.proto"; -import "udpa/annotations/versioning.proto"; -import "validate/validate.proto"; - -option java_package = "io.envoyproxy.envoy.extensions.filters.network.rocketmq_proxy.v4alpha"; -option java_outer_classname = "RocketmqProxyProto"; -option java_multiple_files = true; -option (udpa.annotations.file_status).package_version_status = NEXT_MAJOR_VERSION_CANDIDATE; - -// [#protodoc-title: RocketMQ Proxy] -// RocketMQ Proxy :ref:`configuration overview `. -// [#extension: envoy.filters.network.rocketmq_proxy] - -message RocketmqProxy { - option (udpa.annotations.versioning).previous_message_type = - "envoy.extensions.filters.network.rocketmq_proxy.v3.RocketmqProxy"; - - // The human readable prefix to use when emitting statistics. - string stat_prefix = 1 [(validate.rules).string = {min_len: 1}]; - - // The route table for the connection manager is specified in this property. - RouteConfiguration route_config = 2; - - // The largest duration transient object expected to live, more than 10s is recommended. - google.protobuf.Duration transient_object_life_span = 3; - - // If develop_mode is enabled, this proxy plugin may work without dedicated traffic intercepting - // facility without considering backward compatibility of exiting RocketMQ client SDK. - bool develop_mode = 4; -} diff --git a/generated_api_shadow/contrib/envoy/extensions/filters/network/rocketmq_proxy/v4alpha/route.proto b/generated_api_shadow/contrib/envoy/extensions/filters/network/rocketmq_proxy/v4alpha/route.proto deleted file mode 100644 index 0925afef833d..000000000000 --- a/generated_api_shadow/contrib/envoy/extensions/filters/network/rocketmq_proxy/v4alpha/route.proto +++ /dev/null 
@@ -1,67 +0,0 @@ -syntax = "proto3"; - -package envoy.extensions.filters.network.rocketmq_proxy.v4alpha; - -import "envoy/config/core/v4alpha/base.proto"; -import "envoy/config/route/v4alpha/route_components.proto"; -import "envoy/type/matcher/v4alpha/string.proto"; - -import "udpa/annotations/status.proto"; -import "udpa/annotations/versioning.proto"; -import "validate/validate.proto"; - -option java_package = "io.envoyproxy.envoy.extensions.filters.network.rocketmq_proxy.v4alpha"; -option java_outer_classname = "RouteProto"; -option java_multiple_files = true; -option (udpa.annotations.file_status).package_version_status = NEXT_MAJOR_VERSION_CANDIDATE; - -// [#protodoc-title: Rocketmq Proxy Route Configuration] -// Rocketmq Proxy :ref:`configuration overview `. - -message RouteConfiguration { - option (udpa.annotations.versioning).previous_message_type = - "envoy.extensions.filters.network.rocketmq_proxy.v3.RouteConfiguration"; - - // The name of the route configuration. - string name = 1; - - // The list of routes that will be matched, in order, against incoming requests. The first route - // that matches will be used. - repeated Route routes = 2; -} - -message Route { - option (udpa.annotations.versioning).previous_message_type = - "envoy.extensions.filters.network.rocketmq_proxy.v3.Route"; - - // Route matching parameters. - RouteMatch match = 1 [(validate.rules).message = {required: true}]; - - // Route request to some upstream cluster. - RouteAction route = 2 [(validate.rules).message = {required: true}]; -} - -message RouteMatch { - option (udpa.annotations.versioning).previous_message_type = - "envoy.extensions.filters.network.rocketmq_proxy.v3.RouteMatch"; - - // The name of the topic. - type.matcher.v4alpha.StringMatcher topic = 1 [(validate.rules).message = {required: true}]; - - // Specifies a set of headers that the route should match on. The router will check the request’s - // headers against all the specified headers in the route config. 
A match will happen if all the - // headers in the route are present in the request with the same values (or based on presence if - // the value field is not in the config). - repeated config.route.v4alpha.HeaderMatcher headers = 2; -} - -message RouteAction { - option (udpa.annotations.versioning).previous_message_type = - "envoy.extensions.filters.network.rocketmq_proxy.v3.RouteAction"; - - // Indicates the upstream cluster to which the request should be routed. - string cluster = 1 [(validate.rules).string = {min_len: 1}]; - - // Optional endpoint metadata match criteria used by the subset load balancer. - config.core.v4alpha.Metadata metadata_match = 2; -} diff --git a/generated_api_shadow/envoy/admin/v4alpha/BUILD b/generated_api_shadow/envoy/admin/v4alpha/BUILD deleted file mode 100644 index 74de2ca2a3d5..000000000000 --- a/generated_api_shadow/envoy/admin/v4alpha/BUILD +++ /dev/null @@ -1,17 +0,0 @@ -# DO NOT EDIT. This file is generated by tools/proto_format/proto_sync.py. - -load("@envoy_api//bazel:api_build_system.bzl", "api_proto_package") - -licenses(["notice"]) # Apache 2 - -api_proto_package( - deps = [ - "//envoy/admin/v3:pkg", - "//envoy/config/bootstrap/v4alpha:pkg", - "//envoy/config/cluster/v4alpha:pkg", - "//envoy/config/core/v4alpha:pkg", - "//envoy/config/tap/v4alpha:pkg", - "//envoy/type/v3:pkg", - "@com_github_cncf_udpa//udpa/annotations:pkg", - ], -) diff --git a/generated_api_shadow/envoy/admin/v4alpha/certs.proto b/generated_api_shadow/envoy/admin/v4alpha/certs.proto deleted file mode 100644 index 0dd868f71fa6..000000000000 --- a/generated_api_shadow/envoy/admin/v4alpha/certs.proto +++ /dev/null 
@@ -1,86 +0,0 @@ -syntax = "proto3"; - -package envoy.admin.v4alpha; - -import "google/protobuf/timestamp.proto"; - -import "udpa/annotations/status.proto"; -import "udpa/annotations/versioning.proto"; - -option java_package = "io.envoyproxy.envoy.admin.v4alpha"; -option java_outer_classname = "CertsProto"; -option java_multiple_files = true; -option (udpa.annotations.file_status).package_version_status = NEXT_MAJOR_VERSION_CANDIDATE; - -// [#protodoc-title: Certificates] - -// Proto representation of certificate details. Admin endpoint uses this wrapper for `/certs` to -// display certificate information. See :ref:`/certs ` for more -// information. -message Certificates { - option (udpa.annotations.versioning).previous_message_type = "envoy.admin.v3.Certificates"; - - // List of certificates known to an Envoy. - repeated Certificate certificates = 1; -} - -message Certificate { - option (udpa.annotations.versioning).previous_message_type = "envoy.admin.v3.Certificate"; - - // Details of CA certificate. - repeated CertificateDetails ca_cert = 1; - - // Details of Certificate Chain - repeated CertificateDetails cert_chain = 2; -} - -// [#next-free-field: 8] -message CertificateDetails { - option (udpa.annotations.versioning).previous_message_type = "envoy.admin.v3.CertificateDetails"; - - message OcspDetails { - option (udpa.annotations.versioning).previous_message_type = - "envoy.admin.v3.CertificateDetails.OcspDetails"; - - // Indicates the time from which the OCSP response is valid. - google.protobuf.Timestamp valid_from = 1; - - // Indicates the time at which the OCSP response expires. - google.protobuf.Timestamp expiration = 2; - } - - // Path of the certificate. - string path = 1; - - // Certificate Serial Number. - string serial_number = 2; - - // List of Subject Alternate names. - repeated SubjectAlternateName subject_alt_names = 3; - - // Minimum of days until expiration of certificate and it's chain. 
- uint64 days_until_expiration = 4; - - // Indicates the time from which the certificate is valid. - google.protobuf.Timestamp valid_from = 5; - - // Indicates the time at which the certificate expires. - google.protobuf.Timestamp expiration_time = 6; - - // Details related to the OCSP response associated with this certificate, if any. - OcspDetails ocsp_details = 7; -} - -message SubjectAlternateName { - option (udpa.annotations.versioning).previous_message_type = - "envoy.admin.v3.SubjectAlternateName"; - - // Subject Alternate Name. - oneof name { - string dns = 1; - - string uri = 2; - - string ip_address = 3; - } -} diff --git a/generated_api_shadow/envoy/admin/v4alpha/clusters.proto b/generated_api_shadow/envoy/admin/v4alpha/clusters.proto deleted file mode 100644 index 12969a28d008..000000000000 --- a/generated_api_shadow/envoy/admin/v4alpha/clusters.proto +++ /dev/null 
@@ -1,176 +0,0 @@ -syntax = "proto3"; - -package envoy.admin.v4alpha; - -import "envoy/admin/v4alpha/metrics.proto"; -import "envoy/config/cluster/v4alpha/circuit_breaker.proto"; -import "envoy/config/core/v4alpha/address.proto"; -import "envoy/config/core/v4alpha/base.proto"; -import "envoy/config/core/v4alpha/health_check.proto"; -import "envoy/type/v3/percent.proto"; - -import "udpa/annotations/status.proto"; -import "udpa/annotations/versioning.proto"; - -option java_package = "io.envoyproxy.envoy.admin.v4alpha"; -option java_outer_classname = "ClustersProto"; -option java_multiple_files = true; -option (udpa.annotations.file_status).package_version_status = NEXT_MAJOR_VERSION_CANDIDATE; - -// [#protodoc-title: Clusters] - -// Admin endpoint uses this wrapper for `/clusters` to display cluster status information. -// See :ref:`/clusters ` for more information. -message Clusters { - option (udpa.annotations.versioning).previous_message_type = "envoy.admin.v3.Clusters"; - - // Mapping from cluster name to each cluster's status. - repeated ClusterStatus cluster_statuses = 1; -} - -// Details an individual cluster's current status. -// [#next-free-field: 8] -message ClusterStatus { - option (udpa.annotations.versioning).previous_message_type = "envoy.admin.v3.ClusterStatus"; - - // Name of the cluster. - string name = 1; - - // Denotes whether this cluster was added via API or configured statically. - bool added_via_api = 2; - - // The success rate threshold used in the last interval. - // If - // :ref:`outlier_detection.split_external_local_origin_errors` - // is *false*, all errors: externally and locally generated were used to calculate the threshold. - // If - // :ref:`outlier_detection.split_external_local_origin_errors` - // is *true*, only externally generated errors were used to calculate the threshold. - // The threshold is used to eject hosts based on their success rate. See - // :ref:`Cluster outlier detection ` documentation for details. 
- // - // Note: this field may be omitted in any of the three following cases: - // - // 1. There were not enough hosts with enough request volume to proceed with success rate based - // outlier ejection. - // 2. The threshold is computed to be < 0 because a negative value implies that there was no - // threshold for that interval. - // 3. Outlier detection is not enabled for this cluster. - type.v3.Percent success_rate_ejection_threshold = 3; - - // Mapping from host address to the host's current status. - repeated HostStatus host_statuses = 4; - - // The success rate threshold used in the last interval when only locally originated failures were - // taken into account and externally originated errors were treated as success. - // This field should be interpreted only when - // :ref:`outlier_detection.split_external_local_origin_errors` - // is *true*. The threshold is used to eject hosts based on their success rate. - // See :ref:`Cluster outlier detection ` documentation for - // details. - // - // Note: this field may be omitted in any of the three following cases: - // - // 1. There were not enough hosts with enough request volume to proceed with success rate based - // outlier ejection. - // 2. The threshold is computed to be < 0 because a negative value implies that there was no - // threshold for that interval. - // 3. Outlier detection is not enabled for this cluster. - type.v3.Percent local_origin_success_rate_ejection_threshold = 5; - - // :ref:`Circuit breaking ` settings of the cluster. - config.cluster.v4alpha.CircuitBreakers circuit_breakers = 6; - - // Observability name of the cluster. - string observability_name = 7; -} - -// Current state of a particular host. -// [#next-free-field: 10] -message HostStatus { - option (udpa.annotations.versioning).previous_message_type = "envoy.admin.v3.HostStatus"; - - // Address of this host. - config.core.v4alpha.Address address = 1; - - // List of stats specific to this host. 
- repeated SimpleMetric stats = 2; - - // The host's current health status. - HostHealthStatus health_status = 3; - - // Request success rate for this host over the last calculated interval. - // If - // :ref:`outlier_detection.split_external_local_origin_errors` - // is *false*, all errors: externally and locally generated were used in success rate - // calculation. If - // :ref:`outlier_detection.split_external_local_origin_errors` - // is *true*, only externally generated errors were used in success rate calculation. - // See :ref:`Cluster outlier detection ` documentation for - // details. - // - // Note: the message will not be present if host did not have enough request volume to calculate - // success rate or the cluster did not have enough hosts to run through success rate outlier - // ejection. - type.v3.Percent success_rate = 4; - - // The host's weight. If not configured, the value defaults to 1. - uint32 weight = 5; - - // The hostname of the host, if applicable. - string hostname = 6; - - // The host's priority. If not configured, the value defaults to 0 (highest priority). - uint32 priority = 7; - - // Request success rate for this host over the last calculated - // interval when only locally originated errors are taken into account and externally originated - // errors were treated as success. - // This field should be interpreted only when - // :ref:`outlier_detection.split_external_local_origin_errors` - // is *true*. - // See :ref:`Cluster outlier detection ` documentation for - // details. - // - // Note: the message will not be present if host did not have enough request volume to calculate - // success rate or the cluster did not have enough hosts to run through success rate outlier - // ejection. - type.v3.Percent local_origin_success_rate = 8; - - // locality of the host. - config.core.v4alpha.Locality locality = 9; -} - -// Health status for a host. 
-// [#next-free-field: 9] -message HostHealthStatus { - option (udpa.annotations.versioning).previous_message_type = "envoy.admin.v3.HostHealthStatus"; - - // The host is currently failing active health checks. - bool failed_active_health_check = 1; - - // The host is currently considered an outlier and has been ejected. - bool failed_outlier_check = 2; - - // The host is currently being marked as degraded through active health checking. - bool failed_active_degraded_check = 4; - - // The host has been removed from service discovery, but is being stabilized due to active - // health checking. - bool pending_dynamic_removal = 5; - - // The host has not yet been health checked. - bool pending_active_hc = 6; - - // The host should be excluded from panic, spillover, etc. calculations because it was explicitly - // taken out of rotation via protocol signal and is not meant to be routed to. - bool excluded_via_immediate_hc_fail = 7; - - // The host failed active HC due to timeout. - bool active_hc_timeout = 8; - - // Health status as reported by EDS. Note: only HEALTHY and UNHEALTHY are currently supported - // here. - // [#comment:TODO(mrice32): pipe through remaining EDS health status possibilities.] - config.core.v4alpha.HealthStatus eds_health_status = 3; -} diff --git a/generated_api_shadow/envoy/admin/v4alpha/config_dump.proto b/generated_api_shadow/envoy/admin/v4alpha/config_dump.proto deleted file mode 100644 index 2e36bc16f9b6..000000000000 --- a/generated_api_shadow/envoy/admin/v4alpha/config_dump.proto +++ /dev/null 
@@ -1,484 +0,0 @@ -syntax = "proto3"; - -package envoy.admin.v4alpha; - -import "envoy/config/bootstrap/v4alpha/bootstrap.proto"; - -import "google/protobuf/any.proto"; -import "google/protobuf/timestamp.proto"; - -import "udpa/annotations/status.proto"; -import "udpa/annotations/versioning.proto"; - -option java_package = "io.envoyproxy.envoy.admin.v4alpha"; -option java_outer_classname = "ConfigDumpProto"; -option java_multiple_files = true; -option (udpa.annotations.file_status).package_version_status = NEXT_MAJOR_VERSION_CANDIDATE; - -// [#protodoc-title: ConfigDump] - -// Resource status from the view of a xDS client, which tells the synchronization -// status between the xDS client and the xDS server. -enum ClientResourceStatus { - // Resource status is not available/unknown. - UNKNOWN = 0; - - // Client requested this resource but hasn't received any update from management - // server. The client will not fail requests, but will queue them until update - // arrives or the client times out waiting for the resource. - REQUESTED = 1; - - // This resource has been requested by the client but has either not been - // delivered by the server or was previously delivered by the server and then - // subsequently removed from resources provided by the server. For more - // information, please refer to the :ref:`"Knowing When a Requested Resource - // Does Not Exist" ` section. - DOES_NOT_EXIST = 2; - - // Client received this resource and replied with ACK. - ACKED = 3; - - // Client received this resource and replied with NACK. - NACKED = 4; -} - -// The :ref:`/config_dump ` admin endpoint uses this wrapper -// message to maintain and serve arbitrary configuration information from any component in Envoy. -message ConfigDump { - option (udpa.annotations.versioning).previous_message_type = "envoy.admin.v3.ConfigDump"; - - // This list is serialized and dumped in its entirety at the - // :ref:`/config_dump ` endpoint. 
- // - // The following configurations are currently supported and will be dumped in the order given - // below: - // - // * *bootstrap*: :ref:`BootstrapConfigDump ` - // * *clusters*: :ref:`ClustersConfigDump ` - // * *endpoints*: :ref:`EndpointsConfigDump ` - // * *listeners*: :ref:`ListenersConfigDump ` - // * *scoped_routes*: :ref:`ScopedRoutesConfigDump ` - // * *routes*: :ref:`RoutesConfigDump ` - // * *secrets*: :ref:`SecretsConfigDump ` - // - // EDS Configuration will only be dumped by using parameter `?include_eds` - // - // You can filter output with the resource and mask query parameters. - // See :ref:`/config_dump?resource={} `, - // :ref:`/config_dump?mask={} `, - // or :ref:`/config_dump?resource={},mask={} - // ` for more information. - repeated google.protobuf.Any configs = 1; -} - -message UpdateFailureState { - option (udpa.annotations.versioning).previous_message_type = "envoy.admin.v3.UpdateFailureState"; - - // What the component configuration would have been if the update had succeeded. - // This field may not be populated by xDS clients due to storage overhead. - google.protobuf.Any failed_configuration = 1; - - // Time of the latest failed update attempt. - google.protobuf.Timestamp last_update_attempt = 2; - - // Details about the last failed update attempt. - string details = 3; - - // This is the version of the rejected resource. - // [#not-implemented-hide:] - string version_info = 4; -} - -// This message describes the bootstrap configuration that Envoy was started with. This includes -// any CLI overrides that were merged. Bootstrap configuration information can be used to recreate -// the static portions of an Envoy configuration by reusing the output as the bootstrap -// configuration for another Envoy. 
-message BootstrapConfigDump { - option (udpa.annotations.versioning).previous_message_type = "envoy.admin.v3.BootstrapConfigDump"; - - config.bootstrap.v4alpha.Bootstrap bootstrap = 1; - - // The timestamp when the BootstrapConfig was last updated. - google.protobuf.Timestamp last_updated = 2; -} - -// Envoy's listener manager fills this message with all currently known listeners. Listener -// configuration information can be used to recreate an Envoy configuration by populating all -// listeners as static listeners or by returning them in a LDS response. -message ListenersConfigDump { - option (udpa.annotations.versioning).previous_message_type = "envoy.admin.v3.ListenersConfigDump"; - - // Describes a statically loaded listener. - message StaticListener { - option (udpa.annotations.versioning).previous_message_type = - "envoy.admin.v3.ListenersConfigDump.StaticListener"; - - // The listener config. - google.protobuf.Any listener = 1; - - // The timestamp when the Listener was last successfully updated. - google.protobuf.Timestamp last_updated = 2; - } - - message DynamicListenerState { - option (udpa.annotations.versioning).previous_message_type = - "envoy.admin.v3.ListenersConfigDump.DynamicListenerState"; - - // This is the per-resource version information. This version is currently taken from the - // :ref:`version_info ` field at the time - // that the listener was loaded. In the future, discrete per-listener versions may be supported - // by the API. - string version_info = 1; - - // The listener config. - google.protobuf.Any listener = 2; - - // The timestamp when the Listener was last successfully updated. - google.protobuf.Timestamp last_updated = 3; - } - - // Describes a dynamically loaded listener via the LDS API. 
- // [#next-free-field: 7] - message DynamicListener { - option (udpa.annotations.versioning).previous_message_type = - "envoy.admin.v3.ListenersConfigDump.DynamicListener"; - - // The name or unique id of this listener, pulled from the DynamicListenerState config. - string name = 1; - - // The listener state for any active listener by this name. - // These are listeners that are available to service data plane traffic. - DynamicListenerState active_state = 2; - - // The listener state for any warming listener by this name. - // These are listeners that are currently undergoing warming in preparation to service data - // plane traffic. Note that if attempting to recreate an Envoy configuration from a - // configuration dump, the warming listeners should generally be discarded. - DynamicListenerState warming_state = 3; - - // The listener state for any draining listener by this name. - // These are listeners that are currently undergoing draining in preparation to stop servicing - // data plane traffic. Note that if attempting to recreate an Envoy configuration from a - // configuration dump, the draining listeners should generally be discarded. - DynamicListenerState draining_state = 4; - - // Set if the last update failed, cleared after the next successful update. - // The *error_state* field contains the rejected version of this particular - // resource along with the reason and timestamp. For successfully updated or - // acknowledged resource, this field should be empty. - UpdateFailureState error_state = 5; - - // The client status of this resource. - // [#not-implemented-hide:] - ClientResourceStatus client_status = 6; - } - - // This is the :ref:`version_info ` in the - // last processed LDS discovery response. If there are only static bootstrap listeners, this field - // will be "". - string version_info = 1; - - // The statically loaded listener configs. 
- repeated StaticListener static_listeners = 2; - - // State for any warming, active, or draining listeners. - repeated DynamicListener dynamic_listeners = 3; -} - -// Envoy's cluster manager fills this message with all currently known clusters. Cluster -// configuration information can be used to recreate an Envoy configuration by populating all -// clusters as static clusters or by returning them in a CDS response. -message ClustersConfigDump { - option (udpa.annotations.versioning).previous_message_type = "envoy.admin.v3.ClustersConfigDump"; - - // Describes a statically loaded cluster. - message StaticCluster { - option (udpa.annotations.versioning).previous_message_type = - "envoy.admin.v3.ClustersConfigDump.StaticCluster"; - - // The cluster config. - google.protobuf.Any cluster = 1; - - // The timestamp when the Cluster was last updated. - google.protobuf.Timestamp last_updated = 2; - } - - // Describes a dynamically loaded cluster via the CDS API. - // [#next-free-field: 6] - message DynamicCluster { - option (udpa.annotations.versioning).previous_message_type = - "envoy.admin.v3.ClustersConfigDump.DynamicCluster"; - - // This is the per-resource version information. This version is currently taken from the - // :ref:`version_info ` field at the time - // that the cluster was loaded. In the future, discrete per-cluster versions may be supported by - // the API. - string version_info = 1; - - // The cluster config. - google.protobuf.Any cluster = 2; - - // The timestamp when the Cluster was last updated. - google.protobuf.Timestamp last_updated = 3; - - // Set if the last update failed, cleared after the next successful update. - // The *error_state* field contains the rejected version of this particular - // resource along with the reason and timestamp. For successfully updated or - // acknowledged resource, this field should be empty. - // [#not-implemented-hide:] - UpdateFailureState error_state = 4; - - // The client status of this resource. 
- // [#not-implemented-hide:] - ClientResourceStatus client_status = 5; - } - - // This is the :ref:`version_info ` in the - // last processed CDS discovery response. If there are only static bootstrap clusters, this field - // will be "". - string version_info = 1; - - // The statically loaded cluster configs. - repeated StaticCluster static_clusters = 2; - - // The dynamically loaded active clusters. These are clusters that are available to service - // data plane traffic. - repeated DynamicCluster dynamic_active_clusters = 3; - - // The dynamically loaded warming clusters. These are clusters that are currently undergoing - // warming in preparation to service data plane traffic. Note that if attempting to recreate an - // Envoy configuration from a configuration dump, the warming clusters should generally be - // discarded. - repeated DynamicCluster dynamic_warming_clusters = 4; -} - -// Envoy's RDS implementation fills this message with all currently loaded routes, as described by -// their RouteConfiguration objects. Static routes that are either defined in the bootstrap configuration -// or defined inline while configuring listeners are separated from those configured dynamically via RDS. -// Route configuration information can be used to recreate an Envoy configuration by populating all routes -// as static routes or by returning them in RDS responses. -message RoutesConfigDump { - option (udpa.annotations.versioning).previous_message_type = "envoy.admin.v3.RoutesConfigDump"; - - message StaticRouteConfig { - option (udpa.annotations.versioning).previous_message_type = - "envoy.admin.v3.RoutesConfigDump.StaticRouteConfig"; - - // The route config. - google.protobuf.Any route_config = 1; - - // The timestamp when the Route was last updated. 
- google.protobuf.Timestamp last_updated = 2; - } - - // [#next-free-field: 6] - message DynamicRouteConfig { - option (udpa.annotations.versioning).previous_message_type = - "envoy.admin.v3.RoutesConfigDump.DynamicRouteConfig"; - - // This is the per-resource version information. This version is currently taken from the - // :ref:`version_info ` field at the time that - // the route configuration was loaded. - string version_info = 1; - - // The route config. - google.protobuf.Any route_config = 2; - - // The timestamp when the Route was last updated. - google.protobuf.Timestamp last_updated = 3; - - // Set if the last update failed, cleared after the next successful update. - // The *error_state* field contains the rejected version of this particular - // resource along with the reason and timestamp. For successfully updated or - // acknowledged resource, this field should be empty. - // [#not-implemented-hide:] - UpdateFailureState error_state = 4; - - // The client status of this resource. - // [#not-implemented-hide:] - ClientResourceStatus client_status = 5; - } - - // The statically loaded route configs. - repeated StaticRouteConfig static_route_configs = 2; - - // The dynamically loaded route configs. - repeated DynamicRouteConfig dynamic_route_configs = 3; -} - -// Envoy's scoped RDS implementation fills this message with all currently loaded route -// configuration scopes (defined via ScopedRouteConfigurationsSet protos). This message lists both -// the scopes defined inline with the higher order object (i.e., the HttpConnectionManager) and the -// dynamically obtained scopes via the SRDS API. 
-message ScopedRoutesConfigDump { - option (udpa.annotations.versioning).previous_message_type = - "envoy.admin.v3.ScopedRoutesConfigDump"; - - message InlineScopedRouteConfigs { - option (udpa.annotations.versioning).previous_message_type = - "envoy.admin.v3.ScopedRoutesConfigDump.InlineScopedRouteConfigs"; - - // The name assigned to the scoped route configurations. - string name = 1; - - // The scoped route configurations. - repeated google.protobuf.Any scoped_route_configs = 2; - - // The timestamp when the scoped route config set was last updated. - google.protobuf.Timestamp last_updated = 3; - } - - // [#next-free-field: 7] - message DynamicScopedRouteConfigs { - option (udpa.annotations.versioning).previous_message_type = - "envoy.admin.v3.ScopedRoutesConfigDump.DynamicScopedRouteConfigs"; - - // The name assigned to the scoped route configurations. - string name = 1; - - // This is the per-resource version information. This version is currently taken from the - // :ref:`version_info ` field at the time that - // the scoped routes configuration was loaded. - string version_info = 2; - - // The scoped route configurations. - repeated google.protobuf.Any scoped_route_configs = 3; - - // The timestamp when the scoped route config set was last updated. - google.protobuf.Timestamp last_updated = 4; - - // Set if the last update failed, cleared after the next successful update. - // The *error_state* field contains the rejected version of this particular - // resource along with the reason and timestamp. For successfully updated or - // acknowledged resource, this field should be empty. - // [#not-implemented-hide:] - UpdateFailureState error_state = 5; - - // The client status of this resource. - // [#not-implemented-hide:] - ClientResourceStatus client_status = 6; - } - - // The statically loaded scoped route configs. - repeated InlineScopedRouteConfigs inline_scoped_route_configs = 1; - - // The dynamically loaded scoped route configs. 
- repeated DynamicScopedRouteConfigs dynamic_scoped_route_configs = 2; -} - -// Envoys SDS implementation fills this message with all secrets fetched dynamically via SDS. -message SecretsConfigDump { - option (udpa.annotations.versioning).previous_message_type = "envoy.admin.v3.SecretsConfigDump"; - - // DynamicSecret contains secret information fetched via SDS. - // [#next-free-field: 7] - message DynamicSecret { - option (udpa.annotations.versioning).previous_message_type = - "envoy.admin.v3.SecretsConfigDump.DynamicSecret"; - - // The name assigned to the secret. - string name = 1; - - // This is the per-resource version information. - string version_info = 2; - - // The timestamp when the secret was last updated. - google.protobuf.Timestamp last_updated = 3; - - // The actual secret information. - // Security sensitive information is redacted (replaced with "[redacted]") for - // private keys and passwords in TLS certificates. - google.protobuf.Any secret = 4; - - // Set if the last update failed, cleared after the next successful update. - // The *error_state* field contains the rejected version of this particular - // resource along with the reason and timestamp. For successfully updated or - // acknowledged resource, this field should be empty. - // [#not-implemented-hide:] - UpdateFailureState error_state = 5; - - // The client status of this resource. - // [#not-implemented-hide:] - ClientResourceStatus client_status = 6; - } - - // StaticSecret specifies statically loaded secret in bootstrap. - message StaticSecret { - option (udpa.annotations.versioning).previous_message_type = - "envoy.admin.v3.SecretsConfigDump.StaticSecret"; - - // The name assigned to the secret. - string name = 1; - - // The timestamp when the secret was last updated. - google.protobuf.Timestamp last_updated = 2; - - // The actual secret information. - // Security sensitive information is redacted (replaced with "[redacted]") for - // private keys and passwords in TLS certificates. 
- google.protobuf.Any secret = 3; - } - - // The statically loaded secrets. - repeated StaticSecret static_secrets = 1; - - // The dynamically loaded active secrets. These are secrets that are available to service - // clusters or listeners. - repeated DynamicSecret dynamic_active_secrets = 2; - - // The dynamically loaded warming secrets. These are secrets that are currently undergoing - // warming in preparation to service clusters or listeners. - repeated DynamicSecret dynamic_warming_secrets = 3; -} - -// Envoy's admin fill this message with all currently known endpoints. Endpoint -// configuration information can be used to recreate an Envoy configuration by populating all -// endpoints as static endpoints or by returning them in an EDS response. -message EndpointsConfigDump { - option (udpa.annotations.versioning).previous_message_type = "envoy.admin.v3.EndpointsConfigDump"; - - message StaticEndpointConfig { - option (udpa.annotations.versioning).previous_message_type = - "envoy.admin.v3.EndpointsConfigDump.StaticEndpointConfig"; - - // The endpoint config. - google.protobuf.Any endpoint_config = 1; - - // [#not-implemented-hide:] The timestamp when the Endpoint was last updated. - google.protobuf.Timestamp last_updated = 2; - } - - // [#next-free-field: 6] - message DynamicEndpointConfig { - option (udpa.annotations.versioning).previous_message_type = - "envoy.admin.v3.EndpointsConfigDump.DynamicEndpointConfig"; - - // [#not-implemented-hide:] This is the per-resource version information. This version is currently taken from the - // :ref:`version_info ` field at the time that - // the endpoint configuration was loaded. - string version_info = 1; - - // The endpoint config. - google.protobuf.Any endpoint_config = 2; - - // [#not-implemented-hide:] The timestamp when the Endpoint was last updated. - google.protobuf.Timestamp last_updated = 3; - - // Set if the last update failed, cleared after the next successful update. 
- // The *error_state* field contains the rejected version of this particular - // resource along with the reason and timestamp. For successfully updated or - // acknowledged resource, this field should be empty. - // [#not-implemented-hide:] - UpdateFailureState error_state = 4; - - // The client status of this resource. - // [#not-implemented-hide:] - ClientResourceStatus client_status = 5; - } - - // The statically loaded endpoint configs. - repeated StaticEndpointConfig static_endpoint_configs = 2; - - // The dynamically loaded endpoint configs. - repeated DynamicEndpointConfig dynamic_endpoint_configs = 3; -} diff --git a/generated_api_shadow/envoy/admin/v4alpha/init_dump.proto b/generated_api_shadow/envoy/admin/v4alpha/init_dump.proto deleted file mode 100644 index 81c423e52024..000000000000 --- a/generated_api_shadow/envoy/admin/v4alpha/init_dump.proto +++ /dev/null 
@@ -1,37 +0,0 @@ -syntax = "proto3"; - -package envoy.admin.v4alpha; - -import "udpa/annotations/status.proto"; -import "udpa/annotations/versioning.proto"; - -option java_package = "io.envoyproxy.envoy.admin.v4alpha"; -option java_outer_classname = "InitDumpProto"; -option java_multiple_files = true; -option (udpa.annotations.file_status).package_version_status = NEXT_MAJOR_VERSION_CANDIDATE; - -// [#protodoc-title: InitDump] - -// Dumps of unready targets of envoy init managers. Envoy's admin fills this message with init managers, -// which provides the information of their unready targets. -// The :ref:`/init_dump ` will dump all unready targets information. -message UnreadyTargetsDumps { - option (udpa.annotations.versioning).previous_message_type = "envoy.admin.v3.UnreadyTargetsDumps"; - - // Message of unready targets information of an init manager. - message UnreadyTargetsDump { - option (udpa.annotations.versioning).previous_message_type = - "envoy.admin.v3.UnreadyTargetsDumps.UnreadyTargetsDump"; - - // Name of the init manager. Example: "init_manager_xxx". - string name = 1; - - // Names of unready targets of the init manager. Example: "target_xxx". - repeated string target_names = 2; - } - - // You can choose specific component to dump unready targets with mask query parameter. - // See :ref:`/init_dump?mask={} ` for more information. - // The dumps of unready targets of all init managers. - repeated UnreadyTargetsDump unready_targets_dumps = 1; -} diff --git a/generated_api_shadow/envoy/admin/v4alpha/listeners.proto b/generated_api_shadow/envoy/admin/v4alpha/listeners.proto deleted file mode 100644 index 89bdc4c5bbf8..000000000000 --- a/generated_api_shadow/envoy/admin/v4alpha/listeners.proto +++ /dev/null 
@@ -1,36 +0,0 @@ -syntax = "proto3"; - -package envoy.admin.v4alpha; - -import "envoy/config/core/v4alpha/address.proto"; - -import "udpa/annotations/status.proto"; -import "udpa/annotations/versioning.proto"; - -option java_package = "io.envoyproxy.envoy.admin.v4alpha"; -option java_outer_classname = "ListenersProto"; -option java_multiple_files = true; -option (udpa.annotations.file_status).package_version_status = NEXT_MAJOR_VERSION_CANDIDATE; - -// [#protodoc-title: Listeners] - -// Admin endpoint uses this wrapper for `/listeners` to display listener status information. -// See :ref:`/listeners ` for more information. -message Listeners { - option (udpa.annotations.versioning).previous_message_type = "envoy.admin.v3.Listeners"; - - // List of listener statuses. - repeated ListenerStatus listener_statuses = 1; -} - -// Details an individual listener's current status. -message ListenerStatus { - option (udpa.annotations.versioning).previous_message_type = "envoy.admin.v3.ListenerStatus"; - - // Name of the listener - string name = 1; - - // The actual local address that the listener is listening on. If a listener was configured - // to listen on port 0, then this address has the port that was allocated by the OS. - config.core.v4alpha.Address local_address = 2; -} diff --git a/generated_api_shadow/envoy/admin/v4alpha/memory.proto b/generated_api_shadow/envoy/admin/v4alpha/memory.proto deleted file mode 100644 index d2f0b57229ce..000000000000 --- a/generated_api_shadow/envoy/admin/v4alpha/memory.proto +++ /dev/null 
@@ -1,47 +0,0 @@ -syntax = "proto3"; - -package envoy.admin.v4alpha; - -import "udpa/annotations/status.proto"; -import "udpa/annotations/versioning.proto"; - -option java_package = "io.envoyproxy.envoy.admin.v4alpha"; -option java_outer_classname = "MemoryProto"; -option java_multiple_files = true; -option (udpa.annotations.file_status).package_version_status = NEXT_MAJOR_VERSION_CANDIDATE; - -// [#protodoc-title: Memory] - -// Proto representation of the internal memory consumption of an Envoy instance. These represent -// values extracted from an internal TCMalloc instance. For more information, see the section of the -// docs entitled ["Generic Tcmalloc Status"](https://gperftools.github.io/gperftools/tcmalloc.html). -// [#next-free-field: 7] -message Memory { - option (udpa.annotations.versioning).previous_message_type = "envoy.admin.v3.Memory"; - - // The number of bytes allocated by the heap for Envoy. This is an alias for - // `generic.current_allocated_bytes`. - uint64 allocated = 1; - - // The number of bytes reserved by the heap but not necessarily allocated. This is an alias for - // `generic.heap_size`. - uint64 heap_size = 2; - - // The number of bytes in free, unmapped pages in the page heap. These bytes always count towards - // virtual memory usage, and depending on the OS, typically do not count towards physical memory - // usage. This is an alias for `tcmalloc.pageheap_unmapped_bytes`. - uint64 pageheap_unmapped = 3; - - // The number of bytes in free, mapped pages in the page heap. These bytes always count towards - // virtual memory usage, and unless the underlying memory is swapped out by the OS, they also - // count towards physical memory usage. This is an alias for `tcmalloc.pageheap_free_bytes`. - uint64 pageheap_free = 4; - - // The amount of memory used by the TCMalloc thread caches (for small objects). This is an alias - // for `tcmalloc.current_total_thread_cache_bytes`. 
- uint64 total_thread_cache = 5; - - // The number of bytes of the physical memory usage by the allocator. This is an alias for - // `generic.total_physical_bytes`. - uint64 total_physical_bytes = 6; -} diff --git a/generated_api_shadow/envoy/admin/v4alpha/metrics.proto b/generated_api_shadow/envoy/admin/v4alpha/metrics.proto deleted file mode 100644 index 78613320038b..000000000000 --- a/generated_api_shadow/envoy/admin/v4alpha/metrics.proto +++ /dev/null @@ -1,32 +0,0 @@ -syntax = "proto3"; - -package envoy.admin.v4alpha; - -import "udpa/annotations/status.proto"; -import "udpa/annotations/versioning.proto"; - -option java_package = "io.envoyproxy.envoy.admin.v4alpha"; -option java_outer_classname = "MetricsProto"; -option java_multiple_files = true; -option (udpa.annotations.file_status).package_version_status = NEXT_MAJOR_VERSION_CANDIDATE; - -// [#protodoc-title: Metrics] - -// Proto representation of an Envoy Counter or Gauge value. -message SimpleMetric { - option (udpa.annotations.versioning).previous_message_type = "envoy.admin.v3.SimpleMetric"; - - enum Type { - COUNTER = 0; - GAUGE = 1; - } - - // Type of the metric represented. - Type type = 1; - - // Current metric value. - uint64 value = 2; - - // Name of the metric. - string name = 3; -} diff --git a/generated_api_shadow/envoy/admin/v4alpha/mutex_stats.proto b/generated_api_shadow/envoy/admin/v4alpha/mutex_stats.proto deleted file mode 100644 index 6f9fcd548cc0..000000000000 --- a/generated_api_shadow/envoy/admin/v4alpha/mutex_stats.proto +++ /dev/null 
@@ -1,33 +0,0 @@ -syntax = "proto3"; - -package envoy.admin.v4alpha; - -import "udpa/annotations/status.proto"; -import "udpa/annotations/versioning.proto"; - -option java_package = "io.envoyproxy.envoy.admin.v4alpha"; -option java_outer_classname = "MutexStatsProto"; -option java_multiple_files = true; -option (udpa.annotations.file_status).package_version_status = NEXT_MAJOR_VERSION_CANDIDATE; - -// [#protodoc-title: MutexStats] - -// Proto representation of the statistics collected upon absl::Mutex contention, if Envoy is run -// under :option:`--enable-mutex-tracing`. For more information, see the `absl::Mutex` -// [docs](https://abseil.io/about/design/mutex#extra-features). -// -// *NB*: The wait cycles below are measured by `absl::base_internal::CycleClock`, and may not -// correspond to core clock frequency. For more information, see the `CycleClock` -// [docs](https://github.com/abseil/abseil-cpp/blob/master/absl/base/internal/cycleclock.h). -message MutexStats { - option (udpa.annotations.versioning).previous_message_type = "envoy.admin.v3.MutexStats"; - - // The number of individual mutex contentions which have occurred since startup. - uint64 num_contentions = 1; - - // The length of the current contention wait cycle. - uint64 current_wait_cycles = 2; - - // The lifetime total of all contention wait cycles. - uint64 lifetime_wait_cycles = 3; -} diff --git a/generated_api_shadow/envoy/admin/v4alpha/server_info.proto b/generated_api_shadow/envoy/admin/v4alpha/server_info.proto deleted file mode 100644 index 122aed413441..000000000000 --- a/generated_api_shadow/envoy/admin/v4alpha/server_info.proto +++ /dev/null 
@@ -1,191 +0,0 @@ -syntax = "proto3"; - -package envoy.admin.v4alpha; - -import "envoy/config/core/v4alpha/base.proto"; - -import "google/protobuf/duration.proto"; - -import "udpa/annotations/status.proto"; -import "udpa/annotations/versioning.proto"; - -option java_package = "io.envoyproxy.envoy.admin.v4alpha"; -option java_outer_classname = "ServerInfoProto"; -option java_multiple_files = true; -option (udpa.annotations.file_status).package_version_status = NEXT_MAJOR_VERSION_CANDIDATE; - -// [#protodoc-title: Server State] - -// Proto representation of the value returned by /server_info, containing -// server version/server status information. -// [#next-free-field: 8] -message ServerInfo { - option (udpa.annotations.versioning).previous_message_type = "envoy.admin.v3.ServerInfo"; - - enum State { - // Server is live and serving traffic. - LIVE = 0; - - // Server is draining listeners in response to external health checks failing. - DRAINING = 1; - - // Server has not yet completed cluster manager initialization. - PRE_INITIALIZING = 2; - - // Server is running the cluster manager initialization callbacks (e.g., RDS). - INITIALIZING = 3; - } - - // Server version. - string version = 1; - - // State of the server. - State state = 2; - - // Uptime since current epoch was started. - google.protobuf.Duration uptime_current_epoch = 3; - - // Uptime since the start of the first epoch. - google.protobuf.Duration uptime_all_epochs = 4; - - // Hot restart version. - string hot_restart_version = 5; - - // Command line options the server is currently running with. - CommandLineOptions command_line_options = 6; - - // Populated node identity of this server. - config.core.v4alpha.Node node = 7; -} - -// [#next-free-field: 38] -message CommandLineOptions { - option (udpa.annotations.versioning).previous_message_type = "envoy.admin.v3.CommandLineOptions"; - - enum IpVersion { - v4 = 0; - v6 = 1; - } - - enum Mode { - // Validate configs and then serve traffic normally. 
- Serve = 0; - - // Validate configs and exit. - Validate = 1; - - // Completely load and initialize the config, and then exit without running the listener loop. - InitOnly = 2; - } - - enum DrainStrategy { - // Gradually discourage connections over the course of the drain period. - Gradual = 0; - - // Discourage all connections for the duration of the drain sequence. - Immediate = 1; - } - - reserved 12, 20, 21, 29; - - reserved "max_stats", "max_obj_name_len", "bootstrap_version"; - - // See :option:`--base-id` for details. - uint64 base_id = 1; - - // See :option:`--use-dynamic-base-id` for details. - bool use_dynamic_base_id = 31; - - // See :option:`--base-id-path` for details. - string base_id_path = 32; - - // See :option:`--concurrency` for details. - uint32 concurrency = 2; - - // See :option:`--config-path` for details. - string config_path = 3; - - // See :option:`--config-yaml` for details. - string config_yaml = 4; - - // See :option:`--allow-unknown-static-fields` for details. - bool allow_unknown_static_fields = 5; - - // See :option:`--reject-unknown-dynamic-fields` for details. - bool reject_unknown_dynamic_fields = 26; - - // See :option:`--ignore-unknown-dynamic-fields` for details. - bool ignore_unknown_dynamic_fields = 30; - - // See :option:`--admin-address-path` for details. - string admin_address_path = 6; - - // See :option:`--local-address-ip-version` for details. - IpVersion local_address_ip_version = 7; - - // See :option:`--log-level` for details. - string log_level = 8; - - // See :option:`--component-log-level` for details. - string component_log_level = 9; - - // See :option:`--log-format` for details. - string log_format = 10; - - // See :option:`--log-format-escaped` for details. - bool log_format_escaped = 27; - - // See :option:`--log-path` for details. - string log_path = 11; - - // See :option:`--service-cluster` for details. - string service_cluster = 13; - - // See :option:`--service-node` for details. 
- string service_node = 14; - - // See :option:`--service-zone` for details. - string service_zone = 15; - - // See :option:`--file-flush-interval-msec` for details. - google.protobuf.Duration file_flush_interval = 16; - - // See :option:`--drain-time-s` for details. - google.protobuf.Duration drain_time = 17; - - // See :option:`--drain-strategy` for details. - DrainStrategy drain_strategy = 33; - - // See :option:`--parent-shutdown-time-s` for details. - google.protobuf.Duration parent_shutdown_time = 18; - - // See :option:`--mode` for details. - Mode mode = 19; - - // See :option:`--disable-hot-restart` for details. - bool disable_hot_restart = 22; - - // See :option:`--enable-mutex-tracing` for details. - bool enable_mutex_tracing = 23; - - // See :option:`--restart-epoch` for details. - uint32 restart_epoch = 24; - - // See :option:`--cpuset-threads` for details. - bool cpuset_threads = 25; - - // See :option:`--disable-extensions` for details. - repeated string disabled_extensions = 28; - - // See :option:`--enable-fine-grain-logging` for details. - bool enable_fine_grain_logging = 34; - - // See :option:`--socket-path` for details. - string socket_path = 35; - - // See :option:`--socket-mode` for details. - uint32 socket_mode = 36; - - // See :option:`--enable-core-dump` for details. - bool enable_core_dump = 37; -} diff --git a/generated_api_shadow/envoy/admin/v4alpha/tap.proto b/generated_api_shadow/envoy/admin/v4alpha/tap.proto deleted file mode 100644 index e89259380418..000000000000 --- a/generated_api_shadow/envoy/admin/v4alpha/tap.proto +++ /dev/null 
@@ -1,28 +0,0 @@ -syntax = "proto3"; - -package envoy.admin.v4alpha; - -import "envoy/config/tap/v4alpha/common.proto"; - -import "udpa/annotations/status.proto"; -import "udpa/annotations/versioning.proto"; -import "validate/validate.proto"; - -option java_package = "io.envoyproxy.envoy.admin.v4alpha"; -option java_outer_classname = "TapProto"; -option java_multiple_files = true; -option (udpa.annotations.file_status).package_version_status = NEXT_MAJOR_VERSION_CANDIDATE; - -// [#protodoc-title: Tap] - -// The /tap admin request body that is used to configure an active tap session. -message TapRequest { - option (udpa.annotations.versioning).previous_message_type = "envoy.admin.v3.TapRequest"; - - // The opaque configuration ID used to match the configuration to a loaded extension. - // A tap extension configures a similar opaque ID that is used to match. - string config_id = 1 [(validate.rules).string = {min_len: 1}]; - - // The tap configuration to load. - config.tap.v4alpha.TapConfig tap_config = 2 [(validate.rules).message = {required: true}]; -} diff --git a/generated_api_shadow/envoy/config/accesslog/v4alpha/BUILD b/generated_api_shadow/envoy/config/accesslog/v4alpha/BUILD deleted file mode 100644 index 68064d3b08d1..000000000000 --- a/generated_api_shadow/envoy/config/accesslog/v4alpha/BUILD +++ /dev/null @@ -1,16 +0,0 @@ -# DO NOT EDIT. This file is generated by tools/proto_format/proto_sync.py. - -load("@envoy_api//bazel:api_build_system.bzl", "api_proto_package") - -licenses(["notice"]) # Apache 2 - -api_proto_package( - deps = [ - "//envoy/config/accesslog/v3:pkg", - "//envoy/config/core/v4alpha:pkg", - "//envoy/config/route/v4alpha:pkg", - "//envoy/type/matcher/v4alpha:pkg", - "//envoy/type/v3:pkg", - "@com_github_cncf_udpa//udpa/annotations:pkg", - ], -) 
diff --git a/generated_api_shadow/envoy/config/accesslog/v4alpha/accesslog.proto b/generated_api_shadow/envoy/config/accesslog/v4alpha/accesslog.proto deleted file mode 100644 index 3e0c7f53598c..000000000000 --- a/generated_api_shadow/envoy/config/accesslog/v4alpha/accesslog.proto +++ /dev/null 
@@ -1,326 +0,0 @@ -syntax = "proto3"; - -package envoy.config.accesslog.v4alpha; - -import "envoy/config/core/v4alpha/base.proto"; -import "envoy/config/route/v4alpha/route_components.proto"; -import "envoy/type/matcher/v4alpha/metadata.proto"; -import "envoy/type/v3/percent.proto"; - -import "google/protobuf/any.proto"; -import "google/protobuf/wrappers.proto"; - -import "udpa/annotations/status.proto"; -import "udpa/annotations/versioning.proto"; -import "validate/validate.proto"; - -option java_package = "io.envoyproxy.envoy.config.accesslog.v4alpha"; -option java_outer_classname = "AccesslogProto"; -option java_multiple_files = true; -option (udpa.annotations.file_status).package_version_status = NEXT_MAJOR_VERSION_CANDIDATE; - -// [#protodoc-title: Common access log types] - -message AccessLog { - option (udpa.annotations.versioning).previous_message_type = - "envoy.config.accesslog.v3.AccessLog"; - - reserved 3; - - reserved "config"; - - // The name of the access log extension to instantiate. - // The name must match one of the compiled in loggers. - // See the :ref:`extensions listed in typed_config below ` for the default list of available loggers. - string name = 1; - - // Filter which is used to determine if the access log needs to be written. - AccessLogFilter filter = 2; - - // Custom configuration that must be set according to the access logger extension being instantiated. - // [#extension-category: envoy.access_loggers] - oneof config_type { - google.protobuf.Any typed_config = 4; - } -} - -// [#next-free-field: 13] -message AccessLogFilter { - option (udpa.annotations.versioning).previous_message_type = - "envoy.config.accesslog.v3.AccessLogFilter"; - - oneof filter_specifier { - option (validate.required) = true; - - // Status code filter. - StatusCodeFilter status_code_filter = 1; - - // Duration filter. - DurationFilter duration_filter = 2; - - // Not health check filter. 
- NotHealthCheckFilter not_health_check_filter = 3; - - // Traceable filter. - TraceableFilter traceable_filter = 4; - - // Runtime filter. - RuntimeFilter runtime_filter = 5; - - // And filter. - AndFilter and_filter = 6; - - // Or filter. - OrFilter or_filter = 7; - - // Header filter. - HeaderFilter header_filter = 8; - - // Response flag filter. - ResponseFlagFilter response_flag_filter = 9; - - // gRPC status filter. - GrpcStatusFilter grpc_status_filter = 10; - - // Extension filter. - ExtensionFilter extension_filter = 11; - - // Metadata Filter - MetadataFilter metadata_filter = 12; - } -} - -// Filter on an integer comparison. -message ComparisonFilter { - option (udpa.annotations.versioning).previous_message_type = - "envoy.config.accesslog.v3.ComparisonFilter"; - - enum Op { - // = - EQ = 0; - - // >= - GE = 1; - - // <= - LE = 2; - } - - // Comparison operator. - Op op = 1 [(validate.rules).enum = {defined_only: true}]; - - // Value to compare against. - core.v4alpha.RuntimeUInt32 value = 2; -} - -// Filters on HTTP response/status code. -message StatusCodeFilter { - option (udpa.annotations.versioning).previous_message_type = - "envoy.config.accesslog.v3.StatusCodeFilter"; - - // Comparison. - ComparisonFilter comparison = 1 [(validate.rules).message = {required: true}]; -} - -// Filters on total request duration in milliseconds. -message DurationFilter { - option (udpa.annotations.versioning).previous_message_type = - "envoy.config.accesslog.v3.DurationFilter"; - - // Comparison. - ComparisonFilter comparison = 1 [(validate.rules).message = {required: true}]; -} - -// Filters for requests that are not health check requests. A health check -// request is marked by the health check filter. -message NotHealthCheckFilter { - option (udpa.annotations.versioning).previous_message_type = - "envoy.config.accesslog.v3.NotHealthCheckFilter"; -} - -// Filters for requests that are traceable. 
See the tracing overview for more -// information on how a request becomes traceable. -message TraceableFilter { - option (udpa.annotations.versioning).previous_message_type = - "envoy.config.accesslog.v3.TraceableFilter"; -} - -// Filters for random sampling of requests. -message RuntimeFilter { - option (udpa.annotations.versioning).previous_message_type = - "envoy.config.accesslog.v3.RuntimeFilter"; - - // Runtime key to get an optional overridden numerator for use in the - // *percent_sampled* field. If found in runtime, this value will replace the - // default numerator. - string runtime_key = 1 [(validate.rules).string = {min_len: 1}]; - - // The default sampling percentage. If not specified, defaults to 0% with - // denominator of 100. - type.v3.FractionalPercent percent_sampled = 2; - - // By default, sampling pivots on the header - // :ref:`x-request-id` being - // present. If :ref:`x-request-id` - // is present, the filter will consistently sample across multiple hosts based - // on the runtime key value and the value extracted from - // :ref:`x-request-id`. If it is - // missing, or *use_independent_randomness* is set to true, the filter will - // randomly sample based on the runtime key value alone. - // *use_independent_randomness* can be used for logging kill switches within - // complex nested :ref:`AndFilter - // ` and :ref:`OrFilter - // ` blocks that are easier to - // reason about from a probability perspective (i.e., setting to true will - // cause the filter to behave like an independent random variable when - // composed within logical operator filters). - bool use_independent_randomness = 3; -} - -// Performs a logical “and” operation on the result of each filter in filters. -// Filters are evaluated sequentially and if one of them returns false, the -// filter returns false immediately. 
-message AndFilter { - option (udpa.annotations.versioning).previous_message_type = - "envoy.config.accesslog.v3.AndFilter"; - - repeated AccessLogFilter filters = 1 [(validate.rules).repeated = {min_items: 2}]; -} - -// Performs a logical “or” operation on the result of each individual filter. -// Filters are evaluated sequentially and if one of them returns true, the -// filter returns true immediately. -message OrFilter { - option (udpa.annotations.versioning).previous_message_type = "envoy.config.accesslog.v3.OrFilter"; - - repeated AccessLogFilter filters = 2 [(validate.rules).repeated = {min_items: 2}]; -} - -// Filters requests based on the presence or value of a request header. -message HeaderFilter { - option (udpa.annotations.versioning).previous_message_type = - "envoy.config.accesslog.v3.HeaderFilter"; - - // Only requests with a header which matches the specified HeaderMatcher will - // pass the filter check. - route.v4alpha.HeaderMatcher header = 1 [(validate.rules).message = {required: true}]; -} - -// Filters requests that received responses with an Envoy response flag set. -// A list of the response flags can be found -// in the access log formatter -// :ref:`documentation`. -message ResponseFlagFilter { - option (udpa.annotations.versioning).previous_message_type = - "envoy.config.accesslog.v3.ResponseFlagFilter"; - - // Only responses with the any of the flags listed in this field will be - // logged. This field is optional. If it is not specified, then any response - // flag will pass the filter check. 
- repeated string flags = 1 [(validate.rules).repeated = { - items { - string { - in: "LH" - in: "UH" - in: "UT" - in: "LR" - in: "UR" - in: "UF" - in: "UC" - in: "UO" - in: "NR" - in: "DI" - in: "FI" - in: "RL" - in: "UAEX" - in: "RLSE" - in: "DC" - in: "URX" - in: "SI" - in: "IH" - in: "DPE" - in: "UMSDR" - in: "RFCF" - in: "NFCF" - in: "DT" - in: "UPE" - in: "NC" - in: "OM" - } - } - }]; -} - -// Filters gRPC requests based on their response status. If a gRPC status is not -// provided, the filter will infer the status from the HTTP status code. -message GrpcStatusFilter { - option (udpa.annotations.versioning).previous_message_type = - "envoy.config.accesslog.v3.GrpcStatusFilter"; - - enum Status { - OK = 0; - CANCELED = 1; - UNKNOWN = 2; - INVALID_ARGUMENT = 3; - DEADLINE_EXCEEDED = 4; - NOT_FOUND = 5; - ALREADY_EXISTS = 6; - PERMISSION_DENIED = 7; - RESOURCE_EXHAUSTED = 8; - FAILED_PRECONDITION = 9; - ABORTED = 10; - OUT_OF_RANGE = 11; - UNIMPLEMENTED = 12; - INTERNAL = 13; - UNAVAILABLE = 14; - DATA_LOSS = 15; - UNAUTHENTICATED = 16; - } - - // Logs only responses that have any one of the gRPC statuses in this field. - repeated Status statuses = 1 [(validate.rules).repeated = {items {enum {defined_only: true}}}]; - - // If included and set to true, the filter will instead block all responses - // with a gRPC status or inferred gRPC status enumerated in statuses, and - // allow all other responses. - bool exclude = 2; -} - -// Filters based on matching dynamic metadata. -// If the matcher path and key correspond to an existing key in dynamic -// metadata, the request is logged only if the matcher value is equal to the -// metadata value. If the matcher path and key *do not* correspond to an -// existing key in dynamic metadata, the request is logged only if -// match_if_key_not_found is "true" or unset. 
-message MetadataFilter { - option (udpa.annotations.versioning).previous_message_type = - "envoy.config.accesslog.v3.MetadataFilter"; - - // Matcher to check metadata for specified value. For example, to match on the - // access_log_hint metadata, set the filter to "envoy.common" and the path to - // "access_log_hint", and the value to "true". - type.matcher.v4alpha.MetadataMatcher matcher = 1; - - // Default result if the key does not exist in dynamic metadata: if unset or - // true, then log; if false, then don't log. - google.protobuf.BoolValue match_if_key_not_found = 2; -} - -// Extension filter is statically registered at runtime. -message ExtensionFilter { - option (udpa.annotations.versioning).previous_message_type = - "envoy.config.accesslog.v3.ExtensionFilter"; - - reserved 2; - - reserved "config"; - - // The name of the filter implementation to instantiate. The name must - // match a statically registered filter. - string name = 1; - - // Custom configuration that depends on the filter being instantiated. - oneof config_type { - google.protobuf.Any typed_config = 3; - } -} diff --git a/generated_api_shadow/envoy/config/bootstrap/v4alpha/BUILD b/generated_api_shadow/envoy/config/bootstrap/v4alpha/BUILD deleted file mode 100644 index b1604d76d220..000000000000 --- a/generated_api_shadow/envoy/config/bootstrap/v4alpha/BUILD +++ /dev/null 
@@ -1,22 +0,0 @@ -# DO NOT EDIT. This file is generated by tools/proto_format/proto_sync.py. - -load("@envoy_api//bazel:api_build_system.bzl", "api_proto_package") - -licenses(["notice"]) # Apache 2 - -api_proto_package( - deps = [ - "//envoy/annotations:pkg", - "//envoy/config/accesslog/v4alpha:pkg", - "//envoy/config/bootstrap/v3:pkg", - "//envoy/config/cluster/v4alpha:pkg", - "//envoy/config/core/v4alpha:pkg", - "//envoy/config/listener/v4alpha:pkg", - "//envoy/config/metrics/v4alpha:pkg", - "//envoy/config/overload/v3:pkg", - "//envoy/config/trace/v4alpha:pkg", - "//envoy/extensions/transport_sockets/tls/v4alpha:pkg", - "//envoy/type/v3:pkg", - "@com_github_cncf_udpa//udpa/annotations:pkg", - ], -) diff --git a/generated_api_shadow/envoy/config/bootstrap/v4alpha/bootstrap.proto b/generated_api_shadow/envoy/config/bootstrap/v4alpha/bootstrap.proto deleted file mode 100644 index b21acabe686f..000000000000 --- a/generated_api_shadow/envoy/config/bootstrap/v4alpha/bootstrap.proto +++ /dev/null 
@@ -1,652 +0,0 @@ -syntax = "proto3"; - -package envoy.config.bootstrap.v4alpha; - -import "envoy/config/accesslog/v4alpha/accesslog.proto"; -import "envoy/config/cluster/v4alpha/cluster.proto"; -import "envoy/config/core/v4alpha/address.proto"; -import "envoy/config/core/v4alpha/base.proto"; -import "envoy/config/core/v4alpha/config_source.proto"; -import "envoy/config/core/v4alpha/event_service_config.proto"; -import "envoy/config/core/v4alpha/extension.proto"; -import "envoy/config/core/v4alpha/resolver.proto"; -import "envoy/config/core/v4alpha/socket_option.proto"; -import "envoy/config/listener/v4alpha/listener.proto"; -import "envoy/config/metrics/v4alpha/stats.proto"; -import "envoy/config/overload/v3/overload.proto"; -import "envoy/config/trace/v4alpha/http_tracer.proto"; -import "envoy/extensions/transport_sockets/tls/v4alpha/secret.proto"; -import "envoy/type/v3/percent.proto"; - -import "google/protobuf/duration.proto"; -import "google/protobuf/struct.proto"; -import "google/protobuf/wrappers.proto"; - -import "envoy/annotations/deprecation.proto"; -import "udpa/annotations/security.proto"; -import "udpa/annotations/status.proto"; -import "udpa/annotations/versioning.proto"; -import "validate/validate.proto"; - -option java_package = "io.envoyproxy.envoy.config.bootstrap.v4alpha"; -option java_outer_classname = "BootstrapProto"; -option java_multiple_files = true; -option (udpa.annotations.file_status).package_version_status = NEXT_MAJOR_VERSION_CANDIDATE; - -// [#protodoc-title: Bootstrap] -// This proto is supplied via the :option:`-c` CLI flag and acts as the root -// of the Envoy v3 configuration. See the :ref:`v3 configuration overview -// ` for more detail. - -// Bootstrap :ref:`configuration overview `. 
-// [#next-free-field: 33] -message Bootstrap { - option (udpa.annotations.versioning).previous_message_type = - "envoy.config.bootstrap.v3.Bootstrap"; - - message StaticResources { - option (udpa.annotations.versioning).previous_message_type = - "envoy.config.bootstrap.v3.Bootstrap.StaticResources"; - - // Static :ref:`Listeners `. These listeners are - // available regardless of LDS configuration. - repeated listener.v4alpha.Listener listeners = 1; - - // If a network based configuration source is specified for :ref:`cds_config - // `, it's necessary - // to have some initial cluster definitions available to allow Envoy to know - // how to speak to the management server. These cluster definitions may not - // use :ref:`EDS ` (i.e. they should be static - // IP or DNS-based). - repeated cluster.v4alpha.Cluster clusters = 2; - - // These static secrets can be used by :ref:`SdsSecretConfig - // ` - repeated envoy.extensions.transport_sockets.tls.v4alpha.Secret secrets = 3; - } - - // [#next-free-field: 7] - message DynamicResources { - option (udpa.annotations.versioning).previous_message_type = - "envoy.config.bootstrap.v3.Bootstrap.DynamicResources"; - - reserved 4; - - // All :ref:`Listeners ` are provided by a single - // :ref:`LDS ` configuration source. - core.v4alpha.ConfigSource lds_config = 1; - - // xdstp:// resource locator for listener collection. - // [#not-implemented-hide:] - string lds_resources_locator = 5; - - // All post-bootstrap :ref:`Cluster ` definitions are - // provided by a single :ref:`CDS ` - // configuration source. - core.v4alpha.ConfigSource cds_config = 2; - - // xdstp:// resource locator for cluster collection. - // [#not-implemented-hide:] - string cds_resources_locator = 6; - - // A single :ref:`ADS ` source may be optionally - // specified. This must have :ref:`api_type - // ` :ref:`GRPC - // `. Only - // :ref:`ConfigSources ` that have - // the :ref:`ads ` field set will be - // streamed on the ADS channel. 
- core.v4alpha.ApiConfigSource ads_config = 3; - } - - reserved 10, 11; - - reserved "runtime"; - - // Node identity to present to the management server and for instance - // identification purposes (e.g. in generated headers). - core.v4alpha.Node node = 1; - - // A list of :ref:`Node ` field names - // that will be included in the context parameters of the effective - // xdstp:// URL that is sent in a discovery request when resource - // locators are used for LDS/CDS. Any non-string field will have its JSON - // encoding set as the context parameter value, with the exception of - // metadata, which will be flattened (see example below). The supported field - // names are: - // - "cluster" - // - "id" - // - "locality.region" - // - "locality.sub_zone" - // - "locality.zone" - // - "metadata" - // - "user_agent_build_version.metadata" - // - "user_agent_build_version.version" - // - "user_agent_name" - // - "user_agent_version" - // - // The node context parameters act as a base layer dictionary for the context - // parameters (i.e. more specific resource specific context parameters will - // override). Field names will be prefixed with “udpa.node.” when included in - // context parameters. - // - // For example, if node_context_params is ``["user_agent_name", "metadata"]``, - // the implied context parameters might be:: - // - // node.user_agent_name: "envoy" - // node.metadata.foo: "{\"bar\": \"baz\"}" - // node.metadata.some: "42" - // node.metadata.thing: "\"thing\"" - // - // [#not-implemented-hide:] - repeated string node_context_params = 26; - - // Statically specified resources. - StaticResources static_resources = 2; - - // xDS configuration sources. - DynamicResources dynamic_resources = 3; - - // Configuration for the cluster manager which owns all upstream clusters - // within the server. - ClusterManager cluster_manager = 4; - - // Health discovery service config option. 
- // (:ref:`core.ApiConfigSource `) - core.v4alpha.ApiConfigSource hds_config = 14; - - // Optional file system path to search for startup flag files. - string flags_path = 5; - - // Optional set of stats sinks. - repeated metrics.v4alpha.StatsSink stats_sinks = 6; - - // Configuration for internal processing of stats. - metrics.v4alpha.StatsConfig stats_config = 13; - - oneof stats_flush { - // Optional duration between flushes to configured stats sinks. For - // performance reasons Envoy latches counters and only flushes counters and - // gauges at a periodic interval. If not specified the default is 5000ms (5 - // seconds). Only one of `stats_flush_interval` or `stats_flush_on_admin` - // can be set. - // Duration must be at least 1ms and at most 5 min. - google.protobuf.Duration stats_flush_interval = 7 [(validate.rules).duration = { - lt {seconds: 300} - gte {nanos: 1000000} - }]; - - // Flush stats to sinks only when queried for on the admin interface. If set, - // a flush timer is not created. Only one of `stats_flush_on_admin` or - // `stats_flush_interval` can be set. - bool stats_flush_on_admin = 29 [(validate.rules).bool = {const: true}]; - } - - // Optional watchdog configuration. - // This is for a single watchdog configuration for the entire system. - // Deprecated in favor of *watchdogs* which has finer granularity. - Watchdog hidden_envoy_deprecated_watchdog = 8 - [deprecated = true, (envoy.annotations.deprecated_at_minor_version) = "3.0"]; - - // Optional watchdogs configuration. - // This is used for specifying different watchdogs for the different subsystems. - // [#extension-category: envoy.guarddog_actions] - Watchdogs watchdogs = 27; - - // Configuration for an external tracing provider. - // - // .. attention:: - // This field has been deprecated in favor of :ref:`HttpConnectionManager.Tracing.provider - // `. 
- trace.v4alpha.Tracing hidden_envoy_deprecated_tracing = 9 - [deprecated = true, (envoy.annotations.deprecated_at_minor_version) = "3.0"]; - - // Configuration for the runtime configuration provider. If not - // specified, a “null” provider will be used which will result in all defaults - // being used. - LayeredRuntime layered_runtime = 17; - - // Configuration for the local administration HTTP server. - Admin admin = 12; - - // Optional overload manager configuration. - overload.v3.OverloadManager overload_manager = 15 [ - (udpa.annotations.security).configure_for_untrusted_downstream = true, - (udpa.annotations.security).configure_for_untrusted_upstream = true - ]; - - // Enable :ref:`stats for event dispatcher `, defaults to false. - // Note that this records a value for each iteration of the event loop on every thread. This - // should normally be minimal overhead, but when using - // :ref:`statsd `, it will send each observed value - // over the wire individually because the statsd protocol doesn't have any way to represent a - // histogram summary. Be aware that this can be a very large volume of data. - bool enable_dispatcher_stats = 16; - - // Optional string which will be used in lieu of x-envoy in prefixing headers. - // - // For example, if this string is present and set to X-Foo, then x-envoy-retry-on will be - // transformed into x-foo-retry-on etc. - // - // Note this applies to the headers Envoy will generate, the headers Envoy will sanitize, and the - // headers Envoy will trust for core code and core extensions only. Be VERY careful making - // changes to this string, especially in multi-layer Envoy deployments or deployments using - // extensions which are not upstream. - string header_prefix = 18; - - // Optional proxy version which will be used to set the value of :ref:`server.version statistic - // ` if specified. Envoy will not process this value, it will be sent as is to - // :ref:`stats sinks `. 
- google.protobuf.UInt64Value stats_server_version_override = 19; - - // Always use TCP queries instead of UDP queries for DNS lookups. - // This may be overridden on a per-cluster basis in cds_config, - // when :ref:`dns_resolvers ` and - // :ref:`use_tcp_for_dns_lookups ` are - // specified. - // Setting this value causes failure if the - // ``envoy.restart_features.use_apple_api_for_dns_lookups`` runtime value is true during - // server startup. Apple' API only uses UDP for DNS resolution. - // This field is deprecated in favor of *dns_resolution_config* - // which aggregates all of the DNS resolver configuration in a single message. - bool hidden_envoy_deprecated_use_tcp_for_dns_lookups = 20 - [deprecated = true, (envoy.annotations.deprecated_at_minor_version) = "3.0"]; - - // DNS resolution configuration which includes the underlying dns resolver addresses and options. - // This may be overridden on a per-cluster basis in cds_config, when - // :ref:`dns_resolution_config ` - // is specified. - // *dns_resolution_config* will be deprecated once - // :ref:'typed_dns_resolver_config ' - // is fully supported. - core.v4alpha.DnsResolutionConfig dns_resolution_config = 30; - - // DNS resolver type configuration extension. This extension can be used to configure c-ares, apple, - // or any other DNS resolver types and the related parameters. - // For example, an object of :ref:`DnsResolutionConfig ` - // can be packed into this *typed_dns_resolver_config*. This configuration will replace the - // :ref:'dns_resolution_config ' - // configuration eventually. - // TODO(yanjunxiang): Investigate the deprecation plan for *dns_resolution_config*. - // During the transition period when both *dns_resolution_config* and *typed_dns_resolver_config* exists, - // this configuration is optional. - // When *typed_dns_resolver_config* is in place, Envoy will use it and ignore *dns_resolution_config*. 
- // When *typed_dns_resolver_config* is missing, the default behavior is in place. - // [#not-implemented-hide:] - core.v4alpha.TypedExtensionConfig typed_dns_resolver_config = 31; - - // Specifies optional bootstrap extensions to be instantiated at startup time. - // Each item contains extension specific configuration. - // [#extension-category: envoy.bootstrap] - repeated core.v4alpha.TypedExtensionConfig bootstrap_extensions = 21; - - // Specifies optional extensions instantiated at startup time and - // invoked during crash time on the request that caused the crash. - repeated FatalAction fatal_actions = 28; - - // Configuration sources that will participate in - // xdstp:// URL authority resolution. The algorithm is as - // follows: - // 1. The authority field is taken from the xdstp:// URL, call - // this *resource_authority*. - // 2. *resource_authority* is compared against the authorities in any peer - // *ConfigSource*. The peer *ConfigSource* is the configuration source - // message which would have been used unconditionally for resolution - // with opaque resource names. If there is a match with an authority, the - // peer *ConfigSource* message is used. - // 3. *resource_authority* is compared sequentially with the authorities in - // each configuration source in *config_sources*. The first *ConfigSource* - // to match wins. - // 4. As a fallback, if no configuration source matches, then - // *default_config_source* is used. - // 5. If *default_config_source* is not specified, resolution fails. - // [#not-implemented-hide:] - repeated core.v4alpha.ConfigSource config_sources = 22; - - // Default configuration source for xdstp:// URLs if all - // other resolution fails. - // [#not-implemented-hide:] - core.v4alpha.ConfigSource default_config_source = 23; - - // Optional overriding of default socket interface. 
The value must be the name of one of the - // socket interface factories initialized through a bootstrap extension - string default_socket_interface = 24; - - // Global map of CertificateProvider instances. These instances are referred to by name in the - // :ref:`CommonTlsContext.CertificateProviderInstance.instance_name - // ` - // field. - // [#not-implemented-hide:] - map certificate_provider_instances = 25; - - // Specifies a set of headers that need to be registered as inline header. This configuration - // allows users to customize the inline headers on-demand at Envoy startup without modifying - // Envoy's source code. - // - // Note that the 'set-cookie' header cannot be registered as inline header. - repeated CustomInlineHeader inline_headers = 32; -} - -// Administration interface :ref:`operations documentation -// `. -// [#next-free-field: 6] -message Admin { - option (udpa.annotations.versioning).previous_message_type = "envoy.config.bootstrap.v3.Admin"; - - // Configuration for :ref:`access logs ` - // emitted by the administration server. - repeated accesslog.v4alpha.AccessLog access_log = 5; - - // The path to write the access log for the administration server. If no - // access log is desired specify ‘/dev/null’. This is only required if - // :ref:`address ` is set. - // Deprecated in favor of *access_log* which offers more options. - string hidden_envoy_deprecated_access_log_path = 1 - [deprecated = true, (envoy.annotations.deprecated_at_minor_version) = "3.0"]; - - // The cpu profiler output path for the administration server. If no profile - // path is specified, the default is ‘/var/log/envoy/envoy.prof’. - string profile_path = 2; - - // The TCP address that the administration server will listen on. - // If not specified, Envoy will not start an administration server. - core.v4alpha.Address address = 3; - - // Additional socket options that may not be present in Envoy source code or - // precompiled binaries. 
- repeated core.v4alpha.SocketOption socket_options = 4; -} - -// Cluster manager :ref:`architecture overview `. -message ClusterManager { - option (udpa.annotations.versioning).previous_message_type = - "envoy.config.bootstrap.v3.ClusterManager"; - - message OutlierDetection { - option (udpa.annotations.versioning).previous_message_type = - "envoy.config.bootstrap.v3.ClusterManager.OutlierDetection"; - - // Specifies the path to the outlier event log. - string event_log_path = 1; - - // [#not-implemented-hide:] - // The gRPC service for the outlier detection event service. - // If empty, outlier detection events won't be sent to a remote endpoint. - core.v4alpha.EventServiceConfig event_service = 2; - } - - // Name of the local cluster (i.e., the cluster that owns the Envoy running - // this configuration). In order to enable :ref:`zone aware routing - // ` this option must be set. - // If *local_cluster_name* is defined then :ref:`clusters - // ` must be defined in the :ref:`Bootstrap - // static cluster resources - // `. This is unrelated to - // the :option:`--service-cluster` option which does not `affect zone aware - // routing `_. - string local_cluster_name = 1; - - // Optional global configuration for outlier detection. - OutlierDetection outlier_detection = 2; - - // Optional configuration used to bind newly established upstream connections. - // This may be overridden on a per-cluster basis by upstream_bind_config in the cds_config. - core.v4alpha.BindConfig upstream_bind_config = 3; - - // A management server endpoint to stream load stats to via - // *StreamLoadStats*. This must have :ref:`api_type - // ` :ref:`GRPC - // `. - core.v4alpha.ApiConfigSource load_stats_config = 4; -} - -// Allows you to specify different watchdog configs for different subsystems. -// This allows finer tuned policies for the watchdog. If a subsystem is omitted -// the default values for that system will be used. 
-message Watchdogs { - option (udpa.annotations.versioning).previous_message_type = - "envoy.config.bootstrap.v3.Watchdogs"; - - // Watchdog for the main thread. - Watchdog main_thread_watchdog = 1; - - // Watchdog for the worker threads. - Watchdog worker_watchdog = 2; -} - -// Envoy process watchdog configuration. When configured, this monitors for -// nonresponsive threads and kills the process after the configured thresholds. -// See the :ref:`watchdog documentation ` for more information. -// [#next-free-field: 8] -message Watchdog { - option (udpa.annotations.versioning).previous_message_type = "envoy.config.bootstrap.v3.Watchdog"; - - message WatchdogAction { - option (udpa.annotations.versioning).previous_message_type = - "envoy.config.bootstrap.v3.Watchdog.WatchdogAction"; - - // The events are fired in this order: KILL, MULTIKILL, MEGAMISS, MISS. - // Within an event type, actions execute in the order they are configured. - // For KILL/MULTIKILL there is a default PANIC that will run after the - // registered actions and kills the process if it wasn't already killed. - // It might be useful to specify several debug actions, and possibly an - // alternate FATAL action. - enum WatchdogEvent { - UNKNOWN = 0; - KILL = 1; - MULTIKILL = 2; - MEGAMISS = 3; - MISS = 4; - } - - // Extension specific configuration for the action. - core.v4alpha.TypedExtensionConfig config = 1; - - WatchdogEvent event = 2 [(validate.rules).enum = {defined_only: true}]; - } - - // Register actions that will fire on given WatchDog events. - // See *WatchDogAction* for priority of events. - repeated WatchdogAction actions = 7; - - // The duration after which Envoy counts a nonresponsive thread in the - // *watchdog_miss* statistic. If not specified the default is 200ms. - google.protobuf.Duration miss_timeout = 1; - - // The duration after which Envoy counts a nonresponsive thread in the - // *watchdog_mega_miss* statistic. If not specified the default is - // 1000ms. 
- google.protobuf.Duration megamiss_timeout = 2; - - // If a watched thread has been nonresponsive for this duration, assume a - // programming error and kill the entire Envoy process. Set to 0 to disable - // kill behavior. If not specified the default is 0 (disabled). - google.protobuf.Duration kill_timeout = 3; - - // Defines the maximum jitter used to adjust the *kill_timeout* if *kill_timeout* is - // enabled. Enabling this feature would help to reduce risk of synchronized - // watchdog kill events across proxies due to external triggers. Set to 0 to - // disable. If not specified the default is 0 (disabled). - google.protobuf.Duration max_kill_timeout_jitter = 6 [(validate.rules).duration = {gte {}}]; - - // If max(2, ceil(registered_threads * Fraction(*multikill_threshold*))) - // threads have been nonresponsive for at least this duration kill the entire - // Envoy process. Set to 0 to disable this behavior. If not specified the - // default is 0 (disabled). - google.protobuf.Duration multikill_timeout = 4; - - // Sets the threshold for *multikill_timeout* in terms of the percentage of - // nonresponsive threads required for the *multikill_timeout*. - // If not specified the default is 0. - type.v3.Percent multikill_threshold = 5; -} - -// Fatal actions to run while crashing. Actions can be safe (meaning they are -// async-signal safe) or unsafe. We run all safe actions before we run unsafe actions. -// If using an unsafe action that could get stuck or deadlock, it important to -// have an out of band system to terminate the process. -// -// The interface for the extension is ``Envoy::Server::Configuration::FatalAction``. -// *FatalAction* extensions live in the ``envoy.extensions.fatal_actions`` API -// namespace. -message FatalAction { - option (udpa.annotations.versioning).previous_message_type = - "envoy.config.bootstrap.v3.FatalAction"; - - // Extension specific configuration for the action. 
It's expected to conform - // to the ``Envoy::Server::Configuration::FatalAction`` interface. - core.v4alpha.TypedExtensionConfig config = 1; -} - -// Runtime :ref:`configuration overview ` (deprecated). -message Runtime { - option (udpa.annotations.versioning).previous_message_type = "envoy.config.bootstrap.v3.Runtime"; - - // The implementation assumes that the file system tree is accessed via a - // symbolic link. An atomic link swap is used when a new tree should be - // switched to. This parameter specifies the path to the symbolic link. Envoy - // will watch the location for changes and reload the file system tree when - // they happen. If this parameter is not set, there will be no disk based - // runtime. - string symlink_root = 1; - - // Specifies the subdirectory to load within the root directory. This is - // useful if multiple systems share the same delivery mechanism. Envoy - // configuration elements can be contained in a dedicated subdirectory. - string subdirectory = 2; - - // Specifies an optional subdirectory to load within the root directory. If - // specified and the directory exists, configuration values within this - // directory will override those found in the primary subdirectory. This is - // useful when Envoy is deployed across many different types of servers. - // Sometimes it is useful to have a per service cluster directory for runtime - // configuration. See below for exactly how the override directory is used. - string override_subdirectory = 3; - - // Static base runtime. This will be :ref:`overridden - // ` by other runtime layers, e.g. - // disk or admin. This follows the :ref:`runtime protobuf JSON representation - // encoding `. - google.protobuf.Struct base = 4; -} - -// [#next-free-field: 6] -message RuntimeLayer { - option (udpa.annotations.versioning).previous_message_type = - "envoy.config.bootstrap.v3.RuntimeLayer"; - - // :ref:`Disk runtime ` layer. 
- message DiskLayer { - option (udpa.annotations.versioning).previous_message_type = - "envoy.config.bootstrap.v3.RuntimeLayer.DiskLayer"; - - // The implementation assumes that the file system tree is accessed via a - // symbolic link. An atomic link swap is used when a new tree should be - // switched to. This parameter specifies the path to the symbolic link. - // Envoy will watch the location for changes and reload the file system tree - // when they happen. See documentation on runtime :ref:`atomicity - // ` for further details on how reloads are - // treated. - string symlink_root = 1; - - // Specifies the subdirectory to load within the root directory. This is - // useful if multiple systems share the same delivery mechanism. Envoy - // configuration elements can be contained in a dedicated subdirectory. - string subdirectory = 3; - - // :ref:`Append ` the - // service cluster to the path under symlink root. - bool append_service_cluster = 2; - } - - // :ref:`Admin console runtime ` layer. - message AdminLayer { - option (udpa.annotations.versioning).previous_message_type = - "envoy.config.bootstrap.v3.RuntimeLayer.AdminLayer"; - } - - // :ref:`Runtime Discovery Service (RTDS) ` layer. - message RtdsLayer { - option (udpa.annotations.versioning).previous_message_type = - "envoy.config.bootstrap.v3.RuntimeLayer.RtdsLayer"; - - // Resource to subscribe to at *rtds_config* for the RTDS layer. - string name = 1; - - // RTDS configuration source. - core.v4alpha.ConfigSource rtds_config = 2; - } - - // Descriptive name for the runtime layer. This is only used for the runtime - // :http:get:`/runtime` output. - string name = 1 [(validate.rules).string = {min_len: 1}]; - - oneof layer_specifier { - option (validate.required) = true; - - // :ref:`Static runtime ` layer. - // This follows the :ref:`runtime protobuf JSON representation encoding - // `. Unlike static xDS resources, this static - // layer is overridable by later layers in the runtime virtual filesystem. 
- google.protobuf.Struct static_layer = 2; - - DiskLayer disk_layer = 3; - - AdminLayer admin_layer = 4; - - RtdsLayer rtds_layer = 5; - } -} - -// Runtime :ref:`configuration overview `. -message LayeredRuntime { - option (udpa.annotations.versioning).previous_message_type = - "envoy.config.bootstrap.v3.LayeredRuntime"; - - // The :ref:`layers ` of the runtime. This is ordered - // such that later layers in the list overlay earlier entries. - repeated RuntimeLayer layers = 1; -} - -// Used to specify the header that needs to be registered as an inline header. -// -// If request or response contain multiple headers with the same name and the header -// name is registered as an inline header. Then multiple headers will be folded -// into one, and multiple header values will be concatenated by a suitable delimiter. -// The delimiter is generally a comma. -// -// For example, if 'foo' is registered as an inline header, and the headers contains -// the following two headers: -// -// .. code-block:: text -// -// foo: bar -// foo: eep -// -// Then they will eventually be folded into: -// -// .. code-block:: text -// -// foo: bar, eep -// -// Inline headers provide O(1) search performance, but each inline header imposes -// an additional memory overhead on all instances of the corresponding type of -// HeaderMap or TrailerMap. -message CustomInlineHeader { - option (udpa.annotations.versioning).previous_message_type = - "envoy.config.bootstrap.v3.CustomInlineHeader"; - - enum InlineHeaderType { - REQUEST_HEADER = 0; - REQUEST_TRAILER = 1; - RESPONSE_HEADER = 2; - RESPONSE_TRAILER = 3; - } - - // The name of the header that is expected to be set as the inline header. - string inline_header_name = 1 - [(validate.rules).string = {min_len: 1 well_known_regex: HTTP_HEADER_NAME strict: false}]; - - // The type of the header that is expected to be set as the inline header. - InlineHeaderType inline_header_type = 2 [(validate.rules).enum = {defined_only: true}]; -} 
diff --git a/generated_api_shadow/envoy/config/cluster/v4alpha/BUILD b/generated_api_shadow/envoy/config/cluster/v4alpha/BUILD deleted file mode 100644 index 49a44abbd4f7..000000000000 --- a/generated_api_shadow/envoy/config/cluster/v4alpha/BUILD +++ /dev/null @@ -1,17 +0,0 @@ -# DO NOT EDIT. This file is generated by tools/proto_format/proto_sync.py. - -load("@envoy_api//bazel:api_build_system.bzl", "api_proto_package") - -licenses(["notice"]) # Apache 2 - -api_proto_package( - deps = [ - "//envoy/annotations:pkg", - "//envoy/config/cluster/v3:pkg", - "//envoy/config/core/v4alpha:pkg", - "//envoy/config/endpoint/v4alpha:pkg", - "//envoy/type/v3:pkg", - "@com_github_cncf_udpa//udpa/annotations:pkg", - "@com_github_cncf_udpa//xds/core/v3:pkg", - ], -) diff --git a/generated_api_shadow/envoy/config/cluster/v4alpha/circuit_breaker.proto b/generated_api_shadow/envoy/config/cluster/v4alpha/circuit_breaker.proto deleted file mode 100644 index 36aebb897780..000000000000 --- a/generated_api_shadow/envoy/config/cluster/v4alpha/circuit_breaker.proto +++ /dev/null 
@@ -1,105 +0,0 @@ -syntax = "proto3"; - -package envoy.config.cluster.v4alpha; - -import "envoy/config/core/v4alpha/base.proto"; -import "envoy/type/v3/percent.proto"; - -import "google/protobuf/wrappers.proto"; - -import "udpa/annotations/status.proto"; -import "udpa/annotations/versioning.proto"; -import "validate/validate.proto"; - -option java_package = "io.envoyproxy.envoy.config.cluster.v4alpha"; -option java_outer_classname = "CircuitBreakerProto"; -option java_multiple_files = true; -option (udpa.annotations.file_status).package_version_status = NEXT_MAJOR_VERSION_CANDIDATE; - -// [#protodoc-title: Circuit breakers] - -// :ref:`Circuit breaking` settings can be -// specified individually for each defined priority. -message CircuitBreakers { - option (udpa.annotations.versioning).previous_message_type = - "envoy.config.cluster.v3.CircuitBreakers"; - - // A Thresholds defines CircuitBreaker settings for a - // :ref:`RoutingPriority`. - // [#next-free-field: 9] - message Thresholds { - option (udpa.annotations.versioning).previous_message_type = - "envoy.config.cluster.v3.CircuitBreakers.Thresholds"; - - message RetryBudget { - option (udpa.annotations.versioning).previous_message_type = - "envoy.config.cluster.v3.CircuitBreakers.Thresholds.RetryBudget"; - - // Specifies the limit on concurrent retries as a percentage of the sum of active requests and - // active pending requests. For example, if there are 100 active requests and the - // budget_percent is set to 25, there may be 25 active retries. - // - // This parameter is optional. Defaults to 20%. - type.v3.Percent budget_percent = 1; - - // Specifies the minimum retry concurrency allowed for the retry budget. The limit on the - // number of active retries may never go below this number. - // - // This parameter is optional. Defaults to 3. - google.protobuf.UInt32Value min_retry_concurrency = 2; - } - - // The :ref:`RoutingPriority` - // the specified CircuitBreaker settings apply to. 
- core.v4alpha.RoutingPriority priority = 1 [(validate.rules).enum = {defined_only: true}]; - - // The maximum number of connections that Envoy will make to the upstream - // cluster. If not specified, the default is 1024. - google.protobuf.UInt32Value max_connections = 2; - - // The maximum number of pending requests that Envoy will allow to the - // upstream cluster. If not specified, the default is 1024. - google.protobuf.UInt32Value max_pending_requests = 3; - - // The maximum number of parallel requests that Envoy will make to the - // upstream cluster. If not specified, the default is 1024. - google.protobuf.UInt32Value max_requests = 4; - - // The maximum number of parallel retries that Envoy will allow to the - // upstream cluster. If not specified, the default is 3. - google.protobuf.UInt32Value max_retries = 5; - - // Specifies a limit on concurrent retries in relation to the number of active requests. This - // parameter is optional. - // - // .. note:: - // - // If this field is set, the retry budget will override any configured retry circuit - // breaker. - RetryBudget retry_budget = 8; - - // If track_remaining is true, then stats will be published that expose - // the number of resources remaining until the circuit breakers open. If - // not specified, the default is false. - // - // .. note:: - // - // If a retry budget is used in lieu of the max_retries circuit breaker, - // the remaining retry resources remaining will not be tracked. - bool track_remaining = 6; - - // The maximum number of connection pools per cluster that Envoy will concurrently support at - // once. If not specified, the default is unlimited. Set this for clusters which create a - // large number of connection pools. See - // :ref:`Circuit Breaking ` for - // more details. - google.protobuf.UInt32Value max_connection_pools = 7; - } - - // If multiple :ref:`Thresholds` - // are defined with the same :ref:`RoutingPriority`, - // the first one in the list is used. 
If no Thresholds is defined for a given - // :ref:`RoutingPriority`, the default values - // are used. - repeated Thresholds thresholds = 1; -} diff --git a/generated_api_shadow/envoy/config/cluster/v4alpha/cluster.proto b/generated_api_shadow/envoy/config/cluster/v4alpha/cluster.proto deleted file mode 100644 index fea9bb6e49c0..000000000000 --- a/generated_api_shadow/envoy/config/cluster/v4alpha/cluster.proto +++ /dev/null 
@@ -1,1157 +0,0 @@ -syntax = "proto3"; - -package envoy.config.cluster.v4alpha; - -import "envoy/config/cluster/v4alpha/circuit_breaker.proto"; -import "envoy/config/cluster/v4alpha/filter.proto"; -import "envoy/config/cluster/v4alpha/outlier_detection.proto"; -import "envoy/config/core/v4alpha/address.proto"; -import "envoy/config/core/v4alpha/base.proto"; -import "envoy/config/core/v4alpha/config_source.proto"; -import "envoy/config/core/v4alpha/extension.proto"; -import "envoy/config/core/v4alpha/health_check.proto"; -import "envoy/config/core/v4alpha/protocol.proto"; -import "envoy/config/core/v4alpha/resolver.proto"; -import "envoy/config/endpoint/v4alpha/endpoint.proto"; -import "envoy/type/v3/percent.proto"; - -import "google/protobuf/any.proto"; -import "google/protobuf/duration.proto"; -import "google/protobuf/struct.proto"; -import "google/protobuf/wrappers.proto"; - -import "xds/core/v3/collection_entry.proto"; - -import "envoy/annotations/deprecation.proto"; -import "udpa/annotations/security.proto"; -import "udpa/annotations/status.proto"; -import "udpa/annotations/versioning.proto"; -import "validate/validate.proto"; - -option java_package = "io.envoyproxy.envoy.config.cluster.v4alpha"; -option java_outer_classname = "ClusterProto"; -option java_multiple_files = true; -option (udpa.annotations.file_status).package_version_status = NEXT_MAJOR_VERSION_CANDIDATE; - -// [#protodoc-title: Cluster configuration] - -// Cluster list collections. Entries are *Cluster* resources or references. -// [#not-implemented-hide:] -message ClusterCollection { - option (udpa.annotations.versioning).previous_message_type = - "envoy.config.cluster.v3.ClusterCollection"; - - xds.core.v3.CollectionEntry entries = 1; -} - -// Configuration for a single upstream cluster. 
-// [#next-free-field: 56] -message Cluster { - option (udpa.annotations.versioning).previous_message_type = "envoy.config.cluster.v3.Cluster"; - - // Refer to :ref:`service discovery type ` - // for an explanation on each type. - enum DiscoveryType { - // Refer to the :ref:`static discovery type` - // for an explanation. - STATIC = 0; - - // Refer to the :ref:`strict DNS discovery - // type` - // for an explanation. - STRICT_DNS = 1; - - // Refer to the :ref:`logical DNS discovery - // type` - // for an explanation. - LOGICAL_DNS = 2; - - // Refer to the :ref:`service discovery type` - // for an explanation. - EDS = 3; - - // Refer to the :ref:`original destination discovery - // type` - // for an explanation. - ORIGINAL_DST = 4; - } - - // Refer to :ref:`load balancer type ` architecture - // overview section for information on each type. - enum LbPolicy { - reserved 4; - - reserved "ORIGINAL_DST_LB"; - - // Refer to the :ref:`round robin load balancing - // policy` - // for an explanation. - ROUND_ROBIN = 0; - - // Refer to the :ref:`least request load balancing - // policy` - // for an explanation. - LEAST_REQUEST = 1; - - // Refer to the :ref:`ring hash load balancing - // policy` - // for an explanation. - RING_HASH = 2; - - // Refer to the :ref:`random load balancing - // policy` - // for an explanation. - RANDOM = 3; - - // Refer to the :ref:`Maglev load balancing policy` - // for an explanation. - MAGLEV = 5; - - // This load balancer type must be specified if the configured cluster provides a cluster - // specific load balancer. Consult the configured cluster's documentation for whether to set - // this option or not. - CLUSTER_PROVIDED = 6; - - // Use the new :ref:`load_balancing_policy - // ` field to determine the LB policy. - // [#next-major-version: In the v3 API, we should consider deprecating the lb_policy field - // and instead using the new load_balancing_policy field as the one and only mechanism for - // configuring this.] 
- LOAD_BALANCING_POLICY_CONFIG = 7; - } - - // When V4_ONLY is selected, the DNS resolver will only perform a lookup for - // addresses in the IPv4 family. If V6_ONLY is selected, the DNS resolver will - // only perform a lookup for addresses in the IPv6 family. If AUTO is - // specified, the DNS resolver will first perform a lookup for addresses in - // the IPv6 family and fallback to a lookup for addresses in the IPv4 family. - // For cluster types other than - // :ref:`STRICT_DNS` and - // :ref:`LOGICAL_DNS`, - // this setting is - // ignored. - enum DnsLookupFamily { - AUTO = 0; - V4_ONLY = 1; - V6_ONLY = 2; - } - - enum ClusterProtocolSelection { - // Cluster can only operate on one of the possible upstream protocols (HTTP1.1, HTTP2). - // If :ref:`http2_protocol_options ` are - // present, HTTP2 will be used, otherwise HTTP1.1 will be used. - USE_CONFIGURED_PROTOCOL = 0; - - // Use HTTP1.1 or HTTP2, depending on which one is used on the downstream connection. - USE_DOWNSTREAM_PROTOCOL = 1; - } - - // TransportSocketMatch specifies what transport socket config will be used - // when the match conditions are satisfied. - message TransportSocketMatch { - option (udpa.annotations.versioning).previous_message_type = - "envoy.config.cluster.v3.Cluster.TransportSocketMatch"; - - // The name of the match, used in stats generation. - string name = 1 [(validate.rules).string = {min_len: 1}]; - - // Optional endpoint metadata match criteria. - // The connection to the endpoint with metadata matching what is set in this field - // will use the transport socket configuration specified here. - // The endpoint's metadata entry in *envoy.transport_socket_match* is used to match - // against the values specified in this field. - google.protobuf.Struct match = 2; - - // The configuration of the transport socket. - // [#extension-category: envoy.transport_sockets.upstream] - core.v4alpha.TransportSocket transport_socket = 3; - } - - // Extended cluster type. 
- message CustomClusterType { - option (udpa.annotations.versioning).previous_message_type = - "envoy.config.cluster.v3.Cluster.CustomClusterType"; - - // The type of the cluster to instantiate. The name must match a supported cluster type. - string name = 1 [(validate.rules).string = {min_len: 1}]; - - // Cluster specific configuration which depends on the cluster being instantiated. - // See the supported cluster for further documentation. - // [#extension-category: envoy.clusters] - google.protobuf.Any typed_config = 2; - } - - // Only valid when discovery type is EDS. - message EdsClusterConfig { - option (udpa.annotations.versioning).previous_message_type = - "envoy.config.cluster.v3.Cluster.EdsClusterConfig"; - - // Configuration for the source of EDS updates for this Cluster. - core.v4alpha.ConfigSource eds_config = 1; - - // Optional alternative to cluster name to present to EDS. This does not - // have the same restrictions as cluster name, i.e. it may be arbitrary - // length. This may be a xdstp:// URL. - string service_name = 2; - } - - // Optionally divide the endpoints in this cluster into subsets defined by - // endpoint metadata and selected by route and weighted cluster metadata. - // [#next-free-field: 8] - message LbSubsetConfig { - option (udpa.annotations.versioning).previous_message_type = - "envoy.config.cluster.v3.Cluster.LbSubsetConfig"; - - // If NO_FALLBACK is selected, a result - // equivalent to no healthy hosts is reported. If ANY_ENDPOINT is selected, - // any cluster endpoint may be returned (subject to policy, health checks, - // etc). If DEFAULT_SUBSET is selected, load balancing is performed over the - // endpoints matching the values from the default_subset field. - enum LbSubsetFallbackPolicy { - NO_FALLBACK = 0; - ANY_ENDPOINT = 1; - DEFAULT_SUBSET = 2; - } - - // Specifications for subsets. 
- message LbSubsetSelector { - option (udpa.annotations.versioning).previous_message_type = - "envoy.config.cluster.v3.Cluster.LbSubsetConfig.LbSubsetSelector"; - - // Allows to override top level fallback policy per selector. - enum LbSubsetSelectorFallbackPolicy { - // If NOT_DEFINED top level config fallback policy is used instead. - NOT_DEFINED = 0; - - // If NO_FALLBACK is selected, a result equivalent to no healthy hosts is reported. - NO_FALLBACK = 1; - - // If ANY_ENDPOINT is selected, any cluster endpoint may be returned - // (subject to policy, health checks, etc). - ANY_ENDPOINT = 2; - - // If DEFAULT_SUBSET is selected, load balancing is performed over the - // endpoints matching the values from the default_subset field. - DEFAULT_SUBSET = 3; - - // If KEYS_SUBSET is selected, subset selector matching is performed again with metadata - // keys reduced to - // :ref:`fallback_keys_subset`. - // It allows for a fallback to a different, less specific selector if some of the keys of - // the selector are considered optional. - KEYS_SUBSET = 4; - } - - // List of keys to match with the weighted cluster metadata. - repeated string keys = 1; - - // Selects a mode of operation in which each subset has only one host. This mode uses the same rules for - // choosing a host, but updating hosts is faster, especially for large numbers of hosts. - // - // If a match is found to a host, that host will be used regardless of priority levels, unless the host is unhealthy. - // - // Currently, this mode is only supported if `subset_selectors` has only one entry, and `keys` contains - // only one entry. - // - // When this mode is enabled, configurations that contain more than one host with the same metadata value for the single key in `keys` - // will use only one of the hosts with the given key; no requests will be routed to the others. 
The cluster gauge - // :ref:`lb_subsets_single_host_per_subset_duplicate` indicates how many duplicates are - // present in the current configuration. - bool single_host_per_subset = 4; - - // The behavior used when no endpoint subset matches the selected route's - // metadata. - LbSubsetSelectorFallbackPolicy fallback_policy = 2 - [(validate.rules).enum = {defined_only: true}]; - - // Subset of - // :ref:`keys` used by - // :ref:`KEYS_SUBSET` - // fallback policy. - // It has to be a non empty list if KEYS_SUBSET fallback policy is selected. - // For any other fallback policy the parameter is not used and should not be set. - // Only values also present in - // :ref:`keys` are allowed, but - // `fallback_keys_subset` cannot be equal to `keys`. - repeated string fallback_keys_subset = 3; - } - - // The behavior used when no endpoint subset matches the selected route's - // metadata. The value defaults to - // :ref:`NO_FALLBACK`. - LbSubsetFallbackPolicy fallback_policy = 1 [(validate.rules).enum = {defined_only: true}]; - - // Specifies the default subset of endpoints used during fallback if - // fallback_policy is - // :ref:`DEFAULT_SUBSET`. - // Each field in default_subset is - // compared to the matching LbEndpoint.Metadata under the *envoy.lb* - // namespace. It is valid for no hosts to match, in which case the behavior - // is the same as a fallback_policy of - // :ref:`NO_FALLBACK`. - google.protobuf.Struct default_subset = 2; - - // For each entry, LbEndpoint.Metadata's - // *envoy.lb* namespace is traversed and a subset is created for each unique - // combination of key and value. For example: - // - // .. code-block:: json - // - // { "subset_selectors": [ - // { "keys": [ "version" ] }, - // { "keys": [ "stage", "hardware_type" ] } - // ]} - // - // A subset is matched when the metadata from the selected route and - // weighted cluster contains the same keys and values as the subset's - // metadata. The same host may appear in multiple subsets. 
- repeated LbSubsetSelector subset_selectors = 3; - - // If true, routing to subsets will take into account the localities and locality weights of the - // endpoints when making the routing decision. - // - // There are some potential pitfalls associated with enabling this feature, as the resulting - // traffic split after applying both a subset match and locality weights might be undesirable. - // - // Consider for example a situation in which you have 50/50 split across two localities X/Y - // which have 100 hosts each without subsetting. If the subset LB results in X having only 1 - // host selected but Y having 100, then a lot more load is being dumped on the single host in X - // than originally anticipated in the load balancing assignment delivered via EDS. - bool locality_weight_aware = 4; - - // When used with locality_weight_aware, scales the weight of each locality by the ratio - // of hosts in the subset vs hosts in the original subset. This aims to even out the load - // going to an individual locality if said locality is disproportionately affected by the - // subset predicate. - bool scale_locality_weight = 5; - - // If true, when a fallback policy is configured and its corresponding subset fails to find - // a host this will cause any host to be selected instead. - // - // This is useful when using the default subset as the fallback policy, given the default - // subset might become empty. With this option enabled, if that happens the LB will attempt - // to select a host from the entire cluster. - bool panic_mode_any = 6; - - // If true, metadata specified for a metadata key will be matched against the corresponding - // endpoint metadata if the endpoint metadata matches the value exactly OR it is a list value - // and any of the elements in the list matches the criteria. - bool list_as_any = 7; - } - - // Specific configuration for the LeastRequest load balancing policy. 
- message LeastRequestLbConfig { - option (udpa.annotations.versioning).previous_message_type = - "envoy.config.cluster.v3.Cluster.LeastRequestLbConfig"; - - // The number of random healthy hosts from which the host with the fewest active requests will - // be chosen. Defaults to 2 so that we perform two-choice selection if the field is not set. - google.protobuf.UInt32Value choice_count = 1 [(validate.rules).uint32 = {gte: 2}]; - - // The following formula is used to calculate the dynamic weights when hosts have different load - // balancing weights: - // - // `weight = load_balancing_weight / (active_requests + 1)^active_request_bias` - // - // The larger the active request bias is, the more aggressively active requests will lower the - // effective weight when all host weights are not equal. - // - // `active_request_bias` must be greater than or equal to 0.0. - // - // When `active_request_bias == 0.0` the Least Request Load Balancer doesn't consider the number - // of active requests at the time it picks a host and behaves like the Round Robin Load - // Balancer. - // - // When `active_request_bias > 0.0` the Least Request Load Balancer scales the load balancing - // weight by the number of active requests at the time it does a pick. - // - // The value is cached for performance reasons and refreshed whenever one of the Load Balancer's - // host sets changes, e.g., whenever there is a host membership update or a host load balancing - // weight change. - // - // .. note:: - // This setting only takes effect if all host weights are not equal. - core.v4alpha.RuntimeDouble active_request_bias = 2; - } - - // Specific configuration for the :ref:`RingHash` - // load balancing policy. - message RingHashLbConfig { - option (udpa.annotations.versioning).previous_message_type = - "envoy.config.cluster.v3.Cluster.RingHashLbConfig"; - - // The hash function used to hash hosts onto the ketama ring. 
- enum HashFunction { - // Use `xxHash `_, this is the default hash function. - XX_HASH = 0; - - // Use `MurmurHash2 `_, this is compatible with - // std:hash in GNU libstdc++ 3.4.20 or above. This is typically the case when compiled - // on Linux and not macOS. - MURMUR_HASH_2 = 1; - } - - reserved 2; - - // Minimum hash ring size. The larger the ring is (that is, the more hashes there are for each - // provided host) the better the request distribution will reflect the desired weights. Defaults - // to 1024 entries, and limited to 8M entries. See also - // :ref:`maximum_ring_size`. - google.protobuf.UInt64Value minimum_ring_size = 1 [(validate.rules).uint64 = {lte: 8388608}]; - - // The hash function used to hash hosts onto the ketama ring. The value defaults to - // :ref:`XX_HASH`. - HashFunction hash_function = 3 [(validate.rules).enum = {defined_only: true}]; - - // Maximum hash ring size. Defaults to 8M entries, and limited to 8M entries, but can be lowered - // to further constrain resource use. See also - // :ref:`minimum_ring_size`. - google.protobuf.UInt64Value maximum_ring_size = 4 [(validate.rules).uint64 = {lte: 8388608}]; - } - - // Specific configuration for the :ref:`Maglev` - // load balancing policy. - message MaglevLbConfig { - option (udpa.annotations.versioning).previous_message_type = - "envoy.config.cluster.v3.Cluster.MaglevLbConfig"; - - // The table size for Maglev hashing. The Maglev aims for ‘minimal disruption’ rather than an absolute guarantee. - // Minimal disruption means that when the set of upstreams changes, a connection will likely be sent to the same - // upstream as it was before. Increasing the table size reduces the amount of disruption. - // The table size must be prime number limited to 5000011. If it is not specified, the default is 65537. 
- google.protobuf.UInt64Value table_size = 1 [(validate.rules).uint64 = {lte: 5000011}]; - } - - // Specific configuration for the - // :ref:`Original Destination ` - // load balancing policy. - message OriginalDstLbConfig { - option (udpa.annotations.versioning).previous_message_type = - "envoy.config.cluster.v3.Cluster.OriginalDstLbConfig"; - - // When true, :ref:`x-envoy-original-dst-host - // ` can be used to override destination - // address. - // - // .. attention:: - // - // This header isn't sanitized by default, so enabling this feature allows HTTP clients to - // route traffic to arbitrary hosts and/or ports, which may have serious security - // consequences. - // - // .. note:: - // - // If the header appears multiple times only the first value is used. - bool use_http_header = 1; - } - - // Common configuration for all load balancer implementations. - // [#next-free-field: 8] - message CommonLbConfig { - option (udpa.annotations.versioning).previous_message_type = - "envoy.config.cluster.v3.Cluster.CommonLbConfig"; - - // Configuration for :ref:`zone aware routing - // `. - message ZoneAwareLbConfig { - option (udpa.annotations.versioning).previous_message_type = - "envoy.config.cluster.v3.Cluster.CommonLbConfig.ZoneAwareLbConfig"; - - // Configures percentage of requests that will be considered for zone aware routing - // if zone aware routing is configured. If not specified, the default is 100%. - // * :ref:`runtime values `. - // * :ref:`Zone aware routing support `. - type.v3.Percent routing_enabled = 1; - - // Configures minimum upstream cluster size required for zone aware routing - // If upstream cluster size is less than specified, zone aware routing is not performed - // even if zone aware routing is configured. If not specified, the default is 6. - // * :ref:`runtime values `. - // * :ref:`Zone aware routing support `. 
- google.protobuf.UInt64Value min_cluster_size = 2; - - // If set to true, Envoy will not consider any hosts when the cluster is in :ref:`panic - // mode`. Instead, the cluster will fail all - // requests as if all hosts are unhealthy. This can help avoid potentially overwhelming a - // failing service. - bool fail_traffic_on_panic = 3; - } - - // Configuration for :ref:`locality weighted load balancing - // ` - message LocalityWeightedLbConfig { - option (udpa.annotations.versioning).previous_message_type = - "envoy.config.cluster.v3.Cluster.CommonLbConfig.LocalityWeightedLbConfig"; - } - - // Common Configuration for all consistent hashing load balancers (MaglevLb, RingHashLb, etc.) - message ConsistentHashingLbConfig { - option (udpa.annotations.versioning).previous_message_type = - "envoy.config.cluster.v3.Cluster.CommonLbConfig.ConsistentHashingLbConfig"; - - // If set to `true`, the cluster will use hostname instead of the resolved - // address as the key to consistently hash to an upstream host. Only valid for StrictDNS clusters with hostnames which resolve to a single IP address. - bool use_hostname_for_hashing = 1; - - // Configures percentage of average cluster load to bound per upstream host. For example, with a value of 150 - // no upstream host will get a load more than 1.5 times the average load of all the hosts in the cluster. - // If not specified, the load is not bounded for any upstream host. Typical value for this parameter is between 120 and 200. - // Minimum is 100. - // - // Applies to both Ring Hash and Maglev load balancers. - // - // This is implemented based on the method described in the paper https://arxiv.org/abs/1608.01350. For the specified - // `hash_balance_factor`, requests to any upstream host are capped at `hash_balance_factor/100` times the average number of requests - // across the cluster. 
When a request arrives for an upstream host that is currently serving at its max capacity, linear probing - // is used to identify an eligible host. Further, the linear probe is implemented using a random jump in hosts ring/table to identify - // the eligible host (this technique is as described in the paper https://arxiv.org/abs/1908.08762 - the random jump avoids the - // cascading overflow effect when choosing the next host in the ring/table). - // - // If weights are specified on the hosts, they are respected. - // - // This is an O(N) algorithm, unlike other load balancers. Using a lower `hash_balance_factor` results in more hosts - // being probed, so use a higher value if you require better performance. - google.protobuf.UInt32Value hash_balance_factor = 2 [(validate.rules).uint32 = {gte: 100}]; - } - - // Configures the :ref:`healthy panic threshold `. - // If not specified, the default is 50%. - // To disable panic mode, set to 0%. - // - // .. note:: - // The specified percent will be truncated to the nearest 1%. - type.v3.Percent healthy_panic_threshold = 1; - - oneof locality_config_specifier { - ZoneAwareLbConfig zone_aware_lb_config = 2; - - LocalityWeightedLbConfig locality_weighted_lb_config = 3; - } - - // If set, all health check/weight/metadata updates that happen within this duration will be - // merged and delivered in one shot when the duration expires. The start of the duration is when - // the first update happens. This is useful for big clusters, with potentially noisy deploys - // that might trigger excessive CPU usage due to a constant stream of healthcheck state changes - // or metadata updates. The first set of updates to be seen apply immediately (e.g.: a new - // cluster). Please always keep in mind that the use of sandbox technologies may change this - // behavior. - // - // If this is not set, we default to a merge window of 1000ms. To disable it, set the merge - // window to 0. 
- // - // Note: merging does not apply to cluster membership changes (e.g.: adds/removes); this is - // because merging those updates isn't currently safe. See - // https://github.com/envoyproxy/envoy/pull/3941. - google.protobuf.Duration update_merge_window = 4; - - // If set to true, Envoy will :ref:`exclude ` new hosts - // when computing load balancing weights until they have been health checked for the first time. - // This will have no effect unless active health checking is also configured. - bool ignore_new_hosts_until_first_hc = 5; - - // If set to `true`, the cluster manager will drain all existing - // connections to upstream hosts whenever hosts are added or removed from the cluster. - bool close_connections_on_host_set_change = 6; - - // Common Configuration for all consistent hashing load balancers (MaglevLb, RingHashLb, etc.) - ConsistentHashingLbConfig consistent_hashing_lb_config = 7; - } - - message RefreshRate { - option (udpa.annotations.versioning).previous_message_type = - "envoy.config.cluster.v3.Cluster.RefreshRate"; - - // Specifies the base interval between refreshes. This parameter is required and must be greater - // than zero and less than - // :ref:`max_interval `. - google.protobuf.Duration base_interval = 1 [(validate.rules).duration = { - required: true - gt {nanos: 1000000} - }]; - - // Specifies the maximum interval between refreshes. This parameter is optional, but must be - // greater than or equal to the - // :ref:`base_interval ` if set. The default - // is 10 times the :ref:`base_interval `. - google.protobuf.Duration max_interval = 2 [(validate.rules).duration = {gt {nanos: 1000000}}]; - } - - message PreconnectPolicy { - option (udpa.annotations.versioning).previous_message_type = - "envoy.config.cluster.v3.Cluster.PreconnectPolicy"; - - // Indicates how many streams (rounded up) can be anticipated per-upstream for each - // incoming stream. This is useful for high-QPS or latency-sensitive services. 
Preconnecting - // will only be done if the upstream is healthy and the cluster has traffic. - // - // For example if this is 2, for an incoming HTTP/1.1 stream, 2 connections will be - // established, one for the new incoming stream, and one for a presumed follow-up stream. For - // HTTP/2, only one connection would be established by default as one connection can - // serve both the original and presumed follow-up stream. - // - // In steady state for non-multiplexed connections a value of 1.5 would mean if there were 100 - // active streams, there would be 100 connections in use, and 50 connections preconnected. - // This might be a useful value for something like short lived single-use connections, - // for example proxying HTTP/1.1 if keep-alive were false and each stream resulted in connection - // termination. It would likely be overkill for long lived connections, such as TCP proxying SMTP - // or regular HTTP/1.1 with keep-alive. For long lived traffic, a value of 1.05 would be more - // reasonable, where for every 100 connections, 5 preconnected connections would be in the queue - // in case of unexpected disconnects where the connection could not be reused. - // - // If this value is not set, or set explicitly to one, Envoy will fetch as many connections - // as needed to serve streams in flight. This means in steady state if a connection is torn down, - // a subsequent streams will pay an upstream-rtt latency penalty waiting for a new connection. - // - // This is limited somewhat arbitrarily to 3 because preconnecting too aggressively can - // harm latency more than the preconnecting helps. - google.protobuf.DoubleValue per_upstream_preconnect_ratio = 1 - [(validate.rules).double = {lte: 3.0 gte: 1.0}]; - - // Indicates how many many streams (rounded up) can be anticipated across a cluster for each - // stream, useful for low QPS services. 
This is currently supported for a subset of - // deterministic non-hash-based load-balancing algorithms (weighted round robin, random). - // Unlike *per_upstream_preconnect_ratio* this preconnects across the upstream instances in a - // cluster, doing best effort predictions of what upstream would be picked next and - // pre-establishing a connection. - // - // Preconnecting will be limited to one preconnect per configured upstream in the cluster and will - // only be done if there are healthy upstreams and the cluster has traffic. - // - // For example if preconnecting is set to 2 for a round robin HTTP/2 cluster, on the first - // incoming stream, 2 connections will be preconnected - one to the first upstream for this - // cluster, one to the second on the assumption there will be a follow-up stream. - // - // If this value is not set, or set explicitly to one, Envoy will fetch as many connections - // as needed to serve streams in flight, so during warm up and in steady state if a connection - // is closed (and per_upstream_preconnect_ratio is not set), there will be a latency hit for - // connection establishment. - // - // If both this and preconnect_ratio are set, Envoy will make sure both predicted needs are met, - // basically preconnecting max(predictive-preconnect, per-upstream-preconnect), for each - // upstream. - google.protobuf.DoubleValue predictive_preconnect_ratio = 2 - [(validate.rules).double = {lte: 3.0 gte: 1.0}]; - } - - reserved 12, 15, 7, 11, 35; - - reserved "hosts", "tls_context", "extension_protocol_options"; - - // Configuration to use different transport sockets for different endpoints. - // The entry of *envoy.transport_socket_match* in the - // :ref:`LbEndpoint.Metadata ` - // is used to match against the transport sockets as they appear in the list. The first - // :ref:`match ` is used. - // For example, with the following match - // - // .. 
code-block:: yaml - // - // transport_socket_matches: - // - name: "enableMTLS" - // match: - // acceptMTLS: true - // transport_socket: - // name: envoy.transport_sockets.tls - // config: { ... } # tls socket configuration - // - name: "defaultToPlaintext" - // match: {} - // transport_socket: - // name: envoy.transport_sockets.raw_buffer - // - // Connections to the endpoints whose metadata value under *envoy.transport_socket_match* - // having "acceptMTLS"/"true" key/value pair use the "enableMTLS" socket configuration. - // - // If a :ref:`socket match ` with empty match - // criteria is provided, that always match any endpoint. For example, the "defaultToPlaintext" - // socket match in case above. - // - // If an endpoint metadata's value under *envoy.transport_socket_match* does not match any - // *TransportSocketMatch*, socket configuration fallbacks to use the *tls_context* or - // *transport_socket* specified in this cluster. - // - // This field allows gradual and flexible transport socket configuration changes. - // - // The metadata of endpoints in EDS can indicate transport socket capabilities. For example, - // an endpoint's metadata can have two key value pairs as "acceptMTLS": "true", - // "acceptPlaintext": "true". While some other endpoints, only accepting plaintext traffic - // has "acceptPlaintext": "true" metadata information. - // - // Then the xDS server can configure the CDS to a client, Envoy A, to send mutual TLS - // traffic for endpoints with "acceptMTLS": "true", by adding a corresponding - // *TransportSocketMatch* in this field. Other client Envoys receive CDS without - // *transport_socket_match* set, and still send plain text traffic to the same cluster. - // - // This field can be used to specify custom transport socket configurations for health - // checks by adding matching key/value pairs in a health check's - // :ref:`transport socket match criteria ` field. 
- // - // [#comment:TODO(incfly): add a detailed architecture doc on intended usage.] - repeated TransportSocketMatch transport_socket_matches = 43; - - // Supplies the name of the cluster which must be unique across all clusters. - // The cluster name is used when emitting - // :ref:`statistics ` if :ref:`alt_stat_name - // ` is not provided. - // Any ``:`` in the cluster name will be converted to ``_`` when emitting statistics. - string name = 1 [(validate.rules).string = {min_len: 1}]; - - // An optional alternative to the cluster name to be used for observability. This name is used - // emitting stats for the cluster and access logging the cluster name. This will appear as - // additional information in configuration dumps of a cluster's current status as - // :ref:`observability_name ` - // and as an additional tag "upstream_cluster.name" while tracing. Note: access logging using - // this field is presently enabled with runtime feature - // `envoy.reloadable_features.use_observable_cluster_name`. Any ``:`` in the name will be - // converted to ``_`` when emitting statistics. This should not be confused with :ref:`Router - // Filter Header `. - string observability_name = 28; - - oneof cluster_discovery_type { - // The :ref:`service discovery type ` - // to use for resolving the cluster. - DiscoveryType type = 2 [(validate.rules).enum = {defined_only: true}]; - - // The custom cluster type. - CustomClusterType cluster_type = 38; - } - - // Configuration to use for EDS updates for the Cluster. - EdsClusterConfig eds_cluster_config = 3; - - // The timeout for new network connections to hosts in the cluster. - // If not set, a default value of 5s will be used. - google.protobuf.Duration connect_timeout = 4 [(validate.rules).duration = {gt {}}]; - - // Soft limit on size of the cluster’s connections read and write buffers. If - // unspecified, an implementation defined default is applied (1MiB). 
- google.protobuf.UInt32Value per_connection_buffer_limit_bytes = 5 - [(udpa.annotations.security).configure_for_untrusted_upstream = true]; - - // The :ref:`load balancer type ` to use - // when picking a host in the cluster. - LbPolicy lb_policy = 6 [(validate.rules).enum = {defined_only: true}]; - - // Setting this is required for specifying members of - // :ref:`STATIC`, - // :ref:`STRICT_DNS` - // or :ref:`LOGICAL_DNS` clusters. - // This field supersedes the *hosts* field in the v2 API. - // - // .. attention:: - // - // Setting this allows non-EDS cluster types to contain embedded EDS equivalent - // :ref:`endpoint assignments`. - // - endpoint.v4alpha.ClusterLoadAssignment load_assignment = 33; - - // Optional :ref:`active health checking ` - // configuration for the cluster. If no - // configuration is specified no health checking will be done and all cluster - // members will be considered healthy at all times. - repeated core.v4alpha.HealthCheck health_checks = 8; - - // Optional maximum requests for a single upstream connection. This parameter - // is respected by both the HTTP/1.1 and HTTP/2 connection pool - // implementations. If not specified, there is no limit. Setting this - // parameter to 1 will effectively disable keep alive. - // - // .. attention:: - // This field has been deprecated in favor of the :ref:`max_requests_per_connection ` field. - google.protobuf.UInt32Value hidden_envoy_deprecated_max_requests_per_connection = 9 - [deprecated = true, (envoy.annotations.deprecated_at_minor_version) = "3.0"]; - - // Optional :ref:`circuit breaking ` for the cluster. - CircuitBreakers circuit_breakers = 10; - - // HTTP protocol options that are applied only to upstream HTTP connections. - // These options apply to all HTTP versions. - // This has been deprecated in favor of - // :ref:`upstream_http_protocol_options ` - // in the :ref:`http_protocol_options ` message. 
- // upstream_http_protocol_options can be set via the cluster's - // :ref:`extension_protocol_options`. - // See :ref:`upstream_http_protocol_options - // ` - // for example usage. - core.v4alpha.UpstreamHttpProtocolOptions hidden_envoy_deprecated_upstream_http_protocol_options = - 46 [deprecated = true, (envoy.annotations.deprecated_at_minor_version) = "3.0"]; - - // Additional options when handling HTTP requests upstream. These options will be applicable to - // both HTTP1 and HTTP2 requests. - // This has been deprecated in favor of - // :ref:`common_http_protocol_options ` - // in the :ref:`http_protocol_options ` message. - // common_http_protocol_options can be set via the cluster's - // :ref:`extension_protocol_options`. - // See :ref:`upstream_http_protocol_options - // ` - // for example usage. - core.v4alpha.HttpProtocolOptions hidden_envoy_deprecated_common_http_protocol_options = 29 - [deprecated = true, (envoy.annotations.deprecated_at_minor_version) = "3.0"]; - - // Additional options when handling HTTP1 requests. - // This has been deprecated in favor of http_protocol_options fields in the - // :ref:`http_protocol_options ` message. - // http_protocol_options can be set via the cluster's - // :ref:`extension_protocol_options`. - // See :ref:`upstream_http_protocol_options - // ` - // for example usage. - core.v4alpha.Http1ProtocolOptions hidden_envoy_deprecated_http_protocol_options = 13 - [deprecated = true, (envoy.annotations.deprecated_at_minor_version) = "3.0"]; - - // Even if default HTTP2 protocol options are desired, this field must be - // set so that Envoy will assume that the upstream supports HTTP/2 when - // making new HTTP connection pool connections. Currently, Envoy only - // supports prior knowledge for upstream connections. Even if TLS is used - // with ALPN, `http2_protocol_options` must be specified. As an aside this allows HTTP/2 - // connections to happen over plain text. 
- // This has been deprecated in favor of http2_protocol_options fields in the - // :ref:`http_protocol_options ` - // message. http2_protocol_options can be set via the cluster's - // :ref:`extension_protocol_options`. - // See :ref:`upstream_http_protocol_options - // ` - // for example usage. - core.v4alpha.Http2ProtocolOptions hidden_envoy_deprecated_http2_protocol_options = 14 [ - deprecated = true, - (udpa.annotations.security).configure_for_untrusted_upstream = true, - (envoy.annotations.deprecated_at_minor_version) = "3.0" - ]; - - // The extension_protocol_options field is used to provide extension-specific protocol options - // for upstream connections. The key should match the extension filter name, such as - // "envoy.filters.network.thrift_proxy". See the extension's documentation for details on - // specific options. - // [#next-major-version: make this a list of typed extensions.] - map typed_extension_protocol_options = 36; - - // If the DNS refresh rate is specified and the cluster type is either - // :ref:`STRICT_DNS`, - // or :ref:`LOGICAL_DNS`, - // this value is used as the cluster’s DNS refresh - // rate. The value configured must be at least 1ms. If this setting is not specified, the - // value defaults to 5000ms. For cluster types other than - // :ref:`STRICT_DNS` - // and :ref:`LOGICAL_DNS` - // this setting is ignored. - google.protobuf.Duration dns_refresh_rate = 16 - [(validate.rules).duration = {gt {nanos: 1000000}}]; - - // If the DNS failure refresh rate is specified and the cluster type is either - // :ref:`STRICT_DNS`, - // or :ref:`LOGICAL_DNS`, - // this is used as the cluster’s DNS refresh rate when requests are failing. If this setting is - // not specified, the failure refresh rate defaults to the DNS refresh rate. For cluster types - // other than :ref:`STRICT_DNS` and - // :ref:`LOGICAL_DNS` this setting is - // ignored. 
- RefreshRate dns_failure_refresh_rate = 44; - - // Optional configuration for setting cluster's DNS refresh rate. If the value is set to true, - // cluster's DNS refresh rate will be set to resource record's TTL which comes from DNS - // resolution. - bool respect_dns_ttl = 39; - - // The DNS IP address resolution policy. If this setting is not specified, the - // value defaults to - // :ref:`AUTO`. - DnsLookupFamily dns_lookup_family = 17 [(validate.rules).enum = {defined_only: true}]; - - // If DNS resolvers are specified and the cluster type is either - // :ref:`STRICT_DNS`, - // or :ref:`LOGICAL_DNS`, - // this value is used to specify the cluster’s dns resolvers. - // If this setting is not specified, the value defaults to the default - // resolver, which uses /etc/resolv.conf for configuration. For cluster types - // other than - // :ref:`STRICT_DNS` - // and :ref:`LOGICAL_DNS` - // this setting is ignored. - // Setting this value causes failure if the - // ``envoy.restart_features.use_apple_api_for_dns_lookups`` runtime value is true during - // server startup. Apple's API only allows overriding DNS resolvers via system settings. - // This field is deprecated in favor of *dns_resolution_config* - // which aggregates all of the DNS resolver configuration in a single message. - repeated core.v4alpha.Address hidden_envoy_deprecated_dns_resolvers = 18 - [deprecated = true, (envoy.annotations.deprecated_at_minor_version) = "3.0"]; - - // Always use TCP queries instead of UDP queries for DNS lookups. - // Setting this value causes failure if the - // ``envoy.restart_features.use_apple_api_for_dns_lookups`` runtime value is true during - // server startup. Apple' API only uses UDP for DNS resolution. - // This field is deprecated in favor of *dns_resolution_config* - // which aggregates all of the DNS resolver configuration in a single message. 
- bool hidden_envoy_deprecated_use_tcp_for_dns_lookups = 45 - [deprecated = true, (envoy.annotations.deprecated_at_minor_version) = "3.0"]; - - // DNS resolution configuration which includes the underlying dns resolver addresses and options. - // *dns_resolution_config* will be deprecated once - // :ref:'typed_dns_resolver_config ' - // is fully supported. - core.v4alpha.DnsResolutionConfig dns_resolution_config = 53; - - // DNS resolver type configuration extension. This extension can be used to configure c-ares, apple, - // or any other DNS resolver types and the related parameters. - // For example, an object of :ref:`DnsResolutionConfig ` - // can be packed into this *typed_dns_resolver_config*. This configuration will replace the - // :ref:'dns_resolution_config ' - // configuration eventually. - // TODO(yanjunxiang): Investigate the deprecation plan for *dns_resolution_config*. - // During the transition period when both *dns_resolution_config* and *typed_dns_resolver_config* exists, - // this configuration is optional. - // When *typed_dns_resolver_config* is in place, Envoy will use it and ignore *dns_resolution_config*. - // When *typed_dns_resolver_config* is missing, the default behavior is in place. - // [#not-implemented-hide:] - core.v4alpha.TypedExtensionConfig typed_dns_resolver_config = 55; - - // Optional configuration for having cluster readiness block on warm-up. Currently, only applicable for - // :ref:`STRICT_DNS`, - // or :ref:`LOGICAL_DNS`. - // If true, cluster readiness blocks on warm-up. If false, the cluster will complete - // initialization whether or not warm-up has completed. Defaults to true. - google.protobuf.BoolValue wait_for_warm_on_init = 54; - - // If specified, outlier detection will be enabled for this upstream cluster. - // Each of the configuration values can be overridden via - // :ref:`runtime values `. 
- OutlierDetection outlier_detection = 19; - - // The interval for removing stale hosts from a cluster type - // :ref:`ORIGINAL_DST`. - // Hosts are considered stale if they have not been used - // as upstream destinations during this interval. New hosts are added - // to original destination clusters on demand as new connections are - // redirected to Envoy, causing the number of hosts in the cluster to - // grow over time. Hosts that are not stale (they are actively used as - // destinations) are kept in the cluster, which allows connections to - // them remain open, saving the latency that would otherwise be spent - // on opening new connections. If this setting is not specified, the - // value defaults to 5000ms. For cluster types other than - // :ref:`ORIGINAL_DST` - // this setting is ignored. - google.protobuf.Duration cleanup_interval = 20 [(validate.rules).duration = {gt {}}]; - - // Optional configuration used to bind newly established upstream connections. - // This overrides any bind_config specified in the bootstrap proto. - // If the address and port are empty, no bind will be performed. - core.v4alpha.BindConfig upstream_bind_config = 21; - - // Configuration for load balancing subsetting. - LbSubsetConfig lb_subset_config = 22; - - // Optional configuration for the load balancing algorithm selected by - // LbPolicy. Currently only - // :ref:`RING_HASH`, - // :ref:`MAGLEV` and - // :ref:`LEAST_REQUEST` - // has additional configuration options. - // Specifying ring_hash_lb_config or maglev_lb_config or least_request_lb_config without setting the corresponding - // LbPolicy will generate an error at runtime. - oneof lb_config { - // Optional configuration for the Ring Hash load balancing policy. - RingHashLbConfig ring_hash_lb_config = 23; - - // Optional configuration for the Maglev load balancing policy. - MaglevLbConfig maglev_lb_config = 52; - - // Optional configuration for the Original Destination load balancing policy. 
- OriginalDstLbConfig original_dst_lb_config = 34; - - // Optional configuration for the LeastRequest load balancing policy. - LeastRequestLbConfig least_request_lb_config = 37; - } - - // Common configuration for all load balancer implementations. - CommonLbConfig common_lb_config = 27; - - // Optional custom transport socket implementation to use for upstream connections. - // To setup TLS, set a transport socket with name `envoy.transport_sockets.tls` and - // :ref:`UpstreamTlsContexts ` in the `typed_config`. - // If no transport socket configuration is specified, new connections - // will be set up with plaintext. - core.v4alpha.TransportSocket transport_socket = 24; - - // The Metadata field can be used to provide additional information about the - // cluster. It can be used for stats, logging, and varying filter behavior. - // Fields should use reverse DNS notation to denote which entity within Envoy - // will need the information. For instance, if the metadata is intended for - // the Router filter, the filter name should be specified as *envoy.filters.http.router*. - core.v4alpha.Metadata metadata = 25; - - // Determines how Envoy selects the protocol used to speak to upstream hosts. - // This has been deprecated in favor of setting explicit protocol selection - // in the :ref:`http_protocol_options - // ` message. - // http_protocol_options can be set via the cluster's - // :ref:`extension_protocol_options`. - ClusterProtocolSelection hidden_envoy_deprecated_protocol_selection = 26 - [deprecated = true, (envoy.annotations.deprecated_at_minor_version) = "3.0"]; - - // Optional options for upstream connections. - UpstreamConnectionOptions upstream_connection_options = 30; - - // If an upstream host becomes unhealthy (as determined by the configured health checks - // or outlier detection), immediately close all connections to the failed host. - // - // .. note:: - // - // This is currently only supported for connections created by tcp_proxy. - // - // .. 
note:: - // - // The current implementation of this feature closes all connections immediately when - // the unhealthy status is detected. If there are a large number of connections open - // to an upstream host that becomes unhealthy, Envoy may spend a substantial amount of - // time exclusively closing these connections, and not processing any other traffic. - bool close_connections_on_host_health_failure = 31; - - // If set to true, Envoy will ignore the health value of a host when processing its removal - // from service discovery. This means that if active health checking is used, Envoy will *not* - // wait for the endpoint to go unhealthy before removing it. - bool ignore_health_on_host_removal = 32; - - // An (optional) network filter chain, listed in the order the filters should be applied. - // The chain will be applied to all outgoing connections that Envoy makes to the upstream - // servers of this cluster. - repeated Filter filters = 40; - - // New mechanism for LB policy configuration. Used only if the - // :ref:`lb_policy` field has the value - // :ref:`LOAD_BALANCING_POLICY_CONFIG`. - LoadBalancingPolicy load_balancing_policy = 41; - - // [#not-implemented-hide:] - // If present, tells the client where to send load reports via LRS. If not present, the - // client will fall back to a client-side default, which may be either (a) don't send any - // load reports or (b) send load reports for all clusters to a single default server - // (which may be configured in the bootstrap file). - // - // Note that if multiple clusters point to the same LRS server, the client may choose to - // create a separate stream for each cluster or it may choose to coalesce the data for - // multiple clusters onto a single stream. Either way, the client must make sure to send - // the data for any given cluster on no more than one stream. 
- // - // [#next-major-version: In the v3 API, we should consider restructuring this somehow, - // maybe by allowing LRS to go on the ADS stream, or maybe by moving some of the negotiation - // from the LRS stream here.] - core.v4alpha.ConfigSource lrs_server = 42; - - // If track_timeout_budgets is true, the :ref:`timeout budget histograms - // ` will be published for each - // request. These show what percentage of a request's per try and global timeout was used. A value - // of 0 would indicate that none of the timeout was used or that the timeout was infinite. A value - // of 100 would indicate that the request took the entirety of the timeout given to it. - // - // .. attention:: - // - // This field has been deprecated in favor of `timeout_budgets`, part of - // :ref:`track_cluster_stats `. - bool hidden_envoy_deprecated_track_timeout_budgets = 47 - [deprecated = true, (envoy.annotations.deprecated_at_minor_version) = "3.0"]; - - // Optional customization and configuration of upstream connection pool, and upstream type. - // - // Currently this field only applies for HTTP traffic but is designed for eventual use for custom - // TCP upstreams. - // - // For HTTP traffic, Envoy will generally take downstream HTTP and send it upstream as upstream - // HTTP, using the http connection pool and the codec from `http2_protocol_options` - // - // For routes where CONNECT termination is configured, Envoy will take downstream CONNECT - // requests and forward the CONNECT payload upstream over raw TCP using the tcp connection pool. - // - // The default pool used is the generic connection pool which creates the HTTP upstream for most - // HTTP requests, and the TCP upstream if CONNECT termination is configured. - // - // If users desire custom connection pool or upstream behavior, for example terminating - // CONNECT only if a custom filter indicates it is appropriate, the custom factories - // can be registered and configured here. 
- // [#extension-category: envoy.upstreams] - core.v4alpha.TypedExtensionConfig upstream_config = 48; - - // Configuration to track optional cluster stats. - TrackClusterStats track_cluster_stats = 49; - - // Preconnect configuration for this cluster. - PreconnectPolicy preconnect_policy = 50; - - // If `connection_pool_per_downstream_connection` is true, the cluster will use a separate - // connection pool for every downstream connection - bool connection_pool_per_downstream_connection = 51; -} - -// Extensible load balancing policy configuration. -// -// Every LB policy defined via this mechanism will be identified via a unique name using reverse -// DNS notation. If the policy needs configuration parameters, it must define a message for its -// own configuration, which will be stored in the config field. The name of the policy will tell -// clients which type of message they should expect to see in the config field. -// -// Note that there are cases where it is useful to be able to independently select LB policies -// for choosing a locality and for choosing an endpoint within that locality. For example, a -// given deployment may always use the same policy to choose the locality, but for choosing the -// endpoint within the locality, some clusters may use weighted-round-robin, while others may -// use some sort of session-based balancing. -// -// This can be accomplished via hierarchical LB policies, where the parent LB policy creates a -// child LB policy for each locality. For each request, the parent chooses the locality and then -// delegates to the child policy for that locality to choose the endpoint within the locality. -// -// To facilitate this, the config message for the top-level LB policy may include a field of -// type LoadBalancingPolicy that specifies the child policy. 
-message LoadBalancingPolicy { - option (udpa.annotations.versioning).previous_message_type = - "envoy.config.cluster.v3.LoadBalancingPolicy"; - - message Policy { - option (udpa.annotations.versioning).previous_message_type = - "envoy.config.cluster.v3.LoadBalancingPolicy.Policy"; - - reserved 2, 1, 3; - - reserved "config", "name", "typed_config"; - - core.v4alpha.TypedExtensionConfig typed_extension_config = 4; - } - - // Each client will iterate over the list in order and stop at the first policy that it - // supports. This provides a mechanism for starting to use new LB policies that are not yet - // supported by all clients. - repeated Policy policies = 1; -} - -// An extensible structure containing the address Envoy should bind to when -// establishing upstream connections. -message UpstreamBindConfig { - option (udpa.annotations.versioning).previous_message_type = - "envoy.config.cluster.v3.UpstreamBindConfig"; - - // The address Envoy should bind to when establishing upstream connections. - core.v4alpha.Address source_address = 1; -} - -message UpstreamConnectionOptions { - option (udpa.annotations.versioning).previous_message_type = - "envoy.config.cluster.v3.UpstreamConnectionOptions"; - - // If set then set SO_KEEPALIVE on the socket to enable TCP Keepalives. - core.v4alpha.TcpKeepalive tcp_keepalive = 1; -} - -message TrackClusterStats { - option (udpa.annotations.versioning).previous_message_type = - "envoy.config.cluster.v3.TrackClusterStats"; - - // If timeout_budgets is true, the :ref:`timeout budget histograms - // ` will be published for each - // request. These show what percentage of a request's per try and global timeout was used. A value - // of 0 would indicate that none of the timeout was used or that the timeout was infinite. A value - // of 100 would indicate that the request took the entirety of the timeout given to it. 
- bool timeout_budgets = 1; - - // If request_response_sizes is true, then the :ref:`histograms - // ` tracking header and body sizes - // of requests and responses will be published. - bool request_response_sizes = 2; -} diff --git a/generated_api_shadow/envoy/config/cluster/v4alpha/filter.proto b/generated_api_shadow/envoy/config/cluster/v4alpha/filter.proto deleted file mode 100644 index d478fd34f1c7..000000000000 --- a/generated_api_shadow/envoy/config/cluster/v4alpha/filter.proto +++ /dev/null @@ -1,30 +0,0 @@ -syntax = "proto3"; - -package envoy.config.cluster.v4alpha; - -import "google/protobuf/any.proto"; - -import "udpa/annotations/status.proto"; -import "udpa/annotations/versioning.proto"; -import "validate/validate.proto"; - -option java_package = "io.envoyproxy.envoy.config.cluster.v4alpha"; -option java_outer_classname = "FilterProto"; -option java_multiple_files = true; -option (udpa.annotations.file_status).package_version_status = NEXT_MAJOR_VERSION_CANDIDATE; - -// [#protodoc-title: Upstream filters] -// Upstream filters apply to the connections to the upstream cluster hosts. - -message Filter { - option (udpa.annotations.versioning).previous_message_type = "envoy.config.cluster.v3.Filter"; - - // The name of the filter to instantiate. The name must match a - // supported upstream filter. Note that Envoy's :ref:`downstream network - // filters ` are not valid upstream filters. - string name = 1 [(validate.rules).string = {min_len: 1}]; - - // Filter specific configuration which depends on the filter being - // instantiated. See the supported filters for further documentation. - google.protobuf.Any typed_config = 2; -} diff --git a/generated_api_shadow/envoy/config/cluster/v4alpha/outlier_detection.proto b/generated_api_shadow/envoy/config/cluster/v4alpha/outlier_detection.proto deleted file mode 100644 index a64c4b42247f..000000000000 --- a/generated_api_shadow/envoy/config/cluster/v4alpha/outlier_detection.proto +++ /dev/null 
@@ -1,157 +0,0 @@ -syntax = "proto3"; - -package envoy.config.cluster.v4alpha; - -import "google/protobuf/duration.proto"; -import "google/protobuf/wrappers.proto"; - -import "udpa/annotations/status.proto"; -import "udpa/annotations/versioning.proto"; -import "validate/validate.proto"; - -option java_package = "io.envoyproxy.envoy.config.cluster.v4alpha"; -option java_outer_classname = "OutlierDetectionProto"; -option java_multiple_files = true; -option (udpa.annotations.file_status).package_version_status = NEXT_MAJOR_VERSION_CANDIDATE; - -// [#protodoc-title: Outlier detection] - -// See the :ref:`architecture overview ` for -// more information on outlier detection. -// [#next-free-field: 22] -message OutlierDetection { - option (udpa.annotations.versioning).previous_message_type = - "envoy.config.cluster.v3.OutlierDetection"; - - // The number of consecutive 5xx responses or local origin errors that are mapped - // to 5xx error codes before a consecutive 5xx ejection - // occurs. Defaults to 5. - google.protobuf.UInt32Value consecutive_5xx = 1; - - // The time interval between ejection analysis sweeps. This can result in - // both new ejections as well as hosts being returned to service. Defaults - // to 10000ms or 10s. - google.protobuf.Duration interval = 2 [(validate.rules).duration = {gt {}}]; - - // The base time that a host is ejected for. The real time is equal to the - // base time multiplied by the number of times the host has been ejected and is - // capped by :ref:`max_ejection_time`. - // Defaults to 30000ms or 30s. - google.protobuf.Duration base_ejection_time = 3 [(validate.rules).duration = {gt {}}]; - - // The maximum % of an upstream cluster that can be ejected due to outlier - // detection. Defaults to 10% but will eject at least one host regardless of the value. 
- google.protobuf.UInt32Value max_ejection_percent = 4 [(validate.rules).uint32 = {lte: 100}]; - - // The % chance that a host will be actually ejected when an outlier status - // is detected through consecutive 5xx. This setting can be used to disable - // ejection or to ramp it up slowly. Defaults to 100. - google.protobuf.UInt32Value enforcing_consecutive_5xx = 5 [(validate.rules).uint32 = {lte: 100}]; - - // The % chance that a host will be actually ejected when an outlier status - // is detected through success rate statistics. This setting can be used to - // disable ejection or to ramp it up slowly. Defaults to 100. - google.protobuf.UInt32Value enforcing_success_rate = 6 [(validate.rules).uint32 = {lte: 100}]; - - // The number of hosts in a cluster that must have enough request volume to - // detect success rate outliers. If the number of hosts is less than this - // setting, outlier detection via success rate statistics is not performed - // for any host in the cluster. Defaults to 5. - google.protobuf.UInt32Value success_rate_minimum_hosts = 7; - - // The minimum number of total requests that must be collected in one - // interval (as defined by the interval duration above) to include this host - // in success rate based outlier detection. If the volume is lower than this - // setting, outlier detection via success rate statistics is not performed - // for that host. Defaults to 100. - google.protobuf.UInt32Value success_rate_request_volume = 8; - - // This factor is used to determine the ejection threshold for success rate - // outlier ejection. The ejection threshold is the difference between the - // mean success rate, and the product of this factor and the standard - // deviation of the mean success rate: mean - (stdev * - // success_rate_stdev_factor). This factor is divided by a thousand to get a - // double. That is, if the desired factor is 1.9, the runtime value should - // be 1900. Defaults to 1900. 
- google.protobuf.UInt32Value success_rate_stdev_factor = 9; - - // The number of consecutive gateway failures (502, 503, 504 status codes) - // before a consecutive gateway failure ejection occurs. Defaults to 5. - google.protobuf.UInt32Value consecutive_gateway_failure = 10; - - // The % chance that a host will be actually ejected when an outlier status - // is detected through consecutive gateway failures. This setting can be - // used to disable ejection or to ramp it up slowly. Defaults to 0. - google.protobuf.UInt32Value enforcing_consecutive_gateway_failure = 11 - [(validate.rules).uint32 = {lte: 100}]; - - // Determines whether to distinguish local origin failures from external errors. If set to true - // the following configuration parameters are taken into account: - // :ref:`consecutive_local_origin_failure`, - // :ref:`enforcing_consecutive_local_origin_failure` - // and - // :ref:`enforcing_local_origin_success_rate`. - // Defaults to false. - bool split_external_local_origin_errors = 12; - - // The number of consecutive locally originated failures before ejection - // occurs. Defaults to 5. Parameter takes effect only when - // :ref:`split_external_local_origin_errors` - // is set to true. - google.protobuf.UInt32Value consecutive_local_origin_failure = 13; - - // The % chance that a host will be actually ejected when an outlier status - // is detected through consecutive locally originated failures. This setting can be - // used to disable ejection or to ramp it up slowly. Defaults to 100. - // Parameter takes effect only when - // :ref:`split_external_local_origin_errors` - // is set to true. - google.protobuf.UInt32Value enforcing_consecutive_local_origin_failure = 14 - [(validate.rules).uint32 = {lte: 100}]; - - // The % chance that a host will be actually ejected when an outlier status - // is detected through success rate statistics for locally originated errors. - // This setting can be used to disable ejection or to ramp it up slowly. 
Defaults to 100. - // Parameter takes effect only when - // :ref:`split_external_local_origin_errors` - // is set to true. - google.protobuf.UInt32Value enforcing_local_origin_success_rate = 15 - [(validate.rules).uint32 = {lte: 100}]; - - // The failure percentage to use when determining failure percentage-based outlier detection. If - // the failure percentage of a given host is greater than or equal to this value, it will be - // ejected. Defaults to 85. - google.protobuf.UInt32Value failure_percentage_threshold = 16 - [(validate.rules).uint32 = {lte: 100}]; - - // The % chance that a host will be actually ejected when an outlier status is detected through - // failure percentage statistics. This setting can be used to disable ejection or to ramp it up - // slowly. Defaults to 0. - // - // [#next-major-version: setting this without setting failure_percentage_threshold should be - // invalid in v4.] - google.protobuf.UInt32Value enforcing_failure_percentage = 17 - [(validate.rules).uint32 = {lte: 100}]; - - // The % chance that a host will be actually ejected when an outlier status is detected through - // local-origin failure percentage statistics. This setting can be used to disable ejection or to - // ramp it up slowly. Defaults to 0. - google.protobuf.UInt32Value enforcing_failure_percentage_local_origin = 18 - [(validate.rules).uint32 = {lte: 100}]; - - // The minimum number of hosts in a cluster in order to perform failure percentage-based ejection. - // If the total number of hosts in the cluster is less than this value, failure percentage-based - // ejection will not be performed. Defaults to 5. - google.protobuf.UInt32Value failure_percentage_minimum_hosts = 19; - - // The minimum number of total requests that must be collected in one interval (as defined by the - // interval duration above) to perform failure percentage-based ejection for this host. 
If the - // volume is lower than this setting, failure percentage-based ejection will not be performed for - // this host. Defaults to 50. - google.protobuf.UInt32Value failure_percentage_request_volume = 20; - - // The maximum time that a host is ejected for. See :ref:`base_ejection_time` - // for more information. If not specified, the default value (300000ms or 300s) or - // :ref:`base_ejection_time` value is applied, whatever is larger. - google.protobuf.Duration max_ejection_time = 21 [(validate.rules).duration = {gt {}}]; -} diff --git a/generated_api_shadow/envoy/config/common/matcher/v4alpha/BUILD b/generated_api_shadow/envoy/config/common/matcher/v4alpha/BUILD deleted file mode 100644 index 8c0f8a2e08d8..000000000000 --- a/generated_api_shadow/envoy/config/common/matcher/v4alpha/BUILD +++ /dev/null @@ -1,15 +0,0 @@ -# DO NOT EDIT. This file is generated by tools/proto_format/proto_sync.py. - -load("@envoy_api//bazel:api_build_system.bzl", "api_proto_package") - -licenses(["notice"]) # Apache 2 - -api_proto_package( - deps = [ - "//envoy/config/common/matcher/v3:pkg", - "//envoy/config/core/v4alpha:pkg", - "//envoy/config/route/v4alpha:pkg", - "//envoy/type/matcher/v4alpha:pkg", - "@com_github_cncf_udpa//udpa/annotations:pkg", - ], -) diff --git a/generated_api_shadow/envoy/config/common/matcher/v4alpha/matcher.proto b/generated_api_shadow/envoy/config/common/matcher/v4alpha/matcher.proto deleted file mode 100644 index 2027331b31da..000000000000 --- a/generated_api_shadow/envoy/config/common/matcher/v4alpha/matcher.proto +++ /dev/null 
@@ -1,269 +0,0 @@ -syntax = "proto3"; - -package envoy.config.common.matcher.v4alpha; - -import "envoy/config/core/v4alpha/extension.proto"; -import "envoy/config/route/v4alpha/route_components.proto"; -import "envoy/type/matcher/v4alpha/string.proto"; - -import "udpa/annotations/status.proto"; -import "udpa/annotations/versioning.proto"; -import "validate/validate.proto"; - -option java_package = "io.envoyproxy.envoy.config.common.matcher.v4alpha"; -option java_outer_classname = "MatcherProto"; -option java_multiple_files = true; -option (udpa.annotations.file_status).package_version_status = NEXT_MAJOR_VERSION_CANDIDATE; - -// [#protodoc-title: Unified Matcher API] - -// A matcher, which may traverse a matching tree in order to result in a match action. -// During matching, the tree will be traversed until a match is found, or if no match -// is found the action specified by the most specific on_no_match will be evaluated. -// As an on_no_match might result in another matching tree being evaluated, this process -// might repeat several times until the final OnMatch (or no match) is decided. -// -// [#alpha:] -message Matcher { - option (udpa.annotations.versioning).previous_message_type = - "envoy.config.common.matcher.v3.Matcher"; - - // What to do if a match is successful. - message OnMatch { - option (udpa.annotations.versioning).previous_message_type = - "envoy.config.common.matcher.v3.Matcher.OnMatch"; - - oneof on_match { - option (validate.required) = true; - - // Nested matcher to evaluate. - // If the nested matcher does not match and does not specify - // on_no_match, then this matcher is considered not to have - // matched, even if a predicate at this level or above returned - // true. - Matcher matcher = 1; - - // Protocol-specific action to take. - core.v4alpha.TypedExtensionConfig action = 2; - } - } - - // A linear list of field matchers. - // The field matchers are evaluated in order, and the first match - // wins. 
- message MatcherList { - option (udpa.annotations.versioning).previous_message_type = - "envoy.config.common.matcher.v3.Matcher.MatcherList"; - - // Predicate to determine if a match is successful. - message Predicate { - option (udpa.annotations.versioning).previous_message_type = - "envoy.config.common.matcher.v3.Matcher.MatcherList.Predicate"; - - // Predicate for a single input field. - message SinglePredicate { - option (udpa.annotations.versioning).previous_message_type = - "envoy.config.common.matcher.v3.Matcher.MatcherList.Predicate.SinglePredicate"; - - // Protocol-specific specification of input field to match on. - // [#extension-category: envoy.matching.common_inputs] - core.v4alpha.TypedExtensionConfig input = 1 [(validate.rules).message = {required: true}]; - - oneof matcher { - option (validate.required) = true; - - // Built-in string matcher. - type.matcher.v4alpha.StringMatcher value_match = 2; - - // Extension for custom matching logic. - // [#extension-category: envoy.matching.input_matchers] - core.v4alpha.TypedExtensionConfig custom_match = 3; - } - } - - // A list of two or more matchers. Used to allow using a list within a oneof. - message PredicateList { - option (udpa.annotations.versioning).previous_message_type = - "envoy.config.common.matcher.v3.Matcher.MatcherList.Predicate.PredicateList"; - - repeated Predicate predicate = 1 [(validate.rules).repeated = {min_items: 2}]; - } - - oneof match_type { - option (validate.required) = true; - - // A single predicate to evaluate. - SinglePredicate single_predicate = 1; - - // A list of predicates to be OR-ed together. - PredicateList or_matcher = 2; - - // A list of predicates to be AND-ed together. - PredicateList and_matcher = 3; - - // The invert of a predicate - Predicate not_matcher = 4; - } - } - - // An individual matcher. 
- message FieldMatcher { - option (udpa.annotations.versioning).previous_message_type = - "envoy.config.common.matcher.v3.Matcher.MatcherList.FieldMatcher"; - - // Determines if the match succeeds. - Predicate predicate = 1 [(validate.rules).message = {required: true}]; - - // What to do if the match succeeds. - OnMatch on_match = 2 [(validate.rules).message = {required: true}]; - } - - // A list of matchers. First match wins. - repeated FieldMatcher matchers = 1 [(validate.rules).repeated = {min_items: 1}]; - } - - message MatcherTree { - option (udpa.annotations.versioning).previous_message_type = - "envoy.config.common.matcher.v3.Matcher.MatcherTree"; - - // A map of configured matchers. Used to allow using a map within a oneof. - message MatchMap { - option (udpa.annotations.versioning).previous_message_type = - "envoy.config.common.matcher.v3.Matcher.MatcherTree.MatchMap"; - - map map = 1 [(validate.rules).map = {min_pairs: 1}]; - } - - // Protocol-specific specification of input field to match on. - core.v4alpha.TypedExtensionConfig input = 1 [(validate.rules).message = {required: true}]; - - // Exact or prefix match maps in which to look up the input value. - // If the lookup succeeds, the match is considered successful, and - // the corresponding OnMatch is used. - oneof tree_type { - option (validate.required) = true; - - MatchMap exact_match_map = 2; - - // Longest matching prefix wins. - MatchMap prefix_match_map = 3; - - // Extension for custom matching logic. - core.v4alpha.TypedExtensionConfig custom_match = 4; - } - } - - oneof matcher_type { - option (validate.required) = true; - - // A linear list of matchers to evaluate. - MatcherList matcher_list = 1; - - // A match tree to evaluate. - MatcherTree matcher_tree = 2; - } - - // Optional OnMatch to use if the matcher failed. - // If specified, the OnMatch is used, and the matcher is considered - // to have matched. - // If not specified, the matcher is considered not to have matched. 
- OnMatch on_no_match = 3; -} - -// Match configuration. This is a recursive structure which allows complex nested match -// configurations to be built using various logical operators. -// [#next-free-field: 11] -message MatchPredicate { - option (udpa.annotations.versioning).previous_message_type = - "envoy.config.common.matcher.v3.MatchPredicate"; - - // A set of match configurations used for logical operations. - message MatchSet { - option (udpa.annotations.versioning).previous_message_type = - "envoy.config.common.matcher.v3.MatchPredicate.MatchSet"; - - // The list of rules that make up the set. - repeated MatchPredicate rules = 1 [(validate.rules).repeated = {min_items: 2}]; - } - - oneof rule { - option (validate.required) = true; - - // A set that describes a logical OR. If any member of the set matches, the match configuration - // matches. - MatchSet or_match = 1; - - // A set that describes a logical AND. If all members of the set match, the match configuration - // matches. - MatchSet and_match = 2; - - // A negation match. The match configuration will match if the negated match condition matches. - MatchPredicate not_match = 3; - - // The match configuration will always match. - bool any_match = 4 [(validate.rules).bool = {const: true}]; - - // HTTP request headers match configuration. - HttpHeadersMatch http_request_headers_match = 5; - - // HTTP request trailers match configuration. - HttpHeadersMatch http_request_trailers_match = 6; - - // HTTP response headers match configuration. - HttpHeadersMatch http_response_headers_match = 7; - - // HTTP response trailers match configuration. - HttpHeadersMatch http_response_trailers_match = 8; - - // HTTP request generic body match configuration. - HttpGenericBodyMatch http_request_generic_body_match = 9; - - // HTTP response generic body match configuration. - HttpGenericBodyMatch http_response_generic_body_match = 10; - } -} - -// HTTP headers match configuration. 
-message HttpHeadersMatch { - option (udpa.annotations.versioning).previous_message_type = - "envoy.config.common.matcher.v3.HttpHeadersMatch"; - - // HTTP headers to match. - repeated route.v4alpha.HeaderMatcher headers = 1; -} - -// HTTP generic body match configuration. -// List of text strings and hex strings to be located in HTTP body. -// All specified strings must be found in the HTTP body for positive match. -// The search may be limited to specified number of bytes from the body start. -// -// .. attention:: -// -// Searching for patterns in HTTP body is potentially cpu intensive. For each specified pattern, http body is scanned byte by byte to find a match. -// If multiple patterns are specified, the process is repeated for each pattern. If location of a pattern is known, ``bytes_limit`` should be specified -// to scan only part of the http body. -message HttpGenericBodyMatch { - option (udpa.annotations.versioning).previous_message_type = - "envoy.config.common.matcher.v3.HttpGenericBodyMatch"; - - message GenericTextMatch { - option (udpa.annotations.versioning).previous_message_type = - "envoy.config.common.matcher.v3.HttpGenericBodyMatch.GenericTextMatch"; - - oneof rule { - option (validate.required) = true; - - // Text string to be located in HTTP body. - string string_match = 1 [(validate.rules).string = {min_len: 1}]; - - // Sequence of bytes to be located in HTTP body. - bytes binary_match = 2 [(validate.rules).bytes = {min_len: 1}]; - } - } - - // Limits search to specified number of bytes - default zero (no limit - match entire captured buffer). - uint32 bytes_limit = 1; - - // List of patterns to match. - repeated GenericTextMatch patterns = 2 [(validate.rules).repeated = {min_items: 1}]; -} diff --git a/generated_api_shadow/envoy/config/core/v4alpha/BUILD b/generated_api_shadow/envoy/config/core/v4alpha/BUILD deleted file mode 100644 index c9e435fda9a9..000000000000 --- a/generated_api_shadow/envoy/config/core/v4alpha/BUILD +++ /dev/null 
@@ -1,16 +0,0 @@ -# DO NOT EDIT. This file is generated by tools/proto_format/proto_sync.py. - -load("@envoy_api//bazel:api_build_system.bzl", "api_proto_package") - -licenses(["notice"]) # Apache 2 - -api_proto_package( - deps = [ - "//envoy/annotations:pkg", - "//envoy/config/core/v3:pkg", - "//envoy/type/matcher/v4alpha:pkg", - "//envoy/type/v3:pkg", - "@com_github_cncf_udpa//udpa/annotations:pkg", - "@com_github_cncf_udpa//xds/core/v3:pkg", - ], -) diff --git a/generated_api_shadow/envoy/config/core/v4alpha/address.proto b/generated_api_shadow/envoy/config/core/v4alpha/address.proto deleted file mode 100644 index 63d4d4a14507..000000000000 --- a/generated_api_shadow/envoy/config/core/v4alpha/address.proto +++ /dev/null 
@@ -1,163 +0,0 @@ -syntax = "proto3"; - -package envoy.config.core.v4alpha; - -import "envoy/config/core/v4alpha/socket_option.proto"; - -import "google/protobuf/wrappers.proto"; - -import "udpa/annotations/status.proto"; -import "udpa/annotations/versioning.proto"; -import "validate/validate.proto"; - -option java_package = "io.envoyproxy.envoy.config.core.v4alpha"; -option java_outer_classname = "AddressProto"; -option java_multiple_files = true; -option (udpa.annotations.file_status).package_version_status = NEXT_MAJOR_VERSION_CANDIDATE; - -// [#protodoc-title: Network addresses] - -message Pipe { - option (udpa.annotations.versioning).previous_message_type = "envoy.config.core.v3.Pipe"; - - // Unix Domain Socket path. On Linux, paths starting with '@' will use the - // abstract namespace. The starting '@' is replaced by a null byte by Envoy. - // Paths starting with '@' will result in an error in environments other than - // Linux. - string path = 1 [(validate.rules).string = {min_len: 1}]; - - // The mode for the Pipe. Not applicable for abstract sockets. - uint32 mode = 2 [(validate.rules).uint32 = {lte: 511}]; -} - -// [#not-implemented-hide:] The address represents an envoy internal listener. -// TODO(lambdai): Make this address available for listener and endpoint. -// TODO(asraa): When address available, remove workaround from test/server/server_fuzz_test.cc:30. -message EnvoyInternalAddress { - option (udpa.annotations.versioning).previous_message_type = - "envoy.config.core.v3.EnvoyInternalAddress"; - - oneof address_name_specifier { - option (validate.required) = true; - - // [#not-implemented-hide:] The :ref:`listener name ` of the destination internal listener. 
- string server_listener_name = 1; - } -} - -// [#next-free-field: 7] -message SocketAddress { - option (udpa.annotations.versioning).previous_message_type = "envoy.config.core.v3.SocketAddress"; - - enum Protocol { - TCP = 0; - UDP = 1; - } - - Protocol protocol = 1 [(validate.rules).enum = {defined_only: true}]; - - // The address for this socket. :ref:`Listeners ` will bind - // to the address. An empty address is not allowed. Specify ``0.0.0.0`` or ``::`` - // to bind to any address. [#comment:TODO(zuercher) reinstate when implemented: - // It is possible to distinguish a Listener address via the prefix/suffix matching - // in :ref:`FilterChainMatch `.] When used - // within an upstream :ref:`BindConfig `, the address - // controls the source address of outbound connections. For :ref:`clusters - // `, the cluster type determines whether the - // address must be an IP (*STATIC* or *EDS* clusters) or a hostname resolved by DNS - // (*STRICT_DNS* or *LOGICAL_DNS* clusters). Address resolution can be customized - // via :ref:`resolver_name `. - string address = 2 [(validate.rules).string = {min_len: 1}]; - - oneof port_specifier { - option (validate.required) = true; - - uint32 port_value = 3 [(validate.rules).uint32 = {lte: 65535}]; - - // This is only valid if :ref:`resolver_name - // ` is specified below and the - // named resolver is capable of named port resolution. - string named_port = 4; - } - - // The name of the custom resolver. This must have been registered with Envoy. If - // this is empty, a context dependent default applies. If the address is a concrete - // IP address, no resolution will occur. If address is a hostname this - // should be set for resolution other than DNS. Specifying a custom resolver with - // *STRICT_DNS* or *LOGICAL_DNS* will generate an error at runtime. - string resolver_name = 5; - - // When binding to an IPv6 address above, this enables `IPv4 compatibility - // `_. 
Binding to ``::`` will - // allow both IPv4 and IPv6 connections, with peer IPv4 addresses mapped into - // IPv6 space as ``::FFFF:``. - bool ipv4_compat = 6; -} - -message TcpKeepalive { - option (udpa.annotations.versioning).previous_message_type = "envoy.config.core.v3.TcpKeepalive"; - - // Maximum number of keepalive probes to send without response before deciding - // the connection is dead. Default is to use the OS level configuration (unless - // overridden, Linux defaults to 9.) - google.protobuf.UInt32Value keepalive_probes = 1; - - // The number of seconds a connection needs to be idle before keep-alive probes - // start being sent. Default is to use the OS level configuration (unless - // overridden, Linux defaults to 7200s (i.e., 2 hours.) - google.protobuf.UInt32Value keepalive_time = 2; - - // The number of seconds between keep-alive probes. Default is to use the OS - // level configuration (unless overridden, Linux defaults to 75s.) - google.protobuf.UInt32Value keepalive_interval = 3; -} - -message BindConfig { - option (udpa.annotations.versioning).previous_message_type = "envoy.config.core.v3.BindConfig"; - - // The address to bind to when creating a socket. - SocketAddress source_address = 1 [(validate.rules).message = {required: true}]; - - // Whether to set the *IP_FREEBIND* option when creating the socket. When this - // flag is set to true, allows the :ref:`source_address - // ` to be an IP address - // that is not configured on the system running Envoy. When this flag is set - // to false, the option *IP_FREEBIND* is disabled on the socket. When this - // flag is not set (default), the socket is not modified, i.e. the option is - // neither enabled nor disabled. - google.protobuf.BoolValue freebind = 2; - - // Additional socket options that may not be present in Envoy source code or - // precompiled binaries. 
- repeated SocketOption socket_options = 3; -} - -// Addresses specify either a logical or physical address and port, which are -// used to tell Envoy where to bind/listen, connect to upstream and find -// management servers. -message Address { - option (udpa.annotations.versioning).previous_message_type = "envoy.config.core.v3.Address"; - - oneof address { - option (validate.required) = true; - - SocketAddress socket_address = 1; - - Pipe pipe = 2; - - // [#not-implemented-hide:] - EnvoyInternalAddress envoy_internal_address = 3; - } -} - -// CidrRange specifies an IP Address and a prefix length to construct -// the subnet mask for a `CIDR `_ range. -message CidrRange { - option (udpa.annotations.versioning).previous_message_type = "envoy.config.core.v3.CidrRange"; - - // IPv4 or IPv6 address, e.g. ``192.0.0.0`` or ``2001:db8::``. - string address_prefix = 1 [(validate.rules).string = {min_len: 1}]; - - // Length of prefix, e.g. 0, 32. Defaults to 0 when unset. - google.protobuf.UInt32Value prefix_len = 2 [(validate.rules).uint32 = {lte: 128}]; -} diff --git a/generated_api_shadow/envoy/config/core/v4alpha/backoff.proto b/generated_api_shadow/envoy/config/core/v4alpha/backoff.proto deleted file mode 100644 index 266d57f84e74..000000000000 --- a/generated_api_shadow/envoy/config/core/v4alpha/backoff.proto +++ /dev/null 
@@ -1,37 +0,0 @@ -syntax = "proto3"; - -package envoy.config.core.v4alpha; - -import "google/protobuf/duration.proto"; - -import "udpa/annotations/status.proto"; -import "udpa/annotations/versioning.proto"; -import "validate/validate.proto"; - -option java_package = "io.envoyproxy.envoy.config.core.v4alpha"; -option java_outer_classname = "BackoffProto"; -option java_multiple_files = true; -option (udpa.annotations.file_status).package_version_status = NEXT_MAJOR_VERSION_CANDIDATE; - -// [#protodoc-title: Backoff Strategy] - -// Configuration defining a jittered exponential back off strategy. -message BackoffStrategy { - option (udpa.annotations.versioning).previous_message_type = - "envoy.config.core.v3.BackoffStrategy"; - - // The base interval to be used for the next back off computation. It should - // be greater than zero and less than or equal to :ref:`max_interval - // `. - google.protobuf.Duration base_interval = 1 [(validate.rules).duration = { - required: true - gte {nanos: 1000000} - }]; - - // Specifies the maximum interval between retries. This parameter is optional, - // but must be greater than or equal to the :ref:`base_interval - // ` if set. The default - // is 10 times the :ref:`base_interval - // `. - google.protobuf.Duration max_interval = 2 [(validate.rules).duration = {gt {}}]; -} diff --git a/generated_api_shadow/envoy/config/core/v4alpha/base.proto b/generated_api_shadow/envoy/config/core/v4alpha/base.proto deleted file mode 100644 index 99ce121ddf63..000000000000 --- a/generated_api_shadow/envoy/config/core/v4alpha/base.proto +++ /dev/null 
@@ -1,465 +0,0 @@ -syntax = "proto3"; - -package envoy.config.core.v4alpha; - -import "envoy/config/core/v4alpha/address.proto"; -import "envoy/config/core/v4alpha/backoff.proto"; -import "envoy/config/core/v4alpha/http_uri.proto"; -import "envoy/type/v3/percent.proto"; -import "envoy/type/v3/semantic_version.proto"; - -import "google/protobuf/any.proto"; -import "google/protobuf/struct.proto"; -import "google/protobuf/wrappers.proto"; - -import "xds/core/v3/context_params.proto"; - -import "envoy/annotations/deprecation.proto"; -import "udpa/annotations/status.proto"; -import "udpa/annotations/versioning.proto"; -import "validate/validate.proto"; - -option java_package = "io.envoyproxy.envoy.config.core.v4alpha"; -option java_outer_classname = "BaseProto"; -option java_multiple_files = true; -option (udpa.annotations.file_status).package_version_status = NEXT_MAJOR_VERSION_CANDIDATE; - -// [#protodoc-title: Common types] - -// Envoy supports :ref:`upstream priority routing -// ` both at the route and the virtual -// cluster level. The current priority implementation uses different connection -// pool and circuit breaking settings for each priority level. This means that -// even for HTTP/2 requests, two physical connections will be used to an -// upstream host. In the future Envoy will likely support true HTTP/2 priority -// over a single upstream connection. -enum RoutingPriority { - DEFAULT = 0; - HIGH = 1; -} - -// HTTP request method. -enum RequestMethod { - METHOD_UNSPECIFIED = 0; - GET = 1; - HEAD = 2; - POST = 3; - PUT = 4; - DELETE = 5; - CONNECT = 6; - OPTIONS = 7; - TRACE = 8; - PATCH = 9; -} - -// Identifies the direction of the traffic relative to the local Envoy. -enum TrafficDirection { - // Default option is unspecified. - UNSPECIFIED = 0; - - // The transport is used for incoming traffic. - INBOUND = 1; - - // The transport is used for outgoing traffic. 
- OUTBOUND = 2; -} - -// Identifies location of where either Envoy runs or where upstream hosts run. -message Locality { - option (udpa.annotations.versioning).previous_message_type = "envoy.config.core.v3.Locality"; - - // Region this :ref:`zone ` belongs to. - string region = 1; - - // Defines the local service zone where Envoy is running. Though optional, it - // should be set if discovery service routing is used and the discovery - // service exposes :ref:`zone data `, - // either in this message or via :option:`--service-zone`. The meaning of zone - // is context dependent, e.g. `Availability Zone (AZ) - // `_ - // on AWS, `Zone `_ on - // GCP, etc. - string zone = 2; - - // When used for locality of upstream hosts, this field further splits zone - // into smaller chunks of sub-zones so they can be load balanced - // independently. - string sub_zone = 3; -} - -// BuildVersion combines SemVer version of extension with free-form build information -// (i.e. 'alpha', 'private-build') as a set of strings. -message BuildVersion { - option (udpa.annotations.versioning).previous_message_type = "envoy.config.core.v3.BuildVersion"; - - // SemVer version of extension. - type.v3.SemanticVersion version = 1; - - // Free-form build information. - // Envoy defines several well known keys in the source/common/version/version.h file - google.protobuf.Struct metadata = 2; -} - -// Version and identification for an Envoy extension. -// [#next-free-field: 6] -message Extension { - option (udpa.annotations.versioning).previous_message_type = "envoy.config.core.v3.Extension"; - - // This is the name of the Envoy filter as specified in the Envoy - // configuration, e.g. envoy.filters.http.router, com.acme.widget. - string name = 1; - - // Category of the extension. - // Extension category names use reverse DNS notation. For instance "envoy.filters.listener" - // for Envoy's built-in listener filters or "com.acme.filters.http" for HTTP filters from - // acme.com vendor. 
- // [#comment:TODO(yanavlasov): Link to the doc with existing envoy category names.] - string category = 2; - - // [#not-implemented-hide:] Type descriptor of extension configuration proto. - // [#comment:TODO(yanavlasov): Link to the doc with existing configuration protos.] - // [#comment:TODO(yanavlasov): Add tests when PR #9391 lands.] - string type_descriptor = 3; - - // The version is a property of the extension and maintained independently - // of other extensions and the Envoy API. - // This field is not set when extension did not provide version information. - BuildVersion version = 4; - - // Indicates that the extension is present but was disabled via dynamic configuration. - bool disabled = 5; -} - -// Identifies a specific Envoy instance. The node identifier is presented to the -// management server, which may use this identifier to distinguish per Envoy -// configuration for serving. -// [#next-free-field: 13] -message Node { - option (udpa.annotations.versioning).previous_message_type = "envoy.config.core.v3.Node"; - - reserved 5; - - reserved "build_version"; - - // An opaque node identifier for the Envoy node. This also provides the local - // service node name. It should be set if any of the following features are - // used: :ref:`statsd `, :ref:`CDS - // `, and :ref:`HTTP tracing - // `, either in this message or via - // :option:`--service-node`. - string id = 1; - - // Defines the local service cluster name where Envoy is running. Though - // optional, it should be set if any of the following features are used: - // :ref:`statsd `, :ref:`health check cluster - // verification - // `, - // :ref:`runtime override directory `, - // :ref:`user agent addition - // `, - // :ref:`HTTP global rate limiting `, - // :ref:`CDS `, and :ref:`HTTP tracing - // `, either in this message or via - // :option:`--service-cluster`. - string cluster = 2; - - // Opaque metadata extending the node identifier. 
Envoy will pass this - // directly to the management server. - google.protobuf.Struct metadata = 3; - - // Map from xDS resource type URL to dynamic context parameters. These may vary at runtime (unlike - // other fields in this message). For example, the xDS client may have a shard identifier that - // changes during the lifetime of the xDS client. In Envoy, this would be achieved by updating the - // dynamic context on the Server::Instance's LocalInfo context provider. The shard ID dynamic - // parameter then appears in this field during future discovery requests. - map dynamic_parameters = 12; - - // Locality specifying where the Envoy instance is running. - Locality locality = 4; - - // Free-form string that identifies the entity requesting config. - // E.g. "envoy" or "grpc" - string user_agent_name = 6; - - oneof user_agent_version_type { - // Free-form string that identifies the version of the entity requesting config. - // E.g. "1.12.2" or "abcd1234", or "SpecialEnvoyBuild" - string user_agent_version = 7; - - // Structured version of the entity requesting config. - BuildVersion user_agent_build_version = 8; - } - - // List of extensions and their versions supported by the node. - repeated Extension extensions = 9; - - // Client feature support list. These are well known features described - // in the Envoy API repository for a given major version of an API. Client features - // use reverse DNS naming scheme, for example `com.acme.feature`. - // See :ref:`the list of features ` that xDS client may - // support. - repeated string client_features = 10; - - // Known listening ports on the node as a generic hint to the management server - // for filtering :ref:`listeners ` to be returned. For example, - // if there is a listener bound to port 80, the list can optionally contain the - // SocketAddress `(0.0.0.0,80)`. The field is optional and just a hint. 
- repeated Address hidden_envoy_deprecated_listening_addresses = 11 - [deprecated = true, (envoy.annotations.deprecated_at_minor_version) = "3.0"]; -} - -// Metadata provides additional inputs to filters based on matched listeners, -// filter chains, routes and endpoints. It is structured as a map, usually from -// filter name (in reverse DNS format) to metadata specific to the filter. Metadata -// key-values for a filter are merged as connection and request handling occurs, -// with later values for the same key overriding earlier values. -// -// An example use of metadata is providing additional values to -// http_connection_manager in the envoy.http_connection_manager.access_log -// namespace. -// -// Another example use of metadata is to per service config info in cluster metadata, which may get -// consumed by multiple filters. -// -// For load balancing, Metadata provides a means to subset cluster endpoints. -// Endpoints have a Metadata object associated and routes contain a Metadata -// object to match against. There are some well defined metadata used today for -// this purpose: -// -// * ``{"envoy.lb": {"canary": }}`` This indicates the canary status of an -// endpoint and is also used during header processing -// (x-envoy-upstream-canary) and for stats purposes. -// [#next-major-version: move to type/metadata/v2] -message Metadata { - option (udpa.annotations.versioning).previous_message_type = "envoy.config.core.v3.Metadata"; - - // Key is the reverse DNS filter name, e.g. com.acme.widget. The envoy.* - // namespace is reserved for Envoy's built-in filters. - // If both *filter_metadata* and - // :ref:`typed_filter_metadata ` - // fields are present in the metadata with same keys, - // only *typed_filter_metadata* field will be parsed. - map filter_metadata = 1; - - // Key is the reverse DNS filter name, e.g. com.acme.widget. The envoy.* - // namespace is reserved for Envoy's built-in filters. - // The value is encoded as google.protobuf.Any. 
- // If both :ref:`filter_metadata ` - // and *typed_filter_metadata* fields are present in the metadata with same keys, - // only *typed_filter_metadata* field will be parsed. - map typed_filter_metadata = 2; -} - -// Runtime derived uint32 with a default when not specified. -message RuntimeUInt32 { - option (udpa.annotations.versioning).previous_message_type = "envoy.config.core.v3.RuntimeUInt32"; - - // Default value if runtime value is not available. - uint32 default_value = 2; - - // Runtime key to get value for comparison. This value is used if defined. - string runtime_key = 3 [(validate.rules).string = {min_len: 1}]; -} - -// Runtime derived percentage with a default when not specified. -message RuntimePercent { - option (udpa.annotations.versioning).previous_message_type = - "envoy.config.core.v3.RuntimePercent"; - - // Default value if runtime value is not available. - type.v3.Percent default_value = 1; - - // Runtime key to get value for comparison. This value is used if defined. - string runtime_key = 2 [(validate.rules).string = {min_len: 1}]; -} - -// Runtime derived double with a default when not specified. -message RuntimeDouble { - option (udpa.annotations.versioning).previous_message_type = "envoy.config.core.v3.RuntimeDouble"; - - // Default value if runtime value is not available. - double default_value = 1; - - // Runtime key to get value for comparison. This value is used if defined. - string runtime_key = 2 [(validate.rules).string = {min_len: 1}]; -} - -// Runtime derived bool with a default when not specified. -message RuntimeFeatureFlag { - option (udpa.annotations.versioning).previous_message_type = - "envoy.config.core.v3.RuntimeFeatureFlag"; - - // Default value if runtime value is not available. - google.protobuf.BoolValue default_value = 1 [(validate.rules).message = {required: true}]; - - // Runtime key to get value for comparison. This value is used if defined. 
The boolean value must - // be represented via its - // `canonical JSON encoding `_. - string runtime_key = 2 [(validate.rules).string = {min_len: 1}]; -} - -// Header name/value pair. -message HeaderValue { - option (udpa.annotations.versioning).previous_message_type = "envoy.config.core.v3.HeaderValue"; - - // Header name. - string key = 1 - [(validate.rules).string = - {min_len: 1 max_bytes: 16384 well_known_regex: HTTP_HEADER_NAME strict: false}]; - - // Header value. - // - // The same :ref:`format specifier ` as used for - // :ref:`HTTP access logging ` applies here, however - // unknown header values are replaced with the empty string instead of `-`. - string value = 2 [ - (validate.rules).string = {max_bytes: 16384 well_known_regex: HTTP_HEADER_VALUE strict: false} - ]; -} - -// Header name/value pair plus option to control append behavior. -message HeaderValueOption { - option (udpa.annotations.versioning).previous_message_type = - "envoy.config.core.v3.HeaderValueOption"; - - // Header name/value pair that this option applies to. - HeaderValue header = 1 [(validate.rules).message = {required: true}]; - - // Should the value be appended? If true (default), the value is appended to - // existing values. Otherwise it replaces any existing values. - google.protobuf.BoolValue append = 2; -} - -// Wrapper for a set of headers. -message HeaderMap { - option (udpa.annotations.versioning).previous_message_type = "envoy.config.core.v3.HeaderMap"; - - repeated HeaderValue headers = 1; -} - -// A directory that is watched for changes, e.g. by inotify on Linux. Move/rename -// events inside this directory trigger the watch. -message WatchedDirectory { - option (udpa.annotations.versioning).previous_message_type = - "envoy.config.core.v3.WatchedDirectory"; - - // Directory path to watch. - string path = 1 [(validate.rules).string = {min_len: 1}]; -} - -// Data source consisting of either a file or an inline value. 
-message DataSource { - option (udpa.annotations.versioning).previous_message_type = "envoy.config.core.v3.DataSource"; - - oneof specifier { - option (validate.required) = true; - - // Local filesystem data source. - string filename = 1 [(validate.rules).string = {min_len: 1}]; - - // Bytes inlined in the configuration. - bytes inline_bytes = 2; - - // String inlined in the configuration. - string inline_string = 3; - } -} - -// The message specifies the retry policy of remote data source when fetching fails. -message RetryPolicy { - option (udpa.annotations.versioning).previous_message_type = "envoy.config.core.v3.RetryPolicy"; - - // Specifies parameters that control :ref:`retry backoff strategy `. - // This parameter is optional, in which case the default base interval is 1000 milliseconds. The - // default maximum interval is 10 times the base interval. - BackoffStrategy retry_back_off = 1; - - // Specifies the allowed number of retries. This parameter is optional and - // defaults to 1. - google.protobuf.UInt32Value max_retries = 2; -} - -// The message specifies how to fetch data from remote and how to verify it. -message RemoteDataSource { - option (udpa.annotations.versioning).previous_message_type = - "envoy.config.core.v3.RemoteDataSource"; - - // The HTTP URI to fetch the remote data. - HttpUri http_uri = 1 [(validate.rules).message = {required: true}]; - - // SHA256 string for verifying data. - string sha256 = 2 [(validate.rules).string = {min_len: 1}]; - - // Retry policy for fetching remote data. - RetryPolicy retry_policy = 3; -} - -// Async data source which support async data fetch. -message AsyncDataSource { - option (udpa.annotations.versioning).previous_message_type = - "envoy.config.core.v3.AsyncDataSource"; - - oneof specifier { - option (validate.required) = true; - - // Local async data source. - DataSource local = 1; - - // Remote async data source. 
- RemoteDataSource remote = 2; - } -} - -// Configuration for transport socket in :ref:`listeners ` and -// :ref:`clusters `. If the configuration is -// empty, a default transport socket implementation and configuration will be -// chosen based on the platform and existence of tls_context. -message TransportSocket { - option (udpa.annotations.versioning).previous_message_type = - "envoy.config.core.v3.TransportSocket"; - - reserved 2; - - reserved "config"; - - // The name of the transport socket to instantiate. The name must match a supported transport - // socket implementation. - string name = 1 [(validate.rules).string = {min_len: 1}]; - - // Implementation specific configuration which depends on the implementation being instantiated. - // See the supported transport socket implementations for further documentation. - oneof config_type { - google.protobuf.Any typed_config = 3; - } -} - -// Runtime derived FractionalPercent with defaults for when the numerator or denominator is not -// specified via a runtime key. -// -// .. note:: -// -// Parsing of the runtime key's data is implemented such that it may be represented as a -// :ref:`FractionalPercent ` proto represented as JSON/YAML -// and may also be represented as an integer with the assumption that the value is an integral -// percentage out of 100. For instance, a runtime key lookup returning the value "42" would parse -// as a `FractionalPercent` whose numerator is 42 and denominator is HUNDRED. -message RuntimeFractionalPercent { - option (udpa.annotations.versioning).previous_message_type = - "envoy.config.core.v3.RuntimeFractionalPercent"; - - // Default value if the runtime value's for the numerator/denominator keys are not available. - type.v3.FractionalPercent default_value = 1 [(validate.rules).message = {required: true}]; - - // Runtime key for a YAML representation of a FractionalPercent. - string runtime_key = 2; -} - -// Identifies a specific ControlPlane instance that Envoy is connected to. 
-message ControlPlane { - option (udpa.annotations.versioning).previous_message_type = "envoy.config.core.v3.ControlPlane"; - - // An opaque control plane identifier that uniquely identifies an instance - // of control plane. This can be used to identify which control plane instance, - // the Envoy is connected to. - string identifier = 1; -} diff --git a/generated_api_shadow/envoy/config/core/v4alpha/config_source.proto b/generated_api_shadow/envoy/config/core/v4alpha/config_source.proto deleted file mode 100644 index 34f8a8bdb7a2..000000000000 --- a/generated_api_shadow/envoy/config/core/v4alpha/config_source.proto +++ /dev/null 
@@ -1,220 +0,0 @@ -syntax = "proto3"; - -package envoy.config.core.v4alpha; - -import "envoy/config/core/v4alpha/grpc_service.proto"; - -import "google/protobuf/duration.proto"; -import "google/protobuf/wrappers.proto"; - -import "xds/core/v3/authority.proto"; - -import "envoy/annotations/deprecation.proto"; -import "udpa/annotations/status.proto"; -import "udpa/annotations/versioning.proto"; -import "validate/validate.proto"; - -option java_package = "io.envoyproxy.envoy.config.core.v4alpha"; -option java_outer_classname = "ConfigSourceProto"; -option java_multiple_files = true; -option (udpa.annotations.file_status).package_version_status = NEXT_MAJOR_VERSION_CANDIDATE; - -// [#protodoc-title: Configuration sources] - -// xDS API and non-xDS services version. This is used to describe both resource and transport -// protocol versions (in distinct configuration fields). -enum ApiVersion { - // When not specified, we assume v2, to ease migration to Envoy's stable API - // versioning. If a client does not support v2 (e.g. due to deprecation), this - // is an invalid value. - hidden_envoy_deprecated_AUTO = 0 - [deprecated = true, (envoy.annotations.deprecated_at_minor_version_enum) = "3.0"]; - - // Use xDS v2 API. - hidden_envoy_deprecated_V2 = 1 - [deprecated = true, (envoy.annotations.deprecated_at_minor_version_enum) = "3.0"]; - - // Use xDS v3 API. - V3 = 2; -} - -// API configuration source. This identifies the API type and cluster that Envoy -// will use to fetch an xDS API. -// [#next-free-field: 9] -message ApiConfigSource { - option (udpa.annotations.versioning).previous_message_type = - "envoy.config.core.v3.ApiConfigSource"; - - // APIs may be fetched via either REST or gRPC. - enum ApiType { - // Ideally this would be 'reserved 0' but one can't reserve the default - // value. Instead we throw an exception if this is ever used. 
- hidden_envoy_deprecated_DEPRECATED_AND_UNAVAILABLE_DO_NOT_USE = 0 [ - deprecated = true, - (envoy.annotations.disallowed_by_default_enum) = true, - (envoy.annotations.deprecated_at_minor_version_enum) = "3.0" - ]; - - // REST-JSON v2 API. The `canonical JSON encoding - // `_ for - // the v2 protos is used. - REST = 1; - - // SotW gRPC service. - GRPC = 2; - - // Using the delta xDS gRPC service, i.e. DeltaDiscovery{Request,Response} - // rather than Discovery{Request,Response}. Rather than sending Envoy the entire state - // with every update, the xDS server only sends what has changed since the last update. - DELTA_GRPC = 3; - - // SotW xDS gRPC with ADS. All resources which resolve to this configuration source will be - // multiplexed on a single connection to an ADS endpoint. - // [#not-implemented-hide:] - AGGREGATED_GRPC = 5; - - // Delta xDS gRPC with ADS. All resources which resolve to this configuration source will be - // multiplexed on a single connection to an ADS endpoint. - // [#not-implemented-hide:] - AGGREGATED_DELTA_GRPC = 6; - } - - // API type (gRPC, REST, delta gRPC) - ApiType api_type = 1 [(validate.rules).enum = {defined_only: true}]; - - // API version for xDS transport protocol. This describes the xDS gRPC/REST - // endpoint and version of [Delta]DiscoveryRequest/Response used on the wire. - ApiVersion transport_api_version = 8 [(validate.rules).enum = {defined_only: true}]; - - // Cluster names should be used only with REST. If > 1 - // cluster is defined, clusters will be cycled through if any kind of failure - // occurs. - // - // .. note:: - // - // The cluster with name ``cluster_name`` must be statically defined and its - // type must not be ``EDS``. - repeated string cluster_names = 2; - - // Multiple gRPC services be provided for GRPC. If > 1 cluster is defined, - // services will be cycled through if any kind of failure occurs. - repeated GrpcService grpc_services = 4; - - // For REST APIs, the delay between successive polls. 
- google.protobuf.Duration refresh_delay = 3; - - // For REST APIs, the request timeout. If not set, a default value of 1s will be used. - google.protobuf.Duration request_timeout = 5 [(validate.rules).duration = {gt {}}]; - - // For GRPC APIs, the rate limit settings. If present, discovery requests made by Envoy will be - // rate limited. - RateLimitSettings rate_limit_settings = 6; - - // Skip the node identifier in subsequent discovery requests for streaming gRPC config types. - bool set_node_on_first_message_only = 7; -} - -// Aggregated Discovery Service (ADS) options. This is currently empty, but when -// set in :ref:`ConfigSource ` can be used to -// specify that ADS is to be used. -message AggregatedConfigSource { - option (udpa.annotations.versioning).previous_message_type = - "envoy.config.core.v3.AggregatedConfigSource"; -} - -// [#not-implemented-hide:] -// Self-referencing config source options. This is currently empty, but when -// set in :ref:`ConfigSource ` can be used to -// specify that other data can be obtained from the same server. -message SelfConfigSource { - option (udpa.annotations.versioning).previous_message_type = - "envoy.config.core.v3.SelfConfigSource"; - - // API version for xDS transport protocol. This describes the xDS gRPC/REST - // endpoint and version of [Delta]DiscoveryRequest/Response used on the wire. - ApiVersion transport_api_version = 1 [(validate.rules).enum = {defined_only: true}]; -} - -// Rate Limit settings to be applied for discovery requests made by Envoy. -message RateLimitSettings { - option (udpa.annotations.versioning).previous_message_type = - "envoy.config.core.v3.RateLimitSettings"; - - // Maximum number of tokens to be used for rate limiting discovery request calls. If not set, a - // default value of 100 will be used. - google.protobuf.UInt32Value max_tokens = 1; - - // Rate at which tokens will be filled per second. If not set, a default fill rate of 10 tokens - // per second will be used. 
- google.protobuf.DoubleValue fill_rate = 2 [(validate.rules).double = {gt: 0.0}]; -} - -// Configuration for :ref:`listeners `, :ref:`clusters -// `, :ref:`routes -// `, :ref:`endpoints -// ` etc. may either be sourced from the -// filesystem or from an xDS API source. Filesystem configs are watched with -// inotify for updates. -// [#next-free-field: 8] -message ConfigSource { - option (udpa.annotations.versioning).previous_message_type = "envoy.config.core.v3.ConfigSource"; - - // Authorities that this config source may be used for. An authority specified in a xdstp:// URL - // is resolved to a *ConfigSource* prior to configuration fetch. This field provides the - // association between authority name and configuration source. - // [#not-implemented-hide:] - repeated xds.core.v3.Authority authorities = 7; - - oneof config_source_specifier { - option (validate.required) = true; - - // Path on the filesystem to source and watch for configuration updates. - // When sourcing configuration for :ref:`secret `, - // the certificate and key files are also watched for updates. - // - // .. note:: - // - // The path to the source must exist at config load time. - // - // .. note:: - // - // Envoy will only watch the file path for *moves.* This is because in general only moves - // are atomic. The same method of swapping files as is demonstrated in the - // :ref:`runtime documentation ` can be used here also. - string path = 1; - - // API configuration source. - ApiConfigSource api_config_source = 2; - - // When set, ADS will be used to fetch resources. The ADS API configuration - // source in the bootstrap configuration is used. - AggregatedConfigSource ads = 3; - - // [#not-implemented-hide:] - // When set, the client will access the resources from the same server it got the - // ConfigSource from, although not necessarily from the same stream. This is similar to the - // :ref:`ads` field, except that the client may use a - // different stream to the same server. 
As a result, this field can be used for things - // like LRS that cannot be sent on an ADS stream. It can also be used to link from (e.g.) - // LDS to RDS on the same server without requiring the management server to know its name - // or required credentials. - // [#next-major-version: In xDS v3, consider replacing the ads field with this one, since - // this field can implicitly mean to use the same stream in the case where the ConfigSource - // is provided via ADS and the specified data can also be obtained via ADS.] - SelfConfigSource self = 5; - } - - // When this timeout is specified, Envoy will wait no longer than the specified time for first - // config response on this xDS subscription during the :ref:`initialization process - // `. After reaching the timeout, Envoy will move to the next - // initialization phase, even if the first config is not delivered yet. The timer is activated - // when the xDS API subscription starts, and is disarmed on first config update or on error. 0 - // means no timeout - Envoy will wait indefinitely for the first xDS config (unless another - // timeout applies). The default is 15s. - google.protobuf.Duration initial_fetch_timeout = 4; - - // API version for xDS resources. This implies the type URLs that the client - // will request for resources and the resource type that the client will in - // turn expect to be delivered. - ApiVersion resource_api_version = 6 [(validate.rules).enum = {defined_only: true}]; -} diff --git a/generated_api_shadow/envoy/config/core/v4alpha/event_service_config.proto b/generated_api_shadow/envoy/config/core/v4alpha/event_service_config.proto deleted file mode 100644 index a0b4e5590d1d..000000000000 --- a/generated_api_shadow/envoy/config/core/v4alpha/event_service_config.proto +++ /dev/null 
@@ -1,28 +0,0 @@ -syntax = "proto3"; - -package envoy.config.core.v4alpha; - -import "envoy/config/core/v4alpha/grpc_service.proto"; - -import "udpa/annotations/status.proto"; -import "udpa/annotations/versioning.proto"; -import "validate/validate.proto"; - -option java_package = "io.envoyproxy.envoy.config.core.v4alpha"; -option java_outer_classname = "EventServiceConfigProto"; -option java_multiple_files = true; -option (udpa.annotations.file_status).package_version_status = NEXT_MAJOR_VERSION_CANDIDATE; - -// [#not-implemented-hide:] -// Configuration of the event reporting service endpoint. -message EventServiceConfig { - option (udpa.annotations.versioning).previous_message_type = - "envoy.config.core.v3.EventServiceConfig"; - - oneof config_source_specifier { - option (validate.required) = true; - - // Specifies the gRPC service that hosts the event reporting service. - GrpcService grpc_service = 1; - } -} diff --git a/generated_api_shadow/envoy/config/core/v4alpha/extension.proto b/generated_api_shadow/envoy/config/core/v4alpha/extension.proto deleted file mode 100644 index 4de107580d07..000000000000 --- a/generated_api_shadow/envoy/config/core/v4alpha/extension.proto +++ /dev/null 
@@ -1,68 +0,0 @@ -syntax = "proto3"; - -package envoy.config.core.v4alpha; - -import "envoy/config/core/v4alpha/config_source.proto"; - -import "google/protobuf/any.proto"; - -import "udpa/annotations/status.proto"; -import "udpa/annotations/versioning.proto"; -import "validate/validate.proto"; - -option java_package = "io.envoyproxy.envoy.config.core.v4alpha"; -option java_outer_classname = "ExtensionProto"; -option java_multiple_files = true; -option (udpa.annotations.file_status).package_version_status = NEXT_MAJOR_VERSION_CANDIDATE; - -// [#protodoc-title: Extension configuration] - -// Message type for extension configuration. -// [#next-major-version: revisit all existing typed_config that doesn't use this wrapper.]. -message TypedExtensionConfig { - option (udpa.annotations.versioning).previous_message_type = - "envoy.config.core.v3.TypedExtensionConfig"; - - // The name of an extension. This is not used to select the extension, instead - // it serves the role of an opaque identifier. - string name = 1 [(validate.rules).string = {min_len: 1}]; - - // The typed config for the extension. The type URL will be used to identify - // the extension. In the case that the type URL is *udpa.type.v1.TypedStruct*, - // the inner type URL of *TypedStruct* will be utilized. See the - // :ref:`extension configuration overview - // ` for further details. - google.protobuf.Any typed_config = 2 [(validate.rules).any = {required: true}]; -} - -// Configuration source specifier for a late-bound extension configuration. The -// parent resource is warmed until all the initial extension configurations are -// received, unless the flag to apply the default configuration is set. -// Subsequent extension updates are atomic on a per-worker basis. Once an -// extension configuration is applied to a request or a connection, it remains -// constant for the duration of processing. 
If the initial delivery of the -// extension configuration fails, due to a timeout for example, the optional -// default configuration is applied. Without a default configuration, the -// extension is disabled, until an extension configuration is received. The -// behavior of a disabled extension depends on the context. For example, a -// filter chain with a disabled extension filter rejects all incoming streams. -message ExtensionConfigSource { - option (udpa.annotations.versioning).previous_message_type = - "envoy.config.core.v3.ExtensionConfigSource"; - - ConfigSource config_source = 1 [(validate.rules).any = {required: true}]; - - // Optional default configuration to use as the initial configuration if - // there is a failure to receive the initial extension configuration or if - // `apply_default_config_without_warming` flag is set. - google.protobuf.Any default_config = 2; - - // Use the default config as the initial configuration without warming and - // waiting for the first discovery response. Requires the default configuration - // to be supplied. - bool apply_default_config_without_warming = 3; - - // A set of permitted extension type URLs. Extension configuration updates are rejected - // if they do not match any type URL in the set. - repeated string type_urls = 4 [(validate.rules).repeated = {min_items: 1}]; -} diff --git a/generated_api_shadow/envoy/config/core/v4alpha/grpc_method_list.proto b/generated_api_shadow/envoy/config/core/v4alpha/grpc_method_list.proto deleted file mode 100644 index 371ea32c10f3..000000000000 --- a/generated_api_shadow/envoy/config/core/v4alpha/grpc_method_list.proto +++ /dev/null 
@@ -1,33 +0,0 @@ -syntax = "proto3"; - -package envoy.config.core.v4alpha; - -import "udpa/annotations/status.proto"; -import "udpa/annotations/versioning.proto"; -import "validate/validate.proto"; - -option java_package = "io.envoyproxy.envoy.config.core.v4alpha"; -option java_outer_classname = "GrpcMethodListProto"; -option java_multiple_files = true; -option (udpa.annotations.file_status).package_version_status = NEXT_MAJOR_VERSION_CANDIDATE; - -// [#protodoc-title: gRPC method list] - -// A list of gRPC methods which can be used as an allowlist, for example. -message GrpcMethodList { - option (udpa.annotations.versioning).previous_message_type = - "envoy.config.core.v3.GrpcMethodList"; - - message Service { - option (udpa.annotations.versioning).previous_message_type = - "envoy.config.core.v3.GrpcMethodList.Service"; - - // The name of the gRPC service. - string name = 1 [(validate.rules).string = {min_len: 1}]; - - // The names of the gRPC methods in this service. - repeated string method_names = 2 [(validate.rules).repeated = {min_items: 1}]; - } - - repeated Service services = 1; -} diff --git a/generated_api_shadow/envoy/config/core/v4alpha/grpc_service.proto b/generated_api_shadow/envoy/config/core/v4alpha/grpc_service.proto deleted file mode 100644 index 973983386c2e..000000000000 --- a/generated_api_shadow/envoy/config/core/v4alpha/grpc_service.proto +++ /dev/null 
@@ -1,302 +0,0 @@ -syntax = "proto3"; - -package envoy.config.core.v4alpha; - -import "envoy/config/core/v4alpha/base.proto"; - -import "google/protobuf/any.proto"; -import "google/protobuf/duration.proto"; -import "google/protobuf/empty.proto"; -import "google/protobuf/struct.proto"; -import "google/protobuf/wrappers.proto"; - -import "udpa/annotations/sensitive.proto"; -import "udpa/annotations/status.proto"; -import "udpa/annotations/versioning.proto"; -import "validate/validate.proto"; - -option java_package = "io.envoyproxy.envoy.config.core.v4alpha"; -option java_outer_classname = "GrpcServiceProto"; -option java_multiple_files = true; -option (udpa.annotations.file_status).package_version_status = NEXT_MAJOR_VERSION_CANDIDATE; - -// [#protodoc-title: gRPC services] - -// gRPC service configuration. This is used by :ref:`ApiConfigSource -// ` and filter configurations. -// [#next-free-field: 6] -message GrpcService { - option (udpa.annotations.versioning).previous_message_type = "envoy.config.core.v3.GrpcService"; - - message EnvoyGrpc { - option (udpa.annotations.versioning).previous_message_type = - "envoy.config.core.v3.GrpcService.EnvoyGrpc"; - - // The name of the upstream gRPC cluster. SSL credentials will be supplied - // in the :ref:`Cluster ` :ref:`transport_socket - // `. - string cluster_name = 1 [(validate.rules).string = {min_len: 1}]; - - // The `:authority` header in the grpc request. If this field is not set, the authority header value will be `cluster_name`. - // Note that this authority does not override the SNI. The SNI is provided by the transport socket of the cluster. 
- string authority = 2 - [(validate.rules).string = - {min_len: 0 max_bytes: 16384 well_known_regex: HTTP_HEADER_VALUE strict: false}]; - } - - // [#next-free-field: 9] - message GoogleGrpc { - option (udpa.annotations.versioning).previous_message_type = - "envoy.config.core.v3.GrpcService.GoogleGrpc"; - - // See https://grpc.io/grpc/cpp/structgrpc_1_1_ssl_credentials_options.html. - message SslCredentials { - option (udpa.annotations.versioning).previous_message_type = - "envoy.config.core.v3.GrpcService.GoogleGrpc.SslCredentials"; - - // PEM encoded server root certificates. - DataSource root_certs = 1; - - // PEM encoded client private key. - DataSource private_key = 2 [(udpa.annotations.sensitive) = true]; - - // PEM encoded client certificate chain. - DataSource cert_chain = 3; - } - - // Local channel credentials. Only UDS is supported for now. - // See https://github.com/grpc/grpc/pull/15909. - message GoogleLocalCredentials { - option (udpa.annotations.versioning).previous_message_type = - "envoy.config.core.v3.GrpcService.GoogleGrpc.GoogleLocalCredentials"; - } - - // See https://grpc.io/docs/guides/auth.html#credential-types to understand Channel and Call - // credential types. 
- message ChannelCredentials { - option (udpa.annotations.versioning).previous_message_type = - "envoy.config.core.v3.GrpcService.GoogleGrpc.ChannelCredentials"; - - oneof credential_specifier { - option (validate.required) = true; - - SslCredentials ssl_credentials = 1; - - // https://grpc.io/grpc/cpp/namespacegrpc.html#a6beb3ac70ff94bd2ebbd89b8f21d1f61 - google.protobuf.Empty google_default = 2; - - GoogleLocalCredentials local_credentials = 3; - } - } - - // [#next-free-field: 8] - message CallCredentials { - option (udpa.annotations.versioning).previous_message_type = - "envoy.config.core.v3.GrpcService.GoogleGrpc.CallCredentials"; - - message ServiceAccountJWTAccessCredentials { - option (udpa.annotations.versioning).previous_message_type = - "envoy.config.core.v3.GrpcService.GoogleGrpc.CallCredentials." - "ServiceAccountJWTAccessCredentials"; - - string json_key = 1; - - uint64 token_lifetime_seconds = 2; - } - - message GoogleIAMCredentials { - option (udpa.annotations.versioning).previous_message_type = - "envoy.config.core.v3.GrpcService.GoogleGrpc.CallCredentials.GoogleIAMCredentials"; - - string authorization_token = 1; - - string authority_selector = 2; - } - - message MetadataCredentialsFromPlugin { - option (udpa.annotations.versioning).previous_message_type = - "envoy.config.core.v3.GrpcService.GoogleGrpc.CallCredentials." - "MetadataCredentialsFromPlugin"; - - reserved 2; - - reserved "config"; - - string name = 1; - - // [#extension-category: envoy.grpc_credentials] - oneof config_type { - google.protobuf.Any typed_config = 3; - } - } - - // Security token service configuration that allows Google gRPC to - // fetch security token from an OAuth 2.0 authorization server. - // See https://tools.ietf.org/html/draft-ietf-oauth-token-exchange-16 and - // https://github.com/grpc/grpc/pull/19587. 
- // [#next-free-field: 10] - message StsService { - option (udpa.annotations.versioning).previous_message_type = - "envoy.config.core.v3.GrpcService.GoogleGrpc.CallCredentials.StsService"; - - // URI of the token exchange service that handles token exchange requests. - // [#comment:TODO(asraa): Add URI validation when implemented. Tracked by - // https://github.com/envoyproxy/protoc-gen-validate/issues/303] - string token_exchange_service_uri = 1; - - // Location of the target service or resource where the client - // intends to use the requested security token. - string resource = 2; - - // Logical name of the target service where the client intends to - // use the requested security token. - string audience = 3; - - // The desired scope of the requested security token in the - // context of the service or resource where the token will be used. - string scope = 4; - - // Type of the requested security token. - string requested_token_type = 5; - - // The path of subject token, a security token that represents the - // identity of the party on behalf of whom the request is being made. - string subject_token_path = 6 [(validate.rules).string = {min_len: 1}]; - - // Type of the subject token. - string subject_token_type = 7 [(validate.rules).string = {min_len: 1}]; - - // The path of actor token, a security token that represents the identity - // of the acting party. The acting party is authorized to use the - // requested security token and act on behalf of the subject. - string actor_token_path = 8; - - // Type of the actor token. - string actor_token_type = 9; - } - - oneof credential_specifier { - option (validate.required) = true; - - // Access token credentials. - // https://grpc.io/grpc/cpp/namespacegrpc.html#ad3a80da696ffdaea943f0f858d7a360d. - string access_token = 1; - - // Google Compute Engine credentials. 
- // https://grpc.io/grpc/cpp/namespacegrpc.html#a6beb3ac70ff94bd2ebbd89b8f21d1f61 - google.protobuf.Empty google_compute_engine = 2; - - // Google refresh token credentials. - // https://grpc.io/grpc/cpp/namespacegrpc.html#a96901c997b91bc6513b08491e0dca37c. - string google_refresh_token = 3; - - // Service Account JWT Access credentials. - // https://grpc.io/grpc/cpp/namespacegrpc.html#a92a9f959d6102461f66ee973d8e9d3aa. - ServiceAccountJWTAccessCredentials service_account_jwt_access = 4; - - // Google IAM credentials. - // https://grpc.io/grpc/cpp/namespacegrpc.html#a9fc1fc101b41e680d47028166e76f9d0. - GoogleIAMCredentials google_iam = 5; - - // Custom authenticator credentials. - // https://grpc.io/grpc/cpp/namespacegrpc.html#a823c6a4b19ffc71fb33e90154ee2ad07. - // https://grpc.io/docs/guides/auth.html#extending-grpc-to-support-other-authentication-mechanisms. - MetadataCredentialsFromPlugin from_plugin = 6; - - // Custom security token service which implements OAuth 2.0 token exchange. - // https://tools.ietf.org/html/draft-ietf-oauth-token-exchange-16 - // See https://github.com/grpc/grpc/pull/19587. - StsService sts_service = 7; - } - } - - // Channel arguments. - message ChannelArgs { - option (udpa.annotations.versioning).previous_message_type = - "envoy.config.core.v3.GrpcService.GoogleGrpc.ChannelArgs"; - - message Value { - option (udpa.annotations.versioning).previous_message_type = - "envoy.config.core.v3.GrpcService.GoogleGrpc.ChannelArgs.Value"; - - // Pointer values are not supported, since they don't make any sense when - // delivered via the API. - oneof value_specifier { - option (validate.required) = true; - - string string_value = 1; - - int64 int_value = 2; - } - } - - // See grpc_types.h GRPC_ARG #defines for keys that work here. - map args = 1; - } - - // The target URI when using the `Google C++ gRPC client - // `_. SSL credentials will be supplied in - // :ref:`channel_credentials `. 
- string target_uri = 1 [(validate.rules).string = {min_len: 1}]; - - ChannelCredentials channel_credentials = 2; - - // A set of call credentials that can be composed with `channel credentials - // `_. - repeated CallCredentials call_credentials = 3; - - // The human readable prefix to use when emitting statistics for the gRPC - // service. - // - // .. csv-table:: - // :header: Name, Type, Description - // :widths: 1, 1, 2 - // - // streams_total, Counter, Total number of streams opened - // streams_closed_, Counter, Total streams closed with - string stat_prefix = 4 [(validate.rules).string = {min_len: 1}]; - - // The name of the Google gRPC credentials factory to use. This must have been registered with - // Envoy. If this is empty, a default credentials factory will be used that sets up channel - // credentials based on other configuration parameters. - string credentials_factory_name = 5; - - // Additional configuration for site-specific customizations of the Google - // gRPC library. - google.protobuf.Struct config = 6; - - // How many bytes each stream can buffer internally. - // If not set an implementation defined default is applied (1MiB). - google.protobuf.UInt32Value per_stream_buffer_limit_bytes = 7; - - // Custom channels args. - ChannelArgs channel_args = 8; - } - - reserved 4; - - oneof target_specifier { - option (validate.required) = true; - - // Envoy's in-built gRPC client. - // See the :ref:`gRPC services overview ` - // documentation for discussion on gRPC client selection. - EnvoyGrpc envoy_grpc = 1; - - // `Google C++ gRPC client `_ - // See the :ref:`gRPC services overview ` - // documentation for discussion on gRPC client selection. - GoogleGrpc google_grpc = 2; - } - - // The timeout for the gRPC request. This is the timeout for a specific - // request. - google.protobuf.Duration timeout = 3; - - // Additional metadata to include in streams initiated to the GrpcService. 
This can be used for - // scenarios in which additional ad hoc authorization headers (e.g. ``x-foo-bar: baz-key``) are to - // be injected. For more information, including details on header value syntax, see the - // documentation on :ref:`custom request headers - // `. - repeated HeaderValue initial_metadata = 5; -} diff --git a/generated_api_shadow/envoy/config/core/v4alpha/health_check.proto b/generated_api_shadow/envoy/config/core/v4alpha/health_check.proto deleted file mode 100644 index bf86f26e665e..000000000000 --- a/generated_api_shadow/envoy/config/core/v4alpha/health_check.proto +++ /dev/null 
@@ -1,372 +0,0 @@ -syntax = "proto3"; - -package envoy.config.core.v4alpha; - -import "envoy/config/core/v4alpha/base.proto"; -import "envoy/config/core/v4alpha/event_service_config.proto"; -import "envoy/type/matcher/v4alpha/string.proto"; -import "envoy/type/v3/http.proto"; -import "envoy/type/v3/range.proto"; - -import "google/protobuf/any.proto"; -import "google/protobuf/duration.proto"; -import "google/protobuf/struct.proto"; -import "google/protobuf/wrappers.proto"; - -import "udpa/annotations/status.proto"; -import "udpa/annotations/versioning.proto"; -import "validate/validate.proto"; - -option java_package = "io.envoyproxy.envoy.config.core.v4alpha"; -option java_outer_classname = "HealthCheckProto"; -option java_multiple_files = true; -option (udpa.annotations.file_status).package_version_status = NEXT_MAJOR_VERSION_CANDIDATE; - -// [#protodoc-title: Health check] -// * Health checking :ref:`architecture overview `. -// * If health checking is configured for a cluster, additional statistics are emitted. They are -// documented :ref:`here `. - -// Endpoint health status. -enum HealthStatus { - // The health status is not known. This is interpreted by Envoy as *HEALTHY*. - UNKNOWN = 0; - - // Healthy. - HEALTHY = 1; - - // Unhealthy. - UNHEALTHY = 2; - - // Connection draining in progress. E.g., - // ``_ - // or - // ``_. - // This is interpreted by Envoy as *UNHEALTHY*. - DRAINING = 3; - - // Health check timed out. This is part of HDS and is interpreted by Envoy as - // *UNHEALTHY*. - TIMEOUT = 4; - - // Degraded. - DEGRADED = 5; -} - -// [#next-free-field: 25] -message HealthCheck { - option (udpa.annotations.versioning).previous_message_type = "envoy.config.core.v3.HealthCheck"; - - // Describes the encoding of the payload bytes in the payload. 
- message Payload { - option (udpa.annotations.versioning).previous_message_type = - "envoy.config.core.v3.HealthCheck.Payload"; - - oneof payload { - option (validate.required) = true; - - // Hex encoded payload. E.g., "000000FF". - string text = 1 [(validate.rules).string = {min_len: 1}]; - - // [#not-implemented-hide:] Binary payload. - bytes binary = 2; - } - } - - // [#next-free-field: 12] - message HttpHealthCheck { - option (udpa.annotations.versioning).previous_message_type = - "envoy.config.core.v3.HealthCheck.HttpHealthCheck"; - - reserved 5, 7; - - reserved "service_name", "use_http2"; - - // The value of the host header in the HTTP health check request. If - // left empty (default value), the name of the cluster this health check is associated - // with will be used. The host header can be customized for a specific endpoint by setting the - // :ref:`hostname ` field. - string host = 1 [(validate.rules).string = {well_known_regex: HTTP_HEADER_VALUE strict: false}]; - - // Specifies the HTTP path that will be requested during health checking. For example - // */healthcheck*. - string path = 2 - [(validate.rules).string = {min_len: 1 well_known_regex: HTTP_HEADER_VALUE strict: false}]; - - // [#not-implemented-hide:] HTTP specific payload. - Payload send = 3; - - // [#not-implemented-hide:] HTTP specific response. - Payload receive = 4; - - // Specifies a list of HTTP headers that should be added to each request that is sent to the - // health checked cluster. For more information, including details on header value syntax, see - // the documentation on :ref:`custom request headers - // `. - repeated HeaderValueOption request_headers_to_add = 6 - [(validate.rules).repeated = {max_items: 1000}]; - - // Specifies a list of HTTP headers that should be removed from each request that is sent to the - // health checked cluster. 
- repeated string request_headers_to_remove = 8 [(validate.rules).repeated = { - items {string {well_known_regex: HTTP_HEADER_NAME strict: false}} - }]; - - // Specifies a list of HTTP response statuses considered healthy. If provided, replaces default - // 200-only policy - 200 must be included explicitly as needed. Ranges follow half-open - // semantics of :ref:`Int64Range `. The start and end of each - // range are required. Only statuses in the range [100, 600) are allowed. - repeated type.v3.Int64Range expected_statuses = 9; - - // Use specified application protocol for health checks. - type.v3.CodecClientType codec_client_type = 10 [(validate.rules).enum = {defined_only: true}]; - - // An optional service name parameter which is used to validate the identity of - // the health checked cluster using a :ref:`StringMatcher - // `. See the :ref:`architecture overview - // ` for more information. - type.matcher.v4alpha.StringMatcher service_name_matcher = 11; - } - - message TcpHealthCheck { - option (udpa.annotations.versioning).previous_message_type = - "envoy.config.core.v3.HealthCheck.TcpHealthCheck"; - - // Empty payloads imply a connect-only health check. - Payload send = 1; - - // When checking the response, “fuzzy” matching is performed such that each - // binary block must be found, and in the order specified, but not - // necessarily contiguous. - repeated Payload receive = 2; - } - - message RedisHealthCheck { - option (udpa.annotations.versioning).previous_message_type = - "envoy.config.core.v3.HealthCheck.RedisHealthCheck"; - - // If set, optionally perform ``EXISTS `` instead of ``PING``. A return value - // from Redis of 0 (does not exist) is considered a passing healthcheck. A return value other - // than 0 is considered a failure. This allows the user to mark a Redis instance for maintenance - // by setting the specified key to any value and waiting for traffic to drain. 
- string key = 1; - } - - // `grpc.health.v1.Health - // `_-based - // healthcheck. See `gRPC doc `_ - // for details. - message GrpcHealthCheck { - option (udpa.annotations.versioning).previous_message_type = - "envoy.config.core.v3.HealthCheck.GrpcHealthCheck"; - - // An optional service name parameter which will be sent to gRPC service in - // `grpc.health.v1.HealthCheckRequest - // `_. - // message. See `gRPC health-checking overview - // `_ for more information. - string service_name = 1; - - // The value of the :authority header in the gRPC health check request. If - // left empty (default value), the name of the cluster this health check is associated - // with will be used. The authority header can be customized for a specific endpoint by setting - // the :ref:`hostname ` field. - string authority = 2 - [(validate.rules).string = {well_known_regex: HTTP_HEADER_VALUE strict: false}]; - } - - // Custom health check. - message CustomHealthCheck { - option (udpa.annotations.versioning).previous_message_type = - "envoy.config.core.v3.HealthCheck.CustomHealthCheck"; - - reserved 2; - - reserved "config"; - - // The registered name of the custom health checker. - string name = 1 [(validate.rules).string = {min_len: 1}]; - - // A custom health checker specific configuration which depends on the custom health checker - // being instantiated. See :api:`envoy/config/health_checker` for reference. - // [#extension-category: envoy.health_checkers] - oneof config_type { - google.protobuf.Any typed_config = 3; - } - } - - // Health checks occur over the transport socket specified for the cluster. This implies that if a - // cluster is using a TLS-enabled transport socket, the health check will also occur over TLS. - // - // This allows overriding the cluster TLS settings, just for health check connections. 
- message TlsOptions { - option (udpa.annotations.versioning).previous_message_type = - "envoy.config.core.v3.HealthCheck.TlsOptions"; - - // Specifies the ALPN protocols for health check connections. This is useful if the - // corresponding upstream is using ALPN-based :ref:`FilterChainMatch - // ` along with different protocols for health checks - // versus data connections. If empty, no ALPN protocols will be set on health check connections. - repeated string alpn_protocols = 1; - } - - reserved 10; - - // The time to wait for a health check response. If the timeout is reached the - // health check attempt will be considered a failure. - google.protobuf.Duration timeout = 1 [(validate.rules).duration = { - required: true - gt {} - }]; - - // The interval between health checks. - google.protobuf.Duration interval = 2 [(validate.rules).duration = { - required: true - gt {} - }]; - - // An optional jitter amount in milliseconds. If specified, Envoy will start health - // checking after for a random time in ms between 0 and initial_jitter. This only - // applies to the first health check. - google.protobuf.Duration initial_jitter = 20; - - // An optional jitter amount in milliseconds. If specified, during every - // interval Envoy will add interval_jitter to the wait time. - google.protobuf.Duration interval_jitter = 3; - - // An optional jitter amount as a percentage of interval_ms. If specified, - // during every interval Envoy will add interval_ms * - // interval_jitter_percent / 100 to the wait time. - // - // If interval_jitter_ms and interval_jitter_percent are both set, both of - // them will be used to increase the wait time. - uint32 interval_jitter_percent = 18; - - // The number of unhealthy health checks required before a host is marked - // unhealthy. Note that for *http* health checking if a host responds with 503 - // this threshold is ignored and the host is considered unhealthy immediately. 
- google.protobuf.UInt32Value unhealthy_threshold = 4 [(validate.rules).message = {required: true}]; - - // The number of healthy health checks required before a host is marked - // healthy. Note that during startup, only a single successful health check is - // required to mark a host healthy. - google.protobuf.UInt32Value healthy_threshold = 5 [(validate.rules).message = {required: true}]; - - // [#not-implemented-hide:] Non-serving port for health checking. - google.protobuf.UInt32Value alt_port = 6; - - // Reuse health check connection between health checks. Default is true. - google.protobuf.BoolValue reuse_connection = 7; - - oneof health_checker { - option (validate.required) = true; - - // HTTP health check. - HttpHealthCheck http_health_check = 8; - - // TCP health check. - TcpHealthCheck tcp_health_check = 9; - - // gRPC health check. - GrpcHealthCheck grpc_health_check = 11; - - // Custom health check. - CustomHealthCheck custom_health_check = 13; - } - - // The "no traffic interval" is a special health check interval that is used when a cluster has - // never had traffic routed to it. This lower interval allows cluster information to be kept up to - // date, without sending a potentially large amount of active health checking traffic for no - // reason. Once a cluster has been used for traffic routing, Envoy will shift back to using the - // standard health check interval that is defined. Note that this interval takes precedence over - // any other. - // - // The default value for "no traffic interval" is 60 seconds. - google.protobuf.Duration no_traffic_interval = 12 [(validate.rules).duration = {gt {}}]; - - // The "no traffic healthy interval" is a special health check interval that - // is used for hosts that are currently passing active health checking - // (including new hosts) when the cluster has received no traffic. 
- // - // This is useful for when we want to send frequent health checks with - // `no_traffic_interval` but then revert to lower frequency `no_traffic_healthy_interval` once - // a host in the cluster is marked as healthy. - // - // Once a cluster has been used for traffic routing, Envoy will shift back to using the - // standard health check interval that is defined. - // - // If no_traffic_healthy_interval is not set, it will default to the - // no traffic interval and send that interval regardless of health state. - google.protobuf.Duration no_traffic_healthy_interval = 24 [(validate.rules).duration = {gt {}}]; - - // The "unhealthy interval" is a health check interval that is used for hosts that are marked as - // unhealthy. As soon as the host is marked as healthy, Envoy will shift back to using the - // standard health check interval that is defined. - // - // The default value for "unhealthy interval" is the same as "interval". - google.protobuf.Duration unhealthy_interval = 14 [(validate.rules).duration = {gt {}}]; - - // The "unhealthy edge interval" is a special health check interval that is used for the first - // health check right after a host is marked as unhealthy. For subsequent health checks - // Envoy will shift back to using either "unhealthy interval" if present or the standard health - // check interval that is defined. - // - // The default value for "unhealthy edge interval" is the same as "unhealthy interval". - google.protobuf.Duration unhealthy_edge_interval = 15 [(validate.rules).duration = {gt {}}]; - - // The "healthy edge interval" is a special health check interval that is used for the first - // health check right after a host is marked as healthy. For subsequent health checks - // Envoy will shift back to using the standard health check interval that is defined. - // - // The default value for "healthy edge interval" is the same as the default interval. 
- google.protobuf.Duration healthy_edge_interval = 16 [(validate.rules).duration = {gt {}}]; - - // Specifies the path to the :ref:`health check event log `. - // If empty, no event log will be written. - string event_log_path = 17; - - // [#not-implemented-hide:] - // The gRPC service for the health check event service. - // If empty, health check events won't be sent to a remote endpoint. - EventServiceConfig event_service = 22; - - // If set to true, health check failure events will always be logged. If set to false, only the - // initial health check failure event will be logged. - // The default value is false. - bool always_log_health_check_failures = 19; - - // This allows overriding the cluster TLS settings, just for health check connections. - TlsOptions tls_options = 21; - - // Optional key/value pairs that will be used to match a transport socket from those specified in the cluster's - // :ref:`tranport socket matches `. - // For example, the following match criteria - // - // .. code-block:: yaml - // - // transport_socket_match_criteria: - // useMTLS: true - // - // Will match the following :ref:`cluster socket match ` - // - // .. code-block:: yaml - // - // transport_socket_matches: - // - name: "useMTLS" - // match: - // useMTLS: true - // transport_socket: - // name: envoy.transport_sockets.tls - // config: { ... } # tls socket configuration - // - // If this field is set, then for health checks it will supersede an entry of *envoy.transport_socket* in the - // :ref:`LbEndpoint.Metadata `. - // This allows using different transport socket capabilities for health checking versus proxying to the - // endpoint. - // - // If the key/values pairs specified do not match any - // :ref:`transport socket matches `, - // the cluster's :ref:`transport socket ` - // will be used for health check socket configuration. - google.protobuf.Struct transport_socket_match_criteria = 23; -} 
diff --git a/generated_api_shadow/envoy/config/core/v4alpha/http_uri.proto b/generated_api_shadow/envoy/config/core/v4alpha/http_uri.proto deleted file mode 100644 index ae1c0c9a3d4e..000000000000 --- a/generated_api_shadow/envoy/config/core/v4alpha/http_uri.proto +++ /dev/null @@ -1,56 +0,0 @@ -syntax = "proto3"; - -package envoy.config.core.v4alpha; - -import "google/protobuf/duration.proto"; - -import "udpa/annotations/status.proto"; -import "udpa/annotations/versioning.proto"; -import "validate/validate.proto"; - -option java_package = "io.envoyproxy.envoy.config.core.v4alpha"; -option java_outer_classname = "HttpUriProto"; -option java_multiple_files = true; -option (udpa.annotations.file_status).package_version_status = NEXT_MAJOR_VERSION_CANDIDATE; - -// [#protodoc-title: HTTP Service URI ] - -// Envoy external URI descriptor -message HttpUri { - option (udpa.annotations.versioning).previous_message_type = "envoy.config.core.v3.HttpUri"; - - // The HTTP server URI. It should be a full FQDN with protocol, host and path. - // - // Example: - // - // .. code-block:: yaml - // - // uri: https://www.googleapis.com/oauth2/v1/certs - // - string uri = 1 [(validate.rules).string = {min_len: 1}]; - - // Specify how `uri` is to be fetched. Today, this requires an explicit - // cluster, but in the future we may support dynamic cluster creation or - // inline DNS resolution. See `issue - // `_. - oneof http_upstream_type { - option (validate.required) = true; - - // A cluster is created in the Envoy "cluster_manager" config - // section. This field specifies the cluster name. - // - // Example: - // - // .. code-block:: yaml - // - // cluster: jwks_cluster - // - string cluster = 2 [(validate.rules).string = {min_len: 1}]; - } - - // Sets the maximum duration in milliseconds that a response can take to arrive upon request. - google.protobuf.Duration timeout = 3 [(validate.rules).duration = { - required: true - gte {} - }]; -} 
diff --git a/generated_api_shadow/envoy/config/core/v4alpha/protocol.proto b/generated_api_shadow/envoy/config/core/v4alpha/protocol.proto deleted file mode 100644 index 9c44aa51dd91..000000000000 --- a/generated_api_shadow/envoy/config/core/v4alpha/protocol.proto +++ /dev/null 
@@ -1,509 +0,0 @@ -syntax = "proto3"; - -package envoy.config.core.v4alpha; - -import "envoy/config/core/v4alpha/extension.proto"; -import "envoy/type/v3/percent.proto"; - -import "google/protobuf/duration.proto"; -import "google/protobuf/wrappers.proto"; - -import "envoy/annotations/deprecation.proto"; -import "udpa/annotations/status.proto"; -import "udpa/annotations/versioning.proto"; -import "validate/validate.proto"; - -option java_package = "io.envoyproxy.envoy.config.core.v4alpha"; -option java_outer_classname = "ProtocolProto"; -option java_multiple_files = true; -option (udpa.annotations.file_status).package_version_status = NEXT_MAJOR_VERSION_CANDIDATE; - -// [#protodoc-title: Protocol options] - -// [#not-implemented-hide:] -message TcpProtocolOptions { - option (udpa.annotations.versioning).previous_message_type = - "envoy.config.core.v3.TcpProtocolOptions"; -} - -// QUIC protocol options which apply to both downstream and upstream connections. -message QuicProtocolOptions { - option (udpa.annotations.versioning).previous_message_type = - "envoy.config.core.v3.QuicProtocolOptions"; - - // Maximum number of streams that the client can negotiate per connection. 100 - // if not specified. - google.protobuf.UInt32Value max_concurrent_streams = 1; - - // `Initial stream-level flow-control receive window - // `_ size. Valid values range from - // 1 to 16777216 (2^24, maximum supported by QUICHE) and defaults to 65536 (2^16). - // - // NOTE: 16384 (2^14) is the minimum window size supported in Google QUIC. If configured smaller than it, we will use 16384 instead. - // QUICHE IETF Quic implementation supports 1 bytes window. We only support increasing the default window size now, so it's also the minimum. - // - // This field also acts as a soft limit on the number of bytes Envoy will buffer per-stream in the - // QUIC stream send and receive buffers. 
Once the buffer reaches this pointer, watermark callbacks will fire to - // stop the flow of data to the stream buffers. - google.protobuf.UInt32Value initial_stream_window_size = 2 - [(validate.rules).uint32 = {lte: 16777216 gte: 1}]; - - // Similar to *initial_stream_window_size*, but for connection-level - // flow-control. Valid values rage from 1 to 25165824 (24MB, maximum supported by QUICHE) and defaults to 65536 (2^16). - // window. Currently, this has the same minimum/default as *initial_stream_window_size*. - // - // NOTE: 16384 (2^14) is the minimum window size supported in Google QUIC. We only support increasing the default - // window size now, so it's also the minimum. - google.protobuf.UInt32Value initial_connection_window_size = 3 - [(validate.rules).uint32 = {lte: 25165824 gte: 1}]; -} - -message UpstreamHttpProtocolOptions { - option (udpa.annotations.versioning).previous_message_type = - "envoy.config.core.v3.UpstreamHttpProtocolOptions"; - - // Set transport socket `SNI `_ for new - // upstream connections based on the downstream HTTP host/authority header, as seen by the - // :ref:`router filter `. - bool auto_sni = 1; - - // Automatic validate upstream presented certificate for new upstream connections based on the - // downstream HTTP host/authority header, as seen by the - // :ref:`router filter `. - // This field is intended to set with `auto_sni` field. - bool auto_san_validation = 2; -} - -// Configures the alternate protocols cache which tracks alternate protocols that can be used to -// make an HTTP connection to an origin server. See https://tools.ietf.org/html/rfc7838 for -// HTTP Alternative Services and https://datatracker.ietf.org/doc/html/draft-ietf-dnsop-svcb-https-04 -// for the "HTTPS" DNS resource record. -message AlternateProtocolsCacheOptions { - option (udpa.annotations.versioning).previous_message_type = - "envoy.config.core.v3.AlternateProtocolsCacheOptions"; - - // The name of the cache. 
Multiple named caches allow independent alternate protocols cache - // configurations to operate within a single Envoy process using different configurations. All - // alternate protocols cache options with the same name *must* be equal in all fields when - // referenced from different configuration components. Configuration will fail to load if this is - // not the case. - string name = 1 [(validate.rules).string = {min_len: 1}]; - - // The maximum number of entries that the cache will hold. If not specified defaults to 1024. - // - // .. note: - // - // The implementation is approximate and enforced independently on each worker thread, thus - // it is possible for the maximum entries in the cache to go slightly above the configured - // value depending on timing. This is similar to how other circuit breakers work. - google.protobuf.UInt32Value max_entries = 2 [(validate.rules).uint32 = {gt: 0}]; -} - -// [#next-free-field: 7] -message HttpProtocolOptions { - option (udpa.annotations.versioning).previous_message_type = - "envoy.config.core.v3.HttpProtocolOptions"; - - // Action to take when Envoy receives client request with header names containing underscore - // characters. - // Underscore character is allowed in header names by the RFC-7230 and this behavior is implemented - // as a security measure due to systems that treat '_' and '-' as interchangeable. Envoy by default allows client request headers with underscore - // characters. - enum HeadersWithUnderscoresAction { - // Allow headers with underscores. This is the default behavior. - ALLOW = 0; - - // Reject client request. HTTP/1 requests are rejected with the 400 status. HTTP/2 requests - // end with the stream reset. The "httpN.requests_rejected_with_underscores_in_headers" counter - // is incremented for each rejected request. - REJECT_REQUEST = 1; - - // Drop the header with name containing underscores. 
The header is dropped before the filter chain is - // invoked and as such filters will not see dropped headers. The - // "httpN.dropped_headers_with_underscores" is incremented for each dropped header. - DROP_HEADER = 2; - } - - // The idle timeout for connections. The idle timeout is defined as the - // period in which there are no active requests. When the - // idle timeout is reached the connection will be closed. If the connection is an HTTP/2 - // downstream connection a drain sequence will occur prior to closing the connection, see - // :ref:`drain_timeout - // `. - // Note that request based timeouts mean that HTTP/2 PINGs will not keep the connection alive. - // If not specified, this defaults to 1 hour. To disable idle timeouts explicitly set this to 0. - // - // .. warning:: - // Disabling this timeout has a highly likelihood of yielding connection leaks due to lost TCP - // FIN packets, etc. - // - // If the :ref:`overload action ` "envoy.overload_actions.reduce_timeouts" - // is configured, this timeout is scaled for downstream connections according to the value for - // :ref:`HTTP_DOWNSTREAM_CONNECTION_IDLE `. - google.protobuf.Duration idle_timeout = 1; - - // The maximum duration of a connection. The duration is defined as a period since a connection - // was established. If not set, there is no max duration. When max_connection_duration is reached - // the connection will be closed. Drain sequence will occur prior to closing the connection if - // if's applicable. See :ref:`drain_timeout - // `. - // Note: not implemented for upstream connections. - google.protobuf.Duration max_connection_duration = 3; - - // The maximum number of headers. If unconfigured, the default - // maximum number of request headers allowed is 100. Requests that exceed this limit will receive - // a 431 response for HTTP/1.x and cause a stream reset for HTTP/2. 
- google.protobuf.UInt32Value max_headers_count = 2 [(validate.rules).uint32 = {gte: 1}]; - - // Total duration to keep alive an HTTP request/response stream. If the time limit is reached the stream will be - // reset independent of any other timeouts. If not specified, this value is not set. - google.protobuf.Duration max_stream_duration = 4; - - // Action to take when a client request with a header name containing underscore characters is received. - // If this setting is not specified, the value defaults to ALLOW. - // Note: upstream responses are not affected by this setting. - HeadersWithUnderscoresAction headers_with_underscores_action = 5; - - // Optional maximum requests for both upstream and downstream connections. - // If not specified, there is no limit. - // Setting this parameter to 1 will effectively disable keep alive. - // For HTTP/2 and HTTP/3, due to concurrent stream processing, the limit is approximate. - google.protobuf.UInt32Value max_requests_per_connection = 6; -} - -// [#next-free-field: 8] -message Http1ProtocolOptions { - option (udpa.annotations.versioning).previous_message_type = - "envoy.config.core.v3.Http1ProtocolOptions"; - - // [#next-free-field: 9] - message HeaderKeyFormat { - option (udpa.annotations.versioning).previous_message_type = - "envoy.config.core.v3.Http1ProtocolOptions.HeaderKeyFormat"; - - message ProperCaseWords { - option (udpa.annotations.versioning).previous_message_type = - "envoy.config.core.v3.Http1ProtocolOptions.HeaderKeyFormat.ProperCaseWords"; - } - - oneof header_format { - option (validate.required) = true; - - // Formats the header by proper casing words: the first character and any character following - // a special character will be capitalized if it's an alpha character. For example, - // "content-type" becomes "Content-Type", and "foo$b#$are" becomes "Foo$B#$Are". - // Note that while this results in most headers following conventional casing, certain headers - // are not covered. 
For example, the "TE" header will be formatted as "Te". - ProperCaseWords proper_case_words = 1; - - // Configuration for stateful formatter extensions that allow using received headers to - // affect the output of encoding headers. E.g., preserving case during proxying. - // [#extension-category: envoy.http.stateful_header_formatters] - TypedExtensionConfig stateful_formatter = 8; - } - } - - // Handle HTTP requests with absolute URLs in the requests. These requests - // are generally sent by clients to forward/explicit proxies. This allows clients to configure - // envoy as their HTTP proxy. In Unix, for example, this is typically done by setting the - // *http_proxy* environment variable. - google.protobuf.BoolValue allow_absolute_url = 1; - - // Handle incoming HTTP/1.0 and HTTP 0.9 requests. - // This is off by default, and not fully standards compliant. There is support for pre-HTTP/1.1 - // style connect logic, dechunking, and handling lack of client host iff - // *default_host_for_http_10* is configured. - bool accept_http_10 = 2; - - // A default host for HTTP/1.0 requests. This is highly suggested if *accept_http_10* is true as - // Envoy does not otherwise support HTTP/1.0 without a Host header. - // This is a no-op if *accept_http_10* is not true. - string default_host_for_http_10 = 3; - - // Describes how the keys for response headers should be formatted. By default, all header keys - // are lower cased. - HeaderKeyFormat header_key_format = 4; - - // Enables trailers for HTTP/1. By default the HTTP/1 codec drops proxied trailers. - // - // .. attention:: - // - // Note that this only happens when Envoy is chunk encoding which occurs when: - // - The request is HTTP/1.1. - // - Is neither a HEAD only request nor a HTTP Upgrade. - // - Not a response to a HEAD request. - // - The content length header is not present. 
- bool enable_trailers = 5; - - // Allows Envoy to process requests/responses with both `Content-Length` and `Transfer-Encoding` - // headers set. By default such messages are rejected, but if option is enabled - Envoy will - // remove Content-Length header and process message. - // See `RFC7230, sec. 3.3.3 ` for details. - // - // .. attention:: - // Enabling this option might lead to request smuggling vulnerability, especially if traffic - // is proxied via multiple layers of proxies. - bool allow_chunked_length = 6; - - // Allows invalid HTTP messaging. When this option is false, then Envoy will terminate - // HTTP/1.1 connections upon receiving an invalid HTTP message. However, - // when this option is true, then Envoy will leave the HTTP/1.1 connection - // open where possible. - // If set, this overrides any HCM :ref:`stream_error_on_invalid_http_messaging - // `. - google.protobuf.BoolValue override_stream_error_on_invalid_http_message = 7; -} - -message KeepaliveSettings { - option (udpa.annotations.versioning).previous_message_type = - "envoy.config.core.v3.KeepaliveSettings"; - - // Send HTTP/2 PING frames at this period, in order to test that the connection is still alive. - // If this is zero, interval PINGs will not be sent. - google.protobuf.Duration interval = 1 [(validate.rules).duration = {gte {nanos: 1000000}}]; - - // How long to wait for a response to a keepalive PING. If a response is not received within this - // time period, the connection will be aborted. - google.protobuf.Duration timeout = 2 [(validate.rules).duration = { - required: true - gte {nanos: 1000000} - }]; - - // A random jitter amount as a percentage of interval that will be added to each interval. - // A value of zero means there will be no jitter. - // The default value is 15%. - type.v3.Percent interval_jitter = 3; - - // If the connection has been idle for this duration, send a HTTP/2 ping ahead - // of new stream creation, to quickly detect dead connections. 
- // If this is zero, this type of PING will not be sent. - // If an interval ping is outstanding, a second ping will not be sent as the - // interval ping will determine if the connection is dead. - google.protobuf.Duration connection_idle_interval = 4 - [(validate.rules).duration = {gte {nanos: 1000000}}]; -} - -// [#next-free-field: 16] -message Http2ProtocolOptions { - option (udpa.annotations.versioning).previous_message_type = - "envoy.config.core.v3.Http2ProtocolOptions"; - - // Defines a parameter to be sent in the SETTINGS frame. - // See `RFC7540, sec. 6.5.1 `_ for details. - message SettingsParameter { - option (udpa.annotations.versioning).previous_message_type = - "envoy.config.core.v3.Http2ProtocolOptions.SettingsParameter"; - - // The 16 bit parameter identifier. - google.protobuf.UInt32Value identifier = 1 [ - (validate.rules).uint32 = {lte: 65535 gte: 0}, - (validate.rules).message = {required: true} - ]; - - // The 32 bit parameter value. - google.protobuf.UInt32Value value = 2 [(validate.rules).message = {required: true}]; - } - - // `Maximum table size `_ - // (in octets) that the encoder is permitted to use for the dynamic HPACK table. Valid values - // range from 0 to 4294967295 (2^32 - 1) and defaults to 4096. 0 effectively disables header - // compression. - google.protobuf.UInt32Value hpack_table_size = 1; - - // `Maximum concurrent streams `_ - // allowed for peer on one HTTP/2 connection. Valid values range from 1 to 2147483647 (2^31 - 1) - // and defaults to 2147483647. - // - // For upstream connections, this also limits how many streams Envoy will initiate concurrently - // on a single connection. If the limit is reached, Envoy may queue requests or establish - // additional connections (as allowed per circuit breaker limits). - // - // This acts as an upper bound: Envoy will lower the max concurrent streams allowed on a given - // connection based on upstream settings. 
Config dumps will reflect the configured upper bound, - // not the per-connection negotiated limits. - google.protobuf.UInt32Value max_concurrent_streams = 2 - [(validate.rules).uint32 = {lte: 2147483647 gte: 1}]; - - // `Initial stream-level flow-control window - // `_ size. Valid values range from 65535 - // (2^16 - 1, HTTP/2 default) to 2147483647 (2^31 - 1, HTTP/2 maximum) and defaults to 268435456 - // (256 * 1024 * 1024). - // - // NOTE: 65535 is the initial window size from HTTP/2 spec. We only support increasing the default - // window size now, so it's also the minimum. - // - // This field also acts as a soft limit on the number of bytes Envoy will buffer per-stream in the - // HTTP/2 codec buffers. Once the buffer reaches this pointer, watermark callbacks will fire to - // stop the flow of data to the codec buffers. - google.protobuf.UInt32Value initial_stream_window_size = 3 - [(validate.rules).uint32 = {lte: 2147483647 gte: 65535}]; - - // Similar to *initial_stream_window_size*, but for connection-level flow-control - // window. Currently, this has the same minimum/maximum/default as *initial_stream_window_size*. - google.protobuf.UInt32Value initial_connection_window_size = 4 - [(validate.rules).uint32 = {lte: 2147483647 gte: 65535}]; - - // Allows proxying Websocket and other upgrades over H2 connect. - bool allow_connect = 5; - - // [#not-implemented-hide:] Hiding until envoy has full metadata support. - // Still under implementation. DO NOT USE. - // - // Allows metadata. See [metadata - // docs](https://github.com/envoyproxy/envoy/blob/main/source/docs/h2_metadata.md) for more - // information. - bool allow_metadata = 6; - - // Limit the number of pending outbound downstream frames of all types (frames that are waiting to - // be written into the socket). Exceeding this limit triggers flood mitigation and connection is - // terminated. The ``http2.outbound_flood`` stat tracks the number of terminated connections due - // to flood mitigation. 
The default limit is 10000. - // NOTE: flood and abuse mitigation for upstream connections is presently enabled by the - // `envoy.reloadable_features.upstream_http2_flood_checks` flag. - google.protobuf.UInt32Value max_outbound_frames = 7 [(validate.rules).uint32 = {gte: 1}]; - - // Limit the number of pending outbound downstream frames of types PING, SETTINGS and RST_STREAM, - // preventing high memory utilization when receiving continuous stream of these frames. Exceeding - // this limit triggers flood mitigation and connection is terminated. The - // ``http2.outbound_control_flood`` stat tracks the number of terminated connections due to flood - // mitigation. The default limit is 1000. - // NOTE: flood and abuse mitigation for upstream connections is presently enabled by the - // `envoy.reloadable_features.upstream_http2_flood_checks` flag. - google.protobuf.UInt32Value max_outbound_control_frames = 8 [(validate.rules).uint32 = {gte: 1}]; - - // Limit the number of consecutive inbound frames of types HEADERS, CONTINUATION and DATA with an - // empty payload and no end stream flag. Those frames have no legitimate use and are abusive, but - // might be a result of a broken HTTP/2 implementation. The `http2.inbound_empty_frames_flood`` - // stat tracks the number of connections terminated due to flood mitigation. - // Setting this to 0 will terminate connection upon receiving first frame with an empty payload - // and no end stream flag. The default limit is 1. - // NOTE: flood and abuse mitigation for upstream connections is presently enabled by the - // `envoy.reloadable_features.upstream_http2_flood_checks` flag. - google.protobuf.UInt32Value max_consecutive_inbound_frames_with_empty_payload = 9; - - // Limit the number of inbound PRIORITY frames allowed per each opened stream. 
If the number - // of PRIORITY frames received over the lifetime of connection exceeds the value calculated - // using this formula:: - // - // max_inbound_priority_frames_per_stream * (1 + opened_streams) - // - // the connection is terminated. For downstream connections the `opened_streams` is incremented when - // Envoy receives complete response headers from the upstream server. For upstream connection the - // `opened_streams` is incremented when Envoy send the HEADERS frame for a new stream. The - // ``http2.inbound_priority_frames_flood`` stat tracks - // the number of connections terminated due to flood mitigation. The default limit is 100. - // NOTE: flood and abuse mitigation for upstream connections is presently enabled by the - // `envoy.reloadable_features.upstream_http2_flood_checks` flag. - google.protobuf.UInt32Value max_inbound_priority_frames_per_stream = 10; - - // Limit the number of inbound WINDOW_UPDATE frames allowed per DATA frame sent. If the number - // of WINDOW_UPDATE frames received over the lifetime of connection exceeds the value calculated - // using this formula:: - // - // 5 + 2 * (opened_streams + - // max_inbound_window_update_frames_per_data_frame_sent * outbound_data_frames) - // - // the connection is terminated. For downstream connections the `opened_streams` is incremented when - // Envoy receives complete response headers from the upstream server. For upstream connections the - // `opened_streams` is incremented when Envoy sends the HEADERS frame for a new stream. The - // ``http2.inbound_priority_frames_flood`` stat tracks the number of connections terminated due to - // flood mitigation. The default max_inbound_window_update_frames_per_data_frame_sent value is 10. - // Setting this to 1 should be enough to support HTTP/2 implementations with basic flow control, - // but more complex implementations that try to estimate available bandwidth require at least 2. 
- // NOTE: flood and abuse mitigation for upstream connections is presently enabled by the - // `envoy.reloadable_features.upstream_http2_flood_checks` flag. - google.protobuf.UInt32Value max_inbound_window_update_frames_per_data_frame_sent = 11 - [(validate.rules).uint32 = {gte: 1}]; - - // Allows invalid HTTP messaging and headers. When this option is disabled (default), then - // the whole HTTP/2 connection is terminated upon receiving invalid HEADERS frame. However, - // when this option is enabled, only the offending stream is terminated. - // - // This is overridden by HCM :ref:`stream_error_on_invalid_http_messaging - // ` - // iff present. - // - // This is deprecated in favor of :ref:`override_stream_error_on_invalid_http_message - // ` - // - // See `RFC7540, sec. 8.1 `_ for details. - bool hidden_envoy_deprecated_stream_error_on_invalid_http_messaging = 12 - [deprecated = true, (envoy.annotations.deprecated_at_minor_version) = "3.0"]; - - // Allows invalid HTTP messaging and headers. When this option is disabled (default), then - // the whole HTTP/2 connection is terminated upon receiving invalid HEADERS frame. However, - // when this option is enabled, only the offending stream is terminated. - // - // This overrides any HCM :ref:`stream_error_on_invalid_http_messaging - // ` - // - // See `RFC7540, sec. 8.1 `_ for details. - google.protobuf.BoolValue override_stream_error_on_invalid_http_message = 14; - - // [#not-implemented-hide:] - // Specifies SETTINGS frame parameters to be sent to the peer, with two exceptions: - // - // 1. SETTINGS_ENABLE_PUSH (0x2) is not configurable as HTTP/2 server push is not supported by - // Envoy. - // - // 2. SETTINGS_ENABLE_CONNECT_PROTOCOL (0x8) is only configurable through the named field - // 'allow_connect'. - // - // Note that custom parameters specified through this field can not also be set in the - // corresponding named parameters: - // - // .. 
code-block:: text - // - // ID Field Name - // ---------------- - // 0x1 hpack_table_size - // 0x3 max_concurrent_streams - // 0x4 initial_stream_window_size - // - // Collisions will trigger config validation failure on load/update. Likewise, inconsistencies - // between custom parameters with the same identifier will trigger a failure. - // - // See `IANA HTTP/2 Settings - // `_ for - // standardized identifiers. - repeated SettingsParameter custom_settings_parameters = 13; - - // Send HTTP/2 PING frames to verify that the connection is still healthy. If the remote peer - // does not respond within the configured timeout, the connection will be aborted. - KeepaliveSettings connection_keepalive = 15; -} - -// [#not-implemented-hide:] -message GrpcProtocolOptions { - option (udpa.annotations.versioning).previous_message_type = - "envoy.config.core.v3.GrpcProtocolOptions"; - - Http2ProtocolOptions http2_protocol_options = 1; -} - -// A message which allows using HTTP/3. -message Http3ProtocolOptions { - option (udpa.annotations.versioning).previous_message_type = - "envoy.config.core.v3.Http3ProtocolOptions"; - - QuicProtocolOptions quic_protocol_options = 1; - - // Allows invalid HTTP messaging and headers. When this option is disabled (default), then - // the whole HTTP/3 connection is terminated upon receiving invalid HEADERS frame. However, - // when this option is enabled, only the offending stream is terminated. - // - // If set, this overrides any HCM :ref:`stream_error_on_invalid_http_messaging - // `. - google.protobuf.BoolValue override_stream_error_on_invalid_http_message = 2; -} - -// A message to control transformations to the :scheme header -message SchemeHeaderTransformation { - option (udpa.annotations.versioning).previous_message_type = - "envoy.config.core.v3.SchemeHeaderTransformation"; - - oneof transformation { - // Overwrite any Scheme header with the contents of this string. 
- string scheme_to_overwrite = 1 [(validate.rules).string = {in: "http" in: "https"}]; - } -} diff --git a/generated_api_shadow/envoy/config/core/v4alpha/proxy_protocol.proto b/generated_api_shadow/envoy/config/core/v4alpha/proxy_protocol.proto deleted file mode 100644 index 1650f29d8cab..000000000000 --- a/generated_api_shadow/envoy/config/core/v4alpha/proxy_protocol.proto +++ /dev/null @@ -1,29 +0,0 @@ -syntax = "proto3"; - -package envoy.config.core.v4alpha; - -import "udpa/annotations/status.proto"; -import "udpa/annotations/versioning.proto"; - -option java_package = "io.envoyproxy.envoy.config.core.v4alpha"; -option java_outer_classname = "ProxyProtocolProto"; -option java_multiple_files = true; -option (udpa.annotations.file_status).package_version_status = NEXT_MAJOR_VERSION_CANDIDATE; - -// [#protodoc-title: Proxy Protocol] - -message ProxyProtocolConfig { - option (udpa.annotations.versioning).previous_message_type = - "envoy.config.core.v3.ProxyProtocolConfig"; - - enum Version { - // PROXY protocol version 1. Human readable format. - V1 = 0; - - // PROXY protocol version 2. Binary format. - V2 = 1; - } - - // The PROXY protocol version to use. See https://www.haproxy.org/download/2.1/doc/proxy-protocol.txt for details - Version version = 1; -} diff --git a/generated_api_shadow/envoy/config/core/v4alpha/resolver.proto b/generated_api_shadow/envoy/config/core/v4alpha/resolver.proto deleted file mode 100644 index 4849a54161ce..000000000000 --- a/generated_api_shadow/envoy/config/core/v4alpha/resolver.proto +++ /dev/null 
@@ -1,48 +0,0 @@ -syntax = "proto3"; - -package envoy.config.core.v4alpha; - -import "envoy/config/core/v4alpha/address.proto"; - -import "udpa/annotations/status.proto"; -import "udpa/annotations/versioning.proto"; -import "validate/validate.proto"; - -option java_package = "io.envoyproxy.envoy.config.core.v4alpha"; -option java_outer_classname = "ResolverProto"; -option java_multiple_files = true; -option (udpa.annotations.file_status).package_version_status = NEXT_MAJOR_VERSION_CANDIDATE; - -// [#protodoc-title: Resolver] - -// Configuration of DNS resolver option flags which control the behavior of the DNS resolver. -message DnsResolverOptions { - option (udpa.annotations.versioning).previous_message_type = - "envoy.config.core.v3.DnsResolverOptions"; - - // Use TCP for all DNS queries instead of the default protocol UDP. - // Setting this value causes failure if the - // ``envoy.restart_features.use_apple_api_for_dns_lookups`` runtime value is true during - // server startup. Apple's API only uses UDP for DNS resolution. - bool use_tcp_for_dns_lookups = 1; - - // Do not use the default search domains; only query hostnames as-is or as aliases. - bool no_default_search_domain = 2; -} - -// DNS resolution configuration which includes the underlying dns resolver addresses and options. -message DnsResolutionConfig { - option (udpa.annotations.versioning).previous_message_type = - "envoy.config.core.v3.DnsResolutionConfig"; - - // A list of dns resolver addresses. If specified, the DNS client library will perform resolution - // via the underlying DNS resolvers. Otherwise, the default system resolvers - // (e.g., /etc/resolv.conf) will be used. - // Setting this value causes failure if the - // ``envoy.restart_features.use_apple_api_for_dns_lookups`` runtime value is true during - // server startup. Apple's API only allows overriding DNS resolvers via system settings. 
- repeated Address resolvers = 1 [(validate.rules).repeated = {min_items: 1}]; - - // Configuration of DNS resolver option flags which control the behavior of the DNS resolver. - DnsResolverOptions dns_resolver_options = 2; -} diff --git a/generated_api_shadow/envoy/config/core/v4alpha/socket_option.proto b/generated_api_shadow/envoy/config/core/v4alpha/socket_option.proto deleted file mode 100644 index 7dac394a865d..000000000000 --- a/generated_api_shadow/envoy/config/core/v4alpha/socket_option.proto +++ /dev/null 
@@ -1,56 +0,0 @@ -syntax = "proto3"; - -package envoy.config.core.v4alpha; - -import "udpa/annotations/status.proto"; -import "udpa/annotations/versioning.proto"; -import "validate/validate.proto"; - -option java_package = "io.envoyproxy.envoy.config.core.v4alpha"; -option java_outer_classname = "SocketOptionProto"; -option java_multiple_files = true; -option (udpa.annotations.file_status).package_version_status = NEXT_MAJOR_VERSION_CANDIDATE; - -// [#protodoc-title: Socket Option ] - -// Generic socket option message. This would be used to set socket options that -// might not exist in upstream kernels or precompiled Envoy binaries. -// [#next-free-field: 7] -message SocketOption { - option (udpa.annotations.versioning).previous_message_type = "envoy.config.core.v3.SocketOption"; - - enum SocketState { - // Socket options are applied after socket creation but before binding the socket to a port - STATE_PREBIND = 0; - - // Socket options are applied after binding the socket to a port but before calling listen() - STATE_BOUND = 1; - - // Socket options are applied after calling listen() - STATE_LISTENING = 2; - } - - // An optional name to give this socket option for debugging, etc. - // Uniqueness is not required and no special meaning is assumed. - string description = 1; - - // Corresponding to the level value passed to setsockopt, such as IPPROTO_TCP - int64 level = 2; - - // The numeric name as passed to setsockopt - int64 name = 3; - - oneof value { - option (validate.required) = true; - - // Because many sockopts take an int value. - int64 int_value = 4; - - // Otherwise it's a byte buffer. - bytes buf_value = 5; - } - - // The state in which the option will be applied. When used in BindConfig - // STATE_PREBIND is currently the only valid value. - SocketState state = 6 [(validate.rules).enum = {defined_only: true}]; -} 
diff --git a/generated_api_shadow/envoy/config/core/v4alpha/substitution_format_string.proto b/generated_api_shadow/envoy/config/core/v4alpha/substitution_format_string.proto deleted file mode 100644 index 8bb1a9e53e56..000000000000 --- a/generated_api_shadow/envoy/config/core/v4alpha/substitution_format_string.proto +++ /dev/null 
@@ -1,118 +0,0 @@ -syntax = "proto3"; - -package envoy.config.core.v4alpha; - -import "envoy/config/core/v4alpha/base.proto"; -import "envoy/config/core/v4alpha/extension.proto"; - -import "google/protobuf/struct.proto"; - -import "envoy/annotations/deprecation.proto"; -import "udpa/annotations/status.proto"; -import "udpa/annotations/versioning.proto"; -import "validate/validate.proto"; - -option java_package = "io.envoyproxy.envoy.config.core.v4alpha"; -option java_outer_classname = "SubstitutionFormatStringProto"; -option java_multiple_files = true; -option (udpa.annotations.file_status).package_version_status = NEXT_MAJOR_VERSION_CANDIDATE; - -// [#protodoc-title: Substitution format string] - -// Configuration to use multiple :ref:`command operators ` -// to generate a new string in either plain text or JSON format. -// [#next-free-field: 7] -message SubstitutionFormatString { - option (udpa.annotations.versioning).previous_message_type = - "envoy.config.core.v3.SubstitutionFormatString"; - - oneof format { - option (validate.required) = true; - - // Specify a format with command operators to form a text string. - // Its details is described in :ref:`format string`. - // - // For example, setting ``text_format`` like below, - // - // .. validated-code-block:: yaml - // :type-name: envoy.config.core.v3.SubstitutionFormatString - // - // text_format: "%LOCAL_REPLY_BODY%:%RESPONSE_CODE%:path=%REQ(:path)%\n" - // - // generates plain text similar to: - // - // .. code-block:: text - // - // upstream connect error:503:path=/foo - // - // Deprecated in favor of :ref:`text_format_source `. To migrate text format strings, use the :ref:`inline_string ` field. - string hidden_envoy_deprecated_text_format = 1 - [deprecated = true, (envoy.annotations.deprecated_at_minor_version) = "3.0"]; - - // Specify a format with command operators to form a JSON string. - // Its details is described in :ref:`format dictionary`. 
- // Values are rendered as strings, numbers, or boolean values as appropriate. - // Nested JSON objects may be produced by some command operators (e.g. FILTER_STATE or DYNAMIC_METADATA). - // See the documentation for a specific command operator for details. - // - // .. validated-code-block:: yaml - // :type-name: envoy.config.core.v3.SubstitutionFormatString - // - // json_format: - // status: "%RESPONSE_CODE%" - // message: "%LOCAL_REPLY_BODY%" - // - // The following JSON object would be created: - // - // .. code-block:: json - // - // { - // "status": 500, - // "message": "My error message" - // } - // - google.protobuf.Struct json_format = 2 [(validate.rules).message = {required: true}]; - - // Specify a format with command operators to form a text string. - // Its details is described in :ref:`format string`. - // - // For example, setting ``text_format`` like below, - // - // .. validated-code-block:: yaml - // :type-name: envoy.config.core.v3.SubstitutionFormatString - // - // text_format_source: - // inline_string: "%LOCAL_REPLY_BODY%:%RESPONSE_CODE%:path=%REQ(:path)%\n" - // - // generates plain text similar to: - // - // .. code-block:: text - // - // upstream connect error:503:path=/foo - // - DataSource text_format_source = 5; - } - - // If set to true, when command operators are evaluated to null, - // - // * for ``text_format``, the output of the empty operator is changed from ``-`` to an - // empty string, so that empty values are omitted entirely. - // * for ``json_format`` the keys with null values are omitted in the output structure. - bool omit_empty_values = 3; - - // Specify a *content_type* field. - // If this field is not set then ``text/plain`` is used for *text_format* and - // ``application/json`` is used for *json_format*. - // - // .. 
validated-code-block:: yaml - // :type-name: envoy.config.core.v3.SubstitutionFormatString - // - // content_type: "text/html; charset=UTF-8" - // - string content_type = 4; - - // Specifies a collection of Formatter plugins that can be called from the access log configuration. - // See the formatters extensions documentation for details. - // [#extension-category: envoy.formatter] - repeated TypedExtensionConfig formatters = 6; -} diff --git a/generated_api_shadow/envoy/config/core/v4alpha/udp_socket_config.proto b/generated_api_shadow/envoy/config/core/v4alpha/udp_socket_config.proto deleted file mode 100644 index 5fa6c6ec52dd..000000000000 --- a/generated_api_shadow/envoy/config/core/v4alpha/udp_socket_config.proto +++ /dev/null 
@@ -1,35 +0,0 @@ -syntax = "proto3"; - -package envoy.config.core.v4alpha; - -import "google/protobuf/wrappers.proto"; - -import "udpa/annotations/status.proto"; -import "udpa/annotations/versioning.proto"; -import "validate/validate.proto"; - -option java_package = "io.envoyproxy.envoy.config.core.v4alpha"; -option java_outer_classname = "UdpSocketConfigProto"; -option java_multiple_files = true; -option (udpa.annotations.file_status).package_version_status = NEXT_MAJOR_VERSION_CANDIDATE; - -// [#protodoc-title: UDP socket config] - -// Generic UDP socket configuration. -message UdpSocketConfig { - option (udpa.annotations.versioning).previous_message_type = - "envoy.config.core.v3.UdpSocketConfig"; - - // The maximum size of received UDP datagrams. Using a larger size will cause Envoy to allocate - // more memory per socket. Received datagrams above this size will be dropped. If not set - // defaults to 1500 bytes. - google.protobuf.UInt64Value max_rx_datagram_size = 1 - [(validate.rules).uint64 = {lt: 65536 gt: 0}]; - - // Configures whether Generic Receive Offload (GRO) - // _ is preferred when reading from the - // UDP socket. The default is context dependent and is documented where UdpSocketConfig is used. - // This option affects performance but not functionality. If GRO is not supported by the operating - // system, non-GRO receive will be used. - google.protobuf.BoolValue prefer_gro = 2; -} diff --git a/generated_api_shadow/envoy/config/endpoint/v4alpha/BUILD b/generated_api_shadow/envoy/config/endpoint/v4alpha/BUILD deleted file mode 100644 index 79d52ad4cfbc..000000000000 --- a/generated_api_shadow/envoy/config/endpoint/v4alpha/BUILD +++ /dev/null 
@@ -1,14 +0,0 @@ -# DO NOT EDIT. This file is generated by tools/proto_format/proto_sync.py. - -load("@envoy_api//bazel:api_build_system.bzl", "api_proto_package") - -licenses(["notice"]) # Apache 2 - -api_proto_package( - deps = [ - "//envoy/config/core/v4alpha:pkg", - "//envoy/config/endpoint/v3:pkg", - "//envoy/type/v3:pkg", - "@com_github_cncf_udpa//udpa/annotations:pkg", - ], -) diff --git a/generated_api_shadow/envoy/config/endpoint/v4alpha/endpoint.proto b/generated_api_shadow/envoy/config/endpoint/v4alpha/endpoint.proto deleted file mode 100644 index 6c87e8ffeb6d..000000000000 --- a/generated_api_shadow/envoy/config/endpoint/v4alpha/endpoint.proto +++ /dev/null 
@@ -1,119 +0,0 @@ -syntax = "proto3"; - -package envoy.config.endpoint.v4alpha; - -import "envoy/config/endpoint/v4alpha/endpoint_components.proto"; -import "envoy/type/v3/percent.proto"; - -import "google/protobuf/duration.proto"; -import "google/protobuf/wrappers.proto"; - -import "udpa/annotations/status.proto"; -import "udpa/annotations/versioning.proto"; -import "validate/validate.proto"; - -option java_package = "io.envoyproxy.envoy.config.endpoint.v4alpha"; -option java_outer_classname = "EndpointProto"; -option java_multiple_files = true; -option (udpa.annotations.file_status).package_version_status = NEXT_MAJOR_VERSION_CANDIDATE; - -// [#protodoc-title: Endpoint configuration] -// Endpoint discovery :ref:`architecture overview ` - -// Each route from RDS will map to a single cluster or traffic split across -// clusters using weights expressed in the RDS WeightedCluster. -// -// With EDS, each cluster is treated independently from a LB perspective, with -// LB taking place between the Localities within a cluster and at a finer -// granularity between the hosts within a locality. The percentage of traffic -// for each endpoint is determined by both its load_balancing_weight, and the -// load_balancing_weight of its locality. First, a locality will be selected, -// then an endpoint within that locality will be chose based on its weight. -// [#next-free-field: 6] -message ClusterLoadAssignment { - option (udpa.annotations.versioning).previous_message_type = - "envoy.config.endpoint.v3.ClusterLoadAssignment"; - - // Load balancing policy settings. - // [#next-free-field: 6] - message Policy { - option (udpa.annotations.versioning).previous_message_type = - "envoy.config.endpoint.v3.ClusterLoadAssignment.Policy"; - - // [#not-implemented-hide:] - message DropOverload { - option (udpa.annotations.versioning).previous_message_type = - "envoy.config.endpoint.v3.ClusterLoadAssignment.Policy.DropOverload"; - - // Identifier for the policy specifying the drop. 
- string category = 1 [(validate.rules).string = {min_len: 1}]; - - // Percentage of traffic that should be dropped for the category. - type.v3.FractionalPercent drop_percentage = 2; - } - - reserved 1, 5; - - reserved "disable_overprovisioning"; - - // Action to trim the overall incoming traffic to protect the upstream - // hosts. This action allows protection in case the hosts are unable to - // recover from an outage, or unable to autoscale or unable to handle - // incoming traffic volume for any reason. - // - // At the client each category is applied one after the other to generate - // the 'actual' drop percentage on all outgoing traffic. For example: - // - // .. code-block:: json - // - // { "drop_overloads": [ - // { "category": "throttle", "drop_percentage": 60 } - // { "category": "lb", "drop_percentage": 50 } - // ]} - // - // The actual drop percentages applied to the traffic at the clients will be - // "throttle"_drop = 60% - // "lb"_drop = 20% // 50% of the remaining 'actual' load, which is 40%. - // actual_outgoing_load = 20% // remaining after applying all categories. - // [#not-implemented-hide:] - repeated DropOverload drop_overloads = 2; - - // Priority levels and localities are considered overprovisioned with this - // factor (in percentage). This means that we don't consider a priority - // level or locality unhealthy until the fraction of healthy hosts - // multiplied by the overprovisioning factor drops below 100. - // With the default value 140(1.4), Envoy doesn't consider a priority level - // or a locality unhealthy until their percentage of healthy hosts drops - // below 72%. For example: - // - // .. code-block:: json - // - // { "overprovisioning_factor": 100 } - // - // Read more at :ref:`priority levels ` and - // :ref:`localities `. - google.protobuf.UInt32Value overprovisioning_factor = 3 [(validate.rules).uint32 = {gt: 0}]; - - // The max time until which the endpoints from this assignment can be used. 
- // If no new assignments are received before this time expires the endpoints - // are considered stale and should be marked unhealthy. - // Defaults to 0 which means endpoints never go stale. - google.protobuf.Duration endpoint_stale_after = 4 [(validate.rules).duration = {gt {}}]; - } - - // Name of the cluster. This will be the :ref:`service_name - // ` value if specified - // in the cluster :ref:`EdsClusterConfig - // `. - string cluster_name = 1 [(validate.rules).string = {min_len: 1}]; - - // List of endpoints to load balance to. - repeated LocalityLbEndpoints endpoints = 2; - - // Map of named endpoints that can be referenced in LocalityLbEndpoints. - // [#not-implemented-hide:] - map named_endpoints = 5; - - // Load balancing policy settings. - Policy policy = 4; -} diff --git a/generated_api_shadow/envoy/config/endpoint/v4alpha/endpoint_components.proto b/generated_api_shadow/envoy/config/endpoint/v4alpha/endpoint_components.proto deleted file mode 100644 index 1529458708a9..000000000000 --- a/generated_api_shadow/envoy/config/endpoint/v4alpha/endpoint_components.proto +++ /dev/null 
@@ -1,195 +0,0 @@ -syntax = "proto3"; - -package envoy.config.endpoint.v4alpha; - -import "envoy/config/core/v4alpha/address.proto"; -import "envoy/config/core/v4alpha/base.proto"; -import "envoy/config/core/v4alpha/config_source.proto"; -import "envoy/config/core/v4alpha/health_check.proto"; - -import "google/protobuf/wrappers.proto"; - -import "udpa/annotations/status.proto"; -import "udpa/annotations/versioning.proto"; -import "validate/validate.proto"; - -option java_package = "io.envoyproxy.envoy.config.endpoint.v4alpha"; -option java_outer_classname = "EndpointComponentsProto"; -option java_multiple_files = true; -option (udpa.annotations.file_status).package_version_status = NEXT_MAJOR_VERSION_CANDIDATE; - -// [#protodoc-title: Endpoints] - -// Upstream host identifier. -message Endpoint { - option (udpa.annotations.versioning).previous_message_type = "envoy.config.endpoint.v3.Endpoint"; - - // The optional health check configuration. - message HealthCheckConfig { - option (udpa.annotations.versioning).previous_message_type = - "envoy.config.endpoint.v3.Endpoint.HealthCheckConfig"; - - // Optional alternative health check port value. - // - // By default the health check address port of an upstream host is the same - // as the host's serving address port. This provides an alternative health - // check port. Setting this with a non-zero value allows an upstream host - // to have different health check address port. - uint32 port_value = 1 [(validate.rules).uint32 = {lte: 65535}]; - - // By default, the host header for L7 health checks is controlled by cluster level configuration - // (see: :ref:`host ` and - // :ref:`authority `). Setting this - // to a non-empty value allows overriding the cluster level configuration for a specific - // endpoint. - string hostname = 2; - } - - // The upstream host address. - // - // .. attention:: - // - // The form of host address depends on the given cluster type. 
For STATIC or EDS, - // it is expected to be a direct IP address (or something resolvable by the - // specified :ref:`resolver ` - // in the Address). For LOGICAL or STRICT DNS, it is expected to be hostname, - // and will be resolved via DNS. - core.v4alpha.Address address = 1; - - // The optional health check configuration is used as configuration for the - // health checker to contact the health checked host. - // - // .. attention:: - // - // This takes into effect only for upstream clusters with - // :ref:`active health checking ` enabled. - HealthCheckConfig health_check_config = 2; - - // The hostname associated with this endpoint. This hostname is not used for routing or address - // resolution. If provided, it will be associated with the endpoint, and can be used for features - // that require a hostname, like - // :ref:`auto_host_rewrite `. - string hostname = 3; -} - -// An Endpoint that Envoy can route traffic to. -// [#next-free-field: 6] -message LbEndpoint { - option (udpa.annotations.versioning).previous_message_type = - "envoy.config.endpoint.v3.LbEndpoint"; - - // Upstream host identifier or a named reference. - oneof host_identifier { - Endpoint endpoint = 1; - - // [#not-implemented-hide:] - string endpoint_name = 5; - } - - // Optional health status when known and supplied by EDS server. - core.v4alpha.HealthStatus health_status = 2; - - // The endpoint metadata specifies values that may be used by the load - // balancer to select endpoints in a cluster for a given request. The filter - // name should be specified as *envoy.lb*. An example boolean key-value pair - // is *canary*, providing the optional canary status of the upstream host. - // This may be matched against in a route's - // :ref:`RouteAction ` metadata_match field - // to subset the endpoints considered in cluster load balancing. - core.v4alpha.Metadata metadata = 3; - - // The optional load balancing weight of the upstream host; at least 1. 
- // Envoy uses the load balancing weight in some of the built in load - // balancers. The load balancing weight for an endpoint is divided by the sum - // of the weights of all endpoints in the endpoint's locality to produce a - // percentage of traffic for the endpoint. This percentage is then further - // weighted by the endpoint's locality's load balancing weight from - // LocalityLbEndpoints. If unspecified, each host is presumed to have equal - // weight in a locality. The sum of the weights of all endpoints in the - // endpoint's locality must not exceed uint32_t maximal value (4294967295). - google.protobuf.UInt32Value load_balancing_weight = 4 [(validate.rules).uint32 = {gte: 1}]; -} - -// [#not-implemented-hide:] -// A configuration for a LEDS collection. -message LedsClusterLocalityConfig { - option (udpa.annotations.versioning).previous_message_type = - "envoy.config.endpoint.v3.LedsClusterLocalityConfig"; - - // Configuration for the source of LEDS updates for a Locality. - core.v4alpha.ConfigSource leds_config = 1; - - // The xDS transport protocol glob collection resource name. - // The service is only supported in delta xDS (incremental) mode. - string leds_collection_name = 2; -} - -// A group of endpoints belonging to a Locality. -// One can have multiple LocalityLbEndpoints for a locality, but this is -// generally only done if the different groups need to have different load -// balancing weights or different priorities. -// [#next-free-field: 9] -message LocalityLbEndpoints { - option (udpa.annotations.versioning).previous_message_type = - "envoy.config.endpoint.v3.LocalityLbEndpoints"; - - // [#not-implemented-hide:] - // A list of endpoints of a specific locality. - message LbEndpointList { - option (udpa.annotations.versioning).previous_message_type = - "envoy.config.endpoint.v3.LocalityLbEndpoints.LbEndpointList"; - - repeated LbEndpoint lb_endpoints = 1; - } - - // Identifies location of where the upstream hosts run. 
- core.v4alpha.Locality locality = 1; - - // The group of endpoints belonging to the locality specified. - // [#comment:TODO(adisuissa): Once LEDS is implemented this field needs to be - // deprecated and replaced by *load_balancer_endpoints*.] - repeated LbEndpoint lb_endpoints = 2; - - // [#not-implemented-hide:] - oneof lb_config { - // The group of endpoints belonging to the locality. - // [#comment:TODO(adisuissa): Once LEDS is implemented the *lb_endpoints* field - // needs to be deprecated.] - LbEndpointList load_balancer_endpoints = 7; - - // LEDS Configuration for the current locality. - LedsClusterLocalityConfig leds_cluster_locality_config = 8; - } - - // Optional: Per priority/region/zone/sub_zone weight; at least 1. The load - // balancing weight for a locality is divided by the sum of the weights of all - // localities at the same priority level to produce the effective percentage - // of traffic for the locality. The sum of the weights of all localities at - // the same priority level must not exceed uint32_t maximal value (4294967295). - // - // Locality weights are only considered when :ref:`locality weighted load - // balancing ` is - // configured. These weights are ignored otherwise. If no weights are - // specified when locality weighted load balancing is enabled, the locality is - // assigned no load. - google.protobuf.UInt32Value load_balancing_weight = 3 [(validate.rules).uint32 = {gte: 1}]; - - // Optional: the priority for this LocalityLbEndpoints. If unspecified this will - // default to the highest priority (0). - // - // Under usual circumstances, Envoy will only select endpoints for the highest - // priority (0). In the event all endpoints for a particular priority are - // unavailable/unhealthy, Envoy will fail over to selecting endpoints for the - // next highest priority group. - // - // Priorities should range from 0 (highest) to N (lowest) without skipping. 
- uint32 priority = 5 [(validate.rules).uint32 = {lte: 128}]; - - // Optional: Per locality proximity value which indicates how close this - // locality is from the source locality. This value only provides ordering - // information (lower the value, closer it is to the source locality). - // This will be consumed by load balancing schemes that need proximity order - // to determine where to route the requests. - // [#not-implemented-hide:] - google.protobuf.UInt32Value proximity = 6; -} diff --git a/generated_api_shadow/envoy/config/endpoint/v4alpha/load_report.proto b/generated_api_shadow/envoy/config/endpoint/v4alpha/load_report.proto deleted file mode 100644 index e89fcdadda16..000000000000 --- a/generated_api_shadow/envoy/config/endpoint/v4alpha/load_report.proto +++ /dev/null 
@@ -1,168 +0,0 @@ -syntax = "proto3"; - -package envoy.config.endpoint.v4alpha; - -import "envoy/config/core/v4alpha/address.proto"; -import "envoy/config/core/v4alpha/base.proto"; - -import "google/protobuf/duration.proto"; -import "google/protobuf/struct.proto"; - -import "udpa/annotations/status.proto"; -import "udpa/annotations/versioning.proto"; -import "validate/validate.proto"; - -option java_package = "io.envoyproxy.envoy.config.endpoint.v4alpha"; -option java_outer_classname = "LoadReportProto"; -option java_multiple_files = true; -option (udpa.annotations.file_status).package_version_status = NEXT_MAJOR_VERSION_CANDIDATE; - -// [#protodoc-title: Load Report] - -// These are stats Envoy reports to the management server at a frequency defined by -// :ref:`LoadStatsResponse.load_reporting_interval`. -// Stats per upstream region/zone and optionally per subzone. -// [#next-free-field: 9] -message UpstreamLocalityStats { - option (udpa.annotations.versioning).previous_message_type = - "envoy.config.endpoint.v3.UpstreamLocalityStats"; - - // Name of zone, region and optionally endpoint group these metrics were - // collected from. Zone and region names could be empty if unknown. - core.v4alpha.Locality locality = 1; - - // The total number of requests successfully completed by the endpoints in the - // locality. - uint64 total_successful_requests = 2; - - // The total number of unfinished requests - uint64 total_requests_in_progress = 3; - - // The total number of requests that failed due to errors at the endpoint, - // aggregated over all endpoints in the locality. - uint64 total_error_requests = 4; - - // The total number of requests that were issued by this Envoy since - // the last report. This information is aggregated over all the - // upstream endpoints in the locality. - uint64 total_issued_requests = 8; - - // Stats for multi-dimensional load balancing. 
- repeated EndpointLoadMetricStats load_metric_stats = 5; - - // Endpoint granularity stats information for this locality. This information - // is populated if the Server requests it by setting - // :ref:`LoadStatsResponse.report_endpoint_granularity`. - repeated UpstreamEndpointStats upstream_endpoint_stats = 7; - - // [#not-implemented-hide:] The priority of the endpoint group these metrics - // were collected from. - uint32 priority = 6; -} - -// [#next-free-field: 8] -message UpstreamEndpointStats { - option (udpa.annotations.versioning).previous_message_type = - "envoy.config.endpoint.v3.UpstreamEndpointStats"; - - // Upstream host address. - core.v4alpha.Address address = 1; - - // Opaque and implementation dependent metadata of the - // endpoint. Envoy will pass this directly to the management server. - google.protobuf.Struct metadata = 6; - - // The total number of requests successfully completed by the endpoints in the - // locality. These include non-5xx responses for HTTP, where errors - // originate at the client and the endpoint responded successfully. For gRPC, - // the grpc-status values are those not covered by total_error_requests below. - uint64 total_successful_requests = 2; - - // The total number of unfinished requests for this endpoint. - uint64 total_requests_in_progress = 3; - - // The total number of requests that failed due to errors at the endpoint. - // For HTTP these are responses with 5xx status codes and for gRPC the - // grpc-status values: - // - // - DeadlineExceeded - // - Unimplemented - // - Internal - // - Unavailable - // - Unknown - // - DataLoss - uint64 total_error_requests = 4; - - // The total number of requests that were issued to this endpoint - // since the last report. A single TCP connection, HTTP or gRPC - // request or stream is counted as one request. - uint64 total_issued_requests = 7; - - // Stats for multi-dimensional load balancing. 
- repeated EndpointLoadMetricStats load_metric_stats = 5; -} - -message EndpointLoadMetricStats { - option (udpa.annotations.versioning).previous_message_type = - "envoy.config.endpoint.v3.EndpointLoadMetricStats"; - - // Name of the metric; may be empty. - string metric_name = 1; - - // Number of calls that finished and included this metric. - uint64 num_requests_finished_with_metric = 2; - - // Sum of metric values across all calls that finished with this metric for - // load_reporting_interval. - double total_metric_value = 3; -} - -// Per cluster load stats. Envoy reports these stats a management server in a -// :ref:`LoadStatsRequest` -// Next ID: 7 -// [#next-free-field: 7] -message ClusterStats { - option (udpa.annotations.versioning).previous_message_type = - "envoy.config.endpoint.v3.ClusterStats"; - - message DroppedRequests { - option (udpa.annotations.versioning).previous_message_type = - "envoy.config.endpoint.v3.ClusterStats.DroppedRequests"; - - // Identifier for the policy specifying the drop. - string category = 1 [(validate.rules).string = {min_len: 1}]; - - // Total number of deliberately dropped requests for the category. - uint64 dropped_count = 2; - } - - // The name of the cluster. - string cluster_name = 1 [(validate.rules).string = {min_len: 1}]; - - // The eds_cluster_config service_name of the cluster. - // It's possible that two clusters send the same service_name to EDS, - // in that case, the management server is supposed to do aggregation on the load reports. - string cluster_service_name = 6; - - // Need at least one. - repeated UpstreamLocalityStats upstream_locality_stats = 2 - [(validate.rules).repeated = {min_items: 1}]; - - // Cluster-level stats such as total_successful_requests may be computed by - // summing upstream_locality_stats. In addition, below there are additional - // cluster-wide stats. - // - // The total number of dropped requests. 
This covers requests - // deliberately dropped by the drop_overload policy and circuit breaking. - uint64 total_dropped_requests = 3; - - // Information about deliberately dropped requests for each category specified - // in the DropOverload policy. - repeated DroppedRequests dropped_requests = 5; - - // Period over which the actual load report occurred. This will be guaranteed to include every - // request reported. Due to system load and delays between the *LoadStatsRequest* sent from Envoy - // and the *LoadStatsResponse* message sent from the management server, this may be longer than - // the requested load reporting interval in the *LoadStatsResponse*. - google.protobuf.Duration load_report_interval = 4; -} diff --git a/generated_api_shadow/envoy/config/listener/v4alpha/BUILD b/generated_api_shadow/envoy/config/listener/v4alpha/BUILD deleted file mode 100644 index 6b67fe7e4cdd..000000000000 --- a/generated_api_shadow/envoy/config/listener/v4alpha/BUILD +++ /dev/null @@ -1,17 +0,0 @@ -# DO NOT EDIT. This file is generated by tools/proto_format/proto_sync.py. - -load("@envoy_api//bazel:api_build_system.bzl", "api_proto_package") - -licenses(["notice"]) # Apache 2 - -api_proto_package( - deps = [ - "//envoy/annotations:pkg", - "//envoy/config/accesslog/v4alpha:pkg", - "//envoy/config/core/v4alpha:pkg", - "//envoy/config/listener/v3:pkg", - "//envoy/type/v3:pkg", - "@com_github_cncf_udpa//udpa/annotations:pkg", - "@com_github_cncf_udpa//xds/core/v3:pkg", - ], -) diff --git a/generated_api_shadow/envoy/config/listener/v4alpha/api_listener.proto b/generated_api_shadow/envoy/config/listener/v4alpha/api_listener.proto deleted file mode 100644 index 518caf879ad5..000000000000 --- a/generated_api_shadow/envoy/config/listener/v4alpha/api_listener.proto +++ /dev/null 
@@ -1,33 +0,0 @@ -syntax = "proto3"; - -package envoy.config.listener.v4alpha; - -import "google/protobuf/any.proto"; - -import "udpa/annotations/status.proto"; -import "udpa/annotations/versioning.proto"; - -option java_package = "io.envoyproxy.envoy.config.listener.v4alpha"; -option java_outer_classname = "ApiListenerProto"; -option java_multiple_files = true; -option (udpa.annotations.file_status).package_version_status = NEXT_MAJOR_VERSION_CANDIDATE; - -// [#protodoc-title: API listener] - -// Describes a type of API listener, which is used in non-proxy clients. The type of API -// exposed to the non-proxy application depends on the type of API listener. -message ApiListener { - option (udpa.annotations.versioning).previous_message_type = - "envoy.config.listener.v3.ApiListener"; - - // The type in this field determines the type of API listener. At present, the following - // types are supported: - // envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager (HTTP) - // envoy.extensions.filters.network.http_connection_manager.v3.EnvoyMobileHttpConnectionManager (HTTP) - // [#next-major-version: In the v3 API, replace this Any field with a oneof containing the - // specific config message for each type of API listener. We could not do this in v2 because - // it would have caused circular dependencies for go protos: lds.proto depends on this file, - // and http_connection_manager.proto depends on rds.proto, which is in the same directory as - // lds.proto, so lds.proto cannot depend on this file.] - google.protobuf.Any api_listener = 1; -} diff --git a/generated_api_shadow/envoy/config/listener/v4alpha/listener.proto b/generated_api_shadow/envoy/config/listener/v4alpha/listener.proto deleted file mode 100644 index ccd900b6f4d3..000000000000 --- a/generated_api_shadow/envoy/config/listener/v4alpha/listener.proto +++ /dev/null 
@@ -1,324 +0,0 @@ -syntax = "proto3"; - -package envoy.config.listener.v4alpha; - -import "envoy/config/accesslog/v4alpha/accesslog.proto"; -import "envoy/config/core/v4alpha/address.proto"; -import "envoy/config/core/v4alpha/base.proto"; -import "envoy/config/core/v4alpha/socket_option.proto"; -import "envoy/config/listener/v4alpha/api_listener.proto"; -import "envoy/config/listener/v4alpha/listener_components.proto"; -import "envoy/config/listener/v4alpha/udp_listener_config.proto"; - -import "google/protobuf/duration.proto"; -import "google/protobuf/wrappers.proto"; - -import "xds/core/v3/collection_entry.proto"; - -import "envoy/annotations/deprecation.proto"; -import "udpa/annotations/security.proto"; -import "udpa/annotations/status.proto"; -import "udpa/annotations/versioning.proto"; -import "validate/validate.proto"; - -option java_package = "io.envoyproxy.envoy.config.listener.v4alpha"; -option java_outer_classname = "ListenerProto"; -option java_multiple_files = true; -option (udpa.annotations.file_status).package_version_status = NEXT_MAJOR_VERSION_CANDIDATE; - -// [#protodoc-title: Listener configuration] -// Listener :ref:`configuration overview ` - -// Listener list collections. Entries are *Listener* resources or references. -// [#not-implemented-hide:] -message ListenerCollection { - option (udpa.annotations.versioning).previous_message_type = - "envoy.config.listener.v3.ListenerCollection"; - - repeated xds.core.v3.CollectionEntry entries = 1; -} - -// [#next-free-field: 30] -message Listener { - option (udpa.annotations.versioning).previous_message_type = "envoy.config.listener.v3.Listener"; - - enum DrainType { - // Drain in response to calling /healthcheck/fail admin endpoint (along with the health check - // filter), listener removal/modification, and hot restart. - DEFAULT = 0; - - // Drain in response to listener removal/modification and hot restart. This setting does not - // include /healthcheck/fail. 
This setting may be desirable if Envoy is hosting both ingress - // and egress listeners. - MODIFY_ONLY = 1; - } - - // [#not-implemented-hide:] - message DeprecatedV1 { - option (udpa.annotations.versioning).previous_message_type = - "envoy.config.listener.v3.Listener.DeprecatedV1"; - - // Whether the listener should bind to the port. A listener that doesn't - // bind can only receive connections redirected from other listeners that - // set use_original_dst parameter to true. Default is true. - // - // This is deprecated. Use :ref:`Listener.bind_to_port - // ` - google.protobuf.BoolValue bind_to_port = 1; - } - - // Configuration for listener connection balancing. - message ConnectionBalanceConfig { - option (udpa.annotations.versioning).previous_message_type = - "envoy.config.listener.v3.Listener.ConnectionBalanceConfig"; - - // A connection balancer implementation that does exact balancing. This means that a lock is - // held during balancing so that connection counts are nearly exactly balanced between worker - // threads. This is "nearly" exact in the sense that a connection might close in parallel thus - // making the counts incorrect, but this should be rectified on the next accept. This balancer - // sacrifices accept throughput for accuracy and should be used when there are a small number of - // connections that rarely cycle (e.g., service mesh gRPC egress). - message ExactBalance { - option (udpa.annotations.versioning).previous_message_type = - "envoy.config.listener.v3.Listener.ConnectionBalanceConfig.ExactBalance"; - } - - oneof balance_type { - option (validate.required) = true; - - // If specified, the listener will use the exact connection balancer. - ExactBalance exact_balance = 1; - } - } - - // Configuration for envoy internal listener. All the future internal listener features should be added here. 
- // [#not-implemented-hide:] - message InternalListenerConfig { - option (udpa.annotations.versioning).previous_message_type = - "envoy.config.listener.v3.Listener.InternalListenerConfig"; - } - - reserved 14, 23; - - // The unique name by which this listener is known. If no name is provided, - // Envoy will allocate an internal UUID for the listener. If the listener is to be dynamically - // updated or removed via :ref:`LDS ` a unique name must be provided. - string name = 1; - - // The address that the listener should listen on. In general, the address must be unique, though - // that is governed by the bind rules of the OS. E.g., multiple listeners can listen on port 0 on - // Linux as the actual port will be allocated by the OS. - core.v4alpha.Address address = 2 [(validate.rules).message = {required: true}]; - - // Optional prefix to use on listener stats. If empty, the stats will be rooted at - // `listener.
.`. If non-empty, stats will be rooted at - // `listener..`. - string stat_prefix = 28; - - // A list of filter chains to consider for this listener. The - // :ref:`FilterChain ` with the most specific - // :ref:`FilterChainMatch ` criteria is used on a - // connection. - // - // Example using SNI for filter chain selection can be found in the - // :ref:`FAQ entry `. - repeated FilterChain filter_chains = 3; - - // If a connection is redirected using *iptables*, the port on which the proxy - // receives it might be different from the original destination address. When this flag is set to - // true, the listener hands off redirected connections to the listener associated with the - // original destination address. If there is no listener associated with the original destination - // address, the connection is handled by the listener that receives it. Defaults to false. - google.protobuf.BoolValue use_original_dst = 4; - - // The default filter chain if none of the filter chain matches. If no default filter chain is supplied, - // the connection will be closed. The filter chain match is ignored in this field. - FilterChain default_filter_chain = 25; - - // Soft limit on size of the listener’s new connection read and write buffers. - // If unspecified, an implementation defined default is applied (1MiB). - google.protobuf.UInt32Value per_connection_buffer_limit_bytes = 5 - [(udpa.annotations.security).configure_for_untrusted_downstream = true]; - - // Listener metadata. - core.v4alpha.Metadata metadata = 6; - - // [#not-implemented-hide:] - DeprecatedV1 hidden_envoy_deprecated_deprecated_v1 = 7 - [deprecated = true, (envoy.annotations.deprecated_at_minor_version) = "3.0"]; - - // The type of draining to perform at a listener-wide level. - DrainType drain_type = 8; - - // Listener filters have the opportunity to manipulate and augment the connection metadata that - // is used in connection filter chain matching, for example. 
These filters are run before any in - // :ref:`filter_chains `. Order matters as the - // filters are processed sequentially right after a socket has been accepted by the listener, and - // before a connection is created. - // UDP Listener filters can be specified when the protocol in the listener socket address in - // :ref:`protocol ` is :ref:`UDP - // `. - // UDP listeners currently support a single filter. - repeated ListenerFilter listener_filters = 9; - - // The timeout to wait for all listener filters to complete operation. If the timeout is reached, - // the accepted socket is closed without a connection being created unless - // `continue_on_listener_filters_timeout` is set to true. Specify 0 to disable the - // timeout. If not specified, a default timeout of 15s is used. - google.protobuf.Duration listener_filters_timeout = 15; - - // Whether a connection should be created when listener filters timeout. Default is false. - // - // .. attention:: - // - // Some listener filters, such as :ref:`Proxy Protocol filter - // `, should not be used with this option. It will cause - // unexpected behavior when a connection is created. - bool continue_on_listener_filters_timeout = 17; - - // Whether the listener should be set as a transparent socket. - // When this flag is set to true, connections can be redirected to the listener using an - // *iptables* *TPROXY* target, in which case the original source and destination addresses and - // ports are preserved on accepted connections. This flag should be used in combination with - // :ref:`an original_dst ` :ref:`listener filter - // ` to mark the connections' local addresses as - // "restored." This can be used to hand off each redirected connection to another listener - // associated with the connection's destination address. Direct connections to the socket without - // using *TPROXY* cannot be distinguished from connections redirected using *TPROXY* and are - // therefore treated as if they were redirected. 
- // When this flag is set to false, the listener's socket is explicitly reset as non-transparent. - // Setting this flag requires Envoy to run with the *CAP_NET_ADMIN* capability. - // When this flag is not set (default), the socket is not modified, i.e. the transparent option - // is neither set nor reset. - google.protobuf.BoolValue transparent = 10; - - // Whether the listener should set the *IP_FREEBIND* socket option. When this - // flag is set to true, listeners can be bound to an IP address that is not - // configured on the system running Envoy. When this flag is set to false, the - // option *IP_FREEBIND* is disabled on the socket. When this flag is not set - // (default), the socket is not modified, i.e. the option is neither enabled - // nor disabled. - google.protobuf.BoolValue freebind = 11; - - // Additional socket options that may not be present in Envoy source code or - // precompiled binaries. - repeated core.v4alpha.SocketOption socket_options = 13; - - // Whether the listener should accept TCP Fast Open (TFO) connections. - // When this flag is set to a value greater than 0, the option TCP_FASTOPEN is enabled on - // the socket, with a queue length of the specified size - // (see `details in RFC7413 `_). - // When this flag is set to 0, the option TCP_FASTOPEN is disabled on the socket. - // When this flag is not set (default), the socket is not modified, - // i.e. the option is neither enabled nor disabled. - // - // On Linux, the net.ipv4.tcp_fastopen kernel parameter must include flag 0x2 to enable - // TCP_FASTOPEN. - // See `ip-sysctl.txt `_. - // - // On macOS, only values of 0, 1, and unset are valid; other values may result in an error. - // To set the queue length on macOS, set the net.inet.tcp.fastopen_backlog kernel parameter. - google.protobuf.UInt32Value tcp_fast_open_queue_length = 12; - - // Specifies the intended direction of the traffic relative to the local Envoy. 
- // This property is required on Windows for listeners using the original destination filter, - // see :ref:`Original Destination `. - core.v4alpha.TrafficDirection traffic_direction = 16; - - // If the protocol in the listener socket address in :ref:`protocol - // ` is :ref:`UDP - // `, this field specifies UDP - // listener specific configuration. - UdpListenerConfig udp_listener_config = 18; - - // Used to represent an API listener, which is used in non-proxy clients. The type of API - // exposed to the non-proxy application depends on the type of API listener. - // When this field is set, no other field except for :ref:`name` - // should be set. - // - // .. note:: - // - // Currently only one ApiListener can be installed; and it can only be done via bootstrap config, - // not LDS. - // - // [#next-major-version: In the v3 API, instead of this messy approach where the socket - // listener fields are directly in the top-level Listener message and the API listener types - // are in the ApiListener message, the socket listener messages should be in their own message, - // and the top-level Listener should essentially be a oneof that selects between the - // socket listener and the various types of API listener. That way, a given Listener message - // can structurally only contain the fields of the relevant type.] - ApiListener api_listener = 19; - - // The listener's connection balancer configuration, currently only applicable to TCP listeners. - // If no configuration is specified, Envoy will not attempt to balance active connections between - // worker threads. - // - // In the scenario that the listener X redirects all the connections to the listeners Y1 and Y2 - // by setting :ref:`use_original_dst ` in X - // and :ref:`bind_to_port ` to false in Y1 and Y2, - // it is recommended to disable the balance config in listener X to avoid the cost of balancing, and - // enable the balance config in Y1 and Y2 to balance the connections among the workers. 
- ConnectionBalanceConfig connection_balance_config = 20; - - // Deprecated. Use `enable_reuse_port` instead. - bool hidden_envoy_deprecated_reuse_port = 21 - [deprecated = true, (envoy.annotations.deprecated_at_minor_version) = "3.0"]; - - // When this flag is set to true, listeners set the *SO_REUSEPORT* socket option and - // create one socket for each worker thread. This makes inbound connections - // distribute among worker threads roughly evenly in cases where there are a high number - // of connections. When this flag is set to false, all worker threads share one socket. This field - // defaults to true. - // - // .. attention:: - // - // Although this field defaults to true, it has different behavior on different platforms. See - // the following text for more information. - // - // * On Linux, reuse_port is respected for both TCP and UDP listeners. It also works correctly - // with hot restart. - // * On macOS, reuse_port for TCP does not do what it does on Linux. Instead of load balancing, - // the last socket wins and receives all connections/packets. For TCP, reuse_port is force - // disabled and the user is warned. For UDP, it is enabled, but only one worker will receive - // packets. For QUIC/H3, SW routing will send packets to other workers. For "raw" UDP, only - // a single worker will currently receive packets. - // * On Windows, reuse_port for TCP has undefined behavior. It is force disabled and the user - // is warned similar to macOS. It is left enabled for UDP with undefined behavior currently. - google.protobuf.BoolValue enable_reuse_port = 29; - - // Configuration for :ref:`access logs ` - // emitted by this listener. - repeated accesslog.v4alpha.AccessLog access_log = 22; - - // The maximum length a tcp listener's pending connections queue can grow to. If no value is - // provided net.core.somaxconn will be used on Linux and 128 otherwise. 
- google.protobuf.UInt32Value tcp_backlog_size = 24; - - // Whether the listener should bind to the port. A listener that doesn't - // bind can only receive connections redirected from other listeners that set - // :ref:`use_original_dst ` - // to true. Default is true. - google.protobuf.BoolValue bind_to_port = 26; - - // The exclusive listener type and the corresponding config. - // TODO(lambdai): https://github.com/envoyproxy/envoy/issues/15372 - // Will create and add TcpListenerConfig. Will add UdpListenerConfig and ApiListener. - // [#not-implemented-hide:] - oneof listener_specifier { - // Used to represent an internal listener which does not listen on OSI L4 address but can be used by the - // :ref:`envoy cluster ` to create a user space connection to. - // The internal listener acts as a tcp listener. It supports listener filters and network filter chains. - // The internal listener require :ref:`address ` has - // field `envoy_internal_address`. - // - // There are some limitations are derived from the implementation. The known limitations include - // - // * :ref:`ConnectionBalanceConfig ` is not - // allowed because both cluster connection and listener connection must be owned by the same dispatcher. - // * :ref:`tcp_backlog_size ` - // * :ref:`freebind ` - // * :ref:`transparent ` - // [#not-implemented-hide:] - InternalListenerConfig internal_listener = 27; - } -} diff --git a/generated_api_shadow/envoy/config/listener/v4alpha/listener_components.proto b/generated_api_shadow/envoy/config/listener/v4alpha/listener_components.proto deleted file mode 100644 index 48e068e4ae59..000000000000 --- a/generated_api_shadow/envoy/config/listener/v4alpha/listener_components.proto +++ /dev/null 
@@ -1,363 +0,0 @@ -syntax = "proto3"; - -package envoy.config.listener.v4alpha; - -import "envoy/config/core/v4alpha/address.proto"; -import "envoy/config/core/v4alpha/base.proto"; -import "envoy/config/core/v4alpha/extension.proto"; -import "envoy/type/v3/range.proto"; - -import "google/protobuf/any.proto"; -import "google/protobuf/duration.proto"; -import "google/protobuf/wrappers.proto"; - -import "envoy/annotations/deprecation.proto"; -import "udpa/annotations/status.proto"; -import "udpa/annotations/versioning.proto"; -import "validate/validate.proto"; - -option java_package = "io.envoyproxy.envoy.config.listener.v4alpha"; -option java_outer_classname = "ListenerComponentsProto"; -option java_multiple_files = true; -option (udpa.annotations.file_status).package_version_status = NEXT_MAJOR_VERSION_CANDIDATE; - -// [#protodoc-title: Listener components] -// Listener :ref:`configuration overview ` - -// [#next-free-field: 6] -message Filter { - option (udpa.annotations.versioning).previous_message_type = "envoy.config.listener.v3.Filter"; - - reserved 3, 2; - - reserved "config"; - - // The name of the filter to instantiate. The name must match a - // :ref:`supported filter `. - string name = 1 [(validate.rules).string = {min_len: 1}]; - - oneof config_type { - // Filter specific configuration which depends on the filter being - // instantiated. See the supported filters for further documentation. - // [#extension-category: envoy.filters.network] - google.protobuf.Any typed_config = 4; - - // Configuration source specifier for an extension configuration discovery - // service. In case of a failure and without the default configuration, the - // listener closes the connections. - // [#not-implemented-hide:] - core.v4alpha.ExtensionConfigSource config_discovery = 5; - } -} - -// Specifies the match criteria for selecting a specific filter chain for a -// listener. 
-// -// In order for a filter chain to be selected, *ALL* of its criteria must be -// fulfilled by the incoming connection, properties of which are set by the -// networking stack and/or listener filters. -// -// The following order applies: -// -// 1. Destination port. -// 2. Destination IP address. -// 3. Server name (e.g. SNI for TLS protocol), -// 4. Transport protocol. -// 5. Application protocols (e.g. ALPN for TLS protocol). -// 6. Directly connected source IP address (this will only be different from the source IP address -// when using a listener filter that overrides the source address, such as the :ref:`Proxy Protocol -// listener filter `). -// 7. Source type (e.g. any, local or external network). -// 8. Source IP address. -// 9. Source port. -// -// For criteria that allow ranges or wildcards, the most specific value in any -// of the configured filter chains that matches the incoming connection is going -// to be used (e.g. for SNI ``www.example.com`` the most specific match would be -// ``www.example.com``, then ``*.example.com``, then ``*.com``, then any filter -// chain without ``server_names`` requirements). -// -// A different way to reason about the filter chain matches: -// Suppose there exists N filter chains. Prune the filter chain set using the above 8 steps. -// In each step, filter chains which most specifically matches the attributes continue to the next step. -// The listener guarantees at most 1 filter chain is left after all of the steps. -// -// Example: -// -// For destination port, filter chains specifying the destination port of incoming traffic are the -// most specific match. If none of the filter chains specifies the exact destination port, the filter -// chains which do not specify ports are the most specific match. Filter chains specifying the -// wrong port can never be the most specific match. 
-// -// [#comment: Implemented rules are kept in the preference order, with deprecated fields -// listed at the end, because that's how we want to list them in the docs. -// -// [#comment:TODO(PiotrSikora): Add support for configurable precedence of the rules] -// [#next-free-field: 14] -message FilterChainMatch { - option (udpa.annotations.versioning).previous_message_type = - "envoy.config.listener.v3.FilterChainMatch"; - - enum ConnectionSourceType { - // Any connection source matches. - ANY = 0; - - // Match a connection originating from the same host. - SAME_IP_OR_LOOPBACK = 1; - - // Match a connection originating from a different host. - EXTERNAL = 2; - } - - reserved 1; - - // Optional destination port to consider when use_original_dst is set on the - // listener in determining a filter chain match. - google.protobuf.UInt32Value destination_port = 8 [(validate.rules).uint32 = {lte: 65535 gte: 1}]; - - // If non-empty, an IP address and prefix length to match addresses when the - // listener is bound to 0.0.0.0/:: or when use_original_dst is specified. - repeated core.v4alpha.CidrRange prefix_ranges = 3; - - // If non-empty, an IP address and suffix length to match addresses when the - // listener is bound to 0.0.0.0/:: or when use_original_dst is specified. - // [#not-implemented-hide:] - string address_suffix = 4; - - // [#not-implemented-hide:] - google.protobuf.UInt32Value suffix_len = 5; - - // The criteria is satisfied if the directly connected source IP address of the downstream - // connection is contained in at least one of the specified subnets. If the parameter is not - // specified or the list is empty, the directly connected source IP address is ignored. - repeated core.v4alpha.CidrRange direct_source_prefix_ranges = 13; - - // Specifies the connection source IP match type. Can be any, local or external network. 
- ConnectionSourceType source_type = 12 [(validate.rules).enum = {defined_only: true}]; - - // The criteria is satisfied if the source IP address of the downstream - // connection is contained in at least one of the specified subnets. If the - // parameter is not specified or the list is empty, the source IP address is - // ignored. - repeated core.v4alpha.CidrRange source_prefix_ranges = 6; - - // The criteria is satisfied if the source port of the downstream connection - // is contained in at least one of the specified ports. If the parameter is - // not specified, the source port is ignored. - repeated uint32 source_ports = 7 - [(validate.rules).repeated = {items {uint32 {lte: 65535 gte: 1}}}]; - - // If non-empty, a list of server names (e.g. SNI for TLS protocol) to consider when determining - // a filter chain match. Those values will be compared against the server names of a new - // connection, when detected by one of the listener filters. - // - // The server name will be matched against all wildcard domains, i.e. ``www.example.com`` - // will be first matched against ``www.example.com``, then ``*.example.com``, then ``*.com``. - // - // Note that partial wildcards are not supported, and values like ``*w.example.com`` are invalid. - // - // .. attention:: - // - // See the :ref:`FAQ entry ` on how to configure SNI for more - // information. - repeated string server_names = 11; - - // If non-empty, a transport protocol to consider when determining a filter chain match. - // This value will be compared against the transport protocol of a new connection, when - // it's detected by one of the listener filters. - // - // Suggested values include: - // - // * ``raw_buffer`` - default, used when no transport protocol is detected, - // * ``tls`` - set by :ref:`envoy.filters.listener.tls_inspector ` - // when TLS protocol is detected. - string transport_protocol = 9; - - // If non-empty, a list of application protocols (e.g. 
ALPN for TLS protocol) to consider when - // determining a filter chain match. Those values will be compared against the application - // protocols of a new connection, when detected by one of the listener filters. - // - // Suggested values include: - // - // * ``http/1.1`` - set by :ref:`envoy.filters.listener.tls_inspector - // `, - // * ``h2`` - set by :ref:`envoy.filters.listener.tls_inspector ` - // - // .. attention:: - // - // Currently, only :ref:`TLS Inspector ` provides - // application protocol detection based on the requested - // `ALPN `_ values. - // - // However, the use of ALPN is pretty much limited to the HTTP/2 traffic on the Internet, - // and matching on values other than ``h2`` is going to lead to a lot of false negatives, - // unless all connecting clients are known to use ALPN. - repeated string application_protocols = 10; -} - -// A filter chain wraps a set of match criteria, an option TLS context, a set of filters, and -// various other parameters. -// [#next-free-field: 10] -message FilterChain { - option (udpa.annotations.versioning).previous_message_type = - "envoy.config.listener.v3.FilterChain"; - - // The configuration for on-demand filter chain. If this field is not empty in FilterChain message, - // a filter chain will be built on-demand. - // On-demand filter chains help speedup the warming up of listeners since the building and initialization of - // an on-demand filter chain will be postponed to the arrival of new connection requests that require this filter chain. - // Filter chains that are not often used can be set as on-demand. - message OnDemandConfiguration { - option (udpa.annotations.versioning).previous_message_type = - "envoy.config.listener.v3.FilterChain.OnDemandConfiguration"; - - // The timeout to wait for filter chain placeholders to complete rebuilding. - // 1. If this field is set to 0, timeout is disabled. - // 2. If not specified, a default timeout of 15s is used. 
- // Rebuilding will wait until dependencies are ready, have failed, or this timeout is reached. - // Upon failure or timeout, all connections related to this filter chain will be closed. - // Rebuilding will start again on the next new connection. - google.protobuf.Duration rebuild_timeout = 1; - } - - reserved 2; - - reserved "tls_context"; - - // The criteria to use when matching a connection to this filter chain. - FilterChainMatch filter_chain_match = 1; - - // A list of individual network filters that make up the filter chain for - // connections established with the listener. Order matters as the filters are - // processed sequentially as connection events happen. Note: If the filter - // list is empty, the connection will close by default. - repeated Filter filters = 3; - - // Whether the listener should expect a PROXY protocol V1 header on new - // connections. If this option is enabled, the listener will assume that that - // remote address of the connection is the one specified in the header. Some - // load balancers including the AWS ELB support this option. If the option is - // absent or set to false, Envoy will use the physical peer address of the - // connection as the remote address. - // - // This field is deprecated. Add a - // :ref:`PROXY protocol listener filter ` - // explicitly instead. - google.protobuf.BoolValue hidden_envoy_deprecated_use_proxy_proto = 4 - [deprecated = true, (envoy.annotations.deprecated_at_minor_version) = "3.0"]; - - // [#not-implemented-hide:] filter chain metadata. - core.v4alpha.Metadata metadata = 5; - - // Optional custom transport socket implementation to use for downstream connections. - // To setup TLS, set a transport socket with name `envoy.transport_sockets.tls` and - // :ref:`DownstreamTlsContext ` in the `typed_config`. - // If no transport socket configuration is specified, new connections - // will be set up with plaintext. 
- // [#extension-category: envoy.transport_sockets.downstream] - core.v4alpha.TransportSocket transport_socket = 6; - - // If present and nonzero, the amount of time to allow incoming connections to complete any - // transport socket negotiations. If this expires before the transport reports connection - // establishment, the connection is summarily closed. - google.protobuf.Duration transport_socket_connect_timeout = 9; - - // [#not-implemented-hide:] The unique name (or empty) by which this filter chain is known. If no - // name is provided, Envoy will allocate an internal UUID for the filter chain. If the filter - // chain is to be dynamically updated or removed via FCDS a unique name must be provided. - string name = 7; - - // [#not-implemented-hide:] The configuration to specify whether the filter chain will be built on-demand. - // If this field is not empty, the filter chain will be built on-demand. - // Otherwise, the filter chain will be built normally and block listener warming. - OnDemandConfiguration on_demand_configuration = 8; -} - -// Listener filter chain match configuration. This is a recursive structure which allows complex -// nested match configurations to be built using various logical operators. -// -// Examples: -// -// * Matches if the destination port is 3306. -// -// .. code-block:: yaml -// -// destination_port_range: -// start: 3306 -// end: 3307 -// -// * Matches if the destination port is 3306 or 15000. -// -// .. code-block:: yaml -// -// or_match: -// rules: -// - destination_port_range: -// start: 3306 -// end: 3307 -// - destination_port_range: -// start: 15000 -// end: 15001 -// -// [#next-free-field: 6] -message ListenerFilterChainMatchPredicate { - option (udpa.annotations.versioning).previous_message_type = - "envoy.config.listener.v3.ListenerFilterChainMatchPredicate"; - - // A set of match configurations used for logical operations. 
- message MatchSet { - option (udpa.annotations.versioning).previous_message_type = - "envoy.config.listener.v3.ListenerFilterChainMatchPredicate.MatchSet"; - - // The list of rules that make up the set. - repeated ListenerFilterChainMatchPredicate rules = 1 - [(validate.rules).repeated = {min_items: 2}]; - } - - oneof rule { - option (validate.required) = true; - - // A set that describes a logical OR. If any member of the set matches, the match configuration - // matches. - MatchSet or_match = 1; - - // A set that describes a logical AND. If all members of the set match, the match configuration - // matches. - MatchSet and_match = 2; - - // A negation match. The match configuration will match if the negated match condition matches. - ListenerFilterChainMatchPredicate not_match = 3; - - // The match configuration will always match. - bool any_match = 4 [(validate.rules).bool = {const: true}]; - - // Match destination port. Particularly, the match evaluation must use the recovered local port if - // the owning listener filter is after :ref:`an original_dst listener filter `. - type.v3.Int32Range destination_port_range = 5; - } -} - -message ListenerFilter { - option (udpa.annotations.versioning).previous_message_type = - "envoy.config.listener.v3.ListenerFilter"; - - reserved 2; - - reserved "config"; - - // The name of the filter to instantiate. The name must match a - // :ref:`supported filter `. - string name = 1 [(validate.rules).string = {min_len: 1}]; - - oneof config_type { - // Filter specific configuration which depends on the filter being - // instantiated. See the supported filters for further documentation. - // [#extension-category: envoy.filters.listener,envoy.filters.udp_listener] - google.protobuf.Any typed_config = 3; - } - - // Optional match predicate used to disable the filter. The filter is enabled when this field is empty. - // See :ref:`ListenerFilterChainMatchPredicate ` - // for further examples. 
- ListenerFilterChainMatchPredicate filter_disabled = 4; -} diff --git a/generated_api_shadow/envoy/config/listener/v4alpha/quic_config.proto b/generated_api_shadow/envoy/config/listener/v4alpha/quic_config.proto deleted file mode 100644 index 0b6d6bd7584c..000000000000 --- a/generated_api_shadow/envoy/config/listener/v4alpha/quic_config.proto +++ /dev/null 
@@ -1,62 +0,0 @@ -syntax = "proto3"; - -package envoy.config.listener.v4alpha; - -import "envoy/config/core/v4alpha/base.proto"; -import "envoy/config/core/v4alpha/extension.proto"; -import "envoy/config/core/v4alpha/protocol.proto"; - -import "google/protobuf/duration.proto"; -import "google/protobuf/wrappers.proto"; - -import "udpa/annotations/status.proto"; -import "udpa/annotations/versioning.proto"; -import "validate/validate.proto"; - -option java_package = "io.envoyproxy.envoy.config.listener.v4alpha"; -option java_outer_classname = "QuicConfigProto"; -option java_multiple_files = true; -option (udpa.annotations.file_status).package_version_status = NEXT_MAJOR_VERSION_CANDIDATE; - -// [#protodoc-title: QUIC listener config] - -// Configuration specific to the UDP QUIC listener. -// [#next-free-field: 8] -message QuicProtocolOptions { - option (udpa.annotations.versioning).previous_message_type = - "envoy.config.listener.v3.QuicProtocolOptions"; - - core.v4alpha.QuicProtocolOptions quic_protocol_options = 1; - - // Maximum number of milliseconds that connection will be alive when there is - // no network activity. 300000ms if not specified. - google.protobuf.Duration idle_timeout = 2; - - // Connection timeout in milliseconds before the crypto handshake is finished. - // 20000ms if not specified. - google.protobuf.Duration crypto_handshake_timeout = 3; - - // Runtime flag that controls whether the listener is enabled or not. If not specified, defaults - // to enabled. - core.v4alpha.RuntimeFeatureFlag enabled = 4; - - // A multiplier to number of connections which is used to determine how many packets to read per - // event loop. A reasonable number should allow the listener to process enough payload but not - // starve TCP and other UDP sockets and also prevent long event loop duration. - // The default value is 32. This means if there are N QUIC connections, the total number of - // packets to read in each read event will be 32 * N. 
- // The actual number of packets to read in total by the UDP listener is also - // bound by 6000, regardless of this field or how many connections there are. - google.protobuf.UInt32Value packets_to_read_to_connection_count_ratio = 5 - [(validate.rules).uint32 = {gte: 1}]; - - // Configure which implementation of `quic::QuicCryptoClientStreamBase` to be used for this listener. - // If not specified the :ref:`QUICHE default one configured by ` will be used. - // [#extension-category: envoy.quic.server.crypto_stream] - core.v4alpha.TypedExtensionConfig crypto_stream_config = 6; - - // Configure which implementation of `quic::ProofSource` to be used for this listener. - // If not specified the :ref:`default one configured by ` will be used. - // [#extension-category: envoy.quic.proof_source] - core.v4alpha.TypedExtensionConfig proof_source_config = 7; -} diff --git a/generated_api_shadow/envoy/config/listener/v4alpha/udp_listener_config.proto b/generated_api_shadow/envoy/config/listener/v4alpha/udp_listener_config.proto deleted file mode 100644 index 3cd272de3172..000000000000 --- a/generated_api_shadow/envoy/config/listener/v4alpha/udp_listener_config.proto +++ /dev/null 
@@ -1,46 +0,0 @@ -syntax = "proto3"; - -package envoy.config.listener.v4alpha; - -import "envoy/config/core/v4alpha/udp_socket_config.proto"; -import "envoy/config/listener/v4alpha/quic_config.proto"; - -import "udpa/annotations/status.proto"; -import "udpa/annotations/versioning.proto"; - -option java_package = "io.envoyproxy.envoy.config.listener.v4alpha"; -option java_outer_classname = "UdpListenerConfigProto"; -option java_multiple_files = true; -option (udpa.annotations.file_status).package_version_status = NEXT_MAJOR_VERSION_CANDIDATE; - -// [#protodoc-title: UDP listener config] -// Listener :ref:`configuration overview ` - -// [#next-free-field: 8] -message UdpListenerConfig { - option (udpa.annotations.versioning).previous_message_type = - "envoy.config.listener.v3.UdpListenerConfig"; - - reserved 1, 2, 3, 4, 6; - - reserved "config"; - - // UDP socket configuration for the listener. The default for - // :ref:`prefer_gro ` is false for - // listener sockets. If receiving a large amount of datagrams from a small number of sources, it - // may be worthwhile to enable this option after performance testing. - core.v4alpha.UdpSocketConfig downstream_socket_config = 5; - - // Configuration for QUIC protocol. If empty, QUIC will not be enabled on this listener. Set - // to the default object to enable QUIC without modifying any additional options. - // - // .. warning:: - // QUIC support is currently alpha and should be used with caution. Please - // see :ref:`here ` for details. - QuicProtocolOptions quic_options = 7; -} - -message ActiveRawUdpListenerConfig { - option (udpa.annotations.versioning).previous_message_type = - "envoy.config.listener.v3.ActiveRawUdpListenerConfig"; -} diff --git a/generated_api_shadow/envoy/config/metrics/v4alpha/BUILD b/generated_api_shadow/envoy/config/metrics/v4alpha/BUILD deleted file mode 100644 index 9f8473e290ae..000000000000 --- a/generated_api_shadow/envoy/config/metrics/v4alpha/BUILD +++ /dev/null 
@@ -1,14 +0,0 @@ -# DO NOT EDIT. This file is generated by tools/proto_format/proto_sync.py. - -load("@envoy_api//bazel:api_build_system.bzl", "api_proto_package") - -licenses(["notice"]) # Apache 2 - -api_proto_package( - deps = [ - "//envoy/config/core/v4alpha:pkg", - "//envoy/config/metrics/v3:pkg", - "//envoy/type/matcher/v4alpha:pkg", - "@com_github_cncf_udpa//udpa/annotations:pkg", - ], -) diff --git a/generated_api_shadow/envoy/config/metrics/v4alpha/metrics_service.proto b/generated_api_shadow/envoy/config/metrics/v4alpha/metrics_service.proto deleted file mode 100644 index fe530b34e690..000000000000 --- a/generated_api_shadow/envoy/config/metrics/v4alpha/metrics_service.proto +++ /dev/null 
@@ -1,46 +0,0 @@ -syntax = "proto3"; - -package envoy.config.metrics.v4alpha; - -import "envoy/config/core/v4alpha/config_source.proto"; -import "envoy/config/core/v4alpha/grpc_service.proto"; - -import "google/protobuf/wrappers.proto"; - -import "udpa/annotations/status.proto"; -import "udpa/annotations/versioning.proto"; -import "validate/validate.proto"; - -option java_package = "io.envoyproxy.envoy.config.metrics.v4alpha"; -option java_outer_classname = "MetricsServiceProto"; -option java_multiple_files = true; -option (udpa.annotations.file_status).package_version_status = NEXT_MAJOR_VERSION_CANDIDATE; - -// [#protodoc-title: Metrics service] - -// Metrics Service is configured as a built-in *envoy.stat_sinks.metrics_service* :ref:`StatsSink -// `. This opaque configuration will be used to create -// Metrics Service. -// [#extension: envoy.stat_sinks.metrics_service] -message MetricsServiceConfig { - option (udpa.annotations.versioning).previous_message_type = - "envoy.config.metrics.v3.MetricsServiceConfig"; - - // The upstream gRPC cluster that hosts the metrics service. - core.v4alpha.GrpcService grpc_service = 1 [(validate.rules).message = {required: true}]; - - // API version for metric service transport protocol. This describes the metric service gRPC - // endpoint and version of messages used on the wire. - core.v4alpha.ApiVersion transport_api_version = 3 [(validate.rules).enum = {defined_only: true}]; - - // If true, counters are reported as the delta between flushing intervals. Otherwise, the current - // counter value is reported. Defaults to false. - // Eventually (https://github.com/envoyproxy/envoy/issues/10968) if this value is not set, the - // sink will take updates from the :ref:`MetricsResponse `. 
- google.protobuf.BoolValue report_counters_as_deltas = 2; - - // If true, metrics will have their tags emitted as labels on the metrics objects sent to the MetricsService, - // and the tag extracted name will be used instead of the full name, which may contain values used by the tag - // extractor or additional tags added during stats creation. - bool emit_tags_as_labels = 4; -} diff --git a/generated_api_shadow/envoy/config/metrics/v4alpha/stats.proto b/generated_api_shadow/envoy/config/metrics/v4alpha/stats.proto deleted file mode 100644 index 6d8a94050d65..000000000000 --- a/generated_api_shadow/envoy/config/metrics/v4alpha/stats.proto +++ /dev/null 
@@ -1,411 +0,0 @@ -syntax = "proto3"; - -package envoy.config.metrics.v4alpha; - -import "envoy/config/core/v4alpha/address.proto"; -import "envoy/type/matcher/v4alpha/string.proto"; - -import "google/protobuf/any.proto"; -import "google/protobuf/wrappers.proto"; - -import "udpa/annotations/status.proto"; -import "udpa/annotations/versioning.proto"; -import "validate/validate.proto"; - -option java_package = "io.envoyproxy.envoy.config.metrics.v4alpha"; -option java_outer_classname = "StatsProto"; -option java_multiple_files = true; -option (udpa.annotations.file_status).package_version_status = NEXT_MAJOR_VERSION_CANDIDATE; - -// [#protodoc-title: Stats] -// Statistics :ref:`architecture overview `. - -// Configuration for pluggable stats sinks. -message StatsSink { - option (udpa.annotations.versioning).previous_message_type = "envoy.config.metrics.v3.StatsSink"; - - reserved 2; - - reserved "config"; - - // The name of the stats sink to instantiate. The name must match a supported - // stats sink. - // See the :ref:`extensions listed in typed_config below ` for the default list of available stats sink. - // Sinks optionally support tagged/multiple dimensional metrics. - string name = 1; - - // Stats sink specific configuration which depends on the sink being instantiated. See - // :ref:`StatsdSink ` for an example. - // [#extension-category: envoy.stats_sinks] - oneof config_type { - google.protobuf.Any typed_config = 3; - } -} - -// Statistics configuration such as tagging. -message StatsConfig { - option (udpa.annotations.versioning).previous_message_type = - "envoy.config.metrics.v3.StatsConfig"; - - // Each stat name is iteratively processed through these tag specifiers. - // When a tag is matched, the first capture group is removed from the name so - // later :ref:`TagSpecifiers ` cannot match that - // same portion of the match. - repeated TagSpecifier stats_tags = 1; - - // Use all default tag regexes specified in Envoy. 
These can be combined with - // custom tags specified in :ref:`stats_tags - // `. They will be processed before - // the custom tags. - // - // .. note:: - // - // If any default tags are specified twice, the config will be considered - // invalid. - // - // See :repo:`well_known_names.h ` for a list of the - // default tags in Envoy. - // - // If not provided, the value is assumed to be true. - google.protobuf.BoolValue use_all_default_tags = 2; - - // Inclusion/exclusion matcher for stat name creation. If not provided, all stats are instantiated - // as normal. Preventing the instantiation of certain families of stats can improve memory - // performance for Envoys running especially large configs. - // - // .. warning:: - // Excluding stats may affect Envoy's behavior in undocumented ways. See - // `issue #8771 `_ for more information. - // If any unexpected behavior changes are observed, please open a new issue immediately. - StatsMatcher stats_matcher = 3; - - // Defines rules for setting the histogram buckets. Rules are evaluated in order, and the first - // match is applied. If no match is found (or if no rules are set), the following default buckets - // are used: - // - // .. code-block:: json - // - // [ - // 0.5, - // 1, - // 5, - // 10, - // 25, - // 50, - // 100, - // 250, - // 500, - // 1000, - // 2500, - // 5000, - // 10000, - // 30000, - // 60000, - // 300000, - // 600000, - // 1800000, - // 3600000 - // ] - repeated HistogramBucketSettings histogram_bucket_settings = 4; -} - -// Configuration for disabling stat instantiation. -message StatsMatcher { - // The instantiation of stats is unrestricted by default. If the goal is to configure Envoy to - // instantiate all stats, there is no need to construct a StatsMatcher. - // - // However, StatsMatcher can be used to limit the creation of families of stats in order to - // conserve memory. 
Stats can either be disabled entirely, or they can be - // limited by either an exclusion or an inclusion list of :ref:`StringMatcher - // ` protos: - // - // * If `reject_all` is set to `true`, no stats will be instantiated. If `reject_all` is set to - // `false`, all stats will be instantiated. - // - // * If an exclusion list is supplied, any stat name matching *any* of the StringMatchers in the - // list will not instantiate. - // - // * If an inclusion list is supplied, no stats will instantiate, except those matching *any* of - // the StringMatchers in the list. - // - // - // A StringMatcher can be used to match against an exact string, a suffix / prefix, or a regex. - // **NB:** For performance reasons, it is highly recommended to use a prefix- or suffix-based - // matcher rather than a regex-based matcher. - // - // Example 1. Excluding all stats. - // - // .. code-block:: json - // - // { - // "statsMatcher": { - // "rejectAll": "true" - // } - // } - // - // Example 2. Excluding all cluster-specific stats, but not cluster-manager stats: - // - // .. code-block:: json - // - // { - // "statsMatcher": { - // "exclusionList": { - // "patterns": [ - // { - // "prefix": "cluster." - // } - // ] - // } - // } - // } - // - // Example 3. Including only manager-related stats: - // - // .. code-block:: json - // - // { - // "statsMatcher": { - // "inclusionList": { - // "patterns": [ - // { - // "prefix": "cluster_manager." - // }, - // { - // "prefix": "listener_manager." - // } - // ] - // } - // } - // } - // - - option (udpa.annotations.versioning).previous_message_type = - "envoy.config.metrics.v3.StatsMatcher"; - - oneof stats_matcher { - option (validate.required) = true; - - // If `reject_all` is true, then all stats are disabled. If `reject_all` is false, then all - // stats are enabled. - bool reject_all = 1; - - // Exclusive match. All stats are enabled except for those matching one of the supplied - // StringMatcher protos. 
- type.matcher.v4alpha.ListStringMatcher exclusion_list = 2; - - // Inclusive match. No stats are enabled except for those matching one of the supplied - // StringMatcher protos. - type.matcher.v4alpha.ListStringMatcher inclusion_list = 3; - } -} - -// Designates a tag name and value pair. The value may be either a fixed value -// or a regex providing the value via capture groups. The specified tag will be -// unconditionally set if a fixed value, otherwise it will only be set if one -// or more capture groups in the regex match. -message TagSpecifier { - option (udpa.annotations.versioning).previous_message_type = - "envoy.config.metrics.v3.TagSpecifier"; - - // Attaches an identifier to the tag values to identify the tag being in the - // sink. Envoy has a set of default names and regexes to extract dynamic - // portions of existing stats, which can be found in :repo:`well_known_names.h - // ` in the Envoy repository. If a :ref:`tag_name - // ` is provided in the config and - // neither :ref:`regex ` or - // :ref:`fixed_value ` were specified, - // Envoy will attempt to find that name in its set of defaults and use the accompanying regex. - // - // .. note:: - // - // It is invalid to specify the same tag name twice in a config. - string tag_name = 1; - - oneof tag_value { - // Designates a tag to strip from the tag extracted name and provide as a named - // tag value for all statistics. This will only occur if any part of the name - // matches the regex provided with one or more capture groups. - // - // The first capture group identifies the portion of the name to remove. The - // second capture group (which will normally be nested inside the first) will - // designate the value of the tag for the statistic. If no second capture - // group is provided, the first will also be used to set the value of the tag. - // All other capture groups will be ignored. - // - // Example 1. 
a stat name ``cluster.foo_cluster.upstream_rq_timeout`` and - // one tag specifier: - // - // .. code-block:: json - // - // { - // "tag_name": "envoy.cluster_name", - // "regex": "^cluster\\.((.+?)\\.)" - // } - // - // Note that the regex will remove ``foo_cluster.`` making the tag extracted - // name ``cluster.upstream_rq_timeout`` and the tag value for - // ``envoy.cluster_name`` will be ``foo_cluster`` (note: there will be no - // ``.`` character because of the second capture group). - // - // Example 2. a stat name - // ``http.connection_manager_1.user_agent.ios.downstream_cx_total`` and two - // tag specifiers: - // - // .. code-block:: json - // - // [ - // { - // "tag_name": "envoy.http_user_agent", - // "regex": "^http(?=\\.).*?\\.user_agent\\.((.+?)\\.)\\w+?$" - // }, - // { - // "tag_name": "envoy.http_conn_manager_prefix", - // "regex": "^http\\.((.*?)\\.)" - // } - // ] - // - // The two regexes of the specifiers will be processed in the definition order. - // - // The first regex will remove ``ios.``, leaving the tag extracted name - // ``http.connection_manager_1.user_agent.downstream_cx_total``. The tag - // ``envoy.http_user_agent`` will be added with tag value ``ios``. - // - // The second regex will remove ``connection_manager_1.`` from the tag - // extracted name produced by the first regex - // ``http.connection_manager_1.user_agent.downstream_cx_total``, leaving - // ``http.user_agent.downstream_cx_total`` as the tag extracted name. The tag - // ``envoy.http_conn_manager_prefix`` will be added with the tag value - // ``connection_manager_1``. - string regex = 2 [(validate.rules).string = {max_bytes: 1024}]; - - // Specifies a fixed tag value for the ``tag_name``. - string fixed_value = 3; - } -} - -// Specifies a matcher for stats and the buckets that matching stats should use. 
-message HistogramBucketSettings { - option (udpa.annotations.versioning).previous_message_type = - "envoy.config.metrics.v3.HistogramBucketSettings"; - - // The stats that this rule applies to. The match is applied to the original stat name - // before tag-extraction, for example `cluster.exampleclustername.upstream_cx_length_ms`. - type.matcher.v4alpha.StringMatcher match = 1 [(validate.rules).message = {required: true}]; - - // Each value is the upper bound of a bucket. Each bucket must be greater than 0 and unique. - // The order of the buckets does not matter. - repeated double buckets = 2 [(validate.rules).repeated = { - min_items: 1 - unique: true - items {double {gt: 0.0}} - }]; -} - -// Stats configuration proto schema for built-in *envoy.stat_sinks.statsd* sink. This sink does not support -// tagged metrics. -// [#extension: envoy.stat_sinks.statsd] -message StatsdSink { - option (udpa.annotations.versioning).previous_message_type = "envoy.config.metrics.v3.StatsdSink"; - - oneof statsd_specifier { - option (validate.required) = true; - - // The UDP address of a running `statsd `_ - // compliant listener. If specified, statistics will be flushed to this - // address. - core.v4alpha.Address address = 1; - - // The name of a cluster that is running a TCP `statsd - // `_ compliant listener. If specified, - // Envoy will connect to this cluster to flush statistics. - string tcp_cluster_name = 2; - } - - // Optional custom prefix for StatsdSink. If - // specified, this will override the default prefix. - // For example: - // - // .. code-block:: json - // - // { - // "prefix" : "envoy-prod" - // } - // - // will change emitted stats to - // - // .. code-block:: cpp - // - // envoy-prod.test_counter:1|c - // envoy-prod.test_timer:5|ms - // - // Note that the default prefix, "envoy", will be used if a prefix is not - // specified. - // - // Stats with default prefix: - // - // .. 
code-block:: cpp - // - // envoy.test_counter:1|c - // envoy.test_timer:5|ms - string prefix = 3; -} - -// Stats configuration proto schema for built-in *envoy.stat_sinks.dog_statsd* sink. -// The sink emits stats with `DogStatsD `_ -// compatible tags. Tags are configurable via :ref:`StatsConfig -// `. -// [#extension: envoy.stat_sinks.dog_statsd] -message DogStatsdSink { - option (udpa.annotations.versioning).previous_message_type = - "envoy.config.metrics.v3.DogStatsdSink"; - - reserved 2; - - oneof dog_statsd_specifier { - option (validate.required) = true; - - // The UDP address of a running DogStatsD compliant listener. If specified, - // statistics will be flushed to this address. - core.v4alpha.Address address = 1; - } - - // Optional custom metric name prefix. See :ref:`StatsdSink's prefix field - // ` for more details. - string prefix = 3; - - // Optional max datagram size to use when sending UDP messages. By default Envoy - // will emit one metric per datagram. By specifying a max-size larger than a single - // metric, Envoy will emit multiple, new-line separated metrics. The max datagram - // size should not exceed your network's MTU. - // - // Note that this value may not be respected if smaller than a single metric. - google.protobuf.UInt64Value max_bytes_per_datagram = 4 [(validate.rules).uint64 = {gt: 0}]; -} - -// Stats configuration proto schema for built-in *envoy.stat_sinks.hystrix* sink. -// The sink emits stats in `text/event-stream -// `_ -// formatted stream for use by `Hystrix dashboard -// `_. -// -// Note that only a single HystrixSink should be configured. -// -// Streaming is started through an admin endpoint :http:get:`/hystrix_event_stream`. -// [#extension: envoy.stat_sinks.hystrix] -message HystrixSink { - option (udpa.annotations.versioning).previous_message_type = - "envoy.config.metrics.v3.HystrixSink"; - - // The number of buckets the rolling statistical window is divided into. 
- // - // Each time the sink is flushed, all relevant Envoy statistics are sampled and - // added to the rolling window (removing the oldest samples in the window - // in the process). The sink then outputs the aggregate statistics across the - // current rolling window to the event stream(s). - // - // rolling_window(ms) = stats_flush_interval(ms) * num_of_buckets - // - // More detailed explanation can be found in `Hystrix wiki - // `_. - int64 num_buckets = 1; -} diff --git a/generated_api_shadow/envoy/config/ratelimit/v4alpha/BUILD b/generated_api_shadow/envoy/config/ratelimit/v4alpha/BUILD deleted file mode 100644 index f335ebe20e6b..000000000000 --- a/generated_api_shadow/envoy/config/ratelimit/v4alpha/BUILD +++ /dev/null @@ -1,13 +0,0 @@ -# DO NOT EDIT. This file is generated by tools/proto_format/proto_sync.py. - -load("@envoy_api//bazel:api_build_system.bzl", "api_proto_package") - -licenses(["notice"]) # Apache 2 - -api_proto_package( - deps = [ - "//envoy/config/core/v4alpha:pkg", - "//envoy/config/ratelimit/v3:pkg", - "@com_github_cncf_udpa//udpa/annotations:pkg", - ], -) diff --git a/generated_api_shadow/envoy/config/ratelimit/v4alpha/rls.proto b/generated_api_shadow/envoy/config/ratelimit/v4alpha/rls.proto deleted file mode 100644 index 7a13efd7395e..000000000000 --- a/generated_api_shadow/envoy/config/ratelimit/v4alpha/rls.proto +++ /dev/null 
@@ -1,34 +0,0 @@ -syntax = "proto3"; - -package envoy.config.ratelimit.v4alpha; - -import "envoy/config/core/v4alpha/config_source.proto"; -import "envoy/config/core/v4alpha/grpc_service.proto"; - -import "udpa/annotations/status.proto"; -import "udpa/annotations/versioning.proto"; -import "validate/validate.proto"; - -option java_package = "io.envoyproxy.envoy.config.ratelimit.v4alpha"; -option java_outer_classname = "RlsProto"; -option java_multiple_files = true; -option (udpa.annotations.file_status).package_version_status = NEXT_MAJOR_VERSION_CANDIDATE; - -// [#protodoc-title: Rate limit service] - -// Rate limit :ref:`configuration overview `. -message RateLimitServiceConfig { - option (udpa.annotations.versioning).previous_message_type = - "envoy.config.ratelimit.v3.RateLimitServiceConfig"; - - reserved 1, 3; - - // Specifies the gRPC service that hosts the rate limit service. The client - // will connect to this cluster when it needs to make rate limit service - // requests. - core.v4alpha.GrpcService grpc_service = 2 [(validate.rules).message = {required: true}]; - - // API version for rate limit transport protocol. This describes the rate limit gRPC endpoint and - // version of messages used on the wire. - core.v4alpha.ApiVersion transport_api_version = 4 [(validate.rules).enum = {defined_only: true}]; -} diff --git a/generated_api_shadow/envoy/config/rbac/v4alpha/BUILD b/generated_api_shadow/envoy/config/rbac/v4alpha/BUILD deleted file mode 100644 index 2b205e737363..000000000000 --- a/generated_api_shadow/envoy/config/rbac/v4alpha/BUILD +++ /dev/null 
@@ -1,19 +0,0 @@ -# DO NOT EDIT. This file is generated by tools/proto_format/proto_sync.py. - -load("@envoy_api//bazel:api_build_system.bzl", "api_proto_package") - -licenses(["notice"]) # Apache 2 - -api_proto_package( - deps = [ - "//envoy/annotations:pkg", - "//envoy/config/core/v4alpha:pkg", - "//envoy/config/rbac/v3:pkg", - "//envoy/config/route/v4alpha:pkg", - "//envoy/type/matcher/v4alpha:pkg", - "//envoy/type/v3:pkg", - "@com_github_cncf_udpa//udpa/annotations:pkg", - "@com_google_googleapis//google/api/expr/v1alpha1:checked_proto", - "@com_google_googleapis//google/api/expr/v1alpha1:syntax_proto", - ], -) diff --git a/generated_api_shadow/envoy/config/rbac/v4alpha/rbac.proto b/generated_api_shadow/envoy/config/rbac/v4alpha/rbac.proto deleted file mode 100644 index bff8576a27c8..000000000000 --- a/generated_api_shadow/envoy/config/rbac/v4alpha/rbac.proto +++ /dev/null 
@@ -1,305 +0,0 @@ -syntax = "proto3"; - -package envoy.config.rbac.v4alpha; - -import "envoy/config/core/v4alpha/address.proto"; -import "envoy/config/route/v4alpha/route_components.proto"; -import "envoy/type/matcher/v4alpha/metadata.proto"; -import "envoy/type/matcher/v4alpha/path.proto"; -import "envoy/type/matcher/v4alpha/string.proto"; -import "envoy/type/v3/range.proto"; - -import "google/api/expr/v1alpha1/checked.proto"; -import "google/api/expr/v1alpha1/syntax.proto"; - -import "envoy/annotations/deprecation.proto"; -import "udpa/annotations/status.proto"; -import "udpa/annotations/versioning.proto"; -import "validate/validate.proto"; - -option java_package = "io.envoyproxy.envoy.config.rbac.v4alpha"; -option java_outer_classname = "RbacProto"; -option java_multiple_files = true; -option (udpa.annotations.file_status).package_version_status = NEXT_MAJOR_VERSION_CANDIDATE; - -// [#protodoc-title: Role Based Access Control (RBAC)] - -// Role Based Access Control (RBAC) provides service-level and method-level access control for a -// service. Requests are allowed or denied based on the `action` and whether a matching policy is -// found. For instance, if the action is ALLOW and a matching policy is found the request should be -// allowed. -// -// RBAC can also be used to make access logging decisions by communicating with access loggers -// through dynamic metadata. When the action is LOG and at least one policy matches, the -// `access_log_hint` value in the shared key namespace 'envoy.common' is set to `true` indicating -// the request should be logged. -// -// Here is an example of RBAC configuration. It has two policies: -// -// * Service account "cluster.local/ns/default/sa/admin" has full access to the service, and so -// does "cluster.local/ns/default/sa/superuser". -// -// * Any user can read ("GET") the service at paths with prefix "/products", so long as the -// destination port is either 80 or 443. -// -// .. 
code-block:: yaml -// -// action: ALLOW -// policies: -// "service-admin": -// permissions: -// - any: true -// principals: -// - authenticated: -// principal_name: -// exact: "cluster.local/ns/default/sa/admin" -// - authenticated: -// principal_name: -// exact: "cluster.local/ns/default/sa/superuser" -// "product-viewer": -// permissions: -// - and_rules: -// rules: -// - header: -// name: ":method" -// string_match: -// exact: "GET" -// - url_path: -// path: { prefix: "/products" } -// - or_rules: -// rules: -// - destination_port: 80 -// - destination_port: 443 -// principals: -// - any: true -// -message RBAC { - option (udpa.annotations.versioning).previous_message_type = "envoy.config.rbac.v3.RBAC"; - - // Should we do safe-list or block-list style access control? - enum Action { - // The policies grant access to principals. The rest are denied. This is safe-list style - // access control. This is the default type. - ALLOW = 0; - - // The policies deny access to principals. The rest are allowed. This is block-list style - // access control. - DENY = 1; - - // The policies set the `access_log_hint` dynamic metadata key based on if requests match. - // All requests are allowed. - LOG = 2; - } - - // The action to take if a policy matches. Every action either allows or denies a request, - // and can also carry out action-specific operations. - // - // Actions: - // - // * ALLOW: Allows the request if and only if there is a policy that matches - // the request. - // * DENY: Allows the request if and only if there are no policies that - // match the request. - // * LOG: Allows all requests. If at least one policy matches, the dynamic - // metadata key `access_log_hint` is set to the value `true` under the shared - // key namespace 'envoy.common'. If no policies match, it is set to `false`. - // Other actions do not modify this key. - // - Action action = 1 [(validate.rules).enum = {defined_only: true}]; - - // Maps from policy name to policy. 
A match occurs when at least one policy matches the request. - // The policies are evaluated in lexicographic order of the policy name. - map policies = 2; -} - -// Policy specifies a role and the principals that are assigned/denied the role. -// A policy matches if and only if at least one of its permissions match the -// action taking place AND at least one of its principals match the downstream -// AND the condition is true if specified. -message Policy { - option (udpa.annotations.versioning).previous_message_type = "envoy.config.rbac.v3.Policy"; - - // Required. The set of permissions that define a role. Each permission is - // matched with OR semantics. To match all actions for this policy, a single - // Permission with the `any` field set to true should be used. - repeated Permission permissions = 1 [(validate.rules).repeated = {min_items: 1}]; - - // Required. The set of principals that are assigned/denied the role based on - // “action”. Each principal is matched with OR semantics. To match all - // downstreams for this policy, a single Principal with the `any` field set to - // true should be used. - repeated Principal principals = 2 [(validate.rules).repeated = {min_items: 1}]; - - oneof expression_specifier { - // An optional symbolic expression specifying an access control - // :ref:`condition `. The condition is combined - // with the permissions and the principals as a clause with AND semantics. - // Only be used when checked_condition is not used. - google.api.expr.v1alpha1.Expr condition = 3; - - // [#not-implemented-hide:] - // An optional symbolic expression that has been successfully type checked. - // Only be used when condition is not used. - google.api.expr.v1alpha1.CheckedExpr checked_condition = 4; - } -} - -// Permission defines an action (or actions) that a principal can take. 
-// [#next-free-field: 12] -message Permission { - option (udpa.annotations.versioning).previous_message_type = "envoy.config.rbac.v3.Permission"; - - // Used in the `and_rules` and `or_rules` fields in the `rule` oneof. Depending on the context, - // each are applied with the associated behavior. - message Set { - option (udpa.annotations.versioning).previous_message_type = - "envoy.config.rbac.v3.Permission.Set"; - - repeated Permission rules = 1 [(validate.rules).repeated = {min_items: 1}]; - } - - oneof rule { - option (validate.required) = true; - - // A set of rules that all must match in order to define the action. - Set and_rules = 1; - - // A set of rules where at least one must match in order to define the action. - Set or_rules = 2; - - // When any is set, it matches any action. - bool any = 3 [(validate.rules).bool = {const: true}]; - - // A header (or pseudo-header such as :path or :method) on the incoming HTTP request. Only - // available for HTTP request. - // Note: the pseudo-header :path includes the query and fragment string. Use the `url_path` - // field if you want to match the URL path without the query and fragment string. - route.v4alpha.HeaderMatcher header = 4; - - // A URL path on the incoming HTTP request. Only available for HTTP. - type.matcher.v4alpha.PathMatcher url_path = 10; - - // A CIDR block that describes the destination IP. - core.v4alpha.CidrRange destination_ip = 5; - - // A port number that describes the destination port connecting to. - uint32 destination_port = 6 [(validate.rules).uint32 = {lte: 65535}]; - - // A port number range that describes a range of destination ports connecting to. - type.v3.Int32Range destination_port_range = 11; - - // Metadata that describes additional information about the action. - type.matcher.v4alpha.MetadataMatcher metadata = 7; - - // Negates matching the provided permission. For instance, if the value of - // `not_rule` would match, this permission would not match. 
Conversely, if - // the value of `not_rule` would not match, this permission would match. - Permission not_rule = 8; - - // The request server from the client's connection request. This is - // typically TLS SNI. - // - // .. attention:: - // - // The behavior of this field may be affected by how Envoy is configured - // as explained below. - // - // * If the :ref:`TLS Inspector ` - // filter is not added, and if a `FilterChainMatch` is not defined for - // the :ref:`server name - // `, - // a TLS connection's requested SNI server name will be treated as if it - // wasn't present. - // - // * A :ref:`listener filter ` may - // overwrite a connection's requested server name within Envoy. - // - // Please refer to :ref:`this FAQ entry ` to learn to - // setup SNI. - type.matcher.v4alpha.StringMatcher requested_server_name = 9; - } -} - -// Principal defines an identity or a group of identities for a downstream -// subject. -// [#next-free-field: 12] -message Principal { - option (udpa.annotations.versioning).previous_message_type = "envoy.config.rbac.v3.Principal"; - - // Used in the `and_ids` and `or_ids` fields in the `identifier` oneof. - // Depending on the context, each are applied with the associated behavior. - message Set { - option (udpa.annotations.versioning).previous_message_type = - "envoy.config.rbac.v3.Principal.Set"; - - repeated Principal ids = 1 [(validate.rules).repeated = {min_items: 1}]; - } - - // Authentication attributes for a downstream. - message Authenticated { - option (udpa.annotations.versioning).previous_message_type = - "envoy.config.rbac.v3.Principal.Authenticated"; - - reserved 1; - - // The name of the principal. If set, The URI SAN or DNS SAN in that order - // is used from the certificate, otherwise the subject field is used. If - // unset, it applies to any user that is authenticated. 
- type.matcher.v4alpha.StringMatcher principal_name = 2; - } - - oneof identifier { - option (validate.required) = true; - - // A set of identifiers that all must match in order to define the - // downstream. - Set and_ids = 1; - - // A set of identifiers at least one must match in order to define the - // downstream. - Set or_ids = 2; - - // When any is set, it matches any downstream. - bool any = 3 [(validate.rules).bool = {const: true}]; - - // Authenticated attributes that identify the downstream. - Authenticated authenticated = 4; - - // A CIDR block that describes the downstream IP. - // This address will honor proxy protocol, but will not honor XFF. - core.v4alpha.CidrRange hidden_envoy_deprecated_source_ip = 5 - [deprecated = true, (envoy.annotations.deprecated_at_minor_version) = "3.0"]; - - // A CIDR block that describes the downstream remote/origin address. - // Note: This is always the physical peer even if the - // :ref:`remote_ip ` is - // inferred from for example the x-forwarder-for header, proxy protocol, - // etc. - core.v4alpha.CidrRange direct_remote_ip = 10; - - // A CIDR block that describes the downstream remote/origin address. - // Note: This may not be the physical peer and could be different from the - // :ref:`direct_remote_ip - // `. E.g, if the - // remote ip is inferred from for example the x-forwarder-for header, proxy - // protocol, etc. - core.v4alpha.CidrRange remote_ip = 11; - - // A header (or pseudo-header such as :path or :method) on the incoming HTTP - // request. Only available for HTTP request. Note: the pseudo-header :path - // includes the query and fragment string. Use the `url_path` field if you - // want to match the URL path without the query and fragment string. - route.v4alpha.HeaderMatcher header = 6; - - // A URL path on the incoming HTTP request. Only available for HTTP. - type.matcher.v4alpha.PathMatcher url_path = 9; - - // Metadata that describes additional information about the principal. 
- type.matcher.v4alpha.MetadataMatcher metadata = 7; - - // Negates matching the provided principal. For instance, if the value of - // `not_id` would match, this principal would not match. Conversely, if the - // value of `not_id` would not match, this principal would match. - Principal not_id = 8; - } -} diff --git a/generated_api_shadow/envoy/config/route/v4alpha/BUILD b/generated_api_shadow/envoy/config/route/v4alpha/BUILD deleted file mode 100644 index 569a1a438e07..000000000000 --- a/generated_api_shadow/envoy/config/route/v4alpha/BUILD +++ /dev/null @@ -1,18 +0,0 @@ -# DO NOT EDIT. This file is generated by tools/proto_format/proto_sync.py. - -load("@envoy_api//bazel:api_build_system.bzl", "api_proto_package") - -licenses(["notice"]) # Apache 2 - -api_proto_package( - deps = [ - "//envoy/annotations:pkg", - "//envoy/config/core/v4alpha:pkg", - "//envoy/config/route/v3:pkg", - "//envoy/type/matcher/v4alpha:pkg", - "//envoy/type/metadata/v3:pkg", - "//envoy/type/tracing/v3:pkg", - "//envoy/type/v3:pkg", - "@com_github_cncf_udpa//udpa/annotations:pkg", - ], -) diff --git a/generated_api_shadow/envoy/config/route/v4alpha/route.proto b/generated_api_shadow/envoy/config/route/v4alpha/route.proto deleted file mode 100644 index 4a1938682482..000000000000 --- a/generated_api_shadow/envoy/config/route/v4alpha/route.proto +++ /dev/null 
@@ -1,146 +0,0 @@ -syntax = "proto3"; - -package envoy.config.route.v4alpha; - -import "envoy/config/core/v4alpha/base.proto"; -import "envoy/config/core/v4alpha/config_source.proto"; -import "envoy/config/core/v4alpha/extension.proto"; -import "envoy/config/route/v4alpha/route_components.proto"; - -import "google/protobuf/wrappers.proto"; - -import "udpa/annotations/status.proto"; -import "udpa/annotations/versioning.proto"; -import "validate/validate.proto"; - -option java_package = "io.envoyproxy.envoy.config.route.v4alpha"; -option java_outer_classname = "RouteProto"; -option java_multiple_files = true; -option (udpa.annotations.file_status).package_version_status = NEXT_MAJOR_VERSION_CANDIDATE; - -// [#protodoc-title: HTTP route configuration] -// * Routing :ref:`architecture overview ` -// * HTTP :ref:`router filter ` - -// [#next-free-field: 13] -message RouteConfiguration { - option (udpa.annotations.versioning).previous_message_type = - "envoy.config.route.v3.RouteConfiguration"; - - // The name of the route configuration. For example, it might match - // :ref:`route_config_name - // ` in - // :ref:`envoy_v3_api_msg_extensions.filters.network.http_connection_manager.v3.Rds`. - string name = 1; - - // An array of virtual hosts that make up the route table. - repeated VirtualHost virtual_hosts = 2; - - // An array of virtual hosts will be dynamically loaded via the VHDS API. - // Both *virtual_hosts* and *vhds* fields will be used when present. *virtual_hosts* can be used - // for a base routing table or for infrequently changing virtual hosts. *vhds* is used for - // on-demand discovery of virtual hosts. The contents of these two fields will be merged to - // generate a routing table for a given RouteConfiguration, with *vhds* derived configuration - // taking precedence. - Vhds vhds = 9; - - // Optionally specifies a list of HTTP headers that the connection manager - // will consider to be internal only. 
If they are found on external requests they will be cleaned - // prior to filter invocation. See :ref:`config_http_conn_man_headers_x-envoy-internal` for more - // information. - repeated string internal_only_headers = 3 [ - (validate.rules).repeated = {items {string {well_known_regex: HTTP_HEADER_NAME strict: false}}} - ]; - - // Specifies a list of HTTP headers that should be added to each response that - // the connection manager encodes. Headers specified at this level are applied - // after headers from any enclosed :ref:`envoy_v3_api_msg_config.route.v3.VirtualHost` or - // :ref:`envoy_v3_api_msg_config.route.v3.RouteAction`. For more information, including details on - // header value syntax, see the documentation on :ref:`custom request headers - // `. - repeated core.v4alpha.HeaderValueOption response_headers_to_add = 4 - [(validate.rules).repeated = {max_items: 1000}]; - - // Specifies a list of HTTP headers that should be removed from each response - // that the connection manager encodes. - repeated string response_headers_to_remove = 5 [ - (validate.rules).repeated = {items {string {well_known_regex: HTTP_HEADER_NAME strict: false}}} - ]; - - // Specifies a list of HTTP headers that should be added to each request - // routed by the HTTP connection manager. Headers specified at this level are - // applied after headers from any enclosed :ref:`envoy_v3_api_msg_config.route.v3.VirtualHost` or - // :ref:`envoy_v3_api_msg_config.route.v3.RouteAction`. For more information, including details on - // header value syntax, see the documentation on :ref:`custom request headers - // `. - repeated core.v4alpha.HeaderValueOption request_headers_to_add = 6 - [(validate.rules).repeated = {max_items: 1000}]; - - // Specifies a list of HTTP headers that should be removed from each request - // routed by the HTTP connection manager. 
- repeated string request_headers_to_remove = 8 [ - (validate.rules).repeated = {items {string {well_known_regex: HTTP_HEADER_NAME strict: false}}} - ]; - - // By default, headers that should be added/removed are evaluated from most to least specific: - // - // * route level - // * virtual host level - // * connection manager level - // - // To allow setting overrides at the route or virtual host level, this order can be reversed - // by setting this option to true. Defaults to false. - // - // [#next-major-version: In the v3 API, this will default to true.] - bool most_specific_header_mutations_wins = 10; - - // An optional boolean that specifies whether the clusters that the route - // table refers to will be validated by the cluster manager. If set to true - // and a route refers to a non-existent cluster, the route table will not - // load. If set to false and a route refers to a non-existent cluster, the - // route table will load and the router filter will return a 404 if the route - // is selected at runtime. This setting defaults to true if the route table - // is statically defined via the :ref:`route_config - // ` - // option. This setting default to false if the route table is loaded dynamically via the - // :ref:`rds - // ` - // option. Users may wish to override the default behavior in certain cases (for example when - // using CDS with a static route table). - google.protobuf.BoolValue validate_clusters = 7; - - // The maximum bytes of the response :ref:`direct response body - // ` size. If not specified the default - // is 4096. - // - // .. warning:: - // - // Envoy currently holds the content of :ref:`direct response body - // ` in memory. Be careful setting - // this to be larger than the default 4KB, since the allocated memory for direct response body - // is not subject to data plane buffering controls. 
- // - google.protobuf.UInt32Value max_direct_response_body_size_bytes = 11; - - // [#not-implemented-hide:] - // A list of plugins and their configurations which may be used by a - // :ref:`envoy_v3_api_field_config.route.v3.RouteAction.cluster_specifier_plugin` - // within the route. All *extension.name* fields in this list must be unique. - repeated ClusterSpecifierPlugin cluster_specifier_plugins = 12; -} - -// Configuration for a cluster specifier plugin. -message ClusterSpecifierPlugin { - option (udpa.annotations.versioning).previous_message_type = - "envoy.config.route.v3.ClusterSpecifierPlugin"; - - // The name of the plugin and its opaque configuration. - core.v4alpha.TypedExtensionConfig extension = 1; -} - -message Vhds { - option (udpa.annotations.versioning).previous_message_type = "envoy.config.route.v3.Vhds"; - - // Configuration source specifier for VHDS. - core.v4alpha.ConfigSource config_source = 1 [(validate.rules).message = {required: true}]; -} diff --git a/generated_api_shadow/envoy/config/route/v4alpha/route_components.proto b/generated_api_shadow/envoy/config/route/v4alpha/route_components.proto deleted file mode 100644 index f72806788245..000000000000 --- a/generated_api_shadow/envoy/config/route/v4alpha/route_components.proto +++ /dev/null 
@@ -1,2067 +0,0 @@ -syntax = "proto3"; - -package envoy.config.route.v4alpha; - -import "envoy/config/core/v4alpha/base.proto"; -import "envoy/config/core/v4alpha/extension.proto"; -import "envoy/config/core/v4alpha/proxy_protocol.proto"; -import "envoy/type/matcher/v4alpha/regex.proto"; -import "envoy/type/matcher/v4alpha/string.proto"; -import "envoy/type/metadata/v3/metadata.proto"; -import "envoy/type/tracing/v3/custom_tag.proto"; -import "envoy/type/v3/percent.proto"; -import "envoy/type/v3/range.proto"; - -import "google/protobuf/any.proto"; -import "google/protobuf/duration.proto"; -import "google/protobuf/wrappers.proto"; - -import "envoy/annotations/deprecation.proto"; -import "udpa/annotations/status.proto"; -import "udpa/annotations/versioning.proto"; -import "validate/validate.proto"; - -option java_package = "io.envoyproxy.envoy.config.route.v4alpha"; -option java_outer_classname = "RouteComponentsProto"; -option java_multiple_files = true; -option (udpa.annotations.file_status).package_version_status = NEXT_MAJOR_VERSION_CANDIDATE; - -// [#protodoc-title: HTTP route components] -// * Routing :ref:`architecture overview ` -// * HTTP :ref:`router filter ` - -// The top level element in the routing configuration is a virtual host. Each virtual host has -// a logical name as well as a set of domains that get routed to it based on the incoming request's -// host header. This allows a single listener to service multiple top level domain path trees. Once -// a virtual host is selected based on the domain, the routes are processed in order to see which -// upstream cluster to route to or whether to perform a redirect. -// [#next-free-field: 21] -message VirtualHost { - option (udpa.annotations.versioning).previous_message_type = "envoy.config.route.v3.VirtualHost"; - - enum TlsRequirementType { - // No TLS requirement for the virtual host. - NONE = 0; - - // External requests must use TLS. 
If a request is external and it is not - // using TLS, a 301 redirect will be sent telling the client to use HTTPS. - EXTERNAL_ONLY = 1; - - // All requests must use TLS. If a request is not using TLS, a 301 redirect - // will be sent telling the client to use HTTPS. - ALL = 2; - } - - reserved 9, 12; - - reserved "per_filter_config"; - - // The logical name of the virtual host. This is used when emitting certain - // statistics but is not relevant for routing. - string name = 1 [(validate.rules).string = {min_len: 1}]; - - // A list of domains (host/authority header) that will be matched to this - // virtual host. Wildcard hosts are supported in the suffix or prefix form. - // - // Domain search order: - // 1. Exact domain names: ``www.foo.com``. - // 2. Suffix domain wildcards: ``*.foo.com`` or ``*-bar.foo.com``. - // 3. Prefix domain wildcards: ``foo.*`` or ``foo-*``. - // 4. Special wildcard ``*`` matching any domain. - // - // .. note:: - // - // The wildcard will not match the empty string. - // e.g. ``*-bar.foo.com`` will match ``baz-bar.foo.com`` but not ``-bar.foo.com``. - // The longest wildcards match first. - // Only a single virtual host in the entire route configuration can match on ``*``. A domain - // must be unique across all virtual hosts or the config will fail to load. - // - // Domains cannot contain control characters. This is validated by the well_known_regex HTTP_HEADER_VALUE. - repeated string domains = 2 [(validate.rules).repeated = { - min_items: 1 - items {string {well_known_regex: HTTP_HEADER_VALUE strict: false}} - }]; - - // The list of routes that will be matched, in order, for incoming requests. - // The first route that matches will be used. - repeated Route routes = 3; - - // Specifies the type of TLS enforcement the virtual host expects. If this option is not - // specified, there is no TLS requirement for the virtual host. 
- TlsRequirementType require_tls = 4 [(validate.rules).enum = {defined_only: true}]; - - // A list of virtual clusters defined for this virtual host. Virtual clusters - // are used for additional statistics gathering. - repeated VirtualCluster virtual_clusters = 5; - - // Specifies a set of rate limit configurations that will be applied to the - // virtual host. - repeated RateLimit rate_limits = 6; - - // Specifies a list of HTTP headers that should be added to each request - // handled by this virtual host. Headers specified at this level are applied - // after headers from enclosed :ref:`envoy_v3_api_msg_config.route.v3.Route` and before headers from the - // enclosing :ref:`envoy_v3_api_msg_config.route.v3.RouteConfiguration`. For more information, including - // details on header value syntax, see the documentation on :ref:`custom request headers - // `. - repeated core.v4alpha.HeaderValueOption request_headers_to_add = 7 - [(validate.rules).repeated = {max_items: 1000}]; - - // Specifies a list of HTTP headers that should be removed from each request - // handled by this virtual host. - repeated string request_headers_to_remove = 13 [(validate.rules).repeated = { - items {string {min_len: 1 well_known_regex: HTTP_HEADER_NAME strict: false}} - }]; - - // Specifies a list of HTTP headers that should be added to each response - // handled by this virtual host. Headers specified at this level are applied - // after headers from enclosed :ref:`envoy_v3_api_msg_config.route.v3.Route` and before headers from the - // enclosing :ref:`envoy_v3_api_msg_config.route.v3.RouteConfiguration`. For more information, including - // details on header value syntax, see the documentation on :ref:`custom request headers - // `. - repeated core.v4alpha.HeaderValueOption response_headers_to_add = 10 - [(validate.rules).repeated = {max_items: 1000}]; - - // Specifies a list of HTTP headers that should be removed from each response - // handled by this virtual host. 
- repeated string response_headers_to_remove = 11 [(validate.rules).repeated = { - items {string {min_len: 1 well_known_regex: HTTP_HEADER_NAME strict: false}} - }]; - - // Indicates that the virtual host has a CORS policy. - CorsPolicy cors = 8; - - // The per_filter_config field can be used to provide virtual host-specific - // configurations for filters. The key should match the filter name, such as - // *envoy.filters.http.buffer* for the HTTP buffer filter. Use of this field is filter - // specific; see the :ref:`HTTP filter documentation ` - // for if and how it is utilized. - // [#comment: An entry's value may be wrapped in a - // :ref:`FilterConfig` - // message to specify additional options.] - map typed_per_filter_config = 15; - - // Decides whether the :ref:`x-envoy-attempt-count - // ` header should be included - // in the upstream request. Setting this option will cause it to override any existing header - // value, so in the case of two Envoys on the request path with this option enabled, the upstream - // will see the attempt count as perceived by the second Envoy. Defaults to false. - // This header is unaffected by the - // :ref:`suppress_envoy_headers - // ` flag. - // - // [#next-major-version: rename to include_attempt_count_in_request.] - bool include_request_attempt_count = 14; - - // Decides whether the :ref:`x-envoy-attempt-count - // ` header should be included - // in the downstream response. Setting this option will cause the router to override any existing header - // value, so in the case of two Envoys on the request path with this option enabled, the downstream - // will see the attempt count as perceived by the Envoy closest upstream from itself. Defaults to false. - // This header is unaffected by the - // :ref:`suppress_envoy_headers - // ` flag. - bool include_attempt_count_in_response = 19; - - // Indicates the retry policy for all routes in this virtual host. 
Note that setting a - // route level entry will take precedence over this config and it'll be treated - // independently (e.g.: values are not inherited). - RetryPolicy retry_policy = 16; - - // [#not-implemented-hide:] - // Specifies the configuration for retry policy extension. Note that setting a route level entry - // will take precedence over this config and it'll be treated independently (e.g.: values are not - // inherited). :ref:`Retry policy ` should not be - // set if this field is used. - google.protobuf.Any retry_policy_typed_config = 20; - - // Indicates the hedge policy for all routes in this virtual host. Note that setting a - // route level entry will take precedence over this config and it'll be treated - // independently (e.g.: values are not inherited). - HedgePolicy hedge_policy = 17; - - // The maximum bytes which will be buffered for retries and shadowing. - // If set and a route-specific limit is not set, the bytes actually buffered will be the minimum - // value of this and the listener per_connection_buffer_limit_bytes. - google.protobuf.UInt32Value per_request_buffer_limit_bytes = 18; -} - -// A filter-defined action type. -message FilterAction { - option (udpa.annotations.versioning).previous_message_type = "envoy.config.route.v3.FilterAction"; - - google.protobuf.Any action = 1; -} - -// A route is both a specification of how to match a request as well as an indication of what to do -// next (e.g., redirect, forward, rewrite, etc.). -// -// .. attention:: -// -// Envoy supports routing on HTTP method via :ref:`header matching -// `. -// [#next-free-field: 19] -message Route { - option (udpa.annotations.versioning).previous_message_type = "envoy.config.route.v3.Route"; - - reserved 6, 8; - - reserved "per_filter_config"; - - // Name for the route. - string name = 14; - - // Route matching parameters. 
- RouteMatch match = 1 [(validate.rules).message = {required: true}]; - - oneof action { - option (validate.required) = true; - - // Route request to some upstream cluster. - RouteAction route = 2; - - // Return a redirect. - RedirectAction redirect = 3; - - // Return an arbitrary HTTP response directly, without proxying. - DirectResponseAction direct_response = 7; - - // [#not-implemented-hide:] - // A filter-defined action (e.g., it could dynamically generate the RouteAction). - // [#comment: TODO(samflattery): Remove cleanup in route_fuzz_test.cc when - // implemented] - FilterAction filter_action = 17; - - // [#not-implemented-hide:] - // An action used when the route will generate a response directly, - // without forwarding to an upstream host. This will be used in non-proxy - // xDS clients like the gRPC server. It could also be used in the future - // in Envoy for a filter that directly generates responses for requests. - NonForwardingAction non_forwarding_action = 18; - } - - // The Metadata field can be used to provide additional information - // about the route. It can be used for configuration, stats, and logging. - // The metadata should go under the filter namespace that will need it. - // For instance, if the metadata is intended for the Router filter, - // the filter name should be specified as *envoy.filters.http.router*. - core.v4alpha.Metadata metadata = 4; - - // Decorator for the matched route. - Decorator decorator = 5; - - // The typed_per_filter_config field can be used to provide route-specific - // configurations for filters. The key should match the filter name, such as - // *envoy.filters.http.buffer* for the HTTP buffer filter. Use of this field is filter - // specific; see the :ref:`HTTP filter documentation ` for - // if and how it is utilized. - // [#comment: An entry's value may be wrapped in a - // :ref:`FilterConfig` - // message to specify additional options.] 
- map typed_per_filter_config = 13; - - // Specifies a set of headers that will be added to requests matching this - // route. Headers specified at this level are applied before headers from the - // enclosing :ref:`envoy_v3_api_msg_config.route.v3.VirtualHost` and - // :ref:`envoy_v3_api_msg_config.route.v3.RouteConfiguration`. For more information, including details on - // header value syntax, see the documentation on :ref:`custom request headers - // `. - repeated core.v4alpha.HeaderValueOption request_headers_to_add = 9 - [(validate.rules).repeated = {max_items: 1000}]; - - // Specifies a list of HTTP headers that should be removed from each request - // matching this route. - repeated string request_headers_to_remove = 12 [(validate.rules).repeated = { - items {string {min_len: 1 well_known_regex: HTTP_HEADER_NAME strict: false}} - }]; - - // Specifies a set of headers that will be added to responses to requests - // matching this route. Headers specified at this level are applied before - // headers from the enclosing :ref:`envoy_v3_api_msg_config.route.v3.VirtualHost` and - // :ref:`envoy_v3_api_msg_config.route.v3.RouteConfiguration`. For more information, including - // details on header value syntax, see the documentation on - // :ref:`custom request headers `. - repeated core.v4alpha.HeaderValueOption response_headers_to_add = 10 - [(validate.rules).repeated = {max_items: 1000}]; - - // Specifies a list of HTTP headers that should be removed from each response - // to requests matching this route. - repeated string response_headers_to_remove = 11 [(validate.rules).repeated = { - items {string {min_len: 1 well_known_regex: HTTP_HEADER_NAME strict: false}} - }]; - - // Presence of the object defines whether the connection manager's tracing configuration - // is overridden by this route specific instance. - Tracing tracing = 15; - - // The maximum bytes which will be buffered for retries and shadowing. 
- // If set, the bytes actually buffered will be the minimum value of this and the - // listener per_connection_buffer_limit_bytes. - google.protobuf.UInt32Value per_request_buffer_limit_bytes = 16; -} - -// Compared to the :ref:`cluster ` field that specifies a -// single upstream cluster as the target of a request, the :ref:`weighted_clusters -// ` option allows for specification of -// multiple upstream clusters along with weights that indicate the percentage of -// traffic to be forwarded to each cluster. The router selects an upstream cluster based on the -// weights. -message WeightedCluster { - option (udpa.annotations.versioning).previous_message_type = - "envoy.config.route.v3.WeightedCluster"; - - // [#next-free-field: 12] - message ClusterWeight { - option (udpa.annotations.versioning).previous_message_type = - "envoy.config.route.v3.WeightedCluster.ClusterWeight"; - - reserved 7, 8; - - reserved "per_filter_config"; - - // Name of the upstream cluster. The cluster must exist in the - // :ref:`cluster manager configuration `. - string name = 1 [(validate.rules).string = {min_len: 1}]; - - // An integer between 0 and :ref:`total_weight - // `. When a request matches the route, - // the choice of an upstream cluster is determined by its weight. The sum of weights across all - // entries in the clusters array must add up to the total_weight, which defaults to 100. - google.protobuf.UInt32Value weight = 2; - - // Optional endpoint metadata match criteria used by the subset load balancer. Only endpoints in - // the upstream cluster with metadata matching what is set in this field will be considered for - // load balancing. Note that this will be merged with what's provided in - // :ref:`RouteAction.metadata_match `, with - // values here taking precedence. The filter name should be specified as *envoy.lb*. 
- core.v4alpha.Metadata metadata_match = 3; - - // Specifies a list of headers to be added to requests when this cluster is selected - // through the enclosing :ref:`envoy_v3_api_msg_config.route.v3.RouteAction`. - // Headers specified at this level are applied before headers from the enclosing - // :ref:`envoy_v3_api_msg_config.route.v3.Route`, :ref:`envoy_v3_api_msg_config.route.v3.VirtualHost`, and - // :ref:`envoy_v3_api_msg_config.route.v3.RouteConfiguration`. For more information, including details on - // header value syntax, see the documentation on :ref:`custom request headers - // `. - repeated core.v4alpha.HeaderValueOption request_headers_to_add = 4 - [(validate.rules).repeated = {max_items: 1000}]; - - // Specifies a list of HTTP headers that should be removed from each request when - // this cluster is selected through the enclosing :ref:`envoy_v3_api_msg_config.route.v3.RouteAction`. - repeated string request_headers_to_remove = 9 [(validate.rules).repeated = { - items {string {well_known_regex: HTTP_HEADER_NAME strict: false}} - }]; - - // Specifies a list of headers to be added to responses when this cluster is selected - // through the enclosing :ref:`envoy_v3_api_msg_config.route.v3.RouteAction`. - // Headers specified at this level are applied before headers from the enclosing - // :ref:`envoy_v3_api_msg_config.route.v3.Route`, :ref:`envoy_v3_api_msg_config.route.v3.VirtualHost`, and - // :ref:`envoy_v3_api_msg_config.route.v3.RouteConfiguration`. For more information, including details on - // header value syntax, see the documentation on :ref:`custom request headers - // `. - repeated core.v4alpha.HeaderValueOption response_headers_to_add = 5 - [(validate.rules).repeated = {max_items: 1000}]; - - // Specifies a list of headers to be removed from responses when this cluster is selected - // through the enclosing :ref:`envoy_v3_api_msg_config.route.v3.RouteAction`. 
- repeated string response_headers_to_remove = 6 [(validate.rules).repeated = { - items {string {well_known_regex: HTTP_HEADER_NAME strict: false}} - }]; - - // The per_filter_config field can be used to provide weighted cluster-specific - // configurations for filters. The key should match the filter name, such as - // *envoy.filters.http.buffer* for the HTTP buffer filter. Use of this field is filter - // specific; see the :ref:`HTTP filter documentation ` - // for if and how it is utilized. - // [#comment: An entry's value may be wrapped in a - // :ref:`FilterConfig` - // message to specify additional options.] - map typed_per_filter_config = 10; - - oneof host_rewrite_specifier { - // Indicates that during forwarding, the host header will be swapped with - // this value. - string host_rewrite_literal = 11 - [(validate.rules).string = {well_known_regex: HTTP_HEADER_VALUE strict: false}]; - } - } - - // Specifies one or more upstream clusters associated with the route. - repeated ClusterWeight clusters = 1 [(validate.rules).repeated = {min_items: 1}]; - - // Specifies the total weight across all clusters. The sum of all cluster weights must equal this - // value, which must be greater than 0. Defaults to 100. - google.protobuf.UInt32Value total_weight = 3 [(validate.rules).uint32 = {gte: 1}]; - - // Specifies the runtime key prefix that should be used to construct the - // runtime keys associated with each cluster. When the *runtime_key_prefix* is - // specified, the router will look for weights associated with each upstream - // cluster under the key *runtime_key_prefix* + "." + *cluster[i].name* where - // *cluster[i]* denotes an entry in the clusters array field. If the runtime - // key for the cluster does not exist, the value specified in the - // configuration file will be used as the default weight. See the :ref:`runtime documentation - // ` for how key names map to the underlying implementation. 
- string runtime_key_prefix = 2; -} - -// [#next-free-field: 13] -message RouteMatch { - option (udpa.annotations.versioning).previous_message_type = "envoy.config.route.v3.RouteMatch"; - - message GrpcRouteMatchOptions { - option (udpa.annotations.versioning).previous_message_type = - "envoy.config.route.v3.RouteMatch.GrpcRouteMatchOptions"; - } - - message TlsContextMatchOptions { - option (udpa.annotations.versioning).previous_message_type = - "envoy.config.route.v3.RouteMatch.TlsContextMatchOptions"; - - // If specified, the route will match against whether or not a certificate is presented. - // If not specified, certificate presentation status (true or false) will not be considered when route matching. - google.protobuf.BoolValue presented = 1; - - // If specified, the route will match against whether or not a certificate is validated. - // If not specified, certificate validation status (true or false) will not be considered when route matching. - google.protobuf.BoolValue validated = 2; - } - - // An extensible message for matching CONNECT requests. - message ConnectMatcher { - option (udpa.annotations.versioning).previous_message_type = - "envoy.config.route.v3.RouteMatch.ConnectMatcher"; - } - - reserved 5, 3; - - reserved "regex"; - - oneof path_specifier { - option (validate.required) = true; - - // If specified, the route is a prefix rule meaning that the prefix must - // match the beginning of the *:path* header. - string prefix = 1; - - // If specified, the route is an exact path rule meaning that the path must - // exactly match the *:path* header once the query string is removed. - string path = 2; - - // If specified, the route is a regular expression rule meaning that the - // regex must match the *:path* header once the query string is removed. The entire path - // (without the query string) must match the regex. The rule will not match if only a - // subsequence of the *:path* header matches the regex. 
- // - // [#next-major-version: In the v3 API we should redo how path specification works such - // that we utilize StringMatcher, and additionally have consistent options around whether we - // strip query strings, do a case sensitive match, etc. In the interim it will be too disruptive - // to deprecate the existing options. We should even consider whether we want to do away with - // path_specifier entirely and just rely on a set of header matchers which can already match - // on :path, etc. The issue with that is it is unclear how to generically deal with query string - // stripping. This needs more thought.] - type.matcher.v4alpha.RegexMatcher safe_regex = 10 [(validate.rules).message = {required: true}]; - - // If this is used as the matcher, the matcher will only match CONNECT requests. - // Note that this will not match HTTP/2 upgrade-style CONNECT requests - // (WebSocket and the like) as they are normalized in Envoy as HTTP/1.1 style - // upgrades. - // This is the only way to match CONNECT requests for HTTP/1.1. For HTTP/2, - // where Extended CONNECT requests may have a path, the path matchers will work if - // there is a path present. - // Note that CONNECT support is currently considered alpha in Envoy. - // [#comment: TODO(htuch): Replace the above comment with an alpha tag.] - ConnectMatcher connect_matcher = 12; - } - - // Indicates that prefix/path matching should be case sensitive. The default - // is true. Ignored for safe_regex matching. - google.protobuf.BoolValue case_sensitive = 4; - - // Indicates that the route should additionally match on a runtime key. Every time the route - // is considered for a match, it must also fall under the percentage of matches indicated by - // this field. For some fraction N/D, a random number in the range [0,D) is selected. If the - // number is <= the value of the numerator N, or if the key is not present, the default - // value, the router continues to evaluate the remaining match criteria. 
A runtime_fraction - // route configuration can be used to roll out route changes in a gradual manner without full - // code/config deploys. Refer to the :ref:`traffic shifting - // ` docs for additional documentation. - // - // .. note:: - // - // Parsing this field is implemented such that the runtime key's data may be represented - // as a FractionalPercent proto represented as JSON/YAML and may also be represented as an - // integer with the assumption that the value is an integral percentage out of 100. For - // instance, a runtime key lookup returning the value "42" would parse as a FractionalPercent - // whose numerator is 42 and denominator is HUNDRED. This preserves legacy semantics. - core.v4alpha.RuntimeFractionalPercent runtime_fraction = 9; - - // Specifies a set of headers that the route should match on. The router will - // check the request’s headers against all the specified headers in the route - // config. A match will happen if all the headers in the route are present in - // the request with the same values (or based on presence if the value field - // is not in the config). - repeated HeaderMatcher headers = 6; - - // Specifies a set of URL query parameters on which the route should - // match. The router will check the query string from the *path* header - // against all the specified query parameters. If the number of specified - // query parameters is nonzero, they all must match the *path* header's - // query string for a match to occur. - repeated QueryParameterMatcher query_parameters = 7; - - // If specified, only gRPC requests will be matched. The router will check - // that the content-type header has a application/grpc or one of the various - // application/grpc+ values. - GrpcRouteMatchOptions grpc = 8; - - // If specified, the client tls context will be matched against the defined - // match options. 
- //
- // [#next-major-version: unify with RBAC]
- TlsContextMatchOptions tls_context = 11;
-}
-
-// [#next-free-field: 12]
-message CorsPolicy {
- option (udpa.annotations.versioning).previous_message_type = "envoy.config.route.v3.CorsPolicy";
-
- reserved 1, 8, 7;
-
- reserved "allow_origin", "allow_origin_regex", "enabled";
-
- // Specifies string patterns that match allowed origins. An origin is allowed if any of the
- // string matchers match.
- repeated type.matcher.v4alpha.StringMatcher allow_origin_string_match = 11;
-
- // Specifies the content for the *access-control-allow-methods* header.
- string allow_methods = 2;
-
- // Specifies the content for the *access-control-allow-headers* header.
- string allow_headers = 3;
-
- // Specifies the content for the *access-control-expose-headers* header.
- string expose_headers = 4;
-
- // Specifies the content for the *access-control-max-age* header.
- string max_age = 5;
-
- // Specifies whether the resource allows credentials.
- google.protobuf.BoolValue allow_credentials = 6;
-
- oneof enabled_specifier {
- // Specifies the % of requests for which the CORS filter is enabled.
- //
- // If neither ``enabled``, ``filter_enabled``, nor ``shadow_enabled`` are specified, the CORS
- // filter will be enabled for 100% of the requests.
- //
- // If :ref:`runtime_key ` is
- // specified, Envoy will lookup the runtime key to get the percentage of requests to filter.
- core.v4alpha.RuntimeFractionalPercent filter_enabled = 9;
- }
-
- // Specifies the % of requests for which the CORS policies will be evaluated and tracked, but not
- // enforced.
- //
- // This field is intended to be used when ``filter_enabled`` and ``enabled`` are off. One of those
- // fields have to explicitly disable the filter in order for this setting to take effect.
- // - // If :ref:`runtime_key ` is specified, - // Envoy will lookup the runtime key to get the percentage of requests for which it will evaluate - // and track the request's *Origin* to determine if it's valid but will not enforce any policies. - core.v4alpha.RuntimeFractionalPercent shadow_enabled = 10; -} - -// [#next-free-field: 38] -message RouteAction { - option (udpa.annotations.versioning).previous_message_type = "envoy.config.route.v3.RouteAction"; - - enum ClusterNotFoundResponseCode { - // HTTP status code - 503 Service Unavailable. - SERVICE_UNAVAILABLE = 0; - - // HTTP status code - 404 Not Found. - NOT_FOUND = 1; - } - - // Configures :ref:`internal redirect ` behavior. - // [#next-major-version: remove this definition - it's defined in the InternalRedirectPolicy message.] - enum InternalRedirectAction { - option deprecated = true; - - PASS_THROUGH_INTERNAL_REDIRECT = 0; - HANDLE_INTERNAL_REDIRECT = 1; - } - - // The router is capable of shadowing traffic from one cluster to another. The current - // implementation is "fire and forget," meaning Envoy will not wait for the shadow cluster to - // respond before returning the response from the primary cluster. All normal statistics are - // collected for the shadow cluster making this feature useful for testing. - // - // During shadowing, the host/authority header is altered such that *-shadow* is appended. This is - // useful for logging. For example, *cluster1* becomes *cluster1-shadow*. - // - // .. note:: - // - // Shadowing will not be triggered if the primary cluster does not exist. - message RequestMirrorPolicy { - option (udpa.annotations.versioning).previous_message_type = - "envoy.config.route.v3.RouteAction.RequestMirrorPolicy"; - - reserved 2; - - reserved "runtime_key"; - - // Specifies the cluster that requests will be mirrored to. The cluster must - // exist in the cluster manager configuration. 
- string cluster = 1 [(validate.rules).string = {min_len: 1}]; - - // If not specified, all requests to the target cluster will be mirrored. - // - // If specified, this field takes precedence over the `runtime_key` field and requests must also - // fall under the percentage of matches indicated by this field. - // - // For some fraction N/D, a random number in the range [0,D) is selected. If the - // number is <= the value of the numerator N, or if the key is not present, the default - // value, the request will be mirrored. - core.v4alpha.RuntimeFractionalPercent runtime_fraction = 3; - - // Determines if the trace span should be sampled. Defaults to true. - google.protobuf.BoolValue trace_sampled = 4; - } - - // Specifies the route's hashing policy if the upstream cluster uses a hashing :ref:`load balancer - // `. - // [#next-free-field: 7] - message HashPolicy { - option (udpa.annotations.versioning).previous_message_type = - "envoy.config.route.v3.RouteAction.HashPolicy"; - - message Header { - option (udpa.annotations.versioning).previous_message_type = - "envoy.config.route.v3.RouteAction.HashPolicy.Header"; - - // The name of the request header that will be used to obtain the hash - // key. If the request header is not present, no hash will be produced. - string header_name = 1 - [(validate.rules).string = {min_len: 1 well_known_regex: HTTP_HEADER_NAME strict: false}]; - - // If specified, the request header value will be rewritten and used - // to produce the hash key. - type.matcher.v4alpha.RegexMatchAndSubstitute regex_rewrite = 2; - } - - // Envoy supports two types of cookie affinity: - // - // 1. Passive. Envoy takes a cookie that's present in the cookies header and - // hashes on its value. - // - // 2. Generated. Envoy generates and sets a cookie with an expiration (TTL) - // on the first request from the client in its response to the client, - // based on the endpoint the request gets sent to. 
The client then - // presents this on the next and all subsequent requests. The hash of - // this is sufficient to ensure these requests get sent to the same - // endpoint. The cookie is generated by hashing the source and - // destination ports and addresses so that multiple independent HTTP2 - // streams on the same connection will independently receive the same - // cookie, even if they arrive at the Envoy simultaneously. - message Cookie { - option (udpa.annotations.versioning).previous_message_type = - "envoy.config.route.v3.RouteAction.HashPolicy.Cookie"; - - // The name of the cookie that will be used to obtain the hash key. If the - // cookie is not present and ttl below is not set, no hash will be - // produced. - string name = 1 [(validate.rules).string = {min_len: 1}]; - - // If specified, a cookie with the TTL will be generated if the cookie is - // not present. If the TTL is present and zero, the generated cookie will - // be a session cookie. - google.protobuf.Duration ttl = 2; - - // The name of the path for the cookie. If no path is specified here, no path - // will be set for the cookie. - string path = 3; - } - - message ConnectionProperties { - option (udpa.annotations.versioning).previous_message_type = - "envoy.config.route.v3.RouteAction.HashPolicy.ConnectionProperties"; - - // Hash on source IP address. - bool source_ip = 1; - } - - message QueryParameter { - option (udpa.annotations.versioning).previous_message_type = - "envoy.config.route.v3.RouteAction.HashPolicy.QueryParameter"; - - // The name of the URL query parameter that will be used to obtain the hash - // key. If the parameter is not present, no hash will be produced. Query - // parameter names are case-sensitive. 
- string name = 1 [(validate.rules).string = {min_len: 1}];
- }
-
- message FilterState {
- option (udpa.annotations.versioning).previous_message_type =
- "envoy.config.route.v3.RouteAction.HashPolicy.FilterState";
-
- // The name of the Object in the per-request filterState, which is an
- // Envoy::Http::Hashable object. If there is no data associated with the key,
- // or the stored object is not Envoy::Http::Hashable, no hash will be produced.
- string key = 1 [(validate.rules).string = {min_len: 1}];
- }
-
- oneof policy_specifier {
- option (validate.required) = true;
-
- // Header hash policy.
- Header header = 1;
-
- // Cookie hash policy.
- Cookie cookie = 2;
-
- // Connection properties hash policy.
- ConnectionProperties connection_properties = 3;
-
- // Query parameter hash policy.
- QueryParameter query_parameter = 5;
-
- // Filter state hash policy.
- FilterState filter_state = 6;
- }
-
- // The flag that short-circuits the hash computing. This field provides a
- // 'fallback' style of configuration: "if a terminal policy doesn't work,
- // fallback to rest of the policy list", it saves time when the terminal
- // policy works.
- //
- // If true, and there is already a hash computed, ignore rest of the
- // list of hash polices.
- // For example, if the following hash methods are configured:
- //
- // ========= ========
- // specifier terminal
- // ========= ========
- // Header A true
- // Header B false
- // Header C false
- // ========= ========
- //
- // The generateHash process ends if policy "header A" generates a hash, as
- // it's a terminal policy.
- bool terminal = 4;
- }
-
- // Allows enabling and disabling upgrades on a per-route basis.
- // This overrides any enabled/disabled upgrade filter chain specified in the
- // HttpConnectionManager
- // :ref:`upgrade_configs
- // `
- // but does not affect any custom filter chain specified there.
- message UpgradeConfig { - option (udpa.annotations.versioning).previous_message_type = - "envoy.config.route.v3.RouteAction.UpgradeConfig"; - - // Configuration for sending data upstream as a raw data payload. This is used for - // CONNECT or POST requests, when forwarding request payload as raw TCP. - message ConnectConfig { - option (udpa.annotations.versioning).previous_message_type = - "envoy.config.route.v3.RouteAction.UpgradeConfig.ConnectConfig"; - - // If present, the proxy protocol header will be prepended to the CONNECT payload sent upstream. - core.v4alpha.ProxyProtocolConfig proxy_protocol_config = 1; - - // If set, the route will also allow forwarding POST payload as raw TCP. - bool allow_post = 2; - } - - // The case-insensitive name of this upgrade, e.g. "websocket". - // For each upgrade type present in upgrade_configs, requests with - // Upgrade: [upgrade_type] will be proxied upstream. - string upgrade_type = 1 - [(validate.rules).string = {min_len: 1 well_known_regex: HTTP_HEADER_VALUE strict: false}]; - - // Determines if upgrades are available on this route. Defaults to true. - google.protobuf.BoolValue enabled = 2; - - // Configuration for sending data upstream as a raw data payload. This is used for - // CONNECT requests, when forwarding CONNECT payload as raw TCP. - // Note that CONNECT support is currently considered alpha in Envoy. - // [#comment: TODO(htuch): Replace the above comment with an alpha tag.] - ConnectConfig connect_config = 3; - } - - message MaxStreamDuration { - option (udpa.annotations.versioning).previous_message_type = - "envoy.config.route.v3.RouteAction.MaxStreamDuration"; - - // Specifies the maximum duration allowed for streams on the route. If not specified, the value - // from the :ref:`max_stream_duration - // ` field in - // :ref:`HttpConnectionManager.common_http_protocol_options - // ` - // is used. 
If this field is set explicitly to zero, any - // HttpConnectionManager max_stream_duration timeout will be disabled for - // this route. - google.protobuf.Duration max_stream_duration = 1; - - // If present, and the request contains a `grpc-timeout header - // `_, use that value as the - // *max_stream_duration*, but limit the applied timeout to the maximum value specified here. - // If set to 0, the `grpc-timeout` header is used without modification. - google.protobuf.Duration grpc_timeout_header_max = 2; - - // If present, Envoy will adjust the timeout provided by the `grpc-timeout` header by - // subtracting the provided duration from the header. This is useful for allowing Envoy to set - // its global timeout to be less than that of the deadline imposed by the calling client, which - // makes it more likely that Envoy will handle the timeout instead of having the call canceled - // by the client. If, after applying the offset, the resulting timeout is zero or negative, - // the stream will timeout immediately. - google.protobuf.Duration grpc_timeout_header_offset = 3; - } - - reserved 12, 18, 19, 16, 22, 21, 10; - - reserved "request_mirror_policy"; - - oneof cluster_specifier { - option (validate.required) = true; - - // Indicates the upstream cluster to which the request should be routed - // to. - string cluster = 1 [(validate.rules).string = {min_len: 1}]; - - // Envoy will determine the cluster to route to by reading the value of the - // HTTP header named by cluster_header from the request headers. If the - // header is not found or the referenced cluster does not exist, Envoy will - // return a 404 response. - // - // .. attention:: - // - // Internally, Envoy always uses the HTTP/2 *:authority* header to represent the HTTP/1 - // *Host* header. Thus, if attempting to match on *Host*, match on *:authority* instead. - // - // .. note:: - // - // If the header appears multiple times only the first value is used. 
- string cluster_header = 2 - [(validate.rules).string = {min_len: 1 well_known_regex: HTTP_HEADER_NAME strict: false}]; - - // Multiple upstream clusters can be specified for a given route. The - // request is routed to one of the upstream clusters based on weights - // assigned to each cluster. See - // :ref:`traffic splitting ` - // for additional documentation. - WeightedCluster weighted_clusters = 3; - - // [#not-implemented-hide:] - // Name of the cluster specifier plugin to use to determine the cluster for - // requests on this route. The plugin name must be defined in the associated - // :ref:`envoy_v3_api_field_config.route.v3.RouteConfiguration.cluster_specifier_plugins` - // in the - // :ref:`envoy_v3_api_field_config.core.v3.TypedExtensionConfig.name` field. - string cluster_specifier_plugin = 37; - } - - // The HTTP status code to use when configured cluster is not found. - // The default response code is 503 Service Unavailable. - ClusterNotFoundResponseCode cluster_not_found_response_code = 20 - [(validate.rules).enum = {defined_only: true}]; - - // Optional endpoint metadata match criteria used by the subset load balancer. Only endpoints - // in the upstream cluster with metadata matching what's set in this field will be considered - // for load balancing. If using :ref:`weighted_clusters - // `, metadata will be merged, with values - // provided there taking precedence. The filter name should be specified as *envoy.lb*. - core.v4alpha.Metadata metadata_match = 4; - - // Indicates that during forwarding, the matched prefix (or path) should be - // swapped with this value. This option allows application URLs to be rooted - // at a different path from those exposed at the reverse proxy layer. The router filter will - // place the original path before rewrite into the :ref:`x-envoy-original-path - // ` header. - // - // Only one of *prefix_rewrite* or - // :ref:`regex_rewrite ` - // may be specified. - // - // .. 
attention:: - // - // Pay careful attention to the use of trailing slashes in the - // :ref:`route's match ` prefix value. - // Stripping a prefix from a path requires multiple Routes to handle all cases. For example, - // rewriting */prefix* to */* and */prefix/etc* to */etc* cannot be done in a single - // :ref:`Route `, as shown by the below config entries: - // - // .. code-block:: yaml - // - // - match: - // prefix: "/prefix/" - // route: - // prefix_rewrite: "/" - // - match: - // prefix: "/prefix" - // route: - // prefix_rewrite: "/" - // - // Having above entries in the config, requests to */prefix* will be stripped to */*, while - // requests to */prefix/etc* will be stripped to */etc*. - string prefix_rewrite = 5 - [(validate.rules).string = {well_known_regex: HTTP_HEADER_VALUE strict: false}]; - - // Indicates that during forwarding, portions of the path that match the - // pattern should be rewritten, even allowing the substitution of capture - // groups from the pattern into the new path as specified by the rewrite - // substitution string. This is useful to allow application paths to be - // rewritten in a way that is aware of segments with variable content like - // identifiers. The router filter will place the original path as it was - // before the rewrite into the :ref:`x-envoy-original-path - // ` header. - // - // Only one of :ref:`prefix_rewrite ` - // or *regex_rewrite* may be specified. - // - // Examples using Google's `RE2 `_ engine: - // - // * The path pattern ``^/service/([^/]+)(/.*)$`` paired with a substitution - // string of ``\2/instance/\1`` would transform ``/service/foo/v1/api`` - // into ``/v1/api/instance/foo``. - // - // * The pattern ``one`` paired with a substitution string of ``two`` would - // transform ``/xxx/one/yyy/one/zzz`` into ``/xxx/two/yyy/two/zzz``. 
- //
- // * The pattern ``^(.*?)one(.*)$`` paired with a substitution string of
- // ``\1two\2`` would replace only the first occurrence of ``one``,
- // transforming path ``/xxx/one/yyy/one/zzz`` into ``/xxx/two/yyy/one/zzz``.
- //
- // * The pattern ``(?i)/xxx/`` paired with a substitution string of ``/yyy/``
- // would do a case-insensitive match and transform path ``/aaa/XxX/bbb`` to
- // ``/aaa/yyy/bbb``.
- type.matcher.v4alpha.RegexMatchAndSubstitute regex_rewrite = 32;
-
- oneof host_rewrite_specifier {
- // Indicates that during forwarding, the host header will be swapped with
- // this value.
- string host_rewrite_literal = 6
- [(validate.rules).string = {well_known_regex: HTTP_HEADER_VALUE strict: false}];
-
- // Indicates that during forwarding, the host header will be swapped with
- // the hostname of the upstream host chosen by the cluster manager. This
- // option is applicable only when the destination cluster for a route is of
- // type *strict_dns* or *logical_dns*. Setting this to true with other cluster
- // types has no effect.
- google.protobuf.BoolValue auto_host_rewrite = 7;
-
- // Indicates that during forwarding, the host header will be swapped with the content of given
- // downstream or :ref:`custom ` header.
- // If header value is empty, host header is left intact.
- //
- // .. attention::
- //
- // Pay attention to the potential security implications of using this option. Provided header
- // must come from trusted source.
- //
- // .. note::
- //
- // If the header appears multiple times only the first value is used.
- string host_rewrite_header = 29
- [(validate.rules).string = {well_known_regex: HTTP_HEADER_NAME strict: false}];
-
- // Indicates that during forwarding, the host header will be swapped with
- // the result of the regex substitution executed on path value with query and fragment removed.
- // This is useful for transitioning variable content between path segment and subdomain.
- //
- // For example with the following config:
- //
- // .. code-block:: yaml
- //
- // host_rewrite_path_regex:
- // pattern:
- // google_re2: {}
- // regex: "^/(.+)/.+$"
- // substitution: \1
- //
- // Would rewrite the host header to `envoyproxy.io` given the path `/envoyproxy.io/some/path`.
- type.matcher.v4alpha.RegexMatchAndSubstitute host_rewrite_path_regex = 35;
- }
-
- // Specifies the upstream timeout for the route. If not specified, the default is 15s. This
- // spans between the point at which the entire downstream request (i.e. end-of-stream) has been
- // processed and when the upstream response has been completely processed. A value of 0 will
- // disable the route's timeout.
- //
- // .. note::
- //
- // This timeout includes all retries. See also
- // :ref:`config_http_filters_router_x-envoy-upstream-rq-timeout-ms`,
- // :ref:`config_http_filters_router_x-envoy-upstream-rq-per-try-timeout-ms`, and the
- // :ref:`retry overview `.
- google.protobuf.Duration timeout = 8;
-
- // Specifies the idle timeout for the route. If not specified, there is no per-route idle timeout,
- // although the connection manager wide :ref:`stream_idle_timeout
- // `
- // will still apply. A value of 0 will completely disable the route's idle timeout, even if a
- // connection manager stream idle timeout is configured.
- //
- // The idle timeout is distinct to :ref:`timeout
- // `, which provides an upper bound
- // on the upstream response time; :ref:`idle_timeout
- // ` instead bounds the amount
- // of time the request's stream may be idle.
- //
- // After header decoding, the idle timeout will apply on downstream and
- // upstream request events. Each time an encode/decode event for headers or
- // data is processed for the stream, the timer will be reset. If the timeout
- // fires, the stream is terminated with a 408 Request Timeout error code if no
- // upstream response header has been received, otherwise a stream reset
- // occurs.
- // - // If the :ref:`overload action ` "envoy.overload_actions.reduce_timeouts" - // is configured, this timeout is scaled according to the value for - // :ref:`HTTP_DOWNSTREAM_STREAM_IDLE `. - google.protobuf.Duration idle_timeout = 24; - - // Indicates that the route has a retry policy. Note that if this is set, - // it'll take precedence over the virtual host level retry policy entirely - // (e.g.: policies are not merged, most internal one becomes the enforced policy). - RetryPolicy retry_policy = 9; - - // [#not-implemented-hide:] - // Specifies the configuration for retry policy extension. Note that if this is set, it'll take - // precedence over the virtual host level retry policy entirely (e.g.: policies are not merged, - // most internal one becomes the enforced policy). :ref:`Retry policy ` - // should not be set if this field is used. - google.protobuf.Any retry_policy_typed_config = 33; - - // Indicates that the route has request mirroring policies. - repeated RequestMirrorPolicy request_mirror_policies = 30; - - // Optionally specifies the :ref:`routing priority `. - core.v4alpha.RoutingPriority priority = 11 [(validate.rules).enum = {defined_only: true}]; - - // Specifies a set of rate limit configurations that could be applied to the - // route. - repeated RateLimit rate_limits = 13; - - // Specifies if the rate limit filter should include the virtual host rate - // limits. By default, if the route configured rate limits, the virtual host - // :ref:`rate_limits ` are not applied to the - // request. - // - // This field is deprecated. Please use :ref:`vh_rate_limits ` - google.protobuf.BoolValue hidden_envoy_deprecated_include_vh_rate_limits = 14 - [deprecated = true, (envoy.annotations.deprecated_at_minor_version) = "3.0"]; - - // Specifies a list of hash policies to use for ring hash load balancing. Each - // hash policy is evaluated individually and the combined result is used to - // route the request. 
The method of combination is deterministic such that - // identical lists of hash policies will produce the same hash. Since a hash - // policy examines specific parts of a request, it can fail to produce a hash - // (i.e. if the hashed header is not present). If (and only if) all configured - // hash policies fail to generate a hash, no hash will be produced for - // the route. In this case, the behavior is the same as if no hash policies - // were specified (i.e. the ring hash load balancer will choose a random - // backend). If a hash policy has the "terminal" attribute set to true, and - // there is already a hash generated, the hash is returned immediately, - // ignoring the rest of the hash policy list. - repeated HashPolicy hash_policy = 15; - - // Indicates that the route has a CORS policy. - CorsPolicy cors = 17; - - // Deprecated by :ref:`grpc_timeout_header_max ` - // If present, and the request is a gRPC request, use the - // `grpc-timeout header `_, - // or its default value (infinity) instead of - // :ref:`timeout `, but limit the applied timeout - // to the maximum value specified here. If configured as 0, the maximum allowed timeout for - // gRPC requests is infinity. If not configured at all, the `grpc-timeout` header is not used - // and gRPC requests time out like any other requests using - // :ref:`timeout ` or its default. - // This can be used to prevent unexpected upstream request timeouts due to potentially long - // time gaps between gRPC request and response in gRPC streaming mode. - // - // .. note:: - // - // If a timeout is specified using :ref:`config_http_filters_router_x-envoy-upstream-rq-timeout-ms`, it takes - // precedence over `grpc-timeout header `_, when - // both are present. See also - // :ref:`config_http_filters_router_x-envoy-upstream-rq-timeout-ms`, - // :ref:`config_http_filters_router_x-envoy-upstream-rq-per-try-timeout-ms`, and the - // :ref:`retry overview `. 
- google.protobuf.Duration hidden_envoy_deprecated_max_grpc_timeout = 23
- [deprecated = true, (envoy.annotations.deprecated_at_minor_version) = "3.0"];
-
- // Deprecated by :ref:`grpc_timeout_header_offset `.
- // If present, Envoy will adjust the timeout provided by the `grpc-timeout` header by subtracting
- // the provided duration from the header. This is useful in allowing Envoy to set its global
- // timeout to be less than that of the deadline imposed by the calling client, which makes it more
- // likely that Envoy will handle the timeout instead of having the call canceled by the client.
- // The offset will only be applied if the provided grpc_timeout is greater than the offset. This
- // ensures that the offset will only ever decrease the timeout and never set it to 0 (meaning
- // infinity).
- google.protobuf.Duration hidden_envoy_deprecated_grpc_timeout_offset = 28
- [deprecated = true, (envoy.annotations.deprecated_at_minor_version) = "3.0"];
-
- repeated UpgradeConfig upgrade_configs = 25;
-
- // If present, Envoy will try to follow an upstream redirect response instead of proxying the
- // response back to the downstream. An upstream redirect response is defined
- // by :ref:`redirect_response_codes
- // `.
- InternalRedirectPolicy internal_redirect_policy = 34;
-
- InternalRedirectAction hidden_envoy_deprecated_internal_redirect_action = 26
- [deprecated = true, (envoy.annotations.deprecated_at_minor_version) = "3.0"];
-
- // An internal redirect is handled, iff the number of previous internal redirects that a
- // downstream request has encountered is lower than this value, and
- // :ref:`internal_redirect_action `
- // is set to :ref:`HANDLE_INTERNAL_REDIRECT
- // `
- // In the case where a downstream request is bounced among multiple routes by internal redirect,
- // the first route that hits this threshold, or has
- // :ref:`internal_redirect_action `
- // set to
- // :ref:`PASS_THROUGH_INTERNAL_REDIRECT
- // `
- // will pass the redirect back to downstream.
- //
- // If not specified, at most one redirect will be followed.
- google.protobuf.UInt32Value hidden_envoy_deprecated_max_internal_redirects = 31
- [deprecated = true, (envoy.annotations.deprecated_at_minor_version) = "3.0"];
-
- // Indicates that the route has a hedge policy. Note that if this is set,
- // it'll take precedence over the virtual host level hedge policy entirely
- // (e.g.: policies are not merged, most internal one becomes the enforced policy).
- HedgePolicy hedge_policy = 27;
-
- // Specifies the maximum stream duration for this route.
- MaxStreamDuration max_stream_duration = 36;
-}
-
-// HTTP retry :ref:`architecture overview `.
-// [#next-free-field: 12]
-message RetryPolicy {
- option (udpa.annotations.versioning).previous_message_type = "envoy.config.route.v3.RetryPolicy";
-
- enum ResetHeaderFormat {
- SECONDS = 0;
- UNIX_TIMESTAMP = 1;
- }
-
- message RetryPriority {
- option (udpa.annotations.versioning).previous_message_type =
- "envoy.config.route.v3.RetryPolicy.RetryPriority";
-
- reserved 2;
-
- reserved "config";
-
- string name = 1 [(validate.rules).string = {min_len: 1}];
-
- // [#extension-category: envoy.retry_priorities]
- oneof config_type {
- google.protobuf.Any typed_config = 3;
- }
- }
-
- message RetryHostPredicate {
- option (udpa.annotations.versioning).previous_message_type =
- "envoy.config.route.v3.RetryPolicy.RetryHostPredicate";
-
- reserved 2;
-
- reserved "config";
-
- string name = 1 [(validate.rules).string = {min_len: 1}];
-
- // [#extension-category: envoy.retry_host_predicates]
- oneof config_type {
- google.protobuf.Any typed_config = 3;
- }
- }
-
- message RetryBackOff {
- option (udpa.annotations.versioning).previous_message_type =
- "envoy.config.route.v3.RetryPolicy.RetryBackOff";
-
- // Specifies the base interval between retries. This parameter is required and must be greater
- // than zero. Values less than 1 ms are rounded up to 1 ms.
- // See :ref:`config_http_filters_router_x-envoy-max-retries` for a discussion of Envoy's
- // back-off algorithm.
- google.protobuf.Duration base_interval = 1 [(validate.rules).duration = {
- required: true
- gt {}
- }];
-
- // Specifies the maximum interval between retries. This parameter is optional, but must be
- // greater than or equal to the `base_interval` if set. The default is 10 times the
- // `base_interval`. See :ref:`config_http_filters_router_x-envoy-max-retries` for a discussion
- // of Envoy's back-off algorithm.
- google.protobuf.Duration max_interval = 2 [(validate.rules).duration = {gt {}}]; - } - - message ResetHeader { - option (udpa.annotations.versioning).previous_message_type = - "envoy.config.route.v3.RetryPolicy.ResetHeader"; - - // The name of the reset header. - // - // .. note:: - // - // If the header appears multiple times only the first value is used. - string name = 1 - [(validate.rules).string = {min_len: 1 well_known_regex: HTTP_HEADER_NAME strict: false}]; - - // The format of the reset header. - ResetHeaderFormat format = 2 [(validate.rules).enum = {defined_only: true}]; - } - - // A retry back-off strategy that applies when the upstream server rate limits - // the request. - // - // Given this configuration: - // - // .. code-block:: yaml - // - // rate_limited_retry_back_off: - // reset_headers: - // - name: Retry-After - // format: SECONDS - // - name: X-RateLimit-Reset - // format: UNIX_TIMESTAMP - // max_interval: "300s" - // - // The following algorithm will apply: - // - // 1. If the response contains the header ``Retry-After`` its value must be on - // the form ``120`` (an integer that represents the number of seconds to - // wait before retrying). If so, this value is used as the back-off interval. - // 2. Otherwise, if the response contains the header ``X-RateLimit-Reset`` its - // value must be on the form ``1595320702`` (an integer that represents the - // point in time at which to retry, as a Unix timestamp in seconds). If so, - // the current time is subtracted from this value and the result is used as - // the back-off interval. - // 3. Otherwise, Envoy will use the default - // :ref:`exponential back-off ` - // strategy. - // - // No matter which format is used, if the resulting back-off interval exceeds - // ``max_interval`` it is discarded and the next header in ``reset_headers`` - // is tried. If a request timeout is configured for the route it will further - // limit how long the request will be allowed to run. 
- // - // To prevent many clients retrying at the same point in time jitter is added - // to the back-off interval, so the resulting interval is decided by taking: - // ``random(interval, interval * 1.5)``. - // - // .. attention:: - // - // Configuring ``rate_limited_retry_back_off`` will not by itself cause a request - // to be retried. You will still need to configure the right retry policy to match - // the responses from the upstream server. - message RateLimitedRetryBackOff { - option (udpa.annotations.versioning).previous_message_type = - "envoy.config.route.v3.RetryPolicy.RateLimitedRetryBackOff"; - - // Specifies the reset headers (like ``Retry-After`` or ``X-RateLimit-Reset``) - // to match against the response. Headers are tried in order, and matched case - // insensitive. The first header to be parsed successfully is used. If no headers - // match the default exponential back-off is used instead. - repeated ResetHeader reset_headers = 1 [(validate.rules).repeated = {min_items: 1}]; - - // Specifies the maximum back off interval that Envoy will allow. If a reset - // header contains an interval longer than this then it will be discarded and - // the next header will be tried. Defaults to 300 seconds. - google.protobuf.Duration max_interval = 2 [(validate.rules).duration = {gt {}}]; - } - - // Specifies the conditions under which retry takes place. These are the same - // conditions documented for :ref:`config_http_filters_router_x-envoy-retry-on` and - // :ref:`config_http_filters_router_x-envoy-retry-grpc-on`. - string retry_on = 1; - - // Specifies the allowed number of retries. This parameter is optional and - // defaults to 1. These are the same conditions documented for - // :ref:`config_http_filters_router_x-envoy-max-retries`. - google.protobuf.UInt32Value max_retries = 2; - - // Specifies a non-zero upstream timeout per retry attempt. This parameter is optional. 
The - // same conditions documented for - // :ref:`config_http_filters_router_x-envoy-upstream-rq-per-try-timeout-ms` apply. - // - // .. note:: - // - // If left unspecified, Envoy will use the global - // :ref:`route timeout ` for the request. - // Consequently, when using a :ref:`5xx ` based - // retry policy, a request that times out will not be retried as the total timeout budget - // would have been exhausted. - google.protobuf.Duration per_try_timeout = 3; - - // Specifies an implementation of a RetryPriority which is used to determine the - // distribution of load across priorities used for retries. Refer to - // :ref:`retry plugin configuration ` for more details. - RetryPriority retry_priority = 4; - - // Specifies a collection of RetryHostPredicates that will be consulted when selecting a host - // for retries. If any of the predicates reject the host, host selection will be reattempted. - // Refer to :ref:`retry plugin configuration ` for more - // details. - repeated RetryHostPredicate retry_host_predicate = 5; - - // The maximum number of times host selection will be reattempted before giving up, at which - // point the host that was last selected will be routed to. If unspecified, this will default to - // retrying once. - int64 host_selection_retry_max_attempts = 6; - - // HTTP status codes that should trigger a retry in addition to those specified by retry_on. - repeated uint32 retriable_status_codes = 7; - - // Specifies parameters that control exponential retry back off. This parameter is optional, in which case the - // default base interval is 25 milliseconds or, if set, the current value of the - // `upstream.base_retry_backoff_ms` runtime parameter. The default maximum interval is 10 times - // the base interval. The documentation for :ref:`config_http_filters_router_x-envoy-max-retries` - // describes Envoy's back-off algorithm. 
- RetryBackOff retry_back_off = 8; - - // Specifies parameters that control a retry back-off strategy that is used - // when the request is rate limited by the upstream server. The server may - // return a response header like ``Retry-After`` or ``X-RateLimit-Reset`` to - // provide feedback to the client on how long to wait before retrying. If - // configured, this back-off strategy will be used instead of the - // default exponential back off strategy (configured using `retry_back_off`) - // whenever a response includes the matching headers. - RateLimitedRetryBackOff rate_limited_retry_back_off = 11; - - // HTTP response headers that trigger a retry if present in the response. A retry will be - // triggered if any of the header matches match the upstream response headers. - // The field is only consulted if 'retriable-headers' retry policy is active. - repeated HeaderMatcher retriable_headers = 9; - - // HTTP headers which must be present in the request for retries to be attempted. - repeated HeaderMatcher retriable_request_headers = 10; -} - -// HTTP request hedging :ref:`architecture overview `. -message HedgePolicy { - option (udpa.annotations.versioning).previous_message_type = "envoy.config.route.v3.HedgePolicy"; - - // Specifies the number of initial requests that should be sent upstream. - // Must be at least 1. - // Defaults to 1. - // [#not-implemented-hide:] - google.protobuf.UInt32Value initial_requests = 1 [(validate.rules).uint32 = {gte: 1}]; - - // Specifies a probability that an additional upstream request should be sent - // on top of what is specified by initial_requests. - // Defaults to 0. - // [#not-implemented-hide:] - type.v3.FractionalPercent additional_request_chance = 2; - - // Indicates that a hedged request should be sent when the per-try timeout is hit. - // This means that a retry will be issued without resetting the original request, leaving multiple upstream requests in flight. 
- // The first request to complete successfully will be the one returned to the caller. - // - // * At any time, a successful response (i.e. not triggering any of the retry-on conditions) would be returned to the client. - // * Before per-try timeout, an error response (per retry-on conditions) would be retried immediately or returned ot the client - // if there are no more retries left. - // * After per-try timeout, an error response would be discarded, as a retry in the form of a hedged request is already in progress. - // - // Note: For this to have effect, you must have a :ref:`RetryPolicy ` that retries at least - // one error code and specifies a maximum number of retries. - // - // Defaults to false. - bool hedge_on_per_try_timeout = 3; -} - -// [#next-free-field: 10] -message RedirectAction { - option (udpa.annotations.versioning).previous_message_type = - "envoy.config.route.v3.RedirectAction"; - - enum RedirectResponseCode { - // Moved Permanently HTTP Status Code - 301. - MOVED_PERMANENTLY = 0; - - // Found HTTP Status Code - 302. - FOUND = 1; - - // See Other HTTP Status Code - 303. - SEE_OTHER = 2; - - // Temporary Redirect HTTP Status Code - 307. - TEMPORARY_REDIRECT = 3; - - // Permanent Redirect HTTP Status Code - 308. - PERMANENT_REDIRECT = 4; - } - - // When the scheme redirection take place, the following rules apply: - // 1. If the source URI scheme is `http` and the port is explicitly - // set to `:80`, the port will be removed after the redirection - // 2. If the source URI scheme is `https` and the port is explicitly - // set to `:443`, the port will be removed after the redirection - oneof scheme_rewrite_specifier { - // The scheme portion of the URL will be swapped with "https". - bool https_redirect = 4; - - // The scheme portion of the URL will be swapped with this value. - string scheme_redirect = 7; - } - - // The host portion of the URL will be swapped with this value. 
- string host_redirect = 1 - [(validate.rules).string = {well_known_regex: HTTP_HEADER_VALUE strict: false}]; - - // The port value of the URL will be swapped with this value. - uint32 port_redirect = 8; - - oneof path_rewrite_specifier { - // The path portion of the URL will be swapped with this value. - // Please note that query string in path_redirect will override the - // request's query string and will not be stripped. - // - // For example, let's say we have the following routes: - // - // - match: { path: "/old-path-1" } - // redirect: { path_redirect: "/new-path-1" } - // - match: { path: "/old-path-2" } - // redirect: { path_redirect: "/new-path-2", strip-query: "true" } - // - match: { path: "/old-path-3" } - // redirect: { path_redirect: "/new-path-3?foo=1", strip_query: "true" } - // - // 1. if request uri is "/old-path-1?bar=1", users will be redirected to "/new-path-1?bar=1" - // 2. if request uri is "/old-path-2?bar=1", users will be redirected to "/new-path-2" - // 3. if request uri is "/old-path-3?bar=1", users will be redirected to "/new-path-3?foo=1" - string path_redirect = 2 - [(validate.rules).string = {well_known_regex: HTTP_HEADER_VALUE strict: false}]; - - // Indicates that during redirection, the matched prefix (or path) - // should be swapped with this value. This option allows redirect URLs be dynamically created - // based on the request. - // - // .. attention:: - // - // Pay attention to the use of trailing slashes as mentioned in - // :ref:`RouteAction's prefix_rewrite `. - string prefix_rewrite = 5 - [(validate.rules).string = {well_known_regex: HTTP_HEADER_VALUE strict: false}]; - - // Indicates that during redirect, portions of the path that match the - // pattern should be rewritten, even allowing the substitution of capture - // groups from the pattern into the new path as specified by the rewrite - // substitution string. 
This is useful to allow application paths to be - // rewritten in a way that is aware of segments with variable content like - // identifiers. - // - // Examples using Google's `RE2 `_ engine: - // - // * The path pattern ``^/service/([^/]+)(/.*)$`` paired with a substitution - // string of ``\2/instance/\1`` would transform ``/service/foo/v1/api`` - // into ``/v1/api/instance/foo``. - // - // * The pattern ``one`` paired with a substitution string of ``two`` would - // transform ``/xxx/one/yyy/one/zzz`` into ``/xxx/two/yyy/two/zzz``. - // - // * The pattern ``^(.*?)one(.*)$`` paired with a substitution string of - // ``\1two\2`` would replace only the first occurrence of ``one``, - // transforming path ``/xxx/one/yyy/one/zzz`` into ``/xxx/two/yyy/one/zzz``. - // - // * The pattern ``(?i)/xxx/`` paired with a substitution string of ``/yyy/`` - // would do a case-insensitive match and transform path ``/aaa/XxX/bbb`` to - // ``/aaa/yyy/bbb``. - type.matcher.v4alpha.RegexMatchAndSubstitute regex_rewrite = 9; - } - - // The HTTP status code to use in the redirect response. The default response - // code is MOVED_PERMANENTLY (301). - RedirectResponseCode response_code = 3 [(validate.rules).enum = {defined_only: true}]; - - // Indicates that during redirection, the query portion of the URL will - // be removed. Default value is false. - bool strip_query = 6; -} - -message DirectResponseAction { - option (udpa.annotations.versioning).previous_message_type = - "envoy.config.route.v3.DirectResponseAction"; - - // Specifies the HTTP response status to be returned. - uint32 status = 1 [(validate.rules).uint32 = {lt: 600 gte: 100}]; - - // Specifies the content of the response body. If this setting is omitted, - // no body is included in the generated response. - // - // .. 
note:: - // - // Headers can be specified using *response_headers_to_add* in the enclosing - // :ref:`envoy_v3_api_msg_config.route.v3.Route`, :ref:`envoy_v3_api_msg_config.route.v3.RouteConfiguration` or - // :ref:`envoy_v3_api_msg_config.route.v3.VirtualHost`. - core.v4alpha.DataSource body = 2; -} - -// [#not-implemented-hide:] -message NonForwardingAction { - option (udpa.annotations.versioning).previous_message_type = - "envoy.config.route.v3.NonForwardingAction"; -} - -message Decorator { - option (udpa.annotations.versioning).previous_message_type = "envoy.config.route.v3.Decorator"; - - // The operation name associated with the request matched to this route. If tracing is - // enabled, this information will be used as the span name reported for this request. - // - // .. note:: - // - // For ingress (inbound) requests, or egress (outbound) responses, this value may be overridden - // by the :ref:`x-envoy-decorator-operation - // ` header. - string operation = 1 [(validate.rules).string = {min_len: 1}]; - - // Whether the decorated details should be propagated to the other party. The default is true. - google.protobuf.BoolValue propagate = 2; -} - -message Tracing { - option (udpa.annotations.versioning).previous_message_type = "envoy.config.route.v3.Tracing"; - - // Target percentage of requests managed by this HTTP connection manager that will be force - // traced if the :ref:`x-client-trace-id ` - // header is set. This field is a direct analog for the runtime variable - // 'tracing.client_sampling' in the :ref:`HTTP Connection Manager - // `. - // Default: 100% - type.v3.FractionalPercent client_sampling = 1; - - // Target percentage of requests managed by this HTTP connection manager that will be randomly - // selected for trace generation, if not requested by the client or not forced. This field is - // a direct analog for the runtime variable 'tracing.random_sampling' in the - // :ref:`HTTP Connection Manager `. 
- // Default: 100% - type.v3.FractionalPercent random_sampling = 2; - - // Target percentage of requests managed by this HTTP connection manager that will be traced - // after all other sampling checks have been applied (client-directed, force tracing, random - // sampling). This field functions as an upper limit on the total configured sampling rate. For - // instance, setting client_sampling to 100% but overall_sampling to 1% will result in only 1% - // of client requests with the appropriate headers to be force traced. This field is a direct - // analog for the runtime variable 'tracing.global_enabled' in the - // :ref:`HTTP Connection Manager `. - // Default: 100% - type.v3.FractionalPercent overall_sampling = 3; - - // A list of custom tags with unique tag name to create tags for the active span. - // It will take effect after merging with the :ref:`corresponding configuration - // ` - // configured in the HTTP connection manager. If two tags with the same name are configured - // each in the HTTP connection manager and the route level, the one configured here takes - // priority. - repeated type.tracing.v3.CustomTag custom_tags = 4; -} - -// A virtual cluster is a way of specifying a regex matching rule against -// certain important endpoints such that statistics are generated explicitly for -// the matched requests. The reason this is useful is that when doing -// prefix/path matching Envoy does not always know what the application -// considers to be an endpoint. Thus, it’s impossible for Envoy to generically -// emit per endpoint statistics. However, often systems have highly critical -// endpoints that they wish to get “perfect” statistics on. Virtual cluster -// statistics are perfect in the sense that they are emitted on the downstream -// side such that they include network level failures. -// -// Documentation for :ref:`virtual cluster statistics `. -// -// .. 
note:: -// -// Virtual clusters are a useful tool, but we do not recommend setting up a virtual cluster for -// every application endpoint. This is both not easily maintainable and as well the matching and -// statistics output are not free. -message VirtualCluster { - option (udpa.annotations.versioning).previous_message_type = - "envoy.config.route.v3.VirtualCluster"; - - reserved 1, 3; - - reserved "pattern", "method"; - - // Specifies a list of header matchers to use for matching requests. Each specified header must - // match. The pseudo-headers `:path` and `:method` can be used to match the request path and - // method, respectively. - repeated HeaderMatcher headers = 4; - - // Specifies the name of the virtual cluster. The virtual cluster name as well - // as the virtual host name are used when emitting statistics. The statistics are emitted by the - // router filter and are documented :ref:`here `. - string name = 2 [(validate.rules).string = {min_len: 1}]; -} - -// Global rate limiting :ref:`architecture overview `. -// Also applies to Local rate limiting :ref:`using descriptors `. -message RateLimit { - option (udpa.annotations.versioning).previous_message_type = "envoy.config.route.v3.RateLimit"; - - // [#next-free-field: 10] - message Action { - option (udpa.annotations.versioning).previous_message_type = - "envoy.config.route.v3.RateLimit.Action"; - - // The following descriptor entry is appended to the descriptor: - // - // .. code-block:: cpp - // - // ("source_cluster", "") - // - // is derived from the :option:`--service-cluster` option. - message SourceCluster { - option (udpa.annotations.versioning).previous_message_type = - "envoy.config.route.v3.RateLimit.Action.SourceCluster"; - } - - // The following descriptor entry is appended to the descriptor: - // - // .. 
code-block:: cpp - // - // ("destination_cluster", "") - // - // Once a request matches against a route table rule, a routed cluster is determined by one of - // the following :ref:`route table configuration ` - // settings: - // - // * :ref:`cluster ` indicates the upstream cluster - // to route to. - // * :ref:`weighted_clusters ` - // chooses a cluster randomly from a set of clusters with attributed weight. - // * :ref:`cluster_header ` indicates which - // header in the request contains the target cluster. - message DestinationCluster { - option (udpa.annotations.versioning).previous_message_type = - "envoy.config.route.v3.RateLimit.Action.DestinationCluster"; - } - - // The following descriptor entry is appended when a header contains a key that matches the - // *header_name*: - // - // .. code-block:: cpp - // - // ("", "") - message RequestHeaders { - option (udpa.annotations.versioning).previous_message_type = - "envoy.config.route.v3.RateLimit.Action.RequestHeaders"; - - // The header name to be queried from the request headers. The header’s - // value is used to populate the value of the descriptor entry for the - // descriptor_key. - string header_name = 1 - [(validate.rules).string = {min_len: 1 well_known_regex: HTTP_HEADER_NAME strict: false}]; - - // The key to use in the descriptor entry. - string descriptor_key = 2 [(validate.rules).string = {min_len: 1}]; - - // If set to true, Envoy skips the descriptor while calling rate limiting service - // when header is not present in the request. By default it skips calling the - // rate limiting service if this header is not present in the request. - bool skip_if_absent = 3; - } - - // The following descriptor entry is appended to the descriptor and is populated using the - // trusted address from :ref:`x-forwarded-for `: - // - // .. 
code-block:: cpp - // - // ("remote_address", "") - message RemoteAddress { - option (udpa.annotations.versioning).previous_message_type = - "envoy.config.route.v3.RateLimit.Action.RemoteAddress"; - } - - // The following descriptor entry is appended to the descriptor: - // - // .. code-block:: cpp - // - // ("generic_key", "") - message GenericKey { - option (udpa.annotations.versioning).previous_message_type = - "envoy.config.route.v3.RateLimit.Action.GenericKey"; - - // The value to use in the descriptor entry. - string descriptor_value = 1 [(validate.rules).string = {min_len: 1}]; - - // An optional key to use in the descriptor entry. If not set it defaults - // to 'generic_key' as the descriptor key. - string descriptor_key = 2; - } - - // The following descriptor entry is appended to the descriptor: - // - // .. code-block:: cpp - // - // ("header_match", "") - message HeaderValueMatch { - option (udpa.annotations.versioning).previous_message_type = - "envoy.config.route.v3.RateLimit.Action.HeaderValueMatch"; - - // The value to use in the descriptor entry. - string descriptor_value = 1 [(validate.rules).string = {min_len: 1}]; - - // If set to true, the action will append a descriptor entry when the - // request matches the headers. If set to false, the action will append a - // descriptor entry when the request does not match the headers. The - // default value is true. - google.protobuf.BoolValue expect_match = 2; - - // Specifies a set of headers that the rate limit action should match - // on. The action will check the request’s headers against all the - // specified headers in the config. A match will happen if all the - // headers in the config are present in the request with the same values - // (or based on presence if the value field is not in the config). 
- repeated HeaderMatcher headers = 3 [(validate.rules).repeated = {min_items: 1}]; - } - - // The following descriptor entry is appended when the - // :ref:`dynamic metadata ` contains a key value: - // - // .. code-block:: cpp - // - // ("", "") - // - // .. attention:: - // This action has been deprecated in favor of the :ref:`metadata ` action - message DynamicMetaData { - option (udpa.annotations.versioning).previous_message_type = - "envoy.config.route.v3.RateLimit.Action.DynamicMetaData"; - - // The key to use in the descriptor entry. - string descriptor_key = 1 [(validate.rules).string = {min_len: 1}]; - - // Metadata struct that defines the key and path to retrieve the string value. A match will - // only happen if the value in the dynamic metadata is of type string. - type.metadata.v3.MetadataKey metadata_key = 2 [(validate.rules).message = {required: true}]; - - // An optional value to use if *metadata_key* is empty. If not set and - // no value is present under the metadata_key then no descriptor is generated. - string default_value = 3; - } - - // The following descriptor entry is appended when the metadata contains a key value: - // - // .. code-block:: cpp - // - // ("", "") - message MetaData { - option (udpa.annotations.versioning).previous_message_type = - "envoy.config.route.v3.RateLimit.Action.MetaData"; - - enum Source { - // Query :ref:`dynamic metadata ` - DYNAMIC = 0; - - // Query :ref:`route entry metadata ` - ROUTE_ENTRY = 1; - } - - // The key to use in the descriptor entry. - string descriptor_key = 1 [(validate.rules).string = {min_len: 1}]; - - // Metadata struct that defines the key and path to retrieve the string value. A match will - // only happen if the value in the metadata is of type string. - type.metadata.v3.MetadataKey metadata_key = 2 [(validate.rules).message = {required: true}]; - - // An optional value to use if *metadata_key* is empty. 
If not set and - // no value is present under the metadata_key then no descriptor is generated. - string default_value = 3; - - // Source of metadata - Source source = 4 [(validate.rules).enum = {defined_only: true}]; - } - - oneof action_specifier { - option (validate.required) = true; - - // Rate limit on source cluster. - SourceCluster source_cluster = 1; - - // Rate limit on destination cluster. - DestinationCluster destination_cluster = 2; - - // Rate limit on request headers. - RequestHeaders request_headers = 3; - - // Rate limit on remote address. - RemoteAddress remote_address = 4; - - // Rate limit on a generic key. - GenericKey generic_key = 5; - - // Rate limit on the existence of request headers. - HeaderValueMatch header_value_match = 6; - - // Rate limit on dynamic metadata. - // - // .. attention:: - // This field has been deprecated in favor of the :ref:`metadata ` field - DynamicMetaData hidden_envoy_deprecated_dynamic_metadata = 7 [ - deprecated = true, - (envoy.annotations.deprecated_at_minor_version) = "3.0", - (envoy.annotations.disallowed_by_default) = true - ]; - - // Rate limit on metadata. - MetaData metadata = 8; - - // Rate limit descriptor extension. See the rate limit descriptor extensions documentation. - // [#extension-category: envoy.rate_limit_descriptors] - core.v4alpha.TypedExtensionConfig extension = 9; - } - } - - message Override { - option (udpa.annotations.versioning).previous_message_type = - "envoy.config.route.v3.RateLimit.Override"; - - // Fetches the override from the dynamic metadata. - message DynamicMetadata { - option (udpa.annotations.versioning).previous_message_type = - "envoy.config.route.v3.RateLimit.Override.DynamicMetadata"; - - // Metadata struct that defines the key and path to retrieve the struct value. 
- // The value must be a struct containing an integer "requests_per_unit" property - // and a "unit" property with a value parseable to :ref:`RateLimitUnit - // enum ` - type.metadata.v3.MetadataKey metadata_key = 1 [(validate.rules).message = {required: true}]; - } - - oneof override_specifier { - option (validate.required) = true; - - // Limit override from dynamic metadata. - DynamicMetadata dynamic_metadata = 1; - } - } - - // Refers to the stage set in the filter. The rate limit configuration only - // applies to filters with the same stage number. The default stage number is - // 0. - // - // .. note:: - // - // The filter supports a range of 0 - 10 inclusively for stage numbers. - google.protobuf.UInt32Value stage = 1 [(validate.rules).uint32 = {lte: 10}]; - - // The key to be set in runtime to disable this rate limit configuration. - string disable_key = 2; - - // A list of actions that are to be applied for this rate limit configuration. - // Order matters as the actions are processed sequentially and the descriptor - // is composed by appending descriptor entries in that sequence. If an action - // cannot append a descriptor entry, no descriptor is generated for the - // configuration. See :ref:`composing actions - // ` for additional documentation. - repeated Action actions = 3 [(validate.rules).repeated = {min_items: 1}]; - - // An optional limit override to be appended to the descriptor produced by this - // rate limit configuration. If the override value is invalid or cannot be resolved - // from metadata, no override is provided. See :ref:`rate limit override - // ` for more information. - Override limit = 4; -} - -// .. attention:: -// -// Internally, Envoy always uses the HTTP/2 *:authority* header to represent the HTTP/1 *Host* -// header. Thus, if attempting to match on *Host*, match on *:authority* instead. -// -// .. attention:: -// -// To route on HTTP method, use the special HTTP/2 *:method* header. 
This works for both -// HTTP/1 and HTTP/2 as Envoy normalizes headers. E.g., -// -// .. code-block:: json -// -// { -// "name": ":method", -// "exact_match": "POST" -// } -// -// .. attention:: -// In the absence of any header match specifier, match will default to :ref:`present_match -// `. i.e, a request that has the :ref:`name -// ` header will match, regardless of the header's -// value. -// -// [#next-major-version: HeaderMatcher should be refactored to use StringMatcher.] -// [#next-free-field: 14] -message HeaderMatcher { - option (udpa.annotations.versioning).previous_message_type = - "envoy.config.route.v3.HeaderMatcher"; - - reserved 2, 3, 5; - - reserved "regex_match"; - - // Specifies the name of the header in the request. - string name = 1 - [(validate.rules).string = {min_len: 1 well_known_regex: HTTP_HEADER_NAME strict: false}]; - - // Specifies how the header match will be performed to route the request. - oneof header_match_specifier { - // If specified, header match will be performed based on the value of the header. - // This field is deprecated. Please use :ref:`string_match `. - string hidden_envoy_deprecated_exact_match = 4 - [deprecated = true, (envoy.annotations.deprecated_at_minor_version) = "3.0"]; - - // If specified, this regex string is a regular expression rule which implies the entire request - // header value must match the regex. The rule will not match if only a subsequence of the - // request header value matches the regex. - // This field is deprecated. Please use :ref:`string_match `. - type.matcher.v4alpha.RegexMatcher hidden_envoy_deprecated_safe_regex_match = 11 - [deprecated = true, (envoy.annotations.deprecated_at_minor_version) = "3.0"]; - - // If specified, header match will be performed based on range. - // The rule will match if the request header value is within this range. 
- // The entire request header value must represent an integer in base 10 notation: consisting of - // an optional plus or minus sign followed by a sequence of digits. The rule will not match if - // the header value does not represent an integer. Match will fail for empty values, floating - // point numbers or if only a subsequence of the header value is an integer. - // - // Examples: - // - // * For range [-10,0), route will match for header value -1, but not for 0, "somestring", 10.9, - // "-1somestring" - type.v3.Int64Range range_match = 6; - - // If specified as true, header match will be performed based on whether the header is in the - // request. If specified as false, header match will be performed based on whether the header is absent. - bool present_match = 7; - - // If specified, header match will be performed based on the prefix of the header value. - // Note: empty prefix is not allowed, please use present_match instead. - // This field is deprecated. Please use :ref:`string_match `. - // - // Examples: - // - // * The prefix *abcd* matches the value *abcdxyz*, but not for *abcxyz*. - string hidden_envoy_deprecated_prefix_match = 9 [ - deprecated = true, - (validate.rules).string = {min_len: 1}, - (envoy.annotations.deprecated_at_minor_version) = "3.0" - ]; - - // If specified, header match will be performed based on the suffix of the header value. - // Note: empty suffix is not allowed, please use present_match instead. - // This field is deprecated. Please use :ref:`string_match `. - // - // Examples: - // - // * The suffix *abcd* matches the value *xyzabcd*, but not for *xyzbcd*. - string hidden_envoy_deprecated_suffix_match = 10 [ - deprecated = true, - (validate.rules).string = {min_len: 1}, - (envoy.annotations.deprecated_at_minor_version) = "3.0" - ]; - - // If specified, header match will be performed based on whether the header value contains - // the given value or not. 
- // Note: empty contains match is not allowed, please use present_match instead. - // This field is deprecated. Please use :ref:`string_match `. - // - // Examples: - // - // * The value *abcd* matches the value *xyzabcdpqr*, but not for *xyzbcdpqr*. - string hidden_envoy_deprecated_contains_match = 12 [ - deprecated = true, - (validate.rules).string = {min_len: 1}, - (envoy.annotations.deprecated_at_minor_version) = "3.0" - ]; - - // If specified, header match will be performed based on the string match of the header value. - type.matcher.v4alpha.StringMatcher string_match = 13; - } - - // If specified, the match result will be inverted before checking. Defaults to false. - // - // Examples: - // - // * The regex ``\d{3}`` does not match the value *1234*, so it will match when inverted. - // * The range [-10,0) will match the value -1, so it will not match when inverted. - bool invert_match = 8; -} - -// Query parameter matching treats the query string of a request's :path header -// as an ampersand-separated list of keys and/or key=value elements. -// [#next-free-field: 7] -message QueryParameterMatcher { - option (udpa.annotations.versioning).previous_message_type = - "envoy.config.route.v3.QueryParameterMatcher"; - - reserved 3, 4; - - reserved "value", "regex"; - - // Specifies the name of a key that must be present in the requested - // *path*'s query string. - string name = 1 [(validate.rules).string = {min_len: 1 max_bytes: 1024}]; - - oneof query_parameter_match_specifier { - // Specifies whether a query parameter value should match against a string. - type.matcher.v4alpha.StringMatcher string_match = 5 - [(validate.rules).message = {required: true}]; - - // Specifies whether a query parameter should be present. - bool present_match = 6; - } -} - -// HTTP Internal Redirect :ref:`architecture overview `. 
-message InternalRedirectPolicy { - option (udpa.annotations.versioning).previous_message_type = - "envoy.config.route.v3.InternalRedirectPolicy"; - - // An internal redirect is not handled, unless the number of previous internal redirects that a - // downstream request has encountered is lower than this value. - // In the case where a downstream request is bounced among multiple routes by internal redirect, - // the first route that hits this threshold, or does not set :ref:`internal_redirect_policy - // ` - // will pass the redirect back to downstream. - // - // If not specified, at most one redirect will be followed. - google.protobuf.UInt32Value max_internal_redirects = 1; - - // Defines what upstream response codes are allowed to trigger internal redirect. If unspecified, - // only 302 will be treated as internal redirect. - // Only 301, 302, 303, 307 and 308 are valid values. Any other codes will be ignored. - repeated uint32 redirect_response_codes = 2 [(validate.rules).repeated = {max_items: 5}]; - - // Specifies a list of predicates that are queried when an upstream response is deemed - // to trigger an internal redirect by all other criteria. Any predicate in the list can reject - // the redirect, causing the response to be proxied to downstream. - // [#extension-category: envoy.internal_redirect_predicates] - repeated core.v4alpha.TypedExtensionConfig predicates = 3; - - // Allow internal redirect to follow a target URI with a different scheme than the value of - // x-forwarded-proto. The default is false. - bool allow_cross_scheme_redirect = 4; -} - -// A simple wrapper for an HTTP filter config. This is intended to be used as a wrapper for the -// map value in -// :ref:`VirtualHost.typed_per_filter_config`, -// :ref:`Route.typed_per_filter_config`, -// or :ref:`WeightedCluster.ClusterWeight.typed_per_filter_config` -// to add additional flags to the filter. 
-// [#not-implemented-hide:] -message FilterConfig { - option (udpa.annotations.versioning).previous_message_type = "envoy.config.route.v3.FilterConfig"; - - // The filter config. - google.protobuf.Any config = 1; - - // If true, the filter is optional, meaning that if the client does - // not support the specified filter, it may ignore the map entry rather - // than rejecting the config. - bool is_optional = 2; -} diff --git a/generated_api_shadow/envoy/config/route/v4alpha/scoped_route.proto b/generated_api_shadow/envoy/config/route/v4alpha/scoped_route.proto deleted file mode 100644 index 4c640223f701..000000000000 --- a/generated_api_shadow/envoy/config/route/v4alpha/scoped_route.proto +++ /dev/null 
@@ -1,120 +0,0 @@ -syntax = "proto3"; - -package envoy.config.route.v4alpha; - -import "udpa/annotations/status.proto"; -import "udpa/annotations/versioning.proto"; -import "validate/validate.proto"; - -option java_package = "io.envoyproxy.envoy.config.route.v4alpha"; -option java_outer_classname = "ScopedRouteProto"; -option java_multiple_files = true; -option (udpa.annotations.file_status).package_version_status = NEXT_MAJOR_VERSION_CANDIDATE; - -// [#protodoc-title: HTTP scoped routing configuration] -// * Routing :ref:`architecture overview ` - -// Specifies a routing scope, which associates a -// :ref:`Key` to a -// :ref:`envoy_v3_api_msg_config.route.v3.RouteConfiguration` (identified by its resource name). -// -// The HTTP connection manager builds up a table consisting of these Key to -// RouteConfiguration mappings, and looks up the RouteConfiguration to use per -// request according to the algorithm specified in the -// :ref:`scope_key_builder` -// assigned to the HttpConnectionManager. -// -// For example, with the following configurations (in YAML): -// -// HttpConnectionManager config: -// -// .. code:: -// -// ... -// scoped_routes: -// name: foo-scoped-routes -// scope_key_builder: -// fragments: -// - header_value_extractor: -// name: X-Route-Selector -// element_separator: , -// element: -// separator: = -// key: vip -// -// ScopedRouteConfiguration resources (specified statically via -// :ref:`scoped_route_configurations_list` -// or obtained dynamically via SRDS): -// -// .. code:: -// -// (1) -// name: route-scope1 -// route_configuration_name: route-config1 -// key: -// fragments: -// - string_key: 172.10.10.20 -// -// (2) -// name: route-scope2 -// route_configuration_name: route-config2 -// key: -// fragments: -// - string_key: 172.20.20.30 -// -// A request from a client such as: -// -// .. 
code:: -// -// GET / HTTP/1.1 -// Host: foo.com -// X-Route-Selector: vip=172.10.10.20 -// -// would result in the routing table defined by the `route-config1` -// RouteConfiguration being assigned to the HTTP request/stream. -// -message ScopedRouteConfiguration { - option (udpa.annotations.versioning).previous_message_type = - "envoy.config.route.v3.ScopedRouteConfiguration"; - - // Specifies a key which is matched against the output of the - // :ref:`scope_key_builder` - // specified in the HttpConnectionManager. The matching is done per HTTP - // request and is dependent on the order of the fragments contained in the - // Key. - message Key { - option (udpa.annotations.versioning).previous_message_type = - "envoy.config.route.v3.ScopedRouteConfiguration.Key"; - - message Fragment { - option (udpa.annotations.versioning).previous_message_type = - "envoy.config.route.v3.ScopedRouteConfiguration.Key.Fragment"; - - oneof type { - option (validate.required) = true; - - // A string to match against. - string string_key = 1; - } - } - - // The ordered set of fragments to match against. The order must match the - // fragments in the corresponding - // :ref:`scope_key_builder`. - repeated Fragment fragments = 1 [(validate.rules).repeated = {min_items: 1}]; - } - - // Whether the RouteConfiguration should be loaded on demand. - bool on_demand = 4; - - // The name assigned to the routing scope. - string name = 1 [(validate.rules).string = {min_len: 1}]; - - // The resource name to use for a :ref:`envoy_v3_api_msg_service.discovery.v3.DiscoveryRequest` to an - // RDS server to fetch the :ref:`envoy_v3_api_msg_config.route.v3.RouteConfiguration` associated - // with this scope. - string route_configuration_name = 2 [(validate.rules).string = {min_len: 1}]; - - // The key to match against. - Key key = 3 [(validate.rules).message = {required: true}]; -} 
diff --git a/generated_api_shadow/envoy/config/tap/v4alpha/BUILD b/generated_api_shadow/envoy/config/tap/v4alpha/BUILD deleted file mode 100644 index 95c7990fbc47..000000000000 --- a/generated_api_shadow/envoy/config/tap/v4alpha/BUILD +++ /dev/null @@ -1,16 +0,0 @@ -# DO NOT EDIT. This file is generated by tools/proto_format/proto_sync.py. - -load("@envoy_api//bazel:api_build_system.bzl", "api_proto_package") - -licenses(["notice"]) # Apache 2 - -api_proto_package( - deps = [ - "//envoy/annotations:pkg", - "//envoy/config/common/matcher/v4alpha:pkg", - "//envoy/config/core/v4alpha:pkg", - "//envoy/config/route/v4alpha:pkg", - "//envoy/config/tap/v3:pkg", - "@com_github_cncf_udpa//udpa/annotations:pkg", - ], -) diff --git a/generated_api_shadow/envoy/config/tap/v4alpha/common.proto b/generated_api_shadow/envoy/config/tap/v4alpha/common.proto deleted file mode 100644 index f436c7947d6e..000000000000 --- a/generated_api_shadow/envoy/config/tap/v4alpha/common.proto +++ /dev/null 
@@ -1,281 +0,0 @@ -syntax = "proto3"; - -package envoy.config.tap.v4alpha; - -import "envoy/config/common/matcher/v4alpha/matcher.proto"; -import "envoy/config/core/v4alpha/base.proto"; -import "envoy/config/core/v4alpha/grpc_service.proto"; -import "envoy/config/route/v4alpha/route_components.proto"; - -import "google/protobuf/wrappers.proto"; - -import "envoy/annotations/deprecation.proto"; -import "udpa/annotations/status.proto"; -import "udpa/annotations/versioning.proto"; -import "validate/validate.proto"; - -option java_package = "io.envoyproxy.envoy.config.tap.v4alpha"; -option java_outer_classname = "CommonProto"; -option java_multiple_files = true; -option (udpa.annotations.file_status).package_version_status = NEXT_MAJOR_VERSION_CANDIDATE; - -// [#protodoc-title: Common tap configuration] - -// Tap configuration. -message TapConfig { - // [#comment:TODO(mattklein123): Rate limiting] - - option (udpa.annotations.versioning).previous_message_type = "envoy.config.tap.v3.TapConfig"; - - // The match configuration. If the configuration matches the data source being tapped, a tap will - // occur, with the result written to the configured output. - // Exactly one of :ref:`match ` and - // :ref:`match_config ` must be set. If both - // are set, the :ref:`match ` will be used. - MatchPredicate hidden_envoy_deprecated_match_config = 1 - [deprecated = true, (envoy.annotations.deprecated_at_minor_version) = "3.0"]; - - // The match configuration. If the configuration matches the data source being tapped, a tap will - // occur, with the result written to the configured output. - // Exactly one of :ref:`match ` and - // :ref:`match_config ` must be set. If both - // are set, the :ref:`match ` will be used. - common.matcher.v4alpha.MatchPredicate match = 4; - - // The tap output configuration. If a match configuration matches a data source being tapped, - // a tap will occur and the data will be written to the configured output. 
- OutputConfig output_config = 2 [(validate.rules).message = {required: true}]; - - // [#not-implemented-hide:] Specify if Tap matching is enabled. The % of requests\connections for - // which the tap matching is enabled. When not enabled, the request\connection will not be - // recorded. - // - // .. note:: - // - // This field defaults to 100/:ref:`HUNDRED - // `. - core.v4alpha.RuntimeFractionalPercent tap_enabled = 3; -} - -// Tap match configuration. This is a recursive structure which allows complex nested match -// configurations to be built using various logical operators. -// [#next-free-field: 11] -message MatchPredicate { - option (udpa.annotations.versioning).previous_message_type = "envoy.config.tap.v3.MatchPredicate"; - - // A set of match configurations used for logical operations. - message MatchSet { - option (udpa.annotations.versioning).previous_message_type = - "envoy.config.tap.v3.MatchPredicate.MatchSet"; - - // The list of rules that make up the set. - repeated MatchPredicate rules = 1 [(validate.rules).repeated = {min_items: 2}]; - } - - oneof rule { - option (validate.required) = true; - - // A set that describes a logical OR. If any member of the set matches, the match configuration - // matches. - MatchSet or_match = 1; - - // A set that describes a logical AND. If all members of the set match, the match configuration - // matches. - MatchSet and_match = 2; - - // A negation match. The match configuration will match if the negated match condition matches. - MatchPredicate not_match = 3; - - // The match configuration will always match. - bool any_match = 4 [(validate.rules).bool = {const: true}]; - - // HTTP request headers match configuration. - HttpHeadersMatch http_request_headers_match = 5; - - // HTTP request trailers match configuration. - HttpHeadersMatch http_request_trailers_match = 6; - - // HTTP response headers match configuration. 
- HttpHeadersMatch http_response_headers_match = 7; - - // HTTP response trailers match configuration. - HttpHeadersMatch http_response_trailers_match = 8; - - // HTTP request generic body match configuration. - HttpGenericBodyMatch http_request_generic_body_match = 9; - - // HTTP response generic body match configuration. - HttpGenericBodyMatch http_response_generic_body_match = 10; - } -} - -// HTTP headers match configuration. -message HttpHeadersMatch { - option (udpa.annotations.versioning).previous_message_type = - "envoy.config.tap.v3.HttpHeadersMatch"; - - // HTTP headers to match. - repeated route.v4alpha.HeaderMatcher headers = 1; -} - -// HTTP generic body match configuration. -// List of text strings and hex strings to be located in HTTP body. -// All specified strings must be found in the HTTP body for positive match. -// The search may be limited to specified number of bytes from the body start. -// -// .. attention:: -// -// Searching for patterns in HTTP body is potentially cpu intensive. For each specified pattern, http body is scanned byte by byte to find a match. -// If multiple patterns are specified, the process is repeated for each pattern. If location of a pattern is known, ``bytes_limit`` should be specified -// to scan only part of the http body. -message HttpGenericBodyMatch { - option (udpa.annotations.versioning).previous_message_type = - "envoy.config.tap.v3.HttpGenericBodyMatch"; - - message GenericTextMatch { - option (udpa.annotations.versioning).previous_message_type = - "envoy.config.tap.v3.HttpGenericBodyMatch.GenericTextMatch"; - - oneof rule { - option (validate.required) = true; - - // Text string to be located in HTTP body. - string string_match = 1 [(validate.rules).string = {min_len: 1}]; - - // Sequence of bytes to be located in HTTP body. - bytes binary_match = 2 [(validate.rules).bytes = {min_len: 1}]; - } - } - - // Limits search to specified number of bytes - default zero (no limit - match entire captured buffer). 
- uint32 bytes_limit = 1; - - // List of patterns to match. - repeated GenericTextMatch patterns = 2 [(validate.rules).repeated = {min_items: 1}]; -} - -// Tap output configuration. -message OutputConfig { - option (udpa.annotations.versioning).previous_message_type = "envoy.config.tap.v3.OutputConfig"; - - // Output sinks for tap data. Currently a single sink is allowed in the list. Once multiple - // sink types are supported this constraint will be relaxed. - repeated OutputSink sinks = 1 [(validate.rules).repeated = {min_items: 1 max_items: 1}]; - - // For buffered tapping, the maximum amount of received body that will be buffered prior to - // truncation. If truncation occurs, the :ref:`truncated - // ` field will be set. If not specified, the - // default is 1KiB. - google.protobuf.UInt32Value max_buffered_rx_bytes = 2; - - // For buffered tapping, the maximum amount of transmitted body that will be buffered prior to - // truncation. If truncation occurs, the :ref:`truncated - // ` field will be set. If not specified, the - // default is 1KiB. - google.protobuf.UInt32Value max_buffered_tx_bytes = 3; - - // Indicates whether taps produce a single buffered message per tap, or multiple streamed - // messages per tap in the emitted :ref:`TraceWrapper - // ` messages. Note that streamed tapping does not - // mean that no buffering takes place. Buffering may be required if data is processed before a - // match can be determined. See the HTTP tap filter :ref:`streaming - // ` documentation for more information. - bool streaming = 4; -} - -// Tap output sink configuration. -message OutputSink { - option (udpa.annotations.versioning).previous_message_type = "envoy.config.tap.v3.OutputSink"; - - // Output format. All output is in the form of one or more :ref:`TraceWrapper - // ` messages. This enumeration indicates - // how those messages are written. Note that not all sinks support all output formats. See - // individual sink documentation for more information. 
- enum Format { - // Each message will be written as JSON. Any :ref:`body ` - // data will be present in the :ref:`as_bytes - // ` field. This means that body data will be - // base64 encoded as per the `proto3 JSON mappings - // `_. - JSON_BODY_AS_BYTES = 0; - - // Each message will be written as JSON. Any :ref:`body ` - // data will be present in the :ref:`as_string - // ` field. This means that body data will be - // string encoded as per the `proto3 JSON mappings - // `_. This format type is - // useful when it is known that that body is human readable (e.g., JSON over HTTP) and the - // user wishes to view it directly without being forced to base64 decode the body. - JSON_BODY_AS_STRING = 1; - - // Binary proto format. Note that binary proto is not self-delimiting. If a sink writes - // multiple binary messages without any length information the data stream will not be - // useful. However, for certain sinks that are self-delimiting (e.g., one message per file) - // this output format makes consumption simpler. - PROTO_BINARY = 2; - - // Messages are written as a sequence tuples, where each tuple is the message length encoded - // as a `protobuf 32-bit varint - // `_ - // followed by the binary message. The messages can be read back using the language specific - // protobuf coded stream implementation to obtain the message length and the message. - PROTO_BINARY_LENGTH_DELIMITED = 3; - - // Text proto format. - PROTO_TEXT = 4; - } - - // Sink output format. - Format format = 1 [(validate.rules).enum = {defined_only: true}]; - - oneof output_sink_type { - option (validate.required) = true; - - // Tap output will be streamed out the :http:post:`/tap` admin endpoint. - // - // .. attention:: - // - // It is only allowed to specify the streaming admin output sink if the tap is being - // configured from the :http:post:`/tap` admin endpoint. 
Thus, if an extension has - // been configured to receive tap configuration from some other source (e.g., static - // file, XDS, etc.) configuring the streaming admin output type will fail. - StreamingAdminSink streaming_admin = 2; - - // Tap output will be written to a file per tap sink. - FilePerTapSink file_per_tap = 3; - - // [#not-implemented-hide:] - // GrpcService to stream data to. The format argument must be PROTO_BINARY. - // [#comment: TODO(samflattery): remove cleanup in uber_per_filter.cc once implemented] - StreamingGrpcSink streaming_grpc = 4; - } -} - -// Streaming admin sink configuration. -message StreamingAdminSink { - option (udpa.annotations.versioning).previous_message_type = - "envoy.config.tap.v3.StreamingAdminSink"; -} - -// The file per tap sink outputs a discrete file for every tapped stream. -message FilePerTapSink { - option (udpa.annotations.versioning).previous_message_type = "envoy.config.tap.v3.FilePerTapSink"; - - // Path prefix. The output file will be of the form _.pb, where is an - // identifier distinguishing the recorded trace for stream instances (the Envoy - // connection ID, HTTP stream ID, etc.). - string path_prefix = 1 [(validate.rules).string = {min_len: 1}]; -} - -// [#not-implemented-hide:] Streaming gRPC sink configuration sends the taps to an external gRPC -// server. -message StreamingGrpcSink { - option (udpa.annotations.versioning).previous_message_type = - "envoy.config.tap.v3.StreamingGrpcSink"; - - // Opaque identifier, that will be sent back to the streaming grpc server. - string tap_id = 1; - - // The gRPC server that hosts the Tap Sink Service. - core.v4alpha.GrpcService grpc_service = 2 [(validate.rules).message = {required: true}]; -} diff --git a/generated_api_shadow/envoy/config/trace/v4alpha/BUILD b/generated_api_shadow/envoy/config/trace/v4alpha/BUILD deleted file mode 100644 index 1d56979cc466..000000000000 --- a/generated_api_shadow/envoy/config/trace/v4alpha/BUILD +++ /dev/null 
@@ -1,13 +0,0 @@ -# DO NOT EDIT. This file is generated by tools/proto_format/proto_sync.py. - -load("@envoy_api//bazel:api_build_system.bzl", "api_proto_package") - -licenses(["notice"]) # Apache 2 - -api_proto_package( - deps = [ - "//envoy/config/core/v4alpha:pkg", - "//envoy/config/trace/v3:pkg", - "@com_github_cncf_udpa//udpa/annotations:pkg", - ], -) diff --git a/generated_api_shadow/envoy/config/trace/v4alpha/http_tracer.proto b/generated_api_shadow/envoy/config/trace/v4alpha/http_tracer.proto deleted file mode 100644 index 33c8e73d56b9..000000000000 --- a/generated_api_shadow/envoy/config/trace/v4alpha/http_tracer.proto +++ /dev/null 
@@ -1,59 +0,0 @@ -syntax = "proto3"; - -package envoy.config.trace.v4alpha; - -import "google/protobuf/any.proto"; - -import "udpa/annotations/status.proto"; -import "udpa/annotations/versioning.proto"; -import "validate/validate.proto"; - -option java_package = "io.envoyproxy.envoy.config.trace.v4alpha"; -option java_outer_classname = "HttpTracerProto"; -option java_multiple_files = true; -option (udpa.annotations.file_status).package_version_status = NEXT_MAJOR_VERSION_CANDIDATE; - -// [#protodoc-title: Tracing] -// Tracing :ref:`architecture overview `. - -// The tracing configuration specifies settings for an HTTP tracer provider used by Envoy. -// -// Envoy may support other tracers in the future, but right now the HTTP tracer is the only one -// supported. -// -// .. attention:: -// -// Use of this message type has been deprecated in favor of direct use of -// :ref:`Tracing.Http `. -message Tracing { - option (udpa.annotations.versioning).previous_message_type = "envoy.config.trace.v3.Tracing"; - - // Configuration for an HTTP tracer provider used by Envoy. - // - // The configuration is defined by the - // :ref:`HttpConnectionManager.Tracing ` - // :ref:`provider ` - // field. - message Http { - option (udpa.annotations.versioning).previous_message_type = - "envoy.config.trace.v3.Tracing.Http"; - - reserved 2; - - reserved "config"; - - // The name of the HTTP trace driver to instantiate. The name must match a - // supported HTTP trace driver. - // See the :ref:`extensions listed in typed_config below ` for the default list of the HTTP trace driver. - string name = 1 [(validate.rules).string = {min_len: 1}]; - - // Trace driver specific configuration which must be set according to the driver being instantiated. - // [#extension-category: envoy.tracers] - oneof config_type { - google.protobuf.Any typed_config = 3; - } - } - - // Provides configuration for the HTTP tracer. - Http http = 1; -} 
diff --git a/generated_api_shadow/envoy/config/trace/v4alpha/service.proto b/generated_api_shadow/envoy/config/trace/v4alpha/service.proto deleted file mode 100644 index d132b32dd79d..000000000000 --- a/generated_api_shadow/envoy/config/trace/v4alpha/service.proto +++ /dev/null @@ -1,25 +0,0 @@ -syntax = "proto3"; - -package envoy.config.trace.v4alpha; - -import "envoy/config/core/v4alpha/grpc_service.proto"; - -import "udpa/annotations/status.proto"; -import "udpa/annotations/versioning.proto"; -import "validate/validate.proto"; - -option java_package = "io.envoyproxy.envoy.config.trace.v4alpha"; -option java_outer_classname = "ServiceProto"; -option java_multiple_files = true; -option (udpa.annotations.file_status).package_version_status = NEXT_MAJOR_VERSION_CANDIDATE; - -// [#protodoc-title: Trace Service] - -// Configuration structure. -message TraceServiceConfig { - option (udpa.annotations.versioning).previous_message_type = - "envoy.config.trace.v3.TraceServiceConfig"; - - // The upstream gRPC cluster that hosts the metrics service. - core.v4alpha.GrpcService grpc_service = 1 [(validate.rules).message = {required: true}]; -} diff --git a/generated_api_shadow/envoy/data/dns/v4alpha/BUILD b/generated_api_shadow/envoy/data/dns/v4alpha/BUILD deleted file mode 100644 index d26c09b3bed0..000000000000 --- a/generated_api_shadow/envoy/data/dns/v4alpha/BUILD +++ /dev/null @@ -1,14 +0,0 @@ -# DO NOT EDIT. This file is generated by tools/proto_format/proto_sync.py. - -load("@envoy_api//bazel:api_build_system.bzl", "api_proto_package") - -licenses(["notice"]) # Apache 2 - -api_proto_package( - deps = [ - "//envoy/annotations:pkg", - "//envoy/data/dns/v3:pkg", - "//envoy/type/matcher/v4alpha:pkg", - "@com_github_cncf_udpa//udpa/annotations:pkg", - ], -) diff --git a/generated_api_shadow/envoy/data/dns/v4alpha/dns_table.proto b/generated_api_shadow/envoy/data/dns/v4alpha/dns_table.proto deleted file mode 100644 index ed596b2cee79..000000000000 
--- a/generated_api_shadow/envoy/data/dns/v4alpha/dns_table.proto +++ /dev/null 
@@ -1,168 +0,0 @@ -syntax = "proto3"; - -package envoy.data.dns.v4alpha; - -import "envoy/type/matcher/v4alpha/string.proto"; - -import "google/protobuf/duration.proto"; - -import "envoy/annotations/deprecation.proto"; -import "udpa/annotations/status.proto"; -import "udpa/annotations/versioning.proto"; -import "validate/validate.proto"; - -option java_package = "io.envoyproxy.envoy.data.dns.v4alpha"; -option java_outer_classname = "DnsTableProto"; -option java_multiple_files = true; -option (udpa.annotations.file_status).package_version_status = NEXT_MAJOR_VERSION_CANDIDATE; - -// [#protodoc-title: DNS Filter Table Data] -// :ref:`DNS Filter config overview `. - -// This message contains the configuration for the DNS Filter if populated -// from the control plane -message DnsTable { - option (udpa.annotations.versioning).previous_message_type = "envoy.data.dns.v3.DnsTable"; - - // This message contains a list of IP addresses returned for a query for a known name - message AddressList { - option (udpa.annotations.versioning).previous_message_type = - "envoy.data.dns.v3.DnsTable.AddressList"; - - // This field contains a well formed IP address that is returned in the answer for a - // name query. The address field can be an IPv4 or IPv6 address. Address family - // detection is done automatically when Envoy parses the string. Since this field is - // repeated, Envoy will return as many entries from this list in the DNS response while - // keeping the response under 512 bytes - repeated string address = 1 [(validate.rules).repeated = { - min_items: 1 - items {string {min_len: 3}} - }]; - } - - // Specify the service protocol using a numeric or string value - message DnsServiceProtocol { - option (udpa.annotations.versioning).previous_message_type = - "envoy.data.dns.v3.DnsTable.DnsServiceProtocol"; - - oneof protocol_config { - option (validate.required) = true; - - // Specify the protocol number for the service. 
Envoy will try to resolve the number to - // the protocol name. For example, 6 will resolve to "tcp". Refer to: - // https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml - // for protocol names and numbers - uint32 number = 1 [(validate.rules).uint32 = {lt: 255}]; - - // Specify the protocol name for the service. - string name = 2 [(validate.rules).string = {min_len: 1 well_known_regex: HTTP_HEADER_NAME}]; - } - } - - // Specify the target for a given DNS service - // [#next-free-field: 6] - message DnsServiceTarget { - option (udpa.annotations.versioning).previous_message_type = - "envoy.data.dns.v3.DnsTable.DnsServiceTarget"; - - // Specify the name of the endpoint for the Service. The name is a hostname or a cluster - oneof endpoint_type { - option (validate.required) = true; - - // Use a resolvable hostname as the endpoint for a service. - string host_name = 1 - [(validate.rules).string = {min_len: 1 well_known_regex: HTTP_HEADER_NAME}]; - - // Use a cluster name as the endpoint for a service. - string cluster_name = 2 - [(validate.rules).string = {min_len: 1 well_known_regex: HTTP_HEADER_NAME}]; - } - - // The priority of the service record target - uint32 priority = 3 [(validate.rules).uint32 = {lt: 65536}]; - - // The weight of the service record target - uint32 weight = 4 [(validate.rules).uint32 = {lt: 65536}]; - - // The port to which the service is bound. This value is optional if the target is a - // cluster. 
Setting port to zero in this case makes the filter use the port value - // from the cluster host - uint32 port = 5 [(validate.rules).uint32 = {lt: 65536}]; - } - - // This message defines a service selection record returned for a service query in a domain - message DnsService { - option (udpa.annotations.versioning).previous_message_type = - "envoy.data.dns.v3.DnsTable.DnsService"; - - // The name of the service without the protocol or domain name - string service_name = 1 - [(validate.rules).string = {min_len: 1 well_known_regex: HTTP_HEADER_NAME}]; - - // The service protocol. This can be specified as a string or the numeric value of the protocol - DnsServiceProtocol protocol = 2; - - // The service entry time to live. This is independent from the DNS Answer record TTL - google.protobuf.Duration ttl = 3 [(validate.rules).duration = {gte {seconds: 1}}]; - - // The list of targets hosting the service - repeated DnsServiceTarget targets = 4 [(validate.rules).repeated = {min_items: 1}]; - } - - // Define a list of service records for a given service - message DnsServiceList { - option (udpa.annotations.versioning).previous_message_type = - "envoy.data.dns.v3.DnsTable.DnsServiceList"; - - repeated DnsService services = 1 [(validate.rules).repeated = {min_items: 1}]; - } - - message DnsEndpoint { - option (udpa.annotations.versioning).previous_message_type = - "envoy.data.dns.v3.DnsTable.DnsEndpoint"; - - oneof endpoint_config { - option (validate.required) = true; - - // Define a list of addresses to return for the specified endpoint - AddressList address_list = 1; - - // Define a cluster whose addresses are returned for the specified endpoint - string cluster_name = 2; - - // Define a DNS Service List for the specified endpoint - DnsServiceList service_list = 3; - } - } - - message DnsVirtualDomain { - option (udpa.annotations.versioning).previous_message_type = - "envoy.data.dns.v3.DnsTable.DnsVirtualDomain"; - - // A domain name for which Envoy will respond to 
query requests - string name = 1 [(validate.rules).string = {min_len: 1 well_known_regex: HTTP_HEADER_NAME}]; - - // The configuration containing the method to determine the address of this endpoint - DnsEndpoint endpoint = 2; - - // Sets the TTL in DNS answers from Envoy returned to the client. The default TTL is 300s - google.protobuf.Duration answer_ttl = 3 [(validate.rules).duration = {gte {seconds: 30}}]; - } - - // Control how many times Envoy makes an attempt to forward a query to an external DNS server - uint32 external_retry_count = 1 [(validate.rules).uint32 = {lte: 3}]; - - // Fully qualified domain names for which Envoy will respond to DNS queries. By leaving this - // list empty, Envoy will forward all queries to external resolvers - repeated DnsVirtualDomain virtual_domains = 2; - - // This field is deprecated and no longer used in Envoy. The filter's behavior has changed - // internally to use a different data structure allowing the filter to determine whether a - // query is for known domain without the use of this field. - // - // This field serves to help Envoy determine whether it can authoritatively answer a query - // for a name matching a suffix in this list. If the query name does not match a suffix in - // this list, Envoy will forward the query to an upstream DNS server - repeated type.matcher.v4alpha.StringMatcher hidden_envoy_deprecated_known_suffixes = 3 - [deprecated = true, (envoy.annotations.deprecated_at_minor_version) = "3.0"]; -} diff --git a/generated_api_shadow/envoy/extensions/access_loggers/file/v4alpha/BUILD b/generated_api_shadow/envoy/extensions/access_loggers/file/v4alpha/BUILD deleted file mode 100644 index 7d52fd1c2b1c..000000000000 --- a/generated_api_shadow/envoy/extensions/access_loggers/file/v4alpha/BUILD +++ /dev/null 
@@ -1,14 +0,0 @@ -# DO NOT EDIT. This file is generated by tools/proto_format/proto_sync.py. - -load("@envoy_api//bazel:api_build_system.bzl", "api_proto_package") - -licenses(["notice"]) # Apache 2 - -api_proto_package( - deps = [ - "//envoy/annotations:pkg", - "//envoy/config/core/v4alpha:pkg", - "//envoy/extensions/access_loggers/file/v3:pkg", - "@com_github_cncf_udpa//udpa/annotations:pkg", - ], -) diff --git a/generated_api_shadow/envoy/extensions/access_loggers/file/v4alpha/file.proto b/generated_api_shadow/envoy/extensions/access_loggers/file/v4alpha/file.proto deleted file mode 100644 index 62afb2040fda..000000000000 --- a/generated_api_shadow/envoy/extensions/access_loggers/file/v4alpha/file.proto +++ /dev/null 
@@ -1,63 +0,0 @@ -syntax = "proto3"; - -package envoy.extensions.access_loggers.file.v4alpha; - -import "envoy/config/core/v4alpha/substitution_format_string.proto"; - -import "google/protobuf/struct.proto"; - -import "envoy/annotations/deprecation.proto"; -import "udpa/annotations/status.proto"; -import "udpa/annotations/versioning.proto"; -import "validate/validate.proto"; - -option java_package = "io.envoyproxy.envoy.extensions.access_loggers.file.v4alpha"; -option java_outer_classname = "FileProto"; -option java_multiple_files = true; -option (udpa.annotations.file_status).package_version_status = NEXT_MAJOR_VERSION_CANDIDATE; - -// [#protodoc-title: File access log] -// [#extension: envoy.access_loggers.file] - -// Custom configuration for an :ref:`AccessLog ` -// that writes log entries directly to a file. Configures the built-in *envoy.access_loggers.file* -// AccessLog. -// [#next-free-field: 6] -message FileAccessLog { - option (udpa.annotations.versioning).previous_message_type = - "envoy.extensions.access_loggers.file.v3.FileAccessLog"; - - // A path to a local file to which to write the access log entries. - string path = 1 [(validate.rules).string = {min_len: 1}]; - - oneof access_log_format { - // Access log :ref:`format string`. - // Envoy supports :ref:`custom access log formats ` as well as a - // :ref:`default format `. - // This field is deprecated. - // Please use :ref:`log_format `. - string hidden_envoy_deprecated_format = 2 - [deprecated = true, (envoy.annotations.deprecated_at_minor_version) = "3.0"]; - - // Access log :ref:`format dictionary`. All values - // are rendered as strings. - // This field is deprecated. - // Please use :ref:`log_format `. - google.protobuf.Struct hidden_envoy_deprecated_json_format = 3 - [deprecated = true, (envoy.annotations.deprecated_at_minor_version) = "3.0"]; - - // Access log :ref:`format dictionary`. Values are - // rendered as strings, numbers, or boolean values as appropriate. 
Nested JSON objects may - // be produced by some command operators (e.g.FILTER_STATE or DYNAMIC_METADATA). See the - // documentation for a specific command operator for details. - // This field is deprecated. - // Please use :ref:`log_format `. - google.protobuf.Struct hidden_envoy_deprecated_typed_json_format = 4 - [deprecated = true, (envoy.annotations.deprecated_at_minor_version) = "3.0"]; - - // Configuration to form access log data and format. - // If not specified, use :ref:`default format `. - config.core.v4alpha.SubstitutionFormatString log_format = 5 - [(validate.rules).message = {required: true}]; - } -} diff --git a/generated_api_shadow/envoy/extensions/access_loggers/grpc/v4alpha/BUILD b/generated_api_shadow/envoy/extensions/access_loggers/grpc/v4alpha/BUILD deleted file mode 100644 index 83758c9e0b82..000000000000 --- a/generated_api_shadow/envoy/extensions/access_loggers/grpc/v4alpha/BUILD +++ /dev/null @@ -1,13 +0,0 @@ -# DO NOT EDIT. This file is generated by tools/proto_format/proto_sync.py. - -load("@envoy_api//bazel:api_build_system.bzl", "api_proto_package") - -licenses(["notice"]) # Apache 2 - -api_proto_package( - deps = [ - "//envoy/config/core/v4alpha:pkg", - "//envoy/extensions/access_loggers/grpc/v3:pkg", - "@com_github_cncf_udpa//udpa/annotations:pkg", - ], -) diff --git a/generated_api_shadow/envoy/extensions/access_loggers/grpc/v4alpha/als.proto b/generated_api_shadow/envoy/extensions/access_loggers/grpc/v4alpha/als.proto deleted file mode 100644 index 9e6fb1e48386..000000000000 --- a/generated_api_shadow/envoy/extensions/access_loggers/grpc/v4alpha/als.proto +++ /dev/null 
@@ -1,89 +0,0 @@ -syntax = "proto3"; - -package envoy.extensions.access_loggers.grpc.v4alpha; - -import "envoy/config/core/v4alpha/config_source.proto"; -import "envoy/config/core/v4alpha/grpc_service.proto"; - -import "google/protobuf/duration.proto"; -import "google/protobuf/wrappers.proto"; - -import "udpa/annotations/status.proto"; -import "udpa/annotations/versioning.proto"; -import "validate/validate.proto"; - -option java_package = "io.envoyproxy.envoy.extensions.access_loggers.grpc.v4alpha"; -option java_outer_classname = "AlsProto"; -option java_multiple_files = true; -option (udpa.annotations.file_status).package_version_status = NEXT_MAJOR_VERSION_CANDIDATE; - -// [#protodoc-title: gRPC Access Log Service (ALS)] - -// Configuration for the built-in *envoy.access_loggers.http_grpc* -// :ref:`AccessLog `. This configuration will -// populate :ref:`StreamAccessLogsMessage.http_logs -// `. -// [#extension: envoy.access_loggers.http_grpc] -message HttpGrpcAccessLogConfig { - option (udpa.annotations.versioning).previous_message_type = - "envoy.extensions.access_loggers.grpc.v3.HttpGrpcAccessLogConfig"; - - CommonGrpcAccessLogConfig common_config = 1 [(validate.rules).message = {required: true}]; - - // Additional request headers to log in :ref:`HTTPRequestProperties.request_headers - // `. - repeated string additional_request_headers_to_log = 2; - - // Additional response headers to log in :ref:`HTTPResponseProperties.response_headers - // `. - repeated string additional_response_headers_to_log = 3; - - // Additional response trailers to log in :ref:`HTTPResponseProperties.response_trailers - // `. - repeated string additional_response_trailers_to_log = 4; -} - -// Configuration for the built-in *envoy.access_loggers.tcp_grpc* type. This configuration will -// populate *StreamAccessLogsMessage.tcp_logs*. 
-// [#extension: envoy.access_loggers.tcp_grpc] -message TcpGrpcAccessLogConfig { - option (udpa.annotations.versioning).previous_message_type = - "envoy.extensions.access_loggers.grpc.v3.TcpGrpcAccessLogConfig"; - - CommonGrpcAccessLogConfig common_config = 1 [(validate.rules).message = {required: true}]; -} - -// Common configuration for gRPC access logs. -// [#next-free-field: 7] -message CommonGrpcAccessLogConfig { - option (udpa.annotations.versioning).previous_message_type = - "envoy.extensions.access_loggers.grpc.v3.CommonGrpcAccessLogConfig"; - - // The friendly name of the access log to be returned in :ref:`StreamAccessLogsMessage.Identifier - // `. This allows the - // access log server to differentiate between different access logs coming from the same Envoy. - string log_name = 1 [(validate.rules).string = {min_len: 1}]; - - // The gRPC service for the access log service. - config.core.v4alpha.GrpcService grpc_service = 2 [(validate.rules).message = {required: true}]; - - // API version for access logs service transport protocol. This describes the access logs service - // gRPC endpoint and version of messages used on the wire. - config.core.v4alpha.ApiVersion transport_api_version = 6 - [(validate.rules).enum = {defined_only: true}]; - - // Interval for flushing access logs to the gRPC stream. Logger will flush requests every time - // this interval is elapsed, or when batch size limit is hit, whichever comes first. Defaults to - // 1 second. - google.protobuf.Duration buffer_flush_interval = 3 [(validate.rules).duration = {gt {}}]; - - // Soft size limit in bytes for access log entries buffer. Logger will buffer requests until - // this limit it hit, or every time flush interval is elapsed, whichever comes first. Setting it - // to zero effectively disables the batching. Defaults to 16384. - google.protobuf.UInt32Value buffer_size_bytes = 4; - - // Additional filter state objects to log in :ref:`filter_state_objects - // `. 
- // Logger will call `FilterState::Object::serializeAsProto` to serialize the filter state object. - repeated string filter_state_objects_to_log = 5; -} diff --git a/generated_api_shadow/envoy/extensions/access_loggers/open_telemetry/v4alpha/BUILD b/generated_api_shadow/envoy/extensions/access_loggers/open_telemetry/v4alpha/BUILD deleted file mode 100644 index 2c81e3b0b05c..000000000000 --- a/generated_api_shadow/envoy/extensions/access_loggers/open_telemetry/v4alpha/BUILD +++ /dev/null @@ -1,14 +0,0 @@ -# DO NOT EDIT. This file is generated by tools/proto_format/proto_sync.py. - -load("@envoy_api//bazel:api_build_system.bzl", "api_proto_package") - -licenses(["notice"]) # Apache 2 - -api_proto_package( - deps = [ - "//envoy/extensions/access_loggers/grpc/v4alpha:pkg", - "//envoy/extensions/access_loggers/open_telemetry/v3alpha:pkg", - "@com_github_cncf_udpa//udpa/annotations:pkg", - "@opentelemetry_proto//:common", - ], -) diff --git a/generated_api_shadow/envoy/extensions/access_loggers/open_telemetry/v4alpha/logs_service.proto b/generated_api_shadow/envoy/extensions/access_loggers/open_telemetry/v4alpha/logs_service.proto deleted file mode 100644 index ceecd924e19d..000000000000 --- a/generated_api_shadow/envoy/extensions/access_loggers/open_telemetry/v4alpha/logs_service.proto +++ /dev/null 
@@ -1,47 +0,0 @@ -syntax = "proto3"; - -package envoy.extensions.access_loggers.open_telemetry.v4alpha; - -import "envoy/extensions/access_loggers/grpc/v4alpha/als.proto"; - -import "opentelemetry/proto/common/v1/common.proto"; - -import "udpa/annotations/status.proto"; -import "udpa/annotations/versioning.proto"; -import "validate/validate.proto"; - -option java_package = "io.envoyproxy.envoy.extensions.access_loggers.open_telemetry.v4alpha"; -option java_outer_classname = "LogsServiceProto"; -option java_multiple_files = true; -option (udpa.annotations.file_status).work_in_progress = true; -option (udpa.annotations.file_status).package_version_status = NEXT_MAJOR_VERSION_CANDIDATE; - -// [#protodoc-title: OpenTelemetry (gRPC) Access Log] - -// Configuration for the built-in *envoy.access_loggers.open_telemetry* -// :ref:`AccessLog `. This configuration will -// populate `opentelemetry.proto.collector.v1.logs.ExportLogsServiceRequest.resource_logs `_. -// OpenTelemetry `Resource `_ -// attributes are filled with Envoy node info. In addition, the request start time is set in the -// dedicated field. -// [#extension: envoy.access_loggers.open_telemetry] -// [#comment:TODO(itamarkam): allow configuration for resource attributes.] -message OpenTelemetryAccessLogConfig { - option (udpa.annotations.versioning).previous_message_type = - "envoy.extensions.access_loggers.open_telemetry.v3alpha.OpenTelemetryAccessLogConfig"; - - // [#comment:TODO(itamarkam): add 'filter_state_objects_to_log' to logs.] - grpc.v4alpha.CommonGrpcAccessLogConfig common_config = 1 - [(validate.rules).message = {required: true}]; - - // OpenTelemetry `LogResource `_ - // fields, following `Envoy access logging formatting `_. - // - // See 'body' in the LogResource proto for more details. - // Example: ``body { string_value: "%PROTOCOL%" }``. - opentelemetry.proto.common.v1.AnyValue body = 2; - - // See 'attributes' in the LogResource proto for more details. 
- // Example: ``attributes { values { key: "user_agent" value { string_value: "%REQ(USER-AGENT)%" } } }``. - opentelemetry.proto.common.v1.KeyValueList attributes = 3; -} diff --git a/generated_api_shadow/envoy/extensions/access_loggers/stream/v4alpha/BUILD b/generated_api_shadow/envoy/extensions/access_loggers/stream/v4alpha/BUILD deleted file mode 100644 index 33240debccd1..000000000000 --- a/generated_api_shadow/envoy/extensions/access_loggers/stream/v4alpha/BUILD +++ /dev/null @@ -1,13 +0,0 @@ -# DO NOT EDIT. This file is generated by tools/proto_format/proto_sync.py. - -load("@envoy_api//bazel:api_build_system.bzl", "api_proto_package") - -licenses(["notice"]) # Apache 2 - -api_proto_package( - deps = [ - "//envoy/config/core/v4alpha:pkg", - "//envoy/extensions/access_loggers/stream/v3:pkg", - "@com_github_cncf_udpa//udpa/annotations:pkg", - ], -) diff --git a/generated_api_shadow/envoy/extensions/access_loggers/stream/v4alpha/stream.proto b/generated_api_shadow/envoy/extensions/access_loggers/stream/v4alpha/stream.proto deleted file mode 100644 index 5be54ad4721d..000000000000 --- a/generated_api_shadow/envoy/extensions/access_loggers/stream/v4alpha/stream.proto +++ /dev/null 
@@ -1,45 +0,0 @@ -syntax = "proto3"; - -package envoy.extensions.access_loggers.stream.v4alpha; - -import "envoy/config/core/v4alpha/substitution_format_string.proto"; - -import "udpa/annotations/status.proto"; -import "udpa/annotations/versioning.proto"; -import "validate/validate.proto"; - -option java_package = "io.envoyproxy.envoy.extensions.access_loggers.stream.v4alpha"; -option java_outer_classname = "StreamProto"; -option java_multiple_files = true; -option (udpa.annotations.file_status).package_version_status = NEXT_MAJOR_VERSION_CANDIDATE; - -// [#protodoc-title: Standard Streams Access loggers] -// [#extension: envoy.access_loggers.stream] - -// Custom configuration for an :ref:`AccessLog ` -// that writes log entries directly to the operating system's standard output. -message StdoutAccessLog { - option (udpa.annotations.versioning).previous_message_type = - "envoy.extensions.access_loggers.stream.v3.StdoutAccessLog"; - - oneof access_log_format { - // Configuration to form access log data and format. - // If not specified, use :ref:`default format `. - config.core.v4alpha.SubstitutionFormatString log_format = 1 - [(validate.rules).message = {required: true}]; - } -} - -// Custom configuration for an :ref:`AccessLog ` -// that writes log entries directly to the operating system's standard error. -message StderrAccessLog { - option (udpa.annotations.versioning).previous_message_type = - "envoy.extensions.access_loggers.stream.v3.StderrAccessLog"; - - oneof access_log_format { - // Configuration to form access log data and format. - // If not specified, use :ref:`default format `. - config.core.v4alpha.SubstitutionFormatString log_format = 1 - [(validate.rules).message = {required: true}]; - } -} diff --git a/generated_api_shadow/envoy/extensions/clusters/dynamic_forward_proxy/v4alpha/BUILD b/generated_api_shadow/envoy/extensions/clusters/dynamic_forward_proxy/v4alpha/BUILD deleted file mode 100644 index ca83092e39b1..000000000000 
--- a/generated_api_shadow/envoy/extensions/clusters/dynamic_forward_proxy/v4alpha/BUILD +++ /dev/null @@ -1,13 +0,0 @@ -# DO NOT EDIT. This file is generated by tools/proto_format/proto_sync.py. - -load("@envoy_api//bazel:api_build_system.bzl", "api_proto_package") - -licenses(["notice"]) # Apache 2 - -api_proto_package( - deps = [ - "//envoy/extensions/clusters/dynamic_forward_proxy/v3:pkg", - "//envoy/extensions/common/dynamic_forward_proxy/v4alpha:pkg", - "@com_github_cncf_udpa//udpa/annotations:pkg", - ], -) diff --git a/generated_api_shadow/envoy/extensions/clusters/dynamic_forward_proxy/v4alpha/cluster.proto b/generated_api_shadow/envoy/extensions/clusters/dynamic_forward_proxy/v4alpha/cluster.proto deleted file mode 100644 index 1b989e0bb725..000000000000 --- a/generated_api_shadow/envoy/extensions/clusters/dynamic_forward_proxy/v4alpha/cluster.proto +++ /dev/null 
@@ -1,35 +0,0 @@ -syntax = "proto3"; - -package envoy.extensions.clusters.dynamic_forward_proxy.v4alpha; - -import "envoy/extensions/common/dynamic_forward_proxy/v4alpha/dns_cache.proto"; - -import "udpa/annotations/status.proto"; -import "udpa/annotations/versioning.proto"; -import "validate/validate.proto"; - -option java_package = "io.envoyproxy.envoy.extensions.clusters.dynamic_forward_proxy.v4alpha"; -option java_outer_classname = "ClusterProto"; -option java_multiple_files = true; -option (udpa.annotations.file_status).package_version_status = NEXT_MAJOR_VERSION_CANDIDATE; - -// [#protodoc-title: Dynamic forward proxy cluster configuration] - -// Configuration for the dynamic forward proxy cluster. See the :ref:`architecture overview -// ` for more information. -// [#extension: envoy.clusters.dynamic_forward_proxy] -message ClusterConfig { - option (udpa.annotations.versioning).previous_message_type = - "envoy.extensions.clusters.dynamic_forward_proxy.v3.ClusterConfig"; - - // The DNS cache configuration that the cluster will attach to. Note this configuration must - // match that of associated :ref:`dynamic forward proxy HTTP filter configuration - // `. - common.dynamic_forward_proxy.v4alpha.DnsCacheConfig dns_cache_config = 1 - [(validate.rules).message = {required: true}]; - - // If true allow the cluster configuration to disable the auto_sni and auto_san_validation options - // in the :ref:`cluster's upstream_http_protocol_options - // ` - bool allow_insecure_cluster_options = 2; -} diff --git a/generated_api_shadow/envoy/extensions/common/dynamic_forward_proxy/v4alpha/BUILD b/generated_api_shadow/envoy/extensions/common/dynamic_forward_proxy/v4alpha/BUILD deleted file mode 100644 index 1269a85e6137..000000000000 --- a/generated_api_shadow/envoy/extensions/common/dynamic_forward_proxy/v4alpha/BUILD +++ /dev/null 
@@ -1,16 +0,0 @@ -# DO NOT EDIT. This file is generated by tools/proto_format/proto_sync.py. - -load("@envoy_api//bazel:api_build_system.bzl", "api_proto_package") - -licenses(["notice"]) # Apache 2 - -api_proto_package( - deps = [ - "//envoy/annotations:pkg", - "//envoy/config/cluster/v4alpha:pkg", - "//envoy/config/core/v4alpha:pkg", - "//envoy/extensions/common/dynamic_forward_proxy/v3:pkg", - "//envoy/extensions/common/key_value/v3:pkg", - "@com_github_cncf_udpa//udpa/annotations:pkg", - ], -) diff --git a/generated_api_shadow/envoy/extensions/common/dynamic_forward_proxy/v4alpha/dns_cache.proto b/generated_api_shadow/envoy/extensions/common/dynamic_forward_proxy/v4alpha/dns_cache.proto deleted file mode 100644 index be58083d7a05..000000000000 --- a/generated_api_shadow/envoy/extensions/common/dynamic_forward_proxy/v4alpha/dns_cache.proto +++ /dev/null 
@@ -1,149 +0,0 @@ -syntax = "proto3"; - -package envoy.extensions.common.dynamic_forward_proxy.v4alpha; - -import "envoy/config/cluster/v4alpha/cluster.proto"; -import "envoy/config/core/v4alpha/address.proto"; -import "envoy/config/core/v4alpha/extension.proto"; -import "envoy/config/core/v4alpha/resolver.proto"; -import "envoy/extensions/common/key_value/v3/config.proto"; - -import "google/protobuf/duration.proto"; -import "google/protobuf/wrappers.proto"; - -import "envoy/annotations/deprecation.proto"; -import "udpa/annotations/status.proto"; -import "udpa/annotations/versioning.proto"; -import "validate/validate.proto"; - -option java_package = "io.envoyproxy.envoy.extensions.common.dynamic_forward_proxy.v4alpha"; -option java_outer_classname = "DnsCacheProto"; -option java_multiple_files = true; -option (udpa.annotations.file_status).package_version_status = NEXT_MAJOR_VERSION_CANDIDATE; - -// [#protodoc-title: Dynamic forward proxy common configuration] - -// Configuration of circuit breakers for resolver. -message DnsCacheCircuitBreakers { - option (udpa.annotations.versioning).previous_message_type = - "envoy.extensions.common.dynamic_forward_proxy.v3.DnsCacheCircuitBreakers"; - - // The maximum number of pending requests that Envoy will allow to the - // resolver. If not specified, the default is 1024. - google.protobuf.UInt32Value max_pending_requests = 1; -} - -// Configuration for the dynamic forward proxy DNS cache. See the :ref:`architecture overview -// ` for more information. -// [#next-free-field: 14] -message DnsCacheConfig { - option (udpa.annotations.versioning).previous_message_type = - "envoy.extensions.common.dynamic_forward_proxy.v3.DnsCacheConfig"; - - // The name of the cache. Multiple named caches allow independent dynamic forward proxy - // configurations to operate within a single Envoy process using different configurations. 
All - // configurations with the same name *must* otherwise have the same settings when referenced - // from different configuration components. Configuration will fail to load if this is not - // the case. - string name = 1 [(validate.rules).string = {min_len: 1}]; - - // The DNS lookup family to use during resolution. - // - // [#comment:TODO(mattklein123): Figure out how to support IPv4/IPv6 "happy eyeballs" mode. The - // way this might work is a new lookup family which returns both IPv4 and IPv6 addresses, and - // then configures a host to have a primary and fall back address. With this, we could very - // likely build a "happy eyeballs" connection pool which would race the primary / fall back - // address and return the one that wins. This same method could potentially also be used for - // QUIC to TCP fall back.] - config.cluster.v4alpha.Cluster.DnsLookupFamily dns_lookup_family = 2 - [(validate.rules).enum = {defined_only: true}]; - - // The DNS refresh rate for currently cached DNS hosts. If not specified defaults to 60s. - // - // .. note: - // - // The returned DNS TTL is not currently used to alter the refresh rate. This feature will be - // added in a future change. - // - // .. note: - // - // The refresh rate is rounded to the closest millisecond, and must be at least 1ms. - google.protobuf.Duration dns_refresh_rate = 3 - [(validate.rules).duration = {gte {nanos: 1000000}}]; - - // The TTL for hosts that are unused. Hosts that have not been used in the configured time - // interval will be purged. If not specified defaults to 5m. - // - // .. note: - // - // The TTL is only checked at the time of DNS refresh, as specified by *dns_refresh_rate*. This - // means that if the configured TTL is shorter than the refresh rate the host may not be removed - // immediately. - // - // .. note: - // - // The TTL has no relation to DNS TTL and is only used to control Envoy's resource usage. 
- google.protobuf.Duration host_ttl = 4 [(validate.rules).duration = {gt {}}]; - - // The maximum number of hosts that the cache will hold. If not specified defaults to 1024. - // - // .. note: - // - // The implementation is approximate and enforced independently on each worker thread, thus - // it is possible for the maximum hosts in the cache to go slightly above the configured - // value depending on timing. This is similar to how other circuit breakers work. - google.protobuf.UInt32Value max_hosts = 5 [(validate.rules).uint32 = {gt: 0}]; - - // If the DNS failure refresh rate is specified, - // this is used as the cache's DNS refresh rate when DNS requests are failing. If this setting is - // not specified, the failure refresh rate defaults to the dns_refresh_rate. - config.cluster.v4alpha.Cluster.RefreshRate dns_failure_refresh_rate = 6; - - // The config of circuit breakers for resolver. It provides a configurable threshold. - // Envoy will use dns cache circuit breakers with default settings even if this value is not set. - DnsCacheCircuitBreakers dns_cache_circuit_breaker = 7; - - // Always use TCP queries instead of UDP queries for DNS lookups. - // Setting this value causes failure if the - // ``envoy.restart_features.use_apple_api_for_dns_lookups`` runtime value is true during - // server startup. Apple' API only uses UDP for DNS resolution. - // This field is deprecated in favor of *dns_resolution_config* - // which aggregates all of the DNS resolver configuration in a single message. - bool hidden_envoy_deprecated_use_tcp_for_dns_lookups = 8 - [deprecated = true, (envoy.annotations.deprecated_at_minor_version) = "3.0"]; - - // DNS resolution configuration which includes the underlying dns resolver addresses and options. - // *dns_resolution_config* will be deprecated once - // :ref:'typed_dns_resolver_config ' - // is fully supported. - config.core.v4alpha.DnsResolutionConfig dns_resolution_config = 9; - - // DNS resolver type configuration extension. 
This extension can be used to configure c-ares, apple, - // or any other DNS resolver types and the related parameters. - // For example, an object of :ref:`DnsResolutionConfig ` - // can be packed into this *typed_dns_resolver_config*. This configuration will replace the - // :ref:'dns_resolution_config ' - // configuration eventually. - // TODO(yanjunxiang): Investigate the deprecation plan for *dns_resolution_config*. - // During the transition period when both *dns_resolution_config* and *typed_dns_resolver_config* exists, - // this configuration is optional. - // When *typed_dns_resolver_config* is in place, Envoy will use it and ignore *dns_resolution_config*. - // When *typed_dns_resolver_config* is missing, the default behavior is in place. - // [#not-implemented-hide:] - config.core.v4alpha.TypedExtensionConfig typed_dns_resolver_config = 12; - - // Hostnames that should be preresolved into the cache upon creation. This might provide a - // performance improvement, in the form of cache hits, for hostnames that are going to be - // resolved during steady state and are known at config load time. - repeated config.core.v4alpha.SocketAddress preresolve_hostnames = 10; - - // The timeout used for DNS queries. This timeout is independent of any timeout and retry policy - // used by the underlying DNS implementation (e.g., c-areas and Apple DNS) which are opaque. - // Setting this timeout will ensure that queries succeed or fail within the specified time frame - // and are then retried using the standard refresh rates. Defaults to 5s if not set. - google.protobuf.Duration dns_query_timeout = 11 [(validate.rules).duration = {gt {}}]; - - // [#not-implemented-hide:] - // Configuration to flush the DNS cache to long term storage. - key_value.v3.KeyValueStoreConfig key_value_config = 13; -} 
diff --git a/generated_api_shadow/envoy/extensions/common/matching/v4alpha/BUILD b/generated_api_shadow/envoy/extensions/common/matching/v4alpha/BUILD deleted file mode 100644 index 5337b3622aa7..000000000000 --- a/generated_api_shadow/envoy/extensions/common/matching/v4alpha/BUILD +++ /dev/null @@ -1,16 +0,0 @@ -# DO NOT EDIT. This file is generated by tools/proto_format/proto_sync.py. - -load("@envoy_api//bazel:api_build_system.bzl", "api_proto_package") - -licenses(["notice"]) # Apache 2 - -api_proto_package( - deps = [ - "//envoy/annotations:pkg", - "//envoy/config/common/matcher/v4alpha:pkg", - "//envoy/config/core/v4alpha:pkg", - "//envoy/extensions/common/matching/v3:pkg", - "@com_github_cncf_udpa//udpa/annotations:pkg", - "@com_github_cncf_udpa//xds/type/matcher/v3:pkg", - ], -) diff --git a/generated_api_shadow/envoy/extensions/common/matching/v4alpha/extension_matcher.proto b/generated_api_shadow/envoy/extensions/common/matching/v4alpha/extension_matcher.proto deleted file mode 100644 index 2fdfab931775..000000000000 --- a/generated_api_shadow/envoy/extensions/common/matching/v4alpha/extension_matcher.proto +++ /dev/null 
@@ -1,41 +0,0 @@ -syntax = "proto3"; - -package envoy.extensions.common.matching.v4alpha; - -import "envoy/config/common/matcher/v4alpha/matcher.proto"; -import "envoy/config/core/v4alpha/extension.proto"; - -import "xds/type/matcher/v3/matcher.proto"; - -import "envoy/annotations/deprecation.proto"; -import "udpa/annotations/status.proto"; -import "udpa/annotations/versioning.proto"; -import "validate/validate.proto"; - -option java_package = "io.envoyproxy.envoy.extensions.common.matching.v4alpha"; -option java_outer_classname = "ExtensionMatcherProto"; -option java_multiple_files = true; -option (udpa.annotations.file_status).package_version_status = NEXT_MAJOR_VERSION_CANDIDATE; - -// [#protodoc-title: Extension Matcher] - -// Wrapper around an existing extension that provides an associated matcher. This allows -// decorating an existing extension with a matcher, which can be used to match against -// relevant protocol data. -// -// [#alpha:] -message ExtensionWithMatcher { - option (udpa.annotations.versioning).previous_message_type = - "envoy.extensions.common.matching.v3.ExtensionWithMatcher"; - - // The associated matcher. This is deprecated in favor of xds_matcher. - config.common.matcher.v4alpha.Matcher hidden_envoy_deprecated_matcher = 1 - [deprecated = true, (envoy.annotations.deprecated_at_minor_version) = "3.0"]; - - // The associated matcher. - xds.type.matcher.v3.Matcher xds_matcher = 3; - - // The underlying extension config. - config.core.v4alpha.TypedExtensionConfig extension_config = 2 - [(validate.rules).message = {required: true}]; -} diff --git a/generated_api_shadow/envoy/extensions/common/tap/v4alpha/BUILD b/generated_api_shadow/envoy/extensions/common/tap/v4alpha/BUILD deleted file mode 100644 index 4f2cbe751624..000000000000 --- a/generated_api_shadow/envoy/extensions/common/tap/v4alpha/BUILD +++ /dev/null 
@@ -1,13 +0,0 @@ -# DO NOT EDIT. This file is generated by tools/proto_format/proto_sync.py. - -load("@envoy_api//bazel:api_build_system.bzl", "api_proto_package") - -licenses(["notice"]) # Apache 2 - -api_proto_package( - deps = [ - "//envoy/config/tap/v4alpha:pkg", - "//envoy/extensions/common/tap/v3:pkg", - "@com_github_cncf_udpa//udpa/annotations:pkg", - ], -) diff --git a/generated_api_shadow/envoy/extensions/common/tap/v4alpha/common.proto b/generated_api_shadow/envoy/extensions/common/tap/v4alpha/common.proto deleted file mode 100644 index d04e033f490b..000000000000 --- a/generated_api_shadow/envoy/extensions/common/tap/v4alpha/common.proto +++ /dev/null 
@@ -1,44 +0,0 @@ -syntax = "proto3"; - -package envoy.extensions.common.tap.v4alpha; - -import "envoy/config/tap/v4alpha/common.proto"; - -import "udpa/annotations/status.proto"; -import "udpa/annotations/versioning.proto"; -import "validate/validate.proto"; - -option java_package = "io.envoyproxy.envoy.extensions.common.tap.v4alpha"; -option java_outer_classname = "CommonProto"; -option java_multiple_files = true; -option (udpa.annotations.file_status).package_version_status = NEXT_MAJOR_VERSION_CANDIDATE; - -// [#protodoc-title: Common tap extension configuration] - -// Common configuration for all tap extensions. -message CommonExtensionConfig { - option (udpa.annotations.versioning).previous_message_type = - "envoy.extensions.common.tap.v3.CommonExtensionConfig"; - - oneof config_type { - option (validate.required) = true; - - // If specified, the tap filter will be configured via an admin handler. - AdminConfig admin_config = 1; - - // If specified, the tap filter will be configured via a static configuration that cannot be - // changed. - config.tap.v4alpha.TapConfig static_config = 2; - } -} - -// Configuration for the admin handler. See :ref:`here ` for -// more information. -message AdminConfig { - option (udpa.annotations.versioning).previous_message_type = - "envoy.extensions.common.tap.v3.AdminConfig"; - - // Opaque configuration ID. When requests are made to the admin handler, the passed opaque ID is - // matched to the configured filter opaque ID to determine which filter to configure. - string config_id = 1 [(validate.rules).string = {min_len: 1}]; -} diff --git a/generated_api_shadow/envoy/extensions/filters/http/cache/v4alpha/BUILD b/generated_api_shadow/envoy/extensions/filters/http/cache/v4alpha/BUILD deleted file mode 100644 index 583ecda68091..000000000000 --- a/generated_api_shadow/envoy/extensions/filters/http/cache/v4alpha/BUILD +++ /dev/null 
@@ -1,14 +0,0 @@ -# DO NOT EDIT. This file is generated by tools/proto_format/proto_sync.py. - -load("@envoy_api//bazel:api_build_system.bzl", "api_proto_package") - -licenses(["notice"]) # Apache 2 - -api_proto_package( - deps = [ - "//envoy/config/route/v4alpha:pkg", - "//envoy/extensions/filters/http/cache/v3alpha:pkg", - "//envoy/type/matcher/v4alpha:pkg", - "@com_github_cncf_udpa//udpa/annotations:pkg", - ], -) diff --git a/generated_api_shadow/envoy/extensions/filters/http/cache/v4alpha/cache.proto b/generated_api_shadow/envoy/extensions/filters/http/cache/v4alpha/cache.proto deleted file mode 100644 index 5297a3d15ef8..000000000000 --- a/generated_api_shadow/envoy/extensions/filters/http/cache/v4alpha/cache.proto +++ /dev/null 
@@ -1,82 +0,0 @@ -syntax = "proto3"; - -package envoy.extensions.filters.http.cache.v4alpha; - -import "envoy/config/route/v4alpha/route_components.proto"; -import "envoy/type/matcher/v4alpha/string.proto"; - -import "google/protobuf/any.proto"; - -import "udpa/annotations/status.proto"; -import "udpa/annotations/versioning.proto"; -import "validate/validate.proto"; - -option java_package = "io.envoyproxy.envoy.extensions.filters.http.cache.v4alpha"; -option java_outer_classname = "CacheProto"; -option java_multiple_files = true; -option (udpa.annotations.file_status).work_in_progress = true; -option (udpa.annotations.file_status).package_version_status = NEXT_MAJOR_VERSION_CANDIDATE; - -// [#protodoc-title: HTTP Cache Filter] - -// [#extension: envoy.filters.http.cache] -message CacheConfig { - option (udpa.annotations.versioning).previous_message_type = - "envoy.extensions.filters.http.cache.v3alpha.CacheConfig"; - - // [#not-implemented-hide:] - // Modifies cache key creation by restricting which parts of the URL are included. - message KeyCreatorParams { - option (udpa.annotations.versioning).previous_message_type = - "envoy.extensions.filters.http.cache.v3alpha.CacheConfig.KeyCreatorParams"; - - // If true, exclude the URL scheme from the cache key. Set to true if your origins always - // produce the same response for http and https requests. - bool exclude_scheme = 1; - - // If true, exclude the host from the cache key. Set to true if your origins' responses don't - // ever depend on host. - bool exclude_host = 2; - - // If *query_parameters_included* is nonempty, only query parameters matched - // by one or more of its matchers are included in the cache key. Any other - // query params will not affect cache lookup. 
- repeated config.route.v4alpha.QueryParameterMatcher query_parameters_included = 3; - - // If *query_parameters_excluded* is nonempty, query parameters matched by one - // or more of its matchers are excluded from the cache key (even if also - // matched by *query_parameters_included*), and will not affect cache lookup. - repeated config.route.v4alpha.QueryParameterMatcher query_parameters_excluded = 4; - } - - // Config specific to the cache storage implementation. - // [#extension-category: envoy.filters.http.cache] - google.protobuf.Any typed_config = 1 [(validate.rules).any = {required: true}]; - - // List of matching rules that defines allowed *Vary* headers. - // - // The *vary* response header holds a list of header names that affect the - // contents of a response, as described by - // https://httpwg.org/specs/rfc7234.html#caching.negotiated.responses. - // - // During insertion, *allowed_vary_headers* acts as a allowlist: if a - // response's *vary* header mentions any header names that aren't matched by any rules in - // *allowed_vary_headers*, that response will not be cached. - // - // During lookup, *allowed_vary_headers* controls what request headers will be - // sent to the cache storage implementation. - repeated type.matcher.v4alpha.StringMatcher allowed_vary_headers = 2; - - // [#not-implemented-hide:] - // - // - // Modifies cache key creation by restricting which parts of the URL are included. - KeyCreatorParams key_creator_params = 3; - - // [#not-implemented-hide:] - // - // - // Max body size the cache filter will insert into a cache. 0 means unlimited (though the cache - // storage implementation may have its own limit beyond which it will reject insertions). - uint32 max_body_bytes = 4; -} diff --git a/generated_api_shadow/envoy/extensions/filters/http/compressor/v4alpha/BUILD b/generated_api_shadow/envoy/extensions/filters/http/compressor/v4alpha/BUILD deleted file mode 100644 index b8bf9faed35f..000000000000 
--- a/generated_api_shadow/envoy/extensions/filters/http/compressor/v4alpha/BUILD +++ /dev/null @@ -1,14 +0,0 @@ -# DO NOT EDIT. This file is generated by tools/proto_format/proto_sync.py. - -load("@envoy_api//bazel:api_build_system.bzl", "api_proto_package") - -licenses(["notice"]) # Apache 2 - -api_proto_package( - deps = [ - "//envoy/annotations:pkg", - "//envoy/config/core/v4alpha:pkg", - "//envoy/extensions/filters/http/compressor/v3:pkg", - "@com_github_cncf_udpa//udpa/annotations:pkg", - ], -) diff --git a/generated_api_shadow/envoy/extensions/filters/http/compressor/v4alpha/compressor.proto b/generated_api_shadow/envoy/extensions/filters/http/compressor/v4alpha/compressor.proto deleted file mode 100644 index b7757531c024..000000000000 --- a/generated_api_shadow/envoy/extensions/filters/http/compressor/v4alpha/compressor.proto +++ /dev/null 
@@ -1,134 +0,0 @@ -syntax = "proto3"; - -package envoy.extensions.filters.http.compressor.v4alpha; - -import "envoy/config/core/v4alpha/base.proto"; -import "envoy/config/core/v4alpha/extension.proto"; - -import "google/protobuf/wrappers.proto"; - -import "envoy/annotations/deprecation.proto"; -import "udpa/annotations/status.proto"; -import "udpa/annotations/versioning.proto"; -import "validate/validate.proto"; - -option java_package = "io.envoyproxy.envoy.extensions.filters.http.compressor.v4alpha"; -option java_outer_classname = "CompressorProto"; -option java_multiple_files = true; -option (udpa.annotations.file_status).package_version_status = NEXT_MAJOR_VERSION_CANDIDATE; - -// [#protodoc-title: Compressor] -// Compressor :ref:`configuration overview `. -// [#extension: envoy.filters.http.compressor] - -// [#next-free-field: 9] -message Compressor { - option (udpa.annotations.versioning).previous_message_type = - "envoy.extensions.filters.http.compressor.v3.Compressor"; - - message CommonDirectionConfig { - option (udpa.annotations.versioning).previous_message_type = - "envoy.extensions.filters.http.compressor.v3.Compressor.CommonDirectionConfig"; - - // Runtime flag that controls whether compression is enabled or not for the direction this - // common config is put in. If set to false, the filter will operate as a pass-through filter - // in the chosen direction. If the field is omitted, the filter will be enabled. - config.core.v4alpha.RuntimeFeatureFlag enabled = 1; - - // Minimum value of Content-Length header of request or response messages (depending on the direction - // this common config is put in), in bytes, which will trigger compression. The default value is 30. - google.protobuf.UInt32Value min_content_length = 2; - - // Set of strings that allows specifying which mime-types yield compression; e.g., - // application/json, text/html, etc. 
When this field is not defined, compression will be applied - // to the following mime-types: "application/javascript", "application/json", - // "application/xhtml+xml", "image/svg+xml", "text/css", "text/html", "text/plain", "text/xml" - // and their synonyms. - repeated string content_type = 3; - } - - // Configuration for filter behavior on the request direction. - message RequestDirectionConfig { - option (udpa.annotations.versioning).previous_message_type = - "envoy.extensions.filters.http.compressor.v3.Compressor.RequestDirectionConfig"; - - CommonDirectionConfig common_config = 1; - } - - // Configuration for filter behavior on the response direction. - message ResponseDirectionConfig { - option (udpa.annotations.versioning).previous_message_type = - "envoy.extensions.filters.http.compressor.v3.Compressor.ResponseDirectionConfig"; - - CommonDirectionConfig common_config = 1; - - // If true, disables compression when the response contains an etag header. When it is false, the - // filter will preserve weak etags and remove the ones that require strong validation. - bool disable_on_etag_header = 2; - - // If true, removes accept-encoding from the request headers before dispatching it to the upstream - // so that responses do not get compressed before reaching the filter. - // - // .. attention:: - // - // To avoid interfering with other compression filters in the same chain use this option in - // the filter closest to the upstream. - bool remove_accept_encoding_header = 3; - } - - // Minimum response length, in bytes, which will trigger compression. The default value is 30. - google.protobuf.UInt32Value hidden_envoy_deprecated_content_length = 1 - [deprecated = true, (envoy.annotations.deprecated_at_minor_version) = "3.0"]; - - // Set of strings that allows specifying which mime-types yield compression; e.g., - // application/json, text/html, etc. 
When this field is not defined, compression will be applied - // to the following mime-types: "application/javascript", "application/json", - // "application/xhtml+xml", "image/svg+xml", "text/css", "text/html", "text/plain", "text/xml" - // and their synonyms. - repeated string hidden_envoy_deprecated_content_type = 2 - [deprecated = true, (envoy.annotations.deprecated_at_minor_version) = "3.0"]; - - // If true, disables compression when the response contains an etag header. When it is false, the - // filter will preserve weak etags and remove the ones that require strong validation. - bool hidden_envoy_deprecated_disable_on_etag_header = 3 - [deprecated = true, (envoy.annotations.deprecated_at_minor_version) = "3.0"]; - - // If true, removes accept-encoding from the request headers before dispatching it to the upstream - // so that responses do not get compressed before reaching the filter. - // - // .. attention:: - // - // To avoid interfering with other compression filters in the same chain use this option in - // the filter closest to the upstream. - bool hidden_envoy_deprecated_remove_accept_encoding_header = 4 - [deprecated = true, (envoy.annotations.deprecated_at_minor_version) = "3.0"]; - - // Runtime flag that controls whether the filter is enabled or not. If set to false, the - // filter will operate as a pass-through filter. If not specified, defaults to enabled. - config.core.v4alpha.RuntimeFeatureFlag hidden_envoy_deprecated_runtime_enabled = 5 - [deprecated = true, (envoy.annotations.deprecated_at_minor_version) = "3.0"]; - - // A compressor library to use for compression. Currently only - // :ref:`envoy.compression.gzip.compressor` - // is included in Envoy. - // [#extension-category: envoy.compression.compressor] - config.core.v4alpha.TypedExtensionConfig compressor_library = 6 - [(validate.rules).message = {required: true}]; - - // Configuration for request compression. Compression is disabled by default if left empty. 
- RequestDirectionConfig request_direction_config = 7; - - // Configuration for response compression. Compression is enabled by default if left empty. - // - // .. attention:: - // - // If the field is not empty then the duplicate deprecated fields of the `Compressor` message, - // such as `content_length`, `content_type`, `disable_on_etag_header`, - // `remove_accept_encoding_header` and `runtime_enabled`, are ignored. - // - // Also all the statistics related to response compression will be rooted in - // `.compressor...response.*` - // instead of - // `.compressor...*`. - ResponseDirectionConfig response_direction_config = 8; -} diff --git a/generated_api_shadow/envoy/extensions/filters/http/csrf/v4alpha/BUILD b/generated_api_shadow/envoy/extensions/filters/http/csrf/v4alpha/BUILD deleted file mode 100644 index d12fc7262cac..000000000000 --- a/generated_api_shadow/envoy/extensions/filters/http/csrf/v4alpha/BUILD +++ /dev/null @@ -1,14 +0,0 @@ -# DO NOT EDIT. This file is generated by tools/proto_format/proto_sync.py. - -load("@envoy_api//bazel:api_build_system.bzl", "api_proto_package") - -licenses(["notice"]) # Apache 2 - -api_proto_package( - deps = [ - "//envoy/config/core/v4alpha:pkg", - "//envoy/extensions/filters/http/csrf/v3:pkg", - "//envoy/type/matcher/v4alpha:pkg", - "@com_github_cncf_udpa//udpa/annotations:pkg", - ], -) diff --git a/generated_api_shadow/envoy/extensions/filters/http/csrf/v4alpha/csrf.proto b/generated_api_shadow/envoy/extensions/filters/http/csrf/v4alpha/csrf.proto deleted file mode 100644 index 3de55da6be8c..000000000000 --- a/generated_api_shadow/envoy/extensions/filters/http/csrf/v4alpha/csrf.proto +++ /dev/null 
@@ -1,54 +0,0 @@ -syntax = "proto3"; - -package envoy.extensions.filters.http.csrf.v4alpha; - -import "envoy/config/core/v4alpha/base.proto"; -import "envoy/type/matcher/v4alpha/string.proto"; - -import "udpa/annotations/status.proto"; -import "udpa/annotations/versioning.proto"; -import "validate/validate.proto"; - -option java_package = "io.envoyproxy.envoy.extensions.filters.http.csrf.v4alpha"; -option java_outer_classname = "CsrfProto"; -option java_multiple_files = true; -option (udpa.annotations.file_status).package_version_status = NEXT_MAJOR_VERSION_CANDIDATE; - -// [#protodoc-title: CSRF] -// Cross-Site Request Forgery :ref:`configuration overview `. -// [#extension: envoy.filters.http.csrf] - -// CSRF filter config. -message CsrfPolicy { - option (udpa.annotations.versioning).previous_message_type = - "envoy.extensions.filters.http.csrf.v3.CsrfPolicy"; - - // Specifies the % of requests for which the CSRF filter is enabled. - // - // If :ref:`runtime_key ` is specified, - // Envoy will lookup the runtime key to get the percentage of requests to filter. - // - // .. note:: - // - // This field defaults to 100/:ref:`HUNDRED - // `. - config.core.v4alpha.RuntimeFractionalPercent filter_enabled = 1 - [(validate.rules).message = {required: true}]; - - // Specifies that CSRF policies will be evaluated and tracked, but not enforced. - // - // This is intended to be used when ``filter_enabled`` is off and will be ignored otherwise. - // - // If :ref:`runtime_key ` is specified, - // Envoy will lookup the runtime key to get the percentage of requests for which it will evaluate - // and track the request's *Origin* and *Destination* to determine if it's valid, but will not - // enforce any policies. - config.core.v4alpha.RuntimeFractionalPercent shadow_enabled = 2; - - // Specifies additional source origins that will be allowed in addition to - // the destination origin. 
- // - // More information on how this can be configured via runtime can be found - // :ref:`here `. - repeated type.matcher.v4alpha.StringMatcher additional_origins = 3; -} diff --git a/generated_api_shadow/envoy/extensions/filters/http/dynamic_forward_proxy/v4alpha/BUILD b/generated_api_shadow/envoy/extensions/filters/http/dynamic_forward_proxy/v4alpha/BUILD deleted file mode 100644 index 8486b45d71d9..000000000000 --- a/generated_api_shadow/envoy/extensions/filters/http/dynamic_forward_proxy/v4alpha/BUILD +++ /dev/null @@ -1,13 +0,0 @@ -# DO NOT EDIT. This file is generated by tools/proto_format/proto_sync.py. - -load("@envoy_api//bazel:api_build_system.bzl", "api_proto_package") - -licenses(["notice"]) # Apache 2 - -api_proto_package( - deps = [ - "//envoy/extensions/common/dynamic_forward_proxy/v4alpha:pkg", - "//envoy/extensions/filters/http/dynamic_forward_proxy/v3:pkg", - "@com_github_cncf_udpa//udpa/annotations:pkg", - ], -) diff --git a/generated_api_shadow/envoy/extensions/filters/http/dynamic_forward_proxy/v4alpha/dynamic_forward_proxy.proto b/generated_api_shadow/envoy/extensions/filters/http/dynamic_forward_proxy/v4alpha/dynamic_forward_proxy.proto deleted file mode 100644 index 0dba06106b07..000000000000 --- a/generated_api_shadow/envoy/extensions/filters/http/dynamic_forward_proxy/v4alpha/dynamic_forward_proxy.proto +++ /dev/null 
@@ -1,64 +0,0 @@ -syntax = "proto3"; - -package envoy.extensions.filters.http.dynamic_forward_proxy.v4alpha; - -import "envoy/extensions/common/dynamic_forward_proxy/v4alpha/dns_cache.proto"; - -import "udpa/annotations/status.proto"; -import "udpa/annotations/versioning.proto"; -import "validate/validate.proto"; - -option java_package = "io.envoyproxy.envoy.extensions.filters.http.dynamic_forward_proxy.v4alpha"; -option java_outer_classname = "DynamicForwardProxyProto"; -option java_multiple_files = true; -option (udpa.annotations.file_status).package_version_status = NEXT_MAJOR_VERSION_CANDIDATE; - -// [#protodoc-title: Dynamic forward proxy] - -// Configuration for the dynamic forward proxy HTTP filter. See the :ref:`architecture overview -// ` for more information. -// [#extension: envoy.filters.http.dynamic_forward_proxy] -message FilterConfig { - option (udpa.annotations.versioning).previous_message_type = - "envoy.extensions.filters.http.dynamic_forward_proxy.v3.FilterConfig"; - - // The DNS cache configuration that the filter will attach to. Note this configuration must - // match that of associated :ref:`dynamic forward proxy cluster configuration - // `. - common.dynamic_forward_proxy.v4alpha.DnsCacheConfig dns_cache_config = 1 - [(validate.rules).message = {required: true}]; -} - -// Per route Configuration for the dynamic forward proxy HTTP filter. -message PerRouteConfig { - option (udpa.annotations.versioning).previous_message_type = - "envoy.extensions.filters.http.dynamic_forward_proxy.v3.PerRouteConfig"; - - oneof host_rewrite_specifier { - // Indicates that before DNS lookup, the host header will be swapped with - // this value. If not set or empty, the original host header value - // will be used and no rewrite will happen. - // - // Note: this rewrite affects both DNS lookup and host header forwarding. 
However, this - // option shouldn't be used with - // :ref:`HCM host rewrite ` given that the - // value set here would be used for DNS lookups whereas the value set in the HCM would be used - // for host header forwarding which is not the desired outcome. - string host_rewrite_literal = 1; - - // Indicates that before DNS lookup, the host header will be swapped with - // the value of this header. If not set or empty, the original host header - // value will be used and no rewrite will happen. - // - // Note: this rewrite affects both DNS lookup and host header forwarding. However, this - // option shouldn't be used with - // :ref:`HCM host rewrite header ` - // given that the value set here would be used for DNS lookups whereas the value set in the HCM - // would be used for host header forwarding which is not the desired outcome. - // - // .. note:: - // - // If the header appears multiple times only the first value is used. - string host_rewrite_header = 2; - } -} diff --git a/generated_api_shadow/envoy/extensions/filters/http/ext_authz/v4alpha/BUILD b/generated_api_shadow/envoy/extensions/filters/http/ext_authz/v4alpha/BUILD deleted file mode 100644 index 16a0c5f1b64c..000000000000 --- a/generated_api_shadow/envoy/extensions/filters/http/ext_authz/v4alpha/BUILD +++ /dev/null @@ -1,15 +0,0 @@ -# DO NOT EDIT. This file is generated by tools/proto_format/proto_sync.py. - -load("@envoy_api//bazel:api_build_system.bzl", "api_proto_package") - -licenses(["notice"]) # Apache 2 - -api_proto_package( - deps = [ - "//envoy/config/core/v4alpha:pkg", - "//envoy/extensions/filters/http/ext_authz/v3:pkg", - "//envoy/type/matcher/v4alpha:pkg", - "//envoy/type/v3:pkg", - "@com_github_cncf_udpa//udpa/annotations:pkg", - ], -) diff --git a/generated_api_shadow/envoy/extensions/filters/http/ext_authz/v4alpha/ext_authz.proto b/generated_api_shadow/envoy/extensions/filters/http/ext_authz/v4alpha/ext_authz.proto deleted file mode 100644 index 35b0cbd2f547..000000000000 
--- a/generated_api_shadow/envoy/extensions/filters/http/ext_authz/v4alpha/ext_authz.proto +++ /dev/null 
@@ -1,316 +0,0 @@ -syntax = "proto3"; - -package envoy.extensions.filters.http.ext_authz.v4alpha; - -import "envoy/config/core/v4alpha/base.proto"; -import "envoy/config/core/v4alpha/config_source.proto"; -import "envoy/config/core/v4alpha/grpc_service.proto"; -import "envoy/config/core/v4alpha/http_uri.proto"; -import "envoy/type/matcher/v4alpha/metadata.proto"; -import "envoy/type/matcher/v4alpha/string.proto"; -import "envoy/type/v3/http_status.proto"; - -import "udpa/annotations/status.proto"; -import "udpa/annotations/versioning.proto"; -import "validate/validate.proto"; - -option java_package = "io.envoyproxy.envoy.extensions.filters.http.ext_authz.v4alpha"; -option java_outer_classname = "ExtAuthzProto"; -option java_multiple_files = true; -option (udpa.annotations.file_status).package_version_status = NEXT_MAJOR_VERSION_CANDIDATE; - -// [#protodoc-title: External Authorization] -// External Authorization :ref:`configuration overview `. -// [#extension: envoy.filters.http.ext_authz] - -// [#next-free-field: 16] -message ExtAuthz { - option (udpa.annotations.versioning).previous_message_type = - "envoy.extensions.filters.http.ext_authz.v3.ExtAuthz"; - - reserved 4; - - reserved "use_alpha"; - - // External authorization service configuration. - oneof services { - // gRPC service configuration (default timeout: 200ms). - config.core.v4alpha.GrpcService grpc_service = 1; - - // HTTP service configuration (default timeout: 200ms). - HttpService http_service = 3; - } - - // API version for ext_authz transport protocol. This describes the ext_authz gRPC endpoint and - // version of messages used on the wire. - config.core.v4alpha.ApiVersion transport_api_version = 12 - [(validate.rules).enum = {defined_only: true}]; - - // Changes filter's behaviour on errors: - // - // 1. 
When set to true, the filter will *accept* client request even if the communication with - // the authorization service has failed, or if the authorization service has returned a HTTP 5xx - // error. - // - // 2. When set to false, ext-authz will *reject* client requests and return a *Forbidden* - // response if the communication with the authorization service has failed, or if the - // authorization service has returned a HTTP 5xx error. - // - // Note that errors can be *always* tracked in the :ref:`stats - // `. - bool failure_mode_allow = 2; - - // Enables filter to buffer the client request body and send it within the authorization request. - // A ``x-envoy-auth-partial-body: false|true`` metadata header will be added to the authorization - // request message indicating if the body data is partial. - BufferSettings with_request_body = 5; - - // Clears route cache in order to allow the external authorization service to correctly affect - // routing decisions. Filter clears all cached routes when: - // - // 1. The field is set to *true*. - // - // 2. The status returned from the authorization service is a HTTP 200 or gRPC 0. - // - // 3. At least one *authorization response header* is added to the client request, or is used for - // altering another client request header. - // - bool clear_route_cache = 6; - - // Sets the HTTP status that is returned to the client when there is a network error between the - // filter and the authorization server. The default status is HTTP 403 Forbidden. - type.v3.HttpStatus status_on_error = 7; - - // Specifies a list of metadata namespaces whose values, if present, will be passed to the - // ext_authz service as an opaque *protobuf::Struct*. - // - // For example, if the *jwt_authn* filter is used and :ref:`payload_in_metadata - // ` is set, - // then the following will pass the jwt payload to the authorization server. - // - // .. 
code-block:: yaml - // - // metadata_context_namespaces: - // - envoy.filters.http.jwt_authn - // - repeated string metadata_context_namespaces = 8; - - // Specifies if the filter is enabled. - // - // If :ref:`runtime_key ` is specified, - // Envoy will lookup the runtime key to get the percentage of requests to filter. - // - // If this field is not specified, the filter will be enabled for all requests. - config.core.v4alpha.RuntimeFractionalPercent filter_enabled = 9; - - // Specifies if the filter is enabled with metadata matcher. - // If this field is not specified, the filter will be enabled for all requests. - type.matcher.v4alpha.MetadataMatcher filter_enabled_metadata = 14; - - // Specifies whether to deny the requests, when the filter is disabled. - // If :ref:`runtime_key ` is specified, - // Envoy will lookup the runtime key to determine whether to deny request for - // filter protected path at filter disabling. If filter is disabled in - // typed_per_filter_config for the path, requests will not be denied. - // - // If this field is not specified, all requests will be allowed when disabled. - config.core.v4alpha.RuntimeFeatureFlag deny_at_disable = 11; - - // Specifies if the peer certificate is sent to the external service. - // - // When this field is true, Envoy will include the peer X.509 certificate, if available, in the - // :ref:`certificate`. - bool include_peer_certificate = 10; - - // Optional additional prefix to use when emitting statistics. This allows to distinguish - // emitted statistics between configured *ext_authz* filters in an HTTP filter chain. For example: - // - // .. code-block:: yaml - // - // http_filters: - // - name: envoy.filters.http.ext_authz - // typed_config: - // "@type": type.googleapis.com/envoy.extensions.filters.http.ext_authz.v3.ExtAuthz - // stat_prefix: waf # This emits ext_authz.waf.ok, ext_authz.waf.denied, etc. 
- // - name: envoy.filters.http.ext_authz - // typed_config: - // "@type": type.googleapis.com/envoy.extensions.filters.http.ext_authz.v3.ExtAuthz - // stat_prefix: blocker # This emits ext_authz.blocker.ok, ext_authz.blocker.denied, etc. - // - string stat_prefix = 13; - - // Optional labels that will be passed to :ref:`labels` in - // :ref:`destination`. - // The labels will be read from :ref:`metadata` with the specified key. - string bootstrap_metadata_labels_key = 15; -} - -// Configuration for buffering the request data. -message BufferSettings { - option (udpa.annotations.versioning).previous_message_type = - "envoy.extensions.filters.http.ext_authz.v3.BufferSettings"; - - // Sets the maximum size of a message body that the filter will hold in memory. Envoy will return - // *HTTP 413* and will *not* initiate the authorization process when buffer reaches the number - // set in this field. Note that this setting will have precedence over :ref:`failure_mode_allow - // `. - uint32 max_request_bytes = 1 [(validate.rules).uint32 = {gt: 0}]; - - // When this field is true, Envoy will buffer the message until *max_request_bytes* is reached. - // The authorization request will be dispatched and no 413 HTTP error will be returned by the - // filter. - bool allow_partial_message = 2; - - // If true, the body sent to the external authorization service is set with raw bytes, it sets - // the :ref:`raw_body` - // field of HTTP request attribute context. Otherwise, :ref:` - // body` will be filled - // with UTF-8 string request body. - bool pack_as_bytes = 3; -} - -// HttpService is used for raw HTTP communication between the filter and the authorization service. -// When configured, the filter will parse the client request and use these attributes to call the -// authorization server. Depending on the response, the filter may reject or accept the client -// request. 
Note that in any of these events, metadata can be added, removed or overridden by the -// filter: -// -// *On authorization request*, a list of allowed request headers may be supplied. See -// :ref:`allowed_headers -// ` -// for details. Additional headers metadata may be added to the authorization request. See -// :ref:`headers_to_add -// ` for -// details. -// -// On authorization response status HTTP 200 OK, the filter will allow traffic to the upstream and -// additional headers metadata may be added to the original client request. See -// :ref:`allowed_upstream_headers -// ` -// for details. Additionally, the filter may add additional headers to the client's response. See -// :ref:`allowed_client_headers_on_success -// ` -// for details. -// -// On other authorization response statuses, the filter will not allow traffic. Additional headers -// metadata as well as body may be added to the client's response. See :ref:`allowed_client_headers -// ` -// for details. -// [#next-free-field: 9] -message HttpService { - option (udpa.annotations.versioning).previous_message_type = - "envoy.extensions.filters.http.ext_authz.v3.HttpService"; - - reserved 3, 4, 5, 6; - - // Sets the HTTP server URI which the authorization requests must be sent to. - config.core.v4alpha.HttpUri server_uri = 1; - - // Sets a prefix to the value of authorization request header *Path*. - string path_prefix = 2; - - // Settings used for controlling authorization request metadata. - AuthorizationRequest authorization_request = 7; - - // Settings used for controlling authorization response metadata. - AuthorizationResponse authorization_response = 8; -} - -message AuthorizationRequest { - option (udpa.annotations.versioning).previous_message_type = - "envoy.extensions.filters.http.ext_authz.v3.AuthorizationRequest"; - - // Authorization request includes the client request headers that have a correspondent match - // in the :ref:`list `. - // - // .. 
note:: - // - // In addition to the the user's supplied matchers, ``Host``, ``Method``, ``Path``, - // ``Content-Length``, and ``Authorization`` are **automatically included** to the list. - // - // .. note:: - // - // By default, ``Content-Length`` header is set to ``0`` and the request to the authorization - // service has no message body. However, the authorization request *may* include the buffered - // client request body (controlled by :ref:`with_request_body - // ` - // setting) hence the value of its ``Content-Length`` reflects the size of its payload size. - // - type.matcher.v4alpha.ListStringMatcher allowed_headers = 1; - - // Sets a list of headers that will be included to the request to authorization service. Note that - // client request of the same key will be overridden. - repeated config.core.v4alpha.HeaderValue headers_to_add = 2; -} - -message AuthorizationResponse { - option (udpa.annotations.versioning).previous_message_type = - "envoy.extensions.filters.http.ext_authz.v3.AuthorizationResponse"; - - // When this :ref:`list ` is set, authorization - // response headers that have a correspondent match will be added to the original client request. - // Note that coexistent headers will be overridden. - type.matcher.v4alpha.ListStringMatcher allowed_upstream_headers = 1; - - // When this :ref:`list ` is set, authorization - // response headers that have a correspondent match will be added to the client's response. Note - // that coexistent headers will be appended. - type.matcher.v4alpha.ListStringMatcher allowed_upstream_headers_to_append = 3; - - // When this :ref:`list `. is set, authorization - // response headers that have a correspondent match will be added to the client's response. Note - // that when this list is *not* set, all the authorization response headers, except *Authority - // (Host)* will be in the response to the client. 
When a header is included in this list, *Path*, - // *Status*, *Content-Length*, *WWWAuthenticate* and *Location* are automatically added. - type.matcher.v4alpha.ListStringMatcher allowed_client_headers = 2; - - // When this :ref:`list `. is set, authorization - // response headers that have a correspondent match will be added to the client's response when - // the authorization response itself is successful, i.e. not failed or denied. When this list is - // *not* set, no additional headers will be added to the client's response on success. - type.matcher.v4alpha.ListStringMatcher allowed_client_headers_on_success = 4; -} - -// Extra settings on a per virtualhost/route/weighted-cluster level. -message ExtAuthzPerRoute { - option (udpa.annotations.versioning).previous_message_type = - "envoy.extensions.filters.http.ext_authz.v3.ExtAuthzPerRoute"; - - oneof override { - option (validate.required) = true; - - // Disable the ext auth filter for this particular vhost or route. - // If disabled is specified in multiple per-filter-configs, the most specific one will be used. - bool disabled = 1 [(validate.rules).bool = {const: true}]; - - // Check request settings for this route. - CheckSettings check_settings = 2 [(validate.rules).message = {required: true}]; - } -} - -// Extra settings for the check request. -message CheckSettings { - option (udpa.annotations.versioning).previous_message_type = - "envoy.extensions.filters.http.ext_authz.v3.CheckSettings"; - - // Context extensions to set on the CheckRequest's - // :ref:`AttributeContext.context_extensions` - // - // You can use this to provide extra context for the external authorization server on specific - // virtual hosts/routes. For example, adding a context extension on the virtual host level can - // give the ext-authz server information on what virtual host is used without needing to parse the - // host header. 
If CheckSettings is specified in multiple per-filter-configs, they will be merged - // in order, and the result will be used. - // - // Merge semantics for this field are such that keys from more specific configs override. - // - // .. note:: - // - // These settings are only applied to a filter configured with a - // :ref:`grpc_service`. - map context_extensions = 1; - - // When set to true, disable the configured :ref:`with_request_body - // ` for a route. - bool disable_request_body_buffering = 2; -} diff --git a/generated_api_shadow/envoy/extensions/filters/http/fault/v4alpha/BUILD b/generated_api_shadow/envoy/extensions/filters/http/fault/v4alpha/BUILD deleted file mode 100644 index 6b7506bcbf76..000000000000 --- a/generated_api_shadow/envoy/extensions/filters/http/fault/v4alpha/BUILD +++ /dev/null @@ -1,15 +0,0 @@ -# DO NOT EDIT. This file is generated by tools/proto_format/proto_sync.py. - -load("@envoy_api//bazel:api_build_system.bzl", "api_proto_package") - -licenses(["notice"]) # Apache 2 - -api_proto_package( - deps = [ - "//envoy/config/route/v4alpha:pkg", - "//envoy/extensions/filters/common/fault/v3:pkg", - "//envoy/extensions/filters/http/fault/v3:pkg", - "//envoy/type/v3:pkg", - "@com_github_cncf_udpa//udpa/annotations:pkg", - ], -) diff --git a/generated_api_shadow/envoy/extensions/filters/http/fault/v4alpha/fault.proto b/generated_api_shadow/envoy/extensions/filters/http/fault/v4alpha/fault.proto deleted file mode 100644 index da8b8b48ad3f..000000000000 --- a/generated_api_shadow/envoy/extensions/filters/http/fault/v4alpha/fault.proto +++ /dev/null 
@@ -1,150 +0,0 @@ -syntax = "proto3"; - -package envoy.extensions.filters.http.fault.v4alpha; - -import "envoy/config/route/v4alpha/route_components.proto"; -import "envoy/extensions/filters/common/fault/v3/fault.proto"; -import "envoy/type/v3/percent.proto"; - -import "google/protobuf/wrappers.proto"; - -import "udpa/annotations/status.proto"; -import "udpa/annotations/versioning.proto"; -import "validate/validate.proto"; - -option java_package = "io.envoyproxy.envoy.extensions.filters.http.fault.v4alpha"; -option java_outer_classname = "FaultProto"; -option java_multiple_files = true; -option (udpa.annotations.file_status).package_version_status = NEXT_MAJOR_VERSION_CANDIDATE; - -// [#protodoc-title: Fault Injection] -// Fault Injection :ref:`configuration overview `. -// [#extension: envoy.filters.http.fault] - -// [#next-free-field: 6] -message FaultAbort { - option (udpa.annotations.versioning).previous_message_type = - "envoy.extensions.filters.http.fault.v3.FaultAbort"; - - // Fault aborts are controlled via an HTTP header (if applicable). See the - // :ref:`HTTP fault filter ` documentation for - // more information. - message HeaderAbort { - option (udpa.annotations.versioning).previous_message_type = - "envoy.extensions.filters.http.fault.v3.FaultAbort.HeaderAbort"; - } - - reserved 1; - - oneof error_type { - option (validate.required) = true; - - // HTTP status code to use to abort the HTTP request. - uint32 http_status = 2 [(validate.rules).uint32 = {lt: 600 gte: 200}]; - - // gRPC status code to use to abort the gRPC request. - uint32 grpc_status = 5; - - // Fault aborts are controlled via an HTTP header (if applicable). - HeaderAbort header_abort = 4; - } - - // The percentage of requests/operations/connections that will be aborted with the error code - // provided. 
- type.v3.FractionalPercent percentage = 3; -} - -// [#next-free-field: 16] -message HTTPFault { - option (udpa.annotations.versioning).previous_message_type = - "envoy.extensions.filters.http.fault.v3.HTTPFault"; - - // If specified, the filter will inject delays based on the values in the - // object. - common.fault.v3.FaultDelay delay = 1; - - // If specified, the filter will abort requests based on the values in - // the object. At least *abort* or *delay* must be specified. - FaultAbort abort = 2; - - // Specifies the name of the (destination) upstream cluster that the - // filter should match on. Fault injection will be restricted to requests - // bound to the specific upstream cluster. - string upstream_cluster = 3; - - // Specifies a set of headers that the filter should match on. The fault - // injection filter can be applied selectively to requests that match a set of - // headers specified in the fault filter config. The chances of actual fault - // injection further depend on the value of the :ref:`percentage - // ` field. - // The filter will check the request's headers against all the specified - // headers in the filter config. A match will happen if all the headers in the - // config are present in the request with the same values (or based on - // presence if the *value* field is not in the config). - repeated config.route.v4alpha.HeaderMatcher headers = 4; - - // Faults are injected for the specified list of downstream hosts. If this - // setting is not set, faults are injected for all downstream nodes. - // Downstream node name is taken from :ref:`the HTTP - // x-envoy-downstream-service-node - // ` header and compared - // against downstream_nodes list. - repeated string downstream_nodes = 5; - - // The maximum number of faults that can be active at a single time via the configured fault - // filter. 
Note that because this setting can be overridden at the route level, it's possible - // for the number of active faults to be greater than this value (if injected via a different - // route). If not specified, defaults to unlimited. This setting can be overridden via - // `runtime ` and any faults that are not injected - // due to overflow will be indicated via the `faults_overflow - // ` stat. - // - // .. attention:: - // Like other :ref:`circuit breakers ` in Envoy, this is a fuzzy - // limit. It's possible for the number of active faults to rise slightly above the configured - // amount due to the implementation details. - google.protobuf.UInt32Value max_active_faults = 6; - - // The response rate limit to be applied to the response body of the stream. When configured, - // the percentage can be overridden by the :ref:`fault.http.rate_limit.response_percent - // ` runtime key. - // - // .. attention:: - // This is a per-stream limit versus a connection level limit. This means that concurrent streams - // will each get an independent limit. - common.fault.v3.FaultRateLimit response_rate_limit = 7; - - // The runtime key to override the :ref:`default ` - // runtime. The default is: fault.http.delay.fixed_delay_percent - string delay_percent_runtime = 8; - - // The runtime key to override the :ref:`default ` - // runtime. The default is: fault.http.abort.abort_percent - string abort_percent_runtime = 9; - - // The runtime key to override the :ref:`default ` - // runtime. The default is: fault.http.delay.fixed_duration_ms - string delay_duration_runtime = 10; - - // The runtime key to override the :ref:`default ` - // runtime. The default is: fault.http.abort.http_status - string abort_http_status_runtime = 11; - - // The runtime key to override the :ref:`default ` - // runtime. The default is: fault.http.max_active_faults - string max_active_faults_runtime = 12; - - // The runtime key to override the :ref:`default ` - // runtime. 
The default is: fault.http.rate_limit.response_percent - string response_rate_limit_percent_runtime = 13; - - // The runtime key to override the :ref:`default ` - // runtime. The default is: fault.http.abort.grpc_status - string abort_grpc_status_runtime = 14; - - // To control whether stats storage is allocated dynamically for each downstream server. - // If set to true, "x-envoy-downstream-service-cluster" field of header will be ignored by this filter. - // If set to false, dynamic stats storage will be allocated for the downstream cluster name. - // Default value is false. - bool disable_downstream_cluster_stats = 15; -} diff --git a/generated_api_shadow/envoy/extensions/filters/http/gzip/v4alpha/BUILD b/generated_api_shadow/envoy/extensions/filters/http/gzip/v4alpha/BUILD deleted file mode 100644 index 3b9648df0929..000000000000 --- a/generated_api_shadow/envoy/extensions/filters/http/gzip/v4alpha/BUILD +++ /dev/null @@ -1,13 +0,0 @@ -# DO NOT EDIT. This file is generated by tools/proto_format/proto_sync.py. - -load("@envoy_api//bazel:api_build_system.bzl", "api_proto_package") - -licenses(["notice"]) # Apache 2 - -api_proto_package( - deps = [ - "//envoy/extensions/filters/http/compressor/v4alpha:pkg", - "//envoy/extensions/filters/http/gzip/v3:pkg", - "@com_github_cncf_udpa//udpa/annotations:pkg", - ], -) diff --git a/generated_api_shadow/envoy/extensions/filters/http/gzip/v4alpha/gzip.proto b/generated_api_shadow/envoy/extensions/filters/http/gzip/v4alpha/gzip.proto deleted file mode 100644 index 8689148b4625..000000000000 --- a/generated_api_shadow/envoy/extensions/filters/http/gzip/v4alpha/gzip.proto +++ /dev/null 
@@ -1,81 +0,0 @@ -syntax = "proto3"; - -package envoy.extensions.filters.http.gzip.v4alpha; - -import "envoy/extensions/filters/http/compressor/v4alpha/compressor.proto"; - -import "google/protobuf/wrappers.proto"; - -import "udpa/annotations/status.proto"; -import "udpa/annotations/versioning.proto"; -import "validate/validate.proto"; - -option java_package = "io.envoyproxy.envoy.extensions.filters.http.gzip.v4alpha"; -option java_outer_classname = "GzipProto"; -option java_multiple_files = true; -option (udpa.annotations.file_status).package_version_status = NEXT_MAJOR_VERSION_CANDIDATE; - -// [#protodoc-title: Gzip] - -// [#next-free-field: 12] -message Gzip { - option (udpa.annotations.versioning).previous_message_type = - "envoy.extensions.filters.http.gzip.v3.Gzip"; - - enum CompressionStrategy { - DEFAULT = 0; - FILTERED = 1; - HUFFMAN = 2; - RLE = 3; - } - - message CompressionLevel { - option (udpa.annotations.versioning).previous_message_type = - "envoy.extensions.filters.http.gzip.v3.Gzip.CompressionLevel"; - - enum Enum { - DEFAULT = 0; - BEST = 1; - SPEED = 2; - } - } - - reserved 2, 6, 7, 8; - - reserved "content_length", "content_type", "disable_on_etag_header", - "remove_accept_encoding_header"; - - // Value from 1 to 9 that controls the amount of internal memory used by zlib. Higher values - // use more memory, but are faster and produce better compression results. The default value is 5. - google.protobuf.UInt32Value memory_level = 1 [(validate.rules).uint32 = {lte: 9 gte: 1}]; - - // A value used for selecting the zlib compression level. This setting will affect speed and - // amount of compression applied to the content. "BEST" provides higher compression at the cost of - // higher latency, "SPEED" provides lower compression with minimum impact on response time. - // "DEFAULT" provides an optimal result between speed and compression. This field will be set to - // "DEFAULT" if not specified. 
- CompressionLevel.Enum compression_level = 3 [(validate.rules).enum = {defined_only: true}]; - - // A value used for selecting the zlib compression strategy which is directly related to the - // characteristics of the content. Most of the time "DEFAULT" will be the best choice, though - // there are situations which changing this parameter might produce better results. For example, - // run-length encoding (RLE) is typically used when the content is known for having sequences - // which same data occurs many consecutive times. For more information about each strategy, please - // refer to zlib manual. - CompressionStrategy compression_strategy = 4 [(validate.rules).enum = {defined_only: true}]; - - // Value from 9 to 15 that represents the base two logarithmic of the compressor's window size. - // Larger window results in better compression at the expense of memory usage. The default is 12 - // which will produce a 4096 bytes window. For more details about this parameter, please refer to - // zlib manual > deflateInit2. - google.protobuf.UInt32Value window_bits = 9 [(validate.rules).uint32 = {lte: 15 gte: 9}]; - - // Set of configuration parameters common for all compression filters. You can define - // `content_length`, `content_type` and other parameters in this field. - compressor.v4alpha.Compressor compressor = 10; - - // Value for Zlib's next output buffer. If not set, defaults to 4096. - // See https://www.zlib.net/manual.html for more details. Also see - // https://github.com/envoyproxy/envoy/issues/8448 for context on this filter's performance. - google.protobuf.UInt32Value chunk_size = 11 [(validate.rules).uint32 = {lte: 65536 gte: 4096}]; -} diff --git a/generated_api_shadow/envoy/extensions/filters/http/header_to_metadata/v4alpha/BUILD b/generated_api_shadow/envoy/extensions/filters/http/header_to_metadata/v4alpha/BUILD deleted file mode 100644 index 0a8d5eb27fb4..000000000000 
--- a/generated_api_shadow/envoy/extensions/filters/http/header_to_metadata/v4alpha/BUILD +++ /dev/null @@ -1,13 +0,0 @@ -# DO NOT EDIT. This file is generated by tools/proto_format/proto_sync.py. - -load("@envoy_api//bazel:api_build_system.bzl", "api_proto_package") - -licenses(["notice"]) # Apache 2 - -api_proto_package( - deps = [ - "//envoy/extensions/filters/http/header_to_metadata/v3:pkg", - "//envoy/type/matcher/v4alpha:pkg", - "@com_github_cncf_udpa//udpa/annotations:pkg", - ], -) diff --git a/generated_api_shadow/envoy/extensions/filters/http/header_to_metadata/v4alpha/header_to_metadata.proto b/generated_api_shadow/envoy/extensions/filters/http/header_to_metadata/v4alpha/header_to_metadata.proto deleted file mode 100644 index 5b06f1e78556..000000000000 --- a/generated_api_shadow/envoy/extensions/filters/http/header_to_metadata/v4alpha/header_to_metadata.proto +++ /dev/null 
@@ -1,130 +0,0 @@ -syntax = "proto3"; - -package envoy.extensions.filters.http.header_to_metadata.v4alpha; - -import "envoy/type/matcher/v4alpha/regex.proto"; - -import "udpa/annotations/status.proto"; -import "udpa/annotations/versioning.proto"; -import "validate/validate.proto"; - -option java_package = "io.envoyproxy.envoy.extensions.filters.http.header_to_metadata.v4alpha"; -option java_outer_classname = "HeaderToMetadataProto"; -option java_multiple_files = true; -option (udpa.annotations.file_status).package_version_status = NEXT_MAJOR_VERSION_CANDIDATE; - -// [#protodoc-title: Header-To-Metadata Filter] -// -// The configuration for transforming headers into metadata. This is useful -// for matching load balancer subsets, logging, etc. -// -// Header to Metadata :ref:`configuration overview `. -// [#extension: envoy.filters.http.header_to_metadata] - -message Config { - option (udpa.annotations.versioning).previous_message_type = - "envoy.extensions.filters.http.header_to_metadata.v3.Config"; - - enum ValueType { - STRING = 0; - - NUMBER = 1; - - // The value is a serialized `protobuf.Value - // `_. - PROTOBUF_VALUE = 2; - } - - // ValueEncode defines the encoding algorithm. - enum ValueEncode { - // The value is not encoded. - NONE = 0; - - // The value is encoded in `Base64 `_. - // Note: this is mostly used for STRING and PROTOBUF_VALUE to escape the - // non-ASCII characters in the header. - BASE64 = 1; - } - - // [#next-free-field: 7] - message KeyValuePair { - option (udpa.annotations.versioning).previous_message_type = - "envoy.extensions.filters.http.header_to_metadata.v3.Config.KeyValuePair"; - - // The namespace — if this is empty, the filter's namespace will be used. - string metadata_namespace = 1; - - // The key to use within the namespace. - string key = 2 [(validate.rules).string = {min_len: 1}]; - - oneof value_type { - // The value to pair with the given key. 
- // - // When used for a - // :ref:`on_header_present ` - // case, if value is non-empty it'll be used instead of the header value. If both are empty, no metadata is added. - // - // When used for a :ref:`on_header_missing ` - // case, a non-empty value must be provided otherwise no metadata is added. - string value = 3; - - // If present, the header's value will be matched and substituted with this. If there is no match or substitution, the header value - // is used as-is. - // - // This is only used for :ref:`on_header_present `. - // - // Note: if the `value` field is non-empty this field should be empty. - type.matcher.v4alpha.RegexMatchAndSubstitute regex_value_rewrite = 6; - } - - // The value's type — defaults to string. - ValueType type = 4 [(validate.rules).enum = {defined_only: true}]; - - // How is the value encoded, default is NONE (not encoded). - // The value will be decoded accordingly before storing to metadata. - ValueEncode encode = 5; - } - - // A Rule defines what metadata to apply when a header is present or missing. - // [#next-free-field: 6] - message Rule { - option (udpa.annotations.versioning).previous_message_type = - "envoy.extensions.filters.http.header_to_metadata.v3.Config.Rule"; - - oneof header_cookie_specifier { - // Specifies that a match will be performed on the value of a header or a cookie. - // - // The header to be extracted. - string header = 1 - [(validate.rules).string = {well_known_regex: HTTP_HEADER_NAME strict: false}]; - - // The cookie to be extracted. - string cookie = 5 - [(validate.rules).string = {well_known_regex: HTTP_HEADER_NAME strict: false}]; - } - - // If the header or cookie is present, apply this metadata KeyValuePair. - // - // If the value in the KeyValuePair is non-empty, it'll be used instead - // of the header or cookie value. - KeyValuePair on_present = 2; - - // If the header or cookie is not present, apply this metadata KeyValuePair. 
- // - // The value in the KeyValuePair must be set, since it'll be used in lieu - // of the missing header or cookie value. - KeyValuePair on_missing = 3; - - // Whether or not to remove the header after a rule is applied. - // - // This prevents headers from leaking. - // This field is not supported in case of a cookie. - bool remove = 4; - } - - // The list of rules to apply to requests. - repeated Rule request_rules = 1; - - // The list of rules to apply to responses. - repeated Rule response_rules = 2; -} diff --git a/generated_api_shadow/envoy/extensions/filters/http/health_check/v4alpha/BUILD b/generated_api_shadow/envoy/extensions/filters/http/health_check/v4alpha/BUILD deleted file mode 100644 index 4c4dc0e45211..000000000000 --- a/generated_api_shadow/envoy/extensions/filters/http/health_check/v4alpha/BUILD +++ /dev/null @@ -1,14 +0,0 @@ -# DO NOT EDIT. This file is generated by tools/proto_format/proto_sync.py. - -load("@envoy_api//bazel:api_build_system.bzl", "api_proto_package") - -licenses(["notice"]) # Apache 2 - -api_proto_package( - deps = [ - "//envoy/config/route/v4alpha:pkg", - "//envoy/extensions/filters/http/health_check/v3:pkg", - "//envoy/type/v3:pkg", - "@com_github_cncf_udpa//udpa/annotations:pkg", - ], -) diff --git a/generated_api_shadow/envoy/extensions/filters/http/health_check/v4alpha/health_check.proto b/generated_api_shadow/envoy/extensions/filters/http/health_check/v4alpha/health_check.proto deleted file mode 100644 index 3725d085dd7b..000000000000 --- a/generated_api_shadow/envoy/extensions/filters/http/health_check/v4alpha/health_check.proto +++ /dev/null 
@@ -1,52 +0,0 @@ -syntax = "proto3"; - -package envoy.extensions.filters.http.health_check.v4alpha; - -import "envoy/config/route/v4alpha/route_components.proto"; -import "envoy/type/v3/percent.proto"; - -import "google/protobuf/duration.proto"; -import "google/protobuf/wrappers.proto"; - -import "udpa/annotations/status.proto"; -import "udpa/annotations/versioning.proto"; -import "validate/validate.proto"; - -option java_package = "io.envoyproxy.envoy.extensions.filters.http.health_check.v4alpha"; -option java_outer_classname = "HealthCheckProto"; -option java_multiple_files = true; -option (udpa.annotations.file_status).package_version_status = NEXT_MAJOR_VERSION_CANDIDATE; - -// [#protodoc-title: Health check] -// Health check :ref:`configuration overview `. -// [#extension: envoy.filters.http.health_check] - -// [#next-free-field: 6] -message HealthCheck { - option (udpa.annotations.versioning).previous_message_type = - "envoy.extensions.filters.http.health_check.v3.HealthCheck"; - - reserved 2; - - // Specifies whether the filter operates in pass through mode or not. - google.protobuf.BoolValue pass_through_mode = 1 [(validate.rules).message = {required: true}]; - - // If operating in pass through mode, the amount of time in milliseconds - // that the filter should cache the upstream response. - google.protobuf.Duration cache_time = 3; - - // If operating in non-pass-through mode, specifies a set of upstream cluster - // names and the minimum percentage of servers in each of those clusters that - // must be healthy or degraded in order for the filter to return a 200. - // - // .. note:: - // - // This value is interpreted as an integer by truncating, so 12.50% will be calculated - // as if it were 12%. - map cluster_min_healthy_percentages = 4; - - // Specifies a set of health check request headers to match on. The health check filter will - // check a request’s headers against all the specified headers. 
To specify the health check - // endpoint, set the ``:path`` header to match on. - repeated config.route.v4alpha.HeaderMatcher headers = 5; -} diff --git a/generated_api_shadow/envoy/extensions/filters/http/jwt_authn/v4alpha/BUILD b/generated_api_shadow/envoy/extensions/filters/http/jwt_authn/v4alpha/BUILD deleted file mode 100644 index f59226044ce7..000000000000 --- a/generated_api_shadow/envoy/extensions/filters/http/jwt_authn/v4alpha/BUILD +++ /dev/null @@ -1,14 +0,0 @@ -# DO NOT EDIT. This file is generated by tools/proto_format/proto_sync.py. - -load("@envoy_api//bazel:api_build_system.bzl", "api_proto_package") - -licenses(["notice"]) # Apache 2 - -api_proto_package( - deps = [ - "//envoy/config/core/v4alpha:pkg", - "//envoy/config/route/v4alpha:pkg", - "//envoy/extensions/filters/http/jwt_authn/v3:pkg", - "@com_github_cncf_udpa//udpa/annotations:pkg", - ], -) diff --git a/generated_api_shadow/envoy/extensions/filters/http/jwt_authn/v4alpha/config.proto b/generated_api_shadow/envoy/extensions/filters/http/jwt_authn/v4alpha/config.proto deleted file mode 100644 index 57c6630c940e..000000000000 --- a/generated_api_shadow/envoy/extensions/filters/http/jwt_authn/v4alpha/config.proto +++ /dev/null 
@@ -1,674 +0,0 @@ -syntax = "proto3"; - -package envoy.extensions.filters.http.jwt_authn.v4alpha; - -import "envoy/config/core/v4alpha/base.proto"; -import "envoy/config/core/v4alpha/http_uri.proto"; -import "envoy/config/route/v4alpha/route_components.proto"; - -import "google/protobuf/duration.proto"; -import "google/protobuf/empty.proto"; - -import "udpa/annotations/status.proto"; -import "udpa/annotations/versioning.proto"; -import "validate/validate.proto"; - -option java_package = "io.envoyproxy.envoy.extensions.filters.http.jwt_authn.v4alpha"; -option java_outer_classname = "ConfigProto"; -option java_multiple_files = true; -option (udpa.annotations.file_status).package_version_status = NEXT_MAJOR_VERSION_CANDIDATE; - -// [#protodoc-title: JWT Authentication] -// JWT Authentication :ref:`configuration overview `. -// [#extension: envoy.filters.http.jwt_authn] - -// Please see following for JWT authentication flow: -// -// * `JSON Web Token (JWT) `_ -// * `The OAuth 2.0 Authorization Framework `_ -// * `OpenID Connect `_ -// -// A JwtProvider message specifies how a JSON Web Token (JWT) can be verified. It specifies: -// -// * issuer: the principal that issues the JWT. If specified, it has to match the *iss* field in JWT. -// * allowed audiences: the ones in the token have to be listed here. -// * how to fetch public key JWKS to verify the token signature. -// * how to extract JWT token in the request. -// * how to pass successfully verified token payload. -// -// Example: -// -// .. 
code-block:: yaml -// -// issuer: https://example.com -// audiences: -// - bookstore_android.apps.googleusercontent.com -// - bookstore_web.apps.googleusercontent.com -// remote_jwks: -// http_uri: -// uri: https://example.com/.well-known/jwks.json -// cluster: example_jwks_cluster -// timeout: 1s -// cache_duration: -// seconds: 300 -// -// [#next-free-field: 13] -message JwtProvider { - option (udpa.annotations.versioning).previous_message_type = - "envoy.extensions.filters.http.jwt_authn.v3.JwtProvider"; - - // Specify the `principal `_ that issued - // the JWT, usually a URL or an email address. - // - // It is optional. If specified, it has to match the *iss* field in JWT. - // - // If a JWT has *iss* field and this field is specified, they have to match, otherwise the - // JWT *iss* field is not checked. - // - // Note: *JwtRequirement* :ref:`allow_missing ` - // and :ref:`allow_missing_or_failed ` - // are implemented differently than other *JwtRequirements*. Hence the usage of this field - // is different as follows if *allow_missing* or *allow_missing_or_failed* is used: - // - // * If a JWT has *iss* field, it needs to be specified by this field in one of *JwtProviders*. - // * If a JWT doesn't have *iss* field, one of *JwtProviders* should fill this field empty. - // * Multiple *JwtProviders* should not have same value in this field. - // - // Example: https://securetoken.google.com - // Example: 1234567-compute@developer.gserviceaccount.com - // - string issuer = 1; - - // The list of JWT `audiences `_ are - // allowed to access. A JWT containing any of these audiences will be accepted. If not specified, - // will not check audiences in the token. - // - // Example: - // - // .. code-block:: yaml - // - // audiences: - // - bookstore_android.apps.googleusercontent.com - // - bookstore_web.apps.googleusercontent.com - // - repeated string audiences = 2; - - // `JSON Web Key Set (JWKS) `_ is needed to - // validate signature of a JWT. 
This field specifies where to fetch JWKS. - oneof jwks_source_specifier { - option (validate.required) = true; - - // JWKS can be fetched from remote server via HTTP/HTTPS. This field specifies the remote HTTP - // URI and how the fetched JWKS should be cached. - // - // Example: - // - // .. code-block:: yaml - // - // remote_jwks: - // http_uri: - // uri: https://www.googleapis.com/oauth2/v1/certs - // cluster: jwt.www.googleapis.com|443 - // timeout: 1s - // cache_duration: - // seconds: 300 - // - RemoteJwks remote_jwks = 3; - - // JWKS is in local data source. It could be either in a local file or embedded in the - // inline_string. - // - // Example: local file - // - // .. code-block:: yaml - // - // local_jwks: - // filename: /etc/envoy/jwks/jwks1.txt - // - // Example: inline_string - // - // .. code-block:: yaml - // - // local_jwks: - // inline_string: ACADADADADA - // - config.core.v4alpha.DataSource local_jwks = 4; - } - - // If false, the JWT is removed in the request after a success verification. If true, the JWT is - // not removed in the request. Default value is false. - bool forward = 5; - - // Two fields below define where to extract the JWT from an HTTP request. - // - // If no explicit location is specified, the following default locations are tried in order: - // - // 1. The Authorization header using the `Bearer schema - // `_. Example:: - // - // Authorization: Bearer . - // - // 2. `access_token `_ query parameter. - // - // Multiple JWTs can be verified for a request. Each JWT has to be extracted from the locations - // its provider specified or from the default locations. - // - // Specify the HTTP headers to extract JWT token. For examples, following config: - // - // .. code-block:: yaml - // - // from_headers: - // - name: x-goog-iap-jwt-assertion - // - // can be used to extract token from header:: - // - // ``x-goog-iap-jwt-assertion: ``. - // - repeated JwtHeader from_headers = 6; - - // JWT is sent in a query parameter. 
`jwt_params` represents the query parameter names. - // - // For example, if config is: - // - // .. code-block:: yaml - // - // from_params: - // - jwt_token - // - // The JWT format in query parameter is:: - // - // /path?jwt_token= - // - repeated string from_params = 7; - - // This field specifies the header name to forward a successfully verified JWT payload to the - // backend. The forwarded data is:: - // - // base64url_encoded(jwt_payload_in_JSON) - // - // If it is not specified, the payload will not be forwarded. - string forward_payload_header = 8 - [(validate.rules).string = {well_known_regex: HTTP_HEADER_NAME strict: false}]; - - // When :ref:`forward_payload_header ` - // is specified, the base64 encoded payload will be added to the headers. - // Normally JWT based64 encode doesn't add padding. If this field is true, - // the header will be padded. - // - // This field is only relevant if :ref:`forward_payload_header ` - // is specified. - bool pad_forward_payload_header = 11; - - // If non empty, successfully verified JWT payloads will be written to StreamInfo DynamicMetadata - // in the format as: *namespace* is the jwt_authn filter name as **envoy.filters.http.jwt_authn** - // The value is the *protobuf::Struct*. The value of this field will be the key for its *fields* - // and the value is the *protobuf::Struct* converted from JWT JSON payload. - // - // For example, if payload_in_metadata is *my_payload*: - // - // .. code-block:: yaml - // - // envoy.filters.http.jwt_authn: - // my_payload: - // iss: https://example.com - // sub: test@example.com - // aud: https://example.com - // exp: 1501281058 - // - string payload_in_metadata = 9; - - // Specify the clock skew in seconds when verifying JWT time constraint, - // such as `exp`, and `nbf`. If not specified, default is 60 seconds. - uint32 clock_skew_seconds = 10; - - // Enables JWT cache, its size is specified by *jwt_cache_size*. - // Only valid JWT tokens are cached. 
- JwtCacheConfig jwt_cache_config = 12; -} - -// This message specifies JWT Cache configuration. -message JwtCacheConfig { - option (udpa.annotations.versioning).previous_message_type = - "envoy.extensions.filters.http.jwt_authn.v3.JwtCacheConfig"; - - // The unit is number of JWT tokens, default to 100. - uint32 jwt_cache_size = 1; -} - -// This message specifies how to fetch JWKS from remote and how to cache it. -message RemoteJwks { - option (udpa.annotations.versioning).previous_message_type = - "envoy.extensions.filters.http.jwt_authn.v3.RemoteJwks"; - - // The HTTP URI to fetch the JWKS. For example: - // - // .. code-block:: yaml - // - // http_uri: - // uri: https://www.googleapis.com/oauth2/v1/certs - // cluster: jwt.www.googleapis.com|443 - // timeout: 1s - // - config.core.v4alpha.HttpUri http_uri = 1; - - // Duration after which the cached JWKS should be expired. If not specified, default cache - // duration is 5 minutes. - google.protobuf.Duration cache_duration = 2; - - // Fetch Jwks asynchronously in the main thread before the listener is activated. - // Fetched Jwks can be used by all worker threads. - // - // If this feature is not enabled: - // - // * The Jwks is fetched on-demand when the requests come. During the fetching, first - // few requests are paused until the Jwks is fetched. - // * Each worker thread fetches its own Jwks since Jwks cache is per worker thread. - // - // If this feature is enabled: - // - // * Fetched Jwks is done in the main thread before the listener is activated. Its fetched - // Jwks can be used by all worker threads. Each worker thread doesn't need to fetch its own. - // * Jwks is ready when the requests come, not need to wait for the Jwks fetching. - // - JwksAsyncFetch async_fetch = 3; - - // Retry policy for fetching Jwks. optional. turned off by default. - // - // For example: - // - // .. 
code-block:: yaml - // - // retry_policy: - // retry_back_off: - // base_interval: 0.01s - // max_interval: 20s - // num_retries: 10 - // - // will yield a randomized truncated exponential backoff policy with an initial delay of 10ms - // 10 maximum attempts spaced at most 20s seconds. - // - // .. code-block:: yaml - // - // retry_policy: - // num_retries:1 - // - // uses the default :ref:`retry backoff strategy `. - // with the default base interval is 1000 milliseconds. and the default maximum interval of 10 times the base interval. - // - // if num_retries is omitted, the default is to allow only one retry. - // - // - // If enabled, the retry policy will apply to all Jwks fetching approaches, e.g. on demand or asynchronously in background. - // - // - config.core.v4alpha.RetryPolicy retry_policy = 4; -} - -// Fetch Jwks asynchronously in the main thread when the filter config is parsed. -// The listener is activated only after the Jwks is fetched. -// When the Jwks is expired in the cache, it is fetched again in the main thread. -// The fetched Jwks from the main thread can be used by all worker threads. -message JwksAsyncFetch { - option (udpa.annotations.versioning).previous_message_type = - "envoy.extensions.filters.http.jwt_authn.v3.JwksAsyncFetch"; - - // If false, the listener is activated after the initial fetch is completed. - // The initial fetch result can be either successful or failed. - // If true, it is activated without waiting for the initial fetch to complete. - // Default is false. - bool fast_listener = 1; -} - -// This message specifies a header location to extract JWT token. -message JwtHeader { - option (udpa.annotations.versioning).previous_message_type = - "envoy.extensions.filters.http.jwt_authn.v3.JwtHeader"; - - // The HTTP header name. - string name = 1 - [(validate.rules).string = {min_len: 1 well_known_regex: HTTP_HEADER_NAME strict: false}]; - - // The value prefix. 
The value format is "value_prefix" - // For example, for "Authorization: Bearer ", value_prefix="Bearer " with a space at the - // end. - string value_prefix = 2 - [(validate.rules).string = {well_known_regex: HTTP_HEADER_VALUE strict: false}]; -} - -// Specify a required provider with audiences. -message ProviderWithAudiences { - option (udpa.annotations.versioning).previous_message_type = - "envoy.extensions.filters.http.jwt_authn.v3.ProviderWithAudiences"; - - // Specify a required provider name. - string provider_name = 1; - - // This field overrides the one specified in the JwtProvider. - repeated string audiences = 2; -} - -// This message specifies a Jwt requirement. An empty message means JWT verification is not -// required. Here are some config examples: -// -// .. code-block:: yaml -// -// # Example 1: not required with an empty message -// -// # Example 2: require A -// provider_name: provider-A -// -// # Example 3: require A or B -// requires_any: -// requirements: -// - provider_name: provider-A -// - provider_name: provider-B -// -// # Example 4: require A and B -// requires_all: -// requirements: -// - provider_name: provider-A -// - provider_name: provider-B -// -// # Example 5: require A and (B or C) -// requires_all: -// requirements: -// - provider_name: provider-A -// - requires_any: -// requirements: -// - provider_name: provider-B -// - provider_name: provider-C -// -// # Example 6: require A or (B and C) -// requires_any: -// requirements: -// - provider_name: provider-A -// - requires_all: -// requirements: -// - provider_name: provider-B -// - provider_name: provider-C -// -// # Example 7: A is optional (if token from A is provided, it must be valid, but also allows -// missing token.) -// requires_any: -// requirements: -// - provider_name: provider-A -// - allow_missing: {} -// -// # Example 8: A is optional and B is required. 
-// requires_all: -// requirements: -// - requires_any: -// requirements: -// - provider_name: provider-A -// - allow_missing: {} -// - provider_name: provider-B -// -// [#next-free-field: 7] -message JwtRequirement { - option (udpa.annotations.versioning).previous_message_type = - "envoy.extensions.filters.http.jwt_authn.v3.JwtRequirement"; - - oneof requires_type { - // Specify a required provider name. - string provider_name = 1; - - // Specify a required provider with audiences. - ProviderWithAudiences provider_and_audiences = 2; - - // Specify list of JwtRequirement. Their results are OR-ed. - // If any one of them passes, the result is passed. - JwtRequirementOrList requires_any = 3; - - // Specify list of JwtRequirement. Their results are AND-ed. - // All of them must pass, if one of them fails or missing, it fails. - JwtRequirementAndList requires_all = 4; - - // The requirement is always satisfied even if JWT is missing or the JWT - // verification fails. A typical usage is: this filter is used to only verify - // JWTs and pass the verified JWT payloads to another filter, the other filter - // will make decision. In this mode, all JWT tokens will be verified. - google.protobuf.Empty allow_missing_or_failed = 5; - - // The requirement is satisfied if JWT is missing, but failed if JWT is - // presented but invalid. Similar to allow_missing_or_failed, this is used - // to only verify JWTs and pass the verified payload to another filter. The - // different is this mode will reject requests with invalid tokens. - google.protobuf.Empty allow_missing = 6; - } -} - -// This message specifies a list of RequiredProvider. -// Their results are OR-ed; if any one of them passes, the result is passed -message JwtRequirementOrList { - option (udpa.annotations.versioning).previous_message_type = - "envoy.extensions.filters.http.jwt_authn.v3.JwtRequirementOrList"; - - // Specify a list of JwtRequirement. 
- repeated JwtRequirement requirements = 1 [(validate.rules).repeated = {min_items: 2}]; -} - -// This message specifies a list of RequiredProvider. -// Their results are AND-ed; all of them must pass, if one of them fails or missing, it fails. -message JwtRequirementAndList { - option (udpa.annotations.versioning).previous_message_type = - "envoy.extensions.filters.http.jwt_authn.v3.JwtRequirementAndList"; - - // Specify a list of JwtRequirement. - repeated JwtRequirement requirements = 1 [(validate.rules).repeated = {min_items: 2}]; -} - -// This message specifies a Jwt requirement for a specific Route condition. -// Example 1: -// -// .. code-block:: yaml -// -// - match: -// prefix: /healthz -// -// In above example, "requires" field is empty for /healthz prefix match, -// it means that requests matching the path prefix don't require JWT authentication. -// -// Example 2: -// -// .. code-block:: yaml -// -// - match: -// prefix: / -// requires: { provider_name: provider-A } -// -// In above example, all requests matched the path prefix require jwt authentication -// from "provider-A". -message RequirementRule { - option (udpa.annotations.versioning).previous_message_type = - "envoy.extensions.filters.http.jwt_authn.v3.RequirementRule"; - - // The route matching parameter. Only when the match is satisfied, the "requires" field will - // apply. - // - // For example: following match will match all requests. - // - // .. code-block:: yaml - // - // match: - // prefix: / - // - config.route.v4alpha.RouteMatch match = 1 [(validate.rules).message = {required: true}]; - - // Specify a Jwt requirement. - // If not specified, Jwt verification is disabled. - oneof requirement_type { - // Specify a Jwt requirement. Please see detail comment in message JwtRequirement. - JwtRequirement requires = 2; - - // Use requirement_name to specify a Jwt requirement. - // This requirement_name MUST be specified at the - // :ref:`requirement_map ` - // in `JwtAuthentication`. 
- string requirement_name = 3 [(validate.rules).string = {min_len: 1}]; - } -} - -// This message specifies Jwt requirements based on stream_info.filterState. -// This FilterState should use `Router::StringAccessor` object to set a string value. -// Other HTTP filters can use it to specify Jwt requirements dynamically. -// -// Example: -// -// .. code-block:: yaml -// -// name: jwt_selector -// requires: -// issuer_1: -// provider_name: issuer1 -// issuer_2: -// provider_name: issuer2 -// -// If a filter set "jwt_selector" with "issuer_1" to FilterState for a request, -// jwt_authn filter will use JwtRequirement{"provider_name": "issuer1"} to verify. -message FilterStateRule { - option (udpa.annotations.versioning).previous_message_type = - "envoy.extensions.filters.http.jwt_authn.v3.FilterStateRule"; - - // The filter state name to retrieve the `Router::StringAccessor` object. - string name = 1 [(validate.rules).string = {min_len: 1}]; - - // A map of string keys to requirements. The string key is the string value - // in the FilterState with the name specified in the *name* field above. - map requires = 3; -} - -// This is the Envoy HTTP filter config for JWT authentication. -// -// For example: -// -// .. code-block:: yaml -// -// providers: -// provider1: -// issuer: issuer1 -// audiences: -// - audience1 -// - audience2 -// remote_jwks: -// http_uri: -// uri: https://example.com/.well-known/jwks.json -// cluster: example_jwks_cluster -// timeout: 1s -// provider2: -// issuer: issuer2 -// local_jwks: -// inline_string: jwks_string -// -// rules: -// # Not jwt verification is required for /health path -// - match: -// prefix: /health -// -// # Jwt verification for provider1 is required for path prefixed with "prefix" -// - match: -// prefix: /prefix -// requires: -// provider_name: provider1 -// -// # Jwt verification for either provider1 or provider2 is required for all other requests. 
-// - match: -// prefix: / -// requires: -// requires_any: -// requirements: -// - provider_name: provider1 -// - provider_name: provider2 -// -// [#next-free-field: 6] -message JwtAuthentication { - option (udpa.annotations.versioning).previous_message_type = - "envoy.extensions.filters.http.jwt_authn.v3.JwtAuthentication"; - - // Map of provider names to JwtProviders. - // - // .. code-block:: yaml - // - // providers: - // provider1: - // issuer: issuer1 - // audiences: - // - audience1 - // - audience2 - // remote_jwks: - // http_uri: - // uri: https://example.com/.well-known/jwks.json - // cluster: example_jwks_cluster - // timeout: 1s - // provider2: - // issuer: provider2 - // local_jwks: - // inline_string: jwks_string - // - map providers = 1; - - // Specifies requirements based on the route matches. The first matched requirement will be - // applied. If there are overlapped match conditions, please put the most specific match first. - // - // Examples - // - // .. code-block:: yaml - // - // rules: - // - match: - // prefix: /healthz - // - match: - // prefix: /baz - // requires: - // provider_name: provider1 - // - match: - // prefix: /foo - // requires: - // requires_any: - // requirements: - // - provider_name: provider1 - // - provider_name: provider2 - // - match: - // prefix: /bar - // requires: - // requires_all: - // requirements: - // - provider_name: provider1 - // - provider_name: provider2 - // - repeated RequirementRule rules = 2; - - // This message specifies Jwt requirements based on stream_info.filterState. - // Other HTTP filters can use it to specify Jwt requirements dynamically. - // The *rules* field above is checked first, if it could not find any matches, - // check this one. - FilterStateRule filter_state_rules = 3; - - // When set to true, bypass the `CORS preflight request - // `_ regardless of JWT - // requirements specified in the rules. 
- bool bypass_cors_preflight = 4; - - // A map of unique requirement_names to JwtRequirements. - // :ref:`requirement_name ` - // in `PerRouteConfig` uses this map to specify a JwtRequirement. - map requirement_map = 5; -} - -// Specify per-route config. -message PerRouteConfig { - option (udpa.annotations.versioning).previous_message_type = - "envoy.extensions.filters.http.jwt_authn.v3.PerRouteConfig"; - - oneof requirement_specifier { - option (validate.required) = true; - - // Disable Jwt Authentication for this route. - bool disabled = 1 [(validate.rules).bool = {const: true}]; - - // Use requirement_name to specify a JwtRequirement. - // This requirement_name MUST be specified at the - // :ref:`requirement_map ` - // in `JwtAuthentication`. If no, the requests using this route will be rejected with 403. - string requirement_name = 2 [(validate.rules).string = {min_len: 1}]; - } -} diff --git a/generated_api_shadow/envoy/extensions/filters/http/oauth2/v4alpha/BUILD b/generated_api_shadow/envoy/extensions/filters/http/oauth2/v4alpha/BUILD deleted file mode 100644 index f833eacd5772..000000000000 --- a/generated_api_shadow/envoy/extensions/filters/http/oauth2/v4alpha/BUILD +++ /dev/null @@ -1,16 +0,0 @@ -# DO NOT EDIT. This file is generated by tools/proto_format/proto_sync.py. - -load("@envoy_api//bazel:api_build_system.bzl", "api_proto_package") - -licenses(["notice"]) # Apache 2 - -api_proto_package( - deps = [ - "//envoy/config/core/v4alpha:pkg", - "//envoy/config/route/v4alpha:pkg", - "//envoy/extensions/filters/http/oauth2/v3alpha:pkg", - "//envoy/extensions/transport_sockets/tls/v4alpha:pkg", - "//envoy/type/matcher/v4alpha:pkg", - "@com_github_cncf_udpa//udpa/annotations:pkg", - ], -) diff --git a/generated_api_shadow/envoy/extensions/filters/http/oauth2/v4alpha/oauth.proto b/generated_api_shadow/envoy/extensions/filters/http/oauth2/v4alpha/oauth.proto deleted file mode 100644 index 75002c995ccd..000000000000 
--- a/generated_api_shadow/envoy/extensions/filters/http/oauth2/v4alpha/oauth.proto +++ /dev/null 
@@ -1,99 +0,0 @@ -syntax = "proto3"; - -package envoy.extensions.filters.http.oauth2.v4alpha; - -import "envoy/config/core/v4alpha/http_uri.proto"; -import "envoy/config/route/v4alpha/route_components.proto"; -import "envoy/extensions/transport_sockets/tls/v4alpha/secret.proto"; -import "envoy/type/matcher/v4alpha/path.proto"; - -import "udpa/annotations/status.proto"; -import "udpa/annotations/versioning.proto"; -import "validate/validate.proto"; - -option java_package = "io.envoyproxy.envoy.extensions.filters.http.oauth2.v4alpha"; -option java_outer_classname = "OauthProto"; -option java_multiple_files = true; -option (udpa.annotations.file_status).work_in_progress = true; -option (udpa.annotations.file_status).package_version_status = NEXT_MAJOR_VERSION_CANDIDATE; - -// [#protodoc-title: OAuth] -// OAuth :ref:`configuration overview `. -// [#extension: envoy.filters.http.oauth2] -// - -message OAuth2Credentials { - option (udpa.annotations.versioning).previous_message_type = - "envoy.extensions.filters.http.oauth2.v3alpha.OAuth2Credentials"; - - // The client_id to be used in the authorize calls. This value will be URL encoded when sent to the OAuth server. - string client_id = 1 [(validate.rules).string = {min_len: 1}]; - - // The secret used to retrieve the access token. This value will be URL encoded when sent to the OAuth server. - transport_sockets.tls.v4alpha.SdsSecretConfig token_secret = 2 - [(validate.rules).message = {required: true}]; - - // Configures how the secret token should be created. - oneof token_formation { - option (validate.required) = true; - - // If present, the secret token will be a HMAC using the provided secret. 
- transport_sockets.tls.v4alpha.SdsSecretConfig hmac_secret = 3 - [(validate.rules).message = {required: true}]; - } -} - -// OAuth config -// -// [#next-free-field: 11] -message OAuth2Config { - option (udpa.annotations.versioning).previous_message_type = - "envoy.extensions.filters.http.oauth2.v3alpha.OAuth2Config"; - - // Endpoint on the authorization server to retrieve the access token from. - config.core.v4alpha.HttpUri token_endpoint = 1; - - // The endpoint redirect to for authorization in response to unauthorized requests. - string authorization_endpoint = 2 [(validate.rules).string = {min_len: 1}]; - - // Credentials used for OAuth. - OAuth2Credentials credentials = 3 [(validate.rules).message = {required: true}]; - - // The redirect URI passed to the authorization endpoint. Supports header formatting - // tokens. For more information, including details on header value syntax, see the - // documentation on :ref:`custom request headers `. - // - // This URI should not contain any query parameters. - string redirect_uri = 4 [(validate.rules).string = {min_len: 1}]; - - // Matching criteria used to determine whether a path appears to be the result of a redirect from the authorization server. - type.matcher.v4alpha.PathMatcher redirect_path_matcher = 5 - [(validate.rules).message = {required: true}]; - - // The path to sign a user out, clearing their credential cookies. - type.matcher.v4alpha.PathMatcher signout_path = 6 [(validate.rules).message = {required: true}]; - - // Forward the OAuth token as a Bearer to upstream web service. - bool forward_bearer_token = 7; - - // Any request that matches any of the provided matchers will be passed through without OAuth validation. - repeated config.route.v4alpha.HeaderMatcher pass_through_matcher = 8; - - // Optional list of OAuth scopes to be claimed in the authorization request. If not specified, - // defaults to "user" scope. 
- // OAuth RFC https://tools.ietf.org/html/rfc6749#section-3.3 - repeated string auth_scopes = 9; - - // Optional resource parameter for authorization request - // RFC: https://tools.ietf.org/html/rfc8707 - repeated string resources = 10; -} - -// Filter config. -message OAuth2 { - option (udpa.annotations.versioning).previous_message_type = - "envoy.extensions.filters.http.oauth2.v3alpha.OAuth2"; - - // Leave this empty to disable OAuth2 for a specific route, using per filter config. - OAuth2Config config = 1; -} diff --git a/generated_api_shadow/envoy/extensions/filters/http/ratelimit/v4alpha/BUILD b/generated_api_shadow/envoy/extensions/filters/http/ratelimit/v4alpha/BUILD deleted file mode 100644 index 329e11fc5017..000000000000 --- a/generated_api_shadow/envoy/extensions/filters/http/ratelimit/v4alpha/BUILD +++ /dev/null @@ -1,13 +0,0 @@ -# DO NOT EDIT. This file is generated by tools/proto_format/proto_sync.py. - -load("@envoy_api//bazel:api_build_system.bzl", "api_proto_package") - -licenses(["notice"]) # Apache 2 - -api_proto_package( - deps = [ - "//envoy/config/ratelimit/v4alpha:pkg", - "//envoy/extensions/filters/http/ratelimit/v3:pkg", - "@com_github_cncf_udpa//udpa/annotations:pkg", - ], -) diff --git a/generated_api_shadow/envoy/extensions/filters/http/ratelimit/v4alpha/rate_limit.proto b/generated_api_shadow/envoy/extensions/filters/http/ratelimit/v4alpha/rate_limit.proto deleted file mode 100644 index 688be29e6aab..000000000000 --- a/generated_api_shadow/envoy/extensions/filters/http/ratelimit/v4alpha/rate_limit.proto +++ /dev/null 
@@ -1,125 +0,0 @@ -syntax = "proto3"; - -package envoy.extensions.filters.http.ratelimit.v4alpha; - -import "envoy/config/ratelimit/v4alpha/rls.proto"; - -import "google/protobuf/duration.proto"; - -import "udpa/annotations/status.proto"; -import "udpa/annotations/versioning.proto"; -import "validate/validate.proto"; - -option java_package = "io.envoyproxy.envoy.extensions.filters.http.ratelimit.v4alpha"; -option java_outer_classname = "RateLimitProto"; -option java_multiple_files = true; -option (udpa.annotations.file_status).package_version_status = NEXT_MAJOR_VERSION_CANDIDATE; - -// [#protodoc-title: Rate limit] -// Rate limit :ref:`configuration overview `. -// [#extension: envoy.filters.http.ratelimit] - -// [#next-free-field: 10] -message RateLimit { - option (udpa.annotations.versioning).previous_message_type = - "envoy.extensions.filters.http.ratelimit.v3.RateLimit"; - - // Defines the version of the standard to use for X-RateLimit headers. - enum XRateLimitHeadersRFCVersion { - // X-RateLimit headers disabled. - OFF = 0; - - // Use `draft RFC Version 03 `_. - DRAFT_VERSION_03 = 1; - } - - // The rate limit domain to use when calling the rate limit service. - string domain = 1 [(validate.rules).string = {min_len: 1}]; - - // Specifies the rate limit configurations to be applied with the same - // stage number. If not set, the default stage number is 0. - // - // .. note:: - // - // The filter supports a range of 0 - 10 inclusively for stage numbers. - uint32 stage = 2 [(validate.rules).uint32 = {lte: 10}]; - - // The type of requests the filter should apply to. The supported - // types are *internal*, *external* or *both*. A request is considered internal if - // :ref:`x-envoy-internal` is set to true. If - // :ref:`x-envoy-internal` is not set or false, a - // request is considered external. The filter defaults to *both*, and it will apply to all request - // types. 
- string request_type = 3 - [(validate.rules).string = {in: "internal" in: "external" in: "both" in: ""}]; - - // The timeout in milliseconds for the rate limit service RPC. If not - // set, this defaults to 20ms. - google.protobuf.Duration timeout = 4; - - // The filter's behaviour in case the rate limiting service does - // not respond back. When it is set to true, Envoy will not allow traffic in case of - // communication failure between rate limiting service and the proxy. - bool failure_mode_deny = 5; - - // Specifies whether a `RESOURCE_EXHAUSTED` gRPC code must be returned instead - // of the default `UNAVAILABLE` gRPC code for a rate limited gRPC call. The - // HTTP code will be 200 for a gRPC response. - bool rate_limited_as_resource_exhausted = 6; - - // Configuration for an external rate limit service provider. If not - // specified, any calls to the rate limit service will immediately return - // success. - config.ratelimit.v4alpha.RateLimitServiceConfig rate_limit_service = 7 - [(validate.rules).message = {required: true}]; - - // Defines the standard version to use for X-RateLimit headers emitted by the filter: - // - // * ``X-RateLimit-Limit`` - indicates the request-quota associated to the - // client in the current time-window followed by the description of the - // quota policy. The values are returned by the rate limiting service in - // :ref:`current_limit` - // field. Example: `10, 10;w=1;name="per-ip", 1000;w=3600`. - // * ``X-RateLimit-Remaining`` - indicates the remaining requests in the - // current time-window. The values are returned by the rate limiting service - // in :ref:`limit_remaining` - // field. - // * ``X-RateLimit-Reset`` - indicates the number of seconds until reset of - // the current time-window. The values are returned by the rate limiting service - // in :ref:`duration_until_reset` - // field. 
- // - // In case rate limiting policy specifies more then one time window, the values - // above represent the window that is closest to reaching its limit. - // - // For more information about the headers specification see selected version of - // the `draft RFC `_. - // - // Disabled by default. - XRateLimitHeadersRFCVersion enable_x_ratelimit_headers = 8 - [(validate.rules).enum = {defined_only: true}]; - - // Disables emitting the :ref:`x-envoy-ratelimited` header - // in case of rate limiting (i.e. 429 responses). - // Having this header not present potentially makes the request retriable. - bool disable_x_envoy_ratelimited_header = 9; -} - -message RateLimitPerRoute { - option (udpa.annotations.versioning).previous_message_type = - "envoy.extensions.filters.http.ratelimit.v3.RateLimitPerRoute"; - - enum VhRateLimitsOptions { - // Use the virtual host rate limits unless the route has a rate limit policy. - OVERRIDE = 0; - - // Use the virtual host rate limits even if the route has a rate limit policy. - INCLUDE = 1; - - // Ignore the virtual host rate limits even if the route does not have a rate limit policy. - IGNORE = 2; - } - - // Specifies if the rate limit filter should include the virtual host rate limits. - VhRateLimitsOptions vh_rate_limits = 1 [(validate.rules).enum = {defined_only: true}]; -} diff --git a/generated_api_shadow/envoy/extensions/filters/http/rbac/v4alpha/BUILD b/generated_api_shadow/envoy/extensions/filters/http/rbac/v4alpha/BUILD deleted file mode 100644 index 02db15d5bde2..000000000000 --- a/generated_api_shadow/envoy/extensions/filters/http/rbac/v4alpha/BUILD +++ /dev/null 
@@ -1,13 +0,0 @@ -# DO NOT EDIT. This file is generated by tools/proto_format/proto_sync.py. - -load("@envoy_api//bazel:api_build_system.bzl", "api_proto_package") - -licenses(["notice"]) # Apache 2 - -api_proto_package( - deps = [ - "//envoy/config/rbac/v4alpha:pkg", - "//envoy/extensions/filters/http/rbac/v3:pkg", - "@com_github_cncf_udpa//udpa/annotations:pkg", - ], -) diff --git a/generated_api_shadow/envoy/extensions/filters/http/rbac/v4alpha/rbac.proto b/generated_api_shadow/envoy/extensions/filters/http/rbac/v4alpha/rbac.proto deleted file mode 100644 index 41040592cace..000000000000 --- a/generated_api_shadow/envoy/extensions/filters/http/rbac/v4alpha/rbac.proto +++ /dev/null 
@@ -1,49 +0,0 @@ -syntax = "proto3"; - -package envoy.extensions.filters.http.rbac.v4alpha; - -import "envoy/config/rbac/v4alpha/rbac.proto"; - -import "udpa/annotations/status.proto"; -import "udpa/annotations/versioning.proto"; - -option java_package = "io.envoyproxy.envoy.extensions.filters.http.rbac.v4alpha"; -option java_outer_classname = "RbacProto"; -option java_multiple_files = true; -option (udpa.annotations.file_status).package_version_status = NEXT_MAJOR_VERSION_CANDIDATE; - -// [#protodoc-title: RBAC] -// Role-Based Access Control :ref:`configuration overview `. -// [#extension: envoy.filters.http.rbac] - -// RBAC filter config. -message RBAC { - option (udpa.annotations.versioning).previous_message_type = - "envoy.extensions.filters.http.rbac.v3.RBAC"; - - // Specify the RBAC rules to be applied globally. - // If absent, no enforcing RBAC policy will be applied. - // If present and empty, DENY. - config.rbac.v4alpha.RBAC rules = 1; - - // Shadow rules are not enforced by the filter (i.e., returning a 403) - // but will emit stats and logs and can be used for rule testing. - // If absent, no shadow RBAC policy will be applied. - config.rbac.v4alpha.RBAC shadow_rules = 2; - - // If specified, shadow rules will emit stats with the given prefix. - // This is useful to distinguish the stat when there are more than 1 RBAC filter configured with - // shadow rules. - string shadow_rules_stat_prefix = 3; -} - -message RBACPerRoute { - option (udpa.annotations.versioning).previous_message_type = - "envoy.extensions.filters.http.rbac.v3.RBACPerRoute"; - - reserved 1; - - // Override the global configuration of the filter with this new config. - // If absent, the global RBAC policy will be disabled for this route. - RBAC rbac = 2; -} diff --git a/generated_api_shadow/envoy/extensions/filters/http/router/v4alpha/BUILD b/generated_api_shadow/envoy/extensions/filters/http/router/v4alpha/BUILD deleted file mode 100644 index b22ea48735c7..000000000000 
--- a/generated_api_shadow/envoy/extensions/filters/http/router/v4alpha/BUILD +++ /dev/null @@ -1,13 +0,0 @@ -# DO NOT EDIT. This file is generated by tools/proto_format/proto_sync.py. - -load("@envoy_api//bazel:api_build_system.bzl", "api_proto_package") - -licenses(["notice"]) # Apache 2 - -api_proto_package( - deps = [ - "//envoy/config/accesslog/v4alpha:pkg", - "//envoy/extensions/filters/http/router/v3:pkg", - "@com_github_cncf_udpa//udpa/annotations:pkg", - ], -) diff --git a/generated_api_shadow/envoy/extensions/filters/http/router/v4alpha/router.proto b/generated_api_shadow/envoy/extensions/filters/http/router/v4alpha/router.proto deleted file mode 100644 index 2d72bd1470c0..000000000000 --- a/generated_api_shadow/envoy/extensions/filters/http/router/v4alpha/router.proto +++ /dev/null 
@@ -1,91 +0,0 @@ -syntax = "proto3"; - -package envoy.extensions.filters.http.router.v4alpha; - -import "envoy/config/accesslog/v4alpha/accesslog.proto"; - -import "google/protobuf/wrappers.proto"; - -import "udpa/annotations/status.proto"; -import "udpa/annotations/versioning.proto"; -import "validate/validate.proto"; - -option java_package = "io.envoyproxy.envoy.extensions.filters.http.router.v4alpha"; -option java_outer_classname = "RouterProto"; -option java_multiple_files = true; -option (udpa.annotations.file_status).package_version_status = NEXT_MAJOR_VERSION_CANDIDATE; - -// [#protodoc-title: Router] -// Router :ref:`configuration overview `. -// [#extension: envoy.filters.http.router] - -// [#next-free-field: 8] -message Router { - option (udpa.annotations.versioning).previous_message_type = - "envoy.extensions.filters.http.router.v3.Router"; - - // Whether the router generates dynamic cluster statistics. Defaults to - // true. Can be disabled in high performance scenarios. - google.protobuf.BoolValue dynamic_stats = 1; - - // Whether to start a child span for egress routed calls. This can be - // useful in scenarios where other filters (auth, ratelimit, etc.) make - // outbound calls and have child spans rooted at the same ingress - // parent. Defaults to false. - bool start_child_span = 2; - - // Configuration for HTTP upstream logs emitted by the router. Upstream logs - // are configured in the same way as access logs, but each log entry represents - // an upstream request. Presuming retries are configured, multiple upstream - // requests may be made for each downstream (inbound) request. - repeated config.accesslog.v4alpha.AccessLog upstream_log = 3; - - // Do not add any additional *x-envoy-* headers to requests or responses. This - // only affects the :ref:`router filter generated *x-envoy-* headers - // `, other Envoy filters and the HTTP - // connection manager may continue to set *x-envoy-* headers. 
- bool suppress_envoy_headers = 4; - - // Specifies a list of HTTP headers to strictly validate. Envoy will reject a - // request and respond with HTTP status 400 if the request contains an invalid - // value for any of the headers listed in this field. Strict header checking - // is only supported for the following headers: - // - // Value must be a ','-delimited list (i.e. no spaces) of supported retry - // policy values: - // - // * :ref:`config_http_filters_router_x-envoy-retry-grpc-on` - // * :ref:`config_http_filters_router_x-envoy-retry-on` - // - // Value must be an integer: - // - // * :ref:`config_http_filters_router_x-envoy-max-retries` - // * :ref:`config_http_filters_router_x-envoy-upstream-rq-timeout-ms` - // * :ref:`config_http_filters_router_x-envoy-upstream-rq-per-try-timeout-ms` - repeated string strict_check_headers = 5 [(validate.rules).repeated = { - items { - string { - in: "x-envoy-upstream-rq-timeout-ms" - in: "x-envoy-upstream-rq-per-try-timeout-ms" - in: "x-envoy-max-retries" - in: "x-envoy-retry-grpc-on" - in: "x-envoy-retry-on" - } - } - }]; - - // If not set, ingress Envoy will ignore - // :ref:`config_http_filters_router_x-envoy-expected-rq-timeout-ms` header, populated by egress - // Envoy, when deriving timeout for upstream cluster. - bool respect_expected_rq_timeout = 6; - - // If set, Envoy will avoid incrementing HTTP failure code stats - // on gRPC requests. This includes the individual status code value - // (e.g. upstream_rq_504) and group stats (e.g. upstream_rq_5xx). - // This field is useful if interested in relying only on the gRPC - // stats filter to define success and failure metrics for gRPC requests - // as not all failed gRPC requests charge HTTP status code metrics. See - // :ref:`gRPC stats filter` documentation - // for more details. - bool suppress_grpc_request_failure_code_stats = 7; -} 
diff --git a/generated_api_shadow/envoy/extensions/filters/http/tap/v4alpha/BUILD b/generated_api_shadow/envoy/extensions/filters/http/tap/v4alpha/BUILD deleted file mode 100644 index 7e5b65cef9b5..000000000000 --- a/generated_api_shadow/envoy/extensions/filters/http/tap/v4alpha/BUILD +++ /dev/null @@ -1,13 +0,0 @@ -# DO NOT EDIT. This file is generated by tools/proto_format/proto_sync.py. - -load("@envoy_api//bazel:api_build_system.bzl", "api_proto_package") - -licenses(["notice"]) # Apache 2 - -api_proto_package( - deps = [ - "//envoy/extensions/common/tap/v4alpha:pkg", - "//envoy/extensions/filters/http/tap/v3:pkg", - "@com_github_cncf_udpa//udpa/annotations:pkg", - ], -) diff --git a/generated_api_shadow/envoy/extensions/filters/http/tap/v4alpha/tap.proto b/generated_api_shadow/envoy/extensions/filters/http/tap/v4alpha/tap.proto deleted file mode 100644 index 98798be8bfd2..000000000000 --- a/generated_api_shadow/envoy/extensions/filters/http/tap/v4alpha/tap.proto +++ /dev/null @@ -1,28 +0,0 @@ -syntax = "proto3"; - -package envoy.extensions.filters.http.tap.v4alpha; - -import "envoy/extensions/common/tap/v4alpha/common.proto"; - -import "udpa/annotations/status.proto"; -import "udpa/annotations/versioning.proto"; -import "validate/validate.proto"; - -option java_package = "io.envoyproxy.envoy.extensions.filters.http.tap.v4alpha"; -option java_outer_classname = "TapProto"; -option java_multiple_files = true; -option (udpa.annotations.file_status).package_version_status = NEXT_MAJOR_VERSION_CANDIDATE; - -// [#protodoc-title: Tap] -// Tap :ref:`configuration overview `. -// [#extension: envoy.filters.http.tap] - -// Top level configuration for the tap filter. -message Tap { - option (udpa.annotations.versioning).previous_message_type = - "envoy.extensions.filters.http.tap.v3.Tap"; - - // Common configuration for the HTTP tap filter. - common.tap.v4alpha.CommonExtensionConfig common_config = 1 - [(validate.rules).message = {required: true}]; -} 
diff --git a/generated_api_shadow/envoy/extensions/filters/network/dubbo_proxy/v4alpha/BUILD b/generated_api_shadow/envoy/extensions/filters/network/dubbo_proxy/v4alpha/BUILD deleted file mode 100644 index 752598d2f625..000000000000 --- a/generated_api_shadow/envoy/extensions/filters/network/dubbo_proxy/v4alpha/BUILD +++ /dev/null @@ -1,15 +0,0 @@ -# DO NOT EDIT. This file is generated by tools/proto_format/proto_sync.py. - -load("@envoy_api//bazel:api_build_system.bzl", "api_proto_package") - -licenses(["notice"]) # Apache 2 - -api_proto_package( - deps = [ - "//envoy/config/route/v4alpha:pkg", - "//envoy/extensions/filters/network/dubbo_proxy/v3:pkg", - "//envoy/type/matcher/v4alpha:pkg", - "//envoy/type/v3:pkg", - "@com_github_cncf_udpa//udpa/annotations:pkg", - ], -) diff --git a/generated_api_shadow/envoy/extensions/filters/network/dubbo_proxy/v4alpha/dubbo_proxy.proto b/generated_api_shadow/envoy/extensions/filters/network/dubbo_proxy/v4alpha/dubbo_proxy.proto deleted file mode 100644 index 30499c27f6f0..000000000000 --- a/generated_api_shadow/envoy/extensions/filters/network/dubbo_proxy/v4alpha/dubbo_proxy.proto +++ /dev/null 
@@ -1,70 +0,0 @@ -syntax = "proto3"; - -package envoy.extensions.filters.network.dubbo_proxy.v4alpha; - -import "envoy/extensions/filters/network/dubbo_proxy/v4alpha/route.proto"; - -import "google/protobuf/any.proto"; - -import "udpa/annotations/status.proto"; -import "udpa/annotations/versioning.proto"; -import "validate/validate.proto"; - -option java_package = "io.envoyproxy.envoy.extensions.filters.network.dubbo_proxy.v4alpha"; -option java_outer_classname = "DubboProxyProto"; -option java_multiple_files = true; -option (udpa.annotations.file_status).package_version_status = NEXT_MAJOR_VERSION_CANDIDATE; - -// [#protodoc-title: Dubbo Proxy] -// Dubbo Proxy :ref:`configuration overview `. -// [#extension: envoy.filters.network.dubbo_proxy] - -// Dubbo Protocol types supported by Envoy. -enum ProtocolType { - // the default protocol. - Dubbo = 0; -} - -// Dubbo Serialization types supported by Envoy. -enum SerializationType { - // the default serialization protocol. - Hessian2 = 0; -} - -// [#next-free-field: 6] -message DubboProxy { - option (udpa.annotations.versioning).previous_message_type = - "envoy.extensions.filters.network.dubbo_proxy.v3.DubboProxy"; - - // The human readable prefix to use when emitting statistics. - string stat_prefix = 1 [(validate.rules).string = {min_len: 1}]; - - // Configure the protocol used. - ProtocolType protocol_type = 2 [(validate.rules).enum = {defined_only: true}]; - - // Configure the serialization protocol used. - SerializationType serialization_type = 3 [(validate.rules).enum = {defined_only: true}]; - - // The route table for the connection manager is static and is specified in this property. - repeated RouteConfiguration route_config = 4; - - // A list of individual Dubbo filters that make up the filter chain for requests made to the - // Dubbo proxy. Order matters as the filters are processed sequentially. 
For backwards - // compatibility, if no dubbo_filters are specified, a default Dubbo router filter - // (`envoy.filters.dubbo.router`) is used. - repeated DubboFilter dubbo_filters = 5; -} - -// DubboFilter configures a Dubbo filter. -message DubboFilter { - option (udpa.annotations.versioning).previous_message_type = - "envoy.extensions.filters.network.dubbo_proxy.v3.DubboFilter"; - - // The name of the filter to instantiate. The name must match a supported - // filter. - string name = 1 [(validate.rules).string = {min_len: 1}]; - - // Filter specific configuration which depends on the filter being - // instantiated. See the supported filters for further documentation. - google.protobuf.Any config = 2; -} diff --git a/generated_api_shadow/envoy/extensions/filters/network/dubbo_proxy/v4alpha/route.proto b/generated_api_shadow/envoy/extensions/filters/network/dubbo_proxy/v4alpha/route.proto deleted file mode 100644 index d6314279ed2b..000000000000 --- a/generated_api_shadow/envoy/extensions/filters/network/dubbo_proxy/v4alpha/route.proto +++ /dev/null 
@@ -1,129 +0,0 @@ -syntax = "proto3"; - -package envoy.extensions.filters.network.dubbo_proxy.v4alpha; - -import "envoy/config/route/v4alpha/route_components.proto"; -import "envoy/type/matcher/v4alpha/string.proto"; -import "envoy/type/v3/range.proto"; - -import "udpa/annotations/status.proto"; -import "udpa/annotations/versioning.proto"; -import "validate/validate.proto"; - -option java_package = "io.envoyproxy.envoy.extensions.filters.network.dubbo_proxy.v4alpha"; -option java_outer_classname = "RouteProto"; -option java_multiple_files = true; -option (udpa.annotations.file_status).package_version_status = NEXT_MAJOR_VERSION_CANDIDATE; - -// [#protodoc-title: Dubbo Proxy Route Configuration] -// Dubbo Proxy :ref:`configuration overview `. - -// [#next-free-field: 6] -message RouteConfiguration { - option (udpa.annotations.versioning).previous_message_type = - "envoy.extensions.filters.network.dubbo_proxy.v3.RouteConfiguration"; - - // The name of the route configuration. Reserved for future use in asynchronous route discovery. - string name = 1; - - // The interface name of the service. Wildcard interface are supported in the suffix or prefix form. - // e.g. ``*.methods.add`` will match ``com.dev.methods.add``, ``com.prod.methods.add``, etc. - // ``com.dev.methods.*`` will match ``com.dev.methods.add``, ``com.dev.methods.update``, etc. - // Special wildcard ``*`` matching any interface. - // - // .. note:: - // - // The wildcard will not match the empty string. - // e.g. ``*.methods.add`` will match ``com.dev.methods.add`` but not ``.methods.add``. - string interface = 2; - - // Which group does the interface belong to. - string group = 3; - - // The version number of the interface. - string version = 4; - - // The list of routes that will be matched, in order, against incoming requests. The first route - // that matches will be used. 
- repeated Route routes = 5; -} - -message Route { - option (udpa.annotations.versioning).previous_message_type = - "envoy.extensions.filters.network.dubbo_proxy.v3.Route"; - - // Route matching parameters. - RouteMatch match = 1 [(validate.rules).message = {required: true}]; - - // Route request to some upstream cluster. - RouteAction route = 2 [(validate.rules).message = {required: true}]; -} - -message RouteMatch { - option (udpa.annotations.versioning).previous_message_type = - "envoy.extensions.filters.network.dubbo_proxy.v3.RouteMatch"; - - // Method level routing matching. - MethodMatch method = 1; - - // Specifies a set of headers that the route should match on. The router will check the request’s - // headers against all the specified headers in the route config. A match will happen if all the - // headers in the route are present in the request with the same values (or based on presence if - // the value field is not in the config). - repeated config.route.v4alpha.HeaderMatcher headers = 2; -} - -message RouteAction { - option (udpa.annotations.versioning).previous_message_type = - "envoy.extensions.filters.network.dubbo_proxy.v3.RouteAction"; - - oneof cluster_specifier { - option (validate.required) = true; - - // Indicates the upstream cluster to which the request should be routed. - string cluster = 1; - - // Multiple upstream clusters can be specified for a given route. The - // request is routed to one of the upstream clusters based on weights - // assigned to each cluster. - // Currently ClusterWeight only supports the name and weight fields. - config.route.v4alpha.WeightedCluster weighted_clusters = 2; - } -} - -message MethodMatch { - option (udpa.annotations.versioning).previous_message_type = - "envoy.extensions.filters.network.dubbo_proxy.v3.MethodMatch"; - - // The parameter matching type. 
- message ParameterMatchSpecifier { - option (udpa.annotations.versioning).previous_message_type = - "envoy.extensions.filters.network.dubbo_proxy.v3.MethodMatch.ParameterMatchSpecifier"; - - oneof parameter_match_specifier { - // If specified, header match will be performed based on the value of the header. - string exact_match = 3; - - // If specified, header match will be performed based on range. - // The rule will match if the request header value is within this range. - // The entire request header value must represent an integer in base 10 notation: consisting - // of an optional plus or minus sign followed by a sequence of digits. The rule will not match - // if the header value does not represent an integer. Match will fail for empty values, - // floating point numbers or if only a subsequence of the header value is an integer. - // - // Examples: - // - // * For range [-10,0), route will match for header value -1, but not for 0, - // "somestring", 10.9, "-1somestring" - type.v3.Int64Range range_match = 4; - } - } - - // The name of the method. - type.matcher.v4alpha.StringMatcher name = 1; - - // Method parameter definition. - // The key is the parameter index, starting from 0. - // The value is the parameter matching type. - map params_match = 2; -} diff --git a/generated_api_shadow/envoy/extensions/filters/network/ext_authz/v4alpha/BUILD b/generated_api_shadow/envoy/extensions/filters/network/ext_authz/v4alpha/BUILD deleted file mode 100644 index 6d146b1c64d1..000000000000 --- a/generated_api_shadow/envoy/extensions/filters/network/ext_authz/v4alpha/BUILD +++ /dev/null 
@@ -1,14 +0,0 @@ -# DO NOT EDIT. This file is generated by tools/proto_format/proto_sync.py. - -load("@envoy_api//bazel:api_build_system.bzl", "api_proto_package") - -licenses(["notice"]) # Apache 2 - -api_proto_package( - deps = [ - "//envoy/config/core/v4alpha:pkg", - "//envoy/extensions/filters/network/ext_authz/v3:pkg", - "//envoy/type/matcher/v4alpha:pkg", - "@com_github_cncf_udpa//udpa/annotations:pkg", - ], -) diff --git a/generated_api_shadow/envoy/extensions/filters/network/ext_authz/v4alpha/ext_authz.proto b/generated_api_shadow/envoy/extensions/filters/network/ext_authz/v4alpha/ext_authz.proto deleted file mode 100644 index 21f30481292f..000000000000 --- a/generated_api_shadow/envoy/extensions/filters/network/ext_authz/v4alpha/ext_authz.proto +++ /dev/null 
@@ -1,64 +0,0 @@ -syntax = "proto3"; - -package envoy.extensions.filters.network.ext_authz.v4alpha; - -import "envoy/config/core/v4alpha/config_source.proto"; -import "envoy/config/core/v4alpha/grpc_service.proto"; -import "envoy/type/matcher/v4alpha/metadata.proto"; - -import "udpa/annotations/status.proto"; -import "udpa/annotations/versioning.proto"; -import "validate/validate.proto"; - -option java_package = "io.envoyproxy.envoy.extensions.filters.network.ext_authz.v4alpha"; -option java_outer_classname = "ExtAuthzProto"; -option java_multiple_files = true; -option (udpa.annotations.file_status).package_version_status = NEXT_MAJOR_VERSION_CANDIDATE; - -// [#protodoc-title: Network External Authorization ] -// The network layer external authorization service configuration -// :ref:`configuration overview `. -// [#extension: envoy.filters.network.ext_authz] - -// External Authorization filter calls out to an external service over the -// gRPC Authorization API defined by -// :ref:`CheckRequest `. -// A failed check will cause this filter to close the TCP connection. -// [#next-free-field: 8] -message ExtAuthz { - option (udpa.annotations.versioning).previous_message_type = - "envoy.extensions.filters.network.ext_authz.v3.ExtAuthz"; - - // The prefix to use when emitting statistics. - string stat_prefix = 1 [(validate.rules).string = {min_len: 1}]; - - // The external authorization gRPC service configuration. - // The default timeout is set to 200ms by this filter. - config.core.v4alpha.GrpcService grpc_service = 2; - - // The filter's behaviour in case the external authorization service does - // not respond back. When it is set to true, Envoy will also allow traffic in case of - // communication failure between authorization service and the proxy. - // Defaults to false. - bool failure_mode_allow = 3; - - // Specifies if the peer certificate is sent to the external service. 
- // - // When this field is true, Envoy will include the peer X.509 certificate, if available, in the - // :ref:`certificate`. - bool include_peer_certificate = 4; - - // API version for ext_authz transport protocol. This describes the ext_authz gRPC endpoint and - // version of Check{Request,Response} used on the wire. - config.core.v4alpha.ApiVersion transport_api_version = 5 - [(validate.rules).enum = {defined_only: true}]; - - // Specifies if the filter is enabled with metadata matcher. - // If this field is not specified, the filter will be enabled for all requests. - type.matcher.v4alpha.MetadataMatcher filter_enabled_metadata = 6; - - // Optional labels that will be passed to :ref:`labels` in - // :ref:`destination`. - // The labels will be read from :ref:`metadata` with the specified key. - string bootstrap_metadata_labels_key = 7; -} diff --git a/generated_api_shadow/envoy/extensions/filters/network/http_connection_manager/v4alpha/BUILD b/generated_api_shadow/envoy/extensions/filters/network/http_connection_manager/v4alpha/BUILD deleted file mode 100644 index 64536cdef30b..000000000000 --- a/generated_api_shadow/envoy/extensions/filters/network/http_connection_manager/v4alpha/BUILD +++ /dev/null @@ -1,19 +0,0 @@ -# DO NOT EDIT. This file is generated by tools/proto_format/proto_sync.py. - -load("@envoy_api//bazel:api_build_system.bzl", "api_proto_package") - -licenses(["notice"]) # Apache 2 - -api_proto_package( - deps = [ - "//envoy/config/accesslog/v4alpha:pkg", - "//envoy/config/core/v4alpha:pkg", - "//envoy/config/route/v4alpha:pkg", - "//envoy/config/trace/v4alpha:pkg", - "//envoy/extensions/filters/network/http_connection_manager/v3:pkg", - "//envoy/type/http/v3:pkg", - "//envoy/type/tracing/v3:pkg", - "//envoy/type/v3:pkg", - "@com_github_cncf_udpa//udpa/annotations:pkg", - ], -) 
diff --git a/generated_api_shadow/envoy/extensions/filters/network/http_connection_manager/v4alpha/http_connection_manager.proto b/generated_api_shadow/envoy/extensions/filters/network/http_connection_manager/v4alpha/http_connection_manager.proto deleted file mode 100644 index 80972e52a095..000000000000 --- a/generated_api_shadow/envoy/extensions/filters/network/http_connection_manager/v4alpha/http_connection_manager.proto +++ /dev/null 
@@ -1,1018 +0,0 @@ -syntax = "proto3"; - -package envoy.extensions.filters.network.http_connection_manager.v4alpha; - -import "envoy/config/accesslog/v4alpha/accesslog.proto"; -import "envoy/config/core/v4alpha/base.proto"; -import "envoy/config/core/v4alpha/config_source.proto"; -import "envoy/config/core/v4alpha/extension.proto"; -import "envoy/config/core/v4alpha/protocol.proto"; -import "envoy/config/core/v4alpha/substitution_format_string.proto"; -import "envoy/config/route/v4alpha/route.proto"; -import "envoy/config/route/v4alpha/scoped_route.proto"; -import "envoy/config/trace/v4alpha/http_tracer.proto"; -import "envoy/type/http/v3/path_transformation.proto"; -import "envoy/type/tracing/v3/custom_tag.proto"; -import "envoy/type/v3/percent.proto"; - -import "google/protobuf/any.proto"; -import "google/protobuf/duration.proto"; -import "google/protobuf/wrappers.proto"; - -import "udpa/annotations/security.proto"; -import "udpa/annotations/status.proto"; -import "udpa/annotations/versioning.proto"; -import "validate/validate.proto"; - -option java_package = "io.envoyproxy.envoy.extensions.filters.network.http_connection_manager.v4alpha"; -option java_outer_classname = "HttpConnectionManagerProto"; -option java_multiple_files = true; -option (udpa.annotations.file_status).package_version_status = NEXT_MAJOR_VERSION_CANDIDATE; - -// [#protodoc-title: HTTP connection manager] -// HTTP connection manager :ref:`configuration overview `. -// [#extension: envoy.filters.network.http_connection_manager] - -// [#next-free-field: 49] -message HttpConnectionManager { - option (udpa.annotations.versioning).previous_message_type = - "envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager"; - - enum CodecType { - // For every new connection, the connection manager will determine which - // codec to use. This mode supports both ALPN for TLS listeners as well as - // protocol inference for plaintext listeners. 
If ALPN data is available, it - // is preferred, otherwise protocol inference is used. In almost all cases, - // this is the right option to choose for this setting. - AUTO = 0; - - // The connection manager will assume that the client is speaking HTTP/1.1. - HTTP1 = 1; - - // The connection manager will assume that the client is speaking HTTP/2 - // (Envoy does not require HTTP/2 to take place over TLS or to use ALPN. - // Prior knowledge is allowed). - HTTP2 = 2; - - // [#not-implemented-hide:] QUIC implementation is not production ready yet. Use this enum with - // caution to prevent accidental execution of QUIC code. I.e. `!= HTTP2` is no longer sufficient - // to distinguish HTTP1 and HTTP2 traffic. - HTTP3 = 3; - } - - enum ServerHeaderTransformation { - // Overwrite any Server header with the contents of server_name. - OVERWRITE = 0; - - // If no Server header is present, append Server server_name - // If a Server header is present, pass it through. - APPEND_IF_ABSENT = 1; - - // Pass through the value of the server header, and do not append a header - // if none is present. - PASS_THROUGH = 2; - } - - // How to handle the :ref:`config_http_conn_man_headers_x-forwarded-client-cert` (XFCC) HTTP - // header. - enum ForwardClientCertDetails { - // Do not send the XFCC header to the next hop. This is the default value. - SANITIZE = 0; - - // When the client connection is mTLS (Mutual TLS), forward the XFCC header - // in the request. - FORWARD_ONLY = 1; - - // When the client connection is mTLS, append the client certificate - // information to the request’s XFCC header and forward it. - APPEND_FORWARD = 2; - - // When the client connection is mTLS, reset the XFCC header with the client - // certificate information and send it to the next hop. - SANITIZE_SET = 3; - - // Always forward the XFCC header in the request, regardless of whether the - // client connection is mTLS. 
- ALWAYS_FORWARD_ONLY = 4; - } - - // Determines the action for request that contain %2F, %2f, %5C or %5c sequences in the URI path. - // This operation occurs before URL normalization and the merge slashes transformations if they were enabled. - enum PathWithEscapedSlashesAction { - // Default behavior specific to implementation (i.e. Envoy) of this configuration option. - // Envoy, by default, takes the KEEP_UNCHANGED action. - // NOTE: the implementation may change the default behavior at-will. - IMPLEMENTATION_SPECIFIC_DEFAULT = 0; - - // Keep escaped slashes. - KEEP_UNCHANGED = 1; - - // Reject client request with the 400 status. gRPC requests will be rejected with the INTERNAL (13) error code. - // The "httpN.downstream_rq_failed_path_normalization" counter is incremented for each rejected request. - REJECT_REQUEST = 2; - - // Unescape %2F and %5C sequences and redirect request to the new path if these sequences were present. - // Redirect occurs after path normalization and merge slashes transformations if they were configured. - // NOTE: gRPC requests will be rejected with the INTERNAL (13) error code. - // This option minimizes possibility of path confusion exploits by forcing request with unescaped slashes to - // traverse all parties: downstream client, intermediate proxies, Envoy and upstream server. - // The "httpN.downstream_rq_redirected_with_normalized_path" counter is incremented for each - // redirected request. - UNESCAPE_AND_REDIRECT = 3; - - // Unescape %2F and %5C sequences. - // Note: this option should not be enabled if intermediaries perform path based access control as - // it may lead to path confusion vulnerabilities. 
- UNESCAPE_AND_FORWARD = 4; - } - - // [#next-free-field: 10] - message Tracing { - option (udpa.annotations.versioning).previous_message_type = - "envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager.Tracing"; - - enum OperationName { - // The HTTP listener is used for ingress/incoming requests. - INGRESS = 0; - - // The HTTP listener is used for egress/outgoing requests. - EGRESS = 1; - } - - reserved 1, 2; - - reserved "operation_name", "request_headers_for_tags"; - - // Target percentage of requests managed by this HTTP connection manager that will be force - // traced if the :ref:`x-client-trace-id ` - // header is set. This field is a direct analog for the runtime variable - // 'tracing.client_sampling' in the :ref:`HTTP Connection Manager - // `. - // Default: 100% - type.v3.Percent client_sampling = 3; - - // Target percentage of requests managed by this HTTP connection manager that will be randomly - // selected for trace generation, if not requested by the client or not forced. This field is - // a direct analog for the runtime variable 'tracing.random_sampling' in the - // :ref:`HTTP Connection Manager `. - // Default: 100% - type.v3.Percent random_sampling = 4; - - // Target percentage of requests managed by this HTTP connection manager that will be traced - // after all other sampling checks have been applied (client-directed, force tracing, random - // sampling). This field functions as an upper limit on the total configured sampling rate. For - // instance, setting client_sampling to 100% but overall_sampling to 1% will result in only 1% - // of client requests with the appropriate headers to be force traced. This field is a direct - // analog for the runtime variable 'tracing.global_enabled' in the - // :ref:`HTTP Connection Manager `. - // Default: 100% - type.v3.Percent overall_sampling = 5; - - // Whether to annotate spans with additional data. If true, spans will include logs for stream - // events. 
- bool verbose = 6; - - // Maximum length of the request path to extract and include in the HttpUrl tag. Used to - // truncate lengthy request paths to meet the needs of a tracing backend. - // Default: 256 - google.protobuf.UInt32Value max_path_tag_length = 7; - - // A list of custom tags with unique tag name to create tags for the active span. - repeated type.tracing.v3.CustomTag custom_tags = 8; - - // Configuration for an external tracing provider. - // If not specified, no tracing will be performed. - // - // .. attention:: - // Please be aware that *envoy.tracers.opencensus* provider can only be configured once - // in Envoy lifetime. - // Any attempts to reconfigure it or to use different configurations for different HCM filters - // will be rejected. - // Such a constraint is inherent to OpenCensus itself. It cannot be overcome without changes - // on OpenCensus side. - config.trace.v4alpha.Tracing.Http provider = 9; - } - - message InternalAddressConfig { - option (udpa.annotations.versioning).previous_message_type = - "envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager." - "InternalAddressConfig"; - - // Whether unix socket addresses should be considered internal. - bool unix_sockets = 1; - } - - // [#next-free-field: 7] - message SetCurrentClientCertDetails { - option (udpa.annotations.versioning).previous_message_type = - "envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager." - "SetCurrentClientCertDetails"; - - reserved 2; - - // Whether to forward the subject of the client cert. Defaults to false. - google.protobuf.BoolValue subject = 1; - - // Whether to forward the entire client cert in URL encoded PEM format. This will appear in the - // XFCC header comma separated from other values with the value Cert="PEM". - // Defaults to false. - bool cert = 3; - - // Whether to forward the entire client cert chain (including the leaf cert) in URL encoded PEM - // format. 
This will appear in the XFCC header comma separated from other values with the value - // Chain="PEM". - // Defaults to false. - bool chain = 6; - - // Whether to forward the DNS type Subject Alternative Names of the client cert. - // Defaults to false. - bool dns = 4; - - // Whether to forward the URI type Subject Alternative Name of the client cert. Defaults to - // false. - bool uri = 5; - } - - // The configuration for HTTP upgrades. - // For each upgrade type desired, an UpgradeConfig must be added. - // - // .. warning:: - // - // The current implementation of upgrade headers does not handle - // multi-valued upgrade headers. Support for multi-valued headers may be - // added in the future if needed. - // - // .. warning:: - // The current implementation of upgrade headers does not work with HTTP/2 - // upstreams. - message UpgradeConfig { - option (udpa.annotations.versioning).previous_message_type = - "envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager." - "UpgradeConfig"; - - // The case-insensitive name of this upgrade, e.g. "websocket". - // For each upgrade type present in upgrade_configs, requests with - // Upgrade: [upgrade_type] - // will be proxied upstream. - string upgrade_type = 1; - - // If present, this represents the filter chain which will be created for - // this type of upgrade. If no filters are present, the filter chain for - // HTTP connections will be used for this upgrade type. - repeated HttpFilter filters = 2; - - // Determines if upgrades are enabled or disabled by default. Defaults to true. - // This can be overridden on a per-route basis with :ref:`cluster - // ` as documented in the - // :ref:`upgrade documentation `. - google.protobuf.BoolValue enabled = 3; - } - - // [#not-implemented-hide:] Transformations that apply to path headers. Transformations are applied - // before any processing of requests by HTTP filters, routing, and matching. 
Only the normalized - // path will be visible internally if a transformation is enabled. Any path rewrites that the - // router performs (e.g. :ref:`regex_rewrite - // ` or :ref:`prefix_rewrite - // `) will apply to the *:path* header - // destined for the upstream. - // - // Note: access logging and tracing will show the original *:path* header. - message PathNormalizationOptions { - option (udpa.annotations.versioning).previous_message_type = - "envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager." - "PathNormalizationOptions"; - - // [#not-implemented-hide:] Normalization applies internally before any processing of requests by - // HTTP filters, routing, and matching *and* will affect the forwarded *:path* header. Defaults - // to :ref:`NormalizePathRFC3986 - // `. When not - // specified, this value may be overridden by the runtime variable - // :ref:`http_connection_manager.normalize_path`. - // Envoy will respond with 400 to paths that are malformed (e.g. for paths that fail RFC 3986 - // normalization due to disallowed characters.) - type.http.v3.PathTransformation forwarding_transformation = 1; - - // [#not-implemented-hide:] Normalization only applies internally before any processing of - // requests by HTTP filters, routing, and matching. These will be applied after full - // transformation is applied. The *:path* header before this transformation will be restored in - // the router filter and sent upstream unless it was mutated by a filter. Defaults to no - // transformations. - // Multiple actions can be applied in the same Transformation, forming a sequential - // pipeline. The transformations will be performed in the order that they appear. Envoy will - // respond with 400 to paths that are malformed (e.g. for paths that fail RFC 3986 - // normalization due to disallowed characters.) 
- type.http.v3.PathTransformation http_filter_transformation = 2; - } - - reserved 27, 11; - - reserved "idle_timeout"; - - // Supplies the type of codec that the connection manager should use. - CodecType codec_type = 1 [(validate.rules).enum = {defined_only: true}]; - - // The human readable prefix to use when emitting statistics for the - // connection manager. See the :ref:`statistics documentation ` for - // more information. - string stat_prefix = 2 [(validate.rules).string = {min_len: 1}]; - - oneof route_specifier { - option (validate.required) = true; - - // The connection manager’s route table will be dynamically loaded via the RDS API. - Rds rds = 3; - - // The route table for the connection manager is static and is specified in this property. - config.route.v4alpha.RouteConfiguration route_config = 4; - - // A route table will be dynamically assigned to each request based on request attributes - // (e.g., the value of a header). The "routing scopes" (i.e., route tables) and "scope keys" are - // specified in this message. - ScopedRoutes scoped_routes = 31; - } - - // A list of individual HTTP filters that make up the filter chain for - // requests made to the connection manager. :ref:`Order matters ` - // as the filters are processed sequentially as request events happen. - repeated HttpFilter http_filters = 5; - - // Whether the connection manager manipulates the :ref:`config_http_conn_man_headers_user-agent` - // and :ref:`config_http_conn_man_headers_downstream-service-cluster` headers. See the linked - // documentation for more information. Defaults to false. - google.protobuf.BoolValue add_user_agent = 6; - - // Presence of the object defines whether the connection manager - // emits :ref:`tracing ` data to the :ref:`configured tracing provider - // `. - Tracing tracing = 7; - - // Additional settings for HTTP requests handled by the connection manager. These will be - // applicable to both HTTP1 and HTTP2 requests. 
- config.core.v4alpha.HttpProtocolOptions common_http_protocol_options = 35 - [(udpa.annotations.security).configure_for_untrusted_downstream = true]; - - // Additional HTTP/1 settings that are passed to the HTTP/1 codec. - config.core.v4alpha.Http1ProtocolOptions http_protocol_options = 8; - - // Additional HTTP/2 settings that are passed directly to the HTTP/2 codec. - config.core.v4alpha.Http2ProtocolOptions http2_protocol_options = 9 - [(udpa.annotations.security).configure_for_untrusted_downstream = true]; - - // Additional HTTP/3 settings that are passed directly to the HTTP/3 codec. - // [#not-implemented-hide:] - config.core.v4alpha.Http3ProtocolOptions http3_protocol_options = 44; - - // An optional override that the connection manager will write to the server - // header in responses. If not set, the default is *envoy*. - string server_name = 10 - [(validate.rules).string = {well_known_regex: HTTP_HEADER_VALUE strict: false}]; - - // Defines the action to be applied to the Server header on the response path. - // By default, Envoy will overwrite the header with the value specified in - // server_name. - ServerHeaderTransformation server_header_transformation = 34 - [(validate.rules).enum = {defined_only: true}]; - - // Allows for explicit transformation of the :scheme header on the request path. - // If not set, Envoy's default :ref:`scheme ` - // handling applies. - config.core.v4alpha.SchemeHeaderTransformation scheme_header_transformation = 48; - - // The maximum request headers size for incoming connections. - // If unconfigured, the default max request headers allowed is 60 KiB. - // Requests that exceed this limit will receive a 431 response. - google.protobuf.UInt32Value max_request_headers_kb = 29 - [(validate.rules).uint32 = {lte: 8192 gt: 0}]; - - // The stream idle timeout for connections managed by the connection manager. - // If not specified, this defaults to 5 minutes. 
The default value was selected - // so as not to interfere with any smaller configured timeouts that may have - // existed in configurations prior to the introduction of this feature, while - // introducing robustness to TCP connections that terminate without a FIN. - // - // This idle timeout applies to new streams and is overridable by the - // :ref:`route-level idle_timeout - // `. Even on a stream in - // which the override applies, prior to receipt of the initial request - // headers, the :ref:`stream_idle_timeout - // ` - // applies. Each time an encode/decode event for headers or data is processed - // for the stream, the timer will be reset. If the timeout fires, the stream - // is terminated with a 408 Request Timeout error code if no upstream response - // header has been received, otherwise a stream reset occurs. - // - // This timeout also specifies the amount of time that Envoy will wait for the peer to open enough - // window to write any remaining stream data once the entirety of stream data (local end stream is - // true) has been buffered pending available window. In other words, this timeout defends against - // a peer that does not release enough window to completely write the stream, even though all - // data has been proxied within available flow control windows. If the timeout is hit in this - // case, the :ref:`tx_flush_timeout ` counter will be - // incremented. Note that :ref:`max_stream_duration - // ` does not apply to - // this corner case. - // - // If the :ref:`overload action ` "envoy.overload_actions.reduce_timeouts" - // is configured, this timeout is scaled according to the value for - // :ref:`HTTP_DOWNSTREAM_STREAM_IDLE `. - // - // Note that it is possible to idle timeout even if the wire traffic for a stream is non-idle, due - // to the granularity of events presented to the connection manager. 
For example, while receiving - // very large request headers, it may be the case that there is traffic regularly arriving on the - // wire while the connection manage is only able to observe the end-of-headers event, hence the - // stream may still idle timeout. - // - // A value of 0 will completely disable the connection manager stream idle - // timeout, although per-route idle timeout overrides will continue to apply. - google.protobuf.Duration stream_idle_timeout = 24 - [(udpa.annotations.security).configure_for_untrusted_downstream = true]; - - // The amount of time that Envoy will wait for the entire request to be received. - // The timer is activated when the request is initiated, and is disarmed when the last byte of the - // request is sent upstream (i.e. all decoding filters have processed the request), OR when the - // response is initiated. If not specified or set to 0, this timeout is disabled. - google.protobuf.Duration request_timeout = 28 - [(udpa.annotations.security).configure_for_untrusted_downstream = true]; - - // The amount of time that Envoy will wait for the request headers to be received. The timer is - // activated when the first byte of the headers is received, and is disarmed when the last byte of - // the headers has been received. If not specified or set to 0, this timeout is disabled. - google.protobuf.Duration request_headers_timeout = 41 [ - (validate.rules).duration = {gte {}}, - (udpa.annotations.security).configure_for_untrusted_downstream = true - ]; - - // The time that Envoy will wait between sending an HTTP/2 “shutdown - // notification” (GOAWAY frame with max stream ID) and a final GOAWAY frame. - // This is used so that Envoy provides a grace period for new streams that - // race with the final GOAWAY frame. During this grace period, Envoy will - // continue to accept new streams. After the grace period, a final GOAWAY - // frame is sent and Envoy will start refusing new streams. 
Draining occurs - // both when a connection hits the idle timeout or during general server - // draining. The default grace period is 5000 milliseconds (5 seconds) if this - // option is not specified. - google.protobuf.Duration drain_timeout = 12; - - // The delayed close timeout is for downstream connections managed by the HTTP connection manager. - // It is defined as a grace period after connection close processing has been locally initiated - // during which Envoy will wait for the peer to close (i.e., a TCP FIN/RST is received by Envoy - // from the downstream connection) prior to Envoy closing the socket associated with that - // connection. - // NOTE: This timeout is enforced even when the socket associated with the downstream connection - // is pending a flush of the write buffer. However, any progress made writing data to the socket - // will restart the timer associated with this timeout. This means that the total grace period for - // a socket in this state will be - // +. - // - // Delaying Envoy's connection close and giving the peer the opportunity to initiate the close - // sequence mitigates a race condition that exists when downstream clients do not drain/process - // data in a connection's receive buffer after a remote close has been detected via a socket - // write(). This race leads to such clients failing to process the response code sent by Envoy, - // which could result in erroneous downstream processing. - // - // If the timeout triggers, Envoy will close the connection's socket. - // - // The default timeout is 1000 ms if this option is not specified. - // - // .. NOTE:: - // To be useful in avoiding the race condition described above, this timeout must be set - // to *at least* +<100ms to account for - // a reasonable "worst" case processing time for a full iteration of Envoy's event loop>. - // - // .. WARNING:: - // A value of 0 will completely disable delayed close processing. 
When disabled, the downstream - // connection's socket will be closed immediately after the write flush is completed or will - // never close if the write flush does not complete. - google.protobuf.Duration delayed_close_timeout = 26; - - // Configuration for :ref:`HTTP access logs ` - // emitted by the connection manager. - repeated config.accesslog.v4alpha.AccessLog access_log = 13; - - // If set to true, the connection manager will use the real remote address - // of the client connection when determining internal versus external origin and manipulating - // various headers. If set to false or absent, the connection manager will use the - // :ref:`config_http_conn_man_headers_x-forwarded-for` HTTP header. See the documentation for - // :ref:`config_http_conn_man_headers_x-forwarded-for`, - // :ref:`config_http_conn_man_headers_x-envoy-internal`, and - // :ref:`config_http_conn_man_headers_x-envoy-external-address` for more information. - google.protobuf.BoolValue use_remote_address = 14 - [(udpa.annotations.security).configure_for_untrusted_downstream = true]; - - // The number of additional ingress proxy hops from the right side of the - // :ref:`config_http_conn_man_headers_x-forwarded-for` HTTP header to trust when - // determining the origin client's IP address. The default is zero if this option - // is not specified. See the documentation for - // :ref:`config_http_conn_man_headers_x-forwarded-for` for more information. - uint32 xff_num_trusted_hops = 19; - - // The configuration for the original IP detection extensions. - // - // When configured the extensions will be called along with the request headers - // and information about the downstream connection, such as the directly connected address. - // Each extension will then use these parameters to decide the request's effective remote address. 
- // If an extension fails to detect the original IP address and isn't configured to reject - // the request, the HCM will try the remaining extensions until one succeeds or rejects - // the request. If the request isn't rejected nor any extension succeeds, the HCM will - // fallback to using the remote address. - // - // .. WARNING:: - // Extensions cannot be used in conjunction with :ref:`use_remote_address - // ` - // nor :ref:`xff_num_trusted_hops - // `. - // - // [#extension-category: envoy.http.original_ip_detection] - repeated config.core.v4alpha.TypedExtensionConfig original_ip_detection_extensions = 46; - - // Configures what network addresses are considered internal for stats and header sanitation - // purposes. If unspecified, only RFC1918 IP addresses will be considered internal. - // See the documentation for :ref:`config_http_conn_man_headers_x-envoy-internal` for more - // information about internal/external addresses. - InternalAddressConfig internal_address_config = 25; - - // If set, Envoy will not append the remote address to the - // :ref:`config_http_conn_man_headers_x-forwarded-for` HTTP header. This may be used in - // conjunction with HTTP filters that explicitly manipulate XFF after the HTTP connection manager - // has mutated the request headers. While :ref:`use_remote_address - // ` - // will also suppress XFF addition, it has consequences for logging and other - // Envoy uses of the remote address, so *skip_xff_append* should be used - // when only an elision of XFF addition is intended. - bool skip_xff_append = 21; - - // Via header value to append to request and response headers. If this is - // empty, no via header will be appended. - string via = 22 [(validate.rules).string = {well_known_regex: HTTP_HEADER_VALUE strict: false}]; - - // Whether the connection manager will generate the :ref:`x-request-id - // ` header if it does not exist. This defaults to - // true. 
Generating a random UUID4 is expensive so in high throughput scenarios where this feature - // is not desired it can be disabled. - google.protobuf.BoolValue generate_request_id = 15; - - // Whether the connection manager will keep the :ref:`x-request-id - // ` header if passed for a request that is edge - // (Edge request is the request from external clients to front Envoy) and not reset it, which - // is the current Envoy behaviour. This defaults to false. - bool preserve_external_request_id = 32; - - // If set, Envoy will always set :ref:`x-request-id ` header in response. - // If this is false or not set, the request ID is returned in responses only if tracing is forced using - // :ref:`x-envoy-force-trace ` header. - bool always_set_request_id_in_response = 37; - - // How to handle the :ref:`config_http_conn_man_headers_x-forwarded-client-cert` (XFCC) HTTP - // header. - ForwardClientCertDetails forward_client_cert_details = 16 - [(validate.rules).enum = {defined_only: true}]; - - // This field is valid only when :ref:`forward_client_cert_details - // ` - // is APPEND_FORWARD or SANITIZE_SET and the client connection is mTLS. It specifies the fields in - // the client certificate to be forwarded. Note that in the - // :ref:`config_http_conn_man_headers_x-forwarded-client-cert` header, *Hash* is always set, and - // *By* is always set when the client certificate presents the URI type Subject Alternative Name - // value. - SetCurrentClientCertDetails set_current_client_cert_details = 17; - - // If proxy_100_continue is true, Envoy will proxy incoming "Expect: - // 100-continue" headers upstream, and forward "100 Continue" responses - // downstream. If this is false or not set, Envoy will instead strip the - // "Expect: 100-continue" header, and send a "100 Continue" response itself. 
- bool proxy_100_continue = 18; - - // If - // :ref:`use_remote_address - // ` - // is true and represent_ipv4_remote_address_as_ipv4_mapped_ipv6 is true and the remote address is - // an IPv4 address, the address will be mapped to IPv6 before it is appended to *x-forwarded-for*. - // This is useful for testing compatibility of upstream services that parse the header value. For - // example, 50.0.0.1 is represented as ::FFFF:50.0.0.1. See `IPv4-Mapped IPv6 Addresses - // `_ for details. This will also affect the - // :ref:`config_http_conn_man_headers_x-envoy-external-address` header. See - // :ref:`http_connection_manager.represent_ipv4_remote_address_as_ipv4_mapped_ipv6 - // ` for runtime - // control. - // [#not-implemented-hide:] - bool represent_ipv4_remote_address_as_ipv4_mapped_ipv6 = 20; - - repeated UpgradeConfig upgrade_configs = 23; - - // Should paths be normalized according to RFC 3986 before any processing of - // requests by HTTP filters or routing? This affects the upstream *:path* header - // as well. For paths that fail this check, Envoy will respond with 400 to - // paths that are malformed. This defaults to false currently but will default - // true in the future. When not specified, this value may be overridden by the - // runtime variable - // :ref:`http_connection_manager.normalize_path`. - // See `Normalization and Comparison `_ - // for details of normalization. - // Note that Envoy does not perform - // `case normalization `_ - google.protobuf.BoolValue normalize_path = 30; - - // Determines if adjacent slashes in the path are merged into one before any processing of - // requests by HTTP filters or routing. This affects the upstream *:path* header as well. Without - // setting this option, incoming requests with path `//dir///file` will not match against route - // with `prefix` match set to `/dir`. Defaults to `false`. Note that slash merging is not part of - // `HTTP spec `_ and is provided for convenience. 
- bool merge_slashes = 33; - - // Action to take when request URL path contains escaped slash sequences (%2F, %2f, %5C and %5c). - // The default value can be overridden by the :ref:`http_connection_manager.path_with_escaped_slashes_action` - // runtime variable. - // The :ref:`http_connection_manager.path_with_escaped_slashes_action_sampling` runtime - // variable can be used to apply the action to a portion of all requests. - PathWithEscapedSlashesAction path_with_escaped_slashes_action = 45; - - // The configuration of the request ID extension. This includes operations such as - // generation, validation, and associated tracing operations. If empty, the - // :ref:`UuidRequestIdConfig ` - // default extension is used with default parameters. See the documentation for that extension - // for details on what it does. Customizing the configuration for the default extension can be - // achieved by configuring it explicitly here. For example, to disable trace reason packing, - // the following configuration can be used: - // - // .. validated-code-block:: yaml - // :type-name: envoy.extensions.filters.network.http_connection_manager.v3.RequestIDExtension - // - // typed_config: - // "@type": type.googleapis.com/envoy.extensions.request_id.uuid.v3.UuidRequestIdConfig - // pack_trace_reason: false - // - // [#extension-category: envoy.request_id] - RequestIDExtension request_id_extension = 36; - - // The configuration to customize local reply returned by Envoy. It can customize status code, - // body text and response content type. If not specified, status code and text body are hard - // coded in Envoy, the response content type is plain text. - LocalReplyConfig local_reply_config = 38; - - oneof strip_port_mode { - // Determines if the port part should be removed from host/authority header before any processing - // of request by HTTP filters or routing. The port would be removed only if it is equal to the :ref:`listener's` - // local port. 
This affects the upstream host header unless the method is - // CONNECT in which case if no filter adds a port the original port will be restored before headers are - // sent upstream. - // Without setting this option, incoming requests with host `example:443` will not match against - // route with :ref:`domains` match set to `example`. Defaults to `false`. Note that port removal is not part - // of `HTTP spec `_ and is provided for convenience. - // Only one of `strip_matching_host_port` or `strip_any_host_port` can be set. - bool strip_matching_host_port = 39; - - // Determines if the port part should be removed from host/authority header before any processing - // of request by HTTP filters or routing. - // This affects the upstream host header unless the method is CONNECT in - // which case if no filter adds a port the original port will be restored before headers are sent upstream. - // Without setting this option, incoming requests with host `example:443` will not match against - // route with :ref:`domains` match set to `example`. Defaults to `false`. Note that port removal is not part - // of `HTTP spec `_ and is provided for convenience. - // Only one of `strip_matching_host_port` or `strip_any_host_port` can be set. - bool strip_any_host_port = 42; - } - - // Governs Envoy's behavior when receiving invalid HTTP from downstream. - // If this option is false (default), Envoy will err on the conservative side handling HTTP - // errors, terminating both HTTP/1.1 and HTTP/2 connections when receiving an invalid request. - // If this option is set to true, Envoy will be more permissive, only resetting the invalid - // stream in the case of HTTP/2 and leaving the connection open where possible (if the entire - // request is read for HTTP/1.1) - // In general this should be true for deployments receiving trusted traffic (L2 Envoys, - // company-internal mesh) and false when receiving untrusted traffic (edge deployments). 
- // - // If different behaviors for invalid_http_message for HTTP/1 and HTTP/2 are - // desired, one should use the new HTTP/1 option :ref:`override_stream_error_on_invalid_http_message - // ` or the new HTTP/2 option - // :ref:`override_stream_error_on_invalid_http_message - // ` - // *not* the deprecated but similarly named :ref:`stream_error_on_invalid_http_messaging - // ` - google.protobuf.BoolValue stream_error_on_invalid_http_message = 40; - - // [#not-implemented-hide:] Path normalization configuration. This includes - // configurations for transformations (e.g. RFC 3986 normalization or merge - // adjacent slashes) and the policy to apply them. The policy determines - // whether transformations affect the forwarded *:path* header. RFC 3986 path - // normalization is enabled by default and the default policy is that the - // normalized header will be forwarded. See :ref:`PathNormalizationOptions - // ` - // for details. - PathNormalizationOptions path_normalization_options = 43; - - // Determines if trailing dot of the host should be removed from host/authority header before any - // processing of request by HTTP filters or routing. - // This affects the upstream host header. - // Without setting this option, incoming requests with host `example.com.` will not match against - // route with :ref:`domains` match set to `example.com`. Defaults to `false`. - // When the incoming request contains a host/authority header that includes a port number, - // setting this option will strip a trailing dot, if present, from the host section, - // leaving the port as is (e.g. host value `example.com.:443` will be updated to `example.com:443`). - bool strip_trailing_host_dot = 47; -} - -// The configuration to customize local reply returned by Envoy. 
-message LocalReplyConfig { - option (udpa.annotations.versioning).previous_message_type = - "envoy.extensions.filters.network.http_connection_manager.v3.LocalReplyConfig"; - - // Configuration of list of mappers which allows to filter and change local response. - // The mappers will be checked by the specified order until one is matched. - repeated ResponseMapper mappers = 1; - - // The configuration to form response body from the :ref:`command operators ` - // and to specify response content type as one of: plain/text or application/json. - // - // Example one: "plain/text" ``body_format``. - // - // .. validated-code-block:: yaml - // :type-name: envoy.config.core.v3.SubstitutionFormatString - // - // text_format: "%LOCAL_REPLY_BODY%:%RESPONSE_CODE%:path=%REQ(:path)%\n" - // - // The following response body in "plain/text" format will be generated for a request with - // local reply body of "upstream connection error", response_code=503 and path=/foo. - // - // .. code-block:: text - // - // upstream connect error:503:path=/foo - // - // Example two: "application/json" ``body_format``. - // - // .. validated-code-block:: yaml - // :type-name: envoy.config.core.v3.SubstitutionFormatString - // - // json_format: - // status: "%RESPONSE_CODE%" - // message: "%LOCAL_REPLY_BODY%" - // path: "%REQ(:path)%" - // - // The following response body in "application/json" format would be generated for a request with - // local reply body of "upstream connection error", response_code=503 and path=/foo. - // - // .. code-block:: json - // - // { - // "status": 503, - // "message": "upstream connection error", - // "path": "/foo" - // } - // - config.core.v4alpha.SubstitutionFormatString body_format = 2; -} - -// The configuration to filter and change local response. 
-// [#next-free-field: 6] -message ResponseMapper { - option (udpa.annotations.versioning).previous_message_type = - "envoy.extensions.filters.network.http_connection_manager.v3.ResponseMapper"; - - // Filter to determine if this mapper should apply. - config.accesslog.v4alpha.AccessLogFilter filter = 1 [(validate.rules).message = {required: true}]; - - // The new response status code if specified. - google.protobuf.UInt32Value status_code = 2 [(validate.rules).uint32 = {lt: 600 gte: 200}]; - - // The new local reply body text if specified. It will be used in the `%LOCAL_REPLY_BODY%` - // command operator in the `body_format`. - config.core.v4alpha.DataSource body = 3; - - // A per mapper `body_format` to override the :ref:`body_format `. - // It will be used when this mapper is matched. - config.core.v4alpha.SubstitutionFormatString body_format_override = 4; - - // HTTP headers to add to a local reply. This allows the response mapper to append, to add - // or to override headers of any local reply before it is sent to a downstream client. - repeated config.core.v4alpha.HeaderValueOption headers_to_add = 5 - [(validate.rules).repeated = {max_items: 1000}]; -} - -message Rds { - option (udpa.annotations.versioning).previous_message_type = - "envoy.extensions.filters.network.http_connection_manager.v3.Rds"; - - // Configuration source specifier for RDS. - config.core.v4alpha.ConfigSource config_source = 1 [(validate.rules).message = {required: true}]; - - // The name of the route configuration. This name will be passed to the RDS - // API. This allows an Envoy configuration with multiple HTTP listeners (and - // associated HTTP connection manager filters) to use different route - // configurations. - string route_config_name = 2; -} - -// This message is used to work around the limitations with 'oneof' and repeated fields. 
-message ScopedRouteConfigurationsList { - option (udpa.annotations.versioning).previous_message_type = - "envoy.extensions.filters.network.http_connection_manager.v3.ScopedRouteConfigurationsList"; - - repeated config.route.v4alpha.ScopedRouteConfiguration scoped_route_configurations = 1 - [(validate.rules).repeated = {min_items: 1}]; -} - -// [#next-free-field: 6] -message ScopedRoutes { - option (udpa.annotations.versioning).previous_message_type = - "envoy.extensions.filters.network.http_connection_manager.v3.ScopedRoutes"; - - // Specifies the mechanism for constructing "scope keys" based on HTTP request attributes. These - // keys are matched against a set of :ref:`Key` - // objects assembled from :ref:`ScopedRouteConfiguration` - // messages distributed via SRDS (the Scoped Route Discovery Service) or assigned statically via - // :ref:`scoped_route_configurations_list`. - // - // Upon receiving a request's headers, the Router will build a key using the algorithm specified - // by this message. This key will be used to look up the routing table (i.e., the - // :ref:`RouteConfiguration`) to use for the request. - message ScopeKeyBuilder { - option (udpa.annotations.versioning).previous_message_type = - "envoy.extensions.filters.network.http_connection_manager.v3.ScopedRoutes.ScopeKeyBuilder"; - - // Specifies the mechanism for constructing key fragments which are composed into scope keys. - message FragmentBuilder { - option (udpa.annotations.versioning).previous_message_type = - "envoy.extensions.filters.network.http_connection_manager.v3.ScopedRoutes." - "ScopeKeyBuilder.FragmentBuilder"; - - // Specifies how the value of a header should be extracted. - // The following example maps the structure of a header to the fields in this message. - // - // .. 
code:: - // - // <0> <1> <-- index - // X-Header: a=b;c=d - // | || | - // | || \----> - // | || - // | |\----> - // | | - // | \----> - // | - // \----> - // - // Each 'a=b' key-value pair constitutes an 'element' of the header field. - message HeaderValueExtractor { - option (udpa.annotations.versioning).previous_message_type = - "envoy.extensions.filters.network.http_connection_manager.v3.ScopedRoutes." - "ScopeKeyBuilder.FragmentBuilder.HeaderValueExtractor"; - - // Specifies a header field's key value pair to match on. - message KvElement { - option (udpa.annotations.versioning).previous_message_type = - "envoy.extensions.filters.network.http_connection_manager.v3.ScopedRoutes." - "ScopeKeyBuilder.FragmentBuilder.HeaderValueExtractor.KvElement"; - - // The separator between key and value (e.g., '=' separates 'k=v;...'). - // If an element is an empty string, the element is ignored. - // If an element contains no separator, the whole element is parsed as key and the - // fragment value is an empty string. - // If there are multiple values for a matched key, the first value is returned. - string separator = 1 [(validate.rules).string = {min_len: 1}]; - - // The key to match on. - string key = 2 [(validate.rules).string = {min_len: 1}]; - } - - // The name of the header field to extract the value from. - // - // .. note:: - // - // If the header appears multiple times only the first value is used. - string name = 1 [(validate.rules).string = {min_len: 1}]; - - // The element separator (e.g., ';' separates 'a;b;c;d'). - // Default: empty string. This causes the entirety of the header field to be extracted. - // If this field is set to an empty string and 'index' is used in the oneof below, 'index' - // must be set to 0. - string element_separator = 2; - - oneof extract_type { - // Specifies the zero based index of the element to extract. 
- // Note Envoy concatenates multiple values of the same header key into a comma separated - // string, the splitting always happens after the concatenation. - uint32 index = 3; - - // Specifies the key value pair to extract the value from. - KvElement element = 4; - } - } - - oneof type { - option (validate.required) = true; - - // Specifies how a header field's value should be extracted. - HeaderValueExtractor header_value_extractor = 1; - } - } - - // The final(built) scope key consists of the ordered union of these fragments, which are compared in order with the - // fragments of a :ref:`ScopedRouteConfiguration`. - // A missing fragment during comparison will make the key invalid, i.e., the computed key doesn't match any key. - repeated FragmentBuilder fragments = 1 [(validate.rules).repeated = {min_items: 1}]; - } - - // The name assigned to the scoped routing configuration. - string name = 1 [(validate.rules).string = {min_len: 1}]; - - // The algorithm to use for constructing a scope key for each request. - ScopeKeyBuilder scope_key_builder = 2 [(validate.rules).message = {required: true}]; - - // Configuration source specifier for RDS. - // This config source is used to subscribe to RouteConfiguration resources specified in - // ScopedRouteConfiguration messages. - config.core.v4alpha.ConfigSource rds_config_source = 3 - [(validate.rules).message = {required: true}]; - - oneof config_specifier { - option (validate.required) = true; - - // The set of routing scopes corresponding to the HCM. A scope is assigned to a request by - // matching a key constructed from the request's attributes according to the algorithm specified - // by the - // :ref:`ScopeKeyBuilder` - // in this message. - ScopedRouteConfigurationsList scoped_route_configurations_list = 4; - - // The set of routing scopes associated with the HCM will be dynamically loaded via the SRDS - // API. 
A scope is assigned to a request by matching a key constructed from the request's - // attributes according to the algorithm specified by the - // :ref:`ScopeKeyBuilder` - // in this message. - ScopedRds scoped_rds = 5; - } -} - -message ScopedRds { - option (udpa.annotations.versioning).previous_message_type = - "envoy.extensions.filters.network.http_connection_manager.v3.ScopedRds"; - - // Configuration source specifier for scoped RDS. - config.core.v4alpha.ConfigSource scoped_rds_config_source = 1 - [(validate.rules).message = {required: true}]; - - // xdstp:// resource locator for scoped RDS collection. - // [#not-implemented-hide:] - string srds_resources_locator = 2; -} - -// [#next-free-field: 7] -message HttpFilter { - option (udpa.annotations.versioning).previous_message_type = - "envoy.extensions.filters.network.http_connection_manager.v3.HttpFilter"; - - reserved 3, 2; - - reserved "config"; - - // The name of the filter configuration. The name is used as a fallback to - // select an extension if the type of the configuration proto is not - // sufficient. It also serves as a resource name in ExtensionConfigDS. - string name = 1 [(validate.rules).string = {min_len: 1}]; - - oneof config_type { - // Filter specific configuration which depends on the filter being instantiated. See the supported - // filters for further documentation. - // - // To support configuring a :ref:`match tree `, use an - // :ref:`ExtensionWithMatcher ` - // with the desired HTTP filter. - // [#extension-category: envoy.filters.http] - google.protobuf.Any typed_config = 4; - - // Configuration source specifier for an extension configuration discovery service. - // In case of a failure and without the default configuration, the HTTP listener responds with code 500. - // Extension configs delivered through this mechanism are not expected to require warming (see https://github.com/envoyproxy/envoy/issues/12061). 
- // - // To support configuring a :ref:`match tree `, use an - // :ref:`ExtensionWithMatcher ` - // with the desired HTTP filter. This works for both the default filter configuration as well - // as for filters provided via the API. - config.core.v4alpha.ExtensionConfigSource config_discovery = 5; - } - - // If true, clients that do not support this filter may ignore the - // filter but otherwise accept the config. - // Otherwise, clients that do not support this filter must reject the config. - // This is also same with typed per filter config. - bool is_optional = 6; -} - -message RequestIDExtension { - option (udpa.annotations.versioning).previous_message_type = - "envoy.extensions.filters.network.http_connection_manager.v3.RequestIDExtension"; - - // Request ID extension specific configuration. - google.protobuf.Any typed_config = 1; -} - -// [#protodoc-title: Envoy Mobile HTTP connection manager] -// HTTP connection manager for use in Envoy mobile. -// [#extension: envoy.filters.network.envoy_mobile_http_connection_manager] -message EnvoyMobileHttpConnectionManager { - option (udpa.annotations.versioning).previous_message_type = - "envoy.extensions.filters.network.http_connection_manager.v3." - "EnvoyMobileHttpConnectionManager"; - - // The configuration for the underlying HttpConnectionManager which will be - // instantiated for Envoy mobile. - HttpConnectionManager config = 1; -} diff --git a/generated_api_shadow/envoy/extensions/filters/network/ratelimit/v4alpha/BUILD b/generated_api_shadow/envoy/extensions/filters/network/ratelimit/v4alpha/BUILD deleted file mode 100644 index d9d0ca109526..000000000000 --- a/generated_api_shadow/envoy/extensions/filters/network/ratelimit/v4alpha/BUILD +++ /dev/null 
@@ -1,14 +0,0 @@ -# DO NOT EDIT. This file is generated by tools/proto_format/proto_sync.py. - -load("@envoy_api//bazel:api_build_system.bzl", "api_proto_package") - -licenses(["notice"]) # Apache 2 - -api_proto_package( - deps = [ - "//envoy/config/ratelimit/v4alpha:pkg", - "//envoy/extensions/common/ratelimit/v3:pkg", - "//envoy/extensions/filters/network/ratelimit/v3:pkg", - "@com_github_cncf_udpa//udpa/annotations:pkg", - ], -) diff --git a/generated_api_shadow/envoy/extensions/filters/network/ratelimit/v4alpha/rate_limit.proto b/generated_api_shadow/envoy/extensions/filters/network/ratelimit/v4alpha/rate_limit.proto deleted file mode 100644 index b53cb3bcc1d0..000000000000 --- a/generated_api_shadow/envoy/extensions/filters/network/ratelimit/v4alpha/rate_limit.proto +++ /dev/null 
@@ -1,53 +0,0 @@ -syntax = "proto3"; - -package envoy.extensions.filters.network.ratelimit.v4alpha; - -import "envoy/config/ratelimit/v4alpha/rls.proto"; -import "envoy/extensions/common/ratelimit/v3/ratelimit.proto"; - -import "google/protobuf/duration.proto"; - -import "udpa/annotations/status.proto"; -import "udpa/annotations/versioning.proto"; -import "validate/validate.proto"; - -option java_package = "io.envoyproxy.envoy.extensions.filters.network.ratelimit.v4alpha"; -option java_outer_classname = "RateLimitProto"; -option java_multiple_files = true; -option (udpa.annotations.file_status).package_version_status = NEXT_MAJOR_VERSION_CANDIDATE; - -// [#protodoc-title: Rate limit] -// Rate limit :ref:`configuration overview `. -// [#extension: envoy.filters.network.ratelimit] - -// [#next-free-field: 7] -message RateLimit { - option (udpa.annotations.versioning).previous_message_type = - "envoy.extensions.filters.network.ratelimit.v3.RateLimit"; - - // The prefix to use when emitting :ref:`statistics `. - string stat_prefix = 1 [(validate.rules).string = {min_len: 1}]; - - // The rate limit domain to use in the rate limit service request. - string domain = 2 [(validate.rules).string = {min_len: 1}]; - - // The rate limit descriptor list to use in the rate limit service request. - repeated common.ratelimit.v3.RateLimitDescriptor descriptors = 3 - [(validate.rules).repeated = {min_items: 1}]; - - // The timeout in milliseconds for the rate limit service RPC. If not - // set, this defaults to 20ms. - google.protobuf.Duration timeout = 4; - - // The filter's behaviour in case the rate limiting service does - // not respond back. When it is set to true, Envoy will not allow traffic in case of - // communication failure between rate limiting service and the proxy. - // Defaults to false. - bool failure_mode_deny = 5; - - // Configuration for an external rate limit service provider. 
If not - // specified, any calls to the rate limit service will immediately return - // success. - config.ratelimit.v4alpha.RateLimitServiceConfig rate_limit_service = 6 - [(validate.rules).message = {required: true}]; -} diff --git a/generated_api_shadow/envoy/extensions/filters/network/rbac/v4alpha/BUILD b/generated_api_shadow/envoy/extensions/filters/network/rbac/v4alpha/BUILD deleted file mode 100644 index 27418dd3299e..000000000000 --- a/generated_api_shadow/envoy/extensions/filters/network/rbac/v4alpha/BUILD +++ /dev/null @@ -1,13 +0,0 @@ -# DO NOT EDIT. This file is generated by tools/proto_format/proto_sync.py. - -load("@envoy_api//bazel:api_build_system.bzl", "api_proto_package") - -licenses(["notice"]) # Apache 2 - -api_proto_package( - deps = [ - "//envoy/config/rbac/v4alpha:pkg", - "//envoy/extensions/filters/network/rbac/v3:pkg", - "@com_github_cncf_udpa//udpa/annotations:pkg", - ], -) diff --git a/generated_api_shadow/envoy/extensions/filters/network/rbac/v4alpha/rbac.proto b/generated_api_shadow/envoy/extensions/filters/network/rbac/v4alpha/rbac.proto deleted file mode 100644 index 3512bae2d2ab..000000000000 --- a/generated_api_shadow/envoy/extensions/filters/network/rbac/v4alpha/rbac.proto +++ /dev/null 
@@ -1,64 +0,0 @@ -syntax = "proto3"; - -package envoy.extensions.filters.network.rbac.v4alpha; - -import "envoy/config/rbac/v4alpha/rbac.proto"; - -import "udpa/annotations/status.proto"; -import "udpa/annotations/versioning.proto"; -import "validate/validate.proto"; - -option java_package = "io.envoyproxy.envoy.extensions.filters.network.rbac.v4alpha"; -option java_outer_classname = "RbacProto"; -option java_multiple_files = true; -option (udpa.annotations.file_status).package_version_status = NEXT_MAJOR_VERSION_CANDIDATE; - -// [#protodoc-title: RBAC] -// Role-Based Access Control :ref:`configuration overview `. -// [#extension: envoy.filters.network.rbac] - -// RBAC network filter config. -// -// Header should not be used in rules/shadow_rules in RBAC network filter as -// this information is only available in :ref:`RBAC http filter `. -// [#next-free-field: 6] -message RBAC { - option (udpa.annotations.versioning).previous_message_type = - "envoy.extensions.filters.network.rbac.v3.RBAC"; - - enum EnforcementType { - // Apply RBAC policies when the first byte of data arrives on the connection. - ONE_TIME_ON_FIRST_BYTE = 0; - - // Continuously apply RBAC policies as data arrives. Use this mode when - // using RBAC with message oriented protocols such as Mongo, MySQL, Kafka, - // etc. when the protocol decoders emit dynamic metadata such as the - // resources being accessed and the operations on the resources. - CONTINUOUS = 1; - } - - // Specify the RBAC rules to be applied globally. - // If absent, no enforcing RBAC policy will be applied. - // If present and empty, DENY. - config.rbac.v4alpha.RBAC rules = 1; - - // Shadow rules are not enforced by the filter but will emit stats and logs - // and can be used for rule testing. - // If absent, no shadow RBAC policy will be applied. - config.rbac.v4alpha.RBAC shadow_rules = 2; - - // If specified, shadow rules will emit stats with the given prefix. 
- // This is useful to distinguish the stat when there are more than 1 RBAC filter configured with - // shadow rules. - string shadow_rules_stat_prefix = 5; - - // The prefix to use when emitting statistics. - string stat_prefix = 3 [(validate.rules).string = {min_len: 1}]; - - // RBAC enforcement strategy. By default RBAC will be enforced only once - // when the first byte of data arrives from the downstream. When used in - // conjunction with filters that emit dynamic metadata after decoding - // every payload (e.g., Mongo, MySQL, Kafka) set the enforcement type to - // CONTINUOUS to enforce RBAC policies on every message boundary. - EnforcementType enforcement_type = 4; -} diff --git a/generated_api_shadow/envoy/extensions/filters/network/sni_dynamic_forward_proxy/v4alpha/BUILD b/generated_api_shadow/envoy/extensions/filters/network/sni_dynamic_forward_proxy/v4alpha/BUILD deleted file mode 100644 index 465ea4ff2844..000000000000 --- a/generated_api_shadow/envoy/extensions/filters/network/sni_dynamic_forward_proxy/v4alpha/BUILD +++ /dev/null @@ -1,13 +0,0 @@ -# DO NOT EDIT. This file is generated by tools/proto_format/proto_sync.py. - -load("@envoy_api//bazel:api_build_system.bzl", "api_proto_package") - -licenses(["notice"]) # Apache 2 - -api_proto_package( - deps = [ - "//envoy/extensions/common/dynamic_forward_proxy/v4alpha:pkg", - "//envoy/extensions/filters/network/sni_dynamic_forward_proxy/v3alpha:pkg", - "@com_github_cncf_udpa//udpa/annotations:pkg", - ], -) diff --git a/generated_api_shadow/envoy/extensions/filters/network/sni_dynamic_forward_proxy/v4alpha/sni_dynamic_forward_proxy.proto b/generated_api_shadow/envoy/extensions/filters/network/sni_dynamic_forward_proxy/v4alpha/sni_dynamic_forward_proxy.proto deleted file mode 100644 index de2947fcba9e..000000000000 --- a/generated_api_shadow/envoy/extensions/filters/network/sni_dynamic_forward_proxy/v4alpha/sni_dynamic_forward_proxy.proto +++ /dev/null 
@@ -1,40 +0,0 @@ -syntax = "proto3"; - -package envoy.extensions.filters.network.sni_dynamic_forward_proxy.v4alpha; - -import "envoy/extensions/common/dynamic_forward_proxy/v4alpha/dns_cache.proto"; - -import "udpa/annotations/status.proto"; -import "udpa/annotations/versioning.proto"; -import "validate/validate.proto"; - -option java_package = "io.envoyproxy.envoy.extensions.filters.network.sni_dynamic_forward_proxy.v4alpha"; -option java_outer_classname = "SniDynamicForwardProxyProto"; -option java_multiple_files = true; -option (udpa.annotations.file_status).work_in_progress = true; -option (udpa.annotations.file_status).package_version_status = NEXT_MAJOR_VERSION_CANDIDATE; - -// [#protodoc-title: SNI dynamic forward proxy] - -// Configuration for the SNI-based dynamic forward proxy filter. See the -// :ref:`architecture overview ` for -// more information. Note this filter must be configured along with -// :ref:`TLS inspector listener filter ` -// to work. -// [#extension: envoy.filters.network.sni_dynamic_forward_proxy] -message FilterConfig { - option (udpa.annotations.versioning).previous_message_type = - "envoy.extensions.filters.network.sni_dynamic_forward_proxy.v3alpha.FilterConfig"; - - // The DNS cache configuration that the filter will attach to. Note this - // configuration must match that of associated :ref:`dynamic forward proxy - // cluster configuration - // `. - common.dynamic_forward_proxy.v4alpha.DnsCacheConfig dns_cache_config = 1 - [(validate.rules).message = {required: true}]; - - oneof port_specifier { - // The port number to connect to the upstream. - uint32 port_value = 2 [(validate.rules).uint32 = {lte: 65535 gt: 0}]; - } -} diff --git a/generated_api_shadow/envoy/extensions/filters/network/tcp_proxy/v4alpha/BUILD b/generated_api_shadow/envoy/extensions/filters/network/tcp_proxy/v4alpha/BUILD deleted file mode 100644 index 1b359dc7be52..000000000000 
--- a/generated_api_shadow/envoy/extensions/filters/network/tcp_proxy/v4alpha/BUILD +++ /dev/null @@ -1,15 +0,0 @@ -# DO NOT EDIT. This file is generated by tools/proto_format/proto_sync.py. - -load("@envoy_api//bazel:api_build_system.bzl", "api_proto_package") - -licenses(["notice"]) # Apache 2 - -api_proto_package( - deps = [ - "//envoy/config/accesslog/v4alpha:pkg", - "//envoy/config/core/v4alpha:pkg", - "//envoy/extensions/filters/network/tcp_proxy/v3:pkg", - "//envoy/type/v3:pkg", - "@com_github_cncf_udpa//udpa/annotations:pkg", - ], -) diff --git a/generated_api_shadow/envoy/extensions/filters/network/tcp_proxy/v4alpha/tcp_proxy.proto b/generated_api_shadow/envoy/extensions/filters/network/tcp_proxy/v4alpha/tcp_proxy.proto deleted file mode 100644 index 95f2c26c888c..000000000000 --- a/generated_api_shadow/envoy/extensions/filters/network/tcp_proxy/v4alpha/tcp_proxy.proto +++ /dev/null 
@@ -1,154 +0,0 @@ -syntax = "proto3"; - -package envoy.extensions.filters.network.tcp_proxy.v4alpha; - -import "envoy/config/accesslog/v4alpha/accesslog.proto"; -import "envoy/config/core/v4alpha/base.proto"; -import "envoy/type/v3/hash_policy.proto"; - -import "google/protobuf/duration.proto"; -import "google/protobuf/wrappers.proto"; - -import "udpa/annotations/status.proto"; -import "udpa/annotations/versioning.proto"; -import "validate/validate.proto"; - -option java_package = "io.envoyproxy.envoy.extensions.filters.network.tcp_proxy.v4alpha"; -option java_outer_classname = "TcpProxyProto"; -option java_multiple_files = true; -option (udpa.annotations.file_status).package_version_status = NEXT_MAJOR_VERSION_CANDIDATE; - -// [#protodoc-title: TCP Proxy] -// TCP Proxy :ref:`configuration overview `. -// [#extension: envoy.filters.network.tcp_proxy] - -// [#next-free-field: 14] -message TcpProxy { - option (udpa.annotations.versioning).previous_message_type = - "envoy.extensions.filters.network.tcp_proxy.v3.TcpProxy"; - - // Allows for specification of multiple upstream clusters along with weights - // that indicate the percentage of traffic to be forwarded to each cluster. - // The router selects an upstream cluster based on these weights. - message WeightedCluster { - option (udpa.annotations.versioning).previous_message_type = - "envoy.extensions.filters.network.tcp_proxy.v3.TcpProxy.WeightedCluster"; - - message ClusterWeight { - option (udpa.annotations.versioning).previous_message_type = - "envoy.extensions.filters.network.tcp_proxy.v3.TcpProxy.WeightedCluster.ClusterWeight"; - - // Name of the upstream cluster. - string name = 1 [(validate.rules).string = {min_len: 1}]; - - // When a request matches the route, the choice of an upstream cluster is - // determined by its weight. The sum of weights across all entries in the - // clusters array determines the total weight. 
- uint32 weight = 2 [(validate.rules).uint32 = {gte: 1}]; - - // Optional endpoint metadata match criteria used by the subset load balancer. Only endpoints - // in the upstream cluster with metadata matching what is set in this field will be considered - // for load balancing. Note that this will be merged with what's provided in - // :ref:`TcpProxy.metadata_match - // `, with values - // here taking precedence. The filter name should be specified as *envoy.lb*. - config.core.v4alpha.Metadata metadata_match = 3; - } - - // Specifies one or more upstream clusters associated with the route. - repeated ClusterWeight clusters = 1 [(validate.rules).repeated = {min_items: 1}]; - } - - // Configuration for tunneling TCP over other transports or application layers. - // Tunneling is supported over both HTTP/1.1 and HTTP/2. Upstream protocol is - // determined by the cluster configuration. - message TunnelingConfig { - option (udpa.annotations.versioning).previous_message_type = - "envoy.extensions.filters.network.tcp_proxy.v3.TcpProxy.TunnelingConfig"; - - // The hostname to send in the synthesized CONNECT headers to the upstream proxy. - string hostname = 1 [(validate.rules).string = {min_len: 1}]; - - // Use POST method instead of CONNECT method to tunnel the TCP stream. - // The 'protocol: bytestream' header is also NOT set for HTTP/2 to comply with the spec. - // - // The upstream proxy is expected to convert POST payload as raw TCP. - bool use_post = 2; - - // Additional request headers to upstream proxy. This is mainly used to - // trigger upstream to convert POST requests back to CONNECT requests. - // - // Neither *:-prefixed* pseudo-headers nor the Host: header can be overridden. - repeated config.core.v4alpha.HeaderValueOption headers_to_add = 3 - [(validate.rules).repeated = {max_items: 1000}]; - } - - reserved 6; - - reserved "deprecated_v1"; - - // The prefix to use when emitting :ref:`statistics - // `. 
- string stat_prefix = 1 [(validate.rules).string = {min_len: 1}]; - - oneof cluster_specifier { - option (validate.required) = true; - - // The upstream cluster to connect to. - string cluster = 2; - - // Multiple upstream clusters can be specified for a given route. The - // request is routed to one of the upstream clusters based on weights - // assigned to each cluster. - WeightedCluster weighted_clusters = 10; - } - - // Optional endpoint metadata match criteria. Only endpoints in the upstream - // cluster with metadata matching that set in metadata_match will be - // considered. The filter name should be specified as *envoy.lb*. - config.core.v4alpha.Metadata metadata_match = 9; - - // The idle timeout for connections managed by the TCP proxy filter. The idle timeout - // is defined as the period in which there are no bytes sent or received on either - // the upstream or downstream connection. If not set, the default idle timeout is 1 hour. If set - // to 0s, the timeout will be disabled. - // - // .. warning:: - // Disabling this timeout has a highly likelihood of yielding connection leaks due to lost TCP - // FIN packets, etc. - google.protobuf.Duration idle_timeout = 8; - - // [#not-implemented-hide:] The idle timeout for connections managed by the TCP proxy - // filter. The idle timeout is defined as the period in which there is no - // active traffic. If not set, there is no idle timeout. When the idle timeout - // is reached the connection will be closed. The distinction between - // downstream_idle_timeout/upstream_idle_timeout provides a means to set - // timeout based on the last byte sent on the downstream/upstream connection. - google.protobuf.Duration downstream_idle_timeout = 3; - - // [#not-implemented-hide:] - google.protobuf.Duration upstream_idle_timeout = 4; - - // Configuration for :ref:`access logs ` - // emitted by the this tcp_proxy. 
- repeated config.accesslog.v4alpha.AccessLog access_log = 5; - - // The maximum number of unsuccessful connection attempts that will be made before - // giving up. If the parameter is not specified, 1 connection attempt will be made. - google.protobuf.UInt32Value max_connect_attempts = 7 [(validate.rules).uint32 = {gte: 1}]; - - // Optional configuration for TCP proxy hash policy. If hash_policy is not set, the hash-based - // load balancing algorithms will select a host randomly. Currently the number of hash policies is - // limited to 1. - repeated type.v3.HashPolicy hash_policy = 11 [(validate.rules).repeated = {max_items: 1}]; - - // If set, this configures tunneling, e.g. configuration options to tunnel TCP payload over - // HTTP CONNECT. If this message is absent, the payload will be proxied upstream as per usual. - TunnelingConfig tunneling_config = 12; - - // The maximum duration of a connection. The duration is defined as the period since a connection - // was established. If not set, there is no max duration. When max_downstream_connection_duration - // is reached the connection will be closed. Duration must be at least 1ms. - google.protobuf.Duration max_downstream_connection_duration = 13 - [(validate.rules).duration = {gte {nanos: 1000000}}]; -} diff --git a/generated_api_shadow/envoy/extensions/filters/network/thrift_proxy/filters/ratelimit/v4alpha/BUILD b/generated_api_shadow/envoy/extensions/filters/network/thrift_proxy/filters/ratelimit/v4alpha/BUILD deleted file mode 100644 index a58bc9ebda54..000000000000 --- a/generated_api_shadow/envoy/extensions/filters/network/thrift_proxy/filters/ratelimit/v4alpha/BUILD +++ /dev/null 
@@ -1,13 +0,0 @@ -# DO NOT EDIT. This file is generated by tools/proto_format/proto_sync.py. - -load("@envoy_api//bazel:api_build_system.bzl", "api_proto_package") - -licenses(["notice"]) # Apache 2 - -api_proto_package( - deps = [ - "//envoy/config/ratelimit/v4alpha:pkg", - "//envoy/extensions/filters/network/thrift_proxy/filters/ratelimit/v3:pkg", - "@com_github_cncf_udpa//udpa/annotations:pkg", - ], -) diff --git a/generated_api_shadow/envoy/extensions/filters/network/thrift_proxy/filters/ratelimit/v4alpha/rate_limit.proto b/generated_api_shadow/envoy/extensions/filters/network/thrift_proxy/filters/ratelimit/v4alpha/rate_limit.proto deleted file mode 100644 index ed2a33290268..000000000000 --- a/generated_api_shadow/envoy/extensions/filters/network/thrift_proxy/filters/ratelimit/v4alpha/rate_limit.proto +++ /dev/null 
@@ -1,56 +0,0 @@ -syntax = "proto3"; - -package envoy.extensions.filters.network.thrift_proxy.filters.ratelimit.v4alpha; - -import "envoy/config/ratelimit/v4alpha/rls.proto"; - -import "google/protobuf/duration.proto"; - -import "udpa/annotations/status.proto"; -import "udpa/annotations/versioning.proto"; -import "validate/validate.proto"; - -option java_package = "io.envoyproxy.envoy.extensions.filters.network.thrift_proxy.filters.ratelimit.v4alpha"; -option java_outer_classname = "RateLimitProto"; -option java_multiple_files = true; -option (udpa.annotations.file_status).package_version_status = NEXT_MAJOR_VERSION_CANDIDATE; - -// [#protodoc-title: Rate limit] -// Rate limit :ref:`configuration overview `. -// [#extension: envoy.filters.thrift.ratelimit] - -// [#next-free-field: 6] -message RateLimit { - option (udpa.annotations.versioning).previous_message_type = - "envoy.extensions.filters.network.thrift_proxy.filters.ratelimit.v3.RateLimit"; - - // The rate limit domain to use in the rate limit service request. - string domain = 1 [(validate.rules).string = {min_len: 1}]; - - // Specifies the rate limit configuration stage. Each configured rate limit filter performs a - // rate limit check using descriptors configured in the - // :ref:`envoy_v3_api_msg_extensions.filters.network.thrift_proxy.v3.RouteAction` for the request. - // Only those entries with a matching stage number are used for a given filter. If not set, the - // default stage number is 0. - // - // .. note:: - // - // The filter supports a range of 0 - 10 inclusively for stage numbers. - uint32 stage = 2 [(validate.rules).uint32 = {lte: 10}]; - - // The timeout in milliseconds for the rate limit service RPC. If not - // set, this defaults to 20ms. - google.protobuf.Duration timeout = 3; - - // The filter's behaviour in case the rate limiting service does - // not respond back. 
When it is set to true, Envoy will not allow traffic in case of - // communication failure between rate limiting service and the proxy. - // Defaults to false. - bool failure_mode_deny = 4; - - // Configuration for an external rate limit service provider. If not - // specified, any calls to the rate limit service will immediately return - // success. - config.ratelimit.v4alpha.RateLimitServiceConfig rate_limit_service = 5 - [(validate.rules).message = {required: true}]; -} diff --git a/generated_api_shadow/envoy/extensions/filters/network/thrift_proxy/v4alpha/BUILD b/generated_api_shadow/envoy/extensions/filters/network/thrift_proxy/v4alpha/BUILD deleted file mode 100644 index 995c04093a7d..000000000000 --- a/generated_api_shadow/envoy/extensions/filters/network/thrift_proxy/v4alpha/BUILD +++ /dev/null @@ -1,14 +0,0 @@ -# DO NOT EDIT. This file is generated by tools/proto_format/proto_sync.py. - -load("@envoy_api//bazel:api_build_system.bzl", "api_proto_package") - -licenses(["notice"]) # Apache 2 - -api_proto_package( - deps = [ - "//envoy/config/core/v4alpha:pkg", - "//envoy/config/route/v4alpha:pkg", - "//envoy/extensions/filters/network/thrift_proxy/v3:pkg", - "@com_github_cncf_udpa//udpa/annotations:pkg", - ], -) diff --git a/generated_api_shadow/envoy/extensions/filters/network/thrift_proxy/v4alpha/route.proto b/generated_api_shadow/envoy/extensions/filters/network/thrift_proxy/v4alpha/route.proto deleted file mode 100644 index 48caaadf2b75..000000000000 --- a/generated_api_shadow/envoy/extensions/filters/network/thrift_proxy/v4alpha/route.proto +++ /dev/null 
@@ -1,186 +0,0 @@ -syntax = "proto3"; - -package envoy.extensions.filters.network.thrift_proxy.v4alpha; - -import "envoy/config/core/v4alpha/base.proto"; -import "envoy/config/route/v4alpha/route_components.proto"; - -import "google/protobuf/wrappers.proto"; - -import "udpa/annotations/status.proto"; -import "udpa/annotations/versioning.proto"; -import "validate/validate.proto"; - -option java_package = "io.envoyproxy.envoy.extensions.filters.network.thrift_proxy.v4alpha"; -option java_outer_classname = "RouteProto"; -option java_multiple_files = true; -option (udpa.annotations.file_status).package_version_status = NEXT_MAJOR_VERSION_CANDIDATE; - -// [#protodoc-title: Thrift Proxy Route Configuration] -// Thrift Proxy :ref:`configuration overview `. - -message RouteConfiguration { - option (udpa.annotations.versioning).previous_message_type = - "envoy.extensions.filters.network.thrift_proxy.v3.RouteConfiguration"; - - // The name of the route configuration. Reserved for future use in asynchronous route discovery. - string name = 1; - - // The list of routes that will be matched, in order, against incoming requests. The first route - // that matches will be used. - repeated Route routes = 2; -} - -message Route { - option (udpa.annotations.versioning).previous_message_type = - "envoy.extensions.filters.network.thrift_proxy.v3.Route"; - - // Route matching parameters. - RouteMatch match = 1 [(validate.rules).message = {required: true}]; - - // Route request to some upstream cluster. - RouteAction route = 2 [(validate.rules).message = {required: true}]; -} - -message RouteMatch { - option (udpa.annotations.versioning).previous_message_type = - "envoy.extensions.filters.network.thrift_proxy.v3.RouteMatch"; - - oneof match_specifier { - option (validate.required) = true; - - // If specified, the route must exactly match the request method name. As a special case, an - // empty string matches any request method name. 
- string method_name = 1; - - // If specified, the route must have the service name as the request method name prefix. As a - // special case, an empty string matches any service name. Only relevant when service - // multiplexing. - string service_name = 2; - } - - // Inverts whatever matching is done in the :ref:`method_name - // ` or - // :ref:`service_name - // ` fields. - // Cannot be combined with wildcard matching as that would result in routes never being matched. - // - // .. note:: - // - // This does not invert matching done as part of the :ref:`headers field - // ` field. To - // invert header matching, see :ref:`invert_match - // `. - bool invert = 3; - - // Specifies a set of headers that the route should match on. The router will check the request’s - // headers against all the specified headers in the route config. A match will happen if all the - // headers in the route are present in the request with the same values (or based on presence if - // the value field is not in the config). Note that this only applies for Thrift transports and/or - // protocols that support headers. - repeated config.route.v4alpha.HeaderMatcher headers = 4; -} - -// [#next-free-field: 8] -message RouteAction { - option (udpa.annotations.versioning).previous_message_type = - "envoy.extensions.filters.network.thrift_proxy.v3.RouteAction"; - - // The router is capable of shadowing traffic from one cluster to another. The current - // implementation is "fire and forget," meaning Envoy will not wait for the shadow cluster to - // respond before returning the response from the primary cluster. All normal statistics are - // collected for the shadow cluster making this feature useful for testing. - // - // .. note:: - // - // Shadowing will not be triggered if the primary cluster does not exist. 
- message RequestMirrorPolicy { - option (udpa.annotations.versioning).previous_message_type = - "envoy.extensions.filters.network.thrift_proxy.v3.RouteAction.RequestMirrorPolicy"; - - // Specifies the cluster that requests will be mirrored to. The cluster must - // exist in the cluster manager configuration when the route configuration is loaded. - // If it disappears at runtime, the shadow request will silently be ignored. - string cluster = 1 [(validate.rules).string = {min_len: 1}]; - - // If not specified, all requests to the target cluster will be mirrored. - // - // For some fraction N/D, a random number in the range [0,D) is selected. If the - // number is <= the value of the numerator N, or if the key is not present, the default - // value, the request will be mirrored. - config.core.v4alpha.RuntimeFractionalPercent runtime_fraction = 2; - } - - oneof cluster_specifier { - option (validate.required) = true; - - // Indicates a single upstream cluster to which the request should be routed - // to. - string cluster = 1 [(validate.rules).string = {min_len: 1}]; - - // Multiple upstream clusters can be specified for a given route. The - // request is routed to one of the upstream clusters based on weights - // assigned to each cluster. - WeightedCluster weighted_clusters = 2; - - // Envoy will determine the cluster to route to by reading the value of the - // Thrift header named by cluster_header from the request headers. If the - // header is not found or the referenced cluster does not exist Envoy will - // respond with an unknown method exception or an internal error exception, - // respectively. - string cluster_header = 6 - [(validate.rules).string = {min_len: 1 well_known_regex: HTTP_HEADER_VALUE strict: false}]; - } - - // Optional endpoint metadata match criteria used by the subset load balancer. Only endpoints in - // the upstream cluster with metadata matching what is set in this field will be considered. 
- // Note that this will be merged with what's provided in :ref:`WeightedCluster.metadata_match - // `, - // with values there taking precedence. Keys and values should be provided under the "envoy.lb" - // metadata key. - config.core.v4alpha.Metadata metadata_match = 3; - - // Specifies a set of rate limit configurations that could be applied to the route. - // N.B. Thrift service or method name matching can be achieved by specifying a RequestHeaders - // action with the header name ":method-name". - repeated config.route.v4alpha.RateLimit rate_limits = 4; - - // Strip the service prefix from the method name, if there's a prefix. For - // example, the method call Service:method would end up being just method. - bool strip_service_name = 5; - - // Indicates that the route has request mirroring policies. - repeated RequestMirrorPolicy request_mirror_policies = 7; -} - -// Allows for specification of multiple upstream clusters along with weights that indicate the -// percentage of traffic to be forwarded to each cluster. The router selects an upstream cluster -// based on these weights. -message WeightedCluster { - option (udpa.annotations.versioning).previous_message_type = - "envoy.extensions.filters.network.thrift_proxy.v3.WeightedCluster"; - - message ClusterWeight { - option (udpa.annotations.versioning).previous_message_type = - "envoy.extensions.filters.network.thrift_proxy.v3.WeightedCluster.ClusterWeight"; - - // Name of the upstream cluster. - string name = 1 [(validate.rules).string = {min_len: 1}]; - - // When a request matches the route, the choice of an upstream cluster is determined by its - // weight. The sum of weights across all entries in the clusters array determines the total - // weight. - google.protobuf.UInt32Value weight = 2 [(validate.rules).uint32 = {gte: 1}]; - - // Optional endpoint metadata match criteria used by the subset load balancer. 
Only endpoints in - // the upstream cluster with metadata matching what is set in this field, combined with what's - // provided in :ref:`RouteAction's metadata_match - // `, - // will be considered. Values here will take precedence. Keys and values should be provided - // under the "envoy.lb" metadata key. - config.core.v4alpha.Metadata metadata_match = 3; - } - - // Specifies one or more upstream clusters associated with the route. - repeated ClusterWeight clusters = 1 [(validate.rules).repeated = {min_items: 1}]; -} diff --git a/generated_api_shadow/envoy/extensions/filters/network/thrift_proxy/v4alpha/thrift_proxy.proto b/generated_api_shadow/envoy/extensions/filters/network/thrift_proxy/v4alpha/thrift_proxy.proto deleted file mode 100644 index de399582869a..000000000000 --- a/generated_api_shadow/envoy/extensions/filters/network/thrift_proxy/v4alpha/thrift_proxy.proto +++ /dev/null 
@@ -1,140 +0,0 @@ -syntax = "proto3"; - -package envoy.extensions.filters.network.thrift_proxy.v4alpha; - -import "envoy/extensions/filters/network/thrift_proxy/v4alpha/route.proto"; - -import "google/protobuf/any.proto"; -import "google/protobuf/wrappers.proto"; - -import "udpa/annotations/status.proto"; -import "udpa/annotations/versioning.proto"; -import "validate/validate.proto"; - -option java_package = "io.envoyproxy.envoy.extensions.filters.network.thrift_proxy.v4alpha"; -option java_outer_classname = "ThriftProxyProto"; -option java_multiple_files = true; -option (udpa.annotations.file_status).package_version_status = NEXT_MAJOR_VERSION_CANDIDATE; - -// [#protodoc-title: Thrift Proxy] -// Thrift Proxy :ref:`configuration overview `. -// [#extension: envoy.filters.network.thrift_proxy] - -// Thrift transport types supported by Envoy. -enum TransportType { - // For downstream connections, the Thrift proxy will attempt to determine which transport to use. - // For upstream connections, the Thrift proxy will use same transport as the downstream - // connection. - AUTO_TRANSPORT = 0; - - // The Thrift proxy will use the Thrift framed transport. - FRAMED = 1; - - // The Thrift proxy will use the Thrift unframed transport. - UNFRAMED = 2; - - // The Thrift proxy will assume the client is using the Thrift header transport. - HEADER = 3; -} - -// Thrift Protocol types supported by Envoy. -enum ProtocolType { - // For downstream connections, the Thrift proxy will attempt to determine which protocol to use. - // Note that the older, non-strict (or lax) binary protocol is not included in automatic protocol - // detection. For upstream connections, the Thrift proxy will use the same protocol as the - // downstream connection. - AUTO_PROTOCOL = 0; - - // The Thrift proxy will use the Thrift binary protocol. - BINARY = 1; - - // The Thrift proxy will use Thrift non-strict binary protocol. - LAX_BINARY = 2; - - // The Thrift proxy will use the Thrift compact protocol. 
- COMPACT = 3; - - // The Thrift proxy will use the Thrift "Twitter" protocol implemented by the finagle library. - TWITTER = 4; -} - -// [#next-free-field: 8] -message ThriftProxy { - option (udpa.annotations.versioning).previous_message_type = - "envoy.extensions.filters.network.thrift_proxy.v3.ThriftProxy"; - - // Supplies the type of transport that the Thrift proxy should use. Defaults to - // :ref:`AUTO_TRANSPORT`. - TransportType transport = 2 [(validate.rules).enum = {defined_only: true}]; - - // Supplies the type of protocol that the Thrift proxy should use. Defaults to - // :ref:`AUTO_PROTOCOL`. - ProtocolType protocol = 3 [(validate.rules).enum = {defined_only: true}]; - - // The human readable prefix to use when emitting statistics. - string stat_prefix = 1 [(validate.rules).string = {min_len: 1}]; - - // The route table for the connection manager is static and is specified in this property. - RouteConfiguration route_config = 4; - - // A list of individual Thrift filters that make up the filter chain for requests made to the - // Thrift proxy. Order matters as the filters are processed sequentially. For backwards - // compatibility, if no thrift_filters are specified, a default Thrift router filter - // (`envoy.filters.thrift.router`) is used. - // [#extension-category: envoy.thrift_proxy.filters] - repeated ThriftFilter thrift_filters = 5; - - // If set to true, Envoy will try to skip decode data after metadata in the Thrift message. - // This mode will only work if the upstream and downstream protocols are the same and the transport - // is the same, the transport type is framed and the protocol is not Twitter. Otherwise Envoy will - // fallback to decode the data. - bool payload_passthrough = 6; - - // Optional maximum requests for a single downstream connection. If not specified, there is no limit. - google.protobuf.UInt32Value max_requests_per_connection = 7; -} - -// ThriftFilter configures a Thrift filter. 
-message ThriftFilter { - option (udpa.annotations.versioning).previous_message_type = - "envoy.extensions.filters.network.thrift_proxy.v3.ThriftFilter"; - - reserved 2; - - reserved "config"; - - // The name of the filter to instantiate. The name must match a supported - // filter. The built-in filters are: - // - // [#comment:TODO(zuercher): Auto generate the following list] - // * :ref:`envoy.filters.thrift.router ` - // * :ref:`envoy.filters.thrift.rate_limit ` - string name = 1 [(validate.rules).string = {min_len: 1}]; - - // Filter specific configuration which depends on the filter being instantiated. See the supported - // filters for further documentation. - oneof config_type { - google.protobuf.Any typed_config = 3; - } -} - -// ThriftProtocolOptions specifies Thrift upstream protocol options. This object is used in -// in -// :ref:`typed_extension_protocol_options`, -// keyed by the name `envoy.filters.network.thrift_proxy`. -message ThriftProtocolOptions { - option (udpa.annotations.versioning).previous_message_type = - "envoy.extensions.filters.network.thrift_proxy.v3.ThriftProtocolOptions"; - - // Supplies the type of transport that the Thrift proxy should use for upstream connections. - // Selecting - // :ref:`AUTO_TRANSPORT`, - // which is the default, causes the proxy to use the same transport as the downstream connection. - TransportType transport = 1 [(validate.rules).enum = {defined_only: true}]; - - // Supplies the type of protocol that the Thrift proxy should use for upstream connections. - // Selecting - // :ref:`AUTO_PROTOCOL`, - // which is the default, causes the proxy to use the same protocol as the downstream connection. - ProtocolType protocol = 2 [(validate.rules).enum = {defined_only: true}]; -} diff --git a/generated_api_shadow/envoy/extensions/filters/udp/dns_filter/v4alpha/BUILD b/generated_api_shadow/envoy/extensions/filters/udp/dns_filter/v4alpha/BUILD deleted file mode 100644 index 28c2427c4a49..000000000000 
--- a/generated_api_shadow/envoy/extensions/filters/udp/dns_filter/v4alpha/BUILD +++ /dev/null @@ -1,14 +0,0 @@ -# DO NOT EDIT. This file is generated by tools/proto_format/proto_sync.py. - -load("@envoy_api//bazel:api_build_system.bzl", "api_proto_package") - -licenses(["notice"]) # Apache 2 - -api_proto_package( - deps = [ - "//envoy/config/core/v4alpha:pkg", - "//envoy/data/dns/v4alpha:pkg", - "//envoy/extensions/filters/udp/dns_filter/v3alpha:pkg", - "@com_github_cncf_udpa//udpa/annotations:pkg", - ], -) diff --git a/generated_api_shadow/envoy/extensions/filters/udp/dns_filter/v4alpha/dns_filter.proto b/generated_api_shadow/envoy/extensions/filters/udp/dns_filter/v4alpha/dns_filter.proto deleted file mode 100644 index 6957e58dbb06..000000000000 --- a/generated_api_shadow/envoy/extensions/filters/udp/dns_filter/v4alpha/dns_filter.proto +++ /dev/null 
@@ -1,84 +0,0 @@ -syntax = "proto3"; - -package envoy.extensions.filters.udp.dns_filter.v4alpha; - -import "envoy/config/core/v4alpha/base.proto"; -import "envoy/config/core/v4alpha/resolver.proto"; -import "envoy/data/dns/v4alpha/dns_table.proto"; - -import "google/protobuf/duration.proto"; - -import "udpa/annotations/status.proto"; -import "udpa/annotations/versioning.proto"; -import "validate/validate.proto"; - -option java_package = "io.envoyproxy.envoy.extensions.filters.udp.dns_filter.v4alpha"; -option java_outer_classname = "DnsFilterProto"; -option java_multiple_files = true; -option (udpa.annotations.file_status).work_in_progress = true; -option (udpa.annotations.file_status).package_version_status = NEXT_MAJOR_VERSION_CANDIDATE; - -// [#protodoc-title: DNS Filter] -// DNS Filter :ref:`configuration overview `. -// [#extension: envoy.filters.udp_listener.dns_filter] - -// Configuration for the DNS filter. -message DnsFilterConfig { - option (udpa.annotations.versioning).previous_message_type = - "envoy.extensions.filters.udp.dns_filter.v3alpha.DnsFilterConfig"; - - // This message contains the configuration for the DNS Filter operating - // in a server context. This message will contain the virtual hosts and - // associated addresses with which Envoy will respond to queries - message ServerContextConfig { - option (udpa.annotations.versioning).previous_message_type = - "envoy.extensions.filters.udp.dns_filter.v3alpha.DnsFilterConfig.ServerContextConfig"; - - oneof config_source { - option (validate.required) = true; - - // Load the configuration specified from the control plane - data.dns.v4alpha.DnsTable inline_dns_table = 1; - - // Seed the filter configuration from an external path. 
This source - // is a yaml formatted file that contains the DnsTable driving Envoy's - // responses to DNS queries - config.core.v4alpha.DataSource external_dns_table = 2; - } - } - - // This message contains the configuration for the DNS Filter operating - // in a client context. This message will contain the timeouts, retry, - // and forwarding configuration for Envoy to make DNS requests to other - // resolvers - message ClientContextConfig { - option (udpa.annotations.versioning).previous_message_type = - "envoy.extensions.filters.udp.dns_filter.v3alpha.DnsFilterConfig.ClientContextConfig"; - - // Sets the maximum time we will wait for the upstream query to complete - // We allow 5s for the upstream resolution to complete, so the minimum - // value here is 1. Note that the total latency for a failed query is the - // number of retries multiplied by the resolver_timeout. - google.protobuf.Duration resolver_timeout = 1 [(validate.rules).duration = {gte {seconds: 1}}]; - - // DNS resolution configuration which includes the underlying dns resolver addresses and options. - config.core.v4alpha.DnsResolutionConfig dns_resolution_config = 2; - - // Controls how many outstanding external lookup contexts the filter tracks. - // The context structure allows the filter to respond to every query even if the external - // resolution times out or is otherwise unsuccessful - uint64 max_pending_lookups = 3 [(validate.rules).uint64 = {gte: 1}]; - } - - // The stat prefix used when emitting DNS filter statistics - string stat_prefix = 1 [(validate.rules).string = {min_len: 1}]; - - // Server context configuration contains the data that the filter uses to respond - // to DNS requests. - ServerContextConfig server_config = 2; - - // Client context configuration controls Envoy's behavior when it must use external - // resolvers to answer a query. 
This object is optional and if omitted instructs - // the filter to resolve queries from the data in the server_config - ClientContextConfig client_config = 3; -} diff --git a/generated_api_shadow/envoy/extensions/tracers/datadog/v4alpha/BUILD b/generated_api_shadow/envoy/extensions/tracers/datadog/v4alpha/BUILD deleted file mode 100644 index d500cc41da1f..000000000000 --- a/generated_api_shadow/envoy/extensions/tracers/datadog/v4alpha/BUILD +++ /dev/null @@ -1,12 +0,0 @@ -# DO NOT EDIT. This file is generated by tools/proto_format/proto_sync.py. - -load("@envoy_api//bazel:api_build_system.bzl", "api_proto_package") - -licenses(["notice"]) # Apache 2 - -api_proto_package( - deps = [ - "//envoy/config/trace/v3:pkg", - "@com_github_cncf_udpa//udpa/annotations:pkg", - ], -) diff --git a/generated_api_shadow/envoy/extensions/tracers/datadog/v4alpha/datadog.proto b/generated_api_shadow/envoy/extensions/tracers/datadog/v4alpha/datadog.proto deleted file mode 100644 index f41c8added21..000000000000 --- a/generated_api_shadow/envoy/extensions/tracers/datadog/v4alpha/datadog.proto +++ /dev/null 
@@ -1,27 +0,0 @@ -syntax = "proto3"; - -package envoy.extensions.tracers.datadog.v4alpha; - -import "udpa/annotations/status.proto"; -import "udpa/annotations/versioning.proto"; -import "validate/validate.proto"; - -option java_package = "io.envoyproxy.envoy.extensions.tracers.datadog.v4alpha"; -option java_outer_classname = "DatadogProto"; -option java_multiple_files = true; -option (udpa.annotations.file_status).package_version_status = NEXT_MAJOR_VERSION_CANDIDATE; - -// [#protodoc-title: Datadog tracer] - -// Configuration for the Datadog tracer. -// [#extension: envoy.tracers.datadog] -message DatadogConfig { - option (udpa.annotations.versioning).previous_message_type = - "envoy.config.trace.v3.DatadogConfig"; - - // The cluster to use for submitting traces to the Datadog agent. - string collector_cluster = 1 [(validate.rules).string = {min_len: 1}]; - - // The name used for the service when traces are generated by envoy. - string service_name = 2 [(validate.rules).string = {min_len: 1}]; -} diff --git a/generated_api_shadow/envoy/extensions/tracers/dynamic_ot/v4alpha/BUILD b/generated_api_shadow/envoy/extensions/tracers/dynamic_ot/v4alpha/BUILD deleted file mode 100644 index d500cc41da1f..000000000000 --- a/generated_api_shadow/envoy/extensions/tracers/dynamic_ot/v4alpha/BUILD +++ /dev/null @@ -1,12 +0,0 @@ -# DO NOT EDIT. This file is generated by tools/proto_format/proto_sync.py. - -load("@envoy_api//bazel:api_build_system.bzl", "api_proto_package") - -licenses(["notice"]) # Apache 2 - -api_proto_package( - deps = [ - "//envoy/config/trace/v3:pkg", - "@com_github_cncf_udpa//udpa/annotations:pkg", - ], -) diff --git a/generated_api_shadow/envoy/extensions/tracers/dynamic_ot/v4alpha/dynamic_ot.proto b/generated_api_shadow/envoy/extensions/tracers/dynamic_ot/v4alpha/dynamic_ot.proto deleted file mode 100644 index 21455a974d3b..000000000000 --- a/generated_api_shadow/envoy/extensions/tracers/dynamic_ot/v4alpha/dynamic_ot.proto +++ /dev/null 
@@ -1,33 +0,0 @@ -syntax = "proto3"; - -package envoy.extensions.tracers.dynamic_ot.v4alpha; - -import "google/protobuf/struct.proto"; - -import "udpa/annotations/status.proto"; -import "udpa/annotations/versioning.proto"; -import "validate/validate.proto"; - -option java_package = "io.envoyproxy.envoy.extensions.tracers.dynamic_ot.v4alpha"; -option java_outer_classname = "DynamicOtProto"; -option java_multiple_files = true; -option (udpa.annotations.file_status).package_version_status = NEXT_MAJOR_VERSION_CANDIDATE; - -// [#protodoc-title: Dynamically loadable OpenTracing tracer] - -// DynamicOtConfig is used to dynamically load a tracer from a shared library -// that implements the `OpenTracing dynamic loading API -// `_. -// [#extension: envoy.tracers.dynamic_ot] -message DynamicOtConfig { - option (udpa.annotations.versioning).previous_message_type = - "envoy.config.trace.v3.DynamicOtConfig"; - - // Dynamic library implementing the `OpenTracing API - // `_. - string library = 1 [(validate.rules).string = {min_len: 1}]; - - // The configuration to use when creating a tracer from the given dynamic - // library. - google.protobuf.Struct config = 2; -} diff --git a/generated_api_shadow/envoy/extensions/tracers/lightstep/v4alpha/BUILD b/generated_api_shadow/envoy/extensions/tracers/lightstep/v4alpha/BUILD deleted file mode 100644 index 8e63f3d42668..000000000000 --- a/generated_api_shadow/envoy/extensions/tracers/lightstep/v4alpha/BUILD +++ /dev/null @@ -1,14 +0,0 @@ -# DO NOT EDIT. This file is generated by tools/proto_format/proto_sync.py. - -load("@envoy_api//bazel:api_build_system.bzl", "api_proto_package") - -licenses(["notice"]) # Apache 2 - -api_proto_package( - deps = [ - "//envoy/annotations:pkg", - "//envoy/config/core/v4alpha:pkg", - "//envoy/config/trace/v3:pkg", - "@com_github_cncf_udpa//udpa/annotations:pkg", - ], -) 
diff --git a/generated_api_shadow/envoy/extensions/tracers/lightstep/v4alpha/lightstep.proto b/generated_api_shadow/envoy/extensions/tracers/lightstep/v4alpha/lightstep.proto deleted file mode 100644 index c169d86e0ca0..000000000000 --- a/generated_api_shadow/envoy/extensions/tracers/lightstep/v4alpha/lightstep.proto +++ /dev/null 
@@ -1,54 +0,0 @@ -syntax = "proto3"; - -package envoy.extensions.tracers.lightstep.v4alpha; - -import "envoy/config/core/v4alpha/base.proto"; - -import "envoy/annotations/deprecation.proto"; -import "udpa/annotations/status.proto"; -import "udpa/annotations/versioning.proto"; -import "validate/validate.proto"; - -option java_package = "io.envoyproxy.envoy.extensions.tracers.lightstep.v4alpha"; -option java_outer_classname = "LightstepProto"; -option java_multiple_files = true; -option (udpa.annotations.file_status).package_version_status = NEXT_MAJOR_VERSION_CANDIDATE; - -// [#protodoc-title: LightStep tracer] - -// Configuration for the LightStep tracer. -// [#extension: envoy.tracers.lightstep] -message LightstepConfig { - option (udpa.annotations.versioning).previous_message_type = - "envoy.config.trace.v3.LightstepConfig"; - - // Available propagation modes - enum PropagationMode { - // Propagate trace context in the single header x-ot-span-context. - ENVOY = 0; - - // Propagate trace context using LightStep's native format. - LIGHTSTEP = 1; - - // Propagate trace context using the b3 format. - B3 = 2; - - // Propagation trace context using the w3 trace-context standard. - TRACE_CONTEXT = 3; - } - - // The cluster manager cluster that hosts the LightStep collectors. - string collector_cluster = 1 [(validate.rules).string = {min_len: 1}]; - - // File containing the access token to the `LightStep - // `_ API. - string hidden_envoy_deprecated_access_token_file = 2 - [deprecated = true, (envoy.annotations.deprecated_at_minor_version) = "3.0"]; - - // Access token to the `LightStep `_ API. - config.core.v4alpha.DataSource access_token = 4; - - // Propagation modes to use by LightStep's tracer. - repeated PropagationMode propagation_modes = 3 - [(validate.rules).repeated = {items {enum {defined_only: true}}}]; -} 
diff --git a/generated_api_shadow/envoy/extensions/tracers/opencensus/v4alpha/BUILD b/generated_api_shadow/envoy/extensions/tracers/opencensus/v4alpha/BUILD deleted file mode 100644 index cedd6b14bf88..000000000000 --- a/generated_api_shadow/envoy/extensions/tracers/opencensus/v4alpha/BUILD +++ /dev/null @@ -1,15 +0,0 @@ -# DO NOT EDIT. This file is generated by tools/proto_format/proto_sync.py. - -load("@envoy_api//bazel:api_build_system.bzl", "api_proto_package") - -licenses(["notice"]) # Apache 2 - -api_proto_package( - deps = [ - "//envoy/annotations:pkg", - "//envoy/config/core/v4alpha:pkg", - "//envoy/config/trace/v3:pkg", - "@com_github_cncf_udpa//udpa/annotations:pkg", - "@opencensus_proto//opencensus/proto/trace/v1:trace_config_proto", - ], -) diff --git a/generated_api_shadow/envoy/extensions/tracers/opencensus/v4alpha/opencensus.proto b/generated_api_shadow/envoy/extensions/tracers/opencensus/v4alpha/opencensus.proto deleted file mode 100644 index 792ff58454c9..000000000000 --- a/generated_api_shadow/envoy/extensions/tracers/opencensus/v4alpha/opencensus.proto +++ /dev/null 
@@ -1,102 +0,0 @@ -syntax = "proto3"; - -package envoy.extensions.tracers.opencensus.v4alpha; - -import "envoy/config/core/v4alpha/grpc_service.proto"; - -import "opencensus/proto/trace/v1/trace_config.proto"; - -import "envoy/annotations/deprecation.proto"; -import "udpa/annotations/status.proto"; -import "udpa/annotations/versioning.proto"; - -option java_package = "io.envoyproxy.envoy.extensions.tracers.opencensus.v4alpha"; -option java_outer_classname = "OpencensusProto"; -option java_multiple_files = true; -option (udpa.annotations.file_status).package_version_status = NEXT_MAJOR_VERSION_CANDIDATE; - -// [#protodoc-title: OpenCensus tracer] - -// Configuration for the OpenCensus tracer. -// [#next-free-field: 15] -// [#extension: envoy.tracers.opencensus] -message OpenCensusConfig { - option (udpa.annotations.versioning).previous_message_type = - "envoy.config.trace.v3.OpenCensusConfig"; - - enum TraceContext { - // No-op default, no trace context is utilized. - NONE = 0; - - // W3C Trace-Context format "traceparent:" header. - TRACE_CONTEXT = 1; - - // Binary "grpc-trace-bin:" header. - GRPC_TRACE_BIN = 2; - - // "X-Cloud-Trace-Context:" header. - CLOUD_TRACE_CONTEXT = 3; - - // X-B3-* headers. - B3 = 4; - } - - reserved 7; - - // Configures tracing, e.g. the sampler, max number of annotations, etc. - .opencensus.proto.trace.v1.TraceConfig trace_config = 1; - - // Enables the stdout exporter if set to true. This is intended for debugging - // purposes. - bool stdout_exporter_enabled = 2; - - // Enables the Stackdriver exporter if set to true. The project_id must also - // be set. - bool stackdriver_exporter_enabled = 3; - - // The Cloud project_id to use for Stackdriver tracing. - string stackdriver_project_id = 4; - - // (optional) By default, the Stackdriver exporter will connect to production - // Stackdriver. 
If stackdriver_address is non-empty, it will instead connect - // to this address, which is in the gRPC format: - // https://github.com/grpc/grpc/blob/master/doc/naming.md - string stackdriver_address = 10; - - // (optional) The gRPC server that hosts Stackdriver tracing service. Only - // Google gRPC is supported. If :ref:`target_uri ` - // is not provided, the default production Stackdriver address will be used. - config.core.v4alpha.GrpcService stackdriver_grpc_service = 13; - - // Enables the Zipkin exporter if set to true. The url and service name must - // also be set. This is deprecated, prefer to use Envoy's :ref:`native Zipkin - // tracer `. - bool hidden_envoy_deprecated_zipkin_exporter_enabled = 5 - [deprecated = true, (envoy.annotations.deprecated_at_minor_version) = "3.0"]; - - // The URL to Zipkin, e.g. "http://127.0.0.1:9411/api/v2/spans". This is - // deprecated, prefer to use Envoy's :ref:`native Zipkin tracer - // `. - string hidden_envoy_deprecated_zipkin_url = 6 - [deprecated = true, (envoy.annotations.deprecated_at_minor_version) = "3.0"]; - - // Enables the OpenCensus Agent exporter if set to true. The ocagent_address or - // ocagent_grpc_service must also be set. - bool ocagent_exporter_enabled = 11; - - // The address of the OpenCensus Agent, if its exporter is enabled, in gRPC - // format: https://github.com/grpc/grpc/blob/master/doc/naming.md - // [#comment:TODO: deprecate this field] - string ocagent_address = 12; - - // (optional) The gRPC server hosted by the OpenCensus Agent. Only Google gRPC is supported. - // This is only used if the ocagent_address is left empty. - config.core.v4alpha.GrpcService ocagent_grpc_service = 14; - - // List of incoming trace context headers we will accept. First one found - // wins. - repeated TraceContext incoming_trace_context = 8; - - // List of outgoing trace context headers we will produce. - repeated TraceContext outgoing_trace_context = 9; -} 
diff --git a/generated_api_shadow/envoy/extensions/tracers/skywalking/v4alpha/BUILD b/generated_api_shadow/envoy/extensions/tracers/skywalking/v4alpha/BUILD deleted file mode 100644 index 1d56979cc466..000000000000 --- a/generated_api_shadow/envoy/extensions/tracers/skywalking/v4alpha/BUILD +++ /dev/null @@ -1,13 +0,0 @@ -# DO NOT EDIT. This file is generated by tools/proto_format/proto_sync.py. - -load("@envoy_api//bazel:api_build_system.bzl", "api_proto_package") - -licenses(["notice"]) # Apache 2 - -api_proto_package( - deps = [ - "//envoy/config/core/v4alpha:pkg", - "//envoy/config/trace/v3:pkg", - "@com_github_cncf_udpa//udpa/annotations:pkg", - ], -) diff --git a/generated_api_shadow/envoy/extensions/tracers/skywalking/v4alpha/skywalking.proto b/generated_api_shadow/envoy/extensions/tracers/skywalking/v4alpha/skywalking.proto deleted file mode 100644 index 37936faa6133..000000000000 --- a/generated_api_shadow/envoy/extensions/tracers/skywalking/v4alpha/skywalking.proto +++ /dev/null 
@@ -1,68 +0,0 @@ -syntax = "proto3"; - -package envoy.extensions.tracers.skywalking.v4alpha; - -import "envoy/config/core/v4alpha/grpc_service.proto"; - -import "google/protobuf/wrappers.proto"; - -import "udpa/annotations/sensitive.proto"; -import "udpa/annotations/status.proto"; -import "udpa/annotations/versioning.proto"; -import "validate/validate.proto"; - -option java_package = "io.envoyproxy.envoy.extensions.tracers.skywalking.v4alpha"; -option java_outer_classname = "SkywalkingProto"; -option java_multiple_files = true; -option (udpa.annotations.file_status).package_version_status = NEXT_MAJOR_VERSION_CANDIDATE; - -// [#protodoc-title: SkyWalking tracer] - -// Configuration for the SkyWalking tracer. Please note that if SkyWalking tracer is used as the -// provider of http tracer, then -// :ref:`start_child_span ` -// in the router must be set to true to get the correct topology and tracing data. Moreover, SkyWalking -// Tracer does not support SkyWalking extension header (``sw8-x``) temporarily. -// [#extension: envoy.tracers.skywalking] -message SkyWalkingConfig { - option (udpa.annotations.versioning).previous_message_type = - "envoy.config.trace.v3.SkyWalkingConfig"; - - // SkyWalking collector service. - config.core.v4alpha.GrpcService grpc_service = 1 [(validate.rules).message = {required: true}]; - - ClientConfig client_config = 2; -} - -// Client config for SkyWalking tracer. -message ClientConfig { - option (udpa.annotations.versioning).previous_message_type = "envoy.config.trace.v3.ClientConfig"; - - // Service name for SkyWalking tracer. If this field is empty, then local service cluster name - // that configured by :ref:`Bootstrap node ` - // message's :ref:`cluster ` field or command line - // option :option:`--service-cluster` will be used. If both this field and local service cluster - // name are empty, ``EnvoyProxy`` is used as the service name by default. - string service_name = 1; - - // Service instance name for SkyWalking tracer. 
If this field is empty, then local service node - // that configured by :ref:`Bootstrap node ` - // message's :ref:`id ` field or command line option - // :option:`--service-node` will be used. If both this field and local service node are empty, - // ``EnvoyProxy`` is used as the instance name by default. - string instance_name = 2; - - // Authentication token config for SkyWalking. SkyWalking can use token authentication to secure - // that monitoring application data can be trusted. In current version, Token is considered as a - // simple string. - // [#comment:TODO(wbpcode): Get backend token through the SDS API.] - oneof backend_token_specifier { - // Inline authentication token string. - string backend_token = 3 [(udpa.annotations.sensitive) = true]; - } - - // Envoy caches the segment in memory when the SkyWalking backend service is temporarily unavailable. - // This field specifies the maximum number of segments that can be cached. If not specified, the - // default is 1024. - google.protobuf.UInt32Value max_cache_size = 4; -} diff --git a/generated_api_shadow/envoy/extensions/tracers/xray/v4alpha/BUILD b/generated_api_shadow/envoy/extensions/tracers/xray/v4alpha/BUILD deleted file mode 100644 index 1d56979cc466..000000000000 --- a/generated_api_shadow/envoy/extensions/tracers/xray/v4alpha/BUILD +++ /dev/null @@ -1,13 +0,0 @@ -# DO NOT EDIT. This file is generated by tools/proto_format/proto_sync.py. - -load("@envoy_api//bazel:api_build_system.bzl", "api_proto_package") - -licenses(["notice"]) # Apache 2 - -api_proto_package( - deps = [ - "//envoy/config/core/v4alpha:pkg", - "//envoy/config/trace/v3:pkg", - "@com_github_cncf_udpa//udpa/annotations:pkg", - ], -) diff --git a/generated_api_shadow/envoy/extensions/tracers/xray/v4alpha/xray.proto b/generated_api_shadow/envoy/extensions/tracers/xray/v4alpha/xray.proto deleted file mode 100644 index 649f294b4273..000000000000 
--- a/generated_api_shadow/envoy/extensions/tracers/xray/v4alpha/xray.proto +++ /dev/null @@ -1,55 +0,0 @@ -syntax = "proto3"; - -package envoy.extensions.tracers.xray.v4alpha; - -import "envoy/config/core/v4alpha/address.proto"; -import "envoy/config/core/v4alpha/base.proto"; - -import "google/protobuf/struct.proto"; - -import "udpa/annotations/status.proto"; -import "udpa/annotations/versioning.proto"; -import "validate/validate.proto"; - -option java_package = "io.envoyproxy.envoy.extensions.tracers.xray.v4alpha"; -option java_outer_classname = "XrayProto"; -option java_multiple_files = true; -option (udpa.annotations.file_status).package_version_status = NEXT_MAJOR_VERSION_CANDIDATE; - -// [#protodoc-title: AWS X-Ray Tracer Configuration] -// Configuration for AWS X-Ray tracer - -// [#extension: envoy.tracers.xray] -message XRayConfig { - option (udpa.annotations.versioning).previous_message_type = "envoy.config.trace.v3.XRayConfig"; - - message SegmentFields { - option (udpa.annotations.versioning).previous_message_type = - "envoy.config.trace.v3.XRayConfig.SegmentFields"; - - // The type of AWS resource, e.g. "AWS::AppMesh::Proxy". - string origin = 1; - - // AWS resource metadata dictionary. - // See: `X-Ray Segment Document documentation `__ - google.protobuf.Struct aws = 2; - } - - // The UDP endpoint of the X-Ray Daemon where the spans will be sent. - // If this value is not set, the default value of 127.0.0.1:2000 will be used. - config.core.v4alpha.SocketAddress daemon_endpoint = 1; - - // The name of the X-Ray segment. - string segment_name = 2 [(validate.rules).string = {min_len: 1}]; - - // The location of a local custom sampling rules JSON file. - // For an example of the sampling rules see: - // `X-Ray SDK documentation - // `_ - config.core.v4alpha.DataSource sampling_rule_manifest = 3; - - // Optional custom fields to be added to each trace segment. - // see: `X-Ray Segment Document documentation - // `__ - SegmentFields segment_fields = 4; -} 
diff --git a/generated_api_shadow/envoy/extensions/tracers/zipkin/v4alpha/BUILD b/generated_api_shadow/envoy/extensions/tracers/zipkin/v4alpha/BUILD deleted file mode 100644 index aefd915ae054..000000000000 --- a/generated_api_shadow/envoy/extensions/tracers/zipkin/v4alpha/BUILD +++ /dev/null @@ -1,13 +0,0 @@ -# DO NOT EDIT. This file is generated by tools/proto_format/proto_sync.py. - -load("@envoy_api//bazel:api_build_system.bzl", "api_proto_package") - -licenses(["notice"]) # Apache 2 - -api_proto_package( - deps = [ - "//envoy/annotations:pkg", - "//envoy/config/trace/v3:pkg", - "@com_github_cncf_udpa//udpa/annotations:pkg", - ], -) diff --git a/generated_api_shadow/envoy/extensions/tracers/zipkin/v4alpha/zipkin.proto b/generated_api_shadow/envoy/extensions/tracers/zipkin/v4alpha/zipkin.proto deleted file mode 100644 index f7e11e43ab82..000000000000 --- a/generated_api_shadow/envoy/extensions/tracers/zipkin/v4alpha/zipkin.proto +++ /dev/null 
@@ -1,73 +0,0 @@ -syntax = "proto3"; - -package envoy.extensions.tracers.zipkin.v4alpha; - -import "google/protobuf/wrappers.proto"; - -import "envoy/annotations/deprecation.proto"; -import "udpa/annotations/status.proto"; -import "udpa/annotations/versioning.proto"; -import "validate/validate.proto"; - -option java_package = "io.envoyproxy.envoy.extensions.tracers.zipkin.v4alpha"; -option java_outer_classname = "ZipkinProto"; -option java_multiple_files = true; -option (udpa.annotations.file_status).package_version_status = NEXT_MAJOR_VERSION_CANDIDATE; - -// [#protodoc-title: Zipkin tracer] - -// Configuration for the Zipkin tracer. -// [#extension: envoy.tracers.zipkin] -// [#next-free-field: 7] -message ZipkinConfig { - option (udpa.annotations.versioning).previous_message_type = "envoy.config.trace.v3.ZipkinConfig"; - - // Available Zipkin collector endpoint versions. - enum CollectorEndpointVersion { - // Zipkin API v1, JSON over HTTP. - // [#comment: The default implementation of Zipkin client before this field is added was only v1 - // and the way user configure this was by not explicitly specifying the version. Consequently, - // before this is added, the corresponding Zipkin collector expected to receive v1 payload. - // Hence the motivation of adding HTTP_JSON_V1 as the default is to avoid a breaking change when - // user upgrading Envoy with this change. Furthermore, we also immediately deprecate this field, - // since in Zipkin realm this v1 version is considered to be not preferable anymore.] - hidden_envoy_deprecated_DEPRECATED_AND_UNAVAILABLE_DO_NOT_USE = 0 [ - deprecated = true, - (envoy.annotations.disallowed_by_default_enum) = true, - (envoy.annotations.deprecated_at_minor_version_enum) = "3.0" - ]; - - // Zipkin API v2, JSON over HTTP. - HTTP_JSON = 1; - - // Zipkin API v2, protobuf over HTTP. - HTTP_PROTO = 2; - - // [#not-implemented-hide:] - GRPC = 3; - } - - // The cluster manager cluster that hosts the Zipkin collectors. 
- string collector_cluster = 1 [(validate.rules).string = {min_len: 1}]; - - // The API endpoint of the Zipkin service where the spans will be sent. When - // using a standard Zipkin installation, the API endpoint is typically - // /api/v1/spans, which is the default value. - string collector_endpoint = 2 [(validate.rules).string = {min_len: 1}]; - - // Determines whether a 128bit trace id will be used when creating a new - // trace instance. The default value is false, which will result in a 64 bit trace id being used. - bool trace_id_128bit = 3; - - // Determines whether client and server spans will share the same span context. - // The default value is true. - google.protobuf.BoolValue shared_span_context = 4; - - // Determines the selected collector endpoint version. By default, the ``HTTP_JSON_V1`` will be - // used. - CollectorEndpointVersion collector_endpoint_version = 5; - - // Optional hostname to use when sending spans to the collector_cluster. Useful for collectors - // that require a specific hostname. Defaults to :ref:`collector_cluster ` above. - string collector_hostname = 6; -} diff --git a/generated_api_shadow/envoy/extensions/transport_sockets/quic/v4alpha/BUILD b/generated_api_shadow/envoy/extensions/transport_sockets/quic/v4alpha/BUILD deleted file mode 100644 index 976cefd189cc..000000000000 --- a/generated_api_shadow/envoy/extensions/transport_sockets/quic/v4alpha/BUILD +++ /dev/null @@ -1,13 +0,0 @@ -# DO NOT EDIT. This file is generated by tools/proto_format/proto_sync.py. - -load("@envoy_api//bazel:api_build_system.bzl", "api_proto_package") - -licenses(["notice"]) # Apache 2 - -api_proto_package( - deps = [ - "//envoy/extensions/transport_sockets/quic/v3:pkg", - "//envoy/extensions/transport_sockets/tls/v4alpha:pkg", - "@com_github_cncf_udpa//udpa/annotations:pkg", - ], -) 
diff --git a/generated_api_shadow/envoy/extensions/transport_sockets/quic/v4alpha/quic_transport.proto b/generated_api_shadow/envoy/extensions/transport_sockets/quic/v4alpha/quic_transport.proto deleted file mode 100644 index 9a5f096f56c7..000000000000 --- a/generated_api_shadow/envoy/extensions/transport_sockets/quic/v4alpha/quic_transport.proto +++ /dev/null @@ -1,35 +0,0 @@ -syntax = "proto3"; - -package envoy.extensions.transport_sockets.quic.v4alpha; - -import "envoy/extensions/transport_sockets/tls/v4alpha/tls.proto"; - -import "udpa/annotations/status.proto"; -import "udpa/annotations/versioning.proto"; -import "validate/validate.proto"; - -option java_package = "io.envoyproxy.envoy.extensions.transport_sockets.quic.v4alpha"; -option java_outer_classname = "QuicTransportProto"; -option java_multiple_files = true; -option (udpa.annotations.file_status).package_version_status = NEXT_MAJOR_VERSION_CANDIDATE; - -// [#protodoc-title: quic transport] -// [#comment:#extension: envoy.transport_sockets.quic] - -// Configuration for Downstream QUIC transport socket. This provides Google's implementation of Google QUIC and IETF QUIC to Envoy. -message QuicDownstreamTransport { - option (udpa.annotations.versioning).previous_message_type = - "envoy.extensions.transport_sockets.quic.v3.QuicDownstreamTransport"; - - tls.v4alpha.DownstreamTlsContext downstream_tls_context = 1 - [(validate.rules).message = {required: true}]; -} - -// Configuration for Upstream QUIC transport socket. This provides Google's implementation of Google QUIC and IETF QUIC to Envoy. -message QuicUpstreamTransport { - option (udpa.annotations.versioning).previous_message_type = - "envoy.extensions.transport_sockets.quic.v3.QuicUpstreamTransport"; - - tls.v4alpha.UpstreamTlsContext upstream_tls_context = 1 - [(validate.rules).message = {required: true}]; -} 
diff --git a/generated_api_shadow/envoy/extensions/transport_sockets/starttls/v4alpha/BUILD b/generated_api_shadow/envoy/extensions/transport_sockets/starttls/v4alpha/BUILD deleted file mode 100644 index b160d85ddb5b..000000000000 --- a/generated_api_shadow/envoy/extensions/transport_sockets/starttls/v4alpha/BUILD +++ /dev/null @@ -1,14 +0,0 @@ -# DO NOT EDIT. This file is generated by tools/proto_format/proto_sync.py. - -load("@envoy_api//bazel:api_build_system.bzl", "api_proto_package") - -licenses(["notice"]) # Apache 2 - -api_proto_package( - deps = [ - "//envoy/extensions/transport_sockets/raw_buffer/v3:pkg", - "//envoy/extensions/transport_sockets/starttls/v3:pkg", - "//envoy/extensions/transport_sockets/tls/v4alpha:pkg", - "@com_github_cncf_udpa//udpa/annotations:pkg", - ], -) diff --git a/generated_api_shadow/envoy/extensions/transport_sockets/starttls/v4alpha/starttls.proto b/generated_api_shadow/envoy/extensions/transport_sockets/starttls/v4alpha/starttls.proto deleted file mode 100644 index d2a9dbeaf2ed..000000000000 --- a/generated_api_shadow/envoy/extensions/transport_sockets/starttls/v4alpha/starttls.proto +++ /dev/null 
@@ -1,58 +0,0 @@ -syntax = "proto3"; - -package envoy.extensions.transport_sockets.starttls.v4alpha; - -import "envoy/extensions/transport_sockets/raw_buffer/v3/raw_buffer.proto"; -import "envoy/extensions/transport_sockets/tls/v4alpha/tls.proto"; - -import "udpa/annotations/status.proto"; -import "udpa/annotations/versioning.proto"; -import "validate/validate.proto"; - -option java_package = "io.envoyproxy.envoy.extensions.transport_sockets.starttls.v4alpha"; -option java_outer_classname = "StarttlsProto"; -option java_multiple_files = true; -option (udpa.annotations.file_status).package_version_status = NEXT_MAJOR_VERSION_CANDIDATE; - -// [#protodoc-title: StartTls] -// [#extension: envoy.transport_sockets.starttls] - -// StartTls transport socket addresses situations when a protocol starts in clear-text and -// negotiates an in-band switch to TLS. StartTls transport socket is protocol agnostic. In the -// case of downstream StartTls a network filter is required which understands protocol exchange -// and a state machine to signal to the StartTls transport socket when a switch to TLS is -// required. Similarly, upstream StartTls requires the owner of an upstream transport socket to -// manage the state machine necessary to properly coordinate negotiation with the upstream and -// signal to the transport socket when a switch to secure transport is required. - -// Configuration for a downstream StartTls transport socket. -// StartTls transport socket wraps two sockets: -// * raw_buffer socket which is used at the beginning of the session -// * TLS socket used when a protocol negotiates a switch to encrypted traffic. -message StartTlsConfig { - option (udpa.annotations.versioning).previous_message_type = - "envoy.extensions.transport_sockets.starttls.v3.StartTlsConfig"; - - // (optional) Configuration for clear-text socket used at the beginning of the session. - raw_buffer.v3.RawBuffer cleartext_socket_config = 1; - - // Configuration for a downstream TLS socket. 
- transport_sockets.tls.v4alpha.DownstreamTlsContext tls_socket_config = 2 - [(validate.rules).message = {required: true}]; -} - -// Configuration for an upstream StartTls transport socket. -// StartTls transport socket wraps two sockets: -// * raw_buffer socket which is used at the beginning of the session -// * TLS socket used when a protocol negotiates a switch to encrypted traffic. -message UpstreamStartTlsConfig { - option (udpa.annotations.versioning).previous_message_type = - "envoy.extensions.transport_sockets.starttls.v3.UpstreamStartTlsConfig"; - - // (optional) Configuration for clear-text socket used at the beginning of the session. - raw_buffer.v3.RawBuffer cleartext_socket_config = 1; - - // Configuration for an upstream TLS socket. - transport_sockets.tls.v4alpha.UpstreamTlsContext tls_socket_config = 2 - [(validate.rules).message = {required: true}]; -} diff --git a/generated_api_shadow/envoy/extensions/transport_sockets/tap/v4alpha/BUILD b/generated_api_shadow/envoy/extensions/transport_sockets/tap/v4alpha/BUILD deleted file mode 100644 index fe393f574d0d..000000000000 --- a/generated_api_shadow/envoy/extensions/transport_sockets/tap/v4alpha/BUILD +++ /dev/null @@ -1,14 +0,0 @@ -# DO NOT EDIT. This file is generated by tools/proto_format/proto_sync.py. - -load("@envoy_api//bazel:api_build_system.bzl", "api_proto_package") - -licenses(["notice"]) # Apache 2 - -api_proto_package( - deps = [ - "//envoy/config/core/v4alpha:pkg", - "//envoy/extensions/common/tap/v4alpha:pkg", - "//envoy/extensions/transport_sockets/tap/v3:pkg", - "@com_github_cncf_udpa//udpa/annotations:pkg", - ], -) diff --git a/generated_api_shadow/envoy/extensions/transport_sockets/tap/v4alpha/tap.proto b/generated_api_shadow/envoy/extensions/transport_sockets/tap/v4alpha/tap.proto deleted file mode 100644 index 5e0efc403ab5..000000000000 --- a/generated_api_shadow/envoy/extensions/transport_sockets/tap/v4alpha/tap.proto +++ /dev/null 
@@ -1,33 +0,0 @@ -syntax = "proto3"; - -package envoy.extensions.transport_sockets.tap.v4alpha; - -import "envoy/config/core/v4alpha/base.proto"; -import "envoy/extensions/common/tap/v4alpha/common.proto"; - -import "udpa/annotations/status.proto"; -import "udpa/annotations/versioning.proto"; -import "validate/validate.proto"; - -option java_package = "io.envoyproxy.envoy.extensions.transport_sockets.tap.v4alpha"; -option java_outer_classname = "TapProto"; -option java_multiple_files = true; -option (udpa.annotations.file_status).package_version_status = NEXT_MAJOR_VERSION_CANDIDATE; - -// [#protodoc-title: Tap] -// [#extension: envoy.transport_sockets.tap] - -// Configuration for tap transport socket. This wraps another transport socket, providing the -// ability to interpose and record in plain text any traffic that is surfaced to Envoy. -message Tap { - option (udpa.annotations.versioning).previous_message_type = - "envoy.extensions.transport_sockets.tap.v3.Tap"; - - // Common configuration for the tap transport socket. - common.tap.v4alpha.CommonExtensionConfig common_config = 1 - [(validate.rules).message = {required: true}]; - - // The underlying transport socket being wrapped. - config.core.v4alpha.TransportSocket transport_socket = 2 - [(validate.rules).message = {required: true}]; -} diff --git a/generated_api_shadow/envoy/extensions/transport_sockets/tls/v4alpha/BUILD b/generated_api_shadow/envoy/extensions/transport_sockets/tls/v4alpha/BUILD deleted file mode 100644 index bccc7346c650..000000000000 --- a/generated_api_shadow/envoy/extensions/transport_sockets/tls/v4alpha/BUILD +++ /dev/null 
@@ -1,15 +0,0 @@ -# DO NOT EDIT. This file is generated by tools/proto_format/proto_sync.py. - -load("@envoy_api//bazel:api_build_system.bzl", "api_proto_package") - -licenses(["notice"]) # Apache 2 - -api_proto_package( - deps = [ - "//envoy/annotations:pkg", - "//envoy/config/core/v4alpha:pkg", - "//envoy/extensions/transport_sockets/tls/v3:pkg", - "//envoy/type/matcher/v4alpha:pkg", - "@com_github_cncf_udpa//udpa/annotations:pkg", - ], -) diff --git a/generated_api_shadow/envoy/extensions/transport_sockets/tls/v4alpha/common.proto b/generated_api_shadow/envoy/extensions/transport_sockets/tls/v4alpha/common.proto deleted file mode 100644 index 4e4488c770f8..000000000000 --- a/generated_api_shadow/envoy/extensions/transport_sockets/tls/v4alpha/common.proto +++ /dev/null 
@@ -1,440 +0,0 @@ -syntax = "proto3"; - -package envoy.extensions.transport_sockets.tls.v4alpha; - -import "envoy/config/core/v4alpha/base.proto"; -import "envoy/config/core/v4alpha/extension.proto"; -import "envoy/type/matcher/v4alpha/string.proto"; - -import "google/protobuf/any.proto"; -import "google/protobuf/wrappers.proto"; - -import "udpa/annotations/sensitive.proto"; -import "udpa/annotations/status.proto"; -import "udpa/annotations/versioning.proto"; -import "validate/validate.proto"; - -option java_package = "io.envoyproxy.envoy.extensions.transport_sockets.tls.v4alpha"; -option java_outer_classname = "CommonProto"; -option java_multiple_files = true; -option (udpa.annotations.file_status).package_version_status = NEXT_MAJOR_VERSION_CANDIDATE; - -// [#protodoc-title: Common TLS configuration] - -message TlsParameters { - option (udpa.annotations.versioning).previous_message_type = - "envoy.extensions.transport_sockets.tls.v3.TlsParameters"; - - enum TlsProtocol { - // Envoy will choose the optimal TLS version. - TLS_AUTO = 0; - - // TLS 1.0 - TLSv1_0 = 1; - - // TLS 1.1 - TLSv1_1 = 2; - - // TLS 1.2 - TLSv1_2 = 3; - - // TLS 1.3 - TLSv1_3 = 4; - } - - // Minimum TLS protocol version. By default, it's ``TLSv1_2`` for clients and ``TLSv1_0`` for - // servers. - TlsProtocol tls_minimum_protocol_version = 1 [(validate.rules).enum = {defined_only: true}]; - - // Maximum TLS protocol version. By default, it's ``TLSv1_2`` for clients and ``TLSv1_3`` for - // servers. - TlsProtocol tls_maximum_protocol_version = 2 [(validate.rules).enum = {defined_only: true}]; - - // If specified, the TLS listener will only support the specified `cipher list - // `_ - // when negotiating TLS 1.0-1.2 (this setting has no effect when negotiating TLS 1.3). - // - // If not specified, a default list will be used. Defaults are different for server (downstream) and - // client (upstream) TLS configurations. - // - // In non-FIPS builds, the default server cipher list is: - // - // .. 
code-block:: none - // - // [ECDHE-ECDSA-AES128-GCM-SHA256|ECDHE-ECDSA-CHACHA20-POLY1305] - // [ECDHE-RSA-AES128-GCM-SHA256|ECDHE-RSA-CHACHA20-POLY1305] - // ECDHE-ECDSA-AES128-SHA - // ECDHE-RSA-AES128-SHA - // AES128-GCM-SHA256 - // AES128-SHA - // ECDHE-ECDSA-AES256-GCM-SHA384 - // ECDHE-RSA-AES256-GCM-SHA384 - // ECDHE-ECDSA-AES256-SHA - // ECDHE-RSA-AES256-SHA - // AES256-GCM-SHA384 - // AES256-SHA - // - // In builds using :ref:`BoringSSL FIPS `, the default server cipher list is: - // - // .. code-block:: none - // - // ECDHE-ECDSA-AES128-GCM-SHA256 - // ECDHE-RSA-AES128-GCM-SHA256 - // ECDHE-ECDSA-AES128-SHA - // ECDHE-RSA-AES128-SHA - // AES128-GCM-SHA256 - // AES128-SHA - // ECDHE-ECDSA-AES256-GCM-SHA384 - // ECDHE-RSA-AES256-GCM-SHA384 - // ECDHE-ECDSA-AES256-SHA - // ECDHE-RSA-AES256-SHA - // AES256-GCM-SHA384 - // AES256-SHA - // - // In non-FIPS builds, the default client cipher list is: - // - // .. code-block:: none - // - // [ECDHE-ECDSA-AES128-GCM-SHA256|ECDHE-ECDSA-CHACHA20-POLY1305] - // [ECDHE-RSA-AES128-GCM-SHA256|ECDHE-RSA-CHACHA20-POLY1305] - // ECDHE-ECDSA-AES256-GCM-SHA384 - // ECDHE-RSA-AES256-GCM-SHA384 - // - // In builds using :ref:`BoringSSL FIPS `, the default client cipher list is: - // - // .. code-block:: none - // - // ECDHE-ECDSA-AES128-GCM-SHA256 - // ECDHE-RSA-AES128-GCM-SHA256 - // ECDHE-ECDSA-AES256-GCM-SHA384 - // ECDHE-RSA-AES256-GCM-SHA384 - repeated string cipher_suites = 3; - - // If specified, the TLS connection will only support the specified ECDH - // curves. If not specified, the default curves will be used. - // - // In non-FIPS builds, the default curves are: - // - // .. code-block:: none - // - // X25519 - // P-256 - // - // In builds using :ref:`BoringSSL FIPS `, the default curve is: - // - // .. code-block:: none - // - // P-256 - repeated string ecdh_curves = 4; -} - -// BoringSSL private key method configuration. 
The private key methods are used for external -// (potentially asynchronous) signing and decryption operations. Some use cases for private key -// methods would be TPM support and TLS acceleration. -message PrivateKeyProvider { - option (udpa.annotations.versioning).previous_message_type = - "envoy.extensions.transport_sockets.tls.v3.PrivateKeyProvider"; - - reserved 2; - - reserved "config"; - - // Private key method provider name. The name must match a - // supported private key method provider type. - string provider_name = 1 [(validate.rules).string = {min_len: 1}]; - - // Private key method provider specific configuration. - oneof config_type { - google.protobuf.Any typed_config = 3 [(udpa.annotations.sensitive) = true]; - } -} - -// [#next-free-field: 8] -message TlsCertificate { - option (udpa.annotations.versioning).previous_message_type = - "envoy.extensions.transport_sockets.tls.v3.TlsCertificate"; - - // The TLS certificate chain. - // - // If *certificate_chain* is a filesystem path, a watch will be added to the - // parent directory for any file moves to support rotation. This currently - // only applies to dynamic secrets, when the *TlsCertificate* is delivered via - // SDS. - config.core.v4alpha.DataSource certificate_chain = 1; - - // The TLS private key. - // - // If *private_key* is a filesystem path, a watch will be added to the parent - // directory for any file moves to support rotation. This currently only - // applies to dynamic secrets, when the *TlsCertificate* is delivered via SDS. - config.core.v4alpha.DataSource private_key = 2 [(udpa.annotations.sensitive) = true]; - - // If specified, updates of file-based *certificate_chain* and *private_key* - // sources will be triggered by this watch. The certificate/key pair will be - // read together and validated for atomic read consistency (i.e. no - // intervening modification occurred between cert/key read, verified by file - // hash comparisons). 
This allows explicit control over the path watched, by - // default the parent directories of the filesystem paths in - // *certificate_chain* and *private_key* are watched if this field is not - // specified. This only applies when a *TlsCertificate* is delivered by SDS - // with references to filesystem paths. See the :ref:`SDS key rotation - // ` documentation for further details. - config.core.v4alpha.WatchedDirectory watched_directory = 7; - - // BoringSSL private key method provider. This is an alternative to :ref:`private_key - // ` field. This can't be - // marked as ``oneof`` due to API compatibility reasons. Setting both :ref:`private_key - // ` and - // :ref:`private_key_provider - // ` fields will result in an - // error. - PrivateKeyProvider private_key_provider = 6; - - // The password to decrypt the TLS private key. If this field is not set, it is assumed that the - // TLS private key is not password encrypted. - config.core.v4alpha.DataSource password = 3 [(udpa.annotations.sensitive) = true]; - - // The OCSP response to be stapled with this certificate during the handshake. - // The response must be DER-encoded and may only be provided via ``filename`` or - // ``inline_bytes``. The response may pertain to only one certificate. - config.core.v4alpha.DataSource ocsp_staple = 4; - - // [#not-implemented-hide:] - repeated config.core.v4alpha.DataSource signed_certificate_timestamp = 5; -} - -message TlsSessionTicketKeys { - option (udpa.annotations.versioning).previous_message_type = - "envoy.extensions.transport_sockets.tls.v3.TlsSessionTicketKeys"; - - // Keys for encrypting and decrypting TLS session tickets. The - // first key in the array contains the key to encrypt all new sessions created by this context. - // All keys are candidates for decrypting received tickets. This allows for easy rotation of keys - // by, for example, putting the new key first, and the previous key second. 
- // - // If :ref:`session_ticket_keys ` - // is not specified, the TLS library will still support resuming sessions via tickets, but it will - // use an internally-generated and managed key, so sessions cannot be resumed across hot restarts - // or on different hosts. - // - // Each key must contain exactly 80 bytes of cryptographically-secure random data. For - // example, the output of ``openssl rand 80``. - // - // .. attention:: - // - // Using this feature has serious security considerations and risks. Improper handling of keys - // may result in loss of secrecy in connections, even if ciphers supporting perfect forward - // secrecy are used. See https://www.imperialviolet.org/2013/06/27/botchingpfs.html for some - // discussion. To minimize the risk, you must: - // - // * Keep the session ticket keys at least as secure as your TLS certificate private keys - // * Rotate session ticket keys at least daily, and preferably hourly - // * Always generate keys using a cryptographically-secure random data source - repeated config.core.v4alpha.DataSource keys = 1 - [(validate.rules).repeated = {min_items: 1}, (udpa.annotations.sensitive) = true]; -} - -// Indicates a certificate to be obtained from a named CertificateProvider plugin instance. -// The plugin instances are defined in the client's bootstrap file. -// The plugin allows certificates to be fetched/refreshed over the network asynchronously with -// respect to the TLS handshake. -// [#not-implemented-hide:] -message CertificateProviderPluginInstance { - option (udpa.annotations.versioning).previous_message_type = - "envoy.extensions.transport_sockets.tls.v3.CertificateProviderPluginInstance"; - - // Provider instance name. If not present, defaults to "default". - // - // Instance names should generally be defined not in terms of the underlying provider - // implementation (e.g., "file_watcher") but rather in terms of the function of the - // certificates (e.g., "foo_deployment_identity"). 
- string instance_name = 1; - - // Opaque name used to specify certificate instances or types. For example, "ROOTCA" to specify - // a root-certificate (validation context) or "example.com" to specify a certificate for a - // particular domain. Not all provider instances will actually use this field, so the value - // defaults to the empty string. - string certificate_name = 2; -} - -// [#next-free-field: 14] -message CertificateValidationContext { - option (udpa.annotations.versioning).previous_message_type = - "envoy.extensions.transport_sockets.tls.v3.CertificateValidationContext"; - - // Peer certificate verification mode. - enum TrustChainVerification { - // Perform default certificate verification (e.g., against CA / verification lists) - VERIFY_TRUST_CHAIN = 0; - - // Connections where the certificate fails verification will be permitted. - // For HTTP connections, the result of certificate verification can be used in route matching. ( - // see :ref:`validated ` ). - ACCEPT_UNTRUSTED = 1; - } - - reserved 4, 5; - - reserved "verify_subject_alt_name"; - - oneof ca_cert_source { - // TLS certificate data containing certificate authority certificates to use in verifying - // a presented peer certificate (e.g. server certificate for clusters or client certificate - // for listeners). If not specified and a peer certificate is presented it will not be - // verified. By default, a client certificate is optional, unless one of the additional - // options (:ref:`require_client_certificate - // `, - // :ref:`verify_certificate_spki - // `, - // :ref:`verify_certificate_hash - // `, or - // :ref:`match_subject_alt_names - // `) is also - // specified. - // - // It can optionally contain certificate revocation lists, in which case Envoy will verify - // that the presented peer certificate has not been revoked by one of the included CRLs. 
Note - // that if a CRL is provided for any certificate authority in a trust chain, a CRL must be - // provided for all certificate authorities in that chain. Failure to do so will result in - // verification failure for both revoked and unrevoked certificates from that chain. - // - // See :ref:`the TLS overview ` for a list of common - // system CA locations. - // - // If *trusted_ca* is a filesystem path, a watch will be added to the parent - // directory for any file moves to support rotation. This currently only - // applies to dynamic secrets, when the *CertificateValidationContext* is - // delivered via SDS. - // - // Only one of *trusted_ca* and *ca_certificate_provider_instance* may be specified. - // - // [#next-major-version: This field and watched_directory below should ideally be moved into a - // separate sub-message, since there's no point in specifying the latter field without this one.] - config.core.v4alpha.DataSource trusted_ca = 1; - - // Certificate provider instance for fetching TLS certificates. - // - // Only one of *trusted_ca* and *ca_certificate_provider_instance* may be specified. - // [#not-implemented-hide:] - CertificateProviderPluginInstance ca_certificate_provider_instance = 13; - } - - // If specified, updates of a file-based *trusted_ca* source will be triggered - // by this watch. This allows explicit control over the path watched, by - // default the parent directory of the filesystem path in *trusted_ca* is - // watched if this field is not specified. This only applies when a - // *CertificateValidationContext* is delivered by SDS with references to - // filesystem paths. See the :ref:`SDS key rotation ` - // documentation for further details. - config.core.v4alpha.WatchedDirectory watched_directory = 11; - - // An optional list of base64-encoded SHA-256 hashes. 
If specified, Envoy will verify that the - // SHA-256 of the DER-encoded Subject Public Key Information (SPKI) of the presented certificate - // matches one of the specified values. - // - // A base64-encoded SHA-256 of the Subject Public Key Information (SPKI) of the certificate - // can be generated with the following command: - // - // .. code-block:: bash - // - // $ openssl x509 -in path/to/client.crt -noout -pubkey - // | openssl pkey -pubin -outform DER - // | openssl dgst -sha256 -binary - // | openssl enc -base64 - // NvqYIYSbgK2vCJpQhObf77vv+bQWtc5ek5RIOwPiC9A= - // - // This is the format used in HTTP Public Key Pinning. - // - // When both: - // :ref:`verify_certificate_hash - // ` and - // :ref:`verify_certificate_spki - // ` are specified, - // a hash matching value from either of the lists will result in the certificate being accepted. - // - // .. attention:: - // - // This option is preferred over :ref:`verify_certificate_hash - // `, - // because SPKI is tied to a private key, so it doesn't change when the certificate - // is renewed using the same private key. - repeated string verify_certificate_spki = 3 - [(validate.rules).repeated = {items {string {min_len: 44 max_bytes: 44}}}]; - - // An optional list of hex-encoded SHA-256 hashes. If specified, Envoy will verify that - // the SHA-256 of the DER-encoded presented certificate matches one of the specified values. - // - // A hex-encoded SHA-256 of the certificate can be generated with the following command: - // - // .. code-block:: bash - // - // $ openssl x509 -in path/to/client.crt -outform DER | openssl dgst -sha256 | cut -d" " -f2 - // df6ff72fe9116521268f6f2dd4966f51df479883fe7037b39f75916ac3049d1a - // - // A long hex-encoded and colon-separated SHA-256 (a.k.a. "fingerprint") of the certificate - // can be generated with the following command: - // - // .. 
code-block:: bash - // - // $ openssl x509 -in path/to/client.crt -noout -fingerprint -sha256 | cut -d"=" -f2 - // DF:6F:F7:2F:E9:11:65:21:26:8F:6F:2D:D4:96:6F:51:DF:47:98:83:FE:70:37:B3:9F:75:91:6A:C3:04:9D:1A - // - // Both of those formats are acceptable. - // - // When both: - // :ref:`verify_certificate_hash - // ` and - // :ref:`verify_certificate_spki - // ` are specified, - // a hash matching value from either of the lists will result in the certificate being accepted. - repeated string verify_certificate_hash = 2 - [(validate.rules).repeated = {items {string {min_len: 64 max_bytes: 95}}}]; - - // An optional list of Subject Alternative name matchers. If specified, Envoy will verify that the - // Subject Alternative Name of the presented certificate matches one of the specified matchers. - // - // When a certificate has wildcard DNS SAN entries, to match a specific client, it should be - // configured with exact match type in the :ref:`string matcher `. - // For example if the certificate has "\*.example.com" as DNS SAN entry, to allow only "api.example.com", - // it should be configured as shown below. - // - // .. code-block:: yaml - // - // match_subject_alt_names: - // exact: "api.example.com" - // - // .. attention:: - // - // Subject Alternative Names are easily spoofable and verifying only them is insecure, - // therefore this option must be used together with :ref:`trusted_ca - // `. - repeated type.matcher.v4alpha.StringMatcher match_subject_alt_names = 9; - - // [#not-implemented-hide:] Must present signed certificate time-stamp. - google.protobuf.BoolValue require_signed_certificate_timestamp = 6; - - // An optional `certificate revocation list - // `_ - // (in PEM format). If specified, Envoy will verify that the presented peer - // certificate has not been revoked by this CRL. If this DataSource contains - // multiple CRLs, all of them will be used. 
Note that if a CRL is provided - // for any certificate authority in a trust chain, a CRL must be provided - // for all certificate authorities in that chain. Failure to do so will - // result in verification failure for both revoked and unrevoked certificates - // from that chain. - config.core.v4alpha.DataSource crl = 7; - - // If specified, Envoy will not reject expired certificates. - bool allow_expired_certificate = 8; - - // Certificate trust chain verification mode. - TrustChainVerification trust_chain_verification = 10 - [(validate.rules).enum = {defined_only: true}]; - - // The configuration of an extension specific certificate validator. - // If specified, all validation is done by the specified validator, - // and the behavior of all other validation settings is defined by the specified validator (and may be entirely ignored, unused, and unvalidated). - // Refer to the documentation for the specified validator. If you do not want a custom validation algorithm, do not set this field. - // [#extension-category: envoy.tls.cert_validator] - config.core.v4alpha.TypedExtensionConfig custom_validator_config = 12; -} diff --git a/generated_api_shadow/envoy/extensions/transport_sockets/tls/v4alpha/secret.proto b/generated_api_shadow/envoy/extensions/transport_sockets/tls/v4alpha/secret.proto deleted file mode 100644 index 5bb8c86b9438..000000000000 --- a/generated_api_shadow/envoy/extensions/transport_sockets/tls/v4alpha/secret.proto +++ /dev/null 
@@ -1,58 +0,0 @@ -syntax = "proto3"; - -package envoy.extensions.transport_sockets.tls.v4alpha; - -import "envoy/config/core/v4alpha/base.proto"; -import "envoy/config/core/v4alpha/config_source.proto"; -import "envoy/extensions/transport_sockets/tls/v4alpha/common.proto"; - -import "udpa/annotations/sensitive.proto"; -import "udpa/annotations/status.proto"; -import "udpa/annotations/versioning.proto"; -import "validate/validate.proto"; - -option java_package = "io.envoyproxy.envoy.extensions.transport_sockets.tls.v4alpha"; -option java_outer_classname = "SecretProto"; -option java_multiple_files = true; -option (udpa.annotations.file_status).package_version_status = NEXT_MAJOR_VERSION_CANDIDATE; - -// [#protodoc-title: Secrets configuration] - -message GenericSecret { - option (udpa.annotations.versioning).previous_message_type = - "envoy.extensions.transport_sockets.tls.v3.GenericSecret"; - - // Secret of generic type and is available to filters. - config.core.v4alpha.DataSource secret = 1 [(udpa.annotations.sensitive) = true]; -} - -message SdsSecretConfig { - option (udpa.annotations.versioning).previous_message_type = - "envoy.extensions.transport_sockets.tls.v3.SdsSecretConfig"; - - // Name by which the secret can be uniquely referred to. When both name and config are specified, - // then secret can be fetched and/or reloaded via SDS. When only name is specified, then secret - // will be loaded from static resources. - string name = 1 [(validate.rules).string = {min_len: 1}]; - - config.core.v4alpha.ConfigSource sds_config = 2; -} - -// [#next-free-field: 6] -message Secret { - option (udpa.annotations.versioning).previous_message_type = - "envoy.extensions.transport_sockets.tls.v3.Secret"; - - // Name (FQDN, UUID, SPKI, SHA256, etc.) by which the secret can be uniquely referred to. 
- string name = 1; - - oneof type { - TlsCertificate tls_certificate = 2; - - TlsSessionTicketKeys session_ticket_keys = 3; - - CertificateValidationContext validation_context = 4; - - GenericSecret generic_secret = 5; - } -} diff --git a/generated_api_shadow/envoy/extensions/transport_sockets/tls/v4alpha/tls.proto b/generated_api_shadow/envoy/extensions/transport_sockets/tls/v4alpha/tls.proto deleted file mode 100644 index d6bdc420c2e5..000000000000 --- a/generated_api_shadow/envoy/extensions/transport_sockets/tls/v4alpha/tls.proto +++ /dev/null 
@@ -1,313 +0,0 @@ -syntax = "proto3"; - -package envoy.extensions.transport_sockets.tls.v4alpha; - -import "envoy/config/core/v4alpha/extension.proto"; -import "envoy/extensions/transport_sockets/tls/v4alpha/common.proto"; -import "envoy/extensions/transport_sockets/tls/v4alpha/secret.proto"; - -import "google/protobuf/duration.proto"; -import "google/protobuf/wrappers.proto"; - -import "envoy/annotations/deprecation.proto"; -import "udpa/annotations/status.proto"; -import "udpa/annotations/versioning.proto"; -import "validate/validate.proto"; - -option java_package = "io.envoyproxy.envoy.extensions.transport_sockets.tls.v4alpha"; -option java_outer_classname = "TlsProto"; -option java_multiple_files = true; -option (udpa.annotations.file_status).package_version_status = NEXT_MAJOR_VERSION_CANDIDATE; - -// [#protodoc-title: TLS transport socket] -// [#extension: envoy.transport_sockets.tls] -// The TLS contexts below provide the transport socket configuration for upstream/downstream TLS. - -message UpstreamTlsContext { - option (udpa.annotations.versioning).previous_message_type = - "envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext"; - - // Common TLS context settings. - // - // .. attention:: - // - // Server certificate verification is not enabled by default. Configure - // :ref:`trusted_ca` to enable - // verification. - CommonTlsContext common_tls_context = 1; - - // SNI string to use when creating TLS backend connections. - string sni = 2 [(validate.rules).string = {max_bytes: 255}]; - - // If true, server-initiated TLS renegotiation will be allowed. - // - // .. attention:: - // - // TLS renegotiation is considered insecure and shouldn't be used unless absolutely necessary. - bool allow_renegotiation = 3; - - // Maximum number of session keys (Pre-Shared Keys for TLSv1.3+, Session IDs and Session Tickets - // for TLSv1.2 and older) to store for the purpose of session resumption. 
- // - // Defaults to 1, setting this to 0 disables session resumption. - google.protobuf.UInt32Value max_session_keys = 4; -} - -// [#next-free-field: 9] -message DownstreamTlsContext { - option (udpa.annotations.versioning).previous_message_type = - "envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext"; - - enum OcspStaplePolicy { - // OCSP responses are optional. If an OCSP response is absent - // or expired, the associated certificate will be used for - // connections without an OCSP staple. - LENIENT_STAPLING = 0; - - // OCSP responses are optional. If an OCSP response is absent, - // the associated certificate will be used without an - // OCSP staple. If a response is provided but is expired, - // the associated certificate will not be used for - // subsequent connections. If no suitable certificate is found, - // the connection is rejected. - STRICT_STAPLING = 1; - - // OCSP responses are required. Configuration will fail if - // a certificate is provided without an OCSP response. If a - // response expires, the associated certificate will not be - // used connections. If no suitable certificate is found, the - // connection is rejected. - MUST_STAPLE = 2; - } - - // Common TLS context settings. - CommonTlsContext common_tls_context = 1; - - // If specified, Envoy will reject connections without a valid client - // certificate. - google.protobuf.BoolValue require_client_certificate = 2; - - // If specified, Envoy will reject connections without a valid and matching SNI. - // [#not-implemented-hide:] - google.protobuf.BoolValue require_sni = 3; - - oneof session_ticket_keys_type { - // TLS session ticket key settings. - TlsSessionTicketKeys session_ticket_keys = 4; - - // Config for fetching TLS session ticket keys via SDS API. 
- SdsSecretConfig session_ticket_keys_sds_secret_config = 5; - - // Config for controlling stateless TLS session resumption: setting this to true will cause the TLS - // server to not issue TLS session tickets for the purposes of stateless TLS session resumption. - // If set to false, the TLS server will issue TLS session tickets and encrypt/decrypt them using - // the keys specified through either :ref:`session_ticket_keys ` - // or :ref:`session_ticket_keys_sds_secret_config `. - // If this config is set to false and no keys are explicitly configured, the TLS server will issue - // TLS session tickets and encrypt/decrypt them using an internally-generated and managed key, with the - // implication that sessions cannot be resumed across hot restarts or on different hosts. - bool disable_stateless_session_resumption = 7; - } - - // If specified, session_timeout will change maximum lifetime (in seconds) of TLS session - // Currently this value is used as a hint to `TLS session ticket lifetime (for TLSv1.2) - // ` - // only seconds could be specified (fractional seconds are going to be ignored). - google.protobuf.Duration session_timeout = 6 [(validate.rules).duration = { - lt {seconds: 4294967296} - gte {} - }]; - - // Config for whether to use certificates if they do not have - // an accompanying OCSP response or if the response expires at runtime. - // Defaults to LENIENT_STAPLING - OcspStaplePolicy ocsp_staple_policy = 8 [(validate.rules).enum = {defined_only: true}]; -} - -// TLS context shared by both client and server TLS contexts. -// [#next-free-field: 15] -message CommonTlsContext { - option (udpa.annotations.versioning).previous_message_type = - "envoy.extensions.transport_sockets.tls.v3.CommonTlsContext"; - - // Config for Certificate provider to get certificates. This provider should allow certificates to be - // fetched/refreshed over the network asynchronously with respect to the TLS handshake. 
- // - // DEPRECATED: This message is not currently used, but if we ever do need it, we will want to - // move it out of CommonTlsContext and into common.proto, similar to the existing - // CertificateProviderPluginInstance message. - // - // [#not-implemented-hide:] - message CertificateProvider { - option (udpa.annotations.versioning).previous_message_type = - "envoy.extensions.transport_sockets.tls.v3.CommonTlsContext.CertificateProvider"; - - // opaque name used to specify certificate instances or types. For example, "ROOTCA" to specify - // a root-certificate (validation context) or "TLS" to specify a new tls-certificate. - string name = 1 [(validate.rules).string = {min_len: 1}]; - - // Provider specific config. - // Note: an implementation is expected to dedup multiple instances of the same config - // to maintain a single certificate-provider instance. The sharing can happen, for - // example, among multiple clusters or between the tls_certificate and validation_context - // certificate providers of a cluster. - // This config could be supplied inline or (in future) a named xDS resource. - oneof config { - option (validate.required) = true; - - config.core.v4alpha.TypedExtensionConfig typed_config = 2; - } - } - - // Similar to CertificateProvider above, but allows the provider instances to be configured on - // the client side instead of being sent from the control plane. - // - // DEPRECATED: This message was moved outside of CommonTlsContext - // and now lives in common.proto. - // - // [#not-implemented-hide:] - message CertificateProviderInstance { - option (udpa.annotations.versioning).previous_message_type = - "envoy.extensions.transport_sockets.tls.v3.CommonTlsContext.CertificateProviderInstance"; - - // Provider instance name. 
This name must be defined in the client's configuration (e.g., a - // bootstrap file) to correspond to a provider instance (i.e., the same data in the typed_config - // field that would be sent in the CertificateProvider message if the config was sent by the - // control plane). If not present, defaults to "default". - // - // Instance names should generally be defined not in terms of the underlying provider - // implementation (e.g., "file_watcher") but rather in terms of the function of the - // certificates (e.g., "foo_deployment_identity"). - string instance_name = 1; - - // Opaque name used to specify certificate instances or types. For example, "ROOTCA" to specify - // a root-certificate (validation context) or "example.com" to specify a certificate for a - // particular domain. Not all provider instances will actually use this field, so the value - // defaults to the empty string. - string certificate_name = 2; - } - - message CombinedCertificateValidationContext { - option (udpa.annotations.versioning).previous_message_type = - "envoy.extensions.transport_sockets.tls.v3.CommonTlsContext." - "CombinedCertificateValidationContext"; - - // How to validate peer certificates. - CertificateValidationContext default_validation_context = 1 - [(validate.rules).message = {required: true}]; - - // Config for fetching validation context via SDS API. Note SDS API allows certificates to be - // fetched/refreshed over the network asynchronously with respect to the TLS handshake. - SdsSecretConfig validation_context_sds_secret_config = 2 - [(validate.rules).message = {required: true}]; - - // Certificate provider for fetching CA certs. This will populate the - // *default_validation_context.trusted_ca* field. - // [#not-implemented-hide:] - CertificateProvider hidden_envoy_deprecated_validation_context_certificate_provider = 3 - [deprecated = true, (envoy.annotations.deprecated_at_minor_version) = "3.0"]; - - // Certificate provider instance for fetching CA certs. 
This will populate the - // *default_validation_context.trusted_ca* field. - // [#not-implemented-hide:] - CertificateProviderInstance - hidden_envoy_deprecated_validation_context_certificate_provider_instance = 4 - [deprecated = true, (envoy.annotations.deprecated_at_minor_version) = "3.0"]; - } - - reserved 5; - - // TLS protocol versions, cipher suites etc. - TlsParameters tls_params = 1; - - // :ref:`Multiple TLS certificates ` can be associated with the - // same context to allow both RSA and ECDSA certificates. - // - // Only a single TLS certificate is supported in client contexts. In server contexts, the first - // RSA certificate is used for clients that only support RSA and the first ECDSA certificate is - // used for clients that support ECDSA. - // - // Only one of *tls_certificates*, *tls_certificate_sds_secret_configs*, - // and *tls_certificate_provider_instance* may be used. - // [#next-major-version: These mutually exclusive fields should ideally be in a oneof, but it's - // not legal to put a repeated field in a oneof. In the next major version, we should rework - // this to avoid this problem.] - repeated TlsCertificate tls_certificates = 2; - - // Configs for fetching TLS certificates via SDS API. Note SDS API allows certificates to be - // fetched/refreshed over the network asynchronously with respect to the TLS handshake. - // - // The same number and types of certificates as :ref:`tls_certificates ` - // are valid in the the certificates fetched through this setting. - // - // Only one of *tls_certificates*, *tls_certificate_sds_secret_configs*, - // and *tls_certificate_provider_instance* may be used. - // [#next-major-version: These mutually exclusive fields should ideally be in a oneof, but it's - // not legal to put a repeated field in a oneof. In the next major version, we should rework - // this to avoid this problem.] 
- repeated SdsSecretConfig tls_certificate_sds_secret_configs = 6 - [(validate.rules).repeated = {max_items: 2}]; - - // Certificate provider instance for fetching TLS certs. - // - // Only one of *tls_certificates*, *tls_certificate_sds_secret_configs*, - // and *tls_certificate_provider_instance* may be used. - // [#not-implemented-hide:] - CertificateProviderPluginInstance tls_certificate_provider_instance = 14; - - // Certificate provider for fetching TLS certificates. - // [#not-implemented-hide:] - CertificateProvider hidden_envoy_deprecated_tls_certificate_certificate_provider = 9 - [deprecated = true, (envoy.annotations.deprecated_at_minor_version) = "3.0"]; - - // Certificate provider instance for fetching TLS certificates. - // [#not-implemented-hide:] - CertificateProviderInstance - hidden_envoy_deprecated_tls_certificate_certificate_provider_instance = 11 - [deprecated = true, (envoy.annotations.deprecated_at_minor_version) = "3.0"]; - - oneof validation_context_type { - // How to validate peer certificates. - CertificateValidationContext validation_context = 3; - - // Config for fetching validation context via SDS API. Note SDS API allows certificates to be - // fetched/refreshed over the network asynchronously with respect to the TLS handshake. - SdsSecretConfig validation_context_sds_secret_config = 7; - - // Combined certificate validation context holds a default CertificateValidationContext - // and SDS config. When SDS server returns dynamic CertificateValidationContext, both dynamic - // and default CertificateValidationContext are merged into a new CertificateValidationContext - // for validation. This merge is done by Message::MergeFrom(), so dynamic - // CertificateValidationContext overwrites singular fields in default - // CertificateValidationContext, and concatenates repeated fields to default - // CertificateValidationContext, and logical OR is applied to boolean fields. 
- CombinedCertificateValidationContext combined_validation_context = 8; - - // Certificate provider for fetching validation context. - // [#not-implemented-hide:] - CertificateProvider hidden_envoy_deprecated_validation_context_certificate_provider = 10 - [deprecated = true, (envoy.annotations.deprecated_at_minor_version) = "3.0"]; - - // Certificate provider instance for fetching validation context. - // [#not-implemented-hide:] - CertificateProviderInstance - hidden_envoy_deprecated_validation_context_certificate_provider_instance = 12 - [deprecated = true, (envoy.annotations.deprecated_at_minor_version) = "3.0"]; - } - - // Supplies the list of ALPN protocols that the listener should expose. In - // practice this is likely to be set to one of two values (see the - // :ref:`codec_type - // ` - // parameter in the HTTP connection manager for more information): - // - // * "h2,http/1.1" If the listener is going to support both HTTP/2 and HTTP/1.1. - // * "http/1.1" If the listener is only going to support HTTP/1.1. - // - // There is no default for this parameter. If empty, Envoy will not expose ALPN. - repeated string alpn_protocols = 4; - - // Custom TLS handshaker. If empty, defaults to native TLS handshaking - // behavior. - config.core.v4alpha.TypedExtensionConfig custom_handshaker = 13; -} diff --git a/generated_api_shadow/envoy/extensions/transport_sockets/tls/v4alpha/tls_spiffe_validator_config.proto b/generated_api_shadow/envoy/extensions/transport_sockets/tls/v4alpha/tls_spiffe_validator_config.proto deleted file mode 100644 index 8191318930be..000000000000 --- a/generated_api_shadow/envoy/extensions/transport_sockets/tls/v4alpha/tls_spiffe_validator_config.proto +++ /dev/null 
@@ -1,66 +0,0 @@ -syntax = "proto3"; - -package envoy.extensions.transport_sockets.tls.v4alpha; - -import "envoy/config/core/v4alpha/base.proto"; - -import "udpa/annotations/status.proto"; -import "udpa/annotations/versioning.proto"; -import "validate/validate.proto"; - -option java_package = "io.envoyproxy.envoy.extensions.transport_sockets.tls.v4alpha"; -option java_outer_classname = "TlsSpiffeValidatorConfigProto"; -option java_multiple_files = true; -option (udpa.annotations.file_status).package_version_status = NEXT_MAJOR_VERSION_CANDIDATE; - -// [#protodoc-title: SPIFFE Certificate Validator] -// [#extension: envoy.tls.cert_validator.spiffe] - -// Configuration specific to the `SPIFFE `_ certificate validator. -// -// Example: -// -// .. validated-code-block:: yaml -// :type-name: envoy.extensions.transport_sockets.tls.v3.CertificateValidationContext -// -// custom_validator_config: -// name: envoy.tls.cert_validator.spiffe -// typed_config: -// "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.SPIFFECertValidatorConfig -// trust_domains: -// - name: foo.com -// trust_bundle: -// filename: "foo.pem" -// - name: envoy.com -// trust_bundle: -// filename: "envoy.pem" -// -// In this example, a presented peer certificate whose SAN matches `spiffe//foo.com/**` is validated against -// the "foo.pem" x.509 certificate. All the trust bundles are isolated from each other, so no trust domain can mint -// a SVID belonging to another trust domain. That means, in this example, a SVID signed by `envoy.com`'s CA with `spiffe//foo.com/**` -// SAN would be rejected since Envoy selects the trust bundle according to the presented SAN before validate the certificate. -// -// Note that SPIFFE validator inherits and uses the following options from :ref:`CertificateValidationContext `. -// -// - :ref:`allow_expired_certificate ` to allow expired certificates. -// - :ref:`match_subject_alt_names ` to match **URI** SAN of certificates. 
Unlike the default validator, SPIFFE validator only matches **URI** SAN (which equals to SVID in SPIFFE terminology) and ignore other SAN types. -// -message SPIFFECertValidatorConfig { - option (udpa.annotations.versioning).previous_message_type = - "envoy.extensions.transport_sockets.tls.v3.SPIFFECertValidatorConfig"; - - message TrustDomain { - option (udpa.annotations.versioning).previous_message_type = - "envoy.extensions.transport_sockets.tls.v3.SPIFFECertValidatorConfig.TrustDomain"; - - // Name of the trust domain, `example.com`, `foo.bar.gov` for example. - // Note that this must *not* have "spiffe://" prefix. - string name = 1 [(validate.rules).string = {min_len: 1}]; - - // Specify a data source holding x.509 trust bundle used for validating incoming SVID(s) in this trust domain. - config.core.v4alpha.DataSource trust_bundle = 2; - } - - // This field specifies trust domains used for validating incoming X.509-SVID(s). - repeated TrustDomain trust_domains = 1 [(validate.rules).repeated = {min_items: 1}]; -} diff --git a/generated_api_shadow/envoy/extensions/upstreams/http/v4alpha/BUILD b/generated_api_shadow/envoy/extensions/upstreams/http/v4alpha/BUILD deleted file mode 100644 index 3b00c0d6e6f2..000000000000 --- a/generated_api_shadow/envoy/extensions/upstreams/http/v4alpha/BUILD +++ /dev/null @@ -1,13 +0,0 @@ -# DO NOT EDIT. This file is generated by tools/proto_format/proto_sync.py. - -load("@envoy_api//bazel:api_build_system.bzl", "api_proto_package") - -licenses(["notice"]) # Apache 2 - -api_proto_package( - deps = [ - "//envoy/config/core/v4alpha:pkg", - "//envoy/extensions/upstreams/http/v3:pkg", - "@com_github_cncf_udpa//udpa/annotations:pkg", - ], -) diff --git a/generated_api_shadow/envoy/extensions/upstreams/http/v4alpha/http_protocol_options.proto b/generated_api_shadow/envoy/extensions/upstreams/http/v4alpha/http_protocol_options.proto deleted file mode 100644 index d69966ef92d3..000000000000 
--- a/generated_api_shadow/envoy/extensions/upstreams/http/v4alpha/http_protocol_options.proto +++ /dev/null 
@@ -1,164 +0,0 @@ -syntax = "proto3"; - -package envoy.extensions.upstreams.http.v4alpha; - -import "envoy/config/core/v4alpha/protocol.proto"; - -import "udpa/annotations/status.proto"; -import "udpa/annotations/versioning.proto"; -import "validate/validate.proto"; - -option java_package = "io.envoyproxy.envoy.extensions.upstreams.http.v4alpha"; -option java_outer_classname = "HttpProtocolOptionsProto"; -option java_multiple_files = true; -option (udpa.annotations.file_status).package_version_status = NEXT_MAJOR_VERSION_CANDIDATE; - -// [#protodoc-title: HTTP Protocol Options] -// [#extension: envoy.upstreams.http.http_protocol_options] - -// HttpProtocolOptions specifies Http upstream protocol options. This object -// is used in -// :ref:`typed_extension_protocol_options`, -// keyed by the name `envoy.extensions.upstreams.http.v3.HttpProtocolOptions`. -// -// This controls what protocol(s) should be used for upstream and how said protocol(s) are configured. -// -// This replaces the prior pattern of explicit protocol configuration directly -// in the cluster. So a configuration like this, explicitly configuring the use of HTTP/2 upstream: -// -// .. code:: -// -// clusters: -// - name: some_service -// connect_timeout: 5s -// upstream_http_protocol_options: -// auto_sni: true -// common_http_protocol_options: -// idle_timeout: 1s -// http2_protocol_options: -// max_concurrent_streams: 100 -// .... [further cluster config] -// -// Would now look like this: -// -// .. code:: -// -// clusters: -// - name: some_service -// connect_timeout: 5s -// typed_extension_protocol_options: -// envoy.extensions.upstreams.http.v3.HttpProtocolOptions: -// "@type": type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions -// upstream_http_protocol_options: -// auto_sni: true -// common_http_protocol_options: -// idle_timeout: 1s -// explicit_http_config: -// http2_protocol_options: -// max_concurrent_streams: 100 -// .... 
[further cluster config] -// [#next-free-field: 6] -message HttpProtocolOptions { - option (udpa.annotations.versioning).previous_message_type = - "envoy.extensions.upstreams.http.v3.HttpProtocolOptions"; - - // If this is used, the cluster will only operate on one of the possible upstream protocols. - // Note that HTTP/2 or above should generally be used for upstream gRPC clusters. - message ExplicitHttpConfig { - option (udpa.annotations.versioning).previous_message_type = - "envoy.extensions.upstreams.http.v3.HttpProtocolOptions.ExplicitHttpConfig"; - - oneof protocol_config { - option (validate.required) = true; - - config.core.v4alpha.Http1ProtocolOptions http_protocol_options = 1; - - config.core.v4alpha.Http2ProtocolOptions http2_protocol_options = 2; - - // .. warning:: - // QUIC support is currently alpha and should be used with caution. Please - // see :ref:`here ` for details. - config.core.v4alpha.Http3ProtocolOptions http3_protocol_options = 3; - } - } - - // If this is used, the cluster can use either of the configured protocols, and - // will use whichever protocol was used by the downstream connection. - // - // If HTTP/3 is configured for downstream and not configured for upstream, - // HTTP/3 requests will fail over to HTTP/2. - message UseDownstreamHttpConfig { - option (udpa.annotations.versioning).previous_message_type = - "envoy.extensions.upstreams.http.v3.HttpProtocolOptions.UseDownstreamHttpConfig"; - - config.core.v4alpha.Http1ProtocolOptions http_protocol_options = 1; - - config.core.v4alpha.Http2ProtocolOptions http2_protocol_options = 2; - - // .. warning:: - // QUIC support is currently alpha and should be used with caution. Please - // see :ref:`here ` for details. - config.core.v4alpha.Http3ProtocolOptions http3_protocol_options = 3; - } - - // If this is used, the cluster can use either HTTP/1 or HTTP/2, and will use whichever - // protocol is negotiated by ALPN with the upstream. 
- // Clusters configured with *AutoHttpConfig* will use the highest available - // protocol; HTTP/2 if supported, otherwise HTTP/1. - // If the upstream does not support ALPN, *AutoHttpConfig* will fail over to HTTP/1. - // This can only be used with transport sockets which support ALPN. Using a - // transport socket which does not support ALPN will result in configuration - // failure. The transport layer may be configured with custom ALPN, but the default ALPN - // for the cluster (or if custom ALPN fails) will be "h2,http/1.1". - message AutoHttpConfig { - option (udpa.annotations.versioning).previous_message_type = - "envoy.extensions.upstreams.http.v3.HttpProtocolOptions.AutoHttpConfig"; - - config.core.v4alpha.Http1ProtocolOptions http_protocol_options = 1; - - config.core.v4alpha.Http2ProtocolOptions http2_protocol_options = 2; - - // Unlike HTTP/1 and HTTP/2, HTTP/3 will not be configured unless it is - // present, and (soon) only if there is an indication of server side - // support. - // See :ref:`here ` for more information on - // when HTTP/3 will be used, and when Envoy will fail over to TCP. - // - // .. warning:: - // QUIC support is currently alpha and should be used with caution. Please - // see :ref:`here ` for details. - // AutoHttpConfig config is undergoing especially rapid change and as it - // is alpha is not guaranteed to be API-stable. - config.core.v4alpha.Http3ProtocolOptions http3_protocol_options = 3; - - // [#not-implemented-hide:] - // The presence of alternate protocols cache options causes the use of the - // alternate protocols cache, which is responsible for parsing and caching - // HTTP Alt-Svc headers. This enables the use of HTTP/3 for origins that - // advertise supporting it. - // TODO(RyanTheOptimist): Make this field required when HTTP/3 is enabled. 
- config.core.v4alpha.AlternateProtocolsCacheOptions alternate_protocols_cache_options = 4; - } - - // This contains options common across HTTP/1 and HTTP/2 - config.core.v4alpha.HttpProtocolOptions common_http_protocol_options = 1; - - // This contains common protocol options which are only applied upstream. - config.core.v4alpha.UpstreamHttpProtocolOptions upstream_http_protocol_options = 2; - - // This controls the actual protocol to be used upstream. - oneof upstream_protocol_options { - option (validate.required) = true; - - // To explicitly configure either HTTP/1 or HTTP/2 (but not both!) use *explicit_http_config*. - // If the *explicit_http_config* is empty, HTTP/1.1 is used. - ExplicitHttpConfig explicit_http_config = 3; - - // This allows switching on protocol based on what protocol the downstream - // connection used. - UseDownstreamHttpConfig use_downstream_protocol_config = 4; - - // This allows switching on protocol based on ALPN - AutoHttpConfig auto_config = 5; - } -} diff --git a/generated_api_shadow/envoy/service/accesslog/v4alpha/BUILD b/generated_api_shadow/envoy/service/accesslog/v4alpha/BUILD deleted file mode 100644 index 94c70bc66967..000000000000 --- a/generated_api_shadow/envoy/service/accesslog/v4alpha/BUILD +++ /dev/null @@ -1,15 +0,0 @@ -# DO NOT EDIT. This file is generated by tools/proto_format/proto_sync.py. - -load("@envoy_api//bazel:api_build_system.bzl", "api_proto_package") - -licenses(["notice"]) # Apache 2 - -api_proto_package( - has_services = True, - deps = [ - "//envoy/config/core/v4alpha:pkg", - "//envoy/data/accesslog/v3:pkg", - "//envoy/service/accesslog/v3:pkg", - "@com_github_cncf_udpa//udpa/annotations:pkg", - ], -) diff --git a/generated_api_shadow/envoy/service/accesslog/v4alpha/als.proto b/generated_api_shadow/envoy/service/accesslog/v4alpha/als.proto deleted file mode 100644 index ab0ba0e15213..000000000000 --- a/generated_api_shadow/envoy/service/accesslog/v4alpha/als.proto +++ /dev/null 
@@ -1,87 +0,0 @@ -syntax = "proto3"; - -package envoy.service.accesslog.v4alpha; - -import "envoy/config/core/v4alpha/base.proto"; -import "envoy/data/accesslog/v3/accesslog.proto"; - -import "udpa/annotations/status.proto"; -import "udpa/annotations/versioning.proto"; -import "validate/validate.proto"; - -option java_package = "io.envoyproxy.envoy.service.accesslog.v4alpha"; -option java_outer_classname = "AlsProto"; -option java_multiple_files = true; -option java_generic_services = true; -option (udpa.annotations.file_status).package_version_status = NEXT_MAJOR_VERSION_CANDIDATE; - -// [#protodoc-title: gRPC Access Log Service (ALS)] - -// Service for streaming access logs from Envoy to an access log server. -service AccessLogService { - // Envoy will connect and send StreamAccessLogsMessage messages forever. It does not expect any - // response to be sent as nothing would be done in the case of failure. The server should - // disconnect if it expects Envoy to reconnect. In the future we may decide to add a different - // API for "critical" access logs in which Envoy will buffer access logs for some period of time - // until it gets an ACK so it could then retry. This API is designed for high throughput with the - // expectation that it might be lossy. - rpc StreamAccessLogs(stream StreamAccessLogsMessage) returns (StreamAccessLogsResponse) { - } -} - -// Empty response for the StreamAccessLogs API. Will never be sent. See below. -message StreamAccessLogsResponse { - option (udpa.annotations.versioning).previous_message_type = - "envoy.service.accesslog.v3.StreamAccessLogsResponse"; -} - -// Stream message for the StreamAccessLogs API. Envoy will open a stream to the server and stream -// access logs without ever expecting a response. 
-message StreamAccessLogsMessage { - option (udpa.annotations.versioning).previous_message_type = - "envoy.service.accesslog.v3.StreamAccessLogsMessage"; - - message Identifier { - option (udpa.annotations.versioning).previous_message_type = - "envoy.service.accesslog.v3.StreamAccessLogsMessage.Identifier"; - - // The node sending the access log messages over the stream. - config.core.v4alpha.Node node = 1 [(validate.rules).message = {required: true}]; - - // The friendly name of the log configured in :ref:`CommonGrpcAccessLogConfig - // `. - string log_name = 2 [(validate.rules).string = {min_len: 1}]; - } - - // Wrapper for batches of HTTP access log entries. - message HTTPAccessLogEntries { - option (udpa.annotations.versioning).previous_message_type = - "envoy.service.accesslog.v3.StreamAccessLogsMessage.HTTPAccessLogEntries"; - - repeated data.accesslog.v3.HTTPAccessLogEntry log_entry = 1 - [(validate.rules).repeated = {min_items: 1}]; - } - - // Wrapper for batches of TCP access log entries. - message TCPAccessLogEntries { - option (udpa.annotations.versioning).previous_message_type = - "envoy.service.accesslog.v3.StreamAccessLogsMessage.TCPAccessLogEntries"; - - repeated data.accesslog.v3.TCPAccessLogEntry log_entry = 1 - [(validate.rules).repeated = {min_items: 1}]; - } - - // Identifier data that will only be sent in the first message on the stream. This is effectively - // structured metadata and is a performance optimization. - Identifier identifier = 1; - - // Batches of log entries of a single type. Generally speaking, a given stream should only - // ever include one type of log entry. - oneof log_entries { - option (validate.required) = true; - - HTTPAccessLogEntries http_logs = 2; - - TCPAccessLogEntries tcp_logs = 3; - } -} diff --git a/generated_api_shadow/envoy/service/auth/v4alpha/BUILD b/generated_api_shadow/envoy/service/auth/v4alpha/BUILD deleted file mode 100644 index 5a172e093202..000000000000 
--- a/generated_api_shadow/envoy/service/auth/v4alpha/BUILD +++ /dev/null @@ -1,16 +0,0 @@ -# DO NOT EDIT. This file is generated by tools/proto_format/proto_sync.py. - -load("@envoy_api//bazel:api_build_system.bzl", "api_proto_package") - -licenses(["notice"]) # Apache 2 - -api_proto_package( - has_services = True, - deps = [ - "//envoy/annotations:pkg", - "//envoy/config/core/v4alpha:pkg", - "//envoy/service/auth/v3:pkg", - "//envoy/type/v3:pkg", - "@com_github_cncf_udpa//udpa/annotations:pkg", - ], -) diff --git a/generated_api_shadow/envoy/service/auth/v4alpha/attribute_context.proto b/generated_api_shadow/envoy/service/auth/v4alpha/attribute_context.proto deleted file mode 100644 index eed7a2e704ad..000000000000 --- a/generated_api_shadow/envoy/service/auth/v4alpha/attribute_context.proto +++ /dev/null 
@@ -1,177 +0,0 @@ -syntax = "proto3"; - -package envoy.service.auth.v4alpha; - -import "envoy/config/core/v4alpha/address.proto"; -import "envoy/config/core/v4alpha/base.proto"; - -import "google/protobuf/timestamp.proto"; - -import "udpa/annotations/status.proto"; -import "udpa/annotations/versioning.proto"; - -option java_package = "io.envoyproxy.envoy.service.auth.v4alpha"; -option java_outer_classname = "AttributeContextProto"; -option java_multiple_files = true; -option (udpa.annotations.file_status).package_version_status = NEXT_MAJOR_VERSION_CANDIDATE; - -// [#protodoc-title: Attribute Context ] - -// See :ref:`network filter configuration overview ` -// and :ref:`HTTP filter configuration overview `. - -// An attribute is a piece of metadata that describes an activity on a network. -// For example, the size of an HTTP request, or the status code of an HTTP response. -// -// Each attribute has a type and a name, which is logically defined as a proto message field -// of the `AttributeContext`. The `AttributeContext` is a collection of individual attributes -// supported by Envoy authorization system. -// [#comment: The following items are left out of this proto -// Request.Auth field for jwt tokens -// Request.Api for api management -// Origin peer that originated the request -// Caching Protocol -// request_context return values to inject back into the filter chain -// peer.claims -- from X.509 extensions -// Configuration -// - field mask to send -// - which return values from request_context are copied back -// - which return values are copied into request_headers] -// [#next-free-field: 12] -message AttributeContext { - option (udpa.annotations.versioning).previous_message_type = - "envoy.service.auth.v3.AttributeContext"; - - // This message defines attributes for a node that handles a network request. - // The node can be either a service or an application that sends, forwards, - // or receives the request. 
Service peers should fill in the `service`, - // `principal`, and `labels` as appropriate. - // [#next-free-field: 6] - message Peer { - option (udpa.annotations.versioning).previous_message_type = - "envoy.service.auth.v3.AttributeContext.Peer"; - - // The address of the peer, this is typically the IP address. - // It can also be UDS path, or others. - config.core.v4alpha.Address address = 1; - - // The canonical service name of the peer. - // It should be set to :ref:`the HTTP x-envoy-downstream-service-cluster - // ` - // If a more trusted source of the service name is available through mTLS/secure naming, it - // should be used. - string service = 2; - - // The labels associated with the peer. - // These could be pod labels for Kubernetes or tags for VMs. - // The source of the labels could be an X.509 certificate or other configuration. - map labels = 3; - - // The authenticated identity of this peer. - // For example, the identity associated with the workload such as a service account. - // If an X.509 certificate is used to assert the identity this field should be sourced from - // `URI Subject Alternative Names`, `DNS Subject Alternate Names` or `Subject` in that order. - // The primary identity should be the principal. The principal format is issuer specific. - // - // Example: - // * SPIFFE format is `spiffe://trust-domain/path` - // * Google account format is `https://accounts.google.com/{userid}` - string principal = 4; - - // The X.509 certificate used to authenticate the identify of this peer. - // When present, the certificate contents are encoded in URL and PEM format. - string certificate = 5; - } - - // Represents a network request, such as an HTTP request. - message Request { - option (udpa.annotations.versioning).previous_message_type = - "envoy.service.auth.v3.AttributeContext.Request"; - - // The timestamp when the proxy receives the first byte of the request. 
- google.protobuf.Timestamp time = 1; - - // Represents an HTTP request or an HTTP-like request. - HttpRequest http = 2; - } - - // This message defines attributes for an HTTP request. - // HTTP/1.x, HTTP/2, gRPC are all considered as HTTP requests. - // [#next-free-field: 13] - message HttpRequest { - option (udpa.annotations.versioning).previous_message_type = - "envoy.service.auth.v3.AttributeContext.HttpRequest"; - - // The unique ID for a request, which can be propagated to downstream - // systems. The ID should have low probability of collision - // within a single day for a specific service. - // For HTTP requests, it should be X-Request-ID or equivalent. - string id = 1; - - // The HTTP request method, such as `GET`, `POST`. - string method = 2; - - // The HTTP request headers. If multiple headers share the same key, they - // must be merged according to the HTTP spec. All header keys must be - // lower-cased, because HTTP header keys are case-insensitive. - map headers = 3; - - // The request target, as it appears in the first line of the HTTP request. This includes - // the URL path and query-string. No decoding is performed. - string path = 4; - - // The HTTP request `Host` or 'Authority` header value. - string host = 5; - - // The HTTP URL scheme, such as `http` and `https`. - string scheme = 6; - - // This field is always empty, and exists for compatibility reasons. The HTTP URL query is - // included in `path` field. - string query = 7; - - // This field is always empty, and exists for compatibility reasons. The URL fragment is - // not submitted as part of HTTP requests; it is unknowable. - string fragment = 8; - - // The HTTP request size in bytes. If unknown, it must be -1. - int64 size = 9; - - // The network protocol used with the request, such as "HTTP/1.0", "HTTP/1.1", or "HTTP/2". - // - // See :repo:`headers.h:ProtocolStrings ` for a list of all - // possible values. - string protocol = 10; - - // The HTTP request body. 
- string body = 11; - - // The HTTP request body in bytes. This is used instead of - // :ref:`body ` when - // :ref:`pack_as_bytes ` - // is set to true. - bytes raw_body = 12; - } - - // The source of a network activity, such as starting a TCP connection. - // In a multi hop network activity, the source represents the sender of the - // last hop. - Peer source = 1; - - // The destination of a network activity, such as accepting a TCP connection. - // In a multi hop network activity, the destination represents the receiver of - // the last hop. - Peer destination = 2; - - // Represents a network request, such as an HTTP request. - Request request = 4; - - // This is analogous to http_request.headers, however these contents will not be sent to the - // upstream server. Context_extensions provide an extension mechanism for sending additional - // information to the auth server without modifying the proto definition. It maps to the - // internal opaque context in the filter chain. - map context_extensions = 10; - - // Dynamic metadata associated with the request. - config.core.v4alpha.Metadata metadata_context = 11; -} diff --git a/generated_api_shadow/envoy/service/auth/v4alpha/external_auth.proto b/generated_api_shadow/envoy/service/auth/v4alpha/external_auth.proto deleted file mode 100644 index f2a2cfe6c61c..000000000000 --- a/generated_api_shadow/envoy/service/auth/v4alpha/external_auth.proto +++ /dev/null 
@@ -1,134 +0,0 @@ -syntax = "proto3"; - -package envoy.service.auth.v4alpha; - -import "envoy/config/core/v4alpha/base.proto"; -import "envoy/service/auth/v4alpha/attribute_context.proto"; -import "envoy/type/v3/http_status.proto"; - -import "google/protobuf/struct.proto"; -import "google/rpc/status.proto"; - -import "envoy/annotations/deprecation.proto"; -import "udpa/annotations/status.proto"; -import "udpa/annotations/versioning.proto"; -import "validate/validate.proto"; - -option java_package = "io.envoyproxy.envoy.service.auth.v4alpha"; -option java_outer_classname = "ExternalAuthProto"; -option java_multiple_files = true; -option java_generic_services = true; -option (udpa.annotations.file_status).package_version_status = NEXT_MAJOR_VERSION_CANDIDATE; - -// [#protodoc-title: Authorization Service ] - -// The authorization service request messages used by external authorization :ref:`network filter -// ` and :ref:`HTTP filter `. - -// A generic interface for performing authorization check on incoming -// requests to a networked service. -service Authorization { - // Performs authorization check based on the attributes associated with the - // incoming request, and returns status `OK` or not `OK`. - rpc Check(CheckRequest) returns (CheckResponse) { - } -} - -message CheckRequest { - option (udpa.annotations.versioning).previous_message_type = "envoy.service.auth.v3.CheckRequest"; - - // The request attributes. - AttributeContext attributes = 1; -} - -// HTTP attributes for a denied response. -message DeniedHttpResponse { - option (udpa.annotations.versioning).previous_message_type = - "envoy.service.auth.v3.DeniedHttpResponse"; - - // This field allows the authorization service to send a HTTP response status - // code to the downstream client other than 403 (Forbidden). - type.v3.HttpStatus status = 1 [(validate.rules).message = {required: true}]; - - // This field allows the authorization service to send HTTP response headers - // to the downstream client. 
Note that the :ref:`append field in HeaderValueOption ` defaults to - // false when used in this message. - repeated config.core.v4alpha.HeaderValueOption headers = 2; - - // This field allows the authorization service to send a response body data - // to the downstream client. - string body = 3; -} - -// HTTP attributes for an OK response. -// [#next-free-field: 7] -message OkHttpResponse { - option (udpa.annotations.versioning).previous_message_type = - "envoy.service.auth.v3.OkHttpResponse"; - - // HTTP entity headers in addition to the original request headers. This allows the authorization - // service to append, to add or to override headers from the original request before - // dispatching it to the upstream. Note that the :ref:`append field in HeaderValueOption ` defaults to - // false when used in this message. By setting the `append` field to `true`, - // the filter will append the correspondent header value to the matched request header. - // By leaving `append` as false, the filter will either add a new header, or override an existing - // one if there is a match. - repeated config.core.v4alpha.HeaderValueOption headers = 2; - - // HTTP entity headers to remove from the original request before dispatching - // it to the upstream. This allows the authorization service to act on auth - // related headers (like `Authorization`), process them, and consume them. - // Under this model, the upstream will either receive the request (if it's - // authorized) or not receive it (if it's not), but will not see headers - // containing authorization credentials. - // - // Pseudo headers (such as `:authority`, `:method`, `:path` etc), as well as - // the header `Host`, may not be removed as that would make the request - // malformed. If mentioned in `headers_to_remove` these special headers will - // be ignored. 
- // - // When using the HTTP service this must instead be set by the HTTP - // authorization service as a comma separated list like so: - // ``x-envoy-auth-headers-to-remove: one-auth-header, another-auth-header``. - repeated string headers_to_remove = 5; - - // This field has been deprecated in favor of :ref:`CheckResponse.dynamic_metadata - // `. Until it is removed, - // setting this field overrides :ref:`CheckResponse.dynamic_metadata - // `. - google.protobuf.Struct hidden_envoy_deprecated_dynamic_metadata = 3 - [deprecated = true, (envoy.annotations.deprecated_at_minor_version) = "3.0"]; - - // This field allows the authorization service to send HTTP response headers - // to the downstream client on success. Note that the :ref:`append field in HeaderValueOption ` - // defaults to false when used in this message. - repeated config.core.v4alpha.HeaderValueOption response_headers_to_add = 6; -} - -// Intended for gRPC and Network Authorization servers `only`. -message CheckResponse { - option (udpa.annotations.versioning).previous_message_type = - "envoy.service.auth.v3.CheckResponse"; - - // Status `OK` allows the request. Any other status indicates the request should be denied. - google.rpc.Status status = 1; - - // An message that contains HTTP response attributes. This message is - // used when the authorization service needs to send custom responses to the - // downstream client or, to modify/add request headers being dispatched to the upstream. - oneof http_response { - // Supplies http attributes for a denied response. - DeniedHttpResponse denied_response = 2; - - // Supplies http attributes for an ok response. - OkHttpResponse ok_response = 3; - } - - // Optional response metadata that will be emitted as dynamic metadata to be consumed by the next - // filter. This metadata lives in a namespace specified by the canonical name of extension filter - // that requires it: - // - // - :ref:`envoy.filters.http.ext_authz ` for HTTP filter. 
- // - :ref:`envoy.filters.network.ext_authz ` for network filter. - google.protobuf.Struct dynamic_metadata = 4; -} diff --git a/generated_api_shadow/envoy/service/discovery/v4alpha/BUILD b/generated_api_shadow/envoy/service/discovery/v4alpha/BUILD deleted file mode 100644 index 2de065dc5b39..000000000000 --- a/generated_api_shadow/envoy/service/discovery/v4alpha/BUILD +++ /dev/null @@ -1,14 +0,0 @@ -# DO NOT EDIT. This file is generated by tools/proto_format/proto_sync.py. - -load("@envoy_api//bazel:api_build_system.bzl", "api_proto_package") - -licenses(["notice"]) # Apache 2 - -api_proto_package( - has_services = True, - deps = [ - "//envoy/config/core/v4alpha:pkg", - "//envoy/service/discovery/v3:pkg", - "@com_github_cncf_udpa//udpa/annotations:pkg", - ], -) diff --git a/generated_api_shadow/envoy/service/discovery/v4alpha/ads.proto b/generated_api_shadow/envoy/service/discovery/v4alpha/ads.proto deleted file mode 100644 index 41435811bd17..000000000000 --- a/generated_api_shadow/envoy/service/discovery/v4alpha/ads.proto +++ /dev/null 
@@ -1,44 +0,0 @@ -syntax = "proto3"; - -package envoy.service.discovery.v4alpha; - -import "envoy/service/discovery/v4alpha/discovery.proto"; - -import "udpa/annotations/status.proto"; -import "udpa/annotations/versioning.proto"; - -option java_package = "io.envoyproxy.envoy.service.discovery.v4alpha"; -option java_outer_classname = "AdsProto"; -option java_multiple_files = true; -option java_generic_services = true; -option (udpa.annotations.file_status).package_version_status = NEXT_MAJOR_VERSION_CANDIDATE; - -// [#protodoc-title: Aggregated Discovery Service (ADS)] - -// [#not-implemented-hide:] Discovery services for endpoints, clusters, routes, -// and listeners are retained in the package `envoy.api.v2` for backwards -// compatibility with existing management servers. New development in discovery -// services should proceed in the package `envoy.service.discovery.v2`. - -// See https://github.com/lyft/envoy-api#apis for a description of the role of -// ADS and how it is intended to be used by a management server. ADS requests -// have the same structure as their singleton xDS counterparts, but can -// multiplex many resource types on a single stream. The type_url in the -// DiscoveryRequest/DiscoveryResponse provides sufficient information to recover -// the multiplexed singleton APIs at the Envoy instance and management server. -service AggregatedDiscoveryService { - // This is a gRPC-only API. - rpc StreamAggregatedResources(stream DiscoveryRequest) returns (stream DiscoveryResponse) { - } - - rpc DeltaAggregatedResources(stream DeltaDiscoveryRequest) - returns (stream DeltaDiscoveryResponse) { - } -} - -// [#not-implemented-hide:] Not configuration. Workaround c++ protobuf issue with importing -// services: https://github.com/google/protobuf/issues/4221 -message AdsDummy { - option (udpa.annotations.versioning).previous_message_type = - "envoy.service.discovery.v3.AdsDummy"; -} 
diff --git a/generated_api_shadow/envoy/service/discovery/v4alpha/discovery.proto b/generated_api_shadow/envoy/service/discovery/v4alpha/discovery.proto
deleted file mode 100644
index bf8d48fc7a37..000000000000
--- a/generated_api_shadow/envoy/service/discovery/v4alpha/discovery.proto
+++ /dev/null
@@ -1,286 +0,0 @@ -syntax = "proto3"; - -package envoy.service.discovery.v4alpha; - -import "envoy/config/core/v4alpha/base.proto"; - -import "google/protobuf/any.proto"; -import "google/protobuf/duration.proto"; -import "google/rpc/status.proto"; - -import "udpa/annotations/status.proto"; -import "udpa/annotations/versioning.proto"; - -option java_package = "io.envoyproxy.envoy.service.discovery.v4alpha"; -option java_outer_classname = "DiscoveryProto"; -option java_multiple_files = true; -option (udpa.annotations.file_status).package_version_status = NEXT_MAJOR_VERSION_CANDIDATE; - -// [#protodoc-title: Common discovery API components] - -// A DiscoveryRequest requests a set of versioned resources of the same type for -// a given Envoy node on some API. -// [#next-free-field: 7] -message DiscoveryRequest { - option (udpa.annotations.versioning).previous_message_type = - "envoy.service.discovery.v3.DiscoveryRequest"; - - // The version_info provided in the request messages will be the version_info - // received with the most recent successfully processed response or empty on - // the first request. It is expected that no new request is sent after a - // response is received until the Envoy instance is ready to ACK/NACK the new - // configuration. ACK/NACK takes place by returning the new API config version - // as applied or the previous API config version respectively. Each type_url - // (see below) has an independent version associated with it. - string version_info = 1; - - // The node making the request. - config.core.v4alpha.Node node = 2; - - // List of resources to subscribe to, e.g. list of cluster names or a route - // configuration name. If this is empty, all resources for the API are - // returned. LDS/CDS may have empty resource_names, which will cause all - // resources for the Envoy instance to be returned. 
The LDS and CDS responses - // will then imply a number of resources that need to be fetched via EDS/RDS, - // which will be explicitly enumerated in resource_names. - repeated string resource_names = 3; - - // Type of the resource that is being requested, e.g. - // "type.googleapis.com/envoy.api.v2.ClusterLoadAssignment". This is implicit - // in requests made via singleton xDS APIs such as CDS, LDS, etc. but is - // required for ADS. - string type_url = 4; - - // nonce corresponding to DiscoveryResponse being ACK/NACKed. See above - // discussion on version_info and the DiscoveryResponse nonce comment. This - // may be empty only if 1) this is a non-persistent-stream xDS such as HTTP, - // or 2) the client has not yet accepted an update in this xDS stream (unlike - // delta, where it is populated only for new explicit ACKs). - string response_nonce = 5; - - // This is populated when the previous :ref:`DiscoveryResponse ` - // failed to update configuration. The *message* field in *error_details* provides the Envoy - // internal exception related to the failure. It is only intended for consumption during manual - // debugging, the string provided is not guaranteed to be stable across Envoy versions. - google.rpc.Status error_detail = 6; -} - -// [#next-free-field: 7] -message DiscoveryResponse { - option (udpa.annotations.versioning).previous_message_type = - "envoy.service.discovery.v3.DiscoveryResponse"; - - // The version of the response data. - string version_info = 1; - - // The response resources. These resources are typed and depend on the API being called. - repeated google.protobuf.Any resources = 2; - - // [#not-implemented-hide:] - // Canary is used to support two Envoy command line flags: - // - // * --terminate-on-canary-transition-failure. When set, Envoy is able to - // terminate if it detects that configuration is stuck at canary. Consider - // this example sequence of updates: - // - Management server applies a canary config successfully. 
- // - Management server rolls back to a production config. - // - Envoy rejects the new production config. - // Since there is no sensible way to continue receiving configuration - // updates, Envoy will then terminate and apply production config from a - // clean slate. - // * --dry-run-canary. When set, a canary response will never be applied, only - // validated via a dry run. - bool canary = 3; - - // Type URL for resources. Identifies the xDS API when muxing over ADS. - // Must be consistent with the type_url in the 'resources' repeated Any (if non-empty). - string type_url = 4; - - // For gRPC based subscriptions, the nonce provides a way to explicitly ack a - // specific DiscoveryResponse in a following DiscoveryRequest. Additional - // messages may have been sent by Envoy to the management server for the - // previous version on the stream prior to this DiscoveryResponse, that were - // unprocessed at response send time. The nonce allows the management server - // to ignore any further DiscoveryRequests for the previous version until a - // DiscoveryRequest bearing the nonce. The nonce is optional and is not - // required for non-stream based xDS implementations. - string nonce = 5; - - // The control plane instance that sent the response. - config.core.v4alpha.ControlPlane control_plane = 6; -} - -// DeltaDiscoveryRequest and DeltaDiscoveryResponse are used in a new gRPC -// endpoint for Delta xDS. -// -// With Delta xDS, the DeltaDiscoveryResponses do not need to include a full -// snapshot of the tracked resources. Instead, DeltaDiscoveryResponses are a -// diff to the state of a xDS client. -// In Delta XDS there are per-resource versions, which allow tracking state at -// the resource granularity. -// An xDS Delta session is always in the context of a gRPC bidirectional -// stream. This allows the xDS server to keep track of the state of xDS clients -// connected to it. 
-// -// In Delta xDS the nonce field is required and used to pair -// DeltaDiscoveryResponse to a DeltaDiscoveryRequest ACK or NACK. -// Optionally, a response message level system_version_info is present for -// debugging purposes only. -// -// DeltaDiscoveryRequest plays two independent roles. Any DeltaDiscoveryRequest -// can be either or both of: [1] informing the server of what resources the -// client has gained/lost interest in (using resource_names_subscribe and -// resource_names_unsubscribe), or [2] (N)ACKing an earlier resource update from -// the server (using response_nonce, with presence of error_detail making it a NACK). -// Additionally, the first message (for a given type_url) of a reconnected gRPC stream -// has a third role: informing the server of the resources (and their versions) -// that the client already possesses, using the initial_resource_versions field. -// -// As with state-of-the-world, when multiple resource types are multiplexed (ADS), -// all requests/acknowledgments/updates are logically walled off by type_url: -// a Cluster ACK exists in a completely separate world from a prior Route NACK. -// In particular, initial_resource_versions being sent at the "start" of every -// gRPC stream actually entails a message for each type_url, each with its own -// initial_resource_versions. -// [#next-free-field: 8] -message DeltaDiscoveryRequest { - option (udpa.annotations.versioning).previous_message_type = - "envoy.service.discovery.v3.DeltaDiscoveryRequest"; - - // The node making the request. - config.core.v4alpha.Node node = 1; - - // Type of the resource that is being requested, e.g. - // "type.googleapis.com/envoy.api.v2.ClusterLoadAssignment". This does not need to be set if - // resources are only referenced via *xds_resource_subscribe* and - // *xds_resources_unsubscribe*. 
- string type_url = 2; - - // DeltaDiscoveryRequests allow the client to add or remove individual - // resources to the set of tracked resources in the context of a stream. - // All resource names in the resource_names_subscribe list are added to the - // set of tracked resources and all resource names in the resource_names_unsubscribe - // list are removed from the set of tracked resources. - // - // *Unlike* state-of-the-world xDS, an empty resource_names_subscribe or - // resource_names_unsubscribe list simply means that no resources are to be - // added or removed to the resource list. - // *Like* state-of-the-world xDS, the server must send updates for all tracked - // resources, but can also send updates for resources the client has not subscribed to. - // - // NOTE: the server must respond with all resources listed in resource_names_subscribe, - // even if it believes the client has the most recent version of them. The reason: - // the client may have dropped them, but then regained interest before it had a chance - // to send the unsubscribe message. See DeltaSubscriptionStateTest.RemoveThenAdd. - // - // These two fields can be set in any DeltaDiscoveryRequest, including ACKs - // and initial_resource_versions. - // - // A list of Resource names to add to the list of tracked resources. - repeated string resource_names_subscribe = 3; - - // A list of Resource names to remove from the list of tracked resources. - repeated string resource_names_unsubscribe = 4; - - // Informs the server of the versions of the resources the xDS client knows of, to enable the - // client to continue the same logical xDS session even in the face of gRPC stream reconnection. - // It will not be populated: [1] in the very first stream of a session, since the client will - // not yet have any resources, [2] in any message after the first in a stream (for a given - // type_url), since the server will already be correctly tracking the client's state. 
- // (In ADS, the first message *of each type_url* of a reconnected stream populates this map.) - // The map's keys are names of xDS resources known to the xDS client. - // The map's values are opaque resource versions. - map initial_resource_versions = 5; - - // When the DeltaDiscoveryRequest is a ACK or NACK message in response - // to a previous DeltaDiscoveryResponse, the response_nonce must be the - // nonce in the DeltaDiscoveryResponse. - // Otherwise (unlike in DiscoveryRequest) response_nonce must be omitted. - string response_nonce = 6; - - // This is populated when the previous :ref:`DiscoveryResponse ` - // failed to update configuration. The *message* field in *error_details* - // provides the Envoy internal exception related to the failure. - google.rpc.Status error_detail = 7; -} - -// [#next-free-field: 8] -message DeltaDiscoveryResponse { - option (udpa.annotations.versioning).previous_message_type = - "envoy.service.discovery.v3.DeltaDiscoveryResponse"; - - // The version of the response data (used for debugging). - string system_version_info = 1; - - // The response resources. These are typed resources, whose types must match - // the type_url field. - repeated Resource resources = 2; - - // field id 3 IS available! - - // Type URL for resources. Identifies the xDS API when muxing over ADS. - // Must be consistent with the type_url in the Any within 'resources' if 'resources' is non-empty. - string type_url = 4; - - // Resources names of resources that have be deleted and to be removed from the xDS Client. - // Removed resources for missing resources can be ignored. - repeated string removed_resources = 6; - - // The nonce provides a way for DeltaDiscoveryRequests to uniquely - // reference a DeltaDiscoveryResponse when (N)ACKing. The nonce is required. - string nonce = 5; - - // [#not-implemented-hide:] - // The control plane instance that sent the response. 
- config.core.v4alpha.ControlPlane control_plane = 7; -} - -// [#next-free-field: 8] -message Resource { - option (udpa.annotations.versioning).previous_message_type = - "envoy.service.discovery.v3.Resource"; - - // Cache control properties for the resource. - // [#not-implemented-hide:] - message CacheControl { - option (udpa.annotations.versioning).previous_message_type = - "envoy.service.discovery.v3.Resource.CacheControl"; - - // If true, xDS proxies may not cache this resource. - // Note that this does not apply to clients other than xDS proxies, which must cache resources - // for their own use, regardless of the value of this field. - bool do_not_cache = 1; - } - - // The resource's name, to distinguish it from others of the same type of resource. - string name = 3; - - // The aliases are a list of other names that this resource can go by. - repeated string aliases = 4; - - // The resource level version. It allows xDS to track the state of individual - // resources. - string version = 1; - - // The resource being tracked. - google.protobuf.Any resource = 2; - - // Time-to-live value for the resource. For each resource, a timer is started. The timer is - // reset each time the resource is received with a new TTL. If the resource is received with - // no TTL set, the timer is removed for the resource. Upon expiration of the timer, the - // configuration for the resource will be removed. - // - // The TTL can be refreshed or changed by sending a response that doesn't change the resource - // version. In this case the resource field does not need to be populated, which allows for - // light-weight "heartbeat" updates to keep a resource with a TTL alive. - // - // The TTL feature is meant to support configurations that should be removed in the event of - // a management server failure. 
For example, the feature may be used for fault injection - // testing where the fault injection should be terminated in the event that Envoy loses contact - // with the management server. - google.protobuf.Duration ttl = 6; - - // Cache control properties for the resource. - // [#not-implemented-hide:] - CacheControl cache_control = 7; -} diff --git a/generated_api_shadow/envoy/service/event_reporting/v4alpha/BUILD b/generated_api_shadow/envoy/service/event_reporting/v4alpha/BUILD deleted file mode 100644 index 7f342132a86d..000000000000 --- a/generated_api_shadow/envoy/service/event_reporting/v4alpha/BUILD +++ /dev/null @@ -1,14 +0,0 @@ -# DO NOT EDIT. This file is generated by tools/proto_format/proto_sync.py. - -load("@envoy_api//bazel:api_build_system.bzl", "api_proto_package") - -licenses(["notice"]) # Apache 2 - -api_proto_package( - has_services = True, - deps = [ - "//envoy/config/core/v4alpha:pkg", - "//envoy/service/event_reporting/v3:pkg", - "@com_github_cncf_udpa//udpa/annotations:pkg", - ], -) diff --git a/generated_api_shadow/envoy/service/event_reporting/v4alpha/event_reporting_service.proto b/generated_api_shadow/envoy/service/event_reporting/v4alpha/event_reporting_service.proto deleted file mode 100644 index 6bff2a09c25b..000000000000 --- a/generated_api_shadow/envoy/service/event_reporting/v4alpha/event_reporting_service.proto +++ /dev/null 
@@ -1,69 +0,0 @@ -syntax = "proto3"; - -package envoy.service.event_reporting.v4alpha; - -import "envoy/config/core/v4alpha/base.proto"; - -import "google/protobuf/any.proto"; - -import "udpa/annotations/status.proto"; -import "udpa/annotations/versioning.proto"; -import "validate/validate.proto"; - -option java_package = "io.envoyproxy.envoy.service.event_reporting.v4alpha"; -option java_outer_classname = "EventReportingServiceProto"; -option java_multiple_files = true; -option java_generic_services = true; -option (udpa.annotations.file_status).package_version_status = NEXT_MAJOR_VERSION_CANDIDATE; - -// [#protodoc-title: gRPC Event Reporting Service] - -// [#not-implemented-hide:] -// Service for streaming different types of events from Envoy to a server. The examples of -// such events may be health check or outlier detection events. -service EventReportingService { - // Envoy will connect and send StreamEventsRequest messages forever. - // The management server may send StreamEventsResponse to configure event stream. See below. - // This API is designed for high throughput with the expectation that it might be lossy. - rpc StreamEvents(stream StreamEventsRequest) returns (stream StreamEventsResponse) { - } -} - -// [#not-implemented-hide:] -// An events envoy sends to the management server. -message StreamEventsRequest { - option (udpa.annotations.versioning).previous_message_type = - "envoy.service.event_reporting.v3.StreamEventsRequest"; - - message Identifier { - option (udpa.annotations.versioning).previous_message_type = - "envoy.service.event_reporting.v3.StreamEventsRequest.Identifier"; - - // The node sending the event messages over the stream. - config.core.v4alpha.Node node = 1 [(validate.rules).message = {required: true}]; - } - - // Identifier data that will only be sent in the first message on the stream. This is effectively - // structured metadata and is a performance optimization. - Identifier identifier = 1; - - // Batch of events. 
When the stream is already active, it will be the events occurred - // since the last message had been sent. If the server receives unknown event type, it should - // silently ignore it. - // - // The following events are supported: - // - // * :ref:`HealthCheckEvent ` - // * :ref:`OutlierDetectionEvent ` - repeated google.protobuf.Any events = 2 [(validate.rules).repeated = {min_items: 1}]; -} - -// [#not-implemented-hide:] -// The management server may send envoy a StreamEventsResponse to tell which events the server -// is interested in. In future, with aggregated event reporting service, this message will -// contain, for example, clusters the envoy should send events for, or event types the server -// wants to process. -message StreamEventsResponse { - option (udpa.annotations.versioning).previous_message_type = - "envoy.service.event_reporting.v3.StreamEventsResponse"; -} diff --git a/generated_api_shadow/envoy/service/health/v4alpha/BUILD b/generated_api_shadow/envoy/service/health/v4alpha/BUILD deleted file mode 100644 index dc88ee92239b..000000000000 --- a/generated_api_shadow/envoy/service/health/v4alpha/BUILD +++ /dev/null @@ -1,17 +0,0 @@ -# DO NOT EDIT. This file is generated by tools/proto_format/proto_sync.py. - -load("@envoy_api//bazel:api_build_system.bzl", "api_proto_package") - -licenses(["notice"]) # Apache 2 - -api_proto_package( - has_services = True, - deps = [ - "//envoy/annotations:pkg", - "//envoy/config/cluster/v4alpha:pkg", - "//envoy/config/core/v4alpha:pkg", - "//envoy/config/endpoint/v4alpha:pkg", - "//envoy/service/health/v3:pkg", - "@com_github_cncf_udpa//udpa/annotations:pkg", - ], -) diff --git a/generated_api_shadow/envoy/service/health/v4alpha/hds.proto b/generated_api_shadow/envoy/service/health/v4alpha/hds.proto deleted file mode 100644 index 6dc6dced37e1..000000000000 --- a/generated_api_shadow/envoy/service/health/v4alpha/hds.proto +++ /dev/null 
@@ -1,199 +0,0 @@ -syntax = "proto3"; - -package envoy.service.health.v4alpha; - -import "envoy/config/cluster/v4alpha/cluster.proto"; -import "envoy/config/core/v4alpha/base.proto"; -import "envoy/config/core/v4alpha/health_check.proto"; -import "envoy/config/endpoint/v4alpha/endpoint_components.proto"; - -import "google/api/annotations.proto"; -import "google/protobuf/duration.proto"; - -import "envoy/annotations/deprecation.proto"; -import "udpa/annotations/status.proto"; -import "udpa/annotations/versioning.proto"; - -option java_package = "io.envoyproxy.envoy.service.health.v4alpha"; -option java_outer_classname = "HdsProto"; -option java_multiple_files = true; -option java_generic_services = true; -option (udpa.annotations.file_status).package_version_status = NEXT_MAJOR_VERSION_CANDIDATE; - -// [#protodoc-title: Health Discovery Service (HDS)] - -// HDS is Health Discovery Service. It compliments Envoy’s health checking -// service by designating this Envoy to be a healthchecker for a subset of hosts -// in the cluster. The status of these health checks will be reported to the -// management server, where it can be aggregated etc and redistributed back to -// Envoy through EDS. -service HealthDiscoveryService { - // 1. Envoy starts up and if its can_healthcheck option in the static - // bootstrap config is enabled, sends HealthCheckRequest to the management - // server. It supplies its capabilities (which protocol it can health check - // with, what zone it resides in, etc.). - // 2. In response to (1), the management server designates this Envoy as a - // healthchecker to health check a subset of all upstream hosts for a given - // cluster (for example upstream Host 1 and Host 2). It streams - // HealthCheckSpecifier messages with cluster related configuration for all - // clusters this Envoy is designated to health check. Subsequent - // HealthCheckSpecifier message will be sent on changes to: - // a. Endpoints to health checks - // b. 
Per cluster configuration change - // 3. Envoy creates a health probe based on the HealthCheck config and sends - // it to endpoint(ip:port) of Host 1 and 2. Based on the HealthCheck - // configuration Envoy waits upon the arrival of the probe response and - // looks at the content of the response to decide whether the endpoint is - // healthy or not. If a response hasn't been received within the timeout - // interval, the endpoint health status is considered TIMEOUT. - // 4. Envoy reports results back in an EndpointHealthResponse message. - // Envoy streams responses as often as the interval configured by the - // management server in HealthCheckSpecifier. - // 5. The management Server collects health statuses for all endpoints in the - // cluster (for all clusters) and uses this information to construct - // EndpointDiscoveryResponse messages. - // 6. Once Envoy has a list of upstream endpoints to send traffic to, it load - // balances traffic to them without additional health checking. It may - // use inline healthcheck (i.e. consider endpoint UNHEALTHY if connection - // failed to a particular endpoint to account for health status propagation - // delay between HDS and EDS). - // By default, can_healthcheck is true. If can_healthcheck is false, Cluster - // configuration may not contain HealthCheck message. - // TODO(htuch): How is can_healthcheck communicated to CDS to ensure the above - // invariant? - // TODO(htuch): Add @amb67's diagram. - rpc StreamHealthCheck(stream HealthCheckRequestOrEndpointHealthResponse) - returns (stream HealthCheckSpecifier) { - } - - // TODO(htuch): Unlike the gRPC version, there is no stream-based binding of - // request/response. Should we add an identifier to the HealthCheckSpecifier - // to bind with the response? 
- rpc FetchHealthCheck(HealthCheckRequestOrEndpointHealthResponse) returns (HealthCheckSpecifier) { - option (google.api.http).post = "/v3/discovery:health_check"; - option (google.api.http).body = "*"; - } -} - -// Defines supported protocols etc, so the management server can assign proper -// endpoints to healthcheck. -message Capability { - option (udpa.annotations.versioning).previous_message_type = "envoy.service.health.v3.Capability"; - - // Different Envoy instances may have different capabilities (e.g. Redis) - // and/or have ports enabled for different protocols. - enum Protocol { - HTTP = 0; - TCP = 1; - REDIS = 2; - } - - repeated Protocol health_check_protocols = 1; -} - -message HealthCheckRequest { - option (udpa.annotations.versioning).previous_message_type = - "envoy.service.health.v3.HealthCheckRequest"; - - config.core.v4alpha.Node node = 1; - - Capability capability = 2; -} - -message EndpointHealth { - option (udpa.annotations.versioning).previous_message_type = - "envoy.service.health.v3.EndpointHealth"; - - config.endpoint.v4alpha.Endpoint endpoint = 1; - - config.core.v4alpha.HealthStatus health_status = 2; -} - -// Group endpoint health by locality under each cluster. -message LocalityEndpointsHealth { - option (udpa.annotations.versioning).previous_message_type = - "envoy.service.health.v3.LocalityEndpointsHealth"; - - config.core.v4alpha.Locality locality = 1; - - repeated EndpointHealth endpoints_health = 2; -} - -// The health status of endpoints in a cluster. The cluster name and locality -// should match the corresponding fields in ClusterHealthCheck message. 
-message ClusterEndpointsHealth { - option (udpa.annotations.versioning).previous_message_type = - "envoy.service.health.v3.ClusterEndpointsHealth"; - - string cluster_name = 1; - - repeated LocalityEndpointsHealth locality_endpoints_health = 2; -} - -message EndpointHealthResponse { - option (udpa.annotations.versioning).previous_message_type = - "envoy.service.health.v3.EndpointHealthResponse"; - - // Deprecated - Flat list of endpoint health information. - repeated EndpointHealth hidden_envoy_deprecated_endpoints_health = 1 - [deprecated = true, (envoy.annotations.deprecated_at_minor_version) = "3.0"]; - - // Organize Endpoint health information by cluster. - repeated ClusterEndpointsHealth cluster_endpoints_health = 2; -} - -message HealthCheckRequestOrEndpointHealthResponse { - option (udpa.annotations.versioning).previous_message_type = - "envoy.service.health.v3.HealthCheckRequestOrEndpointHealthResponse"; - - oneof request_type { - HealthCheckRequest health_check_request = 1; - - EndpointHealthResponse endpoint_health_response = 2; - } -} - -message LocalityEndpoints { - option (udpa.annotations.versioning).previous_message_type = - "envoy.service.health.v3.LocalityEndpoints"; - - config.core.v4alpha.Locality locality = 1; - - repeated config.endpoint.v4alpha.Endpoint endpoints = 2; -} - -// The cluster name and locality is provided to Envoy for the endpoints that it -// health checks to support statistics reporting, logging and debugging by the -// Envoy instance (outside of HDS). For maximum usefulness, it should match the -// same cluster structure as that provided by EDS. 
-message ClusterHealthCheck { - option (udpa.annotations.versioning).previous_message_type = - "envoy.service.health.v3.ClusterHealthCheck"; - - string cluster_name = 1; - - repeated config.core.v4alpha.HealthCheck health_checks = 2; - - repeated LocalityEndpoints locality_endpoints = 3; - - // Optional map that gets filtered by :ref:`health_checks.transport_socket_match_criteria ` - // on connection when health checking. For more details, see - // :ref:`config.cluster.v3.Cluster.transport_socket_matches `. - repeated config.cluster.v4alpha.Cluster.TransportSocketMatch transport_socket_matches = 4; -} - -message HealthCheckSpecifier { - option (udpa.annotations.versioning).previous_message_type = - "envoy.service.health.v3.HealthCheckSpecifier"; - - repeated ClusterHealthCheck cluster_health_checks = 1; - - // The default is 1 second. - google.protobuf.Duration interval = 2; -} - -// [#not-implemented-hide:] Not configuration. Workaround c++ protobuf issue with importing -// services: https://github.com/google/protobuf/issues/4221 and protoxform to upgrade the file. -message HdsDummy { - option (udpa.annotations.versioning).previous_message_type = "envoy.service.health.v3.HdsDummy"; -} diff --git a/generated_api_shadow/envoy/service/load_stats/v4alpha/BUILD b/generated_api_shadow/envoy/service/load_stats/v4alpha/BUILD deleted file mode 100644 index 870673013a0e..000000000000 --- a/generated_api_shadow/envoy/service/load_stats/v4alpha/BUILD +++ /dev/null @@ -1,15 +0,0 @@ -# DO NOT EDIT. This file is generated by tools/proto_format/proto_sync.py. - -load("@envoy_api//bazel:api_build_system.bzl", "api_proto_package") - -licenses(["notice"]) # Apache 2 - -api_proto_package( - has_services = True, - deps = [ - "//envoy/config/core/v4alpha:pkg", - "//envoy/config/endpoint/v4alpha:pkg", - "//envoy/service/load_stats/v3:pkg", - "@com_github_cncf_udpa//udpa/annotations:pkg", - ], -) 
diff --git a/generated_api_shadow/envoy/service/load_stats/v4alpha/lrs.proto b/generated_api_shadow/envoy/service/load_stats/v4alpha/lrs.proto deleted file mode 100644 index 86bbe1318633..000000000000 --- a/generated_api_shadow/envoy/service/load_stats/v4alpha/lrs.proto +++ /dev/null 
@@ -1,102 +0,0 @@ -syntax = "proto3"; - -package envoy.service.load_stats.v4alpha; - -import "envoy/config/core/v4alpha/base.proto"; -import "envoy/config/endpoint/v4alpha/load_report.proto"; - -import "google/protobuf/duration.proto"; - -import "udpa/annotations/status.proto"; -import "udpa/annotations/versioning.proto"; - -option java_package = "io.envoyproxy.envoy.service.load_stats.v4alpha"; -option java_outer_classname = "LrsProto"; -option java_multiple_files = true; -option java_generic_services = true; -option (udpa.annotations.file_status).package_version_status = NEXT_MAJOR_VERSION_CANDIDATE; - -// [#protodoc-title: Load Reporting service (LRS)] - -// Load Reporting Service is an Envoy API to emit load reports. Envoy will initiate a bi-directional -// stream with a management server. Upon connecting, the management server can send a -// :ref:`LoadStatsResponse ` to a node it is -// interested in getting the load reports for. Envoy in this node will start sending -// :ref:`LoadStatsRequest `. This is done periodically -// based on the :ref:`load reporting interval ` -// For details, take a look at the :ref:`Load Reporting Service sandbox example `. - -service LoadReportingService { - // Advanced API to allow for multi-dimensional load balancing by remote - // server. For receiving LB assignments, the steps are: - // 1, The management server is configured with per cluster/zone/load metric - // capacity configuration. The capacity configuration definition is - // outside of the scope of this document. - // 2. Envoy issues a standard {Stream,Fetch}Endpoints request for the clusters - // to balance. - // - // Independently, Envoy will initiate a StreamLoadStats bidi stream with a - // management server: - // 1. Once a connection establishes, the management server publishes a - // LoadStatsResponse for all clusters it is interested in learning load - // stats about. - // 2. 
For each cluster, Envoy load balances incoming traffic to upstream hosts - // based on per-zone weights and/or per-instance weights (if specified) - // based on intra-zone LbPolicy. This information comes from the above - // {Stream,Fetch}Endpoints. - // 3. When upstream hosts reply, they optionally add header with ASCII representation of EndpointLoadMetricStats. - // 4. Envoy aggregates load reports over the period of time given to it in - // LoadStatsResponse.load_reporting_interval. This includes aggregation - // stats Envoy maintains by itself (total_requests, rpc_errors etc.) as - // well as load metrics from upstream hosts. - // 5. When the timer of load_reporting_interval expires, Envoy sends new - // LoadStatsRequest filled with load reports for each cluster. - // 6. The management server uses the load reports from all reported Envoys - // from around the world, computes global assignment and prepares traffic - // assignment destined for each zone Envoys are located in. Goto 2. - rpc StreamLoadStats(stream LoadStatsRequest) returns (stream LoadStatsResponse) { - } -} - -// A load report Envoy sends to the management server. -message LoadStatsRequest { - option (udpa.annotations.versioning).previous_message_type = - "envoy.service.load_stats.v3.LoadStatsRequest"; - - // Node identifier for Envoy instance. - config.core.v4alpha.Node node = 1; - - // A list of load stats to report. - repeated config.endpoint.v4alpha.ClusterStats cluster_stats = 2; -} - -// The management server sends envoy a LoadStatsResponse with all clusters it -// is interested in learning load stats about. -message LoadStatsResponse { - option (udpa.annotations.versioning).previous_message_type = - "envoy.service.load_stats.v3.LoadStatsResponse"; - - // Clusters to report stats for. - // Not populated if *send_all_clusters* is true. - repeated string clusters = 1; - - // If true, the client should send all clusters it knows about. 
- // Only clients that advertise the "envoy.lrs.supports_send_all_clusters" capability in their - // :ref:`client_features` field will honor this field. - bool send_all_clusters = 4; - - // The minimum interval of time to collect stats over. This is only a minimum for two reasons: - // - // 1. There may be some delay from when the timer fires until stats sampling occurs. - // 2. For clusters that were already feature in the previous *LoadStatsResponse*, any traffic - // that is observed in between the corresponding previous *LoadStatsRequest* and this - // *LoadStatsResponse* will also be accumulated and billed to the cluster. This avoids a period - // of inobservability that might otherwise exists between the messages. New clusters are not - // subject to this consideration. - google.protobuf.Duration load_reporting_interval = 2; - - // Set to *true* if the management server supports endpoint granularity - // report. - bool report_endpoint_granularity = 3; -} diff --git a/generated_api_shadow/envoy/service/metrics/v4alpha/BUILD b/generated_api_shadow/envoy/service/metrics/v4alpha/BUILD deleted file mode 100644 index 285d31cf31d4..000000000000 --- a/generated_api_shadow/envoy/service/metrics/v4alpha/BUILD +++ /dev/null @@ -1,15 +0,0 @@ -# DO NOT EDIT. This file is generated by tools/proto_format/proto_sync.py. - -load("@envoy_api//bazel:api_build_system.bzl", "api_proto_package") - -licenses(["notice"]) # Apache 2 - -api_proto_package( - has_services = True, - deps = [ - "//envoy/config/core/v4alpha:pkg", - "//envoy/service/metrics/v3:pkg", - "@com_github_cncf_udpa//udpa/annotations:pkg", - "@prometheus_metrics_model//:client_model", - ], -) diff --git a/generated_api_shadow/envoy/service/metrics/v4alpha/metrics_service.proto b/generated_api_shadow/envoy/service/metrics/v4alpha/metrics_service.proto deleted file mode 100644 index 5e1412f103e9..000000000000 --- a/generated_api_shadow/envoy/service/metrics/v4alpha/metrics_service.proto +++ /dev/null 
@@ -1,53 +0,0 @@ -syntax = "proto3"; - -package envoy.service.metrics.v4alpha; - -import "envoy/config/core/v4alpha/base.proto"; - -import "io/prometheus/client/metrics.proto"; - -import "udpa/annotations/status.proto"; -import "udpa/annotations/versioning.proto"; -import "validate/validate.proto"; - -option java_package = "io.envoyproxy.envoy.service.metrics.v4alpha"; -option java_outer_classname = "MetricsServiceProto"; -option java_multiple_files = true; -option java_generic_services = true; -option (udpa.annotations.file_status).package_version_status = NEXT_MAJOR_VERSION_CANDIDATE; - -// [#protodoc-title: Metrics service] - -// Service for streaming metrics to server that consumes the metrics data. It uses Prometheus metric -// data model as a standard to represent metrics information. -service MetricsService { - // Envoy will connect and send StreamMetricsMessage messages forever. It does not expect any - // response to be sent as nothing would be done in the case of failure. - rpc StreamMetrics(stream StreamMetricsMessage) returns (StreamMetricsResponse) { - } -} - -message StreamMetricsResponse { - option (udpa.annotations.versioning).previous_message_type = - "envoy.service.metrics.v3.StreamMetricsResponse"; -} - -message StreamMetricsMessage { - option (udpa.annotations.versioning).previous_message_type = - "envoy.service.metrics.v3.StreamMetricsMessage"; - - message Identifier { - option (udpa.annotations.versioning).previous_message_type = - "envoy.service.metrics.v3.StreamMetricsMessage.Identifier"; - - // The node sending metrics over the stream. - config.core.v4alpha.Node node = 1 [(validate.rules).message = {required: true}]; - } - - // Identifier data effectively is a structured metadata. As a performance optimization this will - // only be sent in the first message on the stream. - Identifier identifier = 1; - - // A list of metric entries - repeated io.prometheus.client.MetricFamily envoy_metrics = 2; -} 
diff --git a/generated_api_shadow/envoy/service/status/v4alpha/BUILD b/generated_api_shadow/envoy/service/status/v4alpha/BUILD deleted file mode 100644 index 7c365494828d..000000000000 --- a/generated_api_shadow/envoy/service/status/v4alpha/BUILD +++ /dev/null @@ -1,17 +0,0 @@ -# DO NOT EDIT. This file is generated by tools/proto_format/proto_sync.py. - -load("@envoy_api//bazel:api_build_system.bzl", "api_proto_package") - -licenses(["notice"]) # Apache 2 - -api_proto_package( - has_services = True, - deps = [ - "//envoy/admin/v4alpha:pkg", - "//envoy/annotations:pkg", - "//envoy/config/core/v4alpha:pkg", - "//envoy/service/status/v3:pkg", - "//envoy/type/matcher/v4alpha:pkg", - "@com_github_cncf_udpa//udpa/annotations:pkg", - ], -) diff --git a/generated_api_shadow/envoy/service/status/v4alpha/csds.proto b/generated_api_shadow/envoy/service/status/v4alpha/csds.proto deleted file mode 100644 index 8a47045546f7..000000000000 --- a/generated_api_shadow/envoy/service/status/v4alpha/csds.proto +++ /dev/null 
@@ -1,194 +0,0 @@ -syntax = "proto3"; - -package envoy.service.status.v4alpha; - -import "envoy/admin/v4alpha/config_dump.proto"; -import "envoy/config/core/v4alpha/base.proto"; -import "envoy/type/matcher/v4alpha/node.proto"; - -import "google/api/annotations.proto"; -import "google/protobuf/any.proto"; -import "google/protobuf/timestamp.proto"; - -import "envoy/annotations/deprecation.proto"; -import "udpa/annotations/status.proto"; -import "udpa/annotations/versioning.proto"; - -option java_package = "io.envoyproxy.envoy.service.status.v4alpha"; -option java_outer_classname = "CsdsProto"; -option java_multiple_files = true; -option java_generic_services = true; -option (udpa.annotations.file_status).package_version_status = NEXT_MAJOR_VERSION_CANDIDATE; - -// [#protodoc-title: Client Status Discovery Service (CSDS)] - -// CSDS is Client Status Discovery Service. It can be used to get the status of -// an xDS-compliant client from the management server's point of view. It can -// also be used to get the current xDS states directly from the client. -service ClientStatusDiscoveryService { - rpc StreamClientStatus(stream ClientStatusRequest) returns (stream ClientStatusResponse) { - } - - rpc FetchClientStatus(ClientStatusRequest) returns (ClientStatusResponse) { - option (google.api.http).post = "/v3/discovery:client_status"; - option (google.api.http).body = "*"; - } -} - -// Status of a config from a management server view. -enum ConfigStatus { - // Status info is not available/unknown. - UNKNOWN = 0; - - // Management server has sent the config to client and received ACK. - SYNCED = 1; - - // Config is not sent. - NOT_SENT = 2; - - // Management server has sent the config to client but hasn’t received - // ACK/NACK. - STALE = 3; - - // Management server has sent the config to client but received NACK. The - // attached config dump will be the latest config (the rejected one), since - // it is the persisted version in the management server. 
- ERROR = 4; -} - -// Config status from a client-side view. -enum ClientConfigStatus { - // Config status is not available/unknown. - CLIENT_UNKNOWN = 0; - - // Client requested the config but hasn't received any config from management - // server yet. - CLIENT_REQUESTED = 1; - - // Client received the config and replied with ACK. - CLIENT_ACKED = 2; - - // Client received the config and replied with NACK. Notably, the attached - // config dump is not the NACKed version, but the most recent accepted one. If - // no config is accepted yet, the attached config dump will be empty. - CLIENT_NACKED = 3; -} - -// Request for client status of clients identified by a list of NodeMatchers. -message ClientStatusRequest { - option (udpa.annotations.versioning).previous_message_type = - "envoy.service.status.v3.ClientStatusRequest"; - - // Management server can use these match criteria to identify clients. - // The match follows OR semantics. - repeated type.matcher.v4alpha.NodeMatcher node_matchers = 1; - - // The node making the csds request. - config.core.v4alpha.Node node = 2; -} - -// Detailed config (per xDS) with status. -// [#next-free-field: 8] -message PerXdsConfig { - option (udpa.annotations.versioning).previous_message_type = - "envoy.service.status.v3.PerXdsConfig"; - - // Config status generated by management servers. Will not be present if the - // CSDS server is an xDS client. - ConfigStatus status = 1; - - // Client config status is populated by xDS clients. Will not be present if - // the CSDS server is an xDS server. No matter what the client config status - // is, xDS clients should always dump the most recent accepted xDS config. - // - // .. attention:: - // This field is deprecated. Use :ref:`ClientResourceStatus - // ` for per-resource - // config status instead. 
- ClientConfigStatus hidden_envoy_deprecated_client_status = 7 - [deprecated = true, (envoy.annotations.deprecated_at_minor_version) = "3.0"]; - - oneof per_xds_config { - admin.v4alpha.ListenersConfigDump listener_config = 2; - - admin.v4alpha.ClustersConfigDump cluster_config = 3; - - admin.v4alpha.RoutesConfigDump route_config = 4; - - admin.v4alpha.ScopedRoutesConfigDump scoped_route_config = 5; - - admin.v4alpha.EndpointsConfigDump endpoint_config = 6; - } -} - -// All xds configs for a particular client. -message ClientConfig { - option (udpa.annotations.versioning).previous_message_type = - "envoy.service.status.v3.ClientConfig"; - - // GenericXdsConfig is used to specify the config status and the dump - // of any xDS resource identified by their type URL. It is the generalized - // version of the now deprecated ListenersConfigDump, ClustersConfigDump etc - // [#next-free-field: 10] - message GenericXdsConfig { - option (udpa.annotations.versioning).previous_message_type = - "envoy.service.status.v3.ClientConfig.GenericXdsConfig"; - - // Type_url represents the fully qualified name of xDS resource type - // like envoy.v3.Cluster, envoy.v3.ClusterLoadAssignment etc. - string type_url = 1; - - // Name of the xDS resource - string name = 2; - - // This is the :ref:`version_info ` - // in the last processed xDS discovery response. If there are only - // static bootstrap listeners, this field will be "" - string version_info = 3; - - // The xDS resource config. Actual content depends on the type - google.protobuf.Any xds_config = 4; - - // Timestamp when the xDS resource was last updated - google.protobuf.Timestamp last_updated = 5; - - // Per xDS resource config status. It is generated by management servers. - // It will not be present if the CSDS server is an xDS client. 
- ConfigStatus config_status = 6; - - // Per xDS resource status from the view of a xDS client - admin.v4alpha.ClientResourceStatus client_status = 7; - - // Set if the last update failed, cleared after the next successful - // update. The *error_state* field contains the rejected version of - // this particular resource along with the reason and timestamp. For - // successfully updated or acknowledged resource, this field should - // be empty. - // [#not-implemented-hide:] - admin.v4alpha.UpdateFailureState error_state = 8; - - // Is static resource is true if it is specified in the config supplied - // through the file at the startup. - bool is_static_resource = 9; - } - - // Node for a particular client. - config.core.v4alpha.Node node = 1; - - // This field is deprecated in favor of generic_xds_configs which is - // much simpler and uniform in structure. - repeated PerXdsConfig hidden_envoy_deprecated_xds_config = 2 - [deprecated = true, (envoy.annotations.deprecated_at_minor_version) = "3.0"]; - - // Represents generic xDS config and the exact config structure depends on - // the type URL (like Cluster if it is CDS) - repeated GenericXdsConfig generic_xds_configs = 3; -} - -message ClientStatusResponse { - option (udpa.annotations.versioning).previous_message_type = - "envoy.service.status.v3.ClientStatusResponse"; - - // Client configs for the clients specified in the ClientStatusRequest. - repeated ClientConfig config = 1; -} diff --git a/generated_api_shadow/envoy/service/tap/v4alpha/BUILD b/generated_api_shadow/envoy/service/tap/v4alpha/BUILD deleted file mode 100644 index cb89a6907d9a..000000000000 --- a/generated_api_shadow/envoy/service/tap/v4alpha/BUILD +++ /dev/null 
@@ -1,15 +0,0 @@ -# DO NOT EDIT. This file is generated by tools/proto_format/proto_sync.py. - -load("@envoy_api//bazel:api_build_system.bzl", "api_proto_package") - -licenses(["notice"]) # Apache 2 - -api_proto_package( - has_services = True, - deps = [ - "//envoy/config/core/v4alpha:pkg", - "//envoy/data/tap/v3:pkg", - "//envoy/service/tap/v3:pkg", - "@com_github_cncf_udpa//udpa/annotations:pkg", - ], -) diff --git a/generated_api_shadow/envoy/service/tap/v4alpha/tap.proto b/generated_api_shadow/envoy/service/tap/v4alpha/tap.proto deleted file mode 100644 index 4ef38d1bae98..000000000000 --- a/generated_api_shadow/envoy/service/tap/v4alpha/tap.proto +++ /dev/null 
@@ -1,64 +0,0 @@ -syntax = "proto3"; - -package envoy.service.tap.v4alpha; - -import "envoy/config/core/v4alpha/base.proto"; -import "envoy/data/tap/v3/wrapper.proto"; - -import "udpa/annotations/status.proto"; -import "udpa/annotations/versioning.proto"; -import "validate/validate.proto"; - -option java_package = "io.envoyproxy.envoy.service.tap.v4alpha"; -option java_outer_classname = "TapProto"; -option java_multiple_files = true; -option java_generic_services = true; -option (udpa.annotations.file_status).package_version_status = NEXT_MAJOR_VERSION_CANDIDATE; - -// [#protodoc-title: Tap Sink Service] - -// [#not-implemented-hide:] A tap service to receive incoming taps. Envoy will call -// StreamTaps to deliver captured taps to the server -service TapSinkService { - // Envoy will connect and send StreamTapsRequest messages forever. It does not expect any - // response to be sent as nothing would be done in the case of failure. The server should - // disconnect if it expects Envoy to reconnect. - rpc StreamTaps(stream StreamTapsRequest) returns (StreamTapsResponse) { - } -} - -// [#not-implemented-hide:] Stream message for the Tap API. Envoy will open a stream to the server -// and stream taps without ever expecting a response. -message StreamTapsRequest { - option (udpa.annotations.versioning).previous_message_type = - "envoy.service.tap.v3.StreamTapsRequest"; - - message Identifier { - option (udpa.annotations.versioning).previous_message_type = - "envoy.service.tap.v3.StreamTapsRequest.Identifier"; - - // The node sending taps over the stream. - config.core.v4alpha.Node node = 1 [(validate.rules).message = {required: true}]; - - // The opaque identifier that was set in the :ref:`output config - // `. - string tap_id = 2; - } - - // Identifier data effectively is a structured metadata. As a performance optimization this will - // only be sent in the first message on the stream. - Identifier identifier = 1; - - // The trace id. 
this can be used to merge together a streaming trace. Note that the trace_id - // is not guaranteed to be spatially or temporally unique. - uint64 trace_id = 2; - - // The trace data. - data.tap.v3.TraceWrapper trace = 3; -} - -// [#not-implemented-hide:] -message StreamTapsResponse { - option (udpa.annotations.versioning).previous_message_type = - "envoy.service.tap.v3.StreamTapsResponse"; -} diff --git a/generated_api_shadow/envoy/service/trace/v4alpha/BUILD b/generated_api_shadow/envoy/service/trace/v4alpha/BUILD deleted file mode 100644 index df379cbe9d5d..000000000000 --- a/generated_api_shadow/envoy/service/trace/v4alpha/BUILD +++ /dev/null @@ -1,15 +0,0 @@ -# DO NOT EDIT. This file is generated by tools/proto_format/proto_sync.py. - -load("@envoy_api//bazel:api_build_system.bzl", "api_proto_package") - -licenses(["notice"]) # Apache 2 - -api_proto_package( - has_services = True, - deps = [ - "//envoy/config/core/v4alpha:pkg", - "//envoy/service/trace/v3:pkg", - "@com_github_cncf_udpa//udpa/annotations:pkg", - "@opencensus_proto//opencensus/proto/trace/v1:trace_proto", - ], -) diff --git a/generated_api_shadow/envoy/service/trace/v4alpha/trace_service.proto b/generated_api_shadow/envoy/service/trace/v4alpha/trace_service.proto deleted file mode 100644 index 4cfdbbe576df..000000000000 --- a/generated_api_shadow/envoy/service/trace/v4alpha/trace_service.proto +++ /dev/null 
@@ -1,55 +0,0 @@ -syntax = "proto3"; - -package envoy.service.trace.v4alpha; - -import "envoy/config/core/v4alpha/base.proto"; - -import "opencensus/proto/trace/v1/trace.proto"; - -import "udpa/annotations/status.proto"; -import "udpa/annotations/versioning.proto"; -import "validate/validate.proto"; - -option java_package = "io.envoyproxy.envoy.service.trace.v4alpha"; -option java_outer_classname = "TraceServiceProto"; -option java_multiple_files = true; -option java_generic_services = true; -option (udpa.annotations.file_status).package_version_status = NEXT_MAJOR_VERSION_CANDIDATE; - -// [#protodoc-title: Trace service] - -// Service for streaming traces to server that consumes the trace data. It -// uses OpenCensus data model as a standard to represent trace information. -service TraceService { - // Envoy will connect and send StreamTracesMessage messages forever. It does - // not expect any response to be sent as nothing would be done in the case - // of failure. - rpc StreamTraces(stream StreamTracesMessage) returns (StreamTracesResponse) { - } -} - -message StreamTracesResponse { - option (udpa.annotations.versioning).previous_message_type = - "envoy.service.trace.v3.StreamTracesResponse"; -} - -message StreamTracesMessage { - option (udpa.annotations.versioning).previous_message_type = - "envoy.service.trace.v3.StreamTracesMessage"; - - message Identifier { - option (udpa.annotations.versioning).previous_message_type = - "envoy.service.trace.v3.StreamTracesMessage.Identifier"; - - // The node sending the access log messages over the stream. - config.core.v4alpha.Node node = 1 [(validate.rules).message = {required: true}]; - } - - // Identifier data effectively is a structured metadata. - // As a performance optimization this will only be sent in the first message - // on the stream. - Identifier identifier = 1; - - // A list of Span entries - repeated opencensus.proto.trace.v1.Span spans = 2; -} 
diff --git a/generated_api_shadow/envoy/type/matcher/v4alpha/BUILD b/generated_api_shadow/envoy/type/matcher/v4alpha/BUILD deleted file mode 100644 index 37561e92662c..000000000000 --- a/generated_api_shadow/envoy/type/matcher/v4alpha/BUILD +++ /dev/null @@ -1,14 +0,0 @@ -# DO NOT EDIT. This file is generated by tools/proto_format/proto_sync.py. - -load("@envoy_api//bazel:api_build_system.bzl", "api_proto_package") - -licenses(["notice"]) # Apache 2 - -api_proto_package( - deps = [ - "//envoy/annotations:pkg", - "//envoy/type/matcher/v3:pkg", - "//envoy/type/v3:pkg", - "@com_github_cncf_udpa//udpa/annotations:pkg", - ], -) diff --git a/generated_api_shadow/envoy/type/matcher/v4alpha/http_inputs.proto b/generated_api_shadow/envoy/type/matcher/v4alpha/http_inputs.proto deleted file mode 100644 index bd7758ad53fb..000000000000 --- a/generated_api_shadow/envoy/type/matcher/v4alpha/http_inputs.proto +++ /dev/null 
@@ -1,70 +0,0 @@ -syntax = "proto3"; - -package envoy.type.matcher.v4alpha; - -import "udpa/annotations/status.proto"; -import "udpa/annotations/versioning.proto"; -import "validate/validate.proto"; - -option java_package = "io.envoyproxy.envoy.type.matcher.v4alpha"; -option java_outer_classname = "HttpInputsProto"; -option java_multiple_files = true; -option (udpa.annotations.file_status).package_version_status = NEXT_MAJOR_VERSION_CANDIDATE; - -// [#protodoc-title: Common HTTP Inputs] - -// Match input indicates that matching should be done on a specific request header. -// The resulting input string will be all headers for the given key joined by a comma, -// e.g. if the request contains two 'foo' headers with value 'bar' and 'baz', the input -// string will be 'bar,baz'. -// [#comment:TODO(snowp): Link to unified matching docs.] -message HttpRequestHeaderMatchInput { - option (udpa.annotations.versioning).previous_message_type = - "envoy.type.matcher.v3.HttpRequestHeaderMatchInput"; - - // The request header to match on. - string header_name = 1 - [(validate.rules).string = {well_known_regex: HTTP_HEADER_NAME strict: false}]; -} - -// Match input indicates that matching should be done on a specific request trailer. -// The resulting input string will be all headers for the given key joined by a comma, -// e.g. if the request contains two 'foo' headers with value 'bar' and 'baz', the input -// string will be 'bar,baz'. -// [#comment:TODO(snowp): Link to unified matching docs.] -message HttpRequestTrailerMatchInput { - option (udpa.annotations.versioning).previous_message_type = - "envoy.type.matcher.v3.HttpRequestTrailerMatchInput"; - - // The request trailer to match on. - string header_name = 1 - [(validate.rules).string = {well_known_regex: HTTP_HEADER_NAME strict: false}]; -} - -// Match input indicating that matching should be done on a specific response header. -// The resulting input string will be all headers for the given key joined by a comma, -// e.g. 
if the response contains two 'foo' headers with value 'bar' and 'baz', the input -// string will be 'bar,baz'. -// [#comment:TODO(snowp): Link to unified matching docs.] -message HttpResponseHeaderMatchInput { - option (udpa.annotations.versioning).previous_message_type = - "envoy.type.matcher.v3.HttpResponseHeaderMatchInput"; - - // The response header to match on. - string header_name = 1 - [(validate.rules).string = {well_known_regex: HTTP_HEADER_NAME strict: false}]; -} - -// Match input indicates that matching should be done on a specific response trailer. -// The resulting input string will be all headers for the given key joined by a comma, -// e.g. if the request contains two 'foo' headers with value 'bar' and 'baz', the input -// string will be 'bar,baz'. -// [#comment:TODO(snowp): Link to unified matching docs.] -message HttpResponseTrailerMatchInput { - option (udpa.annotations.versioning).previous_message_type = - "envoy.type.matcher.v3.HttpResponseTrailerMatchInput"; - - // The response trailer to match on. - string header_name = 1 - [(validate.rules).string = {well_known_regex: HTTP_HEADER_NAME strict: false}]; -} diff --git a/generated_api_shadow/envoy/type/matcher/v4alpha/metadata.proto b/generated_api_shadow/envoy/type/matcher/v4alpha/metadata.proto deleted file mode 100644 index e61ba2754337..000000000000 --- a/generated_api_shadow/envoy/type/matcher/v4alpha/metadata.proto +++ /dev/null 
@@ -1,105 +0,0 @@ -syntax = "proto3"; - -package envoy.type.matcher.v4alpha; - -import "envoy/type/matcher/v4alpha/value.proto"; - -import "udpa/annotations/status.proto"; -import "udpa/annotations/versioning.proto"; -import "validate/validate.proto"; - -option java_package = "io.envoyproxy.envoy.type.matcher.v4alpha"; -option java_outer_classname = "MetadataProto"; -option java_multiple_files = true; -option (udpa.annotations.file_status).package_version_status = NEXT_MAJOR_VERSION_CANDIDATE; - -// [#protodoc-title: Metadata matcher] - -// MetadataMatcher provides a general interface to check if a given value is matched in -// :ref:`Metadata `. It uses `filter` and `path` to retrieve the value -// from the Metadata and then check if it's matched to the specified value. -// -// For example, for the following Metadata: -// -// .. code-block:: yaml -// -// filter_metadata: -// envoy.filters.http.rbac: -// fields: -// a: -// struct_value: -// fields: -// b: -// struct_value: -// fields: -// c: -// string_value: pro -// t: -// list_value: -// values: -// - string_value: m -// - string_value: n -// -// The following MetadataMatcher is matched as the path [a, b, c] will retrieve a string value "pro" -// from the Metadata which is matched to the specified prefix match. -// -// .. code-block:: yaml -// -// filter: envoy.filters.http.rbac -// path: -// - key: a -// - key: b -// - key: c -// value: -// string_match: -// prefix: pr -// -// The following MetadataMatcher is matched as the code will match one of the string values in the -// list at the path [a, t]. -// -// .. code-block:: yaml -// -// filter: envoy.filters.http.rbac -// path: -// - key: a -// - key: t -// value: -// list_match: -// one_of: -// string_match: -// exact: m -// -// An example use of MetadataMatcher is specifying additional metadata in envoy.filters.http.rbac to -// enforce access control based on dynamic metadata in a request. See :ref:`Permission -// ` and :ref:`Principal -// `. 
- -// [#next-major-version: MetadataMatcher should use StructMatcher] -message MetadataMatcher { - option (udpa.annotations.versioning).previous_message_type = - "envoy.type.matcher.v3.MetadataMatcher"; - - // Specifies the segment in a path to retrieve value from Metadata. - // Note: Currently it's not supported to retrieve a value from a list in Metadata. This means that - // if the segment key refers to a list, it has to be the last segment in a path. - message PathSegment { - option (udpa.annotations.versioning).previous_message_type = - "envoy.type.matcher.v3.MetadataMatcher.PathSegment"; - - oneof segment { - option (validate.required) = true; - - // If specified, use the key to retrieve the value in a Struct. - string key = 1 [(validate.rules).string = {min_len: 1}]; - } - } - - // The filter name to retrieve the Struct from the Metadata. - string filter = 1 [(validate.rules).string = {min_len: 1}]; - - // The path to retrieve the Value from the Struct. - repeated PathSegment path = 2 [(validate.rules).repeated = {min_items: 1}]; - - // The MetadataMatcher is matched if the value retrieved by path is matched to this value. - ValueMatcher value = 3 [(validate.rules).message = {required: true}]; -} diff --git a/generated_api_shadow/envoy/type/matcher/v4alpha/node.proto b/generated_api_shadow/envoy/type/matcher/v4alpha/node.proto deleted file mode 100644 index a74bf808f05a..000000000000 --- a/generated_api_shadow/envoy/type/matcher/v4alpha/node.proto +++ /dev/null 
@@ -1,28 +0,0 @@ -syntax = "proto3"; - -package envoy.type.matcher.v4alpha; - -import "envoy/type/matcher/v4alpha/string.proto"; -import "envoy/type/matcher/v4alpha/struct.proto"; - -import "udpa/annotations/status.proto"; -import "udpa/annotations/versioning.proto"; - -option java_package = "io.envoyproxy.envoy.type.matcher.v4alpha"; -option java_outer_classname = "NodeProto"; -option java_multiple_files = true; -option (udpa.annotations.file_status).package_version_status = NEXT_MAJOR_VERSION_CANDIDATE; - -// [#protodoc-title: Node matcher] - -// Specifies the way to match a Node. -// The match follows AND semantics. -message NodeMatcher { - option (udpa.annotations.versioning).previous_message_type = "envoy.type.matcher.v3.NodeMatcher"; - - // Specifies match criteria on the node id. - StringMatcher node_id = 1; - - // Specifies match criteria on the node metadata. - repeated StructMatcher node_metadatas = 2; -} diff --git a/generated_api_shadow/envoy/type/matcher/v4alpha/number.proto b/generated_api_shadow/envoy/type/matcher/v4alpha/number.proto deleted file mode 100644 index b168af19ab50..000000000000 --- a/generated_api_shadow/envoy/type/matcher/v4alpha/number.proto +++ /dev/null 
@@ -1,33 +0,0 @@ -syntax = "proto3"; - -package envoy.type.matcher.v4alpha; - -import "envoy/type/v3/range.proto"; - -import "udpa/annotations/status.proto"; -import "udpa/annotations/versioning.proto"; -import "validate/validate.proto"; - -option java_package = "io.envoyproxy.envoy.type.matcher.v4alpha"; -option java_outer_classname = "NumberProto"; -option java_multiple_files = true; -option (udpa.annotations.file_status).package_version_status = NEXT_MAJOR_VERSION_CANDIDATE; - -// [#protodoc-title: Number matcher] - -// Specifies the way to match a double value. -message DoubleMatcher { - option (udpa.annotations.versioning).previous_message_type = - "envoy.type.matcher.v3.DoubleMatcher"; - - oneof match_pattern { - option (validate.required) = true; - - // If specified, the input double value must be in the range specified here. - // Note: The range is using half-open interval semantics [start, end). - v3.DoubleRange range = 1; - - // If specified, the input double value must be equal to the value specified here. - double exact = 2; - } -} diff --git a/generated_api_shadow/envoy/type/matcher/v4alpha/path.proto b/generated_api_shadow/envoy/type/matcher/v4alpha/path.proto deleted file mode 100644 index 9150939bf2ee..000000000000 --- a/generated_api_shadow/envoy/type/matcher/v4alpha/path.proto +++ /dev/null 
@@ -1,30 +0,0 @@ -syntax = "proto3"; - -package envoy.type.matcher.v4alpha; - -import "envoy/type/matcher/v4alpha/string.proto"; - -import "udpa/annotations/status.proto"; -import "udpa/annotations/versioning.proto"; -import "validate/validate.proto"; - -option java_package = "io.envoyproxy.envoy.type.matcher.v4alpha"; -option java_outer_classname = "PathProto"; -option java_multiple_files = true; -option (udpa.annotations.file_status).package_version_status = NEXT_MAJOR_VERSION_CANDIDATE; - -// [#protodoc-title: Path matcher] - -// Specifies the way to match a path on HTTP request. -message PathMatcher { - option (udpa.annotations.versioning).previous_message_type = "envoy.type.matcher.v3.PathMatcher"; - - oneof rule { - option (validate.required) = true; - - // The `path` must match the URL path portion of the :path header. The query and fragment - // string (if present) are removed in the URL path portion. - // For example, the path */data* will match the *:path* header */data#fragment?param=value*. - StringMatcher path = 1 [(validate.rules).message = {required: true}]; - } -} diff --git a/generated_api_shadow/envoy/type/matcher/v4alpha/regex.proto b/generated_api_shadow/envoy/type/matcher/v4alpha/regex.proto deleted file mode 100644 index 523889b9d3f7..000000000000 --- a/generated_api_shadow/envoy/type/matcher/v4alpha/regex.proto +++ /dev/null 
@@ -1,89 +0,0 @@ -syntax = "proto3"; - -package envoy.type.matcher.v4alpha; - -import "google/protobuf/wrappers.proto"; - -import "envoy/annotations/deprecation.proto"; -import "udpa/annotations/status.proto"; -import "udpa/annotations/versioning.proto"; -import "validate/validate.proto"; - -option java_package = "io.envoyproxy.envoy.type.matcher.v4alpha"; -option java_outer_classname = "RegexProto"; -option java_multiple_files = true; -option (udpa.annotations.file_status).package_version_status = NEXT_MAJOR_VERSION_CANDIDATE; - -// [#protodoc-title: Regex matcher] - -// A regex matcher designed for safety when used with untrusted input. -message RegexMatcher { - option (udpa.annotations.versioning).previous_message_type = "envoy.type.matcher.v3.RegexMatcher"; - - // Google's `RE2 `_ regex engine. The regex string must adhere to - // the documented `syntax `_. The engine is designed - // to complete execution in linear time as well as limit the amount of memory used. - // - // Envoy supports program size checking via runtime. The runtime keys `re2.max_program_size.error_level` - // and `re2.max_program_size.warn_level` can be set to integers as the maximum program size or - // complexity that a compiled regex can have before an exception is thrown or a warning is - // logged, respectively. `re2.max_program_size.error_level` defaults to 100, and - // `re2.max_program_size.warn_level` has no default if unset (will not check/log a warning). - // - // Envoy emits two stats for tracking the program size of regexes: the histogram `re2.program_size`, - // which records the program size, and the counter `re2.exceeded_warn_level`, which is incremented - // each time the program size exceeds the warn level threshold. 
- message GoogleRE2 { - option (udpa.annotations.versioning).previous_message_type = - "envoy.type.matcher.v3.RegexMatcher.GoogleRE2"; - - // This field controls the RE2 "program size" which is a rough estimate of how complex a - // compiled regex is to evaluate. A regex that has a program size greater than the configured - // value will fail to compile. In this case, the configured max program size can be increased - // or the regex can be simplified. If not specified, the default is 100. - // - // This field is deprecated; regexp validation should be performed on the management server - // instead of being done by each individual client. - google.protobuf.UInt32Value hidden_envoy_deprecated_max_program_size = 1 - [deprecated = true, (envoy.annotations.deprecated_at_minor_version) = "3.0"]; - } - - oneof engine_type { - option (validate.required) = true; - - // Google's RE2 regex engine. - GoogleRE2 google_re2 = 1 [(validate.rules).message = {required: true}]; - } - - // The regex match string. The string must be supported by the configured engine. - string regex = 2 [(validate.rules).string = {min_len: 1}]; -} - -// Describes how to match a string and then produce a new string using a regular -// expression and a substitution string. -message RegexMatchAndSubstitute { - option (udpa.annotations.versioning).previous_message_type = - "envoy.type.matcher.v3.RegexMatchAndSubstitute"; - - // The regular expression used to find portions of a string (hereafter called - // the "subject string") that should be replaced. When a new string is - // produced during the substitution operation, the new string is initially - // the same as the subject string, but then all matches in the subject string - // are replaced by the substitution string. If replacing all matches isn't - // desired, regular expression anchors can be used to ensure a single match, - // so as to replace just one occurrence of a pattern. 
Capture groups can be - // used in the pattern to extract portions of the subject string, and then - // referenced in the substitution string. - RegexMatcher pattern = 1 [(validate.rules).message = {required: true}]; - - // The string that should be substituted into matching portions of the - // subject string during a substitution operation to produce a new string. - // Capture groups in the pattern can be referenced in the substitution - // string. Note, however, that the syntax for referring to capture groups is - // defined by the chosen regular expression engine. Google's `RE2 - // `_ regular expression engine uses a - // backslash followed by the capture group number to denote a numbered - // capture group. E.g., ``\1`` refers to capture group 1, and ``\2`` refers - // to capture group 2. - string substitution = 2; -} diff --git a/generated_api_shadow/envoy/type/matcher/v4alpha/string.proto b/generated_api_shadow/envoy/type/matcher/v4alpha/string.proto deleted file mode 100644 index f9fa48cd3195..000000000000 --- a/generated_api_shadow/envoy/type/matcher/v4alpha/string.proto +++ /dev/null 
@@ -1,78 +0,0 @@ -syntax = "proto3"; - -package envoy.type.matcher.v4alpha; - -import "envoy/type/matcher/v4alpha/regex.proto"; - -import "udpa/annotations/status.proto"; -import "udpa/annotations/versioning.proto"; -import "validate/validate.proto"; - -option java_package = "io.envoyproxy.envoy.type.matcher.v4alpha"; -option java_outer_classname = "StringProto"; -option java_multiple_files = true; -option (udpa.annotations.file_status).package_version_status = NEXT_MAJOR_VERSION_CANDIDATE; - -// [#protodoc-title: String matcher] - -// Specifies the way to match a string. -// [#next-free-field: 8] -message StringMatcher { - option (udpa.annotations.versioning).previous_message_type = - "envoy.type.matcher.v3.StringMatcher"; - - reserved 4; - - reserved "regex"; - - oneof match_pattern { - option (validate.required) = true; - - // The input string must match exactly the string specified here. - // - // Examples: - // - // * *abc* only matches the value *abc*. - string exact = 1; - - // The input string must have the prefix specified here. - // Note: empty prefix is not allowed, please use regex instead. - // - // Examples: - // - // * *abc* matches the value *abc.xyz* - string prefix = 2 [(validate.rules).string = {min_len: 1}]; - - // The input string must have the suffix specified here. - // Note: empty prefix is not allowed, please use regex instead. - // - // Examples: - // - // * *abc* matches the value *xyz.abc* - string suffix = 3 [(validate.rules).string = {min_len: 1}]; - - // The input string must match the regular expression specified here. - RegexMatcher safe_regex = 5 [(validate.rules).message = {required: true}]; - - // The input string must have the substring specified here. - // Note: empty contains match is not allowed, please use regex instead. 
- // - // Examples: - // - // * *abc* matches the value *xyz.abc.def* - string contains = 7 [(validate.rules).string = {min_len: 1}]; - } - - // If true, indicates the exact/prefix/suffix/contains matching should be case insensitive. This - // has no effect for the safe_regex match. - // For example, the matcher *data* will match both input string *Data* and *data* if set to true. - bool ignore_case = 6; -} - -// Specifies a list of ways to match a string. -message ListStringMatcher { - option (udpa.annotations.versioning).previous_message_type = - "envoy.type.matcher.v3.ListStringMatcher"; - - repeated StringMatcher patterns = 1 [(validate.rules).repeated = {min_items: 1}]; -} diff --git a/generated_api_shadow/envoy/type/matcher/v4alpha/struct.proto b/generated_api_shadow/envoy/type/matcher/v4alpha/struct.proto deleted file mode 100644 index 328ac555bd81..000000000000 --- a/generated_api_shadow/envoy/type/matcher/v4alpha/struct.proto +++ /dev/null 
@@ -1,91 +0,0 @@ -syntax = "proto3"; - -package envoy.type.matcher.v4alpha; - -import "envoy/type/matcher/v4alpha/value.proto"; - -import "udpa/annotations/status.proto"; -import "udpa/annotations/versioning.proto"; -import "validate/validate.proto"; - -option java_package = "io.envoyproxy.envoy.type.matcher.v4alpha"; -option java_outer_classname = "StructProto"; -option java_multiple_files = true; -option (udpa.annotations.file_status).package_version_status = NEXT_MAJOR_VERSION_CANDIDATE; - -// [#protodoc-title: Struct matcher] - -// StructMatcher provides a general interface to check if a given value is matched in -// google.protobuf.Struct. It uses `path` to retrieve the value -// from the struct and then check if it's matched to the specified value. -// -// For example, for the following Struct: -// -// .. code-block:: yaml -// -// fields: -// a: -// struct_value: -// fields: -// b: -// struct_value: -// fields: -// c: -// string_value: pro -// t: -// list_value: -// values: -// - string_value: m -// - string_value: n -// -// The following MetadataMatcher is matched as the path [a, b, c] will retrieve a string value "pro" -// from the Metadata which is matched to the specified prefix match. -// -// .. code-block:: yaml -// -// path: -// - key: a -// - key: b -// - key: c -// value: -// string_match: -// prefix: pr -// -// The following StructMatcher is matched as the code will match one of the string values in the -// list at the path [a, t]. -// -// .. code-block:: yaml -// -// path: -// - key: a -// - key: t -// value: -// list_match: -// one_of: -// string_match: -// exact: m -// -// An example use of StructMatcher is to match metadata in envoy.v*.core.Node. -message StructMatcher { - option (udpa.annotations.versioning).previous_message_type = - "envoy.type.matcher.v3.StructMatcher"; - - // Specifies the segment in a path to retrieve value from Struct. 
- message PathSegment { - option (udpa.annotations.versioning).previous_message_type = - "envoy.type.matcher.v3.StructMatcher.PathSegment"; - - oneof segment { - option (validate.required) = true; - - // If specified, use the key to retrieve the value in a Struct. - string key = 1 [(validate.rules).string = {min_len: 1}]; - } - } - - // The path to retrieve the Value from the Struct. - repeated PathSegment path = 2 [(validate.rules).repeated = {min_items: 1}]; - - // The StructMatcher is matched if the value retrieved by path is matched to this value. - ValueMatcher value = 3 [(validate.rules).message = {required: true}]; -} diff --git a/generated_api_shadow/envoy/type/matcher/v4alpha/value.proto b/generated_api_shadow/envoy/type/matcher/v4alpha/value.proto deleted file mode 100644 index 6e509d460109..000000000000 --- a/generated_api_shadow/envoy/type/matcher/v4alpha/value.proto +++ /dev/null 
@@ -1,71 +0,0 @@ -syntax = "proto3"; - -package envoy.type.matcher.v4alpha; - -import "envoy/type/matcher/v4alpha/number.proto"; -import "envoy/type/matcher/v4alpha/string.proto"; - -import "udpa/annotations/status.proto"; -import "udpa/annotations/versioning.proto"; -import "validate/validate.proto"; - -option java_package = "io.envoyproxy.envoy.type.matcher.v4alpha"; -option java_outer_classname = "ValueProto"; -option java_multiple_files = true; -option (udpa.annotations.file_status).package_version_status = NEXT_MAJOR_VERSION_CANDIDATE; - -// [#protodoc-title: Value matcher] - -// Specifies the way to match a ProtobufWkt::Value. Primitive values and ListValue are supported. -// StructValue is not supported and is always not matched. -// [#next-free-field: 7] -message ValueMatcher { - option (udpa.annotations.versioning).previous_message_type = "envoy.type.matcher.v3.ValueMatcher"; - - // NullMatch is an empty message to specify a null value. - message NullMatch { - option (udpa.annotations.versioning).previous_message_type = - "envoy.type.matcher.v3.ValueMatcher.NullMatch"; - } - - // Specifies how to match a value. - oneof match_pattern { - option (validate.required) = true; - - // If specified, a match occurs if and only if the target value is a NullValue. - NullMatch null_match = 1; - - // If specified, a match occurs if and only if the target value is a double value and is - // matched to this field. - DoubleMatcher double_match = 2; - - // If specified, a match occurs if and only if the target value is a string value and is - // matched to this field. - StringMatcher string_match = 3; - - // If specified, a match occurs if and only if the target value is a bool value and is equal - // to this field. - bool bool_match = 4; - - // If specified, value match will be performed based on whether the path is referring to a - // valid primitive value in the metadata. If the path is referring to a non-primitive value, - // the result is always not matched. 
- bool present_match = 5; - - // If specified, a match occurs if and only if the target value is a list value and - // is matched to this field. - ListMatcher list_match = 6; - } -} - -// Specifies the way to match a list value. -message ListMatcher { - option (udpa.annotations.versioning).previous_message_type = "envoy.type.matcher.v3.ListMatcher"; - - oneof match_pattern { - option (validate.required) = true; - - // If specified, at least one of the values in the list must match the value specified. - ValueMatcher one_of = 1; - } -} diff --git a/tools/type_whisperer/typedb_gen.py b/tools/type_whisperer/typedb_gen.py index 44905c6b3e6a..b89e3efdcbde 100644 --- a/tools/type_whisperer/typedb_gen.py +++ b/tools/type_whisperer/typedb_gen.py @@ -181,8 +181,9 @@ def next_version_upgrade(type_name, type_map, next_version_upgrade_memo, visited type_map[type_desc.next_version_type_name].proto_path, type_map[type_desc.next_version_type_name].qualified_package) for proto_path, (next_proto_path, next_package) in sorted(next_proto_info.items()): - type_db.next_version_protos[proto_path].proto_path = next_proto_path - type_db.next_version_protos[proto_path].qualified_package = next_package + if not next_package.endswith('.v4alpha'): + type_db.next_version_protos[proto_path].proto_path = next_proto_path + type_db.next_version_protos[proto_path].qualified_package = next_package # Write out proto text. with open(out_path, 'w') as f:
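Review bot: The new guard `if not next_package.endswith('.v4alpha'):` in `tools/type_whisperer/typedb_gen.py` filters on a bare string literal with no comment, so a later reader cannot tell why some entries of `next_proto_info` never reach `type_db.next_version_protos`, or when the check can be removed. I would put a comment directly above it, e.g. `# v4alpha protos are no longer generated; do not record them as next-version upgrade targets.` The skip is also silent, and the entries are still collected into `next_proto_info` before being dropped here; filtering where that dict is filled would probably keep the intent in one place, but that code is only partly visible in this hunk. The enclosing function starts outside the hunk.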